Think software patching is a hassle? You're not alone Underscoring a barrier to remaining secure online, the average Windows PC user has to install a software update every five days from 22 different providers, according to vulnerability tracking service Secunia. The figure is based on the results of more than 2 million users of Secunia's PSI, or Personal Software Inspector, a …
Is package management! Since (Under most distributions) all of your software comes from a fixed set of known sources and gets managed through a single system (The package manager).
Windows needs a unified package manager, where publishers can notify the package manager of latest updates and where to get them from (Security and trust issues aside that is).
This is exactly what Apple does with the App store and all anyone seems to do is bitch and complain about Apple's draconian control over apps. And that's *Apple*, who generally enjoys a favorable reputation amongst most IT enthusiasts*.
I cannot begin to imagine the shit-storm (both literal and figurative) that would accompany Microsoft's announcement that if you want a program for Windows you have to get it through the MS equivalent to the AppStore. I'm sure the EU would just implode given the way they handled the browser ballot deal.
*Or not depending on your particular viewpoint.
Lawks yes - they're exactly the same..
Do you remember that time that Redhat remotely pulled postfix from everyone's PC because they realised it could be used to send emails containing boobs? Or all those times Suse denied publishing apps because the clouds were a certain shape & the leaves in bottom of their tea settled into the shape of a skull..?
No...? hm.
Apple should be more clear and fair with the App Store, but I think you're making it up when you suggest they remove apps from devices remotely. Amazon did it with 1984 (sweet irony!) but I don't remember Apple doing that. (Well not yet, anyway...)
Debian's apt-get and similar package management systems from other linux distros show that you don't need a central app store to have unified package management.
What you need is the ability to subscribe to lots of different app stores, all of which use the same format to communicate with the package management system.
@PhonicUK : I for one would like to agree, but I'm afraid that all the executives (and all the king's men) will get their IP/DRM-brand (TM) knickers up in a bunch about it, before anything useful could be produced of the idea.
It may appear that progress proceeds backwards, in some offices, on some days.
PSI locks the Flash ActiveX file while in use, which means that trying to patch Flash will fail to remove the previous file, which means that next time around PSI will report that a file is still insecure. So currently I downloaded the patches, then close fully, apply them, and reopen the application. If you close the application before the downloads complete then they are kindly terminated immediately. Improvements are most welcome.
If you don't train users, specially on the level of vista joe xp 7 pack, who just click around on anything to get something finally going, to read and to use their own brains,
scamware levels will go skyhigh, offering quicker nicer better more beautiful software patch/upgrade buttons.
And the "Use our software and everything will go automatically" slogan and policy has to be wiped out as soon as possible and the inventors of this BS as well.
"Automatic patching would only make it better"
Yes and no. The problem is so many updates introduce new bugs. Look at the mess that occurred when SP3 was release for Windows XP. Thousands of PCs failed to boot after an Intel/AMD conflict.
Single automated patching will only be trusted if it proves to be properly tested and not used to push out nasties as "security updates" - WGA anyone?
"This is exactly what Apple does with the App store and".....
No it's not. Apple REQUIRES people to get ALL apps through the app store (unless they jailbreak). Even with Linux distros and the package manager, I can set up "extra" repositores with non-mainstream packages, I can install my own packages seperate from the package manager, I can even go around as root and put apps on there by hand.
" all anyone seems to do is bitch and complain about Apple's draconian control over apps. And that's *Apple*, who generally enjoys a favorable reputation amongst most IT enthusiasts*.
They are Draconian. And they don't have a favorable rep amongst the IT enthusiasts I know, they like Apple better than Microsoft but prefer Linux or BSD (pure BSD, not OSX just because it has a BSD kernel).
"I cannot begin to imagine the shit-storm (both literal and figurative) that would accompany Microsoft's announcement that if you want a program for Windows you have to get it through the MS equivalent to the AppStore. "
Yep. But they could have a voluntary centralized update system, and this would not be a bad thing.
are condemned to re-invent it poorly." Henry Spencer.
The person who could write
"The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale."
should not be writing about the software industry.
BTW - Ubuntu type proper package management terrifies WIndows fanbois - it shows then the vast amount of time they have wasted over the years.
...an update is flawed. There's a recent nVidia driver update that causes fans to malfunction, potentially causing PC overheat. Can an automatic update system account for an automatic fallback in the event an update goes cuckoo?
Furthermore, with all these updates, I wonder about the mindset of coders that causes to many updates to occur?
Package management (a la linux) for the win. It keeps all software in a central (secure, virus-free) location and you have complete control over what you install, so it's not compulsory. Security updates are all done in one go. Easy. If I want something not in the repos I can add another repo (the PPA system in Ubuntu for instance) and I'm good. Obviously one must be more cautious with PPAs as there's not quite the same level of trust, but overall it's still better than the windows way of grabbing everything from different websites with even less trust.
One package manager to rule them all.
Only since MS pushed out Windows Genuine Advantage as a "Critical" patch (critical to their future profits perhaps) I think anyone with a Windows box and half a brain will be *very* weary of auto-anything from them.
OTOH an industry wide body which administered and set up such a system might be more palatable. But it *has* to be voluntary to both the users and developers. it will also be a mega target as *one* doctored file of malware will stuff the user base so security had better be good.
Users would (hopefully) get a better patched PC, developers don't have to set up their patch distribution (Adobe Download Manager. WTF is that about).
Funding it would be tricky, hence my title, as it seems like something a trade body should fund by its member subscriptions.
Cautious thumbs up.
The majority of OS X apps are self-updating; no need for a central repository. (The iPhone and iPad GUI has different priorities and requirements, so there's little point wasting bytes arguing about the App Store.)
Ultimately, the problem isn't the endless stream of security patches. It's the willingness of the users to accept the shoddy coding that *causes* these patches to be produced in the first place.
It's the 21st Century, but we still accept EULAs that effectively absolve *all* developers—and no, it's not just Microsoft; the GNU / Linux fanboys are just as guilty—of any consequences of responsibility for their code's actions. If you are unwilling to trust your *own* code to do what you claim it does, why the hell are you even wasting time writing it?
(And yes, it IS fucking possible to write code to a much higher standard of quality. Check out SparkADA sometime. Or do you think Boeing and Airbus aircraft pop up dialogs in mid-flight informing the crew that a new service pack is available for download?)
Quit adding features. Start adding *stability*.
(Oh, and if your users are "randomly clicking" on stuff, as some have suggested, perhaps you could explain why that action is causing harm to their computer? Perhaps some education in the field of user experience and interaction design is advisable. For you.)
I dare say the Boeing software is excellent, but it does come with a $100 dollar dongle, so it's out of my price bracket.
If you want an Office suite that never needs patching, be prepared to pay ten times as much as you currently do for MS Office. If you also want the vendor to give you a legal right to haul them through the courts if you find a bug, don't expect to buy it from a US vendor.
Funnily enough, the trend seems to be in the opposite direction. More and more people are using software that costs them nothing and comes with no guarantees at all, and using their own assessment of its quality to judge the risk of using it, and self-insuring against any damages they might suffer it that assessment is wrong.
On the down side automatic updates package-manager-style can drag in half a ton of unwanted rubbish - recently Google Chrome installed postfix because of a straggling dependency; they can introduce bugs that weren't there before and make a stable system unstable; and they tend to require bandwidth, which isn't always the case on mobile systems.
On the plus side bugs tend to get fixed; and a unified system stops dozens of apps pouncing on the network connection when it's up.
So Microsoft would do well to adopt or initiate a standardized approach to updates - but I'm not holding my breath.
@Apocalypse Later: you might want to give Chromium OS a miss then. Reading the "Partition Resizing" doc suggests that they're seeking to push updates. Speculatively: I'd be surprised if Google didn't go the whole hog with provisioning.
thats the only way you will decide whats the best...
I have used windows since way back in time and have grew to accept its faults and issues. But recently i have decided that its about time i learned a bit more about linux. Mostly because of the rediculous licincing required for a windows based server.
Linux as a server is far superior than a windows server. end of story. forget about cost, because unless you can spend the time and effort to maintain your own servers the costs involved in getting linux server support usually costs more than windows support. and it is for that reason linux will not make it as a replacement desktop client to windows for a long time yet.
As a new user to linux I can really apprecate how easy it is to maintain the system compared to a windows enviroment and if i was to be setting up a new business with its IT infratructure, it would most proberbly be linux all the way. Mainly because of the simplicity of updates and the securing of the desktop enviroment against un-authorised aplications.
still, i keep a windows machine for photoshop.....
It's called dpkg. It's been developed across years of experience, in the Debian Linux distribution, and now, as well as being used in the ongoing releases of Debian Linux and other Debian released operating systems, it's also being used throughout distributions deriving off the Debian design - including Ubuntu, famous at least for its presence on some Dell netbooks.
It's called dpkg, and can be used via such as the famous 'apt-get', the relative newcomer, 'aptitude', and the couple of GTK-bsed and QT-based X-gui package manager applications.
It's called dpkg, and it's a working model for this kind of thing.
There's also RPM. I don't know if RPM's design is quite as far thought-out as that of the dpkg architecture, frankly.
The whitepaper is the classic smoke using math to show nothing "The complexity of the end-user task to keep a system secure is a function of the number of different
patch mechanisms needed, and the frequency of how often updates have to be installed". Ok, guys, besides that being common sense, show me that function exactly, please...
I guess most users buying software have it pretty updated. Those with pirated one may have issues patching it. Unless they find a repository which doesn't control what software they have...
The security patches are only one type of product improvement - some others, more important, being add-on functionality, and bug fixing. In fact, it is a pain to track down any sort of patch, and mid-term one expects a supplier to sell the updated version of its product. Patch cumulation is also one of the main reasons for buying a CD version of a programme.
Regular patches are also a warning, a sign of thin ice.
Software doesn't have to come from the same place to use the same management interface. After all, third-party software connects to "Add/Remove Programs".
Alternatively, software can manage itself.
Haven't there just been a couple of alerts from Secunia whose severity or whole validity is disputed - for Firefox (bug not exist) and for Opera (crash but no hack) - right before they're offering a tool for updates: which both of those products do anyway automatically. As do Java, Adobe Reader, ...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
