Hacker News

Even with a proper certificate check, downloading and running a remote executable is by definition an RCE vulnerability.

Syncthing does this too (though presumably with a certificate check). Automatic unattended autoupdate is logically indistinguishable from a RAT/trojan.



> Even with a proper certificate check, downloading and running a remote executable is by definition an RCE vulnerability.

It literally is not.


> Even with a proper certificate check, downloading and running a remote executable is by definition an RCE vulnerability.

I have to disagree here; the vulnerability part is that it can be exploited by a third party. Auto-update itself isn’t really an RCE vulnerability because the party you get the software from has to be trusted anyways.


> the party you get the software from has to be trusted anyways.

Which is a big problem in itself, that's rarely talked about in such terms.

Me getting some software only means I trust the party I got it from at that moment of time, for that particular version of the software. It doesn't imply I trust that party indefinitely. This is the reason why so many people hate automatic updates (and often disable them when possible): they don't trust the vendor beyond the point of initial installation. They don't trust the vendor won't screw them up with UX "improvements" or license changes or countless other things that actively make users' life miserable.

Think about Windows and Microsoft. You can't at the same time say you don't trust them because of their track record of screwing with their users and enshittifying their products, and at the same time, say they're a trusted first party in your Windows installation. They aren't - they can and will screw you over with some update.

In this sense, it's not a stretch to compare unattended updates with an RCE vulnerability. Just because the attacker is the product vendor doesn't mean they're not going to pwn your machine and make you miserable. And just because their actions are legal doesn't make them less painful.


Clicking "Yes" on a "Do you want to upgrade to the latest version?" is not fundamentally different.


> Automatic unattended autoupdate is logically indistinguishable from a RAT/trojan.

What about: the same people do the automatic unattended autoupdate that you downloaded the original program from, or not?


Does it matter? Do you consider them a trusted party indefinitely?

Think at the scale of years, and think of e.g. Microsoft or Adobe when pondering this question.


Then just turn it off. qBT isn't windows, it doesn't demand autoupdate.

That said, you really shouldn't be running outdated torrent clients, like any network-connected programs. Case in point - the topic of this thread.


As others already have pointed out, people can change and trusting them during installation doesn't mean you want to have to trust those same people for as long as you use the software.

But also, SSL certificates don't certify the people you are connecting to but instead certify control over a domain which can change hands for various reasons.


Absolutely not. GitHub is usually used as a CDN for updates distributed in binary form; it is run by Microsoft.

If I download source and build and run it, and it downloads binaries from Microsoft and runs those, that isn’t remotely “the same people”.


WordPress guy did just that: he had a store/storage/registry for WordPress plugins, 'forked' someone else's plugin, and started to serve 'his fork' as an update, under the same name and URL ( https://news.ycombinator.com/item?id=41888808 )

Autoupdate is not good, especially with malicious actors between the user and the developer, which you can't really eliminate. Still, it is not literally the same as a trojan.



