Driven by Google and like-minded software makers, a new era is dawning in which your software is constantly refreshed--often without any intervention on your part at all.

Depending on how you see things, that could be either a scary loss of control over your own computer or a boon to convenience and security. Either way, the practice is increasingly common.

I, for one, welcome it.

How many times a week do you see a software update dialog box like this

(Credit: Screenshot by Stephen Shankland/CNET)

In the last week or so, I've manually updated Google's Chrome, Chrome Canary, and Picasa' Adobe Systems' Flash Player, Photoshop, Premiere, and AIR' Microsoft Windows 7 and Office 2008 for the Mac' Apple Aperture' Mozilla's Firefox and Thunderbird' Opera' and Evernote. Should this really be my job Automatic updates can cause compatibility problems and yield control to corporations whose agendas may differ from your own, but used judiciously, I think it's an improvement.

In days of yore, software came on disks manufactured and shipped at some expense to customers. But the Internet Age has enabled not just digital distribution, but frequent distribution, and programmers are following suit with a more continual stream of smaller updates.

In short, a lot of software is becoming a constant work in progress rather than a finished product. With that change, along with the spread of computing technology to so many corners of our lives, the burden of maintaining it shifts to the software maker.

"[With] commodities like browsers or operating systems, non-technical consumers may well be best served by automatic updates," said Sebastian Holst, chief marketing officer of PreEmptive Solutions, a company that helps customers monitor and manage their software. "Many of the updates address emerging security threats rather than simply adding 'nice-to-have' feature extensions. Wouldn't it be great if we could automatically update the batteries in smoke detectors If we have to work to motivate homeowners to take that simple step to protect themselves, how realistic is it to expect consumers to conscientiously update their software"

Browsers lead the charge Browsers are a prime example of the auto-update ethos. When Google released Chrome more than two years ago, the company quietly began a program in which the browser silently updates itself automatically. The software periodically checks a server to see if an update is available, downloads it when it finds one, and installs it for use when the browser or computer is restarted.

At the time, Google said, "For major version updates, when feature changes are involved, we'll explore options for providing users with more details about the changes," but so far it's maintained its silence, so to speak. Here's Google's rationale for silent, automatic updates today:

The primary reason is to ensure that as many users as possible are on the most current version of the software--and therefore as secure as possible--with minimal user effort...We've found that [waiting for user permission] only is desired in certain administration cases and in enterprise scenarios. For those cases we provide auto-update control via standard administration mechanisms.

Opera has followed suit. "We actually do it as a silent update now. You can change that to have more control, though. But the default is silent," spokesman Thomas Ford said.

And with the new version of Firefox due in 2011, Mozilla plans to make automatic updates easier. "With Firefox 4 we'll be adding the capability to apply updates in the background to reduce the delay on start-up, and (thankfully) changing things so that not every update will result in a new tab being opened," said Mike Beltzner, vice president of engineering for Firefox. "However we'll always provide a clear message about how the user's software has been updated, as well as a way to see what was changed."

Firefox programmers want the browser to improve faster, though, and to accommodate that is considering a more aggressive auto-update embrace.

"I think we also need to consider whether doing releases as frequently as once a quarter requires we default to mandatory (silent) updates across major versions," said Mozilla programmer Robert O'Callahan in a mailing list message this week.

"Yes, we need to consider it," Beltzner replied. However, he added, "I wouldn't equate mandatory with silent--there are ways of doing automatic updates that are not silent, and I find that silent ends up putting people on tilt a bit."

In the browser world, I'm inclined toward automatic updates. It raises compatibility issues with plug-ins, but given how central a role browsers play in today's Net attacks, I want holes plugged as soon as possible.

And in the long run, an auto-update ethos could help avoid today's bane of the Web, Internet Explorer 6, released in 2001 and now holding back efforts to build a more secure and powerful Web.

Cultural adjustment Windows Update embodies the shift in software distribution and was a significant moment in my growing appreciation for automatic updates.

Microsoft has shifted to an incremental monthly "Patch Tuesday" update cycle that has partly replaced the earlier service pack approach of infrequent, massive overhauls. The motivation is simple: security. No longer do software makers get much of a grace period between discovery of a vulnerability and attackers exploiting it. Indeed, Microsoft sometimes releases "out-of-band" patches for urgent problems.

Major feature updates--such as the shift from Windows XP to Windows Vista to Windows 7--are still unusual. But plenty of real improvements such as better video drivers arrive regularly, too.

You&39're doing it wrong: This Microsoft Office for Mac 2008 update dialog box, hidden behind other windows, perversely says I have to quit the Microsoft AutoUpdate program before updating Office.

(Credit: Screenshot by Stephen Shankland/CNET)

A few years ago I had an "Aha!" moment with Windows Update, which I'd set to automatically download updates but wait for my permission to install. I realized that I installed every security patch Microsoft sent. There have been some problems sometimes with those patches, but despite being fairly technical I'm not the kind of person who'll be able to detect them in some sort of testing.

I concluded that I'd probably be better off overall with Windows installing those updates and my checking later to see what was patched. I made the change, and I'm happy with it so far.

Sure, maybe some creepy government programmer is slipping a back door into my computer, but my guess is the updates are more likely to protect than compromise me and my data.

I've also become a part-time sysadmin for a mother-in-law who lives several time zones away (thank you, LogMeIn). She's not technically inclined at all, so it was a no-brainer for me to enable automatic Windows updates on her machine.

Her situation made me think more carefully about silent updates. I want to be notified of updates with easy-to-find release notes detailing what changed on my computers (hint hint, Adobe AIR team). But many people lack the expertise to understand that information. In my mother-in-law's case, pop-ups and dialog boxes and tabs alerting her to changes are confusing and worrying rather than helpful.

"It shouldn't be, but alas, it is the user's responsibility [to update software]. We're willing to tolerate this horrible user experience simply because PCs are so useful," said Paul Kocher, president of Cryptography Research. "As microprocessors become more pervasive such as in smart appliances at home, the update experience becomes even less tolerable, so finding a solution to this problem is a top priority for the PC industry. Intel understands this, as evidenced by their purchase of McAfee, so I'm cautiously optimistic that we'll see some improvements eventually."

Caveats Auto update must be effective if it's to work. In three major updates to Office 2008 for the Mac in the last year, I've had to endure dialog boxes hidden inaccessibly behind other windows, mammoth downloads, and intrusive requirements to shut down all sorts of third-party software. The most perverse moment, each of the three times: the alert that I had to quit the Microsoft AutoUpdate program before I could proceed with the update.

It turns out I only had to quit an invisible dialog box asking me how often I wanted to check for updates. My gut reaction, given how awful the experience is: never! But a poorly implemented automatic update shouldn't hold back the automatic update idea overall.

We should each get to choose silent or verbose updates, but I've concluded that there's a role for silent updates, too.

Your opinion may differ, of course, and especially in a corporate environment caution is appropriate to avoid breaking existing computer systems. And think twice before you let any old software maker issue automatic updates.

"Users should decide their level of trust on a supplier-by-supplier basis, not app-by-app, and grant auto-update privileges only to those with a well-earned (established) reputation for software quality and customer support," Holst said.

Enabling auto update isn't such an easy choice for those with responsibility for managing dozens, hundreds, or thousands of computers, though.

"Corporate IT admins make every possible attempt to block auto-updating software because it often breaks other software the users need," said Jennifer Bayuk of the Stevens Institute of Technology. "Corporate admins do a lot of what is called 'sociability testing' to ensure that diverse software can operate in harmony on a single machine, and auto-updating software defeats the integrity of their desktop deployment strategy."

Web, Chrome OS, and phones Perhaps the most ambitious embodiment of the auto-update era is Google's Chrome OS. It's a browser-based affair, running Web applications rather than anything on the Linux operating system hidden under the covers. Like Chrome, it's got two common plug-ins built in--a PDF reader and Adobe's Flash Player--so Chrome OS can take over responsibility for updating them, too.

With Chrome OS, Google will send updates automatically. It shouldn't be the user's responsibility to keep the software up to date, Google argues.

With Chrome OS and Web applications, the lines blur between Web applications and native applications. The auto-update era is already well-established at Web sites. Sometimes companies such as Yahoo, Facebook, Twitter, and Google give users a chance to opt in to new versions of their sites, but many more changes happen behind the scenes without the user's say-so, and the old versions eventually are phased out.

Web applications on Chrome OS can take a variety of forms ranging from glorified bookmarks to apps that work without a Net connection to browser extensions that give the browser new abilities. All these mechanisms, though, can be updated automatically.

Google also is headed this direction with Android. Newer versions of its mobile operating system let people grant applications permission to automatically update themselves. It didn't take me long to enable it for most applications.

Chrome OS, smartphones, Net-connected TVs, satellite navigation systems, and automobile firmware illustrate how software is moving beyond the relatively narrow domain of personal computers. Multiply today's update woes by these new electronics, then factor in the limited user interfaces many of these new devices, and the idea that users bear responsibility for keeping software up to date becomes increasingly untenable.

I see plenty of possible concerns with the auto-update era--incompatibilities, mistrust of corporations, new malware conduits, and intrusive user monitoring. But in my mind, the overall benefits outweigh the risks. I look forward to a world in which software is fluidly and constantly improved.


Discuss   Add this link to...  Bury

Comments Who Voted Related Links