Two weeks of wayback

A poorly kept secret is that the X11 graphics stack is under-maintained as resources shift towards the maintenance of Wayland’s graphics stack instead. To some extent, technical steering committees in major distributions have been watching this situation develop for the past few years with increasing concern, as limited maintenance becomes a security risk: bugs accumulate and already burdened distribution security teams have to carry the security maintenance load in an absence of new releases.

C SBOMs, and how pkgconf can solve this problem

I recently attended FOSDEM, and saw a talk in the SBOM devroom about a software engineer’s attempts to build an SBOM for a C project. There are a number of reasons why the C ecosystem is difficult to reflect in SBOMs, but the largest problem is that the C ecosystem is fractured across a handful of build systems: GNU Autotools, CMake and Meson are the primary build systems used by projects but there are hundreds of others in the long tail.

The XZ Utils backdoor is a symptom of a larger problem

On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarball releases made by Jia Tan were released with a backdoor. Thankfully, for multiple reasons, Alpine was not impacted by this backdoor, despite the recent source code tarball releases being published in Alpine edge. But what lessons do we need to learn from this incident? The software “supply chain” is not real As a community of hackers, we have built an exhaustive commons of free software released under various free licenses such as the GPL and the Apache 2.

Most breaches actually begin in corp

Readers of my blog will note that while I believe Rust is an excellent tool for developers to leverage when building software, that there is a disconnect between the developers leveraging Rust features to improve their software and many of the advocates who talk about the language, which I believe is counterproductive when it comes to Rust advocacy. For example, I see takes like these frequently, which generally advocate that if only we adopted memory safe languages, we would solve all security problems in computing forever:

Writing portable ARM64 assembly

An unfortunate side effect of the rising popularity of Apple’s ARM-based computers is an increase in unportable assembly code which targets the 64-bit ARM ISA. This is because developers are writing these bits of assembly code to speed up their programs when run on Apple’s ARM-based computers, without considering the other 64-bit ARM devices out there, such as SBCs and servers running Linux or BSD. The good news is that it is very easy to write assembly which targets Apple’s computers as well as the other 64-bit ARM devices running operating systems other than Darwin.

Help migrate a community from Discord to something else

During the height of the pandemic, I set up a community using Discord. Since then, it has evolved into being one of the most active (yet tight-knit) technical communities on Discord: members ranging from all around the world and from all sorts of technical and social backgrounds participate in conversations every day on a variety of topics. Why leave Discord? The current situation sounds pretty good, right? Well, as Richard Stallman warned, proprietary services masquerading as software do not necessarily act on behalf of the user.

pkgconf, CVE-2023-24056 and disinformation

Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 and 1.8.1 respectively, to address CVE-2023-24056, a pkg-config specific variation of the now-classic “billion laughs attack”. While fixing software defects is important, a lot went wrong with how this CVE was reported and the motivations behind its disclosure, and for my own catharsis, I want to talk about this. The origin of pkgconf To hopefully explain why I am so bothered by all of this, let’s first understand the history of pkgconf: a project I began noodling on in March 2011.

Building fair webs of trust by leveraging the OCAP model

Since the beginning of the Internet, determining the trustworthiness of participants and published information has been a significant point of contention. Many systems have been proposed to solve these underlying concerns, usually pertaining to specific niches and communities, but these pre-existing solutions are nebulous at best. How can we build infrastructure for truly democratic Webs of Trust? Fairness in reputation-based systems When considering the design of a reputation-based system, fairness must be paramount, but what is fairness in this context?

Twitter's demise is ActivityPub's future

Earlier today, I deleted all of my tweets and left Twitter forever. While I plan on leaving a nightlight thread for a while, I will eventually close my account, assuming Elon doesn’t do it for me. The past week has been an emotional rollercoaster for me as I have watched everything play out. I was one of the original fediverse users when Indymedia UK stood up the indy.im StatusNet instance at the end of 2010.

The internet is broken due to structural injustice

Over the past few years, I’ve come to realize that the Internet as we know it is utterly broken. Lately, I’ve also been pondering how participants in the modern Internet have enabled and perpetuated harm to society at large. Repeatedly, we have seen the independence of the commons chipped away by powerful men who wish for participants to serve their own whims, while those who raise concerns with these developments are either shunned, banned or doxed.

So you've decided to start a free software consultancy...

Recently a friend of mine told me that he was planning to start a free software consultancy, and asked for my advice, as I have an extensive background doing free software consulting for a living. While I have already given him some advice on how to proceed, I thought it might be nice to write a blog expanding on my answer, so that others who are interested in pursuing free software consulting may benefit.

Free software grows as a function of social utility

A frequent complaint I see from users and inexperienced contributors concerning free software projects is that they are allegedly not doing enough to grow the userbase, sometimes even asserting that a fork is necessary to right the course of the project. Are these complaints missing the point, or do they have merit? How do free software projects grow their userbase into thriving communities? In general, these complaints go something like this:

Migrating away from WordPress

Astute followers of this blog might have noticed that the layout has dramatically changed. This is because I migrated away from WordPress last weekend, switching back to Hugo after a few years. This time around, the blog is fully self-hosted, rather than depending on GitHub pages, and the deployment pipeline is reasonably secure. Perhaps we can call it a “secure blog factory” with some further work, even. When most people deploy static websites anymore, they use a service like Netlify, or GitHub pages to do it.

How efficient can cat(1) be?

There have been a few initiatives in recent years to implement a new userspace base system for Linux distributions as an alternative to the GNU coreutils and BusyBox. Recently, one of the authors of one of these proposed implementations made the pitch in a few IRC channels that her cat implementation, which was derived from OpenBSD’s implementation, was the most efficient. But is it actually? Understanding what cat actually does At the most basic level, cat takes one or more files and dumps them to stdout.

a silo can never provide digital autonomy to its users

Lately there has been a lot of discussion about various silos and their activities, notably GitHub and an up and coming alternative to Tumblr called Cohost. I’d like to talk about both to make the point that silos do not, and can not elevate user freedoms, by design, even if they are run with the best of intentions, by analyzing the behavior of both of these silos. It is said that if you are not paying for a service, that you are the product.