• auth-tarball-from-git: Verifying tarballs with signed git tags

    by kpcyrd, short read, 2022-05-28

    I noticed there’s a common anti-pattern in some PKGBUILDs, the short scripts that are used to build Arch Linux packages. Specifically we’re looking at the part that references the source code used when building a package:

  • Reproducible Builds: Debian and the case of the missing version string

    by kpcyrd, long read, 2022-01-19

    If you’ve been following my twitter recently you probably noticed there’s now a rebuilderd based Debian rebuilder run by the Purdue Trustworthy Software Ecosystems Lab. The rebuilder backend - the code that’s actually re-creating the build environment and running the build - is debrebuild.py, written by Frédéric Pierret from the QubesOS project. The setup as a whole automatically monitors packages in Debian unstable, then downloads the source code, build-dependencies and attempts to compile a bit-for-bit identical binary package. If this succeeds, the package is marked as “reproducible”.

  • Release: rebuilderd v0.15.0

    by kpcyrd, medium read, 2021-10-18

    rebuilderd 0.15.0 very recently released, this is a short intro into what it is, how it works and how to build our own integrations!

  • Monthly Report (September 2021)

    by kpcyrd, medium read, 2021-09-30

    This is the monthly report of what I’ve been up to in September 2021. 🙌

  • Monthly Report (August 2021)

    by kpcyrd, medium read, 2021-08-31

    This is the monthly report of what I’ve been up to in August 2021. 🙌

  • Enumerating .gov.af

    by kpcyrd, medium read, 2021-08-17

    Due to recent political events there’s an increased interest in Afghanistan’s websites. This is a tutorial on how to run sn0int on .gov.af to enumerate as many sites as possible for archival purpose.

  • Reproducible Python Bytecode

    by kpcyrd, long read, 2021-08-13

    Some Linux distributions (like Alpine and Arch Linux) are shipping something called “python bytecode” in their packages. It’s stored in .pyc files and is generated during the package build. They’re stored in __pycache__ folders and can be seen here:

  • Monthly Report (July 2021)

    by kpcyrd, medium read, 2021-07-29

    During summer 2017 I picked up Rust as one of my programming languages. Since this was my first compiled programming language (ignoring some of my early C antics), I was faced with one inherent problem: “How do I distribute pre-compiled binaries without getting SolarWinded?”. Granted, those might not have been my exact words back in Fall 2017, but I was intrigued by this problem and got involved in the reproducible builds project as a volunteer contributor.

  • Disagreeing rebuilders and what that means

    by kpcyrd, medium read, 2021-07-23

    Today we’ve noticed a disagreement between the Arch Linux rebuilders about the “cross” package, a popular @rustlang cross-compile tool. One rebuilder reported they’ve succesfully reproduced the package, while the other reported they couldn’t. Let’s have a look what that means.

  • Reproducible Raspi images with Alpine (Part 2)

    by kpcyrd, long read, 2021-06-30

    Alrighty, we initially planned a part two with NixOS, but 1) we’d have to learn scheme (and we’d rather not) 2) somebody needs to to do it for alpine anyway. Pack yo toothbrush, we got supplychains that need securin’!

  • Reproducible Raspi images with Alpine (Part 1)

    by kpcyrd, medium read, 2021-06-26

    Ever wondered if that raspi is actually running the code it’s supposed to? Today we’re taking Alpine Linux as a base and trying to make a reproducible image, so an independent party can verify the image is legitimately built from source. All patches are going to be sent upstream.

  • Building the great cannon of session flooding

    by kpcyrd, long read, 2018-05-30

    If you have been around the internet for a while you may remember the DDoS attack on github that was carried out through the Great Firewall of China in 2015. The attack was simple, but effectively carried out; In a nutshell, when javascript was requested over unencrypted http, a malicious script was embedded that would load an url on github as an image and trigger a GET request, eventually causing significant load that would impact githubs service.

  • TCP the long way home

    by kpcyrd, medium read, 2018-02-28

    In addition to the last blogpost, I’ve extended rshijack with a ghetto tcp stack.

  • Hijacking TCP

    by kpcyrd, medium read, 2018-02-26

    I was working on a TAMUctf level which was a 2FA protected telnet server. Since I was already in a mitm position and I didn’t want to mess around with their authentication, I came up with the idea of hijacking the tcp connection.