Slashdot Mirror
Delivering Software, Electronically?
zpengo asks: "I'm trying to find the best way to implement a large-scale Electronic Software Delivery (ESD) service for my software company. I've been able to find very little information online (after weeks of research) so I must take it to America's best and brightest. Have you ever worked with ESD on a higher than plain-vanilla FTP level, and if so, what did you learn from it? When do you consider the product 'delivered'? Was it worth it? (I'm planning to put together a public domain whitepaper on the subject with the information I gather, to help fill in the gaps I found while researching online)."
When do you consider the product 'delivered'?
When it's available on Kazaa?
it's now available for anyone to use as a server or client. www.ximian.com
I've been able to find very little information online (after weeks of research) so I must take it to America's best and brightest.
Um, this is Slashdot, dude...
If you celebrate Xmas, befriend me (538
I've worked with this before on a project, and it's usefulness depends on your needs. It's essentially an extension applets; it does not run in a browser, but does run in a secure sandbox.
If you have a pure java swing application, this is probably the way to go. If not, read more about it and decide whether it's appropriate.
The technology was a little rough at first, but I assume it's matured somewhat, considering that it's now part of the standard java environment.
Java Web Start
take your sig and shove it
What software, which audience, which principles? It makes a difference whether you are building ESD like tucows or for a special product for a special market - for example. It might be possible for you to get some real information out from here, but you will have to tell more. Don't be scared, if someone wants to look up your company, he is already well capable of doing it :)
My biggest concern is that if the transfer fails in the middle you can pick it up from that point. Also that it doesn't need you to install funky software before hand.
Always make sure you're wearing one of those wrist-strap thingies.
Valve Software (makers of Half Life) created a program called Steam. Steam allows you to download patches and goodies (player skins, models, and maps) but you can also buy and download full games. Here is thier website http://www.steampowered.com/ dont know how helpful it will be though.
At my school, there's a page set up for your basic freeware (acrobat reader, PuTTy), and other more expensive site-licensed software (X-Win, CRT, Dreamweaver) require a user logon to download. The IT department keeps a log of all the downloads, and whoever's logon is used is responsible for the software. For the really expensive stuff (MATLAB, Mathematica), paperwork is necessary.
Take a look at it: http://www.bu.edu/software/
From the rdist website: "RDist is an open source program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing."
From the rsync website: "rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License"
My business is software configuration management. Electronic software delivery is a critical part of many solutions. Typically we use a web site. The system has access control, software submital, notification, approvals at various levels, retrieval based on approval level, and logging.
For examply, only users identified as Development can submit software. At that point Software Configuration Management is notified to reproduce the software (can SCM build the same binaries as the developers?) SCM retrieves the software from the web site. Once SCM approves the software, Test is notified.
Test retrieves the software and puts it through its paces. If it passes Test grants its approval through the web site. Otherwise the software fails and Test provides a URL explaining the problems. And on...
At any point program management can see the state of the software in its track to customer delivery. PM has override ability to approve software for customer delivery even if it has, for example, failed testing.
The web site makes it easy to access. Access control and approval manage the software delivery process. Notification keeps everyone on the ball. And logging provides CYA - and has covered my butt on numerous occasions.
My boss particularly loves to be sitting in a Change Control Meeting and hear the development manager say, "The software's been delivered to SCM. We're waiting on them." And he can say with confidence, "Not yet it hasn't."
what are you trying to deliver ?
I built a app that for win32 sat in the systray and then looked at a internal FTP and checked the manifest against its own on the machine if anything was new download and ask the user for interaction
on the java side their was webstart which is really nice and is default on MacOS X.x
this automatcally does what my app did and is a hell of a lot nice and secure
apps like windows update are pretty silly as you have to ask the user to look every day and how many lusers do that ? let alone people who know better
its what crontabs where ment for (-;
of course you can build it into the app
and if you just want to deliver software to customers use sftp
its nice and you can even get it on a java applet so that you can point people to a web page and get them to enter username and password and then its server side chrooting them to the right dir
have fun
regards
John Jones
Try this EDS solution.
kthx
If there's a problem, it's probably related to getting paid for it. Or, worst case, figuring out some way to "deliver" some kind of hostile code (adware, spyware, etc.) to the user's desktop.
I developed (insert plug here-http://payloadz.com)
We do about 5,000 transactions per month.
Our method is this (note, this is after 5 iterations of delivery systems- all of which had issues):
- When a customer pays, we create a unique copy of the purchased product and place it in a queue directy for download. This unique file is prefixed with the customers transaction ID, so
"filename.zip" becomes "a1dys3ad4a-filename.zip"
We then provide a direct link to the file. We also send this direct link in an email to the person.
After 48 hours the file is deleted. after which time, the customer must request more downloads from the merchant.
We tried many other methods but there always arose a browser/platform issue. The ONLY reliable method has been to provide a direct link to the file for download.
It can create server load and file storage issues if you have a large scale site.
Hope that helps, feel free to contact me off list.
I worked for Releasenow.com, they were hired guns for this sort of thing back about 2000 or so, they seem to have dropped off the net since then. Other players like Digital River were around too. Not to hard to implement, Stick a few apache servers behind a load balancer like an F5 on a big pipe like Exodus and make them pay up front. once you got their money send them a url and password combo that lets them in. The rest is simple stuff. Remember to wash your hands after your done.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Package your application in a self-extracting/self-decrypting archive which uses two keys (k1,k2). k1 is either zero-length or known to the group of indented users. k2 is kept secret until published online at some central site at a time specified by the publisher. If k1 is zero-length, then it'll be an open release of software/data.
software = Decrypt(software, key), where key = Hash(k1 concatenate-with k2).
This is called time-lock crypto as written by Rivest Shamir Wagner in [3].
CertainKey offers this service with all the software/crypto you need at a modest price see [1].
note: I'm a founder of CertainKey...so use discretion.
References:
[1]
[2]
[3]
... when things goes wrong? If you view software as a service, then someone along the line has to make a decision to deploy it. Usually it is some sysadmin who ultimately is responsible for the smooth running of the who ball-of-string (ignoring any CTO stupidity). IMHO that is why they like ftp/http/app-get in that it is a conscious decision to review and vet any new release.
.BET, or ASP) becomes a side issue when lawsuits are flying, especially for any mission-critical software (cf backbone router flash-upgrades).
On the other hand, if you are offering automagic updates (a la MS) then I hope the software contract indicates what happens if things goes wrong. The actual mechanism (whether JavaBeans,
LL
It's also similar to the way F-Prot Antivirus is delivered.
Basically each customer gets a login for the web site and can download from there. It avoids serial generators and cracks because you can't just download the shareware and then apply a crack. The only people who even get the opportunity to download the software are those who have paid so it's less likely (but still inevitable) that they will give it away, share it on kazaa, etc.
Kagi has a lot of experience with this. Check them out.
-John
A lot standard exist; whether they are useful depends on the platform you are targeting and/or the architecture of your product. You've shared nothing about either, so I'll just point you at some general standards that you may find helpful, or as sample design patterns that may bring you closer to your goal. Check out the OSD specification at the Web Consortium's main site. An XML-based software description language, it's raison d'etre is electronic delivery of software. I know Microsoft used the format at one point, and I know of at least one other company that architected their product to use the OSD language for software installation as well. An alternative to the OSD model is Sun's Java Web Start, tailored to automatic installation of software for the Java platform. If you still need to roll your own, may I suggest that you consider the package format used in the Debian GNU/Linux distribution as a good design pattern to follow? Because the format exposes extensive amounts of meta-data in each package, a complete array of tools exist to automatically resolve, download, and install dependencies--one of the major benefits of using Debian as a Linux platform. Finally, if you are a member of the ACM, their online Digital Library will no doubt have extensive information, as would the IEEE online resources (again, membership required). A free resource similar to those of the ACM and IEEE that I often find helpful is Citeseer. Hope some of those help!
Do you want to deliver upgrades or patches?
Do you want to tie your system into a point of sale mechanism?
Are you worried about security? (you should be)
What security mechanisms are you able to implement?
How many people will download your software each day? Each hour? How many do you expect to do so next year?
What platforms will your target audience be running?
I could go on and on....but my point is that you cannot go to anyone, even "America's Best and Brightest" (whereever they are) and ask for a one-size-fits-all solution to a software delivery system - even if you do have a fancy buzzword like ESD to make it sound sort of sexy.
You first step here (AS ALWAYS) is to define your specifications. You can *start* with the questions above but if you haven't thought of 4 times that many yourself in your specs then you don't really know what you want... and hence can be offered no real solution.
----- In Your Cubicle No One Can Hear You Scream...
I am currently adding ESD capability to my eCommerce software, so that I can deliver electronic goods to customers.
The approach I am looking at is one where after payment has been accepted, the user gets a secure account where they can download the files they have a valid licence for, and the file is passed through a script which checks that the user has authenticated properly. This means they cannot simply post a URL to allow everyone access to the file.
In order to authenticate, and so that they can download this file again at a later date (maybe their hard disk blew up or whatever), they must enter a random 4 digits of the credit card used to purchase the file. This means they would not simply post a username/password and allow everyone access to their account.
When they receive the file it will be archived. When they unarchive the file, the custom unarchiver will request authorisation from my server, informing me they have the file, and what the md5 hash is. This confirms to me they have a valid file and helps against credit card refunds.
Inside the archive, I will look for ways to have unique ID's hidden inside various files, so I can then track the file's owner should it appear on any file sharing sites/networks. This doesnt have to be done in realtime, you can prepare 1000 files in advance and assign them to customers. I will look to write into the EULA a clause that states it is their sole responsibility to keep the file and contents secure, and that any lost sales will be charged to them if it could be proven they were neglegent in securing their computer/network.
I think that the above will be a good set of measures to take. Of course, it all depends on how important/valuable your software is.
Remember, if someone is really persistant, they will find away to share your files without detection. So things like great customer service, and value add will be your biggest help in keeping your customers loyal to you.
Will you be here all week?
Take a look at SVGames.com. This is an outfit that sells, among other things, PDFs of old TSR AD&D books (the PDF were obtaining by scanning the books). The PDFs are a few bucks each and are sold only through download.
The neat thing is that they offer a temporary download URL that allows you to redo a download wihin a few days if the first one failed. You don't even need to bookmark the temp URL, you just reenter your name and CC number for authentication and can redo the download (without being charged twice, obviously). This is a very cool feature. I suggest your site adopt a similar functionality.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Don't forget that once you have distributed your software over the Internet to an untrustworthy, evil user, s/he is going to give it away for free. S/he is going to start buring illegal copies of the software he downloaded for all his friends and will probably download it right into his P2P upload directory.
After the Electronic Software Delivery (ESD) is complete, the user has to get through the EULA so he can install it.
Just who are you going to get to write that EULA?
Might I humbly suggest,
http://www.evil-lawyers-who-write-eulas.com
These guys specialize in incomprehensible leagaleze and by the time they are done, your EULA will stand a proud 250 lines long and allow you to have your way with both the user of your software and his/her computer.
Good Luck!@
If your programs are written in Java, then Java Web Start is unbeatable.
However I recommend third party fedex or ups wans. They add great routing and delivery support and would mix your data with their own delivery network. They integrate well with the messenger protocal since they both use the mail room gateway as a standard to retrieve and sometimes even store data. The mailroom is the default gateway between the messenger and fedex and ups protocals.
The downside of course can be transfer time and very high latency. For example using a third party network like fedex can take a day or two to ship the data to Hong Kong and can be pricy depending on how quick you want the data to move.
The good side of sneakernet is that when the network is down I can still get data from one side of the office to the next. When the network is congested I can still move around huge amounts of data depending on the store medium used. With me implementing the messenger layer of the sneakernet protocal suite, you do not have to worry about hiring any expensive consultans or installation fee's. All you need is the store medium like a tape or cd-rw drive on both nodes.
Ps. I am looking for work and wouldn't mind doing this at this point.
http://saveie6.com/
Come on, these guys don't even read the stories they themselves submit, and neither do the moderators or posters or even the slashdot crew. You expect them to do enough research to actually read the slashdot story too?
Infuriate left and right
It depends in a huge part on the type of program, but for general-public use (what some would term "consumer" but I'm trying to erase that word from my vocabulary) a Shareware/registration system is often the easiest, if you have some sort of unique identifier to use.
:-) It also means that you need to maintain only one binary version, and you can make it a simple direct URL which is compatible with every browser in existance.
For example...
In the Palm OS world, most software is released in a Shareware fashion. Every Palm OS device has a HotSync ID that is used to identify it on a PC, and to keep that device's data separate from other Palms on the same PC. Two people could very well have the same ID, but not on the same PC, and the vast majority of users just use their own name as their ID, so the odds of two people with identical IDs meeting is neglibible.
What most developers do is release a single binary version of the program that includes all of the functionality, but sometimes blocks it with popups, disabled functions, timeouts, or whatever. If the user decides to register, they go to a web site (usually PalmGear.com) and enter their HotSync ID along with their credit card data and the web site generates a unique registration key for them based on their HotSync ID and some program-specific key, known only to the developer. The user enters that code into the Palm program and they're all set and registered. The program can then just generate what the reg code should be against the HotSync ID and the secret key (which it has compiled into it), and determine if the entered code is valid or not. The reg code is stored in the device's Preferences database (sorta kinda the Palm version of the Registry, though better implemented), so the user can easily beam the program to others and SHAZAAM!, the other user now has the unregistered, shareware version of the program! Yay, viral marketing!
Yes, it is possible for the user to fudge the HotSync ID with 3rd party programs, but that's not very common. And frankly, if someone is going to do that to "get around" your registration system, they would never have paid for the program in the first place, so you've lost nothing.
Of course, that is all predicated on the platform supporting that sort of unique ID. I don't know if that sort of user-defined, constant, pseudo-unique ID exists on any other platform. I wish it did, it would make it a lot easier to develop shareware-type apps. E-mail address is possible, but is subject to change more often.
[insert obligatory commentary about why you should be releasing GPLed software instead of commercial software here.]
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
Do you really care whether you use electronic hardware to send your software, or are you interested in sending software over the net? Computers and the internet don't necessarily have to be based on electronic hardware.
Upgrade Suite
It's windows, and freeware now. You might learn about some of the issues from the documentation.
http://pcblues.com - Digits and Wood
When I need to transfer large amounts of data, I use rsync where possible. This allows for updates of the data without transfering all of the data, unless everything changes in the current update.
No need to worry about that with perl code. The syntax is so damn ugly it looks binary anyhow. Just remove the comments and ship away!
Got Code?
Remembers when Numega had a trial version of SoftIce(kernel mode debugger) available for download?
Warez groups used it a LOT to remove copy protection from games/apps/etc, so the first think they did whith it after they downloaded it was to alter the SoftIce binaries to get rid of the expiration date...using SoftIce itself to find the places where the checks were being made.
...for a large client several years ago. We needed to deploy software to > 400 factory tool control workstations. The prototype was written in Perl, the final version was reimplemented in Python.
;-).
The basic features of the system were as follows:
1) Packaging of software into the smallest deployable units. Define a standard for how files and meta-information are grouped together into a package (e.g. tarfiles, RPM's) so that the packages can be created and installed in a common manner.
2) tracking of dependencies and compatibilities between packages
3) Specification of the set of top-level packages that are required by an individual workstation
4) dependency evaluation to calculate the final set of packages to be installed, or determine if no viable package set existed because of dependency conflicts
5) a sizeable set of tools to allow us to manage this information, build packages, and track what got downloaded, why it got downloaded, and who changed what when
The combination of these features is very much like what RedHat's "update agent" (and other Linux update utilities) provides. If you have the luxury of only having to support Linux, your best bet is probably to try to adapt one of these to your needs.
I was involved with such a problem on a failed start-up (which didn't get funding for going into operation after we had solved the problem). We used Install Anywhere for our initial distribution and the app itself was written in java, stored in two signed jars which included a generic "key". When it came time to first run or upgrade the app, a request was sent to a server (apache+servlets) which took its info from the jars (generic or unique key + sig) and returned back a new jar(s) with any upgrades/patches (new jars were themselves were each "uniquely" keyed and signed).
The app itself was started by a launcher which would watchdog the app and could report/then fall back the patches/new code if it didn't work. We could (by option) track users/problems/usage statistics and control upgrades for each user. Finally, we have a diagnostic applet (+HTML page) in the same jar which the user could then start from a browser to deal with failed system/comm/proxy issues.
It worked extremely well during the pilot -- interestingly the most important feature turned out to be the diagnostic applet which saved us huge amounts of time during the trial rollouts, test cycles and releases. Our biggest expenses came from initial support and upgrades.
Hope this helps.
I'm trying to find the best way to implement a large-scale Electronic Software Delivery (ESD) service for my software company.
/ SOFTWARE-VERSION.ARCH.rpm \
/ SOFTWARE-VERSION.tar.bz \ ./configure ... \
;-)
How about the following:
$ wget http://MIRROR.sourceforge.net/sourceforge/PROJECT
> && su -c 'rpm -Uhv SOFTWARE-VERSION.ARCH.rpm'
Or alternatively:
$ wget http://MIRROR.sourceforge.net/sourceforge/PROJECT
> && tar xjf SOFTWARE-VERSION.tar.bz2 \
> && cd SOFTWARE-VERSION \
> &&
> && make \
> && make check \
> && su -c 'make install'
moto411.com
Borrowing from the virtual link methodology, I think we may have a solution that will work even in IIS.
We will use the free junction command line component, or linkd.exe, or one of the others and run it from our ASP page using ASPExec from ServerObjects.com. Will do the same as the unix version of a virtual link.
So, even if this thread did not help the oroginal poster, it helped us out and that is a good thing.
Give yourselves all +1 karma
Good job!
This system allows someone to snoop e-mails going out to you customers and obtain freebee software urls.
I am curious how this is done (for prevention knowledge only). This includes snooping HTTP traffic for passwords, etc.
For example, how can somebody snoop into HTTP traffic going between client A and server B? Do they have to tap into A or B's ISP from the inside of the ISP?
I am a software guy who is a bit cloudy about network stuff.
Table-ized A.I.
British actually, can we have our language back now please?
Perhaps it wont reach the widest audience but it's certainly a great way to deliver it :)
Just throw it on a warez site and write the URL on the bathroom wall. Every machine in the office will be up to date in no time. And they'll all be running the latest copy of MS Office and Photoshop, too -- at absolutely no cost to the company!
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Check out No-Touch Deployment in the .NET Framework for an interesting way of solving the problem of delivering software updates automatically, without the need for user intervention. If you set it up properly, it's actually more secure than just downloading straight from a website, because of the very granular code access security features of the .NET Framework.
Because they have a lot of things set up to support automatic shipment of electronic goods and automatic serial key generation and such. With a little thought "the supplier ships the goods" requires zero effort.
you might want to check out smartcert on google. Pricey but they hold your files and handle transactions. They do not use watermarks to make unique copies.
I have been working on a simple shop system to tie into Payment One and other credit card clearing systems, written in Perl. A lot of the design depends on your own business policy and how much risk you are willing to take (i.e. is it okay if people can post copies of your software on bbs systems?). If you only have a few items it is easy but with higher throughput you will want to manage clients and handle cooling off (giving money back) quickly. Check out Red Hat's system for some ideas.