Comment Feed for Channel 9 - Jamie Cool - Demo of ClickOnce

Re: Jamie Cool - Demo of ClickOnce

joe.wurzburger — Thu, 29 Jul 2004 19:52:54 GMT

Cool demo. Our install and support folks are going to go ga-ga over this. We were doing early design work on an "auto-upgrader" for our existing .NET client apps ... looks like that'd be a waste of time now.

I did get a kick out of the IISRESET, though ... now that's a realistic demo.

posted by joe.wurzburger

Re: Jamie Cool - Demo of ClickOnce

farquhar — Thu, 29 Jul 2004 20:25:18 GMT

About key files: "I could have...whatever."

Doesn't sound like the security message is sticking. That, sir, is lip service to security. Demonstrate real world examples.

The more Microsoft folks "whatever" security and use demo/dev behavior the more the folks who only watch and copy will get it wrong or not value the security bits and wizards and what they were designed to do. I realize security wasn't the purpose of the demonstation but the "whatever" hurts the cause.

posted by farquhar

Re: Jamie Cool - Demo of ClickOnce

ZippyV — Thu, 29 Jul 2004 20:50:52 GMT

The guy mentioned that it wouldn't work on Netscape. Why? Can the program and ClickOnce only be launched by Internet Explorer? It should work with other browsers too. Maybe not Netscape but certainly with FireFox or Mozilla or Opera.

posted by ZippyV

Re: Jamie Cool - Demo of ClickOnce

moofish — Thu, 29 Jul 2004 22:02:51 GMT

so what you are saying is that it only works on ms products

posted by moofish

Re: Jamie Cool - Demo of ClickOnce

AndyC — Thu, 29 Jul 2004 22:59:53 GMT

ZippyV wrote:

The guy mentioned that it wouldn't work on Netscape. Why? Can the program and ClickOnce only be launched by Internet Explorer? It should work with other browsers too. Maybe not Netscape but certainly with FireFox or Mozilla or Opera.

I think it was more a case that it won't work the way they are written today. If they call the Windows URL APIs or handle the MIME types correctly themselves it should work fine.

I'm more concerned by how much space will potentially be wasted by the roll-back feature. It's not much for a simple app like that but what about something the size of Office? That said it is potentially very cool for those times when an update breaks functionality.

posted by AndyC

Re: Jamie Cool - Demo of ClickOnce

Sampy — Thu, 29 Jul 2004 23:15:11 GMT

Jamie most likely "whatevered" security because we're still working on tweaking our security settings and system before we release. Thus, what he shows you now in the security part of ClickOnce isn't what you're going to see when we ship Beta 2 and RTM.

As someone who is deeply involved in this (I wrote the code on the security property page and I'm updating the signing page), I can tell you that we are NOT taking security lightly. We work closely with the Windows team to make sure we make the right security choices going forward. The CLR security team is a key contributor to the ClickOnce effort.

Security is ALWAYS on our mind when we design, implement, and test ClickOnce.

posted by Sampy

Re: Jamie Cool - Demo of ClickOnce

Manip — Thu, 29 Jul 2004 23:23:01 GMT

Question.. If a user downloaded/installed the application, and then the Dev changed the security permissions and the user gets an update, does it warn that user about changes in the privileges of the updated version?

posted by Manip

Re: Jamie Cool - Demo of ClickOnce

Sampy — Fri, 30 Jul 2004 00:09:53 GMT

Manip wrote:

Question.. If a user downloaded/installed the application, and then the Dev changed the security permissions and the user gets an update, does it warn that user about changes in the privileges of the updated version?

Yes.

posted by Sampy

Re: Jamie Cool - Demo of ClickOnce

lars — Fri, 30 Jul 2004 11:12:33 GMT

AndyC wrote:

I think it was more a case that it won't work the way they are written today. If they call the Windows URL APIs or handle the MIME types correctly themselves it should work fine.

I'm also confident that the good people working on Firefox will adress that issue. This could become what ActiveX never was! Or in a worst case become ActiveX all over again.
I think the deciding factor will be if it is possible to get end users to pay attention to the security dialogs and not just click accept/deny like zombies.

- Warning: The application "Paris Hilton pictures" needs permissions to mess up your system - is that okey?
- Hell yes, hit me bro!!

CAS is a suweet thing. If people just learn to use it.

posted by lars

Re: Jamie Cool - Demo of ClickOnce

Tom Servo — Fri, 30 Jul 2004 12:34:46 GMT

I can tell you from experience that home users will likely hit OK and ignore any warnings if the application title is pleasing enough, for instance above mentioned exampole "Paris Hilton pictures".

Another question anyway:

Will ClickOnce show warnings if the publisher changed during an update? Because it wouldn't be exactly the bomb when some hacker uploads a different package and ClickOnce assumes it automatically safe because the update comes from the same place as the initial install and all previous updates.

posted by Tom Servo

Re: Jamie Cool - Demo of ClickOnce

farquhar — Sat, 14 Aug 2004 04:26:13 GMT

Thanks Sampy. I really Know MS is taking security seriously. I also Know people deploy code based on your samples. They hop over the wizard they see an MS demo hop over.

My plea is to deal with the security where ever it is encountered in demos. In time it will become second nature, requiring no comment or explanation.

In the mean time I'll go back to educating my devteams and consulting groups on why not to use SQL sa , why not to store secrets in plaintext with everyone read ACLs , and all the other things they learned in the bad old days.

http://ftp.gnu.org/savannah/files/faifes/c1291.html

posted by farquhar

Re: Jamie Cool - Demo of ClickOnce

ZippyV — Sat, 14 Aug 2004 22:36:22 GMT

Why is ClickOnce not available in the Express products?

posted by ZippyV

Re: Jamie Cool - Demo of ClickOnce

scobleizer — Sun, 15 Aug 2004 03:14:32 GMT

Want the honest answer? We'd like to sell you a copy of Visual Studio.

posted by scobleizer

Re: Jamie Cool - Demo of ClickOnce

Sampy — Sat, 21 Aug 2004 19:34:11 GMT

ClickOnce in express is being considered for Beta 2.

However, you can play with ClickOnce with your express SKU today! See my blog post on the topic:

http://blogs.msdn.com/misampso/archive/2004/07/26/197577.aspx

posted by Sampy

Re: Jamie Cool - Demo of ClickOnce

darthelmo — Sun, 22 Aug 2004 17:33:16 GMT

Since this thread has been brought back up already...

ClickOnce sounds suspiciously close in name to InstallShield's One-Click. It's been bugging me enough to mention it.

posted by darthelmo

Re: Jamie Cool - Demo of ClickOnce

Sampy — Sun, 22 Aug 2004 17:52:08 GMT

farquhar wrote:

Thanks Sampy. I really Know MS is taking security seriously. I also Know people deploy code based on your samples. They hop over the wizard they see an MS demo hop over.

All ClickOnce manifests must be signed otherwise they are invalid. VS does not let you create unsigned manifests (we'll make a new key for you if you try and publish without a key selected) and the runtime will not execute them. If a ClickOnce application activated from the internet and does not run inside the Internet zone, it will not activate unless the signature is trusted. Try it in Beta 1, the user isn't even allowed to override this choice.

The ClickOnce defaults will be secure and prevent unathorized execution. We're taking a very XP SP2 approach to things in this regard. "We" being not just the ClickOnce team but all of the Visual Studio and .Net frameworks team and all of Microsoft.

posted by Sampy

Re: Jamie Cool - Demo of ClickOnce

ZippyV — Wed, 01 Sep 2004 15:32:14 GMT

Sampy wrote:

ClickOnce in express is being considered for Beta 2.

In your face Scoble!

BTW, is it possible to pack an application and the setup.exe in a .cab file? My ISP doesn't allow exe files on the webspace or files bigger than 2MB.

posted by ZippyV

Re: Jamie Cool - Demo of ClickOnce

Tom Servo — Thu, 09 Sep 2004 21:50:11 GMT

Dumb question, are the premises (code and whatnot) for a ClickOnce install packed with the file that gets deployed on a webserver? Means, can anyone install a ClickOnce package without installing something else in advance?

posted by Tom Servo

Re: Jamie Cool - Demo of ClickOnce

netsql — Thu, 02 Jun 2005 21:20:03 GMT

Is there a forum we can ask questions about ClickOnce?
Like how to pass it arguments (main String[] type)?
.V

posted by netsql

Re: Jamie Cool - Demo of ClickOnce

scobleizer — Fri, 03 Jun 2005 22:11:07 GMT

These are the best places to go:

http://www.windowsforms.net/Articles/default.aspx?PageID=1&Cat=%22ClickOnce%22+Deployment&ModuleFilter=131&tabindex=3

http://msdn.microsoft.com/smartclient/community/wffaq/wf20.aspx#9mqicswf

posted by scobleizer

Re: Jamie Cool - Demo of ClickOnce

LFS — Sat, 04 Jun 2005 01:02:12 GMT

Sampy wrote:

If a ClickOnce application activated from the internet and does not run inside the Internet zone, it will not activate unless the signature is trusted. Try it in Beta 1, the user isn't even allowed to override this choice.

It looks like I'll need a couple more zones then because I want my internet zone as restrictive as it can be made (absolutely no downloaded script/code is to be executed) so click-once applications from a 'cool-apps' site would not be allowed. Also, I don't want to have to provide full trust to a C-O application from someone I do not know, and I may want to relax restrictions for applications from well known sources, but still not allow full trust (such as executing unmanaged code)

This all looks like it could get very messy, rather quickly if I want anything other than Internet zone, or Full Trust. But I actually do want a sandbox zone for these type of applications, without having to change the settings I have for the current zones. What is being done to provide that sort of sandbox zone?

What I'd like to see is a means to set up a customized zone (sandbox) the first time I hit a click once link such that I can set the permissions right there, or can choose from a preconfigured (admin supplied) template. It seems to me, having just the two extremes (Internet and Trusted) will not be enough to enjoy the technology in a safe manner. Having variable shades of grey will be confusing to a casual user, but providing a few common templates may be well advised....

posted by LFS

Re: Jamie Cool - Demo of ClickOnce

lost_in_denmark — Mon, 20 Mar 2006 11:33:02 GMT

I know I'm a bit late here, but...

I've been asked to create an app that deploys in the way ClickOnce does, and updates silently, with no user interaction at all.

Is this possible using ClickOnce or does the user always get prompted when a new version is available?

TIA

posted by lost_in_denmark