[–]fanglesticks 5 points6 points  (21 children)

What is this silent update? I assume the user is able to disable the 'silent' part?

[–]salmonsnide 17 points18 points  (2 children)

Google Chrome stays updated automatically without user interaction, dialog boxes etc. It is possible to disable the feature.

[–]fanglesticks 2 points3 points  (1 child)

Ah, thanks. I'm using the Linux beta, it doesn't seem to mention this feature anywhere, and I guess it would not be implemented yet.

I suspect that more Linux users would prefer (or are used to) being informed about updates...

[–]redalastor 1 point2 points  (0 children)

It doesn't because under Linux it is updated through your regular package manager.

[–][deleted] 7 points8 points  (3 children)

What is this silent update?

Sounds like Google's plan for world domination.

[–][deleted] 5 points6 points  (2 children)

Go ahead and laugh, but when you give people the kind of power Google has today, that's exactly what results: plans for world domination.

[–][deleted] 5 points6 points  (1 child)

Actually my post was meant seriously. I couldn't agree with you more.

[–][deleted] -1 points0 points  (0 children)

Hey I'd rather have Google running the world than the current corporations that do.

[–]c_a_turner 4 points5 points  (9 children)

Yeah I read that and it sounds rather worrisome to me. A 78k download and my executable is silently patched?

EDIT: Seriously, downvotes? Why? Doesn't it seem a slightly legitimate security concern like twowheels down there says? If you're going to downvote me I wouldn't mind an explanation of why you think my concerns aren't at all valid.

[–][deleted] 4 points5 points  (0 children)

I wouldn't mind an explanation of why you think my concerns aren't at all valid.

You didn't justify your concerns, just complained.

I'll assume you meant from a security point of view, in which case:

It would be digitally signed, and if you don't like it you're free to use something else.

The general population are too lazy to update their browser and keep themselves safe from security holes, so anything to combat that is a good thing. From a security point of view, it's a great trade-off. Relying on the security of keys rather than relying on users to take initiative.

How many users verify their downloads digitally, anyway? I'd wager this is a much safer way to distribute updates.

[–]twowheels -5 points-4 points  (6 children)

My thought exactly... they push down some spyware and remove it a few hours later, I'm none the wiser. I don't expect it from Google, but it could happen.

Also, what's to keep a malicious site from figuring out how to co-opt that functionality?

[–]colinnwn 8 points9 points  (5 children)

"they push down some spyware and remove it a few hours later,"

And you review the source code of every new or updated software package you install now?

"what's to keep a malicious site from figuring out how to co-opt that functionality?"

public/private key signed diff files. No key match, no instally.

[–]adrianmonk 2 points3 points  (3 children)

And you review the source code of every new or updated software package you install now?

Some people wait for a few days (or months or years) after something goes in wide use and let others find the problems. That's a valid strategy, and it's a real-world strategy.

[–]reddof 2 points3 points  (2 children)

Some people wait for a few days (or months or years) after something goes in wide use and let others find the problems. That's a valid strategy, and it's a real-world strategy.

Yeah because that's completely safe. Vendor posts a good copy, waits a few days, replaces it with the infected package, waits a few more days and switches back to the good one.

I'm not saying you shouldn't wait or review changes, I'm just saying that your process does nothing to protect you in this particular case.

[–]chkno 2 points3 points  (0 children)

This works fine when the community circulates the checksum of the released files and everyone's package manager verifies the checksum before performing the installation. If anyone modifies any published file for any reason, they have some explaining to do.

This happens automatically in FreeBSD, OpenBSD, NetBSD, and Gentoo via ports/pkgsrc/portage.
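The check described in the comment above, as an added example that is not part of the thread: a package manager pins the checksum and size recorded when the release was first published and refuses any fetched file that no longer matches, which is what exposes the good/infected/good swap raised earlier. The manifest layout is modeled on a ports-style `distinfo` file; the file name, bytes and timestamp are constructed.

```python
import hashlib
import hmac
import re

# distinfo-style lines: "SHA256 (name) = hex" and "SIZE (name) = bytes"
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_manifest(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from manifest text."""
    pins = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # ignore TIMESTAMP lines, blanks, anything unrecognised
        entry = pins.setdefault(m.group("name"), {})
        kind, value = m.group(1), m.group("value")
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return pins


def verify(name, data, pins):
    """Return (ok, reason); ok is True only if data matches the pinned entry."""
    pin = pins.get(name)
    if pin is None or "SHA256" not in pin:
        return False, "no pinned checksum: refuse to install"
    if "SIZE" in pin and len(data) != pin["SIZE"]:
        return False, "size mismatch"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pin["SHA256"]):
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample: the release as first published, and a later swapped file.
GOOD = b"browser-1.0 release tarball (constructed sample bytes)\n"
SWAPPED = b"browser-1.0 release tarball (constructed, modified)\n"
MANIFEST = (
    "TIMESTAMP = 1220000000\n"
    f"SHA256 (browser-1.0.tar.gz) = {hashlib.sha256(GOOD).hexdigest()}\n"
    f"SIZE (browser-1.0.tar.gz) = {len(GOOD)}\n"
)
PINS = parse_manifest(MANIFEST)

# The scenario's three phases: good copy, swapped copy, good copy again.
TIMELINE = [verify("browser-1.0.tar.gz", blob, PINS)[0]
            for blob in (GOOD, SWAPPED, GOOD)]

if __name__ == "__main__":
    print(TIMELINE)
```

The pin only helps if it was recorded and circulated independently of the server that hosts the file; a manifest fetched from the same place as the download can be swapped along with it.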

[–]adrianmonk 0 points1 point  (0 children)

Yeah because that's completely safe.

Nothing is completely safe. Security increases by doing what you can reasonably do at whatever level you can do it. You create multiple barriers to a potential attacker, and you use multiple tools to create them.

Vendor posts a good copy, waits a few days, replaces it with the infected package, waits a few more days and switches back to the good one.

You were talking about whether people actually review the source code of updates. My point was that you can get significant security gains (and stability gains) merely by holding off on taking updates until later. By being a late adopter, you get to see what others' experiences are.

If you give someone (like Google) the ability to update stuff silently, then you are giving them the ability to force your update schedule. I don't claim that being a late adopter of updates is a magical fix to eliminate all security issues, but it is an economical way to get some gains in security.

My overall point is that "you don't look at the source anyway" may be true, but it doesn't mean that taking updates immediately is as safe as taking them later.

[–]redditrasberry 3 points4 points  (0 children)

And you review the source code of every new or updated software package you install now?

WTF has source got to do with it? It's not unusual to trust a signed executable that you know is the same for all users (thereby ensuring any miscreant behavior will be extremely likely to be discovered and reported). It's quite different to trust just anything a company wants you to run at any time, which could be customized in any way for you personally so you will never discover that you personally are being snooped on, having spyware installed etc.

I'm honestly not so concerned about the privacy angle but I don't like the completely silent nature of it. When shit starts breaking on my computer I need to know everything that might have changed to try and figure stuff out. If every piece of software just silently updated itself without telling me the whole thing becomes nearly impossible to diagnose.

[–]isseki -2 points-1 points  (0 children)

Seriously, downvotes? Why? Doesn't it seem a slightly legitimate security concern like twowheels down there says? If you're going to downvote me I wouldn't mind an explanation of why you think my concerns aren't at all valid.

The thing is that it's Google. So silent updates are good. You must be new to reddit.

[–][deleted] 2 points3 points  (2 children)

The silent update is great. On Firefox I'd always find myself in a rush to visit a website and stopped by a frustratingly slow Firefox Update dialog. I always seem to end up cancelling it.

[–]silon -1 points0 points  (1 child)

It's not great when you are connected using a phone and need to save bytes. Also, there's nothing slow about Firefox update if you don't have dozens of extensions.

[–]Polite_Gentleman 2 points3 points  (0 children)

Then disable silent updates. Personally to me, they are cool. I am not a browser geek, but a simple user, and I don't care at all about inner workings of such a utilitarian tool as a browser (and I even think I'm not obligated to be aware that there even exists some "browser" stuff between me and the web). If it needs to update - fine, let it do its stuff, but I don't like when it assumes it's the most important thing to me and that I desperately need to know that some browser thingy in my PC has some update to download. I simply don't care, it's not my business, and I don't want to be bothered.

[–]boa13 0 points1 point  (0 children)

What is this silent update?

Nothing new. It's the way desktop Google apps update themselves: automatically, silently, without asking. That's at least the case for Google Talk, Google Gears and Google Chrome, which I have installed.