Know Your Convoy: How a Tortoise Can Slow Down Your Panther-Speed Updates
Santosh Pandit
Regulator · Creator of “Hard.Email” · Author of “Cyber Landscape in 2035”
If a panther, an elephant, and a tortoise were to travel as a convoy, what would determine their speed? No, this is not a trick question. You guessed it right – the tortoise is what matters.
The Ambition
Like a panther, I would like my systems to be at the forefront of technology. Forget technology debt, software obsolescence, missing patches, and vulnerabilities. This is how I designed one of my servers:
1) ArchLinux for the server. It is a 'rolling-release' operating system, open source and actively maintained.
2) Nginx-mainline (pronounced EngineX) for the web server. Mainline is the development branch where new features and enhancements are introduced, so it receives updates more frequently than the stable branch, including new features, improvements, and bug fixes.
3) Automatic daily updates. With a daily run, the average delay between a package being released and being installed works out to 12 hours.
Normally, the above design should keep the server at the forefront of technology, right? But the reality was different.
The Problem
Despite the automation, the system did not upgrade itself to the latest mainline version of nginx, 1.27. The reason was simple. One of the open-source modules (headers-more) was hardcoded by its maintainer to depend on nginx version 1.26. ArchLinux's package manager would spot this dependency conflict and not update at all. My convoy had a tortoise disguised as a panther.
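One way to spot such a tortoise before the next update run, as an added example that is not from the original post: the script below parses `pacman -Qi` style output (a constructed sample is embedded, with placeholder package names and versions; it assumes each "Depends On" field fits on one line) and reports every dependency that pins another package to an exact version the repository no longer offers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `pacman -Qi` output; names and versions are
# placeholders. The hypothetical module package pins nginx to one version.
SAMPLE_QI = """\
Name            : nginx-mainline
Version         : 1.26.1-1
Depends On      : pcre2  zlib  openssl  geoip  mailcap

Name            : nginx-mod-headers-more
Version         : 0.37-1
Depends On      : nginx-mainline=1.26.1
"""
# Constructed view of what the repository offers now (cf. `pacman -Si`).
AVAILABLE = {"nginx-mainline": "1.27.0-1", "nginx-mod-headers-more": "0.37-1"}
# pacman dependency syntax: name, optional comparison operator, version.
DEP_RE = re.compile(r"^([^<>=]+)(>=|<=|=|<|>)?(.*)$")

def parse_qi(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each package in `pacman -Qi` output to (dep, operator, version)."""
    pkgs: Dict[str, List[Tuple[str, str, str]]] = {}
    name = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Name":
            name = value
            pkgs[name] = []
        elif sep and key == "Depends On" and name and value != "None":
            for dep in value.split():
                m = DEP_RE.match(dep)
                pkgs[name].append((m.group(1), m.group(2) or "", m.group(3)))
    return pkgs

def strip_pkgrel(version: str) -> str:
    """Drop the Arch pkgrel ("1.27.0-1" -> "1.27.0"); a pin without pkgrel matches pkgver alone."""
    return version.rsplit("-", 1)[0]

def find_tortoises(qi_text: str, available: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (package, dependency, pinned, offered) for each exact pin that no longer matches the repo."""
    blockers = []
    for pkg, deps in parse_qi(qi_text).items():
        for dep, op, ver in deps:
            if op == "=" and dep in available:
                offered = strip_pkgrel(available[dep])
                if strip_pkgrel(ver) != offered:
                    blockers.append((pkg, dep, ver, offered))
    return blockers
```

On a real host, feed it the output of `pacman -Qi` and the versions from `pacman -Si` for the same packages; a non-empty result is a package that will hold back the whole upgrade.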
The Solution
The fix was easy: I got rid of the tortoise (the pinned module) and updated the ArchLinux server, which went through at panther speed!
Moral of the Story
Know your convoy! For that, you should think of the SBoM (Software Bill of Materials).
Santosh Pandit
11 June 2024