Hacker News new | past | comments | ask | show | jobs | submit login

I completely agree. I just want to point out that Windows Update can deliver application updates and has done so for Office, Silverlight, Defender, Bing something and possibly others. So the capability is there, they "just" need to enable it for 3rd parties. Oops, I used a 4-letter word. I'm sure it's more complicated than that.

They sorta did it for Store/UWP apps, but Win32 applications aren't going anywhere anytime soon (I hope!).




I forgot about the Store apps and I remember when that came out, I thought "They got that mostly right". "Mostly Right" from the perspective that there is a standardized software install/repository for applications that also updates them. "Wrong" in that it's following the iOS App Store model rather than the Linux model, has no (real) ability to add third-party, software that hasn't undergone the "Microsoft Stamp of Approval"[0]. And I'll admit that my first thought was that it was the end of any dream that MSUs would be opened up to third-parties.

And the Office/Silverlight mix always drove me crazy - it's something you have to separately turn on (and depending on the OS version/kind, you have to click through an additional EULA to activate), so they already had the plumbing in place to accept non-OS update complete with an EULA page and "activation" of that feature. I know there are a lot of issues that have to be addressed to successfully implement this. There are those legal ones -- like the ones they encountered that caused them to differentiate "Windows Update" and "Microsoft Update", as well as adding another attack vector (now the drive-by installs only need to install a new repository and they can deploy malware through updates)[1], as well as probably tens or so that I am not clever enough to think of.

[0] Though a quick search for just about anything in the WinStore indicates that Microsoft's standards are really low -- the spam disguised as software in the is a big problem.

[1] There's ways around this, though, with existing features already built into Windows. Using a model similar to Intellicode with an internet connection required to verify trust and CRL (you need it to download the update, any way, after all), backed up by a bit more hands-on verification on Microsoft's side (along with a higher fee to pay for that) would cover third-party repositories and for "Internal Enterprise" MSUs -- built by IT staff and deployed via SCCM -- the requirements could be "accept only if it originates from the enterprise CA that the domain trusts" (not other, external, CAs).




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: