[arch-general] "Automatic" upgrade

Rodrigo Rivas rodrigorivascosta at gmail.com
Tue Feb 11 13:00:41 EST 2014


On Tue, Feb 11, 2014 at 5:19 PM, David Rosenstrauch <darose at darose.net> wrote:

> On 02/11/2014 07:17 AM, Ismael Bouya wrote:
>
>> That's not an option. The network on which the machine is is willingly
>> inaccessible from outside: The sysadmin there has the principle that "a
>> machine that works shouldn't be upgraded, because then it can
>> break"
>>
>
> Then your sysadmin is incompetent, since he is completely ignorant of the
> concept of "security upgrades".
>
> DR
>
>
While I agree on disagreeing with this sysadmin, I think that their point
of view is not properly represented. I've known that position before:

1. Upgrades sometimes go wrong.
2. Upgrades that go fine sometimes have unexpected behavior.
3. My machine is not connected to the Internet, so it's not exposed to
attack.

The sysadmin's conclusion is therefore:

1. What do I gain upgrading? Nothing.
2. What do I lose upgrading? Maybe something goes wrong.


My guess here is that this "secure" network is full of non-upgraded
(Windows?) machines, and security is attained exclusively by network
isolation.

So my advice to the OP is to play safe and not to program any kind of
inbound tunnel. That could end in disaster and you would be responsible!
Just limit the access to your mole's handmade tunnel, or play by the rules
and not upgrade (ug!).

Just my €0.02.
-- 
Rodrigo

