teknowledgist / Chocolatey-packages

Packages for chocolatey.org
GNU General Public License v3.0

synergy: outdated #108

Open nbolton opened 3 weeks ago

nbolton commented 3 weeks ago

Package id: synergy

Current package version: 1.8
Version to update to: 1.17


Hi @teknowledgist (and @ferventcoder) :wave:

I am a developer of Synergy (the free community edition).

It looks like the choco package for Synergy is very old and needs updating to v1.15. I think it would also benefit from a title (perhaps "Synergy 1 Community Edition") and logo change too.

Please could we get this package updated to Synergy 1 Community Edition? Let me know if you need anything for this. I believe it should be the free community edition to match brew install synergy.

teknowledgist commented 3 weeks ago

Hi, @nbolton.

You might note at the bottom of the Synergy package description the note about it being the "last build". The reason for that is Chocolatey relies on downloading/embedding application (installer) binaries. I can't(1) compile an application for Windows on the fly, and if I compiled it prior to updating the package, it would not be an official binary. Users would have no real way to verify that I didn't "mess" with it before compiling.

Basically, (as you are certainly very aware) Windows and Linux/MacOS are very different beasts. (At least from my semi-skilled viewpoint, but I am willing to admit that maybe they are more similar at a fundamental level than I understand.)

I'm open to options if you have any suggestions.

(1) Even if I had the knowledge/skill to auto-compile during a Chocolatey install, doing it on the user-side would require making the package dependent on at least one compiler which complicates users' setups and isn't really required to use the application.

nbolton commented 3 weeks ago

Sounds like you need us to compile a binary/installer for Synergy 1 Community Edition. Is that what you're saying?

teknowledgist commented 3 weeks ago

Basically, yes.

If the binary isn't too big (and assuming the license still allows it), I can embed it into the Chocolatey package, but either way, there needs to be a way for users (and Chocolatey Community repository moderators) to verify that the binary file(s) downloaded by Chocolatey or embedded in the package have not changed from the official build.

If you don't want to make the binaries publicly downloadable, but are willing to allow the Chocolatey package to distribute them (embedded), we might be able to convince the moderators of the authenticity if you post the SHA256 hashes of the binaries while only providing them to the package (i.e. me). A VERIFICATION.txt file is standard for embedded Chocolatey packages. I'm not sure that really makes sense, but you have been offering only the source code and no binaries for a few years now, so 🤷 .
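The verification step described above, as an added example (not code from the teknowledgist/Chocolatey-packages repo): a chocolateyInstall.ps1 fragment that checks an embedded installer against the SHA256 recorded in VERIFICATION.txt before handing it to Chocolatey's install helper. The installer file name and the `checksum64:` line format in VERIFICATION.txt are assumptions.

```powershell
# Added example, not from the package repo. Verifies the embedded MSI against
# the SHA256 published in VERIFICATION.txt, then installs it. File name and
# the "checksum64: <hex>" line layout are assumptions for illustration.
$ErrorActionPreference = 'Stop'
$toolsDir   = Split-Path -Parent $MyInvocation.MyCommand.Definition
$installer  = Join-Path $toolsDir 'synergy-community-x64.msi'   # assumed name
$verifyFile = Join-Path $toolsDir 'VERIFICATION.txt'

# Pull the expected hash out of VERIFICATION.txt (assumed line: "checksum64: <64 hex chars>")
$expected = $null
foreach ($line in Get-Content -Path $verifyFile) {
    if ($line -match '^\s*checksum64:\s*([0-9A-Fa-f]{64})\s*$') {
        $expected = $Matches[1]
        break
    }
}
if (-not $expected) { throw "No checksum64 line found in $verifyFile" }

# Hash the file actually shipped in the package and refuse to install on mismatch
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $expected) {   # -ne is case-insensitive, so hex case does not matter
    throw "Checksum mismatch for $installer : expected $expected, got $actual"
}

# Only reached when the embedded binary matches the published hash
$packageArgs = @{
    packageName    = $env:ChocolateyPackageName
    fileType       = 'msi'
    file           = $installer
    silentArgs     = '/qn /norestart'
    validExitCodes = @(0, 3010, 1641)
}
Install-ChocolateyInstallPackage @packageArgs
```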

nbolton commented 3 weeks ago

> you have been offering only the source code and no binaries for a few years now, so 🤷 .

Yes, I see where you're coming from. It probably seems a bit out of the blue. Perhaps a recent announcement might help to explain things: https://github.com/symless/synergy/discussions/7476

> If you don't want to make the binaries publicly downloadable

The binaries for the licensed build are public but do of course require a license. For example: https://symless.com/synergy/download/package/windows/synergy_1.14.6-stable.06a860d9_windows_x64.msi

However, I'm considering building a free-to-use package for Windows under the branding 'Synergy 1 Community Edition'. This would not grant the license for technical support, etc. I am wondering if this needs to be code-signed if we publish the SHA256 hashes on our GitHub project.

I'm intrigued by your proposal to redistribute the official binaries privately through a Chocolatey package with an accompanying SHA256 hash to prove authenticity. That's something to think about.

teknowledgist commented 3 weeks ago

I can easily either rename the synergy Chocolatey package to be "Synergy 1 Community Edition" or create a new "synergy-community" (or similar) Chocolatey package to separate the old from the new.

The more I think about it though, the weirder the proposal to "split" the binary distribution seems to me. In order to be approved by moderators, the hash would need to be publicly available, but what advantage would that be for anyone? You'd be saying, "Here is the official hash for a binary I'm not going to give you, but is available embedded in this thing over there that requires you understand a totally different piece of software which you might not use for anything else."

If you want to create a free, community edition, I think you should allow folks to get the binary from you. Certainly, you can promote an "easy" way to install it via Chocolatey, and I'm happy to maintain the package, but if you want it to be used, make it easy with multiple paths to success. IMHO, of course.

It's your baby though, so all I can do is try to help you accomplish your vision. 😄

nbolton commented 3 weeks ago

> rename the synergy Chocolatey package to be "Synergy 1 Community Edition"

I think this would be the way to go; keep the ID as synergy and have the app title as "Synergy 1 Community Edition".

> the weirder the proposal to "split" the binary distribution seems to me

I think I'm inclined to agree.

> I think you should allow folks to get the binary from you. Certainly, you can promote an "easy" way to install it via Chocolatey, and I'm happy to maintain the package, but if you want it to be used, make it easy with multiple paths to success. IMHO, of course.

It's a good opinion and an approach I am strongly considering.

Would it need to be signed? I ask because it'd need to be separate from the code signing we use for the licensed packages, so if it was signed under my name (personally, not through the business) with an open source signing certificate (e.g. from Certum) then maybe that could work.

> It's your baby though, so all I can do is try to help you accomplish your vision. 😄

Thank you! I appreciate the support.

teknowledgist commented 3 weeks ago

> Would it need to be signed?

Honestly, I don't know. I haven't gotten any pushback from any of the many dozens of packages I maintain, but I also haven't confirmed that the applications are all signed. My guess is that Chocolatey and the automatic package verification doesn't care, and that Windows Defender is going to be the one to complain/block the execution of the binary (whether the installer or the actual application).
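The signing question above can be answered per file rather than guessed at; this added helper (not part of the package repo or of Synergy) reports an installer's Authenticode status, signer and SHA256 in one object, so a maintainer can record what a build actually carries. The sample path is an assumption.

```powershell
# Added example, not from the package repo. Summarises the Authenticode state of
# an installer (MSI or EXE) alongside its SHA256 so both can be noted in a package.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Assumed path to a locally downloaded community-edition installer
Get-InstallerSignatureReport -Path 'C:\temp\synergy-community-x64.msi' | Format-List
```

A `Status` of `NotSigned` confirms the unsigned case discussed here; `HashMismatch` or `NotTrusted` means a signature is present but the file or chain does not check out, which is worth distinguishing from simply unsigned.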

nbolton commented 3 weeks ago

> My guess is that Chocolatey and the automatic package verification doesn't care, and that Windows Defender is going to be the one to complain/block

Ok, good to know. I'll build a CE package and throw it at Windows Defender to see how it behaves. It used to be the case that you didn't need to sign (it'd show you a bunch of warnings), but I don't know if Microsoft have gotten more strict in Windows 11.

I'll update here with my findings.

Edit: Windows 10 doesn't seem to care if it's unsigned. I'll test on Windows 11. Haven't heard back from Certum about the open source code signing cert, but perhaps it's not that important?

Edit: I'm still working on this. Blocker is the upstream project rename: https://github.com/deskflow/deskflow/discussions/7517