Microsoft's best practices dictate that we dynamically link the VC ++ runtime for security reasons, and it would be nice if our application automatically collected fixes without requiring a separate application update on our part.
However, over the past couple of years I have created installers for the Evolve client. Our biggest client installation problem was caused by failed vcredist installations. The biggest error codes:
1612: Installation source for this product is not available. Make sure the source exists and you can access it.
1638: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove an existing version of this product, use the "Add or Remove Programs" in the control panel.
We also run in cases where some third-party application manually installed the 32-bit version of msvcr100.dll in System32 on the 64-bit version of Windows, which clearly leads to the failure of all applications on the system that rely on this.
Now, my question is: If a developer wants to follow Microsoftโs recommendations for the benefit of the earth, how can we succeed if our products cannot be installed securely? I am now at the crossroads, where I see only two options:
Link all of my binaries statically with the runtime and grab a bit for the binary size and its associated security implications.
Manually distributing VC ++ runtime libraries and deleting them in the application folder, although I donโt even know if I am allowed to do this.
What is everyone else doing there?
source share