Brian Thomas Sniffen wrote: > Josh Triplett <josh.trip@verizon.net> writes: > >>Hmmm, good point. That goes back to the problem regarding Debian not >>keeping old versions around. I had imagined that the user could usually >>just point to their distributor unless they personally changed the >>software, but that doesn't cover the case when that distributor no >>longer distributes. > > It also has privacy and security implications. I can't just say "This > is apache, get it from apache.org." I have to say "This is apache > version 1.3.26 with the following plugins..." and I need to do it in a > way accessible to anyone using the software -- even if all I serve > them is a "buzz off, you're unauthenticated" page. > > But standard advice on network security is *not* to advertise specific > banners. I don't think much of that advice, but I sure do see a lot > of it. Is it free to make this kind of requirement of users of the > software, that they ignore good security practice? If your network would be insecure if someone knew the versions of software you run, then your network is insecure. - Josh Triplett
Attachment:
signature.asc
Description: OpenPGP digital signature