C SBOMs, and how pkgconf can solve this problem

I recently attended FOSDEM, and saw a talk in the SBOM devroom about a software engineer’s attempts to build an SBOM for a C project. There are a number of reasons why the C ecosystem is difficult to reflect in SBOMs, but the largest problem is that the C ecosystem is fractured across a handful of build systems: GNU Autotools, CMake and Meson are the primary build systems used by projects but there are hundreds of others in the long tail.

The XZ Utils backdoor is a symptom of a larger problem

On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarball releases made by Jia Tan were released with a backdoor. Thankfully, for multiple reasons, Alpine was not impacted by this backdoor, despite the recent source code tarball releases being published in Alpine edge. But what lessons do we need to learn from this incident?
The software “supply chain” is not real
As a community of hackers, we have built an exhaustive commons of free software released under various free licenses such as the GPL and the Apache 2.

Most breaches actually begin in corp

Readers of my blog will note that while I believe Rust is an excellent tool for developers to leverage when building software, there is a disconnect between the developers leveraging Rust features to improve their software and many of the advocates who talk about the language, which I believe is counterproductive when it comes to Rust advocacy. For example, I see takes like these frequently, which generally advocate that if only we adopted memory safe languages, we would solve all security problems in computing forever:

Writing portable ARM64 assembly

An unfortunate side effect of the rising popularity of Apple’s ARM-based computers is an increase in unportable assembly code which targets the 64-bit ARM ISA. This is because developers are writing these bits of assembly code to speed up their programs when run on Apple’s ARM-based computers, without considering the other 64-bit ARM devices out there, such as SBCs and servers running Linux or BSD. The good news is that it is very easy to write assembly which targets Apple’s computers as well as the other 64-bit ARM devices running operating systems other than Darwin.

Help migrate a community from Discord to something else

During the height of the pandemic, I set up a community using Discord. Since then, it has evolved into being one of the most active (yet tight-knit) technical communities on Discord: members ranging from all around the world and from all sorts of technical and social backgrounds participate in conversations every day on a variety of topics.
Why leave Discord?
The current situation sounds pretty good, right? Well, as Richard Stallman warned, proprietary services masquerading as software do not necessarily act on behalf of the user.

pkgconf, CVE-2023-24056 and disinformation

Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 and 1.8.1 respectively, to address CVE-2023-24056, a pkg-config specific variation of the now-classic “billion laughs attack”. While fixing software defects is important, a lot went wrong with how this CVE was reported and the motivations behind its disclosure, and for my own catharsis, I want to talk about this.
The origin of pkgconf
To hopefully explain why I am so bothered by all of this, let’s first understand the history of pkgconf: a project I began noodling on in March 2011.

The internet is broken due to structural injustice

Over the past few years, I’ve come to realize that the Internet as we know it is utterly broken. Lately, I’ve also been pondering how participants in the modern Internet have enabled and perpetuated harm to society at large. Repeatedly, we have seen the independence of the commons chipped away by powerful men who wish for participants to serve their own whims, while those who raise concerns with these developments are either shunned, banned or doxed.

How efficient can cat(1) be?

There have been a few initiatives in recent years to implement a new userspace base system for Linux distributions as an alternative to the GNU coreutils and BusyBox. Recently, one of the authors of one of these proposed implementations made the pitch in a few IRC channels that her cat implementation, which was derived from OpenBSD’s implementation, was the most efficient. But is it actually?
Understanding what cat actually does
At the most basic level, cat takes one or more files and dumps them to stdout.