[HN Gopher] Never update anything
___________________________________________________________________
Never update anything
Author : cesarb
Score : 70 points
Date : 2021-11-04 12:16 UTC (1 days ago)
(HTM) web link (blog.kronis.dev)
(TXT) w3m dump (blog.kronis.dev)
| mt42or wrote:
| I'm not sure if this is a joke or not.
| emef wrote:
| > Here's a fair warning: this article is reductio ad absurdum,
|
| literally the first sentence...
| hutzlibu wrote:
| It is not a joke, just a very frustrated (clickbaity) hyperbole
| rant.
|
| "My premise is that updates are a massive waste of time, most
| of the time. Obviously, someone will jump out and say that
| "Hey, if you don't update, your Windows XP installation will
| get added to a botnet in less than a week," and they'll also be
| right at the same time. "
|
| So my understanding is, when compared to an academic,
| idealistic point of view, handling of updates is not optimal.
| Sure thing.
|
| But in reality, you still must patch your WinXP system if you
| have no better alternative and the author likely agrees. And if
| you do have a shitty legacy java project that is still needed
| in production - you still have to patch it, if you have to use
| it in the wild.
| shimonabi wrote:
| I upgraded my Ubuntu distribution last week and my old Xerox
| Phaser laser printer stopped working over the network.
|
| Something like this should never happen.
| michaelt wrote:
| I've got some sympathy for this perspective.
|
| It's frustrating when you update in order to get the latest
| security updates - and you get forced to do a bunch of pointless
| busywork because some asshole has made some arbitrary change like
| deciding that 'which' is deprecated now.
| schaefer wrote:
| DOS 5.2 ftw
| snerbles wrote:
| Do what my Tandy 1000 did, and burn DOS 3.3 right to ROM. None
| of this wimpy flash-but-with-a-read-only-bit, no fancy
| UV-erasable EEPROM...just honest-to-goodness-blown-fuse ROM.
|
| Boots immediately too.
| forgotmypw17 wrote:
| I literally never update anything unless it is not working. Quite
| happy here with Firefox 66.x on Ubuntu 14.x, which is what
| happened to come with this particular device.
|
| I have an iPad running iOS 8.x, which I'm also very happy with,
| especially when I do testing on the clusterfucks that are later
| iOS and Firefox releases.
|
| Browsing a handful of reputable text-based websites from behind a
| NAT, I don't see the problem. (And I feel the same way about
| HTTP, which is faster, more compatible, and more accessible to
| boot.)
| paxys wrote:
| Semantic versioning is a curse. It makes perfect logical sense
| until you are a few iterations in and quickly run into dependency
| hell as shown in the diagrams in the article.
|
| My solution to this isn't "never update anything", but rather
| "never version anything". People can choose to stick to the bits
| they originally got, which is perfectly fine, or they can switch
| to the current "live" one. As a developer I'm only ever building
| and maintaining the latest source.
| HWR_14 wrote:
| Versioning things helps with bug reports. Oh, this was
| introduced in 3.144.42? Great, let's look at the changes to
| that build.
| SkeuomorphicBee wrote:
| You don't need semantic versioning for that. "Oh, this was
| introduced in build 22456" works just as well.
| nameisname wrote:
| Except that using a build number in the way you're
| describing is just a worse semantic version. You now have
| no way to indicate if your changes are breaking. Separation
| of your pipelines also just got a lot more hectic because
| you could have a situation where you don't know what
| happened when you're missing "versions" (builds) because
| it's failing but still incrementing... Using build numbers
| for versioning doesn't really work in a large ecosystem and
| often relies on picking the latest of a branch or having to
| sift through builds when deploying to find the right one.
| jkrubin wrote:
| 100% the way to go. Also people in Python land (myself
| included) are prone to "emotional" versioning
| named-user wrote:
| http://sentimentalversioning.org/
| CTmystery wrote:
| I'm trying to understand this comment. Do you never use package
| managers?
| HWR_14 wrote:
| I tend to agree with the premise that in general updates aren't
| something to race out and apply. Security updates, yes. Updates
| that are required because of API changes, yes. Other ones are
| often more trouble than they are worth.
| moonchrome wrote:
| Like the author mentions in the backporting section, if you
| don't update you'll fall behind maintained version and then you
| don't get security updates and upgrading is a huge chunk of
| work that has to be tackled as a giant step. Depends on your
| priorities and timeline; not updating is the most
| straightforward example of creating technical debt.
| dtoznayxvf wrote:
| If the software you are using auto-updates and you lose business
| or esteem of peers -- it's YOUR fault.
|
| Allowing most software companies to update anything on a running,
| functioning work-related machine that you use to make $$, is
| ASKING FOR IT. WHEN it breaks something that is your fault for
| being so stupid.
|
| I update software in most cases by installing it on another
| machine/device and then once it is confirmed to work, switching
| devices and wiping the former-work-device.
|
| Yes I have more than 2 of everything critical for making $$.
|
| Yes I filter all my inbound and outbound network traffic and
| default deny, at home and on the road
|
| Software that prevents you from disabling auto-updates is a
| virus.
| titzer wrote:
| > WHEN it breaks something that is your fault for being so
| stupid.
|
| Sorry, this one raises my hackles. It's exactly such a
| user-hostile worldview that makes everything suck. It's just more
| victim-blaming and elitist tongue clicking that helps
| absolutely no one.
|
| _Everyone_ is stupid when it comes to software. There are
| hundreds of millions, if not billions, of lines of code,
| written by tens of thousands of different people, with myriad
| internal and external complexity, all breaking and falling
| apart at the same time. It is _literally_ beyond human
| comprehension all the niggling details that could go wrong.
|
| I whole-fist pushback against this "oh you should know what you
| are doing with metric asstons of other people's code". Uh, no.
| That's the attitude of unserious people who want to ship
| garbage and make it users' problem.
| mwaitjmp wrote:
| Having two of everything is actually a pretty decent idea.
|
| Part of the fear of updating though is the time sink.
|
| Even if I attempt to update one mac laptop to the new version
| (of which I believe there is a new one just released, doesn't
| seem long since I last updated...) knowing that I have a safe
| backup, I dread the thought of spending hours knowing something
| _should_ be working but is now broken. It can be infuriating.
| Especially when it's a pattern/way of working you have become
| so accustomed to.
| endymi0n wrote:
| Having two servers with an unpatched CVE 10/10 vuln will get
| both pwned in short to no time.
|
| Or just one, exposing your data in a ransom attack.
|
| Dependency and update management is hard. Welcome to IT.
|
| From my experience, extreme viewpoints and religions are
| convenient in the way they have answers to all hard questions
| in life that are simple, clear and wrong.
|
| If you like simple and correct answers, you're usually better
| off choosing simple questions instead.
| dtoznayxvf wrote:
| dear raul, did you read the article? 'Here's a fair
| warning: this article is reductio ad absurdum, therefore
| you shouldn't take it as gospel. '
| ch4s3 wrote:
| This resonates with me for a LOT of reasons but I take a very
| different approach. I try to keep just a few dependencies and
| keep them all up to date. For most updates I can read every
| line of updated code. I learn a lot, get all of the security
| patches, and sometimes I realize I don't need a dependency and
| I remove it. I'm always trying to take small calculated risks.
| I have great monitoring and rollbacks are easy.
| [deleted]
| ketralnis wrote:
| If you're running software maintained by someone else and you
| don't let them do that, and there's a security or major bug fix
| and you lose business or esteem of peers -- it's YOUR fault.
|
| Ignoring upstream security fixes on a work-related machine that
| you use to make $$, is ASKING FOR IT. WHEN it breaks something
| that is your fault for being so stupid.
|
| Neither of these extremisms is helpful. It's clearly more
| nuanced than any of this.
| dtoznayxvf wrote:
| Of course it is. Context matters. I was trying to keep with
| the spirit of the article: 'Here's a fair warning: this
| article is reductio ad absurdum, therefore you shouldn't take
| it as gospel. ' Usually though in my experience, if you also
| control the network, then most security updates can wait to
| be tested on a non-production machine. Also it helps to never
| ever use Windows.
| repomies69 wrote:
| In one company there were quite old linux boxes that were never
| updated. They never caused any problems, the software in them
| kept chugging along just nicely.
| ssklash wrote:
| As a red teamer/pentester, this is an attacker's dream. This has
| to be a joke.
| hdjjhhvvhga wrote:
| In general, of course. However, the article describes the
| ridiculousness of today's update mania. And there are actually
| systems that I don't update very often (my OpenBSD-based
| firewall) without losing any sleep over it. Unfortunately, such
| systems are very few in the real world.
| freeflight wrote:
| Auto-updates are an attacker's dream too.
|
| Also, this disclaimer in the very first sentence of the
| article:
|
| _> "Here's a fair warning: this article is reductio ad
| absurdum"_
| Waterluvian wrote:
| AWS: "Postgres 9.6 is old. On January 22 we will forcibly update
| your instances to 12. We hope you noticed this alert. We
| certainly didn't email you about this. You'd better get off your
| ass and test/fix your clients for any potential issues."
| AzzieElbab wrote:
| Never updating and always updating are just two different ways of
| sticking your head in the sand
| benburton wrote:
| > Docker Desktop doesn't let you decide whether you want updates
| or not, unless you pay them
|
| This made me uninstall Docker Desktop.
| travisd wrote:
| They actually just reverted this change within the last week
| (of course with accompanying "we love listening to your
| feedback!!!1!" eyeroll inducing messaging).
| throwaway984393 wrote:
| I use a 5 year old Linux distribution and I never update it
| except for important security patches. Works great. Nothing
| changes so nothing breaks. I ran into a problem once with trying
| to run some Go binary that wasn't actually static (pretty common
| apparently) but got it working in a Docker container.
| encryptluks2 wrote:
| Better yet, if you don't want updated software, then why are you
| installing it? Just use a versioned Linux distro and be done with it.
| theptip wrote:
| There's something to be said for being on the oldest minor
| version that still receives patch releases (usually the LTS if
| there is such a thing). Unfortunately most FOSS libraries don't
| have the luxury/resources to support parallel releases. So to get
| security fixes you need to keep somewhat up to date with other
| changes.
|
| The worst place to be is having to fix a CVE in a hurry, but
| first having to upgrade your framework a few major versions
| including fixing some breaking API changes. I'd rather pay a
| small tax every month than have to risk those late nights.
|
| Dependabot is great here, you can get updates for free, or at
| least preview if they are going to pass all your tests.
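An added example (my own code, not from any commenter or from the linked article) that makes two points in this thread concrete: nameisname's argument that a semantic version, unlike a bare build number, tells you whether an upgrade may be breaking, and theptip's preference for sitting on the oldest minor line that still receives patch releases. The version strings, the release-line table and its support-end dates are all constructed for the example; the 0.x handling follows the common convention that a minor bump at major zero counts as breaking.

```python
"""Semantic-version triage for dependency updates (constructed example)."""
import re
from datetime import date

# MAJOR.MINOR.PATCH with optional -prerelease and +build metadata (semver.org).
_SEMVER = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def parse(version):
    """Return (major, minor, patch) or raise ValueError.

    A bare build number such as "22456" is rejected: it carries no
    compatibility information, which is the point made in the thread.
    Pre-release and build metadata are accepted but ignored for ordering.
    """
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return (int(m["major"]), int(m["minor"]), int(m["patch"]))


def classify_upgrade(current, candidate):
    """Classify candidate relative to current.

    Returns 'same', 'downgrade', 'patch' (bug fixes only), 'feature'
    (backwards-compatible additions) or 'breaking' (MAJOR changed, or MINOR
    changed while MAJOR == 0, where semver promises nothing).
    """
    cur, new = parse(current), parse(candidate)
    if new == cur:
        return "same"
    if new < cur:
        return "downgrade"
    if new[0] != cur[0]:
        return "breaking"
    if new[1] != cur[1]:
        return "breaking" if cur[0] == 0 else "feature"
    return "patch"


def highest_compatible(current, candidates):
    """Highest candidate that is a patch or feature upgrade (the set a
    'take the small monthly tax' policy would apply without API work)."""
    ok = [v for v in candidates
          if classify_upgrade(current, v) in ("patch", "feature")]
    return max(ok, key=parse) if ok else None


# Constructed release-line table: "MAJOR.MINOR" -> last day it receives
# patch releases. Dates are fictional.
RELEASE_LINES = {
    "2.1": date(2021, 6, 30),
    "2.2": date(2022, 3, 31),
    "3.0": date(2023, 1, 31),
    "3.1": date(2023, 9, 30),
}


def oldest_supported_line(release_lines, today):
    """Lowest MAJOR.MINOR line still receiving patches on `today`, or None."""
    live = [(tuple(int(p) for p in line.split(".")), line)
            for line, until in release_lines.items() if until >= today]
    return min(live)[1] if live else None


if __name__ == "__main__":
    for cur, new in [("1.4.2", "1.4.3"), ("1.4.2", "1.5.0"),
                     ("1.4.2", "2.0.0"), ("0.3.1", "0.4.0")]:
        print(f"{cur} -> {new}: {classify_upgrade(cur, new)}")
    print("safe pick:", highest_compatible("1.4.2",
                                           ["1.4.3", "1.5.0", "2.0.0", "1.3.9"]))
    print("oldest maintained line:",
          oldest_supported_line(RELEASE_LINES, date(2021, 11, 5)))
```

Run as a script it prints the classification for each pair, the highest non-breaking pick (1.5.0) and, for the constructed table on the thread's date, the 2.2 line as the oldest one still getting patches. Swap in the real release calendar of a dependency to get the answer for your own stack.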
| m4rtink wrote:
| I guess enterprise Linux subscriptions are such a tax, right?
|
| It pays for Red Hat/SUSE/Canonical to maintain an old stable
| version CVE free for you, so you don't have to update so often.
___________________________________________________________________
(page generated 2021-11-05 23:00 UTC)