Rust packaging guidelines: Remove --all-features suggestion

2025-02-18 Thread kpcyrd
ystem libraries, which is something we explicitly don't want. cheers, kpcyrd

Re: Official Arch Linux image for WSL

2025-02-14 Thread kpcyrd
, but it's not like we're transferring over the archlinux.org domain, or them naming their next operating system release Arch Linux 12. Does anybody know how Ubuntu dealt with this? cheers, kpcyrd

Re: Official Arch Linux image for WSL

2025-01-28 Thread kpcyrd
ul, even on non-Arch Linux computers. I think considering WSL related bug reports as low priority is very acceptable, and treating it more like a best-effort project instead of blocking it outright. cheers, kpcyrd

Re: Talks from Arch contributors at FOSDEM 2025

2025-01-24 Thread kpcyrd
On 1/23/25 10:50 PM, Morten Linderud wrote: FOSDEM is approaching and several Arch contributors and maintainers are holding talks next weekend. I have taken the liberty to collect up all the talks in this email so other staff, and users, are aware. # kpcyrd (together with h01ger from Debian

Re: Amending RFC40 to remove custom 0BSD license

2025-01-06 Thread kpcyrd
stem is enough work to warrant an interim solution. I've been doing this kind of copyright annotation work for Debian for just shy of about 300 packages and it's a heroic amount of work to do this for the entire operating system. cheers, kpcyrd

New supply-chain security tool: backseat-signed

2024-04-02 Thread kpcyrd
posed to give guidance on what to code review. This is also why I think code signing by upstream is somewhat low priority, since the big distros can form consensus around "what's the source code" regardless. https://github.com/kpcyrd/backseat-signed The README shows how to veri

Arch Linux minimal container userland 100% reproducible - now what?

2024-03-20 Thread kpcyrd
epro-env[4] that I'm currently trying to land[5] in ubuntu 24.04 LTS, but is blocked by Debian's libnettle[6]. [4]: https://github.com/kpcyrd/repro-env [5]: https://tracker.debian.org/pkg/rust-repro-env [6]: https://tracker.debian.org/pkg/nettle cheers, kpcyrd

Revising Go packaging guidelines (2024)

2024-03-18 Thread kpcyrd
ly any memory-corruption based exploits for Go software. ## Motivation - Most of our Go software is currently not reproducible due to Cgo, including core/libcap, which is the last unreproducible package in docker.io/library/archlinux - The barrier for packaging Go in Arch Linux is currently somewhat high (compared to e.g. packaging Rust), the guideline requires too much interpretation and could be improved - Quirks that are only needed for old Go projects (like 2.1.1) should be listed towards the end instead of being the first code block in the guideline --- cheers, kpcyrd

Forensic tool release: archlinux-userland-fs-cmp (reproducible pre-compiled binary available)

2024-01-31 Thread kpcyrd
hello, I released a tool recently that I'd like to share with this list: https://github.com/kpcyrd/archlinux-userland-fs-cmp It's supposed to be used from a rescue image (any Linux) with an Arch install mounted to e.g. /mnt. It does the following: - Open /mnt/var/lib/pacman and e

git 2.38.0: Change in `git archive` output

2022-10-16 Thread kpcyrd
t/4f4be00d302bc52d0d9d5a3d4738bb525066c710 I don't know if there's some kind of gzip standard that could be used to align the git internal gzip implementation with gnu gzip. I'm not saying this is necessarily a bug or regression but it makes it harder to reproduce GitHub tarballs from a git repository. Just sharing what I've debugged. :) cheers, kpcyrd

Public release: updlockfiles 0.1.0

2022-10-16 Thread kpcyrd
dependencies. Announcement blog post: https://vulns.xyz/2022/10/updlockfiles/ Repository: https://github.com/kpcyrd/updlockfiles cheers, kpcyrd

auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread kpcyrd
ohai! I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum: https://vulns.xyz/2022/05/auth-tarball-from-git/ Let me know what you think - that's all, kpcyrd