[Dnsmasq-discuss] Hiding/obscuring version.bind
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Tue Sep 6 16:14:10 BST 2016
Hi Simon & all,

There has been a bit of activity on the security front in LEDE and a recent change proposed removing version numbers from software to avoid it leaking to 'the bad guys'. I'll say upfront that I'm not a fan of this approach, feeling that it's more of the 'security through obscurity' route, but minds cleverer than mine have thought about this so from a LEDE point of view 'we're stuck with it'.

LEDE's approach is to simply change the VERSION file to 'UNKNOWN' at build time. I dislike this because it also removes any info from the startup logs or even 'dnsmasq --version', and on the basis that 'version number' is a somewhat basic requirement when providing advice/support here. A suggestion has been made to introduce a compile time option that replaces 'version.bind' with 'dnsmasq-UNKNOWN', leaving all the usual version strings intact. The suggestion was also made that rather than having a LEDE specific patch, 'upstream' dnsmasq might like this feature.

I'm willing to do what should be a simple patch for that behaviour but is it a) a good idea? b) should it be a run-time option instead? c) should we consider obscuring other info as well?

Cheers,
Kevin
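The thread is about what a resolver hands back for the CHAOS-class TXT query `version.bind` (the same query `dig version.bind txt chaos` sends). The following is an added example, not Kevin's patch and not dnsmasq code: it builds that query with the standard library only, parses the TXT answer (including compressed names), and flags whether the reply still carries a release number, so an operator can verify on a resolver they administer whether a VERSION-file or version.bind change actually took effect. The embedded reply and its `dnsmasq-2.76` string are constructed for the example; `audit_resolver` is a hypothetical helper name.

```python
import re
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_bind_query(txid: int = 0x1234) -> bytes:
    """Build the CHAOS-class TXT query for version.bind (header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_txt_answers(msg: bytes, txid: int):
    """Return the CHAOS TXT strings in the answer section, checking the transaction id."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    strings = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos = 0
            while pos < len(rdata):          # TXT rdata is a run of <len><chars> items
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return strings


VERSION_RE = re.compile(r"\d+\.\d+")


def leaks_version(strings) -> bool:
    """True if any TXT string still contains something shaped like a release number."""
    return any(VERSION_RE.search(s) for s in strings)


def audit_resolver(host: str, port: int = 53, timeout: float = 2.0):
    """Query a resolver you administer over UDP and report (strings, leaks_version)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(txid), (host, port))
        data, _ = s.recvfrom(512)
    strings = parse_txt_answers(data, txid)
    return strings, leaks_version(strings)


# Constructed sample reply: what a resolver answering "dnsmasq-2.76" would send
# (the version string is made up for this example, not taken from the thread).
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 13)
    + b"\x0cdnsmasq-2.76"
)

if __name__ == "__main__":
    found = parse_txt_answers(SAMPLE_REPLY, 0x1234)
    print(found, "leaks version:", leaks_version(found))
```

Run `audit_resolver("127.0.0.1")` against a local dnsmasq before and after a build-time change; a reply of `['dnsmasq-UNKNOWN']` with `leaks_version` false confirms that only version.bind was altered, while `dnsmasq --version` and the startup log can be checked separately to confirm they still carry the real version string, which is the split Kevin is asking for.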