
Introducing PackageManagement in Windows 10 - sz4kerto
http://blogs.technet.com/b/packagemanagement/archive/2015/04/29/introducing-packagemanagement-in-windows-10.aspx
======
SwellJoe
I was going to say, "Finally! They've gotten it right after all these years of
sucking so hard as to be unusable on servers." But, I did some digging into
the github for OneGet
([https://github.com/OneGet/oneget](https://github.com/OneGet/oneget))...

And, they haven't gotten it right. Windows package management still sucks so
hard as to make the OS unusable on servers (and annoying as hell on the
desktop). This is seemingly a simple-minded downloader, with none of the
capabilities I would expect of a modern package manager. Sure, it's nice that
it can download and install stuff from the command line (and it's idiotic that
it's been so difficult to do that in the past), pulling from a variety of
sources. But to imply that this is somehow comparable to apt or yum is
disingenuous, at best. I'm guessing it's simply ignorance; Windows folks
usually have no idea what they're missing (if they did, they couldn't possibly
tolerate how bad it is).

I can find no mention of dependency resolution, for starters, which is the
core reason apt and yum are magnificent. Nothing about querying for what files
or commands are provided by which packages. Basic validation tools (i.e. if I
uninstall or upgrade X, will Y break?), also seem to be missing.

In short: It's simply not a package manager in the sense we mean when we speak
of apt or yum. "Lipstick on a pig" is a saying that might apply here.

~~~
alkonaut
Is application dependency management in windows normally a problem? Apart from
the odd runtime, I expect Windows applications to be pretty much self
contained, and not dependent on any system-wide libraries (which is a huge
benefit I think).

For development it's a different story, there you can have several levels of
dependencies, but there NuGet at least appears at least as powerful as similar
options on other platforms.

~~~
ioddly
> Is application dependency management in windows normally a problem?

It has its own name.

[http://en.wikipedia.org/wiki/DLL_Hell](http://en.wikipedia.org/wiki/DLL_Hell)

~~~
mdlowman
DLL hell certainly used to be a big issue in Windows. But I disagree that it
remains a major factor; Windows apps are increasingly bundled and Windows
system functions that used to be the cause of these issues, like DirectX, are
packaged as redistributables that allow side-by-side installs.

~~~
thrownaway122
How do they handle security updates? Does every app have to update all its own
libraries in an e.g. heartbleed scenario?

~~~
useerup
There's the WinSxS and the GAC (Global Assembly Cache). In SxS actually means
side-by-side. Both WinSxS and the GAC supports multiple versions of the same
libraries, and the program manifests set up policies for which library
versions they require/accept.

An application may for instance say that it accepts any newer "minor" version.

For security patching you can replace a library with a new "build". So if an
application uses libraries placed in WinSxS or the GAC it will pick up any
centrally patched libraries without the risk of jumping to a too new version
with breaking changes. The new version _can_ exist alongside older versions
and they can all be patched - for security reasons or otherwise.

A vendor can also distribute libraries alongside the application - in the
application library itself. In that case the responsibility for patching is
placed squarely on the vendor of that application.

------
tomswartz07
Perhaps I missed it, but the article doesn't mention this in any way: Windows
ABSOLUTELY needs a way to go from 'Fresh Install' to 'Fully upgraded' with
minimal interaction.

Linux can do this: run `apt-get dist-upgrade` in Ubuntu, and you get all of
the most recent updates.

However, in Windows, you install 3 updates, restart, install 5 updates,
restart, install 110 updates, restart....

~~~
stephengillie
One of the core issues with breaking this pattern is that you're installing a
new feature on this reboot, then installing all of its patches on the next
reboot.

    
    
      So you install 186 updates on a fresh install. This includes .NET 4.5 (or 4.5.1 or 4.5.2), and requires a reboot.
    
      Now you're done right? You just installed 168 updates, how many updates can there be? On your next reboot, you get another 60 updates, of which 20 are .NET 4.5 updates and security updates. Another is the OS SP1, which needed a reboot before install.
    
      Now you're done right? You just installed 228 updates, how many updates can there be? On your next reboot, you have another 168 updates, most of which are patches for OS SP1. 
    
      Now you're done right? You just installed 396 updates, how many updates can there be? On your next reboot, you have another 12 updates, including...
    

I've seen this chain across more than 6 reboots. I once literally spent an
entire day just patching a server.

~~~
tomswartz07
Yep, this is exactly what I'm talking about.

I don't see why they cant 'look ahead' to say; Oh- this update X depends on
update Y, but it's going to be installed, so we could just add it in the queue
anyway.

~~~
bentcorner
Or rather, slipstream future updates to current downloads. E.g., if you're
installing component X that has patches A, B, C, then perhaps you should get
customers to download component X that is already in a patched state.

~~~
whoopdedo
What I always wonder, while twiddling my thumbs during the interminable
upgrade-reboot-upgrade cycle, is how many of these these updates will be
overwritten by a later update. Am I wasting my time downloading multiple
versions of the same file?

~~~
UweSchmidt
These upgrade-shortcuts could introduce a significant increase in testing
complexity if you want ensure that you can go from any system version to the
current version.

On the other hand, with the current system people upgrade from Windows 1.0 to
8 (e.g.
[https://www.youtube.com/watch?v=8WP7AkJo3OE](https://www.youtube.com/watch?v=8WP7AkJo3OE)).

------
eliaspro
Although I applaud the efforts, at the current state that's just sugarcoating
the nastiness of code-executing installers. A package installation should
basically just deploy the components of a passive package archive to the
filesystem and leave any actions to the package manager. This solution doesn't
even provide a generic interface e.g. to run a query which file would be
provided by which package or to which package a specific file in the
filesystem belongs to. The installation process still relies on mostly
uncontrollable code execution.

~~~
seanp2k2
Well, how else would windows software give you an option to decline to not
skip disabling the installation of their system heath turbo-boost quick launch
tray toolbar search engine registry cleaner by checking a box?

------
lmedinas
Windows badly needs this to be a general Development OS. Lot's of developers
in the last years run away from Windows to OSX and Linux because of this.

Without Visual Studio, which installs the C++ and .Net dev env, it's a pain to
install anything which works out of the box in Windows.

Example: Perl or Python both have an installer but you have to update the
system PATH, the console sucks so you can never use it, no simple way to keep
it update unless you use the installer again and so on...

If all these goodies are available in a "unixy away" i'm sure Windows will be
used by general Developers.

~~~
k-mcgrady
>> "Without Visual Studio, which installs the C++ and .Net dev env, it's a
pain to install anything which works out of the box in Windows."

On Mac don't you need to installed the Xcode command line tools before being
able to do most dev stuff?

~~~
evilduck
That's the easiest way, but not the only way. Likewise, on Ubuntu you also
often need build-essentials and various other dev libs manually installed.

~~~
lmedinas
Do we really want to compare "sudo apt-get install build-essentials" with
installing all VS, Perl,Python etc... in Windows ? :)

~~~
recursive
Well, in some ways it's worse.

I'm not too familiar with linux, but a year or two ago, I was trying to set up
a rails development environment on a Ubuntu VM. I had quite a few challenges
along the way, but one of them that I recall that confounded me for an hour or
so was that I needed to install build-essentials, which was not documented in
the guide I was using, nor was it marked as a dependency in whatever package I
was actually trying to install.

When you install Visual Studio, generally it automatically installs anything
you're missing, or at least tells you how to do it.

------
igravious
I recently blogged about the Linux world needing something like this.

[http://leto.electropoiesis.org/propaganda/plugins-and-
packag...](http://leto.electropoiesis.org/propaganda/plugins-and-packages-and-
extensions-and-bundles-oh-my/)

I hate having to individually update my Wordpress install, my Rubies, my
system packages, my IDE (be it Eclipse or Android Studio), a separate TeXLive
install from the OS packages, even Vim now has its own package management with
Pathogen...

There must be some way to _unify_ this proliferation of software update
mechanisms.

edit: It would be _ironic_ in the extreme if Windows of all platforms manages
to get this out the gate before the Linux community considering how awesome
stuff like apt-get, yum, and emerge are... Oh well, just goes to show that
open-source giveth with the one hand and taketh with the other.

~~~
Sir_Substance
[https://xkcd.com/927/](https://xkcd.com/927/)

~~~
igravious
So cynical. But unfortunately, so true.

------
outworlder
Oh, wow.

Please, can I get a decent command line now?

~~~
dummyfellow
you can get conemu

~~~
kelvin0
Tried it, and it looks nice ... however crashes very often for me, and
sometime becomes horribly slow (typing and seeing it displayed takes close to
a second..)

------
hetman
This really is an audacious proposal and will be an awesome tool if they pull
it off. For now there is still a long way to go. There is no command for
upgrading a package version yet for example; in fact, when I looked at this a
month ago, if you force it to install a newer package version without
uninstalling the old one first, it simply seems to forget the old one ever
existed and leaves associated files behind. Hopefully a lot of this will be
ironed out by the time Windows 10 is released.

------
dvdcxn
As someone who isn't very familiar with package managers, what does this mean
for Chocolatey?

~~~
cwyers
[https://groups.google.com/forum/#!topic/chocolatey/a8WdEoF-M...](https://groups.google.com/forum/#!topic/chocolatey/a8WdEoF-M58)

> What does this mean for Chocolatey? More awesome. More security. More
> better. Chocolatey is going nowhere, OneGet is a core API that enables
> package managers to hook in and take advantage of Windows components easier.

> The best understanding I have is that OneGet is shipping with a prototype
> plugin compatible with Chocolatey. Right now this means that it is separate
> from Chocolatey. We will be working with Garrett to bring the plugin over to
> core Chocolatey as we rewrite the Chocolatey client in C# this year.

> Right now folks are getting up in arms as they see this as a replacement for
> Chocolatey and it is not. Chocolatey will need to build a few hooks for use
> with OneGet.

~~~
towelguy
So Chocolatey is gonna use OneGet in the back? I was thinking it would be a
package provider for OneGet instead.

~~~
squeaky-clean
I don't know much about how this works, but it looks like that's exactly it.

[https://github.com/OneGet/ChocolateyProvider](https://github.com/OneGet/ChocolateyProvider)

------
davidgerard
FUCKING YES.

Good package management (apt in particular) is a magnificent feature of
Debian/Ubuntu.

The barest approximation of dependency-management in Windows is supplied by
Ninite.

------
deevus
It's not exactly a package manager (it doesn't do proper dependency
management) but for development I absolutely love Scoop[1]. It makes it so
simple to get tools for Windows command line without Cygwin.

Disclaimer: I'm a contributer

[1]: [http://scoop.sh/](http://scoop.sh/)

------
_RPM
But where will the software come from? Do you have to hook up your credit card
to the package manager?

------
ddingus
Well, one small step.

I first encountered package management in SGI IRIX. IRIX had a "mini root",
which was an installer, subset of IRIX, running single user mode. Just know
it's there for now, and hold that thought.

Most of the time, people launched "swmgr", which put a nice GUI on top of
"inst", which was the actual tool doing the work. Inst eventually could pull
from an http repository, and of course, worked with file based ones, mounted
however made best sense.

That thing was seriously potent! One time, I needed to setup Alias renderer
software on a bunch of machines to push out a little movie. So I just did it,
remote displaying the gui on my O2 after mounting a shared image to work from.

Asked them all to load it, and about half reported out of space. Right MID
INSTALL, I was given the option to do some removals, so I did, at which point
the primary task could continue. Short story was it took about 30 minutes to
blast some renderer software onto about 10 IRIX boxes, all with users logged
in, doing stuff.

(Yes, I looked at what they were running, and pulled some sub-systems that
wouldn't impact them, and no, they didn't ever know it was done, but for some
disk activity)

After authoring a little script to push frames around, I set 'em all to render
with every free cycle, and as users left the building, added a renderer
process and escalated the priority of both. It all got done, I pulled the
software, and on the machines that I had pruned from, put that all back, and
never heard a peep.

Awesome. No reboots.

The other notable thing was taking my very first IRIX filesystem from a modest
Indy, all the way through to a multi-CPU Origin system. Each time, I would
clone it, setup on a new box, launch that mini-root, have it evaluate what was
there, issue a couple of commands to keep configuration, update system, go.
And it would update all the libraries, drivers, and assorted bits to run on
the new box.

From time to time, I would need to do a little cleanup, maybe touching an
unmanaged application and a setting or two, but I really did carry one file
system through about 10 years of computing, using a package manager to keep it
sorted with basically zero issues.

This was mid 90's.

Linux has most of those features today, (hello apt get!) and it's a bigger
mess of packages, but then again, there is a whole lot more managed now than
IRIX had. Some companies would produce managed packages and sync up with SGI,
and those were great. Others were tarballs. Oh well. One could make packages
and go that way, and I did a time or two, but mostly didn't.

The thing I liked the most about that era of software, and about IRIX in
particular, was how just about every single thing was written to be effective
and useful on the command line, and in scripted form.

Additionally, most everything had a --gui, or --verbose option, or both that
would improve on the console I/O to the point where a gui could just be a
wrapper, able to do what it needs to do without there being anything separate
needed. When in single user mode, or remote console, terminal, whatever,
really didn't matter. One could script, run a gui, command line, whatever, and
it all just worked fine.

Back then, I saw Linux growing, and also later, saw Linux start to get the
better bits of IRIX as SGI moved off IRIX and MIPS and onto Linux Itanium.
That caused me to pick up a copy of Redhat 5.2 and begin switching over. One
of the best moves I ever made actually.

So those days on IRIX are long gone, but I really do miss the fantastic
systems engineering, package management, and documentation they shipped. It
was complete, and if you went digging, what you needed to know actually
shipped on the box with very, very few exceptions.

Windows... Yeah, it's better now. I run it all the time, and that's due to
some software and the niche I'm in. No worries. But it really never did
compare to the work SGI did in the 90's. Few things have.

I'm glad to see this. Just like I'm glad to see lots of things in Microsoft
land, many way overdue.

I just wish it would launch a bit more complete and be a bit less painful
before it really settles in and works well.

Maybe somebody should give these guys a tour of computing outside the bubble.
There were a lot of really great things done. Seems to me, getting them done
again, now, unabashedly is the right move. No shame. Just do it.

Lots of us would be a lot happier, and we really don't care where it comes
from. Just nail it for those of us who have to continue to run the OS.

Thanks.

------
WorldWideWayne
Please give us something that doesn't require PowerShell, since PowerShell
never just works. Just look at the ridiculous bullshit that you have to deal
with when you want to use Chocolatey (from the Chocolatey install guide):

 _Note: You must have your execution policy set to unrestricted (or at least
in bypass) for this to work (Set-ExecutionPolicy Unrestricted). There have
been reports that RemoteSigned is enough for the install to work._

~~~
bkeroack
> PowerShell never just works.

That statement is a bit much. I agree the default execution policy is
annoying, but can you blame MS for being a little overzealous given their
history?

Some aspects of Powershell are actually pretty nice. Ever want to use a real
hashmap in bash for example? Or easy JSON construction/manipulation without
hacks like jq? PS has all that.

~~~
simplexion
I have had so many people tell me how fantastic PowerShell is. Not a single
one of them was ever a *nix user. PowerShell is getting better with a tab
completion of sorts but it is still a headache to figure out commands without
web search. I try to force myself to use PowerShell as often as possible, but
continuously find myself going back to a GUI. I have the opposite problem when
using Linux.

~~~
aesthetics1
I think this comes from being unfamiliar with it.

Want to know what you can do with network adapters? Run Get-Help _AD_ to see
every cmdlet containing AD, and narrow your search from there.

Get-Help auto-updates itself. See a command, but want to know all of the ins
and outs (syntax etc) of using it? Run Get-Help [command]. Use the optional
-Examples flag to see several well-explained examples. You can even add
-Online to get the technet article to launch in your default web browser.

I would think that _nix users would feel at home with powershell. Microsoft
has made a big push for getting developers to take a second look at Windows.
They even set up aliases for common_ nix commands. Don't type 'dir', just type
'ls' \- It works fine.

~~~
dlitz
> Microsoft has made a big push for getting developers to take a second look
> at Windows.

This presumes that the developers' first look and decision to stay away from
Windows was mistaken. It wasn't.

I avoid Windows because mistakes were made. If Microsoft continues to assert
that _I 'm_ the one who made the mistakes, then I'm just going to keep
avoiding their stuff.

As a developer, I make dependency choices based largely on my confidence in
the upstream's judgment. Microsoft has a long track record of making poor
technical decisions and then never fixing them. I've also heard enough about
their internal culture to understand how difficult this would be to change.
Introducing a shell or a package manager well over a decade after it was clear
that they needed one doesn't inspire confidence.

Not to mention Microsoft's tendency act coercively when they can get away with
it, and friendly when they can't. Yes, I'm bitter about this.

I still don't plan on taking a second look.

------
acd
I wrote to m$ requesting this feature a few years ago, happy it got
implemented regardless of they listened or not. It will be good for security
and admins/devops.

