The Internet

Delivering Software, Electronically?

zpengo asks: "I'm trying to find the best way to implement a large-scale Electronic Software Delivery (ESD) service for my software company. I've been able to find very little information online (after weeks of research) so I must take it to America's best and brightest. Have you ever worked with ESD on a higher than plain-vanilla FTP level, and if so, what did you learn from it? When do you consider the product 'delivered'? Was it worth it? (I'm planning to put together a public domain whitepaper on the subject with the information I gather, to help fill in the gaps I found while researching online)."
  • ximian's red carpet (Score:4, Informative)

    by j1mmy ( 43634 ) on Saturday October 26, 2002 @04:04PM (#4537923) Journal
    it's now available for anyone to use as a server or client. www.ximian.com
  • ESD (Score:1, Informative)

    by Anonymous Coward on Saturday October 26, 2002 @04:05PM (#4537930)
    I did ESD delivery for my company a couple years ago. We used "Wininstall" with great success. The only real problem I ran into was variances and testing.

    You know, Joe Schmuck loads his own software, and blammo my ESD job breaks. If you have rigid controls on your environment, ESD works great.

  • by atomray ( 202327 ) on Saturday October 26, 2002 @04:06PM (#4537941) Homepage
    I've worked with this before on a project, and its usefulness depends on your needs. It's essentially an extension of applets; it does not run in a browser, but does run in a secure sandbox.

    If you have a pure java swing application, this is probably the way to go. If not, read more about it and decide whether it's appropriate.

    The technology was a little rough at first, but I assume it's matured somewhat, considering that it's now part of the standard java environment.

    Java Web Start [sun.com]
  • Software Delivery (Score:1, Informative)

    by cyberlotnet ( 182742 ) on Saturday October 26, 2002 @04:08PM (#4537948) Homepage Journal
    I really wish people would take some time to do "research" like they "say" they did instead of just come to Slashdot, it shows people are lazy and in some cases ( possibly this one ) should be thinking about improving their own lifestyles and work habits before starting up a software company..

    If the above doesn't fit you then your answer is below.

    There are a number of companies out there that specialize in software lic's.

    Most can be included into a couple different lang's with very little effort at all.

    One very good example of this would be..
    http://www.elicense.com/

    This and more information can be found on google without a problem. ( But of course this person's "research" didn't include simple searches on the most popular search engine.. But he did research, He really did research hard, I got that link in 1 minute, He spent weeks? researching and sounds like he found nothing? )
  • Valve is doing it (Score:3, Informative)

    by TheAntiCrust ( 620345 ) on Saturday October 26, 2002 @04:11PM (#4537962)
    Valve Software (makers of Half Life) created a program called Steam. Steam allows you to download patches and goodies (player skins, models, and maps) but you can also buy and download full games. Here is their website http://www.steampowered.com/ don't know how helpful it will be though.
  • rsync and rdist (Score:4, Informative)

    by jutpm ( 550776 ) <millerjp@@@gmail...com> on Saturday October 26, 2002 @04:12PM (#4537966) Homepage
    What is wrong with rsync [anu.edu.au] and rdist [magnicomp.com]?

    From the rdist website: "RDist is an open source program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing."

    From the rsync website: "rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License"

  • by BuildMonkey ( 585376 ) on Saturday October 26, 2002 @04:12PM (#4537967)
    My business is software configuration management. Electronic software delivery is a critical part of many solutions. Typically we use a web site. The system has access control, software submittal, notification, approvals at various levels, retrieval based on approval level, and logging.

    For example, only users identified as Development can submit software. At that point Software Configuration Management is notified to reproduce the software (can SCM build the same binaries as the developers?) SCM retrieves the software from the web site. Once SCM approves the software, Test is notified.

    Test retrieves the software and puts it through its paces. If it passes Test grants its approval through the web site. Otherwise the software fails and Test provides a URL explaining the problems. And on...

    At any point program management can see the state of the software in its track to customer delivery. PM has override ability to approve software for customer delivery even if it has, for example, failed testing.

    The web site makes it easy to access. Access control and approval manage the software delivery process. Notification keeps everyone on the ball. And logging provides CYA - and has covered my butt on numerous occasions.

    My boss particularly loves to be sitting in a Change Control Meeting and hear the development manager say, "The software's been delivered to SCM. We're waiting on them." And he can say with confidence, "Not yet it hasn't."
  • by infonography ( 566403 ) on Saturday October 26, 2002 @04:14PM (#4537975) Homepage
    I worked for Releasenow.com, they were hired guns for this sort of thing back about 2000 or so, they seem to have dropped off the net since then. Other players like Digital River were around too. Not too hard to implement, Stick a few apache servers behind a load balancer like an F5 on a big pipe like Exodus and make them pay up front. Once you got their money send them a url and password combo that lets them in. The rest is simple stuff. Remember to wash your hands after you're done.
  • by jlcooke ( 50413 ) on Saturday October 26, 2002 @04:15PM (#4537976) Homepage
    Package your application in a self-extracting/self-decrypting archive which uses two keys (k1,k2). k1 is either zero-length or known to the group of intended users. k2 is kept secret until published online at some central site at a time specified by the publisher. If k1 is zero-length, then it'll be an open release of software/data.

    software = Decrypt(software, key), where key = Hash(k1 concatenate-with k2).

    This is called time-lock crypto as written by Rivest, Shamir and Wagner in [3].

    CertainKey [certainkey.com] offers this service with all the software/crypto you need at a modest price see [1].

    note: I'm a founder of CertainKey...so use discretion.

    References:
    [1] [certainkey.com]
    [2] [com.com]
    [3] [mit.edu]
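The two-key archive described in the comment above, as an added example that is not part of the original post or of CertainKey's software. SHA-256 as the hash, the HMAC-based keystream standing in for a real cipher, and all function names are assumptions of this example.

```python
import hashlib
import hmac


def derive_key(k1: bytes, k2: bytes) -> bytes:
    """key = Hash(k1 concatenated with k2); SHA-256 is this example's choice of hash."""
    return hashlib.sha256(k1 + k2).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in stream cipher (assumption): HMAC-SHA256 over a block counter.
    # A shipped archive would use a vetted authenticated cipher instead.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(software: bytes, k1: bytes, k2: bytes) -> bytes:
    """Publisher side: encrypt once, distribute the archive before k2 is released."""
    key = derive_key(k1, k2)
    body = bytes(a ^ b for a, b in zip(software, _keystream(key, len(software))))
    tag = hmac.new(key, b"mac" + body, hashlib.sha256).digest()
    return tag + body


def open_archive(archive: bytes, k1: bytes, k2: bytes):
    """Recipient side: return the software, or None if either key is wrong
    or the archive was modified in transit."""
    key = derive_key(k1, k2)
    tag, body = archive[:32], archive[32:]
    expected = hmac.new(key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


if __name__ == "__main__":
    K2 = b"constructed-k2-published-on-release-day"   # constructed sample value
    open_release = seal(b"installer bytes", b"", K2)            # zero-length k1
    group_release = seal(b"installer bytes", b"group-key", K2)  # k1 known to a group
    print(open_archive(open_release, b"", b"guess-before-release"))  # None
    print(open_archive(open_release, b"", K2))                       # plaintext
    print(open_archive(group_release, b"", K2))                      # None: k1 missing
```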
  • by Jucius Maximus ( 229128 ) on Saturday October 26, 2002 @04:19PM (#4538003) Journal
    As much as we like to poke fun at Steve Gibson, you might want to take a look at the way he delivers [grc.com] his flagship product SpinRite.

    It's also similar to the way F-Prot Antivirus [complex.is] is delivered.

    Basically each customer gets a login for the web site and can download from there. It avoids serial generators and cracks because you can't just download the shareware and then apply a crack. The only people who even get the opportunity to download the software are those who have paid so it's less likely (but still inevitable) that they will give it away, share it on kazaa, etc.

  • Kagi.com (Score:5, Informative)

    by DreamerFi ( 78710 ) <johnNO@SPAMsinteur.com> on Saturday October 26, 2002 @04:22PM (#4538017) Homepage
    Kagi [kagi.com] has a lot of experience with this. Check them out.

    -John

  • by Anonymous Coward on Saturday October 26, 2002 @04:29PM (#4538044)
    I did some searches, and there seems to be a fair amount of info available on this.

    There's some good payware service providers like Digital River, Metatec, Intraware, etc. And some decent freeware/open source ones that you could build off of, like weps.org. And there's always freshmeat, twocows.

    It really depends what you're trying to achieve - what you're trying to deliver, to whom and for what reasons. You may need accountability, tracking, different views for different user sets, etc. Usually, you're best off just rolling your own if you have the time & resources to implement it.

    Oh, and for resuming transactions, you can use HTTP 1.1 "Range" header protocol to do that if the files are large, and you lost connectivity.
  • by Anonymous Coward on Saturday October 26, 2002 @04:37PM (#4538069)
    I realize that this is /. and open source solutions are preferred. But if you want something scalable, professional and with lots of bells and whistles (like multi-platform support), may I suggest:

    http://www.tivoli.com/products/index/config-mgr/

    Full disclosure: I work for Big Blue, and despite my bias I can tell you some HUGE companies and government agencies are happily using this product. (plus lots of small ones too)
  • Re:Valve is doing it (Score:3, Informative)

    by sfe_software ( 220870 ) on Saturday October 26, 2002 @05:25PM (#4538268) Homepage
    Off-topic, but:

    If only it worked through NAT firewalls. Grrrr

    The server is blocking ICMP requests, which means it will not see the ICMP Fragmentation Needed packets your NAT'd boxes will send. You need to reduce the MTU to around 1412 on the machines behind the firewall, or force the MTU in the firewall itself.

    If using Linux 2.4/iptables, see the netfilter kernel config help option for "TCPMSS Target Support"...

    Note that, technically, this is a problem on the server side (blocking ICMP for "security" reasons) but it can be solved on your end.

    (I fought with this for months before I found the problem)
  • by marko123 ( 131635 ) on Saturday October 26, 2002 @05:28PM (#4538283) Homepage
    Upgrade Suite [pcblues.com]

    It's windows, and freeware now. You might learn about some of the issues from the documentation.
  • by keyslammer ( 240231 ) on Saturday October 26, 2002 @05:47PM (#4538347) Homepage Journal
    ...for a large client several years ago. We needed to deploy software to > 400 factory tool control workstations. The prototype was written in Perl, the final version was reimplemented in Python.

    The basic features of the system were as follows:

    1) Packaging of software into the smallest deployable units. Define a standard for how files and meta-information are grouped together into a package (e.g. tarfiles, RPM's) so that the packages can be created and installed in a common manner.
    2) tracking of dependencies and compatibilities between packages
    3) Specification of the set of top-level packages that are required by an individual workstation
    4) dependency evaluation to calculate the final set of packages to be installed, or determine if no viable package set existed because of dependency conflicts
    5) a sizeable set of tools to allow us to manage this information, build packages, and track what got downloaded, why it got downloaded, and who changed what when ;-).

    The combination of these features is very much like what RedHat's "update agent" (and other Linux update utilities) provides. If you have the luxury of only having to support Linux, your best bet is probably to try to adapt one of these to your needs.
  • by Anonymous Coward on Saturday October 26, 2002 @05:51PM (#4538363)
    Back in the day I worked at Softdisk and we had several distribution methods, depending on the service provider (Prodigy, AOL, CompuServe, eWorld, Web).

    AOL - Members would join a software club - billed $19.95 monthly - and be able to download from our library. This was for in-house software, not for third party. At a royalty based on $2.95 per hour, we made a few bucks there. AOL's model change pretty much ended that. We also made money from our freebie download area, albeit royalty only. All programming done in Rainman Plus. It was different and pretty easy, but there were some hideous holes in the system security-wise.

    Prodigy - Customers bought software and after the transaction downloaded the software. Any disputes or problems were handled by our customer support staff, who would email or snail-mail the product if necessary. We had to snail mail our products b/c of problems w/their software delivery check-in system. We had little direct control of the store.

    CompuServe - Most painless to deal with. We uploaded product ourselves. Had to use weird scripting language to construct/modify store/pricing. It was kinda buggy, but it worked. Store performed quite well. The more often products were changed/updated, the better. Rotating ads throughout system for promotion, front screen placement drove huge traffic (big surprise).

    eWorld - Transaction completed in online store, product was emailed to customer minutes after transaction went through. Worked nicely, but ultimately tanked a couple of months after we got it up and running when Apple shut down eWorld.

    Web - Home-brewed CGI scripts ran the store. SSL, transaction processed real-time with our bank, customer could download product for up to 72 hours. Customer support thereafter.

  • by constantnormal ( 512494 ) on Saturday October 26, 2002 @06:03PM (#4538417)
    ... kinda like registered snail mail?

    I believe it's already been done. Originally, the exchange of digital information was done by a wide variety of means, then commerce kinda standardized on this thing called EDI (Electronic Data Interchange). More recently, it's evolved into an XML-based thing, but it's still EDI.

    It seems to have all the attributes you need:
    *) electronic delivery across platform, language, even character sets (XML will handle/requires Unicode).
    *) authentication of the recipient and sender, reasonable security
    *) provisions to automatically and securely exchange payment data upon receipt
    *) a standardized set of tags to use for referring to the business entities involved in the exchange
    *) many products already exist to facilitate this

    Googling on "XML EDI" will get you a bunch of responses. From a quick once-over of the 1st page, I thought this one was a good starting point:
    http://www.eccnet.com/xmledi/guidelines-styled.xml

    The only downside (and you may or may not consider it a problem) is that this requires your consumers to use a program they probably don't already have to receive and decode the transmission. Ftp has the virtue of being essentially omnipresent, albeit in minutely-differing flavors, and requires a modicum of knowledge to use in cross-platform, cross character set interactions. Perhaps your target user base has that knowledge. You don't really say whether this is an intracorporate distribution mechanism, or a vehicle for direct sales to the unwashed masses. This is important.

    I'm not really sure why nobody (at least nobody I know of) is using this to manage software distribution and payment exchange today, other than that the existing web-based tools are "good enuff".

    I'm sure some standards group has defined the grammar for commercial sale of software and related items (media, documentation, support contracts). And I'm equally sure that someone has a nice generic java-based XML-EDI client/server implementation package. But it's certainly cheaper to whack out something using normal web tools and ftp.

    In the end, cheaper usually wins out over everything else.
  • Re:I do! (Score:4, Informative)

    by sfe_software ( 220870 ) on Saturday October 26, 2002 @06:22PM (#4538539) Homepage
    The browser/platform issues arise with writing headers to the client. There is NO 100% method for doing so.

    Tell me this: what is different between your script writing headers, and the Apache server writing headers, to describe the content about to be sent?

    Honestly, use 'wget' or 'lynx -dump' and really examine the headers that are sent when you download a file. Apache is sending those headers. This is what tells the browser what is being sent, and it's the *only* thing telling the browser what is being sent.

    Simply mimic those headers (substituting the proper filename and size etc), and the browser will happily prompt the user to download.

    We built an inventory system for a manufacturer, and having pre-built Excel reports was one of their requirements. We simply send an HTML table, but sending the headers to appear as a .xls file binary attachment. Guess what? Either the user is prompted to download the "xls file", or the browser runs Excel (depending on the user's settings).

    It just takes some trial and error, but the biggest clue is to look at the headers that are sent when you actually download a file directly. The browser doesn't know (or care) whether it's a binary webserver program, or a bash shell script, sending the headers.

    And if that's too much work, again, create a symlink:

    ln -s filename.zip [unique-id]-filename.zip

    And give a hyperlink to the symlink. That's about as simple as it gets. In Windows you could probably create a "shortcut", but I really don't know/care about that. If you're running Unix, you have a ton of options here.
  • Re:I do! (Score:3, Informative)

    by GigsVT ( 208848 ) on Saturday October 26, 2002 @06:28PM (#4538574) Journal
    You are correct though, about getting a file to the customer. It's harder than it should be!

    I'm generating PDFs to send dynamically. I've done the same thing with inline jpgs for ages now, without having to save them to disk in any way, shape, or form.

    Browsers don't like HTTP redirects. It doesn't always work. IE5.5 is seriously broken unless you have a certain set of patches installed. Opera 6.0 Linux freaks out. Mozilla mostly handles stuff right.

    Eventually I had to do something like you did, generate the file and put it on a directly accessible filesystem, which is very inefficient compared to just streaming the data out, and potentially a lot less secure.

    Why can't browsers get their act together with dynamic content generated for external plugins? It doesn't seem like it would be that hard to fix... Mozilla already has it mostly right.
  • Re:I do! (Score:4, Informative)

    by sfe_software ( 220870 ) on Saturday October 26, 2002 @06:30PM (#4538585) Homepage
    Replying to my own post, but...

    I do recall there being one issue, with Mozilla/Netscape specifically, where the filename it prompts you to save is the filename of the *script*. But we got around this using mod_rewrite. So a link like this:

    [unique-id]-filename.zip

    becomes:

    script.php?id=[unique-id]

    And, since the browser is seeing "...zip" as the filename, it prompts with the correct default "Save As" filename. That's what we actually did for the Excel file, we just linked to (eg) Report.xls, which was actually a script.

    Personally, I say go with the symlink idea. It's probably the easiest for you to change from your current setup; simply change your 'cp' command to 'ln -s'... the deletion of the link, downloading of the link, etc will work just the same as if it were truly a redundant copy of the file.

    Of course Apache must be set to follow symlinks; don't forget to check that first.
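The `[unique-id]-filename.zip` link and the hand-written download headers discussed in the comments above, as an added example that is not part of the original thread. The link layout (customer.expiry.signature), the secret, the 72-hour lifetime and all function names are assumptions of this example; it shows an unguessable, expiring id and a filename check that keeps path separators and CR/LF out of the headers.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-secret"   # assumption: server-side key, never sent to clients
TTL = 72 * 3600                       # assumption: 72-hour download window
NAME = r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}"   # no '/', quotes, CR or LF
LINK = re.compile(r"([0-9]{1,10})\.([0-9]{1,12})\.([0-9a-f]{32})-(" + NAME + ")")


def _sign(customer, filename, expires):
    # The signature binds customer, file and expiry together, so none can be swapped.
    msg = f"{customer}\n{filename}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_link(customer, filename, now=None):
    """Return '<unique-id>-<filename>' to hand to a paying customer."""
    if not re.fullmatch(NAME, filename):
        raise ValueError("unsafe filename")
    customer = int(customer)
    expires = int(time.time() if now is None else now) + TTL
    return f"{customer}.{expires}.{_sign(customer, filename, expires)}-{filename}"


def check_link(link, now=None):
    """What the rewritten script does first: return the filename to serve,
    or None if the link is malformed, forged, altered or expired."""
    m = LINK.fullmatch(link)
    if not m:
        return None
    customer, expires, sig, filename = m.groups()
    expected = _sign(customer, filename, int(expires))
    authentic = hmac.compare_digest(sig.encode(), expected.encode())
    fresh = int(expires) >= (time.time() if now is None else now)
    return filename if authentic and fresh else None


def download_headers(filename, size):
    """Headers that make the browser offer 'Save As' with the right name."""
    if not re.fullmatch(NAME, filename):
        raise ValueError("unsafe filename")   # blocks header injection
    return [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", f'attachment; filename="{filename}"'),
        ("Content-Length", str(size)),
        ("X-Content-Type-Options", "nosniff"),
    ]


if __name__ == "__main__":
    link = make_link(42, "product-1.0.zip", now=1000)   # constructed sample values
    print(link)
    print(check_link(link, now=2000))                   # product-1.0.zip
    print(check_link(link, now=1000 + TTL + 1))         # None (expired)
    print(download_headers("product-1.0.zip", 123456))
```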
  • by Superfreaker ( 581067 ) on Saturday October 26, 2002 @06:40PM (#4538620) Homepage Journal
    Borrowing from the virtual link methodology, I think we may have a solution that will work even in IIS.

    We will use the free junction command line component, or linkd.exe, or one of the others and run it from our ASP page using ASPExec from ServerObjects.com. Will do the same as the unix version of a virtual link.

    So, even if this thread did not help the original poster, it helped us out and that is a good thing.

    Give yourselves all +1 karma
    Good job!
  • I paid for SpinRite 5, and if you own it you'll notice your serial number is embedded in the executable itself in a non-obvious manner and is displayed at runtime.

    So anyone who shares it will be likely flagged by Gibson.
