Too easy. Microsoft introduces moderation for Winget package repo after spike in bad submissions

Belated recognition that maybe, just maybe, someone should check submissions to official Windows package receptacle


Microsoft has introduced human moderation for packages submitted to the repository for its newly released Winget package manager, following a spike in duplicate and/or bad submissions.

The Windows Package Manager, also known as Winget, was released during Microsoft's Build event last week. At the time, senior program manager Demitrius Nelon made a point of how easy it was to submit packages to the repository, introducing a tool called the Windows Package Manager Manifest Creator.

Users simply run the tool, providing the URL to the installer for the target package. "Then the tool will download the installer, parse it to determine any of the manifest values available in the installer, and guide you through the process to generate a valid manifest. If you provide your GitHub credentials when prompted, it will even fork the repository, create a new branch, submit a pull request, and provide you the URL to track its progress," said Nelon.

Because everything after this step was automated, it soon became apparent that Microsoft had exposed the repository to all sorts of problems. Windows enthusiasts, keen to extend the usefulness of the repository, added their favourite packages without checking whether they were already included.

In other cases, bad manifests were generated as users did not think through all the implications of creating a package, for example linking to an installer URL that would expire a few days later, or that required user input. Another issue was pull requests that overwrote existing good manifests with worse substitutes.

A concerned user opened a GitHub issue called "Moderation needed", showing the extent of the problem.

Many well-known packages were affected, such as Apple's iCloud client, Valve's Steam runtime, and the Zoom meetings installer. Although there was some crude effort at malware protection, with every upload being submitted to VirusTotal, the system was open to abuse.

"What would happen if I sent a PR that caused the Chrome package to install Firefox instead? Would any checks prohibit it from being automatically merged?" said one user.

They added that "without any ownership by either Microsoft or official app developer channels, Winget package manifests may or may not be updated in a timely manner, if at all, and without any practices or policy about architectures, release channels, deployment configurations, etc, users may be getting 32-bit versions on their 64-bit machine when 64-bit versions exist, or be stuck on very old versions, or get broken releases instead of stable ones."
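The failure modes described above (duplicate submissions, manifests with no pinned installer hash, and a pull request that silently re-points an existing package at a different installer) are exactly what a pre-merge check should catch before anything auto-merges. The following is an added example, not code from Microsoft or the winget-pkgs project; it assumes manifests represented as dicts with Id, Version, Publisher and Installers (Url, Sha256) fields, and uses a constructed catalog with hypothetical values.

```python
"""Pre-merge checks for manifest pull requests, run before any automated merge.

Constructed example: the catalog and manifests are hypothetical dicts shaped
like the installer fields of a winget-style manifest (Id, Version, Publisher,
Installers with Url/Sha256); no value here comes from the real repository.
"""
import re
from urllib.parse import urlparse

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def _hosts(manifest):
    """Set of hostnames the manifest's installers are fetched from."""
    return {urlparse(i.get("Url", "")).hostname or ""
            for i in manifest.get("Installers", [])}


def review_submission(catalog, submitted):
    """Return a list of findings; an empty list means the PR may auto-merge.

    catalog: {(Id, Version): manifest} for everything already merged.
    submitted: the manifest the PR wants to add or replace.
    """
    findings = []
    installers = submitted.get("Installers", [])
    if not installers:
        findings.append("no installers listed")
    for inst in installers:
        url, digest = inst.get("Url", ""), inst.get("Sha256", "")
        if not url.startswith("https://"):
            findings.append(f"installer URL is not https: {url}")
        # A pinned digest makes the client reject an installer swapped at the
        # URL after review, and makes an expired or changed URL fail loudly.
        if not HEX_SHA256.fullmatch(digest):
            findings.append(f"installer lacks a valid Sha256 pin: {url}")

    prior = catalog.get((submitted["Id"], submitted["Version"]))
    if prior is None:
        return findings
    if prior == submitted:
        findings.append("duplicate: identical manifest already in the catalog")
        return findings
    # Replacing a merged manifest always needs a human; changing where the
    # installer comes from is the Chrome-installs-Firefox case.
    findings.append("overwrites an existing manifest: needs human review")
    if _hosts(submitted) != _hosts(prior):
        findings.append(f"installer host changed: {sorted(_hosts(prior))} "
                        f"-> {sorted(_hosts(submitted))}")
    if submitted.get("Publisher") != prior.get("Publisher"):
        findings.append("publisher changed on an existing manifest")
    return findings


# Constructed sample catalog (hypothetical package and URL).
CATALOG = {("Example.Browser", "90.0"): {
    "Id": "Example.Browser", "Version": "90.0", "Publisher": "Example Corp",
    "Installers": [{"Arch": "x64", "Sha256": "a" * 64,
                    "Url": "https://dl.example.com/browser-90.0.exe"}]}}
```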

Shortly after, Nelon commented: "The 'automated merge' has been stopped" and promised further changes.

Yesterday, Nelon said that "Windows Package Manager team administrators will begin manually reviewing submissions to reduce the number of duplicate submissions, and manifests with sub-optimal metadata. We have also implemented moderation to help maintain the quality of the community catalog."

He listed 12 Microsoft moderators and 2 community moderators, and started a new discussion about how future moderation should be handled.

There is also a plan to have verified publishers, which Nelon said is "nearly complete."

Why before GA?

The surprising aspect of this matter is that Microsoft had apparently not considered the full reliability and security aspects of introducing an official package manager for Windows ahead of its general availability. The company puts huge resources into Windows security, and ensuring a clean, reliable and trustworthy package repository is critical.

Nelon said: "I don't believe any one individual can be an expert in all of the edge cases with installers and third party software. This is going to be a team effort. We will all learn together, and we will all likely make mistakes… our thinking and our solutions will evolve over time."

Fair enough, but this does sound like work that should have been done before rather than after the general rollout. ®

Biting the hand that feeds IT © 1998–2021