kpcyrd 🏴
kpcyrd.chaos.social.ap.brid.gy
Rust Developer 🦀, {Arch Linux,Debian,Alpine} Package Maintainer 📦, Reproducible Builds Enthusiast ⛓, Security Researcher 🦝, Anarcho Communist 🏴

🌉 bridged from ⁂ https://chaos.social/@kpcyrd, follow @ap.brid.gy to interact
[politics]

Digital independence is nice and everything, but if the USA invasion of Europe starts a war, do I lose my .org domain due to not being able to renew? #diday #digitalsovereignty
January 21, 2026 at 1:42 PM
My #2026 resolution was field-testing sha256 git repos and I converted one of my minor projects, but since Github only supports sha1 I've moved the repository to codeberg:

https://codeberg.org/kpcyrd/ssh-keyonly

Everything else worked well. I'm also mirroring the repo to Arch Linux' Gitlab […]
Original post on chaos.social
January 12, 2026 at 7:19 PM
I did a writeup of things I was working on in 2025: https://vulns.xyz/2025/12/2025-wrapped/
kpcyrd: 2025 wrapped
Same as last year, this is a summary of what I’ve been up to throughout the year. See also the recaps/retrospections published by my friends (antiz, jvoisin, orhun).

* Uploaded 467 packages to Arch Linux
  * Most of them being reproducible, meaning I provably didn’t abuse my position of compiling the binaries
  * 35 of them are signal-desktop
  * 29 of them are metasploit
* Made 53 uploads to Debian
  * All of them related to my work in the debian-rust team, which I’ve been a part of since 2018
  * Also applied for Debian Developer status (with 4 Debian Developers advocating for me)
* Made 14 commits in Alpine Linux’s aports
  * 13 of them being package releases
* Made 2 commits in NixOS’ nixpkgs
  * Also joined their Github org
* Made 4 commits in homebrew-core
  * With special focus on polishing the Rust development experience for the RP2040 microcontroller
* Lost Onion, my cat of 13 years, to inoperable cancer. He has been with me throughout my entire open source journey (sometimes being credited as co-author) and looked after me for my entire adult life. You won’t be forgotten. 🐈‍⬛
* Developed 6 hand-held games with embedded Rust, most of them being birthday gifts for people close to me
  * game-taco-burglar
    * A motorcycling lockpicker
  * game-antifa-syndikitty
    * A nurse with a secret double life
    * At that point the longest and most in-depth game I built throughout my life
  * game-chop-chop
    * A French tetris-spinoff, this was one of my Fusion projects this year
    * The hardware was specifically designed to be easy to solder/make from readily available parts (~€5 per unit)
    * I gave away a few devices I made, some people successfully built one on their own
  * game-ratatat
    * A space-invader-like game about a very enthusiastic seamster
  * game-octo-space-irs
    * As an employee of the intergalactic revenue service, you tax the rich through reversing and cracking computer programs
    * I gifted another copy to a Tor directory authority operator I’m friends with, who was very excited about the concept and levels I designed
  * game-the-curse-of-the-headless-goose
    * A turn-based game about an underground kickboxing club
    * This one was meant to be a rogue-lite (which I needed the savegame library for), but I only managed to build the introduction/tutorial unfortunately
* Picked up work on apt-swarm again
  * Replaced the old database code with a custom engine, reducing RAM usage from multiple gigabytes down to ~9MB
  * Ran a small p2p network all over the world, with ~10-15 locations/countries on average
  * As part of this, found a bug in tokio that could lead to silent data loss in some cases
* Had 2 of my projects explicitly mentioned in the Debian release notes in their “What’s new in Debian 13” summary
* Was mentioned in multiple academic papers on arxiv.org:
  * Reproducible Builds and Insights from an Independent Verifier for Arch Linux (explicitly in the “Acknowledgments” section)
  * Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?
  * Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
  * Causes and Canonicalization of Unreproducible Builds in Java
  * Reproducible Builds for Quantum Computing (mentions rebuilderd)
* Was referenced twice on LWN:
  * Hash-based module integrity checking (mentions me directly)
  * Fedora change aims for 99% package reproducibility (doesn’t mention me, but rebuilderd 10x)
* Published a draft version of PlatypOS, an “Experimental toy unix-like userspace operating system with strong preference towards Rust”. As part of this:
  * Developed custom pacman-database tooling in Rust instead of bash
  * During this project I found and reported issues in uutils’ `install` (uutils/coreutils#8033) and `mv` (uutils/coreutils#8044) (both fixed shortly after)
  * The project stalled because it’s too big to side-quest
* Had the first ever CVE issued for software I wrote: CVE-2025-52926
  * Found, reported and fixed by a c’t Open Source editor
* Published 9 repositories related to my embedded Rust work
  * embedded-mono-img for all the graphics in my games
  * rp2040-psp-joystick to demo use of an analog joystick input
  * rp2040-demo-st7789 to demo a higher resolution screen I experimented with
  * rp2040-demo-w25qxx to demo how to store data in NOR flash
  * rp2040-demo-at24cxx to demo how to store data in an EEPROM
  * embedded-graphics-colorcast, a library I developed so I can keep using embedded-mono-img on ST7789/ILI9486 screens - I used tinybmp in one project but it was fairly slow
  * ch32v003-demo to demo and document the low-end ch32v003 RISC-V microcontroller, with devboards that are commonly sold for €0.50-0.70 on AliExpress (it’s cute but lacks the required 5.1kΩ resistors on the USB-C configuration pins that tell the host to provide 5V, so it won’t work with many USB-C chargers, which is quite annoying)
  * embedded-savegame, an atomic/transactional savegame library, with powerfail-safety and wear-leveling, optimized for flash and EEPROM storage
  * djb2, a very lightweight non-cryptographic checksum algorithm that replaced my use of CRC32 in the embedded-savegame library, to make it more suitable for the ch32v003
* Contributed to the Reproducible Builds mailing list 30 times
* Developed repro-threshold, an integration for apt to act as a rebuilderd client, enforcing a reproducible builds trust policy of your choice
  * The feature was suggested/requested by a CCC member during MiniDebConf Hamburg 2025
* Collaborated with an openSUSE engineer I’ve known for several years to debug and fix an issue in gtk-rs that caused indeterministic build output for many desktop programs
* Volunteered at a soldering workshop for beginners for the 4th year in a row
* Completed the first year of volunteering in an awareness team
* Wrote 1 blog post (besides this one)
* Attended FOSDEM, MiniDebConf, Fusion, the Reproducible Builds summit, the Arch Summit and 39c3
  * Hosted sessions at both FOSDEM (1st time) and Fusion (2nd time)
* Grew and harvested 2 plants
* Traveled to
  * Denmark
  * Sweden
  * Turkey, visiting a good friend
  * Belgium
  * Austria
* Made and printed
  * 2 new sticker designs
  * 2 new hoodie designs
* Changed my medication plan
* Got 4 new tattoos

Thanks to everybody who has been part of my human experience, past or present. Especially those who’ve been closest.
January 1, 2026 at 5:02 PM
RE: https://fosstodon.org/@orhun/115775969492350970

haha, maybe I can finally do android development now
December 24, 2025 at 7:55 PM
In other news, very happy to see the most popular #rust http client library is switching their default TLS implementation from OpenSSL to #Rustls.

https://github.com/seanmonstar/reqwest/releases/tag/v0.13.0-rc.1
Release v0.13.0-rc.1 · seanmonstar/reqwest
👀 Discussion here if you give it a try, thanks! Main breaking changes: rustls is now default instead of native-tls; rustls provider defaults to aws-lc instead of ring (rustls-no-provider exists if you...
December 24, 2025 at 4:42 PM
#netcat is really popular with #linux users, but also quite the train-wreck.

There are multiple mainstream implementations, they all have incompatible command-line interfaces, and two of them have been unmaintained for 20 years and lack IPv6 support (netcat-traditional and gnu-netcat).

Debian […]
Original post on chaos.social
December 24, 2025 at 4:04 PM
Out of the 789 npm packages on the Sha1-Hulud list, only 4 have shown up in the dependency trees of any Linux operating system.

Not in the affected versions, but ever.

#supplychainsecurity #infosec
November 25, 2025 at 11:34 AM
Github Actions and the hashFiles incident
lists.reproducible-builds.org
November 23, 2025 at 8:28 PM
The sudo-rs CVE-2025-64517 is all over the news, but it looks like it's not really exploitable in the wild?

It's a very cool find and I'm glad it's fixed, but it's not the unconditional local-root that people seem to think it is? Going from www-data to root with this bug seems to be almost […]
Original post on chaos.social
November 13, 2025 at 10:47 PM
While the bug in async-tar/tokio-tar dubbed #tarmageddon / CVE-2025-62518 is cool on a technical and code-correctness level, I'm calling bullshit on the #rce claim. It's a severe overstatement that isn't backed by the advisory.

Processing a tar stream with a vulnerable version won't execute […]
Original post on chaos.social
October 21, 2025 at 5:18 PM
In 2025 your options when making a website as a non-webdev person are "everybody is upset because it looks AI generated", "everybody is upset because it's bootstrap" and "everybody is upset because you decided the only css is going to be `body { background-color: #db7093; font-family: sans-serif […]
Original post on chaos.social
October 17, 2025 at 8:29 PM
Friendly reminder that many pseudonymous opensource developers are well prepared and equipped for things like "end-to-end encrypted chat gets outlawed".

The cypherpunk movement never really died, it just wasn't necessary while regulators acted mostly reasonable and there are in fact some things […]
Original post on chaos.social
October 8, 2025 at 1:22 PM
I always feel a little fancy when I get to decide about random implementation details during my #debian adventures, like how this error should be handled.

The code assumes an outdated API of the library, that returned either a list of certificates, or a […]
Original post on chaos.social
October 1, 2025 at 6:55 PM
Just found this option in Github repository settings :) Very happy this is getting emphasized.
September 18, 2025 at 10:58 PM
For the memes, there's now an apt-swarm node running in Nepal:

38.54.71.220:16169

Joining my collection of "p2p nodes running in countries with active conflicts". https://map.apt-swarm.orca.toys/
Map of apt-swarm p2p locations
🌏⛏ hack the planet 🌈✨
September 13, 2025 at 2:44 PM
Reposted by kpcyrd 🏴
Sticker in the mail!!
September 13, 2025 at 1:54 PM
Open Source is one person
opensourcesecurity.io
August 29, 2025 at 12:36 PM
If you do #embedded #rust on the #rp2040 with elf2uf2-rs, and you struggle with the recent "Unrecognized ABI" error due to a change in Rust's elf header for `thumbv6m-none-eabi`, I've landed StripedMonkey's patch in both Arch Linux and Homebrew, so if you use those packages, things should work […]
Original post on chaos.social
August 29, 2025 at 8:50 AM
I locked myself out of an account by:

1) starting the process to enable 2FA
2) saving the TOTP secret into bitwarden/vaultwarden
3) entering the confirm code and continuing
4) the website asks me to "add a security question", which I didn't want to do, I cancel the setup
5) I delete the TOTP secret […]
Original post on chaos.social
August 25, 2025 at 11:41 PM
When I did my first Debian install, I didn't see coming that a tool I authored would be explicitly mentioned in the Debian release notes ~15 years later. 🖤

https://www.debian.org/releases/trixie/release-notes/whats-new.en.html#debian-progress-towards-reproducible-builds
August 10, 2025 at 11:11 PM
For future reference, to crack the passphrase of your gpg secret key:

```
# --batch --passphrase-fd 0 --pinentry-mode loopback make gpg read the passphrase from stdin
# instead of prompting; the export only succeeds once the right passphrase is supplied.
# progpick runs the command once per candidate it generates from the pattern in pattern.txt.
progpick -e 'env GNUPGHOME=/backup/.gnupg/ gpg --batch --passphrase-fd 0 --pinentry-mode loopback --export-secret-keys YOUR_FINGERPRINT' "$(cat pattern.txt)"
```
August 6, 2025 at 8:35 PM
Malware was recently found in some popular npm pkgs:
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack

I checked the affected versions against the whatsrc.org dataset, while most of the packages (eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core […]
Original post on chaos.social
July 25, 2025 at 9:59 AM
For transparency: my #archlinux signing key is expiring, and other packagers have kindly started re-uploading my pkgs with different sigs (also taking care of updates meanwhile).

I struggle to jump through the necessary hoops to recover the pgp key needed to renew my subkey - I chose "better […]
Original post on chaos.social
July 17, 2025 at 10:53 PM
I sell software to software companies that sell software to companies that make software.
June 19, 2025 at 12:49 AM
I did a writeup of things I was working on in 2024: https://vulns.xyz/2024/12/2024-wrapped/
Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot; being gentle with myself, I’ll probably just permit myself to complete this list over the next couple of days. I hate bragging, I try not to depend on external validation as much as possible, and being the anarcho-communist anti-capitalist that I am, I try to be content with knowing I’m “doing good in the background”. I don’t think people owe me for the work I did, I don’t expect anything in return, and it’s my way of giving back to the community and the people around me. Consider us even. That being said, I:

* Uploaded 689 packages to Arch Linux
  * Most of which being reproducible, meaning I provably didn’t abuse my position of compiling the binaries
  * 59 of those are signal-desktop
  * 34 of those are metasploit
* Made 28 commits in Alpine Linux’s aports
  * 24 of those being package releases
* Made 43 uploads to Debian
  * All of them related to my work in the debian-rust team, which I’ve been a part of since 2018
* Made 5 commits in NixOS’ nixpkgs
* Made 1 commit in homebrew-core
* Was one of the people involved in rolling out `_FORTIFY_SOURCE=3` compiler hardening in Arch Linux, for the entire operating system. I wrote lists, tools and patches, and my work got me quoted in an “Additional Considerations” section of the OpenSSF compiler hardening guide for C and C++. There are now more, stricter buffer-overflow checks at runtime that hopefully make your computer harder to exploit in 2025.
* Was one of the people behind the launch of `reproduce.debian.net`, which is analogous to `reproducible.archlinux.org`, which I also helped create 5 years ago. Reproducing these packages (and allowing anybody else to do the same) proves the binaries have not been backdoored by the build server (or whoever compiled them), and if there’s a backdoor, you can likely find it in the source code.
* Integrated librustls, a memory-safe TLS implementation, into Arch Linux’s C dynamic linking ecosystem and became one of the authors of the rustls curl TLS backend
* In response to the XZ Jia Tan incident I created whatsrc.org, a source code indexing project. It doesn’t solve anything in itself, but it frames the concept of source code inputs and how to reason about them in a way that I consider promising. It also documents and makes very apparent what specifically is the source code we’re putting into our computers that would benefit from code reviews.
* Contributed to the Reproducible Builds mailing list 33 times
* Volunteered at a soldering workshop for beginners for the 3rd year in a row, with people describing me as a good teacher, giving very calm vibes and having endless patience
* Reverse engineered the Signal username and QR-code feature
* Rewrote my tooling for apt.vulns.xyz to use repro-env; the .deb files can now be verified through reproducible builds, and I switched to static Rust binaries because I had trouble targeting multiple Debian/Ubuntu releases with my previous tooling
* Wrote 0 blog posts (besides this one)
* Wrote 5,937 messages in IRC channels
* Got mentioned 1,664 times on IRC
* Attended FOSDEM, Fusion, the Reproducible Builds summit, Hackjunta 2024#2 and 38c3
* Made and printed 8 new sticker designs, and a custom hoodie
* Mastered the art of pragmatic zaza cultivation and processing
* Got 2 new piercings and 2-3 new tattoos (depending on how you count them)

Thanks to everybody who has been part of my human experience, past or present. Especially those who’ve been closest.

cheers, kpcyrd ✨
May 26, 2025 at 3:28 PM