headers
Macs R We | 4 Aug 21:56

Re: Apple skewered over missing DNS patch | The Register


On Aug 4, 2008, at 11:59 AM, macosx-talk-request@... wrote:

> From: "Jared Earle" <jearle@...>

> On Fri, Aug 1, 2008 at 5:27 PM, Eugene <list-omnigroup@...>  
> wrote:
>> If you're running BIND, update it yourself.
>> If you're not running BIND, get over yourself.
>
> You're essentially telling us to ditch MacOSX Server and use FreeBSD.
> Thanks, that's excellent advice, especially for this list.

No, I assume he's talking to people running non-server Mac OS X,  
probably 99.95% of the Macs out there.

People who are whining about this "missing patch" are trying to make  
it sound like Mom and Pop Mac users are somehow at risk.  They aren't  
(unless they are from their own ISP, but that's not Apple's issue to  
fix).

Or unless, of course, they turned on BIND manually in their non- 
Server Mac.  The point here is, if they knew enough to do that  
themselves, they know enough to patch it themselves.

Conversely, admins running Server have my sympathy for the wait.

--

-- 
   Macs R We -- Personal Macintosh Service and Support
     in the Wickenburg and far Northwest Valley Areas.
(Continue reading)

Permalink | Reply |
headers
Christopher Bort | 4 Aug 23:09

Re: Apple skewered over missing DNS patch | The Register

On 08/04/08 12:56, macsrwe@... (Macs R We) wrote:

>No, I assume he's talking to people running non-server Mac OS 
>X, probably 99.95% of the Macs out there.
>
>People who are whining about this "missing patch" are trying to 
>make it sound like Mom and Pop Mac users are somehow at risk.  
>They aren't (unless they are from their own ISP, but that's not 
>Apple's issue to fix).
>
>Or unless, of course, they turned on BIND manually in their non-Server
>Mac. The point here is, if they knew enough to do that themselves,
>they know enough to patch it themselves.

Apple provides BIND (along with lots of other FOSS) with the OS, 
both Server and non-Server. It is absolutely Apple's 
responsibility to provide security patches, when available and 
relevant, for software that is included with the OS. Period. 
Whether or not the majority of users are actually using the 
software, thereby putting themselves at risk, is irrelevant. 
Whether or not users can install the patch themselves is 
irrelevant. If Apple provided it, they should provide the 
patched version. In fact, since both Server and non-Server use 
the same BIND, Apple can (and did) provide the patch for both OS 
versions together in the same Software Update package, so the 
whole Server vs. non-Server debate is kind of silly.

--

-- 
Christopher Bort
<topher@...>
(Continue reading)

Permalink | Reply |
headers
scott lewis | 4 Aug 23:15

Re: Apple skewered over missing DNS patch | The Register


On Monday, August 04, 2008, at 05:10PM, "Christopher Bort"
<topher@...> wrote:

>Apple provides BIND (along with lots of other FOSS) with the OS, 

BINGO!

>Whether or not the majority of users are actually using the 
>software, thereby putting themselves at risk, is irrelevant. 

There is only one way Apple can be sure that it's not being used on the client side - stop bundling it.
Permalink | Reply |
headers
Vince LaMonica | 4 Aug 23:23

Re: Apple skewered over missing DNS patch | The Register

On Mon, 4 Aug 2008, scott lewis wrote:

} >Whether or not the majority of users are actually using the 
} >software, thereby putting themselves at risk, is irrelevant. 
} 
} There is only one way Apple can be sure that it's not being used on the 
} client side - stop bundling it.

That would be a bit silly; even if a person doesn't "use" bind, they are 
using it via client apps. Eg: I run TinyDNS [djbdns] on my servers, but 
yet I needed to update bind libraries that were installed for use in 
client programs. I'm pretty sure the "Network Utility" bundled with Mac OS 
X uses those bind9 libraries as well. 

Apple includes a lot of FOSS stuff because they built client apps around 
them; removing the FOSS on the Mac OS X "client" versions would result in 
those apps needing to be removed too [a few examples: Mail.app, Console, 
"web sharing", "Windows sharing", iCal, XCode, Activity Monitor, iChat, 
etc, etc].

/vjl/
Permalink | Reply |
headers
scott lewis | 5 Aug 03:01

Re: Apple skewered over missing DNS patch | The Register


On Monday, August 04, 2008, at 05:23PM, "Vince LaMonica"
<vjl@...> wrote:
>On Mon, 4 Aug 2008, scott lewis wrote:
>

>} There is only one way Apple can be sure that it's not being used on the 
>} client side - stop bundling it.
>
>That would be a bit silly; even if a person doesn't "use" bind, they are 
>using it via client apps. Eg: I run TinyDNS [djbdns] on my servers, but 

My message was meant to have a bit of facetiousness to it, I guess it didn't come across in my reply. :) I
absolutely agree with you, that would be absurd.

In fact, even if what you said wasn't true, it's much simpler. IF Apple ships something, and there's a
security incident that if not serious (it was) but just merely attracts the same amount of attention as
this one did, and every vendor rushes to patch, they absolutely, positively have to patch. Whether they
estimate 1 user uses or 1000.
Permalink | Reply |
headers
Eugene | 7 Aug 21:07

Re: Apple skewered over missing DNS patch | The Register

On Mon, Aug 04, 2008 at 04:09:47PM CDT, Christopher Bort
<topher@...> wrote:
>
> Apple provides BIND (along with lots of other FOSS) with the OS, both 
> Server and non-Server. It is absolutely Apple's responsibility to provide 
> security patches, when available and relevant, for software that is 
> included with the OS. Period.
[...]

And herein lies the debate: the "available and relevant" people
vs. the "period" people.  And this is where rational debate ends
and religiosity begins.

--

-- 
Eugene
http://www.coxar.pwp.blueyonder.co.uk/
Permalink | Reply |

Gmane