Include Winget instructions to Update 02 installation.md #521
Include the Windows Package Manager instruction to install K6
@Alexandre-Nourissier, thanks for your contribution and support. There is an issue discussing how to document unofficial packages #52. Given other possible implications, it is better if the k6 core team reviews and decides how to provide unofficial installation instructions. cc @na--
This would be ideal. I do notice that this wasn't a priority for the k6 team as the issue was abandoned 15 months ago. Bear in mind that malicious or benevolent 3rd parties will not wait for your team to act. Even if k6 doesn't publicly communicate about a package or doesn't consider itself the owner of this package, if a convenient way to install k6 is available through a distribution channel, people will want to use it. Sometimes, just like for Winget, it's easy to track down the actual source of the package, but sometimes, it's also pretty hard to have the package's exclusive ownership. In any case, thank you and your team for this great tool!
There seems to be an official and up-to-date winget package: https://github.com/microsoft/winget-pkgs/blob/master/manifests/k/k6/k6/0.35.0/k6.k6.installer.yaml Even though we don't maintain that, it will be fine to include that in our docs, since it's an "official" package in the main winget repo. It has some controls and review on how it's updated, similarly to the homebrew package. The weird thing though is that the latest version shown in https://winget.run/pkg/k6/k6 is k6 v0.31.1 😕
I wasn't aware of this website but I assume that the data aggregation routine is offline. I assume that people just use the CLI search feature, or check the GitHub repository directly. But my opinion doesn't matter, it's up to the team to have the ownership. That said, if I had to advocate against the WinGet distribution channel, I would say that it can be hard to retain exclusive ownership of the package. At least at some point in history, (don't know if this is still the case) anyone could push a new update that would target a non-approved executable. There is protection against the targeted executable being replaced (hash), but a new version doesn't have to be hosted on the same domain as the previous one.
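The distinction raised in the comment above, as an added example that is not part of the original thread or of the k6 or winget code: the pinned `InstallerSha256` detects a swapped file at a given URL, while only a separate host check notices a new version that points at a different domain. The manifests, hosts and payloads are constructed placeholders, `make_manifest`, `installers` and `review` are hypothetical helper names, and the parser assumes unquoted single-line values.

```python
import hashlib
import re
from urllib.parse import urlparse

def make_manifest(version, url, payload):
    """Build a constructed installer manifest; the hash is computed from payload."""
    digest = hashlib.sha256(payload).hexdigest().upper()
    return ("PackageIdentifier: example.tool\n"
            f"PackageVersion: {version}\n"
            "Installers:\n"
            "- Architecture: x64\n"
            f"  InstallerUrl: {url}\n"
            f"  InstallerSha256: {digest}\n"
            "ManifestType: installer\n")

def installers(manifest):
    """Return (InstallerUrl, InstallerSha256) pairs, in document order."""
    urls = re.findall(r"^[ \t]*(?:-[ \t]*)?InstallerUrl:[ \t]*(\S+)", manifest, re.M)
    pins = re.findall(r"^[ \t]*(?:-[ \t]*)?InstallerSha256:[ \t]*([0-9A-Fa-f]{64})", manifest, re.M)
    return list(zip(urls, pins))

def review(old_manifest, new_manifest, downloaded, trusted_hosts):
    """List findings for a new version; downloaded maps URL -> fetched bytes."""
    findings = []
    old_hosts = {urlparse(u).hostname for u, _ in installers(old_manifest)}
    for url, pinned in installers(new_manifest):
        host = urlparse(url).hostname
        if urlparse(url).scheme != "https":
            findings.append("non-https installer url")
        if host not in trusted_hosts:
            findings.append(f"host not in allowlist: {host}")
        if host not in old_hosts:
            findings.append(f"host differs from previous version: {host}")
        if hashlib.sha256(downloaded[url]).hexdigest() != pinned.lower():
            findings.append("sha256 mismatch")
    return findings

# Constructed sample data: placeholder hosts and payloads, not real k6 manifests.
PAYLOAD = b"constructed installer bytes"
OLD_URL = "https://downloads.example.org/tool-1.0.0.msi"
SAME_URL = "https://downloads.example.org/tool-1.1.0.msi"
MOVED_URL = "https://files.example.net/tool-1.1.0.msi"
OLD = make_manifest("1.0.0", OLD_URL, PAYLOAD)
NEW_SAME_HOST = make_manifest("1.1.0", SAME_URL, PAYLOAD)
NEW_MOVED_HOST = make_manifest("1.1.0", MOVED_URL, PAYLOAD)
TRUSTED = {"downloads.example.org"}

if __name__ == "__main__":
    print(review(OLD, NEW_MOVED_HOST, {MOVED_URL: PAYLOAD}, TRUSTED))
```

For the moved-host manifest the hash check passes, because the manifest author supplies both the URL and the hash; the only findings come from the host comparison.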
> I wasn't aware of this website but I assume that the data aggregation routine is offline.
Yeah, that's probably likely...
> That said, if I had to advocate against the WinGet distribution channel, I would say that it can be hard to retain exclusive ownership of the package. At least at some point in history, (don't know if this is still the case) anyone could push a new update that would target a non-approved executable. There is protection against the targeted executable being replaced (hash), but a new version doesn't have to be hosted on the same domain as the previous one.
That's fair, but again, we don't want to have an "exclusive ownership of the package". We don't have that for the homebrew k6 package and we still recommend it in the docs. And if some linux distro starts having an official k6 package tomorrow, we'll mention that as well...
We simply want these package managers to have some review process in place, so it's fairly difficult for someone to maliciously replace the k6 package with their own custom build. From what I can see, the official microsoft/winget-pkgs repo has this: https://github.com/microsoft/winget-pkgs/pulls?q=is%3Apr+is%3Aclosed
So, if you replace the vedantmgoyal2009 repo with the official one and reword the sentence (it's not "unofficial"), I'd be fine with merging this PR.
Also changed the wording to clarify the stance of the team on the official quality of the packages.
@na-- Good catch! Well, that was dangerous... Thanks for keeping up with my shenanigans 🥇. I made the change to include the missing information.
Thanks!
Thanks, @Alexandre-Nourissier.
Include the Windows Package Manager instruction to install K6.
This helps clarify which package to install, as a search with "k6" returns multiple results, and could possibly lead to confusion in the future.