On Friday, July 18th, 2025, the Arch Linux team was notified that three AUR packages had been uploaded that contained malware. A few maintainers including myself took care of deleting these packages, removing all traces of the malicious code, and protecting against future malicious uploads.

While starting this post I realized I have been maintaining personal infrastructure for over a decade! Most of the things I’ve self-hosted is been for personal uses. Email server, a blog, an IRC server, image hosting, RSS reader and so on. All of these things has all been a bit all over the place and never properly streamlined. Some has been in containers, some has just been flat files with a nginx service in front and some has been a random installed Debian package from somewhere I just forgot.

In the recent blog post on the work funded by Sovereign Tech Fund (STF), we provided an overview of the "File Hierarchy for the Verification of OS Artifacts" (VOA) and the voa project as its reference implementation. VOA is a generic framework for verifying any kind of distribution artifacts (i.e. files) using arbitrary signature verification technologies. The voa CLI ⌨️ The voa project offers the voa(1) command line interface (CLI) which makes use of the voa(5) configuration file format for technology backends. It is recommended to read the respective man pages to get …

In 2024 the Sovereign Tech Fund (STF) started funding work on the ALPM project, which provides a Rust-based framework for Arch Linux Package Management. Refer to the project's FAQ and mission statement to learn more about the relation to the tooling currently in use on Arch Linux. The funding has now concluded, but over the time of 15 months allowed us to create various tools and integrations that we will highlight in the following sections. We have worked on six milestones with focus on various aspects of the package management ecosystem, ranging from formalizing, parsing and writing of …

Did you know you can have newlines in pathnames? The design is very human and this absolutely doesn't have any unforeseen consequences! Also a friendly reminder that you can store anything on a nameserver if you try hard enough. Originally posted by me on donotsta.re (2025-12-23)

2025 was a crazy simulation. A lot of glitches, plot twists and fun stuff™.

Same as last year, this is a summary of what I’ve been up to throughout the year. See also the recap/retrospection published by my friends (antiz, jvoisin, orhun). Uploaded 467 packages to Arch Linux Most of them being reproducible, meaning I provably didn’t abuse my position of compiling the binaries 35 of them are signal-desktop 29 of them are metasploit Made 53 uploads to Debian All of them being related to my work in the debian-rust team, that I’ve been a part of since 2018 …

With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the nvidia package with nvidia-open, nvidia-dkms with nvidia-open-dkms, and nvidia-lts with nvidia-lts-open. Impact: Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment. Intervention required for Pascal/older users: Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support: Uninstall the official nvidia, nvidia-lts, or nvidia-dkms packages. Install nvidia-580xx-dkms from the AUR Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention.

Peter Jung via arch-announce wrote: With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the 'nvidia' package with 'nvidia-open', 'nvidia-dkms' with 'nvidia-open-dkms', and 'nvidia-lts' with 'nvidia-lts-open'. Impact: Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment. Intervention required for Pascal/older users: Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support: Uninstall the official 'nvidia', 'nvidia-lts', or 'nvidia-dkms' packages. Install 'nvidia-580xx-dkms' from the AUR Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention. https://archlinux.org/news/nvidia-590-d … l-modules/

The following packages may require manual intervention due to the upgrade from 9.0 to 10.0: aspnet-runtime aspnet-targeting-pack dotnet-runtime dotnet-sdk dotnet-source-built-artifacts dotnet-targeting-pack pacman may display the following error failed to prepare transaction (could not satisfy dependencies) for the affected packages. If you are affected by this and require the 9.0 packages, the following commands will update e.g. aspnet-runtime to aspnet-runtime-9.0: pacman -Syu aspnet-runtime-9.0 pacman -Rs aspnet-runtime

Over the course of 2025, every single major cloud provider has failed. In June, Google Cloud had issues taking down Cloud Storage for many users. In late October, Amazon Web Services had a massive outage in their main hub, us-east-1, affecting many services as well as some people’s beds. A little over a week later Microsoft Azure had a [widespread outage][Azure outage] that managed to significantly disrupt train service in the Netherlands, and probably also things that matter. Now last week, Cloudflare takes down large swaths of the internet in a way that causes non-tech people to learn Cloudflare exists. And every single time, people share that one XKCD comic.

After Gandi was bought up and started taking extortion level prices for their domains I’ve been looking for an excuse to migrate registrar. Last week I decided to bite the bullet and move to Porkbun as I have another domain renewal coming up. However after setting up an account and paying for the transfer for 4 domains, I realized their DNS services are provided by Cloudflare! I personally do not use Cloudflare, and stay far away from all of their products for various reasons.

If you've ever tried to publish a package on PyPI, you might have encountered a quite interesting error message: error: Failed to publish [..] to https://upload.pypi.org/legacy/ Caused by: Upload failed with status code 400 Bad Request. Server says: 400 The name [..] is too similar to an existing project. See https://pypi.org/help/#project-name for more information. Sadly it's not very clear what "too similar" means in this context. Also there's no way to check if your name is acceptable before actually trying to upload the package. Luckily, PyPI warehouse is open source, so let's just check how the validation is implemented.

I think 2025 was a good year (for me, it would be hard to say it was that great in general). Well, it still is because as I'm writing this, it's 12th November. I wanted to wait for the end of the year before starting to draft this post, but well - I'm in the right mood, and it makes more sense to act instead of holding back (this is probably a foreshadowing).

The waydroid package prior to version 1.5.4-2 (including aur/waydroid) creates Python byte-code files (.pyc) at runtime which were untracked by pacman. This issue has been fixed in 1.5.4-3, where byte-compiling these files is now done during the packaging process. As a result, the upgrade may conflict with the unowned files created in previous versions. If you encounter errors like the following during the update: error: failed to commit transaction (conflicting files) waydroid: /usr/lib/waydroid/tools/__pycache__/__init__.cpython-313.pyc exists in filesystem waydroid: /usr/lib/waydroid/tools/actions/__pycache__/__init__.cpython-313.pyc exists in filesystem waydroid: /usr/lib/waydroid/tools/actions/__pycache__/app_manager.cpython-313.pyc exists in filesystem You can safely overwrite these files by running the following command: pacman -Syu --overwrite /usr/lib/waydroid/tools/\*__pycache__/\*

The dovecot 2.4 release branch has made breaking changes which result in it being incompatible with any <= 2.3 configuration file. Thus, the dovecot service will no longer be able to start until the configuration file was migrated, requiring manual intervention. For guidance on the 2.3-to-2.4 migration, please refer to the following upstream documentation: Upgrading Dovecot CE from 2.3 to 2.4 Furthermore, the dovecot 2.4 branch no longer supports their replication feature, it was removed. For users relying on the replication feature or who are unable to perform the 2.4 migration right now, we provide alternative packages available in [extra]: dovecot23 pigeonhole23 dovecot23-fts-elastic dovecot23-fts-xapian The dovecot 2.3 release branch is going to receive critical security fixes from upstream until stated otherwise.

I said when I made the announcement that there wasn’t any drama, and there still isn’t.

I've been meaning to write this post for some time now, well I've been meaning to write several posts for some time now so I thought - let's write one post that is especially hard to follow, that's even better right? What finally pushed me to write was yesterday's (as I'm writing this) pastagang birthday party. If you don't know what pastagang is, then this post is not about pastagang ...but you should get the idea by the end anyway (or just read pastagang.cc), this post will be quite chaotic. It's something different this time, a little bit more personal. I had quite a lot of "breakthroughs" this year and want to share this. Maybe, but just maybe you will find this relatable. I'm not an influencer. I am the only planned target audience for this post. If you are not me, add "maybe" to every "should" you read. Some of the things may not apply to you. You may even think this whole post is just plain wrong, and I'm fine with that. You are getting an almost unedited look at my stream of thoughts, and if you think that this post is a mess - thank goodness, this means you are not in my head but an actual human being, wheeeew.

rebuilderd v0.25.0 was recently released, this version has improved in-toto support for cryptographic attestations that this blog post briefly outlines. 😺 As a quick recap, rebuilderd is an automatic build scheduler that emerged in 2019/2020 from the Reproducible Builds project doing the following: Track binary packages available in a Linux distribution Attempt to compile the official binary packages from their (alleged) source code Check if the package we compiled is bit-for-bit identical If so, mark it GOOD, issue an attestation In every other case, mark it BAD, generate a diffoscope …

https://archlinux.org/news/recent-services-outages/

We want to provide an update on the recent service outages affecting our infrastructure. The Arch Linux Project is currently experiencing an ongoing denial of service attack that primarily impacts our main webpage, the Arch User Repository (AUR), and the Forums. We are aware of the problems that this creates for our end users and will continue to actively work with our hosting provider to mitigate the attack. We are also evaluating DDoS protection providers while carefully considering factors including cost, security, and ethical standards. To improve the communication around this issue we will provide regular updates on our service …

Starting with 7.4.1-2, the following Zabbix system user accounts (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared zabbix user account (as originally intended by upstream and done by other distributions): zabbix-server zabbix-proxy zabbix-agent (also used by the zabbix-agent2 package) zabbix-web-service This shared zabbix user account is provided by the newly introduced zabbix-common split package, which is now a dependency for all relevant zabbix-* packages. The switch to the new user account is handled automatically for the corresponding main configuration files and systemd service units. However, manual intervention may be required if you created custom files or configurations referencing to and / or being owned by the above deprecated users accounts, for example: PSK files used for encrypted communication Custom scripts for metrics collections or report generations sudoers rules for metrics requiring elevated privileges to be collected ... Those should therefore be updated to refer to and / or be owned by the new zabbix user account, otherwise some services or user parameters may fail to work properly, or not at all. Once migrated, you may remove the obsolete user accounts from your system.

Since GNOME 48, users can now preserve their battery health directly from GNOME Settings. Currently, this feature only works on laptops that support both start and end charge thresholds, such as ThinkPads. Ideally, we’d like to support every laptop with any form of charge threshold control but that isn't …

In Arch Linux, as part of RFC40, we have recently decided to license all Arch Linux package sources as 0BSD. Our package sources didn't have any license previously. RFC40 only specified that we do want to license our package sources but it didn't specify how to ensure this. As such, in RFC52 we decided we want to use REUSE to achieve that. NOTE: It might be a bit confusing that our PKGBUILD files also have a license field. However, this field specifies the upstream license, i.e. the license of the software that we package. It does not specify …

In October 2024 a team of dedicated developers has started work on the ALPM project. Since then it has been focusing on writing new documentation on many aspects of Arch Linux Package Management that were not thoroughly documented in the past. This article provides an overview of the specifications written by this project and attempts to contextualize them for the reader. The existing stack 📚 With its bash based makepkg tool for package creation, the libalpm C library for interfacing with system state and the central pacman package management tool, the pacman project has defined the …

With 20250613.12fe085f-5, we split our firmware into several vendor-focused packages. linux-firmware is now an empty package depending on our default set of firmware. Unfortunately, this coincided with upstream reorganizing the symlink layout of the NVIDIA firmware, resulting in a situation that Pacman cannot handle. When attempting to upgrade from 20250508.788aadc8-2 or earlier, you will see the following errors: linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad103 exists in filesystem linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad104 exists in filesystem linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad106 exists in filesystem linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad107 exists in filesystem To progress with the system upgrade, first remove linux-firmware, then reinstall it as part of the upgrade: # pacman -Rdd linux-firmware # pacman -Syu linux-firmware

On Plasma 6.4 the wayland session will be the only one installed when the users does not manually specify kwin-x11. With the recent split of kwin into kwin-wayland and kwin-x11, users running the old X11 session needs to manually install plasma-x11-session, or they will not be able to login. Currently pacman is not able to figure out your personal setup, and it wouldn't be ok to install plasma-x11-session and kwin-x11 for every one using Plasma. tldr: Install plasma-x11-session if you are still using x11

We are transitioning the wine and wine-staging package to a pure wow64 build. This change removes the dependency on the multilib repository for wine and wine-staging. The main reason for this is to align with upstream Wine development, which simplifies packaging and the dependency chain. Potential Issues: OpenGL Performance: A known limitation of the new WoW64 mode is reduced performance for 32-bit applications that use OpenGL directly Breaking Changes: Existing 32-bit prefixes needs to be recreated If you are facing issues with 32 bit prefixes, please recreate these and reinstall the application.

This series is meant to document and promote the joint effort of making ratatui truly portable. Ratatui alpha with no-std support released!

Ratatui v0.30 will introduce block border merging, a feature that previously required manual handling.

I went to Berlin for a music event and here is what happened.

This series is meant to document and promote the joint effort of making ratatui truly portable. Update: no_std ratatui

Ratatui gave us beautiful TUIs. Ratzilla expanded it to the web. But why shall we stop there? Why shall we stop anywhere? Are We Embedded Yet? This series is meant to document and promote the joint effort of making ratatui truly portable.

April is usualy tax season for most people in Norway, and as I got some “money back on the skætt” I wound up purchasing an OpenWrt One to replace my 13-14 year old Asus router. I’ve been meaning to learn a bit more about networking in general and getting an OpenWrt router seemed like a fun project. Last year I bought a Beryl AX from GL-Inet as I was travelling for a few weeks.

Valkey, a high-performance key/value datastore, will be replacing redis in the [extra] repository. This change is due to Redis modifying its license from BSD-3-Clause to RSALv2 and SSPLv1 on March 20th, 2024[0]. Arch Linux Package Maintainers intend to support the availability of the redis package for roughly 14 days from the day of this post, to enable a smooth transition to valkey. After the 14 day transition period has ended, the redis package will be moved to the AUR. Also, from this point forward, the redis package will not receive any additional updates and should be considered deprecated until it is removed. Users are recommended to begin transitioning their use of Redis to Valkey as soon as possible to avoid possible complications after the 14 day transition window closes. [0] https://github.com/redis/redis/commit/0b34396924eca4edc524469886dc5be6c77ec4ed

Last Thursday Rust 1.85 was released, and with it, edition 2024 has dropped. The new edition is significantly larger than the two editions that preceded it, and contains many small but significant quality of life improvements to the language. In this post, I’d like to explain what an edition is, and summarize all the changes that were made to the language I love. If you need the details, I recommend reading the edition guide, but for a general overview, read on.

Around two years ago, we've merged the [community] repository into [extra] as part of the git migration. In order to not break user setups, we kept these repositories around in an unused and empty state. We're going to clean up these old repositories on 2025-03-01. On systems where /etc/pacman.conf still references the old [community] repository, pacman -Sy will return an error on trying to sync repository metadata. The following deprecated repositories will be removed: [community], [community-testing], [testing], [testing-debug], [staging], [staging-debug]. Please make sure to remove all use of the aforementioned repositories from your /etc/pacman.conf (for which a .pacnew was shipped with pacman>=6.0.2-7)!

In the cold of December we have but one thing to keep us warm: our laptops, trying to solve Advent of Code puzzles with inefficient algorithms. This year, 2024, is the tenth edition, and the puzzles are filled with more Easter eggs than ever before. Unfortunately, I’m not interested in Easter eggs, or solving the puzzles. I am a DevOps engineer, and I’m going to apply Infrastructure as Code principles to Advent of Code.

We plan to move glibc and its friends to stable later today, Feb 3. After installing the update, the Discord client will show a red warning that the installation is corrupt. This issue has been fixed in the Discord canary build. If you rely on audio connectivity, please use the canary build, login via browser or the flatpak version until the fix hits the stable Discord release. There have been no reports that (written) chat connectivity is affected.

We'd like to raise awareness about the rsync security release version 3.4.0-1 as described in our advisory ASA-202501-1. An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt. We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed. All infrastructure servers and mirrors maintained by Arch Linux have already been updated.

Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot, me being gentle with myself I’ll probably just permit myself to complete this list the next couple of days. I hate bragging, I try to not depend on external validation as much as possible, and being the anti-capitalist that I am, I try to be content with knowing I’m …

A eulogy for the greatest dog of all, and a friend I will never forget.

Like my blog? Here is how I set it up.

Arch Linux hasn't had a license for any package sources (such as PKGBUILD files) in the past, which is potentially problematic. Providing a license will preempt that uncertainty. In RFC 40 we agreed to change all package sources to be licensed under the very liberal 0BSD license. This change will not limit what you can do with package sources. Check out the RFC for more on the rationale and prior discussion. Before we make this change, we will provide contributors with a way to voice any objections they might have. Starting on 2024-11-19, over the course of a week, contributors will receive a single notification email listing all their contributions. If you receive an email and agree to this change, there is no action required from your side. If you do not agree, please reply to the email and we'll find a solution together. If you contributed to Arch Linux packages before but didn't receive an email, please contact us at package-sources-licensing@archlinux.org.

After Turkey banned Discord, I had to jump through some hoops, fix my VPN, and learn a bit about how DNS works.

A collection of facts about yours truly. Guaranteed to be as accurate as my memory.

With the release of version 7.0.0 pacman has added support for downloading packages as a separate user with dropped privileges. For users with local repos however this might imply that the download user does not have access to the files in question, which can be fixed by assigning the files and folder to the alpm group and ensuring the executable bit (+x) is set on the folders in question. $ chown :alpm -R /path/to/local/repo Remember to merge the .pacnew files to apply the new default. Pacman also introduced a change to improve checksum stability for git repos that utilize .gitattributes files. This might require a one-time checksum change for PKGBUILDs that use git sources.

Some thoughts on why I started livestreaming my open-source development sessions and my future plans.

In the previous article I investigated how to create a reproducible image but ended up with only managing to create two identical image directories. In this article we'll end up with a fully bit-by-bit reproducible filesystem image! Some things have changed since the last post, mkosi now no longer creates …

The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features. After being a bit inspired by some ideas from people at work, the hackerspace and toots on mastodon, I figure out a SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.

Arch Linux in August 2024 # Staff # We would like to welcome Quentin Michaud as part of the Arch Linux Package Maintainer team. RFC # A previously proposed Distribution Developer Manual RFC has been accepted with the intention to document how to run the distribution while leveraging GitLab’s collaboration features and streamlined workflows for maintaining and evolving the resulting specifications. We have proposed an RFC to license all Arch Linux package sources under the terms of the Zero-Clause BSD license.

A while ago I saw a post on LinkedIn that piqued my interest, not because it was any good, but because it was impressively wrong. It claimed that, to quote, “if every email user deleted just 10 emails, it would save enough electricity to power millions of households each year”. This is not only wrong, it is obviously wrong. In this post, I’d like to dive into why it’s wrong, how one might come to think it’s right, and perhaps what better message you could put out there to save the planet.

I've blogged before about creating vagrant images using mkosi as part of an investigation to move image creation to mkosi but also as I will be giving a talk at All Systems Go about Arch Linux images mkosi and reproducibility. With reproducible images in this article I mean that anyone …

Arch Linux in July 2024 # Pacman # Pacman v7.0.0 has been released as a major feature version. A new DownloadUser configuration option allows for dropping privileges when downloading files to a temporary directory. On top of this security measure, the new Landlock sandbox also prevents writing outside the restricted download directory. Additionally, makepkg removes GITFLAGS support, as it required breaking changes to git source handling. Furthermore this release addresses unstable git checksumming influenced by specific user configuration. On top, it now prevents PKGBUILD from overriding BUILDENV to avoid undesired side effects.

Last FOSDEM, there where some talks around mkosi using it for kernel hacking and systemd integration tests. These talks got me interested in mkosi, a systemd project for building OS images. After chatting some more with the maintainers, I considered the idea of moving the arch-boxes project to mkosi. (note …

After upgrading to openssh-9.8p1, the existing SSH daemon will be unable to accept new connections (see https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5). When upgrading remote hosts, please make sure to restart the sshd service using systemctl try-restart sshd right after upgrading. We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.

Arch Linux in June 2024 # archinstall # The archinstall v2.8.1 update has been released, featuring several bug fixes and improvements to partitioning and desktop profiles, along with the introduction of experimental LVM support and the addition of Finnish translation. ArchWeb # ArchWeb 2024-06-12 has been rolled out, which includes an update to Django’s latest major version, Django 5.0 as well as small improvements within our Ruff configuration used as our Python linter.

Arch Linux in May 2024 # Staff # We would like to welcome Bert Peters (bertptrs) as well as Giovanni Harting (anonfunc) as part of the Arch Linux Package Maintainer team. RFC # An RFC has been accepted to introduce “Arch Linux Ports” as testbed for unofficial architectures until they are integrated in the main Arch Linux repositories. devtools # We have released devtools v1.2.0, featuring several new enhancements and improvements. This release includes distro flag changes, notably the addition of no-omit-frame-pointer flags and _FORTIFY_SOURCE level 3.

Rationale Emacs users try to avoid leaving their editor for other tasks. There is an shell (Eshell: The Emacs Shell), an integration into Secret Service API (Emacs auth-source Library 0.3) and countless other integrations. Search is a central element of the Gnome desktop environment. Many applications implement the Search Provider dbus interface to provide suitable results. The aim of this package is to make these search results also available within the Emacs editor.

I went on a trip to Mongolia to find out the meaning behind my name.

Arch Linux in April 2024 # Staff # Project Leader Election # Recently, we held our Arch Linux Project Leader election, and the current Project Leader, Levente “anthraxx” Polyák, was the sole nominee. As per our election rules, he has been re-elected for another term. Congratulations to Levente, and we wish him continued success in his leadership! RFC # An RFC has been accepted to grant all Arch Linux staff members, not limited to those in packaging roles, the privilege to initiate RFCs directly, aligning with the broad range of topics these documents encompass.

Recently we held our leader election, and the previous Project Leader Levente "anthraxx" Polyák ran again while no other people were nominated for the role. As per our election rules he is re-elected for a new term. The role of of the project lead within Arch Linux is connected to a few responsibilities regarding decision making (when no consensus can be reached), handling financial matters with SPI and overall project management tasks. Congratulations to Levente and all the best wishes for another successful term! 🥳

Let's delve into the realm of open source funding along with Ratatui's journey.

The vm.max_map_count paramater will be increased from the default 65530 value to 1048576. This change should help address performance, crash or start-up issues for a number of memory intensive applications, particularly for (but not limited to) some Windows games played through Wine/Steam Proton. Overall, end users should have a smoother experience out of the box with no expressed concerns about potential downsides in the related proposal on arch-dev-public mailing list. This vm.max_map_count increase is introduced in the 2024.04.07-1 release of the filesystem package and will be effective right after the upgrade. Before upgrading, in case you are already setting your own value for that parameter in a sysctl.d configuration file, either remove it (to switch to the new default value) or make sure your configuration file will be read with a higher priority than the /usr/lib/sysctl.d/10-arch.conf file (to supersede the new default value).

Okay, sorry for the clickbait. NixOS is not reproducible according to the Reproducible Builds definition. I keep reading people making this claim repeatedly on orange-site, even LWN.net made a similar claim when writing about Nix and Guix earlier this week.1 Along with their recently launched wiki. So, what is the Reproducible Builds definition?2 When is a build reproducible? A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

Arch Linux in March 2024 # Staff # We would like to welcome Carl Smedstad as part of the Arch Linux Package Maintainer team. Furthermore, we would like to welcome svartkanin as Support Staff for the archinstall project, assisting with issue tracking and handling of merge requests. Project Leader Election # The 2024 Arch Linux Project Leader election process has started, with the nomination period now officially open for candidate submissions.

TL;DR: Upgrade your systems and container images now! As many of you may have already read (one), the upstream release tarballs for xz in version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor. This vulnerability is tracked in the Arch Linux security tracker (two). The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor. The following release artifacts contain the compromised xz: installation medium 2024.03.01 virtual machine images 20240301.218094 and 20240315.221711 container images created between and including 2024-02-24 and 2024-03-28 The affected release artifacts have been removed …

Please join me in extending our profound "Thank you"s to 2ManyDogs who has hung up their ban hammer and now joins other former moderators in the infamous Fellows Taco Lounge. In addition, it is my extreme pleasure to welcome Schard as our newest moderation team member.

Please see the Arch main page announcement and take appropriate action. https://archlinux.org/news/the-xz-packa … ackdoored/

We hope y'all had a good start in the new year of 2024 — With the new year usually come new resolutions. If you don't have any so far, we have one for you: What if you decided to give Arch a bit of help with testing package updates this year? Arch uses testing repositories as a buffer for core/critical package updates (or any other package updates that would benefit from being tested first) before entering the stable repositories. Testing these package updates helps us to catch more bugs upfront and ensures flawless updates for the stable repos, and that is where you can help! By joining the official Arch Linux Testing Team, you'll get the ability to "sign off" packages in testing after vouching for their correctness (or reporting a bug otherwise). This helps Arch Package Maintainers catching eventual bugs upfront and helps to move packages out of the testing repositories faster and more efficiently. We are not necessarilly looking for in depth testing. Verifiying that a program launches correctly and that you're able to perform your usual routine with it is already a good test on its own. You can also check the general testing guidelines. This is a very effective and rather easy way to contribute to Arch Linux. The more testers we have, the more reliable packages updates will be. We hope to see some of you there, also join us on IRC on Libera in #archlinux-testing!

With the release of mkinitcpio v38, several hooks previously provided by Arch packages have been moved to the mkinitcpio upstream project. The hooks are: systemd, udev, encrypt, sd-encrypt, lvm2 and mdadm_udev. To ensure no breakage of users' setup occurs, temporary conflicts have been introduced into the respective packages to prevent installing packages that are no longer compatible. The following packages needs to be upgraded together: mkinitcpio 38-2 systemd 255.4-2 lvm2 2.03.23-3 mdadm 4.3-2 cryptsetup 2.7.0-3 Please note that the mkinitcpio flag --microcode, and the microcode option in the preset files, has been deprecated in favour of a new microcode hook. This also allows you to drop the microcode initrd lines from your boot configuration as they are now packed together with the main initramfs image.

Arch Linux in February 2024 # Staff # We would like to welcome Vincent Dahmen (wahrwolf) as Arch Linux Support Staff with their new role as Mirror Admin. On top we would like to welcome andreymal and codingkoopa to their new role as ArchWiki Maintainers. Additionally, we would like to congratulate Christian Heusel (gromit) on his promotion to a full DevOps member. Testing Team # In early February, we issued a call for participation about joining the Arch Testing Team which was also shared on the Forum, Mastodon, Reddit and IRC. The response was overwhelmingly positive, with over 60 new testing accounts created, significantly extending our capacity for more reliable package update testing! For those who haven’t joined yet, there’s still time! 😉

Sharing my experience after giving a talk at FOSDEM 2024!

Arch Linux in January 2024 # Staff # We would like to welcome Vladimir LAVALLADE (Erus Iluvatar) to their new role as ArchWiki Administrator. Infrastructure # The DevOps team has recently provisioned a new EPYC 9454P build server for Arch Linux packaging. This high-performance server is meant to streamline the packaging process, ensuring more efficient building of resource hungry package builds. mkinitcpio # mkinitcpio v37.2 and v37.3 have been released.

As someone who has to use a laptop for work, I keep my laptop plugged in 8 hours or more a day, 7 days a week. The laptop's battery during these days would discharge and charge, slowly degrading the battery because only the last ~ 20% would be charged and discharged …

I recently realized stdout is much faster than stderr for Rust. Here are my findings after diving deep into this rabbit hole.

We are making dbus-broker our default implementation of D-Bus, for improved performance, reliability and integration with systemd. For the foreseeable future we will still support the use of dbus-daemon, the previous implementation. Pacman will ask you whether to install dbus-broker-units or dbus-daemon-units. We recommend picking the default. For a more detailed rationale, please see our RFC 25.

Chromecast is one of those devices I just generally use a lot. They are small practical and enables me to stream video or music to my TV from multiple devices. But it also requires you to have a supported browser or video player. This is obviously a bit boring. There has been multiple command line chromecast streamers through the years. But their ffmpeg usage has been shoddy at best with no hardware decoding support and usually quite bad implementations.

For the ninth December in a row, I’m playing with Advent of Code. Advent of Code is a series of 50 puzzles published by Eric Wastl, where you try to solve Christmas from some far-fetched horror. Every day from December 1st to December 25th, two puzzles become available, but the second is revealed only after you provide the answer to the first. In this post I will go over how you can solve them, and hopefully some interesting concepts along the way.

Arch Linux in December 2023 # Staff # We would like to welcome Jakub Klinkovský (lahwaacz) as part of the Arch Linux Package Maintainer team. User meetup # During the 37th Chaos Communication Congress (37C3), we hosted a user meetup. At this event, we presented our latest achievements and developments. Additionally, we held an open Q&A session to engage and connect with our community. dbscripts # We performed a thorough cleanup of the codebase, removing all legacy SVN functionality that is no longer necessary.

Arch Linux in November 2023 # Arch Summit 2023 # The Arch Summit took place in Hamburg, Germany, on November 4th and 5th, bringing together Arch Linux staff and invited guests. The summit provided an opportunity for the staff to connect, socialize, and delve into discussions regarding various aspects of our distro. A range of topics were explored including but not limited to infrastructure and mirror management, rebuilders for packages, signing enclave, mkinitcpio, packaging tooling improvements, and community building.

We are happy to announce that the migration of the bugtracker to GitLab is done! 🥳 Thanks to everyone who has helped during the migration! This means the issue tracker and merge requests on the GitLab package repos are now enabled. The old bugtracker will subsequently be closed down. For archiving reasons there will be a static copy so that links (for example the randomly picked Task #56716) are still stable, migrated bugs have a closing comment pointing to the new URL on GitLab. Packaging bugs are now opened on the repo hosting the corresponding packaging sources, the "Add a new Bug" button on the package page on archlinux.org will automatically direct you to the correct place to open the issue. The workflow afterwards is mostly the same, first our Bug Wranglers will have a look at the issues and triage them, and then they will be handed over to the respective Package Maintainers to fix. A list of all issues can be found here. If you do not have an account for GitLab already (which authenticates against our SSO service), please write us a mail with your desired username to accountsupport@archlinux.org as advised in the banner.

Arch Linux in October 2023 # Staff # We would like to welcome Christian Heusel (gromit) to the Arch Linux DevOps team, expanding his responsibilities. bugbuddy # The initial version of Bugbuddy, our GitLab bug bot, has been introduced. This tool assigns package maintainers to confirmed GitLab issues in the packaging group. Notably, the code has undergone substantial improvement, now operating as a daemon process that can promptly respond to GitLab webhook calls.

In Grants for Operating Systems I discussed my journey through the grant application writing business since beginning of last year. To keep things light and somewhat focused, I left out a topic, that I would like to write about in more detail in the following sections. It's about selection bias in grants provided by Next Generation Internet (NGI), that can be applied for directly or through NLnet. Read more… (11 min remaining to read)

Over the past years I have written (unsuccessful) funding applications for free software projects, associated with the Arch Linux Operating System. This article is about my experiences with applying for numerous funds and my advice for people trying to get their work funded. TL;DR: Writing funding applications is extremely tedious and the selection process mostly intransparent and discouraging. Depending on what you apply for and who you apply with, you may never get funding due to other, additional factors. Read more… (8 min remaining to read)

We are introducing a change in JDK/JRE packages of our distro. This is triggered from the way a JRE is build in modern versions of Java (>9). We are introducing this change in Java 21. To sum it up instead of having JDK and JRE packages coexist in the same system we will be making them conflict. The JDK variant package includes the runtime environment to execute Java applications so if one needs compilation and runtime of Java they need only the JDK package in the future. If, on the other hand, they need just runtime of Java then JRE (or jre-headless) will work. This will (potentially) require a manual user action during upgrade: If you have both JDK and JRE installed you can manually install the JDK with pacman -Syu jdk-openjdk and this removes the JRE related packages. If you have both JRE and JRE-headless you will need to choose one of them and install it manually since they would conflict each other now. If you only have one of the JDK/JRE/JRE-headless pacman should resolve dependencies normally and no action is needed. At the moment this is only valid for the upcoming JDK 21 release.

Here is how you can publish a Rust project with a single click of a button and automate everything.

Arch Linux in September 2023 # Staff # We would like to welcome Fabian Bornschein (fabiscafe) as part of the Arch Linux Package Maintainer team. Bug weekend # During the 1st to 3rd of September, we conducted a bug weekend with the aim of resolving old bugs and implementing proposed solutions. This effort not only reduced the backlog but also contributed to streamlining the upcoming bug tracker migration, resulting in the resolution of approximately 200 bugs.

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”.

With shadow >= 4.14.0, Arch Linux's default password hashing algorithm changed from SHA512 to yescrypt. Furthermore, the umask settings are now configured in /etc/login.defs instead of /etc/profile. This should not require any manual intervention. Reasons for Yescrypt The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam) and its stronger resilience towards password cracking attempts over SHA512. Although the winner of the Password Hashing Competition has been argon2, this algorithm is not yet available in libxcrypt …

Having a full Linux mobile or tablet device has always interested me, to have an alternative to Android and use Arch Linux everywhere. Realistically I won't be able to give up Android on my phone, but what about tablet's? Phosh was developed to be a graphical user interface for mobile …

Arch Linux in August 2023 # Staff # We would like to welcome Tomaz Canabrava (tcanabrava) as part of the Arch Linux Package Maintainer team. AURWeb # In AURWeb v6.2.7, we primarily focused on bug fixes while revamping Prometheus metrics. We introduced new measures like request tracking and cache-hit/miss ratios for search queries, enhancing our ability to make development decisions and aiding the AUR moderation team in identifying trends.

In the past, I have used Weechat with Weechat and IRC relays. Since, I have switched to ChromeOS, I disabled the IRC relay, because I switched to the Weechat Android App on ChromeOS. Nevertheless, I was never 100% happy with the Weechat relay. The relay usually works via a shared password and access to this relay is equal to SSH access. Hence, I have decided to switch to SSH tunneling. With SSH tunneling, I am able to use SSH keys for authentication.

Let's take a look at what is new in the new version of "Ratatui" and how it became the successor of tui-rs.

As of ansible-core 2.15.3, upstream moved documentation and examples to a separate dedicated repository (see the related changelogs). This means that, starting from version 2.15.3 the ansible-core package will stop shipping documentation and a default configuration example under /etc/ansible/ansible.cfg. Regarding the documentation, it is available online: https://docs.ansible.com/ As for the configuration file, as explained in the wiki, a base config can be generated with the following command: ansible-config init --disabled > ansible.cfg After updating from ansible-core <= 2.15.2-1 to >= 2.15.3-1, everyone using a custom global Ansible configuration file stored under /etc/ansible/ansible.cfg will have their configuration saved as a pacsave file. To restore it, run the following command: mv /etc/ansible/ansible.cfg.pacsave /etc/ansible/ansible.cfg

Next.JS is a fairly nice way of building a multi-page, mostly statically rendered website with React and making it make sense. It actually solves the problem of “what if a React app was not a Single Page Application” pretty well, but it’s somewhat particular about how it wants to be deployed.

I am a big fan of LUKS encrypted USB sticks. They are easy to make and easy to handle on most Linux systems. ChromeOS is one of these systems, where I had trouble with LUKS encrypted USB sticks or block devices in general. Although ChromeOS is capable to mount a various number of filesystems, it has no idea what to do with a LUKS encrypted USB stick. The first idea most people have is launching a Crostini container and decrypting the USB stick via cryptsetup.

Hello friend, long ago I have ditched Arch Linux for my main operating systems and switched to ChromeOS with Arch Linux in Crostini. For a long time this setup worked fine, until I encountered a few issues with Arch Linux and Yubikeys. In this article, I would like to show you how I setup my Yubikey on Arch Linux running in Crostini within ChromeOS. First, we have to ensure that /etc/polkit-1/rules.

Arch Linux in July 2023 # Staff # We would like to welcome Mario Oenning (moson) as new Arch Linux Support Staff Member. devtools # arch-nspawn is now utilizing a distinct scope name instead of the previous --keep-unit approach. This allows for the creation of a dedicated scope, placing the container within a slice hierarchy which allows a more precise resource control. This enhancement will be part of the next release.

"Ratatui" is a Rust library for building rich terminal user interfaces. In this post, I'm sharing what's new in the latest version and also a fun way to easily create terminal user interfaces in a jiffy.