Untitled Linux Show 255 Transcript

Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.


Jonathan Bennett [00:00:00]:
This week we're talking about GCC 16 and the surprising advantages it brings. Photo Flare has an out of nowhere update. Linux has something of a security problem, but Windows has a security nightmare on its hands and Debian is insisting on reproducible builds. All that and more. You don't want to miss it, so stay tuned.

Ken McDonald [00:00:22]:
Podcasts you love from people you trust.

Jonathan Bennett [00:00:27]:
This is Twit. This is the Untitled Linux show, episode 255, recorded Saturday, May 16. End of the eight bit era. Hey folks, it is Saturday and you know that means it's time to get geeky about Linux. We're back. I'm back. I missed the week last week because I was kneeling before the porcelain throne with the rest of my family for the weekend. But we're thankfully over that and I am back feeling pretty good and we're going to talk about Linux and I've got a couple of guys here to do it with me.

Jonathan Bennett [00:01:01]:
I got Ken, I got Jeff. Welcome to the show, each of you.

Ken McDonald [00:01:06]:
Well, glad to see you back, Jonathan.

Jonathan Bennett [00:01:08]:
Oh, it's good to be back and

Ken McDonald [00:01:10]:
I hope everybody's over whatever was passing through.

Jonathan Bennett [00:01:15]:
Kids are almost over it. It was, it's, it's been a week

Jeff Massie [00:01:18]:
but we're here and I'll say it's good for me to be back too. I missed, missed the show but I was on, on some helping a relative

Jonathan Bennett [00:01:27]:
who's off on family duty for a couple of weeks. Yes, yeah, yep, absolutely.

Jeff Massie [00:01:32]:
Oh, and just so everybody knows, if I sound a little stuffy or anything, I don't have an illness. It's. Our pollen count is like 389 or something like that. It's just ridiculous.

Ken McDonald [00:01:42]:
So in other words it's seasonal.

Jonathan Bennett [00:01:45]:
If you could, if you could just bump those numbers up a little bit, you could do the meme that it's, it's, it's over 9,000 rookie numbers.

Jeff Massie [00:01:53]:
Yeah, well outside everything's like in, covered in yellow from the pollen. So it's like indeed couldn't imagine, you know, I guess, I guess if it over 9,000 I'd just be wading through it. It'd be like snow, you know, pollen everywhere.

Ken McDonald [00:02:08]:
We'll probably have cottonwood trees letting go of their.

Jonathan Bennett [00:02:14]:
Thankfully those have all been cut out of my neighborhood. When we first moved here there were some of those. It was real bad for those that are not in this part of the country. Cottonwood it actually there's a male and a female cottonwood tree. I think it's the male that has the, it puts off like Little bits of fluff and it's essentially, it's pollen. But yeah, it looks like cotton floating through the air and it gets stuck in the air conditioners and it's such a mess.

Jeff Massie [00:02:37]:
It can, it can look like a blizzard in June.

Jonathan Bennett [00:02:41]:
Indeed.

Jeff Massie [00:02:41]:
From all the cotton.

Jonathan Bennett [00:02:42]:
Yeah. Now finally, the last guy that had one in the neighborhood cut his down a couple of years ago and we were all thankful.

Jeff Massie [00:02:48]:
And a lot of cities won't even let you plant cottonwood or if. Unless it's the one that doesn't produce

Ken McDonald [00:02:55]:
the cotton, the female.

Jonathan Bennett [00:02:58]:
Yeah. All right, well, something else that someone else is we are all thankful for is that GCC 16 is about here and Jeff has the story. What is new? What are we thankful for with GCC16?

Jeff Massie [00:03:14]:
Well, GCC 16.1 arrived at the end of April as the newest major release of the GNU Compiler Collection. And early testing showed it delivered faster performance than GCC 15. Now, continued benchmarks confirm that GCC 16 consistently produces quicker binaries when using the same hardware and the same optimization flags. Now to see how it compares more broadly, Michael Larabel over at Phoronix evaluated GCC 16 against both GCC 15 and the current LLVM Clang 22 compiler. Now, all tests were run on a powerful System76 Thelio Major workstation, so equipped with an AMD 64 core Ryzen Threadripper 9980X processor and 128 gigabytes of RAM. So not your normal gaming machine. Now, Fedora Workstation 44 was used for the testing, which is. Now that's different because usually Michael's usually putting on Ubuntu, but he used Fedora this time because it was the first major Linux distribution to ship with GCC 16 as its default compiler.

Jeff Massie [00:04:30]:
GCC 15 and Clang 22 were also installed from the Fedora repositories. So just just to produce a fair and reproducible comparison. So it's just basically out of the box how it's handed out in Fedora now. And every compiler was tested with the same optimization settings. They used the -O3 and the -march=native. So otherwise bone stock. Now, looking at the benchmark results, it's rather interesting to me how GCC stomps all over Clang on some tests and then in others Clang leaves GCC in the dust.

Jeff Massie [00:05:13]:
Now, a lot are fairly close, but there are some definitely, you know, there's some outliers now looking at the geometric mean, which removes some of the effect of the flyers on the data at the overall GCC 16 came out on top with a close second place finish in with Clang 22. Not terribly far behind was GCC 15. So while it didn't do terrible, you know, it was, it was behind and the slowest out of the three. Not catastrophically so or anything like that. It was, you know, maybe 5 to percent slower roughly. Now I do want to mention that these benchmarks were geared to the Threadripper, meaning they were heavy into encoding, decoding, ray tracing, you know, and other numerically intensive tests. No games or other desktop software like Office workloads were tested. You know, I guess unless you're really into signal analysis and data mining, you know, but so when these, say these are faster, keep in mind that these are the heavy duty workloads, you know, for your browser and things like that, you're probably not really going to see a difference.

Jeff Massie [00:06:25]:
Now I say GCC 16.1 because GCC arrived the 16.1 as the first stable release of this year's major update to the GNU Compiler Collection. Now it brought a wide range of improvements and new capabilities. It has better error messages, including experimental HTML based output. Adds a brand new front end for the ALGOL 68 programming language. GCC 16.1 also expands its platform support with picolibc integration, ARM AGI CPU targeting, early support for AMD's Instinct MI300 accelerators, and there's even initial support for the upcoming AMD Zen 6 processors. Now on the language side, GCC now uses C++20 standard as its default and it includes many enhancements for both C and C++. Take a look at the article linked in the show notes for more details on the benchmarks and see if a new compiler is in your future.

Jonathan Bennett [00:07:36]:
Yeah, I think most of us will just sort of get it by default by upgrading to Fedora 44 with the Ubuntu version that comes with it. Whether that's, I don't know. What will that be? 26.10? Maybe someone that'll ship with it?

Jeff Massie [00:07:50]:
Yeah, probably. Probably. 26.04 is an LTS, so they're a little conservative, at least with a lot of software. The kernels, they've been becoming more aggressive, but compilers a lot of time will be an optional upgrade later if you really want it, but usually they're a little slower.

Jonathan Bennett [00:08:16]:
Yeah, yeah, interesting. All right, cool to cover. Looking forward to, you know, the laptop here I do the show on. It's a Framework, the Framework 16 and I was about to do the upgrade to Fedora 44 and then a buddy of mine is like, hey, are you running 44 yet? None of my USB ports work on my Framework after I did the upgrade. Maybe I better wait. So I'm holding off a little bit

Jeff Massie [00:08:39]:
longer, or at least after Saturday.

Jonathan Bennett [00:08:42]:
Well, for me it's after I get back from this upcoming trip. So I'm doing the Abanti Summit. This laptop I'm bringing, I'm going to try to do my slides from and I'm going to try to do a live demo. And so, you know, I'm. I'm praying and sacrificing things to the demo gods to try to make.

Ken McDonald [00:08:56]:
So maybe put it off till June.

Jonathan Bennett [00:08:58]:
Yeah, yeah, put it off until June. That's about the way that it's going to go.

Ken McDonald [00:09:00]:
Maybe there'll be opportunities to get some updates that may correct that issue.

Jonathan Bennett [00:09:07]:
I would hope. I would hope.

Ken McDonald [00:09:09]:
And I may be covering one way to do that later in the show.

Jonathan Bennett [00:09:13]:
Interesting. Well, there is an update that you are ready to cover and that is Photo Flare. And I've got to admit, I don't know what Photo Flare is. I'm assuming it has something to do with photography, other than that I'm not familiar with it, so. Ken, take it away.

Ken McDonald [00:09:28]:
Okay. Now by taking it away, I'm going to go ahead and refer to Bobby Borisov's off art article since he's the one that wrote about the first release in years. I repeat, years multiple for the lightweight image editor for quick photo edits, simple graphics work and basic image adjustments. What am I talking about? Photoflare, and in this case it's version 1.7. Now it's arriving more than six years after Photoflare 1.6, which was released back in September of 2019. Now I did a little digging and according to the project's blog, development slowed due to real life commitments, but the app has returned with a much larger update than a routine maintenance release. Also, according to the Photoflare roadmap, this project was born as version 0.3 and with the name Big Birth back on March 30, 2015. Oh my goodness, 11 years ago now.

Ken McDonald [00:10:38]:
It was inspired by the image editor PhotoFiltre that somebody had come out with for Microsoft Windows. Excuse me. According to Bobby, the headline change is the move from Qt 5 to Qt 6. The migration removes deprecated APIs, updates the build system and refreshes Linux Snap and Flatpak dependencies. It also improves high DPI scaling with additional work on scaling policy, tool cursors and canvas selection behavior on high density displays. Photoflare 1.7 also introduces a rewritten canvas rendering pipeline based on a dirty zone editing model, which significantly improves painting and filter performance, especially on larger images where the previous canvas could become sluggish or memory heavy. Another major addition is G'MIC integration. Now the actually the correct name for the open source image processing framework this refers to that was developed by researchers at the CNRS in France is GREYC's Magic for Image Computing.

Ken McDonald [00:12:03]:
It's just the initials from all that.

Jonathan Bennett [00:12:08]:
It's easier to type out G'MIC.

Ken McDonald [00:12:11]:
Now, Photoflare ships with a custom build of its Qt interface, so the whole thing works without any extra downloads or setup, and provides a searchable library of over 500 filters, categorized, previewed in real time and completely free. Since I don't want to spend the next 10 minutes going over every detail in Bobby's article, I do recommend reading it at your leisure.

Jonathan Bennett [00:12:40]:
Yeah, very cool. I'm not. I'm not familiar with this particular tool, but a, you know, a quick and lightweight photo editor with a bunch of different filters. It sounds pretty interesting.

Ken McDonald [00:12:48]:
Yes.

Jonathan Bennett [00:12:49]:
I meant to go grab it and add it to my toolkit and when

Ken McDonald [00:12:53]:
I finish setting up so I can easily dual boot between Ubuntu 25.10 that I've currently own and Ubuntu 26.04 that I've got on the other partition, I may play with it as well.

Jonathan Bennett [00:13:07]:
Yeah, yeah, very cool. Sounds great.

Jeff Massie [00:13:09]:
I hope they stick with it after such a big break in there and it's not an update and then another several years.

Ken McDonald [00:13:18]:
Well, for those who are looking for a commercial option, he's also got a Photo Flare studio that he's working on that you can purchase.

Jonathan Bennett [00:13:27]:
Yeah, that's interesting. I wonder if they're sharing source between the two and so it's a little bit of a freemium open core model. I mean, not that that's a terrible bad thing. I've seen companies do that well and I've seen companies do it very poorly.

Ken McDonald [00:13:45]:
I think what he's got with that is some features that's not in the free flare. Photo Flare itself.

Jonathan Bennett [00:13:53]:
Yep. Yeah, exactly. That's almost word for word the definition of open core, but that's. That's.

Ken McDonald [00:14:02]:
All right.

Jonathan Bennett [00:14:02]:
All right, so we've got some security stuff to cover the security. The security parade never ends around here and we're going to get into that. Several things to talk about there, but we'll do a quick break first. We'll be right back.

Ken McDonald [00:14:16]:
Good. I need to get something to popcorn to eat.

Jonathan Bennett [00:14:25]:
So there are interesting things afoot in the world of Linux security and security in general. So over in Linux land we've got, well, it's being called the SSH key sign pwn, which is not very accurate of a name because it doesn't have anything to do with SSH at all. It is in fact another sort of follow on to the Copy Fail and Dirty Frag and Fragnesia. I think we've talked specifically about the first two of those. Fragnesia is just another one that does something similar. This one is a little bit different because it uses a different mechanism to leak information. This is actually a race condition. What's happening is first off, we have to talk about suid binaries.

Jonathan Bennett [00:15:22]:
We've discussed this before, but essentially an suid or setuid binary that's something like ping is one of the super simple examples. So for ping to work, it has to get a raw socket to be able to send this sort of custom bit of code out the network port. You can't do that as a regular user. But people want to be able to send pings. And so when you run the ping command, what technically now with ping in particular, it doesn't use suid anymore, it uses capabilities, I think, but, but we're going to ignore that little detail. So when you run ping, the ping binary basically becomes root for a moment and it does the thing that it's supposed to do and then it closes. And that's the way that you get to send this raw socket data out your network pipe. Sudo, for example, does the exact same thing.

Jonathan Bennett [00:16:21]:
When you run sudo, sudo itself, it starts running, it becomes root, and then it checks to make sure that you, the user are allowed to do the thing that you've told it to do. And so there are a bunch of applications under Linux that work this way. They're the suid applications. What was discovered is that when an suid application like this opens a file, sometimes the order in which it closes the file is not ideal. And this happens in the kernel. And so it, it's, it's the memory descriptor being detached versus the file descriptor table closing. So those are two different things that happen in the kernel when the.

Jonathan Bennett [00:17:10]:
When basically when the program is done running and starts shutting down. And so there are these things that, that, you know, they happen in order. Well, it turns out there's a little tiny gap of time in between those two things happening. Your memory descriptor detaching and the file descriptor table closing. And during that gap of time, what can happen is another program can come along and open its own file. Sort of it's like it fakes a file opening and then there's the possibility that it will get the same file descriptor. Basically it's cloning that same file descriptor and because that's not been closed out of the table, it can then say hey, I'm an suid binary, let me do the thing.

Jonathan Bennett [00:17:58]:
And the kernel goes oh yeah, we checked this out, it's fine, do the thing. And so it essentially what it allows is a low privileged user can read any file as root on the file system. Essentially what it allows you to do does not write, but you can read, which is enough to really cause problems. Pretty, pretty bad vulnerability. The real bad thing about this one is that I don't think this one is fixed yet. There is a public proof of concept. There is a CVE for it. I don't know.

Jonathan Bennett [00:18:37]:
I don't know that there's actually a patch available for it yet. And so there were maybe in some cases there are upstream fix. Let me look here. We do indeed have an upstream fix. It landed on the 14th, so a couple of days ago, decent chance it's not in your kernel yet. So watch for that to come out. So that's in Linux land. That is the, that is the latest problem, the latest escalation of privilege problem that has been found, reported, working on getting fixed. Now I know there's been several of these in Linux recently.

Jonathan Bennett [00:19:16]:
So much so that like Ars Technica ran an article basically saying what in the world's going on in Linux? And I think we could talk about what it is and the fact that, you know, AI security research has a lot to do with these. But that other operating system that we don't talk about very much, it has a catastrophic failure in security that is just. It's catastrophic. I don't know if I can, I don't know if I can overstate how bad this is. And that is that Windows 11 BitLocker can be completely bypassed simply by plugging in a USB key from a stone cold turned off machine. All right. And so the exploit is named yellow key. It was published by a researcher known as Nightmare Eclipse.

Jonathan Bennett [00:20:11]:
Yes, hackers and computer people, we sometimes go by weird names. Apparently Microsoft ticked this guy off by considering, I don't know the full story. I don't think the full story has been published yet. But it's something like he found a security vulnerability and Microsoft's like no, no, no, no, this is just a regular bug and they like stealth patched it and wouldn't give him any credit for it. And so he got really ticked. And so I don't know how long he's been doing this, but he's sort of made it his life's work to make Microsoft look bad in the security department. It's kind of hilarious, but. So Windows 11 BitLocker, let's talk about this briefly on Windows, the way BitLocker tends to work.

Jonathan Bennett [00:20:58]:
So on the Linux side, like LKMS, the. The. Is that the right acronym? LKMS, that may not be the right acronym. Anyway, the Linux equivalent where you do full disk encryption, it asks for basically an encryption password. And you have to type that in at first boot. My laptop's set up that way, you know, you turn it on and the very first thing it does, it asks you for a password to be able to decrypt the hard drive. On Windows, they don't want. LUKS. Yes, thank you.

Jonathan Bennett [00:21:33]:
So on Windows, they don't want to do that. They use the TPM, the Trusted Platform Module. And so you set up BitLocker, it talks to TPM and the TPM actually keeps a hold of that BitLocker key for you. And so you turn the computer on, the TPM gives to the operating system the decryption key and it unlocks the drive and then it allows you to boot up. And it is intended such that. And this is part of why Secure Boot exists, is that only the real OS is the one that gets the key to be able to do the unlock. And so you have to know your username and password to log in to actually be able to get to those files. So BitLocker works over on Windows.

Jonathan Bennett [00:22:14]:
Well, this attack is essentially a folder inside of an NTFS formatted drive that has some transactional NTFS operations. And this is something that's not very well documented inside of Windows. So like, people are still actively trying to figure out how exactly this works and what all it's doing. But the basics is you copy this folder onto an NTFS or a FAT format USB drive, you plug it in, you boot it up, and then you tell Windows, I need to go into recovery mode. And so one of the ways that you can do that is by just yanking the power partway through boot and the next time you plug it in, the computer's going to go, windows didn't successfully boot last time. Do you want to go into recovery mode? You say, yes. Well, once it goes into recovery mode, it sees this folder with this weird name, tries to do whatever's in it. And the next thing you know, you're at a command line prompt with BitLocker unlocked and you can get into all of those encrypted files.

Jonathan Bennett [00:23:30]:
Now they're actually encrypted. But what's happening is, you know, your TPM has given you the password and you've just, you've completely broken the stuff that's supposed to not allow you to do this. Now, a couple of things about this. One people are saying, well, you should really use your TPM plus pin, right? And so that's, that's one of the ways that you could harden your system against this is like having a BIOS pin so that when you, when you boot it up, it's going to talk to your BIOS and it's also going to request a pin. The guy that discovered this has stated on his blog that, no, no, there's a workaround. We can defeat the pin. I don't know exactly how that works, but apparently that too is bypassable. So there's that.

Jonathan Bennett [00:24:21]:
And then the other thing is people have looked at this and one of the weird things about this particular attack is when you plug the drive in and you pull off this attack, part of it, part of the process is it deletes the folder, it wipes the drive, and people are looking at and going, boy, this is getting into the territory where it sounds like an intentional backdoor more than anything else. I'm not going to go that far. I think it's probably not on purpose, but there are, there are researchers that are looking at this and sort of coming to that conclusion that, well, if Microsoft were to have. And boy, this is a big thing to say. If Microsoft were to have a BitLocker backdoor, this is how it would work. So Linux right now we are having our security moment, but Windows 11 BitLocker catastrophically broken. That's what's going on in the world of security this week. It's been fun.

Jeff Massie [00:25:20]:
And I believe the Linux issue was patched in. I think kernel 7.0.8. Okay, it came out

Ken McDonald [00:25:30]:
and I think

Jeff Massie [00:25:33]:
said that the update is there in the kernel and. But he said that the kernel's been updating almost daily lately.

Jonathan Bennett [00:25:40]:
Yeah. Yes, 7.0.8 appears to be correct.

Ken McDonald [00:25:44]:
But I think some people were saying this is a sure sign that we've gotten to the year of the Linux desktop. Well, they've moved away from Windows to concentrating on Linux now.

Jonathan Bennett [00:25:59]:
No, I think it's actually a sign that, that AI security research is really is coming into its own. It's the year of AI security research more than anything else. Yeah, because, I mean, these flaws aren't necessarily related to Linux on the desktop. They're more like just Linux on machines, Linux on servers. And we've had that for. It's been the year of the Linux server for like two decades now.

Jeff Massie [00:26:25]:
So, yeah, Linux is basically won everywhere except the desktop.

Jonathan Bennett [00:26:31]:
Yeah, it's true. It is true.

Jeff Massie [00:26:33]:
Well, and a lot of this, you know, is if people had the ability to hold all that code in their head, they could figure this out as well. It's just that with AI, it can hold it all in their head. I mean, that's really kind of what it comes down to when you're, when you're thinking about it. We just lack the 99.999% of the people can't hold a, you know, bajillion lines of code in their head and go, oh, you know, I could.

Ken McDonald [00:27:00]:
Yeah, and I'm thankful I can't hold more than a half a book in my head because otherwise it wouldn't be any fun going back to reread it.

Jonathan Bennett [00:27:11]:
You got to forget part of it to be able to go back and enjoy it like you did the first time. That's hilarious.

Jeff Massie [00:27:16]:
Everything's new again, huh?

Jonathan Bennett [00:27:19]:
All right, Jeff, let's talk about Debian. Debian has some security updates too. There's some interesting stuff going on there. This was a surprise too, because it's come like halfway through the release cycle.

Jeff Massie [00:27:31]:
Yeah. It ties in both with the compiler story I just did and Jonathan's security story. To give you more detail, Debian is making a major change to how software in its Linux distribution is built and verified. The goal is simple but powerful. When you download software, you should be able to prove that nobody tampered with it. This is what reproducible builds are all about. A reproducible build means that anyone, anywhere can take the same source code and produce a bit for bit identical binary. Now, if two builds match exactly, their cryptographic hashes match too, so you know the software is genuine.

Jeff Massie [00:28:16]:
Now this matters because it protects the software supply chain. Normally, users trust that Debian's build servers compiled the code honestly. But if a server were hacked and an attacker could slip in a back door without changing the visible source code, with reproducible builds, that trick becomes impossible. A tampered binary would fail to match an independently rebuilt version. Now, achieving this isn't easy. Now you might think, oh well, source code always builds to the same binary. Well, many build systems accidentally introduce randomness into the process. You know, like timestamps, file ordering, local file paths or even the number of CPU cores can change the final output.

Jeff Massie [00:29:06]:
Debian developers have spent years eliminating these sources of variation using tools like SOURCE_DATE_EPOCH and disorderfs. So that disorderfs, that forces a sorted, predictable file order during the build, and compiler flags that strip machine specific paths are included. Now Debian's making reproducibility a requirement. Starting with Debian 14 Forky, expected in 2027, a package must be reproducible before it can enter the testing or stable repositories. If it isn't reproducible, it won't ship. To enforce this, Debian continuously rebuilds every package using tools like rebuilderd. It's like rebuilder-d. Now that manages the packages to be tested. It kind of keeps track of the queue. debrebuild, so it looks at file versions of the dependencies which were used to build the original package.

Jeff Massie [00:30:15]:
And sbuild, that's the tool that recreates the environment and builds the code to see if the hash matches the original. So today Debian already achieves over 97% reproducibility on major architectures like AMD64 and ARM64. One of the articles has an image that shows across all the architectures that they've got 23,729 packages which are reproducible and 411 that didn't match exactly with zero failure to builds. Now, reproducibility ensures a binary matches the source. But Debian also tests whether the software works using autopkgtest, which runs full integration tests in isolated environments. Now Debian isn't alone. Projects like F-Droid are also adopting reproducible builds. But Debian's new mandate sets one of the strongest standards in the open source world.

Jeff Massie [00:31:16]:
It's a major step towards transparency, accountability and stronger security for everyone who relies on open source software. Take a look at the two articles linked in the show notes for more details. And it'll be interesting to see how many other distributions make this hard requirement in the future. If nothing else, I could see the Ubuntu's and other distributions which are based off Debian following this same path.

Jonathan Bennett [00:31:45]:
Yeah, it's a surprising challenge to get reproducible builds and they're at 97%. So you think about that. That means 3% of the system right now does not hit it because those packages have some little bit of weirdness in them that makes it hard to get bit reproducible builds. Really, really interesting stuff.

Jeff Massie [00:32:10]:
Yeah, and it could be just as simple as like there's config files to list the libraries and things like that that maybe they're not quite set up quite right. So it says, oh, I use version 2 of this library but actually you compiled it with version 2.1. Well they're all right now. It doesn't match and it's. It's can be some little things like that that just throw differences in code that you normal person doesn't think about.

Ken McDonald [00:32:38]:
Warren X did a little update of a text file or man page that you don't even think about.

Jonathan Bennett [00:32:47]:
Yeah, I mean it shouldn't be that. I would. Yeah. It would not entirely surprise me though if there are some packages out there that include, you know, bit of randomness on purpose like a unique ID that they want to build in every time it gets built. So you know, just all kinds of stuff that you don't normally think about could cause these sorts of deals.

Jeff Massie [00:33:10]:
But I'm impressed that you know they're going to release in 27 and they're. They only have to clean up 3%.

Ken McDonald [00:33:16]:
Mm. It's that 3% probably going to be the hardest.

Jonathan Bennett [00:33:20]:
Yeah. Oh no, I'm sure it will. You kind of got the, the 80/20 rule going on there. So we quick comment says reproducible builds are extremely difficult because it could be as it as hard as a bad CPU or physical RAM making matching builds almost impossible. I would actually say if you've got. If your builds are different because of a CPU problem or a RAM problem, that's a much bigger problem than just not having reproducible builds like phantom bit flips. That's a. Take that piece of hardware offline and put something else in there because those are going to cause you actual runtime problems anyway.

Jeff Massie [00:33:59]:
Yes, the file build order and other things. That's what they're doing by having those lists to make sure it builds in the exact same order with the exact same libraries using epoch time, so time zones don't come into it. You know, a bunch of things like that just to eliminate that variability that you'll never see in the finished product. Because if mine is built at a different time zone than say Jonathan's, it's still going to run the same. It. It's not going to break anything. But you can't prove that nobody messed with it.

Jonathan Bennett [00:34:35]:
Yep, yep, absolutely. All right, let's talk PipeWire. Ken, it looks like we got a 1.6.5 is out the gate.

Ken McDonald [00:34:44]:
Yes, it is. In fact we can thank both Bobby Borisov and Marius Nestor. They also wrote about the fifth maintenance update in the latest PipeWire 1.6 series. Now PipeWire 1.6.5 release adds a whole bunch of extra security checks and hardening things, fixes to the PipeWire Pulse server, improves renegotiation and audio convert when the graph rate changes and the resampler is disabled, and fixes a crash in ALSA when logging. It also improves the ROC receiver start and stop behavior, fixes memory leaks, and the JACK tunnel module now uses the correct MIDI buffer size. PipeWire 1.6.5 release notes say the pipe filter from the filter graph was broken by design and was a security problem, so it has been dropped. Now I'm going to recommend reading Bobby and Marius's article, especially if you want to find out about the simple plugin API updates.

Jonathan Bennett [00:35:56]:
Interesting stuff again.

Ken McDonald [00:36:00]:
Here we are seeing some stuff that's security related.

Jonathan Bennett [00:36:05]:
Yes. Boy, the thing that really interests me thinking about it that's really fascinating is PipeWire just works these days. I haven't thought about PipeWire much recently because it does almost everything I need it to do.

Ken McDonald [00:36:21]:
Almost.

Jonathan Bennett [00:36:22]:
Yes. I want PipeWire to be able to give me video input and output from OBS. And that. That's more of an OBS problem than a PipeWire problem. That's. That's. That's the OBS people bike shedding over something that they really should just stop and pull the patch. Anyway, they.

Jonathan Bennett [00:36:44]:
They remind me.

Ken McDonald [00:36:44]:
That's another article.

Jonathan Bennett [00:36:46]:
Yeah, they remind me a lot of Wayland in this particular case. And it's like I just want to reach through the screen and slap somebody around like a. Just pull the dang pull request. It works. It works for 95% of us anyway. Well, I broke it just yesterday and

Ken McDonald [00:37:01]:
the guy that pulls it's the part of the 5% that it doesn't work for, I guess.

Jonathan Bennett [00:37:06]:
I don't know.

Jeff Massie [00:37:07]:
Yeah, like me, I get in there and play with stuff and I break it. I couldn't get PipeWire to run. I was trying to set up different sampling rates and wasn't going so well, which was weird.

Ken McDonald [00:37:21]:
I think maybe as long as you've got a backup that you can go back to, it's fun playing with that.

Jeff Massie [00:37:29]:
Well, the problem was I actually put everything back to original and it still didn't work.

Jonathan Bennett [00:37:37]:
It's a quantum. Quantum variation. Much be. Must be.

Ken McDonald [00:37:40]:
Yeah, but I figured simple command. In fact, I think I've shown it in the past that would help with that.

Jonathan Bennett [00:37:51]:
What's that?

Ken McDonald [00:37:53]:
It's the systemctl restart WirePlumber or PipeWire.

Jeff Massie [00:38:00]:
I was restarting PipeWire. It wasn't working. I just reinstalled. I was kind of like, the hell with it because I just had reinstalled because I played with the root partition and resized and moved it and I'm like, yeah, I'm just going to reinstate. It's faster than going through. And I was kind of in a hurry anyway. But I did figure out I put my config file in the local directory and that made it work. They said you could put it in the /etc/pipewire.

Jeff Massie [00:38:34]:
And for the global config they said don't mess with the one in the /usr/share because they said any updates could stomp on that config file. But I put it into local. For me, it was just being able to output the proper frequencies. So I'm kind of an audio nerd. So I wanted to make sure my 44.1 played at 44.1 and the 48s and the 96 played at 96 kilohertz and so on. And I know people say, wow, you can't hear the difference. But I, I worry about sampling mismatch when you don't have, you know, you, you got it, you got a 96 kilohertz source and maybe 48, well, that's probably a bad example. But like you had 44.1 with 48, you know, you can maybe get some variation.

Jeff Massie [00:39:25]:
I just like it to be equal.

Ken McDonald [00:39:29]:
I think I put mine in the my. In my home, .config/pipewire.

Jeff Massie [00:39:38]:
That's where I put mine. And then it worked. It's just one line. You don't need the whole config file. It's just a single line of basically say, here's your sample rates and you just list them. And I've got a list about four or five in there. And it's like, oh, and I could use that pw-top which we've talked about before. So I could play audio at different frequencies and I could see it switching.

Jeff Massie [00:40:03]:
So it was handling it perfectly. And a side note, people that say that they can hear like say 96 kHz difference, they probably can not because the frequency is better, but because when they actually have audio produced at that, they master it differently. They say, oh, somebody's really caring about audio quality. So they're much more carefully mastering that track than they are just the regular sampling rate. It's not that the frequency is needed, it's a flag for audiophiles. Somebody's going to care about the sound quality.

Jonathan Bennett [00:40:43]:
There you go. All right, we are going to take a quick break and then we're going to talk about AI and bugs in the kernel, continuing on that theme, but some interesting stuff here will be Freidaq. So there is, as I'm sure you've seen, there's been a lot of security changes around the kernel and they have begun embracing AI code research. And this is really just something that's becoming more and more widespread across the coding world. And so there is a merge that landed this week that adds documentation for two things about this sort of security research and AI research. And it's, it's two separate items and one is what is considered a security bug and what is considered just a regular bug and how those two things should be recorded differently. Then the second thing is the responsible use of AI for finding kernel bugs. There's some interesting things in here, a little bit at odds with the kernel's own CVE request policy, which was interesting to me.

Jonathan Bennett [00:42:02]:
They make the statement here that it's important that most bugs are handled publicly to involve the widest possible audience, find the best solution. They say bugs that are handled in a closed discussion between a small set of participants are less likely to produce the best possible fix, for example, risk of missing valid use cases and limited testing ability. So they're saying, we prefer to fix these things out in the open. And then it turns out that the majority of bugs reported via the security team are just regular bugs that have been improperly qualified as security bugs due to a lack of awareness of the Linux kernel's threat model described in documentation Process Threat model. It should have been sent through the normal channels. And so they go on to say that the security list exists for urgent bugs that grant an attacker a capability that they are not supposed to have on a correctly configured production system and can be easily exploited, representing an imminent threat to many users. Okay, before reporting to this group, the security team, you should consider whether the issue actually crosses a trust boundary on such a system. And then there's an interesting note here. If you resorted to AI assistance to identify a bug, you must treat it as public.

Jonathan Bennett [00:43:24]:
And it says, well, you may have valid reasons to believe it is not. The security team's experience shows that bugs discovered this way systematically surface simultaneously across multiple researchers, often on the same day. So this is, this is really fascinating to me. So what they're saying is, look, Claude, you know, there's a new version of Claude or a new version of whatever, you know, OpenAI's tool, they, they release a new version, use it to find a new bug. You're not the only one that's doing that. And so like every time one of these things gets bumped or somebody releases a new tool, there's going to be like five or six of you finding this bug on the same day. Just go ahead and get the. Consider it to be out there.

Jonathan Bennett [00:44:09]:
If you used AI because everybody else can do it like this is very fascinating.

Jeff Massie [00:44:14]:
How are they being surprised that two calculators come up with the same answer?

Jonathan Bennett [00:44:19]:
Sure, yeah. They all, they do go on to say, please don't publicly share your reproducers. Like don't, don't share the proof of concept code if it's not been fixed yet. And then they do all go on to say, if you're unsure, err on the side of reporting. Privately, the security team would rather triage a borderline report than miss a real vulnerability. So they're saying better safe than sorry. However, goes on to say, reporting ordinary bugs to the security list does not make them move faster. Instead it consumes triage capacity that other reports need.

Jonathan Bennett [00:44:57]:
AKA, if you do this, you're just wasting our time. And that time is valuable. And then the other part of this was that there are a lot of bugs being reported that are used by AI that are, sorry, they're found by AI and they've got some guidelines here on how to do this, how to do this the right way. And that's first off, when your AI writes the bug report, it's going to be excessively long and verbose. Don't do that. Cut that down, make it, make it shorter, format it without the markdown tags, go in and fix the impact evaluation. Because the AI is going to think that, oh, everything is a serious vulnerability. It's not going to fix that before you send it to us.

Jonathan Bennett [00:45:48]:
Please always ensure that your reproducer, your test case, works before you send it to us. Because you can ask an AI to write your code and it'll gladly do it, but it can't guarantee it works. Then they're also suggesting please propose a fix and test the fix. It's interesting to think about this. I've heard it said that friction is one of the things that has made the kernel work so well that it's difficult to sit. So you have to have a certain level of competence to even be able to send something into the mailing list that doesn't just get immediately kicked. And I think we're coming to the point where LLMs have reached that level of Competence. And so now they're essentially saying, look, we need to introduce a little bit more friction into this process to slow down the onslaught of these LLM reported bugs that in some cases are not real.

Jonathan Bennett [00:46:46]:
It's just. Yeah, even the kernel is having to deal with it. And the kernel is embracing the AI technology to fix things. You know that you've got the. I forget what he called it. Greg KH. The Greg bot? Is that what he called it? But you know, he's doing AI stuff. I'm sure Torvalds is too, to some extent.

Jonathan Bennett [00:47:06]:
And they've been doing it for, you know, looking for security bugs for a long time. Real fascinating to see and something that I'm sure the kernel as well as the rest of us will be wrestling with for years to come.

Jeff Massie [00:47:20]:
Yeah, I think a lot of it for me boils down to how it's used. Too many people just trust it outright. I'm very happy to let it try to find bugs, but to me you got to have the person. Like you said, is it verifiable, Is it real? Or did it just come up with some random garbage? And even writing code I'd be okay with as long as somebody's actually looking, looking at it and responsibly using it, which is the hard part, right, where I'm just going to have it crank out code and throw it in and it's good enough and not realize it's got a lot of mistakes in it.

Jonathan Bennett [00:47:58]:
Yeah, well, you can do that for your own project and that's one thing, but trying to send that code up to an open source project where other people have to look at it. And sometimes it's not even that the AI is writing broken code, it's just the, it's writing code in bad taste. Like it'll, it'll, it'll do these things where it'll have, and this is what I've seen when I've used it to generate code. It'll have multiple one line functions. Like, here's the name of the function and all it does is it calls this one line with an extra argument on it. And then that is a function. That is a one line function that calls yet another function with an extra argument on it. And it's like, oh, I kind of see why you're doing this.

Jonathan Bennett [00:48:38]:
But it's not, not the way we want our code to work. I don't want to have to jump through all five of those functions to be able to figure out where the code is flowing. You know, where the, where the process execution is flowing and so we call it making lasagna. We have to go pull some lasagna noodles out of the code that the AI wrote.

Ken McDonald [00:48:56]:
When you turn around, give that code back to your AI and say, can you consolidate this into one function?

Jonathan Bennett [00:49:03]:
I've done that. I've told the AI before. So I use LLMs and Copilot in VS code. I've done one or two, I don't remember one or two new features for code base. I've written that way and I've exactly done that. I said, hey, look, this is what I don't like about your code. Please go in and fix it and it'll do so. And if you give it the, you know, if you give it a good enough prompt, it'll go in and give you something that's reasonable.

Jonathan Bennett [00:49:26]:
I think I still ended up going in and fixing a few things by hand just because it was faster. But yeah, it's definitely, it's an interesting back and forth to get the machine to write good code for you.

Ken McDonald [00:49:37]:
Well, what I'm finding, especially with Chrome's built in AI, is it's great for finding the flags that I can't remember off the top of my head.

Jonathan Bennett [00:49:49]:
Yeah, there you go.

Jeff Massie [00:49:50]:
Oh, it could be a good search engine. But you know, just here, here's in case anybody hasn't heard this, but here's a well known little test. You go to your local AI and you say, I need to wash my car. The car wash is 100ft away. Should I walk or should I drive? And a lot of times it'll tell you, well, you should walk. That's just better, you know, it doesn't always get everything.

Jonathan Bennett [00:50:18]:
Yes, yes. It doesn't actually understand. Yeah. All right, well, let's move on. And the next thing to chat about is something I'm looking forward to and that's KDE Plasma 6.7. What's new there, Jeff?

Jeff Massie [00:50:35]:
Give us the scoop. Oh yeah, well, we've talked about Plasma 6.7 on and off and as more and more features come to light, you know, we've kind of covered a lot of these. But some of the things in 6.7, which we're looking forward to, and there's just real high level stuff, is per screen virtual desktops, Wayland Session restore, a global push to talk feature, a dedicated setup UI for configuring shared printers, a multi GPU swap chain feature that's for when you have multiple GPUs and Vulkan support can be used across multiple GPUs and a full featured print queue viewer app. Now like I said, it's just a few of the updates and just a few of the high points. There's a major list of changes when looking at the link in the show notes as it has a link back to the KDE wiki with all the changes in 6.7. What I mentioned is a tiny fraction of the fixes and features added. Now one feature I didn't mention yet is the Union style engine which is in the KDE 6.7 beta blog and they have a call out that they need beta testers. Well what is it? Well it's KDE's upcoming CSS based style engine designed to unify theme creation across both Qt Quick and Qt Widgets in the Plasma desktop environment.

Jeff Massie [00:52:05]:
Now it solves the long standing fragmentation of KDE themes by introducing an abstraction layer that converts diverse inputs into a single rendering engine. So the creator of this, Arjen Hiemstra, had this to say about it. Over the years, the way we style our applications has become increasingly complex. Initially we only had Qt Widgets and a system to style them. Then came Plasma with SVG based styling, followed by Qt Quick which introduced yet another styling system. At this point we have several methods of styling and most of them are quite challenging to use. Now Union has been in development for more than a year and the announcement calls out several app examples which would run on Union and put it through its paces and if there's an issue, how to toggle back to the old system to make sure the issue is truly with Union and not an app or widget issue. So now for those wanting to jump in and test, download and go, there will be a second beta on May 28 to fix the bugs called out in the first beta and hammer the code a little more so you can you can play reports and bugs.

Jeff Massie [00:53:24]:
Then you can verify in May 28 that they got them fixed. You know, hammer that second one and you know if you're not a new if you're a new user and not sure you're up for beta testing and you know you want to just wait for the official release from your distribution, that will happen sometime after June 16th because that's when as of now 6.7 is officially scheduled to release. So happy testing.

Ken McDonald [00:53:53]:
Yeah, I don't think I'm going to see 6.7 with Ubuntu 25.10.

Jonathan Bennett [00:54:00]:
No, Ubuntu is 25. Definitely not. No, Ubuntu is not likely to push out a new KDE release midway through an Ubuntu release. Fedora probably will. Ubuntu probably will not. They'll probably wait for the next. So it'll. It'll show up, I'm sure, in 2016, 26, 10.

Jeff Massie [00:54:19]:
Yeah, well, Kubuntu usually has a back ports that you could probably get it in, which is why you have to enable those repositories.

Jonathan Bennett [00:54:30]:
Yeah, you got to opt in.

Jeff Massie [00:54:32]:
Yeah.

Ken McDonald [00:54:33]:
I don't know if Ubuntu Studio opts into it or not, since it does use Kubuntu as a default desktop.

Jonathan Bennett [00:54:40]:
Probably not. I would assume that it wants the stability more than it wants the new shiny.

Jeff Massie [00:54:45]:
Whereas I, on the other hand, more production.

Jonathan Bennett [00:54:47]:
I like the new shiny. I'm going to have to go try the revamped Air theme. I remember KDE with Air. It was pretty cool to give that a try.

Jeff Massie [00:55:01]:
Yeah. Bringing it back.

Jonathan Bennett [00:55:02]:
Bringing it back.

Jeff Massie [00:55:04]:
Well, and the global push to talk is one that a ton of people have been clamoring for. Yeah.

Jonathan Bennett [00:55:11]:
And so that's like basically what mutes your microphone until you hit the button.

Jeff Massie [00:55:17]:
Yeah. So when you push a certain button, so like if you're on a Discord or Teams or TeamSpeak or whatever, you'd hit that and you could talk. But with Wayland, because they kind of didn't have that glow, the, the security. You didn't have those global.

Ken McDonald [00:55:36]:
You know, nothing's global with Wayland.

Jonathan Bennett [00:55:38]:
Yeah.

Jeff Massie [00:55:38]:
You can't have a key press or program monitoring for all key presses and it kind of locks the system down more. And there wasn't an easy way around it. But they've figured it out. I don't know the details behind it, but.

Jonathan Bennett [00:55:54]:
Yeah, probably got.

Ken McDonald [00:55:57]:
Go ahead, Jonathan.

Jonathan Bennett [00:55:58]:
I know there has been for a while now in KDE the ability to go in and say, basically to give like a legacy support for X11 programs to pass through those key presses to them. Because I know I've been doing that with Mumble for quite some time and that works. So the fact that this is a global. Actually, it sounds to me like it's KDE muting your microphone until you hit the button, which is a really sort of clever and interesting ulterior way of doing that. So I look forward to playing with that as well. It could be fun.

Ken McDonald [00:56:35]:
Or it could have been PipeWire.

Jonathan Bennett [00:56:38]:
Well, I'm sure it's done via PipeWire, but it's a KDE feature. It's in the KDE changelog. It's not in the PipeWire changelog.

Ken McDonald [00:56:45]:
Well, because the latest release of PipeWire did fix a problem with the audio mute. Stay muted even when you unplugged and then plugged your headset back in.

Jonathan Bennett [00:56:57]:
Yeah, got it. All right, well, we are going to talk about firmware and some updates, but first we're going to take a quick break. We'll be right back.

Ken McDonald [00:57:08]:
Time to go get some popcorn.

Jonathan Bennett [00:57:10]:
Yeah.

Ken McDonald [00:57:11]:
Well, Jonathan, this week we have two different stories regarding both LVFS and fwupd. First we hear from Marcus Nestor about two companies stepping up to support LVFS, the firmware update service for Linux. Lenovo and Dell are the first to sign up as Premier sponsors for LVFS, each contributing $100,000 per year to help fund the project. According to Richard Hughes, the huge industry support from Lenovo and Dell and our existing sponsors of Framework, OSFF, and of course both the Linux Foundation and Red Hat, we can build this ecosystem stronger and higher than before. We can continue the great work we've done long into the future. According to Marcus, the first Premier sponsors are also two of the most Linux invested OEMs in the industry. Lenovo, one of the largest PC vendors around, ships Ubuntu on laptops, desktops and workstations worldwide and has over 700 Ubuntu certified devices to its name. Now Dell has 140 plus certified configurations and partnerships with Canonical, Red Hat and SUSE.

Ken McDonald [00:58:39]:
Now Bobby Borisov and Marcus also wrote about the latest fwupd maintenance update 2.1.3. According to Bobby, the most notable additions are support for Redfish Bearer Token authentication, support for several XMC SPI chips, and the ability to parse JCAT files directly in libfwupd without libjcat. As always, you can get more details from Bobby and Marcus's articles. And are you still online?

Jeff Massie [00:59:23]:
Oh, Harry, there was Jonathan, what'd you do? Are you there, Jonathan?

Jonathan Bennett [00:59:32]:
Sort of. Can you guys hear me now?

Ken McDonald [00:59:34]:
I can hear. We can hear you.

Jonathan Bennett [00:59:37]:
I'm sure some of that will get edited out, but that was fun. We were talking about LVFS and I was like, oh, I haven't checked this in a while and I know on Fedora under KDE you do this through Discover. So I opened up Discover and the moment that I hit Discover, my second monitor went down. Disconnected. And guess how my headphones are plugged in. Yes, currently the second monitor, through the second monitor. So I was blind and deaf, just. And if, if you guys, if the video cut to me at any point through all that, I was going, oh no, am I going to get it back in time.

Jonathan Bennett [01:00:12]:
I'm sure he's talking by now. Oh no. Oh no. Ended up having to unplug the framework module and replug it back in.

Ken McDonald [01:00:19]:
That does explain the expression on your face when I muted my video.

Jonathan Bennett [01:00:27]:
Oh, that's hilarious. But I've got one more story that we want to cover before we finish up and that is stop killing our games. It's kind of like the right to repair, but for gaming. And so for this story, we're going out over to gaming on Linux and talking about a bit of legislation that's working its way through the system in California. It is the California Protect Our Games Act. And this is, this is a bit of law that would essentially say when you're going to retire a game that requires online access to play, you have to either release a patch to allow people to play it offline, or you have to release the server to allow people to self host. And part of the reason for this is like people are paying money for these games, they have purchased these games. And then for a gaming company to then turn the game off and make it no longer work in a very real way, that's fraudulent.

Jonathan Bennett [01:01:34]:
And that is a gaming company stealing those games back. It's piracy. Right. I hadn't quite thought of it like that, but there you go. That's an interesting turn of phrase. EA is pirating games from us instead of the other way around. And so this is, this is a potential law. It, it has made it out of the Appropriations Committee in California and then it's going to go to the broader floor where they're going to look at maybe adding some amendments to the law.

Jonathan Bennett [01:02:08]:
And then, you know, at some point the, the legislature out there in California will vote on it hopefully and see if it actually passes. I'm actually very much in favor of this. Now. This is the sort of thing where you have to write the law very carefully because you could have some unintended consequences. But I absolutely, I 100% think that this is a huge problem. This is one of the, I don't know if it's unintended or intentional, but it's one of the consequences of DRM and things like the Digital Millennium Copyright Act. And that is that it is so easy for a publisher to steal content that back from the consumers. And I think it's wrong.

Jonathan Bennett [01:02:46]:
I think you could literally make the case that it's fraudulent. And as I said, it's piracy. It's a publisher pirating content away from its users. And if it's wrong for A user to pirate a game, then it's wrong for a game publisher to pirate a game in the exact same way. And so I'm 100% for it. I think it should be law in the same way that I like the right to repair acts and give people ownership of their stuff back. It'd be very interesting to watch. And next time we, yeah, next time we get an update on this, we'll try to remember to bring it and cover it.

Jonathan Bennett [01:03:20]:
Keep an eye out for it. Interesting stuff.

Jeff Massie [01:03:23]:
Yeah, they're, they're counter. You know, the corporation's counter argument is you don't really own it, you're just renting it so we can take it away whenever. That's, that's kind of what the angle they're trying for. And they don't want you spending time on that old game because they want.

Ken McDonald [01:03:39]:
I've got physical media with it.

Jonathan Bennett [01:03:43]:
Yeah, that's, that's one of the. Well, it actually, it does. Well, that has been covered in court before. That is, that is established case law that it does matter if there's physical media. Physical media means that you have purchased something and is not just a license because that comes back from, you know, the, the old days where we actually had books. You, you got a, you know, you, when you purchase something and you physically had something, it is not just a license. And there have been companies that have tried that with even books before and the courts have shot that down. So.

Jonathan Bennett [01:04:13]:
No, no, no, no, no. That is not how this has ever worked and that's not how this is going to start working now.

Ken McDonald [01:04:18]:
Thankfully, that's what, for years drove the secondhand book market, which also expanded to cover reselling your Vinyl and your CDs.

Jeff Massie [01:04:30]:
Yeah, yeah, they tried to stop that. And, you know, it's the same argument all the time. They've tried to stop used records and CDs from getting sold. They said, oh, VHS, you know, you can record off TV, that it's going to kill movie sales. It's going to. They have the same argument again and again and it never actually ever pans out.

Ken McDonald [01:04:53]:
VHS is going to stop movie sales. I hate to say it. You know how many times I have, I've had to buy a very popular VHS tape for a movie in our

Jonathan Bennett [01:05:03]:
house multiple times because it's gotten worn out, I'm sure. Yeah, yeah. So I, yeah, I'm, I'm, I'm very glad. It's really interesting to go back, actually, look at the Supreme Court case about VHS. But that, that's one of those that has, has been a, a, a real win for consumers. That's been referenced several times over the

Ken McDonald [01:05:24]:
years, which is, and I'm probably going to be in trouble for suggesting this. I use Bookbub to find out when those ebooks are going at real cheap prices for copies that I want to get that I can have, you know, DRM free because then I'll use all the links and when there's that cheap, I'll buy them on for the Kindle for, from Barnes and Noble through Google Books and in some cases I'll even go and see if it's available through one of those sources. DRM free.

Jeff Massie [01:06:03]:
Yeah, well, and that's why like I movies and music, my music I do have digital, but it's DRM free. So I own the copy. But every movie I have, I don't go through streaming services. I get a physical disc.

Jonathan Bennett [01:06:22]:
Speaking of court cases around this, we actually in the US we just had a Supreme Court ruling. There were no good guys. In this particular case, it was Cox Communications versus Sony Entertainment, but they were

Ken McDonald [01:06:39]:
both in the wrong.

Jeff Massie [01:06:40]:
Well, do you root for the devil or do you root for the demon?

Jonathan Bennett [01:06:43]:
Yeah, you know, in this case it was a good thing that Cox Communications won because the alternative was a law withstand that said that ISPs were liable for people's downloading of pirated content. And it was like a billion dollar judgment against Cox Communications. And it really would have been really bad case law for that to stick around. But you know, it's a good thing. I think anytime that the insane DMCA copyright can be toned down a little bit is a good thing. And so, you know, probably about the best possible outcome of this that the Supreme Court looked at this and said, no, we're not going to play this game with copyright. It doesn't, it's not going to work the way you think it does. And interestingly in this they went back to the VHS and Betamax ruling where they said that, you know, there is a legitimate use for this.

Jonathan Bennett [01:07:38]:
So you can't outlaw, you can't outlaw VCRs altogether just because you're afraid people will use them to copy movies.

Jeff Massie [01:07:46]:
Well, and you know, to me I don't see a difference re, you know, at, at a higher level of, you know, you know, okay, I'm pirating a movie or can the phone company be liable? Because I talked to Jonathan and we decided we were going to rob a bank. So now the phone company is responsible because we did that communication over the phone. I mean it, to me it's like you can't hold the carrier responsible for.

Ken McDonald [01:08:15]:
And you know who fought to make sure that never happened.

Jonathan Bennett [01:08:21]:
That's what the whole common carrier rules were about here in the US is essentially that you can't hold the carrier responsible in that case.

Ken McDonald [01:08:30]:
But if you're going to use that logic, I can think of another company that would definitely fight against or another industry that would definitely fight against it.

Jonathan Bennett [01:08:40]:
I mean I think there's a whole bunch of them. Automobiles. Automobiles. Firearms. I mean, you know, more, more beyond that.

Ken McDonald [01:08:49]:
Tool manufacturers, period.

Jeff Massie [01:08:51]:
Yeah, well. And you.

Jonathan Bennett [01:08:52]:
There are.

Jeff Massie [01:08:53]:
There is law in the United States that you can't hold a company liable. Like I'm probably mangling this a bit. But you, you cannot hold a company liable for somebody misusing their product. You know, if it was, you know, a baseball bat.

Jonathan Bennett [01:09:13]:
Okay.

Jeff Massie [01:09:13]:
I got. I'm. They make them and then I go and I, I hurt somebody with a baseball bat. You can't sue the Louisville Slugger Company because I misused their product when it wasn't. That's not what its design was for.

Ken McDonald [01:09:27]:
It was intended, intended to knock that baseball off the top of the somebody's head.

Jonathan Bennett [01:09:33]:
Not like that.

Jeff Massie [01:09:34]:
Yeah, but, but just for the record, you know, I, when I was saying earlier was just devil's advocate. I'm all for less DRM. I mean I, I get. They don't want to lose everything but there's also a little. A few steps too far. And I am very pro right to repair. And I grew up on a farm slash ranch and that's a pretty big deal nowadays with the modern farm equipment that cars have. The law that say you have.

Jeff Massie [01:10:05]:
They have to have that OBD2 port that you can get error codes and troubleshooting and big equipment does not have that. You have to tie into their proprietary system if you're at all allowed or you have to just go to the dealer if there's any kind of issue and you have to use their.

Ken McDonald [01:10:24]:
Oh, I'd love to see somebody that could afford to take that. Say this is a vehicle. Doesn't it fall under the OBD law?

Jonathan Bennett [01:10:34]:
I'm sure that, I'm sure that's been tried. There is a. There, there is a John Deere carve out to that law is. Is exactly what it is.

Jeff Massie [01:10:42]:
Yeah. You know, New York, New York had a big right to repair law but then there was all these carve outs in there that made it just basically fluff. It was all the important stuff kind of got. Was an exception made for. But then it got hollowed out. Yeah. But on the flip side, there is a lot of farmers and a lot of Eastern Europeans are leading the charge in this. They're hacking their tractors and farm equipment to get around a lot of this stuff.

Jeff Massie [01:11:11]:
I mean, it's.

Jonathan Bennett [01:11:12]:
I remember talking to a hacker, goes by the name of Sick Codes, got Doom running on the controller for John Deere tractors several years ago. That was a big deal. Yeah, there's a lot of research going on into that. How did Jailbreak.

Ken McDonald [01:11:25]:
I can see where farmers would want to be able to play Doom while they're out in the field.

Jonathan Bennett [01:11:29]:
Exactly. All right, well, we have had fun. Let's get into some command line tips. And I think before we do that, we're going to take our final break. We'll be right back. Who's got our first command line tip? Jeff. Jeff has a question. Yeah.

Jonathan Bennett [01:11:44]:
What is CoolerControl?

Jeff Massie [01:11:47]:
Well, for people who want to take better control of their system temperatures, I ran across CoolerControl. Now, it can monitor temperatures, you know, fan speed, power in real time, automatically adjust speeds based on your profiles and sensors. You can add hysteresis thresholds, directionality, and response time tuning to profiles along with setting modes. So you can, for example, switch between silent and gaming mode. Now, I will add that while CoolerControl automatically discovers supported Linux hardware drivers and connects to devices that expose compatible sensor interfaces, you know, for example, hwmon, NVML, liquidctl, it does not ship device drivers or access hardware directly, so it's not gonna totally do this on its own. Or to put it another way, CoolerControl only supports hardware that the kernel or another module supports. Now, I'm not gonna go into installing the program other than to say that depending on the hardware and how supported it is, there might be some extra steps. But they have a great document showing what to do.

Jeff Massie [01:12:59]:
For example, you might need to install lm-sensors and then have it discover your hardware. Take a look at the link in the show notes for the website so you can get all the instructions and details on everything this program can do. I was impressed, you know, on my laptop, how much you could monitor and display at once. Which, of course, it. You know, the display and all that.

Jonathan Bennett [01:13:21]:
It's.

Jeff Massie [01:13:22]:
Of course, it's totally configurable. You can pick and choose and fold, mangle, staple and mutilate as you need. So take a look at it and keep cool.

Jonathan Bennett [01:13:34]:
And keep cool. I like it. All right. And Ken? Yes, Stow. What are we stowing?

Ken McDonald [01:13:42]:
Yes. Depends on what you're working with. But I had stumbled upon this week's command line tip while setting up my system to share my files and application configurations between the Ubuntu Studio 25.10 that I do the podcast from and Ubuntu Studio 26.04 that I'm trying out. The command is GNU Stow. It's a symlink farm manager that takes distinct sets of software and/or data located in separate directories on the file system and makes them appear to be installed in a single directory tree. Now, I am using it to manage the shared configuration and data files between my Ubuntu installations. Today's example is how I shared my SSH configuration between both. Let me go ahead and get this up so you can read this a little easier.

Ken McDonald [01:14:51]:
And let's switch over to this one for a minute. Okay, now in the left terminal I've got my home directory and I've got listed here all the files that are in it. And you'll see that with the listing I did. It also allows you to see where there's any links for that particular file or directory to another location. Now, here's my ssh. Now the way I set that up is on the terminal on the right. I've got the location for where I'm storing everything actually. And you'll see I've got some configurations that I set up.

Ken McDonald [01:15:42]:
One is called SSH config.

Jonathan Bennett [01:15:46]:
So let's see. Yeah,

Ken McDonald [01:15:51]:
go back to my notes here and I'm going to do a copy. That way I don't have to retype everything. But the command of course that I mentioned is stow. Now, it's got some options that allow you to say, do a dry run or simulate. That's the dash N V is verbose. I'm also using dash, dash, target and set. Tell it the directory that I want as the target directory. In this case it's my home directory.

Ken McDonald [01:16:28]:
And then dash dash D tells it the directory I'm wanting to set up from. And in this case it's pointing to the dot files that I'm currently in. And in that dot files I've got a subdirectory SSH dash config. Now when I run this and as you see, it says warning in simulation mode. So not modifying file system. So it didn't really do anything since it's already there. So what I'm going to do, come over here. It's come up here so I don't have to try to type everything out.

Ken McDonald [01:17:18]:
And. Copy ssh, I'm going to remove that sounds dangerous right there, doesn't it? So with that removed, if I try doing a SSH command, There it is,

Jonathan Bennett [01:17:59]:
1900 in your history list and it

Ken McDonald [01:18:03]:
comes up with this. It can't be established, so I'm going to go ahead and cancel that out. And with that deleted, if I run this, here's what it would do. It would create a link for dot ssh to that. So I can go in. Now that I've seen that, it will do that, remove that in, run that and it actually does it. And now let's try it. And now I was able to log into my remote system.

Jonathan Bennett [01:18:42]:
So it. It has a list of symlinks and it will automatically recreate them on demand

Ken McDonald [01:18:51]:
or create a symlink to a directory that basically has all the files that you need for what you want to do. Cool,

Jonathan Bennett [01:19:03]:
interesting stuff.

Jeff Massie [01:19:05]:
All right.

Ken McDonald [01:19:08]:
I'm playing around with doing that with some of the other configurations. The fun one's going to be with

Jonathan Bennett [01:19:15]:
obs trying to get all your dot files wrangled.

Ken McDonald [01:19:20]:
Yep. The ones that will allow me to be used in multiple locations. The easy ones are the BashRC, the bash dot- aliases file I've got and. And my functions files, because those I'll have, I'll be using all the time.

Jeff Massie [01:19:41]:
Yeah.

Jonathan Bennett [01:19:42]:
All right.

Jeff Massie [01:19:43]:
There should be some kind of herding concatenations joke in there somewhere.

Jonathan Bennett [01:19:49]:
Indeed.

Ken McDonald [01:19:52]:
It is a symlink farm.

Jonathan Bennett [01:19:54]:
There you go. It's a farm of cats, apparently. I've got a command line tip. It's a different one. This one is interesting. I stumbled across this and it is bb, which this is a really old ASCII art demo. The source is still available. It was apparently originated in FreeBSD.

Jonathan Bennett [01:20:16]:
The source is available, you can try to compile it. Although I've seen some reports that it doesn't actually work terribly well on modern Linux. Like the audio may not work, so you may have to compile it just the text. And I've not yet taken the time. I briefly tried to compile it, but I've not taken the time to actually try to compile it very seriously yet. I've got a link off to actually the YouTube capture of it. Pretty interesting stuff. But I always like these old ASCII demos and having one that runs natively on Linux is not something we see very often.

Jonathan Bennett [01:20:54]:
And so I thought it was pretty cool to highlight. And there's more of these out there if you go looking for it. But it would be an interesting challenge to try to get this compiled on a modern Linux system. And I don't know, maybe somebody needs to fork it and fix it so that we can all get our ASCII art demos in. Watching the YouTube video, it's not short, it's like seven or eight minutes, but it's a eight and a half minutes. But it's a. It's a pretty cool little demo and some. Some neat screen candy.

Jonathan Bennett [01:21:20]:
I don't know, you get it running, you could then set it as your screensaver. We talked about how to do that a few weeks ago, so. Cool stuff out there.

Jeff Massie [01:21:28]:
Yeah, I was looking at that. It is. It is really cool.

Jonathan Bennett [01:21:31]:
Yeah.

Jeff Massie [01:21:31]:
It kind of takes me back to the Amiga days where they used to thrive on demos.

Jonathan Bennett [01:21:37]:
There's still. There's still a demo scene out there. People going back and making demos for some of the old machines. Yeah, cool stuff happening.

Ken McDonald [01:21:44]:
I remember the psychedelic demos that come across for the Atari 800.

Jonathan Bennett [01:21:51]:
Oh, yeah, there's a bunch of them out there. All right, well, that is the show. I'm gonna let the guys get the last word in on whatever they want to, really. We're like. Ken, go first. I see you've got a story here that you want to briefly talk about.

Ken McDonald [01:22:03]:
Yeah. If y'all look in the show notes, you'll see I've got two links to articles from both Bobby Borisov and Marius Nestor where they wrote about the Document Foundation's release of LibreOffice 25. I do recommend checking it out so you can find out when this will actually be reaching end of life.

Jonathan Bennett [01:22:25]:
All right. And Jeff,

Jeff Massie [01:22:28]:
nothing major to cover, so I'm going to have a poem. With Searching Comes Loss and the Presence of Absence. My novel Not Found. Have a great week, everybody.

Jonathan Bennett [01:22:43]:
All right, well, yeah, just for me, the thing I'll mention is over at Hackaday, you can find FLOSS Weekly. We've missed a couple of shows here recently. My. And the family being sick was a big part of that. Hoping to pick back up on that shortly. And then here in a week and a half, I'm going to be at the Ubuntu Summit. I am the. The first presenter on the second day.

Jonathan Bennett [01:23:09]:
And so you can, you can. Actually, it's a. It's a remote. Remote first event, they call it, which means that you can. You can sign up online and be part of the remote audience and ask questions. So anybody that wants to catch my talk there, certainly welcome to. And that should be a lot of fun. Other than that, I just want to say thank you.

Jonathan Bennett [01:23:29]:
Appreciate everybody being here. Whether you get us live or on the download, those that watch and those that listen, we very much would love to have you with us. And we will be back next week. We will see you then on the Untitled Linux Show.
