
Bug#769705: unblock: pdns-recursor/3.6.2-2



On Sun, Nov 16, 2014 at 06:00:12PM +0100, Christian Hofstaedtler wrote:
> * Julien Cristau <jcristau@debian.org> [141116 17:45]:
> > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote:
> > > pdns-recursor does a check with upstream to see if they think the
> > > version the user is running has a security issue. (This check is
> > > done using DNS and a log message is printed if there are known
> > > issues.)
> > > 
> > Calling home sounds like a misfeature...
> 
> In general I'd agree with you.
> 
> Users can turn this off by setting security-poll-suffix empty, as
> pointed out by the upstream docs.
> 
> I think for PowerDNS the home call is warranted, given that...
> 
> 1) both pdns-server and -recursor are usually Internet exposed services
> that regularly see abuse (DDoS reflection, regular DoS, ...)
> 
> 2) they usually end up being installed and then forgotten until they
> stop working (then somebody may read a log file)
> 
> 3) upstream is not some evil enterprise corp, but a pure open source
> company that really tries to tie in and work with downstreams.

We have a security team for this. Users who want to stay secure should
subscribe to debian-security-announce, and react to DSAs.

I'd be pretty surprised if I installed pdns-* and found them checking up on
security for me, even if it is mentioned in the upstream docs. After all,
the point of installing from packages is that the maintainer has done the
donkey work of making things work, so I might not even have cause to refer
to them.

I realise this is done with the best of intentions by upstream, but it
would be better if they worked with the security team and stable release
managers to proactively push updates out to users, instead of relying on
them finding a log snippet.

IMO this should be conservative and disabled by default in the package.
That said, I'm not about to pull pdns from Jessie for it.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
