I have a problem with auto-updaters. They usually install a service or sit as “innocent” icon in the taskbar notification area. That’s a waste of my computer’s resources while they could do better, e.g. using scheduled tasks or checking only when the application runs. Plus it’s not easy to secure such a mechanism so that only your application can be updated and nobody can misuse it, e.g. to install malware.
We have no auto-update for SwyxIt! yet. We probably will do it, but it won’t be a service or another background task.
I have a problem with auto-updaters. They usually install a service or sit as “innocent” icon in the taskbar notification area. That’s a waste of my computer’s resources while they could do better, e.g. using scheduled tasks or checking only when the application runs. Plus it’s not easy to secure such a mechanism so that only your application can be updated and nobody can misuse it, e.g. to install malware.
We have no auto-update for SwyxIt! yet. We probably will do it, but it won’t be a service or another background task.
And it won’t auto-update when you have no administrative rights. It’s too hard to get right, means the effort we would need to spend is just not worth it.
- We would need to introduce a Windows service running with administrative rights and allow that to install SwyxIt! updates.
- A service cannot directly interact with the desktop for security reasons. We would need to implement an own interaction mechanism so that the user sees what’s happening.
- Securing such a service so that nobody can sneak in a non-SwyxIt update is not easy and would need a lot of additional testing. You don’t believe it? Look at this. Neither MacOS X, iTunes, Winzip, Winamp, OpenOffice and Java have secure enough auto-update mechanisms. And they have much more development and test resources at hand than we have.
- Such a service would run all the time, wasting resources on each client system.
- Using signed Windows Installer patches (msp) would work in theory. They can be installed by non-admins, because Windows Installer checks if the signature matches a certificate in the original MSI. But we would need to release each SwyxIt update as full MSI and as a MSP. And MPS would work for Windows Installer “minor upgrades” only. SwyxIt always does a “major upgrade” which has the advantage that you can just execute the msi file. Minor upgrades would need a bootstrapper application to initiate a “minor upgrade”.
The current plan for SwyxIt! auto-update is like this:
- Admin provides new setup package (msi) by uploading it to the SwyxWare database. That would be the normal msi files we release, nothing special, nothing additional.
- SwyxIt uses ConfigDataStore API after logging in to check for new updates, i.e. only your local SwyxServer is the source and you need to be authenticated at SwyxWare.
- The user gets a notification and can initiate a small update application which installs the MSI.
- When the SwyxIt user runs on Windows Vista and has no administrative rights, the normal Windows Vista elevation prompt (user account control) comes up to get admin credentials.
- On older Windows versions, SwyxIt will use the standard “Run as” dialog to get credentials for the update application.
- If the user has no admin credentials the update cannot be installed.
This solution is far from perfect, but I think it’s a good compromise between the effort it takes to realize and the benefits it provides. And please don’t ask when it will be realized. That has not been decided yet.