Slashdot Mirror


Delivering Software, Electronically?

zpengo asks: "I'm trying to find the best way to implement a large-scale Electronic Software Delivery (ESD) service for my software company. I've been able to find very little information online (after weeks of research) so I must take it to America's best and brightest. Have you ever worked with ESD on a higher than plain-vanilla FTP level, and if so, what did you learn from it? When do you consider the product 'delivered'? Was it worth it? (I'm planning to put together a public domain whitepaper on the subject with the information I gather, to help fill in the gaps I found while researching online)."

22 of 202 comments

  1. ximian's red carpet by j1mmy · · Score: 4, Informative

    It's now available for anyone to use as a server or client. www.ximian.com

  2. ESD by Anonymous Coward · · Score: 1, Informative

    I did ESD delivery for my company a couple years ago. We used "Wininstall" with great success. The only real problem I ran into was variances and testing.

    You know, Joe Schmuck loads his own software, and blammo my ESD job breaks. If you have rigid controls on your environment, ESD works great.

  3. Java? You could try Java Web Start by atomray · · Score: 4, Informative

    I've worked with this before on a project, and its usefulness depends on your needs. It's essentially an extension of applets; it does not run in a browser, but does run in a secure sandbox.

    If you have a pure java swing application, this is probably the way to go. If not, read more about it and decide whether it's appropriate.

    The technology was a little rough at first, but I assume it's matured somewhat, considering that it's now part of the standard java environment.

    Java Web Start

    --
    take your sig and shove it
  4. Software Delivery by cyberlotnet · · Score: 1, Informative

    I really wish people would take some time to do "research" like they "say" they did instead of just coming to Slashdot; it shows people are lazy and in some cases (possibly this one) should be thinking about improving their own lifestyles and work habits before starting up a software company.

    If the above doesn't fit you then your answer is below.

    There are a number of companies out there that specialize in software lic's.

    Most can be included into a couple different lang's with very little effort at all.

    One very good example of this would be..
    http://www.elicense.com/

    This and more information can be found on Google without a problem. (But of course this person's "research" didn't include simple searches on the most popular search engine. But he did research, he really did research hard. I got that link in 1 minute; he spent weeks researching and sounds like he found nothing?)

  5. Valve is doing it by TheAntiCrust · · Score: 3, Informative

    Valve Software (makers of Half Life) created a program called Steam. Steam allows you to download patches and goodies (player skins, models, and maps) but you can also buy and download full games. Here is their website http://www.steampowered.com/ don't know how helpful it will be though.

    1. Re:Valve is doing it by sfe_software · · Score: 3, Informative

      Off-topic, but:

      If only it worked through NAT firewalls. Grrrr

      The server is blocking ICMP requests, which means it will not see the ICMP Fragmentation Needed packets your NAT'd boxes will send. You need to reduce the MTU to around 1412 on the machines behind the firewall, or force the MTU in the firewall itself.

      If using Linux 2.4/iptables, see the netfilter kernel config help option for "TCPMSS Target Support"...

      Note that, technically, this is a problem on the server side (blocking ICMP for "security" reasons) but it can be solved on your end.

      (I fought with this for months before I found the problem)

      --
      NGWave - Fast Sound Editor for Windows
  6. rsync and rdist by jutpm · · Score: 4, Informative
    What is wrong with rsync and rdist?

    From the rdist website: "RDist is an open source program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing."

    From the rsync website: "rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License"

  7. Web Based Software Delivery by BuildMonkey · · Score: 5, Informative

    My business is software configuration management. Electronic software delivery is a critical part of many solutions. Typically we use a web site. The system has access control, software submittal, notification, approvals at various levels, retrieval based on approval level, and logging.

    For example, only users identified as Development can submit software. At that point Software Configuration Management is notified to reproduce the software (can SCM build the same binaries as the developers?). SCM retrieves the software from the web site. Once SCM approves the software, Test is notified.

    Test retrieves the software and puts it through its paces. If it passes, Test grants its approval through the web site. Otherwise the software fails and Test provides a URL explaining the problems. And on...

    At any point program management can see the state of the software in its track to customer delivery. PM has override ability to approve software for customer delivery even if it has, for example, failed testing.

    The web site makes it easy to access. Access control and approval manage the software delivery process. Notification keeps everyone on the ball. And logging provides CYA - and has covered my butt on numerous occasions.

    My boss particularly loves to be sitting in a Change Control Meeting and hear the development manager say, "The software's been delivered to SCM. We're waiting on them." And he can say with confidence, "Not yet it hasn't."

  8. I worked for a company that did that by infonography · · Score: 3, Informative

    I worked for Releasenow.com, they were hired guns for this sort of thing back about 2000 or so, they seem to have dropped off the net since then. Other players like Digital River were around too. Not too hard to implement. Stick a few Apache servers behind a load balancer like an F5 on a big pipe like Exodus and make them pay up front. Once you've got their money, send them a URL and password combo that lets them in. The rest is simple stuff. Remember to wash your hands after you're done.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  9. Consider this...(corporate plug) by jlcooke · · Score: 3, Informative

    Package your application in a self-extracting/self-decrypting archive which uses two keys (k1, k2). k1 is either zero-length or known to the group of intended users. k2 is kept secret until published online at some central site at a time specified by the publisher. If k1 is zero-length, then it'll be an open release of software/data.

    software = Decrypt(software, key), where key = Hash(k1 concatenate-with k2).

    This is called time-lock crypto as written by Rivest, Shamir and Wagner in [3].

    CertainKey offers this service with all the software/crypto you need at a modest price; see [1].

    note: I'm a founder of CertainKey...so use discretion.

    References:
    [1]
    [2]
    [3]
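
The two-key release described in the comment above, as an added example that is not CertainKey's code or the poster's. The function names are assumptions, and the SHA-256 keystream with an HMAC tag is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM; the tag lets the unpacker refuse to run anything when k2 is wrong or the archive was altered.

```python
import hashlib
import hmac
import os

def derive_key(k1: bytes, k2: bytes) -> bytes:
    # key = Hash(k1 concatenate-with k2), as the comment states; k1 may be b"".
    # Plain concatenation means (b"ab", b"c") and (b"a", b"bc") give the same
    # key, so a deployment should fix the length of k2.
    return hashlib.sha256(k1 + k2).digest()

def _subkeys(key: bytes):
    # Separate keys for encryption and for the integrity tag.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def seal(software: bytes, k1: bytes, k2: bytes) -> bytes:
    """Publisher side: build the archive that is shipped before k2 is published."""
    enc_key, mac_key = _subkeys(derive_key(k1, k2))
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(software))
    ct = bytes(a ^ b for a, b in zip(software, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_package(package: bytes, k1: bytes, k2: bytes):
    """Customer side: return the software, or None if a key is wrong or the
    archive was modified. Nothing is decrypted before the tag verifies."""
    if len(package) < 48:
        return None
    nonce, ct, tag = package[:16], package[16:-32], package[-32:]
    enc_key, mac_key = _subkeys(derive_key(k1, k2))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))
```

The scheme only holds the release back if k2 is long and random, since anyone holding the archive and k1 can test guesses for k2 offline.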

  10. Please restrain the knee-jerk reaction by Jucius+Maximus · · Score: 5, Informative
    As much as we like to poke fun at Steve Gibson, you might want to take a look at the way he delivers his flagship product SpinRite.

    It's also similar to the way F-Prot Antivirus is delivered.

    Basically each customer gets a login for the web site and can download from there. It avoids serial generators and cracks because you can't just download the shareware and then apply a crack. The only people who even get the opportunity to download the software are those who have paid so it's less likely (but still inevitable) that they will give it away, share it on kazaa, etc.

    1. Re:Please restrain the knee-jerk reaction by alexburke · · Score: 3, Informative

      I paid for SpinRite 5, and if you own it you'll notice your serial number is embedded in the executable itself in a non-obvious manner and is displayed at runtime.

      So anyone who shares it will likely be flagged by Gibson.

  11. Kagi.com by DreamerFi · · Score: 5, Informative

    Kagi has a lot of experience with this. Check them out.

    -John

  12. How could you not find a lot of info? by Anonymous Coward · · Score: 1, Informative

    I did some searches, and there seems to be a fair amount of info available on this.

    There's some good payware service providers like Digital River, Metatec, Intraware, etc. And some decent freeware/open source ones that you could build off of, like weps.org. And there's always freshmeat, twocows.

    It really depends what you're trying to achieve - what you're trying to deliver, to whom and for what reasons. You may need accountability, tracking, different views for different user sets, etc. Usually, you're best off just rolling your own if you have the time & resources to implement it.

    Oh, and for resuming transactions, you can use HTTP 1.1 "Range" header protocol to do that if the files are large, and you lost connectivity.

  13. Re:.....tell...us...more... by Anonymous Coward · · Score: 1, Informative

    I realize that this is /. and open source solutions are preferred. But if you want something scalable, professional and with lots of bells and whistles (like multi-platform support), may I suggest:

    http://www.tivoli.com/products/index/config-mgr/

    Full disclosure: I work for Big Blue, and despite my bias I can tell you some HUGE companies and government agencies are happily using this product. (plus lots of small ones too)

  14. I wrote something to do this a while ago... by marko123 · · Score: 3, Informative

    Upgrade Suite

    It's windows, and freeware now. You might learn about some of the issues from the documentation.

    --
    http://pcblues.com - Digits and Wood
  15. I developed such a system by keyslammer · · Score: 2, Informative

    ...for a large client several years ago. We needed to deploy software to > 400 factory tool control workstations. The prototype was written in Perl, the final version was reimplemented in Python.

    The basic features of the system were as follows:

    1) Packaging of software into the smallest deployable units. Define a standard for how files and meta-information are grouped together into a package (e.g. tarfiles, RPM's) so that the packages can be created and installed in a common manner.
    2) tracking of dependencies and compatibilities between packages
    3) Specification of the set of top-level packages that are required by an individual workstation
    4) dependency evaluation to calculate the final set of packages to be installed, or determine if no viable package set existed because of dependency conflicts
    5) a sizeable set of tools to allow us to manage this information, build packages, and track what got downloaded, why it got downloaded, and who changed what when ;-).

    The combination of these features is very much like what RedHat's "update agent" (and other Linux update utilities) provides. If you have the luxury of only having to support Linux, your best bet is probably to try to adapt one of these to your needs.

  16. Softdisk - back in the day by Anonymous Coward · · Score: 1, Informative
    Back in the day I worked at Softdisk and we had several distribution methods, depending on the service provider (Prodigy, AOL, CompuServe, eWorld, Web).

    AOL - Members would join a software club - billed $19.95 monthly - and be able to download from our library. This was for in-house software, not for third party. At a royalty based on $2.95 per hour, we made a few bucks there. AOL's model change pretty much ended that. We also made money from our freebie download area, albeit royalty only. All programming done in Rainman Plus. It was different and pretty easy, but there were some hideous holes in the system security-wise.

    Prodigy - Customers bought software and after the transaction downloaded the software. Any disputes or problems were handled by our customer support staff, who would email or snail-mail the product if necessary. We had to snail mail our products b/c of problems w/their software delivery check-in system. We had little direct control of the store.

    CompuServe - Most painless to deal with. We uploaded product ourselves. Had to use weird scripting language to construct/modify store/pricing. It was kinda buggy, but it worked. Store performed quite well. The more often products were changed/updated, the better. Rotating ads throughout system for promotion, front screen placement drove huge traffic (big surprise).

    eWorld - Transaction completed in online store, product was emailed to customer minutes after transaction went through. Worked nicely, but ultimately tanked a couple of months after we got it up and running when Apple shut down eWorld.

    Web - Home-brewed CGI scripts ran the store. SSL, transaction processed real-time with our bank, customer could download product for up to 72 hours. Customer support thereafter.

  17. Re:I do! by sfe_software · · Score: 4, Informative

    The browser/platform issues arise with writing headers to the client. There is NO 100% method for doing so.

    Tell me this: what is different between your script writing headers, and the Apache server writing headers, to describe the content about to be sent?

    Honestly, use 'wget' or 'lynx -dump' and really examine the headers that are sent when you download a file. Apache is sending those headers. This is what tells the browser what is being sent, and it's the *only* thing telling the browser what is being sent.

    Simply mimic those headers (substituting the proper filename and size etc), and the browser will happily prompt the user to download.

    We built an inventory system for a manufacturer, and having pre-built Excel reports was one of their requirements. We simply send an HTML table, but send the headers so that it appears as a .xls file binary attachment. Guess what? Either the user is prompted to download the "xls file", or the browser runs Excel (depending on the user's settings).

    It just takes some trial and error, but the biggest clue is to look at the headers that are sent when you actually download a file directly. The browser doesn't know (or care) whether it's a binary webserver program, or a bash shell script, sending the headers.

    And if that's too much work, again, create a symlink:

    ln -s filename.zip [unique-id]-filename.zip

    And give a hyperlink to the symlink. That's about as simple as it gets. In Windows you could probably create a "shortcut", but I really don't know/care about that. If you're running Unix, you have a ton of options here.

    --
    NGWave - Fast Sound Editor for Windows
  18. Re:I do! by GigsVT · · Score: 3, Informative

    You are correct though, about getting a file to the customer. It's harder than it should be!

    I'm generating PDFs to send dynamically. I've done the same thing with inline jpgs for ages now, without having to save them to disk in any way, shape, or form.

    Browsers don't like HTTP redirects. It doesn't always work. IE5.5 is seriously broken unless you have a certain set of patches installed. Opera 6.0 Linux freaks out. Mozilla mostly handles stuff right.

    Eventually I had to do something like you did, generate the file and put it on a directly accessible filesystem, which is very inefficient compared to just streaming the data out, and potentially a lot less secure.

    Why can't browsers get their act together with dynamic content generated for external plugins? It doesn't seem like it would be that hard to fix... Mozilla already has it mostly right.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  19. Re:I do! by sfe_software · · Score: 4, Informative

    Replying to my own post, but...

    I do recall there being one issue, with Mozilla/Netscape specifically, where the filename it prompts you to save is the filename of the *script*. But we got around this using mod_rewrite. So a link like this:

    [unique-id]-filename.zip

    becomes:

    script.php?id=[unique-id]

    And, since the browser is seeing "...zip" as the filename, it prompts with the correct default "Save As" filename. That's what we actually did for the Excel file, we just linked to (eg) Report.xls, which was actually a script.

    Personally, I say go with the symlink idea. It's probably the easiest for you to change from your current setup; simply change your 'cp' command to 'ln -s'... the deletion of the link, downloading of the link, etc will work just the same as if it were truly a redundant copy of the file.

    Of course Apache must be set to follow symlinks; don't forget to check that first.

    --
    NGWave - Fast Sound Editor for Windows
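
The per-customer `[unique-id]-filename.zip` link from the replies above, combined with the 72-hour download window from the Softdisk comment, as an added example that is not code from any poster. The `/dl/` path, the `SECRET` value, the order-id format and the function names are assumptions; the unique id is an HMAC over order, filename and expiry, so the server keeps no per-link state and the filename placed in the header is both signed and restricted to safe characters.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-secret"   # assumption: server-side key, never sent out
LINK_LIFETIME = 72 * 3600             # the 72-hour window from the comment above

# /dl/<order>.<expiry>.<hmac>-<filename>; the filename whitelist keeps path
# separators, quotes and CR/LF out of the file lookup and the header.
LINK_RE = re.compile(
    r"^/dl/([A-Za-z0-9]+)\.(\d+)\.([0-9a-f]{64})-([A-Za-z0-9][A-Za-z0-9._-]*)$")

def _sign(order_id: str, filename: str, expires: int) -> str:
    msg = f"{order_id}\n{filename}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_link(order_id: str, filename: str, now=None) -> str:
    """Called once payment has cleared; returns the path to send the customer."""
    expires = int(time.time() if now is None else now) + LINK_LIFETIME
    link = f"/dl/{order_id}.{expires}.{_sign(order_id, filename, expires)}-{filename}"
    if not LINK_RE.match(link):
        raise ValueError("order id or filename contains unsafe characters")
    return link

def check_link(path: str, now=None):
    """Download script: return (status, headers) for a requested path."""
    m = LINK_RE.match(path)
    if not m:
        return 404, {}
    order_id, expires, sig, filename = m[1], int(m[2]), m[3], m[4]
    # Constant-time comparison; covers filename and expiry, so neither can
    # be edited by the customer or by whoever the link was forwarded to.
    if not hmac.compare_digest(sig, _sign(order_id, filename, expires)):
        return 403, {}
    if (time.time() if now is None else now) > expires:
        return 410, {}
    # The headers a static file download would carry, written by the script.
    return 200, {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }
```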
  20. Re:I do! - hooray for *nix users by Superfreaker · · Score: 2, Informative

    Borrowing from the virtual link methodology, I think we may have a solution that will work even in IIS.

    We will use the free junction command line component, or linkd.exe, or one of the others and run it from our ASP page using ASPExec from ServerObjects.com. Will do the same as the unix version of a virtual link.

    So, even if this thread did not help the original poster, it helped us out and that is a good thing.

    Give yourselves all +1 karma
    Good job!