RepoJournal
Arch Linux

@archlinux

The Arch Linux org — the rolling distro and the developers who run it

Pick a date

The Wire · Showcase

SIGNSTAR AUTHENTICATION OVERHAUL SHIPS, HASKELL ECOSYSTEM CASCADES

By RepoJournal · Filed · About Arch Linux

Arch's signing infrastructure underwent a breaking refactor that rearchitects how authenticated commands chain together, while the Haskell stack rippled with coordinated updates across Yesod and its dependents.

The signstar project landed two major breaking changes that reshape its authentication model [1] [2]. The `Scenario` object now wraps authenticated command chains directly, eliminating the need for nested `Command::Auth` variants and removing mutability requirements from the runner. File-backed authentication is now CLI-only, with core infrastructure relying on `Credentials` objects instead. This is a significant architecture win for maintainability. Supporting these changes, three new passphrase and key management features landed [3] [4] [5], adding policy-driven validation for authentication keys and passphrases created from strings or files. Over in buildbtw, two compilation fixes merged: a GraphQL schema path correction [6] and a build system optimization that prevents unnecessary recompilation during database migrations [7] [8]. The executor also gained graceful build cancellation with SIGTERM support [9]. Meanwhile, the Haskell staging area cycled through coordinated bumps to hledger-web, tamarin-prover, and the full Yesod stack [10] [11] [12] [13] [14], likely triggered by a dependency solver pass. Infrastructure bumped Synapse to 1.155.0 [15].

Action items

References

  1. [1] refactor!: Restructure `Scenario` as chain of authenticated commands archlinux/signstar
  2. [2] feat!: Use file-backed authentication only for the CLI archlinux/signstar
  3. [3] feat: Add `AuthenticationKey`, wrapping `yubihsm::authentication::Key` archlinux/signstar
  4. [4] feat: Add `Passphrase::check_against_policy` archlinux/signstar
  5. [5] feat: Add `Passphrase::new_with_policy` archlinux/signstar
  6. [6] Merge branch 'fix-graphql-schema-path-in-build.rs' into 'main' archlinux/buildbtw
  7. [7] Merge branch 'prevent-extra-compilation-in-just-migrate-database' into 'main' archlinux/buildbtw
  8. [8] Prevent extra compilation in `just migrate-database` archlinux/buildbtw
  9. [9] Merge branch 'executor-allow-cancelling-builds' into 'main' archlinux/buildbtw
  10. [10] update tamarin-prover to 1.12.0-56 in extra-staging-x86_64 archlinux/state
  11. [11] update hledger-web to 1.52.1-19 in extra-staging-x86_64 archlinux/state
  12. [12] update haskell-yesod-static to 1.6.1.2-22 in extra-staging-x86_64 archlinux/state
  13. [13] update haskell-yesod to 1.6.2.1-502 in extra-staging-x86_64 archlinux/state
  14. [14] update haskell-yesod-test to 1.6.23-176 in extra-staging-x86_64 archlinux/state
  15. [15] matrix: Update synapse to 1.155.0 archlinux/infrastructure

FAQ

What changed in Arch Linux on June 17, 2026?
Arch's signing infrastructure underwent a breaking refactor that rearchitects how authenticated commands chain together, while the Haskell stack rippled with coordinated updates across Yesod and its dependents.
What should Arch Linux teams do about it?
Review signstar breaking changes before next signing ceremony - authentication model is restructured • Test haskell-yesod ecosystem updates before pushing to stable - coordinated stack bump • Monitor buildbtw compilation performance post-merge - database migration task optimized
Which Arch Linux repositories shipped on June 17, 2026?
archlinux/signstar, archlinux/buildbtw, archlinux/state, archlinux/infrastructure

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.