
The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.

What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.

For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.
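The network-monitoring idea in the comment above, worked through as an added example (not code from the thread or from any of the projects named in it): a small Go audit that reads constructed egress log lines and flags connections from applications whose update traffic normally goes to a known set of hosts. The process names, hostnames, IP addresses and the allowlist are all assumptions made up for the example; a real deployment would take the baseline from vendor documentation or from observed known-good traffic.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample egress log (not from any real system), one connection
// per line: "<timestamp> <process> <destination-host> <port>".
const sampleEgressLog = `2024-01-10T09:00:01Z editor.exe updates.editor.example 443
2024-01-10T09:00:02Z editor.exe github.com 443
2024-01-10T09:00:05Z editor.exe 203.0.113.7 8080
2024-01-10T09:01:00Z winget.exe cdn.winget.microsoft.com 443
2024-01-10T09:02:00Z winget.exe 198.51.100.23 443
2024-01-10T09:03:00Z browser.exe example.org 443`

// Hypothetical per-application allowlist of update endpoints. Only
// processes that appear here are audited; everything else is ordinary
// user traffic and outside the scope of this check.
var updateBaseline = map[string][]string{
	"editor.exe": {"updates.editor.example", "github.com"},
	"winget.exe": {"cdn.winget.microsoft.com"},
}

// Finding records one connection that deviates from the baseline.
type Finding struct {
	Process string
	Host    string
	Port    string
	Reason  string
}

// AuditEgress parses the log and reports connections from baselined
// processes to hosts outside their allowlist. A non-443 destination port
// is noted as an extra signal, since update channels are normally HTTPS.
func AuditEgress(log string, baseline map[string][]string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			continue // malformed line: skip rather than guess
		}
		proc, host, port := fields[1], fields[2], fields[3]
		allowed, known := baseline[proc]
		if !known || contains(allowed, host) {
			continue
		}
		reason := "host not in update allowlist"
		if port != "443" {
			reason += "; non-standard port"
		}
		findings = append(findings, Finding{proc, host, port, reason})
	}
	return findings
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range AuditEgress(sampleEgressLog, updateBaseline) {
		fmt.Printf("ALERT %s -> %s:%s (%s)\n", f.Process, f.Host, f.Port, f.Reason)
	}
}
```

Running it prints two alerts: the editor's connection to an unlisted IP on port 8080 and the package manager's connection to an unlisted IP. The allowlist approach is deliberately narrow: it will not catch a compromised update served from the legitimate host (which is exactly the scenario in the thread), so it complements, rather than replaces, verification of what was downloaded.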





The lack of a well-known, well-designed package manager for Windows has always been a problem. Too many programs, including FOSS programs, are downloaded from suspicious-looking websites with tons of ads, and every app updates itself in a different way.

The crappy installation and update channels are often tightly integrated with the vendors' monetization strategies, so there's a huge amount of inertia.

Microsoft Store could have changed this situation, had it been better designed and better received. Unfortunately, nobody seems to use it unless they have no other choice.

WinGet looks much better, but so far it's only for developers and power users.


The Microsoft store would have needed proper vetting and support for normal desktop apps from day 1 for it to actually have been a good option. Also, not requiring the system be set up with an online account would have been helpful for adoption.

I can't say it would have guaranteed people would have liked it, just that those were needed for it to have a chance.


The stupid thing is that a packaging system - MSI and later MSIX - has existed for a long time. But the tooling for it, to put things into packages, is a mess; nor is there a single tool even for Microsoft's own stuff. They really need to get onto dogfooding this stuff.

But then, in an environment dominated by corporate IT who have no real means of switching, why improve the product?


The thing is that I trust the Debian maintainers, so I use dpkg to install my software. I do not trust Microsoft, so I use the browser to install software.

If you trust Microsoft enough to run their operating system, you trust them enough to develop a package manager.

Suppose, for example, that they caught up to where Debian was 30 years ago and Windows shipped with a default list of sources for the core OS to which you could add your internal or preferred partners (e.g. Adobe in many companies). Literally millions of systems wouldn’t have been compromised because they had unpatched apps. If they’d had a curated list of responsible vendors, multiple generations of people wouldn’t have been trained that it’s normal to run installers because a web page told you so.


> If you trust Microsoft enough to run their operating system, you trust them enough to develop a package manager.

Yeah, enough to run MS Windows in a VM, with services that mess with Windows Update and modified Group Policy.

I do install as many things as possible with the MSYS2 package manager.

> Suppose, for example, that they caught up to where Debian was 30 years ago and Windows shipped with a default list of sources for the core OS to which you could add your internal or preferred partners (e.g. Adobe in many companies). Literally millions of systems wouldn’t have been compromised because they had unpatched apps. If they’d had a curated list of responsible vendors, multiple generations of people wouldn’t have been trained that it’s normal to run installers because a web page told you so.

The issue is that Microsoft is already forcing a lot on its "users". If only installing things from the OS store becomes commonplace, then I think MS Windows will end up like iOS, and that is way worse (for me).


> Microsoft Store could have changed this situation

Don't you need to create a Microsoft account to use it? That makes sense for a store where you buy apps with money, but not for a package manager for free software like Notepad++.

P.S. I'm waiting for the day you need a registered Ubuntu account to use their snap store :(


The non-developer / non-power-user is likely already using their Microsoft account to log into the OS.

Much of the software that people install on Windows is quite expensive. So if any package manager were worth calling a "store", one for Windows definitely would be.

It doesn't make sense to have one package manager for paid software and another for free software, so both types of software would be available in the same "store", with the unfortunate consequence that you need to log in with a Microsoft account in order to get free software.

But if I only used free software, I wouldn't even be using Windows.


Honest question. Are you telling me this has never happened to Linux? I seem to recall a situation where the source code was compromised. But maybe I am wrong.

There are always Chocolatey and Scoop.

Why wouldn't those also become a target, if they would grow to be sizable?

And if they have prevention mechanisms, why can't existing supply chains be secured with similar prevention mechanisms, instead of funneling to a single package manager provider?


The supply chain for Notepad++ updates was a PHP script on a shared hosting account pointing to the URL of an executable file.

Surely someone with more resources and more sets of eyes could do better than that? AFAIK nobody has compromised Debian's APT repositories and Red Hat's RPM repositories yet.
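The contrast drawn in this comment (an update channel that is just a script handing back the URL of an executable) and the "cryptographic verification" mentioned near the top of the thread, shown side by side as an added Go example that is not code from the thread, from Notepad++, or from any package manager. The client trusts only a manifest signed with a release key it already holds, and the downloaded bytes are checked against the size and SHA-256 pinned in that manifest before anything runs. The manifest format, product name, URL and the use of Ed25519 are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed description of one update. The
// client acts on what the manifest pins, never on the bare URL alone.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
	Size    int    `json:"size"`
}

// ManifestFor builds a manifest pinning the given payload (publisher side).
func ManifestFor(product, version, url string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Product: product, Version: version, URL: url,
		SHA256: hex.EncodeToString(sum[:]), Size: len(payload)}
}

// SignManifest is the publisher side: serialise the manifest and sign the
// bytes with the Ed25519 release key, which never lives on the web host.
func SignManifest(m Manifest, priv ed25519.PrivateKey) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyManifest is the client side: the manifest is parsed only after its
// signature checks out against the public key shipped with the client.
func VerifyManifest(body, sig []byte, pub ed25519.PublicKey) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	return m, nil
}

// VerifyPayload checks the downloaded bytes against the pinned size and
// digest before anything is executed. A swapped file at an unchanged URL
// fails here.
func VerifyPayload(m Manifest, payload []byte) error {
	if len(payload) != m.Size {
		return fmt.Errorf("size mismatch: got %d, manifest says %d", len(payload), m.Size)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("sha256 mismatch: payload does not match manifest")
	}
	return nil
}

// Demo runs the whole exchange on a constructed payload and returns whether
// the genuine update is accepted, a modified payload is rejected, and a
// rewritten manifest (no valid signature) is rejected.
func Demo() (genuineOK, tamperedRejected, forgedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed installer bytes, version 1.2.3") // stand-in for setup.exe
	url := "https://updates.example.invalid/setup.exe"
	m := ManifestFor("example-editor", "1.2.3", url, payload)
	body, sig, _ := SignManifest(m, priv)

	got, err := VerifyManifest(body, sig, pub)
	genuineOK = err == nil && VerifyPayload(got, payload) == nil

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff
	tamperedRejected = VerifyPayload(got, tampered) != nil

	// A manifest rewritten on the hosting side to pin the modified file
	// cannot carry a valid signature, so it is rejected before parsing.
	forgedBody, _ := json.Marshal(ManifestFor("example-editor", "1.2.3", url, tampered))
	_, err = VerifyManifest(forgedBody, sig, pub)
	forgedRejected = err != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The design point is where the trust lives: with only a URL, whoever can edit the hosting account decides what the client runs; with a signed manifest, compromising the host yields nothing unless the release key is also taken, which is why that key belongs offline or in an HSM rather than next to the web content.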


These days there is Winget which I'd rather use than either of those.

Do you really need the entire walled garden of the store? It's not impervious, just harder to attack, but due to its scale and value it will be constantly attacked. Not a great trade.

What happened to just good old OS APIs? You could wrap the entire "secure update" process into a function call. Does Windows somehow not already have this?


Windows already has a built-in updater for MSIX packages.

The Store uses that behind the scenes. You don't have to use the store to use the system update system.

It's particularly good because updates can happen in the background, without having to launch your app to trigger them.


The value of the store is curation: if the random scammers who put up “Totally Acrobat PDF” websites can’t get listed, it’s safer for people who aren’t security experts to trust the installer isn’t blatant malware.

The problem is that this needs strong regulation to prevent it from turning into a payola marketing scam where vendors have to pay for placement.


I'm sure updating can be done with OS APIs, though MS doesn't look like they're in any hurry to integrate even their own store with the Windows Update mechanism.

The problem is finding and installing new software. Without a well-known official repository, people end up downloading Windows apps from random websites filled with ads and five different "Download" buttons, bundled with everything from McAfee to Adobe Reader.

We should be asking how to enable adding external sources like Ubuntu PPAs (which can then be updated like the rest), not whether there should be an official repository to bootstrap the package manager in the first place. "Store" is just a typical name for such a repository, it's not mandatory.



