mersenneforum.org  

Old 2020-05-15, 08:45   #12
M344587487
 
"Composite as Heck"
Oct 2017

2²×3×7² Posts

If it has access to WAN you risk breaking it by not keeping it up to date. Offline/airgapped PCs are where I agree that not updating is a reasonable option.
Old 2020-05-15, 10:04   #13
henryzz
Just call me Henry
 
"David"
Sep 2007
Cambridge (GMT)

13055₈ Posts

One of the biggest reasons to keep up to date is that security holes often get published when they are fixed. This leaves unpatched people as targets (generally there are enough to be worth targeting).
Old 2020-05-15, 10:10   #14
xilman
Bamboozled!
 
May 2003
Down not across

2760₁₆ Posts

Quote:
Originally Posted by retina View Post
You are just describing a situation where the thing isn't working, or a portion of it isn't working. Then it needs some change.

So my questions still stand unanswered: So I wonder what is 20.04 giving you that the older OS doesn't provide? If you had a working system then why risk breaking it?
See above.

Some components were potentially buggy, including some possible security bugs which may not yet be in the wild. For instance, Python 2.x reached EOL four months ago. Any holes in it will not be patched but 18.04 LTS required it at a deep system level. 20.04 LTS uses 3.x exclusively.

Some novel food became available. Numerous examples can be found at https://wiki.ubuntu.com/FocalFossa/R...s_in_20.04_LTS. Just one example of particular interest to me is PostgreSQL 12

Focal is shipping postgresql-12, which has many improvements:

  • improved query performance, particularly over larger data sets
  • SQL/JSON path expression support
  • generated columns
  • pluggable table storage interface


because I run PostgreSQL databases to hold integer factorization and astronomy databases.

Those benefits were sufficiently important for me to take the risk of upgrading and, in the case of PostgreSQL, the expense of fixing the breakages.
Old 2020-05-15, 10:15   #15
xilman
Bamboozled!
 
May 2003
Down not across

10011101100000₂ Posts

Quote:
Originally Posted by henryzz View Post
One of the biggest reasons to keep up to date is that security holes often get published when they are fixed. This leaves unpatched people as targets (generally there are enough to be worth targeting).
An example of inoculation against a potential future threat.
Old 2020-05-15, 12:05   #16
EdH
 
"Ed Hall"
Dec 2009
Adirondack Mtns

2²×5×7×23 Posts

I haven't checked lately, but 18.04's repository openmpi wouldn't work with --hostname when I was trying to use it. I was never able to get it working, even from source. This kept me from upgrading my 16.04 machines. Does anyone know if openmpi is working properly in 20.04 LTS?
Old 2020-05-17, 03:20   #17
retina
Undefined
 
"The unspeakable one"
Jun 2006
My evil lair

5534₁₀ Posts

So based upon the responses above.

1. We upgrade our OS because of a vague promise that newer stuff is "more secure" than older stuff.

2. We upgrade our OS because of an application's new features we want.

The first one looks like a catch-all to scare people into complying.
The second one looks like a non-sequitur to me. An application version shouldn't be tied to an OS.

I think a lot of the time people upgrade because the vendor tells them to. "We have some new shiny, upgrade immediately because we say so." Amirite?
Old 2020-05-17, 07:06   #18
xilman
Bamboozled!
 
May 2003
Down not across

2⁵·3²·5·7 Posts

Quote:
Originally Posted by retina View Post
So based upon the responses above.

1. We upgrade our OS because of a vague promise that newer stuff is "more secure" than older stuff.
Much more than a vague promise. In the case of Ubuntu the source code is available for you to check the claims made.
Old 2020-05-17, 08:32   #19
retina
Undefined
 
"The unspeakable one"
Jun 2006
My evil lair

2×2,767 Posts

Quote:
Originally Posted by xilman View Post
Much more than a vague promise. In the case of Ubuntu the source code is available for you to check the claims made.
I disagree with your conclusion. Yes we can review the source code. But no we can't spot the security problems. If it really was so easy to spot problems by checking the source code then we shouldn't have any security issues. Or indeed any bugs, but still they persist.
Old 2020-05-17, 09:03   #20
xilman
Bamboozled!
 
May 2003
Down not across

10080₁₀ Posts

Quote:
Originally Posted by retina View Post
I disagree with your conclusion. Yes we can review the source code. But no we can't spot the security problems. If it really was so easy to spot problems by checking the source code then we shouldn't have any security issues. Or indeed any bugs, but still they persist.
Here are the steps to be taken.
  • A vulnerability is published. The publication specifies the nature of the bug and at least one possible exploit. Some publications include proof-of-concept code to exploit the bug.
  • Examine the code for 18.04 LTS and verify that the bug exists and is exploitable in the manner documented.
  • Examine the code for 20.04 LTS and verify that the vulnerability has been addressed.
  • Repeat for the other bugs.
Of course we can't spot all bugs. That doesn't prevent us from being able to spot some bugs. Don't let the perfect be the enemy of the good.

Last fiddled with by xilman on 2020-05-17 at 09:04
Old 2020-05-17, 09:50   #21
retina
Undefined
 
"The unspeakable one"
Jun 2006
My evil lair

159E₁₆ Posts

Quote:
Originally Posted by xilman View Post
Here are the steps to be taken.
  • A vulnerability is published. The publication specifies the nature of the bug and at least one possible exploit. Some publications include proof-of-concept code to exploit the bug.
  • Examine the code for 18.04 LTS and verify that the bug exists and is exploitable in the manner documented.
  • Examine the code for 20.04 LTS and verify that the vulnerability has been addressed.
  • Repeat for the other bugs.
That's great. But doesn't address the problem. It is still a vague response. "There will be some bugs identified, and they will be fixed." No specific bugs mentioned at all. Vague.

No one has said something like: Their NIC driver ABC has bug XYZ and they need a fix for that.

But even if someone has a specific bug they need fixed. Then that fix would have to be only available in the newest version. Which for some reason hasn't been fixed in the current version they are using. Are there any security bugs fixed in 20.04 that haven't been fixed in 18.04? Or maybe someone is using 16.04 and the bug was introduced in 18.04 and if they had blindly upgraded to 18.04 they would have been worse off. I suspect almost no one knows because almost no one bothers to check. Because it is always the vague "it will be more secure" without any data provided to support that.

What new bugs are you getting with the new version? That's impossible to say of course because if we knew about them, we would fix them. Perhaps it is a case of "better the devil you know"?
retina is online now   Reply With Quote
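
The per-release comparison that the steps in post #20 and the questions in post #21 both turn on, as an added example that is not from any poster in this thread: it parses status records and reports which issues change exposure when moving between two releases. The records are constructed (placeholder CVE IDs, package name and versions), the `release_package: status (note)` layout is an assumption modelled on distribution security trackers, and xenial, bionic and focal are the codenames of 16.04, 18.04 and 20.04.

```python
import re

# Constructed sample: placeholder CVE IDs, package name and versions.
# Assumed layout: "<release>_<package>: <status> (<note or fixed version>)".
SAMPLE = """\
Candidate: CVE-XXXX-0001
xenial_examplepkg: released (1.0-1ubuntu0.3)
bionic_examplepkg: released (1.4-2ubuntu0.1)
focal_examplepkg: not-affected (1.6-1)

Candidate: CVE-XXXX-0002
xenial_examplepkg: not-affected (code not present)
bionic_examplepkg: needed
focal_examplepkg: released (1.6-1ubuntu0.1)

Candidate: CVE-XXXX-0003
xenial_examplepkg: needed
bionic_examplepkg: needed
focal_examplepkg: needs-triage
"""

LINE = re.compile(r"^(?P<rel>[a-z]+)_(?P<pkg>[\w.+-]+):\s*"
                  r"(?P<status>[\w-]+)(?:\s*\((?P<note>.*)\))?\s*$")
SAFE = {"released", "not-affected"}  # statuses meaning "not exposed on this release"

def parse(text):
    """Return {cve_id: {release: status}} from the record text."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Candidate:"):
            current = records.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is not None and (m := LINE.match(line)):
            current[m["rel"]] = m["status"]
    return records

def compare(records, old, new):
    """Classify each CVE by whether moving from old to new changes exposure."""
    out = {"fixed_only_in_new": [], "open_only_in_new": [], "unchanged": []}
    for cve, status in sorted(records.items()):
        # A release missing from a record counts as unknown, so not safe.
        old_ok, new_ok = status.get(old) in SAFE, status.get(new) in SAFE
        if new_ok and not old_ok:
            out["fixed_only_in_new"].append(cve)
        elif old_ok and not new_ok:
            out["open_only_in_new"].append(cve)
        else:
            out["unchanged"].append(cve)
    return out
```

`compare(parse(SAMPLE), "bionic", "focal")` lists what only the newer release fixes; `compare(parse(SAMPLE), "xenial", "bionic")` shows the opposite case, an issue that is open only after upgrading.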
Old 2020-05-17, 10:37   #22
xilman
Bamboozled!
 
May 2003
Down not across

2⁵·3²·5·7 Posts

Quote:
Originally Posted by retina View Post
No one has said something like: Their NIC driver ABC has bug XYZ and they need a fix for that.
You are using the words "no one" in a way which is unfamiliar to me.

For instance, read https://9to5linux.com/new-ubuntu-lin...ulnerabilities

The authors have said just that.

If by "no one" you mean contributors to this thread, then I am interested in "local attacker" vulnerabilities because I do not care to damage my systems inadvertently. Perhaps I am "no one".

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.