|How do you deal with security, bandwidth and the future of this project?||Brad Gillap||3/23/12 11:23 PM|
I've been using Ketarin to wrap up packages and deploy on most of the machines I fix in the computer shop, and I like Ninite, but it's not for business use unless you pay for it. The packages have to download every single time with Ninite as well. Chocolatey looks very promising, but I have a few questions about the future of this project. Typically with Linux products you don't have to really worry about the security of your package sources from most places. How can Chocolatey maintain security when anyone with an account can upload packages? Do you eventually plan on adding a rating system of some kind, or maybe a small group of curators with some tools to automatically download all the packages every so often and scan them for issues, or do you plan on leaving that up to the user? Perhaps this is better done on the client side so that packages can automatically be checked with a ClamWin add-on.

Does Chocolatey redownload the latest package every single time, or does it do a compare against the package on the server to see if a new version is needed?

Finally, this is more of a PowerShell question, which I'm a little green in still. Currently I like to map a network drive to computers temporarily and execute Ketarin from my file server over the network using the net use command in batch. Will I still be able to do this? Will Chocolatey be able to just maintain the latest packages on my fileserver without downloading them all over again every single time I run my script?
|Re: [chocolatey] How do you deal with security, bandwidth and the future of this project?||FerventCoder||3/24/12 6:47 PM|
Security is a big future aspect of Chocolatey. At present I am the curator, and every day I get an email showing me all of the new packages that went in the day before. I look at all packages from new authors, and I typically look at the first version of most new packages from authors I have good contacts with.
I've talked at length with others about having a moderated feed, in the sense that every package and every new version would be approved prior to showing up on the main feed. I am paying attention to how Debian does things with multiple feeds, and there are thoughts to move in that direction as well.
I'm going to refer to the Chocolatey package as nupkg for the rest of this message. I'm going to refer to the native installer that Chocolatey also might download, if the nupkg specifies it, as the installer.
Several questions in your email:
1. Security? In the future we are looking at a small group of folks being an approving body for nupkgs. We also talked about showing the hash for the nupkg, and possibly letting folks specify a hash for the installers so Chocolatey can verify the things it downloads prior to execution.
2. Ratings system? We are planning to implement both a ratings system and a type of Ohloh "I use this" system so people can get a sense of popularity, not just in the sense of downloads, because with updates that number can get skewed a bit (Android Market, anyone?).
3. Redownload? Chocolatey currently downloads a nupkg one time per version per machine. There is a -force switch that will make it rerun the installation scripts for a nupkg. That means if there is an installer it downloads, it will currently redownload that installer. To make the parity of this better, in the future -force will redownload the nupkg as well. If you call cinst on a nupkg and there is not a newer version available, it will not do anything. If there is a new version available, it will download it. You can also use chocolatey update or cup with the nupkg name to let it check for and install updates for nupkgs. You can also do cup all for it to check all installed nupkgs for updates. In the spirit of apt, we have a feature called pinning coming in the future that will also allow you to suppress upgrades.
4. Chocolatey/latest packages? Chocolatey puts nupkgs in a particular folder on the computer. The installers currently go to a subfolder of your temporary folder. Those get cleaned up when you want. Right now it is not configurable. We are going to be implementing a configuration at some point as well. This would make a good configuration point.
Hopefully that helps. Chocolatey was started about a year ago, and it's grown quite a bit over that year. Over that time it has received a lot of support. It integrates with both Ruby gems and WebPI (Web Platform Installer). Chocolatey packages were split off from nuget.org and over to their own gallery. You can store your nupkgs in a custom feed and call cinst all -source somecustomfeed! It found its way into a book (Pro NuGet)! Chocolatey is definitely a tool/platform with a defined future, if you are worried about it going away.
By the way, Ketarin (http://ketarin.org/) looks pretty cool. It might be something we could integrate with as an option in the future if you want your package store to stay local.
"Be passionate in all you do"
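The two mechanisms FerventCoder describes as future work, verifying an installer's hash before it is executed (point 1) and not refetching a file that is already on hand (point 3, and Brad's file-server question), can be sketched in PowerShell. This is an added example written for this thread, not Chocolatey's own code: the URL, the expected hash and the cache directory are placeholders, and it relies on Get-FileHash, which needs PowerShell 4 or later.

```powershell
# Added example, not Chocolatey's code: keep installers in a local cache and
# only run one whose SHA256 matches the hash published with the package.
# A cached copy is reused when its hash still matches, so reruns of the
# script do not download again; a mismatch discards the file and refetches it.

function Get-VerifiedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Url,            # installer location named by the nupkg (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedSha256, # hash the package author published (placeholder)
        [string] $CacheDir = 'C:\ChocoCache\installers'  # local store; could also be a mapped file-server share
    )

    $expected = $ExpectedSha256.ToUpperInvariant()       # Get-FileHash returns upper-case hex
    if (-not (Test-Path $CacheDir)) {
        New-Item -ItemType Directory -Path $CacheDir | Out-Null
    }
    $target = Join-Path $CacheDir ([System.IO.Path]::GetFileName($Url))

    # Reuse the cached copy only if it still matches the expected hash.
    if (Test-Path $target) {
        $actual = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        if ($actual -eq $expected) {
            Write-Verbose "Cached copy ${target} verified; skipping download."
            return $target
        }
        Write-Warning "Cached copy ${target} does not match expected hash; discarding it."
        Remove-Item $target -Force
    }

    # Fetch, then verify before handing the path back to anything that would run it.
    Invoke-WebRequest -Uri $Url -OutFile $target -UseBasicParsing
    $actual = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        Remove-Item $target -Force
        throw "Hash mismatch for ${Url}: expected ${expected}, got ${actual}. Installer not run."
    }
    return $target
}

# Usage with placeholder values (the hash would come from the package metadata):
# $exe = Get-VerifiedInstaller -Url 'https://example.invalid/tool-setup.exe' `
#                              -ExpectedSha256 '<sha256 published with the nupkg>'
# Start-Process -FilePath $exe -ArgumentList '/S' -Wait
```

The function returns the path only after the hash check passes, so the caller never starts an installer that failed verification; pointing $CacheDir at a mapped share is what keeps the packages on the file server between runs.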
|Re: [chocolatey] How do you deal with security, bandwidth and the future of this project?||FerventCoder||4/1/12 1:00 PM|
Brad, I released Ketarin as its own package. Thanks for showing me this. I am thinking it will ultimately replace how I learn of new package updates, versus changedetection.com. http://chocolatey.org/packages/ketarin