New package: jdx.mise version 2024.12.6

[jdx]

Pull request has been created with komac v2.8.0 🚀

Microsoft Reviewers: Open in CodeFlow

Fixes jdx/mise#3425

[wingetbot]

   

[wingetbot]

/AzurePipelines run

[jdx]

@microsoft-github-policy-service agree

[jdx]

not sure why this is failing, it works locally:

winget install --manifest .\manifests\m\mise\jdx\2024.12.4 --ignore-local-archive-malware-scan

[jdx]

it seems to be failing in "installer validation" but I ran winget validate and it passed locally. Unless I'm blind I don't see any actual error coming from CI:

12/10/2024 5:32:18 AM

****************************************************************************************
Installation Verification
****************************************************************************************
Status: Started
============================================================================== 
Task         : Installation Validation
Description  : Invoke an Azure Function
Version      : 1.220.0
Author       : Microsoft Corporation
Help URL     : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/azure-function
============================================================================== 
POST ***?code=***&
Request body: {
  "operationId": "WinGetSvc-Validation-29-197444-20241210-1",
  "buildId": "34420",
  "planUrl": "[https://dev.azure.com/shine-oss/",](https://dev.azure.com/shine-oss/%22,)
  "hubName": "build",
  "projectId": "8b78618a-7973-49d8-9174-4360829d979b",
  "planId": "61c74b16-4f95-450b-a3b6-7233e899dbda",
  "jobId": "68997d86-8ece-5ae8-3ac5-ccdbfa458731",
  "timelineId": "61c74b16-4f95-450b-a3b6-7233e899dbda",
  "taskInstanceId": "b79910ce-dca5-5e27-ad7f-bd285eecb5a2",
  "authToken": ***
  "repository": "microsoft/winget-pkgs",
  "pipelineType": "ValidationPipeline",
  "pullRequestNumber": "197444"
}
				Response Code: OK
				Response: 

12/10/2024 5:36:16 AM

****************************************************************************************
Installation Verification
****************************************************************************************
Status: Completed
Result: Result: Failed

[o-l-a-v]

When testing the manifest locally like so:

# Path
$ManifestDirPath = [System.IO.Path]::Combine(
    ([System.IO.Directory]::GetParent($psEditor.GetEditorContext().CurrentFile.Path).'FullName'),
    'Mise v2024.12.4'
)

# Try validating
winget validate --manifest $ManifestDirPath

# [admin] Enable required settings
gsudo {
    winget settings --enable LocalArchiveMalwareScanOverride
    winget settings --enable LocalManifestFiles
}

# Try installing
winget install --manifest $ManifestDirPath --installer-type portable --verbose

# Uninstall
winget uninstall --manifest $ManifestDirPath --purge

# [admin] Disable settings that was enabled
gsudo {
    winget settings --disable LocalArchiveMalwareScanOverride
    winget settings --disable LocalManifestFiles
}

On following command I get an error saying malware was detected:

PS > winget install --manifest $ManifestDirPath --installer-type portable --verbose

Found mise [mise.jdx] Version 2024.12.4
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
Downloading https://github.com/jdx/mise/releases/download/v2024.12.4/mise-v2024.12.4-windows-x64.zip
  ██████████████████████████████  9.60 MB / 9.60 MB
Successfully verified installer hash
Archive scan detected malware. To override this check use --ignore-local-archive-malware-scan

PS >

False positive surely. But might be why the CI/CD tests fail? 🤔

Edit: No positives in VirusTotal: https://www.virustotal.com/gui/url/fc63f35c23e203091fc28824259f930e27880e645d161b7c1fc471e788553956.

Edit 2: WinGet about Zip threat detection: https://github.com/microsoft/winget-cli/blob/master/doc/specs/%23140%20-%20ZIP%20Support.md#zip-threat-detection

Edit 3: 7-Zip complains about this ZIP too:

• 

Edit 4: GitHub runner image for Widows includes 7-Zip, maybe it'd be better to use that for creating the ZIP?

• https://github.com/actions/runner-images/blob/main/images/windows/Windows2022-Readme.md
• https://github.com/jdx/mise/blob/main/scripts/build-tarball.ps1
• The module which has the cmdlet Compress-Archive is archived on GitHub = will likely not get fixes any time soon: https://github.com/PowerShell/Microsoft.PowerShell.Archive

[jdx]

that's very helpful! I'll give that a go

[FilipDeVos]

I'm fairly certain that this is failing because winget does not support zip unpacking portable applications. It wants one of installer types (exe, msi, msix, inno, wix, nullsoft, appx)

I am aware that there is a reference to "zip" installer type, but I believe it is intended for installers inside zip files.

[o-l-a-v]

Here's an example with Azure CLI which also had a portable option with a ZIP:

• https://github.com/microsoft/winget-pkgs/blob/master/manifests/m/Microsoft/AzureCLI/2.65.0/Microsoft.AzureCLI.installer.yaml

Both this PR for Mise and the example above uses:

InstallerType: zip
NestedInstallerType: portable

[FilipDeVos]

Download the log from this url: https://dev.azure.com/shine-oss/8b78618a-7973-49d8-9174-4360829d979b/_apis/build/builds/34420/artifacts?artifactName=InstallationVerificationLogs&api-version=7.1&%24format=zip

It is failing due to MS Defender Antivirus finding threats.

You can submit the file for analysis to https://www.microsoft.com/en-us/wdsi/filesubmission

[jdx]

submitted for analysis, no idea how long that'll take

[wingetbot]

/AzurePipelines run

[o-l-a-v]

About the package identifier:

• Isn't the publisher / author here "JDX", not "mise"?
  • Thus, the WinGet package identifier should be jdx.mise and placed in "J": https://github.com/microsoft/winget-pkgs/tree/master/manifests/j
• What name should be used? Just "mise" or "mise-en-place"?
  • @nagromc made a deal about using the full name over at the Scoop PR: [email protected]: Add manifest ScoopInstaller/Main#6374 (comment)
  • Just "mise" is most used as far as I can see, for instance in the README: https://github.com/jdx/mise, or the install doc: https://mise.jdx.dev/installing-mise.html.
  • Decide on one name for consistency, and use it across all package managers for consistency.

[jdx]

I don't think any package manager uses mise-en-place for the name except scoop

[wingetbot]

/AzurePipelines run

[o-l-a-v]

I don't think any package manager uses mise-en-place for the name except scoop

Chocolatey currently does.

• https://community.chocolatey.org/packages/mise

(I noticed this after I posted my last reply)

[jdx]

oh it seems these package managers separate the concept of an "id" and a "name"—I'm mostly familiar with homebrew which does not. I suppose we can use mise-en-place—though I consider these names totally interchangeable

[wingetbot]

/AzurePipelines run

[stephengillie]

Verify:

Our packages are sorted by PackageIdentifier - a composite of DeveloperName.PackageName, and generally must follow the developer or publisher's conventions for spelling, punctuation, suffixes, etc. These should match the Developer and PackageName fields in the locale file, but I'm not currently aware of any logic to check for matching between the fields.

[wingetbot]

Publish pipeline succeeded for this Pull Request. Once you refresh your index, this change should be present.