So, Windows has more linux in it these days



  • I often read Scott Hanselman's blog. He frequently talks about interesting things that I would never have known about. Case in point is today's:

    I can honestly say I didn't know this was there.



  • I knew. It's the beginnings of a package manager.

    I was keeping an eye on this, hoping MS might expand it so it can replace the Windows store. But no such foresight.



  • @cartman82 said:

    so it can replace the Windows store

    That will never happen. Like Hanselman says, hopefully there will be a package source for Windows Store apps, but the average user would rather use an app store than a package manager. There's no reason not to have both.





  • @Magus said:

    That will never happen. Like Hanselman says, hopefully there will be a package source for Windows Store apps, but the average user would rather use an app store than a package manager. There's no reason not to have both.

    It should be the other way around. OneGet should be the backend of windows store. So other people could

    • Create different GUI-s to target Windows Store database
    • Add different stores (eg chocolatey) to be targeted by Windows Store app (or similar apps)
    • Any combination of the above

    The one thing that stopped me from digging into "modern apps" was reliance on a single app store. Without some way for 3rd parties to step in, I don't see that changing now.



  • @cartman82 said:

    It should be the other way around.

    No, it shouldn't.

    @cartman82 said:

    Create different GUI-s to target Windows Store database

    The whole point of the store is a consistent look and feel across devices. A single UI which adjusts to phone, tablet, desktop, or hololens. It has a very specific purpose, and while they'd like it to replace msi, they know that even if they succeed, it will take decades.

    The goals of the two are totally different, and it makes more sense for the more general, more technical one to be used less.



  • @Magus said:

    I often read Scott Hanselman's blog. He frequently talks about interesting things that I would never have known about.

    Interesting, although too much focus on Microsoft stuff.



  • @cartman82 said:

    It should be the other way around. OneGet should be the backend of windows store. So other people could

    Create different GUI-s to target Windows Store database
    Add different stores (eg chocolatey) to be targeted by Windows Store app (or similar apps)
    Any combination of the above

    How would you handle payment processing?

    I mean I get what you're after, but I don't see how it could possible work on a practical level.

    @cartman82 said:

    The one thing that stopped me from digging into "modern apps" was reliance on a single app store.

    That's true of a lot of "apps". iOS, Blackberry, Xbox, PS, PS Vita, Nintendo DS, Roku, etc.

    About the only exception is Android, since it has Google's and Amazon's stores.



  • @blakeyrat said:

    How would you handle payment processing?

    I mean I get what you're after, but I don't see how it could possible work on a practical level.

    You don't think you can have a generic app store system, with payment processing?

    Something like, have an IAppStore interface with methods to

    • determine whether user X has rights to download a package
    • offer available payment options for package X
    • execute payment using method X and user's payment information for method X

    Pretty much like app store backend works now, only generic, so other groups could expose (or target) the same API.

    I don't see the problem.

    @blakeyrat said:

    That's true of a lot of "apps". iOS, Blackberry, Xbox, PS, PS Vita, Nintendo DS, Roku, etc.

    About the only exception is Android, since it has Google's and Amazon's stores.

    If you're powerful enough, you can make the devs swallow the bitter pill of tying their fortunes to the whims of a single company. Right now, MS isn't. Also, on Windows, I can still just publish my apps on my website and have people download them. That's not an option on iOS.

    The only path for MS is to open up their app ecosystem for 3rd party providers. Once people are used to getting their Windows apps from a store, MS can tightening up the integration. Eg. to add a 3rd party source, instead of clicking a link on a website, you must copy/paste something into an advanced dialog in control panel. And of course, 90% of the people would just keep using the nice, easily available Windows Store tile and never even look for alternatives. Kind if like PlayStore on android.

    Microsoft has missed a huge opportunity here.



  • @cartman82 said:

    You don't think you can have a generic app store system, with payment processing?

    Something like, have an IAppStore interface with methods to- determine whether user X has rights to download a package- offer available payment options for package X- execute payment using method X and user's payment information for method X

    Pretty much like app store backend works now, only generic, so other groups could expose (or target) the same API.

    I don't see the problem.

    How do you verify the company/entity providing this UI is PCI compliant?



  • @Magus said:

    The whole point of the store is a consistent look and feel across devices. A single UI which adjusts to phone, tablet, desktop, or hololens. It has a very specific purpose, and while they'd like it to replace msi, they know that even if they succeed, it will take decades.

    The goals of the two are totally different, and it makes more sense for the more general, more technical one to be used less.

    Which part of the word "backend" did you not understand?

    It would look completely the same on the outside. Just leave the escape hatch open, so hobbyist / nerd would feel better adopting the ecosystem.



  • @blakeyrat said:

    How do you verify the company/entity providing this UI is PCI compliant?

    How do you determine that a website you give your credit card is PCI compliant?

    Word of mouth. Reputation. Certificate.



  • That still makes no sense, and only clarifies that you aren't thinking about reality, but instead some kind of world where things work completely differently than they actually do.



  • @cartman82 said:

    How do you determine that a website you give your credit card is PCI compliant?

    Word of mouth. Reputation. Certificate.

    Ok but here's the deal: Microsoft would be the one sticking their neck out here, not the users.

    What's Microsoft's incentive to potentially get in trouble with VISA/MasterCard/etc? What's in it for them? What advantage of this API could possibly offset that huge risk?

    @Magus said:

    That still makes no sense, and only clarifies that you aren't thinking about reality, but instead some kind of world where things work completely differently than they actually do.

    It's like "14-year-old who's never worked in an office" thinking, which unfortunately is epidemic in this industry.



  • @Magus said:

    That still makes no sense, and only clarifies that you aren't thinking about reality, but instead some kind of world where things work completely differently than they actually do.

    How things work now, as far as I understand (correct me if I'm wrong).

    How I would like things to work:

    Noob users get very visible icons for the green stuff. Advanced users (or everyone, if MS turns evil / screws up) can install others by clicking special links or pasting stuff into console or whatever.

    If MS did this, they would have stood a much better chance of making Windows Store ecosystem a reality.



  • Riiiiight.

    But how do you manage payment processing?



  • @blakeyrat said:

    Ok but here's the deal: Microsoft would be the one sticking their neck out here, not the users.

    What's Microsoft's incentive to potentially get in trouble with VISA/MasterCard/etc? What's in it for them? What advantage of this API could possibly offset that huge risk?

    Why would MS stick their neck out? This system would work completely outside MS's supervision.

    As in, I decide to open up my own app store. Users can go to my website and download something. My store then becomes a page inside Windows App store, or is installed as a separate app, whatever. Bottom line is, my business is parallel with MS's app store business, not integrated into it. I bear the responsibility.

    Pretty straightforward, like any other app or site operates today.



  • @blakeyrat said:

    Riiiiight.

    But how do you manage payment processing?

    :wtf:

    Using the API I specified earlier? Like, it's a part of my "Provider"?

    I still don't see the problem you're so concerned about.



  • So any wag could create a UI that just allows free access to every app with no payment?



  • @blakeyrat said:

    So any wag could create a UI that just allows free access to every app with no payment?

    Err... what? No?

    I can decide through the API whether you're authorized to download apps from my "source" or not. And to become authorized, you must pay. Using that same API.

    Imagine the same way Windows Store works now, only decoupled from the system. As if a third party was able to install their own store.



  • @cartman82 said:

    I can decide through the API whether you're authorized to download apps from my "source" or not. And to become authorized, you must pay. Using that same API.

    Ok; how does Microsoft ensure the "entity" paying is PCI compliant?

    I feel like I'm just asking the same questions over and over here...



  • @blakeyrat said:

    Ok; how does Microsoft ensure the "entity" paying is PCI compliant?

    I feel like I'm just asking the same questions over and over here...

    Yeah, you are.

    Answer me this: why is it Microsoft's business to ensure that?



  • @cartman82 said:

    @blakeyrat said:
    So any wag could create a UI that just allows free access to every app with no payment?

    Err... what? No?

    I can decide through the API whether you're authorized to download apps from my "source" or not. And to become authorized, you must pay. Using that same API.

    Imagine the same way Windows Store works now, only decoupled from the system. As if a third party was able to install their own store.

    It sounds like you're advocating for some sort of OAuth implicit flow for payments ... which could work, but there's no incentive to implement it from a 3rd party point of view (i.e. you can't tack on any fees to individual purchases).



  • @cartman82 said:

    @blakeyrat said:
    Ok; how does Microsoft ensure the "entity" paying is PCI compliant?

    I feel like I'm just asking the same questions over and over here...

    Yeah, you are.

    Answer me this: why is it Microsoft's business to ensure that?

    Because they're the one who has the contract with VISA/MC. It's their risk according to the agreement.



  • @cartman82 said:

    Answer me this: why is it Microsoft's business to ensure that?

    It's not, really. But since they'd be shoveling the shit the instant something bad happens (either having to comp people for some third-party's fuck-up or, even worse, having to pay settlements to consumers for some third-party's fuck-up), it also represents a huge risk to them.



  • @rad131304 said:

    Because they're the one who has the contract with VISA/MC. It's their risk according to the agreement.

    No they are not.

    If I open up a store, I make the contract with banks and ensure compliance.

    MS has nothing to do with it. They just provide an infrastructure, where people can use my store directly from OS instead of going to my website.



  • @blakeyrat said:

    It's not, really. But since they'd be shoveling the shit the instant something bad happens (either having to comp people for some third-party's fuck-up or, even worse, having to pay settlements to consumers for some third-party's fuck-up), it also represents a huge risk to them.

    Why? If I use Internet Explorer to enter my credit card into some website and get screwed, no one's chasing Microsoft. Why would this be any different?



  • @cartman82 said:

    @rad131304 said:
    Because they're the one who has the contract with VISA/MC. It's their risk according to the agreement.

    No they are not.

    If I open up a store, I make the contract with banks and ensure compliance.

    MS has nothing to do with it. They just provide an infrastructure, where people can use my store directly from OS instead of going to my website.

    If I buy an app from the MS store through the 3rd party store, how is that payment processed in your world? I'm obviously not understanding how I get money if I publish an app in MS and it's purchased through the 3rd party store.



  • @cartman82 said:

    No they are not.

    If I open up a store, I make the contract with banks and ensure compliance.

    Ok, but you're just shuffling the problem around.

    @cartman82 said:

    MS has nothing to do with it. They just provide an infrastructure, where people can use my store directly from OS instead of going to my website.

    So how does MS ensure the product has been paid for before delivering the bytes to the user?

    @cartman82 said:

    Why? If I use Internet Explorer to enter my credit card into some website and get screwed, no one's chasing Microsoft. Why would this be any different?

    I feel like maybe there's some huge component to this system you maybe forgot to explain?

    Look, a million app developers put their apps on Microsoft's store. They establish this huge trust relationship with Microsoft.

    Now you're saying some random third party should be able to exploit that trust relationship without any say from the app developers?



  • @blakeyrat said:

    So any wag could create a UI that just allows free access to every app with no payment?

    Apps can still use the MS Store API to ask if they are legitimately installed, if the trial period is up, etc.



  • @rad131304 said:

    If I buy an app from the MS store through the 3rd party store, how is that payment processed in your world? I'm obviously not understanding how I get money if I publish an app in MS and it's purchased through the 3rd party store.

    We are now talking about an alternate GUI?

    The GUI uses Microsoft's Store API (or "provider") to make the purchase. Microsoft gets the money the same as if the purchase was made from the "official" App Store app.



  • @blakeyrat said:

    So how does MS ensure the product has been paid for before delivering the bytes to the user?

    MS doesn't do that. The "provider" does.

    The provider handles the payment and delivers the bytes.

    Package manager is just a fancy alternative to web browser downloading and installing the app.

    @blakeyrat said:

    I feel like maybe there's some huge component to this system you maybe forgot to explain?

    Look, a million app developers put their apps on Microsoft's store. They establish this huge trust relationship with Microsoft.

    Now you're saying some random third party should be able to exploit that trust relationship without any say from the app developers?

    I still don't understand.

    Give me an example scenario where this mysterious problem happens.



  • @cartman82 said:

    @rad131304 said:
    If I buy an app from the MS store through the 3rd party store, how is that payment processed in your world? I'm obviously not understanding how I get money if I publish an app in MS and it's purchased through the 3rd party store.

    We are now talking about an alternate GUI?

    The GUI uses Microsoft's Store API (or "provider") to make the purchase. Microsoft gets the money the same as if the purchase was made from the "official" App Store app.

    And why would MS want to open their API up to allow that? They're the one processing the Credit Card so they're responsible for the transaction from VISA/MC's POV if a fraudulent transaction occurs. I could build a bot that uses the Microsoft Store API to submit fraudulent purchases for my fake apps to make tons of $$ off of compromised MS accounts. Or what if the 3rd party sends all of the CC#s and info somewhere so that it all ends up on the black market?



  • @cartman82 said:

    The GUI uses Microsoft's Store API (or "provider") to make the purchase. Microsoft gets the money the same as if the purchase was made from the "official" App Store app.

    PCI rules don't work that way. The company taking the payment is responsible for being PCI compliant even if a third-party payment processor handles the details for them.

    There was until recently a "loophole" related to using an iframe to the third-party's domain, but:

    1. I don't think that "loophole" can be exploited in a non-web medium
    2. I'm pretty sure the CC companies are working on closing off that loophole as we speak.
    3. Exploiting this loophole would still make Microsoft (as the payment processor) responsible for people fucking-up, and still put hundreds of app developers into a shitty solution where they're now "trusting" more storefronts than they signed-up for.

    The best MS could do, IMO, is make it opt-in for app developers, at which point almost no app developers would ever turn it on, because

    #Duh duh duuuh

    the question, "what's in it for them?" remains unanswered.



  • Back to that dumb diagram:

    Windows store apps are very little like Chocolatey apps. One is msi, the other isn't. Yes, it makes sense for a package manager to be able to install either. It doesn't make sense for the Windows Store, which is specifically designed to provide one type of app which is guaranteed to give the same experience on multiple platforms to provide msi apps.

    Yes, you could build a store that uses the package manager and just ignores everything from any other provider, but what does that get you?



  • @radwhatever, @blakeyrat

    I see now what you mean. I was thinking more in terms of Windows Store reaching for different providers, which was my main concern. Your concern is a third party GUI reaching towards the Windows Store (or other) backends.

    So basically, a provider must ensure that all communication between the client and server is made through secure channel. On the web, the client is a web page, downloaded through secure connection. In a package manager version, there would need to be a similar system.

    How about something like a UAC window that acts like a paypal iframe? The popup ensures you are connected to who you think you're connected. Everything else is up to the relationship between you and the provider.

    That should work, that's how browsers work. Or you could just use a browser window, whatever. Point is, these technical hurdles just don't seem like such a big deal, if there was will to overcome them.



  • @Magus said:

    Windows store apps are very little like Chocolatey apps. One is msi, the other isn't. Yes, it makes sense for a package manager to be able to install either. It doesn't make sense for the Windows Store, which is specifically designed to provide one type of app which is guaranteed to give the same experience on multiple platforms to provide msi apps.

    Your argument: Windows Store shouldn't be designed as you propose because Windows Store is designed differently.

    Duh.

    @Magus said:

    Yes, you could build a store that uses the package manager and just ignores everything from any other provider, but what does that get you?

    Windows Store not being a wasteland?



  • Technically the plan is fine; we're not talking technically, we're talking business.

    And in a business context, the credit card companies got you by the balls. Basically.



  • @cartman82 said:

    @radwhatever, @blakeyrat

    I see now what you mean. I was thinking more in terms of Windows Store reaching for different providers, which was my main concern. Your concern is a third party GUI reaching towards the Windows Store (or other) backends.

    So basically, a provider must ensure that all communication between the client and server is made through secure channel. On the web, the client is a web page, downloaded through secure connection. In a package manager version, there would need to be a similar system.

    How about something like a UAC window that acts like a paypal iframe? The popup ensures you are connected to who you think you're connected. Everything else is up to the relationship between you and the provider.

    That should work, that's how browsers work. Or you could just use a browser window, whatever. Point is, these technical hurdles just don't seem like such a big deal, if there was will to overcome them.

    Well, I think that @blakeyrat's and my concern is more that there are rules around PII and card info during the transaction that everybody handling the data must obey (but ultimately the corp that signed the agreement is on the hook for). Opening the API directly to accept that data would open up MS to a huge amount of liability.

    Something like an OAuth implicit flow exchange would probably work to mitigate some of the major issues regarding the PII (CC#, personal info, etc.), but there's no compelling business reason for MS to do it since MS would still be liable for 3rd party fraud from the POV of the credit card company.



  • I thought NuGet (and it's PowerShell based console) has been with us for a long time.

    Although it only have plugins, and libraries, and libraries for libraries.

    EDIT: Btw, we have Web Platform Installer for other kind of free stuffs too (which also have function to solve dependencies).



  • I don't know much about payment processing, but I strongly suspect that whenever party A sends credit-card related information too party B, for party B to be PCI-compliant, they have to know beyond reasonable doubt that party A only handles the information in a PCI-compliant manner. In addition, if party A cares about PCI compliance, they likely also require to know beyond reasonable doubt that party B will handle the information in a PCI-compliant manner. And this kind of certainty cannot exist without a clear contract.

    Thus a free API between storefronts and backing stores cannot exist. Each pair of storefront and backingstore that needs to work will require both parties to enter into a contract, and to ascertain themselves the other party is following that contract. This would lead to the upfront costs for a new storefront or backing store to be much to high for one ever to be feasible, even if oother parties were willing to cooperate.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.