the updater is self updating

but then doesn't this mean that parent^4's point is still valid? i.e.

  > What if an update silently breaks the update process? Hrm!

If the updater is self updating an update may break it so that no further updates are possible.

Sorry for slow response. I sure wish HN would mail me when people comment.

Sure, the updater can break itself. But in practice, you rarely update the updater because the majority of the features you might want to update are in the app, not the updater.

So you update the updater very rarely and cautiously, and you update the app quickly and fearlessly. It's not 100% foolproof, but it's a lot better than the alternative: Any crash bug anywhere in the application having the capacity to disable updates.