InformAction Forums

Hello,

I searched the FAQ and also searched through the forums. My forum search returned 1100 plus hits, after the first few pages, well the answer might have been there but I was not able to narrow the search.

Anyhow, what I would like to know is how to disable the silent update feature. Apparently this was implemented a number of releases ago and I didn't catch it. I would like to be able to confirm that I want the updates installed rather than just having it done for me.

Here is why. I use an automated backup tool FEBE and it runs each day. If I don't know that NS has updated, the tool stalls because there is a pending update. I have FEBE set to run while I'm at lunch, so I'm usually not present when FEBE runs into the wall. Then I must go and manually re-run FEBE after I've closed the browser and restarted.

Please advise on how to turn off the silent automatic updates.

Thank you,

Firefox does the updating, not NoScript.

An alternative approach, if you want to check 'what you are about to receive',
is to check the Recent all builds feed (or the Recent stable releases feed)
just before you run your FEBE.

If there is a NoScript update you can do it manually, using the linked XPI
(just right click the link and "Open Link in New Tab").

See NoScript Feed Coming Up Short?
http://forums.informaction.com/viewtopi ... eed#p34543 for more information and the URLs for the linked XPIs.

Then run FEBE.

dhouwn wrote:Firefox does the updating, not NoScript.

With your Firefox 11, using Menu, Tools, Add-ons, you can use the "Tools" button: looks like
a 'cog wheel' to adjust how 'Automatically' you want Firefox to update your Add-ons.

DJ-Leith

Please advise on how to turn off the silent automatic updates.

DJ-Leith wrote:...With your Firefox 11, using Menu, Tools, Add-ons, you can use the "Tools" button: looks like
a 'cog wheel' to adjust how 'Automatically' you want Firefox to update your Add-ons....

@ DJ-Leith: Being a fan of simplicity, I like your second solution better than the first.


@ wachobc: Firefox Tools > Add-Ons. As DJ-Leith said, click the down-arrow next to the gear wheel. ***
Uncheck "Update add-ons automatically".
Then be sure to open that same menu and click "Check for updates" (manual update check) before each backup, and perhaps once more each day if you use the computer for extended periods, so that you still stay reasonably current on updates.


*** @ dhouwn:

The fact that they hid this setting in an unlabeled gear icon, with a vague onmouseover tooltip only, is just another step backwards from F2/F3 -- a reference to the "newer is not always better" in my reply to you in another thread a little while ago. [/rant]

Thank you all for the replies!

I agree with the comment about the non-descript gear icon. I would have never had a clue to look there.

Yes, I could go out and check for updates each day, but I also know that if FEBE was not able to be 'scheduled' that I would forget to do that as well. Automation, re: FEBE is nice.

When I went and checked the 'gear' drop-down, it seems like the folks at FF decided either A) you get automatic updates or B) you do not get automatic updates. There's no 'ask me' option to updating. That is disappointing.

This is (obviously) the first time I've encountered the update issue so I'm assuming that there was a recent change in one of the releases.

Hopefully the folks writing FF will give the end user a little more control over the update process in the next release.

Best,

wachobc wrote:Yes, I could go out and check for updates each day, but I also know that if FEBE was not able to be 'scheduled' that I would forget to do that as well. Automation, re: FEBE is nice.

When I went and checked the 'gear' drop-down, it seems like the folks at FF decided either A) you get automatic updates or B) you do not get automatic updates. There's no 'ask me' option to updating. That is disappointing.

Firefox Tools > Options > Advanced > Update > "Check for updates, but let me choose whether to install them" > OK.

The wording is a bit different from F3, but the path there is the same. However, was it really necessary to hide this in "Advanced"? Most non-tech users (quite rightly) stay away from things marked "Advanced". IMHO, this preference doesn't qualify. YMMV.

btw, this has always been my own choice. If I'm in the middle of online banking (for example), I don't want *any* program creating new Internet connections, including my AV, Firefox, or other updaters. IMTFHHO. (tin-foil-hat)

This is (obviously) the first time I've encountered the update issue so I'm assuming that there was a recent change in one of the releases. ... I agree with the comment about the non-descript gear icon. I would have never had a clue to look there.

Hey, it took me a while to find it --sort of rummaging around, clicking this and that -- after downloading whichever of the first "New! Improved!" versions of Fx had this huge regression in easy user access to these GUI elements.

Hopefully the folks writing FF will give the end user a little more control over the update process in the next release.

Their track record seems to be taking more control away from the users in some regard, or at least, hiding the config settings ...

On a related topic, did you know that Firefox 12 can update itself?
Not the Add-ons but the 'main program': Firefox.

Firefox 12 released - can now update itself 24 April 2012 I'm posting this link because
A. Heise Security have written clearly (like Tom T. - and better than me).
B. They have shown pictures, this really helps. One picture is the Menu setting that Tom T. wrote about
(Thu Apr 19, 2012 1:06 am - above)
BUT with the 'new option for Firefox 12' - the "Use a background service to install updates".
C. Helpful hyperlinks for further reading.

DJ-Leith

DJ-Leith wrote:On a related topic, did you know that Firefox 12 can update itself?

I had previously told a friend about this, who has a background in industrial and government software applications, but does not closely follow Internet or browser issues.
The reaction: Practically criminal.

What if your machine can't support the new version?
What if you would like to examine the Release Notes, etc., first? ... and make config changes, including any new GUI or about:config defaults in the new version -- the version that you don't know you have?

Compare: Microsoft updates your XP system to Vista without your knowledge. Not practical or really possible, but the idea is the same...

Thanks for the pic of the change away from auto-update. One pic is worth 1000 words (no matter how clearly written, TUVM )

DJ-Leith wrote:BUT with the 'new option for Firefox 12' - the "Use a background service to install updates".

Interesting: I don't have that option in the GUI for F12.
I am still running a portable version until I see what other stuff they might have hidden.
Perhaps the good people at PortableApps.com removed that deliberately, as a service to their user base?

Answer: No, it's been that way all along.

Modifications

I made some modifications to the default version of Firefox to make it more USB key friendly (decreasing the number of writes to the drive, which will increase drive life). These changes are listed here so you'll know what they are, and so you can recreate the process, if so desired. Obviously, you can change many of these settings (ex cache) by changing the options in Firefox, but you will increase the number of writes to your flash drive, thus decreasing its life.
<snip>
* Update Prompt - As updating the browser on a flash drive can be very slow, Firefox Portable asks you if you'd like to update rather than doing it automatically.

(the emphasis was mine)

It appears that you can manually reset it to the Automatic Update, but even doing so, there still is no option for a "Background service".

Cheers for John T. Haller & Co. I really must eke out a few more dollars as a donation to those good people.

Incidentally, the portable edition can be placed on your hard drive as well. This would reduce the inevitable loss in performance that is dependent on the speed of your flash drive, which can vary widely among brands, sizes, etc.
One advantage of the portable on a HD versus native install would be that it's easy to run multiple versions and/or multiple profiles, even simultaneously, without the -no-remote command line switch, or even having to use the Profile Manager at all. (Each install has its own Default Profile.)

Updating within the same directory, whether on flash or hard drive, still preserves all settings from the previous version, just as a native overwrite/update does.

Thanks to DJ-Leith for an excellent link drawing attention to this issue, of which most users would probably be unaware.
Spread the word, people.

Firefox supports updating itself for a long, long time, at least Firefox 1.5 was capable of doing that if I remember correctly. This new service (which BTW just runs when needed) makes it possible for Firefox start the updater application with the appropriate right when the rights Firefox runs with would not suffice to do the update (e.g. because the "Program Files" directory and subdirectories are read-only for the default user under Vista/7), for most users under Windows Vista/7 that means that the UAC elevation dialog* will be popping up no more whenever an update is to be applied (considering the default settings; in other setups elevation through the elevation dialog might not be possible, in such cases using the service is the only possibility for Firefox to update itself when running with insufficient rights).

* see the images at http://en.wikipedia.org/wiki/User_Account_Control for how it looks like.

@ dhouwn:

The update could occur without the user knowing, or having a chance to object - or even to allow/deny the connection. This is what seems to be new, and distasteful. Avoiding a UAC prompt on those OSs that have it hardly seems justification for, in essence, hacking someone's computer. ***

From DJ-Leith's link:

The final result should be an almost silent update that, at most, only alerts users after an update has been successfully applied.

No, thank you, Sir.

*** "Installing sw without the user's consent, or even knowledge" -- pretty much one definition of black-hat hacking. In the US, that's a felony.
I wonder if anyone will press charges against MZ?

Tom T. wrote:This is what seems to be new, and distasteful.

It's not new for some users (e.g. users logged in as admins under XP), minor updates (now every update) were applied "silently" since quite some time.

Tom T. wrote:What if your machine can't support the new version?

Then you should switch to Opera (at least that's what the official position by Mozilla was for Win2k users and it's what I believe gets displayed to users on 2k systems instead of Firefox updating itself).

Tom T. wrote:What if you would like to examine the Release Notes, etc., first? ...

Then you should disable automatic updating, the option is still there. But since there is always only one current and supported version of a product (considering Firefox ESR and classic Firefox to be seperate products), not updating to the newest major version is basically not an endorsed/supported option from Mozilla's perspective.

Tom T. wrote:This would reduce the inevitable loss in performance that is dependent on the speed of your flash drive, which can vary widely among brands, sizes, etc.

Since the read speed of Flash mediums is often superior to hard disks going for a mixed solution might also be a good idea, have the folder of your profile (where things are often written to, inter alia since the cache is there per default) on the hard disk and the Firefox installation folder on the flash drive.

dhouwn wrote:

Tom T. wrote:This is what seems to be new, and distasteful.

It's not new for some users (e.g. users logged in as admins under XP),

You mean, like me?

minor updates (now every update) were applied "silently" since quite some time.

I've always checked the "notify, but don't install" option. It's the "Background Service" (what exactly *is* that? Will my firewall detect it as separate from firefox.exe?) that appears to be a novel introduction.

dhouwn wrote:

Tom T. wrote:What if your machine can't support the new version?

Then you should switch to Opera. (That was the official position by Mozilla for Win2k users and it's what I believe gets displayed to users on such systems instead of updating)

Reasonable enough. As discussed elsewhere, including with GµårÐïåñ, some might feel that an unsupported version of Firefox + NoScript is safer than a supported version of anything else that doesn't support NS. Whether black-hatters will chase a rapidly-diminishing base of users of the old version versus the fertile, rich ground of a new release, especially since:

Firefox formerly was superior in safety to IE even in updating. MS would await Patch Tuesday, even if the patch were ready three weeks earlier. (Sometimes, two months earlier, if there were "too many" updates for a single PT. It's happened at least once, that they've admitted and that I remember.) MZ would release decimal-point bumps pretty much whenever a critical vuln was discovered/reported, verified, and the patch was ready. Check the changelog for Fx 2 and 3; some had only one high-security update.

Now, F12 fixes seven Critical, four High, and three Moderate from F11. Surely some of those were ready to go at some earlier date. Why no F 11.0.1, .0.2, etc.? How many of those were publicly known but unpatched? (Another statistic in which Fx formerly crushed IE.) Not a rhetorical question; if you know, please tell. But it seems unlikely that all twelve would have been simultaneously reported/patched.

Back to the main point: If Fx adopts MS policy, or worse: Critical fixes only on major version bumps every six or eight weeks when the new Rapid Release comes out, then evildoers should have a field day on the new ones. Which means they may not bother with F3 -- or F2.
(NOTE: For discussion purposes only. Official recommendation is always to use a currently-supported version of *all* software.)

Tom T. wrote:What if you would like to examine the Release Notes, etc., first? ...

Then you should disable automatic updating, the option is still there. But since there is always only one current and supported version of a product (considering Firefox ESR and classic Firefox to be seperate products), not updating is basically not an endorsed/supported option from Mozilla's view.

True enough. But as said, if I'm doing online banking, I don't want some b/g service doing stuff in the, uh -- background.
And maybe I intend to get the new browser, but I'd like to go to MZ Release Notes, etc., first, to see what changes I need to make in the defaults. And surely I can trust MZ enough to go there with the older browser? ... versus *not even knowing that I have a new browser* (cf. DJ-Leith's link-quote again) for which I may wish to change things.

There is no excuse for hiding from me the fact that you've made a major change to my software, and I expect the default setting is to "Auto-update in b/g."

Tom T. wrote:This would reduce the inevitable loss in performance that is dependent on the speed of your flash drive, which can vary widely among brands, sizes, etc.

Since the read speed of Flash mediums is often superior to hard disks you could also go for a mixed solution, have the profile (where often things are written to since there is the cache per default) on the hard disk and the Firefox installation on the flash drive.

I've realized that I have very slow flash drives -- bought for price, without performance-shopping. But I don't intend to buy new ones any time soon.
Clever optimization idea for those who do have fast USB drives, though.

Tom T. wrote:It's the "Background Service" (what exactly *is* that? Will my firewall detect it as separate from firefox.exe?) that appears to be a novel introduction.

At this point it does not much more than to start updater.exe with more rights (after validating that it can be trusted, e.g. comes from Mozilla).

Tom T. wrote:MS would await Patch Tuesday

They started doing that since 2003, that's true. Still they would sometimes do out-of-band updates if a vulnerability was exploited actively in-the-wild.

Tom T. wrote:MZ would release decimal-point bumps pretty much whenever a critical vuln was discovered/reported, verified, and the patch was ready.

I read on a blog from a Mozilla release engineer or so that internally they worked with 6-week timeframes before the introduction of the rapid releases. Still, like MS they would do out-of-band releases if they considered it necessary. They still have the concept for out-of-band updates in the rapid release model, it's called "chemspill"s. 6.0.1 and 6.0.2 were such releases where security problems were solved (in that particular case because of the DigiNotar certificate fiasco).

Tom T. wrote:Why no F 11.0.1, .0.2, etc.?

To get adequate testing of up-to-6 weeks or even more if they defer it? Though with more transparent updates they certainly could do more low-risk out-of-band updates and don't have to fear about users being upset about too many update prompts (remember how it was before the introduction of dev versions of NoScript?).

Tom T. wrote:Back to the main point: If Fx adopts MS policy, or worse: Critical fixes only on major version bumps every six or eight weeks when the new Rapid Release comes out, then evildoers should have a field day on the new ones.

I don't quite get what you are talking about, are you talking about the problem of the timeframe between updates being released (at which point the baddies might have gotten a hint about a potential exploit, hopefully not before) and being applied widely? Exactly this was one of the reasons why Patch Tuesday was introduced, to coordinate with system admins in order to minimise this window (but don't ask me why they chose Tuesday).

Tom T. wrote:But as said, if I'm doing online banking, I don't want some b/g service doing stuff in the, uh -- background.

Like I said, the does never run in the background at the same time as the Firefox instance it wants to update ATM (this might change with Bug 307181 - (bgupdates) Eliminate wait while restarting Firefox after update (apply update in background)), it gets started by updater.exe and it then starts another instance of updater.exe with more rights, that is before Firefox gets started ATM.

Tom T. wrote:And surely I can trust MZ enough to go there with the older browser?

Can you? What if there is another certificate disaster, someone MITMes your connection and replaces an automatic update of a Firefox add-on currently being shipped to you in the background, OK, I know, a little bit too artificial scenario.
Anyway, we are here talking about the defaults for the average user, the average user doesn't wants to read no release notes, damn computer should just let him do his/her work.

Tom T. wrote:There is no excuse for hiding from me the fact that you've made a major change to my software,

The excuse is transparency for the average user, see above.

Tom T. wrote:and I expect the default setting is to "Auto-update in b/g."

You do, then where is the issue? (typo?)

Tom T. wrote:I've realized that I have very slow flash drives

You sure? You benchmarked it? Otherwise, you could try http://usbspeed.nirsoft.net/

It's the "Background Service" (what exactly *is* that? Will my firewall detect it as separate from firefox.exe?) that appears to be a novel introduction.

scrib Tom T.

It's a Service in the Win admin area. It runs either manually or automatically, same as all other Win services.
If you run portables, you won't have equivalent services, will you.
If it's on a permanent Win install, it will now have that service listed and running either as auto or manual, depending on how the config item is toggled. The service name is "Mozilla Maintenance Service".

While your annoyance is justified about having something run automatically without your being alerted, I can't understand why so *much* noise here.. Surely the greater proportion of folk running Fx want their install to be as current as possible *for security reasons* but also with as little need for them to have input during the process. Most when they see a UAC popup either freeze and need to check with their admin - wasting time and energy when all they want is a trusted oversight of their browser install - or they dismiss the popup and remain insecure until someone explains how to update (possibly too late for the next zero-day) or they accept the UAC and get annoyed because it interrupts them.
This is a Windows-specific enhancement that is sensible for the majority of those still trapped in Win land.

Surely Mozilla on their part want to have their user base as current as possible while at the same time avoiding server overload at update time. Having them organise the service flexibly within the Win system of "nice" processes makes a lot of sense in that regard, as well as plugging the gap of background updates on Win systems where the browser isn't running long enough sessions to ensure timely updates.

The browser has reached as much importance as systems have in these times, and security updating is more important for most than you with your much greater familiarity with your own system appear to understand.

Would you condemn the novice to zero-days if it could be helped?
Would you condemn the community to more bot nets than necessary as a result?

dhouwn wrote:

Tom T. wrote:MZ would release decimal-point bumps pretty much whenever a critical vuln was discovered/reported, verified, and the patch was ready.

I read on a blog from a Mozilla release engineer or so that internally they worked with 6-week timeframes before the introduction of the rapid releases. Still, like MS they would do out-of-band releases if they considered it necessary. They still have the concept for out-of-band updates in the rapid release model, it's called "chemspill"s. 6.0.1 and 6.0.2 were such releases where security problems were solved (in that particular case because of the DigiNotar certificate fiasco).

They don't have dates on the Fx 3.6 Security Updates page, but it does seem that they would issue a decimal update for even a single issue. There were 27 updates in the 27 months of support, which averages one per month, but unless my memory is really bad (it's possible ), I do seem to remember security updates at shorter intervals then that -- with others at longer intervals. Still averages more than once every six weeks.

Tom T. wrote:Why no F 11.0.1, .0.2, etc.?

dhouwn wrote:To get adequate testing of up-to-6 weeks or even more if they defer it? Though with more transparent updates they certainly could do more low-risk out-of-band updates and don't have to fear about users being upset about too many update prompts (remember how it was before the introduction of dev versions of NoScript?).

There was a 10.0.1 and a 10.0.2 also, so perhaps they were chemical spills... they were critical. I guess my wish is that when there is a critical issue, you patch, test, and release ASAP, regardless of "cycles". Is this unreasonable? ... I can understand batching less-critical fixes.

Tom T. wrote:Back to the main point: If Fx adopts MS policy, or worse: Critical fixes only on major version bumps every six or eight weeks when the new Rapid Release comes out, then evildoers should have a field day on the new ones.

dhouwn wrote:I don't quite get what you are talking about, are you talking about the problem of the timeframe between updates being released (at which point the baddies might have gotten a hint about a potential exploit, hopefully not before) and being applied widely? Exactly this was one of the reasons why Patch Tuesday was introduced, to coordinate with system admins in order to minimise this window (but don't ask me why they chose Tuesday).

Not quite. Patch Tuesday creates that 27-day window of opportunity. (They chose Tuesday because Mondays suck for everyone. ) Let's say 12.0 is released, and bad people know that F13 won't be released for six weeks (at least). They can hunt actively for flaws in F12 and exploit them. If MZ isn't committed to fixing any exploit as soon as there is evidence of it in the wild *or* reported responsibly, then there is the same window of opportunity. And what is reported responsibly by Mr. Whitehat may be discovered an hour later by Mr. Blackhat, who has 5+ weeks to have fun and tell all his haxxor fr13ndz about it.

If MZ *is* committed in such cases, that would be good to know, and to see documented. The feeling is that they're more driven by dates than by events.
In a different field in which I once worked, it was considered inferior to focus more on the process than on the results. Work should be results-driven, or problem-solving driven, rather than issue releases on some fixed schedule. Still set goals, of course, but if something happens tomorrow...

Tom T. wrote:But as said, if I'm doing online banking, I don't want some b/g service doing stuff in the, uh -- background.

dhouwn wrote:Like I said, the does never run in the background at the same time as the Firefox instance it wants to update ATM (this might change with Bug 307181 - (bgupdates) Eliminate wait while restarting Firefox after update (apply update in background)), it gets started by updater.exe and it then starts another instance of updater.exe with more rights, that is before Firefox gets started ATM.

Thanks for that, unless they change it to the bad way. Any idea whether they will?

Anyway, we are here talking about the defaults for the average user, the average user doesn't wants to read no release notes, damn computer should just let him do his/her work.

Some average users I've heard from don't want to start their browser and find out that it's different from the last time they started it, with no notice.
Recall that IIRC, geolocation was default-enabled until enough people screamed. OK, "we'll always ask". What about the MS Update that installed .NET add-on for Fx, without user knowledge? People were rightly upset. That wasn't MZ's fault, but now MZ is doing the same thing as MS did there.

To save work and interrupt for average user, I say: Default to auto-notify of new release or update; ask user "Install now? Later?", and include a box:
"In the future, go ahead and update Firefox for me automatically."
This is the same issue as with cookies and many other things:

"Change from opt-out to opt-in".

So long as John and Jane Average have knowingly opted in to this, cool. It bothers them only once.

Tom T. wrote:There is no excuse for hiding from me the fact that you've made a major change to my software,

The excuse is transparency for the average user, see above.

See above.

Tom T. wrote:and I expect the default setting is to "Auto-update in b/g."

You do, then where is the issue? (typo?)

No, no typo. I expect them to default to what I don't like, at least without notice: The silent update, with *maybe* notification *after* install, as per DJ-Leith's link. I want them to do what's said above: Default to notify/ask, and offer opt-in to future silence. (With a clear setting to opt back out at any time.)

Tom T. wrote:I've realized that I have very slow flash drives

You sure? You benchmarked it? Otherwise, you could try http://usbspeed.nirsoft.net/

Mine looks pretty good there, but as they say:

The test is made by writing a large file (named $speed_test_nirsoft$.dat) into your USB flash drive, and then reading it back for testing the read speed. Be aware that you need at least 100 MB of free disk space in order to successfully make this speed test.
Also, be aware that this test is made with sequential read and write operations. When using multiple small files, the read/write performances are usually much lower than sequential read/write.

I did already know that. Portable browser entirely on flash would make many small writes, not one large one. Empirically, the portable is very slow compared to native install.

The guy at the local factory-authorized service center did say as you did, that the potential throughput of the USB ports themselves is quite high, faster than the HD (which has a mechanical search arm, etc. -- if I had the money, I'd have accepted his offer to replace my HD with a SSD. Less heat, less weight, longer battery life.). But if my particular flash drive fares less well on many small read/writes...

ServiceDefinition wrote:

It's the "Background Service" (what exactly *is* that? Will my firewall detect it as separate from firefox.exe?) that appears to be a novel introduction.

It's a Service in the Win admin area. It runs either manually or automatically, same as all other Win services.

OK, like Windows Background Intelligent Transfer Service. Got it, thanks.

ServiceDefinition wrote:If it's on a permanent Win install, it will now have that service listed and running either as auto or manual, depending on how the config item is toggled. The service name is "Mozilla Maintenance Service".

Good, then it can be disabled like any other Win service.

If you run portables, you won't have equivalent services, will you.

No, which is why I had to ask -- didn't see it anywhere.

While your annoyance is justified about having something run automatically without your being alerted, I can't understand why so *much* noise here..

Because my annoyance was justified... .. and if you've followed the thread, you'd know I'm not speaking just for myself. See the ref to my friend who wrote security-clearance type stuff for the US Gov, but never for Windows, and doesn't follow browser issues, etc. And thought this idea was horrible.

This is a Windows-specific enhancement that is sensible for the majority of those still trapped in Win land.

Somehow, they survived F2 and F3, with a "notify me", so they could install when convenient, and not necessarily in the middle of a session.
That may not be instantaneous, but it's still better than waiting until next Patch Tuesday or next MZ calendar-marked Rapid Release.

The browser has reached as much importance as systems have in these times, and security updating is more important for most than you with your much greater familiarity with your own system appear to understand.

On the contrary, and I hate to repeat myself, IRL I deal almost exclusively with non-tech users. It's the hard-core techies, at MZ or MS or Mac or wherever, who hang only with other hard-core techies, and cannot relate to novices.

I've observed this in other fields in which I worked, ranging from sports coaching to the business world. The cognoscenti can't empathize with the noob.

Would you condemn the novice to zero-days if it could be helped?... Would you condemn the community to more bot nets than necessary as a result?

Of course not. This is why I object to the every-six-weeks update schedule vs. fix everything as soon as you can, even if you just issued a patch yesterday for something else.

A notification screen, perhaps with a special screen for in-the-wilds -- "THIS UPDATE FIXES AN URGENT SECURITY FLAW" -- but don't cry wolf when it doesn't. For less-urgent, the prompt lets the user update at their earliest convenience.

And as said above to dhouwn, if they would like to opt-in to silent auto-up, fine.

Cheers.