Hi,

First thanks for your answer.

I'm currently thinking about a new deployment tool software for Microsoft
systems (XP/Vista/7) like WPKG but with the following functions:
- Installed directly as a Windows service (no cscript)

Well, there is actually not a big difference. Any service is at the end just a
program. If you hard-code the whole functionality into a service or use
"cscript.exe" (or any wrapper of it) as a service does not matter much for
Windows.

A big drawback of a monolithic service is the update. Currently the client side
installation is quite "dumb" and static in terms of functionality. WPKG allows
extension of functionality by just replacing wpkg.js on server side with another
version. No upgrade on client side required to add functionality for new
concepts like LDAP support or similar.

In case of a monolithic service you would have to update the service itself much
more often. Updating a program itself is always a special task which is prone to
errors - often just limited by the fact that you cannot simply replace a binary
which is currently running.
Sure update mechanisms can be put in place but if it fails you might lose the
"connection" to the client which requires you to manually fix clients. And
manually is exactly what you don't want to have when using a system like WPKG.

Moreover such a service would have to be compatible with all supported OS. So
you might have to compile it using multiple technologies (.NET 2.0/3.5/4.0?
C/C++?) and make it work on all Windows editions. This can be a pretty tough job
to maintain regarding all the "messy" machines out there running broken runtime
libraries etc.
Moreover it would require some "bootstrapping". So all systems would require a
certain level of software stack before applying such a system. Sure you can
include all these dependencies in your installer but it makes it harder to
maintain it.
With WPKG you can start from a clean XP system (even without any SP) and run
WPKG which will upgrade all components in one shot.

Such things might get easier if you limit the support to "more modern" systems.
Like limiting from the beginning that you will support Vista and Windows 7 (and
their server counterparts) only. In such case you can even rely on .NET,
PowerShell etc.

I agree about this point. My idea is to allow the update over the internet; that is why I prefer operation only via HTTP. It must still be possible to use wpkg.js locally on the computer.

- Retrieve the list of the packages to be installed on the computer from an HTTP
server (a PHP script that queries an LDAP directory to choose a database or xml
file like Profiles.xml). The description of the packages could be an XML file
whose format is identical to WPKG.

WPKG already supports reading profiles.xml, packages.xml and hosts.xml from HTTP
server.

Ok.
I need to check this point.

- Retrieving of files (installation programs) from an HTTP server

WPKG supports download feature. However downloading installers via HTTP also
requires another component in the whole system (the HTTP server) and imposes
more issues like verifying download, when and how to cleanup downloaded files 
etc.
Personally I think fetching files from SMB/CIFS/SMB2 shares which are natively
supported by Windows is more stable.

I want to allow update over internet so no SMB/CIFS/SMB2.

- Signing packages and files to ensure they have not been altered and nobody uses
this tool to install other software.

This is a very valid point. I already spent a couple of hours thinking about
this. Unfortunately it's very inefficient to implement checksum/signatures in
pure WSH scripting. Verifying the signatures of installers requires to download
all files and verify the signature while some modern installers will not
download all files if the custom setup does not require these files to be read.
So signatures could slow down deployment.
However it's true that currently a WPKG-enabled system can be cheated quite
easily to just connect to a "fake server" making it download and install
software updates from some intruder system.

To prevent this it would require:
- WPKG client to verify wpkg.js signature (and/or verify identity of WPKG
   server)
- wpkg.js to verify signatures of each installer and related files
   ->  The only way I know to do this efficiently is to use external hashing tools

Maybe it's possible to develop a tool called by wpkg.js to verify the signature? So the WPKG client verifies the wpkg.js signature, and for each package to install wpkg.js calls the specific tool, which verifies whether the signature is correct?

- Sends the installation state through the HTTP server (a PHP script that stores
information in a DB)

WPKG writes the current state of installation into local wpkg.xml and also into
the logs.
Logs shall be written to some writable share anyway and can be analyzed.
Alternatively a simple WPKG package which uploads wpkg.xml to the server for
server-side analysis is also described in the wiki. I think WPKGExpress also
supports showing client status on a web interface already.

I also need to check this point.

The tool is divided into two parts. The service running on the computer and the
script in PHP.

Sounds like WPKGExpress (or the former WPKG-WEB).

Not exactly. In fact, in my first view there are 3 parts: the Windows service, the PHP script called by the Windows service to retrieve the list of packages to install for the specific computer and also update the computer state (last sync, last boot, ...), and another tool like WPKGExpress.


The advantages I see in that new tools would include:
- Securing the installation packages

As I said this might be difficult to achieve using pure WSH.


- Access to the installation status of packages in real time on computers

->  WPKGExpress


- Ability to work with LDAP

Since quite a while there is a modded wpkg.js with some LDAP support. It seems
to be well-supported recently by Daniel Dehennin. However LDAP is still used by
a minor user base of WPKG. Supporting features used by minorities always brings
the risk of breaking something for the majority.

With my idea of a PHP script dedicated to providing the list of packages to install for the specific computer, it's possible to have multiple addons (one that reads information from LDAP, another that reads from a MySQL database and another from a profiles.xml file). With this everyone has the choice, with less impact on the main source code.

Anyway, you might be interested in:
<http://bugzilla.wpkg.org/show_bug.cgi?id=118>

I will check this.

Thank you for your feedback and sorry for my bad English.

Nobody is perfect ;) I am not a native English speaker either but I always hope
the community will understand most of my words...

Your English is better than mine :-)

br,
Rainer

Thanks for your feedback.

Regards,
--
Olivier LARRIGAUDIERE
-------------------------------------------------------------------------
wpkg-users mailing list archives >> http://lists.wpkg.org/pipermail/wpkg-users/
_______________________________________________
wpkg-users mailing list
wpkg-users@lists.wpkg.org
http://lists.wpkg.org/mailman/listinfo/wpkg-users
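
A sketch of the external verification tool discussed in this thread, added here as an example; it is not code from WPKG or from either poster. It assumes a hypothetical JSON manifest (file name to SHA-256) signed with Ed25519, runs under Node.js rather than WSH, and names such as `verifyPackage` are illustrative. Signing one small manifest means only the files actually listed need to be hashed.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// SHA-256 of a file, read in 1 MiB chunks so large installers stay out of memory.
function sha256File(file) {
  const hash = crypto.createHash('sha256');
  const fd = fs.openSync(file, 'r');
  const buf = Buffer.alloc(1 << 20);
  try {
    let n;
    while ((n = fs.readSync(fd, buf, 0, buf.length, null)) > 0) hash.update(buf.subarray(0, n));
  } finally { fs.closeSync(fd); }
  return hash.digest('hex');
}

// Check the manifest signature against the pinned public key first, then each file.
// Returns a list of problems; an empty list means the package may be installed.
function verifyPackage(manifestBytes, signature, publicKey, baseDir) {
  if (!crypto.verify(null, manifestBytes, publicKey, signature)) return ['manifest signature invalid'];
  const manifest = JSON.parse(manifestBytes.toString('utf8'));
  const root = path.resolve(baseDir) + path.sep;
  const problems = [];
  for (const [name, expected] of Object.entries(manifest.files)) {
    const file = path.resolve(baseDir, name);
    if (!file.startsWith(root)) problems.push(`${name}: path escapes package dir`);
    else if (!fs.existsSync(file)) problems.push(`${name}: missing`);
    else if (sha256File(file) !== expected) problems.push(`${name}: hash mismatch`);
  }
  return problems;
}

// Constructed demo: throwaway key pair and a fake installer in a temp directory.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'wpkg-demo-'));
  const installer = path.join(dir, 'setup.msi');
  fs.writeFileSync(installer, 'constructed installer bytes');
  const manifest = Buffer.from(JSON.stringify({ files: { 'setup.msi': sha256File(installer) } }));
  const sig = crypto.sign(null, manifest, privateKey);
  const clean = verifyPackage(manifest, sig, publicKey, dir);
  fs.appendFileSync(installer, 'X'); // file altered after the manifest was signed
  const tampered = verifyPackage(manifest, sig, publicKey, dir);
  const forged = verifyPackage(Buffer.from('{"files":{}}'), sig, publicKey, dir);
  fs.rmSync(dir, { recursive: true, force: true });
  return { clean, tampered, forged };
}
```

In a deployment the public key would ship with the client and the private key would stay off the HTTP server, so a fake server cannot produce a manifest the client accepts.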
