 | This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Package manager" – news ·newspapers ·books ·scholar ·JSTOR(December 2022) (Learn how and when to remove this message) |
Apackage manager orpackage management system (PMS) is a collection ofsoftware tools that automates the process ofinstalling, upgrading, configuring, and removingcomputer programs for acomputer in a consistent manner.[1]
A package manager deals withpackages, distributions of software and data inarchive files. Packages containmetadata, such as the software's name, description of its purpose,version number, vendor,checksum (usually acryptographic hash function), and a list ofdependencies necessary for the software to run properly. Upon installation, metadata is stored in a local packagedatabase. Package managers typically maintain a database of software dependencies and version information to prevent software mismatches and missing prerequisites. They work closely withsoftware repositories,binary repository managers, andapp stores.
Package managers are designed to eliminate the need for manual installs and updates. This can be particularly useful for large enterprises whoseoperating systems (OSes) typically consist of hundreds or even tens of thousands of distinct packages.[2]
An early package manager wasSMIT (and itsbackend install) fromIBM AIX. SMIT was introduced with AIX 3.0 in 1989.[citation needed] Package managers likedpkg have existed as early as 1994.[3] Early package managers, from around 1994, had no automaticdependency resolution[4] but could already simplify the process of adding and removing software from a running system.[5]
By around 1995, beginning withCPAN, package managers began handling package repository downloads, and dependency resolution and installation as needed, making it easier to install, uninstall and update software.[6]
A software package is anarchive file containing a computer program as well as necessary metadata for itsdeployment. The program may be insource code that has to becompiled and built first.[7] Package metadata include the software's description, version number, and dependencies.
Package managers are charged with the task of finding, installing, maintaining or uninstalling packages upon the user's command. Typical functions of a package management system include:
Computer systems that rely ondynamic library linking, instead ofstatic library linking, share executable libraries of machine instructions across packages and applications. In these systems, conflicting relationships between different packages requiring different versions of libraries results in a situation calleddependency hell. OnMicrosoft Windows systems, this is also calledDLL hell when working with dynamically-linked libraries.[8]
Modern[when?] package managers have mostly solved these problems by allowing parallel installation of multiple library versions (e.g.OPENSTEP'sFramework system), a dependency of any kind (e.g.slots in GentooPortage), and even packages compiled with different compiler versions (e.g. dynamic libraries built by theGlasgow Haskell Compiler, where a stableABI does not exist), in order to enable other packages to specify which version they are linked or installed against.
System administrators may install and maintain software using tools other than package managers. For example, a local administrator maydownload unpackaged source code, compile it, and install it. This may cause the local system to fall out ofsynchronization with the package manager'sdatabase. The local administrator will be required to take additional measures, such as manually managing some dependencies or integrating the changes into the package manager.
There are tools to ensure that locally-compiled packages are integrated with the package management. For operating systems based on.deb and.rpm files as well asSlackware Linux, there isCheckInstall, and for recipe-based systems such asGentoo Linux and hybrid systems such asArch Linux, it is possible to write a recipe first, which then ensures that the package fits into the local package database.[citation needed]
Upgrades ofconfiguration files may be particularly troublesome. Since package managers, at least onUnix systems, originated as extensions of file archivers, they can usually only overwrite or retain configuration files, rather than apply rules to them. There are exceptions to this that usually apply tokernel configuration (which, if broken, will render the computer unusable after a restart). Problems can be caused if the configuration file format changes; for instance, if the old file does not explicitly disable new options that should be disabled. Some package managers, such asDebian's dpkg, allow configuration during installation. In other situations, packages are installed with the default configuration, which is then overwritten, for example inheadless installations to a large number of computers. This kind of pre-configured installation is also supported by dpkg.
To give users more control over the software they allow to be installed on their systems, and sometimes due to legal or convenience reasons on the distributors' side, packages are often downloaded fromsoftware repositories.[9][better source needed]
When a user is upgrading a package with package management software, it is customary for them to be presented with the actions to be executed (usually the list of packages to be upgraded, and possibly the old and new version numbers), and allow them to either accept the upgrade in bulk, or select individual packages for upgrading. Many package managers can be configured to never upgrade certain packages, or to upgrade them only when criticalvulnerabilities or instabilities are found in the previous version, as defined by the packager of the software. This process is calledupgrade suppression, orversion pinning. For instance, to prevent upgrades to theOpenOffice program:
exclude=openoffice*[10]IgnorePkg= openoffice[11] (to suppress upgrading openoffice in both cases)Some of the more advanced package management features offercascading package removal,[11] in which all packages that depend on the target package and all packages that only it depends on are also removed.
 | This sectionmay containexcessive orirrelevant examples. Please helpimprove it by removingless pertinent examples andelaborating on existing ones.(September 2025) (Learn how and when to remove this message) |
Although commands are specific to each package manager, they are translatable to a large extent, as most package managers offer similar functions. The Arch Linux wiki offers an extensive overview of commands.[14]
| Action | Homebrew | APT | Pacman | dnf (yum) | portage | zypper[15] | Nix | XBPS[16] | swupd[17] | WinGet |
|---|---|---|---|---|---|---|---|---|---|---|
| Install package | brewinstall${PKG} | aptinstall${PKG} | pacman-S${PKG} | dnfinstall${PKG} | emerge${PKG} | zypperin${PKG} | nix-env-i${PKG} | xbps-install${PKG} | swupdbundle-add${PKG} | winget install%PKG% |
| Remove package | brewuninstall${PKG} | aptremove${PKG} | pacman-R${PKG} | dnfremove--nodeps${PKG} | emerge-C${PKG} oremerge--unmerge${PKG} | zypperrm-RU${PKG} | nix-env-e${PKG} | xbps-remove${PKG} | swupdbundle-remove${PKG} | winget uninstall%PKG% |
| Update software database | brewupdate | aptupdate | pacman-Sy | dnfcheck-update | emerge--sync | zypperref | nix-channel--upgrade | xbps-install-S | swupdupdate--download orswupdupdate--update-search-file-index | winget upgrade |
| Show updatable packages | brewoutdated | aptlist--upgradable | pacman-Qu | dnfcheck-update | emerge-avtuDN--with-bdeps=y@world oremerge-u--pretend@world( -D is shorthand for--deep and-u is shorthand for--update.) | zypperlu | nix-channel--upgrade&&\nix-env-u&&\nix-collect-garbage | ./xbps-srcupdate-check${PKG}(requires void-packages repository) | swupdupdate-s orswupdcheck-update | winget upgrade |
| Update all | brewupgrade | aptupgrade | pacman-Syu | dnfupdate | emerge-u-D--with-bdeps=y@world | zypperup | nix-env-u&&nix-collect-garbage | xbps-install-Su | swupdupdate | winget upgrade --all |
| Delete orphans and config | brewautoremove&&brewcleanup | aptautoremove | pacman-Rsn$(pacman-Qdtq) | — | emerge--depclean | zypperrm-u | nix-collect-garbage-d | xbps-remove-of | swupdbundle-remove--orphans&&\swupdclean--all | — |
| Show orphans | brewautoremove--dry-run | — | pacman-Qdt | package-cleanup-q--leaves--exclude-bin( -q is shorthand for--quiet.) | emerge-caD oremerge--depclean--pretend | zypperpa--orphaned--unneeded | — | xbps-remove-o | swupdbundle-list--orphans | — |
| Remove package (and orphans) | brewuninstall${PKG}&&brewautoremove | aptautoremove${PKG} | pacman-Rs${PKG} | dnfremove${PKG} | emerge-c${PKG} oremerge--depclean${PKG} | zypperrm-u--force-resolution${PKG} | nix-env-e${PKG}&&nix-env-u | xbps-remove-R${PKG} | swupdbundle-remove${PKG}&&\swupdbundle-remove--orphans | winget uninstall%PKG% |
Linux distributions oriented tobinary packages rely heavily on package management systems as their primary means of managing and maintaining software.Mobile operating systems such asAndroid (Linux-based) andiOS (Unix-based) rely almost exclusively on their respective vendors' app stores and thus use their own dedicated package management systems.
pacman, a CLI utility forArch-based distributions
A package manager is often called aninstall manager, which can lead to a confusion between package managers andinstallers. The differences include:
| Criterion | Package manager | Installer |
|---|---|---|
| Shipped with | Usually, the operating system | Each computer program |
| Location of installation information | One central installation database | It is entirely at the discretion of the installer. It could be a file within the app's folder, or among the operating system's files and folders. At best, they may register themselves with an uninstallers list without exposing installation information. |
| Scope of maintenance | Potentially all packages on the system | Only the product with which it was bundled |
| Developed by | One package manager vendor | Multiple installer vendors |
| Package format | A handful of well-known formats | There could be as many formats as the number of apps |
| Package format compatibility | Can be consumed as long as the package manager supports it. Either newer versions of the package manager keep supporting it or the user does not upgrade the package manager. | The installer is always compatible with itsarchive format, if it uses any. However, installers, like all computer programs, may be affected bysoftware rot. |
Mostsoftware configuration management systems treat building software and deploying software as separate, independent steps. Abuild automation utility typically takes human-readablesource code files already on a computer, and automates the process of converting them into anexecutable package on the same or a remote computer. Later, a package manager typically running on another computer downloads the pre-built executable and installs it.
However, both kinds of tools have many commonalities:
make install.A few tools, such asMaak andA-A-P, are designed to handle both building and deployment, and can be used as either build automation utilities, package managers, or both.[18]
App stores can also be considered application-level package managers (without the ability to install all levels of programs[19][20]). Unlike traditional package managers, app stores are designed to enable payment for the software itself (instead of for software development), and may only offermonolithic packages with no dependencies or dependency resolution.[21][20] They are usually limited in their management functionality, due to focusing on ease-of-use over power oremergence, and are common in commercial operating systems andsmart devices.
Package managers also often have only human-reviewed code. Many app stores, such as Google Play and Apple's App Store, mainly screen apps using automated tools only;malware can pass these tests by detecting when the app is being tested, and delaying malicious activity.[22][23][24] There are exceptions: thenpm package database, for instance, relies entirely onpostpublication review of its code,[25][26] while the Debian package database has an extensive human review process before any package goes into the main database. TheXZ Utils backdoor used years of trust-building to insert a backdoor, which was nonetheless caught while in thetesting database.
Also known asbinary repository manager, it is a software tool designed to optimize the download and storage of binary files, artifacts and packages used and produced in thesoftware development process.[27] These package managers aim to standardize the way enterprises treat all package types. They give users the ability to apply security and compliance metrics across all artifact types. Universal package managers have been referred to as being at the center of aDevOps toolchain.[28]
Each package manager relies on the format and metadata of the packages in its repository. That is, package managers need groups of files to be bundled along with appropriate metadata, such as dependencies. Often, a core set of utilities manages the basic installation from these packages and multiple package managers use these utilities to provide additional functionality.
For example,yum relies onrpm as abackend. Yum extends the functionality of rpm by adding features such as simple configuration for maintaining a network of systems. As another example, theSynaptic Package Manager provides a graphical user interface by using theAdvanced Packaging Tool (apt) library, which in turn relies ondpkg for core functionality.
Alien is a program that converts between differentLinux package formats, supporting conversion betweenLinux Standard Base (LSB) compliant.rpm packages,.deb, Stampede (.slp),Solaris (.pkg) andSlackware (.tgz,.txz, .tbz, .tlz) packages.
For mobile operating systems,Google Play uses theAndroid application package (APK) package format whileMicrosoft Store uses theAPPX andXAP formats. Both Google Play and Microsoft Store have eponymous package managers.
By the nature offree and open-source software (FOSS), packages under similar and compatible licenses are available on a number of operating systems. These packages can be combined and distributed using configurable packaging systems to handle many permutations of software and manage version-specific dependencies and conflicts. Some managers of FOSS packages are released as FOSS themselves. One typical difference between package management in proprietary operating systems, such as Mac OS X and Windows, and those in free and open source software, such as Linux, is that free and open source software systems permit third-party packages to also be installed and upgraded through the same mechanism, whereas the package managers of Mac OS X and Windows will only upgrade software provided by Apple and Microsoft, respectively (with the exception of some third party drivers in Windows). The ability to continuously upgrade third-party software is typically added by adding theURL of the corresponding repository to the package management's configuration file.
Besides system-level application managers, there are add-on package managers for operating systems with limited capabilities and forprogramming languages in which developers need the latestlibraries.
Unlike system-level package managers, application-level package managers focus on a small part of the software system. They typically reside within adirectory tree that is not maintained by the system-level manager, such asc:\cygwin or/opt/sw.[29] This may not be the case for managers that deal with programming libraries, leading to possible conflicts, as both managers may claim to own a file and may break upgrades.
Ian Murdock commented that package management is "the single biggest advancementLinux has brought to the industry", that it blurs the boundaries between operating systems and applications, and that it makes it "easier to push new innovations [...] into the marketplace and [...] evolve the OS".[30][self-published source]
There is also a conference for package manager developers known as PackagingCon. It was established in 2021 with the aim to understand different approaches to package management.[31]
| Active |
| ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Defunct |
| ||||||||
| |||||||||
