Guest: Rob Mensching
- WiX Toolset is used for building MSI packages and deploying them. (Note: This is different than Wix.com, which is a website builder.) The first version of WiX was written in VBScript in 1999; it was made open-source on SourceForge in 2004. (See the WiX Toolset on GitHub.)
- Rob worked on this open-source project at Microsoft, and now does this full time at FireGiant. The company provides support so that companies who were on the fence about using an open-source tool are more trusting. FireGiant also helps people migrate to WiX, performs reviews of existing projects, and now sells a WiX Expansion Pack.
- Visual Studio used to ship with installation helpers — e.g., a free version of InstallShield, Setup and Deployment Projects (Visual Studio Installer).
- The app store model is very different, but has proven to be successful for less computer-savvy users. There is something to be said to having a single place and authority (i.e., white list) that delivers software. This model also helps smaller companies because they don’t have to worry about handling payments.
- In Windows 8 you had to rewrite your app to bring it to the store. Now with Desktop Bridge you can bring your Win32 apps to the store.
- Do you have plans to go cross-platform with this (i.e., supporting Xamarin)?
- App stores are very closed, and the developers have tools they’ve been using for quite a while. There is room for people who want to transition from deploying desktop applications to using the app stores. WiX Toolset can build an AppX package now, as part of the WiX Expansion Pack. The Mac desktop market is small, but the Linux space is more interesting with .NET Core. There’s nothing solid yet, but FireGiant is looking into it; the lack of mature tooling has delayed things. The goal is to take developers from what they already know to these other places.
- Have any vulnerabilities made it to the level of something FireGiant needs to be concerned about?
- At the end of 2015, someone pointed out an issue. MSIs were not the vulnerability, but most complex installers use an .exe that coordinates multiple MSIs. If you put a DLL next to any .exe that is named as one of the imports to that .exe, then that .exe will load from its local directory over anywhere else on the machine. Because WiX does not elevate the access level from the beginning, you can get arbitrary code running, but only as the user account. This can be exploited by browsers that auto-download files via an iframe into an already cluttered directory (e.g., Downloads) where you wouldn’t notice the extra file.
- What challenges did you encounter creating a company around an open-source project?
- There a legal challenges — i.e., publishing changes back to the community through the open-source license and keeping FireGiant-only code separate. There are also community concerns — i.e., not simply taking from contributors for free, publishing meeting notes, fixing bugs, contributing to the toolset.
- There are breaking changes for security reasons, but otherwise between versions they try to avoid breaking changes or at least provide a converter that upgrades older versions.
- What type of project is really where WiX shines?
- The deployment of large projects because it’s designed to scale. For example, Microsoft Office and Visual Studio use WiX. WiX also does well on the low end where people don’t want to spend any money. In the mid-market, some companies find that WiX takes too much time to learn; there are other competitors in this space.
- How are update installers handled? In the past ClickOnce excelled, but recently it seems to be blocked by firewalls or antivirus programs.
- You can configure the installer to look at an Atom feed to see if there’s a newer version. The AppX technology (for app stores) has mechanisms for doing updates which is mostly invisible to the users. There are tools (e.g., WSUS) for handling enterprise-scale application updates; however, this is too much for a small business to manage.
- App stores are great for consumers, but there are still lots of deployments that are just different enough to not meet that one-size-fits-all model.
- Does software as a service (SaaS) mean the end for WiX?
- No, that would be the end for Windows Installer. WiX is a language for installing and deploying, and that is needed on the server side as well.
Better Know a Framework
- ‘Pokémon GO’ Is Purging All Rooted And Jailbroken Devices From The Game To Curb Cheating
- Much of Pokemon GO’s data was based on Niantic’s previous game Ingress.
From show #1275 (MS Deploy); msdeploy and DACPAC have a steep learning curve. msdeploy should have a better C# experience, and that’s probably why Octopus Deploy is so popular. Paid tools will always have a slightly better experience.