• rtxn@lemmy.worldEnglish
    1·
    4 hours ago

    NO REAL-WORLD USE FOUND for staying more than ONE VERSION behind

    Joke’s on you, my servers are largely unaffected by regreSSHion because they’re too outdated.

    • OsrsNeedsF2P@lemmy.ml
      2·
      16 hours ago

      As someone who loves the old designs (I’ve run Chicago95 for years now), the only thing stopping me from running CDE is it lacks first-class support from any distro I’ve used

  • germanatlas@lemmy.blahaj.zone
    816·
    2 days ago

    no real-world use found for staying more than one version behind

    The ssh vulnerability didn’t affect Debian because the packages were too many versions behind

    • bisby@lemmy.worldEnglish
      18·
      2 days ago

      Except this isn’t true at all.

      https://security-tracker.debian.org/tracker/CVE-2024-6387

      Regresshion impacted bookworm and trixie both. Buster was too old.

      With the downside of me doing an apt update and seeing that openssh-server was on 1:9.2p1-2+deb12u3 and I had no idea at a glance if this included the fix or not (qualys’s page states version 8.5p1-9.8p1 were vulnerable).

      If you are running debian bookworm or trixie, you absolutely should update your openssh-server package.

    • azvasKvklenko@sh.itjust.worksEnglish
      41·
      2 days ago

      AFAIK, the xz vulnerability was designed for Debian based on its workaround fixing systemd service status detection. Even if it shipped to something like Arch, the malicious code wouldn’t load.

  • marduk@lemmy.sdf.org
    261·
    2 days ago

    The “install lib-blah-blah-blah” bit doesn’t bother me 'cause whenever I need to make something work, I just copy and paste the “sudo apt install …” commands straight from the internet :)

  • lemmyvore@feddit.nlEnglish
    122·
    2 days ago

    I would uninstall the screensaver so fast if I saw a nag screen. Wtf it’s a screensaver, what does it matter? I’ll use a version that’s 50 years old if I want to.

    • bisby@lemmy.worldEnglish
      20·
      2 days ago

      Because the dev gets a huge number of bug reports for bugs that were resolved 5 versions ago.

      They actually asked debian to stop shipping the screensaver, because they were getting tired of saying “this is already fixed, debian is just not going to ship the fix for another year”. Debian didn’t want to stop, so the dev added the nag screen, because it was the only way to stop the flood of bug reports for things that were already fixed.

        • Malfeasant@lemmy.world
          2·
          14 hours ago

          Lololololololol. No, they do not. I support a product that gets updated roughly quarterly, and the number of times people complain about their vulnerability scanner finding something when they’re on a 4 year old version is too damn high.

        • OsrsNeedsF2P@lemmy.ml
          1·
          16 hours ago

          Lots of people simply don’t know.

          Source: I filed bug reports to Fcitx when I first installed Debian, because I didn’t realize Debian shipped packages from the before the stone ages

        • bisby@lemmy.worldEnglish
          8·
          2 days ago

          Should they? Yes. They should also be searching for previous bug reports. I’m sure a lot of people do. But if you have enough users, even if 1% of people don’t use good reporting behaviors, you wind up with a lot of duplicate or bad reports.

          There are plenty of blog posts out there that basically can be summarized as talking about how grueling open source work can be because users are often aggressive in their demands.

          But this is a prime example of debian “stable” doesn’t mean “no crashes” but instead it means “unchanging, which means any bugs and crashes will remain for the whole release”

  • Engywuck@lemm.ee
    2921·
    2 days ago

    I know this is just a meme, but the “Stop using xxx!” posts are really annoying.