"update_check" setting is ignored #1206

Closed
FichteFoll opened this Issue May 13, 2016 · 27 comments

Member

FichteFoll commented May 13, 2016

Summary

The update_check setting is seemingly ignored, as per numerous reports on the forum.

Expected behavior

Setting "update_check": false should prevent "An update has been found" popups from appearing, as it did previously.

Actual behavior

No change in behavior.

Environment

  • Operating system and version: mostly Linux it seems
  • Sublime Text:
    • Build >=3080?

https://forum.sublimetext.com/t/update-check-false-not-working/14847
https://forum.sublimetext.com/t/disable-a-new-version-of-sublime-text-is-available-download-now-in-sublime-3-stable-channel/19961
https://forum.sublimetext.com/t/st3-ignore-update-check-false/17468

Industry commented May 16, 2016

Same issue on a Windows machine. Such a nuisance.

bazzinotti commented May 16, 2016

Very annoying

VaelVictus commented May 24, 2016

The irony being that we must now update to a future version that we don't want in order to null further update messages. Is this fixable with a plugin? I'd like to stay at my current version because I cannot handle another broken theme.

Member Author

FichteFoll commented May 24, 2016

Your only option is to prevent ST from reaching the update check server, via your firewall settings or by editing hosts. I don't know which host it connects to however.

Edit: The IP seems to be 209.20.75.76.

Member

wbond commented May 25, 2016

Unlicensed copies do not have the ability to turn off update checks.

VaelVictus commented May 26, 2016

Ouch. You'll just have to leave it to the pirates. As for me, I'll try the IP block.

bazzinotti commented May 26, 2016

I'll buy it, of course. Very useful tool I should have bought sooner 😄

matkoniecz commented May 26, 2016

> Unlicensed copies do not have the ability to turn off update checks.

Maybe mention it in the "An update has been found" popup? This problem was one of the main reasons* why I was hesitant to buy a license.

The second is PayPal - for a start it asked me for the password to my bank account [sic!] and after refusing demanded credit card info...

*This phishing turned out to be operated by the supposedly credible company Trustly and is the result of a recent bug in financial law in the EU - http://security.stackexchange.com/questions/121707/paypal-is-asking-for-my-bank-details-how-secure-is-this.

Member Author

FichteFoll commented May 26, 2016

The update_check setting isn't documented at all.

ayibfanani commented May 28, 2016

update_check works if you have a license.

VaelVictus commented May 28, 2016

Unfortunately, blocking the IP 209.20.75.76 did not work.

I suppose it's possible to buy a license and just not upgrade, but I've been against buying because I can't buy once - if I bought Sublime Text 3, I'd need to pay for 4 and 5 and so on. While you could argue Sublime's great and I use it daily, there are other similar editors that have caught up to it, so I find this attitude of forcing us to buy a license to null the second annoying warning fairly inconsiderate. With respect for the standards it set for other code editors, maybe Sublime's reign is soon to be over.

mc0e commented Jun 17, 2016

@VaelVictus Or, if using LinuxMint, you could upgrade SublimeText using apt like any other software. You'd need to pay for the software to get rid of the nag though.

I'm also concerned that the updatecheck is reporting my current software in clear-text, and being unencrypted, the update response looks likely to be open to tampering with where software gets downloaded from.

Member Author

FichteFoll commented Jun 17, 2016

From my tests, I didn't detect any unencrypted communication from ST to a potential update server, only a TLS connection to the IP I mentioned earlier. That was on Windows.

Member

wbond commented Jun 17, 2016

The update check on Linux does not use TLS because different distros have different versions of OpenSSL, and the update check binary is separate from the plugin host where we have OpenSSL statically linked.

My hope is to try and solve this at some point by trying to dlopen OpenSSL with a baseline SSL config.

mc0e commented Jun 17, 2016

re @FichteFoll 's comment:

sudo ngrep -d any sublimetext
####################
T 10.135.1.6:42906 -> 209.20.75.76:80 [AP]
  GET /updates/3/stable/updatecheck?version=3114&platform=linux&arch=x64&r=1&
  m=gw7W HTTP/1.0..Host: www.sublimetext.com..User-Agent: sublime-version-che
  ck/3.0....                                                                 
###########
T 209.20.75.76:80 -> 10.135.1.6:42906 [AFP]
  {.    "latest_version": 3114,.    "update_url": "https://www.sublimetext.co
  m/3",..    "manifest_host": "www.sublimetext.com",.    "update_host": "down
  load.sublimetext.com",..    "manifest_path_osx": "/_pak/sublime_text_osx_31
  14.manifest.xz",.    "update_path_osx": "/sublime_text_osx_3114.pak.xz",.. 
 "manifest_path_windows_x64": "/_pak/sublime_text_windows_x64_3114.manife
  st.xz",.    "update_path_windows_x64": "/sublime_text_windows_x64_3114.pak.
  xz",..    "manifest_path_windows_x32": "/_pak/sublime_text_windows_x32_3114
  .manifest.xz",.    "update_path_windows_x32": "/sublime_text_windows_x32_31
  14.pak.xz".}.                                                              
####################################^Cexit

re @wbond 's comment, if you can't encrypt, that's fine. Preferred even, with the caveats:

  • don't have ST send info about the users' system in cleartext.
  • download the new package directly, not using a browser, and validate the signature on the package against a locally held key.

This is pretty basic practice, and well covered by existing package managers. If you can't duplicate this yourself (and I'm not sure why you'd want to) then prefer to distribute your software from repositories using apt, yum, homebrew and the like, that have this functionality.

I actually prefer HTTP over HTTPS for this sort of thing because it's cacheable, though the associated signing and key management issues are not trivial if you choose to build them yourself.

I haven't noticed a lot of other developers having trouble using OpenSSL. There are of course security issues with it from time to time, but if you use a separately installed library, that's not your responsibility, and statically linking OpenSSL makes the problem considerably worse, as it's hard for users to know what version of OpenSSL they are running, and it requires you to update your software when OpenSSL has an issue (and the current mechanism for that doesn't make it particularly likely that users will do that promptly).
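
As an added illustration (not part of the thread and not Sublime Text's code), the Python sketch below uses the capture above to show which query fields travel in cleartext and to check that a received response only names expected HTTPS hosts. The pinned host set and the function names are assumptions, and host pinning is a weaker control than the signature validation suggested in the comment.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the hosts seen in the capture are the only legitimate ones.
PINNED_HOSTS = {"www.sublimetext.com", "download.sublimetext.com"}

# Constructed samples: request target and abridged response from the capture.
REQUEST_TARGET = ("/updates/3/stable/updatecheck"
                  "?version=3114&platform=linux&arch=x64&r=1&m=gw7W")
RESPONSE = """{
    "latest_version": 3114,
    "update_url": "https://www.sublimetext.com/3",
    "manifest_host": "www.sublimetext.com",
    "update_host": "download.sublimetext.com",
    "manifest_path_osx": "/_pak/sublime_text_osx_3114.manifest.xz",
    "update_path_osx": "/sublime_text_osx_3114.pak.xz"
}"""


def leaked_fields(target):
    """Query parameters an on-path observer can read from the HTTP request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def audit_response(body, pinned=PINNED_HOSTS):
    """Return findings; an empty list means only pinned HTTPS hosts are named."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    findings = []
    url = urlsplit(str(doc.get("update_url", "")))
    if url.scheme != "https":
        findings.append("update_url is not https")
    if url.hostname not in pinned:
        findings.append(f"update_url host not pinned: {url.hostname}")
    for key, value in doc.items():
        if key.endswith("_host") and (not isinstance(value, str)
                                      or value not in pinned):
            findings.append(f"{key} not pinned: {value!r}")
        if "_path_" in key and (not isinstance(value, str)
                                or not value.startswith("/")
                                or ".." in value.split("/")):
            findings.append(f"{key} is not a plain absolute path: {value!r}")
    return findings
```
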

Member

wbond commented Jun 17, 2016

We never download the package for you on Linux, and all package downloads happen over TLS.

We are different than most Linux software in that we don't build 14 different variations for every distro and their preferred version of OpenSSL.

As I mentioned in my previous comment, I am intending to address not using TLS for update checks on Linux. I don't have an ETA, however.

Member

wbond commented Jun 17, 2016

In terms of statically linking OpenSSL with Python, there is no reasonable other option for any of the platforms:

  • Windows does not ship OpenSSL
  • OS X ships an ancient, broken, unsupported version of 0.9.8
  • Different distros of Linux ship different versions, some with different lib names (libssl0.9.8, libssl1.0.0, libssl10) with 1.1.0 being added to the mix soon. The only way to deal with this would be to use dlopen(), but I'm not going to patch Python's _ssl.c without peer review.

mc0e commented Jun 17, 2016

Yes, Windows is deeply problematic. I prefer to have nothing to do with it. You have little choice but to deal with it though, so you're probably stuck with rolling a release whenever a security issue crops up in OpenSSL, or depending on an intermediary library which takes on this task of tracking OpenSSL.

Is the problem easier if you go via a library like libcurl which presumably already deals with the range of OpenSSL versions, and covers most (probably all?) of your target platforms?

The security problems with statically linking OpenSSL are a big deal. Your software is running on privileged systems behind firewalls, often with wide-ranging access to the infrastructure of various organisations where developers work. How quickly are you going to be able to release new versions when security issues arise? Are you going to cease distributing the older vulnerable versions? Are you going to issue security alerts to your users?

cirrusUK commented Dec 21, 2016

merge 127.0.0.1 www.sublimetext.com into /etc/hosts
or
merge 0.0.0.0 www.sublimetext.com into /etc/hosts

VaelVictus commented Dec 22, 2016

Thanks, Cirrus! That fix seems to be working for over 24 hours now.

thrift24 commented Jan 5, 2017

I just had to register a GitHub account to chime in.

I uninstalled the software over this issue. Had this been done in any sensible way I very well may have decided to purchase a license; instead this software is trying to hold users hostage with 90s era nagware. No thanks.

This software does not respect the user.

Member

wbond commented Jan 5, 2017

Just to reiterate – if you purchase a license, you can install whatever build you want and disable update checks.

If you are just trying the software, you need to use the latest beta or dev build, or deal with update checks.

If you haven't purchased a license and the update notice is to the point of getting annoying, it may be time to buy a license. I mean honestly, you'll be seeing the Purchase popup far more frequently…

thrift24 commented Jan 5, 2017

Clearly you've missed my use case as I have never seen a purchase pop up (not that I would have been much more excited for that), but I have seen the upgrade pop-up 20 or so times.

Basically I installed this software probably a year ago on the Windows side of a dual boot machine. I run a Linux environment on that machine some 99% of the time where I am more than happy with the available cli editors. Today I was in Windows and wanted to edit several files, so I opened them in your software to be immediately distracted by this upgrade pop up. Look, I'm sure your updates are really great, but it's the only software I've ever used that gives me a pop-up over updating with no way to disable it... I'm trying to get some simple stuff done, I don't care about your update. I don't keep an editor running, so as I close the software and reopen other files I am continuously smacked with this pop-up until I got distracted from what I was doing, found the setting to disable auto update, noticed it didn't work, found it was due to a license, and was about to update my hosts file to block your site when I realized that I have no need for software that was designed this way. There's a million editors out there, so I'll go use one that respects me enough to talk to me about upgrading when I download a new copy for another machine... Which hasn't happened because I don't use your software frequently... and now never will.

Do whatever you want, but there are some users who have no problem with paying for software when approached properly, but this is the antithesis of the proper way to do that.

VaelVictus commented Jan 5, 2017

> you need to use the latest beta or dev build, or deal with update checks.

I'll buy a license if you can prove why this is necessary, and not some arbitrary decision you've made that coincidentally happens to further encourage purchasing licenses. That is: tell me why an unlicensed user should have to deal with the update notice. What good it does anyone but yourself, that an unlicensed user cannot turn the update notice off if they don't wish to update.

Member

wbond commented Jan 5, 2017

@VaelVictus New betas are released about once every three months or so. It isn't like you are on an upgrade treadmill. You should really only ever have to install one new version during most evaluation periods. It takes a very short amount of time to apply the upgrade.

I didn't write the update check or restrictions, but it seems pretty obvious to me this is not about forcing people to pay – otherwise there wouldn't be an open-ended evaluation period on the product. I'll leave it to your imagination as to why an evaluation user would want to not evaluate the newest build of Sublime Text, but instead stay on an old, out-dated version.

Anyway, this issue tracker isn't really a discussion forum. This issue has been closed indicating why update_check does not appear to work for some users. If anyone wants to discuss further thoughts about the issue, https://forum.sublimetext.com/ probably makes more sense.

bhartvigsen commented Sep 15, 2017

> Unlicensed copies do not have the ability to turn off update checks.

You just lost a paid user for life.

tluanga34 commented Oct 3, 2017

I just fixed it for myself by installing the latest build manually from here: https://www.sublimetext.com/3.

For Linux users, replace the files inside the /opt/sublime_text/ directory with the ones downloaded.

@SublimeTextIssues SublimeTextIssues locked and limited conversation to collaborators Oct 3, 2017
