The point is that this is a pretty small portion of all security updates. Compare to iOS, where updating the browser or iMessage (both with very large vulnerability surfaces) requires a system update.
True, but I don't think that justifies the practice at all.
At the very least, software needs to do what it used to do: make security updates separate from all other updates so users can just get the security bits.
It's easier to do an update with a single security fix rather than an update that rolls in a ton of new functionality that ends up breaking your device. Seen this time and time again with OS/dependency update.
The problem is, security updates should stick to security, and should be clearly separated from feature updates - especially from the ones that remove features.
The problem is that they'll use the opportunity to schlep a bunch of non-security related stuff into the update as well. That's the thing that really bothers me about these, that you can't say just the security patches and hold the telemetry/marketing/spyware/adware/crapware/malware/etc.
I understand the will of using new programming tools, but security updates should be the central reason for update. It is not clear how are those managed.
Then manufacturers should fix that problem. The reason people don't like security updates, is that they are tied to feature updates. Most people don't like the new feature updates, and would happily take just the security updates. If users were given that option, I'm betting that a lot of the push-back to updates would drop fast.
reply