-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Feature]: Find a better way to handle Nightly
packages.
#163098
Comments
I think your last idea is good, but could be as simple as a new admin setting and GPO in the CLI for allowed hash mismatches. An admin or GPO could set a list of package identifiers that automatically skip the hash validation. Another option may be adding signature checking and a thumbprint to the manifest. That way if a publisher puts out a new version of an application, the CLI could check if the binary is signed and if the signature comes from the correct ISV. An admin setting could be added to the CLI to proceed if the hash does not match but the signature does I know it may be a fair bit of work, but another option could be having a different source in winget specifically for nightlies / vanity URLs. There could be a separate folder in this repo like Then, an update to the CLI could add it as a known source which 1) requires admin to enable, 2) can be disabled by GPO, and 3) Automatically proceeds even when hash mismatches occur. This would allow for very controlled processes (i.e - moderation) to determine whether a package can be sufficiently trusted to be added to the trusted folder. Something like Firefox or Google Chrome would be easily trusted, other applications may have different processes such as needing 15 or 20 nightlies in a row to pass standard validation before becoming a trusted vanity URL. The manifests in the trusted folder could be updated by the bot just to help ensure that PackageVersion and SHA are kept somewhat up to date. Bot PRs into trusted apps could be auto-merged without moderator approval, as it could be a requirement of becoming a trusted app that the app versioning is something that works with the bot and can be updated. Or, trusted apps could always be listed as "Latest" and have a SHA that is just always wrong but never checked although I think that having them updated occasionally would be best. |
I also have these issues when submitting packages that update faster:
|
I think this expands slightly further than nightly releases as there are many popular applications currently using vanity URLs. I think it would be great as @Trenly mentioned to have a trusted list for highly reputable vendors like Mozilla and Google that have certain measures in place to reduce updating process. This would help reduce the downtime applications can experience when the vanity URL is broken. Google Chrome is great example, each week it normally receives and update but sometimes it can be twice a week. If the validation pipeline is running smoothly and it's approved shortly after it can be around 3 hours of downtime for the package. The real issue is when something disrupts the process and it can then become 24 hours of downtime. Not to mention the massive amount of labour involved for @stephengillie who has to approve these packages. |
Description of the new feature/enhancement
Packages which are actually updated every ~24 hours currently aren't really a good fit for this package manager. Our validation and approval timing means they will at best be available only ~75% of the time, and sometimes will miss for several days.
General timing:
The most ideal scenario consumes around 16% to 20% of the Nightly package's lifespan. A slightly impacted but still mostly ideal scenario consumes 33%. Additional delays in this process can easily consume the remaining timespan between releases.
Proposed technical implementation details (optional)
Neither of these ideas is really ideal in the current situation, so please be gentle.
One idea:
The number of manual steps complicates expediting the validation and approval process. There might be some kind of expedited system, where certain developers can become vetted in some way (Authorized Publishers?) and have their nightly packages fast-tracked into the Publish pipeline, while the validation and approval steps are pending. And with the caveat that any failure of those pipelines would cause that nightly version to become reverted. This might present too many legal fronts (not a laywer).
Other idea:
"Known Nightlies" could have a flag, or be on a list, or otherwise enumerated such that they could have reduced restrictions on hash mismatches. The package manager could allow hash mismatch overrides - in conjuntion with the above enumeration. (This might be hidden deep behind large security warnings, where only advanced users (who would opt for a nightly version of a package) would know to enable.) This would allow users with a large risk appetite to continue receiving nightly updates.
The text was updated successfully, but these errors were encountered: