The XZ Utils backdoor is a symptom of a larger problem

Apr 2, 2024
On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarball releases made by Jia Tan were released with a backdoor. Thankfully, for multiple reasons, Alpine was not impacted by this backdoor, despite the recent source code tarball releases being published in Alpine edge.

Most breaches actually begin in corp

Dec 7, 2023
Readers of my blog will note that while I believe Rust is an excellent tool for developers to leverage when building software, there is a disconnect between the developers leveraging Rust features to improve their software and many of the advocates who talk about the language, which I believe is counterproductive when it comes to Rust advocacy.

Writing portable ARM64 assembly

Apr 13, 2023
An unfortunate side effect of the rising popularity of Apple’s ARM-based computers is an increase in unportable assembly code which targets the 64-bit ARM ISA. This is because developers are writing these bits of assembly code to speed up their programs when run on Apple’s ARM-based computers, without considering the other 64-bit ARM devices out there, such as SBCs and servers running Linux or BSD.

Help migrate a community from Discord to something else

Mar 8, 2023
During the height of the pandemic, I set up a community using Discord. Since then, it has evolved into being one of the most active (yet tight-knit) technical communities on Discord: members ranging from all around the world and from all sorts of technical and social backgrounds participate in conversations every day on a variety of topics.

pkgconf, CVE-2023-24056 and disinformation

Jan 24, 2023
Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 and 1.8.1 respectively, to address CVE-2023-24056, a pkg-config specific variation of the now-classic “billion laughs attack”. While fixing software defects is important, a lot went wrong with how this CVE was reported and the motivations behind its disclosure, and for my own catharsis, I want to talk about this.

Building fair webs of trust by leveraging the OCAP model

Dec 3, 2022
Since the beginning of the Internet, determining the trustworthiness of participants and published information has been a significant point of contention. Many systems have been proposed to solve these underlying concerns, usually pertaining to specific niches and communities, but these pre-existing solutions are nebulous at best. How can we build infrastructure for truly democratic Webs of Trust?

Twitter's demise is ActivityPub's future

Nov 12, 2022
Earlier today, I deleted all of my tweets and left Twitter forever. While I plan on leaving a nightlight thread for a while, I will eventually close my account, assuming Elon doesn’t do it for me. The past week has been an emotional rollercoaster for me as I have watched everything play out.

The internet is broken due to structural injustice

Oct 27, 2022
Over the past few years, I’ve come to realize that the Internet as we know it is utterly broken. Lately, I’ve also been pondering how participants in the modern Internet have enabled and perpetuated harm to society at large. Repeatedly, we have seen the independence of the commons chipped away by powerful men who wish for participants to serve their own whims, while those who raise concerns with these developments are either shunned, banned or doxed.

So you've decided to start a free software consultancy...

Aug 11, 2022
Recently a friend of mine told me that he was planning to start a free software consultancy, and asked for my advice, as I have an extensive background doing free software consulting for a living. While I have already given him some advice on how to proceed, I thought it might be nice to write a blog expanding on my answer, so that others who are interested in pursuing free software consulting may benefit.

Free software grows as a function of social utility

Aug 6, 2022
A frequent complaint I see from users and inexperienced contributors concerning free software projects is that they are allegedly not doing enough to grow the userbase, sometimes even asserting that a fork is necessary to right the course of the project. Are these complaints missing the point, or do they have merit?