Currently, the Chocolatey package for the Windows desktop app downloads the installer at runtime. I would like the package to be changed so that it includes the installer inside the package instead of downloading the installer separately.
Making this change would improve the reliability of the package, because it removes the failure point of an additional download during the installation. Additionally, it would make the lives of people running internal Chocolatey repositories easier, as the package could then be installed on machines without an internet connection, or with a heavily filtered internet connection.
That’s not how Chocolatey (free version) works. The free version only includes automated install instructions. Adding a binary payload is usually not allowed.
Downloading the actual binaries from the original author’s site is the preferred way due to multiple concerns:
- Security: You can’t tamper with the official packages if they’re downloaded from the official site.
- Licensing: Some software like MySQL doesn’t allow redistribution of their prebuilt installer files.
- Cost: Hosting 100,000 packages and providing 1 billion downloads of these at an average 50 MB/package is quite costly.
For enterprise scenarios like yours, there’s the Chocolatey Pro and C4B versions that have a private caching CDN for binaries included if you’re a paying customer and the vendor’s software license allows for redistribution.
Adding a binary payload is allowed, and actually recommended if the total package size is under 200 MB and the license allows redistribution of the binary.
No, it is possible, say for example if the author’s site was compromised, or it is possible to MITM a download over HTTP (not HTTPS). I am not saying that it is likely, or that Bitwarden is vulnerable to either of these, but that you cannot give absolutes like that in computer security, like saying something is 100% safe.
Chocolatey packages are moderated. Packages that include a binary are required to include instructions for how the moderator can verify that the included binary is the exact same binary downloadable from the author’s site.
Not a problem in this case. First, the Bitwarden desktop app is licensed under GPL 3, which explicitly allows redistribution. Secondly, even if the license that Bitwarden desktop was under did not allow redistribution, it would not matter because it would not be redistribution, but distribution since the Bitwarden package is maintained by the Bitwarden staff, not by the community.
Not really applicable.
Chocolatey is willing to host packages up to 200 MB in the community repository. That is what the Chocolatey Professional edition supports; a large chunk of the money from that goes toward hosting the community repository.
The Bitwarden desktop installer is not even close to 50 MB, try 70 times less than that. The installer is under 1 MB, which I do not think is a large problem to host.
The bitwarden-cli package on chocolatey.org already includes the binary.
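As an added example (not from the thread, and not Bitwarden’s or Chocolatey’s own package script), here is a chocolateyInstall.ps1 that covers both sides of the discussion above: it prefers an installer shipped inside the .nupkg, re-checking it against the hash the packager recorded in legal\VERIFICATION.txt (the file moderators use to confirm the embedded binary matches the vendor download), and otherwise falls back to the runtime download pinned to a checksum so a tampered or MITM’d download is rejected. The package name, URL, installer file name, silent flag and checksum values are placeholders.

```powershell
# Added example; all names, URLs and checksums are placeholders.
$ErrorActionPreference = 'Stop'
$toolsDir   = Split-Path -Parent $MyInvocation.MyCommand.Definition
$pkgName    = 'example-desktop'                                   # placeholder
$installer  = Join-Path $toolsDir 'Example-Installer.exe'         # placeholder
$silentArgs = '/S'                                                # assumed NSIS-style flag

if (Test-Path $installer) {
    # Embedded variant: the installer travels inside the package, so there is
    # no download to fail or to intercept. The expected SHA-256 lives in
    # legal\VERIFICATION.txt next to the package's tools folder; comparing the
    # shipped bytes against it at install time costs almost nothing.
    $verification = Join-Path (Split-Path -Parent $toolsDir) 'legal\VERIFICATION.txt'
    $match = Select-String -Path $verification -Pattern '(?i)checksum64?:\s*([0-9a-f]{64})' |
             Select-Object -First 1
    if (-not $match) {
        throw "No SHA-256 checksum line found in $verification"
    }
    $expected = $match.Matches[0].Groups[1].Value
    $actual   = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    # -ne on strings is case-insensitive in PowerShell, so hex case does not matter.
    if ($actual -ne $expected) {
        throw "Embedded installer hash $actual does not match VERIFICATION.txt ($expected)"
    }
    Install-ChocolateyInstallPackage -PackageName $pkgName -FileType 'exe' `
        -SilentArgs $silentArgs -File $installer
}
else {
    # Runtime-download variant: Chocolatey fetches the file and refuses to run
    # it unless the downloaded bytes hash to the value pinned in the package.
    # That is what limits the "compromised site / plain-HTTP MITM" risk, as long
    # as the checksum recorded here was taken from a trustworthy copy.
    $downloadArgs = @{
        PackageName    = $pkgName
        FileType       = 'exe'
        SilentArgs     = $silentArgs
        Url64bit       = 'https://example.invalid/Example-Installer.exe'                      # placeholder
        Checksum64     = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder
        ChecksumType64 = 'sha256'
    }
    Install-ChocolateyPackage @downloadArgs
}
```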
In that case: I rest my case.
I was sure the binary was not supposed to be included as that’s the way many packages handle it.
> it would not matter because it would not be redistribution, but distribution since the Bitwarden package is maintained by the Bitwarden staff, not by the community.
The reasons I gave were more generic in favor of not packaging a binary into the nupkg, not specifically for the Bitwarden case.
If I was mistaken about that being the recommended way by Chocolatey, then please don’t mind me; I’ll go back to my corner and will think about researching my position before providing counter-arguments.
Also, I just discovered that the exe is not all that is required for install; there are .nsis.7z files that are downloaded at runtime that include the install files. These should also be included inside the Chocolatey package.