I suggest you ...

← General

Allow auto-updating of the Agent

The agent currently does not auto-update, due to security concerns of downloading and running code.

Allow an option for auto-updating in some form.

7 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Forgot password?
    Create a password
    I agree to the terms of service
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    Tom WardillAdminTom Wardill (Admin, Server Density) shared this idea  ·   ·  Admin →
    declined  ·  David MyttonAdminDavid Mytton (Founder, Server Density) responded  · 

    We are not going to implement auto update in the Windows agent for the following reasons:

    - Loses predictability for the sysadmin unless we build in our own control panel options.

    - Opens a potential security hole if we were to be compromised.

    - Another security issue for customers to consider.

    - People don’t necessarily want to be on the latest version – they want a stable version which is running fine, then be able to control the process e.g. doing it on a known date, rollback process, etc.

    Unlike Linux with apt and rpm, there is no Windows system for distributing packages and updates which we could otherwise use. ClickOnce is Microsoft’s recommended method but may not work with system services.

    Instead, we are going to distribute an MSI which will allow for easier installation and updates.

    5 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Forgot password?
      Create a password
      I agree to the terms of service
      Signed in as (Sign out)
      Close
      Close
      Submitting...
      • Carl MalartreCarl Malartre commented  · 

        "Automatic updating opens a potential security hole where if our systems were compromised, an update could be pushed out to all customers silently and automatically."

        I think this is also true:
        "Non-automatic updating opens a potential security hole where if our systems were compromised, an update could be pushed out to all customers silently, when they click on the update. People who don't update could run old code with known security risks."

        This is just delaying the effects. People will click it and will still install malware. Implement a random() delay in the auto-install and you have the same result.

        Now imagine the opposite: Windows Update not working automatically? F-secure antivirus not updating itself? The world would be full of virus!

        I think the benefits are real and should be an option. People with stronger security policy could disable it.

        Why Google Chrome does it?

      • David MyttonAdminDavid Mytton (Founder, Server Density) commented  · 

        The design of the agents is they never take any action without it being initiated by the user first e.g. this is why we do not allow plugins to be installed via our web UI - you have to use our local installer.

        Automatic updating opens a potential security hole where if our systems were compromised, an update could be pushed out to all customers silently and automatically.

      • Carl MalartreCarl Malartre commented  · 

        Why clicking on a button on the server would remove that security concern?

        What are the precise security concerns and the advantages of not auto-updating?

      General: Agent

      Feedback and Knowledge Base

      (thinking…)