"To this day all I ever run are Live systems, because the operating system “just works” out of the box without any installation or configuration on my side, and every time I reboot the machine I have a “factory new”, known-good state."
https://itsfoss.com/appimage-interview/
For daemons and apps, regular apt/yum update will work, of course, until the next reboot, when you need to reinstall all updates.
For the kernel, the only option is livepatch.
In practice, however, I suspect the answer is: you don't. "We're defaced? Oh, we just reboot and we're no longer defaced!"
And granted that any possible instability may usually be caused only by updates, I don't think it's a viable solution at all.
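As an added illustration of the persistence point above (example code written here, not from the thread, the interviewee, or AppImage): a small POSIX sh check that tells, from a /proc/mounts-style listing, whether "/" is a live-system overlay (so apt/yum changes vanish on reboot) or a real block device, plus a look at /sys/kernel/livepatch to see which live patches the running kernel has loaded. The mount listings and the fake sysfs tree (patch name "livepatch_demo") are constructed sample data, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Classify the root filesystem from a /proc/mounts-style file and inspect
# the livepatch sysfs tree. Pass real paths ("/proc/mounts", "/sys") to
# check the running machine; the constructed samples below run offline.

# root_fs_type MOUNTS_FILE -> prints the fstype of the "/" mount.
# /proc/mounts fields: device mountpoint fstype options dump pass
root_fs_type() {
    awk '$2 == "/" { print $3; exit }' "$1"
}

# updates_persist MOUNTS_FILE -> prints "yes" or "no".
# Live media typically mount "/" as overlay/aufs over a squashfs with a
# tmpfs upper layer, so package updates only live until the next reboot.
updates_persist() {
    case "$(root_fs_type "$1")" in
        overlay|overlayfs|aufs|tmpfs|squashfs) echo no ;;
        *)                                     echo yes ;;
    esac
}

# loaded_livepatches SYSFS_ROOT -> prints "<patch> <enabled>" per loaded
# live patch, reading SYSFS_ROOT/kernel/livepatch/<patch>/enabled.
loaded_livepatches() {
    d="$1/kernel/livepatch"
    [ -d "$d" ] || { echo "livepatch not supported by this kernel"; return 0; }
    for p in "$d"/*/; do
        [ -d "$p" ] || continue
        printf '%s %s\n' "$(basename "$p")" "$(cat "$p/enabled")"
    done
}

# --- constructed sample data (not real system output) ---
LIVE_MOUNTS=$(mktemp)
cat > "$LIVE_MOUNTS" <<'EOF'
/cow / overlay rw,noatime,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
EOF

INSTALLED_MOUNTS=$(mktemp)
cat > "$INSTALLED_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
EOF

# Fake sysfs tree with one enabled live patch (name is hypothetical).
FAKE_SYSFS=$(mktemp -d)
mkdir -p "$FAKE_SYSFS/kernel/livepatch/livepatch_demo"
echo 1 > "$FAKE_SYSFS/kernel/livepatch/livepatch_demo/enabled"

for m in "$LIVE_MOUNTS" "$INSTALLED_MOUNTS"; do
    printf 'root fs=%s -> updates persist across reboot: %s\n' \
        "$(root_fs_type "$m")" "$(updates_persist "$m")"
done
loaded_livepatches "$FAKE_SYSFS"
```

On a real box run `updates_persist /proc/mounts` and `loaded_livepatches /sys`; an empty livepatch listing on a live system means the kernel is exactly as old as the ISO it booted from.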
@kravietz I'm not saying a properly installed system completely prevents this (nothing is perfectly secure), but surely regular security patching majorly reduces the attack surface?
Absolutely, web browsers are one of the most complex and most frequently patched pieces of software out there. Some of the recent CPU attacks (Meltdown/Spectre) can be exploited through browsers specifically and were mitigated at the kernel level. They can be exploited in a targeted manner (email) or passively (watering hole attacks).
@kravietz
> "We're defaced? Oh we just reboot and we're no longer defaced!"
I don't think he's talking about servers. He's talking about a desktop system, in which case there are much more serious potential consequences to getting pwned than your website being defaced (e.g. bad actors getting your banking/crypto passwords).