Monday, November 12, 2018

Number one complaint I hear about Chocolatey and why it's no big deal.

The number one complaint I hear from people when I pitch them Chocolatey is: "How do I know that what I'm installing is safe?" Let's look at why people are asking this. First, Chocolatey downloads packages that contain installers and PowerShell scripts and then executes them. Second, anyone can submit a package. It's easy to see why a person might not be comfortable with this scenario. Let's keep in mind that Chocolatey uses moderation and packages are virus scanned when uploaded, but according to their docs, virus scanning at runtime and during install is for licensed (paid) editions only. Some people I have talked to are still sceptical about using it even with virus scanning. This really boils down to wanting perfect control, or not trusting the moderation.

There is an easy way to make Chocolatey just as secure as your current manual or automated process. If you create your own packages and internally host your own Chocolatey server, you will be no less secure than your current process. Creating your own packages allows you to point at versions of installers your team has downloaded directly from the vendors. You can also control what PowerShell runs during install. Hosting your own Chocolatey server is as easy as setting up a NuGet server.

After you set up a Chocolatey server, the steps to create your local and "safe" packages are:
  1. Download the package from Chocolatey.org
  2. Modify the package to point to your local binaries
  3. Verify the PowerShell doesn't do anything you don't want
  4. Publish the package to your local Chocolatey server
In most cases you'll see that you're really just downloading a package from Chocolatey, modifying the URL to point to your local installer, then publishing it locally. It's quick, and you'll have exactly what you want: perfect control.
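Here is the four-step procedure above as one PowerShell script. This is an added example, not code from the post or from the Chocolatey project. The internal server name, installer URL and path, API key variable and the community-feed download URL are all assumptions; the script also assumes the package's `chocolateyinstall.ps1` uses the common `$packageArgs` hashtable layout (`url = '...'`, `checksum = '...'`, `checksumType = '...'`), so anything laid out differently (a separate `url64bit` entry, for instance) is left for you to edit by hand, and the script refuses to push while any non-internal URL remains in the install scripts.

```powershell
# Added example: re-home a community Chocolatey package onto internal infrastructure.
# All hostnames, paths and the API-key variable below are placeholders (assumptions).
param(
    [Parameter(Mandatory)] [string]$PackageId,   # id as shown on chocolatey.org
    [Parameter(Mandatory)] [string]$Version,
    # Installer your team fetched from the vendor and placed on an internal web server
    [string]$InternalInstallerUrl  = 'https://installers.corp.example/vendor/setup.exe',
    # Local copy of that same file, used to compute the checksum the package will enforce
    [string]$InternalInstallerPath = 'C:\installers\setup.exe',
    # Internal Chocolatey/NuGet server and its push key (assumed names)
    [string]$InternalFeed = 'https://choco.corp.example/chocolatey',
    [string]$ApiKey       = $env:CHOCO_PUSH_KEY
)
$ErrorActionPreference = 'Stop'
$work  = Join-Path $env:TEMP "$PackageId.$Version"
$nupkg = "$work.nupkg"

# 1. Download the community package (NuGet v2 download URL of the community feed; assumed)
Invoke-WebRequest -Uri "https://chocolatey.org/api/v2/package/$PackageId/$Version" `
    -OutFile $nupkg -UseBasicParsing

# A .nupkg is a zip; Windows PowerShell's Expand-Archive insists on a .zip extension
Copy-Item $nupkg "$work.zip" -Force
Expand-Archive -Path "$work.zip" -DestinationPath $work -Force

# 3 (done early). Review: every script under tools\ runs on your machines, so read them
$scripts = Get-ChildItem (Join-Path $work 'tools') -Filter '*.ps1'
foreach ($s in $scripts) { Write-Host "=== $($s.Name) ==="; Get-Content $s.FullName }

# 2. Re-point the download at your copy and pin its SHA256 so a swapped file fails to install
$install = Join-Path $work 'tools\chocolateyinstall.ps1'
$sha256  = (Get-FileHash -Path $InternalInstallerPath -Algorithm SHA256).Hash
$text = Get-Content -Path $install -Raw
$text = $text -replace "(?m)^(\s*url\s*=\s*)['""][^'""]*['""]",          "`$1'$InternalInstallerUrl'"
$text = $text -replace "(?m)^(\s*checksum\s*=\s*)['""][^'""]*['""]",     "`$1'$sha256'"
$text = $text -replace "(?m)^(\s*checksumType\s*=\s*)['""][^'""]*['""]", "`$1'sha256'"
Set-Content -Path $install -Value $text -Encoding UTF8

# 3 (again, mechanically). Fail closed: no install script may still reach outside your network
$internalHost = ([Uri]$InternalInstallerUrl).Host
foreach ($s in $scripts) {
    $hits = Select-String -Path $s.FullName -Pattern 'https?://[^\s''"]+' -AllMatches |
            ForEach-Object { $_.Matches.Value } |
            Where-Object { ([Uri]$_).Host -ne $internalHost }
    if ($hits) { throw "External URL(s) left in $($s.Name): $($hits -join ', ')" }
}

# 4. Repack and push to the internal server. NuGet's own metadata folders would otherwise
#    be bundled a second time by choco pack, so drop them first ([Content_Types].xml needs
#    -LiteralPath because of the brackets).
Remove-Item -LiteralPath (Join-Path $work '_rels'), (Join-Path $work 'package'),
    (Join-Path $work '[Content_Types].xml') -Recurse -Force -ErrorAction SilentlyContinue
$nuspec = Get-ChildItem $work -Filter '*.nuspec' | Select-Object -First 1
$out    = Join-Path $work 'out'
New-Item -ItemType Directory -Path $out -Force | Out-Null
choco pack $nuspec.FullName --outputdirectory $out
$built = Get-ChildItem $out -Filter '*.nupkg' | Select-Object -First 1
choco push $built.FullName --source $InternalFeed --api-key $ApiKey
```

The package id and version are unchanged, so clients install it with `choco install <id> --source <your internal feed>`. Two design choices worth noting: the checksum is recomputed from the file you actually host, so the package enforces the integrity of your copy rather than the vendor's public one; and the URL scan throws on anything that is not your installer host, including URLs in comments, which is the intended fail-closed behaviour (edit or delete the line and run again).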

I would argue that you don't need perfect control and you can trust moderation. I would still set up a local Chocolatey server, but not for security. Having a local Chocolatey server allows you to make customized packages and get faster downloads.

The number two complaint: "So why the dumb name?" Some people don't get the reference right away.