Arch Planet
Planet Arch Linux is a window into the world, work and lives of Arch Linux developers, package maintainers and support staff.
Can't trust any VPN these days
After Turkey banned Discord, I had to jump through some hoops, fix my VPN, and learn a bit about how DNS works.
Facts
A collection of facts about yours truly. Guaranteed to be as accurate as my memory.
Optimized cloud-init templates on Proxmox
There are already quite a few resources out there demonstrating how to create a cloud-init enabled VM template in Proxmox. Here are the ones I mainly used to discover the topic, and which I suggest you go through because what follows depends on them:
- Proxmox FAQ, wiki and mostly identical official documentation on Cloud-Init support
- Perfect Proxmox Template with Cloud Image and Cloud Init (YouTube, Techno Tim 2022-03)
Optimized cloud-init template on Proxmox
There are already quite a few resources out there demonstrating how to create a cloud-init enabled VM template in Proxmox. Here are the ones I mainly used to discover the topic, and which I suggest you go through because what follows depends on them:
- Proxmox wiki and official documentation on Cloud-Init support
- Perfect Proxmox Template with Cloud Image and Cloud Init (YouTube, Techno Tim 2022-03)
Manual intervention for pacman 7.0.0 and local repositories required
With the release of version 7.0.0 pacman has added support for
downloading packages as a separate user with dropped privileges.
For users with local repos however this might imply that the download
user does not have access to the files in question, which can be fixed
by assigning the files and folder to the
alpm group and ensuring the
executable bit (+x) is set on the folders in question.
$ chown :alpm -R /path/to/local/repo
Remember to merge the .pacnew files to apply the new default.
Pacman also introduced a change to improve checksum stability for
git repos that utilize .gitattributes files. This might require a
one-time checksum change for PKGBUILDs that use git sources.
Why I started livestreaming as a Rust developer?
Some thoughts on why I started livestreaming my open-source development sessions and my future plans.
SSH CA with device and identity attestation: ssh-tpm-ca-authority
The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features.
After being a bit inspired by some ideas from people at work, the hackerspace and toots on mastodon, I figure out a SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.
Reproducible Arch images with mkosi
In the previous
article
I investigated how to create a reproducible image but ended up with only
managing to create two identical image directories. In this article we'll end
up with a fully bit-by-bit reproducible filesystem image!
Some things have changed since the last post, mkosi now no longer creates …
August
Arch Linux in August 2024
#
Staff
#
We would like to welcome Quentin Michaud as part of the Arch Linux Package
Maintainer team.
RFC
#
A previously proposed Distribution Developer Manual RFC has been accepted
with the intention to document how to run the distribution while leveraging
GitLab’s collaboration features and streamlined workflows for maintaining and
evolving the resulting specifications.
We have proposed an RFC to license all Arch Linux package sources under
the terms of the Zero-Clause BSD license.
Deleting emails will not save the planet
A while ago I saw a post on LinkedIn that piqued my interest, not because it was any good, but because it was impressively wrong. It claimed that, to quote, “if every email user deleted just 10 emails, it would save enough electricity to power millions of households each year”. This is not only wrong, it is obviously wrong. In this post, I’d like to dive into why it’s wrong, how one might come to think it’s right, and perhaps what better message you could put out there to save the planet.
Investigating creating reproducible images with mkosi
I've blogged before about creating vagrant images using
mkosi as part
of an investigation to move image creation to mkosi but also as I will be
giving a talk at All Systems Go about Arch Linux
images mkosi and reproducibility.
With reproducible images in this article I mean that anyone …
July
Arch Linux in July 2024
#
Pacman
#
Pacman v7.0.0 has been released as a major feature version. A new
DownloadUser configuration option allows for dropping privileges when
downloading files to a temporary directory. On top of this security measure,
the new Landlock sandbox also prevents writing outside the restricted download
directory.
Additionally, makepkg removes GITFLAGS support, as it required breaking
changes to git source handling. Furthermore this release addresses unstable git
checksumming influenced by specific user configuration. On top, it now prevents
PKGBUILD from overriding BUILDENV to avoid undesired side effects.
Building vagrant images with mkosi
Last FOSDEM, there where some talks around mkosi using it for kernel
hacking
and systemd integration
tests.
These talks got me interested in mkosi, a systemd project for building OS
images. After chatting some more with the maintainers, I considered the idea of
moving the arch-boxes
project to mkosi. (note …
The sshd service needs to be restarted after upgrading to openssh-9.8p1
After upgrading to
openssh-9.8p1, the existing SSH daemon will be unable to accept new connections (see https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5).
When upgrading remote hosts, please make sure to restart the sshd service
using systemctl try-restart sshd right after upgrading.
We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.
June
Arch Linux in June 2024
#
archinstall
#
The archinstall v2.8.1 update has been released, featuring several bug
fixes and improvements to partitioning and desktop profiles, along with the
introduction of experimental LVM support and the addition of Finnish
translation.
ArchWeb
#
ArchWeb 2024-06-12 has been rolled out, which includes an update to
Django’s latest major version, Django 5.0 as well as small improvements within
our Ruff configuration used as our Python linter.
May
Arch Linux in May 2024
#
Staff
#
We would like to welcome Bert Peters (bertptrs) as well as Giovanni
Harting (anonfunc) as part of the Arch Linux Package Maintainer team.
RFC
#
An RFC has been accepted to introduce “Arch Linux Ports” as testbed for
unofficial architectures until they are integrated in the main Arch Linux
repositories.
devtools
#
We have released devtools v1.2.0, featuring several new enhancements and
improvements. This release includes distro flag changes, notably the addition
of
no-omit-frame-pointer flags and _FORTIFY_SOURCE level 3.
Gnome Search Provider: Emacs Integration
Rationale Emacs users try to avoid leaving their editor for other tasks. There is an shell (Eshell: The Emacs Shell), an integration into Secret Service API (Emacs auth-source Library 0.3) and countless other integrations.
Search is a central element of the Gnome desktop environment. Many applications implement the Search Provider dbus interface to provide suitable results.
The aim of this package is to make these search results also available within the Emacs editor.
The Name Quest
I went on a trip to Mongolia to find out the meaning behind my name.
April
Arch Linux in April 2024
#
Staff
#
Project Leader Election
#
Recently, we held our Arch Linux Project Leader election, and the current
Project Leader, Levente “anthraxx” Polyák, was the sole nominee. As per our
election rules, he has been re-elected for another term. Congratulations to
Levente, and we wish him continued success in his leadership!
RFC
#
An RFC has been accepted to grant all Arch Linux staff members, not
limited to those in packaging roles, the privilege to initiate RFCs directly,
aligning with the broad range of topics these documents encompass.
Arch Linux 2024 Leader Election Results
Recently we held our leader election, and the previous Project Leader Levente "anthraxx" Polyák ran again while no other people were nominated for the role.
As per our election rules he is re-elected for a new term.
The role of of the project lead within Arch Linux is connected to a few
responsibilities regarding decision making (when no consensus can be reached), handling
financial matters with SPI and overall project management tasks.
Congratulations to Levente and all the best wishes for another successful term! 🥳
Ratatui Received Funding: What's Next?
Let's delve into the realm of open source funding along with Ratatui's journey.
Increasing the default vm.max_map_count value
The vm.max_map_count paramater will be increased from the default
65530 value to 1048576.
This change should help address performance, crash or start-up issues for a number of memory intensive applications, particularly for (but not limited to) some Windows games played through Wine/Steam Proton. Overall, end users should have a smoother experience out of the box with no expressed concerns about potential downsides in the related proposal on arch-dev-public mailing list.
This vm.max_map_count increase is introduced in the 2024.04.07-1 release of the filesystem package and will be effective right after the upgrade.
Before upgrading, in case you are already setting your own value for that parameter in a sysctl.d configuration file, either remove it (to switch to the new default value) or make sure your configuration file will be read with a higher priority than the /usr/lib/sysctl.d/10-arch.conf file (to supersede the new default value).
NixOS is not reproducible
Okay, sorry for the clickbait.
NixOS is not reproducible according to the Reproducible Builds definition.
I keep reading people making this claim repeatedly on orange-site, even LWN.net made a similar claim when writing about Nix and Guix earlier this week.1 Along with their recently launched wiki.
So, what is the Reproducible Builds definition?2
When is a build reproducible?
A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
xz Package Backdoor
Please see the Arch main page announcement and take appropriate action.
https://archlinux.org/news/the-xz-packa … ackdoored/
The xz package has been backdoored
TL;DR: Upgrade your systems and container images now!
As many of you may have already read (one), the upstream release tarballs for
xz in version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.
This vulnerability is tracked in the Arch Linux security tracker (two).
The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.
The following release artifacts contain the compromised xz:
- installation medium
2024.03.01 - virtual machine images
20240301.218094and20240315.221711 - container images created between and including 2024-02-24 and 2024-03-28