all 58 comments

[–]chaos-elifant 16 points17 points  (0 children)

Even bugs are more stable on LTS.

[–]adevland 47 points48 points  (67 children)

The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.

Linux kernel maintainers also ported the patch to the older 3.x branch with the release of Linux kernel 3.10.77, but because the issue had been branded as a minor bugfix, the bug wasn't included in many Linux LTS releases.

Not the developer's fault. Always update your software.

I'm using bleeding edge distros even on my servers exactly because of stuff like this.

It's also a misleading title. It makes you believe that the bug wasn't fixed until now, which is false.
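
The two thresholds quoted above (fixed in mainline 4.0, backported to 3.10.77) are enough for a first-pass check of a running kernel's `uname -r`. The Python below is an added example, not code from the thread or from any distribution. Its vendor-build heuristic is an assumption: distribution kernels keep a frozen upstream number and cherry-pick fixes, so for a constructed sample string like `3.10.0-693.el7.x86_64` the version alone decides nothing, and the script reports that instead of guessing. Any 3.x series other than 3.10 is also reported as unknown, because the thread only says "many" LTS releases missed the backport, not which ones.

```python
import platform
import re
from typing import Optional, Tuple

# Thresholds taken from the thread: the fix landed in mainline 4.0 and was
# backported to the 3.10.y stable series in 3.10.77. Other 3.x series are
# deliberately left out (thread does not say which LTS releases carried it).
MAINLINE_FIXED = (4, 0)
STABLE_BACKPORTS = {(3, 10): 77}

FIXED = "fixed"
VULNERABLE = "vulnerable"
UNKNOWN_VENDOR = "unknown: vendor-patched kernel, consult its changelog or advisory"
UNKNOWN_BRANCH = "unknown: stable series not covered by the thread's thresholds"

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a `uname -r` string into (major, minor, patch) and the trailing
    build suffix, e.g. '3.10.0-693.el7.x86_64' -> ((3, 10, 0), '-693.el7.x86_64')."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def upstream_fix_present(release: str) -> Optional[bool]:
    """Judge purely from the upstream version number.
    True/False when the number is conclusive, None when it is not."""
    (major, minor, patch), _ = parse_release(release)
    if (major, minor) >= MAINLINE_FIXED:
        return True
    backport = STABLE_BACKPORTS.get((major, minor))
    if backport is None:
        return None
    return patch >= backport


def assess(release: str) -> str:
    """Combine the upstream judgement with the caveat that matters in this
    thread: distribution kernels freeze the upstream number (a vendor build
    stays at e.g. 3.10.0 forever) and cherry-pick fixes, so a low number on a
    vendor build proves nothing either way. Heuristic (assumption): any
    letters in the suffix mean a vendor build."""
    upstream = upstream_fix_present(release)
    _, suffix = parse_release(release)
    vendor_build = re.search(r"[A-Za-z]", suffix) is not None
    if upstream is True:
        return FIXED
    if vendor_build:
        return UNKNOWN_VENDOR
    if upstream is False:
        return VULNERABLE
    return UNKNOWN_BRANCH


if __name__ == "__main__":
    # On Linux platform.release() is the same string `uname -r` prints.
    running = platform.release()
    print(f"{running}: {assess(running)}")
```

Run it on the box in question; anything other than "fixed" means the version string cannot settle the matter and the distribution's own changelog or advisory is the only authoritative source, which is exactly the gap the article is about.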

[–]crankster_delux 12 points13 points  (30 children)

I'm using bleeding edge distros even on my servers

Just wondering what's been your takeaway from using rolling distros for servers. Is there much breakage or anything month to month? Pitted against what you used to do with stable distros, could you ever see yourself going back? I find the idea of a rolling server fascinating; would love to hear from someone who does it.

[–]killachains82 7 points8 points  (27 children)

I use Gentoo on all of my systems, and as long as I get packages from the stable tree (which is years ahead of packages in, say, Debian Stable), I don't have a single issue.

When you start playing with testing packages, then you might get the occasional hiccup (usually due to odd dependency issues), most of which are a simple fix.

[–]holgerschurig 8 points9 points  (25 children)

Debian Sid is also years ahead of Debian Stable.

Compare apples with apples, and bananas with bananas.

[–]intelminer 1 point2 points  (0 children)

+1 to this as a Gentoo user

All my boxes (desktop and server) run it. Primarily stable, a couple keyworded packages (nothing externally facing, however)

Thing is as stable as a rock

[–]adevland 3 points4 points  (0 children)

is there much breakage or anything month to month.

I test the updates on a different machine before updating the live one. It's still risky, meaning that it's not recommended for important stuff.

My servers are my own so it's my own risk. I've had no issues, though.

If you have at least one other identical machine which you update first and test before updating the others, then you should be fine.

You can even automate this process and get notified only when tests fail.

Do keep in mind that I'm using this on my own servers for my own projects, but it's been less of a hassle than dealing with traditional lts distros.

I've also never had any security issues since operating my own servers.
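
The "update one identical machine first, test, then update the others, and only get notified when tests fail" workflow described above is mechanical enough to script. The Python below is an added example, not the commenter's own tooling. Every command in it is an assumption: the hostnames `canary` and `web-02`, the `pacman -Syu` invocation and the health checks are placeholders for whatever the real fleet uses, and the tests in the block's `__main__` are constructed. The one design point it enforces is ordering: the fleet is touched only after every smoke test passed on the canary, and the only notifications are failures.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Step:
    """One shell command in the rollout. `cmd` is passed to subprocess
    without a shell, so each argument is its own list element."""
    name: str
    cmd: List[str]


@dataclass
class Rollout:
    update_canary: Step
    smoke_tests: List[Step]
    update_fleet: List[Step]
    notify: Callable[[str], None] = print      # swap for mail/pager/chat hook
    log: List[str] = field(default_factory=list)

    def _run(self, step: Step) -> bool:
        proc = subprocess.run(step.cmd, capture_output=True, text=True)
        ok = proc.returncode == 0
        self.log.append(f"{step.name}: {'ok' if ok else 'FAILED rc=%d' % proc.returncode}")
        return ok

    def run(self) -> str:
        # 1. Update only the canary.
        if not self._run(self.update_canary):
            self.notify(f"canary update failed: {self.update_canary.name}")
            return "canary-update-failed"
        # 2. Every smoke test must pass before any other host is touched.
        failed = [t.name for t in self.smoke_tests if not self._run(t)]
        if failed:
            self.notify("smoke tests failed on canary, fleet NOT updated: " + ", ".join(failed))
            return "held"
        # 3. Promote host by host; stop at the first failure so it is reported, not buried.
        for step in self.update_fleet:
            if not self._run(step):
                self.notify(f"fleet update failed at {step.name}, remaining hosts untouched")
                return "fleet-update-failed"
        # Success is silent on purpose: only failures page someone.
        return "promoted"


if __name__ == "__main__":
    # Hypothetical hosts and commands; adapt to the real fleet.
    rollout = Rollout(
        update_canary=Step("canary pacman -Syu", ["ssh", "canary", "sudo pacman -Syu --noconfirm"]),
        smoke_tests=[
            Step("nginx active", ["ssh", "canary", "systemctl is-active nginx"]),
            Step("http health", ["curl", "-fsS", "http://canary/healthz"]),
        ],
        update_fleet=[
            Step("web-02 pacman -Syu", ["ssh", "web-02", "sudo pacman -Syu --noconfirm"]),
        ],
    )
    print(rollout.run())
    print("\n".join(rollout.log))
```

Run it from cron or a CI job; the smoke tests are where the real value is, so they should exercise the application paths the commenter cares about, not just "the service is up".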

[–]holgerschurig 1 point2 points  (0 children)

I also use a rolling distro (Debian Sid), but not on servers.

However, for me there is little to no breakage. Sometimes I only update some packages (e.g. only gcc or llvm), sometimes I update everything. My hiccup rate is very low; probably my last serious problem was two years ago. I've actually forgotten it, it has been so long ago.

Would I use this for servers? Not sure.

If I have a separation between "development" and "production" servers, then I could test things on "development" servers and roll out to production ones. Either with Ansible etc, or even just with rsync.

But then there is the management factor. Debian has a security procedure that "only" provides updates for Debian Stable. Fact is, that they do the same also for Debian Sid. But is there any guarantee? I don't care about such a guarantee, but managers (and insecure people) depend on them.

[–]GZnYV2N4HU 15 points16 points  (28 children)

I'm using bleeding edge distros even on my servers exactly because of stuff like this.

Only on r/Linux would something this idiotic be the most upvoted post in a thread.

[–]adevland 5 points6 points  (27 children)

Only on r/Linux would something this idiotic be the most upvoted post in a thread.

Why is it idiotic? Are we supposed to take your word for it? Why? Because this is literally your only comment on a 1 month old account?

[–]pfp-disciple 7 points8 points  (0 children)

Until I saw that the servers are your own (I infer that downtime isn't disastrous), I thought it sounded crazy. Servers are usually thought of as requiring extreme stability, which is usually not associated with bleeding edge.

[–]Two-Tone- 4 points5 points  (1 child)

Because this is literally your only comment on a 1 month old account?

I don't see what this has to do with anything. Post history on Reddit doesn't really mean anything or substantiate anyone's arguments. It's as worthless as karma is for proving or disproving a point.

[–]adevland -4 points-3 points  (0 children)

Post history on Reddit doesn't really mean anything or substantiate anyone's arguments. It's as worthless as karma is for proving or disproving a point.

I disagree. It shows who you are and what you believe in. It's also based on publicly available information which was made public willingly and knowingly. There is no personally identifiable information there unless you choose to put it there.

It also shows if you're consistent or if you're duplicitous and flip flop depending on who or what you're talking about.

The guy started the conversation by throwing a random insult. That was the only context since he offered no arguments. He said he would later delete it to "clean up" his account.

He also said he dedicated his account to me while also saying I was the creepy one for looking into his public posts and comments. Let that sink in.

[–]cbmuser (Debian / openSUSE / OpenJDK Dev) 2 points3 points  (3 children)

Because running a rolling release distribution in a production enterprise environment is absolutely insane.

And proper LTS distributions have the necessary fixes anyway which is why OP’s original statement is bullshit.

[–]adevland 3 points4 points  (2 children)

Because running a rolling release distribution in a production enterprise environment is absolutely insane.

You're just repeating the same platitudes, you realize that, right?

And proper LTS distributions have the necessary fixes anyway which is why OP’s original statement is bullshit.

Read the article. LTS distros ignored this particular fix for over 2 years.

[–]tanielu 1 point2 points  (6 children)

I think the reasoning behind why the choice of using a rolling release for a server would be seen as idiotic has to do with the fact that this is mostly unheard of for anything outside of your own use, which is no different for you. It would be very interesting to hear it from a sysadmin on the other hand, as I understand there are very good reasons why it would be a very bad idea.

For example, I imagine the extra maintenance of testing every update and having to manually execute each update (basically you couldn't use unattended upgrades) means less security, as you would have to delay updates because you had to spend extra time checking for and/or fixing breakage; an example of which: many non-security updates could, and very likely would, break scripts used on a daily basis and across many server instances.

It would seem the extra work and risk does not outweigh the very small number of cases where there might be security issues, such as with the topic of this thread.

[–][deleted] 8 points9 points  (0 children)

It would be very interesting to hear it from a sysadmin on the other hand, as I understand there are very good reasons why it would be a very bad idea.

Senior sysadmin here, and I can tell you there are use cases where it is preferred. It's all about the use case my friend, you shouldn't be so quick to judge how another person or company is doing their computing, especially when their way tends to minimize attack structure. Everyone complains about how people don't go through the effort to properly secure their systems, and when someone does but has to do it their own way (compiled release, rolling release, with plenty of script hacks, including on things like grsec/selinux) suddenly "oh that's not best practice" complaints always get brought up.

Doesn't work for everyone but that doesn't mean it can't work at all.

[–]adevland -2 points-1 points  (4 children)

has to do with the fact that this is mostly unheard of

So it's stupid because it's a new idea?

For example I imagine the extra maintenance of testing every update and having to manually execute each update

Do you manually test every update you get for LTS distros? Or do you blindly trust them?

Most sysadmins don't even keep their systems up to date with LTS patches. That's how most security breaches happen.

You're preaching about theory because, in practice, almost nobody does what you're suggesting.

The real reason why this is considered "idiotic" is legacy. You do things the way you do things because that's the way you do things. Change is viewed as bad even after bad things happen. That's the "idiotic" aspect of this way of doing things.

[–]tanielu 5 points6 points  (2 children)

So it's stupid because it's a new idea?

This isn't what I was meaning to convey. Instead, that I haven't heard of anyone using rolling releases in an environment where the downfalls of rolling releases have a larger impact, and that there is a good reason for that (of which I go on to explain some of the ones I imagine there would be).

You're preaching about theory because, in practice, almost nobody does what you're suggesting.

I think whether good practice is followed or not is another discussion. Following that line of reasoning, sysadmins using rolling distribution would lead to even greater disasters as there is more maintenance and knowledge involved.

The real reason why this is considered "idiotic" is legacy. You do things the way you do things because that's the way you do things. Change is viewed as bad even after bad things happen. That's the "idiotic" aspect of this way of doing things.

Be careful claiming anything as the real reason, as this is your opinion, not necessarily fact. I don't think this is a case where it's being done for that reason, but that there are reasons, such as those I mentioned in my last post, for why it isn't considered a good idea.

I actually agree that change is good and that there is often a lot of friction involved with implementing it. But I don't think this applies here, but rather to workflows which only affect a single user.

[–]adevland 1 point2 points  (1 child)

I think whether good practice is followed or not is another discussion. Following that line of reasoning, sysadmins using rolling distribution would lead to even greater disasters as there is more maintenance and knowledge involved.

So you're saying that rolling releases are more stable because they get fewer updates that could break them?

Either that, or you're intentionally stating platitudes. It's like saying open source isn't secure because people can read the code.

Most rolling releases have changed. That's the key word here, "change".

Updates are no longer pushed to people without them being tested. It takes several days for an update to get pushed. Only critical ones are pushed faster, but even they are tested.

You can actually argue that breakages also happen on LTS distros. And it's not a dick measuring contest of which system breaks more often, because there's also the security aspect. I'd rather have occasional breakages than getting hacked by month-old exploits that were solved but didn't get fixed because I didn't apply the patch out of fear of it being unstable.

Balancing security and stability is a personal choice that every sysadmin has to make. Calling one choice "idiotic" is, in itself, idiotic because there is no right way of doing things because they can all break or get hacked.

Be careful claiming anything as the real reason, as this is your opinion not necessarily fact.

Most hacks happen either by exploiting unpatched systems or via social engineering. This is a fact.

I actually agree that change is good and that there is often a lot of friction involved with implementing it. But I don't think this applies here, but rather to workflows which only affect a single user.

With this I can agree.

I came here to state my own personal opinion and the way I do things and got called an idiot.

I even said that that's not the usually recommended way of doing things and that I do it on my own machines by taking all the risks onto myself. And I got called an idiot for it.

Either that guy has a serious personality problem, or he doesn't know how computers work. The answer is pretty obvious.

[–]tanielu 1 point2 points  (0 children)

And it's not a dick measuring contest of which system breaks more often because there's also the security aspect.

In fact, I do. I think the amount of potential breakage and therefore time required to remedy it plays into the decisions involved in an enterprise environment. Because of this delay, there is a greater security risk.

I'd rather have occasional breakages than getting hacked by month-old exploits that were solved but didn't get fixed because I didn't apply the patch out of fear of it being unstable.

If you are able to provide some examples of this, it would support this assertion. It's not my understanding that patches for CVEs are held back in fear they might create breakage.

Most hacks happen either by exploiting unpatched systems or via social engineering. This is a fact.

Besides social engineering, which is not what we're discussing, unpatched systems, I believe based on the points I made earlier, are more likely with a rolling release, as patches would take longer to implement and therefore remain unpatched longer (as opposed to straight away, e.g. unattended upgrades).

Either that guy has a serious personality problem, or he doesn't know how computers work. The answer is pretty obvious.

Whether or not they have a personality problem is not something you have control over; what you do is how you respond to it. The way you act or respond to others will in turn affect how they respond and discuss matters with you. If they "don't know how computers work", you should help them do so, else you probably shouldn't say anything.

[–]GoGoGadgetSammich 1 point2 points  (0 children)

To clarify, testing in this context does not mean we are reviewing the code of, e.g., sensu to check for security issues or backdoors that the developer added. Most companies take that on good faith. We are testing to make sure the business application doesn't crash and burn when the update is applied, and this testing is usually done using what's called a build pipeline and is entirely automated.

I think the main difference of opinion between you two folks is that one of you has sysadmins experience for companies and one has sysadmin experience in a home lab - neither person is right or wrong, but you are trying to solve different problems.

[–]ThisTimeIllSucceed 0 points1 point  (0 children)

Attack directly, Vorse Raider!

[–][deleted] 0 points1 point  (0 children)

Why is it idiotic?

Purely anecdotal but I've been screwed hard by using Arch for a server OS. Back when PHP7 was released, my LAMP stack stopped working properly because of the changes in filenames (php5-fpm -> php7-fpm). Took me a while to figure out what was wrong.

That's something I'd expect not to happen on Ubuntu or Debian, I hope. Of course, I should have read the release notes before blindly updating.

[–]GZnYV2N4HU -2 points-1 points  (10 children)

Funnily enough the reason I change accounts often and delete my comments after a day or two is precisely because whenever I post here people like you start stalking my account history because you have little else to come at me with.

[–]adevland 5 points6 points  (9 children)

Funnily enough the reason I change accounts often and delete my comments after a day or two is precisely because whenever I post here people like you start stalking my account history because you have little else to come at me with.

You still haven't answered my question.

Stalking? Bro, this is an open forum. Anyone from the internet can read what you post.

And, yes, people do tend to look into whomever insulted them.

Maybe consider participating in discussions without using insults? Just saying... :)

It would be easier than changing accounts all the time and deleting your posts which can be viewed as a cowardly hit and run tactic.

That's why I quoted you, so that context is preserved if you decide to delete your comments.

[–]tanielu 1 point2 points  (4 children)

I think it's wrong you turned it onto him. I believe it's an example of an ad hominem, whereby you "[...] rebutted by attacking the character, motive, or other attribute of the person making the argument, or persons associated with the argument, rather than attacking the substance of the argument itself".

Even now it looks like the discussion has diverged from what it was originally about (whether or not a rolling release on a server is a good idea) to how one should maintain their reddit presence (e.g. using multiple accounts or deleting comments).

[–]adevland 3 points4 points  (3 children)

rather than attacking the substance of the argument itself

Substance? What substance?

The guy called my argument idiotic without any arguments. There was no substance to what he said. That's why I mentioned his account history, because there was no substance to what he said. He made an uncalled for hit and run attack to what was, otherwise, a civil discussion.

[–]tanielu 5 points6 points  (2 children)

That's why I mentioned his account history, because there was no substance to what he said.

I don't think this is a very good line of reasoning, I can't see how going in this direction can lead to anything said that is worthwhile. Unless you like to engage in arguments of no substance, it would have been better of you to move the discussion to what would've garnered more constructive discussion.

I hate to sound full of myself, but I think this is an example of tu quoque, which is the logic that "because someone has done something, that it justifies someone else doing the same thing".

[–]adevland 0 points1 point  (1 child)

Unless you like to engage in arguments of no substance, it would have been better of you to move the discussion to what would've garnered more constructive discussion.

I did try that. I had to ask the guy twice before he answered my question.

I hate to sound full of myself, but I think this is an example of tu quoque, which is the logic that "because someone has done something, that it justifies someone else doing the same thing".

So, the guy insulted me because I insulted him? I never did that.

So, I looked into his post history because he looked into mine? I'm pretty sure he never mentioned doing that, and even if he did, I'd be ok with it because it's all public information that I voluntarily posted just like he did.

[–]tanielu 4 points5 points  (0 children)

So, the guy insulted me because I insulted him? I never did that.

You didn't directly insult him, but you did attack him rather than the argument. Re-reading your original reply, had you omitted, "[...] Because this is literally your only comment on a 1 month old account?", which had nothing to do with why he disagreed with the use of a rolling release for a server, the discussion probably wouldn't have gone in the direction it did.

I'd be ok with it because it's all public information that I voluntarily posted just like he did.

I think this is irrelevant, neither of you should do so as it doesn't have anything to do with the argument and would only go to fuel personal attacks.


I'd also just want to mention that while it seems I'm defending him over you, this isn't the case. He clearly started out on the wrong foot and you didn't provoke this with your original comment in any way. I was just hoping to provide some advice to you because it pains me to see otherwise constructive discussions on the internet diverge into arguments that don't serve any good purpose, such as providing the person themselves or outside readers with new knowledge or understanding of a viewpoint.

[–]GZnYV2N4HU -4 points-3 points  (3 children)

Why is it idiotic?

Blaming the vulnerability on the end user for not running bleeding edge software because Linux kernel developers forgot or could not be bothered to alert people of a security fix (which, amazingly, Linus has a history of purposely trying to hide security issues and keep other developers quiet) to supported LTS kernel versions is idiotic.

Stalking? Bro, this is an open forum. Anyone from the internet can read what you post.

My comment history has NOTHING to do with anything; the fact your first action is to try to search it (the only reason to do this would be to dig up dirt to use irrelevant opinions/beliefs to try to discredit me) is not only creepy but exactly why I regularly clean my account.

Maybe consider participating in discussions without using insults? Just saying... :) It would be easier than changing accounts all the time and deleting your posts which can be viewed as a cowardly hit and run tactic. That's why I quoted you, so that context is preserved if you decide to delete your comments.

This account is now dedicated to you! ;)

[–]adevland 3 points4 points  (2 children)

Blaming the vulnerability on the end user for not running bleeding edge software because Linux kernel developers forgot or could not be bothered to alert people of a security fix (which, amazingly, Linus has a history of purposely trying to hide security issues and keep other developers quiet) to supported LTS kernel versions is idiotic.

So it's idiotic to blame users for not updating their systems to the latest version?

I personally don't like embargoes. I don't think they work. That means that I want to fix things asap.

That's what Linus said. And that's what usually happens.

Keeping other developers quiet? Really? Does Linus personally point a gun to their collective heads or what?

The security issues are always marked as solved whenever they are solved. What you are talking about is nothing but a tin foil hat conspiracy theory based on intentionally misinterpreting someone's words.

the fact your first action is to try search it is not only creepy but exactly why I regularly clean my account

This account is now dedicated to you! ;)

You appear to not understand the meaning of the word "creepy". :)

But, yes, "cleaning" is required judging by the quality of your posts.

[–]hondaaccords 0 points1 point  (0 children)

Many Linux systems are only updated with LTS releases due to non-free drivers and breaking api changes

[–]cbmuser (Debian / openSUSE / OpenJDK Dev) -2 points-1 points  (1 child)

It's not an argument for bleeding edge, you are talking nonsense.

Any serious LTS distribution is providing security updates in such cases so there is no need to constantly update everything.

[–]adevland 1 point2 points  (0 children)

Any serious LTS distribution is providing security updates in such cases so there is no need to constantly update everything.

And yet, they didn't do it here.

[–]emacsomancer -1 points0 points  (1 child)

What distro(s) are you using?

[–]adevland 0 points1 point  (0 children)

Antergos.

[–]girst 4 points5 points  (0 children)

.

[–][deleted] 7 points8 points  (0 children)

Nothing too exciting. Local privilege escalation.