Modern, high-performance package manager written in pure Rust for X
- Overview
- Key Features
- Installation
- Quick Install (Published Package)
- Build From Source
- Usage
- Pacman-Style Aliases
- Global Flags
- Configuration
- Signed Repository Bootstrap
- Key Bootstrap Checklist (xpm Native Repository)
- Signature Troubleshooting
- Repository Management
- Project Structure
- Technical Architecture
- Dependency Resolution
- Package Format
- Security
- Repository Hosting
- Roadmap
- License
- Command Cheatsheet
- X
xpm is a native Rust replacement for pacman and libalpm, designed for the X distribution. It uses the .xp package format (X Package) natively and maintains compatibility with Arch Linux .pkg.tar.zst packages.
- Pure Rust - zero C dependencies at any stage
- Native .xp format - X Package format (tar.zst) with
.PKGINFO/.BUILDINFO/.MTREEmetadata - SAT-based dependency resolver - powered by
resolvowith CDCL and watched-literal propagation - Arch compatible - reads
.pkg.tar.zstpackages andalpm-repo-dbdatabases - Flexible repository management - predefined and temporary repos with
xpm repo add/remove/list - OpenPGP verification - detached signatures with Web of Trust model
- TOML configuration - clean, human-readable config at
/etc/xpm.conf
Install the latest published xpm build directly from the official repository:
curl -fsSL https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash
If curl is not available:
wget -qO- https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash
Optional environment variables for the installer:
XPM_PKG_URL: override the package URL (for testing another build)INSTALL_PREFIX: change install prefix (default:/usr/local)
Example:
INSTALL_PREFIX=/usr XPM_PKG_URL="https://xscriptor.github.io/x-repo/x/x86_64/xpm-0.1.0-3-x86_64.xp" \
curl -fsSL https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash
git clone https://github.com/xscriptor/xpm.git
cd xpm
cargo build --release
sudo cp target/release/xpm /usr/local/bin/
# Sync package databases
xpm sync
# Install packages
xpm install <package> [<package>...]
# Remove packages
xpm remove <package>
# System upgrade
xpm upgrade
# Search packages
xpm search <query>
# Query installed packages
xpm query
# Package info
xpm info <package>
# List files owned by a package
xpm files <package>
# Manage repositories
xpm repo list
xpm repo add <name> <url>
xpm repo remove <name>
| Alias | Command |
|---|---|
xpm Sy |
xpm sync |
xpm S <pkg> |
xpm install <pkg> |
xpm R <pkg> |
xpm remove <pkg> |
xpm Su |
xpm upgrade |
xpm Q |
xpm query |
xpm Ss <query> |
xpm search <query> |
xpm Si <pkg> |
xpm info <pkg> |
xpm Ql <pkg> |
xpm files <pkg> |
| Flag | Description |
|---|---|
-c, --config <PATH> |
Custom configuration file |
-v, --verbose |
Increase verbosity (-v, -vv, -vvv) |
--no-confirm |
Skip confirmation prompts |
--root <PATH> |
Alternative installation root |
--dbpath <PATH> |
Alternative database directory |
--cachedir <PATH> |
Alternative cache directory |
--no-color |
Disable colored output |
Configuration file: /etc/xpm.conf (TOML format).
See etc/xpm.conf.example for all available options.
[options]
root_dir = "/"
db_path = "/var/lib/xpm/"
cache_dir = "/var/cache/xpm/pkg/"
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "optional"
parallel_downloads = 5
[[repo]]
name = "x"
server = [
"https://xscriptor.github.io/x-repo/x/$arch",
]
Optional additional repositories can be appended as extra [[repo]] blocks.
To enforce signature verification from the official repository, install the published trusted keyring and switch the repository to required mode:
# System-wide keyring directory used by xpm (must match gpg_dir in config)
sudo install -d -m 755 /etc/xpm/gnupg
# Download repository public keyring
sudo curl -fsSL \
https://xscriptor.github.io/x-repo/x/x86_64/trustedkeys.gpg \
-o /etc/xpm/gnupg/trustedkeys.gpg
# Optional: keep the ASCII-armored public key for auditing
sudo curl -fsSL \
https://xscriptor.github.io/x-repo/x/x86_64/signing.pub \
-o /etc/xpm/gnupg/signing.pub
Then set:
[options]
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "required"
You can also override per repository:
[[repo]]
name = "x"
server = ["https://xscriptor.github.io/x-repo/x/$arch"]
sig_level = "required"
Use this checklist to avoid signature-related install failures when consuming the X native .xp repository:
# 1) Ensure keyring directory exists
sudo install -d -m 755 /etc/xpm/gnupg
# 2) Import published keyring + public key
sudo curl -fsSL https://xscriptor.github.io/x-repo/x/x86_64/trustedkeys.gpg \
-o /etc/xpm/gnupg/trustedkeys.gpg
sudo curl -fsSL https://xscriptor.github.io/x-repo/x/x86_64/signing.pub \
-o /etc/xpm/gnupg/signing.pub
# 3) Confirm /etc/xpm.conf points to x endpoint and required signatures
sudo tee /etc/xpm.conf >/dev/null <<'EOF'
[options]
root_dir = "/"
db_path = "/var/lib/xpm/"
cache_dir = "/var/cache/xpm/pkg/"
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "required"
parallel_downloads = 5
[[repo]]
name = "x"
server = ["https://xscriptor.github.io/x-repo/x/$arch"]
sig_level = "required"
EOF
# 4) Sync and install from signed .xp repository
sudo xpm sync
sudo xpm install xpkg
signature required but could not be downloaded:- Check that
.sigexists for package/database inx/x86_64endpoint.
- Check that
failed to load keyringorno certificates found in keyring:- Confirm
gpg_dirandtrustedkeys.gpgpath in/etc/xpm.conf.
- Confirm
signature is valid but key is unknown:- Refresh
/etc/xpm/gnupg/trustedkeys.gpgfrom published endpoint and re-sync.
- Refresh
- Package not found:
- Confirm xpm repository URL is
https://xscriptor.github.io/x-repo/x/$archand not the pacman endpoint under/repo/x86_64.
- Confirm xpm repository URL is
Predefined repositories are configured in /etc/xpm.conf. Temporary repositories can be added at runtime with xpm repo add and are stored in /etc/xpm.d/.
xpm/
├── Cargo.toml # Workspace root
├── crates/
│ ├── xpm/ # Binary crate (CLI frontend)
│ │ └── src/
│ │ ├── main.rs # Entry point, logging, config, dispatch
│ │ └── cli.rs # clap CLI definition
│ └── xpm-core/ # Library crate (core logic)
│ └── src/
│ ├── lib.rs # Module root
│ ├── config.rs # TOML configuration parser
│ ├── error.rs # Error types
│ └── repo.rs # Repository manager
├── etc/
│ └── xpm.conf.example # Example configuration
└── ROADMAP.md # Development roadmap
xpm uses a logic-based SAT solver (resolvo) that transforms package relationships into CNF boolean clauses:
| Requirement | CNF Clause | Meaning |
|---|---|---|
| Dependency | !foo OR bar |
If foo is installed, bar must be too |
| Root requirement | foo |
Target package is mandatory |
| Conflict | !bar_v1 OR !bar_v2 |
Mutually exclusive versions |
The solver implements Unit Propagation with watched literals and Conflict-Driven Clause Learning (CDCL) for efficient backtracking.
Packages use the ALPM .pkg.tar.zst format with Zstandard compression:
.PKGINFO- package name, version, dependencies.BUILDINFO- reproducible build environment.MTREE- file integrity hashes.INSTALL- optional pre/post install scripts
- OpenPGP detached signatures (
.sig) for packages and databases - Web of Trust model for key validation
- Fakeroot build environment for safe package creation
- Package linting framework for quality assurance
The default package repository is hosted on GitHub Pages at xscriptor.github.io/x-repo. This will migrate to the xscriptor organization for consistency as the project grows. xpm supports any HTTP-based static file server, making future migration to a VPS transparent.
See ROADMAP.md for the full development roadmap.
| Version | Milestone |
|---|---|
v0.1.0 |
Functional CLI with configuration |
v0.5.0 |
Native engine (resolver + packages + repo db) |
v0.8.0 |
Security and transaction management |
v1.0.0 |
Benchmarked, tested, production-ready |
GPL-3.0-or-later. See LICENSE.
# Sync repositories
xpm sync
# Install package(s)
xpm install <pkg>
xpm install <pkg1> <pkg2>
# Install without prompt
xpm install --no-confirm <pkg>
# Remove package(s)
xpm remove <pkg>
# Upgrade all installed packages
xpm upgrade
# Search package
xpm search <query>
# Package info
xpm info <pkg>
# List files owned by a package
xpm files <pkg>
# Query local packages
xpm query
# Show configured repos
xpm repo list
