by rascul 1330 days ago
An update is nothing special that I have to be prepared for. I do it all the time across all my systems, and it's largely automated. If a single update is such a burden that you must prepare days in advance for it, then perhaps there's room to improve the processes.

OK, so the actionable thing is "make a note to check for and run updates on Nov 1, even though it might be a public holiday for you" and you're done. Actionable != lots of effort, but I still appreciate a warning if I'm supposed to work on a holiday.

And yes, plenty of places are not at the point where this is a "press button and done" activity, even if it should be. (e.g. pretty much everyone who is buying any kind of "appliance" and isn't just running open-source stuff now knows to go check with vendors)

"I'm good at DevOps and everyone else should be too" feels tangential, and isn't going to help you when your banking session gets compromised because your bank wasn't prepared to roll this out through any expedited process versus their regulatory-compliant, slow process.

(As an example/thought experiment. I make no claims about the vulnerability at hand.)

I don't know anything about the update processes banks use. I would hope they wouldn't have to jump through hoops to apply a security update. Didn't they learn this already?

What do you expect banks and other regulated industries to do? YOLO patch whatever and whenever?

I don't work in a regulated industry where it's required, but we do similar with a proper change control process and there's not a single individual that's authorised to perform changes without oversight (even if that oversight from senior leadership comes retrospectively).

What did banks do with Heartbleed, Shellshock, Spectre, etc?