Well, the wish for a boring week didn't quite come true. In addition to the nicely normal triage, we talked a bit about the WiX v3.10.2 security update and the (unfortunate) need for a WiX v3.10.3 soon.

WiX v3.10.2 update

We released WiX v3.10.2 as planned on 20-January. You can read the announcement and details on Setup Matters and download the release.

Unfortunately, users have reported two bugs since the release: managed-code bootstrapper applications that use WinForms crash and the /layout switch without an explicit destination directory downloads files to the clean room directory instead of the original bundle directory.

@jchoover helpfully provided a fix for the /layout bug. The WinForms issue, we're told by Microsoft, is a bug in GDI+ when using SetDefaultDllDirectories, an important mitigation of the Windows vulnerability WiX v3.10.2 provides. WinForms and, likely, a native bootstrapper application that uses GDI+ to manage fonts expose this GDI+ bug. (WixStdBA uses old-school GDI for font management, so isn't affected by this bug.)

Both bugs are serious enough that we agreed a new release is necessary. However, we don't currently have enough information to know how (or even whether) it's possible for Burn to work around the GDI+ bug. Until we know more, we agreed to wait in the hopes we can quickly provide a workaround and package it and the /layout bug fix in a WiX v3.10.3.

We'll provide updates as we learn more.

Issue triage

We closed a few issues that we'd kept open for the reporter to provide needed information. Reporter can reopen issues but after a few weeks, we move issues out of the triage bucket if we can't make any headway on them.