Choco: Annoying confirmation for scripts

Created on 19 Mar 2015 · 28 comments · Source: chocolatey/choco

The new version introduces the need for confirmation for scripts. While I understand the point, I find it very annoying.

Installing a choco package, by definition, will run some scripts. So in general, I don't really see the point of asking the user once again (are you sure to be sure?). Unless you assume users would slip on their keyboard and by mistake type cinst and would not expect to install it.

Moreover, as of now, the request to the user just asks if the script should run or not but the user does not actually see the script. So there is not really a way to make a reasonable decision.

Is there a way to turn that off without having to provide the -y every time?

It would be nice to be able to define a default per repo. For instance, using my local repo would imply -y by default while using a public repo would require the -y.

I think some packages in the chocolatey repo are also 'verified/certified'. It would be nice to have a way to not have to provide -y for those.

Duplicate Issue

Most helpful comment

chocolatey feature enable -n allowGlobalConfirmation will set it for you.

It's documented

All 28 comments

@chevdor have a look in the chocolatey.config file, in there you will find an allowGlobalConfirmation which is by default false, but you can set this to true, which will always answer yes.

I'm pretty sure this has already been brought up as an issue.

Moreover, as of now, the request to the user just asks if the script should run or not but the user does not actually see the script. So there is not really a way to make a reasonable decision.

I'm confused - we have other folks who are commenting that they don't like seeing the script. Help me understand what you are not seeing? Can you send some logs?

It would be nice to be able to define a default per repo. For instance, using my local repo would imply -y by default while using a public repo would require the -y.

This is interesting, would you mind creating a separate ticket for it? I am not sure exactly how we'd do it yet, but still quite interesting.

@gep13 yes indeed, thanks for the pointer.

For the documentation:

C:\ProgramData\chocolatey\config\chocolatey.config

We can find the following by default:

<feature name="allowGlobalConfirmation" enabled="false" setExplicitly="false" />

Changing into:

<feature name="allowGlobalConfirmation" enabled="true" setExplicitly="true" />

prevents the confirmation messages.
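The edit chevdor documents above can be audited and applied from PowerShell. The following script is an added example, not code from this thread or from the Chocolatey project: it reads chocolatey.config, reports the current state of the allowGlobalConfirmation feature (useful when checking which hosts run package scripts unprompted), and, only when asked, mirrors the hand edit shown above after taking a backup. The default path comes from the thread; the assumption that the feature element has no XML default namespace (so the XPath matches it), and the switch and function names (-Enable, -Disable, Get-ChocoGlobalConfirmation), are this example's own.

```powershell
<#
Added example (not from the issue thread or the Chocolatey project).
Audits and optionally sets the allowGlobalConfirmation feature in chocolatey.config.
Assumptions, labelled:
  - default path C:\ProgramData\chocolatey\config\chocolatey.config (as given in the thread);
  - the <feature> element has no XML default namespace, so the XPath below matches it;
  - -Enable / -Disable and Get-ChocoGlobalConfirmation are names chosen for this script.
On a live machine `choco feature enable -n allowGlobalConfirmation` is the supported route;
this script reproduces the file edit documented above, with a backup, for audit scenarios.
#>
param(
    [string]$ConfigPath = 'C:\ProgramData\chocolatey\config\chocolatey.config',
    [switch]$Enable,
    [switch]$Disable
)

function Get-ChocoGlobalConfirmation {
    param([xml]$Config)
    # XPath keeps the lookup independent of the elements wrapping <feature>.
    $node = $Config.SelectSingleNode("//feature[@name='allowGlobalConfirmation']")
    if ($null -eq $node) { return $null }
    [pscustomobject]@{
        Enabled       = [System.Convert]::ToBoolean($node.GetAttribute('enabled'))
        SetExplicitly = [System.Convert]::ToBoolean($node.GetAttribute('setExplicitly'))
        Node          = $node
    }
}

if ($Enable -and $Disable) { throw 'Specify only one of -Enable or -Disable.' }
if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config not found: $ConfigPath" }

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$state = Get-ChocoGlobalConfirmation -Config $config
if ($null -eq $state) { throw 'allowGlobalConfirmation feature element not found.' }

Write-Host ('allowGlobalConfirmation: enabled={0} setExplicitly={1}' -f $state.Enabled, $state.SetExplicitly)
if ($state.Enabled) {
    # Worth surfacing in an audit: every package script on this host runs without a prompt.
    Write-Warning 'Install prompts are suppressed globally; package scripts run unattended.'
}

if ($Enable -or $Disable) {
    $target = [bool]$Enable
    if ($state.Enabled -eq $target) {
        Write-Host 'No change needed.'
    } else {
        $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
        # Same edit as documented above: flip enabled and mark it setExplicitly="true".
        $state.Node.SetAttribute('enabled', $target.ToString().ToLower())
        $state.Node.SetAttribute('setExplicitly', 'true')
        $config.Save($ConfigPath)
        Write-Host "Updated $ConfigPath (backup at $backup)."
    }
}
```

Run it with no switches to report only; add -Enable or -Disable to change the setting. Writing to C:\ProgramData requires an elevated session, and the backup makes the change easy to revert if a host should not have prompts suppressed.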

Hi,

First, thanks for your answers. Don't get my comments wrong, I love chocolatey :smile:

@ferventcoder
Seeing the script:
My bad, the script IS visible indeed. My window was just a little too small and the script was actually displayed outside of the visible area. I find the displaying of the script annoying as well. Seeing it in a command choco info would be enough for me. This way, I can see the script if and only if I want to see it. Seeing the script is not secure at all as the script may call another one that is not visible anyway...

My take is that seeing the script and asking for confirmation should be an explicit option such as choco install <package> -safe.

The default should be a straightforward install, as in the previous version. A warning in case of suspicion (not certified package, etc...) would be totally fine though.

I find it annoying when I type cinst filezilla to get a message telling me:
1 - if you type 1, I will install (well... ok, that's why I issued this command in the first place)
2 - if you type 2, I will not install (hmmm, see above, if I did type this command, it means I expect to install)
3 - if you type 3, you should not have to (uh ??? then why do I have this option ??? If this is for debugging, it should be behind a debug flag)

Such annoyance usually ends up in users not reading anything and automatically typing 1, no matter what...

New feature:
See #179 for the new ticket.

chocolatey feature enable -n allowGlobalConfirmation will set it for you.

It's documented

Awesome.
Thank you guys!

On Thu, Mar 19, 2015, 21:53 Rob Reynolds wrote:

chocolatey feature enable -n allowGlobalConfirmation will set it for you.


It would be perfect if the command line to enable this feature would be featured inside the notification message, so we would not have to google it, or use the ugly notepad alternative ;)

@ssbarnea which:

notification email

are you referring to?

@gep13 corrected: notification message should clearly state the entire line.

Perhaps https://github.com/chocolatey/choco/commit/b11798e1907e4df80b2eb781ebf47205789fad6e#diff-b0a6c8ddd1003e9f4cfe4b4eea167fb0R220 should say
Note: To confirm automatically next time, Run choco feature enable -n allowGlobalConfirmation

both choco install -y and choco install -f are the same in my eyes as a new choco user; -f is less annoying, -y is basically choco install

@nwgat -f forces a reinstall. It would install a package although it is already installed (including execution of the installer). -y would tell you that nothing was done because the package is already installed.

This is how choco should work:
choco install should show the confirm dialog
choco install -y should NOT show the confirm dialog, this should be 100% automatic like apt-get install -y

@aronovgj I know

choco install should show the confirm dialog
choco install -y should NOT show the confirm dialog, this should be 100% automatic like apt-get install -y

And you are not seeing this work like this? Because this is 100% how it should work.

I was under the impression that https://chocolatey.org packages are vetted. Does this mean that they are not, and I must manually verify packages are not malicious upon each install and upgrade?

From a related thread on Google Groups:

This is how other package managers work (apt-get/yum), which we always want to look at the features they have and decide to emulate or differ. This is a feature we want to emulate.

This is not the same behaviour as apt-get or yum. After apt-get install <package> or yum install <package> they will note how the dependency tree was resolved and specify the total size of the packages to download. Then, they may ask permission to download and install.

There is no prompt after the download to have you review the install scripts. At least, not by default. The packages that you download are signed by trustworthy maintainers who vouch that the packages are ok.

What exactly gave you the impression that packages on chocolatey.org are not vetted (or moderated as we call it)? They are. The -y is only another security layer. If you don't trust the maintainer, the moderator and the auto-moderation which is being introduced currently - if you trust neither of them - you still have a chance to decide if you want to install it.

Then, they may ask permission to download and install.

So what you are saying is that they ask permission, yet somehow when we ask for permission prior to downloading and installing it is different?

That's good to hear. I was unclear on how well-reviewed the packages were. Chocolatey is a pretty sweet project, but you guys don't have the sort of resources that, say, Red Hat has.

So what you are saying is that they ask permission, yet somehow when we ask for permission it is different?

You ask permission for different things. For instance, apt-get will not bother to ask if there's no other packages in the dependency tree besides what you asked to install. It's not a security thing.

@cgmb I'm not quite sure - we ask permission to run a script. That script can download and then subsequently install something.

Self-contained packages however don't need any permission, but they also do not execute anything that would change the state of the underlying system. They just drop package files.

@cgmb our architecture is a bit different - most of our packages contain automation scripts that know how to go get software from the official distribution point and install it. When we stop and ask for confirmation, we are asking for permission to run the script, which could possibly download and install applications.

There is no prompt after the download to have you review the install scripts. At least, not by default. The packages that you download are signed by trustworthy maintainers who vouch that the packages are ok.

We are moving towards PGP signing of packages for security purposes. It wasn't built into the NuGet packaging framework that we selected for Chocolatey so we are adding it, probably the latter half of next year.

And you are correct, we don't have the resources that Red Hat does. :)

That's why we try to ruthlessly automate where we can. :)

+1 Please default allowGlobalConfirmation to true. Life is too short for prompt-based security.

@ferventcoder Could we just get the full text of the command in the message that says what setting to set? I have to look it up every time.

@jkodroff sure, file a new issue?

@ferventcoder #1053, per @nwgat's suggestion above.
