
A turning point for CVE numbers

A turning point for CVE numbers

Posted Feb 20, 2024 13:42 UTC (Tue) by pizza (subscriber, #46)
In reply to: A turning point for CVE numbers by gmgod
Parent article: A turning point for CVE numbers

> But at any rate, the time of the go-lucky approach of installing Debian stable and believing the system will never come down after an update is over.

What's the standard financial disclaimer... "past performance is no guarantee of future success"?

I once publicly called out someone (who _definitely_ should have known better) for professional incompetence after they went on a "systemd is responsible for everything wrong with society!!!111" rant after something went wrong on a Debian 9 (I think) upgrade on a critical system. A remote, (completely) headless critical system.

...Because you don't do _any_ updates on critical systems without some measure of testing first. Or, at minimum, some sort of reversion/recovery procedure. While even basic (end-user) smoke tests would have caught this particular failure [1] the fact that there wasn't any thought given to recovering from an update failure (not even "remote hands" capable of hooking up and looking at the local console) was inexcusable.

[1] Due to non-Debian-supplied software failing to start properly and systemd actually catching the failure instead of ignoring it.



A turning point for CVE numbers

Posted Feb 20, 2024 14:48 UTC (Tue) by farnz (subscriber, #17727)

Your anecdote links to a known change we're seeing in the software world: failure is less and less of an option over time. Back In The Day™ (for various values of back in the day), it was fine to depend on user complaints to tell you if a service was running or not. It was fine for anyone who could telnet to a host to be able to log in as root with just a plaintext password to authenticate them. It was fine for a system to have a few days downtime while broken hardware got replaced. It was fine for sysadmins to go digging in people's files just to see if there was something interesting in there.

None of this is OK any more; arguably, much of it was never OK, it was just accepted because doing better cost more than people were willing to pay. But time has moved on, and we expect more for less money, and to some extent, we get it - I can pay someone like Fastmail for better e-mail service than I used to be able to get from an in-house server, backed up by improvements to connectivity (where my LAN might have shared a single dial-up link 30 years ago, I've now got high speed Internet that's faster than the LAN speeds I got 30 years ago, and mail protocols designed to cope with the latency added by going to an outside datacentre instead of to a machine on the 10BASE2 network).

A turning point for CVE numbers

Posted Feb 20, 2024 15:34 UTC (Tue) by pizza (subscriber, #46)

> But time has moved on, and we expect more for less money, and to some extent, we get it

Note that "for less money", in practice, means an increasing unwillingness to pay _anything at all_, because "something else is paying/subsidizing the cost of service".

(And one of those "something elses" is our service provider snooping on everything we do, including our at-rest data, finding "interesting" things to monetize. But hey, it's not "money", so that's fine!)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds