Recent news
The xz package has been backdoored
TL;DR: Upgrade your systems NOW!
Following the related OpenWall post:
The upstream tarballs of xz 5.6.0 and 5.6.1 contain a backdoor which uses liblzma as a means to compromise SSH servers.
Preliminary analysis from the aforementioned post shows that the backdoor is designed to exploit openssh when linked against libsystemd (which depends on lzma) to compromise the SSH services. Artix and Arch don't link openssh to liblzma and thus this attack vector is not possible.
Based on the same analysis, the execution of openssh under systemd is a prerequisite for the backdoor to activate and given the additional distance of Artix to systemd (aren't we glad?), the exploit shouldn't affect any running Artix system.
However, it is strongly advised that all Artix users and administrators out there immediately upgrade their systems and container images (or at least xz to version 5.6.1-2) and restart openssh. Versions of xz up to and including 5.4.1-1 are not affected.
Server is back online
The server is back online, all systems nominal.
Server malfunction
Due to a server malfunction, multiple Artix services are unavailable. Among them:
- Gitea
- Archive
- Galaxy repository
Changes to default password hashing algorithm and umask settings
Following the related Arch announcement
With shadow >= 4.14.0, Artix Linux's default password hashing algorithm changed from SHA512 to yescrypt.
Furthermore, the umask settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam) and its stronger resilience towards password cracking attempts over SHA512.
Although the winner of the Password Hashing Competition has been argon2, this even more resilient algorithm is not yet available in libxcrypt (attempt one, attempt two).
Configuring yescrypt
The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix module (i.e. in /etc/pam.d/system-auth).
General list of changes
- yescrypt is used as default password hashing algorithm, instead of SHA512
- pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
- changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile
Repository structure changes (updates)
Following the related Arch migration announcement, our repository structure has changed accordingly. The [gremlins] repository has split into [system-gremlins] and [world-gremlins]; likewise, the [goblins] repository has split into [system-goblins] and [world-goblins]. The [galaxy] repository has been merged into [world].
How are end users affected?
Those who don't use testing ([-gremlins]) and staging ([-goblins]) repositories won't see any difference; those who do, will have to enable [system-gremlins] and [world-gremlins] manually.
The Universe repository
All packages from this repository have been moved to the replaced galaxy repository. As a result, those who have the universe repository enabled in pacman.conf should remove it and add galaxy.
Another change is that the [-bin] packages have been removed, as these can be built locally. Also, librewolf had to be dropped due to critical build issues that occur since the last two versions.
The omniverse repo will remain as it was and is, though some of its packages will be moved to the galaxy and world repositories.
, 2017-2024