Morten Linderud

F/OSS Hacker. Arch Linux Developer, Security Team, Reproducible Builds. General Linux stuff and supply chain issues.

Writes in English and Norwegian from time to time

Public Key

npub1wvthm9yvfzly58n3z8hlcjymnly0cfpsyzkl0k8kyqsq6rv3qt4qx9y89f

NIP-05 Address

[email protected]

Profile Code

nprofile1qqs8x9majjxy30j2rec3rmlufzdelj8uysczpt0hmrmzqgqdpkgs96spz3mhxue69uhhyetvv9ujuerpd46hxtnfduqs6amnwvaz7tmwdaejumr0dsd0mu54

Publishing to

relay.damus.io

nos.lol

Author Public Key

npub1wvthm9yvfzly58n3z8hlcjymnly0cfpsyzkl0k8kyqsq6rv3qt4qx9y89f

Show more details

Last Notes

2024-09-15 13:47:35

- reply

@npub1qk7…lptq
Yes, I was planning on finding you tomorrow. I'll be at your talk :)

2024-09-02 13:48:06

- reply

@npub1lks…a4mq
The week after is ASG in Berlin which has mostly platform security talks this year.
https://cfp.all-systems-go.io/all-systems-go-2024/schedule/

2024-08-08 00:18:16

- reply

@npub1pt8…eexx
So next time in Oslo go to Jæger and ask for a tschunk.
It will help me make this a thing.

2024-08-07 00:48:02

Reading the Open-Source Summit and the SOSS Community Days schedules and being irrationally annoyed..angry(?) at the space mainly being occupied by companies talking about risk management for FOSS consumption.
Give me just *one* talk about funding maintainers or giving back to FOSS.

2024-08-06 13:41:30

Lazyvim feels like someone looked at vim and said "We can do a NixOS here".
Cool to see what neovim can do these days, but lord I'm getting "oh-my-zsh"-reimplement-all-the-things vibes.

2024-08-06 12:24:16

- reply

@npub1dgr…ssty
Seems to me like /etc/mkinitcpio.conf contains modules in the MODULES array that doesn't exist?

2024-08-05 19:31:24

- reply

@npub1tpx…33ew
https://github.com/getsops/sops
I'm trying to implement native TPM keys.

2024-08-04 13:27:35

- reply

@npub16r0…z5pl
Linux should support passkeys natively like Windows and OSX.

2024-08-03 17:59:59

- reply

Lol, it works.

2024-07-31 23:53:06

- reply

Lol, three bugfix releases in a day. I need a beer.

2024-07-31 15:59:47

Pushing landlock in the same release I refactored *everything* was a mistake.

2024-07-30 16:19:30

- reply

@npub17yy…3gvz
It's tied up with the gnupg ecosystem and requires reading the `gpg-agent.conf` file to even figure out what binary the user wants.
Not great if you appliction has nothing to do with gnupg to begin with.

2024-07-30 16:11:38

Okay, what is the modern way to request a password or secret from the user in this day and age?
Pinentry and ssh-askpass is no go and I can't quite grok the dbus secret service from the polkit auth?
#Linux #dbus #polkit

2024-07-25 20:58:16

I was like "getting TPM support into sops is easy".
And now I'm sitting here realizing I don't really like asymmetric encryption at all.

2024-07-25 19:07:13

- reply

@npub1hyp…aehm
Just the title with the CFP announcement :)
https://x.com/binarly_io/status/1815876366073749596

2024-07-25 19:04:41

- reply

@npub1hyp…aehm
Bro, Binarly already wrote the title yesterday. You can do with a bit more details.
> "PKFAIL: Supply-Chain Failures in Secure Boot Key Management"

2024-07-23 23:59:02

- reply

@npub19cv…qnc3
λ ~ » find /usr/share/info | wc -l
251
λ ~ » find /usr/share/man | wc -l
34805

2024-07-23 23:02:45

Writing man pages is one of the least great parts of working out new features.

2024-07-18 08:16:59

- reply

@npub1lks…a4mq
I saw the 4k in a cinema with proper audio and you hear the difference in background noise when they overdub lines. It super weird

2024-07-15 20:36:14

Half of the code on sbctl makes me feel bad and I get a strong desire to rewrite most of it.
But that seems futile so probably just implement a new key storage backend and try to decouple stuff?
Getting support for TPM keys, and more backends, would be nice really.

2024-07-15 13:28:03

- reply

Status update:
There is now a registered Arch Linux "club" running.

2024-07-14 23:52:09

Registered myself for my first 5K during Berlin Marathon, excited and we'll see if I regret it.

2024-07-14 18:41:52

I've written `ssh-tpm-ca-authority` which issues short-lived SSH certificates bound to the clients that asked for them.
https://github.com/Foxboron/ssh-tpm-ca-authority
Very much a WIP/POC thing and I'm totes not certain about the security aspects of it.
But it works!
#OpenSSH #TPM #Security

2024-07-01 12:49:54

- reply

@npub1u9d…s50s
As a wrote, you can apply the updates yourself. It's trivial. You are not at anyone's mercy.
The update needs to be rolled out through your distro regardless.

2024-07-01 11:40:54

- reply

@npub1u9d…s50s
Microsoft signs updates and they are trivial to apply.
This is also something we are depending on fwupdmgr/LVFS to fix.

2024-06-23 00:25:21

New release of `ssh-tpm-agent`.
v0.5.0 deprecates all your existing keys (sorry, not sorry).
The pros is that you get proper keys and can even use existing TSS keys created with `openssl` with `ssh-tpm-agent`.
https://github.com/Foxboron/ssh-tpm-agent/releases/tag/v0.5.0
#TPM #Openssh #TSS #Security

2024-06-22 21:56:53

- reply

Reading up on AK/EK attestation and realizing I should probably just finish up the ssh-tpm-agent release 🙃

2024-06-16 13:51:03

- reply

@npub1336…n6rn
Nono, dis mine now.

2024-06-16 13:29:26

- reply

Apparently this is the(?) pedal Kurt Cobain used on Nevermind. Expensive thing.

2024-06-16 13:16:59

The hackerspace has a lot of trash, but I did find a 25 year old working Big Muff guitar pedal.
https://assets.chaos.social/media_attachments/files/112/626/011/430/775/316/original/0f98ceea86d3d47d.jpg

2024-06-15 23:59:00

Managed to grok TPM2_Import after a week.
It turns out passing around 32 null bytes makes for poor integrity checks.

2024-06-13 22:50:06

- reply

I disabled legacy boot and now there is no video.
Argh, fml.

2024-06-13 21:19:39

- reply

@npub1ql8…qshz
Well, archiso to clone the disk.
But yes, the NAS runs on Arch with BTRFS in Raid 1.

2024-06-13 20:54:31

Today is NAS maintenance day.
Unclear if I mixed up /dev/sdc or /dev/sdd. We'll see.
https://assets.chaos.social/media_attachments/files/112/610/817/876/254/022/original/92379d2c5abc7d83.jpg

2024-06-11 15:19:00

- reply

@npub10pk…lv8z
I prefer having a security boundary.

2024-06-11 15:14:56

Days since `sbctl` soft-bricked a machine because of terrible OEM firmware: 0
Don't buy a slimbook.
#SecureBoot #Linux #sbctl #slimbook

2024-06-10 09:32:34

- reply

@npub1tny…z6px
The new terminal at Oslo Airport works the same way :) I was extremely mind boogled when I realized it worked this way.

2024-06-07 22:00:56

> 12 files changed, 157 insertions(+), 1176 deletions(-)
Yasssssss

2024-06-07 12:01:09

- reply

@npub19re…r8k9
I don't deal with CUDA

2024-06-06 14:46:02

- reply

@npub1gpn…uhp5
It's another meme yo :)
But I'll sign anything you give me with my gnupg key for 200 NOK.

2024-06-06 13:12:37

- reply

It's always interesting to me how security people do end up having a level headed approach to things like "physical threat scenarios" while your avg Joe keeps on inventing Hollywood level heist scenarios to try and subvert this.

2024-06-06 11:51:33

Apparently 🟧-site is not very happy over the suggestion that glitter nail polish defeats their entire imaginary "let's sniff the keyboard signals to figure out the password" threat scenario.
#Security

2024-05-26 21:23:51

Been promised thunderstorms two times this week and all I've gotten has been two puny rumbles.

2024-05-22 17:36:21

- reply

@npub1arj…7y8j
Adding jq implies we need to add it to the `[core]` repos in Arch, and I'd prefer if we didn't.

2024-05-22 17:19:37

How do you parse json in bash?
Asking for a friend.
(No, `jq` is not a solution here)
#json #bash

2024-05-22 10:39:05

I was complaining about hotel prices in Vienna for Plumbers and stuff.
However #AllSystemsGo is the same week as Berlin Marathon and holy fuck those prices are insane.

2024-05-18 16:10:35

Selling one sun for some clouds.
https://assets.chaos.social/media_attachments/files/112/462/489/531/977/665/original/5275996020ef066e.jpg

2024-05-10 12:35:56

- reply

@npub1stn…3829
I say this with all the love I can give; top 5 worst hack I've seen.

2024-05-06 12:21:08

Oh god no.
https://assets.chaos.social/media_attachments/files/112/393/640/998/241/400/original/522260d7ca158ad9.png

2024-05-05 13:52:54

Johnny Mnemonic in Black and White?
https://assets.chaos.social/media_attachments/files/112/388/336/625/753/889/original/cdf4c78a7a822293.jpg

2024-04-28 14:48:54

Someone pointed out that rpm strips packages faster than pacman so a little bit of xargs hacking later and I've shaved off 1.5/2 seconds of the pacman package building.
https://gitlab.archlinux.org/pacman/pacman/-/merge_requests/175
#rpm #pacman #ArchLinux

2024-04-26 00:07:58

- reply

@npub18g6…jwmp
Or a veryvery glorified loop automator :)

2024-04-26 00:05:59

- reply

@npub18g6…jwmp
Ah, that is cool. But at the same time I'm doing this as an excuse to learn more gstreamer :)

2024-04-26 00:01:40

Organizing a "rave" and figured we had 3 chromecasts on 3 screens so we need some *visual*.
Instead of doing obs + `nginx-rtpm-server` I figured out how I could do obs -> srt -> gstreamer -> hls -> python http.server -> chromecast
Using the below website is also quite neat instead of trying to hack something else together.
https://chromecast.link/
Not going to be in-sync at all. But at least the VJ loops will be on the screens.

2024-04-15 10:46:23

- reply

@npub17xj…0938
I think we are very much on the same page on this topic :)

2024-04-15 10:31:39

- reply

@npub17xj…0938
And then they demand you add the scorecard to ensure you are a responsible project.

2024-04-14 15:58:14

I realized I have been doing substantial Open-Source contributions for a *decade* now.
My first blogpost on my current blog was also published a *decade* ago in January.

2024-04-11 20:36:54

- reply

Found the issue.
TPMs doesn't really support SHA512 and `ssh-keygen` just defaults to `rsa-sha2-512` even if you set `hashalg=sha256`.
https://github.com/openssh/openssh-portable/blob/master/sshsig.c#L193-L194

2024-04-11 19:46:30

I have a local copy of openssh so I can debug a weird `ssh-keygen -Y sign` error I'm getting for my TPM RSA keys (ecdsa keys... just work?) ooorrrrr
I can play Helldivers.
Decisions, decisions, decision.

2024-04-10 21:54:18

- reply

@npub1z7y…zyfs
Redis never had a CLA.
I also suspect you meant the Redis fork and not Redis itself?

2024-04-07 01:58:05

- reply

@npub10sm…hjqm
Norwegian!

2024-04-06 00:20:25

> This is zqpvr. Thank you for adding the conflicts to this package. I live in New Brighton, PA. I am actually a criminal of the felon level here in the US. Your assistance is much obliged.
#PackagerLife

2024-04-05 20:57:09

- reply

I'm mostly just getting surprised about packages I apparently maintain.
Uploaded once two years ago and never touched.

2024-04-05 20:45:06

The wheels on the rebuild goes build build build. Build Build Build. BUILD BUILD BUILD.
The wheels on the rebuild goes BUILD BUILD BUILD.
All through Python3.12.
#ArchLinux #PackagerLife

2024-04-04 12:42:05

- reply

@npub1p5f…u6aj
Fwiw, your blog post writes "ensure reproducible builds". But this isn't true.
That is what the blog post is talking about.

2024-04-02 19:42:44

- reply

@npub19f9…jcyn
Thanks for fixing!

2024-04-02 19:33:49

- reply

@npub10sm…hjqm
Okay, fair. But it's so prevelent that nobody has fixed it over several years. It's part of the reason why I wnated to write this for a year or two.

2024-04-02 18:43:52

NixOS linking to reproducible builds in their wiki 🤌
I should post the spicy post.

2024-04-02 09:58:28

- reply

@npub1zla…a22s
Above or below 0?

2024-04-02 09:34:23

It's weird going from the weekend discourse of xz backdoors to work and dependabot MRs.
Idk, `yolo/which-files-changed-watch update 43 to 44` with an autogenerated conventional commits changelog, are you backdoored or are you fine?
*Hits approve*

2024-04-01 21:15:46

If people think the actor behind Jia an/or the #xzbackdoor needs to be *sued* you need to deeply consider the implications it will have for the FOSS community.
#Security #FOSS #linux #xz

2024-04-01 17:31:57

- reply

@npub19xr…gkcq
That implies a power dynamic I'm not sure I'd agree with :p

2024-04-01 01:26:49

- reply

@npub1gaa…uv3v
The show this year was much better. The screens were crashing at Ally Pally and the venue had poor acoustics.
Much better all in all.

2024-04-01 01:25:58

- reply

@npub1gaa…uv3v
Ah cool, I was also at Ally Pally last year :)
Decided for Glasgow this year as we had never been here and London *again* is a bit boring.

2024-04-01 00:17:28

#Pendulum in Glasgow was pretty good.
https://assets.chaos.social/media_attachments/files/112/192/614/962/465/229/original/935ea4f748da0653.jpg

2024-03-31 03:43:07

I lost a lot of faith in #OpenSSF during the vote for supporting openwall.
> The problem here is if Solar gets bored to maintain this infra in a year or two, then we would be back to square one finding another maintainer. We should avoid single points of failure and instead try to have a long-term managed cloud solution which would mostly operate in autopilot mode and in some cases, openssf staff can step in if needed.
Which is quite a comment to write.
https://lists.openssf.org/g/openssf-tac/topic/96818564#

2024-03-31 01:45:32

- reply

@npub1xla…nh8l
When the GM of OpenSSF is going "yes, the scorecard for xz isn't good" then they are focusing on the wrong thing.
This is ultimately why I stopped contributing my free time to the initiative.

2024-03-30 22:21:59

- reply

@npub1l20…0c0w
The silver lining is that the people with auto update probably got the latest package faster than the manually updated machines :p

2024-03-30 21:14:18

- reply

https://assets.chaos.social/media_attachments/files/112/186/468/492/554/042/original/1773fdc7a3db26c6.jpg

2024-03-30 21:12:46

- reply

I mean.
https://assets.chaos.social/media_attachments/files/112/186/462/323/205/899/original/472ddcf1adb5caf8.jpg

2024-03-30 21:12:19

Weekend trip to Glasgow summarized
- xz
- Haggis
- xz?
- Beer
- xz!
- More beer
- xz
- Breakfast
- xz?!
- Whiskey destillery (Glengoyne)
- xz
- Ramen
- xz?!
- Even more beer!

2024-03-30 11:57:31

- reply

@npub19aw…wevf
I don't think blaming this on *systemd* is productive. They could have chosen other ways and lzma is pulled through libselinux-libpam as well.

2024-03-30 11:10:55

- reply

@npub128z…dec0
Least clever reaction from GitHub. I don't think kneejerk reactions like that help in situations like this.

2024-03-29 17:57:59

- reply

Guy that did this was also recently added as an upstream kernel maintainer.
Much oof.
https://lore.kernel.org/lkml/[email protected]/
@npub1hfe…k5ww

2024-03-29 10:35:29

Accidental Easter plans:
Heading to Glasgow to see #Pendulum live for the second time.
We didn't check the dates for Easter when we ordered the tickets during #CCCamp23 🙃

2024-03-21 14:22:32

- reply

@npub17xj…0938
Have you considered a service-generator? Examples would be the podman quadlet things that consume their own format to generate services.

2024-03-13 15:09:08

- reply

@npub14d3…7npp
"Latest and greatest" doesn't mean things gets pushed to repos on a timeline that doesn't fit the volunteers of the project.
Pragmatism and the volunteers >>> pushing things because we "have to be first".

2024-03-11 21:25:46

The swedish are getting their third packager, and I can't let them win.
Am I aware of any Norwegians interested in becoming an Arch packager?
#ArchLinux #Linux #NorskTut

2024-01-21 12:40:57

- reply

@npub10zm…zrpx @npub1shg…y3ry
Right, so you haven't tried.

2024-01-21 12:33:12

- reply

@npub10zm…zrpx @npub1shg…y3ry
https://github.com/archlinux/archinstall/issues/created_by/DarkXero-dev

2023-12-11 12:20:18

Largely how I feel about the entire push towards FIDO and hardware tokens.
#FIDO #Yubikey #Security
https://assets.chaos.social/media_attachments/files/111/561/507/909/761/510/original/2962e592572741ef.jpg

2023-09-22 13:12:45

🥲 @npub1s4l…aap3
https://assets.chaos.social/media_attachments/files/111/108/496/054/320/133/original/4f27fabcbd91018b.jpg

2023-08-17 01:41:53

#cccamp23 #cccamp2023
https://assets.chaos.social/media_attachments/files/110/901/939/013/117/068/original/11bb6ab5d9da840a.jpg

2023-06-23 15:22:50

- reply

@npub1rzy…zpg7 where is the document published?