I do regular automated updates. For anything requiring human intervention like the xz thing I trust Lemmy and YouTube to keep me updated. No dedicated news source because if I were to freak out about every new vulnerability found I wouldn’t be able to sleep at night.
Why does the xz thing require human intervention?
If you had it on a computer that is accessible via SSH from the internet you should proceed under the assumption that it was compromised. Which means you should reinstall from a safe medium and change your keys and passwords.
I just use
unattended-upgrades
and forget about itSame for the RPM ecosystem: yum-cron and walk away. Been that way for almost 25 years.
Having been involved with OS Security in the middle of my career, I also still watch feeds like I used to; just, different ones, now.
My distribution (archlinux) notifies of critical vulnerabilities that require user action. There’s a news mailing list.
After that I rely on social network (Mastodon mostly) or lemmy for news, as vulnerabilities often get some conversation. Apart from that, software i’m really interested in I also follow through RSS so I get news when they update for their vulnerabilities -that is when the vulnerabilities are not self inflicted as the xz case-.
Mailing list provided by my distro. https://lists.debian.org/debian-security-announce/
you just made me look for my distros security list, I never even thought of that!
Didn’t know this existed. Just subscribed. Thanks
I didn’t really consider that there are feeds for such things, especially for my distro(s). Embarrassing, but it means you helped making me safer!
I’m now subscribed to the Debian security list, seeing as all my servers run Debian. I just had unattended upgrades with Mail logs before.
I actually have automated security updates on all my servers. Also in general i run greenbone at home that does daily scans of all the VLANS/networks I have at home.
You can watch rss feeds to follow all CVEs like Microsoft’s https://api.msrc.microsoft.com/update-guide/rss
NIST used to have an rss feed for CVEs but deprecated it recently. They still have other ways you can follow it though https://nvd.nist.gov/vuln/data-feeds
Or if you just want to follow CVEs for certain applications you can host/subscribe to something like https://www.opencve.io/welcome which allows you to filter CVEs from NIST’s National Vulnerability Database (NVD)