From: Xin LI
Organization: The FreeBSD Project
Date: Thu, 10 Jul 2008 03:17:26 -0700
To: Jeremy Chadwick
Cc: Peter Jeremy, freebsd-stable@freebsd.org
Subject: Re: BIND update?
Message-ID: <4875E1B6.3010407@delphij.net>
In-Reply-To: <20080710095809.GA59288@eos.sc1.parodius.com>
List-Id: Production branch of FreeBSD source code

Jeremy Chadwick wrote:
| On Thu, Jul 10, 2008 at 07:44:51PM +1000, Peter Jeremy wrote:
|> On 2008-Jul-10 11:40:06 +0200, Oliver Brandmueller wrote:
|>> shouldn't there be a very urgent BIND update somewhere around?
|> There has been a very long thread about this in -security. Leaving
|> out the trolls and flaming, the salient points are:
|> - The bind port has been updated to include the relevant patches
|> - The security team is aware of the issue and is working on a fix.
|
| I'm curious to know why the BIND ports were updated before the base
| system BIND. Absolutely no offence intended towards Doug, but the
| priority seems reversed.

Speaking for myself: The base system needs a more conservative QA process,
e.g. we want to minimize the change, we need to analyze the impact (FWIW
the security fix would negatively affect heavy traffic sites) and
document it (i.e. the security advisory), and we want to make the change
a one-time one (for instance, shall we patch libc's resolver as well?),
so rushing into a "presumably patched" state would not be a very good
solution.

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!