I'm currently partly moderating mailing lists for Arch Linux.
Since we've switched to mailman3 I receive *a lot* of info from the
system, that mails are being held in the moderation queue due to being
sent by non-members of the respective lists.
IMHO, we should configure all of our mailing lists to be subscription
only (i.e. automatically reject all mail by non-members). It makes no
sense for anyone to moderate these emails and is a huge waste of time
for people dealing with the moderation of the lists (I get enough spam
everyday as it is... ;-)).
While at it: To my knowledge, we are currently still allowing HTML
emails to be sent to the lists and I think those should be automatically
rejected as well, as it is unnecessary bloat and is not fitting our
context at all (we are not trying to click-track users on a commercial
I've maintained Cura (3d printing slicer) for a while but I no longer
find the energy to maintain it and keep it updated. If anyone is
interested in adopting it feel free, otherwise I will drop it to the AUR
in 2 weeks.
Note that there is a flatpak available as alternative
I currently have a MR open against archlinux-keyring , that adds a
systemd service and timer, which would automatically refresh valid and
existing keys on user systems. For people without access to the
repository's ticket and merge request features, it is possible to browse
the commits in question on the respective branch .
To quote from the accompanying ticket :
For situations in which we do have new signatures which have been
released, we may want a service on user systems that update existing
keys via WKD to have an updated set of keys before updating
Keys are updated in WKD after a release of archlinux-keyring (currently
this is still done in the https://gitlab.archlinux.org/archlinux/wkd
User systems may upgrade any time after that and pacman will pull new
keys from WKD automatically, however it will not pull updates for
Packages that are signed with a key that still had marginal trust in
release A (and therefore already existed on the user system since
release A) and gained full trust in release B will not be updated before
the user does a system upgrade. This leads to the requirement of
installing archlinux-keyring before doing a system upgrade, as otherwise
the key will still have marginal trust on the user system and the
signatures of other updated packages using the key in question will fail
To remedy this situation I think it would be helpful to have a service
update existing keys from WKD twice daily on a timer.
I am not 100% sure whether this has side-effects in regards to
revocations, but as we only ever update WKD after issuing a release and
not when updating the default branch, this should be fine(?).
In short: The service in question will update any valid keys in the
pacman keyring on user systems, that use Arch Linux's relevant domains
as UID to retrieve updated keys (e.g. extended expiration, additional
signatures). Invalid keys and those of other domains are ignored.
This feature is implemented to circumvent (some, but not all) cases of
"update archlinux-keyring before doing a system upgrade".
Cases not covered are (in no particular order):
* *long* outdated system is updated
* new main signing key is required for a packager key to gain full
trust for the packages about to be updated
* local system's archlinux-keyring does not yet offer this feature
* local system's pacman does not yet offer the feature of downloading
package signatures for new keys from WKD
* packager key on local system does not yet have any main key signatures
and would gain full trust with an update of archlinux-keyring
Currently the timer which triggers this service is supposed to be vendor
enabled (i.e. symlink in /usr/lib/systemd/system/timers.target.wants/)
and run daily with a deviation of up to 12h.
Members of the DevOps team have raised concerns about the interval as we
do not really have a clear picture about how many Arch Linux
installations there are world-wide to get numbers on expected median
load for this.
If you have ideas for improvement or general questions, please direct
them at the merge request.
while trying to package the ruby framework rails  I stumbled over the
fact that ruby itself is shipping an assortment of "default gems" which
they call "Standard Library"  
and something called "Bundled Gems" , which is another set of
The problem I see in these gems is that they are pulled into the ruby
source repo  from their dedicated original sources before a ruby
release and then get used in the release.
Furthermore ruby itself does not release a new version of itself
whenever a gem of this standard library updates, which means that over
time sooner or later most of these gems in the bundle
will be out-of-date.
Now apparently ruby has a general solution for that. You can have
multiple versions of one gem installed, the "default" versions do show
up with a default prefix in the `gem list` output.
So much for the actual ruby state. Now I would like to highlight some
points I found out about how Arch Linux is packaging ruby and the issues
I see with it.
Our ruby package  is currently removing a total of nine pre-shipped
gems from the main ruby release with the comment that they are shipped
in seperate packages .
I recently checked and found out that three of these removed gems are
not provided as packages (anymore?). Namely rbs, typerof and erb.
Furthermore the PKGBUILD has code in there which states that it removes
*all* bundled gems to avoid conflicts , but when I run a `gem list |
grep 'default'` I still see the default gems.
After some research I found out the reason is because the path in which
the default gems are located are not the path that we are removing with
these three lines of code.
It could be that the location of these default gems changed in some
version and was never updated.
The problem I see in the current situation is that we have most of the
default gems still installed and then some of them get upgraded
(sometimes even to a higher major version) by dedicated packages.
This can potentially break dependency changes if one of the not upgraded
default gems is requiring the gem that was upgraded to a new major version.
From my point of view the only real fix for this is to make sure that
we again remove all the default gems so that they can be packaged
seperatly. Whether or not we want to provide all gems from the
"standard library" and "bundled gems" is then a different question and
would in the end require more ruby packages.
Also I would recomment to add a comment to the PKGBUILD file of these
gems stating that they are part of the "standard library" / "bundled
gems" and such shouldn't be dropped from the repos in the future.
We also could think about putting all the "standard library" gems (and
maybe even the "bundled gems") in a package group called "ruby-stdlib"
or a meta-package (which I think is better).
That way users could easily install all of them with one command and we
also know which packages belong to the "ruby standard library".
One side effect I see with this approach is that we currently have
"hidden dependencies" on some of the standard library gems like in case
of ruby-nokogiri , which is depending on ruby-racc which is not
listed in the PKGBUILD file.
Currently this package only works because racc is one of the gems in the
standard library  and such pre-installed. If we now cleanup the ruby
package we need to fix such issues.
if you are a main signing key holder or a packager for Arch Linux,
please read this mail very carefully!
We are currently blocked from releasing a new version of
archlinux-keyring, as a release would imply demoting a few packager keys
to marginal trust (aka. not enough signatures from our signing keys to
be allowed to package). Some of these marginal trust keys still (or
again...) have packages in the repositories. All in all the keyring is
not in very good shape due to missing revocations or signatures (and
broken keys that block us from updating to a newer gnupg version, but
that is for another email).
Blocking the release of archlinux-keyring for this long is problematic
in several ways:
* existing keys that need to be updated are blocked from being released
to the users and packages may need to be rebuilt if keys expire on
user systems (which leads to manual action to install the keyring
* new keys can not be released to the users (blocking packagers from
packaging, leading to many outdated packages that need to be taken
over by other packagers)
* the updated trust status of revoked keys can not be released to the
users (allowing old keys to still package)
# Marginal trust keys
There are currently 25(!) marginal trust keys in the keyring, some of
which are old and superseded by new keys (I had to manually assign which
of the keys are old/new/current for the below overview).
alucryd 9437DD3815A7A9169E3D3946AFF5D95098BC6FF5 ~ marginal - old
andrewSC 601F20F1D1BBBF4A78CF5B6DF6B1610B3ECDBC9F ~ marginal - current
arodseth 8A9BC5819C54FEB3DC2A9B48C32217F6F13FF192 ~ marginal - old
arodseth 962855F072C7A01846405864FCF3C8CB5CF9C8D4 ~ marginal - new
cbehan 6EA3F3F3B9082632A9CBE931D53A0445B47A0DAB ~ marginal - old
coderobe 54EB4D6DB209862C8945CACCED84945B35B2555C ~ marginal - current
dbermond 3FFA6AB7B69AAE6CCA263DDE019A7474297D8577 ~ marginal - old
djgera 0F334D8698881578F65D2AE55ED514A45BD5C938 ~ marginal - old
escondida CB33B736591A9CA06098A9A5FCAC9CF5A6EE1209 ~ marginal - old
farseerfc 4B1DE545A801D4549BFD3FEF90CB3D62C13D4796 ~ marginal - old
ibiru F4DDD6DDCEC320B665F502AAE8F18BA1615137BC ~ marginal - old
jlichtblau 38EDD1886756924E1224E49524E4CDB0013C2580 ~ marginal - current
jsteel 8742F7535E7B394A1B048163332C9C40F40D2072 ~ marginal - current
juergen 355BDB97ED4724E6B3A450E7A3D9562A589874AB ~ marginal - old
kgizdov 4BE61D684CB4E31741614E7089AA27231C530226 ~ marginal - old
kkeen 48C3B1F30DDD0FE67E516D16396E3E25BAB142C1 ~ marginal - current
maximbaz EB4F9E5A60D32232BB52150C12C87A28FEAC6B20 ~ marginal - old
mtorromeo 2C118C620F02DB9AC1D0F9FA94DD2393DA2EE423 ~ marginal - old
muflone C521846436D75A3294795B27B4360204B250F0D3 ~ marginal - old
nicohood 97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 ~ marginal - current
spupykin 3E518BF2526FD1979E8AAE4965C110C1EA433FC7 ~ marginal - old
tensor5 A9B6710D760F6617C530746EC847B6AEB0544167 ~ marginal - old
thomas A314827C4E4250A204CE6E13284FC34C8E4B1A25 ~ marginal - old
wild 0E87D6C3F9AF7FDED0C8588D22E3B67B4A86FDE7 ~ marginal - old
xyne EC3CBE7F607D11E663149E811D1F0DC78F173680 ~ marginal - old
# Revoking "old" marginal trust keys
Revoking these "old" keys is *very important* so that `keyringctl`
properly assigns trust to the packager keys (no old key should be fully
trusted or have marginal trust) and helps a lot in figuring out which
keys need immediate attention going forward (because they are new or
As I have gotten mostly no reply from signing key holders in regards to
this, I hereby ask Florian, Pierre and Levente to please revoke keys
that need revoking  *now* and make sure that the revocation
certificates are merged into the archlinux-keyring repository.
The amount of open tickets is increasing and it makes working with the
keyring more and more difficult if no action is taken!
# Rebuilding packages of "old" marginal trust keys
For some packager keys the process of rebuilding
their packages has already been started more than four months ago ,
some of which are completed, but there are still some left .
I have checked the list of "old" marginal keys to see whether there are
any packages in the repositories signed by them () and have created rebuild
TODOs for any that needed them.
# **IMPORTANT**: Rebuilding packages of "current" marginal trust keys
If by Friday, 2022-07-15 20:00 CEST the marginal trust status of the
"current" keys is not improved to fully trusted, the packages in the
repositories signed by them will be rebuilt and a new version of
archlinux-keyring will be released as soon as that is done (2022-07-16
or 2022-07-17 depending on availability). Help with any upcoming
rebuilds will be very much appreciated!
This means those "current" keys can not be used for packaging anymore.
If you are the holder of an affected key or a main signing key holder,
please communicate this accordingly, so that the key can be signed and a
signature be merged in time!
# Setting up packager keys for archweb
If you are the holder of a packager key, please make sure to select your
"current" or "new" packager key in your archweb profile, so that the
signature status  is displayed correctly. We have *a lot* of keys
that are not setup correctly.
# New main signing key: Jonas Witschel
Last but not least, I would like to thank Jonas for stepping up and
taking on the responsibility of main signing key for Arch Linux .
Most, if not all packagers should by now have received a verification
email by him :)
wxWidgets 3.2 provides a Qt frontend in addition to the GTK3 one, so packages have been renamed from wxgtk-* to wxwidgets-*.
The GTK2 frontend is no longer provided. If you have wxgtk2 installed, the upgrade will fail with
error: failed to prepare transaction (could not satisfy dependencies)
:: removing wxgtk-common breaks dependency 'wxgtk-common' required by wxgtk2
In such case, uninstall wxgtk2 first with
# pacman -Rc wxgtk2
and then proceed with the upgrade.