[Gpg4win-devel] Windows Installer, rebuild necessary because of NSIS improvement?

Bernhard Reiter bernhard at intevation.de
Mon Dec 7 14:53:29 CET 2015


Hi Andrej,

On Friday 04 December 2015 at 12:46:55, Andrej Kacian wrote:
> Hello Bernhard,
>
> thanks for thinking about us. :)

you are welcome! Thanks for creating Free Software in the first place! :)

> yes, I have noticed the advisory, but did not yet have the time to look
> into it in detail. I actually planned to do it this weekend. So far, I
> have the impression that we will need to:
>
> 1. Use an updated NSIS to build our next win32 release. The packages
> in Intevation's apt repository seem to work fine on Debian Stretch.

Yes.

> 2. Strongly suggest to our users that they should be careful about
> the directory they run the installer from.

Yes, always execute an installer in a fresh clean directory where it is the 
only file.

> Is there anything else? I am not well-versed in how Windows handles
> DLLs, and some of the discussion on NSIS bug tracker went right over my
> head.

I think they are struggling for a solution that works for earlier versions
of Windows. (We were only concerned with Windows Vista or newer, and possibly 
Windows XP.)

> I also was wondering whether #2 could not be mitigated using a check at
> the beginning of the installer, which could check if there are any *.dll
> files in starting directory. Or does the preloading happen even before
> any user code gets to run?

Good question, I don't know for sure: Your solution would lead to
a possible time interval between check and executing that could still
be used for injecting something.

> > ps.: Do you have reports about Claws working fine with our latest Gpg4win
> > 2.3.0? Would be interesting for us. :)
> > pps.: I'm sending a copy to your users list, though I am not subscribed,
> > I briefly checked our tracker and the list for signs of this already
> > being mentioned before my email.
>
> I haven't seen any, which could very well mean that it works fine. :) I
> myself have only tried it with Gpg4win 2.2.6 so far.

If you get any reports, let us know. ;)

Best,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
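
An added example, not part of the original message or of Gpg4win/NSIS: a small Python helper that follows the advice above by copying an installer into a newly created directory where it is the only file, and that lists what sits beside the original. The file names are constructed samples; the listing is advisory only, because of the interval between check and execution mentioned in the message.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def neighbours(installer: Path) -> list:
    """Names of every other entry in the installer's directory (advisory)."""
    return sorted(p.name for p in installer.parent.iterdir()
                  if p.name != installer.name)


def stage_installer(installer: Path) -> Path:
    """Copy the installer into a new directory and return the copy's path."""
    expected = sha256_of(installer)
    fresh = Path(tempfile.mkdtemp(prefix="installer-"))  # newly created, empty
    staged = fresh / installer.name
    shutil.copyfile(installer, staged)
    if sha256_of(staged) != expected:
        raise RuntimeError("staged copy differs from the source file")
    extra = neighbours(staged)
    if extra:
        raise RuntimeError("staging directory is not empty: %r" % extra)
    return staged


if __name__ == "__main__":
    # Constructed sample: a stand-in download folder with a stray file in it.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    setup = downloads / "example-setup.exe"  # hypothetical file name
    setup.write_bytes(b"MZ constructed sample, not a real installer")
    (downloads / "stray.dll").write_bytes(b"constructed stray file")
    print("beside original:", neighbours(setup))
    staged = stage_installer(setup)
    print("beside staged copy:", neighbours(staged), "->", staged)
```

Run the staged copy rather than the original; the helper does not change how Windows resolves DLLs, it only controls what is in the directory the installer starts from.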