I've noticed that the software version is shown in the NodeInfo endpoint:
I've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.
For example, NodeBB sends x-powered-by
header, but only ever sets the value to NodeBB
, this has been the case for many years.
The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.
The downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.