Parm: cross-platform, general purpose Package Manager
Posted by houndz-@reddit | linux | View on Reddit | 13 comments
Hey all, I've just released v0.1.0 of my first open-source CLI tool after 2 months!
Parm is a general-purpose, cross-platform (yes, really) package manager similar to the likes of Homebrew. It's meant to have virtually no dependencies, light installs, and no root access all within a single binary.
Link: https://github.com/yhoundz/parm
How it works:
Parm uses the GitHub REST API to download and install GitHub releases, and it will extract binaries and add them to PATH for you. Of course, you can also remove and update packages seamlessly. This means you can install any application or program hosted on GitHub.
To keep track of installed packages, Parm writes a manifest file to every installed package that stores metadata about it, which allows it to check for updates or divulge package information without having to retrieve the package again upstream.
Why Parm?
I initially created this because my default package manager, apt, has a bunch of outdated packages, so if I wanted an updated version, I'd have to use some other package manager or another install method. I wanted to centralize all the applications I install to make it easier to keep track of them. If you're content with your system's package manager (or homebrew), then this probably isn't for you.
Parm also gets upstream releases right when the maintainer updates the GitHub repository (no more waiting on 3rd-party package maintainers). That also means that I don't have to maintain a central registry of packages, as they're all available on GitHub. You can read more about Parm in the project's README and/or documentation.
Features:
- Install, update, remove, list packages
- Config management right from the CLI (no need to manually write to config files via a text editor)
- Retrieve information about any package upstream (or locally).
- Checksum/SHA256 verification (limited support)
- Intuitive UX and sane defaults
Tech Stack/Libraries Used:
- Golang
- Cobra CLI Framework + Viper (for configuration)
- go-github (to interact with GitHub REST API)
I'm relatively new to Go and Parm is still in an alpha state, so any feedback, contributions, thoughts, or feature ideas would be much appreciated!
Link (again): https://github.com/yhoundz/parm
Ashleighna99@reddit
Nail security defaults and reproducible installs first; that’ll make Parm stick.
- OP, add signature verification (cosign/SLSA/GPG) and an allowlist for trusted orgs; require --insecure to bypass so users don’t accidentally install sketchy releases.
- Ship a lockfile (parm.lock) with owner/repo, version, asset, checksum, and signature, plus export/import so dotfiles and CI can reproduce setups.
- Handle GitHub rate limits with PAT support, ETag-based caching, a local tarball cache, and exponential backoff on 403s.
- Let users define per-repo asset rules (regex, OS/arch mapping, post-install steps). On Windows, generate shims like Scoop; on macOS, mount/copy from dmg when needed; on Linux, check glibc vs musl compatibility.
- Add per-project envs: parm env init creates .parm/bin and an activate script; optional direnv integration makes it seamless.
- Improve cleanup: track every file in the manifest, offer uninstall --dry-run, and a parm doctor to flag PATH conflicts.
Homebrew for macOS setups and Scoop on Windows cover user-space installs for me, and DreamFactory comes in when I need to auto-generate database-backed REST APIs so a CLI can talk to a simple backend.
Ship strong verification and reproducible installs as defaults and Parm will land well.
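An added example (not Parm's code and not from the commenter) of the install gate this comment describes: a lockfile entry pins owner, repo, version, asset and SHA-256, an org allowlist is checked first, and a bypass flag is needed for anything unpinned or untrusted. The `LockEntry` type, `VerifyAsset`, the error names and the rule that the bypass never overrides a pinned digest are assumptions made for illustration; signature verification is not shown.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// LockEntry is a hypothetical parm.lock record with the fields the comment lists.
type LockEntry struct {
	Owner, Repo, Version, Asset, SHA256 string
}

var (
	ErrUntrustedOwner = errors.New("owner not in allowlist")
	ErrNoChecksum     = errors.New("no pinned checksum")
	ErrMismatch       = errors.New("sha256 mismatch")
)

// VerifyAsset decides whether downloaded bytes may be installed. insecure models the
// suggested --insecure flag: it skips the allowlist and a missing pin, never a mismatch.
func VerifyAsset(e LockEntry, data []byte, trusted map[string]bool, insecure bool) error {
	if !insecure && !trusted[strings.ToLower(e.Owner)] {
		return fmt.Errorf("%w: %s", ErrUntrustedOwner, e.Owner)
	}
	if e.SHA256 == "" {
		if insecure {
			return nil
		}
		return ErrNoChecksum
	}
	want, err := hex.DecodeString(e.SHA256)
	got := sha256.Sum256(data)
	if err != nil || !bytes.Equal(got[:], want) {
		return ErrMismatch
	}
	return nil
}

func main() {
	data := []byte("constructed sample asset bytes")
	sum := sha256.Sum256(data)
	e := LockEntry{"example-org", "tool", "v1.2.3", "tool_linux_amd64.tar.gz", hex.EncodeToString(sum[:])}
	trusted := map[string]bool{"example-org": true}
	fmt.Println(VerifyAsset(e, data, trusted, false), VerifyAsset(e, []byte("tampered"), trusted, false))
}
```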
whosdr@reddit
You mean the repositories you're pulling from with Apt have outdated packages. That's a huge difference.
houndz-@reddit (OP)
yeah that's my bad on the commits; a lot of them were early in development where i was only focused on building features or just building the core functionality of the program, but now that the repository is public, i'll start making PRs and branches instead of committing everything to master.
bmwiedemann@reddit
https://cbea.ms/git-commit/ is recommended reading.
whosdr@reddit
It was a bit of a surprise, not quite what I had expected.
I think it's a neat toy project but not something I'd want to use like this myself.
houndz-@reddit (OP)
yeah that's fair. I built this primarily for my own interest and to learn more about the software development cycle (and not so much to render every other package manager obsolete). Thanks for the feedback!
OptimalAnywhere6282@reddit
I believe this is the solution to the wrong problem: you wanted newer software on a Debian-based distro. the Debian philosophy consists of stability over bleeding edge releases. a Debian installation that has packages with non-verified stability is called a "franken-debian".
if you want newer software, I'd recommend switching to a different, rolling release distro like Arch, Fedora and many others, rather than making your own non-standard package manager (yet another one for the list) that might potentially break your Debian installation.
houndz-@reddit (OP)
I actually use WSL with Ubuntu and I honestly can't be bothered to switch off at this point, especially since I don't usually back up my dotfiles. I also doubt that downloading binaries from GitHub will brick my Linux installation. I do appreciate the feedback though.
whosdr@reddit
That depends on the project you pick. Grab the wrong version of libc, make/install it and good luck to you. ;p
bmwiedemann@reddit
So does it only work for software that is statically linked such as rust and golang?
houndz-@reddit (OP)
Unfortunately, yeah. There isn't a lot I can do about it besides notify the user what shared libraries a specific binary needs (but won't actually install them), which is the current behavior. FWIW I've installed neovim with no issues, but the required shared libraries are likely just left over from my old homebrew installation of nvim or because they were already on my machine so it isn't really saying much.
bmwiedemann@reddit
In theory you could interface with PackageKit to get dependencies installed, but you would have to figure out what is missing with ldd and which package provides it (depends on the distribution)
houndz-@reddit (OP)
That sounds interesting, I'll check it out, thanks
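An added example, not part of the thread and not Parm's code, of the first half of the ldd suggestion above: pulling the unresolved sonames out of ldd's text output. The function name and the sample output are constructed for illustration; mapping a soname to the package that provides it is distribution-specific and not shown. It assumes the output was captured from a binary that already passed verification, because ldd can execute code from the file it inspects.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// MissingLibs parses text in the format printed by ldd and returns the sonames
// reported as "not found". static is true when ldd reported that the file has
// no dynamic dependencies at all.
func MissingLibs(lddOutput string) (missing []string, static bool) {
	sc := bufio.NewScanner(strings.NewReader(lddOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.Contains(line, "not a dynamic executable") || strings.Contains(line, "statically linked") {
			return nil, true
		}
		// Resolved lines read "name => /path (0xaddr)"; unresolved ones "name => not found".
		// The vdso and loader lines carry no " => " and are skipped.
		name, target, ok := strings.Cut(line, " => ")
		if ok && strings.HasPrefix(target, "not found") {
			missing = append(missing, name)
		}
	}
	return missing, false
}

// Constructed sample output; library names and addresses are illustrative.
const sample = `	linux-vdso.so.1 (0x00007ffd1a5f2000)
	libluajit-5.1.so.2 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3c000000)
	libuv.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f2b3c400000)`

func main() {
	missing, static := MissingLibs(sample)
	fmt.Println(missing, static)
}
```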