
One solution I advocate for is more widespread adoption of Chocolatey (http://chocolatey.org).

I can

cinst putty

and get what I need automatically.

Sure, I have to trust the maintainer, but you know, if more people used Chocolatey to install packages, more people might be able to ensure it's safe.

It's not bulletproof but it sure is better than searching the web for the right download.



https://chocolatey.org/install.ps1, which is fetched from the main install snippet, downloads Chocolatey over plain HTTP.


Which is then executed in a PowerShell with -ExecutionPolicy unrestricted.
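As an added illustration of the two weaknesses raised above (a plain-HTTP fetch and execution under an unrestricted policy), the following PowerShell wrapper is example code, not Chocolatey's installer: it refuses a non-HTTPS URL, pins a SHA-256 hash of the script, and requires a valid Authenticode signature before running it. The URL and hash are placeholders, and `Get-AuthenticodeSignature` assumes Windows PowerShell.

```powershell
# Example wrapper (not the project's own installer). The URL and expected
# hash are placeholders; take the real values from the project's release page.
$Url          = 'https://example.invalid/install.ps1'       # placeholder
$ExpectedHash = 'PLACEHOLDER_SHA256_FROM_RELEASE_PAGE'       # placeholder
$Script       = Join-Path $env:TEMP 'install.ps1'

# HTTPS only: a plain-http URL lets anyone on the path rewrite the script.
if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing non-HTTPS download: $Url"
}

Invoke-WebRequest -Uri $Url -OutFile $Script -UseBasicParsing

# Pinned hash: catches a tampered or silently changed script even over TLS.
$actual = (Get-FileHash -Path $Script -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
    Remove-Item $Script -Force
    throw "Hash mismatch: expected $ExpectedHash, got $actual"
}

# Authenticode: the script must carry a signature the machine trusts.
$sig = Get-AuthenticodeSignature -FilePath $Script
if ($sig.Status -ne 'Valid') {
    Remove-Item $Script -Force
    throw "Signature check failed: $($sig.Status) ($($sig.StatusMessage))"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Run under the existing execution policy; a validly signed script does not
# need -ExecutionPolicy Unrestricted.
& $Script
```

Both checks fail closed and delete the downloaded file, so a mismatch leaves nothing behind to run by accident.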


There's an 80/20 thing here, though. Except more like 99.9/.1.

Yes, there is value in ensuring software is delivered without tampering direct from a trusted source. But the main problem people are dealing with is finding a trusted source for the install - one that actually delivers the software they wanted, without malware, without a confusing installer. Chocolatey solves the main problem pretty well. I can look at download counts, comments, and repos to verify what the installer is doing. There's an active forum that discusses problems or suggested improvements to packages.

It doesn't verify that there's no tampering along the way, but for most users that's an absolutely minuscule problem compared with the "Google / Click Link / Install Wrong Program and/or Malware" system.


So, let's fix that.


While that's a nice sentiment, it indicates a rather complete lack of understanding of security issues by chocolatey in the first place.

Sure, they can move that particular download to https, but it doesn't install any confidence that they've thought through the rest of their flow. As far as I can tell, packages don't even need to be signed.

As a result, I'd not be able to trust anything they do.


Which goes back to my original statement. If more people used it and knew about it, maybe more people could get involved.

This stuff is hard. And presumably we're doing this programming stuff because we're not afraid of hard problems.

One problem at a time - end users can't find the right links to download, so this solves that.

Now open some issues about the security stuff and let's get that patched up.

Telling people to not use Windows, or that "X is flawed so rather than fix it I'll avoid it" isn't moving anything anywhere. I'd rather get involved.


Ninite is another option with a similar purpose.



