Google Chrome Developers On Browser Security 61
CowboyRobot writes "Developers of Google's Chrome browser have spoken up in an article describing their approach to keeping the browser secure, focusing on minimizing the frequency, duration, and severity of exposure. One tool Chrome uses is a recently open-sourced update distribution application called 'Omaha.' 'Omaha automatically checks for software updates every five hours. When a new update is available, a fraction of clients are told about it, based on a probability set by the team. This probability lets the team verify the quality of the release before informing all clients.'"
Re:Beta testers (Score:5, Interesting)
It's certainly better than having the entire user base beta test the patch for them which is where we're at now in most cases.
Now for a better scheduler (Score:4, Interesting)
Now if they could stop running googleupdate crap ALL THE TIME (maybe use the OSs built in scheduling system to run every so often) and give me more control over when/how things get updated it will be much better.
Re:Now for a better scheduler (Score:4, Interesting)
It _is_ killable - ironically, part of what you have to do is delete the job from the scheduler which restarts the damn thing every so often.
It could do with a more user friendly ticky box to turn it off, but it's not completely evil.
One thing I've never understood is why MS didn't expose the Windows Update facilities to other vendors (with user approval, of course.) A one-stop shop for updates a la Ubuntu's Update Manager would be a hell of a lot less messy, and it would actually work for people who do the Right Thing and don't run with Admin / Power User privileges.
No Thanks (Score:3, Interesting)
Every 5 hours?
Fraction?
Probability?
Set by the developer?
Verify the quality?
Yeah, no thanks.
I want updater services to DIE.
Check for an update when I launch your program, and give me the option to turn it off.
Don't run in the background all the time.
Give me the option to manually check for updates.
If there are updates, list them and let me choose whether not to install them. Also supply details about the update, preferably without making me launch your web page.
Tell me which updates will require restarting the program. Tell me how large they are. Give me the option to download now, and install later.
Quality test the fucking updates yourself.
All users should be able to get the update at the same time, with a probability of 1.
Re:No Thanks (Score:2, Interesting)
The problem is if they do that, then 90% of the non-power user internet users won't EVER update. Which means security flaws are never patched. Which means they get a bad name for not fixing a problem that was patched 5 months ago.
I admit that patchers and automatic updaters are a real headache and I wish most of them would just die already... But the simple fact is I'm a power user. Most people (of which my brother is one) don't care. He would rather it handle his business for him cause it's one less thing he has to think about. (no I don't particularly understand this point of view but putting that aside)
Also, as another poster pointed out... They do test the updates, however, they cannot simulate EVERY situation or EVERY computer in existence. It's just impossible. A statistically small roll out makes sense and means that at any one given time, the chance you have to bear the burden of beta tester is minimized. To me, this is an acceptable situation however I would very much like it if they did what you suggested. I would love to have all the details about all the patches and updates immediately shown to me so I can choose what to do with them. However, in the long run, it's just not user friendly for the other 90% of the consumers.
Re:Beta testers (Score:3, Interesting)
So basically, they're getting a random sample of their user base to beta test updates in the wild for them. I hope there's some kind of warning about this while using it.
Since none of us actually read the licence agreement there probably is :)
Comment removed (Score:4, Interesting)