Big Blue

A 14” ThinkPad T420—repeatedly upgraded for more RAM, storage, and eventually even a faster CPU—carried me through college. I fell in love with its pragmatic design, hacker friendliness, and broad plug-and-play Linux kernel support (most kernel developers—at the time, anyway—were ThinkPad users).

But something happened at Lenovo: in 2015–2016, a string of generously-named security incidents shattered consumer confidence, and each year felt like a step backwards in ThinkPad quality: Lenovo dialed back repairability in favor of sleek design, and capped screen resolutions for flagship models at 1080/1440p. In 2020, when the soldered-in-place RAM module on my brand new X1 Carbon failed after mere months of use, I elected to replace Lenovo instead of the machine.

The AMD Framework 13 laptop is everything I loved about ThinkPad: repairable, upgradeable, with high-quality displays and mainline kernel support (Tainted kernels aren’t my thing). It is a wonderful, tiny machine with a 3:2 display is just large enough for comfortable daily use and a chassis just light enough for carry as a second laptop when I’m on-call at work.

Hardware Overview

I built the hardware myself, meaning my Framework 13 required last-mile assembly by the end-user. This gives a better sense of control & repairability and lets you customize the machine, and it only takes a few minutes to assemble. I read complaints online about build quality but haven’t personally noticed anything bothersome besides wishing the bezel were aluminum (a very minor thing).

The AMD Ryzen AI 7 350 with Radeon 860M provides excellent performance and Linux compatibility. The integrated graphics work well with ollama for local AI inference:

$ cat /proc/cpuinfo | grep '^model name' | head -n1
model name      : AMD Ryzen AI 7 350 w/ Radeon 860M

The trackpad impressed me—it allows full tactile buttonpress over most of the surface (everything except the top half-centimeter). The keyboard is good quality; I chose blank keycaps for style and to encourage memorizing my layout. The power button doubles as a fingerprint reader that works reliably with out-of-box drivers.

# # smartctl -a /dev/nvme0n1  | grep -i shutdown
Unsafe Shutdowns:                   44,053

Installation

NixOS is my distro of choice, but didn’t work for me: it failed to detect the Framework’s internal keyboard, using both the minimal and graphical NixOS ISOs. I tested external keyboards—which worked. As far as NixOS was concerned, the internal Framework keyboard device did not exist. I was able to successfully plug in external USB keyboards, however, and fell back to what I’m comfortable running: Arch.

To capture some of the benefits of Nix, I took a hybrid approach: Arch Linux as the base system with Nix (pacman -S nix) and home-manager for userspace configuration. This lets me reuse and improve configurations from my NixOS desktop while maintaining hardware compatibility. The dividing line I established: home-manager manages nearly all of my homedir, while pacman handles system packages and interactive configuration.

I plan to eventually migrate the full system NixOS. The nice thing about this is migrations from running systems are popular enough to be well-supported (at least by the community), and NixOS’s declarative nature lends itself particularly well to in-place upgrades.

$ lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1       259:0    0  1.8T  0 disk
├─nvme0n1p1   259:1    0    2G  0 part  /boot
├─nvme0n1p2   259:2    0  1.8T  0 part
│ └─cryptroot 253:0    0  1.8T  0 crypt
│   ├─vg-swap 253:1    0   32G  0 lvm   [SWAP]
│   └─vg-main 253:2    0  1.8T  0 lvm   /home
│                                       /var
│                                       /
└─nvme0n1p3   259:3    0    2G  0 part  /boot/efi

Security Configuration

With the base system and disk layout in place, next up is hardening the system security posture. The Framework 13 supports modern security functionality like secure boot, TPM-based disk encryption, and biometric authentication.

# sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     9df5ea07-e33e-4361-9c03-51d46b0dd9ed
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    none

# sbctl create-keys

# ls /var/lib/sbctl/keys
db  KEK  PK

# cat /etc/pacman.d/hooks/90-secureboot-systemd-update.hook
[Trigger]
Operation = Upgrade
Type = Package
Target = systemd # systemd-boot is part of the systemd package

[Action]
Description = Updating and signing systemd-boot on ESP for Secure Boot...
When = PostTransaction
Exec = /usr/local/bin/update-signed-bootloader
NeedsTargets

$ sbctl sign --save /boot/efi/EFI/Linux/arch-troubleshoot.efi

# sbctl list-files
/boot/efi/EFI/systemd/systemd-bootx64.efi
Signed:         ✓ Signed

...

/boot/efi/EFI/Manual/arch.efi
Signed:         ✓ Signed

/boot/efi/EFI/Manual/arch-troubleshoot.efi
Signed:         ✓ Signed

# sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     9df5ea07-e33e-4361-9c03-51d46b0dd9ed
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    none

[Trigger]
Operation = Upgrade
Type = Package
Target = linux
Target = amd-ucode # Add other relevant packages like 'systemd' if its updates affect initramfs build

[Action]
Description = Rebuilding UKIs and signing with sbctl...
When = PostTransaction
Exec = /usr/local/bin/rebuild-ukis-for-sbctl.sh
NeedsTargets

#!/bin/bash
set -euo pipefail

# Configuration
LUKS_UUID="$(blkid -s UUID -o value /dev/nvme0n1p2)"
SWAP_UUID="$(blkid -s UUID -o value /dev/mapper/vg-swap)"
UKI_PATH="/boot/efi/EFI/Manual"

# Basic kernel command line
CMDLINE="root=/dev/mapper/vg-main rw rootflags=subvol=@ rd.luks.name=${LUKS_UUID}=cryptroot rd.luks.options=${LUKS_UUID}=tpm2-device=auto,tries=3 resume=UUID=${SWAP_UUID} nvme_core.default_ps_max_latency_us=25000"

# Signing configuration
SECUREBOOT_KEY="/var/lib/sbctl/keys/db/db.key"
SECUREBOOT_CERT="/var/lib/sbctl/keys/db/db.pem"

build_uki() {
    local kernel="$1"
    local initrd="$2"
    local output="$3"
    local extra_cmdline="${4:-}"

    echo "Building $(basename "$output")..."

    ukify build \
        --linux="$kernel" \
        --initrd="$initrd" \
        --microcode='/boot/amd-ucode.img' \
        --os-release='@/etc/os-release' \
        --cmdline="${CMDLINE} ${extra_cmdline}" \
        --signtool='sbsign' \
        --output="$output"
    sbctl sign "${output}"
}

# Build main kernel
build_uki \
    "/boot/vmlinuz-linux" \
    "/boot/initramfs-linux.img" \
    "${UKI_PATH}/arch.efi"

echo "UKIs rebuilt and signed successfully."

# systemd-analyze pcrs
NR NAME                SHA256
 0 platform-code       [6aebf...                    sha256                    ...dea32]
 1 platform-config     [...                         sha256                         ...]
 2 external-code       [...                         sha256                         ...]
 3 external-config     [...                (same as external-code)                 ...]
 4 boot-loader-code    [...                         sha256                         ...]
 5 boot-loader-config  [...                         sha256                         ...]
 6 host-platform       [...                         sha256                         ...]
 7 secure-boot-policy  [...                         sha256                         ...]
 8 -                   0000000000000000000000000000000000000000000000000000000000000000
 9 kernel-initrd       [...                         sha256                         ...]
10 ima                 0000000000000000000000000000000000000000000000000000000000000000
11 kernel-boot         [...                         sha256                         ...]
12 kernel-config       0000000000000000000000000000000000000000000000000000000000000000
13 sysexts             0000000000000000000000000000000000000000000000000000000000000000
14 shim-policy         0000000000000000000000000000000000000000000000000000000000000000
15 system-identity     [...                         sha256                         ...]
16 debug               0000000000000000000000000000000000000000000000000000000000000000
17 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
18 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
19 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
20 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
21 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
22 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
23 application-support 0000000000000000000000000000000000000000000000000000000000000000

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="0+6+7" /dev/nvme0n1p2

# cryptsetup luksDump /dev/nvme0n1p2 | grep "hash-pcrs"
        tpm2-hash-pcrs:   0+6+7

# systemd-cryptenroll /dev/nvme0n1p2 \
    --tpm2-device=auto \
    --tpm2-pcrs=0+6+7 \
    --tpm2-with-pin=yes
🔐 Please enter current passphrase for disk /dev/nvme0n1p2: •••••••••••••••••••••••••••••
🔐 Please enter TPM2 PIN: ••••••••••
🔐 Please enter TPM2 PIN (repeat): ••••••••••

rd.luks.options=${LUKS_UUID}=tpm2-device=auto,tries=3

UKIFY(1)                             ukify                             UKIFY(1)

NAME
       ukify - Combine components into a signed Unified Kernel Image for UEFI
       systems

       [...]

       If PCR signing keys are provided via the
       PCRPrivateKey=/--pcr-private-key= and PCRPublicKey=/--pcr-public-key=
       options, PCR values that will be seen after booting with the given
       kernel, initrd, and other sections, will be calculated, signed, and
       embedded in the UKI.  systemd-measure(1) is used to perform this
       calculation and signing.

# ukify genkey \
    --pcr-private-key=/var/lib/pcr-keys/pcr-initrd.key.pem \
    --pcr-public-key=/var/lib/pcr-keys/pcr-initrd.pub.pem

# ukify build \
    --linux='/boot/vmlinuz-linux' \
    --initrd='/boot/initramfs-linux' \
    --microcode='/boot/amd-ucode.img' \
    --os-release='@/etc/os-release' \
    --cmdline="${CMDLINE}" \
    --pcrs=0,6,7 \
    --pcr-private-key='/var/lib/pcr-keys/pcr-initrd.key.pem' \
    --pcr-public-key='/var/lib/pcr-keys/pcr-initrd.pub.pem' \
    --signtool='sbsign' \
    --secureboot-private-key='/var/lib/sbctl/keys/db/db.key' \
    --secureboot-certificate='/var/lib/sbctl/keys/db/db.pem' \
    --output='/boot/efi/EFI/Manual/arch.efi'

# systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1p2

# systemd-cryptenroll --tpm2-device=auto \
  --tpm2-pcrs=0+6+7 \
  --tpm2-public-key=/var/lib/pcr-keys/pcr-initrd.pub.pem \
  /dev/nvme0n1p2

# cryptsetup luksDump /dev/nvme0n1p2
    ...
0: systemd-tpm2
        tpm2-hash-pcrs:   0+6+7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey:
        tpm2-pubkey-pcrs: 11
        tpm2-primary-alg: ecc
        tpm2-pin:         false
        tpm2-pcrlock:     false
        tpm2-salt:        false
        tpm2-srk:         true
        tpm2-pcrlock-nv:  false
        Keyslot:    1

#!/bin/bash

LOG_DIR=/run/pcr15
mkdir -p "${LOG_DIR}"

log() {
    local message="${@}"
    echo "$(/bin/date '+%Y-%m-%d %H:%M:%S') - $@" |
        tee -a "${LOG_DIR}/validation.log" >&2
}

parse_cmdline() {
    local cmdline
    cmdline="$(cat /proc/cmdline)"
    read -r cmdline < /proc/cmdline
    if [[ "${cmdline}" =~ expected_pcr15=([0-9a-fA-F]+) ]]; then
        echo "${BASH_REMATCH[1]}"
    else
        echo ""
    fi
}

get_pcr15() {
    local pcr_output
    pcr_output="$(systemd-analyze pcrs 15 --json=short 2>/dev/null)"

    # Extract sha256 field using bash string manipulation
    if [[ "${pcr_output}" =~ \"sha256\":\"([0-9a-fA-F]+)\" ]]; then
        echo "${BASH_REMATCH[1]}"
    else
        echo ""
    fi
}

expected_pcr15="$(parse_cmdline)"
actual_pcr15="$(get_pcr15)"

if [ -n "${expected_pcr15}" ]; then
    log "Checking PCR 15 value"
    if [ "${actual_pcr15}" != "${expected_pcr15}" ]; then
        log "PCR 15 check failed. Expected '${expected_pcr15}', got '${actual_pcr15}'"
        log "WARNING: PCR 15 check failed - values don't match"
        log "This could indicate filesystem tampering or normal system changes"
        log "pcr15 mismatch // expected: '${expected_pcr15}' // actual: '${actual_pcr15}'"
        systemctl start emergency.target
        exit 1
    else
        log "PCR 15 check succeeded with value ${actual_pcr15}"
    fi
else
    log "No expected PCR 15 value provided - capture this for future validation!"
    log "Add 'expected_pcr15=${actual_pcr15}' to your kernel command line."
fi

[Unit]
Description=Measure filesystem integrity into PCR 15
DefaultDependencies=no
After=cryptsetup.target
After=systemd-pcrphase-initrd.service
Before=initrd-switch-root.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/check-pcr15.sh
StandardOutput=journal+console
StandardError=journal+console

[Install]
WantedBy=initrd.target
RequiredBy=initrd-switch-root.target

#!/usr/bin/bash

run_hook() {
    true
}

#!/bin/bash

build() {
    # Include the TPM2 tools
    add_binary /usr/bin/tpm2_pcrread
    add_binary /usr/bin/systemd-analyze

    # Dependencies for tpm2_pcrread if needed
    add_binary /usr/lib/libtss2-tcti-device.so
    add_binary /usr/lib/libtss2-tcti-cmd.so
    add_binary /usr/lib/libtss2-mu.so
    add_binary /usr/lib/libtss2-esys.so
    add_binary /usr/lib/libtss2-tctildr.so
}

help() {
    cat <<HELPEOF
This hook includes TPM2 tools needed for PCR validation.
HELPEOF
}

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block lvm2 resume check-pcr15 filesystems fsck)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=(/bin/bash /usr/bin/systemd-analyze /usr/bin/tpm2_pcrread /bin/date)

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/etc/systemd/system/check-pcr15.service /usr/local/bin/check-pcr15.sh /etc/systemd/system/initrd.target.wants/check-pcr15.service)

# systemctl status check-pcr15.service
○ check-pcr15.service - Measure filesystem integrity into PCR 15
     Loaded: loaded (/etc/systemd/system/check-pcr15.service; enabled; preset: disabled)
     Active: inactive (dead) since Mon 2025-07-14 04:08:52 EDT; 17h ago
   Duration: 72ms
 Invocation: 4e768bbf20c147d18521aecd5fd30778
   Main PID: 349 (code=exited, status=0/SUCCESS)

Jul 14 04:08:51 archlinux systemd[1]: Starting Measure filesystem integrity into PCR 15...
Jul 14 04:08:51 archlinux check-pcr15.sh[367]: 2025-07-14 08:08:51 - Checking PCR 15 value
Jul 14 04:08:52 archlinux check-pcr15.sh[370]: 2025-07-14 08:08:51 - PCR 15 check succeeded with value [...]
Jul 14 04:08:52 archlinux systemd[1]: Finished Measure filesystem integrity into PCR 15.
Jul 14 04:08:52 archlinux systemd[1]: check-pcr15.service: Deactivated successfully.
Jul 14 04:08:52 archlinux systemd[1]: Stopped Measure filesystem integrity into PCR 15.

# diff -c10 /etc/pam.d/system-auth.bk /etc/pam.d/system-auth
*** /etc/pam.d/system-auth.bk   2025-05-01 04:34:54.821598714 -0400
--- /etc/pam.d/system-auth      2025-04-29 23:22:27.302944835 -0400
***************
*** 1,16 ****
--- 1,17 ----
  #%PAM-1.0

  auth       required                    pam_faillock.so      preauth
  # Optionally use requisite above if you do not want to prompt for the password
  # on locked accounts.
  -auth      [success=2 default=ignore]  pam_systemd_home.so
+ auth       sufficient                  pam_fprintd.so
  auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
  auth       [default=die]               pam_faillock.so      authfail
  auth       optional                    pam_permit.so
  auth       required                    pam_env.so
  auth       required                    pam_faillock.so      authsucc
  # If you drop the above call to pam_faillock.so the lock will be done also
  # on non-consecutive authentication failures.

  -account   [success=1 default=ignore]  pam_systemd_home.so
  account    required                    pam_unix.so

# nvme id-ctrl /dev/nvme0 | grep -E "(fr|mn) "
mn        : WD_BLACK SN7100 2TB
fr        : 7612M0WD
# smartctl -a/dev/nvme0n1  | grep -i shutdown
Unsafe Shutdowns:                   44,055

# nvme id-ctrl /dev/nvme0n1 | grep -A6 '^ps '
ps      0 : mp:4.60W operational enlat:0 exlat:0 rrt:0 rrl:0
            rwt:0 rwl:0 idle_power:0.2200W active_power:4.60W
            active_power_workload:80K 128KiB SW
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)
            emergency power fail vault time: -
ps      1 : mp:3.00W operational enlat:0 exlat:0 rrt:0 rrl:0
            rwt:0 rwl:0 idle_power:0.2200W active_power:3.00W
            active_power_workload:80K 128KiB SW
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)
            emergency power fail vault time: -
ps      2 : mp:2.50W operational enlat:0 exlat:0 rrt:0 rrl:0
            rwt:0 rwl:0 idle_power:0.2200W active_power:2.50W
            active_power_workload:80K 128KiB SW
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)
            emergency power fail vault time: -
ps      3 : mp:0.0200W non-operational enlat:2000 exlat:3000 rrt:3 rrl:3
            rwt:3 rwl:3 idle_power:0.0200W active_power:-
            active_power_workload:-
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)
            emergency power fail vault time: -
ps      4 : mp:0.0050W non-operational enlat:4000 exlat:12000 rrt:4 rrl:4
            rwt:4 rwl:4 idle_power:0.0050W active_power:-
            active_power_workload:-
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)
            emergency power fail vault time: -
ps      5 : mp:0.0030W non-operational enlat:176000 exlat:25000 rrt:5 rrl:5
            rwt:5 rwl:5 idle_power:0.0030W active_power:-
            active_power_workload:-
            emergency power fail recovery time: -
            forced quiescence vault time: 10 (unit: 1 second)

# echo 25000 | sudo tee /sys/module/nvme_core/parameters/default_ps_max_latency_us
# cat /sys/module/nvme_core/parameters/default_ps_max_latency_us
25000

Userspace management

I now use nix with home-manager to manage my homedir, similar to my NixOS machine.

Install Nix on Arch:

# pacman -S nix

The goal is, over time, more of the system will be eaten by Nix configuration. I view this as a good thing.

# echo "auto-optimise-store = true" >> /etc/nix/nix.conf

$ grep -E '(build|sandbox)' /etc/nix/nix.conf
sandbox = true
# Unix group containing the Nix build user accounts
build-users-group = nixbld
build-dir = /tmp/nix-build

substituters = https://cache.nixos.org https://nix-community.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=

# echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf

{
  description = "My full system config (Arch + Home Manager)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, home-manager, ... }: let
    system = "x86_64-linux";
    username = builtins.getEnv "USER";
    homeDirectory = builtins.getEnv "HOME";

    secrets = {
      # ...
    };
  in {
    homeConfigurations.${username} = home-manager.lib.homeManagerConfiguration {
      pkgs = import nixpkgs {
        inherit system;
      };
      modules = [
        ../home-manager/arch.nix
        {
          programs.home-manager.enable = true;
          home.stateVersion = "24.11";
        }
      ];
      extraSpecialArgs = {
        inherit system;
        secrets = secrets;
        username = username;
        homeDirectory = homeDirectory;
      };
    };
  };
}

$ . ./secrets.sh
$ nix run github:nix-community/home-manager -- switch --impure --flake .

$ export SECRET_KEY='thxbud'
$ bash
(subshell) $ echo $$
13830

$ TARGET_PID=13830
$ bash -c 'cat "/proc/${TARGET_PID}/environ" | tr ":\0" "\n" | grep -ai secret'
SECRET_KEY=thxbud

$ nix-shell -p "rocmPackages.rocminfo" --run "rocminfo" | grep "gfx"
  Name:                    gfx1152
        Name:                    amdgcn-amd-amdhsa--gfx1152

#!/usr/bin/env bash

OLLAMA_PACKAGE=ollama-rocm
ENV_VARS='HCC_AMDGPU_DEVICES=gfx1152 HSA_OVERRIDE_GFX_VERSION="11.0.0" ROCR_VISIBLE_DEVICES=0'
COMMAND="$ENV_VARS ollama serve"
echo "running '${COMMAND}'"
echo nix-shell -p "${OLLAMA_PACKAGE}" --command "${COMMAND}"

time=2025-05-06T23:21:04.985-04:00 level=INFO source=types.go:130 msg="inference compute" id=0 library=rocm variant="" compute=gfx1152 driver=0.0 name=1002:1114 total="8.0 GiB" available="7.9 GiB"

What is Nix?

The term Nix can have three meanings, depending on context. I’ll cover each of them here.

nix-repl> mul = { left, right }: left * right

nix-repl> mul { left = 10; right = 30; }
300

Installation

Installing NixOS is similar to installing Arch Linux in many ways. There is no official installer, just live .iso and a giant manual. You boot the live USB, partition a disk, mount the disk, generate hardware configuration, and run the installer, which installs the necessary components of the operating system to the mounted disk(s). Unlike Arch, if you wish to customize this system, you have one file to modify: /etc/nixos/configuration.nix. This file defines the entire machine state.

Opt-in state

I used some modifications to this installation from grahamc’s Erase Your Darlings and mt-caret’s Encypted Btrfs Root with Opt-in State on NixOS. Although NixOS tries to make its systems fully reproducible, this is not always possible.

Consider /etc/resolv.conf. This file is generated by resolvconf on a typical systemd Linux system and expected to change if your device roams between networks. In lieu of persistently keeping (and tracking) all the state from /etc, we treat /etc as a semi-ephemeral filesystem, and link only the required persistent configuration from /persist/etc.

In /etc/nixos/configuration.nix:

  environment.etc = {
    nixos.source = "/persist/etc/nixos";
    machine-id.source = "/persist/etc/machine-id";
    NIXOS.source = "/persist/etc/NIXOS";
    adjtime.source = "/persist/etc/adjtime";
  };

Then /etc/nixos/configuration.nix is a hardlink to /persist/etc/nixos/configuration.nix:

# stat /etc/nixos/configuration.nix /persist/etc/nixos/configuration.nix
  File: /etc/nixos/configuration.nix
  Size: 5629            Blocks: 16         IO Block: 4096   regular file
Device: 0,55    Inode: 1141        Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-03-23 09:55:00.014521725 -0400
Modify: 2022-03-23 09:55:00.014521725 -0400
Change: 2022-03-23 09:55:00.015521737 -0400
 Birth: 2022-03-23 09:55:00.014521725 -0400
  File: /persist/etc/nixos/configuration.nix
  Size: 5629            Blocks: 16         IO Block: 4096   regular file
Device: 0,55    Inode: 1141        Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-03-23 09:55:00.014521725 -0400
Modify: 2022-03-23 09:55:00.014521725 -0400
Change: 2022-03-23 09:55:00.015521737 -0400
 Birth: 2022-03-23 09:55:00.014521725 -0400

If we wanted to keep additional state, we can expand the list of links in the Nix definition for our machine.

Config-as-code

A sufficiently complete specification of a system policy leads to the notion of an ideal average state for the system. Over time, the ideal average state of the system degrades. The aim of system administration is to keep the system as close to its ideal state as possible.

-M. Burgess, Theoretical System Administration

In my professional life, I’ve written a fair amount of Puppet, Ansible, and Chef code defining the state of Linux systems. These tools all share a model of Linux systems as mutable, living systems. Their policy is designed to take a system from an unknown initial state toward an ideal state. After sufficient repeated applications of this process of convergence, the system state should tend towards our ideal state.

Nix works differently. Its policies, like most configuration management tools, model the end-state of a system. Unlike traditional configuration management tools, Nix does not assume an unknown initial state. It relies heavily on sandboxing and build isolation to produce ideal states from known initial states.

In some sense, this is a strictly easier problem to solve than convergent configuration management. Nix takes steps to ensure there is only one possible path from initial state to ideal state, and therefore can ensure repeated applications of a Nix derivaiton always result in the same end-state.

Home directory management

Like many users of Unix-like operating systems, I spent a significant amount of time building and tweaking my dotfiles collection to configure new users the way I want. I went through repeated iterations of attempts at making this process manageable, but the tools were never quite sufficient for the job. Prior to Nix, the best solution I’d found was to use GNU Stow to create and manage symlinks from ~/.vimrc to ~/src/github.com/nathantypanski/dotfiles/vim/.vimrc and so on. This works well for individual files, but many tools also have plugin directories and other state that is easy to lose track of. Over time, the dotfiles repository diverges from local system state.

The Nix solution to this problem is home-manager. This is a tool that lets you use the same declarative configuraiton for your home directory (and its many configuration files) as you would for the NixOS operating system.

{ config, pkgs, lib, ... }:

{
  imports = [ ./zsh.nix ];

  home.username = "nathan";
  home.homeDirectory = "/home/nathan";
  home.stateVersion = "22.05";

  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;

  services.gpg-agent = {
    enable = true;
    defaultCacheTtl = 1800;
    enableSshSupport = false;
  };

  home.keyboard.options = ["ctrl:nocaps"];

  # continued below ...

  # continued from above ...

  wayland.windowManager.sway = {
    enable = true;
    wrapperFeatures.gtk = true ;
    config = {
      terminal = "alacritty";
      fonts = {
        names = ["pango:Terminus"];
        style = "normal";
        size = 10.0;
      };
    };
  };

  # continued below ...

  # continued from above ...

  home.packages = with pkgs; [
    haskell.compiler.ghc921
    pass
    rustup
    go-tools
    go
    python39
    python39Packages.pip
    python39Packages.virtualenv
  ];

  # continued below ...

  # continued from above ...

  programs.git = {
    enable = true;
    userName = "ndt";
    userEmail = "...";
  };

  # continued below ...

  # continued from above ...

  programs.zsh = {
    enable = true;
    enableCompletion = true;
    enableSyntaxHighlighting = true;
    history = {
      save = 10000;
      size = 10000;
      share = true;
      extended = true;
      ignoreSpace = true;
      ignorePatterns = [
        "rm *"
        "pkill *"
      ];
    };
    shellAliases = {
      x = "tmux";
    };
  };
}

$ home-manager generations | head
2022-04-11 09:07 : id 65 -> /nix/store/9j3s2canrz3q2rwh19maywlj0xgm27lr-home-manager-generation
2022-04-11 09:05 : id 64 -> /nix/store/gdcf7r29kphnq6mcmkj9zqjknlbh3gp7-home-manager-generation
2022-04-11 09:04 : id 63 -> /nix/store/rsqf8dyhz9lk1j5351r6zracaanwxq34-home-manager-generation
2022-04-05 20:49 : id 62 -> /nix/store/a2c65dx05595smgw58j02ffy2cm4rrq0-home-manager-generation
2022-03-12 18:09 : id 61 -> /nix/store/98b16il8x7rzma5pr75njwavwnadl7p4-home-manager-generation
2022-03-12 13:15 : id 60 -> /nix/store/d0rvr0nx3y2rj0ixa71n9q0a9lpc7dp8-home-manager-generation
2022-03-12 13:15 : id 59 -> /nix/store/73xqnpzsfm42hjp76kx4bi769ld4gzmm-home-manager-generation
2022-03-11 10:49 : id 58 -> /nix/store/waizbp6iqdp6zgxxrbvbn1pagxk7jh4f-home-manager-generation
2022-03-11 09:58 : id 57 -> /nix/store/bg169sw55c440f0rsd7pxsh31zsdw43q-home-manager-generation
2022-03-11 09:54 : id 56 -> /nix/store/m3bq41252rcrp8xc48982h5kfhgpbvix-home-manager-generation

$ /nix/store/gdcf7r29kphnq6mcmkj9zqjknlbh3gp7-home-manager-generation/activate
Starting Home Manager activation
Activating checkFilesChanged
Activating checkLinkTargets
Activating writeBoundary
Activating installPackages
replacing old 'home-manager-path'
installing 'home-manager-path'
Activating linkGeneration
Cleaning up orphan links from /home/nathan
Creating profile generation 66
Creating home file links in /home/nathan
Activating onFilesChange
Activating reloadSystemd

NixOS generations

The concept of generations doesn’t originate in home-manager. In fact, it’s a first-party feature of NixOS proper. Each version of your system configuration gets recorded in the generations list, and you can restore the system to any of those versions with a single command with nix-env --rollback (for the previous version) or nix-env -G 3. Note that you may have to set the profile to system in order to change the global system instead of per-user configuration.

# nix-env --list-generations --profile /nix/var/nix/profiles/system | tail
  91   2022-04-10 16:06:58
  92   2022-04-10 16:18:46
  93   2022-04-10 16:22:37
  94   2022-04-10 16:39:26
  95   2022-04-21 10:04:08
  96   2022-04-22 09:25:09
  97   2022-04-24 13:08:53
  98   2022-04-24 13:11:39
  99   2022-04-24 14:48:43
 100   2022-04-24 14:49:28   (current)

Shells

A feature I didn’t think I’d care for, but ended up using all the time was nix-shell -p ${package_name} to spawn a new Bash shell with some requested software available, but (crucially) without making that software available to the system as a whole.

Let’s say I want to use swayshot to take a screenshot, but I don’t have slurp or grim installed:

$ nix-shell -p slurp grim
these paths will be fetched (0.03 MiB download, 0.10 MiB unpacked):
  /nix/store/0silcp1jlicjbjbjhzvmkffj2wck4m5z-grim-1.4.0
  /nix/store/yc2sc0k5d3bm9n6wq57qmmv4dsndkzpn-slurp-1.3.2
$ ./swayshot.sh

Being able to experiment with different tools on-the-fly like this, grants a powerful feeling of freedom to try things. If you don’t like a tool you just tried, then don’t add it to /etc/nixos/configuration.nix and it won’t pollute your environment. The next time you run nixos-collect-garbage, it will be removed from the Nix store.

Likewise home-manager can list packages that are available only to a certain user, but not other users or the root user.

Downsides

NixOS is not perfect. In exchange for all this functional, immutable, reproducible OS magic, we need to trade a few things (at least today).

$ ls /nix/store | head
000yp1grcymcfbmncflf2bhbqyzb8p62-hook.drv
0018h2fjjq0zijmyknykxvwysaj24qw0-timeit-2.0.tar.gz.drv
001gp43bjqzx60cg345n2slzg7131za8-nix-nss-open-files.patch
001ybmr7k4bj79nknk7ykzfqa7wqw55h-source.drv
001ynjbfcyzg60w6y1x0hjx106ixydq8-unit-script-prepare-kexec-start
002gbsl500p1b9m4wlinazna58mcmn6z-gnum4-1.4.19.drv
003cl64qdhj7ng8pjmnihhda315q5czg-home-manager-path.drv
0042c0dpzvx4khk34wl8ikikjrsv3fwn-conduit-1.3.4.2.drv
004fc2vsbnzsw43ci25hqk08rpvyagy0-catalog-legacy-uris.patch.drv
004h9inrdzqj2sfgssfpmlsl8mp9dn23-source.drv

Conclusion

Nix is a radical approach to software packaging, and it makes reproducibility of complex software systems easier than any other tool I know of. At the same time, it’s a complex and largely undocumented beast. Working with Nix reminds me of pre-1.0 Rust: smart ideas, constant changes, and a growing push for stabilization and documentation that gets better each month.

I still have my gripes with it, but the promise of a new and innovative way to manage systems has finally ripped me away from Arch Linux in search of something better than Unix-style userspace organization. The ability to effortlessly experiment and rollback changes to my OS has made hacking on Linux fun again.

Cryptographic doom

Moxie Marlinspike coined the cryptographic doom principle in 2011 to refer to a pattern he had seen in implementations of message authentication codes (MACs). It generalizes the kinds of flaws found in Vaudenay’s famous 2002 paper and SSH plaintext recovery into a principle:

If you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom.

An extraordinarily common example of cryptographic doom is to calculate MACs based on plaintext in an encrypted message payload. To check the authenticity of a message, recipients must necessarily decrypt the message. In Vaudenay’s attack, we exploit this construction to recover plaintext from encrypted messages, using only a single bit of information in servers’ responses (padding error or MAC error).

Although Moxie’s article pertains only to MACs and traditional cryptographic operations, the spirit of his principle extends beyond: trusting data before verifying it is dangerous. When designing cryptographic protocols, we should strive to authenticate data as early as possible. Don’t design a protocol that requires processing attacker-controlled metadata before cryptographic verification! Keep that in mind as you read the rest of this post.

Verifying a JWS

Let’s take another look at the example JWS object from earlier.

{
 "payload":
  "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
 "protected":"eyJhbGciOiJFUzI1NiJ9",
 "header": {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"},
 "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
}

In order to verify this, we need to do the following:

1. base64urldecode() the protected attribute.

2. Deserialize the protected attribute into JSON.

3. Calculate the JOSE header as the union of the protected object and the JWS (unprotected) object.

4. Verify that the implementation understands and can process the algorithm and any fields in the crit header.

5. base64urldecode() the payload attribute.

6. base64urldecode() the signature attribute.

7. Determine the verification algorithm to use by extracting it from the decoded protected header.

8. Construct the JWS signing input by concatenating encoded protected and payload headers together with a . character.

   \[ \begin{aligned} & \texttt{ascii}(\texttt{base64urlencode}(\texttt{utf-8}(\texttt{protected}))) \\ & \qquad || \quad ``." \\ & \qquad || \quad \texttt{base64urldecode}(\texttt{payload}) \end{aligned} \]

9. Using the algorithm from (8), verify the JWS.

Every step in this list prior to (9) is an opportunity for attackers to modify objects that are deserialized into JSON, control the algorithm in use by the system, and generally mess around where we expect contents to be integrity-protected.

Moreover, the fact that we are required to perform so many deserialization, decoding, and conditional algorithm selection operations prior to JWS verification invites implementations to make bad decisions about error handling. It might be tempting, to an implementor of JWS verification, to return helpful error messages about the validity of the JSON objects inside at step (5) before moving on to verification.

We should strive to introduce minimal transformations prior to signature verification. By requiring deserialization into JSON objects, the design invites implementations to perform early deserialization into application objects, potentially exposing themselves to major deserialization bugs with untrusted input data.

Protocols should be defensive against implementations

When I’m forced to grapple with something involving cryptography, I like it to be so stupid simple that it’s obviously correct. If I’m reviewing code that includes cryptography parts, I want it to be so obviously flawless that there’s no debate—even among relative amateurs—about its correctness.

Primitives should be outsourced to sound, well-regarded libraries where possible. In fact, as much as we can should build upon a battle-tested, fuzzed, expertly-developed implementation.

When designing security protocols, we should be making this kind of dead-simple implementation as easy and obvious as possible for software. Now, I’m not talking about primitives here, although certain modern primitives are remarkably simple. I mean that the composition of primitives into a functioning security protocol should, to the extent possible, by extremely obvious.

A major mistake we see again and again in the first generation of internet security protocols is kitchen-sink design. SSL/TLS with its configurable ciphersuites, the Eldritch horror of PGP email signatures, and other early security standards are victims of this. SSL/TLS assumes that implementations can correctly handle things like ciphersuite negotiation. PGP is a graveyard of this type of complexity. JWS, despite its marketing as just signed JSON objects, is the polar opposite of obvious protocol. It exposes algorithm selection to the client, verification requires multiple steps of deserialization, encoding, and serialization, and it is far too extensible for its own good.

Modern tools are going the other way. Minisign, OpenBSD Signify and age are relentlessly simple, electing to do one thing well and no more.² Facebook crypto auth tokens use a clever construction of nested MACs to support per-service auth tokens without explicit key sharing, but it’s still simple enough that you can implement it by nesting library calls.

A better way to sign JSON

Most mistakes in request signing protocols stem from serializing, parsing, and decoding the object prior to verification. Don’t do those steps. Most of the time it doesn’t matter.

If you need unforgeability of messages by the server, then use Ed25519. This is unnecessary for most web APIs, but it is important in some cases, like AWS multi-region access points. If you trust the server, then use HMAC-SHA256, a symmetric authentication algorithm. Do not support both of these at once. Think long and hard about what is appropriate for your application.

Have clients serialize the JSON object they wish to sign into a bytestring json_bytes. Now your signature algorithm becomes just:

\[ \texttt{sign}(\texttt{json_bytes},\ \texttt{key}).\]

And verification?

\[ \texttt{verify}(\texttt{json_bytes},\ \texttt{key}).\]

This is the method recommended by Latacora Security in How (not) to sign a JSON object.

Notice that verification does not require deserialization, nor character decoding! If the payload is a JSON object, we can safely deserialize it after verification. If you want, you can use OpenBSD Signify so that clients have readily available CLI and library tooling support.

Now, this has the downside that two identical JSON objects may not result in identical signatures. Fortunately, this does not generally matter, and in any case it probably matters less than the correctness of your cryptographic system. If you need to check the equality of two requests, you can generally verify, deserialize, canonicalize and compare them inside your application server logic as necessary. Plus, this way when you find a bug in your canonicalization logic, you can fix it without forcing your clients to update.

Free software backoff

What else has changed? Well, for a long time I was a very public advocate of using only free software, at least to the fullest extent that I could manage. I wrote all my school papers in LaTeX, which was the subject of some scorn from my professors when I could not submit .doc or .docx files. I still use LaTeX for some of my personal correspondence, but now I’m back to using Google Docs or Confluence for half of my things. It can be handy, sometimes, to have the editor get out of the way, and sometimes the benefit of collaborative work is worth the software philosophical tradeoff.

However, I will add that free software solutions to the problem of collaborative document editing, at least in the case of wikis, exist. You can use Gitit, which gives you a Git-backed wiki with Pandoc for document markup. Sure, it doesn’t have an LDAP connector, but it’s a wonderful system to write in, and something like Markdown is relatively easier to learn than MediaWiki markup.

Computer brand

Another switch: I use a Macbook. Not for my personal computing, but for my work stuff, ever since around September 2014. Getting used to OSX after spending something like 5 years running almost exclusively Arch Linux was a real change. But nearly every developer who I know in the industry uses OS X², and sometimes I just have to play by other people’s rules. I still put Arch on half of it, but to use that system I have to compile a custom kernel with Apple-specific patches to work around Bug 103211. This takes an annoying amount of effort when I have more important things to be doing than customizing my Linux distro.

Besides: when there’s an emergency, and I happen to be stranded in a coffee shop and need to access the internet immediately, not having to fumble around with netctl to access WiFi comes in handy. So, in those situations, I use OS X.

Programming languages

The other thing that has happened is my languages of choice have become a bit less dogmatic. I will probably always write Python, because it is ubiquitous, easy to write and read, and I know it quite well. But I’ve since picked up Ruby, worked on a Rails application, and now I’m a bit less dogmatic about languages in general. I’m no longer out there trying to get everyone to learn Haskell because strong static type systems and functional languages are just so damn cool. I understand when people look at Rust and tell me that high-level abstractions coupled with a serious type system and strong, compile-time guarantees of memory safety are not useful things to put in production or learn about (though I disagree with those people, and they probably enjoy writing Java).

Conclusion

People who knew me in 2014-2015 might be convinced that I’ve sold out. I’ve reneged on my free software idealism, am slowly tending toward anti-customization, bought an iPhone, and am becoming complacent with my gradual absorption into the general tech monoculture. But in some ways, this is OK. I’ve picked up new skills, tried out new things, and I would bet that people now find me a bit easier to work with.

The other bit is that I’ve moved more seriously into the private industry. When you’re just a student and researcher, it’s easy to be dogmatic about Linux and weird programming languages - especially when you’re broke and can’t afford to pay for computer programs. And when your day-to-day activities are math and electronics classes, it’s easy to go home and hack code in Haskell in your free time. But when you’re hacking code all day and working hard with complex Linux systems, sometimes nothing beats just being able to go home at the end of it, chill out, and watch Netflix on a MacBook.

This isn’t some giant announcement that everything I believed in college was wrong and proprietary software has no ethical issues. It’s more of just an acknowledgement that life is fluid, and reality is dynamic and difficult. Sometimes this means making concessions. I am willing to do that, now, just as long as I learn some new things and can get the job done.

Toy script comparisons

I wrote some toy scripts to show the most jarring differences so far. Yeah, I’m sure I’ll dig further into the language and all of this code will look silly, but as a budding Rubyist this is about as advanced as I can muster.

#!/usr/bin/env ruby

running_sum = []
args = []

[1,5,7].each do |x|
  args << x
  if running_sum.size > 0 then
    running_sum << running_sum.last + x
  else
    running_sum << x
  end
end

puts "Running sum: #{running_sum} from #{args}."

#!/usr/bin/env python3

running_sum = []
args = []

for n in [1, 5, 7]:
    args.append(args)
    if running_sum:
        running_sum.append(running_sum[-1] + n)
    else:
        running_sum.append(n)

print("Running sum: {} from {}.".format(running_sum, args))

#!/usr/bin/env ruby

module Nameable
  def name=(name)
    puts "changed name to #{name}"
    @name = name
  end

  def name
    @name
  end
end

class Dog
  include Nameable

  def initialize(name)
    @name = name
  end

  def bark
    puts 'Woof!'
  end
end

fido = Dog.new('Fido')
fido.send('bark')
fido.name = 'Cheese'
puts fido.name

#!/usr/bin/env python3

class Nameable(object):
    @property
    def name(self):
        return self._name

    @name.setter
    def name(self, value):
        print('Changed name to {}'.format(value))
        self._name = value

class Dog(Nameable):
    def __init__(self, name):
        self._name = name

    def bark(self):
        print("Woof!")

fido = Dog('Fido')
fido.bark()
fido.name = 'Cheese'
print(fido.name)

'hidden.rb':'xdotool windowactivate 0xc003ec windowraise 0xc003ec'
'[nathan@dionysus][~/dotfiles]%':'xdotool windowactivate 0xc0085c windowraise 0xc0085c'

#!/usr/bin/env ruby

hidden_windows = `hidden -c`.split(/\n/)

map = {}
hidden_windows.each do |line|
    match = /'(.*)':'(.*)'/.match(line)
    key = match[1]
    val = match[2]
    while map.has_key? key
        key = key + '*'
    end
    map[key] = val
end

choice = nil

IO.popen('dmenu', 'r+') do |dmenu|
    map.keys.each do |name|
        dmenu.write(name)
        dmenu.write("\n")
    end
    dmenu.close_write
    choice = dmenu.gets.rstrip
end

IO.popen(map[choice])

#!/usr/bin/env python3

import subprocess
import re

def main():
    hidden_windows = subprocess.check_output(['hidden', '-c'])
    hidden_windows = hidden_windows.splitlines()
    hidden_map = {}
    search = re.compile("^'(.*)':'(.*)'$")
    for window in hidden_windows:
        window = window.decode('utf-8')
        match = search.match(str(window))
        name, tool = match.group(1), match.group(2)
        while name in hidden_map:
            name += '*'
        hidden_map[name] = tool
    dmenu = subprocess.check_output(['dmenu'],
            input=bytes('\n'.join(hidden_map.keys()), encoding='utf-8'))
    subprocess.call(hidden_map[dmenu.rstrip().decode('utf-8')], shell=True)


if __name__ == '__main__':
    main()

with Popen(["ifconfig"], stdout=PIPE) as proc:
    log.write(proc.stdout.read())

Conclusion

My initial impression of Ruby is quite positive. It’s a strong candidate for replacing my one off Python scripts that often felt a bit too verbose for the tasks they were achieving. While I’m not comfortable enough to do serious development in it yet, I do get the feeling that Ruby will be quite readable over the equivalent Bash/Awk/Sed mashup that I might otherwise use to avoid writing a wordy Python script that uses subprocess.

There’s a distinct impression that Ruby is more fun than Python. There are many ways to achieve certain tasks, and the general goal is to find the most beautiful way. In Python, it seems like there’s a heavier focus on readability. I was skimming through some of the Rails codebase, and Rubyists seem to have no qualms about using the obscure ||= operator, in spite of the fact that it really doesn’t mean what you think it means. I think the most obscure syntactic construct in Python is just the wacky ternary operator.

I do not believe that Python and Ruby are really playing in the same niche. While Python dominates in academia and scientific programming, Ruby seems to win in the Perl-ish systems scripting and web development areas (though Django and Tornado put out some serious competition with Rails and Sinatra, and Python’s Pelican looks like a fine alternative to Jekyll).

Red Hat

Tom Callaway from Red Hat came to speak on March 24 for CNU’s PCSE¹ department and the LUG I founded. That was awesome. I don’t think anything could validate a newly-founded Linux user group more than having industry leaders come joke with you about tiling window managers. Quoting Tom:

The venn diagram between people who use tiling window managers and people who know Haskell is just a circle.

In complete good spirit, it’s worth mentioning i3 was written largely because the developers thought XMonad was cool, but didn’t want to learn Haskell.

After the presentation I was told by one of the LUG members that Tom’s talk was really inspiring for them. The student said It’s really great seeing industry leaders and finding out they’re just like us - only maybe a bit older or more knowledgeable - and feeling like I can be just like that, too, if I just work hard and dedicate myself.

It’s that kind of thing that makes me so glad I stuck with CNULUG. Even through all the lows, the awful turnout for the first year or so, we’ve pulled through - and now we matter so much that we’re making a real difference in students’ lives. Those sort of results, to me, almost makes my whole four years at CNU worth it on their own.

PCSE Coding Challenge

A team I was on (with Wilson Ho and Ian Miller) won my university’s PCSE Coding Challenge on April 3. That was fun. I totally embarrassed myself during the big-wig ACM programming competition last semester, so it’s relieving to see some sort of quantifiable progress.

Something struck me about the problems, though. We had three language options: Java, C (gcc with default flags), and C++ (g++ with default flags). At least two of these would be more well-suited to scripting languages, though.

Problem 4 is simple text substitution. The input two lines forming a substitution table (preceded by a less-than-helpful count), followed by a list of plaintext/cyphertext blocks:

3
a b c
B C D
2
PT: abc
CT: BCDDCB

You’re supposed to encrypt the plaintext blocks, and decrypt the cyphertext blocks. Normally I’d solve this in Bash:²

#!/bin/bash

while read -r cypher_count; do
    [[ ${cypher_count} -eq 0 ]] && break
    read -r plaintext
    read -r cyphertext
    read -r count
    for _ in $(seq ${count}); do
        read -r line
        if [[ ${line:0:2} == 'PT' ]]; then
            echo -n "CT: "
            echo ${line:4} | tr "$plaintext" "$cyphertext"
        else
            echo -n "PT: "
            echo ${line:4} | tr "$cyphertext" "$plaintext"
        fi
    done
done

Problems 1 and 5 were semi-interesting graph problems, but why bother with those when there are nice and easy text substitution problems to play with?

Anyway, I’m actually pretty embarrassed by the win. My team solved the above text translation problem and the Sudoku problem (problem 3). Neither of those are particularly difficult, or require any sort of serious algorithms knowledge to solve. They’re more like run-of-the-mill programming challenges. We were about 90% of the way through problem 2, another simple text processing/sorting problem, when the timer rang.

Main lesson learned: brush up on I/O in whatever language I’m choosing before the next algorithms competition. We could have performed a lot better if we spent less time fumbling around with a BufferedReader and more time thinking about algorithms.

Mike Bland, CNU research, Google, and the US Government

Mike Bland keynoted Paideia, CNU’s annual research conference on April 11. He gave a primer of his talk, itself a sort of toned-down variation of his slideshow behemoth Large Scale Development Culture Change: Google and the US Government to the PCSE department on Friday, April 10. Apparently no one told him that the April 10 event would be a talk, and not a Q&A, so Mike just ran through the same slides he’d be covering at Paideia.

Mike really did a great job relating to the audience at the keynote. Even though he covered somewhat technical material, I think everyone who was there (mostly non-programmers) managed to relate to his talk and took him seriously. He made 18F seem like the real deal, where Google was just like the training grounds for work that will have real, lasting impact on the United States.

One unfortunate consequence of Friday’s talk was that PCSE folks were notably absent on Saturday. In some sense that’s OK because they already saw most of it on Friday, but in another sense it’s not since Mike was quite obviously more well-prepared on Saturday.

Mike is locally famous for organizing student demonstrations to save, from bureaucratic shutdown, CNU’s graduate program, which basically makes him the reason I can write Christopher Newport University on my resumé instead of Christopher Newport College. But he was actually confused why he was relevant when Dr. Gore asked him to keynote CNU’s undergraduate/graduate research conference. Go figure.

One thing I noticed is that he put a lot of effort into engaging the audience during his presentations. Sometimes this was successful, and sometimes this wasn’t. The difference I noticed between successively captivating a live audience and not doing so is when he asked people in the audience to express themselves. I can recall this same dynamic from when I gave my talk advocating Git at NASA Langley: people were engaged when it seemed like I valued their opinions on things. Asking questions like How many have you have used version control? How many of you liked using it? engaged viewers way more than my 15-minute usage demo.

Similarly, when an audience members got to ask questions and be part of a conversation instead of just recipients of a speech, they seemed more alive and interested themselves, and the presentation seemed to have bigger impact.

This kind of thing reminds me not to focus too hard on slides when I do a presentation. What I should be doing is motivating the audience, and then letting them tell me what they’re interested in - not the other way around. Unless I have something truly original to say, people are probably going to be more interested in how what I’m saying applies to them than whatever it is that I’m saying. Maybe that’s a sad reality, and people should care more about the generalized intellectual pursuit than individual relevance, but feeling that way isn’t going to make people listen to you.

Making people relate to you will make them listen. Inspiring the hell out of people will make them listen. You don’t need to win everywhere to captivate an audience, but you better damn well captivate them or you’re just wasting a bunch of people’s time.

Previously.

Microcontrollers are fun

I’m in a microprocessors class this semester, and it’s awesome. It’s definitely among the hardest classes I’ve taken at CNU, but also one of the most rewarding. Among most programmers I meet, both hardware programming and C are seen as some crazy sort of black magic. I understand we all pine for the good ol’ days when C was taught to every budding programmer instead of Java, when Linus Torvalds’ comments on linked lists actually made sense to people with CS degrees, but modern CS departments apparently don’t throw students into the deep end with nothing but a C compiler and an assembly-language manual anymore.

Yeah, most people in the class weren’t ready for that. They freaked out at first. But, you know what? The students learned the material. Myself included. Dr. Wang didn’t spoonfeed us; he just gave us hardware manuals and told us when you get out in the industry, you’re not gonna have textbooks and let everyone sink or swim.

I spent this evening solving example problems from an exercise booklet on a PIC16F877A microcontroller. It was fun. I feel like I haven’t had fun programming in a while, but when you sit down and program hardware in C it can really reinvigorate love of the craft. The work wasn’t very interesting: make different LEDs light up depending on the voltage reading from a dial. Set a cutoff threshold whenever a button is pressed and light different LEDs depending on whether you’re above or below that threshold. Simple things, but the experience is rewarding. It reminds me of being in high school, writing my first Java classes to simulate the Monty Hall problem or whatever. There’s a sense of joy and wonder that programming can produce, and it’s when I find it that I do my best work.

Leaving college, joining Palantir

I graduate in May, and I’m absolutely terrified. I took an internship with Palantir this summer, on their Mission Operations team, instead of taking the safe route taking a full-time offer (like I might have gotten with SSAI, who have given me arguably the most rewarding work experience of my lifetime applying bleeding-edge industry practices to the US government). As apprehensive as this leaves me, I’m really excited about joining Palantir.

Why? I really can’t overstate the influence of the mission ops team lead in inspiring me to do this. Paraphrasing, this guy told me upfront:

You seem good, but you’re kind of green. There are specific things about Linux that you didn’t know - out of genuine ignorance - and our goal is gonna be to teach you those things, so you’re capable enough to do your day-to-day tasks with us and not need support from anyone else. You’re not on the level we need quite yet, and that’s why we’re offering you an internship, but my goal is going to be to get you there and make you that good so you can succeed with us.

Now, to understand why that kind of talk inspires me, you’ve gotta understand something about who I am. I’m naturally a bit arrogant. I founded the Linux user group at my school, and I built my first Arch system seven years ago with nothing but a paper printout of the beginner’s guide and a single desktop computer. I’ve been administering my own webservers for three years, and running other people’s Linux servers for money for two. At least among my peers at CNU, I’m simply not used to people knowing more than me about this operating system.

But the people at Palantir are better than me. They showed me up in the interview process, but it’s not just that - being smart isn’t the only requirement to win my respect - they’re willing to teach me. And that kind of attitude is what makes me fall in love with a company.

I’ll quote one of their cofounders, Stephen Cohen, to drive this point home:

We tend to massively underestimate the compounding returns of intelligence. As humans, we need to solve big problems. If you graduate Stanford at 22 and Google recruits you, you’ll work a 9-to-5. It’s probably more like an 11-to-3 in terms of hard work. They’ll pay well. It’s relaxing. But what they are actually doing is paying you to accept a much lower intellectual growth rate. When you recognize that intelligence is compounding, the cost of that missing long-term compounding is enormous. They’re not giving you the best opportunity of your life. Then a scary thing can happen: You might realize one day that you’ve lost your competitive edge. You won’t be the best anymore. You won’t be able to fall in love with new stuff. Things are cushy where you are. You get complacent and stall. So, run your prospective engineering hires through that narrative. Then show them the alternative: working at your startup.

Picking a rebase target

One of the most important choices before you start any interactive rebase is how far back am I rebasing. It’s only safe to rewrite the parts of history that haven’t been pushed to a remote yet,³ so the natural choice is to rebase against a remote.

I’ll pretend that I’m working on a codebase with multiple people, purely for didactic purposes, and do a fetch before I get started:

~/dotfiles/emacs/.emacs.d/ » git fetch origin
~/dotfiles/emacs/.emacs.d/ »

Since there was no output, that means I have the latest version of origin. Great! Let’s get started:

~/dotfiles/emacs/.emacs.d/ » git rebase -i origin/master
Cannot rebase: You have unstaged changes.
Please commit or stash them.

Woops.

Cleaning your worktree

When you start an interactive rebase, you need to have a clean worktree. To get there, I used to run git stash before the rebase, and git stash apply afterwards to reapply my old changes after modifying the log. As it turns out, there’s a better way (from man git-rebase):

--[no-]autostash
    Automatically create a temporary stash before the operation begins, and apply it
    after the operation ends. This means that you can run rebase on a dirty worktree.
    However, use with care: the final stash application after a successful rebase might
    result in non-trivial conflicts.

As mentioned, stashes don’t necessarily apply cleanly after a rebase. This works best if you know that your unstaged changes won’t conflict with anything you’re rebasing. In my case, I only start rebases if I think my stash (if any) will apply cleanly, so I’m going to make this a default in my config:⁴

~/dotfiles/emacs/.emacs.d/ » git config --get rebase.autostash
~/dotfiles/emacs/.emacs.d/ » git config --global rebase.autostash true
~/dotfiles/emacs/.emacs.d/ » git config --get rebase.autostash
true

Blasting apart history

Now we can get started, and Git will stash unstaged changes automatically before interactive rebases.

~/dotfiles/emacs/.emacs.d/ » git rebase -i origin/master

We’re dropped into the interactive rebase window:

pick 712edab eyecandy: just use zenburn theme

# Rebase 8edc222..712edab onto 8edc222
#
# Commands:
#  , pick = use commit
#  , reword = use commit, but edit the commit message
#  , edit = use commit, but stop for amending
#  , squash = use commit, but meld into previous commit
#  , fixup = like "squash", but discard this commit's log message
#  , exec = run command (the rest of the line) using shell
#
# These lines can be re-ordered; they are executed from top to bottom.
#
# If you remove a line here THAT COMMIT WILL BE LOST.
#
# However, if you remove everything, the rebase will be aborted.
#
# Note that empty commits are commented out

edit 712edab eyecandy: just use zenburn theme

~/dotfiles/emacs/.emacs.d/ » git rebase -i origin/master
Created autostash: ce6634c
HEAD is now at 712edab eyecandy: just use zenburn theme
Stopped at 712edab4e039cf2bd784031f04a202eec5f2195a... eyecandy: just use zenburn theme
You can amend the commit now, with

        git commit --amend

Once you are satisfied with your changes, run

        git rebase --continue

~/dotfiles/emacs/.emacs.d/ » git rm --cached .travis.yml
rm '.travis.yml'
~/dotfiles/emacs/.emacs.d/ » git commit --amend

eyecandy: just use zenburn theme

# Changes to be committed:
#       modified:   config/eyecandy/my-eyecandy.el
#

[detached HEAD cc71d68] eyecandy: just use zenburn theme
 Date: Sat Dec 13 20:45:54 2014 -0500
 1 file changed, 3 insertions(+), 19 deletions(-)
~/dotfiles/emacs/.emacs.d/ » ls .travis.yml
.travis.yml

~/dotfiles/emacs/.emacs.d/ » git add .travis.yml
~/dotfiles/emacs/.emacs.d/ » git commit -m 'test out travis CI for emacs'
[detached HEAD dab1f85] test out travis CI for emacs
 1 file changed, 11 insertions(+)
 create mode 100644 .travis.yml
~/dotfiles/emacs/.emacs.d/ » git rebase --continue
Successfully rebased and updated refs/heads/master.
Applied autostash.

Conclusion

Now the repo is how I wanted it:

2014-12-14 03:46 Unknown         o Unstaged changes
2014-12-13 22:42 Nathan Typanski o [master] test out travis CI for emacs
2014-12-13 20:45 Nathan Typanski o eyecandy: just use zenburn theme
2014-12-13 19:09 Nathan Typanski o {origin/master} evil: fancy smart indent behavior

This is just a little snapshot of my Git workflow. I wrote this post because I find myself constantly wondering if I’m using Git the right way, and find myself curious how other people solve problems like this one. Perhaps there’s a way to do this using only a handful of one-liners, and I’m going overkill by using git rebase for this kind of thing (it certainly feels that way).

But then I realize there’s no One True Workflow with Git. Git usage is a state function: we went from our initial state to our desired result state, and nobody cares how we got there. That’s the whole point.