the "but muh security" argument is absolute horseshit 99% of the time. And the 1% that actually need it are going well beyond automatic updates to secure their systems.
If you look at the background radiation of the Internet of automated things just hitting services to probe for exploits, they are most commonly looking for exploits from bugs in older software.
There's a timing argument - that unless you're at risk of zero days (like you're the DOD) - that you probably don't need to upgrade immediately. But it seems unarguable to me that the longer you wait, the greater the risk from a security perspective.
As always, security is a trade off. Risk of breaking from an update has to be balanced against risk of exploit. I'd argue the latter is going up more quickly than the former.
How many actual zerodays are there per year that don't require you to ALSO be doing something dumb? It seems exceedingly rare. I understand the argument if you're talking about, like, a server running some CMS or whatever, sure that's gonna get pwned because it's a big target so it's worth going after. Your natted personal machine? You're fine unless you're running executables off random Russian sites (and even then you're probably fine if you're getting your shit from reputable shady sites)
good thing i disable IPv6 at home because it's an annoying pita and i run no machines with windows in the cloud, checkmate :P
on a more serious note though I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this, i suppose maybe wormable if you can natpunch through some p2p voip or gaming service, it's the sort of patch i would probably install if i were made aware of it (if i had ipv6 enabled), but being made aware of it doesn't like, leave me worried, and i don't consider it to be likely to affect me unpatched
NAT and IPv6...... you really should educate yourself about it. IPv6 is not "that" new... trust me (bro). You know, continuing to learn is a big part of life ;)
It's really not, I never upgrade anything and I haven't been pwned in like a decade. (Or maybe I have been pwned but not in a way that's affected me at all so you know, whatever)
While sibling comment is correct about the discussion I do have a few VPS I've had around for a while (<5 years with only password based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.
I suspect it's because I don't use many common software packages so the attack surface is small-ish.
What's difficult about managing keys? I use key login with termux and if anything it's easier because typing passwords (or anything) on a phone is tedious.
Agree in general that people wildly overestimate the risk of leaving things alone. e.g. nginx hasn't had a security advisory affecting basic HTTP 1.1 serving of static content without TLS in many years. And of course desktops are behind stateful firewalls.
For me a big appeal of having a "home" environment on a VPS is that I can just do useful things from any computer-like device; that's not really possible with keys. Rather than fucking around with keys I can just SSH in from wherever and roll the password when I'm done. High-entropy, non-shared passwords are just fine, you'll get your IP timed out after a couple of attempts, nobody is throwing a botnet at bruteforcing my pass.
I understand that auto updates aren't ideal, because they cause breakage (most of my systems don't auto update), but I don't get not updating your systems at all.
IANAL so I don't really know what I am talking about, but I am hoping for criminal liability as opposed to civil liability. For example, I am thinking that if I kill someone with no next of kin, I still have criminal liability even if nobody from the victim's family is there to sue me.
I didn't listen to the podcast but that list is only telling you if something is or is not carcinogenic, but not the magnitude of the effect, or if you should avoid it or not.
For example, a substance that for sure increases your odds of getting cancer by one in a million will be ranked at the highest level, while a substance that may increase your odds by 50% will just be "possibly carcinogenic". There are some carcinogens that are unavoidable, and in fact shouldn't be avoided, like sunlight.
It is a useful list, but when presented as a list of how bad things are, it is misleading.
It's worth listening, it's 53 minutes at 1x speed.
The main gist is that the list doesn't specify volume, and that the data is of low quality due to confounders. Also, conflicting studies.
Examples of things that will "probably" or "possibly" cause cancer:
Night shifts
Aloe vera
Talc
How many night shifts, and what is the risk increase? If you do 1 night shift will it double your chances of catching cancer, or will doing night shifts every day for 40 years increase your risk from 1 in 10 million to 1 in 9 million?
Why? Rspack supports webpack plugins even tho it's written in Rust. That's how you win at adoption.
If Biome supported plugins, the answer to the post title "What's coming next for ESLint" would be "slide to obsolescence".
Without it, ESLint is going to cling on in legacy codebases for a bit longer.
Yes, it's well known and established that cold climates have a negative effect on batteries. Of course if you're trying to get the best result you optimize the conditions. Just look at how most sports records and times are set with the best conditions available.