Chocolatey from where does it find the package


From where does chocolatey find the packages to download? For example if I am installing VirtualBox then from where does it find the latest package to download and is there any chance that it might download an outdated version?

Gary Ewan Park On BEST ANSWER

Packages Are Found by Sources

Chocolatey uses the sources you have provided it to determine the location of the package. If you don't provide a source (or list of sources), it will use the default sources, which you can see by running choco source list. You can add to or remove sources (such as the community package repository aka https://chocolatey.org/api/v2).

Each source can have a priority, which defines the order that Chocolatey searches the sources to find a package. If a package is found on a higher priority source, that package version is used even if there is a newer version on another lower priority source.

Packages vs Software

A package in Chocolatey speak has a slightly different terminology than software.

  • Package == nupkg file
  • Software == runtime binaries, installers, zip, etc that the package represents

For more terminology, check out https://chocolatey.org/docs/getting-started#terminology

VirtualBox Example

Let's use the VirtualBox package as an example to get started with...

Most likely you will find you haven't configured any additional sources (based on your question), so that means you likely only have the default community package repository you are using for a package source.

Have a look here:

https://chocolatey.org/packages/virtualbox#files

This shows you the contents of the Chocolatey package for VirtualBox. If you have a read through the chocolateyInstall.ps1 file you will see exactly where the binaries for this package are being downloaded from:

url = 'http://download.virtualbox.org/virtualbox/5.1.12/VirtualBox-5.1.12-112440-Win.exe'
url64bit = 'http://download.virtualbox.org/virtualbox/5.1.12/VirtualBox-5.1.12-112440-Win.exe'
checksum = '0cbdc245122fab090625bb3ec49f21f68c9bbad7d69e05e4a42b1a6ad1968b54'
checksum64 = '0cbdc245122fab090625bb3ec49f21f68c9bbad7d69e05e4a42b1a6ad1968b54'

You can look in the files section of each Chocolatey package to find out where the installation files are coming from. Assuming that you haven't enabled the global acceptance of package installation through the Chocolatey features, you can actually view the installation scripts at the time of installation as well. i.e. when you do choco install virtualbox you will be prompted with 3 options, yes, no, and print. In this case, print will show you the installation script and you can see what is about to be downloaded/installed onto your machine.

The only time that the above will be different is if the package that you are installing is what we refer to as an embedded package (which is more typical for organization use since they are hosting internal packages and are not subject to distribution rights like the public community repository). In embedded cases, the installation binaries are already contained within the chocolatey package, so there is no requirement for additional files to be downloaded. When using an embedded package, I would encourage you to look through the VERIFICATION.txt which should be contained within a Chocolatey package on the community repository to review instructions on where the embedded binary comes from, and a mechanism to verify that the contents are what they should be.

Outdated Versions?

With respect to your other question:

is there any chance that it might download an outdated version?

In the case of VirtualBox, this is highly unlikely. If you click on the Package Source link from the package page on Chocolatey.org, you will see that you get taken to this location. This package is part of the Core Team Packages Repository. This repository is making use of the AU Chocolatey Automatic Package Updater Module. As a result, the packages within this repository are checked regularly (at present every 6 hours) for new software versions, and if there are any, they will automatically be pushed to Chocolatey.org. Packages within this repository are maintained by a team of volunteers (myself included) so there is a high chance that packages will be kept up to date that are in here.

However...

This is not the same for all packages that exist on Chocolatey.org's community package repository. The community repository is a community effort, and with almost 4500 packages, I am sure you can understand that some packages may not be as up to date as they could be. These should be evaluated on a case by case basis to ensure that they fit your requirements.

The final thing that I would say is that if up to date packages are your core concern, then you always have the option of NOT using the community repository. Since this is a community feed at the end of the day, it is NOT recommended for internal/production usage for organizations. Instead, you would want to look at pulling these packages internally within your own environment. This can be done either manually or by utilising the business options within Chocolatey.
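
The review of chocolateyInstall.ps1 described in the answer can be scripted. The following is an added example, not part of the original answer and not Chocolatey's own code: it extracts the download URLs and checksums from an install script, flags weak settings, and checks a downloaded file against the declared hash. The function names are hypothetical, the sample text is the four assignments quoted in the answer, and the checksum is assumed to be SHA-256 (64 hex characters, as in those values).

```powershell
# Added example; Get-ChocoDownloadInfo, Test-ChocoDownloadInfo and
# Test-DownloadedFile are hypothetical helper names, not Chocolatey cmdlets.
# Sample input: the assignments quoted in the answer above.
$sample = @'
url = 'http://download.virtualbox.org/virtualbox/5.1.12/VirtualBox-5.1.12-112440-Win.exe'
url64bit = 'http://download.virtualbox.org/virtualbox/5.1.12/VirtualBox-5.1.12-112440-Win.exe'
checksum = '0cbdc245122fab090625bb3ec49f21f68c9bbad7d69e05e4a42b1a6ad1968b54'
checksum64 = '0cbdc245122fab090625bb3ec49f21f68c9bbad7d69e05e4a42b1a6ad1968b54'
'@

function Get-ChocoDownloadInfo {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Collect  name = 'value'  assignments for the four keys of interest.
    $pattern = '(?im)^\s*(url|url64bit|checksum|checksum64)\s*=\s*[''"]([^''"]+)[''"]'
    $info = @{}
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $info[$m.Groups[1].Value.ToLowerInvariant()] = $m.Groups[2].Value
    }
    return $info
}

function Test-ChocoDownloadInfo {
    param([Parameter(Mandatory)][hashtable]$Info)
    $findings = @()
    foreach ($pair in @(@('url', 'checksum'), @('url64bit', 'checksum64'))) {
        $u, $c = $pair
        if (-not $Info.ContainsKey($u)) { continue }
        if ($Info[$u] -notmatch '^https://') {
            $findings += "$u is fetched without HTTPS; the checksum is the only integrity check"
        }
        if (-not $Info.ContainsKey($c)) {
            $findings += "$u has no matching $c"
        } elseif ($Info[$c] -notmatch '^[0-9a-fA-F]{64}$') {
            $findings += "$c is not 64 hex characters (SHA-256 length assumed)"
        }
    }
    return $findings
}

function Test-DownloadedFile {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedSha256)
    # -eq compares strings case-insensitively, so hex case does not matter.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $ExpectedSha256
}

$info = Get-ChocoDownloadInfo -ScriptText $sample
Test-ChocoDownloadInfo -Info $info   # lists one finding per non-HTTPS URL
# After fetching the installer yourself:
# Test-DownloadedFile -Path .\VirtualBox-5.1.12-112440-Win.exe -ExpectedSha256 $info['checksum']
```

To audit a real package, pass the script text with `Get-Content -Raw` on its chocolateyInstall.ps1 instead of `$sample`.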