I agree with the arguments on reference counting and upgrades. If you need 
that, heat is better for sure. Fortunately, I do not need reference counting. In 
my case uninstalling is easy - just calling regasm again. Today you can 
grill anything based on security but we surely run into a paradox here. If the 
only way to deliver secure and trusted software is to produce everything 
in-house, only Microsoft should be 100% successful (and the rest of us not) but 
we question even that in this discussion. 

I inspected the WebAppPool element but could not find many properties that can be 
configured in IIS. For example "Enable 32-bit Applications", "Ping*" (i.e. Ping 
Enabled) or "Processor Affinity*" (i.e. "Processor Affinity Enabled"). So far 
the only way to get them set is calling appcmd.exe, but I am probably missing 
some info here (?).

If the Federal Reserve uses Windows then it is easier to explain the explosion of 
America's negative trillions over the past 15 years :)
...I am sorry, but I could not resist taking a bit of a fun ride on the example John used.
Having said that, I wish a Happy July 4th to all fellow Americans.


Cheers!

Marek  


-----Original Message-----
From: John Cooper [mailto:jocoo...@jackhenry.com] 
Sent: Thursday, July 03, 2014 12:52 PM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

I leave that to you.  As usual you are right, but it slips by from my radar 
because I can't do it any other way.  The installer must be transactional or QA 
testing of it becomes burdensome.  Upgrade support is a given and won't work if 
the installer isn't mostly transactional.  Even more so for patching.  And 
uninstall is surprisingly critical.  I've got a Google mobile phone app that 
pretends to uninstall but then comes back to file at the next upgrade cycle.  
Not a nice user experience.

--
John Merryweather Cooper
Build & Install Engineer - ESA
Jack Henry & Associates, Inc.®
Shawnee Mission, KS  66227
Office:  913-341-3434 x791011
jocoo...@jackhenry.com
www.jackhenry.com



-----Original Message-----
From: Rob Mensching [mailto:r...@firegiant.com]
Sent: Thursday, July 3, 2014 11:44 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

You skipped the important stuff. Like rollback, upgrade, uninstall and 
reference counting. Calling regasm will not help you solve any of the hard 
problems around those situations. It'll be easy to get clean install running 
but everything else is much harder.

At FireGiant, we always recommend users use the built in Windows Installer 
tables (in this case the Registry table) whenever possible. Doing otherwise 
creates a chain of issues, some of which don't show up until you try to service 
your product.

_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  
http://www.firegiant.com/

-----Original Message-----
From: John Cooper [mailto:jocoo...@jackhenry.com]
Sent: Thursday, July 3, 2014 7:56 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

Many executable utilities from Microsoft have known buffer overrun bugs in 
their parameter passing.  If the particular version of the executable is not 
known before execution, there is no guarantee that it doesn't have one or more 
of these flaws.  In any case, signing of the MSI does not help you because no 
modification to the MSI is required.  It now has a truck-sized hole through 
which anything can enter.  The moral of the story is any security flaws 
inherent in the executable are now immediately inherited by the installer every 
time it is run.

The problem is not command line utilities per se.  The problem is the 
assumption that someone else has put the target computer into a secure state 
ahead of time.  If the service one of my installers stands up to the Federal 
Reserve is penetrated, they will not come to the individual who installed it, 
or to the system administrator.  They will come for me.  I take that 
responsibility very seriously.

I do both the IIS configuration and the SQL deployment without any external 
executables.

Security is not an accident or an excuse.  It is designed in, or it doesn't 
exist at all.

--
John Merryweather Cooper
Build & Install Engineer - ESA
Jack Henry & Associates, Inc.®
Shawnee Mission, KS  66227
Office:  913-341-3434 x791011
jocoo...@jackhenry.com
www.jackhenry.com


-----Original Message-----
From: Marek Mielcarek [mailto:mmielca...@actuate.com]
Sent: Thursday, July 3, 2014 9:42 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

John,
thank you for your comments. I find them very valuable. Please find below my 
remarks.

RE 1: I am not sure how you define "code injections" in MSI. If you sign your 
MSI with a certificate, classic injections will not work. 

RE 2: The remark on Trojan is as good for MSI as for any other situation; 
system administrator may activate Trojan by executing any legitimate 
command-line utility in elevated security session; MSI is not any different 
than that. The only solution is to ban running command-line utilities.

RE 3: Yes, I agree that "mercy" applies, but it applies to *any* code that is 
more complex than "hello world". This includes even the best-written WiX 
installer, provided the installer has to do really complex things. Just 2 
examples of what I mean: advanced configuration of IIS or SQL server can only 
be done by running external tools, "heat" cannot do that - maybe "smelter" will 
:). And those, by all means, are at mercy of everything you can imagine.

If "responsible security analysis" will reject MSI that calls 
legitimate/operating-system utilities, I am afraid lots of existing MSIs and 
other types of installers would have to be rejected. 

"Many things are superficially easier to execute in the short term, but the 
long term costs can be high." 
I agree; however "superficial" seems to be the new way to go, for pretty much 
everything. Because of that, shortcuts are good as they deliver cheaply for the 
time being; chances are the whole thing will be replaced or discontinued very 
soon anyway. "Cheap" is more powerful than "good". Like it or not - that's a 
separate story, I am just stating the fact of how things work.


Best,
Marek


-----Original Message-----
From: John Cooper [mailto:jocoo...@jackhenry.com]
Sent: Thursday, July 03, 2014 9:37 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

It is a very bad idea to use any external executable in an MSI because:

1) the MSI is now defenseless against code injection
2) defenseless against a Trojan
3) at the mercy of whatever version to version changes are made to the calling 
interface of the executable

Any responsible security analysis will reject such an MSI.

In general, maintainability of such MSIs is poor over the long term.

Many things are superficially easier to execute in the short term, but the long 
term costs can be high.

--
John Merryweather Cooper
Build & Install Engineer - ESA
Jack Henry & Associates, Inc.®
Shawnee Mission, KS  66227
Office:  913-341-3434 x791011
jocoo...@jackhenry.com
www.jackhenry.com
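
The review step discussed in the message above (rejecting an MSI that launches an external executable) can be partly automated. The following is an added example, not part of the original thread or any participant's code: it decodes the Type column of an MSI CustomAction table and reports actions that run an executable resolved on the target machine. The rows, action names, `NETFXDIR` and the file key are constructed sample data.

```python
# Added example: triage MSI CustomAction rows for actions that launch an
# external executable. All rows below are constructed sample data.

# Low three bits of Type give the target kind; bits 0x30 give the source.
TARGET_DLL, TARGET_EXE = 0x01, 0x02
SOURCES = {0x00: "Binary table stream", 0x10: "installed file",
           0x20: "directory + command line", 0x30: "property value"}
IN_SCRIPT, NO_IMPERSONATE = 0x400, 0x800  # deferred / not run as the user
# Entry points of WiX's quiet-exec DLL, which runs a command line on request.
QUIET_EXEC = {"CAQuietExec", "CAQuietExec64", "WixQuietExec", "WixQuietExec64"}


def classify(name, ca_type, source, target):
    """Return a finding dict if the action runs an executable, else None."""
    kind = ca_type & 0x07
    if kind == TARGET_EXE:
        origin = SOURCES[ca_type & 0x30]
    elif kind == TARGET_DLL and target in QUIET_EXEC:
        origin = "quiet-exec DLL (command line comes from a property)"
    else:
        return None
    # Deferred + no-impersonate actions run in the Windows Installer service's
    # context, so whatever binary is resolved inherits that privilege.
    elevated = bool(ca_type & IN_SCRIPT) and bool(ca_type & NO_IMPERSONATE)
    # Only an EXE stored in the Binary table ships inside the signed package;
    # every other origin is resolved on the target machine at install time.
    shipped = kind == TARGET_EXE and (ca_type & 0x30) == 0x00
    return {"action": name, "origin": origin, "elevated": elevated,
            "resolved_on_target": not shipped}


def audit(rows):
    """Classify every row and keep only the findings."""
    return [f for f in (classify(*r) for r in rows) if f]


# Constructed rows: (Action, Type, Source, Target)
SAMPLE_ROWS = [
    ("RegisterAsm", 34 | IN_SCRIPT | NO_IMPERSONATE, "NETFXDIR",
     'regasm.exe /codebase "[#MyAssembly.dll]"'),
    ("SetInstallDir", 51, "INSTALLDIR", "[ProgramFilesFolder]Example"),
    ("QuietRegAsm", 1 | IN_SCRIPT | NO_IMPERSONATE, "WixCA", "WixQuietExec"),
    ("BundledTool", 2, "ToolExe", "/q"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```
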


-----Original Message-----
From: Marek Mielcarek [mailto:mmielca...@actuate.com]
Sent: Thursday, July 3, 2014 8:24 AM
To: General discussion about the WiX toolset.
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

Phill,
Thank you for the hint. I am aware of using heat for registering COM; however, I 
find calling regasm an immensely easier and better way. If you have a dedicated 
resource with nothing on the neck but just playing with WiX, using heat is 
probably fine. In my case WiX is just a very small fragment of large 
environment I have to maintain. WiX is great but hugely time-consuming. It 
requires lots of tweaking before you get the details together so they work the 
way you want. I do not have such luxury. 

Anyway, I found the reason, resolved the issue and can forget about it for some 
time.

Thank you,
Marek.



-----Original Message-----
From: Phill Hogland [mailto:phogl...@rimage.com]
Sent: Thursday, July 03, 2014 8:44 AM
To: wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] calling regasm.exe from Wix installer on Win 2012

Not really the question asked, but are you aware of using heat to harvest 
regasm entries?
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Re-To-regasm-or-to-not-regasm-td7580188.html



--
View this message in context: 
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/calling-regasm-exe-from-Wix-installer-on-Win-2012-tp7595630p7595633.html
Sent from the wix-users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse Turn 
processes into business applications with Bonita BPM Community Edition Quickly 
connect people, data, and systems into organized workflows Winner of BOSSIE, 
CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft 
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users

NOTICE: This electronic mail message and any files transmitted with it are 
intended exclusively for the individual or entity to which it is addressed. The 
message, together with any attachment, may contain confidential and/or 
privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or 
distribution is strictly prohibited. If you have received this message in 
error, please immediately advise the sender by reply email and delete all 
copies.

