On 06/28/2010 09:58 AM, David E. Ross wrote:
> On 6/27/10 4:31 AM, Robert Kaiser wrote:
>> Daniel wrote:
>>> Seems something is wrong here!
>>
>> Yes, not letting it check daily and automatically apply security updates
>> is wrong, as it compromises your security.
>>
>> Robert Kaiser
>>
>
> Some software (Windows XP included) offers the option to check for
> updates and notify me without downloading or installing the updates.
> That's what I want.
>
> I want to control when I actually update because my background in
> configuration management means that I log the changes -- files and
> Windows registry -- to my configuration. It means that I record the new
> version in my configuration summary.
>
> It also means that I update the list of spoofing UAs in my PrefBar
> installation when I get a new version of SeaMonkey. Etc, etc. For all
> this, it means that I want to stop doing anything else before I update
> and that I disable my Internet connection after the download but before
> the update (which is why I submitted bug #340330).
>
+1

This is also a security issue; the opposite of what Robert suggests.

The default of automatically downloading a SM update (2.0.4 to 2.0.5 for example) without the user first authorizing the download is plain wrong. I suspect that the update URLs, app.update.url etc strings could easily be changed by a trojan etc.

app.update.url.

We of course _trust_ that the auto update URLs are secure and working, but the possibility still exists that these actions could be redirected to a trojan update.xml.

Then of course, what if you are purposely keeping the rev at a particular version (testing, problems with the updated version etc)? Or worse yet, if the update that you hadn't planned on installing fails?

http://kb.mozillazine.org/Software_Update
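
Added example, not part of the original thread and not Mozilla or SeaMonkey code: the reply above worries that the `app.update.url` family of preferences could be altered on disk. A profile's `prefs.js` records only preferences that differ from the built-in defaults, so this audit flags any `app.update.url*` entry found there (including `app.update.url.override`). The sample preference text, the hosts `evil.example` and `updates.example`, and the caller-supplied allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Matches lines such as: user_pref("app.update.url.override", "https://...");
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.*?)\s*\)\s*;\s*$'
)
WATCHED_PREFIX = "app.update.url"


def audit_update_prefs(prefs_text, trusted_hosts=()):
    """Return (pref, value, reason) for every user-set update URL pref.

    trusted_hosts is an allowlist the caller fills from a known-good
    install (an assumption of this example, not a Mozilla-defined list).
    """
    findings = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if not m or not m.group("name").startswith(WATCHED_PREFIX):
            continue
        name, raw = m.group("name"), m.group("value")
        if not (len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')):
            findings.append((name, raw, "non-string value"))
            continue
        url = raw[1:-1]
        parsed = urlparse(url)
        if parsed.scheme != "https":
            reason = "not https"
        elif parsed.hostname not in trusted_hosts:
            reason = "host not in allowlist"
        else:
            reason = "overridden (host allowlisted)"
        findings.append((name, url, reason))
    return findings


# Constructed sample profile content, not taken from a real system.
SAMPLE_PREFS = '''\
user_pref("app.update.enabled", true);
user_pref("app.update.url.override", "http://evil.example/update.xml");
user_pref("app.update.url", "https://updates.example/%VERSION%/update.xml");
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, value, reason in audit_update_prefs(SAMPLE_PREFS, {"updates.example"}):
        print(f"{name}: {value} -> {reason}")
```

Run it against the text of `prefs.js` and `user.js` from the profile directory; an empty result means no update URL preference has been changed from its default.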

