The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Self updating application

Hello, I want my application to be able to "self update". That is, if I find a bug and fix it, I want the application to be able to go online (by itself or on user command) and download a new version. Or at least say that there is a new version.

This application will be done in C#.

So I was thinking I could have a simple Apache webserver running PHP, with a PHP script that when executed would give:

* Latest Application Version
* Current user's version
* Link to New Version if there is one.

This data could be given in XML for example.

This information would be parsed by the C# program in order for the program to be able to tell the user that there is a new version.

1) Is this a good solution ?

2) Regarding the auto update itself, the program would receive a link like in the previous example (or it could be stored in the program itself) and then somehow it would fetch the new version.

3) Now how could the program use the updated version to update itself? Should I create an installer app that would close the PROGRAM and unpack the new files to the PROGRAM directory ?

Other strategies?

Also, which security issues should I be aware in this kind of thing?

Thursday, July 12, 2007
I'm in the process of evaluating Auto Update from Indigo Rose  Software.
Praveen Angyan Send private email
Thursday, July 12, 2007
The format you are using is the HL7 data format standard used for sharing data in the medical industry.  I believe the latest HL7 specification is XML so you probably just need to move to it.  You can buy commercial parsers for HL7 and I'm sure someone probably sells an editor.
Thursday, July 12, 2007
Sorry wrong thread.
Thursday, July 12, 2007
The security is a key part but can be solved relatively easily via a secure connection (ssl) and validating the downloads (a hash like md5), but the bigger problem is compatibility.

You need to be able to have the system test itself before and after the update and then determine what to do if there are errors.  Therefore, you need a huge amount of Unit Testing and you need to know where your inter-module dependencies are.  And once you introduce dependencies, how do you make sure you get the right batch in the right order?  It gets pretty nasty in no time at all.

I'm in the thick of this one right now...
KC Send private email
Thursday, July 12, 2007
This has been discuessed a few times now..
Create a directory on your webserver containing pages for each version of your program.
Create a webbrowser control that links to the page relating to the version your user is using.
The page on the webserver tells the user the status etc  and gives them the option to download.
They then download and intall the update as per your chosen method of update.

If you have a simple executable then I guess you could just write an updater program and distribute that with your original program. The updater then just stops the running process and overwrites the exe file. You will need to give consideration to the UAC in Vista though.

Otherwise, you will need an msi or similar package.
Glen Harvy Send private email
Thursday, July 12, 2007
If you have or want big customers, you're asking for a lifetime of misery, because they tend to have strict rules about who is allowed to update stuff and when.
Greg Send private email
Thursday, July 12, 2007
If you do this then for heaven's sake make sure auto-update can be turned off. Not just for your big customers with security issues, but also for the rest of us who don't want to be told that "Dingbat version is now available".
DJ Clayworth
Thursday, July 12, 2007
"If you do this then for heaven's sake make sure auto-update can be turned off. "

Yeah but that's the easy part.
Thursday, July 12, 2007
Have you tried Visual Studio's "ClickOnce Deployment"?
hobit Send private email
Thursday, July 12, 2007
The security part is actually a bit tricky.

SSL itself doesn't provide you with defense for a man in the middle attack; the attacker can spoof the DNS response and redirect the client to any other server with valid certificate and infected version of your software.

Hard-coding the certificate fingerprint will limit the validity of the solution to however long is your certificate valid.

One way would be to generate your own CA certificate, hard-code its fingerprint to the application, then generate a certificate signed with the CA one, run it with a webserver on a high port (assuming you don't have a spare IP address).

Then, the application should check if the server it connects to has a certificate signed by your CA.  Do it both when checking for an update AND doing the actual download (also over HTTPS).
Radosław Zieliński Send private email
Friday, July 13, 2007
+1 For Click-Once

Microsoft has already solved this problem and since you are using C# you should just take advantage of the built-in capabilities of .NET

Friday, July 13, 2007

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
Powered by FogBugz