On 2010/10/14 (Oct), at 9:32 AM, Ximin Luo wrote:

> On 14/10/10 14:51, Matthew Toseland wrote:
>> Why is it bad to make e.g. a content filter vulnerability  
>> mandatory? It looks legitimate to me...
>
> Because it takes away the choice from the user. If the user has *turned off*
> automatic updates, it means they've *made a choice* that they prefer stability
> over continual features/fixes, and they believe (for whatever reason) that the
> security risk isn't worth the effort it takes to upgrade.

What's more, it is also not truly "mandatory" to the programming-inclined.

The node takes the advertised version value from another node at face  
value. Months/years ago I made a trivial patch to simply make my  
"version" the greatest-seen. I was surprised when it hit +1300 (which  
we are only now getting to), indicating that there are other nodes "in  
the wild" which do not obey the mandatory versioning scheme.

So this means that the developers can make a choice as to how to use
the software that "ordinary" users cannot; arguably going against the
spirit of open source software.

> From another perspective, I don't think my node should deny service to another
> node *just because* they haven't got a patch for some exploit. If their node
> has really been compromised, then my node should ideally deal with this by
> detecting the crap that it sends out.

I like it!!! When a node detects an out-of-protocol condition, it
responds with a new message: "WTF?". Which the receiving node takes to  
mean it is incompatible/too-old. Don't know if it would work any better.

> (OTOH I don't want my node to keep trying to talk to a node that can't
> understand it, which is the one thing "mandatory builds" should be used for.)
>
> An analogy would be if HTTP has versions from 1-1000, but the protocol is
> actually the same from version 500-750. The only piece of software that
> implements HTTP 701 has a security bug that's fixed in HTTP 702, but the newer
> version is still told not to communicate with the old version.

Yes, but unlike HTTP, Freenet is still experimental. As such, I think
the present goal of mandatory releases is more to ensure that there is
a degree of uniformity so that network changes can be reliably judged and
issues diagnosed.

--
Robert Hailey

