Hope people have had a lovely spring. This month has passed quickly! I have put off writing the monthly post because I was busy with a weekend project.
My master's thesis was about how to apply transparency logs and reproducible builds to give package rebuilders the ability to produce tamper-evident logs. This is handy since any one package build can easily be proven to be part of the log, and you can very easily fill in the history from one point in time to another by hashing files in the correct order.
These days transparency logs have seen larger adoption with projects like sigstore and trustix. What's interesting is that kernel.org publishes a transparency log of all the git push operations.
This is handy as it allows people to verify that a commit was actually pushed from a kernel developer. This prevents cases where someone with access to kernel.org can create a commit on the server without it being possible to detect. However, transparency logs are only really useful if people monitor them for changes and replicate them. Thus I decided to quickly hack up a monitor on the log to make the information easily digestible.
I’ll probably continue to hack on this project a little bit to get some statistics between kernel releases. Maybe some graphs? But currently it works quite nicely to display the information on the log. A fun little project!
While talking about kernel security, the Linux TAB published their report on the entire University of Minnesota fiasco. What's interesting about the email is that they linked the IEEE complaint Santiago, me and a few others wrote after reading the abstract back in December. I have no clue how they got the link since the draft pad was never shared outside of the Twitter group we had. Weird 😀
Other than that, I have submitted a patch to Golang to add full RELRO
flags by default when building with PIE and using the host compiler. I also did my first
patch to a kernel related mailing list to patch a bug in
Rest of the work has mostly been to get my secure boot tooling up to speed so I
can move off from the preexisting Canonical tooling and better test. This has
go-uefi, my Golang native library for interacting with
on Linux, having some form of integration tests towards OVMF. Which is great 😃
Lastly, the work on debug packages in Arch has slowed down due to lack of feedback on the patches. I wanted to have the stuff out in February but sadly it's going to take longer. Disappointing, but stuff happens.
Cheers and see you next month!
Package Updates to [community]
Package removals from [community]
Potential new packages for
- Support Full RELRO with
- Patch b4: https://firstname.lastname@example.org/T/#u