[dogma1138]

On the other hand the only users that predictively fall to browser exploits when we run end user targeted red-team ops are the devs and IT peeps that run Linux instead of OSX/Windows.

In fact across the board Linux machines in many enterprises are more likely to run outdated and possibly vulnerable software.

[swebs]

It sounds like that's a failure of your IT team to handle updates. Either that or your sourceless claims are just to spread FUD.

Most distros have different update channels so that you can install security updates without feature updates. Tools like unattended-upgrades make it trivial to automatically install daily security updates. You can then manually install other updates at a later time if you're concerned with breakage.

https://wiki.debian.org/UnattendedUpgrades

[dogma1138]

I'm very well aware that there are ISM solutions for ensuring updates for all operating systems.

For Linux Desktops it is especially hard since many of the solutions are not oriented for desktop users and when the package manager is not used there are gaps in software enumeration.

The best solutions I've seen so far are essentially block access to all online repos and manage your own but many organizations don't want to go that route, with ubuntu you can even use the "appstore" UI for displaying only your repo.

Your thinking is also too narrow while I gave examples from a managed environment there are plenty of Linux users running on unmanaged machines. Most users even "technically savvy" ones are not going to be reading release notes and reviewing CVEs daily via RSS.

Having a reliable way to ensure automated updates for Linux especially for commonly used and exploited software is an important tool to have and I wish more repos would implement something like Windows Update than say "what if Firefox puts in a keylogger" because that isn't a good argument as you can argue to them back "what if you put in a keylogger?" if you already pull your updates from your distro's managed repo you already accept that risk as such the risk of having no automatic updates at that point makes you less secure not more.

If you want to use a different repo or build everything from source locally that's fine but that is a completely different security model.

Also neither shifting the blame or claiming FUD are good arguments. Firstly there was no blame associated with the end user, at any point where there is a security system failure the end user isn't the "causal factor" doesn't matter if it's an unpatched system or did clicked on a phishing link they are do not own any of the causal blame.

As for FUD, calling something FUD is generally intellectually lazy and is used to end an argument by moving the goal post and changing the subject.

[jhasse]

This is because Ubuntu doesn't automatically install updates by default. On Fedora you can install updates when shutting down your computer, resulting in less people delaying it.

[dogma1138]

My point wasn't about Ubuntu or not but rather about this so called "threat model" that is the reason behind the lack of automatic updates.

The threat model is simply not valid for the security model that users who use a package manager follow.

Don't get me wrong supply chain based threat models including the source and intermediates are a valid concern.

But you already accept those risk by using a package manager and a managed repo which contains the source code and or binaries for the applications you want.

Not providing automatic updates to protect me from Mozilla won't reduce the risk when the risk from the package manager and the managed repo is just as high if not higher it just increases the overall risk as now I need to ensure that I follow their release cycle closely to make sure that my browser is always up to date.