Updating software seems, at first sight, to be a simple task: you just need to overwrite some files with new copies. But then your engineer's training kicks in as you begin to realize all the things that could go wrong. What if the power goes down partway through the update? What if a bug, not seen while testing the update, renders a fraction of the deployed devices unbootable? What if a third party sends a fake update that enlists your device in a botnet? At the very least, the software update mechanism must be:
- Robust, so that an update does not render the device unusable
- Fail-safe, so that there is a fall-back mode if all else fails
- Secure, so that only updates that come from the legitimate source are accepted, and the device cannot be hijacked by someone installing unauthorized code
In other words, we need a system that is not susceptible to Murphy's law, which states that if something can go wrong, then...
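To make the three requirements concrete, here is an added example (not code from the book or from any real update system) of a toy A/B update mechanism on the local filesystem. The two image slots, the JSON state file, the boot-attempt limit and the manifest format are all assumptions of this example; the firmware payload is constructed. The digest in the manifest is only worth checking because the manifest is assumed to arrive under a vendor signature verified before this code runs, which is not shown because standard-library Python has no public-key primitives. Robustness comes from writing only the inactive slot through a temp-file-plus-rename commit, fail-safety from a boot counter that abandons an image that never confirms itself, and the security check from refusing any image whose digest does not match before a single byte is written.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

BOOT_ATTEMPT_LIMIT = 3  # boots a pending image gets before the device rolls back


class UpdateError(Exception):
    """Update rejected (bad digest) or interrupted (simulated power loss)."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def atomic_write(path: Path, data: bytes, fail_after=None) -> None:
    """Temp file + fsync + rename: a reader sees the old file or the new one, never a torn one."""
    tmp = path.with_name(path.name + ".tmp")
    with open(tmp, "wb") as f:
        if fail_after is not None and fail_after < len(data):
            f.write(data[:fail_after])  # power goes down here: fragment left in .tmp, target untouched
            raise UpdateError(f"power loss after {fail_after} bytes")
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


class Device:
    """Two image slots (a, b) plus a state file under `root`. Assumed layout, not a real bootloader."""

    def __init__(self, root: Path) -> None:
        self.root = root
        (root / "slots").mkdir(parents=True, exist_ok=True)
        self.state_path = root / "state.json"
        if not self.state_path.exists():
            self._save({"active": "a", "pending": None, "boot_attempts": 0})

    def _load(self) -> dict:
        return json.loads(self.state_path.read_bytes())

    def _save(self, state: dict) -> None:
        atomic_write(self.state_path, json.dumps(state).encode())

    def slot_path(self, slot: str) -> Path:
        return self.root / "slots" / f"{slot}.img"

    def install(self, image: bytes, manifest: dict, fail_after=None) -> None:
        """Secure: verify before writing. Robust: write only the inactive slot, commit by rename."""
        # The digest is trusted only because the manifest is assumed to carry a vendor signature
        # verified before this point (not shown here); the compare is constant-time.
        if not hmac.compare_digest(sha256_hex(image), manifest["sha256"]):
            raise UpdateError("image digest does not match manifest; update rejected")
        state = self._load()
        slot = "b" if state["active"] == "a" else "a"
        atomic_write(self.slot_path(slot), image, fail_after)  # the active slot is never touched
        state.update(pending=slot, boot_attempts=0)
        self._save(state)

    def boot(self) -> str:
        """Fail-safe: a pending image gets BOOT_ATTEMPT_LIMIT tries, then the known-good slot wins."""
        state = self._load()
        if state["pending"] is None:
            return state["active"]
        if state["boot_attempts"] >= BOOT_ATTEMPT_LIMIT:
            state.update(pending=None, boot_attempts=0)  # never confirmed: abandon the new image
            self._save(state)
            return state["active"]
        state["boot_attempts"] += 1
        self._save(state)
        return state["pending"]

    def confirm(self) -> None:
        """Called by the new image once it has booted and passed its own health checks."""
        state = self._load()
        if state["pending"] is not None:
            state.update(active=state["pending"], pending=None, boot_attempts=0)
            self._save(state)


def run_scenarios(root=None) -> dict:
    """Constructed walk-through of the failure modes named in the text; returns what happened."""
    dev = Device(root or Path(tempfile.mkdtemp()))
    image = b"firmware v2 " * 64  # constructed payload
    manifest = {"version": 2, "sha256": sha256_hex(image)}
    results = {}
    try:  # 1. one flipped byte, same manifest: rejected before anything is written
        dev.install(b"X" + image[1:], manifest)
    except UpdateError as e:
        results["tampered_rejected"] = "rejected" in str(e)
    try:  # 2. power loss mid-write: no b.img, nothing pending, slot a still boots
        dev.install(image, manifest, fail_after=100)
    except UpdateError:
        pass
    results["after_power_loss"] = (dev.boot(), dev.slot_path("b").exists())
    dev.install(image, manifest)  # 3. new image never confirms (crashes on every boot)
    results["unconfirmed_boots"] = [dev.boot() for _ in range(BOOT_ATTEMPT_LIMIT + 1)]
    dev.install(image, manifest)  # 4. new image boots, passes checks, confirms: b becomes active
    dev.boot()
    dev.confirm()
    results["confirmed_active"] = dev.boot()
    return results
```

Running `run_scenarios()` shows the tampered image rejected with nothing written, the interrupted install leaving only a `.tmp` fragment while slot `a` still boots, the unconfirmed image booted three times and then abandoned, and the confirmed image promoted to active. On a real device the boot counter and slot selection live in the bootloader rather than in a JSON file, and `confirm()` is the application's job once its own health checks pass. Note also that a digest check gives integrity only: without a signature over the manifest, an attacker who can substitute the image can substitute the digest too, which is why the manifest is assumed to be signed in this example.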