Can a company own its manifest and updates? #146374
-
We [Doist] would like to take ownership of the We love that the community has submitted Todoist to WinGet on our behalf and that, thanks to wingetbot, it's up to the latest version of our desktop app, but we have concerns about what happens if someone in the community updated the installerUrl for our app and pointed it to something else. Is there a way of being able to approve PRs related to this package (via CODEOWNERS) so that this can be controlled? I appreciate that this would mean we'd need to approve PRs from wingetbot that automatically want to update to the latest version number, but we have a desktop team that can take care of those approvals.
Replies: 3 comments
-
There currently is not a way to do this, but it is in process. I believe @denelon is still working on the final issues with the business process side, as noted in #100. As far as concerns about the safety of the manifest and ensuring it points to the correct place, all PRs have to go through an automated scan which makes sure that the Installer URL is associated with a domain that heuristically matches the package information. If it doesn't match, it requires additional documentation and a waiver in order for it to pass validation. In addition to that, all manifests go through a moderation process wherein a moderator checks through the information in the manifest, ensures it is accurate, tests to ensure the install is successful and that the metadata matches what is specified in the manifest, etc. So while waiting for the verified publishers feature to be complete, it is highly unlikely that a community member could point it to something incorrect without it being caught.
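As an added example (not the winget-pkgs repository's own validation code), here is a stdlib-only Python check in the spirit of the domain heuristic described in the reply above, which a publisher could run against a manifest in its own CI before a PR is merged; the sample manifest, the hostname, and the matching rules are constructed assumptions, not the real pipeline's logic.

```python
"""Flag InstallerUrls in a winget manifest whose host does not match the package's publisher."""
import re
from urllib.parse import urlparse

# Constructed sample of an installer manifest (assumed values, not a real published manifest).
SAMPLE_MANIFEST = """\
PackageIdentifier: Doist.Todoist
PackageVersion: 8.0.0
Publisher: Doist
PublisherUrl: https://todoist.com
Installers:
- Architecture: x64
  InstallerUrl: https://todoist.com/windows/download/Todoist-8.0.0.exe
- Architecture: x86
  InstallerUrl: https://cdn.example-mirror.net/Todoist-8.0.0.exe
"""

def parse_manifest(text):
    """Tiny flat parser: top-level 'Key: value' pairs plus every InstallerUrl (no PyYAML needed)."""
    fields, urls = {}, []
    for line in text.splitlines():
        m = re.match(r"^\s*-?\s*([A-Za-z]+):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "InstallerUrl":
            urls.append(value)
        elif not line.startswith((" ", "-")):
            fields[key] = value
    return fields, urls

def trusted_tokens(fields):
    """Lowercase name tokens (identifier parts, publisher) the installer domain is expected to carry."""
    tokens = {part.lower() for part in fields.get("PackageIdentifier", "").split(".")}
    tokens.add(fields.get("Publisher", "").lower())
    return {t for t in tokens if len(t) >= 3}

def host_matches(url, fields):
    """True if the URL is https and its domain is the PublisherUrl domain or carries a package token."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    if parsed.scheme != "https" or len(labels) < 2:  # https-only is a policy choice of this check
        return False
    pub_host = (urlparse(fields.get("PublisherUrl", "")).hostname or "").lower()
    if pub_host and (host == pub_host or host.endswith("." + pub_host)):
        return True
    # Compare only the registrable (second-level) label, so 'todoist.evil.example' does not pass.
    # Naive: does not account for multi-part public suffixes such as co.uk.
    return labels[-2] in trusted_tokens(fields)

def check_manifest(text):
    """Return the InstallerUrls that fail the heuristic; an empty list means the manifest passes."""
    fields, urls = parse_manifest(text)
    return [u for u in urls if not host_matches(u, fields)]
```

Running `check_manifest(SAMPLE_MANIFEST)` returns only the mirror URL, which is the kind of entry that would need a maintainer's explicit waiver rather than silent approval.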
-
We actually prefer for publishers to submit their own manifests, but we do allow the community to bootstrap and maintain them in the absence of the publisher. We've also developed wingetcreate to help with CI/CD scenarios.
-
I could add you to the Auth list for my approval pipeline. This would block users who aren't on the list at the last step in the process.