Since Setup Factory worked very well for me, I have started looking at Visual Patch. One thing that concerns me is that the patches hold the entire latest version (i.e. patching is not incremental)- I would like to know what security measures are applied to the patch file to prevent extraction of a file from the patch and if anyone has produced an 'unzip' style ***** for visual patch exe's.

Some quick points:

A Visual Patch patch only holds the entire latest version of each updated file in the latest release...i.e., it contains a copy of the "latest version" only on a file-by-file basis.

Visual Patch uses the same type of security measures as Setup Factory for its internal storage archive.

As far as I know, no one has circumvented (or bothered to try circumventing) either program's archive security.

Visual Patch does have some important security features built in, such as being able to identify key files that must exactly match (CRC value, filename, relative location, and file size) on the user's system in order for a valid version to be identified.

Visual Patch also handles the situation where a file exists in the update but doesn't exist on the user's system very carefully. By default, it will only install such a file if it wasn't present in at least one previous release (so the user has a valid excuse to not have that file installed). Of course, you can also override this setting on a per-file basis, choosing to always or never install a particular file.


[This message has been edited by Lorne (edited 01-11-2002).]

I accept your points - I'm just looking for some reassurances... I'm considering VP for a patch I want to put onto our website in a general download area. This will fix some issues with our latest version's main exe file, but will not upgrade any earlier versions. However users of these earlier versions already have all the other files that they would need if they could 'get at' the internal archive for the new executable and so avoid paying for us for a legitimate upgrade. I don't think I'm being too paranoid!

I don't either. From what I've been told, it would be very difficult to circumvent the encryption used in the archive. However, I've personally seen some so-called "impossible to break" hardware encryptions be defeated with statistical analysis techniques (which I unfortunately didn't understand, even with access to the ASM source).

If security is absolutely important, you'll want to take as many measures as you can. Perhaps requiring your users to enter their serial number for authorization would be an additional precaution you could take (assuming you have differentiated lists for the users with the two executables).

You might also want to evaluate TrueUpdate, which would allow you to do some tests on the user's system (checking CRC values and such) before even allowing them to download the patch file.