Updates in Linux are far more tolerable. There’s really no reason to delay Debian stable, imo, unless you absolutely can’t risk some downtime.
Server rats excepted, it’s just a process that goes in the background and at most, you have to reboot the kernel.
There’s no staring at the Blue Screen of Boredom while windows update holds your machine hostage.
I work at a medium size company with hundreds of Linux servers and none of them get updated. Because it's more important that they keep running as they are than to have the latest updates. I bet this is very common for most companies.
There is nothing more important than security patches on a system.
I used to work at an FMI, which’s motto was “keep things stable”. Even the ciso department bought that crap. Until we hired a white hat hacker. The only thing given was the name of the company. He managed to get into the building, access an employee’s workstation and install a root kit on one of the most important financial message tracking systems (you know, the one that instructs other systems to transfer money), using a security bug, which would have been patched if they kept a regular (security) update cycle. After shit hit the fan, many people were fired and an update cycle was introduced.
No system is important enough to not patch. And if you believe it is, you’re wrong.
Yeah, but that just takes way too much work. You think I really care about the company's/bank's money if I'm not getting paid enough for that job? Security patches can also introduce new problems, like x changes, so y doesn't work, so the main app doesn't work... and what, then I have to manually edit code, introduce the thing that x relied on so that y can work again?
I'm sorry, but this is not your average IT department's job... or if it is, I expect a damn good compensation for it.
I've updated and rolled back snapshots because of shit like this... nah, not gonna try and figure out what the problem was... at least not for the salary I'm currently getting paid. If it burns, it burns, so be it.
If it's important that it keeps running then it should just be redundant and taking one node down for an update shouldn't be an issue. I know this is wishful thinking for a lot of services but I refuse to be on call for something if the client can't be bothered to make it redundant.
Jup same here. We have a colleague that constantly reminds everyone that we're not properly patched (even running eol versions) but there's always something to be done that's a higher priority.
Not at all.
Typically monthly or quarterly patching depending on severity and DMZ exposures. When log4j or shellshock hit it was patch once the patch was released and tested
If it's a personal server that can manage being down for 15min or so. You could just setup auto updates with email if anything goes wrong and reboot off hours. Containers also make it less risky although it does fail to update every once in a great while.
Do you work for the North Korean government or something OP? Why discourage people from keeping their systems secure?
What they are referring to is people just don't update their server because during that time they wouldn't be able to make a profit. This goes more to middle siszed businesses but happens rather often
Security is an art... the art of not giving a fuck about your data
-Op, probably
I find this to be least acurate with debian.. on other distros a patch may or may not install a new version of that package. that can bring changes to the behavior. On debian stable the security issues are backported. So you can patch and be sure that there is no changes to the behavior of the system. It is basically the reason all vm's i manage are debian stable.
It is also true they never crash. But that is expected of linux. It is the extreme reliabillity that is the debian killer feature for me.Me with my 'homelab' nas:
system (user-facing) package has an update? It'll auto-update overnight
dockerized service has feature updates? Let watchtower handle it with the weekly schedule
dockerized service with security patch? yeah, let's hit that this afternoon
actual system update? EVERYTHING IS GOING OFFLINE -4 SECONDS AGO FOR THIS
The system is going down NOW.
https://youtu.be/Z1TlbLfaJp8?si=nL9C6MqHUbWm0cy-
The system is down
Debian updates are not usually that big of a deal especially if you have HA configured
i'm pretty sure security updates are optional.
Just put a "these colors don't run" text in the log in
Unatended-upgrades keeps all systems securly patched. But there is a need for a reboot for kernel updates now and then.
I remember when Linux fan boys would give Windows users shit for needing to restart for updates.
True except for the one BOFH admin on the team who actually cares about best practices.
And yes, most distros have painless updates, the devs and everyone else don't care.
Hi. It's me. The guy bitching about best practices every other meeting. Sorry, but some of my past and present coworkers are clowns.
I'm a compassionate operator from hell. I will compromise with the devs on some practices but I force security updates on them with impunity.
"Until you crash, no on
careswill reboot you."- until there's a PCI audit.
I have two words for you, "compensating controls."
It's like goddamn magic.
yes, im guilty of this. haven't got time to update my server to v12
Isn't live patching a thing?
But Debian has security updates and you can set up unattended upgrades.
Meirl
