Well, you criticize people who run the latest software here. Two counter-arguments:
1) If you don't upgrade frequently, you end up with super stable debian stuck on ... ancient software. This in turn means that much of the more recent software won't work unless you recompile a lot. I had this issue with mesa for instance, then needing a more recent LLVM, spirv-components and so forth. No chance to have that easily on debian, unless you control what you compile. On my local system here I run gtk2, gtk3 and gtk4 just fine. Good luck having that with debian for recent versions; even debian sid is slow compared to, say, gentoo or arch(linux) or void(linux) here.
2) Even debian systems would be vulnerable to copy.fail. So that strategy is also not automatically better.
Personally I am among the frequent update folks. I use ruby scripts to automatically update to the latest, in the hope that the people who write code are not incompetent. There is no guarantee that newer software is automatically always better; it is a trade-off. I don't have the time and resources for infinite security audits. I need to get things done and this approach, different to the "everything is scary" crowd, works super-well for me. I use a versioned AppDir approach on linux though, so I don't run into many issues of "cannot upgrade because of same .so name issue", so I can conveniently switch to other versions as-is, including the kernel. (Excluding ABI differences and glibc, but for about 98% of the programs this works very well. I am also not alone with the get-everything-working approach, see xserver or gtk2-ng: https://github.com/X11Libre/xserver https://git.devuan.org/Daemonratte/gtk2-ng - granted, for the linux kernel this does not work that well ... I think we need better strategies for the linux kernel, things such as copy.fail should not be possible. I have no good solution here, AI will find many more exploits. No clue how we can prevent this or mitigate this more easily. I was surprised when the local instructor showed us how easy it is to use python for gaining superuser access as-is.)