[superflyguy]

I just checked and I was on v9 from 8 years ago on my work pc. Why bother fixing security bugs etc if you're not going to roll them out? With other Windows software I get told about updates when I load them (winscp, Virtualbox) or they check and update themselves (Firefox).

[MereInterest]

Because there are multiple conflicting priorities here. On the one hand, it is good to keep software updated, and therefore software should check for updates. On the other hand, software should restrict itself to solving one problem domain. Interacting with the internet is something wholly distinct from decompressing files, and so the software should not branch off into a new domain. Choosing between these priorities is not necessarily straightforward.

I could also argue that automatic updates are themselves a security hole. They are a way for new code to be downloaded and run, without notifying the user. As a result, it means that your security depends on the security of a machine not under your control. Not too much of a risk for Firefox, but imagine having a program that auto-updated from SourceForge during its experimental fling as a malware distributor.

[EvilTerran]

A real-life example of the risk of automatic updates: about a decade ago, the maintainers of the Shareaza multi-protocol p2p client lost control of their domain, and the new owners of the domain pushed their own (sleazy, commercial) software to unsuspecting Shareaza users via its update mechanism.

(IIRC the maintainers learned the right lesson from that, and started signing their updates so it can't happen again)

[mschwaig]

Windows is special here because Microsoft never properly solved the distribution problem for software.

If you want the typical user on Windows to run updated software, your software has to at least entice updating if not auto-update straight away.

Not solving this whole distribution mess is by far the worst downside of Windows as a platform. Not getting malware when installing software on your Windows PC is hard.

[superflyguy]

Assuming I agree with you, what's the reason for not telling me about updates when I run the app? What's the advantage of the decision they've taken which is to not announce this?

[MereInterest]

Because even determining that there is an update available requires checking against an outside source to see if an update is available. This requires internet access, which requires handling network protocols, network security and encryption, none of which have anything to do with file compression. Increasing the scope of a project introduces additional failure modes, and a larger security risk.

If a project already performs telemetry, or if they have developer announcements, then the project has already increased its scope, and checking for updates is a relatively minor addition. If it is a well-behaved stand-alone application that doesn't make unwarranted external connections, then checking for updates is a large increase of scope.

[e12e]

Old thread, but I'd like to point at http://scoop.sh [1] which provides a command line package manager for Windows - and allows easy update of packages.

Chocolatey is similar in some ways, but scoop works hard to isolate installed apps from each others, and from other users (which can be good and bad). It's a little like an apt-like wrapper for binary-only (x)stow.

[1] scoop is hosted on github - the download url is on proper ssl, the bare scoop.sh domain presents a github-cert.