Automatically remove stale packages

[github-account1111]

Description of the new feature / enhancement

I was about to install a package but was prudent enough to check the website to make sure I'm getting the latest version through winget. Turns out I wouldn't be. Winget has 3.9.1 while the actual newest version is 3.16.3.

I don't know how updates are handled. Hopefully automatically, in which case when there is an error (e.g. a 404) all versions of the package should be wiped from the repo. If for whatever weird reason the updates are handled manually.. then they shouldn't be handled manually.

Proposed technical implementation details

Maybe only the actual publishers should be allowed to add their packages to the repo. That would at least ensure that the publisher is aware the package even is on winget. Consequently it will ensure that the package won't go stale.

Correct me if I'm wrong, but the current way of submitting-any-app-willynilly-by-anyone-willing seems very insecure.

[Trenly]

When a URL goes 404, the version is supposed to be automatically removed by the wingetbot automation. However, it seems that functionality is currently broken.

Correct me if I'm wrong, but the current way of submitting-any-app-willynilly-by-anyone-willing seems very insecure.

Packages are scanned by multiple AntiVirus providers to ensure they are not malware. Additionally, there are automated checks in place to make sure that the package download matches the publisher information in the manifest. If someone were to submit Google Chrome underneath the publisher Mozilla then it would throw a warning and the validation would fail. Not only is there the automated testing, but all packages are reviewed by community moderators to ensure the manifest is correct and applications install correctly.

[github-account1111]

When I said insecure, I wasn't referring to malware in packages. Outdated software has more vulnerabilities. I thought one of the goals of Winget is to keep the system as up-to-date as possible.

As an example, Windscribe hasn't been updated for 7 versions. Wasn't wingetbot supposed to react back in November when v2.7.14 was released? Relying on humans to submit things timely is obviously not feasible.

[Masamune3210]

Not everything can be easily automated or has had work with the intention of doing so. Automatic detection of things only goes so far. For example, url's that change drastically between versions of a download

[denelon]

@github-account1111

Our preference is for publishers to submit manifests for their own software as they release it. They may also remove older versions if they wish.

Until a publisher or a community member finds the right heuristics for automating package submission for new versions, it requires a person to be aware a new version is available and either submit the manifest themselves, or make a request via an Issue.