The information in this article concerns the following products:
- SwyxIt!
- Swyx
SUMMARY
Enreach does not yet support WinGet for Swyx software, but 3rd-parties publishing Swyx software for WinGet might interfere with your installation when you use WinGet for automatic updates.
Either don’t use it or mitigate the risks by using winget pin or your own WinGet repository.
WHAT IS WINGET?
Current Windows versions ship the WinGet package manager, which can automate software installation and updates on Windows, similar to Linux package managers. By default, the WinGet client in Windows uses a community-driven repository which provides package descriptions for the software to install.
As long as a software package like SwyxIt! is available for download publicly on the internet anybody can create a package description for winget and publish that in the community repository.
Note: If you find Swyx software via winget search … that information is not provided or controlled by Enreach. It may or may not point to genuine Swyx software downloads.
Enreach does not (yet) support WinGet for Swyx software and does not provide Swyx software descriptions via the standard WinGet repository. However, third parties unrelated to Enreach have already published Swyx software package descriptions in the WinGet repository in the past. Enreach cannot prevent that because the WinGet repository has no mechanisms in place to do that.
Note: The WinGet community repository does not give any guarantees about the source of the software described in the repository. It is the responsibility of the users using WinGet on their Windows machines to decide if a software offered via WinGet is genuine or not.
UNWANTED SWYXIT! UPDATES VIA WINGET
WinGet has an automatic detection mechanism which uses a heuristic to find software descriptions in its repository for software not installed via winget. Once that happens WinGet can and will update this software.
We observed that this detection already found SwyxIt! software descriptions published by a 3rd-party, which causes the winget update command to update a SwyxIt! that had not been installed via WinGet. These updates cannot know about dependencies of SwyxIt! on the installed SwyxServer version and just perform the update anyway.
Note: When you use winget update you might get SwyxIt! updated to a version which is not compatible with the SwyxServer or SwyxON tenant you are using. As a consequence these users won't be able to log on to SwyxServer!
Because of the way WinGet works (see above) Enreach cannot prevent these updates from happening.
RISKS OF USING WINGET FOR SWYX SOFTWARE UPDATES
If used improperly, the use of WinGet for automatic software updates carries certain risks in general, but also specifically in the context of Swyx:
- The standard WinGet repository does not give any guarantees about the software it describes and relies on standard Windows mechanisms (like Defender or digital signatures on the installers) for checking if an installer is genuine.
- The digital signature check Windows performs for silent MSI updates (standard when using winget update) does not prevent an MSI signed by a different entity than Enreach to run and update installed Swyx software.
- The WinGet update mechanism cannot know about SwyxIt!'s dependency on specific SwyxServer or SwyxON tenant versions. It would just update SwyxIt! to a version incompatible with your Swyx Server or SwyxON tenant.
PREVENT WINGET FROM UPDATING SWYXIT!
If you intend to use WinGet on your Windows systems you have a few options to prevent it from updating SwyxIt!
- Option 1: Use WinGet software pinning
  WinGet has a software pinning function to restrict the winget update or winget update --all function from updating a package.
  Example: If you have Swyx 14.25 you can pin SwyxIt to 14.25.* versions like this:
  winget pin add --id Enreach.SwyxIt -v 14.25.*
  Because Enreach cannot control what software descriptions are uploaded to the community repository by 3rd-parties, the ID might be different than the one in this example.
  Pinning is a WinGet client feature and must be done on every system where WinGet is used.
- Option 2: Do not use the community-driven WinGet repository
  While this may sound drastic, you could configure your Windows systems to not use the community-driven WinGet repository like this:
  winget source remove winget
  and rely on your own self-hosted repository where you have control over the software descriptions offered in that repository.
  Allowed sources can also be defined via group policy.
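The pinning procedure from Option 1 as a PowerShell sketch that first shows which package ID WinGet has matched to the installed SwyxIt! and then checks that the pin was registered. This is an added example, not provided by Enreach; the function name Set-SwyxItPin is hypothetical, and the ID Enreach.SwyxIt and release 14.25 are taken from the example above.

```powershell
function Set-SwyxItPin {
    param(
        [Parameter(Mandatory)][string]$PackageId,  # Id column from 'winget list'
        [Parameter(Mandatory)][string]$Release     # Swyx release line, e.g. 14.25
    )

    # Gating pin: updates remain possible inside <Release>.*, nothing beyond it.
    # --exact avoids pinning a different package whose ID merely contains this one.
    winget pin add --id $PackageId --exact --version "$Release.*"
    if ($LASTEXITCODE -ne 0) {
        throw "winget pin add failed for '$PackageId'"
    }

    # Verify that the pin is registered on this machine.
    $pins = winget pin list | Out-String
    if ($pins -notmatch [regex]::Escape($PackageId)) {
        throw "No pin for '$PackageId' found in 'winget pin list'"
    }
    Write-Output "Pinned $PackageId to $Release.*"
}

# Step 1: see which ID WinGet has matched to the installed SwyxIt!.
# The ID is chosen by whoever published the package description.
winget list --name SwyxIt

# Step 2: pin that ID. Replace the value with the Id column from step 1
# if it differs from the one used in the article's example.
Set-SwyxItPin -PackageId 'Enreach.SwyxIt' -Release '14.25'
```

Because pins are stored per WinGet client, the script has to run on every machine, for example through your software deployment tooling.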