How Ingestion Works

APM’s magic lies in how it transforms a single-file AppImage into a managed, deduplicated application.

1. Extraction

When you run apm install, the AppImage’s SquashFS filesystem is extracted. APM handles both Type 1 and Type 2 AppImages.

2. Deduplication (CAS)

Every extracted file is passed through the Content-Addressed Store. APM calculates the SHA-256 hash of each file. If a file (like a shared library) already exists in the store, the new copy is discarded. This is why installing ten Electron apps doesn’t take ten times the space.
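The deduplication step above, as an added example that is not APM's own code: files are streamed through SHA-256, stored once under their digest, and symlinks are recorded without being followed. The store layout, the function names and the two constructed app trees are assumptions made for illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:          # stream: bundled libraries can be large
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def ingest(extracted_root, store_root):
    """Move regular files into the store; return (manifest, stats).
    Symlinks are recorded by target and never followed or hashed."""
    root, store = Path(extracted_root), Path(store_root)
    manifest, stats = {}, {"stored": 0, "deduplicated": 0}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                manifest[rel] = ("symlink", os.readlink(path))
            elif path.is_file():
                digest = sha256_file(path)
                obj = store / digest[:2] / digest[2:]   # assumed store layout
                if obj.exists():
                    path.unlink()                       # duplicate: discard new copy
                    stats["deduplicated"] += 1
                else:
                    obj.parent.mkdir(parents=True, exist_ok=True)
                    shutil.move(path, obj)
                    obj.chmod(obj.stat().st_mode & 0o555)  # shared object: read-only
                    stats["stored"] += 1
                manifest[rel] = digest
    return manifest, stats

def demo():
    """Constructed input: two fake app trees bundling identical library bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        results = []
        for app, main in (("app-a", b"main A"), ("app-b", b"main B")):
            root = Path(tmp, app)
            (root / "usr/lib").mkdir(parents=True)
            (root / "usr/lib/libshared.so").write_bytes(b"constructed library bytes")
            (root / "AppRun").write_bytes(main)
            os.symlink("../outside-the-tree", root / "escape")
            results.append(ingest(root, Path(tmp, "store")))
        return results
```

Because the store key covers content only, two files with identical bytes but different permissions share one object, so a real manifest would also need to record each file's mode.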

3. Sandboxing

APM scans the extracted contents (like .desktop files) and consults its verified metadata to generate an initial sandbox.args file. This file defines what the app can see and do via Sydbox.

Sydbox uses Landlock to restrict the app’s view of the filesystem without the need for complex namespaces or mounts.

4. Finalization

APM creates a small “AppRun” wrapper and symlinks it to ~/.local/bin/. You can now run the app just like any other system command, but with the benefits of Sydbox-powered sandboxing and deduplication.