"how do elves feel about the elf on the shelf" and other questions i have that i will never ask
Ariadne Conill 🐰
sometimes a bunny, sometimes a witch, sometimes an operating system designer
Posts
Polymarket and Kalshi have honestly been some of the worst things to happen to society in some time.
are you fallin in love?
i've a feelin' you are
are you falling in love with a feeling?
-- imogen heap
https://theshamblog.com/an-ai-agent-published-a-hit-piece-on-me/
As a free software maintainer, this is entirely unacceptable. Now I have to spend time figuring out how to tell AI agents to *fuck off* so I don't have to deal with this.
my dear friend @jed@infosec.exchange recently relaunched his blog with some poignant thoughts on the state of so-called "DevSecOps".
he believes (and I agree) that the SecOps part of this needs to have an SRE moment, in other words that security operations is not enough -- we should consider security from an engineering perspective rather than an operational one.
important notes from @fossdd@chaos.social
meow
meow :3
#capsudo 0.1.1 has been released!
https://distfiles.ariadne.space/capsudo/capsudo-0.1.1.tar.xz
If you are on Alpine edge and have testing packages enabled, you can install capsudo from there and then start the capsudo service.
If you want password authentication, use the capsudo-pwauth service which will challenge the capsudo client to provide your password, otherwise there is no authentication at all.
the tl;dr: capsudo is essentially sudo, but done with object capabilities instead of an SUID binary.
My blog last month explains the theory side of it and how you can use object capabilities to stitch all sorts of interesting things together without the need of a complex policy engine.
Part 2 of the series will land sometime this weekend... and then finally after that we will get to the chapter the Hacker News and Lobsters people wanted to skip to after that.
If someone wants to send me the bits to make this all work with systemd, that would also be great, but as I don't use systemd, I would have to otherwise guess.
I need to get in touch with anyone who manages trust & safety for the matrix.org homeserver regarding the same person who is impersonating Alpine on Telegram. I have been made aware that he is also impersonating the project on Matrix...
🚨 PSA! 🚨
Alpine 3.23 moved mariadb-connector-c from the 3.3 release series to the 3.4 release series, which has different TLS validation behavior.
If you are using self-signed certificates, you need to either trust the self-signed CA or set the MARIADB_TLS_DISABLE_PEER_VERIFICATION=1 environment variable.
apk-tools 3.0.0 final is out
#wayback, a small project gluing together wayland components to turn Xwayland into a full X environment, is now published: https://github.com/kaniini/wayback
there's definitely a gazillion bugs, which will need work across the entire stack to solve.
however, unlike Xlibre, this is a sustainable path that is intended to reduce the number of X components in distributions.
A more formal announcement is coming later this week (probably tomorrow), but W^X will return to Alpine via Edera's OpenPaX patchset: https://github.com/edera-dev/linux-openpax
If you want to play along at home, be sure to put the following in your .config:
CONFIG_OPENPAX=y
CONFIG_OPENPAX_XATTR_PAX_FLAGS=y
CONFIG_OPENPAX_MPROTECT=y
The screenshot of a paxtest run is attached, showing rough equivalence with grsecurity when it comes to killing exploitation attempts, though grsecurity/PaX's ASLR behavior is still far more aggressive than the default Linux behavior.
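Added example, not part of the original post and not OpenPaX or paxtest code: a small C probe for checking on your own machine whether W^X is in effect for anonymous memory, by asking for a writable+executable page and for a writable page to be flipped to executable, then reading the resulting permissions back from /proc/self/maps. It assumes Linux with /proc mounted; all function and enum names are made up for this illustration, and the expectation that a W^X kernel denies both requests follows the general PaX-style MPROTECT model rather than anything read from the OpenPaX source.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define RW  (PROT_READ | PROT_WRITE)
#define RX  (PROT_READ | PROT_EXEC)
#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)
enum wx_verdict { WX_ENFORCED, WX_PARTIAL, WX_NOT_ENFORCED, WX_UNKNOWN };

/* Effective x bit of the mapping containing p: 1 = exec, 0 = not exec, -1 = unknown. */
static int mapping_is_exec(const void *p)
{
    unsigned long lo, hi, a = (unsigned long)p;
    char perms[5], line[512];
    int found = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (found < 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi)
            found = (perms[2] == 'x');
    fclose(f);
    return found;
}

/* Map one anonymous page with `first`, mprotect() it to `then` if different, and
 * report whether it ended up executable (1), not executable (0), or unknown (-1).
 * A kernel may refuse the request or silently drop the x bit; both count as 0. */
static int probe_exec(int first, int then)
{
    long pg = sysconf(_SC_PAGESIZE);
    int r;
    void *p = mmap(NULL, pg, first, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return (first & PROT_EXEC) ? 0 : -1;  /* refused exec mapping = denial */
    r = (then != first && mprotect(p, pg, then) != 0) ? 0 : mapping_is_exec(p);
    munmap(p, pg);
    return r;
}
static enum wx_verdict wx_classify(int rwx, int flip)
{
    if (rwx < 0 || flip < 0) return WX_UNKNOWN;
    if (!rwx && !flip) return WX_ENFORCED;
    return (rwx && flip) ? WX_NOT_ENFORCED : WX_PARTIAL;
}
int main(void)
{
    static const char *names[] = { "enforced", "partial", "not enforced", "unknown" };
    int rwx = probe_exec(RWX, RWX), flip = probe_exec(RW, RX);
    printf("RWX mmap exec=%d, RW->RX exec=%d, W^X %s\n", rwx, flip, names[wx_classify(rwx, flip)]);
    return 0;
}
```

JIT-style programs that legitimately need the RW to RX transition are the ones to test after enabling such a policy.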
in https://www.form3.tech/engineering/content/exploiting-distroless-images the original google distroless images get popped using the openssl command.
the ones i built with apko do not include unnecessary binaries :)