When -DNO_ID is *not* set, dnsmasq is very happy to tell you about some of its innards including version information and some statistics. If you don't trust your local network, all of that should be optional. If you're unsure what I mean, grep for NO_ID in the sources.
Needless to say there are plenty of other configuration variables (hard-wired into the executable) you ought to be taking care of that perhaps should prevent landing certain features on most systems.
(In reply to Jeroen Roovers from comment #1) > Needless to say there are plenty of other configuration variables > (hard-wired into the executable) you ought to be taking care of that perhaps > should prevent landing certain features on most systems. Thank you, was this reported upstream? Is there a specific fix for this? I'm not 100% sure, but this sounds like a Defaul Config issue. Gentoo Security Padawan ChrisADR
(In reply to Christopher Díaz from comment #2)
> (In reply to Jeroen Roovers from comment #1)
> > Needless to say there are plenty of other configuration variables
> > (hard-wired into the executable) you ought to be taking care of that perhaps
> > should prevent landing certain features on most systems.
>
> Thank you, was this reported upstream? Is there a specific fix for this?

Why report it upstream? They deliver the code and you get to configure it. If you use their defaults and those happen to not fit your circumstances, you change the defaults and you don't complain upstream.

> I'm not 100% sure, but this sounds like a Default Config issue.

They've already chosen their default[sic]. It's Gentoo that has not.
(In reply to Jeroen Roovers from comment #3)
> They've already chosen their default[sic]. It's Gentoo that has not.

Ok.. @Maintainer please let us know when the default configs are as secure as possible.

Thank you,
Gentoo Security Padawan
ChrisADR
I could theoretically add a default-on USE flag for this option, though "savedconfig" might be a better option for this sort of thing. Generally, we prefer to follow upstream for defaults, as that is a more sustainable approach than reviewing every option independently and changing them.
Go with "savedconfig" like sys-apps/busybox if there are multiple options. No opinion regarding default value at the moment. Like you said, that's upstream default and we are in sync with Debian for example (but maybe they aren't aware...).
Um, instead of introducing an IUSE=savedconfig for a make switch for which the ebuild already incorporates the proper mechanism, why not simply change the default of IUSE=+id to not enabled by default? It's right there in the ebuild.

net-dns/dnsmasq:id - Whether report *.bind CHAOS info to clients, otherwise forward such requests upstream instead

That might need some more explanation, as most people won't know what CHAOS is and whether they want this, even when they might be able to infer that they might not want their clients to get "reports" like this, depending on the environment in which dnsmasq is deployed.
If this is a single option, IUSE is enough. But your comment #1 suggested that there are multiple other options which should be controllable by the user as well. If that's correct and wanted, take the "savedconfig" approach.
(In reply to Thomas Deutschmann from comment #8)
> If this is a single option, IUSE is enough.

Have you even looked at the ebuild?
The commit that introduced IUSE=+id:

commit 59d350e093e650a90925a43325281ba2e9b5d036
Author: Patrick McLean <chutzpah@gentoo.org>
Date:   Thu Jun 1 16:32:50 2017 -0700

    net-dns/dnsmasq: Version bump to 2.77

    Package-Manager: Portage-2.3.6, Repoman-2.3.2

Previous versions did not have NO_ID but did support CHAOS, so the 2.77 ebuild mitigated some of the problems but should not have enabled USE=id by default.
Upstream commit message:

commit 7ac9ae1125a28d511cd1989fab52e93a8a710a6a
Author: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Date:   Fri Sep 9 20:52:08 2016 +0100

    Compile time option NO_ID

    Some consider it good practice to obscure software version numbers to
    clients. Compiling with -DNO_ID removes the *.bind info structure.
    This includes: version, author, copyright, cachesize, cache insertions,
    evictions, misses & hits, auth & servers.
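To check whether a deployed dnsmasq (or any resolver) still hands out its *.bind CHAOS info, the quickest test is a TXT query in class CH for version.bind, the best-known member of the info structure listed in comment #1 and in the upstream commit message above. The following is an added example, not code from the thread or from dnsmasq: it builds the raw DNS query, parses the reply, and reports whether a version string came back. The name probed, the "dnsmasq-2.79" string used in the offline self-test, and the classification labels are all constructed for the example.

```python
import socket
import struct

TXT_TYPE = 16      # RR type TXT
CHAOS_CLASS = 3    # DNS class CH, where version.bind and friends live


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_chaos_txt_query(name: str = "version.bind", txid: int = 0x1234) -> bytes:
    """Header (RD set, one question) followed by <name> TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT_TYPE, CHAOS_CLASS)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_txt_response(msg: bytes) -> dict:
    """Return the rcode and every CH TXT string found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    txts = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TXT_TYPE and rclass == CHAOS_CLASS:
            pos = 0
            while pos < len(rdata):           # TXT rdata is a list of <len><chars>
                ln = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
                pos += 1 + ln
    return {"rcode": flags & 0xF, "txt": txts}


def classify(result: dict) -> str:
    """'disclosed' if a CH TXT string came back, otherwise 'not answered'."""
    return "disclosed" if result["rcode"] == 0 and result["txt"] else "not answered"


def build_txt_response(query: bytes, txt: str = None, rcode: int = 0) -> bytes:
    """Constructed reply used for the offline self-test (not real dnsmasq output)."""
    an = 1 if txt is not None else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, an, 0, 0)
    msg = header + query[12:]                 # echo the question section
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, CHAOS_CLASS, 0, len(rdata)) + rdata
    return msg


def probe(server: str, name: str = "version.bind", timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 to a resolver you administer and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_chaos_txt_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_txt_response(data)


if __name__ == "__main__":
    # Offline round trip on a constructed reply; swap in probe("127.0.0.1") for a live resolver.
    reply = build_txt_response(build_chaos_txt_query(), "dnsmasq-2.79")
    print(classify(parse_txt_response(reply)), parse_txt_response(reply)["txt"])
```

With USE=id (no -DNO_ID) dnsmasq answers the query itself and the result is "disclosed"; built with -DNO_ID it forwards such requests upstream, so whatever comes back reflects the upstream server rather than the local instance, which is the behaviour the ebuild's flag description refers to.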
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36950876fc0da1b5ced6a6c58508f5bc2c8be572

commit 36950876fc0da1b5ced6a6c58508f5bc2c8be572
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2018-03-19 18:10:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2018-03-19 18:11:38 +0000

    net-dns/dnsmasq: Version bump to 2.79

    Closes: https://bugs.gentoo.org/586454
    Closes: https://bugs.gentoo.org/633496
    Closes: https://bugs.gentoo.org/643670
    Gentoo-Bug: https://bugs.gentoo.org/645704
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-dns/dnsmasq/Manifest                   |   1 +
 net-dns/dnsmasq/dnsmasq-2.79.ebuild        | 198 +++++++++++++++++++++++++++++
 net-dns/dnsmasq/files/dnsmasq-init-dhcp-r3 |  35 +++++
 net-dns/dnsmasq/files/dnsmasq-init-r4      |  29 +++++
 net-dns/dnsmasq/files/dnsmasq.logrotate    |   7 +
 5 files changed, 270 insertions(+)