Microsoft missed a predictable flaw in its Windows Package Manager repo
A lot of work has gone into the Windows Package Manager repository, but it ran into issues allowed by automated approvals.
After a year in preview, Microsoft released Windows Package Manager during Build 2021. The tool allows people to easily manage and install programs and packages, much like many are used to on Linux. Unfortunately, Microsoft saw a hiccup with its automated process for accepting submissions to the Windows Package Manager repository, which contains the manifest files for Windows Package Manager.
Microsoft simplified the process of submitting items to the repository with the preview release of the Windows Package Manager Manifest Creator. The tool lets people provide a URL for the installer of a package. Microsoft’s Demetrius explains the tool in a devblog post:
“Once the tool has been installed, execute wingetcreate new provide the URL to the installer. Then the tool will download the installer, parse it to determine any of the manifest values available in the installer, and guide you through the process to generate a valid manifest.”
It appears that this tool made it a bit too easy to submit packages. Because it was automated, several packages were submitted that had issues. People submitted duplicate packages, created packages with installers with expiration dates, and used installers that need user input. As a result, the packages available from the repository were negatively affected.
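A pre-merge gate for two of the problems described above (duplicate packages and installers that need user input), as an added example that is not Microsoft's validation code. It assumes manifests already parsed into dicts using the PackageIdentifier, PackageVersion, InstallerType, InstallerSha256 and InstallerSwitches.Silent fields of the Windows Package Manager manifest schema; the function name and all sample data are hypothetical.

```python
# Added example: pre-merge checks for a package-manifest submission.
# Manifests are plain dicts; every sample value below is constructed.

def _hashes(manifest):
    return {i["InstallerSha256"].upper() for i in manifest["Installers"]}


def review_submission(new, existing):
    """Return a list of findings; an empty list means no objection to merging."""
    findings = []
    new_id = new["PackageIdentifier"]
    for old in existing:
        old_id = old["PackageIdentifier"]
        if old_id.casefold() == new_id.casefold():
            if old_id != new_id:
                findings.append(f"identifier differs only by case from {old_id}")
            elif old["PackageVersion"] == new["PackageVersion"]:
                findings.append(f"{old_id} {old['PackageVersion']} already exists")
        elif _hashes(old) & _hashes(new):
            findings.append(f"same installer already published as {old_id}")
    for inst in new["Installers"]:
        # A generic .exe has no standard quiet flag, so without a Silent
        # switch in the manifest the install stops and waits for the user.
        silent = inst.get("InstallerSwitches", {}).get("Silent")
        if inst.get("InstallerType") == "exe" and not silent:
            findings.append("exe installer has no Silent switch")
    return findings


# Constructed sample data (placeholder hashes, example.com URLs).
EXISTING = [{
    "PackageIdentifier": "Contoso.Viewer", "PackageVersion": "2.1.0",
    "Installers": [{"InstallerType": "msi", "InstallerSha256": "A" * 64,
                    "InstallerUrl": "https://example.com/viewer-2.1.0.msi"}],
}]
REPACKAGED = {
    "PackageIdentifier": "ContosoInc.ViewerApp", "PackageVersion": "2.1.0",
    "Installers": [{"InstallerType": "msi", "InstallerSha256": "a" * 64,
                    "InstallerUrl": "https://example.com/viewer-2.1.0.msi"}],
}
NEEDS_INPUT = {
    "PackageIdentifier": "Fabrikam.Tool", "PackageVersion": "1.0.0",
    "Installers": [{"InstallerType": "exe", "InstallerSha256": "B" * 64,
                    "InstallerUrl": "https://example.com/tool-setup.exe"}],
}

if __name__ == "__main__":
    for submission in (REPACKAGED, NEEDS_INPUT):
        print(submission["PackageIdentifier"], review_submission(submission, EXISTING))
```

Any non-empty result is a reason to hold the submission for a human reviewer instead of merging it automatically.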
As highlighted by The Register, the packages for Apple’s iCloud client, Valve’s Steam runtime, and the Zoom meeting installer were all affected by poor submissions.
People flagged the issues on GitHub, including user “KaranKad,” who pointed out that people were submitting bad or duplicate manifests. KaranKad also broke down the issue in more detail and suggested solutions in another post.
Microsoft must have seen the negative effects the process was having, because it stopped the automated merge, according to Microsoft’s “Denelon.”
“Windows Package Manager team administrators will begin manually reviewing submissions to reduce the number of duplicate submissions, and manifests with sub-optimal metadata,” says Denelon on GitHub.
It’s a bit strange that Microsoft didn’t foresee this issue. Having an automated process that didn’t check for these types of errors was likely to lead to problems, but the team behind Windows Package Manager appears to be on top of it now.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He’s covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean’s journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.