What measures does scoop take to keep malware out of its packages?

[Gitoffthelawn]

Malware can basically be divided into 2 large categories:

• unintentional malware: when malicious code is present due to a security breach, virus infection, or worm
• intentional malware: when malicious code is present due to someone intentionally putting it there

Although people often focus on the second category of malware, the first category is equally important.

When installing software piecemeal (without scoop), the person performing the installation takes the responsibility of inspecting each package before installing it. This can be accomplished via multiple techniques.

When installing software via scoop, many of the common techniques of package inspection are much less likely to be employed. For example, the simple step of uploading each piece of software to VirusTotal is generally skipped by people using scoop.

What measures does scoop employ to keep malware out of its packages?

[HUMORCE]

What measures does scoop employ to keep malware out of its packages?

a. In most cases, Scoop downloads the contents of packages from official distribution channels.

Take manifest main/nginx for example:

❯ scoop cat nginx
{
    "version": "1.27.1",
    "description": "An HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server.",
    "homepage": "https://nginx.org",
    "license": "BSD-2-Clause",
    "notes": "To use the correct configuration run 'nginx -p \"$env:NGINX_HOME\"' or 'nginx -p \"%NGINX_HOME%\"'",
    "url": "https://nginx.org/download/nginx-1.27.1.zip",
    "hash": "f2f1527641c289b4127abfb56baaddc2f98afb66bea7db1a9aec53b0361b273e",
    "extract_dir": "nginx-1.27.1",
    "bin": "nginx.exe",
    "env_set": {
        "NGINX_HOME": "$dir"
    },
    "persist": [
        "conf",
        "html",
        "logs",
        "temp"
    ],
    "checkver": {
        "url": "https://nginx.org/en/CHANGES",
        "regex": "Changes with nginx ([\\d.]+)"
    },
    "autoupdate": {
        "url": "https://nginx.org/download/nginx-$version.zip",
        "extract_dir": "nginx-$version"
    }
}

❯ scoop virustotal nginx
main/nginx: 0/65, see https://www.virustotal.com/gui/file/f2f1527641c289b4127abfb56baaddc2f98afb66bea7db1a9aec53b0361b273e

❯ scoop download nginx
INFO  Downloading 'nginx' [64bit] from main bucket
nginx-1.27.1.zip (2.0 MB) [===============================================================================================] 100%
Checking hash of nginx-1.27.1.zip ... ok.
'nginx' (1.27.1) was downloaded successfully!

b. Based on a, you need to check the content of the manifest to confirm that the downloaded content comes from the official distribution channel of the program via scoop-cat. Mainly, I mean the urls and scripts.

When installing software via scoop, many of the common techniques of package inspection are much less likely to be employed. For example, the simple step of uploading each piece of software to VirusTotal is generally skipped by people using scoop.

Scoop will check hashes before installing / after downloading.

c. Query file report from virustotal via scoop-virustotal.
d. Check them manually by pre-downloading the package content via scoop-download.
e. Keep antivirus program ON, if you take care of security.

[Gitoffthelawn]

Thank you. That's very helpful info. I appreciate it. A few follow-up questions for clarity (the letters below match the letters in your reply):

b. You mentioned "you need to check the content of the manifest to confirm that the downloaded content comes from the official distribution channel of the program via scoop-cat". Why do you recommend using scoop-cat instead of looking directly at the manifests?
c. Does the scoop installer run scoop-virustotal automatically, or do you have to perform this step manually?
d. Does scoop-download just download the package, or does it also extract the files within the package?

Also, what prevents someone from maliciously changing a manifest for a scoop package you have been using for a long time (or making a change that inadvertently points to malware, such as leaving the m off of a .com domain name, thus pointing to a different host)? If you need to check each manifest or use scoop-cat before every update, it seems like much of the convenience of scoop is gone. The concern is that the convenience of scoop may make it a ripe target.

[HUMORCE]

Why do you recommend using scoop-cat instead of looking directly at the manifests?

You can review manifests in any way.

Does the scoop installer run scoop-virustotal automatically, or do you have to perform this step manually?

Scoop does not perform it automatically.

Does scoop-download just download the package, or does it also extract the files within the package?

The sub-command just downloads urls of manifest. NO extraction.

Also, what prevents someone from maliciously changing a manifest for a scoop package you have been using for a long time (or making a change that inadvertently points to malware, such as leaving the m off of a .com domain name, thus pointing to a different host)?

Unless member of ScoopInstaller wants to do this, or a negligence in PR reviewing. Alternatively, you can create your own bucket to ensure that the manifests are under your control.

If you need to check each manifest or use scoop-cat before every update, it seems like much of the convenience of scoop is gone. The concern is that the convenience of scoop may make it a ripe target.

For me, if Scoop offers me 100% convenience, then I can pay <100% convenience for security. You have deal with this whether use Scoop or not, like what you said before:

When installing software piecemeal (without scoop), the person performing the installation takes the responsibility of inspecting each package before installing it. This can be accomplished via multiple techniques.

Scoop provides some features to reduce the work on this.