Many software have a single .pkg (installation package) inside .dmg (disk image), I want to know that why this practice is used.
What is the need to have a mountable disk image of a software (i.e a .dmg), even after binding everything in a .pkg.
Is .pkg vulnerable to something like zip slip does it needs extra security, what are the problems a software may face if it is distributed in .pkg format.
.pkg seems to be already compressed since the dmg doesn't reduce the file size much after that. Seems compression is not the main reason, let me know if I am wrong.
Someone mentioned ".pkg is not a file, but a folder. So maybe collecting it into a single file is essential for downloading." But I cannot right click and see the content as well as via cmd line it shows that it is not a directory. So why we cannot distribute software as a .pkg only why mounting is needed.
A pkg(installation package) is only required if your application is complex and needs to execute some scripts or have to install some additional resources in the file system. For most application it is easier for the user and recommend to offer a zip file for download. Zip archives will be automatically uncompressed from Safari after the download and the application is ready to be used.
There are pkg viewer and instructions on how you can inspect the content of an installation package (https://www.macobserver.com/tmo/article/how-to-inspect-an-os-x-package-file-pkg-without-installing).