• Jerkface (any/all)@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    18 hours ago

    If your system is secure, updating it can only make it insecure. If that is your one and only priority, you have to review updates before applying them, and since you have thoroughly investigated your entire stack up to this update and that version also has your real-world testing behind it, you’re probably not going to apply most updates until some other priority comes along or you discover a previously unknown vulnerability.

    • fizzle@quokk.au
      link
      fedilink
      English
      arrow-up
      4
      ·
      12 hours ago

      If your system is secure, updating it can only make it insecure.

      This “logic” overlooks a number of issues.

      Firstly, no system is “secure”, only more so or less so given a specific threat model.

      Secondly, a system can become less secure without any changes, as exploits are discovered.

    • nymnympseudonym@piefed.social
      link
      fedilink
      English
      arrow-up
      9
      ·
      16 hours ago

      If your system is secure, updating it can only make it insecure

      The Internet has been an adversarial environment since at least 1988

      Thanks to recent AI advances, new security vulnerabilities are being found at a crazy pace in all layers of the stack, from firmware to GUI.

      1zOYXItTY9LRxkE.png

    • Opisek@piefed.blahaj.zone
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      17 hours ago

      I mean, yes, if you can guarantee that all your software stack in 100% secure. In reality this is unfeasible on even mathematically impossible to do formally (reducible to the halting problem). So while bugs keep being found in things like the Linux kernel (naturally, nothing is immune to oversight), and they’re always going to be, keep your software up to date.

      • tomalley8342@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 hours ago

        even mathematically impossible to do formally (reducible to the halting problem).

        Nah, if the programs are not arbitrary (and I hope they’re not, considering that you chose them) then it doesn’t reduce to that. But you are right that it is not feasible for most industries and he is right that in some industries it is not only feasible but required.

      • Jerkface (any/all)@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 hours ago

        If security is the one and only priority, you wouldn’t be running a goddamn desktop environment and all that other baggage. You absolutely would be auditing your entire stack. Because security is the one and only priority. I didn’t pose the hypothetical, but that’s the necessary consequence.