Date: Wed, 09 Jul 2008 20:17:10 +0200 From: Remko Lodder <remko@FreeBSD.org> To: Wesley Shields <wxs@FreeBSD.org> Cc: freebsd-security@freebsd.org, Josh Mason <wtf.matters@gmail.com> Subject: Re: BIND update? Message-ID: <487500A6.2030001@FreeBSD.org> In-Reply-To: <20080709181515.GG92109@atarininja.org> References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Wesley Shields wrote: > On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote: >> On 7/9/08, Remko Lodder <remko@freebsd.org> wrote: >>> Remko Lodder wrote: >>>> Josh Mason wrote: >>>> >>>> Thanks, you really showed how you are by sending these replies. I wish you >>> goodluck with your quest, perhaps someday someone can help you. >>>> Goodbye. >>>> >>>> >>> Hi, >>> >>> I am sorry for this reply, it was an expression of my frustation towards >>> you. The frustation is just easily generated by people demanding support >>> from volunteers, that are trying to service you and others in their own >>> spare time. Time that they can also spend on different items, yet we >>> crazy people decide to work on a Free Operating System, getting nothing >>> payed for it, only happy users (Where possible) around us. >>> >>> I think you can understand my frustration, because I think you would reply >>> the same if someone demanded even more free time from you. >>> >>> I hope you can understand this. >>> >>> //Remko >>> >> I completely understand and took no offence from your previous email - >> I know I am being confrontational. I myself have been in that position >> many a time before and know exactly how it feels. Unfortunately that >> doesn't negate the responsibility of the security team to produce >> patches quickly. >> >> The initial response of "the sec team is aware of the situation and >> will investigate" was basically just fluff. If you weren't already >> aware of it you aren't much of a sec team. What is needed is an >> expected delivery. I would say considering the nature of the exploit >> but honestly that shouldn't change anything at all. If the delivery >> isn't going to be immediate there should always be an ETA provided. If >> for nothing else other than so your users can plan around it (i.e. >> "this is too long I need to take action myself" - "or X time or date >> is sufficient I'll wait for the official release and apply it then"). >> Without that people are twiddling their thumbs wondering if there is >> ever going to be one. > > You have a good point there. I'm not aware of any page which describes > the current issues under investigation by the security team. If such a > thing does not exist I think it would be a good thing to have, > especially if it details rough timelines for things. By that I mean > recording historic information and expected information (we received > notification on this date, we expect to have a final advisory on this > date). > > In the security world there is a balance which must be maintained > between providing information to consumers so that they may plan > accordingly, and not providing too much information so that the > attackers can write exploits; this is the sensitive nature of the > information which often leads to opaque processes by security teams > around the world. There is the case where full details are released > without advance notice to the vendors/projects, in which case the > balance has been lost from the start. > > Remko, do you - or anyone else - on the security team have any thoughts > on this? I'd be willing to step up and keep a wiki page (or something > else) up to date with the information. > > -- WXS There will be no such page with information about pending items. Sometimes we are bound to non-disclosures etc. We handle this internally and will continue to do so. If people cannot live with that (like Josh) then that's their challenge. Note I speak largely for myself in this case. I am not going to support a wiki page or something. I do not know what the other secteam members think about that, but I expect something like my opinion. //Remko -- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?487500A6.2030001>