
By all means make the default behaviour apply security updates, but that is very different to forcing updates of all types no matter what.

In any case, for users who do have some idea of what they're doing, OS security updates are probably a relatively low priority today. Frequent robust backups, proper firewalls, and applying security updates to any applications that pull content from remote sources are likely to be more important in practice. If you get to the point where you're relying on your OS to protect you, you've probably already gone wrong at least once. Most desktop OSes won't do much to protect you against threats like data exfiltration anyway, because the security models are nowhere near sophisticated enough.




OS updates are important sometimes. Security and all...

Applying security updates by default would solve that problem just as well. From the user's point of view, there is no good reason to force updates against a user's explicit decision, and there is no good reason to push non-security/stability updates even by default.

The only time forcing all updates in that way makes a difference is when Microsoft wants to override a user's deliberate preference not to have their system changed in that way. This cannot possibly be in the user's interest, only Microsoft's.


You act as if people should prioritize downloading security updates over actually being able to reliably use their computer. For many people, they want to use their machine first before worrying about security.

And as another sibling commenter mentioned, what about crunchtimes, are those the best times to figure out what works and doesn't?


And? How do updates help any of this? Firewalls are a thing. Memory-safe languages are a thing. Unit tests are a thing. Fuzzing is a thing. And it is not an OS's job to protect the user from themselves (i.e. social engineering). If you've installed malware, you deserve the consequences and you will be more careful next time. It's okay for powerful technologies to require a minimum level of education.

Not applying security updates puts you at risk. It is in your best interest to make all of the paths lead to eventually reminding you again to update. Nothing forces you to update, it will just remind you again that you need to.

Why don't you want security updates? Personally, on all OSes I use I just want security updates to happen. My time is too valuable for me to go reading about every minor security update, when I will just install it anyway.

The point was requiring regular updates to stay safe, so yes, security updates. The attack surface of a password manager would be infinitesimally smaller than that of an OS.

As far as general updates go, I agree with you, but these shouldn't need to be that frequent. I still have software from the XP era running on my computer.


I was talking about OSX. I think operating systems should make it very clear to the users what critical updates need to be installed, but they shouldn't force users to update against their will and interrupt their workflow. Something like this:

> These critical security updates are essential for continuing safe and secure operation of your computer!

> Critical security update x: allows an attacker to take control of your PC

> Critical security update y: ....

> Critical security update z: ....

In the U.S. at least we give people personal liberties over much more serious matters such as allowing people to refuse care in a medical context. The health of someone's personal PC is nothing next to that.


Well take your pick, then. You can have automatic updates and get security/functionality updates, or you can not and not, and an OS upgrade can be reasonably considered under the aegis of system updates.

Y'all have been campaigning for users to be automatically updated, often whether they want to or not (cf. Windows rebooting overnight causing the loss of any open documents) because having them not be makes everyone demonstrably less safe and users will never update if you ask them to.

You can't have it both ways. Which will it be?


True, but I don't think that justifies the practice at all.

At the very least, software needs to do what it used to do: make security updates separate from all other updates so users can just get the security bits.


Depends on the purpose I imagine

If you stop nagging users to update their software it's going to make everybody's operational security even worse than before


Sure it's nice for the average joe soap not turning their machine into a botnet node

It is, but we should really stop tolerating that as an argument for mandatory updates. Enabling security updates by default on Windows editions not intended to be professionally managed would be sufficient to achieve most or all of the same benefits without imposing the much-criticised costs to users. The same argument holds for other tech that wants to force changes in behaviour and/or phone-home behaviour on its buyer/owner/user once the purchase is completed, including almost any device associated with the word "smart".


Sorry, I'm not sure I'm parsing this right, you're saying "security updates are necessary and I as a user am going to have worse outcomes for not updating my stuff"?

My personal experience does not match this at all, so is the explanation there that I'm just lucky?


That's a spurious argument. What's important is that the OS forces updates _by default_.

Sure, some of the people that turn it off overestimate their own capabilities, and that will lead to infection. But that's a very small portion of the total population, the vast majority of which will leave everything set to default.


This is why I tacitly approve of forced (or pressured) automatic updates for Windows, macOS, and iOS. Everyone is probably safer when most efforts to fix zero-day exploits, general hardening, etc. are concentrated on fewer versions.

When I want freedom to do what I want with my computer, I run Linux, but for my Apple devices I want auto updates.


> Don't update your OS

Sounds like a good way to remain insecure to all other types of vulnerabilities.


Are there good reasons for people to not turn on automatic updates for security issues, I wonder?

Not automatically.

So many updates these days have nothing to do with security, just with "features" nobody asked for apart from a random product manager who needs his paycheck.


And my update settings.

I understand the need for security, but updates shouldn't break my computer either.
