The URL in question[0] provides a 200 response and an executable without requiring authorization/authentication. That's a particularly weird definition of "not public"
I was quoting from the pinned comment on the page, by the way.
And, that is indeed a particularly weird definition of "not public", but from my experience, par for the course when there's only a squeeze page in the way of a download.
I was definitely commenting the issue (and likely Telerik's) definition of "not public".
The two stated reasons (again, likely just citing Telerik's request), are "they own the ip" and "it's not public" are just bogus. Linking to a publicly accessible resource doesn't have anything to do with IP (using someone's trademark to accurately describe the thing or direct people to it is not a crime, at least in the US), and "it's not public" is just false, as shown.
All in all, seems like a cave on Chocolatey's part. Particularly since they have a whole section of their FAQ dedicated to vendor distribution rights[0], which goes through pains to show that most of the time, there is no distribution at all (since it's just automation scripts).
This is about as silly as Telerik saying that I can't write:
I recognized none of the three names in the title, and following the link didn't help much either. I came back once I saw there were more comments, and now it seems to make a little more sense.
Chocolatey is like homebrew for Windows, and Telerik is a company that makes Fiddler, which may be something like Charles for MacOS.
Took a bit to figure all that out, though. The title reads like dadaist poetry.
> Telerik reached out and is asking that the Fiddler package be removed as it is giving direct access to a download location they no longer show on the site. Since they have an information gateway to receive information prior to download, they have asked that we remove the package so that folks obtain the downloads directly from them.
Whilst it doesn't do everything that Fiddler does, and isn't open-source, I'd say Postman is worth a look for playing around with HTTP requests. The user interface is a lot more user friendly (in my opinion):
Postman doesn't quite fill the niche, because it can't see all http/https traffic (ex: from other non-browser applications). Also, postman can't see anything that happens to the request after it's submitted (ex: by an anti-virus network filter).
Which is not to say that Postman is not good at what it does do.
Fiddler can install Root CA certificate and use it to sign fake certificates for websites to MitM on HTTPS. If someone knows how to do that in Wireshark, please, tell me.
Wireshark and Fiddler are both exceptional tools that serve vastly different purposes focusing on different OSI layers. Fiddler is an HTTP(S) proxy and Wireshark is a packet sniffer. While you can probably achieve in Wireshark what Fiddler offers, it's going to be an utter pain in the ass.
If you want an open-source alternative to Fiddler, consider mitmproxy [1].
Honest question - why are people so enthusiastic about Chocolatey? Most packages, including the Fiddler package, just run a small Powershell script that downloads an installer from a known location (in this case https://www.telerik.com/docs/default-source/fiddler/fiddlers...), verifies the checksum and runs it silently. As far as I know, it's all just wrappers on top of stuff that's always existed in Windows Installer. Is it simply the convenience of the chocolatey.org catalog and the ability to avoid visiting a bunch of websites looking for installers? I thought ninite.com had that cornered for most uses.
This is similar to how a lot of the homebrew cask packages work on OS X. Ninite appears to be more end-user/consumer focused while chocolatey aims for a wider swath of developer packages as well.
Personally, I use neither because neither is open source. Instead, I use scoop: http://scoop.sh/
People are excited to be rescued from the hell of searching the Internet for a program you want. One of the things that regularly blows the minds of people new to the Linux world is the ability to install anything you can remember the name of.
While Chocolatey isn't quite there yet (it may never given the difficulty of working around Windows), but it is way better than installing 50 programs manually.
Ninite is great for a small selection of apps, but it is not a package manager by any means. For quick setup, yeah it works, but you wouldn't rebuild the installer to install one program, you may as well download the program in the first place.
Chocolatey allows you to chain together as many installs as you like, so you can essentially set up whatever apps you want on a system unattended. You could argue it's just a wrapper around the windows installer system but you could equally argue that npm is just a wrapper around javascript files.
and I'm up and running with all my standard apps. Having to download all those apps, verify the checksums and go through the install wizard can easily take a couple of hours. It's especially useful if you're spinning up a lot of vms.
Just using a cli command to check for upgrades and apply them is it worth for me for some apps.
As not everything is supported, this is only half a solution, but every bit helps.
Also, as a maintainer of one package[0] - although it's for developers, apparently sometimes there are problems installing the software on Windows and so it's a bit of effort every release and we can make at least a few users happy.
At this point if you are going to the effort of custom installers as with Ninite you might as well switch to building APPX containers (with the Desktop Bridge) and use the Windows Store (and/or Windows Store for Business and/or Add-AppxPackage PowerShell automation).
Personally, I think it's time to converge to APPX and away from semi-proprietary solutions like Chocolatey/Ninite/etc for desktop applications. (I say that as having once been a big Chocolatey fan.)
Is there portable open source tooling to create these packages, like there is for MSI? Can programs installed through Appx packages do everything you can do as a Windows app or is there some form of mandatory sandboxing that would prevent its use for e.g. installing services or setting up credential providers?
The APPX format itself is quite a lot simpler than MSI (APPX is a .ZIP file with a manifest XML file, and typically a code signature), and most major installer project systems that can build an MSI can build an APPX already (including a plugin for the open source WiX toolset and recent versions of many of the most used commercial options).
APPX still encourages UWP apps, but the Desktop Bridge exists for Win32 Desktop applications. For Win32 Desktop applications there is still a small sandbox, but think of it along the lines of "Docker container". The container is there mostly to make install/uninstall clean and reproducible. Win32 applications are otherwise "full privilege" applications to the APIs they used before. The Desktop Bridge stuff itself is partly open source, but definitely not portable, you can download the Desktop App Converter for free on Windows 10 [directly from the Windows Store] and it will Docker-esque use mini-Windows containers to run an existing EXE/MSI install and try to capture what it installs into an APPX package.
I don't think it currently supports installing Win32 services directly, and it definitely doesn't support things like kernel drivers. The focus is mostly on desktop applications. UWP has a powerful background task model that is powerful enough to replace many uses of Win32 Windows services for desktop application needs, and the Desktop Bridge GitHub has samples of communicating between Win32 and UWP pieces.
The full Win32 Office suite has been on the Windows Store in Preview for a couple months now, and it seems pretty clear to me that if Office can be bundled entirely in APPX than most other desktop applications don't have much excuse left.
That's the biggest reason, it's easy to upgrade everything at once, not getting nagged but auto updaters when you want to actually use a program, not hunting around the web to check if there are uninstalled updates, etc. The other big convenience is as you said, having everything in a single catalog.
This was going to be my response too. You can update your installed software fairly painlessly[1]. You can do that with Ninite too, but the range of software available with Chocolatey is larger.
[1] Except for the occasional package or two that the maintainers don't keep up to date, which is a shame.
Also, I can reasonably trust that the community would flag any issues like getting a malwared version of software. It's sometimes not easy to find official sites for some software and the skeezy download.com style sites are always high on the search engine results.
I think you nailed it in your second to last sentence.
It's not often I'm back in the Windows world, but when I am it feels like going back to the early 2000s.. ending up on very skeevy-looking sites trying to hunt the "Download" button that isn't a banner ad. Anything that can take that away is worth it.
Sure, but it's surprising how much Windows software still leans on "file download sites" that do the whole "your file will download in X seconds or click here" nonsense. It's sometimes hard to tell if it's the real/official download unless you backtrack. Very weird compared to Mac software where usually a .dmg is downloaded straight from the creator's own site.
The last 10 years have been great for creating headlines that just sound REALLY funny to anyone outside our industry. I just showed this to my partner and she thought this might have been related to the Teletubbies.
Actually sometimes, reading news headlines like this sometimes makes me feel like I'm watching an advertisement for a Plumbus from Rick and Morty.
I automatically read that headline as intended, didn't even smirk. I don't want to forget the absurdity of our world and its little dramas, so thanks for the reminder!
Good on them. Software vendors should be able to excercise some control over how their software is distributed.
Also, I find any system where someone else tries to "add value" by wrapping or aggregating a bunch of pre-existing stuff without asking for permission from the pre-existing owners to be distasteful and somewhat rude.
What's the bet that Chocolately obtained prior permission from Telerik, Mozilla, Google or any other of the software vendors to redistribute their packages? It seems unlikely
The comment I'm responding to called out "What's the bet that Chocolately obtained prior permission from Telerik, Mozilla, Google or any other of the software vendors to redistribute their packages?"
I'm of the opinion that Telerik has the right to license their software as they see fit, including making it not available for packaging in Chocolatey, and legal precedent makes it much more dubious whether or not the existence of an accessible URL makes it legally OK for Chocolatey to package it than I think most people here are acknowledging.
That said, the commenter I replied to also called out Mozilla, and as far as I'm aware, the software of theirs that folks package is FOSS
I feel like this is the first half of a comment. If you believe I misunderstand how Chocolatey works, the interesting bit isn't telling me I'm mistaken, it's correcting my mistake by pointing out that Chocolatey doesn't actually copy and redistribute the package, it provides users with scripting sufficient that their local machine downloads the package from the origin service.
But in practice, I'm aware of how Chocolatey works, and figured I could get away with pointing out that the US legal system has previously considered access of remote systems to be a crime even in cases of publicly exposed endpoints without having to do a longwinded explanation of the role of Chocolatey vs the end user running Chocolatey's provided scripts.
Ok, what do you feel about older Broadcom drivers for Linux?
Those drivers are not open source, and did not allow for distribution. So Linux distributions included scripts to download from the public sources (provided by Broadcom), and run the install. The only software "distributed" by the OS provider, was a simple download script (probably less than a couple dozen lines).
If you are Ok with that, then note that that is what Chocolately does. I linked to the actual source code of the Chocolately package in another comment if you want to see what it does.
I think that my distribution (Fedora) doesn't do that with the Broadcom drivers, at least in the official distribution. I don't really think that is a great practice for an official distribution.
That's a bad example: Debian only packages GPL (or compatible) code, and by releasing something as GPL you are giving certain rights to anyone that receives it, including the right to package it. Put another way, Debian already does get permission before packaging anything (they just don't need to ask).
I'm specifically addressing the comment I replied to, which commented on whether or not Chocolately asked for permission from several companies, including Telerik but also Mozilla, whose software is notably FOSS
If software vendors are making publically available a url from which to download packages, then as far as I'm concerned they can pound sand. What does it matter if I fetch its contents via a shell script or a browser?
Providing a script to download binaries from the site is a completely different thing from re-hosting and redistributing binaries without permission. I don't use chocolatey and have no idea what the background is to this story, so don't take this as a defense of their actions.
> If software vendors are making publically available a url from which to download packages, then as far as I'm concerned they can pound sand. What does it matter if I fetch its contents via a shell script or a browser?
Is there any point arguing that? If Chocolatey refused, then Telerik would remove the public download. If Telerik insists on asking for email addresses or showing a TOS before allowing a download, then that's what they're going to do.
You're technically correct, but it's not a technical issue.
60 comments
[ 3.5 ms ] story [ 119 ms ] threadso, they want to waste their money sending spam to all the fake emails everyone enters in their website when they reinstall windows
i think they could have thought that through a little better
The URL in question[0] provides a 200 response and an executable without requiring authorization/authentication. That's a particularly weird definition of "not public"
[0] - https://github.com/chocolatey/chocolatey-coreteampackages/co...
https://www.telerik.com/docs/default-source/fiddler/fiddlers...
And, that is indeed a particularly weird definition of "not public", but from my experience, par for the course when there's only a squeeze page in the way of a download.
The two stated reasons (again, likely just citing Telerik's request), are "they own the ip" and "it's not public" are just bogus. Linking to a publicly accessible resource doesn't have anything to do with IP (using someone's trademark to accurately describe the thing or direct people to it is not a crime, at least in the US), and "it's not public" is just false, as shown.
All in all, seems like a cave on Chocolatey's part. Particularly since they have a whole section of their FAQ dedicated to vendor distribution rights[0], which goes through pains to show that most of the time, there is no distribution at all (since it's just automation scripts).
This is about as silly as Telerik saying that I can't write:
"curl https://www.telerik.com/docs/default-source/fiddler/fiddlers...
[0] - https://chocolatey.org/docs/package-triage-process#are-you-a...
Chocolatey is like homebrew for Windows, and Telerik is a company that makes Fiddler, which may be something like Charles for MacOS.
Took a bit to figure all that out, though. The title reads like dadaist poetry.
Chocolatey Nougat (Nuget) geddit?
> Telerik reached out and is asking that the Fiddler package be removed as it is giving direct access to a download location they no longer show on the site. Since they have an information gateway to receive information prior to download, they have asked that we remove the package so that folks obtain the downloads directly from them.
http://tcpreplay.appneta.com/wiki/overview.html
Whilst it doesn't do everything that Fiddler does, and isn't open-source, I'd say Postman is worth a look for playing around with HTTP requests. The user interface is a lot more user friendly (in my opinion):
https://www.getpostman.com/
Which is not to say that Postman is not good at what it does do.
If you want an open-source alternative to Fiddler, consider mitmproxy [1].
[1] https://github.com/mitmproxy/mitmproxy
FWIW, I've also had bluescreens on Windows from a certain combination of NPCAP and an Intel Ethernet driver.
Personally, I use neither because neither is open source. Instead, I use scoop: http://scoop.sh/
>> Looking for familiar Unix tools? Tired of Powershell’s Verb-Noun verbosity?
Sold.
But alternatives aren’t:
Chocolatey - Apache license - https://github.com/chocolatey/choco
Homebrew (for Mac) - BSD license - https://github.com/Homebrew/brew
Scoop (as previously mentioned) - Public Domain - https://github.com/lukesampson/scoop
Comparing Scoop to Chocolatey: https://github.com/lukesampson/scoop/wiki/Chocolatey-Compari...
While Chocolatey isn't quite there yet (it may never given the difficulty of working around Windows), but it is way better than installing 50 programs manually.
Ninite is great for a small selection of apps, but it is not a package manager by any means. For quick setup, yeah it works, but you wouldn't rebuild the installer to install one program, you may as well download the program in the first place.
I guess this is the root of my question, how does Chocolatey "manage packages" above and beyond what Windows already does with Add/Remove Programs?
For various reasons I don't use it much anymore, but it's really convenient to go to a new machine after a rebuild and just run a standard script of
choco install -y vim; choco install -y python # ...another 20 lines
and I'm up and running with all my standard apps. Having to download all those apps, verify the checksums and go through the install wizard can easily take a couple of hours. It's especially useful if you're spinning up a lot of vms.
As not everything is supported, this is only half a solution, but every bit helps.
Also, as a maintainer of one package[0] - although it's for developers, apparently sometimes there are problems installing the software on Windows and so it's a bit of effort every release and we can make at least a few users happy.
[0]: https://chocolatey.org/packages/Lein/
Personally, I think it's time to converge to APPX and away from semi-proprietary solutions like Chocolatey/Ninite/etc for desktop applications. (I say that as having once been a big Chocolatey fan.)
APPX still encourages UWP apps, but the Desktop Bridge exists for Win32 Desktop applications. For Win32 Desktop applications there is still a small sandbox, but think of it along the lines of "Docker container". The container is there mostly to make install/uninstall clean and reproducible. Win32 applications are otherwise "full privilege" applications to the APIs they used before. The Desktop Bridge stuff itself is partly open source, but definitely not portable, you can download the Desktop App Converter for free on Windows 10 [directly from the Windows Store] and it will Docker-esque use mini-Windows containers to run an existing EXE/MSI install and try to capture what it installs into an APPX package.
I don't think it currently supports installing Win32 services directly, and it definitely doesn't support things like kernel drivers. The focus is mostly on desktop applications. UWP has a powerful background task model that is powerful enough to replace many uses of Win32 Windows services for desktop application needs, and the Desktop Bridge GitHub has samples of communicating between Win32 and UWP pieces.
The full Win32 Office suite has been on the Windows Store in Preview for a couple months now, and it seems pretty clear to me that if Office can be bundled entirely in APPX than most other desktop applications don't have much excuse left.
Personally, I'm more interested in system-level programs for integrating Windows with some existing infrastructure.
That's the biggest reason, it's easy to upgrade everything at once, not getting nagged but auto updaters when you want to actually use a program, not hunting around the web to check if there are uninstalled updates, etc. The other big convenience is as you said, having everything in a single catalog.
[1] Except for the occasional package or two that the maintainers don't keep up to date, which is a shame.
- Ninite is not unattended, you have to use a gui.
- Ninite doesn't have a lot of choice and not open to more.
- All package managers only fetch a package, check some hash and run a simple installation process (it's 90% file copy)
- It's enjoyable to most coders to be able to search for and install a package without browsing a website.
- You can use chocolatey locally too, to automate provisioning in a way
It's not often I'm back in the Windows world, but when I am it feels like going back to the early 2000s.. ending up on very skeevy-looking sites trying to hunt the "Download" button that isn't a banner ad. Anything that can take that away is worth it.
Should get a lot more interest IMNHO.
Actually sometimes, reading news headlines like this sometimes makes me feel like I'm watching an advertisement for a Plumbus from Rick and Morty.
Also, I find any system where someone else tries to "add value" by wrapping or aggregating a bunch of pre-existing stuff without asking for permission from the pre-existing owners to be distasteful and somewhat rude.
What's the bet that Chocolately obtained prior permission from Telerik, Mozilla, Google or any other of the software vendors to redistribute their packages? It seems unlikely
"wget https://www.telerik.com/docs/default-source/fiddler/fiddlers... && fiddlersetup.exe"
redistribute their packages
Chocolately wasn't redistributing the Fiddler packages[0].
[0] - https://github.com/chocolatey/chocolatey-coreteampackages/bl...
AFAIK, Fiddler is not FOSS.
I'm of the opinion that Telerik has the right to license their software as they see fit, including making it not available for packaging in Chocolatey, and legal precedent makes it much more dubious whether or not the existence of an accessible URL makes it legally OK for Chocolatey to package it than I think most people here are acknowledging.
That said, the commenter I replied to also called out Mozilla, and as far as I'm aware, the software of theirs that folks package is FOSS
Chocolately never distributed Fiddler packages. This is just a basic misunderstanding of how Chocolately works.
But in practice, I'm aware of how Chocolatey works, and figured I could get away with pointing out that the US legal system has previously considered access of remote systems to be a crime even in cases of publicly exposed endpoints without having to do a longwinded explanation of the role of Chocolatey vs the end user running Chocolatey's provided scripts.
Those drivers are not open source, and did not allow for distribution. So Linux distributions included scripts to download from the public sources (provided by Broadcom), and run the install. The only software "distributed" by the OS provider, was a simple download script (probably less than a couple dozen lines).
If you are Ok with that, then note that that is what Chocolately does. I linked to the actual source code of the Chocolately package in another comment if you want to see what it does.
Providing a script to download binaries from the site is a completely different thing from re-hosting and redistributing binaries without permission. I don't use chocolatey and have no idea what the background is to this story, so don't take this as a defense of their actions.
Is there any point arguing that? If Chocolatey refused, then Telerik would remove the public download. If Telerik insists on asking for email addresses or showing a TOS before allowing a download, then that's what they're going to do.
You're technically correct, but it's not a technical issue.