Introduction
Keeping software up-to-date is the single most important thing you can do to mitigate cybersecurity threats. New exploits are being discovered every day, so you want to make sure you get security patches as soon as possible.
Windows
Nobody likes updating Windows because updates can be intrusive and often require a restart. Users, given the choice, will delay updates as long as possible to avoid disruption. This is not acceptable.
The best solution is to force updates via enterprise policy. We don't have Active Directory or anything like that, but the same effect can be achieved with HotcakeX's Harden System Security app, which includes update enforcement even in its 1-star configuration. The policy tells the machine to download and apply updates automatically and requires the user to reboot within a set period of time.
The next best solution that I know of is to manually log into each machine and update it yourself. Don't recommend.
For non-OS updates, encourage users to install software via winget rather than downloading .exe files, and install romanitho.winget-autoupdate, which checks for updates on each boot.
Project Bluefin
This is the recommended OS because it updates itself. Updates are automatic, can be rolled back, and apply live (thanks, bootc!). Brew- and Flatpak-installed software also updates itself. You literally don't need to do anything.
NixOS
If wsnorth is still running NixOS, updates are a little more complicated. wsnorth's configuration is stored on a flake at github:stjohnsucc/flake. She has a GitHub Action set up to automatically update the flake.lock, and a notification will be sent to the main Google Workspace inbox whenever the action is run. Merge the pull request. On wsnorth,
cd /etc/nixos
git pull
sudo nixos-rebuild switch
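The three steps above, wrapped in a script with two guardrails: it refuses to proceed if /etc/nixos has uncommitted local edits, and it only accepts a fast-forward pull so the machine ends up on exactly the commit that was reviewed in the pull request. This is an added example, not part of the original runbook; the repo path argument and the "dry-run" mode (which skips nixos-rebuild so the logic can be exercised off-box) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: apply the merged flake update on wsnorth safely.
# apply_flake_update <repo_dir> [dry-run]
#   returns 0 after rebuilding (or after printing the plan in dry-run mode),
#   returns 2 when the checkout was already up to date,
#   returns 1 on a dirty working tree or a non-fast-forward pull.
set -euo pipefail

apply_flake_update() {
    local repo="$1" mode="${2:-apply}"   # "dry-run" is an assumed flag
    # A dirty tree means someone edited the config by hand; stop and ask.
    if [ -n "$(git -C "$repo" status --porcelain)" ]; then
        echo "refusing: uncommitted changes in $repo" >&2
        return 1
    fi
    local before after
    before=$(git -C "$repo" rev-parse HEAD)
    # --ff-only guarantees local history matches the reviewed PR merge.
    if ! git -C "$repo" pull --ff-only --quiet; then
        echo "refusing: pull would not be a fast-forward" >&2
        return 1
    fi
    after=$(git -C "$repo" rev-parse HEAD)
    if [ "$before" = "$after" ]; then
        echo "already up to date at $after"
        return 2
    fi
    # Show which inputs moved so the change is visible in the shell history/log.
    git -C "$repo" diff --stat "$before" "$after" -- flake.lock
    if [ "$mode" = "dry-run" ]; then
        echo "dry-run: would run 'sudo nixos-rebuild switch' in $repo"
        return 0
    fi
    sudo nixos-rebuild switch
}
```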