Is a temporary redirect to, so your concerns about "but it could be changed at any point by whoever controls the bucket" shouldn't be a huge issue here, as the only people that have control over that bucket right now are the CodeSector developers, and no one else is allowed. If a malicious person took over the bucket, the hash would likely change, and then no one can install it until the hash is fixed in the package, where it has to go through automatic and manual validation again, as well as automated and manual virus checks, and then the database will be updated with the new changes.

If the publisher no longer uses it and moves to hosting their downloads on Google or Amazon, then that will definitely be an issue, because the URLs won't work anymore and there's nothing for the website to redirect to. You'll simply just get 404 Not Found or 403 Forbidden. Though, all URLs in this repository are being scanned regularly by various scripts, and if a particular URL doesn't work or the SHA256 hash does not match, we can easily fix it by looking for a new download link from the official website or official release distribution.

You're right that the redirect for the download URL shouldn't have been changed, since WinGet can handle redirects by itself, but I did this purely to reduce the number of 301 URLs (as well as the majority of the 302 URLs), where some 301 URLs were incorrectly flagged as 200 by cURL or Wget but were actually 404 - i.e.

Same with 7-Zip: the developers moved their downloads from the official website to GitHub. Recently, they deleted the GitHub account and moved their installers back to the official website. The SHA256 of those installers never changed; I'm guessing the developers did this to reduce the amount of overhead or bandwidth on 7-Zip's servers, and to allow other people to download it faster from GitHub's CDN.

Also, not every single package in this repository uses official links. IrfanView is one of them, because it doesn't allow hotlinking downloads, so we have to use download links from BetaNews or somewhere else.

A common comment I have seen a few months ago from someone here said something along these lines: "Please don't use i.e. TechSpot because this website has adware and may have tampered with the software." But we have no choice other than to use URLs from various mirrors, due to hotlinking. We also check the hashes to make sure they match the official sources.

If this worries you, keep an eye on when the Microsoft Store source becomes the default source for WinGet (instead of the community repository, which you'll have to manually opt in to use in the future); that way you'll know what you're downloading.

I don't see where security risks would be an issue here, because every installer goes through Dynamic Analysis (Virus Scan) in the Pipelines' VMs, and if there's a PUA or malware in the installer, it's immediately flagged by the pipelines. The PR is also manually validated by Moderators, in either VMs or Bare Metal, so installers are always double-checked to make sure they aren't a malicious package intended to steal people's passwords or monitor what they're typing on their keyboard.

Even if the pipelines cannot catch the malware issue, depending on the antivirus software someone has, all installers from WinGet are downloaded to %TEMP%\WinGet, except for .msix(bundle), where your antivirus software will probably scan it before it's executed to install it onto your PC.

Thanks for the detailed response! I'm still new to winget and didn't realize that there was going to be a logical separation between the MS Store and community repos, and that the MS Store would be the default with community being opt-in. That alleviates most of my concerns for layman users. I would still love to see an indication/warning that the installer source has changed if you're upgrading an already-installed package (at minimum when there's a domain change), and show the URL of the new installer.
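The two checks the thread keeps coming back to are the manifest hash (what protects a user if a mirror or storage bucket is hijacked) and the wish for an upgrade-time warning when the installer host changes. As an added example, not code from winget or from anyone in this thread, here is a client-side check that does both against winget-style manifests. The package name, hostnames, manifest snippets and installer bytes are constructed stand-ins; the parser is line-based only to avoid a YAML dependency, and `final_url` is the one network-touching helper, used to compare the host the bytes really came from after any 301/302 rather than the manifest URL.

```python
"""Installer-source drift and SHA-256 check for winget-style manifests.

Added example, not winget's own code. Models two points from the thread:
the manifest hash is what stops a hijacked bucket from installing, and a
user wants a warning when an upgrade pulls from a different host than the
installed version did. All manifests, hosts and bytes are constructed.
"""
import hashlib
import hmac
import re
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed minimal installer manifests (assumed package, not a real one).
OLD_MANIFEST = """\
PackageIdentifier: Example.Tool
PackageVersion: 1.0.0
Installers:
  - Architecture: x64
    InstallerUrl: https://downloads.example-vendor.test/tool/1.0.0/tool-setup.exe
    InstallerSha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""
NEW_MANIFEST = """\
PackageIdentifier: Example.Tool
PackageVersion: 1.1.0
Installers:
  - Architecture: x64
    InstallerUrl: https://cdn.example-mirror.test/tool/1.1.0/tool-setup.exe
    InstallerSha256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""
# Constructed stand-ins for installer bytes; their SHA-256 values are the ones above.
OLD_INSTALLER_BYTES = b"test"
NEW_INSTALLER_BYTES = b"abc"


def parse_installers(manifest_text):
    """Return [{'url': ..., 'sha256': ...}, ...] from an installer manifest.

    Line-based on purpose (no PyYAML); assumes InstallerUrl precedes its
    InstallerSha256, which is how winget manifests are written.
    """
    installers, current = [], None
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-?\s*(InstallerUrl|InstallerSha256):\s*(\S+)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "InstallerUrl":
            current = {"url": value}
            installers.append(current)
        elif current is not None:
            current["sha256"] = value.lower()
    return installers


def sha256_matches(data, expected_hex):
    """Compare the downloaded bytes' SHA-256 with the manifest value (constant time)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def source_changed(old_url, new_url):
    """True when the host differs; subdomain moves flag too, and the user decides."""
    return host_of(old_url) != host_of(new_url)


def final_url(url, timeout=10):
    """Network helper: follow redirects and return the URL the bytes came from."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.geturl()


def upgrade_check(old_manifest, new_manifest, downloaded, downloaded_from=None):
    """Report on upgrading from old_manifest to new_manifest.

    downloaded: candidate installer bytes; downloaded_from: final URL after
    redirects if known (see final_url), else the manifest URL is used.
    """
    old = parse_installers(old_manifest)[0]
    new = parse_installers(new_manifest)[0]
    fetched_url = downloaded_from or new["url"]
    report = {
        "old_url": old["url"],
        "new_url": fetched_url,
        "hash_ok": sha256_matches(downloaded, new["sha256"]),
        "source_changed": source_changed(old["url"], fetched_url),
        "warnings": [],
    }
    if report["source_changed"]:
        report["warnings"].append(
            f"installer host changed: {host_of(old['url'])} -> {host_of(fetched_url)} ({fetched_url})"
        )
    if not report["hash_ok"]:
        report["warnings"].append("SHA256 mismatch against manifest: refusing to install")
    return report


if __name__ == "__main__":
    for label, data in (("good", NEW_INSTALLER_BYTES), ("tampered", NEW_INSTALLER_BYTES + b"\x00")):
        r = upgrade_check(OLD_MANIFEST, NEW_MANIFEST, data)
        print(label, "hash_ok=%s source_changed=%s" % (r["hash_ok"], r["source_changed"]))
        for w in r["warnings"]:
            print("  WARNING:", w)
```

A hash mismatch is a hard stop, exactly as the thread describes: a hijacked bucket serves different bytes, the manifest hash no longer matches, and nothing installs until a new hash goes back through validation. A host change on its own is only a warning, because the 7-Zip and IrfanView cases show legitimate moves happen; what the warning buys the user is the new URL in front of them before they agree.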