[Zip][Portable] New package: WindowsPostInstallWizard.UniversalSilentSwitchFinder version 1.5.0.0 #80300

Contributor

@Trenly Trenly commented Sep 21, 2022

  • Have you signed the Contributor License Agreement?
  • Have you checked that there aren't other open pull requests for the same manifest update/change?
  • Have you validated your manifest locally with winget validate --manifest <path>?
  • Have you tested your manifest locally with winget install --manifest <path>?
  • Does your manifest conform to the 1.2 schema?
Microsoft Reviewers: Open in CodeFlow

@wingetbot
Collaborator

/AzurePipelines run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@wingetbot wingetbot added the URL-Validation-Error Microsoft Defender SmartScreen triggered during automatic validation label Sep 21, 2022
@wingetbot
Collaborator

Url validation error

  • manifests\w\WPIWnet\UniversalSilentSwitchFinder\1.5.0.0
    • https://www.softpedia.com/publisher/wpiw-net-75672.html
      • Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    • https://www.softpedia.com/user/privacy.shtml
      • Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    • https://www.softpedia.com/get/System/Launchers-Shutdown-Tools/Universal-Silent-Switch-Finder.shtml
      • Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    • https://www.softpedia.com/user/licensing_free.php
      • Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

@ghost

ghost commented Sep 21, 2022

Hello @Trenly,

The package manager bot determined there was an issue with some of the URLs included in the manifest file. Please check the pull request for more details and make sure the urls are correct.

Template: msftbot/validationError/urls/smartScreen

@ghost ghost added the Needs-Author-Feedback This needs a response from the author. label Sep 21, 2022
@wingetbot
Collaborator

/AzurePipelines run

@ghost ghost removed URL-Validation-Error Microsoft Defender SmartScreen triggered during automatic validation Needs-Author-Feedback This needs a response from the author. labels Sep 21, 2022
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Contributor

@vedantmgoyal9 vedantmgoyal9 left a comment

@ghost ghost added the Needs-Author-Feedback This needs a response from the author. label Sep 21, 2022
@ghost ghost assigned Trenly Sep 21, 2022
@ghost

ghost commented Sep 21, 2022

Hello @Trenly,

The package manager bot determined changes have been requested to your PR.

Template: msftbot/changesRequested

@Trenly
Contributor Author

Trenly commented Sep 21, 2022

#31163 (reply in thread)

@jedieaston

Isn’t that the entire purpose of the pipeline and the malware scans though, is to catch when potentially malicious software links are used?

USSF has been around since 2011, and I know that myself and others who use winget are familiar enough with the package to know that it is safe. And, if it ever were to be compromised, that is why there are hash validations.

@ghost ghost added Needs-Attention This work item needs to be reviewed by a member of the core team. and removed Needs-Author-Feedback This needs a response from the author. labels Sep 21, 2022
@vedantmgoyal9
Contributor

USSF is great, but SoftPedia isn't trustable.

@Trenly
Contributor Author

Trenly commented Sep 21, 2022

> USSF is great, but SoftPedia isn't trustable.

I’m not saying that SoftPedia is trustable as a whole. I'm saying that in certain cases where we know the package is safe, there are checks in place that would prevent bad updates. In fact, no publisher website is truly "trustable", not even Microsoft's. All websites are vulnerable to compromise. Certainly SoftPedia being open to all increases the chances of the site hosting malware, but that doesn’t mean all packages are malware.

We know USSF is safe, and if the hash were ever to change then it would be blocked from installing without using the force parameter.

@wingetbot wingetbot added Azure-Pipeline-Passed Validation pipeline passed. There may still be manual validation requirements. Validation-Domain labels Sep 21, 2022
@ghost ghost assigned JohnMcPMS and yao-msft Sep 21, 2022
@ghost

ghost commented Sep 21, 2022

Hello @Trenly,

One or more of the installer URLs doesn't appear valid.

This may happen for sites with policies prohibiting distribution or use by third parties.

This may happen for URLs pointing to domains that do not align with the publisher domain or package domain. If you could provide supporting evidence from the publisher that the URLs for the installer are correct, that would help us to validate and approve this PR.

Template: msftbot/validationError/urls/domain
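
The two checks argued over in this thread, as an added example that is not winget's or the validation pipeline's own code: a pinned SHA-256 detects a later change to the file, while comparing the installer URL's domain with the publisher's domain is a separate signal about where the file comes from. The manifest values, hosts, archive bytes and the two-label domain comparison are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def site(url):
    """Last two DNS labels of the host (simplification: no Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def review(manifest, downloaded):
    """Return the findings for one installer entry and the bytes fetched from it."""
    findings = []
    if urlsplit(manifest["InstallerUrl"]).scheme != "https":
        findings.append("installer-url-not-https")
    # Provenance signal: is the file served from the publisher's own domain?
    if site(manifest["InstallerUrl"]) != site(manifest["PublisherUrl"]):
        findings.append("installer-domain-differs-from-publisher")
    # Integrity signal: do the bytes still match what was pinned at review time?
    actual = hashlib.sha256(downloaded).hexdigest()
    if actual != manifest["InstallerSha256"].lower():
        findings.append("hash-mismatch")
    return findings


# Constructed sample data: hosts, identifier and archive bytes are made up.
ORIGINAL = b"PK\x03\x04 constructed stand-in for the archive at submission time"
TAMPERED = ORIGINAL + b" (changed after the manifest was merged)"

THIRD_PARTY = {
    "PackageIdentifier": "Example.Tool",
    "PublisherUrl": "https://www.publisher.example/",
    "InstallerUrl": "https://mirror.downloads.example.net/tool.zip",
    "InstallerSha256": hashlib.sha256(ORIGINAL).hexdigest().upper(),
}
FIRST_PARTY = dict(THIRD_PARTY, InstallerUrl="https://cdn.publisher.example/tool.zip")

if __name__ == "__main__":
    for name, m in (("third-party", THIRD_PARTY), ("first-party", FIRST_PARTY)):
        for label, data in (("original", ORIGINAL), ("tampered", TAMPERED)):
            print(name, label, review(m, data))
```

In this sample the pinned hash flags the changed bytes on either host, but it cannot say whether the bytes pinned at submission were safe; the domain finding is the only result that differs between the two hosts.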

@ghost ghost added Needs-Author-Feedback This needs a response from the author. and removed Needs-Attention This work item needs to be reviewed by a member of the core team. labels Sep 21, 2022
ItzLevvie previously approved these changes Sep 21, 2022
@ghost ghost added the Moderator-Approved One of the Moderators has reviewed and approved this PR label Sep 21, 2022
@JohnMcPMS
Member

I can say that the publisher of that on Softpedia, wpiw.net, is blocked by MSIT as a malware site. Doesn't make me feel a warm and fuzzy inside.

Calling for an adult. @denelon !

@ghost ghost removed Error-Hash-Mismatch The InstallerSHA256 Hash specified in the manifest doesn't match with the InstallerURL hash Needs-Attention This work item needs to be reviewed by a member of the core team. Moderator-Approved One of the Moderators has reviewed and approved this PR labels Sep 23, 2022
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@Trenly Trenly changed the title New package: WPIWnet.UniversalSilentSwitchFinder version 1.5.0.0 New package: WindowsPostInstallWizard.UniversalSilentSwitchFinder version 1.5.0.0 Sep 23, 2022
@Trenly Trenly changed the title New package: WindowsPostInstallWizard.UniversalSilentSwitchFinder version 1.5.0.0 [Zip][Portable] New package: WindowsPostInstallWizard.UniversalSilentSwitchFinder version 1.5.0.0 Sep 23, 2022
@Trenly Trenly marked this pull request as draft September 23, 2022 12:49
@Trenly
Contributor Author

Trenly commented Sep 23, 2022

@denelon - Blocking Issue on .zip please

@wingetbot wingetbot added the Manifest-Validation-Error Manifest validation failed label Sep 23, 2022
@ghost

ghost commented Sep 23, 2022

Hello @Trenly,

The package manager bot determined that the metadata was not compliant.

Please verify the manifest file is compliant with the package manager 1.2 manifest specification.
Make sure the ID is of the form publisher.appname and that the folder structure is manifests\partition\publisher\appname\version.
Note: The path and "PackageIdentifier" are case sensitive.
Be sure to use a tool like VSCode to make sure the manifest YAML syntax is correct.

You could also try our Windows Package Manager Manifest Creator or the YamlCreate script.

For details on the specific error, see the details link below in the build pipeline.

Template: msftbot/validationError/manifest/metadata

@ghost ghost added the Needs-Author-Feedback This needs a response from the author. label Sep 23, 2022
@denelon denelon added the .zip label Sep 23, 2022
@ghost

ghost commented Sep 23, 2022

Hello @Trenly,

This package appears to reference a compressed .zip archive rather than an installer.

This PR is blocked until support for .zip is implemented in:

Template: msftbot/blockingIssue/zipInstaller

@ghost ghost added the Blocking-Issue Manifest validation is blocked by a known issue. label Sep 23, 2022
@ghost ghost added the Moderator-Approved One of the Moderators has reviewed and approved this PR label Sep 23, 2022
@ryfu-msft
Contributor

This package will be used as a test example for the portables in zip feature. This manifest will be checked in manually as zip manifests are not yet supported in validation. This also means that the latest stable 1.3 client will not be able to install this package as .zip is not yet supported in that version.

@ryfu-msft ryfu-msft marked this pull request as ready for review September 29, 2022 17:00
@ryfu-msft ryfu-msft added Validation-Completed Validation passed and removed Manifest-Validation-Error Manifest validation failed Blocking-Issue Manifest validation is blocked by a known issue. Needs-Author-Feedback This needs a response from the author. labels Sep 29, 2022
@ghost

ghost commented Sep 29, 2022

Hello @ryfu-msft!

Because this pull request has the Validation-Completed label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost

ghost commented Sep 29, 2022

Hello Trenly,
Validation has completed.

Template: msftbot/validationCompleted

@ghost ghost merged commit 811f993 into microsoft:master Sep 29, 2022
@wingetbot
Collaborator

Publish pipeline succeeded for this Pull Request. Once you refresh your index, this change should be present.

@Trenly Trenly deleted the WPIWnet.UniversalSilentSwitchFinder-1.5.0.0-F36DF37B8922BA branch September 29, 2022 17:25
This pull request was closed.
Labels
Moderator-Approved One of the Moderators has reviewed and approved this PR Publish-Pipeline-Succeeded Validation-Completed Validation passed
8 participants