how to get people to upgrade? (Re: The weak link? DNS)

Paul Vixie vixie at vix.com
Wed Mar 26 21:22:59 UTC 2003


i see that a lot of folks are responding publicly.  sorry to spawn a thread.

niels=nanog at bakker.net (Niels Bakker) writes:
> So how much would this differ from `make install' running this shell script?

most bind installations are prefab -- they come with the operating system and
there's no "make install" done after the host has a name.

christian.kuhtz at BellSouth.com ("Kuhtz, Christian") writes:
> Administrator inertia is the root cause.  I don't see how an automatism such
> as the one described changes human behavior.  And unless you change that
> inertia, no amount of notification, databases, registries, yada yada yada
> will make any difference.

this argues for time bombs, where the software will stop working after it
detects some condition (too much time has passed, or an advertisement for
newer software is seen, or a vulnerability notice is seen).  this would be
wildly unpopular, contrary to the open source philosophy, and never adopted.

roque at sbcglobal.net (Pedro R Marques) writes:
> If you want to address this issue my suggestion would be to make BIND
> automatically update itself... an option that needs to default to ON
> and that can be disabled in managed systems where admins are expected
> to read CERT and act upon it.

this solution implies a trust relationship between a server operator and the
software provider which in fact never exists in reality.  even my microsoft
sysadmin friends carefully eyeball any "software update" patch before they'll
put it on production iron.  then there's the local customization issue -- and
the binary problem, since many name server hosts do not have compilers.  again
this would be contrary to the open source philosophy.

***

i don't want to have this be bimodal (run binaries from someone you're
required to trust, or else run source and be out of date most of the time)
since neither mode is interesting or useful.

i do agree that other open source packages (openssl for example, or apache)
would benefit from a good answer to the "how to get folks to upgrade"
question.  however, i'm not sure a single answer will fit all packages.

having the server check for updates and issue local mail is appealing, but
i'm more concerned about MIM when fetching update information than i am with
simply registering package version numbers, hosts, and e-mail addresses.
-- 
Paul Vixie


