gitwtfhub

wtf is pm?

kelseyhightower/pm — explained in plain English

Analysis updated 2026-07-17 · repo last pushed 2014-10-04

45GoAudience · developerComplexity · 2/5DormantSetup · moderate

TL;DR

A lightweight Go package manager for self-contained binaries, build, sign, distribute, install, and verify standalone apps without dependency resolution.

Mindmap

mindmap
  root((repo))
    What it does
      Package binaries
      Sign and verify
      Install and remove
    Tech stack
      Go
      Cryptographic signing
    Use cases
      Distribute CLI tools
      Verify package authenticity
      Cache downloads locally
    Audience
      Developers
      Small teams shipping CLIs

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Package a self-contained binary with a metadata file and private key, producing a signed archive.

REASON 2

Distribute a CLI tool to customers with built-in checksum and signature verification.

REASON 3

Install and update a packaged binary from a URL or local file with local caching.

REASON 4

Verify downloaded packages against trusted public keys in a keyring before installing.

What's in the stack?

Go

How it stacks up

kelseyhightower/pmkelseyhightower/journal-2-logentriesmacan-dev/easysni
Stars454545
LanguageGoGoGo
Last pushed2014-10-042016-10-04
MaintenanceDormantDormant
Setup difficultymoderatemoderateeasy
Complexity2/52/53/5
Audiencedeveloperops devopsgeneral

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Only handles standalone binaries, no dependency resolution or shared library support, and hosting setup isn't documented.

Wtf does this do

pm is a lightweight package manager designed for self-contained binaries, programs that don't need extra dependencies installed to run. It handles the full lifecycle of distributing software: building packages from your binaries, downloading and installing them, listing what's installed, removing them, and verifying their authenticity. Think of it as a simple way to distribute and manage standalone applications without the overhead of traditional package systems. The workflow is straightforward. When building a package, you point the tool at your binary, a metadata file, and a private key. It produces a compressed archive along with checksum and signature files for integrity and security. On the receiving end, someone can download or install packages from a URL or a local file. The tool caches downloads locally and skips re-downloading if the local copy is already up to date. It also supports cryptographic verification: you add trusted public keys to a keyring directory, then verify packages against those keys before installing them. This tool would appeal to teams or individuals who distribute self-contained binaries and want a clean, secure way to manage installation and updates. For example, a startup shipping a command-line tool to customers could use it to package, sign, and distribute each release. The end user could then install, verify, and update the tool with a few simple commands, without needing a complex package manager or worrying about missing dependencies. The project is notably minimal in scope. It doesn't try to handle dependency resolution, shared libraries, or complex installation environments, it's built specifically for binaries that run on their own. This makes it easy to understand and use, but limits it to scenarios where that simplicity fits. The README doesn't go into detail about supported platforms beyond an example showing macOS and AMD64 architecture in filenames, and it doesn't explain how hosting or serving packages at remote URLs should be set up.

Yoink these prompts

Prompt 1
Show me the pm command to package my Go binary with a metadata file and sign it with my private key.
Prompt 2
Help me set up a keyring directory and verify a downloaded package against a trusted public key using pm.
Prompt 3
I'm distributing a CLI tool to customers, walk me through building, signing, and hosting a package with pm.
Prompt 4
Explain how pm's local caching avoids re-downloading a package that's already up to date.

Frequently asked questions

wtf is pm?

A lightweight Go package manager for self-contained binaries, build, sign, distribute, install, and verify standalone apps without dependency resolution.

What language is pm written in?

Mainly Go. The stack also includes Go.

Is pm actively maintained?

Dormant — no commits in 2+ years (last push 2014-10-04).

How hard is pm to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is pm for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.