WinGet Integration #1392
Comments
|
I'd also like to understand if there is a way to better handle how package information is pulled from WinGet, as several winget packages are listed as |
There is https://repology.org/tools/project-by which does exactly that - maps package names to repology projects. You could've asked to add vulnerable flag to the API. Webpage scraping is not tolerated, also the client must set distinctive user-agent and maintain rate limit or 1RPS (see API TOS). If it would do a lot of requests it may be better to set up a bulk export instead.
Project roughly corresponds to upstream project (Firefox). Package is a single package of it in some repository (Mozilla Firefox 124.0.1 in winget).
Repology is targeted at F/OSS and cross-platform software ecosystem. Projects present in windows and macos repositories only are hidden from the search, though otherwise tracked. |
There should be no problem with legacy versions - as long as a newer version is available, older versions would be marked as legacy instead of outdated. There are some exceptions to this logic though, it would make sense to look at specific examples. |
I've closed the PR; Where should I make the request to add to the API? |
It's still not clear to me whether you need an API change adding vulnerable flag (but it makes sense to add it regardless) or a bulk export. How many requests would a tool generate and in which periods? |
My thoughts are that the tool would request the specific projects that are listed as vulnerable at winget, along with the specific versions that are vulnerable. Looking at the documentation, this could probably be a single call to the One to two calls daily or potentially even less frequently would likely be enough for some basic tooling to be built on Winget's side |
|
Well yes, this looks like it could be done with a single API request. It's rather heavy as it returns a lot of packages, but I guess it's ok if it's not too frequent. I've added vulnerable flag to API projects output. You can use |
One of our community members has started digging into the Repology tooling. Before we add a tool to help us with mappings between WinGet package identifiers and repology "projects" and "packages" I wanted to reach out to see if there is a better way we should reason about this kind of mapping.
I've read a few of the older Issues with "WinGet" mentioned here, and wanted to get a better understanding of how we could help improve each other's projects. I'm a huge fan of the work to pull this project together. We recently added the Repology badge to the main README.md over at winget-pkgs.
There have been several interesting discussions about how we might handle WinGet manifests for versions of packages with potential vulnerabilities.
I'd also like to better understand the logical distinction made here between projects and packages. I saw a comment about avoiding "windows-only" projects. I'm not trying to push any kind of an agenda. I'm just seeking to understand.
The text was updated successfully, but these errors were encountered: