Package Management (bpm)
bpm is Blueberry's native package manager, written in Rust. It installs packages from an HTTP(S) repository, verifying every one. The native format is .bpm (a zstd(tar) stream with a TOML .BPM manifest), resolved against a single ed25519-signed index.
Everyday commands
bpm update # refresh the signed package index
bpm search nginx # search the index
bpm info redis # show a package's version, size, dependencies
bpm install nginx # install (with dependencies)
bpm remove nginx # uninstall
bpm upgrade # update everything installed
bpm list # list installed packages
bpm clean # clear the download cache
bpm verify # re-check installed files against their hashes
How a package is trusted
Every install passes three checks before anything touches your disk:
- Signed index. The repo's bpm.index is accompanied by bpm.index.sig, an ed25519 signature verified against a public key compiled into the bpm binary. A tampered index is rejected.
- Per-package SHA-256. The index records a SHA-256 for each package file. bpm streams the package and checks the hash as it goes.
- TLS. Everything is fetched over HTTPS.
If any check fails, the operation aborts and nothing is written.
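The per-package SHA-256 check and the "nothing is written" guarantee above, sketched as an added example: this is not bpm's own code (bpm is written in Rust), and it assumes the expected hash comes from an index whose signature has already been verified. The names install_verified, HashMismatch and demo, and the sample bytes, are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile


class HashMismatch(Exception):
    """Raised when the streamed bytes do not match the indexed SHA-256."""


def install_verified(stream, expected_sha256, dest_path, chunk_size=64 * 1024):
    """Hash `stream` while spooling it to a temp file; publish only on a match."""
    digest = hashlib.sha256()
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # Temp file lives in the destination directory so os.replace() is atomic.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            while True:
                chunk = stream.read(chunk_size)
                if not chunk:
                    break
                digest.update(chunk)  # hash as the bytes arrive
                tmp.write(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            raise HashMismatch(f"expected {expected_sha256}, got {digest.hexdigest()}")
        os.replace(tmp_path, dest_path)  # the only point where dest_path changes
        return digest.hexdigest()
    except BaseException:
        # Any failure (mismatch, I/O error, interrupt) leaves no file behind.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def demo():
    """Run one good and one tampered transfer over constructed sample bytes."""
    payload = b"constructed sample package bytes" * 1000
    good = hashlib.sha256(payload).hexdigest()  # stands in for the index entry
    with tempfile.TemporaryDirectory() as d:
        ok_path = os.path.join(d, "sample.bpm")
        install_verified(io.BytesIO(payload), good, ok_path)
        bad_path = os.path.join(d, "tampered.bpm")
        try:
            install_verified(io.BytesIO(payload + b"X"), good, bad_path)
            rejected = False
        except HashMismatch:
            rejected = True
        return os.path.exists(ok_path), rejected, sorted(os.listdir(d))
```

The tampered transfer leaves neither the destination file nor the partial temp file in the directory, which is the property the three checks rely on.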
Where packages come from
bpm reads /etc/bpm/repos.conf. The default points at the official mirror:
https://repo.mmzsigmond.me/
You can add or replace mirrors — including your own (see Hosting a Mirror).
The provided base set
Some base-image libraries (zlib, zstd, xz, lz4, ca-certificates) are part of the root filesystem rather than separate packages. They are listed in etc/bpm/provided so the dependency solver treats them as already-satisfied and doesn't try to install them.
What bpm upgrade updates
bpm upgrade rolls the whole installed userspace forward. The kernel is a pinned prebuilt artifact and is not part of that roll — it advances when a new artifact is published, not on every upgrade. This is intentional; see The Kernel Model.
Services
A package that should run as a service lists enable = ["sshd.service"] in its recipe. On install bpm writes the systemd [Install] symlinks offline — so it works inside a chroot or disk image and takes effect on next boot — and starts the unit immediately when installing into the live root.
Installing from a local package
bpm install ./nginx-1.27.3-1-x86_64.bpm
Useful when testing a recipe you just built (see Creating Packages).
Building packages
Any recipe in packages/ can be built into a package:
ENGINE=podman tools/build-bpm-pkg.sh <out-dir> nginx redis # native .bpm
This runs the build inside an ephemeral container, fetching build dependencies, compiling from source, and emitting .bpm files from each bpm.toml. Full details: Creating Packages.