Because of my own personal horror stories of waking up to find high-priority Linux servers broken due to nightly automated updates, I now prevent automatic updates on my servers. I only do manual security updates, in addition to implementing modern security techniques for our network. That is just my personal belief system. It's worked for the past 25 years.
The only time we ever got hacked was because of some stupid PHP scripts that our developers had put online, or because people's passwords had been leaked. And some of those situations were nightmares also, two of which happened while I was away on vacation, and I had to fix everything remotely. But that was never due to updates.
I probably shouldn't express my opinion. But I have a lot of empathy for the guy who discovered his Mailman broken due to an upgraded Python, which triggered my nightmares.
But it's great though to have a very responsive community here, to bring people back from the dead. - Mark
On Sun, Apr 30, 2023 at 11:14 AM Mark London <mrl@psfc.mit.edu> wrote:
Because of my own personal horror stories of waking up to find high-priority Linux servers broken due to nightly automated updates, I now prevent automatic updates on my servers. I only do manual security updates, in addition to implementing modern security techniques for our network. That is just my personal belief system. It's worked for the past 25 years.
The only time we ever got hacked was because of some stupid PHP scripts that our developers had put online, or because people's passwords had been leaked. And some of those situations were nightmares also, two of which happened while I was away on vacation, and I had to fix everything remotely. But that was never due to updates.
I probably shouldn't express my opinion. But I have a lot of empathy for the guy who discovered his Mailman broken due to an upgraded Python, which triggered my nightmares.
But it's great though to have a very responsive community here, to bring people back from the dead. - Mark
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ LOL
IMHO, automated upgrades on any server are a bad thing! You have just seen that with Python. Imagine you were running PHP code and you automatically upgraded from PHP7 to PHP8! Chances are high that all your PHP applications will be broken in the process. You ALWAYS need to review all the software for compatibility (with your code & configs) before you do an upgrade. Such information will be clearly spelt out in the ChangeLog, which requires a human to read and decide.
Or maybe in 2023, ChatGPT can help with that? :-)
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Odhiambo Washington writes:
Imagine you were running PHP code and you automatically upgraded from PHP7 to PHP8! Chances are high that all your PHP applications will be broken in the process. You ALWAYS need to review all the software for compatibility (with your code & configs) before you do an upgrade.
My pattern is different. I have the advantage that my usages are seasonal, e.g., MediaWiki is online October 1 to January 15. Especially with PHP applications, I generally just do it and let it break. A lot of the major apps (MediaWiki!) are quite secure. But minor ones and 3rd party extensions ... there are so many ways to shoot yourself in the foot in all the inject-code-from-the-console P-languages, and PHP has a worse record than most. Staying up to date is worthwhile to me. So PHP and MediaWiki I update in early September, test the features we use, fix things up, and ready to go October 1.
Few businesses can do that. Universities and ski areas, I guess. :-) But if you can do it, it may be a reasonable workflow.
Steve
-- University of Tsukuba Faculty of Policy and Planning Sciences Tennodai 1-1-1, Tsukuba 305-8573 JAPAN tel/fax: +81-29-853-5091 turnbull@sk.tsukuba.ac.jp https://turnbull.sk.tsukuba.ac.jp/
participants (3): Mark London, Odhiambo Washington, Stephen J Turnbull