Hacker News

grishka yesterday at 4:22 AM

For me, the solution is simple: anything you download and run locally should not auto-update ever, period. Installing an update (or refusing one) should always be a conscious user action. Otherwise it's just a socially-accepted RCE backdoor.


Replies

tredre3 yesterday at 8:31 PM

I used to use Duplicacy for my backups. The author was hell-bent on not allowing disabling auto updates.

The Go binary would be downloaded automatically and silently periodically. I tried to fight it for a while but at some point he added checks (!) to ensure that nobody was blocking his RCE model. Meaning it would no longer run on one of my partially air-gapped systems.

I moved on, but many other pieces of software behave that way.

Most Chromium-based browsers will show a big, scary and permanent button if they can't update, for example.

duskdozer yesterday at 1:58 PM

Even without that, I can't afford to deal with the constant churn of UI changes and feature deprecation.