Microsoft Edit (github.com)

486 points ethanpil | 14 comments
1. ocdtrekkie No.44372923
It'd be nice if they didn't recommend winget for installation though. winget is an egregious security risk that Microsoft has just like pretended follows even minimal security practices, despite just launching four years ago with no protection from bad actors whatsoever and then never implementing any improvements since.
replies(2): >>44372958 #>>44373306 #
2. easton No.44372958
disclaimer: I used to commit to winget a lot and now I don’t.

…but is it really less secure than brew or choco? The installers are coming from reasonably trusted sources and are scanned for malware by MS, a community contributor has to approve the manifest changes, and the manifests themselves can’t contain arbitrary code outside of the linked executable. Feels about as good as you can get without requiring the ISVs themselves to maintain repos.

replies(1): >>44373015 #
3. ocdtrekkie No.44373015
The installers are coming from random people on the Internet. Most software repositories have trusted contributors and a policy of requiring a piece of software be arguably worthy of inclusion. Perhaps because Microsoft is afraid to pick winners, every piece of garbage is allowed on winget, and there's no way to restrict who can make changes to what packages.

There are ISVs that would like to lock down their software so they can maintain it but a trillion dollar company couldn't spare a dollar to figure out a "business process" to do this. As far as I know, Microsoft has a single employee involved who has laughed off any security concerns with "well the automated malware scanner would find it".

The "community contributors" were just... people active on GitHub when they launched it. Was anyone vetted in any way? No.

The Microsoft Store has actual app reviewers, winget has... "eh, lgtm".

replies(1): >>44373223 #
4. 90s_dev No.44373223
The policy of including the author's name next to the project name, along with some indication that it really is the author and not an imposter, I think that's probably the best we're ever going to get, since at that point it just comes down to community trust.
5. dale_huevo No.44373306
winget is just Windows developers' version of curl | bash. Yet another example of Microsoft copying Linux features.
replies(2): >>44373331 #>>44376065 #
6. ocdtrekkie No.44373331
Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

There is no validation when you winget whether or not the executable is from the official source or that a third party contributor didn't tamper with how it's maintained.

replies(3): >>44373345 #>>44373356 #>>44373443 #
7. dale_huevo No.44373345
If you think HTTPS is performing code validation I have news for you.

HTTPS only guarantees the packets containing the unverified malicious code are not tampered with from the server to you. A server which could very well be compromised and alternate code put in its place.

You are drawing an egregious apples-to-oranges comparison here. Please re-read what you said.

You could serve digitally signed code over plain HTTP and it would be more secure than your example over HTTPS. Unfortunately there are a lot of HTTPS old wives' tales that many misinformed developers believe in.

8. tim-- No.44373356
> in a reasonably secure fashion

It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline. https://lukespademan.com/blog/the-dangers-of-curlbash/

There is 0 validation that the script that you are piping into bash is the script that you expect. Even just validating the command by copying and pasting the URL in a browser -- or using curl and piping into more/less is not enough to protect you.

replies(2): >>44373469 #>>44373685 #
9. dgfitz No.44373443
curl | bash is absolutely on my very short list of “things I’ll never do” and I wince when I see it. rm -rf starting from / is another. I watched someone type in (as root) “rm -rf / home/user/folder” once. By the time I realized what had happened it was too late.
10. ToValueFunfetti No.44373469
The parent is talking about MITM, which is prevented with TLS and curl but not winget. They are saying curl is strictly better, not that it is impenetrable. If you trust the domain owner, you can trust curl | bash, but you can't trust winget.
replies(1): >>44373557 #
11. tim-- No.44373557
Why can't I trust winget?

It's not hard to run the `show` command to see what a winget install will do. https://learn.microsoft.com/en-us/windows/package-manager/wi...

It's easy enough to view the manifests (eg, https://github.com/microsoft/winget-pkgs/blob/2ecf2187ea0bf1...) and arguably, is better than the protection for MITM that you would get using naked cURL & Bash, simply because there are file hashes for all of the installer files provided by a third party.

> They are saying curl is strictly better, not that it is impenetrable

Right. But it arguably is not strictly better.

> You can't trust winget

Again, this is not backed up by anything. I have trust in winget. I can trust that the manifest has at least been vetted by a human, and that the application that will be installed should be the one that I requested. I cannot trust that this will happen with curl | bash. If the application that is installed is not the one that I requested, there is tooling and a process to sort out why that did not happen, and a way to flag it so that it doesn't happen to other users. I don't have this with curl | bash.

12. bee_rider No.44373685
>> Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

> It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline.

I’m confused by this; it seems to be written in the tone of a correction but you both seem to be saying that you get whatever the server sends. (?)

replies(1): >>44373807 #
13. tim-- No.44373807
> you both seem to be saying that you get whatever the server sends

Yes, but I am also saying that you can't verify that the script that is run on one machine with a pipe is the same script that runs on a second machine with a pipe.

The key part of the original statement is the server can choose to send different scripts based on different factors. A curl&bash script on machine 1 does not necessarily mean the same curl&bash script will be run on machine 2.

The tooling provided by a `curl | bash` pipeline provides no security at all.

With winget, there is at least tooling to be able to see that the same file (with the same hash) will be downloaded and installed.

There are ways to do this better, for example, check out https://hashbang.sh. It includes a GPG signature that is verified against the install script, before it is passed to curl.
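As an added example (not from the thread, and not winget's or hashbang.sh's own tooling), here is the download-then-pin-then-verify pattern that the comments above contrast with a raw `curl | bash` pipe: the script is saved to disk, its SHA-256 is checked against a hash pinned out of band (the role winget's manifest hashes play), and it only runs on a match. The script contents and the "swapped" second version are constructed locally so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Demonstrates refusing to execute a
# fetched script whose SHA-256 does not match a hash that was pinned when
# the script was reviewed; a server handing out a different script to a
# pipe than to a browser is caught the same way as a tampered download.
set -u

# Compute the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 otherwise (case-insensitive).
verify_sha256() {
  local actual
  actual=$(sha256_of "$1")
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# run_pinned_script FILE EXPECTED_HEX: execute FILE only if its hash matches.
# Returns 2 on mismatch so that a refusal is distinguishable from the script's own exit code.
run_pinned_script() {
  if verify_sha256 "$1" "$2"; then
    bash "$1"
  else
    echo "refusing to run $1: SHA-256 does not match pinned value" >&2
    return 2
  fi
}

# Constructed demo: the same "URL" first yields the reviewed script, then a swapped one.
demo() {
  local dir script expected
  dir=$(mktemp -d)
  script="$dir/install.sh"
  printf 'echo hello from the expected installer\n' > "$script"
  expected=$(sha256_of "$script")                       # hash pinned at review time
  run_pinned_script "$script" "$expected" || return 1   # matches: runs
  printf 'echo something else entirely\n' > "$script"   # content swapped after review
  run_pinned_script "$script" "$expected" && return 1   # must be refused
  rm -rf "$dir"
  return 0
}
```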

14. TiredOfLife No.44376065
Windows already has

irm <URL> | iex