There seems to be a common mode of thinking these days that is something like "updated software is always best". I agree there is some truth to that, but it is unfortunately not that simple. Most vulns were introduced in an update, they were not there from the beginning. "Security is a process, not a product", so how the software is developed changes the relationship between updates and , e.g. software that never issues stable updates vs. software with stable releases.

@eighthave this has been an endless struggle for me, and I cannot figure out what my "best bet" is here: #debian is lovely in many ways, but I worry that outdated software and long delays cause as many issues as not-immediately-adopting-new-versions solves.
Security is one aspect, but features that are more advanced/thorough because they are matured in a newer version often seem out of reach even if there are security benefits.
I have been distro-hopping for years because of this.

@eighthave is your life too easy? not having enough challenge in life? what could make you want to write this in public?
@eighthave also this is extremely fucking bad advice given recent developments (apple secret 0day patch in violation of disclosure policy). regardless of how stupid it is on a normal day.

@jack I can't imagine a reason why knowing your software providers is a bad practice, that's what I'm talking about. You can tell Bruce Schneier that "Security is a process, not a product" is bad advice, since I was quoting him. Stable release processes are very much still a thing, as are running releases. The security properties of each have key differences.

@eighthave you're focusing on other highly technical foss contributors ignoring people with no/less knowledge whose life is on the line in these times of shifting alliances. End users need to fucking patch. Serious hard science needed to reverse this recommendation. Even good hearted dissent is dangerous here. End users are quite frankly not capable of making security tradeoff decisions on their own. Especially under crisis.

@jack I agree that end users who do not look into their software providers should just install updates. That does not mean that we should ban all other discussions about updates, which it sounds like you are recommending. It is dangerous to lull people into complacency to just accepting the status quo because they are not technical. If someone feels threatened, they can also seek out expert advice for things they do not understand. "Updates" also has differences in meaning based on context 1/2

@jack "Updates" also means distros pulling in new upstream versions. The update maximalists often complain that stable distros do not update their packages often enough. That is a technical discussion, which is also good to have in public. "Updates" is a tricky word too, since in American English, it has a variety of meanings while some languages have adopted "Updates" to specifically mean end user software updates. I'm a native American English speaker, sometimes I forget those differences 2/2

Another key discussion area for is updating the libraries that they use in their app. Ideally the developer would review all source code changes that the lib update includes. This rarely happens in practice, and we see lots of apps inadvertently include malware via libs that have been taken over. for example This is where devs should be thinking about how much they trust lib authors to maintain secure accounts, domain names, upload processes, etc.
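One defensive practice for the library-update problem described above, as an added example that is not the poster's code: pin each dependency to the exact artifact hash in a lock file and refuse to install anything whose bytes do not match, so a re-uploaded release under the same version number is caught even when nobody reviewed the diff. The lock-file line format and the two sample archives are constructed for this example.

```python
import hashlib
import re
# Lock-file line format assumed here (requirements-style with a pinned hash), e.g.
#   leftpad==1.0.0 --hash=sha256:<64 hex chars>
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_lock(text: str) -> dict:
    """Return {name: (version, sha256 hex)}; a line without a hash is an error,
    so the lock file cannot silently fall back to 'whatever the index serves'."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"lock line {lineno} is not hash-pinned: {line!r}")
        pins[m["name"]] = (m["version"], m["digest"])
    return pins

def check_artifacts(pins: dict, artifacts: dict) -> list:
    """artifacts: {name: (version, archive bytes)} as fetched from the index.
    Returns [(name, status)]; only 'ok' artifacts should ever be installed."""
    results = []
    for name, (version, data) in artifacts.items():
        if name not in pins:
            results.append((name, "unpinned"))
        elif version != pins[name][0]:
            results.append((name, "version-mismatch"))
        elif sha256_hex(data) != pins[name][1]:
            results.append((name, "hash-mismatch"))  # same version, different bytes
        else:
            results.append((name, "ok"))
    return results

# Constructed sample archives standing in for two library releases a developer reviewed.
GOOD_LEFTPAD = b"def leftpad(s, n):\n    return s.rjust(n)\n"
GOOD_COLORIZE = b"def colorize(s):\n    return '\\x1b[31m' + s + '\\x1b[0m'\n"
LOCK_FILE = (f"leftpad==1.0.0 --hash=sha256:{sha256_hex(GOOD_LEFTPAD)}\n"
             f"colorize==2.3.1 --hash=sha256:{sha256_hex(GOOD_COLORIZE)}\n")
PINS = parse_lock(LOCK_FILE)

def demo() -> list:
    # Constructed scenario: leftpad 1.0.0 is re-uploaded with extra bytes after the
    # project changed hands; the version string alone would not reveal the swap.
    republished = GOOD_LEFTPAD + b"# bytes that were not in the reviewed release\n"
    return check_artifacts(PINS, {"leftpad": ("1.0.0", republished), "colorize": ("2.3.1", GOOD_COLORIZE)})
```

The same check generalises to any package ecosystem whose lock file records content digests; the point is that the digest, not the version string or the uploader's account, is what the install step trusts.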

Then compare this to getting package updates via the official repositories, which includes a wide array of proven techniques for securely shipping software packages and . In addition, Debian has a good track record over decades. In most setups, I think it is safe to enable the "unattended-upgrades" package which automatically downloads and installs updates for the majority of packages in Debian. This is the best choice for users who do not have the means to do further examination.

@eighthave I think the closest metaphor we have for the role we have to create/inhabit is public health (unfortunate w/ their recent failures, but the guiding principles are close enough). I don't want to shut off all discussion of this but plenty of "mid level" for lack of a better word security people try to learn from public discourse of experts. So we have to be a little cautious of normative statements that would conflict with the basics; we have handwashing analogues, we have times of increased vulnerability. Yeah the distinction b/t upstream release pickup (does debian have a phrase for this, it's been a while, they tend to name things smartly) has big differences to end user updates for sure! Unfortunately only orgs that already have staff or people some of us directly advise informally get expert advice. Everyone else has to deal with the EFF (ssd) guides if they know they exist or pop tech knowledge (produced by those mid level types often!) or worse government advice.
Librem Social