Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Businesses Google The Internet Upgrades

Google Open Sources Updater 174

Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
This discussion has been archived. No new comments can be posted.

Google Open Sources Updater

Comments Filter:
  • by datapharmer ( 1099455 ) on Monday April 13, 2009 @08:51AM (#27555837) Homepage
    Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.
    • Re: (Score:2, Interesting)

      Has anyone built this from source, then checksummed the result to validate that this is the same software?

      Bait and switch would be just like these guys!

      • by xouumalperxe ( 815707 ) on Monday April 13, 2009 @09:13AM (#27556063)
        That would only work if you used the same build of the same compiler, with the same flags.
        • Re: (Score:3, Informative)

          by 0xygen ( 595606 )

          Still would not validate.

          Theirs is digitally signed and has date stamps in.

          I think the only options is to use something like bindiff, which excludes comparisons of much of the PE metadata.

      • It wouldn't work without knowing the specifics of the environment they compiled in.

        Besides, that wouldn't be bait and switch - just outright lying.

      • Re: (Score:3, Interesting)

        Somebody has to do this, so it might as well be me: Yes, the usual [bell-labs.com]
        • So be sure not to use the Google C Compiler. Be careful; they sometimes just call it gcc, so as to hide its sinister Googlywoogly origin.
      • by 0xABADC0DA ( 867955 ) on Monday April 13, 2009 @11:31AM (#27558101)

        Bait and switch would be just like these guys!

        Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier? There is ZERO reason for a updater to identify anything besides installed product (if that), not even the currently installed version. Any intelligent person knows this, and google is a cut above. That means it was certainly their intention to collect more information through updates. And why wouldn't google do this?

        Even today there are a lot of people that never log in to a google service. Google updater is really about identifying and categorizing these users, for better ad targeting or accounting or whatever purpose. All they have to do is install any one google product, even if they never use it. If you log in to google often they already have a great profile on you.

        The update check lets them tie your IP address with their profile on you. Many people have 'stable' IP addresses, even though they are using DHCP they get the same address. The updater lets google determine this, or that a person's IP address isn't stable.

        The simplest, most effective, and most obvious method to track individuals is with a unique ID. This was the first method updater used (ie, google thinks everybody else are idiots). This provides a direct IP to user mapping at ever update.

        Next, they might try a last-update-at timestamp. Even at a second resolution with list of installed products this lets them easily map IP to user with a high degree of accuracy. But they'd probably try something to tighten this up, like return a time cookie from the server and store it for next time.

        If they can't do a direct mapping like this, they'll try something more sneaky like 'anonymous usage data' that then can just look up in their database... how many users accessed gmail exactly 327 times and groups 136 times in the last week? Repeat until it narrows down to one.

        So the updater software itself is irrelevant. The only issue is what data does it send and does it run often enough to lock down your IP, or determine how your IP changes over time. This is important because tracking images, google-analytics, ad-words can determine your IP as you visit sites.

        • The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie? All this is good for is deduping update requests, to get an accurate figure for how many machines the software runs on.

          If you were building an auto-updater, you'd probably be interested in knowing how many people had your app installed too. That way you know if people uninstall the app you're doing something wrong!

          • Re: (Score:3, Informative)

            by 0xABADC0DA ( 867955 )

            The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie?

            Say the logs look like this:

            17.205.76.119: update request from uid 229782969
            17.205.76.119: log in to gmail as Joe User
            17.205.76.119: request 1x1 dissident-456713.png
            17.205.76.119: request google-analytics for site americanidol.com
            continues for 1 week
            17.205.76.119: update request from uid 229782969

            Since there were no other updates from your IP they know you aren't behind a proxy. They can tell with high probability that everything done from that IP during the week is attributable to you. For advertising pu

        • by Bert690 ( 540293 )

          Bait and switch would be just like these guys!

          Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier?

          The purpose of the ID is described here [google.com]. But you may need to take off the tin foil hat before you can understand it.

          GoogleUpdate also uses its own, randomly-generated unique ID number to accurately count total users. This information includes version numbers, languages, operating system, and other install or update-related details, such as whether or not the applications have been run. This information is not associated with you or your Google Account.

      • Bait and switch would be just like these guys!

        Any examples to back that statement up? Supposedly releasing the source code for an app while secretly making binaries of the app from different source would be very evil indeed.

    • by jollyreaper ( 513215 ) on Monday April 13, 2009 @09:35AM (#27556327)

      Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.

      Don't worry, I checked. Has the little (u) and everything for Passover. Dunno how it'll be after the holiday's over, though.

  • For the love of god (Score:5, Interesting)

    by Anonymous Coward on Monday April 13, 2009 @08:53AM (#27555849)

    Someone add a feature to turn it off completely.

    • by Jamie's Nightmare ( 1410247 ) on Monday April 13, 2009 @09:02AM (#27555965)

      Here's a wild and crazy idea. You could disable the Google Updater Service via Control Panel\Administrative Tools\Services. I know.... I know.... radical, but it actually works. Imagine that.

      • by Perseid ( 660451 ) on Monday April 13, 2009 @09:13AM (#27556079)
        And don't forget to turn off the scheduled event to turn the service back on. And don't forget to do it all over again every time you install/update anything by Google. Also, the instructions to kill it don't seem to be the same all the time. Maybe it depends on exactly what app you're installing. Maybe it's just Google trying to screw with my mind. Google Update needs to die.
        • by Tikkun ( 992269 )
          This reminds me why I like cron.
        • by AmiMoJo ( 196126 )

          This sounds like an excellent project for someone. Produce a Google app installer without the privacy and take-over-your-pc stuff. Why do I even need Updater just to install Google Earth or Chrome?

          Speaking of Chrome, I'm surprised there isn't a community build yet. There is Iron, but it's produced by a commercial company and I don't have time to check what they did myself. At least I can more or less trust Firefox.

          • by Zerth ( 26112 )

            What, like Chromium?

            • by AmiMoJo ( 196126 )

              Chromium is just the open source version, but it's controlled by Google so if you submit a patch to, say, disable sending Google a serial number I expect it would probably be rejected.

              That's what I mean by community build, one based on patches not approved by Google with all the nasty stuff removed.

        • What is this task scheduler thingy?

          Oh right, I deleted that. :D

        • And don't forget to turn off the scheduled event to turn the service back on. And don't forget to do it all over again every time you install/update anything by Google.

          No problem, put it in a shell script, and run it from cron every minute.

          Finding the windows equivalent of that is left as an exercise for the reader ;-)

      • by octaene ( 171858 )

        Or perhaps block the thing with your desktop firewall?

      • From TFA:

        it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues.

      • Here's a wild and crazy idea. You could disable the Google Updater Service

        Here's a wilder idea: license Google Pack openly, give it better dependency handling, and setup an independant debian-like group to oversee it and it's packages on google-sponsored (but easily mirrorable/replaceable/overridable) servers. Then release tools to help people publish their software, review other software, etc. If google wants to beat MS, the best way to do that is to encourage a debian-like software delivery system on Wi

      • This does not actually work, as I've done it numerous times. There's also a scheduled task that reenables it, among other things. I have been trying to disable it for a while and have not been able to get it to go away. Just gave up at this point.
    • by dfm3 ( 830843 ) on Monday April 13, 2009 @09:05AM (#27555987) Journal
      Google has already provided instructions [google.com] on how to uninstall the updater [google.com].

      Of course, it will be reinstalled within a few hours if you run another Google program. On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.
      • by syousef ( 465911 ) on Monday April 13, 2009 @09:34AM (#27556323) Journal

        On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.

        1. Install Linux
        2. Follow above instructions.

        • Re: (Score:2, Insightful)

          Google doesn't have an updater on Linux, at least not one that came with Google Earth or Google Picasa.

        • by dfm3 ( 830843 )
          Hey, I never said I was running Mac OS X on that Mac. For all you know it could be a very expensive Linux box. :-P

          (Well, actually, I am running OS X. When I'm not booted into Ubuntu)
        • Why would anyone want to ruin a perfectly good Windows install with Linux?

      • by thePowerOfGrayskull ( 905905 ) <marc,paradise&gmail,com> on Monday April 13, 2009 @09:52AM (#27556631) Homepage Journal

        I never gave GE my password. I'm not sure what the workaround is for Windows.

        Similar. Using the CACLS command line tool, or the Security dialog in file properties, remove all file permissions for all users except the "delete" and "read attribute" permissions.

        Read attribute might be able to go too, I haven't tested - but the above will make it so that the file can't be updated, can't be executed, but can still be deleted when you want to.

        • Deny all to everyone. Then the only way to do anything with the file is to come back later and give yourself permissions again by removing the deny all to everyone.

          You can always modify permissions as the owner so denying all to everyone won't lock you out, you just have to remove the deny later to do anything with it, but it'll stop pretty much every other app from doing anything to it.

          Works like a charm.

          Useful for preventing apps from screwing with the registry as well if you find something that likes to

      • by AmiMoJo ( 196126 )

        On Windows you can either make a file in the Program Files directory with the exact name of the Google Updater directory (which prevents it from being created), or you can use gpedit.msc to set a "no execute" policy for files in that directory.

        • Or you could just change the file permissions to not allow it to be executed, just like every other OS.

    • Someone add a feature to turn it off completely.

      Can someone remind why they did it this way again, other than for annoyance? Whatever good reason they had is probably nullified by the fact people try to remove it, because of its annoying behaviour. Please just let me know when I use the application, and not when I haven't opened the application for over a month.

      On MacOS X Sparkle [andymatuschak.org] is a nice way to go about things, and something I would like to see ported to other platforms.

      • Exactly - all they need to make this problem go away is to adopt the rather more sane update mechanism used by other apps - check for updates on a given schedule when the app is launched - if it's out of date, inform the user, and give them a choice of what to do.

        I don't care if it's open or closed source, made by Google or any other company - I don't want background processes running unless they are absolutely necessary, and this one is not.

  • by PhasmatisApparatus ( 1086395 ) on Monday April 13, 2009 @08:54AM (#27555871)
    to the "do no evil" slogan.

    And of course, this goes hand-in-hand with keeping Chromium easy to use.
    • It could still be doing evil, but you can now find the evil yourself and remove it. Most people of course will be running supplied binaries, not compiling the code themselves, and don't know the difference anyway.
      • by eln ( 21727 ) on Monday April 13, 2009 @09:27AM (#27556235)

        Yes, but as always happens when you open source software, a huge community will immediately spring up from the ground to fork it and start adding features to it. After a few months, that community will decide what it really needs is a ground-up rewrite. After 5 years and several hundred alpha releases, you'll be able to download the first beta of the rewritten app, which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.

        • which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.

          Yeah, but does it run emacs?

        • Your comment would be really funny if it wasn't so depressingly true.

  • Missing The Point (Score:5, Interesting)

    by Blue Stone ( 582566 ) on Monday April 13, 2009 @08:57AM (#27555909) Homepage Journal

    It's not the privacy and security aspects of having Googel Update always running in the background that concerns me, it's that a process that is only needed once in a while is constantly running using up resources unnecessarily.

    Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).

    No need to have an updater constantly running in the background at all.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

      Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degredation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS

      • by ultrabot ( 200914 ) on Monday April 13, 2009 @09:54AM (#27556665)

        There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

        All of this handwaving is unnecessary, since the problem is "ethical" in a sense. The user does not want to have google updater running for whatever reason => the user should be able to remove it whenever he wants. I suppose the rootkit sony installed back in the day didn't consume too much resources either.

        • by Futurepower(R) ( 558542 ) on Monday April 13, 2009 @10:50AM (#27557499) Homepage
          MOD PARENT UP! '... the problem is "ethical" in a sense.'

          Processes that run all the time make computer administration more complicated. The issue is not just one process; many, many companies want control over user's computers and believe that a system process is the way to achieve that.

          Google Updater should run only when a program supplied by Google is running. Unnecessary control is always a reason for criticism, not just unnecessary control over other people's computers. Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.
          • Google Updater should run only when a program supplied by Google is running.

            So think about this scenario:

            A product has a security issue tha can be exploited remotely (lets say (and this is hopefully not a real exploit, but something like this could theoretically happen)

            Google earth has an issue with KMZ files (buffer overflow, whatever)
            user gets a kmz file
            opens it
            --> exploit can do its thing.

            It is now useless that Google Earth would display "there is an important security update available".

            therefor: it is important to patch the apps *before* opening it.

            please note: that is not s

            • The answer is to do the updating before the application is fully loading.
            • by he-sk ( 103163 )

              That scenario assumes that the updater can do its thing before the user clicks on a bad file. Highly doubful.

              It's also worth mentioning that having the Google Updater run as root all the time opens up another vector for exploits.

          • by adolf ( 21054 )

            I work on computers for people, sometimes, as a side project.

            For the past few years, every single computer that I have to nuke and reinstall Windows on gets the following treatment:

            1. Google Updater with Firefox, set up to be as automatic and out-of-sight as possible
            2. Avast antivirus, set up to be as automatic and out-of-sight as possible
            3. Windows Update set to always install every update, all by itself

            I then set Firefox as the default browser, and get rid of most of the IE icons in the system. People

      • by jollyreaper ( 513215 ) on Monday April 13, 2009 @09:54AM (#27556671)

        There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

        Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degredation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS.

        Doesn't matter. Just have it run once a week on startup like most apps do and we're fine.

        As far as Windows goes, it'd be nice if third parties could register with Windows update. You install app X, it now gets to be polled on Windows update at whatever schedule you use. Update available, there you go. It'd be like what the Linux distros do with their lovely updaters.

        I just hate extraneous shit that gets installed and harshes your computer's well-being. Perfect example are the shitty printer TSR's that just sit there in the corner hogging up resources waiting for you to print. Why? Unnecessary! And when you uninstall them it's like your computer gets a needle of adrenaline right in the heart, it's ten times faster than you're used to.

        About only half of what sucks about Windows can be directly blamed on Microsoft. The rest of it has to be blamed on the third party apps.

      • It is one more damn program that has to start up when I reboot (which isn't often). That slows down the startup process. It runs per-user not per-machine, which probably pisses off people running terminal server (or people who actually use the fast-user-switch stuff).

        There are several reasons why Google Update runs all the time that you're missing

        I cannot think a single reason. Not one. You can schedule update checks like everybody else. You can even do it hourly if you are worried about "OMG ZERO DAY

      • That might be true in a vanilla environment.

        For some reason, many applications don't understand how to communicate with authenticating proxy servers. (Even Internet Explorer's system of downloading intermediate certificate authorities can't authenticate!).

        Google Update is one such app.

        The first problem is you can't install a program (such as Chrome) that is Google Update based.

        So let's say you download the stand-alone Chrome installer.

        Then what happens is the Google Updater tries to update. It can't. So it

      • by he-sk ( 103163 )

        Then all this careful design and coding was a huge waste of resources in itself. There is already a perfectly working way to installing software updates. Check a URL when the app is launched and notify the user.

        There's no need at all to have a FREAKING UPDATER FOR GOOGLE APPS running in the background (as root!) all the time. And I for one don't want it on my system. I don't care if it runs on magic dust, it's cluttering up the output of `ps ax` for no good reason and that's bad enough.

    • Re: (Score:3, Interesting)

      by samkass ( 174571 )

      In addition, make the installation really explicit and give me options to completely skip an upgrade and not have it bugging me all the time. Seriously, this open sourcing is just a red herring. The real issues are how Google is using it, not what the tool is specifically doing.

    • Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched

      No, that's not right either. What Windows and OS X really need is a decent package and dependency management system like, oh, Linux has had for more than a decade.

      • by he-sk ( 103163 )

        What's wrong with MacPorts [macports.org]?

    • Adobe seems to have got it right with its latest version ...

      I accidentally spit my coffee when I read that! Dude, you owe me a keyboard.

    • by Gnavpot ( 708731 )

      Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).

      A standard installation of most software, including Adobe software, needs administrative privileges for updating. On a correctly configured computer, Photos

    • The question is: why haven't OSes gotten this right for all applications? (I know apt, yum, macports, blah blah .. still not there.)
  • "Unfortunately, the service has many bugs, it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues"

    I would prefer it if they fixed Google Update instead of releasing the source. Making it optional and easy to remove would be a good start. Amazingly Apple Update works better and most Apple software on windows, besides Safari, is lousy...
    • Re: (Score:2, Insightful)

      by FrostDust ( 1009075 )

      I would prefer it if they fixed Google Update instead of releasing the source.

      Thanks to the source release, you now have more than just one "they" to look at.

      • Yeah, but the other theys aren't being paid to do it. If they do it, awesome, but it should be Google that does it.

        Personally I don't mind Google Update the way it is, but that's me.
        • Yeah, but the other theys aren't being paid to do it. If they do it, awesome, but it should be Google that does it.

          And how much are you paying Google for the software that the Updater came with? If the answer is $0, Google isn't being paid, by you at least, to do it, either.

  • Re: (Score:2, Redundant)

    Comment removed based on user account deletion
  • And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.

    I knew it. Eric Schmidt is Spock's love child... how he managed to hide the ears and eyebrows for this long, though, I don't know.

  • by Bearhouse ( 1034238 ) on Monday April 13, 2009 @09:26AM (#27556211)

    Why do we need GoogleUpdater anyway?
    OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?

    • Re: (Score:3, Interesting)

      by 0xABADC0DA ( 867955 )

      Because if you install chrome and use it only once, with a background service google still gets regular update checks from your IP address.

      Using timestamps or unique IDs or other anonymous usage data they can then group your site accesses into a unique profile. Even if they can't map it to a specific user they get an anonymous profile from it, so they know the site access information they gather in other ways is from the same user instead of multiple users.

      • Why does getting an update check from an IP help with profiling? I don't get this leap of logic ... if I want to do ad targetting based on IP address, knowing that something behind the same IP address has Google Earth installed doesn't help me at all.

    • by Val314 ( 219766 )

      Why do we need GoogleUpdater anyway?
      OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?

      checking for a security update when the app is already running can be to late, see my other post [slashdot.org].

  • by InklingBooks ( 687623 ) on Monday April 13, 2009 @09:42AM (#27556457)
    I'd agree with Bluestone's remarks and add some of my own.

    First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.

    Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.

    Third, CmdrTaco is being naive if he thinks open sourcing an abomination leads to the "obvious conclusion" that it's to be trusted. He forgets that the danger lies in the code that's being downloaded, not the code that is doing the downloading. It's the idea itself that's bad not the implementation.

    Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror. And like Google, they're not likely to tell us what they're doing.

    I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?" One person lying doesn't usually do much harm. Everyone lying would make life almost unbearable.

    Having every application behaving like Google's would be an utter disaster. Open-sourcing Google's code makes as much sense as marketing a "Do It Yourself A-Bomb Kit" in the Middle East. The malicious genie is out of the bottle. Now we have to consider the possibility that every obscure application we download contains Google's dastardly code. A seemingly benign application could mutate on command into a monster. And because it spreads any time we're online, it could spread like wildfire. Google doesn't even seem to have been thinking when they came up with open-sourcing their monster.

    What the Greeks called hubris, overweening pride, has struck again. Google has replaced Microsoft as the giant, high-tech business that seems most clueless about the distinction between good and evil, sensible and foolish. They censored the Internet for China, they claimed to own every book not in print, and now they want to determine what's on our computers without our consent and without our knowledge.

    • Re: (Score:3, Informative)

      Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.

      Wait, what?

      I don't know about OS X, but apple products on Windows absolutely demand this and a lot more. After installing itunes, I found I had "iTunesHelper.exe", "mDNSResponder.exe" and "iTunesService.exe", and the quicktime launcher always running in the background. When I disable them they come back every time I run iTunes (save the qt launcher) - and stay running after itunes is closed.

      When I update iTunes, quicktime takes over all of my browser preferences again which means I have to spend time

      • Don't forget about the Apple Software Updater, which is installed even if you opt-out during the install of whatever software (ie iTunes or Quicktime) you're installing!
        At least this can be uninstalled again.

        Java also insists on installing an always-running update service, with no easy way to disable.

        Are there others -- outside of antivirus vendors, one of the few examples where an always-running updater makes sense?

      • Re: (Score:3, Insightful)

        by Qwavel ( 733416 )

        Yes, all of this complaining about Google should be taken in context. People are saying that this is an instance of their 'we rule the world' attitude, but there are lots of other companies that do the same (constantly running updaters) and worse.

        Quicktime is a good example, and HP printer software is another.

        At least Google has shown us the code. No way that those others would.

    • the danger lies in the code that's being downloaded, not the code that is doing the downloading.

      There's also the danger in the code that's already running, and needs to be replaced because it has a security vulnerability?

      It was the fictional AI Joshua who said "The only way to win is not to play."

      I don't really care for the particulars of google's update service, but I have yet to actually get burned by it.

      I'd prefer it if they had something set up where it alerts you if there's an update available, tells you what it is and why you should consider installing it if you're curious, and then allows you t

    • I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?"

      It's not a hypothetical question when it comes to auto updaters. Look at your average Windows box and you'll see that there's quite a few of these, and they're typically annoying and consuming far more resources than is called for. Off the top of my head, I know I have to kill the one that comes with Java regularly. Google's is nigh impossible to keep gone. Apple's Quicktim

    • "Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror."

      Obviously I'm missing something here. Imagine a world where applications update themselves silently in the background when the computer is idle, so the newest version is always ready to use. The. Horror.

    • First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.

      For an app that only makes outbound connections and ensures that the site its connecting to is using a properly verified certificate then its not really a problem, just for paranoids like yourself

      Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen ye

    • Having every application behaving like Google's would be an utter disaster.

      Obviously, open sourcing it is the first step to making it a general service any app can register with. Really, a Google Updater type system should be a part of Windows for many years now. But it's not. If there's going to be an updater system in the background, there might as well be only one - and one that is robust, widely deployed, with high quality code and maintained as open source by a dedicated team of full-time engineers se

  • This is the same problem with voting machines. Google has release source codes they claim they used to create the code running on your machine. There is no way to verify that, so this is not reassuring in the slightest, unless you don't know how software works. I think it's great that Google did this, and I have no reason to cite to distrust their intentions here - but this is false assurance at it's best.

    • Build your own updater, or wait for someone to do that, to replace Google's version. There's only one copy of Google Updater running on your computer.

      • by Touvan ( 868256 )

        That is likely to have more verifiable results - but consider whether you can still be 100% sure you are not running something untrusted .. do you audit all the code you build?

        At some level you have to trust your vendors, whether it's for binary or source distribution. That's just how it is. Of course that explains why you should not ever use electronic voting machines - since that system can't be trusted, ever. But that's a different issue. :-)

  • Malware (Score:5, Insightful)

    by S77IM ( 1371931 ) on Monday April 13, 2009 @10:37AM (#27557323)

    Google Update installs itself without my permission, runs without notifying me, and is difficult to disable and uninstall. This fits my definition of malware. I'd like to have an option for my anti-virus and anti-malware software to start detecting and destroying programs like these.

      -- 77IM

    • Without your permission? Did you not start the installer and blindly skip the screen where it told you it was going to install it? I don't see how that counts as without your permission.

      The fact that you're too lazy to read what was presented to you doesn't change the fact that you were given the opportunity to know what the installer was doing.

      Unfortunately your anti-virus and anti-malware can't detect stupid or they would have stopped you from using your computer in the first place.

  • Isn't it possible that Google's move is nothing more than a response to the recent Apple-centered trouble about a patent on automatic updates?

    http://yro.slashdot.org/article.pl?sid=09/04/07/1654220&from=rss [slashdot.org]

  • Google has really fucked up with its updater. They installed it behind the user's back, in direct contradiction of Google's own stated guidelines. The Google Earth plugin for the Mac contained the updater, but you wouldn't know it from reading the on-screen installation text.

    All the while, Google is saying in their "Software Principles" [google.com]:

    We believe software should not trick you into installing it. It should be clear to you when you are installing or enabling software on your computer and you should have the

Every program is a part of some other program, and rarely fits.

Working...