Date:      Sat, 24 Dec 2011 13:28:49 -0800
From:      Kurt Buff <kurt.buff@gmail.com>
To:        "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject:   Re: FLAME - security advisories on the 23rd ? uncool idea is uncool
Message-ID:  <CADy1Ce48yAmeYfv7EJE=VxtVBa3t2JdHdWiBS6CN5y3diN0e_w@mail.gmail.com>
In-Reply-To: <20111224172505.GA48953@icarus.home.lan>
References:  <4EF4A75C.2040609@my.gd> <CADy1Ce4Gq2EmGj7GL93kArkGzT1hZ2kk43oRC+9iRn5TDj1HEA@mail.gmail.com> <20111224172505.GA48953@icarus.home.lan>

On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick <freebsd@jdc.parodius.com> wrote:
<snip>
>
> While this is generally true, the BIND issue was absolutely not
> addressed "as fast as possible". I guess you weren't aware that it was
> announced publicly literally over a month ago:
>
> https://www.isc.org/software/bind/advisories/cve-2011-4313
>
> I'm pretty certain there was a software update (new version of BIND)
> announced by ISC shortly after the discovery of this issue. I say this
> because we updated BIND at my workplace within 48-72 hours after said
> issue was announced.
>
> I say all of the above as politely and sincerely as possible -- I don't
> want the FreeBSD Security Team to feel like I'm slamming them for taking
> so long, as I'm quite aware there is sometimes red tape and unexpected
> complexities that take precedence. My point is that you're effectively
> telling Damien that he should be thankful for the quick resolution
> times, and that really isn't the case with regards to the BIND issue.
>
> As for the rest of your comments: I both agree and disagree with their
> sentiments. I would have summed it up as: "responsibility's a bitch".
> Try to remember: Damien admitted point blank, up front, that his Email
> was a rant. You know what they say about opinions, right? ;-)
>
> All in all, I do hope everyone here has a good holiday season,
> regardless if that's updating 50+ servers on Christmas Eve or at home
> with family. Try to take something positive out of either experience.

I was aware, and followed along with, the discussion of the DNS
problem on this and other lists. To me, "as fast as possible" does
include overcoming the obstacles that lie in wait beyond the brute coding.
I also know that those who are more skilled or adventurous and
otherwise more fortunate could have grabbed code and done it for
themselves, but in many cases it's not possible. I'm betting that
Colin, et al., were sweating over these releases, and really didn't
want to do these releases quite so hard up against the holidays, but
I'm glad they released them as soon as they felt it was the reasonable
thing to do.

I'm just afraid I don't have a lot of time for "woe is me" when the
security of machines (and by extension of organizations) is at stake.

Kurt
