Chocolatey surprise, or how to break the Internet

Chocolatey is a famous package manager for Windows. Folks also call it “homebrew for Windows”. Today, right before my vacation leave, I got a Chocolatey surprise. Can you spot the surprise in this code?

Nothing wrong here. You can find plenty of exactly the same files on GitHub. Now let me explain the issue.

Hint #1. Look at the commit history:

[screenshot: commit history]

Hint #2. Look at the release history (today is August 12, and there have been no releases in the last ~two months):

[screenshot: release history]

Hint #3. Look at https://chocolatey.org/install.ps1 and try to download the latest package:

[screenshot: install.ps1 download URL]

Type the link above into your browser and…

[screenshot: browser download]

Wow, there is an automatic download of an unreleased version on the Internet! But it’s not that bad. The bad thing is that the new version has breaking changes. And this is how it breaks:

[screenshot: failing install output]

Just like that - “Empty checksums are no longer allowed by default for non-secure sources.” You have to use --allowEmptyChecksums now.

The funny part is that you can see how --allow-empty-checksums is misspelled. Both --allowEmptyChecksums and --allow-empty-checksums appear on the screenshot. The last one doesn’t work!

Well, it’s definitely a good idea to improve security, but the thing is that I have never seen any deprecation warnings! This is rule number one in this world today: before you break something, make sure you scream about it! You cannot just break it like this with no heads-up!

The fix could be to use --allowEmptyChecksums every time, or to specify the Chocolatey version during installation. Unfortunately, the Chocolatey website doesn’t encourage users to specify a version. And it seems there is no way to specify a version mask. In Ruby, Node and all other languages/frameworks we could use a mask like 0.9.x, but it seems there is no such mechanism in Chocolatey. So to fix it… just always specify the exact latest version:
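A version-pinned bootstrap, the escape-hatch flag, and the package-side alternative of shipping a real checksum, as an added example that is not the post’s own snippet. Every value in angle brackets is an assumption to fill in; that install.ps1 honours $env:chocolateyVersion is also an assumption about the bootstrap script, so check your copy of it before relying on it.

```powershell
# Added example, not the post's own script. Angle-bracket values are placeholders.

# 1. Pin the Chocolatey version the bootstrap installs, instead of taking
#    whatever "latest" happens to be when the script runs (assumption:
#    install.ps1 reads $env:chocolateyVersion).
$env:chocolateyVersion = '<tested-chocolatey-version>'
Set-ExecutionPolicy Bypass -Scope Process -Force
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

# 2. Pin the packages too, so a new package version cannot surprise you either.
choco install <package-id> --version <package-version> -y

# 3. Escape hatch for a package that downloads from a non-secure source with no
#    checksum. Note the spelling: --allow-empty-checksums is NOT accepted.
#    Keep this per-invocation rather than enabling it globally, because it
#    turns off verification of the downloaded installer.
choco install <package-id> --version <package-version> -y --allowEmptyChecksums

# 4. If you maintain the package, the better fix is to supply the checksum in
#    tools/chocolateyInstall.ps1 so the download is verified and no flag is needed.
#    Compute it once from a known-good copy: Get-FileHash <installer>.exe -Algorithm SHA256
$packageArgs = @{
  packageName  = '<package-id>'
  fileType     = 'exe'
  url          = 'http://<non-secure-host>/<installer>.exe'   # plain http: checksum required
  checksum     = '<sha256-of-installer>'
  checksumType = 'sha256'
  silentArgs   = '/S'
}
Install-ChocolateyPackage @packageArgs
```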

Happy hacking!

Written on August 12, 2016