linux
luxter, 2019-09-25 16:26:25

Do you install updates when nobody asks for them, in order to stay up to date, close CVEs, etc.?

Hello. Out of interest, I want to know the general opinion on the hackneyed topic of updates. In one data center (security, closed segment, meticulous security guards, everything) there are machines on relatively old RHEL 6.x, and there are many sites running on cms, which is also ancient. This whole thing has never been updated. And here there is the internal perfectionism for updating everything as much as possible, but the classic principle "it works - don't touch it" haunts me. There is no objective need to install updates: it performs its functions, and a couple of ports are open from the outside (although if someone really needs to, they will find a hole through them). It would seem, why update, but there are adherents of updates, and there are adherents of the lazy sect who do not want to update and keep up to date. And when you do need it, it turns out that after 100500 versions you just can't update without a tambourine, and it only makes things worse. So I'm torn between two sides: give up on it and wait for the "necessary" moment, or slowly start updating.
In addition, there are various projects that physically run on the more recent CentOS 7.2, and since the initial setup the system packages and the kernel have not been updated there either (well, at least the CMS is updated here), but it is still annoying that one day it will be necessary to update, because developers will need something from the latest version of a package that will require an update of the entire OS.
And just like that, "updates for the sake of updates" also do not want to be installed. To summarize, I will formulate the question: do you install updates if nobody asks you to, in order to stay current, close CVEs, etc.? And what do you think about this whole topic? Thank you.


5 answer(s)
Andrey Semenov, 2019-09-25
@EraserKhv

Security updates are a must, especially on systems that face the Internet.
As for functional updates, here "it works - don't touch it" is better :) Examples. 1. There is an X-ray baggage scanner at the airport, controlled by a computer with Windows NT pre-installed; an attempt to update it is a chance to get a brick that is very expensive to revive. 2. There is a file server running Windows 2003 R2 in one organization, in a branch far, far away; the absence of new drivers does not allow installing a more recent OS, and the financial situation does not allow changing the hardware. However, it has 2 years of uptime and no gaps. Does it work?) Don't touch it :)
It all depends on the situation.
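
The split between security and functional updates drawn in the answer above, as an added example that is not part of the thread: a shell helper that sorts pending errata into security advisories by severity and everything else. The three-column `yum updateinfo list` layout, the function names and all sample advisory IDs and package versions are assumptions constructed for illustration.

```sh
# Added example, not from the thread: split pending errata into security
# (by severity) and everything else, from `yum updateinfo list` output.

# Constructed sample. Assumed layout: advisory, type or Severity/Sec., package.
# Advisory IDs and package versions are placeholders, not real errata.
sample_updateinfo() {
cat <<'EOF'
Loaded plugins: product-id, security
RHSA-0000:0001 Important/Sec. kernel-0.0.0-1.el6.x86_64
RHSA-0000:0001 Important/Sec. kernel-headers-0.0.0-1.el6.x86_64
RHSA-0000:0002 Critical/Sec.  openssl-0.0.0-2.el6.x86_64
RHSA-0000:0003 Moderate/Sec.  httpd-0.0.0-3.el6.x86_64
RHSA-0000:0006 security       bash-0.0.0-6.el6.x86_64
RHBA-0000:0004 bugfix         tzdata-0.0.0-4.el6.noarch
RHEA-0000:0005 enhancement    sos-0.0.0-5.el6.noarch
updateinfo list done
EOF
}

# Reads updateinfo lines on stdin; prints "<class> <advisories> <packages>".
summarize_updates() {
    awk '
        $1 !~ /^RH[SBE]A-/ { next }              # skip plugin banner and footer
        {
            if ($2 ~ /\/Sec\.$/)      cls = tolower(substr($2, 1, index($2, "/") - 1))
            else if ($2 == "security") cls = "unrated-security"  # no severity shown
            else                       cls = "non-security"      # bugfix, enhancement
            pkgs[cls]++
            if (!seen[cls, $1]++) advs[cls]++    # one advisory may cover several packages
        }
        END { for (c in pkgs) print c, advs[c], pkgs[c] }
    ' | sort
}

# Succeeds when Critical or Important security errata are pending.
needs_urgent_patching() {
    summarize_updates | grep -Eq '^(critical|important) '
}

# On a real host, assuming the repos carry updateinfo metadata (RHEL does;
# RHEL 6 also needs yum-plugin-security installed):
#   yum -q updateinfo list | summarize_updates
#   yum --security update      # installs security errata only
sample_updateinfo | summarize_updates
```

CentOS base repositories have historically not published updateinfo metadata, so on the CentOS 7.2 hosts mentioned in the question this filter would have nothing to work with and the whole update set has to be tested instead.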

Ronald McDonald, 2019-09-25
@Zoominger

internal perfectionism for updating everything as much as possible

That's right.
This is a very bad principle that should never be used.
And so it is. Most often you can't simply upgrade from one major version to the next.
Yes, definitely. No one makes updates (the updates themselves, patches) just like that, for lack of anything better to do; these are always bug fixes, closed holes, new features.
Not every day, but once every 2-4 weeks for sure.
I advise you to take an image of some server with dd, put it into, say, VirtualBox and, for starters, update it there. If all is well, update production.

CityCat4, 2019-09-25
@CityCat4

EL6 still gets its own updates to this day. Yes, the main package base there is ancient, like a mammoth barn, but updates for the kernel and the main packages are coming out and, if you wish, you can add something more or less fresh there.
If you don't update, then one day you can get into a situation where the bosses are screaming and rushing you, demanding to install software X, which needs software Y, which won't install because version Z of a library is lower than necessary, and to update it you need to shovel through half the system...
Ronald McDonald gave good advice: take an image, try to run it in a virtual machine, update it and see what problems come up. Start with the least loaded machine.

Valentine, 2019-09-25
@ProFfeSsoRr

And just like that, "updates for the sake of updates" also do not want to be installed.

And rightly so, it's just dangerous. I have a process in place for how to live on a rolling release in prod, and when the process is established, you can update every day, but "just like that" is dangerous.
But there is a point here: we are talking about RHEL, and they don't make radical updates within one version of the distribution, and they test everything for compatibility themselves. And if they release an update, apparently it is necessary.

Radjah, 2019-09-26
@Radjah

If there is a possibility of a problem, then you put the necessary version of the OS and software on a test machine / virtual machine and deploy one "site on cms, which is also ancient" there.
Test performance on typical tasks. If there are no problems, then you can roll it out to production.
If the engine cannot be updated, then it will at least run on a newer version of the http server and interpreter with closed holes.
