Siosm's blog

Some thoughts about security, Arch Linux, KDE, music...

Repositories

Warning

Those packages are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

I did not make this software and I do not own any copyright related to it. If you think I’m infringing some law or copyright, please contact me (tim@siosm.fr) and I will remove the package.

Repository content

Most of the packages available in those repositories are in the AUR. I may have tweaked/fixed some. Check the git repository for the full PKGBUILDs.

  • siosm-aur: packages also available in the Arch User Repository, sometimes with minor fixes;
  • siosm-selinux: packages required for SELinux support - work in progress (notably missing an Arch Linux compatible SELinux policy). See the SELinux page on the Arch Wiki for details;
  • arch-hardened: (empty, work in progress) Hardened core packages for the Arch Linux Hardened project. See the Arch Hardened section.

If you find an outdated package in this repo, please send a mail to tim@siosm.fr with the following subject: [<repo>] <package_name> is outdated. I will update it as soon as I can. I will provide only x86_64 packages as I only use this architecture.

Configuration

Add these lines at the end of the pacman configuration file /etc/pacman.conf. The repositories are served over plain HTTP, so the transport protects nothing: what protects you is the package signature check, which pacman only performs if the SigLevel in effect for these repositories requires package signatures (the default SigLevel in the stock /etc/pacman.conf does) and if you have imported my key as described in the next section:

[siosm-aur]
Server = http://repo.siosm.fr/$repo/

[siosm-selinux]
Server = http://repo.siosm.fr/$repo/

# Empty, coming soon!
#[arch-hardened]
#Server = http://repo.siosm.fr/$repo/

GPG key/signature

All my packages are signed with my GPG key. To import the key and mark it as trusted, run these commands as root. Before running the second one, check that the fingerprint pacman-key reports for the newly added key is the one given below: locally signing a key tells pacman to accept every package signed by it.

pacman-key --add siosm_gpg.pub
pacman-key --lsign-key C8D83B6AE4B8685A7290545FDB27818F78688F83

Check this Arch Wiki page or this blog post by Jason Ryan for more information.

PKGBUILD and source files for other projects

A git repository (with a cgit web interface) hosting the PKGBUILD files is available at git.siosm.fr. Clones of those repositories are also available on GitHub. You can retrieve them using one of these commands; prefer the https:// one, since the git:// and http:// transports do not authenticate the server and a network attacker could hand you modified PKGBUILDs:

git clone git://git.siosm.fr/<repo-name>
git clone http://git.siosm.fr/<repo-name>
git clone https://git.siosm.fr/<repo-name>

Why should you trust me?

Short answer: YOU SHOULD NOT.

Long answer: As always, it’s a compromise between time and security:

  • If you don’t trust me at all, you’ll have to check and build all the packages by hand, and you won’t need those binary repositories.

  • If you trust me a little, you can assume that I’m indeed building my packages with what I put in the PKGBUILD git repositories. Checking that the PKGBUILDs are OK could then be enough.

  • If you trust me completely, go ahead and use those packages!

Here is how to proceed if you want to check everything yourself and then decide whether I may be worthy of your trust:

  • Review and download the PKGBUILD corresponding to the package you want to use;
  • Build it yourself (see the Arch Wiki if you run into trouble);
  • Compare the sha256sum of each file in your package against the one in mine. For binaries, the hashes will likely not match, because:
    • a new version of gcc or glibc may have been released since I last built the package;
    • depending on the package, builds may not be fully reproducible, or may produce binaries with minor differences (more details in this blog post by Jos van den Oever).
  • If the hashes do not match and you find noticeable differences between your package and mine, please send me an email so that I can investigate what is going on.
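The comparison described in the last steps, written out as an added example (my code for this page, not the author's tooling and not taken from the original post): it unpacks your own build and the package downloaded from the repository, hashes every file, and separates differing ELF binaries (the expected toolchain noise mentioned above) from differing scripts, configuration files, added or removed files and metadata changes, which are the cases worth an email. It assumes the layout makepkg produces (member paths relative to the package root, .PKGINFO at the top level with "key = value" lines such as builddate and packager); the script name pkgcmp.py, the ELF-header heuristic and the sample package contents are my own choices, and the build_sample_package fixture is constructed here purely so the script runs offline.

```python
import hashlib
import io
import tarfile
from dataclasses import dataclass, field

# .PKGINFO keys that legitimately differ between two honest builds of one PKGBUILD.
VOLATILE_PKGINFO_KEYS = {"builddate", "packager", "size"}
# Archive members that describe the package rather than being installed files.
METADATA_MEMBERS = {".PKGINFO", ".MTREE", ".BUILDINFO", ".INSTALL", ".CHANGELOG"}


def parse_pkginfo(text):
    """Parse the 'key = value' lines makepkg writes to .PKGINFO (keys such as depend repeat)."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" = ")
            info.setdefault(key, []).append(value)
    return info


def inspect_package(pkg):
    """Return ({path: fingerprint}, pkginfo) for a .pkg.tar.* given as bytes; compression is autodetected."""
    files, pkginfo = {}, {}
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r:*") as tar:
        for member in tar:
            if member.issym():
                files[member.name] = "symlink:" + member.linkname
            elif member.isfile():
                data = tar.extractfile(member).read()
                if member.name == ".PKGINFO":
                    pkginfo = parse_pkginfo(data.decode())
                # Tag ELF files so a differing binary can be told apart from a differing script.
                kind = "elf" if data[:4] == b"\x7fELF" else "sha256"
                files[member.name] = kind + ":" + hashlib.sha256(data).hexdigest()
    return files, pkginfo


@dataclass
class Report:
    only_in_mine: list = field(default_factory=list)
    only_in_theirs: list = field(default_factory=list)
    differing_binaries: list = field(default_factory=list)  # ELF on both sides
    differing_other: list = field(default_factory=list)     # scripts, configs, data
    pkginfo_mismatch: dict = field(default_factory=dict)    # key -> (mine, theirs)

    def needs_investigation(self):
        # Differing ELF files alone are explained by toolchain drift; anything else is not.
        return bool(self.only_in_mine or self.only_in_theirs
                    or self.differing_other or self.pkginfo_mismatch)


def compare_packages(mine_bytes, theirs_bytes):
    mine_files, mine_info = inspect_package(mine_bytes)
    their_files, their_info = inspect_package(theirs_bytes)
    report = Report()
    for path in sorted(set(mine_files) | set(their_files)):
        if path in METADATA_MEMBERS:
            continue  # .PKGINFO is compared below; .MTREE and .BUILDINFO embed build-time data
        a, b = mine_files.get(path), their_files.get(path)
        if b is None:
            report.only_in_mine.append(path)
        elif a is None:
            report.only_in_theirs.append(path)
        elif a != b:
            both_elf = a.startswith("elf:") and b.startswith("elf:")
            (report.differing_binaries if both_elf else report.differing_other).append(path)
    for key in sorted((set(mine_info) | set(their_info)) - VOLATILE_PKGINFO_KEYS):
        a, b = mine_info.get(key, []), their_info.get(key, [])
        if sorted(a) != sorted(b):
            report.pkginfo_mismatch[key] = (a, b)
    return report


def build_sample_package(files, pkginfo):
    """Constructed fixture: a minimal uncompressed package archive, not real makepkg output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in {".PKGINFO": pkginfo.encode(), **files}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 pkgcmp.py mine.pkg.tar.xz theirs.pkg.tar.xz
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = compare_packages(f1.read(), f2.read())
    else:  # demo on two constructed packages whose only difference is the ELF payload
        info = "pkgname = foo\npkgver = 1.0-1\nbuilddate = %d\npackager = %s\n"
        mine = build_sample_package({"usr/bin/foo": b"\x7fELF" + b"A" * 16}, info % (1, "me"))
        theirs = build_sample_package({"usr/bin/foo": b"\x7fELF" + b"B" * 16}, info % (2, "siosm"))
        report = compare_packages(mine, theirs)
    print(report)
    sys.exit(1 if report.needs_investigation() else 0)
```

Run it with the path to your own build and the path to the package pacman cached from the repository; the exit status is 1 whenever anything other than a differing ELF binary was found. .MTREE and, where present, .BUILDINFO are skipped deliberately because they record timestamps and the build environment, so they differ between any two builds; the .PKGINFO comparison ignores builddate, packager and size for the same reason but still catches a changed dependency list or version.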