From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:17:16 2008
From: Remko Lodder <remko@FreeBSD.org>
Date: Wed, 09 Jul 2008 20:17:10 +0200
To: Wesley Shields
Cc: freebsd-security@freebsd.org, Josh Mason
Subject: Re: BIND update?
Wesley Shields wrote:
> On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote:
>> On 7/9/08, Remko Lodder wrote:
>>> Remko Lodder wrote:
>>>> Josh Mason wrote:
>>>>
>>>> Thanks, you really showed how you are by sending these replies. I wish you
>>>> good luck with your quest, perhaps someday someone can help you.
>>>> Goodbye.
>>>
>>> Hi,
>>>
>>> I am sorry for this reply, it was an expression of my frustration towards
>>> you. The frustration is just easily generated by people demanding support
>>> from volunteers, that are trying to service you and others in their own
>>> spare time. Time that they can also spend on different items, yet we
>>> crazy people decide to work on a Free Operating System, getting nothing
>>> paid for it, only happy users (where possible) around us.
>>>
>>> I think you can understand my frustration, because I think you would reply
>>> the same if someone demanded even more free time from you.
>>>
>>> I hope you can understand this.
>>>
>>> //Remko
>>
>> I completely understand and took no offence from your previous email -
>> I know I am being confrontational. I myself have been in that position
>> many a time before and know exactly how it feels. Unfortunately that
>> doesn't negate the responsibility of the security team to produce
>> patches quickly.
>>
>> The initial response of "the sec team is aware of the situation and
>> will investigate" was basically just fluff. If you weren't already
>> aware of it you aren't much of a sec team. What is needed is an
>> expected delivery. I would say considering the nature of the exploit
>> but honestly that shouldn't change anything at all. If the delivery
>> isn't going to be immediate there should always be an ETA provided. If
>> for nothing else other than so your users can plan around it (i.e.
>> "this is too long I need to take action myself" - "or X time or date
>> is sufficient I'll wait for the official release and apply it then").
>> Without that people are twiddling their thumbs wondering if there is
>> ever going to be one.
>
> You have a good point there. I'm not aware of any page which describes
> the current issues under investigation by the security team. If such a
> thing does not exist I think it would be a good thing to have,
> especially if it details rough timelines for things. By that I mean
> recording historic information and expected information (we received
> notification on this date, we expect to have a final advisory on this
> date).
>
> In the security world there is a balance which must be maintained
> between providing information to consumers so that they may plan
> accordingly, and not providing too much information so that the
> attackers can write exploits; this is the sensitive nature of the
> information which often leads to opaque processes by security teams
> around the world. There is the case where full details are released
> without advance notice to the vendors/projects, in which case the
> balance has been lost from the start.
>
> Remko, do you - or anyone else - on the security team have any thoughts
> on this? I'd be willing to step up and keep a wiki page (or something
> else) up to date with the information.
>
> -- WXS

There will be no such page with information about pending items.
Sometimes we are bound to non-disclosures etc. We handle this internally
and will continue to do so. If people cannot live with that (like Josh)
then that's their challenge.

Note I speak largely for myself in this case. I am not going to support
a wiki page or something. I do not know what the other secteam members
think about that, but I expect something like my opinion.

//Remko

-- 
/"\   Best regards,                  | remko@FreeBSD.org
\ /   Remko Lodder                   | remko@EFnet
 X    http://www.evilcoder.org/      |
/ \   ASCII Ribbon Campaign          | Against HTML Mail and News