[wix-devs] 4991 - Handling of related bundles missing from cache

Bob Arnson bob at firegiant.com
Tue Dec 15 16:11:04 PST 2020


Worth calling out.

-----Original Message-----
From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> On Behalf Of Sean H via wix-devs
Sent: Tuesday, 15 December, 2020 17:43
To: wix-devs at lists.wixtoolset.org
Cc: Sean H <rseanhall at outlook.com>
Subject: Re: [wix-devs] 4991 - Handling of related bundles missing from cache

3. Yes. Some people probably already have their bundle accessible through a URL anyway. Plus if they don't have an attached container, then there's nothing to strip. The BA also will be able to specify local file and whatever else is available when Burn normally prompts the BA for source.

________________________________


1. Smells like overkill but then SHA-1 was broken that way...
2. Check. Detect's sufficient.
3. So you're suggesting that Burn would download the specified URL, strip it, and compare it to the registration hash/size?

-----Original Message-----
From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> On Behalf Of Sean Hall via wix-devs
Sent: Tuesday, 15 December, 2020 17:09
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Cc: Sean Hall <r.sean.hall at gmail.com>
Subject: Re: [wix-devs] 4991 - Handling of related bundles missing from cache

1. File size makes it practically impossible for an attacker to change the contents of the file and still get the same hash. Burn always uses the hash and the file size when verifying by hash.

2. I think you're referring to skipping during Plan. The engine needs the bundle in the cache in order to execute it (for security). If the engine doesn't have the hash and file size, then it's not going to put a random file in the package cache. So there's no way that the engine is going to plan that bundle, so why notify the BA about a package during Plan that will never make it into the plan?

3. Why? It needs the stripped bundle, it knows how to strip a bundle. UX container != attached container. Stripped bundle == bundle with only UX container.


> 1. Why care about file size (i.e., isn't hash sufficient)?
> 2. Why skip BA notification if we didn't record the hash/size? Is there a reason to let the BA know in that case? (Maybe it wants to cancel and say 'go download v1.0 again to uninstall'?)
> 3. The mismatch between stripped bundle and downloadable bundle seems like it's more of a roadblock than a speed bump. (Is the .exe that gets cached identical if it has no attached containers other than the UX container? If so, that might be a semi-viable workaround but even that's problematic because of the constantly-generated bundle id.)
>
> -----Original Message-----
> From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> On Behalf Of Sean Hall via wix-devs
> Sent: Tuesday, 15 December, 2020 16:12
> To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
> Cc: Sean Hall <r.sean.hall at gmail.com>
> Subject: [wix-devs] 4991 - Handling of related bundles missing from cache
>
> I created a WIP for 4991 at https://wixtoolset.org/development/wips/4991-handling-of-related-bundles-missing-from-cache.
> Any feedback?
> ____________________________________________________________________
> WiX Toolset Developer Mailing List provided by FireGiant
> http://www.firegiant.com/
____________________________________________________________________
WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/
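As an added illustration of the cache gate the thread describes (this is not Burn's code; the registration record layout and the choice of SHA-256 are assumptions): a file only enters the package cache when a recorded hash and size both exist and both match, with the cheap size check running before any hashing.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical registration record for a related bundle. Burn's real record
# layout is not shown on this page; SHA-256 is an assumed hash algorithm.
@dataclass
class BundleRegistration:
    bundle_id: str
    expected_size: Optional[int] = None
    expected_sha256: Optional[str] = None  # lowercase hex digest

def verify_for_cache(reg: BundleRegistration, path: str) -> Tuple[bool, str]:
    """Decide whether `path` may be placed in the package cache as `reg`.

    Without a recorded hash AND size there is nothing to verify against, so the
    file is refused outright; otherwise the size check runs first and the hash
    is only computed when the size already matches.
    """
    if reg.expected_size is None or reg.expected_sha256 is None:
        return False, "no hash/size recorded; refusing to cache unverified file"
    actual_size = os.path.getsize(path)
    if actual_size != reg.expected_size:
        return False, f"size mismatch: expected {reg.expected_size}, got {actual_size}"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), reg.expected_sha256.lower()):
        return False, "hash mismatch"
    return True, "verified"

def demo() -> dict:
    """Constructed sample files: intact, tampered at equal size, appended, unrecorded."""
    payload = b"MZ constructed stripped bundle bytes\n" * 64
    with tempfile.TemporaryDirectory() as d:
        paths = {
            "good": payload,
            "tampered": payload[:-1] + b"!",  # same length, different content
            "appended": payload + b"extra",   # different length: rejected before hashing
        }
        for name, data in paths.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        reg = BundleRegistration("{CONSTRUCTED-ID}", len(payload), hashlib.sha256(payload).hexdigest())
        unrecorded = BundleRegistration("{CONSTRUCTED-ID-2}")  # no hash/size recorded
        results = {name: verify_for_cache(reg, os.path.join(d, name)) for name in paths}
        results["unrecorded"] = verify_for_cache(unrecorded, os.path.join(d, "good"))
        return results
```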