What is Package Moderation?

Back in October 2014, Package Moderation was introduced to the Chocolatey Community Repository. Rob Reynolds, the Creator and Founder of Chocolatey, wrote about this on his blog. What this meant was that any package that was pushed to the Chocolatey Community Repository would now be subject to human moderation.

Since the introduction of the human aspect to Package Moderation, a number of automated systems have been introduced. These include:

What did this mean for package consumers?

With the introduction of Package Moderation, consumers of packages from the Chocolatey Community Repository would get:

  • High quality packages: moderators give feedback to maintainers and fixes can be added.
  • Appropriate packages: packages that are not relevant to Chocolatey's community repository will not be approved.
  • Trust: packages are reviewed for safety and completeness before they are live.

What were things like before Package Moderation started?

Before the introduction of Package Moderation, any package, regardless of contents, could be submitted to the Chocolatey Community Repository, and it would be immediately available to be installed by anyone. Because Chocolatey CLI runs with administrative permissions, the ability for anyone to push a package was not desirable.

Who were the early moderators?

When Package Moderation was first introduced to the Chocolatey Community Repository, there was a different set of moderators helping, compared to the people that work on it today. They included:

  • Rob Reynolds
  • Matt Wrock
  • Gary Park
  • Thomas Walter
  • Resandro
  • dtgm
  • Anthony Mastream
  • Dan Atkinson
  • Simon Cropp
  • jbrezanski
  • doc
  • riezebosch
  • digitaldrummer

What does working on Package Moderation look like?

Package Moderation starts and stops on the moderation queue. This view shows all the possible states for a package that has been pushed to the Chocolatey Community Repository:

  • Submitted: this is the first state for a package, but it will immediately be moved into a Pending state.
  • Updated: this is a package that has been pushed again by the maintainer of the package (could be that a change was required after the initial submission).
  • Pending: this is a package that is either pending one of the automated Package Moderation Services to run, or the package is pending the approval of a dependent package.
  • Waiting: this is a package that has been reviewed (either by a human moderator, or an automated Package Moderation Service) and a change is required by the maintainer.
  • Responded: this is a package that has had a comment made by the maintainer of the package, perhaps based on feedback from a human moderator, or requesting help after an automated Package Moderation Service has run.
  • Ready: this is a package that is ready for review by a human moderator.

Packages appear in this queue based on when they were first pushed, and then if action is taken on them. Moderators will then work through the queue, in the order presented.

Moderators are looking to ensure that any package submitted to the Chocolatey Community Repository meets the documented requirements and guidelines. If a package doesn't meet something here, a moderator will leave a comment, asking for the package to be modified and then re-submitted. This process might go through a few cycles, and once everything has been addressed, the package will be approved.

In addition to these requirements and guidelines, moderators will be checking to ensure that no duplicated packages are being created, as well as to ensure that the package is intended to be used by all users of the Chocolatey Community Repository.

How many moderators work on the Chocolatey Community Repository today?

The current moderation team is made up of 11 people, covering 7 different time zones. We aim to keep the package moderation queue as low as possible, and to get packages moderated as quickly as possible, but there are times when this simply isn't possible. We try to be as open and transparent about this as we can. You can always find the current moderation queue on the site, and we also regularly post the moderation stats in the community-repository channel in our Community Hub.

As an example, here is the moderation information for August 2024:

[Images: moderation stats table, chart, pie chart, and average time chart for August 2024]

Interested in helping out?

If you are interested in helping out with moderation of packages on the Chocolatey Community Repository, we would love to have you involved. The rough steps for becoming a moderator are outlined on our docs site, but feel free to reach out on our Community Chat if you have any other questions.

The Future

We have lots of ideas on how we are going to continue to improve the moderation of Chocolatey packages on the Chocolatey Community Repository. These include:

  • Improvements to the package-differ service
    • Making it easier for a package moderator to "see" differences in files using a diff/display technology similar to what you would see on GitHub.
  • Tighter integration with the latest version of VirusTotal.
