From: "Remko Lodder"
Reply-To: remko@elvandar.org
To: "Josh Mason"
Cc: freebsd-security@freebsd.org, astorms@ncircle.com
Date: Wed, 9 Jul 2008 17:27:42 +0200 (CEST)
Subject: Re: BIND update?

On Wed, July 9, 2008 5:19 pm, Josh Mason wrote:
> Remko Lodder wrote:
>> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>>> Are going to expect an update for BIND today?
>>>
>>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>>
>>> _______________________________________________
>>
>> Hello,
>>
>> I think it's important that we do not overstretch things instantly. The
>> FreeBSD Security Team is aware of this situation and will investigate how
>> to do plan and act upon this.
>>
>> Thanks,
>> Remko
>>

Hello Josh,

> Right, let's not act swiftly. That would be too much to ask. Is there any
> reason why FreeBSD is one of the last vendors to release patches for the
> vulnerability?

Thanks for taking the time to reply to the thread. Sadly the tone you are
using makes me feel a bit sad. There is a deeper reply in the reply you
sent, and I do not like it. We as the Security Team do our best to act as
soon as possible on things. Items like these tend to take up a lot of time
and resources, we need to test things properly, make sure all the bits and
bytes are OK, so that we don't make people grumpy about things we overlook.
I am sure you can understand that and leave away the attitude.

>
> I apologize, perhaps I should simply do it myself as has been the common
> response as of late, or perhaps install from source retrieved from
> isc.org should be the expected answer?

If you want to do that, no one will be stopping you. We as the security
team will be working as hard as possible to try and understand the problem,
wrap up the correct response and make sure it gets fixed where needed,
these things just take time.

>
> Most other vendors seem to have taken this seriously, yet FreeBSD seems to
> be sitting on their hands for some unknown reason while its users remain
> vulnerable.

We also take this seriously, I think you are short-visioned by telling
something like this. There is a mitigation strategy for the BIND issue as
already reported on the list. Given your response you must be clever enough
to find it.

>
> Thanks for all the hard work,

Thanks for the deeper attitude and the email.
I hope you can understand that we are a volunteer organisation which does
not have paid people working on items 24/7 which other vendors might have.
If you want to have that, I am sure we can get some people so far for
getting paid for their normal wages so that we can do that as well. Till
that time you should understand volunteer organisations better, or come up
with a better proposal; you simply don't know how much is involved here.

>
> Your incredibly loyal follower
>

Sarcastic.

--
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News