Greg K-H's talk "Non-technical issues in providing good security practices in an open-source project" at the Developing Secure Systems Summit makes a good point about updates / upgrades.
He points out that it's important to work to "make it trivial to upgrade" and that "Users will not take your security fix if you'll break their system". That's a GREAT point. Upgrade traumas have become very normalized, and the fear of updating leads to a lot of vulnerabilities in the real world, because users are rightly afraid to update and/or simply can't afford it. The Python 2->3 migration was slow and painful, as an example.
My thanks to @gregkh for pointing this issue out. Obviously this looks different in kernels, libraries, application software, and larger systems, but the overall point seems valid for everyone.
Perhaps we can add something like this in the future to work to make it trivial to upgrade, at least as something SUGGESTED. I'm sure it'll be hard to "properly capture" but it seems worthwhile. I haven't developed any specific text yet; this issue hopefully will capture a discussion eventually leading to it.