Disabling automatic refresh for snap from store

It has been more than a year now since the feature to disable auto-update was requested. 166 comments with 9.1k views, only topped by the “Snap wishlist - suggestions wanted!” with 244 comments and 10.5k views.

It’s very clear that what users and developers want to see from snap the most is an option to disable auto-update. I can’t believe this feature still doesn’t exist. I like the snappy as a package but as a user I literally have no idea what apps are updated, what are still waiting to be updated, what update failed. I know nothing, as a user it’s completely out of my control and I don’t like it. Snapd should prompt the user with updates, user should be able to see the changelog.

There are many reasons to make those updates more visible. Let’s say I’m supporting some dev through Patreon or I bought an app like the ones from JetBrains. As a user I wanna be prompted to update so that I can see the changelogs to learn about the new changes and features so that I can look for them in a software and take advantage from it.

Having a choice, I’d rather have a choice to update than be in an illusion of security because the apps are auto updating.

I like the Android way, it’s on auto by default and I kept it that way since it shows me the entire updating history and there is an active notification for every app that is being updated at the time but I know that I always have the option to disable the auto-update and just do it myself. Also play store or apkm is smarter, it knows not to update while on low bandwidth connection, mobile hotspot or devices mobile data. It can update only using WiFi, it can update only large apps over WiFi and the rest as it feels like. I can control every setting and just configure it myself if I want or disable the auto-update for one app, multiple apps or the entire app library all together. And that’s the way package management is done.

As a user, there are some drivers or software that I simply don’t wanna be the first to update. I wanna wait for at least 50% of users to update in a first few days and if nothing was reported then I’ll update. Let me explain. If you have for example a video editor and you are in the middle of the project, you don’t want to update before you finish that project because what if they tweaked some effects that you are using or the working file format? You could potentially have a real mess, someone in the office opens the working project in a new app, doesn’t notice the changes, saves it and breaks weeks worth of work.

That has already been a case with Krita, Kdenlive, Inkscape 0.92 breaking all the files from the previous version. Gimp… Even Ubuntu 18.04 I updated, couldn’t log in anymore :open_mouth: man was I furious :stuck_out_tongue:

There are cases where I don’t want you to say to me that I can roll back because by then it would be too late. I also don’t want me or any of my employees spending time checking if maybe the snap updated overnight or while they were getting coffee. I want the software updater to make me aware that update exists and then I know to update it after we finish that particular project which we started editing using that version of the software.

Also I want my admin to take care of that, not Canonical, they don’t know anything what I’ve outlined here and they shouldn’t know it. What they need to do is make the update process more flexible for me.

As a dev, there’s no way I’d be using this for a non IoT app that doesn’t get tested extensively, I don’t wanna push an update just to discover I made some mistake in the code and everyone got the bad update. I’d rather it be a few users that report the issue and I push another update making most of the users skip the one with the bug. It happens to the best so it’s best to expect it.

You can say but that’s what edge, beta and rc channels are for and we’ve seen how that’s working out even for the snapcrafters team. Most of the snaps with multiple channels have the same version of software across all of them.

3 Likes

I just remembered, while we are on the topic of auto-updating, look what came up to me like 2 weeks ago when I was shutting down my laptop in a hurry to board a plane!

I mean, imagine my shock, it was the first time I’ve seen that on Ubuntu ever. I might as well have been using windows all along…

I really do hope that Ubuntu devs start making FLOSS philosophy as they might say it “a first class citizen” on Ubuntu again.

P.S. I didn’t miss my flight but I was holding my laptop opened in one hand on the terminal and through the boarding lol. I was shockingly staring at this newly discovered Ubuntu screen and other ppl and flight attendants were shockingly staring at me :stuck_out_tongue: #ubuntuproblems

1 Like

Not all of those views are from objectors, only a few people of those few thousand who have viewed have actually commented or Liked comments to register their opinion (even though I’ve been encouraging people to engage in that way, they don’t always do so), so we don’t know what their opinions actually are, so you can’t claim that that view number demonstrates ‘what users and developers want to see from snap the most’, and many of the comments are actually from snappy devs and myself engaging with objectors rather than making reasoned objections ourselves.

I think I back change here but I get where the devs are coming from and I’ve driven much of the traffic to this page because it’s one of a few places where I think snappy is currently going wrong (but I understand why it’s making this decision and it does have positive consequences, not only negative ones) and I’m honest about snappy’s downsides and want people to try and engage with the devs productively rather than simply get angry about it. Giving specific use-cases as to why this doesn’t work for people (rather than just ‘I don’t like it’) and suggesting changes short of an off switch (since the devs aren’t willing to contemplate an off switch yet) will move this issue, more of that productive input, I think, will create more change :slight_smile: We’ve already made progress, the snapd refresh timer enables one to just schedule an update once per month. If people can give good reason as to why that should be extended, and to what period of time and why that particular time period, then it may be… I’ve filed a bug against Ubuntu for Ubuntu to surface this option in a GUI, please mark yourself as affected by that bug :slight_smile:

Just because you (and many others) don’t like it doesn’t mean it should be changed. Users will always dislike certain parts of software but other users will dislike the change. The protesting voices are usually the loudest so the objectors’ views can’t always be heeded because, if that’s always done, there’d be constant flip-flops in design. Personally I really like the background updates. It’s completely hands-off and lets you get on with your work, Chromium OS-style. And not allowing a global off switch forces developers to get to grips with the feature and develop tests etc to ensure that their updates don’t break people’s experience. As for the changelog, yes that should be available somewhere and easily accessible from the command-line and from software centres. Was this something that came up at the sprint for GNOME Software @willcooke? Would the home screen surfacing of ‘updates from your favourite application publishers’ cover this? Could it be accessed in a more reliable fashion (i.e. on clicking an application, access to the changelogs is there on the application page)?

In theory those new features should be discoverable enough that you’d find them through just using the software but I get the idea. I think updates on GNOME Software’s home screen will help with that.

It’s not an illusion. There’s some risk because the apps are coming straight from upstream and sometimes the dependencies will be out-of-date but, on the other hand, you get updates, often including security updates, as soon as they come from upstream, there’s no distribution middleman delay.

If your connection is metered, snappy will hold back the refresh for up to 60 days, if you think that should be extended then make your case in the topic and give a specific use-case as to why you may need longer than 60 days. Maybe one could be in a developing country and with no Wi-Fi access but metered mobile data access? Is that a real use-case? :slight_smile:

I’ve asked if the metered bandwidth toggle in GNOME 3.28 will work with the above feature, if so then it should cover your use-cases above too (and graphically). You can do this with the command as it is: `snap set system refresh.metered=hold` then `snap set system refresh.metered=null` when updating is fine.

Personally I notice when snappy is taking up bandwidth when I’m on a low bandwidth connection so I run `snap changes` then `snap abort foo` to end the refresh, but the `refresh.metered` command is neater than that, and the refresh scheduler.

I didn’t think this was possible in Android? Huh.

What if snappy wants to do things differently?

The former is a good point, I’d like to see some comment on that from, say, @niemeyer, perhaps holding back refreshes on particular snaps for that use-case is a good idea? Or maybe they’d have to say that this is something that snappy can’t provide and you need to use something like AppImage or Flatpak instead for that use-case. The latter (‘working file format’) should be covered by the epochs feature which is currently in development (no ETA yet), as I understand it, if there’s an update that changes something like the file format, the dev should give that a new epoch number and you won’t be automatically refreshed to that new epoch? Is that correct @niemeyer? This would cover your Krita, Kdenlive, Inkscape, GIMP use-cases. Your Ubuntu issue sounds like something different :stuck_out_tongue:

Once epochs is a feature, if I understand them correctly, that won’t be necessary, everything should just work (though I understand there’s some risk here…I guess the snappy devs reckon that it’s a risk that you should just have to take, sorry!)

Your admin can already take care of that. A feature that has grown out of this topic is the Snap Enterprise Proxy which allows your admin to manage the refreshes! :smiley:

Staggered updates is an idea (like how Ubuntu pushes out Stable Release Updates to around 20% of users at a time), @niemeyer? Maybe snapd does this already though, not sure.

That’s usually because there hasn’t been a new release recently :stuck_out_tongue: In theory it works fine, we just need more early adopters reporting bugs… @popey could possibly comment on this, I can’t recall specific occurrences where an update is pushed to a non-stable channel and regressions are fixed, thanks to user reports, before they hit stable, but he may be able to recall occurrences :slight_smile:

2 Likes

I like this product very much. It could raise the bar of quality Linux software. It is exactly what consumers want.

But, from my perspective, force auto-updates or anything else is a big step back in this world, especially in the open source community.

> We’ve already made progress, the snapd refresh timer enables one to just schedule an update once per month.

I would say OK to auto-refresh consumer like programs. But, there is a difference between simple consumer programs, like calculators, and professional software. Especially if you are writing custom plugins and configuration. If an update causes the problem just before you need to finish a work, you will have huge problems. And more customizable software is the more chances to make something incompatible with future updates. It is common to not find time to fix issues within a month.

> I didn’t think this was possible in Android? Huh.

Actually, this is possible in the Android. And you don’t need to be a developer to do that. However, Google still notifies users about potential updates.

6 Likes

I created an account here just to let you know that I think that having something installed on a Long Term Support release distro that is automatically updated is extremely counterintuitive. What happens to the user when someone pushes a broken snap? How is the user supposed to know that the snap broke because of an update? If I were that newb user, I would blame myself. Hell, even as an experienced user, I would probably blame myself first.

What if I’m on a connection with metered bandwidth? I just have to let snapd use up all my bandwidth and be ok with it?

Turning Ubuntu into a half rolling release with snaps is not at all acceptable. Ubuntu is meant to be newb friendly. Newbs should never be forced to have packages that are automatically updated. We have stopped recommending stock Ubuntu due to shipping snaps that are automatically updated by default to newbs in our Linux group. We now only recommend Ubuntu flavors.

2 Likes

This is already supported:

1 Like

Sorry, but that is not acceptable. The user needs to be able to disable this entirely. This should be disabled entirely by default. What happens when the user has enough snaps to sap all of their bandwidth in one month. You would give them no choice but to use all of their bandwidth on snaps every other month. This is highly unacceptable.

You guys are turning Ubuntu into a half rolling distro with all of these snaps that auto update themselves. Please stop it. Rolling distros are not newb friendly. You are making Ubuntu not newb friendly. No other packages are updated automatically by default on Ubuntu. The user is not expecting packages to be updated by default on Ubuntu. You are not only doing something they do not expect to happen, you are giving them absolutely no choice in the matter. This seems like something Microsoft would do.

5 Likes

This is not true since 18.04 anymore, security updates are downloaded and installed automatically by default, even for normal distro packages (check the software settings)

1 Like

Where do you tell the user about this? Is the user given any option to change this on install?

Why are you forcing updates on people? Don’t you realize that people hated Windows 10 for this?

2 Likes

Don’t shoot the messenger please :slight_smile:

2 Likes

I created an account only to heart simonizor’s reply and second every word he said.

Here is my short opinion: Not being able to manually disable updates is almost obnoxious. Many, MANY valid reasons have already been pushed in this thread. And what Snapcraft comes up with is some metered connection voodoo?? Guys WTF hahahaha. Give me the choice, boom. Easy peasy and the world would immediately have become a better place.

And for the record, I (and probably many more ppl) will not try to hack my connection into being metered and succumb to hours worth of study of manuals to figure out if this metered-voodoo even suit my needs or how to reach the end goal. Again, giving me an option to manually disable updates would have been so straight forward and easy.

I think overall, we as developers should STOP trying to “think” for our customers and users or otherwise add “features” and hacks all over the place. Just give the end user a real choice!

Not saying the following rant applies to Snapcraft, but time and time again I hear of developers adding effort and energy into building something that actually limits the usability. And the reason is because they decided they know better than millions of users out there. These developers often respond with a; “why would you wanna do that” and then cross their arms. Well excuse me, because I am tethering a WiFi from my phone over a limited roaming data plan in the Sahara desert into a VM that runs a Docker container that…

Developers must understand that the reality is far too complex and demanding for us to dictate and instruct our users what their reality is or “should be”. KISS: Just give them a choice. So simple.

6 Likes

Ok, now something that nobody has mentioned just happened to me. A couple of weeks ago I was on a road trip and I needed to send some emails, login on some servers and check some work stuff, nothing fancy. I activated my cell phone hotspot and started with my business, but something felt off. Everything was going really slow, so I ran nethogs to find the culprit. Guess what, snap was happily updating itself over my data plan and by the time I disconnected my laptop it had already chewed 400MB from my 2GB monthly plan. I couldn’t work with my laptop until we arrived to our destination 2 hours later or I risked to lose more. We are talking about money and time. Don’t you think this story could have been completely different if I could disable the automatic updates and manually choose when I want to install them?
Regards
Mauricio

4 Likes

This has already been fixed (but not fully enabled by default yet as i understand) via:

2 Likes

Another good reason to allow system administrator to do updates when they need.
I’ve got a lxc cluster with lxd installed from snap, because it’s easy and the official documentation says it’s a good way to get the latest stable version.
Today lxd from snap refreshed at 11.44am and all my lxc containers crashed. On a production server. When I really didn’t need it to happen.
Now whose fault is that? snap for not allowing updates when I say I need them? lxd for releasing an update poorly tested? Mine for trusting snap on a production environment?
Sorry for this rant, but it’s ridiculous that you force updates to people perfectly capable to do their own testing and then schedule it when it suits them.

4 Likes

As a professional system administrator this is very easily solved by simply setting the update schedule to a date after your next regular maintenance window.

then you simply manually run `snap refresh lxd` while doing your regular announced maintenance and make sure to set the schedule to a date after your next maintenance window again.

snapd allows very flexible scheduling (and delays for up to 60 days) to integrate it into your regular scheduled maintenance.

indeed, if you do not use or set up this feature it will simply assume that you did not want to delay the update and do its duty to not leave you with security holes or unfixed bugs on the machine …

1 Like
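The scheduling routine described in the reply above, sketched as an added example (not code from the thread or from snapd). It assumes snapd's `refresh.hold` system option, which takes an RFC 3339 timestamp, as the way to "set the schedule to a date"; the 60-day cap is the figure quoted in this thread, and the function names and sample dates are hypothetical.

```bash
#!/usr/bin/env bash
# Added illustration: plan a snapd refresh hold around a maintenance window.
# It only prints the commands; nothing on the system is changed.

MAX_HOLD_DAYS=60   # limit quoted in the thread; check your snapd version

# hold_until NOW WINDOW -> RFC 3339 (UTC) timestamp to hold refreshes until.
# NOW and WINDOW are "YYYY-MM-DD hh:mm:ss" strings, read as UTC.
# The hold ends one day after WINDOW so the manual refresh done during the
# window always happens before snapd refreshes on its own again.
hold_until() {
    local now_s win_s max_s target_s
    now_s=$(date -u -d "$1" +%s) || return 2
    win_s=$(date -u -d "$2" +%s) || return 2
    if [ "$win_s" -le "$now_s" ]; then
        echo "maintenance window is not in the future" >&2
        return 1
    fi
    target_s=$(( win_s + 86400 ))
    max_s=$(( now_s + MAX_HOLD_DAYS * 86400 ))
    # A window further away than the cap cannot be covered by one hold:
    # clamp, and warn so the window gets moved or the hold gets re-set.
    if [ "$target_s" -gt "$max_s" ]; then
        echo "window is beyond the ${MAX_HOLD_DAYS}-day limit; clamping" >&2
        target_s=$max_s
    fi
    date -u -d "@$target_s" +%Y-%m-%dT%H:%M:%SZ
}

# plan NOW WINDOW SNAP -> the commands for one maintenance cycle.
plan() {
    local ts
    ts=$(hold_until "$1" "$2") || return $?
    printf 'snap set system refresh.hold=%s\n' "$ts"
    printf '# during the window: snap refresh %s\n' "$3"
    printf '# afterwards: run plan again with the next window\n'
}

# Constructed sample dates: today is 1 June, next window is 20 June 02:00 UTC.
plan "2018-06-01 00:00:00" "2018-06-20 02:00:00" lxd
```

If the clamping warning appears, the hold will lapse before the window, which is the situation the following post complains about.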

As a professional system administrator of a small company I sometimes don’t have time to update servers every 60 days. Also as far as I understand from reading other threads, these updates can be postponed only a certain number of times, after that they get forcefully applied.
I appreciate the effort to make the internet more secure, but you can’t shove security down other people’s throat.
I’m happy to face the consequences of my lack of security, since it depends entirely on my actions. But I wouldn’t want any more complaints from clients about services stopping unexpectedly.
Said so, I’ll stop asking/spamming. I understand there’s no agreement to be reached here.
Thanks for your reply anyway. I’ll try to do my job better from now on.

1 Like

i didnt mean to attack you, really :slight_smile:

i guess it is us who is doing a really bad job in advertising how to properly deal with snaps in such use cases (else this thread would probably not exist at all).

IMHO (and note that i was not involved in the decisions) the current behaviour is a good compromise to give you enough control while still making sure your install can not become harmful, because even though you are:

…us others are probably not that happy if your lxd cluster becomes part of the next botnet that DOSes our webservers, spreads the encryption trojan that makes us lose all our data if we don’t pay some blackmailer etc :wink:

The internet is the biggest community project of mankind, each of us has a responsibility, most of us do not care though …

The behaviour of snaps is a little like the friendly policeman that regularly nudges you about that wide open weapon cabinet next to your wide open garage door so that your neighbor doesn’t get shot with one of your guns by the thief that dropped by in your street.

It is annoying, no question, but you have control and it should be our job to teach people about how to exercise this control so it does not catch you by surprise and you can actually plan with it …

I am genuinely curious if someone more familiar with security research than I am could comment on this. It seems to be taken as a foregone conclusion that automatic updates result in better security. Of course, most of us have seen widely publicized stories of servers being attacked using known vulnerabilities that should have been patched months prior but for human error. Are there no cases of servers being attacked using vulnerabilities that were introduced through automatic updates? How do we know the latter case is less probable, or is that a hypothesis that snap aims to test? The pessimist in me assumes that software changes bring new bugs. I appreciate the contributions on all sides of this dialog.

1 Like

@lance. Yes, there is a trade-off. The bleeding-edge introduces bugs, which is the advantage to the Debian, etc. approach of back-porting security fixes into older, better-vetted versions. However, as some will point out, Debian, RHEL, etc. usually only back-port significant security fixes and minor ones will remain un-patched. Put another way, the answer is complex, but you are correct.

To some degree automatic updates offer a false sense of security. It is true that automatic updates increase security for users who never update. However, it is also true that automatic updates may decrease security for those who are more security minded. This whole chain poses some use-cases. My problem is that I posted such a use-case and it was completely ignored. I decided to give it another shot and started a new thread with a reasonable solution: again no interest. (See Hook to run scripts before and after refresh) Had someone, anyone, shown an interest, I might believe that automatic updates in snaps are totally about security. Given the total lack of interest in cases where automatic updates harm security, I don’t buy the story. Sorry devs, but you need to listen a bit better or, at least, fake some interest.

2 Likes

@niemeyer since, with the above quote, you effectively promised to address cases where the status quo is not working well, could you have a look at tony’s suggestions? If the snappy team is not able to address a lot of use-cases with the status quo (either because the status quo can’t address them or because the snappy team doesn’t have enough time) then I guess it’s time to introduce the global off switch? :slight_smile: