I just spent a day upgrading the server that hosts this blog. As a one-man team, I pride myself on maintaining a secure setup where automatic updates are installed every night. Even if a restart is required, the services reboot themselves using Docker Swarm’s magic. However, the server was still running Ubuntu 16.04 LTS (Long Term Support), which no longer receives security updates unless you have a Pro subscription. Standard support ended in 2021.

So, what’s the big deal? Did I really need to update now? Probably not. Since support ended, there has been just one Linux kernel issue published, which appears to be abstract in nature and not a high-priority security vulnerability. Nevertheless, it’s better to patch known issues.

So I proceeded with the update, which led to the following issues:

  • To upgrade from 16.04 to the latest 22.04 LTS edition, you must first upgrade to 18.04 and then 20.04.
  • The kernel no longer supports AUFS, formerly the default storage driver used by Docker; overlay2 is now the default.
  • Updating these drivers emptied my local image registry. My remote image repository, also on the same server, became inaccessible due to a broken Nginx proxy, as the services couldn’t start due to the image issues.
  • After manually addressing the Nginx proxy setup and disabling all services except the registry, I was able to download the images again and restart the services.
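
A pre-flight check for the upgrade steps listed above, as an added example (not the author's script): it plans the LTS hops, flags the AUFS storage driver, and saves local images to tar archives so they survive the switch to overlay2 without depending on a registry hosted on the same machine. The release list, the function names and the `--backup` flag are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not the author's script): pre-flight for an LTS upgrade on a Docker host.

LTS_RELEASES="16.04 18.04 20.04 22.04"   # do-release-upgrade moves one LTS at a time

# Print the releases to pass through from $1 to $2, e.g. "18.04 20.04 22.04".
lts_hops() {
    hops=""; seen=0
    if [ "$1" = "$2" ]; then return 0; fi
    for r in $LTS_RELEASES; do
        if [ "$seen" -eq 1 ]; then
            hops="$hops $r"
            if [ "$r" = "$2" ]; then echo $hops; return 0; fi
        fi
        if [ "$r" = "$1" ]; then seen=1; fi
    done
    return 1   # unknown release, or target is older than source
}

# Succeeds when images under this storage driver will not be visible after
# Docker switches to overlay2 (the AUFS case described in the post).
driver_needs_migration() {
    case "$1" in aufs) return 0 ;; *) return 1 ;; esac
}

# Map "repo/name:tag" to a flat file name for the archive.
archive_name() {
    printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# Read image references from stdin and save each one into directory $1,
# skipping dangling "<none>" entries. Returns non-zero if any save fails.
backup_images() {
    rc=0
    while IFS= read -r ref; do
        case "$ref" in ""|*"<none>"*) continue ;; esac
        docker save -o "$1/$(archive_name "$ref")" "$ref" </dev/null || rc=1
    done
    return $rc
}

# Usage: preflight.sh --backup /path/outside/var/lib/docker
if [ "${1:-}" = "--backup" ]; then
    echo "upgrade path: $(lts_hops 16.04 22.04)"
    if driver_needs_migration "$(docker info --format '{{.Driver}}')"; then
        mkdir -p "$2"
        docker image ls --format '{{.Repository}}:{{.Tag}}' | backup_images "$2"
    fi
fi
```

After the final hop, `docker load -i <archive>` restores each image into the new overlay2 store before the services are started.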

All in all, it was a cumbersome process that caused about an hour of downtime for all applications. However, I am pleased to report that the server is now secure on 22.04 until 2027. It’s not just the operating system that needs to be secure; this can also be managed through cloud services.

Software

Take Drupal 7, for example, which remains the most used version of Drupal: see usage statistics.

The Drupal community tries its hardest to transition projects away from this version but still saw the need to continue supporting it with security updates until 2025. I also have a project running on Drupal 7, and upgrading it to Drupal 10 would likely require almost as much effort as creating the project initially. Therefore, I will probably maintain it on Drupal 7 and stay vigilant for publicly published security vulnerabilities.

Overall, there is little incentive to update software and services, especially for projects no longer in active development:

  1. Stable software can become buggy with a major update.
  2. Development costs are high, and the work is often unrewarding for developers.
  3. There’s no immediate benefit to revenue or customer experience.
  4. Most security vulnerabilities don’t apply to specific situations or can be mitigated in other ways.

Conclusion

Be cautious about the data you store and share in software applications. If you’re a stakeholder in higher-risk applications, ask your development team about the versions they run compared to the latest stable versions.

Categories: DevOps
