A Year of Building a Memory-Safe Future for Arch Linux Package Management

Trends Reporter

The Arch Linux ecosystem is undergoing a quiet but fundamental transformation. With backing from the Sovereign Tech Fund, the ALPM project has spent 15 months building a comprehensive, Rust-based foundation for package management, challenging the reliance on traditional C libraries and stateful verification systems.

The Arch Linux package manager, pacman, is a cornerstone of the distribution. For years, its core logic has resided in libalpm, a C library that is fast and functional but carries the baggage of its era. A year ago, the ALPM project set out to reimagine this stack, not by replacing pacman overnight, but by building a parallel, memory-safe ecosystem from the ground up. Funded by the Sovereign Tech Fund for 15 months, the project has now concluded its initial push, leaving behind a formidable collection of Rust libraries, tools, and specifications.

This isn't just a rewrite for the sake of modernity. The effort is driven by a desire for stronger safety guarantees, better developer tooling, and a more flexible architecture for the future. The project's output is substantial, spanning from formal specifications of Arch's custom file formats to a new, stateless approach for verifying the integrity of distribution artifacts.

The Foundation: Specifications and Libraries

A core principle of the ALPM project is a "bottom-up, library first" approach. Before code could be written, the behavior of Arch's many custom file formats had to be formally documented. The project produced detailed specifications for formats like SRCINFO, PKGINFO, BUILDINFO, and the repository database structures. This work alone is a major contribution, providing a shared, unambiguous reference for anyone wanting to interact with Arch's packaging ecosystem.

With these specifications in hand, the team built a suite of Rust libraries. The alpm-types crate provides shared, low-level data types used across the stack. Parsers for the various text-based formats were built using the winnow parser combinator library, with shared logic housed in alpm-parsers. Other key libraries include:

  • alpm-solve: A new dependency resolver built on the generic resolvo library.
  • alpm-compress: Handles (de)compression for package and database files.
  • alpm-package: Allows for the creation and extraction of metadata from alpm-package(7) files.
  • alpm-db and alpm-repo-db: Handle the parsing and validation of local and remote database files.

This modular design allows developers to pick and choose the components they need, fostering the creation of new, specialized tools.

A New Approach to Verification: VOA

Perhaps the most ambitious part of the project is its rethinking of artifact verification. Arch Linux currently relies on GnuPG with a stateful keyring, a system with several drawbacks: it's tied to GnuPG's specific implementation, requires a running agent, and lacks clear separation between different verification contexts (e.g., official packages vs. unofficial repositories).

The ALPM project introduces the Verification of OS Artifacts (VOA) specification. VOA proposes a stateless, directory-based structure for holding verifiers like OpenPGP certificates, SSH keys, or X.509 certificates. This approach is technology-agnostic and clearly defines which verifiers are used in which context.

The reference implementation, voa, is already functional. It can verify Arch Linux packages using a "trust anchor" model, where a package signature is valid only if its key is certified by a set of pre-defined master keys. The configuration for this is described in a simple YAML file, making the verification policy transparent and easy to audit.
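The trust-anchor model described above, as an added example that is not the voa implementation and follows no VOA file layout: raw Ed25519 keys stand in for the OpenPGP, SSH or X.509 verifiers, a context name stands in for the per-context verifier directory, and a package is accepted only when its signing key carries a certification from a master key listed for that context (all key material is generated inside the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Context stands in for a VOA verification context (assumed names such as
// "official" or "unofficial"); Policy maps each one to its master keys.
type Context string
type Policy map[Context][]ed25519.PublicKey

// Certification is a trust anchor's signature over a signing key's public
// bytes; SigningKey is a packager key plus the certifications it carries.
type Certification struct {
	Anchor ed25519.PublicKey
	Sig    []byte
}
type SigningKey struct {
	Pub   ed25519.PublicKey
	Certs []Certification
}

// VerifyArtifact accepts pkg only if some anchor listed for ctx has validly
// certified k AND sig verifies under k; no keyring state is consulted.
func (p Policy) VerifyArtifact(ctx Context, pkg, sig []byte, k SigningKey) bool {
	for _, anchor := range p[ctx] {
		for _, c := range k.Certs {
			if c.Anchor.Equal(anchor) && ed25519.Verify(anchor, k.Pub, c.Sig) {
				return ed25519.Verify(k.Pub, pkg, sig)
			}
		}
	}
	return false
}

func main() { // constructed demo: one master key for "official", one packager key
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	// The master key certifies the packager key by signing its public bytes.
	k := SigningKey{Pub: pkgPub, Certs: []Certification{{Anchor: anchorPub, Sig: ed25519.Sign(anchorPriv, pkgPub)}}}
	policy := Policy{"official": {anchorPub}}
	pkg := []byte("constructed package bytes")
	sig := ed25519.Sign(pkgPriv, pkg)
	fmt.Println("official:", policy.VerifyArtifact("official", pkg, sig, k))     // true
	fmt.Println("unofficial:", policy.VerifyArtifact("unofficial", pkg, sig, k)) // false: no anchors
}
```

A key certified only by something outside the context's master-key list, or a certification that does not verify under the listed anchor, is rejected before the package signature is even checked.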
