Should firmware be updated automatically?



JJZolx
2005-09-15, 15:00
I began to file this as an enhancement request, but on second thought figured maybe there's a reason that it's implemented as it is now. So I'll ask...

I don't understand the need for user intervention to update SB firmware. If when upgrading SlimServer to version x.x.x, that version insists that a player's firmware version be updated to version N before it will do anything, then why not just have the server signal the player to go and upgrade its firmware? What's the reason for having a person press a button to get to the same point?

MrC
2005-09-15, 15:02
I can think of one very good reason. To ensure the user does not disconnect power or the network.

If there's backup firmware, and no real update happens until the file is transferred, then I can see auto-update being acceptable.

pfarrell
2005-09-15, 17:33
On Thu, 2005-09-15 at 15:00 -0700, JJZolx wrote:
> I don't understand the need for user intervention to update SB
> firmware.

It is a huge security problem to have servers randomly make changes to
other computers. While the SB1/2 is not much of a computer, it is one.

The security principle says that you need a user action to confirm
any changes to a computer. Even the Microsoft Windows update does this.

Pressing the power button is simple, but positive confirmation that
the owner really wants this.

--
Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html

Milhouse
2005-09-15, 17:42
http://forums.slimdevices.com/showthread.php?t=9464

seanadams
2005-09-15, 17:43
It's not really necessary except

a) as a security measure
b) to ensure the user knows it's being updated

Losing power or network connectivity during an update will not cause any problem - the update image is downloaded and verified in a reserved section of flash and there are protections in place if power is lost during any part of the installation process.

A scenario involving a malicious firmware update is pretty far-fetched but not inconceivable.
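
As an added illustration (not code from this thread or from Slim Devices), here is a small C model of the pattern described in the post above: stage the image in a reserved slot, verify it, and only then switch over, behind a user-confirmation gate. The two-slot layout, the FNV-1a checksum and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOT_SIZE 32
enum result { UPDATED, WAITING_FOR_USER, INTERRUPTED, BAD_IMAGE };

/* Constructed sample images (not real firmware). */
static const uint8_t OLD_FW[] = "fw-v1", NEW_FW[] = "fw-v2";

/* Hypothetical layout: two flash slots; `active` selects the one that boots. */
struct flash { uint8_t slot[2][SLOT_SIZE]; size_t len[2]; int active; };
static struct flash dev = { .slot = { "fw-v1" }, .len = { sizeof OLD_FW }, .active = 0 };

/* Stand-in integrity check (FNV-1a): catches corruption only; an unkeyed
   checksum does not authenticate who produced the image. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
uint32_t good_sum(void) { return fnv1a(NEW_FW, sizeof NEW_FW); }

/* received < len models power or network loss part-way through the transfer. */
enum result try_update(struct flash *f, const uint8_t *img, size_t len,
                       size_t received, uint32_t expected, int confirmed) {
    int spare = 1 - f->active;            /* reserved slot, never the running one */
    if (!confirmed) return WAITING_FOR_USER;      /* the button press */
    if (len > SLOT_SIZE) return BAD_IMAGE;
    if (received > len) received = len;
    memcpy(f->slot[spare], img, received);
    f->len[spare] = received;
    if (received < len) return INTERRUPTED;       /* active slot untouched */
    if (fnv1a(f->slot[spare], len) != expected) return BAD_IMAGE;
    f->active = spare;                    /* commit: one small write flips the boot slot */
    return UPDATED;
}

/* Returns 1 if the slot that would boot holds exactly `img`. */
int boots(const struct flash *f, const uint8_t *img, size_t len) {
    return f->len[f->active] == len && memcmp(f->slot[f->active], img, len) == 0;
}

int main(void) {
    enum result r = try_update(&dev, NEW_FW, sizeof NEW_FW, 3, good_sum(), 1);
    printf("interrupted=%d, still boots old=%d\n", r == INTERRUPTED, boots(&dev, OLD_FW, sizeof OLD_FW));
    r = try_update(&dev, NEW_FW, sizeof NEW_FW, sizeof NEW_FW, good_sum(), 1);
    printf("updated=%d, boots new=%d\n", r == UPDATED, boots(&dev, NEW_FW, sizeof NEW_FW));
    return 0;
}
```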

JJZolx
2005-09-15, 17:53
pfarrell Wrote:
> On Thu, 2005-09-15 at 15:00 -0700, JJZolx wrote:
> > I don't understand the need for user intervention to update SB
> > firmware.
>
> It is a huge security problem to have servers randomly make changes to
> other computers. While the SB1/2 is not much of a computer, it is one.
>
> The security principle says that you need a user action to confirm
> any changes to a computer. Even the Microsoft Windows update does this.
>
> Pressing the power button is simple, but positive confirmation that
> the owner really wants this.

To a degree, I understand and agree with what you're saying. However, due to the fact that the SlimServer:SB connection is dead in the water until the firmware is upgraded, then the notion that the user 'wants' to update the firmware is a little far fetched. It would be like your computer stopping dead, with nothing you can do other than to obey the onscreen instructions to press the spacebar to download and install some operating system update.

MrC
2005-09-15, 18:25
pfarrell Wrote:
> It is a huge security problem to have servers randomly make changes to
> other computers. While the SB1/2 is not much of a computer, it is one.
>
> The security principle says that you need a user action to confirm
> any changes to a computer. Even the Microsoft Windows update does this.

This seems a little off. There are plenty of server based management apps that do this regularly and frequently. Managed AntiVirus software does this, Windows Domain Controllers do this, many unix server-pushed patches are done this way, various database pushes such as NIS maps are done this way, etc. etc.

As long as a secure relationship has been previously established, there is nothing problematic with such remote, automatic updating.

pfarrell
2005-09-15, 19:08
On Thu, 2005-09-15 at 18:25 -0700, MrC wrote:
> pfarrell Wrote:
> > It is a huge security problem to have servers randomly make changes to
> > other computers. While the SB1/2 is not much of a computer, it is one.
> >
> > The security principle says that you need a user action to confirm
> > any changes to a computer. Even the Microsoft Windows update does this.
>
> This seems a little off. There are plenty of server based management
> apps that do this regularly and frequently. Managed AntiVirus software
> does this, Windows Domain Controllers do this, many unix server-pushed
> patches are done this way, various database pushes such as NIS maps
> are done this way, etc. etc.

You're right that we've gotten used to the AntiVirus software doing
this, also mine just updates the data and asks for a confirmation before
updating the software. [Of course, Von Neumann made data and programs
hard to differentiate.]

And yes, lots of Microsoft products do this (SMS, etc.).
But none of my linux servers allow such stuff.

> As long as a secure relationship has been previously established, there
> is nothing problematic with such remote, automatic updating.

How about your neighbor updates her SlimServer and microcode and your
WiFi goes down. If you haven't set up your SqueezeBox "properly"
is there really a trust relationship there?

I'm not in charge, but I like it the way it is.
IMHO, etc.

--
Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html

Michaelwagner
2005-09-16, 19:53
pfarrell Wrote:
> I like it the way it is.
> IMHO, etc.

Agreed. I hate it when software just upgrades without warning. I know virus scanners and operating systems have options to do this automagically, and I ALWAYS turn them off.

ceejay
2005-09-16, 23:44
Sounds like the answer to the original question is... file an enhancement request, but ask for it to be optional - "enable automatic firmware updates yes/no"

Personally I'd probably turn it on but can easily understand why others may not.

Ceejay

max.spicer
2005-09-17, 01:55
Ah good, more options! ;-)

Max

ceejay Wrote:
> Sounds like the answer to the original question is... file an enhancement request, but ask for it to be optional - "enable automatic firmware updates yes/no"
>
> Personally I'd probably turn it on but can easily understand why others may not.
>
> Ceejay