> This ought to be the sort of thing that management is there to remind the developers of, but in practice it seems like the opposite is true.

In my experience, management does remind developers of this. Usually after an incident that ultimately boils down to management having incentivized everything else at the cost of good operational practices.

That used to be easy, until the security mafia entered the room with their anti-rollback requirements.

Yeah, In application programming over the air is frankly terrifying because when it goes bad it goes really bad.

I remember a firefox dev commenting that the updater code was the most dangerous part of the app to touch because if you break it, it's game over, you can't push a fix.

100%. How you manage updates and software configuration in general in remote embedded systems is near to my heart for the same reasons. I keep having to fight at work because none of my coworkers or management understand that outsourcing updates is basically hiring a third party to sometimes brick your equipment.

I already feel this with an app that only serves a few thousand people. Even with the paranoia I managed to mess up the updater once, a year+ later and still have people who haven't updated from that version.

Always good to have a few redundant systems to help with this. Minimum being some way to push alerts to specific versions.