the Windows unrecognized software issue
System dynamics program with additional features for economics
Brought to you by:
hpcoder,
profstevekeen
Not really a problem for personal users as we can just click and still install, but I'm wondering what the problem is exactly with Windows flagging Minsky as I feel it may put people off. Does it just require a recognised code signing certificate? In which case I imagine the cost of that might be prohibitive?
On Thu, Jun 14, 2018 at 05:01:39PM -0000, Nick Jackson wrote:
Hi Nick - could you provide more details please? I've never seen
Windows complain about Minsky being unrecognised, nor my son (who does
QA), nor Steve Keen. In fact, you are the first person to report this
issue.
A quick google of "windows unrecognized software" indicated it could
be due to some malware
(https://www.pcrisk.com/removal-guides/11874-windows-defender-prevent-an-unrecognized-software-scam),
or it could be due to something called SmartScreen which is only
active if you try to run software from Internet Explorer. The question
is, why would you want to run Minsky from Internet Explorer?
That said, I wouldn't put it past Microsoft to do such a thing - Apple
already does this, with a ridiculous $100 per year fee to have your
software signed to prevent a annoying popup the first time you install
the software:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
--
Dr Russell Standish Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow hpcoder@hpcoders.com.au
Economics, Kingston University http://www.hpcoders.com.au
I should have made it clear that it's just the installer. I've linked screenshots (couldn't attach them). Steve is definitely aware of it as he mentions it when giving a demonstration and asking people to install Minsky. So it is Smart Screen but it happens from running the installer from Windows Explorer not within Internet Explorer. I did a bit of research myself and it does seem it's probably a code signing thing which indeed seems to require an annual cost of maybe even more than $100 per year.
Ah, right - I haven't launched msi files from the Windows Explorer for years - it's much easier to do it directly on the command line using the msiexec command.
But even if I launch the msi from the Windows Explorer, I don't get this unrecognized software message. Maybe a developer machine problem?
BTW - your links did not come through.
Ah - it seems like you have to download the .msi first (eg using IE). Then launching the msi from Windows Explorer from the standard downloads directory triggers the Smart Screen warning. If you move the msi elsewhere, or use the command line, no such warning is triggered.
Talk about swiss cheese security!
For me the warning is triggered no matter where the file is located and even when using the command line. I don't know anybody who is installing downloaded windows programs from the command line but I guess it's all just personal preference.
I think I've managed to attach a file this time.
Well now you do! I was very happy when I discovered the command line variants of launching an MSI or a Mac pkg file. It has saved me a lot of time... YMMV, of course.
I have turned off windows defender and don't have problems like this.
Haha. Well I find a single click from within Chrome to be pretty simple to be honest. Quicker for most average windows users than launching command line, navigating to the directory and typing a command, I would imagine, especially the type who might be concerned about a Smart Screen warning.
As for turning off windows defender, I'm not saying this is a problem for me. I trust the software. I was just suggesting that it might be an issue for those working in more controlled environments and was wondering what it was that was causing it. It looks to be the case that it is expensive code signing, but that was what I was trying to get to the bottom of.
As I said, YMMV. Typically, I'm scp'ing the files from a Linux box, and building the msi from within a cygwin terminal. From there, I'll install the software with msiexec to test it. To do it from windows explorer requires many more mouse click and drags to navigate to the cygwin directory to find the msi file.
I'm all in favour of signing the software.All the linux releases are signed. It is desirable for users to know that the software as downloaded is exactly what I created. I'm just not in favour of extortionist behaviour from the majors. I've posted a ticket to investigate further what open source signing possibilities exist.
Last edit: High Performance Coder 2018-06-17
Download from sourceforge is something like a sign. Problem would be if users download Minsky from somewhere else on internet.
Anyway, it would be better Minsky software to be signed.
I also thought little about this - can some model itself be signed and locked with password and maybe with watermark on canvas and number of version of Minsky in which it is made?
Maker of model, who wants to allow others to modifie his model, but also wants to protect his original version, could issue two versions - one protected and one unprotected. Protected version would allow person who downloads it only to run, stop and pause model but not to modifie it.
As for Minsky software, now only "sign" for some model is that it is downloaded directly from Sourceforge Minsky page or from professor Keen patreon page.
Similar is in music. There is not totally protection but person who first publish some composition on internet or somewhere else and can prove that, has copyright.
Maybe it is not so important, but it seems to me that it would be better, if some advanced models had some additional protection because someone could modifie them and sell investment advices like he is looking to the crystal ball. Or original idea of maker of a model could be ruined with model not working properly in new version of software.
On Sun, Jun 17, 2018 at 01:48:12PM -0000, Kresimir wrote:
It may make sense to save the minsky version along with the file, and
have that visible to the user. Whack that up as a ticket, and it'll
get done soon, because it is a trivial bit of work.
What is currently stored in the file is the schema version (current
version 2). What I do promise is that Minsky will always interpret a
file of a given schema in the same way. But you are relying on my
technical skill to get that correct :). Better would be to know
exactly which version wrote the file, so that in the even of any
discrepancy, the intended behaviour can be determined.
I don't think this is really the function of Minsky. What I'd like to
see happen is to use Github to publish and distribute Minsky
models. There is already a Github project "minsky-models" that is set
up for this purpose, which researchers can fork, add their own models
and make their own modifications to other published models. To
integrate this github project into Minsky is a long term goal...
Cheers
--
Dr Russell Standish Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow hpcoder@hpcoders.com.au
Economics, Kingston University http://www.hpcoders.com.au
If I open file with schema 1 add some chart and save file, would then schema be 1 or 2?
On Mon, Jun 18, 2018 at 06:08:05AM -0000, Kresimir wrote:
2 (unless you're using an old version of Minsky). Schemas always move forwards.
Minsky 2.x can understand Minsky 1.x files, (and schema 0 files) but
writes schema 2 files only. Minsky 1.x doesn't understand schema 2
files at all.
Cheers
Dr Russell Standish Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow hpcoder@hpcoders.com.au
Economics, Kingston University http://www.hpcoders.com.au
Then it wont be usefull if number of version of software is recorded on some visible place. I just thought little about this because I modified models I dowloaded.
I think you overestimate problem with windows defender and signing of software. Sometimes windows don't recognise certificates of important state owned agencies.
Nick has also said that it is not big problem for personal user.
On Mon, Jun 18, 2018 at 09:46:25AM -0000, Kresimir wrote:
Sure - it won't be for you guys. Also if the vast bulk of open source
software do not code sign, then user will simply click through,
ignoring such warnings, rendering such a system uselss. Such is
life. But the problem that code signing fights against is not
theoretical. Just a few years ago, SourceForge was caught adding
adware into certain downloadable Windows packages (not Minsky). The
ensuing scandal caused significant reputational loss for those
packages, and for SourceForge. This is the sort of thing that code
signing prevents. In the absence of a workable peer-to-peer open
source system like PGP, Microsoft's system is really the best
going. It is at least an industry wide system, not so prone to the
whims of 700lb gorillas like Apple.
--
Dr Russell Standish Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow hpcoder@hpcoders.com.au
Economics, Kingston University http://www.hpcoders.com.au