The Lunacy of "Forced Updates"
Posted by Jeff Disher
The Lunacy of "Forced Updates"
Today's large-scale software breakage across the world gives me hope that this may cause a broader push-back on the software update philosophies currently in use. I don't know if this one was "forced" (as businesses usually aggressively run updates), but it should definitely have been staged into cohorts (nothing good has ever come out of the same decision being made for everyone at the same time), and should probably have been more broadly questioned as to its relevance.

This is something I have complained about for years as the only serious software problems I have had in probably over 20 years are related to software updates: Usually a piece of software updating itself without asking for my consent and sometimes a dependency updating itself or being updated by me. We need to seriously realize that any change can have consequences, and forcing these changes should be illegal: I own this infrastructure so I will decide what is best for it.

I think that the problem originated from a watering-down of language around "security update". When "denial of service" was considered a "security problem", it opened the floodgates for all kinds of nonsensical changes to be made under the guise of "critical security updates". This is wrong since, in my experience, a forced update is frequently the _cause_ of a denial of service. Today is a great example of that.

There are also different levels of this. If an anonymous remote agent can cause a denial of service in publicly accessible infrastructure, that is a big deal and should be described as such and resolved early. If the only denial of service cause is local user error, that should be documented and fixed soon-ish. If the denial of service can't possibly impact an inaccessible and fully automated system with an unchanging workload, it should be left as is.

Of course, I think that the rhetoric around this only fools idiots, usually those who don't want to take any responsibility for their "jobs". I suspect that the ultimate reason behind this is that the service providers don't want to feel as though they need to "support" anything other than the latest permutation of the latest versions of their software. While this is understandable, I would rather than they just stated what their level of support is for previous versions. A simple, "we can only actively investigate problems with the latest version but we have a knowledge base which _may_ help diagnose problems with older versions" would probably suffice.

Hopefully that, combined with explaining what is being updated, and why, might help mitigate these problems and return agency to the users without just saying "we know what is best for you".

Of course, I am sure that this is an unpopular opinion,
Jeff.