Were there recent changes to install.ps1 file?

[artisticcheese]

Please see the issue which was not there a day ago
chocolatey/cChoco#151

┆Issue is synchronized with this GitLab issue by Unito

[gep13]

@artisticcheese yes, a new version of the install.ps1 file was released today, which addressed a number of issues which were identified.

Are you seeing a problem with it?

[artisticcheese]

Yes, it's not throwing terminating issue when it thinks chocolatey is already installed which causing DSC cChocolatey to proceed with creation of environment variables etc thinking installation successfully proceeded when it did not.

[vexx32]

Yeah, currently it just writes a warning. From what I remember, I think @ferventcoder wanted it as a warning rather than an error, but perhaps it's better if this is a terminating error?

[gep13]

Adding @vexx32 for visibility.

[artisticcheese]

As of right now (with current logic) all cChoco DSC module users will have problems since it's different behavior which was before when I assume it was terminating issue or logic itself was different.
The way cChoco works is that it places install.ps1 file into the folder where chocolatey is being installed and current logic considers non-empty folder as a sign that chocolatey is installed which is not

[ferventcoder]

Sounds like there is an issue with the script - this is covering a security issue where Chocolatey should not install into a pre-created folder (what becomes C:\ProgramData\chocolatey).

[vexx32]

Might it be better for cChoco to place the script either in a temp directory or just add the script after running the install.ps1 to install chocolatey itself, if the script really needs to be in the Chocolatey directory?

[ferventcoder]

Yeppers, cChoco should place the script elsewhere.

chocolatey/cChoco#151 (comment) is the biggest part of why this change needed to occur. With security changes, we do what we can to minimize impact, but unfortunately it doesn't mean we'll catch everything ahead of time.

The problem lies in that someone could pre-create the folder and drop a hijacking dll in here. Then when Chocolatey installs and puts folders on the SYSTEM path, those hijacking DLLs are still there. Even though it installs and asserts admin privileges to the default location (not to C:\Choco - you are left to handle those when you customize the path), it takes everything existing along for the ride.

So to fix the security issue, if there is an existing folder where Chocolatey was going to install, it just doesn't. Errorring in a terminating way on this is just completely out - that would cause a lot of consternation as compared to what is currently being seen (as in a LOT more folks would be affected).

[EricHripko]

Also seeing issues (around proxies) with the recent changes in the install script. Couldn't find the source repository for it, so filed an issue on the main repo: https://github.com/chocolatey/choco/issues/2195.

[gep13]

@artisticcheese a new version of cChoco has been released which addresses the issue that was raised here.

You can find information about this release here:

https://github.com/chocolatey/cChoco/releases/tag/v2.5.0

I am going to go ahead and close out this issue.