Microsoft announces official Windows package manager. 'Not a package manager' users snap back

Linux envy? And why not use existing ones like Chocolatey?


Build Microsoft has said it will push out a new package manager - now in preview - that sounds useful but raises some awkward questions and issues.

Announced at the (virtual) Build conference under way now, the imaginatively named Windows Package Manager is for installing applications, rather than components for developers, for which there are solutions like NuGet and NPM.

Among the best features of Linux is the availability of package managers, such as Debian's Apt, that can install, remove and manage dependencies for applications from the command line. It is not perfect – dependency version issues or broken configuration files can be a problem – but most of the time it makes it easy to get what you want, and is scriptable. Many users would like Windows to be equally convenient to use.

Microsoft has reinforced its relatively newfound love for the command line by introducing Windows Package Manager which lets you install packages from repositories. The default repository is called the Community repo. Malware is a concern, and the company said: "we leverage SmartScreen, static analysis, SHA256 hash validation and a few other processes to reduce the likelihood of malicious software making its way into the repository and onto your machine."

A quick look at what is currently available shows a range of applications including 7Zip, AWS CLI (Command Line Interface), Azure CLI, Discord, Dropbox, KeePass, Git, Inkscape, TreeSize, LibreOffice, PowerToys, SQL Server Management Studio, Gimp, Visual Studio, Firefox, Spotify, Zoom and many more. You can search for packages and validate hash values, a useful check against tampering. You can also add third-party repositories, though none yet exist. When generally available, it will support Windows 10 version 1709 and later.

Some of the packages available in the Windows Package Manager

Some of the packages available in the Windows Package Manager

Getting to those issues, the first that comes to mind is: why has Microsoft created a new package manager rather than using an existing one? Alternatives include Chocolatey which says it has over 7,700 packages and over a billion packages installed by users?

"There were several reasons leading us to create a new solution, Microsoft's senior Program Manager Demitrius Nelon said.

These are mainly to do with the security of the community repository, though he said there were unspecified challenges around "delivering the client program as a native Windows application." He added: "If you are happy with your current package manager, keep using it."

More seriously, the current preview is limited to installation; it does not even have a remove option for packages. It does not auto-update packages or even have any mechanism to update them, and there is no specific dependency management. On the to-do list are features including uninstall, update, and Store app support.

These problems have led to a fundamental issue raised on the WinGet GitHub repository, titled: "Not a package manager." The poster opined: "All it does is downloading installers (which are not packages) and executing them (which is not management)."

Group program manager Andrew Clinick replied that WinGet is a response to requests for "the ability to script what is required to setup a developer machines" and that the real solution to Windows package management is in MSIX, the preferred deployment method, but that WinGet cannot afford to exclude other types of install, since many applications do not yet support MSIX. "Once you're in MSIX we can keep the app up to date, uninstall cleanly plus understand what dependencies are required," he said.

Windows is always in transition, but reaching the point where MSIX is sufficiently well embedded to enable satisfactory package management still looks some way off. There is also the issue of paid-for applications which WinGet does not currently address.

WinGet can be improved, but getting it to work in the way it should depends on the evolution of Windows itself. ®

Broader topics


Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022