Chiral: A Cross-Distro Linux Package Manager in Rust
Most Linux package managers assume one thing:
You are staying inside a single Linux ecosystem.
That assumption breaks real-world systems.
So I built something different.
GitHub:
https://github.com/Amaterus1125/Chiral-CrossDistro-Package-Manager
Introduction
Linux is powerful, but fragmented:
- apt → Debian/Ubuntu
- pacman → Arch
- dnf → Fedora
This creates inconsistency when working across environments.
Chiral is my attempt to unify that experience.
What is Chiral?
A cross-distro Linux package manager written in Rust.
It allows installing packages across distributions without relying on the host package manager.
Example usage
    chiral install htop
    chiral install fastfetch
    chiral list
Core design (simplified)
Chiral resolves packages using multiple sources:
    // Try each source in order; the first one that returns a package wins.
    fn resolve_package(name: &str) -> Option<Package> {
        try_arch(name)
            .or_else(|| try_debian(name))
            .or_else(|| try_custom_repo(name))
    }
Arch Linux support
Chiral reads the official repo database:
    fn try_arch(pkg: &str) -> Option<Package> {
        let db = fetch_arch_db()?;
        let entry = db.find(pkg)?;
        // Reject the entry unless its SHA-256 from the repo database checks out.
        verify_checksum(&entry.sha256)?;
        Some(entry.into())
    }
Debian support
It parses Packages.gz metadata:
    fn try_debian(pkg: &str) -> Option<Package> {
        let index = fetch_packages_gz()?;
        let entry = index.lookup(pkg)?;
        // Check the file at entry.path against the SHA-256 listed in Packages.gz.
        verify_sha256(&entry.sha256, &entry.path)?;
        Some(entry.into())
    }
Custom repository support
Chiral supports optional checksum sidecars:
    package.tar.gz
    package.tar.gz.sha256
Verification logic:
    fn verify_custom(pkg: &str, hash: &str) -> Result<()> {
        // Hash the downloaded package and compare it with the sidecar value.
        let file_hash = sha256(pkg)?;
        if file_hash != hash {
            return Err("Checksum mismatch");
        }
        Ok(())
    }
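An added example, not taken from the Chiral code base: one way to handle the optional sidecar so that a missing or malformed `.sha256` file is a separate outcome from a verified one, and only an explicit opt-in lets an unverified package through. The `Verdict` enum, the function names and the `allow_unverified` flag are hypothetical, and the digest of the downloaded file is assumed to be computed elsewhere.

```rust
// Added example, not Chiral's code. `computed` is the SHA-256 of the downloaded
// bytes, assumed to be produced elsewhere (for instance with the sha2 crate).
#[derive(Debug, PartialEq)]
enum Verdict {
    Verified,
    NoSidecar, // nothing to check against: integrity unknown
    Malformed, // sidecar present but not a 64-hex-digit digest
    Mismatch,
}

/// Accepts a bare hex digest or `sha256sum` output ("<hex>  <name>").
fn parse_sidecar(text: &str) -> Option<[u8; 32]> {
    let token = text.split_whitespace().next()?;
    if token.len() != 64 || !token.bytes().all(|b| b.is_ascii_hexdigit()) {
        return None;
    }
    let mut out = [0u8; 32];
    for (i, byte) in out.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&token[2 * i..2 * i + 2], 16).ok()?;
    }
    Some(out)
}

fn check(computed: &[u8; 32], sidecar: Option<&str>) -> Verdict {
    // Compare decoded bytes so hex case and trailing newlines cannot matter.
    match sidecar.map(parse_sidecar) {
        None => Verdict::NoSidecar,
        Some(None) => Verdict::Malformed,
        Some(Some(expected)) if &expected == computed => Verdict::Verified,
        Some(Some(_)) => Verdict::Mismatch,
    }
}

/// Fail closed: a missing sidecar installs only on explicit opt-in.
fn may_install(verdict: &Verdict, allow_unverified: bool) -> bool {
    match verdict {
        Verdict::Verified => true,
        Verdict::NoSidecar => allow_unverified,
        Verdict::Malformed | Verdict::Mismatch => false,
    }
}

// Constructed sample: SHA-256 of empty input, as `sha256sum` would print it.
const SAMPLE: &str = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  package.tar.gz\n";

fn main() {
    let verdict = check(&parse_sidecar(SAMPLE).unwrap(), Some(SAMPLE));
    println!("{:?} install={}", verdict, may_install(&verdict, false));
}
```

A sidecar fetched from the same server as the package detects corruption in transit or at rest, but it does not authenticate the publisher, since whoever can replace the package can replace the sidecar too.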
Self-update security model
Chiral verifies its own binary before replacing itself:
    fn self_update(asset: &File) -> Result<()> {
        let digest = fetch_github_digest(asset)?;
        // Stop before the running binary is touched if the digest does not match.
        if !verify_sha256(asset, digest) {
            panic!("Update rejected: integrity check failed");
        }
        install_new_binary(asset)?;
        Ok(())
    }
Security model (v4.0.0)
All package sources are validated using SHA-256:
- Arch → repo database checksum
- Debian → Packages.gz metadata
- Custom repos → optional sidecar hash
- GitHub → release asset digest
Failure model:
Any mismatch = immediate rejection (fail closed)
Implementation details
- Written fully in Rust
- Uses the sha2 crate for hashing
- Statically linked binary
- Graph-based dependency resolution
- No shell execution in verification pipeline
- Cross-distro filesystem normalization layer
Example install flow
    User request → Resolve package →
    Fetch metadata → Verify checksum →
    Download → Validate → Install
Design goal
Not to replace Linux package managers.
But to unify them under one abstraction layer where:
- installation is distro-agnostic
- integrity is consistent
- behavior is predictable
Future work
- Windows support layer (experimental)
- GPG verification for repo trust chains
- Signed Chiral repository format
- Reproducible builds
- Expanded ecosystem support
Status
Early-stage but fully functional.
Actively evolving with focus on:
- security
- cross-distro compatibility
- system-level reliability
GitHub
https://github.com/Amaterus1125/Chiral-CrossDistro-Package-Manager
Closing thought
Linux doesn't need more package managers.
It needs fewer assumptions.