Arch Linux in February 2023
Git packaging sources
All major workflow and usability requirements for the
https://monthly-reports.archlinux.page/2023/02/
#planetarch
Git packaging sources
All major workflow and usability requirements for the
pkgctl tooling have been finished and a experimental devtools-git-poc package has been put into the repositories. Furthermore the proof of concept sandbox environment has been set up and rolled out to anyone interested in testing. In the current phase we will collect feedback to catch bugs and further usability improvements [0]. We are still very eagerly seeking for more testers.https://monthly-reports.archlinux.page/2023/02/
#planetarch
👍1
Zig Bits 0x2: Using defer to defeat memory leaks
Let's talk about how to detect memory leaks in Zig and avoid them by using the
https://blog.orhun.dev/zig-bits-02/
#planetarch
Let's talk about how to detect memory leaks in Zig and avoid them by using the
defer statement.https://blog.orhun.dev/zig-bits-02/
#planetarch
Setting up a packaging environment for Alpine Linux (introducing alpkg)
Recently I have been interested in Alpine Linux and thought it would be nice to maintain some Rust packages in their repositories. In this post, I will share my notes/adventures on setting up a packaging environment and a tool called "alpkg" for automating this process.
https://blog.orhun.dev/alpine-packaging-setup/
#planetarch
Recently I have been interested in Alpine Linux and thought it would be nice to maintain some Rust packages in their repositories. In this post, I will share my notes/adventures on setting up a packaging environment and a tool called "alpkg" for automating this process.
https://blog.orhun.dev/alpine-packaging-setup/
#planetarch
👍3
Writing a Linux executable from scratch with x86_64-unknown-none and Rust
I recently mentioned on the internet I did work in this direction and a friend of mine asked me to write a blogpost on this. I didn’t blog for a long time (keeping all the goodness for myself hehe), so here we go. 🦝 To set the scene, let’s assume we want to make an exectuable binary for x86_64 Linux that’s supposed to be extremely portable. It should work on both Debian and Arch Linux. It should work on systems without glibc like Alpine Linux. It should even work in a FROM scratch Docker container. In a more serious setting …
https://vulns.xyz/2023/03/linux-executable-from-scratch-with-x86_64-unknown-none-rust/
#planetarch
I recently mentioned on the internet I did work in this direction and a friend of mine asked me to write a blogpost on this. I didn’t blog for a long time (keeping all the goodness for myself hehe), so here we go. 🦝 To set the scene, let’s assume we want to make an exectuable binary for x86_64 Linux that’s supposed to be extremely portable. It should work on both Debian and Arch Linux. It should work on systems without glibc like Alpine Linux. It should even work in a FROM scratch Docker container. In a more serious setting …
https://vulns.xyz/2023/03/linux-executable-from-scratch-with-x86_64-unknown-none-rust/
#planetarch
March
Arch Linux in March 2023 # Git packaging sources # We have improved a lot of pieces in pkgctl according to the feedback from the sandbox environment. Most notably it is possible to provide GitLab tokens via the DEVTOOLS_GITLAB_TOKEN environment variable, pass nocheck to the build command for bootstrap builds, handle subrelease pkgrels as well as several bugfixes. We are doing another round of testing and would like to proceed with the rollout afterwards.
https://monthly-reports.archlinux.page/2023/03/
#planetarch
Arch Linux in March 2023 # Git packaging sources # We have improved a lot of pieces in pkgctl according to the feedback from the sandbox environment. Most notably it is possible to provide GitLab tokens via the DEVTOOLS_GITLAB_TOKEN environment variable, pass nocheck to the build command for bootstrap builds, handle subrelease pkgrels as well as several bugfixes. We are doing another round of testing and would like to proceed with the rollout afterwards.
https://monthly-reports.archlinux.page/2023/03/
#planetarch
👍3
Zig Bits 0x3: Mastering project management in Zig
In this post, I'm sharing tips & tricks about managing/maintaining an open-source Zig project and mentioning the commonly used practices. I'm also giving a brief introduction to my first-ever Zig project "**linuxwave**" which led to the writing of this series.
https://blog.orhun.dev/zig-bits-03/
#planetarch
In this post, I'm sharing tips & tricks about managing/maintaining an open-source Zig project and mentioning the commonly used practices. I'm also giving a brief introduction to my first-ever Zig project "**linuxwave**" which led to the writing of this series.
https://blog.orhun.dev/zig-bits-03/
#planetarch
Golang crypto/ecdh and the TPM
I have lately been trying to learn more about the Trusted Platform Module (TPM) as they are capable of key creation and sealing secrets in a secure manner. They are common hardware these days and make for a reasonable ways to store secrets. age is a file encryption/decryption tool from Filippo Valsorda which a lot of people have been using to replace GnuPG for things like password-store. It has a few plugins doing things like storing keys on Yubikey, Trezor hardware wallets or the Apple Secure Enclave, however it doesn’t have a TPM plugin.
https://linderud.dev/blog/golang-crypto/ecdh-and-the-tpm/
#planetarch
I have lately been trying to learn more about the Trusted Platform Module (TPM) as they are capable of key creation and sealing secrets in a secure manner. They are common hardware these days and make for a reasonable ways to store secrets. age is a file encryption/decryption tool from Filippo Valsorda which a lot of people have been using to replace GnuPG for things like password-store. It has a few plugins doing things like storing keys on Yubikey, Trezor hardware wallets or the Apple Secure Enclave, however it doesn’t have a TPM plugin.
https://linderud.dev/blog/golang-crypto/ecdh-and-the-tpm/
#planetarch
April
Arch Linux in April 2023 # project management # We’ve create a GitLab Board [0\] to track all tasks related to project management and project leadership. This Board allows us to visualize the exact state of tasks using different lanes and labels, making it easier to keep track of ongoing progress. Additionally, tasks will receive comments and lane updates to reflect the latest developments. This is another step towards providing increased transparency, structure, and visibility for our staff and users alike.
https://monthly-reports.archlinux.page/2023/04/
#planetarch
Arch Linux in April 2023 # project management # We’ve create a GitLab Board [0\] to track all tasks related to project management and project leadership. This Board allows us to visualize the exact state of tasks using different lanes and labels, making it easier to keep track of ongoing progress. Additionally, tasks will receive comments and lane updates to reflect the latest developments. This is another step towards providing increased transparency, structure, and visibility for our staff and users alike.
https://monthly-reports.archlinux.page/2023/04/
#planetarch
👍8
Git migration announcement
This Friday morning (2023-05-19) the Git packaging migration will start until Sunday (2023-05-21). The Arch Linux packaging team will not be able to update packages in any of the repositories during this period.
Notification when the migration starts, and when it is completed, will be published on the
How does this impact Arch Linux users?
The
All affected repositories will be provided as empty repositories for a transition period after the migration. For regular users, this means that everything works as before.
Note: After the migration is done, users that have the testing repositories enabled need to include the new repositories (
Other changes:
* SVN access is discontinued and will dissappear.
* The svn2git mirror will no longer be updated.
*
How does this impact Arch Linux tier 1 mirrors?
During the migration rsync and HTTP access will be shut down. We will send an email notification to arch-mirrors once everything has been finished.
How does this impact Arch Linux packagers?
Packagers will not be able to patch and update their packages. The internal Tier 0 mirror is also going to be disabled for the duration of this migration.
https://archlinux.org/news/git-migration-announcement/
#news
This Friday morning (2023-05-19) the Git packaging migration will start until Sunday (2023-05-21). The Arch Linux packaging team will not be able to update packages in any of the repositories during this period.
Notification when the migration starts, and when it is completed, will be published on the
[arch-dev-public] mailing list.How does this impact Arch Linux users?
The
[testing] repository will be split into [core-testing] and [extra-testing], the [staging] repository will be split into [core-staging] and [extra-staging]. The [community] repository will be merged into [extra] and will therefore be empty after the migration.All affected repositories will be provided as empty repositories for a transition period after the migration. For regular users, this means that everything works as before.
Note: After the migration is done, users that have the testing repositories enabled need to include the new repositories (
[core-testing] and [extra-testing] instead of [testing]) in their pacman.conf before updating their system.Other changes:
* SVN access is discontinued and will dissappear.
* The svn2git mirror will no longer be updated.
*
asp, which relies on the svn2git mirror, will stop working. It is replaced by pkgctl repo clone.How does this impact Arch Linux tier 1 mirrors?
During the migration rsync and HTTP access will be shut down. We will send an email notification to arch-mirrors once everything has been finished.
How does this impact Arch Linux packagers?
Packagers will not be able to patch and update their packages. The internal Tier 0 mirror is also going to be disabled for the duration of this migration.
https://archlinux.org/news/git-migration-announcement/
#news
🙏3👍2❤🔥1💯1🏆1
Git migration completed
We are proud to announce that the migration to Git packaging succeeded! 🥳
Thanks to everyone who has helped during the migration!
Package sources are now available on GitLab. Note that the bugtracker is still flyspray and that merge requests are not accepted as of now. We intend to open the issue tracker and merge requests on the Gitlab package repos in the near future.
Mirrors are syncing again, but it may take a bit of time until your mirror of choice has caught up.
## For users
Update your system and merge the pacman pacnew
For users of the now deprecated
For some more detailed instructions on how to obtain PKGBUILDs see the corresponding wiki article.
## For packagers
Before starting, first uninstall
Make sure you have both, an updated devtools and pacman on your system:
Additionally clean up old chroots in
For instruction on how to use
https://archlinux.org/news/git-migration-completed/
#news
We are proud to announce that the migration to Git packaging succeeded! 🥳
Thanks to everyone who has helped during the migration!
Package sources are now available on GitLab. Note that the bugtracker is still flyspray and that merge requests are not accepted as of now. We intend to open the issue tracker and merge requests on the Gitlab package repos in the near future.
Mirrors are syncing again, but it may take a bit of time until your mirror of choice has caught up.
## For users
Update your system and merge the pacman pacnew
/etc/pacman.conf.pacnew file. This is required as we have moved the [community] repository into [extra].$ pacman -Syu "pacman>=6.0.2-7"
For users of the now deprecated
asp tool, you will need to switch to pkgctl:$ pacman -Syu "devtools>=1:1.0.0-1"
$ pkgctl repo clone linux
For some more detailed instructions on how to obtain PKGBUILDs see the corresponding wiki article.
## For packagers
Before starting, first uninstall
devtools-git-poc and remove any repos from your filesystem that you cloned during the git proof-of-concept testing.Make sure you have both, an updated devtools and pacman on your system:
$ pacman -Syu "devtools>=1:1.0.0-1" "pacman>=6.0.2-7"
Additionally clean up old chroots in
/var/lib/archbuild/$ rm -rf /var/lib/archbuild/
# or optionally, use the --clean option for pkgctl build *ONCE*
$ pkgctl build --clean
For instruction on how to use
pkgctl, please take a look at the "How to be a packager" wiki article and also consult the man page of each subcommand for further information:$ man pkgctl-build
$ man pkgctl-repo-clone
https://archlinux.org/news/git-migration-completed/
#news
👏12👍5
OpenBLAS >= 0.3.23-2 update requires manual intervention
The openblas package prior to version 0.3.23-2 doesn't ship optimized LAPACK routine and CBLAS/LAPACKE interfaces for compatibility. This decision has been reverted now, and the ability to choose a different default system BLAS/LAPACK implementation while keeping openblas installed is now provided to allow future co-installation of BLIS, ATLAS, etc.
The default BLAS implementation will be used for most packages like NumPy or R. Please install "blas-openblas" and "blas64-openblas" to make OpenBLAS the default BLAS implementation, just like the old behavior.
Unfortunately you will get errors on updating if you currently have OpenBLAS installed as the default BLAS implementation:
error: failed to prepare transaction (could not satisfy dependencies) :: installing openblas (0.3.23-2) breaks dependency 'blas' required by cblas :: installing openblas (0.3.23-2) breaks dependency 'blas' required by lapack
Please append your preferred default BLAS implementation to the regular -Syu command line to get around it. For example:
or
https://archlinux.org/news/openblas-0323-2-update-requires-manual-intervention/
#news
The openblas package prior to version 0.3.23-2 doesn't ship optimized LAPACK routine and CBLAS/LAPACKE interfaces for compatibility. This decision has been reverted now, and the ability to choose a different default system BLAS/LAPACK implementation while keeping openblas installed is now provided to allow future co-installation of BLIS, ATLAS, etc.
The default BLAS implementation will be used for most packages like NumPy or R. Please install "blas-openblas" and "blas64-openblas" to make OpenBLAS the default BLAS implementation, just like the old behavior.
Unfortunately you will get errors on updating if you currently have OpenBLAS installed as the default BLAS implementation:
error: failed to prepare transaction (could not satisfy dependencies) :: installing openblas (0.3.23-2) breaks dependency 'blas' required by cblas :: installing openblas (0.3.23-2) breaks dependency 'blas' required by lapack
Please append your preferred default BLAS implementation to the regular -Syu command line to get around it. For example:
pacman -Syu blas-openblas
or
pacman -Syu blas
https://archlinux.org/news/openblas-0323-2-update-requires-manual-intervention/
#news
TeX Live package reorganization
Starting from version 2023.66594-9, TeX Live packages have been reorganized to mirror upstream collections. Even though the new
which means the euler CTAN package is contained in
A new metapackage texlive-meta is available to install all subpackages (except for language specific ones), and the new texlive-doc package provides the full documentation for offline use.
https://archlinux.org/news/tex-live-package-reorganization/
#news
Starting from version 2023.66594-9, TeX Live packages have been reorganized to mirror upstream collections. Even though the new
texlive-basic replaces the old texlive-core, many of the texlive-core contents (including language specific files) are now split between different packages. To find out which Arch package contains a specific CTAN package, you can use the tlmgr utility, eg.$ tlmgr info euler | grep collection
collection: collection-latexrecommended
which means the euler CTAN package is contained in
texlive-latexrecommended. You may also use pacman -F to query for specific files.A new metapackage texlive-meta is available to install all subpackages (except for language specific ones), and the new texlive-doc package provides the full documentation for offline use.
https://archlinux.org/news/tex-live-package-reorganization/
#news
👍3
budgie-desktop >= 10.7.2-6 update requires manual intervention
When upgrading from budgie-desktop 10.7.2-5 to 10.7.2-6, the package mutter43 must be replaced with magpie-wm, which currently depends on mutter. As mutter43 conflicts with mutter, manual intervention is required to complete the upgrade.
First remove mutter43, then immediately perform the upgrade. Do not relog or reboot between these steps.
https://archlinux.org/news/budgie-desktop-1072-6-update-requires-manual-intervention/
#news
When upgrading from budgie-desktop 10.7.2-5 to 10.7.2-6, the package mutter43 must be replaced with magpie-wm, which currently depends on mutter. As mutter43 conflicts with mutter, manual intervention is required to complete the upgrade.
First remove mutter43, then immediately perform the upgrade. Do not relog or reboot between these steps.
pacman -Rdd mutter43pacman -Syuhttps://archlinux.org/news/budgie-desktop-1072-6-update-requires-manual-intervention/
#news
👍7
ansible-core >= 2.15.3-1 update may require manual intervention
As of
This means that, starting from version
Regarding the documentation, it is available online: https://docs.ansible.com/
As for the configuration file, as explained in the wiki, a base config can be generated with the following command:
After updating from
To restore it, run the following command:
https://archlinux.org/news/ansible-core-2153-1-update-may-require-manual-intervention/
#news
As of
ansible-core 2.15.3, upstream moved documentation and examples to a separate dedicated repository (see the related changelogs). This means that, starting from version
2.15.3 the ansible-core package will stop shipping documentation and a default configuration example under /etc/ansible/ansible.cfg.Regarding the documentation, it is available online: https://docs.ansible.com/
As for the configuration file, as explained in the wiki, a base config can be generated with the following command:
ansible-config init --disabled > ansible.cfgAfter updating from
ansible-core <= 2.15.2-1 to >= 2.15.3-1, everyone using a custom global Ansible configuration file stored under /etc/ansible/ansible.cfg will have their configuration saved as a pacsave file. To restore it, run the following command:
mv /etc/ansible/ansible.cfg.pacsave /etc/ansible/ansible.cfghttps://archlinux.org/news/ansible-core-2153-1-update-may-require-manual-intervention/
#news
Changes to default password hashing algorithm and umask settings
With shadow >=
Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.
Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].
Configuring yescrypt
The
General list of changes
▪️yescrypt is used as default password hashing algorithm, instead of SHA512
▪️pam honors the chosen
▪️changes in the filesystem (>=
#news
With shadow >=
4.14.0, Arch Linux's default password hashing algorithm changed from SHA512 to yescrypt [1].Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.
Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].
Configuring yescrypt
The
YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).General list of changes
▪️yescrypt is used as default password hashing algorithm, instead of SHA512
▪️pam honors the chosen
ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore▪️changes in the filesystem (>=
2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile
https://archlinux.org/news/changes-to-default-password-hashing-algorithm-and-umask-settings/#news
❤6
Store ssh keys inside the TPM: ssh-tpm-agent
After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”.
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
#planetarch
After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”.
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
#planetarch
👍9
September
Arch Linux in September 2023 # Staff # We would like to welcome Fabian Bornschein (fabiscafe) as part of the Arch Linux Package Maintainer team. Bug weekend # During the 1st to 3rd of September, we conducted a bug weekend with the aim of resolving old bugs and implementing proposed solutions. This effort not only reduced the backlog but also contributed to streamlining the upcoming bug tracker migration, resulting in the resolution of approximately 200 bugs.
https://monthly-reports.archlinux.page/2023/09/
#planetarch
Arch Linux in September 2023 # Staff # We would like to welcome Fabian Bornschein (fabiscafe) as part of the Arch Linux Package Maintainer team. Bug weekend # During the 1st to 3rd of September, we conducted a bug weekend with the aim of resolving old bugs and implementing proposed solutions. This effort not only reduced the backlog but also contributed to streamlining the upcoming bug tracker migration, resulting in the resolution of approximately 200 bugs.
https://monthly-reports.archlinux.page/2023/09/
#planetarch
👍6
Fully Automated Releases for Rust Projects
Here is how you can publish a Rust project with a single click of a button and automate everything.
https://blog.orhun.dev/automated-rust-releases/
#planetarch
Here is how you can publish a Rust project with a single click of a button and automate everything.
https://blog.orhun.dev/automated-rust-releases/
#planetarch
❤1
Incoming changes in JDK / JRE 21 packages may require manual intervention
We are introducing a change in JDK/JRE packages of our distro. This is triggered from the way a JRE is build in modern versions of Java (>9). We are introducing this change in Java 21. To sum it up instead of having JDK and JRE packages coexist in the same system we will be making them conflict. The JDK variant package includes the runtime environment to execute Java applications so if one needs compilation and runtime of Java they need only the JDK package in the future. If, on the other hand, they need just runtime of Java then JRE (or jre-headless) will work. This will (potentially) require a manual user action during upgrade:
▪️ If you have both JDK and JRE installed you can manually install the JDK with
▪️ If you have both JRE and JRE-headless you will need to choose one of them and install it manually since they would conflict each other now.
▪️ If you only have one of the JDK/JRE/JRE-headless pacman should resolve dependencies normally and no action is needed.
At the moment this is only valid for the upcoming JDK 21 release.
https://archlinux.org/news/incoming-changes-in-jdk-jre-21-packages-may-require-manual-intervention/
#news
We are introducing a change in JDK/JRE packages of our distro. This is triggered from the way a JRE is build in modern versions of Java (>9). We are introducing this change in Java 21. To sum it up instead of having JDK and JRE packages coexist in the same system we will be making them conflict. The JDK variant package includes the runtime environment to execute Java applications so if one needs compilation and runtime of Java they need only the JDK package in the future. If, on the other hand, they need just runtime of Java then JRE (or jre-headless) will work. This will (potentially) require a manual user action during upgrade:
▪️ If you have both JDK and JRE installed you can manually install the JDK with
pacman -Syu jdk-openjdk and this removes the JRE related packages.▪️ If you have both JRE and JRE-headless you will need to choose one of them and install it manually since they would conflict each other now.
▪️ If you only have one of the JDK/JRE/JRE-headless pacman should resolve dependencies normally and no action is needed.
At the moment this is only valid for the upcoming JDK 21 release.
https://archlinux.org/news/incoming-changes-in-jdk-jre-21-packages-may-require-manual-intervention/
#news
👍14
Grants for Operating Systems
Over the past years I have written (unsuccessful) funding applications for free software projects, associated with the Arch Linux Operating System. This article is about my experiences with applying for numerous funds and my advice for people trying to get their work funded. TL;DR: Writing funding applications is extremely tedious and the selection process mostly intransparent and discouraging. Depending on what you apply for and who you apply with, you may never get funding due to other, additional factors. Read more… (8 min remaining to read)
https://sleepmap.de/2023/grants-for-operating-systems/
#planetarch
Over the past years I have written (unsuccessful) funding applications for free software projects, associated with the Arch Linux Operating System. This article is about my experiences with applying for numerous funds and my advice for people trying to get their work funded. TL;DR: Writing funding applications is extremely tedious and the selection process mostly intransparent and discouraging. Depending on what you apply for and who you apply with, you may never get funding due to other, additional factors. Read more… (8 min remaining to read)
https://sleepmap.de/2023/grants-for-operating-systems/
#planetarch
Operating System Bias in Next Generation Internet and NLnet
In Grants for Operating Systems I discussed my journey through the grant application writing business since beginning of last year. To keep things light and somewhat focused, I left out a topic, that I would like to write about in more detail in the following sections. It's about selection bias in grants provided by Next Generation Internet (NGI), that can be applied for directly or through NLnet. Read more… (11 min remaining to read)
https://sleepmap.de/2023/operating-system-bias-in-next-generation-internet-and-nlnet/
#planetarch
In Grants for Operating Systems I discussed my journey through the grant application writing business since beginning of last year. To keep things light and somewhat focused, I left out a topic, that I would like to write about in more detail in the following sections. It's about selection bias in grants provided by Next Generation Internet (NGI), that can be applied for directly or through NLnet. Read more… (11 min remaining to read)
https://sleepmap.de/2023/operating-system-bias-in-next-generation-internet-and-nlnet/
#planetarch