bos-settings 0.3.1: bread-theme v0.2.8 (working live reload)

Pick up the directory-watch fix so bos-settings hot-reloads the shared stylesheet
on `bread-theme reload` like the rest of the desktop (its v0.2.6 build had the
broken file-watch). No code change — only the dependency + version bump.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.forgejo/workflows/release-iso.yml

@@ -1,207 +0,0 @@
-name: Build and release ISO
-
-# Builds the BOS ISO on the hestia self-hosted runner (native Arch container),
-# downloads all bakery ecosystem binaries from their GitHub releases, compiles
-# bread-theme from source, and uploads the resulting ISO to a Forgejo pre-release.
-# A matching GitHub release is created that points to Forgejo for the download
-# (GitHub releases cannot host files larger than 2 GB).
-#
-# Required secrets:
-#   RELEASE_TOKEN  — Forgejo API token with write:repository scope
-#   MIRROR_TOKEN   — GitHub personal access token with repo scope (already used by mirror.yml)
-
-on:
-  push:
-    tags: ['v*']
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Git tag to build (e.g. v0.4.0)'
-        required: true
-
-jobs:
-  release-iso:
-    runs-on: [self-hosted, hestia]
-    container:
-      image: archlinux:latest
-      # --privileged: mkarchiso needs CAP_SYS_ADMIN for loop mounts + mknod
-      # --network=host: gives localhost:3002 access to Forgejo (avoids the
-      #   public git.breadway.dev → Aegis → Tailscale round-trip for pacman)
-      options: --privileged --network=host
-
-    steps:
-      - name: Install build dependencies
-        run: |
-          pacman -Syu --noconfirm archiso curl python git rust
-
-      - name: Determine tag and version
-        id: vars
-        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            TAG="${{ github.event.inputs.tag }}"
-          else
-            TAG="${{ github.ref_name }}"
-          fi
-          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
-          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
-
-      - name: Clone repository at tag
-        run: |
-          git clone --branch "${{ steps.vars.outputs.tag }}" --depth 1 \
-            "https://git.breadway.dev/${GITHUB_REPOSITORY}.git" /bos
-
-      - name: Download bakery ecosystem binaries
-        run: |
-          set -euo pipefail
-          mkdir -p /build-home/.local/bin \
-                   /build-home/.local/state/bakery \
-                   /build-home/.cache/bakery
-
-          # Fetch the canonical bakery index
-          curl -fsSL "https://dl.breadway.dev/index.json" \
-            -o /build-home/.cache/bakery/index.json
-
-          # Download each binary from dl.breadway.dev (canonical source; github_url
-          # is not always published for dev/patch releases) and generate the
-          # installed.json that bakery expects in ~/.local/state.
-          python3 << 'PYEOF'
-          import json, urllib.request, os
-
-          with open('/build-home/.cache/bakery/index.json') as f:
-              idx = json.load(f)
-
-          BIN_DIR = '/build-home/.local/bin'
-          installed = {}
-
-          for pkg_name, pkg in idx['packages'].items():
-              bins = []
-              for b in pkg['binaries']:
-                  dest_name = b['name'].removesuffix('-x86_64')
-                  dest = os.path.join(BIN_DIR, dest_name)
-                  url = b['dl_url']
-                  print(f'  {dest_name}  <-  {url}', flush=True)
-                  urllib.request.urlretrieve(url, dest)
-                  os.chmod(dest, 0o755)
-                  bins.append(dest_name)
-
-              # installed.json services field is a flat list of unit-name strings
-              services = [
-                  (s['unit'] if isinstance(s, dict) else s)
-                  for s in pkg.get('services', [])
-              ]
-              installed[pkg_name] = {
-                  'name': pkg_name,
-                  'version': pkg['version'],
-                  'binaries': bins,
-                  'services': services,
-                  'installed_at': '2024-01-01T00:00:00+00:00',
-              }
-
-          with open('/build-home/.local/state/bakery/installed.json', 'w') as f:
-              json.dump({'packages': installed}, f, indent=2)
-          print('installed.json written', flush=True)
-          PYEOF
-
-      - name: Build bread-theme from source
-        run: |
-          set -euo pipefail
-          # bread-theme is not in the bakery index; build it at the tag pinned
-          # in bos-settings/Cargo.toml so the CLI matches the library version.
-          THEME_TAG=$(grep 'bread-theme.*tag' /bos/bos-settings/Cargo.toml \
-                      | grep -oP '"v[^"]+"' | tr -d '"')
-          echo "Building bread-theme @ $THEME_TAG"
-          git clone --branch "$THEME_TAG" --depth 1 \
-            https://github.com/Breadway/bread-ecosystem /bread-ecosystem
-          cd /bread-ecosystem
-          cargo build --release -p bread-theme
-          install -m 755 target/release/bread-theme /build-home/.local/bin/bread-theme
-          echo "bread-theme built OK"
-
-      - name: Build ISO
-        run: |
-          set -euo pipefail
-          mkdir -p /bos-work /bos-out
-          cd /bos
-          LAPTOP_HOME=/build-home \
-          WORK=/bos-work \
-          OUT=/bos-out \
-          CI_BUILD=1 \
-          bash build-local.sh
-          ls -lh /bos-out/*.iso
-
-      - name: Create Forgejo release and upload ISO
-        env:
-          FORGEJO_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          set -euo pipefail
-          TAG="${{ steps.vars.outputs.tag }}"
-          VERSION="${{ steps.vars.outputs.version }}"
-          ISO=$(ls /bos-out/*.iso | head -1)
-          ISO_NAME="bos-${VERSION}-x86_64.iso"
-
-          # Use an existing release for this tag if one exists (e.g. created
-          # manually or by a prior re-run), otherwise create a fresh one.
-          EXISTING=$(curl -sf \
-            -H "Authorization: token ${FORGEJO_TOKEN}" \
-            "http://localhost:3002/api/v1/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}" \
-            2>/dev/null || true)
-          RELEASE_ID=$(echo "${EXISTING}" | python3 -c \
-            "import json,sys; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
-
-          if [ -z "${RELEASE_ID}" ]; then
-            RELEASE=$(curl -fsS -X POST \
-              -H "Authorization: token ${FORGEJO_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "http://localhost:3002/api/v1/repos/${GITHUB_REPOSITORY}/releases" \
-              -d "{
-                \"tag_name\": \"${TAG}\",
-                \"name\": \"BOS ${TAG}\",
-                \"prerelease\": false,
-                \"body\": \"ISO image attached below.\\n\\nSee the [README](https://github.com/Breadway/bos#testing-in-a-vm) for VM testing instructions.\"
-              }")
-            RELEASE_ID=$(echo "${RELEASE}" | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
-          fi
-          echo "Using release ID: ${RELEASE_ID}"
-
-          # Remove any existing asset with the same name before uploading
-          ASSET_ID=$(curl -sf \
-            -H "Authorization: token ${FORGEJO_TOKEN}" \
-            "http://localhost:3002/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets" \
-            | python3 -c "
-          import json,sys
-          assets=json.load(sys.stdin)
-          match=[a['id'] for a in assets if a['name']=='${ISO_NAME}']
-          print(match[0] if match else '')
-          " 2>/dev/null || true)
-
-          if [ -n "${ASSET_ID}" ]; then
-            curl -fsS -X DELETE \
-              -H "Authorization: token ${FORGEJO_TOKEN}" \
-              "http://localhost:3002/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
-            echo "Removed existing ${ISO_NAME} asset"
-          fi
-
-          curl -fsS -X POST \
-            -H "Authorization: token ${FORGEJO_TOKEN}" \
-            -F "attachment=@${ISO};filename=${ISO_NAME}" \
-            "http://localhost:3002/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets"
-          echo "Uploaded: ${ISO_NAME}"
-
-      - name: Create GitHub release
-        env:
-          GH_TOKEN: ${{ secrets.MIRROR_TOKEN }}
-        run: |
-          set -euo pipefail
-          TAG="${{ steps.vars.outputs.tag }}"
-          VERSION="${{ steps.vars.outputs.version }}"
-          FORGEJO_URL="https://git.breadway.dev/${GITHUB_REPOSITORY}/releases/tag/${TAG}"
-
-          printf '**Download ISO:** %s\n\nGitHub releases cannot host files >2 GB; the `bos-%s-x86_64.iso` (~2.5 GB) is on Forgejo.\n\nSee the [README](https://github.com/Breadway/bos#testing-in-a-vm) for VM testing instructions.' \
-            "${FORGEJO_URL}" "${VERSION}" > /tmp/gh-release-notes.md
-
-          gh release create "${TAG}" \
-            --repo "Breadway/bos" \
-            --title "BOS ${TAG}" \
-            \
-            --notes-file /tmp/gh-release-notes.md \
-          2>/dev/null || echo "GitHub release already exists — skipping"

.gitignore

@@ -27,7 +27,6 @@ secrets/
 # archiso build artifacts (these are large and reproducible)
 /iso-build/
 /iso-out/
-/out/
 *.iso
 *.img
 

Cargo.lock

@@ -28,7 +28,7 @@ checksum = "b4388bee8683e3d04af747c73422af53102d2bd24d9eadb6cbc100baef4b43f8"
 
 [[package]]
 name = "bos-settings"
-version = "0.4.0"
+version = "0.3.1"
 dependencies = [
  "async-channel",
  "bread-theme",

bos-settings/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bos-settings"
-version = "0.4.0"
+version = "0.3.1"
 edition = "2021"
 
 [dependencies]

bos-settings/src/ui/views/breadbar.rs

@@ -6,6 +6,7 @@ fn css_path() -> PathBuf {
     crate::config::config_dir().join("breadbar/style.css")
 }
 
+
 pub fn build() -> GBox {
     let path = css_path();
     let existing_css = std::fs::read_to_string(&path).unwrap_or_default();

bos-settings/src/ui/views/packages.rs

@@ -50,10 +50,9 @@ fn stream_command(args: &[&str], log_buf: gtk4::TextBuffer) {
             }
         };
 
-        // Merge stderr into the channel too.
-        // Both are Some because we spawned with Stdio::piped() above.
-        let stdout = child.stdout.take().expect("stdout piped");
-        let stderr = child.stderr.take().expect("stderr piped");
+        // Merge stderr into the channel too
+        let stdout = child.stdout.take().unwrap();
+        let stderr = child.stderr.take().unwrap();
 
         let tx2 = sender.clone();
         std::thread::spawn(move || {

build-local.sh

@@ -25,15 +25,10 @@ OUT="${OUT:-$REPO/out}"
 STAGE=/tmp/bos-iso-stage
 rm -rf "$STAGE" && cp -a "$REPO/iso" "$STAGE"
 
-# Rewrite the [breadway] pacman repo URL to the fastest reachable address.
-#   CI_BUILD=1  — container runs on hestia with --network=host; localhost:3002 is direct
-#   default     — building on hermes; git.breadway.dev is flaky from there, use Tailscale
-# Only ever rewrites the staged copy, never the committed pacman.conf.
-if [ "${CI_BUILD:-0}" = "1" ]; then
-  sed -i 's#https://git.breadway.dev/api/packages/Breadway/arch/os#http://localhost:3002/api/packages/Breadway/arch/os#' "$STAGE/pacman.conf"
-else
-  sed -i 's#https://git.breadway.dev/api/packages/Breadway/arch/os#http://100.66.238.26:3002/api/packages/Breadway/arch/os#' "$STAGE/pacman.conf"
-fi
+# The public git.breadway.dev URL is flaky/unreachable from hermes; Forgejo is
+# directly reachable over Tailscale (hestia 100.66.238.26:3002). Only rewrites
+# the staged copy, never the committed pacman.conf.
+sed -i 's#https://git.breadway.dev/api/packages/Breadway/arch/os#http://100.66.238.26:3002/api/packages/Breadway/arch/os#' "$STAGE/pacman.conf"
 
 if [ "${FAST_BUILD:-0}" = "1" ]; then
   echo "=== FAST_BUILD: squashfs -> zstd level 6 ==="
@@ -49,7 +44,7 @@ grep airootfs_image_tool_options "$STAGE/profiledef.sh"
 # created from skel (the live user and the installed user) then gets the same
 # versions `bakery list` reports here, fully offline. Copied at build time so the
 # binaries never bloat the git repo and always track the current bakery state.
-BREAD_BINS=(bakery bread breadd breadman breadbar breadbox breadbox-sync breadcrumbs breadpad breadpaper bread-theme)
+BREAD_BINS=(bakery bread breadd breadman breadbar breadbox breadbox-sync breadcrumbs breadpad bread-theme)
 LAPTOP_HOME="${LAPTOP_HOME:-$(getent passwd "${SUDO_USER:-$USER}" | cut -d: -f6)}"
 BAKERY_BIN="$LAPTOP_HOME/.local/bin"
 BAKERY_STATE="$LAPTOP_HOME/.local/state/bakery"

iso/airootfs/etc/calamares/post-install.sh

@@ -24,46 +24,23 @@ userdel -r liveuser 2>/dev/null || true
 passwd -l root || true
 
 # ---------------------------------------------------------------------------
-# Pacman keyring. The live medium's /etc/pacman.d/gnupg doesn't reliably carry
-# over to the target (unpackfs may skip it / perms differ), leaving the installed
-# system unable to verify package signatures — the first `pacman -Syu` then dies
-# with "keyring is not writable / required key missing". Initialise it here so a
-# fresh install can update out of the box. archlinux-keyring is already present;
-# [breadway] is SigLevel=Never so it needs no key.
+# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Done
+# BEFORE grub so grub.cfg picks up the new cmdline and the rebuilt initramfs.
+# All best-effort: if anything here fails the system still boots (just without
+# the splash) — the initramfs the initcpio module already built stays valid.
 # ---------------------------------------------------------------------------
-if command -v pacman-key &>/dev/null; then
-    pacman-key --init || echo "WARN: pacman-key --init failed"
-    pacman-key --populate archlinux || echo "WARN: pacman-key --populate failed"
-fi
-
-# ---------------------------------------------------------------------------
-# Initramfs HOOKS: microcode + plymouth. Edit HOOKS first, rebuild once below.
-#   microcode — embeds the (autodetect-pruned) CPU microcode into the initramfs
-#     so it loads at early boot. The live ISO embeds ucode the same way, so the
-#     ISO /boot carries no separate ucode image and bos-copy-kernel stages none
-#     onto the target — the installed initramfs must therefore carry it itself.
-#     Must sit AFTER `autodetect` so it's pruned to the running CPU's microcode.
-#   plymouth — the BOS boot splash. Only the udev `plymouth` hook exists (there
-#     is NO `sd-plymouth`), so always insert it after `udev`.
-# All best-effort: a failure here still leaves a bootable initramfs.
-# ---------------------------------------------------------------------------
-if [[ -f /etc/mkinitcpio.conf ]]; then
-    if ! grep -qE '^HOOKS=.*\bmicrocode\b' /etc/mkinitcpio.conf; then
-        sed -i 's/^\(HOOKS=.*\bautodetect\b\)/\1 microcode/' /etc/mkinitcpio.conf \
-            || echo "WARN: adding microcode hook failed"
-    fi
-    if command -v plymouth-set-default-theme &>/dev/null \
-       && ! grep -qE '^HOOKS=.*\bplymouth\b' /etc/mkinitcpio.conf; then
+if command -v plymouth-set-default-theme &>/dev/null; then
+    # Ensure the plymouth hook is in HOOKS (plymouthcfg/initcpiocfg usually add it;
+    # this is the belt). Handle both the udev and systemd initramfs styles.
+    if ! grep -q 'plymouth' /etc/mkinitcpio.conf 2>/dev/null; then
+        if grep -qE '^HOOKS=.*\bsystemd\b' /etc/mkinitcpio.conf; then
+            sed -i 's/^\(HOOKS=.*\bsystemd\b\)/\1 sd-plymouth/' /etc/mkinitcpio.conf \
+                || echo "WARN: adding sd-plymouth hook failed"
+        else
             sed -i 's/^\(HOOKS=.*\budev\b\)/\1 plymouth/' /etc/mkinitcpio.conf \
                 || echo "WARN: adding plymouth hook failed"
         fi
-fi
-
-# ---------------------------------------------------------------------------
-# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Set the
-# theme + cmdline BEFORE grub so grub.cfg picks up the new cmdline.
-# ---------------------------------------------------------------------------
-if command -v plymouth-set-default-theme &>/dev/null; then
+    fi
     # Clean boot: splash activates plymouth; hiding systemd status removes the
     # "[ OK ] Started ..." text (what looked like kernel output) even if the
     # splash itself doesn't grab the display (e.g. in some VMs).
@@ -71,13 +48,10 @@ if command -v plymouth-set-default-theme &>/dev/null; then
         sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\)/\1splash quiet vt.global_cursor_default=0 systemd.show_status=false rd.systemd.show_status=false rd.udev.log_level=3 /' \
             /etc/default/grub || echo "WARN: adding splash cmdline failed"
     fi
-    plymouth-set-default-theme bos || echo "WARN: plymouth-set-default-theme failed"
+    # Set the BOS theme and rebuild the initramfs (-R) with the plymouth hook.
+    plymouth-set-default-theme -R bos || echo "WARN: plymouth-set-default-theme failed"
 fi
 
-# Rebuild every preset (default + fallback that bos-copy-kernel wrote) so the
-# microcode + plymouth HOOKS above are actually baked into the initramfs.
-mkinitcpio -P || echo "WARN: mkinitcpio -P failed"
-
 # ---------------------------------------------------------------------------
 # Install GRUB (UEFI). /boot now has the kernel + initramfs, and the mount
 # module has bind-mounted /proc /sys /dev /run + efivars into this chroot, so

iso/airootfs/etc/default/useradd

@@ -1,7 +0,0 @@
-SHELL=/usr/bin/zsh
-GROUP=users
-HOME=/home
-INACTIVE=-1
-EXPIRE=
-SKEL=/etc/skel
-CREATE_MAIL_SPOOL=no

iso/airootfs/etc/pacman.conf

@@ -35,8 +35,7 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). Future improvement: import Forgejo's signing key and
-# switch to SigLevel = Required for full package verification.
+# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.

iso/airootfs/etc/skel/.config/hypr/hyprland.lua

@@ -90,7 +90,6 @@ end
 -- ---------------------------------------------------------------------------
 hl.window_rule({ name = "bos-keybinds", match = { class = "^(bos-keybinds)$" }, float = true, size = { 760, 720 } })
 hl.window_rule({ name = "bos-welcome",  match = { class = "^(bos-welcome)$" },  float = true, size = { 700, 560 } })
-hl.window_rule({ name = "bos-netsetup", match = { class = "^(bos-netsetup)$" }, float = true, size = { 700, 560 } })
 
 -- ---------------------------------------------------------------------------
 -- Environment (vendor-neutral; no GPU-specific vars so it works on Intel/AMD).
@@ -204,12 +203,7 @@ hl.on("hyprland.start", function()
         "awww-daemon",
         -- set the default wallpaper once the daemon is up (retry until ready)
         [[bash -c 'until awww img /usr/share/backgrounds/bos/bread-background.png 2>/dev/null; do sleep 0.3; done']],
-        -- breadd runs as a systemd user service (~/.config/systemd/user/breadd.service,
-        -- enabled in skel). It autostarts at login but before Hyprland exists, so
-        -- push the compositor's Wayland env into the user manager and restart breadd
-        -- to pick it up — that's how it gets HYPRLAND_INSTANCE_SIGNATURE to talk to Hyprland.
-        "dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP HYPRLAND_INSTANCE_SIGNATURE",
-        "systemctl --user restart breadd",
+        "breadd",
         "breadbar",
         "breadbox-sync",
         "hypridle",

iso/airootfs/etc/skel/.config/systemd/user/breadd.service

@@ -1,21 +0,0 @@
-[Unit]
-Description=Bread Runtime Daemon
-
-[Service]
-Type=simple
-# %h = the user's home — works for any account created from this skel.
-ExecStart=%h/.local/bin/breadd
-Restart=on-failure
-RestartSec=2
-UMask=0077
-RuntimeDirectory=bread
-RuntimeDirectoryMode=0700
-# Keep /run/user/<uid>/bread across restarts so the shared theme.css that
-# bread-theme writes there (and the daemon socket) survive a `restart breadd`.
-RuntimeDirectoryPreserve=yes
-KillSignal=SIGTERM
-TimeoutStopSec=5
-Environment=RUST_LOG=info
-
-[Install]
-WantedBy=default.target

iso/airootfs/etc/skel/.config/systemd/user/default.target.wants/breadd.service

@@ -1 +0,0 @@
-../breadd.service

iso/airootfs/usr/local/bin/bos-live-setup

@@ -11,7 +11,7 @@ set -e
 # (breadd + breadbar + breadbox + keybinds) — proper live-media functionality,
 # not an installer kiosk.
 if ! id liveuser &>/dev/null; then
-    useradd -m -s /usr/bin/zsh liveuser
+    useradd -m -s /bin/bash liveuser
     for g in wheel video input audio storage power; do
         getent group "$g" >/dev/null 2>&1 && gpasswd -a liveuser "$g" >/dev/null || true
     done

iso/airootfs/usr/local/bin/bos-welcome

@@ -10,25 +10,6 @@ set -u
 marker="${XDG_CONFIG_HOME:-$HOME/.config}/bos/.welcomed"
 [[ -f "$marker" ]] && exit 0
 mkdir -p "$(dirname "$marker")"
-
-# First-run network check. A fresh install usually boots with no connection
-# (Wi-Fi isn't configured during install), and the first `bos-update`/pacman run
-# then fails with confusing DNS/"could not resolve host" errors. If
-# NetworkManager reports we're not fully online, open nmtui so the user can join
-# a network before anything else. Best-effort: missing nmcli/nmtui/kitty, or the
-# user quitting nmtui, must never block the welcome below.
-if command -v nmcli &>/dev/null; then
-    conn="$(nmcli networking connectivity check 2>/dev/null)"
-    if [[ "$conn" != "full" ]]; then
-        notify-send -u normal "BOS" "No internet yet — opening network setup so updates work." 2>/dev/null || true
-        if command -v nmtui &>/dev/null; then
-            kitty --class bos-netsetup --title "Connect to a network" -- nmtui connect 2>/dev/null || true
-        fi
-    fi
-fi
-
-# Mark welcomed only now, so an interrupted/aborted network step still re-prompts
-# next login rather than being suppressed forever.
 touch "$marker"
 
 exec kitty --class bos-welcome --title "Welcome to BOS" -- less -R /usr/share/bos/welcome.txt

iso/packages.x86_64

@@ -139,13 +139,10 @@ file-roller
 
 # GUI applications a general desktop is expected to have out of the box.
 # gnome-text-editor: graphical editor (terminal editors aside); gnome-calculator:
-# calculator; loupe: Wayland-native image viewer (default for image files);
-# zathura(+pdf-mupdf): lightweight Wayland PDF viewer (BOS had no PDF reader).
+# calculator; loupe: Wayland-native image viewer (default for image files).
 gnome-text-editor
 gnome-calculator
 loupe
-zathura
-zathura-pdf-mupdf
 # Media player — BOS ships gstreamer codecs but otherwise has no player app.
 vlc
 # Web browser (served from the [Breadway] repo; AUR zen-browser-bin republished
@@ -193,12 +190,6 @@ plymouth
 gst-plugins-good
 gst-plugins-bad
 gst-plugins-ugly
-# Hardware video acceleration (VA-API) — lets the AMD/Intel GPU decode H.264/HEVC/
-# VP9 in mpv, VLC, and browsers instead of the CPU (cooler, longer battery on
-# video). The open Mesa VA-API backend (radeonsi_drv_video.so etc.) now ships in
-# the `mesa` package itself (pulled in already), so only libva (deps) + the
-# `vainfo` verification tool need listing here.
-libva-utils
 # GUI audio mixer — useful when output device needs manual switching.
 pavucontrol
 

iso/pacman.conf

@@ -35,8 +35,7 @@ Include = /etc/pacman.d/mirrorlist
 #
 # Forgejo signs the repo db with a key pacman can't look up, so TrustAll
 # fails. SigLevel = Never skips verification (acceptable for this private
-# repo over TLS). Future improvement: import Forgejo's signing key and
-# switch to SigLevel = Required for full package verification.
+# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required.
 # -----------------------------------------------------------------------
 # The section name must match Forgejo's served db filename
 # ({owner}.{group}.{domain}.db) — pacman fetches "<section>.db" from Server.