[ale] AARG! Manual software updates, Sun Java, LibreOffice, help

Michael B. Trausch mike at trausch.us
Mon Nov 7 15:34:35 EST 2011


On 11/07/2011 03:15 PM, Ron Frazier wrote:
> Yes but you said you run Gentoo, which is a rolling release system.  So 
> you may be getting more frequent updates than I.

I didn't do things any differently when I ran Ubuntu.  However, I did
not run the LTS releases except on servers.  If you like to use recent
stuff (not just patched things, but up-to-date on features, too) then
you'll want to not use the LTS releases for that reason.  It's all about
what you choose, and you should choose something that fits the way you
want your system to work.

There are hundreds, if not thousands, of Linux distributions out there.
You can have your way with at least one of them.

I moved to Gentoo not because Ubuntu wasn't updating things quickly
enough, but because I got tired of the politics and drama behind it,
including variants on the "corporate blame game" that they do in their
bug tracking system.  I started becoming unhappy with Ubuntu way back in
2007, but they weren't so bad that the bad outweighed the good.  With
the advent of the new "we know better than you do" crowd, though, well,
that was the tipping point for me.

> As far as I know, the 
> most common vectors for malware are office documents,

On Microsoft Office, and in the default configuration of having macros
enabled, yes, that'd be correct.

> pdf files,

Use a safe PDF reader, and you won't have that problem.  (By "safe", I
mean one where you can disable JavaScript code execution, or even
better, one that doesn't do it at all.  Only morons use JavaScript in
PDF documents.)

> flash content,

I have never seen Flash do anything nasty on Linux boxes, but then again
I don't use a lot of Flash.  Youtube, and one game on Facebook, really,
and that's it.

> and Java / Javascript exploits.

Insecure software will exist always and forever.  Even more with the
modern mentality that you don't have to learn the underlying concepts,
that learning the programming language is enough.  But, that is why
distributions backport security fixes.

> All the security experts say patch your system frequently and keep all
> your apps up to date.

Within certain limits, yes.  Sounds to me like you're following this
advice blindly, obsessively and to your own detriment of sanity.  Your
choice, but just remember that active distributions already use package
managers so that they can push out security updates without you having
to worry about it.  It does mean more work for the distributor when they
do not follow a rolling release model, but anyone can look at e.g.
Debian to see how well they manage to do it.

> So, I 
> have a particular interest in keeping Firefox, LibreOffice, Flash 
> player, Adobe Reader (Windows only in my case), and Java up to date.

"Up-to-date" isn't really what you want.  Of course, you think you do,
but that's not it.  "Up-to-date" is about features, not about security.
New feature releases are actually particularly dangerous from a safety
and security standpoint.  Believe it or not, newer isn't always better.

It will always be safer to accept security updates for a stable system
than it will be to perform feature-release upgrades.  Furthermore,
anytime you step outside of the package manager, you are transferring
the role of security manager for those packages away from the
distribution (where people do that for you) to yourself, which means
you're almost certainly going to screw it up.  I know I would.  I'm not
going to go to all that trouble when I have better things to do with my
computer, like spend my time *using* it to get work done.  I don't want
to micromanage my computer.  In fact, that is one reason that I have
been using Linux for so long.  I hate the insane amount of
micromanagement one must do for a Windows computer.  I'd get far less
work done if I had to use Windows on anything even remotely closely
approaching a regular interval.

> Before I brought up this topic, and before finding the Mozilla PPA, my 
> system was only updating LibreOffice to 3.3.2 (I think) and Firefox to 
> 3.26 (I think) and Java to 6.26.

What's that matter?  Look at the distribution's release number.  That
will tell you how many patches (and where, if you're using Ubuntu) were
backported.  The upstream version number serves to identify the basis,
but patches are made on top of those.  Therefore, the source code isn't
really the "pure" upstream source code (except in the case of Java,
which they will update if they need to for security reasons).

> In some cases, that means the programs 
> are several months out of date.

So?  That's really not the point.  The basis will always be "out of
date", that's the nature of a stable release structure.  However,
patches that are on top of it will be far more recent.  Typically,
security patches are backported from the upstream's trunk, master,
mainline, or whatever else they call their development series in their
particular version control system.  Sometimes patches go the other way,
originating at the distribution and being pushed upstream.  Regardless
of which way it goes, the result is the same:  you do not have to worry
about those things, particularly not on your desktop system.

Relax.  Breathe.  It's not Windows.

> Personally, I don't like to be running 
> with things that old, particularly these things, even though I don't 
> always find the time to keep every thing updated every month.

I guess it's a good thing that Ubuntu manages that for you, and usually
you can update in two minutes without even having to reboot.

> That's 
> why I'm trying to find a solution to keep things more up to date.  I'm 
> not quite ready to go through the hassle of upgrading to Ubuntu 11.10, 
> and even if I did, I wouldn't be on LTS any more.

Your whole thread is built on the premise that you don't want to be
running an LTS, but then you're citing that as a downside if you
updated.  I fail to understand the logic.

You either want long-term support and let the distribution manage the
security updates (which come even if you don't see them coming), or you
want bleeding edge.  You sound like you want Gentoo, but then you say
you want 3 years of stable desktop support and security updates.
What'll it be?

	--- Mike
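The reply above makes the point that a distribution package's version string carries two things: the upstream release it is based on and the distribution's own patch revision on top of it. The following POSIX shell helper, added here as an illustration and not part of the original message or of any dpkg tool, splits a Debian/Ubuntu version string (`[epoch:]upstream[-revision]`) into those parts; the version strings it is run on are constructed samples in that shape, not actual package versions from the thread.

```shell
#!/bin/sh
# Split a Debian/Ubuntu package version ([epoch:]upstream[-revision]) into
# epoch, upstream basis and distribution revision.  Per Debian policy the
# epoch ends at the first ':' and the revision starts at the last '-'.
# Hypothetical helper for reading versions, not a dpkg utility.
parse_deb_version() {
    ver=$1
    epoch=0
    case $ver in
        *:*) epoch=${ver%%:*}; ver=${ver#*:} ;;
    esac
    case $ver in
        *-*) upstream=${ver%-*}; revision=${ver##*-} ;;
        *)   upstream=$ver;      revision="" ;;
    esac
    # A missing revision means a "native" package: no separate distro patch layer.
    printf '%s %s %s\n' "$epoch" "$upstream" "${revision:-native}"
}

# Say in words what the string tells you: what the basis is, and whether a
# distribution revision (where backported security patches live) sits on top.
describe_deb_version() {
    set -- $(parse_deb_version "$1")
    case $3 in
        native)   echo "upstream $2, no separate distro revision" ;;
        *ubuntu*) echo "upstream $2, Ubuntu revision $3 (distro-patched)" ;;
        *)        echo "upstream $2, Debian revision $3 (distro-patched)" ;;
    esac
}

# Constructed sample strings in the shape dpkg reports (not real versions
# of the packages discussed in the thread).
for sample in "1:3.3.2-1ubuntu4" "6.26-1" "2.0.1"; do
    describe_deb_version "$sample"
done
```

On a real system the input would come from `dpkg-query -W -f='${Version}\n' <package>`; the upstream part alone says nothing about which security fixes have been backported, only the revision and its changelog do.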
