Relying on more transparent & trustworthy sources for Arch Linux packages
UB2.147 | Day 2 | 11:30 - 11:55 | Speakers: Robin Candau
Abstract
The software supply chain for Linux distributions is under growing pressure. Several distributions have recently shipped infected packages originating from compromised or malicious upstream sources, including core libraries, with significant security consequences.
These incidents prompted Arch Linux to reflect on the way we handle our package sources. With the objective of bringing greater transparency to our packaging process, we revisited historical decisions and established updated guidelines and best practices for selecting trustworthy sources for our packages, in order to prevent (or at least mitigate) such potential security threats in the future.
This talk will share an overview of the specifications and guidelines we established during this reflection.
Speakers
I'm a French Linux systems & DevOps engineer passionate about music, cycling, skateboarding and the Linux ecosystem!
I'm interested in Linux system development, packaging, infrastructure, reproducible builds and supply chain security.
I'm primarily involved in Arch Linux, fulfilling multiple roles within the Arch Linux Staff, but I also contribute to Reproducible Builds and Alpine Linux.
