[ale] AARG! Manual software updates, Sun Java, LibreOffice, help
Ron Frazier
atllinuxenthinfo at c3energy.com
Tue Nov 8 08:29:34 EST 2011
I want to thank all who have been sharing information with me on this
thread. I'm trying to get my brain around the differences between
maintaining a Windows machine, and a Linux machine, and what's required
to keep the machine secure and functional. Obviously, there are
dramatic differences between the two systems, so I appreciate the help.
I have a few more comments / questions related to this message. Last
night, I rebooted into a live CD of Ubuntu 10.04 to refresh my memory of
what it was like the day it was born. That evoked more questions, which
I'll post in a separate message. More comments below.
Sincerely,
Ron
On 11/07/2011 03:34 PM, Michael B. Trausch wrote:
> On 11/07/2011 03:15 PM, Ron Frazier wrote:
>
>> Yes but you said you run Gentoo, which is a rolling release system. So
>> you may be getting more frequent updates than I.
>>
> I didn't do things any differently when I ran Ubuntu. However, I did
> not run the LTS releases except on servers. If you like to use recent
> stuff (not just patched things, but up-to-date on features, too) then
> you'll want to not use the LTS releases for that reason. It's all about
> what you choose, and you should choose something that fits the way you
> want your system to work.
>
> There are hundreds, if not thousands, of Linux distributions out there.
> You can have your way with at least one of them.
>
> I moved to Gentoo not because Ubuntu wasn't updating things quickly
> enough, but because I got tired of the politics and drama behind it,
> including variants on the "corporate blame game" that they do in their
> bug tracking system. I started becoming unhappy with Ubuntu way back in
> 2007, but they weren't so bad that the bad outweighed the good. With
> the advent of the new "we know better than you do" crowd, though, well,
> that was the tipping point for me.
>
>
>> As far as I know, the
>> most common vectors for malware are office documents,
>>
> On Microsoft Office, and in the default configuration of having macros
> enabled, yes, that'd be correct.
>
>
LibreOffice / OpenOffice has security settings I have to check too. I
believe the Macro setting defaults to high security, but I always check
it anyway. There is a checkbox for usage of the JRE, which I turn off.
Also, under the Save options, there is a whole screen of checkboxes for
running Visual Basic apps, which I also turn off. In general, I don't
want ANY automation running in my documents.
>> pdf files,
>>
> Use a safe PDF reader, and you won't have that problem. (By "safe", I
> mean one where you can disable JavaScript code execution, or even
> better, one that doesn't do it at all. Only morons use JavaScript in
> PDF documents.)
>
>
Agreed. You can turn off JavaScript in Adobe's reader, which I do,
among a few other things on the Windows side of my fence. The document
viewer, which is the default reader in my version of Ubuntu doesn't have
any preferences related to JavaScript, so hopefully, it's not running.
>> flash content,
>>
> I have never seen Flash do anything nasty on Linux boxes, but then again
> I don't use a lot of Flash. Youtube, and one game on Facebook, really,
> and that's it.
>
>
>> and Java / Javascript exploits.
>>
> Insecure software will exist always and forever. Even more with the
> modern mentality that you don't have the learn the underlying concepts,
> that learning the programming language is enough. But, that is why
> distributions backport security fixes.
>
>
The main way I keep potential Flash / Java / JavaScript exploits at bay,
other than practicing safe computing, is to keep the Flash Player, Java,
and Firefox as up to date security-wise as possible. I understand from
prior discussions that Firefox may be up to date security-wise even
though it's version says 3.6.23 and Firefox's website says 7.0.1. I
must say, that's very confusing. Also, I don't know how to KNOW that it
has all the security updates and bug fixes that it would if it were
Firefox 7. The package manager seems to keep the flash player pretty up
to date. Java updates are a potential problem, for reasons I'll discuss
in another message. One other way I minimize potential problems is with
the NoScript Firefox plugin. No scripting of any kind or Flash
operations are allowed on any website unless I specifically approve.
Now, that's not failsafe, as humans aren't failsafe. However, I'm very
reluctant to turn that on unless I have some reason to trust the site.
>> All the security experts say patch your system frequently and keep all
>> your apps up to date.
>>
> Within certain limits, yes. Sounds to me like you're following this
> advice blindly, obsessively and to your own detriment of sanity. Your
> choice, but just remember that active distributions already use package
> managers so that they can push out security updates without you having
> to worry about it. It does mean more work for the distributor when they
> do not follow a rolling release model, but anyone can look at e.g.
> Debian to see how well they manage to do it.
>
>
>> So, I
>> have a particular interest in keeping Firefox, LibreOffice, Flash
>> player, Adobe Reader (Windows only in my case), and Java up to date.
>>
> "Up-to-date" isn't really want you want. Of course, you think you do,
> but that's not it. "Up-to-date" is about features, not about security.
> New feature releases are actually particularly dangerous from a safety
> and security standpoint. Believe it or not, newer isn't always better.
>
>
I see your point. I guess I would say that I want the system and
applications to remain as up to date as possible from a security and bug
fix point of view. I don't have to have the latest greatest bleeding
edge features.
> It will always be safer to accept security updates for a stable system
> than it will be to perform feature-release upgrades. Furthermore,
> anytime you step outside of the package manager, you are transferring
> the role of security manager for those packages away from the
> distribution (where people do that for you) to yourself, which means
> you're almost certainly going to screw it up. I know I would. I'm not
> going to go to all that trouble when I have better things to do with my
> computer, like spend my time *using* it to get work done. I don't want
> to micromanage my computer. In fact, that is one reason that I have
> been using Linux for so long. I hate the insane amount of
> micromanagement one must do for a Windows computer. I'd get far less
> work done if I had to use Windows on anything even remotely closely
> approaching a regular interval.
>
>
You have a point here as well. There are other reasons I use Windows.
Ease of maintenance isn't one of them. I, of course, prefer to be using
the computer rather than maintaining it as well. The package manager in
Linux does handle most of the updates for me, which is much easier than
Windows. My maintenance checklist also includes procedures for checking
and setting application options, particularly related security and
privacy. The Firefox preferences screen has 6 tabs I need to be
concerned with in initial setup, each with 6 or more settings to check,
in general. (Not all are security / privacy related.) Also, each
plugin added usually has a preferences screen. And, in the case of
Firefox, you have to check things on each login on each OS. I go back
and check them a few times a year for a couple of reasons. First, with
several computers, some of which have two OS's, and some of which have
multiple logins, it's easy to omit certain settings which I want to have
replicated among them all. Second, there have been times I've seen
settings change during upgrades or reinstalls. (Not so much with
Firefox, but with other things.) So, I check them periodically. I do
this with all applications which connect to the internet. These setup
procedures apply to either Windows or Linux. Also, my checklist include
preventive maintenance items, like backups, virus scans, disk checks,
ups tests, etc. These also apply to either Windows or Linux. So, while
I would readily admit that Linux is easier to maintain than Windows, I
would say that no computer is maintenance free, no matter what OS it's
running.
>> Before I brought up this topic, and before finding the Mozilla PPA, my
>> system was only updating LibreOffice to 3.3.2 (I think) and Firefox to
>> 3.26 (I think) and Java to 6.26.
>>
> What's that matter? Look at the distribution's release number. That
> will tell you how many patches (and where, if you're using Ubuntu) were
> backported. The upstream version number serves to identify the basis,
> but patches are made on top of those. Therefore, the source code isn't
> really the "pure" upstream source code (except in the case of Java,
> which they will update if they need to for security reasons).
>
>
Not quite following you there. My System Monitor program in Gnome says
I'm running Ubuntu 10.04. That's all it's ever said.
>> In some cases, that means the programs
>> are several months out of date.
>>
> So? That's really not the point. The basis will always be "out of
> date", that's the nature of a stable release structure. However,
> patches that are on top of it will be far more recent. Typically,
> security patches are backported from the upstream's trunk, master,
> mainline, or whatever else they call their development series in their
> particular version control system. Sometimes patches go the other way,
> originating at the distribution and being pushed upstream. Regardless
> of which way it goes, the result is the same: you do not have to worry
> about those things, particularly not on your desktop system.
>
> Relax. Breathe. It's not Windows.
>
>
So, what I think you're saying is; for all the applications included in
the distribution and in the package manager, as long as I run routine
updates, and as long as the distribution is supported, then the OS and
applications will be up to date with regard to bug fixes and security
patches, regardless of what the application version numbers are.
>> Personally, I don't like to be running
>> with things that old, particularly these things, even though I don't
>> always find the time to keep every thing updated every month.
>>
> I guess it's a good thing that Ubuntu manages that for you, and usually
> you can update in two minutes without even having to reboot.
>
>
>> That's
>> why I'm trying to find a solution to keep things more up to date. I'm
>> not quite ready to go through the hassle of upgrading to Ubuntu 11.10,
>> and even if I did, I wouldn't be on LTS any more.
>>
> Your whole thread is built on the premise that you don't want to be
> running an LTS, but then you're citing that as a downside if you
> updated. I fail to understand the logic.
>
> You either want long-term support and let the distribution manage the
> security updates (which come even if you don't see them coming), or you
> want bleeding edge. You sound like you want Gentoo, but then you say
> you want 3 years of stable desktop support and security updates.
> What'll it be?
>
> --- Mike
>
>
My most important desire is that the system be as secure and bug free as
it can be. I don't necessarily need bleeding edge features, as long as
the thing works. However, I don't want to be feature obsolete either.
I had a situation recently where my Pandora music service refused to
work properly. Tech support told me that I HAD to upgrade past Firefox
4 because the older versions were not supported. At the time, Synaptic
refused to update Firefox past version 3.6.23. I had to install a
Mozilla PPA in order to upgrade to Firefox 7 so things would work
again. I didn't really want to do that, because they changed the UI in
Firefox 7 substantially and some of my plugins wouldn't work. I've
worked around the UI issues and found some new plugins. But the point
is, that I had to do a feature upgrade to keep using the Pandora
service, and the package manager refused to help, without giving it an
attitude adjustment.
In terms of updating the OS off of the LTS, most people I've heard on
podcasts or talked to say do not "update" an OS but do a clean install.
Since Ubuntu is on a 6 month release cycle, I'd be reinstalling every 6
months if I wanted to stay up to date. Every time I install a computer
from scratch, I spend about a week installing things, configuring, and
tweaking to get it purring like a kitten just the way I want. Then, it
takes another 6 months for me to get all the little things I missed set
up the way I want and running smoothly. Those latter things, I usually
fix as I have time and encounter them not working. For example, on a
laptop I got months ago to replace another one who's display hinges
broke, I just the other day set up the swap file. I still don't have
the firewall auto starting the way I want. And, I don't think I have my
Evernote application running at all. These are non critical things, but
are nevertheless annoying that they're not working. So, I certainly
don't want to be doing a clean OS install every 6 months, since it takes
me 6 months to really get the machine running like a well oiled machine
(metaphorically of course). Now, if I could just "update" it every 6
months, and everything keeps working, and all my configuration settings
don't change, and I only reinstall every 3 years or so, that's a
different story. That, I would consider doing.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
More information about the Ale
mailing list