PRE-ANNOUNCEMENT: BIND-Members Forum

Joseph S D Yao jsdy at cospo.osis.gov
Wed Feb 7 13:11:05 UTC 2001


On Wed, Feb 07, 2001 at 03:10:30PM +0800, Lawrence Chan wrote:
...
> Could you be specific as to what Fear, Uncertainty, and Doubt that I am spreading here?
> I am a BIND user too.

That INCREASING the distribution of this information in the few days
before public release will DECREASE users' security.

> > I have no rights in the matter.  The owners of the BIND code, however,
> > DO.
> 
> It is these self-serving anecdotes (assuming that you're actually speaking on behalf of
> BIND owners) that would give BIND a bad name.

What anecdotes?

And, it should be clear from my first message that I am NOT speaking
for the BIND owners.

> > > disinformation (a delayed information is no information) would not solve the
> >
> > That definition is itself interesting disinformation.
> 
> Again,  anecdotes.  Could you elaborate?  ...

Lawrence, if you are unable to procure a dictionary for yourself, I
will gladly do so.  Just tell me where to send it.

Anecdotes are not ... whatever you imagine them to be, I can't figure
it out from your usage here.  Anecdotes are stories, something like
parables.  I am not aware of having told any stories here.  "Anecdotal
evidence" is conclusions drawn from one or two stories, where the
effects are too mixed up with other factors to be isolated.

Disinformation is deliberately sown untrue statements.  A lack of
information is never disinformation.  Well ... I can imagine a
circumstance where it would be, but in this case there is no relation.

> ..  Otherwise, people would read it as bugs from
> BIND software are harmless and non-infectious so long as ISC et al. have not announced to
> the public and users as such.  They are harmful only after ISC has announced them.  And
> whether users are actually at risk during the period between the bug's existence
> acknowledged by ISC and its subsequent public announcement is caveat emptor.  Frankly,
> not even software developed and sold solely for profit would do a thing like that to
> their customers, let alone important software like BIND, started and implemented under
> the pretext of open-source.  And if this were true, why bother to announce the bugs at
> all?  Just keep quiet and all your bugs would be gone.

Guess what.  EVERYBODY DOES THIS.  And, yes, as long as a bug has gone
undiscovered by a malicious user, IT IS HARMLESS.  A difference that
makes no difference is no difference.  The ISC proposes to do no more
and no less than what it has always done vis-a-vis the general public:
to make sure that it has a fix for the bugs before announcing them.  To
announce them BEFORE creating the fix: now THAT is what would put
people at risk.  Only the irresponsible - and those completely ignored
by commercial software writers - would do that.

> Again, could you elaborate as to why your being so pissed off by your past experience
> with the bosses has anything to do with the bug disinformation issue here.

Maybe you should go back and read the earlier message.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.