using latest version instead of version number about winget-pkgs HOT 7 CLOSED

We are running a background process to check and see if the "Sha256" for an installer is still valid for the manifests. There is still work to automatically generate new manifests when files change.

One of the primary use cases for package managers is to be able to install a specific version of a package. If we only have access to a "latest" version of a package from the source, this creates challenges. We're considering additional meta-data in the manifest to identify these kinds of packages.

from winget-pkgs.

We've introduced automation to generate a valid manifest with the correct hash with the installer has changed at the URL provided by a manifest.

from winget-pkgs.

Related discussion: https://github.com/microsoft/winget-pkgs/issues/278

from winget-pkgs.

The challenge here is the SHA256 hash of the installer. The "latest" manifest would become invalid as soon as the newer "version" showed up with a different hash. We also run static analysis on any binary before it is included in the repository.

May users are intentional about wanting specific versions of software.

from winget-pkgs.

How about including a list of versions inside the manifest?
There could be a 'lastest' version and then also additional, fixed versions if there are download URLs for those.

This would sovle the problem of wrong version numbers if there's only a dynamic download URL where a specific version can't be selected.

It would also enable functionality like winget show <app-name> --versions to list all available versions and executing winget install <app-name> -v 'x.x.x'.

The static versions could be kept up-to-date, but this solution would prevent packages from becoming outdated simply because the latest version hasn't been pushed to the repo yet, which sometimes is the case with (linux) package managers.

from winget-pkgs.

VLC is interesting in that the SHA is located next to the download for latest. I don't know if this is a common pattern, but would a SHA at the same directory of the download be an avenue to consider?

from winget-pkgs.

@Chaphasilor we're looking at a few options, but we're likely to avoid trying to list every version of a package in a single manifest. Any time any of them changed, or became unavailable, we'd have to modify the manifest. We do list the versions for all current manifests:

'winget show vscode --versions'
'winget show --name Git -e --versions'

from winget-pkgs.