PTS2025

The pacman package manager is used by the Arch Linux distribution and its derivatives. It is written in a memory-unsafe language, runs as root, and performs complicated tasks while downloading packages over the internet.
This is the story of how in 7.0 we isolated the download steps into a separate process, running as an unprivileged user, and further restricted it using seccomp and Landlock.