ArchWiki - User contributions [en]

Creating packages for other distributions

2026-05-17T19:02:42Z

Lahwaacz: Undo revision 875606 by Torontal-varmegye (talk) - breaks formatting

[[Category:Package development]]
[[hu:Creating packages for other distributions]]
[[ja:他のディストリビューションのパッケージの作成]]
[[pt:Creating packages for other distributions]]
{{Related articles start}}
{{Related|Creating packages}}
{{Related articles end}}
[[Arch is the best]]. But you may still want to package for other distributions.

== General ==

* [[Virtualization]] is an obvious way, but requires maintaining additional system(s).
* Use distribution-specific packaging tools. Examples: {{Pkg|abuild}} (Alpine), {{Aur|dh-make}}, {{Pkg|dpkg}} (Debian), {{Pkg|rpm-tools}} (Fedora). Shortcuts such as [https://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ dpkg-deb] may be suited for less complex tasks.
* [[Chroot]] or [[systemd-nspawn]] to create a base system inside (yet separate from) Arch. Examples: {{Pkg|debootstrap}} (Debian), {{Pkg|dnf}} (Fedora). This has the added benefit of building in a minimal, clean environment.
* Use chroot with packaging tools in an an automated fashion. Examples: {{Aur|pbuilder-ubuntu}} (Debian).
* A different way to handle (possibly incompatible) dependencies is [http://jurjenbokma.com/ApprenticesNotes/getting_statlinked_binaries_on_debian.xhtml static linking]. Please note that most distributions frown on this practice.
* Common practice applies regardless of distribution used. For example, do [https://bbs.archlinux.org/viewtopic.php?id=67561 not build packages as root].

== Alpine ==

See [[abuild]].

== Debian ==

The [https://www.debian.org/doc/manuals/packaging-tutorial/packaging-tutorial.pdf Debian Packaging Tutorial] explains the groundwork. It describes use of the following tools:

{{Expansion|Missing tools: ''lintian'', ''reprepo'', ''cdbs'', ''svn-buildpackage'', ''javahelper''}}

* {{App|cowdancer|Copy-on-write wrapper for pbuilder|https://packages.debian.org/sid/cowdancer|{{Aur|cowdancer}}}}
* {{App|debootstrap|A tool used to create a Debian base system from scratch, without requiring the availability of dpkg or apt.|https://packages.debian.org/sid/debootstrap|{{Pkg|debootstrap}}}}
* {{App|devscripts|Scripts to make the life of a Debian Package maintainer easier|https://packages.debian.org/sid/devscripts|{{Aur|devscripts}}}}
* {{App|dh-autoreconf|Debhelper add-on to call autoreconf and clean up after the build|https://packages.debian.org/sid/dh-autoreconf|{{Aur|dh-autoreconf}}}}
* {{App|dh-make|Tool that converts source archives into Debian package source|https://packages.debian.org/sid/dh-make|{{Aur|dh-make}}}}
* {{App|[[Wikipedia:dpkg|dpkg]]|The Debian Package Manager|https://packages.debian.org/sid/dpkg|{{Pkg|dpkg}}}}
* {{App|dput|Debian package upload tool|https://packages.debian.org/sid/dput|{{Aur|dput}}}}
* {{App|git-buildpackage|Tools from Debian to integrate the package build system with Git|https://honk.sigxcpu.org/piki/projects/git-buildpackage/|{{Aur|git-buildpackage}}}}
* {{App|makedeb|Creates ''.deb'' packages through PKGBUILD files very similarly to makepkg|https://www.makedeb.org/}}
* {{App|pbuilder-ubuntu|Chroot environment for building Debian packages|https://launchpad.net/ubuntu/+source/pbuilder|{{Aur|pbuilder-ubuntu}}}}
* {{App|[[Wikipedia:Quilt_(software)|quilt]]|Manage a series of patches by keeping track of the changes each patch makes|https://savannah.nongnu.org/projects/quilt|{{Pkg|quilt}}}}
* {{App|strip-nondeterminism|Tool for stripping bits of non-deterministic information from files|https://salsa.debian.org/reproducible-builds/strip-nondeterminism|{{Pkg|strip-nondeterminism}}}}

=== Tips and tricks about Debian ===

==== Override dependency handling ====

''dpkg'' does not recognize dependencies installed by [[pacman]]. This means {{ic|dpkg-buildpackage}} will generally fail with errors such as:

dpkg-checkbuilddeps: Unmet build dependencies: build-essential:native debhelper (>= 8.0.0)
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting

To override this, use the -d flag:

$ dpkg-buildpackage -d -us -uc

You may also need to override {{ic|dh_shlibdeps}} by adding the following lines to {{ic|debian/rules}}:

override_dh_shlibdeps:
dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info

{{Note|Any run-time dependencies (and matching version numbers) should be added manually to
{{ic|debian/control}}, where {{ic|<nowiki>${shlibs:Depends}</nowiki>}} now has no meaning.}}

{{Warning|Even ''if'' you manage to successfully build a package this way, it is '''strongly recommended''' to build in a clean environment (such as chroot) to prevent any incompatibilities.}}

==== Set up a chroot ====

See the [https://wiki.ubuntu.com/PbuilderHowto Pbuilder How-To] for an introduction to ''pbuilder-ubuntu''. Using ''cowdancer'' in addition is recommended as [[wikipedia:Copy-on-write|copy-on-write]] offers a significant performance benefit.

* {{Pkg|debian-archive-keyring}}, {{Pkg|ubuntu-keyring}} and {{Aur|gnupg1}} are required.
* ''eatmydata'' is available as {{Pkg|libeatmydata}}. To prevent {{ic|LD_PRELOAD}} errors, it must be installed both inside and outside the chroot. As the paths are different in Arch and Debian, create the following symbolic links:
# ln -s /usr/lib/libeatmydata.so.1.1.1 /usr/lib/libeatmydata/libeatmydata.so
# ln -s /usr/lib/libeatmydata.so.1.1.1 /usr/lib/libeatmydata/libeatmydata.so.1
* [https://gist.github.com/erus/b4bfe014796ba17d6ec72e8b57341996#file-gistfile1-sh Sample pbuilderrc]
* To create a source package for pbuilder to handle:
$ dpkg-buildpackage -d -us -uc -S

=== See also about Debian ===

* [https://www.debian.org/doc/debian-policy/ Debian Policy]
* [https://www.debian.org/doc/manuals/maint-guide/ New Maintainers' Guide]
* [https://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/ Quilt in Debian packaging]

== Fedora ==

{{Expansion|}}

[https://docs.fedoraproject.org/en-US/package-maintainers/Packaging_Tutorial/ Fedora Packaging Tutorial]

* {{App|rpm-tools|RPM.org fork, used in major RPM distributions|http://www.rpm.org/|{{Pkg|rpm-tools}}}}
* {{App|mock|Takes Source RPMs and builds RPMs from them in a chroot|https://github.com/rpm-software-management/mock/wiki|{{Aur|mock}}}}

=== See also about Fedora ===

* [https://copr.fedoraproject.org/ Copr]

== openSUSE ==

The [https://openbuildservice.org/ Open Build Service (OBS)] is a generic system to build and distribute packages from sources in an automatic, consistent and reproducible way. It supports at least .deb, .rpm and Arch packages.

=== Creating Arch packages in OBS with OSC ===

{{Note|For building, you must upload your PKGBUILD file as well as the source files (by uploading or letting OBS download the files). OBS uses virtual machines without networking support and cannot download any file.}}

==== Creating a package ====

# Create an account in [https://build.opensuse.org/]
# [[Install]] the {{AUR|osc}} package. Upstream documentation is available [https://en.opensuse.org/openSUSE:OSC here].
# Create an example {{ic|home:foo}} project.
# Create an example {{ic|home:foo:bar}} subproject (optional, but recommended).
# Create a new {{ic|ham}} example package with {{ic|osc meta pkg -e home:foo:bar ham}}. Save the created XML then exit.
# Switch to a clean working directory then checkout the project you have just created: {{ic|osc co home:foo:bar/ham}}.
# Now cd into it: {{ic|cd home:foo:bar/ham}}.

==== Managing a package ====

Now it is time to decide how we will manage our project. There are two practical ways to do this:

# Maintain a PKGBUILD plus its helper files (such as *.install scripts) in a version control system (such as git, hg) then just make OBS track it;
# Maintain a package entirely in OBS itself.

The first version is more flexible and dynamic. To proceed:

* From your project directory, create a {{ic|_service}} file with the following contents:

{{bc|<nowiki><services>
<service name="tar_scm">
<param name="scm">git</param>
<param name="url">git://<your_repo_here></param>
<param name="versionformat">git%cd~%h</param>
<param name="versionprefix"><your_version_here></param>
<param name="filename"><name_of_your_package></param>
</service>
<service name="recompress">
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
<service name="set_version"/>
</services></nowiki>}}

Here is an example for {{AUR|gimp-git}}:

{{bc|<nowiki><services>
<service name="tar_scm">
<param name="scm">git</param>
<param name="url">git://git.gnome.org/gimp.git</param>
<param name="versionformat">git%cd~%h</param>
<param name="versionprefix">2.9.1</param>
<param name="filename">gimp-git</param>
</service>
<service name="recompress">
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
<service name="set_version"/>
</services></nowiki>}}

* Make OBS track it: {{ic|osc add _service}}
* If you have any other files to include into the repo, just proceed as before: add the files in the project directory, then make OBS track them (OBS uses subversion as its underlying SCM, so this process might already be familiar for you)
* Check-in (=upload) your files into the repo {{ic|osc ci -m "commit message (e.g. bumped package xxx to version yyy"}}.

Now, after a while, OBS will begin building your package.

==== Tips and tricks about openSUSE ====

{{Out of date|The [https://archlinux.org/news/git-migration-completed/ git migration] is done and [community] is gone.|talk=ArchWiki talk:Requests#Git migration}}

* To see the build progress of your package, cd into its working directory, then: {{ic|osc results}}.
* There are three repositories, Arch:Core, Arch:Extra and Arch:Community. [community] can be appended as a "repository path" after adding the main Arch repository to the project.

==== ca-certificates-utils package problem ====

If OBS build fails because of the ca-certificates-utils package, you can add this line to your project config (from your project page, go to Advanced -> Project Config).
Prefer: ca-certificates-utils ca-certificates

==== See also about openSUSE ====

* Example repo: [https://build.opensuse.org/package/show/home:metakcahura/cpu-x-git arch-cpu-x-git]
* [https://en.opensuse.org/openSUSE:Packaging_guidelines openSUSE packaging guidelines]
* [https://en.opensuse.org/Portal:Packaging Portal:Packaging from openSUSE wiki]

== Multi-distribution ==

=== Pacur ===

Some tools such as [https://github.com/pacur/pacur Pacur] allow building packages for multiple Linux distributions with a consistent package specification format.
The package format is very similar to [[PKGBUILD]] so it is easy to re-use an existing PKGBUILD and add a few distribution-specific variables to be able to build debian and rpm packages effortlessly.
By quickly adapting a PKGBUILD one is able to build package for Amazon Linux, Centos, Debian, Oracle Linux, Fedora and Ubuntu.

== See also ==

* [https://bbs.archlinux.org/viewtopic.php?id=175409 Arch forums (BBS) - PKGBUILD equivalents for other distros]
* [https://bbs.archlinux.org/viewtopic.php?id=182198 Arch forums (BBS) - Original discussion]

Talk:Python/Virtual environment

2026-05-17T19:01:37Z

Lahwaacz: /* Mention uv */ Reply

== running 'pip install' from virtualenv will not work if base-devel is not present ==

When running below procedure:

pacman python-virtualenv
cd /home
mkdir myvenv
virtualenv --always-copy myvenv
cd myvenv
source bin/activate
pip install numpy

I was getting following error:

RuntimeError: Broken toolchain: cannot link a simple C program

It seems gcc was missing from the system. After installing base-devel all works fine.

[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 00:39, 15 May 2015 (UTC)

== Should it mention Poetry? ==

In my experience, Poetry is superior to Pipenv in every way. And despite claims to the contrary, Pipenv has never been blessed as the "official one true way" of doing things.

[[User:Thomastc|Thomastc]] ([[User talk:Thomastc|talk]]) 09:30, 1 February 2021 (UTC)

For a long time, pipenv still got many problem. It provides a good way to specific the version of packages. But it is not the best. Just venv+pip is much better. What's more, Poetry is good enough to be mention. Someone say docker+python work well, which is not good enough to debug bug good to deploy.

[[User:Kearney|Kearney]] ([[User talk:Kearney|talk]]) 13:55, 18 August 2021 (UTC)

== Should it mention to disable pip version check? ==

Pip by default always checks for latest version and that slows down update speed. Disabling the check speeds it up since it will be installed along {{pkg|python-pip}} anyway.

pip config set global.disable-pip-version-check true

[[User:Pickfire|Pickfire]] ([[User talk:Pickfire|talk]]) 03:27, 11 February 2022 (UTC)

== Mention uv ==

Sorta "TODO". The {{Pkg|uv}} package is not mentioned here, and it is kinda strange for me. — [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 12:32, 17 May 2026 (UTC)

:uv can replace virtualenv etc. but it is not a virtual environment tool. Its primary purpose is project management. [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:01, 17 May 2026 (UTC)

Python

2026-05-17T19:00:12Z

Lahwaacz: Undo revision 875588 by Andrei Korshikov (talk) - a virtual environment is created for a specific version, it does not allow to switch to a different Python version when created

[[Category:Programming languages]]
[[de:Python]]
[[ja:Python]]
[[pt:Python]]
[[ru:Python]]
[[uk:Python]]
[[zh-hans:Python]]
{{Related articles start}}
{{Related|/Virtual environment}}
{{Related|Django}}
{{Related|List of applications/Utilities#Python IDEs}}
{{Related|List of programming languages}}
{{Related|Python package guidelines}}
{{Related|mod_wsgi}}
{{Related articles end}}

From [[Wikipedia:Python (programming language)]]:

: Python is a [[Wikipedia:High-level programming language|high-level]], [[Wikipedia:General-purpose programming language|general-purpose]] programming language that emphasizes [[Wikipedia:Computer programming#Readability of source code|code readability]], simplicity, and ease-of-writing with the use of [[Wikipedia:Off-side rule|significant indentation]]… and [[Wikipedia:Garbage collection (computer science)|garbage collection]]. Python supports multiple [[Wikipedia:Programming paradigm|programming paradigm]]s but with an emphasis on [[Wikipedia:Object-oriented programming|object-oriented programming]] and [[Wikipedia:Type system#Dynamic type checking and runtime type information|dynamic typing]].

From [https://docs.python.org/3/faq/general.html#what-is-python What is Python?]:

* it is an interpreted, interactive, object-oriented programming language;
* it incorporates modules, exceptions, dynamic typing, very high level dynamic data types, and classes;
* it supports multiple programming paradigms beyond object-oriented programming, such as procedural and functional programming;
* it combines remarkable power with very clear syntax;
* it has interfaces to many system calls and libraries, as well as to various window systems, and is extensible in C or C++;
* it is also usable as an extension language for applications that need a programmable interface;
* it is portable—it runs on many Unix variants including Linux and macOS, and on Windows.

== Installation ==

[[Install]] the {{Pkg|python}} package.

=== Other versions ===

Previous and future versions of Python are available via the [[Arch User Repository]] (AUR). These are useful for applications or projects that require specific versions, or just for curiosity. See [https://devguide.python.org/versions/ Status of Python versions] and [https://devguide.python.org/versions/#status-key Status key] for more information.

'''Feature''' (can accept new features) and '''prerelease''' (no new features can go in):

* Python 3.15: {{AUR|python315}} (feature)

'''Bugfix''' (also called '''maintenance''' or '''stable'''):

* Python 3.14: {{AUR|python314-freethreaded}} ([https://docs.python.org/3/howto/free-threading-python.html free-threaded]—with [https://wiki.python.org/moin/GlobalInterpreterLock Global Interpreter Lock], or GIL, disabled)
* Python 3.13: {{AUR|python313}}
* Python 3.13: {{AUR|python313-freethreaded}} (free-threaded)

'''Security''' (accept security fixes only):

* Python 3.12: {{AUR|python312}}
* Python 3.11: {{AUR|python311}}
* Python 3.10: {{AUR|python310}}

[https://endoflife.date/python End-of-life] (unmaintained):

* Python 3.9: {{AUR|python39}} — [https://peps.python.org/pep-0596/ PEP 596]
* Python 3.8: {{AUR|python38}} — [https://peps.python.org/pep-0569/ PEP 569]
* Python 3.7: {{AUR|python37}} — [https://peps.python.org/pep-0537/ PEP 537]
* Python 3.6: {{AUR|python36}} — [https://peps.python.org/pep-0494/ PEP 494]
* Python 2.7: {{AUR|python2}} — [https://www.python.org/doc/sunset-python-2/ Sunsetting Python 2]

Each of these packages installs a distinct binary named after the version number, e.g. ''python3.13'' for Python 3.13, allowing multiple versions to coexist on a system. You can also use {{man|1|pyenv}} or {{Pkg|uv}} to easily install and switch between multiple versions of Python.

Extra modules and libraries for old versions of Python may be found in the AUR by searching for {{ic|python<''version without period''>}}, e.g. searching for {{ic|python310}} for Python 3.10 modules.

You can also download the source for any release on the https://www.python.org/downloads/ page.

=== Alternative implementations ===

The {{Pkg|python}} package installs [https://github.com/python/cpython CPython], the [[Wikipedia:Python (programming language)#Reference implementation|reference implementation]] of Python. However, there are also [[Wikipedia:Python (programming language)#Other implementations|other implementations]] available. These implementations are usually based on older versions of Python and are not fully compatible with CPython.

Implementations available on Arch Linux include:

* {{App|IronPython|An implementation of the Python programming language which is tightly integrated with [[.NET]]. It can use .NET libraries and allows .NET programs to use Python libraries.|https://ironpython.net|{{AUR|ironpython2}}, {{AUR|ironpython3}}}}
* {{App|Jython|An implementation of the Python language written in Java. It can be used to embed Python scripting into Java programs or use Java libraries in Python programs.|https://www.jython.org/|{{Pkg|jython}}}}
* {{App|micropython|Python for microcontrollers. It includes a small subset of the Python standard library and is optimized to run on microcontrollers and in constrained environments.|https://micropython.org/|{{AUR|micropython}}}}
* {{App|[[PyPy]]| A Python implementation written in Python. It has speed and memory usage advantages compared to CPython.|https://www.pypy.org|{{Pkg|pypy}}, {{Pkg|pypy3}}}}

=== Alternative shells ===

The {{Pkg|python}} package includes an interactive [https://realpython.com/python-repl/ Python shell] ([[Wikipedia:Read–eval–print loop|REPL]]) which can be launched with the {{ic|python}} command. The following shells are also available:

* {{App|bpython|A fancy interface for the Python interpreter.|https://bpython-interpreter.org/|{{Pkg|bpython}}}}
* {{App|IPython|A powerful interactive Python shell.|https://ipython.org/|{{Pkg|ipython}}}}
* {{App|[[Jupyter]]|A web-based computation application powered by IPython.|https://jupyter.org/|{{Pkg|jupyterlab}}, {{Pkg|jupyter-notebook}}}}
* {{App|ptpython|An advanced Python REPL built with [https://github.com/prompt-toolkit/python-prompt-toolkit prompt-toolkit].|https://github.com/prompt-toolkit/ptpython|{{aur|ptpython}}}}

== Package management ==

There are several ways to install Python packages on Arch Linux.

=== Arch repositories ===

A large number of popular packages are available in the [[official repositories]] and [[AUR]]. This is [[System maintenance#Use the package manager to install software|the preferred way]] to install system-wide packages, and the only method officially supported on Arch Linux.

=== Third-party packages ===

Developers working with Python may need to use packages or package versions not available in the Arch repositories. The recommended practice is to use a separate [[#Virtual environment|virtual environment]] to isolate each project, preventing conflicts with system packages in {{ic|/usr}}. Various tools are available to install packages within a virtual environment:

* {{App|{{man|1|pip}}|The official package installer for Python.|https://pip.pypa.io/|{{Pkg|python-pip}}}}
* {{App|pipx|A specialized package installer that can only be used to install packages with CLI entrypoints (but not library packages).|https://pipx.pypa.io|{{Pkg|python-pipx}}}}
* {{App|Poetry|Python dependency management and packaging made easy. Poetry is a single tool to develop, build, publish, and track dependencies for Python projects.|https://python-poetry.org/|{{Pkg|python-poetry}}}}
* {{App|Conda|Conda provides package, dependency, and environment management for any language. Conda was originally created for Python, and is popular for scientific computing, data science and machine learning. Conda is the package manager of the [https://github.com/conda-forge/miniforge miniforge] community distribution and the [https://repo.anaconda.com/ Anaconda] and [https://docs.anaconda.com/miniconda/ Miniconda] distributions.|https://docs.conda.io|{{AUR|python-conda}}}}
* {{App|uv|An extremely fast Python package installer and resolver, written in Rust. A single tool to replace ''pip'', pip-tools, ''pipx'', ''poetry'', ''pyenv'', ''twine'', ''virtualenv'', and more.|https://docs.astral.sh/uv/|{{Pkg|uv}}}}

''pip'', ''pipx'', ''poetry'' and ''uv'' install packages from the [https://pypi.org/ Python Package Index] and other indexes. Conda and Miniconda use the [https://repo.anaconda.com/ Anaconda repositories].

As an alternative to virtual environments, {{ic|pip install --user}} can be used to install packages into the [https://pip.pypa.io/en/latest/user_guide/#user-installs user scheme] instead of {{ic|/usr}}. This separates packages per-user rather than per-project. Virtual environments are usually the better choice.

See the [https://packaging.python.org/ Python Packaging User Guide] for the official best practices for package management.

{{Note|There are also tools integrating ''pip'' with ''pacman'' by automatically generating PKGBUILDs for specified PyPI packages: see [[Creating packages#PKGBUILD generators]].}}

{{Tip|[https://pipenv.pypa.io pipenv] provides a single CLI for [https://github.com/pypa/pipfile Pipfile], ''pip'' and [[virtualenv]]. It is available as {{Pkg|python-pipenv}}.}}

=== Historical notes ===

Historically, ''easy_install'' (part of {{Pkg|python-setuptools}}) was used to install packages distributed as [https://packaging.python.org/glossary/#term-Egg Eggs]. ''easy_install'' and Eggs have been replaced with ''pip'' and [https://packaging.python.org/glossary/#term-Wheel Wheels]. See [https://packaging.python.org/en/latest/discussions/pip-vs-easy-install/ pip vs easy_install] and [https://packaging.python.org/en/latest/discussions/package-formats/ Package Formats] for more information.

Previous versions of ''pip'' could install third-party packages system-wide, but this caused a number of problems outlined in [https://peps.python.org/pep-0668/ PEP668]. The system-wide environment is now marked as an [https://packaging.python.org/en/latest/specifications/externally-managed-environments/ externally managed environment], and ''pip'' no longer allows system-wide installation.

== Widget bindings ==

The following [[Wikipedia:Widget toolkit|widget toolkit]] bindings are available:

* {{App|Tkinter|The standard Python interface to the [https://www.tcl.tk/ Tk] GUI toolkit.|https://docs.python.org/3/library/tkinter.html|{{Pkg|python}}}}
* {{App|Qt for Python (PySide2)|The official Python bindings for [[Qt]]5.|https://www.qt.io/qt-for-python|{{AUR|pyside2}}, {{AUR|pyside2-tools}}}}
* {{App|Qt for Python (PySide6)|The official Python bindings for [[Qt]]6.|https://www.qt.io/qt-for-python|{{Pkg|pyside6}}, {{Pkg|pyside6-tools}}}}
* {{App|pyQt|A set of Python bindings for Qt.|https://riverbankcomputing.com/software/pyqt/intro|{{Pkg|python-pyqt5}}, {{Pkg|python-pyqt6}}}}
* {{App|PyGObject|Python bindings for GObject based libraries such as [[GTK]], [[GStreamer]], WebKitGTK, GLib, and GIO.|https://pygobject.readthedocs.io/|{{Pkg|python-gobject}}}}
* {{App|wxPython|A cross-platform GUI toolkit for Python which wraps [https://www.wxwidgets.org/ wxWidgets].|https://wxpython.org/|{{Pkg|python-wxpython}}}}

To use these with Python, you may also need to install the associated widget toolkit packages (e.g. {{Pkg|tk}} must also be installed to use Tkinter).

== Tips and tricks ==

=== Virtual environment ===

Python provides tools to create isolated ''virtual environments'' into which packages may be installed without conflicting with other virtual environments or the system packages. Virtual environments can also run applications with different versions of Python on the same system.

See [[Python/Virtual environment]] for details.

=== Tab completion in Python shell ===

[https://docs.python.org/3/tutorial/interactive.html Tab completion] is available in the interactive shell by default. Note that the readline completer will only complete names in the global namespace. You can use {{Pkg|python-jedi}} for a richer tab completion experience [https://jedi.readthedocs.io/en/latest/docs/usage.html#tab-completion-in-the-python-shell].

=== List packages built for a specific Python version ===

Sometimes it is useful to know which installed packages were built for a specific version of Python. For example,

$ pacman -Qoq /usr/lib/python3.12

will list all those built for Python version 3.12. This is especially useful when the official Python version is updated and one wants to get a list of packages from the [[AUR]] that need rebuilding because they were built for a possibly no longer installed Python version, see [[#Module not found after Python version update]].

== Troubleshooting ==

=== Module not found after Python version update ===

A Python-based application might output {{ic|No module named ''module_name''}} for an installed dependency named {{ic|''module_name''}} after having upgraded the {{Pkg|python}} package to a new minor version (e.g. from version 3.10 to 3.11).

The above scenario happens when a dependency is not available for that Python version or not installed at all. Python packages are installed in a versioned site-packages directory ({{ic|/usr/lib/python''X.Y''/site-packages}} if system-wide, or {{ic|~/.local/lib/python''X.Y''/site-packages/}} if per-user, where {{ic|''X.Y''}} is a version like "3.11"). So whenever there is a new minor version upgrade, the Python-based package built with previous Python version must be rebuilt against the new one in order to be properly used.

Please notice it is the user's responsibility to rebuild non-official packages, including Python-based packages installed from AUR. See [[AUR#Updating packages]] and [[FAQ#What if I run a full system upgrade and there will be an update for a shared library, but not for the applications that depend on it?]]

== See also ==

=== Official ===

* [https://docs.python.org/ Official Python documentation] (Can be installed with the {{Pkg|python-docs}} package for offline access.)
* [https://docs.python.org/3/tutorial/index.html Official Python tutorial]

=== Third-Party ===

* [https://automatetheboringstuff.com/ Automate the Boring Stuff with Python] - Creative Commons book
* [https://github.com/vinta/awesome-python Awesome Python] - A curated list of Python resources
* [https://python.swaroopch.com/ A Byte of Python] - Creative Commons book
* [https://inventwithpython.com/cracking/ Cracking Codes With Python] - Free online book
* [https://stephensugden.com/crash_into_python/ Crash into Python] - Free tutorial
* [https://realpython.com/python-debugging-pdb/ Python Debugging With Pdb] - Guide to using {{ic|pdb}}, the Python debugger
* [https://diveintopython3.net/ Dive Into Python] - Creative Commons book
* [https://www.oreilly.com/library/view/fluent-python-2nd/9781492056348/ Fluent Python] - Commercial book
* [https://www.oreilly.com/library/view/introducing-python-2nd/9781492051374/ Introducing Python] - Commercial book
* [https://inventwithpython.com/invent4thed/ Invent Your Own Computer Games with Python] - Free online book
* [https://learnpython.org/ Learn Python] - Free interactive tutorial
* [https://learnpythonthehardway.org/ Learn Python the Hard Way] - Commercial book
* [https://pythonspot.com Pythonspot Python Tutorials] - Free online tutorials
* [https://greenteapress.com/wp/think-python-2e// Think Python] - Creative Commons book

NetworkManager

2026-05-17T18:58:00Z

Lahwaacz: /* dnsmasq */ style

[[Category:Network managers]]
[[Category:DHCP]]
[[ar:Networkmanager]]
[[de:Networkmanager]]
[[fr:NetworkManager]]
[[hu:NetworkManager]]
[[ja:NetworkManager]]
[[pt:NetworkManager]]
[[ru:NetworkManager]]
[[zh-hans:NetworkManager]]
{{Related articles start}}
{{Related|Network configuration}}
{{Related|Wireless network configuration}}
{{Related articles end}}

[[Wikipedia:NetworkManager|NetworkManager]] is a program for providing detection and configuration for systems to automatically connect to networks.

[https://networkmanager.dev/ NetworkManager] can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch from online and offline mode.

NetworkManager also prefers wired connections over wireless ones, has support for modem connections and certain types of VPN.

{{Warning|By default, secrets—e.g. Wi-Fi passwords—are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. via [[#nm-applet]]). For more information, see [[#Encrypted network keyphrases]].}}

== Installation ==

NetworkManager can be [[install]]ed with the package {{Pkg|networkmanager}}, which contains a daemon, a command line interface (''nmcli'') and a curses‐based interface (''nmtui'').

=== Enable NetworkManager ===

After installation, you should [[start/enable]] {{ic|NetworkManager.service}}. Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need ''nmcli'' or an applet to configure and connect.

{{Note|
* Each network interface should be managed by only one [[Network configuration#Network managers|DHCP client or network manager]], so it is advised to run only one DHCP client or network manager on the system. Find a list of the currently running services with {{ic|1=systemctl --type=service}} and then [[stop]] or reconfigure those that conflict.
* If [[systemd-resolved]] is not [[started]], an error message will start flooding your logs. See [[#Unit dbus-org.freedesktop.resolve1.service not found]] for more info.
}}

=== Additional interfaces ===

* {{Pkg|nm-connection-editor}} for a graphical user interface,
* {{Pkg|network-manager-applet}} for a system tray applet (see the [[#nm-applet]] section).

=== Mobile broadband support ===

NetworkManager uses [[ModemManager]] for mobile broadband connection support.

[[Install]] {{Pkg|modemmanager}} and {{Pkg|usb_modeswitch}}. Afterwards [[enable]] and [[start]] {{ic|ModemManager.service}}.

It may be necessary to [[restart]] {{ic|NetworkManager.service}} for it to detect ModemManager. After you restart it, re-plug the modem again and it should be recognized.

Add connections from a front-end (e.g. {{Pkg|nm-connection-editor}}) and select mobile broadband as the connection type. After selecting your ISP and billing plan, [[Wikipedia:Access Point Name|APN]] and other settings should be filled in automatically using information from {{Pkg|mobile-broadband-provider-info}}.

=== PPPoE / DSL support ===

[[Install]] {{Pkg|ppp}} package for PPPoE / DSL connection support. To actually add PPPoE connection, use {{ic|1=nm-connection-editor}} and add new DSL/PPPoE connection.

=== VPN support ===

NetworkManager since version 1.16 has native support for [[WireGuard]], all it needs is the {{ic|wireguard}} kernel module. Read the [https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/ WireGuard in NetworkManager blog post] for details.

Support for other VPN types is based on a plug-in system. They are provided in the following packages:

* {{Pkg|networkmanager-openconnect}} for [[OpenConnect]]
* {{Pkg|networkmanager-openvpn}} for [[OpenVPN]]
* {{Pkg|networkmanager-pptp}} for [[PPTP Client]]
* {{Pkg|networkmanager-strongswan}} for [[strongSwan]]
* {{Pkg|networkmanager-vpnc}}
* {{AUR|networkmanager-fortisslvpn}}
* {{AUR|networkmanager-iodine-git}}
* {{AUR|networkmanager-libreswan}}
* {{Pkg|networkmanager-l2tp}}
* {{AUR|networkmanager-ssh}}
* {{Pkg|network-manager-sstp}}

{{Warning|1=There are a lot of [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues?search=VPN&state=opened bugs] related to VPN support. Check the daemon processes options set via the GUI correctly and double-check with each package release.}}

{{Note|
* To have fully functioning DNS resolution when using VPN, you should set up [[#DNS caching and conditional forwarding|conditional forwarding]].
* These plug-ins may not have a documented command line interface, or may not work at all without an applet running. This is not an issue if you are using a regular desktop environment; if you are not, you should run [[#nm-applet]] while configuring or activating the connection so that you get the necessary dialogues. [https://bbs.archlinux.org/viewtopic.php?id{{=}}246698]
}}

== Usage ==

NetworkManager comes with {{man|1|nmcli}} and {{man|1|nmtui}}.

=== nmcli examples ===

List nearby Wi-Fi networks:

$ nmcli device wifi list

Connect to a Wi-Fi network:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password''

Connect to a hidden Wi-Fi network:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password'' hidden yes

Connect to a Wi-Fi on the {{ic|wlan1}} interface:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password'' ifname wlan1 ''profile_name''

Disconnect an interface:

$ nmcli device disconnect ifname eth0

Get a list of connections with their names, UUIDs, types and backing devices:

$ nmcli connection show

Activate a connection (i.e. connect to a network with an existing profile):

$ nmcli connection up ''name_or_uuid''

Delete a connection:

$ nmcli connection delete ''name_or_uuid''

See a list of network devices and their state:

$ nmcli device

Turn off Wi-Fi:

$ nmcli radio wifi off

=== Edit a connection ===

For a comprehensive list of settings, see {{man|5|nm-settings}}.

Firstly, you need to get a list of connections:

{{hc|$ nmcli connection|<nowiki>
NAME UUID TYPE DEVICE
Wired connection 2 e7054040-a421-3bef-965d-bb7d60b7cecf ethernet enp5s0
Wired connection 1 997f2782-f0fc-301d-bfba-15421a2735d8 ethernet enp0s25
MY-HOME-WIFI-5G 92a0f7b3-2eba-49ab-a899-24d83978f308 wifi --
</nowiki>}}

Here you can use the first column as connection-id used later. In this example, we pick {{ic|Wired connection 2}} as a connection-id.

You have three methods to configure a connection {{ic|Wired connection 2}} after it has been created:

; nmcli interactive editor
: {{ic|nmcli connection edit 'Wired connection 2'}}. Usage is well documented from the editor.

; nmcli command line interface
: {{ic|nmcli connection modify 'Wired connection 2' ''setting''.''property'' ''value''}}. See {{man|1|nmcli}} for usage. For example, you can change its IPv4 route metric to 200 using {{ic|nmcli connection modify 'Wired connection 2' ipv4.route-metric 200}} command.
To remove a setting, pass an empty field ("") to it like this:
: {{ic|nmcli connection modify 'Wired connection 2' ''setting''.''property'' ""}}

; Connection file
: In {{ic|/etc/NetworkManager/system-connections/}}, modify the corresponding {{ic|Wired connection 2.nmconnection}} file . Do not forget to reload the configuration file with {{ic|nmcli connection reload}}.

=== nmtui ===

NetworkManager ships a text user interface (TUI) for managing connections, the system hostname and radio switches. It can be launched by running {{ic|nmtui}}.

== Front-ends ==

To provide integration with a [[desktop environment]], most users will want to install an applet. This not only provides easy access to network selection and configuration, but also provides the agent necessary for securely storing secrets. Various desktop environments have their own applet; otherwise, you can use [[#nm-applet]].

=== GNOME ===

[[GNOME]] has a built-in tool, accessible from the Network settings.

=== KDE Plasma ===

[[Install]] the {{Pkg|plasma-nm}} package. After that, add it to the KDE taskbar via the ''Panel options > Add widgets > Networks'' menu.

=== nm-applet ===

{{Pkg|network-manager-applet}} is a GTK 3 front-end which works under Xorg environments with a systray.

To store connection secrets install and configure an application which implements the [https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service D-Bus API] such as [[GNOME/Keyring]], [[KDE Wallet]], or [[KeePassXC]].

Be aware that after enabling the tick-box option {{ic|Make available to other users}} for a connection, NetworkManager stores the password in plain-text, though the respective file is accessible only to root (or other users via {{ic|nm-applet}}). See [[#Encrypted network keyphrases]].

In order to run {{ic|nm-applet}} without a systray, you can use {{AUR|trayer}} or {{Pkg|stalonetray}}. For example, you can add a script like this one in your path:

{{hc|nmgui|<nowiki>
#!/bin/sh
nm-applet 2>&1 > /dev/null &
stalonetray 2>&1 > /dev/null
killall nm-applet
</nowiki>}}

When you close the ''stalonetray'' window, it closes {{ic|nm-applet}} too, so no extra memory is used once you are done with network settings.

The applet can show notifications for events such as connecting to or disconnecting from a Wi-Fi network. For these notifications to display, ensure that you have a notification server installed - see [[Desktop notifications]]. If you use the applet without a notification server, you might see some messages in stdout/stderr, and the applet might hang. See [https://bugzilla.gnome.org/show_bug.cgi?id=788313].

In order to run {{ic|nm-applet}} with such notifications disabled, start the applet with the following command:

$ nm-applet --no-agent

{{Tip|{{ic|nm-applet}} might be started automatically with a [[XDG Autostart|autostart desktop file]], to add the {{ic|--no-agent}} option modify the Exec line there, i.e.

{{bc|1=Exec=nm-applet --no-agent}}

}}

{{Warning|On [[i3]], if nm-applet is started with the {{ic|--no-agent}} option, it is not possible to connect to a new encrypted Wi-Fi network by clicking on the item list because no password input dialogue window will pop out. [[journal]] will show {{ic|no secrets: No agents were available for this request}}.}}

==== Appindicator ====

As of version 1.18.0 Appindicator support is [https://gitlab.archlinux.org/archlinux/packaging/packages/network-manager-applet/-/commit/527448fb2a87d85055f504f463dfe961dccd75c3 available] in the official {{Pkg|network-manager-applet}} package. To use nm-applet in an Appindicator environment start the applet with the following command:

$ nm-applet --indicator

=== networkmanager-dmenu ===

Alternatively there is {{Pkg|networkmanager-dmenu}} which is a small script to manage NetworkManager connections with [[dmenu]] or [[rofi]] instead of {{ic|nm-applet}}. It provides all essential features such as connection to existing NetworkManager Wi-Fi or wired connections, connect to new Wi-Fi connections, requests passphrase if required, connect to existing VPN connections, enable/disable networking, launch ''nm-connection-editor'' GUI, connect to Bluetooth networks.

=== switchboard ===

Pantheon's {{Pkg|switchboard}} offers a desktop environment-agnostic way to configure NetworkManager when combined with {{Pkg|switchboard-plug-network}} and {{Pkg|nm-connection-editor}}. It can be ran with the following command:

$ io.elementary.settings

== Configuration ==

NetworkManager may require some additional steps to be able run properly. Make sure you have configured {{ic|/etc/hosts}} as described in [[Network configuration#Set the hostname]] section.

NetworkManager has a global configuration file at {{ic|/etc/NetworkManager/NetworkManager.conf}}. Additional configuration files can be placed in {{ic|/etc/NetworkManager/conf.d/}}. Usually no configuration needs to be done to the global defaults.

After editing a configuration file, the changes can be applied by running:

# nmcli general reload

=== NetworkManager-wait-online ===

Enabling {{ic|NetworkManager.service}} also enables {{ic|NetworkManager-wait-online.service}}, which is a oneshot system service that waits for the network to be configured. The latter has {{ic|1=WantedBy=network-online.target}}, so it will finish only when {{ic|network-online.target}} itself is enabled or pulled in by some other unit. See also [[systemd#Running services after the network is up]].

By default, {{ic|NetworkManager-wait-online.service}} waits for NetworkManager startup to complete, rather than waiting for network connectivity specifically (see {{man|1|nm-online}}). If {{ic|NetworkManager-wait-online.service}} finishes before the network is really up, resulting in failed services on boot, [[extend the unit]] to remove the {{ic|-s}} from the {{ic|ExecStart}} line:

[Service]
ExecStart=
ExecStart=/usr/bin/nm-online -q

Be aware that this can cause [https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/EGC324JD3HJCGVN7J55WYPRLFDA3TP7N/ other issues].

In some cases, the service will still fail to start successfully on boot due to the timeout setting being too short. [[Edit]] the service to change {{ic|NM_ONLINE_TIMEOUT}} from {{ic|60}} to a higher value.

=== Set up PolicyKit permissions ===

By default, all users in active local sessions are allowed to change most network settings without a password. See [[General troubleshooting#Session permissions]] to check your session type. In most cases, everything should work out of the box.

Some actions (such as changing the system hostname) require an administrator password. In this case, you need to [[Users and groups#Group management|add]] yourself to the {{ic|wheel}} group and run a [[Polkit#Authentication agents|Polkit authentication agent]] which will prompt for your password.

For remote sessions (e.g. [[TigerVNC#Running vncserver for virtual (headless) sessions|headless VNC]]), you have several options for obtaining the necessary privileges to use NetworkManager:

# [[Users and groups#Group management|Add]] yourself to the {{ic|wheel}} group. You will have to enter your password for every action. Note that your user account may be granted other permissions as well, such as the ability to use [[sudo]] without entering the root password.
# [[Users and groups#Group management|Add]] yourself to the {{ic|network}} group and create {{ic|/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules}} with the following content: {{bc|<nowiki>
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
return polkit.Result.YES;
}
});
</nowiki>}} All users in the {{ic|network}} group will be able to add and remove networks without a password (which means you do not have to run a Polkit authentication agent, so this option will also work in SSH sessions).

=== Proxy settings ===

NetworkManager does support some proxy settings. While they can not be directly modified using ''nmtui'', ''nm-applet'' and ''nmcli'' support those.
See the proxy settings in {{man|5|nm-settings-nmcli}}.

Additionally, custom proxy commands can always be run using dispatcher scripts, see [[#Dispatcher examples]].

See also [[Proxy settings]].

=== Checking connectivity ===

NetworkManager can try to reach a webserver after connecting to a network in order to determine if it is e.g behind a captive portal. The default host (configured in {{ic|/usr/lib/NetworkManager/conf.d/20-connectivity.conf}}) is [https://ping.archlinux.org ping.archlinux.org] (a CNAME alias of redirect.archlinux.org). To use a different webserver or to disable connectivity checking, create {{ic|/etc/NetworkManager/conf.d/20-connectivity.conf}}, see {{man|5|NetworkManager.conf|CONNECTIVITY SECTION}}. Below is an example of using GNOME servers (it does not require the use of [[GNOME]]):

{{hc|/etc/NetworkManager/conf.d/20-connectivity.conf|<nowiki>
[connectivity]
uri=http://nmcheck.gnome.org/check_network_status.txt
</nowiki>}}

To disable NetworkManager's connectivity check, use the following configuration. This can be useful when connected to a VPN that blocks connectivity checks.

{{hc|/etc/NetworkManager/conf.d/20-connectivity.conf|<nowiki>
[connectivity]
enabled=false
</nowiki>}}

{{Note|Although automatic connectivity checks are a potential privacy leak, Arch Linux's default connectivity URL is committed to not logging any access. See [https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/fabccd0f61e5dea3925e8a0c6a46d56d5750c121#a4f34381bbb18ea77bfb3dd11a8aeca707078fca_0_26] [https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/ping/templates/nginx.d.conf.j2].}}

=== Captive portals ===

{{Style|Complex scripts should not be maintained on the wiki.}}

For those behind a [[Wikipedia:Captive portal|captive portal]], the desktop manager may automatically open a window asking for credentials. If your desktop does not, you can use {{Pkg|capnet-assist}} package (however, it currently has a broken NetworkManager dispatcher script). Alternatively, you can create a NetworkManager dispatcher script with the following content:

{{hc|/etc/NetworkManager/dispatcher.d/90-open_captive_portal|<nowiki>
#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs shows a login webpage on walled garden networks.
# See NetworkManager(8) for further documentation of the dispatcher events.

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

if [ -x "/usr/bin/logger" ]; then
logger="/usr/bin/logger -s -t captive-portal"
else
logger=":"
fi

wait_for_process() {
PNAME=$1
while [ -z "$(/usr/bin/pgrep $PNAME)" ]; do
sleep 3;
done
}

#launch the browser, but on boot we need to wait that nm-applet starts
start_browser() {
local user="$1"
local display="$2"

export DISPLAY="$display"
wait_for_process nm-applet

export XAUTHORITY="/home/$user/.Xauthority"

$logger "Running browser as '$user' with display '$display' to login in captive portal"
sudo -u "$user" --preserve-env=DISPLAY,XAUTHORITY -H xdg-open http://capnet.elementary.io 2>&1 > /dev/null
}

# Run the right scripts
case "$2" in
connectivity-change)
$logger -p user.debug "dispatcher script triggered on connectivity change: $CONNECTIVITY_STATE"
if [ "$CONNECTIVITY_STATE" = "PORTAL" ]; then
# Match last column of who's output with ' :[at least one digit] '
who | awk '$NF ~ /$:[0-9]+$/ { print $1 " " substr($NF, 2, length($NF)-2) };' | \
while read user display; do
start_browser $user $display || $logger -p user.err "Failed for user: '$user' display: '$display'"
done
fi
;;
*)
# In a down phase
exit 0
;;
esac
</nowiki>}}

Make the script [[executable]]. But that script assumes you use X and simply opens http page. It might not work for everyone.

You will need to [[restart]] {{ic|NetworkManager.service}} or reboot for this to start working. Once you do, the dispatcher script should open a login window once it detects you are behind a captive portal.

Simple solution is [https://github.com/Seme4eg/captive-portal-sh captive-portal-sh] - shell script that obtains captive portal URL and opens it in your default browser (for Wayland users only).

Another solution is {{AUR|captive-browser-git}} based on Google Chrome.

==== iwd support for captive portal support on legacy hardware ====

Some older Wi-Fi chips (e.g. Broadcom BCM4360) require the proprietary {{ic|wl}} driver, which lacks support for the OWE/Elliptic-Curve handshake that many captive-portal hotspots use before presenting a login page. By switching NetworkManager’s Wi-Fi backend to {{ic|iwd}} (see [[#Using iwd as the Wi-Fi backend]]), which implements the full OWE key exchange in userspace over the existing driver, you can complete the encrypted association, obtain a DHCP lease, and trigger the portal “PORTAL” state. Once that is done, any dispatcher script or browser-launcher will reliably pop up the login page on hardware that otherwise could never fully connect.

=== DHCP client ===

By default NetworkManager uses its internal DHCP client. The internal DHCPv4 plugin is based on the [https://nettools.github.io/n-dhcp4/ nettools' n-dhcp4] library, while the internal DHCPv6 plugin is made from code based on systemd-networkd.

To use a different DHCP client [[install]] one of the alternatives:

* {{Pkg|dhcpcd}} - [[dhcpcd]]
* {{Pkg|dhclient}} - [[dhclient]]

To change the DHCP client backend, set the option {{ic|1=main.dhcp=''dhcp_client_name''}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}. E.g.:

{{hc|1=/etc/NetworkManager/conf.d/dhcp-client.conf|2=
[main]
dhcp=dhcpcd
}}

{{Note|
Do not enable the systemd units shipped with the {{Pkg|dhclient}} and {{Pkg|dhcpcd}} packages. They will conflict with NetworkManager, see the note in [[#Installation]] for details.
}}

=== DNS management ===

NetworkManager's DNS management is described in the GNOME project's wiki page—[https://wiki.gnome.org/Projects/NetworkManager/DNS Projects/NetworkManager/DNS].

==== DNS caching and conditional forwarding ====

NetworkManager has a plugin to enable DNS caching and conditional forwarding ([https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/143 previously] called "split DNS" in NetworkManager's documentation) using [[dnsmasq]] or [[systemd-resolved]]. The advantages of this setup is that DNS lookups will be cached, shortening resolve times, and DNS lookups of VPN hosts will be routed to the relevant VPN's DNS servers. This is especially useful if you are connected to more than one VPN.

{{Note|If {{ic|/etc/resolv.conf}} is a symlink to {{ic|/run/systemd/resolve/stub-resolv.conf}}, {{ic|/run/systemd/resolve/resolv.conf}},{{ic|/lib/systemd/resolv.conf}} or {{ic|/usr/lib/systemd/resolv.conf}}, NetworkManager will choose systemd-resolved automatically. To use dnsmasq, you must first remove that symlink, then restart NetworkManager.}}

===== dnsmasq =====

Make sure {{Pkg|dnsmasq}} has been installed. Then set {{ic|1=main.dns=dnsmasq}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=dnsmasq
}}

Now run {{ic|nmcli general reload}} as root. NetworkManager will automatically start dnsmasq and add {{ic|127.0.0.1}} to {{ic|/etc/resolv.conf}}. The original DNS servers can be found in {{ic|/run/NetworkManager/no-stub-resolv.conf}}. You can verify dnsmasq is being used by doing the same DNS lookup twice with {{ic|drill example.com}} and verifying the server and query times.

{{Note|
* You do not need to start {{ic|dnsmasq.service}} or edit {{ic|/etc/dnsmasq.conf}}. NetworkManager will start dnsmasq without using the systemd service and without reading the dnsmasq's default configuration file(s).
* The dnsmasq instance started by NetworkManager will bind to {{ic|127.0.0.1:53}}, you cannot run any other software (including {{ic|dnsmasq.service}}) on the same address and port.
}}

{{Tip|To clear the DNS cache, [[restart]] {{ic|NetworkManager.service}}.}}

====== Custom dnsmasq configuration ======

Custom configurations can be created for ''dnsmasq'' by creating configuration files in {{ic|/etc/NetworkManager/dnsmasq.d/}}. For example, to change the size of the DNS cache (which is stored in RAM):

{{hc|/etc/NetworkManager/dnsmasq.d/cache.conf|2=
cache-size=1000
}}

You can check the configuration file syntax with:

$ dnsmasq --test --conf-file=/dev/null --conf-dir=/etc/NetworkManager/dnsmasq.d

See {{man|8|dnsmasq}} for all available options.

====== IPv6 ======

{{Accuracy|This does not solve the issue because NetworkManager does not add {{ic|::1}} to {{ic|/etc/resolv.conf}}. Unless {{ic|@::1}} is manually passed to drill, it will still fail with {{ic|Error: error sending query: No (valid) nameservers defined in the resolver}}.}}

Enabling {{ic|dnsmasq}} in NetworkManager may break IPv6-only DNS lookups (i.e. {{ic|drill -6 [hostname]}}) which would otherwise work. In order to resolve this, creating the following file will configure ''dnsmasq'' to also listen to the IPv6 loopback:

{{hc|/etc/NetworkManager/dnsmasq.d/ipv6-listen.conf|2=
listen-address=::1
}}

In addition, {{ic|dnsmasq}} also does not prioritize upstream IPv6 DNS. Unfortunately NetworkManager does not do this ([https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/936712 Ubuntu Bug]). A workaround would be to disable IPv4 DNS in the NetworkManager config, assuming one exists.

====== DNSSEC ======

The dnsmasq instance started by NetworkManager by default will not validate [[DNSSEC]]. To enable DNSSEC validation, thus breaking DNS resolution with name servers that do not support it, create the following configuration file:

{{hc|/etc/NetworkManager/dnsmasq.d/dnssec.conf|2=
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
}}

===== systemd-resolved =====

{{Expansion|NetworkManager 1.16 adds a new setting {{ic|main.systemd-resolved}}[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/d4eb4cb45f41b1751cacf71da558bf8f0988f383] (enabled by default). It unconditionally sends DNS configuration to systemd-resolved. Related to "Preserving resolv.conf" from [[systemd-resolved#DNS]]?}}

NetworkManager can use [[systemd-resolved]] as a DNS resolver and cache. Make sure that ''systemd-resolved'' is properly configured and that {{ic|systemd-resolved.service}} is [[started]] before using it.

systemd-resolved will be used automatically if {{ic|/etc/resolv.conf}} is a [[systemd-resolved#DNS|symlink]] to {{ic|/run/systemd/resolve/stub-resolv.conf}}, {{ic|/run/systemd/resolve/resolv.conf}} or {{ic|/usr/lib/systemd/resolv.conf}}.

You can enable it explicitly by setting {{ic|1=main.dns=systemd-resolved}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=systemd-resolved
}}

===== DNS resolver with an openresolv subscriber =====

If [[openresolv]] has a subscriber for your local [[DNS resolver]], set up the subscriber and [[#Use openresolv|configure NetworkManager to use openresolv]].

Because NetworkManager advertises a single "interface" to ''resolvconf'', it is not possible to implement conditional forwarding between two NetworkManager connections. See [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/153 NetworkManager issue 153].

This can be partially mitigated if you set {{ic|1=private_interfaces="*"}} in {{ic|/etc/resolvconf.conf}}[https://roy.marples.name/projects/openresolv/configuration/]. Any queries for domains that are not in search domain list will not get forwarded. They will be handled according to the local resolver's configuration, for example, forwarded to another DNS server or resolved recursively from the DNS root.

==== Custom DNS servers ====

===== Setting custom global DNS servers =====

To set DNS servers for all connections, specify them in {{man|5|NetworkManager.conf}} using the syntax {{ic|1=servers=''serveripaddress1'',''serveripaddress2'',''serveripaddress3''}} in a section named {{ic|[global-dns-domain-*]}}. For example:

{{hc|/etc/NetworkManager/conf.d/dns-servers.conf|2=
[global-dns-domain-*]
servers=::1,127.0.0.1
}}

{{Note|
* If you use [[#DNS caching and conditional forwarding|NetworkManager's dnsmasq or systemd-resolved plugin]] or [[#DNS resolver with an openresolv subscriber|openresolv subscribers]], then do not specify loopback addresses with the {{ic|1=servers=}} option, it can break DNS resolution.
* The specified servers do not get sent to [[systemd-resolved]], the connection's DNS servers are used instead. See [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1366 NetworkManager issue 1366] and [https://github.com/systemd/systemd/issues/33754 systemd issue 33754].
}}

===== Setting custom DNS servers in a connection =====

====== Setting custom DNS servers in a connection (GUI) ======

Setup will depend on the type of front-end used; the process usually involves right-clicking on the applet, editing (or creating) a profile, and then choosing DHCP type as ''Automatic (specify addresses)''. The DNS addresses will need to be entered and are usually in this form: {{ic|127.0.0.1, ''DNS-server-one'', ...}}.

====== Setting custom DNS servers in a connection (nmcli / connection file) ======

To set up DNS Servers per connection, you change the {{ic|ipv4.dns}} and {{ic|ipv6.dns}} settings (and their associated {{ic|dns-search}} and {{ic|dns-options}}) in the [[#Edit a connection|connection settings]].

If {{ic|method}} is set to {{ic|auto}} (when you use DHCP/RA), you need to set {{ic|ignore-auto-dns}} to {{ic|yes}}.

To use DNS over TLS ([[#systemd-resolved|requires systemd-resolved]]), specify the DNS servers using the syntax {{ic|1=dns=''ip.address''#''servername'';}} and additionally set the {{ic|connection.dns-over-tls}} setting to {{ic|2}}. For example, to use Quad9:

{{hc|/etc/NetworkManager/system-connections/Example Wi-Fi.nmconnection|2=
...
[connection]
...
dns-over-tls=2

[ipv4]
...
dns=9.9.9.9#dns.quad9.net;149.112.112.112#dns.quad9.net;
ignore-auto-dns=true

[ipv6]
...
dns=2620:fe::fe#dns.quad9.net;2620:fe::9#dns.quad9.net;
ignore-auto-dns=true
}}

{{Note|This example uses Quad9. Replace it with a DNS resolver you trust. See [[Domain name resolution#Third-party DNS services]].}}

==== /etc/resolv.conf ====

NetworkManager's {{ic|/etc/resolv.conf}} management mode is configured with the {{ic|main.rc-manager}} setting. {{Pkg|networkmanager}} sets it to {{ic|symlink}} as opposed to the upstream default {{ic|auto}}. The setting and its values are documented in the {{man|5|NetworkManager.conf}} man page.

{{Tip|Using openresolv allows NetworkManager to coexist with other ''resolvconf'' supporting software or, for example, to run a local DNS caching and split-DNS resolver for which openresolv has a [[openresolv#Subscribers|subscriber]]. Note that conditional forwarding is [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/153 not yet fully supported] when using NetworkManager with openresolv.}}

''NetworkManager'' also offers hooks via so called dispatcher scripts that can be used to alter the {{ic|/etc/resolv.conf}} after network changes. See [[#Network services with NetworkManager dispatcher]] and {{man|8|NetworkManager}} for more information.

{{Note|
* If NetworkManager is configured to use either [[#dnsmasq|dnsmasq]] or [[#systemd-resolved|systemd-resolved]], then the appropriate loopback addresses will be written to {{ic|/etc/resolv.conf}}.
* The {{ic|resolv.conf}} file NetworkManager writes or would write to {{ic|/etc/resolv.conf}} can be found at {{ic|/run/NetworkManager/resolv.conf}}.
* A {{ic|resolv.conf}} file with the acquired name servers and search domains can be found at {{ic|/run/NetworkManager/no-stub-resolv.conf}}.
}}

===== Unmanaged /etc/resolv.conf =====

To stop NetworkManager from touching {{ic|/etc/resolv.conf}}, set {{ic|1=main.dns=none}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=none
}}

{{Tip|You might also want to set {{ic|1=main.systemd-resolved=false}}, so that NetworkManager does not send the DNS configuration to [[systemd-resolved]].}}

{{Note|See [[#DNS caching and conditional forwarding]], to configure NetworkManager using other DNS backends like [[dnsmasq]] and [[systemd-resolved]], instead of using {{ic|1=main.dns=none}}.}}

After that {{ic|/etc/resolv.conf}} might be a broken symlink that you will need to remove. Then, just create a new {{ic|/etc/resolv.conf}} file.

===== Use openresolv =====

{{Note|NetworkManager does not support using systemd-resolved's ''resolvconf'' interface ({{man|1|resolvectl|COMPATIBILITY WITH RESOLVCONF(8)}}) which is provided by {{Pkg|systemd-resolvconf}}.
* Do not set {{ic|1=main.rc-manager=resolvconf}} when using [[systemd-resolved]], instead make sure to [[systemd-resolved#DNS|correctly create the /etc/resolv.conf symlink]] or [[#systemd-resolved|configure NetworkManager to use systemd-resolved explicitly]].
* Make sure the {{Pkg|systemd-resolvconf}} package is not installed when systemd-resolved is not used. Unless {{ic|systemd-resolved.service}} started, it will break all networking software (not just NetworkManager) that use resolvconf.
}}

To configure NetworkManager to use [[openresolv]], set {{ic|1=main.rc-manager=resolvconf}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/rc-manager.conf|2=
[main]
rc-manager=resolvconf
}}

=== Firewall ===

You can [[Firewalld#Using NetworkManager to manage zones|assign a firewalld zone]] based on your current connection. For example a restrictive firewall when at work, and a less restrictive one when at home.

This can also be done with [[#Network services with NetworkManager dispatcher|NetworkManager dispatcher]].

== Network services with NetworkManager dispatcher ==

There are quite a few network services that you will not want running until NetworkManager brings up an interface. NetworkManager has the ability to start services when you connect to a network and stop them when you disconnect (e.g. when using [[NFS]], [[SMB]] and [[NTPd]]).

To activate the feature you need to [[enable]] and [[start]] the {{ic|NetworkManager-dispatcher.service}}.

Once the service is active, scripts can be added to the {{ic|/etc/NetworkManager/dispatcher.d}} directory.

Scripts must be owned by '''root''', otherwise the dispatcher will not execute them. For added security, set group [[ownership]] to root as well:

# chown root:root /etc/NetworkManager/dispatcher.d/''10-script.sh''

Make sure the file is [[executable]].

The scripts will be run in alphabetical order at connection time, and in reverse alphabetical order at disconnect time. To ensure what order they come up in, it is common to use numerical characters prior to the name of the script (e.g. {{ic|10-portmap}} or {{ic|30-netfs}} (which ensures that the ''portmapper'' is up before NFS mounts are attempted).

Scripts will receive the following arguments:

* '''Interface name:''' e.g. {{ic|eth0}}
* '''Action:''' ''up'', ''down'', ''vpn-up'', ''vpn-down'', ... (see {{man|8|NetworkManager-dispatcher}} for the complete list)

{{Warning|If you connect to foreign or public networks, be aware of what services you are starting and what servers you expect to be available for them to connect to. You could make a security hole by starting the wrong services while connected to a public network.}}

=== Avoiding the dispatcher timeout ===

If the above is working, then this section is not relevant. However, there is a general problem related to running dispatcher scripts which take longer to be executed. Initially an internal timeout of three seconds only was used. If the called script did not complete in time, it was killed. Later the timeout was extended to about 20 seconds (see the [https://bugzilla.redhat.com/show_bug.cgi?id=982734 Bugtracker] for more information). If the timeout still creates the problem, a work around may be to use a [[drop-in file]] for the {{ic|NetworkManager-dispatcher.service}} to remain active after exit:

{{hc|/etc/systemd/system/NetworkManager-dispatcher.service.d/remain_after_exit.conf|2=
[Service]
RemainAfterExit=yes
}}

Now start and enable the modified {{ic|NetworkManager-dispatcher}} service.

{{Warning|Adding the {{ic|RemainAfterExit}} line to it will prevent the dispatcher from closing. Unfortunately, the dispatcher '''has''' to close before it can run your scripts again. With it the dispatcher will not time out but it also will not close, which means that the scripts will only run once per boot. Therefore, do not add the line unless the timeout is definitely causing a problem.}}

=== Dispatcher examples ===

==== Automatically set the timezone ====

Create a [[#Network services with NetworkManager dispatcher|NetworkManager dispatcher script]] and make it [[executable]]:

{{hc|/etc/NetworkManager/dispatcher.d/09-timezone|
#!/bin/sh
case "$2" in
up)
timedatectl set-timezone "$(curl --fail <nowiki>https://ipapi.co/timezone</nowiki>)"
;;
esac
}}

{{Tip|Using {{ic|connectivity-change}} instead of {{ic|up}} can prevent timezone changes when connecting to VPNs with clients such as [[OpenConnect]].}}

Alternatively, the tool {{aur|tzupdate}} automatically sets the timezone based on the geolocation of the IP address. This [https://medium.com/@ipdata_co/what-is-the-best-commercial-ip-geolocation-api-d8195cda7027 comparison of the most popular IP geolocation apis] may be helpful in deciding which API to use in production.

==== Mount remote directory with sshfs ====

As the script is run in a very restrictive environment, you have to export {{ic|SSH_AUTH_SOCK}} in order to connect to your SSH agent. There are different ways to accomplish this, see [https://bbs.archlinux.org/viewtopic.php?pid=1042030#p1042030 this message] for more information. The example below works with [[GNOME Keyring]], and will ask you for the password if not unlocked already. In case NetworkManager connects automatically on login, it is likely ''gnome-keyring'' has not yet started and the export will fail (hence the sleep). The {{ic|UUID}} to match can be found with the command {{ic|nmcli connection status}} or {{ic|nmcli connection list}}.

{{bc|<nowiki>
#!/bin/sh
USER='username'
REMOTE='user@host:/remote/path'
LOCAL='/local/path'

interface=$1 status=$2
if [ "$CONNECTION_UUID" = "</nowiki>''uuid''<nowiki>" ]; then
case $status in
up)
# sleep 10
SSH_AUTH_SOCK=$(find /tmp -maxdepth 1 -type s -user "$USER" -name 'ssh')
export SSH_AUTH_SOCK
su "$USER" -c "sshfs $REMOTE $LOCAL"
;;
down)
fusermount -u "$LOCAL"
;;
esac
fi
</nowiki>}}

==== Mounting of SMB shares ====

Some [[SMB]] shares are only available on certain networks or locations (e.g. at home). You can use the dispatcher to only mount SMB shares that are present at your current location.

The following script will check if we connected to a specific network and mount shares accordingly:

{{hc|/etc/NetworkManager/dispatcher.d/30-mount-smb.sh|<nowiki>
#!/bin/sh

# Find the connection UUID with "nmcli connection show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
if [ "$2" = "up" ]; then
if [ "$CONNECTION_UUID" = "uuid" ]; then
mount /your/mount/point &
# add more shares as needed
fi
fi
</nowiki>}}

The following script will unmount all SMB shares before a software initiated disconnect from a specific network:

{{hc|/etc/NetworkManager/dispatcher.d/pre-down.d/30-umount-smb.sh|<nowiki>
#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
umount -a -l -t cifs
fi
</nowiki>}}

{{Note|Make sure this script is located in the {{ic|pre-down.d}} sub-directory as shown above, otherwise it will unmount all shares on any connection state change.}}

The following script will attempt to unmount all SMB shares following an unexpected disconnect from a specific network:

{{hc|/etc/NetworkManager/dispatcher.d/40-umount-smb.sh|<nowiki>
#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
if [ "$2" = "down" ]; then
umount -a -l -t cifs
fi
fi
</nowiki>}}

{{Note|
* Since NetworkManager 0.9.8, the ''pre-down'' and ''down'' events are not executed on shutdown or restart, see [https://bugzilla.gnome.org/show_bug.cgi?id=701242 this bug report] for more info.
* The previous ''umount'' scripts are still prone to leaving applications actually accessing the mount to 'hang'.
}}

An alternative is to use the script as seen in [[NFS#Using a NetworkManager dispatcher]]:

{{hc|/etc/NetworkManager/dispatcher.d/30-smb.sh|<nowiki>
#!/bin/sh

# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"

if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then

# Script parameter $1: network interface name, not used
# Script parameter $2: dispatched event

case "$2" in
"up")
mount -a -t cifs
;;
"down"|"pre-down"|"vpn-pre-down")
umount -l -a -t cifs >/dev/null
;;
esac
fi
</nowiki>}}

{{Note|This script ignores mounts with the {{ic|noauto}} option, remove this mount option or use {{ic|auto}} to allow the dispatcher to manage these mounts.}}

Create a symlink inside {{ic|/etc/NetworkManager/dispatcher.d/pre-down/}} to catch the {{ic|pre-down}} events:

# ln -s ../30-smb.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-smb.sh

==== Mounting of NFS shares ====

See [[NFS#Using a NetworkManager dispatcher]].

==== Use dispatcher to automatically toggle wireless depending on LAN cable being plugged in ====

The idea is to only turn Wi-Fi on when the LAN cable is unplugged (for example when detaching from a laptop dock), and for Wi-Fi to be automatically disabled, once a LAN cable is plugged in again.

Create the following dispatcher script[https://superuser.com/questions/233448/disable-wlan-if-wired-cable-network-is-available], replacing {{ic|''Your_Ethernet_Interface''}} with your ethernet interface's device name.

{{Note|You can get a list of interfaces using [[#nmcli examples|nmcli]] ({{ic|nmcli d {{!}} grep ethernet}}). The Ethernet interfaces start with {{ic|en}} or {{ic|eth}}, e.g. {{ic|enp0s5}} or {{ic|eth0}}.}}

Remember to make the script [[executable]]. You can verify that it works by [[restart]]ing {{ic|NetworkManager.service}}, running {{ic|ip a}}, and checking that {{ic|wlp3s0}} (or whatever your Wi-Fi interface is called) is in {{ic|state DOWN}}. If you encounter unexpected behavior, check the [[journal]] of {{ic|NetworkManager-dispatcher.service}}.

{{hc|/etc/NetworkManager/dispatcher.d/99-wifi-auto-toggle.sh|2=
#!/bin/sh

LOG_PREFIX="WiFi Auto-Toggle"
ETHERNET_INTERFACE="''Your_Ethernet_Interface''"

if [ "$1" = "$ETHERNET_INTERFACE" ]; then
case "$2" in
up)
echo "$LOG_PREFIX ethernet up"
nmcli radio wifi off
;;
down)
echo "$LOG_PREFIX ethernet down"
nmcli radio wifi on
;;
esac
elif [ "$(nmcli -g GENERAL.STATE device show $ETHERNET_INTERFACE)" = "20 (unavailable)" ]; then
echo "$LOG_PREFIX failsafe"
nmcli radio wifi on
fi
}}

{{Note|There is a fail-safe for the case when the LAN interface was connected when the computer was last on, and then disconnected while the computer was off. That would mean the radio would still be off when the computer is turned back on, and with a disconnected LAN interface, you would have no network.}}

==== Use dispatcher to connect to a VPN after a network connection is established ====

In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific Wi-Fi network. First thing to do is to create the dispatcher script that defines what to do after we are connected to the network.

{{Accuracy|A scripting without {{ic|iwgetid}} does work too and may be more reliable?|section=Fixes for automatic VPN dispatcher script}}

{{Note|This script will require {{Pkg|wireless_tools}} in order to use {{ic|iwgetid}}.}}

{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki>
#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
up|vpn-down)
if iwgetid | grep -qs ":\"$ESSID\""; then
nmcli connection up id "$VPN_NAME"
fi
;;
down)
if iwgetid | grep -qs ":\"$ESSID\""; then
if nmcli connection show --active | grep "$VPN_NAME"; then
nmcli connection down id "$VPN_NAME"
fi
fi
;;
esac
</nowiki>}}

If you would like to attempt to automatically connect to VPN for all Wi-Fi networks, you can use the following definition of the ESSID: {{ic|1=ESSID=$(iwgetid -r)}}. Remember to set the script's permissions [[#Network services with NetworkManager dispatcher|accordingly]].

Trying to connect with the above script may still fail with {{ic|NetworkManager-dispatcher.service}} complaining about 'no valid VPN secrets', because of [https://developer.gnome.org/NetworkManager/0.9/secrets-flags.html the way VPN secrets are stored]. Fortunately, there are different options to give the above script access to your VPN password.

1: One of them requires editing the VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring [https://bugzilla.redhat.com/show_bug.cgi?id=710552 that will be inaccessible for root]: open up {{ic|/etc/NetworkManager/system-connections/''name of your VPN connection''.nmconnection}} and change the {{ic|password-flags}} and {{ic|secret-flags}} from {{ic|1}} to {{ic|0}}.

If that alone does not work, you may have to create a {{ic|passwd-file}} in a safe location with the same permissions and ownership as the dispatcher script, containing the following:

{{hc|/path/to/passwd-file|
vpn.secrets.password:YOUR_PASSWORD
}}

The script must be changed accordingly, so that it gets the password from the file:

{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki>
#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
up|vpn-down)
if iwgetid | grep -qs ":\"$ESSID\""; then
nmcli connection up id "$VPN_NAME" passwd-file /path/to/passwd-file
fi
;;
down)
if iwgetid | grep -qs ":\"$ESSID\""; then
if nmcli connection show --active | grep "$VPN_NAME"; then
nmcli connection down id "$VPN_NAME"
fi
fi
;;
esac
</nowiki>}}

2: Alternatively, change the {{ic|password-flags}} and put the password directly in the configuration file adding the section {{ic|vpn-secrets}}:

[vpn]
....
password-flags=0

[vpn-secrets]
password=''your_password''

{{Note|It may now be necessary to re-open the NetworkManager connection editor and save the VPN passwords/secrets again.}}

==== Use dispatcher to disable IPv6 on VPN provider connections ====

Many [[:Category:VPN providers|commercial VPN providers]] support only IPv4. That means all IPv6 traffic bypasses the VPN and renders it virtually useless. To avoid this, dispatcher can be used to disable all IPv6 traffic for the time a VPN connection is up.

{{hc|/etc/NetworkManager/dispatcher.d/10-vpn-ipv6|<nowiki>
#!/bin/sh

case "$2" in
vpn-up)
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
;;
vpn-down)
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
;;
esac
</nowiki>}}

{{Note|The above script does not work for WireGuard since NetworkManager does not send the {{ic|vpn-up/down}} events for it. Instead you have to rely on generic events for your WireGuard interfaces as demonstrated in [https://gist.github.com/TheDcoder/85e1ec99a31180e20ba8e4896024f265].}}

As an alternative, dispatcher can be used to temporarily set the IPv6 mode of the device used by the VPN connection to {{ic|link-local}}. This will avoid NetworkManager log spam about IPv6 being disabled. This script will not work if multiple devices or connections provide IPv6 connectivity, but could be adapted to iterate over multiple devices. Note that any change to the connection (using {{man|1|nmcli}} or a [[desktop environment]]) will reapply the entire connection to the device and re-enable IPv6 (if it is enabled in the connection).

{{hc|/etc/NetworkManager/dispatcher.d/10-vpn-ipv6|<nowiki>
#!/bin/sh

case "$2" in
vpn-up)
nmcli device modify "${DEVICE_IFACE}" ipv6.method link-local
;;
vpn-down)
nmcli device reapply "${DEVICE_IFACE}"
;;
esac
</nowiki>}}

==== OpenNTPD ====

See [[OpenNTPD#Using NetworkManager dispatcher]].

==== Dynamically set NTP servers received via DHCP with systemd-timesyncd ====

When roaming between different networks (e.g. a company's LAN, Wi-Fi at home, various other Wi-Fi now and then) you might want to set the NTP server(s) used by timesyncd to those provided by DHCP. However, NetworkManager itself is not capable to communicate with systemd-timesyncd to set the NTP server(s).

The dispatcher can work around it.

[[Create]] the overlay directory for your systemd-timesyncd configuration {{ic|/etc/systemd/timesyncd.conf.d}} if it does not already exist. Inside {{ic|/etc/NetworkManager/dispatcher.d}}, put the following:

{{hc|/etc/NetworkManager/dispatcher.d/10-update-timesyncd|<nowiki>
#!/bin/sh

[ -z "$CONNECTION_UUID" ] && exit 0
INTERFACE="$1"
ACTION="$2"

case $ACTION in
up | dhcp4-change | dhcp6-change)
# `DHCP6_DHCP6_NTP_SERVERS` with double `DHCP6` is the correct variable name as varified by `printenv` as of NetworkManager 1.56.0-1
set -- ${DHCP6_DHCP6_NTP_SERVERS-} ${DHCP4_NTP_SERVERS-}
servers=$*
[ -n "$servers" ] || exit 0
mkdir -p /etc/systemd/timesyncd.conf.d
cat <<-THE_END >"/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
[Time]
NTP=$servers
THE_END
systemctl restart systemd-timesyncd.service
;;
down)
rm -f "/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
systemctl restart systemd-timesyncd.service
;;
esac
</nowiki>}}

Every time NetworkManager sets up a new network connection ({{ic|1=ACTION=up}}) or gets some update for an existing connection ({{ic|1=ACTION=dhcp4-change}} or {{ic|1=ACTION=dhcp6-change}}) and the provided connection data contains information about NTP server(s) ({{ic|DHCP6_DHCP6_NTP_SERVERS}} and {{ic|DHCP4_NTP_SERVERS}}), a connection specific overlay configuration file is written to {{ic|/etc/systemd/timesyncd.conf.d}}, containing the provided NTP server(s). Whenever a connection is taken down ({{ic|1=ACTION=down}}) the connection specific overlay file is removed. After each change to the configuration of systemd-timesyncd, this service is restarted to pick up the updated configuration. The use of connection specific configuration files is intentional so that when two or more connections are managed by NetworkManager in parallel the different NTP server names in the configuration are not overwritten as {{ic|up}}, {{ic|dhcp4-change}}, {{ic|dhcp6-change}} and {{ic|down}} actions might come in an arbitrary order.

{{Note|{{ic|1=DHCP6_DHCP6_NTP_SERVERS}} with double {{ic|1=DHCP6}} is the correct variable name as varified by {{ic|1=printenv}} as of NetworkManager 1.56.0-1 }}

== Testing ==

NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to [[start]] {{ic|NetworkManager.service}}.

Some applets will provide you with a {{ic|.desktop}} file so that the NetworkManager applet can be loaded through the application menu. If it does not, you are going to either have to discover the command to use or logout and login again to start the applet. Once the applet is started, it will likely begin polling network connections with for auto-configuration with a DHCP server.

To start the GNOME applet in non-xdg-compliant window managers like [[awesome]]:

nm-applet --sm-disable &

For static IP addresses, you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.

== Tips and tricks ==

=== Encrypted network keyphrases ===

By default, NetworkManager stores passwords in clear text in the connection files at {{ic|/etc/NetworkManager/system-connections/}}. To print the stored passwords, use the following command:

# grep -r '^psk=' /etc/NetworkManager/system-connections/

The passwords are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. {{ic|nm-applet}}).

It is preferable to save the passwords in encrypted form in a keyring instead of clear text. The downside to this is that the connections have to be set up for each user.

In order to read and write to the keyring, there must be a secret agent available. This can be one of:

* {{ic|nmcli}} with the {{ic|--ask}} option
* One of the graphical interfaces from [[#Front-ends]]

If you make neither of these available, then authentication will fail with the error {{ic|no secrets: No agents were available for this request.}}

On a single user machine, it is enough to set up encryption for root partition. See: [[Dm-crypt]].

==== Using GNOME Keyring ====

The keyring daemon has to be started and the keyring needs to be unlocked for the following to work.

Furthermore, NetworkManager needs to be configured not to store the password for all users. Using GNOME's {{Pkg|network-manager-applet}}, run {{ic|nm-connection-editor}} from a terminal, select a network connection, click ''Edit'', select the ''Wi-Fi Security'' tab and click on the right icon of password and check ''Store the password only for this user''.

==== Using KDE Wallet ====

Using KDE's {{Pkg|plasma-nm}}, click the applet, click on the top right ''Settings'' icon, click on a network connection, in the ''General configuration'' tab, untick ''All users may connect to this network''. If the option is ticked, the passwords will still be stored in clear text, even if a keyring daemon is running.

If the option was selected previously and you un-tick it, you may have to use the {{ic|reset}} option first to make the password disappear from the file. Alternatively, delete the connection first and set it up again.

=== Sharing internet connection over Wi-Fi ===

You can share your internet connection (e.g. 3G or wired) with a few clicks. Please note that a [[firewall]] may interfere with internet sharing.

You will need a Wi-Fi card which supports AP mode, see [[Software access point#Wi-Fi device must support AP mode]] for details.

[[Install]] the {{Pkg|dnsmasq}} package to be able to actually share the connection. Note that NetworkManager starts its own instance of ''dnsmasq'', independent of {{ic|dnsmasq.service}}, as a DHCP server. See [[#dnsmasq]] for the caveats.

Create the shared connection:

* Click on applet and choose ''Create new wireless network''.
* Follow wizard (choose WPA2 or higher, be sure to use at least 8 character long password, lower lengths will fail).
** Choose either [[Fedora:Features/RealHotspot|Hotspot]] or Ad-hoc as Wi-Fi mode.

The connection will be saved and remain stored for the next time you need it.

{{Note|Android does not support connecting to Ad-hoc networks. To share a connection with Android use infrastructure mode (i.e. set Wi-Fi mode to "Hotspot").}}

=== Sharing internet connection over Ethernet ===

Scenario: your device has internet connection over Wi-Fi and you want to share the internet connection to other devices over Ethernet.

Requirements:

* [[Install]] the {{Pkg|dnsmasq}} and {{Pkg|nm-connection-editor}} packages to be able to actually share the connection. Note that NetworkManager starts its own instance of ''dnsmasq'', independent of {{ic|dnsmasq.service}}, as a DHCP server. See [[#dnsmasq]] for the caveats.
* Your internet connected device and the other devices are connected over a suitable Ethernet cable (this usually means a cross over cable or a switch in between).
* Internet sharing is not blocked by a [[firewall]].

Steps:

* Run {{ic|nm-connection-editor}} from terminal.
* Add a new Ethernet connection.
* Give it some sensible name. For example "Shared Internet"
* Go to "IPv4 Settings".
* For "Method:" select "Shared to other computers".
* Save

Now you should have a new option "Shared Internet" under the Wired connections in NetworkManager.

=== Checking if networking is up inside a cron job or script ===

{{Out of date|''nm-tool'' was removed from NetworkManager for long time now[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/bb8c75bd536d4f8fb80a4366025a279078f0ec81]. ''nmcli'' should be used instead.}}

Some ''cron'' jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an '''if''' test for networking that queries NetworkManager's ''nm-tool'' and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network.

{{bc|<nowiki>
if [ $(nm-tool|grep State|cut -f2 -d' ') == "connected" ]; then
#Whatever you want to do if the network is online
else
#Whatever you want to do if the network is offline - note, this and the else above are optional
fi
</nowiki>}}

This is useful for a {{ic|cron.hourly}} script that runs ''fpupdate'' for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from ''nm-tool''; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.

=== Connect to network with secret on boot ===

By default, NetworkManager will not connect to networks requiring a secret automatically on boot. This is because it locks such connections to the user who makes it by default, only connecting after they have logged in. To change this, do the following:

# Right click on the {{ic|nm-applet}} icon in your panel and select Edit Connections and open the Wireless tab
# Select the connection you want to work with and click the Edit button
# Check the boxes “Connect Automatically” and “Available to all users”
# Additionally, ensure that under "Wi-Fi Security", "Store password for all users (not encrypted)" is selected

Log out and log back in to complete.

=== OpenConnect with password in KWallet ===

While you may type both values at connection time, {{Pkg|plasma-nm}} 0.9.3.2-1 and above are capable of retrieving OpenConnect username and password directly from [[KWallet]].

Open "KDE Wallet Manager" and look up your OpenConnect VPN connection under "Network Management|Maps". Click "Show values" and
enter your credentials in key "VpnSecrets" in this form (replace ''username'' and ''password'' accordingly):

form:main:username%SEP%''username''%SEP%form:main:password%SEP%''password''

Next time you connect, username and password should appear in the "VPN secrets" dialog box.

=== Ignore specific devices ===

Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them. You can quickly and easily ignore devices by MAC or interface-name by using the following in {{ic|/etc/NetworkManager/conf.d/unmanaged.conf}}:

[keyfile]
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth0

After editing the file, run {{ic|nmcli general reload}} as root. Afterwards you should be able to configure interfaces without NetworkManager altering what you have set.

=== Configuring MAC address randomization ===

See [[MAC address spoofing#NetworkManager]].

{{Note| The iwd backend reportedly refuses MAC address randomisation. A workaround is available at [[MAC address spoofing#NetworkManager]]. }}

=== Turn off hostname sending ===

NetworkManager by default sends the hostname to the DHCP server.

To disable sending your hostname to the DHCP server globally, set the {{ic|ipv4.dhcp-send-hostname{{=}}0}} and {{ic|ipv6.dhcp-send-hostname{{=}}0}} options with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}. E.g.:

{{hc|/etc/NetworkManager/conf.d/dhcp-send-hostname.conf|2=
[connection]
ipv4.dhcp-send-hostname=0
ipv6.dhcp-send-hostname=0
}}

To disable sending your hostname to the DHCP server for a specific connection (or alternatively, enable it for a connection if it is disabled globally), add the following to your network connection file:

{{hc|/etc/NetworkManager/system-connections/''your_connection_file''.nmconnection|2=
...
[ipv4]
dhcp-send-hostname=false
...
[ipv6]
dhcp-send-hostname=false
...
}}

{{Note|These options are only honored by the default [[#DHCP client|internal DHCP client]]. To omit sending the hostname when using NetworkManager with dhcpcd, edit {{ic|/etc/dhcpcd.conf}} and insert {{ic|anonymous}} as the last line.}}

=== Enable IPv6 Privacy Extensions ===

See [[IPv6#NetworkManager]].

=== Configure a unique DUID per connection ===

The DHCPv6 Unique Identifier (DUID) is a value used by the DHCPv6 client to identify itself to DHCPv6 servers. NetworkManager supports 3 types of DUID:

* DUID-UUID ([[RFC:6355|RFC 6355]]): generated from an Universally Unique IDentifier (UUID).
* DUID-LL ([[RFC:3315|RFC 3315]]): generated from the Link-Layer address (a.k.a. MAC address).
* DUID-LLT ([[RFC:3315|RFC 3315]]): generated from the Link-Layer address plus a timestamp.

If the internal NetworkManager's DHCP client is in use (the default) it will identify itself with a global and permanent DUID-UUID generated from the machine-id ({{ic|/etc/machine-id}}). This means that all connections share the same UUID, which may be a privacy breach.

Fortunately, NetworkManager is able to provide unique DUIDs per connection, derived from the connection's stable-id and a per-host unique key. You can enable that by adding the following configuration under {{ic|/etc/NetworkManager/conf.d}}:

{{hc|/etc/NetworkManager/conf.d/duid.conf|2=
[connection]
ipv6.dhcp-duid=stable-uuid
}}

The {{ic|stable-ll}} and {{ic|stable-llt}} values are also supported. For further information read the description for {{ic|dhcp-duid}} in {{man|5|nm-settings|ipv6 setting}}.

=== Working with wired connections ===

By default, NetworkManager generates a connection profile for each wired ethernet connection it finds. At the point when generating the connection, it does not know whether there will be more Ethernet adapters available. Hence, it calls the first wired connection "Wired connection 1". You can avoid generating this connection, by configuring {{ic|no-auto-default}} (see {{man|5|NetworkManager.conf}}), or by simply deleting it. Then NetworkManager will remember not to generate a connection for this interface again.

You can also edit the connection (and persist it to disk) or delete it. NetworkManager will not re-generate a new connection. Then you can change the name to whatever you want. You can use something like {{Pkg|nm-connection-editor}} for this task.

=== Using iwd as the Wi-Fi backend ===

{{Note|1=<nowiki/>
* Do not enable {{ic|iwd.service}} or manually configure [[iwd]]. NetworkManager will start and manage it itself.
* Consider [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues?scope=all&utf8=%E2%9C%93&state=opened&search=iwd existing issues] before switching to ''iwd''.}}

To enable the [https://archive.kernel.org/oldwiki/iwd.wiki.kernel.org/networkmanager.html experimental iwd backend], first [[install]] {{Pkg|iwd}} and then create the following configuration file:

{{hc|/etc/NetworkManager/conf.d/wifi_backend.conf|2=
[device]
wifi.backend=iwd
}}

To use MAC randomization with iwd see [[MAC address spoofing#iwd]].

Alternatively, you can install {{AUR|networkmanager-iwd}}, a modified package configured to build ''NetworkManager'' working exclusively with ''iwd'', with the main difference being that ''iwd'' is required and ''wpa_supplicant'' can be uninstalled after building.

{{Note|1=You may need to [https://archive.kernel.org/oldwiki/iwd.wiki.kernel.org/networkmanager.html#converting_network_profiles convert existing NetworkManager network profiles] after switching to ''iwd''.}}

=== Running in a network namespace ===

If you would like to run NetworkManager inside a network namespace (e.g., to manage a specific device which should be used by selected applications), bring the device down before moving it to the namespace:

$ ip link set dev ''MY_DEVICE'' down
$ ip link set dev ''MY_DEVICE'' netns ''MY_NAMESPACE''
$ ip netns exec ''MY_NAMESPACE'' NetworkManager
...
$ ip netns exec ''MY_NAMESPACE'' killall NetworkManager

otherwise NetworkManager will later fail to establish the connection with a {{ic|device is strictly unmanaged}} error.

=== Automatically connect to VPN ===

NetworkManager can be set to automatically connect to a VPN when connecting to the internet, on a per network basis. The VPN connection itself can be added in GNOME's NetworkManager front-end, but to make it automatically use the VPN {{ic|nmcli}} must be used. Other front-ends might not have this limitation.

First, make sure to make the VPN connection available to all users. In the GNOME this is a matter of checking a box under the {{ic|details}} tab. Under the {{ic|Identity}} tab, in the password field, click the icon on the right side in the field, and set it to {{ic|Store the password for all users}}.

Then find the UUID of the VPN connection, and add that to {{ic|connection.secondaries}} of the Internet connection:

# UUID=$(nmcli --get-values connection.uuid connection show ''name-of-VPN-connection'')
# nmcli connection modify ''name-of-Internet-connection'' connection.secondaries "$UUID"

Now when NetworkManager is restarted and you connect to the Internet connection you have configured, you should automatically get connected to the VPN.

== Troubleshooting ==

=== No prompt for password of secured Wi-Fi networks ===

When trying to connect to a secured Wi-Fi network, no prompt for a password is shown and no connection is established. This happens when no keyring package is installed. An easy solution is to install {{Pkg|gnome-keyring}}. If you want the passwords to be stored in encrypted form, follow [[GNOME Keyring]] to set up the ''gnome-keyring-daemon''.

=== Network management disabled ===

When NetworkManager shuts down but the pid (state) file is not removed, you will see a {{ic|Network management disabled}} message. If this happens, remove the file manually:

# rm /var/lib/NetworkManager/NetworkManager.state

=== Problems with internal DHCP client ===

If you have problems with getting an IP address using the internal DHCP client, consider using another DHCP client, see [[#DHCP client]] for instructions. This workaround might solve problems in big wireless networks like eduroam.

=== DHCP problems with dhclient ===

If you have problems with getting an IP address via DHCP, try to add the following to your {{ic|/etc/dhclient.conf}}:

interface "eth0" {
send dhcp-client-identifier 01:''aa:bb:cc:dd:ee:ff'';
}

Where {{ic|''aa:bb:cc:dd:ee:ff''}} is the MAC address of this NIC. The MAC address can be found using the {{ic|ip link show ''interface''}} command from the {{Pkg|iproute2}} package.

=== 3G modem not detected ===

See [[Mobile broadband modem#NetworkManager]].

=== Switching off WLAN on laptops ===

Sometimes NetworkManager will not work when you disable your Wi-Fi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with ''rfkill''. To check if the driver notifies ''rfkill'' about the wireless adapter's status, use:

$ watch -n1 rfkill list all

If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):

# rfkill event unblock X

=== Static IP address settings revert to DHCP ===

{{Out of date|This section is [[Special:Diff/119236|added in 2010]] and describes an ancient version of ''nm-applet''. Is this still relevant in 2024?}}

Due to an unresolved bug, when changing default connections to a static IP address, {{ic|nm-applet}} may not properly store the configuration change, and will revert to automatic DHCP.

To work around this issue you have to edit the default connection (e.g. "Auto eth0") in {{ic|nm-applet}}, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP address settings as desired, and click '''Apply'''. This will save a new connection with the given name.

Next, you will want to make the default connection not connect automatically. To do so, run {{ic|nm-connection-editor}} ('''not''' as root). In the connection editor, edit the default connection (e.g. "Auto eth0") and uncheck "Connect automatically". Click '''Apply''' and close the connection editor.

=== Cannot edit connections as normal user ===

See [[#Set up PolicyKit permissions]].

=== Forget hidden wireless network ===

Since hidden networks are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:

# rm /etc/NetworkManager/system-connections/''SSID''.nmconnection

This also works for any other connection.

=== VPN not working in GNOME ===

When setting up OpenConnect or vpnc connections in NetworkManager while using GNOME, you will sometimes never see the dialog box pop up and the following error appears in {{ic|/var/log/errors.log}}:

localhost NetworkManager[399]: <error> [1361719690.10506] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.

This is caused by the GNOME NetworkManager Applet expecting dialog scripts to be at {{ic|/usr/lib/gnome-shell}}, when NetworkManager's packages put them in {{ic|/usr/lib/networkmanager}}.
As a "temporary" fix (this bug has been around for a while now), make the following symlink(s):

* For OpenConnect: {{ic|ln -s /usr/lib/nm-openconnect-auth-dialog /usr/lib/gnome-shell/}}
* For VPNC (i.e. Cisco VPN): {{ic|ln -s /usr/lib/nm-vpnc-auth-dialog /usr/lib/gnome-shell/}}

This may need to be done for any other NetworkManager VPN plugins as well, but these are the two most common.

=== Unable to connect to visible European wireless networks ===

WLAN chips are shipped with a default [[Wireless network configuration#Respecting the regulatory domain|regulatory domain]]. If your access point does not operate within these limitations, you will not be able to connect to the network. Fixing this is easy:

# [[Install]] {{Pkg|wireless-regdb}}.
# Uncomment the correct country code in {{ic|/etc/conf.d/wireless-regdom}}.
# Reboot the system, because the setting is only read on boot.

=== Automatic connect to VPN on boot is not working ===

The problem occurs when the system (i.e. NetworkManager running as the root user) tries to establish a VPN connection, but the password is not accessible because it is stored in the GNOME Keyring of a particular user.

A solution is to keep the password to your VPN in plaintext, as described in step (2.) of [[#Use dispatcher to connect to a VPN after a network connection is established]].

You do not need to use the dispatcher described in step (1.) to auto-connect anymore, if you use the new "auto-connect VPN" option from the {{ic|nm-applet}} GUI.

=== systemd bottleneck ===

Over time the log files ({{ic|/var/log/journal}}) can become very large. This can have a big impact on boot performance when using NetworkManager, see: [[systemd#Boot time increasing over time]].

=== Regular network disconnects, latency and lost packets (Wi-Fi) ===

NetworkManager does a scan every 2 minutes.

Some Wi-Fi drivers have issues when scanning for base stations whilst connected/associated. Symptoms include VPN disconnects/reconnects and lost packets, web pages failing to load and then refresh fine.

Running {{ic|journalctl -f}} as root will indicate that this is taking place, messages like the following will be contained in the logs at regular intervals.

NetworkManager[410]: <info> (wlp3s0): roamed from BSSID 00:14:48:11:20:CF (my-wifi-name) to (none) ((none))

If roaming is not important, the periodic scanning behavior can be disabled by locking the BSSID of the access point in the Wi-Fi connection profile.

=== Unable to turn on Wi-Fi with Lenovo laptop (IdeaPad, Legion, etc.) ===

There is an issue with the {{ic|ideapad_laptop}} module on some Lenovo models due to the Wi-Fi driver incorrectly reporting a soft block. The card can still be manipulated with {{ic|netctl}}, but managers like NetworkManager break. You can verify that this is the problem by checking the output of {{ic|rfkill list}} after toggling your hardware switch and seeing that the soft block persists.

{{Accuracy|Try to use {{ic|rfkill.default_state}} and {{ic|rfkill.master_switch_mode}} (see [https://docs.kernel.org/admin-guide/kernel-parameters.html kernel-parameters.html]) to fix the rfkill problem.}}

[[modprobe|Unloading]] the {{ic|ideapad_laptop}} module should fix this. ('''warning''': this may disable the laptop keyboard and touchpad also!).

=== nm-applet disappears in i3wm ===

If you use the {{ic|xfce4-notifyd.service}} for notifications you must [[edit]] the unit and add the following:

{{hc|/etc/systemd/user/xfce4-notifyd.service.d/display_env.conf|2=
[Service]
Environment="DISPLAY=:0.0"
}}

After reloading the daemons [[restart]] {{ic|xfce4-notifyd.service}}. Exit i3 and start it back up again and the applet should show on the tray.

=== Unit dbus-org.freedesktop.resolve1.service not found ===

If {{ic|systemd-resolved.service}} is not started, NetworkManager will try to start it using D-Bus and fail:

dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")
dbus-daemon[991]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.resolve1.service': Unit dbus-org.freedesktop.resolve1.service not found.
dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")

This is because NetworkManager will try to send DNS information to [[systemd-resolved]] regardless of the {{ic|1=main.dns=}} setting in {{man|5|NetworkManager.conf}}.[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/d4eb4cb45f41b1751cacf71da558bf8f0988f383]

This can be disabled with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/no-systemd-resolved.conf|2=
[main]
systemd-resolved=false
}}

See {{Bug|62138}}.

=== Secrets were required, but not provided ===

If you received the following error when attempting to connect to a network:

{{hc|$ nmcli device wifi connect ''SSID'' password ''password''|
Error: Connection activation failed: (7) Secrets were required, but not provided
}}

This error can have numerous causes and you should read the [[journal]] (filter it with {{ic|-u NetworkManager}}). For example, if NetworkManager took too long to establish connection, it will believe that the password is incorrect:

{{bc|
NetworkManager[1372]: <warn> [1643991888.3808] device (wlan0): Activation: (wifi) association took too long
NetworkManager[1372]: <info> [1643991888.3809] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
NetworkManager[1372]: <warn> [1643991888.3838] device (wlan0): Activation: (wifi) asking for new secrets
}}

You can try deleting the connection profile and creating a new one:

$ nmcli connection delete ''SSID''
$ nmcli device wifi connect ''SSID'' password ''password''

You can also try disabling MAC address randomization:

{{hc|/etc/NetworkManager/conf.d/wifi_rand_mac.conf|2=
[device]
wifi.scan-rand-mac-address=no
}}

=== WPA Enterprise connection with iwd ===

If you try to connect to an WPA Enterprise network like 'eduroam' with NetworkManager with the [[#Using iwd as the Wi-Fi backend|iwd backend]] then you will get the following error from NetworkManager:

Connection 'eduroam' is not avialable on device wlan0 because profile is not compatible with device (802.1x connections must have IWD provisioning files)

This is because NetworkManager can not configure a WPA Enterprise network. Therefore you have to configure it using an iwd configuration file {{ic|/var/lib/iwd/''essid''.8021x}} like described in [[iwd#WPA Enterprise]].

=== Failed to request VPN secrets ===

If you get this error:
Failed to request VPN secrets #1: No agents were available for this request.

It is either because the password is empty or you have to [[#Set up PolicyKit permissions|set up PolicyKit permissions]].

=== OpenVPN connections fail with "secrets: failed to request VPN secrets" warn ===

{{Remove|This does not warrant a troubleshooting section. Optional dependencies are pointed out by pacman, if this is not clear enough it should be covered in [[#VPN support]].|section=Remove unnecessary section 8.22}}

The package {{Pkg|networkmanager-openvpn}} requires {{Pkg|libnma-gtk4}} and optionally {{Pkg|libnma}} (Gtk3) when integrated within the GNOME-Shell. If {{Pkg|libnma}} is required but not installed a message will be printed to the system log:

{{bc|
NetworkManager[642]: <warn> [...] vpn[..."name_of_vpn_profile VPN"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
}}

=== OpenVPN connections fail with OpenSSL "ca md too weak" error ===

Since {{Pkg|openssl}} was updated to version 3, certificates generated with legacy cryptographic algorithms are rejected by default. Attempting to use {{Pkg|networkmanager-openvpn}} with such a setup can result in the following error in the logs:

{{bc|
nm-openvpn[14359]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
nm-openvpn[14359]: Cannot load certificate file /home/archie/.local/share/networkmanagement/certificates/my_issued_cert.crt
nm-openvpn[14359]: Exiting due to fatal error
}}

The correct approach is to have the OpenVPN server administrator generate and re-issue more secure certificates. However, as an immediate work-around, OpenVPN requires {{ic|1=tls-cipher "DEFAULT:@SECLEVEL=0"}}. This may not be possible through the plugin GUI, but it is possible with ''nmcli''. Separately, you will also need to enable the ''legacy'' provider in OpenSSL.

Firstly, obtain the name of the VPN connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection name is ''vpn.example.com'', use ''nmcli'' like so:

$ nmcli connection modify vpn.example.com +vpn.data tls-cipher=DEFAULT:@SECLEVEL=0

The change should instantly be reflected in {{ic|/etc/NetworkManager/system-connections/vpn.example.com.nmconnection}}.

As for OpenSSL, edit {{ic|/etc/ssl/openssl.cnf}} as described on the [https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers OpenSSL wiki].

Specifically, at the end of the {{ic|[provider_sect]}} section add {{ic|1=legacy = legacy_sect}}. Under {{ic|[default_sect]}} uncomment {{ic|1=activate = 1}}. Lastly, add a new section {{ic|[legacy_sect]}} that also contains the line {{ic|1=activate = 1}}. Excluding most other preexisting configuration sections, the end result will look something like:

{{hc|/etc/ssl/openssl.cnf|2=
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
}}

Finally, [[restart]] the {{ic|NetworkManager.service}} to have the new OpenSSL configuration take effect.

=== WPA Enterprise connections fail to authenticate with OpenSSL "unsupported protocol" error ===

Since {{Pkg|openssl}} was updated to version 3, "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0" [https://www.openssl.org/news/openssl-3.0-notes.html by default]. Attempting to authenticate to a Wi-Fi network only supporting older standards results in the following error in the logs:

{{bc|
wpa_supplicant[3320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[3320]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
}}

The correct approach is to convince the institution's administrator to upgrade the encrypted networking tunnel protocol to TLS 1.3 and optionally drop support for deprecated security standards, including TLS 1.0/1.1, DTLS 1.0 and SSL 1-3. However, as an immediate workaround, there are multiple ways to allow TLS 1.0 and/or 1.1 by default. One way would be to manually patch or revert the breaking changes in OpenSSL ([https://github.com/openssl/openssl/commit/7bf2e4d7f0c7ae19b7a8c416910886a7171e9820]). As this also lowers security for all other programs using OpenSSL level 1, it is not recommended. Instead, one can directly set the level used by wpa_supplicant, like described in [https://bbs.archlinux.org/viewtopic.php?id=286417#p2104492 BBS#286417]. To only change the affected connection, it is possible to set {{ic|1=phase1-auth-flags=32}} or {{ic|1=phase1-auth-flags=64}} in the {{ic|1=[802-1x]}} section of the connection's configuration file. This may not be possible through GUIs, but it is possible with ''nmcli''.

Firstly, obtain the name of the Wi-Fi connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection uses TLS 1.0 and its name is ''Example Wi-Fi'', use ''nmcli'' like so:

$ nmcli connection modify 'Example Wi-Fi' 802-1x.phase1-auth-flags 32

And for a TLS 1.1 connection, type "64" instead:

$ nmcli connection modify 'Example Wi-Fi' 802-1x.phase1-auth-flags 64

{{Note|1=The number you type in refers to the number you get from raising 2 to the power of '''n'''. Here, '''n''' is the index of the network authentication bit octet, read from right to left. Flipping the fifth bit enables TLS 1.0 '''[log(2) 32]''' and flipping the sixth bit enables TLS 1.1 '''[log(2) 64]'''.}}

The change should instantly be reflected in {{ic|/etc/NetworkManager/system-connections/Example Wi-Fi.nmconnection}}.

Finally, [[restart]] the {{ic|NetworkManager.service}} to have the new OpenSSL configuration take effect.

== See also ==

* [https://blogs.gnome.org/dcbw/2015/02/16/networkmanager-for-administrators-part-1/ NetworkManager for Administrators Part 1]

Ruby package guidelines

2026-05-16T13:49:11Z

Lahwaacz: flag for moving to the Developer Manual

[[Category:Arch package guidelines]]
[[ja:Ruby Gem パッケージガイドライン]]
{{Package guidelines}}

{{Move|developer-manual:package-guidelines/ruby|This page is being migrated to the ''Developer Manual''. Further changes should be contributed via [https://gitlab.archlinux.org/archlinux/developer-manual/-/merge_requests/4 merge request].}}

This document covers standards and guidelines on writing [[PKGBUILD]]s for software that uses {{Pkg|ruby}}.

== Package naming ==

For libraries, use {{ic|ruby-$_name}} (where {{ic|$_name}} is the upstream project name). For applications, use the project name (without the {{ic|ruby-}} prefix) and optionally add {{ic|ruby-$_name}} to {{ic|provides}}.

== Build and tests ==

Ruby packages should be built from upstream sources as this provides a transparent chain of trust for the build. To ensure integration with the existing set of Ruby packages, it is expected to run tests using {{Pkg|ruby-rake}} or {{Pkg|ruby-rspec}}.

{{Note|To detect dependency changes in between releases of a project, have a close look at the {{ic|.gemspec}} or {{ic|Gemfile}} upon update.}}

== Template ==

{{hc|head=PKGBUILD|output=
prepare() {
cd "${_name}-${pkgver}"

# update gemspec/Gemfile to allow newer version of the dependencies
sed --in-place --regexp-extended 's{{!}}~>{{!}}>={{!}}g' "${_name}.gemspec"
}

build() {
cd "${_name}-${pkgver}"

local _gemdir="$(gem env gemdir)"

gem build "${_name}.gemspec"

gem install \
--local \
--verbose \
--ignore-dependencies \
--build-root "tmp_install" \
"${_name}-${pkgver}.gem"

# remove unrepreducible files
rm --force --recursive --verbose \
"tmp_install/${_gemdir}/cache/" \
"tmp_install/${_gemdir}/gems/${_name}-${pkgver}/vendor/" \
"tmp_install/${_gemdir}/doc/${_name}-${pkgver}/ri/ext/"

find "tmp_install/${_gemdir}/gems/" \
-type f \
$ \
-iname "*.o" -o \
-iname "*.c" -o \
-iname "*.so" -o \
-iname "*.time" -o \
-iname "gem.build_complete" -o \
-iname "Makefile" \
$ \
-delete

find "tmp_install/${_gemdir}/extensions/" \
-type f \
$ \
-iname "mkmf.log" -o \
-iname "gem_make.out" \
$ \
-delete
}

check() {
cd "${_name}-${pkgver}"

local _gemdir="$(gem env gemdir)"

GEM_HOME="tmp_install/${_gemdir}" rake test
}

package() {
cd "${_name}-${pkgver}"

cp --archive --verbose tmp_install/* "${pkgdir}"

install --verbose -D --mode=0644 LICENSE --target-directory "${pkgdir}/usr/share/licenses/${pkgname}"
install --verbose -D --mode=0644 *.md --target-directory "${pkgdir}/usr/share/doc/${pkgname}"
}
}}

== Tips and tricks ==

=== The gem is deriving the files to add with "git ls-files" ===

In this case you can add the following {{ic|sed}} command to the {{ic|prepare()}} function:

{{bc|
# we don't build from a git checkout
sed --in-place --regexp-extended 's{{!}}git ls-files{{!}}find . -type f -not -path "*/\.git/*"{{!}}' "${_name}.gemspec"
}}

=== The upstream project is using "rspec" to run tests ===

In this case you can replace the code line in the {{ic|check()}} function with the following:

GEM_HOME="tmp_install/${_gemdir}" rspec

== See also ==

* [https://www.ruby-lang.org/en/documentation/ Ruby language documentation]
* [https://ruby.github.io/rake/ Rake documentation]
* [https://guides.rubygems.org/ Rubygems documentation]
* {{man|1|ruby}}

Rust package guidelines

2026-05-16T13:47:38Z

Lahwaacz: flag for moving to the Developer Manual

[[Category:Arch package guidelines]]
[[ja:Rust パッケージガイドライン]]
[[pt:Rust package guidelines]]
[[zh-hans:Rust 软件打包准则]]
{{Package guidelines}}

{{Move|developer-manual:package-guidelines/rust|This page is being migrated to the ''Developer Manual''. Further changes should be contributed via [https://gitlab.archlinux.org/archlinux/developer-manual/-/merge_requests/5 merge request].}}

This document covers standards and guidelines on writing [[PKGBUILD]]s for software written in [[Rust]].

== Package naming ==

When packaging [[Rust]] projects, the package name should almost always be the same as the name of the generated binary. Note that it does not make any sense to package library crates, so only crates with bins will be packaged. For ones that generate more than one binary, the upstream crate name is usually appropriate. In any event the package name should be entirely lowercase.

== Source ==

Most Rust projects may be built from tarballs, source archives (e.g. source links on GitHub releases), or any other published source.

When other sources are not available, most Rust projects are published on [https://crates.io crates.io] which provides a stable download URL scheme for use with [[cargo]]. The downside of this source is that it usually does not include all the test files, license files, or other assets normally in the other sources. If needed, the [[PKGBUILD#source]] can use the following template:

<nowiki>source=("$pkgname-$pkgver.tar.gz::https://static.crates.io/crates/$pkgname/$pkgname-$pkgver.crate")</nowiki>

== Depends ==

While some Rust projects have external dependencies, most just use Rust ecosystem libraries that are statically embedded in the final binary. As such most projects will not need to specify many {{ic|depends}}. The usual exceptions that most Rust binaries do link against glibc libraries, so {{ic|libgcc}} and {{ic|glibc}} are typically dependencies of most Rust packages. There may be more if the build process looks for and links against any system libraries.

For {{ic|makedepends}}, the vast majority of Rust projects are designed to be built using the [[cargo]] dependency manager, which both orchestrates the download of libraries to satisfy build time dependencies as well as makes all the necessary calls to {{ic|rustc}}, the actual Rust compiler. Currently both ''cargo'' and ''rustc'' are provided by the {{Pkg|rust}} package, but there are also alternative ways of getting both of these together or separately including the {{Pkg|rustup}} package. As such, the tool most PKGBUILDs are going to call is ''cargo'' and you should depend directly on it.

makedepends=(cargo)

If a project requires the use of a nightly version of the Rust tool chain, use:

makedepends=(cargo-nightly)

== Prepare ==

The rust dependency manager [[cargo]] is able to download all the libraries required to build a project ahead of time. Running this fetch in the {{ic|prepare()}} stage enables the later {{ic|build()}} and other stages to be run entirely offline.

prepare() {
export RUSTUP_TOOLCHAIN=stable
cargo fetch --locked --target host-tuple
}

where:

* {{ic|1=RUSTUP_TOOLCHAIN=stable}} makes sure the default tool chain is set to ''stable'' in the event users have changed their default. Of course this should be set to ''nightly'' in the event that's what the upstream project requires. This avoids a common side effect of user preferences when not building in a chroot. Also note this is ''not required'' if the upstream project has a {{ic|rust-toolchain}} file or {{ic|rust-toolchain.toml}} file in their sources that serves this purpose.
* {{ic|--locked}} tells ''cargo'' to strictly adhere to the versions specified in the {{ic|Cargo.lock}} file and prevent it from updating dependencies. This is important for [https://reproducible-builds.org/ reproducible builds].
* {{ic|--target host-tuple}} tells ''cargo'' to only fetch dependencies needed for the specific target platform being built, thus reducing downloads (see [https://doc.rust-lang.org/cargo/commands/cargo-fetch.html#fetch-options Fetch options]).

{{Note|If building a VCS package for an upstream source project that does not keep its {{ic|Cargo.lock}} file in sync with {{ic|Cargo.toml}} between release cycles, add {{ic|cargo update}} before running {{ic|cargo fetch}}. All other aspects of the build should work as documented here, although the result will not be a fully reproducible build because the dependencies will be resolved at build time.}}

== Build ==

Building a Rust package.

build() {
export RUSTUP_TOOLCHAIN=stable
export CARGO_TARGET_DIR=target
cargo build --frozen --release --all-features
}

where:

* {{ic|--release}} tells ''cargo'' to compile a release build (the default is a debug build)
* {{ic|--frozen}} tells ''cargo'' to stay offline and only use the versions specified in the {{ic|Cargo.lock}} file and as cached by the fetch run in the {{ic|prepare()}} stage. This is functionally equivalent to {{ic|--locked --offline}}, which may also be used. This is important for [https://reproducible-builds.org/ reproducible builds].
* {{ic|--all-features}} tells ''cargo'' to compile with all features of the package enabled. Alternatively, use {{ic|--features ''FEATURE1'',''FEATURE2''}} if you want enable only selected features.
* {{ic|1=CARGO_TARGET_DIR=target}} tells ''cargo'' to place the output in ''target'' relative to the current directory. This avoids a common side effect of user preferences when not building in a chroot.

{{Note|The two environment variables are not needed for Arch repository packages because they are ''always'' built in chroot environments with default settings. They are included here for the convenience of AUR users that may not realize the consequences of changing their user default settings and not using chroots when building packages.}}

== Check ==

Most Rust projects provide a simple way to run the test suite.

check() {
export RUSTUP_TOOLCHAIN=stable
cargo test --frozen --all-features
}

You should also check if the repository is a [https://doc.rust-lang.org/cargo/reference/workspaces.html cargo workspace]. Just open up {{ic|/Cargo.toml}} and see if it contains a {{ic|[workspace]}} section. If so, you should add the {{ic|--workspace}} flag to {{ic|cargo test}} to ensure that all tests of the workspace members are run too.

{{Note|Avoid using the {{ic|--release}} flag when running tests, because it enables compiler optimizations and disables some features like integer overflow checks and {{ic|debug_assert!()}} macro, so in theory you ''could'' end up catching less problems. Since the final binary artifacts being tested are not the same as the ones we package anyway and we are not testing the build toolchain, for most Rust projects there is nothing to gain by testing in release mode.}}

== Package ==

Rust builds binaries in {{ic|target/release}} and can simply be installed to {{ic|/usr/bin}}.

package() {
install -Dm0755 -t "$pkgdir/usr/bin/" "target/release/$pkgname"
}

If a package has more than one executable in {{ic|/usr/bin}} you can use find command:

package() {
find target/release \
-maxdepth 1 \
-executable \
-type f \
-exec install -Dm0755 -t "$pkgdir/usr/bin/" {} +
}

=== Notes about using cargo install ===

Some packages should install more files such as a man page or other assets. In the event that such a package does not have any other way to install these, one can use {{ic|cargo install}}. In this case {{ic|build()}} is unnecessary because {{ic|cargo install}} forces rebuilding even if the package already has been built by using {{ic|cargo build}}. The {{ic|prepare()}} stage can still be used to fetch sources ahead of time:

package() {
export RUSTUP_TOOLCHAIN=stable
cargo install --no-track --frozen --all-features --root "$pkgdir/usr/" --path .
}

The {{ic|--no-track}} argument should always be used, otherwise {{ic|cargo install}} will create unwanted files such as {{ic|/usr/.crates.toml}} or {{ic|/usr/.crates2.json}}.

== Complete PKGBUILD template ==

{{bc|1=
<nowiki>
# Maintainer: Firstname Lastname <email@example.org>

pkgname=
pkgver=
pkgrel=1
pkgdesc=''
url=''
license=()
makedepends=('cargo')
depends=()
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
source=()
b2sums=()

prepare() {
export RUSTUP_TOOLCHAIN=stable
cargo fetch --locked --target host-tuple
}

build() {
export RUSTUP_TOOLCHAIN=stable
export CARGO_TARGET_DIR=target
cargo build --frozen --release --all-features
}

check() {
export RUSTUP_TOOLCHAIN=stable
cargo test --frozen --all-features
}

package() {
install -Dm0755 -t "$pkgdir/usr/bin/" "target/release/$pkgname"
# for custom license, e.g. MIT
# install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}
</nowiki>
}}

== Example packages ==

Click ''Package Actions > Source Files'' in the package page to see its example PKGBUILD.

* {{Pkg|cbindgen}}
* {{Pkg|ripgrep}}

Category:Pages or sections flagged with Template:Merge

2026-05-16T12:55:41Z

Lahwaacz: Reverted edit by Lahwaacz.bot (talk) to last revision by Lahwaacz

Category:Archive

2026-05-16T12:50:45Z

Lahwaacz: Reverted edit by Lahwaacz.bot (talk) to last revision by Lahwaacz

This category groups pages that have been [[ArchWiki:Archive|archived]].

Go package guidelines

2026-05-15T19:33:13Z

Lahwaacz: flag for moving

[[Category:Arch package guidelines]]
[[ja:Go パッケージガイドライン]]
[[pt:Go package guidelines]]
[[zh-hans:Go package guidelines]]
{{Package guidelines}}

{{Move|developer-manual:package-guidelines/go|This page is being migrated to the ''Developer Manual''. Further changes should be contributed via [https://gitlab.archlinux.org/archlinux/developer-manual/-/merge_requests/8 merge request].}}

This document covers standards and guidelines on writing [[PKGBUILD]]s for [[Go]].

== General guidelines ==

=== Package naming ===

Use {{ic|go-''modulename''}} if the package provides a program that is strongly coupled to the Go ecosystem. For other applications, use only the program name.

{{Note|The package name should be entirely lowercase.}}

== Building ==

=== Dependencies ===

Go 1.11 introduced the initial support for [https://github.com/golang/go/wiki/Modules go modules]. This allows Go upstream code to declare dependencies and pin them to the given project version. Currently our packaging efforts utilize this to vendor dependencies.

==== Upstream project without go modules ====

For upstream code that does not utilise Go modules, the following workaround exists. Consider filing an issue upstream.

{{hc|PKGBUILD|2=
<nowiki>
url=https://github.com/upstream_user/upstream_project

prepare() {
cd "$pkgname-$pkgver"
go mod init "${url#https://}" # strip https:// from canonical URL
go mod tidy
}
</nowiki>
}}

{{Note|Any such hacks makes the package unreproducible as modules will change between package builds.}}

==== Upstream project with go modules ====

By default, go will use {{ic|GOPATH}} to download and store go modules.
It will grow the user {{ic|~/go}} directory.

To keep all go modules in the package build environment, you can add a prepare step to configure {{ic|1=GOPATH="${srcdir}"}}, and download the go modules in the package src directory.

{{hc|PKGBUILD|2=
<nowiki>
prepare() {
cd "${pkgname}-${pkgver}"
export GOPATH="${srcdir}"
go mod download -modcacherw
}
</nowiki>
}}

=== Flags and build options ===

Go does not automatically pass system build flags ({{ic|CFLAGS}}, {{ic|LDFLAGS}}, etc.) to its C toolchain. To compile Go binaries with [https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro RELRO] and other hardening flags, {{ic|CGO_CFLAGS}}, {{ic|CGO_LDFLAGS}}, and related variables must be explicitly set in the build environment.

{{bc|1=
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"

# or alternatively you can define some of these flags from the CLI options
go build \
-trimpath \
-buildmode=pie \
-mod=readonly \
-modcacherw \
-ldflags "-linkmode external -extldflags \"${LDFLAGS}\"" \
.
}}

{{Note|Most Makefiles written for Go applications overwrite {{ic|GOFLAGS}} and do not pass the above flags to the compiler. If the upstream project uses a Makefile, it must either be patched to respect these flags or be bypassed in favor of invoking {{ic|go build}} directly.}}

==== Flag meaning ====

* {{ic|1=-buildmode=pie}} enables [[Wikipedia:Position-independent code|PIE compilation]] for binary hardening.
* {{ic|-trimpath}} important for [[reproducible builds]] so full build paths and module paths are not embedded.
* {{ic|1=-mod=readonly}} ensure the module files are not updated in any go actions.
* {{ic|-modcacherw}} is not important, but it ensures that go modules creates a write-able path. Default is read-only.

{{Tip|When package sources include a {{ic|vendor}} directory with {{ic|modules.txt}}, the {{ic|-mod}} flag can safely be changed to {{ic|1=-mod=vendor}}.}}

{{Warning|It is up to the packager to verify the build flags are passed correctly to the compiler. Read the {{ic|Makefile}} if there is one.}}

==== Supporting debug packages ====

Enabling debug packages with source listing and proper symbol look ups require a few modifications to the default buildflags.

* Removal of {{ic|-trimpath}} to ensure source paths are rewritten in the binary
* Include {{ic|1=-compressdwarf=false}} in {{ic|-ldflags}} to ensure we can parse the DWARF headers as current tooling does not support compressed headers.
* Ensure {{ic|1=-linkmode=external}} as the internal linker go uses does not embed a build-id into the binary.
* Include {{ic|1=GOPATH="${srcdir}"}} so ''makepkg'' can include the source code for all modules.

The above options should produce a debug package with proper detached symbols and source listings which can then be picked up by the debugger.

{{bc|1=
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOPATH="${srcdir}"
export GOFLAGS="-buildmode=pie -mod=readonly -modcacherw"

go build -ldflags "-compressdwarf=false -linkmode external" .
}}

=== Output directory ===

There are currently a few ways to build all go binaries in a project.

{{bc|
build(){
cd "$pkgname-$pkgver"
go build -o output-binary .
}
}}

{{ic|...}} is a shorthand for the compiler to recursively descend into the directory and find all binaries. It can be used in conjunction with a output directory to build everything.

{{bc|
prepare(){
cd "$pkgname-$pkgver"
mkdir -p build
}

build(){
cd "$pkgname-$pkgver"
go build -o build ./cmd/...
}
}}

== Sample PKGBUILD ==

{{bc|<nowiki>
pkgname=foo
pkgver=0.0.1
pkgrel=1
pkgdesc='Go PKGBUILD Example'
arch=('x86_64')
url="https://example.org/$pkgname"
license=('GPL')
makedepends=('go')
source=("$url/$pkgname-$pkgver.tar.gz")
sha256sums=('1337deadbeef')

prepare(){
cd "$pkgname-$pkgver"
mkdir -p build/
}

build() {
cd "$pkgname-$pkgver"
export GOPATH="${srcdir}"
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
go build -o build ./cmd/...
}

check() {
cd "$pkgname-$pkgver"
go test ./...
}

package() {
cd "$pkgname-$pkgver"
install -Dm755 build/$pkgname "$pkgdir"/usr/bin/$pkgname
}
</nowiki>}}

== Example packages ==

* {{Pkg|podman}}
* {{Pkg|k9s}}
* {{Pkg|helm}}

DeveloperWiki:Staff Services

2026-05-15T19:29:16Z

Lahwaacz: update after interwiki prefix change

#REDIRECT [[developer-manual:staff/staff-services]]

User:Eschwartz/Staff Services

2026-05-15T19:28:56Z

Lahwaacz: update after interwiki prefix change

#REDIRECT [[developer-manual:staff/staff-services]]

DeveloperWiki:Build machines

2026-05-15T19:28:35Z

Lahwaacz: update after interwiki prefix change

#REDIRECT [[developer-manual:staff/staff-services#build-server-buildarchlinuxorg]]

DeveloperWiki:PKGBUILD.com

2026-05-15T19:28:11Z

Lahwaacz: update after interwiki prefix change

#REDIRECT [[developer-manual:staff/staff-services#public-html--home-directory-pkgbuildcom]]

Data-at-rest encryption

2026-05-10T17:45:16Z

Lahwaacz: Undo revision 872878 by Ua4000 (talk) - does not fit in this section, or this page actually (read the first paragraph for intended scope)

[[Category:Data-at-rest encryption]]
[[es:Data-at-rest encryption]]
[[it:Data-at-rest encryption]]
[[ja:保存データ暗号化]]
[[pt:Data-at-rest encryption]]
[[ru:Data-at-rest encryption]]
[[zh-hans:Data-at-rest encryption]]
{{Related articles start}}
{{Related|dm-crypt}}
{{Related|VeraCrypt}}
{{Related|eCryptfs}}
{{Related|EncFS}}
{{Related|gocryptfs}}
{{Related|fscrypt}}
{{Related|Tomb}}
{{Related|tcplay}}
{{Related|GnuPG}}
{{Related|Sequoia PGP}}
{{Related|OpenPGP}}
{{Related|Self-encrypting drives}}
{{Related|dm-crypt/Encrypting an entire system}}
{{Related articles end}}
This article discusses [[Wikipedia:Data at rest|data-at-rest]] [[Wikipedia:Disk encryption|encryption]] software, which on-the-fly encrypts / decrypts data written to / read from a [[block device]], [[disk partition]] or directory. Examples for block devices are hard drives, flash drives and DVDs.

Data-at-rest encryption should only be viewed as an adjunct to the existing security mechanisms of the operating system - focused on securing physical access, while relying on ''other'' parts of the system to provide things like network security and user-based access control.

== Why use encryption? ==

Data-at-rest encryption ensures that files are always stored on disk in an encrypted form. The files only become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user (data [[Wikipedia:Data in use|in use]] or [[Wikipedia:Data in transit|in transit]]). An unauthorized person looking at the disk contents directly, will only find garbled random-looking data instead of the actual files.

For example, this can prevent unauthorized viewing of the data when the computer or hard-disk is:

* located in a place to which non-trusted people might gain access while you are away
* lost or stolen, as with laptops, netbooks or external storage devices
* in the repair shop
* discarded after its end-of-life

In addition, data-at-rest encryption can also be used to add some security against unauthorized attempts to tamper with your operating system – for example, the installation of keyloggers or Trojan horses by attackers who can gain physical access to the system while you are away.

{{Warning|Data-at-rest encryption does not protect your data from all threats.

You will still be vulnerable to:

* Attackers who can break into your system (e.g. over the Internet) while it is running and after you have already unlocked and mounted the encrypted parts of the disk.
* Attackers who are able to gain physical access to the computer while it is running (even if you use a screenlocker), or very shortly ''after'' it was running, if they have the resources to perform a [[Wikipedia:Cold boot attack|cold boot attack]].
* A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of [[Wikipedia:Coercion|coercion]]. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest.
* [[Wikipedia:Rubber-hose cryptanalysis|Rubber-hose cryptanalysis]]. Also see [https://xkcd.com/538/ XKCD #538]

Data-at-rest encryption also will not protect you against someone simply [[Securely wipe disk|wiping your disk]]. [[Backup programs|Regular backups]] are recommended to keep your data safe.
}}

A very strong disk encryption setup (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system ''before'' you use it. And even then it cannot prevent all types of tampering (e.g. hardware keyloggers). The best remedy might be [[hardware-based full-disk encryption]] and [[Wikipedia:Trusted Computing|Trusted Computing]].

=== System data encryption ===

While encrypting only the user data itself (often located within the home directory, or on removable media like a data DVD), is the simplest and least intrusive method, it has some significant drawbacks.
In modern computer systems, there are many background processes that may cache and store information about user data or parts of the data itself in non-encrypted areas of the hard drive, like:

:* swap partitions
:** (potential remedies: disable swapping, or use [[encrypted swap]] as well)
:* {{ic|/tmp}} (temporary files created by user applications)
:** (potential remedies: avoid such applications; mount {{ic|/tmp}} inside a [[ramdisk]])
:* {{ic|/var}} (log files and databases and such; for example, [[locate]] stores an index of all file names in {{ic|/var/lib/plocate/plocate.db}})

The solution is to encrypt both system and user data, preventing unauthorized physical access to private data that may be cached by the system. This however comes with the disadvantage that unlocking of the encrypted parts of the disk has to happen at boot time. Another benefit of system data encryption is that it complicates the installation of malware like [[Wikipedia:Keystroke logging|keyloggers]] or rootkits for someone with physical access.

== Preparation ==

=== Choosing a setup ===

Which encryption setup is appropriate for you will depend on your goals (please read [[#Why use encryption?]] above) and system parameters.

Among other things, you will need to answer the following questions:

;What kind of "attacker" do you want to protect against?

* Casual computer user snooping around your disk when your system is turned off, stolen, etc.
* Professional cryptanalyst who can get repeated read/write access to your system before and after you use it
* Anyone in between

;What do you want to encrypt?

* Only user data
* User data and system data
* Only confidential data, i.e. a subset of your data

;How should swap, {{ic|/tmp}}, etc. be taken care of?

* Disable or mount as ramdisk
* Encrypted swap
** Swapfile as part of full disk encryption
** Encrypt swap partition separately

;How should encrypted parts of the disk be unlocked?

* Passphrase
** Same as login password
** Different to login password
* Keyfile (e.g. on a USB stick, that you keep in a safe place or carry around with yourself)
* Both

;''When'' should encrypted parts of the disk be unlocked?

* Before boot
* During boot
* At login
* Manually on demand ''(after login)''

;How should multiple users be accommodated?

* Not at all
* Using a shared passphrase (or keyfile) known to every user
* Independently issued and revocable passphrases (or keyfiles) for the same encrypted part of the disk
* Separate encrypted parts of the disk for different users

Then you can go on to make the required technical choices (see [[#Available methods]] and [[#How the encryption works]] below), regarding:

* stacked filesystem encryption vs. blockdevice encryption
* key management
* cipher and mode of operation
* metadata storage
* location of the "lower directory" (in case of stacked filesystem encryption)

=== Preparing the disk ===

Before setting up encryption on a (part of a) disk, consider securely wiping it first. This consists of overwriting the entire drive or partition with a stream of zero bytes or random bytes, and is done for one or both of the following reasons:

;Prevent recovery of previously stored data

Disk encryption does not change the fact that individual sectors are only overwritten on demand, when the file system creates or modifies the data those particular sectors hold (see [[#How the encryption works]] below). Sectors which the filesystem considers "not currently used" are not touched, and may still contain remnants of data from previous filesystems. The only way to make sure that all data which you previously stored on the drive can not be [[Wikipedia:Data recovery|recovered]], is to manually erase it.
For this purpose it does not matter whether zero bytes or random bytes are used (although wiping with zero bytes will be much faster).

;Prevent disclosure of usage patterns on the encrypted drive

Ideally, the whole encrypted part of the disk should be indistinguishable from uniformly random data. This way, no unauthorized person can know which and how many sectors actually contain encrypted data - which may be a desirable goal in itself (as part of true confidentiality), and also serves as an additional barrier against attackers trying to break the encryption.
In order to satisfy this goal, wiping the disk using high-quality random bytes is crucial.

The second goal only makes sense in combination with block device encryption, because in the case of stacked filesystem encryption the encrypted data can easily be located anyways (in the form of distinct encrypted files in the host filesystem). Also note that even if you only intend to encrypt a particular folder, you will have to erase the whole partition if you want to get rid of files that were previously stored in that folder in unencrypted form (due to [[Wikipedia:File system fragmentation|disk fragmentation]]). If there are other folders on the same partition, you will have to back them up and move them back afterwards.

Once you have decided which kind of disk erasure you want to perform, refer to the [[Securely wipe disk]] article for technical instructions.

{{Tip|In deciding which method to use for secure erasure of a hard disk drive, remember that this will not need to be performed more than once for as long as the drive is used as an encrypted drive.}}

=== Available methods ===

{{Expansion|[[Ext4]], [[ZFS]] and possible other filesystems offer (native) encryption.|section=Add filesystem encryption}}

All data-at-rest encryption methods operate in such a way that even though the disk actually holds encrypted data, the operating system and applications "see" it as the corresponding normal readable data as long as the cryptographic container (i.e. the logical part of the disk that holds the encrypted data) has been "unlocked" and mounted.

For this to happen, some "secret information" (usually in the form of a keyfile and/or passphrase) needs to be supplied by the user, from which the actual encryption key can be derived (and stored in the kernel keyring for the duration of the session).

If you are completely unfamiliar with this sort of operation, please also read the [[#How the encryption works]] section below.

The available data-at-rest encryption methods can be separated into two types by their layer of operation:

==== Stacked filesystem encryption ====

Stacked filesystem encryption solutions are implemented as a layer that stacks on top of an existing filesystem, causing all files written to an encryption-enabled folder to be encrypted on-the-fly before the underlying filesystem writes them to disk, and decrypted whenever the filesystem reads them from disk. This way, the files are stored in the host filesystem in encrypted form (meaning that their contents, and usually also their file/folder names, are replaced by random-looking data of roughly the same length), but other than that they still exist in that filesystem as they would without encryption, as normal files / symlinks / hardlinks / etc.

The way it is implemented, is that to unlock the folder storing the raw encrypted files in the host filesystem ("lower directory"), it is mounted (using a special stacked pseudo-filesystem) onto itself or optionally a different location ("upper directory"), where the same files then appear in readable form - until it is unmounted again, or the system is turned off.

Available solutions in this category include [[eCryptfs]] and [[EncFS]], or one of the cloud-ready options below.

===== Cloud-storage optimized =====

If you are deploying stacked filesystem encryption to achieve zero-knowledge synchronization with third-party-controlled locations such as cloud-storage services, you may want to consider alternatives to eCryptfs and EncFS, since these are not optimized for transmission of files over the Internet. There are some solutions designed for this purpose instead:

* [[gocryptfs]]
* {{AUR|cryptomator}} or {{AUR|cryptomator-bin}} (multi-platform)
* {{Pkg|cryfs}}

Note that some cloud-storage services offer zero-knowledge encryption directly through their own [[List of applications/Internet#Cloud synchronization clients|client applications]].

==== Block device encryption ====

Block device encryption methods, on the other hand, operate ''below'' the filesystem layer and make sure that everything written to a certain block device (i.e. a whole disk, or a partition, or a file acting as a [[Wikipedia:loop device|loop device]]) is encrypted. This means that while the block device is offline, its whole content looks like a large blob of random data, with no way of determining what kind of filesystem and data it contains. Accessing the data happens, again, by mounting the protected container (in this case the block device) to an arbitrary location in a special way.

The following "block device encryption" solutions are available in Arch Linux:

;loop-AES: loop-AES is a descendant of cryptoloop and is a secure and fast solution to system encryption. However, loop-AES is considered less user-friendly than other options as it requires non-standard kernel support.

;dm-crypt: [[dm-crypt]] is the standard device-mapper encryption functionality provided by the Linux kernel. It can be used directly by those who like to have full control over all aspects of partition and key management. The management of dm-crypt is done with the {{Pkg|cryptsetup}} userspace utility. It can be used for the following types of block-device encryption: ''LUKS'' (default), ''plain'', and has limited features for ''loopAES'' and ''Truecrypt'' devices.
:* LUKS, used by default, is an additional convenience layer which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security.
:* plain dm-crypt mode, being the original kernel functionality, does not employ the convenience layer. It is more difficult to apply the same cryptographic strength with it. When doing so, longer keys (passphrases or keyfiles) are the result. It has, however, other advantages for very specific cases. For example, a single block device can be segmented and encrypted accordingly.

;TrueCrypt/VeraCrypt: A portable format, supporting encryption of whole disks/partitions or file containers, with compatibility across all major operating systems. TrueCrypt was discontinued by its developers in May 2014. The [[VeraCrypt]] fork was audited in 2016.

For practical implications of the chosen layer of operation, see the [[#Block device vs stacked filesystem encryption]] below, as well as the general write up for [https://www.systutorials.com/docs/linux/packages/ecryptfs-utils-111/ecryptfs-faq.html#compare eCryptfs]. See [[:Category:Encryption]] for the available content of the methods compared below, as well as other tools not included in the table.

=== Block device vs stacked filesystem encryption ===

{| class="wikitable left-align-row-headers" style="text-align:center;"
!
! Block device encryption
! Native/stacked filesystem encryption
|-
! Encrypts
| block devices
| files
|-
! Container for encrypted data may be...
| a disk or disk partition / a file as loop device
| a directory in an existing file system
|-
! Relation to filesystem
| operates below filesystem layer: does not care whether the content of the encrypted block device is a filesystem, a partition table, a LVM setup, or anything else
| adds encryption via filesystem-native features, or an additional/stacked encryption layer to an existing filesystem. Both automatically encrypt/decrypt files whenever they are written/read.
|-
! Encrypts file metadata (number of files, directory structure, file sizes, permissions, modification times, etc.)
| {{Yes}} (Using 'discard' may reveal file sizes)
| {{R|Partial (Filenames are encrypted, other metadata may be visible depending on features)}}
|-
! Can be used to custom-encrypt whole hard drives (including partition tables)
| {{Yes}}
| {{No}}
|-
! Can be used to encrypt swap space
| {{Yes}}
| {{No}}
|-
! Can be used without pre-allocating a fixed amount of space for the encrypted data container
| {{R|No (Using 'discard' may allow sparsely-allocated containers, at the cost of revealing file sizes)}}
| {{Yes}}
|-
! Can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
| {{No}}1
| {{Yes}}2
|-
! Allows offline file-based backups of encrypted files
| {{No}}
| {{Yes}}
|}

# well, a single file in those filesystems could be used as a container (virtual loop-back device!) but then one would not actually be using the filesystem (and the features it provides) anymore.
# No for ZFS. For other filesystem-native encryption mount restrictions may apply.

=== Comparison table ===

{{Expansion|Fill in blanks. Add sources to checkmarks / crosses. What is ''salt'', ''key-slot diffusion'' or ''key scrubbing''?}}

The column "dm-crypt +/- LUKS" denotes features of dm-crypt for both LUKS ("+") and plain ("-") encryption modes. If a specific feature requires using LUKS, this is indicated by "(with LUKS)". Likewise "(without LUKS)" indicates usage of LUKS is counter-productive to achieve the feature and plain mode should be used.

{| class="wikitable left-align-row-headers" style="text-align:center; cell-padding:100px; "
!{{Grey|Summary}}
! Loop-AES
! [[dm-crypt]] +/- LUKS
! [[VeraCrypt]]
! [[ZFS]]
! [[fscrypt]]
! [[eCryptfs]]
! [[EncFS]]
! [[gocryptfs]]
|-
! Encryption type
| block device
| block device
| block device
| native filesystem or block device
| native filesystem
| stacked filesystem
| stacked filesystem
| stacked filesystem
|-
! Note
| longest-existing one; possibly the fastest; works on legacy systems
| de-facto standard for block device encryption on Linux; very flexible
| maintained fork of TrueCrypt, supporting TrueCrypt and VeraCrypt volumes
| encryption feature relatively new (2019); encrypted block devices provided by ZVOL
| default for Chrome OS and Android encryption
| slightly faster than EncFS; individual encrypted files portable between systems
| easiest one to use; supports non-root administration
| aspiring successor of EncFS
|-
! Availability in Arch Linux
| requires manually compiled, custom kernel
| ''kernel modules:'' already shipped with default kernel; ''tools:'' {{Pkg|device-mapper}}, {{Pkg|cryptsetup}}
| {{Pkg|veracrypt}}
| [[ZFS#Installation]]
| ''kernel module:'' already shipped with default kernel; ''tool:'' {{Pkg|fscrypt}}
| ''kernel module:'' already shipped with default kernel; ''tools:'' {{Pkg|ecryptfs-utils}}
| {{Pkg|encfs}}
| {{Pkg|gocryptfs}}
|-
! License
| GPL
| GPL
| Apache License 2.0, parts subject to TrueCrypt License v3.0
| CDDL
| GPL (kernel), Apache 2.0 (userspace tool)
| GPL
| GPL
| MIT
|-
! Encryption implemented in...
| kernelspace
| kernelspace
| kernelspace
| kernelspace
| kernelspace
| kernelspace
| userspace ([[FUSE]])
| userspace ([[FUSE]])
|-
! Cryptographic metadata stored in...
| ?
| with LUKS: LUKS Header
| begin/end of (decrypted) device ([https://www.veracrypt.fr/en/VeraCrypt%20Volume%20Format%20Specification.html format spec])
| DSL (dataset & snapshot layer; [https://www.youtube.com/watch?v=frnLiXclAMo talk]/[https://blog.heckel.xyz/wp-content/uploads/2017/01/zfs-encryption-nov-2016.pdf slides])
| {{ic|.fscrypt}} directory at root of each filesystem
| header of each encrypted file
| control file at the top level of each EncFS container
| ?
|-
! Wrapped encryption key stored in...
| ?
| with LUKS: LUKS header
| begin/end of (decrypted) device ([https://www.veracrypt.fr/en/VeraCrypt%20Volume%20Format%20Specification.html format spec])
| DSL (dataset & snapshot layer; [https://www.youtube.com/watch?v=frnLiXclAMo talk]/[https://blog.heckel.xyz/wp-content/uploads/2017/01/zfs-encryption-nov-2016.pdf slides])
| {{ic|.fscrypt}} directory at root of each filesystem
| key file that can be stored anywhere
| key file that can be stored anywhere
[https://github.com/rfjakob/encfs-next/blob/master/encfs/encfs.pod#environment-variables][https://github.com/vgough/encfs/issues/48#issuecomment-69301831]
| ?
|-
! {{Grey|Usability features}}
! Loop-AES
! dm-crypt +/- LUKS
! VeraCrypt
! ZFS
! fscrypt
! eCryptfs
! EncFS
! gocryptfs
|-
! Non-root users can create/destroy containers for encrypted data
| {{No}}
| {{No}}
| {{No}}
| {{Yes}}
| {{Yes}}
| limited
| {{Yes}}
| {{Yes}}
|-
! Provides a GUI
| {{No}}
| {{No}}
| {{Yes}}
| {{No}}
| {{No}}
| {{No}}
| {{Yes}}
[[EncFS#Gnome Encfs Manager|optional]]
| {{No}}
|-
! Support for automounting on login
| ?
| {{Yes}}
| {{Yes}}
with [[VeraCrypt#Automounting using /etc/crypttab|systemd and /etc/crypttab]]
| {{Yes}} with [[ZFS#Unlock/Mount at boot time: systemd|systemd]]
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Support for automatic unmounting in case of inactivity
| ?
| ?
| ?
| {{No}}
| {{No}}
| ?
| {{Yes}}
| {{Yes|https://github.com/rfjakob/gocryptfs/blob/master/Documentation/MANPAGE.md#-i-duration--idle-duration}}
|-
! {{Grey|Security features}}
! Loop-AES
! dm-crypt +/- LUKS
! VeraCrypt
! ZFS
! fscrypt
! eCryptfs
! EncFS
! gocryptfs
|-
! Supported ciphers
| AES
| AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish,… (every cipher the kernel Crypto API offers)
| AES, Twofish, Serpent, Camellia, Kuznyechik
| AES
| AES, ChaCha12
| AES, Blowfish, Twofish...
| AES, Blowfish, Twofish, and any other ciphers available on the system
| AES
|-
! Integrity
| none
| optional in LUKS2
| none
| CCM, GCM
| none
| none
| none (default mode) HMAC (paranoia mode)
| GCM
|-
! Support for salting
| ?
| {{Yes}} (with LUKS)
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| ?
| {{Yes}}
|-
! Support for cascading multiple ciphers
| ?
| Not in one device, but blockdevices can be cascaded
| {{Yes}}
AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent
| {{No}}
| {{No}}
| ?
| {{No}}
| {{No}}
|-
! Support for key-slot diffusion
| ?
| {{Yes}} (with LUKS)
| ?
| ?
| {{No}}
| ?
| ?
| ?
|-
! Protection against key scrubbing
| {{Yes}}
| {{Yes}} (without LUKS)
| ?
| ?
| {{No}}
| ?
| ?
| ?
|-
! Support for multiple (independently revocable) keys for the same encrypted data
| ?
| {{Yes}} (with LUKS)
| ?
| {{No}}
| {{Yes}}
| ?
| {{No}}
| ?
|-
! {{Grey|Performance features}}
! Loop-AES
! dm-crypt +/- LUKS
! VeraCrypt
! ZFS
! fscrypt
! eCryptfs
! EncFS
! gocryptfs
|-
! Multithreading support
| ?
| {{Yes|https://kernelnewbies.org/Linux_2_6_38#head-49f5f735853f8cc7c4d89e5c266fe07316b49f4c}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| ?
| ?
| {{Yes}}
|-
! Hardware-accelerated encryption support
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes|https://github.com/vgough/encfs/issues/118}}
| {{Yes}}
|-
! {{Grey|Block device encryption specific}}
! Loop-AES
! dm-crypt +/- LUKS
! VeraCrypt
! ZFS
! colspan=4 rowspan=2 {{Grey|}}
|-
! Support for (manually) resizing the encrypted block device in-place
| ?
| {{Yes}}
| {{No}}
| {{Yes}}
|-
! {{Grey|Stacked filesystem encryption specific}}
! colspan=3 rowspan=5 {{Grey|}}
! ZFS
! fscrypt
! eCryptfs
! EncFS
! gocryptfs
|-
! Supported file systems
| ZFS
| ext4, F2FS, UBIFS
| ext3, ext4, xfs (with caveats), jfs, nfs...
| ext3, ext4, xfs (with caveats), jfs, nfs, cifs...
[https://github.com/vgough/encfs]
| any
|-
! Ability to encrypt filenames
| {{Yes|https://zfsonlinux.org/manpages/0.8.3/man8/zfs.8.html#lbAO}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
| {{Yes}}
|-
! Ability to ''not'' encrypt filenames
| {{No}}
| {{No}}
| {{Yes}}
| {{Yes}}
| {{Yes|https://github.com/rfjakob/gocryptfs/blob/master/Documentation/MANPAGE.md#-plaintextnames}}
|-
! Optimized handling of sparse files
| {{Yes}}
| {{Yes}}
| {{No}}
| {{Yes}}
| {{Yes}}
|-
! {{Grey|Compatibility & prevalence}}
! Loop-AES
! dm-crypt +/- LUKS
! VeraCrypt
! ZFS
! fscrypt
! eCryptfs
! EncFS
! gocryptfs
|-
! Supported Linux kernel versions
| 2.0 or newer
| CBC-mode since 2.6.4, ESSIV 2.6.10, LRW 2.6.20, XTS 2.6.24
| ?
| 2.6.32 or newer (as of 0.8.3)
| 4.1 or newer
| ?
| 2.4 or newer
| ?
|-
! Encrypted data can also be accessed from Windows
| ?
| ?
| {{Yes}}
| {{Yes}} [https://openzfsonwindows.org/ OpenZFS on Windows] ([https://github.com/openzfsonwindows/ZFSin repo])
| {{No}}
| ?
| {{No}} (requires admin rights)
| {{Yes}} ([https://github.com/bailey27/cppcryptfs cppcryptfs port])
|-
! Encrypted data can also be accessed from Mac OS X
| ?
| ?
| {{Yes}}
| {{Yes}} [https://openzfsonosx.org/ OpenZFS on OS X] ([https://github.com/openzfsonosx/zfs repo])
| {{No}}
| ?
| {{Yes|https://github.com/vgough/encfs/wiki/Mac-OS-X}}
| {{Yes|1=https://github.com/rfjakob/gocryptfs?tab=readme-ov-file#platforms}} (beta quality)
|-
! Encrypted data can also be accessed from FreeBSD
| ?
| ?
| {{Yes}}
| {{Yes}} [https://zfsonfreebsd.github.io/ZoF/ ZFS on FreeBSD] (native; [https://github.com/zfsonfreebsd/ZoF repo])
| {{No}}
| ?
| {{Yes|https://www.freshports.org/sysutils/fusefs-encfs/}}
| {{No|https://github.com/rfjakob/gocryptfs/discussions/741}}
|-

! Used by
| ?
| Debian/Ubuntu installer (system encryption) Fedora installer
| ?
| ?
| Android, Chrome OS
| ?
| ?
| ?
|}

=== Examples ===

In practice, it could turn out something like:

;Example 1: Simple user data encryption (internal hard drive) using a virtual folder called {{ic|~/Private}} in the user's home directory encrypted with [[EncFS]]
:* encrypted versions of the files stored on-disk in {{ic|~/.Private}}
:* unlocked on demand with dedicated passphrase

;Example 2: Partial system encryption with each user's home directory encrypted with [[ECryptfs]]
:* unlocked on respective user login, using login passphrase
:* {{ic|swap}} and {{ic|/tmp}} partitions encrypted with [[Dm-crypt with LUKS]], using an automatically generated per-session throwaway key
:* indexing/caching of contents of {{ic|/home}} by ''slocate'' (and similar applications) disabled.

;Example 3: System encryption - whole hard drive except {{ic|/boot}} partition (however, {{ic|/boot}} can be encrypted with [[Dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB)|GRUB]]) encrypted with [[Dm-crypt with LUKS]]
:* unlocked during boot, using passphrases or USB stick with keyfiles
:* Maybe different passphrases/keys per user - independently revocable
:* Maybe encryption spanning multiple drives or partition layout flexibility with [[Dm-crypt/Encrypting an entire system#LUKS on LVM|LUKS on LVM]]

;Example 4: Hidden/plain system encryption - whole hard drive encrypted with [[dm-crypt|plain dm-crypt]]
:* USB-boot, using dedicated passphrase plus USB stick with keyfile
:* data integrity checked before mounting
:* {{ic|/boot}} partition located on aforementioned USB stick

;Example 5: File container encryption - a pre-allocated file serves as encrypted container for user data
:* A file such as {{ic|~/.volume.img}} is encrypted with [[Dm-crypt/Encrypting a non-root file system#File container]]
:* Occasional backup by copying the whole container to a remote host

Many other combinations are of course possible. You should carefully plan what kind of setup will be appropriate for your system.

== How the encryption works ==

This section is intended as a high-level introduction to the concepts and processes which are at the heart of usual disk encryption setups.

It does not go into technical or mathematical details (consult the appropriate literature for that), but should provide a system administrator with a rough understanding of how different setup choices (especially regarding key management) can affect usability and security.

=== Basic principle ===

For the purposes of disk encryption, each blockdevice (or individual file in the case of stacked filesystem encryption) is divided into '''sectors''' of equal length, for example 512 bytes (4096 bits). The encryption/decryption then happens on a per-sector basis, so the n'th sector of the blockdevice/file on disk will store the encrypted version of the n'th sector of the original data.

Whenever the operating system or an application requests a certain fragment of data from the blockdevice/file, the whole sector (or sectors) that contains the data will be read from disk, decrypted on-the-fly, and temporarily stored in memory:

{{Text art|<nowiki>
╔═══════╗
sector 1 ║"???.."║
╠═══════╣ ╭┈┈┈┈┈╮
sector 2 ║"???.."║ ┊ key ┊
╠═══════╣ ╰┈┈┬┈┈╯
: : │
╠═══════╣ ▼ ┣┉┉┉┉┉┉┉┫
sector n ║"???.."║━━━━━━(decryption)━━━━━━━▶┋"abc.."┋ sector n
╠═══════╣ ┣┉┉┉┉┉┉┉┫
: :
╚═══════╝

encrypted unencrypted
blockdevice or data in RAM
file on disk
</nowiki>}}

Similarly, on each write operation, all sectors that are affected must be re-encrypted completely (while the rest of the sectors remain untouched).

In order to be able to de/encrypt data, the disk encryption system needs to know the unique secret "key" associated with it. Whenever the encrypted block device or folder in question is to be mounted, its corresponding key (called henceforth its "master key") must be supplied.

The entropy of the key is of utmost importance for the security of the encryption. A randomly generated byte string of a certain length, for example 32 bytes (256 bits), has desired properties but is not feasible to remember and apply manually during the mount.

For that reason two techniques are used as aides. The first is the application of cryptography to increase the entropic property of the master key, usually involving a separate human-friendly passphrase. For the different types of encryption the [[#Comparison table]] lists respective features. The second method is to create a keyfile with high entropy and store it on a medium separate from the data drive to be encrypted.

See also [[Wikipedia:Authenticated encryption]].

=== Keys, keyfiles and passphrases ===

The following are examples how to store and cryptographically secure a master key with a keyfile:

;Stored in a plaintext keyfile

Simply storing the master key in a file (in readable form) is the simplest option. The file - called a "keyfile" - can be placed on a USB stick that you keep in a secure location and only connect to the computer when you want to mount the encrypted parts of the disk (e.g. during boot or login).

;Stored in passphrase-protected form in a keyfile or on the disk itself

The master key (and thus the encrypted data) can be protected with a secret passphrase, which you will have to remember and enter each time you want to mount the encrypted block device or folder. See [[#Cryptographic metadata]] below for details.

;Randomly generated on-the-fly for each session

In some cases, e.g. when encrypting swap space or a {{ic|/tmp}} partition, it is not necessary to keep a persistent master key at all. A new throwaway key can be randomly generated for each session, without requiring any user interaction. This means that once unmounted, all files written to the partition in question can never be decrypted again by ''anyone'' - which in those particular use-cases is perfectly fine.

=== Cryptographic metadata ===

Frequently the encryption techniques use cryptographic functions to enhance the security of the master key itself. On mount of the encrypted device the passphrase or keyfile is passed through these and only the result can unlock the master key to decrypt the data.

A common setup is to apply so-called "key stretching" to the passphrase (via a "key derivation function"), and use the resulting enhanced passphrase as the mount key for decrypting the actual master key (which has been previously stored in encrypted form):

{{Text art|<nowiki>
╭┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈╮ ╭┈┈┈┈┈┈┈┈┈┈┈╮
┊ mount passphrase ┊━━━━⎛key derivation⎞━━━━▶┊ mount key ┊
╰┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈╯ ,──⎝ function ⎠ ╰┈┈┈┈┈┬┈┈┈┈┈╯
╭──────╮ ╱ │
│ salt │───────────´ │
╰──────╯ │
╭──────────────────────╮ ▼ ╭┈┈┈┈┈┈┈┈┈┈┈┈╮
│ encrypted master key │━━━━━━━━━━━━━━━━━━━━(decryption)━━━━▶┊ master key ┊
╰──────────────────────╯ ╰┈┈┈┈┈┈┈┈┈┈┈┈╯
</nowiki>}}

The '''key derivation function''' (e.g. PBKDF2 or scrypt) is deliberately slow (it applies many iterations of a hash function, e.g. 1000 iterations of HMAC-SHA-512), so that brute-force attacks to find the passphrase are rendered infeasible. For the normal use-case of an authorized user, it will only need to be calculated once per session, so the small slowdown is not a problem.
It also takes an additional blob of data, the so-called "'''salt'''", as an argument - this is randomly generated once during set-up of the disk encryption and stored unprotected as part of the cryptographic metadata. Because it will be a different value for each setup, this makes it infeasible for attackers to speed up brute-force attacks using precomputed tables for the key derivation function.

The '''encrypted master key''' can be stored on disk together with the encrypted data. This way, the confidentiality of the encrypted data depends completely on the secret passphrase.

Additional security can be attained by instead storing the encrypted master key in a keyfile on e.g. a USB stick. This provides '''two-factor authentication''': Accessing the encrypted data now requires something only you ''know'' (the passphrase), and additionally something only you ''have'' (the keyfile).

Another way of achieving two-factor authentication is to augment the above key retrieval scheme to mathematically "combine" the passphrase with byte data read from one or more external files (located on a USB stick or similar), before passing it to the key derivation function.The files in question can be anything, e.g. normal JPEG images, which can be beneficial for [[#Plausible deniability]]. They are still called "keyfiles" in this context, though.

After it has been derived, the master key is securely stored in memory (e.g. in a kernel keyring), for as long as the encrypted block device or folder is mounted.

It is usually not used for de/encrypting the disk data directly, though.
For example, in the case of stacked filesystem encryption, each file can be automatically assigned its own encryption key. Whenever the file is to be read/modified, this file key first needs to be decrypted using the main key, before it can itself be used to de/encrypt the file contents:

{{Text art|<nowiki>
╭┈┈┈┈┈┈┈┈┈┈┈┈╮
┊ master key ┊
file on disk: ╰┈┈┈┈┈┬┈┈┈┈┈┈╯
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ │
╎╭───────────────────╮╎ ▼ ╭┈┈┈┈┈┈┈┈┈┈╮
╎│ encrypted file key│━━━(decryption)━━━━▶┊ file key ┊
╎╰───────────────────╯╎ ╰┈┈┈┈┬┈┈┈┈┈╯
╎┌───────────────────┐╎ ▼ ┌┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┐
╎│ encrypted file │◀━━━━━━━━━━━━━━━(de/encryption)━━━━━▶┊ readable file ┊
╎│ contents │╎ ┊ contents ┊
╎└───────────────────┘╎ └┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┘
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘
</nowiki>}}

In a similar manner, a separate key (e.g. one per folder) may be used for the encryption of file names in the case of stacked filesystem encryption.

In the case of block device encryption one master key is used per device and, hence, all data. Some methods offer features to assign multiple passphrases/keyfiles for the same device and others not. Some use above mentioned functions to secure the master key and others give the control over the key security fully to the user. Two examples are explained by the cryptographic parameters used by [[dm-crypt]] in plain or LUKS modes.

When comparing the parameters used by both modes one notes that dm-crypt plain mode has parameters relating to how to locate the keyfile (e.g. {{ic|--keyfile-size}}, {{ic|--keyfile-offset}}). The dm-crypt LUKS mode does not need these, because each blockdevice contains a header with the cryptographic metadata at the beginning. The header includes the used cipher, the encrypted master-key itself and parameters required for its derivation for decryption. The latter parameters in turn result from options used during initial encryption of the master-key (e.g. {{ic|--iter-time}}, {{ic|--use-random}}).

For the dis-/advantages of the different techniques, please refer back to [[#Comparison table]] or browse the specific pages.

See also:

* [[Security#Passwords]]
* [[Wikipedia:Passphrase]]
* [[Wikipedia:Key (cryptography)]]
* [[Wikipedia:Key management]]
* [[Wikipedia:Key derivation function]]

=== Ciphers and modes of operation ===

The actual algorithm used for translating between pieces of unencrypted and encrypted data (so-called "plaintext" and "ciphertext") which correspond to each other with respect to a given encryption key, is called a "'''cipher'''".

Disk encryption employs "block ciphers", which operate on fixed-length blocks of data, e.g. 16 bytes (128 bits). At the time of this writing, the predominantly used ones are:

{| class="wikitable"
!
! block size
! key size
! comment
|-
| [[Wikipedia:Advanced Encryption Standard|AES]]
| 128 bits
| 128, 192 or 256 bits
| Approved by the NSA for protecting "TOP SECRET" classified US-government information when used with a key size of 256 bits (CNSA 2.0). [https://eprint.iacr.org/2019/1492.pdf 128- and 192-bit keys remain safe] against [https://www.fierceelectronics.com/electronics/aes-256-joins-quantum-resistance non-quantum adversaries] (same for below). Commonly has fast hardware implementation.
|-
| [[wikipedia:Blowfish (cipher)|Blowfish]]
| 64 bits
| 32–448 bits
| One of the first patent-free secure ciphers that became publicly available, hence very well established on Linux
|-
| [[Wikipedia:Twofish|Twofish]]
| 128 bits
| 128, 192 or 256 bits
| Developed as successor of Blowfish, but has not attained as much widespread usage
|-
| [[wikipedia:Serpent (cipher)|Serpent]]
| 128 bits
| 128, 192 or 256 bits
| Considered the most secure of the five AES-competition finalists[https://csrc.nist.gov/archive/aes/round2/r2report.pdf][https://www.cl.cam.ac.uk/~rja14/Papers/serpentcase.pdf][https://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf].
|}

Encrypting/decrypting a sector ([[#Basic principle|see above]]) is achieved by dividing it into small blocks matching the cipher's block-size, and following a certain rule-set (a so-called "'''mode of operation'''") for how to consecutively apply the cipher to the individual blocks.

Simply applying it to each block separately without modification (dubbed the "''electronic codebook (ECB)''" mode) would not be secure, because if the same 16 bytes of plaintext always produce the same 16 bytes of ciphertext, an attacker could easily recognize patterns in the ciphertext that is stored on disk.

The most basic (and common) mode of operation used in practice is "''cipher-block chaining (CBC)''". When encrypting a sector with this mode, each block of plaintext data is combined in a mathematical way with the ciphertext of the previous block, before encrypting it using the cipher. For the first block, since it has no previous ciphertext to use, a special pre-generated data block stored with the sector's cryptographic metadata and called an "'''initialization vector (IV)'''" is used:

{{Text art|<nowiki>
╭──────────────╮
│initialization│
│vector │
╰────────┬─────╯
╭ ╠══════════╣ ╭─key │ ┣┉┉┉┉┉┉┉┉┉┉┫
│ ║ ║ ▼ ▼ ┋ ┋ . START
┴ ║"????????"║◀━━━(cipher)━━━━━(+)━━━━━┋"Hello, W"┋ block ╱╰────┐
sector n ║ ║ ┋ ┋ 1 ╲╭────┘
of file or ║ ║──────────────────╮ ┋ ┋ '
blockdevice ╟──────────╢ ╭─key │ ┠┈┈┈┈┈┈┈┈┈┈┨
┬ ║ ║ ▼ ▼ ┋ ┋
│ ║"????????"║◀━━━(cipher)━━━━━(+)━━━━━┋"orld !!!"┋ block
│ ║ ║ ┋ ┋ 2
│ ║ ║──────────────────╮ ┋ ┋
│ ╟──────────╢ │ ┠┈┈┈┈┈┈┈┈┈┈┨
│ ║ ║ ▼ ┋ ┋
: : ... : ... ... : ... : ...

ciphertext plaintext
on disk in RAM
</nowiki>}}

When decrypting, the procedure is reversed analogously.

One thing worth noting is the generation of the unique initialization vector for each sector. The simplest choice is to calculate it in a predictable fashion from a readily available value such as the sector number. However, this might allow an attacker with repeated access to the system to perform a so-called [[wikipedia:Watermarking attack|watermarking attack]]. To prevent that, a method called "Encrypted salt-sector initialization vector ('''ESSIV''')" can be used to generate the initialization vectors in a way that makes them look completely random to a potential attacker.

There are also a number of other, more complicated modes of operation available for disk encryption, which already provide built-in security against such attacks (and hence do not require ESSIV).
One of them is XTS, which is preferred over ESSIV since cryptsetup 2.7.0.
Some can also additionally guarantee authenticity of the encrypted data (i.e. confirm that it has not been modified/corrupted by someone who does not have access to the key).

See also:

* [[Wikipedia:Disk encryption theory]]
* [[Wikipedia:Block cipher]]
* [[Wikipedia:Block cipher modes of operation]]

==== Stream ciphers ====

Stream ciphers work in streams and do not need such thing as a "mode of operation". Nevertheless, properties required for disk encryption (e.g. "wide-block") mean that layers need to be added on top of them. As far as disk encryption on Linux is concerned, the main example is XChaCha12 in the [https://lwn.net/Articles/776721/ Adiantum] configuration, {{ic|xchacha12,aes-adiantum}}, intended for low-end systems where the hardware has no AES acceleration. Adiantum is fast on such hardware. It also guarantees authenticity of the encrypted data.

=== Plausible deniability ===

See [[Wikipedia:Plausible deniability]] and [[Wikipedia:Deniable Encryption]].

== Backup for disk encryption scenarios ==

Make a [[backup]] of the user data to protect against data loss. In general the backup of your encrypted data should be encrypted as well.

=== Block device encryption ===

There are multiple options; you can back up the disk block device where the encryption container resides as an image, e.g. {{ic|/dev/sd''x''}}, or you can back up the filesystem inside of the encrypted container, e.g. {{ic|/dev/mapper/''dm_name''}}, or you can back up the files, e.g. with [[rsync]]. The following sections list the advantages and disadvantages of each option.

==== Backup of disk block device ====

A backup of the disk block device is:

* encrypted as is with the same level of security as the working copy
* contains your LUKS header
* always as large as the disk block device
* does not easily allow advanced backup strategies such as incremental backup, compression, or deduplication
* easily restored to a new disk as this also restores the encryption container

==== Backup of the filesystem or files ====

A backup of the filesystem or files is:

* ''not'' encrypted as is
* should be encrypted before transport over the network, or when saving to disk, requiring additional effort
* not necessarily encrypted with the same level of security as the working copy
* does not contain your LUKS header
* only as large as the used space on the filesystem, see e.g. [[partclone]]
* allows advanced backup strategies such as incremental backup, compression, or deduplication
* requires manual restoration of the encryption container to a new disk, for example by restoring the LUKS header backup

==== LUKS header backup ====

If using LUKS it is possible to make a [[Dm-crypt/Device encryption#Backup and restore|backup of the LUKS headers]]: it can make sense to periodically check and synchronize those backups, especially if passphrases have been revoked.

If however you have a backup of the data, and want to restore it, you can recreate the LUKS encrypted partition from scratch with cryptsetup and then restore the data, therefore backing up the LUKS header is less important than backing up the data.

Electron package guidelines

2026-05-10T17:17:26Z

Lahwaacz: Undo revision 873530 by Indigo (talk) the discussion section has been reverted

[[Category:Arch package guidelines]]
[[ja:Electron パッケージガイドライン]]
[[pt:Electron package guidelines]]
{{Package guidelines}}

This document covers standards and guidelines on writing [[PKGBUILD]]s for [[Electron]].

== Using the system electron ==

Arch Linux provides versioned [https://archlinux.org/packages/?q=electron electron*] packages and an {{Pkg|electron}} metapackage for the latest version. They can be used to run an electron application via a shell script wrapper:

{{bc|#!/bin/sh

exec /usr/bin/electron34 /path/to/''appname''/ "$@"}}

The {{ic|''appname''/}} directory, or alternatively a file bundle called {{ic|''appname''.asar}}, can be found in a prebuilt electron application as the {{ic|resources/app/}} folder (or {{ic|resources/app.asar}}). Everything else is just a copy of the electron runtime and can be removed from the final package.

{{Note|Applications that require {{ic|1=ELECTRON_RUN_AS_NODE=1}}, e.g. [[Visual Studio Code]], cannot use {{ic|/usr/bin/electron*}}. See [https://gitlab.archlinux.org/archlinux/packaging/packages/code code.sh].}}

=== Editing version on package.json ===

It is dangerous to edit version of Electron in {{ic|package.json}} or {{ic|package-lock.json}} using {{ic|sed}}. You can use {{ic|1=npm pkg set devDependencies.electron=$(cat /usr/lib/electron*/version)}} instead.
{{Accuracy|Editing package.json may not needed and unrelated to building modules correctly.}}

=== Building compiled extensions against the system electron ===

Some electron applications have compiled native extensions which link to the electron runtime, and must be built using the correct electron version. Since npm/yarn will always build against a private prebuilt copy of electron, patch the electron dependency from {{ic|package.json}} to reference the same version as the system electron dependency. The build system will download the prebuilt copy it requires, compile the native extensions, and package everything into a final distribution, but this can be pruned during the {{ic|package()}} step as usual.

Alternatively, you can remove the electron dependency from {{ic|package.json}} and set the correct environment variables before running npm:

export npm_config_target=$(tail /usr/lib/electron/version)
export npm_config_arch=x64
export npm_config_target_arch=x64
export npm_config_disturl=https://electronjs.org/headers{{Dead link|2023|10|29|status=404}}
export npm_config_runtime=electron
export npm_config_build_from_source=true
HOME="$srcdir/.electron-gyp" npm install

Set {{ic|HOME}} to a path inside the {{ic|$srcdir}} so the build process does not place any files in your real {{ic|HOME}} directory. Make sure to adjust the path for all further commands that make use of the {{ic|.electron-gyp}} cache.

(more details [https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules#using-npm in Electron docs]).

=== Using electron-builder with system electron ===

Many projects use '''electron-builder''' to build and package the Javascript file and Electron binaries. By default electron-builder downloads the entire electron version that is defined in the package management file (e.g. {{ic|package.json}}). This might not be desired if you want to use the system electron and save the bandwidth since you are going to throw away the electron binaries anyway. The electron-builder provides the configurations {{ic|electronDist}} and {{ic|electronVersion}}, to specify a custom path of Electron and the version the application is packaged for respectively.

Find the electron-builder configuration file (e.g. {{ic|electron-builder.json}}) and add the following settings:

* {{ic|electronDist}} to　{{ic|/usr/lib/electron34}} for {{Pkg|electron34}}
* {{ic|electronVersion}} to the contents of {{ic|/usr/lib/electron34/version}} (without the leading {{ic|v}} if exists)

Packages that apply this: {{AUR|rocketchat-desktop}} {{AUR|ubports-installer-git}}

[https://www.electron.build/configuration#electrondist electron-builder configuration]

Alternatively you can use the CLI to change/add these settings like this:

./node_modules/.bin/electron-builder --linux --x64 --dir $dist -c.electronDist=$electronDist -c.electronVersion=$electronVer

Note that you have to specify all these options or it will not work.

{{Accuracy|Current setting still copies Electron from $electronDist . It is expired to add the method to stop it. }}
{{Accuracy|Packaging with Arch's Electron discards fuses bits [https://www.electronjs.org/docs/latest/tutorial/fuses] flipped by electron-builder. Some bits should be emulated by including environment variables to launcher.}}

== Architecture ==

See [[PKGBUILD#arch]].

An Electron package that contains compiled native extensions is architecture-dependent. Otherwise it is most likely architecture-independent.

If the package contains a prebuilt copy of electron, it is always architecture-dependent.

== Directory structure ==

If the package is architecture-dependent, install the {{ic|resources/app/}} directory to {{ic|/usr/lib/''appname''/}}. Otherwise use {{ic|/usr/share/''appname''/}}.

If the package contains a prebuilt copy of electron, copy the final distribution in its entirety to {{ic|/opt/''appname''}}.

== Getting version of Electron ==

Version of Electron could be given by {{ic|npm pkg get devDependencies.electron}} in the directory containing {{ic|package.json}} or {{ic|package-lock.json}}.

Prebuild or [[Nonfree applications package guidelines|Nonfree]] application hides version of electron from {{ic|package.json}}, {{ic|package-lock.json}}, and {{ic|version}} files. In such case, you may get version by replacing {{ic|app}} or {{ic|app.asar}} with {{ic|/usr/lib/electron/resources/default_app.asar}} and running {{ic|''pathto/electron-binary'' --version}}.
{{Note|Avoid doing it at PKGBUILD. This should be last resort to make packages with system-wide electron.}}

User talk:Lahwaacz.bot

2026-05-10T14:13:10Z

Lahwaacz: /* Marking bot edits as minor edit */ Reply

== marking AUR links to pkgbase as broken link ==

hi, your bot marked a {{Aur|policyd}} link as broken (on https://wiki.archlinux.org/index.php?title=Postfix&diff=next&oldid=431606#Rule-based_mail_processing). the pkgbase policyd exists, but packages derived from it have different names. can you fix this please? thank you! [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:05, 24 April 2016 (UTC)

:Hi, that's a general problem of the [[Template:AUR]], which works only for packages and not pkgbases. For {{AUR|policyd}} the link does not work, it leads to a 404 page. I think that this behaviour is fine because users can install only packages and not pkgbases. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:53, 24 April 2016 (UTC)

::Hm, I see the problem here. How could i implement a link to https://aur.archlinux.org/pkgbase/policyd with the AUR annotation? [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:59, 24 April 2016 (UTC)

:::Ok fixed it: [https://aur.archlinux.org/pkgbase/policyd policyd]AUR [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 19:03, 24 April 2016 (UTC)

::::Hmm, that's not perfect either, because users expect such links to be ''packages'' that can be installed—on the other hand, pkgbases can't be installed. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:30, 16 July 2016 (UTC)

== Removes title case, is this desired? ==

I noticed this bot just swept through and some links from title case to quasi-sentence case. This seems like incorrect behavior to me. In English writing, proper nouns are supposed to be capitalized, and technical writing has a lot of proper nouns. A bot can't possibly tell the difference between a proper noun like "[EFI System Partition]" and the same words as common nouns in "your [system partition]". Should we respond to edits we disagree with using "undo", or will the bot just make the same change on a second pass?

{{unsigned|15:17, 3 July 2018‎|Bobpaul}}

:The ArchWiki does not use title case even in page titles, see the rule in [[Help:Style#Title]]. For links to pages, using the same capitalization as the target page is preferable (see also [[Help:Style#Hypertext metaphor]]). So, generally, the edits were correct, though if you have a specific controversial case we can debate it further. Also, the "(interactive)" suffix in the edit summaries means that a human sat behind a keyboard and pressed "yes" to confirm each change. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 3 July 2018 (UTC)

== Dead link with SSL error status ==

Hi. It looks like this edit is wrong: [https://wiki.archlinux.org/index.php?title=Help:Editing_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&curid=2786&diff=630264&oldid=618993]. I tried to follow the link and it is working. Also I check the link in the [[Help:Editing#Tables|original article]] — it is actually the same link like in the russian wiki, but not marked as dead and is working fine too. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 09:31, 7 August 2020 (UTC)

:The bot is using [https://requests.readthedocs.io/en/master/ requests] and this query is returning {{ic|certificate verify failed: unable to get local issuer certificate}}. I don't know enough SSL to know what is the problem... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:00, 7 August 2020 (UTC)

:: Firefox says that the certificate for www.tablesgenerator.com expires on February 10, 2022. Anyway I fixed the link. Maybe http replacement on https helps, I don't know. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 12:20, 7 August 2020 (UTC)

== Removing English Interlanguage Link ==

This bot has been removing English interlanguage link from my translated pages such as [[Arch Linux (বাংলা)]], [[Main page (বাংলা)]]....Why? -- [[User:FOSS ভক্ত|FOSS ভক্ত]] ([[User talk:FOSS ভক্ত|talk]]) 07:03, 24 September 2020 (UTC)

:The links will be added automatically when the language is added to the interlanguage table. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:22, 26 September 2020 (UTC)

== Marking bot edits as minor edit ==

I think this bot's edits should be marked as minor edit, so the system won't send notification emails about the article being changed. -- [[User:Huupoke12|Huupoke12]] ([[User talk:Huupoke12|talk]]) 04:19, 19 November 2021 (UTC)

:Hi, it's not that simple because then MediaWiki would not send notifications even for normal user edits that follow after a minor bot edit. That's because the minor bot edit would still be recorded as unread in the watchlist table, it would just not send the notification email, so it would be waiting until you visit the page again before sending the next notification for the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:53, 19 November 2021 (UTC)

::Hi, is it possible for edits made by this bot to be recorded as bot edits ? since the edits are neither marked (m) nor (b) they all show up in watchlists, even if both minor and bot edits are supposedly filtered out.
::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 07:21, 13 October 2024 (UTC)
:::I explicitly want the wiki to send notifications for bot edits, because they should still be reviewed. Unfortunately email notifications for bots are seriously broken (see https://phabricator.wikimedia.org/T358087#10223291) so I removed Lahwaacz.bot from the bot group yesterday. Note that the most serious bug is actually [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read]... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:50, 13 October 2024 (UTC)
::::Hmm, I understand but this is going to make everyone's watchlist basically unreadable. Any idea how to work around this ? [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:52, 13 October 2024 (UTC)
:::::As a temporary solution it looks like they can be filtered out by unchecking wiki-scripts in advanced filters. Works for me but it might affect a lot of people. [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:56, 13 October 2024 (UTC)
::::::Also note that the bot is done for the weekend and won't be making so many edits any time soon. Or rather I might try running it more often to spread out the amount of edits...
::::::By the way, do you speak PHP? Maybe we can bribe you to fix the MediaWiki issues 😂
::::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:05, 13 October 2024 (UTC)
:::::::Haha no sorry :) [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 18:44, 13 October 2024 (UTC)

:Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications as described here but for the triviality of the edit. For example, [[ASUS Linux]] had an edit from this bot account where it removed 2 spaces and helped clean it up a bit, which is trivial enough to warrant a minor edit. To cite [[Help:Editing]], it is superficial and indisputable and [[Wikipedia: Help:Minor_edit#Exceptions]], where bot account edits should be considered minor. However I do agree that if a major edit is made it should not tag it as a minor edit. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:05, 9 May 2026 (UTC)
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read] as mentioned in the earlier replies... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:14, 9 May 2026 (UTC)
:::Then this should be added as a note, preferably at [[Help:Editing#Editing]], that bot account edits are exempted for the timebeing from marking edits as minor until the notification error at so and so in this thread is resolved, it would help reduce the confusion for new and existing users. Should I add it there?
:::Thanks for the reply! [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:59, 9 May 2026 (UTC)
::::[[Help:Editing]] is for people, not bots. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:22, 9 May 2026 (UTC)
:::::[[Archwiki:Bots#wiki-scripts]] then? [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 13:31, 9 May 2026 (UTC)
::::::Ok thanks. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:13, 10 May 2026 (UTC)

== <s>Bot account</s> ==

I suspect that it is not correct that this account is not considered to be a bot...

I don't see it here: https://wiki.archlinux.org/index.php?title=Special:ListUsers&group=bot [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 12:59, 9 May 2025 (UTC)

:See [[#Marking bot edits as minor edit|the discussion above]]: "I removed Lahwaacz.bot from the bot group" — [[User:Andreymal|andreymal]] ([[User talk:Andreymal|talk]]) 13:17, 9 May 2025 (UTC)
::Ah, got it. I wasn't wrong, but bot handling isn't right either, so we have what we have.
::Didn't read it right away because I wasn't expecting it to be related. [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 17:16, 9 May 2025 (UTC)

:::No problem, but this can be closed.

MAC address spoofing

2026-05-10T13:33:10Z

Lahwaacz: /* NetworkManager */ style

[[Category:Network configuration]]
[[Category:Security]]
[[de:MAC-Adresse abfragen und setzen]]
[[es:MAC address spoofing]]
[[fr:MAC address spoofing]]
[[ja:MAC アドレス偽装]]
[[pt:MAC address spoofing]]
[[ru:MAC address spoofing]]
[[zh-hans:MAC address spoofing]]
Media Access Control (MAC) randomization can be used for increased privacy by not disclosing your real MAC address to the network.
This article gives several methods to spoof a MAC address.

== Manually ==

There are two methods for spoofing a MAC address: [[install]]ing and configuring either {{Pkg|iproute2}} or {{Pkg|macchanger}}. Both of them are outlined below.

=== iproute2 ===

First, you can check your current MAC address with the command:

# ip link show ''interface''

where {{ic|''interface''}} is the name of your [[network interface]].

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev ''interface'' down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read [[Wikipedia:Organizationally unique identifier]].

To change the MAC, we need to run the command:

# ip link set dev ''interface'' address ''XX:XX:XX:XX:XX:XX''

Where any 6-byte value will suffice for {{ic|''XX:XX:XX:XX:XX:XX''}}.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev ''interface'' up

If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show ''interface''}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

=== macchanger ===

Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

[[Install]] the package {{Pkg|macchanger}}.

The spoofing is done on per-interface basis, specify [[network interface]] name as {{ic|''interface''}} in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r ''interface''

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e ''interface''

To change the MAC address to a specific value, you would run:

# macchanger --mac=''XX:XX:XX:XX:XX:XX'' ''interface''

Where {{ic|''XX:XX:XX:XX:XX:XX''}} is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p ''interface''

{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}

== Automatically ==

=== systemd-udevd ===

[[udev]] allows you to perform MAC address spoofing by creating {{man|5|systemd.link}} files or udev rules.

==== systemd.link ====

To set a static spoofed MAC address:

{{hc|/etc/systemd/network/01-mac.link|2=
[Match]
PermanentMACAddress=''original MAC''

[Link]
MACAddress=''spoofed MAC''
}}

To randomize the MAC address on every boot, set {{ic|1=MACAddressPolicy=random}} instead of {{ic|1=MACAddress=''spoofed MAC''}}.

==== udev rule ====

Use {{ic|address}} attribute to match the correct device by its original MAC address and change it using the {{ic|ip}} command:

{{hc|/etc/udev/rules.d/81-mac-spoof.rules|2=
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="''original MAC''", RUN+="/usr/bin/ip link set dev $name address ''spoofed MAC''"
}}

{{Note|udev only accepts MAC addresses in lowercase.}}

=== systemd unit ===

==== Creating unit ====

Below you find two examples of [[systemd]] units to change a MAC address at boot, one sets a static MAC using ''ip'' and one uses ''macchanger'' to assign a random MAC address. The systemd {{ic|network-pre.target}} is used to ensure the MAC is changed before a network manager like [[Netctl]] or [[NetworkManager]], [[systemd-networkd]] or [[dhcpcd]] service starts.

===== iproute2 =====

[[systemd]] unit setting a predefined MAC address:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target
</nowiki>}}

===== macchanger =====

[[systemd]] unit setting a random address while preserving the original NIC vendor bytes. Ensure that {{Pkg|macchanger}} is [[Pacman#Installing specific packages|installed]]:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target
</nowiki>}}

A full random address can be set using the {{ic|-r}} option, see [[#macchanger]].

==== Enabling service ====

Append the desired network interface to the service name (e.g. {{ic|eth0}}) and [[enable]] the service (e.g. {{ic|macspoof@eth0.service}}).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

=== netctl interfaces ===

You can use a [[Netctl#Using hooks|netctl hook]] to run a command each time a netctl profile is re-/started for a specific network interface. Replace {{ic|''interface''}} accordingly:

{{hc|/etc/netctl/interfaces/''interface''|2=
#!/usr/bin/env sh
/usr/bin/macchanger -r ''interface''}}

Make the script [[executable]].

Source: [https://web.archive.org/web/20220708111031/https://blog.akendo.eu/post/2015-01-10-archlinux-random-mac-for-new-wireless-connections/ akendo.eu (archive)]

=== NetworkManager ===

{{Note|1=<nowiki/>
* When using iwd as a backend, [[NetworkManager]] ignores MAC spoofing options from {{ic|/etc/NetworkManager/NetworkManager.conf}} and {{ic|/etc/NetworkManager/conf.d/*}}. MAC spoofing must be set in {{ic|/etc/iwd/main.conf}} – see the [[#iwd]] section.
* Disabling MAC address randomization may be needed to get (stable) link connection [https://bbs.archlinux.org/viewtopic.php?id=220101] and/or networks that restrict devices based on their MAC Address or have a limit network capacity.
}}

NetworkManager supports two types MAC Address Randomization: randomization during scanning, and for network connections. Both modes can be configured by modifying {{ic|/etc/NetworkManager/NetworkManager.conf}} or by creating a separate configuration file in {{ic|/etc/NetworkManager/conf.d/}} which is recommended since the aforementioned configuration file may be overwritten by NetworkManager.

Randomization during Wi-Fi scanning is enabled by default, but it may be disabled by adding the following lines to {{ic|/etc/NetworkManager/NetworkManager.conf}} or a dedicated configuration file under {{ic|/etc/NetworkManager/conf.d}}:

{{hc|/etc/NetworkManager/conf.d/wifi_rand_mac.conf|2=
[device]
wifi.scan-rand-mac-address=no
}}

MAC randomization for network connections can be set to different modes for both wireless and ethernet interfaces.

In terms of MAC randomization the most important modes are {{ic|stable}} and {{ic|random}}. {{ic|stable}} generates a random MAC address when you connect to a new network and associates the two permanently. This means that you will use the same MAC address every time you connect to that network. In contrast, {{ic|random}} will generate a new MAC address every time you connect to a network, new or previously known. You can configure the MAC randomization by adding the desired configuration under {{ic|/etc/NetworkManager/conf.d}}:

{{hc|/etc/NetworkManager/conf.d/wifi_rand_mac.conf|2=
[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each Wi-Fi and associate the two permanently.
wifi.cloned-mac-address=stable
}}

To configure MAC randomization for a specific connection (for example, if the network does not like random MAC addresses), [[NetworkManager#Edit a connection|edit the connection]] to set {{ic|802-11-wireless.cloned-mac-address}} to one of the modes (e.g. {{ic|stable}} or {{ic|random}}).

See the following [https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ GNOME blog post] for more details.

=== wpa_supplicant ===

wpa_supplicant can use random MAC address for each ESS connection(AP) (see [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] for details).

Add this to your configuration:

{{hc|/etc/wpa_supplicant/wpa_supplicant-wlan0.conf|2=
mac_addr=1
preassoc_mac_addr=1
gas_rand_mac_addr=1
}}

=== iwd ===

To randomize the MAC address when iwd starts (see {{man|5|iwd.config}} for details):

{{hc|/etc/iwd/main.conf|2=
[General]
AddressRandomization=once
AddressRandomizationRange=full
}}

Specifying {{ic|AddressRandomization}} enables control over when MAC address is randomized. If set to {{ic|disabled}} MAC is not spoofed and {{ic|AddressRandomizationRange}} is ignored. If set to {{ic|once}} MAC is assigned every time iwd is started. If set to {{ic|network}} MAC is spoofed once for each network and reused for each connection to a known network.

Specifying {{ic|AddressRandomizationRange}} enables control over which part of the address is randomized. If set to {{ic|nic}}, only the NIC specific octets (last three octets) are randomized. The permanent mac address of the network interface is used for the initial 3 octets. If set to {{ic|full}}, all six octets of the address are randomized.

== Troubleshooting ==

=== Connection to DHCPv4 network fails ===

If you cannot connect to a DHCPv4 network and you are using dhcpcd, you might need to [[Dhcpcd#Client ID|modify the dhcpcd configuration]] to obtain a lease.

== See also ==

* [[Wikipedia:MAC spoofing]]
* [https://github.com/alobbs/macchanger Macchanger GitHub page]
* [https://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more ''macchanger'' options

ArchWiki:Bots

2026-05-10T13:28:50Z

Lahwaacz: /* wiki-scripts */ improve wording, remove filtering advice because wiki-scripts tag is not necessarily bot edit

[[Category:ArchWiki]]
[[hu:ArchWiki:Bots]]
[[ja:ArchWiki:ボット]]
[[pt:ArchWiki:Bots]]
[[zh-hans:Project:机器人]]
{{Related articles start}}
{{Related|Help:Procedures}}
{{Related articles end}}

[[w:Bots|Bots]] are an important tool of the [[ArchWiki:Maintenance Team|maintenance team]], which allows to easily perform repetitive tasks ranging from daily routine to complicated one-shot updates. Bot edits constitute over 8% of all contributions to the wiki — all of these edits would have been very tedious to do manually.

There are currently two active bot accounts:

* [[User:Kynikos.bot|Kynikos.bot]] (operated by [[User:Kynikos|Kynikos]])
* [[User:Lahwaacz.bot|Lahwaacz.bot]] (operated by [[User:Lahwaacz|Lahwaacz]])

{{Expansion|Maybe add something like a policy regarding new bots?}}

== Software ==

Bots use the [[mw:API|MediaWiki API]] to communicate with the wiki server. There are many bots developed by the [[w:Wikimedia Foundation|Wikimedia Foundation]] using this API, but they are usually not general enough to work on other wikis or even conflict with our style guidelines. Therefore we have been working on our own ArchWiki-specific bot tools, which have the same flaws when evaluated by external parties.

=== Wiki Monkey ===

The [https://github.com/kynikos/wiki-monkey Wiki Monkey] project's aim is to facilitate efficient editing by directly enhancing wiki pages in the web browser. It runs as a user script, allowing to execute repetitive tasks semi-automatically in article editor pages, or fully automatically from article-list pages such as [[Special:Categories|Categories]] or [[Special:WhatLinksHere|WhatLinksHere]]. Wiki Monkey also adds some helpers such as filters for [[Special:RecentChanges]] and [[Special:NewPages]]. See the [https://github.com/kynikos/wiki-monkey/wiki documentation] for details.

Edits made by Wiki Monkey's bot interface are marked with the {{ic|wiki-monkey}} [[Special:Tags|tag]], which can be [{{canonicalurl:Special:RecentChanges|hidebots=0&tagfilter=wiki-monkey}} filtered] in the list of recent changes.

=== wiki-scripts ===

The [https://github.com/lahwaacz/wiki-scripts wiki-scripts] project contains many Python scripts built around a small library-like abstraction for the MediaWiki API. The purpose of the included scripts ranges from collecting information without editing the wiki to performing complex automated edits, which are described in [[#Tasks]].

Edits made by wiki-scripts, either automatically or interactively, are marked with the {{ic|wiki-scripts}} [[Special:Tags|tag]], which can be [{{canonicalurl:Special:RecentChanges|hidebots=0&tagfilter=wiki-scripts}} filtered] in the list of recent changes.

{{Note|Until issues with the MediaWiki bots notifications like [https://phabricator.wikimedia.org/T358087] and [https://phabricator.wikimedia.org/T374404] are resolved, [[User:Lahwaacz.bot]] is temporarily set as normal user account and exempted from marking their edits as [[Wikipedia:Help:Minor edit|minor]].}}

== Tasks ==

This section describes the tasks that are repeatedly performed by ArchWiki bots. It serves as an overview and documentation of the features of operated bot scripts. Note that bot edits are by default hidden from [[Special:RecentChanges]], since their inclusion would make it far more difficult to follow and participate with regular contributions.

=== Double redirects ===

Fixing [[Help:Procedures#Fix double redirects|double redirects]] is the oldest automated task. It can be done for example with a [https://github.com/lahwaacz/wiki-scripts/blob/master/fix-double-redirects.py Python script] or [[#Wiki Monkey|Wiki Monkey]]'s dedicated plugin.

=== Table of contents ===

The [[Table of contents]] page and its "translations" are maintained by using the [https://github.com/lahwaacz/wiki-scripts/blob/master/toc.py toc.py] script. The script can be run daily, its execution takes couple of seconds.

The page needs to be initialized manually with the following entry-point table:

{{bc|<nowiki>
{| id="wiki-scripts-toc-table"
|}
</nowiki>}}

The content of this table is replaced with an updated version generated by the script, the rest of the page is left intact. The script recognizes the following optional attributes for configuration:

* {{ic|data-toc-languages}} specifies the languages to be shown on the page. It is a comma-separated list of language tags, at most 2 can be specified. Defaults to the language of the current page, i.e. {{ic|ru}} for [[Table of contents (Русский)]].
* {{ic|data-toc-alsoin}} specifies the translation of the "also in" phrase. The format is {{ic|''tag1:text, tag2:text, ...''}}.

For example (from [[Table of contents (Русский)]]):

{{bc|<nowiki>
{| id="wiki-scripts-toc-table" data-toc-languages="ru,en" data-toc-alsoin="ru:Также в"
...
|}
</nowiki>}}

Users can also translate the category names in the table by editing the links on the wiki page and the script will preserve them on updates.

=== Statistics ===

The [[ArchWiki:Statistics]] page is maintained by the [https://github.com/lahwaacz/wiki-scripts/blob/master/statistics.py statistics.py] script. Currently only the [[ArchWiki:Statistics#User statistics|User statistics]] section is autogenerated, the rest is updated manually. The update takes about 15 seconds and should be run daily.

The script works by obtaining metadata of all revisions and user accounts from the API and caching it locally for better performance. The edit counts are determined by manually counting user contributions without relying on MediaWiki counters.

{{Note|Some improvements are discussed in [[ArchWiki talk:Statistics#Improvements]].}}

=== Package templates ===

The [https://github.com/lahwaacz/wiki-scripts/blob/master/update-package-templates.py update-package-templates.py] script parses the content of all pages and updates the [[Template:Pkg|Pkg]], [[Template:Grp|Grp]] and [[Template:AUR|AUR]] templates. The package name is actually not changed by the script, but e.g. for packages that have been recently moved from AUR to the official repositories, the link is updated from [[Template:AUR]] to [[Template:Pkg]]. Invalid package links are marked with [[Template:Broken package link]] along with a sometimes useful hint showing the package status.

The script uses localized versions of [[Template:Broken package link]] when they exist and falls back to the English versions. Other than that there is no server-side configuration.

After each run, but at most once per 7 days, the script creates a detailed report of broken links at [[User:Lahwaacz.bot/Reports/archpkgs]].

=== Interlanguage ===

The [https://github.com/lahwaacz/wiki-scripts/blob/master/interlanguage.py interlanguage.py] script does the following:

* Checks if the language of categories assigned to each page matches the language of the page itself.
* Creates missing localized categories, mirroring the English category tree.
* Updates the [[Help:i18n#Interlanguage links|interlanguage links]] on all content pages using [https://lahwaacz.github.io/wiki-scripts/ws/ws.interlanguage.InterlanguageLinks.html this algorithm].

The execution time depends on the amount of updates, it is usually less than a minute and about 30 seconds when there are no updates.

=== Page language ===

The [https://github.com/lahwaacz/wiki-scripts/blob/master/update-page-language.py update-page-language.py] script determines the language of each page based on the title (see [[Help:i18n#Page titles]]) and sets the language code in the wiki's database. This is possible with the MediaWiki's [[mw:Manual:$wgPageLanguageUseDB|$wgPageLanguageUseDB]] setting [https://gitlab.archlinux.org/archlinux/archwiki/-/merge_requests/39].

=== Link checking ===

* [https://github.com/lahwaacz/wiki-scripts/blob/master/extlink-checker.py extlink-checker.py] tries to check the status of external links and those that are definitely broken are marked with [[Template:Dead link]]. Many links still pass unchecked by this tool, mainly because of sites requiring JavaScript and servers returning an inconclusive HTTP status code.
* [https://github.com/lahwaacz/wiki-scripts/blob/master/url-replace.py url-replace.py] performs various replacements on external links, such as updating URLs from HTTP to HTTPS or replacing external links to wiki.archlinux.org with internal links.
* [https://github.com/lahwaacz/wiki-scripts/blob/master/link-checker.py link-checker.py] performs various checks and replacements on internal links, links to manual pages and external links (using the same code as {{ic|url-replace.py}}).
* [https://github.com/lahwaacz/wiki-scripts/blob/master/mark-archived-links.py mark-archived-links.py] marks internal links that lead to [[ArchWiki:Archive]] with [[Template:Archived page]].

NetworkManager

2026-05-10T13:18:58Z

Lahwaacz: style: Help:Style#Section_headings

[[Category:Network managers]]
[[Category:DHCP]]
[[ar:Networkmanager]]
[[de:Networkmanager]]
[[fr:NetworkManager]]
[[hu:NetworkManager]]
[[ja:NetworkManager]]
[[pt:NetworkManager]]
[[ru:NetworkManager]]
[[zh-hans:NetworkManager]]
{{Related articles start}}
{{Related|Network configuration}}
{{Related|Wireless network configuration}}
{{Related articles end}}

[[Wikipedia:NetworkManager|NetworkManager]] is a program for providing detection and configuration for systems to automatically connect to networks.

[https://networkmanager.dev/ NetworkManager] can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch from online and offline mode.

NetworkManager also prefers wired connections over wireless ones, has support for modem connections and certain types of VPN.

{{Warning|By default, secrets—e.g. Wi-Fi passwords—are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. via [[#nm-applet]]). For more information, see [[#Encrypted network keyphrases]].}}

== Installation ==

NetworkManager can be [[install]]ed with the package {{Pkg|networkmanager}}, which contains a daemon, a command line interface (''nmcli'') and a curses‐based interface (''nmtui'').

=== Enable NetworkManager ===

After installation, you should [[start/enable]] {{ic|NetworkManager.service}}. Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need ''nmcli'' or an applet to configure and connect.

{{Note|
* Each network interface should be managed by only one [[Network configuration#Network managers|DHCP client or network manager]], so it is advised to run only one DHCP client or network manager on the system. Find a list of the currently running services with {{ic|1=systemctl --type=service}} and then [[stop]] or reconfigure those that conflict.
* If [[systemd-resolved]] is not [[started]], an error message will start flooding your logs. See [[#Unit dbus-org.freedesktop.resolve1.service not found]] for more info.
}}

=== Additional interfaces ===

* {{Pkg|nm-connection-editor}} for a graphical user interface,
* {{Pkg|network-manager-applet}} for a system tray applet (see the [[#nm-applet]] section).

=== Mobile broadband support ===

NetworkManager uses [[ModemManager]] for mobile broadband connection support.

[[Install]] {{Pkg|modemmanager}} and {{Pkg|usb_modeswitch}}. Afterwards [[enable]] and [[start]] {{ic|ModemManager.service}}.

It may be necessary to [[restart]] {{ic|NetworkManager.service}} for it to detect ModemManager. After you restart it, re-plug the modem again and it should be recognized.

Add connections from a front-end (e.g. {{Pkg|nm-connection-editor}}) and select mobile broadband as the connection type. After selecting your ISP and billing plan, [[Wikipedia:Access Point Name|APN]] and other settings should be filled in automatically using information from {{Pkg|mobile-broadband-provider-info}}.

=== PPPoE / DSL support ===

[[Install]] {{Pkg|ppp}} package for PPPoE / DSL connection support. To actually add PPPoE connection, use {{ic|1=nm-connection-editor}} and add new DSL/PPPoE connection.

=== VPN support ===

NetworkManager since version 1.16 has native support for [[WireGuard]], all it needs is the {{ic|wireguard}} kernel module. Read the [https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/ WireGuard in NetworkManager blog post] for details.

Support for other VPN types is based on a plug-in system. They are provided in the following packages:

* {{Pkg|networkmanager-openconnect}} for [[OpenConnect]]
* {{Pkg|networkmanager-openvpn}} for [[OpenVPN]]
* {{Pkg|networkmanager-pptp}} for [[PPTP Client]]
* {{Pkg|networkmanager-strongswan}} for [[strongSwan]]
* {{Pkg|networkmanager-vpnc}}
* {{AUR|networkmanager-fortisslvpn}}
* {{AUR|networkmanager-iodine-git}}
* {{AUR|networkmanager-libreswan}}
* {{Pkg|networkmanager-l2tp}}
* {{AUR|networkmanager-ssh}}
* {{Pkg|network-manager-sstp}}

{{Warning|1=There are a lot of [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues?search=VPN&state=opened bugs] related to VPN support. Check the daemon processes options set via the GUI correctly and double-check with each package release.}}

{{Note|
* To have fully functioning DNS resolution when using VPN, you should set up [[#DNS caching and conditional forwarding|conditional forwarding]].
* These plug-ins may not have a documented command line interface, or may not work at all without an applet running. This is not an issue if you are using a regular desktop environment; if you are not, you should run [[#nm-applet]] while configuring or activating the connection so that you get the necessary dialogues. [https://bbs.archlinux.org/viewtopic.php?id{{=}}246698]
}}

== Usage ==

NetworkManager comes with {{man|1|nmcli}} and {{man|1|nmtui}}.

=== nmcli examples ===

List nearby Wi-Fi networks:

$ nmcli device wifi list

Connect to a Wi-Fi network:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password''

Connect to a hidden Wi-Fi network:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password'' hidden yes

Connect to a Wi-Fi on the {{ic|wlan1}} interface:

$ nmcli device wifi connect ''SSID_or_BSSID'' password ''password'' ifname wlan1 ''profile_name''

Disconnect an interface:

$ nmcli device disconnect ifname eth0

Get a list of connections with their names, UUIDs, types and backing devices:

$ nmcli connection show

Activate a connection (i.e. connect to a network with an existing profile):

$ nmcli connection up ''name_or_uuid''

Delete a connection:

$ nmcli connection delete ''name_or_uuid''

See a list of network devices and their state:

$ nmcli device

Turn off Wi-Fi:

$ nmcli radio wifi off

=== Edit a connection ===

For a comprehensive list of settings, see {{man|5|nm-settings}}.

Firstly, you need to get a list of connections:

{{hc|$ nmcli connection|<nowiki>
NAME UUID TYPE DEVICE
Wired connection 2 e7054040-a421-3bef-965d-bb7d60b7cecf ethernet enp5s0
Wired connection 1 997f2782-f0fc-301d-bfba-15421a2735d8 ethernet enp0s25
MY-HOME-WIFI-5G 92a0f7b3-2eba-49ab-a899-24d83978f308 wifi --
</nowiki>}}

Here you can use the first column as connection-id used later. In this example, we pick {{ic|Wired connection 2}} as a connection-id.

You have three methods to configure a connection {{ic|Wired connection 2}} after it has been created:

; nmcli interactive editor
: {{ic|nmcli connection edit 'Wired connection 2'}}. Usage is well documented from the editor.

; nmcli command line interface
: {{ic|nmcli connection modify 'Wired connection 2' ''setting''.''property'' ''value''}}. See {{man|1|nmcli}} for usage. For example, you can change its IPv4 route metric to 200 using {{ic|nmcli connection modify 'Wired connection 2' ipv4.route-metric 200}} command.
To remove a setting, pass an empty field ("") to it like this:
: {{ic|nmcli connection modify 'Wired connection 2' ''setting''.''property'' ""}}

; Connection file
: In {{ic|/etc/NetworkManager/system-connections/}}, modify the corresponding {{ic|Wired connection 2.nmconnection}} file . Do not forget to reload the configuration file with {{ic|nmcli connection reload}}.

=== nmtui ===

NetworkManager ships a text user interface (TUI) for managing connections, the system hostname and radio switches. It can be launched by running {{ic|nmtui}}.

== Front-ends ==

To provide integration with a [[desktop environment]], most users will want to install an applet. This not only provides easy access to network selection and configuration, but also provides the agent necessary for securely storing secrets. Various desktop environments have their own applet; otherwise, you can use [[#nm-applet]].

=== GNOME ===

[[GNOME]] has a built-in tool, accessible from the Network settings.

=== KDE Plasma ===

[[Install]] the {{Pkg|plasma-nm}} package. After that, add it to the KDE taskbar via the ''Panel options > Add widgets > Networks'' menu.

=== nm-applet ===

{{Pkg|network-manager-applet}} is a GTK 3 front-end which works under Xorg environments with a systray.

To store connection secrets install and configure an application which implements the [https://specifications.freedesktop.org/secret-service-spec/latest/ Secret Service D-Bus API] such as [[GNOME/Keyring]], [[KDE Wallet]], or [[KeePassXC]].

Be aware that after enabling the tick-box option {{ic|Make available to other users}} for a connection, NetworkManager stores the password in plain-text, though the respective file is accessible only to root (or other users via {{ic|nm-applet}}). See [[#Encrypted network keyphrases]].

In order to run {{ic|nm-applet}} without a systray, you can use {{AUR|trayer}} or {{Pkg|stalonetray}}. For example, you can add a script like this one in your path:

{{hc|nmgui|<nowiki>
#!/bin/sh
nm-applet 2>&1 > /dev/null &
stalonetray 2>&1 > /dev/null
killall nm-applet
</nowiki>}}

When you close the ''stalonetray'' window, it closes {{ic|nm-applet}} too, so no extra memory is used once you are done with network settings.

The applet can show notifications for events such as connecting to or disconnecting from a Wi-Fi network. For these notifications to display, ensure that you have a notification server installed - see [[Desktop notifications]]. If you use the applet without a notification server, you might see some messages in stdout/stderr, and the applet might hang. See [https://bugzilla.gnome.org/show_bug.cgi?id=788313].

In order to run {{ic|nm-applet}} with such notifications disabled, start the applet with the following command:

$ nm-applet --no-agent

{{Tip|{{ic|nm-applet}} might be started automatically with a [[XDG Autostart|autostart desktop file]], to add the {{ic|--no-agent}} option modify the Exec line there, i.e.

{{bc|1=Exec=nm-applet --no-agent}}

}}

{{Warning|On [[i3]], if nm-applet is started with the {{ic|--no-agent}} option, it is not possible to connect to a new encrypted Wi-Fi network by clicking on the item list because no password input dialogue window will pop out. [[journal]] will show {{ic|no secrets: No agents were available for this request}}.}}

==== Appindicator ====

As of version 1.18.0 Appindicator support is [https://gitlab.archlinux.org/archlinux/packaging/packages/network-manager-applet/-/commit/527448fb2a87d85055f504f463dfe961dccd75c3 available] in the official {{Pkg|network-manager-applet}} package. To use nm-applet in an Appindicator environment start the applet with the following command:

$ nm-applet --indicator

=== networkmanager-dmenu ===

Alternatively there is {{Pkg|networkmanager-dmenu}} which is a small script to manage NetworkManager connections with [[dmenu]] or [[rofi]] instead of {{ic|nm-applet}}. It provides all essential features such as connection to existing NetworkManager Wi-Fi or wired connections, connect to new Wi-Fi connections, requests passphrase if required, connect to existing VPN connections, enable/disable networking, launch ''nm-connection-editor'' GUI, connect to Bluetooth networks.

=== switchboard ===

Pantheon's {{Pkg|switchboard}} offers a desktop environment-agnostic way to configure NetworkManager when combined with {{Pkg|switchboard-plug-network}} and {{Pkg|nm-connection-editor}}. It can be ran with the following command:

$ io.elementary.settings

== Configuration ==

NetworkManager may require some additional steps to be able run properly. Make sure you have configured {{ic|/etc/hosts}} as described in [[Network configuration#Set the hostname]] section.

NetworkManager has a global configuration file at {{ic|/etc/NetworkManager/NetworkManager.conf}}. Additional configuration files can be placed in {{ic|/etc/NetworkManager/conf.d/}}. Usually no configuration needs to be done to the global defaults.

After editing a configuration file, the changes can be applied by running:

# nmcli general reload

=== NetworkManager-wait-online ===

Enabling {{ic|NetworkManager.service}} also enables {{ic|NetworkManager-wait-online.service}}, which is a oneshot system service that waits for the network to be configured. The latter has {{ic|1=WantedBy=network-online.target}}, so it will finish only when {{ic|network-online.target}} itself is enabled or pulled in by some other unit. See also [[systemd#Running services after the network is up]].

By default, {{ic|NetworkManager-wait-online.service}} waits for NetworkManager startup to complete, rather than waiting for network connectivity specifically (see {{man|1|nm-online}}). If {{ic|NetworkManager-wait-online.service}} finishes before the network is really up, resulting in failed services on boot, [[extend the unit]] to remove the {{ic|-s}} from the {{ic|ExecStart}} line:

[Service]
ExecStart=
ExecStart=/usr/bin/nm-online -q

Be aware that this can cause [https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/EGC324JD3HJCGVN7J55WYPRLFDA3TP7N/ other issues].

In some cases, the service will still fail to start successfully on boot due to the timeout setting being too short. [[Edit]] the service to change {{ic|NM_ONLINE_TIMEOUT}} from {{ic|60}} to a higher value.

=== Set up PolicyKit permissions ===

By default, all users in active local sessions are allowed to change most network settings without a password. See [[General troubleshooting#Session permissions]] to check your session type. In most cases, everything should work out of the box.

Some actions (such as changing the system hostname) require an administrator password. In this case, you need to [[Users and groups#Group management|add]] yourself to the {{ic|wheel}} group and run a [[Polkit#Authentication agents|Polkit authentication agent]] which will prompt for your password.

For remote sessions (e.g. [[TigerVNC#Running vncserver for virtual (headless) sessions|headless VNC]]), you have several options for obtaining the necessary privileges to use NetworkManager:

# [[Users and groups#Group management|Add]] yourself to the {{ic|wheel}} group. You will have to enter your password for every action. Note that your user account may be granted other permissions as well, such as the ability to use [[sudo]] without entering the root password.
# [[Users and groups#Group management|Add]] yourself to the {{ic|network}} group and create {{ic|/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules}} with the following content: {{bc|<nowiki>
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
return polkit.Result.YES;
}
});
</nowiki>}} All users in the {{ic|network}} group will be able to add and remove networks without a password (which means you do not have to run a Polkit authentication agent, so this option will also work in SSH sessions).

=== Proxy settings ===

NetworkManager does support some proxy settings. While they can not be directly modified using ''nmtui'', ''nm-applet'' and ''nmcli'' support those.
See the proxy settings in {{man|5|nm-settings-nmcli}}.

Additionally, custom proxy commands can always be run using dispatcher scripts, see [[#Dispatcher examples]].

See also [[Proxy settings]].

=== Checking connectivity ===

NetworkManager can try to reach a webserver after connecting to a network in order to determine if it is e.g behind a captive portal. The default host (configured in {{ic|/usr/lib/NetworkManager/conf.d/20-connectivity.conf}}) is [https://ping.archlinux.org ping.archlinux.org] (a CNAME alias of redirect.archlinux.org). To use a different webserver or to disable connectivity checking, create {{ic|/etc/NetworkManager/conf.d/20-connectivity.conf}}, see {{man|5|NetworkManager.conf|CONNECTIVITY SECTION}}. Below is an example of using GNOME servers (it does not require the use of [[GNOME]]):

{{hc|/etc/NetworkManager/conf.d/20-connectivity.conf|<nowiki>
[connectivity]
uri=http://nmcheck.gnome.org/check_network_status.txt
</nowiki>}}

To disable NetworkManager's connectivity check, use the following configuration. This can be useful when connected to a VPN that blocks connectivity checks.

{{hc|/etc/NetworkManager/conf.d/20-connectivity.conf|<nowiki>
[connectivity]
enabled=false
</nowiki>}}

{{Note|Although automatic connectivity checks are a potential privacy leak, Arch Linux's default connectivity URL is committed to not logging any access. See [https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/fabccd0f61e5dea3925e8a0c6a46d56d5750c121#a4f34381bbb18ea77bfb3dd11a8aeca707078fca_0_26] [https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/ping/templates/nginx.d.conf.j2].}}

=== Captive portals ===

{{Style|Complex scripts should not be maintained on the wiki.}}

For those behind a [[Wikipedia:Captive portal|captive portal]], the desktop manager may automatically open a window asking for credentials. If your desktop does not, you can use {{Pkg|capnet-assist}} package (however, it currently has a broken NetworkManager dispatcher script). Alternatively, you can create a NetworkManager dispatcher script with the following content:

{{hc|/etc/NetworkManager/dispatcher.d/90-open_captive_portal|<nowiki>
#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs shows a login webpage on walled garden networks.
# See NetworkManager(8) for further documentation of the dispatcher events.

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

if [ -x "/usr/bin/logger" ]; then
logger="/usr/bin/logger -s -t captive-portal"
else
logger=":"
fi

wait_for_process() {
PNAME=$1
while [ -z "$(/usr/bin/pgrep $PNAME)" ]; do
sleep 3;
done
}

#launch the browser, but on boot we need to wait that nm-applet starts
start_browser() {
local user="$1"
local display="$2"

export DISPLAY="$display"
wait_for_process nm-applet

export XAUTHORITY="/home/$user/.Xauthority"

$logger "Running browser as '$user' with display '$display' to login in captive portal"
sudo -u "$user" --preserve-env=DISPLAY,XAUTHORITY -H xdg-open http://capnet.elementary.io 2>&1 > /dev/null
}

# Run the right scripts
case "$2" in
connectivity-change)
$logger -p user.debug "dispatcher script triggered on connectivity change: $CONNECTIVITY_STATE"
if [ "$CONNECTIVITY_STATE" = "PORTAL" ]; then
# Match last column of who's output with ' :[at least one digit] '
who | awk '$NF ~ /$:[0-9]+$/ { print $1 " " substr($NF, 2, length($NF)-2) };' | \
while read user display; do
start_browser $user $display || $logger -p user.err "Failed for user: '$user' display: '$display'"
done
fi
;;
*)
# In a down phase
exit 0
;;
esac
</nowiki>}}

Make the script [[executable]]. But that script assumes you use X and simply opens http page. It might not work for everyone.

You will need to [[restart]] {{ic|NetworkManager.service}} or reboot for this to start working. Once you do, the dispatcher script should open a login window once it detects you are behind a captive portal.

Simple solution is [https://github.com/Seme4eg/captive-portal-sh captive-portal-sh] - shell script that obtains captive portal URL and opens it in your default browser (for Wayland users only).

Another solution is {{AUR|captive-browser-git}} based on Google Chrome.

==== iwd support for captive portal support on legacy hardware ====

Some older Wi-Fi chips (e.g. Broadcom BCM4360) require the proprietary {{ic|wl}} driver, which lacks support for the OWE/Elliptic-Curve handshake that many captive-portal hotspots use before presenting a login page. By switching NetworkManager’s Wi-Fi backend to {{ic|iwd}} (see [[#Using iwd as the Wi-Fi backend]]), which implements the full OWE key exchange in userspace over the existing driver, you can complete the encrypted association, obtain a DHCP lease, and trigger the portal “PORTAL” state. Once that is done, any dispatcher script or browser-launcher will reliably pop up the login page on hardware that otherwise could never fully connect.

=== DHCP client ===

By default NetworkManager uses its internal DHCP client. The internal DHCPv4 plugin is based on the [https://nettools.github.io/n-dhcp4/ nettools' n-dhcp4] library, while the internal DHCPv6 plugin is made from code based on systemd-networkd.

To use a different DHCP client [[install]] one of the alternatives:

* {{Pkg|dhcpcd}} - [[dhcpcd]]
* {{Pkg|dhclient}} - [[dhclient]]

To change the DHCP client backend, set the option {{ic|1=main.dhcp=''dhcp_client_name''}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}. E.g.:

{{hc|1=/etc/NetworkManager/conf.d/dhcp-client.conf|2=
[main]
dhcp=dhcpcd
}}

{{Note|
Do not enable the systemd units shipped with the {{Pkg|dhclient}} and {{Pkg|dhcpcd}} packages. They will conflict with NetworkManager, see the note in [[#Installation]] for details.
}}

=== DNS management ===

NetworkManager's DNS management is described in the GNOME project's wiki page—[https://wiki.gnome.org/Projects/NetworkManager/DNS Projects/NetworkManager/DNS].

==== DNS caching and conditional forwarding ====

NetworkManager has a plugin to enable DNS caching and conditional forwarding ([https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/143 previously] called "split DNS" in NetworkManager's documentation) using [[dnsmasq]] or [[systemd-resolved]]. The advantages of this setup is that DNS lookups will be cached, shortening resolve times, and DNS lookups of VPN hosts will be routed to the relevant VPN's DNS servers. This is especially useful if you are connected to more than one VPN.

{{Note|If {{ic|/etc/resolv.conf}} is a symlink to {{ic|/run/systemd/resolve/stub-resolv.conf}}, {{ic|/run/systemd/resolve/resolv.conf}},{{ic|/lib/systemd/resolv.conf}} or {{ic|/usr/lib/systemd/resolv.conf}}, NetworkManager will choose systemd-resolved automatically. To use dnsmasq, you must first remove that symlink, then restart NetworkManager.}}

===== dnsmasq =====

Make sure {{Pkg|dnsmasq}} has been installed. Then set {{ic|1=main.dns=dnsmasq}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=dnsmasq
}}

Now run {{ic|nmcli general reload}} as root. NetworkManager will automatically start dnsmasq and add {{ic|127.0.0.1}} to {{ic|/etc/resolv.conf}}. The original DNS servers can be found in {{ic|/run/NetworkManager/no-stub-resolv.conf}}. You can verify dnsmasq is being used by doing the same DNS lookup twice with {{ic|drill example.com}} and verifying the server and query times.

{{Note|
* You do not need to start {{ic|dnsmasq.service}} or edit {{ic|/etc/dnsmasq.conf}}. NetworkManager will start dnsmasq without using the systemd service and without reading the dnsmasq's default configuration file(s).
* The dnsmasq instance started by NetworkManager will bind to {{ic|127.0.0.1:53}}, you cannot run any other software (including {{ic|dnsmasq.service}}) on the same address and port.
}}

====== Custom dnsmasq configuration ======

Custom configurations can be created for ''dnsmasq'' by creating configuration files in {{ic|/etc/NetworkManager/dnsmasq.d/}}. For example, to change the size of the DNS cache (which is stored in RAM):

{{hc|/etc/NetworkManager/dnsmasq.d/cache.conf|2=
cache-size=1000
}}

You can check the configuration file syntax with:

$ dnsmasq --test --conf-file=/dev/null --conf-dir=/etc/NetworkManager/dnsmasq.d

See {{man|8|dnsmasq}} for all available options.

====== IPv6 ======

{{Accuracy|This does not solve the issue because NetworkManager does not add {{ic|::1}} to {{ic|/etc/resolv.conf}}. Unless {{ic|@::1}} is manually passed to drill, it will still fail with {{ic|Error: error sending query: No (valid) nameservers defined in the resolver}}.}}

Enabling {{ic|dnsmasq}} in NetworkManager may break IPv6-only DNS lookups (i.e. {{ic|drill -6 [hostname]}}) which would otherwise work. In order to resolve this, creating the following file will configure ''dnsmasq'' to also listen to the IPv6 loopback:

{{hc|/etc/NetworkManager/dnsmasq.d/ipv6-listen.conf|2=
listen-address=::1
}}

In addition, {{ic|dnsmasq}} also does not prioritize upstream IPv6 DNS. Unfortunately NetworkManager does not do this ([https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/936712 Ubuntu Bug]). A workaround would be to disable IPv4 DNS in the NetworkManager config, assuming one exists.

====== DNSSEC ======

The dnsmasq instance started by NetworkManager by default will not validate [[DNSSEC]]. To enable DNSSEC validation, thus breaking DNS resolution with name servers that do not support it, create the following configuration file:

{{hc|/etc/NetworkManager/dnsmasq.d/dnssec.conf|2=
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
}}

===== systemd-resolved =====

{{Expansion|NetworkManager 1.16 adds a new setting {{ic|main.systemd-resolved}}[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/d4eb4cb45f41b1751cacf71da558bf8f0988f383] (enabled by default). It unconditionally sends DNS configuration to systemd-resolved. Related to "Preserving resolv.conf" from [[systemd-resolved#DNS]]?}}

NetworkManager can use [[systemd-resolved]] as a DNS resolver and cache. Make sure that ''systemd-resolved'' is properly configured and that {{ic|systemd-resolved.service}} is [[started]] before using it.

systemd-resolved will be used automatically if {{ic|/etc/resolv.conf}} is a [[systemd-resolved#DNS|symlink]] to {{ic|/run/systemd/resolve/stub-resolv.conf}}, {{ic|/run/systemd/resolve/resolv.conf}} or {{ic|/usr/lib/systemd/resolv.conf}}.

You can enable it explicitly by setting {{ic|1=main.dns=systemd-resolved}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=systemd-resolved
}}

===== DNS resolver with an openresolv subscriber =====

If [[openresolv]] has a subscriber for your local [[DNS resolver]], set up the subscriber and [[#Use openresolv|configure NetworkManager to use openresolv]].

Because NetworkManager advertises a single "interface" to ''resolvconf'', it is not possible to implement conditional forwarding between two NetworkManager connections. See [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/153 NetworkManager issue 153].

This can be partially mitigated if you set {{ic|1=private_interfaces="*"}} in {{ic|/etc/resolvconf.conf}}[https://roy.marples.name/projects/openresolv/configuration/]. Any queries for domains that are not in search domain list will not get forwarded. They will be handled according to the local resolver's configuration, for example, forwarded to another DNS server or resolved recursively from the DNS root.

==== Custom DNS servers ====

===== Setting custom global DNS servers =====

To set DNS servers for all connections, specify them in {{man|5|NetworkManager.conf}} using the syntax {{ic|1=servers=''serveripaddress1'',''serveripaddress2'',''serveripaddress3''}} in a section named {{ic|[global-dns-domain-*]}}. For example:

{{hc|/etc/NetworkManager/conf.d/dns-servers.conf|2=
[global-dns-domain-*]
servers=::1,127.0.0.1
}}

{{Note|
* If you use [[#DNS caching and conditional forwarding|NetworkManager's dnsmasq or systemd-resolved plugin]] or [[#DNS resolver with an openresolv subscriber|openresolv subscribers]], then do not specify loopback addresses with the {{ic|1=servers=}} option, it can break DNS resolution.
* The specified servers do not get sent to [[systemd-resolved]], the connection's DNS servers are used instead. See [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1366 NetworkManager issue 1366] and [https://github.com/systemd/systemd/issues/33754 systemd issue 33754].
}}

===== Setting custom DNS servers in a connection =====

====== Setting custom DNS servers in a connection (GUI) ======

Setup will depend on the type of front-end used; the process usually involves right-clicking on the applet, editing (or creating) a profile, and then choosing DHCP type as ''Automatic (specify addresses)''. The DNS addresses will need to be entered and are usually in this form: {{ic|127.0.0.1, ''DNS-server-one'', ...}}.

====== Setting custom DNS servers in a connection (nmcli / connection file) ======

To set up DNS Servers per connection, you change the {{ic|ipv4.dns}} and {{ic|ipv6.dns}} settings (and their associated {{ic|dns-search}} and {{ic|dns-options}}) in the [[#Edit a connection|connection settings]].

If {{ic|method}} is set to {{ic|auto}} (when you use DHCP/RA), you need to set {{ic|ignore-auto-dns}} to {{ic|yes}}.

To use DNS over TLS ([[#systemd-resolved|requires systemd-resolved]]), specify the DNS servers using the syntax {{ic|1=dns=''ip.address''#''servername'';}} and additionally set the {{ic|connection.dns-over-tls}} setting to {{ic|2}}. For example, to use Quad9:

{{hc|/etc/NetworkManager/system-connections/Example Wi-Fi.nmconnection|2=
...
[connection]
...
dns-over-tls=2

[ipv4]
...
dns=9.9.9.9#dns.quad9.net;149.112.112.112#dns.quad9.net;
ignore-auto-dns=true

[ipv6]
...
dns=2620:fe::fe#dns.quad9.net;2620:fe::9#dns.quad9.net;
ignore-auto-dns=true
}}

{{Note|This example uses Quad9. Replace it with a DNS resolver you trust. See [[Domain name resolution#Third-party DNS services]].}}

==== /etc/resolv.conf ====

NetworkManager's {{ic|/etc/resolv.conf}} management mode is configured with the {{ic|main.rc-manager}} setting. {{Pkg|networkmanager}} sets it to {{ic|symlink}} as opposed to the upstream default {{ic|auto}}. The setting and its values are documented in the {{man|5|NetworkManager.conf}} man page.

{{Tip|Using openresolv allows NetworkManager to coexist with other ''resolvconf'' supporting software or, for example, to run a local DNS caching and split-DNS resolver for which openresolv has a [[openresolv#Subscribers|subscriber]]. Note that conditional forwarding is [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/153 not yet fully supported] when using NetworkManager with openresolv.}}

''NetworkManager'' also offers hooks via so called dispatcher scripts that can be used to alter the {{ic|/etc/resolv.conf}} after network changes. See [[#Network services with NetworkManager dispatcher]] and {{man|8|NetworkManager}} for more information.

{{Note|
* If NetworkManager is configured to use either [[#dnsmasq|dnsmasq]] or [[#systemd-resolved|systemd-resolved]], then the appropriate loopback addresses will be written to {{ic|/etc/resolv.conf}}.
* The {{ic|resolv.conf}} file NetworkManager writes or would write to {{ic|/etc/resolv.conf}} can be found at {{ic|/run/NetworkManager/resolv.conf}}.
* A {{ic|resolv.conf}} file with the acquired name servers and search domains can be found at {{ic|/run/NetworkManager/no-stub-resolv.conf}}.
}}

===== Unmanaged /etc/resolv.conf =====

To stop NetworkManager from touching {{ic|/etc/resolv.conf}}, set {{ic|1=main.dns=none}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/dns.conf|2=
[main]
dns=none
}}

{{Tip|You might also want to set {{ic|1=main.systemd-resolved=false}}, so that NetworkManager does not send the DNS configuration to [[systemd-resolved]].}}

{{Note|See [[#DNS caching and conditional forwarding]], to configure NetworkManager using other DNS backends like [[dnsmasq]] and [[systemd-resolved]], instead of using {{ic|1=main.dns=none}}.}}

After that {{ic|/etc/resolv.conf}} might be a broken symlink that you will need to remove. Then, just create a new {{ic|/etc/resolv.conf}} file.

===== Use openresolv =====

{{Note|NetworkManager does not support using systemd-resolved's ''resolvconf'' interface ({{man|1|resolvectl|COMPATIBILITY WITH RESOLVCONF(8)}}) which is provided by {{Pkg|systemd-resolvconf}}.
* Do not set {{ic|1=main.rc-manager=resolvconf}} when using [[systemd-resolved]], instead make sure to [[systemd-resolved#DNS|correctly create the /etc/resolv.conf symlink]] or [[#systemd-resolved|configure NetworkManager to use systemd-resolved explicitly]].
* Make sure the {{Pkg|systemd-resolvconf}} package is not installed when systemd-resolved is not used. Unless {{ic|systemd-resolved.service}} started, it will break all networking software (not just NetworkManager) that use resolvconf.
}}

To configure NetworkManager to use [[openresolv]], set {{ic|1=main.rc-manager=resolvconf}} with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/rc-manager.conf|2=
[main]
rc-manager=resolvconf
}}

=== Firewall ===

You can [[Firewalld#Using NetworkManager to manage zones|assign a firewalld zone]] based on your current connection. For example a restrictive firewall when at work, and a less restrictive one when at home.

This can also be done with [[#Network services with NetworkManager dispatcher|NetworkManager dispatcher]].

== Network services with NetworkManager dispatcher ==

There are quite a few network services that you will not want running until NetworkManager brings up an interface. NetworkManager has the ability to start services when you connect to a network and stop them when you disconnect (e.g. when using [[NFS]], [[SMB]] and [[NTPd]]).

To activate the feature you need to [[enable]] and [[start]] the {{ic|NetworkManager-dispatcher.service}}.

Once the service is active, scripts can be added to the {{ic|/etc/NetworkManager/dispatcher.d}} directory.

Scripts must be owned by '''root''', otherwise the dispatcher will not execute them. For added security, set group [[ownership]] to root as well:

# chown root:root /etc/NetworkManager/dispatcher.d/''10-script.sh''

Make sure the file is [[executable]].

The scripts will be run in alphabetical order at connection time, and in reverse alphabetical order at disconnect time. To ensure what order they come up in, it is common to use numerical characters prior to the name of the script (e.g. {{ic|10-portmap}} or {{ic|30-netfs}} (which ensures that the ''portmapper'' is up before NFS mounts are attempted).

Scripts will receive the following arguments:

* '''Interface name:''' e.g. {{ic|eth0}}
* '''Action:''' ''up'', ''down'', ''vpn-up'', ''vpn-down'', ... (see {{man|8|NetworkManager-dispatcher}} for the complete list)

{{Warning|If you connect to foreign or public networks, be aware of what services you are starting and what servers you expect to be available for them to connect to. You could make a security hole by starting the wrong services while connected to a public network.}}

=== Avoiding the dispatcher timeout ===

If the above is working, then this section is not relevant. However, there is a general problem related to running dispatcher scripts which take longer to be executed. Initially an internal timeout of three seconds only was used. If the called script did not complete in time, it was killed. Later the timeout was extended to about 20 seconds (see the [https://bugzilla.redhat.com/show_bug.cgi?id=982734 Bugtracker] for more information). If the timeout still creates the problem, a work around may be to use a [[drop-in file]] for the {{ic|NetworkManager-dispatcher.service}} to remain active after exit:

{{hc|/etc/systemd/system/NetworkManager-dispatcher.service.d/remain_after_exit.conf|2=
[Service]
RemainAfterExit=yes
}}

Now start and enable the modified {{ic|NetworkManager-dispatcher}} service.

{{Warning|Adding the {{ic|RemainAfterExit}} line to it will prevent the dispatcher from closing. Unfortunately, the dispatcher '''has''' to close before it can run your scripts again. With it the dispatcher will not time out but it also will not close, which means that the scripts will only run once per boot. Therefore, do not add the line unless the timeout is definitely causing a problem.}}

=== Dispatcher examples ===

==== Automatically set the timezone ====

Create a [[#Network services with NetworkManager dispatcher|NetworkManager dispatcher script]] and make it [[executable]]:

{{hc|/etc/NetworkManager/dispatcher.d/09-timezone|
#!/bin/sh
case "$2" in
up)
timedatectl set-timezone "$(curl --fail <nowiki>https://ipapi.co/timezone</nowiki>)"
;;
esac
}}

{{Tip|Using {{ic|connectivity-change}} instead of {{ic|up}} can prevent timezone changes when connecting to VPNs with clients such as [[OpenConnect]].}}

Alternatively, the tool {{aur|tzupdate}} automatically sets the timezone based on the geolocation of the IP address. This [https://medium.com/@ipdata_co/what-is-the-best-commercial-ip-geolocation-api-d8195cda7027 comparison of the most popular IP geolocation apis] may be helpful in deciding which API to use in production.

==== Mount remote directory with sshfs ====

As the script is run in a very restrictive environment, you have to export {{ic|SSH_AUTH_SOCK}} in order to connect to your SSH agent. There are different ways to accomplish this, see [https://bbs.archlinux.org/viewtopic.php?pid=1042030#p1042030 this message] for more information. The example below works with [[GNOME Keyring]], and will ask you for the password if not unlocked already. In case NetworkManager connects automatically on login, it is likely ''gnome-keyring'' has not yet started and the export will fail (hence the sleep). The {{ic|UUID}} to match can be found with the command {{ic|nmcli connection status}} or {{ic|nmcli connection list}}.

{{bc|<nowiki>
#!/bin/sh
USER='username'
REMOTE='user@host:/remote/path'
LOCAL='/local/path'

interface=$1 status=$2
if [ "$CONNECTION_UUID" = "</nowiki>''uuid''<nowiki>" ]; then
case $status in
up)
# sleep 10
SSH_AUTH_SOCK=$(find /tmp -maxdepth 1 -type s -user "$USER" -name 'ssh')
export SSH_AUTH_SOCK
su "$USER" -c "sshfs $REMOTE $LOCAL"
;;
down)
fusermount -u "$LOCAL"
;;
esac
fi
</nowiki>}}

==== Mounting of SMB shares ====

Some [[SMB]] shares are only available on certain networks or locations (e.g. at home). You can use the dispatcher to only mount SMB shares that are present at your current location.

The following script will check if we connected to a specific network and mount shares accordingly:

{{hc|/etc/NetworkManager/dispatcher.d/30-mount-smb.sh|<nowiki>
#!/bin/sh

# Find the connection UUID with "nmcli connection show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
if [ "$2" = "up" ]; then
if [ "$CONNECTION_UUID" = "uuid" ]; then
mount /your/mount/point &
# add more shares as needed
fi
fi
</nowiki>}}

The following script will unmount all SMB shares before a software initiated disconnect from a specific network:

{{hc|/etc/NetworkManager/dispatcher.d/pre-down.d/30-umount-smb.sh|<nowiki>
#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
umount -a -l -t cifs
fi
</nowiki>}}

{{Note|Make sure this script is located in the {{ic|pre-down.d}} sub-directory as shown above, otherwise it will unmount all shares on any connection state change.}}

The following script will attempt to unmount all SMB shares following an unexpected disconnect from a specific network:

{{hc|/etc/NetworkManager/dispatcher.d/40-umount-smb.sh|<nowiki>
#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
if [ "$2" = "down" ]; then
umount -a -l -t cifs
fi
fi
</nowiki>}}

{{Note|
* Since NetworkManager 0.9.8, the ''pre-down'' and ''down'' events are not executed on shutdown or restart, see [https://bugzilla.gnome.org/show_bug.cgi?id=701242 this bug report] for more info.
* The previous ''umount'' scripts are still prone to leaving applications actually accessing the mount to 'hang'.
}}

An alternative is to use the script as seen in [[NFS#Using a NetworkManager dispatcher]]:

{{hc|/etc/NetworkManager/dispatcher.d/30-smb.sh|<nowiki>
#!/bin/sh

# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"

if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then

# Script parameter $1: network interface name, not used
# Script parameter $2: dispatched event

case "$2" in
"up")
mount -a -t cifs
;;
"down"|"pre-down"|"vpn-pre-down")
umount -l -a -t cifs >/dev/null
;;
esac
fi
</nowiki>}}

{{Note|This script ignores mounts with the {{ic|noauto}} option, remove this mount option or use {{ic|auto}} to allow the dispatcher to manage these mounts.}}

Create a symlink inside {{ic|/etc/NetworkManager/dispatcher.d/pre-down/}} to catch the {{ic|pre-down}} events:

# ln -s ../30-smb.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-smb.sh

==== Mounting of NFS shares ====

See [[NFS#Using a NetworkManager dispatcher]].

==== Use dispatcher to automatically toggle wireless depending on LAN cable being plugged in ====

The idea is to only turn Wi-Fi on when the LAN cable is unplugged (for example when detaching from a laptop dock), and for Wi-Fi to be automatically disabled, once a LAN cable is plugged in again.

Create the following dispatcher script[https://superuser.com/questions/233448/disable-wlan-if-wired-cable-network-is-available], replacing {{ic|''Your_Ethernet_Interface''}} with your ethernet interface's device name.

{{Note|You can get a list of interfaces using [[#nmcli examples|nmcli]] ({{ic|nmcli d {{!}} grep ethernet}}). The Ethernet interfaces start with {{ic|en}} or {{ic|eth}}, e.g. {{ic|enp0s5}} or {{ic|eth0}}.}}

Remember to make the script [[executable]]. You can verify that it works by [[restart]]ing {{ic|NetworkManager.service}}, running {{ic|ip a}}, and checking that {{ic|wlp3s0}} (or whatever your Wi-Fi interface is called) is in {{ic|state DOWN}}. If you encounter unexpected behavior, check the [[journal]] of {{ic|NetworkManager-dispatcher.service}}.

{{hc|/etc/NetworkManager/dispatcher.d/99-wifi-auto-toggle.sh|2=
#!/bin/sh

LOG_PREFIX="WiFi Auto-Toggle"
ETHERNET_INTERFACE="''Your_Ethernet_Interface''"

if [ "$1" = "$ETHERNET_INTERFACE" ]; then
case "$2" in
up)
echo "$LOG_PREFIX ethernet up"
nmcli radio wifi off
;;
down)
echo "$LOG_PREFIX ethernet down"
nmcli radio wifi on
;;
esac
elif [ "$(nmcli -g GENERAL.STATE device show $ETHERNET_INTERFACE)" = "20 (unavailable)" ]; then
echo "$LOG_PREFIX failsafe"
nmcli radio wifi on
fi
}}

{{Note|There is a fail-safe for the case when the LAN interface was connected when the computer was last on, and then disconnected while the computer was off. That would mean the radio would still be off when the computer is turned back on, and with a disconnected LAN interface, you would have no network.}}

==== Use dispatcher to connect to a VPN after a network connection is established ====

In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific Wi-Fi network. First thing to do is to create the dispatcher script that defines what to do after we are connected to the network.

{{Accuracy|A scripting without {{ic|iwgetid}} does work too and may be more reliable?|section=Fixes for automatic VPN dispatcher script}}

{{Note|This script will require {{Pkg|wireless_tools}} in order to use {{ic|iwgetid}}.}}

{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki>
#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
up|vpn-down)
if iwgetid | grep -qs ":\"$ESSID\""; then
nmcli connection up id "$VPN_NAME"
fi
;;
down)
if iwgetid | grep -qs ":\"$ESSID\""; then
if nmcli connection show --active | grep "$VPN_NAME"; then
nmcli connection down id "$VPN_NAME"
fi
fi
;;
esac
</nowiki>}}

If you would like to attempt to automatically connect to VPN for all Wi-Fi networks, you can use the following definition of the ESSID: {{ic|1=ESSID=$(iwgetid -r)}}. Remember to set the script's permissions [[#Network services with NetworkManager dispatcher|accordingly]].

Trying to connect with the above script may still fail with {{ic|NetworkManager-dispatcher.service}} complaining about 'no valid VPN secrets', because of [https://developer.gnome.org/NetworkManager/0.9/secrets-flags.html the way VPN secrets are stored]. Fortunately, there are different options to give the above script access to your VPN password.

1: One of them requires editing the VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring [https://bugzilla.redhat.com/show_bug.cgi?id=710552 that will be inaccessible for root]: open up {{ic|/etc/NetworkManager/system-connections/''name of your VPN connection''.nmconnection}} and change the {{ic|password-flags}} and {{ic|secret-flags}} from {{ic|1}} to {{ic|0}}.

If that alone does not work, you may have to create a {{ic|passwd-file}} in a safe location with the same permissions and ownership as the dispatcher script, containing the following:

{{hc|/path/to/passwd-file|
vpn.secrets.password:YOUR_PASSWORD
}}

The script must be changed accordingly, so that it gets the password from the file:

{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki>
#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
up|vpn-down)
if iwgetid | grep -qs ":\"$ESSID\""; then
nmcli connection up id "$VPN_NAME" passwd-file /path/to/passwd-file
fi
;;
down)
if iwgetid | grep -qs ":\"$ESSID\""; then
if nmcli connection show --active | grep "$VPN_NAME"; then
nmcli connection down id "$VPN_NAME"
fi
fi
;;
esac
</nowiki>}}

2: Alternatively, change the {{ic|password-flags}} and put the password directly in the configuration file adding the section {{ic|vpn-secrets}}:

[vpn]
....
password-flags=0

[vpn-secrets]
password=''your_password''

{{Note|It may now be necessary to re-open the NetworkManager connection editor and save the VPN passwords/secrets again.}}

==== Use dispatcher to disable IPv6 on VPN provider connections ====

Many [[:Category:VPN providers|commercial VPN providers]] support only IPv4. That means all IPv6 traffic bypasses the VPN and renders it virtually useless. To avoid this, dispatcher can be used to disable all IPv6 traffic for the time a VPN connection is up.

{{hc|/etc/NetworkManager/dispatcher.d/10-vpn-ipv6|<nowiki>
#!/bin/sh

case "$2" in
vpn-up)
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
;;
vpn-down)
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
;;
esac
</nowiki>}}

{{Note|The above script does not work for WireGuard since NetworkManager does not send the {{ic|vpn-up/down}} events for it. Instead you have to rely on generic events for your WireGuard interfaces as demonstrated in [https://gist.github.com/TheDcoder/85e1ec99a31180e20ba8e4896024f265].}}

As an alternative, dispatcher can be used to temporarily set the IPv6 mode of the device used by the VPN connection to {{ic|link-local}}. This will avoid NetworkManager log spam about IPv6 being disabled. This script will not work if multiple devices or connections provide IPv6 connectivity, but could be adapted to iterate over multiple devices. Note that any change to the connection (using {{man|1|nmcli}} or a [[desktop environment]]) will reapply the entire connection to the device and re-enable IPv6 (if it is enabled in the connection).

{{hc|/etc/NetworkManager/dispatcher.d/10-vpn-ipv6|<nowiki>
#!/bin/sh

case "$2" in
vpn-up)
nmcli device modify "${DEVICE_IFACE}" ipv6.method link-local
;;
vpn-down)
nmcli device reapply "${DEVICE_IFACE}"
;;
esac
</nowiki>}}

==== OpenNTPD ====

See [[OpenNTPD#Using NetworkManager dispatcher]].

==== Dynamically set NTP servers received via DHCP with systemd-timesyncd ====

When roaming between different networks (e.g. a company's LAN, Wi-Fi at home, various other Wi-Fi now and then) you might want to set the NTP server(s) used by timesyncd to those provided by DHCP. However, NetworkManager itself is not capable to communicate with systemd-timesyncd to set the NTP server(s).

The dispatcher can work around it.

[[Create]] the overlay directory for your systemd-timesyncd configuration {{ic|/etc/systemd/timesyncd.conf.d}} if it does not already exist. Inside {{ic|/etc/NetworkManager/dispatcher.d}}, put the following:

{{hc|/etc/NetworkManager/dispatcher.d/10-update-timesyncd|<nowiki>
#!/bin/sh

[ -z "$CONNECTION_UUID" ] && exit 0
INTERFACE="$1"
ACTION="$2"

case $ACTION in
up | dhcp4-change | dhcp6-change)
# `DHCP6_DHCP6_NTP_SERVERS` with double `DHCP6` is the correct variable name as varified by `printenv` as of NetworkManager 1.56.0-1
set -- ${DHCP6_DHCP6_NTP_SERVERS-} ${DHCP4_NTP_SERVERS-}
servers=$*
[ -n "$servers" ] || exit 0
mkdir -p /etc/systemd/timesyncd.conf.d
cat <<-THE_END >"/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
[Time]
NTP=$servers
THE_END
systemctl restart systemd-timesyncd.service
;;
down)
rm -f "/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
systemctl restart systemd-timesyncd.service
;;
esac
</nowiki>}}

Every time NetworkManager sets up a new network connection ({{ic|1=ACTION=up}}) or gets some update for an existing connection ({{ic|1=ACTION=dhcp4-change}} or {{ic|1=ACTION=dhcp6-change}}) and the provided connection data contains information about NTP server(s) ({{ic|DHCP6_DHCP6_NTP_SERVERS}} and {{ic|DHCP4_NTP_SERVERS}}), a connection specific overlay configuration file is written to {{ic|/etc/systemd/timesyncd.conf.d}}, containing the provided NTP server(s). Whenever a connection is taken down ({{ic|1=ACTION=down}}) the connection specific overlay file is removed. After each change to the configuration of systemd-timesyncd, this service is restarted to pick up the updated configuration. The use of connection specific configuration files is intentional so that when two or more connections are managed by NetworkManager in parallel the different NTP server names in the configuration are not overwritten as {{ic|up}}, {{ic|dhcp4-change}}, {{ic|dhcp6-change}} and {{ic|down}} actions might come in an arbitrary order.

{{Note|{{ic|1=DHCP6_DHCP6_NTP_SERVERS}} with double {{ic|1=DHCP6}} is the correct variable name as varified by {{ic|1=printenv}} as of NetworkManager 1.56.0-1 }}

== Testing ==

NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to [[start]] {{ic|NetworkManager.service}}.

Some applets will provide you with a {{ic|.desktop}} file so that the NetworkManager applet can be loaded through the application menu. If it does not, you are going to either have to discover the command to use or logout and login again to start the applet. Once the applet is started, it will likely begin polling network connections with for auto-configuration with a DHCP server.

To start the GNOME applet in non-xdg-compliant window managers like [[awesome]]:

nm-applet --sm-disable &

For static IP addresses, you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.

== Tips and tricks ==

=== Encrypted network keyphrases ===

By default, NetworkManager stores passwords in clear text in the connection files at {{ic|/etc/NetworkManager/system-connections/}}. To print the stored passwords, use the following command:

# grep -r '^psk=' /etc/NetworkManager/system-connections/

The passwords are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. {{ic|nm-applet}}).

It is preferable to save the passwords in encrypted form in a keyring instead of clear text. The downside to this is that the connections have to be set up for each user.

In order to read and write to the keyring, there must be a secret agent available. This can be one of:

* {{ic|nmcli}} with the {{ic|--ask}} option
* One of the graphical interfaces from [[#Front-ends]]

If you make neither of these available, then authentication will fail with the error {{ic|no secrets: No agents were available for this request.}}

On a single user machine, it is enough to set up encryption for root partition. See: [[Dm-crypt]].

==== Using GNOME Keyring ====

The keyring daemon has to be started and the keyring needs to be unlocked for the following to work.

Furthermore, NetworkManager needs to be configured not to store the password for all users. Using GNOME's {{Pkg|network-manager-applet}}, run {{ic|nm-connection-editor}} from a terminal, select a network connection, click ''Edit'', select the ''Wi-Fi Security'' tab and click on the right icon of password and check ''Store the password only for this user''.

==== Using KDE Wallet ====

Using KDE's {{Pkg|plasma-nm}}, click the applet, click on the top right ''Settings'' icon, click on a network connection, in the ''General configuration'' tab, untick ''All users may connect to this network''. If the option is ticked, the passwords will still be stored in clear text, even if a keyring daemon is running.

If the option was selected previously and you un-tick it, you may have to use the {{ic|reset}} option first to make the password disappear from the file. Alternatively, delete the connection first and set it up again.

=== Sharing internet connection over Wi-Fi ===

You can share your internet connection (e.g. 3G or wired) with a few clicks. Please note that a [[firewall]] may interfere with internet sharing.

You will need a Wi-Fi card which supports AP mode, see [[Software access point#Wi-Fi device must support AP mode]] for details.

[[Install]] the {{Pkg|dnsmasq}} package to be able to actually share the connection. Note that NetworkManager starts its own instance of ''dnsmasq'', independent of {{ic|dnsmasq.service}}, as a DHCP server. See [[#dnsmasq]] for the caveats.

Create the shared connection:

* Click on applet and choose ''Create new wireless network''.
* Follow wizard (choose WPA2 or higher, be sure to use at least 8 character long password, lower lengths will fail).
** Choose either [[Fedora:Features/RealHotspot|Hotspot]] or Ad-hoc as Wi-Fi mode.

The connection will be saved and remain stored for the next time you need it.

{{Note|Android does not support connecting to Ad-hoc networks. To share a connection with Android use infrastructure mode (i.e. set Wi-Fi mode to "Hotspot").}}

=== Sharing internet connection over Ethernet ===

Scenario: your device has internet connection over Wi-Fi and you want to share the internet connection to other devices over Ethernet.

Requirements:

* [[Install]] the {{Pkg|dnsmasq}} and {{Pkg|nm-connection-editor}} packages to be able to actually share the connection. Note that NetworkManager starts its own instance of ''dnsmasq'', independent of {{ic|dnsmasq.service}}, as a DHCP server. See [[#dnsmasq]] for the caveats.
* Your internet connected device and the other devices are connected over a suitable Ethernet cable (this usually means a cross over cable or a switch in between).
* Internet sharing is not blocked by a [[firewall]].

Steps:

* Run {{ic|nm-connection-editor}} from terminal.
* Add a new Ethernet connection.
* Give it some sensible name. For example "Shared Internet"
* Go to "IPv4 Settings".
* For "Method:" select "Shared to other computers".
* Save

Now you should have a new option "Shared Internet" under the Wired connections in NetworkManager.

=== Checking if networking is up inside a cron job or script ===

{{Out of date|''nm-tool'' was removed from NetworkManager for long time now[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/bb8c75bd536d4f8fb80a4366025a279078f0ec81]. ''nmcli'' should be used instead.}}

Some ''cron'' jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an '''if''' test for networking that queries NetworkManager's ''nm-tool'' and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network.

{{bc|<nowiki>
if [ $(nm-tool|grep State|cut -f2 -d' ') == "connected" ]; then
#Whatever you want to do if the network is online
else
#Whatever you want to do if the network is offline - note, this and the else above are optional
fi
</nowiki>}}

This is useful for a {{ic|cron.hourly}} script that runs ''fpupdate'' for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from ''nm-tool''; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.

=== Connect to network with secret on boot ===

By default, NetworkManager will not connect to networks requiring a secret automatically on boot. This is because it locks such connections to the user who makes it by default, only connecting after they have logged in. To change this, do the following:

# Right click on the {{ic|nm-applet}} icon in your panel and select Edit Connections and open the Wireless tab
# Select the connection you want to work with and click the Edit button
# Check the boxes “Connect Automatically” and “Available to all users”
# Additionally, ensure that under "Wi-Fi Security", "Store password for all users (not encrypted)" is selected

Log out and log back in to complete.

=== OpenConnect with password in KWallet ===

While you may type both values at connection time, {{Pkg|plasma-nm}} 0.9.3.2-1 and above are capable of retrieving OpenConnect username and password directly from [[KWallet]].

Open "KDE Wallet Manager" and look up your OpenConnect VPN connection under "Network Management|Maps". Click "Show values" and
enter your credentials in key "VpnSecrets" in this form (replace ''username'' and ''password'' accordingly):

form:main:username%SEP%''username''%SEP%form:main:password%SEP%''password''

Next time you connect, username and password should appear in the "VPN secrets" dialog box.

=== Ignore specific devices ===

Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them. You can quickly and easily ignore devices by MAC or interface-name by using the following in {{ic|/etc/NetworkManager/conf.d/unmanaged.conf}}:

[keyfile]
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth0

After editing the file, run {{ic|nmcli general reload}} as root. Afterwards you should be able to configure interfaces without NetworkManager altering what you have set.

=== Configuring MAC address randomization ===

See [[MAC address spoofing#NetworkManager]].

{{Note| The iwd backend reportedly refuses MAC address randomisation. A workaround is available at [[MAC address spoofing#NetworkManager]]. }}

=== Turn off hostname sending ===

NetworkManager by default sends the hostname to the DHCP server.

To disable sending your hostname to the DHCP server globally, set the {{ic|ipv4.dhcp-send-hostname{{=}}0}} and {{ic|ipv6.dhcp-send-hostname{{=}}0}} options with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}. E.g.:

{{hc|/etc/NetworkManager/conf.d/dhcp-send-hostname.conf|2=
[connection]
ipv4.dhcp-send-hostname=0
ipv6.dhcp-send-hostname=0
}}

To disable sending your hostname to the DHCP server for a specific connection (or alternatively, enable it for a connection if it is disabled globally), add the following to your network connection file:

{{hc|/etc/NetworkManager/system-connections/''your_connection_file''.nmconnection|2=
...
[ipv4]
dhcp-send-hostname=false
...
[ipv6]
dhcp-send-hostname=false
...
}}

{{Note|These options are only honored by the default [[#DHCP client|internal DHCP client]]. To omit sending the hostname when using NetworkManager with dhcpcd, edit {{ic|/etc/dhcpcd.conf}} and insert {{ic|anonymous}} as the last line.}}

=== Enable IPv6 Privacy Extensions ===

See [[IPv6#NetworkManager]].

=== Configure a unique DUID per connection ===

The DHCPv6 Unique Identifier (DUID) is a value used by the DHCPv6 client to identify itself to DHCPv6 servers. NetworkManager supports 3 types of DUID:

* DUID-UUID ([[RFC:6355|RFC 6355]]): generated from an Universally Unique IDentifier (UUID).
* DUID-LL ([[RFC:3315|RFC 3315]]): generated from the Link-Layer address (a.k.a. MAC address).
* DUID-LLT ([[RFC:3315|RFC 3315]]): generated from the Link-Layer address plus a timestamp.

If the internal NetworkManager's DHCP client is in use (the default) it will identify itself with a global and permanent DUID-UUID generated from the machine-id ({{ic|/etc/machine-id}}). This means that all connections share the same UUID, which may be a privacy breach.

Fortunately, NetworkManager is able to provide unique DUIDs per connection, derived from the connection's stable-id and a per-host unique key. You can enable that by adding the following configuration under {{ic|/etc/NetworkManager/conf.d}}:

{{hc|/etc/NetworkManager/conf.d/duid.conf|2=
[connection]
ipv6.dhcp-duid=stable-uuid
}}

The {{ic|stable-ll}} and {{ic|stable-llt}} values are also supported. For further information read the description for {{ic|dhcp-duid}} in {{man|5|nm-settings|ipv6 setting}}.

=== Working with wired connections ===

By default, NetworkManager generates a connection profile for each wired ethernet connection it finds. At the point when generating the connection, it does not know whether there will be more Ethernet adapters available. Hence, it calls the first wired connection "Wired connection 1". You can avoid generating this connection, by configuring {{ic|no-auto-default}} (see {{man|5|NetworkManager.conf}}), or by simply deleting it. Then NetworkManager will remember not to generate a connection for this interface again.

You can also edit the connection (and persist it to disk) or delete it. NetworkManager will not re-generate a new connection. Then you can change the name to whatever you want. You can use something like {{Pkg|nm-connection-editor}} for this task.

=== Using iwd as the Wi-Fi backend ===

{{Note|1=<nowiki/>
* Do not enable {{ic|iwd.service}} or manually configure [[iwd]]. NetworkManager will start and manage it itself.
* Consider [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues?scope=all&utf8=%E2%9C%93&state=opened&search=iwd existing issues] before switching to ''iwd''.}}

To enable the [https://archive.kernel.org/oldwiki/iwd.wiki.kernel.org/networkmanager.html experimental iwd backend], first [[install]] {{Pkg|iwd}} and then create the following configuration file:

{{hc|/etc/NetworkManager/conf.d/wifi_backend.conf|2=
[device]
wifi.backend=iwd
}}

To use MAC randomization with iwd see [[MAC address spoofing#iwd]].

Alternatively, you can install {{AUR|networkmanager-iwd}}, a modified package configured to build ''NetworkManager'' working exclusively with ''iwd'', with the main difference being that ''iwd'' is required and ''wpa_supplicant'' can be uninstalled after building.

{{Note|1=You may need to [https://archive.kernel.org/oldwiki/iwd.wiki.kernel.org/networkmanager.html#converting_network_profiles convert existing NetworkManager network profiles] after switching to ''iwd''.}}

=== Running in a network namespace ===

If you would like to run NetworkManager inside a network namespace (e.g., to manage a specific device which should be used by selected applications), bring the device down before moving it to the namespace:

$ ip link set dev ''MY_DEVICE'' down
$ ip link set dev ''MY_DEVICE'' netns ''MY_NAMESPACE''
$ ip netns exec ''MY_NAMESPACE'' NetworkManager
...
$ ip netns exec ''MY_NAMESPACE'' killall NetworkManager

otherwise NetworkManager will later fail to establish the connection with a {{ic|device is strictly unmanaged}} error.

=== Automatically connect to VPN ===

NetworkManager can be set to automatically connect to a VPN when connecting to the internet, on a per network basis. The VPN connection itself can be added in GNOME's NetworkManager front-end, but to make it automatically use the VPN {{ic|nmcli}} must be used. Other front-ends might not have this limitation.

First, make sure to make the VPN connection available to all users. In the GNOME this is a matter of checking a box under the {{ic|details}} tab. Under the {{ic|Identity}} tab, in the password field, click the icon on the right side in the field, and set it to {{ic|Store the password for all users}}.

Then find the UUID of the VPN connection, and add that to {{ic|connection.secondaries}} of the Internet connection:

# UUID=$(nmcli --get-values connection.uuid connection show ''name-of-VPN-connection'')
# nmcli connection modify ''name-of-Internet-connection'' connection.secondaries "$UUID"

Now when NetworkManager is restarted and you connect to the Internet connection you have configured, you should automatically get connected to the VPN.

== Troubleshooting ==

=== No prompt for password of secured Wi-Fi networks ===

When trying to connect to a secured Wi-Fi network, no prompt for a password is shown and no connection is established. This happens when no keyring package is installed. An easy solution is to install {{Pkg|gnome-keyring}}. If you want the passwords to be stored in encrypted form, follow [[GNOME Keyring]] to set up the ''gnome-keyring-daemon''.

=== Network management disabled ===

When NetworkManager shuts down but the pid (state) file is not removed, you will see a {{ic|Network management disabled}} message. If this happens, remove the file manually:

# rm /var/lib/NetworkManager/NetworkManager.state

=== Problems with internal DHCP client ===

If you have problems with getting an IP address using the internal DHCP client, consider using another DHCP client, see [[#DHCP client]] for instructions. This workaround might solve problems in big wireless networks like eduroam.

=== DHCP problems with dhclient ===

If you have problems with getting an IP address via DHCP, try to add the following to your {{ic|/etc/dhclient.conf}}:

interface "eth0" {
send dhcp-client-identifier 01:''aa:bb:cc:dd:ee:ff'';
}

Where {{ic|''aa:bb:cc:dd:ee:ff''}} is the MAC address of this NIC. The MAC address can be found using the {{ic|ip link show ''interface''}} command from the {{Pkg|iproute2}} package.

=== 3G modem not detected ===

See [[Mobile broadband modem#NetworkManager]].

=== Switching off WLAN on laptops ===

Sometimes NetworkManager will not work when you disable your Wi-Fi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with ''rfkill''. To check if the driver notifies ''rfkill'' about the wireless adapter's status, use:

$ watch -n1 rfkill list all

If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):

# rfkill event unblock X

=== Static IP address settings revert to DHCP ===

{{Out of date|This section is [[Special:Diff/119236|added in 2010]] and describes an ancient version of ''nm-applet''. Is this still relevant in 2024?}}

Due to an unresolved bug, when changing default connections to a static IP address, {{ic|nm-applet}} may not properly store the configuration change, and will revert to automatic DHCP.

To work around this issue you have to edit the default connection (e.g. "Auto eth0") in {{ic|nm-applet}}, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP address settings as desired, and click '''Apply'''. This will save a new connection with the given name.

Next, you will want to make the default connection not connect automatically. To do so, run {{ic|nm-connection-editor}} ('''not''' as root). In the connection editor, edit the default connection (e.g. "Auto eth0") and uncheck "Connect automatically". Click '''Apply''' and close the connection editor.

=== Cannot edit connections as normal user ===

See [[#Set up PolicyKit permissions]].

=== Forget hidden wireless network ===

Since hidden networks are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:

# rm /etc/NetworkManager/system-connections/''SSID''.nmconnection

This also works for any other connection.

=== VPN not working in GNOME ===

When setting up OpenConnect or vpnc connections in NetworkManager while using GNOME, you will sometimes never see the dialog box pop up and the following error appears in {{ic|/var/log/errors.log}}:

localhost NetworkManager[399]: <error> [1361719690.10506] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.

This is caused by the GNOME NetworkManager Applet expecting dialog scripts to be at {{ic|/usr/lib/gnome-shell}}, when NetworkManager's packages put them in {{ic|/usr/lib/networkmanager}}.
As a "temporary" fix (this bug has been around for a while now), make the following symlink(s):

* For OpenConnect: {{ic|ln -s /usr/lib/nm-openconnect-auth-dialog /usr/lib/gnome-shell/}}
* For VPNC (i.e. Cisco VPN): {{ic|ln -s /usr/lib/nm-vpnc-auth-dialog /usr/lib/gnome-shell/}}

This may need to be done for any other NetworkManager VPN plugins as well, but these are the two most common.

=== Unable to connect to visible European wireless networks ===

WLAN chips are shipped with a default [[Wireless network configuration#Respecting the regulatory domain|regulatory domain]]. If your access point does not operate within these limitations, you will not be able to connect to the network. Fixing this is easy:

# [[Install]] {{Pkg|wireless-regdb}}.
# Uncomment the correct country code in {{ic|/etc/conf.d/wireless-regdom}}.
# Reboot the system, because the setting is only read on boot.

=== Automatic connect to VPN on boot is not working ===

The problem occurs when the system (i.e. NetworkManager running as the root user) tries to establish a VPN connection, but the password is not accessible because it is stored in the GNOME Keyring of a particular user.

A solution is to keep the password to your VPN in plaintext, as described in step (2.) of [[#Use dispatcher to connect to a VPN after a network connection is established]].

You do not need to use the dispatcher described in step (1.) to auto-connect anymore, if you use the new "auto-connect VPN" option from the {{ic|nm-applet}} GUI.

=== systemd bottleneck ===

Over time the log files ({{ic|/var/log/journal}}) can become very large. This can have a big impact on boot performance when using NetworkManager, see: [[systemd#Boot time increasing over time]].

=== Regular network disconnects, latency and lost packets (Wi-Fi) ===

NetworkManager does a scan every 2 minutes.

Some Wi-Fi drivers have issues when scanning for base stations whilst connected/associated. Symptoms include VPN disconnects/reconnects and lost packets, web pages failing to load and then refresh fine.

Running {{ic|journalctl -f}} as root will indicate that this is taking place, messages like the following will be contained in the logs at regular intervals.

NetworkManager[410]: <info> (wlp3s0): roamed from BSSID 00:14:48:11:20:CF (my-wifi-name) to (none) ((none))

If roaming is not important, the periodic scanning behavior can be disabled by locking the BSSID of the access point in the Wi-Fi connection profile.

=== Unable to turn on Wi-Fi with Lenovo laptop (IdeaPad, Legion, etc.) ===

There is an issue with the {{ic|ideapad_laptop}} module on some Lenovo models due to the Wi-Fi driver incorrectly reporting a soft block. The card can still be manipulated with {{ic|netctl}}, but managers like NetworkManager break. You can verify that this is the problem by checking the output of {{ic|rfkill list}} after toggling your hardware switch and seeing that the soft block persists.

{{Accuracy|Try to use {{ic|rfkill.default_state}} and {{ic|rfkill.master_switch_mode}} (see [https://docs.kernel.org/admin-guide/kernel-parameters.html kernel-parameters.html]) to fix the rfkill problem.}}

[[modprobe|Unloading]] the {{ic|ideapad_laptop}} module should fix this. ('''warning''': this may disable the laptop keyboard and touchpad also!).

=== nm-applet disappears in i3wm ===

If you use the {{ic|xfce4-notifyd.service}} for notifications you must [[edit]] the unit and add the following:

{{hc|/etc/systemd/user/xfce4-notifyd.service.d/display_env.conf|2=
[Service]
Environment="DISPLAY=:0.0"
}}

After reloading the daemons [[restart]] {{ic|xfce4-notifyd.service}}. Exit i3 and start it back up again and the applet should show on the tray.

=== Unit dbus-org.freedesktop.resolve1.service not found ===

If {{ic|systemd-resolved.service}} is not started, NetworkManager will try to start it using D-Bus and fail:

dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")
dbus-daemon[991]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.resolve1.service': Unit dbus-org.freedesktop.resolve1.service not found.
dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")

This is because NetworkManager will try to send DNS information to [[systemd-resolved]] regardless of the {{ic|1=main.dns=}} setting in {{man|5|NetworkManager.conf}}.[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/d4eb4cb45f41b1751cacf71da558bf8f0988f383]

This can be disabled with a configuration file in {{ic|/etc/NetworkManager/conf.d/}}:

{{hc|/etc/NetworkManager/conf.d/no-systemd-resolved.conf|2=
[main]
systemd-resolved=false
}}

See {{Bug|62138}}.

=== Secrets were required, but not provided ===

If you received the following error when attempting to connect to a network:

{{hc|$ nmcli device wifi connect ''SSID'' password ''password''|
Error: Connection activation failed: (7) Secrets were required, but not provided
}}

This error can have numerous causes and you should read the [[journal]] (filter it with {{ic|-u NetworkManager}}). For example, if NetworkManager took too long to establish connection, it will believe that the password is incorrect:

{{bc|
NetworkManager[1372]: <warn> [1643991888.3808] device (wlan0): Activation: (wifi) association took too long
NetworkManager[1372]: <info> [1643991888.3809] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
NetworkManager[1372]: <warn> [1643991888.3838] device (wlan0): Activation: (wifi) asking for new secrets
}}

You can try deleting the connection profile and creating a new one:

$ nmcli connection delete ''SSID''
$ nmcli device wifi connect ''SSID'' password ''password''

You can also try disabling MAC address randomization:

{{hc|/etc/NetworkManager/conf.d/wifi_rand_mac.conf|2=
[device]
wifi.scan-rand-mac-address=no
}}

=== WPA Enterprise connection with iwd ===

If you try to connect to an WPA Enterprise network like 'eduroam' with NetworkManager with the [[#Using iwd as the Wi-Fi backend|iwd backend]] then you will get the following error from NetworkManager:

Connection 'eduroam' is not avialable on device wlan0 because profile is not compatible with device (802.1x connections must have IWD provisioning files)

This is because NetworkManager can not configure a WPA Enterprise network. Therefore you have to configure it using an iwd configuration file {{ic|/var/lib/iwd/''essid''.8021x}} like described in [[iwd#WPA Enterprise]].

=== Failed to request VPN secrets ===

If you get this error:
Failed to request VPN secrets #1: No agents were available for this request.

It is either because the password is empty or you have to [[#Set up PolicyKit permissions|set up PolicyKit permissions]].

=== OpenVPN connections fail with "secrets: failed to request VPN secrets" warn ===

{{Remove|This does not warrant a troubleshooting section. Optional dependencies are pointed out by pacman, if this is not clear enough it should be covered in [[#VPN support]].|section=Remove unnecessary section 8.22}}

The package {{Pkg|networkmanager-openvpn}} requires {{Pkg|libnma-gtk4}} and optionally {{Pkg|libnma}} (Gtk3) when integrated within the GNOME-Shell. If {{Pkg|libnma}} is required but not installed a message will be printed to the system log:

{{bc|
NetworkManager[642]: <warn> [...] vpn[..."name_of_vpn_profile VPN"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
}}

=== OpenVPN connections fail with OpenSSL "ca md too weak" error ===

Since {{Pkg|openssl}} was updated to version 3, certificates generated with legacy cryptographic algorithms are rejected by default. Attempting to use {{Pkg|networkmanager-openvpn}} with such a setup can result in the following error in the logs:

{{bc|
nm-openvpn[14359]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
nm-openvpn[14359]: Cannot load certificate file /home/archie/.local/share/networkmanagement/certificates/my_issued_cert.crt
nm-openvpn[14359]: Exiting due to fatal error
}}

The correct approach is to have the OpenVPN server administrator generate and re-issue more secure certificates. However, as an immediate work-around, OpenVPN requires {{ic|1=tls-cipher "DEFAULT:@SECLEVEL=0"}}. This may not be possible through the plugin GUI, but it is possible with ''nmcli''. Separately, you will also need to enable the ''legacy'' provider in OpenSSL.

Firstly, obtain the name of the VPN connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection name is ''vpn.example.com'', use ''nmcli'' like so:

$ nmcli connection modify vpn.example.com +vpn.data tls-cipher=DEFAULT:@SECLEVEL=0

The change should instantly be reflected in {{ic|/etc/NetworkManager/system-connections/vpn.example.com.nmconnection}}.

As for OpenSSL, edit {{ic|/etc/ssl/openssl.cnf}} as described on the [https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers OpenSSL wiki].

Specifically, at the end of the {{ic|[provider_sect]}} section add {{ic|1=legacy = legacy_sect}}. Under {{ic|[default_sect]}} uncomment {{ic|1=activate = 1}}. Lastly, add a new section {{ic|[legacy_sect]}} that also contains the line {{ic|1=activate = 1}}. Excluding most other preexisting configuration sections, the end result will look something like:

{{hc|/etc/ssl/openssl.cnf|2=
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
}}

Finally, [[restart]] the {{ic|NetworkManager.service}} to have the new OpenSSL configuration take effect.

=== WPA Enterprise connections fail to authenticate with OpenSSL "unsupported protocol" error ===

Since {{Pkg|openssl}} was updated to version 3, "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0" [https://www.openssl.org/news/openssl-3.0-notes.html by default]. Attempting to authenticate to a Wi-Fi network only supporting older standards results in the following error in the logs:

{{bc|
wpa_supplicant[3320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[3320]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
}}

The correct approach is to convince the institution's administrator to upgrade the encrypted networking tunnel protocol to TLS 1.3 and optionally drop support for deprecated security standards, including TLS 1.0/1.1, DTLS 1.0 and SSL 1-3. However, as an immediate workaround, there are multiple ways to allow TLS 1.0 and/or 1.1 by default. One way would be to manually patch or revert the breaking changes in OpenSSL ([https://github.com/openssl/openssl/commit/7bf2e4d7f0c7ae19b7a8c416910886a7171e9820]). As this also lowers security for all other programs using OpenSSL level 1, it is not recommended. Instead, one can directly set the level used by wpa_supplicant, like described in [https://bbs.archlinux.org/viewtopic.php?id=286417#p2104492 BBS#286417]. To only change the affected connection, it is possible to set {{ic|1=phase1-auth-flags=32}} or {{ic|1=phase1-auth-flags=64}} in the {{ic|1=[802-1x]}} section of the connection's configuration file. This may not be possible through GUIs, but it is possible with ''nmcli''.

Firstly, obtain the name of the Wi-Fi connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection uses TLS 1.0 and its name is ''Example Wi-Fi'', use ''nmcli'' like so:

$ nmcli connection modify 'Example Wi-Fi' 802-1x.phase1-auth-flags 32

And for a TLS 1.1 connection, type "64" instead:

$ nmcli connection modify 'Example Wi-Fi' 802-1x.phase1-auth-flags 64

{{Note|1=The number you type in refers to the number you get from raising 2 to the power of '''n'''. Here, '''n''' is the index of the network authentication bit octet, read from right to left. Flipping the fifth bit enables TLS 1.0 '''[log(2) 32]''' and flipping the sixth bit enables TLS 1.1 '''[log(2) 64]'''.}}

The change should instantly be reflected in {{ic|/etc/NetworkManager/system-connections/Example Wi-Fi.nmconnection}}.

Finally, [[restart]] the {{ic|NetworkManager.service}} to have the new OpenSSL configuration take effect.

== See also ==

* [https://blogs.gnome.org/dcbw/2015/02/16/networkmanager-for-administrators-part-1/ NetworkManager for Administrators Part 1]

User talk:Lahwaacz.bot

2026-05-09T13:23:04Z

Lahwaacz: /* Marking AUR package as missing */ remove closed discussion

== marking AUR links to pkgbase as broken link ==

hi, your bot marked a {{Aur|policyd}} link as broken (on https://wiki.archlinux.org/index.php?title=Postfix&diff=next&oldid=431606#Rule-based_mail_processing). the pkgbase policyd exists, but packages derived from it have different names. can you fix this please? thank you! [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:05, 24 April 2016 (UTC)

:Hi, that's a general problem of the [[Template:AUR]], which works only for packages and not pkgbases. For {{AUR|policyd}} the link does not work, it leads to a 404 page. I think that this behaviour is fine because users can install only packages and not pkgbases. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:53, 24 April 2016 (UTC)

::Hm, I see the problem here. How could i implement a link to https://aur.archlinux.org/pkgbase/policyd with the AUR annotation? [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:59, 24 April 2016 (UTC)

:::Ok fixed it: [https://aur.archlinux.org/pkgbase/policyd policyd]AUR [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 19:03, 24 April 2016 (UTC)

::::Hmm, that's not perfect either, because users expect such links to be ''packages'' that can be installed—on the other hand, pkgbases can't be installed. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:30, 16 July 2016 (UTC)

== Removes title case, is this desired? ==

I noticed this bot just swept through and some links from title case to quasi-sentence case. This seems like incorrect behavior to me. In English writing, proper nouns are supposed to be capitalized, and technical writing has a lot of proper nouns. A bot can't possibly tell the difference between a proper noun like "[EFI System Partition]" and the same words as common nouns in "your [system partition]". Should we respond to edits we disagree with using "undo", or will the bot just make the same change on a second pass?

{{unsigned|15:17, 3 July 2018‎|Bobpaul}}

:The ArchWiki does not use title case even in page titles, see the rule in [[Help:Style#Title]]. For links to pages, using the same capitalization as the target page is preferable (see also [[Help:Style#Hypertext metaphor]]). So, generally, the edits were correct, though if you have a specific controversial case we can debate it further. Also, the "(interactive)" suffix in the edit summaries means that a human sat behind a keyboard and pressed "yes" to confirm each change. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 3 July 2018 (UTC)

== Dead link with SSL error status ==

Hi. It looks like this edit is wrong: [https://wiki.archlinux.org/index.php?title=Help:Editing_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&curid=2786&diff=630264&oldid=618993]. I tried to follow the link and it is working. Also I check the link in the [[Help:Editing#Tables|original article]] — it is actually the same link like in the russian wiki, but not marked as dead and is working fine too. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 09:31, 7 August 2020 (UTC)

:The bot is using [https://requests.readthedocs.io/en/master/ requests] and this query is returning {{ic|certificate verify failed: unable to get local issuer certificate}}. I don't know enough SSL to know what is the problem... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:00, 7 August 2020 (UTC)

:: Firefox says that the certificate for www.tablesgenerator.com expires on February 10, 2022. Anyway I fixed the link. Maybe http replacement on https helps, I don't know. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 12:20, 7 August 2020 (UTC)

== Removing English Interlanguage Link ==

This bot has been removing English interlanguage link from my translated pages such as [[Arch Linux (বাংলা)]], [[Main page (বাংলা)]]....Why? -- [[User:FOSS ভক্ত|FOSS ভক্ত]] ([[User talk:FOSS ভক্ত|talk]]) 07:03, 24 September 2020 (UTC)

:The links will be added automatically when the language is added to the interlanguage table. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:22, 26 September 2020 (UTC)

== Marking bot edits as minor edit ==

I think this bot's edits should be marked as minor edit, so the system won't send notification emails about the article being changed. -- [[User:Huupoke12|Huupoke12]] ([[User talk:Huupoke12|talk]]) 04:19, 19 November 2021 (UTC)

:Hi, it's not that simple because then MediaWiki would not send notifications even for normal user edits that follow after a minor bot edit. That's because the minor bot edit would still be recorded as unread in the watchlist table, it would just not send the notification email, so it would be waiting until you visit the page again before sending the next notification for the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:53, 19 November 2021 (UTC)

::Hi, is it possible for edits made by this bot to be recorded as bot edits ? since the edits are neither marked (m) nor (b) they all show up in watchlists, even if both minor and bot edits are supposedly filtered out.
::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 07:21, 13 October 2024 (UTC)
:::I explicitly want the wiki to send notifications for bot edits, because they should still be reviewed. Unfortunately email notifications for bots are seriously broken (see https://phabricator.wikimedia.org/T358087#10223291) so I removed Lahwaacz.bot from the bot group yesterday. Note that the most serious bug is actually [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read]... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:50, 13 October 2024 (UTC)
::::Hmm, I understand but this is going to make everyone's watchlist basically unreadable. Any idea how to work around this ? [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:52, 13 October 2024 (UTC)
:::::As a temporary solution it looks like they can be filtered out by unchecking wiki-scripts in advanced filters. Works for me but it might affect a lot of people. [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:56, 13 October 2024 (UTC)
::::::Also note that the bot is done for the weekend and won't be making so many edits any time soon. Or rather I might try running it more often to spread out the amount of edits...
::::::By the way, do you speak PHP? Maybe we can bribe you to fix the MediaWiki issues 😂
::::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:05, 13 October 2024 (UTC)
:::::::Haha no sorry :) [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 18:44, 13 October 2024 (UTC)

:Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications as described here but for the triviality of the edit. For example, [[ASUS Linux]] had an edit from this bot account where it removed 2 spaces and helped clean it up a bit, which is trivial enough to warrant a minor edit. To cite [[Help:Editing]], it is superficial and indisputable and [[Wikipedia: Help:Minor_edit#Exceptions]], where bot account edits should be considered minor. However I do agree that if a major edit is made it should not tag it as a minor edit. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:05, 9 May 2026 (UTC)
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read] as mentioned in the earlier replies... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:14, 9 May 2026 (UTC)
:::Then this should be added as a note, preferably at [[Help:Editing#Editing]], that bot account edits are exempted for the timebeing from marking edits as minor until the notification error at so and so in this thread is resolved, it would help reduce the confusion for new and existing users. Should I add it there?
:::Thanks for the reply! [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:59, 9 May 2026 (UTC)
::::[[Help:Editing]] is for people, not bots. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:22, 9 May 2026 (UTC)

== <s>Bot account</s> ==

I suspect that it is not correct that this account is not considered to be a bot...

I don't see it here: https://wiki.archlinux.org/index.php?title=Special:ListUsers&group=bot [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 12:59, 9 May 2025 (UTC)

:See [[#Marking bot edits as minor edit|the discussion above]]: "I removed Lahwaacz.bot from the bot group" — [[User:Andreymal|andreymal]] ([[User talk:Andreymal|talk]]) 13:17, 9 May 2025 (UTC)
::Ah, got it. I wasn't wrong, but bot handling isn't right either, so we have what we have.
::Didn't read it right away because I wasn't expecting it to be related. [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 17:16, 9 May 2025 (UTC)

:::No problem, but this can be closed.

User talk:Lahwaacz.bot

2026-05-09T13:22:12Z

Lahwaacz: /* Marking bot edits as minor edit */ Reply

== marking AUR links to pkgbase as broken link ==

hi, your bot marked a {{Aur|policyd}} link as broken (on https://wiki.archlinux.org/index.php?title=Postfix&diff=next&oldid=431606#Rule-based_mail_processing). the pkgbase policyd exists, but packages derived from it have different names. can you fix this please? thank you! [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:05, 24 April 2016 (UTC)

:Hi, that's a general problem of the [[Template:AUR]], which works only for packages and not pkgbases. For {{AUR|policyd}} the link does not work, it leads to a 404 page. I think that this behaviour is fine because users can install only packages and not pkgbases. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:53, 24 April 2016 (UTC)

::Hm, I see the problem here. How could i implement a link to https://aur.archlinux.org/pkgbase/policyd with the AUR annotation? [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:59, 24 April 2016 (UTC)

:::Ok fixed it: [https://aur.archlinux.org/pkgbase/policyd policyd]AUR [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 19:03, 24 April 2016 (UTC)

::::Hmm, that's not perfect either, because users expect such links to be ''packages'' that can be installed—on the other hand, pkgbases can't be installed. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:30, 16 July 2016 (UTC)

== Removes title case, is this desired? ==

I noticed this bot just swept through and some links from title case to quasi-sentence case. This seems like incorrect behavior to me. In English writing, proper nouns are supposed to be capitalized, and technical writing has a lot of proper nouns. A bot can't possibly tell the difference between a proper noun like "[EFI System Partition]" and the same words as common nouns in "your [system partition]". Should we respond to edits we disagree with using "undo", or will the bot just make the same change on a second pass?

{{unsigned|15:17, 3 July 2018‎|Bobpaul}}

:The ArchWiki does not use title case even in page titles, see the rule in [[Help:Style#Title]]. For links to pages, using the same capitalization as the target page is preferable (see also [[Help:Style#Hypertext metaphor]]). So, generally, the edits were correct, though if you have a specific controversial case we can debate it further. Also, the "(interactive)" suffix in the edit summaries means that a human sat behind a keyboard and pressed "yes" to confirm each change. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 3 July 2018 (UTC)

== Dead link with SSL error status ==

Hi. It looks like this edit is wrong: [https://wiki.archlinux.org/index.php?title=Help:Editing_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&curid=2786&diff=630264&oldid=618993]. I tried to follow the link and it is working. Also I check the link in the [[Help:Editing#Tables|original article]] — it is actually the same link like in the russian wiki, but not marked as dead and is working fine too. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 09:31, 7 August 2020 (UTC)

:The bot is using [https://requests.readthedocs.io/en/master/ requests] and this query is returning {{ic|certificate verify failed: unable to get local issuer certificate}}. I don't know enough SSL to know what is the problem... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:00, 7 August 2020 (UTC)

:: Firefox says that the certificate for www.tablesgenerator.com expires on February 10, 2022. Anyway I fixed the link. Maybe http replacement on https helps, I don't know. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 12:20, 7 August 2020 (UTC)

== Removing English Interlanguage Link ==

This bot has been removing English interlanguage link from my translated pages such as [[Arch Linux (বাংলা)]], [[Main page (বাংলা)]]....Why? -- [[User:FOSS ভক্ত|FOSS ভক্ত]] ([[User talk:FOSS ভক্ত|talk]]) 07:03, 24 September 2020 (UTC)

:The links will be added automatically when the language is added to the interlanguage table. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:22, 26 September 2020 (UTC)

== Marking bot edits as minor edit ==

I think this bot's edits should be marked as minor edit, so the system won't send notification emails about the article being changed. -- [[User:Huupoke12|Huupoke12]] ([[User talk:Huupoke12|talk]]) 04:19, 19 November 2021 (UTC)

:Hi, it's not that simple because then MediaWiki would not send notifications even for normal user edits that follow after a minor bot edit. That's because the minor bot edit would still be recorded as unread in the watchlist table, it would just not send the notification email, so it would be waiting until you visit the page again before sending the next notification for the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:53, 19 November 2021 (UTC)

::Hi, is it possible for edits made by this bot to be recorded as bot edits ? since the edits are neither marked (m) nor (b) they all show up in watchlists, even if both minor and bot edits are supposedly filtered out.
::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 07:21, 13 October 2024 (UTC)
:::I explicitly want the wiki to send notifications for bot edits, because they should still be reviewed. Unfortunately email notifications for bots are seriously broken (see https://phabricator.wikimedia.org/T358087#10223291) so I removed Lahwaacz.bot from the bot group yesterday. Note that the most serious bug is actually [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read]... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:50, 13 October 2024 (UTC)
::::Hmm, I understand but this is going to make everyone's watchlist basically unreadable. Any idea how to work around this ? [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:52, 13 October 2024 (UTC)
:::::As a temporary solution it looks like they can be filtered out by unchecking wiki-scripts in advanced filters. Works for me but it might affect a lot of people. [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:56, 13 October 2024 (UTC)
::::::Also note that the bot is done for the weekend and won't be making so many edits any time soon. Or rather I might try running it more often to spread out the amount of edits...
::::::By the way, do you speak PHP? Maybe we can bribe you to fix the MediaWiki issues 😂
::::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:05, 13 October 2024 (UTC)
:::::::Haha no sorry :) [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 18:44, 13 October 2024 (UTC)

:Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications as described here but for the triviality of the edit. For example, [[ASUS Linux]] had an edit from this bot account where it removed 2 spaces and helped clean it up a bit, which is trivial enough to warrant a minor edit. To cite [[Help:Editing]], it is superficial and indisputable and [[Wikipedia: Help:Minor_edit#Exceptions]], where bot account edits should be considered minor. However I do agree that if a major edit is made it should not tag it as a minor edit. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:05, 9 May 2026 (UTC)
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read] as mentioned in the earlier replies... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:14, 9 May 2026 (UTC)
:::Then this should be added as a note, preferably at [[Help:Editing#Editing]], that bot account edits are exempted for the timebeing from marking edits as minor until the notification error at so and so in this thread is resolved, it would help reduce the confusion for new and existing users. Should I add it there?
:::Thanks for the reply! [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:59, 9 May 2026 (UTC)
::::[[Help:Editing]] is for people, not bots. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:22, 9 May 2026 (UTC)

== <s>Bot account</s> ==

I suspect that it is not correct that this account is not considered to be a bot...

I don't see it here: https://wiki.archlinux.org/index.php?title=Special:ListUsers&group=bot [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 12:59, 9 May 2025 (UTC)

:See [[#Marking bot edits as minor edit|the discussion above]]: "I removed Lahwaacz.bot from the bot group" — [[User:Andreymal|andreymal]] ([[User talk:Andreymal|talk]]) 13:17, 9 May 2025 (UTC)
::Ah, got it. I wasn't wrong, but bot handling isn't right either, so we have what we have.
::Didn't read it right away because I wasn't expecting it to be related. [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 17:16, 9 May 2025 (UTC)

:::No problem, but this can be closed.

== <s>Marking AUR package as missing</s> ==

Hello! Your bot marked {{AUR|cros-container-guest-tools-git}} as not found, even though the page and the repo still exist (at https://wiki.archlinux.org/index.php?title=Chrome_OS_devices/Crostini&diff=next&oldid=848291#Introduction). Is there any particular reason it did this? [[User:Ry10hu|Ry10hu]] ([[User talk:Ry10hu|talk]]) 22:37, 20 December 2025 (UTC)

:Hi, it was a bug, it's already fixed: [https://github.com/lahwaacz/wiki-scripts/commit/dd2452238ddc289b0aa68a4dc52fe3e9149dca89] [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:47, 21 December 2025 (UTC)

Help talk:Template

2026-05-09T13:21:08Z

Lahwaacz: /* Have editors create the talk page discussions for Status templates: Merge and Move */ edit

== Should administrative templates be translated? ==

I have coincidentally encountered a stub page ([[Яндекс Диск (Русский)]], now deleted) with wrong localized title, which was marked for deletion using a localized template, [[Template:Deletion (Русский)]]. This was obviously wrong, because the page was not listed under [[Special:WhatLinksHere/Template:Deletion]], which is the list which is systematically checked.

I admit that localized "administrative templates" can be useful for coordinating the effort of a translation team, and having English messages on localized pages might be considered ugly, but there are considerable downsides in splitting the [[Special:WhatLinksHere]] by language this way.

Another step deeper, maybe we should put together a list of templates that should not be translated?

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:59, 10 September 2014 (UTC)

:I think what you're saying makes sense (and a lot) only for [[Template:Deletion]]; the admins (like any other user) can't expand, merge or update articles written in languages they don't speak, right? :) What other templates were you thinking about? -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 10:43, 11 September 2014 (UTC)

::True, every other [[Help:Template#Article status templates|article status template]] could be used in localized form by the maintenance team. Regardless, there will always be fragmentation of the [[Special:WhatLinksHere]]: for example when fulfilling the [[ArchWiki:requests|requests]], it is common to use English message (and template) on localized pages if the editor does not speak the language. This should be definitely considered by the translation teams.
::Personally, I find it strange that [[Template:Out of date|outdated]] or [[Template:Accuracy|inaccurate]] content from English pages can be spread by translation (see [https://wiki.archlinux.org/index.php?title=Bluetooth_Mouse_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&diff=next&oldid=334522#.D0.90.D0.B2.D1.82.D0.BE.D0.BC.D0.B0.D1.82.D0.B8.D1.87.D0.B5.D1.81.D0.BA.D0.B8_.D0.BF.D0.BE.D0.B4.D0.BA.D0.BB.D1.8E.D1.87.D0.B0.D1.82.D1.8C_.D0.BC.D1.8B.D1.88.D1.8C_.D0.BF.D1.80.D0.B8_.D0.B7.D0.B0.D0.B3.D1.80.D1.83.D0.B7.D0.BA.D0.B5]).
::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:36, 11 September 2014 (UTC)

:::About the first point on "fragmentation" of WLH pages, do you mean that it inevitably happens that some localized articles are marked with localized templates and some with English templates? In what cases is it possible that somebody adds a status template to an article without being able to understand its language? And if (s)he does, is that really the right thing to do? And if it is, maybe we could recommend to use the localized version of the template even if the message is then written in English?
:::About the second point on template "spreading", I don't find it "strange" if it happens when somebody translates from an article that is marked with such status template: he's adding the localized template not only to remind to the team that the article contains outdated content, but also to notify all non-contributing readers about possible inaccuracies. But maybe I haven't understood what you meant exactly?
:::Just to come back to the original topic, isn't it a good thing that the WLH pages for the English status templates are not (ideally) "polluted" by non-English articles? (Doesn't apply to Template:Deletion, I know)
:::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 14:33, 12 September 2014 (UTC)

::::For example when fulfilling [[ArchWiki:Requests]], there is often some unique keyword or phrase to identify the relevant section, even in localized pages. Google translate can be used to ''partially'' understand the surrounding text, even if the translation is grammatically incorrect. This makes it pretty easy to mark the section with English message (translating the message from English would be risky, the grammar mistakes might alter the meaning), which I think is an improvement (any warning should be better than none). Using a localized template in this case would require checking if such template exists, and even if it does, combining localized template and English message is even more weird.
::::About fragmentation and using localized ''article status templates'' generally, its advantage is that it filters out other languages in the WLH lists, but this only partial (the global list will always contain some localized pages, unless we want to create the necessary templates for each language and do some mass cleanup, and the localized lists will not point out localized pages marked with global templates). The disadvantage is that global maintenance, if only marking as outdated as per [[ArchWiki:Requests]], will be harder.
::::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:51, 12 September 2014 (UTC)

:::::Ok, of course each solution has pros and cons (will we need a summary table for this issue too?): honestly I wouldn't find it too weird if a localized template had an English message, which could also be translated afterwards by somebody else. Yes, adding a localized status template requires a bit more typing, sometimes even copy-pasting if there are non-Latin chars in the language name: this could be mitigated in the future by [[Help talk:i18n#Language namespace(s) in place of suffixes?]]; I understand this could effectively discourage adding status templates to translations. On the other hand, a bot would be able to convert the templates to the proper localized versions very easily, so that's a task that could be performed periodically (it could be used to check also other templates). And yes, having a translated version for each template would be required if we enforced such a policy. Finally, let's not forget that localized templates would be more useful to casual readers than English templates.
:::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:03, 14 September 2014 (UTC)

::::About the template spreading, it is safe to assume that [[Template:Poor writing]] will never be translated. Instead, the translator will probably fix the English article prior to translating it, which is happening ''a lot'', even when the style issues are not marked with a template, and this is absolutely great. On the other hand, I have never noticed any other ''article status template'' being resolved during translation. Admittedly, sometimes it is best to just translate the inaccurate content along with the template, or the translator might be unable to resolve it, but in terms of statistics I think that I should have noticed at least some effort by now.
::::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:51, 12 September 2014 (UTC)

:::::Well, [[Template:Poor writing]] does have a translation already with some backtransclusions, I'm not sure if you'd delete it (I wouldn't). -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:03, 14 September 2014 (UTC)

::As the discussion about other [[Help:Template#Article status templates|article status templates]] is getting slightly off-topic, let's take a list of one item for now, [[Template:Deletion]]. How do we mark it as non-translatable? The translated versions could then be redirected to the English template and deleted when there are no backlinks. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 22:01, 12 September 2014 (UTC)

:::I think the [https://docs.python.org/3.4/glossary.html#term-eafp EAFP] approach is better in this case, I can think of 2 implementations:
:::# Create a redirect for each Template:Deletion_(Language) title and protect them from editing with an exhaustive justification in the summary (this solution would A) be more consistent with the usage of the other status templates and B) allow us grouping the backtransclusions of Template:Deletion by language in its WLH page).
:::# Redirect the existing translations temporarily, convert them all with a bot, then delete them and finally protect all the Template:Deletion_(Language) titles from creation with an exhaustive justification in the summary.
:::I prefer 1), do you agree/disagree or have additional options?
:::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:08, 14 September 2014 (UTC)

== Template "nowrap" ==

I would like to ask for opinions about adding a wiki template like [https://en.wikipedia.org/wiki/Template:Nowrap Wikipedia's "nowrap"].

Although there are already some alternative solutions available for specific cases (e.g. {{ic|&nbsp;}} for non-breaking space, {{ic|&#8209;}} for non-breaking hyphen), the "nowrap" template (and/or other similar templates) covers additional cases.

For example, you might find one line of text presented as ending with the word {{ic|package}} and the same sentence continues in the next line, presented as starting with {{ic|(s)}}. By using the "nowrap" template on this expression, you get {{ic|package(s)}} all together, either at the end of one line or at the beginning of the next one, but never separated in 2 lines.

This is just an example. Other cases can be (more) relevant (too). Obviously, the "nowrap" template can also be used instead of (multiple) non-breaking spaces and non-breaking hyphens.

Without a "nowrap" (or similar) template, the alternatives are either to not care about these things, or to use one of the following (please note that some alternatives might be more appropriate than others):

{{bc|
1=This text will not wrap.
Some sentence... package(s) and the sentence continues.
}}
{{bc|
1=This text will not wrap.
Some sentence... package(s) and the sentence continues.
}}

The "nowrap" template also has some "alias" (or redirection) names in Wikipedia, or we could use a new different name for this same template.

Is this kind of situation worth a template for the ArchLinux wiki? Any thoughts? [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 15:39, 27 March 2016 (UTC)

:I don't know, it seems a bit overcomplicated to me... What browser are you using that wraps "package(s)" at the parenthesis? At least Firefox correctly interprets it as a single word, since I do believe that these cases should be handled by the browser. The same goes for e.g. "package-s". Can you give more examples where this template would be needed (and would be a clearly better solution than using non-breaking spaces etc.)? — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 06:57, 30 March 2016 (UTC)

::Hmm, perhaps I have not used the best example - I know I have seen this "package(s)" example somewhere, but currently I cannot recall where / when exactly.
::I should point out that users could see an unwanted (word) wrapping, depending on the width of the wiki text area (e.g. screen resolution, web browser's zoom, fonts...).
::As for "better" (or common) examples, please see [https://en.wikipedia.org/wiki/Wikipedia:NOWRAP] for brevity.
::BTW, using space characters and hyphens are the (most) common word-separators in certain languages, but not in all of them (e.g. CJK languages), so a "nowrap" template might be even more helpful in some translated wiki pages than in the English ones.
::I want to be clear. I am also not completely sure this type of template is "essential" for the ArchLinux wiki. It is potentially helpful; the question would be whether it is worth it. [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 02:51, 31 March 2016 (UTC)

:::I see, I should have been more specific, but what I meant with "more examples" is existing samples of the ArchWiki (in any language) where such template would improve the page rendering and/or the source text. To put it in other words: after creating the template, where exactly is it going to be used?
:::In general I'm against creating templates (or Categories, etc.) "just in case they come in handy one day", although in this case I admit the idea can make somewhat sense, so if you really feel you want to create the template, I won't object further, maybe somebody else will find good uses for it and we'll start appreciating its existence ^^
:::— [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 03:23, 31 March 2016 (UTC)

::::I am a contributor to other wiki sites (in addition to the ArchLinux wiki). As editor(s) of wiki text, it is usually recommended to be aware that readers might use very different setups. While I/we might not see a certain behavior in the presentation of the wiki text / page, others might.
::::Although the ArchLinux wiki would not (need to) consider older versions of web browsers (or web browsers being used in non-Linux OSes), I am used to test the results of my editions with at least a couple of different setups.
::::I found a [https://www.cs.tut.fi/~jkorpela/html/nobr.html web page] about word wrapping in HTML that might be of interest to (some) wiki editors. Some notes about it:
::::* Most of its content mentions Internet Explorer, but it also mentions Firefox, Opera and others.
::::* In theory, it is somewhat outdated (at the time of this writing, its last update was during 2013).
::::* In spite of its date, I am convinced that at least some of the issues are still relevant (with potential improvements and regressions in each new version / variant of web browser).
::::* The part of that web page that is relevant to our discussion here is that there are several alternative methods so to achieve the desired wrapping result, whether it is about preventing word-wrapping, imposing word-wrapping, or allowing optional wrapping at certain specific positions within an expression / word.
::::Some of the simpler alternatives, (probably with a varying degree of effective results): {{ic|&nbsp;}}, {{ic|&#8209;}}, {{ic|&#xfeff;}}, {{ic|&#8288;}}, {{ic|wbc}}, and for generic wiki text, a "nowrap" (or, one of its alias names, "nobr") templates.
::::The advantage of a "nowrap" template over its non-template alternatives is that it is more generic; editors can avoid having to use different tricks according to the specific character (space, hyphen, minus sign, em/en dash...) and it covers potential cases that have no alternative or that would make the source of the wiki text less-readable.
::::So, without a "nowrap" template, I guess that most of the relevant cases in Latin-like languages would be covered by some non-template alternative, or by using the full "span style expression". Although perhaps there might be some cases in which a "nowrap" template would not have an alternative in Latin-like languages, I am also ''guessing'' that such (few?) cases would probably not be worth a template in the ArchLinux wiki.
::::But then there are the CJK languages, in which wrapping styles / rules might be more important / complex than some form of "hyphen" and/or space characters.
::::Maybe [[User:Fengchao]] and/or other members that are fluent in CJK languages might have a different / relevant perspective?
::::— [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 13:40, 1 April 2016 (UTC)

== Forum link ==

:Moved from [[Talk:Bash/Functions]] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:13, 23 October 2015 (UTC)

The article has two types of forum links:

*[https://bbs.archlinux.org/viewtopic.php?id=30155 BBS#30155] (intro, as in [[Template:Bug]]) and
*https://bbs.archlinux.org/viewtopic.php?id=101010 (section [[Bash/Functions#Kingbash|#Kingbash]])

Which one is right again? --'''[[User:Det|Det]][[User talk:Det|talk]]''' 11:44, 24 July 2015 (UTC)

:Full URLs should be avoided, see [[Help:Style#Hypertext_metaphor]], otherwise I know of no recommended wording for forum links. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:13, 24 July 2015 (UTC)

::That section doesn't actually even talk about external links, while [[Help:Editing#External links]] says ''"just type the full URL"'', but also that ''"it is often more useful to make the link display something other than the URL"''. --'''[[User:Det|Det]][[User talk:Det|talk]]''' 16:04, 24 July 2015 (UTC)

:::This was already mentioned somewhere some time ago, I don't remember where nor when, anyway [https://wiki.archlinux.org/index.php?title=Special%3ALinkSearch&target=https%3A%2F%2Fbbs.archlinux.org%2Fviewtopic.php] would seem to justify the creation of a [[Template:BBS]], just like we have [[Template:Bug]]. — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:18, 25 July 2015 (UTC)

::::The problem with a BBS template is that links to the full thread have simple query string {{ic|1=?id=''number''}}, whereas links to posts have {{ic|1=?pid=''number''#''number''}}. There would have to be two different templates, which would get confusing very quickly.
::::There are more problems with existing links to the BBS: from looking at the list you posted, there are many links specifying the page number in the query string ({{ic|1=p=''num''}}), but FluxBB has variable/configurable number of posts per page. The links should point to either the full thread (first page), or a specific post.
:::: -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 25 July 2015 (UTC)

:::::Like with links to bugs, a bbs url has to be pasted and manually modified anyway, but most of the times the conversion to [[Template:Bug]] ends up being done by a bot, which would be able to use two different BBS templates appropriately.
:::::I see 5 types of viewtopic.php links:
:::::# {{ic|1=?id=''number''}}: these could be changed to [[Template:BBSid]] instances.
:::::# {{ic|1=?id=''number''&p=''number''}}: when {{ic|''number''}} is {{ic|1}}, they could drop it and use [[Template:BBSid]]; otherwise they should point to a post as you say and use a [[Template:BBSpid]] template (we could publish a list of such links for manual fixing, since the correct post has to be found by a human, a bot can't do it).
:::::# {{ic|1=?pid=''number''}}: these could be changed to [[Template:BBSpid]] instances, the link fragment is the same as {{ic|''number''}} with a prefixed {{ic|p}}, so it's easy to add using the same template argument.
:::::# {{ic|1=?pid=''number''#p''number''}}: these could be changed to [[Template:BBSpid]] instances, {{ic|''number''}} needs to be specified only once.
:::::# {{ic|1=?t=''number''}}: these seem to be all broken, so they should be marked as dead, or fixed.
:::::I've chosen [[Template:BBSid]] and [[Template:BBSpid]] instead of e.g. [[Template:BBSthread]] and [[Template:BBSpost]] thinking that it would be easier to get their relation to the url when used manually, but I'm still quite undecided (provided that we actually decide to introduce the new templates).
:::::— [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 04:27, 26 July 2015 (UTC)

::::::3. and 4. are identical (btw. haven't you confused their descriptions a little?), except that 3. only opens the page with the given post (based on the user's posts-per-page setting), but stays at the top of the page, whereas 4. points directly to the post (the {{ic|#p''number''}} is the trick to do it). So 3. should also never be used, but it's trivial to transform it to 4. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:50, 26 July 2015 (UTC)

:::::::Of course, I was reasoning from a bot's point of view, which would indeed see 3. and 4. as different cases. My description of 3. was assuming that the need for a fragment was obvious (hence the mention of how easy it is to add it even if it's not in the original link), but what's important is that you seem to have understood anyhow :P — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 10:44, 26 July 2015 (UTC)

::::::::I agree on using only PID and ID. If you're linking to a page, you most likely should link to a PID. To distinguish between both, you could use {{ic|##}} for PID and {{ic|#}} for ID.
::::::::I don't have suggestions on automating the implementation. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:18, 23 October 2015 (UTC)

== New Template Application ==

I was thinking a new template could be added for application pages that would give quick info on a package. It would be right floated like "related articles". I made a quick example here: [[User:Meskarune/package]] but it could use more work on the format/syntax. [[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 20:17, 23 January 2017 (UTC)

:I don't see the point of this. You want to know the package name? Look in ''Installation''. The website and description? Should be linked in the intro. systemd service, user & group and man pages should be under ''Usage''. Config paths & examples under ''Configuration''. –[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 05:43, 2 January 2018 (UTC)

::The point of the sidebar table is that people will not have to go searching through lots of text for important information. If you only want to quickly know the service file and config file on Arch without reading through all the text on the wiki it would be in an easy to find place. Obviously its just some extra "eye candy" if you will that people could choose to use.
::
::The larger issue I was trying to address was the lack of strict standardization for pages on packages.
::
::The idea is that the content, and specific order of sections for package pages should be standardized with certain sections being required. For example, install and configuration. This will increase the quality of package pages on the wiki and enable scripts to be able to automatically mark issues such as lacking an install section. This isn't just about a template for a table, it is about having more specific standards for package pages as well in order to help people write them easier and increase over all quality and decrease maintenance time.
::
::My proposal is that the example page I wrote should be the standard format for all pages on packages on the wiki.[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 19:39, 9 August 2018 (UTC)

:::If you want to find out services / configuration files / man pages of a package without reading an article, you can just grep {{ic|pacman -Ql}} for {{ic|/system/}}, {{ic|/etc/}} and {{ic|/man/}}. Your sidebar duplicates information and would thus increase the cost of maintenance (unnecessarily so). We already have [[Help:Style#Standard_sections|standard sections]]. I don't think that we need to require some sections / have a strict order for all standard sections. We don't need a dedicated example article, we got enough actual articles to serve as an example. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 05:06, 10 August 2018 (UTC)
::::I put together code for the info box: https://wiki.archlinux.org/index.php/User:Meskarune/Template:application first time writing a template, it was a good learning experience if anything else. I originally got the idea from wikipedia info boxes.
::::
::::Anyways, I don't propose that the info box be required for every package page, but on certain ones it would be very useful, for things like web servers, email servers, etc it is very common for people to go to the wiki page first, then go to upstream docs/bug trackers after, so having a small list would be helpful, and I think if people want to add them to such pages, the maintenance is not much since upstream doesn't often change. As for man page links, I often have the arch wiki on my phone while doing things on a computer without a GUI, and it is honestly useful to have man page links so its easier to read something on a phone while doing something in a TTY. I don't know how common that use case is, but I can't be the only one. It would also be useful for people who are visually impaired because finding links in text is difficult with a screen reader, and voice commands on phones are better than they are on linux.
::::
::::And as for the "standard sections" in the style guide, "installation" wasn't even on there until you added it after this discussion started. (and I am grateful you took the time to do that) Part of the reason for my original suggestion of having more standard sections was because there was a lack. I also still believe that having certain sections required for packages will increase quality and consistency of the pages over time and lower maintenance because scripts can automatically tag any page under category:package if it is lacking installation or configuration. But that is of course up to y'all to decide about that. I really don't have the time/energy to argue about this if no one else thinks more standardization is a good idea.[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 23:39, 11 August 2018 (UTC)
''[Moved from [[ArchWiki talk:Administrators#Package page style guide/template]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 13:07, 9 August 2018 (UTC)]''

I wrote a style guide/example template for package wiki pages. I wanted to get some feedback on it and possibly see if this couldn't be adopted as a standard on the wiki. This is the page: [[User:Meskarune/package]]

Maybe a wiki template could be created for the application info table sidebar thingy, this way it is faster/easier to add.

I think this would help improve the quality of package pages and help users get useful information faster. --[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 20:37, 8 August 2018 (UTC)

== Creation of package search templates ==

We have got [[Template:Pkg]], [[Template:AUR]] and [[Template:man]] but package searches are still linked using external links, e.g.:

<pre>
[https://www.archlinux.org/packages/?q=thunderbird-i18n language pack]
[https://aur.archlinux.org/packages/?K=android-platform- older versions]
</pre>

I am therefore pondering whether we should create {{ic|<nowiki>{{Pkg?|foo}}</nowiki>}} → [https://www.archlinux.org/packages/?q=foo PKG?foo] and {{ic|<nowiki>{{AUR?|foo}}</nowiki>}} → [https://aur.archlinux.org/packages/?K=foo AUR?foo].

Pros:

* readers can identify package search links just by looking at them
* dedicated templates make the markup more readable and semantic

Cons:

* it further complicates [[Help:Reading#Formatting]]

While [[Template:AUR?]] already exists it's deprecated and produced "{{AUR?|foo}}", so there should be no problem in changing it.

The question is if it's worth it to create two templates for ~35 pages. What do you guys think?

--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 08:15, 20 May 2018 (UTC)

:It can be worth it, but how easy would it be to use the template, compared to the current link-like usage? You've taken your examples out of their context, [[Thunderbird]] and [[Android]], but there they are naturally inserted with an alternative link label, and as far as I remember this happens pretty much everywhere a package-search link is used.
:Perhaps this hypothetical template should still allow - if not even force - an alternative label (I don't like the [https://www.archlinux.org/packages/?q=foo PKG?foo] rendering too much anyway), but then in that case why not create dedicated interwiki links instead? We can do it easily from [[Special:Interwiki]].
:-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:49, 22 May 2018 (UTC)

::If the links require an alternative label, wrapping it with a template does not make much sense. Also, there are so few of such links and still there are similar cases that would require a manual link - e.g. the language pack links in [[Firefox#Installing]] which link to the ''pkgbase'' listings. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:50, 22 May 2018 (UTC)

::What about the following interwiki prefixes?
::{{bc|aur → https://aur.archlinux.org/packages/$1 pkg → https://www.archlinux.org/packages/$1}}--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 08:03, 24 May 2018 (UTC)

:::So now you want to replace the [[Template:Pkg]] and [[Template:AUR]] templates with interwiki links? That does not address the package search problem, unless you're about to write <nowiki>[[aur:?q=foo]]</nowiki>. It would also remove the special formatting of the package links, so that's no from me. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:30, 26 May 2018 (UTC)

::::I obviously don't want to replace [[Template:Pkg]] and [[Template:AUR]]. I left out the query parameters to make it flexible.--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 09:47, 26 May 2018 (UTC)

:::::In that case the purpose of the interwiki links would not be well defined, the {{ic|1=?q=}} string (which is an implementation detail) would have to be written manually on every page, and the alternative label would have to be used to make the link less ugly. Anyway, templates are much more flexible than interwiki links so let's either use templates or interwiki links which are as simple as possible. But before discussing the implementation details, we should agree on whether the use case is worth the effort or not. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:52, 26 May 2018 (UTC)

::::::Given the relatively limited number of applications, I wouldn't go as far as adding another template to our toolbox, but an interwiki link is such a simple thing that as I said I'd be in favor of setting up.
::::::I wouldn't like "flexible" interwiki links either, however, I'd rather go for:
aur → https://aur.archlinux.org/packages/?K=$1
pkg → https://www.archlinux.org/packages/?q=$1
::::::So the examples in the OP would become:
<pre>
[[aur:android-platform-|older versions]]
[[pkg:thunderbird-i18n|language pack]]
</pre>
::::::I'm not 100% sure about the prefixes though, I wish we could use {{ic|aur?}} and {{ic|pkg?}} or similar...
::::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 17:09, 26 May 2018 (UTC)

:::::::I meant the question is if it's worth doing it some other way instead of using the external links. External and interwiki links look the same and with the alternative label interwiki links don't save as much typing (one could even say that the URL, which is not very long in this case, can be copy-pasted completely which makes it easier to use). There are also other similar cases (like the pkgbase links above) which would require external links anyway. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 22:08, 26 May 2018 (UTC)

::::::::Well, of course I don't have a mathematical answer to that question, I can only say that interwiki links look neater to me in the source text, and since those search URLs are resources directly provided by Arch Linux, it makes sense ''to me'' to give them a shortcut, but yeah, more than a typing advantage it's a ''personal'' aesthetic preference over which I won't argue much more than this :)
::::::::Just to complete my reply, the full links could still be copy-pasted from the rendered pages; copy-pasting when editing the source text shouldn't be affected, because if you want to create a similar type of link, it doesn't matter if it's in the interwiki or the external-link form, although interwiki links are easier to just type than copy-paste. Interwiki links for split packages would be less useful and easy to use indeed.
::::::::Also, about the rendered looks, I want to remind that if we want we can specifically style (standard) package-search links however we like, whether they are created with external or interwiki links, but in the latter case we can target them specifically thanks to the ''extiw'' class.
::::::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:23, 27 May 2018 (UTC)

== Creation of Template:Info ==

I think we have got enough articles about [[GNU]] software to warrant a template for [[Info manual]]s, analogous to [[Template:man]].

gnu.org hosts HTML [[Info manual]]s for apparently most GNU packages, generally in the form of {{ic|<nowiki>https</nowiki>://www.gnu.org/software/''package''/manual/html_node/''node''.html}}.

I created [[User:Larivact/drafts/Template:Info]] as a draft, only to realize that gnu.org replaces spaces with dashes, meaning, like [[Template talk:Hc#hc breaks in lists]], this template would require [[mw:Extension:StringFunctions]].

--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 11:21, 15 August 2018 (UTC)

:Not only that, it also encodes characters like dashes: [https://www.gnu.org/software/coreutils/manual/html_node/Special-built_002din-utilities.html] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:47, 15 August 2018 (UTC)

::Well spotted, so: {{bc|' ' -> '_' '-' -> '_002d' '/' -> '_002f'}} should cover most cases. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 12:13, 15 August 2018 (UTC)

:::And I guess every other "blacklisted" character has to be encoded as {{ic|_}} + {{ic|''4-digit hex code''}}... So what's the full blacklist?
:::As for StringFunctions, that's a [https://phabricator.wikimedia.org/T8455#110965 dead-end solution].
:::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:47, 15 August 2018 (UTC)

::::It's not a blacklist it's a whitelist, anything not {{ic|[A-Za-z0-9 ]}} is encoded, see [https://svn.savannah.gnu.org/viewvc/texinfo/trunk/tp/Texinfo/Convert/NodeNameNormalization.pm?view=markup#l114].
::::Yeah Lua/[[mw:Extension:Scribunto]] would allow for more readable code and correct templates. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 13:06, 15 August 2018 (UTC)
::::I opened [[ArchWiki talk:Administrators#Scribunto]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 17:34, 18 August 2018 (UTC)

== More inline-style templates ==

I would like to create more templates for inline-flagging of some style problems, similarly to [[Template:Dead link]] or [[Template:Broken section link]]:

* [[Template:Avoid implicit link]] (for {{ic|<nowiki>[[...|here]]</nowiki>}}, {{ic|<nowiki>[[...|above]]</nowiki>}}, {{ic|<nowiki>[[...|below]]</nowiki>}} etc.)
* [[Template:Avoid external link]] (for external links to Wikipedia, AUR packages etc.)
* [[Template:Citation needed]] or [[Template:Reference needed]]
* [[Template:Language register]] (could be used with arguments, e.g. {{ic|<nowiki>{{Language register|too informal}}</nowiki>}}, {{ic|<nowiki>{{Language register|avoid acronyms}}</nowiki>}}, etc.)

Some of them could be applied (semi)automatically with a bot. Maybe you can also think of more problems that could be marked similarly.

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:25, 23 February 2020 (UTC)

:I don't see much need for [[Template:Language register]] since it would usually apply to whole paragraphs or the entire article instead of some phrase/word as [[Template:Dead link]]. I think [[Template:Style]] fully covers that case. I'm also somewhat skeptical of a bot's ability to apply it accurately, but maybe I'm mistaken about that.
:I do like the other proposed templates. I think [[Template:Citation needed]]/[[Template:Reference needed]] in particular would be very useful. It could ease the burden when flagging questionable claims, unlike [[Template:Expansion]] or [[Template:Accuracy]] which require a detailed "reason".
: -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 14:27, 23 February 2020 (UTC)

::I think [[Template:Language register]] would be useful for phrases explicitly mentioned in [[Help:Style#Language register]], e.g. "at the time of writing". They occur frequently and using [[Template:Style]] is usually an overkill, especially if the phrase appears inside a [[template:note|note]] or a list. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:33, 23 February 2020 (UTC)

:::Simpler alternative (possibly too simplistic): make only one new generic inline Style template, and clarify the reason with its argument case by case. Of course it will mix all cases together in its WhatLinksHere page, but so does [[Template:Style]]. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:47, 16 March 2020 (UTC)

::::I wouldn't like to add too much text to inline templates, because the wikicode would become too chaotic. Even <nowiki>{{avoid implicit link}}</nowiki> is shorter than <nowiki>{{inline style|avoid implicit link}}</nowiki>, and the former can even include a link to the relevant section in [[Help:Style]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:59, 21 March 2020 (UTC)

:::::No worries, I'm fine either way, maybe you can only start with the templates that can be applied with a bot, since for a human it might be just equally easy to directly fix links, acronyms, abbreviations etc. than flag them with a template. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 11:31, 21 March 2020 (UTC)
:As far as I understand, we are quite happy with <code><nowiki>{{Style|…}}</nowiki></code> and its friends. I want to close this stale topic. — [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 16:21, 13 August 2025 (UTC)
::Actually, I would like to revisit this topic at some point. [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:40, 14 August 2025 (UTC)
:::👍 [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 18:54, 14 August 2025 (UTC)

== Suggest using user page sandbox ==

Everyone using [[Template:Sandbox]] has following disadvantages:

* Only one user can edit it at a time.
* Breaks previous drafts and talks.

Instead of everyone using [[Template:Sandbox]] I propose suggesting to copy whole template to [[User:Exampleuser/Template]] and testing there. Also you can test template without saving the page, which you can't do on already created template page.

[[Template:Template]] and [[Help:Template#Creation]] would need to be updated, possibly first should link to latter instead of [[Template:Sandbox]]. Instead of creating template in main namespace instructions should suggest creating it in user page, then start new discussion on [[Help:Template]] to introduce it to the wiki.

-- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 00:12, 13 May 2020 (UTC)

:If people move or archive or delete their personal sandbox page, the drafts and talks will break anyway. And there were not many cases in the past where multiple users wanted to edit the template sandbox at the same time. Using just one template sandbox is good in at least one way: it helps to push things forward faster, because otherwise it would block other things. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 08:39, 13 May 2020 (UTC)

::Only admins can delete pages. And only users that were breaking our draft templates were [[User:Larivact]] which quit wiki and myself which I stopped doing because its pointless and because it breaks old talks. I don't see how [[Template:Sandbox]] helps push things faster. Obviously you would only save new version of template if you wanted to discuss it with other editors (which by default is slow because you have to wait for other people), and for previewing any non-existent page on wiki is faster, because you can preview without saving. Also if you want to draft many templates you should create [[Template:Sandbox2]] and the like, which [[User:Kynikos]] did and bloats our template space (why not name it [[Template:Command]] if we decided we allow creating draft templates in main template namespace), which we use to figure out optimal amount of templates we wish to maintain and update. -- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 16:41, 13 May 2020 (UTC)

::My main point as long as you need at least 2 different version of same or different templates, [[Template:Sandbox]] is not good enough. Other option would be just have resulting html directly inside draft pages, which is even uglier and harder to update without using extra tools like sed. -- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 16:45, 13 May 2020 (UTC)

:::I've thought about this a little, it may make sense to me, how would you patch [[Template:Template]] and [[Help:Template#Creation]]? I've moved [[Template:Sandbox2]]. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 16:41, 19 May 2020 (UTC)

== "Help:Template" or "Help:Templates"? ==

Singular or plural?..

"Template" is about what template is: it is useful for template creators (mostly, wiki admins).

"Templates" are about "template list" ([[Help:Template#List of templates]]). Wiki contributors are interested in them.

I think our page is named after [[Wikipedia:Template]], but, hey, that page is all about what the template is—compare it with [[mw:Templates]].

To be clear: I want to rename this page from "Template" to "Templates": ordinary users don't care what template is, but how to use them.

-- [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 14:55, 1 August 2025 (UTC)

:I'm for renaming the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:58, 7 August 2025 (UTC)
:I have no strong opinion either way, if it feels clearer to everyone let's go. [[User:Erus Iluvatar|Erus Iluvatar]] ([[User talk:Erus Iluvatar|talk]]) 16:24, 23 August 2025 (UTC)

== Have editors create the talk page discussions for Status templates: Merge and Move ==

The templates Merge and Move have an optional parameter of a talk page discussion. If the editors who make either of these two specific tags, also add the talk page topic atleast in brief they would be subscribed to that specific conversation. However if the editors only add the template to a subsection of a page other editors would have to make said topic page and then reach out to the original editor via their user talk page or other contact methods just to include them or get their perspectives, which could be an avoided waste of space of their user talk page space.

I suggest having a sentence in [[Help:Template#Status]] saying something along the lines of, "Please create a topic discussion when using Merge or Move templates so as to be subscribed to any ongoing discussions where needed".
This is more of QOL/best practices kind of change than a hard requirement change. Please let me know your thoughts on this. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:40, 8 May 2026 (UTC)

:The subscription to individual discussion topics is a weird feature, it is not necessary to get notifications. Many people who add these templates already have the page (and thus its talk page too) on their watchlist and get email notifications for all edits. Subscribing to discussions would mean duplicate notifications. Furthermore, you can mention people like @[[User:TheKnightSky|TheKnightSky]] to get their attention from anywhere. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:56, 9 May 2026 (UTC)
::You are right, that aspect makes sense.
::However regarding linking to the user page, I had thoroughly read the [[Help:Editing]], and [[Help:Template]] and [https://www.mediawiki.org/wiki/Help:Templates Help:Templates], and there was no mention of this notifying the user, much less this being described in them. The notification I received for this reply was along the lines of "
::‪Lahwaacz‬ mentioned you on ‪Help talk:Template‬ in "‪Have editors create the talk page discussions for...‬".
::The subscription to individual discussion topics is a weird feature, it is not necessary to get notifications. Many people who add these templates...
::", this was the only notification, there was no "Lahwaacz replied in xyz" for this.
::But on the other hand for a separate notification, "
::‪Lahwaacz‬ mentioned you on the talk page of user ‪Lahwaacz.bot‬ in "‪Marking bot edits as minor edit‬".
::Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications...
::", where I was not mentioned using my user page, but you had replied to my text.
::And another point for "
::‪Lahwaacz‬ replied in "‪Marking bot edits as minor edit‬".
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely Notifications stop after bot...
::", which was an expected notification behaviour for a reply.
::By your logic I should have received 2 pings for this reply, unless in the backend multiple notifications for the same action is prohibited, which contradicts itself given that I got 2 notifications for the "Mayking bot edits" thread and only 1 for this even when mentioned by name, which also isn't described anywhere I could find. And im exclusively talking about the notifications on the webpage, not via email. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:44, 9 May 2026 (UTC)
:::If you enabled email notifications and added this page to your watchlist, you would have received 2 emails for a single edit, I think. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:20, 9 May 2026 (UTC)

Help talk:Template

2026-05-09T13:20:35Z

Lahwaacz: /* Have editors create the talk page discussions for Status templates: Merge and Move */ Reply

== Should administrative templates be translated? ==

I have coincidentally encountered a stub page ([[Яндекс Диск (Русский)]], now deleted) with wrong localized title, which was marked for deletion using a localized template, [[Template:Deletion (Русский)]]. This was obviously wrong, because the page was not listed under [[Special:WhatLinksHere/Template:Deletion]], which is the list which is systematically checked.

I admit that localized "administrative templates" can be useful for coordinating the effort of a translation team, and having English messages on localized pages might be considered ugly, but there are considerable downsides in splitting the [[Special:WhatLinksHere]] by language this way.

Another step deeper, maybe we should put together a list of templates that should not be translated?

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:59, 10 September 2014 (UTC)

:I think what you're saying makes sense (and a lot) only for [[Template:Deletion]]; the admins (like any other user) can't expand, merge or update articles written in languages they don't speak, right? :) What other templates were you thinking about? -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 10:43, 11 September 2014 (UTC)

::True, every other [[Help:Template#Article status templates|article status template]] could be used in localized form by the maintenance team. Regardless, there will always be fragmentation of the [[Special:WhatLinksHere]]: for example when fulfilling the [[ArchWiki:requests|requests]], it is common to use English message (and template) on localized pages if the editor does not speak the language. This should be definitely considered by the translation teams.
::Personally, I find it strange that [[Template:Out of date|outdated]] or [[Template:Accuracy|inaccurate]] content from English pages can be spread by translation (see [https://wiki.archlinux.org/index.php?title=Bluetooth_Mouse_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&diff=next&oldid=334522#.D0.90.D0.B2.D1.82.D0.BE.D0.BC.D0.B0.D1.82.D0.B8.D1.87.D0.B5.D1.81.D0.BA.D0.B8_.D0.BF.D0.BE.D0.B4.D0.BA.D0.BB.D1.8E.D1.87.D0.B0.D1.82.D1.8C_.D0.BC.D1.8B.D1.88.D1.8C_.D0.BF.D1.80.D0.B8_.D0.B7.D0.B0.D0.B3.D1.80.D1.83.D0.B7.D0.BA.D0.B5]).
::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:36, 11 September 2014 (UTC)

:::About the first point on "fragmentation" of WLH pages, do you mean that it inevitably happens that some localized articles are marked with localized templates and some with English templates? In what cases is it possible that somebody adds a status template to an article without being able to understand its language? And if (s)he does, is that really the right thing to do? And if it is, maybe we could recommend to use the localized version of the template even if the message is then written in English?
:::About the second point on template "spreading", I don't find it "strange" if it happens when somebody translates from an article that is marked with such status template: he's adding the localized template not only to remind to the team that the article contains outdated content, but also to notify all non-contributing readers about possible inaccuracies. But maybe I haven't understood what you meant exactly?
:::Just to come back to the original topic, isn't it a good thing that the WLH pages for the English status templates are not (ideally) "polluted" by non-English articles? (Doesn't apply to Template:Deletion, I know)
:::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 14:33, 12 September 2014 (UTC)

::::For example when fulfilling [[ArchWiki:Requests]], there is often some unique keyword or phrase to identify the relevant section, even in localized pages. Google translate can be used to ''partially'' understand the surrounding text, even if the translation is grammatically incorrect. This makes it pretty easy to mark the section with English message (translating the message from English would be risky, the grammar mistakes might alter the meaning), which I think is an improvement (any warning should be better than none). Using a localized template in this case would require checking if such template exists, and even if it does, combining localized template and English message is even more weird.
::::About fragmentation and using localized ''article status templates'' generally, its advantage is that it filters out other languages in the WLH lists, but this only partial (the global list will always contain some localized pages, unless we want to create the necessary templates for each language and do some mass cleanup, and the localized lists will not point out localized pages marked with global templates). The disadvantage is that global maintenance, if only marking as outdated as per [[ArchWiki:Requests]], will be harder.
::::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:51, 12 September 2014 (UTC)

:::::Ok, of course each solution has pros and cons (will we need a summary table for this issue too?): honestly I wouldn't find it too weird if a localized template had an English message, which could also be translated afterwards by somebody else. Yes, adding a localized status template requires a bit more typing, sometimes even copy-pasting if there are non-Latin chars in the language name: this could be mitigated in the future by [[Help talk:i18n#Language namespace(s) in place of suffixes?]]; I understand this could effectively discourage adding status templates to translations. On the other hand, a bot would be able to convert the templates to the proper localized versions very easily, so that's a task that could be performed periodically (it could be used to check also other templates). And yes, having a translated version for each template would be required if we enforced such a policy. Finally, let's not forget that localized templates would be more useful to casual readers than English templates.
:::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:03, 14 September 2014 (UTC)

::::About the template spreading, it is safe to assume that [[Template:Poor writing]] will never be translated. Instead, the translator will probably fix the English article prior to translating it, which is happening ''a lot'', even when the style issues are not marked with a template, and this is absolutely great. On the other hand, I have never noticed any other ''article status template'' being resolved during translation. Admittedly, sometimes it is best to just translate the inaccurate content along with the template, or the translator might be unable to resolve it, but in terms of statistics I think that I should have noticed at least some effort by now.
::::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:51, 12 September 2014 (UTC)

:::::Well, [[Template:Poor writing]] does have a translation already with some backtransclusions, I'm not sure if you'd delete it (I wouldn't). -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:03, 14 September 2014 (UTC)

::As the discussion about other [[Help:Template#Article status templates|article status templates]] is getting slightly off-topic, let's take a list of one item for now, [[Template:Deletion]]. How do we mark it as non-translatable? The translated versions could then be redirected to the English template and deleted when there are no backlinks. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 22:01, 12 September 2014 (UTC)

:::I think the [https://docs.python.org/3.4/glossary.html#term-eafp EAFP] approach is better in this case, I can think of 2 implementations:
:::# Create a redirect for each Template:Deletion_(Language) title and protect them from editing with an exhaustive justification in the summary (this solution would A) be more consistent with the usage of the other status templates and B) allow us grouping the backtransclusions of Template:Deletion by language in its WLH page).
:::# Redirect the existing translations temporarily, convert them all with a bot, then delete them and finally protect all the Template:Deletion_(Language) titles from creation with an exhaustive justification in the summary.
:::I prefer 1), do you agree/disagree or have additional options?
:::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:08, 14 September 2014 (UTC)

== Template "nowrap" ==

I would like to ask for opinions about adding a wiki template like [https://en.wikipedia.org/wiki/Template:Nowrap Wikipedia's "nowrap"].

Although there are already some alternative solutions available for specific cases (e.g. {{ic|&nbsp;}} for non-breaking space, {{ic|&#8209;}} for non-breaking hyphen), the "nowrap" template (and/or other similar templates) covers additional cases.

For example, you might find one line of text presented as ending with the word {{ic|package}} and the same sentence continues in the next line, presented as starting with {{ic|(s)}}. By using the "nowrap" template on this expression, you get {{ic|package(s)}} all together, either at the end of one line or at the beginning of the next one, but never separated in 2 lines.

This is just an example. Other cases can be (more) relevant (too). Obviously, the "nowrap" template can also be used instead of (multiple) non-breaking spaces and non-breaking hyphens.

Without a "nowrap" (or similar) template, the alternatives are either to not care about these things, or to use one of the following (please note that some alternatives might be more appropriate than others):

{{bc|
1=This text will not wrap.
Some sentence... package(s) and the sentence continues.
}}
{{bc|
1=This text will not wrap.
Some sentence... package(s) and the sentence continues.
}}

The "nowrap" template also has some "alias" (or redirection) names in Wikipedia, or we could use a new different name for this same template.

Is this kind of situation worth a template for the ArchLinux wiki? Any thoughts? [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 15:39, 27 March 2016 (UTC)

:I don't know, it seems a bit overcomplicated to me... What browser are you using that wraps "package(s)" at the parenthesis? At least Firefox correctly interprets it as a single word, since I do believe that these cases should be handled by the browser. The same goes for e.g. "package-s". Can you give more examples where this template would be needed (and would be a clearly better solution than using non-breaking spaces etc.)? — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 06:57, 30 March 2016 (UTC)

::Hmm, perhaps I have not used the best example - I know I have seen this "package(s)" example somewhere, but currently I cannot recall where / when exactly.
::I should point out that users could see an unwanted (word) wrapping, depending on the width of the wiki text area (e.g. screen resolution, web browser's zoom, fonts...).
::As for "better" (or common) examples, please see [https://en.wikipedia.org/wiki/Wikipedia:NOWRAP] for brevity.
::BTW, using space characters and hyphens are the (most) common word-separators in certain languages, but not in all of them (e.g. CJK languages), so a "nowrap" template might be even more helpful in some translated wiki pages than in the English ones.
::I want to be clear. I am also not completely sure this type of template is "essential" for the ArchLinux wiki. It is potentially helpful; the question would be whether it is worth it. [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 02:51, 31 March 2016 (UTC)

:::I see, I should have been more specific, but what I meant with "more examples" is existing samples of the ArchWiki (in any language) where such template would improve the page rendering and/or the source text. To put it in other words: after creating the template, where exactly is it going to be used?
:::In general I'm against creating templates (or Categories, etc.) "just in case they come in handy one day", although in this case I admit the idea can make somewhat sense, so if you really feel you want to create the template, I won't object further, maybe somebody else will find good uses for it and we'll start appreciating its existence ^^
:::— [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 03:23, 31 March 2016 (UTC)

::::I am a contributor to other wiki sites (in addition to the ArchLinux wiki). As editor(s) of wiki text, it is usually recommended to be aware that readers might use very different setups. While I/we might not see a certain behavior in the presentation of the wiki text / page, others might.
::::Although the ArchLinux wiki would not (need to) consider older versions of web browsers (or web browsers being used in non-Linux OSes), I am used to test the results of my editions with at least a couple of different setups.
::::I found a [https://www.cs.tut.fi/~jkorpela/html/nobr.html web page] about word wrapping in HTML that might be of interest to (some) wiki editors. Some notes about it:
::::* Most of its content mentions Internet Explorer, but it also mentions Firefox, Opera and others.
::::* In theory, it is somewhat outdated (at the time of this writing, its last update was during 2013).
::::* In spite of its date, I am convinced that at least some of the issues are still relevant (with potential improvements and regressions in each new version / variant of web browser).
::::* The part of that web page that is relevant to our discussion here is that there are several alternative methods so to achieve the desired wrapping result, whether it is about preventing word-wrapping, imposing word-wrapping, or allowing optional wrapping at certain specific positions within an expression / word.
::::Some of the simpler alternatives, (probably with a varying degree of effective results): {{ic|&nbsp;}}, {{ic|&#8209;}}, {{ic|&#xfeff;}}, {{ic|&#8288;}}, {{ic|wbc}}, and for generic wiki text, a "nowrap" (or, one of its alias names, "nobr") templates.
::::The advantage of a "nowrap" template over its non-template alternatives is that it is more generic; editors can avoid having to use different tricks according to the specific character (space, hyphen, minus sign, em/en dash...) and it covers potential cases that have no alternative or that would make the source of the wiki text less-readable.
::::So, without a "nowrap" template, I guess that most of the relevant cases in Latin-like languages would be covered by some non-template alternative, or by using the full "span style expression". Although perhaps there might be some cases in which a "nowrap" template would not have an alternative in Latin-like languages, I am also ''guessing'' that such (few?) cases would probably not be worth a template in the ArchLinux wiki.
::::But then there are the CJK languages, in which wrapping styles / rules might be more important / complex than some form of "hyphen" and/or space characters.
::::Maybe [[User:Fengchao]] and/or other members that are fluent in CJK languages might have a different / relevant perspective?
::::— [[User:Ady|Ady]] ([[User talk:Ady|talk]]) 13:40, 1 April 2016 (UTC)

== Forum link ==

:Moved from [[Talk:Bash/Functions]] -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:13, 23 October 2015 (UTC)

The article has two types of forum links:

*[https://bbs.archlinux.org/viewtopic.php?id=30155 BBS#30155] (intro, as in [[Template:Bug]]) and
*https://bbs.archlinux.org/viewtopic.php?id=101010 (section [[Bash/Functions#Kingbash|#Kingbash]])

Which one is right again? --'''[[User:Det|Det]][[User talk:Det|talk]]''' 11:44, 24 July 2015 (UTC)

:Full URLs should be avoided, see [[Help:Style#Hypertext_metaphor]], otherwise I know of no recommended wording for forum links. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:13, 24 July 2015 (UTC)

::That section doesn't actually even talk about external links, while [[Help:Editing#External links]] says ''"just type the full URL"'', but also that ''"it is often more useful to make the link display something other than the URL"''. --'''[[User:Det|Det]][[User talk:Det|talk]]''' 16:04, 24 July 2015 (UTC)

:::This was already mentioned somewhere some time ago, I don't remember where nor when, anyway [https://wiki.archlinux.org/index.php?title=Special%3ALinkSearch&target=https%3A%2F%2Fbbs.archlinux.org%2Fviewtopic.php] would seem to justify the creation of a [[Template:BBS]], just like we have [[Template:Bug]]. — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:18, 25 July 2015 (UTC)

::::The problem with a BBS template is that links to the full thread have simple query string {{ic|1=?id=''number''}}, whereas links to posts have {{ic|1=?pid=''number''#''number''}}. There would have to be two different templates, which would get confusing very quickly.
::::There are more problems with existing links to the BBS: from looking at the list you posted, there are many links specifying the page number in the query string ({{ic|1=p=''num''}}), but FluxBB has variable/configurable number of posts per page. The links should point to either the full thread (first page), or a specific post.
:::: -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 25 July 2015 (UTC)

:::::Like with links to bugs, a bbs url has to be pasted and manually modified anyway, but most of the times the conversion to [[Template:Bug]] ends up being done by a bot, which would be able to use two different BBS templates appropriately.
:::::I see 5 types of viewtopic.php links:
:::::# {{ic|1=?id=''number''}}: these could be changed to [[Template:BBSid]] instances.
:::::# {{ic|1=?id=''number''&p=''number''}}: when {{ic|''number''}} is {{ic|1}}, they could drop it and use [[Template:BBSid]]; otherwise they should point to a post as you say and use a [[Template:BBSpid]] template (we could publish a list of such links for manual fixing, since the correct post has to be found by a human, a bot can't do it).
:::::# {{ic|1=?pid=''number''}}: these could be changed to [[Template:BBSpid]] instances, the link fragment is the same as {{ic|''number''}} with a prefixed {{ic|p}}, so it's easy to add using the same template argument.
:::::# {{ic|1=?pid=''number''#p''number''}}: these could be changed to [[Template:BBSpid]] instances, {{ic|''number''}} needs to be specified only once.
:::::# {{ic|1=?t=''number''}}: these seem to be all broken, so they should be marked as dead, or fixed.
:::::I've chosen [[Template:BBSid]] and [[Template:BBSpid]] instead of e.g. [[Template:BBSthread]] and [[Template:BBSpost]] thinking that it would be easier to get their relation to the url when used manually, but I'm still quite undecided (provided that we actually decide to introduce the new templates).
:::::— [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 04:27, 26 July 2015 (UTC)

::::::3. and 4. are identical (btw. haven't you confused their descriptions a little?), except that 3. only opens the page with the given post (based on the user's posts-per-page setting), but stays at the top of the page, whereas 4. points directly to the post (the {{ic|#p''number''}} is the trick to do it). So 3. should also never be used, but it's trivial to transform it to 4. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:50, 26 July 2015 (UTC)

:::::::Of course, I was reasoning from a bot's point of view, which would indeed see 3. and 4. as different cases. My description of 3. was assuming that the need for a fragment was obvious (hence the mention of how easy it is to add it even if it's not in the original link), but what's important is that you seem to have understood anyhow :P — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 10:44, 26 July 2015 (UTC)

::::::::I agree on using only PID and ID. If you're linking to a page, you most likely should link to a PID. To distinguish between both, you could use {{ic|##}} for PID and {{ic|#}} for ID.
::::::::I don't have suggestions on automating the implementation. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 11:18, 23 October 2015 (UTC)

== New Template Application ==

I was thinking a new template could be added for application pages that would give quick info on a package. It would be right floated like "related articles". I made a quick example here: [[User:Meskarune/package]] but it could use more work on the format/syntax. [[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 20:17, 23 January 2017 (UTC)

:I don't see the point of this. You want to know the package name? Look in ''Installation''. The website and description? Should be linked in the intro. systemd service, user & group and man pages should be under ''Usage''. Config paths & examples under ''Configuration''. –[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 05:43, 2 January 2018 (UTC)

::The point of the sidebar table is that people will not have to go searching through lots of text for important information. If you only want to quickly know the service file and config file on Arch without reading through all the text on the wiki it would be in an easy to find place. Obviously its just some extra "eye candy" if you will that people could choose to use.
::
::The larger issue I was trying to address was the lack of strict standardization for pages on packages.
::
::The idea is that the content, and specific order of sections for package pages should be standardized with certain sections being required. For example, install and configuration. This will increase the quality of package pages on the wiki and enable scripts to be able to automatically mark issues such as lacking an install section. This isn't just about a template for a table, it is about having more specific standards for package pages as well in order to help people write them easier and increase over all quality and decrease maintenance time.
::
::My proposal is that the example page I wrote should be the standard format for all pages on packages on the wiki.[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 19:39, 9 August 2018 (UTC)

:::If you want to find out services / configuration files / man pages of a package without reading an article, you can just grep {{ic|pacman -Ql}} for {{ic|/system/}}, {{ic|/etc/}} and {{ic|/man/}}. Your sidebar duplicates information and would thus increase the cost of maintenance (unnecessarily so). We already have [[Help:Style#Standard_sections|standard sections]]. I don't think that we need to require some sections / have a strict order for all standard sections. We don't need a dedicated example article, we got enough actual articles to serve as an example. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 05:06, 10 August 2018 (UTC)
::::I put together code for the info box: https://wiki.archlinux.org/index.php/User:Meskarune/Template:application first time writing a template, it was a good learning experience if anything else. I originally got the idea from wikipedia info boxes.
::::
::::Anyways, I don't propose that the info box be required for every package page, but on certain ones it would be very useful, for things like web servers, email servers, etc it is very common for people to go to the wiki page first, then go to upstream docs/bug trackers after, so having a small list would be helpful, and I think if people want to add them to such pages, the maintenance is not much since upstream doesn't often change. As for man page links, I often have the arch wiki on my phone while doing things on a computer without a GUI, and it is honestly useful to have man page links so its easier to read something on a phone while doing something in a TTY. I don't know how common that use case is, but I can't be the only one. It would also be useful for people who are visually impaired because finding links in text is difficult with a screen reader, and voice commands on phones are better than they are on linux.
::::
::::And as for the "standard sections" in the style guide, "installation" wasn't even on there until you added it after this discussion started. (and I am grateful you took the time to do that) Part of the reason for my original suggestion of having more standard sections was because there was a lack. I also still believe that having certain sections required for packages will increase quality and consistency of the pages over time and lower maintenance because scripts can automatically tag any page under category:package if it is lacking installation or configuration. But that is of course up to y'all to decide about that. I really don't have the time/energy to argue about this if no one else thinks more standardization is a good idea.[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 23:39, 11 August 2018 (UTC)
''[Moved from [[ArchWiki talk:Administrators#Package page style guide/template]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 13:07, 9 August 2018 (UTC)]''

I wrote a style guide/example template for package wiki pages. I wanted to get some feedback on it and possibly see if this couldn't be adopted as a standard on the wiki. This is the page: [[User:Meskarune/package]]

Maybe a wiki template could be created for the application info table sidebar thingy, this way it is faster/easier to add.

I think this would help improve the quality of package pages and help users get useful information faster. --[[User:Meskarune|Meskarune]] ([[User talk:Meskarune|talk]]) 20:37, 8 August 2018 (UTC)

== Creation of package search templates ==

We have got [[Template:Pkg]], [[Template:AUR]] and [[Template:man]] but package searches are still linked using external links, e.g.:

<pre>
[https://www.archlinux.org/packages/?q=thunderbird-i18n language pack]
[https://aur.archlinux.org/packages/?K=android-platform- older versions]
</pre>

I am therefore pondering whether we should create {{ic|<nowiki>{{Pkg?|foo}}</nowiki>}} → [https://www.archlinux.org/packages/?q=foo PKG?foo] and {{ic|<nowiki>{{AUR?|foo}}</nowiki>}} → [https://aur.archlinux.org/packages/?K=foo AUR?foo].

Pros:

* readers can identify package search links just by looking at them
* dedicated templates make the markup more readable and semantic

Cons:

* it further complicates [[Help:Reading#Formatting]]

While [[Template:AUR?]] already exists it's deprecated and produced "{{AUR?|foo}}", so there should be no problem in changing it.

The question is if it's worth it to create two templates for ~35 pages. What do you guys think?

--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 08:15, 20 May 2018 (UTC)

:It can be worth it, but how easy would it be to use the template, compared to the current link-like usage? You've taken your examples out of their context, [[Thunderbird]] and [[Android]], but there they are naturally inserted with an alternative link label, and as far as I remember this happens pretty much everywhere a package-search link is used.
:Perhaps this hypothetical template should still allow - if not even force - an alternative label (I don't like the [https://www.archlinux.org/packages/?q=foo PKG?foo] rendering too much anyway), but then in that case why not create dedicated interwiki links instead? We can do it easily from [[Special:Interwiki]].
:-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:49, 22 May 2018 (UTC)

::If the links require an alternative label, wrapping it with a template does not make much sense. Also, there are so few of such links and still there are similar cases that would require a manual link - e.g. the language pack links in [[Firefox#Installing]] which link to the ''pkgbase'' listings. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:50, 22 May 2018 (UTC)

::What about the following interwiki prefixes?
::{{bc|aur → https://aur.archlinux.org/packages/$1 pkg → https://www.archlinux.org/packages/$1}}--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 08:03, 24 May 2018 (UTC)

:::So now you want to replace the [[Template:Pkg]] and [[Template:AUR]] templates with interwiki links? That does not address the package search problem, unless you're about to write <nowiki>[[aur:?q=foo]]</nowiki>. It would also remove the special formatting of the package links, so that's no from me. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:30, 26 May 2018 (UTC)

::::I obviously don't want to replace [[Template:Pkg]] and [[Template:AUR]]. I left out the query parameters to make it flexible.--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 09:47, 26 May 2018 (UTC)

:::::In that case the purpose of the interwiki links would not be well defined, the {{ic|1=?q=}} string (which is an implementation detail) would have to be written manually on every page, and the alternative label would have to be used to make the link less ugly. Anyway, templates are much more flexible than interwiki links so let's either use templates or interwiki links which are as simple as possible. But before discussing the implementation details, we should agree on whether the use case is worth the effort or not. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:52, 26 May 2018 (UTC)

::::::Given the relatively limited number of applications, I wouldn't go as far as adding another template to our toolbox, but an interwiki link is such a simple thing that as I said I'd be in favor of setting up.
::::::I wouldn't like "flexible" interwiki links either, however, I'd rather go for:
aur → https://aur.archlinux.org/packages/?K=$1
pkg → https://www.archlinux.org/packages/?q=$1
::::::So the examples in the OP would become:
<pre>
[[aur:android-platform-|older versions]]
[[pkg:thunderbird-i18n|language pack]]
</pre>
::::::I'm not 100% sure about the prefixes though, I wish we could use {{ic|aur?}} and {{ic|pkg?}} or similar...
::::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 17:09, 26 May 2018 (UTC)

:::::::I meant the question is if it's worth doing it some other way instead of using the external links. External and interwiki links look the same and with the alternative label interwiki links don't save as much typing (one could even say that the URL, which is not very long in this case, can be copy-pasted completely which makes it easier to use). There are also other similar cases (like the pkgbase links above) which would require external links anyway. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 22:08, 26 May 2018 (UTC)

::::::::Well, of course I don't have a mathematical answer to that question, I can only say that interwiki links look neater to me in the source text, and since those search URLs are resources directly provided by Arch Linux, it makes sense ''to me'' to give them a shortcut, but yeah, more than a typing advantage it's a ''personal'' aesthetic preference over which I won't argue much more than this :)
::::::::Just to complete my reply, the full links could still be copy-pasted from the rendered pages; copy-pasting when editing the source text shouldn't be affected, because if you want to create a similar type of link, it doesn't matter if it's in the interwiki or the external-link form, although interwiki links are easier to just type than copy-paste. Interwiki links for split packages would be less useful and easy to use indeed.
::::::::Also, about the rendered looks, I want to remind that if we want we can specifically style (standard) package-search links however we like, whether they are created with external or interwiki links, but in the latter case we can target them specifically thanks to the ''extiw'' class.
::::::::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:23, 27 May 2018 (UTC)

== Creation of Template:Info ==

I think we have got enough articles about [[GNU]] software to warrant a template for [[Info manual]]s, analogous to [[Template:man]].

gnu.org hosts HTML [[Info manual]]s for apparently most GNU packages, generally in the form of {{ic|<nowiki>https</nowiki>://www.gnu.org/software/''package''/manual/html_node/''node''.html}}.

I created [[User:Larivact/drafts/Template:Info]] as a draft, only to realize that gnu.org replaces spaces with dashes, meaning, like [[Template talk:Hc#hc breaks in lists]], this template would require [[mw:Extension:StringFunctions]].

--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 11:21, 15 August 2018 (UTC)

:Not only that, it also encodes characters like dashes: [https://www.gnu.org/software/coreutils/manual/html_node/Special-built_002din-utilities.html] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:47, 15 August 2018 (UTC)

::Well spotted, so: {{bc|' ' -> '_' '-' -> '_002d' '/' -> '_002f'}} should cover most cases. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 12:13, 15 August 2018 (UTC)

:::And I guess every other "blacklisted" character has to be encoded as {{ic|_}} + {{ic|''4-digit hex code''}}... So what's the full blacklist?
:::As for StringFunctions, that's a [https://phabricator.wikimedia.org/T8455#110965 dead-end solution].
:::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:47, 15 August 2018 (UTC)

::::It's not a blacklist it's a whitelist, anything not {{ic|[A-Za-z0-9 ]}} is encoded, see [https://svn.savannah.gnu.org/viewvc/texinfo/trunk/tp/Texinfo/Convert/NodeNameNormalization.pm?view=markup#l114].
::::Yeah Lua/[[mw:Extension:Scribunto]] would allow for more readable code and correct templates. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 13:06, 15 August 2018 (UTC)
::::I opened [[ArchWiki talk:Administrators#Scribunto]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 17:34, 18 August 2018 (UTC)

== More inline-style templates ==

I would like to create more templates for inline-flagging of some style problems, similarly to [[Template:Dead link]] or [[Template:Broken section link]]:

* [[Template:Avoid implicit link]] (for {{ic|<nowiki>[[...|here]]</nowiki>}}, {{ic|<nowiki>[[...|above]]</nowiki>}}, {{ic|<nowiki>[[...|below]]</nowiki>}} etc.)
* [[Template:Avoid external link]] (for external links to Wikipedia, AUR packages etc.)
* [[Template:Citation needed]] or [[Template:Reference needed]]
* [[Template:Language register]] (could be used with arguments, e.g. {{ic|<nowiki>{{Language register|too informal}}</nowiki>}}, {{ic|<nowiki>{{Language register|avoid acronyms}}</nowiki>}}, etc.)

Some of them could be applied (semi)automatically with a bot. Maybe you can also think of more problems that could be marked similarly.

-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:25, 23 February 2020 (UTC)

:I don't see much need for [[Template:Language register]] since it would usually apply to whole paragraphs or the entire article instead of some phrase/word as [[Template:Dead link]]. I think [[Template:Style]] fully covers that case. I'm also somewhat skeptical of a bot's ability to apply it accurately, but maybe I'm mistaken about that.
:I do like the other proposed templates. I think [[Template:Citation needed]]/[[Template:Reference needed]] in particular would be very useful. It could ease the burden when flagging questionable claims, unlike [[Template:Expansion]] or [[Template:Accuracy]] which require a detailed "reason".
: -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 14:27, 23 February 2020 (UTC)

::I think [[Template:Language register]] would be useful for phrases explicitly mentioned in [[Help:Style#Language register]], e.g. "at the time of writing". They occur frequently and using [[Template:Style]] is usually an overkill, especially if the phrase appears inside a [[template:note|note]] or a list. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:33, 23 February 2020 (UTC)

:::Simpler alternative (possibly too simplistic): make only one new generic inline Style template, and clarify the reason with its argument case by case. Of course it will mix all cases together in its WhatLinksHere page, but so does [[Template:Style]]. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:47, 16 March 2020 (UTC)

::::I wouldn't like to add too much text to inline templates, because the wikicode would become too chaotic. Even <nowiki>{{avoid implicit link}}</nowiki> is shorter than <nowiki>{{inline style|avoid implicit link}}</nowiki>, and the former can even include a link to the relevant section in [[Help:Style]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:59, 21 March 2020 (UTC)

:::::No worries, I'm fine either way, maybe you can only start with the templates that can be applied with a bot, since for a human it might be just equally easy to directly fix links, acronyms, abbreviations etc. than flag them with a template. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 11:31, 21 March 2020 (UTC)
:As far as I understand, we are quite happy with <code><nowiki>{{Style|…}}</nowiki></code> and its friends. I want to close this stale topic. — [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 16:21, 13 August 2025 (UTC)
::Actually, I would like to revisit this topic at some point. [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:40, 14 August 2025 (UTC)
:::👍 [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 18:54, 14 August 2025 (UTC)

== Suggest using user page sandbox ==

Everyone using [[Template:Sandbox]] has following disadvantages:

* Only one user can edit it at a time.
* Breaks previous drafts and talks.

Instead of everyone using [[Template:Sandbox]] I propose suggesting to copy whole template to [[User:Exampleuser/Template]] and testing there. Also you can test template without saving the page, which you can't do on already created template page.

[[Template:Template]] and [[Help:Template#Creation]] would need to be updated, possibly first should link to latter instead of [[Template:Sandbox]]. Instead of creating template in main namespace instructions should suggest creating it in user page, then start new discussion on [[Help:Template]] to introduce it to the wiki.

-- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 00:12, 13 May 2020 (UTC)

:If people move or archive or delete their personal sandbox page, the drafts and talks will break anyway. And there were not many cases in the past where multiple users wanted to edit the template sandbox at the same time. Using just one template sandbox is good in at least one way: it helps to push things forward faster, because otherwise it would block other things. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 08:39, 13 May 2020 (UTC)

::Only admins can delete pages. And only users that were breaking our draft templates were [[User:Larivact]] which quit wiki and myself which I stopped doing because its pointless and because it breaks old talks. I don't see how [[Template:Sandbox]] helps push things faster. Obviously you would only save new version of template if you wanted to discuss it with other editors (which by default is slow because you have to wait for other people), and for previewing any non-existent page on wiki is faster, because you can preview without saving. Also if you want to draft many templates you should create [[Template:Sandbox2]] and the like, which [[User:Kynikos]] did and bloats our template space (why not name it [[Template:Command]] if we decided we allow creating draft templates in main template namespace), which we use to figure out optimal amount of templates we wish to maintain and update. -- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 16:41, 13 May 2020 (UTC)

::My main point as long as you need at least 2 different version of same or different templates, [[Template:Sandbox]] is not good enough. Other option would be just have resulting html directly inside draft pages, which is even uglier and harder to update without using extra tools like sed. -- [[User:Svito|Svito]] ([[User talk:Svito|talk]]) 16:45, 13 May 2020 (UTC)

:::I've thought about this a little, it may make sense to me, how would you patch [[Template:Template]] and [[Help:Template#Creation]]? I've moved [[Template:Sandbox2]]. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 16:41, 19 May 2020 (UTC)

== "Help:Template" or "Help:Templates"? ==

Singular or plural?..

"Template" is about what template is: it is useful for template creators (mostly, wiki admins).

"Templates" are about "template list" ([[Help:Template#List of templates]]). Wiki contributors are interested in them.

I think our page is named after [[Wikipedia:Template]], but, hey, that page is all about what the template is—compare it with [[mw:Templates]].

To be clear: I want to rename this page from "Template" to "Templates": ordinary users don't care what template is, but how to use them.

-- [[User:Andrei Korshikov|Andrei Korshikov]] ([[User talk:Andrei Korshikov|talk]]) 14:55, 1 August 2025 (UTC)

:I'm for renaming the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:58, 7 August 2025 (UTC)
:I have no strong opinion either way, if it feels clearer to everyone let's go. [[User:Erus Iluvatar|Erus Iluvatar]] ([[User talk:Erus Iluvatar|talk]]) 16:24, 23 August 2025 (UTC)

== Have editors create the talk page discussions for Status templates: Merge and Move ==

The templates Merge and Move have an optional parameter of a talk page discussion. If the editors who make either of these two specific tags, also add the talk page topic atleast in brief they would be subscribed to that specific conversation. However if the editors only add the template to a subsection of a page other editors would have to make said topic page and then reach out to the original editor via their user talk page or other contact methods just to include them or get their perspectives, which could be an avoided waste of space of their user talk page space.

I suggest having a sentence in [[Help:Template#Status]] saying something along the lines of, "Please create a topic discussion when using Merge or Move templates so as to be subscribed to any ongoing discussions where needed".
This is more of QOL/best practices kind of change than a hard requirement change. Please let me know your thoughts on this. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:40, 8 May 2026 (UTC)

:The subscription to individual discussion topics is a weird feature, it is not necessary to get notifications. Many people who add these templates already have the page (and thus its talk page too) on their watchlist and get email notifications for all edits. Subscribing to discussions would mean duplicate notifications. Furthermore, you can mention people like @[[User:TheKnightSky|TheKnightSky]] to get their attention from anywhere. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:56, 9 May 2026 (UTC)
::You are right, that aspect makes sense.
::However regarding linking to the user page, I had thoroughly read the [[Help:Editing]], and [[Help:Template]] and [https://www.mediawiki.org/wiki/Help:Templates Help:Templates], and there was no mention of this notifying the user, much less this being described in them. The notification I received for this reply was along the lines of "
::‪Lahwaacz‬ mentioned you on ‪Help talk:Template‬ in "‪Have editors create the talk page discussions for...‬".
::The subscription to individual discussion topics is a weird feature, it is not necessary to get notifications. Many people who add these templates...
::", this was the only notification, there was no "Lahwaacz replied in xyz" for this.
::But on the other hand for a separate notification, "
::‪Lahwaacz‬ mentioned you on the talk page of user ‪Lahwaacz.bot‬ in "‪Marking bot edits as minor edit‬".
::Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications...
::", where I was not mentioned using my user page, but you had replied to my text.
::And another point for "
::‪Lahwaacz‬ replied in "‪Marking bot edits as minor edit‬".
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely Notifications stop after bot...
::", which was an expected notification behaviour for a reply.
::By your logic I should have received 2 pings for this reply, unless in the backend multiple notifications for the same action is prohibited, which contradicts itself given that I got 2 notifications for the "Mayking bot edits" thread and only 1 for this even when mentioned by name, which also isn't described anywhere I could find. And im exclusively talking about the notifications on the webpage, not via email. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:44, 9 May 2026 (UTC)
:::If you enabled email notifications and added this page to your watchlist, you would have received 2 emails, I think. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:20, 9 May 2026 (UTC)

User talk:Lahwaacz.bot

2026-05-09T12:14:56Z

Lahwaacz: /* Marking bot edits as minor edit */ Reply

== marking AUR links to pkgbase as broken link ==

hi, your bot marked a {{Aur|policyd}} link as broken (on https://wiki.archlinux.org/index.php?title=Postfix&diff=next&oldid=431606#Rule-based_mail_processing). the pkgbase policyd exists, but packages derived from it have different names. can you fix this please? thank you! [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:05, 24 April 2016 (UTC)

:Hi, that's a general problem of the [[Template:AUR]], which works only for packages and not pkgbases. For {{AUR|policyd}} the link does not work, it leads to a 404 page. I think that this behaviour is fine because users can install only packages and not pkgbases. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:53, 24 April 2016 (UTC)

::Hm, I see the problem here. How could i implement a link to https://aur.archlinux.org/pkgbase/policyd with the AUR annotation? [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:59, 24 April 2016 (UTC)

:::Ok fixed it: [https://aur.archlinux.org/pkgbase/policyd policyd]AUR [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 19:03, 24 April 2016 (UTC)

::::Hmm, that's not perfect either, because users expect such links to be ''packages'' that can be installed—on the other hand, pkgbases can't be installed. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:30, 16 July 2016 (UTC)

== Removes title case, is this desired? ==

I noticed this bot just swept through and some links from title case to quasi-sentence case. This seems like incorrect behavior to me. In English writing, proper nouns are supposed to be capitalized, and technical writing has a lot of proper nouns. A bot can't possibly tell the difference between a proper noun like "[EFI System Partition]" and the same words as common nouns in "your [system partition]". Should we respond to edits we disagree with using "undo", or will the bot just make the same change on a second pass?

{{unsigned|15:17, 3 July 2018‎|Bobpaul}}

:The ArchWiki does not use title case even in page titles, see the rule in [[Help:Style#Title]]. For links to pages, using the same capitalization as the target page is preferable (see also [[Help:Style#Hypertext metaphor]]). So, generally, the edits were correct, though if you have a specific controversial case we can debate it further. Also, the "(interactive)" suffix in the edit summaries means that a human sat behind a keyboard and pressed "yes" to confirm each change. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 3 July 2018 (UTC)

== Dead link with SSL error status ==

Hi. It looks like this edit is wrong: [https://wiki.archlinux.org/index.php?title=Help:Editing_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&curid=2786&diff=630264&oldid=618993]. I tried to follow the link and it is working. Also I check the link in the [[Help:Editing#Tables|original article]] — it is actually the same link like in the russian wiki, but not marked as dead and is working fine too. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 09:31, 7 August 2020 (UTC)

:The bot is using [https://requests.readthedocs.io/en/master/ requests] and this query is returning {{ic|certificate verify failed: unable to get local issuer certificate}}. I don't know enough SSL to know what is the problem... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:00, 7 August 2020 (UTC)

:: Firefox says that the certificate for www.tablesgenerator.com expires on February 10, 2022. Anyway I fixed the link. Maybe http replacement on https helps, I don't know. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 12:20, 7 August 2020 (UTC)

== Removing English Interlanguage Link ==

This bot has been removing English interlanguage link from my translated pages such as [[Arch Linux (বাংলা)]], [[Main page (বাংলা)]]....Why? -- [[User:FOSS ভক্ত|FOSS ভক্ত]] ([[User talk:FOSS ভক্ত|talk]]) 07:03, 24 September 2020 (UTC)

:The links will be added automatically when the language is added to the interlanguage table. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:22, 26 September 2020 (UTC)

== Marking bot edits as minor edit ==

I think this bot's edits should be marked as minor edit, so the system won't send notification emails about the article being changed. -- [[User:Huupoke12|Huupoke12]] ([[User talk:Huupoke12|talk]]) 04:19, 19 November 2021 (UTC)

:Hi, it's not that simple because then MediaWiki would not send notifications even for normal user edits that follow after a minor bot edit. That's because the minor bot edit would still be recorded as unread in the watchlist table, it would just not send the notification email, so it would be waiting until you visit the page again before sending the next notification for the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:53, 19 November 2021 (UTC)

::Hi, is it possible for edits made by this bot to be recorded as bot edits ? since the edits are neither marked (m) nor (b) they all show up in watchlists, even if both minor and bot edits are supposedly filtered out.
::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 07:21, 13 October 2024 (UTC)
:::I explicitly want the wiki to send notifications for bot edits, because they should still be reviewed. Unfortunately email notifications for bots are seriously broken (see https://phabricator.wikimedia.org/T358087#10223291) so I removed Lahwaacz.bot from the bot group yesterday. Note that the most serious bug is actually [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read]... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:50, 13 October 2024 (UTC)
::::Hmm, I understand but this is going to make everyone's watchlist basically unreadable. Any idea how to work around this ? [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:52, 13 October 2024 (UTC)
:::::As a temporary solution it looks like they can be filtered out by unchecking wiki-scripts in advanced filters. Works for me but it might affect a lot of people. [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:56, 13 October 2024 (UTC)
::::::Also note that the bot is done for the weekend and won't be making so many edits any time soon. Or rather I might try running it more often to spread out the amount of edits...
::::::By the way, do you speak PHP? Maybe we can bribe you to fix the MediaWiki issues 😂
::::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:05, 13 October 2024 (UTC)
:::::::Haha no sorry :) [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 18:44, 13 October 2024 (UTC)

:Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications as described here but for the triviality of the edit. For example, [[ASUS Linux]] had an edit from this bot account where it removed 2 spaces and helped clean it up a bit, which is trivial enough to warrant a minor edit. To cite [[Help:Editing]], it is superficial and indisputable and [[Wikipedia: Help:Minor_edit#Exceptions]], where bot account edits should be considered minor. However I do agree that if a major edit is made it should not tag it as a minor edit. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:05, 9 May 2026 (UTC)
::Of course in an ideal world they should be marked as minor edits, but it is not possible due to MediaWiki bugs, namely [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read] as mentioned in the earlier replies... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:14, 9 May 2026 (UTC)

== <s>Bot account</s> ==

I suspect that it is not correct that this account is not considered to be a bot...

I don't see it here: https://wiki.archlinux.org/index.php?title=Special:ListUsers&group=bot [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 12:59, 9 May 2025 (UTC)

:See [[#Marking bot edits as minor edit|the discussion above]]: "I removed Lahwaacz.bot from the bot group" — [[User:Andreymal|andreymal]] ([[User talk:Andreymal|talk]]) 13:17, 9 May 2025 (UTC)
::Ah, got it. I wasn't wrong, but bot handling isn't right either, so we have what we have.
::Didn't read it right away because I wasn't expecting it to be related. [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 17:16, 9 May 2025 (UTC)

:::No problem, but this can be closed.

== <s>Marking AUR package as missing</s> ==

Hello! Your bot marked {{AUR|cros-container-guest-tools-git}} as not found, even though the page and the repo still exist (at https://wiki.archlinux.org/index.php?title=Chrome_OS_devices/Crostini&diff=next&oldid=848291#Introduction). Is there any particular reason it did this? [[User:Ry10hu|Ry10hu]] ([[User talk:Ry10hu|talk]]) 22:37, 20 December 2025 (UTC)

:Hi, it was a bug, it's already fixed: [https://github.com/lahwaacz/wiki-scripts/commit/dd2452238ddc289b0aa68a4dc52fe3e9149dca89] [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:47, 21 December 2025 (UTC)

User talk:Lahwaacz.bot

2026-05-09T12:11:27Z

Lahwaacz: /* Marking bot edits as minor edit */ reorder replies for logical flow

== marking AUR links to pkgbase as broken link ==

hi, your bot marked a {{Aur|policyd}} link as broken (on https://wiki.archlinux.org/index.php?title=Postfix&diff=next&oldid=431606#Rule-based_mail_processing). the pkgbase policyd exists, but packages derived from it have different names. can you fix this please? thank you! [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:05, 24 April 2016 (UTC)

:Hi, that's a general problem of the [[Template:AUR]], which works only for packages and not pkgbases. For {{AUR|policyd}} the link does not work, it leads to a 404 page. I think that this behaviour is fine because users can install only packages and not pkgbases. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 18:53, 24 April 2016 (UTC)

::Hm, I see the problem here. How could i implement a link to https://aur.archlinux.org/pkgbase/policyd with the AUR annotation? [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 18:59, 24 April 2016 (UTC)

:::Ok fixed it: [https://aur.archlinux.org/pkgbase/policyd policyd]AUR [[User:Fordprefect|Fordprefect]] ([[User talk:Fordprefect|talk]]) 19:03, 24 April 2016 (UTC)

::::Hmm, that's not perfect either, because users expect such links to be ''packages'' that can be installed—on the other hand, pkgbases can't be installed. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:30, 16 July 2016 (UTC)

== Removes title case, is this desired? ==

I noticed this bot just swept through and some links from title case to quasi-sentence case. This seems like incorrect behavior to me. In English writing, proper nouns are supposed to be capitalized, and technical writing has a lot of proper nouns. A bot can't possibly tell the difference between a proper noun like "[EFI System Partition]" and the same words as common nouns in "your [system partition]". Should we respond to edits we disagree with using "undo", or will the bot just make the same change on a second pass?

{{unsigned|15:17, 3 July 2018‎|Bobpaul}}

:The ArchWiki does not use title case even in page titles, see the rule in [[Help:Style#Title]]. For links to pages, using the same capitalization as the target page is preferable (see also [[Help:Style#Hypertext metaphor]]). So, generally, the edits were correct, though if you have a specific controversial case we can debate it further. Also, the "(interactive)" suffix in the edit summaries means that a human sat behind a keyboard and pressed "yes" to confirm each change. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:31, 3 July 2018 (UTC)

== Dead link with SSL error status ==

Hi. It looks like this edit is wrong: [https://wiki.archlinux.org/index.php?title=Help:Editing_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)&curid=2786&diff=630264&oldid=618993]. I tried to follow the link and it is working. Also I check the link in the [[Help:Editing#Tables|original article]] — it is actually the same link like in the russian wiki, but not marked as dead and is working fine too. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 09:31, 7 August 2020 (UTC)

:The bot is using [https://requests.readthedocs.io/en/master/ requests] and this query is returning {{ic|certificate verify failed: unable to get local issuer certificate}}. I don't know enough SSL to know what is the problem... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:00, 7 August 2020 (UTC)

:: Firefox says that the certificate for www.tablesgenerator.com expires on February 10, 2022. Anyway I fixed the link. Maybe http replacement on https helps, I don't know. -- [[User:Duodai|Duodai]] ([[User talk:Duodai|talk]]) 12:20, 7 August 2020 (UTC)

== Removing English Interlanguage Link ==

This bot has been removing English interlanguage link from my translated pages such as [[Arch Linux (বাংলা)]], [[Main page (বাংলা)]]....Why? -- [[User:FOSS ভক্ত|FOSS ভক্ত]] ([[User talk:FOSS ভক্ত|talk]]) 07:03, 24 September 2020 (UTC)

:The links will be added automatically when the language is added to the interlanguage table. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:22, 26 September 2020 (UTC)

== Marking bot edits as minor edit ==

I think this bot's edits should be marked as minor edit, so the system won't send notification emails about the article being changed. -- [[User:Huupoke12|Huupoke12]] ([[User talk:Huupoke12|talk]]) 04:19, 19 November 2021 (UTC)

:Hi, it's not that simple because then MediaWiki would not send notifications even for normal user edits that follow after a minor bot edit. That's because the minor bot edit would still be recorded as unread in the watchlist table, it would just not send the notification email, so it would be waiting until you visit the page again before sending the next notification for the page. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:53, 19 November 2021 (UTC)

::Hi, is it possible for edits made by this bot to be recorded as bot edits ? since the edits are neither marked (m) nor (b) they all show up in watchlists, even if both minor and bot edits are supposedly filtered out.
::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 07:21, 13 October 2024 (UTC)
:::I explicitly want the wiki to send notifications for bot edits, because they should still be reviewed. Unfortunately email notifications for bots are seriously broken (see https://phabricator.wikimedia.org/T358087#10223291) so I removed Lahwaacz.bot from the bot group yesterday. Note that the most serious bug is actually [https://phabricator.wikimedia.org/T374404 Notifications stop after bot edits until page is manually viewed or watchlist is marked as read]... — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:50, 13 October 2024 (UTC)
::::Hmm, I understand but this is going to make everyone's watchlist basically unreadable. Any idea how to work around this ? [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:52, 13 October 2024 (UTC)
:::::As a temporary solution it looks like they can be filtered out by unchecking wiki-scripts in advanced filters. Works for me but it might affect a lot of people. [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 08:56, 13 October 2024 (UTC)
::::::Also note that the bot is done for the weekend and won't be making so many edits any time soon. Or rather I might try running it more often to spread out the amount of edits...
::::::By the way, do you speak PHP? Maybe we can bribe you to fix the MediaWiki issues 😂
::::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:05, 13 October 2024 (UTC)
:::::::Haha no sorry :) [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 18:44, 13 October 2024 (UTC)

:Taking this discussion in a new course, I think minor edits still should be labelled as minor edits but not for the purposes as email notifications as described here but for the triviality of the edit. For example, [[ASUS Linux]] had an edit from this bot account where it removed 2 spaces and helped clean it up a bit, which is trivial enough to warrant a minor edit. To cite [[Help:Editing]], it is superficial and indisputable and [[Wikipedia: Help:Minor_edit#Exceptions]], where bot account edits should be considered minor. However I do agree that if a major edit is made it should not tag it as a minor edit. [[User:TheKnightSky|TheKnightSky]] ([[User talk:TheKnightSky|talk]]) 12:05, 9 May 2026 (UTC)

== <s>Bot account</s> ==

I suspect that it is not correct that this account is not considered to be a bot...

I don't see it here: https://wiki.archlinux.org/index.php?title=Special:ListUsers&group=bot [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 12:59, 9 May 2025 (UTC)

:See [[#Marking bot edits as minor edit|the discussion above]]: "I removed Lahwaacz.bot from the bot group" — [[User:Andreymal|andreymal]] ([[User talk:Andreymal|talk]]) 13:17, 9 May 2025 (UTC)
::Ah, got it. I wasn't wrong, but bot handling isn't right either, so we have what we have.
::Didn't read it right away because I wasn't expecting it to be related. [[User:Karakurt|Karakurt]] ([[User talk:Karakurt|talk]]) 17:16, 9 May 2025 (UTC)

:::No problem, but this can be closed.

== <s>Marking AUR package as missing</s> ==

Hello! Your bot marked {{AUR|cros-container-guest-tools-git}} as not found, even though the page and the repo still exist (at https://wiki.archlinux.org/index.php?title=Chrome_OS_devices/Crostini&diff=next&oldid=848291#Introduction). Is there any particular reason it did this? [[User:Ry10hu|Ry10hu]] ([[User talk:Ry10hu|talk]]) 22:37, 20 December 2025 (UTC)

:Hi, it was a bug, it's already fixed: [https://github.com/lahwaacz/wiki-scripts/commit/dd2452238ddc289b0aa68a4dc52fe3e9149dca89] [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:47, 21 December 2025 (UTC)

Help talk:Template

2026-05-09T09:56:42Z

Lahwaacz: /* Have editors create the talk page discussions for Status templates: Merge and Move */ Reply

System backup

2026-05-09T09:47:33Z

Lahwaacz: move the link to Synchronization and backup programs to the main text

[[Category:Backup]]
[[es:System backup]]
[[it:System backup]]
[[ja:システムバックアップ]]
[[pt:System backup]]
[[zh-hans:System backup]]
{{Related articles start}}
{{Related|System maintenance#Backup}}
{{Related|Data-at-rest encryption#Backup for disk encryption scenarios}}
{{Related|Disk cloning}}
{{Related|Migrate installation to new hardware}}
{{Related|File recovery}}
{{Related articles end}}

A system backup is <q>the process of backing up the operating system, files and system-specific useful/essential data. [It] primarily ensures that not only the user data in a system is saved, but also the system's state or operational condition. This helps in restoring the system to the last-saved state along with all the selected backup data.</q>[https://www.techopedia.com/definition/29387/system-backup]{{Dead link|2025|11|17|status=404}}

One common and generally effective method is to follow the 3-2-1 strategy:

* Maintain three copies of your data,
* Use two different types of storage media,
* Store one copy offsite.

== Methods ==

The [[Synchronization and backup programs]] page includes many options that are suitable for full system backups. Other common approaches are listed in the following subsections.

=== Using Btrfs snapshots ===

See [[Btrfs#Snapshots]], [[#Snapshots and /boot partition]], and [[Snapper]].

=== Using LVM snapshots ===

See [[LVM#Snapshots]], [[Create root filesystem snapshots with LVM]], and [[#Snapshots and /boot partition]].

=== Using rsync ===

See [[rsync#As a backup utility]].

=== Using tar ===

See [[Full system backup with tar]].

=== Using SquashFS ===

See [[Full system backup with SquashFS]].

{{Note|SquashFS does not support [[ACL]]s.}}

== Bootable backup ==

Having a bootable backup can be useful in case the filesystem becomes corrupt or if an update breaks the system. The backup can also be used as a test bed for updates, with the ''testing'' repo enabled, etc. If you transferred the system to a different partition or drive and you want to boot it, the process is as simple as updating the backup's {{ic|/etc/fstab}} and your boot loader's configuration file.

This section assumes that you backed up the system to another drive or partition, that your current boot loader is working fine, and that you want to boot from the backup as well.

=== Update the fstab ===

Without rebooting, edit the backup's [[fstab]] by commenting out or removing any existing entries. Add one entry for the partition containing the backup, for example:

UUID=''XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'' / ''ext4'' defaults 0 1

Remember to use [[Persistent block device naming|a persistent block device name]] and the proper filesystem type.

=== Update the boot loader's configuration file ===

For [[Syslinux]], all you need to do is duplicate the current entry, except pointing to a different drive or partition.

{{Tip|Instead of editing {{ic|syslinux.cfg}}, you can also temporarily edit the menu during boot. When the menu shows up, press the {{ic|Tab}} key and change the relevant entries. Partitions are counted from one, drives are counted from zero.}}

For [[GRUB]], it is recommended that you automatically [[GRUB#Generate the main configuration file|re-generate the main configuration file]]. If you want to freshly install all GRUB files to somewhere other than {{ic|/boot}}, such as {{ic|/mnt/newroot/boot}}, use the {{ic|--boot-directory}} flag.

Also verify the new menu entry in {{ic|/boot/grub/grub.cfg}}. Make sure the UUID is matching the new partition, otherwise it could still boot the old system. Find the UUID of a partition with [[lsblk]]:

$ lsblk -no NAME,UUID /dev/sd''XY''

where {{ic|/dev/sd''XY''}} is the desired partition (e.g. {{ic|/dev/sdb3}}). To list the UUIDs of partitions GRUB thinks it can boot, use ''grep'':

# grep UUID= /boot/grub/grub.cfg

=== First boot ===

Reboot the computer and select the right entry in the boot loader. This will load the system for the first time. All peripherals should be detected and the empty folders in {{ic|/}} will be populated.

Now you can re-edit {{ic|/etc/fstab}} to add the previously removed partitions and mount points.

== Snapshots and /boot partition ==

If your [[file system]] supports snapshots (e.g., [[LVM#Snapshots|LVM]] or [[Btrfs#Snapshots|Btrfs]]), these will most likely exclude the {{ic|/boot}} partition or [[ESP]].

You can copy the boot partition automatically on a kernel update to your {{ic|root}} partition with a [[pacman hook]] (make sure the hook file is owned by root):

{{hc|/etc/pacman.d/hooks/55-bootbackup_pre.hook|2=
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Path
Target = usr/lib/modules/*/vmlinuz

[Action]
Depends = rsync
Description = Backing up pre /boot...
When = PreTransaction
Exec = /usr/bin/bash -c 'rsync -a --mkpath --delete /boot/ "/.bootbackup/$(date +%Y_%m_%d_%H.%M.%S)_pre"/'
}}

{{hc|/etc/pacman.d/hooks/95-bootbackup_post.hook|2=
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Path
Target = usr/lib/modules/*/vmlinuz

[Action]
Depends = rsync
Description = Backing up post /boot...
When = PostTransaction
Exec = /usr/bin/bash -c 'rsync -a --mkpath --delete /boot/ "/.bootbackup/$(date +%Y_%m_%d_%H.%M.%S)_post"/'
}}

== Automation ==

Backups that are only manually created are rarely up to date when they are needed. Therefore it is recommended to setup an automated process to ensure backup processes are executed regularly. The most common solutions are provided by [[systemd/Timers]] and [[Cron]].

For a local system wide backup that requires read access to all files the following systemd timer and service may be useful as a template for automated backup processes.

To use a ''timer'' unit [[enable]] and [[start]] it like any other unit.

{{hc|/etc/systemd/system/backup.timer|2=
[Unit]
Description=Timer for backups

[Timer]
OnCalendar=weekly
Persistent=true
Unit=backup.service

[Install]
WantedBy=timers.target
}}

The following example is configured to run with minimal required permissions while preventing modifications from normal users for increased security.

Note that this example will block the shutdown process when it is initiated while the backup is running. This ensures that the backup is not interrupted, but can lead to a delay during shutdown/reboot if many new files need to be saved.

{{hc|/etc/systemd/system/backup.service|2=
[Unit]
Description=Backup system

[Service]
Type=simple
User=''backupuser''

AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
UMask=7007

ExecStart=/usr/local/bin/backup.sh
ExecStop=bash -c 'if [ -n "$MAINPID" ]; then tail --pid="$MAINPID" -f /dev/null; fi'
}}

{{ic|CAP_DAC_READ_SEARCH}} sets the capability that allows bypassing file read permission checks in the file system; thus all files in the file system will be accessible without requiring root permissions.

For remote backups allow the use of network protocols:

RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

System backup

2026-05-09T09:41:46Z

Lahwaacz: /* Using restic */ Synchronization and backup programs have a dedicated page

[[Category:Backup]]
[[es:System backup]]
[[it:System backup]]
[[ja:システムバックアップ]]
[[pt:System backup]]
[[zh-hans:System backup]]
{{Related articles start}}
{{Related|Synchronization and backup programs}}
{{Related|System maintenance#Backup}}
{{Related|Data-at-rest encryption#Backup for disk encryption scenarios}}
{{Related|Disk cloning}}
{{Related|Migrate installation to new hardware}}
{{Related|File recovery}}
{{Related articles end}}

A system backup is <q>the process of backing up the operating system, files and system-specific useful/essential data. [It] primarily ensures that not only the user data in a system is saved, but also the system's state or operational condition. This helps in restoring the system to the last-saved state along with all the selected backup data.</q>[https://www.techopedia.com/definition/29387/system-backup]{{Dead link|2025|11|17|status=404}}

One common and generally effective method is to follow the 3-2-1 strategy:

* Maintain three copies of your data,
* Use two different types of storage media,
* Store one copy offsite.

== Using Btrfs snapshots ==

See [[Btrfs#Snapshots]], [[#Snapshots and /boot partition]], and [[Snapper]].

== Using LVM snapshots ==

See [[LVM#Snapshots]], [[Create root filesystem snapshots with LVM]], and [[#Snapshots and /boot partition]].

== Using rsync ==

See [[rsync#As a backup utility]].

== Using tar ==

See [[Full system backup with tar]].

== Using SquashFS ==

See [[Full system backup with SquashFS]].

{{Note|SquashFS does not support [[ACL]]s.}}

== Bootable backup ==

Having a bootable backup can be useful in case the filesystem becomes corrupt or if an update breaks the system. The backup can also be used as a test bed for updates, with the ''testing'' repo enabled, etc. If you transferred the system to a different partition or drive and you want to boot it, the process is as simple as updating the backup's {{ic|/etc/fstab}} and your boot loader's configuration file.

This section assumes that you backed up the system to another drive or partition, that your current boot loader is working fine, and that you want to boot from the backup as well.

=== Update the fstab ===

Without rebooting, edit the backup's [[fstab]] by commenting out or removing any existing entries. Add one entry for the partition containing the backup, for example:

UUID=''XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'' / ''ext4'' defaults 0 1

Remember to use [[Persistent block device naming|a persistent block device name]] and the proper filesystem type.

=== Update the boot loader's configuration file ===

For [[Syslinux]], all you need to do is duplicate the current entry, except pointing to a different drive or partition.

{{Tip|Instead of editing {{ic|syslinux.cfg}}, you can also temporarily edit the menu during boot. When the menu shows up, press the {{ic|Tab}} key and change the relevant entries. Partitions are counted from one, drives are counted from zero.}}

For [[GRUB]], it is recommended that you automatically [[GRUB#Generate the main configuration file|re-generate the main configuration file]]. If you want to freshly install all GRUB files to somewhere other than {{ic|/boot}}, such as {{ic|/mnt/newroot/boot}}, use the {{ic|--boot-directory}} flag.

Also verify the new menu entry in {{ic|/boot/grub/grub.cfg}}. Make sure the UUID is matching the new partition, otherwise it could still boot the old system. Find the UUID of a partition with [[lsblk]]:

$ lsblk -no NAME,UUID /dev/sd''XY''

where {{ic|/dev/sd''XY''}} is the desired partition (e.g. {{ic|/dev/sdb3}}). To list the UUIDs of partitions GRUB thinks it can boot, use ''grep'':

# grep UUID= /boot/grub/grub.cfg

=== First boot ===

Reboot the computer and select the right entry in the boot loader. This will load the system for the first time. All peripherals should be detected and the empty folders in {{ic|/}} will be populated.

Now you can re-edit {{ic|/etc/fstab}} to add the previously removed partitions and mount points.

== Snapshots and /boot partition ==

If your [[file system]] supports snapshots (e.g., [[LVM#Snapshots|LVM]] or [[Btrfs#Snapshots|Btrfs]]), these will most likely exclude the {{ic|/boot}} partition or [[ESP]].

You can copy the boot partition automatically on a kernel update to your {{ic|root}} partition with a [[pacman hook]] (make sure the hook file is owned by root):

{{hc|/etc/pacman.d/hooks/55-bootbackup_pre.hook|2=
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Path
Target = usr/lib/modules/*/vmlinuz

[Action]
Depends = rsync
Description = Backing up pre /boot...
When = PreTransaction
Exec = /usr/bin/bash -c 'rsync -a --mkpath --delete /boot/ "/.bootbackup/$(date +%Y_%m_%d_%H.%M.%S)_pre"/'
}}

{{hc|/etc/pacman.d/hooks/95-bootbackup_post.hook|2=
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Path
Target = usr/lib/modules/*/vmlinuz

[Action]
Depends = rsync
Description = Backing up post /boot...
When = PostTransaction
Exec = /usr/bin/bash -c 'rsync -a --mkpath --delete /boot/ "/.bootbackup/$(date +%Y_%m_%d_%H.%M.%S)_post"/'
}}

== Automation ==

Backups that are only manually created are rarely up to date when they are needed. Therefore it is recommended to setup an automated process to ensure backup processes are executed regularly. The most common solutions are provided by [[systemd/Timers]] and [[Cron]].

For a local system wide backup that requires read access to all files the following systemd timer and service may be useful as a template for automated backup processes.

To use a ''timer'' unit [[enable]] and [[start]] it like any other unit.

{{hc|/etc/systemd/system/backup.timer|2=
[Unit]
Description=Timer for backups

[Timer]
OnCalendar=weekly
Persistent=true
Unit=backup.service

[Install]
WantedBy=timers.target
}}

The following example is configured to run with minimal required permissions while preventing modifications from normal users for increased security.

Note that this example will block the shutdown process when it is initiated while the backup is running. This ensures that the backup is not interrupted, but can lead to a delay during shutdown/reboot if many new files need to be saved.

{{hc|/etc/systemd/system/backup.service|2=
[Unit]
Description=Backup system

[Service]
Type=simple
User=''backupuser''

AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
UMask=7007

ExecStart=/usr/local/bin/backup.sh
ExecStop=bash -c 'if [ -n "$MAINPID" ]; then tail --pid="$MAINPID" -f /dev/null; fi'
}}

{{ic|CAP_DAC_READ_SEARCH}} sets the capability that allows bypassing file read permission checks in the file system; thus all files in the file system will be accessible without requiring root permissions.

For remote backups allow the use of network protocols:

RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

MAC address spoofing

2026-05-09T09:37:04Z

Lahwaacz: /* Automatically */ move note for NetworkManager to the correct section

[[Category:Network configuration]]
[[Category:Security]]
[[de:MAC-Adresse abfragen und setzen]]
[[es:MAC address spoofing]]
[[fr:MAC address spoofing]]
[[ja:MAC アドレス偽装]]
[[pt:MAC address spoofing]]
[[ru:MAC address spoofing]]
[[zh-hans:MAC address spoofing]]
This article gives several methods to spoof a Media Access Control (MAC) address.

== Manually ==

There are two methods for spoofing a MAC address: [[install]]ing and configuring either {{Pkg|iproute2}} or {{Pkg|macchanger}}. Both of them are outlined below.

=== iproute2 ===

First, you can check your current MAC address with the command:

# ip link show ''interface''

where {{ic|''interface''}} is the name of your [[network interface]].

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev ''interface'' down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read [[Wikipedia:Organizationally unique identifier]].

To change the MAC, we need to run the command:

# ip link set dev ''interface'' address ''XX:XX:XX:XX:XX:XX''

Where any 6-byte value will suffice for {{ic|''XX:XX:XX:XX:XX:XX''}}.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev ''interface'' up

If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show ''interface''}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

=== macchanger ===

Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

[[Install]] the package {{Pkg|macchanger}}.

The spoofing is done on per-interface basis, specify [[network interface]] name as {{ic|''interface''}} in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r ''interface''

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e ''interface''

To change the MAC address to a specific value, you would run:

# macchanger --mac=''XX:XX:XX:XX:XX:XX'' ''interface''

Where {{ic|''XX:XX:XX:XX:XX:XX''}} is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p ''interface''

{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}

== Automatically ==

=== systemd-udevd ===

[[udev]] allows you to perform MAC address spoofing by creating {{man|5|systemd.link}} files or udev rules.

==== systemd.link ====

To set a static spoofed MAC address:

{{hc|/etc/systemd/network/01-mac.link|2=
[Match]
PermanentMACAddress=''original MAC''

[Link]
MACAddress=''spoofed MAC''
}}

To randomize the MAC address on every boot, set {{ic|1=MACAddressPolicy=random}} instead of {{ic|1=MACAddress=''spoofed MAC''}}.

==== udev rule ====

Use {{ic|address}} attribute to match the correct device by its original MAC address and change it using the {{ic|ip}} command:

{{hc|/etc/udev/rules.d/81-mac-spoof.rules|2=
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="''original MAC''", RUN+="/usr/bin/ip link set dev $name address ''spoofed MAC''"
}}

{{Note|udev only accepts MAC addresses in lowercase.}}

=== systemd unit ===

==== Creating unit ====

Below you find two examples of [[systemd]] units to change a MAC address at boot, one sets a static MAC using ''ip'' and one uses ''macchanger'' to assign a random MAC address. The systemd {{ic|network-pre.target}} is used to ensure the MAC is changed before a network manager like [[Netctl]] or [[NetworkManager]], [[systemd-networkd]] or [[dhcpcd]] service starts.

===== iproute2 =====

[[systemd]] unit setting a predefined MAC address:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target
</nowiki>}}

===== macchanger =====

[[systemd]] unit setting a random address while preserving the original NIC vendor bytes. Ensure that {{Pkg|macchanger}} is [[Pacman#Installing specific packages|installed]]:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target
</nowiki>}}

A full random address can be set using the {{ic|-r}} option, see [[#macchanger]].

==== Enabling service ====

Append the desired network interface to the service name (e.g. {{ic|eth0}}) and [[enable]] the service (e.g. {{ic|macspoof@eth0.service}}).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

=== netctl interfaces ===

You can use a [[Netctl#Using hooks|netctl hook]] to run a command each time a netctl profile is re-/started for a specific network interface. Replace {{ic|''interface''}} accordingly:

{{hc|/etc/netctl/interfaces/''interface''|2=
#!/usr/bin/env sh
/usr/bin/macchanger -r ''interface''}}

Make the script [[executable]].

Source: [https://web.archive.org/web/20220708111031/https://blog.akendo.eu/post/2015-01-10-archlinux-random-mac-for-new-wireless-connections/ akendo.eu (archive)]

=== NetworkManager ===

See [[NetworkManager#Configuring MAC address randomization]].

{{Note|When using iwd as a backend, [[NetworkManager]] ignores MAC spoofing options from {{ic|/etc/NetworkManager/NetworkManager.conf}} and {{ic|/etc/NetworkManager/conf.d/*}}. MAC spoofing must be set in {{ic|/etc/iwd/main.conf}} – see the [[#iwd]] section.}}

=== wpa_supplicant ===

wpa_supplicant can use random MAC address for each ESS connection(AP) (see [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] for details).

Add this to your configuration:

{{hc|/etc/wpa_supplicant/wpa_supplicant-wlan0.conf|2=
mac_addr=1
preassoc_mac_addr=1
gas_rand_mac_addr=1
}}

=== iwd ===

To randomize the MAC address when iwd starts (see {{man|5|iwd.config}} for details):

{{hc|/etc/iwd/main.conf|2=
[General]
AddressRandomization=once
AddressRandomizationRange=full
}}

Specifying {{ic|AddressRandomization}} enables control over when MAC address is randomized. If set to {{ic|disabled}} MAC is not spoofed and {{ic|AddressRandomizationRange}} is ignored. If set to {{ic|once}} MAC is assigned every time iwd is started. If set to {{ic|network}} MAC is spoofed once for each network and reused for each connection to a known network.

Specifying {{ic|AddressRandomizationRange}} enables control over which part of the address is randomized. If set to {{ic|nic}}, only the NIC specific octets (last three octets) are randomized. The permanent mac address of the network interface is used for the initial 3 octets. If set to {{ic|full}}, all six octets of the address are randomized.

== Troubleshooting ==

=== Connection to DHCPv4 network fails ===

If you cannot connect to a DHCPv4 network and you are using dhcpcd, you might need to [[Dhcpcd#Client ID|modify the dhcpcd configuration]] to obtain a lease.

== See also ==

* [[Wikipedia:MAC spoofing]]
* [https://github.com/alobbs/macchanger Macchanger GitHub page]
* [https://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more ''macchanger'' options

MAC address spoofing

2026-05-09T09:35:22Z

Lahwaacz: /* iwd */ wording, incorporate second note to the paragraph explaining the option

[[Category:Network configuration]]
[[Category:Security]]
[[de:MAC-Adresse abfragen und setzen]]
[[es:MAC address spoofing]]
[[fr:MAC address spoofing]]
[[ja:MAC アドレス偽装]]
[[pt:MAC address spoofing]]
[[ru:MAC address spoofing]]
[[zh-hans:MAC address spoofing]]
This article gives several methods to spoof a Media Access Control (MAC) address.

== Manually ==

There are two methods for spoofing a MAC address: [[install]]ing and configuring either {{Pkg|iproute2}} or {{Pkg|macchanger}}. Both of them are outlined below.

=== iproute2 ===

First, you can check your current MAC address with the command:

# ip link show ''interface''

where {{ic|''interface''}} is the name of your [[network interface]].

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev ''interface'' down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read [[Wikipedia:Organizationally unique identifier]].

To change the MAC, we need to run the command:

# ip link set dev ''interface'' address ''XX:XX:XX:XX:XX:XX''

Where any 6-byte value will suffice for {{ic|''XX:XX:XX:XX:XX:XX''}}.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev ''interface'' up

If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show ''interface''}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

=== macchanger ===

Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

[[Install]] the package {{Pkg|macchanger}}.

The spoofing is done on per-interface basis, specify [[network interface]] name as {{ic|''interface''}} in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r ''interface''

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e ''interface''

To change the MAC address to a specific value, you would run:

# macchanger --mac=''XX:XX:XX:XX:XX:XX'' ''interface''

Where {{ic|''XX:XX:XX:XX:XX:XX''}} is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p ''interface''

{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}

== Automatically ==

=== systemd-udevd ===

[[udev]] allows you to perform MAC address spoofing by creating {{man|5|systemd.link}} files or udev rules.

==== systemd.link ====

To set a static spoofed MAC address:

{{hc|/etc/systemd/network/01-mac.link|2=
[Match]
PermanentMACAddress=''original MAC''

[Link]
MACAddress=''spoofed MAC''
}}

To randomize the MAC address on every boot, set {{ic|1=MACAddressPolicy=random}} instead of {{ic|1=MACAddress=''spoofed MAC''}}.

==== udev rule ====

Use {{ic|address}} attribute to match the correct device by its original MAC address and change it using the {{ic|ip}} command:

{{hc|/etc/udev/rules.d/81-mac-spoof.rules|2=
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="''original MAC''", RUN+="/usr/bin/ip link set dev $name address ''spoofed MAC''"
}}

{{Note|udev only accepts MAC addresses in lowercase.}}

=== systemd unit ===

==== Creating unit ====

Below you find two examples of [[systemd]] units to change a MAC address at boot, one sets a static MAC using ''ip'' and one uses ''macchanger'' to assign a random MAC address. The systemd {{ic|network-pre.target}} is used to ensure the MAC is changed before a network manager like [[Netctl]] or [[NetworkManager]], [[systemd-networkd]] or [[dhcpcd]] service starts.

===== iproute2 =====

[[systemd]] unit setting a predefined MAC address:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target
</nowiki>}}

===== macchanger =====

[[systemd]] unit setting a random address while preserving the original NIC vendor bytes. Ensure that {{Pkg|macchanger}} is [[Pacman#Installing specific packages|installed]]:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target
</nowiki>}}

A full random address can be set using the {{ic|-r}} option, see [[#macchanger]].

==== Enabling service ====

Append the desired network interface to the service name (e.g. {{ic|eth0}}) and [[enable]] the service (e.g. {{ic|macspoof@eth0.service}}).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

=== netctl interfaces ===

You can use a [[Netctl#Using hooks|netctl hook]] to run a command each time a netctl profile is re-/started for a specific network interface. Replace {{ic|''interface''}} accordingly:

{{hc|/etc/netctl/interfaces/''interface''|2=
#!/usr/bin/env sh
/usr/bin/macchanger -r ''interface''}}

Make the script [[executable]].

Source: [https://web.archive.org/web/20220708111031/https://blog.akendo.eu/post/2015-01-10-archlinux-random-mac-for-new-wireless-connections/ akendo.eu (archive)]

=== NetworkManager ===

See [[NetworkManager#Configuring MAC address randomization]].

=== wpa_supplicant ===

wpa_supplicant can use random MAC address for each ESS connection(AP) (see [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] for details).

Add this to your configuration:

{{hc|/etc/wpa_supplicant/wpa_supplicant-wlan0.conf|2=
mac_addr=1
preassoc_mac_addr=1
gas_rand_mac_addr=1
}}

=== iwd ===

To randomize the MAC address when iwd starts (see {{man|5|iwd.config}} for details):

{{hc|/etc/iwd/main.conf|2=
[General]
AddressRandomization=once
AddressRandomizationRange=full
}}

Specifying {{ic|AddressRandomization}} enables control over when MAC address is randomized. If set to {{ic|disabled}} MAC is not spoofed and {{ic|AddressRandomizationRange}} is ignored. If set to {{ic|once}} MAC is assigned every time iwd is started. If set to {{ic|network}} MAC is spoofed once for each network and reused for each connection to a known network.

Specifying {{ic|AddressRandomizationRange}} enables control over which part of the address is randomized. If set to {{ic|nic}}, only the NIC specific octets (last three octets) are randomized. The permanent mac address of the network interface is used for the initial 3 octets. If set to {{ic|full}}, all six octets of the address are randomized.

{{Note|When using iwd as a backend, [[NetworkManager]] ignores MAC spoofing options from {{ic|/etc/NetworkManager/NetworkManager.conf}} and {{ic|/etc/NetworkManager/conf.d/*}}. MAC spoofing must be set in {{ic|/etc/iwd/main.conf}}.}}

== Troubleshooting ==

=== Connection to DHCPv4 network fails ===

If you cannot connect to a DHCPv4 network and you are using dhcpcd, you might need to [[Dhcpcd#Client ID|modify the dhcpcd configuration]] to obtain a lease.

== See also ==

* [[Wikipedia:MAC spoofing]]
* [https://github.com/alobbs/macchanger Macchanger GitHub page]
* [https://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more ''macchanger'' options

MAC address spoofing

2026-05-09T09:29:30Z

Lahwaacz: /* iwd */ style

[[Category:Network configuration]]
[[Category:Security]]
[[de:MAC-Adresse abfragen und setzen]]
[[es:MAC address spoofing]]
[[fr:MAC address spoofing]]
[[ja:MAC アドレス偽装]]
[[pt:MAC address spoofing]]
[[ru:MAC address spoofing]]
[[zh-hans:MAC address spoofing]]
This article gives several methods to spoof a Media Access Control (MAC) address.

== Manually ==

There are two methods for spoofing a MAC address: [[install]]ing and configuring either {{Pkg|iproute2}} or {{Pkg|macchanger}}. Both of them are outlined below.

=== iproute2 ===

First, you can check your current MAC address with the command:

# ip link show ''interface''

where {{ic|''interface''}} is the name of your [[network interface]].

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev ''interface'' down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read [[Wikipedia:Organizationally unique identifier]].

To change the MAC, we need to run the command:

# ip link set dev ''interface'' address ''XX:XX:XX:XX:XX:XX''

Where any 6-byte value will suffice for {{ic|''XX:XX:XX:XX:XX:XX''}}.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev ''interface'' up

If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show ''interface''}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

=== macchanger ===

Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

[[Install]] the package {{Pkg|macchanger}}.

The spoofing is done on per-interface basis, specify [[network interface]] name as {{ic|''interface''}} in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r ''interface''

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e ''interface''

To change the MAC address to a specific value, you would run:

# macchanger --mac=''XX:XX:XX:XX:XX:XX'' ''interface''

Where {{ic|''XX:XX:XX:XX:XX:XX''}} is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p ''interface''

{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}

== Automatically ==

=== systemd-udevd ===

[[udev]] allows you to perform MAC address spoofing by creating {{man|5|systemd.link}} files or udev rules.

==== systemd.link ====

To set a static spoofed MAC address:

{{hc|/etc/systemd/network/01-mac.link|2=
[Match]
PermanentMACAddress=''original MAC''

[Link]
MACAddress=''spoofed MAC''
}}

To randomize the MAC address on every boot, set {{ic|1=MACAddressPolicy=random}} instead of {{ic|1=MACAddress=''spoofed MAC''}}.

==== udev rule ====

Use {{ic|address}} attribute to match the correct device by its original MAC address and change it using the {{ic|ip}} command:

{{hc|/etc/udev/rules.d/81-mac-spoof.rules|2=
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="''original MAC''", RUN+="/usr/bin/ip link set dev $name address ''spoofed MAC''"
}}

{{Note|udev only accepts MAC addresses in lowercase.}}

=== systemd unit ===

==== Creating unit ====

Below you find two examples of [[systemd]] units to change a MAC address at boot, one sets a static MAC using ''ip'' and one uses ''macchanger'' to assign a random MAC address. The systemd {{ic|network-pre.target}} is used to ensure the MAC is changed before a network manager like [[Netctl]] or [[NetworkManager]], [[systemd-networkd]] or [[dhcpcd]] service starts.

===== iproute2 =====

[[systemd]] unit setting a predefined MAC address:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target
</nowiki>}}

===== macchanger =====

[[systemd]] unit setting a random address while preserving the original NIC vendor bytes. Ensure that {{Pkg|macchanger}} is [[Pacman#Installing specific packages|installed]]:

{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target
</nowiki>}}

A full random address can be set using the {{ic|-r}} option, see [[#macchanger]].

==== Enabling service ====

Append the desired network interface to the service name (e.g. {{ic|eth0}}) and [[enable]] the service (e.g. {{ic|macspoof@eth0.service}}).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

=== netctl interfaces ===

You can use a [[Netctl#Using hooks|netctl hook]] to run a command each time a netctl profile is re-/started for a specific network interface. Replace {{ic|''interface''}} accordingly:

{{hc|/etc/netctl/interfaces/''interface''|2=
#!/usr/bin/env sh
/usr/bin/macchanger -r ''interface''}}

Make the script [[executable]].

Source: [https://web.archive.org/web/20220708111031/https://blog.akendo.eu/post/2015-01-10-archlinux-random-mac-for-new-wireless-connections/ akendo.eu (archive)]

=== NetworkManager ===

See [[NetworkManager#Configuring MAC address randomization]].

=== wpa_supplicant ===

wpa_supplicant can use random MAC address for each ESS connection(AP) (see [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] for details).

Add this to your configuration:

{{hc|/etc/wpa_supplicant/wpa_supplicant-wlan0.conf|2=
mac_addr=1
preassoc_mac_addr=1
gas_rand_mac_addr=1
}}

=== iwd ===

To randomize the MAC address when iwd starts (see {{man|5|iwd.config}} for details):

{{hc|/etc/iwd/main.conf|2=
[General]
AddressRandomization=once
AddressRandomizationRange=full
}}

Specifying {{ic|AddressRandomization}} enables control over when MAC address is randomized. If set to {{ic|disabled}} MAC is not spoofed and {{ic|AddressRandomizationRange}} is ignored. If set to {{ic|once}} MAC is assigned every time iwd is started. If set to {{ic|network}} MAC is spoofed once for each new unique network connection.

Specifying {{ic|AddressRandomizationRange}} enables control over which part of the address is randomized. If set to {{ic|nic}}, only the NIC specific octets (last three octets) are randomized. The permanent mac address of the network interface is used for the initial 3 octets. If set to {{ic|full}}, all six octets of the address are randomized.

{{Note|
* When using iwd as a backend iwd ignores MAC spoofing configs, like NetworkManager from {{ic|/etc/NetworkManager/NetworkManager.conf}} and {{ic|/etc/NetworkManager/conf.d/*}}. MAC spoofing must be set from {{ic|/etc/iwd/main.conf}}
* The {{ic|1=AddressRandomization=network}} reuses spoofed MAC on reconnection to a network. It does not create a unique spoof for an existing known network. It may be better to use {{ic|once}} and [[restart]] iwd as per your needs.
}}

== Troubleshooting ==

=== Connection to DHCPv4 network fails ===

If you cannot connect to a DHCPv4 network and you are using dhcpcd, you might need to [[Dhcpcd#Client ID|modify the dhcpcd configuration]] to obtain a lease.

== See also ==

* [[Wikipedia:MAC spoofing]]
* [https://github.com/alobbs/macchanger Macchanger GitHub page]
* [https://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more ''macchanger'' options

Headless

2026-05-09T09:22:57Z

Lahwaacz: Undo revision 873323 by Aurabert (talk) - bad formatting + do not make complex edits at once

[[Category:Remote desktop]]
{{Related articles start}}
{{Related|Xorg}}
{{Related|Wayland}}
{{Related|xrandr}}
{{Related|Multihead}}
{{Related|OpenSSH}}
{{Related articles end}}

{{Move|Remote desktop|The page is not about "headless" systems, but about setting up remote desktop.}}

A '''headless''' computer is one which does not have a connected monitor. This is common for servers or remote systems where you would access the system over the network. This article describes different methods for how to set up a headless server that can provide a GUI desktop over the network.

{{Note|The terms used in this article are very specific to avoid confusion:
* '''Monitor''' refers to a '''physical''' display device, such as an LCD panel.
* '''Screen''' refers to an X-Window screen (a virtual screen for remote desktop).
* '''Server''' refers to the remote computer you want to access.
* '''Client''' refers the computer where you are physically at.
}}

== Some common tools ==

These are some of the existing tools available to solve the headless remote desktop problem. Some of these tools are used in the Solutions chapter later on.

=== VNC remote desktop client + server ===

Old but very common remote desktop technology. Common on Linux. This is desktop oriented and usually shows a pixel perfect copy of the server desktop. VNC will usually only send updates over the network to the client if something changes on screen.

=== RDP remote desktop client + server ===

Similar to VNC but more common on Windows. RDP is very similar in use case and technology to VNC but has more functionalty.

=== Sunshine server + Moonlight client ===

A "game streaming"-oriented solution that works well also for remote desktops. This solution will continuously send a video stream from the server to the client. Since video compression is not directly suited for pixel perfect replication it will sometimes show a picture with slight artifacts.
[https://docs.lizardbyte.dev/projects/sunshine/latest/index.html Sunshine] is the server software and [https://moonlight-stream.org/ Moonlight] is the client application. Since this solution streams at a very low level from the server it is compatible with both X and Wayland and works most GPUs. Some drawbacks of this solution is 1) it uses multiple ports and protocols and is therefore more difficult to tunnel over the internet than RDP and VNC and 2) uses more network bandwidth than RDP and VNC.

=== Rustdesk, Anydesk ===

[https://rustdesk.com/ Rustdesk] and [https://anydesk.com/en Anydesk] have nonstandard protocols so therefore provide both the client and server software. They are still a bit immature on Wayland.

=== Network KVMs ===

This is a hardware unit connected to the server, both to the display port and a USB port. This will emulate a monitor and keyboard+mouse and present this to the client (usually via a web page). The main drawback is that the picture quality is sometimes not very good and the picture resolution is limited, of course depending on KVM solution. For more enterprise grade servers, the network KVM is usually built into the server (e.g. HP ILO or Dell IDRAC).

=== Monitor dummy plug ===

A dummy plug is a plug that is inserted into the display port or hdmi ports on the server. It acts as a monitor to the GPU. The sole purpose is to trick the GPU into thinking it is connected to a monitor. That is sometimes required before the GPU will display something, like for example a desktop GUI. The benefit is that you can mirror the screen via some remote desktop solution but the drawback is that you can no longer see the output of the monitor so troubleshooting is sometimes tricky. If you want to search the Internet for a plug to purchase, search for "hdmi plug" or "display port plug", possibly also adding "virtual display adapter".

=== Virtual display ===

Virtual displays can be created using the [https://docs.kernel.org/gpu/vkms.html VKMS] (Virtual Kernel Mode Setting) or [[Displaylink|EVDI]] (Extensible Virtual Display Interface) kernel modules. They emulate DRM devices, allowing Xorg or Wayland to treat them as physical outputs.

=== Other tools ===

See [[List of applications/Internet#Remote desktop|List of applications/Internet Remote desktop]].

== Common problems ==

When trying to set up a remote desktop, some problems are usually encountered. We note them here for information.

=== A monitor needs to be connected and turned on ===

Most remote desktop solutions will mirror whatever is on the monitor over the network to the client. This will however require that a monitor is connected and turned on, otherwise the GPU driver will often refuse to allow the desktop to start. A monitor that is turned on will also consume unnecessary power.

=== Resizing desktop to client window does not work ===

Most remote desktop solutions do not support resizing of the remote desktop to fit the client window. As a fallback, it is often possible to change the resolution of the desktop.

=== Keys do not present correctly ===

Pressing keys on the client keyboard will cause the wrong characters on screen. This is a complex problem and involves both the client and server desktops, as well as the remote desktop software used. Can be solved, but may require some trial and error to find the right combination.

=== Slow screen updates ===

Some solutions are slower than others. It is necessary to try multiple solutions to find a good solution to this problem.

=== GPU acceleration not used ===

Some solutions will fall back to SW driven GUI for the desktop. That may not be a performance problem but may cause problems running some 3D software that require some features that are not emulated in the SW graphics pipeline.

=== High CPU usage ===

Something to watch out for is high CPU usage, both in use and when idling and both on server and client. Game streaming solutions seem to have less focus on low power usage.

== Solutions ==

This chapter contains solutions for how to build a remote desktop solution to a headless server with the following requirements:

# Fully headless. No monitor or monitor plug required.
# Desktop resize supported. Should resize to size of client window.
# Low CPU usage.
# GPU accelerated.

=== Labwc/sway/wayfire with wayvnc ===

This solution does not mirror the desktop shown on a physical monitor. Instead a fully virtual monitor is used. The requirements above are fulfilled.

# Install [[labwc]] on the server. This probably works also for any other desktop based on wlroots. Known to also work are sway or wayfire.
# Install {{AUR|wayvnc-git}} on the server.
# Use the following example script to start the desktop with labwc:

#!/bin/bash
# Example script to start a headless desktop + VNC server
export WLR_BACKENDS=headless
export WLR_LIBINPUT_NO_DEVICES=1
#export WLR_RENDER_DRM_DEVICE=/dev/dri/renderD128 # Only needed for wayfire
labwc >& labwc.log &
sleep 5
export WAYLAND_DISPLAY=wayland-0 # change to wayland-1 for other than labwc
wayvnc 0.0.0.0 >& wayvnc.log &

Use the [[TigerVNC]] client to access the remote desktop. This VNC client supports proper window resizing.

=== GNOME ===

Gnome can be started in headless mode according to [https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1698 this link].

=== KDE ===

For X11, this can be achieved by using TigerVNC both for the client and server. For Wayland, no method has yet been found.

=== Custom EDID file ===

{{Accuracy|A "headless" computer is one which does not have a connected monitor. Tricking the system to think that a monitor is connected is not "headless". Why is this necessary?}}

A custom EDID (Extended Display Identification Data) file can be added via a [[kernel parameter]] to trick the system that there is a monitor plugged in even though there is not any present nor physically plugged in.[https://www.azdanov.dev/articles/2025/how-to-create-a-virtual-display-for-sunshine-on-arch-linux]. This can be used to save money from buying dummy plugs and allow for resolutions that normal dummy plugs would not support (such as 3440x1440). Premade EDID files can be acquired [https://git.linuxtv.org/v4l-utils.git/tree/utils/edid-decode/data here]

Once you have downloaded an EDID file that has what you need, you will then have to create a directory for the file. After making the directory, move or copy the EDID file to the directory.
{{bc|# mkdir -p /usr/lib/firmware/edid
# mv samsung-q800t-hdmi2.1 /usr/lib/firmware/edid/}}

The outputs on your GPU must be identified and a free output must be available, replacing {{ic|HDMI-A-1}} in the next step with the appropriate output.
{{hc|$ for p in /sys/class/drm/*/status; do con{{=}}${p%/status}; echo -n "${con#*/card?-}: "; cat $p; done|
DP-1: disconnected
HDMI-A-1: disconnected
VGA-1: disconnected}}

Add the following [[kernel parameters]] afterwards
{{bc|drm.edid_firmware{{=}}HDMI-A-1:edid/samsung-q800t-hdmi2.1 video{{=}}HDMI-A-1:e}}

Update your initial image creator's config to include the EDID file. This one is for [[mkinitcpio]]'s {{ic|mkinitcpio.conf}}.
{{bc|FILES{{=}}(/usr/lib/firmware/edid/samsung-q800t-hdmi2.1)}}

Afterwards, regenerate the [[initramfs]]

=== VKMS ===

This example shows how to run KDE Wayland and Sunshine, but other options are possible.

Virtual Kernel Mode Setting ([https://docs.kernel.org/gpu/vkms.html VKMS]) is a software-only KMS driver that allows for a virtual display output without physical hardware connected.

Load the {{ic|vkms}} [[Kernel module|kernel module]]. Enabling the virtual cursor is often necessary for remote desktop applications.

{{bc|# modprobe vkms enable_cursor{{=}}1}}

Identify which card corresponds to your physical GPU and which corresponds to VKMS:

{{bc|$ ls -l /sys/class/drm/card*/device/driver}}

KDE compositor can use the [[KDE#Method_2:_KWIN_DRM_DEVICES_(KWin-specific)|KWIN_DRM_DEVICES]] environment variable to split rendering and output responsibilities.

{{bc|export XDG_SESSION_TYPE{{=}}wayland
export KWIN_FORCE_SW_CURSOR{{=}}1
# Example: Render on Intel (card1), Output to VKMS (card2)
export KWIN_DRM_DEVICES{{=}}/dev/dri/card1:/dev/dri/card2

# Start KDE
dbus-run-session startplasma-wayland &
sleep 5

# Start Sunshine
sunshine &}}

=== EVDI ===

This method uses [[DisplayLink|evdi]] to create a virtual connector and {{ic|Xorg}} with the {{ic|modesetting}} driver to simulate a physical display.

{{Note|While functional, this {{ic|evdi}} method is a proof of concept compared to the VKMS approach.}}

Install {{AUR|evdi-dkms}} and load the module.

{{bc|# modprobe evdi initial_device_count{{=}}1}}

Define a virtual device and monitor. Use {{ic|lspci -nnd ::03xx}} to find GPU's BusID (e.g., {{ic|00:02.0}} becomes {{ic|PCI:0:2:0}}).

{{hc|/etc/X11/xorg.conf.d/20-evdi.conf|
Section "Device"
Identifier "gpu"
Driver "modesetting"
BusID "PCI:0:2:0"
EndSection

Section "Monitor"
Identifier "VirtualMonitor"
Option "Enable" "true"
EndSection

Section "Screen"
Identifier "Default Screen"
Device "gpu"
Monitor "VirtualMonitor"
DefaultDepth 24
SubSection "Display"
Modes "1920x1080"
EndSubSection
EndSection}}

Start Xorg in the background.

{{bc|# Xorg :0 -noreset -novtswitch -sharevts +extension MIT-SHM &
$ export DISPLAY{{=}}:0}}

Use {{ic|cvt}} to generate a valid modeline for your desired resolution.

{{bc|$ cvt 1920 1080 60}}

Use the output from the {{ic|cvt}} command to define the new mode. Your output device name, e.g., DVI-I-1-1, may vary; check {{ic|xrandr --listmonitors}}).

{{bc|$ xrandr --newmode "1920x1080_60.00" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync
$ xrandr --addmode DVI-I-1-1 "1920x1080_60.00"
$ xrandr --output DVI-I-1-1 --mode "1920x1080_60.00"}}

Start your Desktop Environment and the streaming server.

{{bc|$ startplasma-x11 &
$ sunshine &}}

Python

2026-05-08T07:49:05Z

Lahwaacz: /* Other versions */ this should not be imperative, connecting to previous sentence makes it clearer that it can coexist with the AUR packages

WebAuthn

2026-05-08T07:29:51Z

Lahwaacz: /* Authenticators and Tools */ style

[[Category:Authentication]]
[[ja:WebAuthn]]
{{Related articles start}}
{{Related|Universal 2nd Factor}}
{{Related|Security}}
{{Related articles end}}

[[Wikipedia:WebAuthn|Web Authentication (WebAuthn)]] is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

Similar to legacy U2F, Web Authentication is resilient to verifier impersonation, that is, it is resistant to active man-in-the-middle-attacks, but unlike U2F, WebAuthn does not require a traditional password. Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine. [[Wikipedia:Passkey|Passkey]] is another term used by some vendors to refer to WebAuthn or FIDO credentials.

== FIDO2 vs U2F ==

FIDO2 is the successor of the FIDO Universal 2nd Factor [[U2F]] legacy protocol. FIDO2 authentication has all the advantages of U2F—the primary difference is that a FIDO2 authenticator can also be a single-factor (passwordless) authenticator. The U2F protocol is designed to act as a second factor to strengthen existing username/password-based login flows.

== Authentication for websites ==

WebAuthn/FIDO2 is supported by major sites like Google, Facebook, Twitter, or GitHub. See https://www.dongleauth.com/ to find other websites and links to setup documentation. Major sites offer different WebAuthn variants but may first offer Passkeys authentication, since that allows to transiently synchronize credentials to a cloud-based account instead of relying on a separate hardware authenticator or password manager.

Modern browsers like Firefox and Chromium support WebAuthn authentication standalone, additional dependencies are not required.

For a demo site to test the WebAuthn authentication process, see https://webauthn.io/.

== Local Linux authentication (PAM) ==

For using U2F authentication see [[U2F]].

=== Using a FIDO2 authenticator for local login ===

The FIDO2 specification includes an extension called HMAC Secret Extension (hmac-secret), which allows the secure use of a shared secret stored on the authenticator for local authentication.

One of the easiest ways to setup the local authentication process with FIDO2 is through the use of
[[systemd-homed]] and the setup options of [[systemd-homed#Setup user with FIDO2 hmac-secret for authentication and encryption|homectl]].

== Authenticators and tools ==

=== Using TPM as a FIDO device ===

To use [[TPM]] as a FIDO device, install {{AUR|tpm-fido-git}}. This is useful for testing or if you do not have a FIDO key. Alternatives include {{AUR|linux-id}}, a fork of the original ''tpm-fido'', and {{AUR|passkeyd}}.

=== Software-based authenticators (without TPM) ===

For software based authenticator, {{AUR|passkeyd}} and {{AUR|passkeez}} are available.

== Support ==

* [[Chromium]]: supported since v70
* [[Firefox]]: supported since v60
* {{Pkg|bitwarden}}: the web extension {{AUR|firefox-extension-bitwarden-bin}}, {{AUR|bitwarden-chromium}} enables saving passkeys directly in the vault without the need for a security key.
* [[KeePassXC]]
* [[pass]] with {{AUR|passless}}

== See also ==

* https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html
* https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension
* [https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/ Passkeys: a shattered dream]

Llama.cpp

2026-05-07T05:11:26Z

Lahwaacz: /* Installation */ avoid note

[[Category:Development]]
[[Category:Graphics]]

{{Related articles start}}
{{Related|Vulkan}}
{{Related|General-purpose computing on graphics processing units}}
{{Related|Ollama}}
{{Related articles end}}

LLM inference in C/C++.

== Installation ==

llama.cpp is available in the [[AUR]]:

* [[Install]] {{AUR|llama.cpp}} for CPU inference.
* [[Install]] {{AUR|llama.cpp-vulkan}} for GPU inference. Ensure you have the appropriate [[Vulkan]] driver installed.
* [[Install]] {{AUR|llama.cpp-cuda}} for inference with [[CUDA]].
* [[Install]] {{AUR|llama.cpp-hip}} for inference with [[ROCm]].

== Usage ==

Primary executors are {{ic|llama-cli}} and {{ic|llama-server}}.

=== llama-cli ===

{{ic|llama-cli}} is the command-line executor:

$ llama-cli -m ''model.gguf''

=== llama-server ===

{{ic|llama-server}} launches an API server with a built-in WebUI:

$ llama-server --host ''address'' --port ''port'' -m ''model.gguf''

== Obtaining models ==

llama.cpp uses models in the GGUF format.

=== Download from Hugging Face ===

Download models from [https://huggingface.co Hugging Face] using the {{ic|-hf}} flag:

$ llama-cli -hf ''org/model''

{{Warning|This may overwrite an existing model file without prompting.}}

=== Manual download ===

Manually download models using {{Pkg|wget}} or {{Pkg|curl}}:

$ wget -c ''model.gguf''

== Tips and tricks ==

=== Model quantization ===

Quantization lowers model precision to reduce memory usage.

GGUF models use suffixes to indicate quantization level. Generally, lower numbers (e.g. '''Q4''') use less memory but may reduce quality compared to higher numbers (e.g. '''Q8''').

=== Knowledge distillation ===

Knowledge distillation compresses a larger model into a smaller model by training the smaller model to follow the behaviors of the larger model.

Typically, GGUF models indicate knowledge distillation using the {{ic|student-teacher-distill}} denotation, where:

* {{ic|student}} represents the smaller model.
* {{ic|teacher}} represents the larger model.

=== Specifying context size ===

llama.cpp loads the context size from the model by default, and it allocates memory for the whole context window.

Specify a lower context size in case you run out of memory.

$ llama-cli -c ''32000'' -m ''model.gguf''

=== Key-value cache quantization ===

For further memory efficiency, you can quantize the key-value cache.

$ llama-cli -ctk ''q8_0'' -ctv ''q8_0'' -m ''model.gguf''

This, combined with a lower context size, can significantly reduce memory usage.

{{Note|
* Aggressive quantization on '''keys''' reduces quality noticeably.
* Aggressive quantization on '''values''' is usually better tolerated, but still risks degradation.
}}

=== Agent system ===

While llama-server runs a WebUI, the same endpoint also operates as an OpenAI-compatible server. It can be configured to use with coding agents like {{Pkg|opencode}} and {{Pkg|qwen-code}}.

Also, recent updates have introduced built-in agent capabilities.

==== Built-in tools ====

To enable built-in tools for filesystem operations and shell access, start llama-server with:

$ llama-server --tools all -m ''model.gguf''

This, combined with a reasonably strong reasoning model, can be considered as a minimal coding agent running in browser.

{{Warning|
Be very aware, that all interactions are submitted to the operating system on the behalf of whoever is running llama-server. '''At no time''' should llama-server be exposed to the network and/or running as root with built-in tools enabled!
}}

==== Model Context Protocol servers ====

Other tools (e.g. search, fetch) can be added to the WebUI, given that the tools are served as MCP endpoints.

=== Monitoring GPU utilization ===

See [[Graphics processing unit#Monitoring]].

== Troubleshooting ==

=== MCP requests denied by CORS policy ===

To use the WebUI with an MCP endpoint hosted online, enable MCP CORS proxy:

$ llama-server ''--webui-mcp-proxy'' -m ''model.gguf''

== See also ==

* [https://github.com/ggml-org/llama.cpp Upstream GitHub repository]
* [https://github.com/ggml-org/llama.cpp/discussions/16938 Upstream guide: using the new WebUI of llama.cpp]
* [https://github.com/ggml-org/llama.cpp/discussions/15396 Upstream guide: running gpt-oss with llama.cpp]

Tor

2026-05-03T08:21:37Z

Lahwaacz: /* Web browsing */ wording

[[Category:Anonymity networks]]
[[de:Tor]]
[[ja:Tor]]
[[ru:Tor]]
[[zh-hans:Tor]]
{{Related articles start}}
{{Related|GNUnet}}
{{Related|I2P}}
{{Related|Freenet}}
{{Related articles end}}
The [https://www.torproject.org Tor Project] (''T''he ''o''nion ''r''outing) is an open source implementation of [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:Internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.

Users of the Tor network run an onion proxy software on their machines, which presents a SOCKS interface to its clients. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring forward secrecy between routers.

Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off is that using Tor can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network). See [[Wikipedia:Tor (anonymity network)]] for more information.

{{Note|Tor by itself is '''not''' all you need to maintain anonymity. There are several major pitfalls to watch out for (see [https://support.torproject.org/tor-browser/security/using-tb-safely/ Tor Browser best practices]).}}

== Installation ==

[[Install]] the {{Pkg|torbrowser-launcher}} package to use the [https://www.torproject.org/download/ Tor Browser], which is the only supported way to browse the web anonymously using Tor.

Users intending to manually use Tor with other software, [https://community.torproject.org/relay/ run relays], or [https://community.torproject.org/onion-services/ host onion services] should install the {{Pkg|tor}} package. The majority of this article covers this usage.

''Nyx'' is a command line monitor for Tor, it provides bandwidth usage, connection details and on-the-fly configuration editing. To use it, [[install]] the {{Pkg|nyx}} package.

== Usage ==

[[Start/enable]] {{ic|tor.service}}. Alternatively, launch it manually as the {{ic|tor}} user:

[tor]$ /usr/bin/tor

{{Tip|Tor Browser [https://tor.stackexchange.com/questions/24105/is-tor-system-service-required-for-browsing/24106#24106 runs its own Tor instance], so there is no need to enable {{ic|tor.service}} to use it.}}

To use a program over Tor, configure it to use {{ic|127.0.0.1}} or {{ic|localhost}} as a SOCKS5 proxy, with port {{ic|9050}} for plain Tor with standard settings.

{{Tip|If multiple entries are present, Tor will perform stream isolation between listeners by default.}}

The proxy supports remote DNS resolution: use {{ic|socks5'''h'''://localhost:9050}} for DNS resolution from the exit node (instead of {{ic|socks5}} for a local DNS resolution).

To check if Tor is functioning properly, visit https://check.torproject.org/ with Tor Browser or [[CURL]]:

$ curl -x socks5h://localhost:9050 -s https://check.torproject.org

== Configuration ==

Tor reads its configurations from the file {{ic|/etc/tor/torrc}} by default, or if the latter is not found, from {{ic|$HOME/.torrc}}. The configuration options are explained in {{man|1|tor}}.

Drop-in files are supported by enabling:
{{hc|/etc/tor/torrc|
%include /etc/torrc.d/*.conf}}

To reload the configuration after a change, [[reload]] {{ic|tor.service}}.

=== Tor ControlPort ===

Some programs may require access to your ''Tor ControlPort'' to gain low-level control over your Tor node.

The {{ic|ControlPort}} allows other programs to monitor and modify your Tor node's configuration while it is running, or get details about the status of the Tor network and its circuits.

To enable it, add to your {{ic|torrc}}:

ControlPort 9051

From [https://spec.torproject.org/control-spec/protocol-outline.html The Tor Control Protocol]:

: For security, the stream (''T''or ''C''ontrol) should not be accessible by untrusted parties.

To enhance security, restrict access to the {{ic|ControlPort}} using a ''cookie file'', ''control password'', or both.

{{Warning|Only grant the password or cookie access to trusted processes and users, as they can be used to modify any configuration options of the service.}}

==== Nyx ====

Assuming the {{ic|ControlPort 9051}} is set in {{ic|torrc}}, you can start {{Pkg|nyx}} by running:

$ nyx

To watch Tor connections in nyx [https://nyx.torproject.org/#no_connections], add to your {{ic|torrc}}:

DisableDebuggerAttachment 0

{{Note|It is not recommended to run {{ic|nyx}} unrestricted. Follow [[#Set a Tor Control cookie file]] and/or [[#Set a Tor Control password]].}}

==== Set a Tor Control cookie file ====

Add to your {{ic|torrc}}:

{{bc|
CookieAuthentication 1
CookieAuthFile /var/lib/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
}}

[[Restart]] {{ic|tor.service}} to apply the change.

Enabling {{ic|CookieAuthentication}} restricts access to the {{ic|ControlPort}} by enforcing file permissions on the Tor cookie file and the Tor data directory.

Add users to the {{ic|tor}} [[user group]] to give them access to the Tor cookie file.

You can use this command to check the permissions:

{{hc|$ stat -c%a /var/lib/tor /var/lib/tor/control_auth_cookie|
750
640}}

==== Set a Tor Control password ====

Convert your password from plaintext to hash:

{{bc|
$ set +o history # unset bash history
$ tor --hash-password '<nowiki/>''your_password''<nowiki/>'
$ set -o history # set bash history
}}

Add the generated hash to your {{ic|torrc}}:

HashedControlPassword ''your_hash''

{{Note|The bash history commands prevent your cleartext password from being written to your bash {{ic|$HISTFILE}}.}}

==== Open Tor ControlSocket ====

If a program requires access to your Tor {{ic|ControlSocket}}, such as a [[Wikipedia:Unix_domain_socket|Unix domain Socket]], add the following to your {{ic|torrc}}:

{{bc|
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
DataDirectoryGroupReadable 1
}}

Add the user who will run the program to the {{ic|tor}} [[user group]].

[[Restart]] {{ic|tor.service}} and relaunch the program.

To verify the {{ic|ControlSocket}} permissions:

{{hc|$ stat -c%a /var/lib/tor /var/lib/tor/control_socket|
750
660}}

==== Testing ====

To test your {{ic|ControlPort}}, run {{Pkg|openbsd-netcat}} with:

$ echo -e 'PROTOCOLINFO\r\n' | nc 127.0.0.1 9051

To test your {{ic|ControlSocket}}, run {{Pkg|socat}} with:

$ echo -e 'PROTOCOLINFO\r\n' | socat - UNIX-CLIENT:/var/lib/tor/control_socket

Both commands should print:

{{bc|1=
250-PROTOCOLINFO 1
250-AUTH METHODS=COOKIE,SAFECOOKIE,HASHEDPASSWORD COOKIEFILE="/var/lib/tor/control_auth_cookie"
250-VERSION Tor="0.4.8.12"
250 OK
514 Authentication required.
}}

See [https://spec.torproject.org/control-spec/commands.html The Tor Control Protocol] for more commands.

== Web browsing ==

The only way to browse anonymously is with the supported ''Tor Browser'', which uses a patched version of [[Firefox]]. It can be installed with the {{Pkg|torbrowser-launcher}} package and launched from the terminal by the ''torbrowser-launcher'' command.

{{Note|While Tor can be used with regular browsers, it is not recommended. Even in "private browsing" mode, factors such as [https://support.torproject.org/glossary/#browser-fingerprinting fingerprinting], [https://support.torproject.org/glossary/#add-on-extension-or-plugin plugins], and DNS leaks may reveal your IP address or identity. [https://support.torproject.org/#tbb_tbb-9]}}

== HTTP proxy ==

Tor offers a built-in tunneled HTTP proxy and can also be used with an HTTP proxy like [[Privoxy]]; however, using the SOCKS5 library is generally recommended.

=== Tor ===

Add following line to your {{ic|torrc}} file to set port {{ic|8118}} on your {{ic|localhost}} as HTTP proxy:

HTTPTunnelPort 127.0.0.1:8118

Refer to [https://2019.www.torproject.org/docs/tor-manual.html.en#HTTPTunnelPort Tor manual] for further information.

=== Firefox ===

The [https://addons.mozilla.org/firefox/addon/smartproxy/ SmartProxy] or [https://addons.mozilla.org/firefox/addon/foxyproxy-standard/ FoxyProxy] add-ons allow you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Privoxy]] are running. These settings can be access under ''Add > Standard proxy type''. Select a proxy label (e.g Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.

=== Privoxy ===

You can also use this setup in other applications like messaging (e.g. [[Jabber]], [[IRC client]]s). Applications that support HTTP proxies you can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.

== Instant messaging ==

In order to use an instant messaging client with tor, we do not need an HTTP proxy like [[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.

=== Pidgin ===

{{Move|Pidgin|Instant messaging clients should document Tor usage on their respective pages, to avoid cluttering this page.}}

You can set up [[Pidgin]] to use Tor globally, or per account. To use Tor globally, go to ''Tools -> Preferences -> Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:

Proxy type: SOCKS 5
Host: 127.0.0.1
Port: 9050

== Pacman ==

[[Pacman]] download operations (repository databases, packages, and public keys) can be done using the Tor network.

Advantages:
* Attackers monitoring your Internet connection and specifically targeting your machine can no longer observe its updates. This makes it difficult for them to deduce which packages you have installed, their versions, or your update frequency. However, they can still learn the software and versions you use by other means, such as watching packets from your HTTP server or probing the machine, which reveals the installed HTTP server and its version.
* If a mirror is not an onion service, a malicious exit relay in your Tor circuit may watch your updates and decide to attack you, but it is unlikely to deanonymize you.
* Attackers trying to prevent your machine from getting security fixes by making it believe there are no new updates will have a harder time, as they cannot target your machine specifically.

Disadvantages:
* Longer update times due to longer latency and lower throughput. This can pose a big security risk if updates need to be applied as quickly as possible, especially on machines directly connected to the Internet. That is the case when there is a major security flaw that is easy to probe and exploit, and attackers have already begun targeting as many systems as they can before those systems are updated.

Reliability with Tor:
* You no longer need a working DNS.
* You depend on the Tor network and the exit nodes not blocking the updates.
* You rely on the Tor daemon to work properly. The Tor daemon may not work if there is insufficient disk space available. "Reserved blocks gid:" in ext4, quotas, or other means can fix that.
* If you are in a country where Tor is blocked, or if there are very few or no Tor users, you should use bridges.

Note on GPG:
On stock Arch, pacman only trust keys which are either signed by you (that can be done with {{ic|pacman-key --lsign-key}}) or signed by 3 of 5 Arch master keys. If a malicious exit node replaces packages with ones signed by its key, pacman will not let the user install the package.

{{Note| This might not be true for other distributions derived from Arch, for non-official repositories, and for AUR.}}

{{hc|/etc/pacman.conf|2=
...
XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 --location --continue-at - --fail --output %o %u
...
}}

{{Note|Due to work in progress for database signatures, you might get a 404 error for the signatures. Depending on your [[Pacman/Package signing#Configuring pacman]], it should be harmless.}}

== Running a Tor relay ==

The Tor network is reliant on people contributing bandwidth and setting up services. There are several ways to contribute to the network.

A usual Tor circuit consists of:
Tor User -> Guard Relay -> Middle Relay -> Exit Relay -> Destination (i.e. example.com)

See the [https://community.torproject.org/relay/ official documentation] and [https://community.torproject.org/policies/relays/expectations-for-relay-operators/ Expectations for Relay Operators] for more information.

=== Running a Middle/Guard relay ===

Also known as non-exit relays: A guard relay is the first hop in a Tor circuit, while a middle relay acts as the second hop.

This means that your machine will act as an entry node or forwarding relay and, unlike a [[#Running a Tor bridge|bridge]], it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or [[#Running a Tor exit relay|Tor exit nodes]], not directly to the internet.

To [https://community.torproject.org/relay/setup/ setup] a non-exit relay, see [https://community.torproject.org/relay/setup/guard/archlinux/] and [https://community.torproject.org/relay/setup/post-install/].

=== Running a Tor bridge ===

A Tor bridge is a Tor relay that is not listed in the public Tor directory, thus making it possible for people to connect to the Tor network when governments or ISPs block all public Tor relays. Visit https://bridges.torproject.org/ for more information and instructions on how to get bridge addresses.

To [https://community.torproject.org/relay/setup/bridge/ setup] a Tor bridge, see [https://community.torproject.org/relay/setup/bridge/archlinux/] and [https://community.torproject.org/relay/setup/post-install/].

=== Running a Tor exit relay ===

Any requests from a Tor user to the regular internet must exit the Tor network at some point, and exit relays provide this essential service. To the destination host, these requests will appear to originate from your machine. This means that running an exit relay is typically viewed as more legally burdensome than running other types of Tor relays.

Before becoming an exit relay, it is '''strongly''' recommended to read [https://community.torproject.org/relay/community-resources/ Legal resources] and [https://blog.torproject.org/tips-running-exit-node/ tips for running an exit node].

To setup an exit relay, see [https://community.torproject.org/relay/setup/exit/] and [https://community.torproject.org/relay/setup/post-install/].

==== Configuration ====

{{Remove|Content that is 10+ years old provides little value beyond the [https://community.torproject.org/relay/ official documentation], including possibly wrong iptables rules that could pose risks. Also, pdnsd has not been maintained since 2012. Tor Project recommends using up-to-date resources for firewall rules and unbound for DNS. [https://community.torproject.org/relay/setup/post-install/ ][https://community.torproject.org/relay/setup/exit/]}}

Using the {{ic|torrc}}, you can configure which services you wish to allow through your exit relay.

Make the relay an exit relay:

ExitRelay 1

Allow all traffic:

ExitPolicy accept *:*

Allow only IRC ports {{ic|6660-6667}} but nothing else to exit from relay:

ExitPolicy accept *:6660-6667,reject *:*

By default, Tor will block certain ports. You can use the {{ic|torrc}} to override this, for example accepting NNTP:

ExitPolicy accept *:119

==== +100Mbps Exit Relay configuration example ====
{{Out of date|Should probably be switched from legacy [[iptables]] to [[nftables]]. Also, review what still counts as a "fast relay" in currentyear.}}

If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}}, the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall and [[pdnsd]] as DNS cache. It is important to ''first'' read [https://community.torproject.org/relay/setup/post-install/ Relay Post-install and good practices].

{{Note|See [[#Running Tor in a systemd-nspawn container with a virtual network interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container.}}

===== Tor =====

====== Raise maximum number of open file descriptors ======

To handle more than 32768 connections, {{ic|LimitNOFILE}} can be raised [https://support.torproject.org/#relay-operators_packaged-tor]:

{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|2=
[Service]
LimitNOFILE=65536
}}

To successfully raise {{ic|nofile}} limit, you may also have to append the following:

{{hc|/etc/security/limits.conf|
...
tor soft nofile 65536
tor hard nofile 65536
@tor soft nofile 65536
@tor hard nofile 65536
}}

Check if the {{ic|nofile}} (filedescriptor) limit is successfully raised with {{ic|ulimit -Hn}} as the tor user.

====== Start tor.service as root to bind Tor to privileged ports ======

To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.

====== Tor configuration ======

An example configuration:

{{hc|/etc/tor/torrc|2=
SOCKSPort 0 ## Pure relay configuration without local socks proxy

Log notice stdout ## Default Tor behavior

ControlPort 9051 ## For nyx connection
CookieAuthentication 1 ## For nyx connection

ORPort 443 ## Service must be started as root

Address $IP ## IP or FQDN
Nickname $NICKNAME ## Nickname displayed in [https://metrics.torproject.org/rs.html Tor Relay Search]

RelayBandwidthRate 500 Mbits ## bytes/KBytes/MBytes/GBytes/KBits/MBits/GBits
RelayBandwidthBurst 1000 MBits ## bytes/KBytes/MBytes/GBytes/KBits/MBits/GBits

ContactInfo $E-MAIL ## [https://gitlab.torproject.org/tpo/community/relays/-/issues/18 Tor Relay good practices] suggests an email

DirPort 80 ## Service must be started as root
DirPortFrontPage /etc/tor/tor-exit-notice.html ## [https://gitlab.torproject.org/tpo/core/tor/-/raw/main/contrib/operator-tools/tor-exit-notice.html Original]

MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)

ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy

User tor ## Return to tor user after service started as root

DisableDebuggerAttachment 0 ## For nyx connection

### Performance related options ###
AvoidDiskWrites 1 ## Reduce wear on SSD
DisableAllSwap 1 ## Service must be started as root
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support
NumCPUs 2 ## Only start two threads
}}

See {{man|1|tor}} for details.

Tor opens a socks proxy on port 9050 by default — even if you do not configure one. Set {{ic|SOCKSPort 0}} if you plan to run Tor only as a relay, and not make any local application connections yourself.

{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.

{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enables {{Pkg|nyx}} to connect to Tor and display connections.

{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80.

{{ic|DirPortFrontPage}} displays [https://gitlab.torproject.org/tpo/core/tor/-/raw/main/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.

{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|ip addr}}, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.

{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.

{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".

If {{ic|grep aes /proc/cpuinfo}} returns that your CPU supports AES instructions and {{ic|lsmod {{!}} grep aes}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see https://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration.

{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].

Use the {{ic|User tor}} option to properly reduce Tor’s privileges.

===== iptables =====

Setup and learn to use [[iptables]]. Instead of being a [[Simple stateful firewall]] where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.

{{hc|/etc/iptables/iptables.rules|2=
*raw
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
}}

{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.

{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.

{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.

{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.

{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allow already established incoming TCP connections per the rules below and TCP connections established from the exit node.

{{ic|-A INPUT -p udp -j ACCEPT}} allow all incoming UDP connections because we do not use connection tracking.

{{ic|-A INPUT -p icmp -j ACCEPT}} allow [[wikipedia:Internet_Control_Message_Protocol|ICMP]].

{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.

{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.

{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.

===== pdnsd =====

{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}

You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.

{{hc|/etc/pdnsd.conf|2=
...
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB
...
server {
label= "resolvconf";
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.
uptest=query; ## Test availability using empty DNS queries.
query_test_name="."; ## To be used if remote servers ignore empty queries.
interval=10m; ## Test every 10 minutes.
purge_cache=off; ## Ignore TTL.
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.
preset=off; ## Assume server is down before uptest.
}
...
}}

This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.

====== Uncensored DNS ======

If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Alternative DNS services]] for alternatives and add them in a separate server-section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS servers]].

===== Ensuring relay is working =====

To verify the function of your tor relay,
check that {{ic|tor.service}} started correctly with the [[journal]] or the [[unit status]].
If there are no errors, run {{ic|nyx}} to ensure your relay is making connections.
Do not be concerned if your [https://blog.torproject.org/lifecycle-new-relay new relay] is slow at first; this is normal.
After approximately 3 hours, your relay should be published and searchable on [https://metrics.torproject.org/rs.html#search Relay Search].

== Tor DNS ==

DNS queries can be performed through the command-line interface by using {{ic|tor-resolve}}. For example:

{{hc|$ tor-resolve archlinux.org|
66.211.214.131
}}

The tor 0.2.x series also provides a built-in DNS forwarder. To enable it, add the following lines to the Tor configuration file and [[restart]] the daemon:

{{hc|/etc/tor/torrc|
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
}}

This will allow tor to accept DNS requests (listening on port {{ic|9053}}) like a regular DNS server, and resolve the domain via the Tor network.

A downside of both methods is that they are only able to resolve DNS queries for A, AAAA and PTR records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].

{{Tip|See [https://support.torproject.org/#misc_check-socks-dns-leaks] to check if an application is leaking DNS requests.}}

=== Using Tor DNS systemwide ===

It is possible to configure your system to use Tor DNS for any A, AAAA, and PTR queries your system makes, regardless of whether you eventually use Tor to connect to your final destination. To do this, configure your system to use {{ic|127.0.0.1}} as its DNS server and edit the {{ic|DNSPort}} line in {{ic|/etc/tor/torrc}} to show:

DNSPort 53

Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for Tor DNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose. Note, if you are using ''NetworkManager'' you will need to add your configuration file to the location outlined in [[NetworkManager#dnsmasq]].

Change the tor setting to listen for the DNS request in port {{ic|9053}} and install {{Pkg|dnsmasq}}.

Modify its configuration file so that it contains:

{{hc|/etc/dnsmasq.conf|2=
no-resolv
port=53
server=127.0.0.1#9053
listen-address=127.0.0.1
}}

These configurations set dnsmasq to listen only for requests from the local computer, and to use Tor DNS at its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server:

{{hc|/etc/resolv.conf|
nameserver 127.0.0.1
}}

[[Start]] the {{ic|dnsmasq.service}}.

Finally, if you use [[dhcpcd]] you need to change its settings so that it does not alter the {{ic|resolv.conf}} file. Add this line in the configuration file:

{{hc|/etc/dhcpcd.conf|
nohook resolv.conf
}}

If you already have an {{ic|nohook}} line, add {{ic|resolv.conf}} separated by a comma.

== Torsocks ==

{{Pkg|torsocks}} allows you to use an application through the Tor network without requiring any configuration changes to the application itself. From {{man|1|torsocks}}:

:'''torsocks''' is a wrapper between the torsocks library and the application in order to make every Internet communication go through the Tor network.

For a comparison of {{ic|torsocks}} with its predecessor, see [https://tor.stackexchange.com/a/21000].

{{Note|The wrapper deliberately and verbosely fails for certain system calls, which cause some applications to not fully work with it. See [https://stackoverflow.com/questions/46634215/torsocks-and-unsupported-syscalls torsocks-and-unsupported-syscalls].}}

Usage example:

$ torsocks elinks checkip.dyndns.org
$ torsocks wget -qO- https://check.torproject.org/ | grep -i congratulations

== Transparent Torification ==

{{Accuracy|How well those iptables rules protect against leaks, and why not just use [https://www.whonix.org/wiki/About Whonix][https://www.whonix.org/wiki/Leaks]? It may be unwise to apply them blindly in your system.}}

In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SOCKSPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks.

Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use an amnesic solution like [https://tails.net/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.

When a transparent proxy is used, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario.
Doing so produces undefined and potentially unsafe behavior. In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order.
The Tor Project opinion is that this is unsafe [https://support.torproject.org/misc/#misc_misc-11]{{Dead link|2025|11|17|status=404}}
[https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#tor-over-tor].

To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).

{{Note|This file uses the NAT table to force outgoing connections through the {{ic|TransPort}} or {{ic|DNSPort}}, and blocks anything it cannot torrify. By enabling {{ic|AutomapHostsOnResolve}}, Tor will return a virtual IP address from the {{ic|VirtualAddrNetworkIPv4}} range. This feature allows applications that resolve addresses to connect seamlessly to {{ic|.onion}} addresses.

* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly defined, {{ic|iptables-restore}} will ignore the rule if it is not for the correct protocol.
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.

Make sure your {{ic|torrc}} contains the following lines:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DNSPort 5353

See {{man|8|iptables}}.
}}

{{Note|If you get this error: {{ic|iptables-restore: unable to initialize table 'nat'}}, you have to load the appropriate kernel modules:

# modprobe ip_tables iptable_nat ip_conntrack iptable-filter ipt_state

}}

{{hc|/etc/iptables/iptables.rules|
*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]

-A OUTPUT -d 10.192.0.0/10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
--ipv4 -A OUTPUT -d 172.16.0.0/12 -j RETURN
--ipv4 -A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv4 -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
--ipv4 -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
}}

This file also works for {{ic|ip6tables-restore}}, so you may symlink it:

# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules

Then make sure Tor is running, and [[start/enable]] the {{ic|iptables}} and {{ic|ip6tables}} systemd units.

You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall up. See [[systemd]].

== Tips and tricks ==

=== Kernel capabilities ===

To run tor as a non-root user and use a port lower than {{ic|1024}}, you can use kernel capabilities to allow it to bind to privileged ports:

# setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/tor

{{Note|Any upgrade to the tor package will reset the permissions. Consider using [[pacman#Hooks]] to automatically set the permissions after upgrades.}}

If you use {{ic|tor.service}}, it is also possible to use [[systemd]] to grant tor the appropriate permissions. This has the benefit that permissions do not need to be reapplied after every tor upgrade:

{{hc|/etc/systemd/system/tor.service.d/netcap.conf|2=
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
AmbientCapabilities=CAP_NET_BIND_SERVICE
}}

Refer to [https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443 superuser.com] for further explanations.

=== Using system tor in Tor Browser ===

When using the Tor Browser, it is possible to use the running {{ic|tor.service}} instead of establishing a second connection to the Tor network.
Instructions are provided in the starter file for the browser, which by default is located at {{ic| ~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser}}.

As of version {{ic|0.3.7}}, you can follow these steps:
# In {{ic|/etc/tor/torrc}}, look for the option {{ic|#SOCKSPort}} and copy down the address and port there. If no address is given, it is {{ic|127.0.0.1}} by default, and if not port is given it is {{ic|9050}} by default.
# Follow the steps in [[#Tor ControlPort]] and [[#Set a Tor Control password]], and copy down both the password and control port you have set.
# In the Tor Browser, navigate to {{ic|about:config}} and set the following preferences: {{bc|<nowiki>
# SETTING NAME VALUE
# network.proxy.socks <SocksAddress>
# network.proxy.socks_port <SocksPort>
# extensions.torbutton.inserted_button true
# extensions.torbutton.launch_warning false
# extensions.torbutton.loglevel 2
# extensions.torbutton.logmethod 0
# extensions.torlauncher.control_port <ControlPort>
# extensions.torlauncher.loglevel 2
# extensions.torlauncher.logmethod 0
# extensions.torlauncher.prompt_at_startup false
# extensions.torlauncher.start_tor false
</nowiki>}}
# Edit the start file of the Tor Browser, which by default is {{ic|~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser}}. Replace {{ic|''secret''}} with the control password in the following line: {{bc|1=setControlPortPasswd ${TOR_CONTROL_PASSWD:='"''secret''"'<nowiki>}</nowiki>}}{{Warning|Do not modify the set of two quotes around {{ic|''secret''}}.}}
# Restart the Tor Browser. If successful, there should be a message on the startup page explaining that the connection is not managed by the Tor Browser, and {{ic|tor.service}} should log a line saying {{ic|New control connection opened from <SocksAddress>}}.

=== Running Tor in a chroot ===

{{Remove|chroot is not a security feature [https://www.redhat.com/en/blog/chroot-security-feature]. {{Pkg|tor}} ships with several systemd sandboxing options which conflicts with a chroot environment [https://bbs.archlinux.org/viewtopic.php?id{{=}}259710].}}

{{Note| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}

For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in {{ic|/opt/torchroot}}:

{{hc|~/torchroot-setup.sh|2=<nowiki>
#!/bin/sh
export TORCHROOT=/opt/torchroot

mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib
mkdir -p $TORCHROOT/var/log/tor/

ln -s /usr/lib $TORCHROOT/lib
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/

cp /usr/bin/tor $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/

### /var/log/tor/notices.log is only needed if you run hidden services
# cp /var/log/tor/notices.log $TORCHROOT/var/log/tor/

cp -r /var/lib/tor $TORCHROOT/var/lib/
cp /etc/tor/torrc $TORCHROOT/etc/tor/

chown tor:tor $TORCHROOT
chmod 700 $TORCHROOT
chown -R tor:tor $TORCHROOT/var/lib/tor
chown -R tor:tor $TORCHROOT/var/log/tor

sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"

mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3

if [ "$(uname -m)" = "x86_64" ]; then
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
ln -sr /usr/lib64 $TORCHROOT/lib64
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi

</nowiki>}}

After running the script as root, Tor can be launched in the [[chroot]] with the command:

# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor

or, if you use systemd, [[Systemd#Editing provided units|overload]] the service:

{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=
[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT
}}

=== Running Tor in a systemd-nspawn container with a virtual network interface ===

{{Expansion|It is not clear what this example is trying to achieve.}}

In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.

See [[systemd-nspawn]] and [[systemd-networkd]] for full documentation.

==== Host installation and configuration ====

In this example the container will reside in {{ic|/srv/container}}:

# mkdir -p /srv/container/tor-exit

[[Install]] the {{Pkg|arch-install-scripts}}.

Install {{Pkg|base}}, {{Pkg|tor}} and {{Pkg|nyx}} as per [[systemd-nspawn#Create and boot a minimal Arch Linux container]]:

# pacstrap -K -ci /srv/container/tor-exit base tor nyx

Symlink to register the container on the host, as per [[systemd-nspawn#Management]]:

# ln -s /srv/container/tor-exit/ /var/lib/machines/

==== Virtual network interface ====

Create a drop-in configuration file for the container:

{{hc|/etc/systemd/nspawn/tor-exit.nspawn|2=
[Network]
MACVLAN=''interface''

[Exec]
LimitNOFILE=65536
}}

{{ic|1=MACVLAN=''interface''}} creates a "macvlan" interface named {{ic|mv-''interface''}} and assigns it to the container, see [[systemd-nspawn#Use a "macvlan" or "ipvlan" interface]] for details. This is advisable for security as it will allow you to give a private IP to the container, and it will not know what your machine's IP is. This can help obscure DNS requests.

{{ic|1=LimitNOFILE=65536}} per [[#Raise maximum number of open file descriptors]].

Set up [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-''interface''.network}}.

==== Start and enable systemd-nspawn ====

[[Start/enable]] {{ic|systemd-nspawn@tor-exit.service}}.

==== Container configuration ====

Login to the container (see [[systemd-nspawn#machinectl]]):

# machinectl shell root@tor-exit

==== Start and enable systemd-networkd ====

[[Start]] and enable {{ic|systemd-networkd.service}}. {{ic|networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.

==== Configure Tor ====

See [[#Running a Tor relay]].

{{Tip|It is easier to edit files in the container from the host with your normal editor.}}

=== Java ===

One can ensure a [https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html java application proxies] its connections through Tor by defining its [[Environment variables#Defining variables|environment variable]]:

JAVA_OPTIONS="$JAVA_OPTIONS -DsocksProxyHost=localhost -DsocksProxyPort=9050"

== Troubleshooting ==

=== Tor Browser proxy problems ===

Tor Browser typically works without significant customization. If the bundled proxy fails with {{ic|proxy server is refusing connections}} for any website, consider reinstallation by removing the {{ic|~/.local/share/torbrowser/}} directory (make sure to back up important files).

== See also ==

* [https://2019.www.torproject.org/about/torusers.html.en Who uses Tor?]
* [https://support.torproject.org/abuse/ Tor Abuse FAQ]
* [https://tb-manual.torproject.org/circumvention/ Using pluggable transports to circumvent censorship]
* [https://community.torproject.org/onion-services/setup/ Set up Your Onion Service]
* [https://metrics.torproject.org/ Tor Metrics]
* [https://gitlab.torproject.org/legacy/trac Tor's archived wiki]
* [https://www.whonix.org/wiki/Tor_Myths_and_Misconceptions Whonix — Tor Myths and Misconceptions]

Audit framework

2026-05-03T06:24:46Z

Lahwaacz: /* Which files or syscalls are worth-auditing? */ revert https://wiki.archlinux.org/index.php?title=Audit_framework&diff=next&oldid=872833 - if you don't know for sure, don't add even more uncertainty

[[Category:Security]]
[[Category:Logging]]
[[ja:Audit フレームワーク]]
{{Related articles start}}
{{Related|Security}}
{{Related|List of Applications/Security}}
{{Related articles end}}
The Linux audit framework provides a CAPP-compliant ([[Wikipedia:Controlled Access Protection Profile|Controlled Access Protection Profile]]) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system. It can help you track actions performed on a system.

Linux audit helps make your system more secure by providing you with means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself—it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures to prevent them.

The audit framework works by listening to the event reported by the kernel and logging them to a log file.

{{Note|1=Audit framework compatibility with containers was fixed in Linux 3.15, see [https://bugzilla.redhat.com/show_bug.cgi?id=893751], however interpreting audit records may be difficult as support for namespace ID is still work in progress, see [https://github.com/linux-audit/audit-kernel/issues/32].}}

== Installation ==

In-kernel audit support is available in all [[Kernel#Officially supported kernels|officially supported kernels]]. For custom kernels {{ic|CONFIG_AUDIT}} should be enabled. Userspace support is provided by the {{Pkg|audit}} package that is already installed as a dependency of {{Pkg|base}} packages.

Audit can be enabled at boot-time by setting {{ic|1=audit=1}} as [[kernel parameter]]. This will ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit. See {{man|8|auditd}}.

{{Note|In order to disable audit completely and suppress audit messages from appearing in journal you may set {{ic|1=audit=0}} as [[kernel parameter]] and/or [[mask]] {{ic|systemd-journald-audit.socket}}.}}

Audit framework is composed of the auditd daemon, responsible for writing the audit messages that were generated through the audit kernel interface and triggered by application and system activity. [[Start/enable]] {{ic|auditd.service}} to activate the daemon.

This daemon can be controlled, or fine tuned, by several commands and files:

* {{man|8|auditctl}}: to control the behavior of the daemon on the fly, adding rules etc.
* {{ic|/etc/audit/audit.rules}}: contains the rules and various parameters of the auditd daemon. This file is automatically generated from {{ic|/etc/audit/rules.d/}} by {{ic|audit-rules.service}}. See {{man|7|audit.rules}} and {{man|8|augenrules}} for details.
* {{man|8|aureport}}: generate report of the activity on a system
* {{man|8|ausearch}}: search for various events
* {{man|5|auditd-plugins}}: takes audit events and distributes them to child programs that want to analyze events in realtime. Also see {{pkg|audispd-plugins}}.
* {{ic|/etc/audit/auditd.conf}}: configuration file related to the logging. See {{man|5|auditd.conf}} for details.

== Adding rules ==

Before adding rules, you must know that the audit framework can be very verbose and that each rule must be carefully tested before being effectively deployed. Indeed, just one rule can flood all your logs within a few minutes.

=== Audit files and directories access ===

The most basic use of the audit framework is to log the access to the files you want.
To do this, you must place a watch on a file or a directory. A concrete example is to track accesses to the passwd file:

# auditctl -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=rwxa
# auditctl -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=rwxa

You can track access to a folder with:

# auditctl -a always,exit -F arch=b64 -F dir=/etc/security
# auditctl -a always,exit -F arch=b32 -F dir=/etc/security

The first rule keeps track of every read {{ic|r}} , write {{ic|w}} , execution {{ic|x}} , attribute change {{ic|a}} to the file {{ic|/etc/passwd}}.
The second one keeps track of any access to the {{ic|/etc/security/}} folder.

You can list all active rules with:

# auditctl -l

You can delete all rules with:

# auditctl -D

Once you validate the rules, you can add them to a ''.rules'' file in {{ic|/etc/audit/rules.d/}}:

{{hc|/etc/audit/rules.d/example.rules|2=
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=rwxa
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=rwxa
-a always,exit -F arch=b64 -F dir=/etc/security
-a always,exit -F arch=b32 -F dir=/etc/security
}}

=== Audit syscalls ===

The audit framework allows you to audit the syscalls performed with the {{ic|-a}} option.

A security related rule is to track the {{man|2|chmod}} syscall, to detect file ownership changes:

# auditctl -a exit,always -S chmod

For a list of all syscalls: {{man|2|syscalls}}

A lot of rules and possibilities are available, see {{man|8|auditctl}} and {{man|7|audit.rules}}.

=== Filter unwanted messages ===

In order to prevent noisy audit messages from flooding system logs you may add rules to exclude some of them:

{{hc|/etc/audit/rules.d/quiet.rules|2=
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=BPF
-a exclude,always -F exe=/usr/bin/sudo
}}

Remember to verify changes (fix as necessary) and regenerate {{ic|/etc/audit/audit.rules}} as follows:

# augenrules --check
# augenrules --load

== Search the logs ==

The audit framework provides some tools to ease the use and the research of events happening on a system.

=== Using pid ===

You can search events related to a particular pid using {{ic|ausearch}}:

# ausearch -p 1

This command will show you all the events logged according to your rules related to PID 1 (i.e. systemd).

=== Using keys ===

One of the great features of the audit framework is its ability to use {{ic|keys}} to manage events, such a usage is recommended.

You can use the {{ic|-F key{{=}}}} option in your rules to be able to find related events easily:

# auditctl -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=rwxa -F key=KEY_pwd

Then, if you search for events with the key {{ic|KEY_pwd}}, ausearch will display only event related to the file {{ic|/etc/passwd}}.

# ausearch -k KEY_pwd

=== Look for abnormalities ===

The {{ic|aureport}} tool can be used to quickly report any abnormal event performed on the system, it includes network interfaces used in promiscous mode, process or thread crashing or exiting with ENOMEM error etc.

The easiest way to use {{ic|aureport}} is:

# aureport -n

aureport can be used to generate custom reports, see {{man|8|aureport}}.

== Which files or syscalls are worth-auditing? ==

Keep in mind that each audit rule added will generate logs, so you must be ready to treat this amount of information.
Basically, each security-related event/file must be monitored, like [[w:Intrusion detection system|ids]], [[w:Intrusion prevention system|ips]], [[w:Anti-rootkit|anti-rootkit]]s etc.
On the other side, it is totally useless to track every write syscall, the smallest compilation will fill your logs with this event.

More complex set of rules can be set up, performing auditing on a very fine-grained base. If you want to do so, see {{man|8|auditctl}}.

== Gather logs from different hosts ==

The audit framework has a plugin system which provides the possibility to send local logfiles to a remote auditd.

=== Send logfiles ===

To send your logfiles to a remote host you need the {{ic|audisp-remote}} plugin which belongs to the {{Pkg|audispd-plugins}} package.
Activate the plugin:

{{hc|/etc/audisp/plugins.d/au-remote.conf|output=
active = yes
direction = out
path = /usr/bin/audisp-remote
type = always
format = string
}}

and set the remote host where the logs should be send to:

{{hc|/etc/audisp/audisp-remote.conf|output=
remote_server = domain.name.or.ip
port = 60
##local_port = optional
transport = tcp
}}

=== Receive logfiles ===

To make audit listen for remote audispds you just need to set the tcp options:

{{hc|/etc/audit/auditd.conf|output=
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535 #optional
tcp_client_max_idle = 0
}}

Now you can view the logs of '''all''' configured hosts in the logfiles of the receiving auditd.

== Rotate the logs ==

Send {{ic|SIGUSR1}} to the audit daemon:

# pkill -USR1 -x auditd

== Troubleshooting ==

=== Audit logs flooding into virtual console ===

For users not having enabled auditd, using kernel debug messages higher than {{ic|1=loglevel=4}} can result in audit flooding security notices on top of virtual terminal.

These messages can be silenced by [[enabling]] {{ic|auditd.service}}.

Alternative solutions are:

* lowering your loglevel,
* disabling audit logs with the [[kernel parameter]] {{ic|1=audit=0}}.

See the [https://github.com/systemd/systemd/issues/15324 systemd issue 15324 on GitHub] for the details.

== See also ==

* [https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/#more Configuring and auditing Linux systems with Audit daemon]
* [https://linux-audit.com/linux-audit-framework-101-basic-rules-for-configuration/ Linux Audit Framework 101 – Basic Rules for Configuration]
* [https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/ Tuning auditd: high-performance Linux Auditing]

List of applications/Internet

2026-05-02T15:56:24Z

Lahwaacz: /* Privacy-focused chromium spin-offs */ Widevine is patched so should be listed as separate application

[[Category:Internet applications]]
[[Category:Lists of software]]
[[es:List of applications (Español)/Internet]]
[[hu:List of applications (Magyar)/Internet]]
[[ja:アプリケーション一覧/インターネット]]
[[pl:List of applications (Polski)/Internet]]
[[zh-hans:List of applications/Internet]]
{{List of applications navigation}}

== Network connection ==

=== Network managers ===

See [[Network configuration#Network managers]].

=== VPN clients ===

* {{App|GlobalProtect-openconnect|A GlobalProtect VPN client (GUI) for Linux, based on OpenConnect and built with Qt5, supports SAML auth mode.|https://github.com/yuezk/GlobalProtect-openconnect/|{{Pkg|globalprotect-openconnect}}}}
* {{App|Libreswan|A free software implementation of the most widely supported and standardized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE").|https://libreswan.org/|{{AUR|libreswan}}}}
* {{App|[[Mullvad]]|A GUI client for the Mullvad VPN service |https://mullvad.net/|{{Pkg|mullvad-vpn}}}}
* {{App|[[Nebula]]|A mesh VPN network|https://nebula.defined.net/docs/|{{Pkg|nebula}}}}
* {{App|[[NetworkManager]]|Supports a variety of protocols (e.g. MS, Cisco, Fortinet) via a plugin system.|https://wiki.gnome.org/Projects/NetworkManager/VPN|{{Pkg|networkmanager}}}}
* {{App|[[OpenConnect]]|Supports Cisco and Juniper VPNs.|https://www.infradead.org/openconnect/|{{Pkg|openconnect}}}}
* {{App|[[ProtonVPN]]|VPN provider that uses the OpenVPN and WireGuard protocol.|https://protonvpn.com/|{{Pkg|proton-vpn-gtk-app}}}}
* {{App|[[Openswan]]|IPsec-based VPN Solution.|https://www.openswan.org/|{{AUR|openswan}}}}
* {{App|[[OpenVPN]]|To connect to OpenVPN VPNs.|https://openvpn.net/|{{Pkg|openvpn}}}}
* {{App|[[PPTP Client]]|To connect to PPTP VPNs, like Microsoft VPNs (MPPE). (insecure)|https://pptpclient.sourceforge.net/|{{Pkg|pptpclient}}}}
* {{App|RiseupVPN|A GUI client for the Riseup VPN service from riseup.net.|https://riseup.net/en/vpn/ | {{AUR|riseup-vpn}} or {{AUR|riseup-vpn-configurator}} }}
* {{App|[[Rosenpass]]|Hybrid security against quantum computers for WireGuard by adding a post-quantum-secure key exchange|https://rosenpass.eu/|{{Pkg|rosenpass}}}}
* {{App|[[strongSwan]]|IPsec-based VPN Solution.|https://www.strongswan.org/|{{Pkg|strongswan}}}}
* {{App|[[tinc]]|tinc is a free VPN daemon.|https://www.tinc-vpn.org/|{{Pkg|tinc}}}}
* {{App|vopono|OpenVPN and WireGuard wrapper to launch applications with VPN tunnels in network namespaces.|https://github.com/jamesmcm/vopono|{{AUR|vopono}}}}
* {{App|vpnc|To connect to Cisco 3000 VPN Concentrators.|https://www.unix-ag.uni-kl.de/~massar/vpnc/|{{Pkg|vpnc}}}}
* {{App|[[WireGuard]]|Next generation secure network tunnel.|https://www.wireguard.com/|{{Pkg|wireguard-tools}}}}

=== Proxy servers ===

* {{App|Brook|Proxy focusing on strong encryption and being undetectable.|https://txthinking.github.io/brook/|{{Pkg|brook}}}}
* {{App|Dante|SOCKS server and SOCKS client, implementing [[RFC:1928]] and related standards.|https://www.inet.no/dante/|{{Pkg|dante}}}}
* {{App|Geph|A modular Internet censorship circumvention system designed specifically to deal with national filtering.|https://geph.io/en/|{{AUR|geph4-client}}}}
* {{App|hiddify|Multiplatform chain proxy client based on {{AUR|sing-box}}.|https://github.com/hiddify/hiddify-next|{{AUR|hiddify}}}}
* {{App|[[NaïveProxy]]|A Proxy using Chrome's network stack to camouflage traffic with strong censorship resistence and low detectablility.|https://github.com/klzgrad/naiveproxy|{{AUR|naiveproxy}}}}
* {{App|[[Privoxy]]|Non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk.|https://www.privoxy.org/|{{Pkg|privoxy}}}}
* {{App|[[Shadowsocks]]|Secure socks5 proxy, designed to protect your Internet traffic.|https://shadowsocks.org/|{{Pkg|shadowsocks-rust}}}}
* {{App|[[Squid]]|Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.|https://www.squid-cache.org/|{{Pkg|squid}}}}
* {{App|[[Stunnel]]|A server and client to add and remove TLS encryption to TCP data flow.|https://www.stunnel.org/|{{Pkg|stunnel}}}}
* {{App|Throne|Cross-platform GUI proxy utility (Empowered by {{AUR|sing-box}}).|https://github.com/throneproj/Throne|{{AUR|throne}}}}
* {{App|Tinyproxy|Lightweight HTTP/HTTPS proxy daemon.|https://tinyproxy.github.io/|{{Pkg|tinyproxy}}}}
* {{App|[[Trojan]]|An unidentifiable mechanism that helps you bypass GFW.|https://trojan-gfw.github.io/trojan/|{{Pkg|trojan}}}}
* {{App|[[V2Ray]]|V2Ray is the core of Project V, which is a set of tools to help you build your own privacy network over the internet.|https://www.v2fly.org/en_US/|{{Pkg|v2ray}}}}
* {{App|V2RayN|A GUI client for Windows, Linux and macOS, support {{AUR|xray}} and {{AUR|sing-box}} cores and others.|https://github.com/2dust/v2rayN|{{AUR|v2rayN}}}}
* {{App|[[Varnish]]|High-performance HTTP accelerator.|https://varnish-cache.org/|{{Pkg|varnish}}}}
* {{App|Wireproxy|[[WireGuard]] client that exposes itself as a SOCKS5 proxy.|https://github.com/pufferffish/wireproxy|{{Pkg|wireproxy}}}}
* {{App|XX-Net|Easy to use web proxy tool.|https://github.com/XX-net/XX-Net/|{{AUR|xx-net}}}}
* {{App|Ziproxy|Forwarding (non-caching) compressing HTTP proxy server.|https://ziproxy.sourceforge.net/|{{Pkg|ziproxy}}}}

=== Anonymizing networks ===

* {{App|Arti|Rust implementation of the Tor anonymizing overlay network.|https://gitlab.torproject.org/tpo/core/arti|{{Pkg|arti}}}}
* {{App|[[GNUnet]]|Framework for secure peer-to-peer networking.|https://gnunet.org/|CLI: {{AUR|gnunet}}, GUI: {{AUR|gnunet-gtk}}}}
* {{App|Hyphanet|An encrypted network without censorship, previously named Freenet.|https://www.hyphanet.org/|{{AUR|hyphanet}}}}
* {{App|[[I2P]]|Distributed anonymous network.|https://geti2p.net/|{{Pkg|i2pd}}, {{AUR|i2p}}}}
* {{App|Lantern|Peer-to-peer internet censorship circumvention software.|https://getlantern.org/|{{AUR|lantern-bin}}}}
* {{App|Lokinet|Anonymous, decentralized and IP based overlay network for the internet.|https://lokinet.org/|{{AUR|lokinet}}}}
* {{App|[[Tor]]|Anonymizing overlay network.|https://www.torproject.org/|{{Pkg|tor}}}}

=== Network tunnels ===

* {{App|6tunnel|Tunnels IPv6 connections for IPv4-only applications.|https://github.com/wojtekka/6tunnel/|{{Pkg|6tunnel}}}}
* {{App|iodine|Tunnel IPv4 data through a DNS server.|https://code.kryo.se/iodine/|{{Pkg|iodine}}}}
* {{App|isatapd|Creates and maintains an ISATAP tunnel ([[RFC:5214]]).|http://www.saschahlusiak.de/linux/isatap.htm|{{Pkg|isatapd}}}}
* {{App|Ping Tunnel|A tool for reliably tunneling TCP connections over ICMP echo request and reply packets.|https://www.cs.uit.no/~daniels/PingTunnel/|{{Pkg|ptunnel}}}}
* {{App|Tuntox|Tunnel TCP connections over the Tox protocol.|https://github.com/gjedeer/tuntox/|{{Pkg|tuntox}}}}

=== Deep packet inspection circumvention ===

Tools to avoid censorship, bandwidth throttle without anonymization. See [[Wikipedia:Deep packet inspection]], [[Wikipedia:Internet censorship circumvention]] for an introduction to the topic.

* {{App|Bypass DPI|A simple software using SOCKS5, written in C and targeted at Russian censorship.|https://github.com/hufrea/byedpi|{{AUR|byedpi}}}}
* {{App|Cloak|A pluggable transport that works alongside traditional proxy tools like [[OpenVPN]], written in Go.|https://github.com/cbeuw/Cloak|{{AUR|cloak-obfuscation}}}}
* {{App|DPI Tunnel|An HTTP/transparent proxy, written in C++ and targeted at Russian censorship.|https://github.com/txtsd/DPITunnel|{{AUR|dpitunnel}}}}
* {{App|Green Tunnel|An anti-censorship utility using SOCKS5, written in nodejs and targeted at Iranian censorship.|https://github.com/SadeghHayeri/GreenTunnel|{{AUR|green-tunnel}}}}
* {{App|hysteria|A powerful, lightning fast and censorship resistant proxy that masquerades as standard HTTP/3 traffic. Supports SOCKS5, TUN, and TCP/UDP forwarding. Written in Go.|https://hysteria.network/|{{AUR|hysteria}}}}
* {{App|naiveproxy|A proxy using Chrome's network stack to camouflage traffic as normal HTTPS, making it highly resistant to DPI. Written in C++.|https://github.com/klzgrad/naiveproxy|{{AUR|naiveproxy}}}}
* {{App|Psiphon|An open-source Internet censorship circumvention system that uses SSH tunneling and obfuscation to bypass firewalls. Includes both client and server components.|https://github.com/Psiphon-Labs/psiphon-tunnel-core|{{AUR|psiphon-console-client}}, {{AUR|psiphon-server}}}}
* {{App|SpoofDPI|A simple and fast tool using SOCKS5, written in Go.|https://github.com/xvzc/SpoofDPI|{{AUR|spoofdpi}}}}
* {{App|zapret|A Netfilter queue mode or SOCKS5/transparent proxy, written in C and targeted at Russian censorship.|https://github.com/bol-van/zapret|{{AUR|zapret-git}}}}

=== Speedtest tools ===

* {{App|cloudflarespeedtest|Test Cloudflare CDN latency and speed to find the fastest IP.|https://github.com/XIU2/CloudflareSpeedTest|{{AUR|cloudflarespeedtest-bin}}}}
* {{App|LibreSpeed|Open source speedtest with graphical GTK client.|https://librespeed.org/|{{AUR|speedtest-librespeed}}}}
* {{App|nperf|Wide-area network speed test application.|https://www.nperf.com/|{{AUR|nperf-gui-appimage}}}}
* {{App|SpeedTest++|Unofficial speedtest.net CLI using raw TCP for better accuracy.|https://github.com/taganaka/SpeedTest|{{AUR|speedtest++}}}}
* {{App|speedtest-cli|Command-line interface for testing internet bandwidth using speedtest.net servers.|https://github.com/sivel/speedtest-cli|{{Pkg|speedtest-cli}}}}

=== Network monitoring and diagnostics tools ===

* {{App|bandwhich|Terminal bandwidth utilization tool showing usage by process, connection, and remote IP/hostname.|https://github.com/imsnif/bandwhich |{{Pkg|bandwhich}}}}
* {{App|dog|Modern command-line DNS client alternative to dig with colored output and JSON support.|https://dns.lookup.dog/ |{{Pkg|dog}}}}
* {{App|flent|The Fleet Network Tester for measuring bufferbloat and latency under load.|https://flent.org/ |{{AUR|flent}}}}
* {{App|gping|Ping with a real-time graph visualization of latency to multiple hosts.|https://github.com/orf/gping |{{Pkg|gping}}}}
* {{App|hyperfine|Command-line benchmarking tool, useful for comparing network response times.|https://github.com/sharkdp/hyperfine |{{Pkg|hyperfine}}}}
* {{App|netsniff-ng|High-performance Linux network packet sniffer and analyzer toolkit.|http://netsniff-ng.org/ |{{Pkg|netsniff-ng}}}}
* {{App|oha|HTTP load generator with TUI showing detailed timing breakdown (DNS, TCP, TLS, TTFB).|https://github.com/hatoo/oha |{{Pkg|oha}}}}
* {{App|ooniprobe-cli|Official OONI Probe CLI for detecting internet censorship, website blocking, and traffic manipulation.|https://ooni.org/ |{{AUR|ooniprobe-cli}}}}
* {{App|sniffnet|Network traffic monitoring with TUI/GUI, statistics by protocol, and per-host analysis.|https://github.com/GyulyVGC/sniffnet |{{Pkg|sniffnet}}}}
* {{App|tcping|TCP connectivity checker that bypasses ICMP blocks for port-specific diagnostics.|https://github.com/zhengxiaowai/tcping|{{AUR|tcping}}}}
* {{App|termshark|Terminal UI for tshark, providing a Wireshark-like interface in the terminal.|https://termshark.io/ |{{Pkg|termshark}}}}
* {{App|trippy|A network diagnostic tool combining traceroute and ping with an interactive TUI.|https://github.com/fujiapple852/trippy |{{Pkg|trippy}}}}

== Web browsers ==

See also [[Wikipedia:Comparison of web browsers]].

=== Console ===

* {{App|[[Wikipedia:Browsh|browsh]]|A fully-modern text-based browser. Runs as a frontend to headless Firefox.|https://www.brow.sh/|{{AUR|browsh}}}}
* {{App|Carbonyl|A Chromium based browser built to run in a terminal.|https://fathy.fr/carbonyl|{{AUR|carbonyl}}}}
* {{App|Chawan|A web browser for your terminal.|https://sr.ht/~bptato/chawan/|{{Pkg|chawan}}}}
* {{App|[[ELinks]]|Advanced and well-established feature-rich text mode web browser with mouse wheel scroll support, frames and tables, extensible with Lua & Guile (links fork).|http://elinks.or.cz/|{{Pkg|elinks}}}}
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a console version similar to Lynx.|http://links.twibright.com/|{{Pkg|links}}}}
* {{App|[[Wikipedia:Lynx (web browser)|Lynx]]|Text browser for the World Wide Web.|https://lynx.invisible-island.net/|{{Pkg|lynx}}}}
* {{App|[[w3m]]|Pager/text-based web browser. It has vim-like keybindings, and is able to display images.|https://salsa.debian.org/debian/w3m|{{Pkg|w3m}}}}

=== Graphical ===

==== Gecko-based ====

See also [[Wikipedia:Gecko (software)]].

* {{App|[[Firefox]]|Extensible browser from Mozilla based on Gecko with fast rendering.|https://mozilla.com/firefox|{{Pkg|firefox}}}}
* {{App|[[Wikipedia:SeaMonkey|SeaMonkey]]|Continuation of the Mozilla Internet Suite.|https://www.seamonkey-project.org/|{{AUR|seamonkey}}}}

===== Firefox spin-offs =====

* {{App|[[Wikipedia:Floorp|Floorp]]|Firefox-based browser developed by a community of students in Japan.| https://floorp.ablaze.one|{{AUR|floorp}}}}
* {{App|[[Wikipedia:GNU IceCat|GNU IceCat]]|A customized build of Firefox ESR distributed by the GNU Project, stripped of non-free components and with additional privacy extensions. Release cycle may be delayed compared to Mozilla Firefox.|https://www.gnu.org/software/gnuzilla/|{{AUR|icecat}}}}
* {{App|Konform Browser|A customized build of Firefox ESR focused on security, privacy and freedom. Originally based on LibreWolf.|https://codeberg.org/konform-browser|{{AUR|konform-browser}}}}
* {{App|[[Wikipedia:LibreWolf|LibreWolf]]|A fork of Firefox, focused on privacy, security and freedom.|https://librewolf.net/|{{AUR|librewolf}}}}
* {{App|[[Wikipedia:Midori (web browser)|Midori]]|Light, fast and secure browser.|https://github.com/goastian/midori-desktop|{{AUR|midori}}}}
* {{App|[[Wikipedia:Mullvad Browser|Mullvad Browser]]|Privacy-focused web browser developed by Mullvad VPN and the Tor Project based on Firefox ESR.|https://mullvad.net/en/browser|{{AUR|mullvad-browser}}}}
* {{App|[[Tor]] Browser Launcher|Securely and easily download, verify, install, and launch Tor Browser, a fork of Firefox ESR.|https://github.com/micahflee/torbrowser-launcher|{{Pkg|torbrowser-launcher}}}}
* {{App|[[Wikipedia:Waterfox|Waterfox]]|Fork of Mozilla Firefox featuring some privacy, usability, and speed enhancements.|https://www.waterfox.net/|{{AUR|waterfox}}}}
* {{App|[[Wikipedia:Zen Browser|Zen Browser]]|An experimental, performance-optimized fork of Firefox focused on customizability and design with additional features.|https://www.zen-browser.app/|{{AUR|zen-browser}}}}

==== Blink-based ====

See also [[Wikipedia:Blink (web engine)]].

* {{App|[[Chromium]]|Web browser developed by Google, the open source project behind Google Chrome.|https://www.chromium.org/|{{Pkg|chromium}}}}

===== Privacy-focused chromium spin-offs =====

* {{App|[[Wikipedia:Brave (web browser)|Brave]]|Web browser with builtin ad- and tracker blocking.|https://www.brave.com/|{{AUR|brave}}}}
* {{App|Cromite|Cromite is a Chromium fork based on Bromite (Currently unmaintained) with built-in support for ad blocking and an eye for privacy. See [https://github.com/uazo/cromite/blob/master/docs/FEATURES.md List of features].|https://www.cromite.org/|{{AUR|cromite-bin}}}}
* {{App|Helium|A browser in beta based on Ungoogled Chromium with Chrome Web Store proxying and additional features, such as split view and !bangs in the address bar.|https://helium.computer/|{{AUR|helium-browser}}}}
* {{App|Thorium|Thorium develops a periodically synchronized fork of the Chromium browser, expanded with additional patches to optimize performance, improve usability and enhance security. According to the developers' tests Thorium is 8-40% ahead of the regular Chromium, mainly due to the inclusion of additional optimizations during compilation.|https://thorium.rocks/|{{AUR|thorium-browser-bin}}}}
* {{App|[[Wikipedia:Ungoogled Chromium|Ungoogled Chromium]]|Modifications to Google Chromium for removing Google integration and enhancing privacy, control, and transparency.|https://github.com/ungoogled-software/ungoogled-chromium|{{AUR|ungoogled-chromium}}}}
* {{App|[[Wikipedia:Ungoogled Chromium|Ungoogled Chromium]] (Widevine)|A patched version of Ungoogled Chromium for those who want to benefit from its privacy features while also being able to access DRM-protected content.|https://github.com/ungoogled-software/ungoogled-chromium|{{AUR|ungoogled-chromium-widevine-bin}}}}

===== Proprietary chromium spin-offs =====

* {{App|[[Wikipedia:Google Chrome|Google Chrome]]|Proprietary web browser developed by Google.|https://www.google.com/chrome/|{{AUR|google-chrome}}}}
* {{App|[[Wikipedia:Microsoft Edge|Microsoft Edge]]|Proprietary web browser developed by Microsoft.|https://www.microsoft.com/edge/|{{AUR|microsoft-edge-stable-bin}}}}
* {{App|[[Wikipedia:Opera (web browser)|Opera]]|Proprietary browser developed by Opera Software.|https://www.opera.com/opera|{{AUR|opera}}}}
* {{App|[[Wikipedia:Opera (web browser)#Opera GX|Opera GX]]|Proprietary "gaming-oriented" alternative to the regular Opera browser. Also developed by Opera Software.|https://www.opera.com/gx|{{AUR|opera-gx}}}}
* {{App|[[Wikipedia:SlimBrowser|Slimjet]]|Fast, smart and powerful proprietary browser based on Chromium.|https://www.slimjet.com/|{{AUR|slimjet}}}}
* {{App|[[Wikipedia:SRWare Iron|SRWare Iron]]|Light-weight proprietary browser based on Chromium.|https://www.srware.net/iron/|{{AUR|srware-iron-bin}}}}
* {{App|[[Vivaldi]]|An advanced proprietary browser made with the power user in mind.|https://vivaldi.com/|{{Pkg|vivaldi}}}}
* {{App|[[Wikipedia:Yandex Browser|Yandex Browser]]|Proprietary browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.|https://browser.yandex.com/|{{AUR|yandex-browser}}}}

===== Browsers based on Qt WebEngine =====

{{Note|''qt5-webengine''–based browsers were removed from the list, because it is today considered insecure and outdated.}}

* {{App|Angelfish|Web browser for Plasma Mobile. Part of {{Grp|kde-network}}.|https://apps.kde.org/angelfish/|{{Pkg|angelfish}}}}
* {{App|[[Wikipedia:Dooble|Dooble]]|Colorful Web browser.|https://textbrowser.github.io/dooble/|{{AUR|dooble}}}}
* {{App|[[Wikipedia:Eric Python IDE|Eric]]|QtWebEngine-based HTML browser, part of the eric6 development toolset, can be launched with the {{ic|eric6_browser}} command.|https://eric-ide.python-projects.org/|{{AUR|eric}}}}
* {{App|[[Wikipedia:Falkon|Falkon]]|Web browser based on QtWebEngine, written in Qt framework. Part of {{Grp|kde-network}}.|https://falkon.org/|{{Pkg|falkon}}}}
* {{App|Fiery|A convergent web browser. Part of {{Grp|maui}}.|https://mauikit.org/apps/|{{Pkg|fiery}}}}
* {{App|[[Wikipedia:Konqueror|Konqueror]]|Web browser based on Qt toolkit and Qt WebEngine. Part of {{Grp|kde-network}}.|https://apps.kde.org/konqueror/|{{Pkg|konqueror}}}}
* {{App|[[qutebrowser]]|A keyboard-driven, [[vim]]-like browser based on PyQt5 and QtWebEngine.|https://qutebrowser.org/|{{Pkg|qutebrowser}}}}

===== Browsers based on Electron =====

* {{App|Catalyst|A minimal FOSS web browser with no data collection.|https://getcatalyst.eu.org|{{AUR|catalyst-browser-bin}}}}
* {{App|Franz|Messaging browser for WhatsApp, Facebook Messenger, Slack, Telegram and many other web services.|https://meetfranz.com/|{{AUR|franz}}}}
* {{App|Ferdium|A GPL-licensed alternative to Franz, forked from Franz.|https://ferdium.org/|{{AUR|ferdium}}}}
* {{App|Min|A fast, minimal browser that protects your privacy. It includes an interface designed to minimize distractions.|https://minbrowser.org/|{{AUR|min}}}}
* {{App|Vieb|Minimalist Electron-based browser with Vim-inspired keybindings and a built-in ad-blocker.|https://vieb.dev|{{AUR|vieb}}}}

==== WebKitGTK-based ====

See also [[Wikipedia:WebKit]].

{{Note|''webkitgtk, webkitgtk2, qt5-webkit'' and ''qtwebkit''–based browsers were removed from the list, because these are today considered insecure and outdated. More info [https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ here] and [https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ here].}}

Most of these support ad-blocking via [https://github.com/jun7/wyebadblock wyebadblock].
* {{App|[[Badwolf]]|A minimalist privacy-focused browser.|https://hacktivis.me/projects/badwolf|{{AUR|badwolf}}}}
* {{App|Eolie|Simple web browser for GNOME.|https://wiki.gnome.org/Apps/Eolie|{{Pkg|eolie}}}}
* {{App|[[GNOME Web]]|Browser which uses the WebKitGTK rendering engine. Part of {{Grp|gnome}}.|https://apps.gnome.org/Epiphany/|{{Pkg|epiphany}}}}
* {{App|[[Luakit]]|Fast, small, webkit based browser framework extensible by Lua.|https://luakit.github.io/|{{Pkg|luakit}}}}
* {{App|[[Nyxt]]|Keyboard-oriented, infinitely extensible browser designed for power users. It has familiar key-bindings (Emacs, VI, CUA) and features fuzzy searching between tabs, multiple selections, history as a tree and more.|https://nyxt.atlas.engineer/|{{Pkg|nyxt}}}}
* {{App|[[surf]]|Lightweight WebKit-based browser, which follows the [https://suckless.org/philosophy suckless philosophy] (basically, the browser itself is a single C source file).|https://surf.suckless.org/|{{AUR|surf}}}}
* {{App|Surfer|Simple keyboard based web browser, written in C. It supports custom JS-scripts.|https://github.com/nihilowy/surfer|{{AUR|surfer-git}}}}
* {{App|Tangram|Integration of web applications into the desktop, specifically GNOME.|https://apps.gnome.org/Tangram/|{{Pkg|tangram}}}}
* {{App|Vimb|A Vim-like web browser written in C that is inspired by Pentadactyl and Vimprobable. It includes a manpage and a howto for common configurations. It supports custom JS-scripts, dark mode and handles geolocation requests.|https://fanglingsu.github.io/vimb/|{{Pkg|vimb}}}}
* {{App|wyeb|A vim-like web browser inspired by dwb and luakit with Adblock.|https://github.com/jun7/wyeb|{{AUR|wyeb-git}}}}

==== Goanna-based ====

See also [[Wikipedia:Goanna (software)]].

* {{App|[[Wikipedia:Basilisk (web browser)|Basilisk]]|A XUL-based web browser, similar in design to Firefox, aimed at providing a fully functional browsing experience with a classic interface.|https://basilisk-browser.org/|{{AUR|basilisk}}}}
* {{App|[[Wikipedia:Pale Moon (web browser)|Pale Moon]]|A Firefox fork focussing on speed, with a pre-Firefox 29 interface. Uses [[Wikipedia:Goanna (software)|Goanna]] layout engine, a fork of Gecko. Firefox add-ons may not be compatible. Without support for newer Firefox features such as WebExtensions, cache2, e10s, and OTMC. Many of the old [https://github.com/JustOff/ca-archive 93,598 versions of 19,450 Firefox add-ons created by 14,274 developers over the past 15 years using XUL/XPCOM technology in the Classic Add-ons Archive] still work.|https://www.palemoon.org/|{{AUR|palemoon}}}}

==== Servo-based ====

* {{App|[[Wikipedia:Servo (software)|Servo]]|Web browser rendering engine written in Rust, with WebGL and WebGPU support, and adaptable to desktop, mobile, and embedded applications.|https://servo.org/|{{AUR|servo}}}}
* {{App|Verso|Experimental web browser based on Servo experimenting with multi-view and multi-window and building UI elements entirely from Servo.|https://github.com/versotile-org/verso/|{{AUR|verso-git}}}}

==== Other ====

* {{App|[[Dillo]]|Small, fast graphical web browser built on [[Wikipedia:Fltk|FLTK]]. Uses its own layout engine.|https://dillo-browser.org/|{{Pkg|dillo}}}}
* {{App|[[Wikipedia:Ladybird (web browser)|Ladybird]]|Web browser built from scratch using the [[Wikipedia:SerenityOS|SerenityOS]] LibWeb engine.|https://ladybird.org/|{{AUR|ladybird}}}}
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a graphical X-window/framebuffer version with CSS, image rendering, pull-down menus. It can be launched with the {{ic|xlinks -g}} command.|http://links.twibright.com/|{{Pkg|links}}}}
* {{App|[[Wikipedia:NetSurf|NetSurf]]|Featherweight browser written in C, notable for its slowly developing JavaScript support and fast rendering through its own layout engine.|https://www.netsurf-browser.org/|{{Pkg|netsurf}}}}

=== Gemini browsers ===

See also [[Wikipedia:Gemini (protocol)#Software]].

* {{App|Amfora|Terminal browser for the Gemini protocol.|https://github.com/makeworld-the-better-one/amfora|{{Pkg|amfora}}}}
* {{App|Bombabillo|Non-web client for the terminal, supporting Gopher, Gemini and much more.|https://bombadillo.colorfield.space/|{{AUR|bombadillo}}}}
* {{App|Castor|Graphical client for the Gemini, Gopher, and Finger protocols, written in Rust with GTK.|https://git.sr.ht/~julienxx/castor|{{AUR|castor}}}}
* {{App|Geopard|A graphical gemini client written in rust, using the gtk4 toolkit.|https://github.com/ranfdev/Geopard|{{AUR|geopard}}}}
* {{App|Kristall|Qt-based Gemini browser.|https://github.com/MasterQ32/kristall|{{AUR|kristall}}}}
* {{App|Lagrange|Desktop GUI client for browsing Gemini space, offering modern conveniences familiar from web browsers.|https://gmi.skyjake.fi/lagrange|{{AUR|lagrange}}}}
* {{App|Telescope|w3m-like browser for Gemini.|https://www.telescope-browser.org/{{Dead link|2025|08|15|status=SSL error}}|{{AUR|telescope}}}}

== Web servers ==

A [[Wikipedia:Web server|web server]] serves HTML web pages and other files via HTTP to clients like [[:Category:Web browser|web browsers]].
The major web servers can be interfaced with programs to serve dynamic content ([[web applications]]).

See also [[:Category:Web server]] and [[Wikipedia:Comparison of web server software]].

* {{App|[[Apache HTTP Server]]|A high performance Unix-based HTTP server.|https://httpd.apache.org/|{{Pkg|apache}}}}
* {{App|[[Caddy]]|HTTP/3 web server with automatic HTTPS.|https://caddyserver.com/|{{Pkg|caddy}}}}
* {{App|[[Hiawatha]]|Secure and advanced web server.|https://hiawatha.leisink.net/|{{AUR|hiawatha}}}}
* {{App|[[Lighttpd]]|A secure, fast, compliant and very flexible web-server.|https://www.lighttpd.net/|{{Pkg|lighttpd}}}}
* {{App|[[nginx]]|Lightweight HTTP server and IMAP/POP3 proxy server.|https://nginx.org/|{{Pkg|nginx}}}}
* {{App|sthttpd|Supported fork of the thttpd web server.|https://github.com/blueness/sthttpd|{{AUR|sthttpd}}}}
* {{App|Traefik|A modern reverse proxy and load balancer that makes deploying microservices easy.|https://traefik.io/traefik/|{{Pkg|traefik}}}}
* {{App|yaws|Web server/framework written in Erlang.|https://erlyaws.github.io/|{{AUR|yaws}}}}

=== Static web servers ===

* {{App|Apache Traffic Server|Fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.|https://trafficserver.apache.org/|{{AUR|trafficserver}}}}
* {{App|darkhttpd|A small and secure static web server, written in C, does not support HTTPS or Auth.|https://unix4lyfe.org/darkhttpd/|{{Pkg|darkhttpd}}}}
* {{App|http.server|[[Python]] standard library module, which can be used from the command-line, but due to security considerations not recommended for production.|https://docs.python.org/library/http.server.html|{{Pkg|python}}}}
* {{App|[[miniserve]]|Rust alternative to darkhttpd with UTF-8, optional HTTP authentication, file uploading, and more.|https://github.com/svenstaro/miniserve|{{Pkg|miniserve}}}}
* {{App|quark|An extremely small and simple http get-only web server. It only serves static pages on a single host.|https://tools.suckless.org/quark/|{{AUR|quark-git}}}}
* {{App|serve|Static file serving and directory listing.|https://github.com/zeit/serve|{{AUR|nodejs-serve}}}}
* {{App|Webfs|Simple and instant web server for mostly static content.|https://linux.bytesex.org/misc/webfs.html|{{AUR|webfs}}}}

=== Specialized web servers ===

* {{App|chezdav|WebDAV server that allows to share a particular directory.|https://wiki.gnome.org/phodav|{{Pkg|phodav}}}}
* {{App|LibreKitten|Block-based programming language based off Scratch that includes a web server extension.|https://librekitten.org|{{AUR|librekitten-cli-bin}}}}
* {{App|Mongoose|Embedded web server library, supports WebSocket and MQTT.|https://github.com/cesanta/mongoose|{{AUR|mongoose}}}}
* {{App|OnionShare|Lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you.|https://onionshare.org/|{{Pkg|onionshare}}}}
* {{App|Transfer More|A minimalist open-source upload HTTP server to store and share files temporarily, written in Crystal, and based on Kemal.|https://up.sceptique.eu/|{{AUR|transfer-more}}}}
* {{App|VServer|GTK application, which opens an http server in the selected folder and shares your files.|https://github.com/bcedu/ValaSimpleHTTPServer|{{AUR|vserver-git}}}}
* {{App|webhook|Small server for creating HTTP endpoints (hooks)|https://github.com/adnanh/webhook|{{Pkg|webhook}}}}
* {{App|Woof|An ad-hoc single file webserver; Web Offer One File.|http://www.home.unix-ag.org/simon/woof.html|{{AUR|woof}}}}

=== WSGI servers ===

* {{App|Gunicorn|A Python WSGI HTTP Server for UNIX.|https://gunicorn.org/|{{Pkg|gunicorn}}}}
* {{App|[[uWSGI]]|A fast, self-healing and developer/sysadmin-friendly application container server written in C.|https://uwsgi-docs.readthedocs.io/|{{Pkg|uwsgi}}}}
* {{App|Waitress|A WSGI server for Python 3.|https://github.com/Pylons/waitress|{{Pkg|python-waitress}}}}

Apache also supports WSGI with [[mod_wsgi]].

=== Performance testing ===

* {{App|httperf|Can generate various HTTP workloads, written in C.|https://github.com/httperf/httperf|{{AUR|httperf-git}}}}
* {{App|httping|A "ping"-like tool for HTTP requests|https://www.vanheusden.com/httping/|{{Pkg|httping}}}}
* {{App|http_load|A webserver performance testing tool, runs in a single process.|https://www.acme.com/software/http_load/{{Dead link|2025|03|15|status=SSL error}}|{{AUR|http_load}}}}
* {{App|siege|An HTTP regression testing and benchmarking utility.|https://www.joedog.org/siege-home/|{{Pkg|siege}}}}
* {{App|vegeta|HTTP load testing tool, written in Go.|https://github.com/tsenart/vegeta|{{Pkg|vegeta}}}}
* {{App|Web Bench|Benchmarking tool, uses fork() for simulating multiple clients.|http://home.tiscali.cz/~cz210552/webbench.html|{{AUR|webbench}}}}

== File sharing ==

=== Download managers ===

See also [[Wikipedia:Comparison of download managers]].

==== Console ====

* {{App|[[aria2]]|Lightweight download utility that supports HTTP/S, FTP, SFTP, BitTorrent and Metalink. It can run as a daemon controlled via a built-in JSON-RPC or XML-RPC interface.|https://aria2.github.io/|{{Pkg|aria2}}}}
* {{App|Axel|Featherweight command line download accelerator sitting at under 250kB on disk. Supports HTTP/S and FTP.|https://github.com/eribertomota/axel|{{Pkg|axel}}}}
* {{App|[[cURL]]|A URL retrieval utility and library. Supports HTTP, FTP and SFTP.|https://curl.haxx.se/|{{Pkg|curl}}}}
* {{App|Gtuber|Fetch media info from websites (bilibili, lbry, niconico, reddit, twitch, youtube). Includes a command-line downloader ({{ic|gtuber-dl}}) and a GStreamer plugin, which is used automatically when you try playing video from website that Gtuber can handle in your GStreamer based application.|https://github.com/Rafostar/gtuber|{{AUR|gtuber}}}}
* {{App|HTTPie|Human-friendly command-line HTTP client for the API era.|https://github.com/httpie/httpie|{{Pkg|httpie}}}}
* {{App|[[Wikipedia: dargahamn.net | dargahamn.net ]]|An easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.|https://www. dargahamn.net .com/|{{Pkg| dargahamn.net }}}}
* {{App|[[Wikipedia:Lftp|LFTP]]|Sophisticated file transfer program. Supports HTTP, FTP, SFTP, FISH, and BitTorrent.|https://lftp.yar.ru/|{{Pkg|lftp}}}}
* {{App|Plowshare|A set of command-line tools designed for managing file-sharing websites (aka Hosters).|https://github.com/mcrapet/plowshare|{{AUR|plowshare}}}}
* {{App|[[Wikipedia:RTMPDump|RTMPDump]]|Download FLV videos through RTMP (Adobe's proprietary protocol for Flash video players)|http://rtmpdump.mplayerhq.hu/|{{Pkg|rtmpdump}}}}
* {{App|snarf|Command-line URL retrieval tool. Supports HTTP and FTP.|https://www.xach.com/snarf/|{{AUR|snarf}}}}
* {{App|[[Streamlink]]|Launch streams from various streaming services in a custom video player or save them to a file.|https://streamlink.github.io/|{{Pkg|streamlink}}}}
* {{App|[[Wikipedia:Streamripper|Streamripper]]|Records and splits streaming mp3 into tracks.|https://streamripper.sourceforge.net/|{{AUR|streamripper}}}}
* {{App|[[Wget]]|A network utility to retrieve files from the Web. Supports HTTP and FTP.|https://www.gnu.org/software/wget/|{{Pkg|wget}}}}
* {{App|yewtube|Terminal-based YouTube player and downloader.|https://github.com/mps-youtube/yewtube|{{AUR|yewtube}}}}
* {{App|You-Get|Download media contents (videos, audios, images) from the Web.|https://you-get.org/|{{AUR|you-get}}}}
* {{App|youtube-dl|Download videos from YouTube and many other web sites.|https://rg3.github.io/youtube-dl/|{{AUR|youtube-dl}}}}
* {{App|youtube-viewer|Command line utility for viewing YouTube videos.|https://github.com/trizen/youtube-viewer|{{AUR|youtube-viewer}}}}
* {{App|[[yt-dlp]]|A youtube-dl fork with additional features and fixes.|https://github.com/yt-dlp/yt-dlp|{{Pkg|yt-dlp}}}}
* {{App|ytfzf|A POSIX script to find and watch youtube videos from the terminal.|https://github.com/pystardust/ytfzf|{{Pkg|ytfzf}}}}

==== Graphical ====

* {{App|ClipGrab|Downloader and converter for YouTube, Vimeo and many other online video sites.|https://clipgrab.org/|{{AUR|clipgrab}}}}
* {{App|FatRat|Qt based download manager with support for HTTP, FTP, SFTP, BitTorrent and Metalink.|https://github.com/LubosD/fatrat|{{AUR|fatrat-git}}}}
* {{App|Forklift|Simple GUI for youtube-dl using PyGObject.|https://github.com/Johnn3y/Forklift|{{AUR|forklift-git}}}}
* {{App|gtk-youtube-viewer|GTK utility for viewing YouTube videos. See optional dependencies for the GUI.|https://github.com/trizen/youtube-viewer|{{AUR|youtube-viewer}}}}
* {{App|[[Wikipedia:Wget#GWget|Gwget]]|Download manager for GNOME. Supports HTTP and FTP.|https://gitlab.gnome.org/Archive/gwget|{{AUR|gwget}}}}
* {{App|Gydl|GUI wrapper around the already existing youtube-dl program to download content from sites like YouTube.|https://github.com/JannikHv/gydl|{{AUR|gydl-git}}}}
* {{App|Gyre|GTK3 downloader for videos from Coub.|https://github.com/HelpSeeker/Gyre|{{AUR|gyre}}}}
* {{App|[[JDownloader]]|Java-based downloader for one-click hosting sites.|https://jdownloader.org/|{{AUR|jdownloader2}}}}
* {{App|[[Wikipedia:KGet|KGet]]|Download manager for KDE. Supports HTTP, FTP, BitTorrent and Metalink. Part of {{Grp|kde-network}}.|https://apps.kde.org/kget/|{{Pkg|kget}}}}
* {{App|MegaBasterd|Yet another unofficial MEGA downloader/uploader/streaming suite.|https://github.com/tonikelope/megabasterd|{{AUR|megabasterd-bin}}}}
* {{App|Motrix|Full-featured download manager that supports downloading HTTP, FTP, BitTorrent, Magnet, etc. Based on the [https://electronjs.org/ Electron] platform.|https://motrix.app/|{{AUR|motrix}}}}
* {{App|Persepolis|Graphical front-end for aria2 download manager with lots of features. Supports HTTP and FTP.|https://persepolisdm.github.io/|{{Pkg|persepolis}}}}
* {{App|[[pyLoad]]|Downloader written in Python and designed to be extremely lightweight, easily extensible and fully manageable via web.|https://pyload.net/|{{AUR|pyload-ng}}}}
* {{App|Steadyflow|Simple download manager for GNOME. Supports HTTP and FTP.|https://launchpad.net/steadyflow|{{Pkg|steadyflow}}}}
* {{App|Streamtuner2|Internet radio station and video browser. It simply lists stations in categories from different directories and launches your preferred media apps for playback.|https://sourceforge.net/projects/streamtuner2/|{{AUR|streamtuner2}}}}
* {{App|uGet|GTK download manager featuring download classification and HTML import. Supports HTTP, FTP, BitTorrent, Metalink, YouTube and Mega.|https://ugetdm.com/|{{Pkg|uget}}}}
* {{App|Varia|GTK frontend for aria2c and yt-dlp.|https://github.com/giantpinkrobots/varia|{{AUR|varia}}}}
* {{App|Video Downloader|GTK application to download videos from websites like YouTube and many others (based on youtube-dl).|https://github.com/Unrud/video-downloader|{{AUR|video-downloader}}}}
* {{App|Xtreme Download Manager|Powerful tool to increase download speed up-to 500%. Supports HTTP and FTP. Video grabber works in a general way and is not limited to certain websites.|https://subhra74.github.io/xdm/|{{AUR|xdman}}}}
* {{App|youtubedl-gui|Simple-to-use graphical interface for youtube-dl.|https://github.com/JaGoLi/ytdl-gui|{{AUR|youtubedl-gui}}}}

=== LAN file transfer ===

See also [[#LAN messengers]].

* {{App|LAN Share|Cross-platform local area network file transfer application, built using Qt GUI framework. It can be used to transfer a whole folder, one or more files, large or small immediately without any additional configuration.|https://github.com/abdularis/LAN-Share|{{AUR|lanshare}}}}
* {{App|LocalSend|Cross-platform app to securely share files and messages with nearby devices over the local network without needing an internet connection.|https://localsend.org/|{{AUR|localsend}}}}
* {{App|Magic Wormhole|Command-line tool {{ic|wormhole}} to securely transfer data between computers.|https://github.com/magic-wormhole/magic-wormhole|{{Pkg|magic-wormhole}}}}
* {{App|NitroShare|Cross-platform network file transfer application, built using Qt GUI framework. It is designed to make transferring files from one device to another on the local network extremely simple.|https://nitroshare.net/|{{AUR|nitroshare}}}}
* {{App|Teleport|Native GTK3 application to effortlessly share files on the local network.|https://gitlab.gnome.org/jsparber/teleport|{{AUR|teleport-share-git}}}}
* {{App|Warp|Securely send files to each other via the internet or local network by exchanging a word-based code. It uses the Magic Wormhole protocol.|https://apps.gnome.org/Warp/|{{Pkg|warp}}}}
* {{App|Warpinator|GTK application to share files across the LAN.|https://github.com/linuxmint/warpinator|{{Pkg|warpinator}}}}

=== Cloud storage servers ===

* {{App|copyparty|Lightweight and portable file server with extensive protocol, media playback and file management support.|https://github.com/9001/copyparty|{{Pkg|copyparty}}}}
* {{App|[[Cozy]]|A personal cloud you can hack, host and delete.|https://cozy.io/|{{Pkg|cozy-stack}}}}
* {{App|[[Nextcloud]]|A cloud server to store your files centrally on a hardware controlled by you.|https://nextcloud.com|{{Pkg|nextcloud}}}}
* {{App|[[Pydio]]|Mature open source web application for file sharing and synchronization.|https://pydio.com/|{{AUR|pydio}}}}
* {{App|Seafile|An online file storage and collaboration tool with advanced support for file syncing, privacy protection and teamwork.|https://www.seafile.com/|{{AUR|seafile-server}}}}

=== Cloud synchronization clients ===

{{Tip|<nowiki></nowiki>
* Some [[synchronization and backup programs]] provide direct support for some cloud-storage services.
* Some [[FUSE#List of FUSE filesystems|FUSE filesystems]] provide a way to mount cloud-storage as a filesystem. Google Drive can be accessed also by {{Pkg|kio-gdrive}} for KIO-based applications (like [[Dolphin]]).
* See [[Data-at-rest encryption#Cloud-storage optimized]] to achieve zero-knowledge (client-side transparent encryption) storage on any third-party cloud service.
}}

==== Multi-protocol clients ====

* {{App|CloudCross|Synchronize local files and folders with many cloud providers. Mail.ru Cloud, Yandex Disk, Google Drive, OneDrive and Dropbox support is available.|https://github.com/MasterSoft24/CloudCross|{{AUR|cloudcross}}}}
* {{App|Rclone|Multi-provider sync, copy, and mount client.|https://rclone.org/|{{Pkg|rclone}}}}
* {{App|Rclone Browser|GUI client for Rclone.|https://github.com/kapitainsky/RcloneBrowser|{{AUR|rclone-browser}}}}

==== Google Drive clients ====

* {{App|DriveSync|Command line utility that synchronizes your Google Drive files with a local folder on your machine.|https://github.com/MStadlmeier/drivesync|{{AUR|drivesync}}}}
* {{App|gdrive|Command line utility for interacting with Google Drive.|https://github.com/prasmussen/gdrive|{{AUR|gdrive}}}}
* {{App|Google Drive OCamlFUSE|A FUSE filesystem for Google Drive, written in OCaml.|https://github.com/astrada/google-drive-ocamlfuse|{{AUR|google-drive-ocamlfuse}}}}
* {{App|Grive|Google Drive client with support for new Drive REST API and partial sync.|https://github.com/vitalif/grive2|{{AUR|grive}}}}
* {{App|[[Insync]]|Unofficial proprietary Google Drive desktop client.|https://www.insynchq.com/|{{AUR|insync}}}}

==== Other synchronization clients ====

* {{App|aws-cli|CLI for Amazon Web Services, including efficient file transfers to and from Amazon S3.|https://aws.amazon.com/cli/|{{Pkg|aws-cli}}}}
* {{App|Backblaze B2|Backblaze B2 open-source command-line client.|https://www.backblaze.com/b2/cloud-storage.html|{{AUR|backblaze-b2}}}}
* {{App|Baidu Netdisk|Proprietary client for cloud storage service launched by Baidu (formerly Baidu Cloud).|https://pan.baidu.com|{{AUR|baidunetdisk-bin}}}}
* {{App|[[Cozy]] Drive|Desktop client for Cozy.|https://cozy-labs.github.io/cozy-desktop/|{{Pkg|cozy-desktop}}}}
* {{App|[[Dropbox]]|Proprietary desktop client for Dropbox.|https://www.dropbox.com/|{{AUR|dropbox}}}}
* {{App|[[Wikipedia:Mega (service)|Mega]] Sync Client|Proprietary (though [https://github.com/meganz/MEGAsync/blob/master/LICENCE.md source-available]) desktop client to sync files with Mega.|https://mega.nz/|CLI: {{AUR|megacmd}}, GUI: {{AUR|megasync}}}}
* {{App|Megatools|Unofficial CLI for Mega.|https://megatools.megous.com/|{{AUR|megatools}}}}
* {{App|[[Nextcloud]] Client|Desktop client for Nextcloud.|https://nextcloud.com/|{{Pkg|nextcloud-client}}}}
* {{App|Nutstore|Proprietary desktop client for Nutstore.|https://www.jianguoyun.com/|{{AUR|nutstore}}}}
* {{App|OneDrive|Fork of the unofficial CLI for [https://onedrive.live.com/about/ OneDrive].|https://github.com/abraunegg/onedrive|{{AUR|onedrive-abraunegg}}}}
* {{App|[[Wikipedia:ownCloud|ownCloud]] Desktop Client|Desktop syncing client for ownCloud.|https://owncloud.com/client/|{{Pkg|owncloud-client}}}}
* {{App|pCloud Drive|Proprietary desktop syncing client for pCloud. Based on the [https://electronjs.org/ Electron] platform.|https://www.pcloud.com/download-free-online-cloud-file-storage.html|{{AUR|pcloud-drive}}}}
* {{App|[[Pydio]]Sync|Desktop client for Pydio.|https://pydio.com/|{{AUR|pydio-sync}}}}
* {{App|S3cmd|Unofficial CLI for Amazon S3.|https://s3tools.org/s3cmd|{{Pkg|s3cmd}}}}
* {{App|Seafile Client|GUI client for Seafile.|https://www.seafile.com/|{{AUR|seafile-client}}}}
* {{App|[[Wikipedia:SpiderOak|SpiderOak]] One|Proprietary client for SpiderOak One.|https://spideroak.com/|{{AUR|spideroak-one}}}}
* {{App|[[Wikipedia:Synology|Synology]] Drive|Proprietary GUI client to sync and share files between a centralized Synology NAS and multiple client computers.|https://www.synology.com/|{{AUR|synology-drive}}}}
* {{App|[[Wikipedia:Tresorit|Tresorit]]|Proprietary desktop syncing client for Tresorit.|https://tresorit.com/download|{{AUR|tresorit}}}}
* {{App|Versiobit|Desktop file sync client with versioning and end-to-end encryption.|https://versiobit.com|{{AUR|versiobit}}}}
* {{App|[[Yandex Disk]]|Proprietary CLI for Yandex Disk.|https://disk.yandex.ru/|{{AUR|yandex-disk}}}}

=== FTP ===

==== FTP clients ====

See also [[Wikipedia:Comparison of FTP client software]].

* {{App|[[CurlFtpFS]]|is a filesystem for accessing FTP hosts based on FUSE and libcurl.|https://curlftpfs.sourceforge.net/|{{Pkg|curlftpfs}}}}
* {{App|[[Wikipedia:FileZilla|FileZilla]]|Fast and reliable FTP, FTPS and SFTP client.|https://filezilla-project.org/|{{Pkg|filezilla}}}}
* {{App|ftp|Simple ftp client provided by GNU Inetutils|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftp-invocation|{{Pkg|inetutils}}}}
* {{App|lftp|Sophisticated command line based FTP client|https://lftp.yar.ru/|{{Pkg|lftp}}}}
* {{App|ncftp|A set of free application programs implementing FTP.|https://www.ncftp.com/|{{Pkg|ncftp}}}}
* {{App|[[Wikipedia:tnftp|tnftp]]|FTP client with several advanced features for [[Wikipedia:NetBSD|NetBSD]].|https://freshmeat.sourceforge.net/projects/tnftp|{{Pkg|tnftp}}}}

Some file managers like [[Dolphin]], [[GNOME Files]] and [[Thunar]] also provide FTP functionality.

==== FTP servers ====

See also [[Wikipedia:List of FTP server software]].

* {{App|bftpd|Small, easy-to-configure FTP server|https://bftpd.sourceforge.net/|{{Pkg|bftpd}}}}
* {{App|ftpd|Simple ftp server provided by GNU Inetutils|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftpd-invocation|{{Pkg|inetutils}}}}
* {{App|proFTPd|A secure and configurable FTP server|http://www.proftpd.org/|{{AUR|proftpd}}}}
* {{App|[[Pure-FTPd]]|Free (BSD-licensed), secure, production-quality and standard-compliant FTP server.|https://www.pureftpd.org/project/pure-ftpd/|{{AUR|pure-ftpd}}}}
* {{App|[[vsftpd]]|Lightweight, stable and secure FTP server for UNIX-like systems.|https://security.appspot.com/vsftpd.html|{{Pkg|vsftpd}}}}

=== BitTorrent clients ===

Some [[#Download managers|download managers]] are also able to connect to the BitTorrent network: [[Aria2]], [[Wikipedia:Lftp|LFTP]], FatRat, [[Wikipedia:KGet|KGet]], [[Wikipedia:MLDonkey|MLDonkey]], uGet.

See also [[Wikipedia:Comparison of BitTorrent clients]].

==== Console ====

* {{App|Ctorrent|CTorrent is a BitTorrent client implemented in C++ to be lightweight and quick.|http://www.rahul.net/dholmes/ctorrent/|{{AUR|enhanced-ctorrent}}}}
* {{App|[[Deluge]]|BitTorrent client with multiple user interfaces in a client/server model. This package includes a console client.|https://deluge-torrent.org/|{{Pkg|deluge}}}}
* {{App|peerflix|Streaming torrent client for node.js.|https://github.com/mafintosh/peerflix|{{AUR|peerflix}}}}
* {{App|[[rTorrent]]|Simple and lightweight ncurses BitTorrent client.|https://rakshasa.github.io/rtorrent/|{{Pkg|rtorrent}}}}
* {{App|[[Transmission]] CLI|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends. This package includes backend, daemon, command-line interface, and a Web UI interface.|https://transmissionbt.com/|{{Pkg|transmission-cli}}}}

==== Graphical ====

* {{App|[[Deluge]] (GTK interface)|User-friendly BitTorrent client written in Python using GTK.|https://deluge-torrent.org/|{{Pkg|deluge-gtk}}}}
* {{App|Fragments|Easy to use BitTorrent client for the GNOME desktop environment.|https://apps.gnome.org/Fragments/|{{Pkg|fragments}}}}
* {{App|[[Wikipedia:FrostWire|FrostWire]]|Easy to use cloud downloader, BitTorrent client and media player.|https://www.frostwire.com/|{{AUR|frostwire}}}}
* {{App|Gopeed|Modern download manager built with Golang and Flutter that supports HTTP, BitTorrent, Magnet protocol.|https://gopeed.com/|{{AUR|gopeed-bin}}}}
* {{App|[[Ktorrent]]|Feature-rich BitTorrent client for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/ktorrent/|{{Pkg|ktorrent}}}}
* {{App|PikaTorrent|Pick a Torrent, stream and download on all your devices.|https://www.pikatorrent.com/|{{AUR|pikatorrent-bin}}, {{AUR|pikatorrent-git}}}}
* {{App|Powder Player|Hybrid between a streaming BitTorrent client and a player. Based on the [https://electronjs.org/ Electron] platform.|https://powder.media/|{{AUR|powder-player-bin}}}}
* {{App|[[qBittorrent]]|Open source (GPLv2) BitTorrent client with an integrated torrent search engine that strongly resembles µTorrent.|https://www.qbittorrent.org/|{{Pkg|qbittorrent}}}}
* {{App|[[Wikipedia:Tixati|Tixati]]|Proprietary peer-to-peer file sharing program that uses the popular BitTorrent protocol.|https://tixati.com/|{{AUR|tixati}}}}
* {{App|[[Transmission]]|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends.|https://transmissionbt.com/|GTK: {{Pkg|transmission-gtk}}, Qt: {{Pkg|transmission-qt}}}}
* {{App|[[Transmission]] Remote|GTK client for remote management of the Transmission BitTorrent client, using its HTTP RPC protocol.|https://github.com/transmission-remote-gtk/transmission-remote-gtk|{{Pkg|transmission-remote-gtk}}}}
* {{App|Tremotesf|Qt client for remote management of the Transmission BitTorrent client, using its HTTP RPC protocol.|https://github.com/equeim/tremotesf2|{{AUR|tremotesf}}}}
* {{App|[[Wikipedia:Tribler|Tribler]]|4th generation file sharing system BitTorrent client.|https://www.tribler.org|{{AUR|tribler-bin}}}}
* {{App|[[Wikipedia:Vuze|Vuze]]|Feature-rich BitTorrent client written in Java (formerly Azureus).|https://www.vuze.com/|{{AUR|vuze}}}}
* {{App|WebTorrent Desktop|Streaming BitTorrent application. Based on the [https://electronjs.org/ Electron] platform.|https://webtorrent.io/desktop/|{{AUR|webtorrent-desktop}}}}

=== Other P2P networks ===

See also [[Wikipedia:Comparison of file-sharing applications]].

* {{App|[[aMule]]|Well-known eDonkey/Kad client with a daemon version and GTK, web, and CLI front-ends.|https://www.amule.org/|{{Pkg|amule}}}}
* {{App|EiskaltDC++|Direct Connect and ADC client.|https://github.com/eiskaltdcpp/eiskaltdcpp|GTK: {{AUR|eiskaltdcpp-gtk}}, Qt: {{AUR|eiskaltdcpp-qt}}}}
* {{App|[[Wikipedia:gtk-gnutella|gtk-gnutella]]|GTK server/client for the Gnutella peer-to-peer network.|https://gtk-gnutella.sourceforge.net/|{{AUR|gtk-gnutella}}}}
* {{App|[[IPFS]]|IPFS is a P2P Network capable of sharing and receiving files.|https://ipfs.io/|{{Pkg|kubo}}}}
* {{App|KaMule|KDE graphical front-end for aMule.|https://github.com/nihui/kamule/|{{AUR|kamule}}}}
* {{App|LBRY|Browser and wallet for LBRY, the decentralized, user-controlled content marketplace. Based on the [https://electronjs.org/ Electron] platform.|https://lbry.io/|{{AUR|lbry-desktop}}}}
* {{App|lbt|Small set of command-line tools for LBRY.|https://gitlab.com/gardenappl/lbt|{{AUR|lbt}}}}
* {{App|[[Wikipedia:MLDonkey|MLDonkey]]|Multi-protocol P2P client that supports HTTP, FTP, BitTorrent, Direct Connect, eDonkey and FastTrack.|https://mldonkey.sourceforge.net/|{{AUR|mldonkey}}}}
* {{App|ncdc|Modern and lightweight Direct Connect and ADC client with a friendly ncurses interface.|https://dev.yorhel.nl/ncdc|{{AUR|ncdc}}}}
* {{App|Nicotine+|A graphical client for the Soulseek P2P network.|https://github.com/Nicotine-Plus/nicotine-plus|{{Pkg|nicotine+}}}}
* {{App|Send Anywhere|Proprietary file sharing service where users can directly share digital content in real time. Based on the [https://electronjs.org/ Electron] platform.|https://send-anywhere.com/|{{AUR|sendanywhere}}}}

=== Pastebin services ===

See also [[Wikipedia:Pastebin]].

Pastebin services are often used to quote text or images while collaborating and troubleshooting. Pastebin clients provide a convenient way to post from the command line.
{{Note|An acceptable pastebin service does not require enabling JavaScript for viewing, does not display adverts, manipulate the pasted content or require a login.

[https://pastebin.com/ pastebin.com] is blocked for some people because of malware found on the site and has a history of annoying issues (requires JavaScript, displays adverts, inserts CRLF line-endings and displaying CAPTCHAs at random). Do '''not''' use it.}}

==== Without a dedicated client ====

Some services can be used with more general command line tool, such as [[cURL]]. For extensions, such as line numbers, one can use more command line tools. Such as {{ic|cat -n}}.

* [https://0x0.st/ 0x0.st] is a file hosting service. Usage examples are:
:{{bc|1=$ ''command'' {{!}} curl -F 'file=@-' <nowiki>https://0x0.st</nowiki>}} or upload a file: {{bc|1=$ curl -F 'file=@''path/to/file''' <nowiki>https://0x0.st</nowiki>}}
:{{Note|Read the instructions on the website for further options such as file removal tokens, expiration, and private URLs.}}
* [https://paste.c-net.org/ paste.c-net.org] accepts HTTP requests and works with [[nc]].
* [https://termbin.com termbin.com] works with [[nc]].

==== Dedicated clients ====

* {{App|Fb-client|Client for the [https://paste.xinu.at/ paste.xinu.at] pastebin.|https://paste.xinu.at|{{Pkg|fb-client}}}}
* {{App|Gist|Command-line interface for the [https://gist.github.com/ gist.github.com] pastebin service.|https://github.com/defunkt/gist|{{Pkg|gist}}}}
* {{App|imgur|A CLI client which can upload image to [https://imgur.com imgur.com] image sharing service.|https://github.com/tremby/imgur.sh|{{AUR|imgur.sh}}}}
* {{App|Pastebinit|Really small Python script that acts as a Pastebin client (see {{ic|pastebinit -l}} for the list of servers).|https://launchpad.net/pastebinit|{{Pkg|pastebinit}}}}
* {{App|ruby-haste|Client for [https://hastebin.com/ hastebin.com].|https://github.com/seejohnrun/haste-client|{{AUR|ruby-haste}}}}
* {{App|Wgetpaste|Bash script that automates pasting to a number of pastebin services.|http://wgetpaste.zlin.dk/|{{Pkg|wgetpaste}}}}

== Communication ==

=== Email clients ===

See also [[Wikipedia:Comparison of email clients]]

==== Console ====

* {{App|[[aerc]]|Work in progress asynchronous email client.|https://sr.ht/~rjarry/aerc|{{Pkg|aerc}}}}
* {{App|alot|An experimental terminal MUA based on [https://notmuchmail.org/ notmuch mail]. It is written in python using the [https://urwid.org/ urwid] toolkit.|https://github.com/pazz/alot|{{Pkg|alot}}}}
* {{App|[[Alpine]]|Fast, easy-to-use and Apache-licensed email client based on [[Wikipedia:Pine (email client)|Pine]].|https://alpineapp.email/|{{AUR|alpine}}}}
* {{App|himalaya|Himalaya CLI is written in Rust, based on email-lib.|https://github.com/pimalaya/himalaya|{{Pkg|himalaya}}}}
* {{App|mu/mu4e|Email indexer (mu) and client for emacs (mu4e). Xapian based for fast searches.|https://www.djcbsoftware.nl/code/mu/mu4e.html|{{AUR|mu}}}}
* {{App|[[Mutt]]|Small but very powerful text-based mail client.|http://www.mutt.org/|{{Pkg|mutt}}}}
* {{App|[[Mutt|NeoMutt]]|Command line mail reader (or MUA). It is a fork of Mutt with added features.|https://neomutt.org/|{{Pkg|neomutt}}}}
* {{App|[[nmh]]|A modular mail handling system.|https://www.nongnu.org/nmh/|{{AUR|nmh}}}}
* {{App|[[notmuch]]|A fast mail indexer built on top of ''xapian''.|https://notmuchmail.org/|{{Pkg|notmuch}}}}
* {{App|sendemail|A lightweight command line SMTP email client written in Perl.|http://caspian.dotconf.net/menu/Software/SendEmail/|{{AUR|sendemail}}}}
* {{App|[[S-nail]]|a mail processing system with a command syntax reminiscent of ''ed'' with lines replaced by messages. Provides the functionality of [[Wikipedia:mailx|mailx]].|https://www.sdaoden.eu/code.html#s-mailx|{{Pkg|s-nail}}}}
* {{App|[[Sup]]|CLI mail client with very fast searching, tagging, threading and GMail like operation.|https://sup-heliotrope.github.io/|{{AUR|sup}}}}
* {{App|swaks|Swiss Army Knife SMTP; Command line SMTP testing, including TLS and AUTH, can be used to send emails.|https://jetmore.org/john/code/swaks/|{{Pkg|swaks}}}}
* {{App|Wanderlust|Email client and news reader for Emacs.|https://github.com/wanderlust/wanderlust/|{{Pkg|wanderlust}}}}

==== Graphical ====

* {{App|Balsa|Simple and light email client for GNOME.|https://pawsa.fedorapeople.org/balsa/|{{Pkg|balsa}}}}
* {{App|Betterbird|Fork of thunderbird.|https://www.betterbird.eu/|{{AUR|betterbird-bin}}}}
* {{App|[[Wikipedia:Claws Mail|Claws Mail]]|Lightweight GTK-based email client and news reader.|https://www.claws-mail.org/|{{Pkg|claws-mail}}}}
* {{App|ElectronMail|Unofficial desktop application for several end-to-end encrypted email providers (like ProtonMail, Tutanota). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/vladimiry/ElectronMail|{{AUR|electronmail-bin}}}}
* {{App|[[Evolution]]|Mature and feature-rich e-mail client that is part of the GNOME project. Part of {{Grp|gnome-extra}}.|https://gitlab.gnome.org/GNOME/evolution/-/wikis/home|{{Pkg|evolution}}}}
* {{App|Geary|Simple desktop mail client built in [[Wikipedia:Vala (programming language)|Vala]]. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Geary|{{Pkg|geary}}}}
* {{App|[[Wikipedia:Kmail|Kmail]]|Mature and feature-rich email client. Part of {{Grp|kde-pim}}.|https://kontact.kde.org/components/kmail/|{{Pkg|kmail}}}}
* {{App|Mailspring|Fork of [[Wikipedia:Nylas Mail|Nylas Mail]] by one of the original authors. The paid "Pro" version requires a Mailspring ID and has extra features like snooze, send later. Based on the [https://electronjs.org/ Electron] platform.|https://getmailspring.com/|{{AUR|mailspring}}}}
* {{App|[[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]]|Email client included in the SeaMonkey suite.|https://www.seamonkey-project.org/|{{AUR|seamonkey}}}}
* {{App|[[Thunderbird]]|Feature-rich email client from Mozilla written in GTK.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}
* {{App|Tutanota|Email client for Tutanota mail service. Based on the [https://electronjs.org/ Electron] platform.|https://tutanota.com/|{{AUR|tutanota-desktop}}}}

==== Web-based ====

* {{App|[[Nextcloud]] Mail|An email webapp for NextCloud.|https://github.com/nextcloud/mail|{{Pkg|nextcloud-app-mail}}}}
* {{App|[[Roundcube]]|Browser-based multilingual IMAP client webapp with a native application-like user interface.|https://roundcube.net/|{{Pkg|roundcubemail}}}}
* {{App|SquirrelMail|Webmail for Nuts!|https://squirrelmail.org/|{{AUR|squirrelmail}}}}

=== Mail notifiers ===

* {{App|Ayatana Webmail|Webmail notifications and actions for any desktop.|https://tari.in/www/software/ayatana-webmail/{{Dead link|2025|08|15|status=404}}|{{AUR|ayatana-webmail}}}}
* {{App|Bubblemail|New and Unread mail notification service for local mailboxes, pop, imap, and gnome online accounts. A fork of Mailnag.|http://bubblemail.free.fr/|{{AUR|bubblemail}}}}
* {{App|Gnubiff|Mail notification program that checks for mail and displays headers when new mail has arrived.|https://gnubiff.sourceforge.net/|{{Pkg|gnubiff}}}}
* {{App|Mailnag|Extensible mail notification daemon.|https://github.com/pulb/mailnag|{{Pkg|mailnag}}}}

=== Mail servers ===

See [[Mail server]].

* {{App|DavMail|POP/IMAP/SMTP/Caldav/Carddav/LDAP exchange gateway allowing users to use any mail/calendar client with an Exchange server.|https://davmail.sourceforge.net/|{{AUR|davmail}}}}
* {{App|Modoboa|A modular mail hosting and management platform, written in Python.|https://modoboa.org/|{{AUR|modoboa}}}}

=== Mail retrieval agents ===

See also [[Wikipedia:Mail retrieval agent]].

* {{App|[[fdm]]|Program to fetch and deliver mail.|https://github.com/nicm/fdm|{{Pkg|fdm}}}}
* {{App|[[Wikipedia:Fetchmail|Fetchmail]]|A remote-mail retrieval utility.|https://www.fetchmail.info/|{{Pkg|fetchmail}}}}
* {{App|[[getmail]]|A POP3/IMAP4 mail retriever with reliable Maildir and command delivery.|http://pyropus.ca/software/getmail/|{{AUR|getmail}}}}
* {{App|hydroxide|A third-party, open-source ProtonMail CardDAV, IMAP and SMTP bridge|https://github.com/emersion/hydroxide|{{AUR|hydroxide}}}}
* {{App|imapsync|IMAP synchronisation, sync, copy or migration tool|https://imapsync.lamiral.info/|{{Pkg|imapsync}}}}
* {{App|[[isync]]|IMAP and MailDir mailbox synchronizer|https://isync.sourceforge.net/|{{Pkg|isync}}}}
* {{App|mpop|A small, fast POP3 client suitable as a fetchmail replacement|https://marlam.de/mpop/|{{Pkg|mpop}}}}
* {{App|[[OfflineIMAP]]|Synchronizes emails between two repositories.|https://www.offlineimap.org/|{{Pkg|offlineimap}}}}
* {{App|vomit|Rust utility to sync between Maildir mailbox and IMAP mailbox|https://git.sr.ht/~bitfehler/vomit-sync/tree/master/item/cli/README.md|{{AUR|vsync}} (sync-only part of {{AUR|vomit}} mail tookit)}}

=== Instant messaging clients ===

See also [[Wikipedia:Comparison of instant messaging clients]] and [[Wikipedia:Comparison of VoIP software]].

This section lists all client software with [[Wikipedia:Instant messaging|instant messaging]] support.

==== Multi-protocol clients ====

{{Note|All messengers that support several networks by means of direct connections to them belong to this section.}}

The number of networks supported by these clients is very large but they (like any multi-protocol clients) usually have very limited or no support for network-specific features.

===== Console =====

* {{App|[[Bitlbee|BitlBee]]|IRC gateway to popular chat networks.|https://bitlbee.org/|{{AUR|bitlbee}}}}
* {{App|Finch|Ncurses-based chat client that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, IRC, SIMPLE, XMPP, Zephyr).|https://developer.pidgin.im/wiki/Using%20Finch|{{AUR|finch}}}}
* {{App|[[WeeChat]]|Modular, lightweight ncurses-based IRC client. A variety of other protocols are supported through plugins.|https://weechat.org/|{{Pkg|weechat}}}}

===== Graphical =====

* {{App|[[Wikipedia:Jitsi|Jitsi]]|Audio/video VoIP phone and instant messenger written in Java that supports protocols such as SIP, XMPP, IRC and many other useful features.|https://jitsi.org/|{{AUR|jitsi}}}}
* {{App|Lith|WeeChat Relay client, allowing to connect to a running WeeChat instance from anywhere.|https://lith.app/|{{AUR|lith-git}}}}
* {{App|[[Pidgin]]|Multi-protocol instant messaging client with audio support that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, IRC, SIMPLE, XMPP, Zephyr).|https://pidgin.im/|{{AUR|pidgin}}}}
* {{App|[[Wikipedia:Smuxi|Smuxi]]|Cross-platform IRC client that also supports XMPP.|https://smuxi.im/|{{AUR|smuxi}}}}
* {{App|[[Thunderbird]]|Feature-rich email client supports instant messaging and chat using IRC and XMPP.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}
* {{App|glowing-bear-electron|A web client for WeeChat|https://glowing-bear.org/|{{AUR|glowing-bear-electron}}}}

==== IRC clients ====

See also [[Wikipedia:Comparison of Internet Relay Chat clients]].

===== Console =====

* {{App|[[Wikipedia:BitchX|BitchX]]|Console-based IRC client developed from the popular [[Wikipedia:ircII|ircII]].|https://bitchx.sourceforge.net/|{{AUR|bitchx-git}}}}
* {{App|catgirl|TLS-only terminal IRC client.|https://git.causal.agency/catgirl|{{AUR|catgirl}}}}
* {{App|ERC|Powerful, modular and extensible IRC client for [[Emacs]].|https://savannah.gnu.org/projects/erc/|included with {{Pkg|emacs}}}}
* {{App|[[ii]]|Featherweight IRC client, literally {{ic|tail -f}} the conversation and {{ic|echo}} back your replies to a file.|https://tools.suckless.org/ii/|{{AUR|ii}}}}
* {{App|ircii|Oldest maintained IRC client which lays claim to being small and fast owing to its reduced feature set.|http://www.eterna23.net/ircii/|{{AUR|ircii}}}}
* {{App|[[Irssi]]|Highly-configurable ncurses-based IRC client.|https://irssi.org/|{{Pkg|irssi}}}}
* {{App|pork|Programmable, ncurses-based IRC client that mostly looks and feels like ircII.|http://dev.ojnk.net/|{{Pkg|pork}}}}
* {{App|ScrollZ|Advanced IRC client based on [[Wikipedia:ircII|ircII]].|https://www.scrollz.info/|{{AUR|scrollz}}}}
* {{App|senpai|An IRC client that works best with bouncers (e.g. {{Pkg|soju}}): no logs are kept, history is fetched from the server via [https://ircv3.net/specs/extensions/chathistory CHATHISTORY], networks are fetched from the server via [https://git.sr.ht/~emersion/soju/tree/master/item/doc/ext/bouncer-networks.md bouncer-networks].
|https://sr.ht/~delthas/senpai/|{{Pkg|senpai}}}}
* {{App|sic|Extremely simple IRC client, similar to [[Wikipedia:Ii (IRC client)|ii]].|https://tools.suckless.org/sic/|{{AUR|sic}}}}
* {{App|tiny|an IRC client written in Rust with a clutter-free interface|https://github.com/osa1/tiny|{{Pkg|tiny}}}}

===== Graphical =====

* {{App|[[Wikipedia:ChatZilla|ChatZilla]]|Clean, easy to use and highly extensible Internet Relay Chat (IRC) client, built on the Mozilla platform using [[Wikipedia:XULRunner|XULRunner]]. Included in the [[Wikipedia:SeaMonkey|SeaMonkey]] suite.|http://chatzilla.hacksrus.com/|{{AUR|seamonkey}}}}
* {{App|Halloy|An open-source IRC client written in Rust, with the iced GUI library.|https://halloy.squidowl.org/|{{Pkg|halloy}}}}
* {{App|[[HexChat]]|Fork of XChat for Linux and Windows.|https://hexchat.github.io/|{{AUR|hexchat}}}}
* {{App|[[Wikipedia:Konversation|Konversation]]|Qt-based IRC client for the KDE desktop. Part of {{Grp|kde-network}}.|https://konversation.kde.org/|{{Pkg|konversation}}}}
* {{App|[[Wikipedia:KVIrc|KVIrc]]|Qt-based IRC client featuring extensive themes support.|https://kvirc.net/|{{Pkg|kvirc}}}}
* {{App|Loqui|GTK IRC client.|https://loqui.sunnyone.org/|{{AUR|loqui}}}}
* {{App|LostIRC|Simple GTK IRC client with tab-autocompletion, multiple server support, logging and others.|https://lostirc.sourceforge.net|{{AUR|lostirc}}}}
* {{App|Polari|Simple IRC client by the GNOME project. Part of {{Grp|gnome-extra}}.|https://apps.gnome.org/Polari/|{{Pkg|polari}}}}
* {{App|[[Quassel]]|Modern, cross-platform, distributed IRC client.|https://quassel-irc.org/|KDE: {{Pkg|quassel-monolithic}}, Qt: {{Pkg|quassel-monolithic-qt}}}}
* {{App|Srain|Modern, beautiful IRC client written in GTK 3.|https://srain.silverrainz.me|{{AUR|srain}}}}
* {{App|Thelounge|Modern self-hosted web IRC client|https://thelounge.chat/|{{AUR|thelounge}}}}

==== XMPP clients ====

See also [[Wikipedia:XMPP]].

===== Console =====

* {{App|Freetalk|Console-based XMPP client.|https://www.gnu.org/software/freetalk/|{{AUR|freetalk}}}}
* {{App|jabber.el|Minimal XMPP client for [[Emacs]].|https://emacs-jabber.sourceforge.net/|{{AUR|emacs-jabber}}}}
* {{App|MCabber|Small XMPP console client, includes features: SSL, PGP, MUC, OTR and UTF8.|https://mcabber.com/|{{Pkg|mcabber}}}}
* {{App|Poezio|XMPP client with IRC feeling|https://poez.io/|{{AUR|poezio}}}}
* {{App|Profanity|A console based XMPP client inspired by Irssi.|https://profanity-im.github.io/|{{Pkg|profanity}}}}

===== Graphical =====

* {{App|Converse.js|Web-based XMPP chat client written in JavaScript.|https://conversejs.org/|{{AUR|conversejs}}}}
* {{App|Dino|A modern, easy to use XMPP client, with PGP and OMEMO support.|https://dino.im/|{{Pkg|dino}}}}
* {{App|[[Gajim]]|XMPP client with audio support written in Python using GTK.|https://gajim.org/|{{Pkg|gajim}}}}
* {{App|Kaidan|A simple, user-friendly Jabber/XMPP client providing a modern user interface using Kirigami and QtQuick.|https://www.kaidan.im/|{{Pkg|kaidan}}}}
* {{App|Libervia (Salut à Toi)|Web frontend for Salut à Toi, multi-purpose XMPP client|https://libervia.org/|{{AUR|libervia-web-hg}}}}
* {{App|Nextcloud JavaScript XMPP Client|Chat app for Nextcloud with XMPP, end-to-end encryption, video calls, file transfer & group chat.|https://github.com/nextcloud/jsxc.nextcloud|{{AUR|nextcloud-app-jsxc}}}}
* {{App|[[Wikipedia:Psi (instant messaging client)|Psi]]|Qt-based XMPP client.|https://psi-im.org/|{{Pkg|psi}}}}
* {{App|[[Wikipedia:Spark (XMPP client)|Spark]]|Cross-platform real-time XMPP collaboration client optimized for business and organizations.|https://www.igniterealtime.org/projects/spark/|{{AUR|spark}}}}
* {{App|Swift|XMPP client written in C++ with Qt and Swiften.|https://swift.im/|{{AUR|swift-im}}}}
* {{App|[[Wikipedia:Tkabber|Tkabber]]|Easy to hack feature-rich XMPP client by the author of the ejabberd XMPP server.|https://tkabber.jabber.ru/|{{AUR|tkabber}}}}
* {{App|Vacuum IM|Full-featured crossplatform XMPP client.|https://github.com/Vacuum-IM/vacuum-im|{{AUR|vacuum-im}}}}

==== SIP clients ====

See also [[Wikipedia:List of SIP software#Clients]].

* {{App|baresip|portable and modular SIP User-Agent with audio and video support.|https://github.com/baresip/baresip|{{Pkg|baresip}}}}
* {{App|[[Wikipedia:Blink (SIP client)|Blink]]|State of the art, easy to use SIP client.|https://icanblink.com/|{{AUR|blink}}}}
* {{App|Calls|Simple, elegant phone dialer and call handler for GNOME. It can be used with a cellular modem for plain old telephone calls as well as VoIP calls using the SIP protocol.|https://gitlab.gnome.org/GNOME/calls|{{Pkg|gnome-calls}}}}
* {{App|Jami|SIP-compatible softphone and instant messenger for the decentralized Jami network. Formerly known as Ring and SFLphone.|https://jami.net/|{{Pkg|jami-qt}}}}
* {{App|[[Wikipedia:Linphone|Linphone]]|VoIP phone application (SIP client) for communicating freely with people over the internet, with voice, video, and text instant messaging.|https://www.linphone.org/|{{AUR|linphone-desktop}}}}
* {{App|[[Wikipedia:Twinkle (software)|Twinkle]]|Qt softphone for VoIP and IM communication using SIP.|http://twinkle.dolezel.info/|{{AUR|twinkle}}}}
* {{App|Zoiper|Proprietary SIP and IAX2 VoIP softphone|https://zoiper.com|{{AUR|zoiper-bin}}}}

==== Matrix clients ====

See also [[Matrix]] and [https://matrix.org/clients/ Matrix Clients].

* {{App|Chatty|Simple to use SMS and Matrix messaging application.|https://gitlab.gnome.org/World/Chatty|{{Pkg|chatty}}}}
* {{App|Cinny|Cinny is a matrix client focusing primarily on simple, elegant and secure interface. The desktop app is made with [https://github.com/tauri-apps/tauri Tauri].|https://github.com/cinnyapp/cinny-desktop|{{AUR|cinny-desktop}}}}
* {{App|Element|Glossy Matrix client with an emphasis on performance and usability. Web application and desktop application based on the [https://electronjs.org/ Electron] platform.|https://element.io/|{{Pkg|element-web}}, {{Pkg|element-desktop}}}}
* {{App|FluffyChat|Multi-platform Matrix client with a simple and clean UI written in Dart/Flutter.|https://fluffychat.im/|{{AUR|fluffychat}}}}
* {{App|Fractal|Matrix client for GNOME written in Rust.|https://wiki.gnome.org/Apps/Fractal|{{Pkg|fractal}}}}
* {{App|Gomuks|Terminal Matrix client written in Go using [https://github.com/tulir/mautrix-go mautrix] and [https://github.com/tulir/mauview mauview].|https://maunium.net/go/gomuks|{{Pkg|gomuks}}}}
* {{App|iamb|A terminal-based Matrix client with Vim keybindings written in Rust.|https://github.com/ulyssa/iamb|{{Aur|iamb}}}}
* {{App|Moment|A fancy, customizable, keyboard-operable Matrix chat client for encrypted and decentralized communication. Written in Qt/QML + Python with nio, fork of the now-abandoned Mirage.|https://mx-moment.xyz/|{{AUR|moment}}}}
* {{App|Neochat|KDE client for the Matrix protocol. Part of {{Grp|kde-network}}.|https://apps.kde.org/neochat/|{{Pkg|neochat}}}}
* {{App|nheko|Desktop client for the Matrix protocol.|https://github.com/Nheko-Reborn/nheko|{{Pkg|nheko}}}}
* {{App|Quaternion|Qt5-based IM client for the Matrix protocol.|https://github.com/QMatrixClient/Quaternion|{{AUR|quaternion}}}}
* {{App|QuickMedia|A rofi inspired native client for web services. Supports Matrix and several other sites.|https://git.dec05eba.com/QuickMedia/about/|{{AUR|quickmedia}}}}
* {{App|SchildiChat|Matrix client based on Element with a more traditional instant messaging experience. Based on the [https://electronjs.org/ Electron] platform.|https://schildi.chat/|{{AUR|schildichat-desktop-eol}}}}
* {{App|Spectral|Qt5-based Glossy cross-platform client for Matrix.|https://gitlab.com/spectral-im/spectral|{{AUR|spectral-matrix}}}}
* {{App|Syphon|Privacy-centric cross-platform Matrix client with E2EE support, currently in alpha.|https://github.com/syphon-org/syphon|{{AUR|syphon-bin}}}}

==== Tox clients ====

See also [[Tox]] and [https://wiki.tox.chat/clients comparison clients]

* {{App|ratox|FIFO based tox client.|https://git.z3bra.org/ratox/file/README.html|{{AUR|ratox-git}}}}
* {{App|Toxic|ncurses-based Tox client|https://github.com/Jfreegman/toxic|{{Pkg|toxic}}}}
* {{App|Venom|a modern Tox client for the GNU/Linux desktop|https://github.com/naxuroqa/Venom|{{AUR|venom}}}}
* {{App|µTox|Lightweight Tox client.|https://github.com/uTox/uTox|{{Pkg|utox}}}}

==== LAN messengers ====

See also [[Avahi#Link-Local (Bonjour/Zeroconf) chat]] and [[Wikipedia:Comparison of LAN messengers]].

* {{App|BeeBEEP|Secure LAN Messenger.|https://www.beebeep.net/|{{AUR|beebeep}}}}
* {{App|iptux|LAN communication software, compatible with IP Messenger.|https://github.com/iptux-src/iptux|{{Pkg|iptux}}}}

==== P2P messaging clients ====

See also [[Ring]] and [[Tox]].

* {{App|[[Wikipedia:Briar (software)|Briar]]|Briar is a messaging application designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate.|https://briarproject.org/|{{AUR|briar-desktop}}, {{AUR|briar-headless}}}}
* {{App|Manyverse|Modern decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB).|https://gitlab.com/staltz/manyverse|{{AUR|manyverse-bin}}}}
* {{App|Patchwork|Decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/ssbc/patchwork|{{AUR|ssb-patchwork}}}}
* {{App|Poncho Wonky|Decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB). Based on the [https://electronjs.org/ Electron] platform. Maintained, updated Fork of Patchwork|https://github.com/soapdog/patchwork/|{{AUR|poncho-wonky}}}}
* {{App|RetroShare|Serverless encrypted instant messenger with filesharing, chatgroups, mail.|https://retroshare.cc/|{{AUR|retroshare}}}}
* {{App|[[Wikipedia:Ricochet (software)|Ricochet]]|Anonymous peer-to-peer instant messaging system built on [[Tor]] hidden services.|https://www.ricochetrefresh.net/|{{AUR|ricochet-refresh}}}}

==== Chatmail clients ====

* {{App|Delta Chat|A privacy oriented [https://chatmail.at/ chatmail] application. Based on the [https://electronjs.org/ Electron] platform.|https://delta.chat/|{{Pkg|deltachat-desktop}}}}
* {{App|Parla|A [https://chatmail.at/ chatmail] application for the [[GNOME]] desktop. Based on the [[GTK]] framework.|https://github.com/trufae/parla/|{{Pkg|parla}}}}

==== Other IM clients ====

* {{App|Caprine|Unofficial Facebook Messenger app. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/sindresorhus/caprine|{{AUR|caprine}}}}
* {{App|Chatterino|Chat client for Twitch chat.|https://chatterino.com/|{{AUR|chatterino2}}}}
* {{App|[[Discord]]|Proprietary all-in-one voice and text chat application for gamers that’s free and works on both your desktop and phone. Based on the [https://electronjs.org/ Electron] platform.|https://discordapp.com/|{{Pkg|discord}}}}
* {{App|Flare|Unofficial Signal client based on GTK.|https://gitlab.com/schmiddi-on-mobile/flare|{{AUR|flare}}}}
* {{App|[[Wikipedia:Gitter|Gitter]]|Communication product for communities and teams on GitLab and GitHub.|https://gitter.im/|{{AUR|gitter-bin}}}}
* {{App|[[Wikipedia:Jitsi|Jitsi]] Meet|Desktop application for Jitsi Meet. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/jitsi/jitsi-meet-electron|{{AUR|jitsi-meet-desktop}}}}
* {{App|Kotatogram Desktop|Experimental fork of Telegram Desktop.|https://kotatogram.github.io/|{{AUR|kotatogram-desktop}}}}
* {{App|Matterhorn|Console client for the Mattermost chat system.|https://github.com/matterhorn-chat/matterhorn|{{AUR|matterhorn}}}}
* {{App|[[Mattermost]] Desktop|Desktop application for Mattermost. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/mattermost/desktop|{{Pkg|mattermost-desktop}}}}
* {{App|[[Mumble]]|Voice chat application similar to TeamSpeak.|https://www.mumble.info/|{{Pkg|mumble}}}}
* {{App|Paper Plane|Chat over Telegram on a modern and elegant client.|https://github.com/paper-plane-developers/paper-plane|{{AUR|paper-plane}}}}
* {{App|[[QQ]]|Proprietary instant messaging software developed by Tencent (imitating ICQ).|https://im.qq.com/|{{AUR|linuxqq}}}}
* {{App|Rocket.Chat Desktop|Desktop application for Rocket.Chat. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/RocketChat/Rocket.Chat.Electron|{{AUR|rocketchat-desktop}}}}
* {{App|Ruqola|Rocket.Chat client for the KDE desktop.|https://apps.kde.org/ruqola/|{{AUR|ruqola}}}}
* {{App|Session Desktop|Onion routing based messenger. Based on the [https://electronjs.org/ Electron] platform.|https://getsession.org/|{{AUR|session-desktop}}}}
* {{App|[[Wikipedia:Signal (software)|Signal]] Desktop|Desktop application for Signal private messenger. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/signalapp/Signal-Desktop|{{Pkg|signal-desktop}}}}
* {{App|[[Wikipedia:Slack (software)|Slack]]|Proprietary Slack client for desktop. Based on the [https://electronjs.org/ Electron] platform.|https://slack.com/|{{AUR|slack-desktop}}}}
* {{App|teams-for-linux|Unofficial Microsoft Teams for Linux client. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/IsmaelMartinez/teams-for-linux|{{AUR|teams-for-linux}}}}
* {{App|[[TeamSpeak]]|Proprietary VoIP application with gamers as its target audience.|https://www.teamspeak.com/|{{Pkg|teamspeak3}}}}
* {{App|[[TeamTalk]]|Proprietary VoIP application with video chat, file and desktop sharing. Desktop sharing does not appear to be working in Linux though. AUR package is server only, but client is built in the make process.|https://bearware.dk|{{AUR|teamtalk}}}}
* {{App|[[Telegram]] Desktop|Official Telegram desktop client.|https://desktop.telegram.org/|{{Pkg|telegram-desktop}}}}
* {{App|[[Wikipedia:Viber|Viber]]|Proprietary cross-platform IM and VoIP software.|https://www.viber.com/products/linux/|{{AUR|viber}}}}
* {{App|[[Wikipedia:WeChat|WeChat]]|Tencent WeChat Client.|https://linux.weixin.qq.com/|{{AUR|wechat}}}}
* {{App|[[Wikipedia:Wire (software)|Wire]]|Modern, private messenger. Based on the [https://electronjs.org/ Electron] platform.|https://wire.com/|{{AUR|wire-desktop}}}}
* {{App|[[Zoom Meetings|Zoom]]|Proprietary video conferencing, online meetings and group messaging application.|https://zoom.us/|{{AUR|zoom}}}}
* {{App|[[Wikipedia:Zulip|Zulip]]|Desktop client for Zulip group chat. Based on the [https://electronjs.org/ Electron] platform.|https://zulipchat.com/apps/linux|{{AUR|zulip-desktop}}}}

=== Instant messaging servers ===

See also [[Wikipedia:Comparison of instant messaging protocols]].

==== IRC servers ====

* {{App|Ergo|A modern and simple to set up IRC server written in Go. Combines the features of an IRCd, a services framework, and a bouncer.|https://ergo.chat/|{{AUR|ergochat}}}}
* {{App|[[InspIRCd]]|A stable, modern and lightweight IRC daemon.|https://www.inspircd.org/|{{AUR|inspircd}}}}
* {{App|IRCD-Hybrid|A lightweight, high-performance internet relay chat daemon.|https://www.ircd-hybrid.org/|{{AUR|ircd-hybrid}}}}
* {{App|miniircd|A small and configuration free IRC server, suitable for private use.|https://github.com/jrosdahl/miniircd|{{AUR|miniircd-git}}}}
* {{App|ngIRCd|A free, portable and lightweight Internet Relay Chat server for small or private networks.|https://ngircd.barton.de/|{{AUR|ngircd}}}}
* {{App|Solanum|Solanum is the upcoming IRCd for unified networks that is being worked on by a collaboration of Libera Chat and OFTC staff.|https://solanum.chat/|{{AUR|solanum-ircd-git}}}}
* {{App|[[UnrealIRCd]]|Open Source IRC Server.|https://www.unrealircd.org/|{{Pkg|unrealircd}}}}

==== XMPP servers ====

* {{App|Ejabberd|Robust, scalable and extensible XMPP Server written in Erlang|https://www.ejabberd.im/|{{Pkg|ejabberd}}}}
* {{App|Jabberd2|An XMPP server written in the C language and licensed under the GNU General Public License. It was inspired by jabberd14.|https://jabberd2.org/|{{AUR|jabberd2}}}}
* {{App|[[Openfire]]|An XMPP IM multiplatform server written in Java|https://www.igniterealtime.org/projects/openfire/|{{Pkg|openfire}}}}
* {{App|[[Prosody]]|An XMPP server written in the [https://www.lua.org/ Lua] programming language. Prosody is designed to be lightweight and highly extensible. It is licensed under a permissive [https://prosody.im/source/mit MIT license].|https://prosody.im/|{{Pkg|prosody}}}}

==== SIP servers ====

See also [[Wikipedia:List of SIP software#Servers]].

* {{App|[[Asterisk]]|A complete PBX solution.|https://www.asterisk.org/|{{AUR|asterisk}}}}
* {{App|Kamailio|SIP server for large VoIP and real-time communication platforms.|https://www.kamailio.org/|{{AUR|kamailio}}}}
* {{App|openSIPS|SIP proxy/server for voice, video, IM, presence and any other SIP extensions.|https://opensips.org/|{{Pkg|opensips}}}}
* {{App|Repro|An open-source, free SIP server.|https://www.resiprocate.org/About_Repro{{Dead link|2025|04|05|status=404}}|{{AUR|repro}}}}
* {{App|[[Wikipedia:Yate (telephony engine)|Yate]]|Advanced, mature, flexible telephony server that is used for VoIP and fixed networks, and for traditional mobile operators and MVNOs.|https://yate.ro/|{{Pkg|yate}}}}

==== Other IM servers ====

* {{App|[[Mattermost]]|Open source private cloud server, Slack-alternative.|https://github.com/mattermost/mattermost-server|{{Pkg|mattermost}}}}
* {{App|[[Murmur]]|The voice chat application server for Mumble.|https://www.mumble.info/|{{Pkg|mumble-server}}}}
* {{App|Nextcloud Talk|Video- and audio-conferencing app for Nextcloud.|https://github.com/nextcloud/spreed|{{Pkg|nextcloud-app-spreed}}}}
* {{App|Rocket.Chat|Web chat server, developed in JavaScript, using the Meteor fullstack framework.|https://github.com/RocketChat/Rocket.Chat|{{AUR|rocketchat-server}}}}
* {{App|[[Matrix|Synapse]]|Reference homeserver for the Matrix protocol.|https://github.com/matrix-org/synapse|{{Pkg|matrix-synapse}}}}
* {{App|[[TeamSpeak]] Server|Proprietary VoIP conference server.|https://teamspeak.com/|{{Pkg|teamspeak3-server}}}}
* {{App|uMurmur|Minimalistic Mumble server.|https://umurmur.net/|{{Pkg|umurmur}}}}

=== Collaborative software ===

See also [[Wikipedia:Collaborative software]].

* {{App|[[SOGo]]|Groupware server built around OpenGroupware.org (OGo) and the SOPE application server.|https://sogo.nu/|{{AUR|sogo}}}}

=== Link shortening servers ===

* {{App|microbin|A tiny, self-contained, configurable paste bin and URL shortener written in Rust.|https://github.com/szabodanika/microbin|{{AUR|microbin}}}}
* {{App|shlink|Self-proclaimed definitive self-hosted URL shortener.|https://shlink.io/|{{AUR|shlink}}}}
* {{App|YOURLS|A self-hosted link shortening service written in PHP.|https://yourls.org/|{{AUR|yourls}}}}

== News, RSS, and blogs ==

=== News aggregators ===

[[Web feed]]s aggregators. Some [[#Email clients|email clients]] are also able to act as news aggregator: [[Wikipedia:Claws Mail|Claws Mail]] RSSyl plugin, [[Evolution]], [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Thunderbird]].

See also [[Wikipedia:Comparison of feed aggregators]].

==== Console ====

* {{App|Bulletty|Pretty TUI RSS reader that locally stores articles as markdown.|https://bulletty.croci.dev/|{{Pkg|bulletty}}}}
* {{App|[[Wikipedia:Canto (news aggregator)|Canto]]|Ncurses RSS aggregator.|https://github.com/themoken/canto-curses|{{Pkg|canto-curses}}}}
* {{App|Ditch The Bell|A highly configurable Linux-based desktop notifier for RSS/Atom feeds.|https://github.com/eschermoore/ditchthebell|{{AUR|dtbell-git}}}}
* {{App|feed2imap-go|[https://github.com/feed2imap/feed2imap feed2imap] reimplemented in Go that aggregating RSS/Atom/jsonfeed into folders of your IMAP mailbox.|https://github.com/Necoro/feed2imap-go|{{AUR|feed2imap-go}}}}
* {{App|[[Wikipedia:Gnus|Gnus]]|Email, NNTP and RSS client for Emacs.|https://www.gnus.org/|{{Pkg|emacs}}}}
* {{App|[[Newsboat]]|Ncurses RSS aggregator with layout and keybinding similar to the [[Mutt]] email client.|https://newsboat.org/|{{Pkg|newsboat}}}}
* {{App|[[Newsraft]]|Feed reader with ncurses user interface. It is greatly inspired by [[Newsboat]] and tries to be its lightweight counterpart. |https://codeberg.org/newsraft/newsraft/|{{AUR|newsraft}}}}
* {{App|Rawdog|"RSS Aggregator Without Delusions Of Grandeur" that parses RSS/CDF/Atom feeds into a static HTML page of articles in chronological order.|https://offog.org/code/rawdog/|{{AUR|rawdog}}}}
* {{App|rss2email|Aggregating your RSS/Atom feed into your IMAP/Maildir mailbox as a cronjob.|https://github.com/rss2email/rss2email|{{Pkg|rss2email}}}}
* {{App|sfeed|Crontab oriented shell-scriptable feed aggregator setup with an RSS/Atom parser utility plus a simple ncurses reader.|https://codemadness.org/sfeed-simple-feed-parser.html|{{AUR|sfeed}}}}
* {{App|Snownews|Text mode RSS news reader.|https://sourceforge.net/projects/snownews/|{{AUR|snownews}}}}

==== Graphical ====

* {{App|[[Wikipedia:Kontact#News feed aggregator|Akregator]]|News aggregator for KDE, part of {{Grp|kde-pim}}.|https://apps.kde.org/akregator/|{{Pkg|akregator}}}}
* {{App|Alligator|Kirigami-based RSS/Atom feed reader for mobile devices. Part of {{Grp|kde-network}}.|https://apps.kde.org/alligator/|{{Pkg|alligator}}}}
* {{App|Feeds|An RSS/Atom feed reader for GNOME.|https://gfeeds.gabmus.org/|{{Pkg|gfeeds}}}}
* {{App|Fluent Reader|Modern desktop RSS reader built with React and Fluent UI. Based on the [https://electronjs.org/ Electron] platform.|https://hyliu.me/fluent-reader/|{{AUR|fluent-reader}}}}
* {{App|HackUp|Read Hacker News from the desktop.|https://github.com/mdh34/hackup|{{AUR|hackup-git}}}}
* {{App|[[Wikipedia:Liferea|Liferea]]|GTK news aggregator for online news feeds and weblogs.|https://lzone.de/liferea/|{{Pkg|liferea}}}}
* {{App|Newsflash|Modern feed reader designed for the GNOME desktop. The spiritual successor to FeedReader.|https://apps.gnome.org/NewsFlash/|{{Pkg|newsflash}}}}
* {{App|Raven|Simple desktop RSS reader made using VueJS. Based on the [https://electronjs.org/ Electron] platform.|https://ravenreader.app/|{{AUR|raven-reader}}}}
* {{App|RSS Guard|Very tiny RSS and ATOM news reader developed using Qt framework.|https://github.com/martinrotter/rssguard|{{Pkg|rssguard}}}}
* {{App|Tickr|GTK-based RSS Reader that displays feeds as a smooth scrolling line on your desktop, as known from TV stations.|https://www.open-tickr.net/|{{AUR|tickr}}}}

==== Graphical, Web-based ====

* {{App|[[Nextcloud]] News|RSS/Atom feed reader for Nextcloud.|https://github.com/nextcloud/news|{{Pkg|nextcloud-app-news}}}}
* {{App|selfoss|The new multipurpose RSS reader, live stream, mashup, aggregation web application.|https://selfoss.aditu.de/|{{AUR|selfoss}}}}
* {{App|[[Tiny Tiny RSS]]|Web-based news feed (RSS/Atom) aggregator.|https://tt-rss.org/|{{Pkg|tt-rss}}}}

=== Podcast clients ===

Some media players are also able to act as podcast client: [[Amarok]], Cantata, [[Wikipedia:Clementine (software)|Clementine]], Goggles Music Manager, [[Wikipedia:Rhythmbox|Rhythmbox]], [[VLC media player]]. [[Wikipedia:git-annex|git-annex]] can also [https://git-annex.branchable.com/tips/downloading_podcasts/ function as podcatcher].

See also [[Wikipedia:List of podcatchers]].

==== Console ====

* {{App|castero|A TUI podcast client for the terminal.|https://github.com/xgi/castero|{{AUR|castero-git}}}}
* {{App|castget|Simple, command-line RSS enclosure downloader, primarily intended for automatic, unattended downloading of podcasts.|https://castget.johndal.com/|{{Pkg|castget}}}}
* {{App|gpo|Text mode interface of gPodder.|https://gpodder.github.io/|{{Pkg|gpodder}}}}
* {{App|Greg|A command-line podcast aggregator.|https://github.com/manolomartinez/greg|{{AUR|greg-git}}}}
* {{App|pcd|A minimal podcast client written in go|https://github.com/kvannotten/pcd|{{AUR|pcd}}}}

==== Graphical ====

* {{App|gPodder|Podcast client and media aggregator (GTK interface).|https://gpodder.github.io/|{{Pkg|gpodder}}}}
* {{App|Kasts|Convergent podcast application that looks good on desktop and mobile. Part of {{Grp|kde-multimedia}}.|https://apps.kde.org/kasts/|{{Pkg|kasts}}}}
* {{App|Pocket Casts|Electron wrapper around the Pocket Casts web app with support for MPRIS (media controls).|https://pocketcasts.com/|{{AUR|pocket-casts-linux}}}}
* {{App|Podcasts|Podcast client for the GNOME desktop written in Rust.|https://apps.gnome.org/Podcasts/|{{Pkg|gnome-podcasts}}}}
* {{App|Vocal|Simple podcast client for the Modern Desktop (GTK).|https://vocalproject.net/|{{AUR|vocal}}}}

=== Usenet newsreaders ===

Some [[#Email clients|email clients]] are also able to act as Usenet newsreader: [[Wikipedia:Claws Mail|Claws Mail]], [[Evolution]], [[Mutt|NeoMutt]], [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Wikipedia:Sylpheed|Sylpheed]], [[Thunderbird]].

See also: [[Wikipedia:List of Usenet newsreaders]], [[Wikipedia:Comparison of Usenet newsreaders]].

==== Console ====

* {{App|nn|Alternative more user-friendly (curses-based) Usenet newsreader for UNIX.|http://www.nndev.org/|{{AUR|nn}}}}
* {{App|[[Wikipedia:slrn|slrn]]|Text-based news client.|https://www.slrn.org/|{{AUR|slrn}}}}
* {{App|[[Wikipedia:Tin (newsreader)|tin]]|A cross-platform threaded NNTP and spool based UseNet newsreader.|http://tin.org/|{{AUR|tin}}}}
* {{App|trn|A text-based Threaded Usenet newsreader.|https://trn.sourceforge.net/|{{AUR|trn}}}}

==== Graphical ====

* {{App|[[NZBGet]]|Usenet binary downloader for .nzb files with web and CLI interface.|https://nzbget.net/|{{Pkg|nzbget}}}}
* {{App|[[Wikipedia:Pan (newsreader)|Pan]]|GTK Usenet newsreader that's good at both text and binaries.|https://gitlab.gnome.org/GNOME/pan|{{Pkg|pan}}}}
* {{App|[[SABnzbd]]|An open-source binary newsreader webapp written in Python.|https://sabnzbd.org/|{{AUR|sabnzbd}}}}
* {{App|XRN|Usenet newsreader for X Window System.|https://www.mit.edu/people/jik/software/xrn.html|{{AUR|xrn}}}}

=== Microblogging clients ===

* {{App|Choqok|Microblogging client for KDE that supports Mastodon, Pump.io and GNU social.|https://choqok.kde.org/|{{AUR|choqok-git}}}}
* {{App|Dianara|Pump.io client written in Qt.|https://jancoding.wordpress.com/dianara/|{{AUR|dianara}}}}
* {{App|Lemmy-UI|Official web app for lemmy.|https://github.com/LemmyNet/lemmy-ui|{{AUR|lemmy-ui}}}}
* {{App|Liftoff|A mobile and desktop lemmy client written in flutter.|https://github.com/liftoff-app/liftoff|{{AUR|liftoff-bin}}}}
* {{App|Mikutter|Simple, powerful Mastodon client using GTK and Ruby.|https://mikutter.hachune.net/|{{AUR|mikutter}}}}
* {{App|Pumpa|Pump.io client written in C++ and Qt.|https://pumpa.branchable.com/|{{AUR|pumpa-git}}}}
* {{App|Tokodon|Mastodon client for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/tokodon/|{{Pkg|tokodon}}}}
* {{App|Toot|CLI and TUI tool for interacting with Mastodon instances.|https://github.com/ihabunek/toot|{{Pkg|toot}}}}
* {{App|Tuba|GTK4 client for Mastodon.|https://apps.gnome.org/Tuba/|{{Pkg|tuba}}}}
* {{App|Whalebird|Mastodon client application. Based on the [https://electronjs.org/ Electron] platform.|https://whalebird.social/|{{AUR|whalebird}}}}

=== Blog engines ===

See also [[Wikipedia:Blog software]] and [[Wikipedia:List of content management systems]].
{{note|Content managers, social networks, and blog publishers overlap in many functions.}}
* {{App|[[Diaspora]]|A distributed privacy aware social network.|https://diasporafoundation.org|{{AUR|diaspora-mysql}} or {{AUR|diaspora-postgresql}}}}
* {{App|[[Drupal]]|A PHP-based content management platform.|https://www.drupal.org/|{{Pkg|drupal}}}}
* {{App|[[Joomla]]|A php Content Management System (CMS) which enables you to build websites and powerful online applications.|https://www.joomla.org/|{{AUR|joomla}}}}
* {{App|[[Wordpress]]|Blog tool and publishing platform.|https://wordpress.org/|{{Pkg|wordpress}}}}

=== Static site generators ===

* {{App|Hexo|Fast, simple and powerful blog framework.|https://hexo.io/|{{AUR|hexo-cli}}}}
* {{App|Hugo|Hugo is a static HTML and CSS website generator written in Go. It is optimized for speed, ease of use, and configurability.|https://gohugo.io/|{{Pkg|hugo}}}}
* {{App|Jekyll|Static blog engine, written in Ruby, which supports Markdown, textile and other formats.|https://jekyllrb.com/|{{Pkg|jekyll}}}}
* {{App|Nikola|Static site generator written in Python, with incremental rebuilds and multiple markup formats.|https://getnikola.com/|{{Pkg|nikola}}}}
* {{App|Pelican|Static site generator, powered by Python.|https://getpelican.com/|{{Pkg|pelican}}}}
* {{App|Zola|An opinionated static site generator, written in Rust.|https://www.getzola.org/|{{Pkg|zola}}}}

=== Gallery software ===

* {{App|fgallery|A static photo gallery generator with no frills that has a stylish, minimalist look.|https://www.thregr.org/wavexx/software/fgallery/|{{AUR|fgallery}}}}
* {{App|jAlbum|A freeware cross-platform software for managing and creating digital photo albums or galleries.|https://jalbum.net/en/|{{AUR|jalbum}}}}
* {{App|jolly|A tool for statically generating galleries from images.|https://gitlab.com/prior99/jolly|{{AUR|jolly}}}}
* {{App|llgal|An easy and fast on-line gallery generator based on iGal.|http://bgoglin.free.fr/llgal/|{{AUR|llgal}}}}
* {{App|Photoview|A photo gallery for self-hosted personal servers.|https://photoview.github.io/|{{AUR|photoview}}}}
* {{App|Piwigo|A web application to manage your collection of photos, and other medias.|https://piwigo.org/|{{AUR|piwigo}}}}
* {{App|revela|A static web image gallery generator.|https://sr.ht/~yaroslav/revela/|{{AUR|revela}}}}
* {{App|Sigal|A simple static gallery generator.|http://sigal.saimon.org/en/latest/|{{Pkg|sigal}}}}
* {{App|thumbsup|A static web galleries for all your photos and videos.|https://thumbsup.github.io/|{{AUR|nodejs-thumbsup}}}}
* {{App|ZenphotoCMS|A CMS for selfhosted, gallery focused websites.|https://www.zenphoto.org/|{{AUR|zenphoto}}}}

== Remote desktop ==

See also [[Wikipedia:Remote desktop software]] and [[Wikipedia:Comparison of remote desktop software]].

See also [https://remotedesktop.google.com Chrome Remote Desktop] for a web browser based solution.

=== Remote desktop clients ===

* {{App|[[Wikipedia:AnyDesk|AnyDesk]]|Proprietary remote desktop software.|https://anydesk.com/|{{AUR|anydesk-bin}}}}
* {{App|GNOME Connections|Remote desktop client for GNOME. Supports RDP and VNC. Part of {{Grp|gnome}}.|https://apps.gnome.org/Connections/|{{Pkg|gnome-connections}}}}
* {{App|GVncViewer|Simple VNC Client on Gtk-VNC. Run with {{ic|gvncviewer}}.|https://wiki.gnome.org/Projects/gtk(2d)vnc|{{Pkg|gtk-vnc}}}}
* {{App|[[Wikipedia:KRDC|KRDC]]|Remote Desktop Client for KDE. Supports RDP and VNC. Part of {{Grp|kde-network}}.|https://apps.kde.org/krdc/|{{Pkg|krdc}}}}
* {{App|[[Remmina]]|Remote desktop client written in GTK. Supports RDP, VNC, SPICE, X2Go and SSH.|https://remmina.org/|{{Pkg|remmina}}}}
* {{App|Remote Viewer|Simple remote display client. Supports SPICE and VNC.|https://virt-manager.org/|{{Pkg|virt-viewer}}}}
* {{App|RustDesk|A remote desktop software, open source, written in Rust.|https://rustdesk.com|{{AUR|rustdesk}}}}
* {{App|Sunlogin Remote Control|Proprietary software that supports remote control of mobile devices, Windows, Mac, Linux and other systems. It uses its own proprietary protocol.|https://sunlogin.oray.com/en/about/about{{Dead link|2025|04|05|status=404}}|{{AUR|sunloginclient}}}}
* {{App|[[Wikipedia:TeamViewer|TeamViewer]]|Proprietary remote desktop client. It uses its own proprietary protocol.|https://www.teamviewer.com/|{{AUR|teamviewer}}}}
* {{App|ToDesk|Proprietary remote desktop client that suits for remote teamwork. It uses its own proprietary protocol.|https://www.todesk.com/|{{AUR|todesk-bin}}}}
* {{App|[[Wikipedia:Vinagre|Vinagre]]|Remote desktop viewer for GNOME. Supports RDP, VNC, SPICE and SSH.|https://wiki.gnome.org/Apps/Vinagre|{{AUR|vinagre}}}}
* {{App|[[TigerVNC|vncviewer (TigerVNC)]]|VNC viewer for X.|https://tigervnc.org/|{{Pkg|tigervnc}}}}
* {{App|[[X2Go]] Client|A graphical client (Qt5) for the X2Go system that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{AUR|x2goclient}}}}
* {{App|xfreerdp|FreeRDP X11 client. Run with {{ic|xfreerdp3}}.|https://www.freerdp.com/|{{Pkg|freerdp}}}}

=== Remote desktop servers ===

* {{App|freerdp-shadow-cli3|A utility for sharing an X display via RDP.|https://www.freerdp.com/|{{Pkg|freerdp}}}}
* {{App|GNOME Remote Desktop|A remote desktop server for GNOME. Supports RDP and VNC. Part of {{Grp|gnome}}.|https://gitlab.gnome.org/GNOME/gnome-remote-desktop|{{Pkg|gnome-remote-desktop}}}}
* {{App|kmsvnc|A VNC server for DRM/KMS capable GNU/Linux devices.|https://github.com/isjerryxiao/kmsvnc|{{AUR|kmsvnc}}}}
* {{App|KRdp|A limited RDP server for KDE.|https://invent.kde.org/plasma/krdp|{{Pkg|krdp}}}}
* {{App|Krfb|VNC server for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/krfb/|{{Pkg|krfb}}}}
* {{App|MeshCentral|Device management server for files, terminal access and remote desktop into Linux (X11), macOS and Windows.|https://meshcentral.com/|{{AUR|meshcentral}}}}
* {{App|[[NoMachine]]|Proprietary remote desktop server and client based on [[w:NX technology|NX
technology]].|https://nomachine.com/|{{AUR|nomachine}}}}
* {{App|wayvnc|VNC server for wlroots based wayland compositors (such as {{Pkg|sway}}).|https://github.com/any1/wayvnc|{{Pkg|wayvnc}}}}
* {{App|[[TigerVNC|x0vncserver (TigerVNC)]]|VNC Server for X displays.|https://tigervnc.org/|{{Pkg|tigervnc}}}}
* {{App|[[x11vnc]]|VNC server for real X displays.|http://www.karlrunge.com/x11vnc/|{{Pkg|x11vnc}}}}
* {{App|[[X2Go]] Server|An open source remote desktop software that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{AUR|x2goserver}}}}
* {{App|[[Xpra]]|A multi-platform screen and application forwarding system.|https://xpra.org/|{{Pkg|xpra}}}}
* {{App|[[Xrdp]]|A daemon that supports RDP. It uses Xvnc, X11rdp or xorgxrdp as a backend.|https://www.xrdp.org/|{{AUR|xrdp}}}}

User talk:Lahwaacz

2026-05-02T15:53:53Z

Lahwaacz: /* Reversions on List of applications/Internet */ Reply

== bot checking links after move ==

Hi, re [[Talk:Touchpad Synaptics#adding libinput alternative]]. [[Touchpad Synaptics]] has 100+ backlinks and the more important ones - a bit tedious task. I was just glancing over your clever github bot scripts. It would be handy to have a script after such moves: walk over the backlinks of [[Touchpad Synaptics]] and just replace "[[Touchpad Synaptics" with "[[Synaptics" from the links. That would leave all links to subsections intact. Leaving out the translations to handle manually, there would not be much to go wrong, or? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 07:36, 26 September 2015 (UTC)

:Hi, thanks for the suggestion. It would be indeed handy in this case, but most likely not generally. Imagine that there was a [[UUID]] page, which was later generalized and renamed to [[Persistent block device naming]] and content about UUID is now only a section on the page. In this case using the naive replacement would likely change the meaning of many sentences, and using shorter redirects for convenience is actually encouraged. There would have to be a list of whitelisted "harmless" replacements, which could even help to replace <nowiki>[[pacman|Install]]</nowiki> with <nowiki>[[Install]]</nowiki> etc. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 08:01, 26 September 2015 (UTC)

::Yes, good examples, but you are thinking universal already :) I did not mean it could be that. For example, if you take the time when the bulk of the title case moves were done. With such a script one could avoid a lot of internal redirects as well. E.g. [https://wiki.archlinux.org/index.php/Special:WhatLinksHere/Beginners'_Guide]. But it's ok, just an idea. Please close this, if you think it's too singular cases with a simple enough replacement where it could be applied. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 10:02, 26 September 2015 (UTC)

== Automatic template correction ==

Per [[Help:Template#Style]], templates should be used with the capitalization shown in the examples in their pages, so {{ic|{{AUR|...}} is correct, while {{ic|{{aur|...}} is not.

However, there are pages that don't respect that rule (e.g. [[Android_Debug_Bridge]] until recently).

I beleive this correction should be easy to implement using a bot. What do you think?

{{unsigned|07:24, 25 August 2020‎|Relrel}}

:Yes, this should be easy, but the bot should not make a huge amount of simple style-only changes - they should be combined with corrections for more complex rules. Anyway, there is an idea to create a [https://github.com/lahwaacz/wiki-scripts/issues/22 style linter] for the ArchWiki rules. Would you like to help? ;-) – [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:21, 25 August 2020 (UTC)

== Readability in Wiki ==

I noticed that you and the other admins and moderators often want sentences to continue endlessly, without line breaks.
For example in the introduction of [[Wayland]].

I think it would be better to have more seperated sentences, so it is easier to read and "important" information is easier visible for people.
I don't know who is responsible, but maybe some options in MediaWiki (or whatever this wiki software is) could be changed as well, to make make line breaks etc. easier and reduce the height-space (if you know what I mean) between sentences, so it looks better, even though line breaks are used.

[[User:G3ro|G3ro]] ([[User talk:G3ro|talk]]) 14:38, 15 October 2020 (UTC) G3ro

:I don't know exactly what you mean. Is it about the readability of the rendered HTML or the "source code" of the page? -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:15, 15 October 2020 (UTC)

:: Well I guess it can be about both. But mainly it is about what people see on the page.
:: There are three seperate topics I mentioned:

:: 1. Use line breaks: I would like to use more line breaks, because if you have long sentences that are written after each other without line breaks, it gets "harder" to recognize when the next sentence starts.
:: While I agree to what you said somewhere, that sentences that belong directly together, should be written in one "paragraph", it would be useful for sentences that cover (slightly) different "topics" to be visibly parted.

:: 2. Adjust margin options: I notice that when line breaks are used, there is a vertical space added between two sentences. Just like in this post. If you would use line breaks more often, this is a little too much spacing in my oppinion.

:: 3. Potential options to make line breaks easier: It would be very convenient if a line break in the source code would lead to a line break in displayed text as well, instead of needing to add an empty line.

:: [[User:G3ro|G3ro]] ([[User talk:G3ro|talk]]) 20:33, 15 October 2020 (UTC) G3ro

:::OK, now I understand. I agree that splitting different topics usually improves legibility, but they should be split into separate paragraphs and not just by line breaks (e.g. using the tags). Paragraphs are semantic units whereas line breaks inside a paragraph are usually typographic errors.
:::Also note that such splitting alone may not be enough to improve the text flow. For example, if we consider the intro for [[Wayland]], the second sentence about XWayland would not constitute a good paragraph - it is just a plain statement and the new topic is not nicely introduced. Ideally, you'd split the topic and make some wording changes for the second paragraph.
:::As for the margin options, that is the difference between paragraph splitting and non-semantic line breaks. In my opinion, the styling is correct in this respect, as paragraphs should be discernible. You mentioned that you like line breaks to easily recognize where a sentence ends - but reading should be based on whole paragraphs, not sentences. There should be no reason to skip anything in the middle of a paragraph, otherwise it should be probably split into multiple paragraphs or otherwise rephrased.
:::If you find it hard to follow a long sentence horizontally on a wide screen, we might consider enforcing some maximum width for the whole content. I think the readability would be better, since there would be more top-to-bottom eye movement at the cost of left-to-right-and-back.
:::-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:59, 15 October 2020 (UTC)

== Root on ZFS draft ==

Hi, I submitted [https://github.com/openzfs/openzfs-docs/pull/104 a Root on ZFS draft] to official doc repo.

In the draft, the following directories are separated from root filesystem:
home,root,srv,usr/local,var/log,var/spool,var/tmp

Is this appropriate for Arch Linux? Or do you have any suggestion on the draft?
Any comment is appreciated.
[[User:M0p|M0p]] ([[User talk:M0p|talk]]) 01:28, 23 January 2021 (UTC)

== Network configuration edit ==

Hello

You reversed my edit in the network configuration pages (https://wiki.archlinux.org/index.php?title=Network_configuration/Wireless&diff=next&oldid=788365) because you stated it was out of scope and tlsv1.0 is insecure

I disagree on the first part, many people I know, I first have struggled to configure eduroam on archlinux and this place seems the best fitted

On the second part, I agree tlsv1.0 is outdated and insecure, sadly it's the one used in some schools [[User:Ultraxime|Ultraxime]] ([[User talk:Ultraxime|talk]]) 17:11, 4 October 2023 (UTC)

== VCS revert ==

https://wiki.archlinux.org/index.php?title=VCS_package_guidelines&diff=0&oldid=802958

While the VCS page isn't about AUR, I feel that the short Note about not bumping up pkgver needlessly is still a welcome addition to it, and additionally linking to the AUR policy is a fine crosslink.

[[User:C0rn3j|C0rn3j]] ([[User talk:C0rn3j|talk]]) 15:42, 11 March 2024 (UTC) [[User:C0rn3j|C0rn3j]] ([[User talk:C0rn3j|talk]]) 15:42, 11 March 2024 (UTC)

:You can already link to the note in [[Arch User Repository#Flagging packages out-of-date]]. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:58, 11 March 2024 (UTC)
::That's exactly the note I linked, VCS package guidelines for AUR deserve such a footnote on this page.
::Just today I went to link the VCS page to a friend confused about -git packages, only to again find out that's exactly the page that is missing any kind of mention about it.
::Please reconsider. [[User:C0rn3j|C0rn3j]] ([[User talk:C0rn3j|talk]]) 11:58, 22 May 2024 (UTC)

:::You should just direct people to [[Arch User Repository#Flagging packages out-of-date]]. The [[VCS package guidelines]] page is not about the AUR ''out of date'' button and the upgrade process. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:51, 22 June 2024 (UTC)

== Install Arch Linux on a removable medium ==

Its not an edge case, there is still plenty of BIOS machines. Real edge case is a person who installs arch on USB stick :) it is not a general advice, please read it again carefully.

https://wiki.archlinux.org/index.php?title=Install_Arch_Linux_on_a_removable_medium&oldid=815197 [[User:Omeringen|Omeringen]] ([[User talk:Omeringen|talk]]) 16:14, 24 August 2024 (UTC)

== makepkg documentation update on correct usage git+http ==

""unmirroring" a git repository is not a thing" if you think so then please create PKGBUILD file with <code>git+<nowiki>https://gitlab-ci-token</nowiki>:<token>@gitlab.com/project.git</code> you will see immediately that "project" folder contains mirror because git.sh script is cloning with --mirror option. Next internal step after cloning is going to fail with message about its not git repository. To solve this issue you have to at [new_name]::git+http... to be clone from bare to normal mode. Reason why I love arch linux and use it since 2015 commercial is Wiki. Wiki should be up to date and this is my contribution. Please reconsider undo once more.

I literally hit the same problem while rebuilding my custom package and spend hour trying to figure out how to solve the problem which in my opinion should be covered by the Wiki.

https://unix.stackexchange.com/questions/154919/how-to-modify-a-pkgbuild-which-uses-git-sources-to-pull-only-a-shallow-clone
Note: now /usr/share/makepkg/source/git.sh should be patched instead that one of popular answers. [[User:Lukaszdh|Lukaszdh]] ([[User talk:Lukaszdh|talk]]) 15:25, 24 November 2024 (UTC)

:I cannot reproduce your issue and can't tell if the problem is about the {{ic|[new_name]::}} prefix or something else. There are definitely many existing packages that don't have the prefix and still work. Can you show your full PKGBUILD and the error output you are getting? — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:41, 24 November 2024 (UTC)
::From obvious reason I can not share with you repository I've made sample repo which use same principal.
::https://gitlab.guns4hire.cc/lukasz.busko/lahwaacz/-/blob/master/pkg/PKGBUILD?ref_type=heads
::I was not able to reproduce the issue so it seems that it somehow it is gitlab issue.
::The weird thing is that for actual project we are currently getting bare repo instead of normal one every time when attempt is to use PKGBUILD with out <what_ever_name>::. I will update this topic in a few days will try to redo production repo maybe it's gitlab issue after all. [[User:Lukaszdh|Lukaszdh]] ([[User talk:Lukaszdh|talk]]) 21:42, 24 November 2024 (UTC)
:::Well this repo works just fine for me: I could run [[makepkg]] with no issues so it is not a GitLab issue either. What is the version of the tools you are using? — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:53, 24 November 2024 (UTC)
::::Hey, sorry for delay was very busy. So at the end it looks like gitlab repository issue. When I add next origin for current local repository and then push and clone imagine problem does not exist anymore. [[User:Lukaszdh|Lukaszdh]] ([[User talk:Lukaszdh|talk]]) 23:07, 30 November 2024 (UTC)

== Python packaging guidelines: Unpacking wheels ==

You removed the tip I added in the Python packaging guidelines regarding unpacking wheels, noting the packaging guidelines pages are to be modified by Package Maintainers only.

* I nonspecifically recall previously being advised to offer a more concrete edit for consideration, this was me overcorrecting in the other direction. To avoid a third reiteration, could you please explain what the expected editing procedure is for edits of this scale? I eg see no mention of such a PM-only policy in [[ArchWiki:Contributing]] or [[Help:Editing]]
* Accepting that my edit may have been against policy -- was there anything substantively wrong with my edit? Or was it merely removed because I had violated policy? In particular, what is blocking restoring it to the page?

Thanks,
[[User:Gesh|Gesh]] ([[User talk:Gesh|talk]]) 19:39, 26 January 2025 (UTC)

:Hi, the guidelines are supposed to be authoritative even for official packages so major changes need to be discussed and accepted by the team before adding them to the page. The talk page should be used for this purpose, you can draft the addition and have it reviewed by others. Even though your idea was probably not to change the direction of the guidelines, the wording should be much better to document the status quo without potentially arguable recommendations. You can find my view on this by reading the recent comments in [[Talk:Python package guidelines#Using virtualenvs for tests, doc generation]]. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 21:08, 26 January 2025 (UTC)

== Is "Don't start with a warning" a general rule? ==

On [[Btrfs]] regarding my last edit you corrected the positioning of the warning with the comment "Don't start with a warning".

Can I consider this a general rule of style or was your correction specific to that case? I'm asking because there are at least 7 other topics in the same article that start with a warning. Or should the positioning of the other warnings be altered too?

My reasoning was to put the warning at the top because the user should know before he tries out the deletion command.

No offense, I'm just trying to learn the style of the wiki. [[User:Multifred|Multifred]] ([[User talk:Multifred|talk]]) 23:43, 2 March 2025 (UTC)

:It doesn't make much sense to expect the reader to know what the section is all about just from the title and jump right into a warning. So yeah, the other sections should be checked as well. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 06:10, 3 March 2025 (UTC)

== Write cache ==

Hi! Apologies to take up your time.

I'd like to clarify that my write-cache script is actually a scanner. While it tests and re-applies settings on a 30 second timescale, it's not expecting things to change anywhere that fast, and is meant to catch simple cases like suspensions, reboots, and new hardware additions, while not being intensively hooked into the system. I think it can be better, but this solves my own practical needs well enough, and I'm hoping that it serves as a launch point for the next person who comes along with the same issues as me.

Hope your day goes well! [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 04:35, 14 April 2025 (UTC)

:Also, I apologize for modifying the factual accuracy warning myself. I should've left that up to your discretion and choice. [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 04:38, 14 April 2025 (UTC)
::What I thought had gone on was that you'd tagged it because the code wasn't using systemd's specific boot and hibernate triggers within the unitfile. This got me defensive since I'd failed to get them working. What I realize now is that a casual reading of what I wrote and a glance at my code can definitely imply that it's just toggling write cache off once every 30 seconds.
::[[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 04:55, 14 April 2025 (UTC)
:::Morning-after reflections! (My apologies, I'm very introspective.)
:::So, to go through your points in detail:
:::* On applying the setting every 30 seconds; the goal is to catch occasional events within at most 30 seconds, rather than one event that re-asserts every 30 seconds.
:::* On applying settings during reboot -- that's already handled by the nature of being a systemd unit file.
:::* On applying settings during suspend, hibernate -- it is possible to convert the service back into a one-shot and set the unit file with some strict ordering regarding running after and around suspensions, but at the current time I can download a ready-made unit file off the internet and still not see ''any'' script re-ran after hibernation. (Ran into this with AMDGPU as well). This one is a proper matter of needing more dev time.
:::* On applying settings upon hardware additions, i.e. sata hotplug and USB keys, a udev rule can be written. This is a proper matter of needing more dev time.
:::All that said though, on the aspects of being better code, I do have to stand a bit by my inital assessment and say that since this isn't really a code-publishing platform and instead a launching off-point for system administrators ready to roll up the sleeves and get specific with their setup, I make the case that rather than tagging with a factual accuracy dispute (making most readers unwilling to engage with the section), the readers are better equipped with a warning that this is a jumping off point and may not be suitable for their case.
:::I do support the addition of a tag here in general. If the tag remains a factual accuracy tag though, I'm inclined to more simply remove the code to help the article be more readable for the general public.
:::Thank you for your time!
:::[[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 00:32, 15 April 2025 (UTC)
::::Hello! I am writing again about your direct public tagging of the Hdparm article for a factual accuracy error. This is the third day I have woken up without a response, despite being active in the article, in its talk page, and on your user talk page here.
::::As it is, I have repeatedly made my case for why I find the tag inappropriate, and have repeatedly put in the effort to contact you and get this resolved. Five minutes of time is more than enough to review the three pages and my writings. If you don't follow up with me here, it is my understanding that you have no complaints with any action I've taken thus far, and I am justified in removing your tag with you being the one in error.
::::I apologize for the stern tone. See you tommorow when I sit down to check my wiki'ing.
::::I [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 02:11, 16 April 2025 (UTC)
:::::Chill dude, not every editor checks and answers their talk page daily. From memory @[[User:Lahwaacz|Lahwaacz]] answers within a week. [[User:Erus Iluvatar|Erus Iluvatar]] ([[User talk:Erus Iluvatar|talk]]) 06:43, 16 April 2025 (UTC)
::::::Are you willing to review the page in his stead to resolve this today then? I am here on this single issue. [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 23:47, 16 April 2025 (UTC)
:::::::Be patient. We are volunteers and no one here is getting paid, yet you act as if we were. [[User:NetSysFire|NetSysFire]] ([[User talk:NetSysFire|talk]]) 00:47, 17 April 2025 (UTC)
::::The accuracy template is intended to improve the content of the section, not to dissuade readers. That's why it is [[Template:Accuracy]] and not [[Template:Warning]]. Getting it right obviously means investing some time into explaining the motivation and improving the technical solution.
::::Before the technicalities, maybe you can explain why you want to keep the write cache absolutely disabled on your drives. Does it often fail or what is the concern? As a rule of thumb, the general recommendation is to keep the system on the defaults and trust the manufacturer and kernel programmers they know what they're doing. Modern file systems have a way to control when data actually gets written and to avoid data corruption (read about cache flushing and journaling). There is a warning in the section but I might dispute its accuracy/relevance too...
::::As for the script, I'd really not want a script to touch my drives every N seconds (whatever the N is). Besides the increased system load, it might also interfere with the disk's standby/suspend and potentially other functionality. hdparm is designed as a oneshot management command and running it in a loop is just weird. The right way to do it is to identify all events that reset the setting and apply the command just once after each event via oneshot service, udev rule, etc. If you don't want to do all of it, that's fine - the wiki can also just describe briefly what is the right way and leave the implementation as an exercise for the reader.
::::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:30, 17 April 2025 (UTC)
:::::Gotcha. Thank you for the reply, and I apologize for my impatience. (Up until I had several other users jumping in, I had no clue what kind of social system I was walking into here, and I was panicking and catastrophising. That's definitely on me, and I apologize for any email spam you received. My core stress being that I feared that this would be a factual accuracy tag that never resolves, like most I've seen on the wiki, and worrying that I made this page worse as a result.)
:::::My use case is that I have three systems which can be hit by infrequent power-outtages, and I have tracked down and found corruption from the drive's internal write caching. It seems to interfere with any and all filesystem smarts, as a pretty simple write-reordering is more than enough to defeat the atomicity of filesystem operations no matter the underlying mechanisms that try and guarantee it (i.e. CoW filesystems and journaling), and I have quite a backlog of experiences of NTFS, Ext4, and Btrfs all corrupting during power loss despite never failing when hitting the machine's reset button.
:::::This section on this article is thus far the simplest solution I have found and the only one that does not require me to put money down on excess hardware, and I'm ''very'' willing to dig my own grave, vary from manufacturer defaults, and trade performance for system consistency and ease of maintennance. For anybody interested in what other resources I turned up, my next strategy from here has been considering the use of an overlay filesystem or Btrfs seeding (https://btrfs.readthedocs.io/en/stable/Seeding-device.html) to try and aid in system repairability, but these mechanisms have no power of prevention.
:::::My workload is read-heavy in every single case, with writes primarily consisting of simple everyday logging, system management, and the ordinary sprawl of user programs making caches as they run, etc. One such system is for example an SMBv1 share for a dedicated offline network of legacy machines, providing a bulk of large system images so they don't have to be stored locally. Disabling write caching with this script has had no effect on the sustained throughput of my disks when writing new large chunks, or their read performance, and a properly set I/O scheduler has had a much larger effect on system usability than the state of the disk's write cache.
:::::I agree that most people aren't doing this, that nobody should run this script on there system without knowing the trade-offs they are making. This is not a usual and default use-case, but this is just about the only place where this is documented, with straightforward warnings already existing and stressing what kind of a decision this is.
:::::As for the quality of the script itself -- when it comes to overhead, I have some relevant benchmark figures on the performance of 'hdparm -W /path/to/disk':
:::::* in a loop running hdparm -t on a Crucial MX500 disk with nothing else ran, the read throughput is 342 MB/sec. For a Western Digital WD 8TB, the performance is 179MB/s.
:::::* starting a loop of 30,000 hdparm -W (only probing the write cache state, not setting it) operations with zero read timers while the above runs, the read throughput is 317 MB/sec for the SSD, and 177 MB/S for the hard disk. The loops finish in 1m18s for both the SSD and the hard-disk, giving a runtime of 2 milliseconds.
:::::* starting a loop of 30,000 hdparm -W1 or -W0 operations, the read throughput drops to 230MB/sec on the SSD, and 80MB/sec for the hard-disk. The loop takes 10 minutes to complete, giving a runtime of 20 milliseconds.
:::::* in both cases, system usability did not tank, though this might have more to do with the I/O scheduler and Linux's own disk caching.
:::::As such, running one probing hdparm -W command once per 30 seconds on disk uses an estimated 0.06% of the drive's bus time, and there isn't much to worry about in terms of polling overhead.
:::::That said, I do agree that the code isn't the point. I'm very open to wherever you want to take this section.
:::::Apologies again for the panicking and taking up your time!
:::::I [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 03:54, 18 April 2025 (UTC)
::::::Ok, so the warning in that section must stay. I don't want to tell you what to do with your drives, but still it would be nice to at least mention how to proceed if the user wants to run the action only after specific event that resets the setting. Something like "For resets after suspend/hibernation, see [[Power management/Suspend and hibernate#Sleep hooks]]" etc. For this it would be good to decouple the action from the loop in the script so that it can be used in different ways. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 08:24, 27 April 2025 (UTC)
:::::::The thing I think I've failed to communicate here is that the action inside of its loop and the implications making it up have always been spelled out in individual commands, plain english instructions, and textual warnings all in the existing text of the section, long before I ever touched it. Spotlighting out the inner loop would be very redundant, because that text is a better explanation. This is why I argue that if you dislike the loop, it should be removed. I don't have working code that makes it run on events. Yes it would be nice if I did. But I don't see what makes the section ''factually innacurate'' if it's ''correct'' but a nicer solution ''could'' exist.
:::::::I now argue that the code be removed, because I do not have time from my day to argue for it. We're caught in the weeds in useless semantics and that's all this code has done, so please remove it, because it's never going to outdo this unproductivity bubble of already wasted time. [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 22:35, 28 April 2025 (UTC)
:::::::I want to stress that all I've done is combine existing wiki content and extended it the simplest step forward I could come up with. I did it because I thought it was a non-obvious but very straightforward synthesis of two pages, justifiable by the existing text of the section, already asking that the user be aware and have technical reasons to want to be doing this. But it's too many days and too many emails later, and we're still on the same initial point that you just like the nicer solution that doesn't yet exist. I'm stepping out from this conversation and I'm not returning. [[User:Ethel-Maxwell|Ethel-Maxwell]] ([[User talk:Ethel-Maxwell|talk]]) 22:46, 28 April 2025 (UTC)

== Other wlroots based compositors edit ==

as it stands, you need xdg-portal-gtk to be able to screenshare in other wlroots based compositors ie dwl with out it you can't screenshare, speaking as someone who used a wlroots based compositors you need that, I can't speak for other wlroots based compositors ie river but for me I needed xdg-portal-gtk to be able to screenshare [[User:Matthewq337|Matthewq337]] ([[User talk:Matthewq337|talk]])

:There is a table in [[XDG Desktop Portal#List of backends and interfaces]]
:Which other portal from {{pkg|xdg-desktop-portal-gtk}} do you need for screensharing? As it is documented now, it seems completely unrelated to this functionality.
:

== <s>About -O3 possible performance reduction warning revert.</s> ==

Hey, I had edited the [[Makepkg#C and C++]] page and added a warning that it can actually cause a reduction in performance. Quoted from the page: "Using this flag will in most cases improve the performance of the binary, although this is not guaranteed and depends on the binary." You pointed out that this already says "most cases", but that doesn't really clearly imply that it can actually '''hurt''' performance, It implies more of a "Either it goes up, or stays still" feel. That's why I added that warning.

I believe we can either change that sentence a bit to more clearly imply that it can be counterproductive, or we can keep the warning.

Thanks. [[User:LinuxLover471|asyync1024]] ([[User talk:LinuxLover471|talk]]) 03:43, 26 January 2026 (UTC)

:Hi, feel free to change the sentence to clarify your point. It would be best if you have some reference for a case where it can hurt performance. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:13, 1 February 2026 (UTC)
::Done! I changed the wording as follows:
::"Using this flag will in most cases improve performance of the binary, although this is not guaranteed and in some cases can prove conter-productive."
::I couldn't really think of an example, I might later add something, though it's unlikely. [[User:Asyync1024|asyync1024]] ([[User talk:Asyync1024|talk]]) 04:47, 2 February 2026 (UTC)

== Revert regarding early KMS warning on the NVIDIA page ==

Hi,

you reverted my edit on the NVIDIA page, where I added a warning to the early KMS section that it can cause issues with hibernation. You wrote that "KMS on the linked page is not linked to NVIDIA, so it hardly qualifies as "known to cause issues"". I do agree that the link was not ideal, but I think that the warning should be there. On my machine, hibernation did not work for quite some time, so a few days ago, I finally searched the web for possible causes of that, and I read that, when loading the driver early, it would already have initialized so it could not properly resume (or something like that), so I tried removing early KMS and that fixed it. Of course, I don't know if it always has this issue, but I think it'd be sensible to tell users that, should they experience issues, this may be the cause. I added the link because it seemed sensible to reference issues with hibernation in general (so that a reader might also check that page, if early KMS was not the cause).

Do I understand correctly that the revert was because of the (somewhat misleading) link to the "issues with hibernation" page, and not the warning itself? So would it be acceptable to re-add the warning, just without that link? [[User:CraftingShadowDE|CraftingShadowDE]] ([[User talk:CraftingShadowDE|talk]]) 12:19, 8 February 2026 (UTC)

:Hi, please improve the troubleshooting section rather than adding a general warning which takes a bit more. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:19, 8 February 2026 (UTC)

== Nvidia container without CUDA ==

Hey Lahwaacz, you motivated [https://wiki.archlinux.org/index.php?title=Docker&diff=prev&oldid=871798 this revert] to [[Docker#With_the_--gpus_option_(recommended)]] with:

: ''using an image without cuda with gpus is pretty useless''

That's awfully restrictive as GPU passthrough without CUDA has many practical use cases:

'''Graphics & Display'''

* Running desktop GUI applications or full desktop environments (via VNC/X11) that need hardware-accelerated rendering
* WebGL or OpenGL workloads in headless browsers for screenshot/rendering services
* Video transcoding with hardware encoders (Intel QSV, AMD VCE, NVIDIA NVENC used via VA-API/VAAPI, not CUDA)

'''Video Processing'''

* FFmpeg hardware-accelerated transcoding using VA-API, DXVA2, or VideoToolbox
* Live streaming pipelines that need fast H.264/H.265 encoding without CPU overhead
* Frame extraction at scale from large video archives

'''Compute via OpenCL / Vulkan'''

* Password/hash cracking tools (Hashcat) using OpenCL
* Physics simulations or scientific compute that targets OpenCL
* Vulkan compute shaders for image processing pipelines

'''Gaming & Emulation'''

* Game servers or emulators (RetroArch, Dolphin) needing 3D acceleration
* Cloud gaming infrastructure using Vulkan-based rendering
* VirtualGL for remote 3D application streaming

'''Media & Home Server'''

* Plex/Jellyfin/Emby hardware transcoding via VAAPI or NVENC (driver-level, not CUDA)
* Automated media processing pipelines (thumbnail generation, format conversion)

Besides, being unexpectedly hit with a >2GB download doesn't make for a great wiki exploration experience.

So I stand by my edit and will revert to it if you don't provide a more convincing rationale. ~~ [[User:Neitsab|Neitsab]] ([[User talk:Neitsab|talk]]) 13:59, 26 April 2026 (UTC)

:In that case, would you mind using the {{ic|archlinux:base}} image rather than {{ic|ubuntu}} in the examples? Mentioning the [https://hub.docker.com/r/nvidia/cuda/tags nvidia/cuda] images somewhere would still be nice. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:48, 26 April 2026 (UTC)
::I don't mind at all, this is actually an excellent idea.
::I had noticed while doing this edit that this section is too Nvidia-specific. I'd like to take some time this week to generalize it to include the main other GPU makers/interfaces (ROCm, OpenVino, SYCL...); that'll allow it to have a proper CUDA subsection which will include the current examples.
::What's the better approach for a large expansion like this: work on a draft in my personal namespace and ask for comments from [[Talk:Docker]] or work on it little by little on the page itself? [[User:Kynikos]] always warned me against making one big edit to a section in a single changeset... [[User:Neitsab|Neitsab]] ([[User talk:Neitsab|talk]]) 19:41, 26 April 2026 (UTC)
:::Well, NVIDIA has the {{pkg|nvidia-container-toolkit}} which makes passing their GPUs to containers easy. I'm afraid there is nothing like it from other vendors.
:::If you just add a new section, feel free to do it directly on the [[Docker]] page and then we will see how to reorganize it best.
:::— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:49, 26 April 2026 (UTC)

== Reversions on [[List of applications/Internet]] ==

Hi Lahwaacz,

You reverted some of my edits in [[List of applications/Internet]]. Specifically, binary packages from the AUR are not relevant even if compilation times are very high with the source version. That's fine. My decision to recommend binary packages was that many other binary packages are recommended in the same section of the article (web browsers section), so I recommended other binary packages for consistency as well. I'll edit the article to link to the source packages whenever available. And also, [[Help:Style]] states:

"The package (or packages, or package groups) involved must be linked, preferably ''without variants'' (typically denoted by a suffix such as <code>-bin</code>, <code>-git</code>, or <code>-nightly</code>) unless they provide a meaningful difference."

I thought the compilation time would be a "meaningful difference", but since you clarified that, it's fine. I believe that line in [[Help:Style]] may be in direct conflict with the directive in [[Template:App#Style]], and one or both should be updated to better clarify.

Additionally, my Opera edit did not need to be reverted, since it was not in violation of any style rules. But don't worry, I'll add that back.

Thanks. [[User:TheSleuth|TheSleuth]] ([[User talk:TheSleuth|talk]]) 14:29, 2 May 2026 (UTC)

:The [[Template:App#Style]] concerns the use in <nowiki>{{App|...}}</nowiki>, specifically, it is relevant on the List of applications pages. The section says "Development (e.g. -git) or binary (i.e. -bin) versions of packages should not be linked if there is a stable or source version available."
:There is no conflict with [[Help:Style]] - the template style is just more specific.
:— [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:53, 2 May 2026 (UTC)

List of applications/Internet

2026-05-02T13:56:20Z

Lahwaacz: revert last edits - see Template:App#Style, compilation time does not matter for this decision

[[Category:Internet applications]]
[[Category:Lists of software]]
[[es:List of applications (Español)/Internet]]
[[hu:List of applications (Magyar)/Internet]]
[[ja:アプリケーション一覧/インターネット]]
[[pl:List of applications (Polski)/Internet]]
[[zh-hans:List of applications/Internet]]
{{List of applications navigation}}

== Network connection ==

=== Network managers ===

See [[Network configuration#Network managers]].

=== VPN clients ===

* {{App|GlobalProtect-openconnect|A GlobalProtect VPN client (GUI) for Linux, based on OpenConnect and built with Qt5, supports SAML auth mode.|https://github.com/yuezk/GlobalProtect-openconnect/|{{Pkg|globalprotect-openconnect}}}}
* {{App|Libreswan|A free software implementation of the most widely supported and standardized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE").|https://libreswan.org/|{{AUR|libreswan}}}}
* {{App|[[Mullvad]]|A GUI client for the Mullvad VPN service |https://mullvad.net/|{{Pkg|mullvad-vpn}}}}
* {{App|[[Nebula]]|A mesh VPN network|https://nebula.defined.net/docs/|{{Pkg|nebula}}}}
* {{App|[[NetworkManager]]|Supports a variety of protocols (e.g. MS, Cisco, Fortinet) via a plugin system.|https://wiki.gnome.org/Projects/NetworkManager/VPN|{{Pkg|networkmanager}}}}
* {{App|[[OpenConnect]]|Supports Cisco and Juniper VPNs.|https://www.infradead.org/openconnect/|{{Pkg|openconnect}}}}
* {{App|[[ProtonVPN]]|VPN provider that uses the OpenVPN and WireGuard protocol.|https://protonvpn.com/|{{Pkg|proton-vpn-gtk-app}}}}
* {{App|[[Openswan]]|IPsec-based VPN Solution.|https://www.openswan.org/|{{AUR|openswan}}}}
* {{App|[[OpenVPN]]|To connect to OpenVPN VPNs.|https://openvpn.net/|{{Pkg|openvpn}}}}
* {{App|[[PPTP Client]]|To connect to PPTP VPNs, like Microsoft VPNs (MPPE). (insecure)|https://pptpclient.sourceforge.net/|{{Pkg|pptpclient}}}}
* {{App|RiseupVPN|A GUI client for the Riseup VPN service from riseup.net.|https://riseup.net/en/vpn/ | {{AUR|riseup-vpn}} or {{AUR|riseup-vpn-configurator}} }}
* {{App|[[Rosenpass]]|Hybrid security against quantum computers for WireGuard by adding a post-quantum-secure key exchange|https://rosenpass.eu/|{{Pkg|rosenpass}}}}
* {{App|[[strongSwan]]|IPsec-based VPN Solution.|https://www.strongswan.org/|{{Pkg|strongswan}}}}
* {{App|[[tinc]]|tinc is a free VPN daemon.|https://www.tinc-vpn.org/|{{Pkg|tinc}}}}
* {{App|vopono|OpenVPN and WireGuard wrapper to launch applications with VPN tunnels in network namespaces.|https://github.com/jamesmcm/vopono|{{AUR|vopono}}}}
* {{App|vpnc|To connect to Cisco 3000 VPN Concentrators.|https://www.unix-ag.uni-kl.de/~massar/vpnc/|{{Pkg|vpnc}}}}
* {{App|[[WireGuard]]|Next generation secure network tunnel.|https://www.wireguard.com/|{{Pkg|wireguard-tools}}}}

=== Proxy servers ===

* {{App|Brook|Proxy focusing on strong encryption and being undetectable.|https://txthinking.github.io/brook/|{{Pkg|brook}}}}
* {{App|Dante|SOCKS server and SOCKS client, implementing [[RFC:1928]] and related standards.|https://www.inet.no/dante/|{{Pkg|dante}}}}
* {{App|Geph|A modular Internet censorship circumvention system designed specifically to deal with national filtering.|https://geph.io/en/|{{AUR|geph4-client}}}}
* {{App|hiddify|Multiplatform chain proxy client based on {{AUR|sing-box}}.|https://github.com/hiddify/hiddify-next|{{AUR|hiddify}}}}
* {{App|[[NaïveProxy]]|A Proxy using Chrome's network stack to camouflage traffic with strong censorship resistence and low detectablility.|https://github.com/klzgrad/naiveproxy|{{AUR|naiveproxy}}}}
* {{App|[[Privoxy]]|Non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk.|https://www.privoxy.org/|{{Pkg|privoxy}}}}
* {{App|[[Shadowsocks]]|Secure socks5 proxy, designed to protect your Internet traffic.|https://shadowsocks.org/|{{Pkg|shadowsocks-rust}}}}
* {{App|[[Squid]]|Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.|https://www.squid-cache.org/|{{Pkg|squid}}}}
* {{App|[[Stunnel]]|A server and client to add and remove TLS encryption to TCP data flow.|https://www.stunnel.org/|{{Pkg|stunnel}}}}
* {{App|Throne|Cross-platform GUI proxy utility (Empowered by {{AUR|sing-box}}).|https://github.com/throneproj/Throne|{{AUR|throne}}}}
* {{App|Tinyproxy|Lightweight HTTP/HTTPS proxy daemon.|https://tinyproxy.github.io/|{{Pkg|tinyproxy}}}}
* {{App|[[Trojan]]|An unidentifiable mechanism that helps you bypass GFW.|https://trojan-gfw.github.io/trojan/|{{Pkg|trojan}}}}
* {{App|[[V2Ray]]|V2Ray is the core of Project V, which is a set of tools to help you build your own privacy network over the internet.|https://www.v2fly.org/en_US/|{{Pkg|v2ray}}}}
* {{App|V2RayN|A GUI client for Windows, Linux and macOS, support {{AUR|xray}} and {{AUR|sing-box}} cores and others.|https://github.com/2dust/v2rayN|{{AUR|v2rayN}}}}
* {{App|[[Varnish]]|High-performance HTTP accelerator.|https://varnish-cache.org/|{{Pkg|varnish}}}}
* {{App|Wireproxy|[[WireGuard]] client that exposes itself as a SOCKS5 proxy.|https://github.com/pufferffish/wireproxy|{{Pkg|wireproxy}}}}
* {{App|XX-Net|Easy to use web proxy tool.|https://github.com/XX-net/XX-Net/|{{AUR|xx-net}}}}
* {{App|Ziproxy|Forwarding (non-caching) compressing HTTP proxy server.|https://ziproxy.sourceforge.net/|{{Pkg|ziproxy}}}}

=== Anonymizing networks ===

* {{App|Arti|Rust implementation of the Tor anonymizing overlay network.|https://gitlab.torproject.org/tpo/core/arti|{{Pkg|arti}}}}
* {{App|[[GNUnet]]|Framework for secure peer-to-peer networking.|https://gnunet.org/|CLI: {{AUR|gnunet}}, GUI: {{AUR|gnunet-gtk}}}}
* {{App|Hyphanet|An encrypted network without censorship, previously named Freenet.|https://www.hyphanet.org/|{{AUR|hyphanet}}}}
* {{App|[[I2P]]|Distributed anonymous network.|https://geti2p.net/|{{Pkg|i2pd}}, {{AUR|i2p}}}}
* {{App|Lantern|Peer-to-peer internet censorship circumvention software.|https://getlantern.org/|{{AUR|lantern-bin}}}}
* {{App|Lokinet|Anonymous, decentralized and IP based overlay network for the internet.|https://lokinet.org/|{{AUR|lokinet}}}}
* {{App|[[Tor]]|Anonymizing overlay network.|https://www.torproject.org/|{{Pkg|tor}}}}

=== Network tunnels ===

* {{App|6tunnel|Tunnels IPv6 connections for IPv4-only applications.|https://github.com/wojtekka/6tunnel/|{{Pkg|6tunnel}}}}
* {{App|iodine|Tunnel IPv4 data through a DNS server.|https://code.kryo.se/iodine/|{{Pkg|iodine}}}}
* {{App|isatapd|Creates and maintains an ISATAP tunnel ([[RFC:5214]]).|http://www.saschahlusiak.de/linux/isatap.htm|{{Pkg|isatapd}}}}
* {{App|Ping Tunnel|A tool for reliably tunneling TCP connections over ICMP echo request and reply packets.|https://www.cs.uit.no/~daniels/PingTunnel/|{{Pkg|ptunnel}}}}
* {{App|Tuntox|Tunnel TCP connections over the Tox protocol.|https://github.com/gjedeer/tuntox/|{{Pkg|tuntox}}}}

=== Deep packet inspection circumvention ===

Tools to avoid censorship, bandwidth throttle without anonymization. See [[Wikipedia:Deep packet inspection]], [[Wikipedia:Internet censorship circumvention]] for an introduction to the topic.

* {{App|Bypass DPI|A simple software using SOCKS5, written in C and targeted at Russian censorship.|https://github.com/hufrea/byedpi|{{AUR|byedpi}}}}
* {{App|Cloak|A pluggable transport that works alongside traditional proxy tools like [[OpenVPN]], written in Go.|https://github.com/cbeuw/Cloak|{{AUR|cloak-obfuscation}}}}
* {{App|DPI Tunnel|An HTTP/transparent proxy, written in C++ and targeted at Russian censorship.|https://github.com/txtsd/DPITunnel|{{AUR|dpitunnel}}}}
* {{App|Green Tunnel|An anti-censorship utility using SOCKS5, written in nodejs and targeted at Iranian censorship.|https://github.com/SadeghHayeri/GreenTunnel|{{AUR|green-tunnel}}}}
* {{App|hysteria|A powerful, lightning fast and censorship resistant proxy that masquerades as standard HTTP/3 traffic. Supports SOCKS5, TUN, and TCP/UDP forwarding. Written in Go.|https://hysteria.network/|{{AUR|hysteria}}}}
* {{App|naiveproxy|A proxy using Chrome's network stack to camouflage traffic as normal HTTPS, making it highly resistant to DPI. Written in C++.|https://github.com/klzgrad/naiveproxy|{{AUR|naiveproxy}}}}
* {{App|Psiphon|An open-source Internet censorship circumvention system that uses SSH tunneling and obfuscation to bypass firewalls. Includes both client and server components.|https://github.com/Psiphon-Labs/psiphon-tunnel-core|{{AUR|psiphon-console-client}}, {{AUR|psiphon-server}}}}
* {{App|SpoofDPI|A simple and fast tool using SOCKS5, written in Go.|https://github.com/xvzc/SpoofDPI|{{AUR|spoofdpi}}}}
* {{App|zapret|A Netfilter queue mode or SOCKS5/transparent proxy, written in C and targeted at Russian censorship.|https://github.com/bol-van/zapret|{{AUR|zapret-git}}}}

=== Speedtest tools ===

* {{App|cloudflarespeedtest|Test Cloudflare CDN latency and speed to find the fastest IP.|https://github.com/XIU2/CloudflareSpeedTest|{{AUR|cloudflarespeedtest-bin}}}}
* {{App|LibreSpeed|Open source speedtest with graphical GTK client.|https://librespeed.org/|{{AUR|speedtest-librespeed}}}}
* {{App|nperf|Wide-area network speed test application.|https://www.nperf.com/|{{AUR|nperf-gui-appimage}}}}
* {{App|SpeedTest++|Unofficial speedtest.net CLI using raw TCP for better accuracy.|https://github.com/taganaka/SpeedTest|{{AUR|speedtest++}}}}
* {{App|speedtest-cli|Command-line interface for testing internet bandwidth using speedtest.net servers.|https://github.com/sivel/speedtest-cli|{{Pkg|speedtest-cli}}}}

=== Network monitoring and diagnostics tools ===

* {{App|bandwhich|Terminal bandwidth utilization tool showing usage by process, connection, and remote IP/hostname.|https://github.com/imsnif/bandwhich |{{Pkg|bandwhich}}}}
* {{App|dog|Modern command-line DNS client alternative to dig with colored output and JSON support.|https://dns.lookup.dog/ |{{Pkg|dog}}}}
* {{App|flent|The Fleet Network Tester for measuring bufferbloat and latency under load.|https://flent.org/ |{{AUR|flent}}}}
* {{App|gping|Ping with a real-time graph visualization of latency to multiple hosts.|https://github.com/orf/gping |{{Pkg|gping}}}}
* {{App|hyperfine|Command-line benchmarking tool, useful for comparing network response times.|https://github.com/sharkdp/hyperfine |{{Pkg|hyperfine}}}}
* {{App|netsniff-ng|High-performance Linux network packet sniffer and analyzer toolkit.|http://netsniff-ng.org/ |{{Pkg|netsniff-ng}}}}
* {{App|oha|HTTP load generator with TUI showing detailed timing breakdown (DNS, TCP, TLS, TTFB).|https://github.com/hatoo/oha |{{Pkg|oha}}}}
* {{App|ooniprobe-cli|Official OONI Probe CLI for detecting internet censorship, website blocking, and traffic manipulation.|https://ooni.org/ |{{AUR|ooniprobe-cli}}}}
* {{App|sniffnet|Network traffic monitoring with TUI/GUI, statistics by protocol, and per-host analysis.|https://github.com/GyulyVGC/sniffnet |{{Pkg|sniffnet}}}}
* {{App|tcping|TCP connectivity checker that bypasses ICMP blocks for port-specific diagnostics.|https://github.com/zhengxiaowai/tcping|{{AUR|tcping}}}}
* {{App|termshark|Terminal UI for tshark, providing a Wireshark-like interface in the terminal.|https://termshark.io/ |{{Pkg|termshark}}}}
* {{App|trippy|A network diagnostic tool combining traceroute and ping with an interactive TUI.|https://github.com/fujiapple852/trippy |{{Pkg|trippy}}}}

== Web browsers ==

See also [[Wikipedia:Comparison of web browsers]].

=== Console ===

* {{App|[[Wikipedia:Browsh|browsh]]|A fully-modern text-based browser. Runs as a frontend to headless Firefox.|https://www.brow.sh/|{{AUR|browsh}}}}
* {{App|Carbonyl|A Chromium based browser built to run in a terminal.|https://fathy.fr/carbonyl|{{AUR|carbonyl}}}}
* {{App|Chawan|A web browser for your terminal.|https://sr.ht/~bptato/chawan/|{{Pkg|chawan}}}}
* {{App|[[ELinks]]|Advanced and well-established feature-rich text mode web browser with mouse wheel scroll support, frames and tables, extensible with Lua & Guile (links fork).|http://elinks.or.cz/|{{Pkg|elinks}}}}
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a console version similar to Lynx.|http://links.twibright.com/|{{Pkg|links}}}}
* {{App|[[Wikipedia:Lynx (web browser)|Lynx]]|Text browser for the World Wide Web.|https://lynx.invisible-island.net/|{{Pkg|lynx}}}}
* {{App|[[w3m]]|Pager/text-based web browser. It has vim-like keybindings, and is able to display images.|https://salsa.debian.org/debian/w3m|{{Pkg|w3m}}}}

=== Graphical ===

==== Gecko-based ====

See also [[Wikipedia:Gecko (software)]].

* {{App|[[Firefox]]|Extensible browser from Mozilla based on Gecko with fast rendering.|https://mozilla.com/firefox|{{Pkg|firefox}}}}
* {{App|[[Wikipedia:SeaMonkey|SeaMonkey]]|Continuation of the Mozilla Internet Suite.|https://www.seamonkey-project.org/|{{AUR|seamonkey}}}}

===== Firefox spin-offs =====

* {{App|[[Wikipedia:Floorp|Floorp]]|Firefox-based browser developed by a community of students in Japan.| https://floorp.ablaze.one|{{AUR|floorp}}}}
* {{App|[[Wikipedia:GNU IceCat|GNU IceCat]]|A customized build of Firefox ESR distributed by the GNU Project, stripped of non-free components and with additional privacy extensions. Release cycle may be delayed compared to Mozilla Firefox.|https://www.gnu.org/software/gnuzilla/|{{AUR|icecat}}}}
* {{App|Konform Browser|A customized build of Firefox ESR focused on security, privacy and freedom. Originally based on LibreWolf.|https://codeberg.org/konform-browser|{{AUR|konform-browser}}}}
* {{App|[[Wikipedia:LibreWolf|LibreWolf]]|A fork of Firefox, focused on privacy, security and freedom.|https://librewolf.net/|{{AUR|librewolf}}}}
* {{App|[[Wikipedia:Midori (web browser)|Midori]]|Light, fast and secure browser.|https://github.com/goastian/midori-desktop|{{AUR|midori}}}}
* {{App|[[Wikipedia:Mullvad Browser|Mullvad Browser]]|Privacy-focused web browser developed by Mullvad VPN and the Tor Project based on Firefox ESR.|https://mullvad.net/en/browser|{{AUR|mullvad-browser-bin}}}}
* {{App|[[Tor]] Browser Launcher|Securely and easily download, verify, install, and launch Tor Browser, a fork of Firefox ESR.|https://github.com/micahflee/torbrowser-launcher|{{Pkg|torbrowser-launcher}}}}
* {{App|[[Wikipedia:Waterfox|Waterfox]]|Fork of Mozilla Firefox featuring some privacy, usability, and speed enhancements.|https://www.waterfox.net/|{{AUR|waterfox}}}}
* {{App|[[Wikipedia:Zen Browser|Zen Browser]]|An experimental, performance-optimized fork of Firefox focused on customizability and design with additional features.|https://www.zen-browser.app/|{{AUR|zen-browser-bin}}}}

==== Blink-based ====

See also [[Wikipedia:Blink (web engine)]].

* {{App|[[Chromium]]|Web browser developed by Google, the open source project behind Google Chrome.|https://www.chromium.org/|{{Pkg|chromium}}}}

===== Privacy-focused chromium spin-offs =====

* {{App|[[Wikipedia:Brave (web browser)|Brave]]|Web browser with builtin ad- and tracker blocking.|https://www.brave.com/|{{AUR|brave-bin}}}}
* {{App|Cromite|Cromite is a Chromium fork based on Bromite (Currently unmaintained) with built-in support for ad blocking and an eye for privacy. See [https://github.com/uazo/cromite/blob/master/docs/FEATURES.md List of features].|https://www.cromite.org/|{{AUR|cromite-bin}}}}
* {{App|Helium|A browser in beta based on Ungoogled Chromium with Chrome Web Store proxying and additional features, such as split view and !bangs in the address bar.|https://helium.computer/|{{AUR|helium-browser-bin}}}}
* {{App|Thorium|Thorium develops a periodically synchronized fork of the Chromium browser, expanded with additional patches to optimize performance, improve usability and enhance security. According to the developers' tests Thorium is 8-40% ahead of the regular Chromium, mainly due to the inclusion of additional optimizations during compilation.|https://thorium.rocks/|{{AUR|thorium-browser-bin}}}}
* {{App|[[Wikipedia:Ungoogled Chromium|Ungoogled Chromium]]|Modifications to Google Chromium for removing Google integration and enhancing privacy, control, and transparency|https://github.com/ungoogled-software/ungoogled-chromium|{{AUR|ungoogled-chromium}}}}
* {{App|[[Wikipedia:Ungoogled Chromium|Ungoogled Chromium]] (Widevine)|A patched version of Ungoogled Chromium for those who want to benefit from its privacy features while also being able to access DRM-protected content.|https://github.com/ungoogled-software/ungoogled-chromium|{{AUR|ungoogled-chromium-widevine-bin}}}}

===== Proprietary chromium spin-offs =====

* {{App|[[Wikipedia:Google Chrome|Google Chrome]]|Proprietary web browser developed by Google.|https://www.google.com/chrome/|{{AUR|google-chrome}}}}
* {{App|[[Wikipedia:Microsoft Edge|Microsoft Edge]]|Proprietary web browser developed by Microsoft.|https://www.microsoft.com/edge/|{{AUR|microsoft-edge-stable-bin}}}}
* {{App|[[Wikipedia:Opera (web browser)|Opera]]|Proprietary browser developed by Opera Software.|https://opera.com|{{AUR|opera}}}}
* {{App|[[Wikipedia:SlimBrowser|Slimjet]]|Fast, smart and powerful proprietary browser based on Chromium.|https://www.slimjet.com/|{{AUR|slimjet}}}}
* {{App|[[Wikipedia:SRWare Iron|SRWare Iron]]|Light-weight proprietary browser based on Chromium.|https://www.srware.net/iron/|{{AUR|srware-iron-bin}}}}
* {{App|[[Vivaldi]]|An advanced proprietary browser made with the power user in mind.|https://vivaldi.com/|{{Pkg|vivaldi}}}}
* {{App|[[Wikipedia:Yandex Browser|Yandex Browser]]|Proprietary browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.|https://browser.yandex.com/|{{AUR|yandex-browser}}}}

===== Browsers based on Qt WebEngine =====

{{Note|''qt5-webengine''–based browsers were removed from the list, because it is today considered insecure and outdated.}}

* {{App|Angelfish|Web browser for Plasma Mobile. Part of {{Grp|kde-network}}.|https://apps.kde.org/angelfish/|{{Pkg|angelfish}}}}
* {{App|[[Wikipedia:Dooble|Dooble]]|Colorful Web browser.|https://textbrowser.github.io/dooble/|{{AUR|dooble}}}}
* {{App|[[Wikipedia:Eric Python IDE|Eric]]|QtWebEngine-based HTML browser, part of the eric6 development toolset, can be launched with the {{ic|eric6_browser}} command.|https://eric-ide.python-projects.org/|{{AUR|eric}}}}
* {{App|[[Wikipedia:Falkon|Falkon]]|Web browser based on QtWebEngine, written in Qt framework. Part of {{Grp|kde-network}}.|https://falkon.org/|{{Pkg|falkon}}}}
* {{App|Fiery|A convergent web browser. Part of {{Grp|maui}}.|https://mauikit.org/apps/|{{Pkg|fiery}}}}
* {{App|[[Wikipedia:Konqueror|Konqueror]]|Web browser based on Qt toolkit and Qt WebEngine. Part of {{Grp|kde-network}}.|https://apps.kde.org/konqueror/|{{Pkg|konqueror}}}}
* {{App|[[qutebrowser]]|A keyboard-driven, [[vim]]-like browser based on PyQt5 and QtWebEngine.|https://qutebrowser.org/|{{Pkg|qutebrowser}}}}

===== Browsers based on Electron =====

* {{App|Catalyst|A minimal FOSS web browser with no data collection.|https://getcatalyst.eu.org|{{AUR|catalyst-browser-bin}}}}
* {{App|Franz|Messaging browser for WhatsApp, Facebook Messenger, Slack, Telegram and many other web services.|https://meetfranz.com/|{{AUR|franz}}}}
* {{App|Ferdium|A GPL-licensed alternative to Franz, forked from Franz.|https://ferdium.org/|{{AUR|ferdium}}}}
* {{App|Min|A fast, minimal browser that protects your privacy. It includes an interface designed to minimize distractions.|https://minbrowser.org/|{{AUR|min}}}}
* {{App|Vieb|Minimalist Electron-based browser with Vim-inspired keybindings and a built-in ad-blocker.|https://vieb.dev|{{AUR|vieb-bin}}}}

==== WebKitGTK-based ====

See also [[Wikipedia:WebKit]].

{{Note|''webkitgtk, webkitgtk2, qt5-webkit'' and ''qtwebkit''–based browsers were removed from the list, because these are today considered insecure and outdated. More info [https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ here] and [https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ here].}}

Most of these support ad-blocking via [https://github.com/jun7/wyebadblock wyebadblock].
* {{App|[[Badwolf]]|A minimalist privacy-focused browser.|https://hacktivis.me/projects/badwolf|{{AUR|badwolf}}}}
* {{App|Eolie|Simple web browser for GNOME.|https://wiki.gnome.org/Apps/Eolie|{{Pkg|eolie}}}}
* {{App|[[GNOME Web]]|Browser which uses the WebKitGTK rendering engine. Part of {{Grp|gnome}}.|https://apps.gnome.org/Epiphany/|{{Pkg|epiphany}}}}
* {{App|[[Luakit]]|Fast, small, webkit based browser framework extensible by Lua.|https://luakit.github.io/|{{Pkg|luakit}}}}
* {{App|[[Nyxt]]|Keyboard-oriented, infinitely extensible browser designed for power users. It has familiar key-bindings (Emacs, VI, CUA) and features fuzzy searching between tabs, multiple selections, history as a tree and more.|https://nyxt.atlas.engineer/|{{Pkg|nyxt}}}}
* {{App|[[surf]]|Lightweight WebKit-based browser, which follows the [https://suckless.org/philosophy suckless philosophy] (basically, the browser itself is a single C source file).|https://surf.suckless.org/|{{AUR|surf}}}}
* {{App|Surfer|Simple keyboard based web browser, written in C. It supports custom JS-scripts.|https://github.com/nihilowy/surfer|{{AUR|surfer-git}}}}
* {{App|Tangram|Integration of web applications into the desktop, specifically GNOME.|https://apps.gnome.org/Tangram/|{{Pkg|tangram}}}}
* {{App|Vimb|A Vim-like web browser written in C that is inspired by Pentadactyl and Vimprobable. It includes a manpage and a howto for common configurations. It supports custom JS-scripts, dark mode and handles geolocation requests.|https://fanglingsu.github.io/vimb/|{{Pkg|vimb}}}}
* {{App|wyeb|A vim-like web browser inspired by dwb and luakit with Adblock.|https://github.com/jun7/wyeb|{{AUR|wyeb-git}}}}

==== Goanna-based ====

See also [[Wikipedia:Goanna (software)]].

* {{App|[[Wikipedia:Basilisk (web browser)|Basilisk]]|A XUL-based web browser, similar in design to Firefox, aimed at providing a fully functional browsing experience with a classic interface.|https://basilisk-browser.org/|{{AUR|basilisk}}}}
* {{App|[[Wikipedia:Pale Moon (web browser)|Pale Moon]]|A Firefox fork focussing on speed, with a pre-Firefox 29 interface. Uses [[Wikipedia:Goanna (software)|Goanna]] layout engine, a fork of Gecko. Firefox add-ons may not be compatible. Without support for newer Firefox features such as WebExtensions, cache2, e10s, and OTMC. Many of the old [https://github.com/JustOff/ca-archive 93,598 versions of 19,450 Firefox add-ons created by 14,274 developers over the past 15 years using XUL/XPCOM technology in the Classic Add-ons Archive] still work.|https://www.palemoon.org/|{{AUR|palemoon}}}}

==== Servo-based ====

* {{App|[[Wikipedia:Servo (software)|Servo]]|Web browser rendering engine written in Rust, with WebGL and WebGPU support, and adaptable to desktop, mobile, and embedded applications.|https://servo.org/|{{AUR|servo}}}}
* {{App|Verso|Experimental web browser based on Servo experimenting with multi-view and multi-window and building UI elements entirely from Servo.|https://github.com/versotile-org/verso/|{{AUR|verso-git}}}}

==== Other ====

* {{App|[[Dillo]]|Small, fast graphical web browser built on [[Wikipedia:Fltk|FLTK]]. Uses its own layout engine.|https://dillo-browser.org/|{{Pkg|dillo}}}}
* {{App|[[Wikipedia:Ladybird (web browser)|Ladybird]]|Web browser built from scratch using the [[Wikipedia:SerenityOS|SerenityOS]] LibWeb engine.|https://ladybird.org/|{{AUR|ladybird}}}}
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a graphical X-window/framebuffer version with CSS, image rendering, pull-down menus. It can be launched with the {{ic|xlinks -g}} command.|http://links.twibright.com/|{{Pkg|links}}}}
* {{App|[[Wikipedia:NetSurf|NetSurf]]|Featherweight browser written in C, notable for its slowly developing JavaScript support and fast rendering through its own layout engine.|https://www.netsurf-browser.org/|{{Pkg|netsurf}}}}

=== Gemini browsers ===

See also [[Wikipedia:Gemini (protocol)#Software]].

* {{App|Amfora|Terminal browser for the Gemini protocol.|https://github.com/makeworld-the-better-one/amfora|{{Pkg|amfora}}}}
* {{App|Bombabillo|Non-web client for the terminal, supporting Gopher, Gemini and much more.|https://bombadillo.colorfield.space/|{{AUR|bombadillo}}}}
* {{App|Castor|Graphical client for the Gemini, Gopher, and Finger protocols, written in Rust with GTK.|https://git.sr.ht/~julienxx/castor|{{AUR|castor}}}}
* {{App|Geopard|A graphical gemini client written in rust, using the gtk4 toolkit.|https://github.com/ranfdev/Geopard|{{AUR|geopard}}}}
* {{App|Kristall|Qt-based Gemini browser.|https://github.com/MasterQ32/kristall|{{AUR|kristall}}}}
* {{App|Lagrange|Desktop GUI client for browsing Gemini space, offering modern conveniences familiar from web browsers.|https://gmi.skyjake.fi/lagrange|{{AUR|lagrange}}}}
* {{App|Telescope|w3m-like browser for Gemini.|https://www.telescope-browser.org/{{Dead link|2025|08|15|status=SSL error}}|{{AUR|telescope}}}}

== Web servers ==

A [[Wikipedia:Web server|web server]] serves HTML web pages and other files via HTTP to clients like [[:Category:Web browser|web browsers]].
The major web servers can be interfaced with programs to serve dynamic content ([[web applications]]).

See also [[:Category:Web server]] and [[Wikipedia:Comparison of web server software]].

* {{App|[[Apache HTTP Server]]|A high performance Unix-based HTTP server.|https://httpd.apache.org/|{{Pkg|apache}}}}
* {{App|[[Caddy]]|HTTP/3 web server with automatic HTTPS.|https://caddyserver.com/|{{Pkg|caddy}}}}
* {{App|[[Hiawatha]]|Secure and advanced web server.|https://hiawatha.leisink.net/|{{AUR|hiawatha}}}}
* {{App|[[Lighttpd]]|A secure, fast, compliant and very flexible web-server.|https://www.lighttpd.net/|{{Pkg|lighttpd}}}}
* {{App|[[nginx]]|Lightweight HTTP server and IMAP/POP3 proxy server.|https://nginx.org/|{{Pkg|nginx}}}}
* {{App|sthttpd|Supported fork of the thttpd web server.|https://github.com/blueness/sthttpd|{{AUR|sthttpd}}}}
* {{App|Traefik|A modern reverse proxy and load balancer that makes deploying microservices easy.|https://traefik.io/traefik/|{{Pkg|traefik}}}}
* {{App|yaws|Web server/framework written in Erlang.|https://erlyaws.github.io/|{{AUR|yaws}}}}

=== Static web servers ===

* {{App|Apache Traffic Server|Fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.|https://trafficserver.apache.org/|{{AUR|trafficserver}}}}
* {{App|darkhttpd|A small and secure static web server, written in C, does not support HTTPS or Auth.|https://unix4lyfe.org/darkhttpd/|{{Pkg|darkhttpd}}}}
* {{App|http.server|[[Python]] standard library module, which can be used from the command-line, but due to security considerations not recommended for production.|https://docs.python.org/library/http.server.html|{{Pkg|python}}}}
* {{App|[[miniserve]]|Rust alternative to darkhttpd with UTF-8, optional HTTP authentication, file uploading, and more.|https://github.com/svenstaro/miniserve|{{Pkg|miniserve}}}}
* {{App|quark|An extremely small and simple http get-only web server. It only serves static pages on a single host.|https://tools.suckless.org/quark/|{{AUR|quark-git}}}}
* {{App|serve|Static file serving and directory listing.|https://github.com/zeit/serve|{{AUR|nodejs-serve}}}}
* {{App|Webfs|Simple and instant web server for mostly static content.|https://linux.bytesex.org/misc/webfs.html|{{AUR|webfs}}}}

=== Specialized web servers ===

* {{App|chezdav|WebDAV server that allows to share a particular directory.|https://wiki.gnome.org/phodav|{{Pkg|phodav}}}}
* {{App|LibreKitten|Block-based programming language based off Scratch that includes a web server extension.|https://librekitten.org|{{AUR|librekitten-cli-bin}}}}
* {{App|Mongoose|Embedded web server library, supports WebSocket and MQTT.|https://github.com/cesanta/mongoose|{{AUR|mongoose}}}}
* {{App|OnionShare|Lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you.|https://onionshare.org/|{{Pkg|onionshare}}}}
* {{App|Transfer More|A minimalist open-source upload HTTP server to store and share files temporarily, written in Crystal, and based on Kemal.|https://up.sceptique.eu/|{{AUR|transfer-more}}}}
* {{App|VServer|GTK application, which opens an http server in the selected folder and shares your files.|https://github.com/bcedu/ValaSimpleHTTPServer|{{AUR|vserver-git}}}}
* {{App|webhook|Small server for creating HTTP endpoints (hooks)|https://github.com/adnanh/webhook|{{Pkg|webhook}}}}
* {{App|Woof|An ad-hoc single file webserver; Web Offer One File.|http://www.home.unix-ag.org/simon/woof.html|{{AUR|woof}}}}

=== WSGI servers ===

* {{App|Gunicorn|A Python WSGI HTTP Server for UNIX.|https://gunicorn.org/|{{Pkg|gunicorn}}}}
* {{App|[[uWSGI]]|A fast, self-healing and developer/sysadmin-friendly application container server written in C.|https://uwsgi-docs.readthedocs.io/|{{Pkg|uwsgi}}}}
* {{App|Waitress|A WSGI server for Python 3.|https://github.com/Pylons/waitress|{{Pkg|python-waitress}}}}

Apache also supports WSGI with [[mod_wsgi]].

=== Performance testing ===

* {{App|httperf|Can generate various HTTP workloads, written in C.|https://github.com/httperf/httperf|{{AUR|httperf-git}}}}
* {{App|httping|A "ping"-like tool for HTTP requests|https://www.vanheusden.com/httping/|{{Pkg|httping}}}}
* {{App|http_load|A webserver performance testing tool, runs in a single process.|https://www.acme.com/software/http_load/{{Dead link|2025|03|15|status=SSL error}}|{{AUR|http_load}}}}
* {{App|siege|An HTTP regression testing and benchmarking utility.|https://www.joedog.org/siege-home/|{{Pkg|siege}}}}
* {{App|vegeta|HTTP load testing tool, written in Go.|https://github.com/tsenart/vegeta|{{Pkg|vegeta}}}}
* {{App|Web Bench|Benchmarking tool, uses fork() for simulating multiple clients.|http://home.tiscali.cz/~cz210552/webbench.html|{{AUR|webbench}}}}

== File sharing ==

=== Download managers ===

See also [[Wikipedia:Comparison of download managers]].

==== Console ====

* {{App|[[aria2]]|Lightweight download utility that supports HTTP/S, FTP, SFTP, BitTorrent and Metalink. It can run as a daemon controlled via a built-in JSON-RPC or XML-RPC interface.|https://aria2.github.io/|{{Pkg|aria2}}}}
* {{App|Axel|Featherweight command line download accelerator sitting at under 250kB on disk. Supports HTTP/S and FTP.|https://github.com/eribertomota/axel|{{Pkg|axel}}}}
* {{App|[[cURL]]|A URL retrieval utility and library. Supports HTTP, FTP and SFTP.|https://curl.haxx.se/|{{Pkg|curl}}}}
* {{App|Gtuber|Fetch media info from websites (bilibili, lbry, niconico, reddit, twitch, youtube). Includes a command-line downloader ({{ic|gtuber-dl}}) and a GStreamer plugin, which is used automatically when you try playing video from website that Gtuber can handle in your GStreamer based application.|https://github.com/Rafostar/gtuber|{{AUR|gtuber}}}}
* {{App|HTTPie|Human-friendly command-line HTTP client for the API era.|https://github.com/httpie/httpie|{{Pkg|httpie}}}}
* {{App|[[Wikipedia: dargahamn.net | dargahamn.net ]]|An easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.|https://www. dargahamn.net .com/|{{Pkg| dargahamn.net }}}}
* {{App|[[Wikipedia:Lftp|LFTP]]|Sophisticated file transfer program. Supports HTTP, FTP, SFTP, FISH, and BitTorrent.|https://lftp.yar.ru/|{{Pkg|lftp}}}}
* {{App|Plowshare|A set of command-line tools designed for managing file-sharing websites (aka Hosters).|https://github.com/mcrapet/plowshare|{{AUR|plowshare}}}}
* {{App|[[Wikipedia:RTMPDump|RTMPDump]]|Download FLV videos through RTMP (Adobe's proprietary protocol for Flash video players)|http://rtmpdump.mplayerhq.hu/|{{Pkg|rtmpdump}}}}
* {{App|snarf|Command-line URL retrieval tool. Supports HTTP and FTP.|https://www.xach.com/snarf/|{{AUR|snarf}}}}
* {{App|[[Streamlink]]|Launch streams from various streaming services in a custom video player or save them to a file.|https://streamlink.github.io/|{{Pkg|streamlink}}}}
* {{App|[[Wikipedia:Streamripper|Streamripper]]|Records and splits streaming mp3 into tracks.|https://streamripper.sourceforge.net/|{{AUR|streamripper}}}}
* {{App|[[Wget]]|A network utility to retrieve files from the Web. Supports HTTP and FTP.|https://www.gnu.org/software/wget/|{{Pkg|wget}}}}
* {{App|yewtube|Terminal-based YouTube player and downloader.|https://github.com/mps-youtube/yewtube|{{AUR|yewtube}}}}
* {{App|You-Get|Download media contents (videos, audios, images) from the Web.|https://you-get.org/|{{AUR|you-get}}}}
* {{App|youtube-dl|Download videos from YouTube and many other web sites.|https://rg3.github.io/youtube-dl/|{{AUR|youtube-dl}}}}
* {{App|youtube-viewer|Command line utility for viewing YouTube videos.|https://github.com/trizen/youtube-viewer|{{AUR|youtube-viewer}}}}
* {{App|[[yt-dlp]]|A youtube-dl fork with additional features and fixes.|https://github.com/yt-dlp/yt-dlp|{{Pkg|yt-dlp}}}}
* {{App|ytfzf|A POSIX script to find and watch youtube videos from the terminal.|https://github.com/pystardust/ytfzf|{{Pkg|ytfzf}}}}

==== Graphical ====

* {{App|ClipGrab|Downloader and converter for YouTube, Vimeo and many other online video sites.|https://clipgrab.org/|{{AUR|clipgrab}}}}
* {{App|FatRat|Qt based download manager with support for HTTP, FTP, SFTP, BitTorrent and Metalink.|https://github.com/LubosD/fatrat|{{AUR|fatrat-git}}}}
* {{App|Forklift|Simple GUI for youtube-dl using PyGObject.|https://github.com/Johnn3y/Forklift|{{AUR|forklift-git}}}}
* {{App|gtk-youtube-viewer|GTK utility for viewing YouTube videos. See optional dependencies for the GUI.|https://github.com/trizen/youtube-viewer|{{AUR|youtube-viewer}}}}
* {{App|[[Wikipedia:Wget#GWget|Gwget]]|Download manager for GNOME. Supports HTTP and FTP.|https://gitlab.gnome.org/Archive/gwget|{{AUR|gwget}}}}
* {{App|Gydl|GUI wrapper around the already existing youtube-dl program to download content from sites like YouTube.|https://github.com/JannikHv/gydl|{{AUR|gydl-git}}}}
* {{App|Gyre|GTK3 downloader for videos from Coub.|https://github.com/HelpSeeker/Gyre|{{AUR|gyre}}}}
* {{App|[[JDownloader]]|Java-based downloader for one-click hosting sites.|https://jdownloader.org/|{{AUR|jdownloader2}}}}
* {{App|[[Wikipedia:KGet|KGet]]|Download manager for KDE. Supports HTTP, FTP, BitTorrent and Metalink. Part of {{Grp|kde-network}}.|https://apps.kde.org/kget/|{{Pkg|kget}}}}
* {{App|MegaBasterd|Yet another unofficial MEGA downloader/uploader/streaming suite.|https://github.com/tonikelope/megabasterd|{{AUR|megabasterd-bin}}}}
* {{App|Motrix|Full-featured download manager that supports downloading HTTP, FTP, BitTorrent, Magnet, etc. Based on the [https://electronjs.org/ Electron] platform.|https://motrix.app/|{{AUR|motrix}}}}
* {{App|Persepolis|Graphical front-end for aria2 download manager with lots of features. Supports HTTP and FTP.|https://persepolisdm.github.io/|{{Pkg|persepolis}}}}
* {{App|[[pyLoad]]|Downloader written in Python and designed to be extremely lightweight, easily extensible and fully manageable via web.|https://pyload.net/|{{AUR|pyload-ng}}}}
* {{App|Steadyflow|Simple download manager for GNOME. Supports HTTP and FTP.|https://launchpad.net/steadyflow|{{Pkg|steadyflow}}}}
* {{App|Streamtuner2|Internet radio station and video browser. It simply lists stations in categories from different directories and launches your preferred media apps for playback.|https://sourceforge.net/projects/streamtuner2/|{{AUR|streamtuner2}}}}
* {{App|uGet|GTK download manager featuring download classification and HTML import. Supports HTTP, FTP, BitTorrent, Metalink, YouTube and Mega.|https://ugetdm.com/|{{Pkg|uget}}}}
* {{App|Varia|GTK frontend for aria2c and yt-dlp.|https://github.com/giantpinkrobots/varia|{{AUR|varia}}}}
* {{App|Video Downloader|GTK application to download videos from websites like YouTube and many others (based on youtube-dl).|https://github.com/Unrud/video-downloader|{{AUR|video-downloader}}}}
* {{App|Xtreme Download Manager|Powerful tool to increase download speed up-to 500%. Supports HTTP and FTP. Video grabber works in a general way and is not limited to certain websites.|https://subhra74.github.io/xdm/|{{AUR|xdman}}}}
* {{App|youtubedl-gui|Simple-to-use graphical interface for youtube-dl.|https://github.com/JaGoLi/ytdl-gui|{{AUR|youtubedl-gui}}}}

=== LAN file transfer ===

See also [[#LAN messengers]].

* {{App|LAN Share|Cross-platform local area network file transfer application, built using Qt GUI framework. It can be used to transfer a whole folder, one or more files, large or small immediately without any additional configuration.|https://github.com/abdularis/LAN-Share|{{AUR|lanshare}}}}
* {{App|LocalSend|Cross-platform app to securely share files and messages with nearby devices over the local network without needing an internet connection.|https://localsend.org/|{{AUR|localsend}}}}
* {{App|Magic Wormhole|Command-line tool {{ic|wormhole}} to securely transfer data between computers.|https://github.com/magic-wormhole/magic-wormhole|{{Pkg|magic-wormhole}}}}
* {{App|NitroShare|Cross-platform network file transfer application, built using Qt GUI framework. It is designed to make transferring files from one device to another on the local network extremely simple.|https://nitroshare.net/|{{AUR|nitroshare}}}}
* {{App|Teleport|Native GTK3 application to effortlessly share files on the local network.|https://gitlab.gnome.org/jsparber/teleport|{{AUR|teleport-share-git}}}}
* {{App|Warp|Securely send files to each other via the internet or local network by exchanging a word-based code. It uses the Magic Wormhole protocol.|https://apps.gnome.org/Warp/|{{Pkg|warp}}}}
* {{App|Warpinator|GTK application to share files across the LAN.|https://github.com/linuxmint/warpinator|{{Pkg|warpinator}}}}

=== Cloud storage servers ===

* {{App|copyparty|Lightweight and portable file server with extensive protocol, media playback and file management support.|https://github.com/9001/copyparty|{{Pkg|copyparty}}}}
* {{App|[[Cozy]]|A personal cloud you can hack, host and delete.|https://cozy.io/|{{Pkg|cozy-stack}}}}
* {{App|[[Nextcloud]]|A cloud server to store your files centrally on a hardware controlled by you.|https://nextcloud.com|{{Pkg|nextcloud}}}}
* {{App|[[Pydio]]|Mature open source web application for file sharing and synchronization.|https://pydio.com/|{{AUR|pydio}}}}
* {{App|Seafile|An online file storage and collaboration tool with advanced support for file syncing, privacy protection and teamwork.|https://www.seafile.com/|{{AUR|seafile-server}}}}

=== Cloud synchronization clients ===

{{Tip|<nowiki></nowiki>
* Some [[synchronization and backup programs]] provide direct support for some cloud-storage services.
* Some [[FUSE#List of FUSE filesystems|FUSE filesystems]] provide a way to mount cloud-storage as a filesystem. Google Drive can be accessed also by {{Pkg|kio-gdrive}} for KIO-based applications (like [[Dolphin]]).
* See [[Data-at-rest encryption#Cloud-storage optimized]] to achieve zero-knowledge (client-side transparent encryption) storage on any third-party cloud service.
}}

==== Multi-protocol clients ====

* {{App|CloudCross|Synchronize local files and folders with many cloud providers. Mail.ru Cloud, Yandex Disk, Google Drive, OneDrive and Dropbox support is available.|https://github.com/MasterSoft24/CloudCross|{{AUR|cloudcross}}}}
* {{App|Rclone|Multi-provider sync, copy, and mount client.|https://rclone.org/|{{Pkg|rclone}}}}
* {{App|Rclone Browser|GUI client for Rclone.|https://github.com/kapitainsky/RcloneBrowser|{{AUR|rclone-browser}}}}

==== Google Drive clients ====

* {{App|DriveSync|Command line utility that synchronizes your Google Drive files with a local folder on your machine.|https://github.com/MStadlmeier/drivesync|{{AUR|drivesync}}}}
* {{App|gdrive|Command line utility for interacting with Google Drive.|https://github.com/prasmussen/gdrive|{{AUR|gdrive}}}}
* {{App|Google Drive OCamlFUSE|A FUSE filesystem for Google Drive, written in OCaml.|https://github.com/astrada/google-drive-ocamlfuse|{{AUR|google-drive-ocamlfuse}}}}
* {{App|Grive|Google Drive client with support for new Drive REST API and partial sync.|https://github.com/vitalif/grive2|{{AUR|grive}}}}
* {{App|[[Insync]]|Unofficial proprietary Google Drive desktop client.|https://www.insynchq.com/|{{AUR|insync}}}}

==== Other synchronization clients ====

* {{App|aws-cli|CLI for Amazon Web Services, including efficient file transfers to and from Amazon S3.|https://aws.amazon.com/cli/|{{Pkg|aws-cli}}}}
* {{App|Backblaze B2|Backblaze B2 open-source command-line client.|https://www.backblaze.com/b2/cloud-storage.html|{{AUR|backblaze-b2}}}}
* {{App|Baidu Netdisk|Proprietary client for cloud storage service launched by Baidu (formerly Baidu Cloud).|https://pan.baidu.com|{{AUR|baidunetdisk-bin}}}}
* {{App|[[Cozy]] Drive|Desktop client for Cozy.|https://cozy-labs.github.io/cozy-desktop/|{{Pkg|cozy-desktop}}}}
* {{App|[[Dropbox]]|Proprietary desktop client for Dropbox.|https://www.dropbox.com/|{{AUR|dropbox}}}}
* {{App|[[Wikipedia:Mega (service)|Mega]] Sync Client|Proprietary (though [https://github.com/meganz/MEGAsync/blob/master/LICENCE.md source-available]) desktop client to sync files with Mega.|https://mega.nz/|CLI: {{AUR|megacmd}}, GUI: {{AUR|megasync}}}}
* {{App|Megatools|Unofficial CLI for Mega.|https://megatools.megous.com/|{{AUR|megatools}}}}
* {{App|[[Nextcloud]] Client|Desktop client for Nextcloud.|https://nextcloud.com/|{{Pkg|nextcloud-client}}}}
* {{App|Nutstore|Proprietary desktop client for Nutstore.|https://www.jianguoyun.com/|{{AUR|nutstore}}}}
* {{App|OneDrive|Fork of the unofficial CLI for [https://onedrive.live.com/about/ OneDrive].|https://github.com/abraunegg/onedrive|{{AUR|onedrive-abraunegg}}}}
* {{App|[[Wikipedia:ownCloud|ownCloud]] Desktop Client|Desktop syncing client for ownCloud.|https://owncloud.com/client/|{{Pkg|owncloud-client}}}}
* {{App|pCloud Drive|Proprietary desktop syncing client for pCloud. Based on the [https://electronjs.org/ Electron] platform.|https://www.pcloud.com/download-free-online-cloud-file-storage.html|{{AUR|pcloud-drive}}}}
* {{App|[[Pydio]]Sync|Desktop client for Pydio.|https://pydio.com/|{{AUR|pydio-sync}}}}
* {{App|S3cmd|Unofficial CLI for Amazon S3.|https://s3tools.org/s3cmd|{{Pkg|s3cmd}}}}
* {{App|Seafile Client|GUI client for Seafile.|https://www.seafile.com/|{{AUR|seafile-client}}}}
* {{App|[[Wikipedia:SpiderOak|SpiderOak]] One|Proprietary client for SpiderOak One.|https://spideroak.com/|{{AUR|spideroak-one}}}}
* {{App|[[Wikipedia:Synology|Synology]] Drive|Proprietary GUI client to sync and share files between a centralized Synology NAS and multiple client computers.|https://www.synology.com/|{{AUR|synology-drive}}}}
* {{App|[[Wikipedia:Tresorit|Tresorit]]|Proprietary desktop syncing client for Tresorit.|https://tresorit.com/download|{{AUR|tresorit}}}}
* {{App|Versiobit|Desktop file sync client with versioning and end-to-end encryption.|https://versiobit.com|{{AUR|versiobit}}}}
* {{App|[[Yandex Disk]]|Proprietary CLI for Yandex Disk.|https://disk.yandex.ru/|{{AUR|yandex-disk}}}}

=== FTP ===

==== FTP clients ====

See also [[Wikipedia:Comparison of FTP client software]].

* {{App|[[CurlFtpFS]]|is a filesystem for accessing FTP hosts based on FUSE and libcurl.|https://curlftpfs.sourceforge.net/|{{Pkg|curlftpfs}}}}
* {{App|[[Wikipedia:FileZilla|FileZilla]]|Fast and reliable FTP, FTPS and SFTP client.|https://filezilla-project.org/|{{Pkg|filezilla}}}}
* {{App|ftp|Simple ftp client provided by GNU Inetutils|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftp-invocation|{{Pkg|inetutils}}}}
* {{App|lftp|Sophisticated command line based FTP client|https://lftp.yar.ru/|{{Pkg|lftp}}}}
* {{App|ncftp|A set of free application programs implementing FTP.|https://www.ncftp.com/|{{Pkg|ncftp}}}}
* {{App|[[Wikipedia:tnftp|tnftp]]|FTP client with several advanced features for [[Wikipedia:NetBSD|NetBSD]].|https://freshmeat.sourceforge.net/projects/tnftp|{{Pkg|tnftp}}}}

Some file managers like [[Dolphin]], [[GNOME Files]] and [[Thunar]] also provide FTP functionality.

==== FTP servers ====

See also [[Wikipedia:List of FTP server software]].

* {{App|bftpd|Small, easy-to-configure FTP server|https://bftpd.sourceforge.net/|{{Pkg|bftpd}}}}
* {{App|ftpd|Simple ftp server provided by GNU Inetutils|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftpd-invocation|{{Pkg|inetutils}}}}
* {{App|proFTPd|A secure and configurable FTP server|http://www.proftpd.org/|{{AUR|proftpd}}}}
* {{App|[[Pure-FTPd]]|Free (BSD-licensed), secure, production-quality and standard-compliant FTP server.|https://www.pureftpd.org/project/pure-ftpd/|{{AUR|pure-ftpd}}}}
* {{App|[[vsftpd]]|Lightweight, stable and secure FTP server for UNIX-like systems.|https://security.appspot.com/vsftpd.html|{{Pkg|vsftpd}}}}

=== BitTorrent clients ===

Some [[#Download managers|download managers]] are also able to connect to the BitTorrent network: [[Aria2]], [[Wikipedia:Lftp|LFTP]], FatRat, [[Wikipedia:KGet|KGet]], [[Wikipedia:MLDonkey|MLDonkey]], uGet.

See also [[Wikipedia:Comparison of BitTorrent clients]].

==== Console ====

* {{App|Ctorrent|CTorrent is a BitTorrent client implemented in C++ to be lightweight and quick.|http://www.rahul.net/dholmes/ctorrent/|{{AUR|enhanced-ctorrent}}}}
* {{App|[[Deluge]]|BitTorrent client with multiple user interfaces in a client/server model. This package includes a console client.|https://deluge-torrent.org/|{{Pkg|deluge}}}}
* {{App|peerflix|Streaming torrent client for node.js.|https://github.com/mafintosh/peerflix|{{AUR|peerflix}}}}
* {{App|[[rTorrent]]|Simple and lightweight ncurses BitTorrent client.|https://rakshasa.github.io/rtorrent/|{{Pkg|rtorrent}}}}
* {{App|[[Transmission]] CLI|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends. This package includes backend, daemon, command-line interface, and a Web UI interface.|https://transmissionbt.com/|{{Pkg|transmission-cli}}}}

==== Graphical ====

* {{App|[[Deluge]] (GTK interface)|User-friendly BitTorrent client written in Python using GTK.|https://deluge-torrent.org/|{{Pkg|deluge-gtk}}}}
* {{App|Fragments|Easy to use BitTorrent client for the GNOME desktop environment.|https://apps.gnome.org/Fragments/|{{Pkg|fragments}}}}
* {{App|[[Wikipedia:FrostWire|FrostWire]]|Easy to use cloud downloader, BitTorrent client and media player.|https://www.frostwire.com/|{{AUR|frostwire}}}}
* {{App|Gopeed|Modern download manager built with Golang and Flutter that supports HTTP, BitTorrent, Magnet protocol.|https://gopeed.com/|{{AUR|gopeed-bin}}}}
* {{App|[[Ktorrent]]|Feature-rich BitTorrent client for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/ktorrent/|{{Pkg|ktorrent}}}}
* {{App|PikaTorrent|Pick a Torrent, stream and download on all your devices.|https://www.pikatorrent.com/|{{AUR|pikatorrent-bin}}, {{AUR|pikatorrent-git}}}}
* {{App|Powder Player|Hybrid between a streaming BitTorrent client and a player. Based on the [https://electronjs.org/ Electron] platform.|https://powder.media/|{{AUR|powder-player-bin}}}}
* {{App|[[qBittorrent]]|Open source (GPLv2) BitTorrent client with an integrated torrent search engine that strongly resembles µTorrent.|https://www.qbittorrent.org/|{{Pkg|qbittorrent}}}}
* {{App|[[Wikipedia:Tixati|Tixati]]|Proprietary peer-to-peer file sharing program that uses the popular BitTorrent protocol.|https://tixati.com/|{{AUR|tixati}}}}
* {{App|[[Transmission]]|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends.|https://transmissionbt.com/|GTK: {{Pkg|transmission-gtk}}, Qt: {{Pkg|transmission-qt}}}}
* {{App|[[Transmission]] Remote|GTK client for remote management of the Transmission BitTorrent client, using its HTTP RPC protocol.|https://github.com/transmission-remote-gtk/transmission-remote-gtk|{{Pkg|transmission-remote-gtk}}}}
* {{App|Tremotesf|Qt client for remote management of the Transmission BitTorrent client, using its HTTP RPC protocol.|https://github.com/equeim/tremotesf2|{{AUR|tremotesf}}}}
* {{App|[[Wikipedia:Tribler|Tribler]]|4th generation file sharing system BitTorrent client.|https://www.tribler.org|{{AUR|tribler-bin}}}}
* {{App|[[Wikipedia:Vuze|Vuze]]|Feature-rich BitTorrent client written in Java (formerly Azureus).|https://www.vuze.com/|{{AUR|vuze}}}}
* {{App|WebTorrent Desktop|Streaming BitTorrent application. Based on the [https://electronjs.org/ Electron] platform.|https://webtorrent.io/desktop/|{{AUR|webtorrent-desktop}}}}

=== Other P2P networks ===

See also [[Wikipedia:Comparison of file-sharing applications]].

* {{App|[[aMule]]|Well-known eDonkey/Kad client with a daemon version and GTK, web, and CLI front-ends.|https://www.amule.org/|{{Pkg|amule}}}}
* {{App|EiskaltDC++|Direct Connect and ADC client.|https://github.com/eiskaltdcpp/eiskaltdcpp|GTK: {{AUR|eiskaltdcpp-gtk}}, Qt: {{AUR|eiskaltdcpp-qt}}}}
* {{App|[[Wikipedia:gtk-gnutella|gtk-gnutella]]|GTK server/client for the Gnutella peer-to-peer network.|https://gtk-gnutella.sourceforge.net/|{{AUR|gtk-gnutella}}}}
* {{App|[[IPFS]]|IPFS is a P2P Network capable of sharing and receiving files.|https://ipfs.io/|{{Pkg|kubo}}}}
* {{App|KaMule|KDE graphical front-end for aMule.|https://github.com/nihui/kamule/|{{AUR|kamule}}}}
* {{App|LBRY|Browser and wallet for LBRY, the decentralized, user-controlled content marketplace. Based on the [https://electronjs.org/ Electron] platform.|https://lbry.io/|{{AUR|lbry-desktop}}}}
* {{App|lbt|Small set of command-line tools for LBRY.|https://gitlab.com/gardenappl/lbt|{{AUR|lbt}}}}
* {{App|[[Wikipedia:MLDonkey|MLDonkey]]|Multi-protocol P2P client that supports HTTP, FTP, BitTorrent, Direct Connect, eDonkey and FastTrack.|https://mldonkey.sourceforge.net/|{{AUR|mldonkey}}}}
* {{App|ncdc|Modern and lightweight Direct Connect and ADC client with a friendly ncurses interface.|https://dev.yorhel.nl/ncdc|{{AUR|ncdc}}}}
* {{App|Nicotine+|A graphical client for the Soulseek P2P network.|https://github.com/Nicotine-Plus/nicotine-plus|{{Pkg|nicotine+}}}}
* {{App|Send Anywhere|Proprietary file sharing service where users can directly share digital content in real time. Based on the [https://electronjs.org/ Electron] platform.|https://send-anywhere.com/|{{AUR|sendanywhere}}}}

=== Pastebin services ===

See also [[Wikipedia:Pastebin]].

Pastebin services are often used to quote text or images while collaborating and troubleshooting. Pastebin clients provide a convenient way to post from the command line.
{{Note|An acceptable pastebin service does not require enabling JavaScript for viewing, does not display adverts, manipulate the pasted content or require a login.

[https://pastebin.com/ pastebin.com] is blocked for some people because of malware found on the site and has a history of annoying issues (requires JavaScript, displays adverts, inserts CRLF line-endings and displaying CAPTCHAs at random). Do '''not''' use it.}}

==== Without a dedicated client ====

Some services can be used with more general command line tool, such as [[cURL]]. For extensions, such as line numbers, one can use more command line tools. Such as {{ic|cat -n}}.

* [https://0x0.st/ 0x0.st] is a file hosting service. Usage examples are:
:{{bc|1=$ ''command'' {{!}} curl -F 'file=@-' <nowiki>https://0x0.st</nowiki>}} or upload a file: {{bc|1=$ curl -F 'file=@''path/to/file''' <nowiki>https://0x0.st</nowiki>}}
:{{Note|Read the instructions on the website for further options such as file removal tokens, expiration, and private URLs.}}
* [https://paste.c-net.org/ paste.c-net.org] accepts HTTP requests and works with [[nc]].
* [https://termbin.com termbin.com] works with [[nc]].

==== Dedicated clients ====

* {{App|Fb-client|Client for the [https://paste.xinu.at/ paste.xinu.at] pastebin.|https://paste.xinu.at|{{Pkg|fb-client}}}}
* {{App|Gist|Command-line interface for the [https://gist.github.com/ gist.github.com] pastebin service.|https://github.com/defunkt/gist|{{Pkg|gist}}}}
* {{App|imgur|A CLI client which can upload image to [https://imgur.com imgur.com] image sharing service.|https://github.com/tremby/imgur.sh|{{AUR|imgur.sh}}}}
* {{App|Pastebinit|Really small Python script that acts as a Pastebin client (see {{ic|pastebinit -l}} for the list of servers).|https://launchpad.net/pastebinit|{{Pkg|pastebinit}}}}
* {{App|ruby-haste|Client for [https://hastebin.com/ hastebin.com].|https://github.com/seejohnrun/haste-client|{{AUR|ruby-haste}}}}
* {{App|Wgetpaste|Bash script that automates pasting to a number of pastebin services.|http://wgetpaste.zlin.dk/|{{Pkg|wgetpaste}}}}

== Communication ==

=== Email clients ===

See also [[Wikipedia:Comparison of email clients]]

==== Console ====

* {{App|[[aerc]]|Work in progress asynchronous email client.|https://sr.ht/~rjarry/aerc|{{Pkg|aerc}}}}
* {{App|alot|An experimental terminal MUA based on [https://notmuchmail.org/ notmuch mail]. It is written in python using the [https://urwid.org/ urwid] toolkit.|https://github.com/pazz/alot|{{Pkg|alot}}}}
* {{App|[[Alpine]]|Fast, easy-to-use and Apache-licensed email client based on [[Wikipedia:Pine (email client)|Pine]].|https://alpineapp.email/|{{AUR|alpine}}}}
* {{App|himalaya|Himalaya CLI is written in Rust, based on email-lib.|https://github.com/pimalaya/himalaya|{{Pkg|himalaya}}}}
* {{App|mu/mu4e|Email indexer (mu) and client for emacs (mu4e). Xapian based for fast searches.|https://www.djcbsoftware.nl/code/mu/mu4e.html|{{AUR|mu}}}}
* {{App|[[Mutt]]|Small but very powerful text-based mail client.|http://www.mutt.org/|{{Pkg|mutt}}}}
* {{App|[[Mutt|NeoMutt]]|Command line mail reader (or MUA). It is a fork of Mutt with added features.|https://neomutt.org/|{{Pkg|neomutt}}}}
* {{App|[[nmh]]|A modular mail handling system.|https://www.nongnu.org/nmh/|{{AUR|nmh}}}}
* {{App|[[notmuch]]|A fast mail indexer built on top of ''xapian''.|https://notmuchmail.org/|{{Pkg|notmuch}}}}
* {{App|sendemail|A lightweight command line SMTP email client written in Perl.|http://caspian.dotconf.net/menu/Software/SendEmail/|{{AUR|sendemail}}}}
* {{App|[[S-nail]]|a mail processing system with a command syntax reminiscent of ''ed'' with lines replaced by messages. Provides the functionality of [[Wikipedia:mailx|mailx]].|https://www.sdaoden.eu/code.html#s-mailx|{{Pkg|s-nail}}}}
* {{App|[[Sup]]|CLI mail client with very fast searching, tagging, threading and GMail like operation.|https://sup-heliotrope.github.io/|{{AUR|sup}}}}
* {{App|swaks|Swiss Army Knife SMTP; Command line SMTP testing, including TLS and AUTH, can be used to send emails.|https://jetmore.org/john/code/swaks/|{{Pkg|swaks}}}}
* {{App|Wanderlust|Email client and news reader for Emacs.|https://github.com/wanderlust/wanderlust/|{{Pkg|wanderlust}}}}

==== Graphical ====

* {{App|Balsa|Simple and light email client for GNOME.|https://pawsa.fedorapeople.org/balsa/|{{Pkg|balsa}}}}
* {{App|Betterbird|Fork of thunderbird.|https://www.betterbird.eu/|{{AUR|betterbird-bin}}}}
* {{App|[[Wikipedia:Claws Mail|Claws Mail]]|Lightweight GTK-based email client and news reader.|https://www.claws-mail.org/|{{Pkg|claws-mail}}}}
* {{App|ElectronMail|Unofficial desktop application for several end-to-end encrypted email providers (like ProtonMail, Tutanota). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/vladimiry/ElectronMail|{{AUR|electronmail-bin}}}}
* {{App|[[Evolution]]|Mature and feature-rich e-mail client that is part of the GNOME project. Part of {{Grp|gnome-extra}}.|https://gitlab.gnome.org/GNOME/evolution/-/wikis/home|{{Pkg|evolution}}}}
* {{App|Geary|Simple desktop mail client built in [[Wikipedia:Vala (programming language)|Vala]]. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Geary|{{Pkg|geary}}}}
* {{App|[[Wikipedia:Kmail|Kmail]]|Mature and feature-rich email client. Part of {{Grp|kde-pim}}.|https://kontact.kde.org/components/kmail/|{{Pkg|kmail}}}}
* {{App|Mailspring|Fork of [[Wikipedia:Nylas Mail|Nylas Mail]] by one of the original authors. The paid "Pro" version requires a Mailspring ID and has extra features like snooze, send later. Based on the [https://electronjs.org/ Electron] platform.|https://getmailspring.com/|{{AUR|mailspring}}}}
* {{App|[[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]]|Email client included in the SeaMonkey suite.|https://www.seamonkey-project.org/|{{AUR|seamonkey}}}}
* {{App|[[Thunderbird]]|Feature-rich email client from Mozilla written in GTK.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}
* {{App|Tutanota|Email client for Tutanota mail service. Based on the [https://electronjs.org/ Electron] platform.|https://tutanota.com/|{{AUR|tutanota-desktop}}}}

==== Web-based ====

* {{App|[[Nextcloud]] Mail|An email webapp for NextCloud.|https://github.com/nextcloud/mail|{{Pkg|nextcloud-app-mail}}}}
* {{App|[[Roundcube]]|Browser-based multilingual IMAP client webapp with a native application-like user interface.|https://roundcube.net/|{{Pkg|roundcubemail}}}}
* {{App|SquirrelMail|Webmail for Nuts!|https://squirrelmail.org/|{{AUR|squirrelmail}}}}

=== Mail notifiers ===

* {{App|Ayatana Webmail|Webmail notifications and actions for any desktop.|https://tari.in/www/software/ayatana-webmail/{{Dead link|2025|08|15|status=404}}|{{AUR|ayatana-webmail}}}}
* {{App|Bubblemail|New and Unread mail notification service for local mailboxes, pop, imap, and gnome online accounts. A fork of Mailnag.|http://bubblemail.free.fr/|{{AUR|bubblemail}}}}
* {{App|Gnubiff|Mail notification program that checks for mail and displays headers when new mail has arrived.|https://gnubiff.sourceforge.net/|{{Pkg|gnubiff}}}}
* {{App|Mailnag|Extensible mail notification daemon.|https://github.com/pulb/mailnag|{{Pkg|mailnag}}}}

=== Mail servers ===

See [[Mail server]].

* {{App|DavMail|POP/IMAP/SMTP/Caldav/Carddav/LDAP exchange gateway allowing users to use any mail/calendar client with an Exchange server.|https://davmail.sourceforge.net/|{{AUR|davmail}}}}
* {{App|Modoboa|A modular mail hosting and management platform, written in Python.|https://modoboa.org/|{{AUR|modoboa}}}}

=== Mail retrieval agents ===

See also [[Wikipedia:Mail retrieval agent]].

* {{App|[[fdm]]|Program to fetch and deliver mail.|https://github.com/nicm/fdm|{{Pkg|fdm}}}}
* {{App|[[Wikipedia:Fetchmail|Fetchmail]]|A remote-mail retrieval utility.|https://www.fetchmail.info/|{{Pkg|fetchmail}}}}
* {{App|[[getmail]]|A POP3/IMAP4 mail retriever with reliable Maildir and command delivery.|http://pyropus.ca/software/getmail/|{{AUR|getmail}}}}
* {{App|hydroxide|A third-party, open-source ProtonMail CardDAV, IMAP and SMTP bridge|https://github.com/emersion/hydroxide|{{AUR|hydroxide}}}}
* {{App|imapsync|IMAP synchronisation, sync, copy or migration tool|https://imapsync.lamiral.info/|{{Pkg|imapsync}}}}
* {{App|[[isync]]|IMAP and MailDir mailbox synchronizer|https://isync.sourceforge.net/|{{Pkg|isync}}}}
* {{App|mpop|A small, fast POP3 client suitable as a fetchmail replacement|https://marlam.de/mpop/|{{Pkg|mpop}}}}
* {{App|[[OfflineIMAP]]|Synchronizes emails between two repositories.|https://www.offlineimap.org/|{{Pkg|offlineimap}}}}
* {{App|vomit|Rust utility to sync between Maildir mailbox and IMAP mailbox|https://git.sr.ht/~bitfehler/vomit-sync/tree/master/item/cli/README.md|{{AUR|vsync}} (sync-only part of {{AUR|vomit}} mail tookit)}}

=== Instant messaging clients ===

See also [[Wikipedia:Comparison of instant messaging clients]] and [[Wikipedia:Comparison of VoIP software]].

This section lists all client software with [[Wikipedia:Instant messaging|instant messaging]] support.

==== Multi-protocol clients ====

{{Note|All messengers that support several networks by means of direct connections to them belong to this section.}}

The number of networks supported by these clients is very large but they (like any multi-protocol clients) usually have very limited or no support for network-specific features.

===== Console =====

* {{App|[[Bitlbee|BitlBee]]|IRC gateway to popular chat networks.|https://bitlbee.org/|{{AUR|bitlbee}}}}
* {{App|Finch|Ncurses-based chat client that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, IRC, SIMPLE, XMPP, Zephyr).|https://developer.pidgin.im/wiki/Using%20Finch|{{AUR|finch}}}}
* {{App|[[WeeChat]]|Modular, lightweight ncurses-based IRC client. A variety of other protocols are supported through plugins.|https://weechat.org/|{{Pkg|weechat}}}}

===== Graphical =====

* {{App|[[Wikipedia:Jitsi|Jitsi]]|Audio/video VoIP phone and instant messenger written in Java that supports protocols such as SIP, XMPP, IRC and many other useful features.|https://jitsi.org/|{{AUR|jitsi}}}}
* {{App|Lith|WeeChat Relay client, allowing to connect to a running WeeChat instance from anywhere.|https://lith.app/|{{AUR|lith-git}}}}
* {{App|[[Pidgin]]|Multi-protocol instant messaging client with audio support that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, IRC, SIMPLE, XMPP, Zephyr).|https://pidgin.im/|{{AUR|pidgin}}}}
* {{App|[[Wikipedia:Smuxi|Smuxi]]|Cross-platform IRC client that also supports XMPP.|https://smuxi.im/|{{AUR|smuxi}}}}
* {{App|[[Thunderbird]]|Feature-rich email client supports instant messaging and chat using IRC and XMPP.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}
* {{App|glowing-bear-electron|A web client for WeeChat|https://glowing-bear.org/|{{AUR|glowing-bear-electron}}}}

==== IRC clients ====

See also [[Wikipedia:Comparison of Internet Relay Chat clients]].

===== Console =====

* {{App|[[Wikipedia:BitchX|BitchX]]|Console-based IRC client developed from the popular [[Wikipedia:ircII|ircII]].|https://bitchx.sourceforge.net/|{{AUR|bitchx-git}}}}
* {{App|catgirl|TLS-only terminal IRC client.|https://git.causal.agency/catgirl|{{AUR|catgirl}}}}
* {{App|ERC|Powerful, modular and extensible IRC client for [[Emacs]].|https://savannah.gnu.org/projects/erc/|included with {{Pkg|emacs}}}}
* {{App|[[ii]]|Featherweight IRC client, literally {{ic|tail -f}} the conversation and {{ic|echo}} back your replies to a file.|https://tools.suckless.org/ii/|{{AUR|ii}}}}
* {{App|ircii|Oldest maintained IRC client which lays claim to being small and fast owing to its reduced feature set.|http://www.eterna23.net/ircii/|{{AUR|ircii}}}}
* {{App|[[Irssi]]|Highly-configurable ncurses-based IRC client.|https://irssi.org/|{{Pkg|irssi}}}}
* {{App|pork|Programmable, ncurses-based IRC client that mostly looks and feels like ircII.|http://dev.ojnk.net/|{{Pkg|pork}}}}
* {{App|ScrollZ|Advanced IRC client based on [[Wikipedia:ircII|ircII]].|https://www.scrollz.info/|{{AUR|scrollz}}}}
* {{App|senpai|An IRC client that works best with bouncers (e.g. {{Pkg|soju}}): no logs are kept, history is fetched from the server via [https://ircv3.net/specs/extensions/chathistory CHATHISTORY], networks are fetched from the server via [https://git.sr.ht/~emersion/soju/tree/master/item/doc/ext/bouncer-networks.md bouncer-networks].
|https://sr.ht/~delthas/senpai/|{{Pkg|senpai}}}}
* {{App|sic|Extremely simple IRC client, similar to [[Wikipedia:Ii (IRC client)|ii]].|https://tools.suckless.org/sic/|{{AUR|sic}}}}
* {{App|tiny|an IRC client written in Rust with a clutter-free interface|https://github.com/osa1/tiny|{{Pkg|tiny}}}}

===== Graphical =====

* {{App|[[Wikipedia:ChatZilla|ChatZilla]]|Clean, easy to use and highly extensible Internet Relay Chat (IRC) client, built on the Mozilla platform using [[Wikipedia:XULRunner|XULRunner]]. Included in the [[Wikipedia:SeaMonkey|SeaMonkey]] suite.|http://chatzilla.hacksrus.com/|{{AUR|seamonkey}}}}
* {{App|Halloy|An open-source IRC client written in Rust, with the iced GUI library.|https://halloy.squidowl.org/|{{Pkg|halloy}}}}
* {{App|[[HexChat]]|Fork of XChat for Linux and Windows.|https://hexchat.github.io/|{{AUR|hexchat}}}}
* {{App|[[Wikipedia:Konversation|Konversation]]|Qt-based IRC client for the KDE desktop. Part of {{Grp|kde-network}}.|https://konversation.kde.org/|{{Pkg|konversation}}}}
* {{App|[[Wikipedia:KVIrc|KVIrc]]|Qt-based IRC client featuring extensive themes support.|https://kvirc.net/|{{Pkg|kvirc}}}}
* {{App|Loqui|GTK IRC client.|https://loqui.sunnyone.org/|{{AUR|loqui}}}}
* {{App|LostIRC|Simple GTK IRC client with tab-autocompletion, multiple server support, logging and others.|https://lostirc.sourceforge.net|{{AUR|lostirc}}}}
* {{App|Polari|Simple IRC client by the GNOME project. Part of {{Grp|gnome-extra}}.|https://apps.gnome.org/Polari/|{{Pkg|polari}}}}
* {{App|[[Quassel]]|Modern, cross-platform, distributed IRC client.|https://quassel-irc.org/|KDE: {{Pkg|quassel-monolithic}}, Qt: {{Pkg|quassel-monolithic-qt}}}}
* {{App|Srain|Modern, beautiful IRC client written in GTK 3.|https://srain.silverrainz.me|{{AUR|srain}}}}
* {{App|Thelounge|Modern self-hosted web IRC client|https://thelounge.chat/|{{AUR|thelounge}}}}

==== XMPP clients ====

See also [[Wikipedia:XMPP]].

===== Console =====

* {{App|Freetalk|Console-based XMPP client.|https://www.gnu.org/software/freetalk/|{{AUR|freetalk}}}}
* {{App|jabber.el|Minimal XMPP client for [[Emacs]].|https://emacs-jabber.sourceforge.net/|{{AUR|emacs-jabber}}}}
* {{App|MCabber|Small XMPP console client, includes features: SSL, PGP, MUC, OTR and UTF8.|https://mcabber.com/|{{Pkg|mcabber}}}}
* {{App|Poezio|XMPP client with IRC feeling|https://poez.io/|{{AUR|poezio}}}}
* {{App|Profanity|A console based XMPP client inspired by Irssi.|https://profanity-im.github.io/|{{Pkg|profanity}}}}

===== Graphical =====

* {{App|Converse.js|Web-based XMPP chat client written in JavaScript.|https://conversejs.org/|{{AUR|conversejs}}}}
* {{App|Dino|A modern, easy to use XMPP client, with PGP and OMEMO support.|https://dino.im/|{{Pkg|dino}}}}
* {{App|[[Gajim]]|XMPP client with audio support written in Python using GTK.|https://gajim.org/|{{Pkg|gajim}}}}
* {{App|Kaidan|A simple, user-friendly Jabber/XMPP client providing a modern user interface using Kirigami and QtQuick.|https://www.kaidan.im/|{{Pkg|kaidan}}}}
* {{App|Libervia (Salut à Toi)|Web frontend for Salut à Toi, multi-purpose XMPP client|https://libervia.org/|{{AUR|libervia-web-hg}}}}
* {{App|Nextcloud JavaScript XMPP Client|Chat app for Nextcloud with XMPP, end-to-end encryption, video calls, file transfer & group chat.|https://github.com/nextcloud/jsxc.nextcloud|{{AUR|nextcloud-app-jsxc}}}}
* {{App|[[Wikipedia:Psi (instant messaging client)|Psi]]|Qt-based XMPP client.|https://psi-im.org/|{{Pkg|psi}}}}
* {{App|[[Wikipedia:Spark (XMPP client)|Spark]]|Cross-platform real-time XMPP collaboration client optimized for business and organizations.|https://www.igniterealtime.org/projects/spark/|{{AUR|spark}}}}
* {{App|Swift|XMPP client written in C++ with Qt and Swiften.|https://swift.im/|{{AUR|swift-im}}}}
* {{App|[[Wikipedia:Tkabber|Tkabber]]|Easy to hack feature-rich XMPP client by the author of the ejabberd XMPP server.|https://tkabber.jabber.ru/|{{AUR|tkabber}}}}
* {{App|Vacuum IM|Full-featured crossplatform XMPP client.|https://github.com/Vacuum-IM/vacuum-im|{{AUR|vacuum-im}}}}

==== SIP clients ====

See also [[Wikipedia:List of SIP software#Clients]].

* {{App|baresip|portable and modular SIP User-Agent with audio and video support.|https://github.com/baresip/baresip|{{Pkg|baresip}}}}
* {{App|[[Wikipedia:Blink (SIP client)|Blink]]|State of the art, easy to use SIP client.|https://icanblink.com/|{{AUR|blink}}}}
* {{App|Calls|Simple, elegant phone dialer and call handler for GNOME. It can be used with a cellular modem for plain old telephone calls as well as VoIP calls using the SIP protocol.|https://gitlab.gnome.org/GNOME/calls|{{Pkg|gnome-calls}}}}
* {{App|Jami|SIP-compatible softphone and instant messenger for the decentralized Jami network. Formerly known as Ring and SFLphone.|https://jami.net/|{{Pkg|jami-qt}}}}
* {{App|[[Wikipedia:Linphone|Linphone]]|VoIP phone application (SIP client) for communicating freely with people over the internet, with voice, video, and text instant messaging.|https://www.linphone.org/|{{AUR|linphone-desktop}}}}
* {{App|[[Wikipedia:Twinkle (software)|Twinkle]]|Qt softphone for VoIP and IM communication using SIP.|http://twinkle.dolezel.info/|{{AUR|twinkle}}}}
* {{App|Zoiper|Proprietary SIP and IAX2 VoIP softphone|https://zoiper.com|{{AUR|zoiper-bin}}}}

==== Matrix clients ====

See also [[Matrix]] and [https://matrix.org/clients/ Matrix Clients].

* {{App|Chatty|Simple to use SMS and Matrix messaging application.|https://gitlab.gnome.org/World/Chatty|{{Pkg|chatty}}}}
* {{App|Cinny|Cinny is a matrix client focusing primarily on simple, elegant and secure interface. The desktop app is made with [https://github.com/tauri-apps/tauri Tauri].|https://github.com/cinnyapp/cinny-desktop|{{AUR|cinny-desktop}}}}
* {{App|Element|Glossy Matrix client with an emphasis on performance and usability. Web application and desktop application based on the [https://electronjs.org/ Electron] platform.|https://element.io/|{{Pkg|element-web}}, {{Pkg|element-desktop}}}}
* {{App|FluffyChat|Multi-platform Matrix client with a simple and clean UI written in Dart/Flutter.|https://fluffychat.im/|{{AUR|fluffychat}}}}
* {{App|Fractal|Matrix client for GNOME written in Rust.|https://wiki.gnome.org/Apps/Fractal|{{Pkg|fractal}}}}
* {{App|Gomuks|Terminal Matrix client written in Go using [https://github.com/tulir/mautrix-go mautrix] and [https://github.com/tulir/mauview mauview].|https://maunium.net/go/gomuks|{{Pkg|gomuks}}}}
* {{App|iamb|A terminal-based Matrix client with Vim keybindings written in Rust.|https://github.com/ulyssa/iamb|{{Aur|iamb}}}}
* {{App|Moment|A fancy, customizable, keyboard-operable Matrix chat client for encrypted and decentralized communication. Written in Qt/QML + Python with nio, fork of the now-abandoned Mirage.|https://mx-moment.xyz/|{{AUR|moment}}}}
* {{App|Neochat|KDE client for the Matrix protocol. Part of {{Grp|kde-network}}.|https://apps.kde.org/neochat/|{{Pkg|neochat}}}}
* {{App|nheko|Desktop client for the Matrix protocol.|https://github.com/Nheko-Reborn/nheko|{{Pkg|nheko}}}}
* {{App|Quaternion|Qt5-based IM client for the Matrix protocol.|https://github.com/QMatrixClient/Quaternion|{{AUR|quaternion}}}}
* {{App|QuickMedia|A rofi inspired native client for web services. Supports Matrix and several other sites.|https://git.dec05eba.com/QuickMedia/about/|{{AUR|quickmedia}}}}
* {{App|SchildiChat|Matrix client based on Element with a more traditional instant messaging experience. Based on the [https://electronjs.org/ Electron] platform.|https://schildi.chat/|{{AUR|schildichat-desktop-eol}}}}
* {{App|Spectral|Qt5-based Glossy cross-platform client for Matrix.|https://gitlab.com/spectral-im/spectral|{{AUR|spectral-matrix}}}}
* {{App|Syphon|Privacy-centric cross-platform Matrix client with E2EE support, currently in alpha.|https://github.com/syphon-org/syphon|{{AUR|syphon-bin}}}}

==== Tox clients ====

See also [[Tox]] and [https://wiki.tox.chat/clients comparison clients]

* {{App|ratox|FIFO based tox client.|https://git.z3bra.org/ratox/file/README.html|{{AUR|ratox-git}}}}
* {{App|Toxic|ncurses-based Tox client|https://github.com/Jfreegman/toxic|{{Pkg|toxic}}}}
* {{App|Venom|a modern Tox client for the GNU/Linux desktop|https://github.com/naxuroqa/Venom|{{AUR|venom}}}}
* {{App|µTox|Lightweight Tox client.|https://github.com/uTox/uTox|{{Pkg|utox}}}}

==== LAN messengers ====

See also [[Avahi#Link-Local (Bonjour/Zeroconf) chat]] and [[Wikipedia:Comparison of LAN messengers]].

* {{App|BeeBEEP|Secure LAN Messenger.|https://www.beebeep.net/|{{AUR|beebeep}}}}
* {{App|iptux|LAN communication software, compatible with IP Messenger.|https://github.com/iptux-src/iptux|{{Pkg|iptux}}}}

==== P2P messaging clients ====

See also [[Ring]] and [[Tox]].

* {{App|[[Wikipedia:Briar (software)|Briar]]|Briar is a messaging application designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate.|https://briarproject.org/|{{AUR|briar-desktop}}, {{AUR|briar-headless}}}}
* {{App|Manyverse|Modern decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB).|https://gitlab.com/staltz/manyverse|{{AUR|manyverse-bin}}}}
* {{App|Patchwork|Decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/ssbc/patchwork|{{AUR|ssb-patchwork}}}}
* {{App|Poncho Wonky|Decentralized messaging and sharing application built on top of Secure Scuttlebutt (SSB). Based on the [https://electronjs.org/ Electron] platform. Maintained, updated Fork of Patchwork|https://github.com/soapdog/patchwork/|{{AUR|poncho-wonky}}}}
* {{App|RetroShare|Serverless encrypted instant messenger with filesharing, chatgroups, mail.|https://retroshare.cc/|{{AUR|retroshare}}}}
* {{App|[[Wikipedia:Ricochet (software)|Ricochet]]|Anonymous peer-to-peer instant messaging system built on [[Tor]] hidden services.|https://www.ricochetrefresh.net/|{{AUR|ricochet-refresh}}}}

==== Chatmail clients ====

* {{App|Delta Chat|A privacy oriented [https://chatmail.at/ chatmail] application. Based on the [https://electronjs.org/ Electron] platform.|https://delta.chat/|{{Pkg|deltachat-desktop}}}}
* {{App|Parla|A [https://chatmail.at/ chatmail] application for the [[GNOME]] desktop. Based on the [[GTK]] framework.|https://github.com/trufae/parla/|{{Pkg|parla}}}}

==== Other IM clients ====

* {{App|Caprine|Unofficial Facebook Messenger app. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/sindresorhus/caprine|{{AUR|caprine}}}}
* {{App|Chatterino|Chat client for Twitch chat.|https://chatterino.com/|{{AUR|chatterino2}}}}
* {{App|[[Discord]]|Proprietary all-in-one voice and text chat application for gamers that’s free and works on both your desktop and phone. Based on the [https://electronjs.org/ Electron] platform.|https://discordapp.com/|{{Pkg|discord}}}}
* {{App|Flare|Unofficial Signal client based on GTK.|https://gitlab.com/schmiddi-on-mobile/flare|{{AUR|flare}}}}
* {{App|[[Wikipedia:Gitter|Gitter]]|Communication product for communities and teams on GitLab and GitHub.|https://gitter.im/|{{AUR|gitter-bin}}}}
* {{App|[[Wikipedia:Jitsi|Jitsi]] Meet|Desktop application for Jitsi Meet. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/jitsi/jitsi-meet-electron|{{AUR|jitsi-meet-desktop}}}}
* {{App|Kotatogram Desktop|Experimental fork of Telegram Desktop.|https://kotatogram.github.io/|{{AUR|kotatogram-desktop}}}}
* {{App|Matterhorn|Console client for the Mattermost chat system.|https://github.com/matterhorn-chat/matterhorn|{{AUR|matterhorn}}}}
* {{App|[[Mattermost]] Desktop|Desktop application for Mattermost. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/mattermost/desktop|{{Pkg|mattermost-desktop}}}}
* {{App|[[Mumble]]|Voice chat application similar to TeamSpeak.|https://www.mumble.info/|{{Pkg|mumble}}}}
* {{App|Paper Plane|Chat over Telegram on a modern and elegant client.|https://github.com/paper-plane-developers/paper-plane|{{AUR|paper-plane}}}}
* {{App|[[QQ]]|Proprietary instant messaging software developed by Tencent (imitating ICQ).|https://im.qq.com/|{{AUR|linuxqq}}}}
* {{App|Rocket.Chat Desktop|Desktop application for Rocket.Chat. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/RocketChat/Rocket.Chat.Electron|{{AUR|rocketchat-desktop}}}}
* {{App|Ruqola|Rocket.Chat client for the KDE desktop.|https://apps.kde.org/ruqola/|{{AUR|ruqola}}}}
* {{App|Session Desktop|Onion routing based messenger. Based on the [https://electronjs.org/ Electron] platform.|https://getsession.org/|{{AUR|session-desktop}}}}
* {{App|[[Wikipedia:Signal (software)|Signal]] Desktop|Desktop application for Signal private messenger. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/signalapp/Signal-Desktop|{{Pkg|signal-desktop}}}}
* {{App|[[Wikipedia:Slack (software)|Slack]]|Proprietary Slack client for desktop. Based on the [https://electronjs.org/ Electron] platform.|https://slack.com/|{{AUR|slack-desktop}}}}
* {{App|teams-for-linux|Unofficial Microsoft Teams for Linux client. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/IsmaelMartinez/teams-for-linux|{{AUR|teams-for-linux}}}}
* {{App|[[TeamSpeak]]|Proprietary VoIP application with gamers as its target audience.|https://www.teamspeak.com/|{{Pkg|teamspeak3}}}}
* {{App|[[TeamTalk]]|Proprietary VoIP application with video chat, file and desktop sharing. Desktop sharing does not appear to be working in Linux though. AUR package is server only, but client is built in the make process.|https://bearware.dk|{{AUR|teamtalk}}}}
* {{App|[[Telegram]] Desktop|Official Telegram desktop client.|https://desktop.telegram.org/|{{Pkg|telegram-desktop}}}}
* {{App|[[Wikipedia:Viber|Viber]]|Proprietary cross-platform IM and VoIP software.|https://www.viber.com/products/linux/|{{AUR|viber}}}}
* {{App|[[Wikipedia:WeChat|WeChat]]|Tencent WeChat Client.|https://linux.weixin.qq.com/|{{AUR|wechat}}}}
* {{App|[[Wikipedia:Wire (software)|Wire]]|Modern, private messenger. Based on the [https://electronjs.org/ Electron] platform.|https://wire.com/|{{AUR|wire-desktop}}}}
* {{App|[[Zoom Meetings|Zoom]]|Proprietary video conferencing, online meetings and group messaging application.|https://zoom.us/|{{AUR|zoom}}}}
* {{App|[[Wikipedia:Zulip|Zulip]]|Desktop client for Zulip group chat. Based on the [https://electronjs.org/ Electron] platform.|https://zulipchat.com/apps/linux|{{AUR|zulip-desktop}}}}

=== Instant messaging servers ===

See also [[Wikipedia:Comparison of instant messaging protocols]].

==== IRC servers ====

* {{App|Ergo|A modern and simple to set up IRC server written in Go. Combines the features of an IRCd, a services framework, and a bouncer.|https://ergo.chat/|{{AUR|ergochat}}}}
* {{App|[[InspIRCd]]|A stable, modern and lightweight IRC daemon.|https://www.inspircd.org/|{{AUR|inspircd}}}}
* {{App|IRCD-Hybrid|A lightweight, high-performance internet relay chat daemon.|https://www.ircd-hybrid.org/|{{AUR|ircd-hybrid}}}}
* {{App|miniircd|A small and configuration free IRC server, suitable for private use.|https://github.com/jrosdahl/miniircd|{{AUR|miniircd-git}}}}
* {{App|ngIRCd|A free, portable and lightweight Internet Relay Chat server for small or private networks.|https://ngircd.barton.de/|{{AUR|ngircd}}}}
* {{App|Solanum|Solanum is the upcoming IRCd for unified networks that is being worked on by a collaboration of Libera Chat and OFTC staff.|https://solanum.chat/|{{AUR|solanum-ircd-git}}}}
* {{App|[[UnrealIRCd]]|Open Source IRC Server.|https://www.unrealircd.org/|{{Pkg|unrealircd}}}}

==== XMPP servers ====

* {{App|Ejabberd|Robust, scalable and extensible XMPP Server written in Erlang|https://www.ejabberd.im/|{{Pkg|ejabberd}}}}
* {{App|Jabberd2|An XMPP server written in the C language and licensed under the GNU General Public License. It was inspired by jabberd14.|https://jabberd2.org/|{{AUR|jabberd2}}}}
* {{App|[[Openfire]]|An XMPP IM multiplatform server written in Java|https://www.igniterealtime.org/projects/openfire/|{{Pkg|openfire}}}}
* {{App|[[Prosody]]|An XMPP server written in the [https://www.lua.org/ Lua] programming language. Prosody is designed to be lightweight and highly extensible. It is licensed under a permissive [https://prosody.im/source/mit MIT license].|https://prosody.im/|{{Pkg|prosody}}}}

==== SIP servers ====

See also [[Wikipedia:List of SIP software#Servers]].

* {{App|[[Asterisk]]|A complete PBX solution.|https://www.asterisk.org/|{{AUR|asterisk}}}}
* {{App|Kamailio|SIP server for large VoIP and real-time communication platforms.|https://www.kamailio.org/|{{AUR|kamailio}}}}
* {{App|openSIPS|SIP proxy/server for voice, video, IM, presence and any other SIP extensions.|https://opensips.org/|{{Pkg|opensips}}}}
* {{App|Repro|An open-source, free SIP server.|https://www.resiprocate.org/About_Repro{{Dead link|2025|04|05|status=404}}|{{AUR|repro}}}}
* {{App|[[Wikipedia:Yate (telephony engine)|Yate]]|Advanced, mature, flexible telephony server that is used for VoIP and fixed networks, and for traditional mobile operators and MVNOs.|https://yate.ro/|{{Pkg|yate}}}}

==== Other IM servers ====

* {{App|[[Mattermost]]|Open source private cloud server, Slack-alternative.|https://github.com/mattermost/mattermost-server|{{Pkg|mattermost}}}}
* {{App|[[Murmur]]|The voice chat application server for Mumble.|https://www.mumble.info/|{{Pkg|mumble-server}}}}
* {{App|Nextcloud Talk|Video- and audio-conferencing app for Nextcloud.|https://github.com/nextcloud/spreed|{{Pkg|nextcloud-app-spreed}}}}
* {{App|Rocket.Chat|Web chat server, developed in JavaScript, using the Meteor fullstack framework.|https://github.com/RocketChat/Rocket.Chat|{{AUR|rocketchat-server}}}}
* {{App|[[Matrix|Synapse]]|Reference homeserver for the Matrix protocol.|https://github.com/matrix-org/synapse|{{Pkg|matrix-synapse}}}}
* {{App|[[TeamSpeak]] Server|Proprietary VoIP conference server.|https://teamspeak.com/|{{Pkg|teamspeak3-server}}}}
* {{App|uMurmur|Minimalistic Mumble server.|https://umurmur.net/|{{Pkg|umurmur}}}}

=== Collaborative software ===

See also [[Wikipedia:Collaborative software]].

* {{App|[[SOGo]]|Groupware server built around OpenGroupware.org (OGo) and the SOPE application server.|https://sogo.nu/|{{AUR|sogo}}}}

=== Link shortening servers ===

* {{App|microbin|A tiny, self-contained, configurable paste bin and URL shortener written in Rust.|https://github.com/szabodanika/microbin|{{AUR|microbin}}}}
* {{App|shlink|Self-proclaimed definitive self-hosted URL shortener.|https://shlink.io/|{{AUR|shlink}}}}
* {{App|YOURLS|A self-hosted link shortening service written in PHP.|https://yourls.org/|{{AUR|yourls}}}}

== News, RSS, and blogs ==

=== News aggregators ===

[[Web feed]]s aggregators. Some [[#Email clients|email clients]] are also able to act as news aggregator: [[Wikipedia:Claws Mail|Claws Mail]] RSSyl plugin, [[Evolution]], [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Thunderbird]].

See also [[Wikipedia:Comparison of feed aggregators]].

==== Console ====

* {{App|Bulletty|Pretty TUI RSS reader that locally stores articles as markdown.|https://bulletty.croci.dev/|{{Pkg|bulletty}}}}
* {{App|[[Wikipedia:Canto (news aggregator)|Canto]]|Ncurses RSS aggregator.|https://github.com/themoken/canto-curses|{{Pkg|canto-curses}}}}
* {{App|Ditch The Bell|A highly configurable Linux-based desktop notifier for RSS/Atom feeds.|https://github.com/eschermoore/ditchthebell|{{AUR|dtbell-git}}}}
* {{App|feed2imap-go|[https://github.com/feed2imap/feed2imap feed2imap] reimplemented in Go that aggregating RSS/Atom/jsonfeed into folders of your IMAP mailbox.|https://github.com/Necoro/feed2imap-go|{{AUR|feed2imap-go}}}}
* {{App|[[Wikipedia:Gnus|Gnus]]|Email, NNTP and RSS client for Emacs.|https://www.gnus.org/|{{Pkg|emacs}}}}
* {{App|[[Newsboat]]|Ncurses RSS aggregator with layout and keybinding similar to the [[Mutt]] email client.|https://newsboat.org/|{{Pkg|newsboat}}}}
* {{App|[[Newsraft]]|Feed reader with ncurses user interface. It is greatly inspired by [[Newsboat]] and tries to be its lightweight counterpart. |https://codeberg.org/newsraft/newsraft/|{{AUR|newsraft}}}}
* {{App|Rawdog|"RSS Aggregator Without Delusions Of Grandeur" that parses RSS/CDF/Atom feeds into a static HTML page of articles in chronological order.|https://offog.org/code/rawdog/|{{AUR|rawdog}}}}
* {{App|rss2email|Aggregating your RSS/Atom feed into your IMAP/Maildir mailbox as a cronjob.|https://github.com/rss2email/rss2email|{{Pkg|rss2email}}}}
* {{App|sfeed|Crontab oriented shell-scriptable feed aggregator setup with an RSS/Atom parser utility plus a simple ncurses reader.|https://codemadness.org/sfeed-simple-feed-parser.html|{{AUR|sfeed}}}}
* {{App|Snownews|Text mode RSS news reader.|https://sourceforge.net/projects/snownews/|{{AUR|snownews}}}}

==== Graphical ====

* {{App|[[Wikipedia:Kontact#News feed aggregator|Akregator]]|News aggregator for KDE, part of {{Grp|kde-pim}}.|https://apps.kde.org/akregator/|{{Pkg|akregator}}}}
* {{App|Alligator|Kirigami-based RSS/Atom feed reader for mobile devices. Part of {{Grp|kde-network}}.|https://apps.kde.org/alligator/|{{Pkg|alligator}}}}
* {{App|Feeds|An RSS/Atom feed reader for GNOME.|https://gfeeds.gabmus.org/|{{Pkg|gfeeds}}}}
* {{App|Fluent Reader|Modern desktop RSS reader built with React and Fluent UI. Based on the [https://electronjs.org/ Electron] platform.|https://hyliu.me/fluent-reader/|{{AUR|fluent-reader}}}}
* {{App|HackUp|Read Hacker News from the desktop.|https://github.com/mdh34/hackup|{{AUR|hackup-git}}}}
* {{App|[[Wikipedia:Liferea|Liferea]]|GTK news aggregator for online news feeds and weblogs.|https://lzone.de/liferea/|{{Pkg|liferea}}}}
* {{App|Newsflash|Modern feed reader designed for the GNOME desktop. The spiritual successor to FeedReader.|https://apps.gnome.org/NewsFlash/|{{Pkg|newsflash}}}}
* {{App|Raven|Simple desktop RSS reader made using VueJS. Based on the [https://electronjs.org/ Electron] platform.|https://ravenreader.app/|{{AUR|raven-reader}}}}
* {{App|RSS Guard|Very tiny RSS and ATOM news reader developed using Qt framework.|https://github.com/martinrotter/rssguard|{{Pkg|rssguard}}}}
* {{App|Tickr|GTK-based RSS Reader that displays feeds as a smooth scrolling line on your desktop, as known from TV stations.|https://www.open-tickr.net/|{{AUR|tickr}}}}

==== Graphical, Web-based ====

* {{App|[[Nextcloud]] News|RSS/Atom feed reader for Nextcloud.|https://github.com/nextcloud/news|{{Pkg|nextcloud-app-news}}}}
* {{App|selfoss|The new multipurpose RSS reader, live stream, mashup, aggregation web application.|https://selfoss.aditu.de/|{{AUR|selfoss}}}}
* {{App|[[Tiny Tiny RSS]]|Web-based news feed (RSS/Atom) aggregator.|https://tt-rss.org/|{{Pkg|tt-rss}}}}

=== Podcast clients ===

Some media players are also able to act as podcast client: [[Amarok]], Cantata, [[Wikipedia:Clementine (software)|Clementine]], Goggles Music Manager, [[Wikipedia:Rhythmbox|Rhythmbox]], [[VLC media player]]. [[Wikipedia:git-annex|git-annex]] can also [https://git-annex.branchable.com/tips/downloading_podcasts/ function as podcatcher].

See also [[Wikipedia:List of podcatchers]].

==== Console ====

* {{App|castero|A TUI podcast client for the terminal.|https://github.com/xgi/castero|{{AUR|castero-git}}}}
* {{App|castget|Simple, command-line RSS enclosure downloader, primarily intended for automatic, unattended downloading of podcasts.|https://castget.johndal.com/|{{Pkg|castget}}}}
* {{App|gpo|Text mode interface of gPodder.|https://gpodder.github.io/|{{Pkg|gpodder}}}}
* {{App|Greg|A command-line podcast aggregator.|https://github.com/manolomartinez/greg|{{AUR|greg-git}}}}
* {{App|pcd|A minimal podcast client written in go|https://github.com/kvannotten/pcd|{{AUR|pcd}}}}

==== Graphical ====

* {{App|gPodder|Podcast client and media aggregator (GTK interface).|https://gpodder.github.io/|{{Pkg|gpodder}}}}
* {{App|Kasts|Convergent podcast application that looks good on desktop and mobile. Part of {{Grp|kde-multimedia}}.|https://apps.kde.org/kasts/|{{Pkg|kasts}}}}
* {{App|Pocket Casts|Electron wrapper around the Pocket Casts web app with support for MPRIS (media controls).|https://pocketcasts.com/|{{AUR|pocket-casts-linux}}}}
* {{App|Podcasts|Podcast client for the GNOME desktop written in Rust.|https://apps.gnome.org/Podcasts/|{{Pkg|gnome-podcasts}}}}
* {{App|Vocal|Simple podcast client for the Modern Desktop (GTK).|https://vocalproject.net/|{{AUR|vocal}}}}

=== Usenet newsreaders ===

Some [[#Email clients|email clients]] are also able to act as Usenet newsreader: [[Wikipedia:Claws Mail|Claws Mail]], [[Evolution]], [[Mutt|NeoMutt]], [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Wikipedia:Sylpheed|Sylpheed]], [[Thunderbird]].

See also: [[Wikipedia:List of Usenet newsreaders]], [[Wikipedia:Comparison of Usenet newsreaders]].

==== Console ====

* {{App|nn|Alternative more user-friendly (curses-based) Usenet newsreader for UNIX.|http://www.nndev.org/|{{AUR|nn}}}}
* {{App|[[Wikipedia:slrn|slrn]]|Text-based news client.|https://www.slrn.org/|{{AUR|slrn}}}}
* {{App|[[Wikipedia:Tin (newsreader)|tin]]|A cross-platform threaded NNTP and spool based UseNet newsreader.|http://tin.org/|{{AUR|tin}}}}
* {{App|trn|A text-based Threaded Usenet newsreader.|https://trn.sourceforge.net/|{{AUR|trn}}}}

==== Graphical ====

* {{App|[[NZBGet]]|Usenet binary downloader for .nzb files with web and CLI interface.|https://nzbget.net/|{{Pkg|nzbget}}}}
* {{App|[[Wikipedia:Pan (newsreader)|Pan]]|GTK Usenet newsreader that's good at both text and binaries.|https://gitlab.gnome.org/GNOME/pan|{{Pkg|pan}}}}
* {{App|[[SABnzbd]]|An open-source binary newsreader webapp written in Python.|https://sabnzbd.org/|{{AUR|sabnzbd}}}}
* {{App|XRN|Usenet newsreader for X Window System.|https://www.mit.edu/people/jik/software/xrn.html|{{AUR|xrn}}}}

=== Microblogging clients ===

* {{App|Choqok|Microblogging client for KDE that supports Mastodon, Pump.io and GNU social.|https://choqok.kde.org/|{{AUR|choqok-git}}}}
* {{App|Dianara|Pump.io client written in Qt.|https://jancoding.wordpress.com/dianara/|{{AUR|dianara}}}}
* {{App|Lemmy-UI|Official web app for lemmy.|https://github.com/LemmyNet/lemmy-ui|{{AUR|lemmy-ui}}}}
* {{App|Liftoff|A mobile and desktop lemmy client written in flutter.|https://github.com/liftoff-app/liftoff|{{AUR|liftoff-bin}}}}
* {{App|Mikutter|Simple, powerful Mastodon client using GTK and Ruby.|https://mikutter.hachune.net/|{{AUR|mikutter}}}}
* {{App|Pumpa|Pump.io client written in C++ and Qt.|https://pumpa.branchable.com/|{{AUR|pumpa-git}}}}
* {{App|Tokodon|Mastodon client for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/tokodon/|{{Pkg|tokodon}}}}
* {{App|Toot|CLI and TUI tool for interacting with Mastodon instances.|https://github.com/ihabunek/toot|{{Pkg|toot}}}}
* {{App|Tuba|GTK4 client for Mastodon.|https://apps.gnome.org/Tuba/|{{Pkg|tuba}}}}
* {{App|Whalebird|Mastodon client application. Based on the [https://electronjs.org/ Electron] platform.|https://whalebird.social/|{{AUR|whalebird}}}}

=== Blog engines ===

See also [[Wikipedia:Blog software]] and [[Wikipedia:List of content management systems]].
{{note|Content managers, social networks, and blog publishers overlap in many functions.}}
* {{App|[[Diaspora]]|A distributed privacy aware social network.|https://diasporafoundation.org|{{AUR|diaspora-mysql}} or {{AUR|diaspora-postgresql}}}}
* {{App|[[Drupal]]|A PHP-based content management platform.|https://www.drupal.org/|{{Pkg|drupal}}}}
* {{App|[[Joomla]]|A php Content Management System (CMS) which enables you to build websites and powerful online applications.|https://www.joomla.org/|{{AUR|joomla}}}}
* {{App|[[Wordpress]]|Blog tool and publishing platform.|https://wordpress.org/|{{Pkg|wordpress}}}}

=== Static site generators ===

* {{App|Hexo|Fast, simple and powerful blog framework.|https://hexo.io/|{{AUR|hexo-cli}}}}
* {{App|Hugo|Hugo is a static HTML and CSS website generator written in Go. It is optimized for speed, ease of use, and configurability.|https://gohugo.io/|{{Pkg|hugo}}}}
* {{App|Jekyll|Static blog engine, written in Ruby, which supports Markdown, textile and other formats.|https://jekyllrb.com/|{{Pkg|jekyll}}}}
* {{App|Nikola|Static site generator written in Python, with incremental rebuilds and multiple markup formats.|https://getnikola.com/|{{Pkg|nikola}}}}
* {{App|Pelican|Static site generator, powered by Python.|https://getpelican.com/|{{Pkg|pelican}}}}
* {{App|Zola|An opinionated static site generator, written in Rust.|https://www.getzola.org/|{{Pkg|zola}}}}

=== Gallery software ===

* {{App|fgallery|A static photo gallery generator with no frills that has a stylish, minimalist look.|https://www.thregr.org/wavexx/software/fgallery/|{{AUR|fgallery}}}}
* {{App|jAlbum|A freeware cross-platform software for managing and creating digital photo albums or galleries.|https://jalbum.net/en/|{{AUR|jalbum}}}}
* {{App|jolly|A tool for statically generating galleries from images.|https://gitlab.com/prior99/jolly|{{AUR|jolly}}}}
* {{App|llgal|An easy and fast on-line gallery generator based on iGal.|http://bgoglin.free.fr/llgal/|{{AUR|llgal}}}}
* {{App|Photoview|A photo gallery for self-hosted personal servers.|https://photoview.github.io/|{{AUR|photoview}}}}
* {{App|Piwigo|A web application to manage your collection of photos, and other medias.|https://piwigo.org/|{{AUR|piwigo}}}}
* {{App|revela|A static web image gallery generator.|https://sr.ht/~yaroslav/revela/|{{AUR|revela}}}}
* {{App|Sigal|A simple static gallery generator.|http://sigal.saimon.org/en/latest/|{{Pkg|sigal}}}}
* {{App|thumbsup|A static web galleries for all your photos and videos.|https://thumbsup.github.io/|{{AUR|nodejs-thumbsup}}}}
* {{App|ZenphotoCMS|A CMS for selfhosted, gallery focused websites.|https://www.zenphoto.org/|{{AUR|zenphoto}}}}

== Remote desktop ==

See also [[Wikipedia:Remote desktop software]] and [[Wikipedia:Comparison of remote desktop software]].

See also [https://remotedesktop.google.com Chrome Remote Desktop] for a web browser based solution.

=== Remote desktop clients ===

* {{App|[[Wikipedia:AnyDesk|AnyDesk]]|Proprietary remote desktop software.|https://anydesk.com/|{{AUR|anydesk-bin}}}}
* {{App|GNOME Connections|Remote desktop client for GNOME. Supports RDP and VNC. Part of {{Grp|gnome}}.|https://apps.gnome.org/Connections/|{{Pkg|gnome-connections}}}}
* {{App|GVncViewer|Simple VNC Client on Gtk-VNC. Run with {{ic|gvncviewer}}.|https://wiki.gnome.org/Projects/gtk(2d)vnc|{{Pkg|gtk-vnc}}}}
* {{App|[[Wikipedia:KRDC|KRDC]]|Remote Desktop Client for KDE. Supports RDP and VNC. Part of {{Grp|kde-network}}.|https://apps.kde.org/krdc/|{{Pkg|krdc}}}}
* {{App|[[Remmina]]|Remote desktop client written in GTK. Supports RDP, VNC, SPICE, X2Go and SSH.|https://remmina.org/|{{Pkg|remmina}}}}
* {{App|Remote Viewer|Simple remote display client. Supports SPICE and VNC.|https://virt-manager.org/|{{Pkg|virt-viewer}}}}
* {{App|RustDesk|A remote desktop software, open source, written in Rust.|https://rustdesk.com|{{AUR|rustdesk}}}}
* {{App|Sunlogin Remote Control|Proprietary software that supports remote control of mobile devices, Windows, Mac, Linux and other systems. It uses its own proprietary protocol.|https://sunlogin.oray.com/en/about/about{{Dead link|2025|04|05|status=404}}|{{AUR|sunloginclient}}}}
* {{App|[[Wikipedia:TeamViewer|TeamViewer]]|Proprietary remote desktop client. It uses its own proprietary protocol.|https://www.teamviewer.com/|{{AUR|teamviewer}}}}
* {{App|ToDesk|Proprietary remote desktop client that suits for remote teamwork. It uses its own proprietary protocol.|https://www.todesk.com/|{{AUR|todesk-bin}}}}
* {{App|[[Wikipedia:Vinagre|Vinagre]]|Remote desktop viewer for GNOME. Supports RDP, VNC, SPICE and SSH.|https://wiki.gnome.org/Apps/Vinagre|{{AUR|vinagre}}}}
* {{App|[[TigerVNC|vncviewer (TigerVNC)]]|VNC viewer for X.|https://tigervnc.org/|{{Pkg|tigervnc}}}}
* {{App|[[X2Go]] Client|A graphical client (Qt5) for the X2Go system that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{AUR|x2goclient}}}}
* {{App|xfreerdp|FreeRDP X11 client. Run with {{ic|xfreerdp3}}.|https://www.freerdp.com/|{{Pkg|freerdp}}}}

=== Remote desktop servers ===

* {{App|freerdp-shadow-cli3|A utility for sharing an X display via RDP.|https://www.freerdp.com/|{{Pkg|freerdp}}}}
* {{App|GNOME Remote Desktop|A remote desktop server for GNOME. Supports RDP and VNC. Part of {{Grp|gnome}}.|https://gitlab.gnome.org/GNOME/gnome-remote-desktop|{{Pkg|gnome-remote-desktop}}}}
* {{App|kmsvnc|A VNC server for DRM/KMS capable GNU/Linux devices.|https://github.com/isjerryxiao/kmsvnc|{{AUR|kmsvnc}}}}
* {{App|KRdp|A limited RDP server for KDE.|https://invent.kde.org/plasma/krdp|{{Pkg|krdp}}}}
* {{App|Krfb|VNC server for KDE. Part of {{Grp|kde-network}}.|https://apps.kde.org/krfb/|{{Pkg|krfb}}}}
* {{App|MeshCentral|Device management server for files, terminal access and remote desktop into Linux (X11), macOS and Windows.|https://meshcentral.com/|{{AUR|meshcentral}}}}
* {{App|[[NoMachine]]|Proprietary remote desktop server and client based on [[w:NX technology|NX
technology]].|https://nomachine.com/|{{AUR|nomachine}}}}
* {{App|wayvnc|VNC server for wlroots based wayland compositors (such as {{Pkg|sway}}).|https://github.com/any1/wayvnc|{{Pkg|wayvnc}}}}
* {{App|[[TigerVNC|x0vncserver (TigerVNC)]]|VNC Server for X displays.|https://tigervnc.org/|{{Pkg|tigervnc}}}}
* {{App|[[x11vnc]]|VNC server for real X displays.|http://www.karlrunge.com/x11vnc/|{{Pkg|x11vnc}}}}
* {{App|[[X2Go]] Server|An open source remote desktop software that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{AUR|x2goserver}}}}
* {{App|[[Xpra]]|A multi-platform screen and application forwarding system.|https://xpra.org/|{{Pkg|xpra}}}}
* {{App|[[Xrdp]]|A daemon that supports RDP. It uses Xvnc, X11rdp or xorgxrdp as a backend.|https://www.xrdp.org/|{{AUR|xrdp}}}}

Clipboard

2026-05-02T10:29:47Z

Lahwaacz: /* Tools */ move link to the tip

[[Category:X server]]
[[Category:Lists of software]]
[[es:Clipboard]]
[[hu:Clipboard]]
[[ja:クリップボード]]
[[ru:Clipboard]]
[[zh-hans:Clipboard]]
{{Related articles start}}
{{Related|Copying text from a terminal}}
{{Related|Firefox#Middle-click behavior}}
{{Related|GTK#Disable mouse paste}}
{{Related|Vim#Clipboard}}
{{Related articles end}}

{{Expansion|Describe clipboards for [[Wayland]] and Xwayland. Some references: [https://wiki.gnome.org/Initiatives/Wayland/PrimarySelection], [https://github.com/swaywm/sway/issues/1012], [https://bugreports.qt.io/browse/QTBUG-66008], [https://gitlab.gnome.org/GNOME/gsettings-desktop-schemas/-/merge_requests/119].}}

According to [[Wikipedia:Clipboard (computing)|Wikipedia]]:
:The clipboard is a facility used for short-term data storage and/or data transfer between documents or applications, via [[Wikipedia:copy and paste|copy and paste]] operations.

== History ==

In X10 ([[w:X_Window_System#Release history|1985]]), [[w:X_Window_selection#Cut_buffers|cut buffers]] were introduced. These were limited buffers that stored arbitrary text and were used by most applications. However, they were inefficient and implementation of them varied, so selections were introduced. Cut buffers are long deprecated, and although some applications (such as [[xterm]]) may have legacy support for them, it is both not likely and not recommended that they be used.

== Selections ==

[[Freedesktop.org]] describes the two main [[w:X_Window_selection#Selections|selections]] as follows:[https://specifications.freedesktop.org/clipboard-spec/latest/]

;PRIMARY: Used for the currently selected text, even if it is not explicitly copied, and for middle-mouse-click pasting. In some cases, pasting is also possible with a keyboard shortcut.
;CLIPBOARD: Used for explicit copy/paste commands involving keyboard shortcuts or menu items. Hence, it behaves like the single-clipboard system on Windows. Unlike PRIMARY, it can also handle [https://stackoverflow.com/questions/3571179/how-does-x11-clipboard-handle-multiple-data-formats multiple data formats].

The majority of programs for [[Xorg]], including [[Qt]] and [[GTK]] applications, follow this behavior. While [https://tronche.com/gui/x/icccm/ ICCCM] also defines a SECONDARY selection, it does not have a consensually agreed upon purpose. Despite the naming, all three selections are basically "clipboards". Rather than the old "cut buffers" system where arbitrary applications could modify data stored in the cut buffers, only one application may control or "own" a selection at one time. This prevents inconsistencies in the operation of the selections.

See the [[Keyboard shortcuts]] page which lists the default shortcuts in many programs.

It is also important to realize that according to the selection protocols, nothing is copied [https://unix.stackexchange.com/questions/213840/how-to-toggle-or-turn-off-text-selection-being-sent-to-the-clipboard/213843#213843 until it is pasted]. For example, if you select some word in a terminal window, close the terminal and then want to paste it somewhere else, it will not work because the terminal is gone and the text has not been copied anywhere. If you want the word to be preserved after closing terminal window, consider installing a [[clipboard manager]].

{{Note|[[#Managers|Clipboard managers]] can significantly change the user experience, for example they might synchronize the PRIMARY and CLIPBOARD selections to emulate a single-clipboard system.}}

== Disabling middle-click paste ==

The following disables the middle-click pasting behavior by automatically clearing PRIMARY, without disabling the middle-click button or altering its other functionalities (like opening in a new tab or scrolling).

=== Globally ===

==== Using sxhkd ====

Using [[sxhkd]], add the following to the [[sxhkd#Configuration|configuration file]]:

~button2
;echo -n | xclip -in

The command makes use of {{Pkg|xclip}}. See [[sxhkd#Usage]] for configuring sxhkd to autostart.

==== Using xsel ====

Run the script

#!/bin/sh
while true; do
xsel --follow --input --nodetach </dev/null
done

=== Application-specific ===

* [[GTK]] — See [[GTK#Disable mouse paste]]
* [[Firefox]] — See [[Firefox#Middle-click behavior]]
* [[LibreOffice]] — Can be disabled from Tools > Options > LibreOffice > View > Mouse

== Tools ==

This section lists command-line tools to manipulate the clipboards.

* {{App|sselp|Simple X11 selection printer. Prints the X11 selection to stdout.|https://tools.suckless.org/x/sselp|{{AUR|sselp}}}}
* {{App|xclip|A lightweight, command-line based interface to the X11 clipboard.|https://github.com/astrand/xclip|{{Pkg|xclip}}}}
* {{App|xsel|Command-line program for getting and setting the contents of the X11 selection.|http://www.vergenet.net/~conrad/software/xsel/|{{Pkg|xsel}}}}
* {{App|wl-clipboard|A simple copy/paste tool for [[Wayland]] compositors.|https://github.com/bugaevc/wl-clipboard|{{Pkg|wl-clipboard}}}}

{{Tip|Clipboards on Wayland can be synchronized with {{Pkg|wl-clipboard}} using {{ic|wl-paste --primary --watch wl-copy}}. See [[Copying text from a terminal]] for more examples.}}

== Managers ==

This section lists clipboard managers which provide additional features such as clipboard history or synchronization.

* {{App|Anamnesis|Clipboard manager that stores all the clipboard history and offers an interface to do a full-text search. It has both a command line and GUI mode available.|https://anamnesis.sourceforge.net/|{{AUR|anamnesis}}}}
* {{App|Autocutsel|Command line and daemon interfaces to synchronize PRIMARY, {{Ic|CLIPBOARD}} and cut buffer selections.|https://www.nongnu.org/autocutsel/|{{AUR|autocutsel}}}}
* {{App|Clipboard|Easy-to-use clipboard manager for terminals with multiple different clipboards, persistent clipboards, and regex selection.|https://github.com/Slackadays/Clipboard|{{AUR|clipboard}}}}
* {{App|Clipboard Indicator|Clipboard manager extension for GNOME Shell. Adds a clipboard indicator to the top panel, and caches clipboard history.|https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator|{{AUR|gnome-shell-extension-clipboard-indicator-git}}}}
* {{App|Clipcat|Clipboard manager written in Rust which allows user to select clipboard history from application launchers such as [[dmenu]], [[rofi]]. |https://github.com/xrelkd/clipcat|{{Pkg|clipcat}}}}
* {{App|cliphist|wayland clipboard manager with support for multimedia.|https://github.com/sentriz/cliphist|{{Pkg|cliphist}}}}
* {{App|Clipman|Clipboard manager plugin for the Xfce4 panel. It keeps the clipboard contents around while it is usually lost when you close an application. It is able to handle text and images, and has a feature to execute actions on specific text selections by matching them against regular expressions.|https://goodies.xfce.org/projects/panel-plugins/xfce4-clipman-plugin|{{Pkg|xfce4-clipman-plugin}}}}
* {{App|Clipmenu|Dmenu based clipboard manager|https://github.com/cdown/clipmenu/|{{Pkg|clipmenu}}}}
* {{App|Clipmon|A lightweight clipboard manager for Wayland. Intended as a monitoring tool that will send a notification when an application pastes from the clipboard on its own (this feature is a work in progress).|https://git.sr.ht/~whynothugo/clipmon|{{AUR|clipmon-git}}}}
* {{App|Cursor Clip|GTK4 Wayland Clipboard Manager written in Rust with dynamic positioning. Features a Windows 11–style clipboard history, adapted to native GNOME design.|https://github.com/Sirulex/cursor-clip|{{AUR|cursor-clip-git}}}}
* {{App|clipse|A configurable, TUI-based clipboard manager application written in Go with minimal dependency.|https://github.com/savedra1/clipse|{{AUR|clipse}}}}
* {{App|clipsim|Simple and fast X clipboard manager written in C.|https://github.com/lucas-mior/clipsim|{{AUR|clipsim-git}}}}
* {{App|Clipster|A lightweight, command-line-driven clipboard manager, written in Python.|https://github.com/mrichar1/clipster|{{AUR|clipster}}}}
* {{App|Clipton|Clipboard manager with a Rofi frontend.|https://github.com/madprops/clipton|{{AUR|clipton-git}}}}
* {{App|CopyQ|Clever Qt clipboard manager with searchable and editable history, custom actions on items and command line support.|https://github.com/hluk/CopyQ|{{Pkg|copyq}}}}
* {{App|Gnome Clipboard History|Gnome Clipboard History is a clipboard manager GNOME extension that saves what you've copied into an easily accessible, searchable history panel.|https://github.com/SUPERCILEX/gnome-clipboard-history|{{AUR|gnome-shell-extension-clipboard-history}}}}
* {{App|GPaste|Clipboard management system that aims at being a new generation Parcellite, with a modular structure split in a couple of libraries and a daemon for adaptability. Offers a GNOME Shell extension and a CLI interface.|https://github.com/Keruspe/GPaste|{{Pkg|gpaste}}}}
* {{App|[[Greenclip]]|Simple clipboard manager to be integrated with rofi|https://github.com/erebe/greenclip|{{AUR|rofi-greenclip}}}}
* {{App|[[Wikipedia:Klipper|Klipper]]|Full featured clipboard manager for the KDE desktop.|https://userbase.kde.org/Klipper|{{Pkg|plasma-workspace}}}}
* {{App|Parcellite|Lightweight yet feature-rich clipboard manager. It has both a command line and GUI mode available.|https://parcellite.sourceforge.net/|{{Pkg|parcellite}}}}
* {{App|Qlipper|Lightweight and cross-platform clipboard history applet based on Qt.|https://github.com/pvanek/qlipper/|{{AUR|qlipper}}}}
* {{App|xclipboard|Official X clipboard command-line client.|https://www.x.org/releases/X11R7.5/doc/man/man1/xclipboard.1.html|{{Pkg|xorg-xclipboard}}}}
* {{App|xcmenu|Clipboard synchronizer developed for window manager users.|https://github.com/dindon-sournois/xcmenu|{{AUR|xcmenu-git}}}}

== See also ==

* [https://specifications.freedesktop.org/clipboard-spec/latest/ Cut-and-paste in X]
* [https://www.jwz.org/doc/x-cut-and-paste.html X Selections, Cut Buffers, and Kill Rings.]
* [https://www.uninformativ.de/blog/postings/2017-04-02/0/POSTING-en.html X11: How does “the” clipboard work?]
* [https://wayland.app/protocols/primary-selection-unstable-v1 Wayland's Primary selection protocol]

Keyboard shortcuts

2026-05-02T10:02:55Z

Lahwaacz: /* Rebooting */ remove unnecessary sentence

[[Category:Keyboard configuration]]
[[Category:X server]]
[[Category:Accessibility]]
[[fr:Keyboard shortcuts]]
[[hu:Keyboard shortcuts]]
[[ja:キーボードショートカット]]
[[pt:Keyboard shortcuts]]
[[ru:Keyboard shortcuts]]
[[zh-hans:Keyboard shortcuts]]
{{Related articles start}}
{{Related|Fluxbox#Keyboard shortcuts}}
{{Related|i3#Keyboard shortcuts}}
{{Related|Linux console#Keyboard shortcuts}}
{{Related|LXDE#Keyboard shortcuts}}
{{Related|Openbox#Keyboard shortcuts}}
{{Related|Xfce#Keyboard shortcuts}}
{{Related|Xmonad#X-Selection-Paste}}
{{Related|Zsh#Key bindings}}
{{Related articles end}}

This article provides a list of (not commonly known) default keyboard shortcuts and provides information about user customization.

{{Tip|If you like a keyboard-centered workflow, you might also appreciate a [[tiling window manager]].}}

== Standard shortcuts ==

=== Kernel (SysRq) ===

There are several low level shortcuts that are implemented in the kernel via the [[Wikipedia:SysRq|SysRq]] key which can be used for debugging and recovering from an unresponsive system. Whenever possible, it is recommended that you use these shortcuts instead of doing a hard shutdown (holding down the power button to completely power off the system).

See [[Wikipedia:Magic SysRq key]] for more details.

==== Enabling ====

[[systemd]] has the SysRq permissions bitmask [https://github.com/systemd/systemd/blob/main/sysctl.d/50-default.conf#L14-L19 set to 0x10 by default], which [https://docs.kernel.org/admin-guide/sysrq.html does not allow process signalling or rebooting], among other things. To allow full use of the {{ic|SysRq}} key on your system, add {{ic|1=kernel.sysrq = 1}} to your [[sysctl#Configuration|sysctl configuration]]. Values greater than 1 can be used to selectively enable SysRq functions; see the [https://docs.kernel.org/admin-guide/sysrq.html Linux kernel documentation] for details. If you want to make sure it will be enabled even before the partitions are mounted and in the initramfs, then add {{ic|1=sysrq_always_enabled=1}} to your [[kernel parameters]].

Note that changing the setting through these methods will cause the changes to persist across reboots. If you want to try changing the SysRq settings for just your current session, you can run either {{ic|1=sysctl kernel.sysrq=1}} or {{ic|echo "1" > /proc/sys/kernel/sysrq}}.

To avoid security risks involved in fully enabling the {{ic|SysRq}} function, users may turn on a subset of features, as described in the following section. If unrestricted use of {{ic|SysRq}} is enabled, it allows killing processes and forcing reboots, which does not increase risk to desktop and laptop users. But it also can be used to dump the contents of the CPU registers, which could theoretically reveal sensitive information. Unless you [https://github.com/jd/sysrqd go out of your way], that requires physical access to the system.

==== Rebooting ====

A common idiom to remember this is "'''R'''eboot '''E'''ven '''I'''f '''S'''ystem '''U'''tterly '''B'''roken" (also referred to as "REISUB"). Alternatively, think of it as "BUSIER" backwards.

{{Note|Please be aware that "REISUB" itself is just a mnemonic, not any kind of general recommendation for the key press sequence to take back control of an unresponsive system. You should not blindly press these sequences each time without knowing their actual function as noted below.}}

{| class="wikitable"
! Keyboard Shortcut
! Description
! Code to Enable
! Other Functions Enabled
|-
| {{ic|Alt+SysRq+r}} Unraw
| Switch keyboard mode for the current virtual console from the ''raw'' mode to ASCII mode (also known as XLATE mode) [https://unix.stackexchange.com/a/16555].
| {{C|4}}
| {{ic|Alt+SysRq+k}} SAK
|-
| {{ic|Alt+SysRq+e}} Terminate
| Send SIGTERM to all processes, allowing them to terminate gracefully.
| rowspan=2 {{C|64}}
| rowspan=2 | {{ic|Alt+SysRq+f}} OOM kill {{ic|Alt+SysRq+j}} Thaw
|-
| {{ic|Alt+SysRq+i}} Kill
| Send SIGKILL to all processes, forcing them to terminate immediately.
|-
| {{ic|Alt+SysRq+s}} Sync
| Flush data to disk.
| {{C|16}}
| {{-}}
|-
| {{ic|Alt+SysRq+u}} Unmount
| Unmount and remount all filesystems read-only.
| {{C|32}}
| {{-}}
|-
| {{ic|Alt+SysRq+b}} Reboot
| Reboot
| {{C|128}}
| {{-}}
|}

For example, to selectively enable just the reboot function, set {{ic|1=kernel.sysrq}} to 128. The whole set of REISUB functions can be enabled by setting it to 244, although this also enables the additional functions, such as those listed in the last column of the table. For further documentation, see the [https://docs.kernel.org/admin-guide/sysrq.html SysRq key documentation] and the kernel source file {{ic|/drivers/tty/sysrq.c}}.

If you have an unresponsive system and want to perform the entire REISUB sequence, do the following:

* Press and hold {{ic|Alt}}.
* Press and release {{ic|SysRq}} (or {{ic|Print/PrtScn}} if your keyboard doesn't have {{ic|SysRq}}).
* Press and release each of the letters in the mnemonic in order, waiting about 1 second in between each press.

==== Killing a memory-hogging process ====

{{ic|Alt+SysRq+f}} can be used to invoke the [https://docs.kernel.org/admin-guide/mm/concepts.html?highlight=oom#oom-killer OOM (out-of-memory) killer] without causing a kernel panic if nothing can be killed. The OOM killer uses a set of heuristics to pick whichever relatively non-vital process is using the most memory and kill it. This is very useful to kill a process that is softlocking your system by causing excessive thrashing, such as a runaway browser script, and can alleviate the need for a reboot in many cases. Note that the OOM killer can target a wide variety of processes despite its well-meaning heuristics and can be somewhat unpredictable, so be careful about calling it casually.

==== Remote usage ====

{{AUR|sysrqd}} is a daemon for remotely using {{ic|SysRq}} functionality. It appears to be currently unmaintained. [https://aur.archlinux.org/packages/sysrqd#comment-922563]

==== Troubleshooting ====

* If a SysRq action produces output, it is sent to the kernel ring buffer where the [[systemd journal]] will pick it up. When nothing prevents the output to be displayed on the [[Linux console]], it will be there too. Not having a response on the console does not prove the SysRq command was not processed successfully. If that is the case, run {{ic|journalctl -kf}} to monitor the output as it arrives to the kernel ring buffer.
* If you are using a [[display manager]] and after {{ic|Alt+SysRq+e}} you are presented with the login screen (or full desktop if autologin is enabled), it is most likely caused by {{ic|1=Restart=always}} directive in the relevant [[systemd|service file]]. If necessary, [[edit the unit]], however this should not prevent the "REISUB" sequence from working.
* If all the above combinations work except {{ic|Alt+SysRq+b}}, try using the opposite {{ic|Alt}} key.
* On laptops that use {{ic|Fn}} key to differentiate {{ic|SysRq}} from {{ic|PrintScreen}}, it may not actually be necessary to use the {{ic|Fn}} key (i.e., {{ic|Alt+PrintScreen+''letter''}} could work).
* On Lenovo laptops (outside of their Legion lineup) {{ic|SysRq}} is often configured as {{ic|Fn+S}}. To use it press and hold {{ic|Alt}} then press {{ic|Fn+s}}, '''release''' {{ic|Fn}} and {{ic|s}} still holding {{ic|Alt}} followed by the keys above.
* You may need to press {{ic|Ctrl}} along with {{ic|Alt}}, or {{ic|AltGr}}[https://unix.stackexchange.com/a/403843]. The full key shortcut would be {{ic|Ctrl+Alt+SysRq+b}} or {{ic|AltGr+SysRq+b}}.
* Some keyboards, like Logitech K835, use {{ic|Fn+Ins}} to produce {{ic|SysRq}}.

=== Xorg and Wayland ===

{| class="wikitable"
! Keyboard Shortcut
! Description
! Notes
|-
| {{ic|Ctrl+Alt+F1}}, {{ic|F2}}, {{ic|F3}}, ...
| Switch to ''n''-th virtual console
| If it does not work, try {{ic|Ctrl+Alt+Fn+F…}}.
|-
| {{ic|Shift+Insert}} {{ic|Mouse Button 2}}
| Paste text from the [[Clipboard|PRIMARY buffer]]
| By default, Qt maps {{ic|Shift+Insert}} to CLIPBOARD instead of the PRIMARY buffer (see e.g. [https://doc.qt.io/qt-5/qlineedit.html#details]) and {{ic|Ctrl+Shift+Insert}} is mapped to the PRIMARY buffer.
|-
|}

== Customization ==

The below tools bind keys to higher-level actions. For tools that only bind keys to other keys, see [[Input remap utilities]].

=== Readline ===

[[Readline]] is a commonly used library for line-editing; it is used for example by [[Bash]], FTP, and many more (see the details of {{Pkg|readline}} package under "Required By" for more examples). It has [[Emacs]]-like and [[vi]]-like editing modes which can be customized with escape sequences. Default key bindings are listed in {{man|3|readline}} and the [https://tiswww.cwru.edu/php/chet/readline/rluserman.html Info documentation].

=== Xorg ===

See [[Xorg/Keyboard configuration#Frequently used XKB options]] for some common shortcuts, that are disabled by default.

When we are in a graphical environment we may want to execute a command when certain key combination is pressed (i.e. bind a command to a ''keysym''). There are multiple ways to do that:

* The most portable way using low level tools, such as [[acpid]]. Not all keys are supported, but configuration in uniform way is possible for keyboard keys, power adapter connection and even headphone jack (un)plugging events. It is also difficult to run programs inside X session correctly.
* The universal way using [[Xorg]] utilities (e.g. [[xbindkeys]]) and eventually your desktop environment or window manager tools.
* The quicker way using a third-party program to do everything in GUI, such as the Gnome Control Center.

==== sxhkd ====

A simple X hotkey daemon with a powerful and compact configuration syntax. See [[sxhkd]] for details.

==== actkbd ====

From [http://users.softlab.ece.ntua.gr/~thkala/projects/actkbd/ actkbd home page]:
:{{AUR|actkbd}} is a simple daemon that binds actions to keyboard events. It recognises key combinations and can handle press, repeat and release events. Currently it only supports the linux-2.6 evdev interface. It uses a plain-text configuration file which contains all the bindings.

A sample configuration and guide is available [http://users.softlab.ece.ntua.gr/~thkala/projects/actkbd/latest/README here].

==== xbindkeys ====

[[xbindkeys]] allows advanced mapping of keysyms to actions independently of the Desktop Environment.

{{Tip| If you find {{ic|xbindkeys}} difficult to use, try the graphical manager {{AUR|xbindkeys_config-gtk2}}.}}

=== Key binding for X-selection-paste ===

{{Accuracy|1={{ic|Shift+Insert}} pastes the PRIMARY buffer.}}
{{Expansion|Why the 100ms delay?}}

Users who prefer to work with the keyboard rather than the mouse may benefit from a key binding to the paste operation of the middle mouse button. This is especially useful in a keyboard-centered environment. A workflow example is:

# In Firefox, select a string you want to web-search for (with the mouse).
# Hit {{ic|Ctrl+k}} to enter the "search engine" field.
# Hit {{ic|F9}} to paste the buffer, instead of moving the mouse pointer to the field and middle-click to paste.

{{Note|{{ic|Shift+Insert}} has a similar yet different functionality, see [[#Xorg]]: {{ic|Shift+Insert}} inserts the clipboard buffer, not the x-selection-paste buffer. In some applications, these two buffers are mirrored.}}

The method suggested here uses the following three packages::

* {{Pkg|xsel}} to give access to the x-selection-buffer content.
* [[Xbindkeys]] to bind a key-stroke to an action.
* {{AUR|xvkbd}} to pass the buffer string to the application by emulating keyboard input.

This example binds the x-selection-paste operation to the {{ic|F9}} key:

{{hc|.xbindkeysrc|
"xvkbd -no-jump-pointer -xsendevent -text "\D1`xsel`" 2>/dev/null"
F9
}}

The {{ic|"\D1"}} code prefixes a 100 ms pause to inserting the selection buffer (see the [http://t-sato.in.coocan.jp/xvkbd/ xvkbd home page]).

{{Note|Depending on your X configuration, you may need to drop the {{ic|-xsendevent}} argument to xvkbd.}}
The key codes for keys other than {{ic|F9}} can be determined using {{ic|xbindkeys -k}}.

References:

* [https://unix.stackexchange.com/questions/11889/pasting-x-selection-not-clipboard-contents-with-keyboard Pasting X selection (not clipboard) contents with keyboard]
* [http://t-sato.in.coocan.jp/xvkbd/ xvkbd home page]

== See also ==

* [https://lnag.sourceforge.net/lnag_html/node5.html Linux Newbie Administrator Guide - Shortcuts and Commands]
* [https://tldp.org/HOWTO/Keyboard-and-Console-HOWTO.html The Linux keyboard and console HOWTO]

General recommendations

2026-05-02T09:18:13Z

Lahwaacz: /* Graphical user interface */ add general intro about display server and graphics drivers

[[Category:System administration]]
[[bs:General recommendations]]
[[ca:General recommendations]]
[[cs:General recommendations]]
[[el:General recommendations]]
[[es:General recommendations]]
[[fr:General recommendations]]
[[hu:General recommendations]]
[[it:General recommendations]]
[[ja:一般的な推奨事項]]
[[lv:General recommendations]]
[[pl:General recommendations]]
[[pt:General recommendations]]
[[ru:General recommendations]]
[[tr:General recommendations]]
[[zh-hans:建议阅读]]
[[zh-hant:General recommendations]]
{{Related articles start}}
{{Related|Frequently asked questions}}
{{Related|List of applications}}
{{Related|System maintenance}}
{{Related articles end}}

This document is an annotated index of popular articles and important information for improving and adding functionalities to the installed Arch system. Readers are assumed to have read and followed the [[Installation guide]] to obtain a basic Arch Linux installation. Having read and understood the concepts explained in [[#System administration]] and [[#Package management]] is ''required'' for following the other sections of this page and the other articles in the wiki.

== System administration ==

This section deals with administrative tasks and system management. See [[Core utilities]] and [[:Category:System administration]] for more.

=== Users and groups ===

A new installation leaves you with only the [[Wikipedia:Superuser|superuser]] account, better known as "root". Logging in as root for prolonged periods of time, possibly even exposing it via [[SSH]] on a server, [https://apple.stackexchange.com/questions/192365/is-it-ok-to-use-the-root-user-as-a-normal-user/192422#192422 is insecure]. Instead, you should create and use unprivileged user account(s) for most tasks, only using the root account for system administration. See [[Users and groups#User management]] for details.

Users and groups are a mechanism for ''access control''; administrators may fine-tune group membership and ownership to grant or deny users and services access to system resources. Read the [[Users and groups]] article for details and potential security risks.

=== Security ===

Read [[Security]] for recommendations and best practices on hardening the system.

For a list of applications to allow running commands or starting an interactive shell as another user (e.g. root), see [[List of applications/Security#Privilege elevation]]. For graphical equivalents (and how to avoid them), see [[Privilege elevation for graphical applications]].

{{Tip|More fine-grained privilege elevation is provided by [[polkit]], which requires additional setup for graphical environments.}}

=== Service management ===

Arch Linux uses [[systemd]] as the [[init]] process, which is a system and service manager for Linux. For maintaining your Arch Linux installation, it is a good idea to learn the basics about it.

Interaction with ''systemd'' is done through the ''systemctl'' command. See [[systemd#Basic systemctl usage]] for more information.

A logging system is also provided, with the command ''journalctl''. See [[journal]] for more information.

=== System maintenance ===

Arch is a rolling release system and has rapid package turnover, so users have to take some time to do [[system maintenance]].

== Package management ==

This section contains helpful information related to package management. See [[FAQ#Package management]] and [[:Category:Package management]] for more.

{{Note|It is imperative to keep up to date with changes in Arch Linux that require manual intervention '''before''' upgrading your system. Subscribe to the [https://lists.archlinux.org/mailman3/lists/arch-announce.lists.archlinux.org/ arch-announce mailing list] or the [https://archlinux.org/feeds/news/ recent news RSS feed]. Alternatively, check the front page [https://archlinux.org/ Arch news] every time before you update.}}

=== pacman ===

[[pacman]] is the Arch Linux ''pac''kage ''man''ager: it is highly encouraged to become familiar with it before reading any other articles.

For long term handling of cached packages, see [[pacman#Cleaning the package cache]].

See [[pacman/Tips and tricks]] for suggestions on how to improve your interaction with ''pacman'' and package management in general.

=== Repositories ===

See the [[Official repositories]] article for details about the purpose of each officially maintained repository.

If you plan on using 32-bit applications, you will want to enable the [[multilib]] repository.

The [[Unofficial user repositories]] article lists several other unsupported repositories.

You may consider installing the [[pkgstats]] service.

=== Mirrors ===

Visit the [[Mirrors]] article for steps on taking full advantage of using the fastest and most up to date mirrors of the official repositories. As explained in the article, a particularly good advice is to routinely check the [https://archlinux.org/mirrors/status/ Mirror Status] page for a list of mirrors that have been recently synced. This can be automated with [[Reflector]].

=== Arch Build System ===

''Ports'' is a system initially used by BSD distributions consisting of build scripts that reside in a directory tree on the local system. Simply put, each port contains a script within a directory intuitively named after the installable third-party application.

The [[Arch build system]] offers the same functionality by providing build scripts called [[PKGBUILD]]s, which are populated with information for a given piece of software: integrity hashes, project URL, version, license and build instructions. These PKGBUILDs are parsed by [[makepkg]], the actual program that generates packages that are cleanly manageable by ''pacman''.

Every package in the repositories along with those present in the AUR are subject to recompilation with ''makepkg''.

=== Arch User Repository ===

While the Arch Build System allows the ability of building software available in the official repositories, the [[Arch User Repository]] (AUR) is the equivalent for user submitted packages. It is an unsupported repository of build scripts accessible through the [https://aur.archlinux.org/ web interface] or through the [[Aurweb RPC interface]].

== Booting ==

This section contains information pertaining to the boot process. An overview of the Arch boot process can be found at [[Arch boot process]]. See [[:Category:Boot process]] for more.

=== Hardware auto-recognition ===

Hardware should be auto-detected by [[udev]] during the boot process by default. A potential improvement in boot time can be achieved by disabling module auto-loading and specifying required modules manually, as described in [[Kernel modules]]. Additionally, [[Xorg]] should be able to auto-detect required drivers using {{ic|udev}}, but users have the option to configure the X server manually too.

=== Microcode ===

Processors may have [https://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly faulty behaviour], which the kernel can correct by updating the ''microcode'' on startup. See [[Microcode]] for details.

=== Retaining boot messages ===

Once the login prompt appears, the messages from boot are cleared, leaving users unable to gather feedback from them. [[Disable clearing of boot messages]] to overcome this limitation.

=== Num Lock activation ===

[[Wikipedia:Num Lock|Num Lock]] is a toggle key found in most keyboards. For activating Num Lock's number key-assignment during startup, see [[Activating numlock on bootup]].

== Graphical user interface ==

This section provides orientation for users wishing to run graphical applications on their system. See [[:Category:Graphical user interfaces]] for additional resources.

The core component of a graphical user interface is a [[List of applications/Other#Display servers|display server]], which coordinates the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server and/or its clients may require installing an [[Graphics processing unit#Installation|appropriate GPU driver]] to accelerate rendering and other graphics operations. Although the display server provides the basic framework for building a graphical environment, additional components may be considered necessary for a complete user experience.

=== Desktop environments ===

[[Desktop environment]]s such as [[KDE]], [[GNOME]], [[COSMIC]], [[Xfce]], [[Cinnamon]], [[LXDE]], bundle together a wide range of well-integrated applications, such as a window manager or compositor, panel/taskbar, file manager, terminal emulator, text editor, icons, and other utilities. Users with less experience may wish to install a desktop environment for a more familiar environment. See [[:Category:Desktop environments]] for additional resources.

=== Window managers or compositors ===

A full-fledged desktop environment provides a complete and consistent graphical user interface, but tends to consume a good amount of system resources. Users seeking to maximize performance or otherwise simplify their environment may opt to install a [[window manager]] or [[Wayland#Compositors|compositor]] alone and hand-pick desired extras. Using [[Xorg]], most desktop environments allow use of an alternative window manager as well. [[:Category:Dynamic window managers|Dynamic]], [[:Category:Stacking window managers|stacking]], and [[:Category:Tiling window managers|tiling]] window managers differ in their handling of window placement.

=== Display manager ===

Most desktop environments include a [[display manager]] for automatically starting the graphical environment and managing user logins. Users without a desktop environment can install one separately. Alternatively you may [[start X at login]] as a simple alternative to a display manager.

=== User directories ===

Well-known user directories like Downloads or Music are created by the {{ic|xdg-user-dirs-update.service}} user service, that is provided by {{Pkg|xdg-user-dirs}} and enabled by default upon install. If your desktop environment or window manager does not pull in the package, you can [[install]] it and run {{ic|xdg-user-dirs-update}} manually as per [[XDG user directories#Creating default directories]].

== Power management ==

This section may be of use to laptop owners or users otherwise seeking power management controls. See [[:Category:Power management]] for more.

See [[Power management]] for more general overview.

=== ACPI events ===

Users can configure how the system reacts to ACPI events such as pressing the power button or closing a laptop's lid. For the recommended method using [[systemd]], see [[Power management#ACPI events]]. For the old method, see [[acpid]].

=== CPU frequency scaling ===

Modern processors can decrease their frequency and voltage to reduce heat and power consumption. Less heat leads to more quiet system and prolongs the life of hardware. See [[CPU frequency scaling]] for details.

=== Laptops ===

For articles related to portable computing along with model-specific installation guides, please see [[:Category:Laptops]]. For a general overview of laptop-related articles and recommendations, see [[Laptop]].

=== Suspend and hibernate ===

See the main article: [[Power management/Suspend and hibernate]].

== Multimedia ==

[[:Category:Multimedia]] includes additional resources.

=== Sound system ===

[[ALSA]] is a kernel [[sound system]] that should work out the box (it just needs to be [[Advanced Linux Sound Architecture#Unmuting the channels|unmuted]]). [[Sound server]]s such as [[PipeWire]] and [[PulseAudio]] can offer additional features and support more complex audio configuration.

See [[Professional audio]] for advanced audio requirements.

== Networking ==

This section is confined to small networking procedures. See [[Network configuration]] for a full configuration guide and [[:Category:Networking]] for related articles.

=== DNS security ===

For better security while browsing the web, paying online, connecting to [[SSH]] services and similar tasks consider using [[DNSSEC]]-enabled [[DNS resolver]] that can validate signed [[Wikipedia:Domain Name System|DNS]] records, and an encrypted protocol such as [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]]. See [[Domain name resolution]] for details.

=== Setting up a firewall ===

A firewall can provide an extra layer of protection on top of the Linux networking stack. While the stock Arch kernel is capable of using [[Wikipedia:Netfilter|Netfilter]]'s [[iptables]] and [[nftables]], neither are enabled by default. It is highly recommended to set up some form of firewall. See [[:Category:Firewalls]] for available guides.

=== Network shares ===

To share files among the machines in a network, follow the [[NFS]] or the [[SSHFS]] article.

Use [[Samba]] to join a Windows network. To configure the machine to use Active Directory for authentication, read [[Active Directory integration]].

See also [[:Category:Network sharing]].

== Input devices ==

This section contains popular input device configuration tips. See [[:Category:Input devices]] for more.

=== Keyboard layouts ===

Non-English or otherwise non-standard keyboards may not function as expected by default. The necessary steps to configure the keymap are different for virtual console and [[Xorg]], they are described in [[Keyboard configuration in console]] and [[Keyboard configuration in Xorg]] respectively.

=== Mouse buttons ===

Owners of advanced or unusual mice may find that not all mouse buttons are recognized by default, or may wish to assign different actions for extra buttons. Instructions can be found in [[Mouse buttons]].

=== Laptop touchpads ===

Many laptops use [[Wikipedia:Synaptics|Synaptics]] or [[Wikipedia:Alps Electric|ALPS]] "touchpad" pointing devices. For these, and several other touchpad models, you can use either the Synaptics input driver or libinput; see [[Touchpad Synaptics]] and [[libinput]] for installation and configuration details.

=== TrackPoints ===

See the [[TrackPoint]] article to configure your TrackPoint device.

== Optimization ==

This section aims to summarize tweaks, tools and available options useful to improve system and application performance.

=== Benchmarking ===

[[Benchmarking]] is the act of measuring performance and comparing the results to another system's results or a widely accepted standard through a unified procedure.

=== Improving performance ===

The [[Improving performance]] article gathers information and is a basic rundown about gaining performance in Arch Linux.

=== Solid state drives ===

The [[Solid state drive]] article covers many aspects of solid state drives, including configuring them to maximize their lifetimes, e.g. with [[TRIM]].

== System services ==

This section relates to [[daemons]].

=== File index and search ===

Most distributions have a ''locate'' command available to be able to quickly search files. Arch Linux provides several alternatives, see [[locate]] for details.

[[List of applications/Utilities#File searching|Desktop search engines]] provide a similar service, while better integrated into [[desktop environment]]s.

=== Local mail delivery ===

A default setup does not provide a way to synchronize mail. A list of mail delivery agents is available in the [[Mail server]] article.

=== Printing ===

[[CUPS]] is a standards-based, open source printing system developed by OpenPrinting for Linux. See [[:Category:Printers]] for printer-specific articles.

== Appearance ==

This section contains frequently-sought "eye candy" tweaks for an aesthetically pleasing Arch experience. See [[:Category:Eye candy]] for more.

=== Fonts ===

You may wish to install a set of TrueType fonts, as only unscalable bitmap fonts are included in a basic Arch system. There are several general-purpose [[Fonts#Families|font families]] providing large [[Wikipedia:Unicode|Unicode]] coverage and even [[Metric-compatible fonts|metric compatibility]] with fonts from other operating systems.

A plethora of information on the subject can be found in the [[Fonts]] and [[Font configuration]] articles.

If spending a significant amount of time working from the virtual console (i.e. outside an X server), users may wish to change the console font to improve readability; see [[Linux console#Fonts]].

=== GTK and Qt themes ===

A big part of the applications with a graphical interface for Linux systems are based on the [[GTK]] or the [[Qt]] toolkits. See those articles and [[Uniform look for Qt and GTK applications]] for ideas to improve the appearance of your installed programs and adapt it to your liking.

== Console improvements ==

This section applies to small modifications that improve console programs' practicality. See [[:Category:Command-line shells]] for more.

=== Tab-completion enhancements ===

It is recommended to properly set up extended [[Wikipedia:Command-line_completion|tab completion]] right away, as instructed in the article of your chosen [[shell]].

=== Aliases ===

Aliasing a command, or a group thereof, is a way of saving time when using the console. This is especially helpful for repetitive tasks that do not need significant alteration to their parameters between executions. Common time-saving aliases can be found in [[Bash#Aliases]], which are easily portable to [[zsh]] as well.

=== Alternative shells ===

[[Bash]] is the shell installed by default in an Arch system. The live installation media, however, uses [[zsh]] with the {{Pkg|grml-zsh-config}} addon package. See [[Command-line shell#List of shells]] for more alternatives.

=== Bash additions ===

A list of miscellaneous Bash settings, history search and [[Readline]] macros is available in [[Bash#Tips and tricks]].

=== Colored output ===

This section is covered in [[Color output in console]].

=== Compressed files ===

Compressed files, or archives, are frequently encountered on a GNU/Linux system. [[Tar]] is one of the most commonly used archiving tools, and users should be familiar with its syntax (Arch Linux packages, for example, are simply {{Pkg|zstd}} compressed tarballs). See [[Archiving and compression]].

=== Console prompt ===

The console prompt ({{ic|PS1}}) can be customized to a great extent. See [[Bash/Prompt customization]] or [[Zsh#Prompts]] if using Bash or Zsh, respectively.

=== Emacs shell ===

Emacs is known for featuring options beyond the duties of regular text editing, one of these being a full shell replacement. Consult [[Emacs#Colored output issues]] for a fix regarding garbled characters that may result from enabling colored output.

=== Mouse support ===

Using a mouse with the console for copy-paste operations can be preferred over [[GNU Screen]]'s traditional copy mode. Refer to [[General purpose mouse]] for comprehensive directions. Note that you can already do this in [[terminal emulator]]s with the [[clipboard]].

=== Session management ===

Using terminal multiplexers like [[tmux]] or [[GNU Screen]], programs may be run under sessions composed of tabs and panes that can be detached at will, so when the user either kills the terminal emulator, terminates [[X]], or logs off, the programs associated with the session will continue to run in the background as long as the terminal multiplexer server is active. Interacting with the programs requires reattaching to the session.

Arch package guidelines

2026-05-02T09:01:20Z

Lahwaacz: this is already in a note

[[Category:Arch package guidelines]]
[[es:Arch package guidelines]]
[[fr:Arch package guidelines]]
[[hu:Arch package guidelines]]
[[ja:Arch パッケージガイドライン]]
[[pt:Arch package guidelines]]
[[ru:Arch package guidelines]]
[[zh-hans:Arch 打包准则]]
{{Package guidelines}}
{{Related articles start}}
{{Related|/Security}}
{{Related|Arch build system}}
{{Related|Creating packages}}
{{Related|makepkg}}
{{Related articles end}}

When building packages for [[Arch Linux]], adhere to the package guidelines below, especially if the intention is to contribute a new package to Arch Linux. You should also see the {{man|5|PKGBUILD}} and {{man|8|makepkg}} [[man page]]s.

Important points listed on this page are not repeated on the other package guideline pages. These specific guidelines are intended as an addition to the standards listed below.

See ''.proto'' files in the {{ic|/usr/share/pacman/}} [https://gitlab.archlinux.org/pacman/pacman/-/tree/master/proto directory] as [[PKGBUILD]] examples.

{{Note|Packages submitted to the [[Arch User Repository]] must additionally comply with [[AUR submission guidelines]].}}

== Package etiquette ==

* Packages should '''never''' be installed to {{ic|/usr/local/}}.

* '''Do not introduce new variables or functions''' into {{ic|PKGBUILD}} build scripts, unless the package cannot be built without doing so, as these could possibly '''conflict''' with variables and functions used in ''makepkg'' itself.

* If a new variable or a new function is absolutely required, '''prefix its name with an underscore''' ({{ic|_}}), e.g. {{bc|1=_customvariable=}}

* '''Avoid''' using {{ic|/usr/libexec/}} for anything. Use {{ic|/usr/lib/$pkgname/}} instead.

* The {{ic|packager}} field from the package meta file can be '''customized''' by the package builder by modifying the appropriate option in the {{ic|/etc/makepkg.conf}} file, or alternatively override it by creating {{ic|~/.makepkg.conf}}.

* '''Do not use makepkg subroutines''' (e.g. {{ic|error}}, {{ic|msg}}, {{ic|msg2}}, {{ic|plain}}, {{ic|warning}}) as they might change at any time. To print data, use {{ic|printf}} or {{ic|echo}}.

* All important messages should be echoed during install using an '''.install file'''. For example, if a package needs extra setup to work, directions should be included.

* '''Dependencies''' are the most common packaging error. Please take the time to verify them carefully, for example by running {{man|1|ldd}}, {{ic|ldd --unused --function-relocs}} and {{man|1|readelf|dynamic}} on dynamic executables, checking tools required by scripts or looking at the documentation of the software. The [[namcap]] utility can help you in this regard. This tool can analyze both the {{ic|PKGBUILD}} file and the resulting package tarball and will warn you about bad permissions, missing dependencies, redundant dependencies, and other common mistakes.

* Any '''optional dependencies''' that are not needed to run the package or have it generally function should not be included in the '''depends''' array; instead the information should be added to the '''optdepends''' array:
:{{bc|<nowiki>
optdepends=('cups: printing support'
'sane: scanners support'
'libgphoto2: digital cameras support'
'alsa-lib: sound support'
'giflib: GIF images support'
'libjpeg: JPEG images support'
'libpng: PNG images support')
</nowiki>}}
:The above example is taken from the {{Pkg|wine}} package. The optdepends information is automatically printed out on installation/upgrade so one should '''not''' keep this kind of information in {{ic|.install}} files.

* When creating a '''package description''' for a package, do not include the package name in a self-referencing way. For example, "Nedit is a text editor for X11" could be simplified to "A text editor for X11". Also try to keep the descriptions to ~80 characters or less.

* Try to keep the '''line length''' in the {{ic|PKGBUILD}} file below ~100 characters.

* Where possible, '''remove empty lines''' from the {{ic|PKGBUILD}} ({{ic|provides}}, {{ic|replaces}}, etc.)

* It is common practice to '''preserve the order''' of the {{ic|PKGBUILD}} fields in the same order as given in the [[PKGBUILD]] article. However, this is not mandatory, as the only requirement in this context is '''correct Bash syntax'''.

* '''Quote''' variables which may contain spaces, such as {{ic|"$pkgdir"}} and {{ic|"$srcdir"}}.

* To ensure the '''integrity''' of packages, make sure that the [[PKGBUILD#Integrity|integrity variables]] contain correct values. These can be updated using the {{man|8|updpkgsums}} tool.

== Package naming ==

* Package names can contain only alphanumeric characters and any of {{ic|@}}, {{ic|.}}, {{ic|_}}, {{ic|+}}, {{ic|-}}. Names are not allowed to start with hyphens or dots. All letters should be lowercase.
* Package names should '''not''' be suffixed with the upstream major release version number (e.g. we do not want libfoo2 if upstream calls it libfoo v2.3.4) in case the library and its dependencies are expected to be able to keep using the most recent library version with each respective upstream release. However, for some software or dependencies, this can not be assumed. In the past this has been especially true for widget toolkits such as GTK and Qt. Software that depends on such toolkits can usually not be trivially ported to a new major version. As such, in cases where software can not trivially keep rolling alongside its dependencies, package names should carry the major version suffix (e.g. gtk2, gtk3, qt4, qt5). For cases where most dependencies can keep rolling along the newest release but some cannot (for instance closed source that needs libpng12 or similar), a deprecated version of that package might be called libfoo1 while the current version is just libfoo.

== Package versioning ==

* Package [[PKGBUILD#pkgver|version]] — {{ic|pkgver}} — '''should be the same as the version released by the author'''.
* Versions can include letters if need be, e.g. version could be {{ic|2.54BETA32}}.
* '''Version tags may not include hyphens''', and may contain letters, numbers, and periods only. If the upstream version contains a hyphen, it must be replaced with an underscore.

* Package [[PKGBUILD#pkgrel|releases]] — {{ic|pkgrel}} — are '''specific to Arch Linux packages'''. These allow users to differentiate between newer and older package builds. When a new package version is first released, the '''release count starts at 1'''. Then as fixes and optimizations are made, the package will be '''re-released''' to the Arch Linux public and the '''release number will increment'''.
* When a new version comes out, the release count resets to 1.
* Package release tags follow the '''same naming restrictions as version tags'''.

== Package dependencies ==

* '''Do not rely on [[Wikipedia:Transitive dependency|transitive dependencies]]''' in any of the [[PKGBUILD#Dependencies]], as they might break, if one of the dependencies is updated.
* List all direct library dependencies. To identify them {{man|1|find-libdeps}} (part of {{pkg|devtools}}) can be used.

== Package relations ==

* Do not add {{ic|$pkgname}} to [[PKGBUILD#provides]], as it is always implicitly provided by the package.
* Do not add {{ic|$pkgname}} to [[PKGBUILD#conflicts]], as a package cannot conflict with itself.
* List all external shared libraries of a package in [[PKGBUILD#provides]] (e.g. {{ic|'libsomething.so'}}). To identify them {{man|1|find-libprovides}} (part of {{pkg|devtools}}) can be used.

== Package sources ==

* HTTPS sources ({{ic|https://}} for tarballs, {{ic|git+https://}} for git sources) should be used wherever possible
* Sources should be verified using PGP signatures wherever possible (this might entail building from a git tag instead of a source tarball, if upstream signs commits and tags but not the tarballs)
{{Accuracy|commit# is not required in recent pacman as proper checksum is supported for git sources. See[https://gitlab.archlinux.org/pacman/pacman/-/commit/2fc2ab6cf0fbb93e1b3182a1997d3c9ffc9fc0fd]. gitea package also has been updated to use below approach}}
* When building from a git tag, use its object hash obtained from {{ic|git rev-parse}} instead of the tag name:
:{{bc|<nowiki>
_tag=1234567890123456789012345678901234567890 # git rev-parse "v$pkgver"
source=(git+https://$url.git?signed#tag=$_tag)

pkgver() {
cd "$pkgname"
git describe
}
</nowiki>}}
:An example for this approach can be found in the {{Pkg|gitea}} package. The reason for this practice is that tags can be force pushed to change the commit that they are pointing to, which would alter the built package. Using the tag object hash ensures the integrity of the sources because force pushing the tag changes its hash. Using a {{ic|pkgver()}} function prevents accidentally bumping {{ic|pkgver}} without updating {{ic|_tag}} as well. See [[VCS package guidelines#VCS sources]] for more info on the formatting of VCS sources.
* '''Do not diminish the security or validity of a package''' (e.g. by removing a checksum check or by removing PGP signature verification), because an upstream release is broken or suddenly lacks a certain feature (e.g. PGP signature missing for a new release)
* Sources have to be unique in {{ic|srcdir}} (this might require renaming them when downloading, e.g. {{ic|<nowiki>"${pkgname}-${pkgver}.tar.gz::https://${pkgname}.tld/download/${pkgver}.tar.gz"</nowiki>}})
* Avoid using specific mirrors (e.g. on sourceforge) to download, as they might become unavailable
* Git objects (e.g., tags, commits, etc.) signed by an SSH key can be verified using a git command with {{ic|gpg.ssh.allowedSignersFile}} pointing to a file specifying possible signing keys. See [https://gitlab.archlinux.org/archlinux/packaging/packages/python-structlog/-/blob/main/PKGBUILD] for an example.

== Working with upstream ==

It is considered best-practice to work closely with upstream wherever possible. This entails reporting problems about building and testing a package.

* Report problems to upstream right away.
* Upstream patches wherever possible.
* Add comments with links to relevant (upstream) bug tracker tickets in the [[PKGBUILD]] (this is particularly important, as it ensures, that other packagers can understand changes and work with a package as well).

It is recommended to track upstream with tools such as {{pkg|nvchecker}}, {{aur|nvrs}} or {{pkg|urlwatch}} to be informed about new stable releases.

== Directories ==

* '''Configuration files''' should be placed in the {{ic|/etc}} directory. If there is more than one configuration file, it is customary to '''use a subdirectory''' in order to keep the {{ic|/etc}} area as clean as possible. Use {{ic|/etc/''pkg''}} where {{ic|''pkg''}} is the name of the package (or a suitable alternative, eg, apache uses {{ic|/etc/httpd/}}).
* Package files should follow these '''general directory guidelines''':

:{| class="wikitable"
|-
| {{ic|/etc}}
| '''System-essential''' configuration files
|-
| {{ic|/usr/bin}}
| Binaries
|-
| {{ic|/usr/lib}}
| Libraries
|-
| {{ic|/usr/include}}
| Header files
|-
| {{ic|/usr/lib/''pkg''}}
| Modules, plugins, etc.
|-
| {{ic|/usr/share/doc/''pkg''}}
| Application documentation
|-
| {{ic|/usr/share/info}}
| GNU Info system files
|-
| {{ic|/usr/share/licenses/''pkg''}}
| Application licenses
|-
| {{ic|/usr/share/man}}
| Manpages
|-
| {{ic|/usr/share/''pkg''}}
| Application data
|-
| {{ic|/var/lib/''pkg''}}
| Persistent application storage
|-
| {{ic|/etc/''pkg''}}
| Configuration files for ''pkg''
|-
| {{ic|/opt/''pkg''}}
| Large self-contained packages
|}

* Packages should not contain any of the following directories:
** {{ic|/bin}}
** {{ic|/sbin}}
** {{ic|/dev}}
** {{ic|/home}}
** {{ic|/srv}}
** {{ic|/media}}
** {{ic|/mnt}}
** {{ic|/proc}}
** {{ic|/root}}
** {{ic|/selinux}}
** {{ic|/sys}}
** {{ic|/tmp}}
** {{ic|/var/tmp}}
** {{ic|/run}}

== Makepkg duties ==

When [[makepkg]] is used to build a package, it does the following automatically:

# Checks if package '''dependencies''' and '''makedepends''' are installed
# '''Downloads source''' files from servers
# '''Checks the integrity''' of source files
# '''Unpacks''' source files
# Does any necessary '''patching'''
# '''Builds''' the software and installs it in a fake root
# '''Strips''' symbols from binaries
# '''Strips''' debugging symbols from libraries
# '''Compresses''' manual and/or info pages
# Generates the '''package meta file''' which is included with each package
# '''Compresses''' the fake root into the package file
# '''Stores''' the package file in the configured destination directory (i.e. the current working directory by default)

== Architectures ==

The {{ic|arch}} array should contain {{ic|'x86_64'}} if the compiled package is architecture-specific. Otherwise, use {{ic|'any'}} for architecture independent packages.

== Licenses ==

There are two kinds of licenses regarding an Arch package:

=== PKGBUILD's license field ===
The {{ic|license}} field of a {{ic|PKGBUILD}}. It lists the packaged software's upstream license. It is NOT the license of the package source. The licenses in this field must be in the [https://spdx.org/licenses/ SPDX license format]. See also [[PKGBUILD#license]] for more details.

=== Package sources licenses ===

The license for the package sources themselves. In [https://rfc.archlinux.page/0040-license-package-sources/ RFC40], Arch Linux specifies that package sources are to be licensed as [[Wikipedia:BSD licenses#0-clause license ("BSD Zero Clause License")|BSD Zero Clause License]] ({{ic|0BSD}}) with [https://rfc.archlinux.page/0052-reuse/ RFC52] specifying that [https://reuse.software/ REUSE] should be used to enforce this.

It boils down to this:

# Have a {{ic|LICENSE}} file in the sources root with exactly [https://gitlab.archlinux.org/archlinux/devtools/-/blob/master/data/LICENSE?ref_type=heads this content]. This is Arch Linux's {{ic|0BSD}} license for packages.
# Have a {{ic|REUSE.toml}} in the sources root. You can use {{ic|pkgctl license setup}} to generate a reasonable config to get you started.
# Make sure to run {{ic|pkgctl license check}} and that it returns no errors.

If you have additional files that you need to license, you need to pick a reasonable license for them. This is usually quite straight forward:

* If the file in question (for example, a launcher script {{ic|launcher.sh}} or a systemd service file {{ic|myunit.service}}) was created entirely by you or other Arch staff, license it as {{ic|0BSD}}. {{Note|If there is a patch that you wrote that you also want to submit upstream, you can still license it as {{ic|0BSD}} for Arch and allow upstream to apply their license on submission.}}
* If the file was taken from upstream (for instance, an icon {{ic|tool.png}} or a patch {{ic|fix.patch}}), then it should carry the upstream license.

See also the [https://devblog.archlinux.page/2025/pkgctl-license/ Arch Linux Dev blog post] introducing {{man|1|pkgctl-license}}.

== Reproducible builds ==

Arch is working on making all packages [[Reproducible builds|reproducible]]. A packager can check if a package is reproducible with {{ic|makerepropkg}} from {{Pkg|devtools}} or {{ic|repro}} from {{Pkg|archlinux-repro}}.

$ makerepropkg $pkgname-1-1-any.pkg.tar.zst

Or

$ repro -f $pkgname-1-1-any.pkg.tar.zst

If the timestamp is required at build-time, use the environment variable {{ic|SOURCE_DATE_EPOCH}}. The format is [https://reproducible-builds.org/docs/source-date-epoch/ documented upstream].

Headless

2026-05-01T13:10:52Z

Lahwaacz: /* Other tools */ style

GRUB/Tips and tricks

2026-04-30T11:14:07Z

Lahwaacz: /* Warning to perform grub-install/grub-mkconfig at each grub update */ if this was safe to automate, the devs would have done it

[[Category:Boot loaders]]
[[es:GRUB (Español)/Tips and tricks]]
[[ja:GRUB/ヒントとテクニック]]
[[zh-hans:GRUB/Tips and tricks]]
== Alternative installation methods ==

=== Install to external USB stick ===

==== BIOS ====

Assume your USB stick's first partition is FAT32 and its partition is /dev/sdy1

# mount --mkdir /dev/sdy1 /mnt/usb
# grub-install --target=i386-pc --debug --boot-directory=/mnt/usb/boot /dev/sdy
# grub-mkconfig -o /mnt/usb/boot/grub/grub.cfg

Optionally backup configuration files of {{ic|grub.cfg}}:

# mkdir -p /mnt/usb/etc/default
# cp /etc/default/grub /mnt/usb/etc/default
# cp -a /etc/grub.d /mnt/usb/etc

# sync; umount /mnt/usb

==== EFI ====

For removable installations you have to use {{ic|--removable}} and specify both {{ic|--boot-directory}} and {{ic|--efi-directory}}. [https://www.gnu.org/software/grub/manual/grub/html_node/Installing-GRUB-using-grub_002dinstall.html#Installing-GRUB-using-grub_002dinstall]

# grub-install --target=x86_64-efi --bootloader-id=GRUB --efi-directory=''/mnt/usb'' --boot-directory=''/mnt/usb''/boot --removable

=== Install to partition or partitionless disk ===

{{Warning|GRUB '''strongly discourages''' installation to a partition boot sector or a partitionless disk as GRUB Legacy or Syslinux does. This setup is prone to breakage, especially during updates, and is '''not supported''' by the Arch developers.}}

To set up grub to a partition boot sector, to a partitionless disk (also called superfloppy) or to a floppy disk, run (using for example {{ic|/dev/sdaX}} as the {{ic|/boot}} partition):

# chattr -i /boot/grub/i386-pc/core.img
# grub-install --target=i386-pc --debug --force /dev/sdaX
# chattr +i /boot/grub/i386-pc/core.img

{{Note|
* {{ic|/dev/sdaX}} used for example only.
* {{ic|1=--target=i386-pc}} instructs {{ic|grub-install}} to install for BIOS systems only. It is recommended to always use this option to remove ambiguity in ''grub-install''.
}}

You need to use the {{ic|--force}} option to allow usage of blocklists and should not use {{ic|1=--grub-setup=/bin/true}} (which is similar to simply generating {{ic|core.img}}).

{{ic|grub-install}} will give out warnings like which should give you the idea of what might go wrong with this approach:

/sbin/grub-setup: warn: Attempting to install GRUB to a partitionless disk or to a partition. This is a BAD idea.
/sbin/grub-setup: warn: Embedding is not possible. GRUB can only be installed in this setup by using blocklists.
However, blocklists are UNRELIABLE and their use is discouraged.

Without {{ic|--force}} you may get the below error and {{ic|grub-setup}} will not setup its boot code in the partition boot sector:

/sbin/grub-setup: error: will not proceed with blocklists

With {{ic|--force}} you should get:

Installation finished. No error reported.

The reason why {{ic|grub-setup}} does not by default allow this is because in case of partition or a partitionless disk is that GRUB relies on embedded blocklists in the partition bootsector to locate the {{ic|/boot/grub/i386-pc/core.img}} file and the prefix directory {{ic|/boot/grub}}. The sector locations of {{ic|core.img}} may change whenever the file system in the partition is being altered (files copied, deleted etc.). For more info, see https://bugzilla.redhat.com/show_bug.cgi?id=728742 and https://bugzilla.redhat.com/show_bug.cgi?id=730915.

The workaround for this is to set the immutable flag on {{ic|/boot/grub/i386-pc/core.img}} (using {{ic|chattr}} command as mentioned above) so that the sector locations of the {{ic|core.img}} file in the disk is not altered. The immutable flag on {{ic|/boot/grub/i386-pc/core.img}} needs to be set only if GRUB is installed to a partition boot sector or a partitionless disk, not in case of installation to MBR or simple generation of {{ic|core.img}} without embedding any bootsector (mentioned above).

Unfortunately, the {{ic|grub.cfg}} file that is created will not contain the proper UUID in order to boot, even if it reports no errors. see https://bbs.archlinux.org/viewtopic.php?pid=1294604#p1294604.
In order to fix this issue the following commands:

# mount /dev/sdxY /mnt #Your root partition.
# mount /dev/sdxZ /mnt/boot #Your boot partition (if you have one).
# arch-chroot /mnt

Now, install {{Pkg|linux}}, then:

# grub-mkconfig -o /boot/grub/grub.cfg

=== Generate core.img alone ===

To populate the {{ic|/boot/grub}} directory and generate a {{ic|/boot/grub/i386-pc/core.img}} file '''without''' embedding any GRUB bootsector code in the MBR, post-MBR region, or the partition bootsector, add {{ic|1=--grub-setup=/bin/true}} to {{ic|grub-install}}:

# grub-install --target=i386-pc --grub-setup=/bin/true --debug /dev/sda

{{Note|
* {{ic|/dev/sda}} used for example only.
* {{ic|1=--target=i386-pc}} instructs {{ic|grub-install}} to install for BIOS systems only. It is recommended to always use this option to remove ambiguity in grub-install.
}}

You can then chainload GRUB's {{ic|core.img}} from GRUB Legacy or syslinux as a Linux kernel or as a multiboot kernel (see also [[Syslinux#Chainloading]]).

== GUI configuration tools ==

* {{App|grub-customizer|GTK customizer for GRUB or BURG|https://launchpad.net/grub-customizer|{{AUR|grub-customizer}}}}

== Drop-in configuration ==

{{Merge|GRUB#Configuration|
* Editing drop-ins instead of the main config has precedent on the wiki.
* Have to check out Arch's PKGBUILD of GRUB to even know that Arch patches grub-mkconfig in this way.
* Unnecessarily obscure.
}}

Since [https://gitlab.archlinux.org/archlinux/packaging/packages/grub/-/commit/beee9df4ae2e3b2150d4e54b3825064e77661cb4 GRUB 2.12-1], in addition to the main configuration file {{ic|/etc/default/grub}}, drop-in configuration snippets are, if any, read by {{ic|grub-mkconfig}} from {{ic|/etc/default/grub.d/*.cfg}}, and naturally, they have higher precedence than and override the main {{ic|/etc/default/grub}} configuration file, are sourced lexicographically, and so on. This is an alternative to editing {{ic|/etc/default/grub}} directly, and every mention of editing {{ic|/etc/default/grub}} can be made to drop-ins located in this folder.

{{Note|
* The folder {{ic|/etc/default/grub.d}} is not present after installing GRUB, and would have to be created manually first.
* Do not confuse {{ic|/etc/default/grub.d}} as being {{ic|/etc/grub.d}}.
}}

== Visual configuration ==

In GRUB it is possible, by default, to change the look of the menu. Make sure to initialize the GRUB graphical terminal, gfxterm, in {{ic|/etc/default/grub}}:

GRUB_TERMINAL_OUTPUT="gfxterm"

=== Setting the framebuffer resolution ===

GRUB can set the framebuffer for both GRUB itself ({{ic|GFXMODE}}) and the kernel ({{ic|GFXPAYLOAD}}). The old {{ic|1=vga=}} way is deprecated. The preferred method is editing {{ic|/etc/default/grub}} to set width (pixels) x height (pixels) x [[Wikipedia:color depth|color depth]]:

GRUB_GFXMODE=1024x768x32
GRUB_GFXPAYLOAD_LINUX=keep

Multiple resolutions can be specified, including the default {{ic|auto}}, so it is recommended that you edit the line to resemble {{ic|1=GRUB_GFXMODE=''desired_resolution'',''fallback_such_as_1024x768'',auto}}. For more information, refer to [https://www.gnu.org/software/grub/manual/grub/html_node/gfxmode.html the GRUB gfxmode documentation]. The [https://www.gnu.org/software/grub/manual/html_node/gfxpayload.html#gfxpayload gfxpayload] property will make sure the kernel keeps the resolution.

{{Note|
* Only the modes supported by the graphics card via [[wikipedia:VESA BIOS Extensions|VESA BIOS Extensions]] can be used. To view the list of supported modes, install {{Pkg|hwinfo}} and run {{ic|hwinfo --framebuffer}} as root. Alternatively, enter the GRUB command line and run the command {{ic|videoinfo}}.
* Earlier versions of the [[NVIDIA]] proprietary driver (tested with GeForce GTX 970, driver: nvidia 370) accepts {{ic|GRUB_GFXMODE}} in format {{ic|''width''x''height''-''depth''}} (e.g. {{ic|1920x1200-24}}, but not {{ic|1920x1200x24}}). This does not appear to apply to newer cards and drivers. Pascal cards with more recent drivers (tested with GeForce GTX 1060 and nvidia 381.22) will not work with the suggested format and attempting to use it results in serious issues, including but not limited to system crashes and hard locks. The current driver and cards are best configured with {{ic|GRUB_GFXMODE}} in the standard {{ic|''width''x''height''x''depth''}} format.
* Make sure to run {{ic|grub-mkconfig -o /boot/grub/grub.cfg}} after making changes.
}}

If this method does not work for you, the deprecated {{ic|1=vga=}} method will still work. Just add it next to the {{ic|1="GRUB_CMDLINE_LINUX_DEFAULT="}} line in {{ic|/etc/default/grub}} for example: {{ic|1="GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vga=792"}} will give you a {{ic|1024x768}} resolution.

=== Background image and bitmap fonts ===

GRUB comes with support for background images and bitmap fonts in {{ic|pf2}} format. The [[Wikipedia:GNU Unifont|GNU Unifont]] font is included in the {{Pkg|grub}} package under the filename {{ic|unicode.pf2}}, or, as only ASCII characters under the name {{ic|ascii.pf2}}. Run {{ic|pacman -Ql grub {{!}} grep pf2}} to get the file paths.

Image formats supported include [[Wikipedia:JPEG|JPEG]], [[Wikipedia:PNG|PNG]] and [[Wikipedia:Truevision TGA|TGA]], providing the correct modules are loaded. The maximum supported resolution depends on your hardware.

Make sure you have set up the proper [[#Setting the framebuffer resolution|framebuffer resolution]].

Edit {{ic|/etc/default/grub}} like this:

GRUB_BACKGROUND="/boot/grub/myimage"
#GRUB_THEME="/path/to/gfxtheme"
GRUB_FONT="/path/to/font.pf2"

{{Note|If you have installed GRUB on a separate partition, {{ic|/boot/grub/myimage}} automatically becomes {{ic|/grub/myimage}} in {{ic|grub.cfg}}.}}

[[GRUB#Generate the main configuration file|Re-generate]] {{ic|grub.cfg}} to apply the changes. If adding the splash image was successful, the user will see {{ic|"Found background image..."}} in the terminal as the command is executed. If this phrase is not seen, the image information was probably not incorporated into the {{ic|grub.cfg}} file.

If the image is not displayed, check:

* The path and the filename in {{ic|/etc/default/grub}} are correct
* The image is of the proper size and format (tga, png, 8-bit jpg)
* The image was saved in the RGB mode, and is not indexed
* The console mode is not enabled in {{ic|/etc/default/grub}}
* The command {{ic|grub-mkconfig}} must be executed to place the background image information into the {{ic|/boot/grub/grub.cfg}} file
* The {{ic|grub-mkconfig}} scripts will not quote the file name in {{ic|grub.cfg}} so make sure it does not contain spaces

=== Theme ===

Here is an example for configuring Starfield theme which was included in GRUB package.

Edit {{ic|/etc/default/grub}}:

GRUB_THEME="/usr/share/grub/themes/starfield/theme.txt"

[[GRUB#Generate the main configuration file|Re-generate]] {{ic|grub.cfg}} to apply the changes. If configuring the theme was successful, you will see {{ic|Found theme: /usr/share/grub/themes/starfield/theme.txt}} in the terminal.

Your splash image will usually not be displayed when using a theme.

{{Note|GRUB can only load themes from paths accessible at boot. On encrypted drives, GRUB cannot access anything on the encrypted device before it is unlocked/mapped. See [https://bbs.archlinux.org/viewtopic.php?id{{=}}288619].

If the theme path may be inaccessible (e.g. due to encryption or an unavailable partition), copy it to {{ic|/boot/grub/themes/}} or install it using {{ic|grub-install --themes{{=}}''theme_names'' ...}}.
}}

=== Menu colors ===

You can set the menu colors in GRUB. The available colors for GRUB can be found in [https://www.gnu.org/software/grub/manual/grub/html_node/color_005fnormal.html the GRUB Manual].
Here is an example:

Edit {{ic|/etc/default/grub}}:

GRUB_COLOR_NORMAL="light-blue/black"
GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

=== Hidden menu ===

One of the unique features of GRUB is hiding/skipping the menu and showing it by holding {{ic|Esc}} when needed. You can also adjust whether you want to see the timeout counter.

Edit {{ic|/etc/default/grub}} as you wish. Here are the lines you need to add to enable this feature, the timeout has been set to five seconds and to be shown to the user:

GRUB_TIMEOUT=5
GRUB_TIMEOUT_STYLE='countdown'

{{ic|GRUB_TIMEOUT}} is how many seconds before displaying menu.

=== Disable framebuffer ===

Users who use NVIDIA proprietary driver might wish to disable GRUB's framebuffer as it can cause problems with the binary driver.

To disable framebuffer, edit {{ic|/etc/default/grub}} and uncomment the following line:

GRUB_TERMINAL_OUTPUT=console

Another option if you want to keep the framebuffer in GRUB is to revert to text mode just before starting the kernel. To do that modify the variable in {{ic|/etc/default/grub}}:

GRUB_GFXPAYLOAD_LINUX=text

=== Language ===

{{Remove|There is no need for a temporarily solution when there is a permanent one in [[Locale#LANGUAGE: fallback locales]].|section=Section 4.7: Language - Removal Template}}

{{Ic|grub-mkconfig}} utilizes {{Ic|gettext}} for translations. The language used is determined by the [[Locale#Variables]].

{{Tip|If a locale is placed after {{Ic|en_US}} or {{Ic|en}} in your {{Ic|LANGUAGE}} variable, {{Ic|grub-mkconfig}} might choose that secondary locale. This is because grub uses {{Ic|C}} as the default locale for English, but doesn't explicitly name or alias it as {{Ic|en_US}} or {{Ic|en}}. See [[Locale#LANGUAGE: fallback locales]] for permanent solution.}}

You can temporarily override the Locale when running {{Ic|grub-mkconfig}} to generate config in a specific language, for example English (C locale):

# LC_ALL=C grub-mkconfig -o /boot/grub/grub.cfg

== Booting ISO9660 image file directly via GRUB ==

GRUB supports booting from ISO images directly via loopback devices, see [[Multiboot USB drive#Using GRUB and loopback devices]] for examples.

== Password protection of GRUB menu ==

{{Warning|If someone has physical access to your machine and is able to boot a live USB/disk (''i.e.'', BIOS allows booting from an external disk), it is fairly trivial for one to modify GRUB configuration files to bypass this if {{ic|/boot}} resides on an unencrypted partition. See [[GRUB#Encrypted /boot]] and [[Security#Data-at-rest encryption]].}}

If you want to secure GRUB so it is not possible for anyone to change boot parameters or use the command line, you can add a username and password to GRUB's configuration files. To do this, run the command {{ic|grub-mkpasswd-pbkdf2}}, then enter a password and confirm it:

{{hc|$ grub-mkpasswd-pbkdf2|
[...]
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.C8ABD3E93C4DFC83138B0C7A3D719BC650E6234310DA069E6FDB0DD4156313DA3D0D9BFFC2846C21D5A2DDA515114CF6378F8A064C94198D0618E70D23717E82.509BFA8A4217EAD0B33C87432524C0B6B64B34FBAD22D3E6E6874D9B101996C5F98AB1746FE7C7199147ECF4ABD8661C222EEEDB7D14A843261FFF2C07B1269A
}}

Then, adjust permissions on {{ic|/etc/grub.d/40_custom}} such that only root can read it by running {{ic|chmod o-r /etc/grub.d/40_custom}}. Then modify the file as following:

{{hc|/etc/grub.d/40_custom|2=
set superusers="'''username'''"
password_pbkdf2 '''username ''password-hash'''''
}}

where {{ic|''password-hash''}} is the string starting with ''grub.pbkdf2'' generated by {{ic|grub-mkpasswd_pbkdf2}}.

Regenerate your configuration file with {{ic|grub-mkconfig}}. Accessing the GRUB command line, ''boot parameters'' and also '''booting an entry''' now require the specified username and password. The latter can be prevented by following [[#Password protection of GRUB edit and console options only]].

This can be relaxed and further customized with configuring more users as described in the "Security" part of [https://www.gnu.org/software/grub/manual/grub.html#Security the GRUB manual].

=== Password protection of GRUB edit and console options only ===

Adding {{ic|--unrestricted}} to a menu entry will allow any user to boot the OS while preventing the user from editing the entry and preventing access to the grub command console.
Only a superuser or users specified with the {{ic|--user}} switch will be able to edit the menu entry.

{{hc|/boot/grub/grub.cfg|2=
menuentry 'Arch Linux' --unrestricted --class arch --class gnu-linux --class os ...
}}

{{Accuracy|{{ic|/etc/grub.d/10_linux}} should not be edited, it will be overwritten when {{pkg|grub}} is updated.}}

In order to make Linux entries {{ic|--unrestricted}}, the {{ic|CLASS}} variable in the beginning of {{ic|/etc/grub.d/10_linux}} can be modified.

{{hc|/etc/grub.d/10_linux|2=
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
}}

== Hide GRUB unless the Shift key is held down ==

{{Note|This does not work on [https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/425979 UEFI systems], because the firmware does not provide a way to detect the state of the modifier key.}}

In order to achieve the fastest possible boot, instead of having GRUB wait for a timeout, it is possible for GRUB to hide the menu, unless the {{ic|Shift}} key is held down during GRUB's start-up.

In order to achieve this, you should add the following line to {{ic|/etc/default/grub}}:

GRUB_FORCE_HIDDEN_MENU="true"

Then create the file {{ic|/etc/grub.d/31_hold_shift}} containing [https://gist.githubusercontent.com/anonymous/8eb2019db2e278ba99be/raw/257f15100fd46aeeb8e33a7629b209d0a14b9975/gistfile1.sh], make it [[executable]], and regenerate the grub configuration:

# grub-mkconfig -o /boot/grub/grub.cfg

{{Note|This setup uses keystatus to detect keypress event so it may not work on some machines.}}

== Combining the use of UUIDs and basic scripting ==

If you like the idea of using UUIDs to avoid unreliable BIOS mappings or are struggling with GRUB's syntax, here is an example boot menu item that uses UUIDs and a small script to direct GRUB to the proper disk partitions for your system. All you need to do is replace the UUIDs in the sample with the correct UUIDs for your system. The example applies to a system with a boot and root partition. You will obviously need to modify the GRUB configuration if you have additional partitions:

{{bc|<nowiki>
menuentry "Arch Linux 64" {
# Set the UUIDs for your boot and root partition respectively
set the_boot_uuid=ece0448f-bb08-486d-9864-ac3271bd8d07
set the_root_uuid=c55da16f-e2af-4603-9e0b-03f5f565ec4a

# (Note: This may be the same as your boot partition)

# Get the boot/root devices and set them in the root and grub_boot variables
search --fs-uuid $the_root_uuid --set=root
search --fs-uuid $the_boot_uuid --set=grub_boot

# Check to see if boot and root are equal.
# If they are, then append /boot to $grub_boot (Since $grub_boot is actually the root partition)
if [ $the_boot_uuid == $the_root_uuid ] ; then
set grub_boot=($grub_boot)/boot
else
set grub_boot=($grub_boot)
fi

# $grub_boot now points to the correct location, so the following will properly find the kernel and initramfs
linux $grub_boot/vmlinuz-linux root=/dev/disk/by-uuid/$the_root_uuid ro
initrd $grub_boot/initramfs-linux.img
}
</nowiki>}}

== Multiple entries ==

=== Disable submenu ===

If you have multiple kernels installed, say linux and linux-lts, by default {{ic|grub-mkconfig}} groups them in a submenu. If you do not like this behaviour you can go back to one single menu by adding the following line to {{ic|/etc/default/grub}}:

GRUB_DISABLE_SUBMENU=y

=== Recall previous entry ===

GRUB can remember the last entry you booted from and use this as the default entry to boot from next time. This is useful if you have multiple kernels (i.e., the current Arch one and the LTS kernel as a fallback option) or operating systems. To do this, edit {{ic|/etc/default/grub}} and change the value of {{ic|GRUB_DEFAULT}}:

GRUB_DEFAULT=saved

This ensures that GRUB will default to the saved entry. To enable saving the selected entry, add the following line to {{ic|/etc/default/grub}}:

GRUB_SAVEDEFAULT=true

This will only work if /boot is not a btrfs, because grub cannot write to btrfs. But it will generate a misleading error message: "sparse file not allowed. Press any key to continue.".

{{Note|Manually added menu items, e.g. Windows in {{ic|/etc/grub.d/40_custom}} or {{ic|/boot/grub/custom.cfg}}, will need {{ic|savedefault}} added.}}

=== Changing the default menu entry ===

To change the default selected entry, edit {{ic|/etc/default/grub}} and change the value of {{ic|GRUB_DEFAULT}}:

Using menu titles:

GRUB_DEFAULT='Advanced options for Arch Linux>Arch Linux, with Linux linux'

{{Note|If you are using a non-English locale, the generated menu title may be different from the example above. It might be a good idea to add {{ic|LANG{{=}}C}} above the {{ic|GRUB_DEFAULT}} line, or set {{ic|GRUB_DEFAULT}} according to the correct title in your locale.}}

Using numbers:

GRUB_DEFAULT="1>2"

Grub identifies entries in the [[GRUB#Generated grub.cfg|generated menu]] (i.e. {{ic|/boot/grub/grub.cfg}}) counted from zero. That means {{ic|0}} for the first entry which is the default value, {{ic|1}} for the second and so on. Main and submenu entries are separated
by a {{ic|>}} and are both identified by a number, title, or ID.

The example above boots the third entry from the main menu 'Advanced options for Arch Linux'.

Using IDs (see value after --id or $menuentry_id_option in grub.cfg if generating your grub.cfg):

GRUB_DEFAULT="gnulinux-advanced-39c666d6-c7fc-4fa6-8287-9540056f5a02>gnulinux-linux-zen-advanced-39c666d6-c7fc-4fa6-8287-9540056f5a02"

Documentation of all three identifier methods: https://www.gnu.org/software/grub/manual/grub/html_node/default.html

=== Boot non-default entry only once ===
{{accuracy|Are only some Debian derivatives do not seem to require the settings in the Note any more|section=Is now days, grub-reboot does not take care for everything?}}
The command {{ic|grub-reboot}} is very helpful to boot another entry than the default only once. GRUB loads the entry passed in the first command line argument, when the system is rebooted the next time. Most importantly GRUB returns to loading the default entry for all future booting. Changing the configuration file or selecting an entry in the GRUB menu is not necessary.

{{Note|This requires {{ic|1=GRUB_DEFAULT=saved}} in {{ic|/etc/default/grub}} (and then regenerating {{ic|grub.cfg}}) or, in case of hand-made {{ic|grub.cfg}}, the line {{ic|1=set default="${saved_entry}"}}.}}

== Play a tune ==

You can play a tune through the PC-speaker while booting (right before the menu appears) by modifying the variable {{ic|GRUB_INIT_TUNE}}:

GRUB_INIT_TUNE="''tempo'' [''note_pitch note_duration''] [''second_note_pitch second_note_duration''] ..."

{{Note|The boot menu '''will not be displayed''' until the music is finished playing.}}

You can add [https://gist.github.com/erus/d7f9f6f43744f94f0bd5b8487e057269 a menu entry] to play each of these common {{ic|GRUB_INIT_TUNE}} samples by creating the linked {{ic|/etc/grub.d/91_tune_demo}} and then re-running {{ic|grub-mkconfig}}.

For information on this, you can look at {{ic|info grub -n play}}, while some [https://gist.github.com/ArtBIT/cfb030c0791b42330381acce33f82ca0 collections] exist.

== Manual configuration of core image for early boot ==

If you require a special keymap or other complex steps that GRUB is not able to configure automatically in order to make {{ic|/boot}} available to the GRUB environment, you can generate a core image yourself. On UEFI systems, the core image is the {{ic|grubx64.efi}} file that is loaded by the firmware on boot. Building your own core image will allow you to embed any modules required for very early boot, as well as a configuration script to bootstrap GRUB.

Firstly, taking as an example a requirement for the {{ic|dvorak}} keymap embedded in early-boot in order to enter a password for an encrypted {{ic|/boot}} on a UEFI system:

Determine from the generated {{ic|/boot/grub/grub.cfg}} file what modules are required in order to mount the crypted {{ic|/boot}}. For instance, under your {{ic|menuentry}} you should see lines similar to:

{{bc|1=
insmod diskfilter cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256
insmod ext2
cryptomount -u 1234abcdef1234abcdef1234abcdef
set root='cryptouuid/1234abcdef1234abcdef1234abcdef'
}}

Take note of all of those modules: they will need to be included in the core image. Now, create a tarball containing your keymap. This will be bundled in the core image as a memdisk:

# grub-kbdcomp -o dvorak.gkb dvorak
# tar cf memdisk.tar dvorak.gkb

Now create a configuration file to be used in the GRUB core image. This is in the same format as your regular grub config, but need contain only a few lines to find and load the main configuration file on the {{ic|/boot}} partition:

{{hc|early-grub.cfg|2=
set root=(memdisk)
set prefix=($root)/

terminal_input at_keyboard
keymap /dvorak.gkb

cryptomount -u 1234abcdef1234abcdef1234abcdef
set root='cryptouuid/1234abcdef1234abcdef1234abcdef'
set prefix=($root)/grub

configfile grub.cfg
}}

Finally, generate the core image, listing all of the modules determined to be required in the generated {{ic|grub.cfg}}, along with any modules used in the {{ic|early-grub.cfg}} script. The example above needs {{ic|memdisk}}, {{ic|tar}}, {{ic|at_keyboard}}, {{ic|keylayouts}} and {{ic|configfile}}.

# grub-mkimage -c early-grub.cfg -o grubx64.efi -O x86_64-efi -m memdisk.tar diskfilter cryptodisk luks gcry_rijndael gcry_sha256 ext2 memdisk tar at_keyboard keylayouts configfile

The generated EFI core image can now be used in the same way as the image that is generated automatically by {{ic|grub-install}}: place it in your [[EFI system partition]] and enable it with {{ic|efibootmgr}}, or configure as appropriate for your system firmware.

See also [https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#using-a-custom-keyboard-layout Debian cryptsetup docs].

== UEFI further reading ==

{{Style|This could be made more concise, better organized.}}

Below is other relevant information regarding installing Arch via UEFI.

=== Alternative install method ===

{{Expansion|What would be the reason to place all of GRUB's files in the ESP?|section=UEFI further reading/Alternative install method}}

Usually, GRUB keeps all files, including configuration files, in {{ic|/boot}}, regardless of where the EFI system partition is mounted.

If you want to keep these files inside the EFI system partition itself, add {{ic|1=--boot-directory=''esp''}} to the grub-install command:

# grub-install --target=x86_64-efi --efi-directory=''esp'' --bootloader-id=grub --boot-directory=''esp'' --debug

This puts all GRUB files in {{ic|''esp''/grub}}, instead of in {{ic|/boot/grub}}. When using this method, make sure you have ''grub-mkconfig'' put the configuration file in the same place:

# grub-mkconfig -o ''esp''/grub/grub.cfg

Configuration is otherwise the same.

=== UEFI firmware workaround ===

See [[GRUB#Default/fallback boot path]].

=== GRUB standalone ===

This section assumes you are creating a standalone GRUB for x86_64 systems (x86_64-efi). For 32-bit (IA32) EFI systems, replace {{ic|x86_64-efi}} with {{ic|i386-efi}} where appropriate.

It is possible to create a {{ic|grubx64_standalone.efi}} application which has all the modules embedded in a tar archive within the UEFI application, thus removing the need to have a separate directory populated with all of the GRUB UEFI modules and other related files. This is done using the {{ic|grub-mkstandalone}} command (included in {{Pkg|grub}}) as follows:

# echo 'configfile ${cmdpath}/grub.cfg' > /tmp/grub.cfg
# grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --modules="part_gpt part_msdos" --locales="en@quot" --themes="" -o "''esp''/EFI/grub/grubx64_standalone.efi" "boot/grub/grub.cfg=/tmp/grub.cfg" -v

Then copy the GRUB configuration file to {{ic|''esp''/EFI/grub/grub.cfg}} and create a UEFI Boot Manager entry for {{ic|''esp''/EFI/grub/grubx64_standalone.efi}} using [[UEFI#efibootmgr|efibootmgr]].

{{Note|The option {{ic|1=--modules="part_gpt part_msdos"}} (with the quotes) is necessary for the {{ic|${cmdpath} }} feature to work properly.}}

{{Warning|
* You may find that the {{ic|grub.cfg}} file is not loaded due to {{ic|${cmdpath} }} missing a slash (i.e. {{ic|(hd1,msdos2)EFI/Boot}} instead of {{ic|(hd1,msdos2)/EFI/Boot}}) and so you are dropped into a GRUB shell. If this happens determine what {{ic|${cmdpath} }} is set to ({{ic|echo ${cmdpath} }}) and then load the configuration file manually (e.g. {{ic|configfile (hd1,msdos2)/EFI/Boot/grub.cfg}}).
* If Secure Boot with shim is used, remember to add the SBAT section using {{ic|--sbat /usr/share/grub/sbat.csv}}.
}}

==== Technical information ====

The GRUB EFI file always expects its configuration file to be at {{ic|${prefix}/grub.cfg}}. However in the standalone GRUB EFI file, the {{ic|${prefix} }} is located inside a tar archive and embedded inside the standalone GRUB EFI file itself (inside the GRUB environment, it is denoted by {{ic|"(memdisk)"}}, without quotes). This tar archive contains all the files that would be stored normally at {{ic|/boot/grub}} in case of a normal GRUB EFI install.

Due to this embedding of {{ic|/boot/grub}} contents inside the standalone image itself, it does not rely on actual (external) {{ic|/boot/grub}} for anything. Thus in case of standalone GRUB EFI file {{ic|1=${prefix}==(memdisk)/boot/grub}} and the standalone GRUB EFI file reads expects the configuration file to be at {{ic|1=${prefix}/grub.cfg==(memdisk)/boot/grub/grub.cfg}}.

Hence to make sure the standalone GRUB EFI file reads the external {{ic|grub.cfg}} located in the same directory as the EFI file (inside the GRUB environment, it is denoted by {{ic|${cmdpath} }}), we create a simple {{ic|/tmp/grub.cfg}} which instructs GRUB to use {{ic|${cmdpath}/grub.cfg}} as its configuration ({{ic|configfile ${cmdpath}/grub.cfg}} command in {{ic|(memdisk)/boot/grub/grub.cfg}}). We then instruct grub-mkstandalone to copy this {{ic|/tmp/grub.cfg}} file to {{ic|${prefix}/grub.cfg}} (which is actually {{ic|(memdisk)/boot/grub/grub.cfg}}) using the option {{ic|1="boot/grub/grub.cfg=/tmp/grub.cfg"}}.

This way, the standalone GRUB EFI file and actual {{ic|grub.cfg}} can be stored in any directory inside the EFI system partition (as long as they are in the same directory), thus making them portable.

=== UEFI and BIOS installation ===

{{Expansion|Is this the same as [[Multiboot USB drive#Hybrid UEFI GPT + BIOS GPT/MBR boot]]? Does it work without hybrid MBR?|section=Section 12.4: UEFI and BIOS installation}}

If your arch installation should be bootable on both UEFI and BIOS systems, install [[GRUB]] using both methods. Partition the disk as GPT, create an [[EFI system partition]] and a BIOS boot partition as well, mount the ESP at {{ic|/efi}} and run the GRUB install commands for both ways.

# grub-install --target=i386-pc --recheck /dev/sdx
# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck

In a BIOS system the EFI variables are not present, thus the UEFI NVRAM boot entries cannot be set and the 2nd command will report an error. By using the {{ic|--no-nvram}} and {{ic|--removable}} option the system will have a good chance to be bootable in UEFI mode too:

# grub-install --target=i386-pc --recheck /dev/sdx
# grub-install --target=x86_64-efi --efi-directory=/efi --recheck --removable --no-nvram

For some BIOS implementations it may be necessary to set the PMBR’s boot flag, e.g. with parted

(parted) disk_set pmbr_boot on

== Speeding up LUKS decryption in GRUB ==

{{Warning|Before following this section, make sure you understand the importance of high entropy passwords. Information on how to generate secure passwords can be found at [[Wikipedia:Password strength]]. Also make sure you do understand the basics of cryptography in use. Using parameters unsuitable for the given feature may render your system unusable.}}

Upon boot [[GRUB]] may in some cases take a long time to verify the password. This can be due to a high cost parameters of the [[Wikipedia:Key derivation function|key derivation function]], which you can check as follows:

# cryptsetup luksDump /dev/sda3

The problem is that the cost parameters for a given keyslot are generated when the key is added to ensure a balance between being high enough to protect against brute force attacks and low enough to allow for fast key derivation by estimating the capabilities of your computer. However, when [[GRUB]] is started, it might not have the same computational resources at hand, thus being vastly slower.

If your password provides enough entropy to counter common attacks by itself, you can lower the parameters. For example to lower the iteration count of [[Wikipedia:PBKDF2|PBKDF2]], use:

# cryptsetup luksChangeKey --pbkdf-force-iterations 1000 /dev/sda3

A minimum of 1000 iterations is recommended as per [[RFC:2898|RFC 2898]], but you should aim for higher values if you can (The cost for an attacker as well as the time for key derivation scale linearly).

Recommended parameters for [[Wikipedia:Argon2|Argon2]] are discussed in [[RFC:9106|RFC 9106]].

{{Tip|[[GRUB]] tries enabled key slots sequentially. When adding keys, the {{ic|--key-slot}} option can be used to specify a key slot explicitly.}}

== Decrypt LUKS protected disk with the TPM ==

In recent version of GRUB (since {{ic|2.14-rc1}}), it is possible to use the TPM to unlock an encrypted disk. It is useful if {{ic|/boot}} partition is encrypted as it avoids the need to enter the passphrase at boot and makes unattended boot possible.

The first step consists in creating a random LUKS key and adding it to the store. This is achieved as follows (ajust the {{ic|0228eb43-a7cc-4737-a0d3-cf784154feea}} UUID to match the encrypted disk on your system):

# dd if=/dev/urandom of=luks-key bs=1 count=32
# cryptsetup luksAddKey /dev/disk/by-uuid/0228eb43-a7cc-4737-a0d3-cf784154feea luks-key --pbkdf=pbkdf2 --hash=sha512

The key can be sealed with the TPM and stored on the unencrypted ''esp'' partition as follows:

# grub-protect --action=add --protector=tpm2 --tpm2-pcrs=7 --tpm2key --tpm2-keyfile=luks-key --tpm2-outfile=''esp''/EFI/GRUB/sealed.tpm

Note that the tpm2-pcrs parameter can be adjusted to your needs. See [[Trusted_Platform_Module#Accessing_PCR_registers]] for more information.

Create a early grub boot script in {{ic|/boot/grub/early-grub.cfg}} with the following content:

{{bc|<nowiki>
clear
echo 'Starting grub...'
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
cryptomount -u 0228eb43-a7cc-4737-a0d3-cf784154feea -P tpm2
set root='cryptouuid/0228eb43-a7cc-4737-a0d3-cf784154feea'
set prefix=($root)/@/boot/grub
configfile grub.cfg
</nowiki>}}

In the above script, you need to adjust the UUID of the disk and the prefix to the {{ic|/boot/grub}} directory. In this example, the {{ic|/boot/grub}} directory is located in the {{ic|@}} subvolume of a [[Btrfs]] filesystem.

Regenerate the GRUB efi binary and make sure to include all the modules you need.

# grub-mkimage -p /boot/grub --disable-shim-lock -c /boot/grub/early-grub.cfg -o ''esp''/EFI/GRUB/grubx64.efi -O x86_64-efi part_gpt cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 btrfs tpm2_key_protector fat configfile tpm echo

If secure boot is enabled, don't forget to sign the grub efi binary. For instance with {{ic|sbctl}}:

# sbctl sign {{ic|''esp''/EFI/GRUB/grubx64.efi}}

See [[Unified_Extensible_Firmware_Interface/Secure_Boot]] for more information.

== See also ==

* [http://wiki.rosalab.ru/en/index.php/Grub2_theme_tutorial GRUB 2 theme tutorial]{{Dead link|2025|11|17|status=404}}

Talk:Dm-crypt/System configuration

2026-04-30T11:06:57Z

Lahwaacz: /* Pinning a LUKS volume via '/etc/crypttab' file ONLY */ close

== "2.3 Using sd-encrypt hook" very confusing ==

I stumbled into the topics sd-encrypt and systemd-based init system through the section in this article, because i want to unlock two LUKS devices which together contain the root fs. The sd-encrypt section is very confusing, since it's basically just a reference and a bad starting point to learn about systemd init systems and sd-encrypt. I think the section would be more helpful if it would start with a few basic system configurations, ie. some examples. With just the reference it is very hard to tell which parameters/config files are actually needed, and how they complement or replace each other. Unfortunately as of right now i don't know enough to add examples. Cheers, [[User:Clonejo|Clonejo]] ([[User talk:Clonejo|talk]]) 15:51, 16 May 2021 (UTC)

::tried to simplify, removing only things that are already mentioned in two other places at least on the same page, here's the rollback https://wiki.archlinux.org/index.php?title=Dm-crypt/System_configuration&curid=17199&diff=693328&oldid=693327 and that have nothing to do with mouting root with sd-encrypt. [[User:Gcb|Gcb]] ([[User talk:Gcb|talk]]) 10:32, 29 August 2021 (UTC)

== Reordering ==

This article is fairly confusing in its organisation. Jotting down a few ideas for a reordering, for reference as I don't have time to modify the article right now.
{| class="wikitable"
|+ quick draft
|-
! Current structure !! Suggested one
|-
|
# Unlocking in early userspace
## mkinitcpio
## Kernel parameters
### root
### resume
### Using encrypt hook
### Using systemd-cryptsetup-generator
# Unlocking in late userspace
## Crypttab
# Troubleshooting
||
# Initramfs
## mkinitcpio
## dracut etc..
# Using crypttab and crypttab.initramfs
# Using Kernel parameters
## root
## resume
## Using encrypt hook
## Using sd-encrypt hook
# Troubleshooting
|}

Considering:
* [[Dm-crypt/Encrypting a non-root file system]] already exists and, despite the name, also deals with decrypting non-root file systems
* [[Dm-crypt/System configuration]] deals with decrypting both root and non root, both in early and late userspace.

I think one page should deal with decrypting root, and the other with other non-root filesystems, or alternatively, one page with decrypting in early userspace and the other in late userspace to avoid overlaps. Or maybe just delete the decrypting part of [[Dm-crypt/Encrypting a non-root file system]] and use the draft above.

It should also be made prominently clear from the beginning that using GPT automounting is a very simple way to make all of this beefy article completely obsolete for most setups.

-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 01:30, 14 January 2023 (UTC)

:I'm against changing the structure like that. The current structure states that there are two main ways to automatically unlock encrypted devices: early userspace and late userspace, IMHO it's important to have this distinction made clear. While [[dm-crypt/System configuration#mkinitcpio]] and [[dm-crypt/System configuration#Kernel parameters]] may not have the best order or structure, I don't see a better way to organize them.
:As for [[dm-crypt/Encrypting a non-root file system]], there is very little about unlocking there. The only change I would make is replacing the two links in [[dm-crypt/Encrypting a non-root file system#At boot time]] with [[dm-crypt/System configuration#Unlocking in late userspace]].
: -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 07:23, 14 January 2023 (UTC)
:: I understand, however it is equally true that there are two main ways to decrypt devices, using kernel parameters, or using crypttab(.initramfs). It's the usual A(1,2)B(1,2) vs 1(A,B)2,(A,B) problem. The thing is, I think we should look at it from the point of view of someone coming from the installation guide, who just clicked on "system encryption" in : "If you want to create any stacked block devices for [[LVM]], [[dm-crypt|system encryption]] or [[RAID]], do it now". The wiki needs to quickly point to an overview of how this can be achieved, rather than just reproduce info from man pages.
:: My problem with leaving it as it is, is that encryption is actually pretty straightforward, and the wiki actually makes it look a lot more complicated than it is. For example, the possible use of crypttab.initramfs, despite being arguably easier than that of kernel parameters (possible use of LABELs, visible layout if decrypting multiple devices, typos easier to spot) is hidden inside a tip in the middle of the page. Of course, this page is not the only culprit, and [[Dm-crypt/Device encryption]] also needs some love.
:: I also like the current structure as a theoretical overview, I just don't think it's as efficient when you just want to get things done.
-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 11:25, 14 January 2023 (UTC)

:::This is Arch Linux, things don't get done around here. /s
:::The "two main ways to decrypt devices" are not always interchangeable. Things that must be unlocked in early userspace (root and swap when using hibernation) cannot be specified in {{ic|/etc/crypttab}}. While unlocking things earlier than needed (e.g. unlocking {{ic|/home}}) should work most of the time, it needlessly complicates things and could cause issues with more complex block device setups.
:::{{ic|crypttab.initramfs}} is specific to mkinitcpio's sd-encrypt hook. AFAIK, dracut and booster don't support such a thing. The usual way to unlock devices in early userspace is kernel parameters, so that's the main thing we should stick to.
::: -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 12:18, 14 January 2023 (UTC)
:::: In that case [[Dm-crypt/System configuration#Using systemd-cryptsetup-generator]] is a little inaccurate, it says that {{ic|systemd-cryptsetup-generator}} is invoked by the {{ic|systemd}} dracut module and doesn't mention that {{ic|crypttab.initramfs}} does not work with that. It's tricky because the {{ic|sd-encrypt}} hook which has the {{ic|crypttab.initramfs}} trick is installed by {{Pkg|cryptsetup}}, but it doesn't look like it comes from upstream.
:::: So it might indeed not be interchangeable with kernel parameters, when using Dracut, but it definitely is when using mkinitcpio. Dracut is not the default though, so I think a warning regarding Dracut would be enough, and does not change the logic above.
:::: If we keep the current layout then, maybe a short intro explaining what needs to be unlocked early / late can help.
:::: -- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 15:11, 14 January 2023 (UTC)
:::: Indeed I just stumbled upon this particularity with {{ic|crypttab.initramfs}} not working on {{ic|dracut}} as implied here, finally found out what was going on and came here to correct it.
:::: I am still experimenting, but would you not be able to simply include {{ic|/etc/crypttab}} in dracut? Perhaps that would be a decent suggestion to place here as replacement.
:::: gonna go try that now and wait for feedback here
:::: --[[User:Deduct1069|Deduct1069]] ([[User talk:Deduct1069|talk]]) 14:49, 21 January 2023 (UTC)

::::: I suggest to move the dracut crosslink/reference into the tip. I can see how its current mention along with the default mkinitcpio is confusing. Without doubt dracut has crypto-related options/modules that are not covered by our default. Yet, it can't be this article to describe them. [[Dracut]]/[[Dracut#Dracut modules]] should probably gain more flesh to elaborate what the systemd-generator implements regarding {{man|7|dracut.modules|Initramfs_Functions}} ..
::::: {{ic|crypttab.initramfs}} is hooked into {{pkg|cryptsetup}}, because that package owns {{ic|crypttab}} and the split is to provide ''choice'' what to unlock in early boot. I'm not sure a lot of users need/want to unlock much more than root at this stage. Perhaps it would be best to disentangle the basic {{ic|rd.*}} parameters to unlock root and move the whole tip down towards [[Dm-crypt/System configuration#rd.luks.options]] (ordering this under it). This way it may be easier to get a bootable system with the generator. Users installing are unlikely to have multiple devices in crypttab already and if they do, it is covered as is just a little below.?
::::: --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 06:51, 22 January 2023 (UTC)

::::::I guess the question is: should other initramfs generators besides mkinitcpio be documented in this page? The expansion template at the top makes me think they should, but currently there's no dracut or Booster section there. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 15:34, 23 January 2023 (UTC)
:::::Valid point. Although the reordering suggested above allows for keeping other generators while specifying, in the first part, that dracut and others '''have''' to use the kernel parameters method, while standard setups with mkinitcpio can choose one method or the other. keeps all the info but avoids the clutter.
:::::-- [[User:Cvlc|Cvlc]] ([[User talk:Cvlc|talk]]) 17:52, 23 January 2023 (UTC)

::::::All methods use kernel parameters. mkinitcpio gained systemd support very early on, offering it an alternative. Of course it is useful to document further alternatives that were gained since, but why start it in this article, which is for core repo Arch? Take Booster, another alternative nl6720 rightly mentions. [[Booster#Enable encryption]] explains very efficiently how to use it to boot an encrypted root. It is definetely due to crosslink it (both directions), just as dracut - which still needs similar instructions. The good point is that (afaik) systemd used the {{ic|rd.}} nomenclatura from dracut anyway, so there should be no problem to crosslink the respective [[#Using systemd-cryptsetup-generator]] explanation, if needed.
::::::--[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:51, 23 January 2023 (UTC)
::::::I've looked at [[Booster#Enable encryption]] again and think it makes no sense to mention it in this section, as it implements a dedicated subset of {{ic|rd.}} kernel and LUKS crypto parameters. It could be crosslinked alongside dracut in the article introduction (as available alternatives to primarily covered mkinitcpio), once that is added.
::::::--[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:20, 1 February 2023 (UTC)
::::::Reading this section again, I think we could gain clarity by adding a subsection for ''crypttab.initramfs'' before 1.2.4.4 crypttab.options, and moving the info from the Tip into it, just referencing it from the intro.
::::::Question: The warning states "To activate all devices in {{ic|/etc/crypttab}} do not specify any {{ic|luks.*}} parameters and use {{ic|rd.luks.*}}.". Is this correct? {{ic|1=luks.crypttab=}} defaults to {{ic|Yes}}.
::::::--[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 22:58, 1 February 2023 (UTC)

:::::::The warning is correct. {{man|8|systemd-cryptsetup-generator}} mentions it too: "If /etc/crypttab exists, only those UUIDs specified on the kernel command line will be activated in the initrd or the real root." -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 10:02, 2 February 2023 (UTC)

::::::::Ok, thanks. Below I take the subsection intro and poke it a little. If that makes sense along above talk, I'd take a shuffle at the tip/note/warning next (dracut mention in the tip). --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 23:39, 2 February 2023 (UTC)

:::::::::I think the current first sentence is more correct than the one in the draft. {{man|8|systemd-cryptsetup-generator}} doesn't unlock anything itself, it generates {{man|8|systemd-cryptsetup@.service}} services that do. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 10:01, 6 February 2023 (UTC)

::::::::::Fair enough, but "that -> to" can fix that. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:30, 7 February 2023 (UTC)
::::::::::I close the draft snippet, frankly I don't find the time to expand it currently and don't want it to block others to contribute improvements. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 07:41, 16 April 2023 (UTC)

== Description to mount at boot missing something ==

I just tried to follow the instructions for mounting at boot (2.1.1) yesterday and I was '''not''' able to successfully complete this task using the descriptions provided here. I think there are two problems here:

# The instructions are not very well structured. I had the use case to mount my "home" partition, which is a second drive internally. So I didn't had deal with removable drives. But the documentation in 2.1.1 seemed to be jumping the use-cases back and forth.
# There is definitely something missing. The {{ic|systemd-cryptsetup@name.service}} is mentioned, but there is no hint how this would get used. I had to dig StackExchange and find [https://unix.stackexchange.com/questions/107810/why-my-encrypted-lvm-volume-luks-device-wont-mount-at-boot-time this post] to actually set up my fstab correctly and add {{ic|x-systemd.automount,x-systemd.requires{{=}}systemd-cryptsetup@name.service}} to the mount options.

I would like to improve the article based on my experience, especially better structuring it for the different use cases (internal drives, removable drives) and also add the necessary systemd-dependency in fstab.

Any comments?

--[[User:Moabeat|Moabeat]] ([[User talk:Moabeat|talk]]) 08:24, 3 September 2023 (UTC)

:The systemd dependencies should be handled correctly without any user intervention (if the crypttab and fstab are correct). The generated systemd services are started automatically and the {{ic|.mount}} unit for a fstab entry is ordered after the relevant {{ic|.device}} unit that appears when the {{ic|systemd-cryptsetup@name.service}} opens the encrypted partition. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:43, 3 September 2023 (UTC)

::Thanks for the quick response. I revisited this now once more and you are absolutely right. I think what caused the issue was, that I didn't have the "defaults" options in my fstab for my home partition. For some reason this created an "home.automount" unit, which was triggered before the mapper became available and broke the dependency chain. Maybe worth a troubleshooting paragraph? --[[User:Moabeat|Moabeat]] ([[User talk:Moabeat|talk]]) 12:43, 3 September 2023 (UTC)

:::I don't think that systemd does anything special if the {{ic|defaults}} is present or missing - it is just a set of options that are applied when mounting. Also {{ic|home.automount}} should not be created unless you have the {{ic|x-systemd.automount}} option. Without any {{ic|x-systemd.*}} option there would be only {{ic|home.mount}}. — [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:03, 3 September 2023 (UTC)

::::I tried to reproduce this again, after it works properly now. I was not able to. Unfortunately I cannot trace back what was the issue my home didn't get automounted. I even did the same procedure on a second machine in the meantime the same issue didn't show up again. [[User:Moabeat|Moabeat]] ([[User talk:Moabeat|talk]]) 03:42, 22 September 2023 (UTC)

== <s>Pinning a LUKS volume via '/etc/crypttab' file ONLY</s> ==

[[Dm-crypt/System configuration#Pinning a LUKS volume]]
d.ALT 10:32, 10 April 2026 (UTC)

<del>The <code>tpm2-measure-pcr=yes</code> + <code>fixate-volume-key=</code> combo '''must''' and can be used in <code>/etc/crypttab</code> file '''only'''.</del>
<del></del>
<del>Here's why: https://en.opensuse.org/Portal:MicroOS/FDE#PCR_#15</del> [[User:D.ALT|D.ALT]] ([[User talk:D.ALT|talk]]) 17:16, 7 April 2026 (UTC)

:This assertion is false. I am currently using this setup without any issue. Also the link does not talk about <code>fixate-volume-key=</code>. So could you explain why are you saying that in more details? [[User:Benjarobin|Benjarobin]] ([[User talk:Benjarobin|talk]]) 18:05, 7 April 2026 (UTC)
::Yup.
::You're right, thanks for correcting me.
::First of all, now I realize my misunderstanding was due to the fact that I hadn't fully understood the relationship between the <code>/etc/crypttab</code> file itself (https://www.freedesktop.org/software/systemd/man/260/crypttab.html) and the possibility to actually declare its forth field also as a ''Kernel Commandline Paramter'' (https://www.freedesktop.org/software/systemd/man/260/systemd-cryptsetup-generator.html).
::: <code>luks.options=</code>, <code>rd.luks.options=</code> (https://www.freedesktop.org/software/systemd/man/260/systemd-cryptsetup-generator.html#luks.options=)
:::: ... This parameter is the analogue of the fourth [https://www.freedesktop.org/software/systemd/man/260/crypttab.html# crypttab(5)] field ''<code>options</code>''.
::Secondly, it’s true that the link doesn’t mention <code>fixate-volume-key=</code>, but it’s also true that [https://www.freedesktop.org/software/systemd/man/260/crypttab.html#fixate-volume-key= the relevant manpage option] says:
::<blockquote>The expected hash matches the digest which is measured to the sha256 PCR bank of the TPM2 when <code>tpm2-measure-pcr=</code> is used.</blockquote>
::So, even if the link doesn't report it, <code>fixate-volume-key=</code> is for sure related to <code>tpm2-measure-pcr='''yes'''</code> (even if its usage is not mandatory).

d.ALT 10:32, 10 April 2026 (UTC)

Llama.cpp

2026-04-30T11:01:12Z

Lahwaacz: /* Installation */ revert https://wiki.archlinux.org/index.php?title=Llama.cpp&diff=next&oldid=870429 - there is no reason to exclude -cuda and -hip (see Talk:Ollama#Prioritize_ollama-vulkan) and AUR problems should be solved on the AUR side

[[Category:Development]]
[[Category:Graphics]]

{{Related articles start}}
{{Related|Vulkan}}
{{Related|General-purpose computing on graphics processing units}}
{{Related|Ollama}}
{{Related articles end}}

LLM inference in C/C++.

== Installation ==

llama.cpp is available in the [[AUR]]:

* [[Install]] {{AUR|llama.cpp}} for CPU inference.
* [[Install]] {{AUR|llama.cpp-vulkan}} for GPU inference.
* [[Install]] {{AUR|llama.cpp-cuda}} for inference with [[CUDA]].
* [[Install]] {{AUR|llama.cpp-hip}} for inference with [[ROCm]].

{{Note|
* If you are installing {{AUR|llama.cpp-vulkan}}, ensure you have the appropriate [[Vulkan]] driver installed.
* The package {{AUR|llama.cpp-cuda}} has been flagged out-of-date since 2025-12-22.
}}

== Usage ==

Primary executors are {{ic|llama-cli}} and {{ic|llama-server}}.

=== llama-cli ===

{{ic|llama-cli}} is the command-line executor:

$ llama-cli -m ''model.gguf''

=== llama-server ===

{{ic|llama-server}} launches an API server with a built-in WebUI:

$ llama-server --host ''address'' --port ''port'' -m ''model.gguf''

== Obtaining models ==

llama.cpp uses models in the GGUF format.

=== Download from Hugging Face ===

Download models from [https://huggingface.co Hugging Face] using the {{ic|-hf}} flag:

$ llama-cli -hf ''org/model''

{{Warning|This may overwrite an existing model file without prompting.}}

=== Manual download ===

Manually download models using {{Pkg|wget}} or {{Pkg|curl}}:

$ wget -c ''model.gguf''

== Tips and tricks ==

=== Model quantization ===

Quantization lowers model precision to reduce memory usage.

GGUF models use suffixes to indicate quantization level. Generally, lower numbers (e.g. '''Q4''') use less memory but may reduce quality compared to higher numbers (e.g. '''Q8''').

=== Knowledge distillation ===

Knowledge distillation compresses a larger model into a smaller model by training the smaller model to follow the behaviors of the larger model.

Typically, GGUF models indicate knowledge distillation using the {{ic|student-teacher-distill}} denotation, where:

* {{ic|student}} represents the smaller model.
* {{ic|teacher}} represents the larger model.

=== Specifying context size ===

llama.cpp loads the context size from the model by default, and it allocates memory for the whole context window.

Specify a lower context size in case you run out of memory.

$ llama-cli -c ''32000'' -m ''model.gguf''

=== Key-value cache quantization ===

For further memory efficiency, you can quantize the key-value cache.

$ llama-cli -ctk ''q8_0'' -ctv ''q8_0'' -m ''model.gguf''

This, combined with a lower context size, can significantly reduce memory usage.

{{Note|
* Aggressive quantization on '''keys''' reduces quality noticeably.
* Aggressive quantization on '''values''' is usually better tolerated, but still risks degradation.
}}

=== Agent system ===

While llama-server runs a WebUI, the same endpoint also operates as an OpenAI-compatible server. It can be configured to use with coding agents like {{Pkg|opencode}} and {{Pkg|qwen-code}}.

Also, recent updates have introduced built-in agent capabilities.

==== Built-in tools ====

To enable built-in tools for filesystem operations and shell access, start llama-server with:

$ llama-server --tools all -m ''model.gguf''

This, combined with a reasonably strong reasoning model, can be considered as a minimal coding agent running in browser.

{{Warning|
Be very aware, that all interactions are submitted to the operating system on the behalf of whoever is running llama-server. '''At no time''' should llama-server be exposed to the network and/or running as root with built-in tools enabled!
}}

==== Model Context Protocol servers ====

Other tools (e.g. search, fetch) can be added to the WebUI, given that the tools are served as MCP endpoints.

=== Monitoring GPU utilization ===

See [[Graphics processing unit#Monitoring]].

== Troubleshooting ==

=== MCP requests denied by CORS policy ===

To use the WebUI with an MCP endpoint hosted online, enable MCP CORS proxy:

$ llama-server ''--webui-mcp-proxy'' -m ''model.gguf''

== See also ==

* [https://github.com/ggml-org/llama.cpp Upstream GitHub repository]
* [https://github.com/ggml-org/llama.cpp/discussions/16938 Upstream guide: using the new WebUI of llama.cpp]
* [https://github.com/ggml-org/llama.cpp/discussions/15396 Upstream guide: running gpt-oss with llama.cpp]

List of applications/Other

2026-04-28T11:03:50Z

Lahwaacz: revert ordering changes from last 2 edits

[[Category:Applications]]
[[Category:Lists of software]]
[[es:List of applications (Español)/Other]]
[[hu:List of applications (Magyar)/Other]]
[[ja:アプリケーション一覧/その他]]
[[pl:List of applications (Polski)/Other]]
[[zh-hans:List of applications/Other]]
{{List of applications navigation}}

== Organization ==

=== CalDAV/CardDAV servers ===

* {{App|Baïkal|A lightweight CalDAV+CardDAV server.|https://sabre.io/baikal/|{{AUR|baikal}}}}
* {{App|kcaldav|Simple, safe, minimal CalDAV server.|https://kristaps.bsd.lv/kcaldav|{{AUR|kcaldav}}}}
* {{App|[[Radicale]]|Free and Open-Source CalDAV and CardDAV Server.|https://radicale.org|{{Pkg|radicale}}}}
* {{App|xandikos|A lightweight yet complete CardDAV/CalDAV server that backs onto a Git repository.|https://www.xandikos.org|{{Pkg|xandikos}}}}

=== Personal information managers ===

These applications support time, task and contacts management.

* {{App|[[Evolution]]|Personal information management application that provides integrated mail, calendaring and address book functionality. Part of {{Grp|gnome-extra}}.|https://gitlab.gnome.org/GNOME/evolution/-/wikis/home|{{Pkg|evolution}}}}
* {{App|[[Wikipedia:Kontact|Kontact]]|Integrated solution to your personal information management. Part of {{Grp|kde-pim}}.|https://kontact.kde.org/|{{Pkg|kontact}}}}
* {{App|Merkuro|Calendar and contact application that allows you to manage your tasks, events and contacts. Part of {{Grp|kde-pim}}.|https://apps.kde.org/merkuro/|{{Pkg|merkuro}}}}
* {{App|Osmo|GTK personal organizer, which includes calendar, tasks manager and address book modules.|https://osmo-pim.sourceforge.net|{{Pkg|osmo}}}}
* {{App|[[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]] with [[Wikipedia:Lightning (software)|Lightning]]|Extension to SeaMonkey that provides calendar and task support.|https://www.seamonkey-project.org/|{{AUR|seamonkey}}}}
* {{App|[[Thunderbird]]|A fully featured E-mail client formerly developed by Mozilla.|https://www.thunderbird.net|{{Pkg|thunderbird}}}}

=== Time management ===

==== Console ====

* {{App|Calcurse|Text-based ncurses calendar and scheduling system (supports CalDAV)|https://calcurse.org|{{Pkg|calcurse}}}}
* {{App|ccal|A console program which writes a calendar together with Chinese calendar to standard output.|https://ccal.chinesebay.com/ccal/ccal.htm|{{AUR|ccal}}}}
* {{App|khal|Command-line (non-interactive) and ncurses (interactive) calendar system (supports CalDAV)|https://github.com/pimutils/khal|{{Pkg|khal}}}}
* {{App|gcalcli|Command-line (non-interactive) Google Calendar for event management and agendas.|https://github.com/insanum/gcalcli|{{AUR|gcalcli}}}}
* {{App|mail2rem|Small script for importing ''.ics'' calendars from Maildir to Remind calendar.|https://github.com/esovetkin/mail2rem|{{AUR|mail2rem-git}}}}
* {{App|Pal|Very lightweight calendar with both interactive and non-interactive interfaces.|https://palcal.sourceforge.net/|{{AUR|pal}}}}
* {{App|pcal|A tool to create pdf calendars from pcal input which can be exported by some calendar programs.|https://sourceforge.net/projects/pcal/|{{AUR|pcal}}}}
* {{App|[[Remind]]|Highly sophisticated text-based calendaring and notification system.|https://dianne.skoll.ca/projects/remind/|{{Pkg|remind}}}}
* {{App|When|Simple personal calendar program.|http://lightandmatter.com/when/when.html|{{Pkg|when}}}}
* {{App|Wyrd|Text-based front-end to Remind, a calendar and alarm program used on UNIX and Linux computers.|https://gitlab.com/wyrd-calendar/wyrd|{{AUR|wyrd}}}}

==== Graphical ====

* {{App|Agenda|Calendar application built with MauiKit. Part of {{Grp|maui}}.|https://mauikit.org/apps/|{{Pkg|maui-agenda}}}}
* {{App|Calindori|Calendar application for Plasma Mobile.|https://apps.kde.org/calindori/|{{Pkg|calindori}}}}
* {{App|chinese-calendar|Chinese traditional calendar for Ubuntu Kylin.|https://launchpad.net/chinese-calendar/|{{Pkg|chinese-calendar}}}}
* {{App|CoreTime|Very simple Clock/Calendar application which shows a clock, supports alarms, reminders, a stop watch and a timer. Part of C-Suite.|https://cubocore.gitlab.io/|{{AUR|coretime}}}}
* {{App|Deepin Calendar|Calendar application for Deepin.|https://www.deepin.org/en/original/dde-calendar/|{{Pkg|deepin-calendar}}}}
* {{App|etmtk (Event and Task Manager)|Simple application with a "Getting Things Done!" approach to handling events, tasks, activities, reminders and projects.|https://people.duke.edu/~dgraham/ETMtk/|{{AUR|etmtk}}}}
* {{App|Gahshomar|Persian (Jalali/Farsi) calendar.|https://gahshomar.github.io/gahshomar/|{{AUR|gahshomar}}}}
* {{App|GNOME Calendar|Calendar application for GNOME. Part of {{Grp|gnome}}.|https://apps.gnome.org/Calendar/|{{Pkg|gnome-calendar}}}}
* {{App|[[Wikipedia:KAlarm|KAlarm]]|Personal alarm message, command and email scheduler, part of {{Grp|kde-pim}}.|https://apps.kde.org/kalarm/|{{Pkg|kalarm}}}}
* {{App|Kongress|Companion application for conferences made by KDE. Part of {{Grp|kde-utilities}}.|https://apps.kde.org/kongress/|{{Pkg|kongress}}}}
* {{App|[[Wikipedia:Kontact#Organizer|KOrganizer]]|Calendar and scheduling program, part of {{Grp|kde-pim}}.|https://kontact.kde.org/components/korganizer|{{Pkg|korganizer}}}}
* {{App|Merkuro Calendar|Calendar application using Akonadi that supports both local and online calendars: Nextcloud, Google Calendar, Outlook, Caldav and more. Part of {{Grp|kde-pim}}.|https://apps.kde.org/merkuro.calendar/|{{Pkg|merkuro}}}}
* {{App|[[Nextcloud]] Calendar|Calendar app for Nextcloud.|https://github.com/nextcloud/calendar|{{Pkg|nextcloud-app-calendar}}}}
* {{App|Outspline|Extensible outliner with advanced time management features, supporting events with complex recurrence schemes.|https://kynikos.github.io/outspline/|{{AUR|outspline}}}}
* {{App|TkRemind|Sophisticated calendar and alarm program.|https://dianne.skoll.ca/projects/remind/|{{Pkg|remind}}}}

=== Timers ===

==== Countdown timers and stopwatch ====

* {{App|arttime|Clock, timer, pattern-based time manager, ASCII art viewer. Set a one-off, multiple, repeating, pattern-based timers.|https://github.com/poetaman/arttime|{{AUR|arttime-git}}}}
* {{App|Chess Clock|Simple application to provide time control for over-the-board chess games.|https://apps.gnome.org/Chessclock/|{{Pkg|chess-clock}}}}
* {{App|GNOME Clocks|Clocks application for GNOME, including alarm, stopwatch and timer functionality. Part of {{Grp|gnome}}.|https://apps.gnome.org/Clocks/|{{Pkg|gnome-clocks}}}}
* {{App|Hourglass|Simple time keeping application designed for elementary OS.|https://github.com/sgpthomas/hourglass|{{AUR|hourglass}}}}
* {{App|KClock|A convergent clock application for Plasma. It contains alarm, timer, stopwatch and timezone functionalities. Part of {{Grp|kde-utilities}}.|https://apps.kde.org/kclock/|{{Pkg|kclock}}}}
* {{App|Kronometer|Stopwatch application for KDE.|https://apps.kde.org/kronometer/|{{Pkg|kronometer}}}}
* {{App|KTeaTime|Handy timer for steeping tea. Part of {{Grp|kde-utilities}}.|https://apps.kde.org/kteatime/|{{Pkg|kteatime}}}}
* {{App|pystopwatch|Stopwatch written in Python with a clock and two countdown functions that can minimize to the tray.|https://xyne.dev/projects/pystopwatch/|{{AUR|pystopwatch}}}}
* {{App|snore|A program like sleep, but with feedback.|https://github.com/clamiax/snore|{{AUR|snore-git}}}}
* {{App|termdown|Countdown timer and stopwatch in your terminal.|https://github.com/trehn/termdown|{{Pkg|termdown}}}}

==== Break timers ====

* {{App|Break Timer|Keeps track of how much you are using the computer, and it reminds you to take regular breaks. Works only in GNOME.|https://wiki.gnome.org/Apps/BreakTimer|{{Pkg|gnome-break-timer}}}}
* {{App|RSI Break|Takes care of your health and regularly breaks your work to avoid repetitive strain injury (RSI) [https://bugs.kde.org/show_bug.cgi?id{{=}}422033 on Xorg].|https://apps.kde.org/rsibreak/|{{Pkg|rsibreak}}}}
* {{App|Safe Eyes|Tool to reduce and prevent repetitive strain injury (RSI).|https://slgobinath.github.io/SafeEyes/|{{AUR|safeeyes}}}}
* {{App|Work-break|Work and rest time balancer taking into account your current and today strain.|https://github.com/ShadoySV/work-break/|{{AUR|work-break}}}}
* {{App|[[Wikipedia:Workrave|Workrave]]|Program that assists in the recovery and prevention of RSI [https://bbs.archlinux.org/viewtopic.php?id{{=}}285701 on Xorg].|https://workrave.org/|{{Pkg|workrave}}}}

==== Pomodoro timers ====

See [[Wikipedia:Pomodoro Technique]] for an introduction.

* {{App|flow|Pomodoro app that blocks distractions while you work.|https://github.com/iamsergio/flow-pomodoro|{{AUR|flow-pomodoro}}}}
* {{App|Francis|App that uses the well-known pomodoro technique to help you get more productive. Part of {{Grp|kde-utilities}}.|https://apps.kde.org/francis/|{{Pkg|francis}}}}
* {{App|Gnomato|Timer for the Pomodoro Technique.|https://github.com/diegorubin/gnomato|{{AUR|gnomato}}}}
* {{App|Pilorama|Eye-candy timeboxing tool written in QML|https://github.com/eplatonoff/pilorama|{{AUR|pilorama-git}}}}
* {{App|Pomodoro|Time management utility for GNOME based on the Pomodoro Technique.|https://gnomepomodoro.org/|{{AUR|gnome-shell-pomodoro}}}}
* {{App|Pomodoro-Logger|Pomodoro timer and logger with [[Wikipedia:Kanban board|Kanban board]] for task management and tracking.|https://github.com/zxch3n/PomodoroLogger|{{AUR|pomodoro-logger}}}}
* {{App|potato-c|A minimal and efficient pomodoro timer with server-client structure.|https://github.com/nimaaskarian/potato-c|{{AUR|potato-c}}}}
* {{App|Solanum|Pomodoro timer for the GNOME desktop.|https://apps.gnome.org/Solanum/|{{Pkg|solanum}}}}
* {{App|Tomate|Timer for the Pomodoro Technique.|https://github.com/eliostvs/tomate-gtk|{{AUR|tomate-gtk}}}}
* {{App|Tomighty|Desktop timer for the Pomodoro Technique.|https://tomighty.github.io|{{AUR|tomighty}}}}

=== Time trackers ===

* {{App|ActivityWatch|A self/local-hosted, cross-platform, client-server, privacy-focused active window tracker.|https://github.com/ActivityWatch/activitywatch|{{AUR|activitywatch-bin}}}}
* {{App|Hamster|Time tracking application that helps you to keep track on how much time you have spent during the day on activities you choose to track.|http://projecthamster.org/|{{Pkg|hamster-time-tracker}}}}
* {{App|Kapow|Punch clock to track time spent on projects.|https://gottcode.org/kapow/|{{AUR|kapow}}}}
* {{App|KTimeTracker|Todo management and time tracking application.|https://apps.kde.org/ktimetracker/|{{Pkg|ktimetracker}}}}
* {{App|Tider|Lightweight time tracking application (GTK)|https://github.com/naspeh/tider|{{AUR|tider-git}}}}
* {{App|Timenaut|Time tracker that tracks active windows and lets you sort them into categories. Based on the [https://electronjs.org/ Electron] platform.|https://timenaut.app/|{{AUR|timenaut-appimage}}}}
* {{App|Timetrack|Simple time-tracking app for GNOME.|https://gitlab.gnome.org/danigm/timetrack|{{AUR|timetrack}}}}
* {{App|Timewarrior|A command-line time-tracking application.|https://timewarrior.net/|{{Pkg|timew}}}}
* {{App|Wakatime|Open source plugins for metrics about your programming with intuitive web-interface.|https://wakatime.com/|{{AUR|wakatime}}}}

=== Task management ===

==== Console ====

* {{App|c3|A multi-platform TUI todo manager that extends calcurse's todo format to have a tree-like dependency structure, and even more! |https://github.com/nimaaskarian/c3|{{AUR|c3}}}}
* {{App|Cfait|Powerful, simple, elegant, and lightweight CalDAV task manager (TUI & GUI).|https://codeberg.org/trougnouf/cfait|{{AUR|cfait}}}}
* {{App|dijo|Scriptable, curses-based, digital habit tracker |https://github.com/nerdypepper/dijo|{{AUR|dijo}}}}
* {{App|Taskbook|Tasks, boards and notes for the command-line habitat.|https://github.com/klauscfhq/taskbook|{{AUR|taskbook}}}}
* {{App|Taskell|A command-line kanban board/task manager.|https://github.com/smallhadroncollider/taskell|{{AUR|taskell}}}}
* {{App|[[Wikipedia:Taskwarrior|Taskwarrior]]|Command-line To-do list application with support for lua customization and more.|https://taskwarrior.org/|{{Pkg|task}}}}
* {{App|todoman|Command-line To-do list manager (supports CalDAV)|https://github.com/pimutils/todoman|{{Pkg|todoman}}}}
* {{App|Todo.txt|Small command-line To-do manager.|https://github.com/todotxt/todo.txt-cli/|{{AUR|todotxt}}}}
* {{App|TuDu|Ncurses-based hierarchical To-do list manager with vim-like keybindings.|https://code.meskio.net/tudu/|{{AUR|tudu}}}}

==== Graphical ====

* {{App|Agenda|Simple, fast, no-nonsense to-do (task) list for elementary OS.|https://github.com/dahenson/agenda|{{AUR|agenda}}}}
* {{App|Cfait|Powerful, simple, elegant, and lightweight CalDAV task manager (TUI & GUI).|https://codeberg.org/trougnouf/cfait|{{AUR|cfait}}}}
* {{App|Effitask|Graphical task manager, based on the [http://todotxt.com/ Todo.txt] format.|https://github.com/sanpii/effitask|{{AUR|effitask}}}}
* {{App|Endeavour|Personal task manager for GNOME. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Todo|{{Pkg|endeavour}}}}
* {{App|Errands|Todo application for those who prefer simplicity.|https://apps.gnome.org/List/|{{Pkg|errands}}}}
* {{App|Go For It!|Simple and stylish productivity app, featuring a to-do list, merged with a timer that keeps your focus on the current task. To-do lists are stored in the [http://todotxt.com/ Todo.txt] format.|https://manuelkehl.de/projects/go-for-it/|{{AUR|go-for-it}}}}
* {{App|GTG|Personal tasks and TODO list items organizer for GNOME inspired by the [[Wikipedia:Getting Things Done|Getting Things Done (GTD)]] methodology.|https://github.com/getting-things-gnome/gtg|{{AUR|gtg}}}}
* {{App|KomoDo|Todo manager that uses todo.txt specification.|https://apps.kde.org/komodo/|{{Pkg|komodo}}}}
* {{App|[[Nextcloud]] Tasks|Tasks app for Nextcloud.|https://github.com/nextcloud/tasks|{{Pkg|nextcloud-app-tasks}}}}
* {{App|Planner|Task manager with Todoist support.|https://useplanner.com/|{{AUR|planify}}}}
* {{App|ptask|GTK task manager based on [[Wikipedia:Taskwarrior|Taskwarrior]].|https://wpitchoune.net/ptask/|{{AUR|ptask}}}}
* {{App|sleek|todo.txt app with modern GUI. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/ransome1/sleek/|{{AUR|sleek}}}}
* {{App|TickTick|Is a simple and effective to-do list and task manager app with seamless cloud synchronization across all your devices|https://ticktick.com/|{{AUR|ticktick}}}}
* {{App|Zanshin|To-do management application for KDE. Part of {{Grp|kde-pim}}.|https://apps.kde.org/zanshin/|{{Pkg|zanshin}}}}

=== Contacts management ===

==== Console ====

* {{App|Abook|Text-based contacts manager designed for use with mutt.|https://abook.sourceforge.net/|{{AUR|abook}}}}
* {{App|Khard|Command-line addressbook that is able to sync with CardDAV-servers.|https://github.com/scheibler/khard|{{Pkg|khard}}}}

==== Graphical ====

* {{App|Addresses|Address book application for GNUstep.|https://www.nongnu.org/gap/addresses/|{{AUR|addresses.app}}}}
* {{App|Communicator|Integrated address book and dialer application features the search for and view of contacts, edit contact details, and make new contacts, favorites, and dialer pad. Part of {{Grp|maui}}.|https://mauikit.org/apps/communicator/|{{Pkg|communicator}}}}
* {{App|GNOME Contacts|Contacts manager for GNOME. Part of {{Grp|gnome}}.|https://apps.gnome.org/Contacts/|{{Pkg|gnome-contacts}}}}
* {{App|KAddressBook|Address book manager for KDE. Part of {{Grp|kde-pim}}.|https://kontact.kde.org/components/kaddressbook|{{Pkg|kaddressbook}}}}
* {{App|LDAP Administration Tool|Browse LDAP-based directories and add/edit/delete entries contained within.|https://sourceforge.net/projects/ldap-at/|{{AUR|lat}}}}
* {{App|Merkuro Contacts|Address book using Akonadi. Part of {{Grp|kde-pim}}.|https://apps.kde.org/merkuro.contact/|{{Pkg|merkuro}}}}
* {{App|[[Nextcloud]] Contacts|Contacts app for Nextcloud.|https://github.com/nextcloud/contacts|{{Pkg|nextcloud-app-contacts}}}}
* {{App|[[phpLDAPadmin]]|LDAP client webapp. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory.|https://phpldapadmin.sourceforge.net/|{{Pkg|phpldapadmin}}}}
* {{App|[[Thunderbird]] with [https://gitlab.com/CardBook/CardBook CardBook] extension|address book based on the CardDAV and vCard standards.|https://gitlab.com/CardBook/CardBook|{{Pkg|thunderbird}}}}

=== Financial management ===

See also [[Wikipedia:Comparison of accounting software]].

==== Console ====

* {{App|Beancount|A double-entry bookkeeping computer language that lets you define financial transaction records in a text file, read them in memory, generate a variety of reports from them, and provides a web interface.|https://beancount.github.io/|{{AUR|beancount}}}}
* {{App|hledger|An accounting program for tracking money, time, or any other commodity, using double-entry accounting and a simple, editable file format. hledger is inspired by and largely compatible with ledger.|https://hledger.org/|{{Pkg|hledger}}}}
* {{App|[[Ledger]]|Ledger is a powerful, double-entry accounting system that is accessed from the UNIX command-line.|https://www.ledger-cli.org/|{{Pkg|ledger}}}}

==== Graphical ====

* {{App|Eqonomize!|Cross-platform personal accounting software, with focus on efficiency and ease of use for the small household economy.|https://eqonomize.github.io/|{{AUR|eqonomize}}}}
* {{App|[[ERPNext]]|Free and open source Enterprise Resource Planning (ERP).|https://github.com/frappe/erpnext|{{AUR|erpnext}}}}
* {{App|[[Wikipedia:GnuCash|GnuCash]]|Financial application that implements a double-entry book-keeping system with features for small business accounting.|https://www.gnucash.org/|{{Pkg|gnucash}}}}
* {{App|Grisbi|Personal finance system which manages third party, expenditure and receipt categories, as well as budgetary lines, financial years, and other information that makes it suitable for associations.|https://www.grisbi.org/|{{AUR|grisbi}}}}
* {{App|[[Wikipedia:HomeBank|HomeBank]]|Easy to use finance manager that can analyse your personal finance in detail using powerful filtering tools and graphs.|http://homebank.free.fr/|{{Pkg|homebank}}}}
* {{App|[[Wikipedia:KMyMoney|KMyMoney]]|Personal finance manager that operates in a similar way to [[Wikipedia:Microsoft Money|Microsoft Money]]. It supports different account types, categorisation of expenses and incomes, reconciliation of bank accounts and import/export to the “QIF” file format.|https://kmymoney.org/|{{Pkg|kmymoney}}}}
* {{App|Kresus|Self-hosted personal finance management software. It automatically retrieves every day all your new bank transactions and lets you categorize them, study them through charts and establish a budget.|https://kresus.org/en/|{{Pkg|kresus}}}}
* {{App|Manager|Proprietary accounting software for small business.|https://www.manager.io/|{{AUR|manager-accounting}}}}
* {{App|Money Manager EX|An easy-to-use personal finance suite|https://www.moneymanagerex.org/|{{AUR|moneymanagerex}}}}
* {{App|[[Odoo]]|Open source ERP system purely in Python. Previously known as OpenERP.|https://www.odoo.com/|{{AUR|odoo-venv}}}}
* {{App|Skrooge|Personal finances manager for the KDE desktop.|https://skrooge.org/|{{Pkg|skrooge}}}}

=== Cryptocurrency ===

* {{App|Atomic Wallet|Manage your Bitcoin, Ethereum, XRP, Litecoin, XLM, and over 300 other coins and tokens. |https://atomicwallet.io/|{{AUR|atomicwallet}}}}
* {{App|Bitcoin Core|Connect to the Bitcoin P2P Network.|https://bitcoincore.org/|{{Pkg|bitcoin-qt}}}}
* {{App|Cake Wallet|Multicurrency wallet.|https://github.com/cake-tech/cake_wallet|{{AUR|cake-wallet-bin}}}}
* {{App|Coinomi|Securely store, manage and exchange Bitcoin, Ethereum, and more than 1,770 other blockchain assets.|https://www.coinomi.com/|{{AUR|coinomi-wallet-bin}}}}
* {{App|Cointop|Terminal based application for tracking cryptocurrencies.|https://cointop.sh/|{{AUR|cointop}}}}
* {{App|Dogecoin Core|Dogecoin Core wallet, Allows you to connect to the Dogecoin P2P Network.|https://dogecoin.com/|{{AUR|dogecoin-qt}}, {{AUR|multidoge}}}}
* {{App|Electrum|Lightweight Bitcoin client.|https://electrum.org/|{{Pkg|electrum}}}}
* {{App|Exodus|All-in-one proprietary application to secure, manage, and exchange blockchain assets. Based on the [https://electronjs.org/ Electron] platform.|https://www.exodus.io/|{{AUR|exodus}}}}
* {{App|Feather Wallet|Lightweight Monero wallet.|https://featherwallet.org/|{{AUR|feather-wallet}}}}
* {{App|Monero|Monero wallet.|https://getmonero.org/|{{Pkg|monero-gui}}, {{Pkg|monero}}}}
* {{App|Sparrow Wallet|Advanced Bitcoin client.|https://sparrowwallet.com/|{{AUR|sparrow-wallet}}}}

=== Project management ===

See also [[Wikipedia:Comparison of project management software]].

* {{App|[[Wikipedia:Calligra Plan|Calligra Plan]]|Project management application, which is intended for managing moderately large projects with multiple resources.|https://calligra.org/components/plan/|{{Pkg|calligra-plan}}}}
* {{App|[[Wikipedia:GanttProject|GanttProject]]|Project scheduling application featuring gantt chart, resource management, calendaring.|https://www.ganttproject.biz/|{{AUR|ganttproject}}}}
* {{App|[[Notion-app]]|A note-taking software and project management software that is used for note-taking, task management, project management, knowledge management, and personal knowledge management. |https://www.notion.so/|{{AUR|notion-app-electron}}}}
* {{App|Planner|Project management application for GNOME.|https://wiki.gnome.org/Apps/Planner|{{Pkg|planner}}}}
* {{App|[[Wikipedia:ProjectLibre|ProjectLibre]]|Project management software alternative to [[Wikipedia:Microsoft Project|Microsoft Project]].|https://www.projectlibre.com/product/projectlibre-open-source{{Dead link|2025|08|15|status=404}}|{{AUR|projectlibre}}}}
* {{App|[[Wikipedia:TaskJuggler|TaskJuggler]]|Modern and powerful project management tool. Its new approach to project planning and tracking is more flexible and superior to the commonly used Gantt chart editing tools.|https://taskjuggler.org/|{{AUR|taskjuggler}}}}

=== Bookmark management ===

* {{App|KEditBookmarks|Bookmark organizer and editor. Part of {{Grp|kde-utilities}}.|https://invent.kde.org/utilities/keditbookmarks|{{Pkg|keditbookmarks}}}}
* {{App|Read It Later|Simple Wallabag client.|https://gitlab.gnome.org/World/read-it-later|{{Pkg|read-it-later}}}}

=== Recipe management ===

* {{App|Gourmand|Simple but powerful recipe-managing application.|https://github.com/GourmandRecipeManager/gourmand|{{AUR|gourmand}}}}
* {{App|Recipes|Recipe management application for GNOME. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Recipes|{{Pkg|gnome-recipes}}}}

=== Travel management ===

See also [[List of applications/Science#Navigation and routing]].

* {{App|Itinerary|Digital travel assistant with a priority on protecting your privacy. Part of {{Grp|kde-pim}}.|https://apps.kde.org/itinerary/|{{Pkg|itinerary}}}}

=== Health management ===

* {{App|Health|Health tracking app for the GNOME desktop.|https://apps.gnome.org/Health/|{{Pkg|health}}}}

== Education ==

See also [[List of games#Education]].

* {{App|Artikulate|Pronunciation trainer that helps improving and perfecting a learner's pronunciation skills for a foreign language. Part of {{Grp|kde-education}}.|https://apps.kde.org/artikulate/|{{Pkg|artikulate}}}}
* {{App|Fretboard|Look up guitar chords.|https://apps.gnome.org/Fretboard/|{{Pkg|fretboard}}}}
* {{App|Kalm|Teach you different breathing techniques. Part of {{Grp|kde-utilities}}.|https://apps.kde.org/kalm/|{{Pkg|kalm}}}}
* {{App|[[Moodle]]|Open-source software learning management system.|https://moodle.org/|{{AUR|moodle}}}}
* {{App|[[Wikipedia:OpenBoard|OpenBoard]]|Interactive whiteboard software for schools and universities.|https://openboard.ch/index.en.html|{{AUR|openboard}}}}
* {{App|Wike|Wikipedia reader for the GNOME desktop.|https://apps.gnome.org/Wike/|{{Pkg|wike}}}}
* {{App|Wildcard|Provides a simple interface to test/practice regular expressions.|https://gitlab.gnome.org/World/Wildcard|{{Pkg|wildcard}}}}

=== Flashcards ===

See also [[Wikipedia:List of flashcard software]].

* {{App|[[Anki]]|Intelligent spaced-repetition memory training program.|https://apps.ankiweb.net/|{{Pkg|anki}}}}
* {{App|jVLT|Vocabulary learning tool.|https://www.linuxlinks.com/jVLT/|{{AUR|jvlt}}}}
* {{App|KWordQuiz|Tool that gives you a powerful way to master new vocabularies. Part of {{Grp|kde-education}}.|https://apps.kde.org/kwordquiz/|{{Pkg|kwordquiz}}}}
* {{App|[[Mnemosyne]]|Flash-card tool which optimizes your learning process.|https://mnemosyne-proj.org/|{{AUR|mnemosyne}}}}
* {{App|Parley|Program to help you memorize things. It uses the spaced repetition learning method, also known as flash cards. Part of {{Grp|kde-education}}.|https://apps.kde.org/parley/|{{Pkg|parley}}}}
* {{App|Pauker|Flash card based learning tool using shortterm and longterm memory training.|https://pauker.sourceforge.net/|{{AUR|pauker}}}}
* {{App|StudyFlash|Learn flashcards inside your terminal|https://github.com/Alone2/studyFlash|{{AUR|studyflash}}}}

=== Touch typing ===

==== Console ====

* {{App|Dvorak 7min|Simple ncurses-based typing tutor for those trying to become fluent with the Dvorak keyboard layout.|https://github.com/yaychris/dvorak7min|{{AUR|dvorak7min}}}}
* {{App|GNU Typist|Universal typing tutor.|https://www.gnu.org/software/gtypist/|{{AUR|gtypist}}}}
* {{App|psani-profi|Program that will teach you touchtyping (Czech).|https://www.sallyx.org/sally/psani-vsemi-deseti/|{{AUR|psani-profi}}}}
* {{App|Typespeed|Test your typing speed, and get your fingers' CPS.|https://typespeed.sourceforge.net/|{{AUR|typespeed}}}}
* {{App|typiskt|touchtype training in the terminal (Bash).|https://github.com/budlabs/typiskt|{{AUR|typiskt}}}}

==== Graphical ====

* {{App|Klavaro|Teaching touch typing that intends to be keyboard and language independent.|https://klavaro.sourceforge.io/|{{Pkg|klavaro}}}}
* {{App|[[Wikipedia:KTouch|KTouch]]|Program to learn and practice touch typing. Part of {{Grp|kde-education}}.|https://apps.kde.org/ktouch/|{{Pkg|ktouch}}}}
* {{App|TIPP10|Intelligent touch typing tutor.|https://www.tipp10.com/|{{Pkg|tipp10}}}}
* {{App|TypingTest|Typing test desktop program with a large amount of customization.|https://github.com/laelath/typingtest|{{AUR|typingtest-git}}}}

== Accessibility ==

See [[Accessibility]] for tips on operating the desktop and [[:Category:Accessibility]] for all available articles. See also [[List of applications/Utilities#On-screen keyboards|On-screen keyboards]].

=== Speech synthesizers ===

See also [[Wikipedia:Comparison of speech synthesizers]] and [https://tools.wmflabs.org/tts-comparison/ listening comparison of the different engines].

* {{App|Ekho|Chinese text-to-speech (TTS) software for Cantonese, Mandarin, Zhaoan Hakka, Tibetan, Ngangien and Korean.|https://eguidedog.net/ekho.php|{{AUR|ekho}}}}
* {{App|eSpeak|Compact speech synthesizer for more than 50 languages.|https://espeak.sourceforge.net/|{{AUR|espeak}}}}
* {{App|[[Wikipedia:eSpeakNG|eSpeak NG]]|Fork of eSpeak (due to inactivity of original maintainer).|https://github.com/espeak-ng/espeak-ng|{{Pkg|espeak-ng}}}}
* {{App|[[Festival]]|General framework for building speech synthesis systems as well as including examples of various modules. As a whole it offers full text to speech.|https://www.cstr.ed.ac.uk/projects/festival/|{{Pkg|festival}}}}
* {{App|Flite|Lightweight speech synthesis engine.|http://festvox.org/flite/|{{Pkg|flite}}}}
* {{App|Gespeaker|GTK frontend for espeak. It allows you to play a text in many languages with settings for voice, pitch, volume and speed.|https://muflone.com/gespeaker/english/|{{AUR|gespeaker}}}}
* {{App|KMouth|Speech synthesizer frontend which enables persons that cannot speak to let their computer speak. Part of {{Grp|kde-accessibility}}.|https://apps.kde.org/kmouth/|{{Pkg|kmouth}}}}
* {{App|MaryTTS|Multilingual text-to-speech synthesis platform written in Java.|https://marytts.github.io/|{{AUR|marytts}}}}
* {{App|[[Mbrola|MBROLA]]|Proprietary phonemes-to-audio program which supports more than 70 languages. Mbrola-voices can also be used with eSpeak.|http://tcts.fpms.ac.be/synthesis/mbrola.html|{{AUR|mbrola}}}}
* {{App|Mimic|Text-to-speech voice synthesis from the Mycroft project (based on Flite).|https://mimic.mycroft.ai/|{{AUR|mimic}}}}
* {{App|Open JTalk|Japanese text-to-speech synthesis system.|https://sourceforge.net/projects/open-jtalk/|{{AUR|open-jtalk}}}}
* {{App|Orca|Screen reader for individuals who are blind or visually impaired, using eSpeak (via Speech Dispatcher). Part of {{Grp|gnome}}.|https://wiki.gnome.org/Projects/Orca|{{Pkg|orca}}}}
* {{App|piper|A fast, local neural text to speech system.|https://github.com/rhasspy/piper|{{AUR|piper-tts-bin}}}}
* {{App|[[RHVoice]]|Cross-platform (including Android) text-to-speech from a blind Russian-speaking developer, based on [https://hts.sp.nitech.ac.jp HTS] (ru, ka, uk, ky, tt, en, pt, eo)|https://github.com/RHVoice/RHVoice|{{Pkg|rhvoice}}}}
* {{App|[[Simple Orca Plugin System|SOPS]]|Provides a simple way to write custom plugins for screen reader Orca.|https://github.com/chrys87/simple-orca-plugin-system|{{AUR|simpleorcapluginsystem}}}}
* {{App|[[Speech dispatcher]]|Common interface to speech synthesis. It has backends for eSpeak, Festival, and a few other speech synthesizers.|https://freebsoft.org/speechd|{{Pkg|speech-dispatcher}}}}

=== Speech recognition ===

See also [[Wikipedia:Speech recognition software for Linux]].

* {{App|[[Wikipedia:Julius (software)|Julius]]|Large vocabulary continuous speech recognition engine.|https://github.com/julius-speech/julius|{{AUR|julius-speech}}}}
* {{App|[[Wikipedia:Kaldi (software)|Kaldi]]|Speech recognition toolkit.|https://github.com/kaldi-asr/kaldi|{{AUR|kaldi}}}}
* {{App|Kaylee|Somewhat fancy voice command recognition program that performs actions when a user speaks loosely preset sentences.|https://github.com/Ratfink/kaylee|{{AUR|kayleevc}}}}
* {{App|[[Wikipedia:Mycroft (software)|Mycroft]]|Hackable voice assistant.|https://github.com/MycroftAI/mycroft-core|{{AUR|mycroft-core}}}}
* {{App|nerd-dictation|Light weight manually activated dictation using the VOSK-API.|https://github.com/ideasman42/nerd-dictation|{{AUR|nerd-dictation-git}}}}
* {{App|Numen|Voice control for handsfree computing.|https://sr.ht/~geb/numen/|{{AUR|numen}}}}

=== Screen magnifiers ===

* {{App|boomer|Zoomer application for Linux.|https://github.com/tsoding/boomer|{{AUR|boomer-git}}}}
* {{App|KMag|Small KDE utility to magnify a part of the screen. Part of {{Grp|kde-accessibility}}.|https://apps.kde.org/kmag/|{{Pkg|kmag}}}}
* {{App|Magnus|Very simple desktop magnifier, showing the area around the mouse pointer in a separate window magnified two, three, four, or five times.|https://kryogenix.org/code/magnus/|{{AUR|magnus}}}}
* {{App|Virtual Magnifying Glass|Simple, customizable and easy-to-use screen magnification tool.|https://magnifier.sourceforge.net/|{{AUR|vmg}}}}
* {{App|xzoom|Zoom, rotate and mirror area of X display.|https://www.ibiblio.org/pub/Linux/X11/libs/!INDEX.short.html|{{AUR|xzoom}}}}

=== On-screen annotation ===

* {{App|Gromit-MPX|Tool to make annotations on the screen.|https://github.com/bk138/gromit-mpx|{{AUR|gromit-mpx}}}}
* {{App|Pylote|Tool to draw on the screen.|http://pascal.peter.free.fr/pylote-en.html|{{AUR|pylote-git}}}}
* {{App|Screenkey|Tool to display pressed keys.|https://www.thregr.org/~wavexx/software/screenkey/|{{Pkg|screenkey}}}}
* {{App|Show Me The Key|A screenkey alternative that works under Wayland via libinput|https://showmethekey.alynx.one|{{Pkg|showmethekey}}}}

=== Mouse ===

* {{App|Easystroke|Use mouse gestures to initiate commands and hotkeys.|https://github.com/thjaeger/easystroke/wiki|{{AUR|easystroke}}}}
* {{App|KMouseTool|Clicks the mouse whenever the mouse cursor pauses briefly. It was designed to help those with repetitive strain injuries, for whom pressing buttons hurts. Part of {{Grp|kde-accessibility}}.|https://apps.kde.org/kmousetool/|{{Pkg|kmousetool}}}}
* {{App|Mousetweaks|Accessibility enhancements for pointing devices.|https://wiki.gnome.org/Projects/Mousetweaks|{{Pkg|mousetweaks}}}}

== Display servers ==

A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other.

* {{App|Arcan|A development framework for anything between user interfaces for specialised embedded applications, and a standalone desktop environment.|https://arcan-fe.com/|{{AUR|arcan}}}}
* {{App|[[Xorg]]|The public, open-source implementation of the [[Wikipedia:X Window System|X Window System]] (commonly X11, or X).|https://www.x.org|{{Pkg|xorg}}}}
* {{App|[[Xephyr]]|A nested X server that runs as an X application.|https://freedesktop.org/wiki/Software/Xephyr/|{{Pkg|xorg-server-xephyr}}}}
* {{App|XLibre|A fork of Xorg that is [[Intel graphics#With the modesetting driver 2|tear free]] by default, supports client isolation and fixes several upstream bugs.|https://github.com/X11Libre/xserver/ |{{AUR|xlibre-xserver}}}}
* {{App|[[Wayland]]|A newer, alternative display server protocol with several [[Wayland#Compositors|compositors]] to choose from. Its advantages over Xorg are enhanced security features, more efficient handling of modern graphics tasks and active development while retaining compatibility through [[Xwayland]].|https://wayland.freedesktop.org/|{{Pkg|wayland}}}}

== Display managers ==

See the main article: [[Display manager#List of display managers]].

== Desktop environments ==

See the main article: [[Desktop environment#List of desktop environments]].

=== Window managers ===

==== Console ====

See also [[List of applications/Utilities#Terminal multiplexers]], which offer some of the functions of window managers for the console.

* {{App|twin|Text-mode window manager.|https://sourceforge.net/projects/twin/|{{AUR|twin}}}}
* {{App|Wmutils|A set of tools for X windows manipulation.|https://github.com/wmutils/core|{{AUR|wmutils-git}}}}

==== Graphical ====

See the main article: [[Window manager#List of window managers]].

==== Composite managers ====

See the main article: [[Xorg#List of composite managers]].

=== Wayland compositors ===

See the main article: [[Wayland#Compositors]].

=== Window tilers ===

* {{App|QuickTile|Lightweight standalone alternative to Compiz Grid plugin.|http://ssokolow.com/quicktile/|{{AUR|quicktile-git}}}}
* {{App|wumwum|The Window Manager manager. It can turn emwh compliant window managers into a tiling window manager while retaining all initial functionalities.|https://wumwum.sourceforge.net/|{{AUR|wumwum}}}}

=== Desktop shells ===

Desktop shells provide a graphical shell layer on top of a window manager or compositor, including panels, launchers, and other desktop components. They can be used to build a desktop-like experience, but do not constitute full desktop environments.

* {{App|AGS|Aylur's GTK Shell is a framework for building custom desktop shells using GTK.|https://aylur.github.io/ags/|{{AUR|aylurs-gtk-shell}}}}
* {{App|DankMaterialShell|Desktop shell for Wayland compositors, built with Quickshell and Go.|https://github.com/AvengeMedia/DankMaterialShell|{{Pkg|dms-shell}}}}
* {{App|eww|ElKowar's Wacky Widgets is a standalone widget system made in Rust that allows you to implement your own, custom widgets in any window manager.|https://github.com/elkowar/eww|{{AUR|eww}}}}
* {{App|liquidshell|Basic desktop shell for Xorg, an alternative to plasmashell, implemented using QtWidgets. It provides a bottom panel, a desktop wallpaper and desktop widgets.|https://apps.kde.org/liquidshell/|{{Pkg|liquidshell}}}}
* {{App|Noctalia|Minimal desktop shell for Wayland compositors, built on Quickshell.|https://noctalia.dev/|{{AUR|noctalia-shell}}}}
* {{App|[[nwg-shell]]|Modular GTK3-based shell for Sway and Hyprland compositors.|https://nwg-piotr.github.io/nwg-shell/|{{Pkg|nwg-shell}}}}
* {{App|wf-shell|Shell components for the Wayfire compositor.|https://github.com/WayfireWM/wf-shell|{{Pkg|wf-shell}}}}

=== Taskbars ===

See also [[Wikipedia:Taskbar]].

==== For both Wayland and Xorg ====
* {{App|[[Cairo-Dock]]|Highly customizable dock and launcher application.|https://www.glx-dock.org/|{{Pkg|cairo-dock}}}}
* {{App|LXQt Panel|Qt-based taskbar, part of the [[LXQt]] desktop.|https://github.com/lxqt/lxqt-panel|{{Pkg|lxqt-panel}}}}
* {{App|Xfce Panel|Panel included in the [[Xfce]] desktop.|https://docs.xfce.org/xfce/xfce4-panel/start|{{Pkg|xfce4-panel}}}}
* {{App|yambar|A modular and lightweight status bar for X11 and Wayland that goes to great lengths to be both CPU and battery efficient.|https://codeberg.org/dnkl/yambar|{{AUR|yambar}}}}

==== For Wayland only ====
* {{App|Dash to Panel|A fully customizable icon taskbar for {{Pkg|gnome-shell}}. Moves the dash into the GNOME main panel, similar to KDE Plasma and Windows 10.|https://github.com/home-sweet-gnome/dash-to-panel|{{Pkg|gnome-shell-extension-dash-to-panel}}}}
* {{App|Ironbar|A customisable and feature-rich GTK4 status bar for Wayland compositors, written in Rust.|https://github.com/JakeStanger/ironbar|{{Pkg|ironbar}}}}
* {{App|nwg-dock|GTK-based dock for Sway and Hyprland compositors.|https://github.com/nwg-piotr/nwg-dock|For Sway: {{Pkg|nwg-dock}}, for Hyprland: {{Pkg|nwg-dock-hyprland}}}}
* {{App|nwg-panel|GTK3-based panel for Sway and Hyprland compositors.|https://github.com/nwg-piotr/nwg-panel|{{Pkg|nwg-panel}}}}
* {{App|SFWBar|Flexible taskbar application for Wayland compositors, designed with a stacking layout in mind.|https://github.com/LBCrion/sfwbar|{{AUR|sfwbar}}}}
* {{App|Waybar|A customizable status bar for wlroots-based Wayland compositors.|https://github.com/Alexays/Waybar/|{{Pkg|waybar}}}}

==== For Xorg only ====
* {{App|[[Bmpanel]]|Lightweight, NETWM compliant panel.|https://github.com/nsf/bmpanel2|{{AUR|bmpanel2}}}}
* {{App|DockbarX|Standalone, dock-style taskbar for X11 with window grouping.|https://github.com/xuzhen/dockbarx|{{AUR|dockbarx}}}}
* {{App|[[fbpanel]]|Lightweight, NETWM compliant desktop panel.|https://aanatoly.github.io/fbpanel/|{{AUR|fbpanel}}}}
* {{App|[[Wikipedia:GNOME Panel|GNOME Panel]]|Panel included in the [[GNOME Flashback]] desktop.|https://wiki.gnome.org/Projects/GnomePanel|{{Pkg|gnome-panel}}}}
* {{App|[[Lemonbar]]|A featherweight status bar based on XCB. Provides UTF-8 support, background and foreground colors, text alignment, and not much more.|https://github.com/LemonBoy/bar|{{AUR|lemonbar}}}}
* {{App|LXPanel|Lightweight X11 desktop panel and part of the [[LXDE]] desktop.|https://github.com/lxde/lxpanel|{{Pkg|lxpanel}}}}
* {{App|MATE Panel|Panel included in the [[MATE]] desktop.|https://github.com/mate-desktop/mate-panel/|{{Pkg|mate-panel}}}}
* {{App|plainPanel|A lightweight panel written in Qt. It aims to be a desktop environment, but for now, it includes just a panel and a control center.|https://plainDE.github.io/|{{AUR|plainde-meta}}}}
* {{App|[[Plank]]|Elegant, simple, clean dock from [[Pantheon]] desktop environment.|https://launchpad.net/plank|{{Pkg|plank}}}}
* {{App|[[Polybar]]|A fast and easy-to-use tool for creating status bars.|https://github.com/jaagr/polybar|{{Pkg|polybar}}}}
* {{App|[[Tint2]]|Simple panel/taskbar developed specifically for Openbox.|https://gitlab.com/o9000/tint2|{{Pkg|tint2}}}}
* {{App|Vala Panel|GTK3 panel for compositing window managers.|https://gitlab.com/vala-panel-project/vala-panel|{{AUR|vala-panel}}}}
* {{App|[[xmobar]]|A lightweight, text-based, status bar written in Haskell.|https://archives.haskell.org/projects.haskell.org/xmobar/|{{Pkg|xmobar}}}}

=== System tray ===

[[Desktop environments]] typically have their own system tray implementation. E.g. [[KDE]] ships with Plasma Panel and [[Xfce]] ships with {{Pkg|xfce4-panel}}. For [[GNOME]], see [[GNOME#AppIndicators/Top bar icons]]. For [[dwm]], see [https://dwm.suckless.org/patches/systray/ systray patch].

* {{App|AllTray|Dock other applications into the system tray (notification area).|https://github.com/mbt/alltray|{{AUR|alltray}}}}
* {{App|Docker|Docking application which acts as a system tray.|https://icculus.org/openbox/2/docker/|{{AUR|docker-tray}}}}
* {{App|KDocker|Dock any application in the system tray (notification area).|https://github.com/user-none/KDocker|{{AUR|kdocker}}}}
* {{App|[[Stalonetray]]|Stand-alone freedesktop.org and KDE system tray (notification area) for [[Xorg]]. It has full XEMBED support and minimal dependencies: an X11 lib only. Stalonetray works with virtually any EWMH-compliant window manager.|https://stalonetray.sourceforge.net/|{{Pkg|stalonetray}}}}
* {{App|Trayer|Lightweight GTK-based system tray (notification area).|https://github.com/sargon/trayer-srg/|{{AUR|trayer}}}}

==== Tray indicators ====

Desktop-independent tray indicators. Useful for window managers without built-in tray widgets:

* {{Pkg|cbatticon}}: battery
* {{Pkg|volumeicon}}: volume
* {{Pkg|pasystray}}: pulseaudio
* {{AUR|sbxkb}}: keyboard layout
* {{Pkg|python-pystray}}: Python library for creating tray entries.
* {{AUR|tktray}}: Tk extension to create system tray icons following XDG specifications.

=== Application launchers ===

See also [[Wikipedia:Comparison of desktop application launchers]].

* {{App|Albert|Sophisticated, plugin based standalone keyboard launcher.|https://albertlauncher.github.io/|{{AUR|albert}}}}
* {{App|Application Finder|Easy-to-use application launcher from Xfce.|https://docs.xfce.org/xfce/xfce4-appfinder/start|{{Pkg|xfce4-appfinder}}}}
* {{App|Bashrun2|Provides a different, barebones approach to a run dialog, using a specialized Bash session within a small xterm window.|http://henning-bekel.de/bashrun2/|{{AUR|bashrun2}}}}
* {{App|bemenu|Lightweight dynamic menu inspired by dmenu. Works natively on Wayland.|https://github.com/Cloudef/bemenu|{{Pkg|bemenu}}}}
* {{App|Cartridges|Simple game launcher written in Python using GTK4 and Libadwaita.|https://apps.gnome.org/Cartridges/|{{Pkg|cartridges}}}}
* {{App|[[dmenu]]|Fast and lightweight dynamic menu for X which is also useful as an application launcher.|https://tools.suckless.org/dmenu/|{{Pkg|dmenu}}}}
* {{App|dmenu-extended|Extension to ''dmenu'' for quickly opening files and folders.|https://github.com/markjones112358/dmenu-extended|{{AUR|dmenu-extended-git}}}}
* {{App|dswitcher|''dmenu''-based window switcher that works regardless of workspace or minimization.|https://github.com/Antithesisx/dswitcher|{{AUR|dswitcher-git}}}}
* {{App|fuzzel|Application launcher for wlroots-based Wayland compositors, similar to rofi's `drun` mode.|https://codeberg.org/dnkl/fuzzel|{{Pkg|fuzzel}}}}
* {{App|[[Gmrun]]|Lightweight GTK-based application launcher, with the ability to run programs inside a terminal and other handy features.|https://sourceforge.net/projects/gmrun/|{{AUR|gmrun}}}}
* {{App|GNOME Games|GNOME application to browse your local video games library and to easily pick and play a game from it. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Games|{{Pkg|gnome-games}}}}
* {{App|Gnome-Pie|Circular application launcher (pie menu) for Linux. It is made of several pies, each consisting of multiple slices.|https://simmesimme.github.io/gnome-pie.html|{{Pkg|gnome-pie}}}}
* {{App|higgins|Desktop agnostic application launcher, file finder, calculator and more. Plugin based and freely and easily extendable via user-written plugins.|https://github.com/kokoko3k/higgins|{{AUR|higgins-git}}}}
* {{App|j4-dmenu-desktop|Very fast dmenu application launcher.|https://github.com/enkore/j4-dmenu-desktop|{{Pkg|j4-dmenu-desktop}}}}
* {{App|jgmenu|Simple, independent, contemporary-looking X11 menu, designed for scripting, ricing and tweaking.|https://github.com/johanmalm/jgmenu|{{Pkg|jgmenu}}}}
* {{App|Junction|Application chooser to open files and links.|https://apps.gnome.org/Junction/|{{Pkg|junction}}}}
* {{App|Kupfer|Convenient command and access tool for the GNOME desktop that can launch applications, open documents and access different types of objects and act on them.|https://kupferlauncher.github.io/|{{Pkg|kupfer}}}}
* {{App|launch|Simple command for launching applications from a terminal emulator.|https://github.com/silverhammermba/launch|{{AUR|launch-cmd}}}}
* {{App|[[Wikipedia:Launchy|Launchy]]|Very popular cross-platform application launcher with a plugin-based system used to provide extra functionality.|https://www.launchy.net/|{{Pkg|launchy}}}}
* {{App|Lighthouse|Simple scriptable popup dialog to run on X.|https://github.com/emgram769/lighthouse|{{AUR|lighthouse-git}}}}
* {{App|LXLauncher|Clone of the Asus launcher for EeePC.|https://github.com/lxde/lxlauncher|{{Pkg|lxlauncher}}}}
* {{App|nwg-drawer|GTK-based application drawer designed for Sway and Hyprland compositors.|https://github.com/nwg-piotr/nwg-drawer|{{Pkg|nwg-drawer}}}}
* {{App|nwg-menu|GTK-based application menu designed for Sway and Hyprland compositors.|https://github.com/nwg-piotr/nwg-menu|{{Pkg|nwg-menu}}}}
* {{App|rlaunch|An extremely fast and light-weight dmenu-like application launcher written in Rust.|https://github.com/PonasKovas/rlaunch|{{AUR|rlaunch}}}}
* {{App|[[rofi]]|Popup window switcher roughly based on superswitcher, requiring only xlib and pango.|https://github.com/davatorium/rofi/|{{Pkg|rofi}}}}
* {{App|Synapse|Semantic launcher written in Vala that you can use to start applications as well as find and access relevant documents and files by making use of the Zeitgeist engine.|https://launchpad.net/synapse-project|{{Pkg|synapse}}}}
* {{App|tofi|Tiny dynamic menu, fast and simple dmenu/rofi replacement for Wayland compositors such as {{Pkg|sway}}.|https://github.com/philj56/tofi|{{AUR|tofi}}}}
* {{App|Ulauncher|Modern and shiny launcher that provides fuzzy search, extensions, and themes.|https://ulauncher.io/|{{AUR|ulauncher}}}}
* {{App|vonal|Modern customizable global menu with unlimiting plugin system written in Rust.|https://github.com/fxdave/vonal-rust|{{AUR|vonal-bin}}}}
* {{App|wmenu|Dynamic menu for Sway and wlroots-based Wayland compositors. Provides a Wayland-native dmenu replacement which maintains the look and feel of dmenu.|https://codeberg.org/adnano/wmenu|{{Pkg|wmenu}}}}
* {{App|wofi|GTK-based popup window switcher for Wayland compositors such as {{Pkg|sway}}. Inspired by {{Pkg|rofi}}.|https://hg.sr.ht/~scoopta/wofi|{{Pkg|wofi}}}}
* {{App|yofi|Minimalistic menu for Wayland-based compositors.|https://github.com/l4l/yofi|{{AUR|yofi}}}}

=== Application menu editors ===

* {{App|[[Wikipedia:Alacarte|Alacarte]]|Add or remove applications from the main menu.|https://gitlab.gnome.org/GNOME/alacarte|{{Pkg|alacarte}}}}
* {{App|AppEditor|Edit application entries in the application menu.|https://github.com/donadigo/appeditor|{{AUR|appeditor-git}}}}
* {{App|Ezame|Desktop and menu file editor.|https://github.com/linux-man/ezame|{{AUR|ezame}}}}
* {{App|KMenuEdit|Edit one of the KDE application launchers. Part of {{Grp|plasma}}.|https://invent.kde.org/plasma/kmenuedit|{{Pkg|kmenuedit}}}}
* {{App|lxmed|Application menu editor written in Java.|https://sourceforge.net/projects/lxmed/|{{AUR|lxmed}}}}
* {{App|MenuLibre|Advanced menu editor that provides modern features in a clean, easy-to-use interface.|https://launchpad.net/menulibre|{{AUR|menulibre}}}}
* {{App|Meow|Application menu editor written in Java.|https://pnmougel.github.io/meow/|{{AUR|meow-bin}}}}
* {{App|Mozo|Change which applications are shown on the main menu.|https://github.com/mate-desktop/mozo|{{Pkg|mozo}}}}

=== Application menu generators ===

* {{App|MenuGenerator|Simple application menu generator following XDG menu spec for Fluxbox, Openbox and JWM.|https://github.com/BlackCodec/MenuGenerator/|{{AUR|menugenerator}}}}
* {{App|MenuMaker|Heuristics-driven menu generator for Blackbox, Fluxbox, IceWM, Openbox, PekWM and WindowMaker.|https://menumaker.sourceforge.net/|{{Pkg|menumaker}}}}
* {{App|[[xdg-menu]]|Generate XDG application menus for various window managers.|https://github.com/p5n/archlinux-stuff/tree/master/xdg-menu|{{Pkg|archlinux-xdg-menu}}}}
* {{App|xdgmenumaker|Command line tool that generates XDG menus for several window managers.|https://github.com/gapan/xdgmenumaker|{{AUR|xdgmenumaker}}}}

=== Wallpaper setters ===

See also [[Wikipedia:Wallpaper (computing)]].

* {{App|awww|Efficient animated wallpaper daemon for Wayland, controlled at runtime.|https://codeberg.org/LGFae/awww|{{Pkg|awww}}}}
* {{App|bgs|An extremely fast and small background setter for X based on imlib2.|https://github.com/Gottox/bgs/|{{AUR|bgs-git}}}}
* {{App|[[feh]]|A lightweight and powerful image viewer that can also be used to manage the desktop wallpaper.|https://feh.finalrewind.org/|{{Pkg|feh}}‎}}
* {{App|Fondo|Find a variety of the most beautiful wallpapers from Unsplash.com.|https://github.com/calo001/fondo|{{AUR|fondo}}}}
* {{App|Hanabi|Live Wallpaper for GNOME.|https://github.com/jeffshee/gnome-ext-hanabi|{{AUR|gnome-shell-extension-hanabi-git}}}}
* {{App|Hidamari|Video wallpaper for Linux. Written in Python.|https://github.com/jeffshee/hidamari|{{AUR|hidamari}}}}
* {{App|hsetroot|A tool to create compose wallpapers.|https://packages.debian.org/sid/hsetroot|{{Pkg|hsetroot}}}}
* {{App|HydraPaper|GTK utility to set two different backgrounds for each monitor on GNOME.|https://gabmus.gitlab.io/HydraPaper/|{{AUR|hydrapaper-git}}}}
* {{App|Hyprpaper|Hyprpaper is a blazing fast Wayland wallpaper utility with IPC controls.|https://github.com/hyprwm/hyprpaper|{{AUR|hyprpaper-git}}}}
* {{App|LiveWallpaper|Animated 3D wallpapers.|https://launchpad.net/livewallpaper|{{AUR|livewallpaper}}}}
* {{App|mpvpaper|A video wallpaper program for wlroots-based Wayland compositors.|https://github.com/GhostNaN/mpvpaper|{{AUR|mpvpaper}}}}
* {{App|[[Nitrogen]]|A fast and lightweight desktop background browser and setter for X windows.|https://github.com/l3ib/nitrogen|{{AUR|nitrogen}}}}
* {{App|oguri|An animated wallpaper daemon for Wayland compositors.|https://github.com/vilhalmer/oguri|{{AUR|oguri-git}}}}
* {{App|pacwall|A live wallpaper that shows the dependency graph and status of installed packages.|https://github.com/Kharacternyk/pacwall|{{AUR|pacwall-git}}}}
* {{App|pywal|Changes the wallpaper and creates matching color schemes for various applications (rofi, i3, terminals)|https://github.com/dylanaraps/pywal|{{Pkg|python-pywal}}}}
* {{App|swaybg|Wallpaper tool for Wayland compositors.|https://github.com/swaywm/swaybg|{{Pkg|swaybg}}}}
* {{App|Variety|Changes the wallpaper on a regular interval using user-specified or automatically downloaded images.|https://peterlevi.com/variety/|{{Pkg|variety}}}}
* {{App|[[Xlivebg]]|A live wallpaper framework and collection of live wallpapers for the X window system.|http://nuclear.mutantstargoat.com/sw/xlivebg/|{{AUR|xlivebg}}}}
* {{App|xwallpaper|Minimalist wallpaper setting utility for X.|https://github.com/stoeckmann/xwallpaper|{{Pkg|xwallpaper}}}}

{{Tip|In order to avoid installing one more package, you may find convenient to use the {{ic|display}} utility from {{Pkg|imagemagick}} or {{ic|gm display}} from {{Pkg|graphicsmagick}}. E.g.: {{ic|display -backdrop -background '#3f3f3f' -flatten -window root ''image''}}.}}

=== Virtual desktop pagers ===

See also [[Wikipedia:Pager (GUI)]].

* {{App|bbpager|Dockable pager for [[blackbox]] and other window managers.|https://sourceforge.net/projects/bbtools/|4={{Pkg|bbpager}}}}
* {{App|fbpager|Virtual desktop pager for fluxbox.|http://www.fluxbox.org/fbpager{{Dead link|2025|01|22|status=404}}|{{AUR|fbpager-git}}}}
* {{App|IPager|A configurable pager with transparency, originally developed for Fluxbox.|http://useperl.ru/ipager/index.en.html{{Dead link|2025|03|15|status=404}}|{{AUR|ipager}}}}
* {{App|Netwmpager|A NetWM/EWMH compatible pager.|https://sourceforge.net/projects/sf-xpaint/files/netwmpager/|{{AUR|netwmpager}}}}

=== Desktop widgets ===

* {{App|CoreAction|Side bar with some handy gadgets like system loads, calendar, calculator, notes etc. Part of C-Suite.|https://gitlab.com/cubocore|{{AUR|coreaction}}}}
* {{App|[[Wikipedia:gDesklets|gDesklets]]|System for bringing mini programs (desklets) onto your desktop.|https://launchpad.net/gdesklets|{{AUR|gdesklets}}}}
* {{App|KRuler|Displays on screen a ruler measuring pixels. Part of {{Grp|kde-graphics}}.|https://apps.kde.org/kruler/|{{Pkg|kruler}}}}

=== Desktop notifications ===

See: [[Desktop notifications#Notification servers|Notification servers]].

=== Clipboard managers ===

See [[Clipboard#Managers]].

=== Logout UI ===

* {{App|clearine|Beautiful Logout UI for X11 window manager|https://github.com/okitavera/clearine{{Dead link|2025|11|17|status=404}}|{{AUR|clearine-git}}}}
* {{App|nwg-bar|Configurable button bar for wlroots-based Wayland compositors.|https://github.com/nwg-piotr/nwg-bar|{{Pkg|nwg-bar}}}}
* {{App|[[oblogout]]|Openbox logout script|https://launchpad.net/oblogout|{{AUR|oblogout-py3-git}}}}
* {{App|wlogout|Logout menu for wayland|https://github.com/ArtsyMacaw/wlogout|{{AUR|wlogout}}}}

== Artificial intelligence ==

See also [[Wikipedia:Open-source artificial intelligence]], [[Wikipedia:Lists of open-source artificial intelligence software]], [[Wikipedia:Comparison of deep learning software]]

=== Machine learning frameworks ===

* {{App|cuDNN|NVIDIA CUDA Deep Neural Network library for high-performance GPU acceleration.|https://developer.nvidia.com/cudnn|{{Pkg|cudnn}}}}
* {{App|[[Wikipedia:Fast Artificial Neural Network|Fast Artificial Neural Network]]|Library for developing feedforward Artificial Neural Networks.|https://leenissen.dk/fann/wp/|{{AUR|fann}}}}
* {{App|ggml|Lightweight tensor library for on-device LLM inference.|https://github.com/ggml-org/ggml|{{AUR|libggml}}}}
* {{App|[[Wikipedia:Orange (software)|Orange]]|Visual programming toolkit for data mining, ML and interactive visualization.|https://orange.biolab.si/|{{AUR|python-orange}}}}
* {{App|[[Wikipedia:Prolog|Prolog]]|Logic-programming language for symbolic AI and computational linguistics.|https://www.swi-prolog.org/|{{Pkg|swi-prolog}}, {{AUR|gprolog}}, {{AUR|scryer-prolog}}}}
* {{App|[[Wikipedia:PyTorch|PyTorch]]|Dynamic neural-network framework with strong GPU acceleration.|https://pytorch.org/|{{Pkg|python-pytorch}}, {{Pkg|python-pytorch-cuda}}, {{Pkg|python-pytorch-opt}}, {{Pkg|python-pytorch-opt-cuda}}, {{Pkg|python-pytorch-rocm}}, {{Pkg|python-pytorch-opt-rocm}}}}
* {{App|libtorch|C++ frontend for PyTorch.|https://pytorch.org|{{AUR|libtorch-cuda}}, {{AUR|libtorch-cpu}}, {{AUR|libtorch-rocm}}}}
* {{App|mlpack|Fast, scalable C++ ML library with Python / R / Julia / Go bindings.|https://mlpack.org|{{AUR|mlpack}}}}
* {{App|SentencePiece|Unsupervised text tokenizer for neural text generation.|https://github.com/google/sentencepiece|{{AUR|sentencepiece}} / {{AUR|sentencepiece-bin}} (C++), {{AUR|python-sentencepiece}} / {{AUR|python-sentencepiece-bin}} (Python)}}
* {{App|Sentence Transformers|Python framework for state-of-the-art sentence / text / image embeddings.|https://github.com/UKPLab/sentence-transformers|{{AUR|python-sentence-transformers}}}}
* {{App|[[Wikipedia:TensorFlow|TensorFlow]]|End-to-end platform for scalable machine learning.|https://www.tensorflow.org/|{{Pkg|python-tensorflow}}, {{Pkg|python-tensorflow-cuda}}, {{Pkg|python-tensorflow-opt}}, {{Pkg|python-tensorflow-opt-cuda}}}}
* {{App|[[Wikipedia:Theano (software)|Theano]]|Python library for efficient multi-dimensional array math and deep learning.|http://deeplearning.net/software/theano/|{{AUR|python-theano-pymc}}}}
* {{App|[[Wikipedia:Torch (machine learning)|Torch]]|Scientific computing & ML framework for LuaJIT.|http://torch.ch/|{{AUR|torch7-git}}}}

=== Local AI model deployment ===

==== Inference engines ====

* {{App|CTranslate2|A C++ and Python library for efficient inference with Transformer models.|https://github.com/OpenNMT/CTranslate2|{{AUR|ctranslate2}}, {{AUR|python-ctranslate2}}}}
* {{App|describeimage|Describe images using Ollama.|https://github.com/ollama/ollama|{{Pkg|describeimage}}}}
* {{App|[[llama.cpp]]|A high-performance C/C++ port of Facebook's LLaMA model, optimized for local execution.|https://github.com/ggerganov/llama.cpp|{{AUR|llama.cpp}}, {{AUR|llama.cpp-cuda}}, {{AUR|llama.cpp-vulkan}}}}
* {{App|ik-llama.cpp|A fork of llama.cpp with additional state-of-the-art quantized models and improved performance.|https://github.com/ikawrakow/ik_llama.cpp |{{AUR|ik-llama.cpp}}, {{AUR|ik-llama.cpp-cuda}}, {{AUR|ik-llama.cpp-vulkan}}}}
* {{App|ONNX Runtime|High-performance scoring engine for ML models with cross-platform support.|https://onnxruntime.ai/ |{{Pkg|onnxruntime-cpu}}, {{Pkg|onnxruntime-cuda}}, {{Pkg|onnxruntime-opt-cuda}}, {{Pkg|onnxruntime-rocm}}, {{Pkg|onnxruntime-opt-rocm}}}}
* {{App|[[Ollama]]|A streamlined tool for creating, running, and sharing large language models locally.|https://ollama.com|{{Pkg|ollama}}, {{Pkg|ollama-cuda}}, {{Pkg|ollama-rocm}}}}
* {{App|ollama-amd-igpu|A specialized version of Ollama optimized for AMD iGPUs, supporting Llama 3.3, DeepSeek-R1, Phi-4 and other models.|https://github.com/Crandel/ollama-amd-igpu|{{AUR|ollama-amd-igpu}}, {{AUR|ollama-amd-igpu-cuda}}, {{AUR|ollama-amd-igpu-rocm}}}}

==== Translation====

* {{App|Argos Translate|Open-source offline translation library with GUI support.|https://www.argosopentech.com/|{{AUR|argos-translate}}, {{AUR|argos-translate-gui}}}}
* {{App|TranslateLocally|Fast and secure local translation using Bergamot (Mozilla).|https://github.com/XapaJIaMnu/translatelocally|{{AUR|translatelocally-git}}}}

=== AI applications ===

==== Desktop clients ====

* {{App|AIOne|An all-in-one AI desktop application that provides access to ChatGPT, Gemini, and Claude (uses system-wide Electron).|https://sumexxx.github.io/AIOne/|{{AUR|aione}}}}
* {{App|Alpaca AI|A flexible client for Ollama, enabling local AI model usage and integration with third-party services like ChatGPT and Gemini.|https://github.com/Jeffser/alpaca|{{AUR|alpaca-ai}}}}
* {{App|AnythingLLM|An all-in-one AI application suite supporting Retrieval-Augmented Generation (RAG) and multi-agent workflows for Docker and desktop environments.|https://anythingllm.com/|{{AUR|anythingllm-desktop-bin}}}}
* {{App|BrowserOS|An open-source agentic browser that runs AI agents locally.|https://github.com/browseros-ai/BrowserOS|{{AUR|browseros-bin}}}}
* {{App|Cherry Studio|Desktop client for multiple LLM providers (OpenAI, Claude, LocalAI, etc.).|https://cherry.studio|{{AUR|cherry-studio}}}}
* {{App|Chatbox|A cross-platform desktop application for interacting with GPT-4 and GPT-3.5 models via the OpenAI API.|https://chatboxai.app|{{AUR|chatbox-bin}}}}
* {{App|ChatWise|Fast AI chatbot desktop application.|https://chatwise.app/|{{AUR|chatwise}}}}
* {{App|clara-verse|Privacy-first, client-side AI assistant WebUI for LLMs with ComfyUI integration.|https://github.com/badboysm890/ClaraVerse|{{AUR|clara-verse}}}}
* {{App|GPT4All|A lightweight solution for running large language models locally on any device.|https://gpt4all.io/|{{AUR|gpt4all-chat}}}}
* {{App|Jan|An easy-to-use platform for deploying and managing AI models directly on your PC.|https://jan.ai/|{{AUR|jan}}}}
* {{App|KAIChat|Chat interface for AI models such as Ollama.|https://apps.kde.org/kaichat/|{{AUR|kaichat}}}}
* {{App|Lobe Chat|A modern, extensible chat framework for LLMs, supporting multiple AI providers, multi-modal interactions, and plugins.|https://github.com/lobehub/lobe-chat|{{AUR|lobe-chat}}}}
* {{App|LocalAI|Free, Open Source OpenAI alternative with CPU optimizations.|https://github.com/mudler/LocalAI|{{AUR|local-ai}}}}
* {{App|RisuAI|User-friendly software for LLM roleplaying with local AI models.|https://risuai.xyz|{{AUR|risuai-bin}}}}
* {{App|NextChat|A cross-platform ChatGPT client.|https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web|{{AUR|nextchat-bin}}}}
* {{App|noi-desktop|AI-powered desktop assistant for exploration and task automation.|https://noi.ai|{{AUR|noi-desktop-bin}}}}
* {{App|Open-GPT|A ChatGPT client using the OpenAI API.|https://github.com/BeanDx/open-gpt/tree/main|{{AUR|open-gpt-bin}}}}
* {{App|SillyTavern|A feature-rich local interface for interacting with large language models (LLMs), generating images, and synthesizing speech.|https://sillytavern.app/|{{AUR|sillytavern-git}}}}
* {{App|[[Wikipedia:Mycroft (software)|Mycroft]]|Intelligent personal assistant and knowledge navigator with speech recognition.|https://mycroft.ai/|{{AUR|mycroft-core}}}}

==== Terminal clients ====

* {{App|AICommits|CLI that writes your git commit messages with AI.|https://github.com/Nutlope/aicommits|{{AUR|aicommits}}}}
* {{App|AIChat|A versatile CLI tool for interacting with AI models, featuring REPL-like functionality, shell assistance, and support for multiple AI providers.|https://github.com/sigoden/aichat|{{Pkg|aichat}}}}
* {{App|AIChat NG|An enhanced fork of AIChat with advanced features for terminal-based AI interactions.|https://github.com/blob42/aichat-ng|{{AUR|aichat-ng}}}}
* {{App|Gemini CLI|Open-source AI agent that brings the power of Google Gemini directly into your terminal.|https://github.com/google-gemini/gemini-cli|{{Pkg|gemini-cli}}}}
* {{App|GitHub Copilot CLI|Official CLI interface for GitHub Copilot coding assistant.|https://github.com/github/copilot-cli|{{AUR|github-copilot-cli}}}}
* {{App|OpenCommit|Auto-generate meaningful git commit messages with AI.|https://github.com/di-sukharev/opencommit|{{AUR|opencommit}}}}
* {{App|TLM|Local CLI Copilot powered by Ollama.|https://github.com/yusufcanb/tlm|{{AUR|tlm}}}}
* {{App|ShellGPT|A productivity-focused CLI tool powered by OpenAI's ChatGPT, designed for efficient command-line workflows.|https://github.com/TheR1D/shell_gpt|{{AUR|shellgpt-git}}}}

=== Development tools ===

* {{App|hfdownloader|Utility to download HuggingFace Models and Datasets.|https://github.com/bodaay/HuggingFaceModelDownloader|{{AUR|hfdownloader-git}}}}
* {{App|Rivet|IDE for creating complex AI agents and prompt chaining.|https://rivet.ironcladapp.com|{{AUR|ironclad-rivet-bin}}}}
* {{App|Kiro|Amazon's closed-source, AI-powered IDE for rapid prototyping to production.|https://kiro.dev/|{{AUR|kiro-ide}}}}
* {{App|koboldcpp|A simple one-file way to run various GGML and GGUF models with a KoboldAI UI.|https://github.com/LostRuins/koboldcpp|{{AUR|koboldcpp}}, {{AUR|koboldcpp-cuda}}, {{AUR|koboldcpp-hipblas}}}}
* {{App|llamafile|Distribute and run LLMs with a single file.|https://github.com/Mozilla-Ocho/llamafile|{{AUR|llamafile}}}}
* {{App|LM Studio|A user-friendly interface for discovering, downloading, and running local LLMs.|https://lmstudio.ai/|{{AUR|lmstudio-bin}}}}
* {{App|Msty|A simple and intuitive interface for accessing both local and online AI models.|https://msty.app|{{AUR|msty-bin}}}}
* {{App|netron|Visualizer for neural network, deep learning and machine learning models.|https://netron.app/|{{AUR|netron}}}}
* {{App|open-webui|Extensible self-hosted AI platform with WebUI and OpenAI API support for LLM runners.|https://github.com/open-webui/open-webui|{{AUR|open-webui-git}}}}

=== Coding assistants ===

* {{App|Crush|A powerful terminal-based AI assistant for developers, providing intelligent coding assistance directly in your terminal.|https://charm.sh/crush|{{AUR|crush}}, {{AUR|crush-bin}}}}
* {{App|Codename Goose|An extensible AI agent that goes beyond code suggestions - can install, execute, edit, and test with any LLM.|https://github.com/block/goose|{{AUR|codename-goose-bin}}}}
* {{App|Claude Code|An agentic coding tool that lives in your terminal.|https://github.com/anthropics/claude-code|{{AUR|claude-code}}}}
* {{App|codai|AI code assistant with session-based CLI for intelligent suggestions and refactoring.|https://github.com/meysamhadeli/codai|{{AUR|codai}}}}
* {{App|CodeGPT|A CLI written in Go language that writes git commit messages or does a code review brief for you using ChatGPT AI (gpt-4, gpt-3.5-turbo model) and automatically installs a git prepare-commit-msg hook.|https://github.com/appleboy/CodeGPT|{{AUR|codegpt-bin}}}}
* {{App|Cursor|Write, edit, and chat about your code with GPT.|https://cursor.so|{{AUR|cursor-bin}}}}
* {{App|opencode|AI coding agent built for the terminal.|https://github.com/sst/opencode|{{Pkg|opencode}}}}
* {{App|Kiro|An AI-powered IDE for rapid prototyping to production.|https://kiro.dev/ |{{AUR|kiro-ide}}}}
* {{App|qwen-code|CLI coding agent (fork of gemini-cli) with AI-powered code generation and assistance.|https://github.com/QwenLM/Qwen-Code|{{Pkg|qwen-code}}}}

=== Multimedia processing ===

==== Image generation ====

* {{App|RapidOCR|A cross platform OCR Library based on OnnxRuntime.|https://github.com/RapidAI/RapidOCR|{{AUR|python-rapidocr-onnxruntime}}}}
* {{App|Krita AI Diffusion|An intuitive AI-powered plugin for Krita, enabling seamless image inpainting and outpainting with optional text prompts.|https://github.com/Acly/krita-ai-diffusion|{{AUR|krita-ai-diffusion}}}}
* {{App|StabilityMatrix|A versatile package manager for Stable Diffusion, simplifying model management and integration.|https://github.com/LykosAI/StabilityMatrix|{{AUR|stabilitymatrix}}}}
* {{App|Stable Diffusion C++|Pure C/C++ implementation of Stable Diffusion for efficient inference on local machines.|https://github.com/leejet/stable-diffusion.cpp|{{AUR|stable-diffusion.cpp-git}}}}
* {{App|Stable Diffusion Web UI|Powerful web-based interface for Stable Diffusion, enabling high-quality image generation with customizable parameters.|https://github.com/AUTOMATIC1111/stable-diffusion-webui|{{AUR|stable-diffusion-webui-git}}}}
* {{App|Upscayl|A free and open-source AI-based image upscaler, enhancing image resolution while preserving quality.|https://github.com/upscayl/upscayl|{{AUR|upscayl-bin}}}}

==== Speech processing ====

* {{App|Coqui TTS|Deep learning toolkit for Text-to-Speech with support for 20+ languages.|https://github.com/coqui-ai/TTS|{{AUR|coqui-tts}}}}
* {{App|faster-whisper|Faster Whisper transcription implementation using CTranslate2.|https://github.com/guillaumekln/faster-whisper|{{AUR|python-faster-whisper}}}}
* {{App|Handy|A free, open source, and extensible speech-to-text application that works completely offline.|https://github.com/cjpais/Handy|{{AUR|handy}}}}
* {{App|MaryTTS|Multilingual TTS synthesis platform written in Java.|https://marytts.github.io/|{{AUR|marytts}}}}
* {{App|Piper|A fast, local neural text-to-speech system.|https://github.com/rhasspy/piper|{{AUR|piper-tts}}}}
* {{App|Sherpa-ONNX|Speech-to-text, text-to-speech, speaker diarization, and VAD using next-gen Kaldi with onnxruntime.|https://github.com/k2-fsa/sherpa-onnx|{{AUR|sherpa-onnx}}}}
* {{App|shisper|Script to generate subtitles and transcriptions using whisper.cpp.|https://github.com/M0Rf30/shisper|{{AUR|shisper-git}}}}
* {{App|vibe|Transcribe audio/video offline using OpenAI Whisper with GUI interface.|https://thewh1teagle.github.io/vibe/|{{AUR|vibe-bin}}}}
* {{App|VOICEVOX|Japanese TTS engine with anime-style character voices.|https://voicevox.hiroshiba.jp/|{{AUR|voicevox-appimage}}}}
* {{App|whisper.cpp|A C/C++ port of OpenAI's Whisper model for efficient speech recognition.|https://github.com/ggerganov/whisper.cpp|{{AUR|whisper.cpp}}, {{AUR|whisper.cpp-cuda}}, {{AUR|whisper.cpp-openvino}}}}
* {{App|whisper.cpp-models|Pre-trained models for whisper.cpp in various sizes.|https://github.com/ggerganov/whisper.cpp|{{AUR|whisper.cpp-model-large-v3}}, {{AUR|whisper.cpp-model-medium}}, {{AUR|whisper.cpp-model-small}}, {{AUR|whisper.cpp-model-tiny}}}}
* {{App|whispering|Open-source transcription application with global speech-to-text functionality.|https://whispering.bradenwong.com/|{{AUR|whispering-bin}}}}
* {{App|wiggly-stt|Local speech-to-text with whisper.cpp and clipboard integration.|https://github.com/hansp27/wiggly-stt|{{AUR|wiggly-stt}}}}

User talk:Lahwaacz

2026-04-26T19:49:53Z

Lahwaacz: /* Nvidia container without CUDA */ Reply