Ghostscript: Disabling Silent Install Is a MISTAKE

Starting with Ghostscript 10.01.0, released in March 2023, you can no longer silently install Ghostscript under the GNU GPL Affero license. This change has made many system administrators angry.

  • What made Artifex disable the silent option for their Ghostscript product?
  • What are your options to silently install Ghostscript?
  • Why is disabling the silent install option for your software a bad decision?
  • What should we do to prevent vendors from making this mistake again?

Let’s dig in.

First, What is Ghostscript?

Ghostscript is an interpreter for the PostScript®️ language and PDF files. It is available under either the GNU GPL Affero license for free or licensed for commercial use from Artifex Software, Inc. It is open-source and has been under active development for over 30 years and has been ported to several different systems during this time.

Disclaimer: Although we strive to maintain accurate and current information, we do not make any representations or warranties regarding the accuracy or correctness of the Artifex license description. Your reliance on such information is strictly at your own risk. It is advisable to contact the vendor to ensure you have the correct license information.

Artifex offers 2 license options

Open Source – AGPL - This license means that if you distribute Ghostscript software, or make the software’s functionality available to users interacting with it remotely through a computer network, you must share your source code. This license has silent installation disabled.

Commercial license agreement with Artifex - If you cannot meet the requirements of AGPL licenses, you must buy a commercial license. This license supports silent installation.

The Problem

Organizations can no longer deploy a free version of Ghostscript under the GNU GPL Affero license to all their endpoints. They can’t use mass deployment solutions like Configuration Manager (SCCM) or Intune. These and other deployment solutions require applications to support a silent installation option.

Artifex owns and fully controls its open-source Ghostscript product. It removed the silent installation option for the GNU GPL Affero license EXE installer starting with version 10.01.0.

Because silent installation is not supported, the following issues arise for organizations:

It caused a lot of organizations to spend extra time and money solving this sudden issue.

Ghostscript for Software Developers

Software vendors who need to use Ghostscript as part of their solution can buy a commercial license. Then, they can include Ghostscript source code in their software. In that case, there would be no issues for organizations that want to deploy such software. Organizations would deploy the main software that has Ghostscript baked in without even knowing it.

But, the problem is with software vendors who declare Ghostscript as their dependency. And they do it for a reason. Software vendors do not want to take responsibility or make an effort to keep updating their software only because of the library they use. This is because of possible security issues found in third-party libraries.

In general, developers want to be independent from other libraries they do not control. Declaring some libraries as dependencies can remove this burden. Also, abstaining from third-party libraries can remove additional development and licensing expenses.

Why Did Artifex Disable the Silent Option?

There are two places where Artifex shared their reasoning for why they disabled the silent install option: the Ghostscript bug tracking portal and the Artifex news site.

Let’s see responses from both places and unpack them.

Organizations are responsible for applications, not the end-users

Response from Ken Sharp on why they disabled the silent option on the Ghostscript bug tracking portal:

“We have encountered a great number of applications installing Ghostscript either in contravention of the AGPL or without sufficiently informing users of the fact that the application includes Ghostscript, and the user’s rights under the AGPL. As a concrete example; here’s a portion of the text of a recent email sent to us for support:”

“I’ve got a massive issue with GhostScript having current exploits tied to it the issue is, I have no idea what Software uses GhostScript as a dependency/side install to figure out which vendor I need to reach out to in order to get the latest version so GhostScript is updated.”

From the Artifex news site:

“…users who were unaware that Ghostscript was installed on their systems, often running outdated and vulnerable releases.”

Organizations that use mass deployment solutions go through software evaluation and approval processes. These processes help understand which software they need and how to deploy it. An important step of the process is understanding if the organization meets the terms and conditions of the vendor.

System administrators then deploy software to end-users without notifying them. It is in the name – silent installation.

End-users cannot be responsible for software that they have no right to install in the first place. They simply do not have admin rights to install any software. In this case, the organization and its system administrators bear full responsibility.

If end-users need to identify the specific Ghostscript version used by a particular software, they should reach out to administrators overseeing the deployments. Not the vendor.

Without a silent installation option organizations are in a much, much worse situation to keep Ghostscript up to date. Removing the silent installation option is not helping but making things worse.

Let’s acknowledge that older versions of Ghostscript supported silent installation, so organizations do have this software installed on their endpoints. This situation makes organizations more vulnerable than before, because they now have to make difficult choices to keep Ghostscript up to date.

You can read here that people are planning to stay on outdated vulnerable Ghostscript versions because of this change. This is not good.

Artifex does not want to open themselves up to accusations of being complicit in such ‘bad actions’ - outdated software

From the Artifex news site:

“We have received numerous concerning reports from users who were unaware that Ghostscript was installed on their systems, often running outdated and vulnerable releases. We will not open ourselves up to accusations of being complicit in such ‘bad actions’.”

No software vendor wants to be held liable for outdated software with the consequences that can follow. This is why almost all open-source software, and in fact most software, comes with ALL CAPITAL text in its license agreement. It says: “Open-Source software is distributed WITHOUT ANY WARRANTY.”

Artifex is no exception to this. Everyone can read that on their AGPL licensing page, https://artifex.com/licensing/agpl. You can see it when installing their software and even opening the shortcut this application installs.

It’s open-source - fix yourself

From the bugs portal:

“Finally, as one of my colleagues points out; this is open source software and you are free to alter it as you see fit, provided only that you conform to the terms of the AGPL licence.”

From the Artifex news site:

“Ghostscript is, of course, open source, and it is a trivial thing to rebuild with the option enabled. Users are more than welcome to do that for themselves.”

No hints, no instructions, and no blog posts on how to solve this “trivial” issue from the Artifex side.

Not having a silent installer mainly affects the system administrator. Yet, system administrators usually do not have the required skills to alter the software’s source code. This is not to mention any additional that might be necessary for such modifications.

So, no, it is not a trivial task for system administrators to modify the source code of the software and be confident that the changes are made correctly.

My rhetorical question: if the software vendor thinks this is so easy for users to fix, then why bother slowing them down?

From the bugs portal:

“Alternatively, we offer commercial solutions and I’m sure our sales people would be delighted to field any enquiries.”

Ah, right. Sorry for asking.

Unpleasant part of the response

In the bug-tracking portal, we can read that Artifex may have no deep understanding of the issue and the scale of the impact this change is causing.

From the bugs portal:

“It does mean that automated Windows deployment tools for large organisation can’t use our installer any more. However I question why an organisation would be installing Ghostscript on a large number of Windows PCs. It’s not exactly an end-user shiny.”

This response seems more like rhetoric than genuine curiosity, at least when read alongside the final sentence on the Artifex news portal about this issue:

“Further discussion on this subject will not change anything, and merely distracts the developers from their actual work.”

Ouch.

Options to overcome this problem

  • Installing Ghostscript manually
  • Staying on older versions
  • Paying for the commercial license
  • Building EXE with a silent switch
  • Repackaging

Installing Ghostscript manually

This option takes a lot of time and is not practical for medium to large organizations.

Staying on older versions

Not updating software to the newer versions is not recommended. Please try to avoid this option. The last couple of Ghostscript versions have Common Vulnerabilities and Exposures (CVEs). They also do not support silent installation anymore.

Read more about Ghostscript CVEs here under the Security Advisory section.

Paying for the commercial license

Money can solve this problem completely and forever. You can support developers for their work and the value they bring by purchasing a commercial license. The commercial license of Ghostscript also has the installer with a silent switch enabled.

But, it will be very hard for the system administrator to go, explain, and prove the need for this purchase to their management. In most cases, open-source applications are just a dependency for other (possibly) already paid software. Based on my experience, management rarely approves this purchase if there are other options available. And there are.

Building EXE with a silent switch

If you have the knowledge and the tools you can re-build the Ghostscript with a silent switch set back on.

Here is the documentation on how to do that on Windows OS.

Here is a possible commit that removed the silent install switch.

Disclaimer – We haven’t tested this, and we are not sure if it is the correct or the only thing that needs to be done to reenable the silent install switch.

Repackaging

This is a fast and trustworthy solution that will generate a better installer than the original vendor exe.

Master Repackager is paid software that will be useful not only for repackaging Ghostscript to MSI but also for many other software that do not have a silent install option. And there are still plenty of crappy software installers out there.

Look how easy it is:
https://www.youtube.com/watch?v=XpLVMc87A7I

Conclusions

Every software must have a silent install option. Full stop.

If, under the software’s terms and conditions, the software is available to the user, there MUST be a silent installation option. Organizations must manage applications and keep their environment secure. This functionality is crucial. And it helps the vendor get more consumers. Win-Win.

With the push of a button, organizations can deploy your application to thousands of consumers and customers. But many software vendors do not have that or they treat silent installation options as a feature that we must pay extra for - and that’s the mistake.

Putting silent installation behind a paywall is like a restaurant charging extra for tableware. The main justification would be that the restaurant cannot expose itself to situations where customers might harm themselves with restaurant knives. While it is possible to bring a bowl, spoon, and knife from home (repackaging), washing dishes after every restaurant visit is not your primary task; eating is. This will reduce the likelihood of wanting to return to the restaurant. In restaurants, we pay for the food, and everything else, such as the experience and tableware, is factored into the meal price.

If a restaurant cannot offer a quality meal that customers are willing to pay for, and its only option is to attract them with free or cheap meals, only to corner them later with extra payments or create struggles over standard things like tableware, then this restaurant is already in a problematic situation.

The same applies to the software vendors. We pay for the software, not the mechanism of how to deploy it.

Nowadays especially with Master Packager Dev, it is a trivial thing to have an excellent installer.

Let’s look at what will happen when software vendors do not create a silent installation or hide it behind the paywall:

  • Organizations still can overcome this issue by repackaging the installer to MSI. It is easy. Companies like Master Packager enable organizations to make that a breeze.
  • Software vendors get more support tickets from system administrators which leads to having less time working on actual software. The Ghostscript bug-tracking portal has many duplicate tickets. They all request the silent installation option.
  • Higher chance that organizations will choose alternative products that do not require repackaging. That leads to fewer consumers/customers for the software vendor.
  • Organizations need to spend time and money to figure out how to get the applications usable in their system. That’s affecting every company in the world that wants to use this software. Organizations are forced to re-do the installer by spending time and money that otherwise could be used to move the world forward.

What should organizations do?

Vendors do not realize the consequences of not having a good installer.

The only way I see we can change this is to contact vendors and let them know by explaining WHY they should make the installer better. Because usually they simply do not know that.

We finally need to remove the curtains and show vendors what is happening when we get a bad installer. The struggle, the time, and the money spent re-doing stuff. Applications are here to support our business not to make it harder.

I suggest watching my session at AppManagEvent 2023, where I explain why we’re in this mess and what can help make application management a much better process.

Software vendors can fix this mistake

Spend time focusing on features that target customers are willing to pay for, without pushing them into corners. If you want to step up your installer creation level, we have software called Master Packager Dev. It will generate and automate the highest enterprise-quality MSI creation in minutes. This can help make all angry system administrators forget about this hiccup. Imagine an installer where system administrators say, “Wow, I’m glad we chose ‘Your Product name’, it was so easy to deploy it. Love them.”

Some may say: “But the silent install option can be a paid feature like any other feature.”

A company is on the wrong path if it is forced to make more money by putting obstacles to its consumers. Instead, it should innovate and solve problems for which people are willing to pay.

Disabling the silent option creates more problems and solves none.

Not having a good installer with a silent install option will distract the developers from their actual work.
