Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot; being gentle with myself, I’ll probably just permit myself to complete this list over the next couple of days.
I hate bragging, I try to not depend on external validation as much as possible, and being the anarcho-communist anti-capitalist that I am, I try to be content with knowing I’m “doing good in the background”. I don’t think people owe me for the work I did, I don’t expect anything in return, and it’s my way of giving back to the community and the people around me. Consider us even.
That being said, I:
* Uploaded 689 packages to Arch Linux
  * Most of which being reproducible, meaning I provably didn’t abuse my position of compiling the binaries
  * 59 of those are signal-desktop
  * 34 of those are metasploit
* Made 28 commits in Alpine Linux’ aports
  * 24 of those being package releases
* Made 43 uploads to Debian
  * All of them being related to my work in the debian-rust team, that I’ve been a part of since 2018
* Made 5 commits in NixOS’ nixpkgs
* Made 1 commit in homebrew-core
* Was one of the people involved in rolling out `_FORTIFY_SOURCE=3` compiler hardening in Arch Linux, for the entire operating system. I wrote lists, tools, patches and my work got me quoted in an “Additional Considerations” section of the OpenSSF compiler hardening guide for C and C++. There are now more, stricter buffer-overflow checks at runtime that hopefully make your computer harder to exploit in 2025.
* Was one of the people behind the launch of `reproduce.debian.net` which is analogous to `reproducible.archlinux.org` that I also helped create 5 years ago. Reproducing these packages (and allowing anybody else to do the same) proves the binaries have not been backdoored by the build server (or whoever compiled them), and if there’s a backdoor, you can likely find it in the source code.
* Integrated librustls, a memory safe TLS implementation, into Arch Linux’ C dynamic linking ecosystem and became one of the authors of the rustls curl TLS backend
* In response to the XZ Jia Tan incident I created whatsrc.org, a source code indexing project. It doesn’t solve anything in itself, but it’s framing the concept of source code inputs and how to reason about them in a way that I consider promising. It also documents and makes it very apparent what specifically is the source code we’re putting into our computers, that would benefit from code reviews.
* Contributed to the Reproducible Builds mailing list 33 times
* Volunteered at a soldering workshop for beginners for the 3rd year in a row, with people describing me as a good teacher, giving very calm vibes and having endless patience
* Reverse engineered the signal username and QR-code feature
* Rewrote my tooling for apt.vulns.xyz to use repro-env, the .deb files can now be verified through reproducible builds, and I switched to static Rust binaries because I had trouble targeting multiple Debian/Ubuntu releases with my previous tooling
* Wrote 0 blog posts (besides this one)
* Wrote 5.937 messages in irc channels
* Got mentioned 1.664 times on irc
* Attended FOSDEM, Fusion, the Reproducible Builds summit, Hackjunta 2024#2 and 38c3
* Made and printed 8 new sticker designs, and a custom hoodie
* Mastered the art of pragmatic zaza cultivation and processing
* Got 2 new piercings and 2-3 new tattoos (depending on how you count them)
Thanks to everybody who has been part of my human experience, past or present. Especially those who’ve been closest.
cheers,
kpcyrd (https://vulns.xyz/2024/12/2024-wrapped/)