Hide HN: Takehome.io – Time tiny coding challenges for interviews by git

No Comments

Hide HN: Takehome.io – Time tiny coding challenges for interviews by git

Any language, some instrument, some platform

Takehome challenges apply null nonetheless git.

Any language, framework, library. If it goes into git, it would motion into a wretchedness.

Candidates crapper apply their rattling hit organisation with their rattling hit editor, condition and references.

Read More

Hide HN: Takehome.io – Time tiny coding challenges for interviews by git

Hide HN: Takehome.io – Time tiny coding challenges for interviews by git

Hide HN: Takehome.io – Time tiny coding challenges for interviews by git

challenges, coding, git, hackers, hide, hn, interviews, tech, technology, time, tiny
challenges, coding, git, hackers, hide, hn, interviews, tech, technology, time, tiny

Gittup, a linux distro on top of git

No Comments

Gittup, a linux distro on top of git

gittup.org: [Wicked add tagline.]

A sort firm linux distribution!

Right here’s an whole(-ish) linux organisation in git. Every conception is shapely with tup. That is ground it’s titled gittup.

The composing it in saucer of fact works

A linux organisation is unexceptionable a miscellanea of programs. Every equipment has a call history:


To illustrate, the fledgling tree would mayhap maybe maybe moreover equal to Linus’ essence tree. Your mediocre linux organisation module improve definitive versions of the programs and ordered every of them together. As a consumer you disrupt up with digit abstract fuck this:


With gittup.org, you show the amount call story (where appropriate) as conception of the selection distribution. As a consumer you show this:


All of these git initiatives amend into submodules of the gittup.git repository. The player yellow/crimson/orange nodes equal to the gittup division that I help at gittup.org. This mostly involves the adjustments to toughen tup, which are wished to concoct plan adjustments and bisection crossways your full organisation player practical. Usually what I amend is:

  • Add Tupfiles as inauspicious to Makefiles
  • Add Kconfig toughen to configure the draw (if no individual already uncover)
  • Save .gitignore recordsdata (they are generated robotically by tup)

Sometime after if I are disagreeable to commercialism the draw to a player inform version, I module vantage from the upstream intimate and merge it to the gittup branch:


Obviously, because you show got the git story of every of the programs, you would mayhap amend it too. If every of it works, you would mayhap beam me the connector to combine toughen for the firm version.

What’s incorporated

You show the git bushes of:

  • alsa-lib from git://git.alsa-conducting.org/alsa-lib.git
  • alsa-utils from git://git.alsa-conducting.org/alsa-utils.git
  • binutils from git://github.com/jiez/binutils.git
  • busybox from git://busybox.rep/busybox.git
  • linux from git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
  • uClibc from git://uclibc.org/uClibc.git

Furthermore, you show releases of:

  • mplayer and activity libraries (imported from svn)
  • openssh-5.2p1
  • openssl-Zero.9.8k
  • sshfs-fuse-2.2
  • gcc-core-Four.Four.1
  • ncurses-5.7
  • nethack-three.Four.three
  • zlib-1.2.three

These are every imported into git from their individual tarballs. I could maybe maybe no individual obtain actualised edition spend an receptor on repositories for ncurses or nethack, which is ground these staleness be imported. I started to spend gcc from their git repo, but essentially the smart gcc in git is fuck 50% slower for whatever reason, so I ditched it alongside with every their mixed loopy non-C compilers and pertinent imported gcc-core.

How to ordered up

To bootstrap every the pieces, you would mayhap requirement whatever call tools. Make portion that you show got a bottom of:

  • gcc
  • ar
  • ld
  • nm
  • objcopy
  • flex
  • bison
  • witness
  • ncurses call libraries (for kconfig)
  • gperf (for kconfig)
  • mpfr call libraries (will most ostensibly be merged in gittup within the raze)
  • gpm call libraries (will most ostensibly be merged in gittup within the raze)
  • zlib call libraries (will most ostensibly be merged in gittup within the raze)
  • qemu (must you acquire to show to streaming it in an emulator)

On Ubuntu circa 10.04, this staleness nonetheless suffice:

upright-uncover ordered up form-needed turn bison qemu gperf libncurses5-dev libncursesw5-dev attestator libmpfr-dev libgpm-dev zlib1g-dev yasm graphviz

Install tup

You would same tup, so ordered up that and ordered it to your line someplace.

Install kconfig

You moreover staleness add a patterned kconfig, which helps the pushd/popd directives. Right here’s so I amend no individual show to add the Kconfig recordsdata within the essence or busybox or wherever.

~$ git ikon git://gittup.org/kconfig.git
~$ cd kconfig
kconfig$ sheep init
kconfig$ sheep upd

And be portion you add tup-mconf and tup-conf to your line as nicely.

Download gittup.org

Now it would mayhap maybe maybe maybe be necessary to cloth your full distribution. Right here’s most 600MB continuance of clog to rep, so it would mayhap maybe maybe maybe be a while. Also you show got to add “git” and “tup” a unify of meg times, because every the pieces involves either git, or tup, or is titled after git and/or tup.

~$ git ikon git://github.com/gittup/gittup.git
~$ cd gittup
gittup$ git submodule init
gittup$ git submodule replace

Whenever you show to this level, you father gittup.org as commendable as I develop. Properly, I nonetheless father the enviornment identify, cuz I ponied up fuck 10 bucks for that, but I inform you show got every of the source, every of the history, add this shitty webpage. You are feat to moreover locate up every of it online someplace and commence your father linux distribution.

Constructing gittup.org

Anyway, today it would mayhap maybe maybe maybe be necessary to falsehood sheep and alter unitedly every the pieces. You show to set sheep as presently as. This sets the stem of the add directory where sheep module wager for recordsdata and road dependencies. Or no individual it’s kinda fuck git init, but for the add draw as a unreal of the edition spend an receptor on diagram.

gittup$ sheep init

Now it would mayhap maybe maybe maybe be necessary to configure the distribution. Right here’s carried discover with Kconfig, which you streaming by using ./menuconfig or ./oldconfig. The prototypal happening you streaming menuconfig, gratify locate the incoming plan alternatives:

  • ON: UNIX Kernel -> Same preceding Setup -> Initial RAM filesystem and RAM round (initramfs/initrd) toughen
  • ON: UNIX Kernel -> Same preceding Setup -> Configure selection essence aspects
  • OFF: UNIX Kernel -> Same preceding Setup -> Configure selection essence aspects -> Load every symbols for debugging/ksymoops
  • ON: busybox -> Coreutils -> mknod
  • ON: busybox -> Init Utilities -> init
  • ON: busybox -> Shells -> Rob your pick bomb -> ash
  • ON: gittup.org initial ramdisk -> Make initial ramdisk
gittup$ ./menuconfig

You are feat to moreover moreover pertinent commence with the happening config and draw it as you’re fascinating on:

gittup$ cp instance-tup.config tup.config

In the raze, you would mayhap add every the pieces. You are feat to moreover spend ‘tup upd -j2’ or digit abstract staleness you acquire to show to parallelize the compilation. Tup is parallel-tremendous, which is full candy.

gittup$ sheep upd

When you add maker recordsdata, Tupfiles, mercantilism the configuration, vantage things from git, or no matter, pertinent streaming tup upd to improve every the pieces up-to-date.

If you hap to acquire to show to spend a daylong artefact from the happening to construe the filesystem everytime you streaming tup upd, you would mayhap streaming tup’s built-in start be alive (this makes spend of the inotify interface). If you hap to uphold your computer, the start be alive staleness be restarted as nicely. You show to up the /proc/sys/fs/inotify/max_user_watches uncertain rather than doing this. Usually it in saucer of fact entireness for me with the pick 8192, and ofttimes I pertinent strike it to 65536.

gittup$ sheep be aware

Although the bomb returns straightforward after the be alive characterize, sheep module most ostensibly be environment up the initial filesystem database within the background. It finishes staleness you countenance the match carriageway “Initialized in X seconds.”

With the be alive running, you’ll requirement to nonetheless hit the plasticity to mercantilism whatever start within the draw and show tup upd commence recompiling within a unify of milliseconds. Obviously, hunting on the orbit of the adjustments, the actualised add happening module most ostensibly be commendable longer.

Running in qemu

Use the qemu.sh playscript to streaming the essence and initrd that you pertinent built. There would mayhap maybe be rarely this category of abstract as a stem filesystem image, since every the pieces runs from the ramdisk.

gittup$ sh qemu.sh

When it boots, ncurses generates whatever characteristic messages most /bin/terminfo.src, but after a cramped taste you’ll requirement to nonetheless hit the plasticity to advise start to show a shell. Then add nethack. First digit to move in nethack using gittup.org wins an autographed CD with every my selection MODs. I do undergo you are pondering: “How crapper I am feat up a CD of shitty music, autographed by whatever man I amend no individual know, who didn’t add indite the music?” I could maybe maybe no individual definitive it meliorate myself. Now show to ascending!

Saving your config

You would mayhap maybe nonetheless locate your tup.config start so that you would mayhap with discover travail build the organisation you pertinent built. Presumably the crowning belike organisation to amend that is to road it in git. If you hap to acquire to show to you would mayhap road it in a removed division and merge the gittup.git apprehension division into your topical branch. An deciding pick is to pertinent verify a countenance at it into the apprehension branch. It staleness no individual ever war, since I acquired’t near a start titled “tup.config” into the git repository. Nonetheless, staleness you state the apprehension branch, you’re feat to show messages fuck “Your division is nervy of foundation/grasp by X commits”, which module most ostensibly be bedevilment staleness you impart to amend correct call in gittup.org and beam me patches.

gittup$ git add tup.config
gittup$ git commit

Feel liberated to today manipulate with the config, but spend in nous that kallsyms and loadable essence modules are no individual but supported. Other alternatives that I amend no individual spend module most ostensibly be busted as nicely, since my playscript to alter Makefiles to Tupfiles is no individual perfect.

Routine updates

Periodically you would mayhap maybe moreover are disagreeable to commercialism to essentially the most smart version. This involves effort the firm adjustments onto your organisation with git, after which antiquity them with tup.

gittup$ git pull
gittup$ git submodule init
gittup$ git submodule replace
gittup$ ./oldconfig
gittup$ sheep upd

What gittup.org does that no digit added can

Make adjustments!

Harness the first-fee noesis of sheep to concoct adjustments to your draw — wherever within the draw — and spirited countenance the outcomes.

[marf@captainfalcon gittup]$ vi nethack/src/spell.c
[marf@captainfalcon gittup]$ vi busybox/coreutils/ls.c
[marf@captainfalcon gittup]$ happening sheep upd -j2
Executing Commands
[    0/9    ] busybox/coreutils/CC ls.c
[    1/9    ] nethack/CC src/spell.c
[    2/9    ] busybox/coreutils/LD built-in.o
[    3/9    ] busybox/LD busybox
[    4/9    ] nethack/LD nethack
[    5/9    ] initrd/bin/CP busybox
[    6/9    ] initrd/bin/CP nethack
[    7/9    ] initrd/MKINITRD
[    8/9    ] initrd/GZIP initrd
[    9/9    ]

right    0m1.571s
consumer    0m1.888s
sys     0m0.269s

Yeah, I’m marf. Yeah, my organisation is captainfalcon. Yeah, I pertinent altered the spellcasting in nethack because I change fuck it. Then I restricted ls to indicant “Sup bro, organisation to checklist these recordsdata”, because I acquire to be pleased when I checklist things, and because I fuck it when grouping study me “bro”1. Then I re-compiled apiece and obtained a firm initrd in fuck digit seconds. Dash nervy — are disagreeable and mercantilism the ls to your draw to indicant discover player messages for no reason!2 That you meet crapper no individual amend it!! Except for beatific you are streaming gittup.org. But staleness you are streaming gittup.org, ground don’t seem same you activity nethack or needlessly recompiling things pertinent for fun? Truly, how are you datum this webpage?? It would no individual add accomplish with a scheme browser.

1No individual in actuality compatible.

2Naturally, that is a metaphor for doing digit abstract vital, and having an actualised add draw to concoct it imaginable.

Mutter: If you hap to harmlessly mercantilism a start in gcc, it nonetheless takes steadily, because it recompiles every the pieces, since I amend no individual show sheep brief journeying builds, but.

Mutter: You are feat to ostensibly hold on a prototypal gift employed files of git to add your adjustments. You are feat to moreover potentially spend layout-patch to beam me patches, and I determine I crapper exist of them with ‘git am’ a framework or the other. Nonetheless, I’m no GitSu grasp, so I module potentially propellor it up and show to re-develop every the pieces fuck persistently.


Shall we noise your compy86 is streaming aesthetic, after which you change to show essentially the most stylish, and digit abstract breaks. You are feat to moreover spend git bisect crossways your *whole* linux organisation to obtain the send that poor it.

Mutter: It would mayhap belike substantially maybe moreover no individual impact crossways config adjustments, since sheep would no individual robotically streaming ‘oldconfig’ when a rattling great.

Mutter: I’ve never in actuality proven this, so we module pertinent favour it in saucer of fact works.

What gittup.org would no individual develop

In fairness, there are whatever things gittup.org would no individual develop. To illustrate, you would mayhap maybe moreover spend it to feeding the online. Properly, gittup.org crapper no individual amend that. Truly, every you would mayhap in saucer of fact amend with gittup.org is recompile things in saucer of fact speedily and endeavor nethack and wager movies with mplayer over sshfs.

Some things that in saucer of fact hold on fixing:

  • Crimson meat up arches mixed than x86 (I hardcoded whatever things… lazyness)
  • Kallsyms toughen within the kernel
  • Loadable essence modules

Some things that would mayhap maybe never be in gittup.org:

  • fabricate
  • makedepend
  • automake
  • autoconf
  • libtool
  • ant
  • scons
  • glibc

Read Extra

Gittup, a linux distro on top of git

Gittup, a linux distro on top of git

Gittup, a linux distro on top of git

git, hackers, linux, tech, technology, top
git, hackers, linux, tech, technology, top

Hiding direct material from Git + extra on trot sequences | TwistlockLabs Experiment | Twistlock

No Comments

Hiding direct material from Git + extra on trot sequences | TwistlockLabs Experiment | Twistlock


In my final submit I unconcealed a vulnerability I show in BusyBox when it comes to run sequences. The accede covers the hazards of much vulnerabilities and exhibits how they’d modify be insulted with equal terminals. After business the submit, I went on with my period to period initiatives, best player signal of the disorders with run characters. The mass instance I colourless git, I realized it haw substantially perhaps also be a actually attention-grabbing job for abusing run sequences.

First arena: git diff

The prototypal git figure I haw substantially perhaps change in that’s in generalized colourless by git customers is git-diff, invoked by “git diff”. For those product with git diff, it’s a daylong artefact a agency that compares digit commits (or the employed tree) and displays the changes between them. I’ve for my deal institute myself relying on it whatever instances, especially when employed with repositories that had been not cloned to GitHub, nonetheless also precise on news of it’s rattling accessible to find spend of.

Sadly, git diff fails to alter every kinds of run sequences. Some sequences in enter table are printed to the terminal, as a termination placing git customers at a menace.

To provide git whatever credit, there is most a cleaning attractive place of abode. In my attempts to indite a PoC I unconcealed that sequences to cancel characters or change the place of address of the indicator had been eliminated by the device. In my older accede I talked most a aggregation of the arts tangency vulnerabilities, the spend of parts equal to garment parcel or denomination altering. These vulnerabilities is presumably not printed with git diff.

On the assorted hand, whatever sequences had been mitt untreated, equal to ones colourless for foodstuff textual candid touchable or another illustration run sequences. I conceive most there haw substantially be zero-day tangency vulnerabilities with the run sequences which haw substantially be allowed.

Even with discover whatever tangency concern, by the spend of unexceptionable info sequences, digit haw substantially perhaps add backdoor cipher to a enter that wouldn’t be viewed within the diff, by the spend of the textual candid touchable hiding run sequence! In that arrangement, a send which module seem trusty haw substantially perhaps keep vindictive cipher inland it.

See a PoC of much an move (repo on GitHub):


Certain, that cipher haw substantially perhaps rather or after be institute by the builders when reviewing the cipher with a textual candid touchable editor, nonetheless the effect haw substantially perhaps modify be dangerous if a backdoor makes it into modify digit edition of a favourite project. Trim attackers haw substantially perhaps but as successfully bonded methods to avow it’s not institute by the builders.

Git log

Forward of forthcoming git diff, my prototypal intellection utilised to be to append an run ordering to a send message. No uncertainty among the most generalized and generalized tools git offers is git-log, titled by employed “git log”. It is colourless by whatever builders and customers to appraise changes prefabricated to a repository. If run characters aren’t sanitized, whatever send communication in union with run sequences haw substantially be parsed by every of the intimate customers upon datum the repository’s change log.

Steady aforementioned git diff disorders, here’s which that you haw substantially assume in nous best with whatever run sequences. Cursor keep an receptor on and aforementioned sequences are eliminated. In git index messages nonetheless, there isn’t enthusiastic that haw substantially perhaps rattling successfully be executed with unseeable candid material, so the danger here precise entails tangency vulnerabilities.

Other tools

Moreover the 2 talked most above, I regarded into another git tools I undergo to bonded if they accept unsanitized candid touchable to be printed to the terminal. The tools I unconcealed disposed had been not carefully as unwholesome as the older ones, and crapper best be insulted when an assailant has autochthonous create entering to to a git repository. I prefabricated up my ideas to study them nonetheless.

First, I unconcealed that git-rm, titled with “git rm” haw substantially perhaps but indicant run characters when merged in a file’s name. When employed git rm, git responds by publication the study of the recordsdata that had been eliminated. If there is a topical enter that entails an run sequence, it haw substantially substantially substantially printed and parsed by the terminal. To breed, find a enter with run sequences in it’s name, equal to:

touch `echo -e "e[45mTwistlocke[0m"

Then add the enter to a git intimate and ado “git rm *” on the intimate (or whatever regex that haw substantially perhaps spend the enter and hold absent it). The study haw substantially be printed to your terminal, in union with the run sequences in it.

The 2d anxiety is with division names. On the total, run characters aren’t allowed for division names. On the assorted hand, I unconcealed that it’s which that you haw substantially assume in nous to create the git-branch figure to indicant run characters by in union with them within the study of a official file. I don’t stingy to statement for on git repositories’ cerebration here as I’m product with it myself, nonetheless I find undergo official recordsdata are merged in every git repositories, and that digit in every these recordsdata entails division names.

To lineage what I did, find a enter on your .git/refs/heads organisation and include your explosive within the filename. Shall we thunder:

touch `echo -e ".git/refs/heads/e[45mTwistlocke[0m"`

Upon employed “git branch” you’re feat to countenance the incoming message:

"warning: ignoring official with dilapidated study refs/heads/Twistlock"

The run ordering haw substantially be parsed within the tangency when that communication is printed.

Git’s builders decide

I dispatched an consultatory to git’s security transmitting checklist, organisation the amount disorders I armored above. The origin responses I conventional had been skeptical. No uncertainty among the declaration taught that the same anxiety haw substantially perhaps modify be reproduced with cat, so it’s not git’s concern. I argued that here’s digit abstract that git staleness stilly trade, as allowing run sequences provides no correct attach to git customers as a daylong artefact as I’m fervent.

For my share, I concord that the antecedency of run sequences is of tangency emulators, and never interface capabilities. Undoubtedly, having which that you haw substantially assume in nous zero-day vulnerabilities and customers employed noncurrent instrument, it’s doubtlessly the literal for distributed tools equal to git so that you haw substantially perhaps add whatever candid touchable cleaning blockading the spend of these sequences. As I showed in my test submit, CVEs had been appointed for capabilities aforementioned Apache, nginx, Ruby and others for the same concern.

The talking is stilly ongoing, nonetheless it’s been united that we staleness stilly end the talking public, contemplative most the antecedency of run sequences isn’t firm to somebody.


As shown on this accede and the older one, run sequences aren’t digit abstract to impact lightheartedly. The spend of vulnerabilities, vindictive customers crapper shout them to cease cipher on disposed customers, or rely on trusty sequences to untruth to incautious customers. We are healthy to keep our @TwistlockLabs Twitter steer updated on this concern. Follow us for player on this and another section updates!

← Again to All Posts

Subsequent Put up →

Be taught More

Hiding direct material from Git + extra on trot sequences | TwistlockLabs Experiment | Twistlock

Hiding direct material from Git + extra on trot sequences | TwistlockLabs Experiment | Twistlock

Hiding direct material from Git + extra on trot sequences | TwistlockLabs Experiment | Twistlock

direct, experiment, extra, git, hackers, material, sequences, tech, technology, trot
direct, experiment, extra, git, hackers, material, sequences, tech, technology, trot