Oil changes, safety recalls, and software patches

Security patches should be treated in the same vein as safety recalls — unless you’re certain that you’re not affected, take care of them as a matter of urgency — but it seems that far more users instead treat security patches like oil changes: something to be taken care of when convenient… or not at all, if it is never convenient. It’s easy to say that such users are wrong; but as an industry it’s time that we think about why they are wrong rather than merely blaming them for their problems.

The problems of the large volume of patches and their reputation for breaking things are made worse by the fact that many systems use the same mechanism for distributing both security fixes and other changes — bug fixes and new features. … Presenting updates through the same channel tends to conflate them in the minds of users, with the result that critical security updates end up receiving the lesser attention that is more appropriate for a new feature update.