Security of Extension and Software from GitHub to Store


Hello, I want to discuss a thing.

I actually have a very high level of security rules applied on my network/computer (hardware and software), but it seems there is a hole in the transparency we can have as a software engineer.

For instance, I have explained in my security policy how my hardware and software security during development and testing of my extension is done, and with which software.

But the hole lies in the upload to the Microsoft Store of the code stored on GitHub. I want to know if it is possible, now or later, to deploy an update to Partner Center (where we upload these extensions/software to the Microsoft Store) directly, without having to pass through a zip on the computer (and add a flag on the Store page (or GitHub page) that this is done).

I ask this to totally eliminate the reliance on trust that the developer has really uploaded the same version to the Store (minus the file signature added by Microsoft) as the one on GitHub.

I actually know that some users/devs will not like that (like any security update; see Windows 11 TPM enforcement to understand), but transparency and security are now something very important.

Hope to see constructive answers on how I can achieve that even if GitHub / Store don't propose it.

0 Replies
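The check the post asks for (the published payload equals the GitHub build, minus Microsoft's signature) can at least be done after the fact by a reviewer or user. The following is an added example, not code from the post or from Microsoft; it assumes the Store package is a zip-based MSIX/APPX whose signature is the `AppxSignature.p7x` entry, and that the reference package was built reproducibly from the GitHub source.

```python
import hashlib
import io
import zipfile

# Entries a signing step is expected to add or rewrite. Assumption (not from
# the post): the Store package is MSIX/APPX, a zip container whose signature
# lives in AppxSignature.p7x. Adjust the set for other package formats.
SIGNATURE_ENTRIES = {"AppxSignature.p7x"}


def entry_digests(data: bytes, ignore=SIGNATURE_ENTRIES) -> dict:
    """Map each file entry in a zip payload to its SHA-256, skipping
    directory entries and the signature entries in `ignore`."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename in ignore:
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_packages(reference: bytes, published: bytes,
                     ignore=SIGNATURE_ENTRIES) -> dict:
    """Diff a reference package (built from the GitHub source) against the
    published one. Empty lists mean the payloads match modulo `ignore`."""
    ref, pub = entry_digests(reference, ignore), entry_digests(published, ignore)
    return {
        "added": sorted(set(pub) - set(ref)),
        "removed": sorted(set(ref) - set(pub)),
        "changed": sorted(n for n in ref.keys() & pub.keys() if ref[n] != pub[n]),
    }


def build_zip(entries: dict) -> bytes:
    """Build a constructed sample package in memory (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the GitHub build, a faithful signed Store copy, and a
# Store copy whose script was altered before upload.
SRC = {"manifest.json": b'{"version":"1.2.0"}', "app.js": b"console.log('hi')"}
REFERENCE = build_zip(SRC)
PUBLISHED_OK = build_zip({**SRC, "AppxSignature.p7x": b"<signature>"})
PUBLISHED_TAMPERED = build_zip({**SRC, "app.js": b"console.log('bye')",
                                "AppxSignature.p7x": b"<signature>"})
```

The comparison only proves equality of the two archives; it says nothing unless the reference build itself is reproducible from the tagged GitHub commit, so pin toolchain versions and build timestamps in the CI job that produces the reference.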