https://ariadne.space/ Recent content on Ariadne's Space Hugo -- gohugo.io en-us Thu, 07 Dec 2023 00:00:00 +0000 https://ariadne.space/2023/12/07/most-breaches-actually-begin-in-corp/ Thu, 07 Dec 2023 00:00:00 +0000 https://ariadne.space/2023/12/07/most-breaches-actually-begin-in-corp/ Readers of my blog will note that while I believe Rust is an excellent tool for developers to leverage when building software, that there is a disconnect between the developers leveraging Rust features to improve their software and many of the advocates who talk about the language, which I believe is counterproductive when it comes to Rust advocacy. https://ariadne.space/2023/04/13/writing-portable-arm64-assembly/ Thu, 13 Apr 2023 00:00:00 +0000 https://ariadne.space/2023/04/13/writing-portable-arm64-assembly/ An unfortunate side effect of the rising popularity of Apple’s ARM-based computers is an increase in unportable assembly code which targets the 64-bit ARM ISA. This is because developers are writing these bits of assembly code to speed up their programs when run on Apple’s ARM-based computers, without considering the other 64-bit ARM devices out there, such as SBCs and servers running Linux or BSD. https://ariadne.space/2023/03/08/help-migrate-a-community-from-discord-to-something-else/ Wed, 08 Mar 2023 00:00:00 +0000 https://ariadne.space/2023/03/08/help-migrate-a-community-from-discord-to-something-else/ During the height of the pandemic, I set up a community using Discord. Since then, it has evolved into being one of the most active (yet tight-knit) technical communities on Discord: members ranging from all around the world and from all sorts of technical and social backgrounds participate in conversations every day on a variety of topics. https://ariadne.space/2023/01/24/pkgconf-cve-2023-24056-and-disinformation/ Tue, 24 Jan 2023 00:00:00 +0000 https://ariadne.space/2023/01/24/pkgconf-cve-2023-24056-and-disinformation/ Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 and 1.8.1 respectively, to address CVE-2023-24056, a pkg-config specific variation of the now-classic “billion laughs attack”. While fixing software defects is important, a lot went wrong with how this CVE was reported and the motivations behind its disclosure, and for my own catharsis, I want to talk about this. https://ariadne.space/2022/12/03/building-fair-webs-of-trust-by-leveraging-the-ocap-model/ Sat, 03 Dec 2022 00:00:00 +0000 https://ariadne.space/2022/12/03/building-fair-webs-of-trust-by-leveraging-the-ocap-model/ Since the beginning of the Internet, determining the trustworthiness of participants and published information has been a significant point of contention. Many systems have been proposed to solve these underlying concerns, usually pertaining to specific niches and communities, but these pre-existing solutions are nebulous at best. How can we build infrastructure for truly democratic Webs of Trust? https://ariadne.space/2022/11/12/twitters-demise-is-activitypubs-future/ Sat, 12 Nov 2022 00:00:00 +0000 https://ariadne.space/2022/11/12/twitters-demise-is-activitypubs-future/ Earlier today, I deleted all of my tweets and left Twitter forever. While I plan on leaving a nightlight thread for a while, I will eventually close my account, assuming Elon doesn’t do it for me. The past week has been an emotional rollercoaster for me as I have watched everything play out. https://ariadne.space/2022/10/27/the-internet-is-broken-due-to-structural-injustice/ Thu, 27 Oct 2022 00:00:00 +0000 https://ariadne.space/2022/10/27/the-internet-is-broken-due-to-structural-injustice/ Over the past few years, I’ve come to realize that the Internet as we know it is utterly broken. Lately, I’ve also been pondering how participants in the modern Internet have enabled and perpetuated harm to society at large. Repeatedly, we have seen the independence of the commons chipped away by powerful men who wish for participants to serve their own whims, while those who raise concerns with these developments are either shunned, banned or doxed. https://ariadne.space/2022/08/11/so-youve-decided-to-start-a-free-software-consultancy.../ Thu, 11 Aug 2022 00:00:00 +0000 https://ariadne.space/2022/08/11/so-youve-decided-to-start-a-free-software-consultancy.../ Recently a friend of mine told me that he was planning to start a free software consultancy, and asked for my advice, as I have an extensive background doing free software consulting for a living. While I have already given him some advice on how to proceed, I thought it might be nice to write a blog expanding on my answer, so that others who are interested in pursuing free software consulting may benefit. https://ariadne.space/2022/08/06/free-software-grows-as-a-function-of-social-utility/ Sat, 06 Aug 2022 00:00:00 +0000 https://ariadne.space/2022/08/06/free-software-grows-as-a-function-of-social-utility/ A frequent complaint I see from users and inexperienced contributors concerning free software projects is that they are allegedly not doing enough to grow the userbase, sometimes even asserting that a fork is necessary to right the course of the project. Are these complaints missing the point, or do they have merit? https://ariadne.space/2022/08/04/migrating-away-from-wordpress/ Thu, 04 Aug 2022 00:00:00 +0000 https://ariadne.space/2022/08/04/migrating-away-from-wordpress/ Astute followers of this blog might have noticed that the layout has dramatically changed. This is because I migrated away from WordPress last weekend, switching back to Hugo after a few years. This time around, the blog is fully self-hosted, rather than depending on GitHub pages, and the deployment pipeline is reasonably secure. https://ariadne.space/2022/07/17/how-efficient-can-cat1-be/ Sun, 17 Jul 2022 00:00:00 +0000 https://ariadne.space/2022/07/17/how-efficient-can-cat1-be/ There have been a few initiatives in recent years to implement a new userspace base system for Linux distributions as an alternative to the GNU coreutils and BusyBox. Recently, one of the authors of one of these proposed implementations made the pitch in a few IRC channels that her cat implementation, which was derived from OpenBSD’s implementation, was the most efficient. https://ariadne.space/2022/07/01/a-silo-can-never-provide-digital-autonomy-to-its-users/ Fri, 01 Jul 2022 00:00:00 +0000 https://ariadne.space/2022/07/01/a-silo-can-never-provide-digital-autonomy-to-its-users/ Lately there has been a lot of discussion about various silos and their activities, notably GitHub and an up and coming alternative to Tumblr called Cohost. I’d like to talk about both to make the point that silos do not, and can not elevate user freedoms, by design, even if they are run with the best of intentions, by analyzing the behavior of both of these silos. https://ariadne.space/2022/03/30/it-is-correct-to-refer-to-gnu/linux-as-gnu/linux/ Wed, 30 Mar 2022 00:00:00 +0000 https://ariadne.space/2022/03/30/it-is-correct-to-refer-to-gnu/linux-as-gnu/linux/ You’ve probably seen the “I’d like to interject for a moment” quotation that is frequently attributed to Richard Stallman about how Linux should be referred to as GNU/Linux. While I disagree with that particular assertion, I do believe it is important to refer to GNU/Linux distributions as such, because GNU/Linux is a distinct operating system in the family of operating systems which use the Linux kernel, and it is technically correct to recognize this, especially as different Linux-based operating systems have different behavior, and different advantages and disadvantages. https://ariadne.space/2022/03/27/the-tragedy-of-gethostbyname/ Sun, 27 Mar 2022 00:00:00 +0000 https://ariadne.space/2022/03/27/the-tragedy-of-gethostbyname/ A frequent complaint expressed on a certain website about Alpine is related to the deficiencies regarding the musl DNS resolver when querying large zones. In response, it is usually mentioned that applications which are expecting reliable DNS lookups should be using a dedicated DNS library for this task, not the getaddrinfo or gethostbyname APIs, but this is usually rebuffed by comments saying that these APIs are fine to use because they are allegedly reliable on GNU/Linux. https://ariadne.space/2022/02/12/how-to-refresh-older-stuffed-animals/ Sat, 12 Feb 2022 00:00:00 +0000 https://ariadne.space/2022/02/12/how-to-refresh-older-stuffed-animals/ As many of my readers are likely aware, I have a large collection of stuffed animals, but my favorite one is the first generation Jellycat Bashful Bunny that I have had for the past 10 years or so. Recently I noticed that my bunny was starting to turn purple, likely from the purple stain that is applied to my hair, which bleeds onto anything when given the opportunity to do so. https://ariadne.space/2022/02/11/json-ld-is-ideal-for-cloud-native-technologies/ Fri, 11 Feb 2022 00:00:00 +0000 https://ariadne.space/2022/02/11/json-ld-is-ideal-for-cloud-native-technologies/ Frequently I have been told by developers that it is impossible to have extensible JSON documents underpinning their projects, because there may be collisions later. For those of us who are unaware of more capable graph serializations such as JSON-LD and Turtle, this seems like a reasonable position. Accordingly, I would like to introduce you all to JSON-LD, using a practical real-world deployment as an example, as well as how one might use JSON-LD to extend something like OCI container manifests. https://ariadne.space/2022/02/04/how-i-wound-up-causing-a-major-outage-of-my-services-and-destroying-my-home-directory-by-accident/ Fri, 04 Feb 2022 00:00:00 +0000 https://ariadne.space/2022/02/04/how-i-wound-up-causing-a-major-outage-of-my-services-and-destroying-my-home-directory-by-accident/ As a result of my FOSS maintenance and activism work, I have a significant IT footprint, to support the services and development environments needed to facilitate everything I do. Unfortunately, I am also my own system administrator, and I am quite terrible at this. This is a story about how I wound up knocking most of my services offline and wiping out my home directory, because of a combination of Linux mdraid bugs and a faulty SSD. https://ariadne.space/2022/01/27/cve-2021-4034/ Thu, 27 Jan 2022 00:00:00 +0000 https://ariadne.space/2022/01/27/cve-2021-4034/ A few days ago, Qualys dropped CVE-2021-4034, which they have called “Pwnkit”. While Alpine itself was not directly vulnerable to this issue due to different engineering decisions made in the way musl and glibc handle SUID binaries, this is intended to be a deeper look into what went wrong to enable successful exploitation on GNU/Linux systems. https://ariadne.space/2022/01/22/the-fsfs-relationship-with-firmware-is-harmful-to-free-software-users/ Sat, 22 Jan 2022 00:00:00 +0000 https://ariadne.space/2022/01/22/the-fsfs-relationship-with-firmware-is-harmful-to-free-software-users/ The FSF has an unfortunate relationship with firmware, resulting in policies that made sense in the late 1980s, but actively harm users today, through recommending obsolescent equipment, requiring increased complexity in RYF-certified hardware designs and discouraging both good security practices and the creation of free replacement firmware. As a result of these policies, deficient hardware often winds up in the hands of those who need software freedom the most, in the name of RYF-certification. https://ariadne.space/2022/01/18/delegation-of-authority-from-the-systems-programming-perspective/ Tue, 18 Jan 2022 00:00:00 +0000 https://ariadne.space/2022/01/18/delegation-of-authority-from-the-systems-programming-perspective/ As I have been griping on Twitter lately, about how I dislike the design of modern UNIX operating systems, an interesting conversation about object capabilities came up with the author of musl-libc. This conversation caused me to realize that systems programmers don’t really have a understanding of object capabilities, and how they can be used to achieve environments that are aligned with the principle of least authority. https://ariadne.space/2021/12/29/glibc-is-still-not-y2038-compliant-by-default/ Wed, 29 Dec 2021 00:00:00 +0000 https://ariadne.space/2021/12/29/glibc-is-still-not-y2038-compliant-by-default/ Most of my readers are probably aware of the Y2038 issue by now. If not, it refers to 3:14:07 UTC on January 19, 2038, when 32-bit time_t will overflow. The Linux kernel has internally switched to 64-bit timekeeping several years ago, and Alpine made the jump to 64-bit time_t with the release of Alpine 3. https://ariadne.space/2021/12/21/stop-defining-feature-test-macros-in-your-code/ Tue, 21 Dec 2021 00:00:00 +0000 https://ariadne.space/2021/12/21/stop-defining-feature-test-macros-in-your-code/ If there is any change in the C world I would like to see in 2022, it would be the abolition of #define _GNU_SOURCE. In many cases, defining this macro in C code can have harmful side effects ranging from subtle breakage to miscompilation, because of how feature-test macros work. https://ariadne.space/2021/12/11/to-secure-the-supply-chain-you-must-properly-fund-it/ Sat, 11 Dec 2021 00:00:00 +0000 https://ariadne.space/2021/12/11/to-secure-the-supply-chain-you-must-properly-fund-it/ Yesterday, a new 0day vulnerability dropped in Apache Log4j. It turned out to be worse than the initial analysis: because of recursive nesting of substitutions, it is possible to execute remote code in any program which passes user data to Log4j for logging. Needless to say, the way this disclosure was handled was a disaster, as it was quickly discovered that many popular services were using Log4j, but how did we get here? https://ariadne.space/2021/12/06/open-cores-isas-etc-what-is-actually-open-about-them/ Mon, 06 Dec 2021 00:00:00 +0000 https://ariadne.space/2021/12/06/open-cores-isas-etc-what-is-actually-open-about-them/ In the past few years, with the launch of RISC-V, and IBM’s OpenPOWER initiative (backed up with hardware releases such as Talos) there has been lots of talk about open hardware projects, and vendors talking about how anyone can go and make a RISC-V or OpenPOWER CPU. While there is a modicum of truth to the assertion that an upstart company could start fabricating their own RISC-V or OpenPOWER CPUs tomorrow, the reality is a lot more complex, and it basically comes down to patents. https://ariadne.space/2021/12/02/on-centralized-development-forges/ Thu, 02 Dec 2021 00:00:00 +0000 https://ariadne.space/2021/12/02/on-centralized-development-forges/ Since the launch of SourceForge in 1999, development of FOSS has started to concentrate in centralized development forges, the latest one of course being GitHub, now owned by Microsoft. While the centralization of development talent achieved by GitHub has had positive effects on software development output towards the commons, it is also a liability: GitHub is now effectively a single point of failure for the commons, since the overwhelming majority of software is developed there. https://ariadne.space/2021/11/22/on-cve-2019-5021/ Mon, 22 Nov 2021 00:00:00 +0000 https://ariadne.space/2021/11/22/on-cve-2019-5021/ A few years ago, it was discovered that the root account was not locked out in Alpine’s Docker images. This was not the first time that this was the case, an actually exploitable case of this was first fixed with a hotfix in 2015, but when the hotfix was replaced with appropriate use of /etc/securetty, the regression was inadvertently reintroduced for some configurations. https://ariadne.space/2021/11/16/the-problematic-gpl-or-later-clause/ Tue, 16 Nov 2021 00:00:00 +0000 https://ariadne.space/2021/11/16/the-problematic-gpl-or-later-clause/ The GNU General Public License started life as the GNU Emacs Public License in 1987 (the linked version is from February 1988), and has been built on the principle of copyleft: the use of the copyright system to enforce software freedom through licensing. This prototype version of the GPL was used for other packages, such as GNU Bison (in 1988), and Nethack (in 1989), and was most likely written by Richard Stallman himself. https://ariadne.space/2021/11/04/an-inside-look-into-the-illicit-ad-industry/ Thu, 04 Nov 2021 00:00:00 +0000 https://ariadne.space/2021/11/04/an-inside-look-into-the-illicit-ad-industry/ So, you want to work in ad tech, do you? Perhaps this will be a cautionary tale… I have worked my entire life as a contractor. This has had advantages and disadvantages. For example, I am free to set my own schedule, and undertake engagements at my own leisure, but as a result my tax situation is more complicated. https://ariadne.space/2021/10/31/spelunking-through-the-apk-tools-dependency-solver/ Sun, 31 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/31/spelunking-through-the-apk-tools-dependency-solver/ In our previous episode, I wrote a high level overview of apk’s differences verses traditional package managers, which many have cited as a helpful resource for understanding the behavior of apk when it does something different than a traditional package manager would. But that article didn’t go into depth in enough detail to explain how it all actually works. https://ariadne.space/2021/10/26/its-time-to-boycott-aws/ Tue, 26 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/26/its-time-to-boycott-aws/ I woke up this morning not planning to write anything on this blog, much less anything about AWS. But then, as I was eating breakfast, I read a horrifying story in Mother Jones about how an AWS employee was treated as he did his best to cope with his wife’s terminal cancer. https://ariadne.space/2021/10/25/dont-do-clever-things-in-configure-scripts/ Mon, 25 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/25/dont-do-clever-things-in-configure-scripts/ Recently, a new version of ncurses was released and pushed to Alpine. The maintainer of ncurses in Alpine successfully built it on his machine, so he pushed it to the builders, expecting it to build fine on them. Of course, it promptly failed to build from source on the builders, because make install did not install the pkg-config . https://ariadne.space/2021/10/22/the-alpine-release-process/ Fri, 22 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/22/the-alpine-release-process/ It’s almost Halloween, which means it’s almost time for an Alpine release, and all hands are on deck to make sure the process goes smoothly. But what goes into making an Alpine release? What are all the moving parts? Since we are in the process of cutting a new release series, I figured I would write about how it is actually done. https://ariadne.space/2021/10/19/trustworthy-computing-in-2021/ Tue, 19 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/19/trustworthy-computing-in-2021/ Normally, when you hear the phrase “trusted computing,” you think about schemes designed to create roots of trust for companies, rather than the end user. For example, Microsoft’s Palladium project during the Longhorn development cycle of Windows is a classically cited example of trusted computing used as a basis to enforce Digital Restrictions Management against the end user. https://ariadne.space/2021/10/01/bits-related-to-alpine-security-initiatives-in-september/ Fri, 01 Oct 2021 00:00:00 +0000 https://ariadne.space/2021/10/01/bits-related-to-alpine-security-initiatives-in-september/ The past month has been quite busy as we prepare to wrap up major security-related initiatives for the Alpine 3.15 release. Some progress has been made on long-term initiatives as well. OpenSSL 3 migration As I noted in my last status update, we began the process to migrate the distribution to using OpenSSL 3. https://ariadne.space/2021/09/28/you-cant-stop-the-corporate-music/ Tue, 28 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/28/you-cant-stop-the-corporate-music/ I’ve frequently said that marketing departments are the most damaging appendage of any modern corporation. However, there is one example of this which really proves the point: corporate songs, and more recently, corporate music videos. These Lovecraftian horrors are usually created in order to raise employee morale, typically at the cost of hundreds of thousands of dollars and thousands of man-hours being wasted on meetings to compose the song by committee. https://ariadne.space/2021/09/20/monitoring-for-process-completion-in-2021/ Mon, 20 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/20/monitoring-for-process-completion-in-2021/ A historical defect in the ifupdown suite has been the lack of proper supervision of processes run by the system in order to bring up and down interfaces. Specifically, it is possible in historical ifupdown for a process to hang forever, at which point the system will fail to finish configuring interfaces. https://ariadne.space/2021/09/16/the-long-term-consequences-of-maintainers-actions/ Thu, 16 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/16/the-long-term-consequences-of-maintainers-actions/ OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture, let me explain. https://ariadne.space/2021/09/13/efficient-service-isolation-on-alpine-with-vrfs/ Mon, 13 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/13/efficient-service-isolation-on-alpine-with-vrfs/ Over the weekend, a reader of my blog contacted me basically asking about firewalls. Firewalls themselves are boring in my opinion, so let’s talk about something Alpine can do that, as far as I know, no other distribution can easily do out of the box yet: service isolation using the base networking stack itself instead of netfilter. https://ariadne.space/2021/09/09/introducing-witchery-tools-for-building-distroless-images-with-alpine/ Thu, 09 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/09/introducing-witchery-tools-for-building-distroless-images-with-alpine/ As I noted in my last blog, I have been working on a set of tools which enable the building of so-called “distroless” images based on Alpine. These tools have now evolved to a point where they are usable for testing in lab environments, thus I am happy to announce the witchery project. https://ariadne.space/2021/09/07/bits-relating-to-alpine-security-initiatives-in-august/ Tue, 07 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/07/bits-relating-to-alpine-security-initiatives-in-august/ As always, the primary focus of my work in Alpine is related to security, either through non-maintainer updates to address CVEs, new initiatives for hardening Alpine, maintenance of critical security-related packages or working with other projects to improve our workflows with better information sharing. Here are some updates on that, which are slightly delayed because of the long weekend. https://ariadne.space/2021/09/05/i-drove-1700-miles-for-a-bl%C3%A5haj-last-weekend-and-it-was-worth-it/ Sun, 05 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/05/i-drove-1700-miles-for-a-bl%C3%A5haj-last-weekend-and-it-was-worth-it/ My grandmother has Alzheimer’s and has recently had to move into an assisted living facility. You’ve probably seen bits and pieces outlining my frustration with that process on Twitter over the past year or so. Anyway, I try to visit her once or twice a month, as time permits. But what does that have to do with blåhaj, and what is a blåhaj, anyway? https://ariadne.space/2021/09/03/how-networks-of-consent-can-fix-social-platforms/ Fri, 03 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/03/how-networks-of-consent-can-fix-social-platforms/ Social platforms are powerful tools which allow a user to communicate with their friends and family. They also allow for activists to organize and manage political movements. Unfortunately, they also allow for users to harass other users and the mitigations available for that harassment are generally lacking. By implementing networks of consent using the techniques presented, centralized, federated and distributed social networking platforms alike can build effective mitigations against harassment. https://ariadne.space/2021/09/02/i-am-planning-to-move-to-europe/ Thu, 02 Sep 2021 00:00:00 +0000 https://ariadne.space/2021/09/02/i-am-planning-to-move-to-europe/ I have been considering a move to Europe since the 2018 midterm election, though a combination of friends being persuasive and the COVID-19 pandemic put a damper on those plans. Accordingly, I have tried my best to give Biden and the democrats an opportunity to show even the most basic modicum of progress on putting the country on a different path. https://ariadne.space/2021/08/26/there-is-no-such-thing-as-a-glibc-based-alpine-image/ Thu, 26 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/26/there-is-no-such-thing-as-a-glibc-based-alpine-image/ For whatever reason, the alpine-glibc project is apparently being used in production. Worse yet, some are led to believe that Alpine officially supports or at least approves of its usage. For the reasons I am about to outline, we don’t. I have also proposed an update to Alpine which will block the installation of the glibc packages produced by the alpine-glibc project, and have referred acceptance of that update to the TSC to determine if we actually want to put our foot down or not. https://ariadne.space/2021/08/21/a-tail-of-two-bunnies/ Sat, 21 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/21/a-tail-of-two-bunnies/ As many people know, I collect stuffed animals. Accordingly, I get a lot of questions about what to look for in a quality stuffed animal which will last a long time. While there are a lot of factors to consider when evaluating a design, I hope the two examples I present here in contrast to each other will help most people get the basic idea. https://ariadne.space/2021/08/16/free-software-does-not-come-with-any-guarantees-of-support/ Mon, 16 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/16/free-software-does-not-come-with-any-guarantees-of-support/ This evening, I stumbled upon a Twitter post by an account which tracks features being added to GitHub: To be absolutely clear, this is a terrible idea. Free software maintainers already have to deal with a subset of users who believe they are automatically entitled to support and, in some cases, SLAs from the maintainer. https://ariadne.space/2021/08/13/gnu-nano-is-my-editor-of-choice/ Fri, 13 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/13/gnu-nano-is-my-editor-of-choice/ I have been using GNU nano for the overwhelming majority of my life. Like an old friend, nano has always been reliable and has never failed me where other text editors have. By far, it has been the most influential software I have ever used regarding how I approach the design of my own software. https://ariadne.space/2021/08/08/on-the-topic-of-community-management-cocs-etc./ Sun, 08 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/08/on-the-topic-of-community-management-cocs-etc./ Many people may remember that at one point, Alpine had a rather troubled community, which to put it diplomatically, resulted in a developer leaving the project. This was the result of not properly managing the Alpine community as it grew – had we taken early actions to ensure appropriate moderation and community management, that particular incident would never have happened. https://ariadne.space/2021/08/04/bits-relating-to-alpine-security-initiatives-in-july/ Wed, 04 Aug 2021 00:00:00 +0000 https://ariadne.space/2021/08/04/bits-relating-to-alpine-security-initiatives-in-july/ Another month has passed, and we’ve gotten a lot of work done. No big announcements to make, but lots of incremental progress, bikeshedding and meetings. We have been laying the ground work for several initiatives in Alpine 3.15, as well as working with other groups to find a path forward on vulnerability information sharing. https://ariadne.space/2021/07/18/moving-my-blog-to-oracle-cloud/ Sun, 18 Jul 2021 00:00:00 +0000 https://ariadne.space/2021/07/18/moving-my-blog-to-oracle-cloud/ In my past few blog posts, I have been talking about the current state of affairs concerning ARM VPS hosting. To put my money where my mouth is, I have now migrated my blog to the ARM instances Oracle has to offer, as an actual production use of their cloud. You might find this surprising, given the last post, but Oracle reached out and explained why their system terminated my original account and we found a solution for that problem. https://ariadne.space/2021/07/14/oracle-cloud-sucks/ Wed, 14 Jul 2021 00:00:00 +0000 https://ariadne.space/2021/07/14/oracle-cloud-sucks/ Update: Oracle have made this right, and I am in fact, now running production services on their cloud. Thanks to Ross and the other Oracle engineers who reached out offering assistance. The rest of the blog post is retained for historical purposes. In my previous blog, I said that Oracle was the best option for cheap ARM hosting. https://ariadne.space/2021/07/10/its-time-for-arm-to-embrace-traditional-hosting/ Sat, 10 Jul 2021 00:00:00 +0000 https://ariadne.space/2021/07/10/its-time-for-arm-to-embrace-traditional-hosting/ ARM is everywhere these days – from phones to hyperscale server deployments. There is even an ARM workstation available that has decent specs at an acceptable price. Amazon and Oracle tout white paper after white paper about how their customers have switched to ARM, gotten performance wins and saved money. Sounds like everything is on the right track, yes? https://ariadne.space/2021/07/03/the-three-taps-of-doom/ Sat, 03 Jul 2021 00:00:00 +0000 https://ariadne.space/2021/07/03/the-three-taps-of-doom/ A few years ago, I worked as the CTO of an advertising startup. At first, we used Skype for messaging amongst the employees, and then later, we switched to Slack. The main reason for switching to Slack was because they had an IRC gateway – you could connect to a Slack workspace with an IRC client, which allowed for the people who wanted to use IRC to do so, while providing a polished experience for those who were unfamiliar with IRC. https://ariadne.space/2021/07/01/bits-relating-to-alpine-security-initiatives-in-june/ Thu, 01 Jul 2021 00:00:00 +0000 https://ariadne.space/2021/07/01/bits-relating-to-alpine-security-initiatives-in-june/ As usual, I have been hard at work on various security initiatives in Alpine the past month. Here is what I have been up to: Alpine 3.14 release and remediation efforts in general Alpine 3.14.0 was released on June 15, with the lowest unpatched vulnerability count of any release in the past several years. https://ariadne.space/2021/06/25/understanding-thread-stack-sizes-and-how-alpine-is-different/ Fri, 25 Jun 2021 00:00:00 +0000 https://ariadne.space/2021/06/25/understanding-thread-stack-sizes-and-how-alpine-is-different/ From time to time, somebody reports a bug to some project about their program crashing on Alpine. Usually, one of two things happens: the developer doesn’t care and doesn’t fix the issue, because it works under GNU/Linux, or the developer fixes their program to behave correctly only for the Alpine case, and it remains silently broken on other platforms. https://ariadne.space/2021/06/14/the-end-of-freenode/ Mon, 14 Jun 2021 00:00:00 +0000 https://ariadne.space/2021/06/14/the-end-of-freenode/ My first experience with IRC was in 1999. I was in middle school, and a friend of mine ordered a Slackware CD from Walnut Creek CDROM. This was Slackware 3.4, and contained the GNOME 1.x desktop environment on the disc, which came with the BitchX IRC client. At first, I didn’t really know what BitchX was, I just thought it was a cool program that displayed random ascii art, and then tried to connect to various servers. https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/ Tue, 08 Jun 2021 00:00:00 +0000 https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/ Anybody who has the responsibility of maintaining a cluster of systems knows about the vulnerability remediation lifecycle: vulnerabilities are discovered, disclosed to vendors, mitigated by vendors and then consumers deploy the mitigations as they update their systems. In the proprietary software world, the deployment phase is colloquially known as Patch Tuesday, because many vendors release patches on the second and fourth Tuesday of each month. https://ariadne.space/2021/06/06/actually-bsd-kqueue-is-a-mountain-of-technical-debt/ Sun, 06 Jun 2021 00:00:00 +0000 https://ariadne.space/2021/06/06/actually-bsd-kqueue-is-a-mountain-of-technical-debt/ A side effect of the whole freenode kerfluffle is that I’ve been looking at IRCD again. IRC, is of course a very weird and interesting place, and the smaller community of people who run IRCDs are largely weirder and even more interesting. However, in that community of IRCD administrators there happens to be a few incorrect systems programming opinions that have been cargo culted around for years. https://ariadne.space/2021/06/04/a-slightly-delayed-monthly-status-update/ Fri, 04 Jun 2021 00:00:00 +0000 https://ariadne.space/2021/06/04/a-slightly-delayed-monthly-status-update/ A few weeks ago, I announced the creation of a security response team for Alpine, of which I am presently the chair. Since then, the team has been fully chartered by both the previous Alpine core team, and the new Alpine council, and we have gotten a few members on board working on security issues in Alpine. https://ariadne.space/2021/05/20/the-whole-freenode-kerfluffle/ Thu, 20 May 2021 00:00:00 +0000 https://ariadne.space/2021/05/20/the-whole-freenode-kerfluffle/ But the thing is IRC has always been a glorious thing. The infra has always been sponsored by companies or people. But the great thing about IRC is you can always vote and let the networks and world know which you choose - by using /server. — Andrew Lee (rasengan), chairman of freenode limited https://ariadne.space/2021/05/18/alpineconf-2021-recap/ Tue, 18 May 2021 00:00:00 +0000 https://ariadne.space/2021/05/18/alpineconf-2021-recap/ Last weekend was AlpineConf, the first one ever. We held it as a virtual event, and over 700 participants came and went during the weekend. Although there were many things we learned up to and during the conference that could be improved, I think that the first AlpineConf was a great success! https://ariadne.space/2021/05/05/using-qemu-user-emulation-to-reverse-engineer-binaries/ Wed, 05 May 2021 00:00:00 +0000 https://ariadne.space/2021/05/05/using-qemu-user-emulation-to-reverse-engineer-binaries/ QEMU is primarily known as the software which provides full system emulation under Linux’s KVM. Also, it can be used without KVM to do full emulation of machines from the hardware level up. Finally, there is qemu-user, which allows for emulation of individual programs. That’s what this blog post is about. https://ariadne.space/2021/04/27/the-various-ways-to-check-if-an-integer-is-even/ Tue, 27 Apr 2021 00:00:00 +0000 https://ariadne.space/2021/04/27/the-various-ways-to-check-if-an-integer-is-even/ You have probably seen this post on Twitter by now: But actually, the way most people test whether a number is even is wrong. It’s not your fault, computers think differently than we do. And in most cases, the compiler fixes your mistake for you. But it’s been a long day of talking about Alpine governance, so I thought I would have some fun. https://ariadne.space/2021/04/25/why-apk-tools-is-different-than-other-package-managers/ Sun, 25 Apr 2021 00:00:00 +0000 https://ariadne.space/2021/04/25/why-apk-tools-is-different-than-other-package-managers/ Alpine as you may know uses the apk-tools package manager, which we built because pre-existing package managers did not meet the design requirements needed to build Alpine. But what makes it different, and why does that matter? apk add and apk del manipulate the desired state In traditional package managers like dnf and apt, requesting the installation or removal of packages causes those packages to be directly installed or removed, after a consistency check. https://ariadne.space/2021/04/20/building-a-security-response-team-in-alpine/ Tue, 20 Apr 2021 00:00:00 +0000 https://ariadne.space/2021/04/20/building-a-security-response-team-in-alpine/ Starting this past month, thanks to the generous support of Google and the Linux Foundation, instead of working on the usual Alpine-related consulting work that I do, I’ve had the privilege of working on various initiatives in Alpine relating to security that we’ve needed to tackle for a long time. Some things are purely technical, others involve formulating policy, planning and recruiting volunteers to help with the security effort. https://ariadne.space/2021/04/15/a-tale-of-two-envsubst-implementations/ Thu, 15 Apr 2021 00:00:00 +0000 https://ariadne.space/2021/04/15/a-tale-of-two-envsubst-implementations/ Yesterday, Dermot Bradley brought up in IRC that gettext-tiny’s lack of an envsubst utility could be a potential problem, as many Alpine users use it to generate configuration from templates. So I decided to look into writing a replacement, as the tool did not seem that complex. That rewrite is now available on GitHub, and is already in Alpine testing for experimental use. https://ariadne.space/2021/04/06/a-brief-history-of-configuration-defined-image-builders/ Tue, 06 Apr 2021 00:00:00 +0000 https://ariadne.space/2021/04/06/a-brief-history-of-configuration-defined-image-builders/ When you think of a configuration-defined image builder, most likely you think of Docker (which builds images for containers). But before Docker, there were several other projects, all of which came out of a vibrant community of Debian-using sysadmins looking for better ways to build VM and container images, which lead to a series of projects that built off each other to build something better. https://ariadne.space/2021/03/30/cryptocurrencies-from-10000-feet-the-good-the-bad-and-the-fixes/ Tue, 30 Mar 2021 00:00:00 +0000 https://ariadne.space/2021/03/30/cryptocurrencies-from-10000-feet-the-good-the-bad-and-the-fixes/ I’ve followed cryptocurrency for a long time. The first concept I read about was Hashcash, which was a mechanism designed to reduce e-mail spam by acting as a sort of “stamp”. The proof of work concept introduced by Hashcash of course lead to Bitcoin, which lead to Ethereum and the other popular Proof of Work consensus blockchain-based cryptocurrency platforms out in the world today. https://ariadne.space/2021/03/25/lets-build-a-new-service-manager-for-alpine/ Thu, 25 Mar 2021 00:00:00 +0000 https://ariadne.space/2021/03/25/lets-build-a-new-service-manager-for-alpine/ Update (April 27): Please visit Laurent’s website on this issue for a more detailed proposal. If you work at a company which has budget for this, please get in touch with him directly. As many of you already know, Alpine presently uses an fairly modified version of OpenRC as its service manager. https://ariadne.space/2021/03/23/why-rms-should-not-be-leading-the-free-software-movement/ Tue, 23 Mar 2021 00:00:00 +0000 https://ariadne.space/2021/03/23/why-rms-should-not-be-leading-the-free-software-movement/ Earlier today, I was invited to sign the open letter calling for the FSF board to resign, which I did. To me, it was obvious to sign the letter, which on it’s own makes a compelling argument for why RMS should not be an executive director at FSF. But I believe there is an even more compelling reason. https://ariadne.space/2021/03/21/nfts-a-scam-that-artists-should-avoid/ Sun, 21 Mar 2021 00:00:00 +0000 https://ariadne.space/2021/03/21/nfts-a-scam-that-artists-should-avoid/ Non-fungible tokens (NFTs) are the latest craze being pitched toward the artistic communities. But, they are ultimately a meaningless token which fails to accomplish any of the things artists are looking for in an NFT-based solution. Let me explain… So, What are NFTs? Non-fungible tokens are a form of smart contracts (program) which runs on a decentralized finance platform. https://ariadne.space/2021/03/21/the-end-of-a-short-era/ Sun, 21 Mar 2021 00:00:00 +0000 https://ariadne.space/2021/03/21/the-end-of-a-short-era/ Earlier this year, I started a project called Jejune and migrated my blog to it. For various reasons, I have decided to switch to WordPress instead. The main reason why is because WordPress has plugins which do everything I wanted Jejune to do, so using an already established platform provides more time for me to work on my more important projects. https://ariadne.space/2019/10/21/using-otp-asn.1-support-with-elixir/ Mon, 21 Oct 2019 00:00:00 +0000 https://ariadne.space/2019/10/21/using-otp-asn.1-support-with-elixir/ The OTP ecosystem which grew out of Erlang has all sorts of useful applications included with it, such as support for encoding and decoding ASN.1 messages based on ASN.1 definition files. I recently began work on Cacophony, which is a programmable LDAP server implementation, intended to be embedded in the Pleroma platform as part of the authentication components. https://ariadne.space/2019/10/11/demystifying-bearer-capability-uris/ Fri, 11 Oct 2019 00:00:00 +0000 https://ariadne.space/2019/10/11/demystifying-bearer-capability-uris/ Historically, there has been a practice of combining URIs with access tokens containing sufficient entropy to make them difficult to brute force. A few different techniques have been implemented to do this, but those techniques can be considered implementation specific. One of the earliest and most notable uses of this technique can be observed in the Second Life backend APIs. https://ariadne.space/2019/10/02/leveraging-json-ld-compound-typing-for-behavioural-hinting-in-activitypub/ Wed, 02 Oct 2019 00:00:00 +0000 https://ariadne.space/2019/10/02/leveraging-json-ld-compound-typing-for-behavioural-hinting-in-activitypub/ ActivityStreams provides for a multitude of different actor and object types, which ActivityPub capitalizes on effectively. However, neither ActivityPub nor ActivityStreams provide a method for hinting how a given actor or object should be interpreted in the vocabulary. The purpose of this blog post is to document how the litepub community intends to provide behavioural hinting in ActivityPub, as well as demonstrate an edge case where behavioural hinting is useful. https://ariadne.space/2019/09/19/introducing-lvis-a-programmable-audio-visualizer/ Thu, 19 Sep 2019 00:00:00 +0000 https://ariadne.space/2019/09/19/introducing-lvis-a-programmable-audio-visualizer/ One of my areas of interest in multimedia coding has always been writing audio visualizers. Audio visualizers are software which take audio data as input, run various equations on it and use the results of those equations to render visuals. You may remember from your childhood using WinAmp to listen to music. https://ariadne.space/2019/09/08/libreplayer-toward-a-generic-interface-for-replayer-cores-and-music-players/ Sun, 08 Sep 2019 00:00:00 +0000 https://ariadne.space/2019/09/08/libreplayer-toward-a-generic-interface-for-replayer-cores-and-music-players/ I’ve been taking a break from focusing on fediverse development for the past couple of weeks — I’ve done some things, but it’s not my focus right now because I’m waiting for Pleroma’s develop tree to stabilize enough to branch it for the 1.1 stable releases. So, I’ve been doing some multimedia coding instead. https://ariadne.space/2019/07/13/federation-what-flows-where-and-why/ Sat, 13 Jul 2019 00:00:00 +0000 https://ariadne.space/2019/07/13/federation-what-flows-where-and-why/ With all of the recent hullabaloo with Gab, and then, today Kiwi Farms joining the fediverse, there has been a lot of people asking questions about how data flows in the fediverse and what exposure they actually have. I’m not really particularly a fan of either of those websites, but that’s beside the point. https://ariadne.space/2019/06/28/what-is-ocap-and-why-should-i-care/ Fri, 28 Jun 2019 00:00:00 +0000 https://ariadne.space/2019/06/28/what-is-ocap-and-why-should-i-care/ OCAP refers to Object CAPabilities. Object Capabilities are one of many possible ways to achieve capability-based security. OAuth Bearer Tokens, for example, are an example of an OCAP-style implementation. In this context, OCAP refers to an adaptation of ActivityPub which utilizes capability tokens. But why should we care about OCAP? OCAP is a more flexible approach that allows for more efficient federation (considerably reduced cryptography overhead! https://ariadne.space/2019/04/28/software-does-not-make-a-product/ Sun, 28 Apr 2019 00:00:00 +0000 https://ariadne.space/2019/04/28/software-does-not-make-a-product/ Some fediverse developers approach project management from the philosophy that they are building a product in it’s own right instead of a tool. But does that approach really make sense for the fediverse? It’s that time again, patches have been presented which improve Mastodon’s compatibility with the rest of the fediverse. https://ariadne.space/2019/01/18/what-would-activitypub-look-like-with-capability-based-security-anyway/ Fri, 18 Jan 2019 00:00:00 +0000 https://ariadne.space/2019/01/18/what-would-activitypub-look-like-with-capability-based-security-anyway/ This is the third article in a series of articles about ActivityPub detailing the challenges of building a trustworthy, secure implementation of the protocol stack. In this case, it also does a significant technical deep dive into informally specifying a set of protocol extensions to ActivityPub. Formal specification of these extensions will be done in the Litepub working group, and will likely see some amount of change, so this blog entry should be considered non-normative in it’s entirety. https://ariadne.space/2019/01/10/activitypub-the-present-state-or-why-saving-the-worse-is-better-virus-is-both-possible-and-important/ Thu, 10 Jan 2019 00:00:00 +0000 https://ariadne.space/2019/01/10/activitypub-the-present-state-or-why-saving-the-worse-is-better-virus-is-both-possible-and-important/ This is the second article in a series that will be a fairly critical review of ActivityPub from a trust & safety perspective. Stay tuned for more. In our previous episode, I laid out some personal observations about implementing an AP stack from scratch over the past year. When we started this arduous task, there were only three other AP implementations in progress: Mastodon, Kroeg and PubCrawl (the AP transport for Hubzilla), so it has been a pretty significant journey. https://ariadne.space/2019/01/07/activitypub-the-worse-is-better-approach-to-federated-social-networking/ Mon, 07 Jan 2019 00:00:00 +0000 https://ariadne.space/2019/01/07/activitypub-the-worse-is-better-approach-to-federated-social-networking/ This is the first article in a series that will be a fairly critical review of ActivityPub from a trust & safety perspective. Stay tuned for more. In the modern day, myself and many other developers working on libre software have been exposed to a protocol design philosophy that emphasizes safety and correctness. https://ariadne.space/2018/12/30/the-case-for-blind-key-rotation/ Sun, 30 Dec 2018 00:00:00 +0000 https://ariadne.space/2018/12/30/the-case-for-blind-key-rotation/ ActivityPub uses cryptographic signatures, mainly for the purpose of authenticating messages. This is largely for the purpose of spoofing prevention, but as any observant person would understand, digital signatures carry strong forensic value. Unfortunately, while ActivityPub uses cryptographic signatures, the types of cryptographic signatures to use have been left unspecified. This has lead to various implementations having to choose on their own which signature types to use. https://ariadne.space/2018/11/12/pleroma-litepub-activitypub-and-json-ld/ Mon, 12 Nov 2018 00:00:00 +0000 https://ariadne.space/2018/11/12/pleroma-litepub-activitypub-and-json-ld/ A lot of people make assumptions about my position on whether or not JSON-LD is actually good or not. The reality is that my view is more nuanced than that: there are great uses for JSON-LD, but it’s not appropriate in the scenario it is used in ActivityPub. What is JSON-LD anyway? https://ariadne.space/2014/12/26/do-not-use-or-provide-dh-aes-or-dh-blowfish-for-sasl/ial-authentication/ Fri, 26 Dec 2014 00:00:00 +0000 https://ariadne.space/2014/12/26/do-not-use-or-provide-dh-aes-or-dh-blowfish-for-sasl/ial-authentication/ Atheme 7.2 dropped support for the DH-AES and DH-BLOWFISH mechanisms. This was for very good reason. At the time that DH-BLOWFISH was created, IRC was a very different place… SSL was not ubiquitous, and it was thought that having some lightweight encryption on the authentication exchange might be useful, without opening services to a DoS vector. https://ariadne.space/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://ariadne.space/about/ Friendly greetings! I’m Ariadne Conill, the operator of this website. I have spent the majority of my life hacking on free software. My work includes starting the IRCv3 project, writing a lot of the code commonly used on IRC servers, writing Audacious (a popular music player for Unix-like systems), libucontext, pkgconf, ifupdown-ng and several other key components of the Alpine Linux system. https://ariadne.space/specs/elf-references/ Mon, 01 Jan 0001 00:00:00 +0000 https://ariadne.space/specs/elf-references/ This specification is a work in progress, and has not been submitted to any standards body for peer review. Do not use this specification in any production capacity. Abstract This section is non-normative. Identifying the provenance of binary software components is an important topic in the software servicing lifecycle with numerous use-cases.