karlchen wrote: Sun Jun 27, 2021 12:50 pm
Please, convince me that and why what I am doing is dangerous. Explain to me, please, what precisely is dangerous. Give me examples perhaps.
Why should I assume that using this LM 18.1 in June 2021, 2 months after the end of its supported life, for e-mailing with Thunderbird 78.11.0 and surfing the web with Firefox 89.0.2 were more dangerous
than doing the same things with LM 19.3 e.g., using the same Thunderbird and Firefox versions?
I am sceptical.
Convince me, please.
Let's see...how about...
lsof -P -p "$(pgrep -d, firefox)" | grep '\.so' | awk '{print $9}' | grep -v firefox | less
126 libraries loaded in total...which are not pre-included with the "latest shiny firefox tar.gz" from Mozilla.
Latest or not latest Firefox...it loads unsupported versions of libraries, as in:
you're not actually doing the exact 'same things' if we really want to be pedantic...
(and from a quick glance, i can very quickly see libxml, libpng, zlib, pcre, freetype...
ie. relatively usual suspects with a pretty colorful history record of CVEs).
Now, if someone wanted to (supposedly) be 100% certain that firefox doesn't load unmaintained & potentially vulnerable code,
he/she would have to upgrade the following...
lsof -P -p "$(pgrep -d, firefox)" | grep '\.so' | awk '{print $9}' | grep -v firefox | xargs dpkg -S | awk '{print $1}' | cut -d: -f1 | sort -u
That is, 105 packages in total...
...ie. the end-user is free to dig through the net to see which ones of those 105 packages
received updates to resolve possible remote execution issues during those latest 2 months.
It might very well be absolutely none. I don't doubt that at all -
but i certainly didn't bother checking them one by one...
However, it's also not Firefox-specific: the end-user should furthermore rinse & repeat the above,
for other common & daily used software as well: eg. thunderbird, soffice, vlc, the image viewer, the pdf reader etc.
Basically, for every software which receives / parses data from random online sources out there one way or another
(movies from torrent sites, photos, e-books, you name it)...
Someone doesn't really have to worry much for eg. libobscure.so or libyeahwhatever.so, fair enough.
You do have to worry though for eg. libheif, libmatroska, libpng, poppler...
So as not to sound like an alarmist / scaremonger,
i do currently type this from a partition with Mint 18.3, FF 89 & linux-5.10-oem...
It's not my main playground though currently - or better said, at this point in time, i keep it around exactly as a playground.
PS: At the risk of sounding paternalistic
(not referring to Karl here, he more than obviously knows very damn well what to do, how & when),
when eg.
Clem says that people should keep their systems updated in a relatively reasonable timeframe,
no, most likely he did not get hired by Microsoft, secretly get in cahoots with Gates,
relocate to Redmond or something, and decide to 'force updates' onto people.
Far more likely that he just doesn't want people to have to deal with all of the above,
manually digging / monkey-patching and what not, or worse yet, possibly get into more awkward situations (the 'who knows' part).
See Pjotr's advice above as well: if it's your main system, your actual workplace (and not just a 'playground'),
keep it simple, and use something properly supported instead...