After thinking about multi-stage Debian rebuilds I wanted to implement the idea. Recall my illustration: Earlier I rebuilt all packages that make up the difference between Ubuntu and Trisquel. It turned out to be a 42% bit-by-bit identical similarity. To … Continue reading: Building Debian in a GitLab Pipeline →| Simon Josefsson's blog
Remember the XZ Utils backdoor? One factor that enabled the attack was poor auditing of the release tarballs for differences compared to the Git version-controlled source code. This proved to be a useful place to distribute malicious data.| Simon Josefsson's blog
I rebuilt (the top-50 popcon) Debian and Ubuntu packages, on amd and arm64, and compared the results a couple of months ago. Since then the Reproduce.Debian.net effort has been launched. Unlike my small experiment, that effort is a full-scale rebuild … Continue reading: On Binary Distribution Rebuilds →| Simon Josefsson's blog
Around a year ago I discussed two concerns with software release archives (tarball artifacts) that could be improved to increase confidence in the supply-chain security of software releases. Repeating the goals for simplicity:| Simon Josefsson's blog
On a new-to-me ThinkPad T440p, I’ve had the worst time with the TrackPoint. First, the stock configuration has a horrible touchpad - which shouldn’t matter if you don’t use the touchpad, but the horribleness of it is that the physical buttons that should be on the top of the touchpad, and are on the touchpads of models preceding and following the **40 line, are not there. But one can replace it, and so I did. The T440p is nice in that servicing the fan and other internals of the machine...| The Neo-Babbage Files
I am using GitLab CI/CD pipelines for several upstream projects (libidn, libidn2, gsasl, inetutils, libtasn1, libntlm, …) and a long-time concern for these has been that there is too little testing on GNU Guix. Several attempts have been made, and earlier this year Ludo’ came really close to finishing this. My earlier effort to idempotently rebuild Debian recently led me to think about re-bootstrapping Debian. Since Debian is a binary distribution, it re-uses earlier binary packages when ...| Simon Josefsson's blog
A personal reflection on how I moved from my Debian home to find two new homes with Trisquel and Guix for my own ethical computing, and while doing so settled my dilemma about further Debian contributions. Debian's contributions to the … Continue reading: Coping with non-free software in Debian →| Simon Josefsson's blog
Let’s reflect on some of my recent work that started with understanding Trisquel GNU/Linux, improving transparency into apt-archives, working on reproducible builds of Trisquel, strengthening verification of apt-archives with Sigstore, and finally thinking about security device threat models. A theme … Continue reading: How To Trust A Machine →| Simon Josefsson's blog
While my first impression of Guix 1.4rc2 on NV41PZ was only days ago, the final Guix 1.4 release has happened. I thought I should give it a second try, although being at my summer house with no wired ethernet I … Continue reading: Second impressions of Guix 1.4 →| Simon Josefsson's blog
On the shortlist of things to try on my new laptop has been Guix. I have been using Guix on my rsnapshot-based backup server since 2018, and experimented using it on a second laptop but never on my primary daily … Continue reading: Guix 1.4 on NV41PZ →| Simon Josefsson's blog
One particularly powerful aspect of Clojure is that it allows you to use Java features without actually writing any Java. And the best way to get...| stumbles.id.au
By Christopher Allan Webber on| mediagoblin.org
It's still early days for Guix's guix deploy, but it may well be my server deployment tool of the future. I'm quite excited! guix deploy promises...| stumbles.id.au