←back to thread

Microsoft Edit

(github.com)
486 points ethanpil | 2 comments | 25 Jun 25 00:07 UTC | HN request time: 0.649s | source
Show context
ocdtrekkie ◴[25 Jun 25 01:38 UTC] No.44372923[source]
It'd be nice if they didn't recommend winget for installation though. winget is an egregious security risk that Microsoft has just like pretended follows even minimal security practices, despite just launching four years ago with no protection from bad actors whatsoever and then never implementing any improvements since.
replies(2): >>44372958 #>>44373306 #
easton ◴[25 Jun 25 01:45 UTC] No.44372958[source]
disclaimer: I used to commit to winget a lot and now I don’t.

…but is it really less secure than brew or choco? The installers are coming from reasonably trusted sources and are scanned for malware by MS, a community contributor has to approve the manifest changes, and the manifests themselves can’t contain arbitrary code outside of the linked executable. Feels about as good as you can get without requiring the ISVs themselves to maintain repos.

replies(1): >>44373015 #
1. ocdtrekkie ◴[25 Jun 25 01:58 UTC] No.44373015[source]
The installers are coming from random people on the Internet. Most software repositories have trusted contributors and a policy of requiring a piece of software be arguably worthy of inclusion. Perhaps because Microsoft is afraid to pick winners, every piece of garbage is allowed on winget, and there's no way to restrict who can make changes to what packages.

There are ISVs that would like to lock down their software so they can maintain it but a trillion dollar company couldn't spare a dollar to figure out a "business process" to do this. As far as I know, Microsoft has a single employee involved who has laughed off any security concerns with "well the automated malware scanner would find it".

The "community contributors" were just... people active on GitHub when they launched it. Was anyone vetted in any way? No.

The Microsoft Store has actual app reviewers, winget has... "eh, lgtm".

replies(1): >>44373223 #
2. 90s_dev ◴[25 Jun 25 02:46 UTC] No.44373223[source]
The policy of including the author's name next to the project name, along with some indication that it really is the author and not an imposter, I think that's probably the best we're ever going to get, since at that point it just comes down to community trust.