There seems to be a common mode of thinking about #software these days that is something like "updated software is always best". I agree there is some truth to that, but it is unfortunately not that simple. Most vulns were introduced in an update; they were not there from the beginning. "Security is a process, not a product", so how the software is developed changes the relationship between updates and #security, e.g. software that never issues stable updates vs. software with stable releases.
@jack I can't imagine a reason why knowing your software providers is a bad practice; that's what I'm talking about. You can tell Bruce Schneier that "Security is a process, not a product" is bad advice, since I was quoting him. Stable release processes are very much still a thing, as are rolling releases. The security properties of each have key differences.
@jack I agree that end users who do not look into their software providers should just install updates. That does not mean that we should ban all other discussions about updates, which it sounds like you are recommending. It is dangerous to lull people into complacency, just accepting the status quo because they are not technical. If someone feels threatened, they can also seek out expert advice for things they do not understand. "Updates" also has differences in meaning based on context. 1/2
@jack "Updates" also means distros pulling in new upstream versions. The update maximalists often complain that stable distros do not update their packages often enough. That is a technical discussion, which is also good to have in public. "Updates" is a tricky word too, since in American English it has a variety of meanings, while some languages have adopted "Updates" to specifically mean end user software updates. I'm a native American English speaker; sometimes I forget those differences. 2/2
Another key discussion area for #updates is a #developer updating the libraries that they use in their app. Ideally the developer would review all source code changes that the lib update includes. This rarely happens in practice, and we see lots of apps inadvertently include malware via libs that have been taken over, for example https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware This is where devs should be thinking about how much they trust lib authors to maintain secure accounts, domain names, upload processes, etc.
Then compare this to getting package updates via the official #Debian repositories, which include a wide array of proven techniques for securely shipping software packages and #updates. In addition, Debian has a good track record over decades. In most setups, I think it is safe to enable the "unattended-upgrades" package, which automatically downloads and installs updates for the majority of packages in Debian. This is the best choice for users who do not have the means to do further examination.
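As an added example for the library-update post above (not code from the thread's author), here is a small review aid that diffs two npm package-lock.json snapshots and reports what an update actually pulls in: changed versions, added packages, same-version entries whose tarball hash changed, and new or changed packages that declare install scripts. The lockfile contents are constructed sample data; package versions and hashes are made up.

```python
"""Review aid for library updates: diff two package-lock.json snapshots (npm
lockfileVersion 2/3 'packages' map) and report what actually changed, so the
developer can inspect those changes before accepting the update."""
import json

def lock_packages(lock):
    """Map 'node_modules/<name>' -> (version, integrity, has_install_script)."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # the empty key is the root project itself, not a dependency
            out[path] = (meta.get("version"), meta.get("integrity"),
                         bool(meta.get("hasInstallScript")))
    return out

def review_update(old_lock, new_lock):
    """Return added/removed/changed packages plus two review flags: entries whose
    version is unchanged but whose tarball hash differs (a republished artifact),
    and new or changed packages that declare scripts run at install time."""
    old, new = lock_packages(old_lock), lock_packages(new_lock)
    report = {"added": [], "removed": [], "changed": [],
              "integrity_only": [], "install_scripts": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append((path, new[path][0]))
        elif path not in new:
            report["removed"].append((path, old[path][0]))
        elif old[path][0] != new[path][0]:
            report["changed"].append((path, old[path][0], new[path][0]))
        elif old[path][1] != new[path][1]:
            report["integrity_only"].append((path, old[path][0]))
        if path in new and new[path][2] and (path not in old or old[path] != new[path]):
            report["install_scripts"].append(path)
    return report

# Constructed lockfile snapshots; versions and integrity hashes are made up.
OLD_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "myapp"},
  "node_modules/ua-parser-js": {"version": "1.0.0", "integrity": "sha512-AAAA"},
  "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-BBBB"}}}""")
NEW_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "myapp"},
  "node_modules/ua-parser-js": {"version": "1.0.1", "integrity": "sha512-CCCC",
                                "hasInstallScript": true},
  "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-DDDD"},
  "node_modules/new-dep": {"version": "2.0.0", "integrity": "sha512-EEEE"}}}""")

if __name__ == "__main__":
    for key, items in review_update(OLD_LOCK, NEW_LOCK).items():
        print(f"{key}: {items}")
```

Each flagged entry is a place to read the actual diff of the published tarball rather than trusting the version bump.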