> [Non-experts] mistakenly worry that software updates are a security risk.
I think this betrays a lack of thought about the risks to non-experts. Tons of malware masquerades as legitimate updates, and non-experts don't always have the knowledge to distinguish legitimate updates from malicious ones. Therefore, to non-experts software updates are a security risk.
Edit: And this is why Chrome's policy of updating automatically and completely silently is the right thing to do, and everyone else (Adobe, Oracle, Microsoft, looking at you) is doing it wrong.
I largely agree with you, but non-technical users have had the frequent experience of "I updated X and then X, Y, or Z broke." Sometimes they even have the causational arrow correct, too. Yesterday they had no problem with Word or hackers. Today, Word doesn't work, to protect them from hackers. "Thanks, geeks."
Or consider how non-technical users can come to associate installs/updates with Arbitrary Negative Consequences even without that being a reflection of reality.
Bingo Card Creator, back when it was downloadable, was accused of killing multiple hard drives every year. You and I know that is preposterous, but all the user knows is that the last consequential thing they did with their computer was install the update and now their machine is bricked.
(The user does not appreciate that the MTBF of laptop hard drives among BCC users is approximately 18 months and that we'd accordingly be the last thing someone did before data loss at least once a day.)
At least one of these users contacted their IT department, whereupon they were warned in the sternest possible terms to never ever ever ever download anything from the Googles because that could erase all their memory and give their hard drive a virus. A lifetime of learned (and taught) helplessness like that adds up.
> And this is why Chrome's policy of updating automatically and completely silently is the right thing to do
Not everyone is hooked up to unlimited broadband 24/7. To anyone who is frequently jumping between capped satellite & 3G/4G networks, silent auto-updating software not only unexpectedly slows down your already non-ideal connection, but also eats up lots of your capped data.
Lots of services tend to forget about the users who aren't hooked up to broadband 100% of the time.
The proliferation of mobile devices and the convergence of mobile and traditional end user operating systems is solving this one. Android and Windows 8.1 both have the ability to mark an arbitrary WiFi network as metered, and many core services as well as third-party apps will happily discriminate between unlimited WiFi and metered WiFi/cellular connections.
Exposing the whole update process to the end user is like exposing the innards of the car's engine to the driver. There's no need to do that. They don't need to be aware of it. It should be just part of the daily magic to them, the stuff that keeps things running even though they don't understand how it happens or are not even aware of it.
Of course, the intricacies of the process should still be exposed to the technical users via various tools and APIs.
... but you can't avoid exposing the fact that the application substantially changed with no advance notice or control, because today's updates are not just security / bug fixes but also UI re-designs, major feature shuffling, etc.
Companies have an interest in forcing users to manually download updates because of ad revenue from the download page, and bundled software on the updater. It will take a lot to convince them to prioritize user security over money.
But are they doing silent updates? Any update that requires a reboot is not silent, and as far as I can see there's been no progress in silent updating since Windows 7. It is definitely possible to patch vulnerabilities in memory without rebooting my computer; heck, most malware will silently patch the vulnerability it used as part of the infection process; Microsoft just can't be bothered to do it themselves.
That's true; however, Chrome restarts in a couple of seconds and restores most of your state. Also, all of the work of installing the update is done before it prompts you to do anything. None of that is true for Windows.
When you have 1.6 billion users, every time you waste 5 minutes of their time installing updates and rebooting, that wastes 190 human lifetimes worth of man-hours. I know that Microsoft does not properly account for this when deciding how much effort to allocate to making updates less intrusive.
Most people will not stare at the screen for 5 minutes while it's updating. They will be doing non-computer tasks in the meantime. Also, this ignores the ability for the updates to be postponed[1] until a convenient time (at lunch? after work?), which means the lost productivity is reduced to the time it takes to restore the workspace.
[1] Even with Windows 10's forced updates, I still think it's possible to postpone updates, just not indefinitely.
This is the wrong objection. If only 10% of users lose 5 minutes each, that's... 19 lifetimes' worth of man-hours, which is still excessive. The real reason for not doing rebootless updates is that they're hard to implement, and hard to implement in such a way that they create a risk of problems much bigger than losing 5 minutes (like data loss or security vulns staying open).
But these are not actual lifetimes. You can't kill people by updating a billion computers for the same reason you can't have a baby in one month with 9 women.
The problem with security updates is that they often include feature updates that are not security related... companies like Google appear to have too many engineers and implement changes that I would rather skip.
Well, upgrading often equals bloating and not all of us want to be updating our computer every two years.
That, added to what's been said in this thread, means no, it is not the right thing to do.
It's not just MS; I'm pretty sure every Ubuntu OS update from Hardy to Lucid destroyed 1) my video configuration, 2) one other large thing, and 3) 20 little things.