Package manager

An early package manager was SMIT (and its backend installp) from IBM AIX. SMIT was introduced with AIX 3.0 in 1989.{{Citation needed|date=July 2007}}

Early package managers, from around 1994, had no automatic dependency resolution{{cite web |url=https://eerielinux.wordpress.com/2017/08/15/the-history-of-nix-package-management/ |title=The history of *nix package management |date=14 August 2017 |access-date=12 October 2021 |archive-date=24 October 2021 |archive-url=https://web.archive.org/web/20211024173626/https://eerielinux.wordpress.com/2017/08/15/the-history-of-nix-package-management/ |url-status=live }} but could already drastically simplify the process of adding and removing software from a running system.{{cite web |url=https://www.linuxjournal.com/article/60 |title=A review of InfoMagic's December 1994 Release |access-date=12 October 2021 |archive-date=29 October 2021 |archive-url=https://web.archive.org/web/20211029171535/https://www.linuxjournal.com/article/60 |url-status=live }}

By around 1995, beginning with CPAN, package managers began doing the work of downloading packages from a repository, automatically resolving its dependencies and installing them as needed, making it much easier to install, uninstall and update software from a system.{{cite web |url=http://history.perl.org/PerlTimeline.html |title=The Timeline of Perl and its Culture |access-date=29 October 2021 |archive-date=11 January 2013 |archive-url=https://web.archive.org/web/20130111100906/http://history.perl.org/PerlTimeline.html |url-status=live }}

File:Pms.svg new software. Manual actions can include accepting a license agreement or selecting some package-specific configuration options.]]

A software package is an archive file containing a computer program as well as necessary metadata for its deployment. The computer program can be in source code that has to be compiled and built first.Ludovic Courtès, [https://arxiv.org/abs/1305.4584 Functional Package Management with Guix] {{Webarchive|url=https://web.archive.org/web/20200515101137/https://arxiv.org/abs/1305.4584 |date=15 May 2020 }}, June 2013, Madrid, European Lisp Symposium 2013 Package metadata include package description, package version, and dependencies (other packages that need to be installed beforehand).

Package managers are charged with the task of finding, installing, maintaining or uninstalling software packages upon the user's command. Typical functions of a package management system include:

• Working with file archivers to extract package archives
• Ensuring the integrity and authenticity of the package by verifying their checksums and digital certificates, respectively
• Looking up, downloading, installing, or updating existing software from a software repository or app store
• Grouping packages by function to reduce user confusion
• Managing dependencies to ensure a package is installed with all packages it requires, thus avoiding "dependency hell"

Computer systems that rely on dynamic library linking, instead of static library linking, share executable libraries of machine instructions across packages and applications. In these systems, conflicting relationships between different packages requiring different versions of libraries results in a challenge colloquially known as "dependency hell". On Microsoft Windows systems, this is also called "DLL hell" when working with dynamically linked libraries.{{cite book |first= Chris |last= Tucker |title= 29th International Conference on Software Engineering (ICSE'07) |chapter= OPIUM: Optimal Package Install/Uninstall Manager |publisher= UC San Diego |date= 2007-03-15 |page=1 |doi=10.1109/ICSE.2007.59 |isbn= 978-0-7695-2828-1 |s2cid= 1279451 |url= https://escholarship.org/uc/item/1k07h5vk |chapter-url= http://cseweb.ucsd.edu/~lerner/papers/opium.pdf |archive-url=https://web.archive.org/web/20110614051810/http://cseweb.ucsd.edu/~lerner/papers/opium.pdf |archive-date=2011-06-14 |url-status=live |access-date= 2011-09-14}}

Modern package managers have mostly solved these problems, by allowing parallel installation of multiple versions of a library (e.g. OPENSTEP's Framework system), a dependency of any kind (e.g. slots in Gentoo Portage), and even of packages compiled with different compiler versions (e.g. dynamic libraries built by the Glasgow Haskell Compiler, where a stable ABI does not exist), in order to enable other packages to specify which version they were linked or even installed against.

System administrators may install and maintain software using tools other than package management software. For example, a local administrator may download unpackaged source code, compile it, and install it. This may cause the state of the local system to fall out of synchronization with the state of the package manager's database. The local administrator will be required to take additional measures, such as manually managing some dependencies or integrating the changes into the package manager.

There are tools available to ensure that locally compiled packages are integrated with the package management. For distributions based on .deb and .rpm files as well as Slackware Linux, there is CheckInstall, and for recipe-based systems such as Gentoo Linux and hybrid systems such as Arch Linux, it is possible to write a recipe first, which then ensures that the package fits into the local package database.{{Citation needed|date=July 2007}}

Particularly troublesome with software upgrades are upgrades of configuration files. Since package managers, at least on Unix systems, originated as extensions of file archiving utilities, they can usually only either overwrite or retain configuration files, rather than applying rules to them. There are exceptions to this that usually apply to kernel configuration (which, if broken, will render the computer unusable after a restart). Problems can be caused if the format of configuration files changes; for instance, if the old configuration file does not explicitly disable new options that should be disabled. Some package managers, such as Debian's dpkg, allow configuration during installation. In other situations, it is desirable to install packages with the default configuration and then overwrite this configuration, for instance, in headless installations to a large number of computers. This kind of pre-configured installation is also supported by dpkg.

To give users more control over the kinds of software that they are allowing to be installed on their system (and sometimes due to legal or convenience reasons on the distributors' side), software is often downloaded from a number of software repositories.{{cite web |title=Linux repository classification schemes |date=13 January 2006 |url=http://braintickle.blogspot.com/2006/01/linux-repository-classification.html |publisher=braintickle.blogspot.com |access-date=2008-03-01 |archive-date=11 October 2007 |archive-url=https://web.archive.org/web/20071011053815/http://braintickle.blogspot.com/2006/01/linux-repository-classification.html |url-status=live }}

When a user interacts with the package management software to bring about an upgrade, it is customary to present the user with the list of actions to be executed (usually the list of packages to be upgraded, and possibly giving the old and new version numbers), and allow the user to either accept the upgrade in bulk, or select individual packages for upgrades. Many package managers can be configured to never upgrade certain packages, or to upgrade them only when critical vulnerabilities or instabilities are found in the previous version, as defined by the packager of the software. This process is sometimes called version pinning.

For instance:

• yum supports this with the syntax exclude=openoffice*{{cite web |title=CentOS yum pinning rpms|url=http://lists.centos.org/pipermail/centos/2005-May/046320.html|publisher=centos.org|access-date=2008-03-01 |url-status=unfit |archive-url= https://web.archive.org/web/20071102203232/http://lists.centos.org/pipermail/centos/2005-May/046320.html |archive-date= 2007-11-02}}
• pacman with IgnorePkg= openoffice (to suppress upgrading openoffice in both cases)
• dpkg and dselect support this partially through the hold flag in package selections
• APT extends the hold flag through the complex "pinning" mechanism{{cite web|title=How to keep specific versions of packages installed (complex)|url=https://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html#s-pin|publisher=debian.org|access-date=2008-03-01|archive-date=14 November 2019|archive-url=https://web.archive.org/web/20191114111450/https://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html#s-pin|url-status=dead}} (Users can also blacklist a package{{cite web|title=Apt pinning to blacklist a package|url=http://linux.derkeiler.com/Mailing-Lists/Debian/2009-07/msg00476.html|access-date=2010-08-19|archive-url=https://web.archive.org/web/20110722062625/http://linux.derkeiler.com/Mailing-Lists/Debian/2009-07/msg00476.html|archive-date=22 July 2011|url-status=dead}})
• aptitude has "hold" and "forbid" flags
• portage supports this through the package.mask configuration file

Some of the more advanced package management features offer "cascading package removal",{{cite web|title=pacman(8) Manual Page|url=https://www.archlinux.org/pacman/pacman.8.html|website=archlinux.org|access-date=2008-03-01|archive-date=31 August 2019|archive-url=https://web.archive.org/web/20190831034550/https://www.archlinux.org/pacman/pacman.8.html|url-status=live}} in which all packages that depend on the target package and all packages that only the target package depends on, are also removed.

Although the commands are specific for every particular package manager, they are to a large extent translatable, as most package managers offer similar functions.

The Arch Linux Pacman/Rosetta wiki offers an extensive overview.{{cite web|url=https://wiki.archlinux.org/index.php/Pacman/Rosetta|title=Pacman/Rosetta – ArchWiki|website=wiki.archlinux.org|language=en|access-date=2017-09-17|archive-date=20 November 2016|archive-url=https://web.archive.org/web/20161120213631/https://wiki.archlinux.org/index.php/Pacman/Rosetta|url-status=live}}

Package managers like dpkg have existed as early as 1994.{{cite web |title=dpkg version 0.93.15 source code|url=https://anonscm.debian.org/cgit/dpkg/dpkg.git/plain/scripts/perl-dpkg.pl?id=1b80fb16c22db72457d7a456ffbf1f70a8dfc0a5|access-date=19 December 2018|archive-url=https://web.archive.org/web/20150402141229/https://anonscm.debian.org/cgit/dpkg/dpkg.git/plain/scripts/perl-dpkg.pl?id=1b80fb16c22db72457d7a456ffbf1f70a8dfc0a5|archive-date=2 April 2015|url-status=dead}}

Linux distributions oriented to binary packages rely heavily on package management systems as their primary means of managing and maintaining software. Mobile operating systems such as Android (Linux-based) and iOS (Unix-based) rely almost exclusively on their respective vendors' app stores and thus use their own dedicated package management systems.

File:Apt-get install mediawiki.png|apt-get, a CLI utility installing MediaWiki

File:Aptitude 0.4.11.3 de.png|Aptitude also features a TUI.

File:Synaptic_screenshot.png|Synaptic, a GUI for many Linux package managers

File:Example of pacman in Arch Linux screenshot.png|pacman, a CLI utility for Arch-based distributions

File:Octopi 0.12.0 screenshot.png|Octopi, a Qt GUI for Pacman package manager

File:Pamac 10.3.0 screenshot.png|Pamac, a GTK+ GUI for Pacman package manager

File:Kpackagekit.png|Apper, a Qt GUI for PackageKit

File:Gnome-software-v44.png|GNOME Software, a GTK GUI for PackageKit and Flatpak

File:Windows Package Manager v0.1.41331 Preview 1115x624.png|winget, the Windows Package Manager CLI utility for Windows 10

A package manager is often called an "install manager", which can lead to a confusion between package managers and installers. The differences include:

{{PMS vs Installer}}

Most software configuration management systems treat building software and deploying software as separate, independent steps.

A build automation utility typically takes human-readable source code files already on a computer, and automates the process of converting them into a binary executable package on the same or remote computer.

Later a package manager typically running on some other computer downloads those pre-built binary executable packages over the internet and installs them.

However, both kinds of tools have many commonalities:

• The dependency graph topological sorting used in a package manager to handle dependencies between binary components is also used in a build manager to handle the dependency between source components.
• Many makefiles support not only building executables, but also installing them with make install.
• Every package manager for a source-based distribution {{ndash}} Portage, Sorcery, Homebrew, etc. {{ndash}} supports converting human-readable source code to binary executables and installing it.

A few tools, such as Maak and A-A-P, are designed to handle both building and deployment, and can be used as either a build automation utility or as a package manager or both.Eelco Dolstra, [https://nixos.org/~eelco/pubs/iscsd-scm11-submitted.pdf "Integrating Software Construction and Software Deployment"] {{Webarchive|url=https://web.archive.org/web/20190921030912/https://nixos.org/~eelco/pubs/iscsd-scm11-submitted.pdf |date=21 September 2019 }}.

App stores can also be considered application-level package managers (without the ability to install all levels of programs{{cite news |title=Brew is the macOS app store replacement you didn't know you needed |url=https://www.msn.com/en-us/news/technology/brew-is-the-macos-app-store-replacement-you-didn-t-know-you-needed/ar-BB1mK6Ys |access-date=25 May 2024 |work=www.msn.com}}{{cite web |last1=King |first1=Bertel |title=Linux App Stores Compared: Which One Is Right for You? |url=https://www.makeuseof.com/tag/linux-app-stores-compared/ |website=MUO |access-date=25 May 2024 |language=en |date=17 March 2017}}). Unlike traditional package managers, app stores are designed to enable payment for the software itself (instead of for software development), and may only offer monolithic packages with no dependencies or dependency resolution.{{cite web |title=What is a package manager? |url=https://www.debian.org/doc/manuals/aptitude/pr01s02.en.html |website=www.debian.org}} They are usually extremely limited in their management functionality, due to a strong focus on simplification over power or emergence, and common in commercial operating systems and locked-down “smart” devices.

Package managers also often have only human-reviewed code. Many app stores, such as Google Play and Apple's App Store, screen apps mostly using automated tools only; malware with defeat devices can pass these tests, by detecting when the software is being automatically tested and delaying malicious activity.{{cite news |last1=Barrett |first1=Brian |title=How 18 Malware Apps Snuck Into Apple's App Store |url=https://www.wired.com/story/apple-app-store-malware-click-fraud/ |work=Wired}}{{cite web |last1=Whittaker |first1=Zack |title=Millions downloaded dozens of Android apps from Google Play that were infected with adware |url=https://techcrunch.com/2019/10/24/millions-dozens-android-apps-adware/ |website=TechCrunch |date=24 October 2019}}{{cite news |last1=Newman |first1=Lily Hay |title=Never Ever (Ever) Download Android Apps Outside of Google Play |url=https://www.wired.com/2016/12/never-ever-ever-download-android-apps-outside-google-play/ |work=Wired}} There are, however, exceptions; the npm package database, for instance, relies entirely on post-publication review of its code,{{cite book|last1=Ojamaa|first1=Andres|last2=Duuna|first2=Karl|chapter=Assessing the Security of Node.js Platform|title=2012 International Conference for Internet Technology and Secured Transactions | publisher = IEEE |date=2012|chapter-url=https://ieeexplore.ieee.org/document/6470829|access-date=22 July 2016|isbn= 978-1-4673-5325-0 }}{{cite web |title=npm Code of Conduct: acceptable package content |url=https://docs.npmjs.com/policies/conduct#acceptable-package-content |access-date=9 May 2017}} while the Debian package database has an extensive human review process before any package goes into the main stable database. The XZ Utils backdoor used years of trust-building to insert a backdoor, which was nonetheless caught while in the testing database.

Also known as binary repository manager, it is a software tool designed to optimize the download and storage of binary files, artifacts and packages used and produced in the software development process.{{cite web |url= https://adtmag.com/articles/2015/09/08/jfrog-repository.aspx |title= JFrog Releases 'Universal' Artifact Repository |last= Waters |first= John K. |date= 8 September 2015 |website= ADT Mag |publisher= Application Development Trends Magazine |access-date= 19 February 2016 |archive-date= 2 March 2016 |archive-url= https://web.archive.org/web/20160302162053/https://adtmag.com/articles/2015/09/08/jfrog-repository.aspx |url-status= live }} These package managers aim to standardize the way enterprises treat all package types. They give users the ability to apply security and compliance metrics across all artifact types. Universal package managers have been referred to as being at the center of a DevOps toolchain.{{cite web |url=https://www.codeproject.com/Reference/628210/An-Overview-of-the-NuGet-Ecosystem |title=An Overview of the NuGet Ecosystem |last=Decoster |first=Xavier |date=18 August 2013 |website=CodeProject.com |access-date=6 February 2020 |archive-date=5 July 2020 |archive-url=https://web.archive.org/web/20200705022618/https://www.codeproject.com/Reference/628210/An-Overview-of-the-NuGet-Ecosystem |url-status=live }}

{{Main article|Package format|File archive}}

Each package manager relies on the format and metadata of the packages it can manage. That is, package managers need groups of files to be bundled for the specific package manager along with appropriate metadata, such as dependencies. Often, a core set of utilities manages the basic installation from these packages and multiple package managers use these utilities to provide additional functionality.

For example, yum relies on rpm as a backend. Yum extends the functionality of the backend by adding features such as simple configuration for maintaining a network of systems. As another example, the Synaptic Package Manager provides a graphical user interface by using the Advanced Packaging Tool (apt) library, which, in turn, relies on dpkg for core functionality.

Alien is a program that converts between different Linux package formats, supporting conversion between Linux Standard Base (LSB) compliant .rpm packages, .deb, Stampede (.slp), Solaris (.pkg) and Slackware (.tgz, .txz, .tbz, .tlz) packages.

In mobile operating systems, Google Play consumes Android application package (APK) package format while Microsoft Store uses APPX and XAP formats. (Both Google Play and Microsoft Store have eponymous package managers.)

By the nature of free and open source software, packages under similar and compatible licenses are available for use on a number of operating systems. These packages can be combined and distributed using configurable and internally complex packaging systems to handle many permutations of software and manage version-specific dependencies and conflicts. Some packaging systems of free and open source software are also themselves released as free and open source software. One typical difference between package management in proprietary operating systems, such as Mac OS X and Windows, and those in free and open source software, such as Linux, is that free and open source software systems permit third-party packages to also be installed and upgraded through the same mechanism, whereas the package managers of Mac OS X and Windows will only upgrade software provided by Apple and Microsoft, respectively (with the exception of some third party drivers in Windows). The ability to continuously upgrade third-party software is typically added by adding the URL of the corresponding repository to the package management's configuration file.

{{See also|List of software package management systems#Application-level package managers}}

Beside the system-level application managers, there are some add-on package managers for operating systems with limited capabilities and for programming languages in which developers need the latest libraries.

Unlike system-level package managers, application-level package managers focus on a small part of the software system. They typically reside within a directory tree that is not maintained by the system-level package manager, such as {{Mono|c:\cygwin}} or {{Mono|/opt/sw}}.{{Cite web|title=Fink – Home|url=https://www.finkproject.org/index.php|access-date=2021-09-02|website=finkproject.org|archive-date=18 August 2021|archive-url=https://web.archive.org/web/20210818055630/https://finkproject.org/index.php|url-status=live}} However, this might not be the case for the package managers that deal with programming libraries, leading to a possible conflict as both package managers may claim to "own" a file and might break upgrades.

In 2016, Edgard Marx, a computer scientist from Leipzig University, coined the term Data Dependency Management{{Cite web|title=Data Dependency Management|url=https://github.com/AKSW/KBox|access-date=2023-07-13|website=github.com}} to refer to the systems that deal with the management of data.

Data Dependency Management systems are designed to facilitate the deployment and management of data on the cloud, personal computers, or smart devices (edge). Data Dependency Management frameworks can be used to describe how the data was conceived, licensing as well as its dependencies. The concept of data dependency management comes from software package dependency management tools such as npm for JavaScript, gem for Ruby, and NuGet for .NET. Their rationale is to allow users to manage the software dependency on data, such as machine learning models for data-driven applications. They are useful to publish, locate, and install data packages. A typical example of a data dependency management frameworks are Hugging Face, KBox,{{Cite journal|title=KBox|url=https://ieeexplore.ieee.org/document/7889519|access-date=2023-07-13|website=IEEE|date=January 2017 |pages=125–132 |doi=10.1109/ICSC.2017.77 |s2cid=14980310 }} among others.

Ian Murdock had commented that package management is "the single biggest advancement Linux has brought to the industry", that it blurs the boundaries between operating system and applications, and that it makes it "easier to push new innovations [...] into the marketplace and [...] evolve the OS".{{cite web |title=How package management changed everything|url=http://ianmurdock.com/2007/07/21/how-package-management-changed-everything/|publisher=ianmurdock.com|access-date=2008-03-01|url-status=dead|archive-url=https://web.archive.org/web/20090223072201/http://ianmurdock.com/2007/07/21/how-package-management-changed-everything/|archive-date=23 February 2009}}

There is also a conference for package manager developers known as PackagingCon. It was established in 2021 with the aim to understand different approaches to package management.{{Cite web|title=PackagingCon 2021 – a conference for package manager developers and packagers|url=https://packaging-con.org/|access-date=2021-09-02|website=packaging-con.org|archive-date=2 September 2021|archive-url=https://web.archive.org/web/20210902144959/https://packaging-con.org/|url-status=live}}

• Application strings manager
• Dependency hell
• Installation (computer programs)
• List of software package management systems
• Manifest file
• Package format

{{Reflist}}

• [http://distrowatch.com/dwres.php?resource=package-management Package Management Cheatsheet] from Distrowatch
• [https://wiki.archlinux.org/index.php/Pacman/Rosetta ArchLinux Rosetta Stone – Command Line Comparison for Package Managers]
• [https://github.com/Inducido/upkg-package-manager-rosetta-stone upkg universal package manager] a wrapper that provides same syntax for all flavors of Linux

{{Package management systems}}

{{Software digital distribution platforms}}

Category:Software distribution

Category:Types of tools used in software development