HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Foxboron

no profile record

Submissions

Show HN: SSH-TPM-agent · Release v0.9.0

github.com
6 points·by Foxboron·2 माह पहले·3 comments

Vinyl Cache and Varnish Cache

vinyl-cache.org
54 points·by Foxboron·3 माह पहले·26 comments

Acme device attestation, smallstep and pkcs11: attezt

linderud.dev
2 points·by Foxboron·4 माह पहले·0 comments

Personal Infrastructure Setup 2026

linderud.dev
3 points·by Foxboron·6 माह पहले·0 comments

Self-hosting DNS for no fun, but a little profit

linderud.dev
6 points·by Foxboron·7 माह पहले·0 comments

comments

Foxboron
·28 दिन पहले·discuss
> Could be one or one thousand. Frankly, the exact number doesn't matter.

It does. Manually checking a couple of AUR packages is easy. Installing a thousand AUR packages is not something anyone should be doing.

> I'm assuming people are using the AUR to install programs that are sufficiently complex and the idea one can trivially audit a complex program and all of its dependencies is foolish. The foolishness of that expectation scales with the number of complex programs installed.

Nobody is asking them to do that. The premise is that the `PKGBUILD` and auxillary files provided by the AUR should be checked.

> The idea that users should "just check the source code every single time" has never been, nor will it ever be, a reasonable solution to supply chain attacks.

Again, nobody is asking anyone to do this.
Foxboron
·29 दिन पहले·discuss
> Expecting users to manually review every single change, for every single AUR package they are using, every single time they do an update or installation is just unreasonable if you want to AUR to be useful at all for the general user.

How many AUR packages are you assuming people are installing?
Foxboron
·2 माह पहले·discuss
> The host key section makes me wonder about doing this with servers, but what are the security guarantees in places like the cloud with that? Are you relegated to a software TPM, and if so, what guarantees does a software TPM have?

For the cloud? You would probably have a software TPM so not super secure, but you would still prevent the keys from being extracted away from the server. And if you don't trust your hypervisor/cloud provider you probably have other issues?

In my head the security guarantees are more straightforward for physical servers where you have a fTPM or a dTPM.

> My question after reading the README.md: what are the requirements from the OS? Can it be Windows, Linux, etc?

This only supports Linux.
Foxboron
·3 माह पहले·discuss
This just reads like a LLM trying to come up with a conspiracy theory around systemd.

It somehow got hyper-fixated on "three" for no particular reason and seems like it decided to harpen down that fact without explaining anything around it?
Foxboron
·4 माह पहले·discuss
`mkinitcpio` supports both.

The `base` hook installs the shell PID 1, the `systemd` hook installs systemd as PID1. The default hook setup was changed with the latest'ish release to default too the `systemd` hook setup.

Shell `init`; https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio...
Foxboron
·4 माह पहले·discuss
> Maintainers: You’re a primary maintainer or core team member of a public repo with 5,000+ GitHub stars or 1M+ monthly NPM downloads. You've made commits, releases, or PR reviews within the last 3 months.

Laughable.

This is a tiny, if even unimportant, fraction of the FOSS community that runs the modern tech stack.
Foxboron
·4 माह पहले·discuss
I have reported several spam emails to Github and from what I can tell none has been acted upon.
Foxboron
·5 माह पहले·discuss
I mean, gitlab is only from ~2019.

The first hit I could find of a git repository hosted on `archlinux.org` is from 2007; https://web.archive.org/web/20070512063341/http://projects.a...
Foxboron
·5 माह पहले·discuss
Nor the 20 or so odd reimplementations of various filesystem drivers and LUKS encryption in the grub2 tree.

But, who is counting?
Foxboron
·5 माह पहले·discuss
> Sure, but can the system context-switch that PCR between two different users?

Right, no it can't.

But this was not really something the TPM was suppose to solve.
Foxboron
·5 माह पहले·discuss
UEFI on x86_64 and phones are not comparable when it comes to being "locked down".
Foxboron
·5 माह पहले·discuss
Phones don't implement UEFI.
Foxboron
·5 माह पहले·discuss
> * Secure Boot (vendor-keyed deployments)

I wish this myth would die at this point.

Secure Boot allows you to enroll your own keys. This is part of the spec, and there are no shipped firmwares that prevents you from going through this process.
Foxboron
·6 माह पहले·discuss
> The TPM has nothing remotely resembling per-user PCRs.

The system could extend one of the PCRs, or an NVPCR, with some unique user credential locked to the user directory. Then you can't recreate the PCR records in any immediate way.

But you can't just recreate a key under one of the hierarchies anyway. You still need to posses the keyfile.
Foxboron
·6 माह पहले·discuss
> Who exactly are you thinking of that needs a job but doesn't have one?

That is not your claim. Your claim is that they "are on the payroll of one of the big tech interests or a foundation funded by them". Which is simply not true.

You can easily find several maintainers of these projects doing this as their part-time hobby project, have cut a deal at work or simply don't work at place that funds Linux development.

I'm not going to call out individual I know the situation and/or their employment history.
Foxboron
·6 माह पहले·discuss
> Linux, clang, python, react, blink, v8, openssl... You know what I mean. I stand by what I said. Do you have a counterexample you think is clearly unfunded? They exist[1], but they're rare.

For Linux "all the major contributors and maintainers are on the payroll of one of the big tech interests or a foundation funded by them" is simply not true. It's trivial to prove this by just looking at the maintainers of the subsystems. Making this claim is nonsense to begin with.

Same is true for several major contributors to the Python compiler and subsequent libraries as well.

You will move the goalpost by trying to narrow down what "major contributor" means.

> It's software subject to economic coercion owing to the lack of means of its maintainership. It's 100% fine for you to write and release software for free, but if a third party bets their own product on it they're subject to an attack where I hand you $7M to look the other way while I borrow your shell.

So without knowing anyone you are making a value judgement on the (probable?) lack of ethics? Excuse me?
Foxboron
·6 माह पहले·discuss
> but for almost any economically important project all the major contributors and maintainers are on the payroll of one of the big tech interests or a foundation funded by them.

"almost" is the load bearing word here, and/or a weasel word. Define what an "economically important project" is.

> Also just to be clear: node is filled with povertyware and you should be extremely careful what you grab from npm.

Is "povertyware" what we call software written by people and released for free now?
Foxboron
·6 माह पहले·discuss
> What else could they do? The government represent the country. If their business model is not welcome there then they withdraw. It's very fair to say "if you insist on those rules I choose not to play".

They can just not threaten the population of Italy? They are a 2 billion dollar company that has apparently scheduled a meeting with the vice president of the US on short notice? This is going to be resolved politically.

> Btw, I recently "threatened" Switzerland to withdraw my business from there because the cost of doing business there (complying with their VAT regulation) is higher than my revenue from there (maybe 1-2 licenses a year). The whole Switzerland will not be able to buy my software because of that. I didn't think of posting about it on Twitter though.

You have not given "free services" to 20% of the world wide web that you are now using as leverage.
Foxboron
·6 माह पहले·discuss
And the correct response to that is to write up a threat towards the entire population of a country?
Foxboron
·6 माह पहले·discuss
They are a conglomerate and per Matthews words "an internet infrastructure provider". Why does the local revenue matter when they are serving a global market?

EDIT: And fwiw, "Why would you continue doing business in Italy?" is not what is being proposed. They are threatening to block 55 million people from ~20% of the world wide web.