2013-04-09

Software updates are the bane of VMs -and Flash is its prophet

It's the first Tuesday of the month, so it's Flash update time. Three critical patches, where "critical" means "if you don't update it your computer will belong to someone else".

Adobe Flash Install Screen

These Flash updates are the bane of my life. I have to update the three physical machines in the house, and with two of them used by family members, I can't ignore updating any of them.

The workflow for flash updates is
  1. Open Settings manager, find the Flash panel, start that, get it to check for an update.
  2. If there is one, it brings up the "a new update is available, would you like to install it?" dialog.
  3. Flash Control Panel opens up Firefox with a download page: start that download.
  4. Close down Firefox
  5. Close down Chrome
  6. Close down the Flash Control Panel (if still present)
  7. Close down the settings manager
  8. Find the flash .dmg file in ~/Downloads
  9. open it
  10. click on the installer
  11. follow its dialog
  12. eject the mounted .dmg image
  13. restart your browsers. This is always a good time to look for Firefox updates too, then check if it recommends any other browser updates.
  14. For all Gmail logins, the two-level auth.
That's a repeat 3x operation, with the extra homework that on a multi-login machine, I have to "sudo killall firefox && sudo killall chrome" the other user's browser instances to make sure that the update has propagated (the installer doesn't block if these are running, as it doesn't look for them).

Then come the VMs. Two Windows boxes stripped down to the minimum: no Flash, no MSOffice, or Firefox, but Chrome and IE. IE set up to only trust adobe.com, microsoft.com and the Windows update, where trust is "allow installed AX controls".

Manual updates there too, with the MS patch also potentially forcing restarts.

This shows the price of VMs: every VM needs to be kept up to date. The number of VMs I have to update is not O(PCs), it is O(PCs)*(1+O(VMs/PC)).

Most of the VMs are on my machine: one Linux VM for native code builds, other VMs for OpenStack, more for a local LinuxHA cluster.

There it is simpler: "yum -y update && shutdown -h 0", or the equivalent with "apt-get update && apt-get -y upgrade".

Which shows why Linux makes the best OS for my VMs. It's not so much the cost, or the experience, but the near-zero-effort update-everything operation. 
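The one-line Linux update above, extended into a dry-run-by-default loop over several VMs; this is an added example, not code from the original post. The VM names, the "host manager" inventory format, the APPLY_UPDATES switch and the use of ssh with sudo are assumptions.

```shell
#!/bin/sh
# Added example: plan (and optionally run) the one-line update on each Linux VM.
# VM names below are constructed samples, not hosts from the post.
INVENTORY="build-vm yum
openstack-vm apt-get
ha-node1 yum"

# Map a package manager to its non-interactive "update everything" command.
update_cmd() {
  case "$1" in
    yum)     echo "yum -y update" ;;
    apt-get) echo "apt-get update && apt-get -y upgrade" ;;
    *)       return 1 ;;  # unknown manager: refuse rather than guess
  esac
}

# Print one ssh command per "host manager" line; report and skip unknown managers.
plan_updates() {
  printf '%s\n' "$1" | while read -r host pm; do
    [ -n "$host" ] || continue
    if cmd=$(update_cmd "$pm"); then
      echo "ssh -n $host 'sudo sh -c \"$cmd && shutdown -h 0\"'"
    else
      echo "SKIP $host: unknown package manager '$pm'" >&2
    fi
  done
}

# Dry run unless APPLY_UPDATES=1 (assumed switch); a failed VM is reported, not fatal.
run_updates() {
  plan_updates "$1" | while read -r line; do
    if [ "${APPLY_UPDATES:-0}" = 1 ]; then
      sh -c "$line" || echo "FAILED: $line" >&2
    else
      echo "would run: $line"
    fi
  done
}

run_updates "$INVENTORY"
```

Skipped and failed VMs are written to stderr, so a scheduled run leaves a record of which machines are still unpatched.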

It also shows where Apple's "app-store" mindset is limited. Because new App Store apps must be sandboxed and save all state to their (mediocre) Cloud, there's no way for the App Store to update browsers or the plugins integrated with them. Which leaves two outcomes:
  1. Someone needs to go to each mac and go through steps 1-14 above.
  2. They don't get updated, and end up being 0wned.
It's easy to fault Apple here, but it really reflects a world view that we have for software in general, "out of band security updates are so unlikely we don't need to make it easy". Once we switch to assuming that there may be an emergency patch any day of the week, we start thinking "how would I do this as a background task" -which is something all of us need to consider.