Release of Pacman 5.2 package manager

Pacman 5.2, the package manager used by the Arch Linux distribution, has been released. Notable changes include:

  • Support for delta updates, which allowed only the changed parts of a package to be downloaded, has been completely removed. The feature was dropped because of a vulnerability (CVE-2019-18183) that allowed arbitrary commands to be run on the system when unsigned databases were in use. To exploit it, the user had to download an attacker-prepared database and delta update. Delta support was disabled by default and was not widely used; a complete rewrite of the delta implementation is planned for the future;
  • A vulnerability in the XferCommand handler (CVE-2019-18182) has been fixed; given a MITM position and an unsigned database, it allowed an attacker to execute their own commands on the system;
  • Makepkg can now hook in custom handlers for downloading source packages and verifying them by digital signature. Package compression with the lzip, lz4 and zstd algorithms is now supported, and repo-add supports zstd-compressed databases. Arch Linux is expected to switch to zstd by default soon, which, compared to xz, speeds up package compression and decompression while maintaining the same compression level;
  • Pacman can be built with the Meson build system instead of Autotools. In the next release, Meson will replace Autotools entirely;
  • Added support for fetching PGP keys via the Web Key Directory (WKD), which publishes public keys on a web server under the domain of the e-mail address. For example, for the address "[email protected]" the key can be downloaded from "https://example.com/.well-known/openpgpkey/hu/183d7d5ab73cfc5ece9a5f94e6039d5a". WKD key lookup is enabled by default in pacman, pacman-key and makepkg;
  • The "--force" option has been removed in favour of the "--overwrite" option, which was introduced more than a year ago and more accurately describes the operation;
  • File search results with the -F option now include extended information such as the package group and installation status.
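The WKD lookup URL described above is derived from the e-mail address: the local part is lowercased, hashed with SHA-1, and the digest is z-base-32 encoded to form the last path component under `/.well-known/openpgpkey/hu/`. The following Python is an added illustration of that derivation and is not pacman's or GnuPG's own code; it follows the draft-koch-openpgp-webkey-service specification, which is an assumption on my part about the exact variant pacman uses, and it builds URLs for both the direct method (the form shown on the page) and the advanced method on an `openpgpkey.` subdomain. The sample address is the one from the WKD draft, not from the page.

```python
import hashlib

# z-base-32 alphabet as used by WKD (note: no '0', '2', 'l' or 'v')
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32, 5 bits per symbol from the MSB end.
    A 20-byte SHA-1 digest (160 bits) encodes to exactly 32 characters."""
    bits = int.from_bytes(data, "big")
    pos = len(data) * 8
    out = []
    while pos > 0:
        take = min(5, pos)                       # final group may be shorter
        chunk = (bits >> (pos - take)) & ((1 << take) - 1)
        chunk <<= 5 - take                       # right-pad a short final group
        out.append(ZBASE32_ALPHABET[chunk])
        pos -= take
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The 'hu' path component: z-base-32(SHA-1(lowercased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the direct-method and advanced-method lookup URLs for an address.
    Only the hashed local part appears in the path, so the server does not see
    the mailbox name in clear text; the domain's HTTPS certificate is what
    authenticates the key source, which is why WKD is a discovery mechanism and
    not a substitute for checking a fetched key against a trusted fingerprint."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}",
    }


if __name__ == "__main__":
    # Sample address taken from the WKD draft (constructed input, not from the page)
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:9s} {url}")
```

GnuPG tries the advanced method first and falls back to the direct one; `gpg --with-wkd-hash -k <key>` prints the same hash for comparison.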

Source: opennet.ru
