On 2010/10/14 (Oct), at 9:32 AM, Ximin Luo wrote:
> On 14/10/10 14:51, Matthew Toseland wrote:
>> Why is it bad to make e.g. a content filter vulnerability
>> mandatory? It looks legitimate to me...
> Because it takes away the choice from the user. If the user has *turned off*
> automatic updates, it means they've *made a choice* that they prefer stability
> over continual features/fixes, and they believe (for whatever reason) that the
> security risk isn't worth the effort it takes to upgrade.
> What's more, it is also not truly "mandatory" to the programming-inclined.
The node takes the advertised version value from another node at face
value. Months/years ago I made a trivial patch to simply make my
"version" the greatest-seen. I was surprised when it hit +1300 (which
we are only now getting to), indicating that there are other nodes "in
the wild" which do not obey the mandatory versioning scheme.
So this means that the developers can make a choice as to how to use
the software that "ordinary" users cannot; arguably going against the
spirit of open source software.
> From another perspective, I don't think my node should deny service to another
> node *just because* they haven't got a patch for some exploit. If their node
> has really been compromised, then my node should ideally deal with this by
> detecting the crap that it sends out.
I like it !!! When a node detects an out-of-protocol condition, it
responds with a new message: "WTF?". Which the receiving node takes to
mean it is incompatible/too-old. Don't know if it would work any better.
(OTOH I don't want my node to keep trying to talk to a node that can't
understand it, which is the one thing "mandatory builds" should be
used for.)
> An analogy would be if HTTP has versions from 1-1000, but the protocol is
> actually the same from version 500-750. The only piece of software that
> implements HTTP 701 has a security bug that's fixed in HTTP 702, but the newer
> version is still told not to communicate with the old version.
Yes, but unlike HTTP, freenet is still experimental. As such, I think
the present goal of mandatory releases is more to ensure that there is
a degree of uniformity so that network changes can be reliably judged and
issues diagnosed.
--
Robert Hailey
_______________________________________________
Devl mailing list
[email protected]
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
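The two compatibility checks argued over in this thread, modelled as an added toy example (this is not Freenet's code; the build numbers, the build-to-protocol-level table, the message names and the "WTF?" reply are all assumptions made for the illustration). It shows that a gate based on the build number a peer *advertises* is defeated by a node that simply reports the greatest build it has seen, while a gate based on whether the peer actually understands the messages sent to it is not, and that the behavioural gate keeps talking to a 701-style node that speaks the same protocol as 702:

```python
"""Toy model of advertised-version gating vs. behavioural gating.

Added illustration only: the build numbers, the protocol_level() table,
the message set and the "WTF?" reply are assumptions for the example,
not Freenet's protocol.
"""
from dataclasses import dataclass


def protocol_level(build: int) -> int:
    """Assumed mapping from build number to the protocol a build speaks.
    Builds 500-750 speak the same protocol (the HTTP analogy); 751+ add a
    new message type."""
    if build < 500:
        return 1
    if build <= 750:
        return 2
    return 3


# Messages each (assumed) protocol level understands.
MESSAGES_BY_LEVEL = {
    1: {"Ping"},
    2: {"Ping", "DataRequest"},
    3: {"Ping", "DataRequest", "ProbeRequest"},
}


@dataclass
class Node:
    name: str
    real_build: int          # the build actually running
    spoof: bool = False      # advertise the greatest build seen so far
    seen_max: int = 0        # highest build number observed from any peer

    def advertised_build(self) -> int:
        """What this node claims in the handshake: its real build, or, for a
        spoofing node, the greatest build it has seen (the trivial patch
        described in the thread)."""
        if self.spoof:
            return max(self.real_build, self.seen_max)
        return self.real_build

    def observe(self, peer_build: int) -> None:
        self.seen_max = max(self.seen_max, peer_build)

    def handle(self, msg: str) -> str:
        """Reply "OK" to messages this build's protocol understands, and the
        thread's proposed "WTF?" to an out-of-protocol message."""
        if msg in MESSAGES_BY_LEVEL[protocol_level(self.real_build)]:
            return "OK"
        return "WTF?"


def version_gate(me: Node, peer: Node, min_mandatory: int) -> bool:
    """Mandatory-build gate: both sides exchange advertised build numbers and
    'me' accepts the peer if its *claimed* build meets the floor.  Nothing
    here verifies the claim."""
    my_claim = me.advertised_build()
    peer_claim = peer.advertised_build()
    me.observe(peer_claim)
    peer.observe(my_claim)
    return peer_claim >= min_mandatory


def behaviour_gate(me: Node, peer: Node) -> bool:
    """Behavioural gate: send each message I speak and reject the peer on the
    first "WTF?".  Accepts any peer that actually speaks my protocol,
    whatever build number it carries."""
    for msg in sorted(MESSAGES_BY_LEVEL[protocol_level(me.real_build)]):
        if peer.handle(msg) == "WTF?":
            return False
    return True


if __name__ == "__main__":
    new = Node("new", 1300)
    spoofer = Node("spoofer", 600, spoof=True)
    print("first contact, version gate:", version_gate(new, spoofer, 1250))
    print("spoofer now advertises:", spoofer.advertised_build())
    print("retry, version gate:", version_gate(new, spoofer, 1250))
    print("retry, behaviour gate:", behaviour_gate(new, spoofer))
    b701, b702 = Node("b701", 701), Node("b702", 702)
    print("701 vs 702, version gate:", version_gate(b702, b701, 702))
    print("701 vs 702, behaviour gate:", behaviour_gate(b702, b701))
```

On first contact the spoofing node still advertises its real build and is rejected, but having seen a 1300 peer it advertises 1300 on the retry and passes the version gate; the behavioural gate rejects it because it cannot handle `ProbeRequest`. Conversely the 701 node is rejected by a mandatory floor of 702 even though the behavioural gate shows it speaks exactly the same protocol.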