[ale] AARG! Manual software updates, Sun Java, LibreOffice, help

Michael B. Trausch mike at trausch.us
Tue Nov 8 11:38:40 EST 2011


On 11/08/2011 08:29 AM, Ron Frazier wrote:
> I want to thank all who have been sharing information with me on this 
> thread.  I'm trying to get my brain around the differences between 
> maintaining a Windows machine, and a Linux machine, and what's required 
> to keep the machine secure and functional.  Obviously, there are 
> dramatic differences between the two systems, so I appreciate the help.

Keep in mind that the difference isn't between "Windows" and "Linux".
The differences you are talking about are the differences between
Microsoft Windows $VERSION and Ubuntu $VERSION.  Both operating systems
have significant differences from themselves and everything else in
existence.

The other thing is that Windows is an operating system distribution
(that is admittedly rather barebones, since it doesn't manage
applications as well), while Ubuntu is also an operating system
distribution.  The perhaps most fundamental difference between the two
systems is the fact that Ubuntu places applications within the scope of
the system's in-built package manager.  This is the case on many
Linux-based operating systems.  (Remember that a kernel is not itself a
complete operating system.)

> On 11/07/2011 03:34 PM, Michael B. Trausch wrote:
>> On 11/07/2011 03:15 PM, Ron Frazier wrote:
>>> As far as I know, the
>>> most common vectors for malware are office documents,
>>>      
>> On Microsoft Office, and in the default configuration of having macros
>> enabled, yes, that'd be correct.
> 
> LibreOffice / OpenOffice has security settings I have to check too.  I 
> believe the Macro setting defaults to high security, but I always check 
> it anyway.  There is a checkbox for usage of the JRE, which I turn off.  
> Also, under the Save options, there is a whole screen of checkboxes for 
> running Visual Basic apps, which I also turn off.  In general, I don't 
> want ANY automation running in my documents.

And by default, you don't, except for that which is in-built (such as in
the spreadsheet program, where default built-in functions are the whole
point).  Those options only take effect if you actually enable macros.

Unfortunately, this is an excellent real-world example proving the GNOME
project's point that less complex user interfaces are better, combined
with the next section here.

>>> pdf files,
>>>      
>> Use a safe PDF reader, and you won't have that problem.  (By "safe", I
>> mean one where you can disable JavaScript code execution, or even
>> better, one that doesn't do it at all.  Only morons use JavaScript in
>> PDF documents.)
> 
> Agreed.  You can turn off JavaScript in Adobe's reader, which I do, 
> among a few other things on the Windows side of my fence.  The document 
> viewer, which is the default reader in my version of Ubuntu doesn't have 
> any preferences related to JavaScript, so hopefully, it's not running.

It's not.  Evince does not support JavaScript in PDF documents at all.
There is no real reason to add that support.  In fact, because it
represents a preference that would have to be there, they won't add it,
because the Evince developers themselves are in favor of an application
that has no preferences at all.  (I disagree, being a relatively
advanced computer user; I think that there needs to be a balance between
OMG-too-much and zippo.)

>>> flash content,
>>>      
>> I have never seen Flash do anything nasty on Linux boxes, but then again
>> I don't use a lot of Flash.  Youtube, and one game on Facebook, really,
>> and that's it.
>>    
>>> and Java / Javascript exploits.
>>>      
>> Insecure software will exist always and forever.  Even more with the
>> modern mentality that you don't have to learn the underlying concepts,
>> that learning the programming language is enough.  But, that is why
>> distributions backport security fixes.
> 
> The main way I keep potential Flash / Java / JavaScript exploits at bay, 
> other than practicing safe computing, is to keep the Flash Player, Java, 
> and Firefox as up to date security-wise as possible.  I understand from 
> prior discussions that Firefox may be up to date security-wise even 
> though its version says 3.6.23 and Firefox's website says 7.0.1.  I 
> must say, that's very confusing.  Also, I don't know how to KNOW that it 
> has all the security updates and bug fixes that it would if it were 
> Firefox 7.

It doesn't have to be confusing at all.  The fact that applications are
within the scope of the package manager means that you do not need to
worry about that.  As long as you run updates when prompted, your system
is pretty much safe.  The reason that most Linux distributions do things
this way is so that you don't have to worry.  A typical installation of
Ubuntu, for example, can easily have more than 1,000 packages installed
on the system.  Now, imagine what would happen if you had to worry about
updating them all yourself.

In fact, most of the security vulnerabilities that you'll see in large
projects are not because of a problem in the project itself, but rather
something that it relies on (say, libpng, libjpeg, or a program like
ghostscript or imagemagick, or a language, such as most notably, PHP).
The point is that you don't have to worry about these sorts of things on
a desktop system.  You have to be a little more conscientious of those
things when you are running servers only because they possess increased
exposure.

For the amount of exposure your workstation has, relying upon the
(saner) operating systems in order to provide security fixes is the
smart thing to do (you know, "work smart, not hard").  Update once a
week, and you have zippo to worry about.  In fact, sometimes you'll be
less secure running upstream's software, because of the fact that
distributions tend to be a point of origin for "quick fixes" in such
software, and it takes time to push those things upstream.  But security
fixes that come down "from the top" tend to be cherry-picked and applied
very quickly.

> The package manager seems to keep the flash player pretty up 
> to date.  Java updates are a potential problem, for reasons I'll discuss 
> in another message.  One other way I minimize potential problems is with 
> the NoScript Firefox plugin.  No scripting of any kind or Flash 
> operations are allowed on any website unless I specifically approve.  
> Now, that's not failsafe, as humans aren't failsafe.  However, I'm very 
> reluctant to turn that on unless I have some reason to trust the site.

I'll still argue that (at least on a modern Linux-based operating
system) this work is extraneous.  But if it makes you happy, so be it. :)

>>> All the security experts say patch your system frequently and keep all
>>> your apps up to date.
>>
>> Within certain limits, yes.  Sounds to me like you're following this
>> advice blindly, obsessively and to your own detriment of sanity.  Your
>> choice, but just remember that active distributions already use package
>> managers so that they can push out security updates without you having
>> to worry about it.  It does mean more work for the distributor when they
>> do not follow a rolling release model, but anyone can look at e.g.
>> Debian to see how well they manage to do it.
>>

Just to add to this a bit.

Keeping your applications up-to-date brings with it zero assurances,
other than that the code that you are running is fresh.  Fresh code is
viewed by many security experts to be suspect until it is reviewed.  A
true security expert would say that you should keep your applications
up-to-date with the newest stable (in the Debian sense of the word)
release of the software.  Do not run very new releases that have new,
untested, unreviewed code.

But this is not something that a true expert can recommend to an end
user.  Thankfully, we have Debian to show us how to do it!  :)

And yes, Debian is quite obsessive about using stable, proved, reviewed
software and even still there are security updates.  And they provide
those for a bloody long time, so if you are *really* worried about all
of this stuff and you *seriously* do not want to have to worry about it
all, then install Debian.  Seriously.

Gentoo takes another approach to system security in the applications and
libraries; it uses the most recently released non-development versions
of things (in most cases) and then it enables you to control the
dependencies of them.  For example, you can build LibreOffice completely
without the ability to use Java.  Or you can build Firefox such that it
uses IPC (or not).  Or you can even build GNU bash without sockets
support if that's your cup of tea.  By giving users that level of
control with a relatively easy to use interface, you can control the
attack surface directly for the entire system or the individual
application itself.  It also means that if you as a rule don't use Java,
you can disable Java for the whole system but enable it for a single
application (such as perhaps serving Java applications on the Web), and
other software will be built without the ability to use Java.

>> "Up-to-date" isn't really what you want.  Of course, you think you do,
>> but that's not it.  "Up-to-date" is about features, not about security.
>> New feature releases are actually particularly dangerous from a safety
>> and security standpoint.  Believe it or not, newer isn't always better.
> 
> I see your point.  I guess I would say that I want the system and 
> applications to remain as up to date as possible from a security and bug 
> fix point of view.  I don't have to have the latest greatest bleeding 
> edge features.

Then what you want is to use a Linux distribution that provides security
updates.  The good news is, you already are.

If you want to do more work to "check up" on them, then subscribe to the
Ubuntu vulnerabilities mailing list, subscribe to the US-CERT mailing
list, and subscribe to other mailing lists that serve the problem
domain.  Watch them all.  You could even go so far as to chart the TTL
for exploits if you wanted to, so that you could evaluate how well your
distribution does and change distributions if you want.  But beware,
actually keeping track of all that is a full-time job in itself.

Keep managing your installed application software manually on Windows.
In that world, you have to do it.  Then come back to the light side,
kick up your feet, and simply focus on computing.  :-)

>> It will always be safer to accept security updates for a stable system
>> than it will be to perform feature-release upgrades.  Furthermore,
>> anytime you step outside of the package manager, you are transferring
>> the role of security manager for those packages away from the
>> distribution (where people do that for you) to yourself, which means
>> you're almost certainly going to screw it up.  I know I would.  I'm not
>> going to go to all that trouble when I have better things to do with my
>> computer, like spend my time *using* it to get work done.  I don't want
>> to micromanage my computer.  In fact, that is one reason that I have
>> been using Linux for so long.  I hate the insane amount of
>> micromanagement one must do for a Windows computer.  I'd get far less
>> work done if I had to use Windows on anything even remotely closely
>> approaching a regular interval.
> 
> You have a point here as well.  There are other reasons I use Windows.  
> Ease of maintenance isn't one of them.  I, of course, prefer to be using 
> the computer rather than maintaining it as well.  The package manager in 
> Linux does handle most of the updates for me, which is much easier than 
> Windows.  My maintenance checklist also includes procedures for checking 
> and setting application options, particularly related to security and 
> privacy.  The Firefox preferences screen has 6 tabs I need to be 
> concerned with in initial setup, each with 6 or more settings to check, 
> in general.  (Not all are security / privacy related.)  Also, each 
> plugin added usually has a preferences screen.  And, in the case of 
> Firefox, you have to check things on each login on each OS.  I go back 
> and check them a few times a year for a couple of reasons.  First, with 
> several computers, some of which have two OS's, and some of which have 
> multiple logins, it's easy to omit certain settings which I want to have 
> replicated among them all.  Second, there have been times I've seen 
> settings change during upgrades or reinstalls.  (Not so much with 
> Firefox, but with other things.)  So, I check them periodically.  I do 
> this with all applications which connect to the internet.  These setup 
> procedures apply to either Windows or Linux.  Also, my checklist includes 
> preventive maintenance items, like backups, virus scans, disk checks, 
> ups tests, etc.  These also apply to either Windows or Linux.  So, while 
> I would readily admit that Linux is easier to maintain than Windows, I 
> would say that no computer is maintenance free, no matter what OS it's 
> running.

Work smart, not hard.

If you are really doing all this by hand, stop it.  And do not learn
Java, not right now.  Instead, learn yourself the relevant scripting
languages (you can use Python on both, if you wanted) and automate these
tasks.

Then you will become a power user.

These computers, they are wonderful.  Do something once, maybe twice,
and no later than the third occasion, SCRIPT IT.  This will require that
you learn a little bit about the things you wish to script on a slightly
different level, but then you can have small tools that do these things
*for* you.

It isn't terribly difficult to do, and you can reduce your checklist to
a single item: run my script pack to set things up.

Though, there are other, better solutions, too.  You can use Firefox
sync, which IIUIC handles replication of settings and bookmarks.  If you
don't want to use Mozilla's sync server, you can even set up your own,
say on your home LAN or on a Linode that you rent.

>>> Before I brought up this topic, and before finding the Mozilla PPA, my
>>> system was only updating LibreOffice to 3.3.2 (I think) and Firefox to
>>> 3.26 (I think) and Java to 6.26.
>>>      
>> What's that matter?  Look at the distribution's release number.  That
>> will tell you how many patches (and where, if you're using Ubuntu) were
>> backported.  The upstream version number serves to identify the basis,
>> but patches are made on top of those.  Therefore, the source code isn't
>> really the "pure" upstream source code (except in the case of Java,
>> which they will update if they need to for security reasons).
> 
> Not quite following you there.  My System Monitor program in Gnome says 
> I'm running Ubuntu 10.04.  That's all it's ever said.

The system monitor is correct.

I should have said "Look at the distribution's release number for the
package".  e.g.:
mbt at spicerack:~$ dpkg -l bash
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  bash           4.1-2ubuntu3   The GNU Bourne Again SHell
mbt at spicerack:~$

This says that the GNU bash package is version 4.2, has been patched
twice by Debian and thrice by Ubuntu.

ii  libapache2-mod-wsgi             2.8-2ubuntu1                Python WSGI adapter module for Apache

Patched twice by Debian, once by Ubuntu.

ii  python2.6      2.6.5-1ubuntu6 An interactive high-level object-oriented la

Once by Debian, six times by Ubuntu.

You can see these when you run your system updates, too, and instead of
using dpkg at the command line you can use the GUI wrapper program to
read all the versions of the packages on your system.

You'll get all that information as well if you subscribe to Ubuntu's
security updates mailing list.

> So, what I think you're saying is; for all the applications included in 
> the distribution and in the package manager, as long as I run routine 
> updates, and as long as the distribution is supported, then the OS and 
> applications will be up to date with regard to bug fixes and security 
> patches, regardless of what the application version numbers are.

Correct!

>> Your whole thread is built on the premise that you don't want to be
>> running an LTS, but then you're citing that as a downside if you
>> updated.  I fail to understand the logic.
>>
>> You either want long-term support and let the distribution manage the
>> security updates (which come even if you don't see them coming), or you
>> want bleeding edge.  You sound like you want Gentoo, but then you say
>> you want 3 years of stable desktop support and security updates.
>> What'll it be?
> 
> My most important desire is that the system be as secure and bug free as 
> it can be.  I don't necessarily need bleeding edge features, as long as 
> the thing works.  However, I don't want to be feature obsolete either.  
> I had a situation recently where my Pandora music service refused to 
> work properly.  Tech support told me that I HAD to upgrade past Firefox 
> 4 because the older versions were not supported.  At the time, Synaptic 
> refused to update Firefox past version 3.6.23.  I had to install a 
> Mozilla PPA in order to upgrade to Firefox 7 so things would work 
> again.  I didn't really want to do that, because they changed the UI in 
> Firefox 7 substantially and some of my plugins wouldn't work.  I've 
> worked around the UI issues and found some new plugins.  But the point 
> is, that I had to do a feature upgrade to keep using the Pandora 
> service, and the package manager refused to help, without giving it an 
> attitude adjustment.

You probably could have used user agent switcher to work around that.  I
can't think of any technical reason that Pandora wouldn't have worked,
it's a Flash application.  But, if you stayed with the most recent OS
release (e.g., not an LTS release) then this problem would never have
occurred; there are many Web sites (including every one that I
implement) that require that you're using a recent Web browser.  I
simply won't support out-of-date browsers.  In this case, it's not about
security, but features; I am *not* going to maintain backwards
compatibility beyond a year or so.  I am but one person and I ain't got
that kind of time to play the Microsoft backwards-compatible-forever game.

> In terms of updating the OS off of the LTS, most people I've heard on 
> podcasts or talked to say do not "update" an OS but do a clean install.  

You can update from LTS to next non-LTS, and from LTS to LTS, and yes,
they are both supported (and the last time I did them, they worked just
fine).

Other package managers have deficiencies when upgrading, but they were
never designed from the start to upgrade, either.  With Debian's package
manager (which Ubuntu uses), as long as the packages are well put
together the upgrade will work fine.

Use update manager, though, and not the command line, because they use
Update Manager to provide additional scripts to the update process when
upgrading from one distribution to another so that you don't have to do
so much work by hand.  They refuse to provide these for anything other
than sequential release upgrades (and LTS-to-LTS upgrades), which I
understand perfectly, so if you're more than two releases out of date,
then a reinstallation is recommended.

But if you always update to the next release a few weeks after it comes
out, you'll never have to worry about it.  I know people that have
upgraded one-after-another since Hardy.

> Since Ubuntu is on a 6 month release cycle, I'd be reinstalling every 6 
> months if I wanted to stay up to date.  Every time I install a computer 
> from scratch, I spend about a week installing things, configuring, and 
> tweaking to get it purring like a kitten just the way I want.

So, don't.

Again:  It's not Windows (and this time, too: It's not Red Hat)!

> Then, it 
> takes another 6 months for me to get all the little things I missed set 
> up the way I want and running smoothly.  Those latter things, I usually 
> fix as I have time and encounter them not working.  For example, on a 
> laptop I got months ago to replace another one whose display hinges 
> broke, I just the other day set up the swap file.  I still don't have 
> the firewall auto starting the way I want.

Why do you need a firewall on a laptop?  Just don't install any
network-facing dæmons and you're fine.

> And, I don't think I have my 
> Evernote application running at all.  These are non critical things, but 
> are nevertheless annoying that they're not working.  So, I certainly 
> don't want to be doing a clean OS install every 6 months, since it takes 
> me 6 months to really get the machine running like a well oiled machine 
> (metaphorically of course).  Now, if I could just "update" it every 6 
> months, and everything keeps working, and all my configuration settings 
> don't change, and I only reinstall every 3 years or so, that's a 
> different story.  That, I would consider doing.

You can certainly upgrade from one release to the next.  Always wait a
few weeks, because you want the new release to be shaken down and you
want to not compete with everyone else to try to get the download to
succeed.

Yes, defaults can change.  Whole programs can be swapped out or brought
in.  But that's why they provide release notes, so that you are made
aware of such things.  It makes it possible (and easy!) to know what's
going on.  Set up once, back up frequently, and update when practical.
If you ever encounter trouble, you *do* have a recent backup, right?

	--- Mike
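The reading of the dpkg version column that Mike walks through above, as an added example that is not part of the original message or of any Ubuntu tool: a small Python script of my own that splits a dpkg version per Debian policy into epoch, upstream version, Debian revision and Ubuntu revision, and picks the installed rows out of `dpkg -l` text. The sample output is constructed; the firefox and epoch strings are assumed shapes included to exercise the `0ubuntuN` and `N:` forms, not a record of any real machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `dpkg -l` output in the style of the lines quoted in the message
# (illustrative version strings, not a record of any real machine).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  bash           4.1-2ubuntu3   The GNU Bourne Again SHell
ii  python2.6      2.6.5-1ubuntu6 An interactive high-level object-oriented la
ii  firefox        3.6.23+build1+nobinonly-0ubuntu0.10.04.1 Safe and easy web browser
rc  oldpkg         0.1-1          removed package whose config files remain
"""

@dataclass(frozen=True)
class DebianVersion:
    epoch: int
    upstream: str                    # what the upstream project released
    debian_revision: Optional[str]   # text after the last '-', None for native packages
    debian_number: Optional[int]     # leading digits of the revision (Debian uploads)
    ubuntu_revision: Optional[str]   # text after 'ubuntu', e.g. '3' or '0.10.04.1'

_REVISION_RE = re.compile(r"^(\d+)(?:ubuntu([\d.]+))?")

def parse_version(version: str) -> DebianVersion:
    """Split a dpkg version per Debian policy: [epoch:]upstream[-revision].
    The revision is everything after the LAST hyphen (upstream may contain hyphens)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # native package: the whole string is the upstream version
        return DebianVersion(epoch, version, None, None, None)
    m = _REVISION_RE.match(revision)
    debian_number = int(m.group(1)) if m else None
    ubuntu_revision = m.group(2) if m else None
    return DebianVersion(epoch, upstream, revision, debian_number, ubuntu_revision)

def parse_dpkg_l(output: str) -> List[Tuple[str, str]]:
    """Return (name, version) for installed ('ii') rows, skipping the legend."""
    rows, past_header = [], False
    for line in output.splitlines():
        if not past_header:
            past_header = line.startswith("+++")
            continue
        fields = line.split(None, 3)
        if len(fields) >= 3 and fields[0] == "ii":
            rows.append((fields[1], fields[2]))
    return rows

def describe(name: str, version: str) -> str:
    """One-line reading of a version, in the spirit of the message above."""
    v = parse_version(version)
    if v.debian_revision is None:
        return f"{name}: upstream {v.upstream}, native package, no distribution revision"
    # A revision of the form '0ubuntuN' means the packaging originated in Ubuntu, not Debian.
    origin = "Ubuntu-originated packaging" if v.debian_number == 0 else f"Debian revision {v.debian_number}"
    ubuntu = f"Ubuntu revision {v.ubuntu_revision}" if v.ubuntu_revision else "unchanged by Ubuntu"
    return f"{name}: upstream {v.upstream}, {origin}, {ubuntu}"
```

The revision numbers count distribution uploads of that upstream version rather than individual patches; for a non-native package the actual backported fixes are listed in /usr/share/doc/<package>/changelog.Debian.gz.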
