Re: [arch-general] USB flash installation medium in BIOS machines
> There are only my 2 installed hard drives plus a "USB HDD: ..." option. > I am very positive that this laptop is legacy BIOS only and that it is > somehow wrongly identified as UEFI? It can't be "wrongly identified as UEFI". If the laptop didn't support UEFI, then you wouldn't even see the systemd-boot menu, because there wouldn't be anything to *load* systemd-boot, or support it running. systemd-boot is designed to exclusively run in the UEFI environment, and it just can not work at all in a BIOS environment. >>> I see the boot menu (which looks like systemd-boot menu) with only options >>> for UEFI boot and EFI shell option. -- damjan
Re: [arch-general] No login after update
> I don't see what all the fuss is about > > If you're using Arch, then you should: > > 1. Check Arch news before running update > 2. Update regularly > 3. Watch output from pacman for warnings/advice > 4. Run pacdiff after update and before reboot > > After step 4 there are no longer any pacnew files That would have shown that the new file doesn't have pam_tally2, it wont say you wouldn't be able to login after reboot. actually, even assuming you would know to fix the issue, but you didn't fix the problem immediately and you went to make a coffee - your screen saver was activated, you are locked out. Now I don't understand all the defensiveness - let's all work together to improve things. This is not a non-issue. -- damjan
[arch-general] pam-1.3.1-2 -> 1.4.0-3 breaking change
it seems the 1.4.0-3 removed the tally/tally2 modules and (for some reason) I had `auth required pam_tally2.so` in /etc/pam.d/system-login. Of course that broke the login and I had to rescue the installation from a bootable USB. I wonder if there can be some pam-lint tool that checks your /etc/pam.d/ after upgrades. -- damjan
Re: [arch-general] mkinitcpio hook for custom root decryption with systemd boot
On Thu, 23 Jul 2020 at 12:09, Riccardo Paolo Bestetti via arch-general wrote: > > I have root encryption set up on my system and I currently boot with the > sd-encrypt and sd-lvm hooks. > > I would like to change my current crypto setup in a way that would require > more step to unlock the root than just typing in a passphares. For this > reason, sd-encrypt clearly cannot serve my use case. > > For this reason, I would like to write a custom hook to mount the root > volume. Now, systemd boot doesn't have a concept of runtime hooks. Thus, I > need to make a systemd unit that gets pulled in by cryptsetup.target in the > place of systemd-cryptsetup@.service. (Basically, I need to replace the whole > systemd-cryptsetup-generator and systemd-cryptsetup logic.) > > However, I really have no idea on how to achieve this. Should I write a > custom mkinitcpio hook which completely bypasses sd-crypt/cryptsetup.target > and instead starts a different unit with my own decryption logic? Or is there > a way to hook into cryptsetup.target and instruct it to pull in my logic > instead of systemd-cryptsetup*? > > Of course, the other possibility is to just stop using a systemd boot and > instead setting up a busybox early userspace. Then it's just a matter of > writing a shell script. However, since I'm already using systemd for > everything - from the bootloader to userspace - I don't think it makes much > sense to do that. > > Any help/guidance/suggestion/criticism is highly appreciated. > > Riccardo Paolo Bestetti haven't looked more deeply into it, but luks/dm-crypt/cryptsetup can use keys in the kernel keyring. So maybe it would be enough for you to have a service that configures the keyring before the cryptsetup service. https://fossies.org/linux/cryptsetup/docs/Keyring.txt -- damjan
Re: [arch-general] pacman --assume-installed in a config file?
> > noto-fonts is pulled as a dependency of plasma-integration, but I > > don't want it installed since it takes over the default fonts (ships > > an aggressive fontconfig configuration) for many websites, and looks > > quite bad *for me* (on a 14" FHD display). > > It's also a 90MB package I don't need. > > Hmm, I wonder why it is a hard dependency instead of being used via > ttf-font? I guess it's because plasma-integration ships a /usr/share/kconf_update/fonts_global.pl script that does some font replacements. https://github.com/KDE/plasma-integration/blob/master/src/platformtheme/fonts_global.pl -- damjan
[arch-general] pacman --assume-installed in a config file?
I often find myself using the `assume-installed`[1] option of pacman when doing upgrades, since I want to avoid some (for me) nonsensical dependencies to be installed. Is it possible to configure this in some config file, so I don't have to remember to type it all the time? [1] sudo pacman -Syu --assume-installed noto-fonts noto-fonts is pulled as a dependency of plasma-integration, but I don't want it installed since it takes over the default fonts (ships an aggressive fontconfig configuration) for many websites, and looks quite bad *for me* (on a 14" FHD display). It's also a 90MB package I don't need. -- damjan
Re: [arch-general] USB not assining port number
> but no USB port given > > lsusb gives > Bus 002 Device 011: ID 1781:0c9f Multiple Vendors USBtiny what is this "usb port" that you expect? USBtiny is a HID device as far as I can remember. -- damjan
Re: [arch-general] sway package systemd service
> > the sway package repo includes a systemd service: > https://git.archlinux.org/svntogit/community.git/tree/trunk/sway.service?h=packages/sway > > This file is not included in the package though. Is this systemd > service ready to use or just an obsolete artifact? while on this topic, see the files here, how to integrate sway with systemd --user even better https://github.com/xdbob/sway-services -- damjan
Re: [arch-general] Why "systemd --user" process hanging around after logout?
On Fri, 24 Jan 2020 at 20:50, David Rosenstrauch wrote: > > I've noticed recently that even after I log out of my desktop env (XFCE) > there is a process tree left hanging around running "systemd --user" > under my user ID (with a bunch of gvfs child processes running under > it). https://github.com/systemd/systemd/blob/v240/NEWS#L299 -- damjan
Re: [arch-general] [mkinitpcio] running as non-root creates non-root files in the cpio
> > Alternatively, is there a better place for reporting mkinitpcio> > issues, > > and sending patches? > > I've assigned the bug to the main maintainer, but note that there is > also a Github repo in the archlinux org. > > https://github.com/archlinux/mkinitcpio Thanks, didn't know the github repo -- damjan
[arch-general] [mkinitpcio] running as non-root creates non-root files in the cpio
I've already opened a bug issue, and supplied a patch at https://bugs.archlinux.org/task/65006 but except from the first comment by dreisner, there's not much activity. Is it ok if I escalate here? :) Alternatively, is there a better place for reporting mkinitpcio issues, and sending patches? -- damjan
Re: [arch-general] do i need to configure mkinitcpio.conf for my md array ?
On Thu, 16 Jan 2020 at 14:46, Shadrock Uhuru via arch-general wrote: > > > Hi > i have just configured my 4 disk raid 10 array with mdadm > the filesystem is ext4 unencrypted > and arch is installed on a separate disk > do i need to reconfigure mkinitcpio.conf for my md array > so that the array is assembled and started at boot, > all the examples i've seen have arch installed on the raid array > including the example in the wiki https://wiki.archlinux.org/index.php/RAID > i have not reboot the new array yet > so i would like to make sure everything necessary is configure before i do > that. you need the "mdadm" hook in HOOKS in /etc/mkinitcpio.conf, and rebuild the initramfs. the hook would auto-detect the raid setup, but it will also include /etc/mdadm.conf if it exists. -- damjan
Re: [arch-general] journalctl
On Mon, 2 Dec 2019 at 10:26, Pascal via arch-general wrote: > > hello, > when I use journalctl to track system events, I introduce line breaks for > better readability. > like multitail, I would like to introduce more verbose line breaks... > I wrote these few lines but it doesn't work as expected : > > exec 6<&0 > exec 0< <( while :; do read -sn1 k; echo $'\n'"# $( date +%H:%M:%S ) > ---"$'\n'; done ) > journalctl -f > exec 0<&6 6<&- > > the second instruction "exec 0< <( while..." played alone works perfectly > in my terminal, but not as a redirection for journalctl. > any leads ? > regards, lacsaP. Why don't you just replace the PAGER/SYSTEMD_PAGER from less to your own tool (multitail even? never used it). -- damjan
Re: [arch-general] New kernel packages and mkinitcpio hooks
On Mon, 11 Nov 2019 at 09:18, Ondřej Hruška wrote: > > Hi, > I have a question regarding the kernel changes. > > It sounds like it might break my dm-crypt/luks setup with un-encrypted > /boot partition, if the kernel is not in /boot anymore? the kernel is no longer installed in /boot by the kernel package, but by post-install mkinitcpio scripts. So it ends back there in /boot anyway. -- damjan
Re: [arch-general] [arch-dev-public] New kernel packages and mkinitcpio hooks
> This has been discussed a bit on the dracut thread, as well on some other > threads over time. > I *personally* don't like the complexity of kernel-install that much. I've now read this twice on Arch mail lists, so I have to ask, without any presumptions on my side, what are the arguments against kernel-install? I must say, I don't see much complexity in it. It's only a 184 line bash script[1]. And as added feature, it decouples the kernel install from the kernel package install (and pacman), also defines couple of easy-to-use config locations like /etc/kernel/cmdline But I guess I might be missing something. [1] especially compared to dracut (not that they do the same thing), which seems much more complex, and that complexity did introduce bugs - for which I've sent a PR -- damjan
Re: [arch-general] new packaging of the kernel/mkinitcpio/kmod
On Thu, 31 Oct 2019 at 14:55, Giancarlo Razzolini wrote: > > Em outubro 31, 2019 9:46 Damjan Georgievski via arch-general escreveu: > > Can someone explain in better detail the changes in > > * kmod 26-3 > > * mkinitcpio 27-1 > > * linux 5.3.8.1-1 > > around packaging and pacman hooks? > > > > I can see there's some reorganization of the hooks and scripts, and > > the kernel package no longer > > installing directly to /boot (which is a welcome change, the kernel is > > now only in /usr/lib/modules/5.3.8-arch1-1/vmlinuz) > > but it's not easy for me to reverse-understand what the bash scripts do > > exactly. > > > > I'm asking because I also use pacman hooks on the kernel and some > > other files in order to create my combined kernel+initramfs+cmdline > > UEFI executable signed for secure-boot, and it seems I'll have to > > adopt to a newer setup. > > > > > Hi Damjan, > > The kernel does not install itself anymore to /boot, as you've noticed. But, > the mkinitcpio > hook does that. For now, we are replicating the same behavior as before, but > with a little > more flexibility. > > > I'm working on dracut hooks for doing a similar job, but the idea is that we > eventually will > be more flexible with our booting, giving the user more options. Keep an eye > on the Arch announce > mailing list, as well as the news on the Arch site. > > As for your hooks, we made so that the mkinitcpio hook runs at the same step > the previous linux > hook would. So, there shouldn't be any incompatibilities. But, it depends on > what your hooks are. > Also, you can completely override the mkinitcpio hooks by linking their > filenames to /dev/null on > /etc/pacmand.d/hooks directory. But you'll be left doing the kernel > installation on your own. Thanks for the info Giancarlo, it's true that my hook works as before (I've tested that), but even my original hook was suboptimal anyway, since I needed to define one hook per kernel package. I'm wondering if I can make a more general hook, for example triggering on usr/lib/modules/*/pkgbase (or vmlinuz?) - is that the recommended way now? -- damjan
[arch-general] new packaging of the kernel/mkinitcpio/kmod
Can someone explain in better detail the changes in * kmod 26-3 * mkinitcpio 27-1 * linux 5.3.8.1-1 around packaging and pacman hooks? I can see there's some reorganization of the hooks and scripts, and the kernel package no longer installing directly to /boot (which is a welcome change, the kernel is now only in /usr/lib/modules/5.3.8-arch1-1/vmlinuz) but it's not easy for me to reverse-understand what the bash scripts do exactly. I'm asking because I also use pacman hooks on the kernel and some other files in order to create my combined kernel+initramfs+cmdline UEFI executable signed for secure-boot, and it seems I'll have to adopt to a newer setup. -- damjan
Re: [arch-general] Input, Uinput, and udev problems with user access
> > Up until yesterday evening, the following setup would allow the Fenrir > screen reader to access the tools it needs to read without root access in > terminal emulators like Xterm: > > groupadd --system input > groupadd --system uinput > echo 'KERNEL==\"event*\", NAME=\"input/%k\", MODE=\"660\", > GROUP=\"input\"' >> /etc/udev/rules.d/99-input.rules > echo 'KERNEL==\"uinput\", SUBSYSTEM==\"misc\", > OPTIONS+=\"static_node=uinput\", TAG+=\"uaccess\", GROUP=\"uinput\"' >> > /etc/udev/rules.d/99-fenrirscreenreader.rules > > Now, however, while it can still read the screen, the keyboard does > nothing. Has something changed, and if so, what do I need to do differently > to get it working again? > What kind of keyboard is it?? You mention xterm, so you're running XOrg I presume? -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
On Thu, 22 Aug 2019 at 21:36, Giancarlo Razzolini wrote: > Em agosto 22, 2019 16:29 Damjan Georgievski via arch-general escreveu: > > Are there any news/updates on this front? > > > > I have dracut installed in one test VM, but I have to run it manually > after > > each kernel update. The wiki page [1] is still empty, so > > how do I configure proper hooks to build the initramfs (and possibly also > > disable the mkinitcpio ones)? > > > > Yes. I have been working on pacman hooks for this. There are a few things > I need > to iron out before releasing it though. There's a need to change all > kernels as > well, because the hooks are deployed with them currently, this has to > change. > Just in case, I'll mention kernel-install [1] once again, it's a nice central hub where initramfs creators, bootloaders (and optionally signing of uefi images) can hook into, and then any kernel install can call all the users hooks with a single command. [1] https://www.freedesktop.org/software/systemd/man/kernel-install.html -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
I have been looking into dracut for some time now, I copied some stuff from > them on a few of my own > scripts and they also have an actual test suite, that we currently can't > use on Arch, but I plan to > change that. > > Are there any news/updates on this front? I have dracut installed in one test VM, but I have to run it manually after each kernel update. The wiki page [1] is still empty, so how do I configure proper hooks to build the initramfs (and possibly also disable the mkinitcpio ones)? [1] https://wiki.archlinux.org/index.php/Dracut -- damjan
Re: [arch-general] Opening a document with unicode in path
On Fri, 2 Aug 2019 at 14:59, John Z. wrote: > Hi everyone, > there's a document on Dropbox, that has unicode character in its > path (french character). Trying to open this document with libre > office (Plasma is running) fails with 'file not found', and the path > shown with error clearly presents the path with that unicode > character replaced by '??' > > What I tried: > * copy the document in a path where there's no unicode - it opens > * copy the document using shell - it works > * copy the document using Dolphin (from Plasma) - it works > * check $LANG - its set to `en_CA.UTF8` > Does `locale -a` show that locale? -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
> > I have been looking into dracut for some time now, I copied some stuff > from them on a few of my own > scripts and they also have an actual test suite, that we currently can't > use on Arch, but I plan to > change that. > Is there any support for post hooks in Dracut? ie. I want to sign the uefi image with sbsign, after it's built with `dracut --uefi …` -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
> > dracut 049-3 on an Arch [testing] VM > > > > There are a few more instances where arch must be replaced with uname -m. > > I'll deploy a version of dracut with that patch later: > > https://github.com/dracutdevs/dracut/pull/573 > Thanks, I've also noticed another issue about the uefi stub and sent a PR: https://github.com/dracutdevs/dracut/pull/575 -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
> > > dracut --uefi > This seems to fail for me: $ sudo dracut --no-early-microcode --uefi /boot/EFI/Linux/arch-linux.efi dracut: Executing: /usr/bin/dracut --no-early-microcode --uefi /boot/EFI/Linux/arch-linux.efi /usr/bin/dracut: line 1063: arch: command not found /usr/bin/dracut: line 1069: arch: command not found dracut: Architecture '' not supported to create a UEFI executable any ideas why?? dracut 049-3 on an Arch [testing] VM -- damjan
Re: [arch-general] [arch-dev-public] Mkinitcpio replacement with Dracut
> 2) Question: >Arch typically has used unversioned initrd images which has the >convenience that the boot standzas don't need updating on new kernel. > This can (also) be fixed if Arch implements the `kerne-install` [1] mechanism to update the boot-loader stanzas. [1] https://www.freedesktop.org/software/systemd/man/kernel-install.html -- damjan
Re: [arch-general] Keyboard shortcuts which change based on current app
On Thu, 14 Feb 2019 at 05:12, Oon-Ee Ng via arch-general < arch-general@archlinux.org> wrote: > Before I try to hack together a solution, are there any existing > apps/frameworks which allow for the same key/button to do something > different based on the currently focused app (in X)? > > My intended use-case is to use the additional buttons on my drawing tablet > to do various functions, but depending on the current app. So in Gimp they > would do one thing, in Libreoffice another, in Inkscape another. > Don't your applications have an option to customize the shortcuts? -- damjan
Re: [arch-general] [arch-dev-public] Proposal: minimal base system
(posting to general, since I can't on dev-public) On Mon, 21 Jan 2019 at 23:03, Levente Polyak via arch-dev-public wrote: > > # Proposal > > There is no strict definition of what a minimal Arch Linux system > installation must contain. However in reality we mostly don’t add any > packages that are in the base group as a dependency to other packages, > which basically makes it a hard requirement. > > The current way of defining a minimal system via a group is non-optimal > for the following reasons: One of the issues that might need to be fixed is this: https://bugs.archlinux.org/task/54887 (FS#54887 - [openssl] remove perl from dependency of the openssl package) -- damjan
Re: [arch-general] Kernel 4.19 preventing Firefox from playing videos
> I have a very strange issue with kernel 4.19.1 With this kernel Firefox > no longer plays any videos. It opens the page but the video wont play. what video? youtube? works well here, on intel i7-7500U, KDE on X11 (modesetting driver) with both 4.19.1-arch1 and 4.19.2-arch1 > I'm running Gnome on a Thinkpad X201. are you running wayland, modsettings or the intel X11 driver (the X modesetting is perhaps recommended) maybe try another compositor, instead of the gnome one -- damjan
Re: [arch-general] i3stats depends on wireless_tools, causing "firmware load for regulatory.db failed" w/o wireless-regdb
On 12 August 2018 at 01:48, David C. Rankin wrote: > Archdevs, > > There seems to be a funny depends (or missing depends) issue for *some* > systems without wireless that have i3status installed. > > This appears to be because i3stats depends on wireless_tools, which during > boot triggers an attempt I don't see anything in the wireless_tools package that would trigger on boot. there are no udev rules or systemd services. -- damjan
Re: [arch-general] systemd --user enable: Failed to connect to bus: No such file or directory
On 27 June 2018 at 08:26, Bjoern Franke wrote: > Hi, > > I'm trying to create a systemd timer for a user to run duply daily. For > one user the enabled worked fine, but another one: > > systemctl --user enable backup.timer > Failed to connect to bus: No such file or directory > > I have no clue why this happens, systemctl daemon-reload (also with > --user) did not fix it. I found a similar issue in the forums, but the > solution was to "ln -s" the timer and than rebooting. But I don't think > this would be the "correct" solution because "systemctl --user enable" > should also work. What distro are you running? And what are the versions of systemd and dbus? You also should have (so confirm that) /usr/lib/systemd/user/dbus.socket and /usr/lib/systemd/user/dbus.service files and a /usr/lib/systemd/user/sockets.target.wants/dbus.socket symlink too -- damjan
Re: [arch-general] Why no git --depth=1 option for makepkg?
>> This means that PKGBUILDs which checkout a specific revision are >> actually worse than the rest, as you cannot even get the source without >> knowing how many commits you need (rather than failing afterwards in >> pkgver() or something). > > Right. I had assumed that git clone -b/--branch did also exist for > tags. https://www.kernel.org/pub/software/scm/git/docs/git-clone.html --branch can also take tags and detaches the HEAD at that commit in the resulting repository.
Re: [arch-general] Disable vboxadd.service & vboxadd-service.service after guest additions included in 4.15?
On 11 February 2018 at 13:47, Giacomo Longo via arch-general wrote: > So you want to have > > vboxadd-service and vboxadd systemd services not starting on Linux kernel > versions 4.15 and above? > > You can manage this by creating a template systemd unit > > /etc/systemd/system/kernel-version-less-then@.service > --- > [Unit] > Description=Check if currently installed kernel version is less than target > > [Service] > Type=oneshot > ExecStart=/usr/bin/sh -c '[[ "$(/usr/bin/vercmp %i %v)" = "1" ]]' > Restart=no > CollectMode=inactive-or-failed > > [Install] > WantedBy=multi-user.target > > Then create the directories > > /etc/systemd/system/vboxadd.service.d/ > /etc/systemd/system/vboxadd-service.service.d/ > > Then for each service > > > /etc/systemd/system/vboxadd.service.d/kerver.conf > - > [Unit] > After=kernel-version-less-then@4.15.service > Requires=kernel-version-less-then@4.15.service > > /etc/systemd/system/vboxadd-service.service.d/kerver.conf > - > [Unit] > After=kernel-version-less-then@4.15.service > Requires=kernel-version-less-then@4.15.service > > In this way, if my bash-fu is correct, the version compare will fail the > kernel-version-less-then@4.15.service and vboxadd and vboxadd-service will > not start there is ConditionKernelVersion= man systemd.unit -- damjan
Re: [arch-general] pacman man page needs at least one update
On 22 August 2017 at 19:01, Jude DaShiell wrote: > pacman -g and pacman --groups both appear no longer working. Neither in > that form generates a current list of groups. pacman -Sg and pacman -Qg seem to work -- damjan
Re: [arch-general] Handling python venv packages breaking on glibc update
> I use psycopg2 for postgres access in my pyramid web-app, and like most > (all?) python developers all the dependencies are in a virtualenv, > including psycopg2 itself. > > This means, of course, that the psycopg2 wheel is precompiled. > > With the recent glibc-2.26 update, I can no longer import psycopg2. This is > the error message I get on the file libresolv-2-c4c53def.5.so: > > symbol __res_maybe_init, version GLIBC_PRIVATE not defined in file > libc.so.6 with link time reference > > I'm not sure why the psycopg2 pip package bundles in libresolv (which is > part of glibc in Arch, explaining why the Arch psycopg2 package works fine, > even without a recompile). Where's the right place for me to fix this? With > the psycopg2 pip maintainers or somewhere else? why not just use the Arch package? I prefer that for pacakges that link to system libraries. -- damjan
Re: [arch-general] How can I set CAPS LOCK as Escape throughout reboot
On 17 August 2017 at 15:51, Junayeed Ahnaf via arch-general wrote: > Hello, > > Currently I use "setxkbmap -option caps:escape" and it works well, but > I'd like to know how to make it persistent through reboot. I set this > line in .xinitrc but it didn't work. depends on your login manager and the desktop environment. Gnome will overwrite XKB settings anyway. KDE would if configured. some login managers (or their Xsession scripts) will read ~/.Xkbmap as options to setxkbmap -- damjan
Re: [arch-general] Why there is no NetworkManager in ArchISO
On 24 July 2017 at 07:30, Junayeed Ahnaf via arch-general wrote: > Hello, > > Why is there no NetworkManager in ArchISO? Isn't it widely accepted as > the go to method of connecting to internet in Linux? Is there any reason > for it not to be default? I would say that the reason NM is not on ArchISO is becaues in the past it didn't have a simple enough support for a console UI, which made it very useless in the ArchISO text-only envrionement. Nowdays, with `nmtui` I'd say it would be ok to have it. NM has been buggy in the past, but these days, it's a great tool. -- damjan
[arch-general] nginx package compiled on testing?
At this moment packages in core/extra are: nginx 1.12.1-1 pacman 5.0.2-1 nginx -V has --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_FORTIFY_SOURCE=2' but the pacman 5.0.2-1 version of /etc/makepkg.conf doesn't have the -fno-plt argument. I'd assume nginx 1.12.1-1 was compiled on a system with pacman 5.0.2-2 from testing? https://git.archlinux.org/svntogit/packages.git/diff/trunk/makepkg.conf?h=packages/pacman&id=0cd22d4454e0e1b3ae589b95274f808001465c15 Is this allowed? I suspect this is one of the reasons I can't compile a dynamic module for nginx -- damjan
Re: [arch-general] Sébastien Luttringer and Tobias Powalowski
On 3 July 2017 at 01:22, Eli Schwartz via arch-general
wrote:
> On 07/02/2017 07:01 PM, Ismael Bouya wrote:
>> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
>>> But HTTPS doesnt matter here. We have a trusted signer inn the PKGBUILD,
>>> anyone can MITM for the good of their life.
>>> Unless they can fake the signature (Hint; they cant), or trick Lennart into
>>> signing something he shouldnt (Hint; he
>>> wont), we don't have a case here. It doesn't really matter if its HTTP or
>>> HTTPS.
>>>
>>> You also didn't really reply about the threat model.
>>
>> If I understand correctly what Nicohood meant,
>> what could happen is that version X of systemd (or anything else) has a
>> well known vulnerability, fixed in X+1. X+1 is packaged, so anyone
>> up to date thinks "good I'm safe now". But since a man in the middle can
>> force to download version X (signed by the systemd maintainer so
>> considered "secure"), he can force you to download that version when you
>> create the package and you'll think you have the safe version while
>> having the unsafe one.
>
> Okay, this I am genuinely curious about.
>
> In what circumstances can I have:
> - the systemd repository cloned over the git:// protocol
> - an annotated tag for systemd v233 signed by Lennart Poettering.
> - an annotated tag for systemd v232 signed by Lennart Poettering.
> - a man in the middle attack
> - `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG
> ${fingerprint} that matches with Lennart's known GPG fingerprint as
> recorded in validpgpkeys
>
> And as a result, when I run the git command `git checkout
> refs/tags/v233`, I am tricked into getting v232 instead which contains a
> vulnerability. Also, I wouldn't be alerted by the verbose printing of
> the systemd version which happens during the boot process, nor by
> $systemd_binary --version
>
> ...
>
> Because I don't think git works that way, but I am willing to be proven
> wrong. Also I bet the git developers would be fascinated to hear the
> details, you might even get some sort of bounty for successfully hacking
> git like that.
On the other hand,
the systemd-stable repo doesn't have signed tags (or commits) and Arch
is probably going to move to that since it has post-release fixes for
regressions and bugs.
--
damjan
Re: [arch-general] kernel-install in archlinux
On 22 June 2017 at 14:42, Mauro Santos via arch-general wrote: > On 22-06-2017 12:58, Damjan Georgievski via arch-general wrote: >> Is there any plan for moving ArchLinux to the kernel-install >> infrastructure[1] >> >> I've seen some talk about it from a year ago, but the discussion seems >> to have died off. >> >> My personal use case is to have a hook that self-signs >> kernel+initramfs+cmdline images for secure boot (using my own keys), >> and currently I have to do that manually whenever the initramfs is >> updated. >> >> >> >> >> [1] >> https://www.freedesktop.org/software/systemd/man/kernel-install.html >> [2] >> https://lists.archlinux.org/pipermail/arch-dev-public/2016-May/028014.html >> > > You may want to check 'man alpm-hooks'. You should be able to automate > what you want to do. Unfortunately that's not enough, other hooks (which are unknown) can update the initramfs, and I can't hook on /boot/initramfs-* since it's not part of any package. ps. and yes, I already do have a hook that triggers on the linux package -- damjan
[arch-general] kernel-install in archlinux
Is there any plan for moving ArchLinux to the kernel-install infrastructure[1] I've seen some talk about it from a year ago, but the discussion seems to have died off. My personal use case is to have a hook that self-signs kernel+initramfs+cmdline images for secure boot (using my own keys), and currently I have to do that manually whenever the initramfs is updated. [1] https://www.freedesktop.org/software/systemd/man/kernel-install.html [2] https://lists.archlinux.org/pipermail/arch-dev-public/2016-May/028014.html -- damjan
Re: [arch-general] gnupg: systemd enable in post_install
>> what's the rationale to enable the gnupg sockets in post_install of the >> package? >> >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/install?h=packages/gnupg#n21 >> >> I don't disagree that the sockets maybe should be enabled (I have them >> enabled for me), it's just a strange way to enable them in >> post_install, and linking them in /etc/ >> >> Why doesn't the PKGBUILD make the symlinks in >> /usr/lib/systemd/user/sockets.target.wants/ ? > > > I did that in the pulseaudio package at first and people complained that > they couldn't "disable" the pulseaudio socket and "mask" also prevented a > manual start. got it. makes sense though users will need root privileges to disable it then, but I guess for Arch that doesn't matter. -- damjan
[arch-general] gnupg: systemd enable in post_install
what's the rationale to enable the gnupg sockets in post_install of the package? https://git.archlinux.org/svntogit/packages.git/tree/trunk/install?h=packages/gnupg#n21 I don't disagree that the sockets maybe should be enabled (I have them enabled for me), it's just a strange way to enable them in post_install, and linking them in /etc/ Why doesn't the PKGBUILD make the symlinks in /usr/lib/systemd/user/sockets.target.wants/ ? dbus does that for ex. -- damjan
Re: [arch-general] Unable to start gnome-terminal from KDE session
> ...which sounds a bit like what I'm seeing, at least the slowness part. > However, I use SDDM, so I can't put the recommended > dbus-update-activation-environment in any .xinitrc file (which is only run > when > you do startx as far as I know). > > So, two questions: > > (1) Where would I put this command so that it's run by SDDM on login? isn't that already done via: /etc/X11/xinit/xinitrc.d/50-systemd-user.sh which is sourced by /usr/share/sddm/scripts/Xsession -- damjan
Re: [arch-general] makepkg bind-9 FAILED (unknown public key F1B11BF05CF02E57)
> libtool: compile: gcc -I/home/david/arch/pkg/abs/bind/src/bind-9.11.0-P3 > -I../../.. -I./include -I./../pthreads/include -I../include -I./../include > -I./.. -I/usr/include -D_REENTRANT -D_GNU_SOURCE -march=x86-64 -mtune=generic > -O2 -pipe -fstack-protector-strong -DDIG_SIGCHASE -I/usr/include > -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual > -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing > -fno-delete-null-pointer-checks -c app.c -fPIC -DPIC -o .libs/app.o > In file included from /usr/include/json/autolink.h:9:0, > from /usr/include/json/json.h:9, > from ../include/isc/json.h:33, > from ../include/isc/mem.h:16, > from app.c:29: > /usr/include/json/config.h:9:35: fatal error: string: No such file or > directory > #include //typedef String huh, that's a C++ style #include* and you are compiling with a C compiler (and obviously app.c is a C program) have no idea, see upstream. * and indeed /usr/include/json/config.h is part of jsoncpp "C++ library for interacting with JSON" how did that get included in a C program??? -- damjan
Re: [arch-general] makepkg bind-9 FAILED (unknown public key F1B11BF05CF02E57)
> I pulled ABS updates and got the patch mentioned in > https://bugs.archlinux.org/task/53240. However, attempting to build bind/bind > tools 9.11.0-P3 fails due to an unknown upstream public key: > > makepkg -s > > ... > ==> Verifying source file signatures with gpg... > bind-9.11.0-P3.tar.gz ... FAILED (unknown public key F1B11BF05CF02E57) https://wiki.archlinux.org/index.php/makepkg#Signature_checking -- damjan
Re: [arch-general] Firefox 52 Audio broken
> Since the update to firefox 52 the audio support has been broken. nope, it works fine. alas, ALSA support in Firefox has become unmaintained … this means if Arch reverts to ALSA it'll be shipping worse code just for the few people that choose to not use Pulseaudio (for their own reasons). > This seems to be because pulse audio is now a dependency by default in > firefox. > However firefox can still be build with ALSA support. > > Without getting into any dicussion about issues about pulseaudio itself, I > believe it should be possible to use firefox on arch without being forces to > use pulse > audio. I am certainly not the only one to have banned this package from my > boxes. And having more choices is certainly a good thing. > > Not sure this is the right place but I would like to ask to change back to > the old defaults (ALSA). > With the old defaults, the user can choose to use pulse audio (or JACK) or > stay with plain ALSA support. -- damjan
Re: [arch-general] ownCloud vs. nextcloud
On 30 January 2017 at 17:00, David Runge wrote: > Helloes! > > I wonder what Arch's/Sergej Pupykin's position towards nextcloud is. > It seems that ownCloud lost most of its developers to the schism > introduced last year. > This led to many apps not being (mainly) developed by them anymore and > moving into the hands of nextcloud and/or being more actively developed > by nextcloud now (bookmarks, news, calendar, etc.) > > There definitely also has been a problem transitioning from php 7.0.x to > 7.1 as the current version of ownCloud now has a "hotfix" applied that > just suppresses the error message (which would render owncloud useless, > as owncloud < 9.2 suppossedly doesn't work with php 7.1). > The bookmark app is currently unusable (unable to add new bookmarks due > to an old version of guzzlehttp dependency) and I wonder how much more > of that we'll have incoming. > > Wouldn't it be better to switch to nextcloud in the community repository at > this point? I'd just vote for the package (if it enters community) to remove the set-perms[1] script since it makes no sense, if you run the app with its own user (for ex. uwsgi systemd service, user nextcloud). [1] https://aur.archlinux.org/cgit/aur.git/tree/set-nc-perms.sh?h=nextcloud -- damjan
Re: [arch-general] Ping: 100% package loss
> And the most surprising thing is, that it worked for one single moment, > see the PS, and stopped working after the next reboot - with all what I > tried to make it work still untouched and in place. > > Any further tipps here? do you even have an IPv6 service from your ISP? try pinging [2a00:1450:401b:801::2004] (an address I get for www.google.com) also, ping now has the -4 and -6 options to specify which protocol to use. otherwise, AFAIK the resolver in glibc autodetects if it'll use ipv4 or ipv6 by defult -- damjan
Re: [arch-general] uwsgi-2.0.14-15 segfaults with php plugin
https://bugs.archlinux.org/task/52406 the packager is a bit irresponsible On 17 January 2017 at 17:14, David Runge wrote: > Hey all, > > ran into the issue, that after updating from uwsgi 2.0.14-1 to uwsgi > 2.0.14-5 (php plugin of the same version), all php based webapps make > uwsgi segfault (tested with wordpress and stikked)! > > Something like the below will happen (including after reboot): > > Jan 17 16:24:20 frqrec systemd[1]: Starting uWSGI service unit... > Jan 17 16:24:20 frqrec uwsgi[2370]: [uWSGI] getting INI configuration > from /etc/uwsgi/wordpress.ini > Jan 17 16:24:20 frqrec uwsgi[2370]: *** Starting uWSGI 2.0.14 (64bit) on > [Tue Jan 17 16:24:20 2017] *** > Jan 17 16:24:20 frqrec uwsgi[2370]: compiled with version: 6.3.1 > 20170109 on 10 January 2017 00:34:54 > Jan 17 16:24:20 frqrec uwsgi[2370]: os: Linux-4.8.13-1-ARCH #1 SMP > PREEMPT Fri Dec 9 07:24:34 CET 2016 > Jan 17 16:24:20 frqrec uwsgi[2370]: nodename: frqrec > Jan 17 16:24:20 frqrec uwsgi[2370]: machine: x86_64 > Jan 17 16:24:20 frqrec uwsgi[2370]: clock source: unix > Jan 17 16:24:20 frqrec uwsgi[2370]: pcre jit disabled > Jan 17 16:24:20 frqrec uwsgi[2370]: detected number of CPU cores: 2 > Jan 17 16:24:20 frqrec uwsgi[2370]: current working directory: / > Jan 17 16:24:20 frqrec uwsgi[2370]: detected binary path: /usr/bin/uwsgi > Jan 17 16:24:20 frqrec uwsgi[2370]: setgid() to 33 > Jan 17 16:24:20 frqrec uwsgi[2370]: setuid() to 33 > Jan 17 16:24:20 frqrec uwsgi[2370]: your processes number limit is 15780 > Jan 17 16:24:20 frqrec uwsgi[2370]: your memory page size is 4096 bytes > Jan 17 16:24:20 frqrec uwsgi[2370]: detected max file descriptor number: > 1024 > Jan 17 16:24:20 frqrec uwsgi[2370]: lock engine: pthread robust mutexes > Jan 17 16:24:20 frqrec uwsgi[2370]: thunder lock: disabled (you can > enable it with --thunder-lock) > Jan 17 16:24:20 frqrec uwsgi[2370]: *** Cache "wordpress" initialized: > 64MB (key: 2136 bytes, keys: 2136000 bytes, data: 65536000 bytes, > bitmap: 0 bytes) preallocated *** > Jan 17 16:24:20 frqrec uwsgi[2370]: - SystemD socket activation detected > - > Jan 17 16:24:20 frqrec uwsgi[2370]: uwsgi socket 1 attached to UNIX > address /run/uwsgi/wordpress.sock fd 3 > Jan 17 16:24:20 frqrec uwsgi[2370]: !!! uWSGI process 2370 got > Segmentation Fault !!! > Jan 17 16:24:20 frqrec uwsgi[2370]: *** backtrace of 2370 *** > Jan 17 16:24:20 frqrec uwsgi[2370]: /usr/bin/uwsgi(uwsgi_backtrace+0x2c) > [0x466eec] > Jan 17 16:24:20 frqrec uwsgi[2370]: /usr/bin/uwsgi(uwsgi_segfault+0x21) > [0x4672b1] > Jan 17 16:24:20 frqrec uwsgi[2370]: /usr/lib/libc.so.6(+0x330b0) > [0x7f9a019ea0b0] > Jan 17 16:24:20 frqrec uwsgi[2370]: > /usr/lib/uwsgi/php_plugin.so(+0x53ca) [0x7f9a001fa3ca] > Jan 17 16:24:20 frqrec uwsgi[2370]: *** end of backtrace *** > Jan 17 16:24:20 frqrec systemd[1]: uwsgi-private@wordpress.service: Main > process exited, code=exited, status=1/FAILURE > Jan 17 16:24:20 frqrec systemd[1]: Failed to start uWSGI service unit. > Jan 17 16:24:20 frqrec systemd[1]: uwsgi-private@wordpress.service: Unit > entered failed state. > Jan 17 16:24:20 frqrec systemd[1]: uwsgi-private@wordpress.service: > Failed with result 'exit-code'. > > Reverting back to uwsgi 2.0.14-1 fixes the problem (after restarting the > socket, that activates the webapp). > > As a sidenote: I'm using the hardening and socket activation options as > explained here, which shouldn't have much of an effect on the uwsgi > itself though): > https://wiki.archlinux.org/index.php/UWSGI#Socket_activation > https://wiki.archlinux.org/index.php/UWSGI#Hardening_uWSGI > > Has anyone had the same issue? > I can't seem to find out, what has changed between revision 1 and 5 or > if it needs another rebuild. > > Best, > David > > > -- > https://sleepmap.de -- damjan
Re: [arch-general] [arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes
>> I do not oppose using whatever upstream is deploying, if it's >> rationale. I just think that we could create a system user for >> openvpn, even if most users will deploy it using root. > > We need root privileges at initialization phase, no? Privileges are dropped > to nobody/nobody when initialization sequence completed. > > If we can make things work with non-root system user... Let me know how to do > that. :D You can have systemd-networkd create the tun (or tap) interface and change its ownership to a specific user, that way openvpn doesn't need privileges for that. That's my setup with a bridged tap interface https://gist.github.com/gdamjan/6b988389afe36e4bb769 for tap interfaces, networkd can also do the ip setup, for tun interfaces, openvpn would need to use ... sudo? -- damjan
Re: [arch-general] howto remove old package version
> pacman -Syu > :: Starting full system upgrade... > > warning: mesa: local (13.0.0rc2-2) is newer than extra (12.0.3-3.1) > warning: mesa-libgl: local (13.0.0rc2-2) is newer than extra (12.0.3-3.1) > > how do i remove old version and install new with pacman, > have tried pacman -R but had dependency problems. you should've mentioned that this is ArchLinux Arm and yes, they reverted those packages (at leat on armv6 for raspberrypi) I dunno why, don't even care -- damjan
Re: [arch-general] Cannot no longer resolve local hostname with the new nsswitch.conf
On 8 November 2016 at 18:43, Patrick Burroughs (Celti) via arch-general wrote: > On Tue, 8 Nov 2016 18:01:32 +0100 > Damjan Georgievski via arch-general wrote: > >> > $ getent -s resolve hosts $(hostname) >> >> this should fail since you don't have the resolved service running. > > nss-resolve will chainload nss-dns when systemd-resolved is not running > (see `man 8 nss-resolve`). ah right, that fallback should be removed *in the future* and I was under the impression it already happened https://github.com/systemd/systemd/commit/344874fcd0a3fc1f9bc6cdf34ecaf537c10a3ad3 -- damjan
Re: [arch-general] Cannot no longer resolve local hostname with the new nsswitch.conf
> $ getent -s resolve hosts $(hostname) this should fail since you don't have the resolved service running. but, when using `hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname` standard resolving should then go to the dns source, and then to the myhostname source. what does getent -s dns hosts $(hostname) getent -s myhostname hosts $(hostname) return ? also are you up-to-date with systemd 232? -- damjan
Re: [arch-general] Cannot no longer resolve local hostname with the new nsswitch.conf
On 8 November 2016 at 13:37, Chi-Hsuan Yen via arch-general wrote: > Hi Arch enthuasiasts, > > With testing/filesystem 2016.11-2, I can no longer use my local hostname to > acess services on the local machine. For example: > > $ hostname > PC12574 > > $ ping PC12574 > ping: PC12574: Name or service not known > > Seems changes in nsswitch.conf [1] does the effect. If I change the hosts: > line in nsswitch.conf back to the old configuration "files resolve > mymachines myhostname", or remove the [!UNAVAIL=return] part from this > line, ping works fine: do you have systemd-resolved running? what does `getent -s resolve hosts ` return? -- damjan
[arch-general] new /etc/nsswitch.conf
there's a new /etc/nsswitch.conf file in filesystem-2016.11 Maybe someone would care to explain the changes? maybe even a news post? https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/filesystem&id=f1cd9f7fb4cdf7617a1b875e14be212733f9c67a -- damjan
Re: [arch-general] how to restore root and boot directory
> Hi everyone > while reinstalling arch on raspberry pi memory stick i had the two > partitions mounted on mount points called root and boot in my home dir > on my laptop, > i intended to delete everything in root and boot in my home directory > but lost my mind and rm -rf /boot/* and /root/* instead, > is there a easy way to restore files to boot and do i just fix the root > user directory with useradd ? > shadrock /root really shouldn't have anything of importance, unless you left it there - in which case, you can't recover it /boot has the kernel, the initramfs - which can be recreated if you reinstall the "linux" package and probably some bootloader files that you can also reinstall depending on the boot loader: - grub-install - extlinux - bootctl -- damjan
Re: [arch-general] efivars mounted read-write, but "operation not permitted, "
On 3 August 2016 at 22:03, Zachary Kline wrote: > Hi All, > > This is admittedly more about Linux in general than Arch specifically, but > I’m wondering if anybody has insight into why I can’t delete EFI variables, > when efivarfs is mounted read-write. For anybody interested, I am wanting to > remove the default boot entry created by systemd-boot, but receive an > “Operation not permitted,” message when trying to do so, even as root. try efibootmgr -- damjan
[arch-general] texinfo, a dependency for libidn and libtasn1
Do libidn and libtasn1 really require texinfo? makes texinfo uninstallable, but I don't need docs on this system. Does any of the "requiires" of texinfo[1] actualy require it? shouldn't it be an opt-depend? [1] https://www.archlinux.org/packages/core/x86_64/texinfo/ -- damjan
Re: [arch-general] Announcing pacpak
On 10 July 2016 at 11:05, pelzflorian (Florian Pelz) wrote: > Hello, > > A specter is haunting the GNU/Linux ecosystem: the specter of per-user > containerization. Software like Flatpak and Snappy promise fully > sandboxed GNU/Linux application bundles (instead of merely launching an > application with fewer privileges but without hiding the operating > system, like Bubblewrap or Firejail do). Bundles ship with the version > of their dependencies which they need. Ubuntu is doing something similar it seems https://bregmatter.wordpress.com/2016/07/04/x11-applications-and-unity-8/ This is for their non-deb (deb-less?) distro version, they install debs in containers, each getting their own XMir server. Good for non-trustworthy or exposed apps. -- damjan
Re: [arch-general] time setting problem after installing.
On 3 July 2016 at 22:27, matthew dyer via arch-general wrote: > Hi all, > > I just installed arch into a vertual machine dfor now as I do not have a > bare boons system to install to at the moment. Any way I have a problem > whare my system thinks I am in lundon uk and not in the us. I have tried > running NTPD-QG but I am told that the command not found. I want the clock > to show the correct local time and not have it showing 4 hours ahead of it > self. Any ideas on how to fix this. I want to show it in .profile, but it > just creates a new file instead of using the exhisting file. How can I > change my time to the corect local time? Thanks. I didn't understand half of what you said, but: a) to set the system wide timezone use the command: timedatectl set-timezone Europe/London b) to enable a ntp client you can use systemd-timedate, enable it with: timedatectl set-ntp yes -- damjan
