Applications; Portable vs. Installed
-
This might be a slightly odd question - however it is a debate I am having with my brother, who is also in IT.
Installed vs. Portable:
There are a number of Portable apps that mirror those installed. Portable Apps list some 400 applications which can be run from a thumb drive, making what you use on a daily basis - highly mobile. But is this 'better' than installed apps? I can see from a certain standpoint - that yes it could be - but also likely not.
Mirroring your build, it can be on an external storage device, One Drive, GDrive, NextCloud, etc. and allow you to have access to your toolbox from anywhere - and not have to install anything.
I can see this being helpful if you have and use more than one computer at a time (Laptop, Desktop) or go to an end user's desk and need something not installed on their system. Making a backup can be as simple as a quick drag and drop, and if you have autorun still enabled on your computer, can be scripted so that when you plug in the USB device, it auto copies to a backup location. - Better for it to synchronize than copy - to ensure both sides are up to date.
But is this better or worse than installing applications on the device? We won't discuss data corruption, as that is always possible - regardless of which path you take on this.
Incidentally - nearly all of the applications I have are locally installed via choco.
-
It's far more complex than that. Both approaches exist and are useful in different situations. There is a reason why installed apps have far more traction, on every OS. Installed apps are able to register with the system deeply, be easily managed by the installation tools, and interact with library versions. A portable app has to have all libraries compiled into itself.
This goes further. So if libraries are used from the system, it is easy to audit and know when you have a library out of date. Find a bug in OpenSSL, you know that when you patch OpenSSL that everything that depends on it is likewise patched. But if you have a portable app that statically compiles in OpenSSL you can't tell what version of the library you have, and patching requires you to download a new version of the portable app, which likely will lag dramatically behind the library patches, if it ever gets them at all.
Portable apps are handy, for sure. But they have less control, require more work from the vendor to stay maintained, are much harder to audit for, and are much larger than their installed counterparts.
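Added example, not part of the original thread: one way to approach the audit problem described in the post above is to scan a folder of portable apps for the version banner that OpenSSL's libcrypto embeds in binaries that bundle it. The folder layout, file names and banner values in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Banner compiled into libcrypto, e.g. "OpenSSL 1.1.1k  25 Mar 2021"
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2}(?:-[a-z0-9]+)?) {1,2}(\d{1,2} [A-Z][a-z]{2} \d{4})"
)
CHUNK = 1 << 20
OVERLAP = 64  # longer than any banner, so one split across two reads is still seen


def embedded_openssl_versions(path):
    """Return the sorted OpenSSL versions whose banner appears inside one file."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            data = tail + chunk
            found.update(m.group(1).decode("ascii") for m in VERSION_RE.finditer(data))
            tail = data[-OVERLAP:]
    return sorted(found)


def audit_tree(root, patterns=("*.exe", "*.dll")):
    """Map each binary under root that embeds OpenSSL to the versions it carries."""
    report = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            versions = embedded_openssl_versions(path) if path.is_file() else []
            if versions:
                report[path.relative_to(root).as_posix()] = versions
    return report


def demo():
    """Build a constructed portable-apps folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ToolA").mkdir()
        # Constructed stand-ins for real binaries: padding plus a version banner.
        (root / "ToolA" / "toola.exe").write_bytes(
            b"\x00" * 4096 + b"OpenSSL 1.0.2u  20 Dec 2019\x00" + b"\xff" * 128)
        (root / "ToolA" / "libcrypto.dll").write_bytes(
            b"MZ" + b"\x90" * 500 + b"OpenSSL 3.0.13 30 Jan 2024\x00")
        (root / "notes.exe").write_bytes(b"MZ no crypto here")
        return audit_tree(root)
```

A binary with no banner is not proof that no OpenSSL code is present; it only means this string was not found in the file.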
-
@scottalanmiller said in Applications; Portable vs. Installed:
It's far more complex than that. Both approaches exist and are useful in different situations. There is a reason why installed apps have far more traction, on every OS. Installed apps are able to register with the system deeply, be easily managed by the installation tools, and interact with library versions. A portable app has to have all libraries compiled into itself.
This goes further. So if libraries are used from the system, it is easy to audit and know when you have a library out of date. Find a bug in OpenSSL, you know that when you patch OpenSSL that everything that depends on it is likewise patched. But if you have a portable app that statically compiles in OpenSSL you can't tell what version of the library you have, and patching requires you to download a new version of the portable app, which likely will lag dramatically behind the library patches, if it ever gets them at all.
Portable apps are handy, for sure. But they have less control, require more work from the vendor to stay maintained, are much harder to audit for, and are much larger than their installed counterparts.
This might be changing. Go tools are essentially portable apps that don't necessarily require dependencies (some can obviously). The maintenance work is the same no matter what. Size for them is dependent, anywhere from a few MB to things like Terraform that are over 80 MB. I'm sure there are bigger also.
I think things that weren't designed to be portable are harder to maintain than software that is. But I see the landscape changing to more single binary executables in the future.
-
@stacksofplates said in Applications; Portable vs. Installed:
But I see the landscape changing to more single binary executables in the future.
Snap and AppImage agree with you. Basically bloat isn't the issue it was fifteen years ago. So people are rethinking what makes a system easy to manage.
-
Web apps, while not related directly, I think will put more pressure on the portable side. It will get to the point where OS will not matter for anything (which is the way it should be).
-
I know one application in particular, for me at least, is the web browser - I use a mix of Chrome, Firefox and Chromium. And when at work, I'm forced to use IE and Edge for certain things. IE is more of setting up a user for a web based app that gasp only works with the companion software running on Windows 7.
But - I have saved sign-ons for email and a few sites (like ML), and it would be nice to sync across the few computers I use (not work - no personal on work). And now - I'm about to move from one PC to a newer one, while it's not a trouble - it's the trouble in doing so.
The newer computer - once wiped of the original OS, was set to run Win10 Pro, and one of the first things done was install Choco - and then a 20 application list.. didn't hesitate on it. But now - I have to move my current data to the new - and while 'it's easy enough' it 'could be easier' using all portable. Though - there are just some applications that just won't work that way.
Some things I do use the Google Sync - as safe as it is(n't). It's a risk I take - and on financial sites, they aren't saved...
The idea - make it easier on myself,.. but at no time compromise my digital security (any more than needed).
-
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
Annnnd there is of course -THAT- aspect. Yea,.. general end users don't need to be able to do that.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make Chocolatey easier to install in multiple places is use an XML file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and it's hard to remember the install names on each. So I just carry them around on a flash drive.
-
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
The issue there is using the registry as a means for app control. That's not really a good mechanism for that. Yes, it stops system wide use of the installer, but if that isn't the goal (which it isn't here), it's totally the wrong tool. So the issue here is attempting to use a tool that does X and hoping that it does Y.
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.) But what they are doing is running an arbitrary binary which, almost always, is exactly how things are supposed to work. You do this far more often than you realize.
A big question would be... why do you want to restrict binaries from users?
-
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
Annnnd there is of course -THAT- aspect. Yea,.. general end users don't need to be able to do that.
Actually, they generally do. Not all the time, but way more often than you think.
-
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong, I know better lol. Just wasn't thinking.
-
Portable = Not Installed.
Users generally need to be able to write and run and use binaries. Whether they make them themselves, get them from coworkers, run them from the network, have them spawned from their browser, etc. you run apps that aren't installed, constantly.
In fact, the entire purpose of a web browser (okay, not the entire purpose, but most of it today) is as a platform for being able to do exactly this. Why are we generally okay with users getting portable JavaScript apps all day long, but aren't okay if they are written in some other language? Why are we okay with 99% of the portable apps that they use, but not others? What's the concern, define the problem in human terms then we can address it in computational ones.
-
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin decision. He considers it a security measure and I can understand it somewhat.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong, I know better lol. Just wasn't thinking.
This also means that they aren't "working around" your permissions. The perms that you have in place are only in reference to installation, not in reference to downloading or running. They aren't working around you, it's that the limitations put on the users are far different than believed.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
-
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in AD because they do not modify the registry, so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make Chocolatey easier to install in multiple places is use an XML file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and it's hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Portable apps are not installed. So your users are not installing whatever they want. They aren't installing at all (which generally users don't have the power to do anyway.)
Yeah, you're right, I just phrased it wrong, I know better lol. Just wasn't thinking.
This also means that they aren't "working around" your permissions. The perms that you have in place are only in reference to installation, not in reference to downloading or running. They aren't working around you, it's that the limitations put on the users are far different than believed.
Yes that is correct. I need more coffee. So the idea is to keep users from installing anything on their own unless it's an approved app.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
A big question would be... why do you want to restrict binaries from users?
That's the sysadmin decision. He considers it a security measure and I can understand it somewhat.
Does he? Because he's not restricting them in any way, and totally okay with all the portable apps delivered in the web browser, right? So he's totally okay with them. Just confused, I'd guess.
Well, I can't presume to know his mind but he's just trying to limit the damage that can be done I suppose. I am guessing that is what he is thinking.
-
@jmoore said in Applications; Portable vs. Installed:
He considers it a security measure and I can understand it somewhat.
If you understand it, describe it. What exactly is the concern? Don't use a term like "portable app", because that's so broad that everyone is confused. In general we restrict installing because that's how really dangerous things happen. But portable apps are normally allowed because they essentially have to be for computers to work. What use is a computer with no portable apps today? Basically, it's just a brick. Not completely, but close to it.
Avoid agreeing with him, based on a feeling. If you can define the concern, do so. If not, it's important to recognize an emotional response and address it. My guess is that like most "out of his league" sys admins, he feels inadequate in his job and knows that he's in over his head and that people around him know that he doesn't know his job. And to feel better about himself, it's common to desire power and control over users to compensate. That's generally where something like this comes from. Not because it makes sense, or even works. Not because it's about security, or is good for the business. But out of a personal desire to inflict discomfort on end users in order to feel a sense of power when, in reality, he probably feels impotent at work from not understanding his job.