Home

ISC wants money for BIND patches: news.com

Thu, 11/21/2002 - 09:09 — charlie.collins

Last week several vulnerabilities were discovered in BIND 4 and 8. The group that developed and maintains BIND, ISC (the Internet Software Consortium, whom also makes a few other Internet standard software products) decided to take the opportunity of flaws in their software as time to solicit money from people who needed the patches!?!

Incredible stupidity. I am not against people making money writing software, etc, but BIND is an open source product that has been in use by the Internet community (open source and otherwise) for years and it has always been freely available. In addition BIND is THE DNS server on the Internet. BIND runs a LARGE majority of DNS around the world. This product has a history of being free and open, certainly a reason why it is so popular, and its broken, and the people who make it decide after people have already obtained it, freely, to solicit them for money to get a patch? Is Steve Ballmer working at the ISC now? What the hell?

Specifically ISC said it would not make the patch public and that people needed to email them for the patch and they would provide it. Then when people did email they got a response asking them to join the pay for support BIND maintenance group and NO PATCH. The email stated that the patch would be released to the public later, but for the current time it was only available to paying subscribers to the aforementioned service.

First off this is extortion. Second off if the product is broken you probably dont want to piss people off further by stating you wont give them the patch until they pay. Thirdly if the product is broken you want as many people as possible TO FIX IT NOW to not do any further damage to the overall reputation (not to mention to the Internet itself). ISC has totally missed the boat on this.

Sure get people to sign up for the priority pay service when they originally get BIND. Or pull a Sendmail and make a commercial version and an open source version, etc. But dont give it away at first and then want money for the patches.

Assholes. I was using BIND 9 anyway, but after an attitude like this I might be looking at alternatives like djbdns (tinyDNS) or dents.

For more see the linked news.com story.