My package management cheatsheet

Lately I’ve been hopping between projects that use different Rust, Python, and TypeScript package managers, and I kept having to turn back to documentation to keep their subcommands straight when switching from one back to another. So I made this cheat sheet for my own reference, and I might as well share it with the class too…

Project dependencies

Common package management tasks include:

  • Prepare clone, or ensure the dependencies needed to work with the project are installed, such as after newly cloning the project’s sources.
  • Audit checks the current dependency versions against a public database for known security vulnerabilities.
  • Any outdated checks whether any dependencies have newer versions currently available, among either direct or indirect dependencies.
  • Compatible outdated checks specifically for newer available versions that are compatible with the project’s dependency specification.
  • Add adds a new regular dependency to the project, and add dev adds a new development-only dependency. This step includes locking the dependency.
  • Update brings an application’s locked packages up-to-date with the latest compatible version.

In the package managers I’ve been using lately, these look like:

  cargo uv pip-tools [1] pnpm
Prepare clone N/A uv sync (optional) pip-sync dev-requirements.txt pnpm install
Audit cargo audit [2] uv run pip-audit pip-audit pnpm audit
Any outdated cargo outdated [3] uv tree --outdated pip list --outdated [4] pnpm outdated
Compatible outdated cargo update -n uv lock -Un pip-compile -Un pnpm outdated --compatible
What requires cargo tree --invert uv tree --invert --package pipdeptree -r -p pnpm why
Add cargo add uv add Manually add to pyproject.toml, then run pip-compile pnpm add
Add dev cargo add --dev uv add --dev Add and run pip-compile pnpm add --save-dev
Update cargo update uv lock -U pip-compile -U pnpm update

Read more…

Tags:  code;

Juggling multiple SSH_AUTH_SOCKs in tmux

This post is about a portable Unix shell script, socklink.sh, written to keep SSH_AUTH_SOCK working within a long-running tmux session—even when switching between multiple clients that have different SSH agents, whether those clients are simultaneously connected or attaching and detaching over time. I also digresses into what I’ve learned from writing and testing a cross-platform shell script in 2025.

Target audience

If you’re reading this I’ll assume you have some knowledge of Secure Shell agent forwarding and how the SSH_AUTH_SOCK environment variable works. I also expect you already have SSH clients configured to use agent forwarding.

The problem

I use tmux almost everywhere I SSH to. I’m also a fan of hardware tokens with proof-of-presence for SSH authentication. [1]

But out of the box, this combination introduces major usability problems when I connect to my dev server from multiple clients. SSH agent requests need to be directed to whichever client I’m currently using so that I can provide proof-of-presence, like by touching the contacts on a YubiKey or using Face ID in Termius. However, in practice the request will go to whichever agent was defined when tmux started. Even if that one is no longer connected!

Diagram of a dev server use case

Different workarounds for scenario this have emerged. A previous employer had a wrapper script called tmx that would fix up SSH_AUTH_SOCK when re-attaching a session from a new client. Meanwhile, this popular gist uses ~/.ssh/rc to override SSH_AUTH_SOCK to the path of a symlink that can be updated as new clients connect. Other solutions involve configuring tmux’s update-environment to reconfigure the session-wide environment when new clients join.

Read more…

Tags:  code, unix;

In love with the BBC micro:bit

I finally got my hands on the micro:bit, the BBC’s new educational computer and spiritual successor to the legendary BBC Micro, and I’m absolutely in love with its potential as a platform for learning how to code.

The bottom side of the micro:bit, showing chip layout, pins, port, and reset button.

A lean (but not mean) learning machine. I like how the parts are all clearly labeled, as if to say: “There is no magic here. Everything that makes this board work can be understood.”

The platform

Microcontroller-based devices like the micro:bit offer some advantages over PCs as a tool for learning about programming. They can be connected directly to a variety of interesting peripherals to motivate experimentation. More importantly, they provide what is, in contrast, a radically simple programming environment: there are no operating systems, threads, processes, filesystems, or virtual memory to hinder a true understanding of what it means, in the most basic sense, for your program to run on a computer. When coding a microcontroller it is (to a certain extent) just you and the CPU.

On the other hand, it can take some effort to get up and running with most microcontrollers’ development environments. Even beginner-friendly kits like the Arduino will require special software and drivers to compile and load your firmware, which can make them a non-starter for some classrooms or casual beginners. And once all that’s set up, you’re likely going to be programming the thing in a dialect of C—not the most approachable choice for a new programmer.

So I’m delighted that the micro:bit delivers all the advantages of a microcontroller while providing an extraordinarily easy to use development system.

Read more…

Tags:  code;

WhatsApp is secure

Recently the Guardian published a story falsely claiming the existence of a “backdoor” in WhatsApp. They have since edited the article to instead refer to the behavior in question as a “vulnerability”, but even this is only true in a very specific and limited sense—a nuance absent from the paper’s bombshell presentation of the finding and which, unfortunately, much of the story’s audience will not understand.

This article risks grossly misleading people into abandoning an end-to-end encrypted and forward secure messaging app in favor of materially less-secure alternatives, so I feel it is important to point out:

  1. WhatsApp is among the most secure mainstream options for messaging.
  2. For the vast majority of users, the behavior described in the Guardian’s story does not detract from the real-world benefits of WhatsApp’s implementation of the Signal protocol.
  3. Sending messages over WhatsApp is strictly more secure than SMS.

Zeynep Tufekci wrote a wonderful open letter explaining the problems with the Guardian’s story and calling for its retraction. This letter is signed by more than 60 leading cryptography and security researchers and professionals, and is well worth a read if you’re interested in why this story is so …

Read more…

Tags:  security;

Pelican

I finally got around to modernizing this old site, which has included moving from WordPress to a statically-generated, Amazon-hosted site based on Pelican and Bootstrap 3.

I’ll write more about the site’s implementation later because I ended up diving into different areas I think are worth documenting, such as extending Pelican via plugins and some specific issues with hosting a static site on top of Amazon AWS. For now, suffice it to say that if you find any files missing please let me know, as this is probably something I’ve simply forgotten to copy over to the new site.

(Support for IE 8 and older is right out, on the other hand; use IE 10 or better to preserve your sanity.)

Tags:  web;

Debugging the OpenBSD kernel via QEMU

Recently I had to track down a minor bug in the OpenBSD kernel. I tapped QEMU and GDB as debugging tools for the task, running on Ubuntu 12.04 as the host OS. This combination worked extremely well, so for the record here’s how I set it all up.

OpenBSD comes equipped with two kernel debugging mechanisms: ddb and kgdb. ddb(4) is an in-kernel debugger, enabled by default in the GENERIC kernel, and can be invoked either explicitly from the console or automatically in the event of a panic. It is analogous to the Linux debugger kdb in that it can be used to set breakpoints and examine the stack or register state, but (like kdb) it is not a source-level debugger.

For source debugging there is kgdb(7), which offers the ability to remotely debug the kernel by way of a GDB stub running over a serial port; this is similar to the Linux debugger kgdboc. However, kgdb it is not available in the GENERIC kernel, and it imposes an additional set of configurations and debugger latencies on the user. If your debugging task is amenable to running OpenBSD within a virtual machine, as mine was, then …

Read more…

Tags:  computers, unix;

Pagination