Whenever the Chrome team releases a new version of the web browser to the stable channel, it highlights that the release will be rolled over time.

Yesterday's release of Chrome 63 Stable for the desktop for instance does so in the first paragraph on the Chrome Releases blog.

"The Chrome team is delighted to announce the promotion of Chrome 63 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks."

I asked myself for a long time why Google decides to roll out these releases over time. While I don't really mind if the release does not include security fixes, I do mind a staged roll out of a release if it does include security patches.

A staged roll out means, basically, that some Chrome installations won't be protected against attacks that target the patched vulnerabilities in the browser.

The update to Chrome 63 for the desktop has one critical vulnerability for instance, and five that are rated as high. This particular update fixes 37 security vulnerabilities according to Google's Chrome team.

Access to reports about the vulnerabilities is limited for most of them, but Google does list information about each vulnerability reported to the company by third-party researchers. This helps attackers, as Google reveals the component that is affected usually in the description.

Google Chrome is set to update automatically, but users can load chrome://settings/help at any time to run a manual check for updates.

Google does not prevent the installation of updates on desktop machines. This is not the case on Android where application updates may not be available for days or even weeks even if you go to the Google Play Store listing and hit the install button there, or check for updates manually.

A better way

Security updates should be made available to all Chrome installations immediately. A system similarly to Windows Updates might work in regards to making the update available. Microsoft releases security updates only on the second Tuesday of every month, but makes them available to all systems with automatic updates enabled right away.

Tip: Google changed the design of the chrome://flags page in the release, and also that of the Bookmarks Manager. You can restore the old design of the bookmarks manager for now by setting the preference chrome://flags/#enable-md-bookmarks to disabled, and restarting Chrome afterwards.

Closing Words

Security updates should be made available to all users in my opinion. While you do need the right infrastructure for that to ensure that updates are delivered to anyone right away, but Google should not have any issues with that.

I don't know why Google rolls out updates over time though; it could really be because it wants to reduce the load that updates cause by distributing these updates over days or weeks.