The gnulib project publishes a git bundle as a stable archival copy of the gnulib git repository once in a while.| Simon Josefsson's blog
2025-07-13| www.fsij.org
When it comes to managing large volumes of data, health in general and health informatics in particular are at the top of the list. In this post I’d like to bring attention to how we can…| MeanMicio
After thinking about multi-stage Debian rebuilds I wanted to implement the idea. Recall my illustration: Earlier I rebuilt all packages that make up the difference between Ubuntu and Trisquel. It turned out to be a 42% bit-by-bit identical similarity. To Continue reading Building Debian in a GitLab Pipeline→| Simon Josefsson's blog
Remember the XZ Utils backdoor? One factor that enabled the attack was poor auditing of the release tarballs for differences compared to the Git version controlled source code. This proved to be a useful place to distribute malicious data.| Simon Josefsson's blog
Around a year ago I discussed two concerns with software release archives (tarball artifacts) that could be improved to increase confidence in the supply-chain security of software releases. Repeating the goals for simplicity:| Simon Josefsson's blog
Problem statement: I recently came across a situation in a project where I had the following code:

    struct FaultInfo final {
        uint32_t r0;
        uint32_t r1;
        // And all the other register state of a Cortex-M0+ processor
        // ...
        uint32_t crc;
    };
    [[gnu::section(".uninit")]] volatile FaultInfo fault_data;

I was using this static region of data to persist some fault information across reboots, to log it on the next boot after recovering from the fault.| AllThingsEmbedded
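The record-and-validate logic that such a struct needs, written out as an added example; this is not the post's code. It keeps the same idea (register snapshot in a non-initialised RAM region, trailing CRC) but the field set (pc, lr), the magic value, the choice of CRC-32 and the host-side simulation of the `.uninit` region are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example, not the post's code. A fault record that survives a reset
 * in an uninitialised RAM region, protected by a CRC so that cold-boot
 * garbage, a torn write, or a record from an older firmware layout is never
 * logged as a real fault. On the Cortex-M target the object would carry
 * __attribute__((section(".uninit"))) and the linker script would keep that
 * section out of the .bss clearing loop; here it is an ordinary static so
 * the logic runs on a host. Fields, magic and CRC choice are assumptions. */

#define FAULT_MAGIC 0x46415531u /* "FAU1": bump whenever the layout changes */

typedef struct {
    uint32_t magic;   /* layout/version tag, covered by the CRC */
    uint32_t r0;
    uint32_t r1;
    uint32_t pc;      /* assumed fields; the post keeps full register state */
    uint32_t lr;
    uint32_t crc;     /* CRC-32 over every byte before this field */
} FaultInfo;

/* Stand-in for the .uninit region on the host. */
static volatile FaultInfo fault_data;

/* Bitwise CRC-32 (IEEE 802.3, reflected, init and xorout 0xFFFFFFFF).
 * Reads through a volatile pointer so it can run over the live record. */
static uint32_t crc32_update(uint32_t crc, const volatile uint8_t *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t crc32(const void *buf, size_t n) { return crc32_update(0, buf, n); }

/* The CRC covers everything up to, not including, the crc field itself. */
#define FAULT_CRC_LEN offsetof(FaultInfo, crc)

/* Called from the fault handler with the captured registers. Fields are
 * written through the volatile object one by one and the CRC goes last, so
 * a reset in the middle of this function leaves an invalid (rejected) record. */
void fault_record(volatile FaultInfo *f, uint32_t r0, uint32_t r1,
                  uint32_t pc, uint32_t lr)
{
    f->magic = FAULT_MAGIC;
    f->r0 = r0; f->r1 = r1; f->pc = pc; f->lr = lr;
    f->crc = crc32_update(0, (const volatile uint8_t *)f, FAULT_CRC_LEN);
}

/* Called early on boot. Copies the record out and returns true only if
 * magic and CRC match; the record is then consumed so a crash loop does not
 * log the same fault forever (clearing magic also invalidates the CRC). */
bool fault_take(volatile FaultInfo *f, FaultInfo *out)
{
    if (f->magic != FAULT_MAGIC)
        return false;
    uint32_t want = crc32_update(0, (const volatile uint8_t *)f, FAULT_CRC_LEN);
    if (want != f->crc)
        return false;
    if (out) {
        out->magic = f->magic; out->r0 = f->r0; out->r1 = f->r1;
        out->pc = f->pc; out->lr = f->lr; out->crc = f->crc;
    }
    f->magic = 0;
    f->crc = 0;
    return true;
}

/* Host walk-through: cold boot with garbage, a fault, the next boot, and a
 * corrupted record. Returns 0 when every step behaves as required. */
int demo(void)
{
    FaultInfo rec;
    /* 1. Cold boot: the region holds whatever was in RAM; must be rejected. */
    fault_data.magic = 0xDEADBEEFu; fault_data.crc = 0x12345678u;
    if (fault_take(&fault_data, &rec)) return 1;
    /* 2. A fault occurs and the handler records it. */
    fault_record(&fault_data, 0x1, 0x2, 0x08001234u, 0x08000FFFu);
    /* 3. Warm reset: .uninit kept its contents, so the record is accepted... */
    if (!fault_take(&fault_data, &rec) || rec.pc != 0x08001234u) return 2;
    /* 4. ...and consumed, so the following boot sees nothing. */
    if (fault_take(&fault_data, &rec)) return 3;
    /* 5. A single flipped bit in a stored register is detected. */
    fault_record(&fault_data, 0x1, 0x2, 0x08001234u, 0x08000FFFu);
    fault_data.r1 ^= 0x80000000u;
    if (fault_take(&fault_data, NULL)) return 4;
    return 0;
}

int main(void) { return demo(); }
```

The magic field matters as much as the CRC: it lets a firmware update that changes the struct layout reject an old record instead of decoding it with the wrong offsets, and clearing it is the cheapest way to consume the record without touching every field.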
Last night I was running our usual Greybeard AMA on FreeBSD’s Discord server, when someone asked “I’ve been using Linux for years, but I also like FreeBSD. What can I do for FreeBSD, and what can FreeBSD do for me, as a Python Full Stack Developer?” I started talking about FreeBSD Jails, ZFS, Boot Environments […]| Antranig Vartanian
A comparison of GPL, LGPL, and AGPL licenses, examining their key differences, use cases, and impact on software development and distribution| Chris Short
I am using GitLab CI/CD pipelines for several upstream projects (libidn, libidn2, gsasl, inetutils, libtasn1, libntlm, …) and a long-time concern for these has been that there is too little testing on GNU Guix. Several attempts have been made, and earlier this year Ludo’ came really close to finishing this. My earlier effort to idempotently rebuild Debian recently led me to think about re-bootstrapping Debian. Since Debian is a binary distribution, it reuses earlier binary packages when ...| Simon Josefsson's blog
With the release of Libntlm version 1.8 the release tarball can be reproduced on several distributions. We also publish a signed minimal source-only tarball, produced by git-archive which is the same format used by Savannah, Codeberg, GitLab, GitHub and others. Continue reading Reproducible and minimal source-only tarballs→| Simon Josefsson's blog
While the work to analyze the xz backdoor is in progress, several ideas have been suggested to improve the software supply chain ecosystem. Some of those ideas are good, some of the ideas are at best irrelevant and harmless, and Continue reading Towards reproducible minimal source code tarballs? On *-src.tar.gz→| Simon Josefsson's blog
The release notes for Trisquel 11.0 “Aramo” mention support for POWER and ARM architectures, however the download area only contains links for x86, and forum posts suggest there is a lack of instructions how to run Trisquel on non-x86. Since Continue reading Trisquel on ppc64el: Talos II→| Simon Josefsson's blog
A personal reflection on how I moved from my Debian home to find two new homes with Trisquel and Guix for my own ethical computing, and while doing so settled my dilemma about further Debian contributions. Debian‘s contributions to the Continue reading Coping with non-free software in Debian→| Simon Josefsson's blog
Let’s reflect on some of my recent work that started with understanding Trisquel GNU/Linux, improving transparency into apt-archives, working on reproducible builds of Trisquel, strengthening verification of apt-archives with Sigstore, and finally thinking about security device threat models. A theme Continue reading How To Trust A Machine→| Simon Josefsson's blog
As suggested in my initial announcement of apt-sigstore my plan was to look into stronger uses of Sigstore than rekor, and I’m now happy to announce that the apt-cosign plugin has been added to apt-sigstore and the operational project debdistcanary Continue reading Sigstore for Apt Archives: apt-cosign→| Simon Josefsson's blog
Do you want your apt-get update to only ever use files whose hash checksum have been recorded in the globally immutable tamper-resistance ledger rekor provided by the Sigstore project? Well I thought you’d never ask, but now you can, thanks Continue reading Sigstore protects Apt archives: apt-verify & apt-sigstore→| Simon Josefsson's blog
The absolute number may not be impressive, but what I hope is at least a useful contribution is that there actually is a number on how much of Trisquel is reproducible. Hopefully this will inspire others to help improve the actual metric.| Simon Josefsson's blog
Ever wondered how Trisquel and Ubuntu differ and what’s behind the curtain from a developer perspective? I have. Sharing what I’ve learnt will allow you to increase knowledge and trust in Trisquel too. The scripts to convert an Ubuntu archive Continue reading Understanding Trisquel→| Simon Josefsson's blog
I’m migrating some self-hosted virtual machines to Trisquel, and noticed that Trisquel does not offer cloud-images similar to the Debian Cloud and Ubuntu Cloud images. Thus my earlier approach based on virt-install --cloud-init and cloud-localds does not work with Trisquel. Continue reading Preseeding Trisquel Virtual Machines Using “netinst” Images→| Simon Josefsson's blog
I’m about to migrate to a new laptop, having done a brief pre-purchase review of options on Fosstodon and reaching a decision to buy the NovaCustom NV41. Given the rapid launch and decline of Mastodon instances, I thought I’d better Continue reading How to complicate buying a laptop→| Simon Josefsson's blog
To protect web resources with Kerberos you may use Apache HTTPD with mod_auth_gssapi — however, all web scripts (e.g., PHP) run under Apache will have access to the Kerberos long-term symmetric secret credential (keytab). If someone can get it, they Continue reading Privilege separation of GSS-API credentials for Apache→| Simon Josefsson's blog
GSS-API is a standardized framework that is used by applications to, primarily, support Kerberos V5 authentication. GSS-API is standardized by IETF and supported by protocols like SSH, SMTP, IMAP and HTTP, and implemented by software projects such as OpenSSH, Exim, Continue reading Towards pluggable GSS-API modules→| Simon Josefsson's blog
I have been using Replicant on the Samsung SIII I9300 for over two years. I have written before on taking a backup of the phone using rsync but recently I automated my setup as described below. This work was prompted Continue reading Automatic Replicant Backup over USB using rsync→| Simon Josefsson's blog
Colin Percival and I have worked on an internet-draft on scrypt for some time. I realize now that the -00 draft was published over two years ago, turning this effort today somewhat into archeology rather than rocket science. Still, having Continue reading Scrypt in IETF→| Simon Josefsson's blog
I’m in the process of moving to a new OpenPGP key, and I want to include a small JPEG image of myself in it. The OpenPGP specification describes, in section 5.12.1 of RFC 4880, how an OpenPGP packet can contain Continue reading Creating a small JPEG photo for your OpenPGP key→| Simon Josefsson's blog
For the past weeks I have been working on implementing RFC 6030, also known as Portable Symmetric Key Container (PSKC). So what is PSKC? The Portable Symmetric Key Container (PSKC) format is used to transport and provision symmetric keys to Continue reading Portable Symmetric Key Container (PSKC) Library→| Simon Josefsson's blog
I have several backup servers that run the excellent rsnapshot software, which uses Secure Shell (SSH) for remote access. The SSH private key of the backup server can be a weak link in the overall security. To see how it Continue reading Unattended SSH with Smartcard→| Simon Josefsson's blog
I am happy to announce a project that I have been working quietly on for about a year: the OATH Toolkit. OATH stands for Open AuTHentication and is an organization that specifies standards around authentication. That is a pretty broad Continue reading Introducing the OATH Toolkit→| Simon Josefsson's blog
I have finished the SCRAM implementation in GNU SASL. The remaining feature to be added was support for the “enhanced” SCRAM-SHA-1-PLUS variant instead of just the normal SCRAM-SHA-1 mechanism. The difference is that the latter supports channel bindings to TLS, Continue reading GNU SASL with SCRAM-SHA-1-PLUS→| Simon Josefsson's blog
I have blogged about GNU SASL and GS2-KRB5 with the native Kerberos on Mac OS X before, so the next logical step has been to support GS2-KRB5 on Windows through MIT Kerberos for Windows (KfW). With the latest release of Continue reading GS2-KRB5 using GNU SASL and MIT Kerberos for Windows→| Simon Josefsson's blog
I have worked in the IETF on the specification for the next generation GSSAPI-to-SASL bridge called GS2 (see my status page for background) for a couple of years now. The specification is (finally!) in the RFC editor’s queue, and is Continue reading GS2-KRB5 in GNU SASL 1.5.0→| Simon Josefsson's blog
At FSCONS I met Stian Rødven Eide who is doing a series of fellowship interviews for FSF Europe. He recently posted an interview with me.| Simon Josefsson's blog
Last night at FSCONS I was awarded the Nordic Free Software Award, sharing the prize with Daniel Stenberg who incidentally (or perhaps not) I have been collaborating with on some projects. Receiving a prize like this is a great motivator and I feel humbled when thinking about the many excellent hackers that were attending the FSCONS that cheered me on. Thank you everyone.| Simon Josefsson's blog
I have read Russel Coker’s nice article on identifying use of thread unsafe functions. This reminded me of a script I wrote a long time ago that is part of GNU SASL‘s regression suite: threadsafety. As you can see, my Continue reading Thread Safe Functions→| Simon Josefsson's blog
FSCONS / Nordic Free Software Award Nomination| Simon Josefsson's blog
Inspired by my own OWASP Sweden chapter talk last night, I learned more about Cyclomatic Code Complexity and did some practical experiments. Cyclomatic Code Complexity was described by Thomas J. McCabe in 1976. Read the Wikipedia entry for the entire Continue reading Cyclomatic Code Complexity→| Simon Josefsson's blog
If you are using ssh private/public keypair authentication, and get an almost immediate error like below:

    $ ssh -i id_rsa.pub myuser@a.b.c.d -p 22
    Received disconnect from a.b.c.d port 22:2: Too many authentication failures
    Disconnected from a.b.c.d port 22

Then try again using the ‘IdentitiesOnly‘ option.

    ssh -o 'IdentitiesOnly yes' -i id_rsa.pub myuser@a.b.c.d -p 22

The ... Bash: fixing “Too many authentication failures” for ssh with private key authentication| Fabian Lee : Software Engineer
If you need to test for a file’s existence, content size, and whether it was recently modified, the ‘find‘ utility can provide this functionality in a single call. One scenario for this usage might be the cached results from a remote service call (database, REST service, etc). If fetching these results was a relatively costly ... Bash: testing if a file exists, has content, and is recently modified| Fabian Lee : Software Engineer
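The single-call check described above, carried through to the cached-remote-result scenario, as an added example that is not code from the original post. The function names, the argument order and the atomic rename in the refresh path are this example's own choices; the test values referenced in the flags (`-size +0c`, `-mmin`) are GNU/BSD find options.

```sh
#!/bin/sh
# Added example, not code from the original post. One find invocation decides
# whether a cached result file can be reused: it must exist, be a regular
# file (symlinks and directories are rejected because -L is not given),
# contain at least one byte, and have been modified less than MAX_AGE_MIN
# minutes ago. find prints the path only when every test passes, so a
# non-empty result means "usable".

# cache_is_fresh FILE MAX_AGE_MIN -> exit status 0 when usable, 1 otherwise.
cache_is_fresh() {
    # -maxdepth 0 keeps find on the path itself instead of descending into
    # a directory handed to it by mistake.
    [ -n "$(find "$1" -maxdepth 0 -type f -size +0c -mmin "-$2" 2>/dev/null)" ]
}

# cached_fetch FILE MAX_AGE_MIN CMD... -> prints the cached content, running
# CMD to regenerate the file first when the cache is missing, empty or stale.
# CMD stands in for the costly remote call. New content goes to a temp file
# that is renamed into place, so a concurrent reader never sees a partially
# written cache, which -size +0c alone would happily accept.
cached_fetch() {
    file=$1; max_age=$2; shift 2
    if ! cache_is_fresh "$file" "$max_age"; then
        tmp=$(mktemp "$file.XXXXXX") || return 1
        "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
        mv -f "$tmp" "$file"
    fi
    cat "$file"
}
```

Note what the mtime test does and does not buy you: `-mmin` is a freshness check based on a timestamp anyone with write access to the file can set with `touch`, so it is no substitute for validating the cached content itself.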
The Jérôme Lejeune Foundation adopts GNU Health for the research and management of Trisomy 21 and other intellectual disabilities of genetic origin.| MeanMicio