>From what I gather (reading forum and brainstorm posts) the topic of update notifications may have already been discussed ad nauseum in devel but I missed that discussion and I find the current update method a mammoth step backwards for usability and security. I'm running very much a non-standard install these days. I've tinkered with things. I say that because I want to make sure what I'm seeing (as a user) is by design and not by some random compound of mistakes. So please put me right if I'm describing something that isn't true of a fresh install. <ul><li>Apt is still scheduled to update at ~8am every day. </li><li>Update Manager will open if it has standard updates 7 days old or security updates 2 days old</li><li>This is done (and I paraquote) to tidy up the Notification Area </li></ul>So firstly there's the "random window" usability argument. New users, especially those who have migrated from an infected Windows computer suffering pop-up hell tend to be incredibly wary of things that just appear. If I arrive at my PC (with the aim of doing something specific) I'd probably ignore the update screen. I might not even know what it is and close it. Having it just spring up is setting a dangerous precedent for annoy-ware and might result people turning off the automatic updates to live an easier life. That paired with the time delay might lead to occasions where everybody has worked really hard to get a security update out and it isn't applied for days. The speed that remote flaws are converted into exploits is disgustingly fast and it should be the principal concept that when we have security updates, we make sure users get them installed. Leaving them to stew for days isn't abiding that idea. What is the default update procedure? Would a fresh install of Ubuntu install security updates without confirmation as soon as it gets them? If not, why on earth not? If you think they don't need to be enabled, please just go and look at the mess not enabling them has caused the world. Windows XP SP0, pirated around the world without automatic updates has contributed to the rapid rise of botnets. Let's keep Ubuntu safe. Now, what was wrong with the old update behaviour? Was it too subtle? I think it was. Plenty of people who I've installed Ubuntu for have managed to ignore it completely and it takes several reminders from me to get them using the updates as intended. Does that mean the notification icon was a bad idea? No. It just didn't go far enough. What I'm suggesting is we go all-out to ensure people know there are updates and they know what to do. Think an animated, spinning version of the update notification, balloon pop-ups explaining why installing the updates is a good idea and if they close that balloon, leave the icon in the notification area, spawning fresh balloons at increased frequency. You could argue that it's equally annoying as just spawning the update window and I'd probably agree, but I think it's that important to make sure users do their updates. My final idea is adding another group that allows users to install security updates (only) without becoming root. I have no idea how it would work but if an update balloon popped up giving me the option to "install updates now", I know I'd be more inclined to install them on a regular basis if I didn't have to stick my password in each and every time. I lied. This will be my final idea: are you using any data collection methods to analyse how people are using the updates? I'm sure the changes that have been made so far have been done to increase uptake but how will we know either way if there isn't a metric to track? I would suggest submitting an "upgradable packages over one day old" for both security and other patches (as two values) when apt does its morning upgrade. Of course you'd need to ask the user permission for that data collection but that's the easy part as it's just an extension of the popularity contest. I hope that all makes sense. Please argue for or against any of it. Oli Warner.