vixie at isc.org
Tue Jun 14 15:26:12 UTC 2011
> Date: Tue, 14 Jun 2011 12:05:11 +0200
> From: Hauke Lampe <lampe at hauke-lampe.de>
> > I'm not convinced that getting BIND to phone home (when? how often?) is
> > worthwhile.
> I agree there. But *if* it is implemented, it should not use the version
> number itself because that's not a good indicator on the patch level.
just to clarify, patch level is not important, vulnerability is important.
so, information of the form "a later version is available" is not what i'm
hoping for here, even if the later version has some bug fixes. defects are
something a sysadmin should want to know about and i agree with others here
that a better way of discovering that than "watch the mailing list" should
be available. however, defects aren't worthy of a phone home debate.

the thing that rises to the level of "public good" here is vulnerabilities,
and for those, a specific version number is the lookup key we'd need. we
can talk about ways to ask for a broad set of vulnerable version data so
that the version number of the server that's testing itself is not exposed
on the network (even though speaking for ISC it would really help us to know
which versions are in widest use so we could stop patching the dead ones.)

however, to reframe the inquiry, the thing sysadmins should care about
(whether later versions exist) is different from the thing ISC should care
about (whether sysadmins know that they are running _vulnerable_ code.)
we probably need to discuss and solve both of those problems, but they are
different problems and may not lead to an overlapping solution.
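
The lookup sketched above, fetching a broad set of vulnerable-version data and doing the match locally so the server's own version string is never sent, as an added example that is not part of the original thread and is not ISC or BIND code. The feed format, the advisory labels (EXAMPLE-*), the version ranges and the "newest release per branch" table are all constructed for illustration and correspond to no real advisory; the code answers both questions the message separates (is a later version available, and is this version vulnerable) from the same locally held data.

```python
"""Local check of a server's version against a bulk vulnerable-version feed.

Added example, not code from the original thread, ISC or BIND. The feed
format, the advisory labels (EXAMPLE-*), the version ranges and the LATEST
table below are constructed for illustration only and correspond to no real
advisory. The point demonstrated is the split the message draws: "a later
version exists" and "this version is vulnerable" are two different answers,
and both are computed locally after fetching the whole feed, so the server's
own version string never leaves the host.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, P-level)

# BIND-style release strings: "9.7.3" or "9.7.3-P1". Anything else (betas,
# release candidates, vendor-suffixed strings) is rejected rather than guessed
# at: a distro-patched "9.7.3" may carry fixes its version number does not show,
# which is exactly why the version string alone is an unreliable patch-level
# indicator.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'M.m.p[-Pn]' into a comparable tuple; a plain release is P0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


# Constructed feed. Each entry lists half-open ranges [min, max) of affected
# versions; "max" is the first release that carries the fix. In a real
# deployment the feed must arrive over an authenticated channel (TLS, or a
# signature over the file), otherwise whoever controls it can silence warnings.
FEED: List[Dict] = [
    {"id": "EXAMPLE-A", "affected": [("9.7.0", "9.7.3-P2")]},
    {"id": "EXAMPLE-B", "affected": [("9.6.0", "9.6.4"), ("9.8.0", "9.8.0-P2")]},
]

# Constructed "newest release per branch" table, served alongside the feed.
LATEST: Dict[str, str] = {"9.6": "9.6.4", "9.7": "9.7.4", "9.8": "9.8.1"}


def vulnerable_entries(version: str, feed: List[Dict] = FEED) -> List[str]:
    """IDs of feed entries whose affected ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for entry in feed:
        for lo, hi in entry["affected"]:
            if parse_version(lo) <= v < parse_version(hi):
                hits.append(entry["id"])
                break  # one matching range per entry is enough
    return hits


def newer_release(version: str, latest: Dict[str, str] = LATEST) -> Optional[str]:
    """Newest release on the same branch if it is newer than `version`, else None."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    candidate = latest.get(branch)
    if candidate is None or parse_version(candidate) <= v:
        return None
    return candidate


def check(version: str) -> Dict[str, object]:
    """Answer both questions locally; nothing about `version` is sent anywhere."""
    return {
        "version": version,
        "vulnerable": vulnerable_entries(version),
        "newer_release": newer_release(version),
    }


if __name__ == "__main__":
    for v in ("9.7.3-P1", "9.7.3-P2", "9.8.0", "9.8.1"):
        print(check(v))
```

The two results are deliberately kept apart: `newer_release` answers the sysadmin's question (is there something later on my branch), `vulnerable_entries` answers the one the message calls the public-good question (am I running code with a known defect), and a version can be current on its branch yet still appear in the feed, or be behind yet clean.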