Blueberry Linux
Docs Package Management (bpm)

Package Management (bpm)

bpm is Blueberry's native package manager, written in Rust. It installs packages from an HTTP(S) repository, verifying every one. The native format is .bpm (a zstd(tar) stream with a TOML .BPM manifest), resolved against a single ed25519-signed index.

Everyday commands

bpm update                 # refresh the signed package index
bpm search nginx           # search the index
bpm info redis             # show a package's version, size, dependencies
bpm install nginx          # install (with dependencies)
bpm remove nginx           # uninstall
bpm upgrade                # update everything installed
bpm list                   # list installed packages
bpm clean                  # clear the download cache
bpm verify                 # re-check installed files against their hashes

How a package is trusted

Every install passes three checks before anything touches your disk:

  1. Signed index. The repo's bpm.index is accompanied by

bpm.index.sig, an ed25519 signature verified against a public key compiled into the bpm binary. A tampered index is rejected.

  1. Per-package SHA-256. The index records a SHA-256 for each package file.

bpm streams the package and checks the hash as it goes.

  1. TLS. Everything is fetched over HTTPS.

If any check fails, the operation aborts and nothing is written.

Where packages come from

bpm reads /etc/bpm/repos.conf. The default points at the official mirror:

https://repo.mmzsigmond.me/

You can add or replace mirrors — including your own (see Hosting a Mirror).

The provided base set

Some base-image libraries (zlib, zstd, xz, lz4, ca-certificates) are part of the root filesystem rather than separate packages. They are listed in etc/bpm/provided so the dependency solver treats them as already-satisfied and doesn't try to install them.

What bpm upgrade updates

bpm upgrade rolls the whole installed userspace forward. The kernel is a pinned prebuilt artifact and is not part of that roll — it advances when a new artifact is published, not on every upgrade. This is intentional; see The Kernel Model.

Services

A package that should run as a service lists enable = ["sshd.service"] in its recipe. On install bpm writes the systemd [Install] symlinks offline — so it works inside a chroot or disk image and takes effect on next boot — and starts the unit immediately when installing into the live root.

Installing from a local package

bpm install ./nginx-1.27.3-1-x86_64.bpm

Useful when testing a recipe you just built (see Creating Packages).

Building packages

Any recipe in packages/ can be built into a package:

ENGINE=podman tools/build-bpm-pkg.sh <out-dir> nginx redis   # native .bpm

This runs the build inside an ephemeral container, fetching build dependencies, compiling from source, and emitting .bpm files from each bpm.toml. Full details: Creating Packages.