Morten Linderud

F/OSS Hacker. Arch Linux Developer, Security Team, Reproducible Builds. General Linux stuff and supply chain issues.

Writes in English and Norwegian from time to time.

He/Him

Public Key

npub1wvthm9yvfzly58n3z8hlcjymnly0cfpsyzkl0k8kyqsq6rv3qt4qx9y89f

NIP-05 Address

[email protected]

Profile Code

nprofile1qqs8x9majjxy30j2rec3rmlufzdelj8uysczpt0hmrmzqgqdpkgs96spz3mhxue69uhhyetvv9ujuerpd46hxtnfduqs6amnwvaz7tmwdaejumr0dsd0mu54

Publishing to

relay.damus.io

nos.lol

Author Public Key

npub1wvthm9yvfzly58n3z8hlcjymnly0cfpsyzkl0k8kyqsq6rv3qt4qx9y89f

Show more details

Last Notes

2026-03-28 23:34:28 UTC

The fun thing with working with an initramfs and busybox is that you'll do something seemingly simple like `echo "lol" > /sbin/init`.
The boot fails with "Too many levels of symbolic links".
Turns out that you have overwritten the busybox binary by accident 🫠

2026-03-26 21:22:46 UTC

Seems like the same troll has now realized writing slop articles dramatizing distro stuff is a way to get clicks.
Amazing.
Are people going to bite again?

2026-03-26 16:36:21 UTC

- reply

@nprofile…e46s
Everything written in this is either extremely misleading or just factually wrong.

2026-03-24 10:42:07 UTC

- reply

@nprofile…2x3t
Loooll, right

2026-03-24 10:26:13 UTC

- reply

@nprofile…2x3t
Wait, are you at kubecon?

2026-03-24 09:46:12 UTC

- reply

@nprofile…ywz4 and a slop pr!

2026-03-24 09:40:58 UTC

I was expecting a lot of LLM on #Kubecon but almost two continuous hours of keynote speakers 🫠?

2026-03-23 23:36:45 UTC

Gotten an LLM sales pitch on a rave: ✅
Guy had a QR code ready and everything.

2026-03-22 23:36:46 UTC

- reply

@nprofile…cxpn
Incus is honestly my most recommended software at this point

2026-03-22 11:29:59 UTC

- reply

@nprofile…88ff
Oh yeah! Totes up for that :)

2026-03-22 08:12:09 UTC

- reply

I also have a free spot for a Korean bbq booking today if anyone I know lack plans for tonight.

2026-03-22 08:11:41 UTC

Heading for #Kubecon today!
Holler if you want to come chat with me how the Norwegian Broadcasting Company (NRK) serves election results, tools, widget and components for journalists and tv production.
Alternatively, holler if you want to talk about Linux distributions, platform security, TPM or Secure Boot!

2026-03-22 07:15:28 UTC

- reply

@nprofile…559r
*complaining* doesn't help anyone.
Some projects will need to comply with this law, if you show up and tell them "don't do that" you are just asking a project to break the law on your behalf.
Does this apply to systemd? No, it's a component. But what then? Do we just tell the projects that *need* to comply to "get lost"?
Turning your anger towards the FOSS maintainers that are at the end of the stick is unproductive.

2026-03-21 23:18:12 UTC

- reply

@nprofile…6msw
If you write the dynamic library.

2026-03-21 22:35:58 UTC

Ah, I need to pack for #kubecon 🫠

2026-03-21 22:35:44 UTC

Wrote about my current project `attezt` that implements an attestation server for `device-attest-01`.
https://linderud.dev/blog/acme-device-attestation-smallstep-and-pkcs11-attezt/
#Secure #TPM

2026-03-21 21:38:49 UTC

- reply

@nprofile…sut4
There is a native way to use secure enclave with ssh on Mac these days.
It seems a bit more convoluted though.
https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf
From @nprofile…27lr

2026-03-21 20:15:50 UTC

- reply

@nprofile…y6xt
Do you think harassment of FOSS maintainers, developer and contributors is fine?
Where harassment means writing dossiers/doxxing them or sending death threats?

2026-03-21 16:53:09 UTC

- reply

@nprofile…wuv3 Do you have any opinions on this?

2026-03-21 16:42:20 UTC

Hmmm,
My impression was that #Varnish Software would be based off on the #VinylCache upstream.
But now it seems like they have effectively created their a new "varnish" repository where they intend to follow upstream, with their own patches *and* features vinyl doesn't want?
I already see changed not upstreamed, and they seem to be pushing for existing varnish packages to point to the "new" upstream?

2026-03-21 15:08:03 UTC

- reply

@nprofile…upuh @nprofile…u622
Voicing disagreements is not harassment.

2026-03-21 14:40:30 UTC

- reply

@nprofile…u622
Do you think harassment of FOSS maintainers, developer and contributors is fine?
Where harassment means writing dossiers/doxxing them or sending death threats?

2026-03-21 14:11:08 UTC

- reply

@nprofile…46jr
It's fuck harassment.
People have gotten death threats, there is more happening then just one dossier.
Get the fuck out of my mentions.

2026-03-21 14:06:48 UTC

- reply

@nprofile…46jr
Are you seriously diminishing people getting death threats and dossiers posted with personal details as.... "criticism"?
Seriously?

2026-03-21 13:54:13 UTC

- reply

@nprofile…8epn
This is ridiculous. Ploink.

2026-03-21 13:50:58 UTC

- reply

@nprofile…8epn
Dehumanizing people this way to justify your hate and vitrol does not make you any better then them.

2026-03-21 13:21:55 UTC

People are rightfully angry at age verification laws.
That doesn't justify harassment campaigns towards *any* FOSS developers, maintainers nor contributors. Turn that anger towards something productive.
Get a grip people, holy shit.

2026-03-20 23:13:30 UTC

- reply

@nprofile…sut4
Oh, I had this on my todo-list for `ssh-tpm-agent` actually.

2026-03-19 14:17:22 UTC

Current modern problems:
#lobsters try to vet a person asking for an invite to the site.
The GitHub account doesn't look legitimate and the writing is off. A bunch of blog posts that smell like LLM content. The IRC communication is very "on edge" and insists on their own importance.
Are we vetting an openclaw agent begging for invites on IRC?
We don't know.

2026-03-19 12:14:49 UTC

- reply

@nprofile…3g4a
I did consider, in a weak moment, putting out package updates as NFTs.

2026-03-19 12:05:14 UTC

- reply

@nprofile…2x3t
Nah, just make it IPv6

2026-03-19 11:59:19 UTC

Someone on discord apparently got an email from someone begging for a PR review?
Turns out they are working for a Blockchain thing where you mine coins by contributing to FOSS?
What in the everliving dystopian hell.

2026-03-19 09:45:34 UTC

- reply

@nprofile…v2v2
Have you tried the mailing list mode in Discourse?

2026-03-17 12:42:16 UTC

- reply

Or as my tech lead described it; Sim City 2000.

2026-03-17 12:41:57 UTC

A myriad of merges.
Authors unknown.
1997 ASCII Art
96 x 61
https://assets.chaos.social/media_attachments/files/116/244/541/326/750/815/original/2b5110dd74029627.png

2026-03-16 18:56:04 UTC

> Man, fuck pkcs11
> Holy shit it doesn't work
> Wait it's not sending the intermediate cert
> Noooo, still 400 error
/me enables debug logging
> client SSL certificate verify error: (10:certificate has expired) while reading client request headers,
Right.

2026-03-15 21:37:10 UTC

> I let Claude Code configure my Arch install
Ah yes, I want one "cursed NixOS" thank you.

2026-03-15 21:26:44 UTC

Hot Water Music - VOWS
#Music #Vinyl
https://assets.chaos.social/media_attachments/files/116/235/300/943/600/750/original/bf8277d51a010b33.jpg

2026-03-10 13:15:53 UTC

- reply

@nprofile…nke3
"Hello Microsoft,
I have spent 3 billable hours on IT support. See attached invoice.

2026-03-10 12:47:00 UTC

Getting a personal email from a German IT company asking for clarification about the Microsoft Secure Boot CA rotation bricking their devices.
Life goals.
But, who do I bill for this?

2026-03-08 20:06:24 UTC

- reply

I realized now everything is hardcoded to my infrastructure, lol.

2026-03-08 20:05:19 UTC

So attezt now contains 3 components.
- `atteztd` which is an Attestation CA with an inventory API
- `attezt-agent` that implement device enrollment and an p11-kit agent.
- `attezt` that is the client for both the agent and the attestation ca. Modelled after step/step-ca
Everything has an #varlink APIs as well.
https://github.com/Foxboron/attezt
Very much a work in progress and not everything is wired up correctly. Readme also needs a bit more work.
#TPM #Attestation #Security #security

2026-03-06 10:55:29 UTC

`ssh-tpm-agent` is now available in Debian testing!
Thanks to @nprofile…jf6c for packaging it!
#Debian #ssh #TPM #security

2026-03-05 15:10:58 UTC

- reply

@nprofile…zaxj
Well, both problems really.
But just because it solves one social problem doesn't mean it can solve all of them.

2026-03-05 15:07:23 UTC

- reply

@nprofile…zaxj
I generally agree but I struggle to see how distros should/are capable of solving it.
It's a social problem more so than a technical one.

2026-03-05 14:40:33 UTC

- reply

@nprofile…zaxj @nprofile…w92z
From the @nprofile…4r8y side; there is not.
But code review of individual package bumps is something few distros do.

2026-03-04 23:16:17 UTC

I just realized I have 50 days to get into shape for a 10k race. 🫠🙃
#Running

2026-03-04 22:23:22 UTC

- reply

Seems like the original author saw this as well.
https://github.com/chardet/chardet/issues/327
Please do not brigade the project.

2026-03-04 20:47:45 UTC

- reply

@nprofile…2esm
Yes.
But lets not clutch pearls over how a understaffed FOSS project decides to merge their work.

2026-03-04 20:06:47 UTC

- reply

@nprofile…2esm
They have been the upstream maintainer for years, so I don't see any huge issue with that.
I would have done the same probably?

2026-03-04 14:13:01 UTC

- reply

@nprofile…c2r0
That would probably not be litigated under copyright law.

2026-03-04 13:32:27 UTC

- reply

@nprofile…hqp3
Public domain is not really a thing in most of the world. So "yes", for US. For EU it's more complicated.

2026-03-04 13:18:36 UTC

- reply

@nprofile…88ff @nprofile…qxkq
Sure, but we are not really looking at, nor discussing, cases where LLMs spits out something verbatim from another project in this case.

2026-03-04 13:16:45 UTC

- reply

@nprofile…5h2k @nprofile…qxkq
Sure.
But I'm not going to spend time on a strawman disguised as a logic puzzle. That isn't how laws work nor how they are formed.

2026-03-04 12:59:57 UTC

- reply

@nprofile…88ff @nprofile…qxkq
Supreme Court has already dismissed such cases.
https://www.cnbc.com/2026/03/02/us-supreme-court-declines-to-hear-dispute-over-copyrights-for-ai-generated-material.html
So we are getting a precedent in US law. Yet to be settled in any high court in the EU though.

2026-03-04 12:57:48 UTC

- reply

@nprofile…u622
Amazing.

2026-03-04 12:52:14 UTC

- reply

@nprofile…qxkq
I'm not a lawyer so I'm not going to try and debate what is and isn't a copyright violation.

2026-03-04 12:36:02 UTC

- reply

@nprofile…qxkq
A license violation usually implies that there is a copyright violation to begin with.

2026-03-04 12:23:13 UTC

- reply

@nprofile…qxkq
US court is leaning towards that LLM generated code is fundamentally not copyrightable.
This is a different problem to the moral issues I have with this.

2026-03-04 12:17:23 UTC

Apparently chardet got Claude to rewrite the entire codebase from LGPL to MIT?
https://github.com/chardet/chardet/releases/tag/7.0.0
That is one way to launder GPL code I guess?

2026-03-04 07:51:09 UTC

Took me uh... 5 years since setting the goal. But today I managed 5 pull-ups!

2026-03-03 22:24:00 UTC

Babe, wake up.
New timezone just dropped.

2026-03-03 11:10:09 UTC

- reply

@nprofile…5yrk
This doesn't solve the ACME case completely, but maybe acme should just support ssh certificates as an output type from a CSR, and the principals should be left out of the process and delegated to the attestation part. Similar to how device-attest-01 is defined anyway.

2026-03-03 11:08:29 UTC

- reply

@nprofile…5yrk
So we should have systemd (or a kernel) log the hostname into the tpm eventlog. That way you can have the information available during attestation.
We should include system username, and maybe a list of available users, as well.
This way you can enroll a device with an attestation of information relevant to establish known principals.
Associating roles and arbitrary roles needs to belong to the identity/attestation CA anyway.
Doesn't this get us closer to solving this?

2026-03-02 11:22:06 UTC

- reply

@nprofile…5yrk
I don't see why this can't be done through `device-attest-01`?
Why would you need a new scheme when we just only really want another format?

2026-03-02 11:19:26 UTC

- reply

@nprofile…5yrk
I'm thinking just add `ssh-certificate` to the Content-Type in the ACME response to fetch the certificate.
Map the CSR to the ssh certificate?
It should be enough?

2026-03-02 11:18:14 UTC

- reply

Okay, so what about some extensions to CSR that maps to the ssh certificate fields?
It should be completely doable?
Internet draft time? 🤔

2026-03-02 11:06:46 UTC

Has there been any work to issue ssh certificates through ACME?
You can pass custom content-type headers, so it should be possible to jam it inn there?

2026-03-02 09:56:26 UTC

- reply

@nprofile…2pwv
Ohhhh, totes up for drinking!

2026-03-02 09:05:23 UTC

- reply

@nprofile…27lr
I will acquire a replacement dutch in your stead!

2026-03-02 08:45:08 UTC

Ok, so do I know anyone heading for #Kubecon in Amsterdam?

2026-03-01 18:55:18 UTC

- reply

I've already learned that "test" is apparently not a valid TPM manufacturer.

2026-03-01 18:54:58 UTC

Okay, so I was doing some setup for my home infra 3 months ago, and wanted device bound ssh certificates.
Found smallstep and `device-attest-01`!
Now I have:
- An attestation CA for hardware identities
- An ACME client that can issue device bound certs.
- A POC PKCS11 client that supports TPM backed certificates for browsers.
And I still don't have ssh bound certificates.
#Security #TPM

2026-02-28 14:54:39 UTC

Never been so happy to see the following error before.
```
Error with C_Sign: asn1: syntax error: sequence truncated
cannot handle request, 43 failed: asn1: syntax error: sequence truncated
```

2026-02-27 16:49:50 UTC

- reply

@nprofile…2pwv
What more do you need then "Foxborons personal code runs on this machine"?

2026-02-27 14:47:45 UTC

- reply

https://chaos.social/@Foxboron/115950770238435523

2026-02-27 14:42:04 UTC

I should operate my own FoxWare sticker certification program.

2026-02-23 18:49:57 UTC

Y'all, I think that filesystem guy is lonely. Someone should go check up on him.

2026-02-22 21:47:16 UTC

- reply

@nprofile…alnl
Yes.

2026-02-22 20:08:18 UTC

- reply

@nprofile…2pg0
You can disable pull requests on github now! So it's just an empty interface because Github didn't actually do this properly.

2026-02-22 20:04:25 UTC

RIP https://github.com/torvalds/linux/pulls
#Linux #Github

2026-02-22 14:19:05 UTC

- reply

@nprofile…z3lm @nprofile…2vzh @nprofile…t7hh
@nprofile…j858 is also a decent conference to consider :)

2026-02-22 14:14:51 UTC

- reply

@nprofile…2vzh
Nice, can probably get a bunch to @nprofile…t7hh for distribution as well!

2026-02-21 23:10:24 UTC

- reply

@nprofile…hnec
Clave or Clive

2026-02-21 19:20:13 UTC

- reply

@nprofile…79yp
But :c

2026-02-21 19:10:31 UTC

So my ISP has been down for a few hours now.
At which point do I start throwing my openwrt router over the mobile hotspot?
I want to read my RSS feeds again.

2026-02-19 12:18:22 UTC

New Paged Out zine!
https://pagedout.institute/download/PagedOut_008.pdf
Submitted an article to this issue about ssh-tpm-agent :D
#TPM #Security #PagedOut

2026-02-09 21:29:23 UTC

- reply

@nprofile…2x3t
/me hides away his postfix pitch deck

2026-02-09 20:27:30 UTC

- reply

@nprofile…rhgx
1.0.0

2026-02-09 18:48:58 UTC

- reply

@nprofile…ux7q
Aha! I see you in the discord :) awesome

2026-02-09 18:37:08 UTC

- reply

@nprofile…ux7q
Warden, FMAT represent yo.
Capt or Maj I think? But I realize they have restructured everything now so not sure.

2026-02-09 18:13:36 UTC

- reply

@nprofile…ux7q :c

2026-02-09 15:55:48 UTC

- reply

I can either:
1) Write a blog post about my new TPM attestation pet project.
2) Read up on the TPM TAP specification.
3) Run over unsuspecting people with a truck while I deliver mammons to a frontline BB in a 24/7 perpetual war.

2026-02-09 15:54:39 UTC

Hm, maybe it's time to pick up #Foxhole again?
#UpdateWar

2026-01-29 12:12:00 UTC

FOSS is a gateway into cheese smuggling operations.

2026-01-17 16:38:04 UTC

- reply

@nprofile…uk7q Sorry, I don't understand the question?

2025-12-30 13:02:59 UTC

- reply

This is a DEFCON talk. [Negative]

2025-12-28 00:12:17 UTC

- reply

Update: it did still work!

2025-12-27 23:22:45 UTC

Honestly, half the fun of doing a release is to see if that workflow file creating pre-built binaries still work.

2025-12-11 17:43:36 UTC

- reply

@nprofile…unk3 lol, we just discussed this just now as well