Der Chaos Computer Club ist die größte europäische Hackervereinigung, und seit über 25 Jahren Vermittler im Spannungsfeld technischer und sozialer Entwicklungen.
…
continue reading
Ccc Congress Hacking Security Netzpolitik Podcasts

1
Closing session of All Systems Go! 2025 (asg2025)
2:22
2:22
Play later
Play later
Lists
Like
Liked
2:22Closing session of All Systems Go! 2025Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/DR8ELH/
…
continue reading

1
One Boot Config to Rule Them All: Bringing UAPI Boot Specification to Legacy BIOS (asg2025)
24:59
24:59
Play later
Play later
Lists
Like
Liked
24:59The UAPI Boot Loader Specification defines conventions that let multiple operating systems and bootloaders share boot config files. So far, only systemd-boot implements it - and it’s UEFI-only by design.As a result, hybrid UEFI/BIOS images require maintaining (and keeping in sync) two sets of bootloader configs: one for systemd-boot, and one for a …
…
continue reading

1
OS as a Service at Meta Platforms (asg2025)
25:30
25:30
Play later
Play later
Lists
Like
Liked
25:30I overview how OS management is done at Meta. We run millions of Linux servers and we have to make sure that OS gets updated on all of them in a given period of time. To do that we developed several products: MetalOS (Image based version of CentOS), Antlir (image builder) and Rolling OS Update (a service that keeps a set of DNF repos in sync with u…
…
continue reading
`test.thing` is a VM runner which targets guests using an API defined by systemd. It started after a conversation at devconf about turning `mkosi qemu` into a library. A quick intro.~~composefs is an approach to image-mode systems without the disk images. Files are stored in a de-duplicated content-addressed storage with integrity guaranteed throug…
…
continue reading

1
Yocto's hidden gem: OTA and seamless updates with systemd-sysupdate (asg2025)
26:33
26:33
Play later
Play later
Lists
Like
Liked
26:33Updates are a critical piece of managing your fleet of devices. Nowadays, Yocto-based distributions can utilize layers for well-established update mechanisms. But, did you know that recent releases of Yocto already come with a simple update mechanism?Enter systemd-sysupdate: a mechanism capable of automatically discovering, downloading, and install…
…
continue reading

1
UKI, composefs and remote attestation for Bootable Containers (asg2025)
42:50
42:50
Play later
Play later
Lists
Like
Liked
42:50With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.Using composefs and fs-ve…
…
continue reading

1
A terminal for operating clouds: administering S3NS with image-based NixOS (asg2025)
34:54
34:54
Play later
Play later
Lists
Like
Liked
34:54S3NS is a trusted cloud operator that self-hosts Google Cloud infrastructure in France, targeting the SecNumCloud certification, the most stringent Cloud certification framework. SecNumCloud includes strict legal and operational constraints. To manage these systems securely and reproducibly, we’ve built a family of dedicated administration terminal…
…
continue reading

1
Introducing ue-rs, minimal and secure rewrite of update engine in Flatcar (asg2025)
24:20
24:20
Play later
Play later
Lists
Like
Liked
24:20Introduce ue-rs, a fresh project that aims to be a drop-in reimplementation of update engine, written in Rust.The goal of ue-rs is to have a minimal, secure and robust implementation of update engine, required by A/B update mechanism of Flatcar Container Linux. Just like the existing update engine, it downloads OS update payloads from a Nebraska se…
…
continue reading

1
Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS (asg2025)
25:51
25:51
Play later
Play later
Lists
Like
Liked
25:51In last year's ASG!, bootc and bootable containers were introduced. In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.al…
…
continue reading

1
Dirlock: a new tool to manage encrypted filesystems (asg2025)
26:27
26:27
Play later
Play later
Lists
Like
Liked
26:27In the Linux world there are several tools and technologies to encrypt data on a hard drive, most falling into one of two categories: block device encryption (like LUKS) or stacked filesystem encryption (like EncFs or gocryptfs). This presentation will introduce Dirlock, a new tool that belongs to a third category: native filesystem encryption, usi…
…
continue reading

1
container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver (asg2025)
22:46
22:46
Play later
Play later
Lists
Like
Liked
22:46Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed **container-snap**, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system'…
…
continue reading

1
pidfd: What have we been up to? (asg2025)
39:28
39:28
Play later
Play later
Lists
Like
Liked
39:28File descriptors for processes on Linux have been available for quite some time now. Userspace has adapted them widely.Over the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage.Licensed to the public under https://creativecommons.…
…
continue reading

1
Forget zbus, zlink is the future of IPC in Rust (asg2025)
38:14
38:14
Play later
Play later
Lists
Like
Liked
38:14Last year, Lennart Poettering of the systemd fame, [gave a presentation](https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-) at this very same conference, where he introduced Varlink, a modern yet simple IPC mechanism. He presented a case for Varlink, rather than [D-Bus](https://en.wikipedia.org/wiki/D-Bus) to be the future of Inter-proces…
…
continue reading

1
CentOS Proposed Updates: Bridging the Gap between development and production (asg2025)
25:32
25:32
Play later
Play later
Lists
Like
Liked
25:32CentOS Stream is especially suited for production deployments. In these environments it's often common to develop improvements to distribution packages and want to contribute them upstream. Unfortunately, until very recently that required one to then maintain their own build and deployment pipeline for the packages, at least until the changes made …
…
continue reading

1
Privilege delegation for rootless containers, what choices do we have? (asg2025)
21:43
21:43
Play later
Play later
Lists
Like
Liked
21:43Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, the development of more complex infrastructure extensions frequently hinders application functionality.While looking for a solution to deploy virtiofsd in an unprivileged contai…
…
continue reading
GNOME has collected some very old code over the years. During the recent GNOME 49 release, we've made some drastic cleanups. Most visibly, we've dropped support for X11 and gained many dependencies on systemd. Let's explore some of the what and why for these changes!Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about t…
…
continue reading

1
New Linux Kernel Coredump Infrastructure (asg2025)
41:04
41:04
Play later
Play later
Lists
Like
Liked
41:04Coredumping on Linux has long been a nightmare. Currently two modes are supported:(1) Dumping directly into a file somewhere on the filesystem.(2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd.For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out the…
…
continue reading

1
Slim device software with systemd targets and nspawn (asg2025)
24:23
24:23
Play later
Play later
Lists
Like
Liked
24:23It has been 10 years since Axis Communications had a presentation at the systemd conference. Back then, we have shown how we have increased our product quality, stability and boot times by porting our platform to systemd. 10 years later, we had different challenges to keep the resource usages and boot times under control. We have started from botto…
…
continue reading
GNOME OS is a distribution based around systemd-sysupdate. This year, we finally created a live installer image using the same /usr partition as the installed OS. The main innovation however is the ability to install without the need to reboot. The user can start working while the installation is happening.This live image is built using systemd-rep…
…
continue reading

1
Shipping Flatpak applications with an image based system (asg2025)
27:58
27:58
Play later
Play later
Lists
Like
Liked
27:58Flatpak is the de-facto standard for distributing desktop applications across various Linux based systems. It also offers other advantages such as sandboxing. It is particularly useful for image based systems as it installs the applications into a separate location and doesn't try to modify the system.GNOME OS is GNOME's development, testing and QA…
…
continue reading

1
Unprivileged Containers, with Transient User Namespaces and ID Mapping, but Without SETUID Binaries (asg2025)
41:53
41:53
Play later
Play later
Lists
Like
Liked
41:53Many traditional container engines make use of the "subuid" concept and the "newuidmap" tool to implement a concept of "unprivileged" user-namespace containers on Linux. This approach has many shortcomings in my PoV, from both a security and scalability standpoint.Recent systemd versions provide a more powerful, more secure, mor scalable alternativ…
…
continue reading

1
oo7-daemon: One year later – Progress, Challenges, and What’s next (asg2025)
3:08
3:08
Play later
Play later
Lists
Like
Liked
3:08oo7-daemon is the new D-Bus Secret Service provider that aims to fully replace gnome-keyring. In this followup (continuation of my 2024 talk) lightning talk, I will go through the progress made, the challenges faced and the status of systemd credentials integration.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about th…
…
continue reading

1
From initramfs-tools to mkosi-initrd (asg2025)
6:55
6:55
Play later
Play later
Lists
Like
Liked
6:55Marco will review the features available in the initramfs-tools ecosystem, the initrd generator used by Debian and Ubuntu, and how they can be implemented (or not) by adopting mkosi-initrd.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/E989ZX/…
…
continue reading

1
A new systemd container runtime?! (asg2025)
27:25
27:25
Play later
Play later
Lists
Like
Liked
27:25At Meta, we've been looking to revamp our internal container runtime (Twine). Instead of maintaining all the low level container runtime code ourselves, we'd much prefer having more of this managed by systemd. This talk will go over what we did to make systemd transient units a suitable environment for running system containers (pid namespace suppo…
…
continue reading
Simplify systemd management with `isd`! `isd` is a TUI offering fuzzy search for units, auto-refreshing previews, smart sudo handling, and a fully customizable interface for power-users and newcomers alike.If you ever became frustrated while typing:- `systemctl start --user unit-A.service` (manually starting a unit)- `systemctl status --user unit-A…
…
continue reading

1
Verification of OS artifacts without stateful keyrings (asg2025)
21:40
21:40
Play later
Play later
Lists
Like
Liked
21:40Many OS artifacts today are still verified using proprietary, stateful keyring formats.With the "File Hierarchy for the Verification of OS Artifacts (VOA)" an attempt is made to rid the ecosystem of this limitation by implementing a generic lookup directory.With extensibility in mind, this unifying hierarchy currently provides integration for OpenP…
…
continue reading

1
ParticleOS: Why is Lennart still not dogfooding systemd?! (asg2025)
37:46
37:46
Play later
Play later
Lists
Like
Liked
37:46More than six months have passed since Daan tried to ~~shame~~ gently peer pressure Lennart to actually use the stuff he builds, via a FOSDEM talk:https://fosdem.org/2025/schedule/event/fosdem-2025-4057-particleos-can-we-make-lennart-poettering-run-an-image-based-distribution-/Did he succeed? Is dogfooding standard practice now in the systemd devel…
…
continue reading

1
A simpler and faster firewall with bpfilter (asg2025)
39:39
39:39
Play later
Play later
Lists
Like
Liked
39:39For many years, firewall solutions on Linux have grown and evolved, without any major change, until eBPF. While eBPF can allow very fast and efficient packet filtering, the learning curve doesn't make it easily accessible to non-developers. bpfilter aims to bridge the gap between existing tools (nftables, iptables) and modern technologies such as e…
…
continue reading

1
Sandboxing services with Landlock (asg2025)
25:01
25:01
Play later
Play later
Lists
Like
Liked
25:01Landlock is an unprivileged kernel feature that enables all Linux users to sandbox their processes. Complementary to seccomp, developers can leverage Landlock to restrict their programs in a fine-grained way. While Landlock can be used by end users through sandboxer tools, there is currently no well-integrated solution to define security policies t…
…
continue reading

1
Integrating systemd-sysext images in an update stack (asg2025)
26:19
26:19
Play later
Play later
Lists
Like
Liked
26:19systemd-sysext provides a nice way to enhance a distribution with a read-only root filesystem without the need to reboot. But there is additional tooling necessary to manage the sysext images:* install an image which is compatible with the installed OS version* update installed images to the newest compatible version* rollback images in case of an …
…
continue reading

1
Look ma, no secrets! - bootstrapping cryptographic trust in my homelab using Nix, UKIs, TPMs and SPIFFE (asg2025)
27:35
27:35
Play later
Play later
Lists
Like
Liked
27:35All the big cloud providers provide your machines with a unique cryptographic identity that can be used to talk to their cloud services securely without having to manage or rotate any cryptographic secrets yourself. For example GCP has Service accounts and AWS has IAM roles. This ubiquity of cloud identity and the seamless integration with all the …
…
continue reading

1
Extending Fedora Atomic Desktops using systemd system extensions (asg2025)
25:54
25:54
Play later
Play later
Lists
Like
Liked
25:54On image based desktops distributions such as Fedora Atomic desktops and Universal Blue, users are expected to run their graphical applications using Flatpaks and their command line ones using containers. But that approach does not work well for some applications that require more privileges, direct access to devices or kernel interfaces.With syste…
…
continue reading

1
Accessing shadow records via varlink (asg2025)
26:12
26:12
Play later
Play later
Lists
Like
Liked
26:12Provide a varlink service to access /etc/passwd and /etc/shadow so that no setuid and setgid binaries are necessary for this task.There are two independent "problems" which can be solved with the same idea: all files in /usr should be owned by root:root and no setuid binary should be needed. The first one is a requirement of image based updates of …
…
continue reading

1
systemd-confext Two Years On: Versioned Overlays for /etc, Reloaded (asg2025)
25:45
25:45
Play later
Play later
Lists
Like
Liked
25:45systemd-confext is a lightweight overlay mechanism for /etc, allowing you to drop in a configuration extension ("confext") bundle and let systemd make it visible to your service as though it was already shipped with the base image. Building on the same extension magic as systemd-sysext, confext also introduces extra features tailored for the /etc u…
…
continue reading

1
How I optimized away 94% CPU from zbus (asg2025)
24:03
24:03
Play later
Play later
Lists
Like
Liked
24:03Haven’t you ever wanted to find ways to make your Rust code the most optimal in the world? I know how you feel. This is a talk, where I’d tell you how easy it is to profile your Rust software and how most often the solutions are trivial.This is a story of how I used a few readily-available Open Source tools to achieve huge optimizations in [zbus](h…
…
continue reading
Let's have an open discussion with systemd developers who are at ASG and users in the audience. We will open with the developers saying what they plan to work on in the near future, and then allow questions / comments from the audience.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-syst…
…
continue reading

1
Linux IPC: Lost between Threading and Networking (asg2025)
25:57
25:57
Play later
Play later
Lists
Like
Liked
25:57Communication is paramount in modern application development. This applies equally well to the process of writing applications and to the code itself. The complexity of the tasks ahead of us calls for a distributed and coordinated development effort, and this often manifests in our code: We design distributed, communicating systems to split complex…
…
continue reading
Same as every year, a lot has happened in the systemd project since last year'sASG. We released multiple versions, packed with new components and features.This talk will provide an overview of these changes, commenting on successes andchallenges, and a sneak peak at what lies ahead.Licensed to the public under https://creativecommons.org/licenses/b…
…
continue reading
Systing helps you solve problems in minutes rather than days. Out of the box it gives you everything you could possibly need, combined with perfetto’s visualization you will never be confused again.This talk will introduce systing, a tracer that is built on modern BPF tooling, purpose built to debug large applications with complicated interactions.…
…
continue reading
Running **BPF** programs today requires *CAP_BPF* capability, which is an all or nothing BPF capability.But BPF nowadays spans a large area, from simple monitoring to potentially invasive fields like network or tracing.BPF Tokens aims to add fine grained BPF capabilities to systemd units and containers, avoiding to give the whole *CAP_BPF* capabili…
…
continue reading

1
Why you should contribute to systemd! (asg2025)
23:28
23:28
Play later
Play later
Lists
Like
Liked
23:28I'll use these 20 minutes to explain why and why contributing to systemd is a great experience. We'll avoid beating dead horses by not discussing git forges and email, but instead focus on the development experience, from building systemd distribution packages from git main, running integration tests against those distribution packages, debugging f…
…
continue reading
Linux lacks a coherent security model, and by extension we never defined one for the systemd project either.In this talk I'd like to start changing this, and begin defining some general security design guidelines that we so far mostly followed implicitly, and make them more explicit. After all, systemd to a large degree is involved in security subs…
…
continue reading
Kurzer Talk, indem ich kurz vorstelle wie wir die Quellcode organisiert haben.https://creativecommons.org/licenses/by-sa/4.0/about this event: https://pretalx.0x90.space/quellcode-2/talk/QVGLUD/By Hännetz
…
continue reading

1
Siemens Systemtelefon hacken for fun and giggles (quellcode25)
17:18
17:18
Play later
Play later
Lists
Like
Liked
17:18Im Hackspace sind Systemtelefone von Siemens aufgetaucht. Wir hatten sehr viel Spass mit ihnen und ich will davon erzählen.Zusammen mit zwei anderen Mitgliedern aus dem Nerdberg haben wir uns das "Unify OpenStage 60" Telefon angeschaut, Root-Zugriff bekommen und schlussendlich ein paar nette Anwendungen darauf zum laufen bekommen. Das ganze war abe…
…
continue reading
Lightning talk slot, to present some lightning talks.A slot for short talks about different topics, Can be in English or German.Ein Programm Punkt in dem kurze Vorträge über verschiedene Themen vorgetragen werden können. Die Vorträge können in Deutsch oder Englisch gehalten werden.https://creativecommons.org/licenses/by-sa/4.0/about this event: htt…
…
continue reading

1
Make your personal website, it's easy! (quellcode25)
12:52
12:52
Play later
Play later
Lists
Like
Liked
12:52Lighting Talk about how to make your own personal website and lose your fears and doubts about how to do it.In a world where social media platforms keeps degrading and closing, where more and more places of Internet get subjected to "Enshittification", to the loss of personalization and even censorship, there's this call to oppose this.A countercul…
…
continue reading

1
Gegen die Angst - was will der intersektionale Anarchismus? (quellcode25)
1:17:18
1:17:18
Play later
Play later
Lists
Like
Liked
1:17:18Unsere Beziehungen sind von Herrschaftssystemen vergiftet - wir alle werden willkürlich nach Geschlecht, Ordnung, Herkunft, Leistung, und Fähigkeiten eingeteilt. Wie können wir diese Zwänge abschaffen, und einen Umgang auf Augenhöhe finden?https://creativecommons.org/licenses/by-sa/4.0/about this event: https://pretalx.0x90.space/quellcode-2/talk/Z…
…
continue reading

1
Einführung in die numerische Strömungssimulation mit Free Open Source Software (quellcode25)
57:44
57:44
Play later
Play later
Lists
Like
Liked
57:44Einführung in die numerische Strömungssimulation mit Free Open Source Software - Grundgleichungen, Software, BeispielrechnungenAus den Fingern gesogen, ohne Erwartungshaltunghttps://creativecommons.org/licenses/by-sa/4.0/about this event: https://pretalx.0x90.space/quellcode-2/talk/G3UJNG/
…
continue reading

1
Dein Smartphone, ein Werkzeug für die Wildnis (Meine liebsten Offline open-source Android Apps) (quellcode25)
47:31
47:31
Play later
Play later
Lists
Like
Liked
47:31Du findest dich plötzlich in der **Wildnis**, was tun?Na klar, als allererstes das Smartphone herausholen und Empfang prüfen. Verdammt, wo bin ich eigentlich?In diesen Talk stelle ich dir drei Tolle Apps vor, die dir in der Wildnis eine große Hilfe sein werden. Auch im Bastler*in Alltag können sie aber sehr nützlich sein.https://creativecommons.org…
…
continue reading

1
Liberating DJing from Mega Corps (quellcode25)
54:19
54:19
Play later
Play later
Lists
Like
Liked
54:19Introducing a fresh'n tiny DJing Software for Linux to battle the enshittification of DJingThe art of DJing has been shifting and progressing over the last 2 decades by the introduction of digital djing. But since then it has been in the greedy hands of a couple of big players, namely Pioneer (now AlphaTheta). Cloud & subscription is now on the pla…
…
continue reading