My Unix blog: scripts, software, /etc - anthesis

Font comparison and review: Atkinson Hyperlegible Mono

Tue, 22 Jul 2025 00:00:00 +0200

Font comparison and review: Atkinson Hyperlegible Mono

Published: July 22nd, 2025

Updated: July 25th, 2025

Recently, I modified anthes.is to use my own subsetted versions of Atkinson Hyperlegible Next and Atkinson Hyperlegible Mono. Following the principle of eating your own dog food, I also switched to Atkinson Hyperlegible Mono in my terminal. After a month of daily use, I can now assess this font’s practical advantages and compare it to established programming fonts like JetBrains Mono and Fira Code.

Download links:

On character distinction and readability

Understanding Atkinson Hyperlegible Mono’s strengths requires examining the readability challenges programming fonts must address. While many fonts distinguish between 0 and O, or 1, l, and I, these represent only two of many cases where character distinction matters.

Typographers call lookalike characters “homoglyphs.” The examples below showcase both homoglyphs and “mirror image” glyphs. Screenshots in this section come from Evaluating Fonts: Font Family Selection for Accessibility & Display Readability.

Multi-character homoglyphs

Multi-character homoglyphs occur when a sequence of glyphs appear to form a single character. For example, cl can resemble d. Monospace fonts reduce this problem, since each character occupies equal horizontal space.

In the “worse” example, letters blend together to resemble different characters. The “better” examples use subtle details to prevent this—like Convergence’s curly y and Quando’s serifs.

Single character homoglyphs

Single character homoglyphs occur when one glyph resembles another—such as 8 and B.

Several problems emerge in the “worse” examples.

In Fugaz One, the O and 0 appear indistinguishable. Nearly the same applies to u, v, and w.
The 1, l, and I look identical in Gill Sans.

The “better” examples address these concerns through deliberate design choices. SecularOne uses a circle for O and an oval for 0, while the u, v, and w maintain distinct shapes.

Mirror image glyphs

Mirror image glyphs occur when flipping one character creates another—like d and b. Serif fonts address this by adding distinguishing serifs, but sans-serif fonts must find other solutions.

Montserrat achieves visual harmony, but creates mirror images. Convergence solves this with a curly q tail and asymmetrical spurs that distinguish d from b.

Scenarios where character distinction matters

Character distinction proves important in several scenarios:

Debugging the results of a Structured Query Language (SQL) query, like SELECT * FROM users WHERE id = 'B510', only to realize you meant SELECT * FROM users WHERE id = '8510'.
Copying hexadecimal output by hand from an airgapped machine. Or writing down GNU Privacy Guard (GPG) key fingerprints down on paper.
Distinguishing between similar commit hashes when cherry-picking or reverting in git, such as a1c4e8b versus a1c4e8d.
Command-line flags, like -1 and -l.

These examples illustrate that visual distinctiveness proves important in many situations. Still, some questions remain: what informed Atkinson Hyperlegible’s design process, and what makes Atkinson Hyperlegible Mono special compared to other programming fonts?

About the Atkinson Hyperlegible font family

The Atkinson Hyperlegible family comes from the Braille Institute. Approaching their centennial in 2019, the institute hired Applied Design Works to develop a new brand identity. Applied Design Works needed a font that balanced character differentiation with visual harmony. When existing fonts failed to meet their specific accessibility and branding requirements, they designed their own, naming it after the institute’s founder: J. Robert Atkinson.

Atkinson Hyperlegible earned Fast Company’s 2019 Innovation By Design award. By 2025, Atkinson Hyperlegible generated over 43 million weekly impressions via Google Fonts. The Braille Institute then released enhanced versions: Atkinson Hyperlegible Next and Atkinson Hyperlegible Mono.

The Next variant of Atkinson Hyperlegible expands from 2 to 7 weights and extends language support from 27 to 150+ languages. The Mono version addresses what the Braille Institute called “one of the most requested additions”—a variant for developers.

The Atkinson Hyperlegible family’s unique design features

The Braille Institute, Applied Design Works, and Material Design all detail these design features. Since visual examples showcase typography better than descriptions, this article includes images from Material Design’s blog post.

Annotated images show the proportional version. Where the monospace version differs significantly, non-annotated comparison images follow.

Distinct silhouettes

The B features two bowls of different sizes while the 8 combines a small circle atop a larger oval.

Enhanced letterforms

This image highlights several enhancements: the j features an exaggerated tail, the I gains horizontal top and bottom bars, the i and l get serifs, and the ! increases spacing between its dot and vertical stroke.

Since these specific glyphs differ significantly between versions, here’s the monospace variant for comparison:

Key differences include:

The j and l gain longer feet and leftward serifs.
The I extends its horizontal bars.
The i adds a horizontal bottom and longer leftward serif.

Asymmetrical spurs and exaggerated descenders

The designers used two techniques to distinguish mirror image glyphs:

Asymmetrical spurs distinguish b and d—the d features a thicker spur that juts out more.
Exaggerated descenders separate p and q—the q extends out into a longer, sweeping tail.

Comparison to JetBrains Mono and Fira Code

How does Atkinson Hyperlegible Mono compare to established programming fonts like JetBrains Mono and Fira Code? While many monospace fonts target readability, direct comparison reveals Atkinson Hyperlegible Mono’s specific advantages.

This comparison focuses on legibility features rather than stylistic preferences or minor aesthetic differences.

Single homoglyphs comparison

These fonts appear nearly identical at first glance, requiring closer examination to spot the differences.

JetBrains Mono adds a serif to the 7 to distinguish it from the Z.
Fira Code uses a curved hook on the j and smaller curved serif on the l, distinguishing them within the jIil1! group.
Atkinson Hyperlegible Mono provides the strongest distinction between 8, B, 5, and S. The j and l feature asymmetrical serifs, while the 5 uses a diagonal rather than vertical downstroke.

Here the differences become more apparent.

JetBrains Mono struggles with 0, O, and Q similarity, though G and 6 maintain good distinction. y and v appear more similar than in other fonts.
Fira Code’s 0 and O distinguish themselves through a slash and width variation, but G and 6 appear similar.
Atkinson Hyperlegible Mono excels in this comparison. The Q features a distinctive middle line, while the 0 uses a reverse slash to avoid confusion with the null sign in math and the slashed O in Danish/Norwegian.

Mirror glyphs comparison

JetBrains Mono provides the least distinction, with d, b, q, and p appearing as true mirrors. The a and e also show similarity.
Fira Code provides subtle distinction between d, b, q, and p, though noticing the differences requires close examination. The g and p face the same way, and the g appears more ornate. a and e remain distinct.
Atkinson Hyperlegible Mono achieves the strongest distinction between d, b, q, and p through its asymmetrical design features. The a and e also maintain clear differentiation.

Programming symbols comparison

The programming symbols comparison reveals interesting trade-offs for Atkinson Hyperlegible Mono.

JetBrains Mono excels at distinguishing . from , and : from ;. Ditto for (), [], and {}.
Fira Code also handles (), [], and {} well.
Atkinson Hyperlegible Mono shows weaker [] and {} distinction.

' across JetBrains Mono, Fira Code, and Atkinson Hyperlegible Mono." />

JetBrains Mono maintains consistent horizontal length for + and =, but shortens - relative to those operators.
Fira Code uses uniform length for +, =, and -. - and _ share similar length. The /\ characters join together and render smaller compared to the other fonts.
Atkinson Hyperlegible Mono varies all operator lengths for distinction. The - and _ show great differentiation, while * reduces in size and ascends above + for clarity. The <> characters remain separate rather than joining.

Alphabet comparison

Installation and configuration

These instructions apply to Unix-like operating systems. In other words: Linux, Berkeley Software Distribution (BSD) derivatives, and other similar operating systems.

While the Braille Institute offers direct downloads, they require email registration and End User License Agreement (EULA) acceptance for an open source font. Open source repositories provide a better alternative.

Make sure you have git installed and available, then clone the googlefonts/atkinson-hyperlegible-next-mono repository on Github.

$ git clone https://github.com/googlefonts/atkinson-hyperlegible-next-mono

Create the ~/.local/share/fonts directory.

$ mkdir -p ~/.local/share/fonts

Install Atkinson Hyperlegible Mono in ~/.local/share/fonts.

$ cp ./atkinson-hyperlegible-next-mono/fonts/ttf/*.ttf ~/.local/share/fonts/

Build font information cache files.

$ fc-cache -fv

Configure Atkinson Hyperlegible Mono as your default monospace font system-wide and per application. The Arch Wiki’s font configuration guide covers system-wide setup. Terminal emulators and code editors typically set font through settings menus or configuration files.

Caveats

Some versions of Atkinson Hyperlegible Mono don’t include the backtick/grave symbol.
Applied Design Works specializes in branding rather than typeface design.
Max Kohler’s development notes indicate Applied Design Works focused primarily on readers with vision difficulties rather than readers with dyslexia, though they expect the accessibility features to benefit both groups.
The font’s commercial origins and the creators’ branding incentives may influence legibility claims.
Atkinson Hyperlegible Mono lacks programming ligature support.
Legibility claims lack peer-reviewed research support. While Atkinson Hyperlegible performed well in the Readability Group Survey, this measured preference rather than objective performance. Internal testing used vision simulation and reading metrics, but independent scientific validation remains absent.

Other resources

Pimp My Type offers reviews of both the original Atkinson Hyperlegible and Atkinson Hyperlegible Next, as well as font pairing guidance.
My bookmarks page contains links related to typography, legibility, and fonts.
Coding Font hosts a dedicated page for Atkinson Hyperlegible Mono. You can compare fonts side-by-side there.

A note on licensing

The Braille Institute and the designers they collaborated with released the Atkinson Hyperlegible fonts under the SIL Open Font License, version 1.1. The website links to a license that reserves “ATKINSON” and “HYPERLEGIBLE” as Reserved Font Names. Anyone that modifies the font must remove those words from the name and metadata. Subsetting counts as modification in many cases.

Since I subset these fonts for performance reasons, I named the derivative versions “Anthesis Legible Sans” and “Anthesis Legible Mono” to honor the license.

Gentoo one-liners for a rainy day

Wed, 04 Jun 2025 00:00:00 +0200

Gentoo one-liners for a rainy day

Published: June 4th, 2025

Updated: July 3rd, 2025

Prerequisites

Install the necessary Portage utilities and GNU Parallel:

emerge -av app-portage/portage-utils app-portage/gentoolkit sys-process/parallel

Finding packages with the most dependencies

Show which packages pull in the greatest number of dependencies:

qlist -CI | sort -u | parallel 'echo $(qdepends -CqqQ {} | wc -l) {}' | sort -n > pkgs_with_most_deps.txt

What each part does:

qlist -CI: lists all installed packages without color output in category/package format.
sort -u: sorts output and removes duplicate entries.
parallel: executes dependency counting through GNU Parallel for better performance.
qdepends -CqqQ {}: queries dependencies without color output, quietly.
wc -l: counts the dependency lines.
sort -n: sorts numerically by dependency count.

The output shows dependency count followed by package name, from packages with the least dependencies to greatest.

Finding the largest packages

Find which packages consume the most storage:

qlist -CI | sort -u | parallel qsize -C | awk '{print $NF,$1}' | cut -d ':' -f 1 | sort -h > biggest_pkgs.txt

Breaking this down:

qsize -C: reports package sizes in human-readable format without color output.
awk '{print $NF,$1}': reorders output to put size first, then package name.
cut -d ':' -f 1: removes trailing colon.
sort -h: sorts by human-readable numbers (handles K, M, G suffixes).

This arranges packages from smallest to largest.

Combining package size and dependency count

Merge dependency and size data in one file for analysis:

join -j 2 -o 1.1,2.1,0 <(sort -k2 pkgs_with_most_deps.txt) <(sort -k2 biggest_pkgs.txt) | sort -n | tr ' ' '	' > combined.txt

The join command joins lines of two files on a common field:

-j 2: join on field 2 (package names).
-o 1.1,2.1,0: output format (dependencies, size, package name).
<(sort -k2 ...): process substitution with secondary key sorting.
tr ' ' ' ': converts spaces to tabs for cleaner formatting.

Print packages without a package.env entry

Print packages not yet customized in /etc/portage/package.env:

comm -13 <(awk 'match($1, /^[a-zA-Z0-9_+-]+\/[a-zA-Z0-9_+-]+$/) {print $1}' /etc/portage/package.env/* | sort -u) <(qlist -CI | sort -u)

This comm usage compares sorted lists:

-13: shows only lines unique to installation.
awk 'match($1, /^[a-zA-Z0-9_+-]+\/[a-zA-Z0-9_+-]+$/)': extracts package in category/package format.

As above, but only larger packages

Focus on packages large enough to warrant optimization attention:

comm -13 <(awk 'match($1, /^[a-zA-Z0-9_+-]+\/[a-zA-Z0-9_+-]+$/) {print $1}' /etc/portage/package.env/* | sort -u) <(qlist -CI | sort -u) | grep -f - combined.txt | awk 'match($2, /^([0-9]{4}\.[0-9]K)|([0-9]+\.[0-9][MG])$/)' | sort -n

This adds size filtering:

grep -f -: uses the uncustomized package list as search patterns.
awk 'match($2, /^([0-9]{4}\.[0-9]K)|([0-9]+\.[0-9][MG])$/)': matches packages >=1000K.

Analyzing upgradeable packages

Find packages not yet customized in /etc/portage/package.env that already need an upgrade:

comm -13 <(awk 'match($1, /^[a-zA-Z0-9_+-]+\/[a-zA-Z0-9_+-]+$/) {print $1}' /etc/portage/package.env/* | sort -u) <(EIX_LIMIT=0 eix -u -# | sort -u)

EIX_LIMIT=0: removes eix output limits.
eix -u -#: lists upgradeable packages in category/package format.

Multi-column sorting

Use multiple sort keys for different analysis priorities:

sort -k1,1n -k2,2h combined.txt
sort -k2,2h -k1,1n combined.txt

The first command prioritizes dependency count, using size as a tiebreaker. The second makes size the primary criterion. The h and n refer to human-readable and numeric sorting.

Practical applications

These commands identify large packages that can be replaced with lightweight alternatives, which proves useful for several reasons:

Freeing up storage space.
Creating a more minimal system.

I used these commands to guide CFLAGS tweaking to better optimize Gentoo in a Virtual Machine (VM), since VMs have limited resources. I use a setup where video playback doesn’t benefit from hardware acceleration at the time of writing (Qubes OS). I wanted to see if this approach could make a difference.

I think I managed to gain a few Frames Per Second (FPS) from this, but I didn’t benchmark it beyond comparing frame timings in mpv. The gain was relatively minor (<=10fps).

These days I believe strongly in benchmarking and profiling, as they make a real difference. The gains from those techniques typically exceed the gains from CFLAGS tweaking.

OpenPGP Key Transition Statement

Sun, 06 Apr 2025 00:00:00 +0200

OpenPGP Key Transition Statement

Date: April 6, 2025

I am transitioning from my old GPG key to a new one. The old key will continue to be valid until its expiration date (August 8th, 2025). However, I’d prefer for all encrypted email correspondence to be encrypted to the new key, and will be making all signatures going forward with the new key.

This transition document is signed by both keys to validate the transition.

Key Details

Old Key

pub   ed25519/0x53670DEBCF375780 2021-07-14 [SC] [expires: 2025-08-08]
      Key fingerprint = 9096 5AE1 20F8 E848 979D  EA48 5367 0DEB CF37 5780

New Key

pub   ed25519/0xF1B59F496EE704B0 2025-04-02 [SC] [expires: 2026-04-04]
      Key fingerprint = 4A21 44F7 48E4 F5DC 17C5  E707 F1B5 9F49 6EE7 04B0

Verification Instructions

To fetch both my keys and the clear-signed transition document for verification:

Keys

# Get old key
$ curl -O https://www.anthes.is/pubkeys/eurydice.asc
$ gpg --import eurydice.asc

# Get new key
$ curl -O https://www.anthes.is/pubkeys/F1B59F496EE704B0.asc
$ gpg --import F1B59F496EE704B0.asc

Transition Document

# Get the transition statement document
$ curl -O https://www.anthes.is/gpg-transition-20250406.txt

Verification Steps

Check the full fingerprints against those listed in this document:

$ gpg --fingerprint 0x53670DEBCF375780
$ gpg --fingerprint 0xF1B59F496EE704B0

Verify that my old key is signed by my new key, and that the new key is signed by my old key:

$ gpg --check-sigs 0x53670DEBCF375780
$ gpg --check-sigs 0xF1B59F496EE704B0

Verify the transition document has been signed by both keys:

$ gpg --verify gpg-transition-20250406.txt

Linux/Unix internals: x86_64 CFLAGS/CXXFLAGS

Sun, 29 Dec 2024 00:00:00 +0100

Linux/Unix internals: x86_64 CFLAGS/CXXFLAGS

Published: December 29th, 2024

Updated: July 3rd, 2025

As I’ve used Gentoo, I’ve become curious about what kinds of interesting build flags other systems use to compile their binaries on a global level, as well as what configure-time flags they set on GNU Compiler Collection (GCC) and Clang. This article collects these flags for some distributions to make them easier for me to track down and compare in the future.

Because this is a rabbit hole, there are some things I won’t be doing in the interest of time. They’re listed in the Caveats section.

Some relevant documentation can be found in these places:

GCC flag docs
Clang flag docs
ld(1) (documents RELocation Read-Only (RELRO), BIND_NOW, etc)

Arch

According to this poster, the build flags can be found in the x86_64.conf file in the devtools package.

CFLAGS:

-march=x86-64
-mtune=generic
-O2
-pipe
-fno-plt
-fexceptions
-Wp,-D_FORTIFY_SOURCE=3
-Wformat
-Werror=format-security
-fstack-clash-protection
-fcf-protection
-fno-omit-frame-pointer
-mno-omit-leaf-frame-pointer

CXXFLAGS:

$CFLAGS
-Wp,-D_GLIBCXX_ASSERTIONS

LDFLAGS:

-Wl,-O1
-Wl,--sort-common
-Wl,--as-needed
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,pack-relative-relocs

LTOFLAGS:

-flto=auto

Here are the configure-time GCC flags for Arch.

Here are the configure-time Clang flags for Arch.

Here are the configure-time Low Level Virtual Machine (LLVM) flags for Arch.

Alpine

Alpine compiles packages using abuild. The default.conf file contains the compiler flags used for the distribution.

CFLAGS:

-Os
-fstack-clash-protection
-Wformat
-Werror=format-security

CXXFLAGS:

-Os
-fstack-clash-protection
-Wformat
-Werror=format-security
-D_GLIBCXX_ASSERTIONS=1
-D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS=1
-D_LIBCPP_ENABLE_HARDENED_MODE=1

LDFLAGS:

-Wl,--as-needed,-O1,--sort-common

GCC configuration for Alpine.

Clang configuration for Alpine.

LLVM configuration for Alpine.

This discussion has some interesting details.

Clear Linux

The performance section in the documentation lays everything out nicely.

For x86_64, here is what that looks like:

-O2
-g
-feliminate-unused-debug-types
-pipe
-Wall
-Wp,-D_FORTIFY_SOURCE=2
-fexceptions
-fstack-protector
--param=ssp-buffer-size=64
-Wformat
-Wformat-security
-Wl,-z,now,-z,relro,-z,max-page-size=0x4000,-z,separate-code
-Wno-error
-ftree-vectorize
-ftree-slp-vectorize
-Wl,--enable-new-dtags
-Wl,--build-id=sha1
-ftrivial-auto-var-init=zero
-mrelax-cmpxchg-loop
-m64
-march=westmere
-mtune=skylake-avx512
-fasynchronous-unwind-tables
-Wp,-D_REENTRANT

The configuration contains some interesting flags. Two flags in particular I find noteworthy: -ftrivial-auto-var-init=zero and -mrelax-cmpxchg-loop.

-ftrivial-auto-var-init is a security-related flag. I’ve heard that both ChromiumOS and Android use that flag in some form. Gentoo may add it to their hardened builds, at least this open bug suggests so.

-mrelax-cmpxchg-loop relaxes spin loops in certain conditions, benefiting thread synchronization. Here is the GCC bug where it’s discussed. Intel discusses it here.

The question of compiler configure-time flags for Clear Linux gets complicated, because they have separate GCC builds for Advanced Vector Extensions 2 (AVX2) and Advanced Vector Extensions 512 (AVX512) Here are the configure-time flags for the main GCC build.

Similar situation for Clang. Here are the Clear Linux configuration-time flags for Clang/LLVM.

I’m breaking a rule I made for myself a little bit (no per-package CFLAGS/CXXFLAGS reviewing) to discuss some interesting tweaks Clear Linux does. autospec is at the heart of this. A couple of interesting things about autospec and the packages in clearlinux-pkgs:

On x86_64, it enables -fzero-call-used-regs=used on security-sensitive packages. I found this due to Seirdy’s note on the subject.
On packages where the funroll-loops option is set (no doubt a reference/inside joke), -O3 gets added if use_clang was also set. Otherwise, -fno-semantic-interposition and -falign-functions=32 get added.

There’s a lot to learn from this distribution.

Debian

dpkg-buildflags is a Perl script, provided by the dpkg-dev package. A lot of the heavy lifting gets done by the libraries sourced by the script, which live in /usr/share/perl5/Dpkg. Those libraries come from the libdpkg-perl package (a dependency of dpkg-dev).

Debian 12 (Bookworm).

$ dpkg-buildflags --query
Vendor: Debian
Environment:

Area: future
Features:
 lfs=no
Builtins:

Area: hardening
Features:
 bindnow=no
 format=yes
 fortify=yes
 pie=yes
 relro=yes
 stackprotector=yes
 stackprotectorstrong=yes
Builtins:
 pie=yes

Area: optimize
Features:
 lto=no
Builtins:

Area: qa
Features:
 bug=no
 canary=no
Builtins:

Area: reproducible
Features:
 fixdebugpath=yes
 fixfilepath=yes
 timeless=yes
Builtins:

Area: sanitize
Features:
 address=no
 leak=no
 thread=no
 undefined=no
Builtins:

Flag: ASFLAGS
Value:
Origin: vendor

Flag: CFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong -Wformat -Werror=format-security
Origin: vendor

Flag: CPPFLAGS
Value: -Wdate-time -D_FORTIFY_SOURCE=2
Origin: vendor

Flag: CXXFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong -Wformat -Werror=format-security
Origin: vendor

Flag: DFLAGS
Value: -frelease
Origin: vendor

Flag: FCFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong
Origin: vendor

Flag: FFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong
Origin: vendor

Flag: GCJFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong
Origin: vendor

Flag: LDFLAGS
Value: -Wl,-z,relro
Origin: vendor

Flag: OBJCFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong -Wformat -Werror=format-security
Origin: vendor

Flag: OBJCXXFLAGS
Value: -g -O2 -ffile-prefix-map=/home/user=. -fstack-protector-strong -Wformat -Werror=format-security
Origin: vendor

Debian’s GCC configure-time flags can be found in this file, stored in the CONFARGS variable.

Debian’s Clang/LLVM configure-time flags.

Fedora

Obtained via Red Hat Package Manager (RPM) macros.

Build flags docs here.

These commands were run in a Fedora 40 virtual machine.

$ rpm --eval "%{optflags}" | tr ' ' '
' | grep -v '^$'
-O2
-flto=auto
-ffat-lto-objects
-fexceptions
-g
-grecord-gcc-switches
-pipe
-Wall
-Wno-complain-wrong-lang
-Werror=format-security
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3
-Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
-m64
-march=x86-64
-mtune=generic
-fasynchronous-unwind-tables
-fstack-clash-protection
-fcf-protection
-fno-omit-frame-pointer
-mno-omit-leaf-frame-pointer

$ rpm --eval "%{build_ldflags}" | tr ' ' '
' | grep -v '^$'
-Wl,-z,relro
-Wl,--as-needed
-Wl,-z,pack-relative-relocs
-Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
-Wl,--build-id=sha1

Fedora’s GCC configure-time flags.

Fedora’s Clang configure-time flags.

Gentoo

/etc/portage/make.conf. But additional flags get set implicitly as well. The settings depend on things like what USE flags get set, as an example.

The build flags mainly live in toolchain.eclass. Gentoo’s configure-time flags for GCC live in toolchain.eclass as well.

The referenced patches can be found here.

Current GCC.

Current Clang.

Current LLVM.

The hardened toolchain changes table in Project:Toolchain is worth mentioning as well.

While on the subject of Gentoo, ChromiumOS is interesting to think about. ChromiumOS is the open source base for ChromeOS on Chromebooks. It uses Portage, Gentoo’s package management system. I haven’t looked into it enough to offer insightful commentary on it—I’d have to sift through a lot of code to talk about it halfway intelligently.

NixOS

I’m presuming something here: that NixOS doesn’t add CFLAGS/CXXFLAGS beyond what nixpkgs does. I don’t see why it would, after all, but I felt it was important to note that all the same.

Hardening flags get mentioned here.

Here are the ones used by default at the time of writing (I verified this by copying the .nix file from this guide and setting NIX_DEBUG = 2; in the pkgs.stdenv.mkDerivation section, then built the package):

-fPIC
-Wformat
-Wformat-security
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-O2
-D_FORTIFY_SOURCE=2
-fno-strict-overflow
-Wl,-z,relro
-Wl,-z,now

If -fzero-call-used-regs=used-gpr gets used, it wasn’t printed during the test build.

GCC nixpkg.

Clang nixpkg.

LLVM nixpkg.

OpenBSD

Local changes to their integrated (and old) version of GCC get described in gcc-local. The same applies to clang-local, although it’s a current version.

OpenBSD’s GCC port and OpenBSD’s LLVM port.

Here is the source code for OpenBSD’s version of LLVM/Clang. Same for GCC.

OpenSUSE

Line 3581 here should list the options. OpenSUSE:Factory is what they use to build Tumbleweed packages.

-O2
-Wall
-U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=3
-fstack-protector-strong
-funwind-tables
-fasynchronous-unwind-tables
-fstack-clash-protection
-Werror=return-type
%%{?_lto_cflags}

There is a dummy package for GCC here, and ditto for clang/llvm. At the time of writing, the relevant versions are 14 and 19, respectively.

So, OpenSUSE’s GCC configure-time flags can be found here. Starts on line 2510.

OpenSUSE’s Clang configure-time flags can be found here. Starts on line 1092.

Solus

These flags come from this GitHub issue. From what I can tell, the flags get set by ypkg. Specifically, ypkgcontext.py.

To get the latest flags, I guess one would have to figure out how to get ypkg (or some other piece of the Solus build system) to output them somehow. I haven’t done so, but it certainly seems possible.

CFLAGS:

-mtune=generic
-march=x86-64
-g2
-O2
-pipe
-fno-plt
-fPIC
-Wformat
-Wformat-security
-D_FORTIFY_SOURCE=2
-fstack-protector-strong
--param=ssp-buffer-size=32
-fasynchronous-unwind-tables
-ftree-vectorize
-feliminate-unused-debug-types
-Wall
-Wno-error
-Wp,-D_REENTRANT

CXXFLAGS:

-mtune=generic
-march=x86-64
-g2
-O2
-pipe
-fno-plt
-fPIC
-D_FORTIFY_SOURCE=2
-fstack-protector-strong
--param=ssp-buffer-size=32
-fasynchronous-unwind-tables
-ftree-vectorize
-feliminate-unused-debug-types
-Wall
-Wno-error
-Wp,-D_REENTRANT

LDFLAGS:

-Wl,--copy-dt-needed-entries
-Wl,-O1
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,max-page-size=0x1000
-Wl,-Bsymbolic-functions
-Wl,--sort-common

Solus’ GCC configure-time flags can be found here.

Solus’ Clang/LLVM configure-time flags can be found here.

Ubuntu

Retrieved the same way as Debian. Ubuntu 24.10 (oracular).

$ dpkg-buildflags --query
Vendor: Ubuntu
Environment:

Area: abi
Features:
 lfs=no
 time64=yes
Builtins:
 lfs=yes
 time64=yes

Area: future
Features:
 lfs=no
Builtins:

Area: hardening
Features:
 bindnow=no
 branch=yes
 format=yes
 fortify=yes
 pie=yes
 relro=yes
 stackclash=yes
 stackprotector=yes
 stackprotectorstrong=yes
Builtins:
 pie=yes

Area: optimize
Features:
 lto=yes
Builtins:

Area: qa
Features:
 bug=no
 bug-implicit-func=yes
 canary=no
 elfpackagemetadata=no
 framepointer=yes
Builtins:

Area: reproducible
Features:
 fixdebugpath=yes
 fixfilepath=yes
 timeless=yes
Builtins:

Area: sanitize
Features:
 address=no
 leak=no
 thread=no
 undefined=no
Builtins:

Flag: ASFLAGS
Value:
Origin: vendor

Flag: ASFLAGS_FOR_BUILD
Value:
Origin: vendor

Flag: CFLAGS
Value: -g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: CFLAGS_FOR_BUILD
Value: -g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: CPPFLAGS
Value: -Wdate-time -D_FORTIFY_SOURCE=3
Origin: vendor

Flag: CPPFLAGS_FOR_BUILD
Value: -Wdate-time -D_FORTIFY_SOURCE=3
Origin: vendor

Flag: CXXFLAGS
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: CXXFLAGS_FOR_BUILD
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: DFLAGS
Value: -frelease
Origin: vendor

Flag: DFLAGS_FOR_BUILD
Value: -frelease
Origin: vendor

Flag: FCFLAGS
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -fcf-protection
Origin: vendor

Flag: FCFLAGS_FOR_BUILD
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -fcf-protection
Origin: vendor

Flag: FFLAGS
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -fcf-protection
Origin: vendor

Flag: FFLAGS_FOR_BUILD
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -fcf-protection
Origin: vendor

Flag: LDFLAGS
Value: -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro
Origin: vendor

Flag: LDFLAGS_FOR_BUILD
Value: -flto=auto -ffat-lto-objects -Wl,-z,relro
Origin: vendor

Flag: OBJCFLAGS
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: OBJCFLAGS_FOR_BUILD
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: OBJCXXFLAGS
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: OBJCXXFLAGS_FOR_BUILD
Value: -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
Origin: vendor

Flag: RUSTFLAGS
Value: -Cforce-frame-pointers=yes
Origin: vendor

Flag: RUSTFLAGS_FOR_BUILD
Value:
Origin: vendor

Ubuntu Oracular GCC version appears to be 14. Here is the relevant Ubuntu GCC file that I figured that out from. Ditto for Clang/LLVM, which appears to be 19.

Ubuntu’s GCC configure-time flags begin here.

Ubuntu’s LLVM configure-time flags can be found here.

Void

I found these by reasoning out what these files in the void-packages repo set:

CFLAGS:

-mtune=generic
-O2
-pipe
-fstack-clash-protection
-D_FORTIFY_SOURCE=2

CXXFLAGS:

-mtune=generic
-O2
-pipe
-fstack-clash-protection
-D_FORTIFY_SOURCE=2

LDFLAGS:

-Wl,--as-needed
-Wl,-z,relro
-Wl,-z,now

Void’s GCC configure-time flags can be found here.

Void’s Clang configure-time flags can be found here. The main version of clang used by the distro can be found in the llvm package template.

Caveats

Here are things I haven’t done, and why I haven’t done them.

Reviewing each patch for gcc/clang for compilation flags. I had a look at their configure-time flags, but reviewing patches takes more time than I want to invest at the moment.
Reviewing the configuration and patches of things other than the compiler that influence binary execution, such as binutils, libc, etc. These aren’t really compilation flags, although still interesting. I guess I do make an exception for LDFLAGS.
Reviewing the configuration of every supported compiler. I’m only doing GCC and Clang. I won’t include their configure-time flags inline, but I’ll link to where they can be found (since the configuration of the compiler often ties closely to build flags).
Comparing each architecture per distribution to find architecture specific flags. I’m only doing x86_64 for now.
Covering every single distribution. Generally speaking, outside of large forks like Ubuntu, I’m interested in independent distributions rather than forks. Mainly because I have a feeling this is where the most difference is likely to be observed.
Covering build flags for every compiled language (Rust, Go, etc). These are indeed interesting, but my focus is on C/C++, specifically CFLAGS and CXXFLAGS.

My approach favored coverage, not extreme precision. I gathered compilation flags that I could find in a configuration file (the equivalent of /etc/portage/make.conf for other distributions), through some light source code reading, or by executing some utility. I had to limit myself in some ways because otherwise it was unlikely that I’d release this article anytime soon.

Please don’t take what I’ve written here as gospel. Something being absent doesn’t necessarily prove anything, as the distribution may have enabled it in a place that I didn’t look. However, something being present and reflected in the linked source code does prove that a distribution uses it in that context, or at least used it at the time of writing.

Areas for improvement

Including more distributions and systems. There are a lot of them to consider and some of them would be a pain to gather flags for (lots of source code review).
Investigating ChromiumOS and Android in particular.
Looking more into areas mentioned in the Caveats section (reviewing patches, other toolchain components, etc).
Many others I haven’t thought of.

Other resources

Compiler Options Hardening Guide for C and C++
compiler-flags-distro: usage of enabled-by-default hardening-related compiler flags across Linux distributions.

Encrypted headless Raspberry Pi running Gentoo

Sat, 06 Jul 2024 00:00:00 +0200

Encrypted headless Raspberry Pi running Gentoo

Published: July 6th, 2024

Last updated: July 3rd, 2025

Setting up Gentoo on a Raspberry Pi 4B with full disk encryption took me about a week, but I’m happy with the result and learned several things along the way. I want to share my findings so others don’t have to spend as much time figuring this out.

Note that this provides a rough outline, not a step-by-step guide for installing Gentoo.

What my setup involves

Here are the components my setup uses:

Raspberry Pi 4 Model B, Revision 1.2
Universal Serial Bus (USB) to Universal Asynchronous Receiver/Transmitter (UART) serial cable
Argon One M.2 case
Non-Volatile Memory Express (NVMe) Solid State Drive (SSD)
Micro Secure Digital (microSD) card

I could have used a monitor and keyboard instead of a serial connection. This would have been easier overall. Since I planned to use the Raspberry Pi headlessly, I wanted to learn how to set it up without a keyboard and monitor.

Covering the microSD card installation

I mainly followed Gentoo’s official Raspberry Pi Install Guide and Raspberry Pi4 64 Bit Install to get an initial Gentoo installation on a microSD card. I want to discuss some difficulties I encountered during this process.

The most challenging parts of the installation were getting wireless networking and the serial console working. I’ll cover each separately.

Wireless networking

Getting wireless networking functional required handling a couple of tasks correctly:

Download the firmware, place it in the appropriate locations, and create symbolic links. The Gentoo wiki covers this process. I found that referencing the Raspberry Pi Operating System (OS) directory listing for /usr/lib/firmware/brcm/ helped me understand the symbolic link naming scheme.

Here’s what a working /usr/lib/firmware/brcm/ looks like for me (though note that I haven’t tested bluetooth):

$ ls -lh /usr/lib/firmware/brcm/
total 704K
-rw-r--r-- 1 root root  63K Jun 24 12:07 BCM4345C0.hcd
lrwxrwxrwx 1 root root   13 Jun 24 12:07 BCM4345C0.raspberrypi,4-model-b.hcd -> BCM4345C0.hcd
-rw-r--r-- 1 root root 629K Jun 24 12:04 brcmfmac43455-sdio.bin
-rw-r--r-- 1 root root 2.7K Jun 24 12:05 brcmfmac43455-sdio.clm_blob
lrwxrwxrwx 1 root root   22 Jun 24 12:06 brcmfmac43455-sdio.raspberrypi,4-model-b.bin -> brcmfmac43455-sdio.bin
lrwxrwxrwx 1 root root   27 Jun 24 12:06 brcmfmac43455-sdio.raspberrypi,4-model-b.clm_blob -> brcmfmac43455-sdio.clm_blob
lrwxrwxrwx 1 root root   22 Jun 24 12:06 brcmfmac43455-sdio.raspberrypi,4-model-b.txt -> brcmfmac43455-sdio.txt
-rw-r--r-- 1 root root 2.1K Jun 24 12:05 brcmfmac43455-sdio.txt

Install networking software like net-misc/dhcpcd and net-misc/wpa_supplicant, then configure the software as needed. The Gentoo handbook documents these steps.

Despite the second step appearing straightforward, I encountered an issue. How do I install networking tools when I need those same tools to configure networking?

For many people, the easiest solution would be plugging in an Ethernet cable and installing packages that way. I also read that downloading the distfiles and copying them over manually works, since in theory, emerge won’t need to download anything.

I already knew that I wouldn’t have Ethernet access, so I tried the distfiles method and received this error:

root@nasberry /etc/portage # emerge --ask net-misc/dhcpcd net-wireless/wpa_supplicant

!!! /etc/portage/make.profile is not a symlink and will probably prevent most merges.
!!! It should point into a profile within /var/db/repos/gentoo/profiles/
!!! (You can safely ignore this message when syncing. It's harmless.)


!!! Your current profile is invalid. If you have just changed your profile
!!! configuration, you should revert back to the previous configuration.
!!! Allowed actions are limited to --help, --info, --search, --sync, and
!!! --version.

After investigating further, I realized that /var/db/repos/gentoo didn’t exist. I would need to run emerge-webrsync to get it, which requires networking.

What worked for me was to plug the microSD card into a USB adapter, mount the root filesystem on my laptop, create a Quick Emulator (QEMU) chroot, and then compile the software I needed inside the chroot using my laptop’s networking.

Serial console

To get the serial console working, I completed these steps:

I ensured that enable_uart=1 appeared in /boot/config.txt. I found this in the Raspberry Pi documentation for config.txt.
I added console=tty console=serial0,115200 to /boot/cmdline.txt. cmdline.txt documentation is available here.

Note that the order matters because whichever console= entry appears last becomes the destination for /dev/console. I discovered this because mine were in the wrong order and the Linux Unified Key Setup (LUKS) decryption prompt, as well as OpenRC output, never appeared on my serial console.

More information is available at the kernel.org documentation for the serial console.
For early console support, I added earlycon=uart8250,mmio32,0xfe215040 to /boot/cmdline.txt.

To get a tty, I uncommented the line in /etc/inittab that points to the /dev/ttyS0 device.

# SERIAL CONSOLES
s0:12345:respawn:/sbin/agetty -L 115200 ttyS0 vt100
#s1:12345:respawn:/sbin/agetty -L 115200 ttyS1 vt100

Summarizing the rest

At this point, I had a fully functioning Gentoo installation with wireless networking and serial console access on the microSD card. The next challenge was transferring the root filesystem to an encrypted SSD and getting it working.

The approach I used involves having the Raspberry Pi 4B read firmware files and everything else needed to boot from the unencrypted Extensible Firmware Interface (EFI) partition on the microSD card. /boot/config.txt and /boot/cmdline.txt contain configuration entries and parameters relevant to the boot process.

Preparing the disk

I securely wiped the disk by overwriting the SSD with random data to hinder cryptanalysis and performed a memory cell clearing (also known as “secure erase”).

After that, I created a LUKS volume with Logical Volume Manager (LVM) inside it on the SSD. Then I created filesystems on the logical volumes.

Ensuring kernel support

I ensured that the kernel included support for relevant technologies. In my case, this included LVM, dm-crypt, and X File System (XFS), as the system needs these during the boot process.

You can choose between sys-kernel/raspberrypi-sources and sys-kernel/gentoo-sources. I can confirm that both work, although I started with sys-kernel/raspberrypi-sources first. sys-kernel/gentoo-sources lacks some features like device tree overlay support, but it works for my use case.

Other kernels like the distribution kernel could work, but I haven’t tested them.

Compiling the Raspberry Pi foundation kernel and installing it

I followed instructions from the Linux kernel section of the Raspberry Pi docs, adjusting where necessary:

Create a backup of the previous kernel image if present.

# cp /boot/kernel8.img /boot/kernel8.img.bak

Change directory to kernel sources.

# cd /usr/src/linux

Build the kernel. The Raspberry Pi docs recommend setting make jobs to 1.5x the number of processors.

# make -j6 Image.gz modules dtbs

Install the kernel modules. Complete this step before generating the initramfs, since the initramfs uses the modules created from this step.

# make -j6 modules_install

Run make install to generate the initramfs since you’ll need it to decrypt and mount the root filesystem. -j6 doesn’t seem to provide any benefit here.

# make install

Copy necessary files to the correct locations.

# cp arch/arm64/boot/Image.gz /boot/kernel8.img
# cp arch/arm64/boot/dts/broadcom/*.dtb /boot/
# cp arch/arm64/boot/dts/overlays/*.dtb* /boot/overlays/
# cp arch/arm64/boot/dts/overlays/README /boot/overlays/

Editing configuration files

Update /etc/fstab to include the NVMe disk instead of the SD card.

#/dev/mmcblk0p3 /   ext4    defaults    0   0
/dev/gentoolvm/root /   xfs defaults    0   1

Update /boot/config.txt. The system will automatically select kernel8.img as the default kernel, but you need to add the initramfs.

initramfs initramfs-6.6.31_p20240529-raspberrypi-v8.img followkernel

Update /boot/cmdline.txt so it provides information about the root filesystem location (root=UUID=...), which LUKS volume to decrypt (rd.luks.uuid=...), and which LVM volume group to activate (rd.lvm.vg=gentoolvm). You can find UUIDs with blkid.

root=UUID=... rd.luks.uuid=... rd.lvm.vg=gentoolvm

Copying the filesystem contents over

I created a full system backup of the Raspberry Pi’s microSD card with bsdtar.

# bsdtar \
    --acls \
    --xattrs \
    --zstd \
    --exclude='/dev/*' \
    --exclude='/proc/*' \
    --exclude='/sys/*' \
    --exclude='/tmp/*' \
    --exclude='/run/*' \
    --exclude='/mnt/*' \
    --exclude='/media/*' \
    --exclude='/lost+found/' \
    -cvaf /home/user/backup.tar.zst \
    /

Then I unpacked it onto the SSD. I had decrypted the LUKS partition and mounted the filesystems at /mnt.

# cd /mnt
# bsdtar --acls --xattrs -xvpf /home/user/backup.tar.zst

After rebooting, the system presented the decryption prompt and I could boot successfully.

Switching to gentoo-sources

The Raspberry Pi foundation kernel lacks security support from Gentoo, so I wanted to switch to sys-kernel/gentoo-sources. This process is straightforward.

Change directory to the new kernel sources.

$ cd /usr/src/linux-6.6.30-gentoo

Copy the working config over.

# cp /usr/src/linux-6.6.31_p20240529-raspberrypi/.config .

Update the current kernel configuration so it works with this kernel.

# make oldconfig

Follow the previous process to build the kernel, except skip copying the overlay files since sys-kernel/gentoo-sources doesn’t create them. Once complete, update /boot/config.txt so it points to the correct initramfs file.

Another step I had to complete was updating /boot/cmdline.txt to include 8250.nr_uarts=1, otherwise the serial console fails to initialize.

Conclusion and thoughts

This setup won’t prevent a determined adversary from removing the microSD card and tampering with anything on the boot partition (the kernel, the initramfs, or the firmware). It also doesn’t prevent hardware-level attacks. If an attacker leverages these, they can obtain the encryption password entered on boot.

Still, the encryption protects the data when the Raspberry Pi is powered off. This setup raises the difficulty level for data recovery, but it doesn’t account for sophisticated attacks like this.

If those types of attacks ever became part of my threat model, I would look into Secure Boot on the Raspberry Pi.

How to find the best software for you

Wed, 14 Feb 2024 00:00:00 +0100

How to find the best software for you

Published: February 14th, 2024

Last updated: July 4th, 2025

With software, there can be so many choices that figuring out where to start is less easy than it could be, let alone deciding which project fits your needs best. In my experience, finding good quality software usually involves taking a moment to ask the right questions and look in the right places.

One important thing to remember: don’t let perfect get in the way of good enough. The best software for you is whatever helps you achieve your goals while meeting your requirements.

Also, note that I rarely go through this formal of a process. Think of it as a collection of ideas that I wanted to organize.

What’s your use case for the software?

Plenty of software exists. But whether that software is useful to you depends on if it matches your specific use case. Here’s a list of questions that can help determine exactly what you need.

Questions to determine your software use case

What problem does the software solve? If it replaces a prior solution, what about the previous approach didn’t work and what needs to be different this time? Understanding these things provides the foundation for everything else. At its core, choosing software involves finding what solves a problem you have.
Can you break that problem into smaller ones so that specialized tools can handle each part? Sometimes you may not need another application and can handle it with programs you already have, especially if you’re good at shell scripting.
Who are the target users and what do they require? Consider their accessibility requirements and whether the program fulfills those. User Interface (UI) and User Experience (UX) considerations most likely fall under this category as well.
What capabilities do you need? Let’s say you have a list of web pages and need to take a screenshot of each one. A utility that only checks if those websites remain online may prove useful for other reasons, but it won’t handle everything you need on its own. You might also need features related to tool integration, like the ability to work with certain data formats, databases, Application Programming Interfaces (APIs), or other common data exchange systems.
What capabilities aren’t needed? The simpler a piece of software, the fewer places exist in the code for bugs. Perhaps you’re thinking of creating a blog written in Markdown, one that doesn’t need dynamic elements like JavaScript or PHP. With this in mind, you could rule out content management systems and start looking at static site generators or Markdown to HyperText Markup Language (HTML) converters instead.
What operating systems and/or environments must the software support? Software proves more useful when you can actually install and run it. On that note, you can often deploy programs in a container or virtual machine if needed. Or you can try porting it yourself.
What are your privacy and security requirements? To give a meaningful answer, you need to know your threat model first. There’s little sense in assuming that something provides privacy or security without a threat model, since it remains unknown what it protects from or what stays private from whom. Thinking about these things helps you protect your assets and could save you some headaches.
Do you have any preferences or requirements when it comes to software licensing, source code availability, and similar factors? Here are some examples where the differences between open source licenses in particular matter:
- Perhaps you need to incorporate some open source code into proprietary software, or maybe you favor ease of adoption. In this case, something with a permissive license could work well. Massachusetts Institute of Technology (MIT), Berkeley Software Distribution (BSD), and Internet Systems Consortium (ISC) all fall under the permissive license category.
- If you feel strongly that source code, including any derivative works, should always remain open to all, then you may want to consider a copyleft license. GNU General Public License (GPL), Affero General Public License (AGPL), and Mozilla Public License (MPL) all fall under the copyleft license category.
What other constraints do you have? These can include factors like performance, scalability, user support, compliance with standards and regulations, and so on. Knowing these things helps you focus on the options that will most likely work for you.

What are some methods to find software?

Now that you have a better idea of what you need, you can start searching for software. Remember to verify that a given resource deserves your trust before following any instructions or taking any advice.

Searching websites or applications that provide or index software. This offers the most direct option. However, sometimes it can take some digging to figure out how to find things. Browsing topics or “awesome lists” on a place like GitHub can provide some insight into what’s available.
Reading discussions (think forums, chat rooms, and mailing lists, to name a few), wikis, blogs, or other written resources. You can get some good ideas by visiting these places and skimming through them.
Consulting other forms of media such as videos. These tend to take more time, or at least they do for me. However, they remain valuable and can lead to some good finds.
Prompting Large Language Models (LLMs) to brainstorm ideas with you, make suggestions, and explain concepts. Remember to stay somewhat skeptical and fact-check the output to verify legitimacy. Still, Artificial Intelligence (AI) shows promise despite its current limitations.
Asking knowledgeable people what they use, how they found it, and why they chose it over the alternatives. You’ll likely get a better response from people if you ask good questions and show them that you value their time; in other words, it should be evident that you’ve already done some research, such as using a search engine and consulting other publicly available resources.

What are some ways to compare software projects?

Once you’ve found some software through trustworthy means that fits your use case, another question arises: how do you decide between them?

Certain positive signals can indicate that a project deserves consideration. The signals themselves don’t offer any guarantee of code quality; only examining the code itself can provide that. Even so, these have been good heuristics (rules of thumb) to follow for me because many of them correlate with code quality.

Though if you have time, motivation, and skill, reading through the source code remains a good idea.

How to review open source repositories

Here are some things to examine when reviewing open source projects. Some of these will depend on the frontend (GitHub, GitLab, etc).

Check the license and README, ensuring that everything there fits with your goals and use case.
Check what programming languages the project uses. Can you fix or extend software written in those languages? Do you prefer something about the programming language used for one project more than the language used by another?
Does a security policy exist? If so, what does it say? Vulnerability disclosure programs, bug bounties, and regular audits are good signals.
Do they incorporate best practices and standards in the industry?
- Tests
- Linters
- Static analysis tools
- Continuous Integration and Continuous Delivery (CI/CD)
- Conventional commits
- Semantic versioning
When did the project first start? Repositories that have remained active for a while may be more likely to stick around.
What different types of activity occur and how recently have they happened? These show whether a project receives active maintenance, which often means quicker resolution of bugs and vulnerabilities. Remember that the simpler the code, the less maintenance it probably needs.
- When did the last commit occur?
- How frequently does this repository get new commits?
- When did the last release happen?
- How frequently do new releases appear?
- What other kinds of activity happened in the past month?
Indicators of popularity, such as the number of stars and forks. But exercise caution with these. People have been able to buy fake stars and forks in various places for a while now.
- One idea: glance at the forks and see if any of them show significant activity. Look at the accounts responsible for the more popular forks and check for things that are more difficult to fake, like merged pull requests in reputable repositories that they don’t own.
The number of people that contribute regularly. Bus factor deserves consideration—how many people would have to get hit by a bus for the entire thing to stall indefinitely? Does that represent an acceptable level of risk for something you may use consistently? Are you willing to maintain it yourself if the project goes dormant?
Open and closed issues. Observe the ratio between them and apply various filters, combining them if it seems interesting. The manner in which maintainers resolve problems can speak volumes about the level of care they put into the software.
- Sort by number of comments, from greatest to least. These are significant to the community in some way. The same goes for sorting by reactions.
- Sort by update time, from most recent to least, as a way of gleaning where people’s attention goes.
- Any issues with interesting labels, especially those related to security. Closed issues with a label like “wontfix” or “invalid” can also be illuminating.
- Issues opened by important people, like the repository author.
- Pinned issues.
Pull requests. Ideally, some degree of scrutiny exists, and yet also a willingness to accept good contributions. You can use many of the same sorting and filtering options as before.
- Closed pull requests, both merged and unmerged.
- Open pull requests that link to issues (you can do this the other way around, too).
- Do procedures exist that contributors need to follow? Do multiple people review pull requests before merge? Both are good signals.
The documentation. READMEs, manuals, official wikis and blogs, release notes, etc.
- How much effort went into the documentation? You could look at commits and pull requests related to this, but you can also determine this by feel.
- Does the documentation stay up to date? Does it make sense to you?
How many external dependencies does the project pull in? These represent unknowns that you implicitly trust when you use the software. Dependencies aren’t inherently good or bad. They just provide another data point to consider.

Other things to review and ask

See if you can find the project on a website that lists publicly disclosed vulnerabilities. What vulnerabilities have appeared before and do any patterns exist? For instance: does the same class of vulnerability keep cropping up? Do vulnerabilities typically prove severe with low exploit complexity?
Have security researchers performed audits, and do they happen on a consistent basis? What were the results? What did the security researchers think of the product’s design?
How have the developers handled vulnerabilities in the past? Have they maintained transparency with their users when it comes to security issues?
Do the developers cryptographically sign their releases and/or commits?
Can you install the software through your system’s package manager?
Do some research and find other places that mention the software, especially community-oriented ones that the creators don’t own or moderate. What do other people say about it?
If there’s a company behind the software, what are the public’s impressions of that company? Do signs exist that the company cares about its users and the quality of its product? Where does their money come from and where does it go?
Look through any important documents, like terms of service and privacy policy. Does anything interesting or out of place appear there?
If there’s a dedicated website, did they put it together in a logical, effective fashion?
Does the software use a memory-safe programming language?
You can run the software in a virtual machine you don’t use for anything else and study its behavior.

domain-sift: extract and format domains

Mon, 04 Sep 2023 00:00:00 +0200

domain-sift: extract and format domains

Last updated: July 8th, 2025

domain-sift is a Perl script that extracts unique domains from at least one provided file and prints them to standard output in a given format. If you don’t provide a file, domain-sift reads from Standard Input (STDIN) instead.

One use of this utility: extract domains from blocklists that contain known malicious or otherwise undesirable domains, then format them so that a Domain Name System (DNS) resolver can block those domains.

Project structure

|-- Changes
|-- LICENSE
|-- MANIFEST
|-- Makefile.PL
|-- README.md
|-- bin
|   `-- domain-sift
|-- lib
|   `-- Domain
|       |-- Sift
|       |   |-- Manipulate.pm
|       |   `-- Match.pm
|       `-- Sift.pm
`-- t
    |-- 00-load.t
    |-- Domain-Sift-Manipulate.t
    |-- Domain-Sift-Match.t
    |-- manifest.t
    |-- pod-coverage.t
    `-- pod.t

Installation

To install domain-sift, download the most recent release and run the following commands inside the source directory. Note that domain-sift requires Perl 5.36 or later, since subroutine signatures are no longer experimental in that release.

$ perl Makefile.PL
$ make
$ make test
# make install

Documentation

After installation, you can read the documentation with perldoc. man often works as well.

$ perldoc Domain::Sift
$ perldoc Domain::Sift::Match
$ perldoc Domain::Sift::Manipulate
$ perldoc domain-sift

domain-sift and unwind

Here’s how to use domain-sift with unwind(8) on OpenBSD.

Get domains from your blocklist source:

$ domain-sift /path/to/blocklist_source > blocklist

Move your blocklist to /etc/blocklist:

# mv blocklist /etc/blocklist

Edit your unwind.conf to include your new blocklist:

block list "/etc/blocklist"

Restart unwind:

# rcctl restart unwind

domain-sift and Unbound

Here’s how to use domain-sift with unbound(8) on OpenBSD.

Get domains from your blocklist source:

$ domain-sift -f unbound /path/to/blocklist_source > blocklist

Move the blocklist to /var/unbound/etc.

# mv blocklist /var/unbound/etc/blocklist

Edit your unbound.conf to include your new blocklist:

include: "/var/unbound/etc/blocklist"

Restart Unbound.

# rcctl restart unbound

domain-sift and Unbound (RPZ)

domain-sift also supports the Response Policy Zone (RPZ) format. This Internet Draft defines the RPZ format.

With RPZ, you can create DNS blocking policies in a standardized way. You can even block wildcarded domains (*.example.com also blocks subdomain.example.com, subdomain.subdomain.example.com, and so on).

Here’s how to use domain-sift with Unbound and RPZ on OpenBSD.

Get domains from your blocklist source:

$ domain-sift -f rpz /path/to/blocklist_source > blocklist

Edit your unbound.conf:

rpz:
  name: rpz.home.arpa
  zonefile: /var/unbound/etc/rpz-block.zone
  #rpz-log: yes
  rpz-signal-nxdomain-ra: yes

NOTE: rpz.home.arpa serves as an example. The name entry may be different in your case. In a Local Area Network (LAN) where Unbound runs on the gateway/router, make sure that a local-data entry exists somewhere so that the name you chose resolves. Something like this should work:

local-data: "rpz.home.arpa. IN A x.x.x.x"

You’ll need to replace x.x.x.x with the machine’s actual IP address.

Create /var/unbound/etc/rpz-block.zone:

$ORIGIN rpz.home.arpa.
$INCLUDE /var/unbound/etc/blocklist

Make sure that you move blocklist to the correct location:

# mv /path/to/blocklist /var/unbound/etc/blocklist

Restart Unbound:

# rcctl restart unbound

About blocklist sources

domain-sift only deals with extracting domains from text files and formatting them. It doesn’t fetch blocklists or provide them.

The design explicitly includes this limitation for a few reasons:

It follows the Unix philosophy: do one thing well; read from a file or STDIN; print to Standard Output (STDOUT).
It lets domain-sift use minimal pledge(2) promises through OpenBSD::Pledge(3p).
The simple design makes it much more flexible and portable.

Here’s roughly what I use to fetch blocklists:

$ grep -Ev '^#' blocklist_urls | xargs -- ftp -o - | domain-sift > blocklist

You can find blocklist sources in many places, such as firebog.net.

Caveats

If you’ve pulled in a lot of domains, Unbound may fail to start on OpenBSD because it doesn’t have enough time to process them all. You can fix this by increasing Unbound’s timeout value.

$ rcctl get unbound timeout
30
# rcctl set unbound timeout 120
$ rcctl get unbound timeout
120

License

This software uses the Internet Systems Consortium License (ISC License). For more details, see the LICENSE file in the project root.

Domain name meanings

Mon, 28 Nov 2022 00:00:00 +0100

Domain name meanings

This article is about the personal meaning of amissing.link and anthes.is.

What was the meaning of “a missing link?”

I think of it this way: when something goes missing, you find it in the last place you look. I figured “a missing link” could represent a website someone hasn’t visited yet. There’s a certain feeling you can experience when you stumble upon a link to something, select it, and end up appreciating what you found. I hoped people would experience that feeling when they discovered this website, and I still do.

What’s the meaning of “anthesis?”

Anthesis refers to the time when a flower opens fully and functions, or the beginning of that time. Another way to express this concept is “blossoming” or “blooming.”

As a metaphor, anthesis holds significance for me because I’ve searched for my path for a long time. In the past, I felt my life lacked brightness. Fortunately, these days I have more of what’s necessary to grow.

I don’t think blossoming means life’s difficult aspects disappear permanently. Sometimes it still seems like there isn’t enough light, and storms still rage from time to time. These things arrive, stay for a while, and eventually fade away.

Instead, to flourish means understanding that nothing stays the same and embracing these challenges for what they truly represent, rather than avoiding or trying to control them. If we only had clear, sunny days, there would be no rain. Without rain, there would be no growth—no anthesis.

Creating a DNS sinkhole with Perl and unbound(8)

Thu, 14 Apr 2022 00:00:00 +0200

Creating a DNS sinkhole with Perl and unbound(8)

Tested on OpenBSD 7.0 and OpenBSD 7.1-current

NOTE (2023-09-10): I’m deprecating genblock, please use domain-sift instead. domain-sift has a proper test suite and packaging, unlike genblock. This page and genblock remain available for historical purposes, at least for now.

What is a DNS sinkhole?

A Domain Name System (DNS) sinkhole is a domain name server that doesn’t perform domain name resolution for certain domains (typically those that contain undesired content, such as trackers, malware, and ads).

Ordinarily, a client asks for the Internet Protocol (IP) address associated with a domain and the configured DNS server provides it. Here, the canary domain “use-application-dns.net” serves as an example.

$ host use-application-dns.net
use-application-dns.net has address 44.236.72.93
use-application-dns.net has address 44.235.246.155
use-application-dns.net has address 44.236.48.31

Domains provide a human-readable way to represent one or more IP addresses, and DNS forms one part of a larger system for communications. On a website, for instance, TCP/IP (Transmission Control Protocol/ Internet Protocol) enables a client to access the resources on the web server. DNS merely provides the road map that shows how to get there.

A DNS sinkhole refuses to provide answers for certain domains. Since the client trying to connect doesn’t know the IP address of the server to connect to, it won’t make the connection.¹

$ host use-application-dns.net
Host use-application-dns.net not found: 5(REFUSED)

Why not just use an adblocker?

Nothing prevents you from using a browser extension to block ads, provided it’s open source and trustworthy (I recommend uBlock Origin).

DNS sinkholes have unique strengths that an adblocker alone cannot provide. You can apply domain filtering to the entire network, meaning individual configuration for every device isn’t necessary. You can block domains on devices that aren’t easily configurable otherwise (think Internet of Things, smart TVs, mobile devices, guest devices, and so forth).

Where to get the domains to block?

Many different sources exist. The ticked lists from firebog.net are worth considering. Here’s how ticked lists work:

Sites with preferably no falsely blocked sites, for Pi-hole installs that require minimal maintenance

Pi-hole is a popular DNS sinkhole with a web interface.

Searching for hosts(5) files also works.

Processing domains with genblock

genblock is a tool I wrote in Perl to extract domains from a given input. Previously a shell script handled this, but I realized that shell wasn’t ideal for this task and scrapped it in favor of something more structured and maintainable. Here’s how to use genblock.

The basics

Pretend a file named examplefile exists in the current directory with these contents.

$ cat examplefile
# Look at how awesome this blocklist is. Isn't it cool?
# It only uses 100% verified and real domains.
# Don't worry, bing.com is still accessible.
google.com
microsoft.com
3.1415926
www.apple.com
FACEBOOK.com
foobar
127.0.0.1 instagram.com
127.0.0.1 amazon.com
192.168.1.1
GOOGLE.COM

The simplest way to process it with genblock looks like this.

$ ./genblock examplefile
amazon.com
facebook.com
google.com
instagram.com
microsoft.com
www.apple.com

Notice several things:

Uppercase converts to lowercase. DNS is case insensitive.
Duplicate entries are removed.
Bogus entries don’t appear.
Lines that start with a comment are ignored completely (otherwise bing.com would appear in the list).
Lines are sorted (easier to diff(1) that way)

Making genblock more useful

Here’s a more realistic example that fetches a blocklist and processes it with genblock, then writes the output to a file in a format accepted by unbound(8).

$ ftp -o - https://adaway.org/hosts.txt |
> ./genblock -t unbound > blocklist.txt
$ cat blocklist.txt
local-zone: "0ce3c-1fd43.api.pushwoosh.com" always_refuse
local-zone: "100016075.collect.igodigital.com" always_refuse
local-zone: "10148.engine.mobileapptracking.com" always_refuse
local-zone: "10870841.collect.igodigital.com" always_refuse
local-zone: "1170.api.swrve.com" always_refuse
local-zone: "1170.content.swrve.com" always_refuse
local-zone: "1188.api.swrve.com" always_refuse
[many more lines like this]

Note that always_nxdomain isn’t used here. Giving the impression that these domains don’t exist when we aren’t checking for existence complicates troubleshooting. A clear response back shows that the blocking is part of a policy, and that the DNS isn’t broken.

Getting more help

Access the help output like this.

$ ./genblock -h

Configuring a DNS resolver to use the blocklist

Remember to check after setup that domain filtering works properly with something like host(1) or dig(1).

Unbound

Move the file somewhere that indicates it’s a system configuration file (so /etc, or alternatively /var/unbound/etc on OpenBSD) and give it world readable permissions, but nothing else.

# mv blocklist.txt /etc/blocklist.txt
# chmod 0444 /etc/blocklist.txt

For unbound, add this somewhere in unbound.conf(5).

include: /etc/blocklist.txt

Check the config for validity.

# unbound-checkconf /var/unbound/etc/unbound.conf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf

Restart the service, assuming it’s enabled and already running.

# rcctl restart unbound
unbound(ok)
unbound(ok)

Unwind

unwind(8) is a validating DNS resolver that’s part of the OpenBSD base system. It’s meant for workstations or laptops and only listens on localhost.

One domain per line is the format unwind accepts per unwind.conf(5), so no need to do anything special there. Move the file and modify permissions as before.

# mv blocklist.txt /etc/blocklist.txt
# chmod 0444 /etc/blocklist.txt

To include the file in unwind.conf, add this (optionally, with log at the end as shown here to log blocked queries).

block list /etc/blocklist.txt log

Check the config for validity.

# unwind -n
configuration OK

Restart the service, assuming it’s enabled and already running.

# rcctl restart unwind
unwind(ok)
unwind(ok)

Automation

Create /etc/sysadm and move genblock and a list of blocklist URLs there (a different directory works fine, too. This is just what I use).

# mkdir -m 700 /etc/sysadm
# mv genblock /etc/sysadm/
# mv blocklist_urls /etc/sysadm/

cron(8) can handle the automation. To generate a new blocklist weekly for unbound and check for validity before restarting DNS, add this to /etc/weekly.local.

# For genblock. Does blocklist handling so the script doesn't have
# to. Generates blocklist from content of URLs and reloads daemons.
/bin/test -e /etc/blocklist.txt \
    && /bin/mv /etc/blocklist.txt /etc/blocklist.txt.bak

/usr/bin/xargs -- /usr/bin/ftp -o - -- < /etc/sysadm/blocklist_urls \
    | /etc/sysadm/genblock -t unbound > /etc/blocklist.txt

# https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
echo 'local-zone: "use-application-dns.net" always_refuse' >> /etc/blocklist.txt

if /usr/sbin/unbound-checkconf; then
    /bin/chmod 0444 /etc/blocklist.txt
    /usr/sbin/rcctl restart unbound
else
    /bin/mv /etc/blocklist.txt.bak /etc/blocklist.txt
fi

I keep these portions outside of genblock for portability and to reduce code complexity. That way, there’s no need to worry about all the different init systems, DNS resolvers, methods of fetching, websites to fetch from, and so forth.

Source code

You can find the source code for genblock in my sysadm repo, accessible on this website or on GitHub.

Addendum I: Enforcing DNS provider in pf.conf

None of this prevents queries to a different server.

# host use-application-dns.net
Host use-application-dns.net not found: 5(REFUSED)
# host use-application-dns.net 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:

use-application-dns.net has address 44.236.72.93
use-application-dns.net has address 44.235.246.155
use-application-dns.net has address 44.236.48.31

If the DNS sinkhole runs on a router, place this in pf.conf(5) to block queries to an external DNS server.

block return in log quick proto { tcp udp } to !($int_if) port { domain domain-s }

The correct value for $int_if may vary. It’s vport0 in my case, which is the same interface that hands out Dynamic Host Configuration Protocol (DHCP) leases. Either way, this step matters because many devices come with a fallback DNS entry that renders these efforts useless.

Addendum II: Getting around it

You can still circumvent these measures even with firewall rules in place. Encrypting outgoing traffic to be later decrypted with something like a Virtual Private Network (VPN), Secure Shell (SSH) tunnel, or Tor accomplishes this.

Please note that theoretically nothing prevents the client from connecting to the IP address itself, if it’s known or can be discovered some other way. ↩

On overwriting disks

Wed, 02 Mar 2022 00:00:00 +0100

On overwriting disks

Tested on OpenBSD 7.0-current

NOTE: data loss may occur if you run commands in this article without care. Ensure you target the correct disk before executing anything.

The usual method

It’s common (and good) advice to first overwrite a disk with random data if you plan to create an encrypted volume. The typical suggestion involves using dd(1) in some fashion like this:

# dd if=/dev/urandom of=/dev/rsd0c bs=1m

dd handles this task just fine. Certain versions of dd support status=progress. This isn’t the case for OpenBSD’s dd, but sending SIGINFO will display the current status.

That said, nothing particularly distinguishes how dd handles overwriting disks. As far as I can tell, dd leverages the power of input and output streams in a *nix environment. Something that a tool as simple as cat(1) can also do.

# cat /dev/urandom > /dev/rsd0c

Don’t mistake that as an endorsement of cat for this job. Better tools exist.

Overwriting disks with a progress bar

When overwriting disks with little storage capacity, the lack of progress bar isn’t pressing because the operation doesn’t take long. For larger disks, an Estimated Time of Arrival (ETA) proves invaluable. I like pv for this task.

Install pv as a package.

# pkg_add pv

Here, I’m plugging in a flash drive for testing purposes and running dmesg(8) for the device name.

$ dmesg
[...]
sd5 at scsibus6 targ 1 lun 0: <, USB DISK 3.0, PMAP> removable serial.655716319B52EBB03391
sd5: 15120MB, 512 bytes/sector, 30965760 sectors

Incidentally, this already gives us the info we need to move forward (number of sectors and number of bytes per sector). But, let’s check disk details with disklabel(8) anyway for more information.

# disklabel sd5
# /dev/rsd5c:
type: SCSI
disk: VOID_LIVE
label:
duid: 0000000000000000
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1927
total sectors: 30965760
boundstart: 0
boundend: 30965760
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         30965760                0 ISO9660
  c:         30965760                0 ISO9660

One last step before overwriting: determine how many bytes total are on this disk by multiplying the bytes/sector value by total sectors.

$ echo $((512 * 30965760))
15854469120

Now we can overwrite the disk. We need -s for the total amount of data to transfer, and -S to stop transferring once that amount has been transferred. Without these, pv will display the rate of data transfer, but not an ETA since it doesn’t know how much data it will process. This makes sense because /dev/urandom will never send an “end of file,” so we must tell pv when to stop.

# pv -s 15854469120 -S /dev/urandom > /dev/rsd5c
47.5MiB 0:00:02 [23.4MiB/s] [>                                                                                                                                              ]  0% ETA 0:10:34

Writing image files to disk with a progress bar

Let’s say for the sake of demonstration that I made a terrible mistake and I really needed that live disk. No problem, we can write the data back. I’ve already downloaded and cryptographically verified the image file I’m using here. The usage is simpler here, since pv will detect the size of the image file and will receive an “end of file."

# pv void-live-x86_64-20210930.iso > /dev/rsd5c
26.5MiB 0:00:01 [26.4MiB/s] [====>                                                                                                                                          ]  4% ETA 0:00:19

Why use dd at all then?

dd offers a level of control beyond these other tools, and proves helpful in other contexts besides writing arbitrary data to disk. seek= and skip= are two options that come to mind for carving out data, along with count= for terminating the process at a specific point.

dd also eliminates the need to find the total number of bytes, since it knows when to stop writing. This happens mainly because dd doesn’t redirect STDOUT with the shell to perform writing, but rather uses the of= feature built into dd. dd can learn things about the nature of the output file that pv won’t know due to design/implementation differences.

As an aside, it’s straightforward to pipe pv into dd or vice versa, but I haven’t encountered a situation where that was necessary.

Conclusion

I realize none of this is exactly groundbreaking—this demonstrates pretty basic stuff, and only shows one use case for pv. Wacky things are possible, like creating tarballs with a progress bar, for instance.

Nothing is wrong with keeping it traditional and using dd. I found pv useful when writing random data to large disks so I had some idea of when the process would end.

Local authoritative DNS on OpenBSD using dhcpd(8) and unbound(8)

Fri, 07 Jan 2022 00:00:00 +0100

Local authoritative DNS on OpenBSD using dhcpd(8) and unbound(8)

Tested on OpenBSD 7.0

One meaningful addition to home networks is the ability to refer to devices using domain names instead of IP addresses. Domain names are more memorable and human readable. Local authoritative Domain Name System (DNS) enables things like this to work:

$ host peterepeat
peterepeat.home.arpa has address 192.168.1.241

$ ping -c 1 peterepeat
PING peterepeat.home.arpa (192.168.1.241): 56 data bytes
64 bytes from 192.168.1.241: icmp_seq=0 ttl=255 time=0.395 ms

--- peterepeat.home.arpa ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.395/0.395/0.395/0.000 ms

This document makes some assumptions. Primarily, that there’s a router running OpenBSD that serves Dynamic Host Configuration Protocol (DHCP) and DNS with dhcpd(8) and unbound(8). Local authoritative DNS extends this setup.

RFC8375 (why we use home.arpa.)

Often people choose a domain name for their home network on a whim, something like localdomain or lan. I used lan for a while. It turns out there’s a specific-use domain name explicitly reserved for this purpose: home.arpa. (Check out RFC8375 for more information).

Now that we’ve chosen a domain name, let’s configure it.

Configuring unbound(8)

Unbound functions primarily as a caching recursive resolver. But it can also serve zones authoritatively,¹ as shown by this commented out section in the default configuration file.

# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
#local-zone: "2.0.192.in-addr.arpa." static
#local-data-ptr: "192.0.2.51 mycomputer.local"

I prefer to include a separate file in unbound.conf(5) so that this part of the configuration remains distinct. Edit /var/unbound/etc/unbound.conf and place the desired filename in there somewhere.

include: /var/unbound/etc/unbound.conf.lan

After writing those changes, create the included file and add these contents. Adjust things as needed. Unbound already includes RFC8375 support, so you only need to add local-data and local-data-ptr.

# Define individual hosts here. Both an A record and a PTR
# record are needed. Note that local-data-ptr reverses local-data.
local-data: "peterepeat.home.arpa. IN A 192.168.1.241"
local-data-ptr: 192.168.1.241 peterepeat.home.arpa"

Save the file. Check that the syntax is valid (unbound checks the syntax of the included file, too).

# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/etc/unbound.conf

Configuring dhcpd(8)

A viable dhcpd.conf(5) needs to declare a domain name and at least one host, along with mandatory parameters. A working configuration looks like this (note that fixed-address takes a domain name, not an IP address).

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name "home.arpa";
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    range 192.168.1.10 192.168.1.200;

    host peterepeat {
        fixed-address peterepeat.home.arpa;
        hardware ethernet 34:cb:02:02:2c:0a;
        option host-name "peterepeat";
    }
}

I prefer to add use-host-decl-names to assign the hostname automatically based on the host declaration like so.

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name "home.arpa";
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    range 192.168.1.10 192.168.1.200;

    group {
        use-host-decl-names on;

        host peterepeat {
            fixed-address peterepeat.home.arpa;
            hardware ethernet 34:cb:02:02:2c:0a;
        }
    }
}

Check that dhcpd accepts the configuration. If there are no complaints, restart both daemons.

# dhcpd -n
# rcctl restart dhcpd unbound

Testing DNS resolution

Get a new DHCP lease on the client side (as of OpenBSD 6.9, you can do this with dhcpleasectl(8). The correct interface varies).

# dhcpleasectl re0

Then, try to resolve the new hostname.

$ host peterepeat.home.arpa
peterepeat.home.arpa has address 192.168.1.241
$ host 192.168.1.241
241.1.168.192.in-addr.arpa domain name pointer peterepeat.home.arpa.

Querying hosts without a FQDN

This setup works well enough as-is, but you might not be able to query hosts without a Fully-Qualified Domain Name (FQDN) out of the box. Check to see if host(1) fails with a partial hostname.

$ host peterepeat
Host peterepeat not found: 3(NXDOMAIN)

This happens because the system doesn’t append .home.arpa to peterepeat before the lookup. The machine trying to perform the lookup needs to have this line added to resolv.conf(5).

domain home.arpa

Now things work as expected, saving a few keystrokes.

$ host peterepeat
peterepeat.home.arpa has address 192.168.1.241

nsd(8) can also fulfill this function if you forward lookups to home.arpa. to it with unbound, but that’s a more involved setup. RFC8375 states that combining the recursive resolver function for general DNS lookups with an authoritative resolver for home.arpa. is permissible. ↩

Setting up a 4K Kodi box with sndio on FreeBSD

Sun, 13 Jun 2021 00:00:00 +0200

Setting up a 4K Kodi box with sndio on FreeBSD

Tested on FreeBSD 13.0-RELEASE

Installation

For brevity, this guide doesn’t cover the FreeBSD installation process in depth. The FreeBSD handbook documents this process.

The short version:

Download an installation image for amd64.
Verify the image’s checksum and GNU Privacy Guard (GPG) signature. Without this verification, you can’t confirm the installation image’s authenticity or detect tampering.
Flash the image to a Universal Serial Bus (USB) drive.
Boot from the USB drive and complete the installation procedure.

After installation

The post-installation setup becomes more specific here. This guide uses ports instead of packages because Kodi lacks built-in sndio support by default. This choice makes the post-installation phase more involved.

Setting up power management

Enable and start powerd(8) for power management. This reduces power consumption when the entertainment center sits idle.

# sysrc powerd_enable="YES"
# service powerd start

Creating make.conf

To make changes take effect immediately, set up make.conf(5) before compiling anything.

To stay current, my make.conf lives in git, but don’t copy it without understanding it first. The configuration includes everything needed to compile with sndio, LibreSSL, and Intel Quick Sync Video support.

Checking out source code

Checking out the ports tree

See the FreeBSD handbook entry on ports for more details.

# portsnap fetch extract

Installing portmaster

Install a ports management tool. For simplicity, this guide uses ports-mgmt/portmaster. While ports-mgmt/poudriere also works well, teaching poudriere exceeds this guide’s scope. Portmaster gets the job done.

# make -C /usr/ports/ports-mgmt/portmaster install clean

Checking out FreeBSD’s source code

Install git, as the source tree checkout requires it. The git-tiny flavor works well.

# portmaster devel/git@tiny

Check out the source tree. Building graphics/drm-kmod requires the source tree.

# git clone https://git.freebsd.org/src.git -b releng/13.0 /usr/src

Odds and ends before compiling Kodi

Installing needed tools

Install a few tools to make the build process more manageable before building Kodi. sysutils/tmux proves essential because you can detach from a tmux session and log out while portmaster builds, then later log in and reattach to check the build progress.

security/doas provides a more minimalist method of privilege elevation.

Consider installing a text editor and shell if desired. I like editors/neovim and shells/oksh.

# portmaster sysutils/tmux security/doas

Setting up doas.conf

If you installed security/doas, set up doas.conf(5). Since FreeBSD currently lacks persistence support, adding nopass improves usability.

# echo 'permit nopass :wheel' >/usr/local/etc/doas.conf

Entering a tmux session

This step matters for the next section. The one-liner below checks whether the current user has a tmux session open. If not, it first tries to attach to an existing session, and creates a new session if that fails.

$ [ -z "${TMUX}" ] && { tmux attach || tmux; }

Compiling Kodi

Using portmaster to compile ports

Now compile Kodi.

Note: if you don’t want ports configuration beyond what make.conf specifies, prepend BATCH=1 to the below command. I recommend at least reviewing the options available for multimedia/ffmpeg and multimedia/kodi with make config.

Remember to install packages needed for Hardware video acceleration. For the Latte Panda Delta, these packages include multimedia/libva-intel-media-driver and multimedia/libvdpau-va-gl.

# portmaster audio/sndio graphics/drm-kmod multimedia/libva-intel-media-driver \
> multimedia/libvdpau-va-gl x11/xorg misc/unclutter-xfixes multimedia/kodi \
> multimedia/kodi-addon-inputstream.adaptive

After giving portmaster permission to build everything, detach from the tmux session (CTRL-b d by default. Or create a second window with CTRL-b c and issue tmux detach). Then, close the SSH connection and take a fifteen-minute break.

After the initial break, SSH back in and tmux attach to check for early errors that need attention. Waiting hours only to discover that portmaster encountered an early error and stopped building is frustrating.

Now, relax—compiling Kodi and Xorg on a single board computer takes time.

Reviewing installation messages

Review installation messages to check for needed interventions.

$ pkg query '%M' | less

Setting up a user environment for Kodi

Creating the kodi user

Create a separate user for Kodi (named kodi here). Add the kodi user to the video group.

# adduser

If you didn’t add kodi to the video group during user creation, go ahead and fix it now:

# pw groupmod video -m kodi

After that, log in as the kodi user.

Creating .xinitrc

Create /home/kodi/.xinitrc to configure part of the startup process for the graphical environment.

The xset commands prevent interference with Kodi’s screen blanking mechanisms. unclutter hides the cursor when idle. By default, the cursor stays invisible during ordinary usage, but if you bump a pointer device, it sticks around. unclutter helpfully hides it again after a short period of inactivity.

$ cat <<EOF >~/.xinitrc
> . "${HOME}/.profile"
> xset s noblank
> xset s off
> xset -dpms
> unclutter &
>
> exec kodi
> EOF

Starting X

From a console (not SSH), start X.

$ startx

If X starts successfully, log out of the kodi user and back in to the user with root access.

Starting Kodi automatically

Setting up gettytab

Having Kodi start automatically on boot can help. This requires the kodi user to log in automatically. To enable this, append some configuration to gettytab(5).

# cat <<EOF >>/etc/gettytab
> # autologin kodi
> A|Al|Autologin console:\
>   :ht:np:sp#115200:al=kodi
> EOF

Editing ttys

Edit ttys(5) to match the following configuration.

# Virtual terminals
#ttyv1  "/usr/libexec/getty Pc" xterm   onifexists  secure
ttyv1   "/usr/libexec/getty Al" xterm   onifexists  secure

Ensuring X only starts in the correct terminal

As the kodi user, append this check to /home/kodi/.profile. The check makes X start only in the correct terminal and prevents X from starting if already running.

$ cat <<EOF >>~/.profile
> if [ -z "${DISPLAY}" ] && [ "$(tty)" = '/dev/ttyv1' ]; then
>   exec startx
> fi
> EOF

Finally, reboot the system.

# reboot

Configuring the sound system

If everything works correctly, configure the sound system. Set the default device with sysctl(8) if needed (check /dev/sndstat for available devices).

# sysctl hw.snd.default.unit=1 # needed for HDMI in this case

Now, decide whether to use bit-perfect mode and consult the relevant section below. Note that the “Sync playback to display” option in Kodi conflicts with bit-perfect audio. It resamples both video and audio to match the display’s refresh rate.

Bit-perfect

To use bit-perfect mode, apply two sysctl tweaks. This example uses the first device, but check which device needs tweaking.

# sysctl dev.pcm.1.bitperfect=1
# sysctl hw.snd.maxautovchans=0

Not bit-perfect

Change hw.snd.feeder_rate_quality from its default value of 1. According to sound(4), the default linear interpolation doesn’t provide antialiasing filtering. I prefer to start with the highest resampling quality possible and lower the value if needed.

# sysctl hw.snd.feeder_rate_quality=4

Remember that regardless of which mode you select, to make sysctl tweaks permanent, you must edit sysctl.conf(5) accordingly.

Note that sndiod isn’t needed in either case.

Staying up to date

Setting up cron to fetch updates nightly

Pull in updates every night at 03:00 using portsnap(8) and freebsd-update(8).

Note that neither portsnap cron nor freebsd-update cron applies updates. They only download updates.

# cat <<EOF | crontab -
> 0 3 * * * root /usr/sbin/portsnap cron
> 0 3 * * * root /usr/sbin/freebsd-update cron
> EOF

Updating the system and ports

When ready to update, run these commands to apply changes to the ports and source tree. They also apply binary updates to the base system.

# portsnap fetch update
# freebsd-update fetch install
# git -C /usr/src pull

If freebsd-update fetch install installs any updates, rebuild graphics/drm-kmod per the FreeBSD handbook.

# portmaster -f graphics/drm-kmod

Always check /usr/ports/UPDATING before upgrading any ports. Then, upgrade.

$ less /usr/ports/UPDATING
# portmaster -a

Reboot the system.

# reboot

Parting words

The entertainment center works well once configured. Setup proves involved initially (due to my specific requirements and preferences), but maintenance stays manageable.

Resources

Video levels and color space. Helpful entry from the Kodi Wiki.
Calibration media for TV brightness, contrast, and other settings, as mentioned in this thread. The original poster provides this as an alternate download link (other links point to Google Docs).

Recommended F-Droid apps

Mon, 12 Apr 2021 00:00:00 +0200

Recommended F-Droid apps

NOTE: Though I care about open source software, I can no longer recommend F-Droid as an app store as of 2023-04-18. Please see F-Droid Security Issues. These days I prefer to update apps via Really Simple Syndication (RSS) instead.

I may rewrite this post or delete it later, but I felt I should at least mention this concern first.

What is F-Droid?

From the F-Droid website:

“F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.”

F-Droid apps

ImagePipe or Scrambled Exif. Both apps remove Exchangeable Image File Format (EXIF) data, metadata in photos that can reveal personal information, before you send pictures. Despite serving a similar purpose, the two apps differ in implementation and features. Notably, ImagePipe also reduces image size (though it keeps the original unaltered and stores the changed copy in a separate folder), which may or may not be desirable depending on your use case.
Keep It Simple, Stupid (KISS) Launcher. I find that pinning a few choice apps and searching for the rest with KISS Launcher provides a more pleasant experience relative to the default GrapheneOS launcher. Also, launchers let you use custom icons (I use Arcticons Dark).
Meditation Assistant. Practice agnostic and doesn’t do more than I need it to–in other words, perfect for my use case.
mpv-android. For those that love mpv and want it on their phone, too.
Netguard. Block internet access per app. Unfortunately, I haven’t found a way to combine it with Orbot yet.
NewPipe. NewPipe lets you watch YouTube privately on your phone; you can also keep up with your favorite content creators without signing up for an account.
Orbot. An invaluable tool for privacy, Orbot tunnels the traffic of selected apps through Tor.
RedReader, an unofficial open source client for Reddit. It has a clean UI with no nonsense. I found it through word of mouth, as I’ve never liked the redesign and wanted to find a less feature-rich (and less buggy) client than Slide. This is exactly what RedReader delivers.
Termux. Termux provides a terminal emulator for Android and offers an incredible amount of power. I use Termux to securely transfer files between my phone and computer using SSH.
Yet Another Call Blocker (YACB). A useful app. You can add problematic area codes to YACB and it filters them out automatically. You can exempt contacts from being treated as unknown callers, and YACB even has an option to stop the call before the phone starts ringing on Android 7+.
UntrackMe. UntrackMe transforms certain links, such as YouTube, Twitter, and Instagram, to point at a Free/Libre and Open Source Software (FLOSS) privacy respecting alternative. In the case of Twitter, it changes the domain to a Nitter instance.

Why OpenBSD?

Thu, 25 Mar 2021 00:00:00 +0100

Why OpenBSD?

Previously, I scattered my thoughts on OpenBSD around my website, alluding to its strengths when needed. However, that approach made my argumentation feel disjointed as a result. It seems more sensible to have a central place to discuss these things.

Why not OpenBSD?

First, I’d like to bring up the ‘dealbreakers.’ I wouldn’t recommend OpenBSD to those that:

Dislike reading/are unwilling to learn.
Prioritize performance above all else.
Desire a powerful filesystem like Z File System (ZFS).
Want all the latest features.
Need every task or detail to be abstracted away graphically.
Want it to work like $PREVIOUS_OS.

Simplicity

When I say simplicity, I mean simplicity from a software design/development perspective. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren’t as many bells and whistles compared to other operating systems and that’s good. That means there’s less to sift through if something breaks.

Less decision paralysis

One of Linux’s strengths is also a grave weakness: the abundance of choice. Deciding what implementation to use for a mail, web, Domain Name System (DNS), or Network Time Protocol (NTP) server is a task in itself, as there are many out there.

With OpenBSD, one already has a sane, powerful, and secure suite of software to choose from, also known as the base system. For instance, a web server with HyperText Transfer Protocol Secure (HTTPS) and automated certificate renewal can be had with httpd(8), acme-client(1), and cron(8), all without installing any additional software.

See OpenBSD’s “innovations” page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?

Great documentation

OpenBSD feels transparent and comprehensible. Between the Frequently Asked Questions (FAQ), man pages, and mailing lists, as well as other resources like /etc/examples and /usr/local/share/doc/pkg-readmes, the user isn’t lacking in ways to understand how the system works under the hood. An OpenBSD installation is a didactic environment well-suited to anyone with a Do It Yourself (DIY) attitude.

Security

No discussion of OpenBSD’s strengths would be complete without mention of its focus on security.

One example I like, albeit one not strictly focused on the base system, is how the OpenBSD project packages Firefox and Tor Browser with pledge(2) and unveil(2) in mind. Speaking to the latter system call, there’s no reason these browsers should be able to read ~/.ssh or ~/.gnupg, so they can’t. They can only interact with allowlisted paths (with permission to read, write, execute, create, or any combination thereof, depending on what’s stipulated). As a result, the amount of damage a malicious extension or browser exploit could wreak is much less than usual.

Privacy

kern.video.record and kern.audio.record are both set to 0 by default, meaning that no video or audio recording can occur without permission.

Stability

I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.

Users can depend on the project making a new release available about once every 6 months. Every new release comes with documentation on changes made and how to upgrade, which is a painless process with the sysupgrade(8) tool.

Sane defaults

OpenBSD is certainly configurable, but the project’s attitudes toward knobs is different from some others. OpenBSD tries to set good defaults that work for everyone in the hopes that people won’t need to fiddle around much (the more someone who doesn’t totally understand what they’re doing changes a system, the more likely they are to break something).

Unlike many minimal Linux distributions, these services are all enabled by default on a new OpenBSD installation:

time synchronization
cron
log rotation
a stateful packet filter/firewall
local mail delivery

Versatile

OpenBSD makes a good OS for both the desktop and the server, at least for my needs.

Other resources

Tagging and managing music with beets

Thu, 05 Nov 2020 00:00:00 +0100

Tagging and managing music with beets

Last updated: July 8th, 2025

Why metadata matters

Tagged music files come with significant benefits. To name just a few:

You know what to expect from your music without relying on long filenames or navigating through a forest of directories.
You can find music of a specific type by querying the metadata. For instance, you can list all music from a specific genre or year.
ReplayGain normalizes loudness so that your hand can rest somewhere other than the volume knob.

Beets as a music manager

If you’ve never tagged music before or want to change your workflow, maybe you can use beets to manage your library. You can gain many of the benefits mentioned before through fetching and applying metadata from sources like MusicBrainz. Plugins fill in the gaps.

You may like to keep the documentation for beets in a separate tab while you read this. This blog post provides an overview, but the docs provide more exhaustive detail.

How to install beets

You can install beets with a package manager, either the one your operating system provides or a Python package manager like pip.

If you use OpenBSD, you can install beets with pkg_add:

# pkg_add beets

How to configure beets

By default, beets places imported music in ~/Music. If you need to change that, add the desired path to the config.yaml file like so:

directory: /path/to/music/library

Often you can go straight to importing music without any further modifications after this. Otherwise, the documentation on configuration can help you if you run into any issues.

How to import music

Beets needs a music library to work with, which means you need to import some music.

$ beet import /path/to/album

If the similarity score meets the threshold, beets tags the music automatically and moves on. Otherwise, beets asks for more details.

How to query music

To list your music, use beet ls. But beware: this lists all music currently managed by beets.

To narrow down your query, you can use the available metadata fields. You can list those metadata fields with beet fields. The output includes fields like album, artist, year, country, and others.

Some plugins provide metadata fields as well. For instance, with the lastgenre plugin installed, you can query by genre like this.

$ beet ls genre:'Progressive Rock'

What plugins does beets have?

Beets includes many high quality plugins that extend its capabilities. I show only a fraction of them here, so make sure to read through the documentation on plugins afterward.

Album art with fetchart

If you use a minimal music player without album art display capabilities, then this may not matter to you. Still, with more full-featured media applications, missing artwork bothers some people.

To fetch album art with the fetchart plugin, add the following to your config.yaml:

plugins: fetchart

Then, update the library.

$ beet fetchart

Genre metadata with lastgenre

Out of the box, beets doesn’t deal with genres at all because MusicBrainz doesn’t have that information.

To add genre information to your collection by pulling it from Last.fm, put this inside your config.yaml:

plugins: lastgenre

Then, update the library.

$ beet lastgenre

Cue sheets and how to use them

Beets needs a separate file for each track to tag music. Yet sometimes only one Free Lossless Audio Codec (FLAC) file exists for an entire album. Although many other formats besides FLAC exist, pretend for now that your album came with one FLAC file that contains all the tracks.

In this case, look for a text file that describes the album’s track layout with timestamps. People refer to a text file like this as a “cue sheet.” With a cue sheet, you can split that single FLAC file into separate files by track, through a process known as “cue splitting.”

Given a cue sheet and a FLAC file with many tracks, you can perform cue splitting like this.

Install shntool for cue splitting, and cuetools to tag the resulting files.
```
# pkg_add shntool cuetools
```
Navigate to the album in question.
```
$ cd /path/to/album
```
Split the FLAC file.
```
$ shnsplit -f example.cue -o flac example.flac
```
-f points to the cue sheet. -o specifies the encoder, which defaults to Waveform Audio File Format (WAV).

By default, shnsplit creates files with this format: split-track01.flac. beet import renames files according to their metadata, so the filenames don’t matter.
Rename the FLAC file so that it ends in .bak.
```
$ mv example.flac{,.bak}
```
You need to perform this step so that cuetag won’t target the original FLAC file later on.
Tag the split files with the original metadata.
```
$ cuetag example.cue ./*.flac
```
./*.flac targets all FLAC files in the current directory. See shellcheck’s wiki entry for SC2035 for an explanation of why I use ./*.flac instead of *.flac.
If satisfied, delete the original FLAC file.
```
$ rm example.flac.bak
```
Now that you performed cue splitting, you can import the music.
```
$ beet import .
```

Scripting cue splitting

Given that this process can feel tedious, I wrote a small shell script to automate cue splitting. splitflac works like so:

$ splitflac example.cue example.flac

By default, splitflac doesn’t delete the original FLAC file. To do so on a successful split, pass -d.

$ splitflac -d example.cue example.flac

Building an OpenBSD router using an APU4D4

Thu, 01 Jan 1970 00:00:00 +0100

Building an OpenBSD router using an APU4D4

Tested on OpenBSD 6.8

NOTE (2023-07-22): the Accelerated Processing Unit (APU) platform is end-of-life. This article may need updating, though many principles still apply. Proceed with caution.

Foreword

Consumer routers are riddled with security problems. Between 1999 and 2017, researchers disclosed 600 Common Vulnerabilities and Exposures (CVEs) for router software—and those represent only the public vulnerabilities. The paper “So You Think Your Router Is Safe?” addresses this subject well.

Faced with this reality, and as someone who’s caught the OpenBSD bug (or pufferfish, same difference), I decided to build my own router. Here’s how I did it.

Hardware

To buy an APU4D4 or similar, visit PC Engines. Their boards come with coreboot preinstalled and the experience has been great.

Include a USB to DB9F serial adapter in your order, as you’ll need it for installation.

Consult the manual for assembly instructions.

Download OpenBSD

Download, verify, and flash the amd64 image that includes the file sets (installXX.img) to a USB drive. OpenBSD’s FAQ covers this.

Install OpenBSD

Connect to the serial port. I run OpenBSD on my laptop, so I use cu(1) for serial connections. The user must belong to the dialer group to use cua(4) devices.

Display the current user and their groups with id(1).

$ id

Add the user to the dialer group if necessary with usermod(8).

# usermod -G dialer [user]

Finally, connect to the serial port. This specifies the line to use (-l) and the baud rate (-s). The APU4D4 requires a baud rate of 115200.

$ cu -l cuaU0 -s 115200

Remember to enter this at the boot prompt afterward to configure the serial connection. The installer sets these later.

boot> stty com0 115200
boot> set tty com0
boot> boot

From here, the FAQ provides enough information to complete the installation. Check the documentation for the relevant architecture. In this case, consult the notes on amd64.

After installation

Complete the usual tasks (read afterboot(8), check system mail, etc.). After that, you need to implement several components:

A firewall, Dynamic Host Configuration Protocol (DHCP) server, and Domain Name System (DNS) server. See my pf.conf.
A way to connect to the Internet, which varies between providers. For some, you may need a Point-To-Point Protocol over Ethernet (PPPoE) connection. See pppoe(4).

You can also add these components:

Many use cases require a network bridge for Ethernet interfaces. As of 6.9, I use veb(4) with good results.
IPv6, depending on your use case and whether your Internet Service Provider (ISP) supports it.
DNS sinkhole with unbound(8), see Creating a DNS sinkhole with Perl and unbound(8).
Authoritative DNS for devices on the home network with the special-use domain home.arpa, see Local authoritative DNS on OpenBSD using dhcpd(8) and unbound(8).

Always give official OpenBSD documentation preferential treatment and cross-reference it when using unofficial documentation. Keep it simple and avoid changing settings unless you understand what they do.

WireGuard

Solene has a great article on this.

Firefox keyword search: bookmark method

Thu, 01 Jan 1970 00:00:00 +0100

Firefox keyword search: bookmark method

Last updated: July 8th, 2025

Introduction

Many people use a search engine to navigate the Internet, but not everyone knows about Firefox keyword search. This feature lets you assign keywords to bookmarks so that you can query virtually any site with ease.¹ Read on to learn how to set it up.

Why use bookmark keywords?

Smart keywords (Mozilla’s term for this feature) can be a useful tool for several reasons.

Better online privacy. Only query and send data to the site you want answers from, right?
They save time. Once you set them up, you can effortlessly search your favorite websites from the address bar.

Defining a keyword for Wiktionary

Let’s use Wiktionary, the multilingual dictionary as an example.

Open up Firefox and navigate to www.wiktionary.org. Right click Wiktionary’s search bar to pull up a context menu with several entries. Left click the “Add a Keyword for this Search…” entry.

Firefox now presents a dialog box with three options.

The name of the bookmark.
The location to save the bookmark in.
The keyword to use for the bookmark.

Choose a name and location if you like. Then, type in your desired keyword and click “Save” to add it. I chose wkt.

Test it out: search Wiktionary for definitions

Now you can use keyword search to find the definition of a word. Type wkt (or whatever you chose) into Firefox’s address bar, followed by the word you want to know the meaning of.

Here’s an exercise: what’s the difference between “somnambulism” and “funambulism?”

What else can you do?

You can edit your regular bookmarks in the same way to navigate to any site in a couple of keystrokes. Note that because there’s no query to make, you only type in the keyword itself.

Pretty much anything based on Firefox can add keywords to bookmarks as well. This includes Tor Browser. ↩

NixOS review: 8 important pros and cons

Thu, 01 Jan 1970 00:00:00 +0100

NixOS review: 8 important pros and cons

Last updated: July 4th, 2025

Before you continue on with my review of NixOS, here’s a short list of the advantages and disadvantages I talk about for reference.

Strengths: Abstraction; Reproducible builds; Atomic upgrades; Rollbacks; Immutability
Weaknesses: The learning curve; Some security concerns; Requires systemd

What’s NixOS, and why use it?

NixOS is a unique Linux distribution. The main thing that makes NixOS special is the ability to describe your desired system layout with the Nix language. To do this, you edit a file named /etc/nixos/configuration.nix and then rebuild the system.

Declarative package management and system configuration have some benefits over the imperative approach used by more traditional operating systems. But to meaningfully review the pros and cons of NixOS, we must first understand these terms and how they relate to one another.

If you already know the differences between them, feel free to skip ahead.

What do imperative and declarative mean?

The easiest way for me to explain these two concepts is to talk about them in the context of software development.

Imperative programming languages are things like Python and C. To make languages like this useful, you provide step-by-step instructions that lead to your end goal. In other words, imperative means you write out how to do something.

Meanwhile, Haskell and Nix are examples of declarative programming languages. Their design allows them to perform the necessary steps on their own when given a proper description. In other words, declarative means you describe what the end result should be.

Let’s compare the process of activating a Secure Shell (SSH) service on Arch Linux and NixOS to demonstrate the differences between these two paradigms.

Enable SSH imperatively

Install the openssh package.

# pacman -S openssh

Enable the service.

# systemctl enable ssh

Enable SSH declaratively

Edit the /etc/nixos/configuration.nix file.

services.sshd.enable = true;

Rebuild and switch to the new configuration. During the build, NixOS detects that the sshd service depends on the openssh package, so it installs it.

# nixos-rebuild switch

NixOS advantages

Pro #1: Abstraction

The nice thing about NixOS is that different software packages can use the same syntax for configuration. Compare the way that default fonts are set in Extensible Markup Language (XML) to the Nix expression.

You may notice that the XML sample only defines serif. Yet right below it, Nix declares default serif, sans-serif, and monospace fonts in less space.

<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
    <alias>
        <family>serif</family>
        <prefer>
        <family>Liberation Serif</family>
        </prefer>
    </alias>
</fontconfig>

fonts.fontconfig.defaultFonts = {
    serif = [ "Liberation Serif" ];
    sansSerif = [ "Liberation Sans" ];
    monospace = [ "Liberation Mono" ];
};

Note that this will not install font packages for you. The system provides a separate fonts.fonts option where you list each package out.

Pro #2: Reproducible builds

Reproducibility and deterministic behavior are dense topics. When it comes to NixOS, the idea is that recreating a given system configuration is straightforward. You can copy /etc/nixos/configuration.nix over to a different machine and build from it. Assuming that file contains valid Nix expressions, it should yield the same system state.

NixOS excels as a Linux distribution for cloud servers, as reliable system deployment is straightforward and built into the operating system itself. Additionally, Nix itself is a powerful collaborative tool because creating a development environment with the same version of important libraries is relatively straightforward.

Pro #3: Atomic upgrades

Another helpful feature Nix developers included is the avoidance of partial states. When software follows this principle, either everything takes effect or nothing does. This principle is also known as atomicity.

NixOS treats upgrading as an atomic transaction. Here’s a practical example of how that can be useful: if a power outage happens during a rebuild, the packages remain in a consistent state. The system uses either the entire working set of packages from before or after.

Pro #4: Rollbacks

“Generations” are a key feature of NixOS. If you mess something up, you can roll back to a previous working configuration. The boot loader includes a list of generations to select from as well.

Pro #5: Immutability

The system installs packages in unique locations within the Nix store (/nix/store), and they always remain the same once built. The subdirectory for each package comes from a cryptographic hash of its build dependency graph.

Setting the jargon aside, this design means you can use multiple versions of the same software—this even applies to identical versions with different build dependencies or flags.

NixOS disadvantages

Con #1: The learning curve

To manage your NixOS system, you need to invest some time and effort into learning Nix and related tools. After all, most of the system configuration you would perform by hand with another Linux distribution gets handled through a programming language instead.

Here’s my recommendation: experiment with Nix and see how you feel about it before installing NixOS on bare metal. Check the Nix language guide and follow along to get a sense of how the language works.

Con #2: Some security concerns

Reviewing what open issues a software project has before using it is a good idea—especially those relating to security. Here are a few issues in the nixpkgs repository to consider before using NixOS.

Most software projects of notable size and scope have some security issues. Decide for yourself what an acceptable threshold is. You might also consult the NixOS security page.

Con #3: Requires systemd

NixOS depends on systemd. No option exists to use something different like OpenRC or runit. This will probably remain the case for the foreseeable future.

If you’re fine with using a Linux distribution that has systemd, then this isn’t a concern for you. All the same, one drawback of NixOS is that it doesn’t enjoy the level of freedom that something like Gentoo has in this regard.

Concluding my NixOS review

Every system has its strengths and weaknesses, whether it’s a Linux distribution or otherwise. Software is a tool: to select the right tool for the job, you need to first understand the problem you’re looking to solve.

Hopefully my NixOS review has given you some reasons to explore the Nix ecosystem, as well as some knowledge to arm yourself with if you do so. Assuming the benefits were compelling to you and the drawbacks are things you can live with, you may as well give it a try. Experience is one of the best ways to learn.

Benefits and drawbacks of self-hosting

Thu, 01 Jan 1970 00:00:00 +0100

Benefits and drawbacks of self-hosting

Last updated: July 7th, 2025

As someone who has run many services for a while now, I feel I can speak to the advantages and disadvantages of self-hosting. In my case, the benefits have more than made up for the drawbacks. Still, each person or organization must decide for themselves whether the pros outweigh the cons.

Benefits

Learning more about system administration and software stacks by building it yourself. Few teachers beat hands-on experience. When I first started, I didn’t even know what the term “A record” meant (for those who don’t already know, an A record refers to a Domain Name System (DNS) record that maps a domain to an Internet Protocol (IP) address).
Control and choice. For instance, you can decide what operating system to use. Often many software choices exist for a particular use case, and you can control the configuration details.
Transparency. Self-hostable software typically uses open source code. Because you assembled the pieces, you can more readily understand how everything fits together. That means when something goes wrong, you have some idea of where to start looking.
Repairability. When something breaks, you can fix it yourself without waiting for someone else to get to it.
Privacy. This relates to the other points—because you have control and transparency, you can know how the system processes sensitive data and what parties can gain access to it.

Drawbacks

Time investment. Learning the necessary skills and setting everything up takes patience, and the time investment doesn’t end there. Managing your own server requires regular system maintenance. This involves making sure everything still functions correctly and performing upgrades, among other tasks.
Full responsibility. You bear responsibility for everything that happens on your server. Not only can you fix it yourself, you must fix it yourself. Sometimes this creates real inconvenience because things often break at inopportune times.
Ongoing costs. Self-hosting typically costs money. Recurring costs for a virtual private server and domain name can add up over time. But these may cost less than what you would otherwise pay for cloud computing, so context matters here.
Security risk. You can create vulnerabilities without even realizing it. This is why taking your time and acquiring the knowledge needed to do things right matters. Starting small also helps. For example, hosting a static website carries little risk.

Open source operating system recommendations

Thu, 01 Jan 1970 00:00:00 +0100

Open source operating system recommendations

The xkcd comic above illustrates the difficulties of creating a universal standard, and why it often creates yet another competing standard instead. This broadly applicable lesson explains the wide array of open source operating systems available today.

One of the most common experiences that someone exploring alternative operating systems on their own may encounter is feeling overwhelmed by the sheer amount of choice available. While I have no real solution for this feeling, I hope that my own “best of kind” list can be useful regardless.

Resources

Before my recommendations, here are some resources that I find helpful:

Librehunt first explains in clear terms the concepts that anyone would need to know to make an informed decision about Linux. After that, the second part involves a quiz so that Librehunt can suggest relevant Linux distributions.
Distrochooser resembles Librehunt in that it uses the answers to a quiz to recommend Linux distributions, except I’d say the target audience is more technically inclined.
Distrowatch presents a more visually busy and dense website, to say the least. But it’s a decent tool to search operating systems by category, discover new ones, or read a little about what’s happening in the Linux world. Note the way they measure popularity: the numbers by each distribution reflect how many times visitors accessed that page on the Distrowatch website in the last 6 months.
Repology offers a way to search the software repositories of many different open source operating systems at once.

User friendly and just works

Many options exist in this space, but a great all-around pick that I always fall back to is Linux Mint. The Cinnamon edition stands out in particular, as it feels user friendly and polished, yet it also empowers the user. The large, helpful community provides exactly what someone new to Linux will appreciate. I feel confident pointing to Linux Mint for this use case, as it showcases the unique strengths of Linux in an approachable way to new users.

Innovative and for power users

Red Hat, the largest Linux company in the world, backs Fedora. It offers many compelling features out of the box, such as the SELinux (Security-Enhanced Linux) mandatory access control system and the copy-on-write filesystem known as btrfs. If taking advantage of new Linux features and keeping a finger on its pulse matters to you, Fedora is a sensible choice.

Reasonably secure and paranoid

Qubes OS focuses on security as an operating system designed to separate different aspects of your digital life into virtual machines, also called qubes. The idea is to compartmentalize everything so that if one qube gets compromised, the rest of the system remains unaffected. Qubes OS integrates Whonix which is a huge privacy gain. I highly recommend it to anyone that prioritizes the security of their machine over all else.

Run the latest software and do it your way

Arch often serves as the first advanced Linux distribution that people try. A distribution you install from the command-line, Arch aims to provide the newest releases of software in its repositories. The Arch wiki provides an excellent source of information, and a massive selection of software is available through the Arch User Repository (AUR). Arch offers a middle ground between customization and practicality that many people appreciate.

Customize everything and learn a lot about Linux

Gentoo prioritizes extensive customization and choice. Portage (Gentoo’s package management system) exposes a wealth of options to the user, allowing them to adjust the compile time options of software they install through something called “USE flags.” Additionally, you choose components like the system logger and init system during the installation process, which also takes place at the command-line. Gentoo’s wiki and its knowledgeable yet friendly community make it one of the best ways to learn about the deep inner workings of Linux.

The minimal Unix-like cousin of Arch

Void falls somewhere between Arch and Gentoo in my eyes. It feels more Unix-like than Arch, yet it doesn’t lean as heavily into customization as Gentoo. Void’s package manager (xbps), init system (runit), and alternative C library support (musl) serve as major selling points of the distribution. I can see the logic behind many of the decisions and design choices that the project makes. For example, I think mandoc provides an excellent manual page system, and Void uses it by default.

Simple, stable, and follows the Unix philosophy

OpenBSD is a Berkeley Software Distribution (BSD) system that has a strong focus on security, portability, simplicity, and correctness. OpenBSD features some of the best documentation of any project I’ve used, and it introduced me to a lot of software that I still admire to this day. For me, it remains unmatched on the server side due to OpenBSD’s simplicity and secure by default approach. Development moves in a more deliberate, controlled manner compared to Linux, which moves rapidly and more chaotically. Here are some more of my thoughts on OpenBSD.

A secure mobile operating system

GrapheneOS is a version of the Android operating system that focuses on privacy and security. It’s specifically designed for Google Pixel devices due to the merits of that hardware. GrapheneOS delivers unique advantages including sandboxed Google Play services, extensive system hardening, and secure replacement applications. For mobile operating systems, I know of nothing more secure.

Reproducible, declaratively built operating system

NixOS presents a different method of system management: describing your desired system in a configuration file and then issuing a single command to build it. This approach offers definite advantages and I’ve written more about NixOS here.

Migrating to anthes.is

Mon, 03 Oct 2022 00:00:00 +0200

Migrating to anthes.is

Hey all. I know it has been a while since I have written anything. I am still around and I have some articles planned that I would like to write, though I feel it is important to first announce that this website’s domain name is changing.

When is this happening?

Though I have already registered anthes.is, I would like to wait a short period before creating a 301 Moved Permanently redirect. I plan to do the migration at some point after this date and time.

Wed Oct  5 18:00:00 UTC 2022

What will happen to the old domain name?

My plan at the moment is to keep amissing.link registered indefinitely. If I change my mind and decide to drop ownership of amissing.link, I will try my best to write about it several months in advance.

That said, do try to switch bookmarks and anything else like that to the new domain, as this was a decision made with more than aesthetics in mind.

Why change the domain name?

DNSSEC

I have wanted to support DNSSEC for some time, given that DNS has some known weaknesses. It is important to me that readers are directed to the right place when they try to visit my website, and adding DNSSEC support makes this outcome more likely.

Note that this will only make a difference under the right conditions (when those trying to access my website are using resolvers that support DNSSEC). Even so, I want to do my part in securing DNS. As I understand it, anything that relies on DNS can benefit from the integrity provided by DNSSEC, so any other services I host here will benefit from this change as well.

Unfortunately, the domain registrar I use does not support DNSSEC for the .link top-level domain. Certainly there are ways to keep the old domain and support DNSSEC, such as transferring to a different registrar or using an external name server, but neither address a separate issue that this does.

Top-level domains matter

I have learned more about top-level domains between the time amissing.link was first registered and now. The location and jurisdiction of the registry that owns a top-level domain can have some consequences, and I did not know that until recently. For instance, the .us top-level domain stipulates, among other things, that all contact information must be provided without omission so that it can be made public.

I am not all that interested in law or reading through legal documents. There are many other things I would much rather learn about or do. So I hope it is no surprise that I want to run this server in peace, and that I would prefer to worry about things like this as little as possible. Although I have not personally been in a situation where this was relevant, I would also like to keep it that way, so that is why I opted for .is as a top-level domain.

The EFF has a white-paper on Internet registries that may explain this whole thing better than I can.

Wrapping up

Originally I had planned to write some about the personal meaning behind the new domain name I chose, but it turned out to be a lengthier explanation than I anticipated. I decided against including it in this announcement to keep things brief and on topic, but I would like to write about it in the next article, so stay tuned.

Verification (optional)

For those interested in verifying that I am really the one doing this, I have made the Markdown for this page available as a .txt file, and added a signed SHA256 file. The signature can be validated with the appropriate public key.

I also decided to create a signify(1) keypair for those that prefer signify to GPG. As before, the signed SHA256 file is validated with the appropriate public key.

I think it makes sense to support both methods because I have not published that signify key before, despite preferring the simplicity of signify.

With GPG

Create a temporary directory and change directory.

$ mktemp -d
/tmp/tmp.jeT8T5wNgp
$ cd /tmp/tmp.jeT8T5wNgp

Fetch needed files.

$ ftp https://amissing.link/migration/domain-migration.txt \
> https://amissing.link/migration/gpg/SHA256.sig \
> https://amissing.link/pubkeys/eurydice.asc > /dev/null

Import the public key.

$ gpg --import eurydice.asc
gpg: key 53670DEBCF375780: public key "Ashlen <eurydice@riseup.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Verify that I issued the checksum. Note the placeholders for hours, minutes, and seconds.

$ TZ=UTC gpg --verify SHA256.sig
gpg: Signature made Mon Oct  3 hh:mm:ss 2022 UTC
gpg:                using EDDSA key 90965AE120F8E848979DEA4853670DEBCF375780
gpg: Good signature from "Ashlen <eurydice@riseup.net>" [ultimate]

Verify that the checksum of domain-migration.txt matches.

$ sha256 -C SHA256.sig domain-migration.txt
(SHA256) domain-migration.txt: OK

With signify

Create a temporary directory and change directory.

$ mktemp -d
/tmp/tmp.RVBcIwTTal
$ cd /tmp/tmp.RVBcIwTTal

Fetch needed files.

$ ftp https://amissing.link/migration/domain-migration.txt \
> https://amissing.link/migration/signify/SHA256.sig \
> https://amissing.link/pubkeys/sigkey.pub > /dev/null

Verify that I issued the checksum and that the checksum of domain-migration.txt matches.

$ signify -Cp sigkey.pub -x SHA256.sig
Signature Verified
domain-migration.txt: OK

My Unix blog: scripts, software, /etc - anthesis

Font comparison and review: Atkinson Hyperlegible Mono

Font comparison and review: Atkinson Hyperlegible Mono

Table of contents

On character distinction and readability

Multi-character homoglyphs

Single character homoglyphs

Mirror image glyphs

Scenarios where character distinction matters

About the Atkinson Hyperlegible font family

The Atkinson Hyperlegible family’s unique design features

Distinct silhouettes

Enhanced letterforms

Asymmetrical spurs and exaggerated descenders

Comparison to JetBrains Mono and Fira Code

Single homoglyphs comparison

Mirror glyphs comparison

Programming symbols comparison

Alphabet comparison

Installation and configuration

Caveats

Other resources

A note on licensing

Gentoo one-liners for a rainy day

Gentoo one-liners for a rainy day

Table of contents

Prerequisites

Finding packages with the most dependencies

Finding the largest packages

Combining package size and dependency count

Print packages without a package.env entry

As above, but only larger packages

Analyzing upgradeable packages

Multi-column sorting

Practical applications

OpenPGP Key Transition Statement

OpenPGP Key Transition Statement

Table of contents

Key Details

Old Key

New Key

Verification Instructions

Keys

Transition Document

Verification Steps

Linux/Unix internals: x86_64 CFLAGS/CXXFLAGS

Linux/Unix internals: x86_64 CFLAGS/CXXFLAGS

Table of contents

Arch

Alpine

Clear Linux

Debian

Fedora

Gentoo

NixOS

OpenBSD

OpenSUSE

Solus

Ubuntu

Void

Caveats

Areas for improvement

Other resources

Encrypted headless Raspberry Pi running Gentoo

Encrypted headless Raspberry Pi running Gentoo

Table of contents

What my setup involves

Covering the microSD card installation

Wireless networking

Serial console

Summarizing the rest

Preparing the disk

Ensuring kernel support

Compiling the Raspberry Pi foundation kernel and installing it

Editing configuration files

Copying the filesystem contents over

Switching to gentoo-sources

Conclusion and thoughts

How to find the best software for you

How to find the best software for you