The Redox OS project introduced the pkgar package manager written in Rust

The developers of the Redox operating system, which is written in Rust and built on the microkernel concept, have presented a new package manager, pkgar. The project is developing a new package format, a package management library, and a command-line toolkit for creating and retrieving a cryptographically verified collection of files. The pkgar code is written in Rust and is distributed under the MIT license.

The pkgar format does not claim to be universal and is optimized for the specifics of the Redox OS operating system. The package manager supports source verification using a digital signature, as well as integrity checking. Checksums are calculated using the Blake3 hash function. The verification-related functionality of pkgar can be used without actually storing the package archive, by working only with the header portion. In particular, the package consists of a header file (.pkgar_head) and a data file (.pkgar_data). A correctly signed complete package (.pkgar) can be obtained by simply concatenating the header file with the data file ("cat example.pkgar_head example.pkgar_data > example.pkgar").

The header file contains separate checksums for the header and for the structures with parameters from the data file, as well as a digital signature to verify the package. The data file includes a sequential listing of all files and directories supplied in the package. Each data element is preceded by a structure with metadata that includes a checksum for the data itself, size, access rights, relative path of the file being installed, and the offset of the parameters of the next data element. If individual files have not changed during an update and the checksum matches, they are skipped and not downloaded.

You can check the integrity of the source by downloading only the header file, and the correctness of the selected data file by downloading only the structures with the parameters of this file and making sure that they match the checksum certified in the header file. The data itself can be checked after it has been downloaded, using the checksum from the structure with parameters preceding the data.
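The three-stage check described above, as an added Python example that is not pkgar code and does not use pkgar's real binary layout. It assumes a toy layout with a separate entry table, uses BLAKE2b-256 in place of Blake3, and uses HMAC-SHA256 with a shared key as a stand-in for the digital signature; all function names are hypothetical.

```python
import hashlib, hmac, struct

# Stand-ins (assumptions): BLAKE2b-256 replaces Blake3, HMAC-SHA256 with a
# shared key replaces the public-key signature, and the layout is a toy one.
ENTRY = struct.Struct("<32sQQI64s")   # data hash, offset, size, mode, path
HEAD = struct.Struct("<32s32sQ")      # signature, hash of entry table, entry count

def h(data):
    return hashlib.blake2b(data, digest_size=32).digest()

def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def build(key, files):
    """files: list of (path, mode, bytes); returns (head, entries, data)."""
    entries, data = b"", b""
    for path, mode, blob in sorted(files):   # fixed order => repeatable output
        entries += ENTRY.pack(h(blob), len(data), len(blob), mode, path.encode())
        data += blob
    body = h(entries) + struct.pack("<Q", len(files))
    return sign(key, body) + body, entries, data

def verify_head(key, head):
    """Stage 1: only the fixed-size header is needed to check the source."""
    sig, entries_hash, count = HEAD.unpack(head)
    if not hmac.compare_digest(sig, sign(key, head[32:])):
        raise ValueError("bad header signature")
    return entries_hash, count

def verify_entries(entries_hash, count, entries):
    """Stage 2: the entry table must match the hash certified in the header."""
    if len(entries) != count * ENTRY.size or h(entries) != entries_hash:
        raise ValueError("entry table does not match header")
    return [ENTRY.unpack_from(entries, i * ENTRY.size) for i in range(count)]

def verify_file(entry, data):
    """Stage 3: check one file's bytes against the hash stored in its entry."""
    digest, offset, size, mode, path = entry
    name = path.rstrip(b"\0").decode()
    blob = data[offset:offset + size]
    if len(blob) != size or not hmac.compare_digest(h(blob), digest):
        raise ValueError("data mismatch for " + name)
    return name, mode, blob
```

Each stage trusts only what the previous stage has already authenticated, so a modified file is rejected without affecting the verdict on the other files.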

Packages are inherently reproducible, meaning that creating a package for a specific directory will always result in an identical package. After installation, only metadata is saved in the system, which is sufficient to reconstruct the package from the installed data (the composition of the package, checksums, paths and access rights are contained in the metadata).

Main goals of pkgar:

  • Atomicity - updates are applied atomically whenever possible.
  • Traffic savings - data is transferred over the network only when the hash changes (during updating, only changed files are downloaded).
  • High performance - fast cryptographic algorithms are used (blake3 supports parallel data processing when calculating hashes). If the data from the repository has not previously been cached, a hash for the downloaded data can be calculated at download time.
  • Minimalistic - Unlike other formats, pkgar only includes the metadata needed to extract the package.
  • Independence of the installation directory - the package can be installed in any directory, by any user (the user must have write permission to the selected directory).
  • Security - packages are always cryptographically verified, and verification is performed before any actual operations are carried out on the package (the header is downloaded first and, if the digital signature is correct, data is downloaded into a temporary directory, which is moved to the target directory after verification).

Source: opennet.ru
