PTS2025

Putting pacman in jail: a sandboxing story
2025-07-03, 11:05–11:40 (Europe/Paris), Amphitheater 122

The pacman package manager is used by the Arch Linux distribution and its derivatives. It is written in a memory-unsafe language, runs as root, and performs complicated tasks while downloading packages over the internet.
This is the story of how, in pacman 7.0, we isolated the download steps into a separate process running as an unprivileged user, and further restricted it using seccomp and Landlock.

Long-time member of the Arch Linux security team, Remi works at PowerDNS on DNSdist, an open-source DNS load-balancer.