Microsoft has introduced human moderation for packages submitted to the repository for its newly released Winget package manager, following a spike in duplicate and/or bad submissions.
The Windows Package Manager, also known as Winget, was released during Microsoft’s Build event last week. At the time, senior program manager Demitrius Nelon made a point of how easy it was to submit packages to the repository, introducing a tool called the Windows Package Manager Manifest Creator. Users simply run the tool, providing the URL to the installer for the target package. Nelon said:
“Then the tool will download the installer, parse it to determine any of the manifest values available in the installer, and guide you through the process to generate a valid manifest. If you provide your GitHub credentials when prompted, it will even fork the repository, create a new branch, submit a pull request, and provide you with the URL to track its progress.”
It became apparent that, because everything after this step was automated, Microsoft had exposed the repository to all sorts of problems. Windows enthusiasts, keen to extend the usefulness of the repository, added their favourite packages without checking whether they were already included.
In other cases, bad manifests were generated because users did not think through all the implications of creating a package, for example linking to an installer URL that would expire a few days later, or to an installer that required user input. Another issue was pull requests that overwrote existing good manifests with worse substitutes.
A concerned user opened a GitHub issue called “Moderation needed”, showing the extent of the problem.
Many well-known packages were affected, such as Apple’s iCloud client, Valve’s Steam runtime, and the Zoom meetings installer. Although there was some crude effort at malware protection, with every upload being submitted to VirusTotal, the system was open for abuse.
The issue also noted that “without any ownership by either Microsoft or official app developer channels, Winget package manifests may or may not be updated in a timely manner, if at all, and without any practices or policy about architectures, release channels, deployment configurations, etc, users may be getting 32-bit versions on their 64-bit machine when 64-bit versions exist, or be stuck on very old versions, or get broken releases instead of stable ones.”
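The problems described above (duplicate submissions under a differently spelled identifier, manifests with no pinned installer hash, and updates that silently drop an architecture or replace a good manifest with a worse one) are the kind of thing a pre-merge check can flag before a human moderator looks at the pull request. The following is an added illustration of such a check, not Microsoft's or the winget-pkgs project's own tooling. It models manifests as plain dictionaries using field names patterned on the winget manifest format (PackageIdentifier, PackageVersion, Installers, InstallerUrl, InstallerSha256, Architecture); the catalogue and the three submissions are constructed sample data, and the `review` function and its verdict values are this example's own.

```python
"""Pre-merge quality checks for package-manifest submissions (added example).

Not the winget-pkgs project's validation; field names are modelled on the
winget manifest format and all sample data below is constructed.
"""
import re
from typing import Optional

ALLOWED_ARCH = {"x86", "x64", "arm", "arm64"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def normalise_id(package_id: str) -> str:
    """Collapse case and punctuation so 'Example.Viewer' and 'example-viewer' compare equal."""
    return re.sub(r"[^a-z0-9]", "", package_id.lower())


def find_duplicate(manifest: dict, catalogue: dict) -> Optional[str]:
    """Return the identifier of an existing catalogue entry this submission collides with."""
    wanted = normalise_id(manifest["PackageIdentifier"])
    for existing_id in catalogue:
        if normalise_id(existing_id) == wanted:
            return existing_id
    return None


def lint_manifest(manifest: dict) -> list:
    """Metadata checks a moderator would otherwise do by hand."""
    findings = []
    if not manifest.get("PackageVersion"):
        findings.append("missing PackageVersion")
    installers = manifest.get("Installers") or []
    if not installers:
        findings.append("no installers listed")
    for i, inst in enumerate(installers):
        if not inst.get("InstallerUrl", "").lower().startswith("https://"):
            findings.append(f"installer {i}: InstallerUrl is not https")
        if not SHA256_RE.match(inst.get("InstallerSha256", "")):
            findings.append(f"installer {i}: InstallerSha256 missing or malformed")
        if inst.get("Architecture") not in ALLOWED_ARCH:
            findings.append(f"installer {i}: unknown or missing Architecture")
    return findings


def is_regression(new: dict, existing: dict) -> bool:
    """True when the replacement covers fewer architectures, or loses hashes the existing manifest had."""
    def arch_set(m):
        return {i.get("Architecture") for i in m.get("Installers", [])}

    def all_hashed(m):
        return all(SHA256_RE.match(i.get("InstallerSha256", "")) for i in m.get("Installers", []))

    drops_arch = not arch_set(existing) <= arch_set(new)
    drops_hash = all_hashed(existing) and not all_hashed(new)
    return drops_arch or drops_hash


def review(manifest: dict, catalogue: dict) -> dict:
    """Decide whether a submission can be merged automatically or needs a moderator."""
    result = {"findings": lint_manifest(manifest), "duplicate_of": None, "regression": False}
    existing_id = find_duplicate(manifest, catalogue)
    if existing_id is not None and existing_id != manifest["PackageIdentifier"]:
        result["duplicate_of"] = existing_id          # same package under a new spelling
    elif existing_id is not None:
        result["regression"] = is_regression(manifest, catalogue[existing_id])  # an update
    needs_human = bool(result["findings"] or result["duplicate_of"] or result["regression"])
    result["action"] = "hold for moderator" if needs_human else "auto-merge"
    return result


# Constructed catalogue entry: one package, both architectures, hashes pinned.
CATALOGUE = {
    "Example.Viewer": {
        "PackageIdentifier": "Example.Viewer",
        "PackageVersion": "2.1.0",
        "Installers": [
            {"Architecture": "x64", "InstallerUrl": "https://downloads.example.com/viewer-2.1.0-x64.msi",
             "InstallerSha256": "a" * 64},
            {"Architecture": "x86", "InstallerUrl": "https://downloads.example.com/viewer-2.1.0-x86.msi",
             "InstallerSha256": "b" * 64},
        ],
    }
}

# Constructed submissions illustrating the three failure modes.
DUPLICATE_SUBMISSION = {   # same package, re-submitted under a different identifier
    "PackageIdentifier": "example-viewer", "PackageVersion": "2.1.0",
    "Installers": [{"Architecture": "x64", "InstallerUrl": "https://downloads.example.com/viewer-2.1.0-x64.msi",
                    "InstallerSha256": "a" * 64}],
}
DEGRADED_UPDATE = {        # 32-bit only, no hash: would replace a better manifest
    "PackageIdentifier": "Example.Viewer", "PackageVersion": "2.2.0",
    "Installers": [{"Architecture": "x86", "InstallerUrl": "http://mirror.example.net/viewer-setup.exe"}],
}
CLEAN_UPDATE = {           # keeps both architectures and pinned hashes
    "PackageIdentifier": "Example.Viewer", "PackageVersion": "2.2.0",
    "Installers": [
        {"Architecture": "x64", "InstallerUrl": "https://downloads.example.com/viewer-2.2.0-x64.msi",
         "InstallerSha256": "c" * 64},
        {"Architecture": "x86", "InstallerUrl": "https://downloads.example.com/viewer-2.2.0-x86.msi",
         "InstallerSha256": "d" * 64},
    ],
}

if __name__ == "__main__":
    for name, sub in [("duplicate", DUPLICATE_SUBMISSION), ("degraded", DEGRADED_UPDATE), ("clean", CLEAN_UPDATE)]:
        print(name, review(sub, CATALOGUE))
```

The identifier comparison is deliberately loose (case and punctuation folded) because duplicates in a community catalogue rarely share an exact spelling; the regression check compares the incoming manifest against the entry it would replace, so a pull request that narrows architecture coverage or drops a pinned hash is held rather than merged.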
Shortly after, Nelon commented that “The ‘automated merge’ has been stopped” and promised further changes. Yesterday, Nelon said:
“Windows Package Manager team administrators will begin manually reviewing submissions to reduce the number of duplicate submissions and manifests with sub-optimal metadata. We have also implemented moderation to help maintain the quality of the community catalogue.”
He listed 12 Microsoft moderators and 2 community moderators and started a new discussion about how future moderation should be handled.