
Certainly, you're right there. Though do we need auto updates for addressing that, with all of the risks and annoyances that come with that mechanism?

For example, something like GitLab doesn't have automatic updates (in self-hosted versions) and seems to get by just fine with sufficiently scary update notices for serious CVEs, for example: https://about.gitlab.com/releases/2022/08/22/critical-securi...

Of course, those who just don't care won't even bother with those updates and the consequences are obvious. Automatic updates would prevent that, but then again, the backlash in the Ubuntu community for having snap packages on servers (and to a lesser degree on desktop) would suggest that that's just not enough to get people to buy into it.

One could also claim that server software and desktop software are entirely different beasts, but personally I'd prefer to update software on my desktop PC through apt or another standard mechanism (when I want, from sources I trust), as opposed to every piece of software deciding on their own bespoke update mechanism.

Personally, I don't really have a good answer. Both approaches are somewhat flawed, just in different ways to different folks in different circumstances.



> the backlash in the Ubuntu community for having snap packages on servers (and to a lesser degree on desktop) would suggest that that's just not enough to get people to buy into it.

> Personally, I don't really have a good answer. Both approaches are somewhat flawed, just in different ways to different folks in different circumstances.

You hit the nail on the head. It depends on the target market for your application. If your users do not expect to manually update, it’s probably a good idea to build an auto update mechanism that is opt-out or opt-in. It might not be worth it for other target markets though.

However, my point was that just because an application isn’t doing something critical, doesn’t make security vulnerabilities in that application harmless.



