by deckard1 2017 days ago
The "don't touch it if it's not broken" philosophy is fundamentally at odds with an internet-connected machine.

You either need to upgrade or unplug (from the internet).

There are still places out there that are running Windows NT or even DOS, because they have applications which simply won't run anywhere else or need to talk to ancient hardware that runs over a parallel port or some weird crap like that. These machines will literally run forever, but you wouldn't connect them to the internet. Your hypothetical cave device would be the same.

Upgrading your OS always carries risk, whether it's a single yum command or copying your entire app to a new OS.

Besides, if you're on CentOS 8 then wouldn't you also be looking at Docker or something? Isn't this a solved problem?

2 comments

The point is the amount of "touching". Applying security patches to RHEL is still a change, but it's significantly less risky than upgrading a faster-changing system, where you might not even get security patches at all for the versions of software you're using unless you switch to a newer major version.

"Don't touch it if it's not broken" is not a philosophy, it is a slogan. Some people say it because it is preferable to them to run old, unpatched, vulnerable systems rather than spend resources on upgrades. That's just a reality. Some care about being up to date, some don't. Most people don't really care about security, and some of those don't even care about CYA security theatre. If they did care about security, they wouldn't run unverified software downloaded from the Internet.

What does Docker have to do with this discussion?