undefined | Better HN

0 pointsindymike3y ago0 comments

This is what is expected on LTS releases and is what is expected by people that highly value long term support releases. That said, I think modern security and modern software development practices have obsoleted a lot of the thinking behind LTS releases.

0 comments

JohnFen3y ago

Sadly, modern software development practices have neutered a lot of LTS releases -- but the need for real LTS releases is stronger than ever.

indymikeOP3y ago

> but the need for real LTS releases is stronger than ever

Actually, I think the LTS mentality is one of the bigger problems in security right now. The hardest problems I've had to deal with in tech all stem for LTS:

* Getting an not-substantial budget to update an essential but forgotten server with custom software and an unpatched heartbleed problem.

* Convincing developers to even look at old web services that have massive SQL injection and were built with libraries with known (six years ago) exploits, all running on some 13 year old version of RedHat.

* Inevitable meetings where you try your best to avoid saying "I told you so" when a disclosure, cryptolocker or malware infestation happens because of the above. These are no fun because they quickly devolve into career-end bingo.

JohnFen3y ago

(This entire comment is about my use of my own machines, not about the use of machines in an enterprise setting. In the enterprise, much of this is very, very different)

From a security point of view, yes, you have a point.

But I blame the problem on the industry shift to lumping security and feature updates together. I hate, and prevent, automatic software updates because I don't want feature changes to happen except if/when I'm ready for them. Feature updates are very disruptive, and sometimes break things horribly.

If I could just get security updates, I'd allow those to automatically happen without thinking twice. LTS releases were a (poor) compromise to accomodate those of us who can't, or won't, take on random feature updating.

Sadly, the LTS time periods are getting so short that they're often not effective for this purpose anymore -- so in those cases, I resort to blocking updates entirely until I'm ready for them.

That's also a bad security place to be. I just don't see any other way to handle it aside from separating security and feature updating, like we used to do. But that's not going happen. So all I'm left with is LTS releases and blocking updates.

j / k navigate · click thread line to collapse

0 comments

JohnFen3y ago

Sadly, modern software development practices have neutered a lot of LTS releases -- but the need for real LTS releases is stronger than ever.

indymikeOP3y ago

> but the need for real LTS releases is stronger than ever

Actually, I think the LTS mentality is one of the bigger problems in security right now. The hardest problems I've had to deal with in tech all stem for LTS:

* Getting an not-substantial budget to update an essential but forgotten server with custom software and an unpatched heartbleed problem.

JohnFen3y ago

(This entire comment is about my use of my own machines, not about the use of machines in an enterprise setting. In the enterprise, much of this is very, very different)

From a security point of view, yes, you have a point.

Sadly, the LTS time periods are getting so short that they're often not effective for this purpose anymore -- so in those cases, I resort to blocking updates entirely until I'm ready for them.

j / k navigate · click thread line to collapse