# People with Older releases



## abhay4589 (Jan 9, 2013)

I don't post into these forums much but I read.
So many people mention, while asking, that they are using End of release versions.
Are there any particular reasons to do so?


----------



## throAU (Jan 9, 2013)

- Laziness
- Fears over software compatibility
- Actual software compatibility issues with proprietary software
- Software that a vendor has only 'certified' for use on version X.Y


----------



## phoenix (Jan 9, 2013)

Not wanting to break something that is working.


----------



## Uniballer (Jan 9, 2013)

I confess that I have a Pentium-100 (i.e. P54C) with 64MB of RAM that will not boot any version of FreeBSD later than 6.4, probably due to BIOS bugs.  The machine still works reliably 24/7, and I have it doing environmental control tasks in a small kennel (heat, ventilation, etc) with no exposure to the Internet.  On the other hand, everything else is at 9.1, and if I need to replace the box I will just run the latest supported version on the newer hardware.


----------



## gkontos (Jan 9, 2013)

phoenix said:
			
		

> Not wanting to break something that is working.



Unfortunately this will always lead to problems. Most of those systems also run outdated software with bugs and vulnerabilities. 

The person who set up the server and the software is long gone. A new person comes in with limited knowledge and he decides to just leave it the way it is. 

All of a sudden we see a post in the forum from someone having a problem with a system that had 700 days uptime.


----------



## SirDice (Jan 9, 2013)

Also, don't forget, a lot of people have a misplaced trust in anything unix. They think that, just because there isn't a lot of malware, they're invulnerable and don't need to update.


----------



## gkontos (Jan 9, 2013)

SirDice said:
			
		

> Also, don't forget, a lot of people have a misplaced trust in anything unix. They think that, just because there isn't a lot of malware, they're invulnerable and don't need to update.



According to an interesting study regarding webserver attacks, it looks like attackers also feel that way.


----------



## abhay4589 (Jan 9, 2013)

I read that paper. Does that mean most attackers will look for "Attractiveness" rather than "Probability" of success?
If I am using older or non-Unix software then "attractiveness" will be more.


----------



## SirDice (Jan 9, 2013)

If my own experience is anything to go by, they're always looking for so-called "low hanging fruit". About 90% of the attacks I see are automated, bots that are looking for known vulnerabilities. About 9% is done by script-kiddies, those are the ones that fire IIS exploits at your Apache server. It's the 1% that's left I'm worried about. Those are the ones that are capable of taking over your server without you noticing it.


----------



## gkontos (Jan 9, 2013)

True, still even that 1% are like vampires in a sense that they would never come in unless you invite them first.

They will carefully enumerate your systems without causing too much noise. In most cases they will find a "legit" point of entrance left by a careless developer or administrator.


----------



## SirDice (Jan 9, 2013)

Moral of the story is, keep your stuff up to date even if you think you will never be a target.


----------



## wblock@ (Jan 9, 2013)

SirDice said:
			
		

> Moral of the story is, keep your stuff up to date even if you think you will never be a target.



I would say that as "You _are_ a target.  Get used to it."


----------



## kpedersen (Jan 9, 2013)

One thing that really annoyed me. (Though this is more Linux specific)
To quote AMD with its older Radeon drivers



> AMD has moved to the AMD Radeon™ HD 4000, AMD Radeon HD 3000, and AMD Radeon HD 2000 Series new driver support model.  These updates will focus on resolving application specific issues and critical updates. The reason for the shift in support policy is *largely due to the fact that the AMD Radeon HD 4000, AMD Radeon HD 3000, and AMD Radeon HD 2000 Series have been optimized to their maximum potential from a performance and feature perspective.*



Now let's say that the drivers really are as good as they can possibly be (which they aren't btw). The issue is that they only work on Linux up to Fedora 15 (with no updates) because of kernel ABI changes.

This kinda gives me the feeling that the developers of the proprietary Catalyst drivers don't actually understand how Linux works. This is ultimately AMD forcing its users to use an old deprecated and insecure version of Linux whilst AMD chant how perfect the drivers are.

EDIT: Oh yeah.. its "new driver support model" means no longer maintained. No updates to support current kernels.


----------



## throAU (Jan 10, 2013)

wblock@ said:
			
		

> I would say that as "You _are_ a target.  Get used to it."



This.

Most exploits these days are not some guy sitting down plotting how to break into your specific network.

They're a canned exploit that is sprayed all over.

If you are vulnerable, and you are exposed, you will eventually be exploited - whether you are "a target" or not.

Your choices are pretty much
- eliminate the vulnerability
- eliminate the exposure (often not possible due to service provision)
- both of the above
- get hacked

I'm keen to see IPv6 properly take off, as scanning for vulnerable hosts to exploit or even just spraying a subnet hoping to hit something is a lot harder.  Sure, you'll still have public services exposed via DNS, but collecting surveillance is going to be a lot more difficult and will require network sniffing.  And even then, due to the randomized IPv6 privacy stuff, it will only be valid for a limited time.




			
kpedersen said:
			
		

> This kinda gives me the feeling that the developers of the proprietary Catalyst drivers don't actually understand how Linux works. This is ultimately AMD forcing its users to use an old deprecated and insecure version of Linux whilst AMD chant how perfect the drivers are.



Alternatively, I would suggest it is the Linux kernel devs not understanding how driver development works in the real world.

If they actually want hardware vendors to start caring and supporting their hardware on Linux, maintaining a stable kernel ABI for some committed period of time would be a start.  How can a hardware vendor budget for Linux driver support when there is a big unknown regarding re-writes to support a moving platform?

Yes this will enable closed source drivers to function more easily.  Do you want drivers or not?


----------



## kpa (Jan 10, 2013)

> If they actually want hardware vendors to start caring and supporting their hardware on Linux, maintaining a stable kernel ABI for some committed period of time would be a start. How can a hardware vendor budget for Linux driver support when there is a big unknown regarding re-writes to support a moving platform?



This is something where FreeBSD should improve as well. As far as I know, for example, the VirtualBox kernel drivers compiled for 9.0-RELEASE are very unlikely to work as they are on 9.1-RELEASE or 9-STABLE.


----------



## qsecofr (Jan 10, 2013)

time & money.
two dichotomous forces of nature few can tame.

addendum to that: not everyone running an EOL version is a highly-skilled FreeBSD sysadmin, but rather doing the best they can.

(no offense, but the word "laziness" kinda irked me a bit)


----------



## sossego (Jan 10, 2013)

abhay4589 said:
			
		

> I don't post into these forums much but I read.
> So many people mention, while asking, that they are using End of release versions.
> Are there any particular reasons to do so?



Others are poor and only have old releases on CDs because that is all they have.


----------



## kpedersen (Jan 10, 2013)

throAU said:
			
		

> Alternatively, I would suggest it is the Linux kernel devs not understanding how driver development works in the real world.



Haha, very good point.

But I guess AMD should have noted that before actually creating the driver, otherwise I would have simply rented out the graphics card for a year if the driver only works for about a year.


----------



## michaelrmgreen (Jan 10, 2013)

I run an older release because iBCS2 is broken on more recent ones. However it isn't a problem, the system isn't connected to the intertubes and the other users are all trusted.


----------



## nekoexmachina (Jan 22, 2013)

- Laziness
- No problems which I want to fix (e.g. no problems at all) with older release on my HW/SW.
- No reason to stay up to date.

That's at home. Server is updated asap.


----------

