[politics] Digital independence is nice and everything, but if the USA invasion of Europe starts a war, do I lose my .org domain due to not being able to renew? #diday #digitalsovereignty

My #2026 resolution was field-testing sha256 git repos and I converted one of my minor projects, but since Github only supports sha1 I've moved the repository to codeberg: https://codeberg.org/kpcyrd/ssh-keyonly Everything else worked well. I'm also mirroring the repo to Arch Linux' Gitlab […]

I did a writeup of things I was working on in 2025: https://vulns.xyz/2025/12/2025-wrapped/

RE: https://fosstodon.org/@orhun/115775969492350970 haha, maybe I can finally do android development now

In other news, very happy to see the most popular #rust http client library is switching their default TLS implementation from OpenSSL to #Rustls. https://github.com/seanmonstar/reqwest/releases/tag/v0.13.0-rc.1

#netcat is both really popular with #linux users, but also quite the train-wreck. There's multiple mainstream implementations, they all have incompatible commandline interfaces, two of them have been unmaintained for 20 years and lack ipv6 support (netcat-traditional and gnu-netcat). Debian […]

Out of the 789 npm packages on the Sha1-Hulud list, only 4 have showed up in the dependency trees of any Linux operating system. Not in the affected versions, but ever. #supplychainsecurity #infosec

I've published a writeup about the ongoing `hashFiles` incident on #github Actions: https://lists.reproducible-builds.org/pipermail/rb-general/2025-November/003941.html #supplychainsecurity #infosec

The sudo-rs CVE-2025-64517 is all over the news, but it looks like it's not really exploitable in the wild? It's a very cool find and I'm glad it's fixed, but it's not the unconditional local-root that people seem to think it is? Going from www-data to root with this bug seems to be almost […]

While the bug in async-tar/tokio-tar dubbed #tarmageddon / CVE-2025-62518 is cool on a technical and code-correctness level, I'm calling bullshit on the #rce claim. It's a severe overstatement that isn't backed by the advisory. Processing a tar stream with a vulnerable version won't execute […]

In 2025 your options when making a website as a non-webdev person are "everybody is upset because it looks AI generated", "everybody is upset because it's bootstrap" and "everybody is upset because you decided the only css is going to be `body { background-color: #db7093; font-family: sans-serif […]

Friendly reminder that many pseudonymous opensource developers are well prepared and equipped for things like "end-to-end encrypted chat gets outlawed". The cypherpunk movement never really died, it just wasn't necessary while regulators acted mostly reasonable and there are in fact some things […]

I always feel a little fancy when I get to decide about random implementation details during my #debian adventures, like how this error should be handled. The code assumes an outdated API of the library, that returned either a list of certificates, or a […] [Original post on chaos.social]

Just found this option in Github repository settings :) Very happy this is getting emphasized.

For the memes, there's now an apt-swarm node running in Nepal: 38.54.71.220:16169 Joining my collection of "p2p nodes running in countries with active conflicts". https://map.apt-swarm.orca.toys/

Sticker in der Post!!

"Open Source is one Person" https://opensourcesecurity.io/2025/08-oss-one-person/

If you do #embedded #rust on the #rp2040 with elf2uf2-rs, and you struggle with the recent "Unrecognized ABI" error due to a change in Rust's elf header for `thumbv6m-none-eabi`, I've landed StripedMonkey's patch in both Arch Linux and Homebrew, so if you use those packages, things should work […]

I locked myself out of an account by: 1) starting the process to enable 2FA 2) saving the TOTP secret into bitwarden/vaultwarden 3) enter the confirm code and continue 4) the website askes me to "add a security question", which I didn't want to do, I cancel the setup 5) I delete the TOTP secret […]

When I did my first Debian install, I didn't see coming that a tool I authored would be explicitly mentioned in the Debian release notes ~15 years later. 🖤 https://www.debian.org/releases/trixie/release-notes/whats-new.en.html#debian-progress-towards-reproducible-builds

For future reference, to crack the passphrase of your gpg secret key: ``` progpick -e 'env GNUPGHOME=/backup/.gnupg/ gpg --batch --passphrase-fd 0 --pinentry-mode loopback --export-secret-keys YOUR_FINGERPRINT' "$(cat pattern.txt)" ```

Malware was recently found in some popular npm pkgs: https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack I checked the affected versions against the whatsrc.org dataset, while most of the packages (eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core […]

For transparency: my #archlinux signing key is expiring, and other packagers have kindly started re-uploading my pkgs with different sigs (also taking care of updates meanwhile). I struggle to jump through the necessary hoops to recover the pgp key needed to renew my subkey - I chose "better […]

I sell software to software companies that sell software to companies that make software.

I did a writeup of things I was working on in 2024: https://vulns.xyz/2024/12/2024-wrapped/