Date:      Wed, 9 Jul 2008 14:30:51 -0400
From:      Wesley Shields <wxs@FreeBSD.org>
To:        Remko Lodder <remko@FreeBSD.org>
Cc:        freebsd-security@freebsd.org, Josh Mason <wtf.matters@gmail.com>
Subject:   Re: BIND update?
Message-ID:  <20080709183051.GH92109@atarininja.org>
In-Reply-To: <487500A6.2030001@FreeBSD.org>
References:  <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709181515.GG92109@atarininja.org> <487500A6.2030001@FreeBSD.org>

On Wed, Jul 09, 2008 at 08:17:10PM +0200, Remko Lodder wrote:
> Wesley Shields wrote:
> > On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote:
> >> On 7/9/08, Remko Lodder <remko@freebsd.org> wrote:
> >>> Remko Lodder wrote:
> >>>> Josh Mason wrote:
> >>>>
> >>>> Thanks, you really showed how you are by sending these replies. I wish you
> >>> good luck with your quest, perhaps someday someone can help you.
> >>>> Goodbye.
> >>>>
> >>>>
> >>> Hi,
> >>>
> >>> I am sorry for this reply, it was an expression of my frustration towards
> >>> you. The frustration is just easily generated by people demanding support
> >>> from volunteers, that are trying to service you and others in their own
> >>> spare time. Time that they can also spend on different items, yet we
> >>> crazy people decide to work on a Free Operating System, getting nothing
> >>> paid for it, only happy users (where possible) around us.
> >>>
> >>> I think you can understand my frustration, because I think you would reply
> >>> the same if someone demanded even more free time from you.
> >>>
> >>> I hope you can understand this.
> >>>
> >>> //Remko
> >>>
> >> I completely understand and took no offence from your previous email -
> >> I know I am being confrontational. I myself have been in that position
> >> many a time before and know exactly how it feels. Unfortunately that
> >> doesn't negate the responsibility of the security team to produce
> >> patches quickly.
> >>
> >> The initial response of "the sec team is aware of the situation and
> >> will investigate" was basically just fluff. If you weren't already
> >> aware of it you aren't much of a sec team. What is needed is an
> >> expected delivery. I would say considering the nature of the exploit
> >> but honestly that shouldn't change anything at all. If the delivery
> >> isn't going to be immediate there should always be an ETA provided. If
> >> for nothing else other than so your users can plan around it (i.e.
> >> "this is too long I need to take action myself" - "or X time or date
> >> is sufficient I'll wait for the official release and apply it then").
> >> Without that people are twiddling their thumbs wondering if there is
> >> ever going to be one.
> > 
> > You have a good point there.  I'm not aware of any page which describes
> > the current issues under investigation by the security team.  If such a
> > thing does not exist I think it would be a good thing to have,
> > especially if it details rough timelines for things.  By that I mean
> > recording historic information and expected information (we received
> > notification on this date, we expect to have a final advisory on this
> > date).
> > 
> > In the security world there is a balance which must be maintained
> > between providing information to consumers so that they may plan
> > accordingly, and not providing too much information so that the
> > attackers can write exploits; this is the sensitive nature of the
> > information which often leads to opaque processes by security teams
> > around the world.  There is the case where full details are released
> > without advance notice to the vendors/projects, in which case the
> > balance has been lost from the start.
> > 
> > Remko, do you - or anyone else - on the security team have any thoughts
> > on this?  I'd be willing to step up and keep a wiki page (or something
> > else) up to date with the information.
> > 
> > -- WXS
> 
> There will be no such page with information about pending items.
> Sometimes we are bound to non-disclosures etc. We handle this internally
> and will continue to do so. If people cannot live with that (like Josh)
> then that's their challenge.
> 
> Note I speak largely for myself in this case. I am not going to support
> a wiki page or something. I do not know what the other secteam members
> think about that, but I expect something like my opinion.

That's certainly a fair statement.  I understand the non-disclosure
aspect of the situation, but I also feel a more transparent process
wherever possible is a good idea.  I suspect more thought on the
matter is necessary.

-- WXS