linuxmemes
I work at a medium size company with hundreds of Linux servers and none of them get updated. Because it's more important that they keep running as they are than to have the latest updates. I bet this is very common for most companies.
There is nothing more important than security patches on a system.
I used to work at an FMI, whose motto was “keep things stable”. Even the CISO department bought that crap. Until we hired a white hat hacker. The only thing given was the name of the company. He managed to get into the building, access an employee’s workstation and install a rootkit on one of the most important financial message tracking systems (you know, the one that instructs other systems to transfer money), using a security bug, which would have been patched if they kept a regular (security) update cycle. After shit hit the fan, many people were fired and an update cycle was introduced.
No system is important enough to not patch. And if you believe it is, you’re wrong.
Yeah, but that just takes way too much work. You think I really care about the company's/bank's money if I'm not getting paid enough for that job? Security patches can also introduce new problems, like x changes, so y doesn't work, so the main app doesn't work... and what, then I have to manually edit code, introduce the thing that x relied on so that y can work again?
I'm sorry, but this is not your average IT department's job... or if it is, I expect a damn good compensation for it.
I've updated and rolled back snapshots because of shit like this... nah, not gonna try and figure out what the problem was... at least not for the salary I'm currently getting paid. If it burns, it burns, so be it.
“Way too much work” — if you ever said that where I work I’d fire you or not hire you in a heartbeat. An administrator’s role is not only to the stability of the system but the security too. You’re a hacker’s wet dream.
The phrase "Fuck you, pay me" comes to mind.
Cheapskates don't get top of the line security hardening. Pay more now or suffer a breach and pay contractors $1000/hr to fix your broken shit because you paid minimum wage for an administrator position and wanted them to do 5 jobs at once.
This guy gets it... and probably doesn't live in the US, cuz he knows the term "work 5 jobs at once".
One, you have no idea how much or little I'm getting paid. Two, you have no idea where I live and the struggles I have to face every day. Three, even if I do work "as expected", I won't get paid more (again, you don't know where I live).
It's real easy to bitch about work ethics on a full stomach while getting back from work in a nice car with heated leather seats.
What I say still holds. If you ever uttered that sentiment in front of me or did not follow through on patching when asked you’d be out on your ass. Has nothing to do with your situation or what you’re making. Your righteous indignation on patching has no place in a business plain and simple.
Not trying to start an argument here but you sound very far removed from individual contributors, so maybe from your point of view it would simply look like adding it to a pile. More important than adding it to a pile is to make sure there are systems in place to make sure OSs are patched. You wouldn't be complaining to the IT/sysadmin guy about your servers' vulnerability or patching schedules, you'd be talking to your cybersec department who'd have oversight. And if there's a breach and your only defense is "I added it to the IT guy's pile", 100% you are getting fired as well.
No, it doesn't... because as I said, you have your needs (food, shelter, good car, nice place to live) met... you wouldn't be talking like this if your place was a dump or you ate the cheapest shit on the market (cuz that's what you can afford).
I get your point, but capitalism is about doing the least amount of work to maximize your pay. And if the owners (who have the most skin in the game) don't care about infrastructure then why should anyone else?
If it's important that it keeps running then it should just be redundant and taking one node down for an update shouldn't be an issue. I know this is wishful thinking for a lot of services but I refuse to be on call for something if the client can't be bothered to make it redundant.
Jup same here. We have a colleague that constantly reminds everyone that we're not properly patched (even running EOL versions) but there's always something to be done that's a higher priority.
Exactly. Shit needs to just work, period. Why? Because otherwise, I'm the one getting 2AM calls... and I would be OK with that if I'm properly compensated for it... which I'm not.
Did you think of testing security updates on a staging environment before going in production with it, if you suspect it can break things?
I think there is no excuse to apply security fixes which have a CVE number.
If you are on Debian stable unattended updates are not a problem.
See, building and configuring a staging environment also takes time and money... money which they are not willing to spend on something "for testing" and not in actual use. Plus, I'm not gonna get paid for doing that either, so why actually do it... to be honest, I would do it, even for free, but you gotta cough up the money for the hardware man. I've been told "just use what you have in the scrap pile"... for what, a server 🤨? Are you serious? They barely spend any money on that even, why should I bother creating something as a staging environment.
Not at all.
Typically monthly or quarterly patching depending on severity and DMZ exposures. When Log4j or Shellshock hit it was patch once the patch was released and tested.
If it's a personal server that can manage being down for 15min or so. You could just set up auto updates with email if anything goes wrong and reboot off hours. Containers also make it less risky although it does fail to update every once in a great while.
Do you work for the North Korean government or something OP? Why discourage people from keeping their systems secure?
What they are referring to is people just don't update their server because during that time they wouldn't be able to make a profit. This goes more to middle-sized businesses but happens rather often.
Blows my mind, lol. Usually means no redundancy that allows one set to be done while the other set handles the traffic.
"Why should we pay for another server? One works just fine, a second would just be wasted money."
Also
"We need 9 9s of reliability or the company will fail."
Yeah, it is quite common, I can confirm... well, at least around here it is.
I was making a joke
Joke transfer unsuccessful. Server crashed. Time to update the joke server.
Well, seems like I missed this one.
Security is an art... the art of not giving a fuck about your data
-Op, probably
I find this to be least accurate with Debian. On other distros a patch may or may not install a new version of that package. That can bring changes to the behavior.
On Debian stable the security issues are backported. So you can patch and be sure that there are no changes to the behavior of the system. It is basically the reason all VMs I manage are Debian stable.
It is also true they never crash. But that is expected of Linux. It is the extreme reliability that is the Debian killer feature for me.
Me with my 'homelab' nas:
system (user-facing) package has an update? It'll auto-update overnight
dockerized service has feature updates? Let watchtower handle it with the weekly schedule
dockerized service with security patch? yeah, let's hit that this afternoon
actual system update? EVERYTHING IS GOING OFFLINE -4 SECONDS AGO FOR THIS
The system is going down NOW.
https://youtu.be/Z1TlbLfaJp8?si=nL9C6MqHUbWm0cy-
The system is down
Here is an alternative Piped link(s):
https://piped.video/Z1TlbLfaJp8?si=nL9C6MqHUbWm0cy-
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
Debian updates are not usually that big of a deal especially if you have HA configured
I'm pretty sure security updates are optional.
Just put a "these colors don't run" text in the log in
Unattended-upgrades keeps all systems securely patched. But there is a need for a reboot for kernel updates now and then.
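The reboot gap mentioned in the comment above, as an added example that is not part of the original thread: a check for whether a patched Debian-style host is still running an old kernel. It assumes the Debian/Ubuntu conventions of a `/run/reboot-required` flag file and kernel images named `/boot/vmlinuz-<version>`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (Debian/Ubuntu conventions):
#   - /run/reboot-required exists when an upgraded package wants a reboot
#   - every installed kernel has an image at /boot/vmlinuz-<version>
# newest_kernel and reboot_reason are hypothetical helper names.

# Print the highest kernel version that has an image in the given directory.
newest_kernel() {
    boot_dir=${1:-/boot}
    for img in "$boot_dir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing (e.g. container)
        printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Print "flag" if the reboot-required marker exists, "kernel" if a newer
# kernel than the running one is installed, otherwise "none".
reboot_reason() {
    flag=${1:-/run/reboot-required}
    boot_dir=${2:-/boot}
    running=${3:-$(uname -r)}
    newest=$(newest_kernel "$boot_dir")
    if [ -e "$flag" ]; then
        echo flag
    elif [ -n "$newest" ] &&
         [ "$(printf '%s\n' "$running" "$newest" | sort -V | tail -n 1)" != "$running" ]; then
        # Version sort, so 6.1.0-18 counts as newer than 6.1.0-9.
        echo kernel
    else
        echo none
    fi
}

# Typical use from cron or a monitoring agent:
#   [ "$(reboot_reason)" = none ] || echo "reboot pending on $(hostname)"
```

A result of `kernel` or `flag` means the fix is on disk but the vulnerable kernel is still the one executing, so the host should be scheduled for a reboot window.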
True except for the one BOFH admin on the team who actually cares about best practices.
And yes, most distros have painless updates, the devs and everyone else don't care.
Hi. It's me. The guy bitching about best practices every other meeting. Sorry, but some of my past and present coworkers are clowns.
"Until you crash, no one ~~cares~~ will reboot you."
Yes, I'm guilty of this. Haven't got time to update my server to v12.
Isn't live patching a thing?