
How do you roll back a fatal car accident caused by the faulty update?

Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens. Allowing them time gives them and Jeep the ability to slow-roll the update so they can halt it if initial feedback is negative.

I say this as a Mac user who does not allow auto updates for macOS. I wait a week or so until the chatter validates it as non-breaking. They pushed an OS update several years ago that broke a few things I rely on. So I don’t trust them now, but these things just happen on OSes with third-party software. I expect it. But I also don’t want to be forced to deal with the headaches immediately. I’d rather let the third parties run updates and advise how to deal with them before I have to dive into fixing things. With car firmware, there’s really no excuse for this except poor engineering / processes.



> Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens

FTFA:

> The buggy update doesn't appear to brick the car immediately. Instead, the failure appears to occur while driving — a far more serious problem

And from the GP upthread:

> There is no way to tell if you received the bad update.

> There is no way to tell if you received the 'fix' either.


Good points, I did miss those. However, if I had this vehicle and I was reading this article today - and had the ability I'm asking for - I would just keep my current version running until they figure this mess out. It's the advantage of letting other people run the updates first, you get to hear about issues before you experience them.


> user who does not allow auto updates for MacOS.

Many security compliance regimes require auto-updates to be on. It's thought of as the lesser evil, because many (most) users never update their OS/browsers, which is worse.


Well, it could be solved on two fronts: you could issue the update and let users know that it needs to be installed and will be installed automatically if not done within a specific timeframe.

If there are security related updates where the risk is severe then they may auto update.
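As an added illustration of the two mechanisms argued for in this subthread (a slow-rolled update that halts itself when early telemetry is bad, and a deferral window after which a non-critical update installs anyway while a safety-critical one installs at once), here is example code written for this page. It is not Jeep's, Stellantis's or any vendor's updater; the ring sizes, thresholds, the "did the vehicle pass its post-update self-test" telemetry and the device identifiers are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed ring sizes: fraction of the fleet admitted at each stage.
RINGS = (0.01, 0.05, 0.25, 1.0)


@dataclass
class Rollout:
    """One firmware version being slow-rolled through the fleet."""
    version: str
    max_failure_rate: float = 0.01   # halt once more than 1% of a ring's reports are failures
    min_reports: int = 50            # do not judge a ring on fewer reports than this
    ring: int = 0
    halted: bool = False
    ok: List[int] = field(default_factory=lambda: [0] * len(RINGS))
    failed: List[int] = field(default_factory=lambda: [0] * len(RINGS))

    def admitted(self, device_id: str) -> bool:
        """Deterministic cohort assignment: hash the device id into a bucket in
        [0, 1); a device is admitted once the current ring covers its bucket, so
        it never flips between rings and earlier rings are subsets of later ones."""
        digest = hashlib.sha256(device_id.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") / 2**32
        return bucket < RINGS[self.ring]

    def report(self, ring: int, drives_ok: bool) -> str:
        """Post-install telemetry from a device in `ring`: did the vehicle pass its
        post-update self-test? Returns the rollout state after this report."""
        if drives_ok:
            self.ok[ring] += 1
        else:
            self.failed[ring] += 1
        return self.evaluate()

    def evaluate(self) -> str:
        if self.halted:
            return "halted"          # a halt is sticky; only a new version restarts
        # Any ring with enough data and too high a failure rate halts everything,
        # including late reports from rings that were already passed.
        for r in range(self.ring + 1):
            total = self.ok[r] + self.failed[r]
            if total >= self.min_reports and self.failed[r] / total > self.max_failure_rate:
                self.halted = True
                return "halted"
        if self.ok[self.ring] + self.failed[self.ring] < self.min_reports:
            return "waiting"         # not enough feedback yet to widen the rollout
        if self.ring == len(RINGS) - 1:
            return "complete"
        self.ring += 1
        return "advanced"


@dataclass
class Device:
    device_id: str
    installed: str                    # version record the owner can read back
    offered_at: Optional[datetime] = None


def install_decision(dev: Device, ro: Rollout, now: datetime,
                     critical: bool = False,
                     deferral: timedelta = timedelta(days=14)) -> str:
    """What the updater should do for one device: 'skip', 'offer' or 'install'.
    Non-critical updates are offered and the owner may keep deferring until the
    window closes; critical (safety) updates install immediately; nothing installs
    from a halted rollout, even if this device was offered it earlier."""
    if ro.halted or dev.installed == ro.version or not ro.admitted(dev.device_id):
        return "skip"
    if critical:
        return "install"
    if dev.offered_at is None:
        dev.offered_at = now
        return "offer"
    if now - dev.offered_at >= deferral:
        return "install"
    return "offer"


if __name__ == "__main__":
    ro = Rollout("2025.09.1")           # constructed version string
    state = "waiting"
    for _ in range(50):
        state = ro.report(0, True)
    print("after a clean ring 0:", state, "-> ring", ro.ring)   # advanced -> ring 1
    for _ in range(49):
        ro.report(1, True)
    print("after one failure in ring 1:", ro.report(1, False))  # halted
```

The halt check runs on every report, so a single ring that turns bad stops the rollout before the next ring is opened, and because the halt is checked again at install time, a car that was offered the update last week but deferred it simply never gets it. Cohort membership is a hash of the device id rather than a random draw so that a rebooted or restarted fleet service assigns the same cars to the same rings.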


The point is it’s up to the device owner to make their own risk calculation instead of the benevolent manufacturer.


The point was that the manufacturer is forced to have auto update enabled in the name of security compliance. So this issue needs to be solved by compliance first.


Well, my comment was from the owner's side. An end-user corporation is the owner of a corporate device like a car, so it can decide whether to turn it on or off. I just commented that for any serious corporation auto-updates will be turned on, per the compliance requirements applied to the corporation.


This is a hypothetical in this situation; car manufacturers are under no such obligation. Also, rules like this tend to get reversed once the true risk is realized, people dying that is. We do all kinds of things for very marginal improvements to security these days.


> Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens. Allowing them time gives them and Jeep the ability to slow-roll the update so they can halt it if initial feedback is negative.

This does not fix any QA process that is broken. And frankly you should not need to update any control unit firmware after it is sold. The fact that they're even doing this is broken.

Unless your Mac is somehow attached to 5000 pounds of metal going 65 on the highway, the same standards should probably not apply.


> going 65 on the highway

Oh you sweet summer child


> The fact that they're even doing this is broken.

The NASA space probes are constantly uploaded with new software that has greatly increased the scope of their mission.


The NASA space probes can’t plow into a minivan with a mom and her 2 kids inside. There’s an entire different risk level here.


What if the update is to address a safety issue?


The manufacturer needs to issue a recall in that case. They can't have their cake and then eat it too. Either the update is not critical and should not be generally available or it is critical and they should inform their users with the proper framing.


The original software will always have bugs in it, and those bugs will need correction. Software updates to fix/enhance it will also introduce new bugs.

The idea that one can create complex bug-free software is a fantasy. The correct mindset is to learn how to deal with failure. (This is how airliners are designed.)


> What if the update is to address a safety issue?

If they didn't make "safety" right the first time, why do you think they will do it better the second time, when the fixes are more expensive and the time pressure is enormous?


Please refer to my earlier comment that there is zero chance of making bug-free software.


Counterpoint: You can get close enough that you can run a probe in space for 60 years.


Some probes have had major failures that JPL was able to work around with a software update.


True, but: different budget per unit of code produced.


Hence the famous joke at NASA that you get to launch the rocket when the documentation, if piled up, would be taller than the rocket itself.

...all of which is just an excuse to show this great picture of Margaret Hamilton [1], lead developer on the Apollo guidance system, standing next to (and slightly shorter than) the printouts of the source code https://en.wikipedia.org/wiki/File:Margaret_Hamilton_-_resto...

[1] Who was admittedly quite short apparently


That's a fantastic picture.

I've worked on some interesting software with lives on the line as well and the amount of test code absolutely dwarfed the functional part. I wonder whether at the time of the effort you linked that was already common practice and if it was what the fraction of that code was tests.

Assuming she's 1.65 meters tall and 66 lines per page (quite common back then), at 0.2 mm thickness per page that's ~8K pages; times 66 lines per page is ~550K lines. Pretty impressive!


On the other hand, if you know your old software is buggy and could cause a fatal accident, you release a software update, but for some unknown reason the user keeps refusing to update the software, what would you do?


In that case you issue a recall, which is the correct way of dealing with potentially fatal manufacturing defects.


Which will be costly. Also, it does not guarantee the user will return your car, right?


It should be costly. You want to encourage companies to make better/safer products that have been well tested. The whole “Move quick and break things” is from the perspective of a completely nonessential social media service. They have no consequences when they break things, although even that has changed as every minute of downtime is lost revenue. Self inflicted financial pain is completely acceptable, if they choose to take that path. Car companies should not.


Yeah, but the user will be liable for not returning the vehicle under a recall.

As for cost, surely you can ask Ford's lawyers who worked there in the 70s to give you a good calculation on life vs recall costs.


Just issuing a recall is not enough. There are countless reasons why someone does not return the product: they may simply not know, and there is no way to reach them.

That is why Samsung pushed an update to disable the Note 7 even after recalling them.


> There are countless reasons why someone does not return the product: they may simply not know, and there is no way to reach them.

In Germany we let the Kraftfahrtbundesamt [1] handle this. You are required by law to keep your address updated with the authorities, and all vehicles have to be registered to get a license plate. When a recall for safety reasons happens, the Kraftfahrtbundesamt writes a notification letter, and if you do not respond in time with evidence of having the recall issue remediated by a qualified shop (or doing it yourself and getting a sign-off from a licensed inspector), eventually they write to your local DMV office, which can ban your vehicle from the roads, and if you miss that the police show up at your home and physically remove the license sticker from the plate.

And heaven forbid you get actually caught driving the car after having gotten the notification letter from your local DMV. That's automatically felony territory. Our authorities really, really do not mess around.

[1] https://www.kba.de/DE/Themen/Marktueberwachung/Rueckrufe/rue...


As an American, I assume most of the thread above was assuming a US locale, and it seems like a solid case of the all too common "impossible by US status quo standards" when in fact the solution can be quite simple; we just lack the imagination or willingness to see what works elsewhere.


> on the other hand, if you know your old software is buggy and could cause fatal accident, you release a software update

No. You test it. And release it if and when it is fully tested. (you know, V-cycle). But we are Agile now and testing is expensive.


You can apply every fancy safety model (V-cycle, ISO 26262, ASIL, MISRA) and nothing can guarantee you write one-shot bug-free software when your software is slightly more complex than just controlling some lights, sensors or actuators.


But you’d catch cases like this where the hardware is immediately bricked during driving. If you didn’t, your tests aren’t up to snuff.

Let’s not let perfection obstruct progress.


>your tests aren’t up to snuff

Yup, my test is not perfect, but "Let’s not let perfection obstruct progress".


Are you suggesting the “does it drive” test after an update isn’t a reasonable test that should be a fairly common sense one to add in?

In all scenarios, tricky bugs will happen. Something inconceivable will go untested. But that’s not what happened here. This is basically functionality being lost that very obviously should have been tested.

In that sense, they could have made progress. Nobody is expecting perfection. You seem to be hung up on the distinction.


This is not a case of 'absolutely bug free', more a case of 'not obviously and stupidly broken'.



