Dear blog. This post is inspired by an old friend of mine who has been writing these for the past few years. I meant to do this for a while now, but ended up not preparing anything, so this post is me writing it from memory. There’s likely stuff I forgot; being gentle with myself, I’ll probably just permit myself to complete this list over the next couple of days.

I hate bragging, I try to not depend on external validation as much as possible, and being the anarcho-communist anti-capitalist that I am, I try to be content with knowing I’m “doing good in the background”. I don’t think people owe me for the work I did, I don’t expect anything in return, and it’s my way of giving back to the community and the people around me. Consider us even.

That being said, I:

  • Uploaded 689 packages to Arch Linux
    • Most of which being reproducible, meaning I provably didn’t abuse my position of compiling the binaries
    • 59 of those are signal-desktop
    • 34 of those are metasploit
  • Made 28 commits in Alpine Linux’s aports
    • 24 of those being package releases
  • Made 43 uploads to Debian
    • All of them being related to my work in the debian-rust team, which I’ve been a part of since 2018
  • Made 5 commits in NixOS’ nixpkgs
  • Made 1 commit in homebrew-core
  • Was one of the people involved in rolling out _FORTIFY_SOURCE=3 compiler hardening in Arch Linux, for the entire operating system. I wrote lists, tools, patches and my work got me quoted in an “Additional Considerations” section of the OpenSSF compiler hardening guide for C and C++. There are now more, stricter buffer-overflow checks at runtime that hopefully make your computer harder to exploit in 2025.
  • Was one of the people behind the launch of reproduce.debian.net, which is analogous to reproducible.archlinux.org, which I also helped create 5 years ago. Reproducing these packages (and allowing anybody else to do the same) proves the binaries have not been backdoored by the build server (or whoever compiled them), and if there’s a backdoor, you can likely find it in the source code.
  • Integrated librustls, a memory safe TLS implementation, into Arch Linux’s C dynamic linking ecosystem and became one of the authors of the rustls curl TLS backend
  • In response to the XZ Jia Tan incident I created whatsrc.org, a source code indexing project. It doesn’t solve anything in itself, but it’s framing the concept of source code inputs and how to reason about them in a way that I consider promising. It also documents and makes very apparent what specifically the source code is that we’re putting into our computers, and that would benefit from code reviews.
  • Contributed to the Reproducible Builds mailing list 33 times
  • Volunteered at a soldering workshop for beginners for the 3rd year in a row, with people describing me as a good teacher, giving very calm vibes and having endless patience (qualities that I value deeply)
  • Reverse engineered the signal username and QR-code feature
  • Rewrote my tooling for apt.vulns.xyz to use repro-env, the .deb files can now be verified through reproducible builds, and I switched to static Rust binaries because I had trouble targeting multiple Debian/Ubuntu releases with my previous tooling
  • Wrote 0 blog posts (besides this one)
  • Wrote 5.937 messages in irc channels
  • Got mentioned 1.664 times on irc
  • Attended FOSDEM, Fusion, the Reproducible Builds summit, Hackjunta 2024#2 and 38c3
  • Made and printed 8 new sticker designs, and a custom hoodie
  • Mastered the art of pragmatic zaza cultivation and processing
  • Got 2 new piercings and 2-3 new tattoos (depending on how you count them)

Thanks to everybody who has been part of my human experience, past or present. Especially those who’ve been closest.

cheers,
kpcyrd ✨