
Winget Goes Mainstream, But Still Lags Behind | Microsoft releases the controver...

 3 years ago
source link: https://medium.com/young-coder/winget-goes-mainstream-but-still-lags-behind-213404148206

Winget Goes Mainstream, But Still Lags Behind

The Windows Package Manager will be an essential developer tool — eventually

Putting winget to use in the new Windows Terminal

A few months ago, when I wanted to take a look at Microsoft’s sleek new Windows Terminal, I went to a place I haven’t been in a long time — the Windows Store.

If you’re like me (or most developers I know) you also do your best to avoid this ancient corner of the Windows universe. It’s plagued by desktop-skinned web apps and media content, but devoid of the grown-up software you really need (Steam, Discord, Zoom, Visual Studio Code). Once the future of Windows deployment, today’s Windows Store is so unloved that it almost feels like a piece of abandonware.

Search for Git, and the Windows Store recommends Ratatouille the movie (?) and a Linux distro

It didn’t have to be this way. Just look at the Linux operating system. Different Linux distributions have their own headaches, but software installation isn’t one of them. Linux has package managers, which let you automate big installs, rebuild systems at will, and handle dependencies as part of a single install.

On Windows, the experience remains pretty much what it was in 1998 — you find a setup that was created in one of several custom setup-building programs, decide whether or not to trust it on your computer, and then step through an old-fashioned “wizard” of steps that may ask a few largely meaningless questions. Sure, sometimes these programs have silent install options, but it’s up to you to know how that works for each piece of software you want to install. The whole system is a chore when it works. It’s an even bigger headache when an installation needs to be updated or repaired.

Of course, this isn’t the complete story. Windows does have third-party package managers. Some, like Chocolatey and Scoop, are excellent. They’ve built up an impressive base of community support, which is critical, because a package manager isn’t just about the tool, but also the repository it fronts. (Take the example of JavaScript. How many developers install Node just to get a working copy of npm — and how many people would use npm if the package manager didn’t wrap the world’s largest repository of JavaScript libraries?) But most end users haven’t ever seen a Windows package manager. Even some Windows-centric businesses refuse to adopt them without Microsoft’s explicit endorsement.

Introducing winget

Microsoft announced that it was developing its own package manager, called winget, more than a year ago. Now Microsoft is finally ready to release an official Windows Package Manager version 1.0. If you’ve signed up to receive early Windows updates through the Windows Insider program, winget may already be on your computer. If not, you can get it from its GitHub page. Or, just wait a few weeks for winget to be rolled out in an official Windows update and appear on computers everywhere.

Is this a reason for Windows developers to celebrate? Well, a little bit. Early preview versions of winget left out key features (like the ability to uninstall or update software). But the 1.0 release has matured into something closer to a bare minimum level of usefulness.

On a first run-through, winget feels pretty good. You can search for available packages with winget search:


You can install them with winget install:


When you start an install with winget, Microsoft gets the appropriate manifest from its catalog, downloads the corresponding setup file, and verifies that its hash matches what’s specified in the manifest. If they match (meaning the setup hasn’t been tampered with), winget launches the install.

If you’re lucky, this process can unfold with no user interaction required. But sometimes, you’ll need to click through a setup wizard or security prompt, which diminishes the benefit of having a command-line tool. Sometimes my setups just couldn’t complete themselves, for reasons unknown:


(If you’re curious, winget’s lengthy log didn’t divulge the reason for this failed install beyond the generic 1603 exit code.)

It gets worse. Winget has the ability to update installed packages, either one at a time or all at once. But at the moment, only a few packages actually support upgrades. You can find out which ones work by running winget upgrade. The problem is that when I tried winget, it couldn’t update most of these supposedly upgradeable apps either. Here are my failed attempts with Discord, Firefox, and Node:


Uninstall support isn’t much better. And dependencies — well, winget doesn’t even try to tackle that can of worms.

What works: security

You’ve already seen how winget uses a hashing mechanism to verify that a package hasn’t been changed. That prevents the kind of exploit where you try to install your favorite file archiving utility, only to find that the domain was scooped up by a cybercriminal and your software was transformed into a piece of ransomware.
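
The hash check described above, as an added example (not code from the article or from winget itself): it reads `InstallerSha256` from a constructed manifest and compares it with the SHA-256 of the downloaded bytes. The package name, URLs and installer bytes are made up, and the regex parser is a simplification standing in for a real YAML parser.

```python
import hashlib
import hmac
import re

# Constructed sample: a trimmed installer manifest using winget's field names
# (InstallerUrl, InstallerSha256). Package, URLs and bytes are made up.
GOOD_INSTALLER = b"MZ constructed installer bytes for the example"
SAMPLE_MANIFEST = """\
PackageIdentifier: Example.Archiver
PackageVersion: 1.2.3
Installers:
- Architecture: x64
  InstallerUrl: https://downloads.example.invalid/archiver-x64.exe
  InstallerSha256: {x64}
- Architecture: x86
  InstallerUrl: https://downloads.example.invalid/archiver-x86.exe
  InstallerSha256: {x86}
""".format(
    x64=hashlib.sha256(GOOD_INSTALLER).hexdigest().upper(),
    x86="0" * 64,  # deliberately does not match GOOD_INSTALLER
)

# Simplified parser (assumption): fields appear in this order, one per line.
INSTALLER_RE = re.compile(
    r"-\s*Architecture:\s*(\S+)\s+InstallerUrl:\s*(\S+)"
    r"\s+InstallerSha256:\s*([0-9A-Fa-f]{64})\b"
)


def parse_installers(manifest_text):
    """Return {architecture: (url, lowercase sha256)} from the Installers list."""
    return {a: (u, d.lower()) for a, u, d in INSTALLER_RE.findall(manifest_text)}


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large installers are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(manifest_text, arch, stream):
    """True only if the downloaded bytes match the manifest hash for this arch."""
    installers = parse_installers(manifest_text)
    if arch not in installers:
        raise KeyError(f"no installer listed for {arch}")
    return hmac.compare_digest(sha256_stream(stream), installers[arch][1])
```

A matching hash only ties the download to the manifest; it says nothing about whether the manifest itself deserves trust.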

But winget goes beyond just hash checking. Microsoft also uses the SmartScreen service to filter out known malware, and performs static analysis to reduce the chance of dangerous software getting into the repository. These features aren’t perfect, but they offer much more protection than you get downloading a raw EXE on the web. Security is also one of the best arguments for why Microsoft should maintain its own package manager. Secure, scriptable installs deserve to be an OS-level feature. (Although one could argue that Microsoft would be farther ahead if they just bought Chocolatey or AppGet.)

The winget compromise

In some ways, winget is really just a mirage. It’s a neat command-line interface over the conflicted reality of the Windows registry and Add/Remove Programs feature.

Just some of the nearly 500 packages winget list reports on my computer

If you dare to run winget list, you’ll see a mammoth list of software packages and updates, some of which are missing version information or even a GUID. This free-for-all makes me wonder how anyone can be successful using commands like winget export (to generate a list of packages) and winget import (to install them on another computer). The Windows plumbing might be there, but the majority of Windows setup programs won’t play nicely.

Some will point out that “this is just the way Windows works.” Except Windows has a relatively modern package standard, called MSIX, which solves many of these problems. MSIX setups don’t interact directly with the registry and file system. Instead, they run in a container and interact with a virtualized registry and file system, which means Windows can record exactly what they’re doing. Crucially, this means that when it comes time to uninstall the program, the operating system can control the process. It knows where the setup placed files and what registry keys it created, so it can clean up the mess. And that’s much better than launching someone’s custom-written uninstall program and hoping it behaves nicely.

But MSIX hasn’t been adopted widely. Today, it’s still too limiting even for Microsoft’s software products. Winget seems like it was an opportunity to boost MSIX, enforce a stricter package management system, and start moving forward out of the unsupervised installer hell we all inhabit. But there’s just too much legacy software still in use and too many Windows problems that we’ve just learned to live with. Winget is — like many pieces of deep-rooted Windows infrastructure — a slowly evolving compromise.

So what should you do now? If you’ve got a third-party package manager, keep using it for the foreseeable future. If you’ve got nothing, you’re going to find something to like in winget. For my part, I’m going to remain happy, and optimistic for the future… but more than a little underwhelmed.

