Microsoft missed a predictable flaw in its Windows Package Manager repo
A lot of work has gone into the Windows Package Manager repository, but automated approvals let problem submissions through.
What you need to know
- Microsoft has stopped the automated merge of submissions to the Windows Package Manager repository.
- The Windows Package Manager repository contains manifest files for Windows Package Manager.
- Microsoft will now manually review submissions to reduce duplicates and submissions with issues.
After a year in preview, Microsoft released Windows Package Manager during Build 2021. The tool allows people to easily manage and install programs and packages, much like many are used to on Linux. Unfortunately, Microsoft saw a hiccup with its automated process for accepting submissions to the Windows Package Manager repository, which contains the manifest files for Windows Package Manager.
Microsoft simplified the process of submitting items to the repository with the preview release of the Windows Package Manager Manifest Creator. The tool lets people provide a URL for the installer of a package. Microsoft's Demetrius explains the tool in a devblog post:
It appears that this tool made it a bit too easy to submit packages. Because it was automated, several packages were submitted that had issues. People submitted duplicate packages, created packages with installers with expiration dates, and used installers that need user input. As a result, the packages available from the repository were negatively affected.
As highlighted by The Register, the packages for Apple's iCloud client, Valve's Steam runtime, and the Zoom meeting installer were all affected by poor submissions.
People flagged the issues on GitHub, including user "KaranKad", who pointed out that people were submitting bad or duplicate manifests. KaranKad also broke down the issue in more detail and suggested solutions in another post.
Microsoft must have seen the negative effects the process was having, because it stopped the automated merge, according to Microsoft's "Denelon."
"Windows Package Manager team administrators will begin manually reviewing submissions to reduce the number of duplicate submissions, and manifests with sub-optimal metadata," says Denelon on GitHub.
It's a bit strange that Microsoft didn't foresee this issue. Having an automated process that didn't check for these types of errors was likely to lead to problems, but the team behind Windows Package Manager appears to be on top of it now.
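A pre-merge check for the three problem classes reported above (duplicates, installers with expiring links, installers that need user input), as an added example that is not Microsoft's validation pipeline or code from this article. The flat record and its field names, the `EXPIRY_PARAMS` list, and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed markers of a signed, time-limited download link (illustrative list).
EXPIRY_PARAMS = {"expires", "x-amz-expires", "x-goog-expires", "se", "sig"}

def normalize_id(identifier):
    """Fold case and punctuation so 'Contoso.Viewer' and 'contoso-viewer' match."""
    return re.sub(r"[^a-z0-9]", "", identifier.lower())

def review_submission(manifest, existing):
    """Return the reasons a submission needs manual review (empty list = clean)."""
    findings = []
    new_id = normalize_id(manifest["PackageIdentifier"])
    for other in existing:
        same_id = normalize_id(other["PackageIdentifier"]) == new_id
        same_bits = other["InstallerSha256"].lower() == manifest["InstallerSha256"].lower()
        if same_id and other["PackageVersion"] == manifest["PackageVersion"]:
            findings.append(f"duplicate of {other['PackageIdentifier']} {other['PackageVersion']}")
        elif same_bits and not same_id:
            findings.append(f"same installer already published as {other['PackageIdentifier']}")
    query = parse_qs(urlsplit(manifest["InstallerUrl"]).query)
    expiring = sorted(key for key in query if key.lower() in EXPIRY_PARAMS)
    if expiring:
        findings.append("installer URL looks time-limited: " + ", ".join(expiring))
    if not manifest.get("SilentSwitch"):
        findings.append("no silent switch declared; installer may need user input")
    return findings

def can_auto_merge(manifest, existing):
    return not review_submission(manifest, existing)

# Constructed sample data: one published package and one new submission.
EXISTING = [{
    "PackageIdentifier": "Contoso.Viewer", "PackageVersion": "1.2.0",
    "InstallerSha256": "ab" * 32, "SilentSwitch": "/S",
    "InstallerUrl": "https://downloads.example.com/viewer-1.2.0.exe",
}]
SUBMISSION = {
    "PackageIdentifier": "contoso-viewer", "PackageVersion": "1.2.0",
    "InstallerSha256": "AB" * 32, "SilentSwitch": "",
    "InstallerUrl": "https://cdn.example.com/viewer.exe?Expires=1623456789&sig=abc",
}

if __name__ == "__main__":
    for finding in review_submission(SUBMISSION, EXISTING):
        print("needs review:", finding)
```

A submission with any finding goes to a human reviewer; only a clean one is eligible for automated merge.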
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.