....which I've trimmed and left in for context
Your suggestion of using FTP sites (like it used to be) is a great
one, but you have to keep in mind that you're a computer geek like the rest
of us so you understand FTP and you don't mind typing in an address.
No, you misunderstand me there.
When I use FTP, resume, etc. I'm not aware of it; I've used normal
HTML links to navigate my way to the download process, and whether
that uses HTTP or FTP is transparent to me (does HTTP support
Resume?). I'm not proposing that we revert to FTP in the form of raw
browsable directories full of files, though that sort of access may
lend itself to 3rd-party automation as might be used by sysadmins
(e.g. rolling out patches from a Linux server)
The average user hasn't got a clue as to what OS is on their PC
You can meet stupidity half way, and there's nothing wrong with
providing a dummy Windows Update for them. There's everything wrong
with expecting the rest of us to use it, making it the only way to get
stuff (and thus a single point of failure).
In fact, I'm impressed with the way this downloads in the background
without caring if it's broken up by disconnects etc., so I might use
it to update my own PC - but the point I'm making is that this does
nothing to help me apply these patches to other PCs.
As this crisis has taught us, you may specifically NEED the ability to
download fixes for Product A from a PC that runs Product B, or in fact
anything other than Product A.
Yes, there are arcane ways to get complete forms of patches for OSs
other than the one you are on, that can be redeployed. Things like using
the "catalog" function via Win98, or scooping what is hopefully a
complete file set from Temp, or using command-line parameters so the
stub downloads but doesn't install, or alternate URLs for the
corporate site. All of these are needlessly difficult compared to,
say, downloading freeware from TuCows or Download.com
Besides, you can have a "what OS am I?" button on the front door web
page, that will query the PC via active content if active content is
enabled, and/or display text such as "Rt-click My Computer, click
Properties..." (hardly rocket science, that)
Now, to us "experts" who manage large networks, auto updating without
testing is absolutely unthinkable and for good reason. A bad patch on one
PC is manageable but I can't imagine the hell that would occur when some
bad patch was updated across the corporate net
Re-think that bit. Would you rather have multiple PCs (some of which
still work) and on-site technically-competent administration, or have
your only PC fall on its ass and have no clue what to do?
I'm sick of all this corporate-orientated focus, especially when it's
applied to the XP *Home* version they aren't supposed to be using in
the first place. I'm thinking not only of stand-alone newbies, but
also the techs (from pros, OEM or reseller warranty support etc. right
down to the geeky neighbour over the fence) that support them - they
are part of the newbie's extended environment, as are we ng posters.
First distribution Media and methods.
1) MS should provide distribution CDs through the reseller channel, but not
for free. I think MS and other software companies should be able to recoup
the distribution materials AT COST.
No. If MS screws up, it should cost MS to fix -^%$k'em, they are
already getting off more lightly than manufacturers who actually make
real goods, such as hardware, cars, etc. As it is, they dish out wads
of fluff on CD-ROM for free (i.e. "How To Sell Exchange Server"), they
can and should make the same effort for obligationware. WTF should we
pay for MS's screw-ups beyond the time we are obliged to waste wiping
their butt for them? We don't even get decent NFR (Not For Resale)
pricing, only a rental-slavery kitchen-sink deal.
The software industry sold us on the concept that what they make has
real per-instance value, such that every copy should be paid for,
whereas in fact user support is the sole significant per-instance cost.
Don't let the same industry re-define software as impossible to create
properly (thus absolving themselves of the "must be fit for use"
requirement all other manufacturers have to live with), so now that we
are to consider it a dribbleware "service" and accept the chains of
rental slavery (which would basically mean the vendor gets paid
forever for the life of a product, even if the user saw no value
whatsoever in any of the subsequent upgrades).
The biggest problem I see with this, however, is that the CD can only
represent the state of patches at the time it was produced. How often do
you expect this to be produced? Once a month?
Yep. By then, there will be enough volume to fill the CD (esp. if you
remember how many 120k patches need some awful 120M SP first)
And how many CDs do we produce?
MS has lists of resellers, upstream disties, and the primary disties
upstream of them. They can either send to all resellers on their
lists directly, or send wads of CDs to the disties where the resellers
can collect them at the despatch counter, where they could sign for
them too. The normal trade restrictions apply; Not For Resale,
limited to dealers registered with the distie, that sort of thing.
It's a LOT cheaper than mailing one to every registered user, plus
staffing the procedure to mail one to every unregistered user who asks
for one. We can CDR copies from there onwards, if need be.
I think if you break out your Excel and work up a few numbers
you'll quickly see that it's not economically feasible to produce a
CD as frequently as needed, given the current rate of patch release,
Not so - you may well find that the cost of the CD is the least of the
costs. MS already churns out relatively small volumes of monthly CDs
for TechNet, MSDN and so forth, as well as the useless marketing fluff
I mentioned earlier. What I'm saying is, as resellers and techs we
are in the position to do the hard part; getting patches applied in
the field, and acting as an out-of-band channel that flows around the
single-point-of-failure risk that Windows Update represents.
Just as security support is treated as exceptional by MS (extended
lifetime for old products, not charged for as other support calls
are), so should obligationware be treated as an exception that passes
through the "pay-for" TechNet, MSDN etc. sphincters.
and if you chose to do it once a quarter you're bound to get hit 2
months into a quarter with a new hole
Hence once a month.
Lastly, how many consumers do you really think are going to go
out and get the CD, free or otherwise, and then install it.
Ah, again you are misunderstanding me. I'm not suggesting that MS
send CDs directly to every user (say, the way AOL regularly sends CDs
to every human that breathes). I'm saying they should propagate these
CDs on a one-per-business basis to techs and resellers, who can then
apply it to the clients they support and the new PCs they build.
However, an order to send fix CDs to every user is an entirely
possible outcome, should a group-action case be made against MS for
damages arising from defective sware. Even if MS weasels out of this
via EULA small print, drawing public media attention to this small
print is itself likely to be costly to MS, in the bigger picture.
2) Now, for free, they should provide non Windows Update downloadable
binaries via FTP, HTTP, or any other standard method. Hell they can even
provide the ISO of the CD. Cost there is minimal. Maintenance and
management of an FTP site. If done right Windows Update and FTP can feed
from the same repository.
Yep. There are so many users who need this stuff that it would be
dumb to restrict oneself to a single channel (e.g. only Windows
Update, or only FTP, or only ask-your-reseller CDs). You need the
redundancy not only to cope with attacks such as this, but simply to
manage the bandwidth of demand.
Frankly, I thought the WPA service would have been attacked like this,
and a year ago at that. Malware can easily destroy WPA info so the
user is forced to re-activate, then DDoS the activation servers.
The only thing that limits the degree of carnage here, has been the
temperance of the malware coder. Something the media should bear in
mind before writing yet another "horned monster" article.
1) Most, if not all, updates from WU already provide uninstall
functionality. However, I do agree that this should be the expected
behavior. Nothing should install on an OS without a method of removal
which will restore the system to its previous state.
Lately, MS has been lazy on this, relying on System Restore.
This SUCKS because SR *will* cause collateral damage by reversing any
other system change made in the same window - it may even roll back av
installations or engine updates and bring malware back from the dead.
SR is a safety-net for unexpected problems and badly-behaved software
installations. What MS is saying here, is that badly-behaved
installations are now an acceptable norm, because there's SR. BAD++
To that, XP has a great system restore feature
No, bollocks! See above.
2) I also agree that patches should be distributed in a common wrapper,
meaning that every patch behaves the same way when executed, splash screen,
readme's et al. Within this wrapper MS can have the binaries for all the
OSes and the wrapper can take care of the OS check. This way there is only
one file per patch. Sure the distribution will be larger but considering
the size of most patches are relatively small it won't make much difference.
Yep - ASCII is cheap, and compresses well. We aren't asking for MPEG
how-to-hold-a-screwdriver demos here... and all of this *exists*
already; even amateurs writing shareware and freeware know what a
self-extracting archive is, and how to meet these software
installation standard norms. MS really has no excuse.
And as you point out, directly patching the hole and removing the pork
barrel will reduce the size even more. One last thing, explorer should be
able to open this wrapper without executing it similar to zip files.
This way a skilled person can get into the patch and pull out what's needed or
repackage the patch for other distribution methods such as SMS or GPOs.
Or read the ReadMe.txt, etc. Or add a little extra "surprise" before
re-distribution... let's just say MD5 is your friend there
At this point, I must mention that these recent RPC patches pass with
flying colors. They can be "opened with WinZip" and have legible
ReadMe.txt files inside, they can be downloaded from Netscape directly
from the links, and they support Resume so that downloaders can
accelerate the process by loading the same file from multiple points
simultaneously (tested with Netscape 7.0 and Star Downloader).
That's what I meant (in this thread, or another) when I say MS seems
to have learned some lessons since the MIME-spoofing hole forced all
Windows users older than XP to download a whole new IE subsystem.
With all that said, the thing you have to keep in mind is that MS has to
cater to two completely different audiences. There's us computer literate
people who like to know everything that's going on and have total control
and then there is the average user that Art speaks of.
There are a lot of gradations in between, and MS has at least some
awareness of the role of peer/mentor support, in that they run the MS
newsgroups and MVP system there. This is the closest thing MS gets to
the user-support culture that typifies Linux et al.
--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
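
The check the post alludes to for repackaged patches (a little extra "surprise" added before re-distribution), as an added example that is not part of the original post: it compares every member of a zip-style patch archive against digests recorded from the original. It uses SHA-256 rather than the MD5 named in the post, and the archive names and contents are constructed placeholders.

```python
import hashlib
import io
import zipfile


def member_digests(archive_bytes):
    """Return {member name: SHA-256 hex digest} for every file in a zip archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_to_manifest(archive_bytes, manifest):
    """Report members added to, removed from or modified in a redistributed archive."""
    found = member_digests(archive_bytes)
    return {
        "added": sorted(set(found) - set(manifest)),
        "removed": sorted(set(manifest) - set(found)),
        "modified": sorted(n for n in found if n in manifest and found[n] != manifest[n]),
    }


def build_zip(files):
    """Build an in-memory zip from {name: bytes}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: placeholder names and contents, not a real patch.
ORIGINAL = build_zip({"ReadMe.txt": b"Fixes the RPC hole.\n", "update/fix.dll": b"MZ original"})
REPACKAGED = build_zip({
    "ReadMe.txt": b"Fixes the RPC hole.\n",
    "update/fix.dll": b"MZ altered",        # payload changed after download
    "update/extra.exe": b"MZ surprise",     # file that was never in the original
})
MANIFEST = member_digests(ORIGINAL)  # assumed to be recorded from a trusted copy

if __name__ == "__main__":
    print(compare_to_manifest(ORIGINAL, MANIFEST))
    print(compare_to_manifest(REPACKAGED, MANIFEST))
```

Comparing per member rather than hashing the whole file matters for repackaged archives: the container bytes usually change on re-zipping even when every member is untouched.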