StopBadware.org hosted a chat in February of this year about automatic software updates, and in particular about what to do with security updates. Here is a link to some notes from that chat session: http://blog.stopbadware.org/2010/02/10/lessons-from-the-auto-update-web-chat.
Several interesting issues fall out of this debate, including: Is there a difference between vulnerability fixes and straight product upgrades? How do the requirements of an individual user dealing with an update differ from those of an enterprise? Where is the appropriate place to offer an opt-out for an automatic update? How do users separate software licensing issues from automatic security updates?
What seems to be clear to me is that the auto-update process needs to be made much more transparent. Administrators want to know what systems, files, or other resources the update process is communicating with at all times. Right now, a lot of things can be created, modified, or deleted and you have virtually no insight into when or why those actions are taken. Any other kind of update made to a computer or network is usually very tightly managed and described in great detail so that people can be prepared for potential problems, side-effects, or impact.
Right now, many auto-update processes are simply an either/or situation: either you install it, or you don’t. That’s not enough information or options for most IT environments.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.