How Software Updates Should be Done

2020-01-22

Keeping software up-to-date can be hard. Ideally, you want to ensure you have the latest features, security patches, and bug fixes in your app.

The problem is, this gets very difficult:

  • Making sure your dependencies allow a matching version for other libraries and tools' dependencies
  • Getting users to stay up to date
  • Doing update checking and downloading in a privacy friendly way

My general rule of thumb is:

  • Allow a recent range of versions for each dependency. Allow back as far as possible.
  • Make your CDN not log IPs.
  • Apply security headers.
  • Require minor updates that will take >2 minutes to be installed, so people are at least somewhat up-to-date.
  • Make sure your downloads page includes almost no JS, so the link can't be modified.

While these goals may not be universal, I just think this is a standard that should be adopted.