
Comments (8)

vexx32 commented on May 17, 2024 3

Great! However, as this blog post candidly outlines, Smart Screen will effectively block any and all independent publishers from utilizing WinGet. Yes, even if they get their code signed, at personal expense.

https://getimageview.net/2020/06/02/microsoft-defender-smartscreen-is-hurting-independent-developers/

I don't think it's reasonable by any stretch that WinGet will effectively completely block a majority of smaller/independent developers from utilizing it as a platform to deploy their software.

Looking at other package managers, even on Linux, this is a pretty unusual stance to take and severely limits potential contributors both to the packages repository as well as (I would imagine, though yes, I am only speculating) the WinGet application itself.

from winget-pkgs.

chausner commented on May 17, 2024 2

As part of the validation, the installers are checked with SmartScreen.


DustinKingen commented on May 17, 2024 1

@vexx32 I agree. Especially since third parties will be hosting the binaries and they can potentially be compromised for any version of the manifest.


vexx32 commented on May 17, 2024

Yeah, I'm pretty concerned that all the documentation and responses I've seen indicate that the WinGet team seems to think that validating a manifest ensures that a package can be trusted.

A manifest is metadata. Metadata isn't what causes security breaches in the vast, vast majority of cases.

A serious, concerted effort to validate that malicious code isn't somehow snuck into one of the packages with a valid manifest needs to be made. Virus scanning should be a must-have.


jamierocks commented on May 17, 2024

> I agree. Especially since third parties will be hosting the binaries and they can potentially be compromised for any version of the manifest.

This would only be an issue if they are compromised before being added without being noticed though, as the sha256 checksum is recorded in the manifest.

Compromised files should be noticed by humans, but SmartScreen should be a good defense against those that fall through the cracks.

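The check jamierocks describes above, as an added example that is not part of the thread and not WinGet's own validation code: the manifest pins an `InstallerSha256`, so a client can detect a binary that was swapped on the third-party host after submission, but the same check says nothing about whether the bytes were clean when the hash was recorded. The manifest text, package name, URL and installer bytes below are constructed stand-ins; only the `InstallerSha256` field name follows the real winget installer-manifest schema.

```python
"""Verify a downloaded installer against the SHA-256 pinned in a winget manifest.

Added example, not code from the winget-pkgs project. Demonstrates why a pinned
hash catches post-submission tampering on the download host but cannot catch a
binary that was already malicious when the manifest was merged.
"""
import hashlib
import hmac
import re

# Constructed sample: a trimmed winget installer manifest with placeholder
# package identifier and URL (example.invalid is reserved and never resolves).
MANIFEST_TEMPLATE = """\
PackageIdentifier: Example.Tool
PackageVersion: 1.0.0
Installers:
  - Architecture: x64
    InstallerType: exe
    InstallerUrl: https://example.invalid/tool-1.0.0-x64.exe
    InstallerSha256: {sha}
ManifestType: installer
ManifestVersion: 1.0.0
"""

# Constructed stand-in for the bytes a third-party host serves (not a real PE).
GOOD_INSTALLER = b"MZ\x90\x00" + b"example installer payload " * 64

# winget manifests write the digest as 64 uppercase hex characters.
_SHA256_LINE = re.compile(r"^\s*InstallerSha256:\s*([0-9A-Fa-f]{64})\s*$", re.MULTILINE)


def sha256_hex(data: bytes) -> str:
    """Uppercase hex SHA-256, matching the manifest convention."""
    return hashlib.sha256(data).hexdigest().upper()


def build_manifest(installer: bytes) -> str:
    """Produce the manifest a submitter would generate for these exact bytes."""
    return MANIFEST_TEMPLATE.format(sha=sha256_hex(installer))


def pinned_hashes(manifest_text: str) -> list[str]:
    """Extract every InstallerSha256 value (one per installer entry)."""
    return [m.group(1).upper() for m in _SHA256_LINE.finditer(manifest_text)]


def verify_installer(manifest_text: str, downloaded: bytes) -> bool:
    """True only if the downloaded bytes match a hash pinned in the manifest.

    compare_digest avoids a timing side channel; irrelevant for a public hash,
    but it is the idiomatic way to compare digests and costs nothing.
    """
    actual = sha256_hex(downloaded)
    pins = pinned_hashes(manifest_text)
    if not pins:
        # A manifest with no pinned hash gives the client nothing to check.
        return False
    return any(hmac.compare_digest(actual, pin) for pin in pins)


def post_submission_swap_detected() -> bool:
    """Host swaps the binary after the manifest was merged: hash check fails."""
    manifest = build_manifest(GOOD_INSTALLER)
    tampered = GOOD_INSTALLER.replace(b"payload", b"malware")
    return not verify_installer(manifest, tampered)


def pre_submission_compromise_detected() -> bool:
    """Binary was already malicious when submitted: the pin matches, so the
    hash check passes and cannot flag it. This is the gap the thread is about;
    only scanning the bytes themselves (SmartScreen, static analysis) can help."""
    already_bad = GOOD_INSTALLER.replace(b"payload", b"malware")
    manifest = build_manifest(already_bad)  # submitter hashed the bad bytes
    return not verify_installer(manifest, already_bad)  # False: not detected


if __name__ == "__main__":
    print("good installer verifies:", verify_installer(build_manifest(GOOD_INSTALLER), GOOD_INSTALLER))
    print("post-submission swap caught:", post_submission_swap_detected())
    print("pre-submission compromise caught:", pre_submission_compromise_detected())
```

`verify_installer` returns False for a manifest with no `InstallerSha256` rather than treating "nothing to check" as success; a client that does otherwise silently downgrades to trusting whatever the host serves.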

denelon commented on May 17, 2024

In addition to SmartScreen, we are performing static analysis of the binary for malware and additional validation steps as we work towards update and uninstall capabilities. One of our next activities will be open sourcing the validation pipeline to help bring additional transparency and trust behind the community repository. Some of what we are doing is covered in the blog post.

https://devblogs.microsoft.com/commandline/windows-package-manager-preview/


vexx32 commented on May 17, 2024

@DustinKingen should this be taken as a confirmation that tools written by independent developers are simply not at all supported/in scope for WinGet?


DustinKingen commented on May 17, 2024

@vexx32 I closed this issue since it’s two months old.

I’m not a WinGet maintainer so I won’t be able to address your question.
