My Experience with Package & Dependency Managers

Have you seen people use apt-get to install packages on Linux distributions or how people just type in stuff to their terminal and basically get everything done? Ok we gonna learn how to do that and I will share my opinion/experience with each…

Source : https://devrant.com/rants/791178/rant

If you have worked with a Unix based distributions or would to love to learn how to as a developer, you are at the correct place.

What is a package?

Packages were invented to combat this complexity. Packages collect multiple data files together into a single archive file for easier portability and storage, or simply compress files to reduce storage space. The binaries included in a package are precompiled with according to the sane defaults the developer has chosen. Packages also contain metadata, such as the software’s name, a description of its purpose, a version number, and a list of dependencies necessary for the software to run properly.

What is a dependency?

A program may require one or more other programs to run (the “dependencies”). The dependencies can be recursive with potentially very deep relationships. Sometimes the dependency is only for testing or “building/compiling” the program - i.e. development or “dev” dependency. Sometimes it is needed to run the program; other times it can be optional to provide extra features.

Homebrew

I became a Mac OS user in the year 2017. To state the obvious Mac OS is a Unix based operating system, therefore, some of the core features that you find on Linux distributions you can find them here too. To understand the difference between Mac OS & Linux followthis link. Gradually working multiple programming languages I found myself taking time to install packages, therefore started shell scripting found that there was an easy method to install & configure these packages which was Homebrew. This basically made my life easier, everything & anything I wanted was on brew. I could safely setup environments to test different versions of SDKs for my projects.

To install this, Copy & Past the below on your Terminal:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

As for the security implication YES there are some alerting vulnerabilities. I suggest you install brew in a location other than your /usr/local/bin but within your home folder.

CocoaPods

CocoaPods is a dependency manager for Swift and Objective-C Cocoa projects. It has over 58 thousand libraries and is used in over 3 million apps.

Basically, I was just getting started with Swift and ran into a few problems like implementing OAuth, Live Streaming from a device and etc. Like a typical developer, my first instinct was to sit down and code the entire package. Later when I ran into the same problem that many developers over the years had which was implementing the module itself I comment on the stack overflow and started using the official SDKs provided via CocoaPods and people this was much easier than writing your packages. Just make sure to check it before you jump into conclusions like me.

To install this, Copy & Paste the below on your Terminal:

$ sudo gem install cocoapods

Like all package managers out there CocoaPods too have some vulnerabilities. To safeguard app or users I would suggest something like a blacklist. Given the fact the app store may reject the application, it would be a good my suggestion would be this solution .

Chocolatey

The sane way to manage software on Windows.

Switching back and forth from Linux distributions, Mac OS to Microsoft Windows is like walking on water. It’s really difficult because most of the tools that you work on the terminal might not be available on Command Prompt or PowerShell, so the solution is Chocolatey. I have been using chocolatey for a few years now to my understanding it’s a great tool for people like myself switching when the deliverables require it.

To install this, Copy & Paste the below on your Command Prompt:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Chocolatey is vulnerable in its own ways most of the packages require elevated privileges, therefore, it really concerns me as to why? This may very well be your UAC settings.

Anaconda

You’re probably thinking about snakes.

The open-source Anaconda Distribution is the easiest way to perform Python/R data science and machine learning on Linux, Windows, and Mac OS.

Yes, it’s package manager for Python & R. It’s quite popular because of python. I use this package manager for mostly python related project, but I guess it works for the above languages too.

To install this, Copy & Paste the below on your Terminal/Command Prompt:

Terminal :

sudo apt-get update | brew update sudo apt-get install python3.6 | brew install python cd somewhere curl -O https://repo.anaconda.com/archive/Anaconda3-5.2.0-Linux-x86_64.sh bash Anaconda3-5.2.0-Linux-x86_64.sh ** Note: You might have to set the $PATH**

Windows :

choco install python --version 3.6.X choco install anaconda3 ** Note: You might have to set the $PATH. Replace X with the desired version.**

Composer

Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.

The sophomore year I had my final software project for that particular year. The deadline was in 2 1/2 weeks. I had to come with an idea, conduct a survey, implement an MVP and present to an academic panel. A mammoth task most would say it’s impossible. I had a conversation with a few friends and came with a localized solution to fit the Sri Lankan market. The baseline idea was related to eCommerce. Now I wrote one from scratch using the SLIM framework. When I was starting the project had no idea that PHP too had a dependency manager, after I started learning SLIM figured it out and got started and finally delivered on the solution deadline.

Composer was vulnerable. I remember someone reminding me that it had 0-day security vulnerability, but it’s fixed now. Just wondering if the tool is updated frequently. Anyways if you are working heavily on PHP, I recommend a dependency manager like composer

To install this, Copy & Paste the below on your Terminal/Command Prompt:

Terminal :

#!/bin/sh

EXPECTEDSIGNATURE=”$(wget -q -O - https://composer.github.io/installer.sig)” php -r “copy(’https://getcomposer.org/installer’, ‘composer-setup.php’);” ACTUALSIGNATURE=”$(php -r “echo hash_file(‘sha384’, ‘composer-setup.php’);”)”

if [ ”$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE” ] then >&2 echo ‘ERROR: Invalid installer signature’ rm composer-setup.php exit 1 fi

php composer-setup.php —quiet RESULT=$? rm composer-setup.php exit$RESULT Command Prompt:

choco install php choco install composer`

NPM

CLI for managing your node modules (Packages)

NPM is something I use on a day to day basis. Most JavaScript, Typescript and etc. projects require it. I used NPM extensively for node related projects but found out there was a much fast workaround for package management for node.

To install this, Copy & Paste the below on your Terminal/Command Prompt:

Terminal :

sudo apt-get nodejs | brew install node

Manually :

curl -L https://www.npmjs.com/install.sh | sh

Command Prompt:

choco install nodejs.install

Ruby Gems

RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries, a tool designed to easily manage the installation of gems, and a server for distributing them.

I haven’t got a lot of experience with this, but I started using ruby first when I initially put out my Jekyll site on GitHub back in 2016. Basically, the ruby version wouldn’t work on Windows it was a hassle but moving on a year later on to Mac OS, I needed gems to install most of my tools and has proven itself as viable package manager. For best secure practices follow https://guides.rubygems.org/security/.

To install this, Copy & Paste the below on your Terminal/Command Prompt:

Both Mac OS & Linux distributions have RubyGems preconfigured hence not required to reinstall it.

Command Prompt:

choco install ruby

Nuget

NuGet is the package manager for .NET.

If you’re a developer who is on .NET, you should probably know this package manager. For most .NET projects Visual Studio automatically installs the required packages while this process could be done manually with the NuGet package manager. From my personal experiences, the NuGet library has the most vulnerable packages to date.

To install this, Copy & Paste the below on your Terminal/Command Prompt:

Terminal :

sudo apt install nuget | brew install nuget

Windows:

Install Visual Studio

Yum

Yum is an automatic updater and package installer/remover for rpm systems. It automatically computes dependencies and figures out what things should occur to install packages.

If you’ve worked with Red Hat or any other RPM systems this would be the tool to manage packages. I remember the sweet memories when I worked with Red Hat for some enterprise-level projects which did not allow us to install packages. (Manual Firewalls) My team members & I had to look for alternative package managers to ensure the requirements by our dev teams were met. This package manager is available on most RPM systems, therefore wouldn’t require reinstallation.