Linked by Thom Holwerda on Mon 15th Dec 2008 15:10 UTC
Editorial states: "Microsoft (or a really smart ISV) should build a full application manager for Windows, similar to what most Linux distributions do today." Most Windows applications come with their own distinctive updating mechanism (much like Mac OS X), instead of having a centralised updating location like most Linux distributions offer. While it certainly wouldn't be harmful for Windows to gain such a feature - the question remains: isn't it time we rethink program installation and management altogether?
Permalink for comment 340430
To read all comments associated with this story, please click here.
RE[3]: Package Manager Freeware
by lemur2 on Tue 16th Dec 2008 04:45 UTC in reply to "RE[2]: Package Manager Freeware"
Member since:

Hi lemur2, You're perfectly right about your comment! The software links aren't check for authenticity and therefore, we can't be sure about security. This software need to be improved in a lot of different aspects but I think it is a good start. Do you have a practical proposition about a new security feature? I don't think traditional software signing is appropriate in this case because we download the software directly from the developer webpage. Maybe website authenticity checking along with showing the location of the download to the user in order to gain trust? If so, please post in in the Issue Tracker here Thanks!

AFAIK, Linux package managers get around this issue by including GPG keys for the repositories in the distribution install CD. If you installed a compromised install CD then you are compromised before you start anyway, but if you install a good CD then this allows packages in the repositories to be signed and for the package managers at the recipient end to check the packages on receipt. This is a pretty good system that, AFAIK, has never had a breach. AFAIK there has never been malware installed on a user's system coming from a repository via a signed package.

Having said that, Linux package managers have no such checking means available in the scenario where a user downloads (from a getdeb type of website) an application package (.deb or .rpm) and then uses the package manager to install that. The best that can be done here is to warn the user: "This package is not signed, do you trust the source of this package?" type of warning.

As far as I can see, every single application on Windows is in the latter category rather than the former. This would mean that every package would generate a similar warning every time the users tried to download and install anything. In that situation, the warning would quickly lose all meaning, and become worthless.

I don't see this as a failing of the AppSnap application (an attempt at a package manager for Windows), but rather as a fundamental shortcoming of Windows itself. I don't see any way that the project can circumvent this shortcoming, sorry.

Edited 2008-12-16 04:49 UTC

Reply Parent Score: 5