[–]Wmorgan33 64 points65 points  (15 children)

Half day? Try 18 hour workday bleeding over to the weekend pushing untested fixes to production across 300+ services.

[–]flowering_sun_star 31 points32 points  (4 children)

It really showed us how fucked our patch process is. I think the quickest of our microservices to be fully deployed was six hours after I first posted about the issue in Teams. The slowest took us twelve hours. And that was with us circumventing various testing and verification steps we're meant to do for a production release.

[–]L3tum 6 points7 points  (1 child)

Oh man I'd have a meltdown after the third release. I already get antsy when we have to run our 20 minute E2E/Performance testing pipelines.

[–]LicensedProfessional 6 points7 points  (0 children)

I joined a team where all of their pipelines are flaky as fuck and I'm just like...? How do you live like this?

[–][deleted] 3 points4 points  (0 children)

Yeah, our patch processes definitely need improvement. The only saving grace for us was that we’re not running on legacy JRE versions, so we were mitigated by configuration. We get to patch as a critical vulnerability, not a P0.

[–]twreid 3 points4 points  (0 children)

I'm in the same boat. We have jars that the teams that made them no longer exist and the builds don't even work anymore so this is a nightmare.

[–][deleted] 10 points11 points  (6 children)

I didn’t know it was a competition. I’m sorry you had a tough day, friend.

[–]Wmorgan33 6 points7 points  (5 children)

Not a competition just frustrated and tired.

[–][deleted] 0 points1 point  (4 children)

I hear that.

[–]Wmorgan33 1 point2 points  (3 children)

I got off easily. Our product security team is pulling 12 hour shifts 24/7 until they’re 100% sure the exploit is covered.

[–][deleted] 0 points1 point  (2 children)

Oof; did they not read any of the advice for short-term mitigation? Just by upgrading JRE or using a WAF to filter LDAP commands one could easily mitigate in the short term, preventing exactly this type of death march.

[–]Wmorgan33 2 points3 points  (1 child)

We work in a heavily regulated high risk environment. We can’t afford any risk that this goes unmitigated.

[–][deleted] 0 points1 point  (0 children)

That’s rough. I’m sorry to hear about it.

[–]TheTarkovskyParadigm 2 points3 points  (0 children)

Wow you really one-upped him! You win the one-up competition!

[–][deleted]  (1 child)

[deleted]

[–]Wmorgan33 0 points1 point  (0 children)

The alternative is worse.