WAPT- (2018-07-04)

  • non backward compatible change: remove the use of uninstall_string;
  • replace the use of eval with string manipulation for uninstall_key list server side;
  • cosmetic: limit repo row height when description is long;
  • Add option for use_fqdn_as_uuid when building waptagent.exe;
  • waptwua options in ini file with its own section [waptwua] (Enterprise);
  • handle wua offline / online scan param in wapt-get.ini (Enterprise);
  • store Windows Update rules in local db as a dict (Enterprise);
  • use _ instead of - in update_id to separate UpdateId with RevisionNumber (Enterprise)
  • add Online wua scans (offline=False in [waptwua] section) (Enterprise)
  • fix package_uuid not sent to server’s host inventory:
    • creates a random package_uuid when installing in DEV mode;
    • creates a random package_uuid when installing a package without package_uuid;
  • moved and renamed EnsureWUAUServRunning to setuphelpers:
    • added package_uuid to host packages status grid and database;
    • added pending_reboot_reasons to inventory;
  • display package version for missing packages;
  • display a red icon in host package list when a package must be removed due to conflicts or change of Organizational Unit;
  • fix wapt-get sign-packages key password dialog:
    • added setting maturity and increment automatically the version in sign-packages action in sign-packages action;
  • added missing columns and improve formating for Packages grids;
  • store uninstall_key as a json list in local DB instead of python repr:
    • stores uninstall_key as an array in server DB;
    • handles backward compatible repr on server and local service
  • Add WindowsUpdates host history grid below WindowsUpdate grid (Enterprise):
    • store Host Windows update history in server DB;
    • keep selected or focused rows in grids;
    • refresh in packages and groups with Show Hosts active, refresh Hosts list too;
    • update Packages table when uploading a Package / Group;
    • disable indexes for some BinaryJson fields;
  • fix windows update install_date reporting (Enterprise);

WAPT- (2018-10-02)

This is a bugfix release for

  • waptexit: changed the default value of upgrade_only_if_not_process_running parameter to False instead of True:

    if upgrade_only_if_not_process_running is True, the install tasks for packages with running processes (impacted_process) are skipped;

    if upgrade_only_if_not_process_running is False, the install tasks for packages with running processes may impact the user if the installer kills the running processes;

  • waptwua: take in account Windows Updates RevisionNumber attribute to identify uniquely an Update in addition to UpdateID field (Enterprise only). This fixes the 404 error when downloading missing windows updates on a client.

WAPT- (2018-09-26)

This is a bugfix release for

  • fix for WAPTServer Enterprise on Windows: added proper upgrade path from PostgreSQL 9.4 (used in WAPT 1.5) to PostgreSQL 9.6 which is required for WAPT-Windows Update:
    • new database binary and data directory path are suffixed with -9.6;
    • old data is suffixed with -old after migration;
  • fix upgrade script for MongoDB upgrade (WAPT 1.3) to PostgreSQL used since WAPT 1.5;
  • fix regression on WMI / DMI inventory which may be not properly sent back to the server;

WAPT- (2018-09-14)

Main new features if you are coming from 1.5:

  • per package Audit feature (Enterprise only);
  • WAPT managed Windows Updates tech preview (Enterprise only);
  • wizards to guide post configuration of Windows server and first use of waptconsole;
  • waptconsole/ private repo page: added a grid which shows the computers where the selected package is installed;

It includes numerous changes over the version.


  • per package Audit feature:

    • def audit() hook function to add into package’s By default, check uninstall key presence in registry:

    • wapt-get audit;

    • wapt-get -S audit;

    • wapt-get audit <packagename>;

    • right click in waptconsole on machines or installed packages/ Audit package;

    • synthetic audit status for each machine;

    • for each installed package: last_audit_status, last_audit_on, last_audit_output, next_audit_on;

    • scheduled globally with wapt-get.ini parameter [global]:

      waptaudit_task_period = 4h

      or in package’s control file:

      audit_schedule = 1d
    • audit log displayed in waptconsole below installed package grid if Audit Status column is focused;

  • Updated python modules

  • build with Lazarus 1.8.2 instead of CodeTyphon 2.8 for the Windows executables:

    • better strings encoding handling Easier to setup for the development

Known issues

  • PostgreSQL 9.6 is required for WAPT WUA tech preview (Debian Jessie not supported);
  • WAPT 1.6 includes one more security layer in the agent to server connection. After server upgrade, the client desktops won’t be able to connect to the server as long as they have not been upgraded themselves. If you require to be able to remotely manage the WAPT agent while the agent has not yet been upgraded, it is necessary to set allow_unauthenticated_connect to True in waptserver.ini;


  • [Fix] add AD Groups as Hosts dependencies in waptconsole;
  • [Fix] remove image on reachable column if no status has been sent yet;
  • [Fix] Organizational Units WAPT packages not being installed when there are spaces in DN;
  • [Fix] Operational error when host are trying to reconnect but are not registered;
  • [Fix] fill in created_on db fields on win updates data;
  • debian server postinst: remove old pyc files;


  • Improved WAPT console setup Wizard;
  • allow_unauthenticated_connect defaults to allow_unauthenticated_registration if it is not explicitly set in waptserver.ini file (This will ease migration from 1.5 to 1.6);
  • Escape key on password edit of login moves focus to configuration combo;
  • PackageEntry.asrequirement(): removed space between package name and version specification;
  • missing install_date in insert_many for some updates;
  • add force arg for WAPTUpdateServerStatus action;
  • don’t includes in initial host’s packages inventory, and full inventory;
  • allow to use installed waptdeploy.exe without retry/ignore dialog;
  • be sure error is reported properly in socketio;
  • added package_uuid and homepage package attributes;
  • added installed on columns for host wsus updates;
  • fix WUA grid layout saving;

WAPT- (2018-07-16)

Known issues

  • PostgreSQL 9.6 is required for WAPT WUA tech preview (Debian Jessie not supported);
  • the authentication of client connections to the WAPT websockets server is not compatible with pre-1.6.2 wapt clients. During migration, if you want to keep the connection with clients, you have to disable the authentication with the parameter: allow_unauthenticated_connect = 0 in server’s configuration file waptserver.ini. When all clients have migrated, this can be removed;


  • wizard for the initial configuration of waptserver on Windows;
  • wizard for the initial configuration of waptconsole connection parameters;
  • Enterprise only: waptconsole/ private repo page: added a grid which shows the computers where the selected package is installed;
  • Enterprise only: WAPT WUA Windows Updates management technical preview:
    • activate with waptwua_enabled = 1 in wapt-get.ini file on the client;
    • scan of updates on Windows clients with the IUpdateSearcher Windows API and the wsusscan2 cab file from Microsoft;
    • additional page in WAPTconsole host inventory for Windows updates status reported (HostWsus model);
    • additional page in WAPTconsole for the consolidated view of all updates reported by hosts (WsusUpdates model);
    • periodic Task on server to check and download newer version of wsusscan2 cab file from Microsoft (daemon/ service wapttasks);
    • periodic Task on server to download missing windows updates files as reported by Windows client after scan:
      • missing files are downloaded if one of the client should install it and has not yet a copy in its local windows update cache;
      • downloads are logged in WsusDownloadTasks model;


  • added field in hosts table to keep the hashes of sent host data, so that clients can send only what needs to be updated;
  • added db_port server config parameter if posgresql server is not running on standard port 5432is not running on standard port 5432;
  • added editor optional attribute for package control, used in register_windows_uninstall helper if supplied;
  • websocket authentication with a timestamped token obtained from server with client SSL certificateom server with client SSL certificate;
  • json responses from waptserver are gzipped;


  • forced host uuid
  • forced computer AD Organizational unit
  • public certs dir
  • fix caching of negative result for certs chain validation
  • refactoring of server python modules (config, utils, auth, app, common, decorators, model, server) for the enterprise modularity;
  • fix timezone file timestamp handling for http download;

Python modules updates

  • peewee to 3.4
  • eventlet==0.23.0
  • huey 1.9.1
  • eventlet 0.20.1 -> 0.22.1


  • event: Event.wait() timeout=None argument to be compatible with upstream CPython
  • greendns: Treat /etc/hosts entries case-insensitive; Thanks to Ralf Haferkamp


  • dns: reading /etc/hosts raised DeprecationWarning for universal lines on Python 3.4+; Thanks to Chris Kerr
  • green.openssl: Drop OpenSSL.rand support; Thanks to Haikel Guemar
  • green.subprocess: keep CalledProcessError identity; Thanks to Linbing@github
  • greendns: be explicit about expecting bytes from sock.recv; Thanks to Matt Bennett
  • greendns: early socket.timeout was breaking IO retry loops
  • GreenSocket.accept does not notify_open; Thanks to orishoshan
  • patcher: set locked RLocks’ owner only when patching existing locks; Thanks to Quan Tian
  • patcher: workaround for monotonic “no suitable implementation”; Thanks to Geoffrey Thomas
  • queue: empty except was catching too much
  • socket: context manager support; Thanks to Miguel Grinberg
  • support: update monotonic 1.3 (5c0322dc559bf)
  • support: upgrade bundled dnspython to 1.16.0 (22e9de1d7957e)
  • websocket: fd leak when client did not close connection properly; Thanks to Konstantin Enchant
  • websocket: support permessage-deflate extension; Thanks to Costas Christofi and Peter Kovary
  • wsgi: close idle connections (also applies to websockets)
  • wsgi: deprecated options are one step closer to removal
  • wsgi: handle remote connection resets; Thanks to Stefan Nica


  • new timeout error API: .is_timeout=True on exception object. It’s now easy to test if network error is transient and retry is appropriate. Please spread the word and invite other libraries to support this interface.
  • hubs: use monotonic clock by default (bundled package); Thanks to Roman Podoliaka and Victor Stinner
  • dns: EVENTLET_NO_GREENDNS option is back, green is still default
  • dns: hosts file was consulted after nameservers
  • wsgi: log_output=False was not disabling startup and accepted messages
  • greenio: Fixed OSError: [WinError 10038] Socket operation on nonsocket
  • dns: EAI_NODATA was removed from RFC3493 and FreeBSD
  • fix mark_as_closed() wrong number of args
  • New feature: Add zipkin tracing to eventlet
  • db_pool: proxy Connection.set_isolation_level()
  • Flask-socketio 2.9.2 -> 3.0.1
  • python-engineio 2.0.1 -> 2.0.4
  • python-socketio 1.8.3 -> 1.9.0
  • websocket-client 0.47

WAPT- (2018-07-04)

New features

  • Audit: def audit() optional hook in package is called periodically to check compliance. Log and status is reported in server DB and displayed in console (Enterprise).
  • WSUS tech preview: based on local Windows update engine and WSUSSCAN2 cab Microsoft file. WAPT server act as a caching proxy for updates. Scanning for, downloading and applying Windows updates can be triggered from console on workstations (Enterprise). A new wapttasks process is launched on the server to download updates and wsusscan cab from Internet.

Changes / Improvements

  • Better utf8 handling
  • wapt-get make-template from a directory creates a basic installer for portable apps.
  • wapt-get, waptexit: Removed ZeroMQ message queue on the client, replaced by simple http long polling to monitor tasks status.
  • waptconsole: Replaced blocking timer based http polling for tasks status by threaded http long polling.
  • waptconsole: Filter hosts on whether current personal certificate signature is authorized for remote tasks (Enterprise). If same server is used for several organizations, it allows to focus on own machines. This supposes that different CA certificates are deployed depending on the client host’s organization. In this release, the filtering is not enforced and not cryptographically authenticated.
  • Renamed to and to, activated absolute import for all python sourced absolute import for all python sources
  • Removed use_http_proxy_for_template parameter (setting is now in [wapt-templates] repo)


  • Handle WUA tasks (Scan, download, apply updates) (Enterprise)
  • Handle Auditing tasks


  • Added a tasks queue (Huey) for the WSUS background tasks (Enterprise).
  • gzip compression activated on the nginx configuration


  • option in wapt-get.ini to hide some items :

    • hidden_wapttray_actions: comma separated list of :

    LaunchWAPTConsole register serviceenable reloadconfig cancelrunningtask cancelalltasks showtasks sessionsetup forceregister localinfo configure

  • use long polling instead of zmq

  • stop/ start/ query waptservice using a thread to avoid gui freeze.


  • waptguihelper: be sure to load the proper python27.dll
  • core: forward force argument from console to install() hook
  • overwrite psproj package file when editing a package to fix path to WAPT python virtualenv and add new debug actions.

Modules updates

  • GUI Binaries are built with Lazarus 1.8.2/ fpc 3.0.4 instead of CodeTyphon 2.8.
  • peewee 3.0.4
  • eventlet 0.23.0
  • huey 1.9.1
  • pywin32 rev 223
  • Flask-socketio 2.9.6
  • engineio.socket 2.0.4
  • websocket-client 0.47
  • pyOpenSSL 17.5.0
  • request 2.19.1

Known issues

  • unit type of packages (with AD DN style names) are not well handled by local WAPT self service, because of commas in name.

WAPT- (2018-06-21)


  • wapttray: fix av potential cause
  • improved buffer LogOuput
  • fix wait task result loop in waptserver
  • fix bad acl on waptservice
  • fix repo timeout not taken in account
  • bad parameter for repo_url and [wapt-host] section
  • waptexit AV potential cause
  • make isAdmin non blocking as a workaround for false positive checks
  • use timeout parameter when importing external package
  • pass timeout parameter when importing
  • fix bad repo_url config naming
  • fix calc hash when compiling if file does not exist
  • fix repo timeout is float
  • fix custom zip corruption when signing a package with non ascii filenames
  • fix check wapt_db is assigned when rollbacking
  • improved logging in events
  • waptconsole: fix bug installed packages section is reported as base instead of unit or host
  • ensure manual service wua running when using command line
  • Python modules updates upgrade peewee to 3.4 eventlet==0.23.0 huey 1.9.1
  • Replace eventprintinfo with LogOutput Add waptwua_enabled config parameter missing ensure_listdd waptwua_enabled config parameter missing ensure_list
  • Default waptwua_enabled to None to avoid wuauserv service configuration change
  • added missing columns for windows window updates
  • waptconsole: Add action in waptconsole to show help on KB
  • wapttray cosmetic: hide duplicated separators in tray popup menu when some actions are hidden
  • Add http_proxy ini setting for the server external download operations
  • wapttray: Start and stop WAPTservice using a thread to avoid gui freeze
  • Pure FPC PBKDF2 password hash calc for postconf
  • Refactor server code to share app and socketio instances
  • fix: forward the “force” argument (command line and through the websockets) to the install() hook
  • fix: wapttray: don’t display all missed events at tray startup
  • no default audit_period
  • Removed zeromq, replaced by long http polling between wapttray, wapt-get and waptservice

WAPT (2018-07-12)

Bug fixes

WAPT- (2018-07-04)

Bug fixes

  • fix zipfile python library bug for packages which contains files with non-ascii filenames. Signed WAPT packages were corrupted in this case.
  • fix deadlocks on server database when simultaneous DB connections is larger than 100 (default maximum connections configured by default on postgresql)
  • fix waptconsole crash on warning message when license is about to expire (Enterprise)
  • fix %s -> %d format string for expiration warning message
  • fix host_certificate not found for waptstarter
  • update waptserversetup.iss to include enterprise modules (Enterprise)
  • fix download link to waptsetup and waptdeploy on server index page for Windows

Modules updates

  • requests 2.19.1
  • Rocket 1.2.8 - Don’t try to resurrect connections that timeout. Increase the timeout … to decrease the likelihood.
    • handle PyPi only supports HTTPS/TLS downloads now
    • Fix the problem that when body is empty no terminating chunk is sent for chunked encoding.
    • Avoid sending the terminating chunk in case it’s a HEAD request.
    • Fix the problem that when body is empty no terminating chunk is sent for chunked encoding.
    • Explicitly set the log level to warning.
    • Fix bug “Threadpool grows by negative amount when max_threads = 0”
    • Don’t try to resurrect connections that timeout. Increase the timeout to decrease the likelihood.
    • handle PyPi only supports HTTPS/TLS downloads now
    • Fix the problem that when body is empty no terminating chunk is sent for chunked encoding.
    • Avoid sending the terminating chunk in case it’s a HEAD request.
    • Fix the problem that when body is empty no terminating chunk is sent for chunked encoding.
    • Explicitly set the log level to warning.
    • Fix bug “Threadpool grows by negative amount when max_threads = 0”

WAPT- (2018-03-28)


  • waptexit: Displays a custom PNG logo if one is created in %WAPT_HOME%templateswaptexit-logo.png

  • nssm.exe is signed with Tranquil IT code signing key

  • waptconsole: Add locale and maturity columns in packages status grid

  • waptconsole: wapagent wizard; be sure to get a relative path when checking cert validity

  • waptsetup: Add /CopyPackagesTrustedCA and /CopyServersTrustedCA command line parameters to allow deployment of wapt with specific certificates with GPO for wapt without recompiling waptsetup.


    c:tmpwaptdeploy –hash=e17c4eddd45d34000df0cfe64af594438b0c3e1ee9791812516f116d4f4b9fa9 –minversion= –waptsetupurl=http://buildbot/~tisadmin/wapt/latest/waptsetup.exe –setupargs=/CopyPackagesTrustedCA=c:tmptranquilit.crt –setupargs=/ –setupargs=/ –setupargs=/repo_url= –setupargs=/waptserver= –setupargs=/DIR=c:wapt

Bug fixes

  • waptconsole: regression introduced in Unable to login if server has not a fully qualified domain name (FQDN)
  • setuphelpers: winstartup_info fallback when COMMON_STARTUP folder does not exist, repeventing a client to register properly.
  • version/ revision in wapttray dispkay the git hash instead of old svn rev number.
  • waptconsole: update fr translation for certs bundle hint
  • waptconsole: compare properly packages when number of version members differs 1.3 -<> 1.3.1 for example

WAPT- (2018-03-27)

Bug fixes

  • Fix add Active Directory groups
  • Fix newest only with locale, architecture and maturity
  • Fix Import from external repository with mixed locale, architecture and maturity
  • Add –setupargs to waptdeploy
  • RPM fix
  • Enterprise build fix (Enterprise)
  • Different icons for WAPT Community and Enterprise editions
  • Switch to Community features when no licence instead of aborting (Enterprise)
  • Some up to date Installed Packages marked as upgradable because of bad comparison maturity None/ maturity ‘’
  • Depends and conflicts fields of HostsPackagesStatus table limited to 800 chars -> type changed to ArrayField to handle unlimited number of dependencies
  • git python module added as part of WAPT libraries
  • list organizational unit packages in Group package table (Enterprise)
  • fix MongoDB to PostgreSQL database upgrade script
  • fix licence/ hosts count/ expiry check (Enterprise)
  • relative path for verify_cert

Known issues

  • When waptserver is searched with DNS SRV query (dnsdomain param), Kerberos register auth is not working.

WAPT- (2018-03-13)

Global architecture

  • Multiple languages for description of packages. English, French, German, Spanish, Polish are handled as a start point. More to be added in the future.
  • The Description columns in waptconsole displays either languages depending on language setting in waptconsole.ini. In packages, description_fr, description_en, etc… have been added.
  • When renaming hosts, old host package (matching previous host uuid) is now “removed” instead of now “removed” instead of forgotten.
  • [NEW] Handle AD organizational unit packages (Enterprise edition)
  • New package attributes:
    • locale attribute : A computer can be configured to accept only packages with a specific locale.
    • maturity attribute : stores status like DEV, *PREPROD, PROD to describe the level of completion of the package. Computers can be configured to accept packages with specified maturities. Default packages maturity of computer is both the empty one and *PROD.
    • impacted_process attribute : csv list of process names which would be killed before install (install_msi_if_needed, install_exe_if_needed) and uninstall (by the mean of uninstallkey list). Could be used too in the future for “soft” upgrade remote action which upgrade softwares while they are not running.

Setup/ WAPT upgrades

WAPTupgrade package :

  • Increased lifetime for upgrade task windows scheduler trigger for computers which are down for many days when upgrading.
  • Added a trigger at start of the computer.


  • Displays the list of embedded trusted packages certificates when building the custom waptagent installer.

Bug fixes

  • handle unicode filepaths for Packages Wizard.
  • work in progress improvement of unicode handling globally in WAPTconsole.
  • fix use proxy if needed for “download and edit” from external repo


  • fix bug in create_programs_menu_shortcut and create_user_programs_menu_shortcut. Shortcuts were created in startup and not startup/programs.

WAPT- rc1 (2018-03-08)

Global architecture

There is now some additional support for packages localization.

In Package control file, the description_fr, description_en, description_de, description_pl, description_es can be used to give description in respective french, english, german, polish languages.

If not set, the base description is used.


WAPT- rc1 (2018-02-27)

Global architecture

There is a significant internal change on how python libraries are managed inside WAPT. This There is a significant internal change on how python libraries are managed inside WAPT. This has implications on the way python scripts are launched. This change is only relevant for peoples launching WAPT processes manually.

We have removed the (not clean) sys.path manipulations inside wapt python scripts sources. The consequence is that all python scripts must be run with prior setting PYTHONHOME and PYTHONPATH pointing to WAPT home directory (/opt/wapt on Linux).

Failing to do so results in scripts claiming that libraries are missing.

On Linux waptserver, libs are now in the default /opt/wapt/lib/python2.7 location instead of using non standard former one.

  • [IMP] WAPT has its own full python environment for libraries, even when debugging. Before, system wide python27 installation was needed for PyScripter to run.

    Now, PyScripter can be started with a special batch file waptpyscripter.bat which sets the environment variables for python (PYTHONHOME and PYTHONPATH) and run PyScripter with python dll path set to wapt own copy.

  • [NEW] Command line scripts with proper environment:

    • wapt-serverpostconf on Linux server to start server
    • wapt-scanpackages
    • wapt-signpackages
  • [NEW] Added some debugging commandline tools which setup python environment properly before running the python before running the python script:

    • To debug waptservice, launch in cmd as admin: runwaptservice.bat;
    • To debug waptserver, launch in cmd : runwaptserver.bat or under linux:;
    • To launch PyScripter without the need for local system wide python27 install, run waptpyscripter.bat;

WAPT client

  • [IMP] Add local wapt-get.ini settings packages_whitelist and packages_blacklist to restrict accepted packages from repository based on their package’s name;
  • [IMP] More detailed reporting off host’s repositories configuration (now includes dnsdomain, proxy, and list of trusted certificates);
  • [FIX] fixed display in the Windows task bar of the login window (to allow in particular the autofill of the password by password managers); waptagent failing to compile if keys/ certificates already exist but the certificate had been removed from C:waptssl;
  • [NEW] Handle AD organizational unit packages (Enterprise edition)
  • [IMP] Fallback to basic auth when a host is registering on waptserver if Kerberos is enabled but authentication fails.
  • [IMP] for wapt-get.exe, allow to designate configuration wapt-get.ini file with –config option with base name of user waptconsole ini file (without ini extension) instead of full path. Handy when switching between several configurations. Same behaviour as for waptconsole. Example: wapt-get -c site3 build-upload c:waptdevtest-7zip-wapt;
  • [FIX] Be sure to not loop for ever in websockets retry loop if something is wrong in host waptserver or websocket configuration.
  • [FIX] Update PyScripter project template to use project directory as parameter for debug actions, and use relative paths for filenames.
  • [FIX] Fix bad package version comparison. Return True when comparing 1.2-1 to 1.2.1-3 (note: this is not homogeneous with the Version() class behaviour. todo: merge both);
  • [FIX] waptsetup: register and update must be launched with elevated privileges. So remove runasoriginaluser option.
  • [NEW] Introduced attributes target_os and impacted_process for package’s control file. They are not yet taken in account.
  • [NEW] Introduced machinery to handle X509 client certificates authentication for repositories and waptserver (specially for public servers);
  • [NEW] Introduced classes to generate X509 CRL;


  • [UPD] setuphelpers.removetree: Try to remove readonly flag when remove_tree reach a Access Denied error.
  • [FIX] unicode handling in shell startup shortcuts.
  • [IMP] waptutils.wget can check sha1 or sh256 hashes in addition to md5, and can cache and resume partial downloads.

WAPT Console

  • [NEW] Action in WAPTconsole to plan in near future a restart of waptservice on selected Hosts.
  • [IMP] Mass host update/upgrade in waptconsole actions are now launched in single shot instead of one host at a time.
  • [NEW] Allow to force a host_dn in wapt-get.ini when host is not in a domain (Enterprise).
  • [NEW] Add timeout parameter for setuphelpers service_start, service_stop and service_restart.
  • [IMP] Group filter list box is now editable, and one can type a partial group match and press enter to filter on all matching groups. Seperator is comma (,). Handle * at the end of search to find all occurrences even if one group matches exactly.

WAPT Server

  • Add bat script migrate-hosts.bat to set environment for
  • Add script to trigger action on pre 1.5 hosts with reachable 8088 waptservice port from 1.5 server.
  • Fix registration_auth_user reset to None when reusing host certificate for re-register.
  • Removed unnecessary dependencies krb5-user, msktutil, python-psutil for waptserver package.
  • Increase client_max_body_size for http post on nginx for large update/ upgrade trigger
    • fix signature_clockskew waptserver config parameter not taken in account
    • unified loggers for server
    • have waptserver ask wapt client to update status using websockets if websocket connection is up but database is not aware of given SID (case where waptserver is restarted but Nginx is kept up, and restart of waptserver service is fast enough to not trigger a reconnection of the clients);
  • [FIX] Disable proxy for migrate-hosts;

Known issues

  • waptservice: if a system account level http proxy is defined in registry on the windows host, websocket client library tries to use it and fails to connect to the server. Workaround: make an exception for waptserver;

  • waptconsole: if a http proxy is defined in waptconsole.ini, section [global], key http_proxy, it is used by the waptconsole even if setting use_proxy_for_xxx is False Workround: set http_proxy to an empty string in waptconsole.ini;

  • when using a not self-signed personal certificate, depending of th issuer, the certificate file <private_dir>mine_cert.crt can contain the full chain (own certificate, intermediate CA, and root CA). When waptconsole asks if the certificate should be put in authorized client certificate directory (<wapt-dir>ssl), the full crt file is copied as this. This means that all certificates in crt file are authorized, and not only the personal one. This is perhaps not desired;

    Workaround: check if the personal pem encoded crt file contains the full certificates chain. If this is the case, copy in <wapt-dir>ssl only the parts of the PEM file matching the certificates you want to trust;

  • SNI is not properly handled by waptconsole code, leading to incorrect error about certificate validation on https server with virtual hosts;

  • Certificates CRL updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CRL accessible by a URL are supported;

  • proxies are not supported on the server, so CRL can not be updated properly (as far as Distribution Point is defined in certificates) if the server has no direct http access to the distribution points;

  • https certificates are verified on the clients using the bundle defined by the verify_cert ini settings. If this setting is simply True, the bundle supplied with python libraries is used to check issuers. This bundle is not updated unless WAPT is upgraded, so new issuers or no more trusted issuers are taken in account only at this point. So it is better to deploy your own CA bundle along with wapt and define the verify_cert path.

  • for rc1, on the linux server, there are broken symbolic links in lib/python2.7 folder. Next rc does not exhibit this problem;

WAPT- (2018-01-09)

  • [NEW] Historize in wapt_localstatus PostgreSQL table the dependencies and conflicts of installed packages (to provide an easy way to warn when conflicting package will be installed or should be removed);
  • [FIX] load fill certificate chain from host packages to check control (as it is the case for other types of packages);
  • [SECURITY] regression: check host package control signature right after downloading (it is checked too when starting install);
  • [FIX] regression: don’t install host package if version is lower than installed one;
  • [FIX] don’t raise an exception during session-setup if package has no;

WAPT Client

  • [FIX] intermediate CA pinning: Allow to deploy intermediate CA as authorized package CA without root CA (segragation of rules between entities);
  • [FIX] old style print statement (without parentheses) raising an error in setup-session or uninstall functions;

setuphelpers/ libraries

  • [UPD] Add cache_dir parameter to wget function;
  • [UPD] renamed cabundle parameter to trusted_bundle;
  • [NEW] Add python methods to create certificate from CSR;

WAPT Console

  • Add checkbox in create waptagent to sign with sha1 in addition to sha256 for old wapt client upgrades;
  • Force host package version to be at least equal to already installed host package (when host package is deleted, version was starting again at 0);
  • [FIX] regression: check existing host package signature before editing it;

WAPT Server

  • [FIX] Force waptserver DB structure upgrade at each server startup;
  • [UPD] Add db_connect_timeout parameter for pool of waptserver DB connections;
  • [NEW] Store depends and conflicts attributes in waptserver HostPackagesStatus PotsgreSQL table;

Known issues

  • SNI is not properly handled by waptconsole code, leading to incorrect error about certificate validation on https server with virtual hosts;
  • Certificates CRL updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CRL accessible by a URL are supported;

WAPT- (2018-01-03)

  • Quelques fallback pour permettre l’utilisation de la console WAPT sous Wine
  • Ebauche architecture plugins dans waptconsole.
  • Interface GUI pour entrer les mots de passe dans PyScripter
  • Action make-template dans installeur crée un paquet vide
  • Inclusion de la chaine de certificats du signataire dans le paquet au lieu du seul certificat final
  • IMPROVE: gestion des certificats signés par une autorité intermédiaire pour les actions de la console Wapt
  • Ajout option pour spécifier fichier de configuration pour waptconsole.
  • [FIX] SNI pour la récupération de la chaine de certificats dans waptconsole.
  • [ADD] added actions to launch mass updates/ upgrades, offer updates to the users (WAPT Enterprise);
  • F5 rafraîchit la liste des paquets
  • Changement à distance de la description de l’ordinateur
  • Possibilité de configurer plusieurs instances de serveurs Wapt sur un serveur/ VM.
  • chunked http upload pour pouvoir uploader des gros paquets sans passer par du scp.
  • Ajout installation forcée d’un paquet sur un poste dans la console.
  • Ajout option pour masquer les actions avancées (simplication affichage console)
  • CN du Certificat / clé machine sont nommés comme l’UUID.
  • Si une ou plusieurs dépendances d’un paquet ne peuvent pas être installées, le paquet parent n’est pas installé et est marqué en erreur.
  • Memory leak sur le serveur
  • Gestion timezone pour validité de certificats
  • [SECURITY] prend tous les fichiers en compte dans la vérification des hashes, pas seulement ceux dans le répertoire racine (régression apparue en 1.5 mais non présente en 1.3)

WAPT- (2017-11-16)

Architecture globale

  • [NEW] the host packages are now named with the BIOS UUID of the machine instead of the FQDN (it is possible to use the FQDN as the UUID with the parameter use_fqdn_as_uuid but it may create duplicates in the console);
  • le service waptservice écoute sur l’adresse de loopback, port 8088 et non plus sur toutes les interfaces. Cela réduit la surface d’attaque potentielle si un attaquant spoofe l’adresse IP du serveur WAPT;
  • le service waptservice crée au démarrage une connexion Websockets (Socket.IO) vers le serveur pour permettre à la console de déclencher les Update/ Upgrade / Install/ Remove ; On ne pass plus par le port 8088 du service;
  • [NEW] the Websocket requests from the WAPT console to the WAPT agents are now signed with the key of the Administrator. Before, security relied on source IP restriction and the validation of the Administrator’s login/ password;
  • la base de données d’inventaire est maintenant une base PostgreSQL en remplacement de MongoDB. Cela facilite le requêtage pour un reporting personnalisé, le langage SQL étant mieux connu des administrateurs système ;
  • l’affichage dans la console d’un grand nombre de machines a été amélioré. L’affichage de plusieurs milliers de machines n’est plus un problème ;
  • modifier la configuration d’un grand nombre de machines a été rendu largement plus performant ;
  • la reprise d’un téléchargement partiel de paquet est maintenant possible (interruption lors de l’arrêt …) ;
  • les clés privées doivent maintenant obligatoirement être protégées avec un mot de passe ;

Console WAPT

  • passage en Websockets ;
  • gestion des écrans de haute résolution (ex: écrans 4k) ;
  • modernisation des jeux d’icônes dans la console ;
  • changement à la volée de la description du poste ;
  • option pour changer le mot de passe d’une clé ;

Format des paquets

  • la présence du fichier est optionnelle (plus particulièrement, il n’est pas nécessaire pour les paquets groupes et machines qui ne contiennent que des dépendances) ;
  • [NEW] if the package contains a file, it MUST be signed with a Code Signing certificate, otherwise the package WILL NOT be installed. The roles are now differenciated between the role of the Package Deployer (allowed to sign group and host packages) and the role of Package Developer (allowed to sign group, host AND base packages);
  • lors de la signature du paquet, le certificat du signataire est ajouté dans le paquet (WAPT/certificate.crt) ;
  • le fichier manifest est renommé manifest.sha256 au lieu de manifest.sha1 et signature.sha256 au lieu de signature ;
  • ajout des attributs suivants au fichier control :
    • signed_attributes : pour la fiabilité de la vérification
    • min_wapt_version : le paquet est ignoré (et ne s’installe pas) si wapt n’est pas au moins à cette version
    • installed_size : le paquet ne s’installe pas s’il n’y a pas au moins cet espace disponible sur le disque système
    • max_os_version : le paquet est ignoré si Windows a une version supérieure à cet attribut
    • min_os_version : le paquet est ignoré si Windows a une version inférieure à cet attribut
    • maturity :
    • locale :

Configuration générale des agents

  • section explicite [wapt-host] pour le dépôt des paquets machines sinon l’url est déduite de <repo_url>+’-host’ ;
  • section explicite [wapt] pour le dépôt principal, sinon <repo_url> est pris en compte ;
  • vérification des certificats activée par défaut pour toutes les connexions https ;
  • signature avec du sha256 au lieu de sha1 ;
  • prise en compte de paquets signés avec des certificats délivrés par une autorité, déploiement uniquement du certificat de l’autorité ;
  • utilisation de l’UUID du client pour le nom des paquets machine au lieu du FQDN ;
  • possibilité d’utiliser le FQDN comme UUID au lieu de l’UUID du Bios. (paramètre use_fqdn_as_uuid) (ou uuid forcé : paramètre forced_uuid) ;
  • lorsqu’on signe, on désigne le signataire par son certificat et non sa clé privée. La clé privée est recherchée par wapt dans le même répertoire que le certificat personnel. On incite à avoir un certificat par personne agissant sur WAPT ;
  • possibilité de prendre en compte la révocation de certificats (la CRL est fournie aux poste lors de l’update, dans le fichier Packages) ;
  • re-signature possible sous Linux avec la commande ;
  • installation dans Program Files(x86) par défaut ;


  • running_as_admin, running_as_system ;
  • correctif sur add_shutdown_script ;
  • ajout paramètre remove_old_version pour install_msi_if_needed et install_exe_if_needed ;


  • ajout fonction update-package-sources qui lance la fonction optionnelle update_package() du paquet ;
  • remplacement de l’option –private-key par l’option –certificate pour désigner le certificat à utiliser pour signer le paquet. La clé privée est recherchée dans le même répertoire que le certificat ;
  • remplacement du fichier WAPT/wapt.psproj à chaque édition d’un paquet (pour mettre à jour le chemin vers les modules WAPT suivant l’installation dans C:wapt ou C:Program Files (x86)wapt) ;
  • vérification du certificat serveur lors du enable-check-certificate pour éviter de mauvaises configurations ;


  • ajout options
Usage: wapt-signpackages -c crtfile package1 package2

Re-sign a list of packages

  -h, --help            show this help message and exit
  -c PUBLIC_KEY, --certificate=PUBLIC_KEY
                        Path to the PEM RSA certificate to embed identitiy in
                        control. (default: )
  -k PRIVATE_KEY, --private-key=PRIVATE_KEY
                        Path to the PEM RSA private key to sign packages.
                        (default: )
  -l LOGLEVEL, --loglevel=LOGLEVEL
                        Loglevel (default: warning)
  -i, --if-needed       Re-sign package only if needed (default: warning)
  -m MD, --message-digest=MD
                        Message digest type for signatures.  (default: sha256)
  -s, --scan-packages   Rescan packages and update local Packages index after
                        signing.  (default: False)

Console WAPT

  • [NEW] all actions sent to the hosts are signed with the Administrator’s key;
  • [NEW] generation of a key / certificate pair signed by a Certificate Authority (WAPT Enterprise);
  • option de créer un certificat Code Signing ou non (version Enterprise);
  • option pour changer le mot de passe d’une clé RSA ;
  • option de vérification des certificats lors de la création du waptagent ;
  • lancement TISHelp (version Enterprise) ;
  • limitation du nombre de machines retournées dans la console ;
  • ajout filtre reachable = poste connecté au serveur WAPT ;
  • possibilité de changer la description du poste


  • authentification sur une base LDAP (version Enterprise) ;
  • utilisation des Websockets pour les actions ;


  • le Webservice http de waptservice écoute uniquement sur la loopback (donc plus de vérification si port 8088 ouvert sur firewall..) ;
  • le waptservice se connecte en websocket au serveur WAPT si le paramètre waptserver est présent dans wapt-get.ini ;
  • le paramètre websockets_verify_cert active la vérification SSL du certificat pour la connexion websockets ;
  • affichage de liste des certificats / CA autorisés pour les paquets ;
  • affichage signataire paquet ;
  • [NEW] allow_user_service_restart parameter allows a standard user to restart the WAPT service on her computer;
  • lancement de tishelp en mode service par URL /tishelp ;

Installeur waptagent

  • suppression installation msvcrt ;
  • restent uniquement 2 options : installer le service et lancer wapttray ;
  • options pour une installation silencieuse :
    • dnsdomain pour la recherche auto wapt et waptserver
    • wapt_server
    • repo_url
  • waptupgrade fait systématiquement une installation complète (pas d’installation incrémentale) ;

Améliorations ->

  • pas obligatoire pour uninstall ;
  • chemin unicode pour édition de paquets ;
  • corrigé la recherche de dépots en s’appuyant sur les DNS ;
  • corrigé \0000 pour PostgreSQL ;
  • introduit une option pour avoir une double signature sha1 et sha256 ;
  • vérification https pour upload waptagent ;
  • option –if-needed dans wapt-signpackages ;
  • fix proxy dans import paquets ;
  • gestion des révocations de certificats (CRL) ;
  • fix attributs requis dans signature actions ;
  • max_clients ;
  • fix option sans serveur (waptstarter) ;
  • ajout lancement tishelp ;
  • force update à l’installation ;

WAPT-1.4.0 (2017-05-05)

  • pas de release officielle ;
  • [NEW] migration sur la base PostgreSQL à la place de MongoDB ;

WAPT-1.3.13 (2017-07-25)

Security fix

  • régression : Package files content check was skipped if signature of manifest and Packages index file checksum was ok. This regression affects all 1.3.12 releases, but not WAPT <= 1.3.9 and >= upcoming 1.5. In order to exploit this bug, one would need to tamper the Packages files either through a MITM (if you do not have valid https certificate check) or a root access on the WAPT server.

Other changes

  • compatibility with packages signed with upcoming WAPT 1.5. With WAPT 1.5, package are signed with sha256 hashes. An option allows to sign them with sha1 too so that they can be used with WAPT 1.3 without signing them again.
  • new package certificate for Tranquil IT packages. previous certificate for package on has expired. all packages on has been signed again with new key / certificate with both sha1 and sha256 hashes, and WAPT 1.5 signature style (control data is signed as well as files)
  • fix for local GPO add_shutdown_script() function (thanks jf-guillou !)
  • fix for waptsetup.exe postinstall actions (update / register) when running waptsetup.exe installer without elevated priviledges: added runascurrentuser flag
  • remove needless python libraries to make install package slimmer

WAPT (2017-06-26)

Console WAPT

  • [NEW] Assistant de création de paquets à partir d’un fichier MSI ou d’un Exe ;
  • [NEW] Option dans le menu Outils ou par drag drop dans l’onglet dépôt privé ;
  • [NEW] Découverte des options silencieuses ;
  • [NEW] Utilisation des fonctions install_exe_if_needed et install_msi_if_needed au lieu d’un simple run() pour les exes et les MSI (plusieurs templates de dans C:wapttemplates) ;
  • [NEW] Amélioration significative de la vitesse de modification en masse des paquets machines ;
  • [NEW] Vérification optionnelle de la signature des paquets que l’on importe d’un dépôt extérieur. La liste des certificats autorisés se trouve par défaut dans %APPDATA%waptconsolessl et peut-être précisée dans les paramètres de la waptconsole. Le paramètre ini se nomme authorized_certs_dir. Sinon, les certificats autorisés sont ceux dans C:waptssl ;
  • [NEW] Vérification optionnelle du certificat https pour les dépôts extérieurs dans la console ;
  • [NEW] Vérification de la signature des paquets machines, groupes et logiciels avant leur modification dans la console ou dans PyScripter ;
  • [NEW] Lors de l’import d’un dépôt extérieur, possibilité d’éditer le paquet pour inspection plutôt que de le charger directement sur le dépôt de production ;
  • [NEW] Changement des URL relatives à la documentation. ;
  • [NEW] Possibilité d’actualiser le certificat sans recréer la paire de clés RSA (en particulier pour préciser un Common Name correct, qui apparaît comme le signataire des paquets) ;
  • [NEW] HTTPS par défaut pour les URL de dépot.

Autres correctifs

  • [FIX] Paramètre AppNoConsole:1 pour NSSM (waptservice / waptserver) pour permettre le fonctionnement sur Windows 10 Creators Updates ;
  • [FIX] Problème de fichier Zip qui restent verrouillés si une erreur est déclenchée ;
  • [FIX] Suppression répertoire temporaire lors de l’annulation d’édition d’un groupe ;
  • [FIX] Gestion espace dans les fichiers de projet PyScripter ;
  • [FIX] Gestion utf8 / unicode pour certaines fonctions ;
  • [FIX] Fix gestion encoding quand run_not_fatal() renvoie une errreur ;
  • [FIX] remplacement librairie mongo.bson par json natif de python ,
  • [FIX] bug dans la synchro des groupes AD avec les paquets WAPT ;
  • [FIX] bug “La clé privée n’existe pas” la première fois qu’elle est renseignée si on ne redémarre pas la console ;
  • [FIX] bug “redémarrage service wapt” (merci à QGull) ;
  • [FIX] possibilité d’avoir des majuscules dans les noms de paquet (toutefois pas recommandé, les noms des paquets sont sensibles à la casse) ;
  • [FIX] quelques actualisation des exemples de configuration wapt-get.ini.tmpl
  • [FIX] la compilation du waptagent échoue si les clés / certificats existent déjà mais que le certificat a été supprimé de C:waptssl ;
  • [FIX] affichage dans la barre des tâches de la fenêtre de login (pour permettre en particulier l’autofill par des gestionnaires de mot de passe) ;

WAPT (2017-04-11)

  • [FIX] Argument shell = True was not explicitly passed to the underlying function as it occurred on previous versions.

WAPT 1.3.9 (2017-03-03)


  • [FIX] update code to follow more PEP8 recommandations;
  • [FIX] upgradedb locks sqlite database issue;
  • [FIX] Fix broken DNS SRV record discovery;
  • [FIX] Fix unicode handling of signer / CN / organisation in certificates;
  • [FIX] Unzipped netifaces module;


  • [NEW] Expands wildcards args for install, show, build-package, sign-package;
  • [FIX] Fix show-params wapt-get command;
  • [FIX] Fix register with description not working on some computers;
  • [FIX] Fix broken -c –config option;

Added setuphelpers functions

  • [NEW] reg_key_exists ;
  • [NEW] reg_value_exists ;
  • [NEW] run_powershell ;
  • [NEW] remove_metroapp ;
  • [NEW] local_users_profiles ;
  • [NEW] get_profiles_users ;
  • [NEW] get_last_logged_on_user ;
  • [NEW] get_user_from_sid ;
  • [NEW] get_profile_path ;
  • [NEW] wua_agent_version ;
  • [NEW] local_admins ;
  • [NEW] local_group_memberships ;
  • [NEW] local_group_members ;

Modified helpers

  • [IMP] command:run : explicit default values for run command help in PyScripter. Added return_stderr argument (overloaded str object);
  • [FIX] run_notfatal : fix unicode issue in use wmi module for wmi_info_basic instead of wmic shell command;
  • [IMP] make_path : improved when first argument is a drive. Be smart if an argument is a callable;
  • [FIX] CalledProcessError : restored command:CalledProcessError alias;
  • [ADD] host_infos : added profiles_users, last_logged_on_user, local_administrators, wua_agent_version attributes;
  • [IMP] ensure_unicode : return None if None, for bytes strings, try utf8 decoding before system locale decoding;

Console WAPT

  • [FIX] restore allowed lowercase/uppercase package naming;

  • [ADD] 4 host popup menu actions:

    • Computer Mgmt;
    • Computer Users;
    • Computer Services;
    • RemoteAssist;
  • [FIX] fixed other issues in the WAPT console:

    • Don’t search host while typing;
    • utf8 search (accents…);
    • utf8 compare;
    • try to get localized versions of special folders;


  • [ADD] waptpythonw.exe binary in distribution for console less python scripts (to avoid having cmd.exe windows poping up when invoking a python script);
  • [FIX] change default wapt templates URL to;
  • [FIX] when upgrading, (full waptagent.exe install) remove stalled waptagent.exe installs;

WAPT (2016-11-18)


  • [SEC] Fix inheritance of rights on wapt root folder for Windows 10 during setup when installed in C:wapt. On Windows 10, cacls.exe does not work and does not remove “Authenticated Users” from C:wapt. cacls.exe has been replaced by icacls.exe:

    • on pre-wapt 1.3.7 systems, you can fix this by running the following command, or upgrade to wapt 1.3.8 (you may check icacls.exe c:wapt /inheritance:r)
    • This can be achieved with a GPO, or a wapt package
  • [IMP] in next versions of WAPT, the default install path of wapt will be changed from root folder C:wapt to a more standard C:Program Files (x86)wapt.

  • [IMP] By default, waptsetup.exe / waptsetup-tis.exe do not distribute certificates to avoid to deploy directly packages from Tranquil IT. waptagent.exe by default distributes the certificates that are installed on the mangement desktop creating the waptagent.

Core changes

  • [IMP] The database structure has changed between 1.3.8 and to include additional attributes from packages : signer, signer_fingerprint, locale, and maturity. signer and signer_fingerprint are populated when signing the package to identify the origin. This means local WAPT database is upgraded when first starting WAPT and this is not backward compatible;
  • [IMP] Installers have a limited set of options, the most common use of WAPT is priviledged;
  • [ADD] 3 new parameters for the waptexit policy behaviour : hiberboot_enabled, max_gpo_script_wait, pre_shutdown_timeout. These parameters are not set by default and should be added to wapt-get.ini [global] section if needed;
  • [IMP] Use user’s waptconsole.ini configuration file instead of wapt-get.ini for the commands targeted to package development (sources, make-template, make-host-template, make-group-template, build-package, sign-package, build-upload, duplicate, edit, edit-host, upload-package, update-packages. This avoids the need to write these parameters in wapt-get.ini on the development workstation. These parameters are not shared across multiple users on same machine. One use case is to allow multiple profiles (key, upload location) depending on the maturity of package (development, test, production…);


  • [ADD] helper functions dir_is_empty, file_is_locked, service_restart and WindowsVersions class
  • [IMP] Added referer and user_agent in wget and wgets
  • [IMP] run function : define stdin as PIPE to avoid lockup process waiting for input or error like unable to duplicate handle when using for example powershell
  • [IMP] Version class : try to compare version using at least Version.members_count
  • [FIX] encoding fixes for registry functions, fix encoding for registry_setstring key name
  • [FIX] install_exe_if_needed : don’t check uninstall_key or min_version if not provided
  • [FIX] install_exe_if_needed and install_msi_if_needed version check if –force
  • [UPD] Check version and uninstall key after install with install_exe_if_needed and install_msi_if_needed
  • [UPD] inventory includes informations from WMI.Win32_OperatingSystem
  • [ADD] get_disk_free_space helper function
  • [UPD] check free disk space when downloading with wget. check http status before.
  • [UPD] Version class : Version(‘7’)<Version(‘7.1’) should return True


  • [ADD] 2 commands to get server SSL certificate and activate the certificate checking when using https with waptserver
  • [FIX] get_sources to allow svn checkout of a new package project
  • [FIX] register problems with some BIOS with bitmaps
  • [UPD] Check uninstall key after package install if uninstallkey is provided
  • [FIX] added compatibility OS in manifest file for wapt-get and waptconsole version windows
  • [FIX] erroneous error messages for session-setup in the WAPT console
  • [UPD] add “pattern” parameter to all_files function
  • [FIX] Install Date incorrectly registered by register_uninstall
  • [ADD] user_local_appdata function
  • [ADD] add the signer CN and signer_fingerprint to control file when building package
  • [ADD] add control attributes min_wapt_version to trigger an exception if Package requires a minimum level of libraries. The version is checked againts ‘s __version__ attribute.
  • [ADD] authorized_certificates attribute is sent to the WAPT server. It contains the list of host’s signer certificates distributed on the host
  • [FIX] When signing, check if WAPT zip file has already a signature file. (python zipfile can not replace the file inline)


  • [ADD] Show All Versions checkbox in Available Packages page
  • [UPD] Skin updated
  • [ADD] Filter searchbox for available packages


  • [ADD] Add NOT checkbox for keywords search in waptconsole to search for hosts NOT having a specific package or software…
  • [FIX] fix integer limit for grid display of package size, use int64 for size of packages in waptconsole.
  • [UPD] don’t list packages of section “restricted” in local webservice available packages list
  • [UPD] Common Name attribute should be populated now, so that signer identity is not None in package control file.
  • [ADD] signer’s identity column in packages grid
  • [FIX] escape quotes in package’s description
  • [ADD] Check waptagent.exe version against waptsetup-tis version at waptconsole startup.
  • [UPD] try to display a progress dialog at waptconsole startup
  • [FIX] company not set when building customized waptagent.exe
  • [ADD] initialize Organization in waptagent.exe build with CN from certificate.


  • [UPD] some text introduction changes


  • [NEW] Limit trayicon balloon popup when Windows version is above Windows 7 or if notify_user = 0 in wapt-get.ini


  • [UPD] Use broadcast address on interface for wakeonlan call
  • [FIX] remove the check of wapt server password which prevents the proper registration of waptserver on Windows.
  • [UPD] when upgrading, reuse existing waptserver.ini file if it already exists, don’t overwrite server_uuid and ask for password reset if it already exists

waptdeploy waptupgrade

  • [FIX] waptdeploy not working on WinXP removed DisableWow64FileSystemRedir on runtask.
  • [FIX] waptupgrade : Missing quotes for system account on Windows XP


  • [ADD] BeautifulSoup for wapt packages auto updates tasks
  • [UPD] winsys library update to ‘1.0b1’

WAPT (2015-05-05)

  • [ADD] UUID parameter for direct requests to hosts from the WAPT Server;
  • [ADD] allow host to refuse request if not right target (if ip has changed since last update_status for example)
  • [ADD] fallback on waptserver usage_statictics if mongodb lacks aggregate support
  • [IMP] register host on server in postconf using waptservice http instead of command line wapt-get

WAPT 1.2.2 (2015-04-22)

WAPT 1.2.1 (2015-03-26)

Console WAPT

  • [ADD] combobox for filtering on groups in waptconsole.
  • [ADD] Add ADS Groups as packages action to WAPT host selection popup menu
  • [ADD] cleancache action to clean local waptconsole packages cache
  • [ADD] added notify_server on network reconfiguration if waptserver is available;
  • [IMP] column groups shows only host’s direct dependencies with package’s section == “group” instead of all direct dependencies.
  • [ADD] optional anonymous statistics (nb of machines, nb of packages, age of updates…) sent to Tranquil IT to document the communication around WAPT (sent by waptconsole at most every 24h)
  • [IMP] improved mass hosts delete,
  • [ADD] delete hosts package action. server >=1.2.2 only :
  • [IMP] big packages uploads (write uploaded packages by chunk) (but still some issues on 32bits servers due to uwsgi)
  • [IMP] display version of mismatch when editing package
  • [FIX] host’s packages not saved when some dependencies don’t exist anymore
  • [FIX] restore working Cancel running task button
  • [FIX] canceling subprocesses not working in freepascal apps (when waiting for InnoSetup compile for example)

wapt-get / waptservice

  • [ADD] reset-uuid and generate-uuid for duplicated UUID issues
  • [IMP] find_wapt_repo_url processus to avoid waiting for all repos if one repo is ok (improved response time in buggy networks)
  • [IMP] windows DNS resolver in wapt client (python part) instead of pure python resolver. Should reduce issues when multiple network cards or inactive network connections.
  • [IMP] changed priority of server discovery using SRV dns records. -> first priority ascending and weight descending. -> comply with standards.
  • [FIX] solved some issues with SQLite and threads in local waptservice
  • [IMP] explicit transaction handling and isolation_level = None for local waptDB (to try to avoid locks)
  • [IMP] teardown handler for waptservice to commit or rollback thread local connections
  • [FIX] for waptrepo detection in freepascal parts : same processus as python part.
  • [FIX] for edit_package when supplying a wapt filename instead of package request


  • [ADD] read the docs theme for sphinx setuphelpers API documentation. WIP
  • [ADD] _all_ list to avoid importing unecessary names in modules. Now only functions defined in setuphelpers are available when importing setuphelpers. This can break some WAPT packages if names were indirectly imported through setuphelpers module.
  • [ADD] need_install, install_exe_if_needed, install_msi_if_needed functions to setuphelpers
  • [ADD] local_desktops function
  • [FIX] version class instances accept to be compared to str
  • [REM] processnames_list which is unused in setuphelpers
  • [ADD] add_ads_groups and get_computer_groups to
  • [FIX] run helper
  • [FIX] on_write callback not working
  • [FIX] TimeoutExpired not formatted properly
  • [FIX] use closure for registry keys


  • [IMP] waptdeploy with more command line options (in particular tasks to merge to default innosetup selected tasks)
  • [FIX] waptrepo detection using dns records


  • [FIX] waptagent upload error on windows
  • [FIX] debian packages should work for Jessie
  • [IMP] copytree2 for waptupgrade
  • [FIX] trap exception for version check on copy of exe and dll
  • [FIX] mongodb-server version should be >= 2.4

WAPT-1.1.1 (2015-02-26)

Console WAPT

  • [IMP] the loading of the main grid has been optimized; only configured coumns are displayed;
  • [IMP] the WAPT server detects the hosts whose waptservice is listening. Their Reachable status is shown with a green / grey indicator;
  • [IMP] the WAPT package to upgrade WAPT on hosts (???-waptupgrade.wapt) is generated by the WAPT console at the same time as the WAPT agent installer (waptagent.exe), the two files are then uploaded on the WAPT server;
  • [ADD] the package dependencies of each host are displayed in the grid. This allows to see what hosts have no package;
  • [ADD] possibility to trigger available package upgrades on hosts that are listening from the WAPT console. In that case, the host sends its status to the WAPT server after the upgrade;
  • [ADD] possibility to filter hosts in the WAPT console according to their upgrade status or whether they are “reachable” or not,
  • [ADD] when packages are flagged for install but are not yet installed on a host, they appear with a blue “+” indicator. It is then possible to force the immediate install of the package with a right-click;


  • [ADD] cleaning of the cache on the hosts after each successful upgrade;


  • [ADD] the versions of the WAPT agent, WAPT Server are shown in the main web page of the WAPT Server (with a red indicator if there is a problem);

Création de paquets

  • [ADD] functions to setuphelpers to manage shortcuts:
    • remove_desktop_shortcut;
    • remove_user_desktop_shortcut;
    • remove_programs_menu_shortcut;
    • remove_user_programs_menu_shortcut;


  • [IMP] verification of used ports during the post-configuration of WAPT Server on a Windows machine;


  • [IMP] the waptserver no longer listen on 8080 port by default.

    The Apache frontal web server listens in HTTP and HTTPS and relays action calls to the python waptservice that only listens locally.

    It is therefore necessary to update wapt-get.ini files on WAPT agents and to replace wapt_server = http://monserveurwapt:8080 with wapt_server = https://monserveurwapt.

    If you can not make that change to your WAPT agents, it is possible to return to the previous behavior.

    On Debian, edit the file /opt/wapt/waptserver/waptserver.ini, and in the [uwsgi] section, put:

    http-socket =

    On Windows, edit C:waptwaptserverwaptserver.ini and replace:

    server = Rocket(('', port), 'wsgi', {"wsgi_app":app})


    server = Rocket(('', port), 'wsgi', {"wsgi_app":app})

    The repository may stay in HTTP on port 80.

    The calls to the WAPT Server are authenticated, but it is advized to restrict access to authorized sub-networks with a firewall.

  • [IMP] json calls to the webservice of the WAPT Server are now standardized;

  • [IMP] when launching command:update / command:upgrade / command:remove / command:forget / command:tasks_status actions from the WAPT console, the IP address of the host is no longer sent, but instead its UUID, and it is the WAPT Server that finds the IP address and the port to use; et c’est le serveur wapt qui s’occupe de déterminer quelle IP / port utiliser;

  • [ADD] verification in the WAPT console that the version of the WAPT Server is sufficient;

  • [ADD] the timeout to connect to WAPT agents and read the data are configurable in waptserver.ini;

WAPT-1.0 (2015-01-31)

  • [ADD] first public version of WAPT