Recent DDoS attacks powered by embedded devices have finally discredited theold excuse that security is not important: security support (and thus softwareupdates) is suddenly a required feature. Often, physical access to these devices is limited and there is noadministrator who can fix issues manually. Thus, performing updates is anoperation with a critical design goal: Never brick the device! This talk gives an overview of the surprisingly complex requirements andcommon pitfalls for a generic update mechanism by comparing several existingapproaches. Also, our reasons for implementing (yet another) tool and thereasoning behind the design choices are explained. Using RAUC and other open source update tools as examples, requirements,limitations and possible pitfalls in the process of designing and implementinga redundancy and update infrastructure will be presented. You will also get abrief overview over RAUCs design and abstraction of the underlying system thatallows to manage both simple asymmetric setups consisting of a full system andan initramfs-based recovery system as well as complex setups with multipleroot filesystems, application and data storage partitions. * How to make updates atomic? * How to manage both simple and complex redundancy concepts? * How to allow secure and trusted updates? * How to schedule updates to a large number of devices?