The primary service responsible for ensuring that a submitted package is valid is called, unsurprisingly, Package Validator. It has been the backbone of the package moderation services since 2015 and is the first service a package goes through on its approval journey to the Chocolatey Community Repository. As Chocolatey products evolve, the Package Moderation Services evolve and the rules and guidelines evolve with them. We have made some changes to the Package Validator rules to shift some guidelines to requirements and bring in some new requirements from 1 September 2022.
Before I go into the rules themselves, let’s be clear:
- The rules only affect packages submitted to the Chocolatey Community Repository.
- The rules only affect new package versions submitted and do not affect existing package versions submitted.
In short, if you submit a package version to the Chocolatey Community Repository on, or after, 1 September 2022, these rules will be applied.
There are four types of Package Validator rules that are used:
- Requirements: these are mandatory.
- Guidelines: these are strong recommendations.
- Suggestions: these are suggestions to help improve the quality of the package.
- Notes: these are checks that cannot be automated and are for a human moderator to work through.
Each of these rule types is used in a different way. For example, packages that do not meet rule requirements will fail and maintainers will be notified. All other rule types will allow the package to proceed to the next stage of the Package Moderation Services, but a human moderator may ask the maintainer to make changes to a package after their validation checks of the package.
The new rules that have been added to Package Validator are requirements, and are shown below:
- Minimum description field length in package metadata. A package description must be a minimum of 30 characters (excluding leading and trailing whitespace) in the package.nuspec file. This was previously only a guideline that has now become a requirement.
- Package metadata should not contain email addresses. There is currently a requirement rule to not include email addresses in the authors or owners field in the package.nuspec file. This has been enhanced to check all the fields in the package.nuspec file.
- Chocolatey ‘private’ variables can no longer be used. We have recommended for some time that some Chocolatey variables should not be used in packages, so any recent packages are unlikely to be affected by this rule. Those variables are:
  - ChocolateyToolsLocation
  - ChocolateyBinRoot
  - chocolatey_bin_root
  - ChocolateyPackageFolder
  - PackageFolder
  - ChocolateyChecksum32
  - ChocolateyChecksum64
  - ChocolateyChecksumType32
  - ChocolateyChecksumType64
  - DownloadCacheAvailable
- Download helper cmdlets require a checksum. When using the Chocolatey helper cmdlets that download a file, the Checksum or Checksum64 parameter must be used to validate the download. Those helper cmdlets are:
  - Install-ChocolateyPackage
  - Install-ChocolateyZipPackage
  - Install-ChocolateyPowershellCommand
  - Install-ChocolateyVsixPackage (only supports the Checksum parameter)
  - Get-ChocolateyWebFile
- Use of Ftp and Web download helper cmdlets must use Get-ChecksumValid to validate checksum. The Get-FtpFile and Get-WebFile cmdlets do not have a Checksum or Checksum64 parameter, but the files downloaded by these cmdlets must still have their checksum validated separately using Get-ChecksumValid in the package scripts.
- Prevent use of non-Chocolatey download cmdlets. Package maintainers cannot use non-Chocolatey helper cmdlets in packages to download files. These include:
  - iwr
  - Invoke-WebRequest
  - Start-BitsTransfer
  - curl
  - wget
  - Invoke-RestMethod
  - irm
  - Any cmdlet or function containing the name DownloadFile
  - Any cmdlet or function containing the name GetResponse
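A maintainer-side check for the rules listed above, as an added example that is not part of the original post and not Package Validator's own code. It is a regex heuristic that can flag comments or URLs; the function name Test-PackageRules, the patterns and the sample package are assumptions constructed for illustration.

```powershell
# Added example: heuristic pre-submission check, not Package Validator's own code.
$privateVars = 'ChocolateyToolsLocation|ChocolateyBinRoot|chocolatey_bin_root|' +
    'ChocolateyPackageFolder|PackageFolder|ChocolateyChecksum(Type)?(32|64)|DownloadCacheAvailable'
$banned = '(?<![\w-])(iwr|Invoke-WebRequest|Start-BitsTransfer|curl|wget|' +
    'Invoke-RestMethod|irm)(?![\w-])|\w*(DownloadFile|GetResponse)\w*'
$needsChecksum = '(?<![\w-])(Install-Chocolatey(Zip|Vsix)?Package|' +
    'Install-ChocolateyPowershellCommand|Get-ChocolateyWebFile)\b'
$hasChecksum = '-Checksum(64)?\b|\bChecksum(64)?\s*='   # direct parameter or splatted hashtable key

function Test-PackageRules {
    param([xml]$Nuspec, [string]$ScriptText)
    $meta = $Nuspec.package.metadata
    if (([string]$meta.description).Trim().Length -lt 30) { 'nuspec: description is under 30 characters' }
    foreach ($node in $meta.ChildNodes) {       # every metadata field, not only authors/owners
        if ($node.InnerText -match '[\w.+-]+@[\w-]+(\.[\w-]+)+') { "nuspec: email address in <$($node.LocalName)>" }
    }
    $n = 0
    foreach ($line in $ScriptText -split '\r?\n') {
        $n++
        if ($line -match "\b($privateVars)\b") { "line ${n}: private variable $($Matches[1])" }
        if ($line -match $banned) { "line ${n}: non-Chocolatey download via $($Matches[0])" }
    }
    if ($ScriptText -match $needsChecksum -and $ScriptText -notmatch $hasChecksum) {
        "script: $($Matches[1]) used without Checksum or Checksum64"
    }
    if ($ScriptText -match '(?<![\w-])Get-(Ftp|Web)File\b' -and
        $ScriptText -notmatch 'Get-ChecksumValid') {
        'script: Get-FtpFile/Get-WebFile used without Get-ChecksumValid'
    }
}

# Constructed sample inputs that deliberately break several rules.
$sampleNuspec = [xml]@'
<package><metadata>
  <id>example-pkg</id>
  <description>  Too short.  </description>
  <releaseNotes>Questions to maintainer@example.invalid</releaseNotes>
</metadata></package>
'@
$sampleScript = @'
$dir = $env:ChocolateyPackageFolder
Install-ChocolateyPackage -PackageName 'example-pkg' -Url 'https://example.invalid/a.exe'
Invoke-WebRequest 'https://example.invalid/b.zip' -OutFile "$dir\b.zip"
Get-WebFile -Url 'https://example.invalid/c.dat' -FileName "$dir\c.dat"
'@
Test-PackageRules -Nuspec $sampleNuspec -ScriptText $sampleScript
```

To check a real package, load the package.nuspec with Get-Content cast to [xml] and pass each script under tools with Get-Content -Raw.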
The new rules will take effect from 1 September 2022. These new requirements are a formal, automated, implementation of what our team of Community Moderators have been implementing, manually, for some time now, and we anticipate the impact to packages, and package maintainers, to be minimal. However, if there is an impact to a package, the package maintainer can request a temporary exemption to give them time to make changes that will comply with the new rules.
If you have any questions or concerns about these changes, then please reach out on the #community-maintainers channel of our Community Chat.