[SOLVED] WebP images and BGRABitmap

[TRon]

Things getting more insane by the minute... downloading dll files from some obscure website and attaching it here and advertising named website.

You should never ever do that and in particular not for vc runtime. The honey must be very tasty.

[domasz]

Windows 7 is outdated also Windows 10.. You should test on Windows 11.

Windows 7 is outdated. Windows 11 is a spyware and shouldn't be used.

[lainz]

Windows 7 is outdated also Windows 10.. You should test on Windows 11.

Windows 7 is outdated. Windows 11 is a spyware and shouldn't be used.

At least is an updated spyware, not like the previous spyware versions...

[circular]

Whatever the feelings each person have regarding different versions or OSes, I would like the programs to be runnable on various platforms.

I may be that on newer version of Windows, the Dll is included.

Lainz you're suggesting the Dll can be installed with VCredist. That could be something to tell users of the program.

However it is not uncommon to provide such Dll within the program binaries. TRon, while I understand your concern for security, I invite you to be more explicit about the needs you're expressing.

The website doesn't seem really unsafe. If in doubt, it is recommended to check with a virus scan.
https://www.reddit.com/r/techsupport/comments/ts3kr5/is_dllfilescom_safe/?rdt=64071

However of course, it is always better to get the files from the source, here Microsoft. Google proposes this page, however I am note sure it provides the wanted files:
https://learn.microsoft.com/fr-fr/cpp/windows/latest-supported-vc-redist?view=msvc-170

I wonder if those Dlls are not included by Visual Studio when compiling a project, and here we only had the main Dll. As evoked before, I suppose it would make sense to provide the Dll depending on the version of the program, if it is 32-bit the 32-bit version of the Dll.

[TRon]

TRon, while I understand your concern for security, I invite you to be more explicit about the needs you're expressing.

No problem.

It is not about my concerns. It is about keeping a strict security policy. Every breach is or was made by human err. This is one of those human errors, and a very bad one.

That a person downloads some executable (I count dll's as those as well) is one thing but since VC distribution is something used by a lot of other software it imposes additional security risks. Ones you should not be willing to take. I can tell you exactly which ones but since TS not even bothered to state what he tried except for 'everything' I instead return the favour by saying that everything done by these actions is a risk.

Another concern is posting it here as attachment. How about rights (who cares, right) ? How about user not tampered with those files (we trust users, not) ?

Every developer knows, or at least should know that things like VC runtime distribution comes from M$ and the source to get them therefor is also M$ (not that I trust them either but at least in that case you could hold someone accountable).

That is, if you care about your safety, security and privacy. If you don't care about those then to quote clint: "go ahead, make my day" 

The normal route is to state on which dependencies a release relies on, perhaps with a (direct) link to where to obtain those dependencies. That way the distributor of whatever release avoids responsibility and other concerns about perhaps distributing copyrighted or tampered materials and at the same time avoids any issue reports related to those (3th party) dependencies. The latter which a developer will be confronted with anyways but at least you can then redirect and close.

[lainz]

I can't remember with wich version of Visual Studio I compiled the webp dll files, so that's a problem: knowing wich version of vcredist to download...

[TRon]

I can't remember with wich version of Visual Studio I compiled the webp dll files, so that's a problem: knowing wich version of vcredist to download...

There are tools for that such as for example dependency walker but a simple look at the file in a hex-viewer is able to reveal the same information.

That is besides the fact that you should ofc build your own libwebp library. An yes, I know that googly eyes is not making it any easier for yah windows users.

[lainz]

Yes I compiled the webp dll for bgrabitmap so we're sure about the source of the files.

[circular]

Thanks for the detailed response TRon. Regarding the files provided by AsleyCruz, I've just tested them with virustotal.com and they appear to contain no virus and to be authenticated as provided by Microsoft. So we're alright concerning security.

About copyright, I don't think there is any issue here, this file being widely distributed. By the way, same applies to installing VC redist: in theory, one need to own a licence of Visual Studio to install it. The problem is, Visual Studio doesn't put the required Dlls near the the binaries that have just been compiled because it is expected to be on all target systems. So basically Microsoft considers the file to be kind of public.

Yes I compiled the webp dll for bgrabitmap so we're sure about the source of the files.

Thank you for that.

a simple look at the file in a hex-viewer is able to reveal the same information.

Doesn't sound that simple to look in the binaries. In fact there is new program that helps with that: https://github.com/lucasg/Dependencies

According to this program, the required Dlls are vcruntime140.dll and ucrtbase.dll.

Fun fact: the program Dependencies includes those Dll along its binaries.

I can't remember with wich version of Visual Studio I compiled the webp dll files, so that's a problem: knowing wich version of vcredist to download...

I guess from the name of library identified by AsleyCruz, it would be version 140. Note that you probably have those files on your system, since you compiled the library. And I found those Dlls on my system too. However, all things considered I don't think we need to provide them as such.

Asking for help to ChatGPT, it gave me a simpler solution. To statically link the runtime. This way, no need to provide additional Dll files. The little downsides is that the Dll will be bigger (about 150 Ko) and that the runtime won't updatable.

• For a library that decode WebP images, this is probably not a big deal that the runtime is not updatable independently, but it might be a problem if there is for some reason a major security flaw identified in the future
• 150 Ko is an increase of more than 100% of the size of the library, some people may prefer to keep it smaller

So probably the best course of action is to let developers decide if they want to provide the non statically linked or the statically linked Dll:

• for the developer, the statically linked Dll is the simpler option if they prioritize running the program on all Windows systems over real-time update of the VC redist framework.
• for the not statically linked Dll, it will run on most systems. The developper can invite the user to install VC redist, so they have the the framework and it will be updatable. The thing is how does we know when this is needed. Probably a better error message could be helpful, something like "The library requires Microsoft Visual C++ Redistribuable." and maybe provide a download link.

So I conclude that as far as BGRABitmap is concerned, the most balanced approach is to provide both the statically linked and the non statically linked, but not the VC redist files, and let the developers handle the versioning. What do you think?

[lainz]

So I conclude that as far as BGRABitmap is concerned, the most balanced approach is to provide both the statically linked and the non statically linked, but not the VC redist files, and let the developers handle the versioning. What do you think?

I agree, that's the solution. But a clear readme file will be needed, because the developer maybe doesn't know what to choose...

[circular]

I agree, a little readme file will be wonderful.

I've added one 
https://github.com/bgrabitmap/bgrabitmap/tree/dev-bgrabitmap/libwebp