Modern, high-performance package manager written in pure Rust for X

• Overview
• Key Features
• Installation
• Quick Install (Published Package)
• Build From Source
• Usage
• Pacman-Style Aliases
• Global Flags
• Configuration
• Signed Repository Bootstrap
• Key Bootstrap Checklist (xpm Native Repository)
• Signature Troubleshooting
• Repository Management
• Project Structure
• Technical Architecture
• Dependency Resolution
• Package Format
• Security
• Repository Hosting
• Relationship with xpkg
• Roadmap
• License
• Command Cheatsheet
• X

xpm is a native Rust replacement for pacman and libalpm, designed for the X distribution. It uses the .xp package format (X Package) natively and maintains compatibility with Arch Linux .pkg.tar.zst packages. Packages are built with xpkg, the companion builder tool.

• Pure Rust - zero C dependencies at any stage
• Native .xp format - X Package format (tar.zst) with .PKGINFO / .BUILDINFO / .MTREE metadata
• SAT-based dependency resolver - powered by resolvo with CDCL and watched-literal propagation
• Arch compatible - reads .pkg.tar.zst packages and alpm-repo-db databases
• Flexible repository management - predefined and temporary repos with xpm repo add/remove/list
• OpenPGP verification - detached signatures with Web of Trust model
• TOML configuration - clean, human-readable config at /etc/xpm.conf

Install the latest published xpm build directly from the official repository:

curl -fsSL https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash

If curl is not available:

wget -qO- https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash

Optional environment variables for the installer:

• XPM_PKG_URL: override the package URL (for testing another build)
• INSTALL_PREFIX: change install prefix (default: /usr/local)

Example:

INSTALL_PREFIX=/usr XPM_PKG_URL="https://xscriptor.github.io/x-repo/x/x86_64/xpm-0.1.0-3-x86_64.xp" \
curl -fsSL https://raw.githubusercontent.com/xscriptor/xpm/main/install.sh | bash

git clone https://github.com/xscriptor/xpm.git
cd xpm
cargo build --release
sudo cp target/release/xpm /usr/local/bin/

# Sync package databases
xpm sync

# Install packages
xpm install <package> [<package>...]

# Remove packages
xpm remove <package>

# System upgrade
xpm upgrade

# Search packages
xpm search <query>

# Query installed packages
xpm query

# Package info
xpm info <package>

# List files owned by a package
xpm files <package>

# Manage repositories
xpm repo list
xpm repo add <name> <url>
xpm repo remove <name>

Configuration file: /etc/xpm.conf (TOML format).

See etc/xpm.conf.example for all available options.

[options]
root_dir = "/"
db_path = "/var/lib/xpm/"
cache_dir = "/var/cache/xpm/pkg/"
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "optional"
parallel_downloads = 5

[[repo]]
name = "x"
server = [
        "https://xscriptor.github.io/x-repo/x/$arch",
]

Optional additional repositories can be appended as extra [[repo]] blocks.

To enforce signature verification from the official repository, install the published trusted keyring and switch the repository to required mode:

# System-wide keyring directory used by xpm (must match gpg_dir in config)
sudo install -d -m 755 /etc/xpm/gnupg

# Download repository public keyring
sudo curl -fsSL \
        https://xscriptor.github.io/x-repo/x/x86_64/trustedkeys.gpg \
        -o /etc/xpm/gnupg/trustedkeys.gpg

# Optional: keep the ASCII-armored public key for auditing
sudo curl -fsSL \
        https://xscriptor.github.io/x-repo/x/x86_64/signing.pub \
        -o /etc/xpm/gnupg/signing.pub

Then set:

[options]
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "required"

You can also override per repository:

[[repo]]
name = "x"
server = ["https://xscriptor.github.io/x-repo/x/$arch"]
sig_level = "required"

Use this checklist to avoid signature-related install failures when consuming the X native .xp repository:

# 1) Ensure keyring directory exists
sudo install -d -m 755 /etc/xpm/gnupg

# 2) Import published keyring + public key
sudo curl -fsSL https://xscriptor.github.io/x-repo/x/x86_64/trustedkeys.gpg \
        -o /etc/xpm/gnupg/trustedkeys.gpg
sudo curl -fsSL https://xscriptor.github.io/x-repo/x/x86_64/signing.pub \
        -o /etc/xpm/gnupg/signing.pub

# 3) Confirm /etc/xpm.conf points to x endpoint and required signatures
sudo tee /etc/xpm.conf >/dev/null <<'EOF'
[options]
root_dir = "/"
db_path = "/var/lib/xpm/"
cache_dir = "/var/cache/xpm/pkg/"
gpg_dir = "/etc/xpm/gnupg/"
sig_level = "required"
parallel_downloads = 5

[[repo]]
name = "x"
server = ["https://xscriptor.github.io/x-repo/x/$arch"]
sig_level = "required"
EOF

# 4) Sync and install from signed .xp repository
sudo xpm sync
sudo xpm install xpkg

• signature required but could not be downloaded:
  • Check that .sig exists for package/database in x/x86_64 endpoint.
• failed to load keyring or no certificates found in keyring:
  • Confirm gpg_dir and trustedkeys.gpg path in /etc/xpm.conf.
• signature is valid but key is unknown:
  • Refresh /etc/xpm/gnupg/trustedkeys.gpg from published endpoint and re-sync.
• Package not found:
  • Confirm xpm repository URL is https://xscriptor.github.io/x-repo/x/$arch and not the pacman endpoint under /repo/x86_64.

Predefined repositories are configured in /etc/xpm.conf. Temporary repositories can be added at runtime with xpm repo add and are stored in /etc/xpm.d/.

xpm/
├── Cargo.toml                  # Workspace root
├── crates/
│   ├── xpm/                    # Binary crate (CLI frontend)
│   │   └── src/
│   │       ├── main.rs         # Entry point, logging, config, dispatch
│   │       └── cli.rs          # clap CLI definition
│   └── xpm-core/               # Library crate (core logic)
│       └── src/
│           ├── lib.rs           # Module root
│           ├── config.rs        # TOML configuration parser
│           ├── error.rs         # Error types
│           └── repo.rs          # Repository manager
├── etc/
│   └── xpm.conf.example        # Example configuration
└── ROADMAP.md                   # Development roadmap

xpm uses a logic-based SAT solver (resolvo) that transforms package relationships into CNF boolean clauses:

The solver implements Unit Propagation with watched literals and Conflict-Driven Clause Learning (CDCL) for efficient backtracking.

Packages use the ALPM .pkg.tar.zst format with Zstandard compression:

• .PKGINFO - package name, version, dependencies
• .BUILDINFO - reproducible build environment
• .MTREE - file integrity hashes
• .INSTALL - optional pre/post install, upgrade, and remove scripts (executed by xpm during transactions)

• OpenPGP detached signatures (.sig) for packages and databases
• Web of Trust model for key validation
• Fakeroot build environment for safe package creation
• Package linting framework for quality assurance

The default package repository is hosted on GitHub Pages at xscriptor.github.io/x-repo. This will migrate to the xscriptor organization for consistency as the project grows. xpm supports any HTTP-based static file server, making future migration to a VPS transparent.

xpm and xpkg are complementary tools in the X ecosystem. They share the same package format and metadata structures but are independent binaries.

xpkg produces .xp packages that xpm installs. During installation, xpm executes any .INSTALL scriptlets generated by xpkg (post_install, pre_upgrade, etc.) and verifies signatures created during the build process.

See the Integration Guide for detailed information about how the tools work together.

See ROADMAP.md for the full development roadmap.

GPL-3.0-or-later. See LICENSE.

# Sync repositories
xpm sync

# Install package(s)
xpm install <pkg>
xpm install <pkg1> <pkg2>

# Install without prompt
xpm install --no-confirm <pkg>

# Remove package(s)
xpm remove <pkg>

# Upgrade all installed packages
xpm upgrade

# Search package
xpm search <query>

# Package info
xpm info <pkg>

# List files owned by a package
xpm files <pkg>

# Query local packages
xpm query

# Show configured repos
xpm repo list