forked from marfrit/marfrit-packages
a36cf85e06c0f1f01d9105f884a3f209ce948c76
iter10 of the panvk-bifrost campaign. Eliminates the cosmetic
'--disable-gpu-sandbox' warning at brave-vulkan launch + pins the
Mesa tarball hash + makes the Vulkan ICD selection deterministic
across filesystems.
PKGBUILD changes (pkgrel: 1 -> 2):
- install ICD JSON at /usr/share/vulkan/icd.d/00-panvk-bifrost.json
(was: /usr/lib/panvk-bifrost/icd.json — required VK_ICD_FILENAMES,
which the GPU sandbox would strip, forcing --disable-gpu-sandbox)
- libvulkan_panfrost.so install path unchanged at /usr/lib/panvk-bifrost/
- sha256sums[0] pinned to 1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89
(mesa-26.0.6.tar.xz from archive.mesa3d.org); patches + brave-vulkan +
icd.json remain SKIP since they're in-tree (git-tracked)
brave-vulkan changes:
- dropped --no-sandbox + --disable-gpu-sandbox: env vars MESA_VK_VERSION_OVERRIDE
and PAN_I_WANT_A_BROKEN_VULKAN_DRIVER survive the GPU sandbox boundary
(Mesa loader reads them pre-seccomp-lockdown)
- dropped VK_ICD_FILENAMES (loader auto-picks via icd.d/ directory scan)
- added VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' for deterministic
ICD selection — Vulkan loader's readdir order is implementation-defined
per Khronos LoaderDriverInterface, so the '00-' filename prefix is
not spec-backed (ext4 happens to give insertion-order, other filesystems
may not). VK_LOADER_DRIVERS_SELECT short-circuits readdir ambiguity.
(Phase 5 review hardening.)
Test result on ohm (pre-push validation):
- brave-vulkan launches Brave without sandbox bypass
- seccomp-bpf sandboxes activate normally for utility/renderer processes
- 'panvk is not a conformant Vulkan implementation' fires ONCE (loader-select
excluded stock ICD from enumeration — only patched driver loads)
- GPU process boots, no 'Exiting GPU process' error
- Brave runs through full test timeout cleanly
README updated to reflect the new install layout + simplified wrapper.
Campaign artifacts: ~/src/panvk-bifrost/{phase0_findings_iter10.md,
phase8_iteration9_close.md (which iter10 polishes)}.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
marfrit-packages
Overlay package repository for the reauktion.de infrastructure.
Published at: https://packages.reauktion.de/
Scope
| Tree | Arches | Notes |
|---|---|---|
| Arch Linux ARM (ALARM) | aarch64 | primary target — Pi 5, Rock 5, ampere, KU-1255 test rigs |
| Arch Linux | x86_64 | for nuccies / workstations |
| Debian | arm64, amd64 | for non-Arch hosts |
MIPS is intentionally unsupported. The Fritz!Box is sacred.
Layout (served at packages.reauktion.de)
packages.reauktion.de/
├── arch/
│ ├── aarch64/{marfrit.db,marfrit.files,*.pkg.tar.{xz,zst}{,.sig}}
│ └── x86_64/...
├── debian/
│ ├── dists/
│ │ ├── bookworm/{Release,InRelease,Release.gpg,main/binary-{arm64,amd64}/...}
│ │ └── trixie/...
│ └── pool/main/...
└── marfrit.gpg # public signing key
Adding the repo (Arch / ALARM)
curl -sO https://packages.reauktion.de/marfrit.gpg
sudo pacman-key --add marfrit.gpg
sudo pacman-key --lsign-key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C
# Paste at the end of /etc/pacman.conf:
[marfrit]
Server = https://packages.reauktion.de/arch/$arch
SigLevel = Required DatabaseRequired
sudo pacman -Sy
Adding the repo (Debian)
sudo install -m 755 -d /etc/apt/keyrings
curl -s https://packages.reauktion.de/marfrit.gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/marfrit.gpg
echo "deb [signed-by=/etc/apt/keyrings/marfrit.gpg] https://packages.reauktion.de/debian $(lsb_release -cs) main" | \
sudo tee /etc/apt/sources.list.d/marfrit.list
sudo apt update
Signing key
- Fingerprint: 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C
- UID: Markus Fritsche (marfrit-repo signing) <mfritsche@reauktion.de>
- Expires: 2030-04-13
Key management procedures (renewal, rotation, revocation) live in DokuWiki at private:reauktion:marfrit_repo_key (admin-only).
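The fingerprint above is what anchors trust in the downloaded `marfrit.gpg`, and the Debian steps write the file into the keyring without comparing it. The following is an added example, not part of this repository: it checks that a downloaded key file holds exactly one primary key with the published fingerprint before it is handed to `pacman-key` or copied to `/etc/apt/keyrings`. The function names and the script name `verify-key.sh` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not shipped in marfrit-packages):
# refuse a downloaded key file unless it holds exactly one primary key
# whose fingerprint equals the one published in the README.

EXPECTED_FPR=92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C   # value from the README

# Read `gpg --with-colons` output on stdin and print one fingerprint per
# primary key. An "fpr" record is the primary key's only when it follows a
# "pub" record; the "fpr" after a "sub" record belongs to a subkey.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# usage: listing_matches EXPECTED_FPR < colon-listing
# Two keys in the file yield two output lines, which never equal a single
# fingerprint, so a file carrying an extra key fails as well.
listing_matches() {
    [ -n "$1" ] && [ "$(primary_fprs)" = "$1" ]
}

# usage: verify_key_file FILE   (needs gpg; --show-keys does not import)
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$EXPECTED_FPR"
}

# Stand-alone use: ./verify-key.sh marfrit.gpg
if [ "$#" -eq 1 ]; then
    if verify_key_file "$1"; then
        echo "OK: $1 contains only $EXPECTED_FPR"
    else
        echo "MISMATCH: do not add $1 to pacman-key or /etc/apt/keyrings" >&2
        exit 1
    fi
fi
```

Run it between the `curl` download and the `pacman-key --add` or `gpg --dearmor` step; a non-zero exit means the served key is not the one documented here.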
Layout in this Git repo
marfrit-packages/
├── README.md
├── arch/
│ └── distcc-avahi/ # ALARM distcc with --with-avahi
├── debian/ # (future) Debian source packages
└── .gitea/
└── workflows/
└── build.yml # CI pipeline stub
mfritsche@reauktion.de.
Description
ALARM aarch64 + Arch x86_64 + Debian arm64/amd64 overlay repo — published at packages.reauktion.de