Chocolatey Software Blog | Upcoming Changes to Package

The primary service responsible for ensuring that a submitted package is valid is called, unsurprisingly, Package Validator. It has been the backbone of the Package Moderation Services since 2015 and is the first service a package goes through on its approval journey to the Chocolatey Community Repository. As Chocolatey products evolve, the Package Moderation Services evolve, and the rules and guidelines evolve with them. We have made some changes to the Package Validator rules to shift some guidelines to requirements and to bring in some new requirements from 1 September 2022.

Before I go into the rules themselves, let’s be clear:

  • The rules only affect packages submitted to the Chocolatey Community Repository.
  • The rules only affect newly submitted package versions; package versions that have already been submitted are not affected.

In short, if you submit a package version to the Chocolatey Community Repository on or after 1 September 2022, these rules will be applied to it.

There are four types of Package Validator rules that are used:

  • Requirements: these are mandatory.
  • Guidelines: these are strong recommendations.
  • Suggestions: these are suggestions to help improve the quality of the package.
  • Notes: these are checks that cannot be automated and are for a human moderator to work through.

Each of these rule types is used in a different way. Packages that do not meet a requirement fail validation and the maintainers are notified. The other three rule types allow the package to proceed to the next stage of the Package Moderation Services, but a human moderator may still ask the maintainer to make changes to the package after their own review of it.

The new rules that have been added to Package Validator are requirements, and are shown below:

  • Minimum description field length in package metadata. A package description must be a minimum of 30 characters (excluding leading and trailing whitespace) in the package .nuspec file. This was previously only a guideline that has now become a requirement.
  • Package metadata should not contain email addresses. There was already a requirement that the authors and owners fields in the package .nuspec file not contain email addresses. This check has been extended to cover all the fields in the package .nuspec file.
  • Chocolatey ‘private’ variables can no longer be used. We have recommended for some time that some Chocolatey variables should not be used in packages, so any recent packages are unlikely to be affected by this rule. Those variables are:
    • ChocolateyToolsLocation
    • ChocolateyBinRoot
    • chocolatey_bin_root
    • ChocolateyPackageFolder
    • PackageFolder
    • ChocolateyChecksum32
    • ChocolateyChecksum64
    • ChocolateyChecksumType32
    • ChocolateyChecksumType64
    • DownloadCacheAvailable
  • Download helper cmdlets require a checksum. When using the Chocolatey helper cmdlets that download a file, the Checksum or Checksum64 parameter must be used to validate the download. Those helper cmdlets are:
    • Install-ChocolateyPackage
    • Install-ChocolateyZipPackage
    • Install-ChocolateyPowershellCommand
    • Install-ChocolateyVsixPackage (only supports the Checksum parameter)
    • Get-ChocolateyWebFile
  • Files downloaded with the Ftp and Web download helper cmdlets must be validated with Get-ChecksumValid. The Get-FtpFile and Get-WebFile cmdlets do not have a Checksum or Checksum64 parameter, so files downloaded by these cmdlets must have their checksum validated separately by calling Get-ChecksumValid in the package scripts.
  • Prevent use of non-Chocolatey download cmdlets. Package maintainers cannot use non-Chocolatey helper cmdlets in packages to download files. These include:
    • iwr
    • Invoke-WebRequest
    • Start-BitsTransfer
    • curl
    • wget
    • Invoke-RestMethod
    • irm
    • Any cmdlet or function containing the name DownloadFile
    • Any cmdlet or function containing the name GetResponse
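To show what a chocolateyInstall.ps1 that satisfies the download rules above looks like (Checksum and Checksum64 on the download helper, Get-ChecksumValid after Get-WebFile, no non-Chocolatey download cmdlets, and none of the private variables), here is an added example; it is not code from Chocolatey or from this post. The download URLs (on the reserved example.invalid domain), the file names and the checksum placeholders are assumptions to be replaced with the real values for a package; the cmdlets and parameters used are the ones documented for the Chocolatey helper module.

```powershell
$ErrorActionPreference = 'Stop'

# Resolve the tools directory from the script location instead of reading the
# ChocolateyPackageFolder / PackageFolder variables, which the new rules forbid.
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition

# Placeholder values (assumptions for this example): replace with the real
# download URLs and the SHA256 checksums computed from the real installers.
$url32      = 'https://example.invalid/downloads/example-1.0.0-x86.msi'
$url64      = 'https://example.invalid/downloads/example-1.0.0-x64.msi'
$checksum32 = 'REPLACE-WITH-SHA256-OF-X86-INSTALLER'
$checksum64 = 'REPLACE-WITH-SHA256-OF-X64-INSTALLER'

# Rule: download helper cmdlets require a checksum.
# A call like  Install-ChocolateyPackage -PackageName ... -Url $url32  with no
# Checksum parameter is now rejected by Package Validator; the compliant form
# passes Checksum/ChecksumType for every URL it downloads from.
$packageArgs = @{
  PackageName    = $env:ChocolateyPackageName
  FileType       = 'msi'
  Url            = $url32
  Url64bit       = $url64
  Checksum       = $checksum32
  ChecksumType   = 'sha256'
  Checksum64     = $checksum64
  ChecksumType64 = 'sha256'
  SilentArgs     = '/qn /norestart'
  ValidExitCodes = @(0, 3010, 1641)
}
Install-ChocolateyPackage @packageArgs

# Rule: Get-WebFile / Get-FtpFile have no Checksum parameter, so a file they
# download must be verified with Get-ChecksumValid before it is used.
# A bare  Get-WebFile -Url $licenseUrl -FileName $licenseFile  with nothing
# checking the result is rejected; the same goes for Invoke-WebRequest, curl,
# wget, Start-BitsTransfer and the other non-Chocolatey download cmdlets,
# which may not be used at all.
$licenseUrl      = 'https://example.invalid/downloads/LICENSE.txt'   # placeholder
$licenseFile     = Join-Path $toolsDir 'LICENSE.txt'
$licenseChecksum = 'REPLACE-WITH-SHA256-OF-LICENSE-FILE'               # placeholder

Get-WebFile -Url $licenseUrl -FileName $licenseFile

# Get-ChecksumValid throws, and so aborts the install, when the file's hash
# does not match the expected value.
Get-ChecksumValid -File $licenseFile -Checksum $licenseChecksum -ChecksumType 'sha256'
```

Install-ChocolateyPackage hashes each downloaded installer and aborts the install on a mismatch, which is why the Checksum parameters are what the validator looks for on that cmdlet; for Get-WebFile and Get-FtpFile the equivalent protection is the explicit Get-ChecksumValid call that follows the download, and a script that downloads with one of those two cmdlets but never calls Get-ChecksumValid is the case the new rule catches.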

The new rules will take effect from 1 September 2022. These new requirements are a formal, automated implementation of checks that our team of Community Moderators has been applying manually for some time, so we anticipate the impact on packages and package maintainers to be minimal. However, if a package is affected, the package maintainer can request a temporary exemption to give them time to make the changes needed to comply with the new rules.

If you have any questions or concerns about these changes, then please reach out on the #community-maintainers channel of our Community Chat.
