Preferential notice of new versions

Mailman List Mirror (Read Only)
1

It seems pretty clear if you don't pay, you receive exactly the same
advisories you receive now. No more, no less, no sooner, no later.

CERT has always told a few other groups about vulnerabilities prior to
their public release of advisories (vendors, some affected parties, etc).
If anything, ISC's comments seem directed at CERT's procedures. Instead
of trying to pass the information back and forth through CERT, ISC is
adding a direct mechanism for the same groups to communicate. It doesn't
affect any of the other existing communication channels.

CERT issues a public alert about a vulnerability on its schedule. BUGTRAQ
users continue to post exploits when and how they choose. And as always,
the source code for all ISC released versions of BIND are available, so you
can find all the flaws yourself.

I will, and have, flogged Paul for doing stuff; but I'm afraid I don't
understand the uproar about this one.

I suspect there is another way to get yourself on the "list." Find and fix
some significant bugs in BIND.

2

The odd thing is, I think Paul said past and future security notifications
have been and will be distributed via CERT (to non-bind-members). I could
be wrong, but I don't think I've ever gotten initial notification of a
BIND security problem from CERT. Heck...even this most recent one was
first publicized via nanog several days before the CERT notification.

Obviously, if the masses have to wait for CERT, we will be getting later
notification than in the past.

3

The odd thing is, I think Paul said past and future security notifications
have been and will be distributed via CERT (to non-bind-members). I could
be wrong, but I don't think I've ever gotten initial notification of a
BIND security problem from CERT. Heck...even this most recent one was
first publicized via nanog several days before the CERT notification.

Paul has repeatedly stated that nothing will change about how notifications
are done, thus you can probably expect to see a notification here in
advance of CERT. Note that I'm not speaking for Paul, ISC, etc.