DrScientist 9 hours ago

The thing I find most odd about the constant pressure to update to the most recent and implied best version is that there is some implicit belief that software gets uniformly better with each release.

Bottom line, those security bugs are not all from version 1.0, and when you update you may well just be swapping known bugs for unknown bugs.

As has been said elsewhere - sure, monitor published issues and patch if needed, but don't just blindly update.

cesarb 2 hours ago

> Bottom line those security bugs are not all from version 1.0, and when you update you may well just be swapping known bugs for unknown bugs.

One great example of that is log4shell. If you were still using version 1.0 (log4j 1.x), you were not vulnerable, since the bug was introduced in version 2.0 (log4j 2.x). There were some known vulnerabilities in log4j 1.x, but the most common configuration (logging only to a local file or to the console, no remote logging or other exotic stuff) was not affected by any of them.
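The "monitor published issues and patch if needed" approach from the thread, and the log4j 1.x vs 2.x point above, can be turned into a mechanical check: compare a pinned version, and the version you would upgrade to, against published affected-version ranges, and report what an upgrade actually fixes versus what it newly exposes you to. The following is an added example, not code from the thread or from any advisory database. The advisory data is constructed: the log4shell entry takes "introduced in 2.0" from the comment above and assumes 2.15.0 as the first fixed release (the thread does not state a fix version); the `EXAMPLE-1X-ONLY` entry is a made-up stand-in for the 1.x-only issues the comment mentions, not a real identifier.

```python
"""Check pinned dependency versions against advisory affected-version ranges.

Added example (not from the thread). Advisory data below is constructed
for illustration; only the introduced-in-2.0 fact comes from the discussion.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    ident: str            # advisory identifier (constructed below)
    package: str          # affected package name
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a tuple that compares correctly.

    Numeric components compare numerically (so 2.14 > 2.9), missing components
    count as 0, and a pre-release tag sorts before the bare release
    (2.0-beta9 < 2.0).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad to major.minor.patch
    if m.group(2):                           # pre-release: sorts first
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:                                    # final release
        pre = (1, "", 0)
    return nums + pre


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed) for this advisory."""
    pv = parse_version(version)
    if pv < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and pv >= parse_version(adv.fixed):
        return False
    return True


def affecting(package: str, version: str, advisories: List[Advisory]) -> List[str]:
    """Identifiers of all advisories that apply to package@version."""
    return [a.ident for a in advisories
            if a.package == package and is_affected(version, a)]


def compare_upgrade(package: str, current: str, candidate: str,
                    advisories: List[Advisory]) -> Tuple[List[str], List[str]]:
    """What an upgrade would close, and what it would newly expose.

    Returns (fixed_by_upgrade, newly_introduced) so the trade-off the thread
    describes (swapping one set of known issues for another) is explicit.
    """
    cur = set(affecting(package, current, advisories))
    cand = set(affecting(package, candidate, advisories))
    return sorted(cur - cand), sorted(cand - cur)


# Constructed advisory list. "introduced 2.0" is from the thread; the 2.15.0
# fix version is an assumption; EXAMPLE-1X-ONLY is a made-up placeholder
# standing in for the 1.x-only issues mentioned in the comment.
ADVISORIES = [
    Advisory("log4shell", "log4j", "2.0", "2.15.0"),
    Advisory("EXAMPLE-1X-ONLY", "log4j", "1.2.0", "2.0"),
]


if __name__ == "__main__":
    for v in ("1.2.17", "2.14.1", "2.15.0"):
        print(f"log4j {v}: {affecting('log4j', v, ADVISORIES) or 'no known advisories'}")
    closed, opened = compare_upgrade("log4j", "1.2.17", "2.14.1", ADVISORIES)
    print(f"upgrade 1.2.17 -> 2.14.1 closes {closed}, newly exposes {opened}")
```

Running it shows the asymmetry the comment describes: 1.2.17 is only hit by the constructed 1.x entry, 2.14.1 is hit by the log4shell entry, and an upgrade from one to the other closes one list while opening another. Feeding real advisory ranges (from your scanner's database or a vendor feed) into `ADVISORIES` is the only change needed to use this against a real lockfile.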

switchbak 8 hours ago

I remember this used to actually be the case, but that was many moons ago when you'd often wait a long time between releases. Or maybe the quality bar was lower generally, and it was just easier to raise it?

These days it seems most software just changes mostly around the margins, and doesn't necessarily get a whole lot better. Perhaps this is also a sign I'm using boring and very stable software which is mostly "done"?