Longform

C SBOMs, and how pkgconf can solve this problem
I recently attended FOSDEM, and saw a talk in the SBOM devroom about a software engineer’s …

The XZ Utils backdoor is a symptom of a larger problem
On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils …

Most breaches actually begin in corp
Readers of my blog will note that while I believe Rust is an excellent tool for developers to …

Writing portable ARM64 assembly
An unfortunate side effect of the rising popularity of Apple’s ARM-based computers is an …

Help migrate a community from Discord to something else
During the height of the pandemic, I set up a community using Discord. Since then, it has evolved …

pkgconf, CVE-2023-24056 and disinformation
Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 …

Building fair webs of trust by leveraging the OCAP model
Since the beginning of the Internet, determining the trustworthiness of participants and published …

Twitter's demise is ActivityPub's future
Earlier today, I deleted all of my tweets and left Twitter forever. While I plan on leaving a …

The internet is broken due to structural injustice
Over the past few years, I’ve come to realize that the Internet as we know it is utterly …

So you've decided to start a free software consultancy...
Recently a friend of mine told me that he was planning to start a free software consultancy, and …

Free software grows as a function of social utility
A frequent complaint I see from users and inexperienced contributors concerning free software …

Migrating away from WordPress
Astute followers of this blog might have noticed that the layout has dramatically changed. This is …

How efficient can cat(1) be?
There have been a few initiatives in recent years to implement a new userspace base system for Linux …

a silo can never provide digital autonomy to its users
Lately there has been a lot of discussion about various silos and their activities, notably GitHub …

it is correct to refer to GNU/Linux as GNU/Linux
You’ve probably seen the “I’d like to interject for a moment” quotation that …

the tragedy of gethostbyname
A frequent complaint expressed on a certain website about Alpine is related to the deficiencies …

how to refresh older stuffed animals
As many of my readers are likely aware, I have a large collection of stuffed animals, but my …

JSON-LD is ideal for Cloud Native technologies
Frequently I have been told by developers that it is impossible to have extensible JSON documents …

how I wound up causing a major outage of my services and destroying my home directory by accident
As a result of my FOSS maintenance and activism work, I have a significant IT footprint, to support …

CVE-2021-4034
A few days ago, Qualys dropped CVE-2021-4034, which they have called “Pwnkit”. While …

the FSF’s relationship with firmware is harmful to free software users
The FSF has an unfortunate relationship with firmware, resulting in policies that made sense in the …

delegation of authority from the systems programming perspective
As I have been griping on Twitter lately, about how I dislike the design of modern UNIX operating …

glibc is still not Y2038 compliant by default
Most of my readers are probably aware of the Y2038 issue by now. If not, it refers to 3:14:07 UTC on …

stop defining feature-test macros in your code
If there is any change in the C world I would like to see in 2022, it would be the abolition of …

to secure the supply chain, you must properly fund it
Yesterday, a new 0day vulnerability dropped in Apache Log4j. It turned out to be worse than the …

open cores, ISAs, etc: what is actually open about them?
In the past few years, with the launch of RISC-V, and IBM’s OpenPOWER initiative (backed up …

On centralized development forges
Since the launch of SourceForge in 1999, development of FOSS has started to concentrate in …

On CVE-2019-5021
A few years ago, it was discovered that the root account was not locked out in Alpine’s Docker …

the problematic GPL "or later" clause
The GNU General Public License started life as the GNU Emacs Public License in 1987 (the linked …

an inside look into the illicit ad industry
So, you want to work in ad tech, do you? Perhaps this will be a cautionary tale… I have …

spelunking through the apk-tools dependency solver
In our previous episode, I wrote a high level overview of apk’s differences versus traditional …

It’s time to boycott AWS
I woke up this morning not planning to write anything on this blog, much less anything about AWS. …

don't do clever things in configure scripts
Recently, a new version of ncurses was released and pushed to Alpine. The maintainer of ncurses in …

the Alpine release process
It’s almost Halloween, which means it’s almost time for an Alpine release, and all hands …

Trustworthy computing in 2021
Normally, when you hear the phrase “trusted computing,” you think about schemes designed to create …

Bits related to Alpine Security Initiatives in September
The past month has been quite busy as we prepare to wrap up major security-related initiatives for …

you can't stop the (corporate) music
I’ve frequently said that marketing departments are the most damaging appendage of any modern …

Monitoring for process completion in 2021
A historical defect in the ifupdown suite has been the lack of proper supervision of processes run …

The long-term consequences of maintainers' actions
OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. …

Efficient service isolation on Alpine with VRFs
Over the weekend, a reader of my blog contacted me basically asking about firewalls. Firewalls …

introducing witchery: tools for building distroless images with alpine
As I noted in my last blog, I have been working on a set of tools which enable the building of …

Bits relating to Alpine security initiatives in August
As always, the primary focus of my work in Alpine is related to security, either through …

I drove 1700 miles for a Blåhaj last weekend and it was worth it
My grandmother has Alzheimer’s and has recently had to move into an assisted living facility. You’ve …

How networks of consent can fix social platforms
Social platforms are powerful tools which allow a user to communicate with their friends and family. …

I am planning to move to Europe
I have been considering a move to Europe since the 2018 midterm election, though a combination of …

there is no such thing as a "glibc based alpine image"
For whatever reason, the alpine-glibc project is apparently being used in production. Worse yet, …

a tail of two bunnies
As many people know, I collect stuffed animals. Accordingly, I get a lot of questions about what to …

free software does not come with any guarantees of support
This evening, I stumbled upon a Twitter post by an account which tracks features being added to …

GNU nano is my editor of choice
I have been using GNU nano for the overwhelming majority of my life. Like an old friend, nano has …

On the topic of community management, CoCs, etc.
Many people may remember that at one point, Alpine had a rather troubled community, which to put it …

Bits relating to Alpine security initiatives in July
Another month has passed, and we’ve gotten a lot of work done. No big announcements to make, …

Moving my blog to Oracle cloud
In my past few blog posts, I have been talking about the current state of affairs concerning ARM VPS …

Oracle cloud sucks
Update: Oracle have made this right, and I am in fact, now running production services on their …

It's time for ARM to embrace traditional hosting
ARM is everywhere these days – from phones to hyperscale server deployments. There is even an …

the three taps of doom
A few years ago, I worked as the CTO of an advertising startup. At first, we used Skype for …

Bits relating to Alpine security initiatives in June
As usual, I have been hard at work on various security initiatives in Alpine the past month. Here is …

understanding thread stack sizes and how alpine is different
From time to time, somebody reports a bug to some project about their program crashing on Alpine. …

the end of freenode
My first experience with IRC was in 1999. I was in middle school, and a friend of mine ordered a …

the vulnerability remediation lifecycle of Alpine containers
Anybody who has the responsibility of maintaining a cluster of systems knows about the vulnerability …

actually, BSD kqueue is a mountain of technical debt
A side effect of the whole freenode kerfluffle is that I’ve been looking at IRCD again. IRC, …

A slightly-delayed monthly status update
A few weeks ago, I announced the creation of a security response team for Alpine, of which I am …

the whole freenode kerfluffle
But the thing is IRC has always been a glorious thing. The infra has always been sponsored by …

AlpineConf 2021 recap
Last weekend was AlpineConf, the first one ever. We held it as a virtual event, and over 700 …

using qemu-user emulation to reverse engineer binaries
QEMU is primarily known as the software which provides full system emulation under Linux’s …

The various ways to check if an integer is even
You have probably seen this post on Twitter by now: God I wish there was an easier way to do this …

Why apk-tools is different than other package managers
Alpine as you may know uses the apk-tools package manager, which we built because pre-existing …

Building a security response team in Alpine
Starting this past month, thanks to the generous support of Google and the Linux Foundation, instead …

A tale of two envsubst implementations
Yesterday, Dermot Bradley brought up in IRC that gettext-tiny’s lack of an envsubst utility …

A Brief History of Configuration-Defined Image Builders
When you think of a configuration-defined image builder, most likely you think of Docker (which …

Cryptocurrencies from 10000 feet: the good, the bad, and the fixes
I’ve followed cryptocurrency for a long time. The first concept I read about was Hashcash, …

Let's build a new service manager for Alpine!
Update (April 27): Please visit Laurent’s website on this issue for a more detailed proposal. …

Why RMS should not be leading the free software movement
Earlier today, I was invited to sign the open letter calling for the FSF board to resign, which I …

NFTs: A Scam that Artists Should Avoid
Non-fungible tokens (NFTs) are the latest craze being pitched toward the artistic communities. But, …

The End of a Short Era
Earlier this year, I started a project called Jejune and migrated my blog to it. For various …

Using OTP ASN.1 support with Elixir
The OTP ecosystem which grew out of Erlang has all sorts of useful applications included with it, …

Demystifying Bearer Capability URIs
Historically, there has been a practice of combining URIs with access tokens containing sufficient …

Leveraging JSON-LD compound typing for behavioural hinting in ActivityPub
ActivityStreams provides for a multitude of different actor and object types, which ActivityPub …

Introducing LVis: a programmable audio visualizer
One of my areas of interest in multimedia coding has always been writing audio visualizers. Audio …

libreplayer: toward a generic interface for replayer cores and music players
I’ve been taking a break from focusing on fediverse development for the past couple of weeks — …

Federation – what flows where, and why?
With all of the recent hullabaloo with Gab, and then, today Kiwi Farms joining the fediverse, there …

What is OCAP and why should I care?
OCAP refers to Object CAPabilities. Object Capabilities are one of many possible ways to achieve …

Software Does Not Make A Product
Some fediverse developers approach project management from the philosophy that they are building a …

What would ActivityPub look like with capability-based security, anyway?
This is the third article in a series of articles about ActivityPub detailing the challenges of …

ActivityPub: the present state, or why saving the 'worse is better' virus is both possible and important
This is the second article in a series that will be a fairly critical review of ActivityPub from a …

ActivityPub: The “Worse Is Better” Approach to Federated Social Networking
This is the first article in a series that will be a fairly critical review of ActivityPub from a …

The Case For Blind Key Rotation
ActivityPub uses cryptographic signatures, mainly for the purpose of authenticating messages. This …

Pleroma, LitePub, ActivityPub and JSON-LD
A lot of people make assumptions about my position on whether or not JSON-LD is actually good or …

Do not use or provide DH-AES or DH-BLOWFISH for SASL/IAL authentication
Atheme 7.2 dropped support for the DH-AES and DH-BLOWFISH mechanisms. This was for very good reason. …