Crise

blog 1.5.0: Securing your updates

2 posts in this topic

Welcome to what is hopefully the first of many blog style articles here at ApexDC.net. This time I hope to give a bit more depth to the new version that is literally just around the corner, especially since it has been a while.

Taking one of the new changes under the magnifying glass. This involves a bit of history and hopefully gives an entirely new meaning to one of the pretty meaningless looking lines that from time to time appear in our list of changes despite Lee's best efforts at writing it out so they would not appear.

Those who have followed the ApexDC project for a longer time period, might remember that with 1.1.0 we introduced automatic update system in ApexDC. However, if you remember that you must also remember how relatively quickly afterwards we stopped deploying updates in this manner. At that time making the choice to move away from the (then) newly implemented system seemed like clear regression to me, but looking back on it now I know the correct choices were made back then.

The reasons for not automatically update our users anymore and revert back to the infinitely more annoying (for you) method of handling updates can be covered by three key points (not in any particular order):

  • Automated updates gave the users one less reason to visit the web page, reducing overall activity on site and in the community.
  • Automatically replacing users binaries has several security considerations that were not really properly handled back then. For example consider the domain being taken over and a malicious individual could feed unknown code to users that then get executed on the users system as a part of the update process.
  • The implementation back then wasn't very flexible and was also somewhat prone to unnecessary failures.

All of this is history, from a few years back, but it seems good ideas die hard - this one in particular has come up on multiple occasions since then and, like those of you who have been paying attention to our recent public testing know, we recently decided to revisit the idea of automated updates.

Needless to say I wouldn't be writing this if the above concerns were still valid, but why am I do it then exactly. It all comes down to one thing really. Every time we release a new version, we have to lay out the changes in that version and more often than not the list of changes has some entries that bear little to no significance to an actual user, so we decided to elaborate a bit on one such change in the 1.5.0 release. The change involving the update check got chosen especially because it involves not an entirely new feature but most likely a forgotten one.

So yes, automated updates will be a prominent sight in the future of ApexDC as we keep thriving for better user experience. Sometimes it may take a while and be long time coming, like in this case, but it will be coming now and in the future. ApexDC is an important project for everyone involved and when we make decisions concerning it a great deal of discussion and thought always goes into them. However, when the decisions get made initially we don't always go into great detail about the reasons behind them, but usually those reasons are in fact good.

As we come to a close here, I would like to take a moment to thank all of you who participated in our public beta test and stuck through it with us. Based on the feedback from this time, I think we can safely say that it is more than likely that we will do something like this in the future as well. In the mean time, while we do not know how often we will be making posts like this in the future if you have topics that you'd like us to cover feel free to leave them in the comments below, even if you just want us to voice our opinions about something, I am sure as long as the topic inspires us to write about it we will find the time to put something down. I intentionally avoided many technical details this time around but if that is what you want to read about it can be arranged.

Comment, discuss, criticise the word is free, see you next time.

SowlayetlyRal and Richardcend like this

Share this post


Link to post
Share on other sites

Can the automatic update system be turned off completely? If not, please add that, as software should not phone home in any way if the user wants that. Privacy should be paramount, as should be giving the user control if they want it.

Share this post


Link to post
Share on other sites