From: Chris Palmer <chris@noncombatant.org>
To: Wesley Shields, freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 13:30:08 -0700
Subject: Re: BIND update?
Message-ID: <20080709203008.GF55473@noncombatant.org>
In-Reply-To: <20080709185405.GJ92109@atarininja.org>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> <20080709183325.GE55473@noncombatant.org> <20080709185405.GJ92109@atarininja.org>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Wesley Shields writes:

> > Malware authors create exploits based on information they gleaned by
> > reverse
> > (legitimate businesses).
>
> I'm also not sure how this applies since the project is open source - the
> fix is published at the time of the patch,

My implicit (sorry about that) point was that if closed source software has
no obscurity, there's no way open source software can have any. So we should
not pretend that there is any, nor that it can help. The best course is to
provide users full information about the risks they face and to respond with
timely and correct fixes to those issues that introduce unnecessary risk.

In this case, the BIND bug is already patched and publicly available anyway.