AW: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer
Hi Mike, exactly the same juergen -Ursprüngliche Nachricht- Von: Mike Kaganski [mailto:mike.kagan...@collabora.com] Gesendet: Freitag, 15. Dezember 2017 11:23 An: Juergen Funk Mailinglist <juergen.funk...@cib.de>; libreoffice@lists.freedesktop.org Betreff: Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote: > Hi Mike > >> 1. Creating a redirect at TDF side imposes additional load to our >> server infrastructure; 2. Users will depend on reliability of TDF >> servers wrt this (in terms of their state, correctness of the link, >> and also possible man-in-the-middle problems with modified links >> pointing to malware) - note that LO downloads themselves are served >> from multiple mirrors, but this kind of redirection can't work using >> mirrors > I have mean directly from Microsoft not from TDF. As I mentioned, there's no "Latest VS 2015 redist" static link on their side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding this specific version into installer. Also: at the time of creating the installer, we could possibly check that our embedded redist is ~current, so users would have reasonably low chance to get update request related to newly installed software (taking into account our rate of releases). OTOH, if a user chooses to download and install an out-of-date version, then it's not unexpected that, e.g., LibreOffice itself would warn about "newer version available"; so I don't see anything unexpected here on redist side as well. -- Best regards, Mike Kaganski ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice
AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer
Hi Mike >1. Creating a redirect at TDF side imposes additional load to our server >infrastructure; >2. Users will depend on reliability of TDF servers wrt this (in terms of their >state, correctness of the link, and also possible man-in-the-middle problems >with modified links pointing to malware) - note that LO downloads themselves >are served from multiple mirrors, but this kind of redirection can't work >using mirrors I have mean directly from Microsoft not from TDF. >3. Users would need internet connection at time of setup (which might not be >there: many download the installer, to bring it somewhere where there's no >Internet connection I think that is not a big problem, the most have an Internet connection (and many App can't install without connection), but when not the installer gives a hint (only when needed), and the user should install the redist. But any way, this is only a suggestion, and has also weakness (e. g. MS changes the link), the other case we have always up to date the vc_redist.exe. Best Juergen -Ursprüngliche Nachricht- Von: LibreOffice [mailto:libreoffice-boun...@lists.freedesktop.org] Im Auftrag von Mike Kaganski Gesendet: Freitag, 15. Dezember 2017 10:07 An: Juergen Funk Mailinglist <juergen.funk...@cib.de>; libreoffice@lists.freedesktop.org Betreff: Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer Hi Juergen, thanks for feedback! On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote: > this is a good idea, but I think the better way is, when the system need the > vc_redist then we "download" the new vc_redist.exe from MS and starting. > This has 2 advantage > - the LO msi would not be bigger > - we install always the up to date redist-dll's Well, the main problem here is that there's no "latest vc_redist.exe" static link on MS site. So, this approach is simply impossible without us creating a redirect on our side. And this would create additional problems: 1. Creating a redirect at TDF side imposes additional load to our server infrastructure; 2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors; 3. Users would need internet connection at time of setup (which might not be there: many download the installer, to bring it somewhere where there's no Internet connection). So this is just not an option - at least, this is much worse than suggestion to simply telling people to manually download and install the redistributable themselves, put on the download page. > In the current way it is possible you install older one of the dll's, and > after the LO installation it pop up the Windows-Update, that I think is a > little bit strange. No; this is absolutely normal - most softwares out there behave this way, so not different from usual. Of course, *if* your suggestion was possible to be implemented in a reasonable way, it would be best - but the downsides outweigh the benefit. -- Best regards, Mike Kaganski ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer
Hi Mike, *, On Fri, Dec 15, 2017 at 11:22 AM, Mike Kaganskiwrote: > On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote: > […] >> I have mean directly from Microsoft not from TDF. > > As I mentioned, there's no "Latest VS 2015 redist" static link on their > side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding > this specific version into installer. Even if there was one, I'd object against relying on having internet connectivity when installing. > Also: at the time of creating the installer, we could possibly check that > our embedded redist is ~current, the redistributables then being handled by windows update → that's not as critical as with the current method of shipping the dlls locally. > so users would have reasonably low chance > to get update request related to newly installed software (taking into > account our rate of releases). OTOH, if a user chooses to download and > install an out-of-date version, then it's not unexpected that, e.g., > LibreOffice itself would warn about "newer version available"; so I don't > see anything unexpected here on redist side as well. Agreed. ciao Christian ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer
On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote: Hi Mike 1. Creating a redirect at TDF side imposes additional load to our server infrastructure; 2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors I have mean directly from Microsoft not from TDF. As I mentioned, there's no "Latest VS 2015 redist" static link on their side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding this specific version into installer. Also: at the time of creating the installer, we could possibly check that our embedded redist is ~current, so users would have reasonably low chance to get update request related to newly installed software (taking into account our rate of releases). OTOH, if a user chooses to download and install an out-of-date version, then it's not unexpected that, e.g., LibreOffice itself would warn about "newer version available"; so I don't see anything unexpected here on redist side as well. -- Best regards, Mike Kaganski ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer
Hi Juergen, thanks for feedback! On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote: this is a good idea, but I think the better way is, when the system need the vc_redist then we "download" the new vc_redist.exe from MS and starting. This has 2 advantage - the LO msi would not be bigger - we install always the up to date redist-dll's Well, the main problem here is that there's no "latest vc_redist.exe" static link on MS site. So, this approach is simply impossible without us creating a redirect on our side. And this would create additional problems: 1. Creating a redirect at TDF side imposes additional load to our server infrastructure; 2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors; 3. Users would need internet connection at time of setup (which might not be there: many download the installer, to bring it somewhere where there's no Internet connection). So this is just not an option - at least, this is much worse than suggestion to simply telling people to manually download and install the redistributable themselves, put on the download page. In the current way it is possible you install older one of the dll's, and after the LO installation it pop up the Windows-Update, that I think is a little bit strange. No; this is absolutely normal - most softwares out there behave this way, so not different from usual. Of course, *if* your suggestion was possible to be implemented in a reasonable way, it would be best - but the downsides outweigh the benefit. -- Best regards, Mike Kaganski ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice
AW: tdf#108580: integrate vc_redist.exe into Windows installer
Hi Mike, this is a good idea, but I think the better way is, when the system need the vc_redist then we "download" the new vc_redist.exe from MS and starting. This has 2 advantage - the LO msi would not be bigger - we install always the up to date redist-dll's In the current way it is possible you install older one of the dll's, and after the LO installation it pop up the Windows-Update, that I think is a little bit strange. In the unattended installation, I think that is okay, the admin should only inform, what he need for running the LO Best Juergen PS.: it is possible, that email would be block from list.freedesktop.org, all spam goes but mine always block, that life -Ursprüngliche Nachricht- Von: LibreOffice [mailto:libreoffice-boun...@lists.freedesktop.org] Im Auftrag von Mike Kaganski Gesendet: Mittwoch, 13. Dezember 2017 14:02 An: libreoffice@lists.freedesktop.org Betreff: tdf#108580: integrate vc_redist.exe into Windows installer Hi! Some time ago, we had a ESC decision [1] to use a workaround for bug 108580 [2] about problem with VCRedist, which stopped to install essential part of libraries on Windows Vista and above (currently affected are Win7, Win8, and Win8.1), which was done in 71d9a61302e65fe091cf70c13fa72b3df09b7e3a [3], and "for 6.0 do something clever". Here is the proposal [4] that pretends to be clever :) The following is essentially a copy-paste from the patch commit message: Since commit 71d9a61302e65fe091cf70c13fa72b3df09b7e3a, we use a workaround described at [5] as "App-local deployment of the Universal CRT". We just copy all UCRT DLLs to LibreOffice/program. This has a drawback though, that our UCRT is not updated by Windows Update, so users would rely on LibreOffice updates in case of some vulnerabilities in UCRT (and they could even not realize they have that problem). MS recommends to install UCRT using EXEs they provide from their site. The EXEs install both VCRuntimes and UCRTs, along with required patches, for all Windows versions (Windows XP through Windows 10, where they only install VCRuntimes); the installed libraries are managed by system's update mechanism. But those EXEs cannot be used in MSI custom actions inside InstallExecuteSequence, because they use MSI themselves. So this patch integrates the vc_redist.xXX.exe into MSI binary table, and uses custom action to run the EXE after ExecuteAction in InstallUISequence. This will show the user a VCRedist install window after the main LibreOffice installation finishes; no user interaction is required (except one more UAC request), and errors are ignored. Since this installation takes care of both VCRuntime and UCRT, we can ultimately drop both the app-local workaround, and vcredist merge module (so VCRuntime would also be updated by system). This has its drawback: if one wants to use unattended installation (without UI; one example is deployment using ActiveDirectory GPO), then InstallUISequence is not run, and so VCRedist isn't installed. In this case, one should install VCRedist separately. Supposedly this should not be huge problem, because this is the case for many existing applications that need separate VCRedist deployment in these scenarios. Please share your opinions. Is this change viable? The patch itself IMO needs some polish: I suppose that we should remove redundant workaround (and possibly even merge module bits) if we accept it. But it is in working state, so testing is possible. [1] https://lists.freedesktop.org/archives/libreoffice-qa/2017-November/010300.html [2] https://bugs.documentfoundation.org/show_bug.cgi?id=108580 [3] https://cgit.freedesktop.org/libreoffice/core/commit/?id=71d9a61302e65fe091cf70c13fa72b3df09b7e3a [4] https://gerrit.libreoffice.org/46356 [5] https://blogs.msdn.microsoft.com/vcblog/2015/03/03/introducing-the-universal-crt/ -- Best regards, Mike Kaganski ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice