by tttttt5ts 1276 days ago
Is this response generated by ChatGPT? Seriously, we are talking Linux here and this is a generic response that ignores audience.
2 comments

OP posted a since-the-dawn-of-time complaint about automatic updates that ignores why they are necessary, and clearly states that he's just refusing to engage with the usual reasons for them.

The "generic" response is because the complaint is similarly generic.

Sorry, I'm not sure I'm parsing this right, you're saying "security updates are necessary and I as a user am going to have worse outcomes for not updating my stuff"?

My personal experience does not match this at all, so is the explanation there that I'm just lucky?

Sorry for the reply to my own reply here but I'm genuinely incredibly curious for someone to explain to me why updates are necessary. It really seems like a cargo cult thing to me but I'm not the smartest person and if someone can explain to me where I'm doing my threat model/attack surface analysis incorrectly I'd love to learn.

> I'm genuinely incredibly curious for someone to explain to me why updates are necessary.

Because software is never finished. There are always bugs to fix, new platforms to support, new features to be added, more polish to be added, etc. It is the developer's goal to have the quality of their software go up over time.

It is in developers' interest for their users to remain secure, not experience bugs, have a good experience, and to solve a problem or need they have. Updates to applications try and address one or more of these things.

If making the user's life better is a cargo cult thing, then maybe that cargo cult isn't such a bad thing.

If you are specifically talking about why should you care about a Chrome 0day patch because you've never visited a shady site that tried to exploit it then the reason is that it's important for the ecosystem to be seen as secure. You want to make it as least financially viable to exploit Chrome as possible, you want to ensure people think of the web as a secure platform they can use without being afraid, as Google you want to avoid bad PR about a big hack. The first point is important. You want to increase the customer acquisition cost for an attacker which is "the cost to get a visitor divided by the chance a user's browser has not gotten the patch yet." (In practice different demographics may have different patch rates which lowers the CAC by targeting that demographic.) Google's lever for increasing an attacker's CAC is to use autoupdates to lower the chance. When CAC > LCV (lifetime customer value) then the attacker does not have a financial incentive to compromise users and this results in a large drop in the rate of attacks. The required updates remove the incentives to use the attacks which is why you feel like you aren't being targeted.

It's like how some management don't understand the value of a system administrator because when a system administrator does their job correctly everything appears to just work. When security updates are properly going out it may feel like they are unnecessary, but that just means that the defenders are doing a good job.

In the first bit you have not described why updates are necessary, you've given some reasons why updates can be useful. Opting into updates sometimes is fine. The context of the parent and grandparent posts is specifically security and security updates.

Security wise for most applications there's the oft overlooked possibility of just not connecting to the internet. Though when it comes to my personal experience running antivirusless Windows with updates disabled it has not been a problem for me for a decade now. According to my router I'm not part of a botnet either. It just doesn't seem necessary at all. Your attack surface as an individual on a reasonably well secured network is minuscule and your threat model is basically just the background radiation of bots trying whatever random exploits. Sure, I keep my router patched because it's on the edge, but other than that it doesn't matter.

Though I will give you that browsers are a special case where the tool is specifically used all the time to connect to potentially hostile content and give that content the ability to execute code on your machine. Things on the edge are a scenario where keeping up with security patches actually makes sense.

No, this response was not generated by ChatGPT. I would like to point out that there is one part of the Linux ecosystem that does automatic updates well, which is Android-based operating systems. What this post is about, desktop Linux, is much further behind so a more generic response is deserved.

Before we get to the point where we are discussing aspects like under what conditions should updates be applied or the priority of which updates should be installed first, desktop Linux needs to show that it can handle the basics.

My phone hasn't gotten an update in over a year as Google dropped support for my old Pixel. My 10 year old Linux desktop updated yesterday... Oh, and I didn't have to reboot my machine (live patching for the win). Android update is not "better"; it is different, with different goals.

The support duration of an operating system is different from the quality of how it handles autoupdates. Unsupported Android devices can still receive updates to apps from the Play Store. We were talking about application updates specifically and not operating system updates, which, while similar, are typically handled differently.

Upgrading Android apps does not need a reboot of the device either. Again, live patching is a separate feature from automatic application updates. If you read the article it shows a case where a Roussel is frustrated with how live patching is broken on desktop Linux. Meanwhile, on Android, apps don't do that when they are updated.