PRE-ANNOUNCEMENT: BIND-Members Forum

Lawrence Chan webmaster at montevino.com
Wed Feb 7 16:15:10 UTC 2001


Hello,

Joseph S D Yao wrote:

> On Wed, Feb 07, 2001 at 03:10:30PM +0800, Lawrence Chan wrote:
> ...
> > Could you be specific as to what Fear, Uncertainty, and Doubt that I am spreading here?
> > I am a BIND user too.
>
> That INCREASING the distribution of this information in the few days
> before public release will DECREASE users' security.

As a BIND user, that is precisely what I am concerned about.  If you really think that
delaying the public release of bug information will not decrease users' security, then why do
it?  Why would the delay be necessary?  And don't forget, all users of BIND would be affected
during the blackout period, including the members of the proposed forum.

> > > I have no rights in the matter.  The owners of the BIND code, however,
> > > DO.
> >
> > It is these self-serving anecdotes (assuming that you're actually speaking on behalf of
> > BIND owners) that would give BIND a bad name.
>
> What anecdotes?
>
> And, it should be clear from my first message that I am NOT speaking
> for the BIND owners.
>
> > > > disinformation (a delayed information is no information) would not solve the
> > >
> > > That definition is itself interesting disinformation.
> >
> > Again,  anecdotes.  Could you elaborate.  ...
>
> Lawrence, if you are unable to procure a dictionary for yourself, I
> will gladly do so.  Just tell me where to send it.
>
> Anecdotes are not ... whatever you imagine them to be, I can't figure
> it out from your usage here.  Anecdotes are stories, something like
> parables.  I am not aware of having told any stories here.  "Anecdotal
> evidence" is conclusions drawn from one or two stories, where the
> effects are too mixed up with other factors to be isolated.
>
> Disinformation is deliberately sown untrue statements.  A lack of
> information is never disinformation.  Well ... I can imagine a
> circumstance where it would be, but in this case there is no relation.

I have a dictionary and I think everyone would have easy access to one or just use:

http://dictionary.com

There is no point me arguing here.

> >                                       ..  Otherwise, people would read it as bugs from
> > BIND software are harmless and non-infectious so long as ISC et al. have not announced to
> > the public and users as such.  They are harmful only after ISC has announced them.  And
> > whether users are actually at risk during the period between the bug's existence
> > acknowledged by ISC and its subsequent public announcement is caveat emptor.  Frankly,
> > not even software developed and sold solely for profit would do a thing like that to
> > their customers, let alone an important software like BIND, started and implemented under
> > the pretext of open-source.    And if this were true, why bother to announce the bugs at
> > all.  Just keep quiet and all your bugs would be gone.
>
> Guess what.  EVERYBODY DOES THIS.  And, yes, as long as a bug has gone
> undiscovered by a malicious user, IT IS HARMLESS.  A difference that
> makes no difference is no difference.  The ISC proposes to do no more
> and no less than what it has always done vis-a-vis the general public:
> to make sure that it has a fix for the bugs before announcing them.  To
> announce them BEFORE creating the fix: now THAT is what would put
> people at risk.  Only the irresponsible - and those completely ignored
> by commercial software writers - would do that.

This is so misleading and it's precisely what I mean by disinformation, however
well-intentioned you may be.  Firstly, what makes you think that a bug (a code portion that somehow
turns faulty through usage and could not be anticipated by the coder) is harmful only when a
malicious user is exploiting it?  Secondly, if a bug has indeed been uncovered by a malicious
user before ISC does, the bug would never get reported.  He, she or it would continue to
exploit it until it is discovered by someone else, someone who actually got hurt by using it.
Finding the quickest way to best disperse patches for bugs and stop the damage, however
difficult under an open-source setup, has nothing and should have nothing to do with alerting users
of risk.

> > Again, could you elaborate as to why your being so pissed off by your past experience
> > with the bosses has anything to do with the bug disinformation issue here.
>
> Maybe you should go back and read the earlier message.

All the emails concerning this particular mail thread are back-referenced above and I believe
I've replied to all your emails point by point and quoted.  This thread of mail is turning into a
flame and I should best refrain from participating further as I believe I've made my point
quite clear.

Lawrence Chan
lchan at montevino.com
