Mid 2026 recap: coding, conferences, and workshops

📝 Too Long; Didn’t Read We are already at the halfway mark of 2026, and these first six months have been intense. Between coding, conferences, and workshops across Europe, I worked on systems management, green computing, local AI, and software security. This post is a recap of the projects and talks that shaped my February-to-June journey. 🛠️ February to May: deep dive into the Uyuni project For the first four months of this year, my main engineering focus was almost entirely dedicated to the fascinating world of the Uyuni project. If you have not had a chance to work with it yet, Uyuni is an incredibly powerful, completely open-source configuration and infrastructure management solution. It originally started as an evolution of Spacewalk, and today it serves as the upstream community project that feeds directly into SUSE Multi-Linux Manager, which was formerly known as SUSE Manager. ...

June 14, 2026 · Andrea Manzini

Flatpak: unboxing the sandbox

📦 That new package smell We’ve all been there: you see a shiny new app on GitHub and you want to “unwrap” it immediately. But in the traditional Linux world, opening a package often feels like opening a box of glitter in your living room—before you know it, dependencies are scattered everywhere, and you’re still finding weird library versions in /usr/lib three months later. This is why I’ve started reaching for the Flatpak. It’s like an unboxing experience where the box stays a box. You get all the “goodies” inside, but the mess stays contained. Let’s see what happens when we tear off the shrink-wrap. ...

May 3, 2026 · Andrea Manzini

Landlock idiomatic sandboxing in Nim

👋 Intro If you have ever spent time hardening Linux applications, you probably know the frustration of the all-or-nothing permission model. In the standard Linux environment, once a process starts running, it usually has far more filesystem access than it actually needs. While we have tools like seccomp, chroot, or heavy-duty modules like SELinux and AppArmor, they often feel too complex for simple, application-level sandboxing. Landlock changes this. Since its merge into the Linux kernel in version 5.13, it has become a game-changer for developers. It allows a process to restrict itself without requiring root privileges, moving security away from global system policies and directly into your application code. ...

April 9, 2026 · Andrea Manzini

Playing with Linux kernel capabilities

🔐 Intro As an experienced sysadmin, you might be familiar with the traditional “all-or-nothing” approach: if a shell or process is running with UID==0, it can do almost everything on a system; while a plain user process is restricted by some means: typically it can’t open RAW sockets, can’t bind “privileged” ports under 1024, can’t change a file’s ownership and so on. Linux capabilities is a feature, gradually introduced starting from kernel 2.2, that permits a more fine-grained control over privileged operations, breaking the traditional binary root/non-root distinction. Just as by using sudo we can run specific commands as another user (even root), without permanently becoming that user, by using capabilities, we can grant a program only certain privileges without having to run it as root. ...

August 2, 2024 · Andrea Manzini

This site does not use cookies or collect any personal data. © 2026 Andrea Manzini.