
LWN.net Weekly Edition for November 27, 2002

The BIND Forum and the maintenance of critical software

Spurred on, perhaps, by the latest set of BIND vulnerabilities (and the problematic handling of those vulnerabilities), the Internet Software Consortium has announced the startup of the "BIND Forum," with AFNIC, APNIC, ARIN, Compaq, Ericsson, HP, IBM, RIPE, Sun, and VeriSign as initial members. Many in the free software community are suspicious of the Forum and its motives. The Forum is worth a look, however, as one way of managing development and support for a piece of critical network software.

BIND, of course, is the package that implements most of the domain name system. The BIND Forum is a relatively old (and controversial) idea - it was first announced back in January, 2001. The basic idea was that members, in exchange for helping to fund BIND development, would gain access to the BIND developers and, crucially, early access to security updates. The idea of restricting security information (about free software) to those who have paid a fee did not prove popular in the community. As a result of criticism, and, presumably, lack of interest, the Forum idea stalled for almost two years. Now, however, it is back.

Corporate memberships in the Forum cost $5000 per year - unless you have over $2 billion in revenue, in which case you pay $50,000. Universities and nonprofit organizations are asked to pay $1000, and individual memberships have a "target minimum" fee of $100. For these fees, members get:

  • Direct notification of patches from ISC.

  • Read-only access to the ISC cvs server.

  • The ability to attend the "BIND Developers Workshop."

All of this requires signing a relatively lengthy contract (available from the ISC site), along with an "intellectual property policy statement" which, essentially, seems to be a restatement of the BIND license.

Those benefits may well be useful to a small number of companies that are deeply concerned with BIND development. What the Forum really has to offer, though, is early access to security alerts. That access is not available to standard Forum members, though; getting the security information requires signing a separate agreement and tacking an additional 20% onto the membership fees. The agreement states that ISC will notify members of security problems "up to ten days" before telling the world by way of CERT. Members are required to keep this information confidential, however, and must guard it "using authentication and encryption tools which have been approved in writing by ISC."

So, if you pay enough, you'll get early warning of security problems, but only if ISC feels like sending it out. Of course, the last vulnerability was not disclosed through ISC, so Forum membership would not have been all that useful that time around.

The Forum appears, to many, to be a way of extracting money from BIND users by restricting access to vital security information. Some see it as a violation of the ethics of full disclosure and free access to the software. This may all be true, but it is worth keeping some things in mind:

  • Restricted access to security information during the early stages of a vulnerability is increasingly the norm. Linux distributors (and others), for example, maintain a controlled mailing list for the discussion of security problems. Done properly, restricted access can help ensure that patches are available to most users before information on the problem is widely available.

  • Companies that rely heavily on software like BIND have an interest in seeing that it is maintained well. They should be willing to pay for this work.

  • BIND remains free software; anybody who has a better way of maintaining it and handling security problems can fork the project and run it as they see fit.

If the BIND Forum idea is implemented well, it could support the future development of the software and help make it more secure for all users. If implemented poorly, it could become an insiders' club that ends up restricting the general availability of security information indefinitely. The "up to ten days" provision in the security notification agreement is encouraging in this respect: there is an implicit promise that security information will be restricted to the Forum for no longer than that period.

Whether the BIND Forum will be a success and be helpful to all BIND users remains to be seen. It could well go either way. But, as people and companies continue to look around for viable ways of funding free software development, it would not be surprising to see the creation of more organizations like the BIND Forum in the future.


Some DMCA bits

The DMCA will be returning to the news as the Elcomsoft trial starts up again on December 2. Thanks to some intervention by the Justice Department, the defendants will actually be able to show up for their trial this time. Elcomsoft will be trying to attack the DMCA and its effects on fair use rights, but the prosecution will do its best to keep fair use issues out of the courtroom altogether. The DMCA, after all, bans "circumvention devices" without care for the preservation of fair use. And Elcomsoft did sell a "circumvention device" in the US. We wish them the best of luck in their trial, but this case is unlikely to be the one that forces large changes in the DMCA.

There is, meanwhile, a mechanism by which small changes can be made in the DMCA. Every three years, the Library of Congress Copyright Office is supposed to look into whether the prohibition on circumvention devices is having an overly adverse effect on any particular type of work. Should such an effect be found, the office can issue a three-year DMCA exemption.

That inquiry is happening now. Seth Finkelstein, who successfully used the exemption process to win immunity for his work looking at censorware blacklists, has posted an article on the EFF site on how to do it. The exemptions are hard to get, and they are very narrow - they do not extend to distribution of circumvention software, for example. Even so, exemptions poke little holes in the DMCA, and can protect certain kinds of work. For example, a certain Linux distributor has made a big show of not distributing information on security-related kernel patches within the U.S.; this company should probably don its colorful headwear and head off to apply for an exemption, and, thus, demonstrate the adverse effect that the DMCA has had in this area. Anybody else who would like to take the time to put in a serious application to highlight an adverse effect of the anti-circumvention provision of the DMCA should seriously consider doing so. The deadline is December 18.


LWN Update

This week's LWN.net Weekly Edition comes out one day early, so that the LWN staff can go off and enjoy the Thanksgiving holiday. With luck, we'll have finished digesting in time to put out next week's Edition on Thursday as usual.

The individual subscriber count stands nearly constant at 2370. The number of expiring subscriptions is increasing; so far, the flow of new subscribers has been enough to keep the total count from going down.

The statistics-gathering capability of the site has recently been enhanced a bit. So we can now note that, for example, about 11% of the content traffic on LWN.net (excluding the RSS files) originates from logged-in subscribers. So the bulk of our readers, by far, have chosen not to subscribe. There is a relatively high percentage of subscriber traffic from the US, Germany, Britain, and Sweden; on the other hand, Japanese, French, Italian, Australian, and Austrian readers tend not to subscribe.

(For the curious, we got this information by feeding IP addresses to the GeoIP package. GeoIP is licensed under the GPL, and has a Python binding. The statistics are kept as simple counters; we do not track individual readers. The real purpose of this work is to evaluate the idea of offering country-specific text ads; the jury is still out on that one).

Enjoy this week's Edition, and we'll be back on our regular schedule after the holiday. Thanks, as always, for supporting LWN.


Page editor: Jonathan Corbet

Inside this week's LWN.net Weekly Edition

  • Security: Microsoft examines the darknet.
  • Kernel: Some 2.5.49-mm1 patches; reworking User-Mode Linux.
  • Distributions: Debian - after the fire
  • Development: GCC 3.2.1, libsndfile-1.0.2, knoda 0.5.5, gEDA releases, GNU Free Documentation License v1.2, GLAME 0.6.4, WaveSurfer 1.4.6, Audacity 1.1.1-3, XFree86 4.3.0 Feature Freeze, FLTK 1.1.2, Wine release 20021125, OpenOffice developer build 643, Jext 3.2 pre 2.
  • Press: OpenOffice desktop spec, Perens IETF plan, FedEx uses Linux, Eben Moglen on the rough road ahead, Elcomsoft trial ramping up, GeekPAC.
  • Announcements: Tape Device Certification, 1st multivendor Embedded Linux standard, Second Zope Community Handbook, Super Computing announcements, Forum du PHP 2002, LinuxWorld UK.

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds