[New Feature]: Allow packages submitted by Verified Publishers to be automatically merged

[gerardog]

Description of the new feature/enhancement

When certain conditions are met, allow automatic merge of PRs.
This would be somewhat-analogue to add moderators but restricted for specific packages.

Proposed technical implementation details (optional)

Possible rules:

• If the software vendor is pushing a new version, automatically merge the PR.
  • Could exist as an explicit whitelist text file: UserA --can add packages for manifest--> PackageId.1
    • Whitelists can be protected by CODEOWNERS or similar.
  • For packages hosted on GitHub, it could be inferred either:
    • from Manifest Id. IE: Manifest id UserA.packageB can be updated by user UserA
    • from download url: github.com/user/repo/releases/....

[Trenly]

I disagree fundamentally. Moderation serves not only to validate that the application installs correctly, but also that the metadata is accurate, the installer fields allow for winget to detect the version accurately, that no PUAs are installed with the application, that no dependencies are needed at runtime (which isn’t always caught by the pipelines), etc.

I do agree that Verified Publishers is a needed feature, but I don’t think that it should bypass the need for moderation.

Take for example PolyMC, where the developer went rogue. If the developer were allowed to bypass the moderation step, it could have potentially caused issues for anyone using PolyMC installed through winget.

The validation pipelines are great, but they can’t catch every potential issue, which is why the manual review by a moderator is a necessary step

[gerardog]

@Trenly: I may have described the proposal poorly. I edited to clarify. But please use charitable interpretation. I was trying to describe Verified Publishers, not the removal of moderation.

I do agree that Verified Publishers is a needed feature, but I don’t think that it should bypass the need for moderation.

What flavor of Verified Publishers do you agree with? How does it affect moderation/merge of PRs ?

The validation pipelines are great, but they can’t catch every potential issue

I agree, but moderation neither. AFAICT your example PolyMC, was not filtered by moderation. And, it's not the point. but a moderator could go rogue too. Publishers who want to go rogue, don't need promotion as a Verified Publisher. For example, PolyMC.

Then other points you mentioned, every publisher wants a valid, working package, accurate metadata, etc. You may not promote to Verified Publisher someone who doesn't has a know history of proper publishing.

[denelon]

This is the intent behind:

• Restrict access to manifests for packages #100

We've got a version of it tested, but we're still having to hold off on the business process. We've also been discussing criteria for automated approval.