Is WingetUI trustworthy?

I found this open source app to install apps on PC and keep the installed apps up-to-date, but how can I trust it? How can I be sure it is not malware/spyware/honeypot, etc.?

Github link:

1 Like

This is a toxic response and a form of gatekeeping. This is on par with RTFM and other statements used to berate those with lesser understanding. Outsiders must be welcomed and embraced by the privacy and security community. Most people aren’t developers, so telling them to inspect the code will do more harm than good, likely turning them indifferent to the cause. This is a community that should be willing to help and teach others, not belittle them.

2 Likes

I skimmed over the repository for you. I don’t have any Windows experience, so take what I say with caution. On the surface, the project seems okay. They have a healthy number of stars, forks, and contributors and seem to receive a lot of community support. That’s not to say there can’t be anything malicious hidden in it, but these are all good signs of a trustworthy project. If you’re extremely concerned about it, I would try and get some opinions on the project from someone who’s more familiar with it, but other than that, I think it wouldn’t be unreasonable to trust them.

2 Likes

I don’t see how telling someone to research/inspect the project could possibly be a form of “gatekeeping”. Also, how am I supposed to know whether or not the concerned person has a “lesser understanding”? I can’t go around assuming everyone’s technical knowledge.

Anyways I apologise for any hurtful comments I might have passed in the thread.

I think there’s nothing wrong with suggesting more research about a project, but that’s not what you said. Inspecting the code is very different from inspecting and researching the project. Only suggesting reviewing the code and nothing else makes it seem like privacy and security are only for developers. There are plenty of other options, and as this thread on self-auditing FOSS projects shows, inspecting the code isn’t necessary for most people.

Again, there’s nothing wrong with recommending code inspection, but something tells me that the people who have the skills needed to effectively do that are already aware of that option and are just trying to fast-track the work. I know the man pages, logs, and wiki can fix any issues I have on my Linux machine, but if I can save hours of work by checking the forum, you bet I’m going to that first.

1 Like

The importance of synonyms never caught up with me until now. Anyways, I have deleted the original post to avoid any further toxic discussion on the aforementioned matter.

1 Like

Cool project, and cheers for bringing it to my attention. I’ve tried a few GUIs for Windows package managers, but never found one that worked well. I thought I’d take the bullet, and give this a try on a VM. It would be nice to point people in the direction of something like this, so I hope it works out. I’m writing this as I go:

Downloading it from Github was easy, and all the files were inside the installer. The installer did not need admin privileges, but it will ask you to download Visual Studio stuff, which will require admin rights. I don’t have a big problem with this, if you’re already using Windows. Note that you can also install Scoop with the installer, but I never did this. After the install, it sets itself to autolaunch upon login. This can easily be disabled.

The GUI just seems to be a frontend to Winget. It simply loads the Winget repo when it’s launched, and displays all the packages. It would take a while to get through them all, so just use the Search function. Search does not use a 3rd party; you’re just using Winget. I would note, though, that the software does ping marticliment.com and versions.marticliment.com. Both of those connections can be blocked, and you’d have no issues. I assume it’s just for version checking.

Now, I could not use the software to install packages. I could download them, but I could not install them. I got error code “0x80070422”. This is a locked down Windows 11, without MS Store (and a bunch of MS apps/services are disabled/removed), so I expect that to be the reason. As these packages seem to be coming from official distributors, I don’t see much of an issue on that end. For example, VLC was downloaded from “download.videolan.org”, and LibreOffice was downloaded from “downloadarchive.documentfoundation.org”.

Unless someone here can give a decent reason why, I think I’ll still recommend this software to folks.

2 Likes