Why is Google rolling out Chrome updates over time?
Whenever the Chrome team releases a new version of the web browser to the stable channel, it points out that the release will be rolled out over time.
Yesterday's release of Chrome 63 Stable for the desktop, for instance, does so in the first paragraph of the post on the Chrome Releases blog.
The Chrome team is delighted to announce the promotion of Chrome 63 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
For a long time I have asked myself why Google rolls these releases out over time. I don't really mind if a release contains no security fixes, but I do mind a staged rollout of a release that does include security patches.
A staged rollout means, in practice, that some Chrome installations remain unprotected against attacks targeting the patched vulnerabilities until the update reaches them.
The desktop update to Chrome 63, for instance, fixes 37 security vulnerabilities according to Google's Chrome team, among them one rated critical and five rated high.
Access to the bug reports themselves is restricted for most of them, but Google does list information about each vulnerability reported to the company by third-party researchers. This helps attackers, as the description usually reveals the affected component.
Google Chrome is set to update automatically, but users can load chrome://settings/help at any time to run a manual check for updates.
On the desktop, Google does not hold the update back from a manual check: run the check and the new version is downloaded and installed. This is not the case on Android, where an application update may not be offered for days or even weeks, even if you open the Google Play Store listing and hit the install button there, or check for updates manually.
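The practical consequence of a staged rollout for anyone responsible for more than one machine is that an inventory check, not Google's rollout, tells you which installations are still exposed. The following script is an added example and not code from the article or from Google: it parses Chrome's four-part version strings, compares each installed version against a minimum patched build, and sorts the stragglers into those that merely need a manual update check and those where automatic updates were switched off. The minimum version (63.0.3239.84) and the host inventory are assumptions made up for the example; the article only names "Chrome 63".

```python
"""Fleet check: which Chrome installations are still behind the patched stable build?"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMPTION for illustration: the first Chrome 63 stable build. The article
# names only the major version, so substitute the build you actually require.
MIN_PATCHED_VERSION = "63.0.3239.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Comparing the raw strings is a classic bug: '9.0.0.0' > '63.0.0.0'
    lexicographically. Tuples of ints compare field by field, as intended.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True if the installed build is at or above the minimum patched build."""
    return parse_version(installed) >= parse_version(minimum)


@dataclass(frozen=True)
class Host:
    name: str
    chrome_version: str
    auto_update: bool  # whether Google Update / the updater is still enabled


# Constructed sample inventory (made-up hosts and versions, not real data).
INVENTORY: List[Host] = [
    Host("ws-001", "63.0.3239.84", True),   # already received the staged rollout
    Host("ws-002", "62.0.3202.94", True),   # rollout has not reached it yet
    Host("ws-003", "62.0.3202.75", False),  # admin disabled automatic updates
    Host("ws-004", "64.0.3282.0", True),    # beta/dev channel, already ahead
]


def exposed_hosts(inventory: List[Host], minimum: str = MIN_PATCHED_VERSION) -> List[Host]:
    """Hosts still running a build older than the minimum patched build."""
    return [h for h in inventory if not is_patched(h.chrome_version, minimum)]


def triage(inventory: List[Host], minimum: str = MIN_PATCHED_VERSION) -> Dict[str, List[str]]:
    """Group exposed hosts by what fixes them.

    force_check: updater is on, a manual chrome://settings/help check (or a
                 pushed update) gets the build immediately.
    updates_disabled: the updater is off, so no rollout will ever reach them.
    """
    result: Dict[str, List[str]] = {"force_check": [], "updates_disabled": []}
    for host in exposed_hosts(inventory, minimum):
        key = "force_check" if host.auto_update else "updates_disabled"
        result[key].append(host.name)
    return result


if __name__ == "__main__":
    for bucket, names in triage(INVENTORY).items():
        print(f"{bucket}: {names}")
```

Feed it the versions your endpoint management tool already collects (on Windows the version lives in the registry under the Google Update keys; on Linux `google-chrome --version` prints it) and the "updates_disabled" bucket is the list that no amount of waiting will fix.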
A better way
Security updates should be made available to all Chrome installations immediately. A system similar to Windows Update might work for making the update available: Microsoft releases security updates only on the second Tuesday of every month, but makes them available to all systems with automatic updates enabled right away.
Tip: Google changed the design of the chrome://flags page in the release, and also that of the Bookmarks Manager. You can restore the old design of the bookmarks manager for now by setting the preference chrome://flags/#enable-md-bookmarks to disabled, and restarting Chrome afterwards.
Security updates should, in my opinion, be made available to all users. That requires the infrastructure to deliver updates to everyone right away, but Google should have no issue with that.
I don't know why Google rolls out updates over time; it may really be a matter of reducing the load updates cause by spreading them over days or weeks.
Now You: Why do you think that Chrome updates are not made available right away?
I think it’s probably a combination of server load and, just in case there is an issue with the update, it gives them a bit more time to fix it before everyone is already updated, which would force them all to update again straight away.
If it breaks certain software combinations, making Chrome unable to work properly, or at all, they can stop the rollout with just a portion of users being affected instead of a larger percentage. At least that’s what I think deploying an update in stages is for, especially in Google’s case where server workload and bandwidth are not a problem.
I prefer the current method of making an update immediately available to all who care when it’s first available via help-about. This minimizes the effect of a bad fix to just a relatively few users, and makes it much easier for Google to devote human resource to troubleshoot and resolve the problem. FWIW….
My comment seems to apply to Firefox 57.0.1 as help-about gets me 57.0.2. Seems a gradual roll-out happens with Firefox as well as Chrome, even though it is an incremental version bump for Firefox this time.
Personally, I wouldn’t touch Chrome. Not ever. It tracks, and has a built in “ID” system, you can’t easily turn off updates, and I like to be in control of that…..it uses tons of memory, and worst of all, it feels so “unpolished and basic”. Honestly and truly, even if I’m the only one that thinks this….the settings, look and feel….all feel like 2003 or 2004. I just can’t understand the attraction to that browser. I also believe (just my opinion of course), that we should be holding Google at arm’s length, at a distance, and it just does not tick my ‘privacy-boxes’. Instead, I’ve tried some Chrome variants/forks, like Epic, Cent, and Slimjet.
That this browser (Chrome) should have the largest market share of all astounds me……and the fact that they relentlessly added a “Get Chrome” button on every other browser (that can only be turned off with CSS) puts me off even more.
Totally astounded at the take up of this browser!!
They did not “add a Get Chrome button on every other browser”. They display the “Get Chrome” button on their own website (google.com) if they detect you are not using Chrome. How is it wrong for them to advertise their own product on their own website?
@ Ross – Yes, I understand this, but for reasons of brevity, I did not expand.
Of course, this is not a browser issue, per se. It is simply that the User Agent is picked up by Google, and used to force a message on the screen.
The trouble is, if you auto-remove “most” cookies as I do, then all that happens is that you keep seeing Google’s nagging and persistent message. This soon becomes tedious, and you feel that Google is heavy handed (as they are anyway).
I addressed this a long time ago with CSS, and adjustments to the DOM. In fact, I run a number of scripts that make any Google services very “tamed” and far more as I want to see them.
I’m never logged into Google anyway, and they can’t collect my IP address (VPN), and with the control I have imposed on Google, I find at last, that it becomes a usable service.
I hope this clarifies my original comments about Google forcing their messages upon the browser.
I can understand the reasons for not wanting to use Chrome. I only keep it installed to keep up with development.
On my hardware I don’t see it using tons of memory and I actually think they have made some significant progress in the last year or so in reducing the amount of memory used. I use a crapton of flags and command line switches, that said, with 12 tabs open, scrolling pages, opening links, I see around 1.25-1.5GB of ram used. I don’t consider that a lot but then I have more memory than I can use, my excuse is VirtualBox. ;)
As far as security and privacy go there are a bunch of options with flags and command line switches, of course most people won’t be aware of them. You can enable TLS 1.3, disable cipher suites, limit referer data if any, limit what kind of prefetch is used if any, and many many other options. And last but definitely not least, it takes like one minute to disable automatic google updates in Win7. In some ways, Chrome isn’t the complete horror that it was a couple years ago. Why do I always feel like I’ve crossed over into the Dark Side? The Shame! :-D
That’s odd! I just noticed that with Chrome Dev the search box on the chrome://flags page is still searching the whole page just like “Find” (CTRL+F) does but Chrome stable does not. Must be a bug!
A lot of people that have Google Chrome installed on their desktops have not installed it on their own. “It just appeared there”, usually bundled with Adobe Flash (install or update) or some other program, or it was installed by using the Internet Explorer method, which doesn’t appear to be a typical download/installation.
There are a lot of “non-tech” or “naive” users that can’t tell the difference between a browser and a website. So once Google Chrome has appeared on their computer, they just think they *must* use it to access the Google website to search for something. Some others think that “the Internet” must be accessed by a Google search (don’t know about typing a URL), so if they want to access Facebook, they must type facebook on Google and access it from the search results…
That’s the way, in my opinion, Google Chrome has made itself the most used browser…
About the deferred distribution of updates… If updates are untested, or not tested enough, or you’re just using users as beta testers, it would be best to distribute them over time, just in case something breaks… If they are properly tested and the probability of breaking something is almost none, then it makes sense to distribute them as fast as possible.
Re your last paragraph: I have been running Chrome x64 beta since it was first available as a user choice. In all that time only one problem was apparent to me, and I temporarily had to roll back to the latest Chrome stable until the problem was resolved in the beta. That says to me Chrome developers and testers do an amazing job before a Chrome x64 beta is released. In all that time using Chrome x64 beta, I take advantage of the new function and security without waiting to see this in the stable version. Works for me….
I think there are two very unfortunate trends in the software industry these days that lead to this situation (and they’re both related to the highly misguided trend of “continuous release”). It’s not just a Chrome thing.
The first issue is that companies don’t really do serious testing prior to release anymore, so they can’t have a high degree of confidence that their changes won’t break things. Thus the need to roll out updates over time, to reduce the scale of the impact when the update inevitably breaks things.
The second is that companies no longer differentiate between “security releases” and “feature releases”. They’re all just lumped in together now.
Both of these things individually are pretty terrible, but the combination of the two can be downright infuriating.
I prefer the over time roll out just like Windows 10. Most of us don’t need new features immediately. And, the security risk is very minimal compared to what you believe. You have to visit the specified attack site within a very short time frame. Nearly impossible scenario for most people even without adblock.
This is something I have noticed Google doing more and more. I don’t use Chrome on any of my desktops/laptops, but I do have a Chromebook that I like to use for traveling because it is cheap and replaceable. Chrome OS updates have been increasingly staggered over the last year, with it sometimes being a couple of weeks before I receive them. I assumed that part of this was because Google is slowly rolling out Play Store support and wanted to make sure there were minimal issues. That assumption does not appear to be correct now I guess.
> This helps attackers, as Google reveals the component that is affected usually in the description.
What do you mean by that? I’d say this helps everyone involved, including attackers, but they’re in the company of browser developers, sysadmins, curious and power users.
Publishing the information raises prices for non-published bugs, making exploitation cost higher. Which is good for all users.
I don’t mind them publishing the info, but if they do a staged roll out, they should not until updates are available to all users.
Well, I agree there is an issue with non-updated deployments, I’m just saying Google is handling this better than most others, including Microsoft.
Also, are you sure updates are unavailable, not just undelivered?
I didn’t receive the update yet when I read the article, but once I opened menu → Help → About Google Chrome, it started downloading it right away. And this is almost always the case.
I don’t think Google delays updates because they have bandwidth issues. Instead, other organizations may: imagine 100 PCs simultaneously start downloading Chrome update one morning. Even if that org has a 100 MBps link and it’s unused by anything else, it’s 1 MBps per PC (by the way, this is reason many organizations’ admins turn off auto-updates for most software).
And in organizations, nothing stops admins from deploying the new msi via group policy right away, and Linux admins have no problems at all if they set up a local mirror of the repository.
Home users… may be victims, but still they are way less frequently a target. Also, savvy home users can force an update just by opening chrome://settings/help if they want.
Often though (just look at current thread) power users prefer to stop updates until they have a problem. This is what they learned from Microsoft way.
On the desktop, you can run a manual check for updates to get them at that point. If you don’t, then you may not get them right away. I guess it depends on how everything is configured on your end.
by the way, here are official explanations: https://support.google.com/chrome/a/answer/3168106
It’s for Chrome OS, not just for the browser, but I guess principles are the same.
I agree with Sophie….and well written.
As a systems engineer, I really dislike auto-updating software. Every version has to be checked for compliance with all the software and hardware (driver) variations. Being able to prevent such updates is then key, to lower the pressure to keep every piece of software at the latest version. I normally do that on a 2 month cycle of checking software being updated, testing the latest, etc. It’s nice if you only have a couple of software packages to maintain, but if you have hundreds, it’s just simply not feasible to keep it all updated to the latest, while having other tasks as well.
From a security perspective, updating right away isn’t really required. While the “vulnerability” information is out there, there aren’t many infected servers that exploit it already or that soon. The chance to run into it that fast is negligible.
After that, you come to considerations of the update regimen for home users: if something goes wrong with the roll-out you have to manage that problem. Best is then to distribute to the biggest variety of hardware/software, but that isn’t predictable unless you keep a database of that. So a randomized userbase is then updated, most probably through their own randomized auto-update schedule and the availability of the update on servers in their region.
I suspect that the manual update is a separate server that is being called that always has the latest no matter what to cater to those users that really want to install it.
@John – Immense words of common sense, as you have noted.
Your own perspective is the same as mine, down to the last letter.
It should be pointed out that Google removed the “unique-ID” from Chrome in 2012. Ironically, Vivaldi has incorporated it into their browser.