#archlinux-ports | Logs for 2025-09-24
[01:20:22] -!- hritik_ has joined #archlinux-ports
[01:22:13] -!- hritik has quit [Ping timeout: 260 seconds]
[01:37:10] -!- p71- has joined #archlinux-ports
[01:39:02] -!- orhun|M has quit [Ping timeout: 244 seconds]
[01:39:03] -!- p71 has quit [Ping timeout: 244 seconds]
[01:50:01] -!- orhun|M has joined #archlinux-ports
[01:52:12] -!- hritik has joined #archlinux-ports
[01:53:43] -!- hritik_ has quit [Ping timeout: 260 seconds]
[02:14:24] -!- rossy has quit [*.net *.split]
[03:15:20] -!- rossy has joined #archlinux-ports
[03:29:28] -!- hcmb_ has joined #archlinux-ports
[03:29:28] hcmb is now known as Guest9592
[03:29:28] -!- Guest9592 has quit [Killed (platinum.libera.chat (Nickname regained by services))]
[03:29:28] hcmb_ is now known as hcmb
[04:28:41] -!- hritik_ has joined #archlinux-ports
[04:29:30] -!- hritik has quit [Ping timeout: 245 seconds]
[05:31:09] -!- hritik has joined #archlinux-ports
[05:32:10] -!- hritik_ has quit [Ping timeout: 248 seconds]
[06:24:36] -!- nl6720 has quit []
[06:25:35] -!- nl6720 has joined #archlinux-ports
[07:01:50] -!- drathir_tor has quit [Remote host closed the connection]
[07:04:10] -!- hritik_ has joined #archlinux-ports
[07:05:37] -!- hritik has quit [Ping timeout: 255 seconds]
[07:07:32] -!- drathir_tor has joined #archlinux-ports
[07:34:10] -!- Antiz has quit [Quit: The Lounge - https://thelounge.chat]
[07:34:52] -!- Antiz has joined #archlinux-ports
[07:36:04] -!- hritik has joined #archlinux-ports
[07:36:28] -!- hritik_ has quit [Ping timeout: 256 seconds]
[07:58:05] -!- Antiz has quit [Quit: The Lounge - https://thelounge.chat]
[08:00:02] -!- Antiz has joined #archlinux-ports
[08:06:32] -!- hritik_ has joined #archlinux-ports
[08:07:30] -!- hritik has quit [Ping timeout: 244 seconds]
[08:08:35] <Solskogen> I've found yet another inconsistency in the state repo. The package libwnck says (in the state repo) 2.31.0-4, but in the actual repos I find extra/os/x86_64/libwnck-2.31.0-6-x86_64.pkg.tar.zst
[09:18:00] <DrZee> I have come to the conclusion that pacstrap behaves differently if executed in a container (docker) environment vs. normal host. Most likely this relates to how the chroot is set up .... this also (in part) explains why archlinux-docker uses its own make-rootfs and not pacstrap.
[09:22:02] <Antiz> DrZee: Archlinux-docker used pacstrap before, but has always injected its own pacman.conf beforehand
[09:22:14] <Antiz> So that's not the reason why it doesn't use pacstrap anymore
[09:22:37] <Antiz> See e.g. https://gitlab.archlinux.org
[09:22:38] <phrik> Title: Makefile · b6727d838f5ad4d88eaeb34fe5fe9de2fe5cc819 · Arch Linux / archlinux-docker · GitLab (at gitlab.archlinux.org)
[09:23:04] <jelle> do you pacstrap from an archlinux docker created one?
[09:23:13] <jelle> because that has a special pacman.conf :)
[09:24:48] <Antiz> Again, I could be wrong but I think that pacstrap was dropped from the archlinux-docker project to allow rootless builds
[09:26:11] <Antiz> Because pacstrap requires actual root privileges, while relying on fakeroot/fakechroot allows for rootless builds (which is easier to manage from a CI/CD pov and is also generally more secure).
[09:28:12] <Antiz> The fact that pacstrap may not write a pacman.conf in /etc when run in a docker environment is definitely not the reason why archlinux-docker doesn't use it anymore (as it was actually like that before, as demonstrated in the link I gave above)
[09:32:32] <Antiz> DrZee: I'm pretty sure I'm right given https://gitlab.archlinux.org
[09:32:33] <phrik> Title: Merge no-root-build branch into master (!38) · Merge requests · Arch Linux / archlinux-docker · GitLab (at gitlab.archlinux.org)
[09:34:07] <Antiz> DrZee: You can see from that MR that pacstrap was dropped from the Makefile in favor of fakechroot/fakeroot to allow rootless build (as hinted by the branch name) in order to move to automatic scheduled releases with GitLabCI (as described in the MR description)
[09:36:55] <Antiz> So yeah, again, I'm pretty positive that the reason why pacstrap was dropped in favor an "homemade" way to build the rootfs (via fakeroot/fakechroot) is mainly (solely?) to allow rootless builds and automatic build/release from GitLabCI.
[09:39:23] <DrZee> in the ci/cd that I use it's not a problem to run the container in privileged mode as root .... so that's not really my concern/problem. pacstrap executes just fine (or rather there are no logged errors)... but apart from the missing /etc/pacman.conf I also see that the tarball built in the container is only 83MB vs. 117MB when run on a proper host ... so something funny is going on.
[09:39:54] -!- hritik has joined #archlinux-ports
[09:40:54] -!- hritik_ has quit [Ping timeout: 252 seconds]
[09:41:36] <Antiz> Yup, might not be a problem for your CI/CD, but it was for archlinux-docker (as we want to rely on secure runners for automatic builds/releases workflow which shouldn't run in privileged mode).
[09:42:18] <Antiz> This just to explain the rationale behind the switch from pacstrap to this "homemade" solution on the archlinux-docker side (and to confirm my theory :P)
[09:44:37] <Antiz> But regardless, pacstrap may indeed act differently in a "regular" env and a containerized env for some reasons 🤷 Not sure why is that / what actually differs, I understand the confusion here.
[09:46:25] <Antiz> But it's not the reason why archlinux-docker moved away from it though.
[09:46:45] <Antiz> DrZee: Anyway, is using the -P flag an option for you as a "workaround"?
[09:47:18] <Antiz> I understand this does not solve the mystery here, but that might allow to move forward in the mean time?
[09:52:05] <DrZee> Antiz: the problem with using the -P flag is that the pacstrap command is actually embedded deep in the belly of mkarchiso ... so to add it would require a MR or using my own archiso, neither a good idea ... and then i still need to run the comparison. For now I'm going the quick way and retooling to run tarball builds every 14 days (for now - can be changed to run more often if required)
[09:52:05] <DrZee> using a regular host ...
[09:57:03] <Antiz> Ah I see
[09:57:45] <DrZee> Antiz: ref secure runners - aren't the runners ephemeral? the way I use build containers in the AWS CodeBuild process is that they are launched only for the specific purpose to do what's described in the buildspec file ... if executing some of the commands requires the container to run in privileged mode so be it ... after the job is done it's never used again ... and you can't break out of
[09:57:45] <DrZee> the environment to influence other components in the pipeline ... so not sure where the security aspect plays a role ...
[10:00:32] <Antiz> They are ephemeral, but we still want to rely on unprivileged runners for our official builds / releases automated workflow. This is more of a "general best security practice" than anything specific.
[10:00:58] <Antiz> As in, why would we run something in privileged mode when we can achieve the same in an unprivileged mode? :)
[10:02:22] <Antiz> This reduces the attack surface. Scripts and ci.yml can be modified by anyone and be executed in a MR CI run or something
[10:02:43] <Antiz> We could eventually lead to data extraction / info leak (e.g. CI tokens, and so on).
[10:03:13] <Antiz> s/We could/Which could
[10:04:38] <Antiz> Of course, this is hypothetical scenario at that point, but this is also why we have .SRCINFO for instead (to avoid sourcing an actual bash script, in the form of the PKGBUILD, which could be exploited to perform malicious actions when being sourced).
[10:04:49] <Antiz> s/for instead/for instance
[10:06:18] -!- hritik has quit [Ping timeout: 248 seconds]
[10:08:04] <Antiz> So yeah, I think it mostly comes down to "let's not unnecessarily allow for privileged actions if we don't explicitly need to" as a precaution to not allow additional attack vectors unnecessarily.
[10:15:59] <Antiz> In your case where you're the only one able to modify your buildspec, it's probably fine.
[10:17:34] <DrZee> That's a fair point - I'm used to being the only one that can push code to execute in the pipeline :) ... so it never crossed my mind that someone could manipulate the buildspec ...
[10:19:09] <DrZee> generally though I don't run them in privileged mode, only when I must ... and in those cases the buildspec is not part of the code that's pushed so the build spec is "immutable" seen from the container ...
[10:19:56] <Antiz> Haha yeah, in our case, anyone can modify the buildspec and the CI (or some parts of it) is being run on pushes and / or MRs. So we definitely wanna control the scope / privileges actions are executed with (specifically since some of those CI are meant to build and release artifacts to the public)
[10:39:12] <DrZee> I was almost done with the container tarball build; refactoring to a regular host is a bit annoying... and takes time. hope I one day can figure it out because it's so much simpler ...
[10:39:29] <DrZee> to use a container
[11:21:38] -!- hritik has joined #archlinux-ports
[12:25:19] -!- hritik_ has joined #archlinux-ports
[12:27:00] -!- hritik has quit [Ping timeout: 245 seconds]
[12:56:40] -!- hritik has joined #archlinux-ports
[12:58:31] -!- hritik_ has quit [Ping timeout: 250 seconds]
[14:41:41] -!- marmis has quit [Quit: Bye!]
[14:59:37] -!- marmis has joined #archlinux-ports
[15:02:42] -!- hritik_ has joined #archlinux-ports
[15:03:21] -!- hritik has quit [Ping timeout: 265 seconds]
[15:05:52] hritik_ is now known as hritik
[15:34:05] -!- hritik has quit [Ping timeout: 250 seconds]
[15:49:08] -!- hritik has joined #archlinux-ports
[16:05:56] -!- hritik has quit [Ping timeout: 244 seconds]
[16:22:20] -!- hritik has joined #archlinux-ports
[16:36:25] -!- hritik has quit [Ping timeout: 244 seconds]
[16:54:07] -!- hritik has joined #archlinux-ports
[17:22:10] hritik is now known as hrtk
[17:37:13] -!- hrtk_ has joined #archlinux-ports
[17:38:50] -!- hrtk has quit [Ping timeout: 256 seconds]
[18:07:44] -!- hrtk has joined #archlinux-ports
[18:09:39] -!- hrtk_ has quit [Ping timeout: 250 seconds]
[18:39:20] -!- hrtk_ has joined #archlinux-ports
[18:39:54] -!- hrtk has quit [Ping timeout: 248 seconds]
[19:09:49] -!- hrtk has joined #archlinux-ports
[19:11:54] -!- hrtk_ has quit [Ping timeout: 248 seconds]
[19:31:18] <idealseal> bschnei: is there a special mirror required? Neither my local mirror nor geo.mirror.pkgbuild.com seems to contain any ports/aarch64 directories
[19:31:52] <bschnei> idealseal: yes. Is this for your Pi5 or a cloud VM?
[19:32:00] <idealseal> Pi5
[19:32:50] <bschnei> Server = https://arch-linux-repo.drzee.net
[19:32:58] <bschnei> repo name is [release]
[19:33:21] <bschnei> you will also need SigLevel = TrustAll Optional because the packages are not signed (yet)
[19:33:59] <idealseal> Got it, thanks!
[19:35:01] <bschnei> np. to be clear, this aarch64 work is still "pre-RFC". That is, it's still largely outside of the official Arch ecosystem. Building/hosting of packages is all separate.
[19:36:36] <bschnei> wait. I think I have an old URI. Solskogen or DrZee, help me out?
[19:38:51] <DrZee> the server is correct but the two repos are [core] and [extra] ...
[19:38:59] <bschnei> thank you!
[19:41:04] -!- hrtk_ has joined #archlinux-ports
[19:43:30] -!- hrtk has quit [Ping timeout: 256 seconds]
[19:52:50] <Solskogen> repo name is not release
[19:52:59] <Solskogen> oh, sorry :-D
[20:07:40] <DrZee> I hope to have tarballs building by the weekend.... then a new tarball will be built about every 14 days ... if you feel it should be more often let me know ..
[20:50:17] <Solskogen> every 14 days is fine. Once a month is fine as well. If there are huge changes being made we can ask you kindly to create a new one :-)
[20:51:55] <Solskogen> Antiz, jelle or gromit: Can any of you nudge Antonio Rojas a bit? the package gmp has the same pkgrel in the main branch as in the latest tag, but they are not the same :-)
[21:45:07] -!- hrtk has joined #archlinux-ports
[21:47:06] -!- hrtk_ has quit [Ping timeout: 248 seconds]
[22:10:12] -!- titus_livius has joined #archlinux-ports
[22:10:17] <gromit> Solskogen: What do you mean? Is the request just to rebuild it?
[22:16:31] -!- hrtk_ has joined #archlinux-ports
[22:18:27] -!- hrtk has quit [Ping timeout: 244 seconds]
[22:24:41] <bschnei> ya, I think that's what he means. There have been several commits since the tag to fix things, but there hasn't been a rebuild/release.
[22:27:32] <gromit> but the fixes that have gone in are only really relevant in order to build the package, so there is no reason to rebuild it for that
[22:47:47] -!- hrtk has joined #archlinux-ports
[22:50:13] -!- hrtk_ has quit [Ping timeout: 260 seconds]
[23:00:31] -!- p71- has quit [Ping timeout: 258 seconds]
[23:02:10] -!- p71 has joined #archlinux-ports