* Jonathan Wiltshire <jmw@debian.org> [141116 22:13]: > On Sun, Nov 16, 2014 at 06:00:12PM +0100, Christian Hofstaedtler wrote: > > * Julien Cristau <jcristau@debian.org> [141116 17:45]: > > > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote: > > > > pdns-recursor does a check with upstream to see if they think the > > > > version the user is running has a security issue. (This check is > > > > done using DNS and a log message is printed if there are known > > > > issues.) > > > > > > > Calling home sounds like a misfeature... > > > > In general I'd agree with you. > > > > Users can turn this off by setting security-poll-suffix empty, as > > pointed out by the upstream docs. > > > > I think for PowerDNS the home call is warranted, given that... > > > > 1) both pdns-server and -recursor are usually Internet exposed services > > that regularly see abuse (DDoS reflection, regular DoS, ...) > > > > 2) they usually end up being installed and then forgotten until they > > stop working (then somebody may read a log file) > > > > 3) upstream is not some evil enterprise corp, but a pure open source > > company that really tries to tie in and work with downstreams. > > We have a security team for this. Users who want to stay secure should > subscribe to debian-security-announce, and react to DSAs. I think the case here is that some users need more pushing, and people come crying to upstream when they run versions from oldstable. After all, Debian ends support for stable distributions after some time, and "root servers" in some data center farms tend to run way longer than that. > I'd be pretty surprised if I installed pdns-* and found them checking up on > security for me, even if it is mentioned in the upstream docs. After all, > the point of installing from packages is that the maintainer has done the > donkey work of making things work, so I might not even have cause to refer > to them. > > I realise this is done with the best of intentions by upstream, but it > would be better if they worked with the security team and stable release > managers to proactively push updates out to users, instead of relying on > them finding a log snippet. I agree, and I must say that I personally think the Debian packaging (freshness) as well as upstream's (actual and commitment to) help have improved dramatically. > IMO this should be conservative and disabled by default in the package. I disagree based on my view of what software runs (on) the Internet today, and is sending me and others useless, dangerous, and expensive traffic. (I do see the privacy issue here, but it's something different for a server daemon and, say, an office package.) -- ,''`. Christian Hofstaedtler <zeha@debian.org> : :' : Debian Developer `. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03 `-
Attachment:
signature.asc
Description: Digital signature