I'm... not actually seeing another thread about this... am I? No, it's the old one necrobumped. And how does that make it any better again...? That's it, I forgot: it does not.
First and foremost, allow me to check if I got it straight:
- It all started by installing FreeBSD 11.0
- Something required libpng16.so
- That "something" was built from ports and, at first, worked with libpng16, no issues noted
- Since it is "impossible" to perform updates in the "real" world (where "real" people pay "real" money to get "real" work done instead of being promised wonders that suddenly turn into a charming voice on the phone, deeply apologizing for an "uncalled-for matter" that is "sure to be solved soon" - as long as you don't argue about when, exactly, that "soon" is meant to be, of course), nothing was changed - including whatever was built and needs libpng16.so
- Then one day, suddenly, that thing stopped working, allegedly because another lib got outdated.
- That is, since no updates are done, nothing has ever changed, yet something got broken
Is this correct? If not, allow me to present a slightly alternative scenario:
- For the first two statements, it remains the same as previously stated
- At the third step, however, I got it wrong and libpng16 was never needed
- It goes the same until the "one day" when everything went upside down
- On this day, however, instead of libpng16 unexpectedly starting to complain, the application built before is what changed, for whatever reason it might be, thus requiring a .so which was either absent or, when obtained, required something that was lacking, since it belongs to updated versions - and updating, as previously stated by more than one person, is "impossible to be done without my boss barking at me".
Is this it? Somehow, I still get the feeling of having overlooked something. Let's have another try, shall we?
- Once again, the beginning is pretty much the same
- However, now I think I noticed what point I had missed: not every update is impossible. Some of them are, that is.
- Therefore, some pieces of the box were kept whereas others remained "stable" (you are saying that, not me)
- Since the thing-to-be-run was later implied to have been built from ports at the very beginning, either it was rebuilt against other libs and versions or, alternatively, no port rebuild took place but libpng16.so, unfortunately, was on the "not-impossible-to-update" list, and its upgraded version is what had a requirement missing. And this requirement, tragic as it is, was not on the "not-impossible-to-update" list.
OK, now I'm more or less satisfied. Thus, without further ado, let's proceed to the main part. What, exactly, does all of this mean?
For starters, why should some updates be possible whereas others would get you barked at? Here in my utter ignorance I could swear the process is just the same in cohesion and logic, of course. Unless one's not concerned about these matters, but why would someone like this work in this business anyway? My secretary could update Windows - anyone is able to click "OK", right? I'd rather think a real professional, responsible for things like "production systems", is either concerned about system management, such as, let's say, libs and linking, or has some colleague at work taking care of this part.
However, Rosie Bunny Linux does it magically. It updates what I need, doesn't update what I don't need, and whenever the possibility of a conflict arises, its package manager quickly delivers the right version of whatever it is.
Well, that poses a problem to what I just said. For there are ways of doing business without keeping track of that complicated stuff. Who cares about science or engineering? Rosie Bunny would do it without my paying wages to one of those know-it-all jackass types! On second thought, the ones developing Rosie Bunny Linux also have a product named Rosie Bunny Enterprise Linux. I'd better keep my distance from that one, for otherwise I would not only be paying the wages of know-it-all types, but they wouldn't even actually work for me in the truest sense. However, it's quite safe to rely on their support 99% of the time, right? As for the one percent remaining, let's pretend I never made a fuss to my clients regarding the "perils of updating". After all, Rosie Bunny Enterprise is there both to take the blame and to keep those things to a minimum - a minimum that would probably remain unknown to whoever hires me though, and that perhaps could have been avoided or reduced by a single know-it-all, but working here at my place, focused on my business, and able to update my system. Better yet, I could learn to do it myself! Yes, that's better. Let's, then, forget about the "Enterprised" thing and be reminded of CentOS, that is, the Rosie Bunny Enterprise-based Linux - which is free of charge!
Not only free of charge! They care for security and for keeping things running! With as little as a bit of effort on setup, I could have 20 years of updating just the essentials, never ever risking any danger of this nature or of others, whatever they might be!
Well, whoever thinks even nearly what I just said has an odd sense of hardship, for I strive to remember something as tiresome as dealing with Anaconda, yet have no problems with either BSDs (this one here and Open, at least) or Solaris (11.3).
SirDice already mentioned how limited manpower would affect the issue. And as to why that would be, I can only guess. But it's not so hard to imagine how much better a limited number of people can do a focused, more centered job, compared to spending hours figuring out how that vuln found last week in version X.Y of libfoo could be patched whilst keeping it working as well as ever when put to work. Working together with a thousand other pieces, of course - each and every one of them just as prone to vulns and such, to make things worse. Therefore, I can understand why their effort is to deliver the best they can - at the cost, small in my opinion, of restarting from scratch some parts that went wrong. And that, of course, would require the rest to be aware of whatever it comes to be, now. That it's fixed. That it's better. Even if my build from last spring stops working because it fell behind the schedule.
Yet, I can't help but find this argument just the tip of the thing as it really is. I won't judge anyone here or there for messing around with, say, "hacking". I'm about to graduate in CS and have interests in many topics related to it, but the very field I chose to do my work and research in is somewhat far from sec. I do work with algorithm analysis and development, computational complexity and other formal stuff like spec and verification. Then again, the basics of many things are surely taught along the path. Be it while studying computer networks, operating systems (for both of these I'd owe looots of time sleeping over Tanenbaum's works), or the very specific classes on the topic of security itself. Regardless. I'm no hacker, have no interest in being one, nor am I worthy of particular note and interest. But I do know people, and these know people too. Friends, friends of friends, friends of friends of friends, and so on. Also I do know IRC and spend some time chatting there, as well as on nearly forgotten protocols such as DC. And let's just leave the Onion outside this conversation, for it's already longer than I'd like it to be. Back to what is relevant, I had a disagreement at the beginning of this year, memory failing to recall when exactly, but pretty sure it was before March. This little incident led me to stop meeting a certain group of people online, whose hobbies were a bit controversial or unethical in a sense, ranging from website defacing to exploiting any machine they found vulnerable and able to be exploited. Even if doing so merely for the joy of saying they'd done so. Actually, it was one of them who introduced me to FreeBSD, of which I was totally oblivious thus far. For a couple of years or so I spent some time in their space, discussing lots of stuff, exchanging useful knowledge (about programming, for example), and eventually, reading about their "deeds".
And when access was somehow obtained, before they proceeded to "deface" or whatever they aimed at, they used to paste in the channel the output of
$ uname -a
I won't answer how many of these had the word "CentOS" in the output string. After all, I took my time and wrote all this so that some people stop and think. Think about that stuff about stuff made five years ago being safe because it does not break and CentOS "promised you so". Sure they did, I guess. I promise you I can fly too. Just like Superman. And just as I have some magical stone for sale. The likes of charcoal, but everlasting. A single piece would keep burning for more than 50 years without the slightest sign of degrading. But you surely understand how rare this is, right? So, if by any chance I sell what looks like just charcoal and it lasts just as long, don't blame me. Blame your bad luck, for 99% of my stuff is really magical, but with you something uncalled-for is sure to have happened, and my staff is working 24/7 to make sure your pile of ashes gets back to being a burning stone soon. When? Just soon...
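The failure mode the post walks through (a program built from ports that stops starting because a shared library it was linked against, such as libpng16.so, was replaced or removed by a partial upgrade) can be checked for directly with ldd(1) before anything breaks in production. The script below is an added example and is not from the post or anyone in the thread; the sample ldd output it carries is constructed, and /usr/local/bin as the directory to scan is only a suggestion.

```shell
#!/bin/sh
# Added example (not from the original post): find ELF binaries whose shared-library
# dependencies no longer resolve, i.e. the "stale .so after a partial update" case.
# Needs only POSIX sh, awk and ldd(1); works on FreeBSD and glibc-based Linux, whose
# ldd both print "not found" for an unresolvable dependency.

# Read ldd(1)-style output on stdin and print each unresolved soname, one per line.
# A dependency line looks like "\tlibpng16.so.16 => not found" on glibc and
# "\tlibpng16.so.16 => not found (0)" on FreeBSD; the first field is the soname.
unresolved_from_ldd() {
    awk '/=> *not found/ { print $1 }'
}

# Run ldd on one file and report every unresolved dependency on stdout.
# Exit status: 0 = everything resolves, 1 = at least one library missing,
# 2 = ldd could not handle the file (script, static binary, not ELF, ...).
check_binary() {
    f=$1
    out=$(ldd "$f" 2>/dev/null) || return 2
    missing=$(printf '%s\n' "$out" | unresolved_from_ldd)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | while read -r lib; do
        printf '%s: %s not found\n' "$f" "$lib"
    done
    return 1
}

# Walk a directory of executables (e.g. /usr/local/bin, where ports install) and
# report every binary with an unresolved dependency, then a one-line summary.
scan_dir() {
    find "$1" -type f -perm -100 2>/dev/null | {
        broken=0
        while read -r f; do
            if check_binary "$f"; then :; elif [ $? -eq 1 ]; then
                broken=$((broken + 1))
            fi
        done
        echo "$broken broken binaries under $1"
    }
}

# Constructed sample ldd output (not captured from a real system): what a
# port-built program looks like once the libpng16 it was linked against is gone.
SAMPLE_LDD='/usr/local/bin/foo:
	libpng16.so.16 => not found (0)
	libz.so.6 => /lib/libz.so.6 (0x800a00000)
	libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# Usage: ./check-shlibs.sh /usr/local/bin  (directories are scanned, files checked);
# with no arguments it only demonstrates the parser on the constructed sample.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LDD" | unresolved_from_ldd
else
    for arg; do
        if [ -d "$arg" ]; then scan_dir "$arg"; else check_binary "$arg"; fi
    done
fi
```

Run it against /usr/local/bin right after a pkg upgrade and the list it prints is exactly the set of programs that would fail "one day" with a missing-library error. ldd looks at the binary itself, so it also catches things built outside the package database, which pkg's own consistency checks cannot see.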