2025-01-16
We'd like to raise awareness about the rsync security release version 3.4.0-1 as described in our advisory ASA-202501-1.
An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.
Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client.
Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.
We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately.
As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.
All infrastructure servers and mirrors maintained by Arch Linux have already been updated.
Robin Candau@Official News
2024-12-31
Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot, me being gentle with myself I’ll probably just permit myself to complete this list the next couple of days.
I hate bragging, I try to not depend on external validation as much as possible, and being the anti-capitalist that I am, I try to be content with knowing I’m …
kpcyrd
2024-12-24
A eulogy for the greatest dog of all, and a friend I will never forget.
Campbell Jones
2024-12-23
Like my blog? Here is how I set it up.
Unknown@Orhun Parmaksiz
2024-11-19
Arch Linux hasn't had a license for any package sources (such as PKGBUILD files) in the past, which is potentially problematic. Providing a license will preempt that uncertainty.
In RFC 40 we agreed to change all package sources to be licensed under the very liberal 0BSD license.
This change will not limit what you can do with package sources. Check out the RFC for more on the rationale and prior discussion.
Before we make this change, we will provide contributors with a way to voice any objections they might have. Starting on 2024-11-19, over the course of a week, contributors will receive a single notification email listing all their contributions.
- If you receive an email and agree to this change, there is no action required from your side.
- If you do not agree, please reply to the email and we'll find a solution together.
If you contributed to Arch Linux packages before but didn't receive an email, please contact us at package-sources-licensing@archlinux.org.
Rafael Epplée@Official News
2024-10-16
After Turkey banned Discord, I had to jump through some hoops, fix my VPN, and learn a bit about how DNS works.
Unknown@Orhun Parmaksiz
2024-10-04
A collection of facts about yours truly. Guaranteed to be as accurate as my memory.
Campbell Jones
2024-09-14
With the release of version 7.0.0 pacman has added support for downloading packages as a separate user with dropped privileges.
For users with local repos however this might imply that the download user does not have access to the files in question, which can be fixed by assigning the files and folder to the alpm group and ensuring the executable bit (+x) is set on the folders in question.
$ chown :alpm -R /path/to/local/repo
Remember to merge the .pacnew files to apply the new default.
Pacman also introduced a change to improve checksum stability for git repos that utilize .gitattributes files. This might require a one-time checksum change for PKGBUILDs that use git sources.
Morten Linderud@Official News
2024-09-06
Some thoughts on why I started livestreaming my open-source development sessions and my future plans.
Unknown@Orhun Parmaksiz
2024-08-31
The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features.
After being a bit inspired by some ideas from people at work, the hackerspace and toots on Mastodon, I figured an SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.
Morten Linderud
2024-08-31
In the previous article I investigated how to create a reproducible image but ended up with only managing to create two identical image directories. In this article we'll end up with a fully bit-by-bit reproducible filesystem image!
Some things have changed since the last post, mkosi now no longer creates …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2024-08-29
Arch Linux in August 2024
Staff
We would like to welcome Quentin Michaud as part of the Arch Linux Package Maintainer team.
RFC
A previously proposed Distribution Developer Manual RFC has been accepted with the intention to document how to run the distribution while leveraging GitLab’s collaboration features and streamlined workflows for maintaining and evolving the resulting specifications.
We have proposed an RFC to license all Arch Linux package sources under the terms of the Zero-Clause BSD license.
Arch Monthly Reports
2024-08-24
A while ago I saw a post on LinkedIn that piqued my interest, not because it was any good, but because it was impressively wrong. It claimed that, to quote, “if every email user deleted just 10 emails, it would save enough electricity to power millions of households each year”. This is not only wrong, it is obviously wrong. In this post, I’d like to dive into why it’s wrong, how one might come to think it’s right, and perhaps what better message you could put out there to save the planet.
Bert Peters@Bert Peters
2024-08-18
I've blogged before about creating vagrant images using mkosi as part of an investigation to move image creation to mkosi but also as I will be giving a talk at All Systems Go about Arch Linux images mkosi and reproducibility.
With reproducible images in this article I mean that anyone …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2024-07-29
Arch Linux in July 2024
Pacman
Pacman v7.0.0 has been released as a major feature version. A new DownloadUser configuration option allows for dropping privileges when downloading files to a temporary directory. On top of this security measure, the new Landlock sandbox also prevents writing outside the restricted download directory.
Additionally, makepkg removes GITFLAGS support, as it required breaking changes to git source handling. Furthermore this release addresses unstable git checksumming influenced by specific user configuration. On top, it now prevents PKGBUILD from overriding BUILDENV to avoid undesired side effects.
Arch Monthly Reports
2024-07-27
Last FOSDEM, there were some talks around mkosi using it for kernel hacking and systemd integration tests.
These talks got me interested in mkosi, a systemd project for building OS images. After chatting some more with the maintainers, I considered the idea of moving the arch-boxes project to mkosi. (note …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2024-07-01
After upgrading to openssh-9.8p1, the existing SSH daemon will be unable to accept new connections (see https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5).
When upgrading remote hosts, please make sure to restart the sshd service using systemctl try-restart sshd right after upgrading.
We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.
Robin Candau@Official News
2024-06-29
Arch Linux in June 2024
archinstall
The archinstall v2.8.1 update has been released, featuring several bug fixes and improvements to partitioning and desktop profiles, along with the introduction of experimental LVM support and the addition of Finnish translation.
ArchWeb
ArchWeb 2024-06-12 has been rolled out, which includes an update to Django’s latest major version, Django 5.0 as well as small improvements within our Ruff configuration used as our Python linter.
Arch Monthly Reports
2024-05-29
Arch Linux in May 2024
Staff
We would like to welcome Bert Peters (bertptrs) as well as Giovanni Harting (anonfunc) as part of the Arch Linux Package Maintainer team.
RFC
An RFC has been accepted to introduce “Arch Linux Ports” as testbed for unofficial architectures until they are integrated in the main Arch Linux repositories.
devtools
We have released devtools v1.2.0, featuring several new enhancements and improvements. This release includes distro flag changes, notably the addition of no-omit-frame-pointer flags and _FORTIFY_SOURCE level 3.
Arch Monthly Reports
2024-05-23
Rationale
Emacs users try to avoid leaving their editor for other tasks. There is a shell (Eshell: The Emacs Shell), an integration into Secret Service API (Emacs auth-source Library 0.3) and countless other integrations.
Search is a central element of the Gnome desktop environment. Many applications implement the Search Provider dbus interface to provide suitable results.
The aim of this package is to make these search results also available within the Emacs editor.
Jürgen Hötzel
2024-05-03
I went on a trip to Mongolia to find out the meaning behind my name.
Unknown@Orhun Parmaksiz
2024-04-29
Arch Linux in April 2024
Staff
Project Leader Election
Recently, we held our Arch Linux Project Leader election, and the current Project Leader, Levente “anthraxx” Polyák, was the sole nominee. As per our election rules, he has been re-elected for another term. Congratulations to Levente, and we wish him continued success in his leadership!
RFC
An RFC has been accepted to grant all Arch Linux staff members, not limited to those in packaging roles, the privilege to initiate RFCs directly, aligning with the broad range of topics these documents encompass.
Arch Monthly Reports
2024-04-15
Recently we held our leader election, and the previous Project Leader Levente "anthraxx" Polyák ran again while no other people were nominated for the role.
As per our election rules he is re-elected for a new term.
The role of the project lead within Arch Linux is connected to a few responsibilities regarding decision making (when no consensus can be reached), handling financial matters with SPI and overall project management tasks.
Congratulations to Levente and all the best wishes for another successful term! 🥳
Christian Heusel@Official News
2024-04-08
Let's delve into the realm of open source funding along with Ratatui's journey.
Unknown@Orhun Parmaksiz
2024-04-07
The vm.max_map_count parameter will be increased from the default 65530 value to 1048576.
This change should help address performance, crash or start-up issues for a number of memory intensive applications, particularly for (but not limited to) some Windows games played through Wine/Steam Proton. Overall, end users should have a smoother experience out of the box with no expressed concerns about potential downsides in the related proposal on arch-dev-public mailing list.
This vm.max_map_count increase is introduced in the 2024.04.07-1 release of the filesystem package and will be effective right after the upgrade.
Before upgrading, in case you are already setting your own value for that parameter in a sysctl.d configuration file, either remove it (to switch to the new default value) or make sure your configuration file will be read with a higher priority than the /usr/lib/sysctl.d/10-arch.conf file (to supersede the new default value).
Robin Candau@Official News