Robert Marcano
Robert's posts

Post has shared content
GNOME 3.24 has just been released. Introducing an updated platform and applications including a number of major new features and enhancements as well as many smaller improvements and bug fixes. 3.24 represents another step forward for GNOME, and has much to offer both users and developers.

Post has shared content
Ah, the head-long race into mediocrity.

In the mid-90s I despaired that large companies would ruin the thing I loved doing. (Which is what got me into free software, incidentally..)

Today I despair that our industry is one that has the reputation for being a way to "get a good job", and which grants one no small measure of credibility and cool in many social circles ... so it's desirable. But many are simply not suited to it (just as most software developers are not suited to being professional chefs, to pick a random thing), but they (with the winds of industry at their back) seem intent on trying to wash software devel with low sights, limited vision.

Sorry, but software development is not a skill-less, talent-less, effort-less space. No thing done at a high level is.

Side note: github should stick to hosting git repositories and stay out of the social influence business. Everything I've seen from there, including this example, is just cringe, cringe, cringe.

Post has shared content
Really really excited about XDC in Helsinki next month! Not least this from David Reveman:
'This talk will give an overview of the pieces that make up the ARC++ graphics stack, describe how Wayland is used as a compositor protocol and explain how we achieve the goal of running Android applications on ChromeOS with native graphics performance and window management capabilities expected from an application running on a Chromebook. It will also provide some basic pointers for running Wayland clients on ChromeOS, and future direction.'

Post has shared content
Yes, there is now a "fake" short fingerprint for my kernel signing key out there on the key servers, and yes, it's not really mine, and yes, we know who did it, and yes, it's revoked, and no, it wasn't just targeted at kernel developers, but at all 24000 keys in the "strong" ring of PGP trust, and yes something like this has been possible for a very long time now so it's not really that much news, and yes, gpg really is horrible to use and almost impossible to use correctly.

See the top comment here for more details:

And of course, read the site for loads of details.

I guess I should be happy that people are checking the signature of my kernel releases, and emailing me that something is "wrong" on their system, that's nice to see. Too bad their scripts are "wrong" as they pull in all keys with a possible 32bit signature and things go boom.

Short answer, always use "long" keys when using gpg, and never auto-refresh keys from the keyservers.
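
Why a 32-bit key ID cannot identify a key, as an added example that is not part of the original post: it parses a constructed listing in the colon-delimited layout of `gpg --with-colons --fingerprint`, shows a short ID selecting two keys, and pins on the full fingerprint instead. The fingerprints, the sample keyring and the function names are made up for illustration, and the 40-hex-digit check assumes v4 keys.

```python
import re

# Constructed sample: field 10 of each "fpr" record is the full fingerprint.
# Both fingerprints are invented and deliberately end in the same 8 hex digits.
SAMPLE_KEYRING = """\
pub:-:4096:1:DDDD3333DEADBEEF:1300000000:::-:::scESC:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333DEADBEEF:
pub:r:4096:1:89ABCDEFDEADBEEF:1400000000:::-:::sc:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
"""


def fingerprints(colon_listing):
    """Return every full fingerprint found in 'fpr' records."""
    found = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            found.append(fields[9].upper())
    return found


def normalize(key_ref):
    """Drop whitespace and an optional 0x prefix, upper-case the rest."""
    return re.sub(r"\s+", "", key_ref).upper().removeprefix("0X")


def keys_matching(colon_listing, key_ref):
    """Keys selected by a key ID lookup: any fingerprint ending in key_ref."""
    ref = normalize(key_ref)
    return [f for f in fingerprints(colon_listing) if f.endswith(ref)]


def pinned_key(colon_listing, key_ref):
    """Accept only a full fingerprint that matches exactly one key."""
    ref = normalize(key_ref)
    if not re.fullmatch(r"[0-9A-F]{40}", ref):
        raise ValueError("key reference is not a full 40-hex-digit fingerprint")
    hits = [f for f in fingerprints(colon_listing) if f == ref]
    if len(hits) != 1:
        raise ValueError("pinned fingerprint not present exactly once")
    return hits[0]


if __name__ == "__main__":
    print(keys_matching(SAMPLE_KEYRING, "0xDEADBEEF"))  # two different keys
    print(pinned_key(SAMPLE_KEYRING,
                     "AAAA 0000 BBBB 1111 CCCC 2222 DDDD 3333 DEAD BEEF"))
```

A verification script built this way fails closed when handed a short ID instead of silently trusting whichever colliding key was imported.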

Post has shared content
so I wrote up my thoughts on this whole #snappy thing long-form:

summary: snappy is +Canonical's attempt to build an app-store like mechanism for Linux. It is not remotely 'done' yet, in the sense their PR claims it is. It does not have anything like the cross-distribution buy-in their PR heavily claims it has. It is not going to replace apt or dnf. The packages for other distributions are half-assed and have half the claimed features of snappy disabled. Canonical made no bona fide attempt to build consensus behind their system before issuing a press release claiming it was all ready to take over the world. There is a competing system, #flatpak , which arguably has greater cross-distro buy-in at this point (though really, neither system has any significant support outside of its sponsors). But sure, aside from that, it's all true!

Post has shared content
»Flatpak is the new name for GNOME’s XDG-App initiative, though ‘…95% of the commits come from one Red Hat employee,’ Shuttleworth cheekily noted. ‘We would be delighted if they’d work with us.'« – Sorry +Mark Shuttleworth, but this is FUD.
1. flatpak currently has 29 different committers, most of them not Red Hat employees; one is even a Debian developer.
2. +Alexander Larsson has 78% of the commits, not 95%.
3. snappy has only 5 committers, all of them Canonical employees.
4. If you want people to help you with your snaps, don't require them to sign Canonical's CLA, open all snap components (including the server side) and stop spreading FUD in the first place.


Post has shared content
PWN2OWN Mobile: Daniel Komaromy (@kutyacica) and Nico Golde (@iamnion) pwned the baseband radio in a brand new Samsung S6 Edge that I unsealed from the box and updated to latest software at the conference.

The software radios on the table are pretending to be a cellphone base station - we are doing this in an isolated room deep underground where there is no cellphone coverage to interfere with and I am the only other person in the room. As soon as we power up the new phone in the presence of their attack radio, their signal patches the radio runtime software of the baseband processor (the other cpu in your cellphone that users can't access that takes care of the radio to talk to the network) so that after the patch any phone calls I make are routed to them instead of their intended destination.

I tested this after when we went to where we did have cellphone coverage by trying to dial my Japanese cellphone and it rang on Nico's cellphone instead. The modified radio software also forwarded the original number dialled so in the real world an attacker would then use a VoIP proxy to forward the call imperceptibly and listen in on it.

Ironically enough, this year at PWN2OWN we have had some of the most significant research with the smallest prizes ever, in the true spirit of security research - to reward these guys since I don't have a lavish budget I'm going to fly them and their wives, girlfriends and family to CanSecWest next year to come snowboarding/skiing after they give a technical presentation on doing security research on baseband processors and this vulnerability. (Hat tip to the Blackberry security folks who got us in touch with the right folks to get the vulnerability information to Samsung through a VP they know there.) I would like to get these guys some further reward, beyond the bragging rights for winning PWN2OWN and being the first to show a successful baseband attack, for this significant research, especially since last year we were offering $150,000 rewards for an attack like this.

These guys have been doing this work in their spare time in addition to their day jobs and have put in a significant amount of time into doing this to secure the whole industry. So if you folks know a bounty program that would be interested in these and other significant cellphone baseband radio discoveries please contact me.

Post has shared content
A lesson in shortcuts.

Long ago, as the design of the Unix file system was being worked out, the entries . and .. appeared, to make navigation easier. I'm not sure but I believe .. went in during the Version 2 rewrite, when the file system became hierarchical (it had a very different structure early on).  When one typed ls, however, these files appeared, so either Ken or Dennis added a simple test to the program. It was in assembler then, but the code in question was equivalent to something like this:
   if (name[0] == '.') continue;
This statement was a little shorter than what it should have been, which is
   if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) continue;
but hey, it was easy.

Two things resulted.

First, a bad precedent was set. A lot of other lazy programmers introduced bugs by making the same simplification. Actual files beginning with periods are often skipped when they should be counted.

Second, and much worse, the idea of a "hidden" or "dot" file was created. As a consequence, more lazy programmers started dropping files into everyone's home directory. I don't have all that much stuff installed on the machine I'm using to type this, but my home directory has about a hundred dot files and I don't even know what most of them are or whether they're still needed. Every file name evaluation that goes through my home directory is slowed down by this accumulated sludge.

I'm pretty sure the concept of a hidden file was an unintended consequence. It was certainly a mistake.

How many bugs and wasted CPU cycles and instances of human frustration (not to mention bad design) have resulted from that one small shortcut about 40 years ago?

Keep that in mind next time you want to cut a corner in your code.

(For those who object that dot files serve a purpose, I don't dispute that but counter that it's the files that serve the purpose, not the convention for their names. They could just as easily be in $HOME/cfg or $HOME/lib, which is what we did in Plan 9, which had no dot files. Lessons can be learned.)
