jasonwryan.com

Miscellaneous ephemera…

Signing Your Own Key

Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.

You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:

expac -S '%r %n %g' | awk '$3=="(null)" {print $1 "/" $2}'

Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same:

SigLevel = Required DatabaseOptional TrustedOnly

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[multilib]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
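
One way to check that every repository in a pacman.conf ends up requiring signed packages, as an added example rather than code from the original post. It assumes a repository's SigLevel tokens are applied on top of the [options] value; audit_siglevel, sample_conf and the [localrepo] entry are hypothetical names, and the sample config is constructed.

```sh
# Added example (not from the post). Assumptions: repo SigLevel tokens apply on
# top of the [options] value, [options] comes first, Include files are skipped.
audit_siglevel() {
    awk '
    # Fold one token into the package-side policy; Database* tokens are skipped.
    function apply(tok) {
        if (tok ~ /^(Package)?(Never|Optional|Required)$/) {
            sub(/^Package/, "", tok); lvl = tok
        } else if (tok ~ /^(Package)?(TrustedOnly|TrustAll)$/) {
            sub(/^Package/, "", tok); trust = tok
        }
    }
    function report() {
        if (sect == "" || sect == "options") return
        verdict = (lvl == "Required" && trust != "TrustAll") ? "ok" : "WEAK"
        print sect, lvl, trust, verdict
    }
    BEGIN { glvl = "Unset"; gtrust = "Unset" }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[.*\]$/ {
        report()
        sect = substr($0, 2, length($0) - 2)
        lvl = glvl; trust = gtrust   # every section starts from the global
        next
    }
    /^SigLevel[ \t]*=/ {
        sub(/^[^=]*=/, "")
        n = split($0, t, " ")
        for (i = 1; i <= n; i++) apply(t[i])
        if (sect == "options") { glvl = lvl; gtrust = trust }
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the layout from this post plus a hypothetical [localrepo].
sample_conf() {
    cat <<'EOF'
[options]
SigLevel = Required DatabaseOptional TrustedOnly
[core]
SigLevel = PackageRequired
[community]
Include = /etc/pacman.d/mirrorlist
[localrepo]
SigLevel = Optional TrustAll
EOF
}
sample_conf | audit_siglevel
```

Run it against the real file with audit_siglevel /etc/pacman.conf; any line ending in WEAK names a repository that would still accept unsigned packages or signatures from keys you have not marked as trusted.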

The next step was to add my key to pacman’s keychain so that I could sign the packages that I build using ABS or from the AUR. Allan has an excellent post on setting this up.

First, import your key into pacman’s keyring:

pacman-key -r 0xB1BD4E40

Then follow the prompts as you edit the key to sign, set a trust level and save your key:

pacman-key --edit-key 0xB1BD4E40
gpg> lsign
...
gpg> trust
...
gpg> save

Then it is just a matter of changing the BUILDENV option in your /etc/makepkg.conf, which is set to !sign by default. Remove the bang and include the details of the key you wish to use:

#-- Packager: name/email of the person or organization building packages
PACKAGER="Jason Ryan <jasonwryan@gmail.com>"
#-- Specify a key to use for package signing
GPGKEY="B1BD4E40"

Now, when you build a package, you will be prompted for your key’s passphrase:

==> Signing package...

You need a passphrase to unlock the secret key for
user: "Jason W Ryan <jasonwryan@gmail.com>"
2048-bit RSA key, ID B1BD4E40, created 2010-08-21

Enter passphrase:

Enter the correct passphrase and your package is built and signed:

-> Created signature file /home/jason/Build/{pkg}.pkg.tar.xz.sig.

Creative Commons image by donovanbeeson on Flickr.

A Taxonomy of Help Vampires

If you have spent any time at all amongst online (or, for that matter, off-line) communities, you will be familiar with the help vampire. If, by some combination of fortune and ignorance, you haven’t come across this term before, read Amy Hoy’s original—and definitive—post on this scourge, now.

Amy has some excellent tips on identifying help vampires; however, since she originally shed some sunlight on this odious species, they have become even more cunning and have adapted, to the point where there are now several varieties that you should be wary of if you are determined to prevent your online community from becoming overrun with them.

The Infant

The easiest to spot because, due to their nascent form, they have not developed sophisticated anti-detection strategies as yet. Also, encouragingly, these are the most likely to respond to the corrective measures Amy outlines in her post.

The infant has probably learned their dependent ways in some other online community with a higher tolerance for their spoonfeeding needs. Corrective measures, vigorously and repeatedly applied, can turn them around; but even small amounts of reinforcement of this behaviour can quickly see them morph into one of the more sinister types…

The Leech

This reprehensible lifeform just sucks and sucks and sucks until there is nothing left. Some of their forum threads may even appear reasonable, but looking at their profile in totality tells a shocking story. All of their posts are in their own threads; they are not interested in helping anyone else with a problem. They will move remorselessly from issue to issue, expecting the community to provide answers for them at a hemorrhagic rate.

They won’t have made any edits to the Wiki, no matter how trivial. They won’t maintain any packages or donate any time or money to your community. But they will be there night after night, posting their problems and waiting for the hapless to expend their time and energy on them. Like all parasites, they will adapt over time, so remain vigilant.

The Fanger

The out-and-out help vampire, unabashed and unashamed of their needs. Their sense of entitlement will be telegraphed by needy and demanding thread titles, often featuring exhortations like “HELP” and “URGENT” and almost always embellished with a liberal—and, at times of “real crises,” exclusive—use of all caps and exclamation marks.

The Fanger will also occasionally table (sadly, almost inevitably empty) threats about leaving your community and going off to use some other software; as if the dependency relationship is somehow reversed and it is you, the community, that will suffer if they leave.

The other classic trait of the hardcore vampire is that, like their fictional avatars, they see nothing when a mirror is held up to them. You can call their behaviour as much as you like; it will have no effect. Your only solution here is technology: the hell ban.


The Arch Linux community has grown considerably since it emerged ten years ago this month. Over the last couple of years, the forums in particular have seen a lot of new users signing up to participate. This is unquestionably a good thing™.

However, Arch is clearly labelled as being for competent users (and here competent can equally mean accomplished – or prepared to invest in themselves and the community to become competent) and that means not enabling these sorts of vampiric behaviours, in whatever form they manifest.

Notes

Photography is all Creative Commons licensed on Flickr by, in order of appearance:

Simple aurphan notifier

If you are an Arch Linux user and you are not using aurphan, you can take a moment to hang your head in shame before you click on to whatever the next thing is. The package description sums up perfectly what aurphan does:

Finds packages in need of maintainers, bug fixes and patches. Adopt today!

Running aurphan -a, for example, will identify any AUR packages in your database that are not currently maintained; allowing you to log in to the AUR and hit the ‘Adopt’ button, leaving you feeling all worthy and fulfilled.[1]

If, like most Archers, you have a compulsive desire to automate everything then clearly typing (or even remembering to type) aurphan -a into a terminal periodically is as ludicrous as it is onerous. The obvious answer is some shell script and a cron job.

First, the cron job:

crontab -e
@hourly aurphan -a >/tmp/aurphans

Then, as part of my dwm-status script, a function to check that there are no new additions to the file and, if there are, flash a highlight:

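aur(){
    # count lines other than aurphan's "No aurphans found." message
    aurphans="$(awk '$0 !~ /^No /' /tmp/aurphans | wc -l)"
    if [ "$aurphans" -gt 0 ]; then
        # flash a highlight in the dwm status bar
        echo -en "\x03*\x01"
    fi
}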

The awk filter excludes a null return, which is “No aurphans found.” Now, if any of the packages that I use from the AUR are disowned, I’ll be the first to know about it.

Notes
  1. Actual feeling may differ depending on the package you have adopted and the amount of prescription painkillers that you are currently ingesting…