
Stallman is almost always right but nothing he says is particularly surprising or useful.

Yes, auto updates allow delivery of malware, but it's not like manual updating was any better. No user was auditing changes before hitting the update.



Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

Microsoft went in hard / aggressively and are forcing update installs and restarts, which IMO is going the wrong direction.

Wasn't there a Linux project where they could update the OS / kernel without a restart? I feel like this is what all OSes should aim for. I like to think Android is going in one direction, moving shared libraries (Play Services) outside of the core OS so it can be updated independently.


> Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

...or because it doesn't justify its right to be there. As a user, the updates mean to me a high probability of getting more bloated, less usable app with important functionality moved or missing. The security implications are abstract. The usability impact is real.


> Wasn't there a Linux project where they could update the OS / kernel without a restart?

Ubuntu? Last time I updated, they asked me if I wanted to start using Livepatch, so it seems pretty integrated: https://ubuntu.com/security/livepatch

(though I'm horrible at noticing the critical battery warnings so I get frequent reboots for free – but that method wouldn't work on Windows which installs updates on shutdown!)


Windows is in an even worse position because of NTFS file locking shenanigans. A lot of the time you can't even update the userspace without rebooting.


> update the OS / kernel without a restart

https://wiki.archlinux.org/index.php/Kernel_live_patching


But if you were slow updating you could avoid a malware once it was known.


Also if you were slow updating, you could avoid critical security patches (and many people did)


Which affect the OS mostly and not individual apps. Funnily enough OS updates are usually not automatic. Which I think is a good thing because vendors keep mixing them with "feature updates" which end up making things worse (looking at you Samsung).

I'd love for Google to take away the security update channel from the phone vendors and auto-update ONLY security-related things through that.


So what happens if you are on an old version, a security issue is discovered, but they only fix it in the new version?


Yeah, and missing security updates was WAY more common; autoupdates are the lesser of the two evils by far ...


Who will detect the malware if we are all slow to update?


The early adopters. There are always people that will weigh that risk of latest & greatest vs buggy differently; it should be a choice. Especially for apps that don't have a beta testing or early bird channel.



