Wednesday, 28 June 2017

Is the Windows user ready for apt-get?

WHAT IT DOES

Chocolatey lets you install Windows applications quickly from the command line via a central catalog of installation scripts. You could install Git, 7Zip or even Microsoft Office (given a key.) The idea is seamless and quiet installations using a well-known key.
For example, once installed you can do this from and command line:
  • cinst git
  • cinst 7zip
  • cinst ruby
  • cinst vlc
That's basically it.
The catalog has grown so complete, in fact, that I recently wanted to install DosBox so I could play Zork. I took and chance and just "cinst dosbox" and it worked. THAT is a the promise that Chocolatey makes.

GETTING STARTED WITH CHOCOLATEY

You can get started by first installing the Chocolatey package manager. Copy paste this line to your command line and run it. (More on the fearfulness of this first step in a moment).
@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%systemdrive%\chocolatey\bin
Presumably you like to know what command line stuff is going to do to your computer before you do it, so parse this line out. It's going to launch PowerShell to do the hard work. Nearly every Windows machine has PowerShell these days, and it's PowerShell that makes Chocolatey work.
Some folks have custom profiles so the -NoProfile switch suppresses custom profiles to prevent conflicts during installation. It launches a chunk of PowerShell script that it downloads from https://chocolatey.org/install.ps1/ then executes. Note that it's setting execution policy to unrestricted to do this. To be clear, it's executing code downloaded over the web, so there is a non-zero risk there. It then adds Chocolatey to your path (for this one prompt) so you can use it immediately. It'll be added to future instances of prompts automatically.
Look at https://chocolatey.org/install.ps1 now. It's a very clean and easy to read script. It downloads the Chocolatey installation zip file (which is actually a NuGet package), unzips it and continues the installation by running a scripts in the tools section of the package.

HOW IT WORKS

Chocolatey is a bootstrapper that uses PowerShell scripts and the NuGet packaging format to install apps for you. NuGet is the package management system that Windows Developers use to bring libraries down at the project level. Chocolatey (get it? Chocolatey Nu-Get?) extends that concept to bring applications down at the system level.
Today if you want to get 7Zip, you usually google for it, find the site, figure out the latest version or right version for your system, download it, run it, next next next finish and maybe add it to your path. Chocolatey does that for you.
Again, NuGet is libraries installed locally for projects, Chocolatey is applications installed globally for your whole system.
Chocolatey uses PowerShell scripts (that you never have to think about) that package developers use to chain installations and build dependency trees. Take the internals of a Git installation script for example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
try {
  Install-ChocolateyPackage 'git.install' 'exe' '/VERYSILENT' 'http://msysgit.googlecode.com/files/Git-1.8.1.2-preview20130201.exe'
 
  #------- ADDITIONAL SETUP -------#
  $is64bit = (Get-WmiObject Win32_Processor).AddressWidth -eq 64
  $programFiles = $env:programfiles
  if ($is64bit) {$programFiles = ${env:ProgramFiles(x86)}}
  $gitPath = Join-Path $programFiles 'Git\cmd'
 
  Install-ChocolateyPath $gitPath 'user'
 
@"
 
Making GIT core.autocrlf false
"@ | Write-Host
 
  #make GIT core.autocrlf false
  & "$env:comspec" '/c git config --global core.autocrlf false'
 
  Write-ChocolateySuccess 'git.install'
} catch {
  Write-ChocolateyFailure 'git.install' $($_.Exception.Message)
  throw
}
The most important part for you to take away here is the first line. Note that this Chocolatey script is downloading Git from the mSysGit Site. Chocolatey is not changing installers, making installers or hosting installers. It's automating the boring parts of getting software, but it's still getting that software from the same location as always.

ADVANCED STUFF

Once you learn the basics - and they're pretty basic - there's more depth to Chocolatey to explore. Beyond the cinst and cuninst there's other commands to make installing stuff on Windows easier. Remember, they're all in your PATH so you can call these commands anytime.
Each of these major sources can be called with cinst using the -source parameter like "cinst IISExpress - source WebPI" or using their own aliases for simplicity as shown below.
  • cwindowsfeatures - If you've ever opened Add/Remove programs then click Install Windows Features in order to setup IIS or Hyper-V then this command is for you. Some examples:
    • cwindowsfeatures  IIS-WebServerRole
    • cwindowsfeatures Microsoft-Hyper-V-All
    • cwindowsfeatures TelnetClient
      • Plus, you can always clist -source windowsfeatures for the complete list.
  • cwebpi - The Web Platform Installer is a great GUI for downloading any development tools you might need for Web Development on Windows. It's a catalog, an installer, and a chainer. There's also a command-line version of WebPI that Chocolatey integrates with so you can:
    • cwebpi IISExpress
    • cwebpi VWDOrVs11AzurePack_2_0
      • And again, clist -source webpi gets you a list of what you can do.
There's a more complete list at the Chocolatey Commands Reference including how it integrates with Cygwin, Gems and Python.

SECURITY ISSUES

nugetlogoThis is a prickly one. How do you make a system that lets you install anything directly from the Internet quickly, cleanly, and easily without, well, installing something evil directly from the Internet? You'll want the communication with the server to be secure and the packages trusted, but you'll also want to make sure the packages haven't been tampered with since they were uploaded. There's the inevitable threat of a man-in-the-middle attack. You'll want to watch for malicious packages and enable quick takedowns if one sneaks by.
Security concerns aren't unique to Chocolatey, of course. They are a part of package repositories since their inception. The node npm repository had a security breach in March of 2012, and the folks at andyet explored the issues surrounding it, but also pointed out that personal responsibility has to have a role as well.
Linux's apt-get solves much of this with appropriate uses of cryptography and best practices that can (and should) be emulated. Packages in apt repos are signed with SecureApp, there are warnings if you're using a 3rd party repo or installing an unsigned package.
The Chocolatey team has been very quick to jump on security issues and they are very approachable. They've added SSL where appropriate and are aware of the work to come. If Chocolatey gets big (bandwidth and costs is a question in my mind) perhaps a non-profit organization would step in to help with not only costs, but also security audits and best practices.
Security has a big future aspect of chocolatey. At the present I am the curator and I every day I get an email showing me all of the new packages that went in the day before. I look at all packages from new authors and I typically look at the first version of most new packages from authors I have good contacts with.
I've talked at length with others about having a moderated feed in the aspect of every package, every new version would be approved prior to showing up on the main feed. I am paying attention to how debian does things with multiple feeds and there are thoughts to move in that direction as well.
Security? In the future we are looking at a small group of folks be an approving body for nupkgs. We also talked about showing the hash for the nupkg, and possibly letting folks specify a hash for the installers so chocolatey can verify the things it downloads prior to execution.
Chocolatey's LIB folderCould I make a Chocolatey package called "FormatMyHardDrive?" Sure I could, just like I could ask you to open an admin prompt and format c: /q, but you won't, right? ;)

WHAT'S NEXT?

Chocolatey is clearly not meant to be used by your "Gender Non-Specific Non-Technical Parent" and it does have some "competition" in the form of the Ninite GUI installation utility. While still not for the average Joe/Jane and having only a limited catalog, Ninite does fill a gap for the super-user to quickly get the common apps and utilities they want.
Additionally, is Chocolatey really apt-get? It's not installing libraries system-wide, although there's no reason it couldn't. Other open source projects like CoApp would like to be the Windows app-get although CoApp is more of a "system-wide libraries, C++ support, and Unix-like utilities" and Chocolatey is more of a "developer and poweruser utilities and their dependencies."
Chocolatey does install dependencies and you can see that happen yourself by trying out "cinst gitextensions" which itself has a dependency on git. Chocolatey will walk the graph and install what it needs before finally installing gitextensions.
Where Chocolatey, and ultimately Windows itself, falls down is with odd PATHing and install locations. Because Windows doesn't have formal install locations for things and because Chocolatey puts itself first in the PATH, it's possible to get one's self into odd situations where apps that were installed outside of Chocolatey don't line up with apps installed inside. For example, I installed Git with Chocolatey some months ago, then forgot about that version and installed a newer version of Git on my own. However, I kept hitting an old git bug because the Chocolatey version of Git was "first." I believe issues like this have changed with recent builds of Chocolatey, but the point remains: it's hard on Windows today to who installed what low-level utility, when, and where it ended up.

BRANDING

Now, by no means to I want to take away from the hard work done by Rob and the team, but (and I've said this to Rob before) I really have trouble getting past the name Chocolatey. Sure, there are two ways to spell "Chocolaty," which make it hard at least for me to type "Chocolatey" reliably. The -ey is a theoretically a valid variant spelling, but you can tell that that to the red squiggled underline in Word. But it's less the spelling and more the name itself. It lacks the nerdiness of an "npm," the gravitas of an "apt-get," or the poetic terseness of a "gem."  I realize that we are living in a world with companies called Hulu, Yahoo, Microsoft (seriously, MICRO SOFT, what is that?) and Google, but it's worth pointing out that a good name can really take a project to the next level. I'm not sure Chocolatey is the right name for this project, but that's 100% my opinion.
I encourage you, technical reader, to check out Chocolatey for yourself! It's a powerful tool, an engaged and growing community and an interesting piece of tech in its own right.
Is Chocolatey the apt-get Windows users have been waiting for? Sound off in the comments.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.

Blog Archive