Hi all, here is a quick progress report on Valve sponsored work in July 2025. ## Signstar Based on feedback from reviewers, we have added further research and data to [RFC 0059] which provides information on specific costs and technological differences between discussed options. Due to reviewer concerns with regards to colocation hosting feasibility and costs we have pivoted to support the YubiHSM 2 as default backend for the proposed solution. The existing NetHSM integration will remain for as long as possible to potentially be re-evaluated in the future. The code coverage setup has been split so that unit tests and integration tests each have their own report. In an additional step, we have also added coverage reporting for use-cases in which tests have to switch users. Logging to systemd journal with rich metadata has been added, in case journald is available in the given environment. An issue with doctests coverage being broken for multi-member projects has been investigated (see [cargo-llvm-cov#440]). A large part of the NetHSM handling backend has been merged and released, which allows to synchronize a NetHSM backend with a Signstar configuration file ([signstar!249]). To support further backends in the future, work on making the Signstar configuration file format less dependent on the existing set of crates related to the NetHSM has been started ([signstar!292]). A sample signer [yubihsm-pgp] with mock YubiHSM has been implemented. The PoC exercises all major features we would need (creating new ed25519 asymmetric key; creating new wrapping key, backed by 3 out of 5 Shamir’s Secret Sharing and key export/import; creating new OpenPGP certificate using HSM key; signing given data file using that certificate; verifying that file with SOP implementations). YubiHSM additionally has support for [key attestation], sadly, due to RustCrypto version drift it doesn't work when mixed with rPGP. Additionally, investigated internal YubiHSM audit log for operations, which stores all operations executed on the HSM. The log can be cryptographically verified that it has not been tampered with. [YubiHSM logs] ## wkd-exporter Added code coverage, based on the existing code from signstar. Generated code quality file for Gitlab so that each merge request has a nice presentation of what would change. Contributed `[metadata]` attributes to `just` [just#2794] and used that to track CI job package dependencies [wkd-exporter#16]. ### Hours billed for Signstar David (85h), Wiktor (124h) ## Buildbtw We've received lots of feedback from PoC testers which as lead to lots of improvements and a treasure trove of new issues we'll be able to reference while building towards the next milestone: the first "production" release. Our plan is to take all learnings from the PoC and use them to build a small, but polished foundation which will provide build services to all staff members (and eventually also drive-by gitlab contributors). The PoC will continue running for a while (consider joining the testing instance if you haven't done so!), and we've continued working on it. We drastically improved the scheduler's memory usage and performance, fixed lots of papercuts in the CLI and web UI, and fixed bugs, a major one of them in the graph calculation algorithm. We also merged the first contributions from gromit. Thank you, gromit! The impulses for these changes came from onboarding sessions for the PoC testing instance. Thanks to everyone who participated so far! For the new production milestone, we've created plans based on our experience with the PoC: an overhauled data structure for improved performance, a deployment concept and release strategy, OIDC authentication, an improved JSON API for scheduling builds, and a new module structure for the code. Last but not least, we started writing an RFC covering major workflows and requirements for the production system we're envisioning. ### Hours billed for buildbtw Rafael (79h), Sven (39.5h), Levente (0h) ## Package Source Licensing Implemented [pkgctl license](https://gitlab.archlinux.org/archlinux/devtools/-/merge_requests/318) and worked through many packages with bad licenses. Created a [todo to make all packages license compliant](https://archlinux.org/todo/make-packages-license-compliant/). ### Hours billed for Package Source Licensing Rafael (4h), Sven (81h) ## Meeting Notes Meeting notes are available for staff in the [internal-notes] repository. [internal-notes]: https://gitlab.archlinux.org/archlinux/internal-notes/-/tree/main/valve [RFC 0059]: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/59 [cargo-llvm-cov#440]: https://github.com/taiki-e/cargo-llvm-cov/issues/440 [yubihsm-pgp]: https://gitlab.archlinux.org/wiktor/yubihsm-pgp [key attestation]: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concep... [just#2794]: https://github.com/casey/just/pull/2794 [signstar!249]: https://gitlab.archlinux.org/archlinux/signstar/-/merge_requests/249 [signstar!292]: https://gitlab.archlinux.org/archlinux/signstar/-/merge_requests/292 [wkd-exporter#16]: https://gitlab.archlinux.org/archlinux/wkd-exporter/-/merge_requests/16/diff... [YubiHSM logs]: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concep...