2024-03-30

Yeah, my company had been putting off the update to openssl 1.0.2 because updating openssl is a giant PITA. But we finally did, because people were whining about TLS 1.2 and/or diffie-hellman ephemeral / perfect forward security... And then a month later, heartbleed. Which wasn't in openssl 1.0.0. (Or maybe heartbleed was in 1.0.0 and we were on 0.9.8; I dunno, OpenSSL was terrible at making updates that would fix the security bit and break everything else.) Thanks a lot. We didn't switch to libressl, too much work, not enough gain. But we did switch to running TLS in a separate, locked-down process from our webserver, so if there was a future issue with, like, read/write filesystem access, it wouldn't be able to do anything.

All that said, while clearly some of the "let's update this dependency" messages were suspicious, there's at least one that seems like a normal "update all the things" guy with bad timing.

Keeping everything up to date is a treadmill, and there's usually not a lot of benefit. It doesn't take much more work to audit a quarter's worth of updates than a year's worth, and most software doesn't turn into a pumpkin in the meantime. The only issue is that when there's an actually important fix, you've got to figure out how it applies to the version you're running if you're running something out of date.