| Thank you for taking the time to respond. > Yes. And the same is probably true of the browser you used to post this. Also, the OS it's running on. It's the price of being "evergreen." The OS, yes, to a certain extent. I don't think I've set up apt/cron-apt to automatically pull in stuff on (any of) my desktop(s) yet -- they tend to have a couple of bleeding edge repos enabled, and I often do not want even security updates at surprising times. Nothing like firing up your laptop on an airplane just to discover 3d acceleration no longer works because of a kernel security update (frequently for a local-only crash/exploit). As for browsers, I'm mostly familiar with FF, and that usually prompts before update? I think you can set it to automatically update, though? I do accept that trusting a single group of people to maintain the OS can be a good trade-off -- I trust Debian's Security team to do that. Sure, if they are compromised (or more likely, make a mistake) I'll suffer. But I'm not interested in having the small chance of key compromise be multiplied with all the (complex) software packages I use. Also, for context, the same documentation clearly states "Urbit is not (currently) secure in any way" (or something to that effect), and in passing "if urbit runs as root". Well, apt-get does run as root, but a) it only runs automatically if I tell it to, and b) it's built on rather well-tested primitives (GnuPG etc). So, having Urbit be notified of changes, and optionally automatically update sounds great, I'm not sure if I think "always automatically update" sounds quite as great. Especially if the stuff on which trust is built (encryption etc) is still considered unstable. [ed: To be clear, the last bit, I like: "A normal Urbit user never has to think about software update." Key word being "normal". As Urbit is unstable, and everyone are developers and/or testers - there aren't (yet) any such "normal" users? ] |
With SaaS web apps, it is of course impossible to turn off updates, which annoys the heck out of me.