About the author

Steven Harmansteven harman :: makes sweet software with computers!

For recent posts and more about me, scroll to the bottom.

Sponsors

Subscribe

  • Subscribe to my feed. via RSS
  • Subscribe via email via email

News

Badges

  • Subtext Project
  • Support Subtext
| Home |

Does Web Software Need a 'Check Engine' Light?

A recent post by security analyst David Kierznowske reports that 49 out of 50 WordPress blogs that he checked out were running an exploitable version of the WordPress blogging engine. According to the post, David looked at blogs running on versions as far back as WordPress v1.2 (with v2.2 being the most recent release, as of this writing).

So does this mean that WordPress is buggy software that is to be avoided? No, not at all. It just means that those users need to do a better job of dealing with the bugs.

The sky is blue and software has bugs

All software has bugs, it's just the nature of the game. And until some magic-voodoo methodology comes along, finally allowing us to write bug-free software, we're just going to have to deal with bugs the best we can.

And what is the best way to handle a bug? Step on it of course! When talking about software bugs that means keeping your application patched and up to date.

Jeff Atwood wants his software to diagnose and fix itself. I think that's a great idea for software systems like your OS or any other software running directly on your desktop/server - like your web browsers, media players, office applications, IM clients, etc... But what about your web-based applications?

The web is different

Do we really want our blog engines, wikis, forums, portals, etc... updating themselves whenever they see fit? I doubt it!

The image editing application running on your laptop suddenly restarting after updating itself is one thing. But having your entire web portal go offline at some random time because it just updated itself is another story entirely.

Keep users updated

Short of the fully automated patching and upgrading utopia that only exists in Jeff's dreams, I believe one of the best ways to encourage users to keep their web applications patched and up to date is to keep them informed. They need to know when a new version is available, or a new high-priority bug has been found, new skins or plugins are available, etc...

In the case of WordPress blogs, you can't blame the guys (and gals) who are building the application for having users that don't keep their blogs patched. There is even a disclaimer on the WordPress Download Archive site stating that

None of these [WordPress Versions] are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained.

Now, I know they have a mailing list that announces when new versions are available along with some other news, and that's a good start. But we as software builders need to do more.

Bring back the ID-10-T light

Perhaps a check engine light wouldn't be such a bad idea for web applications. Of course, I'm not talking about showing that light to the front-end user. I would build it into the applications dashboard - just like in a car - where the application administrator/owner/manager can see it.

In implementation this warning light may just be a built-in RSS reader that shows a short list of the most recent project news items... along with some UI goodness that will warn the user of important news, of course!

You know, I think I might just add that to my to-do list for the next version of Subtext.

Tell me about it

What am I missing? There have got to be some better ways to inform the users of web-based applications that they need to take action to protect themselves. Or is it more than just information that they are missing?

Is it just too hard to manage this stuff? Maybe. That certainly would help explain why so many of the WordPress blogs that David looked at were still running such old and outdated versions of the code.

Do we, the web application builders, need to figure out more seamless way to upgrade our applications? Probably yes... but that is a topic for a whole other blog post. :)

What others are saying.

# Does Web Software Need a 'Check Engine' Light?
Gravatar DotNetKicks.com
May 25, 2007
You've been kicked (a good thing) - Trackback from DotNetKicks.com
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Aaron
May 25, 2007
I think that this may just be a question of how severely do we need to nag the user of our product to upgrade. by the way self-updating desktop software is not acceptable. Things change new bugs are introduced we should only recommend the upgrades not force them.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Andrew Rimmer
May 25, 2007
I think the dashboard should definitely feature latest SubText news. This shouldn't be obtrusive (it could load in the asynchronously via RSS like Wordpress).

I like your idea of having a status light with a colour indicating whether there are updates available or suggested (security issues).

I think the reason so many wordpress accounts are left on old versions are to do with a variety of reasons. The biggest reason I think is the user base, blog systems bring having a webpage to the masses and a lot of bloggers aren't geeks.

For systems that are so customisable, it makes it very difficult for them to be auto-updatable. However the next best solution has to be to tell people when they are at risk, or when new updates are available - then make it as easy as possible to upgrade.

# re: Does Web Software Need a 'Check Engine' Light?
Gravatar anb
May 26, 2007
I have a couple of plugins installed in my wordpress blog that alert me when there are newer versions available. Perhaps this same technique could be applied to wordpress itself. It still doesn't solve the problem of users not updating their copy when a new version comes along.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Steve Harman
May 26, 2007
@Aaron: I like the idea of auto-updating software on my desktop... well maybe not for me, but that sure would make life easier for the great majority of users. Think about your mom, or grandma - wouldn't it be nice if their system could keep itself in check?

Microsoft has started down this path with the whole Automatic Updates thing that it's been pushing since Windows XP. I'm no Microsoft fanboy, so don't confuse this as me saying that since Microsoft does it, it must be the right way. I'm just trying to think of what would be easiest for the average software consumer. :)
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Steve Harman
May 26, 2007
@Andrew: I really like the idea of a Subtext dashboard - and the coming Admin UI overhaul we have planned for Subtext v2.0-2.1 should provide me the vehicle to make it happen. Oh, and I totally agree that an AJAXified RSS stream is probably the way to go.

Also, you hit on a really important point when you mentioned how highly customizable systems are inherently more difficult to upgrade. And I agree that that is probably a big reason so many WordPress (or any other PHP web app) installations are running on older versions.

Because the are so easy to customize, almost everyone customizes their installation somewhat. But that leaves the user in a tough position - they then have no idea how to upgrade. And with the zero-friction upgrade path now out the window they just stick with what works... or at least what sort-of-works.

In Subtext we've tried to separate out as much of the customization points as possible so users can still have a relatively pain-free upgrade. But I realize, there is still work to be done on that front - and ideas are always welcome!
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Steve Harman
May 26, 2007
@anb: Agreed - the best we can do right now is alert our users and hope they take the initiative to upgrade their systems.

However, we have to remember that
Hope is not a strategy.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Simone
May 27, 2007
Steve, the dashboard with the latest interesting posts about Subtext and new release is something Daniela is designing into the new Subtext UI.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Lucio
May 28, 2007
diagnose and fix itself. I think that's a great idea for software systems like your OS or any other software running directly on your desktop/server - like your web browsers, media players, office applications, IM clients, etc... But what about your web-based applications?


How about gmail? Isn't it diagnosing and fixing itself all the time? I think it's okay to do it, as long as you don't break existing funcionality and/or provide fallback for legacy data in the app if you do.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Steve Harman
May 28, 2007
@Simo: I saw the sketches that Daniela sent and they look good - looking forward to seeing some more polished designs from her.
# re: Does Web Software Need a 'Check Engine' Light?
Gravatar Steve Harman
May 28, 2007
@Lucio: While it's true that from a user's perspective (read: to you and I) Gmail is automatically fixing itself, but I would venture to guess that in reality the system is being updated by some Google engineer.

That is the thing we need to keep in mind when talking about web-based applications - there are really two types of users:

  1. The application end user
  2. The application owner/maintainer


When thinking about Gmail you and I represent user type #1, while the Google engineers responsible for keeping Gmail running are user type #2.

In thinking about this very blog, which runs on Subtext, you would be user type #1, and I am actually user type #1 and #2. So from your point of view my blog automagically updates itself, but in reality I have to manually push new code out to my server - which is far from automagical to me. :)
Comments have been closed on this topic.