There seem to be many interesting KB relevant for us developers. For example:
http://support.microsoft.com/kb/971842/en-us
Is there any way to get these updates by rss / mail?
Keep in mind that as Robert says, you really want to find these only when you have the problem. Hotfixes are to bail you out until a well-tested fix is available via the Service Pack - we in Windows Serviceability issue many hotfixes, and it's just not possible for us to do the thorough, broad testing that we do for service packs and official releases, despite us doing our best to ensure that hotfixes still are good quality.
If Microsoft provided a RSS feed, people would install way more hotfixes than they should, and we don't want people to unintentionally break their own apps and not be able to find out which of the 30 hotfixes they installed is to blame.
Plus, even if a hotfix fixes a specific issue with an app, shipping hotfixes with your app is always trickier than saying "You must be running SP(n) or above"; you have to make sure you're installing the right version and arch of the fix, you have to try to code up "is this installed" routines that end up breaking if MS reissues the hotfix, you have to sign a contract with Microsoft, yadda yadda yadda...
Here is such a list:
http://support.microsoft.com/selectindex/?target=rss
Text for the filter; so much for brevity.
Just made an installer (using QTIFW) for my Qt project, but when I tried to install it on another machine, 360 Total Security interrupted the installation process.
It pops up and complains about d3dcompiler_47.dll, asking the user to allow/block the file. If the user does nothing, or doesn't allow it, it seems to prevent QTIFW from writing the file as part of the application installation.
That led to the following error:
Can't create C:\Program Files\company\project\d3dcompiler_47.dll"
That's quite terrible. I'm wondering how to deal with this situation?
False Positives: False positives from malware scanners can be quite hard to deal with. To check using more than one malware scanner you can upload the release files individually as well as the complete setup to https://www.virustotal.com. This service runs many malware scanners on the submitted files so you can see what malware scanners flag which binary. There are a few other such anti-malware online scanners such as Kaspersky, Avira, etc...
Update: And then there is Process Explorer. Check this tweet chain for how to check your running application for malware hits per process and loaded file.
When you see the scope of the problem (how many files are flagged), you should work backwards to see how you could go about solving the problem. This can involve getting the files whitelisted by the malware vendor(s), eliminating them from your setup, or fixing technicalities that flag the files, etc... There are some options listed and elaborated below.
Fixes: There are both technical and practical fixes you can try. Don't expect it to be easy. The issue of false positives is a very serious deployment problem. The proposed fixes and workarounds below are in random order:
Compiler Settings: Sometimes you can actually choose different compiler settings to avoid the problem, but often you are not so lucky. I have seen this with files compiled with special Spectre / Meltdown mitigation settings. They were flagged as unknown by malware scanners.
Dangerous API-calls: You should also check what API-calls are made in the problem file(s) that could be known to cause security warnings (unusual and / or dangerous API-methods) - and remove them if you can. I have heard of cases where malware vendors want to refuse to whitelist your binary because what the binary does makes no sense to them (try calling a firmware update for an embedded system as part of your setup installation or some low-level call triggered by a security tool you are installing).
Eliminate Files: Removing certain components from your application can also help sometimes - especially if they are third-party components added to your application for convenience only. In other words your application works fine without them. Removing a problem can be much simpler than fixing it.
Vanilla Installer: Sometimes you can split problem components into a separate setup so your main setup installs without issues. This can help enormously with support issues or overall application approval in corporate settings. You can also make 2 full setups where one has all probable false-positive triggers removed - your "vanilla setup" that should install without drama in all cases.
Digital Signatures: Signing the file with a digital signature can help since a proper certificate "buys trust outright" in reputation-based score systems such as Microsoft SmartScreen. Note that this needs to be an EV-level certificate. Please check for updated information here as technology evolves. Certificate / signing technologies always seem to cause something unexpected.
Malware Scanner Whitelisting: Submit file for white listing. Then there is the formal approach with the malware vendors as explained by Bogdan Mitrache of Advanced Installer here: Antivirus Whitelisting Pains. You submit files to them for white-listing. The article explains real-world experience with binaries flagged as malware when delivering software. Mandatory reading.
Microsoft SmartScreen: Microsoft has their own way to submit files for analysis and white-listing: https://www.microsoft.com/en-us/wdsi/filesubmission. They state: "Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware.".
Unique Executable Per Customer: Sometimes a unique executable is used for every customer by auto-generating an installer for each sale. I would advise against this since the installer executable - even when signed - will be a "new encounter" for malware scanners. You could run into trouble you do not need. There is also an added risk for each generated installer executable to actually be infected by real malware, and there is also the QA-issue that every installer should be tested before release.
Signed Malware: Whatever you do, make sure the file in question isn't actually real malware! Obviously your own files can get infected. Test well. If you sign malware and deliver to your client the digital signature is proof positive that you delivered the malware to them. Not good. And then.
More on Digital Signatures: Some information and links to get your setup and / or files signed:
https://www.advancedinstaller.com/user-guide/faq-digital-signature.html
https://knowledge.digicert.com/generalinformation/INFO1119.html
https://www.thawte.com/resources/getting-started/how-code-signing-works/
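To see the scope of the problem before uploading or requesting whitelisting, the following added example (not part of the original answer) inventories every binary in a staged installer payload with its Authenticode status, signer, timestamp presence and SHA-256. The `.\staging` default path is an assumption; point it at whatever directory your installer packs.

```powershell
# Added example: audit the binaries an installer will ship.
# $PayloadDir is a hypothetical staging directory, not a path from the original post.
param(
    [string]$PayloadDir = '.\staging'
)

$report = Get-ChildItem -Path $PayloadDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi', '.sys' } |
    ForEach-Object {
        # Authenticode verification result for this file
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        # Hash to look up on a multi-scanner service or quote in a vendor submission
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status
            # Third-party redistributables (for example a Microsoft DLL) show
            # their own publisher here, which separates them from your binaries.
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Without a timestamp the signature stops verifying when the cert expires
            Timestamped = [bool]$sig.TimeStamperCertificate
            SHA256      = $hash.Hash
        }
    }

$report | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# Anything that is not 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
# is a candidate for signing, removal, or a separate "vanilla" setup.
$problems = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} file(s) are unsigned or fail verification" -f $problems.Count)
    exit 1
}
```

A `HashMismatch` status means the file changed after it was signed, which is worth investigating before anything is released.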
I did several websites with Drupal, and now the core has been updated and I cannot go back to my customers to update the previous installations. I was wondering how risky it is not to update Drupal core to the latest version, and how web developers should deal with website management.
ps. My customers do not have any computer skills.
thanks
The openness of open source means that it is easy to know what an upgrade has fixed. It also means that a hacker could just look at the release notes and do a diff between the previous and current version to spot the vulnerabilities in the previous version.
If you have a good relationship with your clients I would explain the need for an upgrade and see if they want to pay you for it, as their sites are vulnerable to anyone determined enough to look at the release notes and do a little digging.
Here are the release notes. The answer to your question lies inside.
Updating the core is very important; it solves some security risks and brings new features.
I work in a shop that is mostly .NET based, and we're trying to pick out a content management system to use. This means we most likely won't be able to use any of the common open source CMS projects (Plone, phpNuke, anything not based on .NET, etc.).
Since I'm a huge usability nerd (just finished reading The Design of Everyday Things by Norman), I've been looking at them from that point of view. Frankly, I haven't been too impressed. This quote sums it up:
Most open source content management software is useless. The only thing worse is every commercial CMS I’ve used. - Jeffrey Veen
Here's a short list of our requirements:
Has to be .NET based
Prefer open source or on the inexpensive side
Limited feature set (we don't need too many features and they make things harder to use)
Does need Active Directory integration and robust permissions
Should be focused on web standards and usability
I know it's probably an impossible feature list, but are there any content management systems that kinda sorta look like they might not suck more than a Dyson?
Edit:
Here's the current situation:
I'm going to push for N2. I've got Active Directory integration working well (I even wrote a custom role provider). The only thing missing is workflow functionality. Hopefully I can get something going with that since it's the last sticking point. The N2Contrib project might provide a starting point if I can figure it out.
I would still love to check out Stencil CMS if/when it gets off the ground.
One of my co-workers was trying to get Umbraco going but wasn't having much luck.
Thanks for the help!
Self-plug is lame, but what you're describing is pretty much exactly what I am getting ready to release for $79 a pop. If you're still looking in a few weeks, take a peek. If you'd like, shoot me an email (rex#stencilcms.com).
I've heard both positive and negative feedback about Umbraco. A lot of people like Graffiti, but it's more blog-oriented than a full-blown CMS.
Check out N2 (http://n2cms.com/). I think that it covers most, if not all, of your requirements (I don't think it has Active Directory capability at this time). We are using N2 and I have really enjoyed how flexible it has been.
My company just completed a review of several commercial .NET-based CMS/portal platforms and, while I can't reveal who was in them (thanks, NDAs!), I can tell you that IMO they all sucked very, very badly.
Good luck on your search. I'll keep an eye on this thread in the hopes that there's something we missed.
We had a similar set of requirements and chose Telerik Sitefinity. It's got its faults but overall I've been happy with it so far.
Unfortunately Jeffrey speaks the truth. Which is probably why I build a new custom cms from the ground up every few years. Basically, the motivation for "boxed" CMS packages is to have every feature on earth and be everything to everyone and therefore do nothing particularly well for anyone. With the feature bloat comes the usability nightmares. Unless you start customizing and then you usually end up forking the project and losing the advantage of community updates.
Kentico CMS according to your list:
Has to be .NET based
It's .net based, .NET Framework 2.0 or later
Prefer open source or on the inexpensive side
Free edition which can be used for commercial purposes is available, paid license starts at $750, source code is an option
Limited feature set (we don't need too many features and they make things harder to use)
Many built-in modules/features, anyway they can be easily disabled to keep the UI simple to use
Does need Active Directory integration and robust permissions
AD, Forms and Live Id! Integration
Should be focused on web standards and usability
UTF-8 Support including RTL languages, WAI Compliant, XHTML Compliant, XML, XHTML, HTML, XSLT, CSS.
Instant on-line demo or download available at:
http://www.kentico.com/Download.aspx
I'm evaluating options to make our search more powerful on our .Net website. I need to look into whether we purchase software/hardware such as the Google Search Appliance (GSA) or develop the solution using a framework such as Lucene.Net
We're a startup, and the GSA provides a lot of good functionality out of the box, but we would need two boxes, with the second as the backup/dev environment and things start getting expensive.....
We have used SQL Server full text in the past, but we're keen to provide very intuitive "Googlesque" type searching to our site and we've struggled to do everything we want with SQL Server.
But, I am not sure what "incubator status" for the Lucene.Net project actually implies. Should I be considering a project that is in incubator status? Is it not active? Will it at some point move into a more active status or be archived off?
Thanks
Lucene.NET is a currently active and updated project. The fact that it is hosted as an incubated project under Apache is a good thing and not a negative one. As you can read on the Apache incubation site, Lucene.NET is awaiting a review and a final approval, but this doesn't mean it's unstable or unsupported.
Concerning your main question, I think using it for the development stage would be an acceptable choice if you're a startup.
I am not sure what "incubator status" for the Lucene.Net project actually implies
It means that the project, which was an external project, is being evaluated by apache for inclusion in the apache "stable" - I guess they have to make sure the processes are right, that there isn't patented code in there etc etc.
It has NO reflection on the code. Lucene.NET trunk is stable (v2.1), and the downloadable version (v2.0) is also stable, but not "as stable" or as updated.
If you have more questions, I'd suggest you jump on the mailing list (http://incubator.apache.org/lucene.net/) and ask George or DIGY. I've been using it on commercial projects - both internal (http://www.topgear.com for example) and packaged (not sure I can say, but it's an email archiver) since 1.xx, and it works GREAT.
I'd suggest you have a look at Solr, too. It uses the Java Lucene, and is basically an external search server, but you push info into it, rather than it trawling your site. It's on the apache lucene site.
Log4net was in incubation status for a long time in the Apache project. It was still recommended and used extensively. I'd be ok with using Lucene.Net for a couple of reasons. First, as #ste09 says, incubation status is a good thing. Second, Lucene (the Java version) is a full-fledged project at Apache. Similar to log4j/log4net, I think this bodes well for Lucene.Net making it out of incubation status.
According to http://msdn.microsoft.com/en-us/library/aa916070.aspx (DnsQuery_W), DNS query libraries are available on Windows Mobile / CE developers for versions 5.0 onwards. Yet, "#include " gives nasty "file not found" errors. What gives?
Strangely enough "dnsapi.lib" is available. Does Microsoft actually expect developers to scavenge the file from somewhere?..
The posted thread here claims that this API is not actually available in Windows Mobile 5 (and perhaps later?), despite claiming otherwise. I looked through the Mobile 5 and 6 SDKs, and didn't see this API either, so perhaps the thread's suggestion might work for you:
"If it's a simple host name->IP address (IPv4 or v6), you can use getnameinfo in Winsock. The DNSQuery_W is only needed if you're doing like a non-A/AAAA query. If you're doing that, we really don't have any helpers to do that for you from the OS side - sorry. You may look around to see if there's helper library floating around out there that you may be able to recompile for CE (assuming you're comfortable with whatever licensing agreements they may put on you.)"
getnameinfo should be documented here (for Windows Mobile), in case that helps.
If you are really after 'windns.h', I found it in the WM5/WM6/WM6.1 Platform Builders in
\public\common\sdk\inc
The hard part is getting access to the WM Platform Builder if you're an ISV. That I can't help you with.