AW: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-15 Thread Juergen Funk Mailinglist
Hi Mike,

exactly the same


juergen


-Original Message-
From: Mike Kaganski [mailto:mike.kagan...@collabora.com] 
Sent: Friday, December 15, 2017 11:23
To: Juergen Funk Mailinglist <juergen.funk...@cib.de>; 
libreoffice@lists.freedesktop.org
Subject: Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:
> Hi Mike
>
>> 1. Creating a redirect at TDF side imposes additional load to our 
>> server infrastructure;
>> 2. Users will depend on reliability of TDF servers wrt this (in terms 
>> of their state, correctness of the link, and also possible 
>> man-in-the-middle problems with modified links pointing to malware) - 
>> note that LO downloads themselves are served from multiple mirrors, 
>> but this kind of redirection can't work using mirrors
> I meant directly from Microsoft, not from TDF.

As I mentioned, there's no "Latest VS 2015 redist" static link on their side. 
Only "VS 2015 redist version X.Y.Z", which is the same as embedding this 
specific version into installer.

Also: at the time of creating the installer, we could possibly check that our 
embedded redist is ~current, so users would have reasonably low chance to get 
update request related to newly installed software (taking into account our 
rate of releases). OTOH, if a user chooses to download and install an 
out-of-date version, then it's not unexpected that, e.g., LibreOffice itself 
would warn about "newer version available"; so I don't see anything unexpected 
here on redist side as well.

--
Best regards,
Mike Kaganski
___
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice


AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-15 Thread Juergen Funk Mailinglist
Hi Mike

>1. Creating a redirect at TDF side imposes additional load to our server 
>infrastructure; 
>2. Users will depend on reliability of TDF servers wrt this (in terms of their 
>state, correctness of the link, and also possible man-in-the-middle problems 
>with modified links pointing to malware) - note that LO downloads themselves 
>are served from multiple mirrors, but this kind of redirection can't work 
>using mirrors

I meant directly from Microsoft, not from TDF.

>3. Users would need internet connection at time of setup (which might not be 
>there: many download the installer, to bring it somewhere where there's no 
>Internet connection)

I think that is not a big problem; most have an Internet connection (and 
many apps can't install without a connection), but when not, the installer gives a 
hint (only when needed), and the user should install the redist.

But anyway, this is only a suggestion, and it also has a weakness (e.g. MS 
changes the link); in the other case we always have an up-to-date vc_redist.exe.

Best 
Juergen

 

-Original Message-
From: LibreOffice [mailto:libreoffice-boun...@lists.freedesktop.org] On Behalf 
Of Mike Kaganski
Sent: Friday, December 15, 2017 10:07
To: Juergen Funk Mailinglist <juergen.funk...@cib.de>; 
libreoffice@lists.freedesktop.org
Subject: Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Juergen,

thanks for feedback!

On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote:
> this is a good idea, but I think the better way is, when the system needs the 
> vc_redist, then we "download" the new vc_redist.exe from MS and start it.
> This has 2 advantages
>   - the LO msi would not be bigger
>   - we always install the up-to-date redist DLLs

Well, the main problem here is that there's no "latest vc_redist.exe" 
static link on MS site. So, this approach is simply impossible without us 
creating a redirect on our side. And this would create additional problems:

1. Creating a redirect at TDF side imposes additional load to our server 
infrastructure;
2. Users will depend on reliability of TDF servers wrt this (in terms of their 
state, correctness of the link, and also possible man-in-the-middle problems 
with modified links pointing to malware) - note that LO downloads themselves 
are served from multiple mirrors, but this kind of redirection can't work 
using mirrors;
3. Users would need internet connection at time of setup (which might not be 
there: many download the installer, to bring it somewhere where there's no 
Internet connection).

So this is just not an option - at least, this is much worse than suggestion to 
simply telling people to manually download and install the redistributable 
themselves, put on the download page.

> In the current way it is possible that you install an older one of the DLLs, and 
> after the LO installation Windows Update pops up; that, I think, is a 
> little bit strange.

No; this is absolutely normal - most softwares out there behave this way, so 
not different from usual. Of course, *if* your suggestion was possible to be 
implemented in a reasonable way, it would be best - but the downsides outweigh 
the benefit.

--
Best regards,
Mike Kaganski


Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-15 Thread Christian Lohmaier
Hi Mike, *,

On Fri, Dec 15, 2017 at 11:22 AM, Mike Kaganski wrote:
> On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:
> […]
>> I meant directly from Microsoft, not from TDF.
>
> As I mentioned, there's no "Latest VS 2015 redist" static link on their
> side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding
> this specific version into installer.

Even if there was one, I'd object against relying on having internet
connectivity when installing.

> Also: at the time of creating the installer, we could possibly check that
> our embedded redist is ~current,

the redistributables then being handled by windows update → that's not
as critical as with the current method of shipping the dlls locally.

> so users would have reasonably low chance
> to get update request related to newly installed software (taking into
> account our rate of releases). OTOH, if a user chooses to download and
> install an out-of-date version, then it's not unexpected that, e.g.,
> LibreOffice itself would warn about "newer version available"; so I don't
> see anything unexpected here on redist side as well.

Agreed.

ciao
Christian


Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-15 Thread Mike Kaganski

On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:
> Hi Mike
>
>> 1. Creating a redirect at TDF side imposes additional load to our server 
>> infrastructure;
>> 2. Users will depend on reliability of TDF servers wrt this (in terms of their 
>> state, correctness of the link, and also possible man-in-the-middle problems 
>> with modified links pointing to malware) - note that LO downloads themselves 
>> are served from multiple mirrors, but this kind of redirection can't work using 
>> mirrors
>
> I meant directly from Microsoft, not from TDF.


As I mentioned, there's no "Latest VS 2015 redist" static link on their 
side. Only "VS 2015 redist version X.Y.Z", which is the same as 
embedding this specific version into installer.


Also: at the time of creating the installer, we could possibly check 
that our embedded redist is ~current, so users would have reasonably low 
chance to get update request related to newly installed software (taking 
into account our rate of releases). OTOH, if a user chooses to download 
and install an out-of-date version, then it's not unexpected that, e.g., 
LibreOffice itself would warn about "newer version available"; so I 
don't see anything unexpected here on redist side as well.


--
Best regards,
Mike Kaganski


Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-15 Thread Mike Kaganski

Hi Juergen,

thanks for feedback!

On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote:
> this is a good idea, but I think the better way is, when the system needs the vc_redist, 
> then we "download" the new vc_redist.exe from MS and start it.
> This has 2 advantages
>   - the LO msi would not be bigger
>   - we always install the up-to-date redist DLLs


Well, the main problem here is that there's no "latest vc_redist.exe" 
static link on MS site. So, this approach is simply impossible without 
us creating a redirect on our side. And this would create additional 
problems:


1. Creating a redirect at TDF side imposes additional load to our server 
infrastructure;
2. Users will depend on reliability of TDF servers wrt this (in terms of 
their state, correctness of the link, and also possible 
man-in-the-middle problems with modified links pointing to malware) - 
note that LO downloads themselves are served from multiple mirrors, but 
this kind of redirection can't work using mirrors;
3. Users would need internet connection at time of setup (which might 
not be there: many download the installer, to bring it somewhere where 
there's no Internet connection).


So this is just not an option - at least, this is much worse than 
suggestion to simply telling people to manually download and install the 
redistributable themselves, put on the download page.



> In the current way it is possible that you install an older one of the DLLs, and after 
> the LO installation Windows Update pops up; that, I think, is a little bit 
> strange.


No; this is absolutely normal - most softwares out there behave this 
way, so not different from usual. Of course, *if* your suggestion was 
possible to be implemented in a reasonable way, it would be best - but 
the downsides outweigh the benefit.


--
Best regards,
Mike Kaganski


AW: tdf#108580: integrate vc_redist.exe into Windows installer

2017-12-14 Thread Juergen Funk Mailinglist
Hi Mike,

this is a good idea, but I think the better way is, when the system needs the 
vc_redist, then we "download" the new vc_redist.exe from MS and start it.
This has 2 advantages 
 - the LO msi would not be bigger 
 - we always install the up-to-date redist DLLs

In the current way it is possible that you install an older one of the DLLs, and after 
the LO installation Windows Update pops up; that, I think, is a little bit 
strange.

In the unattended installation, I think that is okay, the admin should only 
inform, what he needs for running the LO

Best
Juergen

PS.: it is possible that this email will be blocked by list.freedesktop.org; all 
spam goes through but mine is always blocked, that's life


-Original Message-
From: LibreOffice [mailto:libreoffice-boun...@lists.freedesktop.org] On Behalf 
Of Mike Kaganski
Sent: Wednesday, December 13, 2017 14:02
To: libreoffice@lists.freedesktop.org
Subject: tdf#108580: integrate vc_redist.exe into Windows installer

Hi!

Some time ago, we had an ESC decision [1] to use a workaround for bug
108580 [2] about problem with VCRedist, which stopped to install essential part 
of libraries on Windows Vista and above (currently affected are Win7, Win8, and 
Win8.1), which was done in 71d9a61302e65fe091cf70c13fa72b3df09b7e3a [3], and 
"for 6.0 do something clever".

Here is the proposal [4] that pretends to be clever :) The following is 
essentially a copy-paste from the patch commit message:

Since commit 71d9a61302e65fe091cf70c13fa72b3df09b7e3a, we use a workaround 
described at [5] as "App-local deployment of the Universal CRT". We just copy 
all UCRT DLLs to LibreOffice/program. This has a drawback though, that our UCRT 
is not updated by Windows Update, so users would rely on LibreOffice updates in 
case of some vulnerabilities in UCRT (and they could even not realize they have 
that problem).

MS recommends to install UCRT using EXEs they provide from their site. 
The EXEs install both VCRuntimes and UCRTs, along with required patches, for 
all Windows versions (Windows XP through Windows 10, where they only install 
VCRuntimes); the installed libraries are managed by system's update mechanism. 
But those EXEs cannot be used in MSI custom actions inside 
InstallExecuteSequence, because they use MSI themselves.

So this patch integrates the vc_redist.xXX.exe into MSI binary table, and uses 
custom action to run the EXE after ExecuteAction in InstallUISequence. This 
will show the user a VCRedist install window after the main LibreOffice 
installation finishes; no user interaction is required (except one more UAC 
request), and errors are ignored.

Since this installation takes care of both VCRuntime and UCRT, we can 
ultimately drop both the app-local workaround, and vcredist merge module (so 
VCRuntime would also be updated by system).

This has its drawback: if one wants to use unattended installation (without UI; 
one example is deployment using ActiveDirectory GPO), then InstallUISequence is 
not run, and so VCRedist isn't installed. In this case, one should install 
VCRedist separately. Supposedly this should not be a huge problem, because this 
is the case for many existing applications that need separate VCRedist 
deployment in these scenarios.

Please share your opinions. Is this change viable?

The patch itself IMO needs some polish: I suppose that we should remove 
redundant workaround (and possibly even merge module bits) if we accept it. But 
it is in working state, so testing is possible.

[1]
https://lists.freedesktop.org/archives/libreoffice-qa/2017-November/010300.html
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=108580
[3]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=71d9a61302e65fe091cf70c13fa72b3df09b7e3a
[4] https://gerrit.libreoffice.org/46356
[5]
https://blogs.msdn.microsoft.com/vcblog/2015/03/03/introducing-the-universal-crt/

--
Best regards,
Mike Kaganski
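
The unattended-install gap described in the proposal above (InstallUISequence is skipped, so VCRedist has to be deployed separately), as an added example that is not part of the original thread or the LibreOffice patch: a PowerShell pre-flight an administrator could run before a silent rollout. It assumes the x64 VS 2015 redistributable; the staging path and function names are hypothetical.

```powershell
# Added example, not from the thread or the LibreOffice patch.
# Assumptions: x64 VS 2015 redist; the staging path below is hypothetical.
param(
    [string]$RedistPath = 'C:\Deploy\vc_redist.x64.exe',
    [string]$Arch = 'x64'
)
$ErrorActionPreference = 'Stop'

function Get-VCRuntimeVersion {
    param([string]$Arch)
    # VS 2015 and later redistributables record their state here; both
    # registry views are checked because the key may live under WOW6432Node.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\$Arch",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\VisualStudio\14.0\VC\Runtimes\$Arch"
    )
    foreach ($p in $paths) {
        $key = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($key -and $key.Installed -eq 1) { return $key.Version }
    }
    return $null
}

function Test-MicrosoftSignature {
    param([string]$Path)
    # A staged or downloaded EXE is only trusted if its Authenticode chain
    # validates AND the signer is Microsoft; any other valid publisher fails.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

$installed = Get-VCRuntimeVersion -Arch $Arch
if ($installed) {
    Write-Output "VC++ runtime $installed already installed; nothing to do."
    return
}
if (-not (Test-Path -LiteralPath $RedistPath)) {
    throw "Redistributable not found at ${RedistPath}"
}
if (-not (Test-MicrosoftSignature -Path $RedistPath)) {
    throw "Refusing to run ${RedistPath}: no valid Microsoft Authenticode signature"
}
# Silent install; assumes this script is itself running elevated.
$proc = Start-Process -FilePath $RedistPath -Wait -PassThru `
    -ArgumentList '/install', '/quiet', '/norestart'
# 0 = success, 3010 = success with reboot pending, 1638 = another version present
if ($proc.ExitCode -notin 0, 3010, 1638) {
    throw "vc_redist exited with code $($proc.ExitCode)"
}
Write-Output "VC++ runtime installed (exit code $($proc.ExitCode))."
```

The signature check covers the "modified links pointing to malware" concern raised in the thread for any copy of the redistributable that was fetched over the network rather than taken from the installer.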