undefined | Better HN

0 pointsotterley6mo ago0 comments

> so minor versions should be fine to auto update

The problem is that "should" assumes that point releases never introduce regressions (whether they be security, performance, or correctness). Unfortunately, history has shown that regressions can and do happen. The best practice for release engineering (CI/CD, if you will) is to assume the worst, test thoroughly, and release incrementally (include bake time).

Delaying updates isn't just a backstop against security vulnerabilities; it's useful for letting the dust settle after an update of any kind that can adversely impact the application. The theory is that someone will find it before you, report it, and that a fix will be issued.

0 comments

ozim6mo ago

Regressions are irrelevant in this context, you can accept regressions as something you will deal with in case those happen or not.

Simply installing update automatically you get pwned by bad guys, someone taking over your CI/CD server or infrastructure is not something acceptable.

otterleyOP6mo ago

That makes the advice all the more important, rather than making it "irrelevant." My point was that people mistakenly believe point releases are safe to apply automatically. They're not, and not just because of security.

j / k navigate · click thread line to collapse