Chocolatey v0.10.0 Release Notes

Release Date: 2016-08-11
  • 🔒 What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking change we are making for security purposes and partly to a move to a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 marking where major versions occur in the sub-1 series, 0.y.0 will now mark where those major versions occur. We are also moving right along towards v1 (and hope to be there in 2017).

    🔒 0.10.0 carries the fixes for 0.9.10.4 and includes a major security enhancement (checksum requirement).

    💥 BREAKING CHANGES

    • [Security] Checksum requirement and enhancements - see #112

    🚀 Checksums in package scripts are a measure to validate that the resources originally downloaded when a package was created are the same files that are received at a future date. This also ensures that the files checked by all parts of moderation (if applicable) are the same files that users receive for a package. This matters mostly on the community repository, because it is public and packages are subject to copyright law (distribution rights), which typically requires the package scripts to download software from the official distribution locations. The Chocolatey framework has had the ability to use checksums in package scripts since July 2014.

    What is the requirement? choco will now fail if a package downloads resources over HTTP/FTP and does not use checksums to verify those downloaded resources. The requirement for HTTP/FTP is #112. We are also considering requiring it for HTTPS (#895). You can optionally turn off the allowEmptyChecksumsSecure feature to ensure that packages downloading over HTTPS also use checksums.

    How does this protect the community any more than before? During moderation review, the downloaded binaries are checked against VirusTotal (which verifies them against 50-60+ different virus scanners). The binaries are also verified for installation purposes against a test computer. With an independent third-party checksum in the package itself, it is guaranteed that the files a user receives from those remote sources are the exact same files that were used in the verification process.

    Why the requirement, and why now? This is a measure of protection for the Chocolatey community. HTTP is easy to attack with both DNS poisoning and MITM (man-in-the-middle) attacks. Without independent verification of the integrity of the downloaded resources, users are left susceptible to these issues. We had been planning a move to require checksums for a while, with a longer and smoother transition for package maintainers to get packages updated and reduce breakages. Unfortunately, a recent event where FOSSHub was hacked (the community repository had 8 possibly affected packages and we quickly took action) necessitated moving in a much swifter fashion to ensure the protection of the community sooner rather than later. The checksum changes in this release of Chocolatey are a major step in that process. Requiring checksums for HTTPS as well will mitigate future compromises of software distribution sites that are used by Chocolatey packages.
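The packager's side of the requirement described above, as an added example (not code from the Chocolatey project or from any published package): a chocolateyInstall.ps1 that supplies a checksum for each download so that Install-ChocolateyPackage verifies the fetched file before it is executed. The package name, download URLs and the checksum values are placeholders, and the script only runs inside a Chocolatey package install.

```powershell
# Added example chocolateyInstall.ps1 (placeholder package, not a real one).
# Replace each checksum placeholder with the hash you computed from the file as
# downloaded from the vendor at packaging time, for example:
#   Get-FileHash -Algorithm SHA256 .\example-setup-1.2.3.exe
$ErrorActionPreference = 'Stop'

$packageArgs = @{
    packageName    = 'example-app'
    fileType       = 'exe'
    silentArgs     = '/S'
    validExitCodes = @(0)

    # Plain-HTTP download: since 0.10.0, choco refuses to proceed without a checksum here.
    # A mismatch between the downloaded file and this value fails the install before
    # anything is run, which is what defeats a poisoned or tampered download.
    url            = 'http://downloads.example.invalid/example-setup-1.2.3.exe'
    checksum       = '<sha256 of example-setup-1.2.3.exe>'
    checksumType   = 'sha256'

    # The 64-bit installer is a different file and carries its own hash;
    # choco verifies whichever file it actually fetched for this machine.
    url64bit       = 'https://downloads.example.invalid/example-setup-1.2.3-x64.exe'
    checksum64     = '<sha256 of example-setup-1.2.3-x64.exe>'
    checksumType64 = 'sha256'
}

Install-ChocolateyPackage @packageArgs
```

Using sha256 rather than the default md5 for checksumType is a deliberate choice: the requirement only demands that a checksum be present, but a collision-resistant hash is what makes the "same files as verified during moderation" guarantee meaningful.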

    📦 Can I shut this behavior off or opt out per package? You can shut off the checksum requirement by enabling the feature allowEmptyChecksums. This returns Chocolatey to its previous behavior. We strongly recommend against it.

    ⬆️ You can shut it off or turn it on per package install/upgrade with --allow-empty-checksums and --require-checksums, respectively. See https://docs.chocolatey.org/en-us/choco/commands/install / https://docs.chocolatey.org/en-us/choco/commands/upgrade.

    📦 You can also disable the feature allowEmptyChecksumsSecure to enforce checksums for packages that download from secure locations (HTTPS).

    Other things I should know? Users now also have the ability to pass their own checksums and checksum types into the install. See https://docs.chocolatey.org/en-us/choco/commands/install / https://docs.chocolatey.org/en-us/choco/commands/upgrade.
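The operator's side of the two features and the per-run switches described above, as an added example that is not part of the Chocolatey project: it audits the effective checksum posture of a machine and applies the stricter settings. It assumes Chocolatey is installed, that $env:ChocolateyInstall points at its root (default C:\ProgramData\chocolatey) and that config\chocolatey.config below it carries the usual <features> section with <feature name="..." enabled="true|false"/> entries; the function names are this example's own.

```powershell
# Added example: audit and harden checksum enforcement on a Chocolatey 0.10.0+ machine.
# Assumed layout: $env:ChocolateyInstall\config\chocolatey.config with a <features>
# element whose <feature> children carry name="..." and enabled="true|false" attributes.

function Get-ChocoChecksumPosture {
    param(
        [string]$ConfigPath = (Join-Path $env:ChocolateyInstall 'config\chocolatey.config')
    )
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $features = @{}
    foreach ($f in $config.chocolatey.features.feature) {
        # GetAttribute avoids the XmlElement .Name property shadowing the name attribute
        $features[$f.GetAttribute('name')] = ($f.GetAttribute('enabled') -eq 'true')
    }
    # A feature absent from the file is treated as enabled (permissive), so the audit
    # errs toward warning rather than toward a false sense of enforcement.
    $allowEmpty       = if ($features.ContainsKey('allowEmptyChecksums'))       { $features['allowEmptyChecksums'] }       else { $true }
    $allowEmptySecure = if ($features.ContainsKey('allowEmptyChecksumsSecure')) { $features['allowEmptyChecksumsSecure'] } else { $true }
    [pscustomobject]@{
        ChecksumsRequiredForHttp  = -not $allowEmpty        # 0.10.0 default: true
        ChecksumsRequiredForHttps = -not $allowEmptySecure  # true only after disabling allowEmptyChecksumsSecure
    }
}

function Set-ChocoChecksumEnforcement {
    # Corrected settings: keep the HTTP/FTP requirement and extend it to HTTPS.
    # The weak setting the notes recommend against would be:
    #   choco feature enable -n=allowEmptyChecksums
    choco feature disable -n=allowEmptyChecksums
    choco feature disable -n=allowEmptyChecksumsSecure
}

$posture = Get-ChocoChecksumPosture
$posture | Format-List

if (-not $posture.ChecksumsRequiredForHttp) {
    Write-Warning 'allowEmptyChecksums is enabled: un-checksummed HTTP/FTP downloads will be accepted.'
}
if (-not ($posture.ChecksumsRequiredForHttp -and $posture.ChecksumsRequiredForHttps)) {
    Set-ChocoChecksumEnforcement
}

# Per-run switches leave the global features untouched:
#   choco install example-app --require-checksums         # fail if any download lacks a checksum
#   choco install example-app --allow-empty-checksums     # one-off relaxation of the requirement
#   choco install example-app --checksum='<sha256 hex>' --checksum-type=sha256   # supply your own
```

Reading the config file directly, rather than parsing choco feature output, keeps the audit independent of the CLI's output format, which is useful when the same check is run by configuration-management tooling across a fleet.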

    KNOWN ISSUES

    🔋 FEATURES

    • Pro/Business - Download a package without installing it - see #108

    ๐Ÿ› BUG FIXES

    • Fix - Installing choco on Windows 10 Vagrant box stops Vagrant from being able to manage the box - see #834
    • Fix - 64bit 7z.exe on 32bit system in chocolatey\tools - see #836
    • Fix - [POSH Host] PowerShell exit code does not reset between packages in a single run - see #854
    • Fix - Uninstall-ChocolateyZipPackage is failing - see #871
    • Fix - "C:\Program Files\WindowsPowerShell\Modules" is missing in PSModulePath for cmd.exe - see #830
    • Fix - Environment variables update fixes - see #840
    • Fix - Handle null items better - see #853
    • Fix - HKCU may not have Environment (Install of Chocolatey) - see #375
    • Fix - Progress of download does not clear the whole output line - see #875
    • Fix - Wrong download progress reported during package upgrade - see #872
    • Fix - Uninstall not supporting side-by-side => ChocolateyUninstall.ps1 not run - see #862
    • Fix - Uninstall ignores the version parameter - see #861
    • Fix - Search by exact or by id only is case sensitive for remote sources - see #889
    • Fix - Deprecated links inserted in .nuspec files created by choco new ... - see #870
    • Fix - Get-OSArchitectureWidth doesn't do what it says it does - see #828
    • Fix - When Choco fails to get a package from NuGet Core, fail the package with exit code 1 - see #867
    • Fix - Illegal characters in path - see #857
    • Fix - Pro/Business - Choco install config file fails on licensed assembly - see #866
    • Fix - DISM /all doesn't run anywhere but Windows 6.2 -- no dependencies get installed - see #897

    👌 IMPROVEMENTS

    • Do not install tab completion (edit of profile) under certain conditions - see #833
    • Choco install with packages.config should print out the packages to install - see #878
    • Larger default log file size and retention - see #852
    • Allow getting installer type to be overridden - see #885
    • Pack - Add optional output folder option - see #598
    • Little command name correction on init.ps1 - see #595
    • Tab completion - don't query if there is a file in the folder that meets completion - see #847