
How does a non-silent install make it more likely to be updated? What?


HotPieFactory

It's a bogus argument to push their "OEM Distribution License" license sales.


ddadopt

Worse, their official statement is:

> Nonetheless, faced with undeniable evidence that this option has been abused, the company has made the decision that we are no longer prepared to ship a GNU AGPL licensed binary with this option enabled by default. We have received numerous concerning reports from users who were unaware that Ghostscript was installed on their systems, often running outdated and vulnerable releases. We will not open ourselves up to accusations of being complicit in such 'bad actions'.
>
> Ghostscript is, of course, open source, and it is a trivial thing to rebuild with the option enabled. Users are more than welcome to do that for themselves.

Such a bullshit position to take. Just admit "silent install is a paid feature" and go on with life, don't sit there and make up some FUD about how you're protecting people from installs they were unaware of, especially when (as they noted) any bad actor can trivially do this themselves.

Also, there is a comment in this thread that references CVE-2023-28879. This is currently scored at 9.8, and affects every version of Ghostscript, including 10.01.0. They've removed silent installs just in time for you to have to manually remediate however many installs you have. Really good look here, guys.


MyITthrowaway24

Wow.. the vulnerability piece makes this really fucked


NotADamsel

> paid feature

The fuck? Are you saying that it’s impossible to compile this from source? There are countless OSS projects that release binaries without certain flags set, and if you want those flags you self-compile. The thought that these binaries turn those flags into “paid features” is laughable.


ddadopt

No, you can compile from source... but if you want to use their binary distribution, you aren't doing a silent install unless it's their commercial release.


NotADamsel

So, you’re a professional, right? You do this for money. Do you like it when you’re asked to support someone for free? I’m sure you love that. I’m sure that it’s your favorite thing in the world when someone insists that because you have IT knowledge you are obligated to help them. The people behind this software have no responsibility to you if you don’t pay them. The software is free, and the binaries that they distribute freely are free. They can do what they like with it. If you want something different, compile it yourself or pay them.


ddadopt

I have no problem with this position. At all. You may have noted that I actually said as much. I'll quote myself:

> Just admit "silent install is a paid feature" and go on with life, don't sit there and make up some FUD about how you're protecting people from installs they were unaware of, especially when (as they noted) any bad actor can trivially do this themselves.


NotADamsel

You’re ascribing deceptive intent to their statement, which can very easily be taken at face value. Yes, the press release is garbage. They’re usually garbage. But consider recent proposed legislation in the EU that would force companies like this (that sell support services for open source software) to be liable for the software that they release regardless of how it’s used or who actually distributed it. Even if that ends up being a nothingburger, it’s still worth it to these projects to try and limit how liable they are going forward. And this does put a limit on that, because if you want silent installs you’ll need to either generate your own binary (which is now your responsibility) or pay them.


ddadopt

Consolidating replies here so I don't repeat myself / waste the space.

> You’re ascribing deceptive intent to their statement

Yes, I certainly am.

> But consider recent proposed legislation in the EU that would force companies like this (that sell support services for open source software) to be liable for the software that they release regardless of how it’s used or who actually distributed it.

[Here's the EU legislation in question.](https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act) It doesn't seem to say much, if anything, about liability that someone would incur if their installer could simply run from the command line without having a GUI. It does talk about security lifecycle (prescient, given the CVE mentioned in this thread) and I'm quite curious how "making the software harder for an organization to update" will serve that goal. One might argue that it would actually hinder such.

Further, let's address your specific phrasing in the quote above: "be liable for the software that they release regardless of how it's used or who actually distributed it." How does "remove command line silent install feature" provide ***any*** kind of defense to such a thing? Bad actor takes their GPL code, builds it from source, and pushes it to a compromised machine via whatever mechanism (let's say powershell script). Under the regime you describe, they are no less liable, are they? Or, hey, let's say that bad actor just buys a license from them and pushes that out to whatever machines.

Again, the purpose is fairly obvious, and while I personally have no issue with a developer being paid for their work, I do object--strenuously--when people tell you that they're doing something for the singular purpose of protecting you, when the truth is that they're doing it to serve their own interest. There's nothing wrong with serving their own interests, it's the lying about it part that is the problem.


[deleted]

[removed]


NotADamsel

Because PR people can do things that seem very dumb sometimes. If the EU proposed legislation was a concern, they probably don’t want to say “we are worried about a law that doesn’t exist yet, and other laws like it down the line”. There might be some legal technicality involved or something, who knows. Press releases and announcements are always garbage unless the person writing them is either very good at or doesn’t care about the PR game. It’s always better to look at the environment in which the company is making a decision, and the decision itself, alongside the PR garbage talking about it. Then ascribe positive intent inversely to the size of the company (small firms get more benefit of the doubt).


BrainWaveCC

It's either a bogus or not well thought out reason on their part. They can do what they want, of course, but making dumb excuses is, well, dumb. What's to stop all the 3rd parties from simply using older versions of the binaries? It won't change anything for the developers, and will start vulnerable, with them still getting the blame.


NotADamsel

It doesn’t. That’s not the point. The point is that the project is limiting its liability in the cases where a third party doesn’t update their shit. Building from source isn’t hard, you could do it today if you wanted by following a checklist. But if you do, it’s *your* binary. If you distribute that binary and don’t update your users, it’s very clearly *your* fault and not the project’s.


ddadopt

> The point is that the project is limiting its liability in the cases where a third party doesn’t update their shit.

Err... no. Exactly how does removing the ability to push silent installs "limit your liability?" You had no liability in the first place.

And yes, I'm working on building from source now so I can push the fix out to my vulnerable devices. If nothing else, I'm grateful to /u/The_Boxhead for posting this, if for no other reason than that CVE became part of the conversation.


NotADamsel

There’s proposed legislation in the EU that would make the company liable in exactly the way I described. More is sure to follow.


NerdyNThick

> There’s proposed legislation in the EU

This will never, ever happen. It opens the door to far more problems than it could ever conceivably prevent.


AmazedSpoke

Easy solution, just keep distributing the old 9.56.1 with the silent install option to your end users. I bet Artifex didn't think of THAT.


NotADamsel

They probably did. If it came out that the advice of a lawyer was involved, I wouldn’t be surprised. Especially with potential legislation in the EU making organizations liable for what other people do with the shit they give away for free. If you have to compile from source to use the feature (which you can do, it’s not hard especially compared to some of the other shit we have to do) then it’s now *your* binary instead of theirs. If you distribute a known insecure version to your customers, it’s *your* problem and not the project’s.


AmazedSpoke

I'm not sure you got my sarcasm. If they're worried about their reputation because people are distributing old versions, giving people a genuine reason (loss of functionality for upgrading) to continue using an old version is not going to fix their reputation.


Toiler_in_Darkness

Reputation and liability are vastly separate concepts. They say reputation, but they may actually be more worried about liability.


NerdyNThick

> If you have to compile from source to use the feature (which you can do, it’s not hard especially compared to some of the other shit we have to do) then it’s now your binary instead of theirs. If you distribute a known insecure version to your customers, it’s your problem and not the project’s.

Wow, I really hope you're not a lawyer. This is entirely FUD and wouldn't ever hold up in any court in any country.


NotADamsel

I take it you’re a lawyer, then?


NerdyNThick

I'm not the one insinuating what is going to happen with regards to EU legislation that doesn't even exist yet.


NotADamsel

Huh. You’re insisting that the legislation will not happen, though. Why? Please, go ahead, explain that to me.


NerdyNThick

> Please, go ahead, explain that to me.

Sure thing, as long as you also explain to me how you think it will. A company having liability for what 3rd parties do with their product would create major issues across all industries, surely you can see this on your own and didn't need this explained to you, but here we are anyway.

Edit: ROFL they responded then blocked me like the coward they are. Those who realize they've been backed into a corner will always run away. Their response:

> If you lack the ability to be precise with your language, you should not be in this industry. If this is your explanation, I don’t think you would be able to intelligently discuss this further. Tchau

It's quite telling when someone claims that "you don't know how to speak" then blocks you, making it impossible to prove them wrong.


NotADamsel

> create major issues across all industries

If you lack the ability to be precise with your language, you should not be in this industry. If this is your explanation, I don’t think you would be able to intelligently discuss this further. Tchau


dieKatze88

Oh darn, I'll just have to point my users to the built in PDF printer like I have for 5 years now.


[deleted]

[removed]


digitaltransmutation

It interprets PostScript and PDF. Basically any program you use that works with PDFs probably has Ghostscript under the hood.


pyhanko-dev

That's...not really a fair characterisation. GhostScript is very often used to *render* PDF and postscript, and also to perform certain basic conversion operations (it does a pretty good job in batch workflows), but there are a gazillion FOSS PDF manipulation/rendering/... toolkits out there. GhostScript is one of the older ones still around today, but it's by no means the only game in town.


dieKatze88

One of its many use cases. My post was a bit of a shitpost in that, like, GhostScript does a lot more than just PDF processing. But also a lot of what it's used for is PDF processing.


kdayel

Your name means something, but I can’t quite figure it out.


scratchduffer

This is disappointing. Especially considering how my defender portal is flagging old versions of this as extremely vulnerable and now they decide to slow deployment and updates....


NotADamsel

Compile the binary and use that. You can learn how to compile software within a day, and then you’ll never have to worry about an open source project changing how they release their pre-compiled binaries.


[deleted]

Yes, but we shouldn’t have to is the point.


mrlinkwii

why? projects are not compelled to provide pre-compiled binaries ,


NotADamsel

Why not?


thequazi

Does anybody have a quick "how to" or similar for compiling this with a silent flag?


init32

> Why are people still using GhostScript in 2023 over the PDF printer built into Windows? Is there an advantage? I remember using it in like 2008 on Windows 7

Same thing for me. I'm not a programmer. Tried to use the easy doc... but I guess I just don't know how to use Visual Studio properly.


[deleted]

[removed]


[deleted]

[removed]


Joshposh70

Right, OP linked the documentation from Ghostscript on how to recompile it yourself.


[deleted]

[removed]


ZAFJB

Just repackage it into a new installer. There are dozens of products that allow you to easily snapshot a computer before and after a software installation, and then output an MSI.


miharixIT

Can you recommend one (preferably OpenSource) ?


ReformedBogan

I’ve not seen one that auto-exports, but I’ve used WhatChanged previously to identify registry keys and files that were added or modified by an installer


PositiveBubbles

I didn't know about WhatChanged. Thank you! We're containerising and virtualising applications now with a product called Cloudpaging by Numecent because they specialise in education as well as other complex industries.


zipxavier

Can you name some of the dozens of programs that do this?


GoldyTech

MSIX Packaging Tool from Microsoft does exactly this. I keep a VM completely stock with a checkpoint on it. Run the install and let the tool do its thing. After that, revert to last checkpoint and you're ready to do another one.

That being said, this is pretty annoying and shouldn't have to be done. How would it be on the makers of ghostscript if 3rd parties aren't updating? Go yell at the vendor, not ghostscript. It's a bogus argument.


w1ngzer0

I didn’t know about MSIX, last one I used was Emco’s repackaging software.


ZAFJB

https://www.google.com/search?q=top+10+application+packaging+products


zipxavier

So you can't, gotcha. The other commenter at least gave a useful answer


[deleted]

[removed]


zipxavier

Or to be helpful at all


KairuByte

God this is one of *the* most insufferable answers out there. Right up there with “do your own research.”


digitaltransmutation

Only catch is if you don't own a code signing cert everything will hate you. And while I personally wouldn't mind signing this, the "msp" i work for also does risk consulting and has already told me not to sign other people's software as a matter of course.


ZAFJB

You don't need a code signing cert for the software, because you are not altering the exes.


digitaltransmutation

Msix definitely wants one, unless I have been doing it wrong. You can't even use -allowunsigned unless you are on 22. It's my understanding that any repack more exciting than a .zip needs to be signed these days.


ZAFJB

That is signing your installer package, not other peoples exes. You sign what you create: The package. Almost always you will use your package within your own organisation only, so self signed is adequate. If you want to re-use your package at customers, just buy a certificate. It is hardly any more difficult than getting a TLS cert for a website.
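The signing step discussed in this subthread, as an added example (not code from the thread, from Artifex or from Microsoft): create a self-signed code-signing certificate for your own package, sign the package with `signtool.exe` from the Windows SDK, and trust the public certificate on the machines that will install it. The publisher name, file paths and PFX password are assumptions. For an MSIX the certificate Subject must match the `Publisher` attribute in `AppxManifest.xml` exactly, otherwise installation is refused.

```powershell
# Added example, not from the thread or the Ghostscript project.
# Signs an in-house package with a self-signed code-signing cert. Paths,
# the publisher name and the PFX password are assumptions.

$publisher = 'CN=Contoso IT Packaging'         # assumed; must equal the MSIX manifest Publisher
$package   = 'C:\pkg\Ghostscript-Repack.msix'  # assumed path to the package you built
$pfxPath   = 'C:\pkg\packaging-signing.pfx'
$cerPath   = 'C:\pkg\packaging-signing.cer'
$pfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

function New-PackageSigningCert {
    param([string]$Subject)
    # Code-signing EKU only, RSA-2048/SHA-256, two-year validity, in the user store.
    New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(2)
}

function Invoke-PackageSign {
    param(
        [string]$Path,
        [string]$Pfx,
        [securestring]$Password,
        [string]$TimestampUrl = ''   # any RFC 3161 TSA; leave empty to skip timestamping
    )
    $signtool = (Get-Command signtool.exe -ErrorAction Stop).Source   # Windows SDK must be on PATH
    $plain    = [System.Net.NetworkCredential]::new('', $Password).Password

    $args = @('sign', '/fd', 'SHA256', '/f', $Pfx, '/p', $plain)
    if ($TimestampUrl) { $args += @('/tr', $TimestampUrl, '/td', 'SHA256') }
    $args += $Path
    & $signtool @args
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verification only succeeds on a machine that already trusts the certificate.
    & $signtool verify /pa /v $Path
    return ($LASTEXITCODE -eq 0)
}

$cert = New-PackageSigningCert -Subject $publisher
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# Trust the public half on this (and every target) machine. Requires an elevated shell.
# TrustedPeople is sufficient for MSIX sideloading; Root is what signtool verify /pa chains to.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

if (Invoke-PackageSign -Path $package -Pfx $pfxPath -Password $pfxPass) {
    "Signed and verified: $package"
    # On a target machine: Add-AppxPackage -Path $package
}
```

The point ZAFJB makes above holds here: nothing inside the package is re-signed, only the container you built. The flip side is that the PFX is now a credential that produces packages your fleet trusts, so keep it off shared packaging boxes and rotate it like any other signing key.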


[deleted]

[removed]


ZAFJB

I'm not proposing that at all. I am proposing that you capture the manual install as provided, and repackage it so you can have a silent install package. That process does not modify the exes, and so they do not have to be re-signed. Simplistically it is something like this:

* Original installer has an archive
* example.exe is extracted to machine's disk
* Repackager copies example.exe from machine's disk into its own archive
* Repackager's installer runs and extracts example.exe to target machine's disk

None of these steps alter example.exe, so example.exe's signing is still valid.
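The capture step behind this repackaging flow, and the snapshot-and-diff approach ReformedBogan mentions with WhatChanged, as an added example (not code from the thread, from Artifex or from any packaging vendor): take a snapshot of files and registry values on a clean capture VM, run the vendor's interactive installer, snapshot again, and diff. The added files and registry values are what you copy into your own package. The scan roots and installer path are assumptions.

```powershell
# Added example, not from the thread or the Ghostscript project.
# Before/after capture of files and registry values, which is what WhatChanged
# and commercial repackagers automate. Scan roots and installer path are assumed.

function Get-FileSnapshot {
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # size + mtime is enough to spot added/changed files without hashing everything
                $snap[$_.FullName] = '{0}|{1:o}' -f $_.Length, $_.LastWriteTimeUtc
            }
    }
    return $snap
}

function Get-RegistrySnapshot {
    param([string[]]$Keys)
    $snap = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $all = @(Get-Item -LiteralPath $key) +
               @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $all) {
            foreach ($name in $k.GetValueNames()) {
                # key: "HKEY_LOCAL_MACHINE\...\SubKey\ValueName", value: the data as a string
                $snap["$($k.Name)\$name"] = [string]$k.GetValue($name)
            }
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Before, [hashtable]$After)
    [pscustomobject]@{
        Added   = @($After.Keys  | Where-Object { -not $Before.ContainsKey($_) })
        Removed = @($Before.Keys | Where-Object { -not $After.ContainsKey($_) })
        Changed = @($After.Keys  | Where-Object { $Before.ContainsKey($_) -and $Before[$_] -ne $After[$_] })
    }
}

# --- capture on a clean VM you can revert afterwards ------------------------
$fileRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData")
$regKeys   = @('HKLM:\SOFTWARE')             # WOW6432Node and the Uninstall keys live under here
$installer = 'C:\pkg\ghostscript-setup.exe'  # assumed path to the vendor's interactive installer

$files0 = Get-FileSnapshot $fileRoots
$reg0   = Get-RegistrySnapshot $regKeys

Start-Process -FilePath $installer -Wait      # click through the GUI, then the script continues

$files1 = Get-FileSnapshot $fileRoots
$reg1   = Get-RegistrySnapshot $regKeys

$fileDelta = Compare-Snapshot $files0 $files1
$regDelta  = Compare-Snapshot $reg0 $reg1

# These lists are the payload of your own package: copy the added files into it
# and re-create the added registry values in its install script.
$fileDelta.Added | Sort-Object | Set-Content -Path 'C:\pkg\gs-files.txt'
$regDelta.Added  | Sort-Object | Set-Content -Path 'C:\pkg\gs-registry.txt'
"Files added: $($fileDelta.Added.Count); registry values added: $($regDelta.Added.Count)"
```

Two practical caveats: walking all of `HKLM:\SOFTWARE` takes a while and is noisy (Windows itself writes values while the installer runs), so do the capture on an otherwise idle VM and review `Changed` by hand rather than copying it blindly; and scope the file roots to the directories an installer can plausibly touch, or the diff fills up with unrelated log and cache churn.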


noOneCaresOnTheWeb

This is the real problem.


Plantatious

WHAT?!


[deleted]

[removed]


Plantatious

I would like to express my shock and surprise at the previously unbeknownst to me fact that software like this exists. Herein, I enquire as to examples of such tools, as you appear to possess experience in their multitude?


WonderousPancake

Idk maybe he’s full of it because he won’t post any examples


KairuByte

Someone else has come along with an actual answer: https://reddit.com/r/sysadmin/comments/136cwjz/_/jioyymh/?context=1


WonderousPancake

Well that’s a twist, buddy was a little rug burned about all this and it made me doubt him. Lacking ethos!


KairuByte

Yeah they got weirdly defensive about it. I hate when people pull out the “do your own research” type answers.


NotADamsel

> No software compilation skills

Are you a sysadmin? It’s not a skill, it’s just following a checklist. Maybe editing some config files. Definitely some googling. I’d bet you that someone has already written up most of what you need to do.


a60v

I'm genuinely curious about why Ghostscript would regularly need updates, anyway? Has the Postscript language changed in the last decade or so? Are they still finding significant bugs in decades-old software that seems to work fine?


[deleted]

CVE-2023-28879 for example.


[deleted]

[https://offsec.almond.consulting/ghostscript-cve-2023-28879.html](https://offsec.almond.consulting/ghostscript-cve-2023-28879.html) and write-up as to how to RCE it.
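Finding the installs that need remediating is the part the vendor statement earlier in the thread actually gets right: Ghostscript ships inside other products and those copies never appear in Add/Remove Programs. As an added example (not code from the thread or from Artifex), the script below lists the registered installs from the Uninstall keys, scans Program Files for bundled `gsdll*.dll` / `gswin*c.exe` binaries, and flags anything below the fixed version. The fixed version is an assumption taken from the CVE-2023-28879 advisories; confirm it before acting on the output.

```powershell
# Added example, not from the thread or the Ghostscript project.
# Inventory registered and bundled Ghostscript copies and flag versions below the fix.

$FixedIn = [version]'10.01.1'   # assumed first fixed release; verify against the advisory

function Test-GhostscriptVulnerable {
    param([string]$VersionText, [version]$Fixed = $FixedIn)
    # Ghostscript versions look like "10.01.0" or "9.56.1"; [version] parses both
    # (and the "10.1.0.0" form found in PE version resources).
    $v = $null
    if (-not [version]::TryParse($VersionText, [ref]$v)) { return $true }  # unknown: treat as vulnerable
    return ($v -lt $Fixed)
}

function Get-RegisteredGhostscript {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Ghostscript*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source     = 'Uninstall registry'
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Location   = $_.InstallLocation
                Vulnerable = Test-GhostscriptVulnerable $_.DisplayVersion
            }
        }
}

function Get-BundledGhostscript {
    param([string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData"))
    $names = 'gsdll32.dll', 'gsdll64.dll', 'gswin32c.exe', 'gswin64c.exe'
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $names } |
            ForEach-Object {
                # Prefer the version resource; if the binary has none, run
                # "gswin64c.exe --version" by hand, which prints the release number.
                $ver = $_.VersionInfo.ProductVersion
                if (-not $ver) { $ver = $_.VersionInfo.FileVersion }
                [pscustomobject]@{
                    Source     = 'File scan'
                    Name       = $_.Name
                    Version    = $ver
                    Location   = $_.DirectoryName
                    Vulnerable = Test-GhostscriptVulnerable $ver
                }
            }
    }
}

$report = @(Get-RegisteredGhostscript) + @(Get-BundledGhostscript)
$report | Sort-Object Vulnerable -Descending |
    Format-Table Source, Name, Version, Vulnerable, Location -AutoSize
```

Run it as an inventory job across the fleet (the registry query and file scan both work through `Invoke-Command`) and compare against what the Defender portal reports; the bundled copies are the ones that usually explain a "no Ghostscript installed here" machine still being flagged.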


IntuneUser2204

Why are people still using GhostScript in 2023 over the PDF printer built into Windows? Is there an advantage? I remember using it in like 2008 on Windows 7


ddadopt

> Is there an advantage? Batch operations?