Scott Hanselman

Is the Windows user ready for apt-get?

May 28, '13 Comments [88] Posted in NuGet | Open Source | Tools
Sponsored By
Chocolatey installs Git

What it does

Chocolatey lets you install Windows applications quickly from the command line via a central catalog of installation scripts. You could install Git, 7Zip or even Microsoft Office (given a key.) The idea is seamless and quiet installations using a well-known key.

For example, once installed you can do this from and command line:

  • cinst git
  • cinst 7zip
  • cinst ruby
  • cinst vlc

That's basically it.

The catalog has grown so complete, in fact, that I recently wanted to install DosBox so I could play Zork. I took and chance and just "cinst dosbox" and it worked. THAT is a the promise that Chocolatey makes.

Getting Started with Chocolatey

You can get started by first installing the Chocolatey package manager. Copy paste this line to your command line and run it. (More on the fearfulness of this first step in a moment).

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%systemdrive%\chocolatey\bin

Presumably you like to know what command line stuff is going to do to your computer before you do it, so parse this line out. It's going to launch PowerShell to do the hard work. Nearly every Windows machine has PowerShell these days, and it's PowerShell that makes Chocolatey work.

Some folks have custom profiles so the -NoProfile switch suppresses custom profiles to prevent conflicts during installation. It launches a chunk of PowerShell script that it downloads from https://chocolatey.org/install.ps1/ then executes. Note that it's setting execution policy to unrestricted to do this. To be clear, it's executing code downloaded over the web, so there is a non-zero risk there. It then adds Chocolatey to your path (for this one prompt) so you can use it immediately. It'll be added to future instances of prompts automatically.

Look at https://chocolatey.org/install.ps1 now. It's a very clean and easy to read script. It downloads the Chocolatey installation zip file (which is actually a NuGet package), unzips it and continues the installation by running a scripts in the tools section of the package.

How it works

Chocolatey is a bootstrapper that uses PowerShell scripts and the NuGet packaging format to install apps for you. NuGet is the package management system that Windows Developers use to bring libraries down at the project level. Chocolatey (get it? Chocolatey Nu-Get?) extends that concept to bring applications down at the system level.

Today if you want to get 7Zip, you usually google for it, find the site, figure out the latest version or right version for your system, download it, run it, next next next finish and maybe add it to your path. Chocolatey does that for you.

Again, NuGet is libraries installed locally for projects, Chocolatey is applications installed globally for your whole system.

Chocolatey uses PowerShell scripts (that you never have to think about) that package developers use to chain installations and build dependency trees. Take the internals of a Git installation script for example:

try {
Install-ChocolateyPackage 'git.install' 'exe' '/VERYSILENT' 'http://msysgit.googlecode.com/files/Git-1.8.1.2-preview20130201.exe'

#------- ADDITIONAL SETUP -------#
$is64bit = (Get-WmiObject Win32_Processor).AddressWidth -eq 64
$programFiles = $env:programfiles
if ($is64bit) {$programFiles = ${env:ProgramFiles(x86)}}
$gitPath = Join-Path $programFiles 'Git\cmd'

Install-ChocolateyPath $gitPath 'user'

@"

Making GIT core.autocrlf false
"@ | Write-Host

#make GIT core.autocrlf false
& "$env:comspec" '/c git config --global core.autocrlf false'

Write-ChocolateySuccess 'git.install'
} catch {
Write-ChocolateyFailure 'git.install' $($_.Exception.Message)
throw
}

The most important part for you to take away here is the first line. Note that this Chocolatey script is downloading Git from the mSysGit Site. Chocolatey is not changing installers, making installers or hosting installers. It's automating the boring parts of getting software, but it's still getting that software from the same location as always.

Advanced Stuff

Once you learn the basics - and they're pretty basic - there's more depth to Chocolatey to explore. Beyond the cinst and cuninst there's other commands to make installing stuff on Windows easier. Remember, they're all in your PATH so you can call these commands anytime.

Each of these major sources can be called with cinst using the -source parameter like "cinst IISExpress - source WebPI" or using their own aliases for simplicity as shown below.

  • cwindowsfeatures - If you've ever opened Add/Remove programs then click Install Windows Features in order to setup IIS or Hyper-V then this command is for you. Some examples:
    • cwindowsfeatures  IIS-WebServerRole
    • cwindowsfeatures Microsoft-Hyper-V-All
    • cwindowsfeatures TelnetClient
      • Plus, you can always clist -source windowsfeatures for the complete list.
  • cwebpi - The Web Platform Installer is a great GUI for downloading any development tools you might need for Web Development on Windows. It's a catalog, an installer, and a chainer. There's also a command-line version of WebPI that Chocolatey integrates with so you can:
    • cwebpi IISExpress
    • cwebpi VWDOrVs11AzurePack_2_0
      • And again, clist -source webpi gets you a list of what you can do.

There's a more complete list at the Chocolatey Commands Reference including how it integrates with Cygwin, Gems and Python.

Security Issues

nugetlogoThis is a prickly one. How do you make a system that lets you install anything directly from the Internet quickly, cleanly, and easily without, well, installing something evil directly from the Internet? You'll want the communication with the server to be secure and the packages trusted, but you'll also want to make sure the packages haven't been tampered with since they were uploaded. There's the inevitable threat of a man-in-the-middle attack. You'll want to watch for malicious packages and enable quick takedowns if one sneaks by.

Security concerns aren't unique to Chocolatey, of course. They are a part of package repositories since their inception. The node npm repository had a security breach in March of 2012, and the folks at andyet explored the issues surrounding it, but also pointed out that personal responsibility has to have a role as well.

Linux's apt-get solves much of this with appropriate uses of cryptography and best practices that can (and should) be emulated. Packages in apt repos are signed with SecureApp, there are warnings if you're using a 3rd party repo or installing an unsigned package.

The Chocolatey team has been very quick to jump on security issues and they are very approachable. They've added SSL where appropriate and are aware of the work to come. If Chocolatey gets big (bandwidth and costs is a question in my mind) perhaps a non-profit organization would step in to help with not only costs, but also security audits and best practices.

Here's some points (edited for length by me) from a post from Chocolatey's lead, Rob in a post on their mailing list, also in march of 2012:

Security has a big future aspect of chocolatey. At the present I am the curator and I every day I get an email showing me all of the new packages that went in the day before. I look at all packages from new authors and I typically look at the first version of most new packages from authors I have good contacts with.

I've talked at length with others about having a moderated feed in the aspect of every package, every new version would be approved prior to showing up on the main feed. I am paying attention to how debian does things with multiple feeds and there are thoughts to move in that direction as well.

Security? In the future we are looking at a small group of folks be an approving body for nupkgs. We also talked about showing the hash for the nupkg, and possibly letting folks specify a hash for the installers so chocolatey can verify the things it downloads prior to execution.

Chocolatey's LIB folderCould I make a Chocolatey package called "FormatMyHardDrive?" Sure I could, just like I could ask you to open an admin prompt and format c: /q, but you won't, right? ;)

What's next?

Chocolatey is clearly not meant to be used by your "Gender Non-Specific Non-Technical Parent" and it does have some "competition" in the form of the Ninite GUI installation utility. While still not for the average Joe/Jane and having only a limited catalog, Ninite does fill a gap for the super-user to quickly get the common apps and utilities they want.

Additionally, is Chocolatey really apt-get? It's not installing libraries system-wide, although there's no reason it couldn't. Other open source projects like CoApp would like to be the Windows app-get although CoApp is more of a "system-wide libraries, C++ support, and Unix-like utilities" and Chocolatey is more of a "developer and poweruser utilities and their dependencies."

Chocolatey does install dependencies and you can see that happen yourself by trying out "cinst gitextensions" which itself has a dependency on git. Chocolatey will walk the graph and install what it needs before finally installing gitextensions.

Where Chocolatey, and ultimately Windows itself, falls down is with odd PATHing and install locations. Because Windows doesn't have formal install locations for things and because Chocolatey puts itself first in the PATH, it's possible to get one's self into odd situations where apps that were installed outside of Chocolatey don't line up with apps installed inside. For example, I installed Git with Chocolatey some months ago, then forgot about that version and installed a newer version of Git on my own. However, I kept hitting an old git bug because the Chocolatey version of Git was "first." I believe issues like this have changed with recent builds of Chocolatey, but the point remains: it's hard on Windows today to who installed what low-level utility, when, and where it ended up.

Branding

Now, by no means to I want to take away from the hard work done by Rob and the team, but (and I've said this to Rob before) I really have trouble getting past the name Chocolatey. Sure, there are two ways to spell "Chocolaty," which make it hard at least for me to type "Chocolatey" reliably. The -ey is a theoretically a valid variant spelling, but you can tell that that to the red squiggled underline in Word. But it's less the spelling and more the name itself. It lacks the nerdiness of an "npm," the gravitas of an "apt-get," or the poetic terseness of a "gem."  I realize that we are living in a world with companies called Hulu, Yahoo, Microsoft (seriously, MICRO SOFT, what is that?) and Google, but it's worth pointing out that a good name can really take a project to the next level. I'm not sure Chocolatey is the right name for this project, but that's 100% my opinion.

I encourage you, technical reader, to check out Chocolatey for yourself! It's a powerful tool, an engaged and growing community and an interesting piece of tech in its own right.

Is Chocolatey the apt-get Windows users have been waiting for? Sound off in the comments.


Sponsor: Big thanks to SoftFluent for sponsoring the feed this week! Check out their slick code generation tools: Less Plumbing, More Productivity! Generate rock-solid foundations for your .NET applications from Visual Studio and focus on what matters!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Tuesday, May 28, 2013 8:40:28 AM UTC
Wow, I scrolled down to the comment section in order to make the point about the name being utterly awful, and I was pleased to see that you'd already made that point.
Mark Allett
Tuesday, May 28, 2013 8:40:51 AM UTC
And now for some promotion ;-)

And don't forget ChocolateyGUI is an opensource GUI for choco. cinst ChocolateyGUI will get it for you.

chrissie1
Tuesday, May 28, 2013 8:53:45 AM UTC
By the way, I don't get why it is called Chocolatey - is this a cultural thing?
Tuesday, May 28, 2013 8:54:27 AM UTC
Mark - It's a great project, great people and I enjoy it, but yes, the name has to go. I think also some of the messages are unprofessional, like "the chocolately gods have replied to your request."

I'm interested to see who else agrees. I think a rebranding could really take this project to the next level, but I'm not sure if it's just me.
Tuesday, May 28, 2013 8:56:29 AM UTC
Frank - I *think* it's a joke. There's NuGet which is like the candy "Nougat" http://en.wikipedia.org/wiki/Nougat which is often found alongside Chocolate. So it's "Chocolaty Nougat" except spelled differently. It's a play on words.
Tuesday, May 28, 2013 8:56:41 AM UTC
I really really like the idea.

But as you point out "Windows doesn't have formal install locations for things", and it become a mess in no time.

I already dislike application installed via ClickOnce or like Google Chrome, that doesn't care about installation path, so having another set of install folder is really a pain.
Tuesday, May 28, 2013 8:56:50 AM UTC
One of the best parts of Chocolatey is that you can easily put everything in a batch file or PowerShell script. This means that a large part of setting up a machine can be automated for you.

When I showed this to the IT guys at work, they were meh on it - when I showed them a batch file that pulled Chocolately down then a few packages they fell in love since it would enable them to quickly setup machines in a repeatable way.
Tuesday, May 28, 2013 8:59:23 AM UTC
Python also has a nice system called easy_install. Now that is without doubt the best name for a system like that.

There also is a system for Java (before Maven and Ivy came along with m2 repositories and p2 provisioning) called JPackage. It's dead now.

ReactOS also has a very nice system called ReactOS Application Manager (Google it for screenshots).
Ivo Limmen
Tuesday, May 28, 2013 9:07:20 AM UTC
Nice - I hope this project really takes off.
I have been waiting for something like for quite a while and been glancing a bit jealously at the linux guys and their apt-get.
While this project is definitely not revelant for random users, it has the potential to change the way techy guys like us install and update software on Windows forever.

Regarding the name though - it's just awful.
Tuesday, May 28, 2013 9:18:08 AM UTC
Great post - it's interesting to see the guts of Chocolatey (en_GB spelling ;) ) as I've wondered about the underlying detail for a while without getting the chance to dig in deeper.

I've been a fan of Choc for a while now, and have previously used it to help set up developer PCs from a base OS install along with Ninite, WebPI, and networked ISOs:

Scripting the setup of a developer PC, Part 1 of 4 – Installing Applications & Utilities with Ninite

Scripting the setup of a developer PC, Part 2 of 4 – Installing Frameworks and Components with WebPI

Scripting the setup of a developer PC, Part 3 of 4 – Installing.. uh.. everything.. with Chocolatey.

and

Scripting the setup of a developer PC, Part 4 of 4 – Installing Custom Stuff, Interesting Things Encountered, and Conclusion

I've been wondering about the feasibility of using it within environment automation, as the Windows equivalent of yum or apt-get for Chef installs over WinRM but as you said, security would need to be airtight for that sort of system.
Tuesday, May 28, 2013 10:04:00 AM UTC
Making chocolatey packages is pretty challenging because every programme is packaged differently. Sometimes you'll get lucky and only have to deal with a .msi installer. Then there are other times where it's a self-extracting executable inside a ZIP file that also requires you to fiddle around with environment variables.

It's all worth it though when Scott Hanselman mentions one of your packages in one of his blogs.
Tuesday, May 28, 2013 10:05:07 AM UTC
Why not app-get, app-list, app-del?
Easy to remember, easy to type.

Daniel
Tuesday, May 28, 2013 10:13:50 AM UTC
Just call it apt-get ... why not? We fight for web standards etc... why not standardize this across OS's ?
oh yes, legal issues maybe, but seriously! As a developer we are more and more required to do both win8/linux/android/mac development, do you really think my brain can handle typing apt-get on one system and app-get on another and cinstall on the next, no way, i'll use the GUI then!




cornillemichiel
Tuesday, May 28, 2013 10:50:24 AM UTC
Daniel - I *LIKE* that a lot. App-Get. ;)
Tuesday, May 28, 2013 10:50:54 AM UTC
Really love the idea of this!

Really do *loath* the name tho!
GordonS
Tuesday, May 28, 2013 11:10:31 AM UTC
Chocolatey is great, I also recommend boxstarter. Boxstarter is built on chocolatey and adds things like running windows update and reboots. Here is how I am using it: https://github.com/fschwiet/fschwiet-boxstarter.

I like the name personally.
fschwiet
Tuesday, May 28, 2013 11:39:32 AM UTC
Silly me: I thought that one of the main reasons for the Windows Store would be to address EXACTLY this issue. I really think it's sad that after all these years there's not an official solution from MS.
PS: Sorry for the rant.
Luiz Angelo Heinzen
Tuesday, May 28, 2013 11:48:36 AM UTC
@Luiz - It would be used and embraced as well as driver signing has been, I'm sure.
K
Tuesday, May 28, 2013 11:52:48 AM UTC
The very first thing i do when I do a format ...

1. open ie -> search for choclatey.

2. copy/paste the command to install it

3. cinst googlechrome

4. cinst 7zip

5. cinst tortoisegit

...

One other thing u forgot to mention Scott - when a program updates itself (for example, tortoise git), just type cinst <program> and it updates itself, if a new version is available.

so easy!

now .. if only visual studio was split up into lego pieces instead of one huge app with lots of parts we don't use (eg VB...) and then cvs <part of vs> .. we would all be such productive and happy devs!

Pure Krome
Tuesday, May 28, 2013 12:07:50 PM UTC
I get this:

Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At line:1 char:47
+ iex ((new-object net.webclient).DownloadString <<<< ('https://chocolatey.org/install.ps1'))
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

However, the corporate proxy almost certainly to blame.

I have to say though, despite knowing about Chocolatey for months and using apt-get in Linux for years, I've never used Chocolatey. When I try to understand *why* that is, I can only conclude it's because it's not intrinsic. I feel like package management has to happen at the O/S level to be truly dependable and for the packages to be kept up to date.

But maybe that's just me...
Kent Boogaart
Tuesday, May 28, 2013 12:13:34 PM UTC
AppGet would be a far better name for this, alas the domain is taken.

But the Powershell command should surely be Get-App.
Jim
Tuesday, May 28, 2013 12:29:01 PM UTC
Scott -

I'm a big fan of choc, have contributed in small part to the main code itself, and have contributed many packages (some of them rather complex). Rob has done a pretty great job of pushing the project forward and building out the ecosystem in his spare time, and it has come a long way. Unlike some projects where the authors are sponsored by their companies to work on these projects during regular biz hours, Rob isn't afforded the chance to improve it during that time -- it's strictly a passion project on the side.

I agree that there are some rough edges, and I think everyone else on the core team agrees.

Yes, the name has to go -- this was one of the biggest things I saw people repeatedly screwing up when showing them the chocolatey ropes on my team. IMHO, at this point I think it should simply be shortened to stem all commands off of `choc` to not only make things shorter / easier to type, but to also reduce the command space and increase discoverability. There are some fancy ways of doing dynamic tab auto-completion in PowerShell that could be leveraged to make this work like git does. As you mentioned, the whole thing could be rebranded.

I raised the command naming / discoverability issues a while back, but never had time to implement a better approach
https://github.com/chocolatey/chocolatey/issues/186
Note that there is some funky heritage as well with existing commands and running .cmd from inside PowerShell, which then runs a new PowerShell session. IMHO, that stuff should be redone at the same time, to make everything a native PowerShell experience. (I'm a PowerShell first guy myself, but Rob might still use cmd as his go-to.)

Another sticking point is that there is no standardization around checking for previously installed tools, or around the uninstallation process in general. Admittedly, dealing with the wealth of Windows based installer technologies (MSI, NSIS, InnoSetup, InstallBuilder, lots of custom variations, etc) can be a real pain for someone who wants a quick'n'dirty wrapper. This causes a bit of quality variation around packages built by different authors -- some people think of this stuff, while others don't. This ends up being important because of dependency hierarchies. Consider a Visual Studio plugin that requires Visual Studio -- you want the chocolatey Visual Studio installer to recognize VS is installed, and move on... not download 3GB of installer only to run the installer and have it error out because VS is installed already.

I suggested implementing an internal DSL to help push these concepts forward a bit more:
https://github.com/chocolatey/chocolatey/issues/160

Another big issue for me is working around transient issues (like packages failing because of network conditions), identifying things which started to install but didn't complete, etc. This becomes difficult to deal with when you build packages that are hierarchical due to chocs current implementation details.

Some of these problems are discussed here:
https://github.com/chocolatey/chocolatey/issues/253


So yes, there are some shortcoming, but even with these warts, it's still a fantastic tool, and I invest spare time in building packages to expand the ecosystem, etc. Also, I think you can see there's a trend here in the tracker -- big issues identified, solutions proposed, but nothing really implemented. I know that all of these problems can be solved and the system can be polished up quite a bit, it's simply a matter of time. This is one of those cases where it would be nice for a corp sponsor to push the state of the art forward, like Google does with a number of it's OSS projects. This is an area of Windows that is in sore need of better tooling, and I know Chocolatey could be really fantastic if collectively there were more cycles to push it forward.
Tuesday, May 28, 2013 12:30:44 PM UTC
PowerShell already has a standard way of naming such things:
Get-app
Remove-app
Update-app
Etc
Tuesday, May 28, 2013 12:40:15 PM UTC
It's more like the AUR repositories of Archlinux than apt-get ;)
Tuesday, May 28, 2013 1:22:30 PM UTC
Love the idea, love the name, love the unprofessional messages. I look forward to a future when I can ask people 'have you got chocolatey?'
Ditford
Tuesday, May 28, 2013 2:17:38 PM UTC
I'll consider it once they remove the unprofessional messages and grow up a little bit. That will show they have the maturity to support this project correctly.
PRMan
Tuesday, May 28, 2013 2:23:14 PM UTC
For your PATH-based issues, don't forget the command-line tool where.exe. It tells you which things match a given command according to PATH and PATHEXT and in which order as well.
Tuesday, May 28, 2013 2:59:09 PM UTC
@Nick ... another way of doing something similar (that I use *all the time*) is a PS implementation of which.


# simulate the unix command for finding things in path
# http://stackoverflow.com/questions/63805/equivalent-of-nix-which-command-in-powershell
function Which([string]$cmd)
{
Get-Command -ErrorAction SilentlyContinue $cmd |
Select -ExpandProperty Definition
}



PS Scott -- you really need to get Markdown comment support into your blog ;0
Tuesday, May 28, 2013 3:32:32 PM UTC
FWIW, I think Chocolatey is the correct British English spelling (see Cambridge Dictionary).

Chocolaty looks misspelled to me, but then, so do a lot of US English words... :)
Tuesday, May 28, 2013 4:22:49 PM UTC
I was super excited when I first discovered Chocolatey a few months ago. I created a simple PowerShell script to pull down all of my apps. I was stoked to see that the gallery had so many apps that I always install right away after formatting my PC.
My one gripe with Chocolatey is that updating the packages is up to package owner to do (for security/reliability purposes I'm sure), and many of them don't update it regularly. So after installing everything using chocolatey I noticed that most of my apps were not on the latest version, so I ended up having to go to the app website anyways and manually download the latest version. Of course I also emailed the package owners asking them to update their packages. I guess this isn't as big of an issue for self-updating software, but a lot of software still doesn't self update and I always like to be on the latest stable version of an app. Many packages haven't been updated in a year or more.
Tuesday, May 28, 2013 5:10:40 PM UTC
They can't do it all. Each package needs a maintainer, which typically should be someone at the company themselves for the big packages and a superfan for the smaller ones.

Again, this is another symptom of the problem that makes them think it's OK to have unprofessional messages.
PRMan
Tuesday, May 28, 2013 5:30:34 PM UTC
I agree the name has to go. It sounds so uncerious that it is hard to recommend it in professional circumstances
Staffan Gustafsson
Tuesday, May 28, 2013 5:34:16 PM UTC
Scott - the link behind the main image of this post points to http://www.chocolately.org/ which is invalid. (note the extra L in the url)
Aaron King
Tuesday, May 28, 2013 6:26:58 PM UTC
I'm a big fan of chocolatey as a concept, but sadly I don't use it all that often. My biggest gripe is what Daniel Schroeder mentions, lack of package updates. I also usually end up going to the app's website because it's very often more recent than the chocolatey package. I guess this isn't helped by the fact that a large number of the packages on the chocolatey gallery are created and owned by other people (e.g. ferventcoder) on behalf of the app owners so the dependency is all on them to do the updates.

However, if chocolatey became more mainstream and recognised as a *primary* way to distribute an app, this would all change. App owners would feel compelled to make a chocolatey push part of their standard release process. I guess some handover/sharing of ownership of packages would be required to make this happen.
Tuesday, May 28, 2013 7:02:27 PM UTC
I am surprised no one has mentioned http://allmyapps.com/ I started using it a few years ago before they started charging for some of the features. Its a GUI equivalent somewhat like Ninite but with lots more apps.

You can browse a huge catalog of apps and make your own list to quickly get what you want installed. Some will install without GUI and some need to run through an installer but it saves time remembering everything you want to install and going to each site for latest version.... When new versions are released you get notified and can update easily.
Pete
Tuesday, May 28, 2013 7:05:37 PM UTC
If the name is such an issue could you not just alias out the commands in powershell or am I missing something?
Do love the idea though used it recently to install what I needed on a clean box, though found myself googling the package names. Really need some search or list functionality.
Tuesday, May 28, 2013 7:37:30 PM UTC
I've never been a fan of "repackagers". IMHO, leave it to the tool maker for installation options. The core OS (and .NET framework) has some great options (that could potentially be improved) such as powershell, various MSI package tools, MSBuild/MSDeploy, vsix packagers, etc. If the curator wants to publish handy powershell installs then great. But I want to use powershell or a trusted setup executable for the installation published by the author (who has credibility and an expert reputation that I chose to trust).

I sometimes do browse ZDNET downloads or similar to see what is popular. I do remember when they started pushing the browser toolbar "spyware" and various virus scanners and it did "sneak up" on a lot of people. Since then, I typically go to the official web site to download and install from. I will likely do the same for Chocolatey.

I do love the idea of curators who take pride in showing the best of the best in utilities, tools and frameworks and sharing with the community. I like the "app store" or blog presentation for that. Sure if there is a common web API that publishers can elect to use, I might automate my own environment configuration but I expect the source to come from where the author elects, not the curator. Realistically how often do you really need to build out your entire environment?

Where the idea of a package manager does resonate for me is in the area where we already have one (nuget). That is "stacks" of toolkits and frameworks that work together nicely for application development. Here the dependencies are more difficult to track and it is often hard to get everything to work together unless you are working with known compatible kits and versions. Plus, the spirit of the effort is to reuse and not re-invent. Therefore a package manger is essential in that scenario.

I think we will find that the authors of tools will be against a single curator "injecting" itself into the process we know today. Developers spend countless hours putting everything together for our consumption and they at least deserve the ad revenue (and just general respect) that comes from visiting their site.
Tuesday, May 28, 2013 8:00:26 PM UTC
Yes Rik, you're missing something. :-) The naming issue isn't about communicating with the computer (aliasing out the commands), but communicating with other human beings. When a clueless manager dismisses your recommendation to use the non-enterprisey "Chocolately" [sic], it does little good to tell them "but I call it enterprisey-get on my own machine!"
Tuesday, May 28, 2013 8:13:59 PM UTC
I really like the concept and I use it quite a bit. However, I don't think it can ever be the trusted source with out involvement from Microsoft.

Ideally the Windows team would sanction some sort of install package format for desktop apps and utilities in the same way they have from store apps. That format could either be a native installer for apps or simply a wrapper around MSI to enable faster up take. With that in place you would need a repository hosted by Microsoft and requiring things like digital signatures, automated virus scan and smart screen.

Chris Patterson
Tuesday, May 28, 2013 9:16:57 PM UTC

Love the idea, love the name, love the unprofessional messages. I look forward to a future when I can ask people 'have you got chocolatey?'

And then you get slapped for your troubles.
[Apologies for the lackluster HTML, still getting used to this]
Mathias
Tuesday, May 28, 2013 9:42:24 PM UTC
Sounds like Windows store. Only without GUI
itay
Tuesday, May 28, 2013 9:46:58 PM UTC
@Daniel Schroeder and Adam Ralph

Yes, this is an issue, and if like some people, you start having a number of Chocolatey Packages, maintaining them becomes hard. However, it should be pointed out that most package maintainers publicize their GitHub repos, so there is nothing to stop other community members submitting a pull request to get the package updated. Hope people would welcome the help.

Also, the other thing to think about is using Rob's Automatic Package updating tool:

https://github.com/chocolatey/chocolatey/wiki/AutomaticPackages

Which if implemented, allows the automatic updating and deployable of Chocolatey Packages.

But I agree, getting the application owners to make and deploy the chocolatey package as part of their release process is the best idea. That is what I have been trying to get OSS projects to do lately, pulling in the use of MyGet to temporarily deploy the Chocolatey Package for testing purposes, and then push to Chocolatey.

Gary
Tuesday, May 28, 2013 10:14:07 PM UTC
To help the adoption rate by "Gender Non-Specific Non-Technical PERSON" Chocolatey needs a setup program to download and run. The problem with current setup method is:

- powershell script is far to scary.
- You can't Ctrl+V in command/power shell

As for the name I'd start looking for a synonym of gem.
Tim Murphy
Wednesday, May 29, 2013 1:02:35 AM UTC
Kinda wish there was a "Dark Chocolatey" that tap into bittorrent and install any app.
Bryan
Wednesday, May 29, 2013 2:53:53 AM UTC
@Tim Murphy: You *can* Ctrl+V into a command/power shell - http://chocolatey.org/packages/wincommandpaste



As for the unprofessional messages that everyone is talking about, I present the following: "This APT has super cow powers." http://en.wikipedia.org/wiki/Aptitude_(software)#Easter_egg
Wednesday, May 29, 2013 2:56:55 AM UTC
To all talking about adoption rate and enterprise use, chocolatey is not trying to compete in either of these areas yet, so it's fine if something as simple as the name is what is keeping it out. It's young and has rough edges and until some of those are smoothed out, I'm not sure we'd consider a rename.
Wednesday, May 29, 2013 3:03:58 AM UTC
@Doug - I think maybe you missed what Choco actually does. It is using what is already out there in the form of MSI/native installers from the author's site.

Chocolatey doesn't "inject" itself into the process you know today, it automates the process that you know today. It goes out to the author's site and downloads the installer, then silently installs it on your machine.

But I freely admit that choco is not for everyone. And we're fine with that...
Wednesday, May 29, 2013 5:25:02 AM UTC
That means using Chocolaty script running as a "Start Up" task - I can install practically anything in a Windows Azure Worker/Web roles. Pure awesomeness. Thanks Scott.
Girish
Wednesday, May 29, 2013 7:02:27 AM UTC
@Girish

For this type of scenario, you might want to look at Boxstarter as well:

http://boxstarter.codeplex.com/

Which builds on top of Chocolatey and handles things like doing Windows Updates, detecting whether machine reboots are required etc. It is a great complimentary application to Chocolatey.

Gary
Wednesday, May 29, 2013 7:26:51 AM UTC
@Oran, thought I'd missed something :) but besides it sounding unprofessional is there any technical reason why you could release a Chocolatey package to alias the commands?
Wednesday, May 29, 2013 8:43:38 AM UTC
"Is the Windows user ready for apt/get"

While I can find no survey, based on a large population, which specifically states what percentage of Windows users even touch PowerShell, I'd guess the percentage of those who are willing to use a command-line driven "anything" is very low.

Chocolatey is clearly for geeks; I don't see any rationale for using gender, or being a parent, as a discriminating factor among the "technoid" Windows' user population: "Gender Non-Specific Non-Technical Parent," which is indirectly asserted by the double-negative format of your statement: "Chocolatey is clearly not meant ..."

Using command-line tools, in the age of GUI, is a reversion equivalent to throwing away bronze-swords, and going back to edges-flaked-by-hand stone adzes, and spear-tips.

That such tools as Chocolatey should be necessary is an indictment of the modern Windows OS (not that Apple's OS's are any better, or Linux, etc.).

A modern OS should provide a high-level interface to facilitate the secure downloading, installation, and updating of 3rd. party applications. To say that "should" be the case is not to imply that it is technically "simple," or "easy," in an age in which vast minions daily assault the security of OS's and applications, and browsers, to do so !

As a quondam geek, I do appreciate the hard work, creativity, and generosity, of people who create products like Chocolatey !

By the way, I find the name no "weirder" than any other software's name, but I would have preferred "Chocolately" (much more mnemonic, and equally nonsensical).

thanks, Bill
BillWoo
Wednesday, May 29, 2013 9:10:56 AM UTC
IMHO name is ok. apt-get is nowere better (try to find command to search packages). Chocolatey analog on Mac has name that I cannot even Google.

The only thing I do not really like with Chocolatey is verbosity. It too verbose.

Everything else is very nice. I do almost all installs with it. Especially on VMs where most of the time I use PowerShell remoting and Chocolatey works as a charm(if package does not show UI :) )

Contribution of Chocolatey packages are easy. If something is outdated, it is easy to contact package owners.

Wednesday, May 29, 2013 9:38:45 AM UTC
@Rob thanks for tip on wincommandpaste. However that doesn't help install chocolatey for the non-technical parents.

Tim Murphy
Wednesday, May 29, 2013 9:54:23 AM UTC
It has just occurred me I can instruct non-tech to win+r ctrl+v.
Tim Murphy
Wednesday, May 29, 2013 10:23:44 AM UTC
What do you mean "Windows doesn't have formal install location"? What happened to %ProgramFiles%?
Wednesday, May 29, 2013 11:05:18 AM UTC
One thing Chocolatey is great for is setting up dependencies on your build server or target environments for continuous delivery.

I have an open source project powerdelivery that lets you use Team Foundation Server (or local) builds targeting your dev, test, production etc. environment with one script to do automated deployments in PowerShell. Chocolatey is built in, in that if you have a packages.config file next to your build script, any packages get installed on the TFS agent automatically.

You can also run Chocolatey with remote powershell commands on your target computers. It really does simplify deployment when you have a base OS image in a data center that you want to configure from the ground up to allow rapid standing up of new environments. Building packages is really easy (considering how complicated MSI can be) and Rob's team does a great job tweeting out updated packages as they are uploaded.

I can't say enough about Chocolatey!
Wednesday, May 29, 2013 11:14:08 AM UTC
"Using command-line tools, in the age of GUI, is a reversion equivalent to throwing away bronze-swords, and going back to edges-flaked-by-hand stone adzes, and spear-tips."

BillWoo, where I find this not to be true is when you have Enterprise organizations that waste significant capital performing activities through the GUI and making mistakes. This is where automation and scripting are crucial to creating repeatable deployment processes and command-line tools are just a natural fit here.

This is just my opinion, but resonates well with operations personnel who have to feel comfortable with what teams are introducing into their production environment. I'm having success with getting ops people to actually start writing powershell deployment scripts (that call command-line tools like Chocolatey) as part of a SCRUM team's sprint deliverables. This way they aren't as paranoid when you're about to do a release as they helped write the automation and test deployment in a separate environment that will be repeated in production if builds are of suitable quality to release.

You really only run into these things when companies are doing frequent releases with many interconnected applications.
Wednesday, May 29, 2013 12:32:46 PM UTC
http://windows-get.sourceforge.net/
You might want to look at this
Wednesday, May 29, 2013 1:47:15 PM UTC
Scott, why your blog does not have the direct "share" buttons e.g. to submit the post to Twitter, G+, Reddit, etc?
Arthur
Wednesday, May 29, 2013 2:21:10 PM UTC
This would have been great a year ago but having the Windows App Store, why do we need it?

I admit it's damn cool though. Nuget has changed the way we get third party assemblies into our apps so it makes sense that we could do that at an OS level.

However, I think it's just too late.
Mark Robinson
Wednesday, May 29, 2013 2:31:17 PM UTC
This is excellent. I've been needing this for a long time. I always get problems organizing and finding some applications.


Nicolas Gago
Wednesday, May 29, 2013 2:53:03 PM UTC
Typos: SecureApp might be SecureApt (assuming you're talking about repositories being GPG signed), and app-get might be apt-get.

Great article though!
Adam Baxter
Wednesday, May 29, 2013 4:08:44 PM UTC
How does this differ from win-get (http://windows-get.sourceforge.net)? If anything, it looks like a wrapper around it - is there some distinction I'm missing apart from the name?
Wednesday, May 29, 2013 4:31:29 PM UTC
Other than the horribly naming, the main issue I have with chocolatey is the up-to-dateness. It's *not* a central repository or even close to widespread, so vendors and project maintainers don't update it.

Say I used cinst to install TFS sidekicks a long time ago (say a year and a half ago). I got version 2.4. Over the past year, chocolatey update *never* updated me. Most likely, I continue blissfully unaware that I'm outdated.

Or, I can go check the TFSSidekicks page myself and find that I can download 4.1, but then I'm stuck, how do I install it?

  • uninstall from chocolatey, then manually install it. once the choc feed is updated, reverse the process.
  • fork the choc feed repository, figure out how to maintain the package myself, update the choc nuget package, and send a pull request. Then wait for it to be accepted and use choc to update.
  • Do the same as #2, but instead of waiting create my own nuget feed with the fork that has my updates.

Bleh! In any case, I need manually watch and update my installs, still having to check the publisher's websites myself, and adding more steps regardless.

Now, this isn't a chocolatey volunteer's fault - until all the publishers update the packages or notify of updates it would take a person checking every package every day to fix this issue, and publishers aren't really going to help until a lot of their users are on it already. But why adopt it if it just adds work?


Also, the name is horrible.
Philip
Wednesday, May 29, 2013 7:16:16 PM UTC
Philip,

You bring up a good point. The way Linux distros handle this is there is a service that periodically runs the package manager to check for new packages and shows a tray icon letting you know there are available updates. You can then choose to install them. You can also choose to automatically install updated packages much like Windows update.

It wouldn't be too difficult to build an equivalent service that asks Chocolatey if there are updates to your installed packages.

Just an idea.
Wednesday, May 29, 2013 7:51:21 PM UTC
Adam - Windows-Get hasn't been touched (from what I can see) in FOUR years. Their catalog has only 200 items and they are ones like ".NET 2.0." Am I missing something?
Wednesday, May 29, 2013 8:58:15 PM UTC
There needs to be a way to stop installs from putting in adware and other crap. Until we can stop that, Windows users should not be doing silent installs from some unknown source.
Wednesday, May 29, 2013 9:15:45 PM UTC
get-it Nu-get
Arjun
Thursday, May 30, 2013 1:46:05 AM UTC
A former co-worker of mine talked about this briefly while I worked with him. I never really dove in to it to understand what his excitement was about but now I get it.

However, after installing Chocolatey, I tried to install a few packages from the command line and it's constantly failing:

C:\Chocolatey\bin>cinst notepadplusplus
Chocolatey (v0.9.8.20) is installing notepadplusplus and dependencies. By instal
ling you accept the license for notepadplusplus and each dependency you are inst
alling.
The schema version of 'Reuse' is incompatible with version 2.1.31022.9038 of NuG
et. Please upgrade NuGet to the latest version from http://go.microsoft.com/fwli
nk/?LinkId=213942.

Finished installing 'notepadplusplus' and dependencies - if errors not shown in
console, none detected. Check log for errors if unsure.


Anybody have an idea of what's going on here and how I fix it? I have already gone to nuGet and downloaded the latest version but the problem still exists.

Thanks in advance!
Thursday, May 30, 2013 7:27:07 AM UTC
Microsoft made sense when it first came out. Microcomputer software. Yep.
Matt
Thursday, May 30, 2013 7:38:19 AM UTC
Brandon, chocolcatey has it's own nuget.exe, execute

cup

in your commandline, this should help.
Thursday, May 30, 2013 8:16:19 AM UTC
Scott - Thanks for the reply, that explains it! I neglected to check when windows-get had last been updated, that was the "something" I was missing in my original post. I'll definitely be trying Chocolatey. Can't wait for the release that removes all the cruft from the installers in the same fashion as Ninite.
Thursday, May 30, 2013 10:15:29 AM UTC
I used apt-get for years and after switching to windows 8 a year ago I tried chocolatey. It wasnt in the same league at all. Maybe I have to try again...
Thursday, May 30, 2013 12:26:12 PM UTC
@Brandon - I think you might have a package in your local nuget cache named "Reuse." You can clear the nuget cache in visual studio or you can go to %LocalAppData%\Nuget\Cache (don't quote me on that path though) and clear out the packages.

Upon looking further I see nuget.org has a package named Reuse (open browser insert nuget.org/packages/Reuse).

I am not sure why it would cause issues but apparently it does.
Thursday, May 30, 2013 1:13:19 PM UTC
@Brandon - I found the issue. It has to do with a bug in nuget.exe. If you install things with an older version of nuget without specifying a source (after caching a package with v2.5 minimum version required), it gives you a warning and installs items successfully. UNLESS, and this is big, UNLESS you specify the -source parameter.

Then it fails every time. Logged an issue here. nuget.codeplex.com/discussions/445455
Thursday, May 30, 2013 1:20:21 PM UTC
Okay, Brandon and anyone who runs into the schema version issue when installing should apply this to their local chocolatey install:

github.com/chocolatey/chocolatey/commit/e70c44455cc3a9745d528929682fb19db8c9d5ae
Thursday, May 30, 2013 1:23:19 PM UTC
Coco-get
Valerie Rodriguez
Thursday, May 30, 2013 1:24:24 PM UTC
+1 for BoxStarter!

Using BoxStarter and chocolatey I managed to completely script my laptop build. On a fresh Windows install, a double-click and 2 hours gives me:
- Windows explorer set up to my preferences
- Remote desktop enabled
- All Windows features I need installed (IIS, MSMQ, etc...)
- All the apps I need installed (browsers, editors, diff/merge tools, etc...)
- Git installed and pre-configures with my favourite settings, including third party diff and merge tool association
- Visual Studio
- SQL Server
- All my Visual Studio extensions pre-installed
- My websites pre-configured in IIS

That really came in handy when my team were lucky enough to get new machines a couple of months ago!

Highly recommended!
Fabien Ruffin
Thursday, May 30, 2013 1:38:22 PM UTC
Or if you want, please clear your local cache then call cup chocolatey -pre to get this error removed.
Friday, May 31, 2013 1:35:39 PM UTC
I am willing to donate the domain app-get.org if Rob and his team want to rename Chocolatey.
Friday, May 31, 2013 9:24:24 PM UTC
One cool feature I love about chocolatey is that you can install a group of tools using a packages.config file. It's a slightly modified version of the packages.config file used by nuget in .NET projects (added source attribute I believe).

This allows you to provide others on your team with a chocolatey packages.config file to install everything they need to develop on a project, including things like iisexpress, vs express / sharpdevelop, git, and so on. All the tools they might need.

You could even commit it to your source control, and put the info in your README so that they know what to do with it.
Saturday, June 01, 2013 2:50:00 AM UTC
@Rob, I don't have issue with it as it is, but I think you could add a "build powershell script" feature that would allow one to select all fo the things to install and then it would export a script that the user could run. They could then key in their licenses as well. The script should only download if the files are not present in a zip library. Some similar techniques are used with psget.

Since 90% of windows software is commercial, I think an App store would be better. That way you could store the licenses. Free software could still be free, but you could have an e-commerce system like Amazon where a one-button purchase would encourage a little be of revenue for those who put there warez in your e-commerce system. Just a thought!
Saturday, June 01, 2013 8:31:14 AM UTC
Gotta agree with Doug, there's the Windows 8 Store right! Let's use that.

Too bad it doesn't have a command line tool for power users that like chocolatey and nu-get. And I can't even find something as simple as filezilla in there.

Put the nuget team, the chocolatey guys and the windows store team together and create something great...
michiel cornille
Saturday, June 01, 2013 2:33:38 PM UTC
I love apt. It is brilliant. Easily the best package manager on Linux.

It does amaze me that Microsoft and Apple have not created a similar tool for handling updates. This would be a great replacement for Windows Updates and the way that OS X handles updates.

OS X has home brew although not an apple product is pretty cool. Have to try Chocolatey, seems pretty cool. Would definitely help sort a lot of issues out at work.

Love to see MS and Apple get onboard with something like this. Scott love to see you push for something like this :)

Blair
Monday, June 03, 2013 4:55:46 AM UTC
I like it so much, I even added two of my own packages after reading your blog post (both of which my packages seem to be getting some good download attention ;-), so i'm glad I've provided useful packages! Also decided to re-installed my Windows 8 on my PC and Laptop and installed all my favorite programs and tools using Chocolatey. Set myself up a Virtual Machine running my old Windows 7 OS key I had laying around previously and will now use this for future Package testing!

I see a good future ahead for Chocolatey, I agree with your security concerns, as I have already made a post about this on their group, as have many others, good thing is, they are taking this into consideration so i'm sure as it matures and more people use it, the 'people' will speak and ensure it becomes as secure as they can make it.

Keep up your awesome posts shanselhansllhamanman.

Also like to say I went through your kickstart course on Microsoft Virtual Academy, really enjoyed that so thanks!
Patrick Magee
Monday, June 03, 2013 3:57:12 PM UTC
I try now to implement signalR with MVC 3.
Do you have an experience to take it together.
I would like to use [Authorize] build-in MVC 3 with ChatHub.
By the way, do you have a video about IIS ?

I love your explanations are clear and focused.
Scotti, You are my MVC Teacher, I was started from scratch !!!

Thanks a lot my friend
Amit
Tuesday, July 02, 2013 11:33:30 AM UTC
I've been using chocolaty ever since I found out about it last year. Awesome tool. As for branding I say winget. Its similar to nuget and also goes along with the same idea as aptget.

Mohan
Thursday, September 12, 2013 4:59:08 PM UTC
I started using Chocolatey a few months back and despite my strong dislike of the root install I thought it was great - especially for command line users like myself. But now I've used it for a bit I realise there is one feature seriously lacking - so lacking in fact that I haven't used it for a few weeks now: package search. The clist command does a pretty limited job and is nowhere near the node package manager (npm) search. I can rarely remember the exact name but if I go onto the Chocolatey website with a couple of search words I find what I want straight away. But since I'm on the web and away from the command line, what's the point? I found this blog post as I just did a quick google to see if Chocolatey had done anything to rectify this but it appears not. Until this is addressed I won't be using it, which is a shame as it would be invaluable otherwise.
Matthew Blott
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.