CK> The way I see it, the issue isn't that there aren't enough CK> notifications of BIND vulnerabilities.
Perhaps. But how much is enough? Current notification levels certainly get a fair number of admins to upgrade.
Feel free to elaborate on where you think gaps exist..
CK> Administrator inertia is the root cause. I don't see how an CK> automatism such as the one described changes human behavior. CK> And unless you change that inertia, no amount of CK> notification, databases, registries, yada yada yada will make CK> any difference.
Correct. Human behavior won't change. The pain must exceed the inertia.
I'm always open to suggestions. Let's just suppose for a moment that pain is in fact the right approach. How do you create such 'pain'? Spamming admins with (even more) emails is a bad idea, IMHO. I'm sure it'll catch some of those who enable the feature it, but will it really make that much of a difference? For example, I can't think of a precedent for self-updating software that works (well), especially with the high degree of customization available in BIND. Until we find that holy grail, IMHO, the most you can do is make an update readily available and tell people about it. Thanks, Christian ***** "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers."