linuxmint / mintupdate

The Linux Mint Update Manager

Linux Mint 20.2 is a bit more insistent about updating but not as annoying as Windows or Mac #692

Open noloader opened 3 years ago

noloader commented 3 years ago

Hi Everyone,

The Register published an article recently called Linux Mint 20.2 is a bit more insistent about updating but not as annoying as Windows or Mac. I wanted to comment on this article and ensure the Linux Mint development team receives it. According to Docs » Where, that is this GitHub. This is feedback on Linux Mint's Security Engineering and workflows.

The image below is from the article.

[Image: notify]

Here's the meat and potatoes of my comment... The strategy is wrong, the interface is too complicated, and users don't care what you prompt them with. Here's why I feel that way.

The strategy is wrong
=====================

I think the strategy is wrong. Linux Mint is depending on users to do something to keep the machine secure and running well. We've known that is the wrong approach to security and robustness for a long time.

Microsoft performed a study around 2000 and found a machine on the internet was under attack within 5 minutes of being taken online. I don't think it is wise to depend on a user to install updates when the attacks begin immediately. It is not just my thinking...

There are two books on engineering security that I am aware of. The first is Ross Anderson's Security Engineering. The second is Peter Gutmann's Engineering Security. Neither book tells us to leave this stuff to users. Both books tell us to fix things for the user without user intervention.

Gutmann's PhD thesis was The Design and Verification of a Cryptographic Security Architecture. He is an expert on Security and Usability. Here is what Gutmann writes about the ideal strategy (pp. 26-29 of his book):

> Defend, don’t Ask
>
> The “defend, don’t ask” aphorism is made explicit in the rules set out by the US Consumer Product Safety Commission (CPSC) which requires that hazards be designed out of products if this is at all possible, and can also modify an existing requirement for warnings to require a product redesign if it’s found that the existing warnings aren’t working...
>
> The best approach to the human-factors problem posed by warning dialogs is to redesign the way that the application works so that they’re no longer needed. Since users will invariably click ‘OK’ (or whatever’s needed to make the dialog disappear so that they can get on with their job) the best way to protect users is to actually do the right thing, rather than abrogating responsibility to the user. A system that constantly throws up its hands and reports “Human decision required” belongs in a low-budget science fiction drama, not on your desktop. As Mr. Miyagi says in Karate Kid II, “Best block, not be there”, or as rendered into a computing context by Gordon Bell, “The cheapest, fastest, and most reliable components of a computer system are those that aren’t there”. In a security context the best warning dialog is one that isn’t there, with the application doing the right thing without having to bother the user.

So, the ideal default strategy for Linux Mint is to install the updates without user intervention. Defend, don't ask.

Interface is too complicated
============================

I think the interface is too complicated. There are at least 9 settings/dials a user must read, understand and adjust. Depending on the user to do the right thing is a recipe for disaster. The configuration is going to result in dialogs that the user does not care about. About all you can count on is a user will click some button so they can get back to doing what they were doing. A user does not care what that button is as they can get back to doing what they were doing.

Here's what Gutmann has to say about it (pp. 129-149 from the book):

> How Users Really Make Decisions
>
> Now that we’ve looked at how things don’t work, how can we find out how they actually do work? There are two ways to approach this, we can either use empirical evaluation, examining and measuring what people do in practice, or we can use conceptual modelling, taking a set of conceptual models (including, for reference, the SEU model) and seeing which one best matches (or at least approximates) reality. ...
>
> Humans take the RPD approach to making a decision when they can’t hold all of the necessary information in working memory, or can’t retrieve the information needed to solve the problem from long-term memory, or can’t apply standard problem-solving techniques within the given time limit. ...
>
> If a user is trying to perform task A and an unexpected dialog box B pops up (Figure 59), they aren’t going to stop and carefully consider B. Instead, they’re going to find the quickest way to get rid of B so that they can get back to doing their intended task A (Figure 60).

How to handle updates
=====================

I think Linux Mint should be installing security and other updates unless the user does something special. I eat my own dog food: here's my GitHub with an auto-update project that installs security and other updates because distros don't do it.

I had to provide an auto-update project because distros are doing such a poor job at handling things. I cannot ask my 85 year old grandmother and 60 year old mother and father to do the things you want them to do. They simply don't understand. They don't understand the various icons in the task bar. They don't understand the prompts when you interrupt them. All of this stuff needs to be done for them.

From Gutmann's book I know installing security patches and updates for my grandparents and parents is the ideal strategy. It applies to all users, and not just my machines or my family members. It is the Defend, Don't Ask strategy.

Here is how I would design the updates UI. The recommended setting would be selected by default so users don't have to do anything special to get the recommended setting.

[Image: updates-dialog]

"Manually install updates (not recommended)" is there as a concession to some engineer who would complain. Personally, I would not have it. None of the systems under my purview would have it since it is an insecure waste of time. It is not worth the code it would take to implement it.

I think an even better update architecture is, automatically install all updates without a UI setting. Don't even provide a dialog with configuration settings. Just install the updates. If the user installs a package, like update-settings-ui, then provide a dialog like shown above. If the user does not install the package, then there is no choice. The user gets all updates all the time without configuration options, taskbar icons or prompts. It is the Defend, Don't Ask strategy.


From the article:

> The freedom to upgrade as and when the user chooses seems a good thing yet the demands of security suggest that a degree of automation is also desirable.

To state the obvious, a reporter is not a security engineer. The reporter's statement that "its a good thing to allow users to decide if/when to take security updates [sic]" is bad advice. Don't follow his advice. Follow the advice of experts like Ross Anderson and Peter Gutmann.

edschindler commented 3 years ago

Interesting article, disappointing discussion! A few thoughts to maybe stimulate some discussion:

1) The "Grandma" use case is an interesting thought experiment. Mint is pretty close, and the security update concern that triggered this article is critical, but is there anything else we can do to help Grandma use Linux?? (While not dumbing it down for Linux's core user base, of course.) What does Grandma-simple look like?

2) I like having "expert options" accessible from the simple default interface. Linux users are more technical than average (Windows, Mac) users, and do not appreciate dumbed down everything (Win 10, mobile apps). Particularly annoying: adding nuanced settings by editing underlying files, then losing those changes with a careless click on a simplified settings dialog.

3) Grandma, in particular, tends to turn off her computer when she's not using it. The simplified auto-update has to accommodate this. Given how fast she might shut it off, do we need a way to tell her "your computer will turn itself off when the updates are done."? (Maybe it already does this.) (In fact, triggering stuff like updates and backups at shutdown can be pretty handy, if the Grandma is comfortable walking away and letting the computer turn itself off when all the maintenance activities are done.)

4) Updating, for example, Firefox while Firefox is running can cause Firefox to crash. How would a background update handle those cases, given that hooks to trigger further automation (tell Grandma to stand by, then restart and restore) are not necessarily provided in the updates? Services restart themselves when updated, applications may not.

cypressfruit commented 3 years ago

Hi, if I can add my two bob?

Running with Grandma.... For the scenario we are looking at, Grandma probably would not use a lot of the 'extras' that are default with Mint, which leads me to think that Grandma would probably be quite content using a much simpler Version, almost a bare bones, with the few most used applications/software, which means that any updates would be potentially smaller and fewer?

So, maybe we need a Grandma Mint? Can't leave out Grandpa, so a more generic name?

noloader commented 3 years ago

@cypre,

> So, maybe we need a Grandma Mint? Can't leave out Grandpa, so a more generic name?

Lol... I've got a [mostly] working Grandma Mint. I call it Linux Mint, Silver Edition. It uses a silver theme instead of a green theme. It also uses larger fonts and icons out of the box. I still need to fix the Greeter or Login screen. The greeter does not honor Visual Assist settings. The greeter still uses a font of like 8 and the icons are too small.

I'm working with two senior residences to cut-over their computer room from Windows 8 and Windows 10 to Silver Edition in a kiosk-like mode. The senior residences are small apartment buildings with 50 or 100 residences. They have a computer room with 5 or 10 machines and a printer that residents can use.

But don't get too hung up on the grandma and grandpa use case. The full automatic updates to keep the machine completely patched applies to all non-savvy users, and not just seniors. That is, folks like you and @edschindler are fine with the way things are set up. Folks like you know how to install the extra updates. Non-savvy users (including seniors) need the extra help.

edschindler commented 3 years ago

I introduced multiple topics off the main subject of "automated upgrades for most" because the parent got tagged "discussion" and I thought we could be a little less focused in this kind of thread. I hope that wasn't a mistake, if Mint Silver ends up getting all the attention and hijacks the post.

Grandma, by the way, is a persona (as used in ux) rather than the proposed name, and Kiosk is a good description for it, though not 100%.

Even Mint Silver has a couple of sub-use cases: grandson (persona!)-installed and -managed (even if remotely), and fully on-her-own, from install to daily use to upgrades. The public "computer lab" case is a third, with the need to support multiple users on each workstation.

I was imagining almost another edition of Mint, beside Cinnamon and Mate... It might be based on any of them, but very bare bones. But it could be a user type as well, with a normal Mint install, but set up a Silver user and they get a stripped down kiosk style UI with minimal applications visible.

One important question is what's wrong with Chromebook for this purpose? Does Chromebook meet the Grandma use case well enough? (even if we have to hold our noses...)

noloader commented 3 years ago

@edschindler,

> One important question is what's wrong with Chromebook for this purpose? Does Chromebook meet the Grandma use case well enough?

Very good question. I tried a Chromebook with my father. Google ties products and services to the point it is unusable for some users.

For example, upon boot, there's a login screen with big, pronounced areas for a username and password. There's also an option for an anonymous login like kiosk mode. The text for the anonymous login is small and faint because it is light grey and blends in with white background.

When my father tried to use the Chromebook to get online, he asked me, "why do we need a password for the internet" and "what is the password"? He did not know he needed to click the anonymous login text (he probably did not see it).

To set kiosk mode/automatic login for a Chromebook my father needed a Gmail account, and then needed to add an extension. That would have been a big problem for someone who thinks the internet has a password.

I brought the usability issue up with the Chromebook folks. I complained that Google's tying of products and services was making the Chromebook too difficult for some users. They told me a Chromebook was not for everyone.

UnisTorvalds commented 1 year ago

One of my favourite things about Linux OSes in general is that they respect the user. I'm in control. The OS doesn't second guess my intent or take action without my input (whether that be updating software or uploading "telemetry" to the vendor); in contrast to all commercial OSes (iOS, Android, Windows, etc.).