Software version in nodeinfo

I've noticed that the software version is shown in the NodeInfo endpoint:

I've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.

For example, NodeBB sends x-powered-by header, but only ever sets the value to NodeBB, this has been the case for many years.

The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.

The downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.

3 Likes