Specification: PUA Allowlisting with User Warnings#6293
Draft
denelon wants to merge 1 commit into
Conversation
Specification for a tiered PUA classification system enabling legitimate software (RustDesk, Malwarebytes, etc.) to be published to winget-pkgs with governed allowlisting, client warnings, and GPO controls. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Trenly
reviewed
Jun 17, 2026
| | **Restricted** | Legitimate uses but elevated risk profile | Moderator review required | Strong warning + consent | | ||
| | **Blocked** | Confirmed unwanted/malicious | Rejected | N/A | | ||
| ### Manifest Schema Extension (v1.29.0) |
| ### Allowlist Governance | ||
| Maintained as `policies/pua-allowlist.yaml` in `winget-pkgs`: |
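Review bot: the visible lines give two places a package's classification can live, the `PuaClassification` manifest field introduced by the v1.29.0 schema extension and the `policies/pua-allowlist.yaml` file in `winget-pkgs`, but nothing here says which is authoritative when they disagree (a manifest declaring a tier for a package with no allowlist entry, or an entry whose tier differs from the manifest). The spec should state the precedence and whether validation rejects a mismatch, since the Restricted tier's "Moderator review required" gate only holds if the allowlist cannot be bypassed by editing the manifest alone.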
Contributor
There was a problem hiding this comment.
Clarify if this file is maintained by automation, or manually. What edit restrictions need to be placed on it at pkgs?
Comment on lines +134 to +137
| #### `--silent`: | ||
| Warning suppressed entirely. Installation proceeds. | ||
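Review bot: `--silent` as written suppresses the warning entirely and lets installation proceed, which for the Restricted tier drops the "Strong warning + consent" step the tier table requires; a scripted `winget install --silent` would then install a Restricted package with no consent recorded. Suggest stating explicitly whether `--silent` is treated as consent for Restricted packages or whether that tier still needs a dedicated acknowledgement flag, and how the Group Policy controls interact with either choice.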
Contributor
There was a problem hiding this comment.
--silent does not currently control any CLI behavior as far as I'm aware, it only uses the silent installer switches. Confirm if the two behaviors should be mixed
| | `winget upgrade` | Show PUA warning if upgrading a PUA package | | ||
| | `winget show` | Display PUA classification in package details | | ||
| | `winget search` | `--include-security` shows PUA flag in results | | ||
| | `winget list` | `--include-security` shows PUA flag for installed PUA packages | |
| ### Schema Version | ||
| Requires manifest schema version 1.29.0 for the `PuaClassification` field. |
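Review bot: the `winget upgrade` row says the warning is shown when upgrading a PUA package, but does not say whether consent given at install time carries over, or what happens when the classification changes between the installed version and the new one (for example a package moving into the Restricted tier). Suggest specifying both, and clarifying whether `winget list --include-security` reports the classification of the installed version or the one in the current manifest.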
📖 Description
Specification for a tiered PUA classification system enabling legitimate software (RustDesk, Malwarebytes, etc.) to be published to winget-pkgs with governed allowlisting, client-side warnings, and Group Policy controls. Includes manifest schema extension, validation pipeline changes, and enterprise policy management.
Authored with GitHub Copilot assistance.
🔗 References
Related Issues:
🔍 Validation
Spec document — no code changes to validate.