Scripts during installation process

[Andrej730]

I discovered winget recently and it's really convenient tool. And it's opensource, truly grateful for that.

I've learned from winget install learning that current position about scripts is No scripts during install – something that we completely agreed with and don’t allow with MSIX.

Is it just current policy until winget will grow? Or is something more fundamental?

If it was possible to install packages that are using .bat scripts (possibly libraries that are compilated in the process) that would me an amazing leap for package management on Windows.

[Masamune3210]

The problem with scripts is they can break absurdly easily, and are hard to validate en masse. Unlike Linux and other Unix-likes, where post-install scripts are pretty common, on Windows, most if not all the time the post-install requirements are either handled by the installer itself as its last steps or on first app launch. Its just not as required on Windows imo

[Andrej730]

It's true that scripts are more diverse and complicated than installers, not sure how they handle their validation in Unix-systems.

[Trenly]

The biggest issue that I see with scripts (.bat, .sh, .ps1, etc.) is that they are inherently insecure. They can point to remote endpoints that aren't controlled, they can download and run arbitrary code, they can do all sorts of things - both good and bad.

[Andrej730]

But couldn't .exe installers do the same thing?
I think it's always matter of trust to the source of the installer - whether it's exe or bat script.

[denelon]

It is one of our fundamental tenets.

We validate installers (portable packages, and .zip compressed packages) and use SHA256 hashing to identify installers so we can easily validate they haven't been modified before installing them. The manifests are declarative and do not directly contain scripts that would also need to be scrutinized and handled via other more complex means.

We are working on other solutions to handle the specific cases where pre-deploy or post-deploy actions are required to achieve the desired state for an application to be installed and function properly.

It takes years for software and installers to "migrate" to the best state they can be in. I recently came across the 8 Laws of Software Installation from 2015 attributed to @fearthecowboy.

We're on a journey to improve package management on Windows. Much of the work still depends on the installers. We will do as much as we can to help developers and our customers "fall into the pit of success", and it will take time.

[Andrej730]

Thanks for the detailed response, I like the "fall into the pit of success" philosophy!

But couldn't installers do something under the hood and it's even harded to validate them than not compiled scripts?

[denelon]

We run both static and dynamic analysis on the installers. I'm not sure anything is going to be 100% secure short of disconnecting from the Internet and running in a completely isolated environment, which is why we're doing defense in depth with multiple layers of security.

If memory serves me correctly, we've only had one incident where an installer with bundleware for a specific locale was approved. As soon as we received the report, we removed the package from the repository.

[jantari]

@Andrej730 there has also been a previous issue on this topic with some additional discussion: #299

I have also commented there why I believe this would be an amazing leap ... backwards ... for package management on Windows 😉

The chocolatey package manager uses the script-driven-installs approach and it is riddled with problems for it. With winget, it's time to hopefully improve on the status quo.