Saturday, May 3, 2014

The Case Against Automatic Updating Software

After various incidents over the past 2 years, I've reached a point where I now consider "automatic updates" for software as being evil1. As a software engineer, I can understand the attraction of this for critical and genuine security risks (the public safety benefits here I do not dispute). I do however take issue with using automatic updates as a "push mechanism for feature changes"2,3,4, especially when these are inexplicably bundled with important security fixes which cannot be obtained otherwise5.

This classic comic summarises the current situation quite succinctly

Notes for the above:
*1 - This is true for nearly all uses/instances of automatically updating software at the moment
*2 - Microsoft, Google, and Samsung take note! Your records on this are particularly poor!   >-(      (BTW, Windows 8+ and Android 4.4+ both suck. Windows Vista/7 and Android 4.3 however are perfectly great, but appear to have become evolutionary dead ends...)
*3 - Apple: What the heck is going on with IOS 7+   It's a, "upgrade to 7+ and lose most of the good look-n-feel" vs "watch your back - you're gonna get hacked" dichotomy again
*4 - Mozilla: you've been treading a fine line here, and have err'd a few times on the wrong side. Get your act together... there's a reason I use Firefox not Chrome, so stop trying to become Chrome. Gah!
*5 - Sure, I know there's overhead in maintaining multiple dev branches around to facilitate this. Open source certainly helps in this regard by letting users at least have to option of brewing up their own patched versions should the need arise, and the Linux community in general is quite good about maintaining their software so that it works this way. However, Linux and FOSS projects often come with one or two limitations:
        1) it may/may not work well, depending on whether your hardware is "supported" (i.e. whether anyone in the dev team uses your hardware and thus has a good incentive to ensure it works);
        2) this assumes of course that said software is possible for mere mortals to easily compile the software without having to pull down half the internet to get required copies of the dependencies (and recursively build those)  >-( 

So, what is wrong with the current state of automatic updates as implemented by the software industry today:
  1. It is NOT OK that you randomly and silently roll out "updates" which MUST be applied, often at the least convenient of times (especially when they come with "unwanted side effects" as per 3 - 5)
  2. It is NOT OK that said updates are often a mix of important security updates bundled with "trojan un-features" mixed in
  3. It is NOT OK that the majority of the "un-features" don't actually improve/fix the most critical issues in your software/platform which users have had to resort to seeking 3rd party hacks to patch them over into palatable states
  4. It is NOT OK that the "un-features" end up breaking said patches until the patch devs have time to update (which can take at least a month, as they themselves have to firstly get the update pushed to them before they can start work). In the meantime, everyone must suffer through dealing with the vanilla unpatched crap that's just been broken by an unwanted and unexpected workflow breaking update
  5. It is NOT OK to be pushing significant UI changes through auto update channels. This is especially true if said changes equate to the yet more examples of the disgusting "Flat UI" trash in vogue at the moment. (For the record, these are examples of the sorts of "un-features" that you should be avoiding! Just because you left some wunderkind script kiddy still in his diapers and orthodontics code your UI, that doesn't mean you should bow to the aesthetic neuroses driven by what he finds easiest to bash out in an afternoon the day before his caffeine-addled managers demanded it done)
  6. It is NOT OK that your updater probes the network several times a day (sometimes multiple times an hour, *ahem* Google), locks up the computer for several minutes at a time while it consumes 50-90% of RAM (especially when, since previous updates were ultimately disabled to prevent unwanted disruptions and to conserve bandwidth on connections with anemic monthly data caps, *ahem* Microsoft) each time it decides to do such a check, or thrashes the disk whenever it's in the middle of an update
I'm not calling for the complete abandonment of automatic updaters (as yet). But if we don't get our act together and stop committing the above crimes against humanity, then that will be the only possible option. Let's not let it get to that stage.

    No comments:

    Post a Comment