undefined | Better HN

0 pointsb10101011y ago0 comments

Why are the packages from chocolatey trusted?

I am not familiar with chocolatey but the powershell script on https://chocolatey.org/packages/filezilla (click show files) contains the following

  $url = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
  $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

So its still fetching executables from sourceforge using plain http with no checksums or signatures in sight. On the assumption that executable does include the sourceforge malware, The silent install argument ("/S") passed to the executable by chocolatey seems to be the only reason its not installed along with filezilla.

Is there any reason to believe ninite does anything different?

0 comments

1 comments · 1 top-level

swies11y ago

We should play this up more on our site, but Ninite (I'm a co-founder and we're YC W08) does this stuff right.

All our .exes are signed, app config information comes over https, and downloads are all checked for hashes that match our testing before being automated. We're not just naively adding silent switches either, we'll automate clicks to get through less well-behaved installers when needed.

Why can you trust Ninite? Money. Thousands of businesses pay us for Ninite Pro and the free version is our marketing department. We're extremely careful to make sure our updates come out on time and junk free.

j / k navigate · click thread line to collapse