• 2024 wrapped

    by kpcyrd, medium read, 2024-12-31

    Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot, me being gentle with myself I’ll probably just permit myself to complete this list the next couple of days.

  • Writing a Linux executable from scratch with x86_64-unknown-none and Rust

    by kpcyrd, long read, 2023-03-28

    I recently mentioned on the internet I did work in this direction and a friend of mine asked me to write a blogpost on this. I didn’t blog for a long time (keeping all the goodness for myself hehe), so here we go. 🦝 To set the scene, let’s assume we want to make an executable binary for x86_64 Linux that’s supposed to be extremely portable. It should work on both Debian and Arch Linux. It should work on systems without glibc like Alpine Linux. It should even work in a FROM scratch Docker container. In a more serious setting you would statically link musl-libc with your Rust program, but today we’re in a silly-goofy mood so we’re going to try to make this work without a libc. And we’re also going to use Rust for this, more specifically the stable release channel of Rust, so this blog post won’t use any nightly-only features that might still change/break. If you’re using a Rust 1.0 version that was recent at the time of writing or later (>= 1.68.0 according to my computer), you should be able to try this at home just fine™.

  • updlockfiles: Manage dependency lockfiles in PKGBUILDs for upstreams that don't ship them

    by kpcyrd, short read, 2022-10-16

    I’ve released a new tool to manage dependency lockfiles for Arch Linux packages that can’t use a lockfile from the official upstream release. It integrates closely with other Arch Linux tooling like updpkgsums that’s already used to pin the content of build inputs in PKGBUILD.

  • auth-tarball-from-git: Verifying tarballs with signed git tags

    by kpcyrd, short read, 2022-05-28

    I noticed there’s a common anti-pattern in some PKGBUILDs, the short scripts that are used to build Arch Linux packages. Specifically we’re looking at the part that references the source code used when building a package:

  • Reproducible Builds: Debian and the case of the missing version string

    by kpcyrd, long read, 2022-01-19

    If you’ve been following my twitter recently you probably noticed there’s now a rebuilderd based Debian rebuilder run by the Purdue Trustworthy Software Ecosystems Lab. The rebuilder backend - the code that’s actually re-creating the build environment and running the build - is debrebuild.py, written by Frédéric Pierret from the QubesOS project. The setup as a whole automatically monitors packages in Debian unstable, then downloads the source code, build-dependencies and attempts to compile a bit-for-bit identical binary package. If this succeeds, the package is marked as “reproducible”.

  • Release: rebuilderd v0.15.0

    by kpcyrd, medium read, 2021-10-18

    rebuilderd 0.15.0 was very recently released; this is a short intro into what it is, how it works and how to build our own integrations!

  • Monthly Report (September 2021)

    by kpcyrd, medium read, 2021-09-30

    This is the monthly report of what I’ve been up to in September 2021. 🙌

  • Monthly Report (August 2021)

    by kpcyrd, medium read, 2021-08-31

    This is the monthly report of what I’ve been up to in August 2021. 🙌

  • Enumerating .gov.af

    by kpcyrd, medium read, 2021-08-17

    Due to recent political events there’s an increased interest in Afghanistan’s websites. This is a tutorial on how to run sn0int on .gov.af to enumerate as many sites as possible for archival purpose.

  • Reproducible Python Bytecode

    by kpcyrd, long read, 2021-08-13

    Some Linux distributions (like Alpine and Arch Linux) are shipping something called “python bytecode” in their packages. It’s stored in .pyc files and is generated during the package build. They’re stored in __pycache__ folders and can be seen here:

  • Monthly Report (July 2021)

    by kpcyrd, medium read, 2021-07-29

    During summer 2017 I picked up Rust as one of my programming languages. Since this was my first compiled programming language (ignoring some of my early C antics), I was faced with one inherent problem: “How do I distribute pre-compiled binaries without getting SolarWinded?”. Granted, those might not have been my exact words back in Fall 2017, but I was intrigued by this problem and got involved in the reproducible builds project as a volunteer contributor.

  • Disagreeing rebuilders and what that means

    by kpcyrd, medium read, 2021-07-23

    Today we’ve noticed a disagreement between the Arch Linux rebuilders about the “cross” package, a popular @rustlang cross-compile tool. One rebuilder reported they’ve successfully reproduced the package, while the other reported they couldn’t. Let’s have a look what that means.

  • Reproducible Raspi images with Alpine (Part 2)

    by kpcyrd, long read, 2021-06-30

    Alrighty, we initially planned a part two with NixOS, but 1) we’d have to learn scheme (and we’d rather not) 2) somebody needs to do it for alpine anyway. Pack yo toothbrush, we got supplychains that need securin’!

  • Reproducible Raspi images with Alpine (Part 1)

    by kpcyrd, medium read, 2021-06-26

    Ever wondered if that raspi is actually running the code it’s supposed to? Today we’re taking Alpine Linux as a base and trying to make a reproducible image, so an independent party can verify the image is legitimately built from source. All patches are going to be sent upstream.

  • Building the great cannon of session flooding

    by kpcyrd, long read, 2018-05-30

    If you have been around the internet for a while you may remember the DDoS attack on github that was carried out through the Great Firewall of China in 2015. The attack was simple, but effectively carried out; in a nutshell, when javascript was requested over unencrypted http, a malicious script was embedded that would load an url on github as an image and trigger a GET request, eventually causing significant load that would impact github’s service.

  • TCP the long way home

    by kpcyrd, medium read, 2018-02-28

    In addition to the last blogpost, I’ve extended rshijack with a ghetto tcp stack.

  • Hijacking TCP

    by kpcyrd, medium read, 2018-02-26

    I was working on a TAMUctf level which was a 2FA protected telnet server. Since I was already in a mitm position and I didn’t want to mess around with their authentication, I came up with the idea of hijacking the tcp connection.