Arch Linux

1. Glibc 2.41 corrupting Discord installation

   We plan to move glibc and its friends to stable later today, Feb 3. After installing the update, the Discord client will show a red warning that the installation is corrupt.

   This issue has been fixed in the Discord canary build. If you rely on audio connectivity, please use the canary build, login via browser or the flatpak version until the fix hits the stable Discord release.

   There have been no reports that (written) chat connectivity is affected.

   UPDATE: The issue has been fixed in Discord 0.0.84-1.

2. Critical rsync security release 3.4.0

   We'd like to raise awareness about the rsync security release version 3.4.0-1 as described in our advisory ASA-202501-1.

   An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.

   We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1 to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.

   All infrastructure servers and mirrors maintained by Arch Linux have already been updated.

3. Providing a license for package sources

   Arch Linux hasn't had a license for any package sources (such as PKGBUILD files) in the past, which is potentially problematic. Providing a license will preempt that uncertainty.

   In RFC 40 we agreed to change all package sources to be licensed under the very liberal 0BSD license. This change will not limit what you can do with package sources. Check out the RFC for more on the rationale and prior discussion.

   Before we make this change, we will provide contributors with a way to voice any objections they might have. Starting on 2024-11-19, over the course of a week, contributors will receive a single notification email listing all their contributions.

   • If you receive an email and agree to this change, there is no action required from your side.
   • If you do not agree, please reply to the email and we'll find a solution together.

   If you contributed to Arch Linux packages before but didn't receive an email, please contact us at package-sources-licensing@archlinux.org.

4. Manual intervention for pacman 7.0.0 and local repositories required

   With the release of version 7.0.0 pacman has added support for downloading packages as a separate user with dropped privileges.

   For users with local repos however this might imply that the download user does not have access to the files in question, which can be fixed by assigning the files and folder to the alpm group and ensuring the executable bit (+x) is set on the folders in question.

   $ chown :alpm -R /path/to/local/repo
   

   Remember to merge the .pacnew files to apply the new default.

   Pacman also introduced a change to improve checksum stability for git repos that utilize .gitattributes files. This might require a one-time checksum change for PKGBUILDs that use git sources.

5. The sshd service needs to be restarted after upgrading to openssh-9.8p1

   After upgrading to openssh-9.8p1, the existing SSH daemon will be unable to accept new connections (see https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5).
   When upgrading remote hosts, please make sure to restart the sshd service using systemctl try-restart sshd right after upgrading.

   We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.