This reduces the attack surface on a local installation of Chocolatey and limits who can make changes to the directory.
You can install Chocolatey to Program Files if you feel that is a more appropriate place. Because Chocolatey has files that change with package installations and it doesn't actually install to Programs and Features (what we consider synonymous with Program Files), we didn't feel this was the appropriate location. Plus with logging currently all in the same location, it would mean you would need to run choco
with administrative permissions every time, even if you are just doing things like searching for packages, finding out what is installed locally, etc.
You can definitely choose to install to Program Files, however bear in mind that the following considerations apply for you as well.
- Files in Program Files are not supposed to change. Data/user data (aka packages) would need to be somewhere else. Most folks put that common user data to ProgramData. Since the Chocolatey files are not much on top of that, everything is there.
- Program Files is usually, IMHO, reserved for things that are actually system-installed on the machine (like in Program and Features). And again, only what is installed by an installer should go there. All data/packages should go somewhere else, like ProgramData.
- .NET doesn't handle long paths well. In fact it doesn't handle them at all. We are not much worse off in Program Files, until you consider Program Files (x86).
- Choco is both x86/x64 - but the applications it installs could be either. Where do those go (this is assuming we shim in "C:\Program Files\Chocolatey\bin" and not to "C:\ProgramData\chocolatey\bin")? Technically x86 apps should never be in "C:\Program Files", they should be in "C:\Program Files (x86)".
Not saying it is an impossible scenario. It's just generally a difficult scenario to say that's what the default should be without creating confusion and incompatibilities.