Kevin Darbyshire-Bryant
2016-09-07 10:34:32 UTC
Attached (in case the git send-email didn't work)
Kevin :-)
a) I tend to agree that it's pointless.
b) Not a run-time option, there are too many of those already.
c) Maybe the simplest solution is something like a NO_ID compile time
option that suppresses the whole .bind domain thing?
Certainly happy to take the patch.
Cheers,
Simon.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Hi Simon & all,
There has been a bit of activity on the security front in LEDE and
a recent change proposed removing version numbers from software to
avoid it leaking to 'the bad guys'. I'll say upfront that I'm not
a fan of this approach feeling that it's more of the 'security
through obscurity' route but minds cleverer than mine have thought
about this so from a LEDE point of view 'we're stuck with it'.
LEDE's approach is to simply change the VERSION file to 'UNKNOWN'
at build time. I dislike this because it also removes any info
from the startup logs or even 'dnsmasq --version' and on the basis
that 'version number' is a somewhat basic requirement when
providing advice/support here. A suggestion has been made to
introduce a compile time option that replaces 'version.bind' with
'dnsmasq-UNKNOWN', leaving all the usual version strings intact.
The suggestion was also made rather than having a LEDE specific
patch that 'upstream' dnsmasq might like this feature.
I'm willing to do what should be a simple patch for that behaviour
but is it a) a good idea? b) should it be a run-time option
instead? c) should we consider obscuring other info as well?
Cheers,
Kevin
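
An added example, not part of the thread or of dnsmasq's code: an offline audit check for what a resolver's 'version.bind' answer discloses. It builds the CHAOS-class TXT query, parses a reply, and flags banners that carry a version number. The reply bytes and the sample banner 'dnsmasq-2.76' are constructed here, and the 'dnsmasq-<version>' banner format is an assumption taken from the wording above.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, name="version.bind"):
    """Build the CHAOS-class TXT question discussed in the thread."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 0)  # one question, no flags
    return header + encode_name(name) + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def build_response(query, txt):
    """Constructed stand-in for a server's reply (no network involved)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", qid, 0x8400, 1, 1, 0, 0)  # QR and AA bits set
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_TXT, CLASS_CH, 0, len(rdata))
    return header + query[12:] + answer + rdata

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer is two bytes
            return off + 2
        off += 1 + msg[off]
    return off + 1

def chaos_txt_answers(msg):
    """Return the first TXT string of each CHAOS-class answer record."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH) and rdata:
            found.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
    return found

def discloses_version(txt):
    """True if the banner carries a dotted version number."""
    return re.search(r"\d+\.\d+", txt) is not None
```
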