Arch Linux

Following a long discussion and a recent vote, the role of "Trusted User" has been renamed "Package Maintainer":

• https://gitlab.archlinux.org/archlinux/ … /7/commits
• https://lists.archlinux.org/archives/li … XV2KS5OSC/

The role remains the same. The forum titles have been updated accordingly.

I have spent a fair amount of time hacking on debug packages the past two years. This work resulted in Arch Linux announcing the public debuginfod server which allows users to download symbols and source code to debug software running on their system. With this service users don’t need to figure out what the debug packages are called, installing them and maybe removing it afterwards. It also saves a fair amount of data you need to download.

NBD 用于提供块设备给远程设备使用是一种非常简便、低成本的方法。然而，让 NBD 开始工作的方法在网上能找到很多，但是 NBD 客户端的配置持久化却很难搜到比较完整的资料。在参考了一些过时博客、manpage 等比较分散的资料之后，我总算是凭借蛛丝马迹找到了应当是正确的配置方法。 1、自动加载 nbd 内核模块 echo nbd > /etc/modules-load.d/nbd.conf （虽然——我觉得这件事应该在 nbd 包里完成，因为上游不愿意默认提供的理由只是为了考虑 nbd 未被编译为内核模块的情况。） 2、/etc/nbdtab 没错，光是发现这个东西就花了我不少时间。 nbd 服务器、连接选项等本来在 nbd-client 命令中配置的内容，应当被写到这个文件里。 一个简单的例子： nbd0 192.168.0.10 export0 persist 显而易见，分别对应设备名、服务器地址、服务器上配置的 export 名、其他选项。完整的介绍可以参考对应的 manpage。 3、/etc/fstab 和 nbd@<设备名>.service 到这里就是最后一步了，也是非常容易出错的一步。 此处的设备名应当和 nbdtab 内配置的设备名相符，nbdtab 的配置由这个对应的服务应用。和其他网络设备一样，挂载点、挂载相关的配置应当设置在 /etc/fstab。 这里需要使用 x-systemd.requires 来声明对 systemd 服务的依赖关系。由于服务会被这个依赖关系自动唤起，不需要手动 enable 服务。 /dev/nbd0 /var/lib/archbuild btrfs defaults,x-systemd.requires=nbd@nbd0.service,_netdev,nofail 0 … Continue reading [Arch] systemd 时代的 NBD 客户端持久化配置方法 The post [Arch] systemd 时代的 NBD 客户端持久化配置方法 first appeared on Felix's Blog.

最近 Arch Linux 终于把 OpenSSL 更新到了 3.x 系列版本。一直以来，在处理涉及打包工具链本身的 soname bump 等更新问题时，我们一直缺乏一个透明、优雅的流程。 以往采用过的方法包括但不限于：临时往编译环境里手动塞旧版本兼容包、手动在过渡版本的新版 PKGBUILD 里再编译一份旧版包然后把 lib 装进去等。由于处理这件事的开发者一般独自完成了整个过程，留下来的资料除了 IRC 里的寥寥几语往往十分有限，对于其他开发者、或是下游发行版试图重现这个过程来说，都是一个比较痛苦的过程。 这一次趁着 OpenSSL 3 的机会，本喵深度参与了整个 bootstrap rebuild 过程，并且在 RISC-V port 里复现了一遍。现在记录一下大致的过程和遇到的问题，以备不时之需。 1、首先把旧版库打包，使其可以与新版库同时安装。 openssl-1.1：https://github.com/archlinux/svntogit-packages/commit/d50ecccc79b637830b71795bd919e6467e118ef0 由于需要避免文件冲突，相应的编译选项（–libdir）和 package() 过程中做了一些兼容性处理。如果这个包还需要在 rebuild 之后留下来，比如这次的 openssl-1.1 的情况，头文件和 pkgconfig 的 .pc 文件也需要做处理。如果只是作为兼容包，可以仅保留带 soname 和具体版本的库文件本身。（当然，这种情况下也可以考虑在新版包里直接编译一份旧版库安装进去，毕竟只是临时使用。） 2、让新版库临时依赖旧版库的包 https://github.com/archlinux/svntogit-packages/commit/eef05b437f55c4d9403668ebdc27973c6a6c2134#diff-37538beb61ff63edebbf735dfcf39e5d732f49183d6beb097169d971875ca422R56 这里用到的技巧是，在 package() 方法内追加 depends，以避免编译环境中提前引入这个依赖，产生文件冲突（此时的仓库中，原包名对应的包仍然是旧版本，和 openssl-1.1 兼容包存在文件冲突）。 3、用此时的环境 rebuild 整个工具链需要用到的基础包 这一步具体要处理哪些包需要仔细分析。以这次 … Continue reading [Arch] OpenSSL 3 更新杂记 The post [Arch] OpenSSL 3 更新杂记 first appeared on Felix's Blog.

我在选镜像站的时候，总会遇到一个矛盾：镜像站访问快、镜像站和上游同步延迟低（同步到了最新的包）两者不可兼得。 比较容易想到的解决思路是：只从同步延迟低的镜像下 db，然后从速度快的镜像开始依次试，跳过 404 的镜像，直到找到一个已经存在该文件的镜像。 在过往的十来年里，我一直是通过写一个脚本来分别给 pacman -Sy 和 pacman -Su 设置不同的镜像来勉强解决的。但是这个用法在 pacman 最新系列中被破坏了——pacman 加入了一个镜像站如果 404 次数过多，在同一次更新中就再也不尝试了的新行为。 想到以往的用法会在命令中夹杂许多 404 报错，需要专门的脚本来换镜像体验也并不是很好，我写了个非常简单的本地服务来实现这个需求： #!/usr/bin/ruby # # A simple local redirector for pacman, to get you the latest packages and # utilize available mirrors. # # Usage: # - Set multiple mirrors in /etc/pacman.d/mirrorlist-accel with ordering: # https://fastest-mirror-but-updates-once-a-day/archlinux/ # … Continue reading 用 pacman-accel 给 pacman 加速 The post 用 pacman-accel 给 pacman 加速 first appeared on Felix's Blog.

Hello there. I have not written a new article for quite a time now, but the waiting is finally over. Here comes the article everyone of you ever waited for. Let us install Arch Linux on ChromeOS together. Yihaaaa… (Not quite what you expected? Feel free to drop this article :‘D). If you are reading this, this means you are still here. Nice. So, let us start with a short explanation on why I am doing this:

I’ve released a new tool to manage lockfiles for Arch Linux packages that can’t use a lockfile from the official upstream release. It integrates closely with other Arch Linux tooling like updpkgsums that’s already used to pin the content of build inputs in PKGBUILD. To use this, the downstream lockfile becomes an additional source input in the source= array of our PKGBUILD (this is already the case for some packages). source=("git+https://github.com/vimeo/psalm.git#commit=${_commit}" "composer.lock") You would then add a new function named updlockfiles that can generate new lockfiles and copies them into $outdir, and a prepare function to copy the lockfile in the right place: prepare() { cd ${pkgname} cp ../composer.lock . } updlockfiles() { cd ${pkgname} rm -f composer.lock composer update cp composer.lock "${outdir}/" } To update the package to the latest (compatible) patch level simply run: updlockfiles This can also be used in case upstreams lockfile has vulnerable dependencies that you want to patch downstream. For more detailed instructions see the readme. Thanks This work is currently crowd-funded on github sponsors. I’d like to thank @SantiagoTorres, @repi and @rgacogne for their support in particular. ♥️

Python 2 went end of life January 2020. Since then we have been actively cutting down the number of projects depending on python2 in our repositories, and we have finally been able to drop it from our distribution. If you still have python2 installed on your system consider removing it and any python2 package. If you still require the python2 package you can keep it around, but please be aware that there will be no security updates. If you need a patched package please consult the AUR, or use an unofficial user repository.

As part of dropping Python 2 which is EOL, we have migrated our mailing lists from mailman2 to mailman3. Rewriting of the "From" header and subject (to prepend the list name) have been disabled to keep the DKIM signature intact. This means "reply to mailing list" must be used when replying to the list and you may need to update your filters and rules matching the "From" header. All existing subscriptions are migrated and you do not need to re-subscribe. For managing your subscriptions a new mailman3 account must be registered.

Recent changes in grub added a new command option and changed the way the command is invoked. Depending on your system hardware and setup this could cause an unbootable system due to incompatibilities between the installed bootloader and configuration. After a grub package update it is advised to run both, installation and regeneration of configuration: grub-install ... grub-mkconfig -o /boot/grub/grub.cfg For more specific information on grub-install, please refer to the wiki: GRUB - ArchWiki

In this new blog series, I would like to introduce you to the daily adventures of an Arch Linux package maintainer. This time, we will have a look at reproducible package builds. Reproducible package builds are very important for us, as package maintainers, because reproducible package builds create an independently-verifiable path from source to the final package. This means, every Arch Linux user can verify that noone tampered with the Arch Linux package build process.

wxWidgets 3.2 provides a Qt frontend in addition to the GTK3 one, so packages have been renamed from wxgtk- to wxwidgets-. The GTK2 frontend is no longer provided. If you have wxgtk2 installed, the upgrade will fail with error: failed to prepare transaction (could not satisfy dependencies) :: removing wxgtk-common breaks dependency 'wxgtk-common' required by wxgtk2 In such case, uninstall wxgtk2 first and then proceed with the upgrade.

In Packaging for Arch Linux I described the ins and outs of binary repository management and some of the issues that come with the tooling currently used by Arch Linux. In this article I will highlight the work on new tooling and its features. Since my last write-up on this topic, the project formerly known as arch-repo-management has been renamed to repod (as in repo-d) and has just seen its first minor release. 🎉 You can find its documentation at https://repod.archlinux.page. Read more… (2 min remaining to read)

While in a discussion with my coworkers, a coworker brought up that they wanted to have automatic LUKS disk decryption on their desktop while it was at home. Normally they would use a passphrase to decrypt the LUKS volume but would prefer automatic decryption. There are multiple ways to achieve …

这两天翻出来了去年代收的 PolarFire SoC Icicle Kit。因为隔壁的 FPGA 大佬们看不上这块板子，我打算尝试物尽其用一下，目标只是用板子上的 RISC-V 核启动 Arch Linux RISC-V 的 rootfs 测试（把它当作一块 SD 卡槽没有问题、并且带 PCIE 的 HiFive Unleashed 来用。隔壁嵌入式群的大佬们：买椟还珠！）。如此便开始了年轻人的 FPGA 初体验（可能还是不能算）。 噩梦的开始 一开始尝试的当然是最新版的 Yocto 镜像，毕竟这是“官方”的 Linux 镜像。结果刷完后立刻遇到了启动失败： 一开始我还以为是 SD 卡坏了。在多次尝试未果后…… 当时的猜测是（不一定对），可能因为板子上 FPGA 部分（抱歉，我不知道专业的称呼）不够新，所以我打算刷一下 HSS。结果这成为了噩梦的开始。 可怕的“硬件”工具链 我最初参考的文档来自 U-boot：https://u-boot.readthedocs.io/en/latest/board/microchip/mpfs_icicle.html 这份文档可能已经颇为过时，里面编译 HSS 的部分从一开始就找不到名叫“icicle-kit-es”的 BOARD. 在我加上 mpfs- 前缀，并根据后续报错依次按照我的 CROSS 工具链目标修改了 PLATFORM_RISCV_ABI=lp64d PLATFORM_RISCV_ISA=rv64gc 之后，我遇到了第一个大魔王：SoftConsole。 好在这个工具可以无需注册直接下载。 顺利安装完成后，按照要求设置 SC_INSTALL_DIR，我终于看到了……下个错误：缺少 … Continue reading 萌新的 PolarFire SoC Icicle Kit 初体验 The post 萌新的 PolarFire SoC Icicle Kit 初体验 first appeared on Felix's Blog.

I don't use Spotify or any other streaming platform for listening to music. Some call it old habits, some call it needless effort, but I'm very used to downloading MP3 files over the internet and putting them in a folder on my phone then using the whatever default media player I have installed. However, for a couple of years, I have been following a better and automated approach for taking my music offline and feeling a bit less like I'm in a consumerism bubble.

I noticed there’s a common anti-pattern in some PKGBUILDs, the short scripts that are used to build Arch Linux packages. Specifically we’re looking at the part that references the source code used when building a package: source=("git+https://github.com/alacritty/alacritty.git#tag=v${pkgver}?signed") validpgpkeys=('4DAA67A9EA8B91FCC15B699C85CDAE3C164BA7B4' 'A56EF308A9F1256C25ACA3807EA8F8B94622A6A9') sha256sums=('SKIP') This does:

• ✅ authentication: verify the git tag was signed by one of the two trusted keys.
• ❌ pinning: the source code is not pinned and git tags are not immutable, upstream could create a new signed git tag with an identical name and arbitrarily change the source code without the PKGBUILD noticing.

In contrast consider this PKGBUILD: source=($pkgname-$pkgver.tar.gz::https://github.com/alacritty/alacritty/archive/refs/tags/v$pkgver.tar.gz) sha256sums=('e48d4b10762c2707bb17fd8f89bd98f0dcccc450d223cade706fdd9cfaefb308') …

As Google announced Gsuite is no longer free and I moved to GrapheneOs to de-google further, the last frequently used Google application I use is Youtube. For a long time Youtube has support for RSS feeds for channels although they are not publicly visible. I usually watch videos in my …

Two days ago the wireplumber package was made to replace pipewire-media-session as the latter session manager for PipeWire is considered dead upstream and will see no more releases. Unfortunately, this step was premature. Our pipewire audio packages (pipewire-alsa, pipewire-jack and pipewire-pulse) ship configuration that prompt media-session to activate PipeWire's audio features. When these packages are not installed and the configuration is missing, PipeWire can be used for screen recording without interfering with ALSA or PulseAudio. WirePlumber disregards this mechanism and always configures PipeWire to grab audio devices, meaning users of PulseAudio or bare ALSA experience broken audio. The replacement has been reverted while we attempt to look for a better solution switching to WirePlumber. If you are currently not using PipeWire for audio and wireplumber got installed on your system, please reinstall pipewire-media-session and reboot to restore audio functionality. pacman -Syu pipewire-media-session

With the update to qemu 7.0.0 the package has been turned into a more fine grained split package utilizing meta packages.

• The qemu package is now virtually provided by the meta packages qemu-base, qemu-desktop and qemu-full.
• The functionality of qemu prior to 7.0.0 is replaced by qemu-desktop
• The functionality of qemu-headless is replaced by qemu-base
• The functionality of qemu-arch-extra and qemu-headless-arch-extra is replaced by qemu-emulators-full
• The meta package qemu-full provides all QEMU related packages (excluding qemu-guest-agent)

Recently one of my clients requested me to maintain their Rust project. It is a web server that is built with Rocket + Diesel and running stable for a couple of years now. Like any other Rust developer would do, the first thing that I checked was the outdated dependencies via cargo-outdated. The result was close to what I expected: most of the dependencies were out-of-date. However, among all those crates, rust-jwt caught my eye. It was 12 minor versions behind!

sysctl is a simple and great tool for modifying the kernel parameters. It does its job very well by providing an easy-to-use interface for /proc/sys. It is maintained as a part of procps toolkit for years and it can easily be considered a legacy tool today. So why not push it to its limits and turn it into a more user-friendly and even more useful tool with the power of Rust?

Lets prefix this with: I really love Transparency Logs! It’s a fairly simple concept: If you hash elements together in a binary tree, you can validate and verify if elements are present on a tree by hashing a couple of elements. This is what is commonly known as a Merkle tree. I forget the math, but if you have a tree with a million items, you would only really need less than 10 hashes (I think) to figure out what the hash of the top node would be.

In Arch, a recap I elaborated a bit on my reasons for getting involved with Arch Linux. In this post I would like to highlight a few technical details and give a "behind the scenes" when it comes to packaging on and for Arch Linux. This post is written from the viewpoint of a distribution packager, but it is likely to contain information also useful to people packaging on different distributions or for private purposes. Read more… (21 min remaining to read)

Hello and welcome to another blog article. Today, I would like to discuss one feature of Go 1.18, that I am interested in. No, this will not be another article about generics. The feature I would like to write about is something that might be under the radar for most people, but it still might be useful. If you ever wrote a CLI app in Go you are very familiar with injecting information during the build process into global variables.