by dtoznayxvf 1685 days ago
If the software you are using auto-updates and you lose business or esteem of peers -- it's YOUR fault.

Allowing most software companies to update anything on a running, functioning work-related machine that you use to make $$ is ASKING FOR IT. WHEN it breaks something, that is your fault for being so stupid.

I update software in most cases by installing it on another machine/device and then once it is confirmed to work, switching devices and wiping the former-work-device.

Yes I have more than 2 of everything critical for making $$.

Yes I filter all my inbound and outbound network traffic and default deny, at home and on the road.

Software that prevents you from disabling auto-updates is a virus.


> WHEN it breaks something, that is your fault for being so stupid.

Sorry, this one raises my hackles. It's exactly such a user-hostile worldview that makes everything suck. It's just more victim-blaming and elitist tongue clicking that helps absolutely no one.

Everyone is stupid when it comes to software. There are hundreds of millions, if not billions, of lines of code, written by tens of thousands of different people, with myriad internal and external complexity, all breaking and falling apart at the same time. It is literally beyond human comprehension all the niggling details that could go wrong.

I whole-fist pushback against this "oh you should know what you are doing with metric asstons of other people's code". Uh, no. That's the attitude of unserious people who want to ship garbage and make it users' problem.

But do we even disagree my friend?
If you're running software maintained by someone else and you don't let them do that, and there's a security or major bug fix and you lose business or esteem of peers -- it's YOUR fault.

Ignoring upstream security fixes on a work-related machine that you use to make $$ is ASKING FOR IT. WHEN it breaks something, that is your fault for being so stupid.

Neither of these extremisms are helpful. It's clearly more nuanced than any of this.

Of course it is. Context matters. I was trying to keep with the spirit of the article: 'Here's a fair warning: this article is reductio ad absurdum, therefore you shouldn't take it as gospel.' Usually though, in my experience, if you also control the network, then most security updates can wait to be tested on a non-production machine. Also it helps to Never ever use Windows.

This resonates with me for a LOT of reasons but I take a very different approach. I try to keep just a few dependencies and keep them all up to date. For most updates I can read every line of updated code. I learn a lot, get all of the security patches, and sometimes I realize I don't need a dependency and I remove it. I'm always trying to take small calculated risks. I have great monitoring and rollbacks are easy.
Having two of everything is actually a pretty decent idea.

Part of the fear of updating though is the time sink.

Even if I attempt to update one mac laptop to the new version (of which I believe there is a new one just released, doesn’t seem long since I last updated…) knowing that I have a safe backup, I dread the thought of spending hours knowing something _should_ be working but is now broken. It can be infuriating. Especially when it’s a pattern/way of working you have become so accustomed to.

Having two servers with an unpatched CVE 10/10 vuln will get both pwned in short to no time.

Or just one, exposing your data in a ransom attack.

Dependency and update management is hard. Welcome to IT.

From my experience, extreme viewpoints and religions are convenient in the way they have answers to all hard questions in life that are simple, clear and wrong.

If you like simple and correct answers, you're usually better off choosing simple questions instead.

Unpatched? Not necessarily.

Unpatched and unmitigated? Yes.

Taking the time to build “defense in depth” into the architecture has saved my ass on many occasions.

dear raul, did you read the article? 'Here's a fair warning: this article is reductio ad absurdum, therefore you shouldn't take it as gospel.'

On "cloud" servers I usually do a snapshot before the upgrade. That way I can revert to it in a few minutes.
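The snapshot-then-upgrade-then-revert routine in the comment above, and the "confirm it works before switching over" practice from the original post, are the same pattern: capture a known-good state, apply the change, run a check, and roll back automatically if the check fails. Below is an added example (not code from the thread or from any commenter) that does this for a plain application directory using only POSIX shell and `cp`, standing in for a cloud volume snapshot. The directory layout, the `config` file, the health check and the upgrade commands are all constructed for the demo.

```shell
#!/bin/sh
# Added example: snapshot -> upgrade -> health check -> keep or roll back.
# A directory copy stands in for a cloud volume snapshot (assumption).
set -u

# snapshot <app_dir> <snap_dir>: keep a pre-upgrade copy of the app directory.
# The previous snapshot is discarded, so only the last good state is kept.
snapshot() {
    rm -rf "$2"
    cp -a "$1" "$2"
}

# rollback <app_dir> <snap_dir>: replace the app directory with the snapshot.
rollback() {
    rm -rf "$1"
    cp -a "$2" "$1"
}

# safe_upgrade <app_dir> <snap_dir> <upgrade_cmd> <health_cmd>
# Runs upgrade_cmd, then health_cmd. If either fails the snapshot is
# restored. Returns 0 when the upgrade is kept, 1 when it was rolled back.
safe_upgrade() {
    su_app=$1; su_snap=$2; su_upgrade=$3; su_health=$4
    snapshot "$su_app" "$su_snap"
    if sh -c "$su_upgrade" && sh -c "$su_health"; then
        return 0
    fi
    rollback "$su_app" "$su_snap"
    return 1
}

# demo: runs one good and one bad upgrade against a constructed app directory
# and prints "<result1> <result2> <final config line>".
demo() {
    work=$(mktemp -d)
    app="$work/app"; snap="$work/app.snap"
    mkdir -p "$app"
    printf 'version=1\n' > "$app/config"

    # Constructed health check: the config must name a numeric version.
    health="grep -q '^version=[0-9][0-9]*' '$app/config'"

    # 1. Good upgrade: bumps the version, health check passes, change is kept.
    if safe_upgrade "$app" "$snap" "printf 'version=2\n' > '$app/config'" "$health"; then
        r1=kept
    else
        r1=rolled-back
    fi

    # 2. Bad upgrade: writes a broken config, health check fails, snapshot restored.
    if safe_upgrade "$app" "$snap" "printf 'version=\n' > '$app/config'" "$health"; then
        r2=kept
    else
        r2=rolled-back
    fi

    final=$(cat "$app/config")
    rm -rf "$work"
    printf '%s %s %s\n' "$r1" "$r2" "$final"
}

# Expected: "kept rolled-back version=2" (the bad upgrade was reverted to the
# state left by the good one).
demo
```

The point of the health check argument is that "it still boots" is not the same as "it still works": the check should exercise whatever the machine is actually for, and the snapshot should be taken fresh before every upgrade so a rollback lands on the most recent good state rather than an older one.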