April is usually tax season for most people in Norway, and as I got some “money back on the skætt” I wound up purchasing an OpenWrt One to replace my 13-14 year old Asus router. I’ve been meaning to learn a bit more about networking in general and getting an OpenWrt router seemed like a fun project. Last year I bought a Beryl AX from GL-Inet as I was travelling for a few weeks.| Morten Linderud
The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features. After being a bit inspired by some ideas from people at work, the hackerspace and toots on Mastodon, I figured out an SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.
Okay, sorry for the clickbait. NixOS is not reproducible according to the Reproducible Builds definition. I keep reading people making this claim repeatedly on orange-site, even LWN.net made a similar claim when writing about Nix and Guix earlier this week.1 Along with their recently launched wiki. So, what is the Reproducible Builds definition?2 When is a build reproducible? A build is reproducible if given the same source code, build environment and build instructions, any party can recreat...
Let’s prefix this with: I really love Transparency Logs! It’s a fairly simple concept: if you hash elements together in a binary tree, you can validate and verify whether elements are present in the tree by hashing a couple of elements. This is what is commonly known as a Merkle tree. I forget the math, but if you have a tree with a million items, you would only really need less than 10 hashes (I think) to figure out what the hash of the top node would be.
Valve was kind enough to send Steam Deck devkits to Arch Linux maintainers and developers which gave us an opportunity to mess around with the device. Personally I find it a bit fun to mess around with video streaming, thus one of the first things I wanted to try to figure out was how I could stream the gamemode on the Steam Deck. Installing the OBS flatpak and adding it to the menu doesn’t actually work so we sadly have to be a bit more clever.
Chromecast is one of those devices I just generally use a lot. They are small, practical and enable me to stream video or music to my TV from multiple devices. But it also requires you to have a supported browser or video player. This is obviously a bit boring. There have been multiple command line Chromecast streamers through the years. But their ffmpeg usage has been shoddy at best with no hardware decoding support and usually quite bad implementations.
After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed up with “Filippo has ...
The past year I have been trying to learn more about the Trusted Platform Module (TPM). This is a small device found on most modern laptops that has several cool security features like key creation, sealing and attestation, however I have been struggling to find a small project where I can learn more about it. To my surprise I learned a couple of months ago that nobody has written a TPM plugin for age!
I have lately been trying to learn more about the Trusted Platform Module (TPM) as they are capable of key creation and sealing secrets in a secure manner. They are common hardware these days and make for a reasonable way to store secrets. age is a file encryption/decryption tool from Filippo Valsorda which a lot of people have been using to replace GnuPG for things like password-store. It has a few plugins doing things like storing keys on Yubikey, Trezor hardware wallets or the Apple Secur...
I have spent a fair amount of time hacking on debug packages the past two years. This work resulted in Arch Linux announcing the public debuginfod server which allows users to download symbols and source code to debug software running on their system. With this service users don’t need to figure out what the debug packages are called, install them and maybe remove them afterwards. It also saves a fair amount of data you need to download.
So, with the recent hipster attitude of posting a “State of *” every year, I thought I’d try and do it for something I have been contributing to for the past 6 months, Hy. Short introduction: Hy is a Lisp living off the Python world. It compiles down to Python’s AST and is completely bidirectional, you can import Hy into Python and vice versa seamlessly! It just works. Hy is also more portable than normal Python code.
What is Mailpile? [Mailpile](https://www.mailpile.is) is a mail client with a rather unusual goal in today’s world. It wants to be free, open-source, privacy oriented and easy to use with encryption. This all comes with the goal of being self-hosted. This is a contrast to Protonmail who still keeps all your information on their servers, making people with a slight trust issue look at you in a rather funny way. However, Protonmail and Mailpile are among several email providers in the wake of the ...
Arch Linux has been involved with the reproducible builds efforts since 2016. The goal is to achieve deterministic building of software packages to enhance the security of the distribution. After almost 3 years of continued effort, along with the release of pacman 5.2 and contributions from a lot of people, we are finally able to reproduce packages distributed by Arch Linux! This enables users to build packages and compare them with the ones distributed by the Arch Linux team.
With the release of 3.20, LXD was included into the community repository of Arch Linux in January, and has currently been sitting there happily for the past months. LXD is a container manager from Canonical that manages containers as if they were independent machines in a cluster. I have somehow taken to calling them “containers-as-machines”. This is in contrast to podman and docker which would be “containers-as-applications”. Think of lxd as ganeti, but for containers.
Secure boot tooling is terrible, can we do better? Currently the most widely used tooling for secure boot is the Ubuntu sbsigntools and efitools. If you are currently using secure boot both of these packages are probably installed on your system. Both of them support the basics of generating signature lists and signing the EFI variables with certificates, but they still have differences which is a source of confusion. efitools has 3 different ways of generating signature lists: cert-to-efi-ha...
I wanted to start writing these for myself as I have been reading quite a few monthly reports from Chris Lamb and other Debian contributors. They make for interesting content for readers curious about what distribution maintainers do during a month, and motivation for myself as not everything one does is visible work. I’ll try to have some sort of structure with them, by starting off with the menial tasks, and add the meeting notes and misc contributions at the bottom.
The Problem Someone enters an IRC support channel and proclaims their dovecot server has been hacked and a non-existent user sends spam email from their server. The initial reaction might be something along the lines of Wat ಠ_ಠ With the following assumption that the user clearly did something wrong. Hosting email is difficult after all. I don’t quite recall how the rest of the support went, but it was solved and the root cause was not found.
Second month of doing these posts. In short not much has been happening the past weeks, but that would be a slight lie. I have sponsored rgacogne’s Trusted User application. The application was posted to the mailing list, and it’s currently being voted on and will be decided within a week’s time. There has also been some discussion for years about bringing debug packages into Arch. This has largely been stalled but I brought it back to life again.
Arch Linux got kubernetes packaged into the [community] repository the past week with the hard work of David Runge. I contributed to testing the packages so I thought it would be interesting to write up quickly the testing that was done. Originally I did the testing with docker but with the dockershim deprecation I rewrote the blog to utilize containerd instead. David has reworked the kubernetes archwiki article as well. It currently doesn’t cover all use cases and contributions are welcome.
End of the year and third blog post! Hope everyone has had a nice New Year’s Eve :) The first news of the month is that Remi Gacogne was accepted as Trusted User. Congratulations to him and super exciting. Other than that I have had a meeting with the devops team discussing how we should implement the debuginfod system on our infrastructure. I have written up the ansible role for debuginfod and it was more or less decided that we want to host it on a small VPS for the service itself, and sync ...
And January is over! Time has frankly been moving fast the past days. Packaging wise, things have been fine. Added tailscale and some other minor packages, but had a real purge of old packages from resigned maintainers. Also dropped ntop to the AUR, which hasn’t been actively developed for years at this point. I’m curious when people are going to bug me about that one :) On the security side of things there has been quite a lot happening just the past week.
Yo! New month, new update! The start of this month was marked with FOSDEM! I held a talk about secure boot and the tooling stuff I have written, sbctl. It’s a tool to help you manage secure boot keys and signing files. With help from sbsigntools it also does live enrollment of keys. The talk went great (I think) and it was fun to see how FOSDEM pulled off the conference with matrix and jitsi.
Yoooo! Another month has passed which means another status update. The python2 removal has been steady and several packages have been removed this month. Currently a query for python2 on archweb returns 139 matches. At the start of the month it was around 160-170. Progress! I have suggested we remove checkdepends on python2 packages to ease the cleanup of dependency cycles. The response has been lukewarm at best so we’ll see how that progresses.
Yo! Hope people have had a lovely spring. This month has passed quickly! I have put off writing the monthly post because I was busy with a weekend project. My master thesis was about how to apply transparency logs and reproducible builds to give package rebuilders the ability to produce tamper evident logs. This is handy since any one package build can easily be proven to be part of the log, and you can very easily fill in the history from one point in time to another by hashing files in the...
A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub. The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53 This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot. The Boot Process: For the past decade most computers have two ways to boot.