> what i really want to talk > about is: how to get people to upgrade their software when defects > are found. > > sending out announcements through CERT and the bind-announce m/l > isn't working.
Paul, I seems to me that you are assuming that the problem is not enought information gets to system admins... that may be the case in some instances, but it is my belief that the majority of the cases have to do with the fact that systems are not administered. i.e. they where setup once and there are assumed to be running without need for maintenance. imho, this is a very reasonable expectation... unfortunatly most software is not really up to what people expect in this regard. If you want to address this issue my suggestion would be to make BIND automatically update itself... and option that needs to default to ON and that can be disabled in managed systems where admins are expected to read CERT and act upon it. This is sort of the direction other systems are taking... microsoft, which is quite competent on the consumer market, tends to have this automated update tools that can be turned off but are a pain to do so. The result is imperfect but imho better than what would be without such tools. I'm afraid that BIND is currently a consumer tool also and that you should not expect an administrator to be present, even if someone was around to initialy setup the system. Pedro.
