On Wed, Dec 29, 2010 at 02:36:49PM +0000, Paul Vixie wrote:
> > 2)  "need to upgrade" will have a different meaning to different people.
> if there's a CVE for a some version, does everybody "need to upgrade"?
> (i see your point that the mere existence of a later version on the same
> release (like you're running 9.17.4 and 9.17.5 comes out) might be of
> varying interest, but if there's a CVE, can we presume universal interest?)

Surely not.  A CVE could be on a feature you have disabled.  For
instance, if the CVE is due to remote root, but the box you're looking
at is a distribution master that never gets queries from the outside,
it might be more prudent to wait than it is to upgrade (because, for
instance, there are other priorities).

This is one reason why packages from your OS supplier are supposed to
be an advantage.  If you use Debian or its derivatives, for instance,
you can put just the security feed in your apt.sources list, and then
keep on top of that.  That's one place to manage all the urgent
upgrades for your system, rather than having every daemon on the
system have its own way of alerting you to these things.
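The "watch just the security feed" idea above, as an added example that is not part of this thread: a POSIX sh snippet that filters an `apt-get -s upgrade` run down to the packages arriving from the Debian security suite, so those can be tracked separately from routine version bumps. The sources.list line assumes a Debian 12 layout, and the package names and versions in the sample apt output are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# A sources.list that carries only the security suite (assumed Debian 12
# layout; change the codename to match the host):
#   deb http://security.debian.org/debian-security bookworm-security main
#
# `apt-get -s upgrade` prints one "Inst" line per package it would upgrade:
#   Inst <pkg> [<old-version>] (<new-version> <origin>:<suite> [<arch>])
# The origin/suite field says whether the update came from the security feed.

# Constructed sample standing in for `apt-get -s upgrade` on a host that
# has both the main and the security suites configured.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Inst bind9 [1:9.18.19-1~deb12u1] (1:9.18.24-1 Debian-Security:12/stable-security [amd64])
Inst bind9-libs [1:9.18.19-1~deb12u1] (1:9.18.24-1 Debian-Security:12/stable-security [amd64])
Inst vim [2:9.0.1378-2] (2:9.0.1378-3 Debian:12.5/stable [amd64])
Conf bind9 (1:9.18.24-1 Debian-Security:12/stable-security [amd64])'

# security_pending: read apt simulation output on stdin and print
# "<pkg> <new-version>" for every Inst line whose suite is a security suite.
# The "(" field is located by scanning, since the [old-version] field is
# absent when a package is newly installed rather than upgraded.
security_pending() {
    awk '$1 == "Inst" {
        ver = ""; suite = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^\(/) { ver = substr($i, 2); suite = $(i + 1); break }
        }
        if (suite ~ /Debian-Security|-security/) print $2, ver
    }'
}

# count_security_pending: number of packages waiting on the security feed.
count_security_pending() {
    security_pending | wc -l | tr -d ' '
}

# Live use on a Debian host would be:
#   apt-get -s upgrade 2>/dev/null | security_pending
# Here it runs over the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | security_pending
```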