[Dnsmasq-discuss] Hiding/obscuring version.bind
simon at thekelleys.org.uk
Tue Sep 6 21:23:53 BST 2016
a) I tend to agree that it's pointless.
b) Not a run-time option, there are too many of those already.
c) Maybe the simplest solution is something like a NO_ID compile-time
option that suppresses the whole .bind domain thing?
Certainly happy to take the patch.
On 06/09/16 16:14, Kevin Darbyshire-Bryant wrote:
> Hi Simon & all,
> There has been a bit of activity on the security front in LEDE and
> a recent change proposed removing version numbers from software to
> avoid it leaking to 'the bad guys'. I'll say upfront that I'm not
> a fan of this approach, feeling that it's more of the 'security
> through obscurity' route but minds cleverer than mine have thought
> about this so from a LEDE point of view 'we're stuck with it'.
> LEDE's approach is to simply change the VERSION file to 'UNKNOWN'
> at build time. I dislike this because it also removes any info
> from the startup logs or even 'dnsmasq --version' and on the basis
> that 'version number' is a somewhat basic requirement when
> providing advice/support here. A suggestion has been made to
> introduce a compile-time option that replaces 'version.bind' with
> 'dnsmasq-UNKNOWN', leaving all the usual version strings intact.
> The suggestion was also made rather than having a LEDE specific
> patch that 'upstream' dnsmasq might like this feature.
> I'm willing to do what should be a simple patch for that behaviour
> but is it a) a good idea? b) should it be a run-time option
> instead? c) should we consider obscuring other info as well?
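Added example, not part of this thread or of dnsmasq's code: an offline check an operator can use to confirm what a given build's version.bind reply discloses. It assumes the reply is a CHAOS-class TXT record of the form dnsmasq-<version> (inferred from the 'dnsmasq-UNKNOWN' string above); the function names and the sample version 9.99 are constructed.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name="version.bind", qid=0x1234):
    """CHAOS-class TXT question, the query that version.bind answers."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def txt_answers(msg):
    """Return all CHAOS TXT strings in the answer section of a reply."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == TYPE_TXT and rclass == CLASS_CH and i < len(rdata):
            found.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return found

def discloses_version(msg):
    """True if any TXT string carries a dotted version number."""
    return any(re.search(r"\d+\.\d+", s) for s in txt_answers(msg))

def sample_reply(txt, qid=0x1234):
    """Constructed reply for offline testing; not captured traffic."""
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return struct.pack(">HHHHHH", qid, 0x8580, 1, 1, 0, 0) + build_query()[12:] + rr
```

A reply with no answer records yields an empty list from txt_answers and is reported as not disclosing a version.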