Concept

Package Management

Definition

A package manager is a tool that installs, removes, upgrades, and tracks software packages on a system, including resolving the network of dependencies between them. A package is a structured archive — code, metadata, install scripts, version, and a list of other packages it requires — that the manager can install reliably without the user having to know how the pieces fit together.

Linux distributions are largely defined by their package manager and repository. Debian and Ubuntu use apt / dpkg with .deb packages; Fedora and RHEL use dnf / rpm; Arch uses pacman; Alpine uses apk. Language ecosystems have their own — npm and pnpm for JavaScript, pip for Python, cargo for Rust — and the same conceptual machinery applies at the language level as at the OS level.

Why it matters

How it works

A package manager has three core jobs: dependency resolution, installation, and inventory. Resolution is the hard one. Given a request like "install postgresql," the manager has to compute the full transitive closure of dependencies — every other package needed by postgresql, every package needed by those, and so on — then determine whether all the required versions can coexist with packages already on the system. This is a constraint-satisfaction problem; solvers like libsolv and Aptitude's resolver are full SAT solvers under the hood. Installation then downloads each package from a repository, verifies its cryptographic signature, runs pre-install scripts, unpacks files into the filesystem, and runs post-install scripts (creating users, registering services, updating caches). Inventory tracks which packages are installed, which versions, and which files belong to which package — so removal and upgrade can undo or replace those files cleanly.

Repository structure makes the whole system trustworthy. A repository is a server (or mirror network) that hosts the packages plus a signed index. The package manager downloads the index, verifies its signature against a public key shipped with the distribution, and only then trusts the metadata enough to act on it. This chain of trust is why you can apt install untrusted-looking software with reasonable confidence — the signature, not the package name, is what your system actually believes.
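The verify-then-trust order described above, as an added example (not code from any package manager): the client authenticates the index first, then checks each download against the digest and size the index records. HMAC-SHA256 stands in for the signature so the example runs on the standard library alone; real repositories use a public-key signature, so the client holds only a verification key. The key, package names, and bytes are constructed sample values.

```python
import hashlib, hmac, json

# Constructed stand-in for the key shipped with the distribution (assumption).
TRUSTED_KEY = b"constructed-demo-key"

class VerificationError(Exception):
    pass

def sign_index(index_bytes, key):
    """Repository side. HMAC-SHA256 stands in for a public-key signature."""
    return hmac.new(key, index_bytes, hashlib.sha256).hexdigest()

def build_repo(packages, key):
    """Build (index_bytes, signature) from a dict of name -> package bytes."""
    entries = {name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
               for name, data in packages.items()}
    index_bytes = json.dumps(entries, sort_keys=True).encode()
    return index_bytes, sign_index(index_bytes, key)

def load_index(index_bytes, signature, key):
    """Client step 1: authenticate the raw index bytes before parsing them."""
    if not hmac.compare_digest(sign_index(index_bytes, key), signature):
        raise VerificationError("index signature mismatch")
    return json.loads(index_bytes)

def verify_package(index, name, data):
    """Client step 2: check a download against the authenticated index."""
    entry = index.get(name)
    if entry is None:
        raise VerificationError(f"{name} not listed in index")
    if len(data) != entry["size"]:
        raise VerificationError(f"{name}: size mismatch")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise VerificationError(f"{name}: digest mismatch")

def install_check(index_bytes, signature, name, data, key=TRUSTED_KEY):
    """Return 'ok', or the reason the download must be rejected (fail closed)."""
    try:
        verify_package(load_index(index_bytes, signature, key), name, data)
        return "ok"
    except VerificationError as exc:
        return str(exc)

if __name__ == "__main__":
    idx, sig = build_repo({"postgresql": b"pg-bytes"}, TRUSTED_KEY)
    print(install_check(idx, sig, "postgresql", b"pg-bytes"))   # untouched download
    print(install_check(idx, sig, "postgresql", b"pg-bytez"))   # altered in transit
```

A mirror that rewrites the index to match a substituted package is caught at step 1, because the signature covers the index bytes that carry the digests.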

Where it goes next
