Last week Microsoft released the first stable version of Winget, its built-in package manager for Windows. The tool allows automating app management by installing them from a centralized repo in bulk, updating them all at once, and uninstalling them with a single command. The repo is open for public and maintained by enthusiasts, so this caused malformed app packages to appear.
If you are not familiar with Winget, it is an automation tool that helps you speed up installing software on a computer. All you need to do is tell the system what software you want. Next, Winget finds the latest version (or the one specific release you need) and installs it silently in the background. Besides installing apps, you can use Winget to find information about packages, manage sources, upgrade apps, uninstall apps, etc.
You can download Winget from the project's repository on GitHub. Microsoft also plans to integrate Winget into all supported versions on Windows 10. You can also join the Windows Package Manager Insider Program if you’d like automatic updates from the store, and you want to run it on your version of Windows 10.
The Winget repo is now filled with duplicate apps, malformed manifests
Microsoft's guidelines state that independent software vendors (ISVs) looking to upload their application to the Winget registry, can do so by submitting the application's manifest on their GitHub. The manifest approval is an automated process. The uploaded manifests are automatically validated against a set of predefined criteria.
After the public availability of Winget 1.0, people started to submit to GitHub plenty of apps to be included in Winget's repo, including the apps that were already available there.
Moreover, some pull requests contained incorrect application names in the manifests or "bad" links from where the application should get fetched. In a number of cases, new submissions would overwrite existing applications' manifests, with incomplete info.
BleepingComputer provides examples of such manifests. The manifest files for the NitroPDF's PrimoPDF app reportedly contains malformed PackageIdentifier ("NitroPDFIncNitroPDFPtyLtd.PrimoPDF") and download URL.
Another good example of how serious the issue is the properly composed manifest file which was overwritten by contributors, but with incomplete info.
The good thing that malformed manifests were quickly reverted, but there should be a mechanism to prevent such incidents in the future.
The community suggests to have a team of moderators to check the manifest files before they get approved and become available to everyone.
Microsoft's Demitrius Nelon, a key person behind Winget's development has acknowledged the issue and that he plans to bring it up with the team. He comes with his own solution:
"One of the options could be requiring a 'second' approver on a 'new' manifest in a 'new' directory."
He also mentioned that the team is considering making a duplicate check system for manifests. Nelon pointed out that their intention is to avoid too much friction and time delay for people submitting manifests.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!