Siosm's blog

Some thoughts from a systemd, Rust and security aficionado

Repositories

Warning

Those packages are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

I did not make those softwares and I do not own any copyright related to them. If you think I’m infringing some laws/copyright, please contact me and I will remove the package.

Repository content

Most of the packages available in those repositories are in the AUR. I may have tweaked/fixed some. Check the git repository for the full PKGBUILDs.

  • siosm-aur: packages also available in the Arch User Repository, sometimes with minor fixes.

If you find an outdated package in this repo, please send me a mail with the following subject: [<repo>] <package_name> is outdated. I will update it as soon as I can. I will provide only x86_64 packages as I only use this architecture.

Configuration

Add those lines at the end of pacman configuration file /etc/pacman.conf:

1
2

[siosm-aur]
Server = https://siosm.fr/repo/$repo/

GPG key/signature

All my packages are signed with my GPG key. To import the key, run those commands as root :

1
2
3

pacman-key --recv-keys C8D83B6AE4B8685A7290545FDB27818F78688F83
# Or if you've downloaded the key: pacman-key --add siosm_gpg.pub
pacman-key --lsign-key C8D83B6AE4B8685A7290545FDB27818F78688F83

Make sure that the correct key is added to the keyring.

Check this Arch Wiki page or this blog post by Jason Ryan for more information.

PKGBUILD and source files for other projects

A git repository with all the PKGBUILDs files is available on GitHub. You can retrieve them using this command:

1

git clone https://github.com/Siosm/siosm-aur.git

Why should you trust me?

Short answer: YOU SHOULD NOT.

Long answer: As always, it’s a compromise between time and security:

  • If you don’t trust me at all, you’ll have to check and build all the packages by hand, and you won’t need those binary repositories.

  • If you trust me a little, you can assume that I’m indeed building my packages with what I put in the PKGBUILD git repositories. Checking that the PKGBUILD are OK could then be enough.

  • If you trust me completely, go head and use those packages!

Here is how you should proceed if you want to check everything by yourself and then decide if I may be worthy of your trust:

  • Check and download the PKGBUILD corresponding to the package you want to use;
  • Build them by yourself (see the Arch Wiki if you run into troubles);
  • Compare the sha256sum of the content in your package against mine. For binaries, it is likely that the hash won’t match as :
    • there might have been a new version of gcc/glibc available since I last build the package;
    • depending on the package, builds may not be fully reproducible or will provide binaries with minor differences (more details available in this blog post by Jos van den Oever).
  • If the hash doesn’t match and you found noticeable differences between your package and mine, please send me an email so that can investigate what’s going on.