Update on Valve sponsored work in Q1 2026
Hi all,

here is a quick progress report on Valve sponsored work in Q1 2026. We figured quarterly reports are a good cadence.

## Signstar

- Milestones have been added and adjusted to contain work items for the proposed steps described in [RFC 0059].
- We have split out the mkosi-based image-building setup to the separate [Signstar-OS GitLab] repository.
- In a [milestone for YubiHSM2 support] we track the remaining work required to automate the use of a YubiHSM2 as backend with Signstar.
- In this context we have rewritten the configuration layer to accommodate several backends and are still busy with a few places to refactor for this larger change.
- Improvements to the project's task running integration have been made to simplify this for direct use and CI.
- We fixed a couple of bugs in the YubiHSM library (`yubihsm.rs`).
- A small proof-of-concept has been designed and implemented for encryption and decryption of the Yubico backup format, including parsing and wrapping ed25519 signing keys, AES-128 authorization keys and opaque data. The backup format is compatible with Yubico's own tools. Work is under way to expose these features as a CLI tool.
- In a [milestone for a virtualized test setup] we are working towards creating a public environment that can be used by interested developers and package maintainers for test purposes and will at the same time serve as a long-term staging environment for automated updates.

Generally, you can follow our work on the [Signstar GitLab] and [Signstar-OS GitLab] projects.

## Buildbtw

Following the concessions of the last progress report, we are happy to report that we're now back to full capacity.

In the last report, we announced that we had started work on the production version of buildbtw. By now, we have migrated most of the code from the PoC into the new production version and done most of the production-readiness work we set out to do. In contrast to the PoC, all the new production code is reviewed in-depth, documented, and well-tested.

- Continuous deployment for review, staging and production environments ([buildbtw-archlinux-org])
- Keycloak roles are automatically mapped to buildbtw roles for permission management
- Build graph calculation, diffing, and persistence
- GitLab Executor running builds in vmexec and uploading artifacts
- vmexec fixes, features, and a lot of testing
- Modern responsive web UI
- Session management & API keys
- Parallel repo updater/cloner

Next steps and in-progress work:

- Nice bbtw CLI with good developer experience
- API docs
- Finish up pipeline scheduling
- Separate out the repo-updater crate into its own project
- Deploy the GitLab Executor

As always, you can follow us over at GitLab [gitlab-buildbtw] and specifically the current milestone [buildbtw-milestone].

## Meeting Notes

Meeting notes are available for staff in the [internal-notes] repository.

[RFC 0059]: https://rfc.archlinux.page/0059-automated-digital-signing-of-os-artifacts/
[Signstar GitLab]: https://gitlab.archlinux.org/archlinux/signstar
[Signstar-OS GitLab]: https://gitlab.archlinux.org/archlinux/signstar-os
[buildbtw-archlinux-org]: https://buildbtw.archlinux.org/
[buildbtw-milestone]: https://gitlab.archlinux.org/archlinux/buildbtw/-/milestones/10
[gitlab-buildbtw]: https://gitlab.archlinux.org/archlinux/buildbtw/-/boards/24162
[internal-notes]: https://gitlab.archlinux.org/archlinux/internal-notes/-/tree/main/valve
[milestone for a virtualized test setup]: https://gitlab.archlinux.org/archlinux/signstar/-/milestones/6
[milestone for YubiHSM2 support]: https://gitlab.archlinux.org/archlinux/signstar/-/milestones/12
participants (1)
-
Sven-Hendrik Haase