@scottalanmiller said in What do you think, did we do this right?:
Can you ever hide the bad stuff from the bad guys? Bad guys will just run the product and get any announcement that is sent out no matter what. That's a given. But the most important thing is letting good admins know what to do, bad admins that don't update - that's their decision and risk.
Well, not fully of course, it is all open source. But the barrier to getting at the problem is a fair bit higher when there are hundreds of changes and some might or might not have a security impact vs you have 5 changes and you KNOW they impact security. It won't stop the NSA but might stop a script kiddie and at least give people more time to update.
I'm not saying it is a magic bullet, but it is widely considered security best practice to do it this way
Anyway, I'm hoping for automated minor updates to solve this in a more elegant way. We've decreased the target on the back of Nextcloud users significantly with our security scan - only 3% outdated systems is a quite small thing to put time and effort in if you're looking to do something like ransomware.