The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Wednesday, January 07, 2009

> 5 hours to do a Software Update

It's been one of those days. Sob stories about time wasted in virus scanning and software updates are my specialty, aren't they?

Some people write about what they KNOW.

I write about what ANNOYS ME.


I left for work circa 8am. A bit late, considering that I started leaving at 7:30am, but that's another story.

I had not driven a mile before a realized I had forgotten something. I returned to the house.

I thought: "Since I am delayed, maybe I should just check my computer? It should be fast."

That's how it always goes. It was 8:20.

As soon as my computer boots, the security center red alert is there. Update the virus scanner. Update Windows. Oh-oh: it's a big update. SP3. Apparently I have not used this personal computer for a while.

Before long both my personal computer, and my company laptop, are consumed doing updates. Worse, I could not get anything else done on the net on any other computer (I have several), since my home broadband is slow.

I did not want to disturb the update process - that has, in the past, occasionally resulted in brokennesses. So I waited. And waited. And WAITED. After a while it becomes a matter of interest: how long will this take?

I have been able to use my work laptop for a while. My 3 year old work laptop updated faster than my 6 year old low-end personal tablet PC.

Is this the new benchmark: how long does it take to do a big software update?

It's now 13:53. The personal computer has just rebooted after the update. I hope it's finished, but I don't know yet.


Andy "Krazy" Glew said...

Thinking about this: how can we make software upgrades take less time?

Almost as important: maybe they wll take a long time, but can be done in the background?

Intel's IT deployment system is not so bad. It tends to download in the background. It's still annoying as hell when it needs to reboot, but, today, it took 4 hours to do the update that my personal laptop took more than 5 hours to accomplish.

Unfortunately, my personal laptop has no wireless (at least not the old one in question), and therefore can't do background updates except when plugged in. Which it had not been for quite a while.

Here's an idea:

I have long espoused "personal VPN": I wish that somebody would sell a service whereby all of my PCs VPN'ed to some "Firewalls R Us" company. *All*. If I want to talk to a networked printer, I want to VPN to Firewalls R Us, and VPN from them to my printer.

Reason: the central Firewalls R Us can at least do the good stuff that a central IT department should do: Monitor network traffic. Look for anomalies.

OK, push further: How about if all net-facing applications were split into two pieces:

(1) one piece running on my laptop.

(2) another piece running at some other computer somewhere.

The second piece would run at Firewalls R Us, or at Inyel, or wherever. But, the key thing would be that it runs on a server that is always up, as opposed to the entire app running on my PC.

Reasn: my Pc is NOT always connected to the net. Theewrefore, when I power it on, it may need some patches to be applied RIGHT NOW!

Whereas, if the app were split into two as I describe, it is possible that all of the patches that need to be made to the second piece, running on the always up site, hae already been made.

E.g. imagine that I had a browser split this way. Imagine that there was a buffer overflow in some browser dialog. The second part could have been patched in such a way that the bug would never propagate through the second part to the first.

Andy "Krazy" Glew said...

In the end, it took my personal laptop > 6 hours to update, while my work laptop took "only" 4 hours.

Andy "Krazy" Glew said...

4-6 hours is along time for an unpatched computer to be visible to the network.

Now, I wasn't doing anything - no web browsing -so I should not havebeen vulnerable to that sort of issue.

But, if there was any service responding to incoming requests, or, for that matter, any service making outgoing requests (like "update my virus scanner patterns) they could have been vulnerable.

I almost wish there was an option that amounted to connecting a VPN tunnel between yourself and the update site, with no other traffic allowed until the update was complete(and possibly a scan was complete after the update).

Andy "Krazy" Glew said...

Could a checker based architecture help?

Run a checker shadow of the app, on the more-likely-to-be-up-to-date site (my Firewalls R Us).

If the app that has not yet been patched makes a syscall that the checkershadow does not make, alert.

You might not need to run this all the time. You might onloy run it until the app is updated.