RepoJournal
Arch Linux

@archlinux

The Arch Linux org — the rolling distro and the developers who run it

Pick a date

  1. Sun 3 may
  2. Mon 4 may
  3. Tue 5 may
  4. Wed 6 may
  5. Thu 7 may
  6. Fri 8 may
  7. Sat 9 may
  8. Sun 10 may
  9. Mon 11 may
  10. Tue 12 may
  11. Wed 13 may
  12. Thu 14 may
  13. Fri 15 may
  14. Sat 16 may
  15. Sun 17 may
  16. Tue 19 may
  17. Wed 20 may
  18. Thu 21 may
  19. Sat 23 may
  20. Sun 24 may
  21. Mon 25 may
  22. Tue 26 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

ARCHWEB MATRIX ISOLATION TIGHTENS SECURITY POSTURE

By RepoJournal · Filed · About Arch Linux

Arch infrastructure locked down Matrix well-known directory to primary host only, closing a lateral exposure vector across mirror and secondary deployments.

The infrastructure team merged a critical change [1] [2] that restricts `.well-known/matrix` installation to the main archweb instance, preventing accidental or malicious matrix protocol exposure on distributed deployments. This closes a known work item and hardens the attack surface for services running on secondary infrastructure. On the packages side, python-requests bumped to 2.34.0 [3], bringing dependency freshness across the ecosystem. nvhpc updated to 26.3-3 [4] for users running NVIDIA HPC workflows. Stalwart mail stack received dual updates—webadmin to 1.0.4 and cli to 1.0.6 —addressing improvements in the mail server toolchain. Ruby tooling also moved forward with mixlib-config to 3.1.5 .

Action items

References

  1. [1] Merge branch 'limit_matrix_archweb' archlinux/infrastructure
  2. [2] archweb: Limit installation of `.well-known/matrix` dir & files to main archweb host archlinux/infrastructure
  3. [3] update python-requests to 2.34.0-1 in extra-any archlinux/state
  4. [4] update nvhpc to 26.3-3 in extra-x86_64 archlinux/state

FAQ

What changed in Arch Linux on May 12, 2026?
Arch infrastructure locked down Matrix well-known directory to primary host only, closing a lateral exposure vector across mirror and secondary deployments.
What should Arch Linux teams do about it?
Review archweb deployment configuration to confirm matrix limitation is active • Pull python-requests 2.34.0 in your next dependency refresh cycle • Update nvhpc and stalwart tooling if running HPC or mail services
Which Arch Linux repositories shipped on May 12, 2026?
archlinux/infrastructure, archlinux/state

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.