by ptx 120 days ago
Is that safe? Microsoft's policy [1] seems to say that anyone can publish an update to a package as long as it passes "an automated process" which checks that it's "not known to be malicious".

[1] https://learn.microsoft.com/en-us/windows/package-manager/pa...

2 comments

It’s not. And it gets worse. A WinGet package can suddenly be introduced for software you have already installed and then the next "update all" will install whatever. Could be something completely different!

WinGet is not only unreliable, it is but one step removed from Remote Code Execution as a Service. Well, maybe one-and-a-half, if package repo maintainers were to pay attention, but that’s not realistic.

It would have prevented both this 7zip attack and the recent notepad++ one.
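The exposure described in the comment above (a community manifest later matching software you installed by hand, so that `winget upgrade --all` swaps in whatever the manifest points at) can at least be reviewed and contained from the client side. The following PowerShell session is an added example, not code from the thread or from Microsoft; the package ids `7zip.7zip` and `Notepad++.Notepad++` are assumed for illustration, and the commands are the documented `winget` subcommands (`upgrade --include-unknown`, `show`, `pin add --blocking`, `pin list`).

```powershell
# Added example (not from the thread). Review what "winget upgrade --all" would
# touch, then block community-manifest upgrades for packages you did not install
# from winget in the first place.

# 1. List every installed program winget thinks it can upgrade, including ones whose
#    installed version it cannot read. Rows with Source = winget that you installed
#    from a vendor installer were matched to a community manifest by name/publisher;
#    those are exactly the entries "update all" would replace with the manifest's payload.
winget upgrade --include-unknown

# 2. Inspect the manifest winget would actually execute for one package before trusting it.
#    The output includes the Installer Url and Installer SHA256; check that the URL's host
#    is the vendor's and, if you have the vendor's published hash, that the SHA256 matches.
#    (7zip.7zip is an assumed id used here for illustration.)
winget show --id 7zip.7zip --source winget

# 3. Pin the packages you want left alone. A plain pin makes "winget upgrade --all" skip
#    the package; --blocking additionally refuses "winget upgrade --id <id>" until the pin
#    is removed, so a distracted "update" cannot pull the community manifest either.
winget pin add --id 7zip.7zip --blocking
winget pin add --id Notepad++.Notepad++ --blocking

# 4. Confirm the pins are in place and that a bulk upgrade now reports them as skipped.
winget pin list
winget upgrade --all
```

Pinning is a per-machine, per-user setting and says nothing about what the manifest contains; it only stops the client from acting on it. For the review step, compare the installer URL and hash against what the vendor publishes, since passing the repository's automated "not known to be malicious" check is the only bar the policy quoted in the first comment guarantees.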