by kelnos 1434 days ago
> With security, you need some online service so you can find the new CVEs every day.

Or you just do it manually if that service is down. It's weird to me that the argument for not having an automated, 3rd-party service is "if it goes down then you'll have to do things manually", when the alternative is "you always have to do it manually".

If you are comfortable trusting a third-party service to tell you when to upgrade, then that is absolutely an improvement over doing security updates manually. This is why I have unattended-upgrades set up on my Debian systems to automatically install updates from Debian Security every day. Sure, it may fail for whatever reason, but I am certainly not going to take the time to (or even remember to) update every day.

1 comment
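As an added example (not code from the thread, nor from Debian's unattended-upgrades package), here is the check a defender wants for the "it may fail for whatever reason" case kelnos raises: a script that parses the log unattended-upgrades writes and reports whether the most recent daily run completed, failed, or has silently stopped. The log lines below are constructed to match the tool's timestamp/level/message layout; the exact message strings and the log path are assumptions.

```python
"""Report whether unattended-upgrades is still running and succeeding.

Parses the log written by unattended-upgrades (assumed path:
/var/log/unattended-upgrades/unattended-upgrades.log) and classifies
the last run as ok, failed, stale, or never.
"""
from datetime import datetime, timedelta

# Constructed sample log, shaped like unattended-upgrades output
# ("YYYY-MM-DD HH:MM:SS,ms LEVEL message"); not taken from a real host.
SAMPLE_LOG = """\
2024-03-01 06:25:01,118 INFO Starting unattended upgrades script
2024-03-01 06:25:01,119 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-03-01 06:25:04,502 INFO Packages that will be upgraded: openssl libssl3
2024-03-01 06:25:31,004 INFO All upgrades installed
2024-03-02 06:25:02,221 INFO Starting unattended upgrades script
2024-03-02 06:25:02,222 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-03-02 06:25:02,900 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-03-03 06:25:03,010 INFO Starting unattended upgrades script
2024-03-03 06:25:05,777 ERROR An error occurred: E:Unable to fetch some archives
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # first 23 characters of each line

def parse_runs(log_text):
    """Group log lines into runs; a run begins at 'Starting unattended upgrades script'."""
    runs = []
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(line[:23], TS_FORMAT)
        except ValueError:
            continue  # traceback/continuation lines carry no timestamp
        level, _, msg = line[24:].partition(" ")
        if msg.startswith("Starting unattended upgrades script"):
            runs.append({"started": ts, "ok": False, "errors": [], "upgraded": []})
        elif runs:
            run = runs[-1]
            if level == "ERROR":
                run["errors"].append(msg)
            elif msg.startswith("Packages that will be upgraded: "):
                run["upgraded"] = msg.split(": ", 1)[1].split()
            elif msg.startswith(("All upgrades installed", "No packages found")):
                run["ok"] = True  # a run that reached its normal end
    return runs

def assess(log_text, now, max_age=timedelta(days=2)):
    """Return (status, detail); status is 'ok', 'failed', 'stale' or 'never'."""
    runs = parse_runs(log_text)
    if not runs:
        return "never", "no runs found in log"
    last = runs[-1]
    if now - last["started"] > max_age:  # daily job has stopped firing
        return "stale", f"last run {last['started']:%Y-%m-%d}"
    if last["errors"] or not last["ok"]:
        return "failed", "; ".join(last["errors"]) or "run did not complete"
    return "ok", f"last run {last['started']:%Y-%m-%d}, upgraded {last['upgraded'] or 'nothing'}"

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, datetime(2024, 3, 3, 12, 0)))
```

Swap SAMPLE_LOG for the contents of the real log file and feed the result to whatever alerting you already have; the point is that the automation kelnos relies on gets watched rather than assumed.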

Yeah, honestly there's probably just a few libraries you're going to have to care about re: keeping up to date. Everything else can get updated opportunistically/on some cadence. Your exposed attack surface for most software is pretty much your TLS library and network stack. The more mature you become, the more of the attack surface you can try to track.

But basically if you just subscribe to a few projects' releases you can pretty easily get things pushed to you when it matters.