by FatalLogic 3582 days ago
I'm not a Transmission user, but this makes me wonder, as a sort of Ask HN question: How long do you wait before updating software?

If you always update as soon as possible, then you risk getting hit by a compromise like this one, or you could suffer other unintentional bad effects of a botched update.

But the longer you delay updating, the more you raise your risk of becoming a victim of a new vulnerability that's just been patched and is now in the wild.


Problem is that apps nowadays check for updates automatically. And if the release message says it's a security patch I guess most users will update right away. At least I do. And obviously if I was a hacker I would play that "important security update, upgrade immediately" card, it's basic social engineering...
Neither during this nor the previous incident were the updates compromised (they were checked by the installed binary). Only fresh downloads from the website.
I haven't read much about this, so perhaps I'm not understanding clearly, but if the downloaded binary from Transmission's "website server" was replaced, then how is that not a compromise?

I genuinely feel for the developers, and I personally would not blame them if I was affected, but unless the data was intercepted en route from their server, then I think they have to accept some degree of responsibility for the whole delivery chain to the end user.

It was compromised, but wouldn't affect updates as the internal updater checks signatures.

(IIRC the first compromised version (not sure about the second) also had broken / no Mac OS codesigning, though I'm not sure how many people turn off / bypass gatekeeper).
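The distinction drawn in this comment, that the in-app updater verified what it fetched while a fresh website download was trusted blindly, is the whole risk. As an added illustration (this is example code written for this thread, not Transmission's updater, and every value in it is constructed), here is the minimal check a downloader can do with a digest pinned out of band, alongside the same check done with a digest served from the same site, which a compromised server defeats trivially:

```python
import hashlib
import hmac

# Constructed stand-in for a genuine release artifact (not a real Transmission build).
GENUINE_BUILD = b"constructed-genuine-release-bytes"

# Digest obtained out of band (e.g. shipped with the previously installed version
# or published through a channel the download server cannot rewrite). Constructed
# here by hashing GENUINE_BUILD; in practice it is pinned before any download happens.
PINNED_SHA256 = hashlib.sha256(GENUINE_BUILD).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, pinned_digest: str) -> bool:
    """Accept the artifact only if it matches a digest the download server did not supply.

    compare_digest is used so the comparison does not leak timing information.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_digest)


def verify_with_inband_digest(data: bytes, served_digest: str) -> bool:
    """Same comparison, but the digest arrived from the same server as the file.

    This is what a 'checksum on the download page' gives you: if the server is
    compromised, the checksum is rewritten alongside the file and the check passes.
    """
    return hmac.compare_digest(sha256_hex(data), served_digest)


def simulate_compromised_site() -> dict:
    """Model a server that replaces the artifact and the checksum it publishes.

    Returns the outcome of each verification strategy so the difference is explicit.
    """
    # Constructed tampered artifact: same name, different bytes.
    tampered_build = GENUINE_BUILD + b"-modified"
    # The compromised site publishes a checksum that matches its own tampered file.
    served_digest = sha256_hex(tampered_build)
    return {
        # Genuine file against the pinned digest: accepted.
        "genuine_pinned": verify_download(GENUINE_BUILD, PINNED_SHA256),
        # Tampered file against the pinned digest: rejected, which is the point.
        "tampered_pinned": verify_download(tampered_build, PINNED_SHA256),
        # Tampered file against the site's own digest: accepted, no protection at all.
        "tampered_inband": verify_with_inband_digest(tampered_build, served_digest),
    }


if __name__ == "__main__":
    for strategy, accepted in simulate_compromised_site().items():
        print(f"{strategy}: {'accepted' if accepted else 'rejected'}")
```

A pinned digest is the simplest form of the out-of-band trust an updater relies on; a signing key embedded in the installed application plays the same role with the added benefit of covering releases that did not exist when the key was pinned. Either way, the property that matters is that the verification material does not come from the server being verified.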

Well, they do accept some kind of responsibility: it is spelled out clearly in the license what they accept, and you can choose whether you prefer the terms defined in GPL, or MIT (Transmission is dual-licensed).
Do you mind linking to that? Please quote the relevant part of license if you have time.

I ask that because I think they'd be insane to accept responsibility.

I searched on their site, briefly, but I couldn't find this.

I haven't checked the MIT license, but GPL 3.0 has this clause about liability limitation.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

To me it sounds like it means whatever happens after you use our software, it's not our fault! Which sounds like a reasonable license for open source free software, to me.

Exactly that. They give you their work for free (as in freedom and also as in beer), so why would they accept anything more than a responsibility to provide you with the source and wish you good luck? If you want protection, you can buy commercial support for GPL-licensed software, if it exists for the software in question, or look for an insurance company to buy insurance against any calamity. Why would Transmission developers provide such a thing, and what's more, for free?
I wait about a week, unless I've heard out of band talk about some terrible hack with a punny name and we all need to upgrade NAO!1! I suppose I should always look for a secondary source for release notes or such as soon as possible; I don't because I am a lazy human.
Yes, totally, if you want to make the best decision, then you have to keep up with the news. That's why I'm interested in other opinions about this, because there are a lot of data points you need to factor into a decision. It's not a simple decision. That's work, and we are lazy humans, you're right.

But, I don't wait a whole week if the update is from an organization which I think I can trust not to totally botch an update, because they're conscious of the enormous potential for costly legal liability. I'm thinking of organizations such as Microsoft, Apple, Nvidia, AMD, Google, as a few examples. I might wait 1 or 2 days in that case.

It's more like a botched update from Microsoft, Apple, etc. will be noticed by lots of people within one or two days.
The size of the user base is certainly an important factor. To maybe exaggerate a contrary opinion though, I'd say that users of, for example, Ubuntu Linux, are far more alert to security issues than Microsoft customers.

I'm not totally disagreeing, I'm just trying to say that calculating a confidence score for software updates is not simple. Maybe it's clearer if I give you a real-world example: I use cryptocurrencies to move moderately large amounts of capital in my business, and so my paranoia-level for software installed on the single, air-gapped laptop that handles cryptocurrencies is sky high and crazy cautious. My other business is separated from that, and I can be much more relaxed about software updates for it, because the risks are much lower.