PRE-ANNOUNCEMENT: BIND-Members Forum

Christine Tran Christine.Tran at east.sun.com
Thu Feb 1 17:39:19 UTC 2001

>No, it's not.  No one is arguing that the vulnerabilities shouldn't
>be disclosed and disclosed fully.  The question is when.

A window where paying members get access to bugs & fixes while
the rest of the hoi polloi waits doesn't sound like full disclosure
to me, but call me crazy.  

>> Free software, free bug fix.
>
>Come again?  You seem to be arguing that because you don't
>pay for the software, you're entitled to prompt notification of
>bugs and timely patches.

Umm, yes ... you've seen the Dilbert strip where management pays
coders a buck for every bug found?  I am not in any remotely oblique
way suggesting that anyone at Nominum or ISC went to the Dilbert
School of Programming.  Lots of people run BIND because it's
good AND free, but once they've committed to BIND, they'll discover
a hidden security cost.  I realize ISC doesn't proactively invite
people to use BIND, but it's rather unfair for folks who gravitate to
BIND because they don't have the big money, who will be behind the
security power curve for this same reason.  In Egypt it costs you
nothing to ride a camel, but $10 USD to get off.  I think I'll have
less problem if ISC charges up front.

>Surely you can understand the need to patch critical pieces of
>infrastructure such as the root, gTLD and ccTLD name servers

I'm all for that.  I went back & reread Paul's original message and
all the responses & rebuttals.  Still not convinced it's not a disclosure
issue.  Still not convinced the consortium will result in timely bug
fix and no vulnerability leakage.  Someone mentioned that this is
not different from current situation when CERT prewarns the vendors,
so why change and introduce an undemocratic, discretionary fee-based
system that fosters an atmosphere of exclusivity?  I won't belabour the
point, Cricket can have the last word. :)

CT
