ChirallyActive

Improving my Cross-Distro Package manager made in Rust

Chiral: A Cross-Distro Linux Package Manager in Rust

Most Linux package managers assume one thing:

You are staying inside a single Linux ecosystem.

That assumption breaks real-world systems.

So I built something different.

GitHub:
https://github.com/Amaterus1125/Chiral-CrossDistro-Package-Manager


🧠 Introduction

Linux is powerful, but fragmented:

  • apt → Debian/Ubuntu
  • pacman → Arch
  • dnf → Fedora

This creates inconsistency when working across environments.

Chiral is my attempt to unify that experience.


βš—οΈ What is Chiral?

A cross-distro Linux package manager written in Rust.

It allows installing packages across distributions without relying on the host package manager.


📦 Example usage

chiral install htop
chiral install fastfetch
chiral list

🧬 Core design (simplified)

Chiral resolves packages using multiple sources:

fn resolve_package(name: &str) -> Option<Package> {
    try_arch(name)
        .or_else(|| try_debian(name))
        .or_else(|| try_custom_repo(name))
}

🐧 Arch Linux support

Chiral reads the official repo database:

fn try_arch(pkg: &str) -> Option<Package> {
    let db = fetch_arch_db()?;
    let entry = db.find(pkg)?;

    verify_checksum(&entry.sha256)?;

    Some(entry.into())
}

📦 Debian support

It parses Packages.gz metadata:

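fn try_debian(pkg: &str) -> Option<Package> {
    // Download and parse the Packages.gz index
    let index = fetch_packages_gz()?;
    let entry = index.lookup(pkg)?;

    // Reject the entry unless the file matches the SHA-256 from the index
    if !verify_sha256(&entry.path, &entry.sha256) {
        return None;
    }

    Some(entry.into())
}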

🌐 Custom repository support

Chiral supports optional checksum sidecars:

package.tar.gz
package.tar.gz.sha256

Verification logic:

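fn verify_custom(pkg: &str, hash: &str) -> Result<()> {
    // Hash the downloaded archive and compare it with the sidecar value
    let file_hash = sha256(pkg)?;

    if file_hash != hash {
        // `.into()` converts the message into the error type behind `Result<()>`
        return Err("Checksum mismatch".into());
    }

    Ok(())
}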
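
As an added example (not Chiral's own code), here is one way to handle the `.sha256` sidecar before the digest comparison: parse a `sha256sum`-style line, bind it to the file name, and report a missing sidecar explicitly instead of treating it as verified. The names `Verdict`, `Reject`, `parse_sidecar` and `check_sidecar` are hypothetical, the sidecar line format is an assumption, and the file's digest is assumed to be computed separately (for example with the `sha2` crate).

```rust
// Added example, not Chiral's code; every name here is hypothetical.
// `actual` is the file's SHA-256, assumed computed elsewhere (e.g. sha2 crate).
#[derive(Debug, PartialEq)]
pub enum Verdict { Verified, NoSidecar }
#[derive(Debug, PartialEq)]
pub enum Reject { Missing, Malformed, WrongFile, Mismatch }

/// Parse one sha256sum-style line: `<64 hex>`, `<hex>  name` or `<hex> *name`.
pub fn parse_sidecar(text: &str) -> Result<([u8; 32], Option<&str>), Reject> {
    let line = text.lines().next().ok_or(Reject::Malformed)?.trim();
    let (hex, name) = match line.split_once(char::is_whitespace) {
        Some((h, rest)) => (h, Some(rest.trim_start().trim_start_matches('*'))),
        None => (line, None),
    };
    // Check every byte: from_str_radix alone would accept a leading '+'.
    if hex.len() != 64 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(Reject::Malformed);
    }
    let mut digest = [0u8; 32];
    for (i, byte) in digest.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).map_err(|_| Reject::Malformed)?;
    }
    Ok((digest, name.filter(|n| !n.is_empty())))
}

/// Fail closed on any mismatch; report a missing sidecar instead of hiding it.
pub fn check_sidecar(file: &str, actual: &[u8; 32], sidecar: Option<&str>,
                     required: bool) -> Result<Verdict, Reject> {
    let text = match sidecar {
        Some(t) => t,
        None if required => return Err(Reject::Missing),
        None => return Ok(Verdict::NoSidecar),
    };
    let (expected, name) = parse_sidecar(text)?;
    // A sidecar that names another file must not vouch for this one.
    if matches!(name, Some(n) if n != file) {
        return Err(Reject::WrongFile);
    }
    if expected != *actual { return Err(Reject::Mismatch); }
    Ok(Verdict::Verified)
}

fn main() {
    // Constructed sample: the SHA-256 of empty input, written as a sidecar line.
    let line = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  package.tar.gz";
    let (digest, _) = parse_sidecar(line).unwrap();
    println!("{:?}", check_sidecar("package.tar.gz", &digest, Some(line), true));
    println!("{:?}", check_sidecar("other.tar.gz", &digest, Some(line), true));
}
```

A sidecar served from the same host as the package catches corruption, not a compromised host; the GPG verification listed under future work is what would cover that case.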

πŸ” Self-update security model

Chiral verifies its own binary before replacing itself:

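fn self_update(asset: &File) -> Result<()> {
    // Expected digest published with the GitHub release asset
    let digest = fetch_github_digest(asset)?;

    // Fail closed: return an error so the caller keeps the current binary
    if !verify_sha256(asset, &digest) {
        return Err("Update rejected: integrity check failed".into());
    }

    install_new_binary(asset)?;
    Ok(())
}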

🛑 Security model (v4.0.0)

All package sources are validated using SHA-256:

  • Arch → repo database checksum
  • Debian → Packages.gz metadata
  • Custom repos → optional sidecar hash
  • GitHub → release asset digest

Failure model:

Any mismatch = immediate rejection (fail closed)


βš™οΈ Implementation details

  • Written fully in Rust 🦀
  • Uses sha2 crate for hashing
  • Statically linked binary
  • Graph-based dependency resolution
  • No shell execution in verification pipeline
  • Cross-distro filesystem normalization layer

🧪 Example install flow

User request → Resolve package →
Fetch metadata → Verify checksum →
Download → Validate → Install

🎯 Design goal

Not to replace Linux package managers.

But to unify them under one abstraction layer where:

  • installation is distro-agnostic
  • integrity is consistent
  • behavior is predictable

🧭 Future work

  • Windows support layer (experimental)
  • GPG verification for repo trust chains
  • Signed Chiral repository format
  • Reproducible builds
  • Expanded ecosystem support

📌 Status

Early-stage but fully functional.

Actively evolving with focus on:

  • security
  • cross-distro compatibility
  • system-level reliability

🔗 GitHub

https://github.com/Amaterus1125/Chiral-CrossDistro-Package-Manager


🧠 Closing thought

Linux doesn't need more package managers.

It needs fewer assumptions.

