> The way I see it, the issue isn't that there aren't enough
> notifications of BIND vulnerabilities.Perhaps. But how much is enough? Current notification levels
certainly get a fair number of admins to upgrade.
Feel free to elaborate on where you think gaps exist..
> Administrator inertia is the root cause. I don't see how an
> automatism such as the one described changes human behavior.
> And unless you change that inertia, no amount of
> notification, databases, registries, yada yada yada will make
> any difference.Correct. Human behavior won't change. The pain must exceed the
inertia.
I'm always open to suggestions.
Let's just suppose for a moment that pain is in fact the right approach.
How do you create such 'pain'?
Spamming admins with (even more) emails is a bad idea, IMHO. I'm sure it'll
catch some of those who enable the feature it, but will it really make that
much of a difference?
For example, I can't think of a precedent for self-updating software that
works (well), especially with the high degree of customization available in
BIND.
Until we find that holy grail, IMHO, the most you can do is make an update
readily available and tell people about it.
Thanks,
Christian