Windows 10's package manager flooded with duplicate, malformed apps

Last week, Microsoft released the first stable version of its Windows 10 package manager, Winget, which enables users to manage apps via command-line.

Much like package managers available on other platforms, Winget lets Windows users automate app management when it comes to installing, configuring, upgrading, and uninstalling applications.

But, over the weekend, multiple users flooded Winget's software registry with pull requests for apps that are either duplicate or malformed, thereby raising concerns about the integrity of the Winget ecosystem.

Winget's repo flooded with duplicate apps, malformed manifests

Microsoft had first introduced the preview version of its Windows 10 package manager at Microsoft Build 2020. Since then, Microsoft developed Winget as an open-source project on GitHub.

Last week marked a milestone when the first stable version of Winget was released.

Microsoft's guidelines state that independent software vendors (ISVs) looking to upload their application to the Winget registry, can do so by submitting the application's manifest on their GitHub.

Furthermore, when contributors submit a manifest to Winget's GitHub, with some exceptions, the manifests are automatically validated by Winget's bot against set criteria.

But, over this Memorial Day weekend, multiple pull requests emerged on Winget's GitHub containing names of apps that had already existed in the package manager's registry.

Moreover, some pull requests contained incorrect application names in the manifests or "bad" links from where the application should get fetched.

And, in few other cases, new pull requests would overwrite existing applications' manifests, with incomplete info.

The user KaranKad originally raised this issue over the weekend, after gathering over five dozen such examples of invalid pull requests being made to Winget's repo.

"People are submitting bad or duplicate manifests without checking if the app already exists or not in this repository."

"Create a group of active contributors who know what they are doing, with [the] ability to close a PR so they can prevent bad or duplicate PRs from getting in," suggested the user. 

Out of the many examples posted, BleepingComputer noticed how this was especially true for an app named after "PrimoPDF":

Incorrect Winget PackageIdentifier and InstallerUrl submitted for NitroPDF application (GitHub)

The manifest files for the NitroPDF's PrimoPDF app reportedly contains malformed PackageIdentifier ("NitroPDFIncNitroPDFPtyLtd.PrimoPDF") and download URL.

In other cases, BleepingComputer observed, manifests of legitimate applications like VideoLAN's VLC player and Valve's Steam app had been overwritten by contributors, but with incomplete info:

Manifest of VideoLAN's VLC player overwritten with incomplete info (GitHub)

BleepingComputer has recently reported on open-source ecosystems like PyPI getting flooded with garbage spam components.

In more serious cases, counterfeit components have been caught getting uploaded to the npm and RubyGems repositories.

Left unchecked, these malformed, incomplete, or outright malicious packages can pave a way for anything from simple application errors to a successful supply-chain attack.

Although these Winget pull requests, which introduced incomplete information in the applications' manifests, were shortly reverted [1, 2], what is being done to prevent such instances in the future?

Developers propose multiple solutions

Following this ongoing incident, multiple developers have suggested workarounds or practices Winget can adopt to ensure the integrity of its packages.

"I really really think that any new PackageIdentifer should have to be checked by someone on the Winget team (or if they want to start a recognized contributor system I'd throw my hat in the ring),"  suggested Easton Pillay, a developer and Winget contributor.

Pillay also believes that fully automating the addition of new Winget packages will introduce tons of duplicates.

In the same thread, the developer also proposed that newly created Winget manifests should require a manual review:

"I know we are trying not to waste the moderator's time, but since [the contributors] are committing known bad metadata by default..., the bot doesn't realize it and then someone who knows that the bug exists has to go back and fix all of the errors (or live with the metadata being wrong, which is a tragedy ;D)," said Pillay.

Microsoft's Demitrius Nelon, a key person behind Winget's development has acknowledged the issue and that he plans to bring it up with the team.

Nelon has also proposed a potential solution:

"One of the options could be requiring a 'second' approver on a 'new' manifest in a 'new' directory."

"The bot has a concept that might work for that scenario. I just don't want to put too much friction and time delay for people submitting manifests, nor too much pressure on 'moderators'."

"We've got a feature on the backlog to detect duplicates. It's more of a warning than a blocking action. We have some expected 'valid' rename scenarios," explained Nelon.

BleepingComputer has reached out to Microsoft for comment prior to publishing and we are awaiting their response.