Google Open Sources Updater 174
Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
concerns alleviated... (Score:5, Insightful)
Re: (Score:2, Interesting)
Has anyone built this from source, then checksummed the result to validate that this is the same software?
Bait and switch would be just like these guys!
Re:concerns alleviated... (Score:5, Interesting)
Re: (Score:3, Informative)
Still would not validate.
Theirs is digitally signed and has date stamps in.
I think the only options is to use something like bindiff, which excludes comparisons of much of the PE metadata.
Re: (Score:2)
It wouldn't work without knowing the specifics of the environment they compiled in.
Besides, that wouldn't be bait and switch - just outright lying.
Re: (Score:3, Interesting)
Re: (Score:2)
Re:concerns alleviated... (Score:5, Interesting)
Bait and switch would be just like these guys!
Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier? There is ZERO reason for a updater to identify anything besides installed product (if that), not even the currently installed version. Any intelligent person knows this, and google is a cut above. That means it was certainly their intention to collect more information through updates. And why wouldn't google do this?
Even today there are a lot of people that never log in to a google service. Google updater is really about identifying and categorizing these users, for better ad targeting or accounting or whatever purpose. All they have to do is install any one google product, even if they never use it. If you log in to google often they already have a great profile on you.
The update check lets them tie your IP address with their profile on you. Many people have 'stable' IP addresses, even though they are using DHCP they get the same address. The updater lets google determine this, or that a person's IP address isn't stable.
The simplest, most effective, and most obvious method to track individuals is with a unique ID. This was the first method updater used (ie, google thinks everybody else are idiots). This provides a direct IP to user mapping at ever update.
Next, they might try a last-update-at timestamp. Even at a second resolution with list of installed products this lets them easily map IP to user with a high degree of accuracy. But they'd probably try something to tighten this up, like return a time cookie from the server and store it for next time.
If they can't do a direct mapping like this, they'll try something more sneaky like 'anonymous usage data' that then can just look up in their database... how many users accessed gmail exactly 327 times and groups 136 times in the last week? Repeat until it narrows down to one.
So the updater software itself is irrelevant. The only issue is what data does it send and does it run often enough to lock down your IP, or determine how your IP changes over time. This is important because tracking images, google-analytics, ad-words can determine your IP as you visit sites.
Re: (Score:2)
The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie? All this is good for is deduping update requests, to get an accurate figure for how many machines the software runs on.
If you were building an auto-updater, you'd probably be interested in knowing how many people had your app installed too. That way you know if people uninstall the app you're doing something wrong!
Re: (Score:3, Informative)
The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie?
Say the logs look like this:
17.205.76.119: update request from uid 229782969
17.205.76.119: log in to gmail as Joe User
17.205.76.119: request 1x1 dissident-456713.png
17.205.76.119: request google-analytics for site americanidol.com
continues for 1 week
17.205.76.119: update request from uid 229782969
Since there were no other updates from your IP they know you aren't behind a proxy. They can tell with high probability that everything done from that IP during the week is attributable to you. For advertising pu
Re: (Score:2)
Bait and switch would be just like these guys!
Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier?
The purpose of the ID is described here [google.com]. But you may need to take off the tin foil hat before you can understand it.
GoogleUpdate also uses its own, randomly-generated unique ID number to accurately count total users. This information includes version numbers, languages, operating system, and other install or update-related details, such as whether or not the applications have been run. This information is not associated with you or your Google Account.
Re: (Score:2)
Bait and switch would be just like these guys!
Any examples to back that statement up? Supposedly releasing the source code for an app while secretly making binaries of the app from different source would be very evil indeed.
Re:concerns alleviated... (Score:5, Funny)
Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.
Don't worry, I checked. Has the little (u) and everything for Passover. Dunno how it'll be after the holiday's over, though.
For the love of god (Score:5, Interesting)
Someone add a feature to turn it off completely.
Re:For the love of god (Score:5, Informative)
Here's a wild and crazy idea. You could disable the Google Updater Service via Control Panel\Administrative Tools\Services. I know.... I know.... radical, but it actually works. Imagine that.
Re:For the love of god (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
This sounds like an excellent project for someone. Produce a Google app installer without the privacy and take-over-your-pc stuff. Why do I even need Updater just to install Google Earth or Chrome?
Speaking of Chrome, I'm surprised there isn't a community build yet. There is Iron, but it's produced by a commercial company and I don't have time to check what they did myself. At least I can more or less trust Firefox.
Re: (Score:2)
What, like Chromium?
Re: (Score:2)
Chromium is just the open source version, but it's controlled by Google so if you submit a patch to, say, disable sending Google a serial number I expect it would probably be rejected.
That's what I mean by community build, one based on patches not approved by Google with all the nasty stuff removed.
Re: (Score:2)
What is this task scheduler thingy?
Oh right, I deleted that. :D
Re: (Score:2)
And don't forget to turn off the scheduled event to turn the service back on. And don't forget to do it all over again every time you install/update anything by Google.
No problem, put it in a shell script, and run it from cron every minute.
Finding the windows equivalent of that is left as an exercise for the reader ;-)
Re: (Score:2)
Re: (Score:2)
Or perhaps block the thing with your desktop firewall?
Re: (Score:2)
it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues.
Open and Sponsor Google Pack (Score:2)
Here's a wilder idea: license Google Pack openly, give it better dependency handling, and setup an independant debian-like group to oversee it and it's packages on google-sponsored (but easily mirrorable/replaceable/overridable) servers. Then release tools to help people publish their software, review other software, etc. If google wants to beat MS, the best way to do that is to encourage a debian-like software delivery system on Wi
Re: (Score:2)
Re:For the love of god (Score:5, Informative)
Of course, it will be reinstalled within a few hours if you run another Google program. On my Mac I just changed permissions on the
Re:For the love of god (Score:4, Insightful)
On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.
1. Install Linux
2. Follow above instructions.
Re: (Score:2, Insightful)
Google doesn't have an updater on Linux, at least not one that came with Google Earth or Google Picasa.
Re: (Score:2)
(Well, actually, I am running OS X. When I'm not booted into Ubuntu)
Re: (Score:2)
Why would anyone want to ruin a perfectly good Windows install with Linux?
Re:For the love of god (Score:4, Informative)
I never gave GE my password. I'm not sure what the workaround is for Windows.
Similar. Using the CACLS command line tool, or the Security dialog in file properties, remove all file permissions for all users except the "delete" and "read attribute" permissions.
Read attribute might be able to go too, I haven't tested - but the above will make it so that the file can't be updated, can't be executed, but can still be deleted when you want to.
Re: (Score:2)
Deny all to everyone. Then the only way to do anything with the file is to come back later and give yourself permissions again by removing the deny all to everyone.
You can always modify permissions as the owner so denying all to everyone won't lock you out, you just have to remove the deny later to do anything with it, but it'll stop pretty much every other app from doing anything to it.
Works like a charm.
Useful for preventing apps from screwing with the registry as well if you find something that likes to
Re: (Score:2)
On Windows you can either make a file in the Program Files directory with the exact name of the Google Updater directory (which prevents it from being created), or you can use gpedit.msc to set a "no execute" policy for files in that directory.
Re: (Score:2)
Or you could just change the file permissions to not allow it to be executed, just like every other OS.
Why this behviour? (Score:2)
Someone add a feature to turn it off completely.
Can someone remind why they did it this way again, other than for annoyance? Whatever good reason they had is probably nullified by the fact people try to remove it, because of its annoying behaviour. Please just let me know when I use the application, and not when I haven't opened the application for over a month.
On MacOS X Sparkle [andymatuschak.org] is a nice way to go about things, and something I would like to see ported to other platforms.
Re: (Score:2)
Exactly - all they need to make this problem go away is to adopt the rather more sane update mechanism used by other apps - check for updates on a given schedule when the app is launched - if it's out of date, inform the user, and give them a choice of what to do.
I don't care if it's open or closed source, made by Google or any other company - I don't want background processes running unless they are absolutely necessary, and this one is not.
Managing Google is becoming more difficult. (Score:3, Insightful)
More and more, Google seems to be out of control. There seems to be insufficient friendly oversight of the many initiatives inside the company. That typically occurs because everyone is busy, and because there is no one inside the company who both
Re: (Score:2)
Those are both signs of a "high level of excellent" engineering, not management. Google has always prized engineering talent and disdained management talent.
One case of excellence is engineering. Many are... (Score:2)
Finally some justification (Score:3, Insightful)
And of course, this goes hand-in-hand with keeping Chromium easy to use.
Re: (Score:2)
Re:Finally some justification (Score:5, Funny)
Yes, but as always happens when you open source software, a huge community will immediately spring up from the ground to fork it and start adding features to it. After a few months, that community will decide what it really needs is a ground-up rewrite. After 5 years and several hundred alpha releases, you'll be able to download the first beta of the rewritten app, which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.
Re: (Score:2)
which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.
Yeah, but does it run emacs?
Re: (Score:2)
Your comment would be really funny if it wasn't so depressingly true.
Missing The Point (Score:5, Interesting)
It's not the privacy and security aspects of having Googel Update always running in the background that concerns me, it's that a process that is only needed once in a while is constantly running using up resources unnecessarily.
Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).
No need to have an updater constantly running in the background at all.
Re: (Score:2, Insightful)
There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".
Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degredation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS
Re:Missing The Point (Score:5, Insightful)
There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".
All of this handwaving is unnecessary, since the problem is "ethical" in a sense. The user does not want to have google updater running for whatever reason => the user should be able to remove it whenever he wants. I suppose the rootkit sony installed back in the day didn't consume too much resources either.
Processes that always run make admin complicated. (Score:5, Insightful)
Processes that run all the time make computer administration more complicated. The issue is not just one process; many, many companies want control over user's computers and believe that a system process is the way to achieve that.
Google Updater should run only when a program supplied by Google is running. Unnecessary control is always a reason for criticism, not just unnecessary control over other people's computers. Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.
Re:Processes that always run make admin complicate (Score:3, Interesting)
Google Updater should run only when a program supplied by Google is running.
So think about this scenario:
A product has a security issue tha can be exploited remotely (lets say (and this is hopefully not a real exploit, but something like this could theoretically happen)
Google earth has an issue with KMZ files (buffer overflow, whatever)
user gets a kmz file
opens it
--> exploit can do its thing.
It is now useless that Google Earth would display "there is an important security update available".
therefor: it is important to patch the apps *before* opening it.
please note: that is not s
Easy answer (Score:2)
Correction (Score:2)
Re: (Score:2)
That scenario assumes that the updater can do its thing before the user clicks on a bad file. Highly doubful.
It's also worth mentioning that having the Google Updater run as root all the time opens up another vector for exploits.
Re: (Score:2)
Ugh, do you really want every app to get a multi-second delay on startup so it can check for updates? What happens if you're on a slow connection - your entire desktop grinds to a crawl thanks to the constant startup update checks. No app actually does it this way, it'd be crazy, startup time is important.
As to what stops the updater being compromised, I assume it checks whatever it downloads for a digital signature. Why would it not?
Re: (Score:2)
I work on computers for people, sometimes, as a side project.
For the past few years, every single computer that I have to nuke and reinstall Windows on gets the following treatment:
1. Google Updater with Firefox, set up to be as automatic and out-of-sight as possible
2. Avast antivirus, set up to be as automatic and out-of-sight as possible
3. Windows Update set to always install every update, all by itself
I then set Firefox as the default browser, and get rid of most of the IE icons in the system. People
Re: (Score:2)
a, b, c, d--
Riddles and nonsense. I've said my piece. Dispute it with facts, or move on.
Thanks!
Re:Missing The Point (Score:4, Insightful)
There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".
Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degredation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS.
Doesn't matter. Just have it run once a week on startup like most apps do and we're fine.
As far as Windows goes, it'd be nice if third parties could register with Windows update. You install app X, it now gets to be polled on Windows update at whatever schedule you use. Update available, there you go. It'd be like what the Linux distros do with their lovely updaters.
I just hate extraneous shit that gets installed and harshes your computer's well-being. Perfect example are the shitty printer TSR's that just sit there in the corner hogging up resources waiting for you to print. Why? Unnecessary! And when you uninstall them it's like your computer gets a needle of adrenaline right in the heart, it's ten times faster than you're used to.
About only half of what sucks about Windows can be directly blamed on Microsoft. The rest of it has to be blamed on the third party apps.
Re: (Score:2)
It is one more damn program that has to start up when I reboot (which isn't often). That slows down the startup process. It runs per-user not per-machine, which probably pisses off people running terminal server (or people who actually use the fast-user-switch stuff).
I cannot think a single reason. Not one. You can schedule update checks like everybody else. You can even do it hourly if you are worried about "OMG ZERO DAY
Re: (Score:2)
That might be true in a vanilla environment.
For some reason, many applications don't understand how to communicate with authenticating proxy servers. (Even Internet Explorer's system of downloading intermediate certificate authorities can't authenticate!).
Google Update is one such app.
The first problem is you can't install a program (such as Chrome) that is Google Update based.
So let's say you download the stand-alone Chrome installer.
Then what happens is the Google Updater tries to update. It can't. So it
Re: (Score:2)
Then all this careful design and coding was a huge waste of resources in itself. There is already a perfectly working way to installing software updates. Check a URL when the app is launched and notify the user.
There's no need at all to have a FREAKING UPDATER FOR GOOGLE APPS running in the background (as root!) all the time. And I for one don't want it on my system. I don't care if it runs on magic dust, it's cluttering up the output of `ps ax` for no good reason and that's bad enough.
Re: (Score:3, Interesting)
In addition, make the installation really explicit and give me options to completely skip an upgrade and not have it bugging me all the time. Seriously, this open sourcing is just a red herring. The real issues are how Google is using it, not what the tool is specifically doing.
you're missing the point, too (Score:2)
Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched
No, that's not right either. What Windows and OS X really need is a decent package and dependency management system like, oh, Linux has had for more than a decade.
Re: (Score:2)
What's wrong with MacPorts [macports.org]?
Re: (Score:2)
The thing to note here is how easy the process is for the user. I drag to install, drag to delete, and don't worry about anything else
Except that:
I can always run the latest software, because I'm not waiting for it to be packaged.
Except that you're constantly waiting for Apple to package and update their system. Some of their software is way, way behind.
I don't
Re: (Score:2)
I could easily say that Linux packaging is fundamentally broken because it's predicated on a development model that fails to maintain consistent ABI compatibility across release, resulting in a massive dependency chain that *REQUIRES* complex tools to adequately manage.
Linux packaging isn't "predicated" on any development model. It's just that because Linux packaging and dependency management works so well, people don't think much about ABI compatibility. Nevertheless, ABI compatibility actually seems to
Re:Adobe Updater (Score:2)
Adobe seems to have got it right with its latest version ...
I accidentally spit my coffee when I read that! Dude, you owe me a keyboard.
Re: (Score:2)
A standard installation of most software, including Adobe software, needs administrative privileges for updating. On a correctly configured computer, Photos
Re: (Score:2)
Re: (Score:3, Interesting)
And it sounds like you still don't understand the concept of sleeping processes. Just because there's a process taking up a number in a process table, it doesn't mean that it's doing anything else. It won't be using any RAM because it's paged out to disc. It won't be using any processor cycles because it's sleeping.
That all really depends on whether the process that you're assuming to be asleep is well-behaved.
Helps to understand these things before you complain about them.
Helps to not make assumptions about those proprietary binaries running on your system... (google update notwithstanding, since we don't know that the source they've released matches the binary we get.)
Would rather they fix it instead. (Score:2, Interesting)
I would prefer it if they fixed Google Update instead of releasing the source. Making it optional and easy to remove would be a good start. Amazingly Apple Update works better and most Apple software on windows, besides Safari, is lousy...
Re: (Score:2, Insightful)
I would prefer it if they fixed Google Update instead of releasing the source.
Thanks to the source release, you now have more than just one "they" to look at.
Re: (Score:2)
Personally I don't mind Google Update the way it is, but that's me.
Re: (Score:2)
And how much are you paying Google for the software that the Updater came with? If the answer is $0, Google isn't being paid, by you at least, to do it, either.
Re: (Score:2, Redundant)
Logical? (Score:2)
And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
I knew it. Eric Schmidt is Spock's love child... how he managed to hide the ears and eyebrows for this long, though, I don't know.
Wrong solution - why do we need it? (Score:4, Insightful)
Why do we need GoogleUpdater anyway?
OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?
Re: (Score:3, Interesting)
Because if you install chrome and use it only once, with a background service google still gets regular update checks from your IP address.
Using timestamps or unique IDs or other anonymous usage data they can then group your site accesses into a unique profile. Even if they can't map it to a specific user they get an anonymous profile from it, so they know the site access information they gather in other ways is from the same user instead of multiple users.
Re: (Score:2)
Why does getting an update check from an IP help with profiling? I don't get this leap of logic ... if I want to do ad targetting based on IP address, knowing that something behind the same IP address has Google Earth installed doesn't help me at all.
Re: (Score:2)
Why do we need GoogleUpdater anyway?
OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?
checking for a security update when the app is already running can be to late, see my other post [slashdot.org].
A Bad Idea Made Worse (Score:5, Insightful)
First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.
Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.
Third, CmdrTaco is being naive if he thinks open sourcing an abomination leads to the "obvious conclusion" that it's to be trusted. He forgets that the danger lies in the code that's being downloaded, not the code that is doing the downloading. It's the idea itself that's bad not the implementation.
Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror. And like Google, they're not likely to tell us what they're doing.
I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?" One person lying doesn't usually do much harm. Everyone lying would make life almost unbearable.
Having every application behaving like Google's would be an utter disaster. Open-sourcing Google's code makes as much sense as marketing a "Do It Yourself A-Bomb Kit" in the Middle East. The malicious genie is out of the bottle. Now we have to consider the possibility that every obscure application we download contains Google's dastardly code. A seemingly benign application could mutate on command into a monster. And because it spreads any time we're online, it could spread like wildfire. Google doesn't even seem to have been thinking when they came up with open-sourcing their monster.
What the Greeks called hubris, overweening pride, has struck again. Google has replaced Microsoft as the giant, high-tech business that seems most clueless about the distinction between good and evil, sensible and foolish. They censored the Internet for China, they claimed to own every book not in print, and now they want to determine what's on our computers without our consent and without our knowledge.
Re: (Score:3, Informative)
Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.
Wait, what?
I don't know about OS X, but apple products on Windows absolutely demand this and a lot more. After installing itunes, I found I had "iTunesHelper.exe", "mDNSResponder.exe" and "iTunesService.exe", and the quicktime launcher always running in the background. When I disable them they come back every time I run iTunes (save the qt launcher) - and stay running after itunes is closed.
When I update iTunes, quicktime takes over all of my browser preferences again which means I have to spend time
Re: (Score:2)
Don't forget about the Apple Software Updater, which is installed even if you opt-out during the install of whatever software (ie iTunes or Quicktime) you're installing!
At least this can be uninstalled again.
Java also insists on installing an always-running update service, with no easy way to disable.
Are there others -- outside of antivirus vendors, one of the few examples where an always-running updater makes sense?
Re: (Score:3, Insightful)
Yes, all of this complaining about Google should be taken in context. People are saying that this is an instance of their 'we rule the world' attitude, but there are lots of other companies that do the same (constantly running updaters) and worse.
Quicktime is a good example, and HP printer software is another.
At least Google has shown us the code. No way that those others would.
If (YouDo==True) Then {Damned} Else {Damned}; (Score:2)
the danger lies in the code that's being downloaded, not the code that is doing the downloading.
There's also the danger in the code that's already running, and needs to be replaced because it has a security vulnerability?
It was the fictional AI Joshua who said "The only way to win is not to play."
I don't really care for the particulars of google's update service, but I have yet to actually get burned by it.
I'd prefer it if they had something set up where it alerts you if there's an update available, tells you what it is and why you should consider installing it if you're curious, and then allows you t
Re: (Score:2)
It's not a hypothetical question when it comes to auto updaters. Look at your average Windows box and you'll see that there's quite a few of these, and they're typically annoying and consuming far more resources than is called for. Off the top of my head, I know I have to kill the one that comes with Java regularly. Google's is nigh impossible to keep gone. Apple's Quicktim
Re: (Score:2)
Obviously I'm missing something here. Imagine a world where applications update themselves silently in the background when the computer is idle, so the newest version is always ready to use. The. Horror.
Re: (Score:2)
For an app that only makes outbound connections and ensures that the site its connecting to is using a properly verified certificate then its not really a problem, just for paranoids like yourself
Re: (Score:2)
Obviously, open sourcing it is the first step to making it a general service any app can register with. Really, a Google Updater type system should be a part of Windows for many years now. But it's not. If there's going to be an updater system in the background, there might as well be only one - and one that is robust, widely deployed, with high quality code and maintained as open source by a dedicated team of full-time engineers se
Oh brother... (Score:2)
This is the same problem with voting machines. Google has release source codes they claim they used to create the code running on your machine. There is no way to verify that, so this is not reassuring in the slightest, unless you don't know how software works. I think it's great that Google did this, and I have no reason to cite to distrust their intentions here - but this is false assurance at it's best.
So build your own updater. (Score:2)
Build your own updater, or wait for someone to do that, to replace Google's version. There's only one copy of Google Updater running on your computer.
Re: (Score:2)
That is likely to have more verifiable results - but consider whether you can still be 100% sure you are not running something untrusted .. do you audit all the code you build?
At some level you have to trust your vendors, whether it's for binary or source distribution. That's just how it is. Of course that explains why you should not ever use electronic voting machines - since that system can't be trusted, ever. But that's a different issue. :-)
Malware (Score:5, Insightful)
Google Update installs itself without my permission, runs without notifying me, and is difficult to disable and uninstall. This fits my definition of malware. I'd like to have an option for my anti-virus and anti-malware software to start detecting and destroying programs like these.
-- 77IM
Re: (Score:2)
Without your permission? Did you not start the installer and blindly skip the screen where it told you it was going to install it? I don't see how that counts as without your permission.
The fact that you're too lazy to read what was presented to you doesn't change the fact that you were given the opportunity to know what the installer was doing.
Unfortunately your anti-virus and anti-malware can't detect stupid or they would have stopped you from using your computer in the first place.
Is it just me, or are we missing the point? (Score:2)
Isn't it possible that Google's move is nothing more than a response to the recent Apple-centered trouble about a patent on automatic updates?
http://yro.slashdot.org/article.pl?sid=09/04/07/1654220&from=rss [slashdot.org]
Too little, too late (Score:2)
Google has really fucked up with its updater. They installed it behind the user's back, in direct contradiction of Google's own stated guidelines. The Google Earth plugin for the Mac contained the updater, but you wouldn't know it from reading the on-screen installation text.
All the while, Google is saying in their "Software Principles" [google.com]:
Re: (Score:2, Informative)
Find the service name in the Windows Service Browser (find googleupdate in the service list and double-click. It'll be named googleupdate followed by a bunch of random characters). Open a DOS prompt. Enter this command: INSTSRV REMOVE That will delete the service, then you can delete the GoogleUpdate folder from your Program Files.
This will work for any other unwanted service as well.
The command is:
INSTSRV servicename REMOVE
Re:Pfft (Score:4, Interesting)
This isn't a story about "Software X added to supply of OSS, hurrah!" this is "Company Y uses OSS as disclosure strategy", which is modestly novel.
Re: (Score:2)
You really don't know what digital certificates are?
If you don't than you probably shouldn't be worried about why they are stored in the revision control system, or why it might be useful to have dummy certs included with the source to allow the build to work properly out of the box for testing purposes without requiring that you know how to generate ssl certificates.
You really should thank google for including them since you obviously don't know anything about them. I presume you're going to bitch that th
Re: (Score:2)
And for reference, Windows has a package manager and has for ages. You know ... the Windows Installer Service, Add/Remove Programs that love MSI files ...
There is no central repository of apps, but Windows has a fully functional package manager already that is more than capable of taking care of things on its own since before your favorite package manager existed, unless you prefer plain jain tarballs, in which case I fail and you miss the point of a package manager entirely.