I forget where it is documented, but here is what happens: If you include the policy module(s), then anyone can install a replacement runtime that claims to be backward compatible with the one you install/tested against and your program will start using that "newer" one instead of the one you tested with. Makes it easier for future installations to "break" your setup (remember DLL-hell, anyone?).
If you don't include the policy module(s), and you take last year's ATL security update, and the runtime doesn't get updated somewhere in your build/delivery system, you break as well. Personally I have found that the risks associated with shipping the policy modules were less than the troubles caused by not shipping it, but others beg to differ. It is a decision you need to make in consultation with your QA team, realizing that if you take the policy modules you risk support costs or even security issues you will have zero control over in the future. Most QA people I know would argue against the policy modules given that information. -----Original Message----- From: Sascha Beaumont [mailto:sascha.beaum...@gmail.com] Sent: Monday, February 15, 2010 2:42 PM To: General discussion for Windows Installer XML toolset. Subject: [WiX-users] Microsoft merge modules and policy modules, what to include? Hi, Looking over http://blogs.msdn.com/astebner/archive/2007/02/13/building-an-msi-using-wix- v3-0-that-includes-the-vc-8-0-runtime-merge-modules.aspx I see the following note: <update date="2/11/2009"> Removed references to policy MSMs because the general recommendation is to not include policy MSMs when redistributing the VC runtime files. </update> We're distributing policy modules with our application (full module list below) - can anyone point me in the right direction as to where this "general recommendation" is documented? Or what problems including or excluding the policy modules may cause or solve? As a side note, can anyone confirm if any of the modules I'm including below are not required on particular operating systems? Specifically the last four which showed up during a dependency scan on a 3rd party library we use. We support Windows 2000/XP and later and from peeking inside the modules I can tell that GDIPlus is not installed on anything later than Windows 2000 but the others seem to have no such conditions. GDIPlus.msm VC_User_CRT71_RTL_X86_---.msm Microsoft_VC80_CRT_x86.msm policy_8_0_Microsoft_VC80_CRT_x86.msm Microsoft_VC80_MFC_x86.msm policy_8_0_Microsoft_VC80_MFC_x86.msm MSVCRT.MSM COMCAT.MSM MFC42.MSM MSVCIRT.MSM Cheers, Sascha ---------------------------------------------------------------------------- -- SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
