The author is staggeringly ignorant about Android updates. It is true that you can do over the air updates, but that of course is only possible if the handset manufacturer actually releases updates. And in the US (one of the larger markets) there are all sorts of carrier complications too.
Many manufacturers haven't quite got over their liking of tethering to a computer to apply software and updates. For example Samsung has Kies (although you can often do OTA too). For one of my phones (HTC/Tmobile G2), there is an update available but it can only be installed over a cable from a Windows computer and completely wipes your device in the process. (I used CM instead.)
The real problem that has to be addressed for his contention about automatic updates is economic. Things that are sold have the payment upfront (eg operating systems, phones). There is usually no economic reason to have updates. The reason why they are done is to avoid losing customers, or because of (possible) harm to the vendor and their partners. At the moment this is a strong effect on operating systems, while almost non-existent on Android handsets.
The purpose of the article was to focus on why auto updating is beneficial from a security standpoint. I'm assuming the end user doesn't want their device compromised. They want security baked in.
I also agree that automatic updates don't make sense from an economic standpoint. But, users assume applications are secure when they purchase. It is up to the manufacturer or the developer to make sure the users of their applications and devices aren't being compromised because of their mistakes.
> I'm assuming the end user doesn't want their device compromised.
It is far more complex than that. How many users have no lock screen, weak passwords, use old versions of operating systems, let others play with their devices, share accounts etc?
What a user wants is for their devices to perform a job such as communication and entertainment. It gets very confusing for technical folk who then fail to distinguish between goals and tasks. (The software we write is focussed on tasks.) Here is an excellent article on the distinction: http://www.drdobbs.com/goal-directed-software-design/1844099...
"security" as such is not a goal - it is more an annoyance. It is why you have to have a lock screen (which gets in the way of the goals), "strong" passwords, and worry about compromise. Performing maintenance (which is what updates are about) is also not helping the goals - it is actually more work that also gets in the way of the goals.
A good way of looking at security is not as a binary on/off thing, but rather as an expense for someone who wants "your stuff". Does it cost an attacker 1 cent, a dollar, a million dollars? If "security" was part of the purchase decision process then it would be mentioned in the specs in some sort of measurable way.
Ultimately what will happen will only happen because of the economics or laws. Laws that try to put liability on the developers won't work for many practical reasons. What would be most effective is for it to be easy for consumers to respond by taking their money elsewhere. This happens when there are low barriers of entry to the market, and low/no switching costs, as well as the items being relatively cheap. This is happening to various degrees, although it is fought tooth and nail by some (eg carriers in the US).
Did you really need to phrase the criticism this way? It seems unnecessarily confrontational, and serves only to detract from the rest of your (well-considered) points.
Why not "The author appears to be unaware of the realities of Android updates."?
I read HN comments because there tends to be a far higher level of civility than (for example) reddit technology threads. It is a simple thing to foster a better atmosphere, but it makes all the difference in the calibre of the discussion.
Yes I did feel it necessary (and accurate) to use that phrasing as a reaction to the phrasing in the article. Quote:
"Is it hard to update? No! Android devices can be upgraded through the settings without having to pay for the new version. Here is how simple it is!"
My manner is to be direct and to match the rhetoric of what I'm responding to. You are right that it can be seen as unnecessarily confrontational - please downvote as appropriate.
I think "staggeringly" is a good adverb in this context. The article focused on Android devices, so the author should be aware of the #1 reason of fragmentation in the Android landscape.
AFAIK, only Google devices (Nexus*) reliably get the latest updates. Handset manufacturers profit when customers buy new phones to get new software features; free software updates dip into those profits.
I'm fairly technical, I do a reasonable amount of programming and I've been using various flavours of Linux for well over a decade, but installing vanilla Android on a phone where the manufacturer doesn't support it is just ridiculous. There was a time when I'd be fine to issue endless arcane commands during an install process, or I wouldn't mind manually partitioning my drive and setting mount points, or getting stuck into some X config file to try out some new window manager etc., but now I just want things to work. And that's if you are supported by CyanogenMod, if you aren't it's just a recipe involving random .exe files from "HaKerD00dz" with animated gif avatars from some PHP forum that you have to trust. It's a total mess.
The Android OS ecosystem is totally broken on this level by the carriers who have every interest in making the higher cost phones more attractive by not updating the Android version on lower cost phones and not updating the version for existing customers. This issue is exactly why Linus' rant resonated with people and Engadget's position attracted so much fire. Nobody should be on an old version of Android. I've got my phone up to Android 4.0 after a stupid custom process from the manufacturer (which only ran on Windows) but I am fairly certain it's the last official update I will see for it even though it's more than capable of running newer versions. However, unless I can get a source more reliable than some PHP forum for updating it myself I am unlikely to update outside of this manufacturer version.
I really hope Google's Nexus intervention clears up this issue and finally turns the telcos into dumb pipes, but I am afraid it will only make the carriers offer an up-to-date Android on sale, which then won't be updated later. This is why the ecosystem for installing vanilla Android needs to be seriously improved and Google needs to step up to their responsibilities to provide automatic updating to carriers or a really properly supported community for mods.
> who have every interest in making the higher cost phones more attractive by not updating the Android version on lower cost phones
You'd be better to attribute that to them being under-resourced to deliver software updates to all models of phones immediately. They focus on shipping to the high end phones first -- those customers have paid more for that support. Some low end devices just never get to the top of the priority list.
If you want upgrades, buy the best phone you can. If you are buying low end, you have to realise that it's essentially locked to the version that it ships with.
That's my take on it anyway. I don't have any inside information.