The nuts and bolts => Networking & Security => Topic started by: sledgehammer on July 12, 2014, 11:07:05 pm

Post by: sledgehammer on July 12, 2014, 11:07:05 pm
Several months ago, my machine, a Samsung, quit (sort won't save files and there's plenty of room on the hard drive). I eventually developed a plan, in lieu of saving to a USB stick, being to put 7.1 on a new Lenovo Ideapad once 7.1 arrived and then move all my stuff over. Meanwhile I started using an old IBM T60P running Debian wheezy, while keeping the 7.0 Vector workhorse machines running at the office. 7.1 has been a long time coming. I notice with Debian that often, perhaps every week, I will get a warning "your systems needs to be updated," or "security updates are available." I then go to Synaptic package manager, click "mark all upgrades", usually two or three programs install, the warning sign disappears and I go about my business. These updates don't seem to install programs, but rather, I think, utilities of some nature or another are installed. I have no problem with this, though the wheezy programs are somewhat dated (often quite a bit out of date). For example, wheezy still has LyX 2.03, which is 3 or 4 versions out of date. This never happened for long with Vector as I was almost always able to install new versions of software and kept my system up to date that way.

I don't recall that Vector issues update/security notices nearly as often. Yet my WordPress site was recently hacked (blacklisted, after I started maintaining it on the Debian machine) and I never was hacked while maintaining it on my Samsung.

So, finally, here is my question: Are these Debian update/security notices needed and, if so, does hata_ph's regular posting of new software (which I read regularly) perform the same basic function?

Title: Re: update question
Post by: rbistolfi on July 14, 2014, 11:15:04 am
Hi John,

Short answer, yes and yes.
Those security updates usually patch known issues. These are important because known issues are usually easy to exploit if an attacker targets you.
We try to release these kinds of updates as fast as we can. While not always announced as they should be, they usually hit the repos quickly.
Your WordPress problem could be caused by an outdated WordPress instance (or one of its plugins if you use any) or its dependencies (some database like MySQL or Postgres, PHP, etc.). It is a good idea to update WordPress often; it is so popular that it is a common target for the black hats.

Title: Re: update question
Post by: sledgehammer on July 14, 2014, 08:12:13 pm
Thanks Rodrigo. 

Argentina stood proud yesterday.  We who reside on this side of the world can hold our heads high.  That includes Brazilians.

Your response leads me to ask a followup question, which relates to the various posts over the years dealing with whether, on Vector, one should run "mark all updates" in the standard Vector repository on a regular basis. I have never done this for fear I will somehow cause something to stop working. I just watch hata_ph's posts and if I see something I know I am using with a later version, install it once it reaches the standard repository (and occasionally from the Vector testing and even the untested repositories). But it sounds like I might be better off installing all upgrades from the standard repository on a regular basis. What do you think?

Title: Re: update question
Post by: retired1af on July 15, 2014, 06:09:56 am
Installing all updates isn't a good idea as it can and often does result in breakage. We just don't have the testing capability that the bigger distributions have to make sure that a new update doesn't mess with existing setups.

Title: Re: update question
Post by: rbistolfi on July 15, 2014, 06:30:10 am

The ultimate goal is to allow automatic updates without any problem. It's a hard one to reach. We think that 7.1 will be better than any other Vector version in that matter once it is released. I think you should be safe if sticking with the stable repositories. The Vector team is always thinking about how to solve this problem. A combination of community effort (testing new packages) and automatic testing software is probably the optimal solution. For someone that follows the forum posts, it shouldn't be hard to identify must-have updates. For those who do not have the time or the will for that, the team will do its best to make the updates work with minimal intervention. The vectorites have been working a lot to improve the situation; we will have to wait for 7.1 and see how effective this work will be.

About the Argentina performance in the World Cup, I think we can't ask for more. Asking for a win is absurd; what I and some others expect from our players is to leave everything on the field, and to play to win. IMHO our fellows did it great. Congratulations to the German team for a well deserved championship :)