On Wed, 9 Jan 2019 at 20:45, Töma Gavrichenkov <ximaera@gmail.com> wrote:
> Nope, this is a misunderstanding. One has to *check* for advisories at least once or twice a week and only update (and reboot if necessary) if there *is* a vulnerability.
I think this contains some assumptions:

1. Discovering security issues in network devices is expensive (and thus only those you glean from vendor notices realistically exist).
2. The downside of being affected by a network device security issue is expensive.

I'm very skeptical that either is true. I think it's very cheap to find security issues in network devices, particularly DoS issues. And I don't think the downside is expensive; maybe it's a bad 4h and a lot of angry customers, but ultimately not that expensive.

I think a lot of this is self-organising with delay around rules and justifications no one understands, and we're not upgrading often because it's not (currently) a sensible approach.

--
++ytti