Microsoft missed a predictable flaw in its Windows Package Manager repo


What do you want to know

  • Microsoft has stopped the automated merging of submissions to the Windows Package Manager repository.
  • The Windows Package Manager repository contains manifest files for Windows Package Manager.
  • Microsoft will now manually review submissions to reduce duplicates and submissions with issues.

After a year in preview, Microsoft released the Windows Package Manager in Build 2021. The tool allows users to easily manage and install programs and packages, much like many do on Linux. Unfortunately, Microsoft has encountered an issue with its automated submission acceptance process at Windows Package Manager Repositorywhich contains the Windows Package Manager manifest files.

Microsoft has simplified the process of submitting items to the repository with the preview version of Windows Package Manager Manifest Creator. The tool allows users to provide a URL for a package installer. Microsoft’s Demetrius explains the tool in a devblog post (opens in a new tab):

Once the tool is installed, run wingetcreate new and provide the URL to the installer. Then the tool will download the installer, parse it to determine one of the manifest values ​​available in the installer, and walk you through the process to generate a valid manifest.

It seems that this tool has made it a bit too easy to submit packages. Because it was automated, multiple packages were submitted with issues. People submitted duplicate packages, created packages with installers with expiration dates, and used installers that required user intervention. As a result, the packages available from the repository were negatively affected.

As pointed out The registerApple’s iCloud client package, Valve’s Steam runtime, and Zoom meeting installer were all affected by poor submissions.

People reported the issues on GitHub, including user “KaranKad” who underline that people were submitting erroneous or duplicate manifestos. KaranKad also broke down the problem in more detail and suggested solutions in another post.

Microsoft must have seen the negative effects of the process, because it stopped automatic mergingaccording to Microsoft’s “Denelon”.

“Admins on the Windows Package Manager team will begin manually reviewing submissions to reduce duplicate submissions and manifests with sub-optimal metadata,” Denelon says on GitHub.

It’s a bit strange that Microsoft didn’t foresee this problem. Having an automated process that didn’t check for these types of errors was likely to cause problems, but the team behind Windows Package Manager seems to be on top of it now.


Comments are closed.