Sovereign Tech Agency Injects €562K into Arch Linux

ALPM, Arch Linux's packaging ecosystem, received €562K in funding to modernize package creation, validation, and verification with Rust-based tooling and libraries.

The Arch Linux community has exciting news: the Arch Linux Package Management (ALPM) project has received significant funding (€562,800) from the German Sovereign Tech Agency.

This financial boost will empower a team of four part-time developers to advance ALPM over the next 15 months. Work was already underway as of October 2024, and the project is set to deliver transformative changes by the end of 2025.

For the unfamiliar, ALPM plays a vital role in the Arch ecosystem, providing the foundation for package creation, validation, installation, and repository management.

The project aims to modernize these functions through robust specifications, Rust libraries, and tools. Additionally, ALPM will offer drop-in alternatives for some features provided by Pacman, Arch Linux’s beloved package manager.

One key initiative involves creating a comprehensive set of formal specifications for packaging data formats. Although the Arch Linux packaging ecosystem is currently well-loved by a passionate community, it relies on somewhat underspecified or undocumented metadata types.

By establishing versioned specifications and implementing Rust libraries, the team intends to clarify what’s actually inside a package, how it should be created, and how it can be reliably integrated into various contexts—such as automated build systems and repository management tools.

In addition, the ALPM project plans to significantly improve the handling of signatures and cryptographic verifications. Right now, Arch Linux package management primarily depends on a stateful GnuPG keyring.

However, this approach has shown its age, occasionally causing maintenance headaches and complicating the verification process.

To address this, the funded work includes developing a universal API specification and a corresponding Rust library. This step aims to simplify signature verification and pave the way for a more diverse set of cryptographic tools—ultimately achieving a stateless verification model that is more resilient, modular, and secure.

Another major milestone is introducing a dedicated Rust library for handling individual packages from start to finish. This means more than just parsing a file; it involves creating a modern ecosystem where package validation, installation, and integration with C-based libraries like libalpm are straightforward and maintainable.

Taken together, these improvements will help move the Arch Linux infrastructure into a truly next-generation model, making it easier for other projects and distributions to benefit from the underlying tools.

The work will be conducted openly on the Arch Linux GitLab, inviting anyone interested to jump in and contribute.

Visit the announcement for more information. The STA website is expected to post more information about the investment shortly.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
