Chocolatey, a package manager for Windows
September 7, 2015 3:40 AM   Subscribe

Here is Chocolatey, a package manager for Windows built on NuGet, like apt-get on Debian-based Linux systems. It requires copying and pasting a couple of command lines for initial installation, but once it's installed you can use it to install ChocolateyGUI to automate installing, upgrading and uninstalling software with a friendlier interface. Once it's working, it's a good way to quickly install software. Here you can browse the packages it can download and install for you..

The website gives directions on how to install Chocolatey from either the old Command Prompt, or the newer Windows PowerShell. Either way, be sure to open it as Administrator: right-click the shortcut and select Open As Administrator, then enter the proper command line into that. (They're different if you're using Comand Prompt or PowerShell.)

In my experience (over about three months, first with v0.9.9.6, then v0.9.9.8) using Chocolatey has not broken anything or messed things up, but of course this is no proof of universal quality. It generally downloads the software you choose to install from their distribution websites. I have noticed some pages that I chose to uninstall through Chocolatey were not actually uninstalled; for these I've noticed I can still uninstall them through the Control Panel. Beyond that, it cannot upgrade or uninstall things that weren't installed through Chocolatey.

For many things, a installation through Chocolatey appears to entail downloading the installer behind the scenes and running it in an unattended mode, so it skips through the standard installer dialogue boxes. With ChocolateyGUI, you can do things though like check several packages among the 2,000+ it has and install them all at once. An automatic uninstaller, that would note system changes made during installation for purposes of rolling back, appears to be a feature in progress.
posted by JHarris (38 comments total) 32 users marked this as a favorite
Argh... when I say "built on nuGet, like apt-get..." I did not mean to imply that apt-get is built on NuGet, which it isn't. It's amazing how many times I can read something I wrote before posting it and not miss a typo.
posted by JHarris at 3:42 AM on September 7, 2015

I meant to write miss a typo, not "not miss a typo." SEE WHAT I MEAN?
posted by JHarris at 3:51 AM on September 7, 2015 [11 favorites]

I like this, I use this and have been using it on 3 machines starting a year or so ago. No problems so far, though obviously there is a concern that something I don't want may be inadvertedly installed - which hasn't hapened. Setting up a new machine becomes a (long) one-liner. Prefer it to Ninite.
posted by dickasso at 3:51 AM on September 7, 2015 [1 favorite] it skips through the standard installer dialogue boxes.

So it runs right past the "custom install" screen and installs whatever browser toolbar, browser, or other bundled-in software the provider has been paid to inflict on the unwary? I don't see that as a benefit.
posted by Kirth Gerson at 4:16 AM on September 7, 2015 [8 favorites]

I haven't known Chocolatey packages to include those things. I think it's up to the package manager to determine the options that are checked. There is a note on the package for CCleaner (a junkware remover) that they intentionally left out its own junk.

Chocolatey's packages are maintained and checked over, often by people other than the software makers themselves. I have done no vetting of the packages beyond what I've installed myself, but I haven't noticed any adware or the like from the packages I've installed, for whatever that's worth. But then, I generally don't install the software that tries to sneak that stuff in. The very attempt puts it on my personal blacklist, with the regrettable exception of Flash's horrible habit of trying to sneak McAfee Office into their installers, which never fails to infuriate me given how Flash is still required for some sites.
posted by JHarris at 4:35 AM on September 7, 2015 [2 favorites]

A long time ago, a group of us had one of our regular "how can we get rich by writing software?" brainstorms. We decided, based on our own experiences, that package management (indeed, resource management in general) for Windows was most desperately needed.

Hurrah! On with the show!

Then we looked at what it would entail, the ways it could go wrong, the burden in maintaining it and tracking Windows itself, how packages interfered with each other... I think we got as far as sketching out some monstrous delta tracking/checkpointing/restoration system that got triggered when it saw something that looked like a package being installed, but it was horrible beyond words and we decided that perhaps we didn't want to be rich after all.

Given the way that apt-get et al can still go wrong, which have been part of the Linux landscape forever and as standard a part of a distro as you'd like, I think we made the right decision. If Chocolatey really does bring more peace than pain, then I can only tip the hat. It is much needed.
posted by Devonian at 4:45 AM on September 7, 2015 [4 favorites]

It's insane to me that modern Windows users *don't* have a standard package manager yet. It's the single best technical piece (leaving aside the freedom and politics) of the open-source *nix offerings: Short of some outliers like Slackware, all of the free unices have working package managers. Even Emacs has a package manager now. Nix/Guix are pushing things further with their bit-perfect reproducible binaries and purely-functional declarative package management.

It may be hard to sell the benefits of the Guix approach to ordinary users right now, but plain vanilla package management is just so obviously something that users would want if they knew about it. Now it's 2015 and somebody's finally come up with a hacky version for Windows.

It's great the Windows users are finally getting this benefit, but c'mon you guys; just jump in the free *nix pool already.
posted by LiteOpera at 5:24 AM on September 7, 2015 [6 favorites]

Devonian, I've used Chocolatey for a few months, and did some reading on it in the meantime as well as for this post. After all that, I'm still not sure how it compares to something like apt-get, I mostly posted it in the hopes that the convenience factor would help people out.

I agree LiteOpera, it is a thing Linux has over pretty much everyone else. I don't know exactly how hacky Chocolatey is, but its site has been crowing lately how Microsoft took Chocolatey repositories as their model for their own package management system OneGet. I guess that's something?
posted by JHarris at 5:41 AM on September 7, 2015

IIRC, Chocolatey has been around for quite a while and has a good reputation. Can't agree more that package management is one of those things that you can't believe you went without once you've had it.

So it runs right past the "custom install" screen and installs whatever browser toolbar, browser, or other bundled-in software the provider has been paid to inflict on the unwary? I don't see that as a benefit.

Nah, Chocolatey's maintainers are pretty good about that stuff. The benefit is always having up-to-date applications without having to keep up with new releases and without opening the application to allow its native update mechanism to run (if it even has one). As a result, zero-day type security is improved because you never actually run out of date code. It also saves a lot of time on the end user's part.
posted by alphagator at 5:57 AM on September 7, 2015 [1 favorite]

What bugs me is how bad most package managers are. Debian's apt-get and dpkg underneath it are really pretty terrific. They manage dependencies and upgrades well, and have done so for 10+ years. In comparison Homebrew for Macs is a shitshow. I'm grateful for it of course, but the original plan to have a lightweight package manager means now four years later it's really missing the features that make dpkg work.

And then there's all the other package managers for developers: pip, npm, gem, etc. They're all sort of OK and sort of half-assed. The only real innovation is Python's virtualenv so you can have multiple installations of things, something npm also does sort of by default.

Chocolatey looks good. About time Windows people got something better than cygwin's installer. Although maybe the more accurate comparison is to Ninite: it looks more for managing Windows apps than some command line environment.
posted by Nelson at 6:39 AM on September 7, 2015 [5 favorites]

The Windows Store looks like it's going to try to be "the package manager for Windows:" Project Centennial is the name of their proposed "Windows programs through the Windows Store". That's not just Windows 10/Metro/Universal Apps, it's MSI-based Windows programs. Apparently.

There is also "Project Westminster" for Web Apps, and "Project Islandwood" for iOS, and "Project Astoria" for Android....! Anyway, everything through the Windows Store, managed by PowerShell.

I mean to put my open-source freeware on Chocolatey, but I'm interested in the Project Centennial work for my commercial non-free software, because it comes with the payment systems...
posted by alasdair at 7:21 AM on September 7, 2015 [2 favorites]

If you'd like similar functionality on the Mac, consider autopkg and its '.install' recipes
posted by Wild_Eep at 7:24 AM on September 7, 2015

I'm glad to hear chocolatey is getting traction. It's a shame package management is so hard on Windows especially. Trying to set up Pip and Virtualenv on Windows is harder than it should be. For one thing, the installer has never set all the PATH variables correctly on any machine I've used. Considering Python is a great language for beginners, this is a real problem. Consider that Windows is the most common OS, so running into these issues will be many people's first programming environment hurdle.
posted by mccarty.tim at 8:10 AM on September 7, 2015 [1 favorite]

Recently did a whole machine rebuild in prep for Win10 w/Chocolatey as a key component, and did the same for 2 laptops for folks I like.

It's really, really hard to explain to anyone who's not had to rebuild Windows, ground-up by hand how amazing this tool is, and how much time it saves. I was happy to toss some money into their Kickstarter, and I'm hoping to start actually making a few contributions to the codebase soon.

Kirth Gerson, it's not impossible to have "add-ons" get installed w/slient, it's a major reason I used to do installs not just manually, but always custom (and thus, making the installs even slower/more hands on). That said, Chocolatey package moderation started a few months ago in part around these kind of issues, and I also use Unchecky to constrain all my installs on my machine (including Chocolatey ones). I get that tool from the Chocolatey repo as one of my 1st installs on a system I'm re/building.

Nelson I use Ninite Pro as well for the software that Chocolatey doesn't have in it's repos yet (or isn't up to date). I also use SUMo -- it seems to report on nearly everything, but you have to manually download/install any packages it finds. Between the 3 I'm well covered for the software I tend to use and chopping a lot of time/energy out of updates.
posted by Asim at 8:45 AM on September 7, 2015 [4 favorites]


"It's great the Windows users are finally getting this benefit, but c'mon you guys; just jump in the free *nix pool already."

I would, but for the fact that I need to run business and productivity software*, and I like playing games when I'm not working.

Before you all start, I have a Raspberry PI media centre, a plug computer running Debian Squeeze, and a laptop with Ubuntu, all used daily.

Windows installers have been fairly bombproof for many years hence there wasn't really a need outside the techy sphere for a *nix-style package manager. The resurgence of virtualisation is what has made it attractive now.

*that doesn't look like a 1990s shareware product.
posted by GallonOfAlan at 8:47 AM on September 7, 2015 [2 favorites]

Is InstallShield still a thing? Even back in 2000 or so it was complete garbage, taking something as simple as "copy this directory to Program Files and these three files to the User's directory" and turning it into a 45+ second ordeal with like 12 mouse clicks. Oh yeah and a proprietary scripting language to build the installer. Just hideous. Is that better in modern Windows?

For that matter why does anything take forever to install on Windows? Even a 450kb Windows Update will sometimes take 2+ minutes to install. What the hell is it doing?
posted by Nelson at 8:53 AM on September 7, 2015 [1 favorite]

I'd guess, off the top of my head, the excess time is spent creating a system restore point.
posted by JHarris at 9:12 AM on September 7, 2015 [1 favorite]

for python on windows (and anything really, but it hides a lot of the ugly of windows) I like anaconda with it's conda package manager. It handles native code dependencies really well and lets you create complete python installs for when you need things that need crazily specific setups. Ipython also helps make command line stuff on windows less painful for me.
posted by Perfectibilist at 9:31 AM on September 7, 2015

I remember the first place I saw the term "GUI". (It was 20 years ago next month)
posted by oneswellfoop at 9:51 AM on September 7, 2015

I've been using the free version of Patch My PC for a few months now -and prefer it over Ninite and Secunia - which were my previous choices. Like Chocolatey, the default options chosen and the default set of apps available - both seem to be sensible.

I can also set it not to install the desktop shortcuts - which Windows sees to think are so wonderful that admin level permission is required to get rid of the things!
posted by rongorongo at 10:13 AM on September 7, 2015 [1 favorite]

Just want to put in my 2c to the "Linux has had package management forever how does Windows not?" discussion -- I think it's important to note that from Microsoft, Apple, and Google's perspectives, their various App Stores (on desktop and mobile) ARE the package managers. That's why Windows and OS X "don't have package managers". They do, they're just walled gardens.
posted by unknownmosquito at 10:43 AM on September 7, 2015 [3 favorites]

Windows has a package manager, it's called Steam.

(Oh, you want to do WORK on your computer? Weird)
posted by selfnoise at 10:45 AM on September 7, 2015 [10 favorites]

Interestingly, the author of Chocolatey NuGet works for PuppetLabs now. Which is understandable; when your entire language relies on being able to install software by name without any user intervention, you need NuGet. And apparently Microsoft's OneGet is largely based on NuGet, which is surprising. But it's hard for me to personally get excited about this, as I've found a path through life that involves using Windows incredibly sparingly.

apt-get is sort of the gold standard here. But not because the underlying technology is awesome. dpkg/apt-get has a number of failings: it's non-transactional, it can't do multiversion installs, and it automatically restarts daemons (mysql) on upgrade. What makes it great is the Debian policy manual, and the large community of Debian developers following it. The policy sets forth a number of things; how metadata is defined and used, but also how packages should interact with one another. When two packages expect to create different files in the same place, the policy manual describes how this is resolved. Users are encouraged to file bugs against packages violating policy, and packages with unaddressed policy violations can be removed from the archive. New contributors are vetted before they can upload official packages. The result is that in contrast with EPEL or, you have a huge package collection, that you can trust to work and not wreck your computer.

From what I've seen neither NuGet or OneGet have any such documentation. And I doubt either have the long term vision to do anything that might discourage low quality contributions.
posted by pwnguin at 11:14 AM on September 7, 2015 [3 favorites]

selfnoise, you joke, but I do wonder if I'd be best off doing all my programming stuff in a Linux vm, and suspend the vm for Windows-only stuff, which is mostly Steam games.
posted by mccarty.tim at 11:30 AM on September 7, 2015 [1 favorite]

you might want to check out Docker for that.
posted by jenkinsEar at 11:32 AM on September 7, 2015

I've tried Chocolatey a couple of times but just couldn't get used to it.

Patch My PC, otoh, seems like a nice alternative. Thanks, rongorongo!
posted by Foci for Analysis at 11:36 AM on September 7, 2015

While we're on the subject of package managers, does anybody know how to get aptitude or a similar apt-related tool to display a column in search results to indicate which repository a package would get installed from? As in, which URL or entry in sources.list it's coming from?

It seems so essential to me, but I've never been able to figure out how to do it. I think I came across a way to scope a search so it only looks in one particular repository, but then you have to do multiple searches to look through all the repositories you're using. I suppose I should just write a script seeing as it's *nix, but I feel like I'm missing something.
posted by XMLicious at 12:52 PM on September 7, 2015

Can it upgrade me to Google Ultron? It's what NASA uses.
posted by Sunburnt at 1:41 PM on September 7, 2015

It's insane to me that modern Windows users *don't* have a standard package manager yet.

They do, it is just that Microsoft hasn't convinced anyone to use it yet. It is called the Windows Store (seriously!)
posted by eye of newt at 1:48 PM on September 7, 2015

I wonder how well these packages are monitored.

I'm reminded of that article where a guy decided to download the top 10 software packages from to see if his anti-virus could handle all the included malware. It couldn't and was quickly overwhelmed (even with the help of the anti-virus programs included in the top 10 packages).
posted by eye of newt at 1:51 PM on September 7, 2015

I will concur with those who say that apt is the gold standard, from a user perspective, and also that this is not necessarily because the underlying tech is exceptionally good. Building Debian packages, let alone fully compliant and you did everything right and no one is going to humiliate you on a public mailing list for this packages, is an unremitting nightmare. I had good intentions for a number of years of involving myself in the development of Debian. A year or so of reading the mailing list and maintaining some unofficial niche packages for a related hobbyist platform has cured me of any illusions that I have the fortitude for it.

I think we are probably on the cusp of some major shifts in how we organize software distribution that hopefully will remove a lot of the incidental pain and historical cruft, but I suspect it's going to be a long hard road.

In the meantime, my hat is off to the people who do the work of packaging, in whatever environment they're doing it. It is a grueling and all too often thankless task.

While we're on the subject of package managers, does anybody know how to get aptitude or a similar apt-related tool to display a column in search results to indicate which repository a package would get installed from? As in, which URL or entry in sources.list it's coming from?

I had to dig around in man pages for a minute, but I think you want apt-cache policy [package].
posted by brennen at 2:44 PM on September 7, 2015 [4 favorites]

What's wrong with homebrew? It's not perfect, but at least they know that practicality and simplicity matters. I actually use the "linuxbrew" version on various unices to maintain local builds of utilities when I don't want to have to shuffle around tar.gz source dists to all the various boxes.

Fink was the original attempt to bring apt-get to mac, and it well and truly sucked because apt-get isn't actually that practical if you don't have a whole organization behind it building and vetting their crazy package dependencies.

MacPorts, pkgsrc are great if you want to spend a week (re-)compiling bullshit you don't need, but in general, aren't actually improvements over just running linux (net/open/freebsd) in a vm on the machine and using apt-get :-)

Anaconda is great, but only because they are getting paid, and there is a very narrow focus, of course, so they have no real far-ranging dependency issues.
posted by smidgen at 3:00 PM on September 7, 2015

smidgen, MacPorts has binaries for most ports. Sometimes they lag a little bit behind source, but only because it takes the buildbots time to compile and sometimes they get busy.
posted by El Mariachi at 5:04 PM on September 7, 2015

While we're on the subject of package managers, does anybody know how to get aptitude or a similar apt-related tool to display a column in search results to indicate which repository a package would get installed from? As in, which URL or entry in sources.list it's coming from?

apt-cache policy $pkgname does the trick. madison has similar results in a slightly easier to parse format.
posted by pwnguin at 7:06 PM on September 7, 2015 [1 favorite]

What's wrong with homebrew?

posted by ChurchHatesTucker at 7:13 PM on September 7, 2015 [1 favorite]

Two questions: who controls the keys to the repository and who vets and reviews the people who have upload access?
posted by introp at 9:40 PM on September 7, 2015

> Interestingly, the author of Chocolatey NuGet works for PuppetLabs now.

Yeah, I've been working with Rob for two years now, and it was great to have him join us (disclaimer: I work at Puppet). Showing Chocolatey to windows admins is kind of an eye opening experience for them, since so much work used to be "acquire MSI / Installer, then click through installation." Previously Puppet could automate the second half once you got us the MSI / installer, but having a package manager on the platform itself makes our lives much, much easier.

> Two questions: who controls the keys to the repository and who vets and reviews the people who have upload access?

Much like other community projects, the community has a few folks who are in charge of it, but the chocolatey tool itself is pretty transparent, for example the Flash Player Plugin here shows the powershell used to install the flash (under the files option it has an option to show the script).

There is also the option to host one's own Chocolately repo server, which for any organization is the sane way to do it, since just like with apt or yum repos, having control of those inside one's org is a good idea. Extra work on the management side of things to control the repo, but also lets ensure that you aren't nuking 1000 systems by accident due to someone adding a bad package upstream - or your system provisioning fails for three hours because the central repo is offline due to maintenance issues and you missed the notification on their mailing list (causing your CI processes to fail because your automated testing relies on building servers to have your code deployed against for integration testing).
posted by mrzarquon at 9:01 AM on September 8, 2015 [1 favorite]

I've been using Patch My PC since this post and it's great. It updates everything and things just work as expected.
posted by Foci for Analysis at 9:19 AM on September 19, 2015

« Older click click, clickclick click   |   “Am I Islamophobic? Probably, yes.” Newer »

This thread has been archived and is closed to new comments