Another "Quandary" (regarding updates)

Vrai

Well-Known Member
I've been running Linux for quite some time, am comfortable with it and quite enthusiastic about it.
Like many here I started my computer perambulation with PCs running Windows. Whereupon we learned, after having it drummed into our heads: install updates whenever, and as soon as, they are available! O.K. fine.
The same reasoning seemed to prevail regarding updates for my Linux box.
But after the Windows 10 debacle and Microsoft's penchant for installing (sometimes surreptitiously) un-needed and/or un-wanted software (GFX/Get Windows 10) I started examining ALL updates before installing them.

So recently I started paying closer attention to the updates Linux Mint was offering me.
And that's where I began to have a bit of a 'quandary'. Do I install all of them, or just the ones I think I may need?
I used to install them all and hope for the best! But I have read on various forum posts that if the computer is working fine then perhaps the kernel update is not needed and may even introduce problems which did not exist before. Harrumph.
Clem over at the Linux Mint blog has made it quite clear that unless there is a definite need there is no reason to 'upgrade' to a newer version of Linux Mint. O.K. Makes sense.

But what about 'updates'? I currently see updates being offered for systemd, AMD Microcode, chromium, etc.
All of my stuff seems to be working fine. If the updates are NOT security related and everything is working fine then why update?

I am avoiding any updates at the moment which are not 'security' related but wonder if I should just go ahead and install them all anyway. Does the old saying "if it ain't broke don't fix it" apply?

I check the changelog for the updates but unfortunately the kernel updates often don't have any changelog. And AFAIK I don't have any 'chromium' installed on my machine! Nor any AMD.

Decisions, decisions.....
 


captain-sensible

Active Member
That's one thing that annoyed me last time I used any Ubuntu derivative: I was in Africa with next to no internet bandwidth, then it started auto updates. Someone sublimely said "well you can turn it off". One thing about Slackware is, it doesn't do anything unless you tell it to!
 

Condobloke

Well-Known Member
FWIW......I install everything.

With the obvious exceptions......I don't use anything related to Chrome etc....I do not own anything made by AMD etc etc....the list is surprisingly short.

Yes I install new kernels. If the system goes pear-shaped, that is what Timeshift is for. Simple.

I switched to Linux some 5 years ago to rid myself of the worry/stress/crap associated with anything Windows.
I have no intention of revisiting that crap ever again......and that includes spending time worrying about updates

If anything goes pear shaped, breaks, misbehaves, etc etc.....TIMESHIFT fixes it


Simple.

Life is cool.....so is Linux.
 

atanere

Well-Known Member
> FWIW......I install everything.

> As far as micro code, NEVER!

I'm with @Condobloke on this one... I install all updates. Patching some simple software bugs may not be "essential" to your system operation, but your distro provider believes it is "worthwhile" to apply these patches. If they didn't think it was worthwhile, then why go to the trouble when they could just wait until their next release to incorporate these updates?

About microcode: Computer manufacturers stop updating their BIOS/UEFI products after a while, and many people don't apply updates that are available anyway. Microcode updates are CPU firmware updates (that run at boot time) to help keep system stability and are definitely worth applying. These help mitigate CPU-related vulnerabilities, such as Spectre and Meltdown.

Arch Linux says, "All users with an AMD or Intel CPU should install the microcode updates to ensure system stability."

Debian says, "... it is not safe at all to just ignore them"
(meaning microcode updates).

Debian also acknowledges in the link above that a microcode update bug could cause boot issues, but this is very rare. I don't think I've ever had an update break something on my computer with Linux (unlike Windows)... but the fear of it happening doesn't stop me from updating.

Cheers
 

atanere

Well-Known Member
> Well, after you have bricked a couple CPUs, you get wary of Microcode "upgrades". Never mind how I came to that conclusion o_O

A couple? As in more than one? Damn, Paul?!?! Can we ask if your troubles were encountered while flashing a BIOS, like this story? Flashing a BIOS has always had some risk involved, and yes... some microcode updates are brought in with a BIOS update too. But that is not the same as the somewhat frequent microcode updates that come from the distro providers which only load at runtime... these do not physically "flash the CPU."

Even Slackware pushes microcode updates... at least some of the time. :D

Cheers
 

VP9KS

Well-Known Member
Yeah, when I was young and foolish and had no future, I thought "what could go wrong?" Then I found out what could go wrong o_O! Water under the bridge, but also 3rd degree burns, so to speak. Anyway, an expensive lesson, and not something I wish to repeat.
 

VP9KS

Well-Known Member
> A couple? As in more than one? Damn, Paul?!?! Can we ask if your troubles were encountered while flashing a BIOS, like this story? Flashing a BIOS has always had some risk involved, and yes... some microcode updates are brought in with a BIOS update too. But that is not the same as the somewhat frequent microcode updates that come from the distro providers which only load at runtime... these do not physically "flash the CPU."
>
> Even Slackware pushes microcode updates... at least some of the time. :D
>
> Cheers

Perhaps, but I have more control over what is actually installed with Slackware. :p
 

Vrai

Well-Known Member
Here are some examples of what I am talking about:
Code:
amd64-microcode (3.20191021.1+really3.20181128.1~ubuntu0.18.04.1) bionic-security; urgency=medium

  * Revert to 3.20181128.1 version of microcode because of regressions on
    certain hardware. (LP: #1853614)

-- Marc Deslauriers <[email protected]>  Mon, 25 Nov 2019 14:52:06 -0500
I don't have any AMD64 on this machine. It is an Intel Core i5 with Intel HD Graphics. Are they using "amd64" as a generic descriptor for ALL 64 bit processors? Why install microcode which does not even apply to my machine? Even if it did - everything is working fine - I am not having any "regressions on certain hardware".

Code:
chromium-browser (79.0.3945.79-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 79.0.3945.79
    - CVE-2019-13725: Use after free in Bluetooth.
    - CVE-2019-13726: Heap buffer overflow in password manager.
    - CVE-2019-13727: Insufficient policy enforcement in WebSockets.
    - CVE-2019-13728: Out of bounds write in V8.
    - CVE-2019-13729: Use after free in WebSockets.
    - CVE-2019-13730: Type Confusion in V8.
    - CVE-2019-13732: Use after free in WebAudio.
    - CVE-2019-13734: Out of bounds write in SQLite.
    - CVE-2019-13735: Out of bounds write in V8.
    - CVE-2019-13764: Type Confusion in V8.
    - CVE-2019-13736: Integer overflow in PDFium.
    - CVE-2019-13737: Insufficient policy enforcement in autocomplete.
    - CVE-2019-13738: Insufficient policy enforcement in navigation.
    - CVE-2019-13739: Incorrect security UI in Omnibox.
    - CVE-2019-13740: Incorrect security UI in sharing.
    - CVE-2019-13741: Insufficient validation of untrusted input in Blink.
    - CVE-2019-13742: Incorrect security UI in Omnibox.
    - CVE-2019-13743: Incorrect security UI in external protocol handling.
    - CVE-2019-13744: Insufficient policy enforcement in cookies.
    - CVE-2019-13745: Insufficient policy enforcement in audio.
    - CVE-2019-13746: Insufficient policy enforcement in Omnibox.
    - CVE-2019-13747: Uninitialized Use in rendering.
    - CVE-2019-13748: Insufficient policy enforcement in developer tools.
    - CVE-2019-13749: Incorrect security UI in Omnibox.
    - CVE-2019-13750: Insufficient data validation in SQLite.
    - CVE-2019-13751: Uninitialized Use in SQLite.
    - CVE-2019-13752: Out of bounds read in SQLite.
    - CVE-2019-13753: Out of bounds read in SQLite.
    - CVE-2019-13754: Insufficient policy enforcement in extensions.
    - CVE-2019-13755: Insufficient policy enforcement in extensions.
    - CVE-2019-13756: Incorrect security UI in printing.
    - CVE-2019-13757: Incorrect security UI in Omnibox.
    - CVE-2019-13758: Insufficient policy enforcement in navigation.
    - CVE-2019-13759: Incorrect security UI in interstitials.
    - CVE-2019-13761: Incorrect security UI in Omnibox.
    - CVE-2019-13762: Insufficient policy enforcement in downloads.
    - CVE-2019-13763: Insufficient policy enforcement in payments.
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/default-allocator: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-extra-arflags.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/patches/widevine-enable-version-string.patch: updated
  * debian/patches/widevine-other-locations: updated

 -- Olivier Tilloy <[email protected]>  Wed, 11 Dec 2019 10:17:07 +0100
I have NO chromium browser on my machine. I've looked. Perhaps there is a program Linux Mint is using, such as a media player or some such, which uses chromium for the 'back-end'. I don't know. But if I don't have any chromium browser - why install updates for it?

Code:
intel-microcode (3.20191115.1ubuntu0.18.04.2) bionic-security; urgency=medium

  * REGRESSION UPDATE: warm reboots cause hangs on certain Skylake
    processors (LP: 1854764)
    + Reverted microcode (from revision 0x2000065):
      sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792

 -- Steve Beattie <[email protected]>  Mon, 02 Dec 2019 09:23:20 -0800
This one may apply. But if I am not having any "hangs" why mess with it? I'm not even sure if I have "certain Skylake" processors.
Notice the "REGRESSION UPDATE" and "Reverted microcode" - this indicates to me that a previous microcode update introduced a problem (regression) and now we have to 'patch the patch'. If it is working fine I think I will leave it alone unless it is an urgent SECURITY patch. If it ain't broke.....

Code:
Linux kernel 4.15.0-72.81 

            Old Version 4.15.0-66.75   New Version 4.15.0-72.81

No changelog available
Sigh... Sure would be nice if Mint Update would give us SOME indication of what and why. This has been the case for numerous kernel updates. I guess it is up to the user to look up the changes for themselves. I suppose I could head on over to https://www.kernel.org/ and nose around.

But wait - there seems to be a conspicuous lack of kernel 4.15.0-72.81 listed!
Sorry, I'll turn my sarcasm filter back on :/ But you get my point. I'm sure I can find the changelog with a little searching but it sure would be nice if it was right there in Mint Update along with all the other changelogs.

Code:
grub2 (2.02-2ubuntu8.14) bionic; urgency=medium

  * Fix kexec on ACPI/UEFI ARM systems w/ crashkernel reserved memory
    beyond the 4GiB boundary. (LP: #1851190)
  * Apply patch from Peter Jones to forbid the "devicetree" command when
    Secure Boot is enabled. (LP: #1851897)

 -- dann frazier <[email protected]>  Sun, 10 Nov 2019 22:52:35 -0700
"ARM" systems - this machine is not one of. Secure Boot is not enabled. I see no reason to install this update.
Remember the UNIX principle - 'keep it simple' - why keep adding more lines of code to my system, potentially introducing new problems and/or regressions, adding complexity, for something which does not apply or I am not using?

Code:
linux-firmware (1.173.14) bionic; urgency=medium

  * Fix latency issue on Realtek Bluetooth (LP: #1856077)
    - rtl_bt: Update RTL8723D BT FW to 0x828A_96F1

  * Intel Wireless-AC 9560 Bluetooth, whenever connected to BLE devices,
    causes UI freeze when re-logging in after resumed from suspend
    (LP: #1855235)
    - linux-firmware: Update firmware file for Intel Bluetooth AX201

 -- Seth Forshee <[email protected]>  Thu, 12 Dec 2019 07:48:58 -0600
This one could possibly apply to my machine. But my Bluetooth and Wi-Fi are working fine. Why mess with it?

Code:
network-manager-applet

            Old Version 1.8.10-2ubuntu2   New Version 1.8.10-2ubuntu3mint1

 [ Clement Lefebvre ]
   * Use symbolic icons in systray

   [ Michael Webster ]
   * Revert a broken quilt patch
Here again - working fine. This does not appear to be a "security" patch - everything is working as it should - I see no reason to apply this update just because it is offered.

Code:
mintreport
Troubleshooting tool for Linux Mint

            Old Version 1.0.9   New Version 1.1.4
* Remove root password check
Ugh! I made the mistake of installing this one on my desktop machine and then it would not stop bugging me! No thanks - I'll pass on this one!

And this all brings me around to the issue of 'telemetry'. I think @wizardfromoz posted something the other day about Zorin collecting some sort of telemetry. Ubuntu tried years ago to collect telemetry - perhaps they still do. But many, many Linux users get upset over the idea of their operating system calling home to the mothership.
This is one instance where I would not mind sharing some information about my hardware specs and software installed if it meant I would only be offered updates which were applicable to my unique machine.

Now you. Any thoughts? ¯\_(ツ)_/¯
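Several of the questions in this post (is this an AMD or an Intel box, does the "sig 0x00050654" in the intel-microcode changelog match this CPU, which microcode revision is actually loaded, is chromium-browser really installed) can be answered from what the kernel already exposes. The script below is an added example, not code from this thread or from Ubuntu/Mint: it reads the `vendor_id`, `cpu family`, `model`, `stepping` and `microcode` fields of `/proc/cpuinfo`, composes the CPUID signature the way Intel's microcode changelogs print it, and maps the vendor string to the package that carries its microcode (the `amd64-microcode` package holds microcode for AMD CPUs only; it is not a generic x86-64 package). The cpuinfo text inside it is a constructed sample for a family 6 / model 0x55 / stepping 4 CPU, which is exactly the 0x00050654 signature quoted above; `pkg_installed` calls `dpkg-query` only where that tool exists.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu/Mint): work out whether
# an offered microcode update is relevant to this machine, using only the
# fields the kernel exposes in /proc/cpuinfo.

# Constructed sample in /proc/cpuinfo format. family 6, model 85 (0x55),
# stepping 4 is the CPUID signature the intel-microcode changelog writes as
# "sig 0x00050654". The model name is made up.
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 85
model name  : Intel(R) Xeon(R) Sample CPU (constructed)
stepping    : 4
microcode   : 0x2000064
flags       : fpu vme de pse tsc msr pae mce'

# cpu_field NAME: print the first CPU's value for NAME from cpuinfo text on stdin.
cpu_field() {
    awk -F'[[:space:]]*:[[:space:]]*' -v key="$1" '$1 == key { print $2; exit }'
}

# cpuid_sig FAMILY MODEL STEPPING: compose the CPUID signature as Intel's
# microcode changelogs print it (stepping bits 0-3, model bits 4-7, family
# bits 8-11, extended model bits 16-19, extended family bits 20-27).
cpuid_sig() {
    family=$1; model=$2; stepping=$3
    base_family=$family; ext_family=0
    if [ "$family" -ge 15 ]; then
        base_family=15; ext_family=$((family - 15))
    fi
    base_model=$model; ext_model=0
    # The extended-model field is only defined for families 6 and 15.
    if [ "$family" -eq 6 ] || [ "$family" -ge 15 ]; then
        base_model=$((model % 16)); ext_model=$((model / 16))
    fi
    sig=$(( (ext_family << 20) | (ext_model << 16) | (base_family << 8) ))
    sig=$(( sig | (base_model << 4) | stepping ))
    printf '0x%08x\n' "$sig"
}

# microcode_package_for VENDOR_ID: the Ubuntu/Debian package that carries
# runtime microcode for this vendor. amd64-microcode is AMD-only.
microcode_package_for() {
    case "$1" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *)            echo none ;;
    esac
}

# microcode_update_applies CPUINFO_TEXT SIG: "yes" if the signature quoted in
# a changelog ("sig 0x00050654") is this CPU's own signature, else "no".
microcode_update_applies() {
    fam=$(printf '%s\n' "$1" | cpu_field 'cpu family')
    mod=$(printf '%s\n' "$1" | cpu_field 'model')
    step=$(printf '%s\n' "$1" | cpu_field 'stepping')
    mine=$(cpuid_sig "$fam" "$mod" "$step")
    wanted=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$mine" = "$wanted" ]; then echo yes; else echo no; fi
}

# pkg_installed NAME: "yes"/"no" according to dpkg, "unknown" where dpkg-query
# is not available (non-Debian systems).
pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    if dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q ' installed$'; then
        echo yes
    else
        echo no
    fi
}

# report CPUINFO_TEXT: summarise the applicability questions for one CPU.
report() {
    vendor=$(printf '%s\n' "$1" | cpu_field vendor_id)
    fam=$(printf '%s\n' "$1" | cpu_field 'cpu family')
    mod=$(printf '%s\n' "$1" | cpu_field model)
    step=$(printf '%s\n' "$1" | cpu_field stepping)
    rev=$(printf '%s\n' "$1" | cpu_field microcode)
    [ -n "$fam" ] || { echo "no x86-style cpuinfo fields found"; return 0; }
    echo "vendor: $vendor -> relevant package: $(microcode_package_for "$vendor")"
    echo "cpuid signature: $(cpuid_sig "$fam" "$mod" "$step") (loaded microcode rev ${rev:-unknown})"
    echo "intel-microcode 'sig 0x00050654' applies: $(microcode_update_applies "$1" 0x00050654)"
    echo "chromium-browser installed: $(pkg_installed chromium-browser)"
}

echo "== constructed sample =="
report "$SAMPLE_CPUINFO"
if [ -r /proc/cpuinfo ]; then
    echo "== this machine =="
    report "$(cat /proc/cpuinfo)"
fi
```

The loaded microcode revision shown here is the same value `grep microcode /proc/cpuinfo` prints, and it is the number a "Reverted microcode (from revision ...)" changelog entry refers to; whether the Spectre/Meltdown-class mitigations that such microcode supports are actually active on a given kernel can be read from the files under `/sys/devices/system/cpu/vulnerabilities/`. A changelog signature that does not match the machine's own signature means the update will not change what that CPU loads.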
 

atanere

Well-Known Member
> Now you. Any thoughts? ¯\_(ツ)_/¯

In the end, you are the captain of your own Linux ship, and these decisions are up to you. :D

> And this all brings me around to the issue of 'telemetry'. I think @wizardfromoz posted something the other day about Zorin collecting some sort of telemetry.

With Zorin, they call it "census" and it was enabled by default (with no notice) on their new version 15.0, which is what caused such a stir. Now, with updated version 15.1, they have an option box during install that must be checked to disable it. Or it can be removed with sudo apt purge zorin-os-census.


> But many, many Linux users get upset over the idea of their operating system calling home to the mothership.

Count me among them, especially when such an action is sneaky and so very, very Microsoft-like. Zorin should have known better than this, I think.

Cheers
 