XPost: alt.comp.os.windows-10   
   From: user@example.net   
      
   On 31/03/2024 20.17, Newyana2 wrote:   
   > "J.O. Aho" wrote   
   >   
   > | > The   
   > | > whole approach is a ridiculous mess. How could quality control   
   > | > possibly be carried out on so many constant changes?   
   > |   
   > | Quite simple, most open source projects can get free static code   
   > | inspection (this can be automated say when a pull request is made), a   
   > | review is always needed before code are merged (how good it is depends   
   > | on the maintainers, all from sloppy microsoft standard to BSD high   
   > | standard) . This is the same way as most closed source projects also are   
   > | done.   
   > |   
   >   
   > I don't see it as a closed vs open issue. Microsoft   
   > now do the same dripfeed updating. Essentially, the   
   > SOHo customer base are now an unpaid beta testing   
   > army.   
      
That was the feeling one got reading it: bashing on the open source development
model, which in reality isn't that much different from remote working
setups, with the exception that the developers haven't gone through a silly interview.
      
      
   > I've had to make efforts to block these unknown updates   
   > in both Win10 and Suse.   
      
In Microsoft updates you can't opt out of specific updates, everything
is bundled together, while for example with Suse you can block specific
packages from being updated (in the long run you may get a dependency
issue, but that's not my problem).
      
> (And yes, it is in the 100s. I had
   > my firewall down briefly after a week or two when Suse couldn't   
   > call home.   
      
What you call "calling home" for Suse is just a fetch of the latest
status of what packages exist in the remote repository, plus some
metadata, so it's one-way communication; sure, the remote end could store
your IP and which repository you were fetching from.
      
It's on your local system that the calculation is done of which packages
need to be installed to get everything up to the latest version.
      
This differs much from the Microsoft way, where you tell everything to
Microsoft and they tell you what to install.
      
      
   > It told me I had 360 updates waiting. What are   
   > they?   
      
The update applet in Suse would tell you which CVEs are resolved in
the new update; the exception was Tumbleweed, as the release was considered
experimental and you could have many package updates for multiple reasons.
      
Keep in mind that in 99% of the cases you already have them installed
and they are dependencies of programs you may know, like firefox,
chromium, ...
If a program is listed, it tends to be about a security fix or minor
improvements that affect stability and speed (keep in mind that a bug
can also be introduced, for it's a human who has written the code).
Of course, if you like me prefer a rolling-release distro, then updates
may bring new features and new dependencies, but I trust my distro
maintainers to have an eye on what is good and safe, so I don't care to
look at what changes for each package each time, but I could just
take a look at the change log for each package, as my favorite distro does
provide that as metadata.
      
      
   > I didn't   
   > agree to be a beta testing volunteer for programmers who   
   > can't stop fiddling. I'm guessing they may spend more time   
   > rebuilding the install package than actually writing the software.)   
      
Then you need to find an EOL MS Windows version and live
with the fact that there will not be any fixes for whatever vulnerability
may be found.
      
      
   > The way it used to work is that software was thoroughly   
   > tested before release.   
      
Haha... yeah sure, that has never been the case; even if there is QA testing
before release it tends to cover just the new feature and seldom the whole
application, so things can easily break, like when MS released the new
version of "Teams" and broke spellchecking.
      
      
   > Then another version might come out   
   > in maybe a year.   
      
This was in the times when no one was concerned about vulnerabilities
and clueless about things like the OWASP Top 10. The world has changed a lot
since the 20th century; now the bad boys tend to know about application
vulnerabilities faster than the developers. As methods of detecting
bad code have evolved (static analysis, LLMs, automated testing, ...),
random vulnerabilities aren't enough, so you need to create
vulnerabilities, and organized actors try to get their code into
applications in different manners, like hacking repositories and injecting their
code, getting employment at different companies or agencies, or joining open
source development.
      
   You can't go around with software with a known vulnerability for a year,   
   not even a week...   
      
   > And one could easily find a list of   
   > actual changes in the new version.   
      
Most open source projects do provide a change log which tells you
what is new in each version. There are some closed source projects that
do the same too.
      
      
   > Most of my Windows software   
   > hasn't been updated in ages and still works fine.   
      
Yeah, they do work, but with all the vulnerabilities you are also an
easy target, which your firewall will not protect you from.
      
      
   > But Microsoft and   
   > Linux are now both guilty of seat-of-the-pants updating. If it   
   > isn't stopped, Windows will show a message at boot every few   
   > days: "Please wait. Installing updates."   
   >   
   > Apple is a different thing. They serve a consumer-only audience,   
   > updating periodically with stable releases and quickly dropping   
   > support for older products.   
      
Apple and Microsoft have the same release policy: monthly updates unless
something is really critical, then out-of-cycle releases.
      
Both don't talk about vulnerabilities until they have released a fix, so
in theory you can have a vulnerability for 10 years which they know of
and haven't bothered to fix because they think it's of low impact, but which may
already be utilized in hacks.
      
      
      
   >   
   > If someone screws up and needs to issue a fix, that's fine.   
   > But it shouldn't happen very often. An OS on a computer that's   
   > actually in use shouldn't be getting dripfeed updates.   
      
This is why people's devices get to be part of large botnets, for they
ignore security in the same way that MAGA ignores that Mr Tinyhands
wants a bloodbath in the US.
      
      
> It should
   > be getting updates rarely and then with good reason. MS know that.   
   > That's why they let corporate customers update periodically and   
   > test out the changes before rolling them out.   
      
They know that people are annoyed by rebooting their computer each time
there is an update, and as I told you before, in MS Windows when a file is
locked, it is locked and can't be replaced until the application which
uses it has closed it, and as the kernel has opened files that need to
be replaced, the kernel can't be up and running in full to finish an
update, so you need to reboot.
      
This differs from Unix and Linux, where two versions of a file can exist
at the same time, so after an update all you need to do is restart the
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   