Slashdot Mirror
Google Open Sources Updater
Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.
Get a web developer
Someone add a feature to turn it off completely.
to the "do no evil" slogan.
And of course, this goes hand-in-hand with keeping Chromium easy to use.
It's not the privacy and security aspects of having Googel Update always running in the background that concerns me, it's that a process that is only needed once in a while is constantly running using up resources unnecessarily.
Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).
No need to have an updater constantly running in the background at all.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
"Unfortunately, the service has many bugs, it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues"
I would prefer it if they fixed Google Update instead of releasing the source. Making it optional and easy to remove would be a good start. Amazingly Apple Update works better and most Apple software on windows, besides Safari, is lousy...
Visit ssjx.co.uk
a chair could be heard, sailing gracefully across the redmond campus.
burying your competitor certainly takes alot of dirt these days.
Good people go to bed earlier.
I'm afraid I can't do that.
And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
I knew it. Eric Schmidt is Spock's love child... how he managed to hide the ears and eyebrows for this long, though, I don't know.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
I can't seem to figure out how to remove it. I tried the Google Updater Service via Control Panel\Administrative Tools\Services\local method and it says disabled . . . I removed it from the list of startup programs in my registry. I'm not running any Google software. But restarting my PC it somehow reloads itself and finds its way into my running programs. Simply using task manager to kill it doesn't even work.
The only solution I can find is tell my firewall to permanently ban it from using my internet connection.
Why do we need GoogleUpdater anyway?
OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?
First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.
Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.
Third, CmdrTaco is being naive if he thinks open sourcing an abomination leads to the "obvious conclusion" that it's to be trusted. He forgets that the danger lies in the code that's being downloaded, not the code that is doing the downloading. It's the idea itself that's bad not the implementation.
Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror. And like Google, they're not likely to tell us what they're doing.
I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?" One person lying doesn't usually do much harm. Everyone lying would make life almost unbearable.
Having every application behaving like Google's would be an utter disaster. Open-sourcing Google's code makes as much sense as marketing a "Do It Yourself A-Bomb Kit" in the Middle East. The malicious genie is out of the bottle. Now we have to consider the possibility that every obscure application we download contains Google's dastardly code. A seemingly benign application could mutate on command into a monster. And because it spreads any time we're online, it could spread like wildfire. Google doesn't even seem to have been thinking when they came up with open-sourcing their monster.
What the Greeks called hubris, overweening pride, has struck again. Google has replaced Microsoft as the giant, high-tech business that seems most clueless about the distinction between good and evil, sensible and foolish. They censored the Internet for China, they claimed to own every book not in print, and now they want to determine what's on our computers without our consent and without our knowledge.
I was thinking it would be interesting if we could turn this into a windows package manager so I go and look at the code.
You know, I can't even be bothered thinking through what these are. Perhaps when I'm done recoiling in horror that the Chrome source drop wasn't a bad example and Google engineers really do routinely maintain binaries in svn.
I wouldn't be impressed until Google open sources its' search engine infrastructure.
Anybody can write an updater program. Slashdot is making this popular only because Google is doing it. Zillions of such programs are already open source. And they work on more platforms.
This article is useless. This shows that Slashdot is sucking Google's dick. Nothing more.
If I loook on my notebook I find Windows Update, Google Update, EA update together with application integrated autoupdaters (Firefox, Thunderbird, Acrobat Reader, Skype) running. I'm sure there a others, I don't even know about.
If Microsoft had implemented auto update as an simple open operating system feature (which could be used by other software vendors), nobody would need a private update service running all time. Your application would just need to register an autoupdate URL during installation and all updates (OS, applications, drivers) could be handled by a single (hopefully secure) update mechanism. If were a standard OS feature, nobody will bother building proprietary updaters and MS could further reduce TCO by providing enterprise wide policy control (so that a company could enable a specific update or not).
Maybe an open source autoupdater is a first step into that direction (although it would require encouraging others to use a common autoupdate).
The problem is fundamentally social. Companies, and social groups in general, are always both growing socially and dying socially. In a company as well-established as Google, the challenge is to keep the processes of growth stronger than the processes of death.
More and more, Google seems to be out of control. There seems to be insufficient friendly oversight of the many initiatives inside the company. That typically occurs because everyone is busy, and because there is no one inside the company who both understands particular social processes and has the power and insight to influence them. Friendly, creative management is a lot more difficult than the average person realizes.
Of course, Google started from a very high level of excellent management. Google's management ability was initially not only in providing an excellent search engine, but also in being able to build the infrastructure necessary to serving billions of queries of a database, each in less than a second.
I'm very interested in such issues: Futurepower®.
Someone add a feature to turn it off completely.
Can someone remind why they did it this way again, other than for annoyance? Whatever good reason they had is probably nullified by the fact people try to remove it, because of its annoying behaviour. Please just let me know when I use the application, and not when I haven't opened the application for over a month.
On MacOS X Sparkle is a nice way to go about things, and something I would like to see ported to other platforms.
Jumpstart the tartan drive.
This is the same problem with voting machines. Google has release source codes they claim they used to create the code running on your machine. There is no way to verify that, so this is not reassuring in the slightest, unless you don't know how software works. I think it's great that Google did this, and I have no reason to cite to distrust their intentions here - but this is false assurance at it's best.
http://www.unfocus.com/
Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched
No, that's not right either. What Windows and OS X really need is a decent package and dependency management system like, oh, Linux has had for more than a decade.
Google Update installs itself without my permission, runs without notifying me, and is difficult to disable and uninstall. This fits my definition of malware. I'd like to have an option for my anti-virus and anti-malware software to start detecting and destroying programs like these.
-- 77IM
Student: Is it true that the foundation of the universe is paradox?
Master: Well, yes and no.
Build your own updater, or wait for someone to do that, to replace Google's version. There's only one copy of Google Updater running on your computer.
MOD PARENT UP! '... the problem is "ethical" in a sense.'
Processes that run all the time make computer administration more complicated. The issue is not just one process; many, many companies want control over user's computers and believe that a system process is the way to achieve that.
Google Updater should run only when a program supplied by Google is running. Unnecessary control is always a reason for criticism, not just unnecessary control over other people's computers. Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.
America, wake up!
the danger lies in the code that's being downloaded, not the code that is doing the downloading.
There's also the danger in the code that's already running, and needs to be replaced because it has a security vulnerability?
It was the fictional AI Joshua who said "The only way to win is not to play."
I don't really care for the particulars of google's update service, but I have yet to actually get burned by it.
I'd prefer it if they had something set up where it alerts you if there's an update available, tells you what it is and why you should consider installing it if you're curious, and then allows you to download and install it, postpone installing for a user-defined period, at which point you get prompted again, or declines the update forever.
You see? You see? Your stupid minds! Stupid! Stupid!
Isn't it possible that Google's move is nothing more than a response to the recent Apple-centered trouble about a patent on automatic updates?
http://yro.slashdot.org/article.pl?sid=09/04/07/1654220&from=rss
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
Adobe seems to have got it right with its latest version ...
I accidentally spit my coffee when I read that! Dude, you owe me a keyboard.
"The ferrets, they're every where I tell you!"
Google Updater should run only when a program supplied by Google is running.
So think about this scenario:
A product has a security issue tha can be exploited remotely (lets say (and this is hopefully not a real exploit, but something like this could theoretically happen)
Google earth has an issue with KMZ files (buffer overflow, whatever)
user gets a kmz file
opens it
--> exploit can do its thing.
It is now useless that Google Earth would display "there is an important security update available".
therefor: it is important to patch the apps *before* opening it.
please note: that is not specific to the google updater, but every app that only checks for updates while it runs.
I've always wondered why companies didn't register their updater as a Windows scheduled task that could be run weekly, daily or even hourly. That way, no process would be constantly running.
I work on computers for people, sometimes, as a side project.
For the past few years, every single computer that I have to nuke and reinstall Windows on gets the following treatment:
1. Google Updater with Firefox, set up to be as automatic and out-of-sight as possible
2. Avast antivirus, set up to be as automatic and out-of-sight as possible
3. Windows Update set to always install every update, all by itself
I then set Firefox as the default browser, and get rid of most of the IE icons in the system. People take about 0.3 seconds to get used to Firefox, and are happy to hear that it will keep itself updated and reasonably free of unintentional badness.
Before I started doing these things, computers would come back to me pretty quickly after a clean reinstall of Windows, because they'd trash them in no time.
Now, it usually takes years before I see the same PC again. And it's not that the customer is mad at me for installing the EVIL GOOGLE UPDATER and don't want to give me any more business, it's just that their shit is STILL WORKING JUST FINE.
I run into customers from time to time at the grocery store or wherever, and always ask how their computer is doing. "Oh, it's been great since you last had it," is a typical response.
I use Google Updater myself. Of course I want the latest Firefox. And why not the newest Google Earth, too? I see no harm in this.
Kid-proof tablet..
Why couldn't Google Earth check for updates upon startup before loading that file? The file doesn't execute, it is only associated to run Google Earth with its filename passed as a parameter. All Google Earth would need to do is check for updates and postpone loading the file until an update confirm/deny is received from the user.
Aside from that gaping hole in your logic, what is to prevent the Google Updater from becoming compromised itself and used to start downloading all sorts of malware?
Yes, but how does a company continue to achieve excellent engineering? There is, perhaps surprisingly, a large social component to that achievement.
The answer is to do the updating before the application is fully loading.
Should be, of course, "... fully loaded."
Here's a wilder idea: license Google Pack openly, give it better dependency handling, and setup an independant debian-like group to oversee it and it's packages on google-sponsored (but easily mirrorable/replaceable/overridable) servers. Then release tools to help people publish their software, review other software, etc. If google wants to beat MS, the best way to do that is to encourage a debian-like software delivery system on Windows, which gives users entirely equal choice between firefox and IE, OpenOffice and MS Office, etc. It's microsoft's software delivery channel that needs to be conquered, not its products, which at best aren't that great.
Ugh, do you really want every app to get a multi-second delay on startup so it can check for updates? What happens if you're on a slow connection - your entire desktop grinds to a crawl thanks to the constant startup update checks. No app actually does it this way, it'd be crazy, startup time is important.
As to what stops the updater being compromised, I assume it checks whatever it downloads for a digital signature. Why would it not?
So you would rather have your desktop grind to a crawl at random, unpredictable times due to the constant background update checks rather then when you specifically tell it to?
Please check your hyperbole at the door.
Does this mean we can start to download programs from google again without getting our systems infested by their bloatware updater?
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
If:
a) You do not have privacy concerns about Google tracking you,
b) Your customers don't, either,
c) You and/or your customers would prefer easy install over privacy, and
d) You and/or your customers trust all of the newest releases of all software without review,
then sure, I see no problem with it.
However, if you answered "no" to any of the above, then you might have a problem with it. I would answer no to 'c' and 'd' above, personally. That being the case, I want to be able to disable the thing that I do not trust.
Giving this a typical car analogy: if you ride in a taxi or a bus, you are trusting that the driver won't crash, speed, try to kill you, or record your cell phone conversations. Some of these are, of course, more likely than others (notably, the chances of your bus driver trying to kill you are pretty slim). None of them are particularly likely. However, if you had some reason to believe that the driver would do any of these things, you probably wouldn't ride the bus.
Of course, most people just get on the bus and don't think about these things. Most people just install Google updater and don't think about their privacy or potential code issues. That does not, and should not, negate the need for the rider/user to be able to choose whether or not to ride the bus/run the program.
I'm not saying that Google updater is bad. I'm saying that the inability to disable it is bad.
There must be many software people reading slashdot.
I must ask you all, why does every damn program have to install extra services or tasks that runs in the background?
Why can't these be started when I, the user, start that program and shut down again when I close it???
The process list is like 4 pages long and the services are bloated all to hell.
Not to mention the boot time it takes to start all these programs and services.
Updates can be checked when the user runs the program, or if it's running 24/7 check once a day.
Yes I myself goes hunting after them, shutting them down etc. But my friends doesn't, most people don't even know how.
So please, stop this madness. You know how to do it right, so then start doing it!
-Roger the Hardware engineer
Please extract your head from your rectum.
Processes that run all the time make computer administration more complicated.
Having more software makes computer administration more complicated. Connecting to a network makes computer administration more complicated. Having users makes computer administration more complicated.
Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.
I would say that -users- must weigh the benefits they hope to get from whatever free Google app they're using. If you want, you can wait a week for the massive Google PR disaster you predict this discussion will cause, but when it doesn't happen, put training your users on your to-do list.
a, b, c, d--
Riddles and nonsense. I've said my piece. Dispute it with facts, or move on.
Thanks!
Kid-proof tablet..
Google has really fucked up with its updater. They installed it behind the user's back, in direct contradiction of Google's own stated guidelines. The Google Earth plugin for the Mac contained the updater, but you wouldn't know it from reading the on-screen installation text.
All the while, Google is saying in their "Software Principles":
But what I really can't understand is that Google had to write its own updater in the first place. What's wrong with Appcasting, which (1) works, (2) doesn't have to run as a daemon all the time and (3) doesn't run as root all the time?
It seems the NIH is strong with Google.
Free Manning, jail Obama.
That scenario assumes that the updater can do its thing before the user clicks on a bad file. Highly doubful.
It's also worth mentioning that having the Google Updater run as root all the time opens up another vector for exploits.
Free Manning, jail Obama.