Wayland in 2021
A year ago I wrote about my Wayland setup on Linux. This year I would like to give you a small update on how I am going with Wayland on Arch Linux and how it is my daily driver at home and work. The setup itself stayed pretty much the same:
Operating System: Arch Linux
Window Manager: Sway
Status bar: Heavily customized Barista bar
Screenshots: Bash script utilizing Grim + Slurp
Screen recordings: Bash script utilizing wf-recorder
Sharing Text: Bash script utilizing wl-clipboard
Dynamic Menu: bemenu
Password Management: A combination of gopass, bemenu and bash
Screensharing: xdg-desktop-portal-wlr + pipewire
You can find my full setup in my dotfiles repository on GitHub.
https://shibumi.dev/posts/wayland-in-2021/
Running Wayland on Linux in 2021
Monitoring Arch Linux with Prometheus
For monitoring the Arch Linux infrastructure we've moved on from Zabbix to Prometheus as it fits more into our infrastructure as code goal. This required some research into how we could achieve the same monitoring with Prometheus. Our Zabbix setup monitored Host, MySQL, Borg and Arch Linux related metrics. For …
https://vdwaa.nl/arch-prometheus-monitoring.html
Installation medium with installer
The installation medium now provides a guided installer. This addition to the default method of installation (based on the installation guide) is similar to the other methods. If you use this installer, do not forget to mention it when asking for support and also to provide the archinstall log, when asked.
https://archlinux.org/news/installation-medium-with-installer/
FOSS Activities in March 2021
Yoooo! Another month has passed which means another status update. The python2 removal has been steady and several packages have been removed this month. Currently a query for python2 on archweb returns 139 matches. At the start of the month it was around 160-170. Progress! I have suggested we remove checkdepends on python2 packages to ease the cleanup of dependency cycles. The response has been lukewarm at best so we’ll see how that progresses.
https://linderud.dev/blog/foss-activities-in-march-2021/
Go Embed and Angular
Hi, there. Today’s article will be a rather short article. In this article I would like to showcase Go 1.16's new embed package. If you are familiar with Go you might already know embedding functionality from other famous libraries like go-bindata. The problem with go-bindata has been that upstream vanished one day and then multiple forks appeared and every company or person was doing their own thing with embedding assets into Go programs.
https://shibumi.dev/posts/go-embed-and-angular/
How to embed an Angular app into a Go binary
FOSS Activities in April 2021
Yo! Hope people have had a lovely spring. This month has passed quickly! I have put off writing the monthly post because I was busy with a weekend project. My master thesis was about how to apply transparency logs and reproducible builds to give package rebuilders the ability to produce tamper-evident logs. This is handy since any one package build can easily be proven to be part of the log, and you can very easily fill in the history from one point in time to another by hashing files in the correct order.
https://linderud.dev/blog/foss-activities-in-april-2021/
Boost your productivity with ZSH and Alacritty
In today’s article I would like to shine some light on my local terminal setup. My setup consists of ZSH and Alacritty. ZSH or the Z shell is an extended variant of the Bourne shell (bash). It comes with a few useful features and extensions. Many people use the ZSH mostly for nice shell prompts or tab completion. This article will be about more advanced features, like custom shortcuts. Alacritty is a terminal emulator written in Rust.
https://shibumi.dev/posts/zsh-and-alacritty/
Move of official IRC channels to libera.chat
As some of you may have read over the past days, there has been an ownership dispute over the freenode.net network. The IRC network has been used by Arch Linux and many other projects over the past decades as a platform for discussion and support. The dispute led to the exodus of most former freenode staff from the network and the founding of a new network: libera.chat.
Starting today, Arch Linux and its sister projects Arch Linux ARM and Arch Linux 32 will begin migrating the official IRC channels from freenode.net to libera.chat. Please bear with us as this can take some time to be fully settled in. We thank the freenode community for the many years of great service and collaboration.
https://archlinux.org/news/move-of-official-irc-channels-to-liberachat/
Sorting out old password hashes
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login. If the login just fails (for example from display manager) switch to a virtual terminal (Ctrl-Alt-F2) and log in there once.
https://archlinux.org/news/sorting-out-old-password-hashes/
Automated Website Testing with Selenium
Today’s blog article is a more unusual one. If you know me in person you would not connect me to web development, but yet here we are. So, how did I get here? One student at my university has asked me if I could help and have a look at their code. He was working on unit tests with Selenium on a very beginner-friendly level. This is how I got more interested in this topic.
https://shibumi.dev/posts/automated-website-testing/
Arch Reproducible Progress July 2021
At the end of July, I had some days off and some more time to focus on some unreproducible packages in Arch Linux and get some of the issues resolved. This post goes through the resolved issues by category. gzipped man pages By default if a manpage is compressed with …
https://vdwaa.nl/arch-repro-july-2021.html
Kubermatic on Hetzner
Hello and welcome to another article about Kubernetes. In this article we will go through the Kubermatic installation on Hetzner Cloud. But first of all let us go through a few questions: What is Kubermatic and why do I need it? Kubermatic abstracts different Kubernetes clusters and providers for you. It does not matter if you want a cluster on Amazon, Google, Hetzner, vSphere or on-premise. With Kubermatic you can easily bootstrap new clusters in your favorite location with your favorite cloud provider or on-premise.
https://shibumi.dev/posts/kubermatic-on-hetzner/
Installing Kubermatic on Hetzner
Hardening Executables
Quite a while ago, Arch Linux turned on many binary security features via compilation flags (2016) or turned off options that are known to help exploit software (debugging symbols, RPATH). It is now 2021 and Arch Linux has had good experiences with the additional security options. We have had good experiences on Arch Linux with the following flags so far:
FULL RELRO (Full Relocation Read-Only)
STACK CANARY
NX-Bit
PIE (Position Independent Executable/Code)
Setting no RPATH
Setting no Symbols
FORTIFY
Some of these flags are known to have effects on performance.
https://shibumi.dev/posts/hardening-executables/
mkinitcpio v31 and UEFI stubs
A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub. The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53 This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot. The Boot Process For the past decade most computers have two ways to boot.
https://linderud.dev/blog/mkinitcpio-v31-and-uefi-stubs/
GitHub
[mkinitcpio] Create UEFI executables by Foxboron · Pull Request #53 · archlinux/mkinitcpio
Missing stuff for this pull-request.
Do we want a new section in the manpages?
Is the flags okay enough?
Testing
Implement UEFI executable generation in mkinitcpio by utilizing UEFI
stubs pro...
Monthly Report (August 2021)
This is the monthly report of what I’ve been up to in August 2021. 🙌 Reproducible Builds There are many different reasons to be interested in Reproducible Builds. When I originally got involved in the project I wasn’t a maintainer in any Linux distribution yet, instead I was wondering if there’s a way to distribute pre-compiled artifacts as an independent open source dev without carrying all the responsibility alone. A few years later I’ve now published a manual called i-probably-didnt-backdoor-this. It contains a hello world program and instructions on how to reproduce the various pre-compiled artifacts, explains all build …
https://vulns.xyz/2021/08/monthly-report/
GitHub
GitHub - kpcyrd/i-probably-didnt-backdoor-this: A practical experiment on supply-chain security using reproducible builds
A practical experiment on supply-chain security using reproducible builds - kpcyrd/i-probably-didnt-backdoor-this
Xandikos CardDAV/CalDAV server
In looking to move my phone to LineageOS, I've started thinking about moving my mail, contacts and calendar data to my own server. After researching solutions for a while, I decided to try out xandikos. A simple Python carddav/caldav server intended for a single user with a basic feature …
https://vdwaa.nl/xandikos-server-setup.html
Cloud Native and Arch Linux
In this article I want to give a short overview of the current state of Arch Linux with respect to cloud native technologies. I would like to show why I think Arch Linux is perfect as a daily driver in the cloud native ecosystem and what the current state of cloud native software in Arch Linux looks like. Reason Nr 1: Security At Arch Linux we take security very seriously. Our newly selected project lead has a strong security background (founding member of the Arch Linux security team) and member in a CTF group.
https://shibumi.dev/posts/cncf-and-archlinux/
Monthly Report (September 2021)
This is the monthly report of what I’ve been up to in September 2021. 🙌 Reproducible Builds There have been 3 releases of rebuilderd this month, 0.14.0, and two minor bugfix releases, 0.14.1 and 0.14.2. The 0.14.0 release introduced experimental support to rebuild Tails images in #66. Tails is a portable operating system that’s known for its strong focus on privacy and security, and commonly used by activists, journalists and various human-rights NGOs. It already had reproducible images for a long time (since around 2017), but you had to reproduce the images manually. Starting with this release …
https://vulns.xyz/2021/09/monthly-report/
GitHub
Release v0.14.0 · kpcyrd/rebuilderd
Add in-toto attestation to rebuilderd by @joyliu-q during Google Summer of Code
Add experimental tails support
Add subcommand to download attestation with rebuildctl
Dynamically link zstd
Arch Linu...
Release: rebuilderd v0.15.0
rebuilderd 0.15.0 was very recently released; this is a short intro into what it is, how it works and how to build our own integrations! (https://vulns.xyz/img/Vx35qrG.png) rebuilderd monitors an index of artifacts and parses it into a datastructure that looks like this. In the most basic case, based on the distro field it’s going to pick the right build script and attempt to generate an artifact identical to the file linked to in url. (https://vulns.xyz/img/V6r1iXsRTpLp.png) We’re starting with a script that generates a json. In our case we’ll simply hard-code all values for demonstration purpose. Most of these values can be arbitrary …
https://vulns.xyz/2021/10/rebuilderd-v0.15.0/
GitHub
Release v0.15.0 · kpcyrd/rebuilderd
distro field is now an opaque string instead of an enum
url has been renamed to artifact_url in a few places
It's now possible to pass --input-url to support eg. external buildinfo files
/data ...
Keyless signatures for blobs with cosign
While reading the cosign-installer I have stumbled upon these lines in the documentation:
    - name: Sign the images with GitHub OIDC **not production ready**
      run: cosign sign -oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
      env:
        TAGS: ${{ steps.docker_meta.outputs.tags }}
        COSIGN_EXPERIMENTAL: 1
The shown lines are a step of a GitHub Action and are still experimental, but very interesting. It allows signing a Docker image by making use of the OpenID Connect standard. OpenID Connect can be summarized as follows: If you log in to GitHub, GitHub will create a number of tokens. These tokens are then associated with your GitHub Action and with these tokens you can sign any artifact.
https://shibumi.dev/posts/first-look-into-cosign/
First look into cosign and rekor for signing and verifying binaries
What are ephemeral certificates?
This article is a short followup to my last article about cosign. I received many questions for my last article. The most common one was: “But wait! If the certificates are only valid for 30 minutes, how are my users supposed to validate my artifacts?” This is a very common misconception and to be honest: I ran into the same trap at first. The terms “ephemeral” or “short-lived” do not refer to the signature validation.
https://shibumi.dev/posts/what-are-ephemeral-certificates/