Software update hell
Posted by Jason Baker on February 3, 2009
Have you heard of Conficker? If not, you should read up on it. It seems that Conficker has turned into one of the largest botnets in the world almost overnight. As of the most recent data, Conficker has infected 15 million computers (although other studies place that number at about 8-12 million).
And here’s the kicker: Conficker exploits a vulnerability that was patched by Microsoft almost 4 months ago. To make matters even worse, an estimated 30% of all Windows computers are still vulnerable to this virus.
Who’s at fault?
If you’re like me, you are probably appalled by the idea that this many users haven’t installed updates recently. But before you blame this outbreak on idiot end users, answer this question: how many times have you hit “restart later” instead of installing an update right away? I do it for almost every update that comes out. In fact, I’m in “you should really restart your computer now” mode to write this blog post.
Ok, so writing that last sentence made me restart my computer, but you get the idea.
Now, I’m a user who understands the importance of installing updates. If the process of installing updates is enough to make me put off installing updates, imagine what Joe Internet User must think of the software update process. Is it any wonder that we still have to tweak webpages to work with IE 6?
Now I’d like to compare who’s doing things right with who’s doing things wrong when it comes to updates.
Who gets it right?
To date, I’ve only seen two systems (that I can think of off the top of my head) that handle updates properly: Google Chrome and Linux.
Chrome’s received a lot of flak for installing updates without prompting the user. But I think that this is undeserved. To be fair, I can see where this is coming from. The idea that a piece of software can make changes to itself is somewhat frightening from a privacy point of view. It can also be frightening from a security point of view. After all, how do you know that you’re really downloading updates from Google and not some Internet Bad Guy?
While I can see the merits in these points of view, I have to respectfully disagree. The benefits of having regular updates trump this concern in both the security and privacy areas. After all, if you’re not secure, how can you have privacy? Plus, if the updates don’t significantly affect the end-user experience, how can users make an informed decision about whether or not to install the update to begin with?
What can we learn from Chrome? Updates that don’t significantly affect the end user experience should be completely transparent to the end user.
For those of you who still dislike the idea of software updating itself automatically, there’s another way of doing things.
I should mention that I’m talking about my experiences with Debian and Ubuntu Linux. Your mileage may vary.
To me, Linux is more of a server operating system that made it big on the desktop than the other way around (even though it was originally made for the desktop). With that said, let me point out that Linux as a whole tends to operate in a diametrically opposed fashion to what I posted for Google Chrome. Linux makes it very difficult to do things that a computer’s administrator doesn’t want you to do. This means that on a Linux system, you need to approve every update to every piece of software installed on your system.
I’m sure that there are ways around this in most Linux distros. I just don’t care enough to find them. Heck, on Debian I don’t even install the update notifier. I’m more than happy to go into Synaptic, click reload and apply updates. This is a lot more work (relatively speaking) than clicking “restart now” and having everything done for you automagically. Why am I so willing to do this? Two reasons:
- I almost never have to restart my computer after installing an update in Linux.
- I can choose to install updates whenever I want to.
- I can install all my updates in one place.
Granted, my way of doing things on Debian probably wouldn’t work for Joe Internet User. But there’s a lesson to be learned here: users are willing to do more work to install updates if it means less interruption.
Who gets it wrong?
I’m sure by now, you’ve figured out what my top pick will be for who’s getting it wrong: Windows. I’m going to talk mainly about Windows because most of the software that gets it wrong is just a variation on what I’ll be mentioning here, not because I hate Windows. So what does Windows do wrong? A few things:
- You have to restart your computer at the slightest provocation. In fairness, Microsoft is getting better about this. But I still find myself restarting my computer more with Windows than any other operating system. The problem is that restarting your computer is a fairly expensive task for most users. You have to save your work, wait a few minutes for your computer to restart, set everything back up the way you had it before the restart, and then get back into the swing of whatever you were doing. This can be a good 15-minute chunk of your time.
- It nags. I really think this is a good-natured attempt on Microsoft’s part to get you to install your updates. But Microsoft ignores the principle of Psychological Reactance. In layman’s terms, this principle means that the more you try to force somebody to do something, the more they will resist changes. I mean, tell me the first thought that goes through your head after the third or fourth “you should restart your computer” or “you should install your updates.” My first thought is usually “NO I WILL NOT INSTALL MY UPDATES.” This has the effect of making me disable the nags, not install updates.
- There’s no central place to install updates. Unlike Linux, I usually have to have several different programs to install updates to my computer. That means that at some point, I have to make a decision about whether to update or not for just about every program I have installed.
- It interrupts. I’d be willing to forgive most of these if it weren’t for one thing: installing updates in Windows is an interruption. Users don’t want to worry about installing updates when they’re reading email or writing a blog post or chatting on Facebook.
Are you done yet?
If you’re a programmer, you have a responsibility to your users to keep your software secure. And part of this responsibility is to make updates easy to install for your end users. How do you plan on making updates painless?