mikewarot, 4 days ago:
> Saved by procrastination!

Seriously, this is one of my key survival mechanisms. By the time I became system administrator for a small services company, I had learned to let other people beta test things. We ran Microsoft Office 2000 for 12 years, and saved soooo many upgrade headaches. We had a decade without the need to retrain. That, and like others have said... never clicking links in emails.

mesofile, 4 days ago:
This is how I feel about my Honda, and to some extent, Kubernetes. In the former case I kept a 2006 model in good order for so long I skipped at least two (automobile) generations' worth of car-to-phone teething problems, and after years of hearing people complain about their woes I've found the experience of connecting my iPhone to my '23 car pretty hassle-free.

In the latter, I am finally moving a bunch of workloads out of EC2 after years of nudging from my higher-ups and, while it's still far from a simple matter, I feel like the managed solutions in EKS and GKE have matured and greatly lessen the pain of migrating to K8s. I can only imagine what I would have gotten bogged down with had I promptly acted on my bosses' suggestion to do this six or seven years ago. (I also feel very lucky that the people I work for let me move on these things in my own due time.)

cirelli94, 3 days ago:
In the meantime you had a car for years without connecting your iPhone, so you completely didn't have that feature!

There are pros and cons everywhere, but I'm more prone to change often and fix things than to wait for features to be stable and meanwhile do without them.

Of course, only when I can afford it, e.g. not by changing my car every two years :')

rascul, 3 days ago:
> In the meantime you had a car for years without connecting your iPhone, so you completely didn't have that feature!

Such a feature can be added.

rollcat, 3 days ago:
This. At $PAST_DAYJOB we adopted Docker "only" around 2016, and importantly, we used it almost identically to how we used to deploy "plain" uWSGI or Apache apps: a bunch of VMs, run some Ansible roles, pull the code (now image), restart, done. The time to move to k8s is when you have a k8s-sized problem. [Looks at GitHub: 760 releases, 3866 contributors.] Yeah, not now.

nottorp, 4 days ago:
Not in the "npm ecosystem". You're hopelessly behind there if you haven't updated in the last 54 seconds.

ainiriand, 4 days ago:
Well, in this case it makes sense to update fast, doesn't it?

ohdeargodno, 4 days ago:
Sorry, the "npm ecosystem" command has been deprecated. You can instead use "npm environment" (or "npm under-your-keyboard", because we helpfully decided it should autocorrect and be an alias).

blamestross, 4 days ago:
"Just wait 2 weeks to use new versions by default" is an amazing defense method against supply chain attacks.

booi, 3 days ago:
Is there some sort of easy operational way to do this? There are well-known tech companies that do this internally, but afaik this isn't a feature of OSS registries like Verdaccio.

fclairamb, 3 days ago:
Renovate is a great (and free) tool to update your dependencies. By default it will update packages within hours (often minutes) of their release, but you can change that behavior with the minimumReleaseAge parameter. https://docs.renovatebot.com/configuration-options/#minimumr...

jamietanna, 3 days ago:
Yep, Renovate's `minimumReleaseAge` is what you want here.

Dependabot has recently added this functionality too; it's called `cooldown`: https://docs.github.com/en/code-security/dependabot/working-...

(I'm soon to be working at Mend on Renovate full time, but have been a big fan of Renovate over other tools for years.)

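The Renovate option named above, written out as a complete `renovate.json`. This is an added example for the thread, not a file from the Renovate project or from either commenter; the 14-day value is the figure from the comment being replied to, not a Renovate default (Renovate applies no minimum age unless you set one):

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "14 days",
  "internalChecksFilter": "strict"
}
```

`minimumReleaseAge` holds back any release younger than the duration you give. `internalChecksFilter: "strict"` makes Renovate propose the newest version that has already aged past the cutoff rather than proposing nothing until the very latest one qualifies. Dependabot's equivalent is the `cooldown` block in `.github/dependabot.yml`, whose `default-days` key sets the same kind of delay.

Two caveats a practitioner should keep in mind. The delay only governs the bot's pull requests: if `package.json` carries caret ranges and the lockfile is not committed and installed with `npm ci`, a plain `npm install` still resolves to whatever was published a minute ago. And a cooldown only helps against malicious versions that get noticed and pulled within the window; it does nothing for a compromised version you adopted before the compromise was known.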
Apfel, 3 days ago:
The one big problem Renovate brings is when it automerges and breaks everything with e.g. a TypeScript upgrade. It's simple enough to handle and prevent, but has required quite a lot of developer education for those who are not particularly frontend-focused, in my experience.

jamietanna, 3 days ago:
Interesting, so you've enabled Renovate's automerge functionality for dependencies? Renovate uses signals like your CI to work out whether things break before an automerge occurs. Does that mean your CI didn't catch the breakage? Or something I've missed? (There's also the "merge confidence" that can help here.)

(I'm soon to be working at Mend on Renovate full time.)

wallrat, 3 days ago:
There are dependency firewalls that let you enforce this (e.g. https://docs.bytesafe.dev/policies/delay-upstream/). Don't know any OSS solutions though.

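For the "easy operational way" asked about above, the check itself is small enough to run in CI without a registry proxy. The npm registry's packument for a package (`GET https://registry.npmjs.org/<name>`, or `npm view <name> time --json`) carries a `time` map from every published version to its publish timestamp, which is all a cooldown needs. The script below is an added example, not code from the thread, from Renovate, or from any of the products named; the package `@example/widget`, its timestamps and the pin map are constructed for illustration, and the function names are mine.

```javascript
// Enforce a minimum release age ("cooldown") for pinned npm dependencies,
// using only registry metadata. Unknown or unparseable publish times fail
// closed: a version missing from `time` is a typo, an unpublished release,
// or tampered metadata, and none of those should pass silently.

const MS_PER_DAY = 86_400_000;
const DEFAULT_MIN_AGE_DAYS = 14;

// Age of a publish timestamp in days relative to `now` (ms since epoch).
// Returns NaN when the timestamp does not parse.
function ageInDays(publishedIso, now) {
  const published = Date.parse(publishedIso);
  return Number.isNaN(published) ? NaN : (now - published) / MS_PER_DAY;
}

// Decide whether one specific version is old enough to adopt.
function isMature(packument, version, now, minAgeDays = DEFAULT_MIN_AGE_DAYS) {
  const time = packument.time || {};
  if (!Object.prototype.hasOwnProperty.call(time, version)) {
    return { ok: false, reason: `no publish time recorded for ${version}` };
  }
  const age = ageInDays(time[version], now);
  if (Number.isNaN(age)) {
    return { ok: false, reason: `unparseable publish time for ${version}` };
  }
  if (age < minAgeDays) {
    return { ok: false, reason: `${version} published ${age.toFixed(1)} days ago, need ${minAgeDays}` };
  }
  return { ok: true, ageDays: age };
}

// Newest version that has already aged past the cooldown. Ordering by publish
// time instead of by semver keeps the example dependency-free; it matches the
// registry's release order for a single line of development, but a backported
// patch to an old major line would sort as "newest" here.
function newestMatureVersion(packument, now, minAgeDays = DEFAULT_MIN_AGE_DAYS) {
  const time = packument.time || {};
  const mature = Object.entries(time)
    .filter(([version]) => version !== 'created' && version !== 'modified')
    .filter(([, iso]) => ageInDays(iso, now) >= minAgeDays)
    .sort(([, a], [, b]) => Date.parse(b) - Date.parse(a));
  return mature.length > 0 ? mature[0][0] : null;
}

// Audit a lockfile-style pin map ({ name: version }) and return every pin that
// fails the cooldown, including packages with no metadata supplied at all.
function auditPins(pins, packuments, now, minAgeDays = DEFAULT_MIN_AGE_DAYS) {
  const findings = [];
  for (const [name, version] of Object.entries(pins)) {
    const packument = packuments[name];
    if (!packument) {
      findings.push({ name, version, ok: false, reason: 'no registry metadata' });
      continue;
    }
    const verdict = isMature(packument, version, now, minAgeDays);
    if (!verdict.ok) findings.push({ name, version, ...verdict });
  }
  return findings;
}

// Constructed sample data (not a real package): three releases, the last of
// them published a day and a half before the audit runs.
const SAMPLE_NOW = Date.parse('2025-09-20T00:00:00Z');
const SAMPLE_PACKUMENTS = {
  '@example/widget': {
    time: {
      created: '2023-01-01T00:00:00Z',
      modified: '2025-09-18T12:00:00Z',
      '1.0.0': '2023-01-01T00:00:00Z',
      '1.1.0': '2025-08-01T00:00:00Z', // 50 days old: passes a 14-day cooldown
      '1.1.1': '2025-09-18T12:00:00Z', // 1.5 days old: held back
    },
  },
};

// Stand-alone demo: one pin too fresh, one package with no metadata.
const demoPins = { '@example/widget': '1.1.1', '@example/unknown': '2.0.0' };
console.log(auditPins(demoPins, SAMPLE_PACKUMENTS, SAMPLE_NOW));
console.log('newest mature:', newestMatureVersion(SAMPLE_PACKUMENTS['@example/widget'], SAMPLE_NOW));
```

To use it for real, feed `auditPins` the `packages` section of `package-lock.json` and the packuments fetched per name, and fail the build on a non-empty result. Note what this does and does not cover: it stops you from adopting a version before the rest of the ecosystem has had a chance to notice it is bad, and nothing more. A payload that stays dormant for longer than the window, or a package that was already compromised when you first pinned it, passes this check.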
kevinrineer, 4 days ago:
It's also a really ineffective defense against 0-days!

easterncalculus, 3 days ago:
In the context of a single system, there is no such thing as an "effective defense against 0 days"; that's marketing babble. A zero day by definition is an exploit with no defense. That's literally what that means.

hdjrudni, 3 days ago:
That doesn't sound right.

> A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. "Zero day" refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.

If I never install the infected software, I'm not vulnerable, even if no one knows of its existence.

That said, you could argue that because it's a zero day and no one caught it, it can lie dormant for >2 weeks, so your "just wait a while" strategy might not work if no one catches it in that period. But if you're a hacker sitting on a goldmine of infected computers... do you really want to wait it out to scoop up more victims before activating it? It might be caught.

saberience, 3 days ago:
Yeah, but zero days usually refer to some software which is commonly installed, e.g. a zero day in the version of Windows or macOS that most people are using. No one bothers finding 0-days in software which no one has installed.

blamestross, 4 days ago:
Sadly we don't have any defense against 0-days if an emergency patch is indistinguishable from an attack itself. A better defense would be to delete or quarantine the compromised versions, fail to build, and escalate to a human for zero-day defense.

minitech, 3 days ago:
> Sadly we don't have any defense against 0-days if an emergency patch is indistinguishable from an attack itself.

Reading the code content of emergency patches should be part of the job. Of course, with better code trust tools (there seem to have been some attempts at that lately, not sure where they're at), we can delegate that and still do much better than the current state of things.

ozim, 3 days ago:
If I put my risk management hat on, 0-days in the npm ecosystem are not that much of a problem. They stop working before you can use them.

efreak, a day ago:
I ran Office XP on my desktop and 2000 on my laptop until I got to college and _needed_ to upgrade so I could do work with others. Block it with the firewall and you're good. Now I mostly use WordPad, and use a recent (but rarely updated) version of OpenOffice on the rare occasions I actually need an office suite or spreadsheet. If you're worried about vulnerabilities in older software these days, Windows has built-in security features that can help with that, from the sandbox to Controlled Folder Access (intended for ransomware protection, I believe; I use it to prevent my media server from modifying tags).

pixl97, 3 days ago:
Works great for newly exploited packages. Not so great for already compromised software getting hit by a worm.

RedShift1, 4 days ago:
I'll reply to you tomorrow.

TYPE_FASTER, 4 days ago:
...by then it might be working again anyway, or the user figured out what they were doing wrong. "Hey, is it still broken? No? Great!"
