Ratatui Received Funding: What's Next?
Let's delve into the realm of open source funding along with Ratatui's journey.
https://blog.orhun.dev/open-source-funding-with-ratatui/
#planetarch
Let's delve into the realm of open source funding along with Ratatui's journey.
https://blog.orhun.dev/open-source-funding-with-ratatui/
#planetarch
π2π₯1
The Name Quest
I went on a trip to Mongolia to find out the meaning behind my name.
https://blog.orhun.dev/mongolia-trip/
#planetarch
I went on a trip to Mongolia to find out the meaning behind my name.
https://blog.orhun.dev/mongolia-trip/
#planetarch
β1π₯±1
The xz package has been backdoored
Update: To our knowledge the malicious code which was distributed via the release tarball never made it into the Arch Linux provided binaries, as the build script was configured to only inject the bad code in Debian/Fedora based package build environments. The news item below can therefore mostly be ignored.
We are closely monitoring the situation and will update the package and news as neccesary.
TL;DR: Upgrade your systems and container images now!
As many of you may have already read ([one](https://www.openwall.com/lists/oss-security/2024/03/29/4)), the upstream release tarballs for `xz` in version `5.6.0` and `5.6.1` contain malicious code which adds a backdoor.
This vulnerability is tracked in the Arch Linux security tracker ([two](https://security.archlinux.org/ASA-202403-1)).
The `xz` packages prior to version `5.6.1-2` (specifically `5.6.0-1` and `5.6.1-1`) contain this backdoor.
The following release artifacts contain the compromised `xz`:
installation medium
virtual machine images `20240301.218094` and `20240315.221711`
container images created between and including 2024-02-24 and 2024-03-28
The affected release artifacts have been removed from our mirrors.
We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version!
## Upgrading the system
It is strongly advised to do a full system upgrade right away if your system currently has
## Upgrading container images
To figure out if you are using an affected container image, use either
or
depending on whether you use
Any Arch Linux container image older than
Run either
or
to upgrade affected container images to the most recent version.
Afterwards make sure to rebuild any container images based on the affected versions and also inspect any running containers!
## Regarding sshd authentication bypass/code execution
From the upstream report (one):
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
#news
Update: To our knowledge the malicious code which was distributed via the release tarball never made it into the Arch Linux provided binaries, as the build script was configured to only inject the bad code in Debian/Fedora based package build environments. The news item below can therefore mostly be ignored.
We are closely monitoring the situation and will update the package and news as neccesary.
TL;DR: Upgrade your systems and container images now!
As many of you may have already read ([one](https://www.openwall.com/lists/oss-security/2024/03/29/4)), the upstream release tarballs for `xz` in version `5.6.0` and `5.6.1` contain malicious code which adds a backdoor.
This vulnerability is tracked in the Arch Linux security tracker ([two](https://security.archlinux.org/ASA-202403-1)).
The `xz` packages prior to version `5.6.1-2` (specifically `5.6.0-1` and `5.6.1-1`) contain this backdoor.
The following release artifacts contain the compromised `xz`:
installation medium
2024.03.01virtual machine images `20240301.218094` and `20240315.221711`
container images created between and including 2024-02-24 and 2024-03-28
The affected release artifacts have been removed from our mirrors.
We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version!
## Upgrading the system
It is strongly advised to do a full system upgrade right away if your system currently has
xz version 5.6.0-1 or 5.6.1-1 installed:pacman -Syu## Upgrading container images
To figure out if you are using an affected container image, use either
podman image history archlinux/archlinuxor
docker image history archlinux/archlinuxdepending on whether you use
podman or docker.Any Arch Linux container image older than
2024-03-29 and younger than 2024-02-24 is affected.Run either
podman image pull archlinux/archlinuxor
docker image pull archlinux/archlinuxto upgrade affected container images to the most recent version.
Afterwards make sure to rebuild any container images based on the affected versions and also inspect any running containers!
## Regarding sshd authentication bypass/code execution
From the upstream report (one):
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
ldd "$(command -v sshd)"However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
#news
π₯±3π2π2πΏ2
Increasing the default vm.max_map_count value
The vm.max\_map\_count parameter will be increased from the default
This change should help address performance, crash or start-up issues for a number of memory intensive applications, particularly for (but not limited to) some Windows games played through Wine/Steam Proton. Overall, end users should have a smoother experience out of the box with no expressed concerns about potential downsides in the related proposal on arch-dev-public mailing list.
This
Before upgrading, in case you are already setting your own value for that parameter in a
https://archlinux.org/news/increasing-the-default-vmmaxmapcount-value/
#news
The vm.max\_map\_count parameter will be increased from the default
65530 value to 1048576.This change should help address performance, crash or start-up issues for a number of memory intensive applications, particularly for (but not limited to) some Windows games played through Wine/Steam Proton. Overall, end users should have a smoother experience out of the box with no expressed concerns about potential downsides in the related proposal on arch-dev-public mailing list.
This
vm.max_map_count increase is introduced in the 2024.04.07-1 release of the filesystem package and will be effective right after the upgrade.Before upgrading, in case you are already setting your own value for that parameter in a
sysctl.d configuration file, either remove it (to switch to the new default value) or make sure your configuration file will be read with a higher priority than the /usr/lib/sysctl.d/10-arch.conf file (to supersede the new default value).https://archlinux.org/news/increasing-the-default-vmmaxmapcount-value/
#news
π2π1
Planet Arch Linux & News
The xz package has been backdoored Update: To our knowledge the malicious code which was distributed via the release tarball never made it into the Arch Linux provided binaries, as the build script was configured to only inject the bad code in Debian/Fedoraβ¦
the bot got stuck for a while
π
π
π€£12β€4π4β‘2π³1πΏ1
Arch Linux 2024 Leader Election Results
Recently we held our leader election, and the previous Project Leader Levente "anthraxx" PolyΓ‘k ran again while no other people were nominated for the role.
As per our election rules he is re-elected for a new term.
The role of of the project lead within Arch Linux is connected to a few responsibilities regarding decision making (when no consensus can be reached), handling financial matters with SPI and overall project management tasks.
Congratulations to Levente and all the best wishes for another successful term! π₯³
https://archlinux.org/news/arch-linux-2024-leader-election-results/
#news
Recently we held our leader election, and the previous Project Leader Levente "anthraxx" PolyΓ‘k ran again while no other people were nominated for the role.
As per our election rules he is re-elected for a new term.
The role of of the project lead within Arch Linux is connected to a few responsibilities regarding decision making (when no consensus can be reached), handling financial matters with SPI and overall project management tasks.
Congratulations to Levente and all the best wishes for another successful term! π₯³
https://archlinux.org/news/arch-linux-2024-leader-election-results/
#news
π3π€£2β€1π1
Gnome Search Provider: Emacs Integration
Rationale Emacs users try to avoid leaving their editor for other tasks. There is an shell (Eshell: The Emacs Shell), an integration into Secret Service API (Emacs auth-source Library 0.3) and countless other integrations. Search is a central element of the Gnome desktop environment. Many applications implement the Search Provider dbus interface to provide suitable results. The aim of this package is to make these search results also available within the Emacs editor.
https://blog.hoetzel.info/post/consult-gnome-search/
#planetarch
Rationale Emacs users try to avoid leaving their editor for other tasks. There is an shell (Eshell: The Emacs Shell), an integration into Secret Service API (Emacs auth-source Library 0.3) and countless other integrations. Search is a central element of the Gnome desktop environment. Many applications implement the Search Provider dbus interface to provide suitable results. The aim of this package is to make these search results also available within the Emacs editor.
https://blog.hoetzel.info/post/consult-gnome-search/
#planetarch
π©2
The sshd service needs to be restarted after upgrading to openssh-9.8p1
After upgrading to
When upgrading remote hosts, please make sure to restart the sshd service using
We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.
https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
#news
After upgrading to
openssh-9.8p1, the existing SSH daemon will be unable to accept new connections (see https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5). When upgrading remote hosts, please make sure to restart the sshd service using
systemctl try-restart sshd right after upgrading.We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.
https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
#news
π«‘10
Building vagrant images with mkosi
Last FOSDEM, there where some talks around mkosi using it for kernel hacking and systemd integration tests. These talks got me interested in mkosi, a systemd project for building OS images. After chatting some more with the maintainers, I considered the idea of moving the arch-boxes project to mkosi. (note β¦
https://vdwaa.nl/mkosi-vagrant-images.html
#planetarch
Last FOSDEM, there where some talks around mkosi using it for kernel hacking and systemd integration tests. These talks got me interested in mkosi, a systemd project for building OS images. After chatting some more with the maintainers, I considered the idea of moving the arch-boxes project to mkosi. (note β¦
https://vdwaa.nl/mkosi-vagrant-images.html
#planetarch
π1
Investigating creating reproducible images with mkosi
I've blogged before about creating vagrant images using mkosi as part of an investigation to move image creation to mkosi but also as I will be giving a talk at All Systems Go about Arch Linux images mkosi and reproducibility. With reproducible images in this article I mean that anyone β¦
https://vdwaa.nl/mkosi-reproducible-images.html
#planetarch
I've blogged before about creating vagrant images using mkosi as part of an investigation to move image creation to mkosi but also as I will be giving a talk at All Systems Go about Arch Linux images mkosi and reproducibility. With reproducible images in this article I mean that anyone β¦
https://vdwaa.nl/mkosi-reproducible-images.html
#planetarch
π2
Deleting emails will not save the planet
A while ago I saw a post on LinkedIn that piqued my interest, not because it was any good, but because it was impressively wrong. It claimed that, to quote, βif every email user deleted just 10 emails, it would save enough electricity to power millions of households each yearβ. This is not only wrong, it is obviously wrong. In this post, Iβd like to dive into why itβs wrong, how one might come to think itβs right, and perhaps what better message you could put out there to save the planet.
https://bertptrs.nl/2024/08/24/deleting-emails-will-not-save-the-planet.html
#planetarch
A while ago I saw a post on LinkedIn that piqued my interest, not because it was any good, but because it was impressively wrong. It claimed that, to quote, βif every email user deleted just 10 emails, it would save enough electricity to power millions of households each yearβ. This is not only wrong, it is obviously wrong. In this post, Iβd like to dive into why itβs wrong, how one might come to think itβs right, and perhaps what better message you could put out there to save the planet.
https://bertptrs.nl/2024/08/24/deleting-emails-will-not-save-the-planet.html
#planetarch
π3
SSH CA with device and identity attestation: ssh-tpm-ca-authority
The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features. After being a bit inspired by some ideas from people at work, the hackerspace and toots on mastodon, I figure out a SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.
https://linderud.dev/blog/ssh-ca-with-device-and-identity-attestation-ssh-tpm-ca-authority/
#planetarch
The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features. After being a bit inspired by some ideas from people at work, the hackerspace and toots on mastodon, I figure out a SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.
https://linderud.dev/blog/ssh-ca-with-device-and-identity-attestation-ssh-tpm-ca-authority/
#planetarch
π1
Reproducible Arch images with mkosi
In the previous article I investigated how to create a reproducible image but ended up with only managing to create two identical image directories. In this article we'll end up with a fully bit-by-bit reproducible filesystem image! Some things have changed since the last post, mkosi now no longer creates β¦
https://vdwaa.nl/mkosi-reproducible-arch-images.html
#planetarch
In the previous article I investigated how to create a reproducible image but ended up with only managing to create two identical image directories. In this article we'll end up with a fully bit-by-bit reproducible filesystem image! Some things have changed since the last post, mkosi now no longer creates β¦
https://vdwaa.nl/mkosi-reproducible-arch-images.html
#planetarch
π2
Why I started livestreaming as a Rust developer?
Some thoughts on why I started livestreaming my open-source development sessions and my future plans.
https://blog.orhun.dev/livestreaming/
#planetarch
Some thoughts on why I started livestreaming my open-source development sessions and my future plans.
https://blog.orhun.dev/livestreaming/
#planetarch
π2π2π€1
Manual intervention for pacman 7.0.0 and local repositories required
With the release of version 7.0.0 pacman has added support for downloading packages as a separate user with dropped privileges.
For users with local repos however this might imply that the download user does not have access to the files in question, which can be fixed by assigning the files and folder to the
Remember to merge the .pacnew files to apply the new default.
Pacman also introduced a change to improve checksum stability for git repos that utilize
https://archlinux.org/news/manual-intervention-for-pacman-700-and-local-repositories-required/
#news
With the release of version 7.0.0 pacman has added support for downloading packages as a separate user with dropped privileges.
For users with local repos however this might imply that the download user does not have access to the files in question, which can be fixed by assigning the files and folder to the
alpm group and ensuring the executable bit (+x) is set on the folders in question.$ chown :alpm -R /path/to/local/repo
Remember to merge the .pacnew files to apply the new default.
Pacman also introduced a change to improve checksum stability for git repos that utilize
.gitattributes files. This might require a one-time checksum change for PKGBUILDs that use git sources.https://archlinux.org/news/manual-intervention-for-pacman-700-and-local-repositories-required/
#news
π8β€1π€1
Optimized cloud-init template on Proxmox
There are already quite a few resources out there demonstrating how to create a cloud-init enabled VM template in Proxmox. Here are the ones I mainly used to discover the topic, and which I suggest you go through because what follows depends on them:
Proxmox [wiki](https://pve.proxmox.com/wiki/Cloud-Init_Support) and [official documentation](https://pve.proxmox.com/pve-docs/chapter-qm.html#qm_cloud_init) on Cloud-Init support
Perfect Proxmox Template with Cloud Image and Cloud Init (YouTube, Techno Tim 2022-03)
What those and many similar resources give are step-by-step instructions divided in as many commands to facilitate understanding. What I havenβt seen so far though, is an all-in-one, optimized command to do the same thing, β¦
https://bastientraverse.com/en/proxmox-optimized-cloud-init-template/
#planetarch
There are already quite a few resources out there demonstrating how to create a cloud-init enabled VM template in Proxmox. Here are the ones I mainly used to discover the topic, and which I suggest you go through because what follows depends on them:
Proxmox [wiki](https://pve.proxmox.com/wiki/Cloud-Init_Support) and [official documentation](https://pve.proxmox.com/pve-docs/chapter-qm.html#qm_cloud_init) on Cloud-Init support
Perfect Proxmox Template with Cloud Image and Cloud Init (YouTube, Techno Tim 2022-03)
What those and many similar resources give are step-by-step instructions divided in as many commands to facilitate understanding. What I havenβt seen so far though, is an all-in-one, optimized command to do the same thing, β¦
https://bastientraverse.com/en/proxmox-optimized-cloud-init-template/
#planetarch
π1
Facts
A collection of facts about yours truly. Guaranteed to be as accurate as my memory.
https://serebit.dev/posts/facts/
#planetarch
A collection of facts about yours truly. Guaranteed to be as accurate as my memory.
https://serebit.dev/posts/facts/
#planetarch
π1
Can't trust any VPN these days
After Turkey banned Discord, I had to jump through some hoops, fix my VPN, and learn a bit about how DNS works.
https://blog.orhun.dev/cant-trust-any-vpn/
#planetarch
After Turkey banned Discord, I had to jump through some hoops, fix my VPN, and learn a bit about how DNS works.
https://blog.orhun.dev/cant-trust-any-vpn/
#planetarch
π4
Providing a license for package sources
Arch Linux hasn't had a license for any package sources (such as PKGBUILD files) in the past, which is potentially problematic. Providing a license will preempt that uncertainty.
In RFC 40 we agreed to change all package sources to be licensed under the very liberal 0BSD license. This change will not limit what you can do with package sources. Check out the RFC for more on the rationale and prior discussion.
Before we make this change, we will provide contributors with a way to voice any objections they might have. Starting on 2024-11-19, over the course of a week, contributors will receive a single notification email listing all their contributions.
If you receive an email and agree to this change, there is no action required from your side.
If you do not agree, please reply to the email and we'll find a solution together.
If you contributed to Arch Linux packages before but didn't receive an email, please contact us at package-sources-licensing@archlinux.org.
https://archlinux.org/news/providing-a-license-for-package-sources/
#news
Arch Linux hasn't had a license for any package sources (such as PKGBUILD files) in the past, which is potentially problematic. Providing a license will preempt that uncertainty.
In RFC 40 we agreed to change all package sources to be licensed under the very liberal 0BSD license. This change will not limit what you can do with package sources. Check out the RFC for more on the rationale and prior discussion.
Before we make this change, we will provide contributors with a way to voice any objections they might have. Starting on 2024-11-19, over the course of a week, contributors will receive a single notification email listing all their contributions.
If you receive an email and agree to this change, there is no action required from your side.
If you do not agree, please reply to the email and we'll find a solution together.
If you contributed to Arch Linux packages before but didn't receive an email, please contact us at package-sources-licensing@archlinux.org.
https://archlinux.org/news/providing-a-license-for-package-sources/
#news
π7π2β€1
How I set up this blog
Like my blog? Here is how I set it up.
https://blog.orhun.dev/setting-up-this-blog/
#planetarch
Like my blog? Here is how I set it up.
https://blog.orhun.dev/setting-up-this-blog/
#planetarch
π2
Goodbye, Sam
A eulogy for the greatest dog of all, and a friend I will never forget.
https://serebit.dev/posts/merry-christmas-sam/
#planetarch
A eulogy for the greatest dog of all, and a friend I will never forget.
https://serebit.dev/posts/merry-christmas-sam/
#planetarch
β€13π5π€‘2