* [Windows Client] Out of date Title scare my users @ 2021-11-24 15:21 Bruno UT1 2021-11-24 15:42 ` Jason A. Donenfeld 0 siblings, 1 reply; 9+ messages in thread From: Bruno UT1 @ 2021-11-24 15:21 UTC (permalink / raw) To: wireguard Hi, Thank you again for your great work. I have a suggestion for the Windows Client (maybe applicable for others). I install Wireguard in my university on about 500 computers in 2 phases: Phase 1 : validation Phase 2 : production So my end users have not, most of the time, the last version. They have "Out of date" in the Wireguard window title and some of them call the helpdesk, thinking they have a problem. I can't deploy all versions as soon as they are available, I can't activate automatic update and my users have no admin rights. So my suggestion is to add a new admin registry key to hide update, or not check them at all. Is that possible ? Regards ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-24 15:21 [Windows Client] Out of date Title scare my users Bruno UT1 @ 2021-11-24 15:42 ` Jason A. Donenfeld 2021-11-25 13:34 ` Diab Neiroukh 2021-11-25 14:23 ` lazerl0rd 0 siblings, 2 replies; 9+ messages in thread From: Jason A. Donenfeld @ 2021-11-24 15:42 UTC (permalink / raw) To: Bruno UT1; +Cc: wireguard, Diab Neiroukh I agree the situation is a bit ridiculous. I'll revert the change that added this: https://git.zx2c4.com/wireguard-windows/commit/?id=82129ba288f7561c89bb80e04841ffb46bc29889 I'm CCing Diab, who originally requested the change, in case he wants to argue with you about it. But in the absence of that, I'll revert. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-24 15:42 ` Jason A. Donenfeld @ 2021-11-25 13:34 ` Diab Neiroukh 2021-11-25 14:23 ` lazerl0rd 1 sibling, 0 replies; 9+ messages in thread From: Diab Neiroukh @ 2021-11-25 13:34 UTC (permalink / raw) To: Jason A. Donenfeld; +Cc: Bruno UT1, wireguard Dear Bruno, Whilst I understand the frustration that having hundreds of users can cause, I don't believe simply reverting the change [as proposed by Jason] is the correct solution. I've come up with a few alternative solutions, but before I present them I'd just like to give a brief introduction into why I requested that change in the first place. WireGuard on Windows exclusively provides a GUI to users of the Administrators group, as well as a limited GUI to users of the Network Configuration Operators group when the `LimitedOperatorUI` DWORD is set. The latter is helpful for users who wish to separate their personal and administrator accounts (to protect themselves against the plethora of UAC exploits, amongst other security issues) where otherwise the user would have to switch accounts to switch tunnels. However, the GUI shown to Network Configuration Operators lacked any information about updates. This lead to users in such setups to not be informed about any updates unless they switched out to the Administrator account and or kept an eye on the releases online. This is quite a problem as users could be running ancient versions of WireGuard for relatively long periods of time without the knowledge that they are doing so (some users may even assume WireGuard automatically updates). As such, I asked Jason if he could add the ability for non-admins to at least be informed of an update which lead to where we are today. After speaking to Jason "off the mailing list", he stated he wouldn't like to add any more configuration options (via the Registry or within the GUI) nor any metadata to updates so bearing that in mind I came up with a few alternatives: 1) Rewording the update prompt for non-admins to appear less "aggressive". Currently, the prompt is "Please ask the system administrator to update." but this could be changed to something along the lines of "There is an update available. The system administrator will update when necessary." which should reduce most, if not all, users from contacting you unnecessarily. I can throw up a patch for this if Jason agrees. 2) Avoiding users seeing the UI at all, where unnecessary. If your users do not need *control* of the WireGuard configuration, then avoiding showing them the UI altogether could be an option. I don't know your system as well as you do, of course, so I can't assure that this solution is valid. However, having hundreds of users as Network Configuration Operators sounds a little "worrying" to me. 3) Showing an even more limited UI for unprivileged users. If the users still need some form of UI, then an even more limited UI could be presented to users not part of the Administrators nor the Network Configuration Operators groups. This would lack any form of control, and could still be under the same `LimitedOperatorUI` Registry DWORD, or not if is deemed "safe enough for the masses". If it is, you could say the semantics refer to "Limited [User or Network] Operator UI". 4) Updates could be hidden from the UI for N days after an update or N updates (preferably two in this case, so that it doesn't pile up) for Network Configuration Operators. This provides you [and any other sysadmins] with a "buffer zone" to apply the updates before users contact you about them. This could also be teamed up with 1) to further reduce the likelihood of users contacting you. I'm not a large fan of this "solution", however, since WireGuard for Windows lacks any metadata to differentiate important and optional updates which can lead to a security patch or critical bug-fix being ignored for some time. 5) Creating a separate group which are able to switch tunnels. For users who just need the GUI to switch tunnels, having a group specific to such behaviour named something along the lines of "WireGuard Operators" could be helpful. Hopefully at least one of these suffices for you so that we can meet a mid-point of sorts that matches both your criteria as well as my own. PS: Whilst it may seem a pain, I believe that a balance should be achieved between the sysadmins and users where if the former forgets to apply an update "for too long" then the users contact them as a reminder. After all, we're all humans and we do forget sometimes. The solutions 1) - with a prompt such as "There is an update available. The system administrator should update soon." - and 4) match up to this quite nicely. Thank for your time, Diab Neiroukh On Wed, Nov 24 2021 at 16:42:59 +0100, Jason A. Donenfeld <Jason@zx2c4.com> wrote: > I agree the situation is a bit ridiculous. I'll revert the change that > added this: > https://git.zx2c4.com/wireguard-windows/commit/?id=82129ba288f7561c89bb80e04841ffb46bc29889 > > I'm CCing Diab, who originally requested the change, in case he wants > to argue with you about it. But in the absence of that, I'll revert. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-24 15:42 ` Jason A. Donenfeld 2021-11-25 13:34 ` Diab Neiroukh @ 2021-11-25 14:23 ` lazerl0rd 2021-11-25 16:07 ` Bruno UT1 1 sibling, 1 reply; 9+ messages in thread From: lazerl0rd @ 2021-11-25 14:23 UTC (permalink / raw) To: Jason A. Donenfeld; +Cc: Bruno UT1, wireguard Dear Bruno, Whilst I understand the frustration that having hundreds of users can cause, I don't believe simply reverting the change [as proposed by Jason] is the correct solution. I've come up with a few alternative solutions, but before I present them I'd just like to give a brief introduction into why I requested that change in the first place. WireGuard on Windows exclusively provides a GUI to users of the Administrators group, as well as a limited GUI to users of the Network Configuration Operators group when the `LimitedOperatorUI` DWORD is set. The latter is helpful for users who wish to separate their personal and administrator accounts (to protect themselves against the plethora of UAC exploits, amongst other security issues) where otherwise the user would have to switch accounts to switch tunnels. However, the GUI shown to Network Configuration Operators lacked any information about updates. This lead to users in such setups to not be informed about any updates unless they switched out to the Administrator account and or kept an eye on the releases online. This is quite a problem as users could be running ancient versions of WireGuard for relatively long periods of time without the knowledge that they are doing so (some users may even assume WireGuard automatically updates). As such, I asked Jason if he could add the ability for non-admins to at least be informed of an update which lead to where we are today. After speaking to Jason "off the mailing list", he stated he wouldn't like to add any more configuration options (via the Registry or within the GUI) nor any metadata to updates so bearing that in mind I came up with a few alternatives: 1) Rewording the update prompt for non-admins to appear less "aggressive". Currently, the prompt is "Please ask the system administrator to update." but this could be changed to something along the lines of "There is an update available. The system administrator will update when necessary." which should reduce most, if not all, users from contacting you unnecessarily. I can throw up a patch for this if Jason agrees. 2) Avoiding users seeing the UI at all, where unnecessary. If your users do not need *control* of the WireGuard configuration, then avoiding showing them the UI altogether could be an option. I don't know your system as well as you do, of course, so I can't assure that this solution is valid. However, having hundreds of users as Network Configuration Operators sounds a little "worrying" to me. 3) Showing an even more limited UI for unprivileged users. If the users still need some form of UI, then an even more limited UI could be presented to users not part of the Administrators nor the Network Configuration Operators groups. This would lack any form of control, and could still be under the same `LimitedOperatorUI` Registry DWORD, or not if is deemed "safe enough for the masses". If it is, you could say the semantics refer to "Limited [User or Network] Operator UI". 4) Updates could be hidden from the UI for N days after an update or N updates (preferably two in this case, so that it doesn't pile up) for Network Configuration Operators. This provides you [and any other sysadmins] with a "buffer zone" to apply the updates before users contact you about them. This could also be teamed up with 1) to further reduce the likelihood of users contacting you. I'm not a large fan of this "solution", however, since WireGuard for Windows lacks any metadata to differentiate important and optional updates which can lead to a security patch or critical bug-fix being ignored for some time. 5) Creating a separate group which are able to switch tunnels. For users who just need the GUI to switch tunnels, having a group specific to such behavior named something along the lines of "WireGuard Operators" could be helpful. Hopefully at least one of these suffices for you so that we can meet a mid-point of sorts that matches both your criteria as well as my own. Thank for your time, Diab Neiroukh PS: Whilst it may seem a pain, I believe that a balance should be achieved between the sysadmins and users where if the former forgets to apply an update "for too long" then the users contact them as a reminder. After all, we're all humans and we do forget sometimes. The solutions 1) - with a prompt such as "There is an update available. The system administrator should update soon." - and 4) match up to this quite nicely. On 2021-11-24 15:42, Jason A. Donenfeld wrote: > I agree the situation is a bit ridiculous. I'll revert the change that > added this: > https://git.zx2c4.com/wireguard-windows/commit/?id=82129ba288f7561c89bb80e04841ffb46bc29889 > > I'm CCing Diab, who originally requested the change, in case he wants > to argue with you about it. But in the absence of that, I'll revert. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-25 14:23 ` lazerl0rd @ 2021-11-25 16:07 ` Bruno UT1 2021-11-25 16:27 ` Jason A. Donenfeld 0 siblings, 1 reply; 9+ messages in thread From: Bruno UT1 @ 2021-11-25 16:07 UTC (permalink / raw) To: lazerl0rd, Jason A. Donenfeld; +Cc: wireguard Hi Diab, Thank you for the detailed explanation. My suggestion to add a new registry key seemed easy, but I understand a limited number of options is important. From your alternatives : 1) Probably the easiest to implement. It's not my favorite, but it would be better no doubt. 2) I used Network Configuration Operators for everyone because no other option was available. It's not great as you said, but users need to start and stop the VPN sometimes. I can't remove all rights. 3) Do you suggest a "read only" interface ? I looks like the opposite of what I need, the less users see the better. 4) It seems pretty complicate for a small improvement. Like you I'm not fan, but why not if Jason like it. It can but combined with the first option. 5) I like this option, but I supposed it wasn't possible. If it is, a group that can only access to the list of tunnels and start or stop them is a good solution for my environment. Removing Network Configuration Operators rights would be an improvement. To summarize, the option 5 is what I'm looking for from the beginning. But if it's to complicate (or impossible) to do, the first one looks like a good start. Rewording can be done easily and quickly (before a better solution is chosen, if possible). In that case, I indicate that I mainly use the french localization (it explains my poor english language level). Maybe the french version seems more aggressive that the english one? I don't know who leads this language translation, but I suggest him (or her) to change the Windows title "Obsolète" (out of date) to something softer, or nothing in the title just the update tab. Thank for your time too, Bruno ANDRY Le 25/11/2021 à 15:23, lazerl0rd@thezest.dev a écrit : > Dear Bruno, > > Whilst I understand the frustration that having hundreds of users can > cause, I don't believe simply reverting the change [as proposed by > Jason] is the correct solution. I've come up with a few alternative > solutions, but before I present them I'd just like to give a brief > introduction into why I requested that change in the first place. > > WireGuard on Windows exclusively provides a GUI to users of the > Administrators group, as well as a limited GUI to users of the Network > Configuration Operators group when the `LimitedOperatorUI` DWORD is > set. The latter is helpful for users who wish to separate their > personal and administrator accounts (to protect themselves against the > plethora of UAC exploits, amongst other security issues) where > otherwise the user would have to switch accounts to switch tunnels. > However, the GUI shown to Network Configuration Operators lacked any > information about updates. This lead to users in such setups to not be > informed about any updates unless they switched out to the > Administrator account and or kept an eye on the releases online. This > is quite a problem as users could be running ancient versions of > WireGuard for relatively long periods of time without the knowledge > that they are doing so (some users may even assume WireGuard > automatically updates). As such, I asked Jason if he could add the > ability for non-admins to at least be informed of an update which lead > to where we are today. > > After speaking to Jason "off the mailing list", he stated he wouldn't > like to add any more configuration options (via the Registry or within > the GUI) nor any metadata to updates so bearing that in mind I came up > with a few alternatives: > > 1) Rewording the update prompt for non-admins to appear less > "aggressive". Currently, the prompt is "Please ask the system > administrator to update." but this could be changed to something along > the lines of "There is an update available. The system administrator > will update when necessary." which should reduce most, if not all, > users from contacting you unnecessarily. I can throw up a patch for > this if Jason agrees. > > 2) Avoiding users seeing the UI at all, where unnecessary. If your > users do not need *control* of the WireGuard configuration, then > avoiding showing them the UI altogether could be an option. I don't > know your system as well as you do, of course, so I can't assure that > this solution is valid. However, having hundreds of users as Network > Configuration Operators sounds a little "worrying" to me. > > 3) Showing an even more limited UI for unprivileged users. If the > users still need some form of UI, then an even more limited UI could > be presented to users not part of the Administrators nor the Network > Configuration Operators groups. This would lack any form of control, > and could still be under the same `LimitedOperatorUI` Registry DWORD, > or not if is deemed "safe enough for the masses". If it is, you could > say the semantics refer to "Limited [User or Network] Operator UI". > > 4) Updates could be hidden from the UI for N days after an update or N > updates (preferably two in this case, so that it doesn't pile up) for > Network Configuration Operators. This provides you [and any other > sysadmins] with a "buffer zone" to apply the updates before users > contact you about them. This could also be teamed up with 1) to > further reduce the likelihood of users contacting you. I'm not a large > fan of this "solution", however, since WireGuard for Windows lacks any > metadata to differentiate important and optional updates which can > lead to a security patch or critical bug-fix being ignored for some time. > > 5) Creating a separate group which are able to switch tunnels. For > users who just need the GUI to switch tunnels, having a group specific > to such behavior named something along the lines of "WireGuard > Operators" could be helpful. > > Hopefully at least one of these suffices for you so that we can meet a > mid-point of sorts that matches both your criteria as well as my own. > > Thank for your time, > Diab Neiroukh > > PS: Whilst it may seem a pain, I believe that a balance should be > achieved between the sysadmins and users where if the former forgets > to apply an update "for too long" then the users contact them as a > reminder. After all, we're all humans and we do forget sometimes. The > solutions 1) - with a prompt such as "There is an update available. > The system administrator should update soon." - and 4) match up to > this quite nicely. > > On 2021-11-24 15:42, Jason A. Donenfeld wrote: >> I agree the situation is a bit ridiculous. I'll revert the change that >> added this: >> https://git.zx2c4.com/wireguard-windows/commit/?id=82129ba288f7561c89bb80e04841ffb46bc29889 >> >> >> I'm CCing Diab, who originally requested the change, in case he wants >> to argue with you about it. But in the absence of that, I'll revert. > > !DSPAM:5,619f9c6d262291485912835! > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-25 16:07 ` Bruno UT1 @ 2021-11-25 16:27 ` Jason A. Donenfeld 2021-11-26 8:47 ` Jason A. Donenfeld 0 siblings, 1 reply; 9+ messages in thread From: Jason A. Donenfeld @ 2021-11-25 16:27 UTC (permalink / raw) To: Bruno UT1; +Cc: Diab Neiroukh, WireGuard mailing list > nothing in the title just the update tab. If you find that an acceptable compromise, it's fine with me. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-25 16:27 ` Jason A. Donenfeld @ 2021-11-26 8:47 ` Jason A. Donenfeld 2021-11-26 9:17 ` lazerl0rd 0 siblings, 1 reply; 9+ messages in thread From: Jason A. Donenfeld @ 2021-11-26 8:47 UTC (permalink / raw) To: Bruno UT1; +Cc: Diab Neiroukh, WireGuard mailing list https://git.zx2c4.com/wireguard-windows/commit/?id=8120d07dd5fc9a5e545419fe13490086ce920f31 Is this okay with both of you? ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-26 8:47 ` Jason A. Donenfeld @ 2021-11-26 9:17 ` lazerl0rd 2021-11-30 10:12 ` Bruno UT1 0 siblings, 1 reply; 9+ messages in thread From: lazerl0rd @ 2021-11-26 9:17 UTC (permalink / raw) To: Jason A. Donenfeld; +Cc: Bruno UT1, WireGuard mailing list I assume you've chosen the "reword" route instead of any larger changes, for the better or worse (though as Bruno said, it would be great if 5) is considered somewhere down the line). Since this route was chosen, I suggest that we also reword the update prompt itself as I feel that is equally responsible for users "freaking out". After all, it is literally telling users to contact their sysadmin instantly for each update. I propose something along the lines of the following patch (though I guess il8n will be a bit of a pain): ``` From 76ea8a81cf327527089bfea8209bf4f2faa1b6cf Mon Sep 17 00:00:00 2001 From: Diab Neiroukh <lazerl0rd@thezest.dev> Date: Fri, 26 Nov 2021 09:12:15 +0000 Subject: [PATCH] ui: Don't explicitly tell users to contact their sysadmin for updates. The wording used here practically told users to instantly contact their system administrators for every update. We can reword it to instead to implicitly suggest that they contact their system administrator if the update has not been applied for "a relatively long time". Signed-off-by: Diab Neiroukh <lazerl0rd@thezest.dev> --- ui/updatepage.go | 2 +- zgotext.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ui/updatepage.go b/ui/updatepage.go index 96fc87f3..76a8dced 100644 --- a/ui/updatepage.go +++ b/ui/updatepage.go @@ -65,7 +65,7 @@ func NewUpdatePage() (*UpdatePage, error) { button.SetText(l18n.Sprintf("Update Now")) if !IsAdmin { - button.SetText(l18n.Sprintf("Please ask the system administrator to update.")) + button.SetText(l18n.Sprintf("There is an update available. The system administrator should update soon.")) button.SetEnabled(false) status.SetText(l18n.Sprintf("Status: Waiting for administrator")) } diff --git a/zgotext.go b/zgotext.go index efbb9a80..e35974aa 100644 --- a/zgotext.go +++ b/zgotext.go @@ -235,7 +235,7 @@ var messageKeyToIndex = map[string]int{ "Packet with invalid IP version from %v": 215, "Peer": 100, "Persistent keepalive:": 54, - "Please ask the system administrator to update.": 275, + "There is an update available. The system administrator should update soon.": 275, "Preshared key:": 51, "Protocol version must be 1": 85, "Public key:": 46, -- 2.34.0 ``` On 2021-11-26 08:47, Jason A. Donenfeld wrote: > https://git.zx2c4.com/wireguard-windows/commit/?id=8120d07dd5fc9a5e545419fe13490086ce920f31 > > Is this okay with both of you? ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Windows Client] Out of date Title scare my users 2021-11-26 9:17 ` lazerl0rd @ 2021-11-30 10:12 ` Bruno UT1 0 siblings, 0 replies; 9+ messages in thread From: Bruno UT1 @ 2021-11-30 10:12 UTC (permalink / raw) To: lazerl0rd, Jason A. Donenfeld; +Cc: WireGuard mailing list Hi, I validate what Diab said. It's a good start, hoping option 5 will be possible later. Thank you for changes. Have a good day. Le 26/11/2021 à 10:17, lazerl0rd@thezest.dev a écrit : > I assume you've chosen the "reword" route instead of any larger > changes, for the better or worse (though as Bruno said, it would be > great if 5) is considered somewhere down the line). > > Since this route was chosen, I suggest that we also reword the update > prompt itself as I feel that is equally responsible for users > "freaking out". After all, it is literally telling users to contact > their sysadmin instantly for each update. I propose something along > the lines of the following patch (though I guess il8n will be a bit of > a pain): > > ``` > From 76ea8a81cf327527089bfea8209bf4f2faa1b6cf Mon Sep 17 00:00:00 2001 > From: Diab Neiroukh <lazerl0rd@thezest.dev> > Date: Fri, 26 Nov 2021 09:12:15 +0000 > Subject: [PATCH] ui: Don't explicitly tell users to contact their > sysadmin for > updates. > > The wording used here practically told users to instantly contact their > system administrators for every update. We can reword it to instead to > implicitly suggest that they contact their system administrator if > the update has not been applied for "a relatively long time". > > Signed-off-by: Diab Neiroukh <lazerl0rd@thezest.dev> > --- > ui/updatepage.go | 2 +- > zgotext.go | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/ui/updatepage.go b/ui/updatepage.go > index 96fc87f3..76a8dced 100644 > --- a/ui/updatepage.go > +++ b/ui/updatepage.go > @@ -65,7 +65,7 @@ func NewUpdatePage() (*UpdatePage, error) { > button.SetText(l18n.Sprintf("Update Now")) > > if !IsAdmin { > - button.SetText(l18n.Sprintf("Please ask the system > administrator to update.")) > + button.SetText(l18n.Sprintf("There is an update available. > The system administrator should update soon.")) > button.SetEnabled(false) > status.SetText(l18n.Sprintf("Status: Waiting for > administrator")) > } > diff --git a/zgotext.go b/zgotext.go > index efbb9a80..e35974aa 100644 > --- a/zgotext.go > +++ b/zgotext.go > @@ -235,7 +235,7 @@ var messageKeyToIndex = map[string]int{ > "Packet with invalid IP version from > %v": 215, > "Peer": 100, > "Persistent > keepalive:": 54, > - "Please ask the system administrator to > update.": 275, > + "There is an update available. The system administrator should > update soon.": 275, > "Preshared > key:": 51, > "Protocol version must be > 1": 85, > "Public key:": 46, ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-11-30 10:12 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-11-24 15:21 [Windows Client] Out of date Title scare my users Bruno UT1 2021-11-24 15:42 ` Jason A. Donenfeld 2021-11-25 13:34 ` Diab Neiroukh 2021-11-25 14:23 ` lazerl0rd 2021-11-25 16:07 ` Bruno UT1 2021-11-25 16:27 ` Jason A. Donenfeld 2021-11-26 8:47 ` Jason A. Donenfeld 2021-11-26 9:17 ` lazerl0rd 2021-11-30 10:12 ` Bruno UT1
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).