Graphviz is outdated due to upstream changes. It requires, as far as I can see, a full rewrite, which at the end should invoke dot -c in an admin console.
It now provides both x32 and x64 cmake builds:
FYI the Graphviz maintainers are currently trying to assess the delta in functionality between the 2.38 release and 2.44.1: https://forum.graphviz.org/t/windows-x86-x86-64-builds/305/6
@Smattr
Are you saying for someone to go ahead and work on fixing the update script? The forum thread doesn't make it clear.
I think there's no reason to hold off on updating the Chocolatey script if you have time to work on this. However, be aware there has been lots of turbulence in the Graphviz world between the 2.38 release and the 2.44.1 release. There are likely binaries that ship in the 2.38 release that are missing from the 2.44.1 release. Users who are upgrading may find this surprising.
If you post a PR for this and tag me in it, I can review the changes from a Graphviz perspective.
One other thing, we've had users reporting the 2.44.1 installer is detected by several AV programs. The general thinking is that this is a false positive, but we have limited ability to evaluate these results or influence them: https://gitlab.com/graphviz/graphviz/-/issues/1773.
@Smattr
I will work on updating the update script, but the install/zip files being flagged by VirusTotal is disturbing.
This might not cause an issue for FOSS users of Chocolatey, but paid users of Chocolatey could be denied update/install of the program.
Please keep us updated on issue #1773.
@RedBaron2 I agree, the amount of anti-virus scanners getting triggered on VirusTotal is disturbing.
And for the Chocolatey repository it is way too high (12/53 for the zip archive, and 22/70 for the executable) without a sufficient reason for the flagging (just saying false flags would not be a sufficient reason in this case).
Until there is sufficient reason, or the amount gets less than 10 (then it can be reasoned with false flags) this package should NOT get updated on chocolatey.org.
/cc @gep13 @pauby
Further to what @AdmiringWorm has mentioned, we are in the process of fully adding the package-scanner into the package moderation process. As such, any package with greater than 10 detections from VirusTotal will be pushed back to the maintainer to investigate. It will be possible to exempt a package that has greater than 10 detections, but this will be required on a per package version basis.
Sounds like a good idea. In the meantime, Magnus Jacobsson has done some painstaking work jumping through the hoops to get AV vendors to acknowledge and remove the Graphviz false positives. Some (or all) of the installers you may want to pull for Chocolatey should now be detection free: https://gitlab.com/graphviz/graphviz/-/issues/1773
> Magnus Jacobsson has done some painstaking work jumping through the hoops to get AV vendors to acknowledge and remove the Graphviz false positives
That is inspirational :) Awesome work guys.
Working on the new update script. This will include the development --pre build, for both builds, stable and development.
I will need to do the finishing touches later this week.
I know it is recommended to have packages be embedded, but to update this package is it absolutely necessary?
/cc @majkinetor @AdmiringWorm
Just looking to see if changing it to be downloaded is that bad.
> Just looking to see if changing it to be downloaded is that bad.
Yes, it's that bad. Why is embedding it a problem?
@RedBaron2 https://github.com/chocolatey-community/chocolatey-coreteampackages/blob/master/CONTRIBUTING.md#114-embed-a-package-if-allowed
Changing it to a non-embedded package is not acceptable when it can be embedded.
The (WIP) PR has been updated and is a good embedded package. It just needs to be tested.
Thanks to all for your help.
/cc @Smattr @majkinetor @AdmiringWorm