|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Reasons why BIND isn't being upgraded
> Without rehashing the whole "open-disclosure" vs. "non-disclosure" > arguments related to security issues in software, or the historically > extreme inadequacies of CERT in offering timely notification of ANY > security-related issues, it's very disappointing to see ISC resort to a > fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and > "we'll update people via CERT" method of dealing with the community they > have served for so long. > > I would have hoped by now that lists such as Bugtraq would have adequately > exhibited the folly of such methodologies. The purpose of the list doesn't appear to circumvent Bugtraq -- you're comparing two different issues. As I understand it, this list is specifically for software vendors and root operators to get immediate notification and patches to fix the bug in advance. You're confusing a software patch support channel with a security response channel, which ISC's list isn't intended to me. AFAIK -- I'm not related to ISC. You also missed the note that non-for-profit and educational institutions are free to join, and any other group may apply for similar status. I frankly enjoy getting patches and having a few hours to apply them before the remaining world can start diffing the patches. This is true of any channel. I don't always have time to read Bugtraq's high noise ratio. I deeply appreciate any software vendor who provides direct notification to paying support clients. This makes perfect sense. -- Joe Rhett Chief Technology Officer [email protected] ISite Services, Inc. PGP keys and contact information: http://www.noc.isite.net/Staff/
|