PowerToys icon indicating copy to clipboard operation
PowerToys copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Concider shipping self contain to avoid crash on unpredicatable update

Open tebeco opened this issue 3 years ago • 15 comments

Microsoft PowerToys version

0.43.0 visible from the Uninstall menu (App can't run anymore without shared SDK)

Running as admin

  • [ ] Yes

Area(s) with issue?

General

Steps to reproduce

  • Install your computer with the SDK that PowerToy uses
  • alternatly
    • Update your SDK, which could uninstall that SDK on update
    • Just update VS2022, which could update SDK (see previous point)
    • or manually clean your computer for unused SDK
  • Reboot
  • Have a surprise image

This happened after updated VS2022 Preview 17.1 I believe

✔️ Expected Behavior

Having Powertoy ship self contained (maybe even AOT for speed) so that they literally ship what they need to run.

As of today you cannot really predict what application use SDK x.y.z and it's not the first time it happened

❌ Actual Behavior

Full Crash of PowerToy

Other Software

No response

tebeco avatar Nov 11 '21 06:11 tebeco

cc: @yuyoyuppe

franky920920 avatar Nov 12 '21 05:11 franky920920

This is second report we’ve gotten of VS 2022 uninstalling the .net core 3.1 runtime. I’m going to ask internally what is up

@jaimecbernardo / @DHowett we may want to shift to self-contained vs runtime

crutkas avatar Nov 12 '21 06:11 crutkas

If that helps:

I'm on Preview channel of vs2022 so the update that did it was the one from the last RC (of the preview channel) to 17.1 preview 1

tebeco avatar Nov 12 '21 06:11 tebeco

Perhaps there's some way to indicate to the OS that it's being used as a dependency for PowerToys, so it doesn't get uninstalled automatically when visual studio updates? @yuyoyuppe

jaimecbernardo avatar Nov 15 '21 15:11 jaimecbernardo

Shipping self contains avoid hacking around SDK and OS and let the tool works regardless of what happen on a specific computer.

Digging into that won't solve the issue of the user doing manual cleanup either etc... which would be prevented by shipping self contained

it kinda address several scenario at one.

tebeco avatar Nov 15 '21 15:11 tebeco

That's true. As part of this, I think it's important to understand how to do this in a way that can be shared by many of the PowerToys utils at the same time, as to not explode the installed size.

jaimecbernardo avatar Nov 15 '21 23:11 jaimecbernardo

yeah i started asking on C# discord server but i got the feeling that if there's getting in touch with someone from the runtime/sdk team would be more productive

i suspect editing one of the runtime.json file post publish and deploy your own local install of the runtime without powertoy and point to that one could be a thing

relying on wide computer install is a similar step back as .Net Framework in term of reliability of presence and update side effect

there's also ... full AOT and agressive tree shaking i guess

tebeco avatar Nov 16 '21 15:11 tebeco

(thx/credits to @ClxS for the hint here)

https://github.com/Tyrrrz/DotnetRuntimeBootstrapper

.NET Runtime Bootstrapper replaces the default application host exe file, generated by MSBuild for Windows executables, with a fully featured bootstrapper that can automatically download and install .NET runtime and other missing components required by your application.

It could be used to get a "shared" runtime accross multiple application, so that are "self contained while sharing the same runtime together"

The code need to be adapted for the resolution around here: https://github.com/Tyrrrz/DotnetRuntimeBootstrapper/blob/master/DotnetRuntimeBootstrapper.AppHost/Dotnet/DotnetInstallation.cs#L11-L56 like looking at <install folder>/powertoys/runtime/<version> while powertoys lives in <install folder>/powertoys/tools or <install folder>/powertoys/bin

tebeco avatar Dec 08 '21 14:12 tebeco

Related to "shipping self-contained": #19761, #16448, #16288, #15517

Jay-o-Way avatar Oct 24 '22 22:10 Jay-o-Way

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 5 days. It will be closed if no further activity occurs within 5 days of this comment.

ghost avatar Jan 17 '23 20:01 ghost

Yes the toys seems to be self contained now (as per original title)

given previous messages I was unsure if runtime de-dup should now be present or not which might not be pushed into 0.66.0 release yet: image image

tebeco avatar Jan 19 '23 18:01 tebeco

Self contained, although fixes the issue here, generates a big maintenance headache for enterprises that have legal obligations around patching and maintenance on devices.

If we are patching system wide installs of dotNet then we ensure a single source of truth is patched. With applications that ship their own libraries there is no method of patching these without an update to the product that is shipping the self contained library, but these libraries will appear on vulnerability scanning reports which if not remediated within set time windows could lead to the devices being locked out of the network, or for some enterprise areas lead to license to practice or financial cost implications.

ukdocCT avatar Feb 03 '23 16:02 ukdocCT

i'll take the opportunity of that message to answer that it's only ever valid for company with such policy

that headache is likely worse for non entreprise user as an uninstall of a software could lead to brick the powertoy

updating Visual Studio which update the sdk which uninstall old sdk did break these tool several time in the past

so this update is a HUGE improvement for anyone that don't have ultra strict requirement on ui desktop that use powertoy in these context

one solution would be to create dedicated separate package for consumer that prefer relying in such a setup

EDIT: to be clear, i understand and the situation you're stuck in. I just would love 2 separate package because the situation before was also horrible on visual studio updates. both should be acceptable and use should have the choice at this point.

bonus question: with the restriction listed and cut out of network, how do you install and update power tool ?

tebeco avatar Feb 03 '23 16:02 tebeco

so this update is a HUGE improvement for anyone that don't have ultra strict requirement on ui desktop that use powertoy in these context

one solution would be to create dedicated separate package for consumer that prefer relying in such a setup

I am not saying that this is isn't a huge improvement, and i do really appreciate the work and how it will help most users.

bonus question: with the restriction listed and cut out of network, how do you install and update power tool ?

We have a couple of scenarios that we have had to use. Luckily so far we do not have an always on VPN so even if they can not get into the company systems they can still access the internet via their home wifi. At that point we use SCCM cloud gateway to force deliver the update or force the uninstall - which they can then install again once they are back into the company network and can access the Apps portal to install the latest version. In most cases this happens because they have not installed the latest version when we have notified them that its available, but at that time the dotnet version isn't listed as a vulnerability so they don't get locked out the network and they just carry on working. When we know about certain vulnerabilities we perform proactive patching as long as its none disruptive, but we have had a number of these self-contained libraries / portable apps that vulnerability scans pick up as they scan the whole device. These are a lot harder to remediate for us as they dont appear on a normal installed software asset report.

Sorry for the long sprawl, but apps like PowerToys make our life endlessly easier, we just get stuck with having to do it inside ever increasingly strict industry regulations.

ukdocCT avatar Feb 03 '23 17:02 ukdocCT