fidzu : Arch Linux

On Friday, July 18th, 2025, the Arch Linux team was notified that three AUR packages had been uploaded that contained malware. A few maintainers including myself took care of deleting these packages, removing all traces of the malicious code, and protecting against future malicious uploads.

30 Jan 2026 12:00am GMT

While starting this post I realized I have been maintaining personal infrastructure for over a decade! Most of the things I've self-hosted is been for personal uses. Email server, a blog, an IRC server, image hosting, RSS reader and so on. All of these things has all been a bit all over the place and never properly streamlined. Some has been in containers, some has just been flat files with a nginx service in front and some has been a random installed Debian package from somewhere I just forgot.

19 Jan 2026 12:00am GMT

In the recent blog post on the work funded by Sovereign Tech Fund (STF), we provided an overview of the "File Hierarchy for the Verification of OS Artifacts" (VOA) and the voa project as its reference implementation. VOA is a generic framework for verifying any kind of distribution artifacts (i.e. files) using arbitrary signature verification technologies. The voa CLI ⌨️ The voa project offers the voa(1) command line interface (CLI) which makes use of the voa(5) configuration file format for technology backends. It is recommended to read the respective man pages to get …

11 Jan 2026 12:00am GMT

In 2024 the Sovereign Tech Fund (STF) started funding work on the ALPM project, which provides a Rust-based framework for Arch Linux Package Management. Refer to the project's FAQ and mission statement to learn more about the relation to the tooling currently in use on Arch Linux. The funding has now concluded, but over the time of 15 months allowed us to create various tools and integrations that we will highlight in the following sections. We have worked on six milestones with focus on various aspects of the package management ecosystem, ranging from formalizing, parsing and writing of …

10 Jan 2026 12:00am GMT

Did you know you can have newlines in pathnames? The design is very human and this absolutely doesn't have any unforeseen consequences! Also a friendly reminder that you can store anything on a nameserver if you try hard enough.

Originally posted by me on donotsta.re (2025-12-23)

09 Jan 2026 12:00am GMT

2025 was a crazy simulation. A lot of glitches, plot twists and fun stuff™.

31 Dec 2025 12:00am GMT

Same as last year, this is a summary of what I've been up to throughout the year. See also the recap/retrospection published by my friends (antiz, jvoisin, orhun).

• Uploaded 467 packages to Arch Linux
  • Most of them being reproducible, meaning I provably didn't abuse my position of compiling the binaries
  • 35 of them are signal-desktop
  • 29 of them are metasploit
• Made 53 uploads to Debian
  • All of them being related to my work in the debian-rust team, that I've been a part of since 2018
  • …

31 Dec 2025 12:00am GMT

With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the nvidia package with nvidia-open, nvidia-dkms with nvidia-open-dkms, and nvidia-lts with nvidia-lts-open. Impact: Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment. Intervention required for Pascal/older users: Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support:

• Uninstall the official nvidia, nvidia-lts, or nvidia-dkms packages.
• Install nvidia-580xx-dkms from the AUR

Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention.

20 Dec 2025 12:00am GMT

Peter Jung via arch-announce wrote:

With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the 'nvidia' package with 'nvidia-open', 'nvidia-dkms' with 'nvidia-open-dkms', and 'nvidia-lts' with 'nvidia-lts-open'. Impact: Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment. Intervention required for Pascal/older users: Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support:

• Uninstall the official 'nvidia', 'nvidia-lts', or 'nvidia-dkms' packages.
• Install 'nvidia-580xx-dkms' from the AUR

Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention.

https://archlinux.org/news/nvidia-590-d … l-modules/

20 Dec 2025 12:00am GMT

The following packages may require manual intervention due to the upgrade from 9.0 to 10.0:

• aspnet-runtime
• aspnet-targeting-pack
• dotnet-runtime
• dotnet-sdk
• dotnet-source-built-artifacts
• dotnet-targeting-pack

pacman may display the following error failed to prepare transaction (could not satisfy dependencies) for the affected packages. If you are affected by this and require the 9.0 packages, the following commands will update e.g. aspnet-runtime to aspnet-runtime-9.0: pacman -Syu aspnet-runtime-9.0 pacman -Rs aspnet-runtime

11 Dec 2025 12:00am GMT

Over the course of 2025, every single major cloud provider has failed. In June, Google Cloud had issues taking down Cloud Storage for many users. In late October, Amazon Web Services had a massive outage in their main hub, us-east-1, affecting many services as well as some people's beds. A little over a week later Microsoft Azure had a [widespread outage][Azure outage] that managed to significantly disrupt train service in the Netherlands, and probably also things that matter. Now last week, Cloudflare takes down large swaths of the internet in a way that causes non-tech people to learn Cloudflare exists. And every single time, people share that one XKCD comic.

24 Nov 2025 12:00am GMT

After Gandi was bought up and started taking extortion level prices for their domains I've been looking for an excuse to migrate registrar. Last week I decided to bite the bullet and move to Porkbun as I have another domain renewal coming up. However after setting up an account and paying for the transfer for 4 domains, I realized their DNS services are provided by Cloudflare! I personally do not use Cloudflare, and stay far away from all of their products for various reasons.

18 Nov 2025 12:00am GMT

If you've ever tried to publish a package on PyPI, you might have encountered a quite interesting error message: error: Failed to publish [..] to https://upload.pypi.org/legacy/ Caused by: Upload failed with status code 400 Bad Request. Server says: 400 The name [..] is too similar to an existing project. See https://pypi.org/help/#project-name for more information. Sadly it's not very clear what "too similar" means in this context. Also there's no way to check if your name is acceptable before actually trying to upload the package. Luckily, PyPI warehouse is open source, so let's just check how the validation is implemented.

16 Nov 2025 12:00am GMT

I think 2025 was a good year (for me, it would be hard to say it was that great in general). Well, it still is because as I'm writing this, it's 12th November. I wanted to wait for the end of the year before starting to draft this post, but well - I'm in the right mood, and it makes more sense to act instead of holding back (this is probably a foreshadowing).

13 Nov 2025 12:00am GMT

The waydroid package prior to version 1.5.4-2 (including aur/waydroid) creates Python byte-code files (.pyc) at runtime which were untracked by pacman. This issue has been fixed in 1.5.4-3, where byte-compiling these files is now done during the packaging process. As a result, the upgrade may conflict with the unowned files created in previous versions. If you encounter errors like the following during the update:

error: failed to commit transaction (conflicting files) waydroid: /usr/lib/waydroid/tools/__pycache__/__init__.cpython-313.pyc exists in filesystem waydroid: /usr/lib/waydroid/tools/actions/__pycache__/__init__.cpython-313.pyc exists in filesystem waydroid: /usr/lib/waydroid/tools/actions/__pycache__/app_manager.cpython-313.pyc exists in filesystem

You can safely overwrite these files by running the following command: pacman -Syu --overwrite /usr/lib/waydroid/tools/\*__pycache__/\*

06 Nov 2025 12:00am GMT

The dovecot 2.4 release branch has made breaking changes which result in it being incompatible with any <= 2.3 configuration file. Thus, the dovecot service will no longer be able to start until the configuration file was migrated, requiring manual intervention. For guidance on the 2.3-to-2.4 migration, please refer to the following upstream documentation: Upgrading Dovecot CE from 2.3 to 2.4 Furthermore, the dovecot 2.4 branch no longer supports their replication feature, it was removed. For users relying on the replication feature or who are unable to perform the 2.4 migration right now, we provide alternative packages available in [extra]:

• dovecot23
• pigeonhole23
• dovecot23-fts-elastic
• dovecot23-fts-xapian

The dovecot 2.3 release branch is going to receive critical security fixes from upstream until stated otherwise.

31 Oct 2025 12:00am GMT