During the debacle of the Hub introducing malware to users machines ( see ’ Malware when installing Unity Hub ’ thread ), I was trying to work out how to prevent the Hub from auto-updating. Unfortunately as its not a frequent occurrence I wasn’t sure what the actual update process was. I seem to remember it informing you an update was available, but you still had to ok it.
Well this morning I see a notification in the Hub telling me its auto-downloaded the 3.1.1 update and will automatically install it after restarting the Hub and I have NO ability on my OWN machine to prevent this!
Now this is either an amazing coincidence or Unity have decided to push this out to everyone to try and cover any existing issues or threats within third party code used by the hub. Both of which would be terrible decisions!
Firstly if this was a coincidence, what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? The auto-update should have been disabled immediately the initial problem occurred and should not have been re-instated before providing the necessary reassurances and documentation to customers that the Hub is guaranteed to be safe.
If its the latter then again what the HELL is Unity doing allowing auto-updates to the Hub whilst they are supposedly meant to be performing a full audit of all third party code? I simply don’t believe they were able to perform such an audit in two days or less!
I honestly don’t understand Unity’s approach to this. I can certainly think of some very worrying reasons for pushing this update to everyone ( i.e. they already found potential threats during the auditing ), but maybe its as simple as just trying to make sure that anyone who happened to have installed the 3.1.0 are forced to update, but in doing so its forcing everyone with older versions ( i have 3.0.1) to update as well.
The fact that they’ve not announced this update or the reason for it is also worrying!
Finally to go back to my point of this post is that the one thing Unity MUST have done before pushing an update is to provide the user, its customers a means to opt-out of auto-updates. Especially with a piece of software that has been shown to not have been previously audited with regard to the third party code its installing on users machines.
