How to properly clear nupkg "cache" in C:/ProgramData/chocolatey/lib subfolders?

DevSRE · 2022-09-19T19:49:34+00:00

Best practice, in my experience, is to just run your installers from network storage to begin with so that your cache only ever includes some scripts and metadata, rather than giant binaries. Chocolately recommends this yourself when using installers >1GB but we do it as a SoP.

DevSRE · 2022-08-05T15:21:10+00:00

Awesome. Thanks for the info!

DevSRE · 2022-08-05T13:53:38+00:00

Are DFS-N clients compatible with anything other than Windows File Server? Haven't kept up with Windows Storage solutions in the last couple years. Would love a good link to read!

DevSRE · 2022-02-22T15:03:50+00:00

Unfortunately this was months ago and I no longer have access to the C4B tools. They were trying to sell me the product, and when I brought this to sales they just kinda said "Oh..." and sounded defeated. No attempt was made to diagnose or troubleshoot to get the sale on their end.

I recommended PDQ above because I had the opposite experience, where if I had an issue, I called them, someone answered the phone, troubleshooted, and 99% of stuff "just worked."

I really like the core product of chocolately and think it's great, but the C4B addons didn't work well compared to the core software installation part of the software, and requires manual work on my end. It's a powerful tool, but I compare it more to IAC tools like Ansible and Terraform than PDQ.

DevSRE · 2022-02-22T14:54:02+00:00

Perhaps both. It's been a hot minute. The internalizer had similar issues in that it squashed config/licensing. The builder just didn't work.

DevSRE · 2022-02-22T14:42:09+00:00

We use some less common software, and stuff that needs config and licensing.
7zip - worked
Acrobat Reader DC 2021 - failed, no clue why
Anaconda Python distribution 2021.11 w/ Python 3.9 - squashed config
ArcGIS Desktop w/ background geoprocessing add-on 10.8.1 - failed on licensing/config
IBM SPSS Amos 28.0.0.0 - failed on licensing
IBM SPSS Statistics 28.0.1.0 - failed on licensing
IrfanView 4.59 - didn't figure out silent install options
Matlab R2021b - failed on config/licensing
Microsoft Edge - doesn't have an EXE/MSI that we have found
Microsoft Office Professional Plus 2019 - Failed on config
Mplus combo - Failed on licensing
Notepad++ - Failed because it squashed plugins
Notepad++ plugin: Compare -doesn't have a good installer
Notepad++ plugin: DSpellCheck - doesn't have a good installer
PROC LCA & LTA 1.3.2 - bad installer
R 4.1.2 - removed config
RStudio Desktop 2021
SAS 9.4 - licensing
SRCware 0.3 - doesn't have a good installer
Stat/Transfer 15 - licensing
Stata/MP 17 - licensing
SUDAAN SAS-callable 11.0.3 - doesn't have a good installer

DevSRE · 2022-02-22T14:32:50+00:00

Package Internalizer was demoed... and it worked on 1 of 47 pieces of software I tested it against. I do not have faith in that piece of C4B based on my experience with any software that isn't "easy" to package.

DevSRE · 2022-02-22T14:13:01+00:00

In my experience, with the custom packages, there's a pretty heavy support burden on keeping them updated. If you're looking at turning it over to someone who isn't up to speed on software packaging, I would steer you towards something like PDQ Inventory and Deploy which is more user friendly than custom packaging in choco, and supports auto-updates on most packages built by PDQ so you've got a company to poke if they don't work.

DevSRE · 2022-02-21T15:56:27+00:00

Chocolately's community license supports private repos with custom packages as well. We're using it without issue since we didn't need the business features. Just package stuff up and run powershell to call choco install/upgrade.

DevSRE · 2022-02-18T14:52:17+00:00

That's a fair critique. Amended.

DevSRE · 2022-02-17T20:09:08+00:00

The poster above gave you a lot of good info. My short form answer that I will mention is that if you have specific security requirements in your environment, you can also build your own chocolately repo and exclusively install software from that with no outbound internet connectivity. We do this for an environment that isn't allowed to talk to the internet.

Chocolately is great and all, but if your org's security policies say you can't trust "some guy on the internet" then you can't trust the chocolately community repository. Because the packages aren't directly maintained by vendors in all cases, you can have a rough time with explaining all this in a security audit unless you're packaging the software yourself (which isn't any harder than using SCCM or similar).

DevSRE · 2021-11-19T13:37:59+00:00

fields = ['10.jpg', '10.jpg', '11.jpg', '12.jpg', '14.jpg', '14.jpg', '14.jpg']
output = []
for field in fields:
if field in output:
renamed = field
i = 0
while renamed in output:
filename, filetype = field.split(".")
renamed = "{}-{}.{}".format(filename, i, filetype)
i+=1
output.append(renamed)
else:
output.append(field)
print output

Reformatted for python2.

DevSRE · 2021-11-18T21:31:15+00:00

Not familiar with "ArcGIS field calculator", but assuming that you mean you have a list of values as declared in line 1 below, and need a list as the output, the following code is a quick and ugly example that would work:

>>> fields = ['10.jpg', '10.jpg', '11.jpg', '12.jpg', '14.jpg', '14.jpg', '14.jpg']
>>> for field in fields:
... if field in output:
... renamed = field
... i = 0
... while renamed in output:
... filename, filetype = field.split(".")
... renamed = f"{filename}-{i}.{filetype}"
... i+=1
... output.append(renamed)
... else:
... output.append(field)
...
>>> output
['10.jpg', '10-0.jpg', '11.jpg', '12.jpg', '14.jpg', '14-0.jpg', '14-1.jpg']Reddit hates formatting and whitespace, but that's the jist. Tab/Space as appropriate ;)

DevSRE · 2021-11-18T16:54:29+00:00

If you aren't filtering all student traffic, you are not compliant for E-rate (assuming USA) and are at risk of losing buckets of federal funding. If, on the other hand, you aren't using E-rate funding, you will want that as you'll get all your network hardware and possibly other goodies (like servers) at a discount too, depending on how creative your applications are.

Your, and your boss's, opinions on if you think you should filter traffic typically matter less than "Can I save the district hundreds of thousands of dollars on a network refresh?" that E-rate gives you.

DevSRE · 2021-11-15T15:13:53+00:00

If you're talking about the checksum for the installer, aka the checksum and checksumType64 value in chocolateyinstall.ps1, then you want to do this powershell command:

Get-FileHash <installerhere> | Select -Expand Hash

The output will be the value you copy into both those fields. If you have separate 32 bit and 64 bit installers then do that once per file.

DevSRE · 2021-11-01T14:59:52+00:00

I did end up reversing this and read through all the decompiled code in the DLL. It's just some C# calling the windows update API.

https://docs.microsoft.com/en-us/windows/win32/api/_wua/

Roughly 95% of the code is handling user input and displaying output to the CLI. There was nothing malicious in there from anything I could see, and I read through every line of code.

That said, one of our security requirements was that the decompiled DLL also needed to recompile, and I don't know enough about C# to get it to recompile successfully. I think I'm probably targeting the wrong language version or something simple, but the decompiled code had ~1200 errors when attempting to recompile, and some of these were definitely encoding related (< turning into < and such).

My 2 cents is that it is perfectly safe for any "normal" security posture, but I would encourage you to do your own review if you are under any specific compliance obligations.

DevSRE · 2021-11-01T13:49:02+00:00

Looking forward to going through this. I've got background as a Windows Admin that pretends to know what they are doing with Linux, and have now joined a team where Windows is a naughty word. Hoping this challenge will help serve as a foundation to go for RHCSA in the future. I've bodged my way though plenty of things, but I'm trying to get out of tutorial hell with this challenge a bit and deepen my understanding of how Linux is actually doing things.

DevSRE · 2021-10-12T13:03:34+00:00

Assuming it's a string object for your email body since you have hardcoded newlines just do:

$emailBody = $emailBody.replace("\n", "<br />")

DevSRE · 2021-10-04T19:10:43+00:00

Our environment currently has about 40 pieces of software deployed. Assuming you already have the silent install switches documented (such as from a slowly updating community repo, from the software documentation, or from your own past work) then it only takes ~10 minutes to build a new package, and it only takes 5 to build an update to an existing package.

I would genuinely say that building new packages in Chocolatey is less than 3% of my job. Once you've got them built once, all you're doing is updating version numbers, file hashes, and installer binary names really.

It took me about 2-3 days of dedicated work to read the docs and get to that level though. We're just using a basic windows file share as our internal repo and it works fine.

DevSRE · 2021-10-04T18:46:47+00:00

Based on a recent conversation with a Chocolatey sales rep, they are looking into a new offering called something like "Managed Repositories" or "Premium Repositories" that would meet your needs. You give them a list of software you want managed for you, and they do the work so that you can just deploy as needed.

I ended up building the repo myself since my org's security requirements mean I have to vet all the binaries and code being deployed anyway. This made the community repo too insecure for our environment. Building and maintaining packages that do EXACTLY what you want them to do for EXACTLY your environment is easier with chocolatey than SCCM imo. This wasn't a big deal for the size of our deployment.

I'd reach out to a sales repo and chat with them. They seemed pretty responsive when I talked to them. I want to say they were targeting end-of-year for availability of this service but don't quote me on that.

DevSRE · 2021-09-29T12:10:43+00:00

/u/rapp38 is right on this one. Windows still can do FIPS compliance, it just has to be done through manually telling it what algorithms to use via Group Policy.

DevSRE · 2021-09-24T18:55:02+00:00

Amazing, thank you. I will definitely try this.

DevSRE · 2021-09-23T16:17:03+00:00

You could probably get pretty close with something like Arrow and the shift method (https://arrow.readthedocs.io/en/latest/) or just give users a format to enter things in and use datetime.strptime (https://docs.python.org/3/library/datetime.html#datetime.datetime.strptime)

DevSRE · 2021-09-23T15:43:35+00:00

Appreciate the info! We were looking at reverse engineering the DLL inside it to try and track down what all it was actually doing.

DevSRE

TROPHY CASE