When you submit a package to the Chocolatey Community Repository, it enters a moderation queue where it passes through a number of automated services to validate, verify, and scan it, before passing to a human for final approval.

Two of those services, appropriately named Package Verifier and Package Scanner, go as far as to actually install your package in a sandbox to verify that the package behaves as you'd expect it to.

For many years now these services have used a sandbox running Windows Server 2012 R2. This assisted in ensuring compatibility with many of the Operating Systems that Chocolatey itself supports. If a package could be successfully installed on Windows Server 2012 R2, then users of the Chocolatey Community Repository could have high confidence that it will install for them too, regardless of the version of Windows they're using.

Time marches on however, and while Chocolatey still supports older Operating Systems, other software and large portions of the internet increasingly don't. This means that the sandbox was missing several features that software and packages expect from the Operating System that they're being installed on. Given this we've recently been working on a new sandbox running Windows Server 2019 to better meet the expected installation environment required by the majority of packages.

I'm pleased to say that this work is complete and both Package Verifier and Scanner have been using this new sandbox for several months. As with all things in IT Operations, no one noticed this change and so that means we did a good job!

What does this change?

A number of packages take dependencies that require a reboot on installation. The prime culprit for these dependency related reboots are the various versions of .NET Framework. The new Package Moderation Services sandbox has .NET Framework 4.8 pre-installed and so a reboot is no longer required, and packages can be verified successfully now.

Some websites have dropped support for older "cipher suites" which made it difficult for the moderation services running on Windows Server 2012 R2 to download installers from these websites. The new sandbox, running a new Operating System, has these newer cipher suites built-in allowing it to download installers, and other files, from those websites.

Numerous packages required certain Operating System updates to be installed and would take these updates as dependencies, as they should. The problem is that Windows updates require a reboot, and this would break the verification process. The new sandbox includes all current patches, so a reboot will no longer be needed.

What does this mean for package maintainers?

Package maintainers don't need to do anything at this point.

In the coming weeks we'll begin to remove some of the existing exemptions that packages have had due to issues related to the previous sandbox version. We'll be keeping a close eye on these packages as new versions are submitted, to ensure that they make their way through the automatic moderation process as we expect them to. We'll work with you to re-assess the need for exemptions if they continue to fail when tested again.

If you do note any odd behavior with your packages, I would encourage you to please reach out on the #community-maintainers channel of our Community Chat.

What about the Chocolatey Testing Environment?

Given that the new sandbox has been in use by the Package Verifier and Package Scanner services without issue for some time now, we've publicly released the image for use in the official Chocolatey Testing Environment!

Starting today, you can pull the new Windows Server 2019 Vagrant box, versioned 3.0.0, from Chocolatey's Vagrant Cloud!

For details about setting up, or upgrading, the Chocolatey Testing Environment do check out the project's README.

Wrap up

This update has been a long time coming, and I'm personally very pleased to see it take shape.

I wanted to thank all of our Community members that have asked, and patiently waited, for this change. A special thanks to those maintainers and moderators that have had to dig into verification failures and decide when an exemption has been required.

If you want to discuss any of these changes further, please join us on our Community Chat.

comments powered by Disqus