Stefan Sperling

692 Followers
700 Following
203 Posts

Posting mostly about tech stuff I'm working on but happy to read and chat about non-tech stuff too. I'm grateful to be learning so much about the world from all of you.

Tech stuff I'm working on currently includes OpenBSD, Apache Subversion, Software Heritage, Game of Trees, @gothub, and Dulwich.

Toots get auto-deleted after one month.

www: https://stsp.name
languages: de/en, a little fr
cities: Berlin / Brussels
pronouns: he/him/his
how to use civility to stop the borg

Finally found out why Tx was broken with iwx(4) on Intel AX211 BZ devices. Another one of those bugs which cannot be found without persistence and some amount of good luck.

https://marc.info/?l=openbsd-cvs&m=177341485313105&w=2

#OpenBSD #WiFi

'CVS: cvs.openbsd.org: src' - MARC

Looks like the one year long process it took to get my company's external accountants to play along with setting up our own fiscal host for @gothub was very much worth it! Our initial plan was to be fiscally hosted by Open Collective Europe but OCE rejected our application as too commercial for reasons I could never figure out. They suggested we should try applying to the Open Source Collective instead. I am glad we never did!

Anyway, I hope this story will end with OC/OSC not using stricter identity checks than already performed by payment providers. Or at least hire a less dangerous partner company for identity checks. I doubt they can completely get around KYC rules in their jurisdiction. The worst outcome could be OC/OSC getting fined or shut down for non-compliance. They will likely have to pick some least bad option from some set of bad options to comply.

Huh, so my fennec fdroid had "remote improvements" enabled (settings - advanced - remote improvements). Since I have turned that off the main menu has finally stopped flipping between old and new style. It is just sticking to old style now.

Bit crazy that a feature which loads additional code over the network can be enabled in the fdroid version, isn't it?

A very beautiful day

Today I took a somewhat closer look at a hacked Git repo. It was the kubernetes-el repo. The traces of the hack have largely been cleaned up by now, but I was able to look at them promptly. What happened could be reconstructed by me as follows:

  • Attacker forks the repo
  • Attacker sends a test PR
  • GitHub worker starts running, but in doing so executes malicious code through the worker
  • Attacker sees that it works and adds a script that sends a GitHub token to an external webhook, and submits a PR again with it
  • PR check worker starts running, sends the token out
  • Attacker uses the write-enabled token to access the main repo directly from outside
  • Attacker builds an "rm -rf" into the package (an Emacs Kubernetes package) and defaces the repo; ultimately deletes all files in the repo except for an image and a hack notice

What could be seen here: the attack was ultimately simple. A simple misconfiguration - the GitHub worker was able to perform Git commits to its own repo and reacted very trustingly to PRs - was enough to, in theory, lace a tool that many users have in Emacs with malicious code. That is supply chain not only on large infrastructures, but directly as an attack on an editor.

tl;dr: pipeline and worker security is a thing.
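The misconfiguration described in the post, as an added example that is not part of the original post and not the kubernetes-el project's own workflow: the post does not show the actual CI configuration, so the GitHub Actions trigger, permissions and step names below are assumed. The first document shows the weak shape (untrusted PR code run with a write-capable token in the base repo's context), the second a least-privilege version of the same job.

```yaml
# Assumed weak shape (not the real kubernetes-el workflow): untrusted PR code
# runs in the base repository's context with a token that may push to main.
name: pr-check-weak
on:
  pull_request_target:          # runs in the BASE repo context; secrets are available
permissions:
  contents: write               # GITHUB_TOKEN can commit to the main repo
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # checks out the PR author's code
      - run: make test          # whatever the PR's build/test files contain now runs with write access
---
# Hardened version: fork PRs get a read-only token and no repository secrets,
# and the token is not left behind in .git/config for later steps.
name: pr-check-hardened
on:
  pull_request:                 # runs in the PR's own context, read-only for forks
permissions:
  contents: read                # least privilege even for same-repo PRs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't keep the token around after checkout
      - run: make test          # untrusted code still runs, but nothing it reaches can write to the repo
```

Anything that must write to the repository (release tagging, changelog commits) belongs in a separate workflow that runs only on trusted branches, not on a pull-request trigger.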

OpenBSD on the Pomera DM250(XY)

New on #blog: "Money isn’t going to solve the #burnout problem"

"""
The xz-utils backdoor situation brought the problem of FLOSS maintainer burnout into the daylight. This in turn led to numerous discussions on how to solve the problem, and the recurring theme was funding maintenance work.

While I’m definitely not opposed to giving people money for their FLOSS work, if you think that throwing some bucks will actually solve the problem, and especially if you think that you can just throw them once and then forget, I have bad news for you: it won’t. Surely, money is a big part of the problem, but it’s not the only reason people are getting burned out. It’s a systemic problem, and it’s in need of a systemic solution, and that involves a lot of hard work to undo everything that’s happened in the last, say, 20 years.

But let’s start at the beginning and ask the important question: why do people make free software?
"""

https://blogs.gentoo.org/mgorny/2026/03/07/money-isnt-going-to-solve-the-burnout-problem/

#FreeSoftware #OpenSource #AI #NoAI #LLM #NoLLM #Gentoo

Michał Górny

I moved all my repos to #GotHub:

https://gonzalo.gothub.org/

And you can do the same! Go to https://gothub.org/ and check it out!

Maybe you are interested in this one too:

https://openbsd.gothub.org/index.html

#OpenBSD #got #GotHub

#gameoftrees #macOS #got

Hi all.

Just putting the feelers out as I'd love to know how many folks are using got on macOS.

@teajaygrey does an amazing job every time I make a release of gameoftrees portable, but I could do with knowing how many of you are using it.

I made a change in the 0.123 release to fix socket handling for services such as gotwebd, which is good, but it's telling that it's taken this long, so I wonder how many users we have.

Let me know -- you can always email me at: [email protected]

Please boost this as much as possible, I'd appreciate it.