Git-native · Sandboxed · HackerOS Ecosystem

HPM

HackerOS Package Manager — the native package manager of HackerOS. No binary archives. Packages are git repositories. Versions are git tags. Built exclusively for the HackerOS ecosystem.

$ hpm install <package>

01 OVERVIEW

Git-native · Linux namespaces · Landlock LSM · HackerOS Ecosystem · Side-by-side versions · GUI app support

Each package is a plain git repository with an info.hk manifest and a contents/ directory, or a build.toml describing how to obtain the binary. No .deb archives — just git.

Every package runs in an isolated environment using Linux namespaces + Landlock. GUI apps get X11/Wayland/D-Bus access and are registered in the system app menu automatically.

Install flow

# 1. Central index
{ "mypkg": { "repo": "https://github.com/user/mypkg" } }

# 2. hpm install mypkg
   fetch repo.json              (HTTP, no clone)
   clone git repo
   checkout latest semver tag
   read info.hk
   install apt deps
   run build.toml / build.info
   copy contents/ → store
   install .desktop + icon      (GUI apps)
   create /usr/bin wrapper

# 3. Running
$ mypkg → hpm run mypkg → sandbox → exec

02 QUICKSTART

sudo hpm refresh          # update package index
hpm search editor         # find packages
hpm info hedit            # show package details
sudo hpm install hedit    # install
hedit myfile.txt          # use it
sudo hpm update           # update all packages
sudo hpm remove hedit     # remove
Root required: Install, remove, update and upgrade commands require sudo. Search, info, list and query commands work as a normal user.

03 COMMAND REFERENCE

Package Commands

Command                          Description
hpm refresh                      Download package index and pre-fetch metadata
hpm install <pkg>[@<ver>]...     Install packages, resolve hpm and apt dependencies automatically
hpm remove <pkg>[@<ver>]         Remove a package or a specific installed version
hpm update                       Update all non-pinned packages to latest version
hpm upgrade                      Upgrade hpm itself
hpm switch <pkg> <ver>           Switch the active version of an installed package

Query Commands

Command                          Description
hpm search <query>               Search by name or description; HTTP only, never clones git
hpm info <package>               Show full package details
hpm list                         List all installed packages with versions and pinned status
hpm outdated                     Show packages with newer versions available
hpm deps <pkg>                   Print the full dependency tree
hpm verify <package>             Verify installed package integrity (SHA-256)

Maintenance Commands

Command                          Description
hpm run <pkg> <bin> [args]       Run a binary from an installed package inside its sandbox
hpm build <name>                 Package the current directory as an hpm package
hpm clean                        Remove cached git repos and temporary files
hpm pin <pkg> <ver>              Pin a package to a specific version
hpm unpin <pkg>                  Unpin the current version

04 VERSION MANAGEMENT

hpm reads versions from git tags in the format v1.2.3 or 1.2.3. Multiple versions can be installed side by side.

sudo hpm install hedit@1.9.0   # install specific version alongside current
sudo hpm switch hedit 1.9.0    # switch active version
sudo hpm pin hedit 1.9.0       # pin — prevents automatic updates
sudo hpm unpin hedit            # unpin when ready to update
sudo hpm remove hedit@1.9.0    # remove specific version only
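The install flow in section 01 (look the name up in the index, list the repository's tags, check out the latest semver tag) and the `<pkg>[@<ver>]` syntax above are easy to get subtly wrong: non-release tags must be ignored, `v1.2.3` and `1.2.3` must compare as the same version, and an explicitly requested version must exist as a tag. The following is an added example, not hpm's own code, that models that resolution step in Python. The tag list is a constructed stand-in for what `git ls-remote --tags` would return, and the constraint syntax (`>=1.0`, `<2.0`, `=1.0.0`) is an assumption modelled on the `dependencies.other-pkg => ">=1.0"` line in the manifest reference.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tags hpm accepts: "v1.2.3" or "1.2.3" (section 04). Anything else is not a release.
SEMVER_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

Version = Tuple[int, int, int]


def parse_tag(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) for a semver tag, or None for non-release tags."""
    m = SEMVER_TAG.match(tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def available_versions(tags: List[str]) -> Dict[Version, str]:
    """Map every semver version found in the tag list to the exact tag name to check out."""
    found: Dict[Version, str] = {}
    for tag in tags:
        v = parse_tag(tag)
        if v is not None:
            found[v] = tag
    return found


def satisfies(v: Version, constraint: str) -> bool:
    """Evaluate one constraint such as ">=1.0" (assumed syntax: optional operator,
    then 1 to 3 numeric components; missing components count as 0)."""
    m = re.match(r"^(>=|<=|>|<|=)?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?$", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1) or "="
    bound = tuple(int(x) if x is not None else 0 for x in m.groups()[1:])
    return {">=": v >= bound, "<=": v <= bound, ">": v > bound,
            "<": v < bound, "=": v == bound}[op]


def resolve(spec: str, index: dict, tags_by_repo: Dict[str, List[str]],
            constraint: Optional[str] = None) -> Tuple[str, str]:
    """Resolve 'name' or 'name@1.9.0' to (repo_url, git_tag): find the repo in the
    index, collect its semver tags, then pick the requested version or the newest
    one that satisfies the optional constraint."""
    name, _, wanted = spec.partition("@")
    entry = index["packages"].get(name)
    if entry is None:
        raise KeyError(f"{name}: not in package index")
    repo = entry["repo"]
    versions = available_versions(tags_by_repo.get(repo, []))
    if not versions:
        raise LookupError(f"{name}: repository has no semver tags")
    if wanted:
        v = parse_tag(wanted)
        if v is None or v not in versions:
            raise LookupError(f"{name}: version {wanted} is not tagged")
    else:
        candidates = [c for c in versions if constraint is None or satisfies(c, constraint)]
        if not candidates:
            raise LookupError(f"{name}: no version satisfies {constraint}")
        v = max(candidates)
    return repo, versions[v]


# Constructed sample data in the repo.json shape; the tag list is made up for the demo
# and mixes both accepted tag styles with tags that must be ignored.
INDEX = {"packages": {"hedit": {"repo": "https://github.com/hackerOS/hedit"}}}
TAGS = {"https://github.com/hackerOS/hedit":
        ["v1.0.0", "1.9.0", "v2.0.0", "v2.1.0", "nightly", "v2.1.0-rc1"]}

if __name__ == "__main__":
    print(resolve("hedit", INDEX, TAGS))                 # newest release tag
    print(resolve("hedit@1.9.0", INDEX, TAGS))           # explicit version
    print(resolve("hedit", INDEX, TAGS, constraint="<2.0"))
```

Because the comparison key is the parsed tuple rather than the tag string, `1.9.0` correctly sorts below `v2.0.0`, and a mixed repository (some tags with `v`, some without) still yields one version set.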

05 SANDBOX

hpm automatically selects the right isolation level. No manual configuration required — the sandbox is transparent to the user.

Sandbox modes

Mode     When                                    Isolation
Full     Pure CLI, no network/GUI/extra paths    New user+mount+UTS+PID+net+cgroup namespaces + pivot_root + Landlock
Compat   GUI apps, network, home dir access      New mount namespace only; shares host user/network/IPC. Landlock active.
None     sandbox.disabled = true                 Direct exec, no isolation. Only for trusted system tools.

Sandbox options in info.hk

[sandbox]
-> network   => false   # allow network access
-> gui       => true    # bind X11/Wayland/D-Bus/PulseAudio/PipeWire
-> full_gui  => false   # gui + /dev/shm (Electron/Chromium apps)
-> dev       => false   # expose /dev devices
-> disabled  => false   # disable sandbox entirely
-> filesystem => {}     # extra host paths to bind-mount
Warning: sandbox.disabled = true gives the binary full host access. Use only for packages you fully trust.

What Landlock protects

Path                      Access
/usr, /lib, /bin, /etc    Read + execute only
/proc, /sys               Read only
/app (package dir)        Full read/write/execute
/tmp                      Full read/write
$HOME                     Full read/write (compat mode)
Extra filesystem paths    Full read/write

06 REPOSITORY LAYOUT

my-package/
  ├── info.hk            ← required: manifest
  ├── build.toml         ← optional: build/download instructions
  ├── contents/
  │   ├── bin/
  │   │   └── my-binary    ← chmod +x in git (0o100755)
  │   ├── icons/
  │   │   └── my-package.png ← app icon (GUI apps)
  │   └── my-package.desktop ← custom .desktop (optional)
  └── README.md
Key rule: The binary name in bins.<name> must match the actual filename in contents/bin/<name>. hpm searches recursively and shows a list of all files found when it doesn't match.

07 INFO.HK MANIFEST

HK Format documentation: The info.hk manifest uses the HK format, HackerOS's native configuration language. The full syntax reference is documented separately:

hackeros-linux-system.github.io → HK Format Documentation ↗

Complete manifest reference

[metadata]
-> name    => my-package
-> version => 1.0.0
-> authors => Your Name
-> license => MIT
-> gui     => false               # shorthand: true means sandbox.gui = true
-> bins.my-binary => ""           # each binary gets a /usr/bin wrapper

[description]
-> summary => One-line shown in hpm search
-> long    => Longer description shown in hpm info

[sandbox]
-> network   => false
-> gui       => false
-> full_gui  => false
-> dev       => false
-> disabled  => false
-> filesystem => {}

[build]
-> commands => {}
-> deb_deps => {}

[runtime]
-> deb_deps => {}

[specs]
-> dependencies.other-pkg => ">=1.0"

[desktop]
-> display_name => My Application
-> icon         => icons/my-package.png
-> categories   => Utility;GTK;
-> comment      => Short description for the app menu
-> mime_types   => text/plain;
-> keywords     => tool;utility;
-> desktop_file => my-package.desktop
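Two of the rules on this page are worth seeing as code: the sandbox mode table in section 05 (disabled wins, then any GUI, network or extra-path need forces compat mode, otherwise full isolation) and the key rule in section 06 (every `bins.<name>` must exist as `contents/bin/<name>`, and on a mismatch the author is shown what files are actually present). The block below is an added example, not hpm's own code. It includes a parser for only the subset of HK syntax shown on this page (`[section]` headers, `-> key => value` lines, dotted keys, `{}` and `{ k => "" }` maps, `#` comments); the real HK grammar is larger, so treat the parser as an assumption. The sample manifest and file list are constructed, and the file list deliberately misnames the binary.

```python
from typing import Any, Dict, List


def _parse_value(raw: str) -> Any:
    """Subset of HK values seen on this page: true/false, "quoted", { k => v, ... }, bare."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("{") and raw.endswith("}"):
        inner = raw[1:-1].strip()
        out: Dict[str, Any] = {}
        if inner:
            for item in inner.split(","):
                k, _, v = item.partition("=>")
                out[k.strip()] = _parse_value(v)
        return out
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def _strip_comment(line: str) -> str:
    """Drop a trailing `# ...` comment unless the # sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_hk(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the HK subset used by info.hk on this page (assumption: real HK has more)."""
    sections: Dict[str, Dict[str, Any]] = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = _strip_comment(line).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if not line.startswith("->") or "=>" not in line:
            raise SyntaxError(f"line {lineno}: expected `-> key => value`, got {line!r}")
        if current is None:
            raise SyntaxError(f"line {lineno}: key outside any [section]")
        key, _, value = line[2:].partition("=>")
        node = current
        *parents, leaf = key.strip().split(".")   # bins.myapp -> {"bins": {"myapp": ...}}
        for p in parents:
            node = node.setdefault(p, {})
        node[leaf] = _parse_value(value)
    return sections


def sandbox_mode(manifest: Dict[str, Dict[str, Any]]) -> str:
    """Mode selection as the section 05 table describes it. `dev` does not change the
    mode in that table, so it is not consulted here."""
    sb = manifest.get("sandbox", {})
    gui = (sb.get("gui", False) or sb.get("full_gui", False)
           or manifest.get("metadata", {}).get("gui", False))   # metadata.gui is shorthand
    if sb.get("disabled", False):
        return "none"          # direct exec, no isolation at all
    if gui or sb.get("network", False) or sb.get("filesystem"):
        return "compat"        # mount namespace only, Landlock active
    return "full"              # all namespaces + pivot_root + Landlock


def check_bins(manifest: Dict[str, Dict[str, Any]], files: List[str]) -> List[str]:
    """Key rule of section 06: report every bins.<name> with no contents/bin/<name>,
    listing the files actually present so the mismatch is obvious."""
    problems = []
    for name in manifest.get("metadata", {}).get("bins", {}):
        if f"contents/bin/{name}" not in files:
            problems.append(f"bins.{name}: contents/bin/{name} not found; "
                            f"files present: {sorted(files)}")
    return problems


# Constructed sample manifest (modelled on the GUI example) and repository file list.
SAMPLE_MANIFEST = """\
[metadata]
-> name    => myapp
-> version => 1.0.0
-> gui     => true           # shorthand for sandbox.gui
-> bins.myapp => ""

[sandbox]
-> gui      => true
-> network  => false

[runtime]
-> deb_deps => { libgtk-3-0 => "" }
"""
SAMPLE_FILES = ["info.hk", "contents/bin/my-app", "contents/icons/myapp.png"]  # binary misnamed

if __name__ == "__main__":
    manifest = parse_hk(SAMPLE_MANIFEST)
    print("sandbox mode:", sandbox_mode(manifest))
    for problem in check_bins(manifest, SAMPLE_FILES):
        print(problem)
```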

08 BUILD.TOML

When absent, hpm copies contents/ directly. Add build.toml when the binary needs downloading or compiling.

type = "download"

type         = "download"
url          = "https://github.com/user/repo/releases/download/v{version}/bin-linux-x86_64"
install_path = "bin/mybinary"
runtime_deps = ["libssl3"]

# From a tar.gz archive:
type             = "download"
url              = "https://example.com/v{version}/tool.tar.gz"
binary_path      = "tool/bin/tool"
strip_components = 0
install_path     = "bin/tool"

type = "build"

type         = "build"
commands     = ["cargo build --release"]
output       = "target/release/mytool"
install_path = "bin/mytool"
build_deps   = ["build-essential"]
runtime_deps = ["libssl3"]

[env]
CARGO_PROFILE_RELEASE_LTO = "true"
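The `type = "download"` variant above fetches an archive built elsewhere, substitutes `{version}` into the URL, and pulls one member (`binary_path`, after `strip_components`) into `contents/<install_path>`. The part that deserves care is the extraction: a tar member named with a leading `/` or a `..` component, or a link entry, must never be written through. The following added example, which is not hpm's own code, shows that step in Python. Its build.toml reader handles only the flat `key = value` lines shown on this page (real hpm would use a full TOML parser; that is an assumption), and the archive it extracts from is constructed in memory as a stand-in for the download.

```python
import ast
import io
import tarfile
from pathlib import PurePosixPath
from typing import Any, Dict


def parse_build_toml(text: str) -> Dict[str, Any]:
    """Read the flat build.toml subset used above: strings, string lists, integers,
    booleans and one level of [table]. Assumption: only enough for this page's samples."""
    data: Dict[str, Any] = {}
    table = data
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            table = data.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        table[key.strip()] = value == "true" if value in ("true", "false") else ast.literal_eval(value)
    return data


def render_url(spec: Dict[str, Any], version: str) -> str:
    """Fill the {version} placeholder from the tag being installed (without its v prefix)."""
    return spec["url"].replace("{version}", version)


def extract_binary(archive: bytes, spec: Dict[str, Any]) -> bytes:
    """Return the bytes of binary_path from a tar.gz, honouring strip_components.
    Every member is checked on the way: absolute names, '..' components and
    non-regular entries (symlinks, hard links, devices) abort the whole install,
    because a hostile archive must not get to place files anywhere on the host."""
    wanted = spec["binary_path"]
    strip = int(spec.get("strip_components", 0))
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            parts = PurePosixPath(member.name).parts
            if member.name.startswith("/") or ".." in parts:
                raise ValueError(f"refusing unsafe archive member {member.name!r}")
            if "/".join(parts[strip:]) != wanted:
                continue
            if not member.isfile():
                raise ValueError(f"{member.name!r} is not a regular file")
            return tar.extractfile(member).read()
    raise FileNotFoundError(f"{wanted!r} not found in archive")


def make_archive(files: Dict[str, bytes]) -> bytes:
    """Build a tar.gz in memory; a constructed fixture standing in for the download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# The tar.gz sample from this section, plus a runtime dependency line.
SAMPLE_BUILD_TOML = """\
# From a tar.gz archive:
type             = "download"
url              = "https://example.com/v{version}/tool.tar.gz"
binary_path      = "tool/bin/tool"
strip_components = 0
install_path     = "bin/tool"
runtime_deps     = ["libssl3"]
"""

if __name__ == "__main__":
    spec = parse_build_toml(SAMPLE_BUILD_TOML)
    print("would fetch:", render_url(spec, "1.0.0"))
    good = make_archive({"tool/bin/tool": b"\x7fELF-stub", "tool/README": b"docs"})
    print("extracted", len(extract_binary(good, spec)), "bytes for", spec["install_path"])
    hostile = make_archive({"../../usr/bin/tool": b"x", "tool/bin/tool": b"y"})
    try:
        extract_binary(hostile, spec)
    except ValueError as err:
        print("rejected:", err)
```

The member check runs before the name comparison on purpose: the dangerous entry is rarely the one you asked for, so an archive with one bad member is rejected outright rather than partially installed.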

09 GUI APPLICATIONS

When gui = true or sandbox.gui = true, hpm automatically:

  • Runs in compat mode — shares X11/Wayland/D-Bus with the host
  • Installs a .desktop file to /usr/share/applications/
  • Installs the icon to hicolor and pixmaps
  • Runs update-desktop-database and gtk-update-icon-cache

GUI info.hk example

[metadata]
-> name    => myapp
-> version => 1.0.0
-> gui     => true
-> bins.myapp => ""

[sandbox]
-> gui      => true
-> network  => false

[runtime]
-> deb_deps => { libgtk-3-0 => "" }

[desktop]
-> display_name => My App
-> icon         => icons/myapp.png
-> categories   => Graphics;Viewer;
Custom .desktop file: If you ship a .desktop file in contents/, hpm uses it automatically and patches only the Exec= line to route through hpm run.

Electron / Chromium apps

[sandbox]
-> full_gui => true    # adds /dev/shm for shared memory
-> network  => true    # if the app needs internet access

10 PUBLISHING

1. Create the repository

mkdir my-package && cd my-package && git init
mkdir -p contents/bin
cp /path/to/binary contents/bin/my-package
chmod +x contents/bin/my-package
# create info.hk (see section 07 for full reference)
git add . && git commit -m "initial release"
git tag v1.0.0 && git push origin main --tags

2. Add to repo.json

{
  "packages": {
    "my-package": {
      "repo": "https://github.com/yourname/my-package"
    }
  }
}
Versions field is optional: hpm discovers available versions automatically from git tags. The "versions" array is optional hint-only metadata.

3. Submit a pull request

Open a PR to HackerOS-Package-Manager ↗ adding your entry to repo/repo.json.

11 REPO.JSON

{
  "packages": {
    "hello-hpm": {
      "repo": "https://github.com/HackerOS-Linux-System/hpm-example-repo"
    },
    "hedit": {
      "repo": "https://github.com/hackerOS/hedit",
      "versions": ["1.0.0", "2.0.0", "2.1.0"]
    }
  }
}

12 STORE LAYOUT

/usr/lib/HackerOS/hpm/store/my-package/
  ├── 1.0.0/    ← installed version
  ├── 2.0.0/    ← side-by-side
  └── current   ← symlink → 2.0.0

/usr/bin/my-package                      ← wrapper script
/usr/share/applications/my-package.desktop ← GUI apps only
/usr/share/icons/hicolor/256x256/apps/my-package.png
/var/lib/hpm/state.json                  ← state + checksums
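The `hpm verify` command (section 03) compares an installed version directory against the SHA-256 checksums kept in state.json. The added example below, not hpm's own code, shows what such a check has to cover to be useful as a tamper detector: a file whose hash changed, a file that went missing, and a file that appeared without being recorded, since anyone who can write to the store can add as well as modify. The layout of the per-package entry inside state.json is an assumption; the page only says the file holds state and checksums. The store is created in a temporary directory as a constructed fixture.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_checksums(version_dir: Path) -> Dict[str, str]:
    """Hash every regular file under an installed version directory, keyed by path
    relative to that directory. Symlinks are skipped rather than followed so a link
    pointing outside the store cannot make a foreign file look 'recorded'."""
    return {
        str(p.relative_to(version_dir)): sha256_file(p)
        for p in sorted(version_dir.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify(version_dir: Path, recorded: Dict[str, str]) -> List[str]:
    """Compare the store against the recorded checksums. Empty list means intact."""
    actual = record_checksums(version_dir)
    findings = []
    for rel, digest in recorded.items():
        if rel not in actual:
            findings.append(f"MISSING  {rel}")
        elif actual[rel] != digest:
            findings.append(f"MODIFIED {rel}")
    for rel in actual:
        if rel not in recorded:
            findings.append(f"UNEXPECTED {rel}")
    return sorted(findings)


def demo(tamper: bool = True) -> List[str]:
    """Create a throwaway store, record it into a state.json-style document (assumed
    shape: packages -> name -> version -> {relative path: sha256}), optionally tamper
    with it, and return what verify() reports."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store" / "my-package" / "1.0.0"
        (store / "bin").mkdir(parents=True)
        (store / "bin" / "my-package").write_bytes(b"#!/bin/sh\necho hello\n")
        (store / "README.md").write_bytes(b"docs\n")
        state = {"packages": {"my-package": {"1.0.0": record_checksums(store)}}}
        state_json = json.dumps(state)   # what would live in /var/lib/hpm/state.json
        if tamper:
            (store / "bin" / "my-package").write_bytes(b"#!/bin/sh\necho tampered\n")
            (store / "README.md").unlink()
            (store / "bin" / "extra").write_bytes(b"x")
        recorded = json.loads(state_json)["packages"]["my-package"]["1.0.0"]
        return verify(store, recorded)


if __name__ == "__main__":
    for finding in demo() or ["intact"]:
        print(finding)
```

Hashing the `current` symlink target rather than the link itself, and verifying the `/usr/bin` wrapper script alongside the store, would be natural extensions; the page does not say whether hpm records those, so they are left out here.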

13 HPM VS AUR VS PPA

Feature                  hpm                               AUR (yay)    PPA (apt)
Package format           Git repo + info.hk                PKGBUILD     .deb archive
Sandbox / isolation      Built-in (namespaces+Landlock)    None         None
GUI app support          Yes (.desktop + icons)            Yes          Yes
Side-by-side versions    Yes                               No           No
Version pinning          Yes                               Partial      hold
Search speed             Fast (raw HTTP)                   Medium       Fast
Binary integrity         SHA-256                           Optional     GPG
Build from source        Yes (build.toml)                  Yes          No
Pre-built download       Yes (build.toml)                  Partial      Yes
Auto dep resolution      hpm + apt deps                    Full         Full

14 HK FORMAT

The info.hk manifest uses the HK format — HackerOS's native configuration language. Readable, hierarchical, with built-in interpolation, strong typing and precise error messages.

hackeros-linux-system.github.io/tools-docs/hk.html ↗