Why no .Net linker?

Jim Hubbard · Mar 28, 2005

Linkers have been around forever.......why can't we link all needed portions
of the .Net framework into a single EXE?

Although the apps would be a bit larger, this would eliminate the
possibility of Microsoft "fixes" breaking applications and of new .Net
versions breaking older ones. And, you wouldn't have to worry about which
version of .Net (if any) the end user had installed.

Your app would then function just as expected unless fundamental changes
were made to the OS (and that's something every language is susceptible to).

I would opt for a larger app with greater reach over a smaller EXE with
limited reach any day.

Jim Hubbard

Sean Hederman · Mar 28, 2005

Jim Hubbard said:
Linkers have been around forever.......why can't we link all needed
portions of the .Net framework into a single EXE?

And how would CAS operate in such a scheme? Have a look at my article
http://codingsanity.blogspot.com/2005/01/whiny-gripes-about-net.html for a
bit more detail.

Jim Hubbard · Mar 28, 2005

Sean Hederman said:
And how would CAS operate in such a scheme? Have a look at my article
http://codingsanity.blogspot.com/2005/01/whiny-gripes-about-net.html for a
bit more detail.

Perhaps you are right.....I slept through the whole security thing at boot
camp, so I'm not able to toss up any real arguments here.....except to say
that I have yet to see anyone at the companies I have worked at with .Net
(some pretty big companies like Qwest Communications applications built and
hosted at Innotrac) utilize signing at all.

If I create an unsigned application and throw that sucker into a setup built
by Wise or InstallShield, it has unrestricted access to the customers
machine. I've done it a few times now.

Perhaps this isn't the "Microsoft way" but it sure is how things are getting
done.

So, CAS really means nothing to me.

Let's suppose for a minute that a piece of code is "signed". CAS may be
able to verify that the signature matches whatever Verisign says about the
company that signed it, but "bad" companies can get signatures and Verisign
doesn't pass judgment on what can be done with the signed apps - it just
verifies the signature with the data (real or made-up) that it has on file.

It is still up to the user to decide whether a company is trusted ("good")
or untrusted ("bad").

I don't see CAS as anything but Microsoft's attempt to expand the "sandbox"
idea of JAVA. It is not failsafe, and is still highly dependent on the
user - which means that the users will still allow "unsafe" code to run,
just like they run all of that "FREE" crap they download now.

Lot's of work for not much safety - as far as the common user and programmer
is concerned - IMHO.

But, again, I slept through that security stuff myself. They really
should've placed it AFTER telling us how to build a .Net app. Then, maybe
our minds could've gotten off of how to build .Net apps long enough to care
about protecting them.

It's like teaching your son about car safety when all he wants to do is get
behind the wheel and drive. Sure the sound vibrations hit his ears.....but
he didn't hear a thing.

Jim Hubbard

Jim Hubbard · Mar 28, 2005

Holy crap! I'm a 92!

Jim Hubbard

Sean Hederman · Mar 28, 2005

[Snip]

Let's suppose for a minute that a piece of code is "signed". CAS may be
able to verify that the signature matches whatever Verisign says about the
company that signed it, but "bad" companies can get signatures and
Verisign doesn't pass judgment on what can be done with the signed apps -
it just verifies the signature with the data (real or made-up) that it has
on file.

Yes, but an administrator has to grant the signed code elevated permissions.

It is still up to the user to decide whether a company is trusted ("good")
or untrusted ("bad").

I don't see CAS as anything but Microsoft's attempt to expand the
"sandbox" idea of JAVA. It is not failsafe, and is still highly dependent
on the user - which means that the users will still allow "unsafe" code to
run, just like they run all of that "FREE" crap they download now.

Agreed, social engineering attacks are the easiest to perform generally, but
in a company where the users are not admins, the CAS can be effective.

Joel Lucsy · Mar 28, 2005

Jim said:
Linkers have been around forever.......why can't we link all needed portions
of the .Net framework into a single EXE?

Look for ILMerge, it'll merge multiple assemblies together.

Jim Hubbard · Mar 30, 2005

Joel Lucsy said:
Look for ILMerge, it'll merge multiple assemblies together.

Thanks for the link, but do you know of anything that merges everything into
a single EXE (including the .Net framework portions that it needs)?

Sean Hederman · Mar 30, 2005

Jim Hubbard said:
Thanks for the link, but do you know of anything that merges everything
into a single EXE (including the .Net framework portions that it needs)?

http://thinstall.com/help/index.html?linking_netframework.htm

J L · Mar 30, 2005

Check the Stand Alone EXE thread...here we go again LOL

John

Sean Hederman · Mar 30, 2005

J L said:
Check the Stand Alone EXE thread...here we go again LOL

<sigh>Tell me about it.</sigh>

Jim, Thinstall appears to completely bypass CAS, and verification. In
addition, your program will never be able to use any updates or patches to
..NET once it is installed. I personally feel that static linking is a major
mistake, but hell, it's not my call.

Sean Hederman · Mar 30, 2005

Jim Hubbard said:
Holy crap! I'm a 92!

Swine! I'm sure that test was rigged! I deserved more than a 68 ;-)