As the title states, It’s interesting how my workflow evolves over time, usually from my experiences or as I come to understand what I’m doing better. When I first started using Gemini in this manner, I’d simply ask a question, then use the response to accomplish whatever I was asking about. My process has evolved into describing my hardware and which OS I’m using when appropriate before getting to what I’m attempting to accomplish, and my process is resulting in me being asked fewer and fewer follow-up questions as my ‘prompt’ improves. My interaction has become more conversational over time.
For example, in Windows, I use UniGetUI to monitor, notify me, and manage/update installed software as updates become available. UniGetUI uses win-get and in my case, scoop for package management behind the scenes. The win-get repository is vetted and curated by Microsoft, so if I can trust Microsoft enough to use their Windows OS, I should also be able to trust the content of the win-get repository to be malware-free. Scoop on the other hand is community-driven, and open source, so while the community attempts to vet the repository’s content, the process is not as thorough as the process Microsoft puts submissions through, so I wanted to better ensure that what I use from scoop’s as safe as reasonably possible. To accomplish my goal, I chatted with Google’s Gemini.
We started with developing a PowerShell script to scan the scoop packages for software I have installed on my computer (I had to get an API key to do that - an easy fix). Next I decided to first run the scoop scan, then offer to open UniGetUI to it’s updates page, allowing me to abort the update if malware’s detected. Since we already have the script to scan updates from scoop for installed software, Gemini recommended we keep it and create another one to run it, then open UniGetUI on its Updates page.
The process involved creating the script to scan scoop packages on the server that are installed on my computer, and finding that a VirusTotal API key is required, so I logged into VirusTotal to get my API key (I’m already a community member), and set it up with scoop so the scan can succeed, as well as modifying the command to execute the PowerShell script so Windows will allow it to execute rather than to open it in a text editor (the Windows default behavior).
So the dev process was very iterative, first by enabling the script to be executed in PowerShell rather than immediately exiting with a momentary flash of red text on the screen, then discovering the need for the VirusTotal API key. With the scoop scan script working properly, the next step was setting up the script to run the scan, then open UniGetUI. This is where the bypass command had to be added, because the script was attempting to execute a helper script (the scoop scan script).
With all that done and functioning properly, I now can have as much trust in the software on my computer that comes from the scoop repository as I have for what comes from Win-get.
My reasoning for doing this is that we’ve been seeing malware getting inserted into what should otherwise be trustworthy packages (note the recent issues with Arch’s AUR), it occurred to me that the same could easily happen with any community-driven repository as is scoop.
Now, if I ever decide to use any package from the AUR, I can create a similar script to use VirusTotal to scan it in a similar fashion before executing garuda-update, and I mat post a suggestion that Garuda add such a scan as part of the update script, although I’m uncertain how likely it may be that the distribution would want to go to the additional membership cost that would be involved when users can implement the scan at no cost by creating a wrapper script to implement the scan, then ask if the update should be executed.
Perhaps my next Linux project will be to implement the VirusTotal scan before executing garuda-update. If I find that such a scan can be implemented, I may come back with my implementation so my IT’sFOSS community family can use it too, although that would require any user who would implement toe scan would have to become a VirusTotal community member (there is a free membership level). I’m sorry if I tended to ramble a bit here,
Ernie