Arch Planet

Planet Arch Linux is a window into the world, work and lives of Arch Linux developers, trusted users and support staff.

AUR Migration: New SSH HostKeys


Because the AUR has been migrated to a new server, the SSH host keys used to connect to the host have changed. These are the new key fingerprints:

Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
ECDSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
RSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8

The fingerprints above can also be found on the AUR home page when not logged in.

Wayland in 2020


It is nearly a year since my last blog article about Wayland on Linux, so I thought it is time for an update on how my desktop with sway has developed. What happened?

- I changed my file sharing scripts
- I moved from rofi to bemenu
- I changed my scripts that were based on rofi

For my file sharing scripts I introduced a new helper script with the generic name share.

Fix PDF Display on Chrome


For many months I had a weird issue with displaying PDFs in Chrome on my website. I always thought this was a browser issue that would be fixed soon, but it was actually an issue with my Content Security Policy (CSP). If you ever stumbled upon my CV you might have seen this: Finally I could fix it, after finding this Chrome issue here: The problem was triggered by my strict CSP.

Improving the Secure Boot user experience


Secure boot tooling is terrible, can we do better? Currently the most widely used tooling for secure boot is the Ubuntu sbsigntools and efitools. If you are currently using secure boot both of these packages are probably installed on your system. Both of them support the basics of generating signature lists and signing the EFI variables with certificates, but they still have differences which is a source of confusion. efitools has 3 different ways of generating signature lists, cert-to-efi-hash-list, cert-to-sig-list and hash-to-efi-sig-list.

Test driving Flathub mirror for users in China


One of the reasons Flathub is relatively fast regardless of where it’s used is CDN service provided by Fastly. This is not a good thing for users from China though, where Fastly, and thus Flathub, is blocked. Similar services are operating in China, but being an open source project, it’s easy to guess our budget is close to zero. A fellow Arch developer, Felix Yan suggested some VPS providers that are considered “China-friendly”. In the end, I configured two new servers in Seoul using Oracle Cloud free tier. As Flathub enforces the remote URL for historical reasons, switching to …

Introduction to in-toto


Today I would like to talk about supply chains. I have been a package maintainer for several years now, and supply chains are one of the key factors that have been on my mind the most. As a package maintainer I try to ensure that all users can be certain they are actually using what the project owners had in mind. This only works with a secure supply chain, and a secure supply chain seems to be a big problem for many devs.

Not seeing the wood for the trees


The way Flathub infrastructure works is not complicated for current trends, but there are enough moving parts to make debugging transient issues tricky. When a user starts a download, Flatpak connects to CDN provided by Fastly. CDN connects to one of two front servers, VPSes acting as caching load balancers/proxies in front of hub, the main server exposing ostree repositories and publishing new builds with flat-manager. These happen on Buildbot, another VPS. All HTTP servers are nginx. No magic involved; boring is an advantage for infrastructure. One long-standing issue was random 503 Service Unavailable errors, causing Flatpak to …

Identify the OS via ping


This article will be rather short. I just wanted to highlight something that not many people know. This could be helpful for network diagnostics or capture-the-flag games. If you ever find yourself in the situation of having to identify a device's OS only by its IP address, you can try just pinging the device. The TTL (Time-To-Live) in the reply will give you a hint about the OS. You can use the following table for the beginning:

Postmortem 2020-04-28


Prolog

My server went down today, so I've decided to write a little postmortem for myself, so that I will hopefully learn from my server outage. This is also a nice moment to learn how Google writes postmortems:

Overview

Date: 2020-04-29
Status: Complete, action items in progress
Impact: The following of my components went down for a period of 5 hours and 6 minutes: WKD server, https// (images are partly still unavailable), IRC bouncer, git server
Root Causes: Backup restore mechanisms didn't work as expected.

Packaging LXD for Arch Linux


With the release of 3.20, LXD was included in the community repository of Arch Linux in January, and has been sitting there happily for the past months. LXD is a container manager from Canonical that manages containers as if they were independent machines in a cluster. I have somehow taken to calling them "containers-as-machines". This is in contrast to podman and docker, which would be "containers-as-applications". Think of lxd as ganeti, but for containers.

Changing the expiration date of your Yubikey


In this, hopefully short, article I want to summarize what I did to change the expiration date of the GPG key on my Yubikey. This tutorial is for all people who have generated their GPG key on their laptop and then transferred it to the Yubikey. If you've generated the GPG key pair on the Yubikey itself, you will not need this. We need to differentiate between two cases: changing the expiration date of a subkey, or changing the expiration date of your GPG master key.

zn_poly 0.9.2-2 update requires manual intervention


The zn_poly package prior to version 0.9.2-2 was missing a soname link. This has been fixed in 0.9.2-2, so the upgrade will need to overwrite the untracked files created by ldconfig. If you get an error zn_poly: /usr/lib/ exists in filesystem when updating, use pacman -Syu --overwrite usr/lib/ to perform the upgrade.

nss>=3.51.1-1 and lib32-nss>=3.51.1-1 updates require manual intervention


The nss and lib32-nss packages prior to version 3.51.1-1 were missing a soname link each. This has been fixed in 3.51.1-1, so the upgrade will need to overwrite the untracked files created by ldconfig. If you get any of these errors when updating:

nss: /usr/lib/ exists in filesystem
lib32-nss: /usr/lib32/ exists in filesystem

use pacman -Syu --overwrite /usr/lib\*/ to perform the upgrade.

Share your Wifi via QR code


Hey, this is going to be a short blog article. A few days ago I had a friend at my place who asked for the Wifi password. So I presented my 32 char WPA2 key and we all got very frustrated, because we had to type it in manually. After typing the key in, I thought there must be a better solution for tackling this problem, like generating a QR code.

hplip 3.20.3-2 update requires manual intervention


The hplip package prior to version 3.20.3-2 was missing the compiled python modules. This has been fixed in 3.20.3-2, so the upgrade will need to overwrite the untracked pyc files that were created. If you get errors such as these when updating:

hplip: /usr/share/hplip/base/__pycache__/__init__.cpython-38.pyc exists in filesystem
hplip: /usr/share/hplip/base/__pycache__/avahi.cpython-38.pyc exists in filesystem
hplip: /usr/share/hplip/base/__pycache__/codes.cpython-38.pyc exists in filesystem
...many more...

use pacman -Suy --overwrite /usr/share/hplip/\* to perform the upgrade.



If you had a closer look at my domain you might have checked my MX records:

❯ resolvectl query -t mx
 IN MX 10
 IN MX 10
 IN MX 20

Yes, I have to admit I don't host my own mail infrastructure. I think this is too toilsome and I have better things to do, like writing this blog article. In this article I want to explain how I've configured the SPF, DKIM and DMARC settings for my domain.

More ways to handle dotfiles


I’ve received plenty of feedback for my last blog article on how I handle dotfiles, hence I’ve decided that I want to give a glimpse on how others are managing their dotfiles. Another way of handling dotfiles is using GNU stow as explained here: With GNU stow it’s possible to store your dotfiles in a separate directory and then symlink to the files in this directory via invoking stow <directory name>.

firewalld>=0.8.1-2 update requires manual intervention


The firewalld package prior to version 0.8.1-2 was missing the compiled python modules. This has been fixed in 0.8.1-2, so the upgrade will need to overwrite the untracked pyc files created. If you get errors like these when updating:

firewalld: /usr/lib/python3.8/site-packages/firewall/__pycache__/__init__.cpython-38.pyc exists in filesystem
firewalld: /usr/lib/python3.8/site-packages/firewall/__pycache__/client.cpython-38.pyc exists in filesystem
firewalld: /usr/lib/python3.8/site-packages/firewall/__pycache__/dbus_utils.cpython-38.pyc exists in filesystem
...many more...

use pacman -Suy --overwrite /usr/lib/python3.8/site-packages/firewall/\* to perform the upgrade.

How to handle dotfiles


In this article I want to show how I handle my dotfiles and why I think it's the best way to handle them. I tried different approaches for handling dotfiles in the past:

- puppet
- ansible
- home made shell script magic
- maybe a few more I don't remember, because I didn't use them much

So what's wrong with puppet or ansible? Don't get me wrong, I love config management and I love using both for bigger infrastructure.

New Caddyfile and more


I made a few significant changes on my blog. First, I have a new Caddyfile for Caddy:

{
    experimental_http3
}

, , {
    redir * https://{}.{}{path}
}

 {
    redir * {path}
}

, {
    file_server
    root * /srv/www/{host}/public/
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload; always"
        Public-Key-Pins "pin-sha256=\"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=\"; pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; pin-sha256=\"C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=\"; includeSubdomains; max-age=2629746;"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; worker-src 'self'; object-src 'self'; media-src 'self'; frame-ancestors 'none'; manifest-src 'self'; connect-src 'self'"
        Referrer-Policy "strict-origin"
        Feature-Policy "geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none';"
        Expect-CT "max-age=604800"
    }
    header /.well-known/openpgpkey/* {
        Content-Type application/octet-stream
        Access-Control-Allow-Origin *
    }
    encode {
        zstd
        gzip
    }
}

The new Caddyfile enables experimental HTTP/3 support. I've also added a few redirects to my new domain.

The Future of the Arch Linux Project Leader


Hello everyone,

Some of you may know me from the days when I was much more involved in Arch, but most of you probably just know me as a name on the website. I've been with Arch for some time, taking the leadership of this beast over from Judd back in 2007. But, as these things often go, my involvement has slid down to minimal levels over time. It's high time that changes.

Arch Linux needs involved leadership to make hard decisions and direct the project where it needs to go. And I am not in a position to do this.

In a team effort, the Arch Linux staff devised a new process for determining future leaders. From now on, leaders will be elected by the staff for a term length of two years. Details of this new process can be found here.

In the first official vote with Levente Polyak (anthraxx), Gaetan Bisson (vesath), Giancarlo Razzolini (grazzolini), and Sven-Hendrik Haase (svenstaro) as candidates, and through 58 verified votes, a winner was chosen: Levente Polyak (anthraxx) will be taking over the reins of this ship. Congratulations!

Thanks for everything over all these years,
Aaron Griffin (phrakture)

Planet Arch Linux migration


The software behind was implemented in Python 2 and is no longer maintained upstream. This functionality has now been implemented in's archweb backend, which is actively maintained but offers a slightly different experience. The most notable changes are the offered feeds and the feed location. Archweb only offers an Atom feed, which is located here.

Terraforming my blog


I've just pushed a first step towards managing my infrastructure via HashiCorp's Terraform. In this article I want to talk about this first step and give a glimpse into where it is going. My infrastructure is hosted in Hetzner Cloud (luckily there is a Terraform provider for it). DNS will be covered in a later blog article. I usually store my passwords in a gopass password store, hence I wanted to let Terraform retrieve the Hetzner Cloud API key magically.

sshd needs restarting after upgrading to openssh-8.2p1


After upgrading to openssh-8.2p1, the existing SSH daemon will be unable to accept new connections. (See FS#65517.) When upgrading remote hosts, please make sure to restart the SSH daemon using systemctl restart sshd right after running pacman -Syu. If you are upgrading to openssh-8.2p1-3 or higher, this restart will happen automatically.

Automate (offline) backups with restic and systemd


This blog post builds on the content of the Fedora Magazine article Automate backups with restic and systemd. Two important features were missing in that article for my use case:

- Don't reveal restic passwords in plain-text files
- Backup to offline storage (USB flash drive)

Fortunately modern Linux distributions offer all the mechanisms needed to implement these two requirements: Udisks(2) allows non-privileged users to mount external USB disks automatically, and systemd.