
Oil changes, safety recalls, and software updates - cperciva
http://www.daemonology.net/blog/2017-06-14-oil-changes-safety-recalls-software-patches.html
======
x0x0
I'll admit to putting off applying security patches because my laptop is a
giant repository of state and it's a pita to bring it all back up again.

I have to remember how to start postgres, the erb command to make rails work,
figure out how my upgrade to bash subtly broke virtualenvwrapper, make sure I
didn't accidentally leave anything open in vim in some random window or go
through the whining about vim swap files, and dump/restore all the state
spread through 20+ browser windows, probably 30+ bash instances, and a couple
repls. etc. It's really fucking annoying.

Another thing that ate 3 hours of my life recently: post reboot, zoom.us,
which previously worked flawlessly, no longer works. I of course discover this
as a meeting is starting.

~~~
StavrosK
Do this, and you'll thank me:

[https://www.stavros.io/posts/provisioning-your-computer-
one-...](https://www.stavros.io/posts/provisioning-your-computer-one-command-
awesome/)

~~~
jacquesm
Was that blog post meant to end like that? It looks as if a lot is missing.

The last lines for me read:

"The main script

First, let’s start with the main Ansible script:

~~~yaml This playbook is meant to provision a new computer. Run with: ansible-
playbook -i , provision.yml"

~~~
StavrosK
Oops, no, I recently migrated to a static site generator and some posts broke.
I'll fix it now, thanks Jacques.

EDIT: Phew, fixed, good catch, thanks. There was a triple dash in the article,
which Lektor interpreted as the end of the post :/

~~~
jacquesm
Hehe, one of those painless migrations ;)

At least you found the cause.

~~~
StavrosK
Ugh, tell me about it, it took days :( Thanks again!

------
jacques_chester
Another reason for the resistance is the pain of upgrading.

Anything that requires a reboot, for example, is likely to be held off for a
long time. When people are at the computer, it's because they want to use it
_right now_. They aren't there to watch it reboot a few times.

It's less painful once you scale past single systems. Insofar as you have
distributed systems that tolerate some fraction of their instances
disappearing and reappearing, you can roll an upgrade out across the system
without users having to notice that it's happened. Where I work we do this
very well -- we update and upgrade live production systems for CVEs and
feature adjustments quite frequently without systems running on them being any
the wiser.

Still remaining is the sheer amount of independent dependency tracks into any
given software system. Operating system, multiple language ecosystems,
multiple infrastructure systems ... once you include _development_
dependencies and tools -- and you ought to -- the surface area to watch and
manage goes up sharply.

~~~
barrkel
It's even worse if the machine reboots while you're away; the risk of lost
work is massively increased.

------
jacquesm
The biggest change will not come from getting users to upgrade, it will come
from producing higher quality software in the first place.

~~~
TeMPOraL
Sure, but if we're in dreamland, then I think the second biggest factor will
be making security upgrades invisible to users. If you could ensure that you
can upgrade any part of your OS/application while it's running, without ever
requiring a reboot, then the problem disappears as you can simply stop asking
people when they want a security patch.

In terms of safety, not much good comes from _asking_ people.

(That, or let's just all agree that CVEs are a threat to Internet security,
and have a policy for always displaying a message like "Your device will
reboot in 05:00 in order to install a critical security patch. Please save
your work." and have the users take comfort that it's not just their computer,
but half of the planet is rebooting with them. That solution is game-
theoretically unstable, though.)

~~~
OrwellianChild
Agreed that asking is largely counterproductive when it comes to security
patches (as opposed to feature updates). To satisfy the concerns of folks like
@jacquesm, it might be best to implement a soft form of the hidden update:
Make them opt-out rather than opt-in.

Keeps everyone happy and dramatically improves compliance.

------
rwallace
> counterproductive, in that presenting updates through the same channel tends
> to conflate them in the minds of users, with the result that critical
> security updates instead end up being given the lesser attention more
> appropriately due to a new feature update

Good article, but actually understates the problem. It's not just that
nonsecurity updates are appropriately due _lesser_ attention. It's that they
are appropriately due _negative_ attention. My computer works fine the way it
is. I actively do not want it screwed around with. I make a necessary
exception for security updates. To put anything other than a security update
into that channel is an abuse of trust that was granted for an important
purpose, and trust that is abused is liable to be lost.

------
King-Aaron
While I totally agree with most of the article, it made me grind my teeth at
the frequency the author changes the oil in their car... That poor valvetrain
will be full of gummy carbon deposits. RIP whoever buys the car second-hand.

~~~
miahi
I always wondered how this oil-change scam still continues in the US. Modern
cars with synthetic oils don't need an oil change every 3-4 months or 3000
miles.

I always changed the oil according to the (European or Japanese)
manufacturer's schedule (once a year / every 10-15000km) and had no issues
with the cars (even >10 years old cars).

~~~
alkonaut
Is there a difference though? If you see my other reply to the parent, I
posted the US oil change schedule for a european car. It seems to be in line
with what I experience in europe .

Is it a difference between european and US _made_ cars?

~~~
StavrosK
I know nothing on the matter, but it seems to me that it's a cultural
difference. Americans are just more used to changing the oil often, so oil
companies can sell them more oil even if they don't need it.

~~~
alkonaut
Found this [http://www.autoblog.com/2009/02/24/oil-change-
intervals/](http://www.autoblog.com/2009/02/24/oil-change-intervals/)

"For years the accepted oil change interval (as per carmakers) had been every
3 months or 3000 miles, whichever comes first. And why was that? It was
because oils of yesterday broke down when left in the crankcase environment
for longer than the prescribed interval. The combination of heat, friction,
and the oil oxidizing over time resulted in an unholy clothing of the engine's
internal parts called sludge."

That's an absolutely insane number, and I have never heard of that (I have had
cars for 20 years that always were 10k to 15k km intervals, and simply done on
a yearly or 18 months service).

~~~
bluGill
I have a tractor from 1939. The owners manual states that modern oils are much
better than old oils and as a result practices of years past do not apply. (I
don't recall the exact wording) If you ask collectors today there is a big
debate on if it is safe to use modern detergent oils in those old tractors.

------
baking
I change my oil religiously, but I ignore safety recalls because I hate going
to dealerships.

~~~
upvotinglurker
Yes, the author's assertion that safety recalls "elicit prompt attention"
doesn't reflect my [US] experience. Many people don't take the recalls
seriously or just can't be bothered.

There have been news stories about this too, e.g.
[https://www.theguardian.com/money/2014/dec/17/us-drivers-
str...](https://www.theguardian.com/money/2014/dec/17/us-drivers-struggle-
with-recall-fatigue-driving-dangerous-cars)

------
fivestar
All the items listed in the article are FUD to get you into the dealership so
they can upsell you. Oil changes are necessary but not critical to be done
unless long overdue. Cheaper to do them yourself or find a reliable shop.

Software updates: Is the car running right or is there an issue?

Safety recalls: We're obsessed with the dog-whistle safety, but like anything
else, there are trade-offs. Our Honda got recalled for the airbag inflators
and I waited a few months before eventually taking it in. Result: No one died.
I also have one car that has no airbags at all. I feel fine.

