Let’s rebuild Nginx with CVE-2026-9256 patch according to the Debian-way.

Debian Nginx CVE-2026-9256 1600x900 CVE-2026-9256.png

A critical vulnerability in nginx allows remote code execution with the privileges of the nginx worker process by sending a specially crafted HTTP request.
But that’s not the point.
The problem is that Debian maintainers are in no hurry to release a new patch package.

apt --no-install-recommends \
    --no-install-suggests install \
    build-essential \
    fakeroot \
    devscripts

nano /etc/apt/sources.list

# trixie sources
deb-src https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security/ trixie-security main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware

Critical remote vulnerability...

You were given the choice between security and convenience. You chose convenience, and you will have neither convenience nor security

Security Engineer imported a malicious script to his account 1280x1080 nice-security-engineering_exw.png

Only six months had passed, but the news feed continued to bring new funny vulnerabilities.
As usual, I don’t focus on system vulnerabilities in snapd / Rust Coreutils / Flatpak, or kernel (Copy Fail, Dirty Frag, Fragnesia, pidfd, PinTheft, GRO Frag) or AppArmor.

No matter how dangerous they may be, they are “conditionally” passive, meaning that if they are present, a number of factors and active actions from within or outside are required for successful exploitation.

I’m much more interested in tracking compromises of package distribution systems, libraries, and other package repositories.

Because these are “active” and direct attacks, they require almost no combination of factors; after downloading, they will immediately hit the developer’s repository, then collect their personal/financial/authorization information, and then continue to act in a chain fashion on all servers to which they had access.

You were given...

Connecting to isolated system environments using Waypipe

A Right Mental Attitude 1200x1000
aluminium-tin-foil-hat_exw.jpg

Continuing with the previous boring opuses about environment isolation, it’s time to remember Wayland.
Of course, this is not a call to action, but just simple examples and reflections.
I personally adhere to a philosophy where the user is the center of the system, and he has the right to configure everything as he sees fit, and not as it is imposed by general trends, or as it is implemented in a specific distribution, at the same time understanding and accepting all the risks and consequences of these actions.
As the saying goes, “If you know what you are doing.”

And before we begin, it’s worth writing again that:

Yes, I understand that this is all very superficial.
Yes, any connections to the local graphical shell are not allowed for anything dangerous, and you must use VNC or virt-viewer/spice.
Unprivileged LXC should be replaced with Xen / KVM
And yes, I know that it is possible to breakout from KVM isolation too.
I know about Flatpak.
And finally, yes, I have known about Qubes OS and its architecture, let’s say, since its inception, which was 2010.

And, simplifying and adapting QubesOS ideas to my everyday needs, I prefer to use either other local users or lightweight unprivileged LXC environments.

And yes, I don’t run anything potentially dangerous in them, but rather something that many of you use directly under your system account, for example:

Firefox for everyday use and casual browsing.
Several projects using packages from PyPI, RubyGems.
Separately, what I compile from sources from GitHub.
Third-party programs, such as element-desktop, Telegram, Zoom.

Connecting to isolated...

Installing Debian on a RAID with LUKS encryption, ZFS root, and booting from USB with Detached Header

LUKS encryption with Detached Header file on USB drive 5504x3096 luks-encrypted-brick.jpg

Introduction from afar

Not long ago I felt nostalgic inside FreeBSD again, everything is wonderful, everything is familiar, everything is convenient.
There is just one point that completely rules it out from desktop use, at least for me.
On almost all my laptops, FreeBSD does not support either sleep or standby modes (s2disk/s2ram).
And I couldn’t do anything with the hardware/drivers/ACPI, but I tried a lot.

Without standby mode, it is completely impossible to use a laptop, since after transportation, you need to load everything again, turn it on, and restore a complex work session.
And I only reboot workstations after applying updates that require it.

One of the many nice little things that Beastie has that Debian lacks is ZFS Boot Environments, this is somewhat more convenient than, say, LVM snapshots.
And the second is GEOM_ELI, which supports not only, like LUKS, the OR password OR key mode, but also supports password WITH key mode.

I thought and thought, and decided to deploy Debian from scratch, taking into account all the tools I use, my experience, and, importantly, my habits.

Debian is still my main system, so the only way to get a hardware (physical) encryption key in addition to the password is to make it from the header and place it on a bootable USB flash drive.

Installing Debian on...