Re: FLAME - security advisories on the 23rd ? uncool idea is unc

Board: FB_stable, posted 2011/12/25 05:32
On Sat, Dec 24, 2011 at 09:25, Jeremy Chadwick <freebsd@jdc.parodius.com> wrote:
<snip>
>
> While this is generally true, the BIND issue was absolutely not
> addressed "as fast as possible".  I guess you weren't aware that it was
> announced publicly literally over a month ago:
>
> https://www.isc.org/software/bind/advisories/cve-2011-4313
>
> I'm pretty certain there was a software update (new version of BIND)
> announced by ISC shortly after the discovery of this issue.  I say this
> because we updated BIND at my workplace within 48-72 hours after said
> issue was announced.
>
> I say all of the above as politely and sincerely as possible -- I don't
> want the FreeBSD Security Team to feel like I'm slamming them for taking
> so long, as I'm quite aware there is sometimes red tape and unexpected
> complexities that take precedent.  My point is that you're effectively
> telling Damien that he should be thankful for the quick resolution
> times, and that really isn't the case with regards to the BIND issue.
>
> As for the rest of your comments: I both agree and disagree with their
> sentiments.  I would have summed it up as: "responsibility's a bitch".
> Try to remember: Damien admitted point blank, up front, that his Email
> was a rant.  You know what they say about opinions, right?  ;-)
>
> All in all, I do hope everyone here has a good holiday season,
> regardless if that's updating 50+ servers on Christmas Eve or at home
> with family.  Try to take something positive out of either experience.

I was aware, and followed along with, the discussion of the DNS problem on this and other lists. To me, "as fast as possible" does include overcoming the obstacles that lie in wait beyond the brute coding. I also know that those who are more skilled or adventurous and otherwise more fortunate could have grabbed code and done it for themselves, but in many cases it's not possible.

I'm betting that Colin, et al, were sweating over these releases, and really didn't want to do these releases quite so hard up against the holidays, but I'm glad they released them as soon as they felt it was the reasonable thing to do. I'm just afraid I don't have a lot of time for "woe is me" when the security of machines (and by extension of organizations) is at stake.

Kurt
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"