Last week we reported that the Arch Linux developers planned to add support for the zstd compression algorithm as of Pacman version 5.2. Just a few hours ago, the new version of the package manager, Pacman 5.2, was released.
For those unfamiliar with Pacman: it is the Arch Linux package manager. It resolves dependencies and automatically downloads and installs all necessary packages. In theory, the user only needs to execute a single command to fully update the system.
Pacman uses files packed in tar and compressed with gzip or xz for all packages, each of which contains compiled binaries. Packages are downloaded via FTP; HTTP and local files can also be used, depending on how each repository is configured. It works with the Arch Build System (ABS), which is used to create packages from source code.
Main new features of Pacman 5.2
One of the most notable new features in Pacman 5.2 is support for the zstd algorithm, which, compared to the "xz" algorithm, speeds up compression and unpacking of packages while preserving the level of compression.
Along with this, makepkg gained the ability to plug in handlers for downloading source packages and verifying them by digital signature. In addition, support was added for package compression using the lzip and lz4 algorithms.
In repo-add, the added support for database compression using zstd stands out. Arch Linux expects to switch to zstd by default in the near future.
Another change in Pacman 5.2 is that support for delta updates, which allowed downloading only the changes, has been completely removed. The feature was removed because of a vulnerability (CVE-2019-18183) that allows arbitrary commands to be executed on the system when unsigned databases are used.
For an attack to work, the user has to download files prepared by the attacker containing the database and the delta update. Support for delta updates was disabled by default and was not widely used. A complete rewrite of the delta update implementation is planned for the future.
Also worth highlighting is support for downloading PGP keys using Web Key Directory (WKD), whose essence is to publish public keys on the web at a location tied to the domain specified in the email address.
Another change worth noting is that Pacman 5.2 removes the "--force" option, since using it can lead to problems with dependencies. The "--overwrite" option is now offered instead, as it reflects more accurately.
File search results with the "-F" option now provide extended information, such as package group and installation status.
Finally, it is also worth mentioning that Pacman 5.2 fixes a vulnerability in the XferCommand command handler (CVE-2019-18182), which, given an MITM attack and an unsigned database, allows an attacker to execute their own commands on the system.
Pacman 5.2 can also be built using the Meson system instead of Autotools. In the next version, Meson will completely replace Autotools.
Update Pacman to the new version
At the time of writing, the new version of Pacman has not yet been released in the Arch Linux repositories, so the only way to have Pacman 5.2 on our system is to download the source code and compile it on our computer.
Adventurers who like building from source can get the Pacman 5.2 code from the link below.
Everyone else will have to wait for the notification in Octopi or for the update to appear in the Arch Linux repositories.