Boris Dalstein - VGC

Boris Dalstein - VGC

Page vérifiée Created at November 1, 2017 Contact


  • Hi everyone!

    Good news: I have finally completed the verification process with the Certificate Authority, and implemented the code signing process as part of the automated builds.

    There is a new alpha version on your dashboard, and you should now have much fewer warnings from your web browser, your antivirus, or Windows using this version and all future versions :-)

    Unfortunately, you will still get the following warning for a little while:


  • This is because Windows uses a reputation system, reputation which is only acquired once enough users have downloaded and installed VGC. I'm not sure how long this is going to take, but eventually this warning should disappear.

    Cheers!

    Boris

  • Hi everyone!

    If you have attempted to download and install VGC Alpha, you may have encountered quite a few scary warnings, making the installation process very far from pleasant. Even worse, the installation might have even failed due to your antivirus getting in the way (see here for details).


  • Are the installers safe to run?

    As long as you download the VGC installers from https://www.vgc.io, you can safely run them despite the warnings: just ignore the warnings, following the steps illustrated in the image above. The "HTTPS" in the URL address ensures that no third party could have maliciously tampered with the download by adding a malware. You know that you're using HTTPS if you see a "lock icon" in the address bar:


  • If the installer fails, please try again a few times: the first failure may be because your antivirus didn't have enough time to verify that there are indeed no viruses. At a last resort, you can try to install VGC with your antivirus disabled (in which case I recommend to turn off your Wifi/Ethernet connection first: the VGC installer doesn't need Internet anyway). Note that I generally don't recommend turning off your antivirus: please re-enable as soon as VGC is installed, and before visiting any websites.

    If you've encountered any of these installation problems, I would appreciate if you let me know in the comments or at [email protected] which version of Windows you are using, which antivirus you are using, and whether turning off the antivirus helped. 

    Why the warnings if the installers are indeed safe??

    The reason for the scary warnings is that I am not yet doing something called "code signing" on the installers I provide. Code signing is a process where a trusted third party called a "Certificate Authority" (= DigiCert, VeriSign, Sectigo, ...), or CA for short, issues to a publisher (= VGC Software) a "code signing certificate", which is a set of cryptographic keys used to prove the identity of said publisher. Then, when Windows, your web browser, or your antivirus encounters an installer or any other program (= "VGC Alpha Installer.exe") , it can ask the CA whether it was correctly signed by the publisher. 

    This process is meant to make it harder for bad people to infect your computer with malware. The problem is that it also makes it more complicated for small teams and individual developers to publish their software without having these scary warnings. The reason is that getting a certificate costs money. Quite a lot of money, in fact. Here is a screenshot from one of the most popular/trusted CA:


  • Yes, you've read that right: "As LOW as $474/year". If you find that sentence outrageous, you're not alone. All they do is basically checking that your company exists, give you a phone call for added verification, and then have a server in place to automatically compute a few multiplications between prime numbers when the Microsoft server asks them if the signature is valid.

    A lot of people complain about this system, which is especially unfair to small open-source projects, such as Notepad++, who decided not to use Code Signing anymore since March 2019

    Fortunately, there actually exist cheaper options, and I just ordered a certificate for $67/year from K Software , a reseller of Sectigo certificates, where Sectigo is one of the reasonably trusted Certificate Authority. I decided that this was a reasonable price to pay to remove those pesky warnings. $67/year is around 1.5% of your donations: thank you!


  • But the annoying part is: even doing this, I have no guarantee that you still don't get a warning. Indeed, even bad people can get a certificate, so Windows uses a "reputation system" in addition to verifying the certificate. How exactly this reputation system works isn't publicly known, but basically if very few people download a given program (which is the case for VGC alpha versions), it is quite likely to get a warning anyway. A slightly less obnoxious warning, but still.

    A solution to bypass the reputation system would be to use a so-called "EV Code Signing Certificate", instead of the more standard "OV Code Signing Certificate" which I ordered. Unfortunately, not only these are even more expensive (around $250-$700 per year, which means 5%-14% of your donations...), but they require the use of a physical cryptographic USB key to sign the installers, which makes it way less convenient (or even impossible), to use when using Cloud-based servers like I do. So I'll stick to OV certificates for now and see how it goes.

    Conclusion

    I am still waiting for the verification process to be complete before I can use the certificate I ordered, and then I'll have to write some code to use the certificate to sign each of the installers as part of the automatic compilation and release process I have in place. Until then, please ignore the warnings :-)

    Once again, thank you for your donations! There are very concretely useful for this specific issue.

    Cheers,

    Boris


  • Yes, you've read that right!

    If you're on Windows, you can head over to your dashboard at https://www.vgc.io/dashboard and download the first alpha version of VGC :-)

    Everything is automated now: each time I make a little change to VGC, a new alpha version is generated and appears in your dashboard. This way, when I talk about new features in Tipeee posts, you'll be able to try them out by yourself!

    The feature set is very limited for now, you can just barely sketch, with no undo and connections between lines. But if you ever manage to create something nice, don't hesitate to post it on the forum! It's not very active at the moment, but it's up to you to make it more active ;) Note that your forum account is a separate account from your VGC account. This will be improved in the future.


  • Apart from implementing a system to give sponsors access to alpha versions, I've also completely overhauled the architecture of "editors" (currently, "Console" and "Performance Monitor"). I was using the default mechanism provided by the library Qt (QDockWidget), but this turned out to be full of bugs, not well maintained, hard to customize, and not having all the features I want. So I've re-implemented my own with the following advantages:

    1. It was quite hard to resize the editors, especially with a pen tablet, because the area where the resize cursor would appear was too narrow (max 5px). With the new implementation, the resize cursor appears within 10px of the editor's boundary, so the resize handle is effectively 20px-wide, even though you don't see it.

    2. Before, the "bottom area" was always extending to the full width of the app, while the "right area" was not extending to the bottom of the app (stopping instead at the top of the bottom area). I wanted the other way around, and this wasn't possible with QDockWidget.

    3. It isn't implemented yet, but I want the right sidebar to be a "fluid layout" area where you just drag and drop any editor and the other editors intuitively move to make space for the the dragged editor (similarly to how you can move icons/widgets on your Android phone or Windows desktop). Most graphics apps (example: Blender) use a "recursively split" method which is always somewhat confusing to use.

    I've also cleaned a little bit the style of the app, and fine-tuned the font size, which turned out to be looking really bad on Windows. What's complicated about fonts, is that there are rendered differently on each operating system, and therefore we need to use different font sizes on each platform to achieve the same visual appearance. It's messy and annoying.

    Next step: release alpha versions for macOS and Linux!

    Cheers,

    Boris


  • Hello everyone!

    I know it is frustrating: it's been a few months that I've been working on these installers, and you still can't download them. There was so many problems along the way, I can't even start to describe how bad the technology is around deploying desktop applications for Windows. 

    But the good news is that most of these problems are now solved! :-D

    We're getting closer to have alpha versions of VGC for Windows available for download. However, there is still an important step to be done:  implement a system to automatically upload these installers to the VGC website, and allow sponsors to download them.

    Once this is done, you will be able to finally try it out, at least those of you on Windows. The next step will be to do the same thing for Mac and for Linux. Fortunately, this should be much easier, as I have much more experience with Unix-based systems.

    Cheers, and thank you so much for you support and your patience!

    Boris

Moved from Toulouse to Montpellier

- 0

  • Some of you may remember that I already moved from Lyon to Toulouse a year ago, but yes, I'm already moving again! The reason is the same as last year: I'm following the academic career of my significant other. Hopefully this time it should be more long term, although nothing is ever sure in life.

    It was quite a tiring adventure: when we arrived at our new apartment, we discovered in despair that the elevator was out of order, so we had to carry everything to the sixth floor by hand, or rather by foot. We all worked hard (we were helped by family members), and I personally did 45 rounds trips to the sixth floor with boxes, furniture, etc... that's a total of 225 floors up and down! For comparison, the taller building in the world, Burj Khalifa, only has 163 floors...

    As for VGC, I'm still working on automating the creation of Windows installers. In particular, I'm making sure that it will be easy to update from one alpha/beta version to the next, so that you will be able to test the new features as soon as they are implemented.

    I'm taking a break the next few days in order to recover from moving in an out, and waiting for the current heat wave happening in France to pass. Then, back to work on these installers!


  • Hello everyone!

    This week, I started to learn the WiX Toolset (https://wixtoolset.org) to automate the creation of installers for Windows (things like "vgc-illustration-setup.exe"). It consists in writing quite ugly XML files, then tell WiX to compile these into an installer.


  • As I already mentioned in the last Tipeee update, for VPaint, I was using another product, called Advanced Installer. This other product is much nicer to use than WiX, but it requires me to open the GUI each time I want to create an installer. Instead, for VGC, I want everything to be fully automatic, so that each time I implement something, there is an installer automatically generated that sponsors can download on https://www.vgc.io. (By the way, don't forget to activate your account!)

    I will call these "Daily Beta" versions, since they will be rather frequent. There may be some days without new versions, and some days with more than one version, so it's not going to be exactly "daily", but close enough. These are technically called "Development Builds", but I thought it was nicer to keep "Beta" in the name since it is a term that I believe more people are familiar with. And while not as technically correct as "Development Builds", the term "Beta" is somewhat correct in this case since they are actually distributed to users for testing. Traditionally, development builds stay internal to the software company and are never tested by actual users, while the term "beta" designates the first versions sent to actual users for testing.

    All of this to say that now, I have to write a few ugly XML files. But in fact, since they were a little too ugly for my taste, I decided instead to write a Python script that automatically generates them. It's not finished yet but it's already working reasonably well, I'm quite happy with this method.

    When will these daily betas be available?? What still needs to be done?

    Unfortunately, there are a lot of things to take care of. I already took care of specifying all the VGC files that need to be installed and where, and created a nice icon file optimized for Windows.

    I also started to figure out all the dependencies that should be installed alongside VGC, such as the Qt library, Python, and Visual Studio redistributables, but this is not fully automated yet. What's tricky is that on my own computer, all these dependencies are already installed (since I need them for compiling VGC), so things tend to naturally work... but it doesn't mean that it would work on other people's computers!

    A good test is to try on a fresh install of Windows. However, I don't want to keep around an actual version of Windows with nothing installed on it just for this purpose... so instead I'm planning to use virtual machines. This is like running an operating system (e.g., Windows 10) inside another operating system (e.g., Linux). It has the advantage of not requiring a brand new computer, but it does require quite a bit of RAM and disk space, so I upgraded a little bit my workstation for that.


  • Though, I quickly ran into one issue: VGC requires OpenGL 3.2, but the software I use to create and run virtual machines, called VirtualBox, only supports OpenGL 1.1. So I can't really test VGC on these virtual machines. At least I can use them to compile VGC, or test that VGC gets installed where it should, but I can't run VGC itself, at least not the user interface part of VGC. An alternative to VirtualBox would be to use VMware, another virtualization tool that has better OpenGL support, but it costs almost $300 and I have no experience using it, so I'm not sure I want to go that route. Maybe.

    Finally, something else that needs to be done is to create an installation wizard to let users choose where they want to install VGC, and specify a few options. Currently, the installer runs completely without user interaction, which is nice for performing upgrades, but not that nice for first-time installs.

    More frequent news on Facebook and Twitter!

    While I don't post very often on Tipeee, I decided to try to post more frequently tiny updates on Facebook and Twitter. 


  • Initially, I didn't want to do that to keep the latest news reserved for sponsors, but now that the bigger incentive to become a sponsor will be "you can download the beta if you're a sponsor", it doesn't really matter. So I'll make the most frequent updates on Facebook and Twitter, and Tipeee posts will now basically be a recap of all the tiny news with more details.

    In conclusion, if you want more frequent news, make sure to follow VGC Software on Facebook or Twitter!

    https://www.facebook.com/vgcsoftware

    https://twitter.com/vgcsoftware

    Thanks again for your support!

    Boris


  • Hello everyone!

    I have just finished to integrate the generation of license keys to the VGC website! Now, whenever I add a new eligible sponsor, license keys are automatically generated and available in the sponsor's dashboard:

    https://www.vgc.io/dashboard 

    Note that if you were already a Silver Sponsor (or higher) at the time of this writing, your existing license keys are NO LONGER VALID. Indeed, I regenerated all the existing license keys due to both a bug in my code, and a design flaw. You should have received an automatic email, and your new license keys can be found in your dashboard.

    The bug was subtle: it only had a 1 out of 256 chance to occur each time I generated a license key, reason why it went undetected for so long. To be precise, it occurred whenever the first 8 bits of some cryptographic signature were all zeros, in which case OpenSSL (the cryptographic library I use) did some optimization by not including the first byte in the signature, and my code parsing this signature failed to handle correctly this scenario. It is now fixed and seems to have affected only one of you (a sponsor had an '=' sign in one of his license key), but I regenerated all license keys anyway due to the design flaw explained below.

    The design flaw was that the keys were tied to an email address: VGC 2020 would have asked you both your address email and your license key, and verify that the pair "license key + email address" was valid. But it turns out that some of you have already changed their email address! So an email address isn't an identifier as stable as I thought. Therefore, I decided to change my mind: keys are now self-contained and don't need any other information to validate.

    Next step: automate the compilation of VGC on Windows, macOS, and Linux, with automatic upload to the website so that sponsors can download it! This will not be trivial, and should take a few weeks. Notably, I have to change which tool I use to generate Windows installers (the tool I was using so far doesn't allow for automation), and implement the upload/download system.

    Thanks again for your support!

    Boris


  • Hi everyone!

    The new VGC account system is finally live at https://www.vgc.io !

    If you are already a sponsor, you should have received an email in the past couple of hours to ask you to activate your VGC account. In fact, you may have received two of them... sorry about that, it was a bug which is now fixed.

    Please let me know if you haven't received this email, or if the sponsorship level indicated in your dashboard (Bronze, Silver, etc.) doesn't match your actual sponsorship level. More generally, let me know if you experience any problem with the activation process or if you see any bugs or area for improvements.

    Cheers!

    Boris

2019 Q1 Informal Financial Report

- 0
News reserved for Tippers only