How to have a boring and low-maintenance system?
-
Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts
This is such a weird take given that 99.9% of people here are just running this on their home servers which aren't dictated by a SLA.
But also as these items are based on Fedora Silverblue, you can just use the
--apply-liveflag when updating to not have to reboot for anything but the kernel as usual.That is very fair!!
But on the other hand, 99.9% of users don't read all of the change notes for their packages and don't have notifications for CVEs. In that case, in my opinion just doing updates as they come would be easier and safer.
-
You simply don't do any maintenance whatsoever.
t. Got a arch linux install that I (rarely) perform "sudo pacman -Syu --noconfirm" and it works like a champ.
Same with fedora. Just run the upgrade once in a while and it work.
-
Those who don't have the time or appetite to tweak/modify/troubleshoot their computers: What is your setup for a reliable and low-maintenance system?
Context:
I switched to Linux a couple of years ago (Debian 11/12). It took me a little while to learn new software and get things set up how I wanted, which I did and was fine.
I've had to replace my laptop though and install a distro (Fedora 41) with a newer kernel to make it work but even so, have had to fix a number of issues. This has also coincided with me having a lot less free time and being less interested in crafting my system and more interested in using it efficiently for tasks and creativity. I believe Debian 13 will have a new enough kernel to support my hardware out of the box and although it will still be a hassle for me to reinstall my OS again, I like the idea of getting it over with, starting again with something thoroughly tested and then not having to touch anything for a couple of years. I don't need the latest software at all times.
I know there are others here who have similar priorities, whether due to time constraints, age etc.
Do you have any other recommendations?
- yet another vote for Debian Stable
- second the comment on: if you need a newer kernel for hardware reasons, use backports
- Xfce
- stick to flatpaks when dealing with wanting to try out a new program (if you like it, then make the decision to use apt or not)
- don’t confuse “hasn’t been updated” with “hasn’t needed to be updated”
-
I've been running Manjaro for the last 4 months and it's been incredibly reliable and smooth. I haven't done any serious tweaking beyond installing a realtime audio kernal. I run updates every few days and I haven't had a single issue so far.
Are you using the liquorix kernel?
I can only see one downvote and four upvotes from here - I think you're good!
-
Comparing a PC maintenance to leaving the keys outside the front door is too dramatic, to not say the least...
...unless you work at NASA and/or your PC is holding something too valuable/sensitive/high-priority for others to want to hack it "that badly" -- which I (highly) doubt it.
No it is
https://www.pandasecurity.com/en/mediacenter/consequences-not-applying-patches/
And:
You're allowing for more attack vectors that would not be there if the system were to be patched. Depending on the severity of the vulnerability, this can result in something like crashes or something as bad as remote code execution, which means attackers can essentially do whatever they want with the pwned machine, such as dropping malware and such. If you wanna try this in action, just spin up a old EOL Windows machine and throw a bunch of metasploit payloads at it and see what you can get.
While nothing sensitive may be going to or on the machine (which may seem to be the case but rarely is the case), this acts as an initial foothold in your environment and can be used as a jumpbox of sorts for the attacker to enumerate the rest of your network.
And:
Not having vulnerability fixes that are already public. Once a patch/update is released, it inherently exposes to a wider audience that a vulnerability exists (assuming we’re only talking about security updates). That then sets a target on all devices running that software that they are vulnerable until updated.
There’s a reason after windows Patch Tuesday there is Exploit Wednesday.
Yes, a computer with vulnerabilities can allow access to others on the network. That’s what it means to step through a network. If computer A is compromised, computer B doesn’t know that so it will still have the same permissions as pre-compromise. If computer A was allowed admin access to computer B, now there are 2 compromised computers.
-
No it is
https://www.pandasecurity.com/en/mediacenter/consequences-not-applying-patches/
And:
You're allowing for more attack vectors that would not be there if the system were to be patched. Depending on the severity of the vulnerability, this can result in something like crashes or something as bad as remote code execution, which means attackers can essentially do whatever they want with the pwned machine, such as dropping malware and such. If you wanna try this in action, just spin up a old EOL Windows machine and throw a bunch of metasploit payloads at it and see what you can get.
While nothing sensitive may be going to or on the machine (which may seem to be the case but rarely is the case), this acts as an initial foothold in your environment and can be used as a jumpbox of sorts for the attacker to enumerate the rest of your network.
And:
Not having vulnerability fixes that are already public. Once a patch/update is released, it inherently exposes to a wider audience that a vulnerability exists (assuming we’re only talking about security updates). That then sets a target on all devices running that software that they are vulnerable until updated.
There’s a reason after windows Patch Tuesday there is Exploit Wednesday.
Yes, a computer with vulnerabilities can allow access to others on the network. That’s what it means to step through a network. If computer A is compromised, computer B doesn’t know that so it will still have the same permissions as pre-compromise. If computer A was allowed admin access to computer B, now there are 2 compromised computers.
Nice cherry picking/moving the goalpost, but that is not how refuting works. A PC at NASA has a much higher "threat level" than my Orange pi zero 3, just chilling on the background. Which means, a potential "security hole" may prove harmful for these pcs... but it'll definitely not hurt me in the slightest.
And before you parrot with other links and/or excuses... yes, I'm not negating their existence. I'm just saying they are there... but, well... "who cares"? If anything, its much faster to set up my distro back up "just like never happened before" than performing any "maintenance" whatsoever. Again, "Common sense antivirus" reigns supreme here -- know what you are doing, and none of these things will matter.
-
I had problems with waking from sleep/hibernate
what graphics do you have? Don't expect that to go away with nvidia. no such issues on AMD though, intel should be fine though
Intel Arc integrated graphics.
-
The problem is when it comes time for a major version upgrade. Debian 12.10.0 to 12.11.0 probably won't be a big deal. But upgrading from Debian 11 to 12 was a pain. Debian 12 to 13 will probably be a pain as well.
In what way? I haven't upgraded between major releases on Debian before.
-
In what way? I haven't upgraded between major releases on Debian before.
Here's the official documentation for upgrading from Debian 11 to 12. The TL;DR is that it takes 8 chapters to describe the process.
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.html
-
I've been daily driving it on my desktop and laptop for several months now, seems fine. But I don't need the bleeding edge either.
But that's not what the comment was about... The top level comment said Debian was hard to upgrade, and I have not had that experience.
Specifically upgrading major versions. See the official documentation for upgrading Debian 11 to 12. It's far more involved than minor version upgrades.
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.html
-
No it is
https://www.pandasecurity.com/en/mediacenter/consequences-not-applying-patches/
And:
You're allowing for more attack vectors that would not be there if the system were to be patched. Depending on the severity of the vulnerability, this can result in something like crashes or something as bad as remote code execution, which means attackers can essentially do whatever they want with the pwned machine, such as dropping malware and such. If you wanna try this in action, just spin up a old EOL Windows machine and throw a bunch of metasploit payloads at it and see what you can get.
While nothing sensitive may be going to or on the machine (which may seem to be the case but rarely is the case), this acts as an initial foothold in your environment and can be used as a jumpbox of sorts for the attacker to enumerate the rest of your network.
And:
Not having vulnerability fixes that are already public. Once a patch/update is released, it inherently exposes to a wider audience that a vulnerability exists (assuming we’re only talking about security updates). That then sets a target on all devices running that software that they are vulnerable until updated.
There’s a reason after windows Patch Tuesday there is Exploit Wednesday.
Yes, a computer with vulnerabilities can allow access to others on the network. That’s what it means to step through a network. If computer A is compromised, computer B doesn’t know that so it will still have the same permissions as pre-compromise. If computer A was allowed admin access to computer B, now there are 2 compromised computers.
Depends on the environment surrounding the door, as well as the environment surrounding the computer.
Some people simply care less about their computer security. The debate stops there. Security operates on a foundation of what you want to secure.
By comparing two environments of someone's life you know little about, you are commenting from ignorance.
-
Desktop:
- Aurora or Bluefin
Server:
- uCore
Zero maintenance for any of them.
Yeah, sure. I was running Bluefin-DX. One day image maintainers decided to replace something and things break.
UBlue is an amazing project. Team is trying hard but it's definitely not zero mainainace. I fear they are chasing so many UBlue flavours, recently an LTS one based on CoreOS, spreading thin. -
Get a big mainstream distro and stop tinkering with it.
Such a bad comment, what does tinkering mean? Not use any software besides the default one? So only browsing and text apps? facepalm
-
Comparing a PC maintenance to leaving the keys outside the front door is too dramatic, to not say the least...
...unless you work at NASA and/or your PC is holding something too valuable/sensitive/high-priority for others to want to hack it "that badly" -- which I (highly) doubt it.
Wait your previous comment was not sarcastic?
-
Desktop:
- Aurora or Bluefin
Server:
- uCore
Zero maintenance for any of them.
Running exotic niche server images out in the wild...
-
Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts
This is such a weird take given that 99.9% of people here are just running this on their home servers which aren't dictated by a SLA.
But also as these items are based on Fedora Silverblue, you can just use the
--apply-liveflag when updating to not have to reboot for anything but the kernel as usual.So why would somebody run that on their homeserver compared to tried and true staples with tons of documentation?
-
Nice cherry picking/moving the goalpost, but that is not how refuting works. A PC at NASA has a much higher "threat level" than my Orange pi zero 3, just chilling on the background. Which means, a potential "security hole" may prove harmful for these pcs... but it'll definitely not hurt me in the slightest.
And before you parrot with other links and/or excuses... yes, I'm not negating their existence. I'm just saying they are there... but, well... "who cares"? If anything, its much faster to set up my distro back up "just like never happened before" than performing any "maintenance" whatsoever. Again, "Common sense antivirus" reigns supreme here -- know what you are doing, and none of these things will matter.
The problem that I tried to highlight with my "cherry picking" is:
- Running a machine with open vulnerabilities for which patches exist also "paints a target on your back": even if your data is worthless, you are essentially offering free cloud compute.
- But mostly, a single compromised machine can be an entrypoint towards your entire home network.
So unless you have separated this Orange Pi into its own VLAN or done some other advanced router magic, the Orange Pi can reach, and thus more easily attack all your other devices on the network.
Unless you treat your entire home network as untrusted and have everything shut off on the computers where you do keep private data, the Orange Pi will still be a security risk to your entire home network, regardless of what can be found on the little machine itself.
-
Yeah, sure. I was running Bluefin-DX. One day image maintainers decided to replace something and things break.
UBlue is an amazing project. Team is trying hard but it's definitely not zero mainainace. I fear they are chasing so many UBlue flavours, recently an LTS one based on CoreOS, spreading thin.
I've been running Aurora and uCore for over a year and have yet to do any maintenance. -
Running exotic niche server images out in the wild...
It's just Fedora CoreOS with some QoL packages added at build time. Not niche at all.
-
Depends on the environment surrounding the door, as well as the environment surrounding the computer.
Some people simply care less about their computer security. The debate stops there. Security operates on a foundation of what you want to secure.
By comparing two environments of someone's life you know little about, you are commenting from ignorance.
If they don't keep any private data on any computer that trusts their home network/wifi and don't do taxes or banking on those, there's no problem.
But if they do, I maintain that the analogy is correct: their unpatched machine is an easy way to digitally get access to their home, just like an unlocked door is to a physical home.
