
The principle of package updates?

Published: July 18, 2018 - 2:19 PM
by tsunyan
Good morning,

I've recently started using WAPT Community version 1.5.1.26 and I have a question that's been bothering me. I don't quite understand how the software package updates work.

When I import a package from the WAPT store https://store.wapt.fr/ using the "Import from Internet" button, I receive this package in my private repository. So far, so good. But if there's a new version of the software on their official website, the package won't update automatically.

Will importing the package from the WAPT store update the packages in my private repository? If so, are we dependent on the person who manages the package on the store? If not, do we have to wait for a new version on the store before re-importing it to our private repository?

Another question related to package updates

I noticed that the OwnCloud version on the store is outdated. So I created the package and added an `update_package()` function that will update the source code if it's not already up-to-date within the package. For those using ownCloud, here's the function that retrieves the latest version of the software from the official website https://owncloud.org/download/ :

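```python
# -*- coding: utf-8 -*-
from setuphelpers import *
from waptpackage import PackageEntry
import glob
import os
import re

# Dots are escaped and the version is captured instead of being sliced out by hand
INSTALLER_RE = re.compile(
    r"https://download\.owncloud\.com/desktop/stable/ownCloud-(.*?)-setup\.exe")


def update_package():
    # Read the official download page and look for the stable installer link
    htmlSource = wgets("https://owncloud.org/download/").splitlines()
    filename = ''
    realVersion = ''

    for line in htmlSource:
        match = INSTALLER_RE.search(line)
        if match:
            realVersion = match.group(1)
            print("Last version : " + realVersion)
            filename = 'ownCloud-%s-setup.exe' % realVersion
            print("File name : " + filename)

    # Stop here if no link was found, otherwise every local installer would be removed
    if not realVersion:
        raise Exception('No ownCloud installer link found on the download page')

    # Remove installers left over from previous versions
    for fn in glob.glob('*.exe'):
        if fn != filename:
            print('remove ' + fn)
            remove_file(fn)

    # Download the new installer only if it is not already in the package folder
    if not isfile(filename):
        print('Download ' + filename)
        wget('https://download.owncloud.com/desktop/stable/ownCloud-%s-setup.exe' % realVersion, filename)

    # Record the new software version in WAPT\control with packaging number 0
    print('Write ' + realVersion + '-0 in WAPT\\control')
    pe = PackageEntry()
    pe.load_control_from_wapt(os.getcwd())
    pe.version = realVersion + '-0'
    pe.save_control_to_wapt(os.getcwd())

    print('The update is complete, you can now test and then launch a build upload.')


if __name__ == '__main__':
    update_package()
```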
This works fine in PyScripter. Right-clicking on `update-package-source` and selecting "Run" updates the software in the folder and the version in the `control` file. Then you just need to run `build-upload`, and that's it. The problem is that you can't do this directly from the console. Perhaps I haven't figured out how; correct me if I'm wrong.

For a somewhat "ugly" alternative, I could include the package update at the beginning of the install() function after checking if the version on the internet is higher than that of my package; I haven't tried it yet, but it doesn't seem very suitable.

Thank you for your feedback

Re: The principle of package updates?

Published: July 18, 2018 - 9:58 PM
by kguerineau
Good evening,
> When I import a package from the WAPT store (https://store.wapt.fr/) using the "Import from Internet" button, I receive that package in my private repository. So far, so good. But if there's a new version of the software on their official website, the package won't update automatically.
>
> Will importing the package from the WAPT store update the packages in my private repository? If so, are we dependent on the person managing the package on the store? If not, do we have to wait for a new version on the store before re-importing it to our private repository?

When we update software, you do indeed need to import it onto your WAPT server. You can create a script that will check that your packages are up to date by comparing the two repositories. This is what we do for our managed services clients.

> Another question related to package updates:
>
> I've noticed that the OwnCloud version on the store isn't up to date. So I created the package and added an `update_package()` function that updates the source code if it's not already updated within the package. For those using ownCloud, here's the function that retrieves the latest version of the software from the official website: https://owncloud.org/download/ :
> [...]
>
> This works well in PyScripter. By right-clicking on `update-package-source` and selecting "Run," it correctly updates the software in the folder as well as the version in the `control` file. Then you just need to run `build-upload`, and that's it. The problem is that you can't do this directly from the console. Perhaps I haven't figured out how; correct me if I'm wrong.

Indeed, the console is not updating the packages.

> For a somewhat "ugly" alternative, I could include the package update at the beginning of the install() function after checking if the version on the internet is higher than that of my package; I haven't tried it yet, but it doesn't seem very suitable.

This is above all an alternative that is not recommended at all and goes against the way WAPT works.
Indeed, if you deploy the package using the "update-package" function in the installer, it means that each machine will download the executable from the internet. This presents two problems:
1. The bandwidth will be heavily used.
2. Lack of control over what is installed on the computer. Imagine a problem with the integrity of the downloaded file (corruption or a virus).
Furthermore, in this case, between the time you import the package into your private repository and the time the executable is downloaded, there may be a version difference... The package inventory reporting will then be inaccurate!

The 'update-package' function saves time when you update the package.

Good evening
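
The repository comparison suggested in the reply above, sketched as an added example (not code from the thread or from WAPT itself). It assumes each repository's package index is available as text in "key : value" stanzas modelled on a WAPT control file; the package names and versions are constructed, and `acme-owncloud` is a hypothetical private package.

```python
import re

# Constructed sample indexes, not real store data. Assumed layout: "key : value"
# stanzas separated by blank lines, modelled on a WAPT control file.
STORE_INDEX = """\
package : tis-firefox
version : 61.0.1-3

package : tis-7zip
version : 18.05-2
"""
PRIVATE_INDEX = """\
package : tis-firefox
version : 60.0.2-5

package : tis-7zip
version : 18.05-2

package : acme-owncloud
version : 2.4.1.9270-0
"""

def parse_index(text):
    """Return {package name: version string} from an index text."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in stanza.splitlines())}
        if "package" in fields and "version" in fields:
            packages[fields["package"]] = fields["version"]
    return packages

def version_key(version):
    """Sortable key: dotted software version, then the packaging number after '-'."""
    software, _, packaging = version.partition("-")
    parts = [int(p) if p.isdigit() else -1 for p in software.split(".")]  # non-numeric parts sort lowest
    return (parts, int(packaging) if packaging.isdigit() else 0)

def outdated(private, store):
    """List (name, private version, store version) where the store copy is newer."""
    return sorted(
        (name, ver, store[name])
        for name, ver in private.items()
        if name in store and version_key(store[name]) > version_key(ver)
    )

if __name__ == "__main__":
    for name, mine, theirs in outdated(parse_index(PRIVATE_INDEX), parse_index(STORE_INDEX)):
        print("%s: private %s < store %s (re-import, then test before deploying)" % (name, mine, theirs))
```

Packages that exist only in the private repository are skipped, since the store has nothing to compare them against.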

Re: The principle of package updates?

Published: July 19, 2018 - 4:48 PM
by tsunyan
> When we update software, you do indeed need to import it onto your WAPT server. You can create a script that will check that your packages are up to date by comparing the two repositories. This is what we do for our managed services clients.

Yes, I see, to know if we need to update ourselves with regard to the public repository.

> Indeed, the console is not updating the packages.

Is this a feature that will be implemented in the future?

> This is primarily an alternative that is strongly discouraged and goes against the way WAPT works.
> Indeed, if you deploy the package with the "update-package" function in the installer, it means that each machine will download the executable from the internet. This presents two problems:
> 1. The bandwidth will be heavily used.
> 2. There is no control over what is installed on the machine. Imagine a problem with the integrity of the downloaded file (corruption or a virus).
>
> Furthermore, in this case, there may be a version difference between the time you import the package into your private repository and the time the executable is downloaded... The package inventory will then be inaccurate!
>
> The "update-package" function saves time when you update the package.

That's what I thought, it wasn't a good idea. I suppose I can then automate the update-package for all packages with a batch script or PowerShell.

Thank you for these explanations.

Re: The principle of package updates?

Published: July 19, 2018 - 9:59 PM
by vcardon
> tsunyan wrote: Jul 19, 2018 - 4:48 PM
> Is this a feature that will be implemented in the future?

Such a feature is highly undesirable because the fleet administrator is responsible for what they retrieve from the internet and what they deploy on their fleet.

He must verify that what he deploys is safe.

I'll let you draw your own parallel with this article describing a recent tragedy:

http://www.lefigaro.fr/international/20 ... parfum.php

Sincerely.

Vincent

Re: The principle of package updates?

Published: July 19, 2018 - 10:35 PM
by sfonteneau
> tsunyan wrote: Jul 19, 2018 - 4:48 PM
> That's what I thought, it wasn't a good idea. I suppose I can then automate the update-package for all packages with a batch script or PowerShell.

Why not run an update package every night? But as Vincent points out, this isn't recommended for obvious security reasons. The software must be verified by a human before being installed across an entire network.

Indeed, a publisher can be compromised, for example:

CCleaner: https://www.generation-nt.com/ccleaner-...51839.html

Or, for example, recently in the case of PDF Creator: https://landingpage.pdfforge.org/domain/en

In this kind of situation, you automatically bring down an entire fleet... :roll: A pity...

A good solution would be, at worst, to run an update package every night but push the new package into a maturity: VALIDATION-WAIT

All that's left for you to do is test the software.

Re: The principle of package updates?

Published: July 20, 2018 - 1:10 PM
by tsunyan
Thank you for these recommendations and quick responses @vcardon @sfonteneau.