Not installing security updates isn’t really a viable strategy these days. Even waiting a few days to see whether other people have trouble with the update is problematic when a zero-day exploit might be available.
It’s a bit like playing Russian Roulette in a room full of people who feel their job is to point their guns at you until you pull the trigger.
Obviously this goes wrong once in a while. The recent Samba 3.0.23 update broke access from Windows and Mac machines on my Fedora Core 4 system, but some people with Fedora Core 5 are reporting that all logins to their systems are disabled.
After a bit of searching around and trying various things, I found that in my case I could bring my system back to life by “upgrading” to an older version of the four packages in question.
There is some indication that version 3.0.23a will be out real soon now… but that doesn’t really make me feel completely happy. Nor does the realisation that my FC4 system will officially be “legacy” next week and I’ll need an upgrade to at least FC5 to stay within my “properly supported” comfort zone.
This kind of thing does seem to happen more often with Fedora, and anecdotally seems to be related to their strategy of pulling in new releases rather than back-porting security fixes. Moving to a more “enterprise” style system for the places where I need stability rather than the latest features is probably the right answer for me; once RHEL 5 is out I will probably take a close look at it and the equivalent CentOS release.
[Update 20060729: the 3.0.23a release doesn’t fix the problem, at least for me.]