Lucas Alvares Gomes
Works at Red Hat
Lives in Dublin, Dublin, Ireland

Stream

Lucas Alvares Gomes

Shared publicly
Here's a video of a talk I gave two weeks ago at Sesja Linuksowa in Wroclaw, Poland. It's about containers and +systemd, in particular where nspawn/machined/importd fit into the big picture, and what we actually intend to turn it into.
16 comments on original post

Lucas Alvares Gomes

Shared publicly
I see more and more projects doing the "curl | sudo bash" method of installing something. Not good on a huge number of levels. This is a good rant about people doing this for containers.

Yes, I know docker doesn't support signed images yet, hopefully that will happen someday...
None of these "fancy" tools still builds by a traditional make command. Every tool has to come up with their own, incompatible, and non-portable "method of the day" of building. And since nobody is still able to compile things from scratch, everybody just downloads precompiled binaries from ...
51 comments on original post

Lucas Alvares Gomes

Shared publicly
Interesting ☺
The graphs indicate the number of various words in c, h and S source files in the linux kernel, updated monthly or whenever I hear of a new release. It's inspired by the linux kernel fuck count, which unfortunately is very outdated. As is apparent from the graphs, the number of swear words has ...

Lucas Alvares Gomes

Shared publicly
Cool - +David Miller's keynote from NetDev 0.1 is online on YouTube! :-)
1 comment on original post

Lucas Alvares Gomes

Shared publicly
Brilliant talk, kudos Nicolelis and team! 
You may remember neuroscientist Miguel Nicolelis — he built the brain-controlled exoskeleton that allowed a paralyzed man to kick the first ball of the 2014 World Cup. What’s he working on now? Building ways for two minds (rats and monkeys, for now) to send messages brain to brain. Watch to the end for an experiment that, as he says, will go to "the limit of your imagination."

Lucas Alvares Gomes

Shared publicly
Some discussion of what Intel Boot Guard actually means for users
PC World wrote an article on how the use of Intel Boot Guard by PC manufacturers is making it impossible for end-users to install replacement firmware such as Coreboot on their hardware. It's easy to interpret this as Intel acting to restrict competition in the firmware market, but the reality ...
18 comments on original post

Lucas Alvares Gomes

Shared publicly
But, but, but... MongoDB is fast! ;-) Breathtaking read. Via +Daniel Lobato 
In May of 2013, we showed that MongoDB 2.4.3 would lose acknowledged writes at all consistency levels. Every write concern less than MAJORITY loses data by design due to rollbacks–but even WriteConcern.MAJORITY lost acknowledged writes, because when the server encountered a network error, ...
View original post

Lucas Alvares Gomes

Shared publicly
Nice post about why a text label is often better than an icon.
Thomas Byttebier is a freelance web designer creating minimalist and easy to use websites and user interfaces. Thomas lives and works in Gent, Belgium.
5 comments on original post
Ben Nemec
As someone who recently spent five minutes looking for Google Calendar while on the phone, I wholeheartedly agree with this.

Lucas Alvares Gomes

Shared publicly
Deprecating Old Crypto in a Linux Distro: A tale of something that looked obvious but .. there's a lesson in it somewhere.

While working on my Linux distro project at work, one of the things I recently wanted to do is phase out old crypto.

Yes, we all read Bruce Schneier's text and how important it is, but nothing drives it home like reading The Guardian articles followed by OpenSSL downgrade attacks in the last year or two.

Now, nothing should be defaulting to some of the antique crypto, but the only way to know 100% sure that the algorithms in question aren't being used is to just not compile them into the various crypto libraries of your distro.

So.. step 1 was to look at the algorithm list of openssl:

arjan@clr:~$ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA

A few things stand out immediately.

RC4. This like seriously predates MD5, and MD5 is already suspect.

DES. Yes really. DES. In 1995 I worked at a company as an intern that made DES chips that you could use to brute force DES. In 1995, when Twin Peaks was on TV and you measured transistor sizes of a chip in micrometers, not nanometers.

MD5. The general consensus seems to be that for crypto, you shouldn't use MD5 anymore. I'm not talking about SHA1, where one can argue that existing uses are still ok, but MD5.

I decided to draw my first line there, stick to the consensus and all that.

The good news is that OpenSSL is very configurable, and it's pretty easy to say

no-rc4 no-des no-md5

on the configure line (and for good measure, I added no-ssl2 and no-ssl3).

At this point, I thought I was on a roll: removing old crypto is easy, let's finish this 15 minute project before the project meeting starts.

So now on to the bad news. And sadly, there is plenty to be had.

openssl does not even compile with the no-md5 option:

make[1]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/ssl'
In file included from s3_srvr.c:171:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
In file included from s3_clnt.c:158:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
....


Ok, so MD5 is technically not insanely broken for small packets, and it's just consensus, not so much hard earned proof, so maybe deprecating md5 is a project for another day.

openssl does not even compile with the no-des option:

make[2]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/apps'
../libcrypto.so: undefined reference to `EVP_des_ede3_wrap'

or when you fix that, it does not pass its test suite (I'll spare you the details).

Now here I had to draw a line. 20 years ago DES was not secure.. never mind today. I wouldn't be surprised if someone will chime in and say that their smartwatch can brute force DES in realtime now.
So.. fixing it is.

I suppose the good news is that no-rc4 went just fine.

The success story then, with the list of crypto from openssl after no-rc4 and no-des:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA

no DES, no RC4.

But, as it was a Monday, the misery only started there (Dave Jones should have taught me that misery is like lawyers, it always comes in pairs).

I threw the no-rc4/no-des package into our build system, and in no time the world came apart on me. Half the distro broke! Well, not half, but several very important pieces.

It turns out that components like curl, libcurl (so anything speaking http), wget, openssh, mariadb, ... all hard-code DES usage. Now, I'll give curl credit: with creative use of configure options, you can make it not compile DES in, but you can't then make it pass its testsuite.

There must be a lesson in here somewhere.

One, our team will be fixing these projects to not require DES (or RC4), and we'll send those patches to the upstream projects of course.

But more, and this is a call to action: If you're working on an open source project that uses crypto, please please don't opencode crypto algorithm usage. The algorithm may be outdated at any time and might have to go away in a hurry. And if you have to use a very specific algorithm anyway (for compatibility or otherwise), at least be kind and make a configure option for each algorithm in your project, so that when things go bad (be it in 5 or 20 years), it's very feasible to disable the algorithm entirely.
29 comments on original post
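An added check, not part of the post above, that audits an `openssl ciphers` list for the RC4, DES/3DES and MD5 suites the post calls out, so a build system can gate on it the way the post's distro work did by hand. The sample lists are constructed subsets of the post's own output, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSL cipher
# list for the legacy algorithms the post singles out (RC4, DES/3DES, MD5).
# Suite names follow the `openssl ciphers` output format shown above.

# Extended regex over suite names. "DES" also matches the 3DES suites
# (DES-CBC3, 3DES-EDE), which the post's no-des build removes as well.
LEGACY_RE='RC4|DES|MD5'

# Print every suite in the colon-separated list $1 that uses a legacy algorithm.
# Exits 0 even when nothing matches, so callers can pipe it freely.
flag_legacy_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E "$LEGACY_RE" || true
}

# Number of flagged suites in list $1 (0 when the list is clean).
count_legacy_ciphers() {
    flag_legacy_ciphers "$1" | awk 'END { print NR }'
}

# Pass/fail verdict usable as a build gate: exit 0 = clean, 1 = legacy present.
cipher_list_is_clean() {
    [ "$(count_legacy_ciphers "$1")" -eq 0 ]
}

# Constructed sample: a short subset of the post's first `openssl ciphers` listing.
SAMPLE_BEFORE='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA'
# Constructed sample: the same shape after a no-rc4 no-des build.
SAMPLE_AFTER='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:CAMELLIA128-SHA'

# Check the locally installed library when one is present. The cipher string
# ALL:COMPLEMENTOFALL lists every compiled-in suite rather than the DEFAULT
# set, which is what a "was it actually compiled out?" check needs.
if command -v openssl >/dev/null 2>&1; then
    echo "legacy suites compiled into the local openssl:"
    flag_legacy_ciphers "$(openssl ciphers 'ALL:COMPLEMENTOFALL' 2>/dev/null)"
fi
```

Note that the check only sees the suites OpenSSL itself reports; a program that hard-codes a DES call through the EVP API, as the post found curl and openssh doing, is found by the link failure the post shows, not by this list.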

Lucas Alvares Gomes

Shared publicly  - 
 
 
Apple has always been known for their reality distortion field, in which it will cherry pick specific statements in such a way that they sound kind of true, but aren't really when you think about it.

For instance, yesterday, Apple told us that the iPhone is the best selling smartphone. Well, if you define all iPhones as a single product, and define all Android phones as separate products, that statement is kind of true. 

See what I mean?

Then we had the battery life of the new MacBook (see image). Tim Cook said it had an 'all-day' battery. That message is repeated on their website, and the press is gobbling it up and repeating it in their stories. 

Of course, it doesn't have an all-day battery life at all. It has a 9-hour battery, if you only use it for simple web browsing. Of course, by calling this 'all-day' battery life, they mean that most people probably only use it for 9 hours each day. But this is a reality distortion.

You know what other laptops also have 9 hours of battery life (and thus would also be all-day in Apple's terms)? Well... the MacBook Pro that I own also has a 9-hour battery life (in fact, it has 10 hours): http://goo.gl/oGhbQ8

The Lenovo X Series all have 9-10 hours of battery life. Dell claims to have 8 hours and 43 minutes of battery life for its XPS series of laptops. Many of Samsung's laptops have, yes, you guessed it, 8.8 hours of battery.

And, none of these are able to last all day. Apple didn't actually extend the battery life with the new MacBook. It's the same as for everyone else in the market. But they made you think they did because they called it 'all day', and at that moment, it kind of made sense. 

My MacBook Pro is rated for 9 hours of web browsing as well, but it runs out after only about two if I actually use it for work. Granted, when I bought it and it was brand new, I could use it for 3.5 hours before running out.

Now, I do love the new MacBook. I think it's amazing. And they did manage to make it incredibly thin and light. I'm even considering buying one because it sounds like a perfect device to use for writing. But it's nowhere near all-day. It also doesn't have that much performance, the graphics chip is seriously under-powered, and the FaceTime camera is 480p... yes... 480p! Not 720p. WTH?

None of this matters for writing, but it matters for many other things. I could not use it as a primary device, and, as such, it's more of an accessory than a real laptop.

Apple is an amazing company. But I wish they wouldn't twist the truth as much as they do.

Also, the new one-connection thing is problematic in so many ways. I have to look into the USB-C format some more, but... it means you can't recharge your iPhone with it. It's another example of the mono-culture that exists within Apple. I don't really get it. It's like Apple is never doing more than one thing at a time. Even their OS is increasingly designed for full-screen apps (one app at a time).

As an accessory this is fine... But as a work device, I live in a multi-world. Right now I am working across 8 apps, my MacBook is recharging, and my phone is plugged into and recharging as well. It's connected to my external screen, and I'm using headphones to listen to music (also plugged in). That's four ports... and that's normal for me.

Add that even if you tried to connect these things, you would have to buy adapters. A USB-adapter costs $19, and a multiport adapter is $79. Why are these not included when you buy it? I don't understand this. Apple is the most profitable company in the world. It has hundreds of billions in cash, but they still won't include a $19 accessory when you buy a MacBook for $1,599. 

What's even crazier. You can buy a spare power adapter for $49... but that doesn't even come with the wire. Instead, to be able to actually use it, you also have to buy a 'charging cable' for $29. Seriously Apple? Seriously?!?!?

It's the same with the new Apple Watch. You can buy a 'magnetic charging cable' for $29, but that's just the wire. Sure, you can plug that into your computer (but not your new MacBook without also buying the $19 USB adaptor), but in reality you need to also buy the $49 power adapter to plug into your $29 power cable. And do not even get me started about the cost of the Apple Watch straps.

And it's not like it costs $29 to make. It probably only costs 50 cents to make. It's a god damn cable!

There is no other explanation for this than pure greed. No other business would be able to get away with selling you a new power adapter for your laptop without the wire to connect it with. 

When I bought my Dell 29" Ultra-wide screen display, it came, by default, with 3-4 different types of connecting cables so that I could connect it to whatever I wanted. That was part of the package. 

It's things like these that make me have a love/hate relationship with Apple. I love Apple for many things, but my god, they also piss me off in so many ways.
141 comments on original post

Lucas Alvares Gomes

Shared publicly

Understanding Linux CPU stats (Derek, February 24, posted in HowTo). Your Linux server is running slow, so you follow standard procedure and run top. You see the CPU metrics: but what do all of those 2-letter abbreviations mean? The 3 CPU states ...

Lucas Alvares Gomes

Shared publicly
Got a fully sandboxed game running under xdg-app in a wayland session!
It's not a secret that I've been working on sandboxed desktop applications recently. In fact, I recently gave a talk at devconf.cz about it. However, up until now I've mainly been focusing on the bundling and deployment aspects of the problem. I've been running applications in their own ...
19 comments on original post
Work
Occupation
Software Engineer
Employment
  • Red Hat
    Software Engineer, 2013 - present
Basic Information
Gender
Male
Places
Currently
Dublin, Dublin, Ireland
Previously
Bauru, São Paulo, Brazil
Lucas Alvares Gomes's +1's are the things they like, agree with, or want to recommend.
Men prefer women with little makeup - Testosterona
www.testosterona.blog.br

And who said women wear makeup only to please men? I mean, if anyone out there is that type, they had better rethink their life.

Fedora Project
plus.google.com

FREEDOM. FRIENDS. FEATURES. FIRST.

Linus Torvalds: Software and Process Patents Don't Make Sense | Muktware
www.muktware.com

I think copyrights, and especially patent disputes, get really nasty really quickly. Especially on patents, it's like winner take all on co

Vem comigo pra Irlanda (Come with me to Ireland): All about studying abroad
vemcomigoprairlanda.blogspot.com

Well, I confess that studying abroad is something I've always wanted to do, to get to know other cultures and countries, to be able to travel, and without any doubt...

fstream::open - C++ Reference
www.cplusplus.com

Open file. Opens a file whose name is filename, associating its content with the stream object to perform input/output operations on it. The

Linux Today - Fedora 17 heads up: gnome-shell for everyone!
linuxtoday.com


Linux Today - Richard Stallman's Personal Ad
linuxtoday.com


Khan Academy
www.khanacademy.org

Watch. Practice. Learn almost anything for free.