logoalt Hacker News

troadyesterday at 11:25 PM8 repliesview on HN

It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I'm meant to action those at the same time.

Replies

Marsymarstoday at 12:14 AM

The easiest way to action as a user seems like it would be to use local package managers that includes something like Dependabot's cooldown config. I'm not aware of any local package managers that do something like this?

https://docs.github.com/en/code-security/reference/supply-ch...

grueztoday at 12:04 AM

You basically need to make a trade-off between 0days and supply chain attacks. Browsers, office suite, media players, archivers, and other programs that are connected to the internet and are handling complex file formats? Update regularly, or at least keep an eye out for CVEs. A text editor, or any other program that doesn't deal with risky data? You're probably fine with auto update turned off

_carbyau_yesterday at 11:57 PM

I imagine that it depends on the use case.

Using notepad++ (or whatever other program) in a manner that deals with internet content a lot - then updating is the thing.

Using these tools in a trusted space (local files/network only) : then don't update unless it needs to be different to do what you want.

For many people, something in between because new files/network-tech comes and goes from the internet. So, update occasionally...

show 1 reply
taftsteryesterday at 11:38 PM

In the early days, updates quite often made systems less stable, by a demonstrable margin. My dad once turned off all updates on his Windows machine, with the ensuing peril that you can imagine.

Sadly, it feels like Microsoft updates lately have trended back towards being unreliable and even user hostile. It's messed up if you update and can't boot your machine afterwards, but here we are. People are going to turn off automatic updates again.

TingPingyesterday at 11:31 PM

I feel like supply chain attacks are the much rarer situation than real world exploits but I don’t have numbers.

show 1 reply
GauntletWizardyesterday at 11:32 PM

Unless there's an announcement of a zero day, update a month after each new release. Keeps you on a recent version while giving security systems and researchers time to detect threats.

worksonmineyesterday at 11:37 PM

Debian stable. If you need something to be on the bleeding edge install it from backports or build from source. But keep most of your system boring and stable. It has worked fine for me for years.

show 1 reply