About Chocolatey

What is Chocolatey?

Chocolatey is a package manager for Windows (like apt-get or yum but for Windows). It was designed to be a decentralized framework for quickly installing applications and tools that you need. It is built on the NuGet infrastructure currently using PowerShell as its focus for delivering packages from the distros to your door, err computer.

Chocolatey is a single, unified interface designed to easily work with all aspects of managing Windows software using a packaging framework that understands both versioning and dependency requirements. Chocolatey packages encapsulate everything required to manage a particular piece of software into one deployment artifact by wrapping installers, executables, zips, and scripts into a compiled package file. Chocolatey packages can be used independently, but also integrate with configuration managers like SCCM, Puppet, and Chef. Chocolatey is trusted by businesses all over the world to manage their software deployments on Windows. You’ve never had so much fun managing software!

Chocolatey is brought to you by the work and inspiration of the community, the work and thankless nights of the Chocolatey Team, and Rob heading up the direction.

You can host your own sources and add them to Chocolatey, you can extend Chocolatey's capabilities, and folks, it's only going to get better.

Organizations that need better integration with Windows, more features and a smoother experience, not to mention a supported solution, turn to Chocolatey for Business.

With all of this in mind, think of Chocolatey as a framework that you can build on top of. Chef, Puppet, Boxstarter, PowerShell DSC, Ansible, Saltstack, etc all have ways for using Chocolatey to ensure the state of a computer and packages installed. Even Microsoft has decided to use Chocolatey's framework with the PowerShell PackageManagement / OneGet package manager aggregator! See Jeffrey Snover's post for more information.

About Chocolatey.org

Chocolatey.org is a feed of packages provided and maintained by the community. If you are a business looking at using Chocolatey, it is strongly recommended that you do not use the community feed. See the question below on trusting the community feed.

Chocolatey.org is currently a fork of the NuGet gallery. Over time Chocolatey.org is planned to be rewritten as a totally custom website. The Chocolatey team has over 20 years of experience in writing fast, efficient and secure websites.

Package moderation was implemented in October 2014. Every version of a package that comes through goes through at least two forms of automated review. If the package is not a trusted package, then a human must check over what is not easy for a computer to find to ensure that the packages are not doing anything malicious, but installing the software they state they are installing. Moderation does not check that the software that the package installs is free of malware. We do automatically scan every package and the resources it downloads with VirusTotal and display those results right on the package pages. However that verification is only at the time of check and internet resources can change. If you need better peace of mind, we offer runtime malware protection in Chocolatey Pro and Chocolatey for Business.

Future security enhancements like package signing are planned to increase the security of the community feed. Bear with us, this is going to take time to get into place. The plan is that a moderator would review and sign off on a package with a cryptographic key. Users of Chocolatey would only need to trust moderators. As moderators are shifted, updates of Chocolatey will reflect this. There will also be an out of band way for users to trust a new maintainer.
For other security enhancements, please see Security and the community feed.

The repository for issues/enhancements/requests for Chocolatey.org at GitHub Chocolatey.org

About the Official Chocolatey Client

The official Chocolatey client is the one you get from chocolatey.org on the package page. This is the only official client. Chocolatey GUI is a recognized client that is an extension of the official client. It is recommended you use the official client as it has the latest security fixes, the latest features, and is supported by the Chocolatey team.

The repository for issues/enhancements/requests for Chocolatey at GitHub Chocolatey
Note that broken packages should be reported back to package maintainers, not to the client repository or on the mailing list. For more information, see the triage process.

Frequently Asked Questions

What is the difference between Chocolatey and NuGet? NuGet is for development libraries, Chocolatey is a binary machine package manager. Typically you can think of it like this: "You use NuGet to get 3rd party libraries that you use to build the tools and applications that you host on Chocolatey."

How do I contact the Chocolatey group? The best way to do this is to use the official mailing list (see the mailing list link below).

Why can't I see my post on the mailing list? First time posters are moderated to cut down on spammers. Be patient and we will approve your message.

Why is my software listed here? I haven't given anyone distribution permission! Many times the way Chocolatey works is to use PowerShell to download the package from the official distribution point, this way no distribution rights are violated. This is not always the case so feel free to reach out to the site administrators or contact us if you do have questions. Also see Software vendor for more details.

I am the owner of software listed here and would like to maintain the package. That's awesome to hear! The way this works out is to use the contact site admins link on the package page and we will handle reaching out to the current maintainers for you. Also see Software vendor for more details.

How do I know if I can trust the community feed (the packages on this site?) Even with moderation in place, the answer is that you can't fully trust the packages here. They are created by community members and although moderated to determine that they are installing the software the package is based on and that the package itself doesn't do anything malicious, it makes no guarantees about the underlying software that is installed. In some cases package maintainers do not implement checksums on the downloads, so there is also not a guarantee that what the original maintainers/moderators expected for you to get is what you get. We will make checksums a requirement in the future to combat this, but for now you should be somewhat careful about placing full trust in something you cannot control.

If you require trust (e.g. most organizations require this), you should have an internal feed with vetted packages using internal resources. You should always decide whether you trust the maintainer(s) of the package, and even then you may want to inspect the package prior to installing. You can inspect packages easily by clicking download on the package page (and then treating the nupkg file as a zip archive).

I'm an organization wanting to use Chocolatey. Awesome! Many organizations use Chocolatey, but the caveat is that they don't use the packages you will find on this site because they have a low tolerance for breakages, and require a higher trust and control over packages.

Quite a few community folks use the packages on this site, which is a feed of packages provided and maintained by the community (it is also known as the community feed). Packages on the community feed usually download software from official distribution points. When software owners move download locations or other breakages occur because of the internet, the package is broken until the new location is specified in an updated version of the package.

For folks in the community that are not using Chocolatey for production purposes, it is fine to use the community feed. For organizations that have a low tolerance for breakages and require a higher level of security, control, and trust, a self-hosted Chocolatey server is the recommended option. This guarantees that your installs, upgrades, and uninstalls will always work every time. This gives you complete control over what software gets installed. Also because you are vetting newer versions, you control when those newer versions are available for upgrade.

See Hosting your own internal server (it has non-Windows options as well).

Is there a package that is broken, needs updating or something else? Please read over the Package Triage Process for details.

Who owns Chocolatey? The copyright for Chocolatey belongs to RealDimensions Software, LLC. RealDimensions Software, LLC is a company that Rob formed to support the development of FOSS software and libraries that further the ecosystem.

Do you have Business or Pro editions of Chocolatey? Yes! See Pricing for details!

I need a support contract. We can work with you on that. Please see Pricing and contact us for details!

Are there other FAQs? There is a link to the FAQs at the top!