Another "Quandary" (regarding updates)

Vrai

Well-Known Member
Credits
2,395
I've been running Linux for quite some time, am comfortable with it and quite enthusiastic about it.
Like many here I started my computer perambulation with PC's running Windows. Whereupon we learned, after having it drummed into our heads, install updates whenever, and as soon as, they are available! O.K. fine.
The same reasoning seemed to prevail regarding updates for my Linux box.
But after the Windows 10 debacle and Microsoft's penchant for installing (sometimes surreptitiously) un-needed and/or un-wanted software (GFX/Get Windows 10) I started examining ALL updates before installing them.

So recently I started paying closer attention to the updates Linux Mint was offering me.
And that's where I began to have a bit of a 'quandary'. Do I install all of them, or just the ones I think I may need?
I used to install them all and hope for the best! But I have read on various forum posts that if the computer is working fine then perhaps the kernel update is not needed and may even introduce problems which did not exist before. Harrumph.
Clem over at the Linux Mint blog has made it quite clear that unless there is a definite need there is no reason to 'upgrade' to a newer version of Linux Mint. O.K. Makes sense.

But what about 'updates'? I currently see updates being offered for systemd, AMD Microcode, chromium, etc.
All of my stuff seems to be working fine. If the updates are NOT security related and everything is working fine then why update?

I am avoiding any updates at the moment which are not 'security' related but wonder if I should just go ahead and install them all anyway. Does the old saying "if it ain't broke don't fix it apply'?

I check the changelog for the updates but unfortunately the kernel updates often don't have any changelog. And AFAIK I don't have any 'chromium' installed on my machine! Nor any AMD.

Decisions, decisions.....
 


captain-sensible

Well-Known Member
Credits
5,792
thats one thing that annoyed me last time i used any ubuntu derivative i was in Africa with next to know intenet bandwidth then it started auto updates. Someone sublimely said "well you can turn it off". One thing about slackware is , it doesn't do anything unless you tell it to!
 

Condobloke

Well-Known Member
Credits
3,638
FWIW......I install everything.

With the obvious exceptions......I dont use anything related to Chrome etc....I do not own anything made by amd etc etc....the list is surprisingly short.

Yes i install new kernels. If the system goes pearshaped, that is what Timeshift is for. Simple.

I switched to Linux some 5 years ago to rid myself of the worry/stress/crap, associated with anything windows.
I have no intention of revisiting that crap ever again......and that includes spending time worrying about updates

If anything goes pear shaped, breaks, misbehaves, etc etc.....TIMESHIFT fixes it


Simple.

Life is cool.....so is Linux.
 

atanere

Well-Known Member
Credits
0
FWIW......I install everything.
As far as micro code, NEVER!
I'm with @Condobloke on this one... I install all updates. Patching some simple software bugs may not be "essential" to your system operation, but your distro provider believes it is "worthwhile" to apply these patches. If they didn't think it was worthwhile, then why go to the trouble when they could just wait until their next release to incorporate these updates.

About microcode: Computer manufacturers stop updating their BIOS/UEFI products after awhile, and many people don't apply updates that are available anyway. Microcode are CPU firmware updates (that run at boot time) to help to keep system stability and are definitely worth applying. These help mitigate CPU-related vulnerabilities, such as Spectre and Meltdown.

Arch Linux says, "All users with an AMD or Intel CPU should install the microcode updates to ensure system stability."

Debian says, "... it is not safe at all to just ignore them"
(meaning microcode updates).

Debian also acknowledges in the link above that a microcode update bug could cause boot issues, but this is very rare. I don't think I've ever had an update break something on my computer with Linux (unlike Windows)... but the fear of it happening doesn't stop me from updating.

Cheers
 

atanere

Well-Known Member
Credits
0
Well, after you have bricked a couple cpus, you get wary of Microcode "upgrades". Never mind how I came to that conclusiono_O
A couple? As in more than one? Damn, Paul?!?! Can we ask if your troubles were encountered while flashing a BIOS, like this story? Flashing a BIOS has always had some risk involved, and yes... some microcode updates are brought in with a BIOS update too. But that is not the same as the somewhat frequent microcode updates that come from from the distro providers which only load at runtime... these do not physically "flash the CPU."

Even Slackware pushes microcode updates... at least some of the time. :D

Cheers
 

VP9KS

Well-Known Member
Credits
319
Yeah, when I was young and foolish and had no future, I thought "what could go wrong?" Then I found out what could go wrongo_O! Water under the bridge, but also 3rd degree burns, so to speak. Anyway, an expensive lesson, and not something I wish to repeat.
 

VP9KS

Well-Known Member
Credits
319
A couple? As in more than one? Damn, Paul?!?! Can we ask if your troubles were encountered while flashing a BIOS, like this story? Flashing a BIOS has always had some risk involved, and yes... some microcode updates are brought in with a BIOS update too. But that is not the same as the somewhat frequent microcode updates that come from from the distro providers which only load at runtime... these do not physically "flash the CPU."

Even Slackware pushes microcode updates... at least some of the time. :D

Cheers
Perhaps, but I have more control over what is actually installed with slackware.:p
 

Vrai

Well-Known Member
Credits
2,395
Here are some examples of what I am talking about;
Code:
amd64-microcode (3.20191021.1+really3.20181128.1~ubuntu0.18.04.1) bionic-security; urgency=medium

  * Revert to 3.20181128.1 version of microcode because of regressions on
    certain hardware. (LP: #1853614)

-- Marc Deslauriers <[email protected]>  Mon, 25 Nov 2019 14:52:06 -0500
I don't have any AMD64 on this machine. It is an Intel Core i5 with Intel HD Graphics. Are they using "amd64" as a generic descriptor for ALL 64 bit processors? Why install microcode which does not even apply to my machine? Even if it did - everything is working fine - I am not having any "regressions on certain hardware".

Code:
chromium-browser (79.0.3945.79-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 79.0.3945.79
    - CVE-2019-13725: Use after free in Bluetooth.
    - CVE-2019-13726: Heap buffer overflow in password manager.
    - CVE-2019-13727: Insufficient policy enforcement in WebSockets.
    - CVE-2019-13728: Out of bounds write in V8.
    - CVE-2019-13729: Use after free in WebSockets.
    - CVE-2019-13730: Type Confusion in V8.
    - CVE-2019-13732: Use after free in WebAudio.
    - CVE-2019-13734: Out of bounds write in SQLite.
    - CVE-2019-13735: Out of bounds write in V8.
    - CVE-2019-13764: Type Confusion in V8.
    - CVE-2019-13736: Integer overflow in PDFium.
    - CVE-2019-13737: Insufficient policy enforcement in autocomplete.
    - CVE-2019-13738: Insufficient policy enforcement in navigation.
    - CVE-2019-13739: Incorrect security UI in Omnibox.
    - CVE-2019-13740: Incorrect security UI in sharing.
    - CVE-2019-13741: Insufficient validation of untrusted input in Blink.
    - CVE-2019-13742: Incorrect security UI in Omnibox.
    - CVE-2019-13743: Incorrect security UI in external protocol handling.
    - CVE-2019-13744: Insufficient policy enforcement in cookies.
    - CVE-2019-13745: Insufficient policy enforcement in audio.
    - CVE-2019-13746: Insufficient policy enforcement in Omnibox.
    - CVE-2019-13747: Uninitialized Use in rendering.
    - CVE-2019-13748: Insufficient policy enforcement in developer tools.
    - CVE-2019-13749: Incorrect security UI in Omnibox.
    - CVE-2019-13750: Insufficient data validation in SQLite.
    - CVE-2019-13751: Uninitialized Use in SQLite.
    - CVE-2019-13752: Out of bounds read in SQLite.
    - CVE-2019-13753: Out of bounds read in SQLite.
    - CVE-2019-13754: Insufficient policy enforcement in extensions.
    - CVE-2019-13755: Insufficient policy enforcement in extensions.
    - CVE-2019-13756: Incorrect security UI in printing.
    - CVE-2019-13757: Incorrect security UI in Omnibox.
    - CVE-2019-13758: Insufficient policy enforcement in navigation.
    - CVE-2019-13759: Incorrect security UI in interstitials.
    - CVE-2019-13761: Incorrect security UI in Omnibox.
    - CVE-2019-13762: Insufficient policy enforcement in downloads.
    - CVE-2019-13763: Insufficient policy enforcement in payments.
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/default-allocator: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-extra-arflags.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/patches/widevine-enable-version-string.patch: updated
  * debian/patches/widevine-other-locations: updated

 -- Olivier Tilloy <[email protected]>  Wed, 11 Dec 2019 10:17:07 +0100
I have NO chromium browser on my machine. I've looked. Perhaps there is a program Linux Mint is using, such as a media player or some such, which uses chromium for the 'back-end'. I don't know. But if I don't have any chromium browser - why install updates for it?

Code:
intel-microcode (3.20191115.1ubuntu0.18.04.2) bionic-security; urgency=medium

  * REGRESSION UPDATE: warm reboots cause hangs on certain Skylake
    processors (LP: 1854764)
    + Reverted microcode (from revision 0x2000065):
      sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792

 -- Steve Beattie <[email protected]>  Mon, 02 Dec 2019 09:23:20 -0800
This one may apply. But if I am not having any "hangs" why mess with it? I'm not even sure if I have "certain Skylake" processors.
Notice the "REGRESSION UPDATE" and "Reverted microcode" - this indicates to me that a previous microcode update introduced a problem (regression) and now we have to 'patch the patch'. If it is working fine I think I will leave it alone unless it is an urgent SECURITY patch. If it ain't broke.....

Code:
Linux kernel 4.15.0-72.81 

            Old Version 4.15.0-66.75   New Version 4.15.0-72.81

No changelog available
Sigh... Sure would be nice if Mint Update would give us SOME indication of what and why. This has been the case for numerous kernel updates. I guess it is up to the user to look up the changes for themselves. I suppose I could head on over to https://www.kernel.org/ and nose around.
5039

But wait - there seems to be a conspicuous lack of kernel 4.15.0-72.81 listed!
Sorry, I'll turn my sarcasm filter back on :/ But you get my point. I'm sure I can find the changelog with a little searching but it sure would be nice if it was right there in Mint Update along with all the other changelogs.

Code:
grub2 (2.02-2ubuntu8.14) bionic; urgency=medium

  * Fix kexec on ACPI/UEFI ARM systems w/ crashkernel reserved memory
    beyond the 4GiB boundary. (LP: #1851190)
  * Apply patch from Peter Jones to forbid the "devicetree" command when
    Secure Boot is enabled. (LP: #1851897)

 -- dann frazier <[email protected]>  Sun, 10 Nov 2019 22:52:35 -0700
"ARM" systems - this machine is not one of. Secure Boot is not enabled. I see no reason to install this update.
Remember the UNIX principle - 'keep it simple' - why keep adding more lines of code to my system, potentially introducing new problems and/or regressions, adding complexity, for something which does not apply or I am not using?

Code:
linux-firmware (1.173.14) bionic; urgency=medium

  * Fix latency issue on Realtek Bluetooth (LP: #1856077)
    - rtl_bt: Update RTL8723D BT FW to 0x828A_96F1

  * Intel Wireless-AC 9560 Bluetooth, whenever connected to BLE devices,
    causes UI freeze when re-logging in after resumed from suspend
    (LP: #1855235)
    - linux-firmware: Update firmware file for Intel Bluetooth AX201

 -- Seth Forshee <[email protected]>  Thu, 12 Dec 2019 07:48:58 -0600
This one could possibly apply to my machine. But my Bluetooth and Wi-Fi are working fine. Why mess with it?

Code:
network-manager-applet  Old Version                New Version
                                             1.8.10-2ubuntu2        1.8.10-2ubuntu3mint1

 [ Clement Lefebvre ]
   * Use symbolic icons in systray

   [ Michael Webster ]
   * Revert a broken quilt patch
Here again - working fine. This does not appear to be a "security" patch - everything is working as it should - I see no reason to apply this update just because it is offered.

Code:
mintreport
Troubleshooting tool for Linux Mint     Old Version         New Version
                                                                     1.0.9                      1.1.4
* Remove root password check
Ugh! I made the mistake of installing this one on my desktop machine and the it would not stop bugging me! No thanks - I'll pass on this one!

And this all brings me around to the issue of 'telemetry'. I think @wizardfromoz posted something the other day about Zorin collecting some sort of telemetry. Ubuntu tried years ago to collect telemetry - perhaps they still do. But many, many Linux users get upset over the idea of their operating system calling home to the mothership.
This is one instance where I would not mind sharing some information about my hardware specs and software installed if it meant I would only be offered updates which were applicable to my unique machine.

Now you. Any thoughts? ¯\_(ツ)_/¯
 

atanere

Well-Known Member
Credits
0
Now you. Any thoughts? ¯\_(ツ)_/¯
In the end, you are the captain of your own Linux ship, and these decisions are up to you. :D

And this all brings me around to the issue of 'telemetry'. I think @wizardfromoz posted something the other day about Zorin collecting some sort of telemetry.
With Zorin, they call it, "census" and it was enabled by default (with no notice) on their new version 15.0, which is what caused such a stir. Now, with updated version 15.1, they have an option box during install that must be checked to disable it. Or it can be removed with sudo apt purge zorin-os-census.


But many, many Linux users get upset over the idea of their operating system calling home to the mothership.
Count me among them, especially when such an action is sneaky and so very, very Microsoft-like. Zorin should have known better than this, I think.

Cheers
 
Last edited:

Vrai

Well-Known Member
Credits
2,395
An 'update' regarding my 'updates quandary' update <------ ¯\_(ツ)_/¯

I just ran the Mint update app because it seemed a good thing to do. I was also looking for an updated Firefox whereas there has been an update to Firefox available for some few days now because of a security flaw. It took Mint longer than I would have expected or preferred to update their repository with the new Firefox version. :/

And I still run into the "quandary" of whether to update or not. For some unknown reason Linux Mint does not see fit to include a changelog regarding kernel updates. This seems rather odd as I see many Mint forum posts from users with mega grand post counts (Mint Gurus?) indicating that one should not update the kernel unless there is a definite, compelling reason to do so. So why no changelog to inform the user if this is a security update or someone just forgot to dot an i or cross a t?

I know there are Linux users who advocate for just installing all available updates - but that smacks of the "Windows" way of doing things. I prefer to be an informed Linux user and to know why I am doing what I am doing. See the below screenshots - one of no changelog available (Linux kernel) and one of Grub update regarding UEFI - I have no, and do not use UEFI on this machine, so why mess with updating my Grub2?

I'm not complaining (or not trying to) but am just asking the questions and raising the issue.
update_linux_kernel.png

grub_update.png

I still say it is worth looking over the updates and if you don't need it and it is working fine don't mess with it. Security updates - yes - fine - 'tiddly-widdly' - updates - maybe not so much.

P.S. I have tried looking up the changes to the Linux kernel to determine what has changed from the version I have installed to what is new and different in the 'new' version. It was not a fun exercise!
 

Attachments

jglen490

Well-Known Member
Credits
2,035
Kubuntu 18.04.4 LTS. I update everything offered.

The updates between distro upgrades, are almost entirely security related: OS, apps, drivers, etc. There are almost zero functionality changes, unless it it happens at the same as a security update. No Linux firmware, no driver, no app has ever bricked my PC. On occasion, an update has introduced a small bit of instability and is corrected in the next update. The devs and the community pay attention, and do fix things.

I will tell you this, I DO NOT stray far from a stock distro. A very few PPAs, no "upstream" kernels. If I do install some out of the ordinary app, and it doesn't work or behaves badly - it's gone. I don't care of that app is intended to solve world hunger (well maybe that!).

Be wise with what you do, what you install. An upstream kernel may be intended to solve some issue, but if the distro is not built to accommodate the new kernel, it's use just increases risk to your use of that distro. That shows up everyday in the distro-specific forums; "I just installed 5.6 kernel, and now my system won't work". "Well, duh, your distro was built on 5.0".

One solution to that problem is a complete "roll you own" Linux, built from source code, compiled, tested, and debugged to work properly with source code built apps and drivers. I wish you well with that. You would use ALL your time doing nothing but babysitting the source code, discovering vulnerabilities, fixing those vulnerabilities and errors, in short doing what teams of devs do with a distro. And you would have little time to enjoy your computing, as well as your living.

Obviously, do what you think is right, and if you think you know better don't update something. Just be aware of unintended consequences when you take matters into your own hands. Yes, it's Linux and certainly do have choices. My advice is, don't screw with the stability of your production platform.
 

Vrai

Well-Known Member
Credits
2,395
There are almost zero functionality changes, unless it it happens at the same as a security update. No Linux firmware, no driver, no app has ever bricked my PC.
Yet.

I DO NOT stray far from a stock distro. A very few PPAs, no "upstream" kernels
Me neither! I like the idea of 'ppa's' but it seems to introduce 'problems' almost as often as it 'fixes' them. I tend to stick with whatever is in the repo's of the distro I am using.

I don't care of that app is intended to solve world hunger (well maybe that!).
Well, yes. Maybe that! :)

That shows up everyday in the distro-specific forums; "I just installed 5.6 kernel, and now my system won't work".
Exactly what I was referring to.

One solution to that problem is a complete "roll you own" Linux, built from source code, compiled, tested, and debugged to work properly with source code built apps and drivers.
I'm not quite up to that level of 'Linux Guru' yet! Unlike some Slackware users er..ahem ( @captain-sensible ) ...

Obviously, do what you think is right, and if you think you know better don't update something.
I don't think I "know better" than the Linux devs who package and maintain the distro of choice. But I do try to be an informed and educated Linux user.
I just raise the issue to encourage constructive debate on an issue important to all Linux users.
 

captain-sensible

Well-Known Member
Credits
5,792
Well I am no guru .I think there are two types of Linux user.To give you a Metaphor there is the car driver who has half a clue on the physics and chemistry of combustion and the other who looks to put a spanner in the works.. instinctevly I'm a driver not looking for trouble. There are those who drive a robin reliant 3 wheeler up a 60 degree hill and then come out with s question such as "why does my robin go backwards".
 

Vrai

Well-Known Member
Credits
2,395
Well I am no guru .I think there are two types of Linux user.To give you a Metaphor there is the car driver who has half a clue on the physics and chemistry of combustion and the other who looks to put a spanner in the works.. instinctevly I'm a driver not looking for trouble. There are those who drive a robin reliant 3 wheeler up a 60 degree hill and then come out with s question such as "why does my robin go backwards".
Unfortunately (or fortunately) - I am of the type who has to put a spanner in everything and figure how it works! :)
 

Condobloke

Well-Known Member
Credits
3,638
@Vrai .....you mean you pull it apart to figure out why its going so good..... ;)
 


Members online


Latest posts

Top