Software Installation Policy

Overview

Software installations on CLASSE-managed systems are performed by the CLASSE IT group. To request an installation, please submit a ticket: ServiceRequestTips.

When we install a piece of software on a CLASSE computer, we must treat it as a long-term commitment because we are held responsible for maintaining that software over time -- when security vulnerabilities are discovered, we must apply a patch; if the software stops working because of an operating system update, we need to take the time to find a solution. We have also found that some badly-designed software packages can destabilize the computer's operating system. With over 1200 computers to support, we try our best to anticipate and minimize the number of potential problems.

Our approach to software installations is to collaborate with our users to find and develop solutions that meet their research or business needs, within the context of our managed computing environment. Therefore, software installations are not immediate, and they usually require some discussion with the requestor. However, by having these discussions up front, we ensure the ongoing stability of computing for everyone at the lab.

Choosing and vetting software

We try to avoid a proliferation of software at CLASSE. Therefore, when a software installation is requested, we will probably ask detailed questions -- what is the software for, and how will it be used? If a similar package is already available at CLASSE, we will recommend that that one be used instead. In the past, we have seen that having different tools for the same purpose leads to fragmentation of information at the lab and becomes a barrier to effective collaboration between groups.

In some cases, we will suggest running the requested software on a different operating system (Linux instead of Windows) or on a central Windows server (WinAPP). Or, we may try to repackage the software to isolate it from the operating system. More details on these options are given below.

For the lab's protection, we also review the end-user license agreement to determine if we can legally use the software, and we submit the software for a security review to Cornell's IT Security Office.

Security assessments for software purchases

In November 2015, the Cornell IT Security Office (ITSO) issued a new regulation requiring new software purchases to undergo a security assessment by the ITSO. The purpose of this rule is to reduce the occurrence of security breaches (especially those involving sensitive or confidential information) caused by purchasing software with known vulnerabilities. Therefore, please be advised that software purchases may experience a delay as a result of the security assessment process.

Central installations

Rather than installing multiple copies of a piece of software on many different computers, we may choose to install a single copy of that software in a central location (depending on the user's requirements). A central installation is much easier to maintain than multiple copies (which reduces costs and increases security), and it makes the software available to everyone at the lab. This central location is usually the /nfs/opt filesystem (on Linux), or our central Windows server WinAPP.

Linux vs. Windows

If a piece of software exists in both Windows and Linux versions, we might ask you to try using the Linux version because:

• Linux supports central installations more easily than Windows (see above).
• Linux requires fewer operating system updates than Windows, and fewer system updates means fewer chances to introduce software incompatibilities.
• We try to keep our Windows systems as uncluttered as possible (see below).

Too much software on Windows, AppsAnywhere

We have found that installing too much software on Windows computers can be detrimental to their performance, even when the software is not actively running. For this reason, we try to limit the number software packages (or drivers) installed on any single system. For more details on this problem, please see WindowsPerformance.

To mitigate this effect, we use a utility called AppsAnywhere that "virtualizes" a piece of software, thus isolating it from the underlying Windows operating system. Software that is packaged by Cameyo can be downloaded and run by any user without having to run an installer. We have made a number of software packages available in this way.

Most new software for CLASSE Managed Windows computers is being provided via AppsAnywhere.

Hardware/instrumentation control software

In our experience, Windows drivers for hardware or instrumentation control can sometimes conflict with other packages or with the underlying OS. Such systems become very difficult for us to support in the long term. We often find that software needs to be re-installed on a regular basis, or the computer needs to be re-imaged from scratch, both of which can be time-consuming processes. For this and other reasons, we highly recommend that hardware development and control should be performed on separate computers dedicated to that purpose. In other words, the computer that's used to develop and control the hardware should be considered as part of the hardware itself. We offer many options for working remotely on this dedicated computer, and we would be happy to discuss them with you. More details can be found at HardwareDevelopment.

User installations on Linux

Regular users can build and install most Linux programs and libraries in an NFS file system. Please submit a ServiceRequest for help determining the best way to install, configure, and support any program you may need. Please see LinuxSupport for more information.

Level of support

We are not experts on all the software installed at CLASSE, some of which is very specialized, so we may not always be able to answer questions about usage.

Except for a handful of widely deployed packages (e.g. Microsoft Office, PDF X-change Editor, Firefox), we do not install software updates automatically, unless there is a security patch. To request a software update, users should submit a ServiceRequest. If you've requested software to be installed outside the widely deployed packages, you must work with us to notify us of any security updates. Even thought it's not automatically updated, CLASSE as a whole still must comply with Cornell Policy 5.10 and apply security patches within 14 days of release.

Similarly, we are not able to test every single package installed at CLASSE against upcoming operating system updates, so users may encounter incompatibilities after an operating system update. To report a problem, users should submit a ServiceRequest, and we will do our best to resolve it.