From: "Josh Mason"
To: "Remko Lodder"
Date: Wed, 9 Jul 2008 13:27:06 -0400
Cc: freebsd-security@freebsd.org, astorms@ncircle.com
Subject: Re: BIND update?

On 7/9/08, Remko Lodder wrote:
> Remko Lodder wrote:
> > Josh Mason wrote:
> >
> > Thanks, you really showed how you are by sending these replies. I wish you
> > good luck with your quest, perhaps someday someone can help you.
> >
> > Goodbye.
> >
>
> Hi,
>
> I am sorry for this reply, it was an expression of my frustration towards
> you. The frustration is just easily generated by people demanding support
> from volunteers, that are trying to service you and others in their own
> spare time. Time that they can also spend on different items, yet we
> crazy people decide to work on a Free Operating System, getting nothing
> paid for it, only happy users (Where possible) around us.
>
> I think you can understand my frustration, because I think you would reply
> the same if someone demanded even more free time from you.
>
> I hope you can understand this.
>
> //Remko
>

I completely understand and took no offence from your previous email - I know I am being confrontational. I myself have been in that position many a time before and know exactly how it feels.

Unfortunately that doesn't negate the responsibility of the security team to produce patches quickly. The initial response of "the sec team is aware of the situation and will investigate" was basically just fluff. If you weren't already aware of it you aren't much of a sec team.

What is needed is an expected delivery. I would say considering the nature of the exploit but honestly that shouldn't change anything at all. If the delivery isn't going to be immediate there should always be an ETA provided. If for nothing else other than so your users can plan around it (i.e. "this is too long I need to take action myself" - "or X time or date is sufficient I'll wait for the official release and apply it then"). Without that people are twiddling their thumbs wondering if there is ever going to be one.

Josh