Microsoft is tightening Windows Package Manager (winget) submission rules
Microsoft released the final version of Windows Package Manager just recently. The open source program introduces package management on Windows devices. It can be used to install, update or uninstall software programs using the provided command line interface, PowerShell scripts, or third-party graphical user interface helpers.
One of the interesting features of the program is that it can be used to update the majority of installed programs on Windows at once, even if some or all of those applications were not installed using the Windows Package Manager.
The default repository of the package manager is a community repository that is managed and maintained on GitHub. The submission process was automated up until now, which meant that anyone could push new programs or program versions to the repository. The process turned out to be very problematic for the quality of the repository.
The developers put automated safeguards in place but no checks for duplicates, erroneous submissions, submissions with false information, or even the submission of problematic programs. One of the main issues that the developers observed was that duplicates were submitted, and that these duplicates would often lack proper metadata information, would be program versions that were not the latest, or would have unofficial download paths. Many of the issues were discussed in the comments section here on the site when version 1.0 of the package manager was released.
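The defects listed above (missing metadata, stale versions, unofficial download paths, duplicates) are exactly what an automated pre-merge check could flag. The following is an added illustration written for this article, not winget's own validation code; it assumes the winget YAML manifest field names (PackageIdentifier, PackageVersion, Installers, InstallerUrl, InstallerSha256) and uses a constructed allow-list of official hosts and a constructed record of already published versions.

```python
# Hypothetical pre-merge checks for a community package index, written for this
# article, not winget's own code. Field names assume winget's YAML manifest layout.
from urllib.parse import urlparse

REQUIRED = ("PackageIdentifier", "PackageVersion", "Publisher",
            "PackageName", "License", "ShortDescription")
# Constructed allow-list of publisher-confirmed download hosts, and a
# constructed view of the versions the repository already carries.
OFFICIAL_HOSTS = {"Example.Editor": {"downloads.example.test"}}
PUBLISHED = {"Example.Editor": "1.9.3"}

def version_key(v):
    """Numeric-aware sort key so '1.10.0' ranks above '1.9.3'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def check_manifest(m, published=PUBLISHED, official=OFFICIAL_HOSTS):
    """Return the problems a reviewer would flag in one submitted manifest."""
    problems = []
    pid, ver = m.get("PackageIdentifier", ""), m.get("PackageVersion", "")
    for field in REQUIRED:  # incomplete metadata
        if not str(m.get(field, "")).strip():
            problems.append(f"missing metadata: {field}")
    for inst in m.get("Installers", []):
        url = urlparse(inst.get("InstallerUrl", ""))
        if url.scheme != "https":  # installer fetched over plain http
            problems.append("installer not served over https")
        if url.hostname not in official.get(pid, set()):  # unofficial mirror
            problems.append(f"unofficial download host: {url.hostname}")
        sha = inst.get("InstallerSha256", "")
        if len(sha) != 64 or set(sha.lower()) - set("0123456789abcdef"):
            problems.append("missing or malformed InstallerSha256")
    if pid in published and ver:  # duplicate or stale version
        new, old = version_key(ver), version_key(published[pid])
        if new == old:
            problems.append(f"duplicate of published version {published[pid]}")
        elif new < old:
            problems.append(f"older than published version {published[pid]}")
    return problems

# Constructed submissions: one clean, one showing the defects described above.
GOOD = {"PackageIdentifier": "Example.Editor", "PackageVersion": "1.10.0",
        "Publisher": "Example Corp", "PackageName": "Editor", "License": "MIT",
        "ShortDescription": "Text editor", "Installers": [
            {"InstallerUrl": "https://downloads.example.test/editor-1.10.0.msi",
             "InstallerSha256": "ab" * 32}]}
BAD = {"PackageIdentifier": "Example.Editor", "PackageVersion": "1.8.0",
       "Publisher": "", "PackageName": "Editor", "License": "", "Installers": [
           {"InstallerUrl": "http://mirror.example.net/editor.exe",
            "InstallerSha256": ""}], "ShortDescription": ""}
```

Running `check_manifest(GOOD)` returns an empty list, while `check_manifest(BAD)` reports three missing fields, the plain-http and unofficial download location, the absent hash, and the stale version.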
The development team made the decision to stop the automatic submission process in favor of a manual review process to "reduce the number of duplicate submissions, and manifests with sub-optimal metadata". Community moderators are to assist the team in the review process, and the criteria for becoming a moderator are currently being discussed on the project's GitHub repository. Suggestions include selecting moderators who have contributed to the repository and helped others with their contributions.
Another idea is to get publishers involved to improve the verification process and speed up the submission process of new or updated packages.
If you want to be in full control of submissions, you need to review them manually. Microsoft recognized this and decided to switch from automated to manual submissions. That is a good thing, even though it may mean that new submissions or changes take longer to find their way into the repository.
Now You: have you used the Package Manager before? What is your take on the development?
I avoid sites like Ninite because they skip all configuration options and assume you want a default configuration. Does winget have the same problem?
Accepting all submitted programs without checking seems to be a remarkably stupid decision.
I gave winget a try and was very happy with the results for the most part. I was pleased to see several of the programs I already had installed show up in the list and they were updated to the latest version with no issues.
There was one odd thing: Adobe Reader and another program showed up as having a pending update even though the latest version was already installed, and I imagine this is because the version number was written slightly differently (the update had parentheses and the installed version did not). I imagine oddities like this will be fixed after the submission rules are tightened up.
I’ve been wondering if winget is Microsoft’s way of exploring an actually sane package management system in Windows ahead of what people are speculating will be Windows 11. If winget (plus a pretty front end for the average user) becomes the norm for installing software in Windows and they do away with the current Microsoft app store, it would be a big step in the right direction.
I don’t want to get my hopes up but I guess a part of me wants to be cautiously optimistic.
Somehow the Neowin Newsletter, Software Updates section gives me very current references to official program URLs, often relevant to my installed programs. This information keeps me very current, as I like manually updating them individually.
I understand what this is and what it does but not why it exists or whether it will continue to exist given the manual input MS decided is necessary for its integrity.
The GH project was initiated two years ago; MS must see something in their Package Manager besides terminology similar to Linux. Organizations good at product development are also good at killing dubious projects early. /s
Regardless, updating for the sake of updating can cause problems. I let our Linux distros do security updates automatically but I review package updates before committing. I do everything manually on Windows.
Instead of the developers complaining about duplicate submissions or incomplete metadata, they should have someone who actually fixes and manages these submissions; instead, submissions are left hanging for months.
It's a known fact also that there are many different people (community people, not MS staff) making these submissions, and none read the other already existing submissions or bug reports, so duplicates will happen because people are lazy.
Nonetheless, winget is pretty much useless: it does not support install sources that are within an archive like zip, and it doesn't support package dependencies, which means a large percentage of software can't be part of this repository until such time as support is added.
Least of all, winget pretty much has a shady story behind how it came to be, if anyone is familiar with how it treated AppGet and its developer (that project is now dead and was much better than winget is now).
Ah yes, so now, when applications have known vulnerabilities and the developer updates and fixes such issues, such fixes will take twice or three times longer than before to trickle down to winget.
Great move MS.
Winget, the place to go to install outdated applications.
You'd better not write comments on articles about things you don't understand, so you don't look silly.
The manifest does not need to be updated every time a new version of the program is released. The article is about adding new programs to the repository, not new versions of programs already in the repository.
Huh? The manifest does have to be updated every time. Inside every package are directories dedicated to each package version. Some are lagging behind quite a lot.
Maybe follow your own advice on not commenting about the things you don’t understand.
The 7-zip package was updated almost the same day as the release was published on their website... oops.
How’s that relevant?
And Thunderbird wasn’t updating for days after release.
Just means that people were quicker to notice the 7-zip update, or the dev themselves added the new manifest.
This is just the tip of the iceberg, with more bad news coming in the future. At least for the common folk trying to manage their own Windows PC this way. Not so dramatic for testing and VM environments. And some concern if you do not use your own repository when doing multiple-endpoint deployments. But do not mind me, carry on.
> Huh? The manifest does have to be updated every time. Inside every package are directories dedicated to each package version. Some are lagging behind quite a lot.
Yes, but you do realize that there’s automation to update all of them?
All of the contributors probably have RSS feeds to check for an update and then update the manifest files. Chocolatey and Scoop have to go through the same hurdles as WinGet.
This is very inexcusable for you to comment on.
> Ah yes, so now, when applications have known vulnerabilities and the developer updates and fixes such issues, then such fixes will take twice or three times longer than before to treacle down to winget
Please don’t comment on things you don’t understand. This is the exact same as Chocolatey and Scoop.
I created a package for WinGet and it was merged in a few hours or so.
What about Chocolatey or Scoop? They take days compared to WinGet LOL.