if you think the greatest threat to effeminate gay boys is the trans movement and not the cis straight men who overwhelmingly exclude and brutalize them then you should walk into the ocean immediately
If you see this, post a rabbit 🐰
@panootsart.bsky.social
not exactly. capsudod itself does not have the notion of policies. you can put things in front of capsudod that impose policy requirements (the socket connection to capsudod is the "capability" here).
we are also looking into pre-opened FDs and other things though...
if you've noticed, i'm not particularly active on social media anymore. it is because social media is bad for you.
sudo & other SUID tools can be tricked by less-privileged user into using the inherited (ambient) authority for malicious purpose, ie undesired privilege escalation. OCAP requires user to provide a scoped token for each request, proving intent. IIUC Ariadne proposes capsudod as a gateway to resource
a list of RIP addresses grouped by function boundary. the user must supply a kallsyms file.
another fun day at @edera.dev leads me to build this sampling tracer thing that single-steps a guest and shows me what it is doing based on latencies...
cursed Intel IOMMU fact of the day: on some Intel platforms, the firmware did not provide TLB entries for the Intel HDA audio controller, which requires workarounds in Linux to this day.
yet another fun fact learned working at @edera.dev 😵‍💫
elixir.bootlin.com/linux/v6.18....
my dear friend @jsalazar.co relaunched his blog and has some poignant thoughts on the current state of "DevSecOps".
he thinks that security operations needs to have an SRE moment. in other words, that SecOps should be security *engineering*.
www.syscall.wtf/blog/securit...
before: caddy serving a static directory
after: static directory on host, mounted as 9pfs volume and served by darkhttpd in guest MicroVM (edera protect zone), which is proxied by traefik ingress (running in a different @edera.dev protect zone)
i used darkhttpd inside the container for irony purposes
distfiles.ariadne.space -- now powered by kubernetes and @edera.dev protect
how... webscale
visualizing an application's dependency set whose SBOM is managed with pkgconf's SBOM tools
amongst other things, we will discuss how you can *visualize* your dependency set using #pkgconf's advanced dependency resolver and SBOM tools :)
if you are interested in my #FOSDEM talk on Sunday at 15:30 in the #SBOM devroom, I have published a demo that outlines what we will be discussing: codeberg.org/kaniini/fosd...
as an update, capsudo 0.1.1 has been released to fix a shadowed-include problem on newer versions of GLIBC. usually it is musl that is more stringent about this.
Part 2 of the series will land sometime this weekend... and then finally after that we will get to the chapter the Hacker News and Lobsters people wanted to skip to after that.
If someone wants to send me the bits to make this all work with systemd, that would also be great.
the tl;dr: capsudo is essentially sudo, but done with object capabilities instead of an SUID binary.
My blog last month explains the theory side of it and how you can use object capabilities to stitch all sorts of interesting things together without the need of a complex policy engine.
If you want password authentication, use the capsudo-pwauth service which will challenge the capsudo client to provide your password, otherwise there is no authentication at all.
#capsudo 0.1 has been released!
distfiles.ariadne.space/capsudo/caps...
If you are on Alpine edge and have testing packages enabled, you can install capsudo from there and then start the capsudo service.
Why leaders often disappoint us: https://ariadne.space/2026/01/22/why-leaders-often-disappoint-us.html
planning to cut a capsudo release later this week ahead of FOSDEM
main things blocking:
- SELinux handwaving (ugh)
- CAPSUDO_SECRET and capsudo-pwverify filter
- getopt_long options
- help message
- manual pages
i have been on hold with verizon for over an hour to cancel a 5G data-only line i am not using. it should be illegal to require people to call in to cancel something they can sign up for online.
I'm going to go do something else now because using this app makes me physically sick with disgust.
Posting true facts without also acknowledging the fact that ICE responds violently to these 3 things is irresponsible.
Will you co-sponsor Senator Markey & Representative Pressley's Qualified Immunity Abolition Act of 2026? That's all I want to hear from Congresspeople today.
if you don't tell it, it will guess that the toolchain search paths are ${prefix}/lib and ${prefix}/include, which are reasonable for the typical GNU/Linux system (well, before multiarch anyway).
your irregular reminder that pkgconf needs to be told about the build toolchain's include and library search paths in order to filter said paths correctly.
A screenshot from the Telegram group which pretends to be an official Alpine one. FAKE is overlaid on top of the post which appears to be composed when the person in question, already banned from the Alpine community, was somehow intoxicated.
Your irregular reminder that Alpine Linux DOES NOT have any Telegram channels and any community use of the Alpine marks in a way which indicates an official relationship with or endorsement by the project is forbidden by our CoC.
Unfortunately, it is hard to get Telegram to do anything about this.
No one *licensed* anyone to make CSAM of their kids, and the tech company that provides both the production technology and the distribution system should be prosecuted out of existence.
The murderer’s name is Jonathan Ross. www.startribune.com/ice-agent-wh...
now I can talk about the context, which I do over on Mastodon: social.treehouse.systems/@ariadne/115...