Is it safe? #19462
Replies: 3 comments
-
It's as safe as downloading the program from the website itself, aka not 100%.
-
Also, if you're talking about adding a new version of an already trusted software (ex. Google Chrome) - all PRs are overseen and approved by Administrators or Community Moderators. More info on moderation can be found via #15674.
-
Safe is a relative term. Microsoft uses the strategy of "defense in depth". At a high level, the following describes some of the actions taken during validation and installation. Installers are evaluated with static and dynamic analysis scanning before being handed over to moderators for further review. We also leverage SmartScreen. The SHA256 for a package is provided prior to install so it can be used to compare what was downloaded. In the event the two don't match, the install does not execute, and the user is warned. We also calculate and compare hashes generated for the manifests themselves as an additional precaution to make sure they haven't been tampered with.
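The SHA256 comparison described in the reply above, as an added example that is not part of the original thread and is not winget's own code. It assumes an installer manifest that pins one `InstallerSha256` per `Architecture`; the function names, the sample package and the minimal line-based parsing (instead of a YAML parser) are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed manifest fragment; package name and URLs are placeholders.
# {x64}/{x86} are filled in with sample hashes by the caller.
SAMPLE_MANIFEST_TEMPLATE = """\
PackageIdentifier: Example.App
PackageVersion: 1.2.3
Installers:
- Architecture: x64
  InstallerUrl: https://example.invalid/app-x64.exe
  InstallerSha256: {x64}
- Architecture: x86
  InstallerUrl: https://example.invalid/app-x86.exe
  InstallerSha256: {x86}
"""

FIELD = re.compile(r"\s*-?\s*(Architecture|InstallerSha256):\s*(\S+)")

def expected_hashes(manifest_text):
    """Return {architecture: lowercase sha256} pinned in the manifest."""
    hashes, arch = {}, None
    for line in manifest_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Architecture":
            arch = value
        elif arch is not None:
            if not re.fullmatch(r"[0-9A-Fa-f]{64}", value):
                raise ValueError(f"malformed SHA256 for {arch}")
            hashes[arch] = value.lower()  # compare case-insensitively
    return hashes

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_installer(path, manifest_text, arch):
    """True only if the file's SHA256 equals the hash pinned for arch."""
    expected = expected_hashes(manifest_text).get(arch)
    if expected is None:
        return False  # no pinned hash for this architecture: fail closed
    return hmac.compare_digest(sha256_file(path), expected)
```

A match only shows that the downloaded file is the one the manifest pinned; whether that pinned installer is trustworthy is what the scanning and moderation steps in the reply are for.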
-
Hey, I'm new to package managers (first day) and it's not quite clear to me, is it safe? I mean, is there any guarantee that some bad person will not upload a new version of the software but with a built-in virus that even VirusTotal does not recognize?
What is the difference with Chocolatey in terms of security?