- Package metadata parsing (JSON)
- File, script, and config installation
- Installed package database (LMDB)
- Checksums: CRC32, MD5, SHA-256
- Package signing: PGP (gpgme) / libsodium
- Hardware-accelerated SHA-256 (x86_64 SHA-NI, AArch64 crypto, RISC-V Zknh)
- Optimized assembly for CRC32 and MD5 on all three architectures
- Dependency resolver (graph, topological sort)
- Conflict and circular dependency detection at install time
-
provides/replacessupport during resolution - API to query: what installing package X will break
- Rollback on post-install script failure
- Transaction journal in the database
- Public API for third-party tools to register installed packages
- Conflict-free parallel installs: no "package not installed" or "file busy" errors when multiple tools write to the DB simultaneously
- Lock-free read path for queries (list, search, get)
- Hooks: pre/post DB write callbacks for tools like custom package helpers
- Trust chain verification (keyring)
- Install policies: reject unsigned packages, trusted key list
- Sandboxed execution of install scripts (seccomp / namespaces)
- Audit log of all package operations
- ABI stabilization and documentation
- Bindings for other languages (Python, C++)
- Correctness tests: checksum fuzzing, installation unit tests
- pkg-config and CMake find module
- Atomic installation: all-or-nothing semantics