Last week, Microsoft released the first stable version of its Windows 10 package manager, Winget, which allows users to manage apps through the command line.
Much like the package managers available on other platforms, Winget lets Windows users automate application management: installing, configuring, upgrading and uninstalling applications.
But over the weekend, several users flooded Winget’s software registry with pull requests for duplicate or malformed applications, raising concerns about the integrity of the Winget ecosystem.
Winget’s repository inundated with duplicate apps, malformed manifests
Microsoft first presented the preview version of its Windows 10 Package Manager during Microsoft Build 2020. Since then, Microsoft has developed Winget as an open source project on GitHub.
Last week marked a milestone with the release of the first stable version of Winget.
Microsoft’s guidelines state that independent software vendors (ISVs) who want to add their app to the Winget registry can do so by submitting the app’s manifest to Winget’s GitHub repository.
In addition, when contributors submit a manifest to Winget’s GitHub repository, the manifest is, with a few exceptions, validated automatically by the Winget bot against defined criteria.
But over the Memorial Day weekend, several pull requests appeared on Winget’s GitHub containing app names that already existed in the package manager’s registry.
Additionally, some pull requests contained incorrect application names in the manifests, or “bad” links from which the application was supposed to be downloaded.
And in a few other cases, new pull requests would overwrite the manifests of existing applications with incomplete information.
The user KaranKad initially raised this issue over the weekend, after collecting more than five dozen examples of invalid pull requests to Winget’s repository.
“People submit incorrect or duplicate manifests without checking whether or not the application already exists in this repository.”
“Create a group of active contributors who know what they are doing, with [the] ability to close a PR so they can prevent bad or duplicate PR entry,” the user suggested.
Among the many examples posted, BleepingComputer noticed that this was especially true for an application named “PrimoPDF”:
NitroPDF’s PrimoPDF application manifest files would contain the package identifier (“NitroPDFIncNitroPDFPtyLtd.PrimoPDF”) and a download URL.
In other cases, BleepingComputer observed, manifests of legitimate apps such as VideoLAN’s VLC player and Valve’s Steam had been overwritten by contributors with incomplete information:
BleepingComputer recently reported that open source ecosystems like PyPI were inundated with spam components.
In more serious cases, counterfeit components have been detected being uploaded to the npm and RubyGems repositories.
Left unchecked, these malformed, incomplete, or downright malicious packages can pave the way for everything from simple application errors to a successful supply chain attack.
Although these Winget pull requests, which introduced incomplete information into app manifests, were quickly closed [1, 2], what can be done to avoid such cases in the future?
Developers offer several solutions
In response to this incident, several developers have suggested workarounds or practices Winget could adopt to ensure the integrity of its packages.
“I really really think that brand new Package ID should be verified by someone from the Winget team (or if they want to start a proven contributor system, I would throw my hat in the ring),” suggested Easton Pillay, a Winget developer and contributor.
Pillay also believes that fully automating the addition of new Winget packages will introduce tons of duplicates.
In the same thread, the developer also proposed that the newly created Winget manifests require manual review:
“I know we try not to waste the moderator’s time, but since then [the contributors] commit bad known metadata by default …, the bot doesn’t realize it and then someone who knows the bug exists has to go back and fix all the errors (or live with the bad metadata, which is a tragedy :D),” Pillay said.
Microsoft’s Demitrius Nelon, a key figure behind Winget’s development, has acknowledged the issue and said he plans to raise it with the team.
Nelon also offered a potential solution:
“One of the options might be to require a ‘second’ approver on a ‘new’ manifest in a ‘new’ directory.”
“The bot has a concept that might work for this scenario. I just don’t want to put too much friction and delay on people submitting manifests, or too much pressure on ‘moderators’.”
“We have a feature on the backlog to detect duplicates. It’s more of a warning than a blocking action. We have ‘valid’ expected renaming scenarios,” Nelon explained.
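The checks the bot validation, the second-approver idea and the duplicate-detection feature above describe can be sketched in a few lines. The following is an added example, not Winget’s own validation code: it treats missing fields and overwrites that drop existing fields as blocking errors, treats duplicate names or installer URLs as warnings only (because renames can be legitimate), and flags any brand-new identifier for a second approver. The registry contents, the `Nitro.PrimoPDF` identifier and the example.invalid URLs are constructed sample data.

```python
import re
from dataclasses import dataclass, field

REQUIRED = ("PackageIdentifier", "PackageVersion", "PackageName", "Publisher", "Installers")

# Constructed stand-in for the registry: PackageIdentifier -> simplified manifest.
EXISTING = {
    "Nitro.PrimoPDF": {
        "PackageIdentifier": "Nitro.PrimoPDF", "PackageVersion": "5.1",
        "PackageName": "PrimoPDF", "Publisher": "Nitro Software",
        "Installers": [{"InstallerUrl": "https://example.invalid/PrimoPDF.exe",
                        "InstallerSha256": "ab" * 32}],
    },
}

@dataclass
class Verdict:
    errors: list = field(default_factory=list)    # would block the PR
    warnings: list = field(default_factory=list)  # flagged for a human reviewer
    needs_second_approver: bool = False           # brand-new identifier

def _norm(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())  # 'Primo PDF' -> 'primopdf'

def check_manifest(new, registry=EXISTING):
    v = Verdict()
    for key in REQUIRED:
        if key not in new:
            v.errors.append(f"missing required field {key}")
    for inst in new.get("Installers", []):
        if not inst.get("InstallerUrl", "").startswith("https://"):
            v.errors.append("installer URL missing or not https")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", inst.get("InstallerSha256", "")):
            v.errors.append("installer hash missing or not SHA-256")
    ident = new.get("PackageIdentifier", "")
    if ident in registry:
        dropped = sorted(set(registry[ident]) - set(new))  # update must keep fields
        if dropped:
            v.errors.append(f"overwrite would drop fields {dropped}")
    else:
        v.needs_second_approver = True
        # Duplicate heuristics are warnings only: legitimate renames do happen.
        name = _norm(new.get("PackageName", ""))
        urls = {i.get("InstallerUrl") for i in new.get("Installers", [])}
        for other_id, other in registry.items():
            if name and _norm(other["PackageName"]) == name:
                v.warnings.append(f"name matches existing package {other_id}")
            if urls & {i["InstallerUrl"] for i in other["Installers"]}:
                v.warnings.append(f"installer URL already used by {other_id}")
    return v
```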
BleepingComputer contacted Microsoft for comment ahead of the release and we are awaiting their response.