Still get "upgrade" suggestion when skip-upgrade-test=yes

[jpasher-lazor]

Version

• Distribution: Ubuntu 22.04
• Lynis version: master

Describe the bug
When setting skip-upgrade-test=yes, it will skip the actual version test, but it will still report the suggestion due to this code:

Line 791 in lynis:

OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
NOW=$(date "+%s")
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
    # Show if release is old, only if we didn't show it with normal update check
    if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
        ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
    fi
    OLD_RELEASE=1
fi

In my opinion, the if statement that wraps ReportSuggestion should take into consideration whether skip-upgrade-test=yes and not show that message if that is the case. I can create a PR if others agree this is desirable.

Expected behavior
I disabled upgrade test, so that means I don't need to see anything related to upgrades.

[mboelen]

That is intended behavior. The first part of Lynis checks if there is actually an update available and as you saw you can disable that part. The second one is a simple "Lynis might be outdated" test. It is merely a suggestion for people to check if there is a newer version available. Up to the user to deal upon that suggestion or accept that a possibly outdated version is being used.

[jpasher-lazor]

If that's the intended behavior, then I can't really argue, but I disagree with that intention. It basically makes it where there's no way to truly ignore the version upgrade test. The fact that you might be running a lynis release that is over four months old is directly related to upgrading (otherwise, why would you care if it's old). If I don't care about upgrading (because I'm managing it in some other way), I wouldn't care about seeing recommendations related to upgrading either.

[mboelen]

It's not a version upgrade test, but a pointer or a hint to the user. The reason for giving this is that there might not be a newer version in the first place available (e.g. if you use Ubuntu and got an older version from the repositories), or because the upgrade check itself failed (e.g. no connectivity). So it is not always because one does not care about upgrading, but typically being unaware about the possibility that there is a newer version. More importantly, to hint users to use a (fairly) recent version.

If we want to allow the user to also skip this "Lynis is possibly outdated" test, then we could consider adding a new option. This way both checks can be disabled.

[wileyhy]

"skip-upgrade-test" is singular, but there are multiple upgrade tests, so that's already vague. Singular can be interpreted as "all" of something, but how are both of these two tests... - one checking for the positive existence of a newer version (which could result in an upgrade action), and... - one that is triggered based on time (which could be a false positive, as perhaps there wouldn't have been any upgrades available, in which case it's something of a fishing expedition)... ...equivalent to all upgrade tests? The first test seems neccesary while the second seems extraneous. From a dualistic sort of perspective, that could equate to "any and all," but that would be "all" plus something additional. The "skip-upgrade-test" option leads the user to expect one option, or oneness among options. There isn't any guarantee that in any (approximately) four month period any project at all would release a newer version, so why give the user any reason to expect a new release? If there weren't a new release within the set time frame, how would that reflect upon the project in terms of... are these people missing their deadlines? ...is this project still active? ...was that security-related suggestion inaccurate? "Lynis might be outdated," "Lynis is possibly outdated," are very different statements from "Check the website or GitHub to see if there is an update available." The first two are non-commital suggestions; the third is written using the imperative (ie, command) verb tense. Why send people on a fishing expedition? If they look on github as they were directed to do, and there aren't any upgrades available, couldn't they begin to wonder about the accuracy of Lynis' instructions to them? Can you tell I've been on this particular fishing expedition a few times myself? ;-) Wiley

…

On Thu, Sep 26, 2024, 10:17 AM Michael Boelen ***@***.***> wrote: It's not a version upgrade test, but a pointer or a hint to the user. The reason for giving this is that there might not be a newer version in the first place available (e.g. if you use Ubuntu and got an older version from the repositories), or because the upgrade check itself failed (e.g. no connectivity). So it is not always because one does not care about upgrading, but typically being unaware about the possibility that there is a newer version. More importantly, to hint users to use a (fairly) recent version. If we want to allow the user to also skip this "Lynis is possibly outdated" test, then we could consider adding a new option. This way both checks can be disabled. — Reply to this email directly, view it on GitHub <#1538 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUF2F22XIELDNHWFZ3DYJ23ZYQ6S3AVCNFSM6AAAAABNNBJN2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNZXGUYTGMRSGI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>