Windows can't be secured, because it lacks package management

Package managers are good for you

Modern package managers, like Gentoo's Portage, have all kinds of advanced functionality but none of it is as important as the basic one: one-line (or one-click for the GUI masochists out there) installation, uninstallation, and upgrading of any program. The amount of packages available in a mainstream distribution today is on the order of 10,000, and most of them also have semi- or unofficial package repositories containing thousands more. The average user can spend their entire life without ever needing to install something manually, and so the average (non-technical) user often doesn't even know how to do it, not even on the level of ./configure; make; make install. (A techie who needs to install something that isn't packaged will often create an unofficial package for it along the way.)

So where am I going with this? Obviously Windows has no package management. Note that I'm not talking about a unified technology to create setup programs - that's what MSI, the Microsoft Installer, is for - but about a central repository of programs, and a way of managing them once they're installed. The Add/Remove Programs list doesn't count either - in fact it's not even in the same category:

1. It doesn't support installation, which of course is much more important than uninstallation.


2. The software maker still has to write his own uninstallation program. The user has to rely on it, so if the program breaks, Add/Remove won't help you cleanup everything it installed.

Lacking an official way to install or upgrade something, the security average home Windows user is severely compromised. There are three reasons for this:

1. Trusting the ISV. The user has to decide whether to trust each ISV he buys from, instead of having a distro to do it for him. The average user certainly doesn't know whether the latest version of Adobe Photoshop has several published, unfixed vulnerabilities. He probably doesn't even care. He'll just use the shiniest thing around.


2. Bad sources. The user is liable to install spyware, trojans, virus-infected programs, etc. which he receives in spam mail, from a phishing site, or as warez. A good package database would have filtered these and probably provided the correct program he was really looking for. As it is, he comes to rely on untrustworthy sources for his software.


3. No updates. The user never, ever updates his software, unless he's looking for a feature present in the new version. This is because it's too bothersome to go to the individual home pages of the 50 programs he has installed and figure out what the latest update is that doesn't require money (as major upgrades often do). It's even worse with programs he copied illegally, as they might have been cracked or used a blacklisted license key, preventing patches from installing. A Windows ISV has no way of pushing out critical security upgrades to home users - not even on a scale of months.

How Windows would benefit from package management

There's a good reason, historically speaking, why a Windows user can't tell his computer 'install the latest version of Photoshop' the way I can run 'emerge gimp'. That's because Photoshop isn't free, not even free as in beer. But everyone and his uncle has an e-commerce system these days. Buying software online isn't any more difficult than buying music. In fact it's easier, because you don't have to worry about someone's software or hardware media player not supporting your DRM.

So why doesn't Microsoft organize a big marketplace where people can buy, download, and automagically install/upgrade any Windows programs someone else might want to sell? It seems like a win-win situation:

1. Programs are easy to buy and install, which should make people purchase them


2. Obscure ISVs get more exposure, because you can search the package repository and everyone's represented on equal terms


3. Fixes are easy to deliver, and new versions easy to sell


4. You can integrate requests for support, user-driven mutual support forums, and (for those companies who agree to it) open or at least openly-readable issue trackers


5. You don't have to ask people to register (they already have), so the ISVs and their, um, partners can do better targeted advertising. The customers, meanwhile, only have to reveal their personal data to one company - Microsoft - rather than to every ISV who today wants you to register to receive support or an installation key


6. There's a single activation/registration/validation technology for fighting piracy and tracking customers. Today every ISV has to build or buy their own. (That means there's just one technology to break, as has been done with Genuine Advantage, but we know the PHBs don't ever believe a new form of anti-copying tech or DRM can be broken before it is.)


7. Sysadmins in big companies can hook into the system for central installation, upgrade, and removal of programs across a company's computers


8. You could integrate Windows' own updates and third-party driver updates into it

There are advantages for Microsoft, too (apart from using the same system themselves for their applications - it beats Microsoft Update hands-down). They can take money from companies for the right to use the system. Once it's successful enough, they can kill competitors or just unwanted software by refusing to include it. They can sell digital signatures of approval, like they do today for drivers, that would actually mean something ("the latest driver will be downloaded and installed automatically, just plug-in your new hardware" is a big step forward from "the accompanying disc includes a year-old WHDL-approved driver"). And they would use the system themselves to get even more power than they have today, in the form of being able to send out an upgrade that would be installed on every Windows machine in the world. Or a command to uninstall some software that's buggy, breaks somebody's DRM, or has been banned by US courts. Come to think of it, some authoritarian-minded governments would definitely be in favor of this technology.

Why there's no Windows package manager

So why don't they do it? I think the main reason is actually technological: even if you brought everyone's installers together, their average quality wouldn't be up to scratch. Today most installers use MSI, but if Microsoft were to impose some quality control, many would be disqualified due to broken upgrade or removal procedures, and many software packages would be unable to be installed together, due to either bugs or nasty competition. And of course the ideal of actually sharing shared libraries, and being able to update them separately from the apps using them, would require a colossal amount of work from everyone involved. In fact I doubt that last could be made to work in anything other than a free software setting.

I can think of some other, less likely reasons why this hasn't been done. One is that Microsoft hasn't been successful in establishing a single online identity and means of payment. And they probably missed their chance to buy eBay, who have allied with Google. But they've never had anything interesting to sell yet. It seems worth a try.

Another obstacle is the ever-present antitrust threat. If Microsoft were to offer such a system, they would increase their monopolistic power while killing off anyone already in that niche. Admittedly there's no existing database of installations of Windows programs, but there are quite a few programs out there that offer to distribute and manage software across your Windows network, including at least one owned by Microsoft (not counting the builtin Group Policy method of distributing MSI packages in a Windows domain). If Microsoft were to expand their solution to encompass official support from big ISVs, they would gain a big advantage against competitors. Is there a real threat to Microsoft from antitrust regulators? I honestly have no clue, but I do know it hasn't seemed to stop them before.

Perhaps the ISVs themselves wouldn't want to go along. There are many reasons for an ISV to fear joining such a venture. It should be seen as Microsoft roping in the entire Windows software industry en masse, opening their mouth wide for a huge last embrace-and-extending move that gives them direct control over all software ever written for Windows. But Microsoft is good at making a few companies go along, then playing them against those who hang back. Once enough ISVs sign up, they can be given preferential treatment. Once everyone Microsoft likes signs up, the next version of Windows after Vista can simply disallow installation of any programs not signed by Microsoft and distributed via the MS package manager. (Think that's over the top? Vista already does that for drivers. Why not for everyone else? It's not open-source drivers that Microsoft has to compete with, after all.)

The only good thing about all this is that noone but Microsoft can start such a move. A package manager for Windows wouldn't gain critical mass without having Microsoft's own updates and installations on board. So perhaps I should chalk it up in the horribly-evil-things-Microsoft-can-do-but-hasn't-yet category. (A system that lets Microsoft control a whitelist of what Windows software is allowed to exist, and to change or uninstall any such software remotely? Sure it's evil.) I just hope by the time they get around it, Windows will have lost enough ground that tightening their control only hastens the inevitable.

Have you got a better idea why Microsoft never made a real package manager? If you do, please leave a comment or write me!