I'm currently hosting a series of meetings where we are certifying all of our existing IE 6 and IE 7 based applications for IE 8. Much is broken because of hacks necessary to make these sites work properly in older versions of the browser.
While I'll be the first to say that we apply the IE Cumulative Updates the day after release ... silently ... to every PC in our company, we wouldn't dream of deploying a major browser update without reviewing it.
Anymore, 99% of our applications are browser based. A major browser update (Firefox 2.0 -> 3.0 or IE x.0 to IE x+1.0) can be as impacting as upgrading the operating system silently.
Yes, yes, I know. We standardized on IE, bad us. It wasn't my call :o).
As a practitioner, I find this hard to argue with and somewhat obvious, since the preceding 10 years have largely been about how hard it is to get critical patches adopted in opt-in schemes.
The results are kind of bogus in a lot of cases, though. For Safari, for instance, there are multiple "correct" versions (one for 10.5 users, another for 10.4 users), so uptake of a new version can't be expected to ever reach 100%. Same goes for Firefox, where some users are still using the 2.x branch: they obviously won't get a 3.x update.
Really, Chrome is at an advantage here by only having a single version. Comparing other browsers' update cycles to it is hardly fair.
The title is a little off: security updates boost security, and silent updates boost adoption of updates.
The recent stink with Adblock Plus and NoScript using my browser in their personal snowball fight makes me leery of auto-updates. Making the normative choice the default setting has an okay track record, but I'd like as many eyes as possible helping me keep developers in line with my needs.
As a user, I find this pretty easy to argue with, since the preceding 10 years have largely been about how software companies can't be trusted with silent update capability.
This is a really weak argument, since vendors can undertake the same illicit actions you're averring using opt-in updates. Updates that aren't what they say they are remain a problem regardless of opt-in/opt-out.
Except that the opt-in process enables transparent third party verification. Updates can be tested individually. When an opt-in update misbehaves, word can (and does) spread. It can be avoided.
If a silent update misbehaves, how do we have a chance to -do- anything?
The update was likely applied before we could even open an app to get the news. Should we go online in a VM to verify that it's safe to connect with our preferred OS/software?
The argument is for transparent opt-in updates. It's not for eliminating opt-out. I agree that there should be an opt-out.
The argument about third-party verification is a red herring. I feel somewhat qualified to argue that third parties will "verify" updates no matter how they're disseminated; reversing patches is a bread-and-butter part of security product development.