Get-WebFileSimple, to remove gow dependency from JavaJDK package

[drewburlingame]

• uses WebClient.DownloadFile to download files
• allows adding cookies. (necessary for some sites, i.e. downloading java jdk from oracle)
• allows ignoring invalid certificates (self-signed, etc)

I would like to use the existing JavaJDK package, but can't because it depends on gow, which conflicts with other *nix tools I'm using. He only needs gow for wget. With this function, I'm able to download the file without wget.

[ferventcoder]

Interesting. Why not make get-webfile work with these additions?

[drewburlingame]

I spent several hours trying that first, but couldn't get the cookies to
stick across domains. I was testing with the JavaJDK package. I thought
about switching out the implementation of Get-WebFile, but couldn't figure
out how to get all the options in Get-WebFile to work with
WebClient.DownloadFile.

On Sat, Dec 22, 2012 at 4:48 AM, Rob Reynolds [email protected]:

Interesting. Why not make get-webfile work with these additions?

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/224#issuecomment-11636849.

[rismoney]

I don't think we should take this in. It needs to be reconciled with the existing one.
If there are specific use cases for one vs the other then conditional logic can apply the right call...

[rismoney]

https://github.com/chocolatey/chocolatey/blob/master/src/helpers/functions/Get-WebFile.ps1#L46 is this not doing cookie handling? I am not all that familiar with cookie handling in general.

[rismoney]

I do like the ignore cert switch in theory, but not in practice. A package author should not be sending consumers of the package to https sites that don't have valid certificates. I believe that is a call the end user should make, and question the authenticity of the underlying url.

[drewburlingame]

I agree. It would be better to alert the user and let them decide whether
to continue or not.

On Fri, Apr 19, 2013 at 7:17 AM, Rich Siegel [email protected]:

I do like the ignore cert switch in theory, but not in practice. A package
author should not be sending consumers of the package to https sites that
don't have valid certificates. I believe that is a call the _end user_should make, and question the authenticity of the underlying url.

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/224#issuecomment-16655336
.

[ferventcoder]

Interesting...we have made choco silent by default. This seems to go
against that idea. Should this not be a pkg then?

On Friday, April 19, 2013, Drew Burlingame wrote:

I agree. It would be better to alert the user and let them decide whether
to continue or not.

On Fri, Apr 19, 2013 at 7:17 AM, Rich Siegel <[email protected]<javascript:_e({}, 'cvml', '[email protected]');>>wrote:

I do like the ignore cert switch in theory, but not in practice. A
package
author should not be sending consumers of the package to https sites
that
don't have valid certificates. I believe that is a call the _end
user_should make, and question the authenticity of the underlying url.

—
Reply to this email directly or view it on GitHub<
https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16655336>
.

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/224#issuecomment-16664701
.

---

Rob
"Be passionate in all you do"

http://devlicio.us/blogs/rob_reynolds
http://ferventcoder.com
http://twitter.com/ferventcoder

[drewburlingame]

good point. a flag would help, but not if the pkg was a dependency of
another. i'd hate to see a user not be able to use a package when they
could specify if they were ok with http vs https. it could be that if
choco was going to fail, prompt instead, but only wait for 10 seconds for a
response? that could serve the purpose, but seems complicated.

On Fri, Apr 19, 2013 at 8:38 PM, Rob Reynolds [email protected]:

Interesting...we have made choco silent by default. This seems to go
against that idea. Should this not be a pkg then?

On Friday, April 19, 2013, Drew Burlingame wrote:

I agree. It would be better to alert the user and let them decide
whether
to continue or not.

On Fri, Apr 19, 2013 at 7:17 AM, Rich Siegel <[email protected]<javascript:_e({},
'cvml', '[email protected]');>>wrote:

I do like the ignore cert switch in theory, but not in practice. A
package
author should not be sending consumers of the package to https sites
that
don't have valid certificates. I believe that is a call the _end
user_should make, and question the authenticity of the underlying url.

—
Reply to this email directly or view it on GitHub<
https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16655336>

.

—
Reply to this email directly or view it on GitHub<
https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16664701>
.

---

Rob
"Be passionate in all you do"

http://devlicio.us/blogs/rob_reynolds
http://ferventcoder.com
http://twitter.com/ferventcoder

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/224#issuecomment-16698126
.

[ferventcoder]

Its actually pretty simple, I have this in the environment setup bits, it
would only need to be adapted slightly so we could have it make calls to
the user.

On Saturday, April 20, 2013, Drew Burlingame wrote:

good point. a flag would help, but not if the pkg was a dependency of
another. i'd hate to see a user not be able to use a package when they
could specify if they were ok with http vs https. it could be that if
choco was going to fail, prompt instead, but only wait for 10 seconds for
a
response? that could serve the purpose, but seems complicated.

On Fri, Apr 19, 2013 at 8:38 PM, Rob Reynolds <[email protected]<javascript:_e({}, 'cvml', '[email protected]');>>wrote:

Interesting...we have made choco silent by default. This seems to go
against that idea. Should this not be a pkg then?

On Friday, April 19, 2013, Drew Burlingame wrote:

I agree. It would be better to alert the user and let them decide
whether
to continue or not.

On Fri, Apr 19, 2013 at 7:17 AM, Rich Siegel <[email protected]<javascript:_e({}, 'cvml', '[email protected]');><javascript:_e({},

'cvml', '[email protected] <javascript:_e({}, 'cvml',
'[email protected]');>');>>wrote:

I do like the ignore cert switch in theory, but not in practice. A
package
author should not be sending consumers of the package to https sites
that
don't have valid certificates. I believe that is a call the _end
user_should make, and question the authenticity of the underlying url.

—
Reply to this email directly or view it on GitHub<

https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16655336>

.

—
Reply to this email directly or view it on GitHub<
https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16664701>

.

---

Rob
"Be passionate in all you do"

http://devlicio.us/blogs/rob_reynolds
http://ferventcoder.com
http://twitter.com/ferventcoder

—
Reply to this email directly or view it on GitHub<
https://github.com/chocolatey/chocolatey/pull/224#issuecomment-16698126>
.

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/224#issuecomment-16699150
.

---

Rob
"Be passionate in all you do"

http://devlicio.us/blogs/rob_reynolds
http://ferventcoder.com
http://twitter.com/ferventcoder

[rismoney]

Interesting...we have made choco silent by default. This seems to go against that idea. Should this not be a pkg then?

Its not against the idea. Bypassing a tenet of an https request is the offense.
I like ignore, but that is a user call, not a author call. If I am going to a https site, and the name, CA or date is jacked up I am going to most certainly question if I want this on my system.

This is a helper, and doesn't expose the ssl bypass capability to the cli/end user.

If we wanted silent then it would need to work akin to:
cinst foo -ignore-ssl-errors