Google opens update software to scrutiny

In an attempt to better show what its software is up to, Google has released the source code of its Google Update software, a project code-named Omaha that can automatically install new versions of programs, including the Chrome browser and Google Earth.

"Some users can be surprised to find this program running, and at Google, we don't like disappointing our users. We've been working hard to address these concerns, and releasing the source code for Omaha is our attempt to make the purpose of Google Update totally transparent," Myles Jordan of Google's software engineering team and Michael Smith of its product management team said in a blog post Friday.

Google believes in automatic updates of software so security vulnerabilities can be patched quickly, and Google Update is the tool that permits automatic downloading and installation of a new version in the background so it's ready to run the next time the program is launched.

Sharing source code can allay concerns about what exactly software is up to, but Google also hopes that others will be able to use Omaha.

"Keeping software up-to-date is hard. So if you're thinking of developing your own auto-updater, or have already started, we hope that the code we are releasing today will be helpful to you," the Google employees said.

The company also released an Omaha developer guide for those wishing to use the software. Omaha is governed by the Apache License 2.0, Google's preferred open-source software license.

[Vegaman_Dan]

I can't help but wonder that by making this open, has Google just opened the doors to possible exploits being automatically installed onto a system by spoofing the content delivery method? <br /> <br />Seems like a security issue might be a concern here.

Not really. Any determined cracker can EASILY decompile the installer to see what it's doing or just sniff the network packets... all this WITHOUT having access to the installer source code. This just opens it up to the rest of us to validate what's going on. It puts a lot more scrutiny on what the code's doing AND allows us to find potential security problems with it and report it to Google. The end result is the installer will get more secure over time (not that it isn't secure now) and we'll have the assurance that Google isn't up to no good with the closed code.

[Vegaman_Dan]

Could a third party then use this to replace the orignal Google Updater and use a customized one that allows the end user decide what products get updated or installed automatically? For example, if you install Google Earth, you get a full suite of extra unrelated Google products installed without your consent when it auto updates. I'd like to have more control over that.

[mbenedict]

True in theory only.<br /><br />Unfortunately open sourcing also helps less-determined crackers, while "the rest of us" who (in theory) can "validate what's going on" rarely do so in practice. Thus open source software isn't necessarily more secure than closed-sourced ones (one can point to Debian's massive SSL blunder, as an example.)<br /><br />Don't get me wrong, it's great to have transparency from Google, but that's different from security.

[JCPayne]

@Vegaman: Thats why u only download the software from the original site. Anyone taking the risk of d/ling the google software or its patching tool/software from a third party site, runs the risk of installing something rogue (whether google shows whats behind the code or not.)