I write this in the context of my decision to ditch Raspberry Pi OS and move everything I possibly can, including my Raspberry Pi devices, to Debian. I will write about that later.

But for now, I wanted to comment on something I think is often overlooked and misunderstood by people considering distributions or operating systems: the huge importance of getting security updates in an automated and easy way.

Let’s assume that these statements are true, which I think are well-supported by available evidence:

- Every computer system (OS plus applications) that can do useful modern work has security vulnerabilities, some of which are unknown at any given point in time.
- During the lifetime of that computer system, some of these vulnerabilities will be discovered.
- For a (hopefully large) subset of those vulnerabilities, timely patches will become available.

Now then, it follows that applying those timely patches is a critical part of having a system that is as secure as possible. Of course, you have to do other things as well – good passwords, secure practices, etc – but, fundamentally, if your system lacks patches for known vulnerabilities, you’ve already lost at the security ballgame.

There is something of a continuum of how you might patch your system. It runs roughly like this, from best to worst:

1. All components are kept up-to-date automatically, with no intervention from the user/operator.
2. The operator is automatically alerted to necessary patches, and they can be easily installed with minimal intervention.
3. The operator is automatically alerted to necessary patches, but they require significant effort to apply.
4. The operator has no way to detect vulnerabilities or necessary patches.

It should be obvious that the first situation is ideal. Every other situation relies on the timeliness of human action to keep up-to-date with security patches. This is a fallible situation: humans are busy, take trips, dismiss alerts, miss alerts, etc. That said, it is rare to find any system living truly all the way in that scenario, as you’ll see.

## What is “your system”?

A critical point here is: what is “your system”? It includes:

- All the libraries needed to run all of the above.

Some OSs, such as Debian, make little or no distinction between the base OS and the applications. Others, such as many BSDs, have a distinction there. And in some cases, people will compile or install applications outside of any OS mechanism. (It must be stressed that by doing so, you are taking the responsibility of patching them on your own shoulders.)

## How do common systems stack up?

Debian, with its support for unattended-upgrades, needrestart, debian-security-support, and such, is largely category 1. It can automatically apply security patches, in most cases can restart the necessary services for the patch to take effect, and will alert you when some processes or the system must be manually restarted for a patch to take effect (for instance, a kernel update). Those cases requiring manual intervention are category 2. The debian-security-support package will even warn you of gaps in the system. You can also use debsecan to scan for known vulnerabilities on a given installation.

FreeBSD has no way to automatically install security patches for things in the packages collection. As with many rolling-release systems, you can’t automate the installation of these security patches with FreeBSD because it is not safe to blindly update packages. It’s not safe to blindly update packages because they may bring along more than just security patches: they may represent major upgrades that introduce incompatibilities, etc. Unlike Debian’s practice of backporting fixes and thus producing narrowly-tailored patches, forcing upgrades to newer versions precludes a “minimal intervention” install. Therefore, rolling release systems are category 3.

Things such as Snap, Flatpak, AppImage, Docker containers, Electron apps, and third-party binaries often contain embedded libraries and such for which you have no easy visibility into their status. These systems are category 4 – you don’t even know if you’re vulnerable. For instance, if there was a bug in libpng, would you know how many of your containers had a vulnerability?
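To make the Debian-side checks concrete, here is a small audit script (an added example, not code from the post) that reads the unattended-upgrades configuration at /etc/apt/apt.conf.d/20auto-upgrades, checks whether needrestart and debian-security-support are installed, looks for the /var/run/reboot-required flag, and reports which of the categories above the host currently falls into. The category rules and the helper names (`patch_category`, `audit_host`) are this example’s own assumptions, and category 4 is deliberately out of its reach because libraries embedded in snaps or containers are invisible to dpkg.

```shell
#!/bin/sh
# Added example (not from the post): classify a Debian host's patching posture
# into categories 1-3. Paths are the standard Debian locations; the category
# rules and helper names are this example's own assumptions.
AUTO_CONF=/etc/apt/apt.conf.d/20auto-upgrades   # written by dpkg-reconfigure unattended-upgrades
REBOOT_FLAG=/var/run/reboot-required            # consulted by unattended-upgrades for automatic reboots

# Succeeds if the apt.conf fragment at $1 turns on both periodic list updates
# and unattended upgrades (any positive interval counts as "on").
apt_auto_upgrades_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*APT::Periodic::Update-Package-Lists[[:space:]]+"[1-9][0-9]*";' "$1" &&
        grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"[1-9][0-9]*";' "$1"
}

# Succeeds if dpkg reports package $1 as installed; fails quietly where
# dpkg-query does not exist (non-Debian hosts).
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Prints the category for: $1 = apt.conf fragment, $2 = reboot flag path,
# $3 = 1 if needrestart is installed. Category 4 (libraries embedded in snaps,
# containers and the like) is invisible to dpkg and cannot be decided here.
patch_category() {
    if apt_auto_upgrades_enabled "$1"; then
        if [ "$3" = 1 ] && [ ! -e "$2" ]; then
            echo 1   # patches applied and services restarted without a human
        else
            echo 2   # patches applied, but a restart or reboot still needs a human
        fi
    else
        echo 3       # apt can report updates, but applying them is manual work
    fi
}

# Report on the live host. Every check is wrapped so that a missing tool or
# file lowers the category instead of aborting the script.
audit_host() {
    nr=0
    if pkg_installed needrestart; then nr=1; fi
    dss=no
    if pkg_installed debian-security-support; then dss=yes; fi
    printf 'unattended-upgrades enabled: %s\n' "$(apt_auto_upgrades_enabled "$AUTO_CONF" && echo yes || echo no)"
    printf 'needrestart installed:       %s\n' "$([ "$nr" = 1 ] && echo yes || echo no)"
    printf 'debian-security-support:     %s\n' "$dss"
    printf 'reboot pending:              %s\n' "$([ -e "$REBOOT_FLAG" ] && echo yes || echo no)"
    printf 'patch category:              %s\n' "$(patch_category "$AUTO_CONF" "$REBOOT_FLAG" "$nr")"
}
audit_host
```

The script only reads files, so it needs no privileges; debsecan, mentioned above, supplies the per-package vulnerability list that this script does not try to replicate.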