A word about standardization
Anyone who’s used to a package manager on Linux will immediately notice that Chocolatey uses three different commands (cinst, cup, and choco) to carry out operations. That’s a very non-standard way of doing things compared to the Linux-based apt-get or pacman, both of which start every command with
To better standardize usage, you can use the command format choco [command] to invoke Chocolatey. So instead of typing cinst dosbox, you can use the install command:
choco install dosbox
To update, you can use the update command:
choco update dosbox
Even though the standardized approach is favored, Chocolatey’s creator Rob Reynolds says the shorthand commands will remain a part of the project. So feel free to use whichever group of commands you find easier.
But what about security?
Chocolatey is convenient, but there's no way around the fact that it's not an ideal choice right now if you're concerned about the security of your PC. Installing programs with Chocolatey requires that you trust the package creator, because the package's install script decides what gets downloaded and run.
You could monitor Chocolatey as it installs your programs to see which sites the downloads are coming from, but that defeats the convenience of using Chocolatey as an automated process.
The implicit trust model probably means that pulling from the Chocolatey community feed wouldn't be the best choice for large enterprises or even smaller companies. That said, Chocolatey can be tuned to rely on a private feed controlled by the company where all packages are vetted by the IT department.
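The two points above, reviewing where a package's downloads come from before it runs and then serving only vetted packages from a company-controlled feed, can be done without watching an install by hand. The following PowerShell script is an added example, not code from the article or from the Chocolatey project. It relies on the fact that a .nupkg is a zip archive whose install logic lives in tools\chocolateyInstall.ps1, extracts every URL from the package's scripts, and reports the host, whether HTTPS is used, and whether the host is on an allow-list. The demo package, its URLs, the allow-list and the feed name and path are constructed placeholders.

```powershell
# Added example (not from the article or the Chocolatey project): list the download
# sources inside a Chocolatey package before installing it. Paths, hosts and the
# demo package content below are constructed placeholders.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ChocoPackageDownloads {
    param(
        [Parameter(Mandatory)][string]$PackagePath,   # path to a .nupkg file
        [string[]]$TrustedHosts = @()                 # hosts the company has vetted
    )
    $extractDir = Join-Path $env:TEMP ('choco-review-' + [guid]::NewGuid())
    [IO.Compression.ZipFile]::ExtractToDirectory($PackagePath, $extractDir)
    try {
        # Every script in the package can download and run code, not only chocolateyInstall.ps1
        foreach ($script in Get-ChildItem $extractDir -Recurse -Filter '*.ps1') {
            $content = Get-Content $script.FullName -Raw
            # Dynamically built or encoded commands hide what really runs; read those in full
            if ($content -match '(?i)Invoke-Expression|\biex\b|FromBase64String|DownloadString') {
                Write-Warning "$($script.Name): uses dynamic execution or encoded content"
            }
            foreach ($m in [regex]::Matches($content, '(?i)\bhttps?://[^\s''"<>)]+')) {
                $uri = $null
                if ([Uri]::TryCreate($m.Value, [UriKind]::Absolute, [ref]$uri)) {
                    [pscustomobject]@{
                        Script  = $script.Name
                        Url     = $m.Value
                        Host    = $uri.Host
                        Https   = ($uri.Scheme -eq 'https')
                        Trusted = ($TrustedHosts -contains $uri.Host)
                    }
                }
            }
        }
    }
    finally {
        Remove-Item $extractDir -Recurse -Force
    }
}

# --- Constructed demo package so the script runs offline (not a real Chocolatey package) ---
$work = Join-Path $env:TEMP ('choco-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $work 'tools') | Out-Null
@'
$url   = 'http://downloads.example.invalid/demo-1.0.exe'
$url64 = 'https://mirror.example.invalid/demo-1.0-x64.exe'
Install-ChocolateyPackage 'demo' 'exe' '/S' $url $url64
'@ | Set-Content (Join-Path $work 'tools\chocolateyInstall.ps1')
$nupkg = Join-Path $env:TEMP 'demo.1.0.nupkg'
if (Test-Path $nupkg) { Remove-Item $nupkg }
[IO.Compression.ZipFile]::CreateFromDirectory($work, $nupkg)

# Review the package: one URL is plain HTTP and off the allow-list, one is HTTPS and vetted
$report = Get-ChocoPackageDownloads -PackagePath $nupkg -TrustedHosts @('mirror.example.invalid')
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Trusted -or -not $_.Https }) {
    Write-Warning 'Package pulls from an unvetted host or over plain HTTP; review it before installing.'
}
Remove-Item $work -Recurse -Force

# Once a package has been vetted, serve it from a company-controlled feed and stop
# pulling from the community feed (feed name and path are placeholders):
#   choco source add --name=internal --source=\\fileserver\choco-vetted
#   choco source disable --name=chocolatey
```

The URL scan only shows what the script states openly; the warning about Invoke-Expression and Base64 content is there because a script that builds its download location at run time cannot be judged from a pattern match, and such packages should be read line by line or rejected from the internal feed.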
While security is not ideal right now, Reynolds says there are some big changes in the works for future versions of Chocolatey. Over the next year, trusted community members will begin moderating the stable feed, and all packages will be reviewed before being added. Approved packages will carry a cryptographic signature from the moderator who approved them.
Future versions of Chocolatey will include a scanning algorithm to detect packages with malicious intent. Users will also be able to control who they trust by accepting or denying packages based on public key signatures, just like package managers in Linux.
Alternatives to Chocolatey
In April, Microsoft introduced OneGet, a package manager interface for PowerShell 5.0. OneGet is essentially a manager for package managers that allows you to access downloads from multiple package managers—like Chocolatey and NuGet—in one spot. The first version of OneGet relies solely on the Chocolatey package feed.
Microsoft’s project is still a work in progress and appears to be mostly a tool for system administrators. Chocolatey, by comparison, is aimed at any Windows user willing to give it a try.
You can't live on Chocolatey alone
Although Chocolatey sounds pretty tasty, it isn't for every program out there. You can't use Chocolatey for a program stuck behind a paywall, for instance. However, any program that is free to download but asks for a purchase or license key afterward is fair game.
Unless you want to start seeking out new sources or creating your own packages, you are restricted to what’s in the community feed.
The current feed is pretty large, with more than 2,000 unique packages and more than 8,000 total at time of writing. It includes all the major third-party web browsers, uTorrent, Vuze, Notepad++, Sublime Text (versions 2 and 3), VLC, Office 365 Home Premium, CCleaner, GIMP, IrfanView, Skype, and many others.
Chocolatey may not be for every Windows user, but anyone who wants to get their hands a little dirty on the command line will find a very useful tool with this package manager for Windows.