maartenba / ChocolateyPackages

Packages I maintain on Chocolatey.org

[TreeSize Free] Needs checksum #18

Closed Redsandro closed 7 years ago

Redsandro commented 7 years ago

The installation of this package is not unattended because user needs to approve installation of an unverified package.

Scripted and automated downloads over chocolatey aren't possible.

Could you add checksums to this package?

This package downloads over HTTPS but does not yet have package checksums to verify the package. We recommend asking the maintainer to add cheksums to this package.
The install of treesizefree was NOT successful.

Moved from https://github.com/chocolatey/chocolatey-coreteampackages/issues/576

maartenba commented 7 years ago

@gep13 what needs to be done here? (also TreeSizeFree is owned by the author of it I think)

gep13 commented 7 years ago

@maartenba if you look at the current installation script for this package:

```powershell
# Honour a user-supplied /lang= package parameter; otherwise default to English.
if ($env:chocolateyPackageParameters -match '/lang=') {$param=$env:chocolateyPackageParameters} Else {$param="/LANG=EN"+" "+$env:chocolateyPackageParameters}
# Downloads over plain http and passes no checksum, so Chocolatey cannot verify the binary.
Install-ChocolateyPackage 'treesizefree' 'exe' "$param /verysilent" 'http://www.jam-software.de/treesize_free/TreeSizeFreeSetup.exe'
```

You will see that it is downloading from a bare http url, i.e. not https. Out of the box, chocolatey no longer allows that, unless there are checksums in place for the downloaded binaries, so that chocolatey can verify what it is downloading, is what the package maintainer is expecting it to be.

If you look at current packages in the core team repo:

https://github.com/chocolatey/chocolatey-coreteampackages/blob/master/automatic/calibre/tools/chocolateyInstall.ps1

You will see that the expected checksums are passed in as parameters to the install command, and chocolatey will verify that they match what is downloaded.

Does that make sense?

It is all part of the bigger plan to ensure security of the applications that are being installed.
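As an added illustration (not gep13's script, and not the package's actual install script), here is the shape of a chocolateyInstall.ps1 that passes the expected checksum so Chocolatey verifies the download before running it; the URL and /lang handling are taken from the thread, and the hash value is a placeholder the maintainer replaces with the SHA-256 of a copy they verified themselves:

```powershell
$ErrorActionPreference = 'Stop'

# Keep the original /lang handling: honour a user-supplied /lang=, default to English.
if ($env:chocolateyPackageParameters -match '/lang=') {
    $param = $env:chocolateyPackageParameters
} else {
    $param = "/LANG=EN " + $env:chocolateyPackageParameters
}

$packageArgs = @{
    packageName  = 'treesizefree'
    fileType     = 'exe'
    silentArgs   = "$param /verysilent"
    # Same download location as the thread's script; still plain http, which is
    # exactly why the checksum below is required for an unattended install.
    url          = 'http://www.jam-software.de/treesize_free/TreeSizeFreeSetup.exe'
    # PLACEHOLDER (assumed value, not from the page): the SHA-256 the maintainer
    # computed from a verified copy, e.g.
    #   Get-FileHash -Algorithm SHA256 .\TreeSizeFreeSetup.exe
    checksum     = '<SHA256_OF_VERIFIED_TreeSizeFreeSetup.exe>'
    checksumType = 'sha256'
}

# Chocolatey downloads the file, hashes it and aborts the install if the hash
# does not match what the package declares, so a swapped or tampered binary never runs.
Install-ChocolateyPackage @packageArgs
```

The value only means something if it is computed from a copy the maintainer obtained and verified out of band; a hash copied from the same untrusted download it is meant to check verifies nothing.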

maartenba commented 7 years ago

The thing is, the package is actually no longer hosted in here... https://chocolatey.org/profiles/JamSoftware maintains it now, but no idea where the source lives.

gep13 commented 7 years ago

In which case, @Redsandro I would suggest that we close this issue, and follow up with the other maintainer.

@maartenba would you like me to remove you as a maintainer of this package on chocolatey.org? If so, I think it might be a good idea to remove the source files of that package from this repo, to avoid confusion like this in the future.

maartenba commented 7 years ago

Yes please!

gep13 commented 7 years ago

@maartenba said... Yes please!

Done! It's annoying that you can't delete a folder through the GitHub UI. Noticed that you had to do three commits to delete everything.

Redsandro commented 7 years ago

Hmm.. I have to hunt down another repo and open a 3rd issue now? I feel like going to City Hall and asking for something. It also includes 3 redirects. Bureaucracy.

This is not your fault @maartenba and @gep13. I just couldn't resist speaking. The chocolatey gallery should find a way to make this easier. Compulsory public source available for packages or something, and url pushed with the package. But this is not the place. I will direct this annoyance to /dev/null. (And contact the real maintainer.)

maartenba commented 7 years ago

@Redsandro This is a legacy of "the old days" I think :-) Back then I published a lot of packages, and over time the actual owners of the software have (or have not) taken over package maintenance on Chocolatey. Completely get your point though (I would be annoyed, too). But I think following the redirects in these specific cases will lead to a better Chocolatey for everyone, so I am grateful for you logging this issue, @gep13 chasing the original owner, etc. In Chocolatey we trust!

Redsandro commented 7 years ago

@maartenba yes, I'm from legacy times too. :)

Chocolatey is the best thing that happened to Windows in years. I love it.

I was actively committing to the chocolatey source and running a package repo myself in 2013/2014, but the sheer time overhead of both getting others to do something and, more importantly, rejected PRs due to nirvana reasoning that would leave issues open for up to 18 months, kind of tested my blood pressure and made me decide to play a more minor role.

Getting things done in a democracy is hard when you only have a few hours to spare.

Instead I've been focusing more on my laptop repair business and the more dictatorship-style private project where I don't have this time overhead: WindowsRemix.

maartenba commented 7 years ago

Good choice! And as a fervent Chocolatey user and fan I much appreciate your efforts in the past :-) This kind of work is what makes things great! (Also thanks @gep13 for similar reasons :-))