NanaZip VS winget-pkgs

https://github.com/M2Team/NanaZip

It includes the above patches as well as few QoL features.

There is also NanaZip which aims to be a more modern Windows application and I think also incorporates the additions of the 7zs fork https://github.com/M2Team/NanaZip

1: https://github.com/M2Team/NanaZip

If you have Windows 10 or above, you should instead use NanaZip instead of 7-Zip-zstd. It is a massively improved fork of 7-Zip.

The first part of modernizing is port everything to XAML, adding dark mode and others. It's expected to be during this year, new UI in 2024. It's in their roadmap in GitHub

Why can't I trust winget?

It's not hard to run the `show` command to see what a winget install will do. https://learn.microsoft.com/en-us/windows/package-manager/wi...

It's easy enough to view the manifests (eg, https://github.com/microsoft/winget-pkgs/blob/2ecf2187ea0bf1...) and arguably, is better then the protection for MITM that you would get using naked cURL & Bash, simply because there are file hashes for all of the installer files provided by a third party.

> They are saying curl is strictly better, not that it is impenetrable

Right. But it arguably is not strictly better.

> You can't trust winget

Again, this is not backed up by anything. I have trust in winget. I can trust that the manifest has at least been vetted by a human, and that the application that will be installed should be the one that I requested. I can not trust that this will happen with curl | bash. If the application that is installed is not the one that I requested, there is tooling a process to sort out why that did not happen, and a way to flag it so that it doesn't happen to other users. I don't have this with curl | bash.

7.0 is now available: https://github.com/microsoft/winget-pkgs/pull/147886

I researched this for a WinGet thing: https://github.com/microsoft/winget-pkgs/pull/110618

Ah, reminds me of that time I requested a .editorconfig file in a Microsoft repo: https://github.com/microsoft/winget-pkgs/issues/329

Take dropbox as an example. This is what the yaml manifest looks like for that if you install it through winget. It literally has a hardcoded link to an .exe installer hosted by dropbox and then just set the flags to silent. I am not spreading misinformation, you are.

It's not quite the same though, as there are different considerations when using a repository of things a unified group has decided should be included and built (or slightly modified existing) packages for and a repo where anyone can submit a package that will go through some level of vetting. In the end I still believe most this discussion is really about individuals and how much trust they apply towards different groups and sources and is not really about Linux or Windows in particular as much.

1: https://github.com/microsoft/winget-pkgs

I never used winget, but probably: - https://github.com/microsoft/winget-pkgs/issues/107858 - https://github.com/Genymobile/scrcpy/issues/4027

It's probably not on the Store, winget pulls from both the Store and a community collection of manifests on GitHub: https://github.com/microsoft/winget-pkgs

I think that's part of the problem, if you don't have that package manager to bootstrap your signature key ring, DNS is your next best bootstrap. It is, of course, a terrible bootstrap for trust, but it is one so many users on Windows have been relying on for such a long time.

For power users on any modern Windows 10/Windows 11 there is at least WinGet now. Its manifests repo is becoming a very interesting (open) source of truth for common Windows applications. Admittedly, it in most cases doesn't seem to be checking specific code signatures in most cases either, but at least includes SHA checksums.

For instance, 7zip's manifests: https://github.com/microsoft/winget-pkgs/tree/master/manifes...

It's too bad there's still not a great option for "average user that doesn't know/trust how to use a CLI", given how sadly polluted the Microsoft Store can be for many common, especially Open Source, applications. For direct instance, because winget kindly includes Microsoft Store results when searching, there is a "7zip 22" in the Microsoft Store that costs some amount of money (winget details say "PaidUnknownPrice" for the pricing information; I'm on a corporate machine right now with the actual Store access locked so can't search in the actual Store right now) and the Publisher is listed as RepackagerExpress.com. (That website currently doesn't go anywhere, giving it a spot check.)

Having seen this, I may boot up my personal machine and try to report this specific Store listing for violating the Store's Open Source policies, though I'm unsure if such whackamole is all that useful. (Seems like it might be a useful winget feature request for it to provide Store Report URLs.)