2

Many software have a single .pkg (installation package) inside .dmg (disk image), I want to know that why this practice is used.

  1. What is the need to have a mountable disk image of a software (i.e a .dmg), even after binding everything in a .pkg.

  2. Is .pkg vulnerable to something like zip slip does it needs extra security, what are the problems a software may face if it is distributed in .pkg format.

  3. .pkg seems to be already compressed since the dmg doesn't reduce the file size much after that. Seems compression is not the main reason, let me know if I am wrong.

  4. Someone mentioned ".pkg is not a file, but a folder. So maybe collecting it into a single file is essential for downloading." But I cannot right click and see the content as well as via cmd line it shows that it is not a directory. So why we cannot distribute software as a .pkg only why mounting is needed.

Mick F
  • 7,312
  • 6
  • 51
  • 98
Ankita Shrivastava
  • 75
  • 8
  • Early versions of the installer package format were actually folders (and thus needed to be wrapped in something like a .dmg for transport), but starting in OS X v10.5 Apple added support for a ["flat" (single-file) package format](http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html), which is now pretty much all that gets used. I don't know for sure why they're still wrapped in disk images, but I suspect it's mostly inertia. – Gordon Davisson Jul 19 '18 at 05:24
  • Thanks @GordonDavisson, even I observed that .pkg are Flat files now. What do you mean by inertia can you elaborate. – Ankita Shrivastava Jul 19 '18 at 06:12
  • 1
    Basically, I mean that by the time flat packages came out, everyone was used to the ".pkg wrapped in a .dmg" format, and kept using it even though the original purpose was gone. See [the baked ham joke](https://daringnovelist.blogspot.com/2011/07/baked-ham-joke-and-problem-with-legacy.html) for another example of this. Mind you, I haven't added this as an answer because I'm not entirely sure it's correct -- there may be some still-relevant reason for wrapping flat packages that I'm just not aware of. – Gordon Davisson Jul 19 '18 at 06:20
  • @GordonDavisson. got it Thanks – Ankita Shrivastava Jul 19 '18 at 06:26

1 Answers1

1

A pkg(installation package) is only required if your application is complex and needs to execute some scripts or have to install some additional resources in the file system. For most application it is easier for the user and recommend to offer a zip file for download. Zip archives will be automatically uncompressed from Safari after the download and the application is ready to be used.

There are pkg viewer and instructions on how you can inspect the content of an installation package (https://www.macobserver.com/tmo/article/how-to-inspect-an-os-x-package-file-pkg-without-installing).

Marc T.
  • 5,090
  • 1
  • 23
  • 40
  • Thanks Marc, But "pkgutil --expand" doesn't work for me, although I am able to view content via using "xar -xvf", but my main concern is why people wrap .pkg in disk images there must be some reason to do that I want to know the reason. – Ankita Shrivastava Jul 19 '18 at 06:17
  • You can zip a .pkg package as well. I assume its more about traditional reasons. Years ago software was distributed on CD or DVD. A disk image (dmg) was required for distribution so why not to offer user downloading the software the same experience. Even for applications like Xcode this has changed over the years and any application available in the Mac App Store are distributed as a zip. There is no technical reason to do so. – Marc T. Jul 19 '18 at 06:38