Build Microsoft has said it will push out a new package manager - now in preview - that sounds useful but raises some awkward questions and issues.
Announced at the (virtual) Build conference under way now, the imaginatively named Windows Package Manager is for installing applications, rather than components for developers, for which there are solutions like NuGet and NPM.
Among the best features of Linux is the availability of package managers, such as Debian's Apt, that can install, remove and manage dependencies for applications from the command line. It is not perfect – dependency version issues or broken configuration files can be a problem – but most of the time it makes it easy to get what you want, and is scriptable. Many users would like Windows to be equally convenient to use.
Microsoft has reinforced its relatively newfound love for the command line by introducing Windows Package Manager which lets you install packages from repositories. The default repository is called the Community repo. Malware is a concern, and the company said: "we leverage SmartScreen, static analysis, SHA256 hash validation and a few other processes to reduce the likelihood of malicious software making its way into the repository and onto your machine."
A quick look at what is currently available shows a range of applications including 7Zip, AWS CLI (Command Line Interface), Azure CLI, Discord, Dropbox, KeePass, Git, Inkscape, TreeSize, LibreOffice, PowerToys, SQL Server Management Studio, Gimp, Visual Studio, Firefox, Spotify, Zoom and many more. You can search for packages and validate hash values, a useful check against tampering. You can also add third-party repositories, though none yet exist. When generally available, it will support Windows 10 version 1709 and later.
Getting to those issues, the first that comes to mind is: why has Microsoft created a new package manager rather than using an existing one? Alternatives include Chocolatey which says it has over 7,700 packages and over a billion packages installed by users?
"There were several reasons leading us to create a new solution, Microsoft's senior Program Manager Demitrius Nelon said.
These are mainly to do with the security of the community repository, though he said there were unspecified challenges around "delivering the client program as a native Windows application." He added: "If you are happy with your current package manager, keep using it."
More seriously, the current preview is limited to installation; it does not even have a remove option for packages. It does not auto-update packages or even have any mechanism to update them, and there is no specific dependency management. On the to-do list are features including uninstall, update, and Store app support.
These problems have led to a fundamental issue raised on the WinGet GitHub repository, titled: "Not a package manager." The poster opined: "All it does is downloading installers (which are not packages) and executing them (which is not management)."
Group program manager Andrew Clinick replied that WinGet is a response to requests for "the ability to script what is required to setup a developer machines" and that the real solution to Windows package management is in MSIX, the preferred deployment method, but that WinGet cannot afford to exclude other types of install, since many applications do not yet support MSIX. "Once you're in MSIX we can keep the app up to date, uninstall cleanly plus understand what dependencies are required," he said.
Windows is always in transition, but reaching the point where MSIX is sufficiently well embedded to enable satisfactory package management still looks some way off. There is also the issue of paid-for applications which WinGet does not currently address.
WinGet can be improved, but getting it to work in the way it should depends on the evolution of Windows itself. ®
Sponsored: Ransomware has gone nuclear