Editing Package manager (section)

== Comparison with app stores ==

''[[App stores]]'' can also be considered application-level package managers (without the ability to install all levels of programs<ref>{{cite news |title=Brew is the macOS app store replacement you didn't know you needed |url=https://www.msn.com/en-us/news/technology/brew-is-the-macos-app-store-replacement-you-didn-t-know-you-needed/ar-BB1mK6Ys |access-date=25 May 2024 |work=www.msn.com}}</ref><ref name=comp>{{cite web |last1=King |first1=Bertel |title=Linux App Stores Compared: Which One Is Right for You? |url=https://www.makeuseof.com/tag/linux-app-stores-compared/ |website=MUO |access-date=25 May 2024 |language=en |date=17 March 2017}}</ref>). Unlike traditional package managers, app stores are designed to enable payment for the software itself (instead of for software development), and may only offer monolithic packages with no dependencies or dependency resolution.<ref>{{cite web |title=What is a package manager? |url=https://www.debian.org/doc/manuals/aptitude/pr01s02.en.html |website=www.debian.org}}</ref><ref name=comp/> They are usually extremely limited in their management functionality, due to a strong focus on simplification over power or [[emergent structures|emergence]], and common in commercial operating systems and locked-down “smart” devices.

Package managers also often have only human-reviewed code. Many app stores, such as Google Play and Apple's App Store, screen apps mostly using automated tools only; malware with [[defeat device]]s can pass these tests, by detecting when the software is being automatically tested and delaying malicious activity.<ref>{{cite news |last1=Barrett |first1=Brian |title=How 18 Malware Apps Snuck Into Apple's App Store |url=https://www.wired.com/story/apple-app-store-malware-click-fraud/ |work=Wired}}</ref><ref>{{cite web |last1=Whittaker |first1=Zack |title=Millions downloaded dozens of Android apps from Google Play that were infected with adware |url=https://techcrunch.com/2019/10/24/millions-dozens-android-apps-adware/ |website=TechCrunch |date=24 October 2019}}</ref><ref>{{cite news |last1=Newman |first1=Lily Hay |title=Never Ever (Ever) Download Android Apps Outside of Google Play |url=https://www.wired.com/2016/12/never-ever-ever-download-android-apps-outside-google-play/ |work=Wired}}</ref> There are, however, exceptions; the [[npm]] package database, for instance, relies entirely on [[post-publication review]] of its code,<ref name="OjamaaDuuna12">{{cite book|last1=Ojamaa|first1=Andres|last2=Duuna|first2=Karl|chapter=Assessing the Security of Node.js Platform|title=2012 International Conference for Internet Technology and Secured Transactions | publisher = IEEE |date=2012|chapter-url=https://ieeexplore.ieee.org/document/6470829|access-date=22 July 2016|isbn= 978-1-4673-5325-0 }}</ref><ref>{{cite web |title=npm Code of Conduct: acceptable package content |url=https://docs.npmjs.com/policies/conduct#acceptable-package-content |access-date=9 May 2017}}</ref> while the [[Debian]] package database has an extensive human review process before any package goes into the main stable database. The [[XZ Utils backdoor]] used years of trust-building to insert a backdoor, which was nonetheless caught while in the testing database.