I fail to see the point of discussing or arguing partial commercialization
of premium services -- I haven't seen one valid point yet.
Point is, knowing how many organizations rely on their software, and
outright saying that they will NOT let people know about bugs as soon as
they do, even if they are willing to pay for it, just doesn't seem right.
What makes Sun having this information more important than me?
I'd have no problem if Vixie went the Allman route, saying "OK, we're
going to start charging for support. If you want to know about bugs soon
after we do, pay us $X. If not, use at your own risk." But, they're
saying "We're only going to let people who we want to know about the bugs
know about them. The rest of you can hear about it on the evening
news." Even after they started sendmail.com, Allman and his crew have been
very good about releasing new sendmail patches themselves, not making you
wait for CERT Advisories, etc.
Maybe The Sendmail Consortium just realizes that if it wasn't for the
people using, breaking, and making suggestions about code updates for 10+
years, they wouldn't have the business they have now. Maybe ISC is
Agreed. Likewise, I'd give some thought to using BIND again -- even
paying for it -- if some commercial Vixie entity put out something
lynx -dump http://cr.yp.to/djbdns/guarantee.html | sed -e s/"D. J. Bernstein"/ISC/g -e s/djbdns/BIND/g
Yeah, that's some guarantee there, you betcha...
Specifically, the parts that read:
"I offer $500 to the first person to publicly report a
verifiable security hole in the latest version of djbdns"
"My judgment is final as to what constitutes a security hole
It's easy to offer money to your users when only 5 people
worldwide use your software. (And I'm convinced at least 4 of them
are on this list.)
If I had a nickel for every time I've heard somebody tell a salesperson
"sure I'd buy your product if it only did X skanky customer-specific hack"
I wouldn't need to work for a living.
So let me make sure I understand this: You're saying you'd pay for
something that's currently free, if they would in turn pay people for
reporting bugs, which people currently do for free. Is that right?
If that's what you're saying, why don't you just pay them directly? I
think the BIND project can better use its resources working on BIND than
acting as a clearinghouse for your beneficence.