by kevincox
1338 days ago
It seems to me that it may be better in many cases to support exactly two configurations (or some other small fixed number). This way there is no need to wait until a new version is released, and dropping the vulnerable one won't cause any downtime. Ideally both code paths would be regularly exercised (maybe clients should pick randomly when both choices are available). Then, as soon as a vulnerability is discovered (maybe even before it is publicly revealed), all clients and servers could immediately drop support for the one that was discovered vulnerable. Then the release of a new configuration can be done slowly with reasonable caution to get back to the desired redundancy level.
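The scheme sketched in the comment above, written out as an added example (this is not code from the commenter or from any project in the thread): each peer supports a small fixed set of configurations, the client picks at random among the ones both sides still accept so both code paths stay exercised, a configuration can be revoked on either side the moment it is found vulnerable, and a redundancy check tells operators how many replacements must be rolled out afterwards. The configuration names `suite-A` and `suite-B`, the `Peer` class and the target redundancy of two are all assumptions made for the example.

```python
"""Fixed-size configuration agility with random selection and fast revocation.

Added illustration of the design described in the comment; the suite names,
the Peer class and TARGET_REDUNDANCY are placeholders chosen for this example.
"""
import random

# Constructed configuration identifiers (e.g. two cipher suites). The scheme
# only assumes a small fixed number of them, not any particular algorithm.
SUPPORTED = ("suite-A", "suite-B")
TARGET_REDUNDANCY = 2  # how many live configurations we want at all times


class Peer:
    """A client or server: knows SUPPORTED plus the configs it has revoked."""

    def __init__(self, name, revoked=(), rng=None):
        self.name = name
        self.revoked = set(revoked)
        self.rng = rng or random.Random()

    def available(self):
        """Configurations this peer still accepts, in SUPPORTED order."""
        return tuple(c for c in SUPPORTED if c not in self.revoked)

    def revoke(self, config):
        """Drop a configuration as soon as it is found vulnerable.

        Revocation is local and immediate: no new release is needed, because
        the other configuration(s) are already implemented and exercised.
        """
        self.revoked.add(config)


def negotiate(client, server):
    """Pick uniformly at random among the configs both peers still accept.

    Returns the chosen configuration, or None if no common one remains,
    which is exactly the outage the redundancy argument is meant to prevent.
    """
    server_ok = set(server.available())
    common = [c for c in client.available() if c in server_ok]
    if not common:
        return None
    return client.rng.choice(common)


def redundancy_deficit(peer):
    """Number of new configurations needed to get back to TARGET_REDUNDANCY."""
    return max(0, TARGET_REDUNDANCY - len(peer.available()))


def exercise_both_paths(client, server, rounds=1000):
    """Count which config each negotiation selects over many rounds.

    With random selection every live configuration should show up regularly,
    so a latent bug in the 'spare' code path is found before it is needed.
    """
    counts = {c: 0 for c in SUPPORTED}
    for _ in range(rounds):
        chosen = negotiate(client, server)
        if chosen is not None:
            counts[chosen] += 1
    return counts


if __name__ == "__main__":
    client, server = Peer("client"), Peer("server")
    print("usage before revocation:", exercise_both_paths(client, server))

    # A flaw is found in suite-A: both sides drop it without any new release.
    client.revoke("suite-A")
    server.revoke("suite-A")
    print("after revocation:", negotiate(client, server),
          "deficit:", redundancy_deficit(client))
```

Note that revocation on only one side is enough to stop a configuration being used: the intersection in `negotiate` excludes it. The deficit reported afterwards is what drives the slow, careful roll-out of a replacement configuration that the comment mentions.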