Restrict access to manifests for packages #100
Comments
Some OSS producers also wish to manage releases for manifests and installers for their software.
Why was WinGet 1.0 released/announced without completing this incredibly security-critical goal?
The technical implementation for this feature is complete. We are now working on the business process for identifying verified developers. The implementation is similar to the waivers for validation stored in a .version file. The ownership metadata will be recorded in a .package file.
## Change

Due to issues we are seeing with deploying directly from the URL, this change moves the client to download the MSIX file first, and deploy it from a local file. This is intended to be a temporary measure until we can investigate the direct deployment issue further, but it may need to become permanent depending on the result of the investigation.

## Testing

Manually validated that the change works against the production environment with source add and automatic update.
After re-reading this whole issue six times, I still fail to understand how this feature was implemented and how to use it. Could you please give a link to some docs or whatever?
We are still working on the business process for this feature. Once that has been completed, the technical implementation here will be further documented. The simple overview of the technical implementation is that we will have a file in the directory (either publisher or package) identifying the verified developer's GitHub alias. When a PR is submitted by anyone other than the verified developer, they will be informed. If the verified developer submits a PR, the validation will continue down the normal process.
I'm still deeply concerned this thing is actually on real Windows PCs that actual people use prior to this being implemented. |
Just a thought, what about scenarios like LF/CRLF line ending enforcement? We would need to ensure that the pull request pipeline fails if line endings are incorrect first, as we wouldn't be able to normalise the manifest at a later stage if we are restricted in changing the manifest for the package. |
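The two mechanisms discussed above, the per-directory ownership file that routes a PR to "notify" or "normal validation" depending on the submitter's GitHub alias, and the line-ending check that must fail the PR before any ownership-restricted normalisation question arises, can be sketched as one pipeline gate. The code below is an added illustration and is not winget-cli or winget-pkgs code. The `.package` file name is taken from the maintainer's comment; its contents (one GitHub alias per line, `#` comments), the `manifests/<letter>/<Publisher>/<Package>/<Version>/` layout, and the repository snapshot are assumptions constructed for the example.

```python
"""Hypothetical PR gate for a winget-pkgs style manifest repository.

Not project code.  Assumptions: the ownership file is named ".package" and
lists one GitHub alias per line ('#' starts a comment); manifests live under
manifests/<letter>/<Publisher>/<Package>/<Version>/.
"""
from pathlib import PurePosixPath

OWNERSHIP_FILE = ".package"  # name from the thread; the format is assumed

# Constructed snapshot of the repository's default branch: path -> bytes.
BASE_TREE = {
    "manifests/c/Contoso/.package": b"# publisher-level owners\ncontoso-release\n",
    "manifests/c/Contoso/Widget/1.0.0/Contoso.Widget.yaml": b"PackageIdentifier: Contoso.Widget\n",
    "manifests/f/Fabrikam/Tool/.package": b"fabrikam-bot\nFabrikam-Dev\n",
    "manifests/f/Fabrikam/Tool/2.1.0/Fabrikam.Tool.yaml": b"PackageIdentifier: Fabrikam.Tool\n",
}


def parse_owners(data):
    """Assumed .package format: one alias per line, blank lines and '#'
    comments ignored.  Lowercased because GitHub logins are case-insensitive."""
    owners = set()
    for line in data.decode("utf-8").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            owners.add(line.lower())
    return owners


def find_owners(tree, manifest_path):
    """Walk from the manifest's directory toward the repo root and return
    (directory, owner set) of the nearest ownership file, so a package-level
    .package overrides a publisher-level one.  (None, set()) if none exists."""
    for parent in PurePosixPath(manifest_path).parents:
        data = tree.get(str(parent / OWNERSHIP_FILE))
        if data is not None:
            return str(parent), parse_owners(data)
    return None, set()


def check_file(tree, author, path, new_bytes):
    """Verdict for one changed file:
    'fail'     - CRLF line endings; must be fixed by the submitter, since the
                 pipeline cannot rewrite a restricted manifest later
    'notify'   - package has owners and the author is not one of them
    'validate' - author is a verified developer, or no ownership is recorded
    """
    if b"\r\n" in new_bytes:
        return "fail", "CRLF line endings"
    # Ownership is resolved against the base tree only, so a PR cannot grant
    # itself access by adding or editing a .package file in the same change.
    owner_dir, owners = find_owners(tree, path)
    if not owners:
        return "validate", "no ownership file on path"
    if author.lower() in owners:
        return "validate", f"verified developer via {owner_dir}"
    return "notify", f"owners {sorted(owners)} via {owner_dir}"


def gate_pull_request(tree, author, changed_files):
    """Run check_file over every changed path and fold the results into one
    PR-level verdict: any 'fail' fails the PR, otherwise any 'notify' routes
    the PR to the verified developer, otherwise normal validation proceeds."""
    per_file = {p: check_file(tree, author, p, b) for p, b in changed_files.items()}
    verdicts = {v for v, _ in per_file.values()}
    overall = "fail" if "fail" in verdicts else "notify" if "notify" in verdicts else "validate"
    return overall, per_file


if __name__ == "__main__":
    pr = {"manifests/c/Contoso/Widget/1.0.1/Contoso.Widget.yaml": b"PackageIdentifier: Contoso.Widget\n"}
    print(gate_pull_request(BASE_TREE, "contoso-release", pr))
    print(gate_pull_request(BASE_TREE, "random-contributor", pr))
```

Two design points matter more than the file format: ownership is looked up in the base branch rather than in the PR's own tree, so a submission that adds or rewrites a `.package` file under an owned publisher is still routed to the existing owners, and the line-ending check runs first, so the ownership gate never has to decide whether a bot may touch a restricted manifest to fix CRLFs.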
Some software vendors will want to manage releases for manifests of their software.