Artix Linux is a rolling-release distribution, based on Arch Linux.

It uses real init systems, because PID1 must be simple, secure and stable.

Recent news

Packages archive #2

A backup package archive (located in the US) has just gone online, to address connectivity issues reported by some of our users.

The xz package has been backdoored

TL;DR: Upgrade your systems NOW!

Following the related OpenWall post:
The upstream tarballs of xz 5.6.0 and 5.6.1 contain a backdoor which uses liblzma as a means to compromise SSH servers.

Preliminary analysis from the aforementioned post shows that the backdoor is designed to exploit openssh when linked against libsystemd (which depends on lzma) to compromise the SSH services. Artix and Arch don't link openssh to liblzma and thus this attack vector is not possible.

Based on the same analysis, the execution of openssh under systemd is a prerequisite for the backdoor to activate and given the additional distance of Artix to systemd (aren't we glad?), the exploit shouldn't affect any running Artix system.

However, it is strongly advised that all Artix users and administrators out there immediately upgrade their systems and container images (or at least xz to version 5.6.1-2) and restart openssh. Versions of xz up to and including 5.4.1-1 are not affected.

Server is back online

The server is back online, all systems nominal.

Server malfunction

Due to a server malfunction, multiple Artix services are unavailable. Among them:
  • Gitea
  • Archive
  • Galaxy repository
Unless it's a very serious hardware problem, it should be fixed sometime on Monday.

Changes to default password hashing algorithm and umask settings

Following the related Arch announcement

With shadow >= 4.14.0, Artix Linux's default password hashing algorithm changed from SHA512 to yescrypt.

Furthermore, the umask settings are now configured in /etc/login.defs instead of /etc/profile.

This should not require any manual intervention.

Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam) and its stronger resilience towards password cracking attempts over SHA512.

Although the winner of the Password Hashing Competition has been argon2, this even more resilient algorithm is not yet available in libxcrypt (attempt one, attempt two).

Configuring yescrypt
The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix module (i.e. in /etc/pam.d/system-auth).

General list of changes
  • yescrypt is used as default password hashing algorithm, instead of SHA512
  • pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
  • changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile