Pinned post

For my company I have put together and support packages which cover tasks I have been doing via ad-hoc consulting gigs for years now. And I asked some freelancing friends from the OpenBSD community to share the work with me.

We support deployments of OpenBSD in server and firewall roles via yearly fixed-price contracts. All base system components can be supported.

From our existing client base we know for a fact that there are small and mid-sized businesses out there who run OpenBSD and would benefit from working with us. We want to find more of them.

chirpysoft.be/support.html

Pinned post

I will be hosting OpenBSD and firewall courses at @linuxhotel in the city of Essen, Germany.

OpenBSD: linuxhotel.de/course/openbsd-d

PF: linuxhotel.de/course/pf-de

Currently there are no dates set for either course, but it is possible to send Linuxhotel a proposal for the next date.

The target audience are system administrators who would like to learn about OpenBSD and PF in order to use them as part of their network security tool set.

(Do not be afraid to sign up if you do not understand German. While the courses are advertised in German, written course material will be in English and the presentation will be entirely in English if preferred by participants.)

@vanhoefm I am leaning towards only supporting the fixed variant of in .

Hash-to-element has the advantage that ifconfig can compute the PT in userland, leaving the kernel to compute only the PWE during association.

Not supporting the workarounds for the broken version of WPA3 might help push people to updating (or replacing) their APs in case they are broken (or unfixable), at least in the OpenBSD user community. I don't think that would be a bad thing.

As far as I understand, hash-to-element can be added to older WPA3 devices with a software update. It doesn't require hardware modifications. Correct? If so, all vendors should be able to provide an update which adds support for hash-to-element.

I presented at the local planetary journal club this morning about the 3 articles I co-authored for The Conversation in the past weeks about the effects that one million satellites would have on the night sky, the atmosphere, and the orbital environment (spoiler alert: all very very bad)

theconversation.com/a-new-spac

theconversation.com/too-many-s

And one on light pollution that I thought would get published today but might not be out until after the weekend.

It has taken me a while to put into words why I dislike the use of AI in open source. I think I finally pinned it down.

One of the best aspects of open source has always been sharing in the excitement around a project. An author spent time and energy to make this project that they were excited about, or solved a problem they had. You had the same problem or were inspired by their excitement and joined in on the fun.

Now people are shitting out entire code bases to do something and I just can't get excited about it. If you can't be ars'd to put in the effort, neither can I.

Then there are the other aspects: paying a company to be a Developer™, now there is an expectation of HyperProductivity®, environmental, ethical... the list goes on.

What happens to your codebase if you stop paying? Are you going to maintain the 200k lines it shat out in a week? Doubt it. Your skill set has been captured. Your project has been captured. Now you must pay to access it.

Fuck that.

What if you could ~$ git clone SWHID?

"You’d end up with git clone as a content-addressed fetch primitive rather than just a URL fetch, which is an interesting building block for reproducible builds and supply chain verification."

A nice write-up by @andrewnez on git remote helpers 👉 nesbitt.io/2026/03/18/git-remo

#Git #SWHID #ReproducibleBuilds

Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾
Write-up and demo: mxsasha.eu/posts/openwrt-ssid-
CVE-2026-32721, fixed in 24.10.6 / 25.12.1

Finally found out why Tx was broken with iwx(4) on Intel AX211 BZ devices. Another one of those bugs which cannot be found without persistence and some amount of good luck.

marc.info/?l=openbsd-cvs&m=177

open collective know-your-customer 

Looks like the one year long process it took to get my company's external accountants to play along with setting up our own fiscal host for @gothub was very much worth it! Our initial plan was to be fiscally hosted by Open Collective Europe but OCE rejected our application as too commercial for reasons I could never figure out. They suggested we should try applying to the Open Source Collective instead. I am glad we never did!

Anyway, I hope this story will end with OC/OSC not using stricter identity checks than already performed by payment providers. Or at least hire a less dangerous partner company for identity checks. I doubt they can completely get around KYC rules in their jurisdiction. The worst outcome could be OC/OSC getting fined or shut down for non-compliance. They will likely have to pick some least bad option from some set of bad options to comply.

Huh, so my fennec fdroid had "remote improvements" enabled (settings - advanced - remote improvements). Since I have turned that off the main menu has finally stopped flipping between old and new style. It is just sticking to old style now.

Bit crazy that a feature which loads additional code over the network can be enabled in the fdroid version, isn't it?

Today I took a closer look at a hacked Git repo. It was the kubernetes-el repo. The traces of the hack have since largely been cleaned up, but I was able to look at them soon after it happened. What happened, as far as I could reconstruct it:

  • Attacker forks the repo
  • Attacker submits a test PR
  • GitHub worker starts, but in doing so executes malicious code through the worker
  • Attacker sees that it works and adds a script that sends a GitHub token to an external webhook, and submits another PR with it
  • PR check worker starts and sends the token out
  • Attacker uses the write-capable token to access the main repo directly from outside
  • Attacker adds an "rm -rf" to the package (an Emacs Kubernetes package) and defaces the repo; finally deletes all files in the repo except for an image and a hack notice

What could be seen here: the attack was ultimately simple. A simple misconfiguration - the GitHub worker was able to perform Git commits on its own repo and reacted very trustingly to PRs - was enough to, in theory, lace a tool that many people have in Emacs with malicious code. This is supply chain not only on large infrastructures, but directly as an attack on an editor.

tl;dr: pipeline and worker security is a thing.
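One way to close the misconfiguration the post describes, as an added example that is not part of the original post: it assumes the "GitHub worker" was a GitHub Actions workflow (the post does not name it) and that the project runs its checks with a hypothetical `make test`; the first workflow reproduces the risky pattern (untrusted PR code running with a write-capable token), the second is the hardened form.

```yaml
# Added example; assumes the worker in the post is a GitHub Actions workflow.
# File 1 (RISKY): .github/workflows/ci-risky.yml
# pull_request_target runs in the base repo's context, so secrets and the
# GITHUB_TOKEN are available, and the token is explicitly granted write access.
name: ci-risky
on:
  pull_request_target:
permissions:
  contents: write            # token can push to the main repo: this is what leaked in the post
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the PR author's branch
      - run: make test       # hypothetical; runs Makefile/test code supplied by the PR
                             # with a write-capable token and secrets in scope

---
# File 2 (HARDENED): .github/workflows/ci-hardened.yml
# pull_request from a fork runs with no secrets and a read-only GITHUB_TOKEN;
# the permissions block makes least privilege explicit rather than relying on defaults.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read             # nothing in this job can commit or push to the repo
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge commit; still read-only
      - run: make test       # hypothetical; PR-supplied code now runs without a write token
```

Independently of the workflow files, the repository setting "Workflow permissions" can be set to read-only for all workflows, and fork PRs from first-time or outside contributors can be required to be approved before any worker runs at all.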

New on #blog: "Money isn’t going to solve the #burnout problem"

"""
The xz-utils backdoor situation brought the problem of FLOSS maintainer burnout into the daylight. This in turn led to numerous discussions on how to solve the problem, and the recurring theme was funding maintenance work.

While I’m definitely not opposed to giving people money for their FLOSS work, if you think that throwing some bucks will actually solve the problem, and especially if you think that you can just throw them once and then forget, I have bad news for you: it won’t. Surely, money is a big part of the problem, but it’s not the only reason people are getting burned out. It’s a systemic problem, and it’s in need of a systemic solution, and that involves a lot of hard work to undo everything that’s happened in the last, say, 20 years.

But let’s start at the beginning and ask the important question: why do people make free software?
"""

blogs.gentoo.org/mgorny/2026/0

#FreeSoftware #OpenSource #AI #NoAI #LLM #NoLLM #Gentoo

I moved all my repos to #GotHub:

https://gonzalo.gothub.org/

And you can do the same! Go to https://gothub.org/ and check it out!

Maybe you are interested in this one too:

https://openbsd.gothub.org/index.html

#OpenBSD #got #GotHub

Hi all.

Just putting the feelers out as I'd love to know how many folks are using got on macOS.

@teajaygrey does an amazing job every time I make a release of gameoftrees portable, but I could do with knowing how many of you are using it.

I made a change in the 0.123 release to fix socket handling for services such as gotwebd, which is good, but it's telling that it's taken this long, so I wonder how many users we have.

Let me know -- you can always email me at: thomas.adam22@gmail.com

Please boost this as much as possible, I'd appreciate it.

BSD Network

bsd.network is a *BSD-adjacent Mastodon Instance. We have a code of conduct.