Untitled Linux Show 208: One Step Below Horribly Broken

Jonathan

Hey folks, this week we're talking about X11 and Wayland. No surprise there. We talk about how long KDE is going to stick with X11. Talk about only Office releasing version 9. There's vcashfs drama in the kernel. The ZED editor has a debugger and lots more. You don't want to miss it, so stay tuned.

Ryan Seacrest

25 years ago, a small group of business and government leaders met in Washington, D.C. they envisioned the creation of an independent nonprofit organization with a mission to help people, businesses and government mitigate the growing threat of cyber attacks. Today, the center for Internet Security embodies that vision. For 25 years, it's worked with a global community of IT and cybersecurity experts to develop the CIS benchmarks and CIS critical security controls. These proven security best practices defend against common cyber threats and streamline compliance with industry frameworks, regulations and standards. Today, CIS provides cybersecurity services, threat intelligence, and critical resources to help public and private sector organizations alike strengthen their Cyber defenses. Visit cisecurity.org today. That's the letters cisecurity.org to find out how CIS can help your organization as we create confidence in the connected world.

LinkedIn Ad Voice

Does it ever feel like you're a marketing professional just speaking into the void? Well, with LinkedIn ads, you can know you're reaching the right decision makers. You can even target buyers by job title, industry, company seniority skills. Wait, did I say job title yet? Get started today and see how you can avoid the void and reach the right buyers with LinkedIn ads. We'll even give you a $100 credit on your next campaign. Get started at LinkedIn.com results, terms and conditions applied.

Rob Campbell

Hey, it's Ryan Reynolds here from Mint Mobile. Now I was looking for fun ways.

LinkedIn Ad Voice

To tell you that Mint's offer of.

Rob Campbell

Unlimited Premium Wireless for $15 a month is back.

LinkedIn Ad Voice

So I thought it would be fun.

Rob Campbell

If we made $15 bills, but it.

LinkedIn Ad Voice

Turns out that's very illegal. So there goes my big idea for the commercial.

Rob Campbell

Give it a try@mintmobile.com Switch upfront payment.

Jonathan

Of $45 for a three month plan equivalent to $15 per month required new customer offer for first three months only. Speed slow after 35 gigabytes of network's busy taxes and fees extra. See mintmobile.com Podcasts you love from people you trust. This is TWiT. This is the Untitled Linux show, episode 208, recorded Saturday, June 21, one step below horribly Broken. Hey folks, it is Saturday and you know what that means. It's time for Linux we're gonna get geeky with it, the Untitled Linux show, and we're gonna talk about software and some hardware, all kinds of fun. St up. It is not just me. We've got Rob Campbell and We've got Ken McDonald. I remembered your last name this time and it's going to be a lot of fun. Jeff is still. Jeff is still not here. He is still out playing hooky, but he'll be back here in another couple of weeks. But we're going to let Rob go first and we sort of have a theme that we're going to be talking about at least for our first stories this morning, and we're going to let Rob kick it off.

Rob Campbell

So not only is it time for Linux, but it's also time for your weekly reminder to get off of X, Xorg, X11, whatever you want to call it and get on over to Whalen. Recently we mentioned the X11 Libre fork of X11 to replace the essentially deprecated X11 and keep things going. I believe the opinion on the show from the panel was mostly generally just let it die. And Michael over at Pharonics seems to have a similar response, saying that his lack of coverage of X11 libre was essentially a vote of no confidence. He kind of said due to inexperience of the people that are taking it over many of the X and with showing that inexperienced many of the X11 libre commits to X11 have been recently reverted due to issues such as not handling copyright and licensing license notices correctly. So most seem to agree that X11 libre isn't the way of the future. So just get on over to to Wayland, you know, and if that's not enough for you, here's our what seems to be a regular weekly monthly roundup of the new, not even new, but newly discovered CVE vulnerabilities that have propped up in X and relative things. So you got CVE 20, 25, 49, 175, 49, 176, 177, 178, 179 and 180. So that's six of them right there. And from the top the first one is a out of bounds access and X rendering extensions and animated cursors. The next one is a integer overflow in big requests extensions. Then you have a data leak and xf x fixes I guess extension 6x fixes set client disconnect mode. You have unprocessed client request via bytes to ignore an integer overflow in X record extensions and then you the last One on there the 49180 is integer overflow in R&R extension, the RR change provider property. These flows, you know why I said they're not new is because a lot of these flaws, not flows, they date back years, many years. And you know, like as noted by Niles Emmerich over at the one research company that found a lot of these, he says quote the x dot RX server is a, is a aged and large project that grew over time with the help of the open source community. All of these issues gave me a feeling that the source code itself can best be described as party underscore. Like underscore. It's underscore. 1989 equals true. So you know, these, there's. We just keep finding more and more vulnerabilities over the years. You know, X was developed at a time when Internet security and you know, just overall security wasn't really much of a thing to be concerned about. No, people weren't getting a compromise. So. And it's, it's just a lot to, to, to go back and fix. You keep fighting old vulnerabilities over and over and over again. Which is, you know, really why they decided, decided some time ago just to start over from scratch. And really Wayland's there. They've pretty much moved away from X and it's time for Wayland. Come on, guys.

Jonathan

Yeah, so there's a, there's a little detail here at the end of this article, the insinuator.net article where they actually talk about the vulnerabilities. At the very, very end of it it says we want to thank Red Hat. We want to thank Red Hat for the smoothly coordinating the vulnerability remediation process and preparing publishing a security advisory as well as issuing the CVEs. So this is a point that I've made before the company, the reason that XORG is maintained at all, the reason that things get fixed, is because Red Hat is still using it and Red Hat is still paying employees to fix it. And when that goes away, it will be entirely up to the community. And as of right now, that's pretty much one guy who's working on his fork. Yeah, it will be unmaintained software when Red Hat stops paying for maintenance. It's just the way it is.

Rob Campbell

Red Hat's going to have supported versions of X for some time to come, but I believe new versions of Red Hat are already moving away from it.

Jonathan

So I don't think new versions of Red Hat support X at all.

Rob Campbell

They have moved away, I should say.

Jonathan

I think. I think that's the case.

Ken McDonald

Then there's one application they no longer support either.

Rob Campbell

Now. More than one, I'm sure, but yeah.

Jonathan

Which one are you thinking of though?

Ken McDonald

It's one that Bobby Borisoff wrote an article about.

Jonathan

Oh, do tell.

Ken McDonald

Yeah, it's one. Application development team are reporting their application having significant limitations and known issues that substantially degrade the user experience when running on Wayland systems. The application in question is kicad, an open source tool for electronic design automation for engineers, hobbyists and printed circuit board designers. The KICAD development team recently published a blog titled KICAD and Wayland Support. It provides a detailed update on Wayland compatibility with major distributions like Fedora and Ubuntu. Moving toward Wayland by default, the KICAD development team wants to set clear user expectations. Though far from a seamless experience, KICAD does function under Wayland. Now, the blog states there are window management issues, input and interaction problems, performance and stability issues, and probably the most is dialogue and user interface limitations. Are you asking why do these issues persist? According to the KICAD development team, these problems aren't within KICAD's control and exists because Wayland's design omits basic functionality that desktop applications for X11, Windows and Mac OS have relied on for decades. Things like being able to position Windows or warp the mouse cursor. This functionality was omitted by design, not oversight. They also state the desktop environment fragmentation doesn't help. Their blog also includes a bug report policy for Wayland users and provides a list of what the KICAD development team consider Wayland specific issues. Now I do admire the way they end their blog. The last line is for now, if you need to use KICAD On Linux, use X11. Now I'm going to recommend reading Bobby's article for his take and to get the link for the KICAD blog. Jonathan the KICAD website also provides information about various projects made with kicad. I found some of those extremely interesting to look at.

Jonathan

Oh yeah, I've used KICAD for some things over the years too. It's a useful tool. Yeah. So some of the things that they talk about that's missing. It's. It's sort of unfortunate and really it's from a time in Wayland development where the peop, some of the people that were in charge of it were very opinionated about what should and shouldn't be there. And they were wrong. Let's just be clear, they were wrong about what should and shouldn't be in Wayland and history has proved that out things like mouse warping and being able to put Windows in specific places, it is just, it has been proven that that is a thing that needs to be in Wayland because it's a thing that the desktops need and the various applications need. The Wayland team was shown the light by a sort of a coalition of both those in desktop environment folks like the people from kde, the people from Fedora were involved in this and the people from Valve were involved with this. And you know, I've said. I've said a couple of times and I actually was. I was told that this is accurate, that yeah, there was. There was sort of an implicit threat that we're just going to fork Wayland and go play in our own sandbox if you guys aren't going to. Aren't going to play ball. And so that sort of straightened things up and we are now back on the path to getting all of these things merged in Wayland. Some of them are there already. In fact, when I talked with Nate Graham on Floss Weekly a couple of weeks ago, his comment was their punch list of things that needed added to Wayland is very, very short now, but it takes time for that to get added to the Wayland protocol and then make it into the gnome desktop, the KDE desktop and all these different places. So it's getting there much closer by.

Ken McDonald

The end of the decade, I would.

Jonathan

Think so that by then it should be all ironed out.

Rob Campbell

Billy or Mr. Lawson on Facebook asked how whan is spelled. It is whan W A Y L A N D. And it's like, like the aliens on Home World Lost by JN Cheney. I don't know about the alien, the aliens movie, those whings, but yeah, that's, that's. There's a way. There's a Wayland and home. Home were lost.

Jonathan

Yeah, that's W E Y L A N D. I believe it's way whand Yutani. Different different place. Not. Not related as far as I know.

Ken McDonald

The.

Rob Campbell

The wh. I don't even know how that wh in the book that I was referring to as that is an audiobook because I don't have time to actually read anymore.

Refresh Ad Voice

Are dry eye symptoms frequently interrupting your day? Keep dry eyes off your schedule with Refresh Relieva PF Extra Lubricant eye drops offering an advanced formula to soothe and hydrate your eyes with innovative hydrocell technology to lock in moisture and prevent further irritation. Refresh Relieva PF Extra gives you lasting relief. Equipped with a soft squeeze multi dose bottle featuring a double lockout system that keeps drops sterile so you can feel confident using it, Refresh has been delivering relief from dry eye symptoms for 35 years. It's a track record of success that has earned the trust of physicians and patients alike. You deserve relief from your dry eye symptoms and your eyes deserve extra. Find Refresh online or in the Eye Drop section at all major retailers. FSA and HSA eligible.

Albertsons Ad Voice

Hey, it's Ryan Seacrest for Albertsons and safeway now through June 24th. Score hot summer savings and earn four times the points. Look for in store tags on items like Kinder, Bueno, Cheez It Crackers, Oscar Mayer Lunchables and Just Bear Chicken Bites. Then clip the offer in the app for automatic event long savings. Enjoy savings on top of savings when you shop in store or online. For easy drive up and go pick up or delivery subject to availability restrictions apply. Visit Albertsons or Safeway.com for more details.

Jonathan

Yeah, so interesting stuff. So I've got a a Wayland slash X11 story. This one is a different take on it. This one is from KDE and I just mentioned his name. This is from Nate Graham himself and it is it's his response to X11 being in the news again. And I have to say this is actually a really nuanced and thoughtful take on it. He doesn't directly address the criticisms and things going on, but what he does address is what KDE is going to do and what he is going to do as part of KDE. And that is that Plasmas KDE Plasma's X11 session is being maintained. So the plasma side of it, they are continuing to maintain it. He says specifically this means the following things. Plasma will continue to compile and deploy on X11. They're going to make sure of that. Bug reports about Plasma X11 being horribly broken will be fixed so things like you can't log into it at all. They'll fix those Very bad. This is one step below horribly broken very bad x11 specific regressions will probably be fixed eventually. Less bad x11 specific bugs will probably not be fixed unless someone pays for it. And then he's got a link off to the KDE Consultants page and Then he says x11 specific features will definitely not be implemented until someone pays for it. I think that's a very interesting and very useful sort of snapshot of where they are at. And then he says that there are actually not very many. There's a very small group of open and fixable x11 specific bugs. So remember, that's the whole thing, that there are certain bugs in X11 that are just. They're not fixable. Right. The solution was to create Wayland. And so there are some of these things that are just never going to get fixed. Like some of the security problems in X11 are not going to get fixed because they are baked into the specifications. And then he has this interesting thought that eventually it will be lights out for X11. So eventually support for it's just going to completely go away. And he says, yes, but it's not going to happen soon. So his thoughts on this is it's not going to happen in the next year, probably not even in the next two years. He says that's a guess. And then he links to the Plasma Wayland Known Significant issues page, which in and of itself has another link off to another K Win issues page. Between these two, you've got a list of problems or shortcomings for KDE on Wayland that they sort of. They're aware of and they feel like they need to fix it before they can actually drop support for X11. There are things like the accessibility problems, some of those are mentioned. There's problems with graphical tablets. There are some things upstream that they're waiting on for various, you know, project various elements, various parts of the desktop. He talks about some things that are already fixed. The links he has here goes on talking about things that are already fixed upstream and are coming in a future version. And then he says, why are you guys doing this? Don't you like X11 anymore? And his comment is the plasma team isn't emotional about display servers. It's just obvious that X11 is in the process of outliving its usefulness. Someday Wayland will eventually be in this boat too, such as the eventual fate of all technologies, which I think is a interesting point and very true. Wayland is better for modern hardware, he points out, and that maintaining code to interact with two display servers and session types is exactly as unpleasant as it sounds. There's a lot of great quotables in here and that's another one of them. Regardless of when you pull the trigger, isn't it premature? And he sort of disagrees with this and says that the majority they have some telemetry. The majority of plasma users are already using the Wayland session. 73% of Plasma 6. And he anticipates that's going to go up Once things like SteamOS come out using Wayland by default. Debian the next Ubuntu lts come out, they're going to be Wayland by default. And then we would expect to see those numbers go even, you know, through the roof, much closer to 100%. So he says the goal here is to make everyone happy, which that is a very lofty goal.

Rob Campbell

Yeah, that's going to fail.

Jonathan

Yeah, but that's the reason why they're still maintaining the X11 session. They're going to try very hard not to get rid of it until everyone is happy with Wayland. And yeah, that seems like that is not going to be possible because there are some people that have legitimate complaints with Weyland and then there are a group of people that are just. They have decided that they're never going to like it. But yeah, so the. And he ends with saying that long transitions are tough, but ultimately it's worth it to get something better in the end. And I think that sums it up rather well. So that is where KDE is at with Wayland. They are trying to move to it. Lots of places are moving to it by default, but they're going to stick with it and keep the maintenance tail up until more people are happy with Wayland.

Rob Campbell

I think. Yeah, I think he played it really safe there in his comment where he said it's not going away anytime soon. And then his reference of soon is one to two years. I mean, yeah, that's obvious. There are distros that have promised because they have support for the next five to maybe some is close to 10 years still for X support, which pretty much says it's not going away for.

Jonathan

Right, well, okay, so you're talking about two different things though. You're talking about getting security updates for this stack versus what Nate is talking about is not ripping all the code, all the X11 code out of KDE.

Rob Campbell

Right now out of newer versions of KDE.

Jonathan

Right. So they just released what, KDE 6.4. And so there would be nothing stopping them from saying, all right, that's the last KDE version that's ever going to support X11. We're going to rip all this code out in 6.5. You only get to run on Wayland.

Rob Campbell

I still think if you tell me it goes away in the next five years, that's still soon in my opinion. Five years is soon.

Jonathan

Yeah, it sort of is.

Ken McDonald

What do you consider a second.

Jonathan

Really soon?

Rob Campbell

Yeah, I mean, considering it's been around for what, 40, 40, almost four years.

Ken McDonald

Four decades.

Jonathan

Yeah.

Rob Campbell

Yeah. So, you know, five years is soon. I think it's going to be Going away soon in that reference. Yep, yep.

Ken McDonald

By the end of the decade.

Jonathan

Yeah, yeah, that's pretty, that's pretty accurate.

Ken McDonald

Five years sounds shorter than by the end of the decade, though, doesn't it?

Rob Campbell

And to clarify, as you kind of pointed out, going away as a. Not in new code, like new versions of kde, but X itself will not be going away that quickly.

Jonathan

X Wayland is going to be around for more than five years. X Wayland will be around probably for another 20 years. Just the reality of it all. Right.

Ken McDonald

Around and used.

Jonathan

Yes, yes.

Rob Campbell

There may be a point sooner where it's not installed by default, though.

Jonathan

That's possible. Yeah, I can see that. All right, so let's move off of X and Wayland. We've talked about that plenty. Let's talk about Office Suites. There's more than just LibreOffice and Open Office and Microsoft Office. What's this other one that I keep hearing about, Rob?

Rob Campbell

Yeah, so there is more than just that. We always talk about LibreOffice as the Microsoft Office alternative to use on Linux, but that isn't the only option. I mean, there's even others, but some might argue it is even the best alternative. So, like I said, we're talking about only Office here. What sets OnlyOffice apart is its focus on collaboration and generally reliable compatibility with Microsoft Office files, even when compared to the likes of LibreOffice. This week, OpenOffice 9.0 has been released, bringing even more great features to it and to you, the user. So the first thing, and in some ways the biggest, is the redesign of the interface to prove a more intuitive and accessible experience. For taking advantage of this, you have to go in. Well, from what I read, you have to go in and do it. Select either enable either the Modern Light or the Modern Dark theme. Now, to me, for me, I installed on Linux Mint. It's right there in the, in the Software center. As a FlatPak, I got 9.0 and it had the. So if I go over here to view, it had the Modern Light theme already on by default. For those watching, this is a Modern Light. If I, if I go to the Classic Light, it's a little more compressed and maybe more like older versions. I don't know. I. I'm not even sure if I like the Modern better or not. The modern kind of takes up more room, it's more bubbly. I kind of like the old. But anyway, to each his own. I guess this is maybe more the kind of look that Microsoft is driving with their. You know, what they call A modern look and people follow them and, and the Mac guys. But you know, look shouldn't be that important, but you know, it, it is actually one of the big things that drive people away from LibreOffice. I think, I think open office looks better than LibreOffice. You know, a lot of people, you know, if you, if you look old and outdated, people are just going to assume that, that you'll function that way as well. So I. As little as looks should be important, they kind of are. Only Office 9 also adds AI tools. Okay, AI, but hear me out, hear me out. So some of those features are extract text from scanning PDF files using ocr. Is that AI? I don't know, whatever, whatever you want to call it. It's cool. Apply smart formulas and run complex data analysis and spreadsheets. Create new Only Office macros based on prompts. Convert VBA macros to Only Office macros, which could be very useful. I know one of the things that people cite why they can't leave Microsoft Office is because their tools have VBA macros built in that they need to run their business they built over years. If this conversion tool actually does a good job, that might be a real serious way to migrate away from it and not even have to rely on Ms. Office anymore. Other improvements to various components of Only Office include PDF editor, drag and drop reordering of pages, PDF editor, page duplicate duplication pages using copy and paste spreadsheet editor, RLT support, spreadsheet editor, asynchronous calculations, document editor, improve content controls and paragraph borders toolbar button. Then the presentation editor, which is your PowerPoint or whatever alternative, has a text, animation, previews in slideshow mode. Other changes across the suite include defined font size, type in simplified Chinese, display numbers using Hindi numerals, text art, text settings inside chart labels, improve data and chart customizations, print files without using OS dialog, and on Linux you can enable disable spelling, language detection and only Office settings. Like I said, I was able to find it, install it on Linux Mint and get the latest version and get to see what all the fun new features and look is. So Only Office Libre is not the only alternative. This is open source too.

Jonathan

Yeah, absolutely. You know, I've never, I've never played with it. I've never gone and played with Open Office or, excuse me, with Only Office.

Ken McDonald

I wonder how difficult the macros are to write in OnlyOffice compared to LibreOffice.

Jonathan

In LibreOffice you can do it in Python.

Ken McDonald

I think that's what I was thinking too.

Rob Campbell

Yeah, I haven't tried writing in it yet, so I don't know what that is.

Jonathan

I'm gonna say doing it in Python is probably a better idea than doing in VBA.

Rob Campbell

Well, I'm guessing they don't use VBA though, though.

Ken McDonald

OnlyOffice gives you the ability to convert VBA macros to only Office macros.

Jonathan

Right? But what language is it in? Is it. Is it Python? Like, I'm also curious, where did OnlyOffice come from? Is it like a from the ground up rewrite or is it based on something? Is this the open source continuation of Claris Works from back in the day? Who knows?

Ken McDonald

Now you're giving us homework.

Jonathan

I am doing it right now.

Rob Campbell

I'm looking up the macros thing. It is a JavaScript syntax, so it depends what you're used to writing with.

Jonathan

I see. So only Office was formerly TeamLabs, a group of software developers from Asensio System SIA, a Latvian based company and new communication technologies, Russian based, launched a project called TeamLab, a platform for internal team collaboration. In March 2012, they introduced an HTML5 based online document editor at CBIT. In 2014, TeamLab Office was officially rebranded to OnlyOffice and the source code was published under the AGPL3. So, wow, it is a very software freedom. Yeah, it's a restrict. Is it restricted? Do we call it restrictive? It is a very opinionated license, we'll put it that way.

Rob Campbell

But yes, it is open source.

Jonathan

It definitely is open source. Yes, it is one of the licenses that does away with the cloud loophole, as it were. Yeah, very cool. So there you go, there's the history. No, it was not descended from Claris Works.

Rob Campbell

No, I did not.

Jonathan

I did not particularly think it was either.

Ken McDonald

But you think it would make a good editor for writing code in.

Jonathan

No, probably not. There are some new good editors for writing code in. What's one of your favorite new code editors, Ken?

Ken McDonald

I'll have to admit that I actually like using Zed myself and you'll see that I've got it up in the background at the moment. But I do want to tell you about another feature that's coming this to ZED that Michael Larabel reported on. And this is. Now, I do want to point out that I first talked about Zed back in Episode one six. So if y' all want to go back and hear about it from the beginning, yeah, y' all can go back and listen. But according to Michael, the Zed developers announced the Zed debugger support has been merged. He goes on to say it took eight months of development, nearly 1,000 commits and is comprised of more than 25,000 lines of code while in turn being able to use also being able to also interface with GNU GDB or the LLVM lldb. According to the Zed editor developers, Zed supports debugging popular languages including Rust, C or C, JavaScript, Go, and Python out of the box. They also introduced a system that translate build configurations into debug configurations. This means you can write a build task once in a task JSON and reference it from debug JSON or rely on zed's automatic configuration. Now the system they came up they introduced is called Locators with current support for Cargo, Python, JavaScript and Go. With more languages coming in the future, ZED makes it easy to inspect your program state such as threads, variables, breakpoints, the call stack and a lot more that you could think of. You can customize the debugger panel and move it to fit your workflow. Now if you prefer to keep your hands on the keyboard then you will enjoy ZED support for keyboard driven debugging. It allows you to step through code, toggle breakpoints and navigate a debug session without ever touching the mouse. If you want to look under the hood then definitely read Zed's blog.

Jonathan

Yeah.

Ken McDonald

Have you played around with ZED yet? Jonathan?

Jonathan

No, not Zed. I am stuck on VS code because that's what the project I do so much work on uses pretty much all the other developers use.

Rob Campbell

Yeah, because it's Microsoft and all.

Jonathan

Yeah, that's totally why. No, it's because VS code has really good support for scripts to do things like flashing embedded devices. We would have to rebuild all that stuff from scratch and Z and I'm not sure how much of it would be supported there even. But no folks out there that are programmers. If you've not used a good debugger, particularly like a debugger that's inside of a code environment, it is so nice once you finally start using it and working with it. Good for the guys at ZED and good for all of their folks to be able to finally have access to this.

Ken McDonald

Has VS code got a good debugger?

Jonathan

Yeah, it's pretty good. It's pretty decent. It too can talk directly to GDB and all that good stuff.

Rob Campbell

Now if you prefer something that does not have a good bugger Debugger bugger. It's a clean command line base. I got a great tip for you later. Oh, and it's from Microsoft Edit.

Jonathan

We already talked about that.

Ryan Seacrest

25 years ago, a small group of business and government leaders met in Washington, D.C. they envisioned the creation of an independent nonprofit organization with a mission to help people, businesses and government mitigate the growing threat of cyber attacks. Today, the center for Internet Security embodies that vision. For 25 years, it's worked with a global community of IT and cybersecurity experts to develop the CIS benchmarks and and CIS Critical Security Controls. These proven security best practices defend against common cyber threats and streamline compliance with industry frameworks, regulations and standards. Today, CIS provides cybersecurity services, threat intelligence, and critical resources to help public and private sector organizations alike strengthen their Cyber defenses. Visit cisecurity.org today. That's the letters CSE cisecurity.org to find out how CIS can help your organization as we create confidence in the connected.

LinkedIn Ad Voice

World does it ever feel like you're a marketing professional just speaking into the void? Well, with LinkedIn ads, you can know you're reaching the right decision makers. You can even target buyers by job title, industry, company seniority skills. Wait, did I say job title yet? Get started today and see how you can avoid the void and reach the right buyers with LinkedIn ads. We'll even give you a $100 credit on your next campaign. Get started at LinkedIn.com results terms and.

Refresh Ad Voice

Conditions apply Are dry eye symptoms frequently interrupting your day? Keep dry eyes off your schedule with Refresh Relieva PF Extra Lubricant Eye Drops offering an advanced formula to soothe and hydrate your eyes with innovative hydrocell technology to lock in moisture and prevent further irritation, Refresh Relieva PF Extra gives you lasting relief. Equipped with a soft squeeze multi dose bottle featuring a double lockout system that keeps drops sterile so you can feel confident using it. Refresh has been delivering relief from dry eye symptoms for 35 years. It's a track record of success that has earned the trust of physicians and patients alone. Like you deserve relief from your dry eye symptoms and your eyes deserve extra. Find Refresh online or in the Eye Drop section at all major retailers. FSA and HSA eligible.

Jonathan

All right, we'll see what exactly what that is. What's coming up? Let's see. So that was Zed. Let's talk about. Let's talk about Servo. This is a kind of an interesting update in the Servo browser and it's caught my eye because in 2025, halfway through 2025, the day after the summer solstice. So like literally halfway through 2025, the Servo browser finally adds support for animated GIFs, SVG images. And those are the two big things, I suppose. Other, other CV or other JavaScript and CSS things like transform stream and set HTML on, save scrolling elements properly on documents pipe through. So you know, it's hard to re implement a browser from scratch. But Servo is getting there, being the Rust based browser that sort of descended from Firefox, has broken out of the lab, so to speak, and is now getting worked on by a bunch of different people. But I was so humored that their big thing was that they now support animated gifs. It's like, oh well, the Internet's usable again on Servo. It's fun.

Rob Campbell

Yeah, we all rule the day. Then animated gifs became a thing in other browsers.

Jonathan

So we rue the day. I find it quite fun.

Rob Campbell

We ruled.

Jonathan

I find it quite fun. But you know, there's quite a bit going on with Servo. They seem to have a bit of backing and I think one of the reasons for that is that the, the license of Servo. Let me double check before I tell you this because I can't remember for sure what it is. I think Servo is actually a. Yeah, it's, it's the Mozilla Public License 2.0 and it is rather permissive.

Rob Campbell

You know, if you think gifs are fun on websites, you must be a little too young to remember the days when websites would come up and there would be the same dancing.

Jonathan

Oh no, I remember that.

Rob Campbell

And it would. And there'd be midi music everywhere. And.

Jonathan

What'S really fun is to go back to Stuart Chef's Computer Chronicles and watch some of their early web episodes where they're like, we can put music on websites so that it plays automatically when you visit the site. And they're like, oh, this is so cool. And now we're like, oh, why did you do this to us?

Rob Campbell

It seemed fun. Briefly.

Jonathan

It was fun the first time.

Ken McDonald

It was fun the first 20 years.

Jonathan

Yeah.

Rob Campbell

No, that's a little far.

Jonathan

I don't know if it was fun for that long.

Rob Campbell

Twenty years ago, maybe two.

Jonathan

It was fun the first time. So anyway, Servo is coming along. It is very fascinating to watch Servo and Lady Bird get closer and closer to usable. I was looking at Lady Bird and they don't have a web or they don't have a dev blog quite in the same way that Servo does. But I did see there that they were talking about doing the first alpha next year of Ladybird. So we'll be in a position where suddenly there's a couple of new browsers that are worth looking at to see what happens with that.

Ken McDonald

What engine is Serv using?

Jonathan

Servo and Ladybird are both writing their own web engines from scratch. So that's the whole thing. That's why the two of those are notable. It's not just another Firefox Reskin or Google Chrome.

Rob Campbell

Using another web engine is nothing. I mean, I can make a browser using another web engine.

Jonathan

Using one of the available ones.

Rob Campbell

Yeah, one of the available ones. It's creating your web engine that is a real feat.

Jonathan

Yes, yes. It's not using chromium that's really the hard thing. Yeah, don't pull any chromium code and then you're doing something. So, you know, this year, next year, maybe it'll be, it'll be usable and there'll be ways to try them without building it from source yourself. That's the deal with Ladybird right now. If you want to try it, it's like, well, here's the source. Have fun.

Rob Campbell

That's why I haven't tried it yet.

Jonathan

Yeah, it's sort of on my long to do list. I'm, I'm, I'm way up at the top of that to do list right now. And that's more down, you know, where's my hand in the camera? That one's down here. Right, you know, hovering right around where the microphone is and right above my name tag. That's where that one is on that to do list.

Rob Campbell

Yeah. By the time you get there, there'll be a binary for you.

Jonathan

That's the plan. That's my game plan. All right, let's see here. Oh, Colonel Drama. Rob's bringing the drama today.

Rob Campbell

I like to do that.

Jonathan

Yep.

Rob Campbell

So Linus is once again building drama around the kernel and bcash FSS commits to it. You know, this isn't the first time for any of this. In the past he has complained about BCash FS's FS adding new features during the merge window or you know, the release candidate testing phase of development and you know, it's just happened again. But there is, you know, there's some fun back and forth. I mean, it's mostly been one sided actually. And I'm not going to go through the whole thing. I'm picking out some highlights here. I'll go through all of Linus's bit because it's short, so Linus says. You seem to have forgotten what the point of the merge window was again.

Jonathan

Why did Linus start talking like Schwarzenegger.

Rob Campbell

There for a second because I don't do accents. We don't start adding new features. I was starting to.

Jonathan

You were trying for finish and you just failed. Spectacular.

Rob Campbell

And then after I realized it's not work and I just, I dropped out of it. I'm like, yeah, I can't do finish again. Okay, okay. You seem to have forgotten what the point of the merge window was again. We don't start adding new features just because you found other bugs. I remain steadfastly convinced that anybody who uses BCash FS is expecting it to be experimental. They had better make the dash RC fixes be pure fixes. So that's Linus's point. But B Cash, you know, the fsi, they didn't keep silent. With the developer Kent Overstreet responding, he had a lot to say. I'm not going to say it all because. Because I'm not. So I picked out some of the quotes. He says the goal is to get users code that works, is it not? Honestly, most of the people using bcachefs, from what I've seen, just want something that works. There are a lot of people who've been burned by Butterfs or BTRFs. I've even been seeing more and more people in recent discussions talking about unrecoverable file systems from xfs. If you go looking, you won't find those stories about BCASH fs. Except for me when I'm telling people what to watch out for. And that's because of a lot of hard work and because I'm dead set on not representing past mistakes. I actively hunt down bugs right reports and frequently tell people I don't care if you think it's a hardware issue or pebcheck person. What is that person between keyboard and computer and keyboard. It's the file system's job to not lose data. Get me the info I need and I'll get it sorted out and get it working again. The goal here, delivering something that users can trust and rely on. Okay, that's all good stuff. But you know, in other comments he says, you know, in response to to what Linus says, he says that's an easy rule for the rest of the kernel where all your mistakes are erased at a reboot. File systems don't have that luxury. You know, basically saying that, you know, if we make mistakes, your files are gone unless you have a good backup, which everyone should. That's my interjection. He also says there's a time and place for rules and there is a time and place for using your head and exercising some common sense and judgment. And Ken goes on to say a lot of things that comes down to bcashfs works hard to put out good code. But in the entire rant, I never did see an excuse or explanation for adding features during the release candidate stage. You know, I almost think Linus defended it better when he said anybody who uses BCash FS is expecting it to be experimental. Experimental, you know, and if that's the case, you know, then who cares if it's added during the RC stage. I almost felt like he defended it better. But, you know, at the end of Ken's rant, he says there's no need for any of the mic this micromanaging, which is what this has turned into, all it's been doing is generating conflict and drama. Yeah, conflict and drama. That's why we're here. But I say, you know, maybe, maybe not. You know, micromanaging maybe, maybe that's kind of something that, that's kept the, the kernel stable all these years. And you know, Linus maybe is a little harsh on this. And I think BK B Cash FS probably has a great feature. But, you know, we all know what the RC stage of development is for. I mean, anyone who knows a little bit about development, Linux kernel, stuff like that, you know, and the BCache FS developers, you know, they should also know by now since it isn't their first time getting scolded for this, you know, adding features during that stage, you know, they should know that's going to cause them some grief. So, you know, I guess at this point I just hope everyone has learned something from this. You know, let's all say sorry and move on and, and you know, do it right next time. But I don't know, I never heard a good explanation or excuse. You know, I heard a lot of talk is like, we do hard work, we try hard, we fix things. I'm like, okay, but why did you put new features at the release candidate stage?

Jonathan

This is a debate on exactly how the rules in the kernel development should be handled and whether this new feature is a feature or if it's a bug fix. The argument that Kent is making is without this feature, there is a way that people can lose data and so it should be considered a bug fix. And Torvalds is basically arguing that no, it is a new feature, it does not matter. I'm also looking through here, I'm kind of getting the impression that there is a bit of difference between things that are considered marked experimental and things that are not as far as like where in the RC process they're allowed to push. I don't have a link to those exact rules, but based on comments people are making, I would, would assume that that's what's going on. Yeah, there's. It's, it's, it's fun, it's fun drama. I don't know. I don't know who's right.

Rob Campbell

Maybe it's how he commented. I. I don't know. I didn't dig into his actual commits, but maybe the comments on it were denoted as a new feature rather than a fix to stop from losing fossil. Or maybe not. Maybe. Maybe perfectly labeled it appropriately.

Jonathan

Yeah, he makes the statement that that's an easy rule for the rest of the kernel where all your mistakes are erased at reboot, but file systems don't have that luxury. Talking about fixing bugs at RCX and I don't know, on one hand I understand that. On the other hand, it is sort of a grating comment to say that, well, that rule shouldn't apply to me. I think that's why he has so many people that's ticked at him because that is almost word for word what he said. That rule shouldn't apply to me because I'm doing a file system.

Rob Campbell

I mean, there are plenty of other bugs, I think, in the kernel that a reboot is not going to fix, such as something that opens it up to a compromise.

Jonathan

Yeah, well, you know, anyway, it's an interesting thing to watch and we'll see if he gives him if he gets a little bit more rope from the kernel devs or if they continue to give him a hard no. Your new features need to land during the merge window. It's cat hurting, right? This is what Torvalds does full time, is cat herd. All these developers, that's just part of it. That's what you do.

Ken McDonald

Be a cat herd.

Jonathan

I am a cat herder. And it's oftentimes fun and then sometimes very hard and stressful.

Ken McDonald

And you still have hair.

Jonathan

I do. It's going. It's going gray, though.

Rob Campbell

It's okay to be a cat herder, not a cat herder.

Jonathan

Sometimes you have to hurt the cat's neighbor to hurt. Tough love, man. All right, so when we're all stressed out, what do we turn to Ken.

Rob Campbell

To blow Linux show?

Jonathan

No, you messed up the segue.

Ken McDonald

I like to play around. But we've got some good news coming from Liam Doll and xda's Simon Bat. They both wrote about the latest Steam beta simplifying gaming on Linux. According to Liam, at some point recently, Valve updated the Steam beta client with a change to the way Proton is enabled, making Linux gaming easier. Currently, there's still an option in the stable Steam client that you need to manually check to enable Steam play or using Proton for all other titles. This is something of a leftover from when Proton was initially revealed and only worked for a specific set of games on Valve's white list. It now covers what Valve set by default for Steam Deck and steamos verification. The for all other titles option is gone. In the latest beta, you can still get into the settings and tweak which version of Proton you want to use for a particular game. Apparently Valve has managed to get Proton working well with its entire library. This should mean Linux users don't have to activate options or guess which Proton version is needed for a game. Just boot up Linux, load Steam and play. Now, as Simon put it, gaming on Linux is here to stay. Don't take my word for it, folks. Read both Liam and Simon's articles. I've got the link in our show notes.

Jonathan

Yeah, very interesting. So Steam Valve is confident enough in Proton that they're just opening the floodgates and you get to run all your games through it.

Ken McDonald

And I notice with mine that looks like some of the games give me Proton. Hot fix is a one to go with.

Jonathan

Interesting.

Rob Campbell

Yeah, I've had better experience with Proton than Native for quite some time now. In fact, the bigger problem I've seen with Proton, Steam, Linux in general is people online asking hey, I can't get this to work. Oh, you got to go into Properties and go here and enable Proton. So I mean, I think this would be a world of difference.

Jonathan

Yeah, that'd be great. There's still the anti cheat problem though, right? That's still an ongoing thing where games are throwing out anti cheat or they have anti cheat features that expect to find the Windows kernel and when they don't, they just kind of freak out.

Rob Campbell

Yeah, I saw want to be able.

Ken McDonald

To talk straight to the kernel, period.

Jonathan

Right, right.

Rob Campbell

I saw it on Reddit this week. I don't remember the game but what, it just popped up an error said change your OS or use a different OS or something like that and and kick them out. It wasn't that it wouldn't work on it probably, but.

Jonathan

Yeah, it would. It likely would work without the anti cheat layer. But you know your online games, man, you got to have it because the games that don't, they're popular, you know, anywhere close to Popular people will cheat. They'll install, they'll install cheats and hacks and then the next thing you know, you're trying to fight in the death match and somebody is invincible and flying and, you know, holding a tank and has to click a button and you die. And it's just no fun.

Rob Campbell

And even with, with the anti cheat, it still happens.

Jonathan

Yeah, yeah, it does. That's true. Nothing is perfect.

Ken McDonald

I'm not cheating when I die.

Rob Campbell

I'm cheating death when I don't die.

Jonathan

Yeah. All right. Well, there's an interesting thing that has happened this week, and that is that the Framework 12 laptop is out, or at least it's out to reviewers. And I've got a link to a couple of different reviewers that took a look at it, and one is Michael over at Pharonix and he seems to like it. Likes it quite a bit, actually. It's intel only, at least for the moment. There are a couple of dings against it. So it does have only one DIMM of ram. Only one stick of ram rather than two bigger laptops will take two. The performance seems to be really quite decent. And in fact I've seen. And it has support for all of those, the Framework modules. So you can, you can drop Framework modules into it. It's got the fun colors, which is really neat. So, you know, there's some stuff to really like about it. The second link that I've got is actually over to Ars Technica and that was a reviewer that had some of the same things to say that, you know, he really liked it, his family liked it because of the size and the colors and all of that stuff. Um, but the price doesn't necessarily make sense right now because you can get something that is compatible, you know, comparable to it for so much less. So that's, that's really sort of where this is at. The Framework 12, really great device, but the price isn't really quite there. And, you know, part of that may be because of the tariff situation. You know, these things are made overseas. A lot of them are put together in China. And so that I'm sure is part of this because they have to handle the imports. But the DIY, the arsenic article ends with the DIY edition of the laptop. 12 ships with the Windows license and all the components you need, but you get to assemble yourself. It runs you at least $1,176 to get a working Windows machine. You can do a Pre built for 1049 without any of the special colors. You can get one obviously with Linux for just a little bit cheaper than that because you don't have to pay the Windows tax. But again, the cost, it's kind of a high cost, especially compared to some of the other things that you can get in that same performance ballpark. But the performance itself does look decent. It looks like it's going to be a great machine for Linux. If you really want to do the framework thing and you really want the 12 inch form factor, the ability to fold it all around and use it kind of like a tablet and you can afford it, then it looks like it's a great one to go with. I, I still have a framework on the wish list and I'm probably still going to go with framework 13 at this point.

Ken McDonald

Maybe Santa will bring it to you.

Rob Campbell

Maybe you gotta grow your beard out this year then and deliver it yourself.

Ken McDonald

I'll probably start growing it out in September.

Jonathan

Michael Ephronics talks about the starting DIY price of being $549. I think that is probably the price with just not even the barren essentials to run anything. That's probably the no hard drive, no rent, no memory price.

Rob Campbell

You could buy a piece by piece and eventually have a computer one piece at a time.

Jonathan

It's like the old Johnny Cash song building the Cadillac one piece at a time.

Rob Campbell

I've known people who build desktop gaming computers that way.

Jonathan

Oh yeah, of course.

Rob Campbell

Like, oh, I got, I got this, I got that. I can't do anything with any of it yet. But I'm still waiting on, waiting for the case now.

Jonathan

Yeah, yeah. So you can do a. You can do the i3 1315 U, that's a 2 plus 4 core, 4.5 GHz. And that one starts you at the 549 that he talked about. But that's not going to have any memory in it. It's not going to have a hard drive just like you can.

Rob Campbell

No memory.

Ken McDonald

What did you say, Rob?

Jonathan

His hearing is going too, apparently. So yeah, 549. But again, that does not get you a working computer. You got to add at least some memory and at least a. Well, the cheapest hard drive that they support is $100. You can get one cheaper than that obviously on Amazon.

Rob Campbell

Well, those are things you may already have around. I think that's probably what they figure.

Jonathan

I mean, that's true. It's possible. I think that may also not have a power supply. Maybe it does have a power supply, it's unclear. So you know, you add memory, you add a hard Drive, you're talking $688 and that actually gets you a low end but working computer, which is not terrible. It's really not.

Ken McDonald

You're gonna want, then every year you upgrade one of the modules in it, right?

Jonathan

I mean, then you start putting more RAM into it. I guess you're probably gonna want more than eight gigs of RAM. So, you know, you drop another 40 bucks on that. But yeah, if you're, if you're willing to get by with just the quad core processor, the two plus four. So I guess that's four fat cores and then two, two skinny cores. So a total of six cores. That's not terrible.

Ken McDonald

How long before you can swap that intel chip out for an amd?

Jonathan

Well, so that's the thing with frameworks is they do that sort of thing where they'll make replacement motherboards for them. And I guess really the question is, is the framework 12 going to do well enough that they're going to take that line into the future or is it going to be a once and done? Right. And so if you, if you believe that it's going to do well enough that they're going to do it in the future, then yeah, there probably will be an AMD version of it at some point and you kind of hope that you'll be able to swap it in. But yeah.

Refresh Ad Voice

Are dry eye symptoms frequently interrupting your day? Keep dry eyes off your schedule with Refresh Relieva PF Extra Lubricant eye drops offering an advanced formula to soothe and hydrate your eyes with innovative hydrocell technology to lock in moisture and prevent further irritation. Refresh Relieva PF Extra gives you lasting relief. Equipped with a soft squeeze multi dose bottle featuring a double lockout system that keeps drops sterile so you can feel confident using it. Refresh has been delivering relief from dry eye symptoms for 35 years. It's a track record of success that has earned the trust of physicians and patients alike. You deserve relief from your dry eye symptoms and your eyes deserve extra. Fine. Refresh online or in the eye drop section at all major retailers. FSA and HSA eligible.

Albertsons Ad Voice

Hey, it's Ryan Seacrest for Albertsons and safeway. Now through June 24th. Score hot summer savings and earn four times the points. Look for in store tags on items like Kinder Bueno cheese crackers, Oscar Mayer lunchables and just Bear chicken bites. Then clip the offer in the app for automatic event long savings. Enjoy savings on top of savings when you shop in store or online for easy drive up and go Pickup or delivery subject to availability restrictions. Apply. Visit Albertsons or Safeway.com for more details.

Jonathan

Anyway, that is, that is our news. Let's get into some command line tips. And Rob, we, we sort of teased this one earlier, but what do you have to, to tip us off about?

Rob Campbell

Well, you were exactly right. I was talking about Microsoft Edit and we did talk about this on the show, I don't know, a few weeks ago how they were open sourcing or creating this new open source edit project, which is like a kind of a clone of their old edit. And you know, we speculated that, you know, how soon is somebody going to compile this for Linux? How soon it's going to work? Well, it's on Linux you can, today you can either just go there, run the, apparently run the binary. But I took the easier way on, on Ubuntu and I just did the snap. So I did Snap Install Edit or what. What did I do anyway? Oh yeah, Snap Install Ms. Edit. And there was. So here, right here on a version of Ubuntu server, I have Ms. Edit running. And that was very quick to install. So it's, it's a very basic and in some ways probably more of a modern command line editor tool. And, and why I say modern is because, you know, Nano's great. It has all your commands at the bottom. Vivem. You know, that's great too. Definitely a different paradigm. But for those who are used to working a graphical text editor at the top, you know, you're used to a file menu, an edit menu, a view menu and you get, you have that right here. So easily alt F and I got my file menu, new file, open file, save, save as close I can tab over to Edit or I could just alt E. You know, you got the define, replace, all that. You got the view. You could focus the status bar at the bottom which has some details, go to file, etc. Etc. There's a help turn on Word Wrap. So you know, it's, it's basic at this time, which is what some people love. Very simple to use. You know, has find, replace, Word Wrap, set tab space indentations, set change file encoding, line feeder, carriage return plus line feed, open multiple files. So really if it's, it's another text editor option that you don't need a GUI for at all. There's not even a GUI installed on this server that I am remoted into and I don't know, just a simple, very simple, very clean text editor, no frills.

Jonathan

Are you actually using it?

Rob Campbell

I Just installed it today.

Jonathan

Does it remind you of the old edit from years of Windows gone by Windows and DOS gone by?

Rob Campbell

It's reminiscent. I believe the old one had like blue on the top and I believe if you run this in a gui, that file edit view, that the. The menu bar up there is actually blue along with the the bar at the bottom according to the screenshots. But usually get more things when you run like in a terminal emulator right on your browser desktop. As in here I'm like I'm ssh in so I have those colors here. But yeah, it's very reminiscent of it.

Jonathan

Fun, fun, fun. All right, Ken, you've got more pipewire stuff?

Ken McDonald

Yes, I do.

Jonathan

What are we doing with pipewire this week?

Ken McDonald

Well, we're going to create links this week using the Create dash link or CL command. Now, I want to go ahead and give you a little bit of background first. You do need to know the node and the port IDs of the objects that you're wanting to link. Now, I personally found the easiest way for getting this information was borrowing back from episode 197 where I covered PW Dot. So you're going to see me demonstrating that again to create a graph with the details of my current pipewire session at. Do it mean current? Because this information may change as you open and close applications or even from one startup session to another. Now, I already have it set up with a link between my VLC media player going to my built in audio analog stereo. I am going to go ahead and destroy those. If y' all remember from last week or from a couple of weeks ago, I showed how we can destroy objects in using the pwcli destroy command. First thing I need to do is find those links. In this case, their IDs are 75 and 76. I'm going to go ahead and quickly destroy those by typing PWCLI destroy with O not just Y.

Jonathan

Destri is something else.

Ken McDonald

Yeah, do 75 first and I'm going to go ahead and destroy both of them at the same time. We're almost the same time. There's going to be a millisecond difference between one being destroyed in the next one. Type the command in to destroy object 75 and 76 hit enter. And for those of y' all listening, I've got QPW graph up and it shows that the link between my VLC media player and the built in audio analog stereo on my Tupleweed vm, it just disappeared. As I said, I prepped for this by going Ahead and looking up what the nodes and port IDs are, I'm going to first create the link for the front right. It doesn't.

Jonathan

Oh.

Ken McDonald

Because I didn't forgot to put the PwC.

Jonathan

That's important.

Ken McDonald

But it's also important that it stays active. Doing it from the command line, it creates it and then immediately goes away. So you never see it. We're going to go into interactive mode this time. That will work. For those of you all listening, I typed pwcli to go into the interactive mode. Then I typed the Create link with a node ID of 72, port ID of 74, node ID of 49 and a port ID of 54 that I had gotten using the PW dot commander earlier. Also, to keep everything the same, I've paused the display the VLC play in the and I'll show you in a minute why. But let's go ahead and get the front left connection.

Jonathan

You said that it would go away immediately.

Ken McDonald

In other words, you never see it even up here in the graph.

Jonathan

Right. So my question is now when you exit the bwcli, is it also going to go away?

Ken McDonald

Well, let's go ahead and do that.

Jonathan

It does. I thought it might.

Ken McDonald

Which is why I've got three terminals up. One for pw, top one for doing. Now you remember I went and did a link this time. It doesn't show anything. Let's go ahead and create those again.

Jonathan

Yeah. So create the front right and the front left links.

Ken McDonald

There's the front left. And now you'll notice that the ID for the link nodes has changed because before it was 75 and 76. Now it's 68 and 75.

Jonathan

Probably just grabbing the first available IDs.

Ken McDonald

Correct. In fact, let's go to VLC, started playing.

Jonathan

Open Sousa music video.

Rob Campbell

Of course.

Ken McDonald

What else would you play on? Tumbleweed.

Jonathan

Of course.

Ken McDonald

And it just wrapped around.

Rob Campbell

I hope it's open source, permissively licensed.

Ken McDonald

And now if you look, for those of you listening, pwdop is showing VLC link to my built in audio stereo output as well as QPW graph.

Jonathan

Yeah.

Ken McDonald

And look what the link IDs are.

Jonathan

68 and 73 different again. Yep. So how do you make it permanent? Is that part of the. Is that part of the tip?

Ken McDonald

How do I make it what?

Jonathan

Permanent. So that it doesn't go away when you close pwcli.

Ken McDonald

There. You have to. I'm going to go ahead and mute it so I can hear myself.

Jonathan

Yeah.

Ken McDonald

There we go. But you'd have to add it to A config file.

Jonathan

Makes sense.

Ken McDonald

You do your playing around using pwcli. Figure out what parameters you need or all. Or you could use PW link.

Jonathan

Makes sense. Makes sense.

Ken McDonald

Every time it loops around it's going to update again. Let's go ahead and drag it all the way to the end here. Bring that back down. Any guesses on what it's going to.

Jonathan

Be 73 and 74 this time?

Rob Campbell

5.

Jonathan

Very cool.

Ken McDonald

That's a way you can test out, see if you've got the nodes correct. As I said, I had grafted this is what it was before we started playing around with it. See, it was 70. The front right was coming out of the VLC node 72 port id 74 into the link id 76 out of the link id to the port id 54 for the node id 49 for my audio out.

Jonathan

Something to talk about in the future then is how do you refer to these things not using these ID numbers that are going to jump around. I know there are ways to do it. I've had to do it too. But that seems like that would be an interesting next step.

Ken McDonald

Think if you go back and watch where I was doing a link to a virtual device. I actually used PWLink in that one.

Jonathan

Okay.

Ken McDonald

And you saw me using the names.

Jonathan

There you go. Yeah, that's the way to do it. Use the names, not the numbers. If you want the command to always be the same. All right, well, I've got a command line tip and this one is we're actually going to do the screen share thing because you kind of have to see this one for it to make sense. And we've got here, it's OpenSSL is the beginning of it. And OpenSSL has the GenP key command. This is will generate private keys. You can give it different algorithms. I am actually using the X25519 algorithm which is an asymmetric elliptical cryptography approach. And let's see do I'm sure that there is a way to zoom in and I'm not sure exactly how to do it. See, is there a shortcut that will zoom? Control++ I thought I tried that. There we go. Now you can read it open SSL GenP key and then the algorithm. And if you run this, it's going to give you a private key inside what's called ASCII armor. And that's the begin private key, the end private key. And also a portion of the beginning of this is not part of the private key. It is again part of that Armor. And then this is in something called base 64 encoding. And so you might say to yourself, I want to get the actual key, not this open SSL armored version of it. Is there a way to do that? Well, sure there is. And so one of the things you can do, and this is still not exactly what you're looking for, but this will take away the ASCII armor itself. And instead of doing it giving it to you in base 64 form, it will give it to you in raw bytes. And that is the outform dash outform der. Now, if we run this a few times, you will see that all of these start with, well, I've goobered my terminal. That that is one of the downsides of doing this. You can, you can really goober up your terminal by writing those random bytes to it. But when you do this, you see that you always get this 0.0 plus E in quotation mark, blah blah, blah. And that is not part of the bytes. We don't want that. That's not actually part of the key. Again, that's part of the der specifications. Well, is there a way to get rid of that? Well, sure there is. And with this you actually run, you pipe it into a different command, you pipe it into tail and you say, I only want the last 32 characters because x25519 gives you a 32 byte key. So you pipe this into tail and say, give me the last 32 characters and it will then give you exactly 32 characters. Again, you're writing bytes to the terminal. It will not be happy about that because not all of those bytes are printable ASCII characters. In fact, most of them are not. And so then you say, well, how can I do something with that? I can't even copy and paste from that. I guess I could write it into a file, but that's not very useful either. Okay, so you can then pipe that command into base64 and then you get an x25519 key in base64 format. And if you run this multiple times, it'll be different each time. One of the nice things here is that OpenSSL uses the kernel's random pool, which I think it uses the blocking random, the dev random. But even if it's U random on modern kernels, that is an extremely good source of entropy as well. This key then is a well generated high entropy key. And so if you are running something like say meshtastic that uses these particular keys, you might want to generate it on your Linux machine. To make sure that you have a high entropy key. Because some devices, particularly embedded devices, may not have an easy way to generate a bunch of entropy. And so this is how you would do that. And it's also a really neat example of how to chain commands in one to another, how to pipe things. I thought it was a really cool, really cool example of the Linux way, the UNIX way of piping one thing into another to get something done.

Rob Campbell

So if you ran that on a machine without much entropy, it would frequently be the same.

Jonathan

If you ran it on a machine without any entropy, then you could feasibly get into the situation where you would get the same key multiple times. Yes.

Rob Campbell

Have you seen that?

Jonathan

Not on a Linux machine. That was a concern. Like on the open WRT routers, those embedded routers, some of those didn't have any sources of entropy other than like the system clock. And so if you were generating a key on boot, there was the possibility that it would generate the same thing or really. So really what the concern was is, you know, that's a 32 byte key, so you're talking about 32 times 8. The key space then was like 256 bits of key space. So that's, you know, 2 to the 256 different possible keys. But if you're in one of these reduced entropy scenarios where you don't have any hardware entropy sources and you're just relying on the system clock, well, rather than two to the 256 possible keys, which is a huge number by the way. It's a really big number. You might have 1,000 possible keys, you might have 2,000 possible keys. Well, the problem when you get in that scenario is that's a small enough number of keys that you can brute force. If you can figure out what the range is, you can then just brute force those keys and figure out which one is in play. Why you want that entropy so that it is not predictable.

Ken McDonald

Or if you've got an embedded system that when it boots up calculates it so many seconds after using that.

Jonathan

Yes, exactly. If you don't have any other sources of entropy other than just the time, which that was something that we were seeing on a few meshtastic devices. That was part of the problem is that you may be in that scenario where the only source of entropy was the system's micros clock. So that was basically the number of microseconds since boot. Well, there's going to be a little bit of jitter in that, but not nearly enough to be, to be Cryptographically safe.

Rob Campbell

You wouldn't know that from running that command over and over unless you ran it within a microsecond of each other, though.

Jonathan

So what you would have to do. And so this is, this is what I never got around to doing this, but, like, if somebody ever paid me to do it, this is what I was going to do for Open WRT is just hook it up to a harness, basically like an external control, where you could reboot it, make it generate a key, pull the key off, save it to a file, reset it to where next time it rebooted, it would generate the key again and then reboot it and then just start that as fast as it could do it. Start that process, let it run for a few days.

Rob Campbell

So if it's time sense boot, that's what that was, you said. Yeah. Okay.

Ken McDonald

Make clones of it, the device, and you have five different devices booting up and they all give you the same key. That kind of tells you there's a problem.

Jonathan

Right, right. And I don't think with OpenWRT it wasn't that bad. And with Meshtastic it wasn't that bad either. It wasn't immediately obvious. But when you start talking about you have thousands of devices and then you start looking at the keys that they generate, then you might start seeing some collisions.

Ken McDonald

Didn't meshtashik find that they had that problem early on when they had expanded it for quite a few devices, like maybe a couple of hundred or a thousand?

Jonathan

What we discovered actually within the last week, somebody bought two devices and put them both on their desk and started setting them up and realized that both devices had the same key. In that case, it was actually because the manufacturer flashed meshtastic to one device and then just used like a JTAG debugger to copy it off. And then that was their golden image. And they just put that on all of the devices and turns out the key was part of that. So that was one half of it. But then in the process of triaging, we also discovered that, oh, on some of these devices, we do not have a good source of randomness at boot. And so above and beyond what the vendor did to it, multiple vendors, actually what the vendors were doing to us, we also could have this problem with entropy. And so we got that fixed too.

Ken McDonald

By moving it into the later in the boot cycle where you've had a chance to actually generate a random.

Jonathan

Half of the solution was to add it later into the boot cycle. The other half was to go in and manually say, all right, on this device, we know we have this piece of hardware entropy and we also know we have this unique identifier that's burned into these particular devices. So we're going to seed our entropy pool with both that unique identifier that nobody knows. Like it's kind of. It's sort of a pseudo secret in and of itself. It doesn't get transmitted over the network anywhere. And then we're also going to seed with this other piece of hardware entropy that we know about. And so we fixed that problem up pretty well too. So anyway, that's what that is.

Ken McDonald

All that to explain this command.

Jonathan

Indeed, indeed. I will still say that if you're on any system, this is not a problem limited in meshtastic. If you're on any system that has a key like this built into it, if it has the key when it comes from the manufacturer, if you really care about your security, you need to generate your own key. And because there is absolutely the possibility, you know, I'm not throwing shade on any manufacturer, but in that particular case there's absolutely the possibility that the manufacturer has a table of all of the keys of all the devices. Right. Or depending upon your threat model, maybe the NSA intercepted that package and pulled your key off. Or there's multiple ways. So generate your own key.

Ken McDonald

NSA just has a table of all the keys for all the devices out there.

Jonathan

Sure. And then if it's an embedded device, it's worth thinking about generating the key on something with really good entropy. Like a full blown Linux desktop that's on the Internet.

Ken McDonald

It's been up for days.

Jonathan

Uptime is good. Uptime helps with entropy. On modern devices though, they've got multiple entropy sources that are able to see that really well pretty quickly on modern desktops, particularly if you've got WI fi. Right. Like having WI Fi and Bluetooth are really good sources of entropy because they turn those things. It's not quite SDR mode, but it's something similar to that. Like they'll turn them on into promiscuous mode is what they call it, and they'll just sit there and collect all the data they can about everything that's going by on the network and every Bluetooth thing that they can find and all of that feeds that entropy pool and it, you know, it gets pretty chaotic pretty quick. So anyway, that's all of that it could be. So let's, let's dive into our ending show. I know Ken at least has some ending notes here, but we're going to let Rob go first because he is the one on the left, that's right to left across your radio dial. So it's an old joke, man. Never mind. Rob, any closing thoughts for us?

Rob Campbell

Just the usual. If you want more of me, come, come connect. You can find me@robertp Campbell.com and on that site you can find links to my LinkedIn, my Twitter, my Blue sky mastodon, and a spot to donate me coffee in five dollar increments.

Jonathan

Yeah, very cool. All right.

Ken McDonald

And Ken, well, let me unmute myself first.

Jonathan

You did, but.

Ken McDonald

Got a link in the show notes that I thought might be interesting. It's a article by Joe Brock Meyer about a emacs like web browser called Nix.

Jonathan

Cool.

Ken McDonald

What if Emix was a good web browser, huh?

Jonathan

That's great. And to explain my joke, there was a US sports commentator way back in the day, Kwood Ledford. And one of the things that he would say at the beginning of games, like a football game is he would talk about, you know, the, the they're moving from left to right. That's right to left on your radio dial. That was just one of his, you know, one of his jokes that he would tell in, in introducing in the sport. I'm kind of surprised that Rob's not familiar with this. It's a piece of Americana, man. Oh, well, I live pretty close to.

Rob Campbell

Canada, so I don't know, explain.

Jonathan

That explains a lot actually, Rob. All right, it has been fun. Thank you guys, we appreciate it. I will quickly plug Hackaday. If you want to follow what's up with Security and you want to read about it, that is you can come check out the security blog over there. Friday mornings is when that goes live. We've also got Floss Weekly now at Hackaday and that goes live on Wednesdays and we have a lot of fun with that as well. Occasionally get some of the guys from here over there and we, we sure enjoy it. Hope you appreciate, check it out. Appreciate everybody being here for Twit. And if you're not part of Club Twit, you should really think about it. It's the price of one or two coffees depends upon where you live per month and definitely worth it. Worth looking at. If you're not part of Club Twit, you should take a look. We appreciate it. Thank you everyone that gets us both live and on the download. And we will see you next week on the Untitled Linux Show.

H

Hey Bob, are you a geek? Are you a tech enthusiast? Then I would love to invite you to join a tech community like no other. You can gain exclusive access to our incomparable quality tech content with Club Twit as a member, you'll Enjoy all twit TV shows ad free plus access private video feeds for insider shows like iOS today, home theater Geeks and so much more. Dive into into the members only Twit plus bonus feed for behind the scenes content club discussions and special events. But here's the best Join our incredible Discord community to watch live show productions, chat with hosts and participate in exclusive members only activities. It's your backstage pass to the world of twit. Whether you're a tech enthusiast or a lifelong learner, Club Twit elevates your knowledge while entertaining. Get two weeks free when you sign up now and unlock unparalleled access at Twit TV Club Twit. That's Twit TV Club Twit and from the bottom of my heart, thank you and welcome to the.

I

Hi, I'm Chris Gethard and I'm very excited to tell you about Beautiful Anonymous, a podcast where I talk to random people on the phone. I tweet out a phone number. Thousands of people try to call. Talk to one of them. They stay anonymous. I can't hang up. That's all the rules. I never know what's gonna happen. We get serious ones. I've talked with meth dealers on their way to prison. I've talked to people who survived mass shootings, Crazy funny ones. I talked to a guy with a goose laugh, somebody who dresses up as a pirate on the weekends. I never know what's gonna happen. It's a great show. Subscribe today. Beautiful Anonymous.