I am breaking the silence to get the word out (to those loyal souls that still aggregate my blog) about 2 articles on VSTO deployment. First article is an in depth overview of VSTO deployment models and proposed solutions. The second one is a complete walkthrough for setup project creation with code samples. Most important - this is a must read for every VSTO developer. If your setup does not install pre-requisites - tons of people won't be able to use your add-in. If your setup does not make sure PIAs are on the machine - tons of people won't be able to use your add-in. If your setup does not deploy CAS policies correctly - tons of people ... But If your setup does deploy CAS policy incorrectly and allows evil hackers take control over the machine - you are done (if you are not Microsoft, of course:)). The articles address all these points.
Deployment is VSTO's pain point. Part of it is because of the extremely scrutinous security model. Another part is because of our initial desire to support ClickOnce-like capabilities for offline scenarios when ClickOnce was not ready yet to support VSTO-like solutions. The above articles do not remove the pain but help controlling it. In the future we are loooking at removing it at all and making deployment complete part of VSTO experience as it should be - easy and sometimes pleasantly surprising :).
Any development in this area should not go without mentioning some excellent work that has been done by VSTO community. In the past Mads Nissen (helped by Peter Jausovec ) posted a solution for VSTO deployment. What Mads has done is very good work even though it suggested to manipulate CAS policies using the CAS APIs (Peter Torr would not be very happy about this because manipulating security APIs directly is prone to errors. And security bugs may be very costly to both you and your customer).
Finally I wanted to congratulate my colleagues Lubo, Darryn and McLean for getting this article out.