December 28, 2007

Code Signing On The Cheap and Easy

John Robbins attracted my attention a couple of months ago with a series of posts on WiX. More recently I noticed a nice article discussing code signing on the cheap ( and easy ). It's a good read and I reccomend it. Personally I've only signed a few packages with self generated test certificates and then let my customers build the package with their certificates... a sort of design by contract scenario. John's solution is cheap enough that I might just be tempted to go buy a certificate for myself.

December 27, 2007

Bloggers Wanted

A little over three years ago I wrote by first blog post:

I want to try to create a site where myself ( and maybe soon others ) can publish articles that go way beyond the typical newbie "how do I" discussions. A site where we inspire people to get hard core with Software Engineering.


I feel over the years that I've accomplished only part of my goal. It was and still is my intention to try to bring other voices into the discussion. I really encourage people who are passionate about build/setup/deployment to start their own blogs and/or contact me to discuss contributing to this blog as part of a team effort.

To Redist or Not To Redist, That Is The Question

Recently I blogged about issues regarding deploying the .NET Framework 3.5. I was all over the map in terms of my thoughts, and out of the resultant comments came an interesting comment that makes me wonder:

Is it really a violation of the EULA to redist the .NET Framework?

Now I am not a lawyer, and I doubt many people reading my blog are either. However, I invite comments on this subject.

Since my writing style has been distracted as of late ( no doubt because of all the personal hell that I've been going through ) I think I'm just going to stick to a bullet list of thoughts / questions that are on my mind.

1) Microsoft surely wants to cut the red tape and encourage the distribution of the framework as to achieve greater adoption of .NET by ISV's.

2) Silent installs are a fundamental requirement of enterprise deployments so surely there has to be a realistic way of cutting through the red tape ( see #1 ).

3) MSI 4.5 is all about composing applications via micro packages through a seamless installation transaction. Surely, again, that some EULA red tape isn't meant to get in the way of all this.

4) Microsoft makes the entire framework available as a free / unregistered download and they call it "Full Redistributable Package". Is it really redistributable, or is it not really redistributable?

I've seen it mentioned that an MSI package is `cleaner` without a setup.exe, without any redist packages and to simply block the install with an AppSearch/LaunchCondition type pattern. I'd say in certain circumstances that is true. However, I've also worked on some really exotic installs in my time. Some of them were years ahead of MSI 4.5 in terms of distributing literally dozens of redist packages in support of a primary product install. The teams I've supported integrated a lot of different technologies in a product line development environment and you couldn't eliminate the dependencies or tell a project manager that they needed to be installed individually. The expectation was for a seamless automated installation.

I feel myself wanting to go in left field so I'll end it with I invite your comments below.

December 20, 2007

.NET Framework Size

This is a topic that I've been wanting to write about for awhile but I just haven't had the time: Holy Crap the .NET Framework 3.5 is HUGE!

How did we get here? Let's see....

.NET Framework 1.0 Redist: 19.7MB
.NET Framework 1.1 Redist: 23.1MB
.NET Framework 2.0 Redist: 22.4MB
.NET Framework 3.0 Redist: 50.3MB ( x86 )
.NET Framework 3.0 Redist: 90.1MB ( x64 )
.NET Framework 3.5 Redist: 197.0MB

Wow! 197MB! The funny thing is there is a Doctor Dobb's article from 2003 that was questioning the size of .NET 2.0 when it was a mere 1/5th of the size that it is now. Just what in the world would they think now?

It should be understood that the 3.5 redist contains a lot of junk under the hood. It's really invasive... it contains windows patch, patches for previous versions of the framework, different versions for different platform types and so on. There have also been a long list of installer defects already announced that are going to pose problems when it comes time for ISV's to try to integrate the framework into their bootstrappers for their own products.

Related to this topic are a couple observations that I wanted to share. The first is a long list of blogs that I've seen recently detailing installer defects in various .NET / Visual Studio installs. The quality and user experience in these installs really seem to be going downhill. It's not like taking hours to install VS 2005 SP1 wasn't bad enough. Now you are lucky if the installs work in the first place. As an aside, I really can't help wonder if all of the Virtual PC CTP's during the beta cycle didn't contribute to an environment where the installs just wasn't getting close scrutinizing.

The second observation is how many people are willing to just blindly believe in `Microsoft Best Practices`. For example, I recently read the following comment over at InstallSite:

I wonder if there's a specific reason that some of the installer products feel the need to wantonly violate Microsoft's best practices?


When asked to elaborate, the poster mentioned the use of non-standard cab compression techniques such as LZMA. This technique is used by other vendors such as InstallAware. For example, InstallAware is able to reduce the .NET Framework 3.5 Redist by 33% to 132MB. This is still huge, but atleast InstallAware is trying to do something to help out.

This advance in installation technology did not go unpunished though. WiX creator Rob Mensching flamed InstallAware over this issue with the following statement:

So why do I have a negative impression of InstallAware? Two reasons. First, they repackaged redistributable packages (such as the .NET Framework) which violates the EULAs of the products. Messing with other people's stuff then redistributing your modifications without explicit permission bothers me at a philosophical level.


The irony is InstallAware was specifically asked by Microsoft if their technology could be used to reduce the size of the framework SDK.

So it seems to me that LZMA compression really is a best practice. It's just that our overlords at Microsoft just haven't been smart enough to admit and/or support it yet.

Getting back to the framework size issue... I'm afraid I don't see magic bullet for mitigating it. Considering setup developers don't typically get to tell the architects how to code, if 3.5 comes down the pipe we are pretty much just going to have to bite the bullet. As an aside, ClickOnce apps on .NET 3.5 are officially a joke, right?

Sadly I now find myself waiting for MSI 4.5 and it's transacted prereqs patterns to see just how much more complicated ( and worse ) Windows Installer packages for .NET / Visual Studio can become.

December 18, 2007

Fighting The Good Fight

I really wish that I was referring to Setup related issues when I mention Fighting the Good Fight. Unfortunately, I am once again talking about the fight for survival against cancer.

Tomorrow morning my wonderful wife ( of nearly elevent years ) Cheryl will be undergoing liver surgery to attempt to deal with a metastatic tumor. The following months will involve additional surgery to deal with a lung tumor and many, many rounds of chemotherapy. With any luck the surgery will deal with the localized problems and the chemo will take care of the systemic problems.

So I once again come to you and ask that you please keep my wife and family in your thoughts, hearts and prayers in any way that you can.

December 15, 2007

An Example of the Importance of Setup

As a result of my division being sold to another company earlier this summer, one of the many things asked of me was to complete a `Jobs Analysis Questionnaire`. Basically it's a really long form trying to figure out what the heck I do ( think of the Bobs in Office Space asking `So just what is it you do here?` ), how much responsibility I have and what could go wrong if I do it incorrectly.

A lot of people seem to think that Deployment Engineering isn't really important. Very frequently I am contacted by potential clients and recruiters who seem to grossly underestimate their needs. I even see this attitude from very seasoned developers and program managers who really should know better.

Recently I've seen a lot of postings talking about very .NET Framework and Visual Studio installer errors. However even these blatant defects are nothing compared to this gem.

The summary of the story is that a gaming company was putting together an installer using NSIS and in the process they wiped out the BOOT.INI on their customers computers. They try to explain how their entire development process failed to catch this issue but in the end it's inexcusable. In the end they are feeling the pain of trying to make it right.

Sadly this is the case in a lot of development shops. Deployment Engineering just isn't treated as a first class activity. Resources with little or no understanding of deploying applications get assigned, the requirements aren't clearly defined, inferior tools are selected and the test plan is non-existent.