Free, Libre, and Open Source Software Leftovers
Undeadly ☛ OpenBGPD 8.9 released
Claudio Jeker (claudio@) announced the release of version 8.9 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon: [...]
SaaS/Back End/Databases
Rui Carmo ☛ SQLite
SQLite is my database engine of choice for simple, no-frills stuff, and has of late become popular enough for me not to have to bother compiling it from scratch anywhere.
Content Management Systems (CMS) / Static Site Generators (SSG)
Annie Mueller ☛ Why do I love my Pika guestbook so fucking much? Let’s discuss.
Dealing with comments and comment spam feels like pressure.
Receiving and responding to an email feels like a conversation.
Knowing how many clicks or visits happened on my blog feels like pressure.
Education
Don Marti ☛ a new library book
This is the new edition of Automate the Boring Stuff with Python, which is not really a Linux book specifically—the material should work on all the commonly used OSes—but covers a lot of the kind of stuff that people get Linux for.
FSF
The Register UK ☛ Just using open source isn't radical any more, Europe
It is 2025. Linux will turn 34 and the Free Software Foundation (FSF) 40. For the EU and Europe at large, which is famously experimental with government deployments of open source tech, behind initiatives to promote open licensing, and whose governments promote equal opportunity for FOSS vendors in public tendering, it's a crunch point.
Standards/Consortia
arXiv ☛ [2509.10895] Finding SSH Strict Key Exchange Violations by State Learning
We investigate the security of ten SSH implementations supporting strict KEX for up to five key exchange algorithms. In total, we learn 33 state machines, revealing significant differences in the implementations. We show that seven implementations violate the strict KEX specification and find two critical security vulnerabilities. One results in a rogue session attack in the proprietary Tectia SSH implementation. Another affects the official SSH implementation of the Erlang Open Telecom Platform, and enables unauthenticated remote code execution in the security context of the SSH server.
arXiv ☛ [2509.09331] On the Security of SSH Client Signatures
We extracted 31,622,338 keys from three public sources in two scans. Compared to previous work, we see a clear tendency to abandon RSA signatures in favor of EdDSA signatures. Still, in January 2025, we found 98 broken short keys, 139 keys generated from weak randomness, and 149 keys with common or small factors; the large majority of the retrieved keys exposed no weakness. Weak randomness can compromise a secret key not only through its public key, but also through signatures. It is well-known that a bias in random nonces in ECDSA can reveal the secret key through public signatures.
For the first time, we show that the use of deterministic nonces in ECDSA can also be dangerous: The private signing key of a PuTTY client can be recovered from just 58 valid signatures if ECDSA with NIST curve P-521 is used. PuTTY acknowledged our finding in CVE-2024-31497, and they subsequently replaced the nonce generation algorithm.
Feld ☛ SenseCAP T1000-E As An NTP Clock Source
I have a SenseCAP T1000-E as my first foray into Meshtastic / LoRa. These devices are fairly cheap, and it has a serial-over-USB interface. When I realized this device also has GPS, I wondered if it would be possible to use this with NTP. I think more people would join the mesh if they could buy a cheap device that doubles as a mesh client/repeater and can be utilized as a clock source for NTP. Even if you stop caring about Meshtastic, you can just forget it exists and keep using the GPS functionality.