Replies: 2 comments 3 replies
-
|
Unfortunately, there isn't much documentation on this. There are some posts scattered through multiple GitHub issues and pull requests which discuss various portions of it, but nothing all in one source. There is a page on the Validation Process but it doesn't contain details on the security testing which is done |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for that link, especially the error label details are helpful 👍 |
Beta Was this translation helpful? Give feedback.
-
|
@khaffner we've kept the documentation "high-level" as the actual processes and sequencing may change. Is there something specific you're interested in, or just more of an overview? |
Beta Was this translation helpful? Give feedback.
-
|
@Trenly's link to the validation process seems to be what I was looking for. But I have a specific question that I hope can be ansvered somewhere more visible to newcomers who have security concerns: |
Beta Was this translation helpful? Give feedback.
-
|
We have had the ask for application signatures, but that would be in addition to the hash and the other validations we perform. We have extra manual processes to validate URLs for installers when they don't match the publisher. If they are approved, we add a waiver for that specific URL difference. |
Beta Was this translation helpful? Give feedback.
-
Hello
I went to PSConfEU last week and heard @denelon talk about WinGet for almost an hour, and he mentioned among many things the automated security testing done by winget(bot?). A few points i jotted down were
And that packages are rescanned and retested regularly. (I may have errors in my notes).
This is cool, and was complete news to me. But I would like to read more about these security features, are they documented somewhere? I struggle to find it.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions