What are package managers? It is very important for sane, safe, and reliable computing. Yet most computer users don’t know what package managers are. Windows doesn’t have one (well, there are some third party ones that nobody knows about or uses), and this may be one of the biggest reasons people I know still get malware. In this post I hope to explain what they are, what they accomplish, and why you should use one.
So here are some common scenarios I see:
1 - Suzy has installed some programs such as anything from Adobe (particularly Flash), something that required the Java runtime, and various other third party programs for Windows. Every time she boots her computer, it slows down so each of these can phone home, check for and maybe download updates, and pester her with notifications that each of these things needs to be updated. What a pain! Package managers fix this.
2 - Jordan wants to install some program, such as Firefox. He searches for an installer, clicks some random link that is not from Mozilla (the makers of Firefox), and runs the installer he found there. Little did he know that this installer from random-not-mozilla-but-some-bad-guy.com installed a bunch of spyware, adware, or other malware alongside Firefox. Also, it installed firefox with 15 advertising and shopping bars! Yuck! Package managers fix this. (this one is the one I see my parents doing all the time.)
3 - William (ok, this one is actually a real person — me) is asked by a friend to help clean up and make her computer go faster. He checks the installed programs and finds a bunch of crap! After checking with the friend which ones are actually used, they mostly aren’t! While trying to remove what most obviously seems like malware or otherwise unwanted cruft, the uninstallation scripts fail! The computer stalls and hangs various times! Even when stuff goes reasonably well, everything usually isn’t completely cleaned up, and crap is left in the (stupid) MS Windows registry and other places. The computer will never be quite the same without going to (what is particularly with Windows) extreme measures — re-installing (which on Windows is so much more of a pain than on any Linux distro…). This would be fixed by package managers!
So now that I’ve set up various pains which they fix, let me explain a little bit about how programs are installed. Programs are files. Sometimes they have auxiliary files that are needed as well — images, sound files, etc. To install a program, these files need to be copied somewhere that the system knows about. And really, that’s all that needs to happen for a sane operating system. But the powers that be decide that we want insane computing. So often installation of programs (especially on Windows) requires the updating of some databases or “registries”. This means that these programs need a little helper program along with them that changes those database files.
Without package managers, you have to go find an installer program that someone set up to put all the files in the right place, and edit the registry files. However, these installation programs or “scripts”, can really do whatever they want. When you get one from Joe Shmoe on the internet, he could have put anything in that script. Therefore, you get malware, advertising, and generally junk. And software needs to be updated. When you just have a program installed by running an installer program, there is no centralized way to know if, when, or how to update things. So this means either no updates happen unless the user manually goes and searches for updates (to everything), or each program has extra functionality to check all these things themselves. Then they run — wait for it — another script that can do anything to update these files. Get the picture? And what about uninstalling? You don’t want a program anymore, so you want to get rid of it and all the problems it causes you. Well, you need an *un*installer program for this, which is generally bundled in. But the makers of the software didn’t want you to *un*install it, only install it! So these are generally shoddy, poorly written scripts that leave things in a mess. And of course, they can do anything, so they might even have been written by your malicious friend Joe P. Shmoe hacker who bundled the adware, and he wants revenge if you uninstall it!
Package managers, however, handle the situation differently.
The idea with package managers is that they have a listing of software from trusted sources set up by you, your operating system distributor, or some other third party that you trust. IE an operating system with a package manager (say, Ubuntu GNU/Linux) comes with a listing of software curated by the distributor (Canonical), generally auditable by the community (the various Ubuntu users at large). You can add extra listings from third parties you trust, or add your own. The package manager can then update from these lists of sources to find out about updates to all your software, and fetch them (in “packages”) for installation/update. The package manager can handle dependencies (IE one program requires another), which is always a sore spot in Windows. When paired with Free/Open Source software (which is generally the case with GNU/Linux distributions), the software can be retrieved in source code form, which you can build yourself, or which can be built automatically by various servers. These builds can be cross-checked to ensure the produced packages are identical, proving that they have not been tampered with behind the scenes, adding malware.
Since, in reality, most software does not need any script to run, often the packages have no scripts — just files to put in the right place. When this happens, there is no program running that can do anything it wants to any part of your computer — just a trusted system (the package manager) unzipping files into their places. Beautiful. This is unfortunately not always the case, but tends to be the norm with eg. Arch Linux.
So in summary, if you use a package manager, you get your software from trusted sources (rather than scouring random websites for them), you have a centralized system on your computer to track and maintain all installations and updates, including dependencies of the programs you use. And all of this leads to stable, dependable systems where software can be added and removed cleanly. They’re not all perfect, and some of them are (much) better than others, but they are an important piece of computing machinery that is sorely needed in most platforms.
Extra tidbits for those who still want to read or want more detail…
It’s not a silver bullet for secure computing — the issue of trust in computing runs deep, and there is a large chain of people you need to trust. But package management in Free Software operating systems is pretty good — stuff is generally packaged by someone other than the original author (IE someone is at least slightly reviewing the software getting packaged, in case the author is evil). The packages are not build directly, but there is a recipe for it — IE an easy to read set of automated instructions for how to retrieve the source and build it. These recipes make it easier to see if the packager has tampered with the software, and are generally viewed by at least a couple of unrelated parties (who can check on each other). And people who volunteer their time to contribute to free (as in freedom!) software projects are usually not out to get you. This contrasts to the proprietary and Windows world of one person/company making an unscrutable executable file (IE nobody can see the source code and know what it does. And if you look at the track record of software companies, they are usually out to control what you can do, lock you into their software, and keep you from using other peoples’ software.), packaged (as an install script) by themselves or some bad guy masquerading as them (so there is no review in the install scripts, which are actually often less of “scripts” (which generally means code that can run but can still be read) and more inscrutable binary files themselves (and remember, install scripts can do anything). And compound all of this with the user searching random websites to install it… it’s a recipe for disaster!
Also, free software systems aren’t the only ones who have package managers (though they’re leaps and bounds better, and they’ve had them since the early 90’s. The early 90’s!!! This is something people could have been using for over 20 years, but stupid corporate interests (MS, and to a lesser degree Apple) have kept computing in the dark ages of packaging!). For example, IOS (Iphone, Ipad…) has package management. But it is controlled solely by Apple, not by you (eg. they can delete or change your software remotely without your consent or even notification, which they have done maliciously various times. You can’t add software or software repositories that you trust, etc. You really just rent Apple products from their true owners and masters — Apple, inc). Android has package management, but there is not really a high level of trust in the repositories (there is no review, anyone can add packages, and there are often complaints of malware), and it is also pretty controlled by Google. Neither of these systems handle dependencies in any way. But they do offer more security and cleanliness in the installation/uninstallation and update process. (I could go on for hours and hours about how they are both terrible operating systems, though, for a myriad of technical, social, and political reasons.)
For those wondering what is different about programs running scripts in installers vs running a program normally and how that can make a difference for security: Generally when you run programs they run under a normal user account that is more limited in privileges, meaning can’t do simply anything. But when you install stuff you have to do it as “root”, or as an “administrator” (you probably get a pop-up box asking for permission that, granted, you just say “yes” to). Basically what this means is that at this time you give the program full control over everything. So it can change what starts up automatically, for instance. Maybe it makes something run automatically that logs all your keystrokes (including usernames and passwords) and sends them in an encrypted connection to somewhere the bad guy can read them. Programs that you run normally have less power to do stuff like that, and you have to launch the program yourself. Not that this means you can’t run a keylogger as a normal user (you can). But most systems don’t let ordinary user programs decide what starts automatically, for instance (I think). Generally, it’s just a little safer when bad guys get some limitations.
This post complains about the Windows registry and OS registries in general. They are a bad idea, for various reasons I won’t go over here. But with regards to package management, one of the easiest ways to replace them is to simply make a directory of independent files where the different registry entries would go — they are much more manageable, and the computer can read them all at startup just as easily as it can read the single file registry. Heck, if you want you can generate a registry from the directory tree at regular intervals. This would eliminate the need for those horrible installation/uninstallation/update package scripts!
I have thought a fair bit about package managers, and what makes some of them better than others. I have thought out some great ideas for my ideal package manager, which I will probably write about at a later time (and it will probably be much more technical).