
I recently learned about the amazing (in theory) command "winget", built into Windows 10.

But something about it worries me: a lot of software has all kinds of user-hostile defaults selected in the installer, everything from "enable telemetry" to "install this extra, unwanted malware as well". Whenever I install any software manually, I take great care to disable all of that. But what does winget do?

Well, I didn't dare to "upgrade all" to try it out, so I picked a random, little-used and sane program to try it out with: Krita.

I had previously installed Krita manually on the machine. Now I used `winget upgrade KDE.Krita` to upgrade Krita.

It worked (but only after I had manually closed Krita and accepted a "UAC" dialog box, which makes me question how automated this can be), but it did put a Krita shortcut on my desktop, which is a checkbox in the installer which is checked by default but which I would never have left checked if it were me doing it.

So this already pretty much tells me that winget trusts the maker of the program to use whatever they want you to use.

Sadly, since this appears to be true, winget is useless to me. Way too much software is way too eager to re-enable user-hostile options when you update (which almost always runs the whole installer again).

Still, winget would be so nice for me to be able to use, so I'm still asking here to see if you can tell me some way around this security and privacy issue.

Capone
  • I'm sorry if I am wrong, but I always believed winget installs apps from Microsoft Store. And if so, it is exactly like installing app from the store: it wouldn't ask you anything either. – markalex Mar 15 '23 at 13:38
  • @markalex No. It uses a "manifest file" made by each author, apparently. – Capone Mar 15 '23 at 13:39
  • I believe MS Store installations use manifests too because apps are installed without any questions. This is the case for all application stores: winget, choco, google play, appstore; you have to trust these stores. – markalex Mar 15 '23 at 13:52

3 Answers


First of all, you misunderstand what winget is. It's a package manager that wants to be similar to package managers from Linux. Thus it can install packages from many sources. Of course, if your choice of a source is not trusted, then winget can't do much about the security of your device. But let's assume we're talking about official sources.

Secondly, your experiment told you nothing about whether the software fully trusts the installers. For that you need to understand the process of what's accepted as a package. The official sources mentioned have some validation processes. The Microsoft community one has a bunch of policies listed. One of them links to the unwanted software description that basically covers the cases you described.

You must be notified about what is happening on your device, including what software does and whether it's active.

Software that exhibits lack of choice might:

(...)

  • Install, reinstall, or remove software without your permission, interaction, or consent.

  • Install other software without a clear indication of its relationship to the primary software.

Do moderators check all of them accurately? I don't think anyone can answer, but keep in mind there's always room for human error, just as there is when you miss a random half-hidden checkbox.

You can also always use the `--override` or `--interactive` switches to pass different options to the installer in case that's needed.

Destroy666
  • Well, Debian and other Linux package managers 'do' have a standard packaging format. It'll do things like tell you the default config has changed and ask if you want to keep yours. winget is.... well, it downloads, verifies and runs whatever installer, be it msi or various exe based ones. – Journeyman Geek Mar 15 '23 at 15:08

For the question of "Is Winget repo secure", a Microsoft employee answered this:

The Windows Package Manager Community App Repository performs multiple automated scans of the packages submitted including dynamic analysis. After that has been successful, a moderator will also review the metadata before the package is added. It is primarily community maintained, so the updates for new versions of software depend on the community or the publisher to keep them current. We have provided tooling to help publishers automate the process using https://github.com/microsoft/winget-create

It seems like submissions are scanned and the results are viewed by a moderator. You either trust the process or not, but it seems that winget doesn't trust anything that does not go through the process.

I remark that when you download and install a package from some website, it is only scanned by your local antivirus, and you don't get to see any results or metadata. Winget is in that respect somewhat safer.

harrymc
  • Well... Unintended malware is quite different from checkboxes which the author of the program wants because it benefits them, but the user does not want because it violates their privacy. I'm not just talking about malware. – Capone Mar 15 '23 at 14:39
  • I understand, but winget does an almost-automatic installation. If you want more control over the installation parameters and version, you need to install interactively. This is actually the reason I'm not using it. As I said, it all depends on your intentions. For a quick installation, use winget. For more control, do it yourself. Your decision. – harrymc Mar 15 '23 at 14:46

Winget can install from the MS store, but it also has its own repository.

I can't tell if it will carry on for updating, but the winget install and upgrade commands have a few arguments that are of interest:

  -i,--interactive                     Request interactive installation; user input may be needed

So you can tweak the options during initial install or

    --override                           Override arguments to be passed on to the installer

which would need the installer for the app to have the arguments you need.

You can update the applications with specific choices separately, then use winget to update the rest en masse. It's a bit messy, but it's the best option there is.

You can look up the options with `winget install -?` and `winget update -?`.

Journeyman Geek
  • Well, I tried `-i`, but not only is it interactive (of course, but thus defeating the point of this tool), but it actually just shows you the GUI elements from the installer. I assumed it was going to be in text. As for `--override`, I'm neither sure what you mean by it or what it's meant for. – Capone Mar 15 '23 at 16:08
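As an added example (not code from the question, from any of the answers, or from the winget project), the PowerShell script below combines the two approaches suggested in this answer and in Destroy666's answer: packages whose installers need hand-picked switches are upgraded one at a time with `--override`, and everything else is then upgraded with `winget upgrade --all`. Because `--override` replaces every argument winget would otherwise pass to the installer, the installer's own silent switch has to be part of the override string, otherwise the installer GUI appears. After each step the script snapshots the places where installers commonly drop unrequested items (desktop shortcuts and the per-user and machine Run keys) and reports anything new, which is how you would catch the kind of default the question describes. The package ID is the one from the question; the switch strings are placeholders to be looked up per installer, and the audited locations are my assumption of where to look, not a complete list.

```powershell
# Added example, not from the question, the answers, or the winget project.
# Upgrades packages that need custom installer switches one by one via --override,
# audits what each installer left behind, then upgrades everything else with
# "winget upgrade --all". Run from an elevated prompt if the installers need UAC.

$ErrorActionPreference = 'Stop'

# winget package IDs -> installer switches. The switch strings are PLACEHOLDERS:
# look them up for each installer before use. --override REPLACES every argument
# winget would pass, so the installer's own silent switch must be included here.
$OverrideArgs = @{
    'KDE.Krita' = '<SILENT-SWITCH> <NO-DESKTOP-SHORTCUT-SWITCH>'   # placeholder (assumed)
}

function Get-InstallerFootprint {
    # Snapshot of places where installers commonly drop unrequested items:
    # desktop shortcuts (per-user and all-users) and auto-start Run entries.
    $items = @()
    foreach ($d in @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop")) {
        if (Test-Path $d) {
            $items += @(Get-ChildItem -Path $d -Filter '*.lnk' | ForEach-Object { $_.FullName })
        }
    }
    foreach ($k in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')) {
        if (Test-Path $k) {
            $props = (Get-ItemProperty -Path $k).PSObject.Properties |
                     Where-Object { $_.Name -notlike 'PS*' }
            $items += @($props | ForEach-Object { "$k\$($_.Name) = $($_.Value)" })
        }
    }
    return ,$items   # unary comma keeps an empty array from collapsing to $null
}

function Get-NewItems([string[]]$Before, [string[]]$After) {
    # Everything present after the upgrade that was not there before.
    return @($After | Where-Object { $Before -notcontains $_ })
}

function Invoke-AuditedUpgrade([string]$Id, [string]$Override) {
    $before = Get-InstallerFootprint
    $wingetArgs = @('upgrade', '--id', $Id, '--exact',
                    '--accept-package-agreements', '--accept-source-agreements')
    if ($Override) { $wingetArgs += @('--override', $Override) }
    & winget @wingetArgs
    if ($LASTEXITCODE -ne 0) { throw "winget exited with code $LASTEXITCODE for $Id" }
    $added = Get-NewItems -Before $before -After (Get-InstallerFootprint)
    if ($added.Count -gt 0) {
        Write-Warning "$Id installer added unrequested items:`n  $($added -join "`n  ")"
    }
    return ,$added
}

# 1. Packages with hand-picked installer switches, each audited individually.
foreach ($id in $OverrideArgs.Keys) {
    Invoke-AuditedUpgrade -Id $id -Override $OverrideArgs[$id] | Out-Null
}

# 2. Everything else with winget's default (silent) arguments, audited the same way.
# Packages already brought current in step 1 are skipped by winget.
$before = Get-InstallerFootprint
& winget upgrade --all --accept-package-agreements --accept-source-agreements
$added = Get-NewItems -Before $before -After (Get-InstallerFootprint)
if ($added.Count -gt 0) {
    Write-Warning "Bulk upgrade added unrequested items:`n  $($added -join "`n  ")"
}
```

The audit only compares two snapshots, so it catches additions (a new shortcut, a new Run entry) but not settings an installer flips inside its own configuration, such as a telemetry toggle; those still need to be checked in the program itself or, where the installer documents them, disabled through the override string.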