[wix-devs] 4991 - Handling of related bundles missing from cache

Sean Hall r.sean.hall at gmail.com
Tue Dec 15 14:08:42 PST 2020


1. File size makes it practically impossible for an attacker to change the
contents of the file and still get the same hash. Burn always uses the hash
and the file size when verifying by hash.

2. I think you're referring to skipping during Plan. The engine needs the
bundle in the cache in order to execute it (for security). If the engine
doesn't have the hash and file size, then it's not going to put a random
file in the package cache. So there's no way that the engine is going to
plan that bundle, so why notify the BA about a package during Plan that
will never make it into the plan?

3. Why? It needs the stripped bundle, it knows how to strip a bundle. UX
container != attached container. Stripped bundle == bundle with only UX
container.


> 1. Why care about file size (i.e., isn't hash sufficient)?
> 2. Why skip BA notification if we didn't record the hash/size? Is there a
> reason to let the BA know in that case? (Maybe it wants to cancel and say
> 'go download v1.0 again to uninstall'?)
> 3. The mismatch between stripped bundle and downloadable bundle seems like
> it's more of a roadblock than a speed bump. (Is the .exe that gets cached
> identical if it has no attached containers other than the UX container? If
> so, that might be a semi-viable workaround but even that's problematic
> because of the constantly-generated bundle id.)
>
> -----Original Message-----
> From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> On Behalf Of
> Sean Hall via wix-devs
> Sent: Tuesday, 15 December, 2020 16:12
> To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
> Cc: Sean Hall <r.sean.hall at gmail.com>
> Subject: [wix-devs] 4991 - Handling of related bundles missing from cache
>
> I created a WIP for 4991 at
>
> https://wixtoolset.org/development/wips/4991-handling-of-related-bundles-missing-from-cache
> .
> Any feedback?
> ____________________________________________________________________
> WiX Toolset Developer Mailing List provided by FireGiant
> http://www.firegiant.com/
>
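
As an added illustration of points 1 and 2 in the reply above (not code from the message, the WIP, or Burn itself): a cache-admission check that refuses a file unless a recorded size and a recorded hash are both available and both match. SHA-256, the function name `verify_for_cache` and the verdict strings are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional


def verify_for_cache(path: str, expected_size: Optional[int],
                     expected_sha256: Optional[str]) -> str:
    """Return "ok" only if the file matches both recorded values."""
    # Without recorded values there is nothing to verify against: refuse.
    if expected_size is None or not expected_sha256:
        return "no-verification-data"
    with open(path, "rb") as f:
        # Size is the cheap check, done on the open handle before hashing.
        if os.fstat(f.fileno()).st_size != expected_size:
            return "size-mismatch"
        digest = hashlib.sha256()  # assumed algorithm, for illustration only
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        return "hash-mismatch"
    return "ok"


def demo() -> dict:
    original = b"constructed stand-in for a stripped bundle"  # constructed sample
    size, sha = len(original), hashlib.sha256(original).hexdigest()
    candidates = {
        "intact": original,
        "same-size-tamper": original[:-1] + b"X",  # same length, new content
        "appended": original + b"extra",           # content added at the end
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in candidates.items():
            p = os.path.join(d, name + ".bin")
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_for_cache(p, size, sha)
        # Same intact file, but the expected values were never recorded.
        results["unrecorded"] = verify_for_cache(
            os.path.join(d, "intact.bin"), None, None)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
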


