Daniel Klein
Wyatt O'DayWe haven’t released a new version. So there’s nothing to self-update.
Regarding your own self-updates make sure your server supports the old TLS protocols supported by the old .NET version.
Sep 21permalink
wyUpdate can't/won't self-updateAnswered
I include wyUpdate 2.6.18.4 built in 2012 in my company's products. But I see the last change to wyUpdate was in 2020 which includes some security updates that are now mandatory for us (using TLS 1.2 or 1.3, forbidding the use of TLS 1.0 and 1.1). AWS is turning off TLS 1.0 and 1.1 in June 2023, and if wyUpdate can't use TLS 1.2 or 1.3 by then it will fail. However, wyUpdate won't update itself and stays on the 2012 version.
How can I get wyUpdate to update to the latest version?
---
We've tried including the .NET 4.0 version of wyUpdate instead of the .NET 2.0 version in our builds (an option selectable in the wyBuild properties file). This fixes the problem for brand new installations, but not for our existing installations out there in the wild. We've also tried adding the .NET 2.0 version to all old versions, adding the .NET 4.0 version to the new version of files to be updated during patching and reuploading the patch files, but wyUpdate.exe is not altered from its original installed version. We're aware that this procedure is highly not recommended but we were all out of other ideas.
Sep 20, edited Sep 21permalink
I am baffled why you have continued to make commits to wyUpdate (including commits that fix the very problem we are having, e.g. commit 60cccd3 on 14 April 2020) if you have no intention of releasing any updates to the 2012 version. If there is no new version it will be impossible to continue to use wyUpdate once TLS 1.0 and 1.1 are retired, which I have no control over. Eventually it will be impossible to find a server anywhere that allows TLS 1.0 and 1.1. We will not be leaving AWS (“make sure your server supports the old TLS protocols”) in favour of wyUpdate, compromised security, and delaying the inevitable.
We have no “self-updates”. According to your own documentation, wyUpdate performs self-updates (https://wyday.com/wybuild/help/faq.php “You should not include wyUpdate.exe in your updates — wyUpdate self-updates.”), which it can't do if no further updates are forthcoming. When functioning properly, it then updates our products.
Can you recommend an updater that will work in 2023 and beyond? And how do we migrate all existing installations from wyUpdate to a different updater? We will need to disable and remove wyUpdate once we have a replacement that works in a secure environment as it causes error in our applications when it fails.
Alternatively, can you suggest a path forward that will allow existing installations to continue to update with wyUpdate once TLS 1.0 and 1.1 are switched off? If you are not already aware, this article explains that AWS will disable TLS 1.0 and 1.1 by 28 June 2023: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/ All old (and therefore current) versions of wyUpdate will cease to work on AWS at that point, leading to many upset customers. In order to prevent unexpected service disruptions, AWS recommends switching now which we are attempting to do.
Sep 21permalink
Answer
The solution we've gone for is to include the .NET 4.0 version of wyUpdate.exe with the patch files, plus a batch file which gets executed by wyUpdate after updating. The batch file renames the original .NET 2.0 version of wyUpdate.exe out of the way, then renames the .NET 4.0 version to just “wyUpdate.exe”. Will we change which files are included in the next update so that the old .NET 2.0 version and the batch file are deleted by wyUpdate.exe.
Sep 27permalink
It took us 4 days to build this workaround. Multiply your daily rate by 4 to work out how much it cost us, and how much it would cost you to work out an equivalent solution from scratch without wyDay's help.
If you are reading this after 28 June 2023 and your AWS hosted solution has suddenly stopped updating, know that Wyatt O'Day was aware of this issue 9 months before it happened and chose to not take it seriously. One day TLS 1.3 (the latest version at the time of writing) will be deprecated and unsupported. But Wyatt O'Day thinks TLS 1.0 will be supported forever which is why he doesn't see the need to release an update to wyUpdate to fix this issue.
Sep 29permalink