It has been a few years since I touched on software management, and a recent lively dialogue prompted me to write this article explaining some of the benefits of software management (usually called package management). The discussion started from the belief that Microsoft Windows needs software/package management like Linux has. I was quite surprised at the number of people who disagreed, and it seemed that many were unaware of the less obvious advantages of package management. This article is designed to highlight some of those features.

What is software management? In the world of Linux and BSD there is the concept of software repositories and package managers: a wide selection of software is collected in one place and installed by one standardized method. For example, FreeBSD has the ports system, where with a simple “make” command I can install any one of thousands of applications (at the time of this writing, over 19500). In Windows, the nearest equivalent is going online, downloading a file and running the setup application.

However, unlike Windows, by default the ports system uses hashes (MD5 and SHA256) to verify that the downloaded software is what the port expects. For example, if a web server gets hacked and a virus-laden version of the software is put in place of the original, when FreeBSD downloads the software to install it, it will notice the checksum failure and refuse to install the potentially vulnerable software. This does assume that malicious code was not part of the original software and that the software was clean at the time the port was created or updated (i.e. not already infected when the checksum was recorded). I am unaware of a situation where this has been a problem. As far as I know, there is no equivalent system for Windows software installation.
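To make the checksum gate concrete, here is an added example (my own illustration, not code from the FreeBSD ports system or from the original article). It records a SHA256 and size for a constructed “distfile” in the same shape the ports tree's distinfo files use (“SHA256 (file) = hex” and “SIZE (file) = bytes”), then refuses to proceed with the install when a same-sized but altered copy shows up. Only SHA256 is checked; an MD5 line would add nothing a practitioner should rely on. The `hello-1.0.tar.gz` name and its contents are made up.

```shell
#!/bin/sh
# Added example, not FreeBSD's own code: verify a downloaded distfile against a
# distinfo-style record before allowing installation. The record format mimics
# the ports tree's distinfo ("SHA256 (file) = hex" / "SIZE (file) = bytes").

# sha256_of FILE: hex SHA-256 of FILE, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# size_of FILE: size in bytes (portable across GNU and BSD wc).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO FILE
# Succeeds only when both the recorded SHA256 and SIZE match FILE.
verify_distfile() {
    local distinfo file name want_sum want_size
    distinfo=$1; file=$2; name=$(basename "$file")
    want_sum=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE" && $2 == "(" n ")" { print $4 }' "$distinfo")
    [ -n "$want_sum" ] || { echo "no SHA256 record for $name" >&2; return 1; }
    [ "$(size_of "$file")" = "$want_size" ] || { echo "size mismatch for $name" >&2; return 1; }
    [ "$(sha256_of "$file")" = "$want_sum" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    return 0
}

# install_if_valid DISTINFO FILE: the gate described in the text; the real
# "make install" step would only run after this succeeds.
install_if_valid() {
    if verify_distfile "$1" "$2"; then
        echo "ok: $(basename "$2") verified, proceeding with install"
        return 0
    fi
    echo "refusing to install $(basename "$2")" >&2
    return 1
}

# Constructed demo: a fake distfile, its distinfo, and a same-sized tampered copy.
demo_checksum() {
    local dir
    dir=$(mktemp -d)
    printf 'pretend tarball contents\n' > "$dir/hello-1.0.tar.gz"
    {
        printf 'SHA256 (hello-1.0.tar.gz) = %s\n' "$(sha256_of "$dir/hello-1.0.tar.gz")"
        printf 'SIZE (hello-1.0.tar.gz) = %s\n' "$(size_of "$dir/hello-1.0.tar.gz")"
    } > "$dir/distinfo"
    install_if_valid "$dir/distinfo" "$dir/hello-1.0.tar.gz"      # verified
    printf 'PRETEND tarball contents\n' > "$dir/hello-1.0.tar.gz"   # same size, altered
    install_if_valid "$dir/distinfo" "$dir/hello-1.0.tar.gz"      # refused
    rm -rf "$dir"
}
demo_checksum
```

The size check is cheap and catches truncated downloads early, but the SHA256 comparison is the one that carries the security argument: the record is fetched with the ports tree, not from the same server as the distfile, so an attacker who swaps the download also has to alter the tree you already have.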

In addition, the ports system ties into a security audit system: when a port is installed, the version being installed is checked against a security database to make sure it has no outstanding, known security issues. If it does, a manual override is required to install the software. Most of the time the solution is to update the ports tree to get the latest version (generally software is patched within days of a vulnerability being found). As far as I know, there is no equivalent system for Windows software installation.

At this point, you're able to install software with a single command and have it automatically checked to make sure the file is valid and has no known reported security issues. Perfect. However, one other HUGE advantage is available — recursive installation. Certain software requires other software to be installed in order to operate correctly. For example, on Windows, an application written in Visual Basic may require the Visual Basic runtimes; the same goes for applications written in ASP or on the .NET framework. When such software is installed, the user is usually told that the other software is required, and it is up to the user to navigate the web to find it, download and install it, and hope it is the correct version. This is not too difficult for one dependency, but if the software has many (let's say you want to install a web application on a fresh Windows installation: this may require manually installing a web server, a database server, the latest version of the ASP.NET framework, potentially other libraries the web application uses, etc.), the work multiplies. Needless to say, this is a lot of additional locating, downloading and installing of software.

In the FreeBSD ports world, the original “make” command will notice that certain software is required and automatically install it. In fact, if it starts installing a dependency and notices THAT dependency requires other software, it will install those applications as well. To top it off, it's possible to tell the “make” command to configure all the software up-front so the system can install all of it in the background while you attend to more important tasks instead of babysitting the installation. As far as I know, there is no equivalent system for Windows software installation.
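The recursion the two paragraphs above describe is easy to see in a few lines of shell. This is an added example (my own, not the ports system's code and not from the original article) that resolves a constructed dependency table: each package is installed once, only after everything it depends on, and a dependency cycle is reported instead of looping forever. The package names (`webapp`, `httpd`, `pgsql` and so on) and their dependencies are made up for the example; the real `make` reads them from each port's Makefile.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD ports system: recursive dependency
# resolution over a constructed dependency table. Each package is installed
# once, after everything it depends on, and a dependency cycle is an error.

# Constructed dependency table: "package: dependency ..." (nothing after the
# colon means the package has no dependencies). Package names are made up.
DEPS='webapp: httpd php pgsql
httpd: pcre openssl
php: httpd libxml2 openssl
pgsql: openssl readline
pcre:
openssl:
libxml2:
readline:'

# deps_of NAME: print the direct dependencies of NAME, space separated.
deps_of() {
    printf '%s\n' "$DEPS" | awk -v p="$1" '$1 == p ":" { $1 = ""; print }'
}

# has WORD LIST: succeed when WORD is one of the space-separated words in LIST.
has() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

INSTALLED=""   # packages already installed (so each is installed once)
VISITING=""    # packages on the current resolution path (cycle detection)
ORDER=""       # the resulting install order

# install_pkg NAME: install NAME's dependencies (recursively), then NAME.
install_pkg() {
    local pkg d
    pkg=$1
    has "$pkg" "$INSTALLED" && return 0
    if has "$pkg" "$VISITING"; then
        echo "dependency cycle: $pkg is needed while it is still being resolved" >&2
        return 1
    fi
    VISITING="$VISITING $pkg"
    for d in $(deps_of "$pkg"); do
        install_pkg "$d" || return 1
    done
    VISITING=${VISITING% $pkg}      # $pkg was appended last, so this pops it
    echo "installing $pkg"          # where the real "make install" would run
    INSTALLED="$INSTALLED $pkg"
    ORDER="$ORDER $pkg"
}

# install_plan ROOT: resolve ROOT from a clean state and print the install
# order on one line; fails (status 1) when a cycle is found.
install_plan() {
    INSTALLED=""; VISITING=""; ORDER=""
    install_pkg "$1" >/dev/null || return 1
    printf '%s\n' "${ORDER# }"
}

install_plan webapp      # pcre openssl httpd libxml2 php readline pgsql webapp
```

Note that `openssl` appears in three dependency lists but is installed exactly once, and that `httpd` is pulled in by `webapp` before `php` asks for it again; that bookkeeping is what the user otherwise does by hand on Windows.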

So at this point, with one command, I could theoretically install a wide range of software. Here is where the fun really begins with software management.

On FreeBSD, the “pkg_info” command gives me a list of all the software installed on the system. It is quite nice to know exactly what software is installed (I can back up this list along with my configuration files and user data and recreate the installation without much trouble).

If I am not sure why a certain piece of software is installed, I can query what software (if any) depends on it. On Windows, have you ever uninstalled an application, been prompted “This file may be used by another application, do you want to remove it?” and been unsure what to do? With software management, the system tells you exactly what other software depends on that file and lets you make an informed decision (rather than a “well, let's try it and hope nothing breaks!”).

Perhaps you need the opposite: you see a file on the computer and are unsure what it is for. Once again, you can query the software management system, and it will tell you which package installed that file. If all of the applications you use are managed by the software management system, you can easily weed out potentially harmful files (or simply files that take up resources but are not being used).
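The three questions in the last two paragraphs (what depends on this package, which package owns this file, and which files does nobody own) are all lookups over the same package database. Here is an added example (my own, not FreeBSD's pkg_info code and not from the original article) that answers them against a constructed database; the package names, versions and file paths are made up, and the final sweep shows how an unmanaged file stands out once every legitimate file has an owner.

```shell
#!/bin/sh
# Added example, not FreeBSD's own pkg_info code: answering "which package
# owns this file?" and "which packages depend on this one?" against a
# constructed package database, and sweeping a file listing for files that
# no package claims.

# Constructed database, one package per line:
#   name-version|installed files (comma separated)|dependencies (comma separated)
# Package names, versions and paths are made up for the example.
PKGDB='httpd-2.4.46|/usr/local/sbin/httpd,/usr/local/etc/httpd.conf|pcre-8.44,openssl-1.1.1
php-7.4.3|/usr/local/bin/php,/usr/local/lib/libphp.so|httpd-2.4.46,openssl-1.1.1
pcre-8.44|/usr/local/lib/libpcre.so|
openssl-1.1.1|/usr/local/bin/openssl,/usr/local/lib/libssl.so|'

# owner_of PATH: print the package that installed PATH; fail if none did.
owner_of() {
    printf '%s\n' "$PKGDB" | awk -F'|' -v f="$1" '
        { n = split($2, files, ",")
          for (i = 1; i <= n; i++) if (files[i] == f) { print $1; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# required_by PKG: print every package whose dependency list contains PKG.
required_by() {
    printf '%s\n' "$PKGDB" | awk -F'|' -v p="$1" '
        { n = split($3, d, ","); for (i = 1; i <= n; i++) if (d[i] == p) print $1 }'
}

# safe_to_delete PKG: succeed only when nothing depends on PKG.
safe_to_delete() {
    [ -z "$(required_by "$1")" ]
}

# unowned_files: read one path per line on stdin; print those no package owns.
unowned_files() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        owner_of "$path" >/dev/null || printf '%s\n' "$path"
    done
}

# Demo with the constructed inputs.
owner_of /usr/local/lib/libssl.so                         # openssl-1.1.1
required_by openssl-1.1.1                                  # httpd-2.4.46, php-7.4.3
safe_to_delete php-7.4.3 && echo "php-7.4.3: nothing depends on it"
safe_to_delete pcre-8.44 || echo "pcre-8.44: still required by $(required_by pcre-8.44 | tr '\n' ' ')"
printf '%s\n' /usr/local/bin/php /usr/local/bin/unknown-tool | unowned_files   # unknown-tool
```

In practice the sweep would be fed by a `find` over the directories the package system manages; whatever it prints is either something you installed by hand or something that should not be there, and either way it deserves a look.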

The ongoing maintenance of your software is equally easy. FreeBSD has a nightly security audit process that checks all installed software against a centralized security database and notifies you of any security threats to your software: one simple email report that can be reviewed quickly, versus gathering these issues from multiple sources as on Windows. In addition, when the ports tree is updated (again, a process that can be set up to run nightly), you can easily check which software has updates, centrally and in a scriptable way. FreeBSD also offers an “UPDATING” document (synced when the ports tree is updated) with step-by-step instructions for major software updates.
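The pre-install check described earlier (a vulnerable version needs a manual override) and the nightly audit described here are the same comparison run at two different times: installed version against the first fixed version in a vulnerability list. The added example below (my own, not FreeBSD's portaudit or VuXML tooling and not from the original article) implements both over a constructed list. The package names, versions and advisory ids are made up; the one thing worth noticing is that version comparison must be numeric per component, since a plain string compare would call 7.4.3 newer than 7.4.10 and silently pass a vulnerable package.

```shell
#!/bin/sh
# Added example, not FreeBSD's own portaudit/VuXML tooling: a version-aware
# check of packages against a constructed vulnerability list, used both as a
# gate before installation and as a nightly audit over everything installed.

# Constructed vulnerability list: "name first_fixed_version advisory_id".
# Names, versions and advisory ids are made up for the example.
VULNDB='openssl 1.1.2 EXAMPLE-ADVISORY-0001
php 7.4.10 EXAMPLE-ADVISORY-0002'

# Constructed "pkg_info"-style list of installed packages (name-version).
INSTALLED_PKGS='httpd-2.4.46
php-7.4.3
openssl-1.1.1
pcre-8.44'

# version_lt A B: succeed when dotted version A sorts before B, comparing each
# component numerically (so 7.4.3 < 7.4.10, which a string compare gets wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1 }'
}

# check_pkg NAME-VERSION: print the matching advisory and fail if the version
# is below the first fixed one; succeed silently otherwise.
check_pkg() {
    local name ver
    name=${1%-*}; ver=${1##*-}
    printf '%s\n' "$VULNDB" | while read -r vname fixed advisory; do
        [ "$vname" = "$name" ] || continue
        if version_lt "$ver" "$fixed"; then
            printf '%s: %s (fixed in %s)\n' "$1" "$advisory" "$fixed"
            exit 1     # leaves the pipeline subshell with status 1
        fi
    done
}

# install_gate NAME-VERSION: the pre-install check. Refuses vulnerable versions
# unless OVERRIDE=1 is set, mirroring the manual override the text describes.
install_gate() {
    local report
    if report=$(check_pkg "$1"); then
        echo "$1: no known vulnerabilities, proceeding"
        return 0
    fi
    echo "$report" >&2
    if [ "${OVERRIDE:-0}" = 1 ]; then
        echo "$1: installing anyway because OVERRIDE=1" >&2
        return 0
    fi
    echo "$1: refusing to install; update the ports tree and retry" >&2
    return 1
}

# audit_installed: the nightly report. One line per vulnerable installed
# package; prints nothing when the system is clean.
audit_installed() {
    local p report
    for p in $INSTALLED_PKGS; do
        report=$(check_pkg "$p") || echo "$report"
    done
}

audit_installed          # php-7.4.3 ..., openssl-1.1.1 ...
```

Piping `audit_installed` into mail from cron gives the single nightly report the text mentions; because it prints nothing on a clean system, an empty message (or none at all) is itself the good news.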

All of the above is fine for a single server, laptop or desktop. What can a software management system do for managing clusters, large networks or server farms? Once an application is configured and installed, you can tell FreeBSD to create your own custom package of it (pkg_create). From there, you can point other computers at your own central software repository and install the exact same build of the software across as many computers as you manage. Given the flexibility of well-defined, simple commands (make, pkg_info, pkg_create, pkg_delete), these can be scripted in a variety of ways to have software management largely automated.

Perhaps you're managing a server farm with mail servers, web servers and file servers, plus various desktops (administrative, design, development). It would be possible to create system profiles so that a computer could (via a nightly cron job or a push over SSH) be assigned classifications, e.g. “Server 01 is a web server and file server”, and then be assigned the software stack that should be loaded on it. The system could pull down the custom packages, install them and run any necessary cleanup/configuration scripts, giving a centralized method of software installation and updates.

Using the security functionality built into the software management tools, individual systems could self-audit their software stacks against the central repository and report any deviation (or simply eliminate the inconsistencies).

As a result of these tools, you're able to keep the software on your computers up to date and have a high degree of confidence that it is valid and uncompromised. In the event a system fails, the packages, the text list of installed ports or a central repository would allow a new system to be installed and online in a very short time. In fact, in larger networks it could be possible to have hot-standby systems: if a system becomes unavailable, the standby is immediately loaded with the software and, during the install, data from the backup is restored to it to minimize the outage, all automatically.
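The profile-driven deployment and the self-audit sketched in the last few paragraphs come down to one comparison: the packages a host actually has against the stack its roles say it should have. The added example below (my own sketch, not FreeBSD tooling and not from the original article) does that comparison over constructed role profiles and host assignments and prints one line per deviation (a missing package, a wrong version, or an extra package nobody asked for). Host names, roles, package names and versions are all made up; on a real host the installed list would come from `pkg_info`.

```shell
#!/bin/sh
# Added example, not FreeBSD's own tooling: a self-audit that compares the
# packages a host actually has installed against the software stack its
# assigned roles say it should have, and reports any deviation.

# Constructed role profiles ("role: package-version ...") and host assignments
# ("host role ..."). All names and versions are made up for the example.
PROFILES='web: httpd-2.4.46 php-7.4.10 openssl-1.1.1
file: samba-4.13.2 openssl-1.1.1'
HOSTS='server01 web file
server02 web'

# expected_for HOST: the union of the package lists for all of HOST's roles.
expected_for() {
    local roles r
    roles=$(printf '%s\n' "$HOSTS" | awk -v h="$1" '$1 == h { $1 = ""; print }')
    for r in $roles; do
        printf '%s\n' "$PROFILES" | awk -v r="$r" '$1 == r ":" { for (i = 2; i <= NF; i++) print $i }'
    done | sort -u
}

# pkg_name NAME-VERSION: strip the trailing -version.
pkg_name() { printf '%s\n' "${1%-*}"; }

# drift_report HOST: reads the host's installed list (one name-version per
# line) on stdin and prints one line per deviation:
#   missing <pkg>    version <name> have <v> want <v>    extra <pkg>
# Prints nothing when the host matches its profile exactly.
drift_report() {
    local expected have e h n
    expected=$(expected_for "$1")
    have=$(sort -u)
    printf '%s\n' "$expected" | while read -r e; do
        [ -n "$e" ] || continue
        n=$(pkg_name "$e")
        h=$(printf '%s\n' "$have" | awk -v n="$n" '{ s = $0; sub(/-[^-]*$/, "", s); if (s == n) print }')
        if [ -z "$h" ]; then
            echo "missing $e"
        elif [ "$h" != "$e" ]; then
            echo "version $n have ${h##*-} want ${e##*-}"
        fi
    done
    printf '%s\n' "$have" | while read -r h; do
        [ -n "$h" ] || continue
        n=$(pkg_name "$h")
        printf '%s\n' "$expected" \
            | awk -v n="$n" '{ s = $0; sub(/-[^-]*$/, "", s); if (s == n) found = 1 } END { exit !found }' \
            || echo "extra $h"
    done
}

# Demo: server01 with one outdated package, one missing and one unexpected.
printf '%s\n' httpd-2.4.46 php-7.4.3 openssl-1.1.1 telnetd-1.0 | drift_report server01
```

Run nightly with the output mailed to the administrator, this is the “report any deviation” half of the idea; feeding the `missing` and `version` lines back into an install from the central repository, and the `extra` lines into `pkg_delete`, is the “eliminate the inconsistencies” half.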