Bug#769705: unblock: pdns-recursor/3.6.2-2

To: Christian Hofstaedtler <zeha@debian.org>, 769705@bugs.debian.org
Subject: Bug#769705: unblock: pdns-recursor/3.6.2-2
From: Jonathan Wiltshire <jmw@debian.org>
Date: Sun, 16 Nov 2014 21:12:59 +0000
Message-id: <[🔎] 20141116211259.GE6216@lupin.home.powdarrmonkey.net>
Reply-to: Jonathan Wiltshire <jmw@debian.org>, 769705@bugs.debian.org
In-reply-to: <[🔎] 20141116170012.GA9767@sx.local>
References: <[🔎] 20141115174029.GA28003@nq.home.zeha.at> <[🔎] 20141116161310.GI2077@betterave.cristau.org> <[🔎] 20141116162401.GB7308@sx.local> <[🔎] 20141116164449.GO2077@betterave.cristau.org> <[🔎] 20141116170012.GA9767@sx.local>

On Sun, Nov 16, 2014 at 06:00:12PM +0100, Christian Hofstaedtler wrote:
> * Julien Cristau <jcristau@debian.org> [141116 17:45]:
> > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote:
> > > pdns-recursor does a check with upstream to see if they think the
> > > version the user is running has a security issue. (This check is
> > > done using DNS and a log message is printed if there are known
> > > issues.)
> > > 
> > Calling home sounds like a misfeature...
> 
> In general I'd agree with you.
> 
> Users can turn this off by setting security-poll-suffix empty, as
> pointed out by the upstream docs.
> 
> I think for PowerDNS the home call is warranted, given that...
> 
> 1) both pdns-server and -recursor are usually Internet exposed services
> that regularly see abuse (DDoS reflection, regular DoS, ...)
> 
> 2) they usually end up being installed and then forgotten until they
> stop working (then somebody may read a log file)
> 
> 3) upstream is not some evil enterprise corp, but a pure open source
> company that really tries to tie in and work with downstreams.

We have a security team for this. Users who want to stay secure should
subscribe to debian-security-announce, and react to DSAs.

I'd be pretty surprised if I installed pdns-* and found them checking up on
security for me, even if it is mentioned in the upstream docs. After all,
the point of installing from packages is that the maintainer has done the
donkey work of making things work, so I might not even have cause to refer
to them.

I realise this is done with the best of intentions by upstream, but it
would be better if they worked with the security team and stable release
managers to proactively push updates out to users, instead of relying on
them finding a log snippet.

IMO this should be conservative and disabled by default in the package.
That said, I'm not about to pull pdns from Jessie for it.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Christian Hofstaedtler <zeha@debian.org>

References:
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Christian Hofstaedtler <zeha@debian.org>
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Julien Cristau <jcristau@debian.org>
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Christian Hofstaedtler <zeha@debian.org>
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Julien Cristau <jcristau@debian.org>
- Bug#769705: unblock: pdns-recursor/3.6.2-2
  - From: Christian Hofstaedtler <zeha@debian.org>

Prev by Date: Bug#769705: Bug#769711: unblock: pdns/3.4.1-3
Next by Date: Bug#769705: Bug#769711: unblock: pdns/3.4.1-3
Previous by thread: Bug#769705: unblock: pdns-recursor/3.6.2-2
Next by thread: Bug#769705: unblock: pdns-recursor/3.6.2-2
Index(es):
- Date
- Thread