https://wiki.archlinux.org/api.php?action=feedcontributions&user=Kiasoc5&feedformat=atomArchWiki - User contributions [en]2024-03-28T19:05:33ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Readline&diff=778758Readline2023-05-20T05:58:35Z<p>Kiasoc5: Add section on bracketed paste, resolves expansion notice.</p>
<hr />
<div>[[Category:Command-line]]<br />
[[Category:GNU]]<br />
[[de:inputrc]]<br />
[[es:Readline]]<br />
[[ja:Readline]]<br />
[[ru:Readline]]<br />
[[zh-hans:Readline]]<br />
<br />
== Installation ==<br />
<br />
The {{Pkg|readline}} package is most likely already installed as a dependency of [[Bash]].<br />
<br />
== Editing mode ==<br />
<br />
By default, Readline uses [[Emacs]]-style shortcuts for interacting with the command line. However, a [[vi]]-style editing interface is also supported; enable it by adding the following to {{ic|~/.inputrc}}:<br />
<br />
{{hc|~/.inputrc|<br />
set editing-mode vi}}<br />
<br />
Alternatively, to set it only for [[Bash]], add the following line to {{ic|~/.bashrc}}:<br />
<br />
{{hc|~/.bashrc|<br />
set -o vi}}<br />
<br />
=== Mode indicator in prompt ===<br />
<br />
Vi-style editing has two modes: command and insert. You can display which one is currently active by adding the following option:<br />
<br />
{{hc|~/.inputrc|<br />
set show-mode-in-prompt on<br />
}}<br />
<br />
This will print a string in your prompt ({{ic|(cmd)}}/{{ic|(ins)}} by default) that can be customized with the {{ic|vi-ins-mode-string}} and {{ic|vi-cmd-mode-string}} variables.<br />
<br />
=== Different cursor shapes for each mode ===<br />
<br />
You can set a different cursor shape for each mode by using [https://www.gnu.org/software/bash/manual/html_node/Readline-Init-File-Syntax.html#index-vi_002dcmd_002dmode_002dstring "\1 .. \2" escapes]:<br />
<br />
{{hc|~/.inputrc|<br />
set vi-ins-mode-string \1\e[6 q\2<br />
set vi-cmd-mode-string \1\e[2 q\2<br />
}}<br />
<br />
This will set a block shaped cursor when in command mode and a pipe cursor when in insert mode. Note that you must have the mode indicator enabled for this to work (see [[#Mode indicator in prompt]]).<br />
<br />
The Virtual Console uses different escape codes, so you should first check which terminal type is in use:<br />
<br />
{{hc|~/.inputrc|2=<br />
$if term=linux<br />
set vi-ins-mode-string \1\e[?0c\2<br />
set vi-cmd-mode-string \1\e[?8c\2<br />
$else<br />
set vi-ins-mode-string \1\e[6 q\2<br />
set vi-cmd-mode-string \1\e[2 q\2<br />
$endif<br />
}}<br />
<br />
See [https://docs.kernel.org/admin-guide/vga-softcursor.html software cursor for VGA] for further details.<br />
<br />
== Fast word movement ==<br />
<br />
[[Xterm]] supports moving between words with {{ic|Ctrl+Left}} and {{ic|Ctrl+Right}} [https://stackoverflow.com/a/7783928 by default]. To achieve this effect with other terminal emulators, find the correct [https://wiki.bash-hackers.org/scripting/terminalcodes terminal codes], and bind them to {{ic|backward-word}} and {{ic|forward-word}} in {{ic|~/.inputrc}}.<br />
<br />
For example, for [[urxvt]]:<br />
<br />
{{hc|~/.inputrc|<br />
"\e[1;5D": backward-word<br />
"\e[1;5C": forward-word}}<br />
<br />
== History ==<br />
<br />
Usually, pressing the up arrow key will cause the last command to be shown regardless of the command that has been typed so far. However, users may find it more practical to list only past commands that match the current input.<br />
<br />
For example, if the user has typed the following commands:<br />
<br />
* {{Ic|ls /usr/src/linux-2.6.15-ARCH/kernel/power/Kconfig}}<br />
* {{Ic|who}}<br />
* {{Ic|mount}}<br />
* {{Ic|man mount}}<br />
<br />
In this situation, when typing {{Ic|ls}} and pressing the up arrow key, current input will be replaced with {{Ic|man mount}}, the last performed command. If the history search has been enabled, only past commands beginning with {{Ic|ls}} (the current input) will be shown, in this case {{Ic|ls /usr/src/linux-2.6.15-ARCH/kernel/power/Kconfig}}.<br />
<br />
You can enable the history search mode by adding the following lines to {{Ic|/etc/inputrc}} or {{Ic|~/.inputrc}}:<br />
<br />
"\e[A": history-search-backward<br />
"\e[B": history-search-forward<br />
<br />
If you are using vi mode, you can add the following lines to {{Ic|~/.inputrc}} (from [https://bbs.archlinux.org/viewtopic.php?pid=428760#p428760 this post]):<br />
<br />
set editing-mode vi<br />
$if mode=vi<br />
set keymap vi-command<br />
# these are for vi-command mode<br />
"\e[A": history-search-backward<br />
"\e[B": history-search-forward<br />
j: history-search-forward<br />
k: history-search-backward<br />
set keymap vi-insert<br />
# these are for vi-insert mode<br />
"\e[A": history-search-backward<br />
"\e[B": history-search-forward<br />
$endif<br />
<br />
If you chose to add these lines to {{Ic|~/.inputrc}}, it is recommended that you also add the following line at the beginning of this file to avoid strange things like [https://bbs.archlinux.org/viewtopic.php?id=112537 this]:<br />
<br />
$include /etc/inputrc<br />
<br />
Alternatively, one can use reverse-search-history (incremental search) by pressing {{ic|Ctrl+R}}, which does not search based on previous input but instead jumps backwards in the history buffer as commands are typed in a search term. Pressing {{ic|Ctrl+R}} again during this mode will display the previous line in the buffer that matches the current search term, while pressing {{ic|Ctrl+G}} (abort) will cancel the search and restore the current input line. So in order to search through all previous {{Ic|mount}} commands, press {{ic|Ctrl+R}}, type 'mount' and keep pressing {{ic|Ctrl+R}} until the desired line is found.<br />
<br />
The forward equivalent of this mode is called forward-search-history and is bound to {{ic|Ctrl+S}} by default. Beware that most terminals override {{ic|Ctrl+S}} to suspend output until {{ic|Ctrl+Q}} is entered (this is called XON/XOFF flow control). To use forward-search-history, either disable flow control by issuing:<br />
<br />
$ stty -ixon<br />
<br />
or use a different key in {{Ic|inputrc}}. For example, to use {{ic|Alt+S}} which is not bound by default:<br />
<br />
"\es": forward-search-history<br />
<br />
== Faster completion ==<br />
<br />
When performing tab completion, a single tab attempts to partially complete the current word. If no partial completions are possible, a double tab shows all possible completions.<br />
<br />
The double tab can be changed to a single tab by setting:<br />
<br />
{{hc|~/.inputrc|<br />
set show-all-if-unmodified on<br />
}}<br />
<br />
Or you can set it such that a single tab will perform both steps: partially complete the word ''and'' show all possible completions if it is still ambiguous:<br />
<br />
{{hc|~/.inputrc|<br />
set show-all-if-ambiguous on<br />
}}<br />
<br />
== Colorized completion ==<br />
<br />
You can enable coloring of completion of filenames with the {{ic|colored-stats}} option. You can also color the identical prefix of completion-lists with {{ic|colored-completion-prefix}}. For example:<br />
<br />
{{hc|~/.inputrc|<br />
# Color files by types<br />
# Note that this may cause completion text blink in some terminals (e.g. xterm).<br />
set colored-stats On<br />
# Append char to indicate type<br />
set visible-stats On<br />
# Mark symlinked directories<br />
set mark-symlinked-directories On<br />
# Color the common prefix<br />
set colored-completion-prefix On<br />
# Color the common prefix in menu-complete<br />
set menu-complete-display-prefix On<br />
}}<br />
<br />
== Macros ==<br />
<br />
Readline also supports binding keys to keyboard macros. For a simple example, run this command in Bash:<br />
bind '"\ew": "\C-e # macro"'<br />
<br />
or add the part within single quotes to inputrc:<br />
"\ew": "\C-e # macro"<br />
<br />
Now type a line and press {{ic|Alt}}+{{ic|w}}. Readline will act as though {{ic|Ctrl+E}} (end-of-line) had been pressed, appended with '{{Ic| # macro}}'.<br />
<br />
Use any of the existing keybindings within a readline macro, which can be quite useful to automate frequently used idioms. For example, this one makes {{ic|Ctrl+Alt+L}} append "| less" to the line and run it ({{ic|Ctrl+M}} is equivalent to {{ic|Enter}}):<br />
"\e\C-l": "\C-e | less\C-m"<br />
<br />
The next one prefixes the line with 'yes |' when pressing {{ic|Ctrl+Alt+Y}}, confirming any yes/no question the command might ask:<br />
"\e\C-y": "\C-ayes | \C-m"<br />
<br />
This example wraps the line in {{Ic|su -c &#39;&#39;}}, if {{ic|Alt+S}} is pressed:<br />
"\es": "\C-a su -c '\C-e'\C-m"<br />
<br />
This example prefixes the line with {{Ic|sudo }} if {{ic|Alt+S}} is pressed. It is safer than the previous one because it does not send {{ic|Enter}}, so the command is not executed until you confirm it.<br />
"\es": "\C-asudo \C-e"<br />
<br />
As a last example, quickly send a command in the background with {{ic|Ctrl+Alt+B}}, discarding all of its output:<br />
"\e\C-b": "\C-e > /dev/null 2>&1 &\C-m"<br />
<br />
== Disabling control echo ==<br />
<br />
Readline causes the terminal to echo {{Ic|^C}} after {{ic|Ctrl+C}} is pressed. To disable this, add the following to {{Ic|~/.inputrc}}:<br />
<br />
set echo-control-characters off<br />
<br />
== Bracketed paste ==<br />
<br />
Bracketed paste mode is enabled by default. It can be set explicitly in {{Ic|~/.inputrc}}:<br />
<br />
set enable-bracketed-paste on<br />
<br />
This ensures that pasting into Readline inserts the clipboard contents as a single string of characters, instead of processing each character as if it had been typed on the keyboard. This is a safety measure: a pasted newline is not treated as {{ic|Enter}} and key bindings are not applied to the pasted text, so Readline does not modify or run pasted commands before you can review them.<br />
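The following simulation, added here as an example and not part of the original page or of GNU Readline, shows why the setting matters. A terminal with bracketed paste enabled wraps pasted text in the {{ic|ESC[200~}} and {{ic|ESC[201~}} markers; the minimal line reader below models the difference between treating the paste as raw keystrokes (every newline submits a line) and as one bracketed insertion (nothing is submitted until the user presses Enter). The clipboard contents are constructed sample text.<br />

```python
"""Simulation of how a line editor handles a paste with and without
bracketed paste mode. Added example; not code from the ArchWiki page
or from GNU Readline."""
from __future__ import annotations

PASTE_START = "\x1b[200~"   # emitted by the terminal before pasted text
PASTE_END = "\x1b[201~"     # emitted by the terminal after pasted text


def terminal_paste(text: str, bracketed: bool) -> str:
    """Return the key stream a terminal emits when `text` is pasted."""
    if bracketed:
        return PASTE_START + text + PASTE_END
    return text  # raw keystrokes: every newline looks like Enter


def line_editor(stream: str) -> tuple[list[str], str]:
    """Consume a key stream; return (submitted lines, pending line buffer).

    Only Enter (\\n or \\r) and the paste brackets are interpreted; any other
    character is inserted literally, mimicking a minimal Readline-like reader.
    """
    submitted: list[str] = []
    buf = ""
    i = 0
    while i < len(stream):
        if stream.startswith(PASTE_START, i):
            end = stream.find(PASTE_END, i)
            if end == -1:
                raise ValueError("unterminated bracketed paste")
            # The whole paste is inserted as one string; embedded newlines
            # stay in the buffer instead of submitting the line.
            buf += stream[i + len(PASTE_START):end]
            i = end + len(PASTE_END)
            continue
        ch = stream[i]
        i += 1
        if ch in "\r\n":
            submitted.append(buf)
            buf = ""
        else:
            buf += ch
    return submitted, buf


# Constructed clipboard content: two shell lines, the second of which would
# run unseen if newlines were processed as Enter.
CLIPBOARD = "echo hello\nls -la\n"


def demo() -> dict[str, tuple[list[str], str]]:
    """Run the same paste through both modes and return the outcomes."""
    return {
        "raw": line_editor(terminal_paste(CLIPBOARD, bracketed=False)),
        "bracketed": line_editor(terminal_paste(CLIPBOARD, bracketed=True)),
    }


if __name__ == "__main__":
    for mode, (submitted, pending) in demo().items():
        print(f"{mode}: submitted={submitted!r} pending={pending!r}")
```

With raw keystrokes both lines are submitted immediately; with bracketed paste the whole text sits in the buffer until Enter is pressed, at which point it is submitted as a single line that the user has had a chance to inspect.<br />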
<br />
== See also ==<br />
<br />
* [https://www.catonmat.net/download/bash-vi-editing-mode-cheat-sheet.pdf vi readline editing cheat sheet]<br />
* [https://www.catonmat.net/download/readline-emacs-editing-mode-cheat-sheet.pdf emacs readline editing cheat sheet]</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Interception-tools&diff=774074Interception-tools2023-03-28T21:33:44Z<p>Kiasoc5: Add udevmon systemd service</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Keyboard configuration]]<br />
{{Related articles start}}<br />
{{Related|Linux console/Keyboard configuration}}<br />
{{Related|Xbindkeys}}<br />
{{Related|Xmodmap}}<br />
{{Related articles end}}<br />
<br />
[https://gitlab.com/interception/linux/tools interception-tools] is a set of utilities to control and customize the behavior of keyboard input mappings.<br />
<br />
Interception-tools operates at a lower level compared to other similar tools ({{Pkg|xcape}},<br />
[[xmodmap]]) by using [https://www.freedesktop.org/software/libevdev/doc/latest/index.html libevdev] and <br />
[https://www.freedesktop.org/software/systemd/man/libudev.html libudev]. This makes it one of the only options available for customizing the keyboard behavior across [[X11]], [[Wayland]], and the [[Linux console]].<br />
<br />
== Installation ==<br />
<br />
[[Install]] {{Pkg|interception-tools}}. <br />
<br />
Many plugins are available: <br />
<br />
* {{Pkg|interception-caps2esc}} to switch {{ic|CapsLock}} with {{ic|Ctrl}}/{{ic|Esc}}<br />
* {{AUR|interception-caps2esc-delay-git}}<br />
* {{AUR|interception-caps2esc-nocaps-git}}<br />
* {{Pkg|interception-dual-function-keys}} to modify the behavior of a key when held.<br />
* {{AUR|interception-hideaway}}<br />
* {{AUR|interception-k2k-git}}<br />
* {{AUR|interception-ralt2hyper}}<br />
* {{AUR|interception-space2meta}}<br />
* {{AUR|interception-uswitch}}<br />
* {{AUR|interception-vimproved-git}}<br />
* {{AUR|interception-xswitch}}<br />
<br />
Then edit the configuration in {{ic|/etc/interception/udevmon.yaml}} and [[start]] {{ic|udevmon.service}}.<br />
<br />
== Configure jobs and plugins ==<br />
<br />
=== How it works ===<br />
<br />
Interception-tools makes use of ''libevdev'', which according to its wiki is essentially a {{man|2|read}} on steroids for {{ic|/dev/input/eventX}} devices.<br />
It sits between the kernel and the process handling an event.<br />
In the simplest scenario, the stack looks like this:<br />
<br />
kernel | libevdev | evtest<br />
<br />
For X.Org input modules, the stack would look like this:<br />
<br />
kernel | libevdev | xf86-input-evdev | X server | X client<br />
<br />
For Wayland, the stack would look like this:<br />
<br />
kernel | libevdev | Compositor | Wayland client<br />
<br />
In other words, {{ic|libevdev}} is so low level that it does not have knowledge of X/Wayland clients.<br />
<br />
=== Practical examples ===<br />
<br />
Interception-tools makes 4 utilities available: <br />
<br />
* {{ic|intercept}}: redirect device input events to stdout, <br />
* {{ic|mux}}: combine streams of input events,<br />
* {{ic|udevmon}}: monitor input devices for launching tasks,<br />
* {{ic|uinput}}: redirect device input events from stdin to virtual device.<br />
<br />
==== Increase niceness ====<br />
<br />
Since the tool sits at the lowest level of device input,<br />
make sure it behaves consistently by raising the priority of {{ic|udevmon}}:<br />
<br />
# nice -n -20 udevmon -c udevmon.yaml > udevmon.log 2> udevmon.err &<br />
<br />
{{Tip|The {{ic|udevmon}} systemd service runs with {{ic|1=Nice=-20}}.}}<br />
<br />
==== Simple redirection ====<br />
<br />
The simplest way of redirecting events, without modifying them, is:<br />
<br />
$ intercept -g ''DEVNODE'' | uinput -d ''DEVNODE''<br />
<br />
where {{ic|''DEVNODE''}} is the path to the actual device: e.g. {{ic|/dev/input/by-path/platform-i8042-serio-0-event-kbd}}.<br />
<br />
==== Embed commands ====<br />
<br />
To actually perform an operation between the key event and the input, pipe a command between {{ic|intercept}} and {{ic|uinput}}.<br />
<br />
E.g. with the {{Pkg|interception-caps2esc}} plugin installed:<br />
<br />
$ intercept -g ''DEVNODE'' | caps2esc | uinput -d ''DEVNODE''<br />
<br />
Without the {{ic|-g}} flag, the device's events would only be ''observed'', not grabbed, so other processes would still receive them.<br />
<br />
==== Feed as YAML ====<br />
<br />
{{Note|Configuration files in {{ic|/etc/interception/udevmon.d/}} are read first; {{ic|/etc/interception/udevmon.yaml}} is used as a fallback.}}<br />
<br />
This way of intercepting input quickly becomes impractical; this is where {{ic|udevmon}} comes in handy.<br />
udevmon accepts a YAML configuration with a list of jobs (sh commands by default), each executed when a device matches the given description:<br />
<br />
{{hc|$ udevmon -c caps2esc.conf.yml|<br />
- JOB: intercept -g ''DEVNODE'' {{!}} caps2esc {{!}} uinput -d ''DEVNODE''<br />
DEVICE:<br />
LINK: /dev/input/by-path/platform-i8042-serio-0-event-kbd<br />
}}<br />
<br />
The {{ic|LINK}} key matches a device by its path; it also accepts a regular expression.<br />
Multiple job specifications can be combined to create a default behavior; in each case only the first matching job is executed:<br />
<br />
{{bc|<br />
- JOB: intercept -g ''DEVNODE'' {{!}} caps2esc -m 2 {{!}} uinput -d ''DEVNODE''<br />
DEVICE:<br />
LINK: /dev/input/by-id/usb-SEMITEK_USB-HID_Gaming_Keyboard_SN0000000001-event-kbd<br />
- JOB: intercept -g ''DEVNODE'' {{!}} caps2esc {{!}} uinput -d ''DEVNODE''<br />
DEVICE:<br />
EVENTS:<br />
<nowiki>EV_KEY: [[KEY_CAPSLOCK, KEY_ESC]]</nowiki><br />
LINK: .*-event-kbd<br />
}}<br />
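The first-match rule above is easy to get wrong when several jobs overlap, so here is a small model of it, added as an example (it is not udevmon's own code). It takes the two jobs from the YAML above as Python literals, the {{ic|DEVNODE}} placeholder written as {{ic|$DEVNODE}}, and runs a few constructed device descriptions through the selection. Two assumptions are labelled in the code: that {{ic|LINK}} is matched as a regular expression against the whole symlink path, and that {{ic|EVENTS}} lists event codes the device must support.<br />

```python
"""First-match job selection over a udevmon-style job list.

Added example, not udevmon's own code. It models the documented rule
that only the first job whose DEVICE description matches is executed.
"""
from __future__ import annotations
import re

# The two jobs from the page's YAML example, as Python literals.
JOBS = [
    {"JOB": "intercept -g $DEVNODE | caps2esc -m 2 | uinput -d $DEVNODE",
     "DEVICE": {"LINK": "/dev/input/by-id/usb-SEMITEK_USB-HID_Gaming_Keyboard_SN0000000001-event-kbd"}},
    {"JOB": "intercept -g $DEVNODE | caps2esc | uinput -d $DEVNODE",
     "DEVICE": {"EVENTS": {"EV_KEY": ["KEY_CAPSLOCK", "KEY_ESC"]},
                "LINK": ".*-event-kbd"}},
]

# Constructed device descriptions, standing in for what udevmon learns
# from libudev (symlinks) and libevdev (supported event codes).
DEVICES = {
    "gaming": {"links": ["/dev/input/by-id/usb-SEMITEK_USB-HID_Gaming_Keyboard_SN0000000001-event-kbd"],
               "events": {"EV_KEY": {"KEY_CAPSLOCK", "KEY_ESC", "KEY_A"}}},
    "laptop": {"links": ["/dev/input/by-path/platform-i8042-serio-0-event-kbd"],
               "events": {"EV_KEY": {"KEY_CAPSLOCK", "KEY_ESC", "KEY_A"}}},
    "mouse": {"links": ["/dev/input/by-id/usb-Example_Mouse-event-mouse"],
              "events": {"EV_KEY": {"BTN_LEFT", "BTN_RIGHT"}, "EV_REL": {"REL_X"}}},
    "nocaps": {"links": ["/dev/input/by-id/usb-Tiny_Pad-event-kbd"],
               "events": {"EV_KEY": {"KEY_ENTER"}}},
}


def matches(desc: dict, device: dict) -> bool:
    """Return True if a DEVICE description matches a device."""
    link = desc.get("LINK")
    # Assumption: LINK is a regex that must match a whole symlink path.
    if link is not None and not any(re.fullmatch(link, path) for path in device["links"]):
        return False
    # Assumption: every listed event code must be supported by the device.
    for ev_type, codes in desc.get("EVENTS", {}).items():
        if not set(codes) <= device["events"].get(ev_type, set()):
            return False
    return True


def select_job(device: dict) -> str | None:
    """Return the JOB command of the first matching job, or None."""
    for job in JOBS:
        if matches(job["DEVICE"], device):
            return job["JOB"]
    return None


if __name__ == "__main__":
    for name, device in DEVICES.items():
        print(f"{name}: {select_job(device)}")
```

The gaming keyboard hits the first, more specific job even though the generic {{ic|.*-event-kbd}} rule would also match it; the laptop keyboard falls through to the generic rule; the mouse and a keyboard without CapsLock and Esc get no job at all. Ordering the specific job before the generic one is what makes the fallback work.<br />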
<br />
==== Combine devices ====<br />
<br />
Besides input emulation, the {{ic|uinput}} tool can also print a device's description in YAML format:<br />
<br />
$ uinput -p -d /dev/input/by-id/my-kbd<br />
<br />
which itself can be fed back to {{ic|uinput}} as:<br />
<br />
$ uinput -c my-kbd.yaml<br />
<br />
It can also merge device and YAML characteristics, which can be used, for instance, to combine events from a keyboard and a mouse (e.g. to map {{ic|CapsLock+Click}} to {{ic|Ctrl+Click}}):<br />
<br />
$ uinput -p -d /dev/input/by-id/my-kbd -d /dev/input/by-id/my-mouse -c my-extra.yaml<br />
<br />
==== Handle multiple jobs ====<br />
<br />
The {{ic|mux}} tool is used to combine multiple pipelines into a single one.<br />
A ''muxer'' needs to be created first;<br />
it can later be used as the input or the output of a given pipeline.<br />
In a YAML specification file, the muxer is created using the {{ic|CMD}} key:<br />
<br />
{{bc|<br />
- CMD: mux -c caps2esc<br />
- JOB: mux -i caps2esc {{!}} caps2esc {{!}} uinput -c /etc/interception/gaming-keyboard.yaml<br />
- JOB: intercept -g ''DEVNODE'' {{!}} mux -o caps2esc<br />
DEVICE:<br />
LINK: /dev/input/by-id/my-kbd<br />
- JOB: intercept ''DEVNODE'' {{!}} mux -o caps2esc<br />
DEVICE:<br />
LINK: /dev/input/by-id/my-mouse<br />
}}<br />
<br />
In the example above, when the keyboard is connected, it is grabbed and its input events are sent to the {{ic|caps2esc}} muxer that was created first. Observed (not grabbed) input from the mouse is also sent to the same muxer. The buttons of the mouse generate {{ic|EV_KEY}} events, so {{ic|caps2esc}} will accept them.<br />
<br />
== See also ==<br />
<br />
* [https://gitlab.com/interception/linux/tools Official website]<br />
* [https://github.com/kmonad/kmonad kmonad] - advanced keyboard remapping tool daemon<br />
* [https://github.com/snyball/Hawck Hawck] - similar low-level key rebinding daemon</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Talk:Guix&diff=767655Talk:Guix2023-02-14T22:41:48Z<p>Kiasoc5: Talk: add that Guix can work w/o nscd</p>
<hr />
<div>Today I tried to install Guix and continually got name resolution errors;<br />
<br />
<code><br />
Starting download of /gnu/store/63qfd5kfgw8nccnzff3r1gsmd626pcaw-tiff-4.2.0.tar.gz<br />
From https://archive.softwareheritage.org/api/1/content/sha256:eb0484e568ead8fa23b513e9b0041df7e327f4ee2d22db5a533929dfc19633cb/raw/...<br />
In procedure getaddrinfo: Temporary failure in name resolution<br />
failed to download "/gnu/store/63qfd5kfgw8nccnzff3r1gsmd626pcaw-tiff-4.2.0.tar.gz" from "https://download.osgeo.org/libtiff/tiff-4.2.0.tar.gz"<br />
</code><br />
<br />
I resolved this through running nscd;<br />
<code><br />
systemctl start nscd<br />
</code><br />
<br />
It's not like I didn't have a name resolver running, since I have systemd-resolved always on.<br />
So nscd at least seems to change Guix' behaviour and might be required.<br />
<br />
[[User:Alt|Alt]] ([[User talk:Alt|talk]]) 12:03, 13 September 2021 (UTC)<br />
<br />
: I have been running Guix on Arch without enabling nscd and never had name resolution errors.<br />
:<br />
: [[User:kiasoc5|kiasoc5]] ([[User talk:kiasoc5|talk]]) 10:37, 14 February 2023 (UTC)</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Bootstrappable&diff=739828Bootstrappable2022-08-02T14:17:57Z<p>Kiasoc5: mrustc can compile to Rust 1.54.0</p>
<hr />
<div>[[Category:Security]]<br />
[[ja:Bootstrappable]]<br />
[https://bootstrappable.org/ Bootstrappable Builds] allows us to bootstrap Arch Linux from scratch using a minimal set of binaries. Such a minimal set can be audited and, together with reproducible builds, provides confidence that you are running the code you expect to run.<br />
<br />
== Bootstrapping Arch Linux ==<br />
<br />
[https://www.gnu.org/software/mes/ Mes] is a project which can be utilised to bootstrap Arch Linux from a minimal set of (32-bit) binaries, with the rest of the system compiled from source code. For Arch Linux we can start by bootstrapping a C compiler from Mes and later reduce the initial bootstrap binaries to a minimal auditable amount.<br />
<br />
The roadmap to bootstrapping [[GCC]]:<br />
<br />
* Bring Mes into the repository<br />
* Compile Mes with Mes (and compare it with other distributions Debian, Guix, NixOS)<br />
MES=mes AR=mesar CC=mescc ./configure.sh --host=i686-unknown-linux-gnu<br />
V=2 MES=mes AR=mesar GUILE_LOAD_PATH=/usr/share/mes/module/ ./bootstrap.sh<br />
* Compile a [https://gitlab.com/janneke/tinycc/tree/mes-0.21 patched tcc-boot0]<br />
* Compile a tcc-boot with a tiny [https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/tcc-boot-0.9.27.patch patch]<br />
* System utilities<br />
* GCC-2.95.3 (GCC 4.0.4 can also be bootstrapped directly from TCC if musl libc is built first)<br />
<br />
More information:<br />
* https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/commencement.scm<br />
* https://guix.gnu.org/blog/2019/guix-reduces-bootstrap-seed-by-50/<br />
* https://github.com/fosslinux/live-bootstrap/blob/master/parts.rst<br />
<br />
== Bootstrapping Languages ==<br />
<br />
For languages which are self-hosting (a compiler requires itself to build a new version) we want a path from a C compiler to, for example, Rust.<br />
<br />
=== Rust ===<br />
<br />
There is a Rust compiler implemented in C++, [https://github.com/thepowersgang/mrustc mrustc], which can compile Rust 1.54.0. Guix has more information in this [https://guix.gnu.org/blog/2018/bootstrapping-rust/ blog post].<br />
<br />
=== Java (openjdk) ===<br />
<br />
A path to bootstrapping the JDK is described [https://bootstrappable.org/projects/java.html here].</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Core_utilities&diff=735614Core utilities2022-06-29T20:14:36Z<p>Kiasoc5: /* Code searchers */ Add ugrep to code searchers since it has unique features</p>
<hr />
<div>[[Category:Command-line]]<br />
[[Category:Lists of software]]<br />
[[es:Core utilities]]<br />
[[fa:Core utilities]]<br />
[[ja:Core utilities]]<br />
[[pt:Core utilities]]<br />
[[ru:Core utilities]]<br />
[[zh-hans:Core utilities]]<br />
{{Related articles start}}<br />
{{Related|Command-line shell}}<br />
{{Related|Users and groups}}<br />
{{Related|systemd}}<br />
{{Related|pacman}}<br />
{{Related|General recommendations}}<br />
{{Related articles end}}<br />
<br />
''Core utilities'' are the basic, fundamental tools of a [[GNU]]/[[Linux]] system. This article provides an incomplete overview of them, links their documentation and describes useful alternatives. The scope of this article includes, but is not limited to, the [https://www.gnu.org/software/coreutils/coreutils.html GNU coreutils]. Most core utilities are traditional [[Wikipedia:Unix|Unix]] tools (see [[Heirloom]]) and many were standardized by [[Wikipedia:POSIX|POSIX]] but have been developed further to provide more features.<br />
<br />
Most command-line interfaces are documented in [[man page]]s; utilities by the [[GNU Project]] are documented primarily in [[Info manual]]s; some [[shell]]s provide a {{ic|help}} command for shell builtin commands. Additionally, most utilities print their usage when run with the {{ic|--help}} flag.<br />
<br />
== Essentials ==<br />
<br />
The following table lists some important utilities which Arch Linux users should be familiar with. See also {{man|1|intro}}.<br />
<br />
{| class=wikitable<br />
! Package !! Utility !! Description !! Documentation !! Alternatives<br />
|-<br />
| shell built-ins || cd || change directory || {{man|1p|cd}} || [[#cd alternatives]]<br />
|-<br />
|rowspan=12| GNU {{Pkg|coreutils}}<br />
| ls || list directory || {{man|1|ls}}, [https://www.gnu.org/software/coreutils/manual/html_node/ls-invocation.html info] || {{Pkg|tree}}, [[#ls alternatives]]<br />
|-<br />
| cat || concatenate files to stdout || {{man|1|cat}}, [https://www.gnu.org/software/coreutils/manual/html_node/cat-invocation.html info] || {{man|1|tac}}, {{Pkg|bat}}<br />
|-<br />
| mkdir || make directory || {{man|1|mkdir}}, [https://www.gnu.org/software/coreutils/manual/html_node/mkdir-invocation.html info]<br />
|-<br />
| rmdir || remove empty directory || {{man|1|rmdir}}, [https://www.gnu.org/software/coreutils/manual/html_node/rmdir-invocation.html info]<br />
|-<br />
| rm || remove files or directories || {{man|1|rm}}, [https://www.gnu.org/software/coreutils/manual/html_node/rm-invocation.html info] || [[shred]]<br />
|-<br />
| cp || copy files or directories || {{man|1|cp}}, [https://www.gnu.org/software/coreutils/manual/html_node/cp-invocation.html info] || [[#cp alternatives]]<br />
|-<br />
| mv || move files or directories || {{man|1|mv}}, [https://www.gnu.org/software/coreutils/manual/html_node/mv-invocation.html info]<br />
|-<br />
| ln || make hard or symbolic links || {{man|1|ln}}, [https://www.gnu.org/software/coreutils/manual/html_node/ln-invocation.html info]<br />
|-<br />
| [[chown]] || change file owner and group || {{man|1|chown}}, [https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html info] || {{man|1|chgrp}}<br />
|-<br />
| [[chmod]] || change file permissions || {{man|1|chmod}}, [https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html info]<br />
|-<br />
| [[dd]] || convert and copy a file || {{man|1|dd}}, [https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html info]<br />
|-<br />
| df || report file system disk space usage || {{man|1|df}}, [https://www.gnu.org/software/coreutils/manual/html_node/df-invocation.html info]<br />
|-<br />
| GNU {{Pkg|tar}} || [[tar]] || tar archiver || {{man|1|tar}}, [https://www.gnu.org/software/tar/manual/html_chapter/index.html info] || [[archiver]]s<br />
|-<br />
| GNU {{Pkg|less}} || less || terminal pager || {{man|1|less}} || [[terminal pager]]s<br />
|-<br />
| GNU {{Pkg|findutils}} || find || search files or directories || {{man|1|find}}, [https://www.gnu.org/software/findutils/manual/html_node/find_html/index.html info], [[GregsWiki:UsingFind|GregsWiki]] || [[#find alternatives]]<br />
|-<br />
| GNU {{Pkg|diffutils}} || diff || compare files line by line || {{man|1|diff}}, [https://www.gnu.org/software/diffutils/manual/html_node/Invoking-diff.html info] || [[#diff alternatives]]<br />
|-<br />
| GNU {{Pkg|grep}} || grep || print lines matching a pattern || {{man|1|grep}}, [https://www.gnu.org/software/grep/manual/html_node/index.html info] || [[#grep alternatives]]<br />
|-<br />
| GNU {{Pkg|sed}} || sed || stream editor || {{man|1|sed}}, [https://www.gnu.org/software/sed/manual/html_node/index.html info], [http://sed.sourceforge.net/sed1line.txt one-liners]<br />
|-<br />
| GNU {{Pkg|gawk}} || awk || pattern scanning and processing language || {{man|1|gawk}}, [https://www.gnu.org/software/gawk/manual/html_node/index.html info] || {{Pkg|nawk}}, {{AUR|mawk}}<br />
|-<br />
|rowspan=6| {{Pkg|util-linux}}<br />
| [[Wikipedia:dmesg|dmesg]] || print or control the kernel ring buffer || {{man|1|dmesg}} || [[systemd journal]]<br />
|-<br />
| [[lsblk]] || list block devices || {{man|8|lsblk}}<br />
|-<br />
| [[mount]] || mount a filesystem || {{man|8|mount}}<br />
|-<br />
| [[umount]] || unmount a filesystem || {{man|8|umount}}<br />
|-<br />
| [[su]] || substitute user || {{man|1|su}} || [[sudo]], {{Pkg|opendoas}}<br />
|-<br />
| kill || terminate a process || {{man|1|kill}} || {{man|1|pkill}}, {{man|1|killall}}<br />
|-<br />
|rowspan=3| {{Pkg|procps-ng}}<br />
| pgrep || look up processes by name or attributes || {{man|1|pgrep}} || {{man|1|pidof}}<br />
|-<br />
| ps || show information about processes || {{man|1|ps}} ||rowspan=2| {{man|1|top}}, {{Pkg|htop}}<br />
|-<br />
| free || display amount of free and used memory || {{man|1|free}}<br />
|}<br />
<br />
=== Preventing data loss ===<br />
<br />
{{ic|rm}}, {{ic|mv}}, {{ic|cp}} and shell redirections happily delete or overwrite files without asking. {{ic|rm}}, {{ic|mv}}, and {{ic|cp}} all support the {{ic|-i}} flag to prompt the user before every removal / overwrite. Some users like to enable the {{ic|-i}} flag by default using [[alias]]es. Relying upon these shell options can be dangerous, because you get used to them, resulting in potential data loss when you use another system or user that does not have them. The best way to prevent data loss is to create [[backup]]s.<br />
<br />
== Nonessentials ==<br />
<br />
This table lists core utilities that often come in handy.<br />
<br />
{| class=wikitable<br />
! Package !! Utility !! Description !! Documentation !! Alternatives<br />
|-<br />
|rowspan=3| shell built-ins<br />
| [[alias]] || define or display aliases || {{man|1p|alias}}<br />
|-<br />
| type || print the type of a command || {{man|1p|type}} || {{man|1|which}}<br />
|-<br />
| time || time a command || {{man|1p|time}}<br />
|-<br />
|rowspan=11| GNU {{Pkg|coreutils}}<br />
| [[tee]] || read stdin and write to stdout and files || {{man|1|tee}}, [https://www.gnu.org/software/coreutils/manual/html_node/tee-invocation.html info]<br />
|-<br />
| mktemp || make a temporary file or directory || {{man|1|mktemp}}, [https://www.gnu.org/software/coreutils/manual/html_node/mktemp-invocation.html info]<br />
|-<br />
| cut || print selected parts of lines || {{man|1|cut}}, [https://www.gnu.org/software/coreutils/manual/html_node/cut-invocation.html info]<br />
|-<br />
| tr || translate or delete characters || {{man|1|tr}}, [https://www.gnu.org/software/coreutils/manual/html_node/tr-invocation.html info]<br />
|-<br />
| od || dump files in octal and other formats || {{man|1|od}}, [https://www.gnu.org/software/coreutils/manual/html_node/od-invocation.html info] || {{man|1|hexdump}}, [[vim]]'s {{man|1|xxd}}<br />
|-<br />
| sort || sort lines || {{man|1|sort}}, [https://www.gnu.org/software/coreutils/manual/html_node/sort-invocation.html info]<br />
|-<br />
| uniq || report or omit repeated lines || {{man|1|uniq}}, [https://www.gnu.org/software/coreutils/manual/html_node/uniq-invocation.html info]<br />
|-<br />
| comm || compare two sorted files line by line || {{man|1|comm}}, [https://www.gnu.org/software/coreutils/manual/html_node/comm-invocation.html info]<br />
|-<br />
| head || output the first part of files || {{man|1|head}}, [https://www.gnu.org/software/coreutils/manual/html_node/head-invocation.html info]<br />
|-<br />
| tail || output the last part of files, or follow files || {{man|1|tail}}, [https://www.gnu.org/software/coreutils/manual/html_node/tail-invocation.html info]<br />
|-<br />
| wc || print newline, word and byte count || {{man|1|wc}}, [https://www.gnu.org/software/coreutils/manual/html_node/wc-invocation.html info]<br />
|-<br />
| GNU {{Pkg|binutils}} || strings || print printable characters in binary files || {{man|1|strings}}, [https://sourceware.org/binutils/docs/binutils/strings.html info] || {{AUR|stringsext}}<br />
|-<br />
| GNU {{Pkg|glibc}} || iconv || convert character encodings || {{man|1|iconv}} || {{Pkg|recode}}<br />
|-<br />
| {{Pkg|file}} || file || guess file type || {{man|1|file}}<br />
|}<br />
<br />
The {{Pkg|moreutils}} package provides useful tools like {{man|1|sponge}} that are missing from the GNU coreutils.<br />
<br />
== Alternatives ==<br />
<br />
Alternative core utilities are provided by [[BusyBox]], the [[Heirloom|Heirloom Toolchest]], {{Pkg|9base}}, {{AUR|sbase-git}} and {{AUR|ubase-git}}.<br />
<br />
=== cat alternatives ===<br />
<br />
* {{App|bat|A cat clone with syntax highlighting and Git integration.|https://github.com/sharkdp/bat|{{Pkg|bat}}}}<br />
<br />
=== cd alternatives ===<br />
<br />
* {{App|zoxide|A smart cd command that learns your habits, allowing you to navigate anywhere in just a few keystrokes.|https://github.com/ajeetdsouza/zoxide|{{Pkg|zoxide}}}}<br />
<br />
=== cp alternatives ===<br />
<br />
Using [[rsync#As cp/mv alternative]] allows you to resume a failed transfer, to show the transfer status, to skip already existing files and to verify the integrity of the destination files using checksums.<br />
<br />
=== ls alternatives ===<br />
<br />
* {{App|broot|A new way to see and navigate directory trees.|https://github.com/Canop/broot|{{Pkg|broot}}}}<br />
* {{App|clifm|A file manager that can list files like ls(1) would (plus icons and RGB colors support).|https://github.com/leo-arch/clifm/wiki/Advanced#files-lister-ls-mode|{{AUR|clifm}}}}<br />
* {{App|exa|Another ls replacement with color support, tree view, git integration and other features.|https://github.com/ogham/exa|{{Pkg|exa}}}}<br />
* {{App|lsd|Modern ls with a lot of pretty colors and awesome icons.|https://github.com/Peltoche/lsd|{{Pkg|lsd}}}}<br />
<br />
=== find alternatives ===<br />
<br />
* {{App|fd|Simple, fast and user-friendly alternative to find. Ignores hidden and {{ic|.gitignore}}'d files by default.|https://github.com/sharkdp/fd|{{Pkg|fd}}}}<br />
* {{App|fuzzy-find|Fuzzy completion for finding files.|https://github.com/silentbicycle/ff|{{AUR|ff-git}}}}<br />
* {{App|[[mlocate]]|Merging locate/updatedb implementation.|https://pagure.io/mlocate|{{Pkg|mlocate}}}}<br />
* {{App|plocate|A much faster locate.|https://plocate.sesse.net/|{{Pkg|plocate}}}}<br />
<br />
For graphical file searchers, see [[List of applications/Utilities#File searching]].<br />
<br />
=== diff alternatives ===<br />
<br />
While {{Pkg|diffutils}} does not provide a word-wise diff, several other programs do:<br />
<br />
* [[git]] diff can do a word diff with {{ic|--color-words}}; with {{ic|--no-index}} it can also be used for files outside of Git working trees.<br />
* {{App|cwdiff|A GNU wdiff wrapper that colorizes the output.|https://github.com/junghans/cwdiff|{{AUR|cwdiff}}}}<br />
* {{App|git-delta|A syntax-highlighting pager for git, diff, and grep output.|https://dandavison.github.io/delta/|{{Pkg|git-delta}}}}<br />
* {{App|dwdiff|A word diff front-end for the diff program; supports colors.|https://os.ghalkes.nl/dwdiff.html|{{Pkg|dwdiff}}}}<br />
* {{App|icdiff|A colorized diff tool written in Python. "Improved color diff" is meant to supplement normal diff use.|https://github.com/jeffkaufman/icdiff|{{AUR|icdiff}}}}<br />
* {{App|wdiff|A wordwise implementation of GNU diff; does not support colors.|https://www.gnu.org/software/wdiff/|{{Pkg|wdiff}}}}<br />
<br />
See also [[List of applications/Utilities#Comparison, diff, merge]].<br />
<br />
=== grep alternatives ===<br />
<br />
* {{App|mgrep|A multiline grep.|https://sourceforge.net/projects/multiline-grep/|{{AUR|mgrep}}}}<br />
* {{App|pdfgrep|A tool to search text in PDF files.|https://pdfgrep.org/|{{Pkg|pdfgrep}}}}<br />
* {{App|ripgrep-all|Search in plain text and also in PDFs, E-Books, Office documents, zip, tar.gz.|https://github.com/phiresky/ripgrep-all|{{Pkg|ripgrep-all}}}}<br />
<br />
==== Code searchers ====<br />
<br />
The following tools aim to replace grep for code search. They search recursively by default, skip binary files and respect {{ic|.gitignore}}.<br />
<br />
* {{App|ack|A Perl-based grep replacement, aimed at programmers with large trees of heterogeneous source code.|https://beyondgrep.com/|{{Pkg|ack}}}}<br />
* {{App|ripgrep (rg)|A search tool that combines the usability of ag with the raw speed of grep.|https://github.com/BurntSushi/ripgrep|{{Pkg|ripgrep}}}}<br />
* {{App|The Silver Searcher (ag)|Code searching tool similar to Ack, but faster.|https://github.com/ggreer/the_silver_searcher|{{Pkg|the_silver_searcher}}}}<br />
* {{App|ugrep (ug)|Ultra fast grep with interactive TUI, fuzzy search, boolean queries, hexdumps and more.|https://github.com/Genivia/ugrep|{{Pkg|ugrep}}}}<br />
<br />
==== Interactive filters ====<br />
<br />
* {{App|[[fzf]]|General-purpose command-line fuzzy finder, powered by find by default.|https://github.com/junegunn/fzf|{{Pkg|fzf}}}}<br />
* {{App|fzy|A fast, simple fuzzy text selector with an advanced scoring algorithm.|https://github.com/jhawthorn/fzy|{{Pkg|fzy}}}}<br />
* {{App|peco|Simplistic interactive filtering tool.|https://github.com/peco/peco|{{Pkg|peco}}}}<br />
* {{App|percol|Adds a flavor of interactive filtering to the traditional pipe concept of the UNIX shell.|https://github.com/mooz/percol|{{AUR|percol}}}}<br />
* {{App|skim|Fuzzy finder written in Rust, similar to fzf.|https://github.com/lotabout/skim|{{Pkg|skim}}}}<br />
<br />
== See also ==<br />
<br />
* [https://www.gnu.org/software/coreutils/manual/coreutils.html GNU Coreutils documentation]<br />
* [https://pubs.opengroup.org/onlinepubs/9699919799/idx/utilities.html POSIX utilities]</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Arch_is_the_best&diff=731953Arch is the best2022-06-08T00:31:36Z<p>Kiasoc5: /* The code */ Fix guile example</p>
<hr />
<div>[[Category:About Arch]]<br />
[[ja:Arch は最高]]<br />
[[ru:Arch is the best]]<br />
[[zh-hans:Arch is the best]]<br />
The '''Arch is the best''' project is a very sophisticated and exquisite, ego-boosting and mind-blowing (albeit perhaps a bit over-engineered) project which gives proof of Arch's superiority.<br />
<br />
== History ==<br />
<br />
The visionary project was originally devised in April 2008 by long time Arch community member [https://bbs.archlinux.org/profile.php?id=2529 lucke] as a simple shell script which provided irrefutable proof that "Arch is the best". It was announced to the world with a [https://bbs.archlinux.org/viewtopic.php?id=47306 forum post], thus illuminating other people's minds, who immediately started porting it to multiple different languages, both programming and verbal, so that every human being on the planet could fully appreciate and benefit from this revolutionary discovery.<br />
<br />
== The code ==<br />
<br />
The "Arch is the best" project is ported to many programming languages.<br />
<br />
;1C&#58;Enterprise:A procedural domain-specific compiled dynamically-typed programming language mostly similar to VisualBasic which is used in "1C:Enterprise" products widespread in Russia and other CIS countries.<br />
<br />
Предупреждение("Arch is the best!");<br />
<br />
;ABAP: Advanced Business Application Programming language.<br />
<br />
REPORT zwhat_is_the_best.<br />
WRITE 'Arch is the best'.<br />
<br />
;Ada: A systems critical programming language.<br />
<br />
with Ada.Text_IO;<br />
use Ada.Text_IO;<br />
procedure ArchIsTheBest is<br />
begin<br />
   Put_Line("Arch is the best!");<br />
end ArchIsTheBest;<br />
<br />
;APL: A Programming Language.<br />
<br />
'Arch is the best!'<br />
<br />
;AppleScript: A scripting language created by Apple Inc. and built into the Classic Mac OS since System 7 and into all versions of macOS.<br />
<br />
display alert "Arch is the best!"<br />
say "Indeed, Arch is the best."<br />
<br />
;ArnoldC: Programming language based on the one-liners of Arnold Schwarzenegger.<br />
<br />
IT'S SHOWTIME<br />
TALK TO THE HAND "Arch is the best!"<br />
YOU HAVE BEEN TERMINATED<br />
<br />
;ATS: A functional programming language that uses dependent types to improve programs' reliability.<br />
<br />
implement main () = println! "Arch is the best!"<br />
<br />
;Awk: A data-driven programming language designed for processing text-based data.<br />
<br />
BEGIN {<br />
    print "Arch is the best!"<br />
}<br />
<br />
;BASIC: A scripting language that was one of the most commonly used computer programming languages in the 1960s, considered an easy step for students to learn before more powerful languages such as FORTRAN.<br />
<br />
10 PRINT "Arch is the best!"<br />
<br />
;Batch: A scripting language for Windows that can be used to automate tasks or just have some fun.<br />
<br />
@echo off<br />
echo Arch is the best!<br />
pause<br />
<br />
;Befunge: Believed to be the first two-dimensional, ASCII-based, general-purpose (in the sense of "you could plausibly write Hunt the Wumpus in it") programming language.<br />
<br />
<v"Arch is the best!"0<br />
<,_@#:<br />
<br />
; BIRL: Like ArnoldC, but for Bambam[https://www.youtube.com/watch?v=3_qEE2i6h5Q].<br />
<br />
HORA DO SHOW<br />
CE QUER VER ESSA PORRA? ("Arch is the best!\n");<br />
BORA CUMPADE 0;<br />
BIRL<br />
<br />
;Boo: An established object-oriented, statically typed programming language for .NET and Mono with a Python-inspired syntax and a special focus on metaprogramming through language and compiler extensibility features such as macros and custom compilation pipelines.<br />
<br />
print "Arch is the best!"<br />
<br />
;Bourne shell: The original program; it should be compatible with any shell.<br />
<br />
#!/bin/sh<br />
echo "Arch is the best!"<br />
<br />
;Bourne shell (Alternate): Handy for piping the output to your favourite IRC/email/IM client. Should work with any shell.<br />
<br />
#!/bin/sh<br />
yes Arch is the best!<br />
<br />
;brainfuck: Doesn't the language name explain it?<br />
<br />
++>++++++>+++++<+[>[->+<]<->++++++++++<]>>.<[-]>[-<++>]<br />
<----------------.---------------.+++++.<+++[-<++++++++++>]<.<br />
>>+.++++++++++.<<.>>+.------------.---.<<.>>---.<br />
+++.++++++++++++++.+.<<+.[-]++++++++++.<br />
<br />
;C: Note the three space indenting used in this project, much like that used by other superior beings.<br />
<br />
#include <stdio.h><br />
#include <stdlib.h><br />
int main(void)<br />
{<br />
   puts("Arch is the best!");<br />
   return EXIT_SUCCESS;<br />
}<br />
<br />
;C#: Intended to be a simple, modern, general-purpose, object-oriented programming language.<br />
<br />
using System;<br />
Console.WriteLine ("Arch is the best!");<br />
<br />
;C++: Arch == Linux++<br />
<br />
#include <iostream><br />
#include <cstdlib><br />
int main ()<br />
{<br />
   std::cout << "Arch is the best!" << std::endl;<br />
   return EXIT_SUCCESS;<br />
}<br />
<br />
;COBOL: A simple, lightweight programming language.<br />
<br />
IDENTIFICATION DIVISION.<br />
PROGRAM-ID. TheBest.<br />
<br />
PROCEDURE DIVISION.<br />
    DISPLAY "Arch is the best!".<br />
    STOP RUN.<br />
<br />
;CoffeeScript: A programming language that transcompiles to JavaScript.<br />
<br />
alert 'Arch is the best!'<br />
<br />
;Clojure: A Lisp dialect that runs on the JVM.<br />
<br />
(prn "Arch is the best!")<br />
<br />
;Common Lisp: A Lisp dialect.<br />
<br />
(princ "Arch is the best!")<br />
<br />
;Crystal: An object-oriented, Ruby-like language.<br />
<br />
puts "Arch is the best!"<br />
<br />
;Crystal (through web server): For distributing the message to multiple friends at once.<br />
<br />
# For giving the message to your friends<br />
require "http/server"<br />
<br />
# Handler block runs once per request and answers with the plain-text message<br />
server = HTTP::Server.new do |context|<br />
  context.response.content_type = "text/plain"<br />
  context.response.print "Arch is the best!"<br />
end<br />
<br />
puts "Listening."<br />
server.bind_tcp 80<br />
server.listen<br />
<br />
;csh: A C-like shell.<br />
<br />
#!/bin/csh<br />
echo "Arch is the best!"<br />
<br />
;CSS: A stylesheet language, heavily used for styling web pages.<br />
<br />
body * {<br />
  display: none;<br />
}<br />
<br />
body::before {<br />
  content: "Arch is the best!";<br />
  font-family: monospace;<br />
  font-size: 2.7rem;<br />
  position: absolute;<br />
  left: 50%;<br />
  top: 50%;<br />
  transform: translate(-50%, -50%);<br />
}<br />
<br />
;D: A C-style language. The benefits of hindsight, with modern conveniences.<br />
<br />
import std.stdio : writeln;<br />
void main()<br />
{<br />
    writeln("Arch is the best");<br />
}<br />
<br />
;Dart: Google's JavaScript killer.<br />
<br />
void main() {<br />
  print('Arch is the best');<br />
}<br />
<br />
;Dogescript: Doge-friendly JavaScript.<br />
<br />
console.loge with ' So Arch'<br />
console.loge with ' Much Good'<br />
console.loge with ' Wow'<br />
<br />
;Ebuild: Gentoo's build script format.<br />
<br />
DESCRIPTION="Arch is the best!"<br />
SRC_URI="<nowiki>https://wiki.archlinux.org/index.php/Arch_is_the_best</nowiki>"<br />
<br />
LICENSE="GFDL_1.3"<br />
SLOT="0"<br />
KEYWORDS=""<br />
IUSE=""<br />
<br />
DEPEND=""<br />
RDEPEND=""<br />
<br />
src_compile() {<br />
    einfo "Arch is the best!"<br />
}<br />
<br />
;Emacs Lisp: A dialect of the Lisp programming language used by the GNU Emacs and XEmacs text editors.<br />
<br />
(message "Arch is the best!")<br />
<br />
;Emojicode: A delimiter-less, object oriented, imperative, high-level, hybrid language with emojis as fix points and methods.<br />
<br />
🏁 🍇<br />
😀 🔤Arch is the best!🔤❗️<br />
🍉<br />
<br />
;Elixir: A dynamic, functional language designed for building scalable and maintainable applications.<br />
<br />
IO.puts "Arch is the best!"<br />
<br />
;Erlang: A concurrent, garbage-collected programming language and runtime system.<br />
<br />
-module(arch).<br />
-export([is_the_best/0]).<br />
is_the_best() -> io:fwrite("Arch is the best!\n").<br />
<br />
;Erlang (message passing): The same, using message passing between processes.<br />
<br />
-module(arch).<br />
-export([ultimate_question/0,the_answer/0]).<br />
the_answer() -><br />
    receive<br />
        {Client,who_is_the_best} -><br />
            Client ! {self(),"Arch is the best!"};<br />
        {Client,_} -><br />
            Client ! {self(),"Taco Taco Taco!"}<br />
    end,<br />
    the_answer().<br />
ultimate_question() -><br />
    Pid = spawn(arch,the_answer,[]),<br />
    Pid ! {self(),who_is_the_best},<br />
    receive<br />
        {Pid,Response} -> io:format("~s~n",[Response])<br />
    end.<br />
<br />
;F#: A strongly-typed, functional-first programming language for writing simple code to solve complex problems.<br />
<br />
printfn "Arch is the best!"<br />
<br />
;Factor: High-level stack-based language.<br />
<br />
"Arch is the best" print<br />
<br />
;FIM++: A wordy, imperative, dynamically-typed, and interpreted language that can use Java classes.<br />
<br />
Dear Princess Celestia: Letter About Arch Linux.<br />
Today I learned:<br />
I wrote "Arch is the best!".<br />
Your faithful student, Twilight Sparkle<br />
<br />
;Fish: The user-friendly command line shell.<br />
<br />
function arch_is_the_best --on-event fish_prompt<br />
    echo -ne "\e[94mArch is the best!\e[0m"<br />
end<br />
<br />
;Forth: A stack-based language.<br />
<br />
." Arch is the best" cr \ kiss way<br />
<br />
;Fortran95<br />
<br />
program arch<br />
    print *,"Arch is the best!"<br />
end program arch<br />
<br />
;Genie: A new programming language that allows for a more modern programming style while being able to effortlessly create and use GObjects natively.<br />
<br />
init<br />
    print "Arch is the best"<br />
<br />
;Gjs: A JavaScript binding for GNOME. It is based mainly on the SpiderMonkey JavaScript engine and the GObject introspection framework.<br />
<br />
#!/usr/bin/env gjs<br />
print ('Arch is the best');<br />
<br />
;Gleam: A fast, friendly, and functional language for building type-safe, scalable systems.<br />
<br />
import gleam/io<br />
<br />
pub fn main() {<br />
  io.println("Arch is the best!")<br />
}<br />
<br />
;Go: A language created by Google that's a love child between C, C++ and Python.<br />
<br />
package main<br />
<br />
import "fmt"<br />
<br />
func main() {<br />
	fmt.Println("Arch is the best!")<br />
}<br />
<br />
;Groovy: An agile and dynamic language for the Java Virtual Machine.<br />
<br />
println 'Arch is the best!' <br />
<br />
;Guile: GNU Ubiquitous Intelligent Language for Extensions. A portable, embeddable Scheme implementation.<br />
<br />
#!/usr/local/bin/guile -s<br />
!#<br />
(display "Arch is the best!")<br />
(newline)<br />
<br />
;Hare: A systems programming language designed to be simple, stable, and robust.<br />
<br />
use fmt;<br />
<br />
export fn main() void = {<br />
	fmt::println("Arch is the best!")!;<br />
};<br />
<br />
;Haskell: The language where IO is easy and unproblematic.<br />
<br />
main = putStrLn "Arch is the best!"<br />
<br />
;Haxe: An object-oriented language based on ActionScript, with a functional flavor.<br />
<br />
package;<br />
<br />
class Main {<br />
    public static function main() {<br />
        Sys.println("Arch is the best!");<br />
    }<br />
}<br />
<br />
;HTML: A markup language used to create and define web pages and their content.<br />
<br />
{{bc|1=<br />
<!DOCTYPE html><br />
<html lang='en'><br />
<head><br />
<title>Arch is the best!</title><br />
</head><br />
<body><br />
<p>Arch is the best!</p><br />
</body><br />
</html><br />
}}<br />
<br />
;Idris: A general purpose pure functional programming language with dependent types. Haskell, but crazier.<br />
<br />
module Main<br />
<br />
main : IO ()<br />
main = putStrLn "Arch is the best!"<br />
<br />
;INTERCAL: "Designed very early one May morning in 1972 by two hackers who are still trying to live it down."<br />
<br />
PLEASE NOTE THAT THIS WAS MADE FOR C-INTERCAL<br />
DO ,10 <- #18<br />
DO ,10SUB#1 <- #126<br />
DO ,10SUB#2 <- #52<br />
DO ,10SUB#3 <- #136<br />
PLEASE DO ,10SUB#4 <- #176<br />
DO ,10SUB#5 <- #18<br />
DO ,10SUB#6 <- #110<br />
DO ,10SUB#7 <- #200<br />
PLEASE DO ,10SUB#8 <- #202<br />
DO ,10SUB#9 <- #214<br />
DO ,10SUB#10 <- #24<br />
DO ,10SUB#11 <- #112<br />
PLEASE DO ,10SUB#12 <- #162<br />
DO ,10SUB#13 <- #190<br />
DO ,10SUB#14 <- #160<br />
PLEASE DO ,10SUB#15 <- #216<br />
DO ,10SUB#16 <- #160<br />
DO ,10SUB#17 <- #170<br />
PLEASE DO ,10SUB#18 <- #52<br />
DO READ OUT ,10<br />
DO GIVE UP<br />
<br />
Also a much larger [https://gist.github.com/ISSOtm/33a486dac52626160131d8daa7f16fc6 ASCII-transcoding version].<br />
<br />
(Non-portable C-INTERCAL I/O had to be used, since INTERCAL-72 does not allow arbitrary characters.)<br />
<br />
;Io: A pure object-oriented programming language inspired by Smalltalk, Self, Lua, Lisp, Act1, and NewtonScript.<br />
<br />
"Arch is the best!" println<br />
<br />
;Java: An extremely portable language; this will run on pretty much anything, maybe even on your toaster!<br />
<br />
public class ArchIsTheBest {<br />
    public static void main(String[] args) {<br />
        System.out.println("Arch is the best!");<br />
    }<br />
}<br />
<br />
;JavaScript: Also known as ECMAScript, a prototype-based object-oriented scripting language.<br />
<br />
console.log('Arch is the best!');<br />
<br />
;JavaScript (in a web browser)<br />
<br />
alert('Arch is the best!');<br />
<br />
;Julia: A fresh approach to numerical computing.<br />
<br />
println("Arch is the best!")<br />
<br />
;Kotlin: JetBrains' attempt to get world domination.<br />
<br />
fun main() {<br />
    println("Arch is the best!")<br />
}<br />
<br />
;LaTeX: A typesetting framework and ecosystem implemented on top of TeX (ironically, more famous than TeX). "The" framework for typesetting mathematical equations and diagrams.<br />
<br />
\documentclass{minimal}<br />
<br />
\begin{document}<br />
Arch is the best!<br />
\end{document}<br />
<br />
;LilyPond: A powerful music engraving program with an intuitive LaTeX-like input language.<br />
<br />
\version "2.12.3"<br />
\include "english.ly"<br />
\header { title = "Arch is the best!" }<br />
\score<br />
{<br />
  <<<br />
    \relative c' { c4 e g c \bar "||" }<br />
    \addlyrics { Arch is the best! }<br />
  >><br />
}<br />
<br />
;LOLCODE: Why not?<br />
<br />
HAI<br />
CAN HAS STDIO?<br />
VISIBLE "ARCH IS TEH PWNZ LOL!"<br />
KTHXBYE<br />
<br />
;Lua: A lightweight, extensible programming language.<br />
<br />
print "Arch is the best!"<br />
<br />
;Malbolge: A language created to make programming as hard as possible.<br />
<br />
bCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]<br />
\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9y16543210/.-,+*)('&}C#"!~}|{zyxwvu<br />
tsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLK-CgGFEDCBA@?>=<;:98x6543210/<br />
.-,+*)('&%$#"!~}|u;yxwpun4rqpRhmf,jihgIe^$ba`_^]\[ZYXQVUTMqQPONMFjJI+A<br />
eEDC%A:^>=<|:981U54t21*/.-&Jk)('&}C#"!aw={z\xwvun4lqpi/mlkjiKaf_%p<br />
<br />
;Matlab: A proprietary programming language developed by MathWorks.<br />
<br />
disp('Arch is the best!');<br />
<br />
;Morpho: Morpho is a multi-paradigm programming language that supports procedural, object-oriented and functional programming.<br />
<br />
writeln("Arch is the best!");<br />
<br />
;Myrddin: A system programming language which aims for control and simplicity, featuring strong type checking, generics, type inference, closures, and traits.<br />
<br />
/* mbld -b aitb aitb.myr */<br />
use std<br />
const main = {<br />
	std.put("Arch is the best!\n")<br />
}<br />
<br />
;NASM / Yasm (i686): Notice that the string is in the .text section, which feels superior.<br />
<br />
;nasm -f elf32 arch.asm<br />
;ld -o arch arch.o<br />
;./arch<br />
<br />
section .text<br />
global _start<br />
_start:<br />
    mov edx,len<br />
    mov ecx,msg<br />
    mov ebx,1<br />
    mov eax,4<br />
    int 0x80<br />
    xor ebx,ebx<br />
    mov eax,1<br />
    int 0x80<br />
msg: db "Arch is the best!",10<br />
len equ $-msg<br />
<br />
;NASM / Yasm (x86_64) :Featuring AMD's sexy new instruction, ''syscall''.<br />
<br />
;nasm -f elf64 arch.asm<br />
;ld -o arch arch.o<br />
;./arch<br />
<br />
section .text<br />
global _start<br />
s:<br />
    db 'Arch is the best!',0ah<br />
l equ $-s<br />
_start:<br />
    mov rax,1<br />
    mov rdi,1<br />
    mov rsi,s<br />
    mov rdx,l<br />
    syscall<br />
    mov rax,60<br />
    xor rdi,rdi<br />
    syscall<br />
<br />
;Nim:Portable lightweight programming language.<br />
<br />
echo "Arch is the best!"<br />
<br />
;node.js: A platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. It uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.<br />
<br />
console.log('Arch is the best!');<br />
<br />
;node.js (http server): A node.js program to beam the info that 'Arch is the best!' using HTTP.<br />
<br />
require('http').createServer((req, res) => {<br />
  res.writeHead(200, {'Content-Type': 'text/plain'});<br />
  res.end('Arch is the best!');<br />
}).listen(80);<br />
<br />
;Objective-C: A reflective, object-oriented programming language that adds Smalltalk-style messaging to the C programming language.<br />
<br />
NSLog(@"Arch is the best!");<br />
<br />
;OCaml: The main implementation of the Caml programming language.<br />
<br />
print_endline "Arch is the best!"<br />
<br />
;Octave: High-level interpreted language, primarily intended for numerical computations.<br />
<br />
printf("Arch is the best!\n")<br />
<br />
;Ook!: brainfuck, translated to Orangutan.<br />
<br />
Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook! Ook? Ook. Ook? Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook? Ook. Ook? Ook! Ook? Ook. Ook! Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook! Ook? Ook! Ook! Ook? Ook! Ook. Ook? Ook! Ook? Ook! Ook! Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook? Ook! Ook? Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook? Ook! Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook. Ook. Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook? Ook. Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook? Ook. Ook. Ook. Ook! Ook. Ook! Ook? Ook! Ook! Ook? Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. 
Ook. Ook. Ook. Ook. Ook! Ook.<br />
<br />
;Pascal: An influential imperative and procedural programming language.<br />
<br />
program ArchIsTheBest;<br />
begin<br />
    writeln('Arch is the best!');<br />
end.<br />
<br />
;PDF: A language used for talking to printers.<br />
<br />
%PDF-1.1<br />
<br />
1 0 obj<br />
<< /Type /Catalog<br />
/Pages 2 0 R<br />
>><br />
endobj<br />
<br />
2 0 obj<br />
<< /Type /Pages<br />
/Kids [3 0 R]<br />
/Count 1<br />
/MediaBox [0 0 595 842]<br />
>><br />
endobj<br />
<br />
3 0 obj<br />
<< /Type /Page<br />
/Parent 2 0 R<br />
/Resources<br />
<< /Font<br />
<< /F1<br />
<< /Type /Font<br />
/Subtype /Type1<br />
/BaseFont /Times-Roman<br />
>><br />
>><br />
>><br />
/Contents 4 0 R<br />
>><br />
endobj<br />
<br />
4 0 obj<br />
<< /Length 48 >><br />
stream<br />
BT<br />
/F1 72 Tf<br />
55 460 Td<br />
(Arch is the best!) Tj<br />
ET<br />
endstream<br />
endobj<br />
<br />
xref<br />
0 5<br />
0000000000 65535 f <br />
0000000016 00000 n <br />
0000000066 00000 n <br />
0000000148 00000 n <br />
0000000303 00000 n <br />
trailer<br />
<< /Root 1 0 R<br />
/Size 5<br />
>><br />
startxref<br />
402<br />
%%EOF<br />
<br />
;Perl: A high-level, general-purpose, interpreted, dynamic programming language.<br />
<br />
#!/usr/bin/env perl<br />
print "Arch is the best!\n";<br />
<br />
;Perl 6: The latest member of the Perl family.<br />
<br />
#!/usr/bin/env perl6<br />
say 'Arch is the best!';<br />
<br />
;PHP: A general-purpose scripting language.<br />
<br />
<?php<br />
echo "Arch is the best!\n";<br />
<br />
;Pixilang: Make me pixels.<br />
<br />
print("Arch is the best!",0,0,#1897D1)<br />
frame<br />
<br />
;Pony: An object-oriented, actor-model, capabilities-secure, high performance programming language.<br />
<br />
actor Main<br />
  new create(env: Env) =><br />
    env.out.print("Arch is the best!")<br />
<br />
;Portable GNU assembler: {{ic|as -o arch.o arch.s && ld -o arch -O0 arch.o}}<br />
<br />
.section .data<br />
archIsBest:<br />
    .ascii "Arch is the best!\n"<br />
archIsBest_len:<br />
    .long . - archIsBest<br />
.section .text<br />
.globl _start<br />
_start:<br />
    movl $4, %eax                 # sys_write<br />
    xorl %ebx, %ebx<br />
    incl %ebx                     # fd 1 (stdout)<br />
    leal archIsBest, %ecx         # buffer<br />
    movl archIsBest_len, %edx     # length<br />
    int $0x80<br />
    xorl %eax, %eax<br />
    incl %eax                     # sys_exit<br />
    xorl %ebx, %ebx               # status 0<br />
    int $0x80<br />
<br />
;Porth: Stack-based like Forth, but written in Python.<br />
<br />
include "std.porth"<br />
proc main in<br />
"Arch is the best!" puts<br />
end<br />
<br />
;PostScript: An older language used for talking to printers.<br />
<br />
%!PS<br />
/monospace 60 selectfont<br />
10 420 moveto<br />
(Arch is the best!) show<br />
showpage<br />
<br />
;PowerShell: A task-based command-line shell and scripting language built on .NET.<br />
<br />
Write-Output "Arch is the best!"<br />
<br />
;Processing: An open source programming language and IDE built for the electronic arts and visual design.<br />
<br />
println("Arch is the best!");<br />
<br />
;Prolog: A general purpose logic programming language associated with artificial intelligence and computational linguistics.<br />
<br />
format('Arch is the best~n',[]).<br />
<br />
;Python: A general-purpose high-level programming language.<br />
<br />
print('Arch is the best!')<br />
<br />
;q (kdb+): A programming language for array processing used as the query language for kdb+.<br />
<br />
show "Arch is the best!"<br />
<br />
;QBASIC: An interpreter for a variant of the BASIC programming language which is based on QuickBASIC.<br />
<br />
PRINT "Arch is the best!"<br />
<br />
;R: A language for statistical computing (and much more!).<br />
<br />
archIsBest <- function() { cat("Arch is the best!\n") }<br />
archIsBest()<br />
<br />
;Racket: A general purpose, multi-paradigm programming language in the Lisp-Scheme family.<br />
<br />
#lang racket<br />
<br />
(let ([str "Arch is the best!\n"])<br />
  (write-string str)<br />
  (values))<br />
<br />
;Ruby: A dynamic, reflective, general purpose object-oriented programming language.<br />
<br />
#!/usr/bin/ruby -w<br />
puts 'Arch is the best!'<br />
<br />
;Rust: Rust is a systems programming language that runs blazingly fast, prevents almost all crashes, and eliminates data races.<br />
<br />
fn main() {<br />
    println!("Arch is the best!");<br />
}<br />
<br />
;Salt: Salt is an automation framework.<br />
<br />
salt '*' event.fire '{"data":"Arch is the best!"}' 'arch/best'<br />
<br />
;Scala: A multi paradigm language that runs on the JVM.<br />
<br />
object ArchIsBest extends App {<br />
  println("Arch is the best!")<br />
}<br />
<br />
;Scratch: A block-based programming language made by MIT.<br />
<br />
[https://scratchblocks.github.io/#?style=scratch3&script=when%20green%20flag%20clicked%0Asay%20%5BArch%20is%20the%20best!%5D%0A Link to scratchblocks where you can see what it would look like as actual scratch code]<br />
when green flag clicked<br />
say [Arch is the best!]<br />
<br />
;Scheme: A dialect of Lisp.<br />
<br />
(display "Arch is the best!\n")<br />
<br />
;Seed: A library and interpreter that dynamically bridges the WebKit JavaScriptCore engine with the GNOME platform.<br />
<br />
#!/usr/bin/env seed<br />
print ('Arch is the best');<br />
<br />
;Shakespeare Programming Language: Designed to "''make a language with beautiful source code'' [...]"<br />
<br />
Arch is the Best.<br />
<br />
Arthur, a young man who is the best.<br />
Isabella, a likewise young woman who be.<br />
The Ghost, an undead who is the article.<br />
Beatrice, a young woman who is an adjective.<br />
<br />
<br />
Act I: Setting of the Variables.<br />
<br />
Scene I: Setting of Isabella and Arthur.<br />
<br />
[Enter Arthur and Isabella]<br />
<br />
Arthur:<br />
You are as dirty as the square of the sum of a rotten smelly foul devil<br />
and a vile lie! You are as bold as the sum of yourself and an evil hog!<br />
<br />
Isabella:<br />
Thou art as big as the square of a cute fair sweet flower! You are as proud<br />
as the sum of thyself and a cow.<br />
<br />
[Exit Arthur]<br />
<br />
Scene II: Setting of The Ghost.<br />
<br />
[Enter The Ghost]<br />
<br />
Isabella:<br />
You art as loving as myself. Thou are as huge as the sum of yourself and twice<br />
a red old hair. You are as cowardly as the sum of yourself and a fat goat!<br />
<br />
[Exit Isabella]<br />
<br />
Scene III: Setting of Beatrice.<br />
<br />
[Enter Beatrice]<br />
<br />
The Ghost:<br />
Thou are as good as the sum of Isabella and a mighty fine rich noble King.<br />
<br />
[Exeunt The Ghost and Beatrice]<br />
<br />
Act II: Printing Arch is the Best.<br />
<br />
Scene I: Arch.<br />
<br />
[Enter Arthur and Beatrice]<br />
<br />
Beatrice:<br />
Speak thy mind! You art as peaceful as the quotient between thyself and the<br />
clearest Lord.<br />
<br />
Arthur:<br />
Speak your mind!<br />
<br />
[Exeunt Arthur and Beatrice]<br />
<br />
[Enter Isabella and The Ghost]<br />
<br />
The Ghost:<br />
Thou are as normal as the sum of thyself and a town. Speak thy mind!<br />
<br />
Isabella:<br />
Speak your mind!<br />
<br />
[Exit Isabella]<br />
<br />
[Enter Arthur]<br />
<br />
The Ghost:<br />
Speak thy mind!<br />
<br />
[Exit Arthur]<br />
<br />
Scene II: is.<br />
<br />
[Enter Beatrice]<br />
<br />
Beatrice:<br />
Thou are as old as the sum of yourself and a nose. Speak your mind!<br />
<br />
The Ghost:<br />
You art as pretty as the sum of thyself and a face. Speak your mind.<br />
<br />
[Exit The Ghost]<br />
<br />
[Enter Arthur]<br />
<br />
Beatrice:<br />
Speak thy mind.<br />
<br />
Scene III: the.<br />
<br />
Arthur:<br />
You are as blue as the sum of yourself and a hamster. Speak thy mind!<br />
<br />
[Exit Arthur]<br />
<br />
[Enter The Ghost]<br />
<br />
Beatrice:<br />
You are as prompt as the sum of thyself and a lie! Speak your mind.<br />
<br />
[Exit Beatrice]<br />
<br />
[Enter Isabella]<br />
<br />
The Ghost:<br />
You art as happy as the sum of thyself and a large moon. Speak thy mind!<br />
<br />
[Exit The Ghost]<br />
<br />
[Enter Arthur]<br />
<br />
Isabella:<br />
Speak thy mind.<br />
<br />
[Exit Arthur]<br />
<br />
Scene IV: Best.<br />
<br />
[Enter Beatrice]<br />
<br />
Beatrice:<br />
Thou are as blue as the sum of the sum of a curse and thyself and a bad<br />
codpiece. Speak your mind! You art as lovely as the sum of the sum of the<br />
happiness and yourself and a blossoming flower. Speak thy mind.<br />
<br />
Isabella:<br />
You are as healthy as the sum of yourself and a plague! Speak thy mind.<br />
Thou art as huge as the sum of thyself and a hero. Speak your mind!<br />
<br />
[Exit Beatrice]<br />
<br />
[Enter Arthur]<br />
<br />
Isabella:<br />
You art as green as the sum of thyself and a mother. Speak your mind.<br />
<br />
[Exeunt]<br />
<br />
;Shoes: A Ruby version using Shoes for a GUI.<br />
<br />
Shoes.app :width => 135, :height => 30 do<br />
para "Arch is the Best!"<br />
end<br />
<br />
;Smalltalk: Smalltalk is an object-oriented, dynamically typed, reflective programming language.<br />
<br />
Transcript show: 'Arch is the best!'.<br />
<br />
;Solidity: Object-oriented programming language for Ethereum smart contracts.<br />
<br />
pragma solidity ^0.6.0;<br />
<br />
contract ArchIsTheBest {<br />
function archIsTheBest() external pure returns (string memory) {<br />
return "Arch is the best!";<br />
}<br />
}<br />
<br />
;SQL: Structured Query Language, the query language for relational databases<br />
<br />
SELECT 'Arch is the best!';<br />
SELECT 'Arch is the best!' from dual; -- for Oracle DB<br />
<br />
;Standard ML: A general-purpose, modular, functional programming language with compile-time type checking and type inference.<br />
<br />
print "Arch is the best!\n"<br />
<br />
;Swift: A general-purpose, multi-paradigm, compiled programming language developed by Apple Inc.<br />
<br />
print("Arch is the best!")<br />
<br />
;Tcl/Tk: A scripting language that is commonly used for rapid prototyping, scripted applications, GUIs and testing.<br />
<br />
#!/usr/bin/env tclsh<br />
puts "Arch is the best!"<br />
<br />
;TeX: A typesetting language aimed at scientific publishing. Famous for giving the ability to describe complicated equations in a plain text format. The basis for the more famous LaTeX.<br />
<br />
Arch is the best!<br />
\bye<br />
<br />
;TrumpScript: A scripting language based on President Trump's words.<br />
<br />
say it with me, "Arch is the best!";<br />
america is great.<br />
<br />
;UEFI: An extensible firmware framework<br />
<br />
#include <Uefi.h><br />
EFI_STATUS EFIAPI<br />
ArchIsTheBest (<br />
IN EFI_HANDLE ImageHandle,<br />
IN EFI_SYSTEM_TABLE *SystemTable<br />
)<br />
{<br />
SystemTable->ConOut->OutputString(SystemTable->ConOut, L"Arch is the best!\n");<br />
return EFI_SUCCESS;<br />
}<br />
<br />
; V: Simple, fast, safe, compiled language for developing maintainable software.<br />
<br />
fn main() {<br />
println('Arch is the best!')<br />
}<br />
<br />
;Vala: Vala is a new programming language that aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements and without using a different ABI compared to applications and libraries written in C.<br />
<br />
void main(string[] args) {<br />
stdout.printf("\nArch is the best!\n\n");<br />
}<br />
<br />
; var'aq: [http://freshmeat.sourceforge.net/projects/varaq A warrior's programming language]<br />
<br />
"Arch is the best!" cha'<br />
<br />
; Verilog: A hardware description language, standardized as IEEE 1364<br />
<br />
module top;<br />
initial $display("Arch is the best!");<br />
endmodule<br />
<br />
; VHDL: VHSIC Hardware Description Language<br />
<br />
use std.textio.all;<br />
<br />
entity top is<br />
end top;<br />
<br />
architecture behaviour of top is begin<br />
process begin<br />
write (output, String'("Arch is the best!"));<br />
wait;<br />
end process;<br />
end behaviour;<br />
<br />
;VimScript: A scripting language for the Vim text editor.<br />
<br />
echo "Arch is the best!"<br />
<br />
;Visual Basic: A third-generation event-driven programming language and integrated development environment (IDE) from Microsoft for its Component Object Model (COM) programming model.<br />
<br />
Module Arch<br />
Sub Main()<br />
MsgBox("Arch is the best!")<br />
End Sub<br />
End Module<br />
<br />
;wenyan-lang: A programming language for the ancient Chinese.<br />
<br />
吾有一言。曰「「阿祺,盡善矣。」」。書之。<br />
<br />
; Wiring (Arduino):Built on Processing, the open source programming language developed at the Massachusetts Institute of Technology.<br />
<br />
void setup()<br />
{<br />
Serial.begin(9600);<br />
}<br />
void loop()<br />
{<br />
Serial.print("Arch is the best!");<br />
}<br />
<br />
; Wolfram: Proprietary programming language developed by Wolfram Inc which emphasizes symbolic computation, functional programming, and rule-based programming.<br />
<br />
Print["Arch is the best"]<br />
<br />
; X11: X11 is an architecture independent system for display of graphical user interfaces.<br />
{{ic|cc -lX11 arch.c}}<br />
<br />
#include <stdio.h><br />
#include <stdlib.h><br />
#include <string.h><br />
<br />
#include <X11/Xlib.h><br />
<br />
int main()<br />
{<br />
Display *d;<br />
Window w;<br />
XEvent e;<br />
int s;<br />
<br />
if (!(d = XOpenDisplay(NULL))) {<br />
fprintf(stderr, "Couldn't open display, but Arch is the best!\n");<br />
exit(1);<br />
}<br />
<br />
s = DefaultScreen(d);<br />
w = XCreateSimpleWindow(d, RootWindow(d,s), 0, 0, 110, 20, 0, <br />
0, WhitePixel(d,s));<br />
XSelectInput(d, w, ExposureMask | KeyPressMask);<br />
XMapWindow(d,w);<br />
<br />
while (1) {<br />
XNextEvent(d, &e);<br />
if (e.type == Expose) {<br />
XDrawString(d, w, DefaultGC(d, s), 5, 15, "Arch is the best!", 17);<br />
}<br />
}<br />
<br />
XCloseDisplay(d);<br />
return 0;<br />
}<br />
<br />
;Z3: A theorem prover from Microsoft Research<br />
<br />
(define-const arch String "Arch is the best")<br />
(simplify (str.++ arch))<br />
<br />
;Zig: A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software. Intends to deprecate C.<br />
<br />
const std = @import("std");<br />
<br />
pub fn main() !void {<br />
std.debug.print("Arch is the best!\n", .{});<br />
}<br />
<br />
;Zimbu: A fast, easy to learn, and JS-like programming language.<br />
<br />
FUNC Main() int<br />
IO.write("Arch is the best!")<br />
RETURN 0<br />
}<br />
<br />
;Zsh: A UNIX command interpreter (shell) closely resembling ksh, but includes many enhancements.<br />
<br />
#!/bin/zsh -f<br />
setopt extendedglob<br />
print -- $(echoti setaf 2) ${$(<<<${${${(@j: :)${(@s:_:)${:-What_Linux_is_the_best?}}}/* (#b)([A-Z]i)/Arch $match[1]}} tr '?' '!')} $terminfo[sgr0]</div>
Kiasoc5https://wiki.archlinux.org/index.php?title=Arch_is_the_best&diff=731952Arch is the best2022-06-08T00:30:55Z<p>Kiasoc5: Add guile</p>
<hr />
<div>[[Category:About Arch]]<br />
[[ja:Arch は最高]]<br />
[[ru:Arch is the best]]<br />
[[zh-hans:Arch is the best]]<br />
The '''Arch is the best''' project is a very sophisticated and exquisite, ego-boosting and mind-blowing (albeit perhaps a bit over-engineered) project which gives proof of Arch's superiority.<br />
<br />
== History ==<br />
<br />
The visionary project was originally devised in April 2008 by long-time Arch community member [https://bbs.archlinux.org/profile.php?id=2529 lucke] as a simple shell script which provided irrefutable proof that "Arch is the best". It was announced to the world with a [https://bbs.archlinux.org/viewtopic.php?id=47306 forum post], thus illuminating other people's minds, who immediately started porting it to multiple different languages, both programming and verbal, so that every human being on the planet could fully appreciate and benefit from this revolutionary discovery.<br />
<br />
== The code ==<br />
<br />
The "Arch is the best" project is ported to many programming languages.<br />
<br />
;1C&#58;Enterprise:A procedural domain-specific compiled dynamically-typed programming language mostly similar to VisualBasic which is used in "1C:Enterprise" products widespread in Russia and other CIS countries.<br />
<br />
Предупреждение("Arch is the best!");<br />
<br />
;ABAP: Advanced Business Application Programming language.<br />
<br />
REPORT zwhat_is_the_best.<br />
WRITE 'Arch is the best'.<br />
<br />
;Ada: A programming language for safety-critical systems.<br />
<br />
with Ada.Text_IO;<br />
use Ada.Text_IO;<br />
procedure ArchIsTheBest is<br />
begin<br />
Put_Line("Arch is the best!");<br />
end ArchIsTheBest;<br />
<br />
;APL: A Programming Language.<br />
<br />
'Arch is the best!'<br />
<br />
;AppleScript: A scripting language created by Apple Inc. and built into the Classic Mac OS since System 7 and into all versions of macOS.<br />
<br />
display alert "Arch is the best!"<br />
say "Indeed, Arch is the best."<br />
<br />
;ArnoldC: Programming language based on the one-liners of Arnold Schwarzenegger.<br />
<br />
IT'S SHOWTIME<br />
TALK TO THE HAND "Arch is the best!"<br />
YOU HAVE BEEN TERMINATED<br />
<br />
;ATS: A functional programming language that uses dependent types to improve programs' reliability.<br />
<br />
implement main () = println! "Arch is the best!"<br />
<br />
;Awk: A data-driven programming language designed for processing text-based data.<br />
<br />
BEGIN {<br />
print "Arch is the best!"<br />
}<br />
<br />
;BASIC: A scripting language that was one of the most commonly used computer programming languages in the 1960s, considered an easy step for students to learn before more powerful languages such as FORTRAN.<br />
<br />
10 PRINT "Arch is the best!"<br />
<br />
;Batch: A scripting language for Windows that can be used to automate tasks or just have some fun.<br />
<br />
@echo off<br />
echo Arch is the best!<br />
pause<br />
<br />
;Befunge: Believed to be the first two-dimensional, ASCII-based, general-purpose (in the sense of "you could plausibly write Hunt the Wumpus in it") programming language.<br />
<br />
<v"Arch is the best!"0<br />
 <,_@#:<br />
<br />
; BIRL: Like ArnoldC, but for Bambam[https://www.youtube.com/watch?v=3_qEE2i6h5Q].<br />
<br />
HORA DO SHOW<br />
CE QUER VER ESSA PORRA? ("Arch is the best!\n");<br />
BORA CUMPADE 0;<br />
BIRL<br />
<br />
;Boo:An established object-oriented, statically typed programming language for .NET and Mono with a Python-inspired syntax and a special focus on metaprogramming through language and compiler extensibility features such as macros and custom compilation pipelines.<br />
<br />
print "Arch is the best!"<br />
<br />
;Bourne shell: The original program, should be compatible with any shell.<br />
<br />
#!/bin/sh<br />
echo "Arch is the best!"<br />
<br />
;Bourne shell (Alternate):Handy for piping the output to your favourite IRC/email/IM client. Should work with any shell.<br />
<br />
#!/bin/sh<br />
yes Arch is the best!<br />
<br />
;brainfuck: Doesn't the language name explain it?<br />
<br />
++>++++++>+++++<+[>[->+<]<->++++++++++<]>>.<[-]>[-<++>]<br />
<----------------.---------------.+++++.<+++[-<++++++++++>]<.<br />
>>+.++++++++++.<<.>>+.------------.---.<<.>>---.<br />
+++.++++++++++++++.+.<<+.[-]++++++++++.<br />
<br />
;C: Note the three space indenting used in this project, much like that used by other superior beings.<br />
<br />
#include <stdio.h><br />
#include <stdlib.h><br />
int main(void)<br />
{<br />
puts("Arch is the best!");<br />
return EXIT_SUCCESS;<br />
}<br />
<br />
;C#: Intended to be a simple, modern, general-purpose, object-oriented programming language.<br />
<br />
using System;<br />
Console.WriteLine ("Arch is the best!");<br />
<br />
;C++:Arch == Linux++<br />
<br />
#include <iostream><br />
#include <cstdlib><br />
int main ()<br />
{<br />
std::cout << "Arch is the best!" << std::endl;<br />
return EXIT_SUCCESS;<br />
}<br />
<br />
;COBOL:A simple, lightweight programming language.<br />
<br />
IDENTIFICATION DIVISION.<br />
PROGRAM-ID. TheBest.<br />
<br />
PROCEDURE DIVISION.<br />
DISPLAY "Arch is the best!".<br />
STOP RUN.<br />
<br />
;CoffeeScript: A programming language that transcompiles to JavaScript.<br />
<br />
alert 'Arch is the best!'<br />
<br />
;Clojure: A Lisp dialect that runs on the JVM.<br />
<br />
(prn "Arch is the best!")<br />
<br />
;Common Lisp: A Lisp dialect<br />
<br />
(princ "Arch is the best!")<br />
<br />
;Crystal: An object-oriented, Ruby-like language.<br />
<br />
puts "Arch is the best!"<br />
<br />
;Crystal (through web server): For distributing the message to multiple friends at once.<br />
<br />
# For giving the message to your friends<br />
require "http/server"<br />
<br />
server = HTTP::Server.new do |context|<br />
context.response.content_type = "text/plain"<br />
context.response.print "Arch is the best!"<br />
end<br />
<br />
address = server.bind_tcp 80<br />
puts "Listening on http://#{address}"<br />
server.listen<br />
<br />
;csh: A C-like shell.<br />
<br />
#!/bin/csh<br />
echo "Arch is the best!"<br />
<br />
;CSS: A stylesheet language, heavily used for styling web pages.<br />
<br />
body * {<br />
display: none;<br />
}<br />
<br />
body::before {<br />
content: "Arch is the best!";<br />
font-family: monospace;<br />
font-size: 2.7rem;<br />
position: absolute;<br />
left: 50%;<br />
top: 50%;<br />
transform: translate(-50%, -50%);<br />
}<br />
<br />
;D: A C-style language. The benefits of hindsight, with modern conveniences.<br />
<br />
import std.stdio : writeln;<br />
void main()<br />
{<br />
writeln("Arch is the best");<br />
}<br />
<br />
;Dart: Google's javascript killer<br />
<br />
main(){<br />
print('Arch is the best');<br />
}<br />
<br />
;Dogescript: Doge-friendly JavaScript<br />
<br />
console.loge with ' So Arch'<br />
console.loge with ' Much Good'<br />
console.loge with ' Wow'<br />
<br />
;Ebuild: Gentoo's build script format.<br />
<br />
DESCRIPTION="Arch is the best!"<br />
SRC_URI="<nowiki>https://wiki.archlinux.org/index.php/Arch_is_the_best</nowiki>"<br />
<br />
LICENSE="GFDL_1.3"<br />
SLOT="0"<br />
KEYWORDS=""<br />
IUSE=""<br />
<br />
DEPEND=""<br />
RDEPEND=""<br />
<br />
src_compile() {<br />
einfo "Arch is the best!"<br />
}<br />
<br />
;Emacs Lisp: A dialect of the Lisp programming language used by the GNU Emacs and XEmacs text editors<br />
<br />
(message "Arch is the best!")<br />
<br />
;Emojicode: A delimiter-less, object oriented, imperative, high-level, hybrid language with emojis as fix points and methods.<br />
<br />
🏁 🍇<br />
😀 🔤Arch is the best!🔤❗️<br />
🍉<br />
<br />
;Elixir: A dynamic, functional language designed for building scalable and maintainable applications<br />
<br />
IO.puts "Arch is the best!"<br />
<br />
;Erlang: A concurrent, garbage-collected programming language and runtime system.<br />
<br />
-module(arch).<br />
-export([is_the_best/0]).<br />
is_the_best() -> io:fwrite("Arch is the best!\n").<br />
<br />
;Or using message passing between processes<br />
<br />
-module(arch).<br />
-export([ultimate_question/0,the_answer/0]).<br />
the_answer() -><br />
receive<br />
{Client,who_is_the_best} -><br />
Client ! {self(),"Arch is the best!"};<br />
{Client,_} -><br />
Client ! {self(),"Taco Taco Taco!"}<br />
end,<br />
the_answer().<br />
ultimate_question() -><br />
Pid = spawn(arch,the_answer,[]),<br />
Pid ! {self(),who_is_the_best},<br />
receive<br />
{Pid,Response} -> io:format("~s~n",[Response])<br />
end.<br />
<br />
;F#: A strongly-typed, functional-first programming language for writing simple code to solve complex problems.<br />
<br />
printfn "Arch is the best!"<br />
<br />
;Factor: High-level stack-based language.<br />
<br />
"Arch is the best" print<br />
<br />
;FIM++: A wordy, imperative, dynamically-typed, and interpreted language that can use Java classes.<br />
<br />
Dear Princess Celestia: Letter About Arch Linux.<br />
Today I learned:<br />
I wrote "Arch is the best!".<br />
Your faithful student, Twilight Sparkle<br />
<br />
;Fish: The user-friendly command line shell.<br />
<br />
function arch_is_the_best --on-event fish_prompt<br />
echo -ne "\e[94mArch is the best!\e[0m"<br />
end<br />
<br />
;Forth:Stack-based language.<br />
<br />
." Arch is the best" cr \ kiss way<br />
<br />
;Fortran95<br />
<br />
program arch<br />
print *,"Arch is the best!"<br />
end program arch<br />
<br />
;Genie: A new programming language, that allows for a more modern programming style while being able to effortlessly create and use GObjects natively.<br />
<br />
init<br />
print "Arch is the best"<br />
<br />
;Gjs: A Javascript binding for GNOME. It's mainly based on Spidermonkey javascript engine and the GObject introspection framework.<br />
<br />
#!/usr/bin/env gjs<br />
print ('Arch is the best');<br />
<br />
;Gleam: A fast, friendly, and functional language for building type-safe, scalable systems.<br />
<br />
import gleam/io<br />
<br />
pub fn main() {<br />
io.println("Arch is the best!")<br />
}<br />
<br />
;Go: A language created by Google that's a love child between C, C++ and Python.<br />
<br />
package main<br />
<br />
import "fmt"<br />
<br />
func main() {<br />
fmt.Println("Arch is the best!")<br />
}<br />
<br />
;Groovy: An agile and dynamic language for the Java Virtual Machine.<br />
<br />
println 'Arch is the best!' <br />
<br />
;Guile: GNU Ubiquitous Intelligent Language for Extensions. A portable, embeddable Scheme implementation.<br />
<br />
#!/usr/local/bin/guile -s<br />
!#<br />
(display "Arch is the best!")<br />
(newline)<br />
<br />
;Hare: A systems programming language designed to be simple, stable, and robust.<br />
<br />
use fmt;<br />
<br />
export fn main() void = {<br />
fmt::println("Arch is the best!")!;<br />
};<br />
<br />
;Haskell: The language where IO is easy and unproblematic.<br />
<br />
main = putStrLn "Arch is the best!"<br />
<br />
;Haxe: An object oriented language based off actionscript that has a flavor of functionality<br />
<br />
package;<br />
<br />
class Main {<br />
public static function main() {<br />
Sys.println("Arch is the best!");<br />
}<br />
}<br />
<br />
;HTML: A markup language used to create and define web pages and their content.<br />
<br />
{{bc|1=<br />
<!DOCTYPE html><br />
<html lang='en'><br />
<head><br />
<title>Arch is the best!</title><br />
</head><br />
<body><br />
<p>Arch is the best!</p><br />
</body><br />
</html><br />
}}<br />
<br />
;Idris: A general purpose pure functional programming language with dependent types. Haskell, but crazier.<br />
<br />
module Main<br />
<br />
main : IO ()<br />
main = putStrLn "Arch is the best!"<br />
<br />
;INTERCAL: "Designed very early one May morning in 1972 by two hackers who are still trying to live it down."<br />
<br />
PLEASE NOTE THAT THIS WAS MADE FOR C-INTERCAL<br />
DO ,10 <- #18<br />
DO ,10SUB#1 <- #126<br />
DO ,10SUB#2 <- #52<br />
DO ,10SUB#3 <- #136<br />
PLEASE DO ,10SUB#4 <- #176<br />
DO ,10SUB#5 <- #18<br />
DO ,10SUB#6 <- #110<br />
DO ,10SUB#7 <- #200<br />
PLEASE DO ,10SUB#8 <- #202<br />
DO ,10SUB#9 <- #214<br />
DO ,10SUB#10 <- #24<br />
DO ,10SUB#11 <- #112<br />
PLEASE DO ,10SUB#12 <- #162<br />
DO ,10SUB#13 <- #190<br />
DO ,10SUB#14 <- #160<br />
PLEASE DO ,10SUB#15 <- #216<br />
DO ,10SUB#16 <- #160<br />
DO ,10SUB#17 <- #170<br />
PLEASE DO ,10SUB#18 <- #52<br />
DO READ OUT ,10<br />
DO GIVE UP<br />
<br />
Also a much larger [https://gist.github.com/ISSOtm/33a486dac52626160131d8daa7f16fc6 ASCII-transcoding version].<br />
<br />
(Non-portable C-INTERCAL I/O had to be used, since INTERCAL-72 does not allow arbitrary characters.)<br />
<br />
;Io: A pure object-oriented programming language inspired by Smalltalk, Self, Lua, Lisp, Act1, and NewtonScript.<br />
<br />
"Arch is the best!" println<br />
<br />
;Java: An extremely portable language, this will run on pretty much anything, it might even run on your toaster!<br />
<br />
public class ArchIsTheBest {<br />
public static void main(String[] args) {<br />
System.out.println("Arch is the best!");<br />
}<br />
}<br />
<br />
;JavaScript: Also known as ECMAScript, a prototype-based object-oriented scripting language.<br />
<br />
console.log('Arch is the best!');<br />
<br />
;JavaScript (in a web browser)<br />
<br />
alert('Arch is the best!');<br />
<br />
;Julia: A fresh approach to numerical computing.<br />
<br />
println("Arch is the best!")<br />
<br />
;Kotlin: JetBrains' attempt to get world domination.<br />
<br />
fun main() {<br />
println("Arch is the best!")<br />
}<br />
<br />
;LaTeX: A typesetting framework and ecosystem implemented on top of TeX (ironically, more famous than TeX). "The" framework for typesetting mathematical equations and diagrams.<br />
<br />
\documentclass{minimal}<br />
<br />
\begin{document}<br />
Arch is the best!<br />
\end{document}<br />
<br />
;LilyPond: A powerful music engraving program with an intuitive LaTeX-like input language.<br />
<br />
\version "2.12.3"<br />
\include "english.ly"<br />
\header { title = "Arch is the best!" }<br />
\score<br />
{<br />
<<<br />
\relative c' { c4 e g c \bar "||" }<br />
\addlyrics { Arch is the best! }<br />
>><br />
}<br />
<br />
;LOLCODE: Why not?<br />
<br />
HAI<br />
CAN HAS STDIO?<br />
VISIBLE "ARCH IS TEH PWNZ LOL!"<br />
KTHXBYE<br />
<br />
;Lua: A lightweight, extensible programming language.<br />
<br />
print "Arch is the best!"<br />
<br />
;Malbolge: A language created to make programming as hard as possible.<br />
<br />
bCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]<br />
\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9y16543210/.-,+*)('&}C#"!~}|{zyxwvu<br />
tsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLK-CgGFEDCBA@?>=<;:98x6543210/<br />
.-,+*)('&%$#"!~}|u;yxwpun4rqpRhmf,jihgIe^$ba`_^]\[ZYXQVUTMqQPONMFjJI+A<br />
eEDC%A:^>=<|:981U54t21*/.-&Jk)('&}C#"!aw={z\xwvun4lqpi/mlkjiKaf_%p<br />
<br />
;Matlab: A proprietary programming language developed by MathWorks.<br />
<br />
disp('Arch is the best!');<br />
<br />
;Morpho: Morpho is a multi-paradigm programming language that supports procedural, object-oriented and functional programming.<br />
<br />
writeln("Arch is the best!");<br />
<br />
;Myrddin: A system programming language which aims for control and simplicity, featuring strong type checking, generics, type inference, closures, and traits.<br />
<br />
/* mbld -b aitb aitb.myr */<br />
use std<br />
const main = {<br />
std.put("Arch is the best!\n")<br />
}<br />
<br />
;NASM / Yasm (i686): Notice that the string is in the .text section, which feels superior.<br />
<br />
;nasm -f elf32 arch.asm<br />
;ld -o arch arch.o<br />
;./arch<br />
<br />
section .text<br />
global _start<br />
_start:<br />
mov edx,len<br />
mov ecx,msg<br />
mov ebx,1<br />
mov eax,4<br />
int 0x80<br />
xor ebx,ebx<br />
mov eax,1<br />
int 0x80<br />
msg: db "Arch is the best!",10<br />
len equ $-msg<br />
<br />
;NASM / Yasm (x86_64) :Featuring AMD's sexy new instruction, ''syscall''.<br />
<br />
;nasm -f elf64 arch.asm<br />
;ld -o arch arch.o<br />
;./arch<br />
<br />
section .text<br />
global _start<br />
s:<br />
db 'Arch is the best!',0ah<br />
l equ $-s<br />
_start:<br />
mov rax,1<br />
mov rdi,1<br />
mov rsi,s<br />
mov rdx,l<br />
syscall<br />
mov rax,60<br />
xor rdi,rdi<br />
syscall<br />
<br />
;Nim:Portable lightweight programming language.<br />
<br />
echo "Arch is the best!"<br />
<br />
;node.js: a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications, using an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.<br />
<br />
console.log('Arch is the best!');<br />
<br />
;node.js (http server): A node.js program to beam the info that 'Arch is the best!' using HTTP<br />
<br />
require('http').createServer((req,res) => {res.writeHead(200, {'Content-Type': 'text/plain'});res.end('Arch is the best!');}).listen(80);<br />
<br />
;Objective-C: A reflective, object-oriented programming language that adds Smalltalk-style messaging to the C programming language.<br />
<br />
NSLog(@"Arch is the best!");<br />
<br />
;OCaml: The main implementation of the Caml programming language.<br />
<br />
print_endline "Arch is the best!"<br />
<br />
;Octave: High-level interpreted language, primarily intended for numerical computations.<br />
<br />
printf("Arch is the best!\n")<br />
<br />
;Ook!: brainfuck, translated to Orangutan.<br />
<br />
Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook. Ook. Ook! Ook? Ook. Ook? Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook? Ook. Ook? Ook! Ook? Ook. Ook! Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook! Ook? Ook! Ook! Ook? Ook! Ook. Ook? Ook! Ook? Ook! Ook! Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook? Ook! Ook? Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook? Ook! Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook. Ook. Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook? Ook. Ook? Ook. Ook! Ook. Ook. Ook? Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook? Ook. Ook. Ook. Ook! Ook. Ook! Ook? Ook! Ook! Ook? Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. 
Ook. Ook. Ook. Ook. Ook! Ook.<br />
<br />
;Pascal: An influential imperative and procedural programming language.<br />
<br />
program ArchIsTheBest;<br />
begin<br />
writeln('Arch is the best!');<br />
end.<br />
<br />
;PDF: A language used for talking to printers.<br />
<br />
%PDF-1.1<br />
<br />
1 0 obj<br />
<< /Type /Catalog<br />
/Pages 2 0 R<br />
>><br />
endobj<br />
<br />
2 0 obj<br />
<< /Type /Pages<br />
/Kids [3 0 R]<br />
/Count 1<br />
/MediaBox [0 0 595 842]<br />
>><br />
endobj<br />
<br />
3 0 obj<br />
<< /Type /Page<br />
/Parent 2 0 R<br />
/Resources<br />
<< /Font<br />
<< /F1<br />
<< /Type /Font<br />
/Subtype /Type1<br />
/BaseFont /Times-Roman<br />
>><br />
>><br />
>><br />
/Contents 4 0 R<br />
>><br />
endobj<br />
<br />
4 0 obj<br />
<< /Length 48 >><br />
stream<br />
BT<br />
/F1 72 Tf<br />
55 460 Td<br />
(Arch is the best!) Tj<br />
ET<br />
endstream<br />
endobj<br />
<br />
xref<br />
0 5<br />
0000000000 65535 f <br />
0000000016 00000 n <br />
0000000066 00000 n <br />
0000000148 00000 n <br />
0000000303 00000 n <br />
trailer<br />
<< /Root 1 0 R<br />
/Size 5<br />
>><br />
startxref<br />
402<br />
%%EOF<br />
<br />
;Perl: A high-level, general-purpose, interpreted, dynamic programming language.<br />
<br />
#!/usr/bin/env perl<br />
print "Arch is the best!\n";<br />
<br />
;Perl 6: The latest member of the Perl family.<br />
<br />
#!/usr/bin/env perl6<br />
say 'Arch is the best!';<br />
<br />
;PHP: A general-purpose scripting language.<br />
<br />
<?php<br />
echo "Arch is the best!\n";<br />
<br />
;Pixilang: Make me pixels.<br />
<br />
print("Arch is the best!",0,0,#1897D1)<br />
frame<br />
<br />
;Pony:An object-oriented, actor-model, capabilities-secure, high performance programming language.<br />
<br />
actor Main<br />
new create(env: Env) =><br />
env.out.print("Arch is the best!")<br />
<br />
;Portable GNU assembler: {{ic|as -o arch.o arch.s && ld -o arch -O0 arch.o}}<br />
<br />
.section .data<br />
archIsBest:<br />
.ascii "Arch is the best!\n"<br />
archIsBest_len:<br />
.long . - archIsBest<br />
.section .text<br />
.globl _start<br />
_start:<br />
xorl %ebx, %ebx<br />
movl $4, %eax<br />
xorl %ebx, %ebx<br />
incl %ebx<br />
leal archIsBest, %ecx<br />
movl archIsBest_len, %edx<br />
int $0x80<br />
xorl %eax, %eax<br />
incl %eax<br />
xorl %ebx, %ebx<br />
int $0x80<br />
<br />
;Porth: Stack-based like Forth but in python.<br />
<br />
include "std.porth"<br />
proc main in<br />
"Arch is the best!" puts<br />
end<br />
<br />
;PostScript: An older language used for talking to printers.<br />
<br />
%!PS<br />
/monospace 60 selectfont<br />
10 420 moveto<br />
(Arch is the best!) show<br />
showpage<br />
<br />
;Powershell: A task-based command-line shell and scripting language built on .NET.<br />
<br />
Write-Output "Arch is the best!"<br />
<br />
;Processing: An open source programming language and IDE built for the electronic arts and visual design.<br />
<br />
println("Arch is the best!");<br />
<br />
;Prolog: A general purpose logic programming language associated with artificial intelligence and computational linguistics.<br />
<br />
format('Arch is the best~n',[]).<br />
<br />
;Python: A general-purpose high-level programming language.<br />
<br />
print('Arch is the best!')<br />
<br />
;q (kdb+): A programming language for array processing used as the query language for kdb+.<br />
<br />
show "Arch is the best!"<br />
<br />
;QBASIC: An interpreter for a variant of the BASIC programming language which is based on QuickBASIC.<br />
<br />
PRINT "Arch is the best!"<br />
<br />
;R: A language for statistical computing (and much more!).<br />
<br />
archIsBest <- function() { cat("Arch is the best!\n") }<br />
archIsBest()<br />
<br />
;Racket: A general purpose, multi-paradigm programming language in the Lisp-Scheme family.<br />
<br />
#lang racket<br />
<br />
(let ([str "Arch is the best!\n"])<br />
(write-string str)<br />
(values))<br />
<br />
;Ruby: A dynamic, reflective, general purpose object-oriented programming language.<br />
<br />
#!/usr/bin/ruby -w<br />
puts 'Arch is the best!'<br />
<br />
;Rust: Rust is a systems programming language that runs blazingly fast, prevents almost all crashes, and eliminates data races.<br />
<br />
fn main() {<br />
println!("Arch is the best!");<br />
}<br />
<br />
;Salt: Salt is an automation framework<br />
<br />
salt '*' event.fire '{"data":"Arch Is the best!"}' 'arch/best'<br />
<br />
;Scala: A multi paradigm language that runs on the JVM.<br />
<br />
object ArchIsBest extends App {<br />
println("Arch is the best!")<br />
}<br />
<br />
;Scratch: A block based programming language made by MIT.<br />
<br />
[https://scratchblocks.github.io/#?style=scratch3&script=when%20green%20flag%20clicked%0Asay%20%5BArch%20is%20the%20best!%5D%0A Link to scratchblocks where you can see what it would look like as actual scratch code]<br />
when green flag clicked<br />
say [Arch is the best!]<br />
<br />
;Scheme: A dialect of Lisp.<br />
<br />
(display "Arch is the best!\n")<br />
<br />
;Seed: A library and interpreter, dynamically bridging the WebKit JavaScriptCore engine, with the GNOME platform.<br />
<br />
#!/usr/bin/env seed<br />
print ('Arch is the best');<br />
<br />
;Shakespeare Programming Language: Designed to "''make a language with beautiful source code'' [...]"<br />
<br />
Arch is the Best.<br />
<br />
Arthur, a young man who is the best.<br />
Isabella, a likewise young woman who be.<br />
The Ghost, an undead who is the article.<br />
Beatrice, a young woman who is an adjective.<br />
<br />
<br />
Act I: Setting of the Variables.<br />
<br />
Scene I: Setting of Isabella and Arthur.<br />
<br />
[Enter Arthur and Isabella]<br />
<br />
Arthur:<br />
You are as dirty as the square of the sum of a rotten smelly foul devil<br />
and a vile lie! You are as bold as the sum of yourself and an evil hog!<br />
<br />
Isabella:<br />
Thou art as big as the square of a cute fair sweet flower! You are as proud<br />
as the sum of thyself and a cow.<br />
<br />
[Exit Arthur]<br />
<br />
Scene II: Setting of The Ghost.<br />
<br />
[Enter The Ghost]<br />
<br />
Isabella:<br />
You art as loving as myself. Thou are as huge as the sum of yourself and twice<br />
a red old hair. You are as cowardly as the sum of yourself and a fat goat!<br />
<br />
[Exit Isabella]<br />
<br />
Scene III: Setting of Beatrice.<br />
<br />
[Enter Beatrice]<br />
<br />
The Ghost:<br />
Thou are as good as the sum of Isabella and a mighty fine rich noble King.<br />
<br />
[Exeunt The Ghost and Beatrice]<br />
<br />
Act II: Printing Arch is the Best.<br />
<br />
Scene I: Arch.<br />
<br />
[Enter Arthur and Beatrice]<br />
<br />
Beatrice:<br />
Speak thy mind! You art as peaceful as the quotient between thyself and the<br />
clearest Lord.<br />
<br />
Arthur:<br />
Speak your mind!<br />
<br />
[Exeunt Arthur and Beatrice]<br />
<br />
[Enter Isabella and The Ghost]<br />
<br />
The Ghost:<br />
Thou are as normal as the sum of thyself and a town. Speak thy mind!<br />
<br />
Isabella:<br />
Speak your mind!<br />
<br />
[Exit Isabella]<br />
<br />
[Enter Arthur]<br />
<br />
The Ghost:<br />
Speak thy mind!<br />
<br />
[Exit Arthur]<br />
<br />
Scene II: is.<br />
<br />
[Enter Beatrice]<br />
<br />
Beatrice:<br />
Thou are as old as the sum of yourself and a nose. Speak your mind!<br />
<br />
The Ghost:<br />
You art as pretty as the sum of thyself and a face. Speak your mind.<br />
<br />
[Exit The Ghost]<br />
<br />
[Enter Arthur]<br />
<br />
Beatrice:<br />
Speak thy mind.<br />
<br />
Scene III: the.<br />
<br />
Arthur:<br />
You are as blue as the sum of yourself and a hamster. Speak thy mind!<br />
<br />
[Exit Arthur]<br />
<br />
[Enter The Ghost]<br />
<br />
Beatrice:<br />
You are as prompt as the sum of thyself and a lie! Speak your mind.<br />
<br />
[Exit Beatrice]<br />
<br />
[Enter Isabella]<br />
<br />
The Ghost:<br />
You art as happy as the sum of thyself and a large moon. Speak thy mind!<br />
<br />
[Exit The Ghost]<br />
<br />
[Enter Arthur]<br />
<br />
Isabella:<br />
Speak thy mind.<br />
<br />
[Exit Arthur]<br />
<br />
Scene IV: Best.<br />
<br />
[Enter Beatrice]<br />
<br />
Beatrice:<br />
Thou are as blue as the sum of the sum of a curse and thyself and a bad<br />
codpiece. Speak your mind! You art as lovely as the sum of the sum of the<br />
happiness and yourself and a blossoming flower. Speak thy mind.<br />
<br />
Isabella:<br />
You are as healthy as the sum of yourself and a plague! Speak thy mind.<br />
Thou art as huge as the sum of thyself and a hero. Speak your mind!<br />
<br />
[Exit Beatrice]<br />
<br />
[Enter Arthur]<br />
<br />
Isabella:<br />
You art as green as the sum of thyself and a mother. Speak your mind.<br />
<br />
[Exeunt]<br />
<br />
;Shoes: A Ruby version using Shoes for a GUI.<br />
<br />
Shoes.app :width => 135, :height => 30 do<br />
para "Arch is the Best!"<br />
end<br />
<br />
;Smalltalk: Smalltalk is an object-oriented, dynamically typed, reflective programming language.<br />
<br />
Transcript show: 'Arch is the best!'.<br />
<br />
;Solidity: Object-oriented programming language for Ethereum smart contracts.<br />
<br />
pragma solidity ^0.6.0;<br />
<br />
contract ArchIsTheBest {<br />
function archIsTheBest() external pure returns (string memory) {<br />
return "Arch is the best!";<br />
}<br />
}<br />
<br />
;SQL: Structured Query Language, the query language for relational databases<br />
<br />
SELECT 'Arch is the best!';<br />
SELECT 'Arch is the best!' from dual; -- for Oracle DB<br />
<br />
;Standard ML: A general-purpose, modular, functional programming language with compile-time type checking and type inference.<br />
<br />
print "Arch is the best!\n"<br />
<br />
;Swift: A general-purpose, multi-paradigm, compiled programming language developed by Apple Inc.<br />
<br />
print("Arch is the best!")<br />
<br />
;Tcl/Tk: A scripting language that is commonly used for rapid prototyping, scripted applications, GUIs and testing.<br />
<br />
#!/usr/bin/env tclsh<br />
puts "Arch is the best!"<br />
<br />
;TeX: A typesetting language aimed at scientific publishing. Famous for giving the ability to describe complicated equations in a plain text format. The basis for the more famous LaTeX.<br />
<br />
Arch is the best!<br />
\bye<br />
<br />
;TrumpScript: A scripting language based on President Trump's words.<br />
<br />
say it with me, "Arch is the best!";<br />
america is great.<br />
<br />
;UEFI: An extensible firmware framework<br />
<br />
#include <Uefi.h><br />
EFI_STATUS EFIAPI<br />
ArchIsTheBest (<br />
IN EFI_HANDLE ImageHandle,<br />
IN EFI_SYSTEM_TABLE *SystemTable<br />
)<br />
{<br />
SystemTable->ConOut->OutputString(SystemTable->ConOut, L"Arch is the best!\n");<br />
return EFI_SUCCESS;<br />
}<br />
<br />
; V: Simple, fast, safe, compiled language for developing maintainable software.<br />
<br />
fn main() {<br />
println('Arch is the best!')<br />
}<br />
<br />
;Vala: Vala is a new programming language that aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements and without using a different ABI compared to applications and libraries written in C.<br />
<br />
void main(string[] args) {<br />
stdout.printf("\nArch is the best!\n\n");<br />
}<br />
<br />
; var'aq: [http://freshmeat.sourceforge.net/projects/varaq A warrior's programming language]<br />
"Arch is the best!" cha'<br />
<br />
; Verilog: A hardware description language, standardized as IEEE 1364<br />
module top;<br />
initial $display("Arch is the best!");<br />
endmodule<br />
<br />
; VHDL: VHSIC Hardware Description Language<br />
<br />
use std.textio.all;<br />
<br />
entity top is<br />
end top;<br />
<br />
architecture behaviour of top is begin<br />
process begin<br />
write (output, String'("Arch is the best!"));<br />
wait;<br />
end process;<br />
end behaviour;<br />
<br />
;VimScript: A scripting language for the Vim text editor.<br />
<br />
echo "Arch is the best!"<br />
<br />
;Visual Basic: A third-generation event-driven programming language and integrated development environment (IDE) from Microsoft for its Component Object Model (COM) programming model.<br />
<br />
Module Arch<br />
Sub Main()<br />
MsgBox("Arch is the best!")<br />
End Sub<br />
End Module<br />
<br />
;wenyan-lang: A programming language for the ancient Chinese.<br />
<br />
吾有一言。曰「「阿祺,盡善矣。」」。書之。<br />
<br />
; Wiring (Arduino): Built on Processing, the open source programming language developed at the Massachusetts Institute of Technology.<br />
<br />
void setup()<br />
{<br />
Serial.begin(9600);<br />
}<br />
void loop()<br />
{<br />
Serial.print("Arch is the best!");<br />
}<br />
<br />
; Wolfram: Proprietary programming language developed by Wolfram Inc which emphasizes symbolic computation, functional programming, and rule-based programming.<br />
<br />
Print["Arch is the best"]<br />
<br />
; X11: X11 is an architecture independent system for display of graphical user interfaces.<br />
{{ic|cc -lX11 arch.c}}<br />
<br />
#include <stdio.h><br />
#include <stdlib.h><br />
#include <string.h><br />
<br />
#include <X11/Xlib.h><br />
<br />
int main()<br />
{<br />
Display *d;<br />
Window w;<br />
XEvent e;<br />
int s;<br />
<br />
if (!(d = XOpenDisplay(NULL))) {<br />
fprintf(stderr, "Couldn't open display, but Arch is the best!\n");<br />
exit(1);<br />
}<br />
<br />
s = DefaultScreen(d);<br />
w = XCreateSimpleWindow(d, RootWindow(d,s), 0, 0, 110, 20, 0, <br />
0, WhitePixel(d,s));<br />
XSelectInput(d, w, ExposureMask | KeyPressMask);<br />
XMapWindow(d,w);<br />
<br />
while (1) {<br />
XNextEvent(d, &e);<br />
if (e.type == Expose) {<br />
XDrawString(d, w, DefaultGC(d, s), 5, 15, "Arch is the best!", 17);<br />
}<br />
}<br />
<br />
XCloseDisplay(d);<br />
return 0;<br />
}<br />
<br />
;Z3: A theorem prover from Microsoft Research<br />
<br />
(define-const arch String "Arch is the best")<br />
(simplify (str.++ arch))<br />
<br />
;Zig: A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software. Intends to deprecate C.<br />
<br />
const std = @import("std");<br />
<br />
pub fn main() !void {<br />
std.debug.warn("Arch is the best!\n", .{});<br />
}<br />
<br />
;Zimbu: A fast, easy to learn, and JS-like programming language.<br />
<br />
FUNC Main() int<br />
IO.write("Arch is the best!")<br />
RETURN 0<br />
}<br />
<br />
;Zsh: A UNIX command interpreter (shell) closely resembling ksh, but includes many enhancements.<br />
<br />
#!/bin/zsh -f<br />
setopt extendedglob<br />
print -- $(echoti setaf 2) ${$(<<<${${${(@j: :)${(@s:_:)${:-What_Linux_is_the_best?}}}/* (#b)([A-Z]i)/Arch $match[1]}} tr '?' '!')} $terminfo[sgr0]</div>Kiasoc5https://wiki.archlinux.org/index.php?title=PDF,_PS_and_DjVu&diff=731950PDF, PS and DjVu2022-06-07T23:45:10Z<p>Kiasoc5: /* PDF tools */ Add section on pdf signing</p>
<hr />
<div>[[Category:Applications]]<br />
[[Category:File formats]]<br />
[[Category:Lists of software]]<br />
[[Category:Software comparisons]]<br />
[[es:PDF, PS and DjVu]]<br />
This article covers software to view, edit and convert [[Wikipedia:PDF|PDF]], [[Wikipedia:PostScript|PostScript]] (PS), [[Wikipedia:DjVu|DjVu]] (''déjà vu'') and [[Wikipedia:Open XML Paper Specification|XPS]] files.<br />
<br />
== Engines ==<br />
<br />
* {{App|[[Wikipedia:Poppler (software)|Poppler]]|PDF rendering library based on Xpdf. For CJK (Chinese, Japanese, Korean) support with Poppler, [[install]] {{Pkg|poppler-data}}.|https://poppler.freedesktop.org/|{{Pkg|poppler}}}}<br />
* {{App|[[Wikipedia:MuPDF|Mupdf]]| MuPDF is a lightweight PDF, XPS, and EPUB viewer, consisting of a software library, command line tools, and viewers.|https://mupdf.com/|{{Pkg|libmupdf}}}}<br />
* {{App|libspectre|Small library for rendering Postscript documents.|https://www.freedesktop.org/wiki/Software/libspectre|{{Pkg|libspectre}}}}<br />
* {{App|[[Wikipedia:Ghostscript|Ghostscript]]|Interpreter for PostScript and PDF. Provides the {{man|1|gs}} command-line interface, see also {{ic|/usr/share/doc/ghostscript/*/Use.htm}} ([https://ghostscript.com/doc/current/Use.htm online]), along with many wrapper scripts like ''ps2pdf'' and ''pdf2ps''.|https://ghostscript.com/|{{Pkg|ghostscript}}}}<br />
* {{App|DjVuLibre|Suite to create, manipulate and view DjVu documents.|http://djvu.sourceforge.net/|{{Pkg|djvulibre}}}}<br />
* {{App|libgxps|GObject based library for handling and rendering XPS documents.|https://wiki.gnome.org/Projects/libgxps|{{Pkg|libgxps}}}}<br />
<br />
== Viewers ==<br />
<br />
=== Framebuffer ===<br />
<br />
* {{App|fbgs|Poor man's PostScript/pdf viewer for the linux framebuffer console.|https://www.kraxel.org/blog/linux/fbida/|{{Pkg|fbida}}}}<br />
* {{App|fbpdf|Small framebuffer PDF and DjVu viewer based on MuPDF, with [[Vim]] keybindings and written in C|https://repo.or.cz/w/fbpdf.git|{{AUR|fbpdf-git}}}}<br />
* {{App|jfbview|Framebuffer PDF and image viewer. Features include Vim-like controls, zoom-to-fit, a TOC (outline) view and fast multi-threaded rendering.|https://github.com/jichu4n/jfbview|{{AUR|jfbview}}}}<br />
<br />
=== Graphical ===<br />
<br />
{{Note|Some [[web browser]]s can display PDF files, for example with [https://github.com/mozilla/pdf.js PDF.js].}}<br />
<br />
* {{App|[[Wikipedia:Adobe Reader|Adobe Reader]]|Proprietary PDF file viewer offered by Adobe. Discontinued for Linux.|https://www.adobe.com/products/reader.html|{{AUR|acroread}}}}<br />
* {{App|apvlv|Lightweight document viewer with [[Vim]] keybindings using GTK libraries. Supports PDF, DjVu, EPUB, HTML and TXT.|https://naihe2010.github.io/apvlv/|{{AUR|apvlv}}}}<br />
* {{App|Atril|Simple multi-page document viewer for MATE. Supports DjVu, DVI, EPS, EPUB, PDF, PostScript, TIFF, XPS and Comicbook.|https://github.com/mate-desktop/atril|{{Pkg|atril}}}}<br />
* {{App|CorePDF|Simple lightweight PDF viewer based on Qt and poppler. Part of C-Suite.|https://cubocore.org/|{{AUR|corepdf}}}}<br />
* {{App|Deepin Document Viewer|A simple PDF and DjVu reader, supporting bookmarks, highlights and annotations.|https://github.com/linuxdeepin/deepin-reader|{{Pkg|deepin-reader}}}}<br />
* {{App|DjView|Viewer for DjVu documents.|http://djvu.sourceforge.net/djview4.html|{{Pkg|djview}}}}<br />
* {{App|ePDFView|Lightweight PDF document viewer using the Poppler and GTK libraries. Development stopped.|http://freecode.com/projects/epdfview|{{Pkg|epdfview}}}}<br />
* {{App|[[Emacs]]|See also [https://github.com/politza/pdf-tools pdf-tools] for improved pdf support ({{AUR|emacs-pdf-tools-git}}) and the [https://elpa.gnu.org/packages/djvu.html djvu package] for djvu support.|https://www.gnu.org/software/emacs/|{{Pkg|emacs}}}}<br />
* {{App|[[Evince]]|Document viewer for GNOME using GTK. Supports DjVu, DVI, EPS, PDF, PostScript, TIFF, XPS and Comicbook.|https://wiki.gnome.org/Apps/Evince|{{Pkg|evince}}}}<br />
* {{App|[[Wikipedia:Foxit Reader|Foxit Reader]]|Small, fast (compared to Acrobat) proprietary PDF viewer. [https://forums.foxitsoftware.com/forum/portable-document-format-pdf-tools/foxit-reader/180532-linux-how-to-get-automatically-updates-for-foxit-reader-free-version?p&#61;180540#post180540 Discontinued for Linux].|https://www.foxitsoftware.com/pdf-reader/|{{AUR|foxitreader}}}}<br />
* {{App|gv|Graphical user interface for the Ghostscript interpreter that allows to view and navigate through PostScript and PDF documents.|https://www.gnu.org/software/gv/|{{Pkg|gv}}}}<br />
* {{App|[[llpp]]|Very fast PDF reader based off of MuPDF, that supports continuous page scrolling, bookmarking, and text search through the whole document.|https://repo.or.cz/w/llpp.git|{{AUR|llpp}}}}<br />
* {{App|[[MuPDF]]|Very fast EPUB, FictionBook, PDF, XPS and Comicbook viewer written in portable C. Features CJK font support and vim-like bindings.|https://mupdf.com/|{{Pkg|mupdf}}}}<br />
* {{App|[[Wikipedia:Okular|Okular]]|Universal document viewer for KDE. Supports CHM, Comicbook, DjVu, DVI, EPUB, FictionBook, Mobipocket, ODT, PDF, Plucker, PostScript, TIFF and XPS.|https://okular.kde.org/|{{Pkg|okular}}}}<br />
* {{App|pdfpc|Presenter console with multi-monitor support for PDF files.|https://pdfpc.github.io/|{{Pkg|pdfpc}}}}<br />
* {{App|qpdfview|Tabbed document viewer. It uses Poppler for PDF support, libspectre for PS support, DjVuLibre for DjVu support, CUPS for printing support and the Qt toolkit for its interface.|https://launchpad.net/qpdfview|{{AUR|qpdfview}}}}<br />
* {{App|Sioyek|Lightweight PDF viewer based on MuPDF with features designed for viewing research papers and technical books.|https://sioyek.info/|{{AUR|sioyek-git}}}}<br />
* {{App|[[Wikipedia:Xpdf|Xpdf]]|Viewer that can decode LZW and read encrypted PDFs.|https://www.xpdfreader.com/|{{Pkg|xpdf}}}}<br />
* {{App|Xreader|Document viewer part of the X-Apps Project. Supports DjVu, DVI, EPUB, PDF, PostScript, TIFF, XPS, Comicbook.|https://github.com/linuxmint/xreader/|{{Pkg|xreader}}}}<br />
* {{App|[[Zathura]]|Highly customizable and functional document viewer (plugin based). Supports PDF, DjVu, PostScript and Comicbook.|https://pwmt.org/projects/zathura/|{{Pkg|zathura}}}}<br />
<br />
==== Comparison ====<br />
<br />
{{Accuracy|Filling out PDF forms seems to be broken in MuPDF and llpp.}}<br />
<br />
{| class="wikitable sortable" style="text-align:center;"<br />
! Name !! PDF !! PostScript !! DjVu !! XPS !! PDF forms !! PDF Annotation !! [https://git.pwmt.org/pwmt/zathura/-/issues/26 Non-rectangle selection] !! License<br />
|-<br />
! [[Wikipedia:Adobe Reader|Adobe Reader]]<br />
| Custom || {{-}} || {{-}} || {{-}} || {{Yes}} || {{-}} || {{Yes}} || {{V|proprietary}}<br />
|-<br />
! apvlv<br />
| Poppler || {{-}} || DjVuLibre || {{-}} || {{No}} || {{-}} || {{No}} <sup>(not by default, at least)</sup> || {{B|GPLv2}}<br />
|-<br />
! Atril<br />
| Poppler || libspectre || DjVuLibre || libgxps || {{Yes}} || {{-}} || {{-}} || {{B|GPLv2}}<br />
|-<br />
! DjView<br />
| {{-}} || {{-}} || DjVuLibre || {{-}} || {{-}} || {{-}} || {{-}} || {{B|GPLv2}}<br />
|-<br />
! [[Emacs]]<br />
| colspan=2 | Ghostscript* || DjVuLibre* || {{-}} || {{No}} || {{Yes}} || {{Yes}} || {{B|GPLv3}}<br />
|-<br />
! Emacs pdf-tools<br />
| Poppler || {{-}} || {{-}} || {{-}} || {{-}} || {{Yes}} || {{Yes}} || {{B|GPLv3}}<br />
|-<br />
! ePDFView<br />
| Poppler || {{-}} || {{-}} || {{-}} || {{No}} || {{-}} || {{-}} || {{B|GPLv2}}<br />
|-<br />
! [[Evince]]<br />
| Poppler || libspectre || DjVuLibre || libgxps || {{Yes}} || {{Yes}} || {{Yes}} || {{B|GPLv2}}<br />
|-<br />
! [[Wikipedia:Foxit Reader|Foxit Reader]]<br />
| Custom || {{-}} || {{-}} || {{-}} || {{Yes}} || {{Yes}} || {{Yes}} || {{V|proprietary}}<br />
|-<br />
! gv<br />
| colspan=2 | Ghostscript || {{-}} || {{-}} || {{No}} || {{-}} || {{-}} || {{B|GPLv3}}<br />
|-<br />
! [[llpp]]<br />
| libmupdf || {{-}} || {{-}} || libmupdf || {{Yes}} || {{-}} || {{-}} || {{B|GPLv3}}<br />
|-<br />
! [[MuPDF]]<br />
| Custom || {{-}} || {{-}} || Custom || {{Yes}} <sup>({{pkg|mupdf-gl}})</sup> || {{Yes}} <sup>({{pkg|mupdf-gl}})</sup> || {{Yes}} <sup>({{pkg|mupdf-gl}})</sup> || {{B|AGPLv3}}<br />
|-<br />
! [[Wikipedia:Okular|Okular]]<br />
| Poppler || libspectre || DjVuLibre || Custom || {{Yes}} || {{Yes}} || {{Yes}} || {{B|GPL, LGPL}}<br />
|-<br />
! pdfpc<br />
| Poppler || {{-}} || {{-}} || {{-}} || {{No}} || {{-}} || {{-}} || {{B|GPLv2}}<br />
|-<br />
! qpdfview<br />
| Poppler || libspectre* || DjVuLibre* || {{-}} || {{Yes}} || {{Yes}} || {{-}} || {{B|GPLv2}}<br />
|-<br />
! [[Wikipedia:Xpdf|Xpdf]]<br />
| Custom || {{-}} || {{-}} || {{-}} || {{No}} || {{-}} || {{-}} || {{B|GPLv3}}<br />
|-<br />
! Xreader<br />
| Poppler || libspectre* || DjVuLibre* || libgxps* || {{Yes}} || {{Yes}} || {{Yes}} || {{B|GPLv2}}<br />
|-<br />
! [[Zathura]]<br />
| Poppler* / libmupdf* || libspectre* || DjVuLibre* || libmupdf* || {{No|https://git.pwmt.org/pwmt/zathura/issues/101}} || {{No|https://git.pwmt.org/pwmt/zathura/-/issues/7}} || {{No|https://git.pwmt.org/pwmt/zathura/-/issues/26}} || {{B|zlib}}<br />
|}<br />
''* Optional dependency needs to be installed''<br />
<br />
==== PDF forms ====<br />
<br />
The ''PDF forms'' column in the above table refers to [[Wikipedia:PDF#Forms|AcroForms]] support. If you do not need your input to be directly extractable from the PDF, you can also use the applications in [[#Annotation]] or [[#Graphical PDF editing]] to put text on top of a PDF. PDF forms can be created with [[LibreOffice|LibreOffice Writer]] (''View > Toolbars > Form Controls'') and the [[#Advanced editors|advanced PDF editors]].<br />
<br />
The proprietary and deprecated [[Wikipedia:XFA|XFA]] format for forms is not fully supported by Poppler[https://gitlab.freedesktop.org/poppler/poppler/issues/199][https://gitlab.freedesktop.org/poppler/poppler/issues/530] and only supported by [[#Graphical|Adobe Reader]] and [[#Advanced editors|Master PDF Editor]].<br />
<br />
Alternatively, web browsers such as [[Firefox]] or [[Chromium]] feature a built-in PDF viewer capable of filling out forms.<br />
<br />
== Annotation ==<br />
<br />
* {{App|flpsed|A PostScript and PDF annotator, only supports text boxes.|https://flpsed.org/flpsed.html|{{AUR|flpsed}}}}<br />
<br />
See also [[List of applications/Documents#Stylus note-taking]].<br />
<br />
== Graphical PDF editing ==<br />
<br />
* [[Scribus]] can import and export PDF; text is imported as polygons.[https://wiki.scribus.net/canvas/Importing_PDF_files_as_Vector_Graphics]<br />
* [[LibreOffice|LibreOffice Draw]] can import and export PDF; text is imported as text; embedded fonts are substituted.[https://bugs.documentfoundation.org/show_bug.cgi?id=82163][https://ask.libreoffice.org/en/question/38991/garbled-text-when-opening-pdfs-in-draw/]<br />
* [[Inkscape]] can import a single page from a PDF and export to PDF; text is imported as cloned glyphs or text; with the latter embedded fonts are substituted.<br />
* Graphics editors like [[GIMP]] and {{Pkg|krita}} can also import and export PDFs at the cost of [[Wikipedia:Raster graphics|rasterization]].<br />
<br />
=== Basic editors ===<br />
<br />
* {{App|jPDF Tweak|Java Swing application that can combine, split, rotate, reorder, watermark, encrypt, sign, and otherwise tweak PDF files.|http://jpdftweak.sourceforge.net/|{{AUR|jpdftweak}}}}<br />
* {{App|PDF Arranger|Helps merge or split pdf documents and rotate, crop and rearrange pages. It is a maintained fork of PDF-Shuffler.|https://github.com/jeromerobert/pdfarranger|{{Pkg|pdfarranger}}}}<br />
* {{App|PDF Chain|GTK front-end for [[#PDF tools|PDFtk]], written in C++, supporting concatenation, burst, watermarks, attaching files and more.|http://pdfchain.sourceforge.net/|{{AUR|pdfchain}}}}<br />
* {{App|PdfJumbler|Simple tool to rearrange, merge, delete and rotate pages in PDF files.|https://github.com/mgropp/pdfjumbler|{{AUR|pdfjumbler}}}}<br />
* {{App|PDF Mix Tool|Qt front-end for [[#Libraries|PoDoFo]], written in C++, supports splitting, merging, rotating and mixing PDF files.|https://scarpetta.eu/pdfmixtool/|{{Pkg|pdfmixtool}}}}<br />
* {{App|PDF Mod|Reorder, rotate, and remove pages, export images from a document, edit the title, subject, author, and keywords, and combine documents via drag and drop.|https://wiki.gnome.org/Attic/PdfMod|{{Pkg|pdfmod}}}}<br />
* {{App|PDFsam|Open source application, written in Java, supports merging, splitting and rotating.|https://pdfsam.org/|{{AUR|pdfsam}}}}<br />
* {{App|PDF Slicer|Simple application to extract, merge, rotate and reorder pages of PDF documents.|https://junrrein.github.io/pdfslicer/|{{Pkg|pdfslicer}}}}<br />
* {{App|PDF Tricks|Simple, efficient application for small manipulations in PDF files using Ghostscript.|https://github.com/muriloventuroso/pdftricks|{{Pkg|pdftricks}}}}<br />
<br />
=== Cropping tools ===<br />
<br />
* {{App|briss|Java GUI to crop pages of PDF documents to one or more regions selected.|https://sourceforge.net/projects/briss/|{{AUR|briss}}}}<br />
* {{App|krop|Simple graphical tool to crop the pages of PDF files.|https://arminstraub.com/software/krop|{{AUR|krop}}}}<br />
* {{App|pdfCropMargins|Automatically crops the margins of PDF files.|https://github.com/abarker/pdfCropMargins|{{AUR|pdfcropmargins}}}}<br />
* {{App|PdfHandoutCrop|Tool to crop pdf handout with multiple pages per sheet.|https://cges30901.github.io/pdfhandoutcrop/|{{AUR|pdfhandoutcrop}}}}<br />
<br />
=== Advanced editors ===<br />
<br />
* {{App|Master PDF Editor|Functional proprietary PDF editor. Latest version free for non-commercial use. The ''-free'' package is outdated but lacks a watermark.|https://code-industry.net/free-pdf-editor/|{{AUR|masterpdfeditor}}, {{AUR|masterpdfeditor-free}}}}<br />
* {{App|PDF Studio|All-in-one proprietary PDF editor similar to Adobe Acrobat.|https://www.qoppa.com/pdfstudio/|{{AUR|pdfstudio-bin}}}}<br />
<br />
== PDF tools ==<br />
<br />
See also [[#Engines|Ghostscript]].<br />
<br />
* {{App|Coherent PDF|Command line tools to manipulate PDF files including merge, encrypt, decrypt, scale, crop, rotate, bookmarks, stamp, logos, page numbers.|https://community.coherentpdf.com/|{{AUR|cpdf}}}}<br />
* {{App|DiffPDF|Compare the text or the visual appearance of each page in two PDF files.|https://gitlab.com/eang/diffpdf|{{Pkg|diffpdf}}}}<br />
* {{App|mupdf-tools|Tools developed as part of MuPDF, contains {{man|1|mutool}} and ''muraster''.|https://mupdf.com|{{Pkg|mupdf-tools}}}}<br />
* {{App|pdfcpu|Command-line tool to create and modify PDFs.|https://github.com/pdfcpu/pdfcpu|{{AUR|pdfcpu-git}}}}<br />
* {{App|pdfgrep|Commandline utility to search text in PDF files.|https://pdfgrep.org/|{{Pkg|pdfgrep}}}}<br />
* {{App|pdfjam|Can be used to n-up, join, rotate and flip PDFs and arrange them into a format suitable for book binding.|https://github.com/DavidFirth/pdfjam|{{Pkg|texlive-core}}}}<br />
* {{App|pdf2svg|Convert PDF files to SVG files.|http://www.cityinthesky.co.uk/opensource/pdf2svg/|{{Pkg|pdf2svg}}}}<br />
* {{App|[[Wikipedia:PDFtk|PDFtk]]|Simple tool for doing everyday things with PDF documents.|https://gitlab.com/pdftk-java/pdftk|{{pkg|pdftk}}}}<br />
* {{App|[[Wikipedia:QPDF|QPDF]]|Content-preserving PDF transformation system.|https://github.com/qpdf/qpdf|{{Pkg|qpdf}}}}<br />
* {{App|Stapler|Light alternative to PDFtk using the [[#Python|PyPDF2]] library.|https://github.com/hellerbarde/stapler|{{AUR|stapler}}, {{AUR|stapler-git}}}}<br />
<br />
=== Create a PDF from images ===<br />
<br />
With [[GraphicsMagick]]:<br />
<br />
$ gm convert 1.jpg 2.jpg 3.jpg out.pdf<br />
<br />
=== Concatenate PDFs ===<br />
<br />
With Ghostscript:<br />
<br />
$ gs -dNOPAUSE -sDEVICE=pdfwrite -sOUTPUTFILE=out.pdf -dBATCH 1.pdf 2.pdf 3.pdf<br />
<br />
With PDFtk:<br />
<br />
$ pdftk 1.pdf 2.pdf 3.pdf cat output out.pdf<br />
<br />
With Poppler:<br />
<br />
$ pdfunite 1.pdf 2.pdf 3.pdf out.pdf<br />
<br />
With QPDF:<br />
<br />
$ qpdf --empty --pages 1.pdf 2.pdf 3.pdf -- out.pdf<br />
<br />
=== Convert a PDF to text ===<br />
<br />
With Poppler and maintaining the layout:<br />
<br />
$ pdftotext -layout in.pdf out.txt<br />
<br />
See also {{man|1|pdftotext}}.<br />
<br />
=== Decrypt a PDF ===<br />
<br />
This section lists commands to decrypt a PDF to an unencrypted file. Note that most [[#Viewers|PDF viewers]] also support encrypted PDFs.<br />
<br />
With PDFtk:<br />
<br />
$ pdftk in.pdf input_pw ''password'' output out.pdf<br />
<br />
With Poppler to PostScript:<br />
<br />
$ pdftops -upw ''password'' in.pdf out.ps<br />
<br />
With QPDF:<br />
<br />
$ qpdf --decrypt --password=''password'' in.pdf out.pdf<br />
<br />
{{Tip|Forgotten passwords might be recovered with {{Pkg|pdfcrack}}, see {{man|1|pdfcrack}}.}}<br />
<br />
=== Encrypt a PDF ===<br />
<br />
The ''user password'' is used for encryption and the ''owner password'' to restrict operations once the document is decrypted; for more information, see [[Wikipedia:PDF#Security and signatures]].<br />
<br />
With PDFtk:<br />
<br />
$ pdftk in.pdf output out.pdf user_pw ''password''<br />
<br />
With [[#Libraries|PoDoFo]]:<br />
<br />
$ podofoencrypt -u ''user_password'' -o ''owner_password'' in.pdf out.pdf<br />
<br />
With QPDF:<br />
<br />
$ qpdf --encrypt ''user_password'' ''owner_password'' ''key_length'' -- in.pdf out.pdf<br />
<br />
where {{ic|''key_length''}} can be 40, 128 or 256.<br />
<br />
=== Extract images from a PDF ===<br />
<br />
With Poppler to JPEG:<br />
<br />
$ pdfimages ''infile''.pdf -j ''outfileroot''<br />
<br />
=== Extract page range from PDF, split multipage PDF document ===<br />
<br />
With Ghostscript as a single file[https://forums.freebsd.org/threads/split-pdf-file.58902/#post-336971]:<br />
<br />
$ gs -sDEVICE=pdfwrite -dNOPAUSE -dBATCH -dSAFER -dFirstPage=''first'' -dLastPage=''last'' -sOutputFile=''outfile''.pdf ''infile''.pdf<br />
<br />
With PDFtk as a single file:<br />
<br />
$ pdftk ''infile''.pdf cat ''first''-''last'' output ''outfile''.pdf<br />
<br />
With Poppler as separate files:<br />
<br />
$ pdfseparate -f ''first'' -l ''last'' ''infile''.pdf ''outfileroot''-%d.pdf<br />
<br />
With QPDF as a single file:<br />
<br />
$ qpdf --empty --pages ''infile''.pdf ''first''-''last'' -- ''outfile''.pdf<br />
<br />
With mutool as a single file:<br />
<br />
$ mutool clean -g ''infile''.pdf ''outfile''.pdf ''first''-''last''<br />
<br />
=== Imposing a PDF ===<br />
<br />
PDF [[Wikipedia:Imposition|Imposition]] (e.g. combining multiple pages onto one sheet) can be done with [[#PDF tools|pdfjam]]: for example, ''pdfnup'' reduces paper waste by placing several pages on one sheet, and ''pdfbook'' arranges PDFs into a format suitable for book binding.<br />
<br />
=== Inspecting metadata ===<br />
<br />
With [[ExifTool]]:<br />
<br />
$ exiftool file.pdf<br />
<br />
With Poppler:<br />
<br />
$ pdfinfo file.pdf<br />
<br />
=== Optimize, reduce size of a PDF ===<br />
<br />
With Ghostscript one of:<br />
<br />
$ ps2pdf -dPDFSETTINGS=/screen in.pdf out.pdf<br />
$ gs -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/printer -sOutputFile=out.pdf in.pdf<br />
<br />
For different settings see the [https://www.ghostscript.com/doc/VectorDevices.htm#PSPDF_IN documentation].<br />
<br />
There is also {{AUR|shrinkpdf}}, a script wrapping gs.<br />
<br />
=== Rasterize a PDF ===<br />
<br />
With [[GraphicsMagick]] to convert a specific page:<br />
<br />
$ gm convert -density ''dpi'' ''infile''.pdf[''page''] ''outfile''.jpg<br />
<br />
With Poppler to convert all pages:<br />
<br />
$ pdftoppm -jpeg -r ''dpi'' ''infile''.pdf ''outfileroot''<br />
<br />
With Poppler to convert a specific page:<br />
<br />
$ pdftoppm -jpeg -r ''dpi'' -f ''page'' -singlefile ''infile''.pdf ''outfileroot''<br />
<br />
=== Splitting PDF pages ===<br />
<br />
With mupdf-tools to split every page vertically into two pages:<br />
<br />
$ mutool poster -y 2 in.pdf out.pdf<br />
<br />
This can be used to undo simple [[#Imposing a PDF|imposition]].<br />
<br />
=== Add signature.png or image to one of the pages in the PDF ===<br />
<br />
Adding an image to any location in a PDF can be done:<br />
* with [[ImageMagick]] (convert), xv and pdftk. ([http://emmanuel.branlard.free.fr/work/linux/dev/SignPDF/SignPDF Wrapper script])<br />
* with [[xournal]]<br />
* with [[libreoffice]]<br />
Details on these and other solutions can be found [https://unix.stackexchange.com/questions/85873/how-can-i-add-a-signature-png-to-a-pdf-in-linux on StackExchange].<br />
<br />
=== Add digital signature to PDF ===<br />
<br />
Readers such as Okular and MuPDF can add digital signatures to PDFs. This requires a PFX certificate, which can be created with [[OpenSSL#Generate_a_self-signed_certificate_with_private_key_in_a_single_command]]:<br />
<br />
$ openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem<br />
$ openssl pkcs12 -export -in cert.pem -out cert.pfx<br />
<br />
MuPDF users can then sign PDFs with {{ic|cert.pfx}} using the graphical interface or {{ic|mutool sign}} [https://www.mupdf.com/docs/manual-mutool-sign.html].<br />
<br />
Okular users must import {{ic|cert.pfx}} into a certificate store such as the one in the default Firefox profile [https://docs.kde.org/trunk5/en/okular/okular/signatures.html]. In Firefox this is done through ''Settings > Privacy & Security > View Certificates > Your Certificates > Import'' and selecting {{ic|cert.pfx}}. Afterwards, Okular offers this certificate when signing PDFs.<br />
<br />
LibreOffice can also sign PDFs [https://help.libreoffice.org/6.3/en-US/text/shared/guide/digital_signatures.html].<br />
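The certificate generation above, as an added example that is not part of the wiki page: a POSIX shell script that runs the two ''openssl'' steps without prompts (the subject name, scratch directory and PFX passphrase are placeholders chosen here) and then checks that the PFX opens with its passphrase and carries the same certificate as {{ic|cert.pem}} before it is imported into MuPDF, Okular or Firefox.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): build the PDF-signing
# certificate from the section above non-interactively and verify the
# PFX bundle. Subject name, directory and passphrase are placeholders.
set -eu

# make_signing_cert DIR COMMON_NAME PFX_PASSPHRASE
# Writes DIR/cert.pem (private key followed by the self-signed certificate,
# as the page's single-command recipe does) and DIR/cert.pfx.
make_signing_cert() {
    dir=$1; cn=$2; pw=$3
    # -nodes: the PEM private key is stored unencrypted; the PFX passphrase
    # protects the bundle that the PDF reader actually imports.
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/cert.pem" -out "$dir/cert.pem" 2>/dev/null
    # No -inkey: openssl takes the private key from the same PEM file.
    openssl pkcs12 -export -in "$dir/cert.pem" -out "$dir/cert.pfx" \
        -name "$cn" -passout "pass:$pw"
    chmod 600 "$dir/cert.pem" "$dir/cert.pfx"
}

# cert_fingerprint PEM_FILE
# Prints the SHA-256 fingerprint of the certificate found in PEM_FILE
# (the private key block preceding it is skipped by openssl x509).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# verify_pfx PFX_FILE PEM_FILE PFX_PASSPHRASE
# Returns 0 only if the PFX opens with the passphrase and the certificate
# inside it has the same SHA-256 fingerprint as the one in PEM_FILE.
verify_pfx() {
    pfx=$1; pem=$2; pw=$3
    want=$(cert_fingerprint "$pem")
    # Extract only the certificate from the bundle and fingerprint it;
    # a wrong passphrase makes the pipeline fail and leaves $got empty.
    got=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || got=""
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Demonstration in a scratch directory; all values are placeholders.
work=$(mktemp -d)
make_signing_cert "$work" "Example PDF Signer" "change-me"
if verify_pfx "$work/cert.pfx" "$work/cert.pem" "change-me"; then
    echo "cert.pfx verified:"
    openssl x509 -in "$work/cert.pem" -noout -subject -enddate
fi
rm -rf "$work"
```

On OpenSSL 3 the PFX is written with AES-based PKCS#12 encryption; if an older importer rejects it, add {{ic|-legacy}} to the export command.<br />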
<br />
=== Removing annotations from a PDF ===<br />
<br />
With {{AUR|perl-cam-pdf}}:<br />
<br />
$ rewritepdf.pl -C in.pdf out.pdf<br />
<br />
See https://superuser.com/a/1051543 for more information.<br />
<br />
== DjVu tools ==<br />
<br />
* [[#Engines|DjVuLibre]] provides many command-line tools, like {{man|1|ddjvu}} for example.<br />
* {{App|img2djvu|Single-pass DjVu encoder based on DjVu Libre and ImageMagick.|https://github.com/ashipunov/img2djvu|{{AUR|img2djvu-git}}}}<br />
* {{App|pdf2djvu|Creates DjVu files from PDF files.|https://jwilk.net/software/pdf2djvu|{{AUR|pdf2djvu}}}}<br />
<br />
=== Convert DjVu to images ===<br />
<br />
Break Djvu into separate pages:<br />
<br />
$ djvmcvt -i input.djvu /path/to/out/dir output-index.djvu<br />
<br />
Convert Djvu pages into images:<br />
<br />
$ ddjvu --format=tiff page.djvu page.tiff<br />
<br />
Convert Djvu pages into PDF:<br />
<br />
$ ddjvu --format=pdf inputfile.djvu outputfile.pdf<br />
<br />
You can also use ''--page'' to export specific pages:<br />
<br />
$ ddjvu --format=tiff --page=1-10 input.djvu output.tiff<br />
<br />
This will convert pages 1 to 10 into one TIFF file.<br />
<br />
=== Processing images ===<br />
<br />
You can use {{Pkg|scantailor-advanced}} to:<br />
<br />
* fix orientation<br />
* split pages<br />
* deskew<br />
* crop<br />
* adjust margins<br />
<br />
=== Make DjVu from images ===<br />
<br />
There is a useful script {{AUR|img2djvu-git}}.<br />
<br />
$ img2djvu -c1 -d600 -v1 ./out<br />
<br />
This will create a 600 DPI {{ic|out.djvu}} from all files in the {{ic|./out}} directory.<br />
<br />
Alternatively, you can try {{AUR|didjvu}}, which seems to create smaller files especially on images with well defined background.<br />
<br />
== PostScript tools ==<br />
<br />
* {{App|pstotext|Converts PostScript files to text.|https://www.cs.wisc.edu/~ghost/doc/pstotext.htm|{{Pkg|pstotext}}}}<br />
* [[#Engines|Ghostscript]]<br />
<br />
=== ps2pdf ===<br />
<br />
''ps2pdf'' is a wrapper around ghostscript to convert PostScript to PDF:<br />
<br />
$ ps2pdf -sPAPERSIZE=a4 -dOptimize=true -dEmbedAllFonts=true YourPSFile.ps<br />
<br />
Explanation:<br />
<br />
* with {{ic|1=-sPAPERSIZE=something}} you define the paper size. For valid PAPERSIZE values, see [https://ghostscript.com/doc/current/Use.htm#Known_paper_sizes].<br />
* {{ic|1=-dOptimize=true}} lets the created PDF be optimised for loading.<br />
* {{ic|1=-dEmbedAllFonts=true}} embeds all fonts in the PDF, so it renders the same on systems that do not have those fonts installed.<br />
<br />
{{Note|You cannot choose the paper orientation in ps2pdf. If your input PS file is healthy, it already contains the orientation information. If you are trying to use an Encapsulated PS file, you will have problems if it does not fit in the {{ic|1=-sPAPERSIZE}} you specified, because EPS files usually do not contain paper orientation information. A workaround is to create a new paper size in the ghostscript settings (call it e.g. "slide") and use it as {{ic|1=-sPAPERSIZE=slide}}.}}<br />
<br />
== Libraries ==<br />
<br />
* {{App|libharu|C library for generating PDF documents.|https://github.com/libharu/libharu|{{Pkg|libharu}}, Lua binding: {{AUR|lua-hpdf}}}}<br />
* {{App|PoDoFo|A C++ library to work with the PDF file format.|http://podofo.sourceforge.net|{{Pkg|podofo}}}}<br />
<br />
=== Python ===<br />
<br />
* {{App|PDFMiner|Utils to extract, analyze text data of PDF files. Includes pdf2txt, dumppdf, and latin2ascii|https://www.unixuser.org/~euske/python/pdfminer/|{{Pkg|python-pdfminer}}, {{AUR|pdfminer}}}}<br />
* {{App|pdfrw|A pure Python library that reads and writes PDFs.|https://github.com/pmaupin/pdfrw|{{Pkg|python-pdfrw}}, {{AUR|python2-pdfrw}}}}<br />
* {{App|PyPDF3|A pure-Python library built as a PDF toolkit.|https://github.com/sfneal/PyPDF3|{{AUR|python-pypdf3}}}}<br />
* {{App|PyX|Python library for the creation of PostScript and PDF files.|http://pyx.sourceforge.net|{{Pkg|python-pyx}}}}<br />
* {{App|ReportLab|A proven industry-strength PDF generating solution|https://www.reportlab.com/|{{Pkg|python-reportlab}}, {{AUR|python2-reportlab}}}}<br />
<br />
== See also ==<br />
<br />
* [[List of applications/Documents#Readers and viewers]]<br />
* [[List of applications/Documents#OCR software]]<br />
* [[Wikipedia:List of PDF software]]<br />
* PDF References<br />
** [https://web.archive.org/web/20210116133007/https://www.adobe.com/devnet/pdf/pdf_reference.html PDF Reference and Adobe Extensions to the PDF Specification]<br />
** [[Wikipedia:PDF#Further reading]]</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Firefox/Privacy&diff=731390Firefox/Privacy2022-06-03T01:00:23Z<p>Kiasoc5: /* Web search over Searx */ Add missing "can", set searx urls to github organization</p>
<hr />
<div>[[Category:Web browser]]<br />
[[ja:Firefox プライバシー]]<br />
{{Related articles start}}<br />
{{Related|Firefox}}<br />
{{Related|Tor}}<br />
{{Related|Browser extensions}}<br />
{{Related|Browser Plugins}}<br />
{{Related|Firefox/Tweaks}}<br />
{{Related|Firefox/Profile on RAM}}<br />
{{Related articles end}}<br />
<br />
This article overviews how to configure Firefox to enhance security and privacy.<br />
<br />
== Configuration ==<br />
<br />
The following are privacy-focused tweaks to prevent [https://www.amiunique.org/faq browser fingerprinting] and tracking.<br />
<br />
=== Tracking protection ===<br />
<br />
Firefox gained an option for [https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop Enhanced Tracking Protection]. It can be enabled in different levels via the GUI ''Settings -> Privacy & Security'', or by setting {{ic|about:config}}:<br />
<br />
* {{ic|privacy.trackingprotection.enabled}} {{ic|true}}<br />
<br />
Apart from privacy benefits, enabling [http://venturebeat.com/2015/05/24/firefoxs-optional-tracking-protection-reduces-load-time-for-top-news-sites-by-44/ tracking protection] may also reduce load time by 44%.<br />
<br />
Note that this is not a replacement for ad blocking extensions such as [[Browser extensions#Content blockers|uBlock Origin]] and it may or may not work with [[List of applications/Internet#Firefox_spin-offs|Firefox forks]]. If you are already running such an ad blocker with the correct lists, tracking protection might be redundant.<br />
<br />
=== Anti-fingerprinting ===<br />
<br />
The Firefox [[#Tracking protection|tracking protection]] blocks a list of known "fingerprinters" when your privacy settings are set to ''Standard'' (the default) or ''Strict''. Fingerprinting Protection is a different, experimental feature under heavy development in Firefox.<br />
<br />
Mozilla has started an [[MozillaWiki:Security/Fingerprinting|anti-fingerprinting project in Firefox]], as part of a project to upstream features from [[Tor Browser]]. Many of these anti-fingerprinting features are enabled by this setting in the {{ic|about:config}}:<br />
<br />
* {{ic|privacy.resistFingerprinting}} {{ic|true}}<br />
<br />
{{Warning|This is an experimental feature and can cause some website breakage: the time zone is reported as UTC, and websites will prefer the light theme.}}<br />
<br />
For more information see: [https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting Firefox's protection against fingerprinting].<br />
<br />
=== Change browser time zone ===<br />
<br />
The time zone of your system can be used in browser fingerprinting. To set Firefox's time zone to UTC launch it as:<br />
<br />
$ TZ=UTC firefox<br />
<br />
Or, set a script to launch the above (for example, at {{ic|/usr/local/bin/firefox}}).<br />
<br />
=== Change user agent and platform ===<br />
<br />
You can override Firefox's user agent with the {{ic|general.useragent.override}} preference in {{ic|about:config}}.<br />
<br />
The value for the key is your browser's user agent. Select a known common one.<br />
<br />
{{Tip|<br />
* The value {{ic|Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0}} is used as the user agent for the Tor browser, thus being very common.<br />
* The [[#Anti-fingerprinting]] option also enables the Tor browser user agent and changes your browser platform automatically.<br />
}}<br />
<br />
{{Warning|Changing the user agent without changing to a corresponding platform will make your browser nearly unique.}}<br />
<br />
To change the platform for firefox, add the following {{ic|string}} key in {{ic|about:config}}:<br />
<br />
general.platform.override<br />
<br />
Select a known common platform that corresponds with your user agent.<br />
<br />
{{Tip|The value {{ic|Win32}} is used as the platform for the Tor browser, corresponding with the user agent provided above.}}<br />
<br />
=== WebRTC exposes LAN IP address ===<br />
<br />
To prevent websites from obtaining your local IP address via [[wikipedia:WebRTC|WebRTC]] peer-to-peer connections (set up from JavaScript), open {{ic|about:config}} and set:<br />
<br />
* {{ic|media.peerconnection.ice.default_address_only}} to {{ic|true}}<br />
* {{ic|media.peerconnection.enabled}} to {{ic|false}}. (only if you want to completely disable WebRTC)<br />
<br />
You can use this [https://net.ipcalf.com/ WebRTC test page] and [https://ipleak.net/ WebRTC IP Leak VPN / Tor IP Test] to confirm that your internal/external IP address is no longer leaked.<br />
<br />
=== Disable HTTP referer ===<br />
<br />
[[Wikipedia:HTTP referer|HTTP referer]] is an optional HTTP header field that identifies the address of the previous webpage from which a link to the currently requested page was followed.<br />
<br />
Set {{ic|network.http.sendRefererHeader}} to {{ic|0}} or {{ic|1}}, depending on your [[MozillaWiki:Security/Referrer|preferences]].<br />
<br />
{{Note|Some sites use the referer header to control origin conditions. Disabling this header completely may cause site breaking. In this case adjusting {{ic|network.http.referer.XOriginPolicy}} may provide a better solution.}}<br />
<br />
=== Disable connection tests ===<br />
<br />
By default Firefox attempts to connect to Amazon and/or Akamai servers at [https://bugzilla.mozilla.org/show_bug.cgi?id=1363651 regular] [https://bugzilla.mozilla.org/show_bug.cgi?id=1359697#c3 intervals] to test your connection. For example, a hotel, restaurant or other business might require you to enter a password to access the internet. If such a [[wikipedia:Captive_portal|captive portal]] exists and is blocking traffic, this feature blocks all other connection attempts. This may leak your usage habits.<br />
<br />
To disable Captive Portal testing, in {{ic|about:config}} set:<br />
<br />
* {{ic|network.captive-portal-service.enabled}} to {{ic|false}}<br />
<br />
{{Note|A [https://www.ghacks.net/2020/02/19/why-is-firefox-establishing-connections-to-detectportal-firefox-com-on-start/ report states that] the [https://vpn.mozilla.org/ Mozilla VPN] is unable to connect when this is disabled.}}<br />
<br />
=== Disable telemetry ===<br />
<br />
Set {{ic|toolkit.telemetry.enabled}} to {{ic|false}} and/or disable it under ''Preferences > Privacy & Security > Firefox Data Collection and Use''.<br />
<br />
=== Enable "Do Not Track" header ===<br />
<br />
Set {{ic|privacy.donottrackheader.enabled}} to {{ic|true}} or toggle it in ''Preferences > Privacy & Security > Tracking Protection''<br />
<br />
{{Note|The remote server may choose to not honour the "Do Not Track" request.}}<br />
<br />
{{Warning|The "Do Not Track" header (DNT) may actually be used to fingerprint your browser, since most users leave the option disabled.}}<br />
<br />
=== Disable/enforce 'Trusted Recursive Resolver' ===<br />
<br />
Firefox 60 introduced a feature called [[mozillawiki:Trusted Recursive Resolver|Trusted Recursive Resolver]] (TRR). It bypasses the DNS servers configured in your system, instead sending all DNS requests over HTTPS to Cloudflare servers. While this is significantly more secure (as "classic" DNS requests are sent in plain text over the network, and everyone along the way can snoop on them), it also makes all your DNS requests readable by Cloudflare, which operates the TRR servers.<br />
<br />
* If you trust DNS servers you have configured yourself more than Cloudflare's, you can disable TRR in {{ic|about:config}} by setting {{ic|network.trr.mode}} (integer, create it if it does not exist) to {{ic|5}}. (A value of 0 means disabled by default, and might be overridden by future updates - a value of 5 is disabled by choice and will not be overridden.)<br />
* If you trust Cloudflare DNS servers and would prefer extra privacy (thanks to encrypted DNS requests), you can enforce TRR by setting {{ic|network.trr.mode}} to {{ic|3}} (which completely disables classic DNS requests) or {{ic|2}} (uses TRR by default, falls back to classic DNS requests if that fails). Keep in mind that if you are using any intranet websites or trying to access computers in your local networks by their hostnames, enabling TRR may break name resolving in such cases.<br />
* If you want to encrypt your DNS requests but not use Cloudflare servers, you can point to a new DNS over HTTPS server by setting {{ic|network.trr.uri}} to your resolver URL. A list of currently available resolvers can be found in the [https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers curl wiki], along with other configuration options for TRR.<br />
<br />
=== Disable geolocation ===<br />
<br />
Set {{ic|geo.enabled}} to {{ic|false}} in {{ic|about:config}}.<br />
<br />
{{Note|This may break websites that need access to your location. One may want to simply allow location access per site, instead of disabling this feature completely.}}<br />
<br />
=== Disable 'Safe Browsing' service ===<br />
<br />
Safe Browsing offers phishing protection and malware checks; however, it may send user information (e.g. URLs, file hashes, etc.) to third parties like Google.<br />
<br />
To disable the Safe Browsing service, in {{ic|about:config}} set: <br />
<br />
* {{ic|browser.safebrowsing.malware.enabled}} to {{ic|false}}<br />
* {{ic|browser.safebrowsing.phishing.enabled}} to {{ic|false}}<br />
<br />
In addition disable download checking, by setting {{ic|browser.safebrowsing.downloads.enabled}} to {{ic|false}}.<br />
<br />
=== Disable WebGL ===<br />
<br />
WebGL is a potential security risk.[https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern] Set {{ic|webgl.disabled}} to {{ic|true}} in {{ic|about:config}} if you want to disable it.<br />
<br />
== Extensions ==<br />
<br />
See [[Browser extensions#Privacy]].<br />
<br />
=== Disable WebAssembly (and JavaScript) ===<br />
<br />
Also known as Wasm, [[wikipedia:Webassembly|WebAssembly]] is a relatively new language. As opposed to JavaScript, Wasm executes ''pre-compiled code'' natively in browsers for high-performance simulations and applications. It has been criticized for hiding pathways for malware and [https://trac.torproject.org/projects/tor/ticket/21549 as with JavaScript, can be used to track users]. Tor Browser blocks both JavaScript and Wasm.<br />
<br />
See ''NoScript'' in [[Browser extensions#Privacy]] to block JavaScript the way Tor Browser does, which enables quick access when needed. To disable Wasm, in {{ic|about:config}} set:<br />
<br />
* {{ic|javascript.options.wasm}} to {{ic|false}}<br />
* {{ic|javascript.options.wasm_baselinejit}} to {{ic|false}}<br />
* {{ic|javascript.options.wasm_ionjit}} to {{ic|false}}<br />
<br />
=== Remove system-wide hidden extensions ===<br />
<br />
Some extensions are hidden and installed by default in {{ic|/usr/lib/firefox/browser/features}}. Many can be safely removed via {{ic|rm ''extension-name''.xpi}}. They might not be enabled by default and may have a menu option for enabling or disabling. Note that any files removed will return upon update of the {{pkg|firefox}} package. To keep these extensions removed, consider adding the directories to {{ic|1=NoExtract=}} in {{ic|pacman.conf}}, see [[Pacman#Skip files from being installed to system]]. Some extensions include:<br />
<br />
* {{ic|doh-rollout@mozilla.org.xpi}} - DoH Roll-Out (do not remove if you chose to use [[#Disable/enforce 'Trusted Recursive Resolver']] above).<br />
* {{ic|screenshots@mozilla.org.xpi}} - Firefox Screenshots.<br />
* {{ic|webcompat-reporter@mozilla.org.xpi}} - For reporting sites that are compromised in Firefox, so Mozilla can improve Firefox or patch the site dynamically using the {{ic|webcompat@mozilla.org.xpi}} extension.<br />
* All combined user and system extensions are listed in {{ic|about:support}}. See [https://dxr.mozilla.org/mozilla-release/source/browser/extensions/] for a full list of system extensions including README files describing their functions.<br />
<br />
Firefox installations to paths such as the default release installed to {{ic|/opt}} have system extensions installed at {{ic|/firefox/firefox/browser/features}}.<br />
<br />
== Web search over Searx ==<br />
<br />
Privacy can be boosted by reducing the amount of information you give to a single entity. For example, sending each new web search via a different, randomly selected proxy makes it near impossible for a single search engine to build a profile of you. We can do this using public instances (or sites) of [https://searx.me/ Searx]. Searx is an [https://github.com/searx/searx/blob/master/LICENSE AGPL-3.0], [https://github.com/searx/searx open-source] site-builder that produces sites known as 'instances'. Each public 'instance' can act as a middle-man between you and a myriad of different search engines.<br />
<br />
From [https://searx.space/ this list of public instances] and [https://searx.neocities.org/nojs.html others], bookmark as many Searx sites as you wish (if JavaScript is disabled you will need to enable it temporarily to load the list). For fast access to these bookmarks, consider adding {{ic|SX1}}, {{ic|SX2}} ... {{ic|SX(n)}} to the bookmark's ''Name'' field, with {{ic|(n)}} being the number of searx instances you bookmark.<br />
<br />
After this bookmarking, simply typing {{ic|sx}}, a number and {{ic|Enter}} in the URL bar will load an instance.<br />
<br />
{{Note|Update the above bookmarks from time to time or as instances become unreliable to reduce your online fingerprint.}}<br />
<br />
{{Tip|<br />
* If you have a web server and available bandwidth, consider running a public Searx instance to help others improve their privacy ([https://searx.github.io/searx/ more info]).<br />
* For increased privacy, use Searx instances with [[Tor Browser]], which uses onion-routing to provide a degree of anonymity.<br />
* You can improve your privacy further by running a private instance of Searx locally. [[Install]] the {{AUR|searx}} package and [[start]] {{ic|uwsgi@searx.service}}. Searx will be available on http://localhost:8888/.}}<br />
<br />
== Watch videos over Invidious ==<br />
<br />
Invidious instances act as an alternative front-end to YouTube. They are websites built from [https://github.com/iv-org/invidious open-source code]. It has typically been difficult to limit the amount of information a user sent to YouTube (Google) in order to access content.<br />
<br />
Benefits of using Invidious include:<br />
<br />
* Videos are accessible without running scripts. YouTube forces users to run scripts.<br />
* Videos can be saved for future viewing, or for viewing by others, including when offline. This reduces feedback sent to Google about when content is viewed or re-viewed.<br />
* An optional audio-only mode that reduces bandwidth usage. When combined with a browser like [[Tor]], using fewer data packets on a more lightweight website is likely to improve your anonymity.<br />
* Invidious is a free and open-source interface that makes setting up an independent, private video-hosting service easier. As such, there are websites that use Invidious to serve their own content or content removed from YouTube. Therefore it may help limit the profile-building capabilities of YouTube into the future (see note).<br />
<br />
Bookmark as many ''functioning'' invidious instances from the following lists as possible ([https://github.com/iv-org/invidious/wiki/Invidious-Instances here], [https://invidio.us/ here], [https://solmu.org/pub/misc/invidio.html here]). Note that some of these instances may be hosted by Cloudflare.<br />
<br />
You can change any YouTube video URL to an Invidious one by simply replacing the {{ic|youtube.com}} part with the domain of the instance you want to use.<br />
<br />
{{Note|Invidious does not index videos from Facebook or Cloudflare servers. Additionally, content is generally still sent to users from Google servers. For added privacy, see [[Tor Browser]].}}<br />
<br />
== Enterprise policies ==<br />
<br />
Network and system-wide policies may be established through the use of [https://support.mozilla.org/en-US/kb/managing-policies-linux-desktops enterprise policies], which both supplement and override user configuration preferences. For example, there is no documented user preference to disable the checking of updates for beta channel releases. However, there exists an enterprise policy which can be effectively deployed as a workaround. Single and/or multiple policies may be administered through {{ic|policies.json}} as follows:<br />
<br />
* Disable application updates<br />
* Force-enable hardware acceleration<br />
<br />
{<br />
"policies": {<br />
"DisableAppUpdate": true,<br />
"HardwareAcceleration": true<br />
}<br />
}<br />
<br />
Verify that {{ic|Enterprise Policies}} is set to {{ic|Active}} in {{ic|about:support}} and review release-specific policies in {{ic|about:policies}}.<br />
<br />
== Sanitized profiles ==<br />
<br />
=== prefs.js ===<br />
<br />
Files which constitute a Firefox profile can be stripped of certain metadata. For example, a typical {{ic|prefs.js}} contains strings which identify the client and/or the user.<br />
<br />
user_pref("app.normandy.user_id", "6f469186-12b8-50fb-bdf2-209ebc482c263");<br />
user_pref("security.sandbox.content.tempDirSuffix", "2a02902b-f25c-a9df-17bb-501350287f27");<br />
user_pref("toolkit.telemetry.cachedClientID", "22e251b4-0791-44f5-91ec-a44d77255f4a");<br />
<br />
There are multiple approaches by which these strings can be reset, with the caveat that a master {{ic|prefs.js}} must first be created without such identifiers and synced into a working profile. The simplest solution is to close Firefox before copying its {{ic|prefs.js}} to a separate location:<br />
<br />
$ cp ~/.mozilla/firefox/example.default-release/prefs.js ~/prefs.sanitized.js<br />
<br />
Strip out any and all identifier strings and date codes, by either setting them to 0 or removing the entries outright from the copied {{ic|prefs.js}}. Sync the now sanitized {{ic|prefs.js}} to the working profile as required:<br />
<br />
$ rsync -v ~/prefs.sanitized.js ~/.mozilla/firefox/example.default-release/prefs.js<br />
<br />
{{Note|Required identifier and date code entries and/or strings will automatically be repopulated and reset to new values during the next launch of Firefox}}<br />
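The stripping step above can be automated. The following script is an added example, not code from the wiki or from Mozilla: it drops the identifier prefs named above (plus any pref whose value is UUID-shaped) and resets prefs whose names look like date codes to {{ic|0}}; the date-code name patterns and the sample prefs.js are assumptions constructed for the example.<br />

```python
"""Sanitize a Firefox prefs.js: drop client/user identifiers, zero date codes.

Added example (not from the wiki page). Usage:
    python sanitize_prefs.py ~/prefs.sanitized.js > prefs.clean.js
"""
import re
import sys

# A prefs.js line looks like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')
# A quoted UUID-like value (the trailing group is allowed to be longer than 12
# hex digits, because real-world prefs.js files are not always well-formed).
UUID_RE = re.compile(r'^"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12,}"$')

# Prefs the wiki page names as carrying client/user identifiers.
IDENTIFIER_PREFS = {
    "app.normandy.user_id",
    "security.sandbox.content.tempDirSuffix",
    "toolkit.telemetry.cachedClientID",
}
# Assumption: pref names containing these fragments hold timestamps/date codes.
DATE_NAME_RE = re.compile(
    r"(lastUpdateTime|lastMaintenance|last_success|lastDailyNotification"
    r"|mostRecentDate|installDate|updateDate)",
    re.IGNORECASE,
)


def sanitize_line(line):
    """Return (new_line, reason). new_line is None when the line is dropped."""
    m = PREF_RE.match(line)
    if not m:
        # Comments, blank lines and anything unexpected are kept verbatim.
        return line, None
    name, value = m.group(1), m.group(2).strip()
    if name in IDENTIFIER_PREFS or UUID_RE.match(value):
        # Remove outright; Firefox regenerates a fresh value on next launch.
        return None, "identifier"
    if DATE_NAME_RE.search(name) and value.lstrip("-").isdigit():
        # Keep the pref but reset the numeric date code to 0.
        ending = "\n" if line.endswith("\n") else ""
        return 'user_pref("%s", 0);%s' % (name, ending), "date"
    return line, None


def sanitize_prefs(text):
    """Sanitize the whole file text. Returns (new_text, counts) where counts
    records how many lines were dropped ("identifier") or zeroed ("date")."""
    out = []
    counts = {"identifier": 0, "date": 0}
    for line in text.splitlines(keepends=True):
        new_line, reason = sanitize_line(line)
        if reason:
            counts[reason] += 1
        if new_line is not None:
            out.append(new_line)
    return "".join(out), counts


# Constructed sample input (not a real profile); the UUID values are the
# ones quoted on the wiki page plus one made-up pref holding another UUID.
SAMPLE_PREFS = (
    "# Mozilla User Preferences\n"
    'user_pref("app.normandy.user_id", "6f469186-12b8-50fb-bdf2-209ebc482c263");\n'
    'user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1654000000);\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("some.vendor.guid", "2a02902b-f25c-a9df-17bb-501350287f27");\n'
    'user_pref("toolkit.telemetry.enabled", false);\n'
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_PREFS
    cleaned, stats = sanitize_prefs(source)
    sys.stdout.write(cleaned)
    sys.stderr.write("dropped %(identifier)d identifier prefs, zeroed %(date)d date codes\n" % stats)
```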
<br />
A secondary privacy effect can be observed by comparing the string results for a sanitized {{ic|prefs.js}} versus a working {{ic|prefs.js}} at the [https://fingerprintjs.com/demo Fingerprint JS API Demo].<br />
<br />
=== extensions.json ===<br />
<br />
Assuming that extensions are installed, the {{ic|extensions.json}} file lists all profile extensions and their settings. Of note is the location of the user home directory where the {{ic|.mozilla}} and {{ic|extensions}} folder exist by default. Unwanted background updates may be disabled by setting {{ic|applyBackgroundUpdates}} to the appropriate {{ic|0}} value. Of minor note are {{ic|installDate}} and {{ic|updateDate}}. [[Bubblewrap#Firefox|Bubblewrap]] can effectively mask the username and location of the home directory at which time the {{ic|extensions.json}} file may be sanitized and modified to point to the sandboxed {{ic|HOME}} location.<br />
<br />
{"schemaVersion":31,"addons":[{"id":"uBlock0@raymondhill.net","syncGUID":"{0}","version":"0","type":"extension","optionsURL":"dashboard.html","optionsType":3,"optionsBrowserStyle":true,"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":0,"updateDate":0,"applyBackgroundUpdates":0,"path":"/home/r/.mozilla/firefox/example.default-release/extensions/uBlock0@raymondhill.net.xpi","skinnable":false,"softDisabled":false,"foreignInstall":true,"strictCompatibility":true}}<br />
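The rewrite of {{ic|extensions.json}} described above, as an added example that is not part of the wiki page or of Firefox: it zeroes {{ic|installDate}}, {{ic|updateDate}} and {{ic|applyBackgroundUpdates}} and rewrites the {{ic|path}} prefix to the sandboxed {{ic|HOME}}; the home directories and the sample file are assumptions constructed for the example.<br />

```python
"""Sanitize a Firefox extensions.json for use under a sandboxed HOME.

Added example (not from the wiki page). Usage:
    python sanitize_extensions.py extensions.json /home/r /home/sandbox > extensions.clean.json
"""
import json
import sys


def sanitize_extensions_json(text, old_home, new_home):
    """Return (new_text, number_of_fields_changed).

    old_home is the real home directory recorded in the file, new_home the
    HOME path the sandbox (e.g. Bubblewrap) presents to Firefox.
    """
    data = json.loads(text)
    changed = 0
    for addon in data.get("addons", []):
        # Date codes: reset to 0 (Firefox tolerates this and repopulates as needed).
        for key in ("installDate", "updateDate"):
            if addon.get(key, 0) != 0:
                addon[key] = 0
                changed += 1
        # Disable background updates for this add-on.
        if addon.get("applyBackgroundUpdates", 0) != 0:
            addon["applyBackgroundUpdates"] = 0
            changed += 1
        # Point the on-disk path at the sandboxed home directory.
        path = addon.get("path")
        if isinstance(path, str) and path.startswith(old_home.rstrip("/") + "/"):
            addon["path"] = new_home.rstrip("/") + path[len(old_home.rstrip("/")):]
            changed += 1
    # Firefox writes this file as compact JSON; keep the same shape.
    return json.dumps(data, separators=(",", ":")), changed


# Constructed sample modelled on the uBlock Origin entry quoted on the page.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 31,
    "addons": [{
        "id": "uBlock0@raymondhill.net",
        "version": "1.0",
        "type": "extension",
        "installDate": 1650000000000,
        "updateDate": 1650000000000,
        "applyBackgroundUpdates": 1,
        "path": "/home/r/.mozilla/firefox/example.default-release/extensions/uBlock0@raymondhill.net.xpi",
    }],
})


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
        old_home, new_home = sys.argv[2], sys.argv[3]
    else:
        source, old_home, new_home = SAMPLE_EXTENSIONS_JSON, "/home/r", "/home/sandbox"
    cleaned, n = sanitize_extensions_json(source, old_home, new_home)
    sys.stdout.write(cleaned + "\n")
    sys.stderr.write("changed %d fields\n" % n)
```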
<br />
Removal of similar metadata from {{ic|addonStartup.json.lz4}} and {{ic|search.json.mozlz4}} can also be accomplished. [https://github.com/jusw85/mozlz4 mozlz4] is a command-line tool which provides compression/decompression support for Mozilla (non-standard) LZ4 files.<br />
<br />
== Removal of subsystems ==<br />
<br />
{{Expansion|The deleted files will be back after upgrading the package, add them to [[pacman#Skip files from being installed to system|NoExtract]] instead.}}<br />
<br />
Telemetry related to [https://firefox-source-docs.mozilla.org/toolkit/crashreporter/crashreporter/index.html crash reporting] may be disabled by removing the following:<br />
<br />
/usr/lib/firefox/crashreporter<br />
/usr/lib/firefox/minidump-analyzer<br />
/usr/lib/firefox/pingsender<br />
<br />
For those who have opted to install Firefox manually from official Mozilla sources, the updater system may be disabled by removing {{ic|updater}} in the {{ic|firefox}} directory.<br />
<br />
== Editing the contents of omni.ja ==<br />
<br />
{{Note|Certain features may be inhibited or lost as a result of modifying the contents of {{ic|omni.ja}}. Additionally, it is updated/overwritten with each Firefox release. It is up to the user to determine whether the gain in privacy is worth the loss of expected usability.}}<br />
<br />
The file {{ic|/usr/lib/firefox/omni.ja}} contains most of the default configuration settings used by Firefox. As an example, starting from Firefox 73, network calls to {{ic|firefox.settings.services.mozilla.com}} and/or {{ic|content-signature-2.cdn.mozilla.net}} cannot be blocked by extensions or by setting preference URLs to {{ic|"");}}. Aside from using a DNS sinkhole or firewalling resolved IP blocks, one solution is to {{man|1|grep}} through the extracted contents of {{ic|omni.ja}} before removing all references to {{ic|firefox.settings.services.mozilla.com}} and/or {{ic|cdn.mozilla.net}}. Extraneous modules such as unused dictionaries and hyphenation files can also be removed in order to reduce the size of {{ic|omni.ja}} for both security and performance reasons.<br />
<br />
To repack/rezip, use the command {{ic|zip -0DXqr omni.ja *}} and make sure that your working directory is the root directory of the files from the {{ic|omni.ja}} file.<br />
<br />
== Hardened user.js templates ==<br />
<br />
Several active projects maintain comprehensive hardened Firefox configurations in the form of a {{ic|user.js}} config that can be dropped into the Firefox profile directory:<br />
<br />
* [https://github.com/arkenfox/user.js arkenfox/user.js]<br />
* [https://github.com/pyllyukko/user.js pyllyukko/user.js]<br />
* [https://ffprofile.com/ ffprofile.com] ([https://github.com/allo-/firefox-profilemaker github]) - online user.js generator. You select which features you want to enable and disable, and in the end you get a download link for a zip file with your profile template. You can, for example, disable some functions which send data to Mozilla and Google, or disable several annoying Firefox functions like Mozilla Hello or the Pocket integration.<br />
<br />
== See also ==<br />
<br />
* [https://www.privacytools.io/#addons privacytools.io Firefox Privacy Add-ons]<br />
* [https://prism-break.org/en/categories/gnu-linux/#web-browser-addons prism-break.org Web Browser Addons]<br />
* [[MozillaWiki:Privacy/Privacy Task Force/firefox about config privacy tweeks]] - a wiki page maintained by Mozilla with descriptions of privacy specific settings.<br />
* [https://brainfucksec.github.io/firefox-hardening-guide brainfucksec Firefox Hardening Guide.] - A maintained guide for Firefox hardening<br />
* [https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections How to stop Firefox from making automatic connections] - an annotated list of corresponding Firefox functionality and the settings to disable it case by case.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Guix&diff=730283Guix2022-05-20T19:31:09Z<p>Kiasoc5: Mention that guix-installer is in the AUR.</p>
<hr />
<div>[[Category:Package manager]]<br />
[[ja:Guix]]<br />
{{Warning|Guix is '''not''' the [[pacman|official package manager of Arch]]. It is also still under heavy development. Some packages may currently fail to build on Arch.}}<br />
[https://www.gnu.org/software/guix/ GNU Guix] is a package manager that offers transactional, reproducible, per-user package management.<br />
While Guix can be used stand-alone and provide a full GNU distribution and a kernel by itself, you can install the Guix package manager on top of Arch to make Guix available to users while using a more traditional and mature Unix-like system as a base.<br />
<br />
See the [https://guix.gnu.org/manual/en/ Guix manual] for information on what per-user packaging commands Guix makes available to users.<br />
<br />
== Installation ==<br />
<br />
{{Expansion|The Guix reference manual says {{ic|nscd.service}} should be enabled but it is not clear if {{ic|nscd}} works properly on Arch or if it is even required.}}<br />
On Arch Linux you can install Guix either using the AUR or manually as described in the Guix Manual.<br />
Installing using the AUR has the advantage that pacman is aware of the package and the extra files in the {{ic|/usr}} file tree. But unlike other AUR packages, uninstalling the package does not unwind the entire Guix installation.<br />
Since Guix is a package manager by itself and it can also update itself, you still have to manually uninstall the files installed via Guix (no matter whether you installed the AUR package or the manual installation).<br />
Therefore, after updating Guix once, the AUR advantage really turns into a disadvantage, as there will be many unnecessary files in the {{ic|/usr}} file tree that are part of the Guix AUR package but that are never used by Guix anymore.<br />
Therefore, consider using the manual installation.<br />
<br />
=== Manual Installation ===<br />
<br />
For the manual installation, see [https://guix.gnu.org/manual/html_node/Installation.html#Installation chapter Installation] of the Guix manual.<br />
The easiest way is to use the shell installer script linked in there. The installer can also be installed from the AUR as {{AUR|guix-installer}}.<br />
<br />
As of December 2021 this script installs files into the following locations:<br />
* {{ic|/gnu/store}}, {{ic|/var/guix}} (the Guix store)<br />
* {{ic|/usr/local/share/info}}, {{ic|/usr/local/bin}} (only symlinks)<br />
* {{ic|/root/.config/guix}} (a symlink to the current profile)<br />
* {{ic|/etc/guix/acl}} (keys for substitute servers)<br />
* {{ic|/etc/profile.d/guix.sh}} (sets environment variables to put the current Guix profile first in the PATH)<br />
* {{ic|/etc/bash_completion.d/guix}}, {{ic|/usr/share/zsh/site-functions/_guix}}, {{ic|/usr/share/fish/vendor_completions.d/guix.fish}} (shell completions for Bash, Zsh, and Fish)<br />
<br />
Furthermore it installs and enables a systemd service called {{ic|guix-daemon.service}}, and creates users {{ic|guixbuilder01}} ... {{ic|guixbuilder10}} and a group {{ic|guixbuild}}.<br />
<br />
Now start a new login shell (alternatively reboot your machine) and you can start using Guix:<br />
<br />
$ guix install glibc-locales<br />
<br />
=== AUR Package Installation ===<br />
<br />
{{Note|The build check currently fails if {{ic|/bin/sh}} is not a link to bash, which is not a problem on a default Arch installation.}}<br />
{{Note|As of 13.05.2018 ''guix-environment-container'' test fails during makepkg build if [[Makepkg#Building_from_files_in_memory|BUILDDIR environment variable]] points to tmpfs mount.}}<br />
<br />
GNU Guix is available in the AUR as {{AUR|guix}}. As described in the {{ic|PKGBUILD}}, the PGP key by the Guix distributor will need to be added first.<br />
<br />
Guix makes builds more reproducible by running the build process using an unprivileged build user account. Therefore, if you want to be able to build {{ic|''n''}} packages simultaneously (e.g. for serving multiple users at the same time), you should create {{ic|''n''}} build user accounts, one for each build that Guix should be able to run at the same time. The following commands do this the way described in the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual]; replace {{ic|''n''}} with the number of build users you want (e.g. {{ic|10}} for ten users):<br />
<br />
# groupadd --system guixbuild<br />
# for i in `seq -w 1 ''n''`;<br />
do<br />
useradd -g guixbuild -G guixbuild \<br />
-d /var/empty -s `which nologin` \<br />
-c "Guix build user $i" --system \<br />
guixbuilder$i;<br />
done<br />
<br />
[[Systemd#Using units|Start and enable]] {{ic|guix-daemon.service}}.<br />
<br />
You may want to authorize Guix to download and use binary packages (‘substitutes’) from the [https://ci.guix.gnu.org Guix Official Substitute Server]:<br />
<br />
# guix archive --authorize < /usr/share/guix/ci.guix.gnu.org.pub<br />
<br />
== Building packages outside of /tmp ==<br />
<br />
The unit file may need to be extended to use a different {{ic|TMPDIR}} for building if {{ic|/tmp}} does not provide enough space (see the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual] for details). To use {{ic|''/tmpdir''}} for building instead of {{ic|/tmp}}, [[edit]] {{ic|guix-daemon.service}} to add the following lines:<br />
<br />
{{bc|1=<br />
[Service]<br />
Environment=TMPDIR=''/tmpdir''<br />
}}<br />
<br />
== Uninstalling Guix ==<br />
<br />
Stop and disable {{ic|guix-daemon.service}}.<br />
If you installed Guix as an AUR package, then remove Guix using [[pacman]].<br />
<br />
Remove {{ic|/etc/systemd/system/guix-daemon.service}}, {{ic|/etc/systemd/system/guix-daemon.service.d}}, and {{ic|/etc/profile.d/guix.sh}} if they exist.<br />
<br />
Now remove all the Guix build users and their group:<br />
<br />
# for i in `seq -w 1 ''n''`; do userdel guixbuilder$i; done<br />
# groupdel guixbuild<br />
<br />
Then remove the Guix store {{ic|/gnu}} as well as {{ic|/var/guix}} and {{ic|/var/log/guix}}. <br />
Remove stale symlinks in {{ic|/usr/local/share/info}} and {{ic|/usr/local/bin}}.<br />
Also remove {{ic|/etc/guix/acl}} and the shell completion files specific to Guix.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Talk:Unified_Extensible_Firmware_Interface/Secure_Boot&diff=729944Talk:Unified Extensible Firmware Interface/Secure Boot2022-05-16T19:16:18Z<p>Kiasoc5: Suggest addition of sbctl with warning to wiki</p>
<hr />
<div>== Enroll hash file name ==<br />
<br />
I am a bit confused regarding the following lines:<br />
<br />
''* In the HashTool main menu, select {{ic|Enroll Hash}}, choose {{ic|\loader.efi}} and confirm with {{ic|Yes}}. Again, select {{ic|Enroll Hash}} and {{ic|archiso}} to enter the archiso directory, then select {{ic|vmlinuz-efi}} and confirm with {{ic|Yes}}. Then choose {{ic|Exit}} to return to the boot device selection menu.<br />
* In the boot device selection menu choose {{ic|Arch Linux archiso x86_64 UEFI CD}}''<br />
<br />
There is no file vmlinuz-efi in the said directory, there is only efiboot.img.<br />
Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --[[User:Johannes Rohr|Johannes Rohr]] ([[User talk:Johannes Rohr|talk]]) 09:03, 5 February 2015 (UTC)<br />
<br />
: Indeed the instructions are not accurate, and are only meant as an outline. The thing is that their accuracy depends on the approach chosen. For example, the article suggests, among other approaches, to [[Secure Boot#Disable Secure Boot|disable secure boot]] altogether. I think one is expected to integrate the outline in [[Secure Boot#Booting archiso|booting archiso]] with one of the approaches suggested by the rest of the article. For example, the [[Secure Boot#Set up PreLoader|Set up PreLoader section]] explicitly states the usefulness of {{ic|PreLoader.efi}} and {{ic|HashTool.efi}} in {{Pkg|efitools}} is limited. But it also suggests how to get along with {{ic|PreLoader.efi}} and {{ic|HashTool.efi}} from {{AUR|preloader-signed}} or to [https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/ download them manually without using the AUR]. [[User:Regid|Regid]] ([[User talk:Regid|talk]]) 02:05, 18 December 2018 (UTC)<br />
<br />
::The comment you're replying to is from a time when the Archiso supported Secure Boot. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 09:34, 18 December 2018 (UTC)<br />
:::# Why, and when, was support for secure boot removed from Archiso?<br />
:::# I find the article confusing. Most of it assumes users are able to install software on the machine, and copy files from anyplace to anywhere on the HD. As if they have a running archlinux installation, and only need to convert the boot process into secure boot. But installation is different. I think the [[Secure Boot#Booting archiso|booting archiso]] section should be moved to the section that is prior to [[Secure Boot#See also|see also]]; emphasize that there is a need to create files and then place them on the [[EFI system partition]]; point to [[archiso]] and [[Remastering the Install ISO]]; and reworked in general.<br />
::: [[User:Regid|Regid]] ([[User talk:Regid|talk]]) 10:59, 18 December 2018 (UTC)<br />
<br />
::::As it says in [[Secure Boot#Booting archiso]], Secure Boot support was removed starting with {{ic|archlinux-2016.06.01-dual.iso}}. It happened because an Arch developer replaced[https://github.com/archlinux/svntogit-packages/commit/a9a9be60696a718f0aa1865d8c6663b2c2cdfce1][https://github.com/archlinux/svntogit-packages/commit/1b7b157c4f2dd062dcf00a589da37390e6a7b59d] the [https://github.com/archlinux/svntogit-packages/blob/packages/prebootloader/trunk/PKGBUILD prebootloader package] with the {{Pkg|efitools}} package. Apparently it happened because both contain {{ic|PreLoader.efi}} and {{ic|HashTool.efi}}. The ''little detail'' that one had signed EFI binaries, but the other unsigned was somehow missed and the change got into Archiso[https://gitlab.archlinux.org/archlinux/archiso/commit/908370a17e6f9e64b38e9763db9357f0020ed1d9]. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 11:15, 18 December 2018 (UTC)<br />
<br />
::::Regarding your "2." point. The simple method is to disable Secure Boot, install Arch Linux, setup and enable Secure Boot. The [[Template:Out of date]] is there because you can't boot the official install media with Secure Boot enabled. If you want to add instructions on remastering Archiso with Secure Boot support, go ahead. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 11:18, 18 December 2018 (UTC)<br />
<br />
:::::+1 to the simple method regarding section organization. @Regid: I get what you meant about the template and instruction-flow. Still, I find the current organization even more confusing. Now, the first link goes to [[Secure Boot#Put firmware in "Setup Mode"]], jumping over all the steps that must be understood/done. The last thing someone must do is to remove a platform key from the UEFI ''before'' there is an installable ISO. -- [[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 20:31, 18 December 2018 (UTC)<br />
<br />
:::::: I have edited the article to address [[User:Indigo|Indigo]]'s comment. [[User:Regid|Regid]] ([[User talk:Regid|talk]]) 11:43, 19 December 2018 (UTC)<br />
<br />
:::::::Thanks, IMO it's better like this for now. Something the article still needs is a little more intro how to proceed for either of the major sections. My suggestion for it is to do it in the [https://wiki.archlinux.org/index.php?title=Secure_Boot&type=revision&diff=559612&oldid=559611] (better idea? change it). I realize that "Change the status" is not an ideal subsection title, but it should give an idea what's missing in my view. An alternative would be to put it into the article intro with 2-3 sentences. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 19:15, 20 December 2018 (UTC)<br />
<br />
== shim ==<br />
<br />
I couldn't add anything to MoKList on my real PC, but everything worked in qemu; it could use more testing. The instructions ''should theoretically work'' for rEFInd and GRUB. AFAIK systemd-boot doesn't support shim and trying to launch SYSLINUX resulted in "System is compromised. halting.".<br />
<br />
The instructions are for a ''generic bootloader'' because I have no interest in installing GRUB, and adding instructions for rEFInd would be pointless since rEFInd has a really simple setup for shim {{ic|refind-install --shim /usr/share/shim-signed/shim.efi}} for hash only and {{ic|refind-install --shim /usr/share/shim-signed/shim.efi --localkeys}} for hash and keys. If anyone is willing to rewrite the instructions to use GRUB as the example bootloader, please do. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 13:02, 7 December 2016 (UTC)<br />
<br />
: A commented but complete and brief working bash-script that runs a signed Arch-Kernel via refind.efi would be nice. [[User:UBF6|UBF6]] ([[User talk:UBF6|talk]]) 14:40, 8 November 2018 (UTC)<br />
<br />
== add section explaining the signing of other EFI utilities, or general troubleshooting section ==<br />
<br />
I'd like to propose adding a section that explains the signing of other EFI utilities such as those detailed on https://wiki.archlinux.org/index.php/REFInd#Tools<br />
<br />
In particular I've just recently resolved an issue which I'm guessing is specific to my motherboard (ASrock Z77 Extreme4) that I'd like to add some troubleshooting info on. Specifically the {{ic|gdisk_x64.efi}} image is shipped signed with the author's key, and apparently my bios only looks at the first key signature of a given EFI app. By removing the author's signature with {{ic|sbattach --remove gdisk_x64.efi}} I was finally able to get it to run with Secure Boot enabled.<br />
<br />
Or maybe this would be better added to a general troubleshooting section? I haven't tested it but I bet if I first signed *any* EFI app with some key that isn't enrolled on my system, and then added my own, I'd have the same issue.<br />
<br />
--[[User:AaronM_Cloudtek|AaronM_Cloudtek]] ([[User talk:AaronM_Cloudtek|talk]]) 05:31, 25 March 2019 (UTC)<br />
<br />
:I think perhaps this could be included in a general section about signing binaries. Whether you use shim, preloader, or your own keys, you still have to sign the binaries. The only real difference is where the certificate is stored (db, or MOKList).<br />
:[[User:Soroshi|Soroshi]] ([[User talk:Soroshi|talk]]) 20:32, 24 December 2019 (UTC)<br />
<br />
== SBUpdate Behaviour Update ==<br />
<br />
"sbupdate expects the /boot/efikeys/db.* files created by cryptboot to be capitalized like DB."<br />
<br />
This is outdated. Uppercase and lowercase "db file" name is accepted. Script uses: @(DB|db)<br />
<br />
{{Unsigned|23:08, 2 July 2019 (UTC)|Superherointj}}<br />
<br />
:Feel free to remove that note. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 06:14, 3 July 2019 (UTC)<br />
<br />
== Booting with own keys but without Microsoft's keys ==<br />
<br />
I was unable to boot my computer (black screen before the POST) after removing Microsoft's keys from firmware and enabling Secure boot. This was because of my graphic card, as explained in Rod Smith's article:<br />
<br />
:Some plug-in cards have firmware that's signed by Microsoft's keys. Such a card will not work (at least, not from the firmware) if you enable Secure Boot without the matching public key. (The card should still work once you've booted an OS. The biggest concern is for cards that must work in a pre-boot environment, such as a video card or for PXE-booting a network card.) You can add Microsoft's keys back to the environment to make such cards work, but this eliminates the advantages of not having those keys, if that's a significant factor for you.<br />
::— [https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html Rod Smith's Controlling Secure Boot]<br />
<br />
I was able to fix it by extracting the UEFI driver (GOP) from the video BIOS of my card, signing it with my own key and re-flashing the VBIOS. It might not be possible with every card. Anyway, it should be specified that removing Microsoft's keys can render the boot impossible, independently of the dual booting with Windows.<br />
<br />
{{unsigned|07:09, 10 December 2019|Palimpseste}}<br />
<br />
:Having gone through this process myself recently, I am considering re-writing this section to be much clearer. I am wondering what general skill level should be targeted with this section. It is certainly not a simple procedure, but it's not that complicated either. My changes would be based on Rod Smith's guide, as well as the [https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot excellent guide on the Gentoo wiki]. I also think that the subsection on signing EFI binaries and kernels should be moved to its own section, as this is relevant regardless of whether you are using your own keys, shim, or preloader.<br />
:[[User:Soroshi|Soroshi]] ([[User talk:Soroshi|talk]]) 20:24, 24 December 2019 (UTC)<br />
<br />
== Accuracy of "od" command to determine status ==<br />
I just set up secure boot with my own keys, following all the instructions here. After setting everything up and enrolling my keys using KeyTool, I wanted to check my secureboot status using the mentioned od command.<br />
This is what I got: <br />
<br />
~ od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*<br />
6 0 0 0 1 7 0 0 0 3<br />
<br />
However, the wiki states:<br />
If Secure Boot is enabled, this command returns 1 as the final integer in a list of five, for example: <br />
6 0 0 0 1<br />
<br />
So I assumed something went wrong. The wiki text sounds a lot like secure boot is enabled ''if'' and ''only if'' I get exactly 5 digits with the last one being a 1. Now the keen observer might have noticed that my first 5 digits match those from the wiki exactly. But there are 5 additional ones. The other command mentioned in the wiki tells me secureboot is enabled: <br />
<br />
~ bootctl status<br />
systemd-boot not installed in ESP.<br />
No default/fallback boot loader installed in ESP.<br />
System:<br />
Firmware: UEFI 2.70 (Dell 1.00)<br />
Secure Boot: enabled<br />
Setup Mode: user<br />
...<br />
<br />
Keytool also tells me that secure boot is in "User Mode". And my Firmware settings tell me secure boot is enabled. (Tested several times now) I also tried booting an unsigned binary which the firmware refused. I am not too sure what the od command does, maybe someone with more insight can clarify. [[User:LoNaAleim|LoNaAleim]] ([[User talk:LoNaAleim|talk]]) 19:48, 24 August 2020 (UTC)<br />
<br />
:You may have two ESP partitions. Do you have multiple SecureBoot* entries in efivars? They have a GUID at the end which shows up in the bootctl listing. [[User:Gerdesj|Gerdesj]] ([[User talk:Gerdesj|talk]]) 09:54, 5 October 2021 (UTC)<br />
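The ten numbers in the question above are easier to interpret once the efivarfs file layout is known: every file under {{ic|/sys/firmware/efi/efivars}} starts with a 4-byte little-endian attribute word, and {{ic|SecureBoot}} carries a single data byte after it, so one variable is exactly five bytes ({{ic|6 0 0 0 1}} is attributes 6 followed by value 1) and a glob that matches two variables prints ten. The script below is an added example for this thread, not code from the article or from any of the posters: it decodes each {{ic|SecureBoot-*}} file separately and flags the case where more than one matched. It assumes efivarfs is mounted at the default {{ic|/sys/firmware/efi/efivars}} (override with the {{ic|EFIVARS}} variable); the function names are the example's own.<br />

```sh
#!/bin/sh
# Decode the efivarfs SecureBoot variable(s) instead of eyeballing raw od output.
# Added example for this talk thread, not code from the wiki article. It assumes
# efivarfs is mounted at /sys/firmware/efi/efivars (override with EFIVARS=...).
#
# Layout of every efivarfs file: a 4-byte little-endian attribute word, then the
# variable data. SecureBoot's data is one byte (1 = enabled, 0 = disabled), so a
# correct read is exactly five bytes: "6 0 0 0 1" is attributes 6
# (BOOTSERVICE_ACCESS|RUNTIME_ACCESS, i.e. volatile, set by firmware each boot)
# followed by value 1. Ten numbers mean a glob matched two variables.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Decode one efivarfs file. Prints "<name> attrs=<n> value=<v> <state>" and
# returns 0 = enabled, 1 = disabled, 2 = not a 5-byte SecureBoot variable.
decode_secureboot_var() {
  f=$1
  # od -tu1 prints every byte as an unsigned decimal; -An drops the address column.
  set -- $(od -An -tu1 -v "$f")
  if [ "$#" -ne 5 ]; then
    printf '%s: unexpected length %d bytes\n' "$f" "$#"
    return 2
  fi
  attrs=$(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
  value=$5
  case $value in
    1) state=enabled;  rc=0 ;;
    0) state=disabled; rc=1 ;;
    *) state=unknown;  rc=2 ;;
  esac
  printf '%s attrs=%d value=%d %s\n' "$(basename "$f")" "$attrs" "$value" "$state"
  return "$rc"
}

# Walk each SecureBoot-* file separately. Returns the state of the single
# variable, or 2 when none or more than one matched (then compare the GUIDs:
# the firmware's own SecureBoot variable lives under the EFI global variable
# GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c).
secureboot_status() {
  dir=${1:-$EFIVARS}
  n=0 rc=2
  for f in "$dir"/SecureBoot-*; do
    [ -e "$f" ] || continue
    n=$((n + 1))
    decode_secureboot_var "$f" && rc=0 || rc=$?
  done
  if [ "$n" -eq 0 ]; then
    echo "no SecureBoot variable found (efivarfs not mounted, or not a UEFI boot?)"
    return 2
  elif [ "$n" -gt 1 ]; then
    echo "warning: $n SecureBoot-* variables matched; inspect each GUID separately"
    return 2
  fi
  return "$rc"
}

# Usage: sh sb-status.sh --status
if [ "${1:-}" = "--status" ]; then
  secureboot_status
fi
```

The exit status follows the decoded value, so the function can be used directly in a script's condition; the separate {{ic|bootctl status}} output remains the easier cross-check on systems that have it.<br />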
<br />
== Booting Windows with custom bootloader signature ==<br />
<br />
Windows 10 '''can''' boot with custom bootloader signature. I signed {{ic|bootmgfw.efi}} and Windows still works normally.<br />
<br />
$ sbverify --list /boot/EFI/Microsoft/Boot/bootmgfw.efi <br />
signature 1<br />
image signature issuers:<br />
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
image signature certificates:<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010<br />
signature 2<br />
image signature issuers:<br />
- /CN=[redacted] - Secure Boot DB<br />
image signature certificates:<br />
- subject: /CN=[redacted] - Secure Boot DB<br />
issuer: /CN=[redacted] - Secure Boot DB<br />
<br />
I don't currently have any other keys enrolled, apart from mine.<br />
<br />
$ efi-readvar <br />
Variable PK, length 863<br />
PK: List 0, type X509<br />
Signature 0, size 835, owner [redacted-2]<br />
Subject:<br />
CN=[redacted] - Secure Boot PK<br />
Issuer:<br />
CN=[redacted] - Secure Boot PK<br />
Variable KEK, length 865<br />
KEK: List 0, type X509<br />
Signature 0, size 837, owner [redacted-2]<br />
Subject:<br />
CN=[redacted] - Secure Boot KEK<br />
Issuer:<br />
CN=[redacted] - Secure Boot KEK<br />
Variable db, length 863<br />
db: List 0, type X509<br />
Signature 0, size 835, owner [redacted-2]<br />
Subject:<br />
CN=[redacted] - Secure Boot DB<br />
Issuer:<br />
CN=[redacted] - Secure Boot DB<br />
Variable dbx has no entries<br />
Variable MokList has no entries<br />
(fields replaced with {{ic|[redacted]}} have the same value; same goes for {{ic|[redacted-2]}})<br />
<br />
I am not sure if it works for others. For reference, my machine is a ThinkPad E14, machine type 20RA. Maybe someone can confirm this on their machines and add something to the wiki?<br />
<br />
P/s : maybe a method to automatically sign updates from Microsoft?<br />
<br />
[[User:Cipher|Cipher]] ([[User talk:Cipher|talk]]) 04:59, 5 November 2020 (UTC)<br />
<br />
Hi [[User:Cipher|Cipher]]! I tried booting Windows via {{ic|bootmgfw}}, signed with <br/><br />
- '''both''' Microsoft's key <br/><br />
- '''and''' my personal key, <br/><br />
- in SecureBoot mode '''enabled''', <br/><br />
- with my '''personal''' SecureBoot keys enrolled in NVRAM; <br/> <br />
but somehow my BIOS gave a Secure Boot Violation error and didn't let me boot Windows: <br />
<br />
'''Selected boot image did not authenticate. Press ENTER to continue.'''<br />
<br />
It seems like my BIOS can '''only''' read the '''first''' signature of binary EFI files, '''not''' multiple signatures of bootmgfw.efi. <br />
My signature on bootmgfw.efi was the '''second''' one; Microsoft's signature was the '''first''' one: <br />
<br />
If I '''delete''' the Microsoft signature from bootmgfw.efi and '''only''' add my own signature, I can get into Windows10 - but only in a Windows10 '''recovery'''/repair environment: Windows complains that my Windows10 installation is '''broken''' (because the Microsoft Windows signature on bootmgfw.efi is missing). <br />
<br />
My BIOS firmware: '''UEFI 2.31 (INSYDE Corp. 4096.01)''' <br />
<br />
My BIOS firmware in detail: <br />
$ sudo dmidecode -t bios<br />
# dmidecode 3.2<br />
Getting SMBIOS data from sysfs.<br />
SMBIOS 2.7 present.<br />
<br />
Handle 0x000E, DMI type 0, 24 bytes<br />
BIOS Information <br />
Vendor: Insyde<br />
Version: F.70<br />
Release Date: 07/18/2016<br />
Address: 0xE0000<br />
Runtime Size: 128 kB<br />
ROM Size: 4 MB<br />
Characteristics:<br />
PCI is supported<br />
BIOS is upgradeable<br />
BIOS shadowing is allowed<br />
Boot from CD is supported<br />
Selectable boot is supported<br />
EDD is supported<br />
Japanese floppy for NEC 9800 1.2 MB is supported (int 13h)<br />
Japanese floppy for Toshiba 1.2 MB is supported (int 13h)<br />
5.25"/360 kB floppy services are supported (int 13h)<br />
5.25"/1.2 MB floppy services are supported (int 13h)<br />
3.5"/720 kB floppy services are supported (int 13h)<br />
3.5"/2.88 MB floppy services are supported (int 13h)<br />
8042 keyboard services are supported (int 9h)<br />
CGA/mono video services are supported (int 10h)<br />
ACPI is supported<br />
USB legacy is supported<br />
BIOS boot specification is supported<br />
Targeted content distribution is supported<br />
UEFI is supported<br />
BIOS Revision: 15.112<br />
Firmware Revision: 29.66<br />
<br />
<br />
So I suppose my UEFI/BIOS implementation is broken. '''My BIOS can probably only read the first signature of signed binary EFI files.''' <br />
<br />
Here's my code: <br />
$ cd /esp/EFI/Microsoft/Boot <br />
<br />
$ sudo sbsign --key /run/media/<redacted>/KEYS+PASSWORDS/SECUREBOOTKEYS/HP-Pavilion-TS-15-Notebook-PC-N010SG/db/DB.key \<br />
--cert /run/media/<redacted>/KEYS+PASSWORDS/SECUREBOOTKEYS/HP-Pavilion-TS-15-Notebook-PC-N010SG/db/DB.crt \<br />
--output bootmgfw.efi.signed bootmgfw.efi <br />
Image was already signed; adding additional signature<br />
<br />
$ mv bootmgfw.efi bootmgfw.efi.backup <br />
$ mv bootmgfw.efi.signed bootmgfw.efi <br />
<br />
$ sbverify --list bootmgfw.efi.backup <br />
signature 1<br />
image signature issuers:<br />
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
image signature certificates:<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010<br />
<br />
$ sbverify --list bootmgfw.efi <br />
signature 1<br />
image signature issuers:<br />
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
image signature certificates:<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010<br />
signature 2<br />
image signature issuers:<br />
- /CN=<redacted> DB<br />
image signature certificates:<br />
- subject: /CN=<redacted> DB<br />
issuer: /CN=<redacted> DB<br />
<br />
$ cd /esp/EFI/BOOT/<br />
$ sudo sbsign --key /run/media/<redacted>/KEYS+PASSWORDS/SECUREBOOTKEYS/HP-Pavilion-TS-15-Notebook-PC-N010SG/db/DB.key \<br />
--cert /run/media/<redacted>/KEYS+PASSWORDS/SECUREBOOTKEYS/HP-Pavilion-TS-15-Notebook-PC-N010SG/db/DB.crt \<br />
--output bootx64.efi.signed bootx64.efi<br />
<br />
$ mv bootx64.efi bootx64.efi.backup <br />
$ mv bootx64.efi.signed bootx64.efi <br />
<br />
$ sbverify --list bootx64.efi.backup <br />
signature 1<br />
image signature issuers:<br />
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
image signature certificates:<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010<br />
<br />
$ sbverify --list bootx64.efi <br />
signature 1<br />
image signature issuers:<br />
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
image signature certificates:<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011<br />
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010<br />
signature 2<br />
image signature issuers:<br />
- /CN=<redacted> DB<br />
image signature certificates:<br />
- subject: /CN=<redacted> DB<br />
issuer: /CN=<redacted> DB<br />
<br />
I only have my personal keys in UEFI keystore (redacted is my real name / my UUID), none from Microsoft: <br />
$ efi-readvar <br />
Variable PK, length 843<br />
PK: List 0, type X509<br />
Signature 0, size 815, owner <redacted><br />
Subject:<br />
CN=<redacted> PK<br />
Issuer:<br />
CN=<redacted> PK<br />
Variable KEK, length 845<br />
KEK: List 0, type X509<br />
Signature 0, size 817, owner <redacted><br />
Subject:<br />
CN=<redacted> KEK<br />
Issuer:<br />
CN=<redacted> KEK<br />
Variable db, length 843<br />
db: List 0, type X509<br />
Signature 0, size 815, owner <redacted><br />
Subject:<br />
CN=<redacted> DB<br />
Issuer:<br />
CN=<redacted> DB<br />
Variable dbx, length 76<br />
dbx: List 0, type SHA256<br />
Signature 0, size 48, owner 00000000-0000-0000-0000-000000000000<br />
Hash:0000000000000000000000000000000000000000000000000000000000000000<br />
<br />
I have booted into SecureBootMode: <br />
$ bootctl status <br />
System:<br />
Firmware: UEFI 2.31 (INSYDE Corp. 4096.01)<br />
Secure Boot: enabled<br />
Setup Mode: user<br />
TPM2 Support: no<br />
Boot into FW: supported<br />
<br />
[[User:DasMenschy|DasMenschy]] ([[User talk:DasMenschy|talk]]) 16:49, 21 September 2021 (UTC)<br />
:Yeah, your firmware doesn't seem to recognize additional signatures from a binary. Did you try to append Microsoft's key to the signature database (the {{ic|db}} variable)?<br />
:''(By the way, please [[Help:Editing#Indenting|indent]] your replies next time. It would be easier for people to separate out messages.)''<br />
:[[User:Cipher|Cipher]] ([[User talk:Cipher|talk]]) 15:39, 21 December 2021 (UTC)<br />
::Yes, if I enroll the Microsoft Windows Production UEFI DB signature CA key from 2011 ([https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt '''MicWinProPCA2011_2011-10-19.crt''' ]) into the UEFI Secure Boot {{ic|db}} variable; I am able to boot Windows. But I wanted to achieve it without enrolling any Microsoft key into the db variable. I would like to avoid future security holes like [https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ '''BOOTHOLE'''], which AFAIK were introduced because Microsoft signs almost anything (probably including '''government surveillance tools'''). As far as I know, Microsoft doesn't really check the programs it signs for security vulnerabilities. <br />
::Currently, I am working around it by only enrolling the '''hashes of {{ic|bootmgfw.efi}}''' into the {{ic|db}} variable - then Windows can also be booted, but without the Microsoft UEFI keys. But of course, that's a lot of work: every time the {{ic|bootmgfw.efi}} changes because of a Windows 10 update, I also have to update the {{ic|db}} variable. And at some point in the future, the db variable stored on small NVRAM will be '''full''' - no more hashes can be added. So another solution would be nice. [[User:DasMenschy|DasMenschy]] ([[User talk:DasMenschy|talk]]) 21:32, 21 December 2021 (UTC)<br />
<br />
:::Figured. Most people I see that provision their own Secure Boot keys do so due to their distrust in Microsoft.<br />
:::Regarding the issue with automating hash enrollment, I have not found a solution either. So far, the Windows binary has to be signed/enrolled before booting, and I do not know whether that is possible inside Windows itself during updates. If that is not the case, you will have to reboot back to Linux to do it, be it automatic or manual (I semi-automated that with the pacman hook as described in the wiki page).<br />
:::About the {{ic|db}} variable, I believe you can wipe it and reinstall your own keys with fresh Windows hashes to deal with space issues (not sure if that could be done inside Linux though). Automate it (maybe a hook at kernel signing? After all, kernel updates are released more frequently than Windows updates, right?) and the issue should be resolved.<br />
:::Also, I am not sure if Windows requires Microsoft signature to be the first - but if it doesn't, maybe we can do some shenanigans to switch your signature to the first entry, effectively satisfying both Secure Boot and Windows?<br />
:::[[User:Cipher|Cipher]] ([[User talk:Cipher|talk]]) 02:17, 22 December 2021 (UTC)<br />
<br />
<br />
== Add a warning to warn users about dodgy firmware ==<br />
<br />
Unfortunately, as some of you may know, I bricked one of my motherboards with Secure Boot. This is partially documented [https://github.com/osresearch/safeboot/issues/84 in this issue].<br />
The summary of this is: Secure Boot means that all Option-ROMs must be signed and I used custom keys (with sbctl). The firmware decided it has to validate the Option-ROMs with my custom keys now, which fails. Since my setup did not have an integrated GPU/APU the GPU did not get initialized (since the Option-ROM could not be validated, for some reason an internal GPU/APU does not need one) and the motherboard failed to POST and got caught in a loop. I had to send my motherboard to MSI so they could "repair" the firmware. <br />
<br />
I am not a firmware expert, but this ''might'' affect other motherboards too. Since some firmwares can behave strangely, I am in favor of maybe adding a warning mentioning potential consequences, ''especially'' when not using the Microsoft keys.<br />
<br />
A very similar issue is apparently present in some Dell motherboards.<br />
<br />
Serious breakage (devices that do not POST anymore and similar) caused by modifications to the efivarfs, like accidentally removing {{ic|/sys}} in a chroot for example, is vaguely related. I heard this is common in Lenovo devices, so not only my specific motherboard (vendor) has related firmware quirks and this is why this maybe warrants a [[Template:Warning]].<br />
<br />
-- [[User:NetSysFire|NetSysFire]] ([[User talk:NetSysFire|talk]]) 02:51, 1 April 2021 (UTC)<br />
<br />
I've added a warning note at the beginning of the section about using your own custom keys. Some people have complained that their Thinkpad laptops were also bricked in this fashion, so it seems best to warn people to be cautious and do further research before proceeding.<br />
[[User:Tensa zangetsu|Tensa zangetsu]] ([[User talk:Tensa zangetsu|talk]]) 20:40, 15 May 2021 (UTC)<br />
: The current warning isn't much help in finding out if one's device is going to be affected. Is [https://github.com/Foxboron/sbctl/wiki/FAQ this] reliable enough to be added to the wiki as a possible check? --[[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 21:44, 30 December 2021 (UTC)<br />
<br />
== Simplify the page by removing old instructions ==<br />
<br />
There is a lot of text and alternative solutions to the same problems on this page. For instance, do we really need openssl, when sbkeys gets the job done just fine? Because there is no clear structure of alternative paths, the procedure is hard to follow even though I have done this many times before. I suggest either removing the older options, or moving them to separate pages, leaving only the most modern / automated workflow on the main article. A related concern is the manual creation of the /etc/secureboot/keys directory tree. Is there no tool that automatically puts the keys in the right folders, while also creating all the keys, optionally including the Microsoft ones? [[User:Foonoxous|Foonoxous]] ([[User talk:Foonoxous|talk]]) 15:16, 27 November 2021 (UTC)<br />
:: There aren't any easy tools for doing any of this which is why I started writing [https://github.com/Foxboron/sbctl sbctl]. However I'm not super comfortable adding it to Arch Wiki.<br />
:: [[User:Foxboron|Foxboron]] ([[User talk:Foxboron|talk]]) 19:44, 2 January 2022 (UTC)<br />
:::: I've used sbctl for some time now and I think it is stable enough for addition to the wiki. Perhaps it could be prefaced with a warning for users to understand the full secure boot setup process before using it.<br />
:::: [[User:Kiasoc5|Kiasoc5]] ([[User talk:Kiasoc5|talk]]) 19:16, 16 May 2022 (UTC)</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Guix&diff=729943Guix2022-05-16T19:07:03Z<p>Kiasoc5: Remove double bash completion. glibc-locales should be installed as user not root</p>
<hr />
<div>[[Category:Package manager]]<br />
[[ja:Guix]]<br />
{{Warning|Guix is '''not''' the [[pacman|official package manager of Arch]]. It is also still under heavy development. Some packages may currently fail to build on Arch.}}<br />
[https://www.gnu.org/software/guix/ GNU Guix] is a package manager that offers transactional, reproducible, per-user package management.<br />
While Guix can be used stand-alone and provide a full GNU distribution and a kernel by itself, you can install the Guix package manager on top of Arch to make Guix available to users while using a more traditional and mature Unix-like system as a base.<br />
<br />
See the [https://guix.gnu.org/manual/en/ Guix manual] for information on what per-user packaging commands Guix makes available to users.<br />
<br />
== Installation ==<br />
<br />
{{Expansion|The Guix reference manual says {{ic|nscd.service}} should be enabled but it is not clear if {{ic|nscd}} works properly on Arch or if it is even required.}}<br />
On Arch Linux you can install Guix either using the AUR or manually as described in the Guix Manual.<br />
Installing using the AUR has the advantage that pacman is aware of the package and the extra files in the {{ic|/usr}} file tree. But contrary to other AUR packages, uninstalling the package does not unwind the entire Guix installation.<br />
Since Guix is a package manager by itself and it can also update itself, you still have to manually uninstall the files installed via Guix (no matter whether you installed the AUR package or used the manual installation).<br />
After updating Guix once, the AUR advantage therefore turns into a disadvantage, as there will be many unnecessary files in the {{ic|/usr}} file tree that are part of the Guix AUR package but that are never used by Guix anymore.<br />
For this reason, consider using the manual installation.<br />
<br />
=== Manual Installation ===<br />
<br />
For the manual installation, see [https://guix.gnu.org/manual/html_node/Installation.html#Installation chapter Installation] of the Guix manual.<br />
The easiest way is to use the shell installer script linked in there.<br />
<br />
As of December 2021 this script installs files into the following locations:<br />
* {{ic|/gnu/store}}, {{ic|/var/guix}} (the Guix store)<br />
* {{ic|/usr/local/share/info}}, {{ic|/usr/local/bin}}, (only symlinks)<br />
* {{ic|/root/.config/guix}} (a symlink to the current profile)<br />
* {{ic|/etc/guix/acl}}, (keys for substitute servers)<br />
* {{ic|/etc/profile.d/guix.sh}}, (sets environment variables to put the current Guix profile first in the PATH)<br />
* {{ic|/etc/bash_completion.d/guix}}, {{ic|/usr/share/zsh/site-functions/_guix}}, {{ic|/usr/share/fish/vendor_completions.d/guix.fish}} (shell completions for Bash, Zsh, and Fish)<br />
<br />
Furthermore it installs and enables a systemd service called {{ic|guix-daemon.service}}, and creates users {{ic|guixbuilder01}} ... {{ic|guixbuilder10}} and a group {{ic|guixbuild}}.<br />
<br />
Now start a new login shell (alternatively reboot your machine) and you can start using Guix:<br />
<br />
$ guix install glibc-locales<br />
<br />
=== AUR Package Installation ===<br />
<br />
{{Note|The build check currently fails if {{ic|/bin/sh}} is not a link to bash, which is not a problem on a default Arch installation.}}<br />
{{Note|As of 13.05.2018 ''guix-environment-container'' test fails during makepkg build if [[Makepkg#Building_from_files_in_memory|BUILDDIR environment variable]] points to tmpfs mount.}}<br />
<br />
GNU Guix is available in the AUR as {{AUR|guix}}. As described in the {{ic|PKGBUILD}}, the PGP key of the Guix distributor needs to be imported first.<br />
<br />
Guix isolates builds by running each build process as a dedicated, unprivileged build user, which also helps make builds reproducible. Each build running at the same time needs its own build user, so if you want to be able to build {{ic|''n''}} packages simultaneously (e.g. when serving multiple users at the same time) you should create {{ic|''n''}} build user accounts. The following commands do this the way described in the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual]:<br />
<br />
# groupadd --system guixbuild<br />
# for i in `seq -w 1 ''n''`;    # replace ''n'' with the number of build users, e.g. 10<br />
do<br />
useradd -g guixbuild -G guixbuild \<br />
-d /var/empty -s `which nologin` \<br />
-c "Guix build user $i" --system \<br />
guixbuilder$i;<br />
done<br />
<br />
[[Systemd#Using units|Start and enable]] {{ic|guix-daemon.service}}.<br />
<br />
You may want to authorize Guix to download and use binary packages (‘substitutes’) from the [https://ci.guix.gnu.org Guix Official Substitute Server]. Authorizing a key tells {{ic|guix-daemon}} to accept pre-built binaries signed with that key instead of building from source, so only add keys of substitute servers you trust:<br />
<br />
# guix archive --authorize < /usr/share/guix/ci.guix.gnu.org.pub<br />
<br />
== Building packages outside of /tmp ==<br />
<br />
The unit file may need to be extended to use a different {{ic|TMPDIR}} for building if {{ic|/tmp}} does not provide enough space (see the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual] for details). To use {{ic|''/tmpdir''}} for building instead of {{ic|/tmp}}, [[edit]] {{ic|guix-daemon.service}} to add the following lines:<br />
<br />
{{bc|1=<br />
[Service]<br />
Environment=TMPDIR=''/tmpdir''<br />
}}<br />
<br />
== Uninstalling Guix ==<br />
<br />
Stop and disable {{ic|guix-daemon.service}}.<br />
If you installed Guix as an AUR package, then remove Guix using [[pacman]].<br />
<br />
Remove {{ic|/etc/systemd/system/guix-daemon.service}}, {{ic|/etc/systemd/system/guix-daemon.service.d}}, and {{ic|/etc/profile.d/guix.sh}} if present.<br />
<br />
Now remove all the Guix build users and their group:<br />
<br />
# for i in `seq -w 1 ''n''`; do userdel guixbuilder$i; done<br />
# groupdel guixbuild<br />
<br />
Then remove the Guix store {{ic|/gnu}} as well as {{ic|/var/guix}} and {{ic|/var/log/guix}}. <br />
Remove stale symlinks in {{ic|/usr/local/share/info}} and {{ic|/usr/local/bin}}.<br />
Also remove {{ic|/etc/guix/acl}} and the shell completion files specific to Guix.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Firefox/Privacy&diff=729942Firefox/Privacy2022-05-16T19:04:30Z<p>Kiasoc5: 1. Running a public Searx instance benefits others more than it benefits the self. 2. Add how to run Searx locally.</p>
<hr />
<div>[[Category:Web browser]]<br />
[[ja:Firefox プライバシー]]<br />
{{Related articles start}}<br />
{{Related|Firefox}}<br />
{{Related|Tor}}<br />
{{Related|Browser extensions}}<br />
{{Related|Browser Plugins}}<br />
{{Related|Firefox/Tweaks}}<br />
{{Related|Firefox/Profile on RAM}}<br />
{{Related articles end}}<br />
<br />
This article overviews how to configure Firefox to enhance security and privacy.<br />
<br />
== Configuration ==<br />
<br />
The following are privacy-focused tweaks to prevent [https://panopticlick.eff.org/ browser fingerprinting] and tracking.<br />
<br />
=== Anti-fingerprinting ===<br />
<br />
Mozilla has started an [[MozillaWiki:Security/Fingerprinting|anti-fingerprinting project in Firefox]], as part of a project to upstream features from [[Tor Browser]]. Many of these anti-fingerprinting features are enabled by setting the following in {{ic|about:config}}:<br />
<br />
* {{ic|privacy.resistFingerprinting}} {{ic|true}}<br />
<br />
There is no user-facing documentation about this flag, and Mozilla does not recommend users enable it, since it will break a few websites (e.g. [https://support.mozilla.org/en-US/questions/1323089 favicons] may not load, pages will feel sluggish). It exists mostly to make life easier for the Tor Browser developers. But it does automatically enable many of the features listed below (such as changing your reported timezone and user agent), as well as protection against other, lesser-known fingerprinting techniques. See the [https://bugzilla.mozilla.org/show_bug.cgi?id=1333933 tracking bug] that lists many of these features.<br />
<br />
=== Tracking protection ===<br />
<br />
Firefox gained an option for [https://support.mozilla.org/en-US/kb/tracking-protection-firefox tracking protection]. It can be enabled by setting the following in {{ic|about:config}}:<br />
<br />
* {{ic|privacy.trackingprotection.enabled}} {{ic|true}}<br />
<br />
Apart from the privacy benefits, enabling tracking protection may also speed up page loads; a [http://venturebeat.com/2015/05/24/firefoxs-optional-tracking-protection-reduces-load-time-for-top-news-sites-by-44/ 2015 measurement] found load times of top news sites reduced by 44%.<br />
<br />
Note that this is not a replacement for ad blocking extensions such as [[Browser extensions#Content blockers|uBlock Origin]] and it may or may not work with [[List of applications/Internet#Firefox_spin-offs|Firefox forks]]. If you are already running such an ad blocker with the correct lists, tracking protection might be redundant.<br />
<br />
=== Change browser time zone ===<br />
<br />
The time zone of your system can be used in browser fingerprinting. To set Firefox's time zone to UTC launch it as:<br />
<br />
$ TZ=UTC firefox<br />
<br />
Or, create a wrapper script that launches Firefox this way (for example, at {{ic|/usr/local/bin/firefox}}).<br />
<br />
=== Change user agent and platform ===<br />
<br />
You can override Firefox's user agent with the {{ic|general.useragent.override}} preference in {{ic|about:config}}.<br />
<br />
The value for the key is your browser's user agent. Select a known common one.<br />
<br />
{{Tip|<br />
* The value {{ic|Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0}} was the user agent of the Tor Browser when this was written, thus being very common. Tor Browser's user agent follows the Firefox ESR release it is based on, so check the current Tor Browser release before copying this value.<br />
* The [[#Anti-fingerprinting]] option also enables the Tor browser user agent and changes your browser platform automatically.<br />
}}<br />
<br />
{{Warning|Changing the user agent without changing to a corresponding platform will make your browser nearly unique.}}<br />
<br />
To change the platform for firefox, add the following {{ic|string}} key in {{ic|about:config}}:<br />
<br />
general.platform.override<br />
<br />
Select a known common platform that corresponds with your user agent.<br />
<br />
{{Tip|The value {{ic|Win32}} is used as the platform for the Tor browser, corresponding with the user agent provided above.}}<br />
<br />
=== WebRTC exposes LAN IP address ===<br />
<br />
To prevent websites from obtaining your local IP address via [[wikipedia:WebRTC|WebRTC]] peer connections (which requires JavaScript), open {{ic|about:config}} and set:<br />
<br />
* {{ic|media.peerconnection.ice.default_address_only}} to {{ic|true}}<br />
* {{ic|media.peerconnection.enabled}} to {{ic|false}}. (only if you want to completely disable WebRTC)<br />
<br />
You can use this [https://net.ipcalf.com/ WebRTC test page] and [https://ipleak.net/ WebRTC IP Leak VPN / Tor IP Test] to confirm that your internal/external IP address is no longer leaked.<br />
<br />
=== Disable HTTP referer ===<br />
<br />
[[Wikipedia:HTTP referer|HTTP referer]] is an optional HTTP header field that identifies the address of the previous webpage from which a link to the currently requested page was followed.<br />
<br />
Set {{ic|network.http.sendRefererHeader}} to {{ic|0}} or {{ic|1}}, depending on your [[MozillaWiki:Security/Referrer|preferences]].<br />
<br />
{{Note|Some sites use the referer header to validate where a request came from (e.g. as part of CSRF protection or hotlink prevention). Disabling this header completely may break such sites. In this case adjusting {{ic|network.http.referer.XOriginPolicy}} may provide a better solution.}}<br />
<br />
=== Disable connection tests ===<br />
<br />
By default Firefox attempts to connect to Amazon and/or Akamai servers at [https://bugzilla.mozilla.org/show_bug.cgi?id=1363651 regular] [https://bugzilla.mozilla.org/show_bug.cgi?id=1359697#c3 intervals] to test whether it has unrestricted internet access. This lets Firefox notice a [[wikipedia:Captive_portal|captive portal]] (for example a hotel, restaurant or other business that requires you to log in before reaching the internet) and prompt you to log in. The periodic probes also reveal to whoever operates those servers when your browser is running, which may leak your usage habits.<br />
<br />
To disable Captive Portal testing, in {{ic|about:config}} set:<br />
<br />
* {{ic|network.captive-portal-service.enabled}} to {{ic|false}}<br />
<br />
{{Note|A [https://www.ghacks.net/2020/02/19/why-is-firefox-establishing-connections-to-detectportal-firefox-com-on-start/ report states that] the [https://vpn.mozilla.org/ Mozilla VPN] is unable to connect when this is disabled.}}<br />
<br />
=== Disable telemetry ===<br />
<br />
Set {{ic|toolkit.telemetry.enabled}} to {{ic|false}} and/or disable it under ''Preferences > Privacy & Security > Firefox Data Collection and Use''.<br />
<br />
=== Enable "Do Not Track" header ===<br />
<br />
Set {{ic|privacy.donottrackheader.enabled}} to {{ic|true}} or toggle it in ''Preferences > Privacy & Security > Tracking Protection''<br />
<br />
{{Note|The remote server may choose to not honour the "Do Not Track" request.}}<br />
<br />
{{Warning|The "Do Not Track" header (DNT) may actually be used to fingerprint your browser, since most users leave the option disabled.}}<br />
<br />
=== Disable/enforce 'Trusted Recursive Resolver' ===<br />
<br />
Firefox 60 introduced a feature called [[mozillawiki:Trusted Recursive Resolver|Trusted Recursive Resolver]] (TRR). It bypasses the DNS servers configured in your system and instead sends all DNS requests over HTTPS to a DNS-over-HTTPS resolver, by default operated by Cloudflare. While this is significantly more secure (as "classic" DNS requests are sent in plain text over the network, and everyone along the way can snoop on them), it also makes all your DNS requests readable by Cloudflare as the operator of the default TRR servers.<br />
<br />
* If you trust DNS servers you have configured yourself more than Cloudflare's, you can disable TRR in {{ic|about:config}} by setting {{ic|network.trr.mode}} (integer, create it if it does not exist) to {{ic|5}}. (A value of 0 means disabled by default, and might be overridden by future updates - a value of 5 is disabled by choice and will not be overridden.)<br />
* If you trust Cloudflare DNS servers and would prefer extra privacy (thanks to encrypted DNS requests), you can enforce TRR by setting {{ic|network.trr.mode}} to {{ic|3}} (which completely disables classic DNS requests) or {{ic|2}} (uses TRR by default, falls back to classic DNS requests if that fails). Keep in mind that if you are using any intranet websites or trying to access computers in your local networks by their hostnames, enabling TRR may break name resolution in such cases.<br />
* If you want to encrypt your DNS requests but not use Cloudflare servers, you can point to a new DNS over HTTPS server by setting {{ic|network.trr.uri}} to your resolver URL. A list of currently available resolvers can be found in the [https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers curl wiki], along with other configuration options for TRR.<br />
<br />
=== Disable geolocation ===<br />
<br />
Set {{ic|geo.enabled}} to {{ic|false}} in {{ic|about:config}}.<br />
<br />
{{Note|This may break websites that need access to your location. One may want to simply allow location access per site, instead of disabling this feature completely.}}<br />
<br />
=== Disable 'Safe Browsing' service ===<br />
<br />
Safe Browsing offers phishing protection and malware checks, however it may send user information (e.g. URL, file hashes, etc.) to third parties like Google. Disabling it also disables the warnings for known phishing and malware sites and for suspicious downloads, so weigh that loss against the privacy gain.<br />
<br />
To disable the Safe Browsing service, in {{ic|about:config}} set: <br />
<br />
* {{ic|browser.safebrowsing.malware.enabled}} to {{ic|false}}<br />
* {{ic|browser.safebrowsing.phishing.enabled}} to {{ic|false}}<br />
<br />
In addition disable download checking, by setting {{ic|browser.safebrowsing.downloads.enabled}} to {{ic|false}}.<br />
<br />
=== Disable WebGL ===<br />
<br />
WebGL is a potential security risk.[https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern] It also exposes GPU renderer and driver details that are widely used for fingerprinting. Set {{ic|webgl.disabled}} to {{ic|true}} in {{ic|about:config}} if you want to disable it.<br />
<br />
== Extensions ==<br />
<br />
See [[Browser extensions#Privacy]].<br />
<br />
=== Disable WebAssembly (and JavaScript) ===<br />
<br />
[[wikipedia:Webassembly|WebAssembly]] (Wasm) is a binary instruction format that browsers execute in a sandboxed virtual machine at near-native speed, intended for high-performance simulations and applications; unlike JavaScript, it is shipped as ''pre-compiled code''. It has been criticized for hiding pathways for malware and, [https://trac.torproject.org/projects/tor/ticket/21549 as with JavaScript, can be used to track users]. Tor Browser disables both JavaScript and Wasm at its "Safest" security level.<br />
<br />
See ''NoScript'' in [[Browser extensions#Privacy]] to block JavaScript the way Tor Browser does, which enables quick access when needed. To disable Wasm, in {{ic|about:config}} set:<br />
<br />
* {{ic|javascript.options.wasm}} to {{ic|false}}<br />
* {{ic|javascript.options.wasm_baselinejit}} to {{ic|false}}<br />
* {{ic|javascript.options.wasm_ionjit}} to {{ic|false}}<br />
<br />
=== Remove system-wide hidden extensions ===<br />
<br />
Some extensions are hidden and installed by default in {{ic|/usr/lib/firefox/browser/features}}. Many can be safely removed via {{ic|rm ''extension-name''.xpi}}. They might not be enabled by default and may have a menu option for enabling or disabling. Note that any files removed will return upon update of the {{pkg|firefox}} package. To keep these extensions removed, consider adding the directories to {{ic|1=NoExtract=}} in {{ic|pacman.conf}}, see [[Pacman#Skip files from being installed to system]]. Some extensions include:<br />
<br />
* {{ic|doh-rollout@mozilla.org.xpi}} - DoH Roll-Out (do not remove if you chose to use [[#Disable/enforce 'Trusted Recursive Resolver']] above).<br />
* {{ic|screenshots@mozilla.org.xpi}} - Firefox Screenshots.<br />
* {{ic|webcompat-reporter@mozilla.org.xpi}} - For reporting sites that do not work correctly in Firefox, so Mozilla can improve Firefox or patch the site dynamically using the {{ic|webcompat@mozilla.org.xpi}} extension.<br />
* All combined user and system extensions are listed in {{ic|about:support}}. See [https://dxr.mozilla.org/mozilla-release/source/browser/extensions/] for a full list of system extensions including README files describing their functions.<br />
<br />
Firefox installed manually from Mozilla's tarball (e.g. extracted to {{ic|/opt}}) has its system extensions under {{ic|''installation-directory''/browser/features}}, e.g. {{ic|/opt/firefox/browser/features}}.<br />
<br />
== Web search over Searx ==<br />
<br />
Privacy can be boosted by reducing the amount of information you give to a single entity. For example, sending each new web search via a different, randomly selected proxy makes it much harder for a single search engine to build a profile of you. We can do this using public instances of [https://searx.me/ Searx], an [https://github.com/searx/searx-stats2/blob/master/LICENSE AGPL-3.0], [https://github.com/asciimoo/searx open-source] metasearch engine. Each public instance acts as a middle-man between you and a myriad of different search engines. Note that this shifts trust rather than removing it: the operator of the instance you use sees your queries and your IP address.<br />
<br />
From [https://searx.space/ this list of public instances] and [https://searx.neocities.org/nojs.html others], bookmark as many Searx sites as you wish (if JavaScript is disabled you will need to enable it temporarily to load the list). For fast access to these bookmarks, consider adding {{ic|SX1}}, {{ic|SX2}} ... {{ic|SX(n)}} to the bookmark's ''Name'' field, with {{ic|(n)}} being the number of searx instances you bookmark.<br />
<br />
After this bookmarking, simply typing {{ic|sx}}, a number and {{ic|Enter}} in the URL bar will load an instance.<br />
<br />
{{Note|Update the above bookmarks from time to time or as instances become unreliable to reduce your online fingerprint.}}<br />
<br />
{{Tip|<br />
* If you have a web server and available bandwidth, consider running a public Searx instance to help others improve their privacy ([https://searx.github.io/searx/ more info]).<br />
* For increased privacy, use Searx instances with [[Tor Browser]], which uses onion-routing to provide a degree of anonymity.<br />
* You can improve your privacy further by running a private instance of Searx locally. Install the {{AUR|searx}} package and [[start]] {{ic|uwsgi@searx.service}}. Searx will be available on http://localhost:8888/. Keep in mind that a single-user instance sends its upstream queries from your own IP address, so you lose the mixing with other users' queries that a public instance provides; combine it with [[Tor]] or a VPN if that matters to you.}}<br />
<br />
== Watch videos over Invidious ==<br />
<br />
Invidious instances act as an alternative front-end to YouTube. They are websites built from [https://github.com/iv-org/invidious open-source code]. It has typically been difficult to limit the amount of information a user sent to YouTube (Google) in order to access content.<br />
<br />
Benefits of using Invidious include:<br />
<br />
* Videos are accessible without running scripts. YouTube forces users to run scripts.<br />
* Videos can be saved for future viewing, or for viewing by others, including when offline. This reduces feedback sent to Google about when content is viewed or re-viewed.<br />
* An optional audio-only mode that reduces bandwidth usage. When combined with a browser like [[Tor]], using fewer data packets on a more lightweight website is likely to improve your anonymity.<br />
* Invidious is a free and open-source interface that makes setting up an independent, private video-hosting service easier. As such there are websites that use Invidious to serve their own content or content removed from YouTube. Therefore it may help limit the profile-building capabilities of YouTube in the future (see note).<br />
<br />
Bookmark as many ''functioning'' invidious instances from the following lists as possible ([https://github.com/iv-org/invidious/wiki/Invidious-Instances here], [https://invidio.us/ here], [https://solmu.org/pub/misc/invidio.html here]). Note that some of these instances may be hosted by Cloudflare.<br />
<br />
You can change any YouTube video URL to an Invidious one by simply replacing the {{ic|youtube.com}} part with the domain of the instance you want to use.<br />
<br />
{{Note|Invidious does not index videos from Facebook or Cloudflare servers. Additionally, content is generally still sent to users from Google servers. For added privacy, see [[Tor Browser]].}}<br />
<br />
== Enterprise policies ==<br />
<br />
Network and system-wide policies may be established through the use of [https://support.mozilla.org/en-US/kb/managing-policies-linux-desktops enterprise policies] which both supplements and overrides user configuration preferences. For example, there is no documented user preference to disable the checking of updates for beta channel releases. However, there exists an enterprise policy which can be effectively deployed as a workaround. Single and/or multiple policies may be administered through {{ic|policies.json}} as follows:<br />
<br />
* Disable application updates<br />
* Force-enable hardware acceleration<br />
<br />
{<br />
"policies": {<br />
"DisableAppUpdate": true,<br />
"HardwareAcceleration": true<br />
}<br />
}<br />
<br />
Verify that {{ic|Enterprise Policies}} is set to {{ic|Active}} in {{ic|about:support}} and review release-specific policies in {{ic|about:policies}}.<br />
<br />
== Sanitized profiles ==<br />
<br />
=== prefs.js ===<br />
<br />
Files which constitute a Firefox profile can be stripped of certain metadata. For example, a typical {{ic|prefs.js}} contains strings which identify the client and/or the user.<br />
<br />
user_pref("app.normandy.user_id", "6f469186-12b8-50fb-bdf2-209ebc482c263");<br />
user_pref("security.sandbox.content.tempDirSuffix", "2a02902b-f25c-a9df-17bb-501350287f27");<br />
user_pref("toolkit.telemetry.cachedClientID", "22e251b4-0791-44f5-91ec-a44d77255f4a");<br />
<br />
There are multiple approaches by which these strings can be reset, with the caveat that a master {{ic|prefs.js}} must first be created without such identifiers and synced into a working profile. The simplest solution is to close Firefox before copying its {{ic|prefs.js}} to a separate location:<br />
<br />
$ cp ~/.mozilla/firefox/example.default-release/prefs.js ~/prefs.sanitized.js<br />
<br />
Strip out any and all identifier strings and date codes by either setting them to 0 or removing the entries outright from the copied {{ic|prefs.js}}. Sync the now sanitized {{ic|prefs.js}} to the working profile as required (with Firefox closed, otherwise it overwrites the file on exit):<br />
<br />
$ rsync -v ~/prefs.sanitized.js ~/.mozilla/firefox/example.default-release/prefs.js<br />
<br />
{{Note|Required identifier and date code entries and/or strings will automatically be repopulated and reset to new values during the next launch of Firefox.}}<br />
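The sanitization step above, as an added example that is not part of the original page: a shell function that copies {{ic|prefs.js}}, drops the identifier prefs listed above and resets date-code prefs to {{ic|0}}, plus a check that no UUID-shaped value remains. The list of identifier prefs and the name pattern used for date codes are assumptions covering the entries shown here; review your own {{ic|prefs.js}} and extend them:<br />

```shell
# Added example, not from the wiki page: produce a sanitized prefs.js by dropping
# the identifier prefs shown above and resetting date-code prefs to 0. The list
# of identifier prefs and the date-code name pattern are assumptions that cover
# the examples on this page; review your own prefs.js and extend them.

# sanitize_prefs IN OUT
# Reads the prefs.js at IN and writes the sanitized copy to OUT. Lines that are
# not user_pref(...) calls are copied unchanged.
sanitize_prefs() {
    awk '
    BEGIN {
        # identifier prefs to drop outright
        drop["app.normandy.user_id"] = 1
        drop["toolkit.telemetry.cachedClientID"] = 1
        drop["security.sandbox.content.tempDirSuffix"] = 1
    }
    /^user_pref\("/ {
        name = $0
        sub(/^user_pref\("/, "", name)   # strip the call prefix ...
        sub(/".*$/, "", name)            # ... and everything after the name
        if (name in drop) next
        # assumed pattern for date-code prefs (e.g. app.update.lastUpdateTime.*)
        if (name ~ /lastUpdateTime|lastDailyNotification|lastCheck|lastColdStartup/) {
            printf "user_pref(\"%s\", 0);\n", name
            next
        }
    }
    { print }
    ' "$1" > "$2"
}

# remaining_uuids FILE
# Prints how many lines of FILE still contain a UUID-shaped value, which is a
# quick check that no identifier slipped through.
remaining_uuids() {
    grep -cE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' "$1" || true
}

# Demo on a constructed prefs.js (not a real profile).
demo_dir=$(mktemp -d)
cat > "$demo_dir/prefs.js" <<'EOF'
// Mozilla User Preferences
user_pref("app.normandy.user_id", "6f469186-12b8-50fb-bdf2-209ebc482c26");
user_pref("app.update.lastUpdateTime.background-update-timer", 1652727000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.sandbox.content.tempDirSuffix", "2a02902b-f25c-a9df-17bb-501350287f27");
user_pref("toolkit.telemetry.cachedClientID", "22e251b4-0791-44f5-91ec-a44d77255f4a");
EOF
sanitize_prefs "$demo_dir/prefs.js" "$demo_dir/prefs.sanitized.js"
cat "$demo_dir/prefs.sanitized.js"
echo "UUIDs remaining: $(remaining_uuids "$demo_dir/prefs.sanitized.js")"
rm -rf "$demo_dir"
```

Run {{ic|remaining_uuids}} against the sanitized file before syncing it into the profile; any count other than 0 means an identifier pref not in the drop list survived and should be added to it.<br />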
<br />
A secondary privacy effect is also incurred which can be witnessed by examining the string results between a sanitized {{ic|prefs.js}} versus a working {{ic|prefs.js}} at [https://fingerprintjs.com/demo Fingerprint JS API Demo].<br />
<br />
=== extensions.json ===<br />
<br />
Assuming that extensions are installed, the {{ic|extensions.json}} file lists all profile extensions and their settings. Of note is the location of the user home directory where the {{ic|.mozilla}} and {{ic|extensions}} folder exist by default. Unwanted background updates may be disabled by setting {{ic|applyBackgroundUpdates}} to the appropriate {{ic|0}} value. Of minor note are {{ic|installDate}} and {{ic|updateDate}}. [[Bubblewrap#Firefox|Bubblewrap]] can effectively mask the username and location of the home directory at which time the {{ic|extensions.json}} file may be sanitized and modified to point to the sandboxed {{ic|HOME}} location.<br />
<br />
{"schemaVersion":31,"addons":[{"id":"uBlock0@raymondhill.net","syncGUID":"{0}","version":"0","type":"extension","optionsURL":"dashboard.html","optionsType":3,"optionsBrowserStyle":true,"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":0,"updateDate":0,"applyBackgroundUpdates":0,"path":"/home/r/.mozilla/firefox/example.default-release/extensions/uBlock0@raymondhill.net.xpi","skinnable":false,"softDisabled":false,"foreignInstall":true,"strictCompatibility":true}]}<br />
<br />
Removal of similar metadata from {{ic|addonStartup.json.lz4}} and {{ic|search.json.mozlz4}} can also be accomplished. [https://github.com/jusw85/mozlz4 mozlz4] is a command-line tool which provides compression/decompression support for Mozilla (non-standard) LZ4 files.<br />
<br />
== Removal of subsystems ==<br />
<br />
{{Expansion|The deleted files will be back after upgrading the package, add them to [[pacman#Skip files from being installed to system|NoExtract]] instead.}}<br />
<br />
Telemetry related to [https://firefox-source-docs.mozilla.org/toolkit/crashreporter/crashreporter/index.html crash reporting] may be disabled by removing the following:<br />
<br />
/usr/lib/firefox/crashreporter<br />
/usr/lib/firefox/minidump-analyzer<br />
/usr/lib/firefox/pingsender<br />
<br />
For those who have opted to install Firefox manually from official Mozilla sources, the updater system may be disabled by removing {{ic|updater}} in the {{ic|firefox}} directory.<br />
<br />
== Editing the contents of omni.ja ==<br />
<br />
This [https://developer.mozilla.org/en-US/docs/Mozilla/About_omni.ja_(formerly_omni.jar) Mozilla-optimized zip file]{{Dead link|2021|11|10|status=404}} contains most of the default configuration settings used by Firefox. As an example, starting from Firefox 73, network calls to {{ic|firefox.settings.services.mozilla.com}} and/or {{ic|content-signature-2.cdn.mozilla.net}} cannot be blocked by extensions or by setting the corresponding preference URLs to an empty string. Aside from using a DNS sinkhole or firewalling resolved IP blocks, one solution is to {{man|1|grep}} through the extracted contents of {{ic|omni.ja}} and remove all references to {{ic|firefox.settings.services.mozilla.com}} and/or {{ic|cdn.mozilla.net}}. Extraneous modules such as unused dictionaries and hyphenation files can also be removed in order to reduce the size of {{ic|omni.ja}} for both security and performance reasons.<br />
<br />
To repack/rezip, use the command {{ic|zip -0DXqr omni.ja *}} and make sure that your working directory is the root directory of the files from the {{ic|omni.ja}} file (eg. {{ic|<s>(...) -0DXqr omni.ja path/to/omni/*</s>}} will not work) as stated at the Mozilla page.<br />
<br />
{{Note|Certain features may be inhibited or lost as a result of modifying the contents of {{ic|omni.ja}}. It is up to the user to determine whether the gain in privacy is worth the loss of expected usability.}}<br />
<br />
== Hardened user.js templates ==<br />
<br />
Several active projects maintain comprehensive hardened Firefox configurations in the form of a {{ic|user.js}} file that can be dropped into the Firefox profile directory:<br />
<br />
* [https://github.com/arkenfox/user.js arkenfox/user.js]<br />
* [https://github.com/pyllyukko/user.js pyllyukko/user.js]<br />
* [https://ffprofile.com/ ffprofile.com] ([https://github.com/allo-/firefox-profilemaker github]) - online user.js generator. You select which features you want to enable and disable and in the end you get a download link for a zip-file with your profile template. You can for example disable some functions, which send data to Mozilla and Google, or disable several annoying Firefox functions like Mozilla Hello or the Pocket integration.<br />
<br />
== See also ==<br />
<br />
* [https://www.privacytools.io/#addons privacytools.io Firefox Privacy Add-ons]<br />
* [https://prism-break.org/en/categories/gnu-linux/#web-browser-addons prism-break.org Web Browser Addons]<br />
* [[MozillaWiki:Privacy/Privacy Task Force/firefox about config privacy tweeks]] - a wiki page maintained by Mozilla with descriptions of privacy specific settings.<br />
* [https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections How to stop Firefox from making automatic connections] - Is an annotated list of corresponding Firefox functionality and settings to disable it case-by-case.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Guix&diff=707743Guix2021-12-28T06:53:22Z<p>Kiasoc5: Update contents of guix installed with the installation script. Remove /etc/profile/guix.sh as the installer includes it now.</p>
<hr />
<div>[[Category:Package manager]]<br />
[[ja:Guix]]<br />
{{Warning|Guix is '''not''' the [[pacman|official package manager of Arch]]. It is also still under heavy development. Some packages may currently fail to build on Arch.}}<br />
[https://www.gnu.org/software/guix/ GNU Guix] is a package manager that offers transactional, reproducible, per-user package management.<br />
While Guix can be used stand-alone and provide a full GNU distribution and a kernel by itself, you can install the Guix package manager on top of Arch to make Guix available to users while using a more traditional and mature Unix-like system as a base.<br />
<br />
See the [https://guix.gnu.org/manual/en/ Guix manual] for information on what per-user packaging commands Guix makes available to users.<br />
<br />
== Installation ==<br />
<br />
{{Expansion|The Guix reference manual says {{ic|nscd.service}} should be enabled but it is not clear if {{ic|nscd}} works properly on Arch or if it is even required.}}<br />
On Arch Linux you can install Guix either using the AUR or manually as described in the Guix Manual.<br />
Installing using the AUR has the advantage that pacman is aware of the package and the extra files in the {{ic|/usr}} file tree. But contrarily to other AUR packages, uninstalling the package does not unwind the entire Guix installation.<br />
Since Guix is a package manager by itself and it can also update itself, you still have to manually uninstall the files installed via Guix (no matter whether you installed the AUR package or the manual installation).<br />
Therefore, after updating Guix once, the AUR advantage really turns into a disadvantage, as there will be many unnecessary files in the {{ic|/usr}} file tree that are part of the Guix AUR package but that are never used by Guix anymore.<br />
Consider using the manual installation instead.<br />
<br />
=== Manual Installation ===<br />
<br />
For the manual installation, see [https://guix.gnu.org/manual/html_node/Installation.html#Installation chapter Installation] of the Guix manual.<br />
The easiest way is to use the shell installer script linked in there.<br />
<br />
As of December 2021 this script installs files into the following locations:<br />
* {{ic|/gnu/store}}, {{ic|/var/guix}} (the Guix store)<br />
* {{ic|/usr/local/share/info}}, {{ic|/usr/local/bin}} (only symlinks)<br />
* {{ic|/root/.config/guix}} (a symlink to the current profile)<br />
* {{ic|/etc/guix/acl}} (keys for substitute servers)<br />
* {{ic|/etc/profile.d/guix.sh}} (sets environment variables to put the current Guix profile first in the PATH)<br />
* {{ic|/etc/bash_completion.d/guix}}, {{ic|/usr/share/zsh/site-functions/_guix}}, {{ic|/usr/share/fish/vendor_completions.d/guix.fish}} (shell completions for Bash, Zsh, and Fish)<br />
<br />
Furthermore it installs and enables a systemd service called {{ic|guix-daemon.service}}, and creates users {{ic|guixbuilder01}} ... {{ic|guixbuilder10}} and a group {{ic|guixbuild}}.<br />
<br />
Now start a new login shell (alternatively reboot your machine) and you can start using Guix:<br />
<br />
# guix install glibc-locales<br />
<br />
=== AUR Package Installation ===<br />
<br />
{{Note|The build check currently fails if {{ic|/bin/sh}} is not a link to bash, which is not a problem on a default Arch installation.}}<br />
{{Note|As of 13.05.2018 ''guix-environment-container'' test fails during makepkg build if [[Makepkg#Building_from_files_in_memory|BUILDDIR environment variable]] points to tmpfs mount.}}<br />
<br />
GNU Guix is available in the AUR as {{AUR|guix}}. As described in the {{ic|PKGBUILD}}, the PGP key by the Guix distributor will need to be added first.<br />
<br />
Guix makes builds more reproducible by running the build process under unprivileged build user accounts. Therefore, if you want to be able to build {{ic|''n''}} packages simultaneously (e.g. for serving multiple users at the same time), you should create {{ic|''n''}} build user accounts, one per concurrent build. The following commands do this the way described in the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual]; replace {{ic|''n''}} with the desired number, e.g. {{ic|10}} for ten users:<br />
<br />
# groupadd --system guixbuild<br />
# for i in `seq -w 1 ''n''`;<br />
do<br />
useradd -g guixbuild -G guixbuild \<br />
-d /var/empty -s `which nologin` \<br />
-c "Guix build user $i" --system \<br />
guixbuilder$i;<br />
done<br />
<br />
[[Systemd#Using units|Start and enable]] {{ic|guix-daemon.service}}.<br />
<br />
You may want to authorize Guix to download and use binary packages (‘substitutes’) from the [https://ci.guix.gnu.org Guix Official Substitute Server]:<br />
<br />
# guix archive --authorize < /usr/share/guix/ci.guix.gnu.org.pub<br />
<br />
== Building packages outside of /tmp ==<br />
<br />
The unit file may need to be extended to use a different {{ic|TMPDIR}} for building if {{ic|/tmp}} does not provide enough space (see the [https://www.gnu.org/software/guix/manual/html_node/Build-Environment-Setup.html#Build-Environment-Setup Guix manual] for details). To use {{ic|''/tmpdir''}} for building instead of {{ic|/tmp}}, run<br />
<br />
# systemctl edit guix-daemon.service<br />
<br />
to add the following lines:<br />
<br />
{{bc|1=<br />
[Service]<br />
Environment=TMPDIR=''/tmpdir''<br />
}}<br />
<br />
== Uninstalling Guix ==<br />
<br />
Stop and disable {{ic|guix-daemon.service}}.<br />
If you installed Guix as an AUR package, then remove Guix using [[pacman]].<br />
<br />
Remove {{ic|/etc/systemd/system/guix-daemon.service}}, {{ic|/etc/systemd/system/guix-daemon.service.d}}, and {{ic|/etc/profile.d/guix.sh}} if they exist.<br />
<br />
Now remove all the Guix build users and their group:<br />
<br />
# for i in `seq -w 1 ''n''`; do userdel guixbuilder$i; done<br />
# groupdel guixbuild<br />
<br />
Then remove the Guix store {{ic|/gnu}} as well as {{ic|/var/guix}} and {{ic|/var/log/guix}}. <br />
Remove stale symlinks in {{ic|/usr/local/share/info}} and {{ic|/usr/local/bin}}.<br />
Also remove {{ic|/etc/guix/acl}} and the shell completion files specific to Guix.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Unified_Extensible_Firmware_Interface/Secure_Boot&diff=706708Unified Extensible Firmware Interface/Secure Boot2021-12-19T23:40:56Z<p>Kiasoc5: /* Update unified kernel image wiki link */</p>
<hr />
<div>[[Category:Boot process]]<br />
[[ja:セキュアブート]]<br />
[[zh-hans:Unified Extensible Firmware Interface (简体中文)/Secure Boot]]<br />
{{Related articles start}}<br />
{{Related|Arch boot process}}<br />
{{Related|Unified Extensible Firmware Interface}}<br />
{{Related|Security}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:Unified_Extensible_Firmware_Interface#Secure_boot|Secure Boot]] is a security feature found in the [[UEFI]] standard, designed to add a layer of protection to the [[Arch_boot_process|pre-boot process]]: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine's core boot components (boot manager, kernel, initramfs) have not been tampered with.<br />
<br />
As such it can be seen as a continuation or complement to the efforts in [[Security|securing]] one's computing environment, reducing the attack surface that other software security solutions such as [[Dm-crypt/Encrypting_an_entire_system|system encryption]] cannot easily [[Dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB)|cover]], while being totally distinct and not dependent on them. Secure Boot just stands on its own as a component of current security practices, with its own set of pros and [[wikipedia:Unified_Extensible_Firmware_Interface#Secure_Boot_2|cons]].<br />
<br />
{{Note|For a deeper overview about Secure Boot in Linux, see [https://www.rodsbooks.com/efi-bootloaders/secureboot.html Rodsbooks' Secure Boot] article and [[#See also|other online resources]]. This article focuses on how to set up Secure Boot in Arch Linux.}}<br />
<br />
== Checking Secure Boot status ==<br />
<br />
=== Before booting the OS ===<br />
<br />
At this point, one has to look at the firmware setup. If the machine was booted and is running, in most cases it will have to be rebooted. <br />
<br />
You may access the firmware configuration by pressing a special key during the boot process. The key to use depends on the firmware. It is usually one of {{ic|Esc}}, {{ic|F2}}, {{ic|Del}} or possibly another {{ic|F''n''}} key. Sometimes the right key is displayed for a short while at the beginning of the boot process. The motherboard manual usually records it. You might want to press the key, and keep pressing it, immediately following powering on the machine, even before the screen actually displays anything.<br />
<br />
After entering the firmware setup, be careful not to change any settings without prior intention. Usually there are navigation instructions, and short help for the settings, at the bottom of each setup screen. The setup itself might be composed of several pages. You will have to navigate to the correct place. The interesting setting might be simply denoted by secure boot, which can be set on or off.<br />
<br />
=== After booting the OS ===<br />
<br />
An easy way to check Secure Boot status on systems using [[systemd]] is to use [[systemd-boot]]:<br />
<br />
{{Note|There is no need to use systemd-boot as your boot manager for this command to work; {{ic|bootctl}} is more akin to the other *ctl systemd utilities (localectl, timedatectl...) and will not touch your configuration.}}<br />
<br />
{{bc|$ bootctl status<br />
System:<br />
Firmware: UEFI 2.70 (American Megatrends 5.15)<br />
Secure Boot: enabled<br />
Setup Mode: user<br />
Boot into FW: supported<br />
...}}<br />
<br />
Here we see that Secure Boot is enabled and enforced; other values are {{ic|disabled}} for Secure Boot and {{ic|setup}} for Setup Mode[https://github.com/systemd/systemd/issues/8154#issue-296106251].<br />
<br />
{{Accuracy|This command might display more than five digits even though secure boot is enabled.}}<br />
<br />
Another way to check whether the machine was booted with Secure Boot is to use this command:<br />
<br />
$ od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*<br />
<br />
If Secure Boot is enabled, this command returns {{ic|1}} as the final integer in a list of five, for example:<br />
<br />
6 0 0 0 1<br />
<br />
Note, however, that the kernel may be unaware of Secure Boot (even if it is enabled in the firmware) if an insufficiently capable boot loader is used. This can be verified by checking the kernel messages shortly after the system starts up:<br />
<br />
{{hc|# dmesg {{!}} grep -i secure|<br />
[ 0.013442] Secure boot disabled<br />
[ 0.013442] Secure boot could not be determined<br />
}}<br />
<br />
The kernel messages will otherwise read {{ic|Secure boot enabled}}.<br />
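Added example, not part of the wiki page: a Python reader for the {{ic|SecureBoot}} and {{ic|SetupMode}} variables that decodes the 4-byte attribute header which makes the {{ic|od}} output above five bytes long for a one-byte variable. The variable GUID is the standard EFI global variable GUID; the sample byte strings are constructed to match the output shown above.

```python
"""Decode the SecureBoot and SetupMode EFI variables as exposed by efivarfs.

Every file under /sys/firmware/efi/efivars/ starts with a 4-byte little-endian
attribute bitmask followed by the variable data, which is why `od` prints
"6 0 0 0 1" for the one-byte SecureBoot variable.
"""
import struct
from pathlib import Path
from typing import List, Optional, Tuple

EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE, the vendor GUID of SecureBoot/SetupMode
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# EFI_VARIABLE_* attribute bits from the UEFI specification
ATTR_NAMES = {
    0x1: "NON_VOLATILE",
    0x2: "BOOTSERVICE_ACCESS",
    0x4: "RUNTIME_ACCESS",
    0x8: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file image into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs image shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def attribute_names(attrs: int) -> List[str]:
    """Human-readable names of the attribute bits that are set."""
    return [name for bit, name in ATTR_NAMES.items() if attrs & bit]


def boolean_var(raw: bytes) -> bool:
    """Interpret a UINT8 UEFI variable such as SecureBoot or SetupMode."""
    _, payload = parse_efivar(raw)
    if not payload:
        raise ValueError("variable carries no data byte")
    # Only the first data byte is defined; a value of 1 means "on".
    return payload[0] == 1


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: Optional[bytes]) -> str:
    """Summarize the firmware state the way `bootctl status` reports it."""
    enabled = boolean_var(secure_boot_raw)
    if setup_mode_raw is None:
        return "enabled (setup mode unknown)" if enabled else "disabled"
    if boolean_var(setup_mode_raw):
        # With no Platform Key enrolled nothing is enforced, whatever SecureBoot says.
        return "setup mode (not enforcing)"
    return "enabled, user mode (enforcing)" if enabled else "disabled, user mode"


def read_var(name: str) -> Optional[bytes]:
    """Read a global-scope variable from efivarfs, or None if it is absent."""
    path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return path.read_bytes()
    except (FileNotFoundError, PermissionError):
        return None


# Constructed sample images: attributes 0x06 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
# followed by the one data byte, exactly the layout behind "6 0 0 0 1".
SAMPLE_SECUREBOOT_ON = bytes([6, 0, 0, 0, 1])
SAMPLE_SECUREBOOT_OFF = bytes([6, 0, 0, 0, 0])
SAMPLE_SETUPMODE_USER = bytes([6, 0, 0, 0, 0])
SAMPLE_SETUPMODE_SETUP = bytes([6, 0, 0, 0, 1])

if __name__ == "__main__":
    sb = read_var("SecureBoot")
    if sb is None:
        print("SecureBoot variable not readable here; using the constructed sample")
        sb, sm = SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_USER
    else:
        sm = read_var("SetupMode")
    attrs, _ = parse_efivar(sb)
    print("attributes:", ", ".join(attribute_names(attrs)))
    print("Secure Boot:", secure_boot_state(sb, sm))
```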
<br />
== Booting an installation medium ==<br />
<br />
{{Note|The official installation image does not support Secure Boot ({{Bug|53864}}). To successfully boot the installation medium you will need to [[#Disabling Secure Boot|disable Secure Boot]].}}<br />
<br />
Secure Boot support was initially added in {{ic|archlinux-2013.07.01-dual.iso}} and later removed in {{ic|archlinux-2016.06.01-dual.iso}}. At that time ''prebootloader'' was replaced with {{pkg|efitools}}, even though the latter uses unsigned EFI binaries. There has been no support for Secure Boot in the official installation medium ever since.<br />
<br />
=== Disabling Secure Boot ===<br />
<br />
The Secure Boot feature can be disabled via the UEFI firmware interface. How to access the firmware configuration is described in [[#Before booting the OS]].<br />
<br />
If using a hotkey did not work and you can boot Windows, you can force a reboot into the firmware configuration in the following way (for Windows 10): ''Settings > Update & Security > Recovery > Advanced startup (Restart now) > Troubleshoot > Advanced options > UEFI Firmware settings > restart''.<br />
<br />
Note that some motherboards (this is the case on a Packard Bell laptop) only allow disabling Secure Boot if an administrator password has been set (it can be removed afterwards). See also [https://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable Rod Smith's Disabling Secure Boot].<br />
<br />
=== Remastering the installation image ===<br />
<br />
{{Expansion|Add explicit instructions.}}<br />
<br />
One might want to [[Remastering the Install ISO|remaster the Install ISO]] in a way described by previous topics of this article. For example, the signed EFI applications {{ic|PreLoader.efi}} and {{ic|HashTool.efi}} from [[#PreLoader]] can be adopted here. Another option would be to borrow the {{ic|BOOTx64.EFI}} (shim) and {{ic|grubx64.efi}} from installation media of another GNU+Linux distribution that supports Secure Boot and modify the GRUB configuration to one's needs. In this case, the authentication chain of Secure Boot in said distribution's installation media should end at the {{ic|grubx64.efi}} ([https://www.linux-magazine.com/index.php/layout/set/print/Issues/2014/164/The-State-of-Secure-Boot/(tagid)/154 for example Ubuntu]) so that GRUB would boot the unsigned kernel and initramfs from archiso. Note that up to this point, the article assumed one can access the [[ESP]] of the machine. But when installing a machine that never had an OS before, there is no ESP present. You should explore other articles, for example [[Unified Extensible Firmware Interface#Create UEFI bootable USB from ISO]], to learn how this situation should be handled.<br />
<br />
== Implementing Secure Boot ==<br />
<br />
There are certain conditions making for an ideal setup of ''Secure boot'':<br />
<br />
# UEFI considered mostly trusted (despite having some well known [[Wikipedia:Unified_Extensible_Firmware_Interface#Criticism|criticisms]] and vulnerabilities[https://www.uefi.org/sites/default/files/resources/UEFI%20Firmware%20-%20Security%20Concerns%20and%20Best%20Practices.pdf]) and necessarily [[#Protecting Secure Boot|protected by a strong password]]<br />
# Default manufacturer/third party keys aren't in use, as they have been shown to weaken the security model of Secure Boot by a great margin[https://habr.com/ru/post/446238/]<br />
# UEFI directly loads a user-signed [[EFISTUB]] combined kernel image (no boot manager), including microcode (if applicable) and initramfs so as to maintain throughout the boot process the chain of trust established by Secure Boot and reduce the attack surface<br />
# Use of [[dm-crypt/Encrypting an entire system|full drive encryption]], so that the tools and files involved in the kernel image creation and signing process cannot be accessed and tampered with by someone having physical access to the machine.<br />
# Some further improvements may be obtained by using a [[TPM]], although tooling and support makes this harder to implement.<br />
<br />
A simple and fully self-reliant setup is described in [[#Using your own keys]], while [[#Using a signed boot loader]] makes use of intermediate tools signed by a third-party.<br />
<br />
=== Using your own keys ===<br />
<br />
{{Warning|Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the UEFI/BIOS settings to rectify the situation. This is due to the fact that some device firmware (e.g. GPU [[Wikipedia:OpROM|OpROMs]]) that gets executed during boot is signed using Microsoft's key.}}<br />
<br />
Secure Boot implementations use these keys:<br />
<br />
; Platform Key (PK): Top-level key.<br />
; Key Exchange Key (KEK): Keys used to sign Signatures Database and Forbidden Signatures Database updates.<br />
; Signature Database (db): Contains keys and/or hashes of allowed EFI binaries.<br />
; Forbidden Signatures Database (dbx): Contains keys and/or hashes of denylisted EFI binaries.<br />
<br />
See [https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/ The Meaning of all the UEFI Keys] for a more detailed explanation.<br />
<br />
To use Secure Boot you need at least '''PK''', '''KEK''' and '''db''' keys. While you can add multiple KEK, db and dbx certificates, only one Platform Key is allowed.<br />
<br />
Once Secure Boot is in "User Mode" keys can only be updated by signing the update (using ''sign-efi-sig-list'') with a higher level key. Platform key can be signed by itself.<br />
<br />
==== Install efitools ====<br />
<br />
Nearly all of the following sections require you to [[install]] the {{Pkg|efitools}} package.<br />
<br />
==== Backing up current variables ====<br />
<br />
Before creating new keys and modifying EFI variables, it is advisable to back up the current variables, so that they may be restored in case of error.<br />
<br />
Run the following commands to back up all four of the principal Secure Boot variables:<br />
<br />
$ efi-readvar -v PK -o old_PK.esl<br />
$ efi-readvar -v KEK -o old_KEK.esl<br />
$ efi-readvar -v db -o old_db.esl<br />
$ efi-readvar -v dbx -o old_dbx.esl<br />
<br />
If you perform these commands on a new computer or motherboard, the variables you extract will most likely be the ones provided by Microsoft.<br />
<br />
==== Creating keys ====<br />
<br />
===== Manual process =====<br />
<br />
To generate keys, perform the following steps.<br />
<br />
You will need private keys and certificates in multiple formats:<br />
<br />
; ''.key'': PEM format '''private''' keys for EFI binary and EFI signature list signing.<br />
; ''.crt'': PEM format certificates for {{man|1|sbsign}}, {{man|1|sbvarsign}} and {{man|1|sign-efi-sig-list}}.<br />
; ''.cer'': DER format certificates for firmware.<br />
; ''.esl'': Certificates in an EFI Signature List for {{man|1|sbvarsign}}, {{man|1|efi-updatevar}}, ''KeyTool'' and firmware.<br />
; ''.auth'': Certificates in an EFI Signature List with an authentication header (i.e. a signed certificate update file) for {{man|1|efi-updatevar}}, ''sbkeysync'', ''KeyTool'' and firmware.<br />
<br />
Create a [[Wikipedia:Globally unique identifier|GUID]] for owner identification:<br />
<br />
$ uuidgen --random > GUID.txt<br />
<br />
Platform key:<br />
<br />
$ openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days ''3650'' -subj "/CN=''my Platform Key''/" -out PK.crt<br />
$ openssl x509 -outform DER -in PK.crt -out PK.cer<br />
$ cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl<br />
$ sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth<br />
<br />
Sign an empty file to allow removing Platform Key when in "User Mode":<br />
<br />
$ sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth<br />
<br />
Key Exchange Key:<br />
<br />
$ openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days ''3650'' -subj "/CN=''my Key Exchange Key''/" -out KEK.crt<br />
$ openssl x509 -outform DER -in KEK.crt -out KEK.cer<br />
$ cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl<br />
$ sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth<br />
<br />
Signature Database key:<br />
<br />
$ openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days ''3650'' -subj "/CN=''my Signature Database key''/" -out db.crt<br />
$ openssl x509 -outform DER -in db.crt -out db.cer<br />
$ cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl<br />
$ sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth<br />
<br />
===== Helper scripts =====<br />
<br />
A helper/convenience script is offered by the author of the reference page on this topic[https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#creatingkeys] (requires [[python]]). A mildly edited version is also packaged as {{AUR|sbkeys}}.<br />
<br />
In order to use it, simply create a folder in a secure location (e.g. {{ic|/etc/efi-keys/}} if later use of {{AUR|sbupdate-git}} to automate unified kernel image creation and signing is planned) and run it:<br />
<br />
# mkdir /etc/efi-keys<br />
# cd !$<br />
# curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh<br />
# chmod +x mkkeys.sh<br />
# ./mkkeys.sh<br />
<Enter a Common Name to embed in the keys, e.g. "Secure Boot"><br />
<br />
This will produce the required files in different formats.<br />
<br />
===== Updating keys =====<br />
<br />
Once Secure Boot is in "User Mode" any changes to KEK, db and dbx need to be signed with a higher level key.<br />
<br />
For example, if you wanted to replace your db key with a new one:<br />
<br />
# [[#Creating keys|Create the new key]],<br />
# Convert it to EFI Signature List,<br />
# Sign the EFI Signature List,<br />
# Enroll the signed certificate update file.<br />
<br />
$ cert-to-efi-sig-list -g "$(< GUID.txt)" ''new_db''.crt ''new_db''.esl<br />
$ sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db ''new_db''.esl ''new_db''.auth<br />
<br />
If instead of replacing your db key, you want to '''add''' another one to the Signature Database, you need to use the option {{ic|-a}} (see {{man|1|sign-efi-sig-list}}):<br />
<br />
$ sign-efi-sig-list '''-a''' -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db ''new_db''.esl ''new_db''.auth<br />
<br />
When {{ic|''new_db''.auth}} is created, [[#Enrolling keys in firmware|enroll it]].<br />
<br />
==== Signing EFI binaries ====<br />
<br />
When ''Secure Boot'' is active (i.e. in "User Mode"), only signed EFI binaries (e.g. applications, [[Unified Extensible Firmware Interface#UEFI drivers|drivers]], [[unified kernel image]]s) can be launched.<br />
<br />
===== Manually with sbsigntools =====<br />
<br />
Install {{Pkg|sbsigntools}} to sign EFI binaries with {{man|1|sbsign}}.<br />
<br />
{{Tip|<br />
* To check if a binary is signed and list its signatures use {{ic|sbverify --list ''/path/to/binary''}}.<br />
* The [[rEFInd]] boot manager's {{ic|refind-install}} script can sign rEFInd EFI binaries and copy them together with the db certificates to the ESP. See [[rEFInd#Using your own keys]] for instructions.<br />
}}<br />
<br />
{{Note|If running ''sbsign'' without {{ic|--output}} the resulting file will be {{ic|''filename''.signed}}. See {{man|1|sbsign}} for more information.}}<br />
<br />
To sign your kernel and boot manager use ''sbsign'', e.g.:<br />
<br />
# sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux<br />
# sbsign --key db.key --cert db.crt --output ''esp''/EFI/BOOT/BOOTx64.EFI ''esp''/EFI/BOOT/BOOTx64.EFI<br />
<br />
{{Warning|Signing the kernel only will not protect the initramfs from tampering. See [[Unified kernel image]] to learn how to produce a combined image that you can then manually sign with ''sbsign''.}}<br />
<br />
===== Signing the kernel with a pacman hook =====<br />
<br />
You can also use mkinitcpio's [[pacman hook]] to sign the kernel on install and updates.<br />
<br />
Copy {{ic|/usr/share/libalpm/hooks/90-mkinitcpio-install.hook}} to {{ic|/etc/pacman.d/hooks/90-mkinitcpio-install.hook}} and {{ic|/usr/share/libalpm/scripts/mkinitcpio-install}} to {{ic|/usr/local/share/libalpm/scripts/mkinitcpio-install}}.<br />
<br />
In {{ic|/etc/pacman.d/hooks/90-mkinitcpio-install.hook}}, replace:<br />
<br />
Exec = /usr/share/libalpm/scripts/mkinitcpio-install<br />
<br />
with:<br />
<br />
Exec = /usr/local/share/libalpm/scripts/mkinitcpio-install<br />
<br />
In {{ic|/usr/local/share/libalpm/scripts/mkinitcpio-install}}, replace:<br />
<br />
install -Dm644 "${line}" "/boot/vmlinuz-${pkgbase}"<br />
<br />
with:<br />
<br />
sbsign --key ''/path/to/''db.key --cert ''/path/to/''db.crt --output "/boot/vmlinuz-${pkgbase}" "${line}"<br />
<br />
If you are using systemd-boot, there is a [[Systemd-boot#Automatic_update|dedicated pacman hook]] doing this task semi-automatically.<br />
<br />
===== Fully automated unified kernel generation and signing with sbupdate =====<br />
<br />
[https://github.com/andreyv/sbupdate sbupdate] is a tool made specifically to automate unified kernel image generation and signing on Arch Linux. It handles installation, removal and updates of kernels through [[pacman hooks]].<br />
<br />
Install {{AUR|sbupdate-git}} and configure it following the instructions given on the project's homepage.[https://github.com/andreyv/sbupdate#sbupdate]<br />
<br />
{{Tip|If using [[systemd-boot]], set {{ic|1=OUT_DIR="EFI/Linux"}} to get your signed kernel images directly recognized without needing configuration. See {{man|7|systemd-boot|FILES}} and [[Systemd-boot#Adding loaders]].}}<br />
<br />
Once configured, simply run {{ic|sbupdate}} as root for first-time image generation.<br />
<br />
{{Note|''sbupdate'' output often contains errors such as {{ic|warning: data remaining[26413568 vs 26423180]: gaps between PE/COFF sections?}}. Those are harmless and can be safely ignored.[https://github.com/andreyv/sbupdate/issues/30]}}<br />
<br />
==== Putting firmware in "Setup Mode" ====<br />
<br />
Secure Boot is in Setup Mode when the Platform Key is removed. To put firmware in Setup Mode, enter firmware setup utility and find an option to delete or clear certificates. How to enter the setup utility is described in [[#Before booting the OS]].<br />
<br />
==== Enrolling keys in firmware ====<br />
<br />
Use one of the following methods to enroll '''db''', '''KEK''' and '''PK''' certificates.<br />
<br />
{{Tip|As the '''dbx''' (forbidden signatures db) is empty, it can be safely left out in the following instructions.}}<br />
<br />
{{Warning|Enrolling Platform Key sets Secure Boot in "User Mode", leaving "Setup Mode", so it should be enrolled last in sequence.}}<br />
<br />
===== Using sbkeysync =====<br />
<br />
Install {{Pkg|sbsigntools}}. Create a directory {{ic|/etc/secureboot/keys}} with the following directory structure:<br />
<br />
/etc/secureboot/keys<br />
├── db<br />
├── dbx<br />
├── KEK<br />
└── PK<br />
<br />
For example using:<br />
<br />
# mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}<br />
<br />
Then copy each of the ''.auth'' files that were generated earlier into their respective locations (for example, {{ic|PK.auth}} into {{ic|/etc/secureboot/keys/PK}} and so on).<br />
<br />
See what changes {{ic|sbkeysync}} will make to your system's UEFI keystore:<br />
<br />
# sbkeysync --pk --dry-run --verbose<br />
<br />
Finally, use {{ic|sbkeysync}} to enroll your keys.<br />
<br />
# sbkeysync --verbose<br />
# sbkeysync --verbose --pk<br />
<br />
{{Tip|If using {{ic|sbkeysync}} returns write errors, first run {{ic|1=chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*}} immediately prior to issuing commands with {{ic|sbkeysync}} to temporarily change file attributes, enabling writing of the EFI keys within the {{ic|efivars}} directory. See {{man|1|chattr}}.}}<br />
<br />
On next boot the UEFI should be back in User Mode and enforcing Secure Boot policy.<br />
<br />
===== Using firmware setup utility =====<br />
<br />
Copy all {{ic|*.cer}}, {{ic|*.esl}}, {{ic|*.auth}} to a [[FAT]] formatted file system (you can use [[EFI system partition]]).<br />
<br />
Launch the firmware setup utility and enroll the '''db''', '''KEK''' and '''PK''' certificates. Firmware interfaces differ considerably; see [https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#setuputil Replacing Keys Using Your Firmware's Setup Utility] for an example of how to enroll keys.<br />
<br />
If the tool supports it, prefer ''.auth'' and ''.esl'' files over ''.cer''.<br />
<br />
===== Using KeyTool =====<br />
<br />
{{ic|KeyTool.efi}} is in the {{Pkg|efitools}} package; copy it to the ESP. To be able to use it after enrolling keys, sign it with {{ic|sbsign}}:<br />
<br />
# sbsign --key db.key --cert db.crt --output ''esp''/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi<br />
<br />
Launch {{ic|KeyTool-signed.efi}} using firmware setup utility, boot loader or [[Unified Extensible Firmware Interface#UEFI Shell|UEFI Shell]] and enroll keys.<br />
<br />
See [https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#keytool Replacing Keys Using KeyTool] for explanation of KeyTool menu options.<br />
<br />
==== Dual booting with other operating systems ====<br />
<br />
===== Microsoft Windows =====<br />
<br />
{{Expansion|Is it possible to boot Windows by signing its bootloader with a [[#Creating keys|custom key]]?|section=Booting Windows with custom bootloader signature}}<br />
<br />
To [[dual boot with Windows]], you would need to add Microsoft's certificates to the Signature Database. [https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance#14-signature-databases-db-and-dbx Microsoft has two db certificates]:<br />
<br />
* [https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt Microsoft Windows Production PCA 2011] for Windows<br />
* [https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt Microsoft Corporation UEFI CA 2011] for third-party binaries like UEFI drivers, option ROMs etc.<br />
<br />
Create EFI Signature Lists from Microsoft's DER format certificates using Microsoft's GUID ({{ic|77fa9abd-0359-4d32-bd60-28f4e78f784b}}) and combine them in one file for simplicity:<br />
<br />
$ sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt<br />
$ sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt<br />
$ cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl<br />
<br />
Sign a db update with your KEK. Use {{ic|sign-efi-sig-list}} with option {{ic|-a}} to '''add''' not replace a db certificate:<br />
<br />
$ sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_db.esl add_MS_db.auth<br />
<br />
Follow [[#Enrolling keys in firmware]] to add {{ic|add_MS_db.auth}} to Signature Database.<br />
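Added example, not part of the wiki page or of efitools/sbsigntools: a Python builder and parser for EFI Signature Lists, the format of the ''.esl'' files produced by {{ic|efi-readvar}} during the backup step, by {{ic|cert-to-efi-sig-list}} when creating keys, and by the two {{ic|sbsiglist}} calls plus {{ic|cat}} above. The signature-type GUIDs are the standard UEFI ones; the DER blobs are constructed stand-ins, not real certificates.

```python
"""Build and walk EFI_SIGNATURE_LIST structures (.esl files).

Layout per list: SignatureType GUID (16 bytes, mixed-endian), SignatureListSize,
SignatureHeaderSize and SignatureSize (little-endian UINT32 each), an optional
header, then EFI_SIGNATURE_DATA entries of SignatureSize bytes: owner GUID + data.
A .esl file may simply be several such lists back to back (what `cat` produces).
"""
import hashlib
import struct
import uuid
from typing import Iterator, List, Tuple

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

_HDR = struct.Struct("<16sIII")   # SignatureType, ListSize, HeaderSize, SignatureSize


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """Serialize one list holding `entries`, each prefixed with the owner GUID.
    The format requires every signature in a list to have the same size."""
    if not entries:
        raise ValueError("an EFI_SIGNATURE_LIST needs at least one signature")
    sig_size = 16 + len(entries[0])
    if any(16 + len(e) != sig_size for e in entries):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = _HDR.size + len(body)            # SignatureHeaderSize is 0 here
    return _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def iter_esl(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner, data) for every entry in a concatenation
    of lists such as old_db.esl or MS_db.esl, validating sizes as it goes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_le, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} leaves no room for data")
        sig_type = uuid.UUID(bytes_le=type_le)
        pos, end = off + _HDR.size + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def describe(blob: bytes) -> List[str]:
    """One line per entry (type, owner, SHA-256 of the payload): the overview a
    reader of a backed-up db/dbx wants before deciding which entries to keep."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    return [
        f"{names.get(t, str(t))} owner={o} sha256={hashlib.sha256(d).hexdigest()[:16]}"
        for t, o, d in iter_esl(blob)
    ]


# Microsoft's owner GUID as used on this page; the DER blobs are constructed
# placeholders (real certificates are around 1 KiB), not real certificates.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
FAKE_WIN_PCA_DER = b"\x30\x82\x00\x10" + b"WIN-PCA-2011-DER"
FAKE_UEFI_CA_DER = b"\x30\x82\x00\x10" + b"UEFI-CA-2011-DER"

# Same shape as the two `sbsiglist` calls followed by `cat`: two one-entry lists.
MS_DB_ESL = (build_esl(EFI_CERT_X509_GUID, MS_OWNER, [FAKE_WIN_PCA_DER])
             + build_esl(EFI_CERT_X509_GUID, MS_OWNER, [FAKE_UEFI_CA_DER]))

if __name__ == "__main__":
    for line in describe(MS_DB_ESL):
        print(line)
```

To inspect a real backup, read {{ic|old_db.esl}} with {{ic|Path(...).read_bytes()}} and pass it to {{ic|describe()}}.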
<br />
=== Using a signed boot loader ===<br />
<br />
Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders: PreLoader and shim. Their purpose is to chainload other EFI binaries (usually [[boot loader]]s). Since Microsoft would never sign a boot loader that automatically launches any unsigned binary, PreLoader and shim use an allowlist called Machine Owner Key list, abbreviated MokList. If the SHA256 hash of the binary (PreLoader and shim) or the key the binary is signed with (shim only) is in the MokList, they execute it; if not, they launch a key management utility which allows enrolling the hash or key.<br />
<br />
==== PreLoader ====<br />
<br />
When run, PreLoader tries to launch {{ic|loader.efi}}. If the hash of {{ic|loader.efi}} is not in MokList, PreLoader will launch {{ic|HashTool.efi}}. In HashTool you must enroll the hash of the EFI binaries you want to launch, that means your [[boot loader]] ({{ic|loader.efi}}) and kernel.<br />
<br />
{{Note|Each time you update any of the binaries (e.g. boot loader or kernel) you will need to enroll their new hash.}}<br />
<br />
{{Tip|The [[rEFInd]] boot manager's {{ic|refind-install}} script can copy the rEFInd and PreLoader EFI binaries to the ESP. See [[rEFInd#Using PreLoader]] for instructions.}}<br />
<br />
===== Set up PreLoader =====<br />
<br />
{{Note|{{ic|PreLoader.efi}} and {{ic|HashTool.efi}} in {{Pkg|efitools}} package are not signed, so their usefulness is limited. You can get a signed {{ic|PreLoader.efi}} and {{ic|HashTool.efi}} from {{AUR|preloader-signed}} or [https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/ download them manually].}}<br />
<br />
[[Install]] {{AUR|preloader-signed}} and copy {{ic|PreLoader.efi}} and {{ic|HashTool.efi}} to the [[boot loader]] directory; for [[systemd-boot]] use:<br />
<br />
# cp /usr/share/preloader-signed/{PreLoader,HashTool}.efi ''esp''/EFI/systemd<br />
<br />
Now copy over the boot loader binary and rename it to {{ic|loader.efi}}; for [[systemd-boot]] use:<br />
<br />
# cp ''esp''/EFI/systemd/systemd-bootx64.efi ''esp''/EFI/systemd/loader.efi<br />
<br />
Finally, create a new NVRAM entry to boot {{ic|PreLoader.efi}}:<br />
<br />
# efibootmgr --verbose --disk /dev/sd'''''X''''' --part '''''Y''''' --create --label "PreLoader" --loader /EFI/systemd/PreLoader.efi<br />
<br />
Replace {{ic|''X''}} with the drive letter and replace {{ic|''Y''}} with the partition number of the [[EFI system partition]].<br />
<br />
This entry should be added to the list as the first to boot; check with the {{ic|efibootmgr}} command and adjust the boot-order if necessary.<br />
<br />
====== Fallback ======<br />
<br />
If there are problems booting the custom NVRAM entry, copy {{ic|HashTool.efi}} and {{ic|loader.efi}} to the default loader location booted automatically by UEFI systems:<br />
<br />
# cp /usr/share/preloader-signed/HashTool.efi ''esp''/EFI/BOOT/<br />
# cp ''esp''/EFI/systemd/systemd-bootx64.efi ''esp''/EFI/BOOT/loader.efi<br />
<br />
Copy over {{ic|PreLoader.efi}} and rename it:<br />
<br />
# cp /usr/share/preloader-signed/PreLoader.efi ''esp''/EFI/BOOT/BOOTx64.EFI<br />
<br />
For particularly intransigent UEFI implementations, copy {{ic|PreLoader.efi}} to the default loader location used by Windows systems:<br />
<br />
# mkdir -p ''esp''/EFI/Microsoft/Boot<br />
# cp /usr/share/preloader-signed/PreLoader.efi ''esp''/EFI/Microsoft/Boot/bootmgfw.efi<br />
<br />
{{Note|If dual-booting with Windows, backup the original {{ic|bootmgfw.efi}} first as replacing it may cause problems with Windows updates.}}<br />
<br />
As before, copy {{ic|HashTool.efi}} and {{ic|loader.efi}} to {{ic|''esp''/EFI/Microsoft/Boot/}}.<br />
<br />
When the system starts with Secure Boot enabled, follow the steps in [[#How to use while booting?]] to enroll {{ic|loader.efi}} and {{ic|/vmlinuz-linux}} (or whichever kernel image is being used).<br />
<br />
===== How to use while booting? =====<br />
<br />
A message will show up that says {{ic|Failed to Start loader... I will now execute HashTool.}} To use HashTool to enroll the hashes of {{ic|loader.efi}} and {{ic|vmlinuz.efi}}, follow these steps. The steps assume the menu titles of a remastered archiso installation medium; the exact titles you will see depend on your boot loader setup.<br />
<br />
* Select ''OK''<br />
* In the HashTool main menu, select ''Enroll Hash'', choose {{ic|\loader.efi}} and confirm with ''Yes''. Again, select ''Enroll Hash'' and {{ic|archiso}} to enter the archiso directory, then select {{ic|vmlinuz.efi}} and confirm with ''Yes''. Then choose ''Exit'' to return to the boot device selection menu.<br />
* In the boot device selection menu choose ''Arch Linux archiso x86_64 UEFI CD''<br />
<br />
===== Remove PreLoader =====<br />
<br />
{{Note|Since you are going to remove files, it is a good idea to back them up first.}}<br />
<br />
[[Uninstall]] {{AUR|preloader-signed}} and simply remove the copied files and revert configuration; for [[systemd-boot]] use:<br />
<br />
# rm ''esp''/EFI/systemd/{PreLoader,HashTool}.efi<br />
# rm ''esp''/EFI/systemd/loader.efi<br />
# efibootmgr --verbose --bootnum ''N'' --delete-bootnum<br />
# bootctl update<br />
<br />
Where {{ic|''N''}} is the NVRAM boot entry created for booting {{ic|PreLoader.efi}}.<br />
Check with the ''efibootmgr'' command and adjust the boot-order if necessary.<br />
<br />
{{Note|The above commands cover the simplest case; if you have created, copied, renamed or edited further files, you probably have to handle those as well. If PreLoader was your operational boot entry, you obviously also need to [[#Disabling Secure Boot|disable Secure Boot]].}}<br />
<br />
==== shim ====<br />
<br />
{{Expansion|Testing needed.|section=shim}}<br />
<br />
When run, shim tries to launch {{ic|grubx64.efi}}. If MokList does not contain the hash of {{ic|grubx64.efi}} or the key it is signed with, shim will launch MokManager ({{ic|mmx64.efi}}). In MokManager you must enroll the hash of the EFI binaries you want to launch (your [[boot loader]] ({{ic|grubx64.efi}}) and kernel) or enroll the key they are signed with.<br />
<br />
{{Note|<br />
* If you use [[#shim with hash]], each time you update any of the binaries (e.g. boot loader or kernel) you will need to enroll their new hash.<br />
* Since version 15.3, shim will not launch EFI binaries without a valid {{ic|.sbat}} section. Run {{ic|objdump -j .sbat -s ''/path/to/binary.efi''}} to verify if an EFI binary has it. See the [https://github.com/rhboot/shim/blob/main/SBAT.md SBAT documentation] for details.<br />
}}<br />
<br />
===== Set up shim =====<br />
<br />
{{Tip|The [[rEFInd]] boot manager's {{ic|refind-install}} script can sign rEFInd EFI binaries and copy them along with shim and the MOK certificates to the ESP. See [[rEFInd#Using shim]] for instructions.}}<br />
<br />
[[Install]] {{AUR|shim-signed}}.<br />
<br />
Rename your current [[boot loader]] to {{ic|grubx64.efi}}:<br />
<br />
# mv ''esp''/EFI/BOOT/BOOTx64.EFI ''esp''/EFI/BOOT/grubx64.efi<br />
<br />
Copy ''shim'' and ''MokManager'' to your boot loader directory on the ESP; use the previous filename of your boot loader as the filename for {{ic|shimx64.efi}}:<br />
<br />
# cp /usr/share/shim-signed/shimx64.efi ''esp''/EFI/BOOT/BOOTx64.EFI<br />
# cp /usr/share/shim-signed/mmx64.efi ''esp''/EFI/BOOT/<br />
<br />
Finally, create a new NVRAM entry to boot {{ic|BOOTx64.EFI}}:<br />
<br />
# efibootmgr --verbose --disk /dev/sd'''''X''''' --part '''''Y''''' --create --label "Shim" --loader /EFI/BOOT/BOOTx64.EFI<br />
<br />
''shim'' can authenticate binaries by Machine Owner Key or hash stored in MokList.<br />
<br />
; Machine Owner Key (MOK): A key that a user generates and uses to sign EFI binaries.<br />
; hash: A SHA256 hash of an EFI binary.<br />
<br />
Using hash is simpler, but each time you update your boot loader or kernel you will need to add their hashes in MokManager. With MOK you only need to add the key once, but you will have to sign the boot loader and kernel each time it updates.<br />
<br />
====== shim with hash ======<br />
<br />
If ''shim'' does not find the SHA256 hash of {{ic|grubx64.efi}} in MokList it will launch MokManager ({{ic|mmx64.efi}}).<br />
<br />
In ''MokManager'' select ''Enroll hash from disk'', find {{ic|grubx64.efi}} and add it to MokList. Repeat the steps and add your kernel {{ic|vmlinuz-linux}}. When done select ''Continue boot'' and your boot loader will launch and it will be capable of launching the kernel.<br />
<br />
====== shim with key ======<br />
<br />
Install {{Pkg|sbsigntools}}.<br />
<br />
You will need:<br />
<br />
; ''.key'': PEM format '''private''' key for EFI binary signing.<br />
; ''.crt'': PEM format certificate for ''sbsign''.<br />
; ''.cer'': DER format certificate for ''MokManager''.<br />
<br />
Create a Machine Owner Key:<br />
<br />
$ openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days ''3650'' -subj "/CN=''my Machine Owner Key''/" -out MOK.crt<br />
$ openssl x509 -outform DER -in MOK.crt -out MOK.cer<br />
<br />
Sign your boot loader (named {{ic|grubx64.efi}}) and kernel:<br />
<br />
# sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux<br />
# sbsign --key MOK.key --cert MOK.crt --output ''esp''/EFI/BOOT/grubx64.efi ''esp''/EFI/BOOT/grubx64.efi<br />
<br />
You will need to do this each time they are updated. You can automate the kernel signing with a [[pacman hook]], e.g.:<br />
<br />
{{hc|/etc/pacman.d/hooks/999-sign_kernel_for_secureboot.hook|2=<br />
[Trigger]<br />
Operation = Install<br />
Operation = Upgrade<br />
Type = Package<br />
Target = linux<br />
Target = linux-lts<br />
Target = linux-hardened<br />
Target = linux-zen<br />
<br />
[Action]<br />
Description = Signing kernel with Machine Owner Key for Secure Boot<br />
When = PostTransaction<br />
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null {{!}} /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key MOK.key --cert MOK.crt --output {} {}; fi' ;<br />
Depends = sbsigntools<br />
Depends = findutils<br />
Depends = grep<br />
}}<br />
<br />
Copy {{ic|MOK.cer}} to a [[FAT]] formatted file system (you can use [[EFI system partition]]).<br />
<br />
Reboot and enable Secure Boot. If ''shim'' does not find the certificate {{ic|grubx64.efi}} is signed with in MokList it will launch MokManager ({{ic|mmx64.efi}}).<br />
<br />
In ''MokManager'' select ''Enroll key from disk'', find {{ic|MOK.cer}} and add it to MokList. When done select ''Continue boot'' and your boot loader will launch and it will be capable of launching any binary signed with your Machine Owner Key.<br />
<br />
====== Shim with key and GRUB ======<br />
<br />
Complete the previous section first.<br />
<br />
Create an {{ic|sbat.csv}} file:<br />
{{hc|sbat.csv|<br />
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md<br />
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/<br />
}}<br />
<br />
Reinstall GRUB using {{ic|sbat.csv}} with the {{ic|TPM}} module enabled and sign it:<br />
<br />
# grub-install --target=x86_64-efi --efi-directory=''esp'' --modules="tpm" --sbat sbat.csv<br />
# sbsign --key MOK.key --cert MOK.crt --output ''esp''/EFI/GRUB/grubx64.efi ''esp''/EFI/GRUB/grubx64.efi<br />
# cp ''esp''/EFI/GRUB/grubx64.efi ''esp''/EFI/BOOT/grubx64.efi<br />
<br />
Reboot, select the key in ''MokManager'', and Secure Boot should be working.<br />
<br />
===== Remove shim =====<br />
<br />
[[Uninstall]] {{AUR|shim-signed}}, remove the copied ''shim'' and ''MokManager'' files and rename back your boot loader.<br />
<br />
== Protecting Secure Boot ==<br />
<br />
The only way to prevent anyone with physical access from disabling Secure Boot is to protect the firmware settings with a password.<br />
<br />
Most UEFI firmwares provide such a feature, usually listed under the "Security" section in the firmware settings.<br />
<br />
== See also ==<br />
<br />
* [https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/ Understanding the UEFI Secure Boot Chain] by tianocore<br />
* [[Wikipedia:Unified Extensible Firmware Interface#Secure boot]]<br />
* [https://www.rodsbooks.com/efi-bootloaders/secureboot.html Dealing with Secure Boot] by Rod Smith<br />
* [https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html Controlling Secure Boot] by Rod Smith<br />
* [https://mjg59.dreamwidth.org/5850.html UEFI secure booting (part 2)] by Matthew Garrett<br />
* [https://blog.hansenpartnership.com/uefi-secure-boot/ UEFI Secure Boot] by James Bottomley<br />
* [https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git/tree/README efitools README]<br />
* [https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot Will your computer's "Secure Boot" turn out to be "Restricted Boot"?] — Free Software Foundation<br />
* [https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement/campaigns/secure-boot-vs-restricted-boot/whitepaper-web Free Software Foundation recommendations for free operating system distributions considering Secure Boot]<br />
* [https://web.archive.org/web/20150928202110/https://firmware.intel.com/messages/219 Intel's UEFI Secure Boot Tutorial]<br />
* [http://dreamhack.it/linux/2015/12/03/secure-boot-signed-modules-and-signed-elf-binaries.html Secure Boot, Signed Modules and Signed ELF Binaries]<br />
* National Security Agency docs: [https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-uefi-defensive-practices-guidance.pdf UEFI Defensive Practices Guidance] and unclassified [https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF UEFI Secure Boot customization]<br />
* [http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/ sbkeysync & maintaining uefi key databases] by Jeremy Kerr<br />
* [https://nwildner.com/posts/2020-07-04-secure-your-boot-process/ Secure your boot process: UEFI + Secureboot + EFISTUB + Luks2 + lvm + ArchLinux] (2020-07)<br />
* [https://security.stackexchange.com/questions/29122/how-is-hibernation-supported-on-machines-with-uefi-secure-boot How is hibernation supported, on machines with UEFI Secure Boot?] (Security StackExchange)<br />
* [http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html Authenticated Boot and Disk Encryption on Linux] by Lennart Poettering (2021-09-23)</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Security&diff=703331Security2021-11-23T19:40:22Z<p>Kiasoc5: /* Follow vulnerability alerts */ Add arch-audit-gtk</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:File systems]]<br />
[[Category:Networking]]<br />
[[de:Sicherheit]]<br />
[[es:Security]]<br />
[[fa:امنیت]]<br />
[[hu:Security]]<br />
[[ja:セキュリティ]]<br />
[[pt:Security]]<br />
[[ru:Security]]<br />
[[zh-hans:Security]]<br />
{{Related articles start}}<br />
{{Related|Arch Security Team}}<br />
{{Related|General recommendations}}<br />
{{Related|PAM}}<br />
{{Related|Capabilities}}<br />
{{Related|List of Applications/Security}}<br />
{{Related|Arch package guidelines/Security}}<br />
{{Related articles end}}<br />
This article contains recommendations and best practices for [[Wikipedia:Hardening (computing)|hardening]] an Arch Linux system.<br />
<br />
== Concepts ==<br />
<br />
* It ''is'' possible to tighten security to the point where the system is unusable. Security and convenience must be balanced. The trick is to create a secure ''and'' useful system.<br />
* The biggest threat is, and will always be, the user.<br />
* The [[Wikipedia:Principle of least privilege|principle of least privilege]]: Each part of a system should only be able to access what is strictly required, and nothing more.<br />
* Defense in depth: Security works better in independent layers. When one layer is breached, another should stop the attack.<br />
* Be a little paranoid. And be suspicious. If anything sounds too good to be true, it probably is!<br />
* You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it.<br />
* Prepare for failure. Create a plan ahead of time to follow when your security is broken.<br />
<br />
== Passwords ==<br />
<br />
Passwords are key to a secure Linux system. They secure your [[Users and groups|user accounts]], [[Data-at-rest encryption|encrypted filesystems]], and [[SSH keys|SSH]]/[[GPG]] keys. They are the main way a computer chooses to trust the person using it, so a big part of security is just about picking secure passwords and protecting them.<br />
<br />
=== Choosing secure passwords ===<br />
<br />
Passwords must be complex enough to not be easily guessed from e.g. personal information, or [[Wikipedia:Password cracking|cracked]] using methods like social engineering or brute-force attacks. The tenets of strong passwords are based on ''length'' and ''randomness''. In cryptography the quality of a password is referred to as its [[Wikipedia:Entropic security|entropic security]]. <br />
<br />
Insecure passwords include those containing:<br />
<br />
* Personally identifiable information (e.g., your dog's name, date of birth, area code, favorite video game)<br />
* Simple character substitutions on words (e.g., {{ic|k1araj0hns0n}}), as modern dictionary attacks can easily work with these<br />
* Root "words" or common strings followed or preceded by added numbers, symbols, or characters (e.g., {{ic|DG091101%}})<br />
* Common phrases or strings of dictionary words (e.g. {{ic|photocopyhauntbranchexpose}}) including with character substitution (e.g. {{ic|Ph0toc0pyh4uN7br@nch3xp*se}}) <br />
* Any of the [[wikipedia:List_of_the_most_common_passwords|most common passwords]]<br />
<br />
The best choice for a password is something long (the longer, the better) and generated from a random source. It is important to use a long password. [https://www.theregister.com/2019/02/14/password_length Weak hash algorithms allow an 8-character password hash to be compromised in just a few hours.]<br />
<br />
Tools like {{Pkg|pwgen}} or {{AUR|apg}} can generate random passwords. However, these passwords can be difficult to memorize. One memorization technique (for ones typed often) is to generate a long password and memorize a minimally secure number of characters, temporarily writing down the full generated string. Over time, increase the number of characters typed - until the password is ingrained in muscle memory and need not be remembered. This technique is more difficult, but can provide confidence that a password will not turn up in wordlists or "intelligent" brute force attacks that combine words and substitute characters.<br />
<br />
One technique for memorizing a password is to use a mnemonic phrase, where each word in the phrase reminds you of the next character in the password.<br />
For instance, “the girl is walking down the rainy street” could be translated to {{ic|t6!WdtR5}} or, less simply, {{ic|t&6!RrlW@dtR,57}}.<br />
This approach could make it easier to remember a password, but note that the various letters have very different probabilities of being found at the start of words ([[Wikipedia:Letter frequency#Relative frequencies of the first letters of a word in the English language|Wikipedia:Letter frequency]]). <br />
<br />
Another effective technique can be to write randomly generated passwords down and store them in a ''safe'' place, such as in a wallet, purse or document safe. Most people do a generally good job of protecting their physical valuables from attack, and it is easier for most people to understand physical security best practices compared to digital security practices. [https://www.schneier.com/news/archives/2010/11/bruce_schneier_write.html Bruce Schneier has endorsed this technique].<br />
<br />
It is also very effective to combine the mnemonic and random technique by saving long randomly generated passwords with a [[password manager]], which will be in turn accessed with a memorable "master password" that must be used only for that purpose. The master password must be memorized and never saved. This requires the password manager to be installed on a system to easily access the password (which could be seen as an inconvenience or a security feature, depending on the situation). Some password managers also have smartphone apps which can be used to display passwords for manual entry on systems without that password manager installed. Note that a password manager introduces a single point of failure if you ever forget the master password.<br />
<br />
It can be effective to use a memorable long series of unrelated words as a password. The theory is that if a sufficiently long phrase is used, the gained entropy from the password's length can counter the lost entropy from the use of dictionary words. This [https://xkcd.com/936/ xkcd comic] demonstrates the entropy tradeoff of this method, taking into account the limited set of possible words for each word in the passphrase. However, password crackers have caught on to this trick and will generate wordlists containing billions of permutations and variants of dictionary words, reducing the effective entropy of the password from the huge character count times the possible characters to (set of words to choose from)^(number of words chosen), because the attacker knows the passphrase generation method. If the set of words you choose from is large (multiple thousand words) and you choose 5-7 or even more random words from it, this method still provides great entropy, even assuming the attacker knows the set of possible words chosen from and the number of words chosen. See e.g. [https://www.rempe.us/diceware/ Diceware] for more.<br />
<br />
See Bruce Schneier's article [https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html Choosing Secure Passwords], [https://www.iusmentis.com/security/passphrasefaq/ The passphrase FAQ] or [[Wikipedia:Password strength]] for some additional background.<br />
<br />
=== Maintaining passwords ===<br />
<br />
Once you pick a strong password, be sure to keep it safe. Watch out for [[Wikipedia:Keylogger|keyloggers]] (software and hardware), screen loggers, [[Wikipedia:Social engineering (security)|social engineering]], [[Wikipedia:Shoulder surfing (computer security)|shoulder surfing]], and avoid reusing passwords so insecure servers cannot leak more information than necessary. [[List of applications/Security#Password managers|Password managers]] can help manage large numbers of complex passwords: if you are copy-pasting the stored passwords from the manager to the applications that need them, make sure to clear the copy buffer every time, and ensure they are not saved in any kind of log (e.g. do not paste them in plain terminal commands, which would store them in files like {{ic|.bash_history}}). Note that password managers that are implemented as browser extensions may be vulnerable to [https://www.spookjs.com side channel attacks]. These can be mitigated by using password managers that run as separate applications.<br />
<br />
As a rule, do not pick insecure passwords just because secure ones are harder to remember. Passwords are a balancing act. It is better to have an encrypted database of secure passwords, guarded behind a key and one strong master password, than it is to have many similar weak passwords. Writing passwords down is perhaps equally effective [https://www.schneier.com/blog/archives/2005/06/write_down_your.html], avoiding potential vulnerabilities in software solutions while requiring physical security.<br />
<br />
Another aspect of the strength of the passphrase is that it must not be easily recoverable from other places.<br />
<br />
If you use the same passphrase for disk encryption as you use for your login password (useful e.g. to auto-mount the encrypted partition or folder on login), make sure that {{ic|/etc/shadow}} ends up on an encrypted partition and/or uses a strong key derivation function (i.e. yescrypt/bcrypt/argon2 or sha512 with PBKDF2, but not md5 or low iterations in PBKDF2) for the stored password hash (see [[SHA password hashes]] for more information).<br />
<br />
If you are backing up your password database, make sure that each copy is not stored behind any other passphrase which in turn is stored in it, e.g. an encrypted drive or an authenticated remote storage service, or you will not be able to access it in case of need; a useful trick is to protect the drives or accounts where the database is backed up using a simple cryptographic hash of the master password. Maintain a list of all the backup locations: if one day you fear that the master passphrase has been compromised you will have to change it immediately on all the database backups and the locations protected with keys derived from the master password.<br />
<br />
Version-controlling the database in a secure way can be very complicated: if you choose to do it, you must have a way to update the master password of all the database versions. It may not always be immediately clear when the master password is leaked: to reduce the risk of somebody else discovering your password before you realize that it leaked, you may choose to change it on a periodical basis. If you fear that you have lost control over a copy of the database, you will need to change all the passwords contained in it within the time that it may take to brute-force the master password, according to its entropy.<br />
<br />
=== Password hashes ===<br />
<br />
{{Expansion|Mention [[Wikipedia:Key derivation function|key derivation functions]], in particular argon2, bcrypt, scrypt and PBKDF2, how to use them, advantages and disadvantages, especially regarding custom-hardware-based brute-force attacks.|section=Removal of incorrect warning}}<br />
<br />
By default, Arch stores the hashed user passwords in the root-only-readable {{ic|/etc/shadow}} file, separated from the other user parameters stored in the world-readable {{ic|/etc/passwd}} file, see [[Users and groups#User database]]. See also [[#Restricting root]].<br />
<br />
Passwords are set with the '''passwd''' command, which [[Wikipedia:Key stretching|stretches]] them with the [[Wikipedia:Crypt (C)|crypt]] function and then saves them in {{ic|/etc/shadow}}. See also [[SHA password hashes]]. The passwords are also [[Wikipedia:Salt (cryptography)|salted]] in order to defend them against [[Wikipedia:Rainbow table|rainbow table]] attacks.<br />
<br />
See also [https://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils How are passwords stored in Linux (Understanding hashing with shadow utils)]{{Dead link|2021|11|19|status=SSL error}}.<br />
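As an added example that is not part of this wiki page, the following POSIX shell script classifies the crypt algorithm of each entry in a shadow-format file, so that the md5 or legacy DES hashes warned about above stand out before a login passphrase is reused for disk encryption; the shadow lines embedded in it are constructed sample data with placeholder salts and hashes.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page: classify the crypt(3) algorithm used by
# each password hash in /etc/shadow-format input. A weak stored hash (md5crypt,
# traditional DES) undermines a passphrase that is also used for LUKS.
# Run on the live system as root with:  audit_shadow < /etc/shadow

# Print the algorithm name for one crypt(3) hash string.
shadow_hash_algo() {
    hash=$1
    case $hash in
        '')            echo empty ;;      # no password set at all
        '!'*|'*'*)     echo locked ;;     # account locked or password disabled
        '$y$'*)        echo yescrypt ;;   # current Arch default
        '$7$'*)        echo scrypt ;;
        '$6$'*)        echo sha512 ;;     # sha512crypt (rounds= may follow)
        '$5$'*)        echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)        echo md5 ;;        # md5crypt: fast to brute-force, avoid
        *)
            # Traditional DES crypt is exactly 13 characters from [A-Za-z0-9./].
            if [ "${#hash}" -eq 13 ] && printf '%s' "$hash" | grep -Eq '^[A-Za-z0-9./]+$'; then
                echo des
            else
                echo unknown
            fi
            ;;
    esac
}

# Read shadow lines from stdin, print "user algorithm [WEAK]" per line and
# return 1 if any account uses an empty password or a weak algorithm.
audit_shadow() {
    weak=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        algo=$(shadow_hash_algo "$hash")
        case $algo in
            empty|md5|des) weak=1; echo "$user $algo WEAK" ;;
            *)             echo "$user $algo" ;;
        esac
    done
    return $weak
}

# Constructed sample shadow file (salts and hashes are placeholders, not real).
SAMPLE_SHADOW='root:$y$j9T$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$1$constructedsalt$constructedhash:19000:0:99999:7:::
legacy:cOnStRuCtEd13:19000:0:99999:7:::
svc:!:19000::::::
nobody:*:19000::::::
guest::19000::::::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || echo "weak or empty password hashes found"
```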
<br />
=== Enforcing strong passwords with pam_pwquality ===<br />
<br />
''pam_pwquality'' provides protection against [[Wikipedia:Dictionary attack|dictionary attacks]] and helps configure a password policy that can be enforced throughout the system. It is based on ''pam_cracklib'', so it is backwards compatible with its options.<br />
<br />
[[Install]] the {{Pkg|libpwquality}} package.<br />
<br />
{{Warning|The ''root'' account is not affected by this policy by default.}}<br />
<br />
{{Note|<br />
* You can use the ''root'' account to set a password for a user that bypasses the desired/configured policy. This is useful when setting temporary passwords.<br />
* Current security guidelines around passwords, e.g. from NIST, but also from others, do not recommend enforcing special characters, since they often only lead to predictable alterations.<br />
}}<br />
<br />
If for example you want to enforce this policy:<br />
<br />
* prompt 2 times for password in case of an error (retry option)<br />
* 10 characters minimum length (minlen option)<br />
* at least 6 characters should be different from old password when entering a new one (difok option)<br />
* at least 1 digit (dcredit option)<br />
* at least 1 uppercase (ucredit option)<br />
* at least 1 lowercase (lcredit option)<br />
* at least 1 other character (ocredit option)<br />
* cannot contain the words "myservice" and "mydomain"<br />
* enforce the policy for root<br />
<br />
Edit the {{ic|/etc/pam.d/passwd}} file to read as:<br />
<br />
{{bc|1=<br />
#%PAM-1.0<br />
password required pam_pwquality.so retry=2 minlen=10 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 [badwords=myservice mydomain] enforce_for_root<br />
password required pam_unix.so use_authtok sha512 shadow<br />
}}<br />
<br />
The {{ic|password required pam_unix.so use_authtok}} instructs the ''pam_unix'' module to not prompt for a password but rather to use the one provided by ''pam_pwquality''.<br />
<br />
You can refer to the {{man|8|pam_pwquality}} and {{man|8|pam_unix}} man pages for more information.<br />
<br />
== CPU ==<br />
<br />
=== Microcode ===<br />
<br />
See [[microcode]] for information on how to install important security updates for your CPU's microcode.<br />
<br />
=== Hardware vulnerabilities ===<br />
<br />
Some CPUs contain hardware vulnerabilities. See the [https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/ kernel documentation on hardware vulnerabilities] for a list of these vulnerabilities, as well as mitigation selection guides to help customize the kernel to mitigate these vulnerabilities for specific usage scenarios.<br />
<br />
To check if you are affected by a known vulnerability, run the following:<br />
<br />
$ grep -r . /sys/devices/system/cpu/vulnerabilities/<br />
<br />
In most cases, updating the kernel and microcode will mitigate vulnerabilities.<br />
<br />
==== Simultaneous multithreading (hyper-threading) ====<br />
<br />
[[Wikipedia:Simultaneous multithreading|Simultaneous multithreading]] (SMT), also called hyper-threading on Intel CPUs, is a hardware feature that may be a source of [https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html L1 Terminal Fault] and [https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html Microarchitectural Data Sampling] vulnerabilities. The Linux kernel and microcode updates contain mitigations for known vulnerabilities, but [https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html#virtualization-with-untrusted-guests disabling SMT may still be required on certain CPUs if untrusted virtualization guests are present].<br />
<br />
SMT can often be disabled in your system's firmware. Consult your motherboard or system documentation for more information. You can also disable SMT in the kernel by adding the following [[kernel parameters]]:<br />
<br />
l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force<br />
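As an added example that is not part of this wiki page, the following POSIX shell script turns the output of the {{ic|grep -r .}} check above into one verdict per vulnerability and reads the kernel's SMT control state (the {{ic|/sys/devices/system/cpu/smt/control}} file, which reflects the {{ic|nosmt}} parameters above); the status lines embedded in it are a constructed sample in the format the real sysfs files produce.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page: turn the output of
#   grep -r . /sys/devices/system/cpu/vulnerabilities/
# into a short verdict per vulnerability and report the kernel's SMT state, so
# "Vulnerable" entries are not missed in the long status strings.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
SMT_CONTROL=/sys/devices/system/cpu/smt/control

# Read "path:status" lines from stdin and print "name<TAB>verdict<TAB>status".
# verdict is not-affected, mitigated, vulnerable or unknown.
# Returns 1 if at least one entry is vulnerable.
classify_vulns() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%%:*}            # everything before the first colon
        name=${path##*/}            # basename, e.g. mds
        status=${line#*:}           # the kernel's status string; may itself contain colons
        case $status in
            "Not affected")  verdict=not-affected ;;
            Mitigation:*)    verdict=mitigated ;;
            Vulnerable*)     verdict=vulnerable; found=1 ;;
            *)               verdict=unknown ;;     # e.g. "Unknown: Dependent on hypervisor status"
        esac
        printf '%s\t%s\t%s\n' "$name" "$verdict" "$status"
    done
    return $found
}

# Print the SMT control state (on, off, forceoff, notsupported or notimplemented)
# or "unknown" if the file is absent; nosmt=force shows up here as forceoff.
smt_state() {
    if [ -r "$SMT_CONTROL" ]; then cat "$SMT_CONTROL"; else echo unknown; fi
}

# Constructed sample in the exact format grep -r produces on a real system.
SAMPLE_VULNS='/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines; IBPB: conditional; STIBP: disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'

echo "--- constructed sample ---"
printf '%s\n' "$SAMPLE_VULNS" | classify_vulns || echo "vulnerable entries present"
if [ -d "$VULN_DIR" ]; then
    echo "--- this system ---"
    grep -r . "$VULN_DIR" | classify_vulns || echo "vulnerable entries present: update kernel and microcode"
    echo "smt/control: $(smt_state)"
fi
```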
<br />
== Memory ==<br />
<br />
=== Hardened malloc ===<br />
<br />
[https://github.com/GrapheneOS/hardened_malloc hardened_malloc] ({{AUR|hardened_malloc}}, {{AUR|hardened-malloc-git}}) is a hardened replacement for [[Wikipedia:GNU C Library|glibc]]'s malloc(). The project was originally developed for integration into Android's [[Wikipedia:Bionic (software)|Bionic]] and [[Wikipedia:musl|musl]] by Daniel Micay, of GrapheneOS, but he has also built in support for standard Linux distributions on the x86_64 architecture.<br />
<br />
While hardened_malloc is not yet integrated into glibc (assistance and pull requests welcome) it can be used easily with LD_PRELOAD. In testing so far, it only causes issues with a handful of applications if enabled globally in {{ic|/etc/ld.so.preload}}. For example, {{ic|man}} fails to work properly unless its {{ic|seccomp}} environment flag is disabled due to not having {{ic|getrandom}} in the standard whitelist, although this can be easily fixed by rebuilding it with the system call added. Since hardened_malloc has a performance cost, you may want to decide which implementation to use on a case-by-case basis based on attack surface and performance needs.<br />
<br />
To try it out in a standalone manner, use the hardened-malloc-preload wrapper script, or manually start an application with the proper preload value:<br />
<br />
LD_PRELOAD="/usr/lib/libhardened_malloc.so" /usr/bin/firefox<br />
<br />
Proper usage with [[Firejail]] can be found on its wiki page, and some configurable build options for hardened_malloc can be found on the github repo.<br />
<br />
== Storage ==<br />
<br />
=== Data-at-rest encryption ===<br />
<br />
[[Data-at-rest encryption]], preferably full-disk encryption with a [[#Passwords|strong passphrase]], is the only way to guard data against physical recovery. This provides complete security when the computer is turned off or the disks in question are unmounted.<br />
<br />
Once the computer is powered on and the drive is mounted, however, its data becomes just as vulnerable as an unencrypted drive. It is therefore best practice to unmount data partitions as soon as they are no longer needed.<br />
<br />
Certain programs, like [[dm-crypt]], allow the user to encrypt a loop file as a virtual volume. This is a reasonable alternative to full-disk encryption when only certain parts of the system need be secure.<br />
<br />
You may also [[Trusted Platform Module#Data-at-rest encryption with LUKS|encrypt a drive with the key stored in a TPM]], although it has had [https://tpm.fail vulnerabilities in the past] and the key can be extracted by a [https://pulsesecurity.co.nz/articles/TPM-sniffing bus sniffing attack].<br />
<br />
=== File systems ===<br />
<br />
The kernel now prevents security issues related to hardlinks and symlinks if the {{ic|fs.protected_hardlinks}} and {{ic|fs.protected_symlinks}} sysctl switches are enabled, so there is no longer a major security benefit from separating out world-writable directories.<br />
<br />
File systems containing world-writable directories can still be kept separate as a coarse way of limiting the damage from disk space exhaustion. However, filling {{ic|/var}} or {{ic|/tmp}} is enough to take down services. More flexible mechanisms for dealing with this concern exist (like [[Disk quota|quotas]]), and some [[file systems]] include related features themselves (Btrfs has quotas on subvolumes).<br />
<br />
==== Mount options ====<br />
<br />
Following the principle of least privilege, file systems should be mounted with the most restrictive mount options possible (without losing functionality).<br />
<br />
Relevant mount options are:<br />
<br />
* {{ic|nodev}}: Do not interpret character or block special devices on the file system.<br />
* {{ic|nosuid}}: Do not allow set-user-identifier or set-group-identifier bits to take effect.<br />
* {{ic|noexec}}: Do not allow direct execution of any binaries on the mounted file system.<br />
** Setting {{ic|noexec}} on {{ic|/home}} disallows executable scripts and breaks [[Wine]]*, [[Steam]], PyCharm, etc.<br />
** Some packages (building {{Pkg|nvidia-dkms}} for example) may require {{ic|exec}} on {{ic|/var}}.<br />
<br />
{{Note|Wine does not need the {{ic|exec}} flag for opening Windows executables. It is only needed when Wine itself is installed in {{ic|/home}}.}}<br />
<br />
File systems used for data should always be mounted with {{ic|nodev}}, {{ic|nosuid}} and {{ic|noexec}}.<br />
<br />
Potential file system mounts to consider:<br />
<br />
* {{ic|/var}}<br />
* {{ic|/home}}<br />
* {{ic|/dev/shm}}<br />
* {{ic|/tmp}}<br />
* {{ic|/boot}}<br />
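As an added example (not part of the wiki page), the following shell functions read a mount table in {{ic|/proc/self/mounts}} format and report which of the mount points listed above lack {{ic|nodev}}, {{ic|nosuid}} or {{ic|noexec}}. The sample mount table is constructed, and the set of mount points checked is an assumption to adjust to your own layout:<br />

```shell
# Added example, not the wiki's own code: audit /proc/self/mounts-style lines against
# the nodev,nosuid,noexec recommendation for the mount points listed above.

# required_opts MOUNTPOINT: print the options expected on that mount point, one per
# line; fail for mount points this check does not cover. The list follows the wiki's
# "mounts to consider" (an assumption); drop /home or /var here if they must stay exec.
required_opts() {
    case "$1" in
        /var|/home|/dev/shm|/tmp|/boot) printf '%s\n' nodev nosuid noexec ;;
        *) return 1 ;;
    esac
}

# has_opt OPTS OPT: succeed if the comma-separated option list contains OPT exactly
# (so "noexec" does not satisfy a check for "exec", and vice versa).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read mount table lines (device mountpoint fstype options dump pass,
# the /proc/self/mounts format) from stdin and print "<mountpoint> missing <opt>"
# for every recommended option that is absent. Returns 0 only if nothing is missing.
audit_mounts() {
    local dev mnt fstype opts rest opt status=0
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        required_opts "$mnt" >/dev/null || continue
        for opt in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$opt"; then
                printf '%s missing %s\n' "$mnt" "$opt"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample mount table for offline use; on a real system run:
#   audit_mounts < /proc/self/mounts
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=4G 0 0
/dev/sda1 /boot vfat rw,relatime,fmask=0022,dmask=0022 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

if printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; then
    echo "all covered mount points carry nodev,nosuid,noexec"
else
    echo "hardening gaps found (listed above)"
fi
```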
<br />
=== File access permissions ===<br />
<br />
The default [[file permissions]] allow read access to almost everything and changing the permissions can hide valuable information from an attacker who gains access to a non-root account such as the {{ic|http}} or {{ic|nobody}} users.<br />
<br />
For example:<br />
<br />
# chmod 700 /boot /etc/{iptables,arptables}<br />
<br />
The default [[Umask]] {{ic|0022}} can be changed to improve security for newly created files. The [https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm NSA RHEL5 Security Guide] suggests a umask of {{ic|0077}} for maximum security, which makes new files not readable by users other than the owner. To change this, see [[Umask#Set the mask value]].<br />
<br />
=== Backups ===<br />
<br />
{{Merge|System backup|There is a dedicated page for system backups.}}<br />
<br />
Regularly create backups of important data. Regularly test the integrity of the backups. Regularly test that the backups can be restored.<br />
<br />
Make sure that at least one copy of the data is stored offline, i.e. not connected to the system under threat in any way. [[Wikipedia:Ransomware|Ransomware]] and other destructive attacks may also attack any connected backup systems.<br />
<br />
== User setup ==<br />
<br />
=== Do not use the root account for daily use ===<br />
<br />
Following the principle of least privilege, do not use the root user for daily use. Create a non-privileged user account for each person using the system. Use [[sudo]] as necessary for temporary privileged access.<br />
<br />
=== Enforce a delay after a failed login attempt ===<br />
<br />
Add the following line to {{ic|/etc/pam.d/system-login}} to add a delay of at least 4 seconds between failed login attempts:<br />
<br />
{{hc|/etc/pam.d/system-login|2=<br />
auth optional pam_faildelay.so delay=4000000<br />
}}<br />
<br />
{{ic|4000000}} is the time in microseconds to delay.<br />
<br />
=== Lock out user after three failed login attempts ===<br />
<br />
As of {{Pkg|pambase}} 20200721.1-2, {{ic|pam_faillock.so}} is enabled by default to lock out users for 10 minutes after 3 failed login attempts in a 15 minute period (see {{Bug|67644}}). The lockout only applies to password authentication (e.g. login and ''sudo''), public key authentication over SSH is still accepted. To prevent complete denial-of-service, this lockout is disabled on root.<br />
<br />
To unlock a user, do:<br />
<br />
$ faillock --reset --user ''username''<br />
<br />
By default, the lock mechanism is one file per user in {{ic|/run/faillock/}}. Deleting or emptying that file unlocks the user. The directory is owned by root, but each file is owned by its user, so the {{ic|faillock}} command only empties the file and therefore does not require root.<br />
<br />
The module {{ic|pam_faillock.so}} can be configured with the file {{ic|1=/etc/security/faillock.conf}}. The lockout parameters:<br />
<br />
* {{ic|unlock_time}} — the lockout time (in seconds, default 10 minutes).<br />
* {{ic|fail_interval}} — the time in which failed logins can cause a lockout (in seconds, default 15 minutes).<br />
* {{ic|deny}} — the number of failed logins before lockout (default 3).<br />
<br />
{{Note|{{ic|1=deny = 0}} will disable the lockout.}}<br />
<br />
No restart is required for changes to take effect. See {{man|5|faillock.conf}} for further configuration options, such as enabling lockout for the root account, disabling for centralized login (e.g. LDAP), etc.<br />
<br />
=== Limit amount of processes ===<br />
<br />
On systems with many users, or with untrusted users, it is important to limit the number of processes each can run at once, thereby preventing [[Wikipedia:Fork bomb|fork bombs]] and other denial of service attacks. {{ic|/etc/security/limits.conf}} determines how many processes each user or group can have open, and is empty (except for useful comments) by default. Adding the following lines to this file will limit all users to 100 active processes, unless they use the {{ic|prlimit}} command to explicitly raise their maximum to 200 for that session. These values can be changed according to the appropriate number of processes a user should have running, or the hardware of the machine you are administering.<br />
<br />
* soft nproc 100<br />
* hard nproc 200<br />
<br />
The current number of threads for each user can be found with {{ic|ps --no-headers -Leo user {{!}} sort {{!}} uniq --count}}. This may help with determining appropriate values for the limits.<br />
<br />
=== Run Xorg rootless ===<br />
<br />
[[Xorg]] is commonly [https://security.stackexchange.com/questions/4641/why-are-people-saying-that-the-x-window-system-is-not-secure/4646#4646 considered insecure] because of its architecture and dated design. Thus it is recommended to avoid running it as root.<br />
<br />
See [[Xorg#Rootless Xorg]] for more details how to run it without root privileges. Alternatively, use [[Wayland]] instead of Xorg.<br />
<br />
== Restricting root ==<br />
<br />
The root user is, by definition, the most powerful user on a system. It is also difficult to audit the root user account. It is therefore important to restrict usage of the root user account as much as possible. There are a number of ways to keep the power of the root user while limiting its ability to cause harm.<br />
<br />
=== Use sudo instead of su ===<br />
<br />
{{Merge|sudo|There is a dedicated article.}}<br />
<br />
Using [[sudo]] for privileged access is preferable to [[su]] for a number of reasons.<br />
<br />
* It keeps a log of which unprivileged user ran each privileged command.<br />
* The root user password need not be given out to each user who requires root access.<br />
* {{ic|sudo}} prevents users from accidentally running commands as ''root'' that do not need root access, because a full root terminal is not created. This aligns with the [[Wikipedia:Principle of least privilege|principle of least privilege]].<br />
* Individual programs may be enabled per user, instead of offering complete root access just to run one command. For example, to give the user ''alice'' access to a particular program:<br />
<br />
# visudo<br />
<br />
{{hc|/etc/sudoers|2=<br />
alice ALL = NOPASSWD: /path/to/program<br />
}}<br />
<br />
Or, individual commands can be allowed for all users. To mount Samba shares from a server as a regular user:<br />
<br />
%users ALL=/sbin/mount.cifs,/sbin/umount.cifs<br />
<br />
This allows all users who are members of the group users to run the commands {{ic|/sbin/mount.cifs}} and {{ic|/sbin/umount.cifs}} from any machine (ALL).<br />
<br />
{{Tip|To use a restricted version of {{ic|nano}} instead of {{ic|vi}} with {{ic|visudo}},<br />
<br />
{{hc|/etc/sudoers|2=<br />
Defaults editor=/usr/bin/rnano<br />
}}<br />
<br />
Exporting {{ic|1=EDITOR=nano visudo}} is regarded as a severe security risk since everything can be used as an {{ic|EDITOR}}.<br />
}}<br />
<br />
==== Editing files using sudo ====<br />
<br />
See [[Sudo#Editing files]]. Alternatively, you can use an editor like {{ic|rvim}} or {{ic|rnano}} which has restricted capabilities in order to be safe to run as root.<br />
<br />
=== Restricting root login ===<br />
<br />
Once [[sudo]] is properly configured, full root access can be heavily restricted or denied without losing much usability. To disable root login while still allowing the use of [[sudo]], you can use {{ic|passwd --lock root}}.<br />
<br />
==== Allow only certain users ====<br />
<br />
The [[PAM]] module {{ic|pam_wheel.so}} lets you allow only users in the group {{ic|wheel}} to log in using [[su]]. See [[su#su and wheel]].<br />
<br />
==== Denying SSH login ====<br />
<br />
Even if you do not wish to deny root login for local users, it is always good practice to [[OpenSSH#Deny|deny root login via SSH]]. The purpose of this is to add an additional layer of security before a user can completely compromise your system remotely.<br />
<br />
==== Specify acceptable login combinations with access.conf ====<br />
<br />
When someone attempts to log in with [[PAM]], {{ic|/etc/security/access.conf}} is checked for the first combination that matches their login properties. Their attempt then fails or succeeds based on the rule for that combination. For example, the following rules allow root to log in locally and deny root logins from any other origin:<br />
<br />
+:root:LOCAL<br />
-:root:ALL<br />
<br />
Rules can be set for specific groups and users. In this example, the user archie is allowed to log in locally, as are all users in the wheel and adm groups. All other logins are rejected:<br />
<br />
+:archie:LOCAL<br />
+:(wheel):LOCAL<br />
+:(adm):LOCAL<br />
-:ALL:ALL<br />
<br />
Read more at {{man|5|access.conf}}.<br />
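The first-match evaluation described above, as an added example that is not part of the wiki page: a simplified evaluator in shell that reads rules from stdin and decides for a user, their groups and an origin. It handles only the syntax used on this page (user names, {{ic|(group)}}, {{ic|ALL}}, {{ic|LOCAL}}); EXCEPT lists, netmasks and domain suffixes are assumed absent:<br />

```shell
# Added example, not the wiki's own code: a simplified evaluator for the first-match
# logic of access.conf, limited to the syntax used on this page.

# users_match USERS-FIELD USER "GROUP GROUP ...": does the users field apply to USER?
users_match() {
    local item grp g
    for item in $1; do
        case "$item" in
            ALL) return 0 ;;
            \(*\))                                   # "(wheel)": group membership
                g=${item#\(}; g=${g%\)}
                for grp in $3; do
                    [ "$grp" = "$g" ] && return 0
                done ;;
            *) [ "$item" = "$2" ] && return 0 ;;     # plain user name
        esac
    done
    return 1
}

# origins_match ORIGINS-FIELD ORIGIN: LOCAL matches any origin without a "." in it
# (tty names, unqualified host names), as access.conf(5) describes; otherwise exact.
origins_match() {
    local item
    for item in $1; do
        case "$item" in
            ALL) return 0 ;;
            LOCAL) case "$2" in *.*) ;; *) return 0 ;; esac ;;
            *) [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# check_access USER "GROUPS" ORIGIN: read rules from stdin, apply the first rule whose
# users and origins fields both match, print "allow" or "deny" and return 0 or 1.
# When no rule matches, pam_access permits the login, so the fallback is "allow".
check_access() {
    local user="$1" groups="$2" origin="$3" line perm rest users origins
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        perm=${line%%:*}; rest=${line#*:}
        users=${rest%%:*}; origins=${rest#*:}
        if users_match "$users" "$user" "$groups" && origins_match "$origins" "$origin"; then
            case "$perm" in
                +) echo allow; return 0 ;;
                -) echo deny; return 1 ;;
            esac
        fi
    done
    echo allow
    return 0
}

# The second rule set from the page, as a constructed sample.
SAMPLE_RULES='# console logins for archie, wheel and adm only
+:archie:LOCAL
+:(wheel):LOCAL
+:(adm):LOCAL
-:ALL:ALL'

# demo USER "GROUPS" ORIGIN: print the decision for the sample rules.
demo() {
    printf '%s (groups: %s) from %s -> ' "$1" "$2" "$3"
    printf '%s\n' "$SAMPLE_RULES" | check_access "$1" "$2" "$3" || true
}
demo archie 'archie users' tty1         # allow: first rule matches
demo bob    'bob wheel'    tty1         # allow: (wheel) group rule matches
demo bob    'bob users'    tty1         # deny: falls through to -:ALL:ALL
demo archie 'archie users' 192.0.2.10   # deny: LOCAL does not match a dotted origin
```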
<br />
== Mandatory access control ==<br />
<br />
[[Wikipedia:Mandatory Access Control|Mandatory access control]] (MAC) is a type of security policy that differs significantly from the [[Wikipedia:Discretionary Access Control|discretionary access control]] (DAC) used by default in Arch and most Linux distributions. MAC essentially means that every action a program could perform that affects the system in any way is checked against a security ruleset. This ruleset, in contrast to DAC methods, cannot be modified by users. Using virtually any mandatory access control system will significantly improve the security of your computer, although there are differences in how it can be implemented.<br />
<br />
=== Pathname MAC ===<br />
<br />
Pathname-based access control is a simple form of access control that offers permissions based on the path of a given file. The downside to this style of access control is that permissions are not carried with files if they are moved about the system. On the positive side, pathname-based MAC can be implemented on a much wider range of filesystems, unlike labels-based alternatives.<br />
<br />
* [[AppArmor]] is a [[Wikipedia:Canonical (company)|Canonical]]-maintained MAC implementation seen as an "easier" alternative to SELinux.<br />
* [[TOMOYO]] is another simple, easy-to-use system offering mandatory access control. It is designed to be both simple in usage and in implementation, requiring very few dependencies.<br />
<br />
=== Labels MAC ===<br />
<br />
Labels-based access control means the extended attributes of a file are used to govern its security permissions. While this system is arguably more flexible in its security offerings than pathname-based MAC, it only works on filesystems that support these extended attributes.<br />
<br />
* [[SELinux]], based on an [[Wikipedia:NSA|NSA]] project to improve Linux security, implements MAC completely separate from system users and roles. It offers an extremely robust multi-level MAC policy implementation that can easily maintain control of a system that grows and changes past its original configuration.<br />
<br />
=== Access Control Lists ===<br />
<br />
[[Access Control Lists]] (ACLs) are an alternative to attaching rules directly to the filesystem in some way. ACLs implement access control by checking program actions against a list of permitted behavior.<br />
<br />
== Kernel hardening ==<br />
<br />
=== Kernel self-protection / exploit mitigation ===<br />
<br />
The {{pkg|linux-hardened}} package uses a [https://github.com/anthraxx/linux-hardened basic kernel hardening patch set] and more security-focused compile-time configuration options than the {{pkg|linux}} package. A custom build can be made to choose a different compromise between security and performance than the security-leaning defaults.<br />
<br />
However, it should be noted that several packages will not work when using this kernel. For example:<br />
<br />
* {{AUR|skypeforlinux-preview-bin}}<br />
* {{AUR|skypeforlinux-stable-bin}}<br />
* {{pkg|throttled}}<br />
<br />
If you use an out-of-tree driver such as [[NVIDIA]], you may need to switch to its [[DKMS]] package.<br />
<br />
==== Userspace ASLR comparison ====<br />
<br />
The {{pkg|linux-hardened}} package provides an improved implementation of Address Space Layout Randomization for userspace processes. The {{pkg|paxtest}} command can be used to obtain an estimate of the provided entropy:<br />
<br />
===== 64-bit processes =====<br />
<br />
{{hc|linux-hardened 5.4.21.a-1-hardened|<br />
Anonymous mapping randomization test : 32 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 40 quality bits (guessed)<br />
Heap randomization test (PIE) : 40 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 32 quality bits (guessed)<br />
Main executable randomization (PIE) : 32 quality bits (guessed)<br />
Shared library randomization test : 32 quality bits (guessed)<br />
VDSO randomization test : 32 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 40 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 40 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 44 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 44 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 34 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 34 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 32 bits (guessed)<br />
Randomization under memory exhaustion @0 : 32 bits (guessed)<br />
}}<br />
<br />
{{hc|linux 5.5.5-arch1-1|<br />
Anonymous mapping randomization test : 28 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 28 quality bits (guessed)<br />
Heap randomization test (PIE) : 28 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 28 quality bits (guessed)<br />
Main executable randomization (PIE) : 28 quality bits (guessed)<br />
Shared library randomization test : 28 quality bits (guessed)<br />
VDSO randomization test : 20 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 28 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 29 bits (guessed)<br />
Randomization under memory exhaustion @0 : 29 bits (guessed)<br />
}}<br />
<br />
{{hc|linux-lts 4.19.101-1-lts|<br />
Anonymous mapping randomization test : 28 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 28 quality bits (guessed)<br />
Heap randomization test (PIE) : 28 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 28 quality bits (guessed)<br />
Main executable randomization (PIE) : 28 quality bits (guessed)<br />
Shared library randomization test : 28 quality bits (guessed)<br />
VDSO randomization test : 19 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 28 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 28 bits (guessed)<br />
Randomization under memory exhaustion @0 : 28 bits (guessed)<br />
}}<br />
<br />
===== 32-bit processes (on an x86_64 kernel) =====<br />
<br />
{{hc|linux-hardened|<br />
Anonymous mapping randomization test : 16 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 22 quality bits (guessed)<br />
Heap randomization test (PIE) : 27 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : No randomization<br />
Main executable randomization (PIE) : 18 quality bits (guessed)<br />
Shared library randomization test : 16 quality bits (guessed)<br />
VDSO randomization test : 16 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 24 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 24 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 28 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 28 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 18 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 16 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 18 bits (guessed)<br />
Randomization under memory exhaustion @0 : 18 bits (guessed)<br />
}}<br />
<br />
{{hc|linux|<br />
Anonymous mapping randomization test : 8 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 13 quality bits (guessed)<br />
Heap randomization test (PIE) : 13 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : No randomization<br />
Main executable randomization (PIE) : 8 quality bits (guessed)<br />
Shared library randomization test : 8 quality bits (guessed)<br />
VDSO randomization test : 8 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 19 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 19 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 11 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 11 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 8 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 13 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: No randomization<br />
Randomization under memory exhaustion @0 : No randomization<br />
}}<br />
<br />
=== Restricting access to kernel logs ===<br />
<br />
{{Remove|All [[Kernel#Officially supported kernels|officially supported kernels]] have {{ic|1=CONFIG_SECURITY_DMESG_RESTRICT=y}}.}}<br />
<br />
The kernel logs contain useful information for an attacker trying to exploit kernel vulnerabilities, such as sensitive memory addresses. The {{ic|kernel.dmesg_restrict}} flag forbids access to the logs without the {{ic|CAP_SYS_ADMIN}} capability (which only processes running as root have by default).<br />
<br />
{{hc|/etc/sysctl.d/51-dmesg-restrict.conf|2=<br />
kernel.dmesg_restrict = 1<br />
}}<br />
<br />
{{Note|This is enabled by default in {{pkg|linux}}[https://github.com/archlinux/svntogit-packages/commit/b78bc292e2218661a3b70163ec30711c87100941], {{Pkg|linux-lts}}[https://github.com/archlinux/svntogit-packages/commit/283332609549a479357d2d58adf80d12e89e345f], {{Pkg|linux-zen}}[https://github.com/archlinux/svntogit-packages/commit/5962e24fe3062a3a96dbc1876ba8ea4ef1d500c9] and {{pkg|linux-hardened}}.}}<br />
<br />
=== Restricting access to kernel pointers in the proc filesystem ===<br />
<br />
Setting {{ic|kernel.kptr_restrict}} to 1 will hide kernel symbol addresses in {{ic|/proc/kallsyms}} from regular users without {{ic|CAP_SYSLOG}}, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you are compiling your own kernel, this can help mitigate local root exploits. This will break some {{Pkg|perf}} commands when used by non-root users (but many {{Pkg|perf}} features require root access anyway). See {{Bug|34323}} for more information.<br />
<br />
Setting {{ic|kernel.kptr_restrict}} to 2 will hide kernel symbol addresses in {{ic|/proc/kallsyms}} regardless of privileges.<br />
<br />
{{hc|/etc/sysctl.d/51-kptr-restrict.conf|2=<br />
kernel.kptr_restrict = 1<br />
}}<br />
<br />
{{Note|{{pkg|linux-hardened}} sets {{ic|1=kptr_restrict=2}} by default rather than {{ic|0}}.}}<br />
<br />
=== BPF hardening ===<br />
<br />
BPF is a system used to load and execute bytecode within the kernel dynamically during runtime. It is used in a number of Linux kernel subsystems such as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints) and security (e.g. seccomp). It is also useful for advanced network security, performance profiling and dynamic tracing.<br />
<br />
BPF was originally an acronym of [[Wikipedia:Berkeley Packet Filter|Berkeley Packet Filter]] since the original classic BPF was used for packet capture tools for BSD. This eventually evolved into Extended BPF (eBPF), which was shortly afterwards renamed to just BPF (not an acronym). BPF should not be confused with packet filtering tools like iptables or netfilter, although BPF can be used to implement packet filtering tools.<br />
<br />
BPF code may be either interpreted or compiled using a [[Wikipedia:Just-in-time compilation|Just-In-Time (JIT) compiler]]. The Arch kernel is built with {{ic|CONFIG_BPF_JIT_ALWAYS_ON}} which disables the BPF interpreter and forces all BPF to use JIT compilation. This makes it harder for an attacker to use BPF to escalate attacks that exploit SPECTRE-style vulnerabilities. See [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb the kernel patch which introduced CONFIG_BPF_JIT_ALWAYS_ON] for more details.<br />
<br />
The kernel includes a hardening feature for JIT-compiled BPF which can mitigate some types of JIT spraying attacks at the cost of performance and the ability to trace and debug many BPF programs. It may be enabled by setting {{ic|net.core.bpf_jit_harden}} to {{ic|1}} (to enable hardening of unprivileged code) or {{ic|2}} (to enable hardening of all code).<br />
<br />
See the {{ic|net.core.bpf_*}} settings in the [https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html kernel documentation] for more details.<br />
<br />
{{Tip|<br />
* {{Pkg|linux-hardened}} sets {{ic|1=net.core.bpf_jit_harden=2}} by default rather than {{ic|0}}.<br />
* By default, BPF programs can be run even by unprivileged users. To change that behaviour set {{ic|1=kernel.unprivileged_bpf_disabled=1}}[https://access.redhat.com/security/cve/cve-2021-33624].<br />
}}<br />
<br />
=== ptrace scope ===<br />
<br />
The {{man|2|ptrace}} syscall provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. {{ic|ptrace}} is commonly used by debugging tools including ''gdb'', ''strace'', ''perf'', ''reptyr'' and other debuggers. However, it also provides a means by which a malicious process can read data from and take control of other processes.<br />
<br />
Arch enables the [https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html Yama LSM] by default, which provides a {{ic|kernel.yama.ptrace_scope}} [[kernel parameter]]. This parameter is set to {{ic|1}} (restricted) by default, which prevents tracers from performing a {{ic|ptrace}} call on tracees outside of a restricted scope unless the tracer is privileged or has the {{ic|CAP_SYS_PTRACE}} [[Capabilities|capability]]. This is a significant improvement in security compared to the classic permissions. Without this module, there is no separation between processes running as the same user (in the absence of additional security layers such as {{man|7|pid_namespaces}}).<br />
<br />
{{Note|By default, you can still use tools which require {{ic|ptrace}} by running them as privileged processes, e.g. using [[sudo]].}}<br />
<br />
If you do not need to use debugging tools, consider setting {{ic|kernel.yama.ptrace_scope}} to {{ic|2}} (admin-only) or {{ic|3}} (no {{ic|ptrace}} possible) to harden the system.<br />
<br />
=== hidepid ===<br />
<br />
{{Expansion|1=[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fb5ce62c5920b6e0a8a061f2fe80e0403281e10 Linux 5.8 implemented private instances] and new values for {{ic|1=hidepid=}}.}}<br />
<br />
{{Warning|<br />
* This may cause issues for certain applications like an application running in a sandbox and [[Xorg]] (see workaround).<br />
* This causes issues with [[D-Bus]], [[Polkit]], [[PulseAudio]] and [[bluetooth]] when using {{Pkg|systemd}} > 237.64-1.<br />
}}<br />
<br />
The kernel has the ability to hide other users' processes, normally accessible via {{ic|/proc}}, from unprivileged users by mounting the {{ic|proc}} filesystem with the {{ic|1=hidepid=}} and {{ic|1=gid=}} options documented in https://www.kernel.org/doc/html/latest/filesystems/proc.html. <br />
<br />
This greatly complicates an intruder's task of gathering information about running processes: whether some daemon runs with elevated privileges, whether another user runs some sensitive program, or whether other users run any program at all. It makes it impossible to learn whether any user runs a specific program (provided the program does not reveal itself by its behaviour), and, as an additional bonus, poorly written programs that pass sensitive information via program arguments are now protected against local eavesdroppers.<br />
<br />
The {{ic|proc}} [[Users_and_groups#System_groups|group]], provided by the {{Pkg|filesystem}} package, acts as a whitelist of users authorized to learn other users' process information. If users or services need access to {{ic|/proc/<pid>}} directories beyond their own, [[Users_and_groups#Group_management|add them to the group]].<br />
<br />
For example, to hide process information from other users except those in the {{ic|proc}} group:<br />
<br />
{{hc|/etc/fstab|2=<br />
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0<br />
}}<br />
<br />
For user sessions to work correctly, an exception needs to be added for ''systemd-logind'':<br />
<br />
{{hc|/etc/systemd/system/systemd-logind.service.d/hidepid.conf|2=<br />
[Service]<br />
SupplementaryGroups=proc<br />
}}<br />
<br />
=== Restricting module loading ===<br />
<br />
The default Arch kernel has {{ic|CONFIG_MODULE_SIG_ALL}} enabled, which signs all kernel modules built as part of the {{Pkg|linux}} package. This allows the kernel to restrict module loading to modules signed with a valid key; in practical terms this means that out-of-tree modules, whether compiled locally or provided by packages such as {{Pkg|virtualbox-host-modules-arch}}, cannot be loaded. Kernel module loading can be restricted by setting the [[kernel parameter]] {{ic|1=module.sig_enforce=1}}. More information can be found in the [https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html kernel documentation].<br />
<br />
=== Disable kexec ===<br />
<br />
Kexec allows replacing the current running kernel.<br />
<br />
{{hc|/etc/sysctl.d/51-kexec-restrict.conf|2=<br />
kernel.kexec_load_disabled = 1<br />
}}<br />
<br />
{{Tip|kexec is disabled by default in {{pkg|linux-hardened}}.}}<br />
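An added example (not from the wiki) that audits a {{ic|sysctl -a}} dump against the settings covered in the sections on kernel logs, kernel pointers, BPF, ptrace scope and kexec above. The minimum values are an assumption drawn from those sections, and the sample dump is constructed:<br />

```shell
# Added example, not the wiki's own code: compare a "sysctl -a" style dump with the
# kernel hardening sysctls discussed in this section.

# Key and the minimum value treated as hardened (assumed from the sections above),
# one pair per line. linux-hardened defaults (kptr_restrict=2, bpf_jit_harden=2) pass.
HARDENING_MINIMUMS='kernel.dmesg_restrict 1
kernel.kptr_restrict 1
net.core.bpf_jit_harden 1
kernel.unprivileged_bpf_disabled 1
kernel.yama.ptrace_scope 1
kernel.kexec_load_disabled 1'

# sysctl_value KEY: print the value of KEY from the "key = value" dump on stdin,
# nothing if the key is absent.
sysctl_value() {
    awk -v k="$1" '$1 == k { print $3; exit }'
}

# audit_sysctls: read a dump from stdin and print one "ok", "WEAK" or "MISSING" line
# per key above. Returns 0 only if every key is present and at or above its minimum.
audit_sysctls() {
    local dump key want have status=0
    dump=$(cat)                       # consume stdin before the loop reads its heredoc
    while read -r key want; do
        have=$(printf '%s\n' "$dump" | sysctl_value "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (not in input; the kernel may lack the feature)\n' "$key"
            status=1
        elif [ "$have" -ge "$want" ]; then
            printf 'ok %s = %s\n' "$key" "$have"
        else
            printf 'WEAK %s = %s (want >= %s)\n' "$key" "$have" "$want"
            status=1
        fi
    done <<EOF
$HARDENING_MINIMUMS
EOF
    return "$status"
}

# Constructed sample loosely following the stock-kernel defaults described above;
# on a live system run:  sysctl -a 2>/dev/null | audit_sysctls
SAMPLE_SYSCTL='kernel.dmesg_restrict = 1
kernel.kptr_restrict = 0
kernel.yama.ptrace_scope = 1
kernel.kexec_load_disabled = 0
kernel.unprivileged_bpf_disabled = 0
net.core.bpf_jit_harden = 0
net.ipv4.ip_forward = 0'

if printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctls; then
    echo "all checked sysctls are hardened"
else
    echo "hardening gaps found (listed above)"
fi
```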
<br />
=== Kernel lockdown mode ===<br />
<br />
Since Linux 5.4 the kernel [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d has gained] an optional [https://mjg59.dreamwidth.org/55105.html lockdown feature], intended to strengthen the boundary between UID 0 (root) and the kernel. When enabled, some applications that rely on low-level access to either hardware or the kernel may cease to work.<br />
<br />
To use lockdown, its LSM must be initialized and a lockdown mode must be set.<br />
<br />
All [[Kernel#Officially supported kernels|officially supported kernels]] initialize the LSM, but none of them enforce any lockdown mode. <br />
<br />
{{Tip|Enabled LSMs can be verified by running {{ic|cat /sys/kernel/security/lsm}}.}}<br />
<br />
Lockdown has two modes of operation:<br />
<br />
* {{ic|integrity}}: kernel features that allow userland to modify the running kernel are disabled (kexec, bpf).<br />
* {{ic|confidentiality}}: kernel features that allow userland to extract confidential information from the kernel are also disabled.<br />
<br />
To enable kernel lockdown at runtime, run:<br />
<br />
# echo ''mode'' > /sys/kernel/security/lockdown<br />
<br />
To enable kernel lockdown on boot, use the [[kernel parameter]] {{ic|1=lockdown=''mode''}}.<br />
<br />
{{Note|<br />
* Kernel lockdown cannot be disabled at runtime.<br />
* Kernel lockdown disables [[hibernation]].<br />
}}<br />
<br />
See also {{man|7|kernel_lockdown}}.<br />
<br />
=== Linux Kernel Runtime Guard (LKRG) ===<br />
<br />
[https://www.openwall.com/lkrg/ LKRG] ({{AUR|lkrg-dkms}}) is a kernel module which performs integrity checking of the kernel and detection of exploit attempts.<br />
<br />
== Sandboxing applications ==<br />
<br />
See also [[Wikipedia:Sandbox (computer security)]].<br />
<br />
{{Note|The user namespace configuration item {{ic|CONFIG_USER_NS}} is currently enabled in {{Pkg|linux}} (4.14.5 or later), {{Pkg|linux-lts}} (4.14.15 or later), {{Pkg|linux-zen}} (4.14.4-2 or later) and {{Pkg|linux-hardened}}. Lack of it may prevent certain sandboxing features from being made available to applications.}}<br />
<br />
{{Warning|Unprivileged user namespace usage ({{ic|CONFIG_USER_NS_UNPRIVILEGED}}) is enabled by default in {{Pkg|linux}} (5.1.8 or later), {{Pkg|linux-lts}} (4.19.55-2 or later) and {{Pkg|linux-zen}} (5.1.14.zen1-2 or later) unless the {{ic|kernel.unprivileged_userns_clone}} [[sysctl]] is set to {{ic|0}}. Since this greatly increases the attack surface for local privilege escalation, it is advised to disable this manually, or use the {{Pkg|linux-hardened}} kernel. For more information see {{Bug|36969}}.}}<br />
<br />
=== Firejail ===<br />
<br />
[[Firejail]] is an easy to use and simple tool for sandboxing applications and servers alike. Firejail is suggested for browsers and internet facing applications, as well as any servers you may be running.<br />
<br />
=== bubblewrap ===<br />
<br />
[[bubblewrap]] is a sandbox application developed from [[Wikipedia:Flatpak|Flatpak]] with an even smaller resource footprint than Firejail. While it lacks certain features such as file path whitelisting, bubblewrap does offer bind mounts as well as the creation of user/IPC/PID/network/cgroup namespaces and can support both simple and complex sandboxes.<br />
<br />
=== chroots ===<br />
<br />
Manual [[chroot]] jails can also be constructed.<br />
<br />
=== Linux containers ===<br />
<br />
[[Linux Containers]] are another good option when you need more separation than the other options (short of KVM and VirtualBox) provide. LXC runs on top of the existing kernel in a pseudo-chroot with its own virtual hardware.<br />
<br />
=== Other virtualization options ===<br />
<br />
Using full virtualization options such as [[VirtualBox]], [[KVM]], [[Xen]] or [https://www.qubes-os.org/ Qubes OS] (based on Xen) can also improve isolation and security in the event you plan on running risky applications or browsing dangerous websites.<br />
<br />
== Network and firewalls ==<br />
<br />
=== Firewalls ===<br />
<br />
While the stock Arch kernel is capable of using [[Wikipedia:Netfilter|Netfilter]]'s [[iptables]] and [[nftables]], they are not enabled by default. It is highly recommended to set up some form of firewall to protect the services running on the system. Many resources (including ArchWiki) do not state explicitly which services are worth protecting, so enabling a firewall is a good precaution.<br />
<br />
* See [[iptables]] and [[nftables]] for general information.<br />
* See [[Simple stateful firewall]] for a guide on setting up an iptables firewall.<br />
* See [[:Category:Firewalls]] for other ways of setting up netfilter.<br />
* See [[Ipset]] for blocking lists of IP addresses, such as those from Bluetack.<br />
<br />
==== Open ports ====<br />
<br />
{{Style|"Open ports" is not a good title since it disregards interfaces and addresses that the application may be bound to. From the firewalls' point of view, ports may be "open" even if no application listens on them at the moment.}}<br />
<br />
Some services listen for inbound traffic on open network ports. It is important to only bind these services to the addresses and interfaces that are strictly necessary. It may be possible for a remote attacker to [https://samy.pl/slipstream/ exploit flawed network protocols to access exposed services]. This can even happen with [https://nvd.nist.gov/vuln/detail/CVE-2019-13450 processes bound to localhost].<br />
<br />
In general, if a service only needs to be accessible to the local system, bind to a Unix domain socket ({{man|7|unix}}) or a loopback address such as {{ic|localhost}} instead of a non-loopback address like {{ic|0.0.0.0/0}}.<br />
<br />
If a service needs to be accessible to other systems via the network, control the access with strict [[firewall]] rules and configure authentication, authorization and encryption whenever possible.<br />
<br />
You can list all current open ports with {{ic|ss -l}}. To show all '''l'''istening '''p'''rocesses and their '''n'''umeric '''t'''cp and '''u'''dp port numbers:<br />
<br />
# ss -lpntu<br />
<br />
See {{man|8|ss}} for more options.<br />
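As an added example (not from this wiki page), the following Python script parses {{ic|ss -lpntu}} output and reports every listener that is not bound to a loopback address, i.e. exactly the services the advice above says should be firewalled or rebound; the sample output embedded in it is constructed, not captured from a real host, and {{ic|audit()}} runs the real {{ic|ss}} when called without text.<br />

```python
"""Audit `ss -lpntu` output: which services listen beyond loopback?

Added example, not from the ArchWiki page. The sample below is constructed to
look like a typical workstation; audit() with no argument runs `ss -lpntu`.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -lpntu` output (not captured from a real host).
# The last line has no Process column, as seen when ss runs without privileges.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=412,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=690,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=690,fd=4))
tcp   LISTEN 0      511    *:8080              *:*               users:(("java",pid=1234,fd=45))
tcp   LISTEN 0      128    192.168.1.10:5432   0.0.0.0:*
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
WILDCARDS = {"0.0.0.0", "::", "*"}   # "bind to every address" spellings ss prints


@dataclass
class Listener:
    proto: str
    address: str
    port: str
    process: str
    exposure: str  # "loopback", "wildcard" or "specific"


def classify(address: str) -> str:
    """Map a bind address to loopback / wildcard / specific."""
    if address in WILDCARDS:
        return "wildcard"
    try:
        if ipaddress.ip_address(address).is_loopback:
            return "loopback"
    except ValueError:          # not an IP literal at all
        pass
    return "specific"


def parse_ss(output: str) -> list[Listener]:
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        # "[::]:22" / "127.0.0.53%lo:53" -> bare address and port
        address, port = local.rsplit(":", 1)
        address = address.strip("[]").split("%", 1)[0]
        m = PROC_RE.search(fields[6]) if len(fields) > 6 else None
        process = f"{m.group(1)}[{m.group(2)}]" if m else "?"
        listeners.append(Listener(proto, address, port, process, classify(address)))
    return listeners


def exposed(listeners: list[Listener]) -> list[Listener]:
    """Listeners reachable from other hosts: everything not on loopback."""
    return [l for l in listeners if l.exposure != "loopback"]


def audit(output: str | None = None) -> list[Listener]:
    if output is None:
        output = subprocess.run(["ss", "-lpntu"], capture_output=True,
                                text=True, check=True).stdout
    return exposed(parse_ss(output))


if __name__ == "__main__":
    for l in audit(SAMPLE_SS_OUTPUT):
        print(f"{l.exposure:9} {l.proto} {l.address}:{l.port} {l.process}")
```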
<br />
=== Kernel parameters ===<br />
<br />
Kernel parameters which affect networking can be set using [[Sysctl]]. For how to do this, see [[Sysctl#TCP/IP stack hardening]].<br />
<br />
=== SSH ===<br />
<br />
To mitigate [[Wikipedia:Brute-force attack|brute-force attacks]] it is recommended to enforce key-based authentication. For OpenSSH, see [[OpenSSH#Force public key authentication]]. Alternatively, [[Fail2ban]] or [[Sshguard]] offer lesser forms of protection by monitoring logs and writing [[firewall]] rules, but they open up the potential for a denial of service, since an attacker can [[wikipedia:Spoofing_attack#Spoofing_and_TCP/IP|spoof]] packets as if they came from the administrator after identifying their address. IP spoofing has its own lines of defense, such as [[sysctl#Reverse path filtering|reverse path filtering]] and [[sysctl#Disable ICMP redirects|disabling ICMP redirects]].<br />
<br />
You may want to harden authentication even more by using two-factor authentication. [[Google Authenticator]] provides a two-step authentication procedure using one-time passcodes (OTP).<br />
<br />
Denying root login is also a good practice, both for tracing intrusions and adding an additional layer of security before root access. For OpenSSH, see [[OpenSSH#Deny]].<br />
<br />
Mozilla publishes an [https://infosec.mozilla.org/guidelines/openssh.html OpenSSH configuration guide] which configures more verbose audit logging and restricts ciphers.<br />
<br />
=== DNS ===<br />
<br />
The default domain name resolution (DNS) configuration is highly compatible but has security weaknesses. See [[Domain name resolution#Privacy_and_security|DNS privacy and security]] for more information.<br />
<br />
=== Proxies ===<br />
<br />
Proxies are commonly used as an extra layer between applications and the network, sanitizing data from untrusted sources. The attack surface of a small proxy running with lower privileges is significantly smaller than a complex application running with the end user privileges.<br />
<br />
For example, the DNS resolver is implemented in {{Pkg|glibc}}, which is linked into the application (which may be running as root), so a bug in the DNS resolver might lead to remote code execution. This can be prevented by installing a DNS caching server, such as [[dnsmasq]], which acts as a proxy. [https://googleonlinesecurity.blogspot.it/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html]<br />
<br />
=== Managing TLS certificates ===<br />
<br />
See [[TLS#Trust management]].<br />
<br />
== Physical security ==<br />
<br />
Physical access to a computer is root access given enough time and resources. However, a high ''practical'' level of security can be obtained by putting up enough barriers.<br />
<br />
An attacker can gain full control of your computer on the next boot by simply attaching a malicious IEEE 1394 (FireWire), Thunderbolt or PCI Express device, as these are given full memory access by default.[https://web.archive.org/web/20210312083421/http://breaknenter.org/2014/09/inception-metasploit-integration/] For Thunderbolt, you can restrict direct memory access completely or to known devices, see [[Thunderbolt#User device authorization]]. For FireWire and PCI Express, there is little you can do to prevent this, or to prevent modification of the hardware itself, such as flashing malicious firmware onto a drive. However, the vast majority of attackers will not be this knowledgeable and determined.<br />
<br />
[[#Data-at-rest encryption]] will prevent access to your data if the computer is stolen, but a resourceful attacker can install malicious firmware to obtain this data upon your next login.<br />
<br />
=== Locking down BIOS ===<br />
<br />
Adding a password to the BIOS prevents someone from booting into removable media, which is basically the same as having root access to your computer. You should make sure your drive is first in the boot order and disable the other drives from being bootable if you can.<br />
<br />
=== Boot loaders ===<br />
<br />
It is highly important to protect your [[boot loader]]. An unprotected boot loader can be used to bypass any login restrictions, e.g. by setting the {{ic|1=init=/bin/sh}} [[kernel parameter]] to boot directly to a shell.<br />
<br />
==== Syslinux ====<br />
<br />
Syslinux supports [[Syslinux#Security|password-protecting your bootloader]]. It allows you to set either a per-menu-item password or a global bootloader password.<br />
<br />
==== GRUB ====<br />
<br />
[[GRUB]] supports bootloader passwords as well. See [[GRUB/Tips and tricks#Password protection of GRUB menu]] for details. It also has support for [[GRUB#Encrypted /boot|encrypted /boot]], which only leaves some parts of the bootloader code unencrypted. GRUB's configuration, [[kernel]] and [[initramfs]] are encrypted.<br />
<br />
=== Secure Boot ===<br />
<br />
[[Secure Boot]] is a feature of [[UEFI]] that allows authentication of the files your computer boots. This helps prevent some [[Wikipedia:Evil maid attack|evil maid attacks]] such as replacing files inside the boot partition. Normally, computers come with keys that are enrolled by vendors (OEMs). However, these can be removed, allowing the computer to enter ''Setup Mode'', in which the user can enroll and manage their own keys.<br />
<br />
The Secure Boot page guides you through setting up Secure Boot [[Unified Extensible Firmware Interface/Secure Boot#Using your own keys|using your own keys]].<br />
<br />
=== Trusted Platform Module (TPM) ===<br />
<br />
[[Trusted Platform Module|TPMs]] are hardware microprocessors which have cryptographic keys embedded. This forms the fundamental root of trust of most modern computers and allows end-to-end verification of the boot chain. They can be used as internal smartcards, attest the firmware running on the computer and allow users to insert secrets into a tamper-proof and brute-force resistant store.<br />
<br />
=== Boot partition on removable flash drive ===<br />
<br />
One popular idea is to place the boot partition on a flash drive in order to render the system unbootable without it. Proponents of this idea often use [[#Data-at-rest encryption|full-disk encryption]] alongside, and some also use [[Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header|detached encryption headers]] placed on the boot partition.<br />
<br />
This method can also be merged with [[Dm-crypt/Specialties#Encrypted_/boot_and_a_detached_LUKS_header_on_USB|encrypting /boot]].<br />
<br />
=== Automatic logout ===<br />
<br />
If you are using [[Bash]] or [[Zsh]], you can set {{ic|TMOUT}} for an automatic logout from shells after a timeout.<br />
<br />
For example, the following will automatically log out from virtual consoles (but not terminal emulators in X11):<br />
<br />
{{hc|/etc/profile.d/shell-timeout.sh|<nowiki><br />
TMOUT="$(( 60*10 ))";<br />
[ -z "$DISPLAY" ] && export TMOUT;<br />
case $( /usr/bin/tty ) in<br />
/dev/tty[0-9]*) export TMOUT;;<br />
esac<br />
</nowiki>}}<br />
<br />
If you really want EVERY Bash/Zsh prompt (even within X) to timeout, use:<br />
<br />
$ export TMOUT="$(( 60*10 ))";<br />
<br />
Note that this will not work if some command is running in the shell (e.g. an SSH session or another shell without {{ic|TMOUT}} support). But if you mostly use the virtual console for restarting a frozen GDM/Xorg as root, then this is very useful.<br />
<br />
=== Protect against rogue USB devices ===<br />
<br />
Install [[USBGuard]], which is a software framework that helps to protect your computer against rogue USB devices (a.k.a. [https://srlabs.de/badusb BadUSB]{{Dead link|2021|11|19|status=404}}, [https://github.com/samyk/poisontap PoisonTap] or [https://lanturtle.com/ LanTurtle]) by implementing basic whitelisting and blacklisting capabilities based on device attributes.<br />
<br />
=== Volatile data collection ===<br />
<br />
A computer that is powered on may be vulnerable to [https://fedvte.usalearning.gov/courses/CSI/course/videos/pdf/CSI_D01_S05_T01_STEP.pdf volatile data collection]. It is a best practice to turn a computer completely off at times it is not necessary for it to be on, or if the computer's physical security is temporarily compromised (e.g. when passing through a security checkpoint).<br />
<br />
== Packages ==<br />
<br />
=== Authentication ===<br />
<br />
[https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html#overview Attacks on package managers] are possible without proper use of package signing, and can affect even package managers with [https://www2.cs.arizona.edu/stork/packagemanagersecurity/faq.html proper signature systems]. Arch uses package signing by default and relies on a web of trust from 5 trusted master keys. See [[Pacman-key]] for details.<br />
<br />
=== Upgrades ===<br />
<br />
It is important to regularly [[System_maintenance#Upgrading_the_system|upgrade the system]].<br />
<br />
=== Follow vulnerability alerts ===<br />
<br />
Subscribe to the Common Vulnerabilities and Exposure (CVE) Security Alert updates, made available by National Vulnerability Database, and found on the [https://nvd.nist.gov/download.cfm NVD Download webpage]. The [https://security.archlinux.org/ Arch Linux Security Tracker] serves as a particularly useful resource in that it combines Arch Linux Security Advisory (ASA), Arch Linux Vulnerability Group (AVG) and CVE data sets in tabular format. The tool {{Pkg|arch-audit}} can be used to check for vulnerabilities affecting the running system. A graphical system tray, {{Pkg|arch-audit-gtk}}, can also be used. See also [[Arch Security Team]].<br />
<br />
You should also consider subscribing to the release notifications for software you use, especially if you install software through means other than the main repositories or AUR. Some software has mailing lists you can subscribe to for security notifications. Source code hosting sites often offer RSS feeds for new releases.<br />
<br />
=== Rebuilding packages ===<br />
<br />
Packages can be rebuilt and stripped of undesired functions and features as a means to reduce attack surface. For example, {{Pkg|bzip2}} can be rebuilt without {{ic|bzip2recover}} in an attempt to circumvent [https://security.archlinux.org/CVE-2016-3189 CVE-2016-3189]. Custom hardening flags can also be applied either manually or via a wrapper.<br />
<br />
{{Merge|Arch package guidelines/Security|Security related build flags have their own article.}}<br />
<br />
{{Accuracy|Copy-pasted from a 3 years old blog post. The compiler flags are specific to [[GCC]], some are hardly security related (e.g. {{ic|-O2}}, {{ic|-g}}, {{ic|-Wall}}).}}<br />
<br />
{| class="wikitable"<br />
! Flag !! Purpose<br />
|-<br />
| -D_FORTIFY_SOURCE=2 || Run-time buffer overflow detection <br />
|-<br />
| -D_GLIBCXX_ASSERTIONS || Run-time bounds checking for C++ strings and containers <br />
|-<br />
| -fasynchronous-unwind-tables || Increased reliability of backtraces <br />
|-<br />
| -fexceptions || Enable table-based thread cancellation <br />
|-<br />
| -fpie -Wl,-pie || Full ASLR for executables <br />
|-<br />
| -fpic -shared || No text relocations for shared libraries <br />
|-<br />
| -fplugin=annobin || Generate data for hardening quality control <br />
|-<br />
| -fstack-clash-protection || Increased reliability of stack overflow detection <br />
|-<br />
| -fstack-protector or -fstack-protector-all || Stack smashing protector <br />
|-<br />
| -fstack-protector-strong || Likewise <br />
|-<br />
| -g || Generate debugging information <br />
|-<br />
| -grecord-gcc-switches || Store compiler flags in debugging information <br />
|-<br />
| -mcet -fcf-protection || Control flow integrity protection <br />
|-<br />
| -O2 || Recommended optimizations <br />
|-<br />
| -pipe || Avoid temporary files, speeding up builds <br />
|-<br />
| -Wall || Recommended compiler warnings <br />
|-<br />
| -Werror=format-security || Reject potentially unsafe format string arguments <br />
|-<br />
| -Werror=implicit-function-declaration || Reject missing function prototypes <br />
|-<br />
| -Wl,-z,defs || Detect and reject underlinking <br />
|-<br />
| -Wl,-z,now || Disable lazy binding <br />
|-<br />
| -Wl,-z,relro || Read-only segments after relocation <br />
|}<br />
<br />
* [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ Flags and info source]<br />
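An added check, not part of this page or of any Arch packaging tool, for whether a rebuilt binary actually carries the link-time properties from the table: it parses the ELF64 program headers and dynamic section for PIE ({{ic|-fpie -Wl,-pie}}), RELRO ({{ic|-Wl,-z,relro}}), BIND_NOW ({{ic|-Wl,-z,now}}), a non-executable stack and text relocations, and includes a constructed minimal ELF image so it runs without a real binary. It assumes little-endian ELF64 and does not cover stack-protector or FORTIFY, which need the symbol table.<br />

```python
"""Check which link-time hardening properties an ELF64 binary carries.

Constructed example: the build_elf() image is synthetic (not a real program),
and only the properties visible in program headers and the dynamic section are
checked. Stack-protector and FORTIFY need the symbol table and are not covered.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_FLAGS, DT_FLAGS_1 = 0, 22, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def check_hardening(elf: bytes) -> dict:
    """Return PIE / RELRO / BIND_NOW / NX-stack / TEXTREL status of an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # e_type, machine, version, entry, e_phoff, shoff, flags, ehsize, e_phentsize, e_phnum
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from("<HHIQQQIHHH", elf, 16)
    phdrs = [struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]   # (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    result = {
        "pie": e_type == ET_DYN,                             # -fpie -Wl,-pie
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),  # -Wl,-z,relro
        # No PT_GNU_STACK at all makes the loader assume an executable stack.
        "nx_stack": bool(stack) and not stack[0][1] & PF_X,
        "bind_now": False,                                   # -Wl,-z,now
        "textrel": False,                                    # absent when built -fpic
    }
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, end = p[2], p[2] + p[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_FMT, elf, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL:
                result["textrel"] = True
            elif (tag == DT_FLAGS and val & DF_BIND_NOW) or \
                    (tag == DT_FLAGS_1 and val & DF_1_NOW):
                result["bind_now"] = True
    return result


def build_elf(*, pie, relro, bind_now, exec_stack, textrel=False) -> bytes:
    """Synthetic ELF64 image carrying only the headers the check reads (constructed)."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []) \
        + ([(DT_TEXTREL, 0)] if textrel else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    segs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        segs.append((PT_GNU_RELRO, PF_R))
    segs.append((PT_DYNAMIC, PF_R | PF_W))
    dyn_off = 64 + 56 * len(segs)                 # dynamic entries follow the phdrs
    body = b""
    for ptype, flags in segs:
        off, size = (dyn_off, len(dyn_bytes)) if ptype == PT_DYNAMIC else (0, 0)
        body += struct.pack(PHDR_FMT, ptype, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    return ehdr + body + dyn_bytes


if __name__ == "__main__":
    # Pass a path to inspect a real binary; without one, the synthetic image is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf(
        pie=True, relro=True, bind_now=True, exec_stack=False)
    for name, ok in check_hardening(image).items():
        print(f"{name:9} {'yes' if ok else 'NO'}")
```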
<br />
== See also ==<br />
<br />
* [https://security.archlinux.org/ Arch Linux Security Tracker]<br />
* [https://wiki.centos.org/HowTos/OS_Protection CentOS Wiki: OS Protection]<br />
* [https://developer.ibm.com/technologies/linux/articles/l-harden-desktop/ Hardening the Linux desktop]<br />
* [https://web.archive.org/web/20190701140035/https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html Hardening the Linux server]<br />
* [https://github.com/lfit/itpol/blob/master/linux-workstation-security.md Linux Foundation: Linux workstation security checklist]<br />
* [https://www.privacyguides.org/ privacyguides.org Privacy Resources]<br />
* [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/ Red Hat Enterprise Linux 7 Security Guide]<br />
* [https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html Securing Debian Manual]<br />
* [https://web.archive.org/web/20140220055801/http://crunchbang.org:80/forums/viewtopic.php?id=24722 The paranoid #! Security Guide]</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Yt-dlp&diff=700160Yt-dlp2021-10-29T02:33:59Z<p>Kiasoc5: Undo revision 700159 by Kiasoc5 (talk) because the change showed a broken link. Also Lahwaacz.bot will handle the change automatically</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Download utilities]]<br />
[[Category:Streaming]]<br />
[[de:Youtube-dl]]<br />
[[es:Youtube-dl]]<br />
[[ja:Youtube-dl]]<br />
[[pl:Youtube-dl]]<br />
{{Related articles start}}<br />
{{Related|mpv}}<br />
{{Related|FFmpeg}}<br />
{{Related articles end}}<br />
[https://yt-dl.org youtube-dl] is a command-line program that lets you easily download videos and audio from more than a thousand websites. See the [https://github.com/ytdl-org/youtube-dl/blob/master/docs/supportedsites.md list] of supported sites.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|youtube-dl}} package, or {{AUR|youtube-dl-git}} for the development version. It is recommended to also install [[FFmpeg]] as it is used for muxing for some sites. See the optional dependencies.<br />
<br />
Various [https://www.reddit.com/r/youtubedl/wiki/info-forks forks] of youtube-dl also exist and may contain additional features, in particular {{AUR|yt-dlp}} adds support for more sites, downloading comments, improvements to format preferences, and other changes. {{AUR|youtube-dlc}} is another fork with many of the aforementioned new features. There are also various [https://www.reddit.com/r/youtubedl/wiki/info-guis graphical frontends] to youtube-dl and/or its forks, such as {{AUR|tartube}} and [https://github.com/oleksis/youtube-dl-gui yt-dlg] ({{AUR|youtube-dl-gui-git}}).<br />
<br />
== Configuration ==<br />
<br />
The system-wide configuration file is {{ic|/etc/youtube-dl.conf}} and the user-specific configuration file is {{ic|~/.config/youtube-dl/config}}. The syntax is simply one command-line option per line. Example configuration:<br />
<br />
--ignore-errors<br />
# --no-playlist<br />
<br />
# Save in ~/Videos<br />
-o ~/Videos/%(title)s.%(ext)s<br />
<br />
# Prefer 1080p or lower resolutions<br />
-f bestvideo[ext=mp4][width<2000][height<=1200]+bestaudio[ext=m4a]/bestvideo[ext=webm][width<2000][height<=1200]+bestaudio[ext=webm]/bestvideo[width<2000][height<=1200]+bestaudio/best[width<2000][height<=1200]/best<br />
<br />
See [https://github.com/ytdl-org/youtube-dl/blob/master/README.md#configuration] for more information.<br />
<br />
== Usage ==<br />
<br />
See {{man|1|youtube-dl}} for the manual.<br />
<br />
$ youtube-dl [OPTIONS] ''URL''<br />
<br />
{{tip|In some cases (like YouTube) {{ic|''URL''}} can be substituted with the video ID.}}<br />
<br />
=== Format selection ===<br />
<br />
When multiple formats of a video are available, ''youtube-dl'' will download the best ones by default.<br />
<br />
To select a specific one to download:<br />
<br />
$ youtube-dl -f ''format'' ''URL''<br />
<br />
To get a list of the available formats:<br />
<br />
$ youtube-dl -F ''URL''<br />
<br />
=== Extract audio ===<br />
<br />
Use {{ic|-x}} for audio-only downloads (requires [[FFmpeg]]):<br />
<br />
$ youtube-dl -x -f bestaudio ''URL''<br />
<br />
Depending on the available source streams, this will often yield the correct audio-only container. If an audio-only stream is not available, omit {{ic|-f bestaudio}} from the example above. This will download the video and extract its audio as a post-processing step. By default this removes the downloaded video; include {{ic|-k}} to keep it.<br />
<br />
To also include album art (requires {{Pkg|atomicparsley}}):<br />
<br />
$ youtube-dl -x -f bestaudio[ext=m4a] --add-metadata --embed-thumbnail ''URL''<br />
<br />
=== Subtitles ===<br />
<br />
To see which languages are available:<br />
<br />
$ youtube-dl --list-subs ''URL''<br />
<br />
To download a video with selected subtitles (comma separated):<br />
<br />
$ youtube-dl --write-sub --sub-lang ''LANG'' ''URL''<br />
<br />
For auto-generated subtitles:<br />
<br />
$ youtube-dl --write-auto-sub --sub-lang ''LANG'' ''URL''<br />
<br />
Add {{ic|--skip-download}} to get only subtitles.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Faster downloads ===<br />
<br />
Some websites throttle transfer speeds. You can often get around this by choosing non-DASH streams or by using [[aria2]], an external downloader which supports multi-connection downloads. For example:<br />
<br />
$ youtube-dl --external-downloader aria2c --external-downloader-args '-c -j 3 -x 3 -s 3 -k 1M' ''URL''<br />
<br />
=== Playlist ===<br />
<br />
Using youtube-dl for a playlist usually boils down to the following options:<br />
<br />
$ youtube-dl --ignore-errors --continue --no-overwrites --download-archive progress.txt ''usual options'' ''URL''<br />
<br />
This set of options allows the download to effectively continue even after an interruption. If you are archiving, add the usual {{ic|--write-xxx}} and {{ic|--embed-xxx}} options you may have.<br />
<br />
=== Trim (partial download) ===<br />
<br />
Parts of videos can be downloaded by using the output of {{ic|youtube-dl -g -f ''format'' ''URL''}} as ''ffmpeg'' input with the {{ic|-ss}} (for input), {{ic|-t}} and {{ic|-c copy}} [https://ffmpeg.org/ffmpeg.html#Main-options options].<br />
<br />
=== URL from clipboard ===<br />
<br />
A shell [[alias]], a [[desktop launcher]] or a keyboard shortcut can be set to download a video (or audio) of a selected (or copied) URL by outputting it from the [[Wikipedia:X_Window_selection|X selection]]. See [[Clipboard#Tools]].<br />
<br />
== See also ==<br />
<br />
* [https://github.com/ytdl-org/youtube-dl GitHub repository] for documentation.</div>Kiasoc5https://wiki.archlinux.org/index.php?title=Yt-dlp&diff=700159Yt-dlp2021-10-29T02:27:56Z<p>Kiasoc5: yt-dlp is an official package now</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Download utilities]]<br />
[[Category:Streaming]]<br />
[[de:Youtube-dl]]<br />
[[es:Youtube-dl]]<br />
[[ja:Youtube-dl]]<br />
[[pl:Youtube-dl]]<br />
{{Related articles start}}<br />
{{Related|mpv}}<br />
{{Related|FFmpeg}}<br />
{{Related articles end}}<br />
[https://yt-dl.org youtube-dl] is a command-line program that lets you easily download videos and audio from more than a thousand websites. See the [https://github.com/ytdl-org/youtube-dl/blob/master/docs/supportedsites.md list] of supported sites.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|youtube-dl}} package, or {{AUR|youtube-dl-git}} for the development version. It is recommended to also install [[FFmpeg]] as it is used for muxing for some sites. See the optional dependencies.<br />
<br />
Various [https://www.reddit.com/r/youtubedl/wiki/info-forks forks] of youtube-dl also exist and may contain additional features, in particular {{PKG|yt-dlp}} adds support for more sites, downloading comments, improvements to format preferences, and other changes. {{AUR|youtube-dlc}} is another fork with many of the aforementioned new features. There are also various [https://www.reddit.com/r/youtubedl/wiki/info-guis graphical frontends] to youtube-dl and/or its forks, such as {{AUR|tartube}} and [https://github.com/oleksis/youtube-dl-gui yt-dlg] ({{AUR|youtube-dl-gui-git}}).<br />
<br />
== Configuration ==<br />
<br />
The system-wide configuration file is {{ic|/etc/youtube-dl.conf}} and the user-specific configuration file is {{ic|~/.config/youtube-dl/config}}. The syntax is simply one command-line option per line. Example configuration:<br />
<br />
--ignore-errors<br />
# --no-playlist<br />
<br />
# Save in ~/Videos<br />
-o ~/Videos/%(title)s.%(ext)s<br />
<br />
# Prefer 1080p or lower resolutions<br />
-f bestvideo[ext=mp4][width<2000][height<=1200]+bestaudio[ext=m4a]/bestvideo[ext=webm][width<2000][height<=1200]+bestaudio[ext=webm]/bestvideo[width<2000][height<=1200]+bestaudio/best[width<2000][height<=1200]/best<br />
<br />
See [https://github.com/ytdl-org/youtube-dl/blob/master/README.md#configuration] for more information.<br />
<br />
== Usage ==<br />
<br />
See {{man|1|youtube-dl}} for the manual.<br />
<br />
$ youtube-dl [OPTIONS] ''URL''<br />
<br />
{{tip|In some cases (like YouTube) {{ic|''URL''}} can be substituted with the video ID.}}<br />
<br />
=== Format selection ===<br />
<br />
When multiple formats of a video are available, ''youtube-dl'' will download the best ones by default.<br />
<br />
To select a specific one to download:<br />
<br />
$ youtube-dl -f ''format'' ''URL''<br />
<br />
To get a list of the available formats:<br />
<br />
$ youtube-dl -F ''URL''<br />
<br />
=== Extract audio ===<br />
<br />
Use {{ic|-x}} for audio-only downloads (requires [[FFmpeg]]):<br />
<br />
$ youtube-dl -x -f bestaudio ''URL''<br />
<br />
Depending on the available source streams, this will often yield the correct audio-only container. If an audio-only stream is not available, omit {{ic|-f bestaudio}} from the example above. This will download the video and extract its audio as a post-processing step. By default this removes the downloaded video; include {{ic|-k}} to keep it.<br />
<br />
To also include album art (requires {{Pkg|atomicparsley}}):<br />
<br />
$ youtube-dl -x -f bestaudio[ext=m4a] --add-metadata --embed-thumbnail ''URL''<br />
<br />
=== Subtitles ===<br />
<br />
To see which languages are available:<br />
<br />
$ youtube-dl --list-subs ''URL''<br />
<br />
To download a video with selected subtitles (comma separated):<br />
<br />
$ youtube-dl --write-sub --sub-lang ''LANG'' ''URL''<br />
<br />
For auto-generated subtitles:<br />
<br />
$ youtube-dl --write-auto-sub --sub-lang ''LANG'' ''URL''<br />
<br />
Add {{ic|--skip-download}} to get only subtitles.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Faster downloads ===<br />
<br />
Some websites throttle transfer speeds. You can often get around this by choosing non-DASH streams or by using [[aria2]], an external downloader which supports multi-connection downloads. For example:<br />
<br />
$ youtube-dl --external-downloader aria2c --external-downloader-args '-c -j 3 -x 3 -s 3 -k 1M' ''URL''<br />
<br />
=== Playlist ===<br />
<br />
Using youtube-dl for a playlist usually boils down to the following options:<br />
<br />
$ youtube-dl --ignore-errors --continue --no-overwrites --download-archive progress.txt ''usual options'' ''URL''<br />
<br />
This set of options allows the download to effectively continue even after an interruption. If you are archiving, add the usual {{ic|--write-xxx}} and {{ic|--embed-xxx}} options you may have.<br />
<br />
=== Trim (partial download) ===<br />
<br />
Parts of videos can be downloaded by using the output of {{ic|youtube-dl -g -f ''format'' ''URL''}} as ''ffmpeg'' input with the {{ic|-ss}} (for input), {{ic|-t}} and {{ic|-c copy}} [https://ffmpeg.org/ffmpeg.html#Main-options options].<br />
<br />
=== URL from clipboard ===<br />
<br />
A shell [[alias]], a [[desktop launcher]] or a keyboard shortcut can be set to download a video (or audio) of a selected (or copied) URL by outputting it from the [[Wikipedia:X_Window_selection|X selection]]. See [[Clipboard#Tools]].<br />
<br />
== See also ==<br />
<br />
* [https://github.com/ytdl-org/youtube-dl GitHub repository] for documentation.</div>Kiasoc5