Jaunty's update notifications

Oli Warner oli at thepcspy.com
Thu Apr 23 09:32:56 UTC 2009 

>From what I gather (reading forum and brainstorm posts) the topic of update
notifications may have already been discussed ad nauseum in devel but I
missed that discussion and I find the current update method a mammoth step
backwards for usability and security.

I'm running very much a non-standard install these days. I've tinkered with
things. I say that because I want to make sure what I'm seeing (as a user)
is by design and not by some random compound of mistakes. So please put me
right if I'm describing something that isn't true of a fresh install.

   - Apt is still scheduled to update at ~8am every day.
   - Update Manager will open if it has standard updates 7 days old or
   security updates 2 days old
   - This is done (and I paraquote) to tidy up the Notification Area

So firstly there's the "random window" usability argument. New users,
especially those who have migrated from an infected Windows computer
suffering pop-up hell tend to be incredibly wary of things that just appear.
If I arrive at my PC (with the aim of doing something specific) I'd probably
ignore the update screen. I might not even know what it is and close it.
Having it just spring up is setting a dangerous precedent for annoy-ware and
might result people turning off the automatic updates to live an easier
life.

That paired with the time delay might lead to occasions where everybody has
worked really hard to get a security update out and it isn't applied for
days. The speed that remote flaws are converted into exploits is
disgustingly fast and it should be the principal concept that when we have
security updates, we make sure users get them installed. Leaving them to
stew for days isn't abiding that idea.

What is the default update procedure? Would a fresh install of Ubuntu
install security updates without confirmation as soon as it gets them? If
not, why on earth not? If you think they don't need to be enabled, please
just go and look at the mess not enabling them has caused the world. Windows
XP SP0, pirated around the world without automatic updates has contributed
to the rapid rise of botnets. Let's keep Ubuntu safe.

*Now, what was wrong with the old update behaviour?* Was it too subtle? I
think it was. Plenty of people who I've installed Ubuntu for have managed to
ignore it completely and it takes several reminders from me to get them
using the updates as intended. Does that mean the notification icon was a
bad idea? No. It just didn't go far enough.

What I'm suggesting is we go all-out to ensure people know there are updates
and they know what to do. Think an animated, spinning version of the update
notification, balloon pop-ups explaining why installing the updates is a
good idea and if they close that balloon, leave the icon in the notification
area, spawning fresh balloons at increased frequency.

You could argue that it's equally annoying as just spawning the update
window and I'd probably agree, but I think it's that important to make sure
users do their updates.

My final idea is adding another group that allows users to install security
updates (only) without becoming root. I have no idea how it would work but
if an update balloon popped up giving me the option to "install updates
now", I know I'd be more inclined to install them on a regular basis if I
didn't have to stick my password in each and every time.

I lied. *This* will be my final idea: are you using any data collection
methods to analyse how people are using the updates? I'm sure the changes
that have been made so far have been done to increase uptake but how will we
know either way if there isn't a metric to track? I would suggest submitting
an "upgradable packages over one day old" for both security and other
patches (as two values) when apt does its morning upgrade.

Of course you'd need to ask the user permission for that data collection but
that's the easy part as it's just an extension of the popularity contest.

I hope that all makes sense. Please argue for or against any of it.

Oli Warner.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20090423/e308ad08/attachment.html>

More information about the Ubuntu-devel-discuss mailing list