Arch Linux: Recent news updates

kea >= 1:3.0.3-6 update requires manual intervention

Robin Candau — Tue, 07 Apr 2026 16:50:29 +0000

The kea package has moved all services to run as a dedicated kea user (instead of root) for improved security. This change requires permission updates to the runtime files created by the kea services.

Users upgrading from an existing kea installation should therefore run the following commands after the upgrade:

chown kea: /var/lib/kea/* /var/log/kea/* /run/lock/kea/logger_lockfile

systemctl try-restart kea-ctrl-agent.service kea-dhcp{4,6,-ddns}.service

Accounts that need to interact with kea services files (e.g. lease files under /var/lib/kea, log files under /var/log/kea or configuration files under /etc/kea) should be added to the kea group.

iptables now defaults to the nft backend

Felix Yan — Sun, 05 Apr 2026 18:28:33 +0000

The old iptables-nft package name is replaced by iptables, and the legacy backend is available as iptables-legacy.

When switching packages (among iptables-nft, iptables, iptables-legacy), check for .pacsave files in /etc/iptables/ and restore your rules if needed:

/etc/iptables/iptables.rules.pacsave
/etc/iptables/ip6tables.rules.pacsave

Most setups should work unchanged, but users relying on uncommon xtables extensions or legacy-only behavior should test carefully and use iptables-legacy if required.

NVIDIA 590 driver drops Pascal and lower support; main packages switch to Open Kernel Modules

Peter Jung — Sat, 20 Dec 2025 18:53:42 +0000

With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the nvidia package with nvidia-open, nvidia-dkms with nvidia-open-dkms, and nvidia-lts with nvidia-lts-open.

Impact: Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment.

Intervention required for Pascal/older users: Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support:

Uninstall the official nvidia, nvidia-lts, or nvidia-dkms packages.
Install nvidia-580xx-dkms from the AUR

Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention.

.NET packages may require manual intervention

George Rawlinson — Thu, 11 Dec 2025 07:01:28 +0000

The following packages may require manual intervention due to the upgrade from 9.0 to 10.0:

aspnet-runtime
aspnet-targeting-pack
dotnet-runtime
dotnet-sdk
dotnet-source-built-artifacts
dotnet-targeting-pack

pacman may display the following error failed to prepare transaction (could not satisfy dependencies) for the affected packages.

If you are affected by this and require the 9.0 packages, the following commands will update e.g. aspnet-runtime to aspnet-runtime-9.0:

pacman -Syu aspnet-runtime-9.0

pacman -Rs aspnet-runtime

waydroid >= 1.5.4-3 update may require manual intervention

George Hu — Thu, 06 Nov 2025 00:35:08 +0000

The waydroid package prior to version 1.5.4-2 (including aur/waydroid) creates Python byte-code files (.pyc) at runtime which were untracked by pacman. This issue has been fixed in 1.5.4-3, where byte-compiling these files is now done during the packaging process.

As a result, the upgrade may conflict with the unowned files created in previous versions. If you encounter errors like the following during the update:

error: failed to commit transaction (conflicting files)

waydroid: /usr/lib/waydroid/tools/__pycache__/__init__.cpython-313.pyc exists in filesystem

waydroid: /usr/lib/waydroid/tools/actions/__pycache__/__init__.cpython-313.pyc exists in filesystem

waydroid: /usr/lib/waydroid/tools/actions/__pycache__/app_manager.cpython-313.pyc exists in filesystem

You can safely overwrite these files by running the following command:

pacman -Syu --overwrite /usr/lib/waydroid/tools/\*__pycache__/\*

dovecot >= 2.4 requires manual intervention

Thore Bödecker — Fri, 31 Oct 2025 21:20:51 +0000

The dovecot 2.4 release branch has made breaking changes which result in it being incompatible with any <= 2.3 configuration file.

Thus, the dovecot service will no longer be able to start until the configuration file was migrated, requiring manual intervention.

For guidance on the 2.3-to-2.4 migration, please refer to the following upstream documentation: Upgrading Dovecot CE from 2.3 to 2.4

Furthermore, the dovecot 2.4 branch no longer supports their replication feature, it was removed.

For users relying on the replication feature or who are unable to perform the 2.4 migration right now, we provide alternative packages available in [extra]:

dovecot23
pigeonhole23
dovecot23-fts-elastic
dovecot23-fts-xapian

The dovecot 2.3 release branch is going to receive critical security fixes from upstream until stated otherwise.

Recent service outages

Christian Heusel — Thu, 21 Aug 2025 22:01:13 +0000

We want to provide an update on the recent service outages affecting our infrastructure. The Arch Linux Project is currently experiencing an ongoing denial of service attack that primarily impacts our main webpage, the Arch User Repository (AUR), and the Forums.

We are aware of the problems that this creates for our end users and will continue to actively work with our hosting provider to mitigate the attack. We are also evaluating DDoS protection providers while carefully considering factors including cost, security, and ethical standards.

To improve the communication around this issue we will provide regular updates on our service status page going forward.

As a volunteer-driven project, we appreciate the community's patience as our DevOps team works to resolve these issues. Please bear with us and thank you for all the support you have shown so far.

Workarounds during service disruption

In the case of downtime for archlinux.org:
- Mirrors: The mirror list endpoint used in tools like reflector is hosted on this site. Please default to the mirrors listed in the pacman-mirrorlist package during an outage.
- ISO: Our installation image is available on a lot of the mirrors, for example the DevOps administered geomirrors. Please always verify its integrity as described on the wiki and confirm it is signed by 0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C (or other trusted keys that may be used in the future).
In the case of downtime for aur.archlinux.org:
- Packages: We maintain a mirror of AUR packages on GitHub. You can retrieve a package using: $ git clone --branch <package_name> --single-branch https://github.com/archlinux/aur.git <package_name>
In the case of downtime for wiki.archlinux.org:
- Docs: The arch-wiki-docs and arch-wiki-lite contain recent snapshots of the articles as hosted on the Arch Linux wiki.

Additional remarks

Our services may send an initial connection reset due to the TCP SYN authentication performed by our hosting provider, but subsequent requests should work as expected.
We are keeping technical details about the attack, its origin and our mitigation tactics internal while the attack is still ongoing.

zabbix >= 7.4.1-2 may require manual intervention

Robin Candau — Mon, 04 Aug 2025 14:58:22 +0000

Starting with 7.4.1-2, the following Zabbix system user accounts (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared zabbix user account (as originally intended by upstream and done by other distributions):

zabbix-server
zabbix-proxy
zabbix-agent (also used by the zabbix-agent2 package)
zabbix-web-service

This shared zabbix user account is provided by the newly introduced zabbix-common split package, which is now a dependency for all relevant zabbix-* packages.

The switch to the new user account is handled automatically for the corresponding main configuration files and systemd service units.

However, manual intervention may be required if you created custom files or configurations referencing to and / or being owned by the above deprecated users accounts, for example:

PSK files used for encrypted communication
Custom scripts for metrics collections or report generations
sudoers rules for metrics requiring elevated privileges to be collected
...

Those should therefore be updated to refer to and / or be owned by the new zabbix user account, otherwise some services or user parameters may fail to work properly, or not at all.

Once migrated, you may remove the obsolete user accounts from your system.

linux-firmware >= 20250613.12fe085f-5 upgrade requires manual intervention

Jan Alexander Steffens — Sat, 21 Jun 2025 23:09:08 +0000

With 20250613.12fe085f-5, we split our firmware into several vendor-focused packages. linux-firmware is now an empty package depending on our default set of firmware.

Unfortunately, this coincided with upstream reorganizing the symlink layout of the NVIDIA firmware, resulting in a situation that Pacman cannot handle. When attempting to upgrade from 20250508.788aadc8-2 or earlier, you will see the following errors:

linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad103 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad104 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad106 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad107 exists in filesystem

To progress with the system upgrade, first remove linux-firmware, then reinstall it as part of the upgrade:

# pacman -Rdd linux-firmware
# pacman -Syu linux-firmware

Plasma 6.4.0 will need manual intervention if you are on X11

Tomaz Canabrava — Fri, 20 Jun 2025 07:08:17 +0000

On Plasma 6.4 the wayland session will be the only one installed when the users does not manually specify kwin-x11.

With the recent split of kwin into kwin-wayland and kwin-x11, users running the old X11 session needs to manually install plasma-x11-session, or they will not be able to login. Currently pacman is not able to figure out your personal setup, and it wouldn't be ok to install plasma-x11-session and kwin-x11 for every one using Plasma.