Software update for non App Store programs

Discussion in 'Mac Apps and Mac App Store' started by jlau, Jan 27, 2017.

  1. jlau macrumors newbie

    Joined:
    Aug 12, 2008
    #1
    The apps that are downloaded in the App Store can be automatically updated using the check update function in the App Store. What is the fastest way to do that for all non App Store programs? If there are many non App Store programs, wouldn't it be hard to make sure that all apps are updated if the only way is to open the programs one by one? Also, what are some programs (both App Store and non App Store) that should be installed to keep the computer safe from being monitored/hacked? Thanks.
     
  2. Rok73 macrumors 65816

    Rok73

    Joined:
    Apr 21, 2015
    Location:
    Planet Earth
    #2
    Well, it's obvious that you have to update apps which are not from the App Store yourself. Most of the software has an auto update function these days. Look for it on the app's preferences.

    MacOS is not prone to viruses or such. Not many are written for the OS. The best option to avoid malware is brain 2.0.
     
  3. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #3
    Its dependent on the app in question. Some apps auto-check, others do not. Many of have a check for updates menu item as well.
     
  4. Jessica Lares macrumors G3

    Jessica Lares

    Joined:
    Oct 31, 2009
    Location:
    Near Dallas, Texas, USA
    #4
    Don't enable auto update. Developers have probably learnt from what happened to Transmission last year, but you never know if something like that is going to happen again and to who. The convenience isn't worth the identity theft, lost of data, and whatever else. You should know why something is getting updated too.

    Saying that, I don't think too much about updates to begin with. I might open an app I haven't used in two weeks and get an update message, but I'm just going to tell it to remind me later and go on using that app and download the new version when I want to. I don't have the fear of things breaking between macOS updates because I'm already using apps that haven't been updated for years anyway.

    You could probably take MacUpdate's update RSS feed and filter it with IFTTT so it only shows the certain apps you want to be updated about. That, or have a script running in the background that checks and then sends you a message through Notification Center.
     
  5. Bart Kela Suspended

    Bart Kela

    Joined:
    Oct 12, 2016
    Location:
    Searching...
    #5
    Well, if the average user turns off auto update, how are they going to know when it is absolutely safe to download the latest version?

    There's really no way of knowing if a software developer's download site has been compromised or not at any given moment.

    The realistic way for Joe Consumer to handle this is to A.) let auto update bring the installed software to the current version, or B.) postpone the update until later. Either way, Joe Consumer doesn't know if the downloaded bits have been compromised.

    And why does software get updated? New features, bug fixes, security fixes, etc. Joe Consumer doesn't have the technical knowledge to assess whether or not any given software update is truly worth upgrading to.

    Telling the average person not to update the software they frequently use is UTTERLY IRRESPONSIBLE.

    Ignore Jessica Lares's dubious "advice." Unless you are a longtime Macintosh IT professional, you don't have the knowledge of which software updates to install or ignore.
     
  6. organicCPU, Jan 27, 2017
    Last edited: Jan 28, 2017

    organicCPU macrumors 6502a

    organicCPU

    Joined:
    Aug 8, 2016
    #6
    Security is a big business and there are always two or more opinions on this.
    There are many built in security tools in MacOS that you can discover like FileVault, (Application) Firewall or User Settings and a lot of things doing their job more under the hood like XProtect, System Integrity Protection or Gatekeeper. Some security apps are a little hidden like pfctl and will get discovered, if you really need and search them through the man pages in Terminal.
    I think, there are great extra tools for analyzing (Wireshark, Private Eye) or blocking (Murus, Little Snitch) available. There are also some tools that claim that they give you additional security and are doing exactly the opposite, like invading and stealing privacy or installing as a tiny little botnet.
    Anti-Virus does have some importance, if you exchange files a lot with windows users and want to make sure, that you don't pass them on.
    For new ransomware like KeRanger it's more important to find the right strategy than a special app, that it doesn't hit you so hard, if it would really happen. For anything else that's the same with the strategy and that depends absolutely on your individual habits of computing.
    As a rule of thumb, I'd say the more third party apps you install, the more risk is there. I.e. Flash, Java, Silverlight etc. do have frequent security updates and are more vulnerable or at least more targeted than others. If you can leave those critical apps away, if not, that's another reason to think about an adequate backup strategy.
    For a debate about security, you should better hook into an existing thread or create another thread with a more meaningful title, that one can find your question.

    As the others mentioned, most common apps for Mac do have automatic update options nowadays. Years ago before the Mac App Store days I tried such update tools, that were capable of updating anything. At least they claimed, that they could do that. After breaking functionality of apps or erroneously updating to newer versions I dislike, I decided to take the manual approach again. Again, that was years ago and I tried none of the solutions listed for Desktop Apps.

    Then, besides the native or well ported binary Mac apps, there is the whole world of UNIX apps, one can find as source code and then compile for Macs. Years ago I used package managers to install that apps. Some are quite recent and still active, some have become a little neglected over time. They are a good starting point to install and update from source in an easy way and those folks maintaining those packages and package managers are doing a fantastic job in porting incompatible sources to code that is working on a Mac. Nevertheless, today I tend to compile software from source by myself, if there is not too much effort for porting. So I can learn much more and know where I can find all components, etc. Homebrew seems to me one of the most recent and widely supported package managers today. MacPorts is a well known source, too. Fink was once my favorite, but the GUI Fink Commander doesn't seem to be maintained anymore so much today. Many package systems are providing access to very different apps, versions, builds, etc., so they can all be valuable, depending on your needs.

    Besides the package managers for UNIX apps there is a growing number of package managers for developers. Those managers are often called dependency managers. Especially for web development, it's frameworks and languages, those managers are and will get more and more important, as there are new versions of frameworks available in fast cycles. At the moment I evaluate different ways to maintain everything I need, but haven't found some rock solid approach yet. Here I just link some well known apps, most of them PHP and Javascript centric. I'm sure that there are many more for all kinds of programming languages or specific development frameworks out there. Would be interesting to list all known installer and maintaining tools (e.g. for Ruby on Rails, Python, Java, C, etc.)

    The following list is far away from being complete, but gives you an impression. As an average user that does just some browsing, writing and sending emails you probably won't have any need for any of these apps, but yes, they do exist.

    Update Desktop Apps:
    Mac Update Desktop
    Mac Informer client
    Appversion
    Software.com for Mac
    Zero Install
    Homebrew Cask

    Install Desktop Apps:
    Get Mac Apps
    macapps.link

    Install and Update UNIX like Apps:
    Homebrew
    MacPorts
    Pallet (GUI for MacPorts)
    PortAuthority (GUI for MacPorts)
    Fink
    FinkCommander (GUI for Fink)
    pkgsrc
    GUIGNA (GUI project for Homebrew, MacPorts, Fink and pkgsrc)
    Rudix
    Nix

    Install and Update Web related packages:
    npm
    ndm (GUI for npm)
    Bower
    Pak
    Duo
    Yarn
    Pear
    Composer
    --- Post Merged, Jan 27, 2017 ---
    I guess what @Jessica Lares wanted to tell is about the vulnerability of Sparkle, a popular framework that updates many different apps. That's not just a problem of a single site. And old apps are especially affected, if they still use old protocols for their update task.
     
  7. Bart Kela Suspended

    Bart Kela

    Joined:
    Oct 12, 2016
    Location:
    Searching...
    #7
    That's moot because Joe Consumer doesn't know what update framework his/her applications are using.

    If she was specifically concerned about Sparkle, she would have mentioned it.

    Still that doesn't change the fact that the average user doesn't have the resources to analyze all this stuff and decide "Yes, I will upgrade Application A; no, I will hold off on upgrading Application B."

    Sadly, this is a perfect example of when technologists can't see the forest for the trees.
     
  8. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #8
    The infected version was not distributed as an automatic update; only the standalone version was. The auto update function probably helped the developers spread the fix much faster.

    Sparkle became the scapegoat for what was ultimately the vendors’ responsibility in the first place. If they serve content over HTTP, then of course that can be compromised by a MITM attack. Even if they distribute code-signed software, they still have to vouch for the source as much as they can.
     
  9. Bart Kela Suspended

    Bart Kela

    Joined:
    Oct 12, 2016
    Location:
    Searching...
    #9
    Again, two more pieces of minutiae that won't register on Joe Consumer's radar.

    Upgrading using the built-in upgrade mechanism is safe whereas downloading the full installer from the vendor's website is dangerous? What sort of consumer is going to figure that out? NONE.

    Man-in-the-middle attacks? They are done precisely because Joe Consumer won't know.

    For all of the amazing technical information that is here, sometimes there is a deplorably scant amount of applicable wisdom.
     
  10. organicCPU, Jan 27, 2017
    Last edited: Jan 27, 2017

    organicCPU macrumors 6502a

    organicCPU

    Joined:
    Aug 8, 2016
    #10
    Yes, I agree. And the more advanced user will get informed by reading MacRumors and knows a bit earlier, when it's good to leave the routine. Concerning Sparkle it was recommended to get the new app releases directly on the developers site and not through auto update.
    Yes, you're right. In that case the vendors and the programmers could have avoided the vulnerability. On the other hand Sparkle could have restricted the use of insecure http in favor of a secure connection years ago. For the end user the result was, not to put blind trust into an update mechanism and always stay sensible and informed on topics like this.
     
  11. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #11
    Wow, that is such an ignorant reply! Of course users should keep their apps updated! The Transmission incident was extremely unique and not something that happens often!
     
  12. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #12
    Of course they do not figure that out, that was the gist.

    No, they are done because the software is flawed. Vulnerabilities are there whether you are ignorant or tech-savvy. Every piece of software you use can be compromised. Trusting someone else is unavoidable not only with pre-compiled software but pretty much every piece of software distributed, in binary form or as source code. ‘Joe Consumer’ can stick to simple advice: do some basic research about the software, download from one of the vendor’s official sources and keep it updated.
     
  13. Bart Kela Suspended

    Bart Kela

    Joined:
    Oct 12, 2016
    Location:
    Searching...
    #13
    Pundits like Jessica Lares should not be telling people to slack off on updating software.

    Exploits are carried out because there is some return to those miscreants who are creating them. There are relatively few Mac exploits simply because there are relatively few Mac users, not because a given piece of software is inherently insecure (like a web browser).

    Use whatever update mechanism are available and keep that software up to date. That will service the typical user far better in the long run than postponing upgrades.

    This whole thread is utterly appalling in terms of suggesting reasonable actions for Joe Consumer.
     
  14. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #14
    Nobody asked about ‘Joe Consumer’ except yourself and I believe that part of the OP’s question has been answered multiple times now, with a comprehensive list by organicCPU. Do it better then and stop moaning.
     
  15. Ulenspiegel, Jan 28, 2017
    Last edited: Jan 28, 2017

    Ulenspiegel macrumors 68030

    Ulenspiegel

    Joined:
    Nov 8, 2014
    Location:
    Land of Flanders and Elsewhere
    #15
    The picture is not black and white in this case as well.
    Jessica Lares had a point, talking from experience.
    Time showed that it is wise to wait and see with most of the updates, unless it is absolutely necessary because of security and some other specific reasons.
    Lately, I had negative experience with a number of updates that had major bugs, were worse than the previous version, not functioning as it was intended or at all.
    So, common sense should prevail and not blind, unquestionable acceptance of all updates.
     

Share This Page