3

I recently learned about the amazing (in theory) command "winget", built into Windows 10.

But something about it worries me: a lot of software has all kinds of user-hostile defaults selected in the installer, everything from "enable telemetry" to "install this extra, unwanted malware as well". Whenever I install any software manually, I take great care to disable all of that. But what does winget do?

Well, I didn't dare to "upgrade all" to try it out, so I picked a random, little-used and sane program to try it out with: Krita.

I had previously installed Krita manually on the machine. Now I used winget upgrade KDE.Krita to upgrade Krita.

It worked (but only after I had manually closed Krita and accepted a "UAC" dialog box, which makes me question how automated this can be), but it did put a Krita shortcut on my desktop, which is a checkbox in the installer which is checked by default but which I would never have left checked if it were me doing it.

So this already pretty much tells me that winget trusts the maker of the program to use whatever they want you to use.

Sadly, since this appears to be true, winget is useless to me. Way too many programs are way too eager to re-enable user-hostile options when you update (which almost always runs the whole installer again).

Still, winget would be so nice for me to be able to use, so I'm still asking here to see if you can tell me some way around this security and privacy issue.

Capone

3 Answers

3

First of all, you misunderstand what winget is. It's a package manager that wants to be similar to package managers from Linux. Thus it can install packages from many sources. Of course, if your choice of a source is not trusted, then winget can't do much about the security of your device. But let's assume we're talking about official sources.

Secondly, your experiment told you nothing about whether the software fully trusts the installers. For that you need to understand the process of what's accepted as a package. The official sources mentioned have some validation processes. The Microsoft community one has a bunch of policies listed. One of them links to an unwanted software description that basically covers the cases you described.

You must be notified about what is happening on your device, including what software does and whether it's active.

Software that exhibits lack of choice might:

(...)

  • Install, reinstall, or remove software without your permission, interaction, or consent.

  • Install other software without a clear indication of its relationship to the primary software.

Do moderators check all of them accurately? I don't think anyone can answer, but keep in mind there's always room for human errors. Just like there is when you can miss a random half-hidden checkbox.

You can also always use the --override or --interactive switches to pass different options to the installer in case that's needed.

Destroy666
0

For the question of Is Winget repo secure, a Microsoft employee answered this:

The Windows Package Manager Community App Repository performs multiple automated scans of the packages submitted including dynamic analysis. After that has been successful, a moderator will also review the metadata before the package is added. It is primarily community maintained, so the updates for new versions of software depend on the community or the publisher to keep them current. We have provided tooling to help publishers automate the process using https://github.com/microsoft/winget-create

It seems like submissions are scanned and the results are viewed by a moderator. You either trust the process or not, but it seems that winget doesn't trust anything that does not go through the process.

I remark that when you download and install a package from some website, it is only scanned by your local antivirus, and you don't get to see any results or metadata. Winget is in that respect somewhat safer.

harrymc
0

Winget can install from the MS store, but it also has its own repository.

I can't tell if it will carry on for updating, but the winget install and upgrade commands have a few options that are of interest:

  -i,--interactive                     Request interactive installation; user input may be needed

So you can tweak the options during initial install or

    --override                           Override arguments to be passed on to the installer

This would need the installer for the app to have the arguments you need.

You can update the applications with specific choices separately, then use winget to update the rest en masse. It's a bit messy, but it's the best option there is.

You can look up the options with winget install -? and winget update -?

Journeyman Geek
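The "handle the picky packages first, then upgrade the rest" procedure from this answer, written out as an added PowerShell example (not the answerer's code). Every package id other than KDE.Krita, and every installer switch, is a placeholder: the real switches come from each vendor's installer documentation, not from winget.

```powershell
# Added example, not from the answers above. Ids other than KDE.Krita and all
# installer switches are placeholders; look up the real switches for each
# vendor installer before putting them in --override.
$Policy = @(
    # Installer UI is shown so default-checked boxes can be reviewed by hand.
    @{ Id = 'KDE.Krita';          Mode = 'Interactive' },
    # Switches handed verbatim to the vendor installer instead of winget's own.
    @{ Id = 'Example.Vendor.App'; Mode = 'Override'; Args = '/S /NoDesktopShortcut' }
)

function Get-WingetUpgradeArgs {
    # Builds the argument list for one package so the exact command can be
    # logged and reviewed before it runs. --exact avoids fuzzy id matching.
    param([hashtable]$Entry)
    $wgArgs = @('upgrade', '--id', $Entry.Id, '--exact')
    switch ($Entry.Mode) {
        'Interactive' { $wgArgs += '--interactive' }
        'Override'    { $wgArgs += @('--override', $Entry.Args) }
        default       { throw "Unknown mode '$($Entry.Mode)' for $($Entry.Id)" }
    }
    return $wgArgs
}

function Invoke-PolicyUpgrade {
    param([array]$Policy, [switch]$WhatIf)
    $log = Join-Path $env:TEMP 'winget-policy-upgrade.log'   # audit trail
    foreach ($entry in $Policy) {
        $wgArgs = Get-WingetUpgradeArgs $entry
        $line = 'winget ' + ($wgArgs -join ' ')
        Add-Content -Path $log -Value "$(Get-Date -Format o) $line"
        if ($WhatIf) { Write-Host "would run: $line"; continue }
        & winget @wgArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($entry.Id) exited with $LASTEXITCODE; not running upgrade --all"
            return
        }
    }
    # Everything handled above is now current, so the blanket upgrade only
    # touches packages whose installer defaults you are willing to accept.
    if (-not $WhatIf) { & winget upgrade --all }
}

# Dry run first: prints and logs each command without touching any package.
Invoke-PolicyUpgrade -Policy $Policy -WhatIf
```

Drop -WhatIf once the logged command lines look right; the log file then records exactly which switches each installer was given.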