tdf#108580: integrate vc_redist.exe into Windows installer

classic Classic list List threaded Threaded
8 messages Options
Mike Kaganski-2 Mike Kaganski-2
Reply | Threaded
Open this post in threaded view
|

tdf#108580: integrate vc_redist.exe into Windows installer

Hi!

Some time ago, we had a ESC decision [1] to use a workaround for bug
108580 [2] about problem with VCRedist, which stopped to install
essential part of libraries on Windows Vista and above (currently
affected are Win7, Win8, and Win8.1), which was done in
71d9a61302e65fe091cf70c13fa72b3df09b7e3a [3], and "for 6.0 do something
clever".

Here is the proposal [4] that pretends to be clever :)
The following is essentially a copy-paste from the patch commit message:

Since commit 71d9a61302e65fe091cf70c13fa72b3df09b7e3a, we use a
workaround described at [5] as "App-local deployment of the Universal
CRT". We just copy all UCRT DLLs to LibreOffice/program. This has a
drawback though, that our UCRT is not updated by Windows Update, so
users would rely on LibreOffice updates in case of some vulnerabilities
in UCRT (and they could even not realize they have that problem).

MS recommends to install UCRT using EXEs they provide from their site.
The EXEs install both VCRuntimes and UCRTs, along with required patches,
for all Windows versions (Windows XP through Windows 10, where they only
install VCRuntimes); the installed libraries are managed by system's
update mechanism. But those EXEs cannot be used in MSI custom actions
inside InstallExecuteSequence, because they use MSI themselves.

So this patch integrates the vc_redist.xXX.exe into MSI binary table,
and uses custom action to run the EXE after ExecuteAction in
InstallUISequence. This will show the user a VCRedist install window
after the main LibreOffice installation finishes; no user interaction is
required (except one more UAC request), and errors are ignored.

Since this installation takes care of both VCRuntime and UCRT, we can
ultimately drop both the app-local workaround, and vcredist merge module
(so VCRuntime would also be updated by system).

This has its drawback: if one wants to use unattended installation
(without UI; one example is deployment using ActiveDirectory GPO), then
InstallUISequence is not run, and so VCRedist isn't installed. In this
case, one should install VCRedist separately. Supposedly this should not
be huge problem, because this is the case for many existing applications
that need separate VCRedist deployment in these scenarios.

Please share your opinions. Is this change viable?

The patch itself IMO needs some polish: I suppose that we should remove
redundant workaround (and possibly even merge module bits) if we accept
it. But it is in working state, so testing is possible.

[1]
https://lists.freedesktop.org/archives/libreoffice-qa/2017-November/010300.html
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=108580
[3]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=71d9a61302e65fe091cf70c13fa72b3df09b7e3a
[4] https://gerrit.libreoffice.org/46356
[5]
https://blogs.msdn.microsoft.com/vcblog/2015/03/03/introducing-the-universal-crt/

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Jan-Marek Glogowski Jan-Marek Glogowski
Reply | Threaded
Open this post in threaded view
|

Re: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Mike,

Am 13.12.2017 um 14:02 schrieb Mike Kaganski:

[snip] how to integrate vc_redist into LO MSI

> This has its drawback: if one wants to use unattended installation
> (without UI; one example is deployment using ActiveDirectory GPO), then
> InstallUISequence is not run, and so VCRedist isn't installed. In this
> case, one should install VCRedist separately. Supposedly this should not
> be huge problem, because this is the case for many existing applications
> that need separate VCRedist deployment in these scenarios.
>
> Please share your opinions. Is this change viable?

I would prefer security updates and some unattended install hassle,
which is already well known from other applications.

Mentioning this "unattended install" problem in the release notes should
be enough to give an admin an idea how to fix the problem.

ATB

Jan-Marek
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Juergen Funk Mailinglist Juergen Funk Mailinglist
Reply | Threaded
Open this post in threaded view
|

AW: tdf#108580: integrate vc_redist.exe into Windows installer

In reply to this post by Mike Kaganski-2
Hi Mike,

this is a good idea, but I think the better way is, when the system need the vc_redist then we "download" the new  vc_redist.exe from MS and starting.
This has 2 advantage
 - the LO msi would not be bigger
 - we install always the up to date redist-dll's

In the current way it is possible you install older one of the dll's, and after the LO installation it pop up the Windows-Update, that I think is a little bit strange.

In the unattended installation, I think that is okay, the admin should only inform, what he need for running the LO

Best
Juergen

PS.: it is possible, that email would be block from list.freedesktop.org, all spam goes but mine always block, that life


-----Ursprüngliche Nachricht-----
Von: LibreOffice [mailto:[hidden email]] Im Auftrag von Mike Kaganski
Gesendet: Mittwoch, 13. Dezember 2017 14:02
An: [hidden email]
Betreff: tdf#108580: integrate vc_redist.exe into Windows installer

Hi!

Some time ago, we had a ESC decision [1] to use a workaround for bug
108580 [2] about problem with VCRedist, which stopped to install essential part of libraries on Windows Vista and above (currently affected are Win7, Win8, and Win8.1), which was done in 71d9a61302e65fe091cf70c13fa72b3df09b7e3a [3], and "for 6.0 do something clever".

Here is the proposal [4] that pretends to be clever :) The following is essentially a copy-paste from the patch commit message:

Since commit 71d9a61302e65fe091cf70c13fa72b3df09b7e3a, we use a workaround described at [5] as "App-local deployment of the Universal CRT". We just copy all UCRT DLLs to LibreOffice/program. This has a drawback though, that our UCRT is not updated by Windows Update, so users would rely on LibreOffice updates in case of some vulnerabilities in UCRT (and they could even not realize they have that problem).

MS recommends to install UCRT using EXEs they provide from their site.
The EXEs install both VCRuntimes and UCRTs, along with required patches, for all Windows versions (Windows XP through Windows 10, where they only install VCRuntimes); the installed libraries are managed by system's update mechanism. But those EXEs cannot be used in MSI custom actions inside InstallExecuteSequence, because they use MSI themselves.

So this patch integrates the vc_redist.xXX.exe into MSI binary table, and uses custom action to run the EXE after ExecuteAction in InstallUISequence. This will show the user a VCRedist install window after the main LibreOffice installation finishes; no user interaction is required (except one more UAC request), and errors are ignored.

Since this installation takes care of both VCRuntime and UCRT, we can ultimately drop both the app-local workaround, and vcredist merge module (so VCRuntime would also be updated by system).

This has its drawback: if one wants to use unattended installation (without UI; one example is deployment using ActiveDirectory GPO), then InstallUISequence is not run, and so VCRedist isn't installed. In this case, one should install VCRedist separately. Supposedly this should not be huge problem, because this is the case for many existing applications that need separate VCRedist deployment in these scenarios.

Please share your opinions. Is this change viable?

The patch itself IMO needs some polish: I suppose that we should remove redundant workaround (and possibly even merge module bits) if we accept it. But it is in working state, so testing is possible.

[1]
https://lists.freedesktop.org/archives/libreoffice-qa/2017-November/010300.html
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=108580
[3]
https://cgit.freedesktop.org/libreoffice/core/commit/?id=71d9a61302e65fe091cf70c13fa72b3df09b7e3a
[4] https://gerrit.libreoffice.org/46356
[5]
https://blogs.msdn.microsoft.com/vcblog/2015/03/03/introducing-the-universal-crt/

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Mike Kaganski-2 Mike Kaganski-2
Reply | Threaded
Open this post in threaded view
|

Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Juergen,

thanks for feedback!

On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote:
> this is a good idea, but I think the better way is, when the system need the vc_redist then we "download" the new  vc_redist.exe from MS and starting.
> This has 2 advantage
>   - the LO msi would not be bigger
>   - we install always the up to date redist-dll's

Well, the main problem here is that there's no "latest vc_redist.exe"
static link on MS site. So, this approach is simply impossible without
us creating a redirect on our side. And this would create additional
problems:

1. Creating a redirect at TDF side imposes additional load to our server
infrastructure;
2. Users will depend on reliability of TDF servers wrt this (in terms of
their state, correctness of the link, and also possible
man-in-the-middle problems with modified links pointing to malware) -
note that LO downloads themselves are served from multiple mirrors, but
this kind of redirection can't work using mirrors;
3. Users would need internet connection at time of setup (which might
not be there: many download the installer, to bring it somewhere where
there's no Internet connection).

So this is just not an option - at least, this is much worse than
suggestion to simply telling people to manually download and install the
redistributable themselves, put on the download page.

> In the current way it is possible you install older one of the dll's, and after the LO installation it pop up the Windows-Update, that I think is a little bit strange.

No; this is absolutely normal - most softwares out there behave this
way, so not different from usual. Of course, *if* your suggestion was
possible to be implemented in a reasonable way, it would be best - but
the downsides outweigh the benefit.

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Juergen Funk Mailinglist Juergen Funk Mailinglist
Reply | Threaded
Open this post in threaded view
|

AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Mike

>1. Creating a redirect at TDF side imposes additional load to our server infrastructure;
>2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors

I have mean directly from Microsoft not from TDF.

>3. Users would need internet connection at time of setup (which might not be there: many download the installer, to bring it somewhere where there's no Internet connection

I think that is not a big problem, the most have an Internet connection (and many App can't install without connection), but when not the installer gives a hint (only when needed), and the user should install the redist.

But any way, this is only a  suggestion, and has also weakness  (e. g. MS changes the link), the other case we have always up to date the vc_redist.exe.

Best
Juergen

 

-----Ursprüngliche Nachricht-----
Von: LibreOffice [mailto:[hidden email]] Im Auftrag von Mike Kaganski
Gesendet: Freitag, 15. Dezember 2017 10:07
An: Juergen Funk Mailinglist <[hidden email]>; [hidden email]
Betreff: Re: AW: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Juergen,

thanks for feedback!

On 12/14/2017 11:04 AM, Juergen Funk Mailinglist wrote:
> this is a good idea, but I think the better way is, when the system need the vc_redist then we "download" the new  vc_redist.exe from MS and starting.
> This has 2 advantage
>   - the LO msi would not be bigger
>   - we install always the up to date redist-dll's

Well, the main problem here is that there's no "latest vc_redist.exe"
static link on MS site. So, this approach is simply impossible without us creating a redirect on our side. And this would create additional
problems:

1. Creating a redirect at TDF side imposes additional load to our server infrastructure; 2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors; 3. Users would need internet connection at time of setup (which might not be there: many download the installer, to bring it somewhere where there's no Internet connection).

So this is just not an option - at least, this is much worse than suggestion to simply telling people to manually download and install the redistributable themselves, put on the download page.

> In the current way it is possible you install older one of the dll's, and after the LO installation it pop up the Windows-Update, that I think is a little bit strange.

No; this is absolutely normal - most softwares out there behave this way, so not different from usual. Of course, *if* your suggestion was possible to be implemented in a reasonable way, it would be best - but the downsides outweigh the benefit.

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Mike Kaganski-2 Mike Kaganski-2
Reply | Threaded
Open this post in threaded view
|

Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:
> Hi Mike
>
>> 1. Creating a redirect at TDF side imposes additional load to our server infrastructure;
>> 2. Users will depend on reliability of TDF servers wrt this (in terms of their state, correctness of the link, and also possible man-in-the-middle problems with modified links pointing to malware) - note that LO downloads themselves are served from multiple mirrors, but this kind of redirection can't work using mirrors
> I have mean directly from Microsoft not from TDF.

As I mentioned, there's no "Latest VS 2015 redist" static link on their
side. Only "VS 2015 redist version X.Y.Z", which is the same as
embedding this specific version into installer.

Also: at the time of creating the installer, we could possibly check
that our embedded redist is ~current, so users would have reasonably low
chance to get update request related to newly installed software (taking
into account our rate of releases). OTOH, if a user chooses to download
and install an out-of-date version, then it's not unexpected that, e.g.,
LibreOffice itself would warn about "newer version available"; so I
don't see anything unexpected here on redist side as well.

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Christian Lohmaier-3 Christian Lohmaier-3
Reply | Threaded
Open this post in threaded view
|

Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

Hi Mike, *,

On Fri, Dec 15, 2017 at 11:22 AM, Mike Kaganski
<[hidden email]> wrote:
> On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:
> […]
>> I have mean directly from Microsoft not from TDF.
>
> As I mentioned, there's no "Latest VS 2015 redist" static link on their
> side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding
> this specific version into installer.

Even if there was one, I'd object against relying on having internet
connectivity when installing.

> Also: at the time of creating the installer, we could possibly check that
> our embedded redist is ~current,

the redistributables then being handled by windows update → that's not
as critical as with the current method of shipping the dlls locally.

> so users would have reasonably low chance
> to get update request related to newly installed software (taking into
> account our rate of releases). OTOH, if a user chooses to download and
> install an out-of-date version, then it's not unexpected that, e.g.,
> LibreOffice itself would warn about "newer version available"; so I don't
> see anything unexpected here on redist side as well.

Agreed.

ciao
Christian
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Juergen Funk Mailinglist Juergen Funk Mailinglist
Reply | Threaded
Open this post in threaded view
|

AW: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

In reply to this post by Mike Kaganski-2
Hi Mike,

exactly the same


juergen


-----Ursprüngliche Nachricht-----
Von: Mike Kaganski [mailto:[hidden email]]
Gesendet: Freitag, 15. Dezember 2017 11:23
An: Juergen Funk Mailinglist <[hidden email]>; [hidden email]
Betreff: Re: AW: AW: tdf#108580: integrate vc_redist.exe into Windows installer

On 12/15/2017 12:53 PM, Juergen Funk Mailinglist wrote:

> Hi Mike
>
>> 1. Creating a redirect at TDF side imposes additional load to our
>> server infrastructure; 2. Users will depend on reliability of TDF
>> servers wrt this (in terms of their state, correctness of the link,
>> and also possible man-in-the-middle problems with modified links
>> pointing to malware) - note that LO downloads themselves are served
>> from multiple mirrors, but this kind of redirection can't work using
>> mirrors
> I have mean directly from Microsoft not from TDF.

As I mentioned, there's no "Latest VS 2015 redist" static link on their side. Only "VS 2015 redist version X.Y.Z", which is the same as embedding this specific version into installer.

Also: at the time of creating the installer, we could possibly check that our embedded redist is ~current, so users would have reasonably low chance to get update request related to newly installed software (taking into account our rate of releases). OTOH, if a user chooses to download and install an out-of-date version, then it's not unexpected that, e.g., LibreOffice itself would warn about "newer version available"; so I don't see anything unexpected here on redist side as well.

--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice