This is exactly the right approach. I did this for my package manager.

It relies on a git repo branch for stable. There are yaml definitions of the packages including urls to their repo, dependencies, etc. Preflight scripts. Post install checks. And the big one, the signatures for verification. No binaries, rpms, debs, ar, or zip files.

What’s actually installed lives in a small SQLite database and searching for software does a vector search on each packages yaml description.

Semver included.

This was inspired by brew/portage/dpkg for my hobby os.