PRE-ANNOUNCEMENT: BIND-Members Forum

Cricket Liu cricket at VeriSign.com
Thu Feb 1 01:19:57 UTC 2001


> This is not an open source but a full/partial disclosure issue.

No, it's not.  No one is arguing that the vulnerabilities shouldn't
be disclosed and disclosed fully.  The question is when.

> Marcus Ranum ignited this issue at the DEF CON 8 keynote last year.
> I don't get why the non-paying public should wait for bug details
> when the software is free for all.  Free software, free bug fix.

Come again?  You seem to be arguing that because you don't
pay for the software, you're entitled to prompt notification of
bugs and timely patches.

Surely you can understand the need to patch critical pieces of
infrastructure such as the root, gTLD and ccTLD name servers
and to prepare patched binaries of BIND for various operating
systems before the vulnerability becomes widely known.

cricket



More information about the bind-users mailing list