John, thank you for your comments. I find them very valuable. Please find below my remarks.
RE 1: I am not sure how you define "code injections" in MSI. If you sign your MSI with a certificate, classic injections will not work.

RE 2: The remark on Trojans is as good for MSI as for any other situation; a system administrator may activate a Trojan by executing any legitimate command-line utility in an elevated security session; MSI is not any different than that. The only solution is to ban running command-line utilities.

RE 3: Yes, I agree that "mercy" applies, but it applies to *any* code that is more complex than "hello world". This includes even the best-written WiX installer, provided the installer has to do really complex things. Just 2 examples of what I mean: advanced configuration of IIS or SQL Server can only be done by running external tools; "heat" cannot do that - maybe "smelter" will :). And those, by all means, are at the mercy of everything you can imagine. If "responsible security analysis" will reject an MSI that calls legitimate/operating-system utilities, I am afraid lots of existing MSIs and other types of installers would have to be rejected.

"Many things are superficially easier to execute in the short term, but the long term costs can be high." I agree; however "superficial" seems to be the new way to go, for pretty much everything. Because of that, shortcuts are good as they deliver cheaply for the time being; chances are the whole thing will be replaced or discontinued very soon anyway. "Cheap" is more powerful than "good". Like it or not - that's a separate story, I am just stating the fact of how things work.

Best,
Marek

-----Original Message-----
From: John Cooper [mailto:jocoo...@jackhenry.com]
Sent: Thursday, July 03, 2014 9:37 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

It is a very bad idea to use any external executable in an MSI because:
1) the MSI is now defenseless against code injection
2) defenseless against a Trojan
3) at the mercy of whatever version-to-version changes are made to the calling interface of the executable

Any responsible security analysis will reject such an MSI. In general, maintainability of such MSIs is poor over the long term. Many things are superficially easier to execute in the short term, but the long term costs can be high.

--
John Merryweather Cooper
Build & Install Engineer - ESA
Jack Henry & Associates, Inc.®
Shawnee Mission, KS 66227
Office: 913-341-3434 x791011
jocoo...@jackhenry.com
www.jackhenry.com

-----Original Message-----
From: Marek Mielcarek [mailto:mmielca...@actuate.com]
Sent: Thursday, July 3, 2014 8:24 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

Phill,

Thank you for the hint. I am aware of using heat for registering COM; however, I find calling regasm an immensely easier and better way. If you have a dedicated resource with nothing on the neck but just playing with WiX, using heat is probably fine. In my case WiX is just a very small fragment of a large environment I have to maintain. WiX is great but hugely time-consuming. It requires lots of tweaking before you get the details together so they work the way you want. I do not have such luxury. Anyway, I found the reason, resolved the issue and can forget about it for some time.

Thank you,
Marek.

-----Original Message-----
From: Phill Hogland [mailto:phogl...@rimage.com]
Sent: Thursday, July 03, 2014 8:44 AM
To: wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

Not really the question asked, but are you aware of using heat to harvest regasm entries?
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Re-To-regasm-or-to-not-regasm-td7580188.html

--
View this message in context: http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/calling-regasm-exe-from-Wix-installer-on-Win-2012-tp7595630p7595633.html
Sent from the wix-users mailing list archive at Nabble.com.

_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.
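The two approaches the thread argues about, side by side, as an added illustration that is not code from any of the posters. It assumes a hypothetical COM-visible assembly Contoso.Widget.dll exposing class Contoso.Widget with a placeholder CLSID, an INSTALLFOLDER directory, and WiX v3 with WixNetFxExtension referenced (source of the NETFRAMEWORK40FULLINSTALLROOTDIR property).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration for this thread, not code from any of the posters.
     Assumes a hypothetical assembly Contoso.Widget.dll (class Contoso.Widget),
     a placeholder CLSID, an INSTALLFOLDER directory, and WiX v3 with
     WixNetFxExtension referenced for NETFRAMEWORK40FULLINSTALLROOTDIR. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">

  <!-- (a) Approach under discussion: run regasm.exe as a deferred, non-impersonated
       custom action. A process is spawned as SYSTEM at install time, and the outcome
       depends on the regasm version and command line found on the target machine. -->
  <Fragment>
    <CustomAction Id="RegAsmWidget" Directory="INSTALLFOLDER" Execute="deferred"
                  Impersonate="no" Return="check"
                  ExeCommand="&quot;[NETFRAMEWORK40FULLINSTALLROOTDIR]regasm.exe&quot; &quot;[INSTALLFOLDER]Contoso.Widget.dll&quot; /codebase" />
    <InstallExecuteSequence>
      <Custom Action="RegAsmWidget" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>
  </Fragment>

  <!-- (b) Phill's alternative: harvest the registry writes once at build time, e.g.
         heat file Contoso.Widget.dll -ag -sfrag -srd -dr INSTALLFOLDER -out Widget.wxs
       and ship them as Registry table rows. Nothing executes during install; Windows
       Installer writes, rolls back and removes the rows itself. The rows below
       approximate what regasm /codebase writes (CodeBase shown in placeholder form). -->
  <Fragment>
    <DirectoryRef Id="INSTALLFOLDER">
      <Component Id="cmpWidget" Guid="*">
        <File Id="filWidget" KeyPath="yes" Source="$(var.SourceDir)\Contoso.Widget.dll" />
        <RegistryKey Root="HKCR" Key="CLSID\{00000000-0000-0000-0000-000000000000}">
          <RegistryValue Type="string" Value="Contoso.Widget" />
          <RegistryKey Key="InprocServer32">
            <RegistryValue Type="string" Value="mscoree.dll" />
            <RegistryValue Name="ThreadingModel" Type="string" Value="Both" />
            <RegistryValue Name="Class" Type="string" Value="Contoso.Widget" />
            <RegistryValue Name="Assembly" Type="string" Value="Contoso.Widget, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            <RegistryValue Name="RuntimeVersion" Type="string" Value="v4.0.30319" />
            <RegistryValue Name="CodeBase" Type="string" Value="file:///[INSTALLFOLDER]Contoso.Widget.dll" />
          </RegistryKey>
          <RegistryKey Key="ProgId">
            <RegistryValue Type="string" Value="Contoso.Widget" />
          </RegistryKey>
        </RegistryKey>
        <RegistryKey Root="HKCR" Key="Contoso.Widget\CLSID">
          <RegistryValue Type="string" Value="{00000000-0000-0000-0000-000000000000}" />
        </RegistryKey>
      </Component>
    </DirectoryRef>
  </Fragment>
</Wix>
```

Variant (b) is pure data, so a reviewer can diff the exact keys an installer will touch, whereas variant (a) can only be reviewed by reasoning about whatever regasm.exe does on the target host.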