Jamie Cool - Demo of ClickOnce

Description

ClickOnce is a new deployment technology in the next version of Visual Studio (Visual Studio 2005, aka "Whidbey"). 

ClickOnce lets you deliver .NET apps with just a single click off of a Web page. Here Jamie Cool demonstrates the developer experience of ClickOnce and how you'll be able to use it in your own applications.

The Discussion

  • joe.wurzburger
    Cool demo.  Our install and support folks are going to go ga-ga over this.  We were doing early design work on an "auto-upgrader" for our existing .NET client apps ... looks like that'd be a waste of time now.

    I did get a kick out of the IISRESET, though ... now that's a realistic demo. :)
  • farquhar
    About key files: "I could have...whatever."

    Doesn't sound like the security message is sticking. That, sir, is lip service to security. Demonstrate real world examples.

    The more Microsoft folks "whatever" security and use demo/dev behavior the more the folks who only watch and copy will get it wrong or not value the security bits and wizards and what they were designed to do. I realize security wasn't the purpose of the demonstration but the "whatever" hurts the cause.
  • ZippyV
    The guy mentioned that it wouldn't work on Netscape. Why? Can the program and ClickOnce only be launched by Internet Explorer? It should work with other browsers too. Maybe not Netscape but certainly with FireFox or Mozilla or Opera.
  • moofish
    So what you are saying is that it only works on MS products.
  • AndyC
    ZippyV wrote:
    The guy mentioned that it wouldn't work on Netscape. Why? Can the program and ClickOnce only be launched by Internet Explorer? It should work with other browsers too. Maybe not Netscape but certainly with FireFox or Mozilla or Opera.


    I think it was more a case that it won't work the way they are written today. If they call the Windows URL APIs or handle the MIME types correctly themselves it should work fine.

    I'm more concerned by how much space will potentially be wasted by the roll-back feature. It's not much for a simple app like that but what about something the size of Office? That said it is potentially very cool for those times when an update breaks functionality.
  • Sampy
    Jamie most likely "whatevered" security because we're still working on tweaking our security settings and system before we release. Thus, what he shows you now in the security part of ClickOnce isn't what you're going to see when we ship Beta 2 and RTM.

    As someone who is deeply involved in this (I wrote the code on the security property page and I'm updating the signing page), I can tell you that we are NOT taking security lightly. We work closely with the Windows team to make sure we make the right security choices going forward. The CLR security team is a key contributor to the ClickOnce effort.

    Security is ALWAYS on our mind when we design, implement, and test ClickOnce.
  • Manip
    Question.. If a user downloaded/installed the application, and then the Dev changed the security permissions and the user gets an update, does it warn that user about changes in the privileges of the updated version?
  • Sampy
    Manip wrote:
    Question.. If a user downloaded/installed the application, and then the Dev changed the security permissions and the user gets an update, does it warn that user about changes in the privileges of the updated version?


    Yes.
  • lars
    AndyC wrote:

    I think it was more a case that it won't work the way they are written today. If they call the Windows URL APIs or handle the MIME types correctly themselves it should work fine.


    I'm also confident that the good people working on Firefox will address that issue. This could become what ActiveX never was! Or in a worst case become ActiveX all over again.
    I think the deciding factor will be if it is possible to get end users to pay attention to the security dialogs and not just click accept/deny like zombies.

    - Warning: The application "Paris Hilton pictures" needs permissions to mess up your system - is that okay?
    - Hell yes, hit me bro!!

    CAS is a suweet thing. If people just learn to use it.
  • Tom Servo
    I can tell you from experience that home users will likely hit OK and ignore any warnings if the application title is pleasing enough, for instance the above-mentioned example "Paris Hilton pictures".

    Another question anyway:

    Will ClickOnce show warnings if the publisher changed during an update? Because it wouldn't be exactly the bomb when some hacker uploads a different package and ClickOnce assumes it's automatically safe because the update comes from the same place as the initial install and all previous updates.
  • farquhar
    Thanks Sampy. I really Know MS is taking security seriously. I also Know people deploy code based on your samples. They hop over the wizard they see an MS demo hop over.

    My plea is to deal with the security wherever it is encountered in demos. In time it will become second nature, requiring no comment or explanation.

    In the meantime I'll go back to educating my devteams and consulting groups on why not to use SQL sa, why not to store secrets in plaintext with everyone read ACLs, and all the other things they learned in the bad old days.

    http://ftp.gnu.org/savannah/files/faifes/c1291.html
  • ZippyV
    Why is ClickOnce not available in the Express products?
  • scobleizer
    Want the honest answer? We'd like to sell you a copy of Visual Studio.
  • Sampy
    ClickOnce in express is being considered for Beta 2.

    However, you can play with ClickOnce with your express SKU today! See my blog post on the topic:

    http://blogs.msdn.com/misampso/archive/2004/07/26/197577.aspx
  • darthelmo
    Since this thread has been brought back up already...

    ClickOnce sounds suspiciously close in name to InstallShield's One-Click. It's been bugging me enough to mention it. :)
  • Sampy
    farquhar wrote:
    Thanks Sampy. I really Know MS is taking security seriously. I also Know people deploy code based on your samples. They hop over the wizard they see an MS demo hop over.


    All ClickOnce manifests must be signed, otherwise they are invalid. VS does not let you create unsigned manifests (we'll make a new key for you if you try and publish without a key selected) and the runtime will not execute them. If a ClickOnce application is activated from the internet and does not run inside the Internet zone, it will not activate unless the signature is trusted. Try it in Beta 1, the user isn't even allowed to override this choice.

    The ClickOnce defaults will be secure and prevent unauthorized execution. We're taking a very XP SP2 approach to things in this regard. "We" being not just the ClickOnce team but all of the Visual Studio and .Net frameworks team and all of Microsoft.
  • ZippyV
    Sampy wrote:
    ClickOnce in express is being considered for Beta 2.

    In your face Scoble!

    BTW, is it possible to pack an application and the setup.exe in a .cab file? My ISP doesn't allow exe files on the webspace or files bigger than 2MB.
  • Tom Servo
    Dumb question, are the premises (code and whatnot) for a ClickOnce install packed with the file that gets deployed on a webserver? Means, can anyone install a ClickOnce package without installing something else in advance?
  • netsql
    Is there a forum we can ask questions about ClickOnce?
    Like how to pass it arguments (main String[] type)?
    .V
  • scobleizer
  • LFS
    Sampy wrote:
    If a ClickOnce application is activated from the internet and does not run inside the Internet zone, it will not activate unless the signature is trusted. Try it in Beta 1, the user isn't even allowed to override this choice.

    It looks like I'll need a couple more zones then because I want my internet zone as restrictive as it can be made (absolutely no downloaded script/code is to be executed) so click-once applications from a 'cool-apps' site would not be allowed. Also, I don't want to have to provide full trust to a C-O application from someone I do not know, and I may want to relax restrictions for applications from well known sources, but still not allow full trust (such as executing unmanaged code).

    This all looks like it could get very messy, rather quickly, if I want anything other than Internet zone, or Full Trust. But I actually do want a sandbox zone for these types of applications, without having to change the settings I have for the current zones. What is being done to provide that sort of sandbox zone?

    What I'd like to see is a means to set up a customized zone (sandbox) the first time I hit a click once link such that I can set the permissions right there, or can choose from a preconfigured (admin supplied) template. It seems to me, having just the two extremes (Internet and Trusted) will not be enough to enjoy the technology in a safe manner. Having variable shades of grey will be confusing to a casual user, but providing a few common templates may be well advised....

  • lost_in_denmark
    I know I'm a bit late here, but...

    I've been asked to create an app that deploys in the way ClickOnce does, and updates silently, with no user interaction at all.

    Is this possible using ClickOnce or does the user always get prompted when a new version is available?

    TIA
