Actually it depends on the package type. Chocolatey doesn't require an admin shell nor does it require PowerShell for packages that have the runtime executables embedded in the package. Those are known as portable packages.
The problem with a blanket statement for admin shell is that for almost everything you want to do with Windows, it requires administrative permissions to actually install things. So it's more that Windows requires admin permissions to run native installers like MSIs, InstallShield, InnoSetup, etc.
PowerShell is also been moved down to just an automated script install provider in choco. It will become optional once ScriptCS and others are supported as alternative automated script providers.
Only a download script for GUI apps? That's interesting and very likely misinformed. Since Chocolatey builds on top of NuGet.Core, it's got all of the same benefits to dependency resolution you get with NuGet. Plus it builds on top of that with quite a few things. You can call it a fancy download script if you want, but I think you are missing all of the things it does since it was rewritten last year - in addition to a download script, here are things it does currently - https://github.com/chocolatey/choco/wiki/GettingStarted#how-...
It looks like all of my comments on your post were private notes. Edit: I readded the ones I could make public.
You wrote that the Chocolatey Gallery had no formal review process, and in the same month (October 2014), a formal review process was introduced. The community feed on the Chocolatey Gallery has had moderation of packages since October 2014. I shared that information with you at the time we changed the security model in 2014, so I'm slightly disappointed that you failed to acknowledge that aspect has been fixed.
"Chocolatey is based on v2 NuGet which is a) terrible and"
I laughed at that point because I completely agree that NuGet v2 isn't great at all. Also you forgot to mention that NuGet v3 is brand new and there isn't yet published documentation on how to get from one format to the next - https://github.com/NuGet/Home/issues/1870. Not sure how fast you expect Chocolatey to adopt NuGet v3, but it's a bit much to throw this argument in here as a reason NOT to use Chocolatey.
I don't think you can get from one format to the next, and I don't expect them to adopt it at all. Unless something has changed recently V3 doesn't support the content/ or tools/ folders in the package, nor does it support pre- or post- install scripts. There are whole classes of V2 package which can't be created in V3. I expect some of this to change, but since MS went ahead and shipped V3 with Visual Studio 2015 and started publishing packages in that format, they have to be a lot more deliberate about changing behavior.
I guess my point re: Chocolatey is that they depended on a bad upstream tool that has moved in a different direction from what Chocolatey probably needs. So Chocolatey is either stuck on an old codebase - MS says they are going to maintain v2, but who thinks that is going to last? - or they are forking and maintaining themselves, which also seems unlikely as they risk giving up compatibility with all the NuGet repo software they also kind of depend on.
It's likely building on top of NuGet was a mistake on my part, but it's all there was at the time and it was pretty easy to get started. We don't need the tools folder and we don't like the content folder.
Since Chocolatey does everything once the NuGet package is in place related to automation scripts, it doesn't really matter that v3 doesn't support the pre or post scripts. I started working with the NuGet team a couple of summers ago about making the format more flexible, this was just as v3 work was starting to get ramped up.
At some point Chocolatey will likely not have any dependencies on NuGet itself, but will be compatible with NuGet packaging formats. To move more towards a machine package manager there are more things you need in the specification (like what versions of Windows does a package support as metadata, dependencies per OS, optional dependencies, virtuals, etc). Things that NuGet proper may never need.
My point being, Chocolatey has done a lot of growing up over the last year with a complete rewrite in C#, and will continue to grow up into a full fledged package manager over the next couple of years. There are some fundamental things we are still working out, but there are some amazing things in the pipeline coming for Chocolatey.
I looked at chocolatey a few years back and decided I didn't like installing anonymously packaged software on my machine.
Recently my team started using it for cloud formation app deployment and I see it has reviewed and approved packages now.
I was also under the misaprehension that chocolatey packages contained binaries but they typically download from the software makers site at install time - so no binary interference to inject nasties by package authors.
Have to say I'm impressed with the updates to security and will look into using it privately as a result.
You are correct about the distribution licensing, however that really only applies to the packages on the community feed. When Chocolatey is used internally, I think you will see it is more about files on disk versus dealing with things changing and the non-deterministic nature of the internet.
