PackageKit’s Long-Awaited CLI Refresh: pkgcli Arrives as pkcon’s Successor

Matthias Klumpp has spent years shaping the infrastructure that powers software installation across Linux distributions. Last year, as a fellow with the Sovereign Tech Agency, he turned his attention to a long-neglected corner of that world. The result is pkgcli. Released alongside recent PackageKit updates, this new command-line tool aims to replace two decades of accumulated quirks in pkcon.

PackageKit has served as the D-Bus abstraction layer connecting graphical tools like GNOME Software to backend package managers such as APT, DNF and Zypper. Its original CLI, pkcon, mirrored the daemon’s internal API too closely. Commands like get-details and get-updates felt more like debug hooks than user-facing utilities. Output stayed plain. Scripting options remained absent. And development on it halted nearly ten years ago.

“For almost two decades, the PackageKit package management abstraction layer has shipped with pkcon as its command-line client,” Klumpp wrote in his announcement. “pkcon does its job, but it was always kind of a ‘testing’ front-end for the PackageKit daemon rather than a tool designed for everyday use.”

That observation, shared on his Ximions Blog, captures the motivation. With major changes coming to PackageKit itself, the need for a better testing and interaction layer grew urgent. Klumpp built pkgcli from scratch. The tool ships by default with PackageKit 1.3.4 and later. Users on up-to-date distributions may already find it in their PATH.

Command names now read like natural descriptions of the task. Instead of get-details, administrators type show. Search replaces get-updates in spirit while list-updates reports available packages. What-provides surfaces the package offering a specific capability. These shifts feel small until repeated dozens of times daily.

Output received equal care. Colors appear by default yet respect the NO_COLOR standard. Text alignment works across languages. Terminal chaos on East Asian locales disappears. Package details display in a more readable format. Sensible defaults govern behavior: metadata refreshes more often, unused dependencies clean up automatically.

Scripting users gain the most. The –json flag switches output to JSON Lines format. Each line stands alone as a complete object. Pipe the results straight into jq. Administrators can now query updates, parse dependencies or monitor transactions without fragile text scraping. One example from Klumpp’s post shows pkgcli –json list-updates | jq -r ‘.name’ extracting package names cleanly.

Practical commands demonstrate the difference. pkgcli search editor lists packages matching a term in name or description. pkgcli search name python3 narrows to names only. Refreshing cache and listing updates flows as pkgcli refresh && pkgcli list-updates. Relationship queries such as list-depends and list-requiring help trace package graphs. The what-provides subcommand resolves virtual capabilities like a specific GStreamer decoder.

But PackageKit’s story this year includes darker chapters. In April, researchers at Deutsche Telekom’s Security Red Team disclosed CVE-2026-41651, nicknamed Pack2TheRoot. The high-severity flaw exploited a TOCTOU race condition in the daemon. Local users could manipulate transaction flags after authorization checks, gaining root privileges to install or remove packages arbitrarily.

Affected versions ran from 1.0.2 through 1.3.4. The fix arrived in PackageKit 1.3.5. Distributions rushed backports. LinuxSecurity.com detailed how the bug undermined assumptions about the root boundary on Ubuntu, Fedora, Debian and other systems where PackageKit runs by default. The report highlighted the split trust model between polkit authorization and the transaction execution path.

Interestingly, the advisory and follow-up coverage recommend monitoring tools to detect suspicious activity. For older releases, pkmon served that role. Newer ones point to pkgcli monitor. The timing aligns. Klumpp’s work on pkgcli predates public disclosure of the vulnerability yet delivers a more reliable observer for the daemon’s actions. Penligent.ai published testing results across Ubuntu 24.04, Debian, Rocky Linux and Fedora, confirming the fix and stressing the value of transaction monitoring.

Phoronix covered the pkgcli launch hours after Klumpp’s blog appeared. Michael Larabel noted the tool’s origins in frustration with pkcon’s stagnation and highlighted its human-friendly design and JSON scripting capabilities. The Phoronix article from June 14, 2026, pointed readers back to the original post for examples and man page details.

pkgcli does not kill pkcon. Distributions can still compile the older binary for scripts that depend on its exact behavior. Yet the new tool’s arrival signals a broader shift. PackageKit faces renewed development. Its CLI now matches the quality expected from modern utilities. Administrators who once tolerated pkcon’s limitations gain readable output, consistent defaults and scriptable interfaces.

Feedback channels stand open. Klumpp welcomes bug reports and patches through the PackageKit GitHub repository. The man page for pkgcli already documents the full command set. Early reactions on his blog praised the JSONL approach and the clearer naming. One commenter, experienced in CLI design, said the structured output would influence their own future projects.

Challenges remain. Not every distribution has updated to PackageKit 1.3.5 or later. Legacy scripts may cling to pkcon. Backend stability across APT, DNF and others still depends on individual maintainers. Yet the foundation has improved. A tool built for testing has become one suited for daily operation.

And that matters. Linux package management spans servers, desktops and containers. When the layer abstracting those differences gains a friendlier face, the entire stack benefits. pkgcli won’t transform how enterprises deploy software overnight. It does, however, remove one source of daily friction for the people who keep those systems running.

Watch for adoption in the coming months. Fedora, Debian and Ubuntu testers already have access. As more distributions ship the updated PackageKit, pkgcli will move from novelty to default. The change has been two decades in preparation. Its timing, arriving amid heightened scrutiny of PackageKit’s security model, feels particularly apt.