@@ -383,25 +383,29 @@ Therefore, application of updates needst to be performed in a manner that mainta
Requirements:
-**[REQ-UPDATES-0]:** Authenticity and integrity of upgrade package shall be verifiable using a cryptographic digital signature verification prior to installation.
-**[REQ-UPDATES-1]:** The product shall maintain a monotonic version counter or equivalent mechanism to prevent installation of updates with an older vulnerable version.
-**[REQ-UPDATES-2]:** If the product supports intentional rollback, this action shall require explicit authorisation and shall be based on separately versioned and signed rollback metadata.
-**[REQ-UPDATES-3]:** The product shall apply updates in an atomic manner such that incomplete or failed updates do not result in a partially updated state. In the event that an update cannot be completed successfully, the product shall automatically restore a previously operational software state, ensuring the product remains functional.
-**[REQ-UPDATES-5]:** The product shall inform the user about update availability if applicable.
-**[REQ-UPDATES-1]:** The product shall maintain a monotonic version counter or equivalent mechanism to prevent installation of updates with an older version.
-**[REQ-UPDATES-2]:** If the product supports intentional rollback, invoking action shall require explicit authorisation and shall be based on separately versioned and signed rollback metadata.
-**[REQ-UPDATES-3]:** The product shall provide a mechanism to restore the system operational state after a failed update.
-**[REQ-UPDATES-4]:** The product shall automatically recover from a failed update and resume operation if applicable.
-**[REQ-UPDATES-5]:** The product shall inform the system user about update availability if applicable.
-**[REQ-UPDATES-6]:** The product shall track the relevant component versions of the product and the managed devices if applicable.
-**[REQ-UPDATES-7]:** The product shall log start and finish of the update download if applicable.
-**[REQ-UPDATES-8]:** The product shall perform an automatic upgrade of the product and the managed devices if the operative context and the application design allows this to happen within the defined availability targets.
-**[REQ-UPDATES-9]:** The product shall provide a way for the system user to post-bone or desided the applicatoin schedule.
-**[REQ-UPDATES-10]:** Automatic updates shall be on by default, if applicable.
-**[REQ-UPDATES-9]:** The product shall provide a way for the system user to postpone or re-schedule the application update.
-**[REQ-UPDATES-10]:** Automatic updates shall be on by default if applicable.
These requirements are generally binding, and there is no low-medium-high tiering available.
The requirements [REQ-UPDATES-5], [REQ-UPDATES-6], [REQ-UPDATES-7] and [REQ-UPDATES-8] are conditional due to different operative management models.
The requirements REQ-UPDATES-4 to 8 and 10 are conditional due to different operative management and ownership models.
A cellphone that is connected to a corporate inventory management often has it's own update manager, and the device does not rely on the centralised control.
Similary in a modern cluster deployment, the application can not update itself, as the control is in the cluster, which makes the provisioning, scheduling and network shaping decisions for all applications ran in the same context.
Similary in a modern cluster deployment, the application can not update itself, as the control is in the cluster, which makes the provisioning, scheduling and network shaping decisions for all applications running in the same context.
Applying automatic updates are also subject to the operative environment design.
In some occasions, the cluster design does not have the capasity to provison the extra workload needed to make a seameless trasfer of application functions.
Distributed application design and delay lines built with buffers might tolerate partial downtime of individual components and services, but as the upgrade controller designs are not fully matured, the evaluation of upgrade structures needs to be left for the assessors.
> Example: The cluster design might not have the capasity to provison the extra workload needed to make a seameless trasfer of application functions as intentend by the product. Availability of the capasity might require coordination outside of the update automation.
Distributed application design and delay lines built with buffers might tolerate partial downtime of individual components and services, but as the workload scheduling control can be outside of the proruct context.
<mark>Add reference to operative model when moving to the new structure.</mark>