On 14/10/10 14:51, Matthew Toseland wrote:
> Why is it bad to make e.g. a content filter vulnerability mandatory? It looks
> legitimate to me...

Because it takes away the choice from the user. If the user has *turned off* automatic updates, it means they've *made a choice* that they prefer stability over continual features/fixes, and they believe (for whatever reason) that the security risk isn't worth the effort it takes to upgrade.

From another perspective, I don't think my node should deny service to another node *just because* they haven't got a patch for some exploit. If their node has really been compromised, then my node should ideally deal with this by detecting the crap that it sends out. (OTOH I don't want my node to keep trying to talk to a node that can't understand it, which is the one thing "mandatory builds" should be used for.)

An analogy would be if HTTP has versions from 1-1000, but the protocol is actually the same from version 500-750. The only piece of software that implements HTTP 701 has a security bug that's fixed in HTTP 702, but the newer version is still told not to communicate with the old version.

X
