> Hrm, your statement seems to suggest upgraded versions are primarily security updates.
Not in the slightest. But security updates are part of them.
> Good projects backport security updates (for LTS versions anyway), and new versions with new features come with their own new security issues.
There's a limit to how far back patches go, even on the good projects. Rails 3.2 hasn't received a patch in over 2 and a half years, and while there is some desire to backport security fixes, you're dependent on a single individual having spare time to work on it, where more up-to-date releases receive patches far faster, and are far easier to test and integrate into your existing platform.
I've seen teams, and heard of companies, that are still running services on top of Rails 2 and the like. Now when they look at upgrading Rails, the sheer number of changes is mind-boggling, and often represents a non-starter.
I'm certainly not arguing to keep up on the bleeding edge, but making routine upgrading part of your regular workflow is most definitely an important part of remaining secure.