Why is software not packaged in a single file?

We see that most Windows software is packaged in a single executable file. When I double-click the setup file, it sets up all the files, binaries and libraries with it.

I understand the dependencies of Ubuntu or, more generally, Linux packages. But I wonder why these exist. Isn't it possible to build a single file with all dependencies? What are the problems with this method?

Please try to give the reason in detail.


The main reason that dependencies are not included with the program itself is so that components of the system can be easily updated.

Imagine one dependency is used by five different programs. If a security vulnerability is found in that dependency, only one copy has to be updated, rather than five copies.

To the user, it doesn't matter that multiple packages need to be installed - installing the one piece of software you want automatically installs its dependencies.


The main difference between .deb and .exe packaging is not that Ubuntu software is not published in a single file. The main difference is the whole concept of a software repository that contains packages, and that updates can easily be provided from.

This can sometimes be problematic for computers without a direct internet connection. There are tools, like APTonCD, that help minimise these difficulties.


That is not totally true. Ubuntu software usually comes in one single .deb file. Being utterly simplistic (and inaccurate), .deb files are the equivalent of .exe files for Windows. All programs, including those in Windows, depend on other files in the operating system (libraries). The installation process is just more or less explicit in different OSes. When you use the Software Center in Ubuntu to download a program, you download only the dependencies that are not installed on your system and the actual program files. That prevents the system from being overloaded with duplicate files and duplicate functionality that would end up in conflicts.

Believe it or not, the only difference between installing a program in Windows or Ubuntu is the amount of information that they provide to the users. Windows thinks that its users are dumb and does not want them to know what is being installed when running an .exe file. In Linux you get that information. For some users it is too much detail, but others (most) really appreciate that.

Hope it makes sense.


On Ubuntu, most software does come in a single file. It is a *.deb Debian package file which is downloaded, unpacked and installed from your package manager.

Why doesn't Ubuntu install software from self-extracting executables like most Windows software does?

Because self-extracting *.exe files are a very dangerous proposition to accept.

The most critical differences between self-extracting executables and a packaging system, like the Debian/Ubuntu one, are:

  • Security
  • Transparency
  • More granular control

In more detail:

Security

In the Windows world you have to trust that single *.exe file. How can one really be sure it can be trusted? How can you even know that it installs something? How can you be sure it doesn't do other things behind your back?

In Ubuntu, all packages are digitally signed, so by using a separate package file - the package manager (be it muon, synaptic, aptitude, or even straight apt) - you get the content verified before it is even unpacked, let alone installed. This assumes, of course, that you trust the repositories. I'd rather trust the Ubuntu repositories (a single authority) than hundreds of often unfamiliar different sources to download from.

Granular Control

With a *.exe file, you can essentially do one thing: execute it. In Ubuntu you can inspect the contents of the package, descriptions, configs, individual files, latest changes, bug fixes, etc. from the convenience of your package manager, before deciding whether to install or not.

When you install from an *.exe file, you also have to trust its 'uninstall' hook (and not all *.exe files are guaranteed to have one). In Ubuntu, all files belonging to standard packages installed by the package manager can always be uninstalled, because that's a function of the package manager, not the package itself. The package manager is a separate and trusted application, which provides both the installer and uninstaller; the package cannot take away the uninstall hook from you. Of course, a malicious package can sneak stuff via post-install actions, but that's why we have the official repository system and the same people we trust to maintain them.

Transparency

It goes further. On Ubuntu I can really trust my system, because I can verify the software on many levels. The ultimate level is being able to look at source code. Binary packages have corresponding source packages. I can actually look at the source (Example: 'apt-get source bash' will give you the full sources to the bash shell). In the world of *.exe files, usually there are only binaries, and who knows what they actually do behind the scenes?

That said, there are always exceptions to the rules, but for me security and trust mean I cannot accept executing binaries from hundreds of different sources that are hard to verify as a standard way to install components on my system.
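
The inspection step described in the last answer (looking inside a package, including its post-install hooks, before deciding to install) can be shown in a few lines. This is an added example, not part of the answers above and not dpkg's own code: it reads a .deb as the `ar` archive it is and lists the maintainer scripts and payload paths without extracting or running anything. The package built by `build_sample_deb` is a constructed sample named `demo`, and all function names are hypothetical.

```python
import io, tarfile

# Scripts in the control archive that the package manager runs as root.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(blob):
    """Split a .deb (an ar archive) into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, out = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]           # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode().strip())
        out[hdr[:16].decode().strip().rstrip("/")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)      # members are padded to even offsets
    return out

def inspect_deb(blob):
    """List maintainer scripts and payload paths; nothing is extracted or run."""
    members = ar_members(blob)
    def names(prefix):
        raw = next(v for k, v in members.items() if k.startswith(prefix))
        with tarfile.open(fileobj=io.BytesIO(raw)) as tf:   # gz/bz2/xz auto-detected
            return sorted(m.name.removeprefix("./") for m in tf if m.isfile())
    scripts = [n for n in names("control.tar") if n in MAINTAINER_SCRIPTS]
    return {"scripts": scripts, "files": names("data.tar")}

# --- constructed sample package (not a real .deb from any repository) ---
def _tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_deb():
    parts = [("debian-binary", b"2.0\n"),
             ("control.tar.gz", _tar({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\n"})),
             ("data.tar.gz", _tar({"usr/bin/demo": b"demo"}))]
    out = b"!<arch>\n"
    for name, data in parts:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + b"\n" * (len(data) % 2)
    return out
```

`inspect_deb(build_sample_deb())` reports `postinst` as the only maintainer script and `usr/bin/demo` as the only installed file. On a real system, `dpkg-deb --info` and `dpkg-deb --contents` give the same view of a downloaded package.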