cron.weekly issue #114: Debian, WireGuard, mkcert, make, htop, SSH & more

cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!

I respect your privacy and you won't get spam. Ever. Just a weekly-ish newsletter about Linux and open source.
Image of Mattias Geniar

Mattias Geniar, December 15, 2019

Follow me on Twitter as @mattiasgeniar

Hi everyone!

I got some good feedback on the layout of the newsletter last week. Some things got tweaked a bit that’ll make things easier to read for Android users. If you still spot issues: reach out!

Now, on to the content. I got some more spare time this week to read and included a bunch of interesting articles. Might keep you busy for a while. :-)


News & General

Debian vote: Init systems and systemd

There’s a significant vote going on in the Debian community about the direction of the init system: should the focus be on systemd? Should it support alternatives? Should packages be required to support init systems others than systemd? If the entire vote is too long to read, there’s a summary available on the voting options.

Binary Planting with the npm CLI

tl;dr - Update to the latest npm/yarn as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

On building an Ansible training environment on FreeBSD

I’m not using *BSD myself, but reading JP’s take on it makes me want to give it a try. This post is full of additional reading material that’ll keep you busy for days, a solid introduction to iocage, FreeBSD’s package manager, Ansible and a good allround intro to FreeBSD.

Why databases use ordered indexes but programming uses hash tables

A pretty low-level write-up on why there are differences in storing seemingly similar data in a DB vs. working with arrays/tables in code. The same logic for handling that data applies, but they’re both optimised for their particular uses.

WireGuard VPN is in net-next, scheduled for Kernel 5.6

WireGuard is a layer 3 secure networking tunnel made specifically for the kernel, that aims to be much simpler and easier to audit than IPsec. It’s now scheduled to be included when Kernel 5.6 ships. To read more on WireGuard, see the site, the research paper (PDF), these summarized docs or the merge request for the kernel.

The Go runtime scheduler’s clever way of dealing with system calls

I’m super interested in the Go programming language because if its goroutines, which are lightweight threads that are managed by the Go runtime. This post dives deeper into the tech to explain how Go schedules its internal threads to actual OS processes & threads.

W3C Recommends WebAssembly to push the limits for speed, efficiency and responsiveness

The WebAssembly Working Group has published the three WebAssembly specifications as W3C Recommendations, marking the arrival of a new language for the Web which allows code to run in the browser.

The “Great Cannon” has been deployed again

The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall of China. It was used heavily in 2015 to bring down Github, now it’s targeting sites used to organize protests in Hong Kong. If you control the edge of the network, you can inject malicious code like this without the site owner knowing about it.

It’s OK if you’re not running Kubernetes

I wrote an article for Sysadvent where I wanted to comfort sysadmins that are feeling left out because they can’t run the {newest,hottest,latest} technology stack. It’s OK, I’m not running it either. I know I’m guilty of it by virtue of this newsletter (you can’t test every tool, right?), but there’s nothing wrong with a traditional, stable, reliable Linux stack.

Tools & Projects


Don’t change anything in your Docker container image and minify it by up to 30x. Pretty impressive results!


With DB you can very easily save, restore, and archive snapshots of your database from the command line.


Finala is a resource cloud scanner that analyses and reports about wasteful and unused resources to cut unwanted expenses (in public clouds).

Reproducible Builds Tools

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. In other words: a system that allows you to prove that a binary is the direct result of the source code and no intermediary (a compiler, processor, …) tampered with it. This is used by Arch, Debian, Bitcoin, Fedora, …


A list of SaaS-like solutions you can self-host and deploy on your own. A good summary of VPN, chat, video-call, email, … services for you to run.


crtshcrtsh is Golang utility that shows the result of, an online certificate transparency viewer.


mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.


Sourcetrail is a cross-platform source explorer that helps you get productive on unfamiliar source code. It uses static analysis on C, C++, Java and Python source code and lets you navigate the collected information within a user interface that interactively combines graph visualization and code display.


Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 40mb. Please see the official docs site for complete documentation on k3s.

Guides & Tutorials

Using Makefile(s) for Go

This is a write-up of using make as a build tool. Once again, the old & trusted tools do a really good job.

Going Serverless with OpenFaaS and Golang - Building Optimized Templates

This is a series of blogposts on how you can run your own code (aka “functions”) using OpenFaas.

Installing system packages in Docker with minimal bloat

Unlike the docker-slim tool mentioned above, this post looks at what you can do in your build process to make your Docker containers smaller in size.

Getting started with GitHub Actions and Laravel

A really good write-up on using Github Actions to set up a phpunit/ci environment, explaining each step in detail.

Everything you should know about certificates and PKI but are too afraid to ask

Certificates and public key infrastructure (PKI) can be hard. This post goes into really great lengths to explain how it all works.

Killing a process and all of its descendants

Killing processes in a Unix-like system can be trickier than expected. This post explains the parent/child relationship, process groups and several tools to help you debug.

htop explained

Have you ever wondered what every option in htop means? This post explains everything.

SSH Handshake Explained

Secure Shell (SSH) is a widely used Transport Layer Protocol to secure connections between clients and servers. This post offers a description of the handshake that occurs to establish a secure channel between a client and a server

The Illustrated TLS Connection

Every byte of a TLS connection explained and reproduced: in this demonstration a client connects to a server, negotiates a TLS 1.2 session, sends “ping”, receives “pong”, and then terminates the session.

How To Run Your Own Mail Server

A guide to self-hosting your email on FreeBSD using Postfix, Dovecot, Rspamd, and LDAP.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.