2021-12-27
The libxml2 package prior to version 2.9.12-6 was missing the compiled python modules. This has been fixed in 2.9.12-6, so the upgrade may need to overwrite any untracked pyc files created. If you get errors like these
libxml2: /usr/lib/python3.10/site-packages/__pycache__/drv_libxml2.cpython-310.opt-1.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/drv_libxml2.cpython-310.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/libxml2.cpython-310.opt-1.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/libxml2.cpython-310.pyc exists in filesystem
when updating, use
pacman -Syu --overwrite /usr/lib/python3.10/site-packages/__pycache__/\*
to perform the upgrade.
Jan Alexander Steffens@Official News
2021-11-21
The full configuration for this article can be visited here: https://github.com/shibumi/infra/tree/pulumi-migration
This weekend I had finally some time to have a longer glimpse on Hetzner and Pulumi. Pulumi sparked my interest for a pretty long time now after reading Engin’s blog post about pulumi and Microsoft Azure. I tried Pulumi earlier, but I gave up pretty fast, because it had no Netlify support. The missing Netlify support did not change, but I did not want to invest time in my Terraform configuration, hence I decided to have a look on Pulumi instead.
Christian Rebischke
2021-11-13
As Arch Linux package maintainer I heavily rely on a secure upstream and a secure source code distribution process. I have spent days or maybe even weeks discussing with maintainers why I rely on a secure upstream and how important signatures on tags, commits or source tarballs are. Many maintainers have started signing their source tarballs after such a discussion, others mentioned problems with their PGP keys and a minority saw signing their source tarballs as waste of time.
Christian Rebischke
2021-11-10
This article is a short followup to my last article about cosign. I received many questions for my last article. The most common one was:
“But wait! If the certificates are only valid for 30 minutes, how are my users supposed to validate my artifacts?”
This is very common misconception and to be honest: I ran into the same trap at first. The terms “ephemeral” or “short-lived” do not refer to the signature validation.
Christian Rebischke
2021-11-07
While reading the cosign-installer I have stumbled upon these lines in the documentation:
- name:SigntheimageswithGitHubOIDC**notproductionready**run:cosignsign-oidc-issuerhttps://token.actions.githubusercontent.com${TAGS}env:TAGS:${{steps.docker_meta.outputs.tags}}COSIGN_EXPERIMENTAL:1The shown lines are a step of a Github Action and are still experimental, but very interesting. It allows to sign a docker image via making use of the OpenID Connect standard. OpenID Connect can be summarized as follows: If you login into Github, Github will create a number of tokens. These tokens are then associated with your Github Action and with these tokens you can sign any artifact.
Christian Rebischke
2021-10-18
rebuilderd 0.15.0 very recently released, this is a short intro into what it is, how it works and how to build our own integrations!
rebuilderd monitors an index of artifacts and parses it into a datastructure that looks like this. In the most basic case, based on the
distro field it’s going to pick the right build script and attempt to generate an artifact identical to the file linked to in
url.
We’re starting with a script that generates a json. In our case we’ll simply hard-code all values for demonstration purpose. Most of these values can be arbitrary …
kpcyrd
2021-09-30
This is the monthly report of what I’ve been up to in September 2021. 🙌
Reproducible Builds
There have been 3 releases of rebuilderd this month,
0.14.0, and two minor bugfix releases,
0.14.1 and
0.14.2.
The 0.14.0 release introduced experimental support to rebuild
Tails images in
#66. Tails is a portable operating system that’s known for it’s strong focus on privacy and security, and commonly used by activists, journalists and various human-rights NGOs. It already had reproducible images for a long time (since around 2017), but you had to reproduce the images manually. Starting with this release …
kpcyrd
2021-09-24
In this article I want to give a short overview over the current state of Arch Linux with respect to cloud native technologies. I would like to show why I think Arch Linux is perfect as a daily driver in the cloud native ecosystem and how the current state of cloud native software in Arch Linux looks like.
Reason Nr 1: Security At Arch Linux we take security very seriously. Our newly selected project lead has a strong security background (founding member of the Arch Linux security team) and member in a CTF group.
Christian Rebischke
2021-09-01
In looking to moving my phone to LineageOS, I've started thinking about moving
my mail, contacts and calendar data to my own server. After researching solutions for a while, I decided to try out
xandikos. A simple Python carddav/caldav server intended for a single user with a basic feature …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2021-08-31
This is the monthly report of what I’ve been up to in August 2021. 🙌
Reproducible Builds
There are many different reasons to be interested in Reproducible Builds. When I originally got involved in the project I wasn’t a maintainer in any Linux distribution yet, instead I was wondering if there’s a way to distribute pre-compiled artifacts as an independent open source dev without carrying all the responsibility alone.
A few years later I’ve now published a manual called
i-probably-didnt-backdoor-this. It contains a hello world program and instructions on how to reproduce the various pre-compiled artifacts, explains all build …
kpcyrd
2021-08-21
A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub.
The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53
This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot.
The Boot Process For the past decade most computers have two ways to boot.
Morten Linderud
2021-08-17
Due to
recent political events there’s an increased interest in Afghanistan’s websites. This is a tutorial on how to run sn0int on
.gov.af to enumerate as many sites as possible for
archival purpose.
Installation
sn0int can be installed with
pacman -S sn0int or
brew install sn0int.
Enumerating an eTLD
We’re going to start sn0int in a new workspace that we call
gov-af. This can be any name, it’s just a way to organize our data.
We’re then creating a
gov.af domain object in sn0int so we can run investigations on it. This is technically not how the …
kpcyrd
2021-08-13
Some Linux distributions (like Alpine and Arch Linux) are shipping something called “python bytecode” in their packages. It’s stored in .pyc files and is generated during the package build. They’re stored in __pycache__ folders and can be seen here:
% tar tvvf /var/cache/pacman/pkg/python-wsproto-1.0.0-1-any.pkg.tar.zst
-rw-r--r-- root/root 5053 2020-12-09 16:24 .BUILDINFO
-rw-r--r-- root/root 2497 2020-12-09 16:24 .MTREE
-rw-r--r-- root/root 436 2020-12-09 16:24 .PKGINFO
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/lib/
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/lib/python3.9/
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/lib/python3.9/site-packages/
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/lib/python3.9/site-packages/wsproto/
drwxr-xr-x root/root 0 2020-12-09 16:24 usr/lib/python3.9/site-packages/wsproto-1.0.0-py3.9.egg-info/
-rw-r--r-- root/root 6997 …
kpcyrd
2021-08-01
At the end of July, I had some days off and some more time to focus on some unreproducible packages in Arch Linux and get some of the issues resolved. This post goes through the resolved issues by category.
gzipped man pages
By default if a manpage is compressed with …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2021-08-01
Hello and welcome to another article about Kubernetes. In this article we will go through the Kubermatic installation on Hetzner Cloud. But first of all let us go through a few questions:
What is Kubermatic and why do I need it? Kubermatic abstracts different Kubernetes clusters and providers for you. It does not matter if you want a cluster on Amazon, Google, Hetzner, vSphere or on-premise. With Kubermatic you can easily bootstrap new clusters in your favorite location with your favorite cloud provider or on-premise.
Christian Rebischke
2021-08-01
Quite a while ago, Arch Linux has turned on many binary security features via compilation flags (2016)1 or turned off options that are known to help exploit software (debugging symbols, RPATH). Now we have 2021 and Arch Linux made good experience with the additional security options.
We made good experience on Arch Linux with the following flags so far:
FULL RELRO (Full Relocation Read-Only)2 STACK CANARY3 NX-Bit4 PIE (Position Independent Executable/Code)5 Setting no RPATH6 Setting no Symbols FORTIFY7 Some of these flags are known to have effects on performance.
Christian Rebischke
2021-07-29
During summer 2017 I picked up Rust as one of my programming languages. Since this was my first compiled programming language (ignoring some of my early C antics), I was faced with one inherent problem: “How do I distribute pre-compiled binaries without getting
SolarWinded?”. Granted, those might not have been my exact words back in Fall 2017, but I was intrigued by this problem and got involved in the
reproducible builds project as a volunteer contributor.
About 4 years later this is now changing to part-time open source security research thanks to sponsoring by Google & The Linux Foundation! …
kpcyrd
2021-07-23
Today we’ve noticed a disagreement between the Arch Linux rebuilders about the “cross” package, a popular @rustlang cross-compile tool. One rebuilder reported they’ve succesfully reproduced the package, while the other reported they couldn’t. Let’s have a look what that means.
The official rebuilder says “yup, we took the official package, took the source code, built it in the same environment and got a bit-for-bit identical package, there was probably no build-server compromise (or if there was, they at least didn’t mess with this build)”.
Another rebuilder also tried but had less luck. It periodically retries to get a match with …
kpcyrd
2021-07-22
Feeling inspired by watching
togglebit's Rust/Vim setup and having some spare time due to my summer vacation I started re-investigating my Vim setup. For my setup I was looking for the following features/areas to improve:
- Git integration
- Debugging projects in vim
- Language server features, completion, go to …
Jelle van der Waa (jelle@vdwaa.nl)@Jelle van der Waa
2021-06-30
Alrighty, we initially planned a part two with NixOS, but 1) we’d have to learn scheme (and we’d rather not) 2) somebody needs to to do it for alpine anyway. Pack yo toothbrush, we got supplychains that need securin’!
First of all,
@ariadneconill went up and beyond and un-dead-ended us by implementing –ignore-devno and –renumber-inodes in cpio.c, sending patches to busybox and then uploading a patched busybox 1.33.1-r3 to alpine for us to continue with. Outstanding work!
This looks really good, the initramfs is indeed reproducible now as it’s not showing up in the diff anymore. The APKINDEX.tar.gz is a …
kpcyrd
2021-06-26
Ever wondered if that raspi is actually running the code it’s supposed to? Today we’re taking Alpine Linux as a base and trying to make a reproducible image, so an independent party can verify the image is legitimately built from source. All patches are going to be sent upstream.
It’s mostly mtimes, so we’re starting by editing ./mkimg.base.sh and introducing SOURCE_DATE_EPOCH support to normalize it. After that diffoscope shows 3 files that actually differ in content. We’re going to focus on the initramfs first and look into the APKINDEX.tar.gz later.
This turned out slightly tricky, we’re excluding rpi2 support to …
kpcyrd
2021-06-17
Today’s blog article is a more unusual one. If you know me in person you would not connect me to web development, but yet here we are. So, how do I got here? One student at my university has asked me if I could help and have a look on their code. He was working on unit tests with Selenium on a very beginner friendly level. This is how I got more interested in this topic.
Christian Rebischke
2021-06-08
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and
SHA1) are no longer accepted for new passwords. Users that still have
their passwords stored with a weak hash will be asked to update their
password on their next login.
If the login just fails (for example from display manager) switch to a
virtual terminal (Ctrl-Alt-F2) and log in there once.
Christian Hesse@Official News
2021-05-24
As some of you may have read over the past days, there has been an ownership dispute over the
freenode.net network. The IRC network has been used by Arch Linux and many other projects over the past decades as a platform for discussion and support.
The dispute led to the exodus of most former freenode staff from the network and the founding of a new network:
libera.chat
Starting today, Arch Linux and its sister projects
Arch Linux ARM and
Arch Linux 32 will begin migrating the official IRC channels from freenode.net to libera.chat. Please bear with us as this can take some time to be fully settled in.
We thank the freenode community for the many years of great service and collaboration.
David Runge@Official News
2021-05-21
In today’s article I would like to shine some light on my local terminal setup. My setup consists of ZSH and Alacritty. ZSH or the Z shell is an extended variant of the Bourne shell (bash). It comes with a few useful features and extensions. Many people use the ZSH mostly for nice shell prompts or tab completion. This article will be about more advanced features, like custom shortcuts. Alacritty is a terminal emulator written in Rust.
Christian Rebischke
