Re: Amending RFC40 to remove custom 0BSD license

2025-01-06 Thread kpcyrd
stem is enough work to warrant an interim solution. I've been doing this kind of copyright annotation work for Debian for just shy of about 300 packages and it's a heroic amount of work to do this for the entire operating system. cheers, kpcyrd

New supply-chain security tool: backseat-signed

2024-04-02 Thread kpcyrd
posed to give guidance on what to code review. This is also why I think code signing by upstream is somewhat low priority, since the big distros can form consensus around "what's the source code" regardless. https://github.com/kpcyrd/backseat-signed The README shows how to veri

Arch Linux minimal container userland 100% reproducible - now what?

2024-03-20 Thread kpcyrd
epro-env[4] that I'm currently trying to land[5] in ubuntu 24.04 LTS, but is blocked by Debian's libnettle[6].

[4]: https://github.com/kpcyrd/repro-env
[5]: https://tracker.debian.org/pkg/rust-repro-env
[6]: https://tracker.debian.org/pkg/nettle

cheers, kpcyrd

Revising Go packaging guidelines (2024)

2024-03-18 Thread kpcyrd
ly any memory-corruption-based exploits for Go software.

## Motivation

- Most of our Go software is currently not reproducible due to Cgo, including core/libcap, which is the last unreproducible package in docker.io/library/archlinux
- The barrier for packaging Go in Arch Linux is currently somewhat high (compared to e.g. packaging Rust), the guideline requires too much interpretation and could be improved
- Quirks that are only needed for old Go projects (like 2.1.1) should be listed towards the end instead of being the first code block in the guideline

---

cheers, kpcyrd

Forensic tool release: archlinux-userland-fs-cmp (reproducible pre-compiled binary available)

2024-01-31 Thread kpcyrd
hello,

I released a tool recently that I'd like to share with this list: https://github.com/kpcyrd/archlinux-userland-fs-cmp

It's supposed to be used from a rescue image (any Linux) with an Arch install mounted to e.g. /mnt. It does the following:

- Open /mnt/var/lib/pacman and e

git 2.38.0: Change in `git archive` output

2022-10-16 Thread kpcyrd
t/4f4be00d302bc52d0d9d5a3d4738bb525066c710 I don't know if there's some kind of gzip standard that could be used to align the git internal gzip implementation with gnu gzip. I'm not saying this is necessarily a bug or regression, but it makes it harder to reproduce github tarballs from a git repository. Just sharing what I've debugged. :) cheers, kpcyrd

Public release: updlockfiles 0.1.0

2022-10-16 Thread kpcyrd
dependencies. Announcement blog post: https://vulns.xyz/2022/10/updlockfiles/ Repository: https://github.com/kpcyrd/updlockfiles cheers, kpcyrd

auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread kpcyrd
ohai! I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum: https://vulns.xyz/2022/05/auth-tarball-from-git/ Let me know what you think - that's all, kpcyrd