undefined | Better HN

0 pointsAQXt5y ago0 comments

...which happens all the time in the free software world, when you type `apt-get|yum|brew update`.

What are the odds of one dependency being taken over by a shady anonymous entity?

0 comments

8 comments · 3 top-level

Snarwin5y ago· 4 in thread

The fact that you have to manually type in `apt-get update` (or similar) means it's not automatic. You have full control over when the update takes place, and which packages get updated.

spiffytech5y ago

When discussing software updates, I feel like folks on HN commonly overestimate how much impact opportunity for controlling updates has. I haven't seen someone in my social/professional circles ever hesitate before applying an apt-get update. Nobody I've known checks changelogs (except developers checking on direct dependencies), nobody reads the patches for the updates to verify nothing malicious slipped in. "There's an update, I'd better apply it, unless it smells like a breaking change."

So in practical terms, my experience is that vanishingly few people will behave differently than an auto-update system would behave, except in rare occasions like a malicious update making the headlines. We definitely need a solution for rejecting malicious updates, but I feel backing away from auto updates throws the baby out with the bathwater and would be a net-negative change for the industry and for users.

acdha5y ago

There are exceptions but I think that’s true in the same way people tell their doctor they eat well, exercise daily, and go to sleep on time every night — aspirational, almost certainly discounting the times it doesn’t happen as exceptions and ignoring the actual frequency. The most I’ve seen people consistently do is delay a little in case an update is pulled, and statistically nobody does the kind of analysis that you’d need to catch an unadvertised change.

traviscj5y ago

There's also the occasional _necessity_ for making a breaking change, in particular _breaking some exploit_ and thereby making the software more secure.

I don't envy Chrome leadership's decision or having that problem to solve.

shawnz5y ago

I don't think the question is about control but rather whether automatic updates, when intentionally activated by the user, contribute more positively to the system's security than negatively.

Without automatic updates, you might be more inclined to put off a patch which turns out to be urgent. Or you might be more likely to lose track of which patches have been applied across your various systems.

mad1825y ago· 1 in thread

Packages in the default repos for some large Linux distro are usually reviewed and tested by many people until they make it into updates for current stable version, so while it's probably not entirely impossible for some malicious code to get in, it seems pretty unlikely. Unlike browser extensions, where the current owner can upload anything they want and it's pushed to the users without them even knowing.

AQXtOP5y ago

How about `npm`, `pip`, `cpan`?...

We have seen bad updates breaking the entire Javascript ecosystem, but they were not intentional.

All it takes to inject a bad dependency is a burned out developer willing to delegate his free project to someone else...

SiteRelEnby5y ago

It's more the chance of an unexpected breaking change. When you use a package manager, you're expecting stuff to change (and get to review what's changing).

Upgrading manually regularly: Good idea.

Having a cronjob to do it automatically without user intervention: Bad idea.

j / k navigate · click thread line to collapse