Security Nightmare, Performance win, & Public Beta
A
This week we're talking about GCC 16 and the surprising advantages it brings. Photo Flare has an out of nowhere update. Linux has something of a security problem, but Windows has a security nightmare on its hands and Debian is insisting on reproducible builds. All that and more. You don't want to miss it, so stay tuned. Podcasts you love from people you trust. This is TWiT. This is the Untitled Linux Show, episode 255, recorded Saturday, May 16th. End of the eight bit era. Hey folks, it is Saturday and you know that means it's time to get geeky about Linux. We're back. I'm back. I missed the week last week because I was kneeling before the porcelain throne with the rest of my family for the. For the weekend. But we're thankfully over that and I am back, feeling pretty good. And we're going to talk about Linux and I've got a couple of guys here to do it with me. I got Ken, I got Jeff. Welcome to the show, each of you.
C
Glad to see you back, Jonathan.
A
Oh, it's good to be back and
C
I hope everybody's over whatever was passing through.
A
The kids are almost over it. It was, it's, it's been a week
B
but we're here and I'll say it's good for me to be back too. I missed, missed the show, but I was on, on some helping a relative
A
who's off on family duty for a couple of weeks. Yes, yeah, yep, absolutely.
B
Oh, and just so everybody knows, if I sound a little stuffy or anything, I don't have an illness. It's. Our pollen count is like 389 or something like that. It's just ridiculous.
C
So in other words, it's seasonal.
A
If you could, if you could just bump those numbers up a little bit, you could do the meme that It's. It's over 9,000 rookie numbers.
B
Yeah, well, outside everything's like in. Covered in yellow from the pollen. So it's like I couldn't imagine, you know, I guess, I guess if it over 9,000, I'd just be wading through it. It'd be like snow, you know, pollen everywhere.
C
Probably have cottonwood trees letting go of their.
A
Thankfully those have all been cut out of my neighborhood. When we first moved here, there were some of those. It was real bad for those that are not in this part of the country. Cottonwood. It actually there's a male and a female cottonwood tree. I think it's the male that has the. It puts off like little bits of fluff and it's essentially it's pollen. But yeah, it looks like cotton floating through the air and it gets stuck in the air conditioners and oh, it's such a mess.
B
It can look like a blizzard in June.
A
Indeed.
B
From all the cotton.
A
Yeah. Now finally, the last guy that had one in the neighborhood cut his down a couple of years ago and we were all thankful.
B
And a lot of cities won't even let you plant cottonwood or if. Unless it's the one that doesn't produce the cotton.
C
The female. Yeah.
A
All right, well, something else that we are all thankful for is that GCC 16 is about here. And Jeff has the story. What is new? What are we thankful for with GCC 16?
B
Well, GCC 16.1 arrived at the end of April as the newest major release of the GNU Compiler Collection. And early testing showed it delivered faster performance than GCC 15. Now, continued benchmarks confirm that GCC 16 consistently produces quicker binaries when using the same hardware and the same optimization flags. Now, to see how it compares more broadly, Michael Larabel over at Phoronix evaluated GCC 16 against both GCC 15 and the current LLVM Clang 22 compiler. Now, all tests were run on a powerful System76 Thelio Major workstation, so equipped with an AMD 64-core Ryzen Threadripper 9980X processor and 128 gigabytes of RAM. So not your normal gaming machine. Now Fedora Workstation 44 was used for the testing, which is... now that's different, because usually Michael's putting on Ubuntu, but he used Fedora this time because it was the first major Linux distribution to ship with GCC 16 as its default compiler. GCC 15 and Clang 22 were also installed from the Fedora repositories, so just to produce a fair and reproducible comparison. So it's just basically out of the box how it's handed out in Fedora now. And every compiler was tested with the same optimization settings. They used -O3 and -march=native, so it's otherwise bone stock. Now, looking at the benchmark results, it's rather interesting to me how GCC stomps all over Clang on some tests and then in others Clang leaves GCC in the dust. Now, a lot are fairly close, but there are some definitely, you know, there's some outliers. Now looking at the geometric mean, which removes some of the effect of the fliers on the data, overall GCC 16 came out on top, with a close second place finish with Clang 22. Not terribly far behind was GCC 15. So while it didn't do terrible, you know, it was behind, the slowest out of the three, not catastrophically so, or anything like that. It was, you know, maybe five to slower roughly.
Now I do want to mention that these benchmarks were geared to the Threadripper, meaning they were heavy into encoding, decoding, ray tracing, you know, and other numerically intensive tests. No games or other desktop software like office workloads were tested. You know, I guess unless you're really into signal analysis and data mining, you know. So when these say these are faster, keep in mind that these are the heavy duty workloads. You know, for your browser and things like that, you're probably not really going to see a difference. Now I say GCC 16.1 because GCC 16.1 arrived as the first stable release of this year's major update to the GNU Compiler Collection. Now it brought a wide range of improvements and new capabilities. You know, it has better error messages, including experimental HTML-based output. It adds a brand new front end for the Algol 68 programming language. GCC 16.1 also expands its platform support with picolibc integration, ARM AGI CPU targeting, early support for AMD's Instinct MI300 accelerators, and there's even initial support for the upcoming AMD Zen 6 processors. Now on the language side, GCC now uses the C++20 standard as its default, and it includes many enhancements for both C and C++. Take a look at the article linked in the show notes for more details on the benchmarks and see if a new compiler is in your future.
A
Yeah, I think most of us will just sort of get it by default by upgrading to Fedora 44 with the Ubuntu version that comes with it. Whether that's. I don't know. What will that be? 26.10, maybe someone that'll ship with it?
B
Yeah, probably. 26.04 is an LTS, so they're a little conservative, at least with a lot of software. The kernels, they've been becoming more aggressive, but compilers a lot of time will be an optional upgrade later if you really want it, but usually it. They're a little slower.
A
Yeah, yeah, Interesting. All right, cool to cover. Looking forward to. You know, I.
C
The.
A
The laptop here I do the show on. It's a Framework, the Framework 16, and I was about to do the upgrade to Fedora 44 and then a buddy of mine is like, hey, are you running 44 yet? None of my USB ports work on my Framework after I did the upgrade. Maybe I better wait. So I'm holding off a little bit
B
longer, or at least after Saturday.
A
Well, for me it's after I get back from this upcoming trip. So I'm doing the Abanti Summit. This laptop I'm bringing. I'm going to try to, you know, do my slides from and I'm going to try to do a live demo. And so, you know, I'm. I'm praying and sacrificing things to the demo gods to try to make.
C
So maybe put it off till June.
A
Yeah, put it off until June. That's about. That's about the way that it's going to go.
C
Maybe there'll be opportunities to get some updates that may correct that issue.
A
I would hope.
C
I would hope and I may be covering one way to do that later in the show.
A
Interesting. Well, there's an update that you are ready to cover and that is Photo Flare. And I've got to admit, I don't know what Photo Flare is. I've. I'm assuming it has something to do with photography, but other than that I'm not familiar with it. So. Ken, take it away.
C
Okay. And by taking it away, I'm going to go ahead and refer to Bobby Borisov's article, since he's the one that wrote about the first release in years. I repeat, years, multiple, for the lightweight image editor for quick photo edits, simple graphics work and basic image adjustments. What am I talking about? Photo Flare, and in this case it's version 1.7. Now it's arriving more than six years after Photo Flare 1.6, which was released back in September of 2019. Now I did a little digging and according to the project's blog, development slowed due to real life commitments, but the app has returned with a much larger update than a routine maintenance release. Also, according to the Photo Flare roadmap, this project was born as version 0.3 and with the name Big Birth back on March 30, 2015.
A
Oh my goodness.
C
11 years ago. Over a decade now. It was inspired by the image editor PhotoFiltre that somebody had come out with for Microsoft Windows. Excuse me. According to Bobby, the headline change is the move from Qt 5 to Qt 6. The migration removes deprecated APIs, updates the build system and refreshes Linux, Snap and Flatpak dependencies. It also improves high DPI scaling with additional work on scaling policy, tool cursors and canvas selection behavior on high density displays. Photo Flare 1.7 also introduces a rewritten canvas rendering pipeline based on a dirty zone editing model, which significantly improves painting and filter performance, especially on larger images where the previous canvas could become sluggish or memory heavy. Another major addition is G'MIC integration. Now actually the correct name for the open source image processing framework this refers to, that was developed by researchers at the GREYC CNRS in France, is GREYC's Magic for Image Computing. It's just the initials from all that.
A
It's easier to type out GMIC now.
C
Photo Flare ships with a custom build of its Qt interface, so the whole thing works without any extra downloads or setup, and provides a searchable library of over 500 filters, categorized, previewed in real time and completely free. Since I don't want to spend the next 10 minutes going over every detail in Bobby's article, I do recommend reading it at your leisure.
A
Yeah, very cool. I'm not familiar with this particular tool, but a you know, a quick and lightweight photo editor with a bunch of different filters. It sounds pretty interesting. Yes, I meant to go grab it and add it to my toolkit and
C
when I finish setting up so I can easily dual boot between Ubuntu 25.10 that I currently own and Ubuntu 26.04 that I've got on the other partition. I may play with it as well.
A
Yeah, yeah, very cool. Sounds great.
B
I hope they stick with it after such a big break in there and it's not an update and then another several years.
C
Well, for those who are looking for a commercial option, he's also got a Photo Flare Studio that he's working on that you can purchase.
A
Yeah, that's interesting. I wonder if they're sharing source between the two. And so it's a little bit of a freemium open core model. I mean not that that's a terrible bad thing. I've seen companies do that well and I've seen companies do it very poorly.
C
I think what he's got with that is some features that's not in the free Photo Flare itself.
A
Yep, yeah, exactly. That's almost word for word the definition of open core. But that's all right. All right, so we've got some security stuff to cover. The security parade never ends around here and we're going to get into that. Several things to talk about there, but we're going to do a quick break first and be right back.
C
Good. I need to get something to popcorn to eat.
A
There are interesting things afoot in the world of Linux security and security in general. Over in Linux land we've got, well, it's being called the SSH key sign pwn, which is. Is not very accurate of a name because it doesn't have anything to do with SSH at all. It is in fact another sort of follow-on to the Copy Fail and Dirty Frag and Fragnesia. I think we've talked specifically about the first two of those. Fragnesia is just another one that does something similar. This one is a little bit different because it uses a different mechanism to leak information. This is actually a race condition. What's happening is when, first off we have to talk about suid binaries. We've discussed this before, but essentially an suid or setuid binary, that's something like ping, is one of the super simple examples. For ping to work it has to get a raw socket to be able to send this custom, you know, bit of code out the. Out the network port. You can't do that as a regular user, but people want to be able to send pings. And so when you run the ping command, what technically, now with ping in particular, it doesn't use suid anymore. It uses capabilities I think, but we're going to ignore that little detail. So when you run ping, the ping binary basically becomes root for a moment and it does the thing that it's supposed to do and then it closes. And that, that, that's the way that you get to send this, you know, this, this raw socket data out your network pipe. Sudo, for example, does the exact same thing. When you run sudo, sudo itself, it starts running, it becomes root and then it checks to make sure that you, the user, are allowed to do the thing that you've told it to do. And so there are a bunch of applications under Linux that work this way. They're the suid applications. What was discovered is that when an suid application like this opens a file, sometimes the order in which it closes the file is not ideal. And this happens in the kernel.
And so it, it's, it's the memory descriptor being detached versus the file descriptor table closing. So those are two different things that happen in the kernel when the, when basically when the program is done running and starts shutting down. And so there are these things that, you know, they happen in order. Well, it turns out there's a little tiny gap of time in between those two things happening. Your memory descriptor detaching and the file descriptor table closing, and during that gap of time, what can happen is another program can come along and open its own file. Sort of. It's like it fakes a file opening and then there's the possibility that it will get the same file descriptor. Basically it's cloning that same file descriptor and because that's not been closed out of the table, it can then say, hey, I'm an suid binary, let me do the thing. And the kernel goes, oh yeah, we check this out, it's fine, do the thing. And so essentially what it allows is a low privilege user can read any file as root on the file system. Essentially what it allows you to do does not write, but you can read, which is enough to really cause problems. Pretty, pretty bad vulnerability. The real bad thing about this one is that I don't think this one is fixed yet. There is a public proof of concept. There is a CVE for it. I don't know, I don't know that there's actually a patch available for it yet. And so there were maybe in some cases there are upstream fix. Let me look here. We do indeed have an upstream fix. It landed on the 14th, so a couple of days ago, decent chance it's not in your kernel yet. So watch for that to come out. So that's in Linux land. That is the, that is the latest problem. The latest escalation of privilege problem that has been found, reported, working on getting fixed. Now I know there's been several of these in Linux recently. So much so that like Ars Technica ran an article basically saying what in the world's going on in Linux?
And I think we could talk about what it is and the fact that, you know, AI security research has a lot to do with these. But that other operating system that we don't talk about very much, it has a catastrophic failure in security that is just. It's catastrophic. I don't know if I can, I don't know if I can overstate how bad this is. And that is that Windows 11 BitLocker can be completely bypassed simply by plugging in a USB key from a stone cold turned off machine. All right, and so the exploit is named yellow key. It was published by a researcher known as Nightmare Eclipse. Yes, hackers and computer people, we sometimes go by weird names. Apparently Microsoft ticked this guy off by considering. I don't know the full story. I don't think the full story has been published yet. But it's something like he found a security vulnerability and Microsoft like no, no, no, no, this is just a regular bug and they like stealth patched it and wouldn't give him any credit for it. And so he got really ticked. And so I don't know how long he's been doing this, but he's sort of made it his life's work to make Microsoft look bad in the security department. It's kind of hilarious, but. So Windows 11 BitLocker. Let's talk about this briefly. On Windows, the way BitLocker tends to work. So on the Linux side, like LKMS, the. The. Is that the right acronym? LKMS, that may not be the right acronym anyway, the Linux equivalent where you do full disk encryption, it asks for basically an encryption password. And you have to type that in at first boot. My laptop's set up that way, you know, you turn it on and the very first thing it does, it asks you for a password to be able to decrypt the hard drive. On Windows they don't want... LUKS. Yes, thank you. So on Windows they don't want to do that. They use the TPM, the Trusted Platform Module. And so you set up BitLocker, it talks to the TPM and the TPM actually keeps a hold of that BitLocker key for you.
And so you turn the computer on, the TPM gives to the operating system the decryption key and it unlocks the drive and then it allows you to boot up. And it is intended such that, this is part of why Secure Boot exists, is that only the real OS is the one that gets the key to be able to do the unlock. And so you have to know your username and password to log in to actually be able to get to those files. So that's how BitLocker works over on Windows. Well, this attack is. It is essentially a folder inside of an NTFS formatted drive that has some transactional NTFS operations. And this is something that's not very well documented inside of Windows. So, like, people are still actively trying to figure out how exactly this works and what all it's doing. But the basics is you copy this folder onto an NTFS or a FAT format USB drive, you plug it in, you boot it up, and then you tell Windows, I need to go into recovery mode. And so one of the ways that you can do that is by just yanking the power partway through a boot and the next time you plug it in, the computer's going to go, Windows didn't successfully boot last time. Do you want to go into recovery mode? You say, yes. Well, once it goes into recovery mode, it sees this folder with this weird name, tries to do whatever's in it, and the next thing you know, you're at a command line prompt with BitLocker unlocked and you can get into all of those encrypted files. Now, they're actually encrypted, but what's happening is, you know, your TPM has given you the password and you've just, you've completely broken the stuff that's supposed to not allow you to do this. Now, a couple of things about this. One, people are saying, well, you should really use your TPM plus PIN, right? And so that's, that's one of the ways that you could harden your system against this, is like having a BIOS PIN, so that when you, when you boot it up, it's going to talk to your BIOS and it's also going to request a PIN.
The guy that discovered this has stated on his blog that, no, no, there is a workaround. We can defeat the PIN. I don't know exactly how that works, but apparently that too is bypassable. So there's that. And then the other thing is people have looked at this and one of the weird things about this particular attack is when you plug the drive in and you pull off this attack, part of the process is it deletes the folder, it wipes the drive, and people are looking at and going, boy, this is getting into the territory where it sounds like an intentional backdoor more than anything else. I'm not going to go that far. I think it's probably not on purpose, but there are researchers that are looking at this and sort of coming to that conclusion that, well, if Microsoft were to have. And boy, this is a big thing to say. If Microsoft were to have a BitLocker backdoor, this is how it would work. So Linux right now, we are having our security moment, but Windows 11 BitLocker catastrophically broken. That's what's going on in the world of security this week. It's been fun.
B
And I believe the Linux issue was patched in. I think kernel 7.0.8.
A
Okay.
B
It came out
C
and I think
B
said that the update is there in the kernel and. But he said that the kernel's been updating almost daily lately.
A
Yeah. Yes, 7.0.8 appears to be correct.
C
But I think some people were saying this is a sure sign that we've gotten to the year of the Linux desktop. Well, they've moved away from Windows to concentrating on Linux now.
A
No, I think it's actually a sign that AI security research is coming into its own. It's. It's the, it's the year of AI security research more than anything else.
C
Yeah.
A
Because, I mean, these flaws aren't necessarily related to Linux on the desktop. They're. They're more like just Linux on, on machines, Linux on servers. And we've had that for, you know, it's been the year of the Linux server for like two decades now.
B
So, yeah, Linux has basically won everywhere except the desktop.
A
Yeah, it's true. It is true.
B
Well, and a lot of this, you know, is if people had the ability to hold all that code in their head, they could figure this out as well. It's just that with AI, it can hold it all in their head. I mean, that's really kind of what it comes down to when you're, when you're thinking about it. We just lack the 99.999% of people can't hold a, you know, bajillion lines of code in their head and go, oh, you know, I could.
A
Yeah.
C
And I'm thankful I can't hold more than a half a book in my head because otherwise it wouldn't be any fun going back to reread it.
A
You got to forget part of it to be able to go back and enjoy it like you did the first time. That's hilarious.
B
Everything's new again.
A
All right, Jeff, let's talk about Debian. Debian has some security updates too. There's some interesting stuff going on there. This was sort of a surprise too, because it's come like halfway through the release cycle.
C
Yeah.
B
And it ties in both with the compiler story I just did and Jonathan's security story. To give you more detail, Debian is making a major change to how software in its Linux distribution is built and verified. The goal is simple but powerful. When you download software, you should be able to prove that nobody tampered with it. This is what reproducible builds are all about. A reproducible build means that anyone, anywhere can take the same source code and produce a bit for bit identical binary. Now, if two builds match exactly, their cryptographic hashes match too, so you know the software is genuine. Now this matters because it protects the software supply chain. Normally, users trust that Debian's build servers compiled the code honestly. But if a server were hacked, an attacker could slip in a backdoor without changing the visible source code. With reproducible builds, that trick becomes impossible. A tampered binary would fail to match an independently rebuilt version. Now, achieving this isn't easy. Now you might think, oh well, source code always builds to the same binary. Well, many build systems accidentally introduce randomness into the process, like timestamps, file ordering, local file paths, or even the number of CPU cores can change the final output. Debian developers have spent years eliminating these sources of variation using tools like SOURCE_DATE_EPOCH and disorderfs. So that disorderfs, that forces a sorted, predictable file order during the build, and compiler flags that strip machine specific paths are included. Now Debian's making reproducibility a requirement. Starting with Debian 14 Forky, expected in 2027, a package must be reproducible before it can enter the testing or stable repositories. If it isn't reproducible, it won't ship. To enforce this, Debian continuously rebuilds every package using tools like rebuilderd. It's like Rebuild-ER-D. Now that manages the packages to be tested.
It kind of keeps track of the queue. debrebuild, so it looks at file versions of the dependencies which were used to build the original package. And sbuild, that's the tool that recreates the environment and builds the code to see if the hash matches the original. Today, Debian already achieves over 97% reproducibility on major architectures like AMD64 and ARM64. One of the articles has an image that shows across all the architectures that they've got 23,729 packages which are reproducible and 411 that didn't match exactly, with zero failure to builds. Now, reproducibility ensures a binary matches the source. But Debian also tests whether the software works using autopkgtest, which runs full integration tests in isolated environments. Now, Debian isn't alone. Projects like F-Droid are also adopting reproducible builds. But Debian's new mandate sets one of the strongest standards in the open source world. It's a major step towards transparency, accountability and stronger security for everyone who relies on open source software. Take a look at the two articles linked in the show notes for more details. And it'll be interesting to see how many other distributions make this a hard requirement in the future. If nothing else, I could see the Ubuntus and other distributions which are based off Debian following this same path.
A
Yeah, it's a surprising challenge to get reproducible builds and they're at 97%. So you think about that. That means 3% of the system right now does not hit it because those packages have some little bit of weirdness in them that makes it hard to get bit reproducible builds. Really interesting stuff.
B
Yeah, and it could be just as simple as there's config files to list the libraries and things like that that maybe they're not quite set up quite right. So it says, oh, I use in version 2 of this library, but actually you compiled it with version 2.1. Well, they're all right now. It doesn't match and it can be some little things like that that just throw differences in code that normal person
C
doesn't think about, or an accidental update of a text file or man page that you don't even think about.
A
Yeah, I mean it shouldn't be that. It would not entirely surprise me though if there are some packages out there that include, you know, bit of randomness on purpose, like a unique ID that they want to build in every time it gets built. So, you know, just all kinds of stuff that you don't normally think about could cause these sorts of deals.
B
But I'm impressed that you know, they're going to release in 27 and they only have to clean up 3%.
C
That 3% is probably going to be the hardest.
A
Yeah, no, I'm sure it will. You kind of got the 80/20 rule going on there. Um, so a quick comment says reproducible builds are extremely difficult because it could be as hard as a bad CPU or physical RAM, making matching builds almost impossible. I would actually say if you've got. If your builds are different because of a CPU problem or a RAM problem, that's a much bigger problem than just not having reproducible builds, like phantom bit flips. That's a. Take that piece of hardware offline and put something else in there because those are going to. Those are going to cause you actual runtime problems anyway.
B
Yes, the file build order and other things, that's what they're doing by having those lists to make sure it builds in the exact same order with the exact same libraries using epoch time. So time zones don't come into it. A bunch of things like that just to eliminate that variability that you'll never see in the finished product. Because if mine is built at a different time zone than say, Jonathan's, it's still going to run the same. It. It's not going to break anything. But you can't prove that nobody messed with it.
A
Yeah, yeah, absolutely. All right, let's talk PipeWire. Ken, it looks like we got a 1.6.5 is out the gate.
C
Yes, it is. In fact, we can thank both Bobby Borisov and Marius Nestor. They also wrote about the fifth maintenance update in the latest PipeWire 1.6 series. Now the PipeWire 1.6.5 release adds a whole bunch of extra security checks and hardening fixes to the pipewire-pulse server, improves renegotiation in audioconvert when the graph rate changes and the resampler is disabled, and fixes a crash in ALSA when logging. It also improves the ROC receiver start and stop behavior, fixes memory leaks, and the JACK tunnel module now uses the correct MIDI buffer size. The PipeWire 1.6.5 release notes say the pipe filter from the filter graph was broken by design and was a security problem, so it has been dropped. Now I'm going to recommend reading Bobby and Marius's articles, especially if you want to find out about the Simple Plugin API updates.
A
Interesting stuff again.
C
Here we are seeing some stuff that's security related.
A
Yes. Boy, the thing that really interests me thinking about it that's really fascinating is pipewire. Pipewire just works these days. I haven't thought about pipewire much recently because it does almost everything I need it to do.
C
Almost.
A
Yes. I want PipeWire to be able to give me video input and output from OBS. And that's more of an OBS problem than a PipeWire problem. That's the OBS people bike shedding over something that they really should just stop and pull the patch anyway.
C
They remind Me, that's another article.
A
Yeah, they remind me a lot of Wayland in this particular case. And it's like I just want to reach through the screen and slap somebody around. Like a. Just pull the dang pull request. It works. It works for 95% of us anyway. Well, I broke it irritated just yesterday.
C
And the guy that pulls it's the part of the 5% that it doesn't work for, I guess.
A
I don't know.
B
Yeah, like me, I get in there and play with stuff and I break it. I couldn't get pipewire to run. I was trying to set up different sampling rates and wasn't going so well, which was weird. I think
C
as long as you've got a backup that you can go back to, it's fun playing with that.
B
Well, the problem was I actually put everything back to original and it still didn't work.
A
It's a quantum. Quantum variation. Much be. Must be.
C
Yeah, but I got a simple command. In fact, I think I've shown it in the past that would help with that. It's.
A
What's that?
C
It's the systemctl restart wireplumber or pipewire.
B
I was restarting pipewire. It wasn't working. I just reinstalled. I was kind of like, the hell with it, because I just had reinstalled because I played with the root partition and resized and moved it. And I'm like, yeah, I'm just gonna.
A
It.
B
It's faster than going through. And I was kind of in the. Kind of in a hurry anyway, so. But I did figure out I put my config file in the local directory and that made it work. They said you could put it in the /etc/pipewire. And for the global config, they said don't mess with the one in the /usr/share because they said any updates could stomp on that config file. But I put it into local. For me, it was just being able to output the proper frequencies. So I. I'm kind of an audio nerd. So I wanted to make sure my 44.1 played at 44.1 and the 48s and the 96 played at 96 kilohertz and so on. And I know people say, well, you can't hear the difference, but I, I worry about sampling mismatch when you don't have, you know, you, you got it. You got a 96 kilohertz source and maybe 48. Well, that's probably a bad example. But like, you had 44.1 with 48. You know, you can maybe get some variation. I just like it to be equal.
C
I think I put mine in the. My. In my home .config/pipewire.
B
That's where I put mine. And then it, then it worked. It's just one line. You don't need the whole config file. It's just a, a single line of, you know, basically say, here, here's your sample rates and you just list them. And I've got a list about four or five in there. And it's like, oh, and I could, I could use that pw-top, which we've talked about before. So I could play audio at different frequencies and I could see it switching. So it was handling it perfectly. And a side note, people that say that they can hear like, say, 96 kilohertz difference, they probably can not because the frequency is better, but because when they actually have audio produced at that, they master it differently. They say, oh, somebody's really caring about audio quality. So they're much more carefully mastering that track than they are just the regular sampling rate. So it's not that the frequency is needed, it's a flag for audiophiles. Somebody's going to care about the sound quality.
A
There you go. All right, we are going to take a quick break and then we're going to talk about AI and bugs in the kernel, continuing on that theme. But some interesting stuff here will be Freidak. As I'm sure you've seen, there's been a lot of security changes around the kernel and they have begun embracing AI code research. And this is really just something that's becoming more and more widespread across the coding world. And so there is a merge that landed this week that adds documentation for two things about this sort of security research and AI research. And it's two separate items. And one is what is considered a security bug and what is considered just a regular bug and how those two things should be recorded differently. Then the second thing is the responsible use of AI for finding kernel bugs. There's some interesting things in here, a little bit at odds with the kernel's own CVE request policy, which was interesting to me. So they make the statement here that it's important that most bugs are handled publicly to involve the widest possible audience, find the best solution, they say bugs that are handled in a closed discussion between a small set of participants are less likely to produce the best possible fix, for example, risk of missing valid use cases and limited testing ability. So they're saying, we prefer to fix these things out in the open. And then it turns out that the majority of bugs reported via the security team are just regular bugs that have been improperly qualified as security bugs due to a lack of awareness of the Linux kernel's threat model described in documentation Process threat model, it should have been sent through the normal channels. And so they go on to say that the security list exists for urgent bugs that grant an attacker capability that they are not supposed to have on a correctly configured production system and can be easily exploited, representing an imminent threat to many users.
Okay, before reporting to this group, the security team, you should consider whether the issue actually crosses a trust boundary on such a system. And then there's an interesting note here. If you resorted to AI assistance to identify a bug, you must treat it as public, and it says, well, you may have valid reasons to believe it is not. The security team's experience shows that bugs discovered this way systematically surface simultaneously across multiple researchers, often on the same day. So this is really fascinating to me. So what they're saying is, look, Claude, there's a new version of Claude, or a new version of whatever, you know, OpenAI's tool, they, they release a new version, use it to find a new bug. You're not the only one that's doing that. And so like, every time one of these things gets bumped or somebody releases a new tool, there's going to be like five or six of you finding this bug on the same day. Just go ahead and consider it to be out there. If you used AI, because everybody else can do it, like, this is very fascinating.
B
How are you being surprised that two calculators come up with the same answer?
A
Sure. Yeah. They all, they do go on to say, please don't publicly share your reproducers. Like, don't share the proof of concept code if it's not been fixed yet. And then they do all go on to say, if you're unsure, err on the side of reporting. Privately, the security team would rather triage a borderline report than miss a real vulnerability. So they're saying, better safe than sorry, however, goes on to say, reporting ordinary bugs to the security list does not make them move faster. Instead it consumes triage capacity that other reports need. AKA, if you do this, you're just wasting our time and that time is valuable. And then the other part of this was that there are a lot of bugs being reported that are used by AI that are, sorry, they're found by AI, and they've got some guidelines here on how to, how to do this. How to do this the right way. And that's first off, when your AI writes the bug report, it's going to be excessively long and verbose. Don't do that. Cut that down, make it, make it shorter, format it without the markdown tags, go in and fix the impact evaluation. Because the AI is going to think that, oh, everything is a serious vulnerability. It's not going to fix that. Before you send it to us, please always ensure that your reproducer, your test case, works before you send it to us. Because you know, you can ask an AI to write your code and it'll gladly do it, but it just, it can't guarantee it works. And then they're also suggesting, please propose a fix and test the fix. And so it's interesting to think about this. I've heard it said that friction is one of the things that has made the kernel work so well that it's difficult to sit. So like you have to have a certain level of competence to even be able to send something into the mailing list that doesn't just get immediately kicked. And I think we're coming to the point where LLMs have reached that level of competence.
And so now they're essentially saying, look, we need to introduce a little bit more friction into this process to slow down the onslaught of these LLM reported bugs that in some cases are not real. It's just, yeah, even the kernel is having to deal with it. And the kernel is embracing the AI technology to fix things. You know, that you've got the. Oh, I forget what he called it. Greg kh. The Gregbot? Is that what he called it? But you know, he's doing AI stuff. I'm sure Torvalds is too, to some extent. And they've been doing it for, you know, looking for security bugs for a long time. Real fascinating to see and something that I'm sure the kernel, as well as the rest of us will be wrestling with for years to come.
B
Yeah, I think a lot of it for me boils down to how it's used. Too many people just trust it outright. You know, I'm very happy to let it try to find bugs, but to me, you got to have the person. Like you said, is it verifiable, is it real? Or did it just come up with some random garbage? Even writing code I'd be okay with as long as somebody's actually looking at it and responsibly using it, which is the hard part, right, where I'm just going to have it crank out code and throw it in and it's good enough and not realize it's got a lot of mistakes in it.
A
Yeah, well you can do that for your own project and that's one thing. But trying to send that code up to like an open source project where other people have to look at it. And sometimes it's not even that the AI is writing broken code, it's just, it's writing code in bad taste. Like it'll do these things where it'll have, and this is what I've seen when I've used it to generate code. It'll have multiple one line functions like here's the name of the function and all it does is it calls this one line with an extra argument on it. Then that is a function. That is a one line function that calls yet another function with an extra argument on it. It's like, I see why you're doing this, but it's not the way we want our code to work. I don't want to have to jump through all five of those functions to be able to figure out where the code is flowing, where the process execution is flowing. We call it making lasagna. We have to go pull some lasagna noodles out of the code that the
C
AI wrote and when you turn around, give that code back to your AI and say, can you consolidate this into one function?
A
I've done that. I've told the AI before. So I use LLMs and copilot in, in VS code. I've done one, one or two, I don't remember one or two new features for code base. I've written that way and I've exactly done that. I said, hey look, this is what I don't like about your code. Please go in and fix it and it'll do so. And if you give it the, you know, if you give it a good enough prompt, it'll go in and give you something that's reasonable. I think I still ended up going in and fixing a few things by hand just because it was faster. But yeah, it's definitely, it's, it's an interesting back and forth to get the machine to write good code for you.
C
Well, what I'm finding, especially with Chrome's built in AI is it's great for finding the flags that I can't remember off the top of my head.
A
Yeah, there you go.
B
Oh, it could be a good search engine. But you know, just here, here's in case anybody hasn't heard this, but here's a well known little test. You go to your local AI and you say I need to wash my car. It's the car wash is 100ft away. Should I walk or should I drive? And a lot of times it'll tell you, well, you should walk. That's just better, you know, it doesn't always get everything.
A
Yes, yes. It doesn't actually understand. Yeah. All right, well, let's move on. And the next thing to chat about is something I'm looking forward to and That's KDE Plasma 6.7. What's new there, Jeff?
B
Give us the scooter. Oh yeah, well, we've talked about Plasma 6.7 on and off and as more and more features come to light, you know, we've kind of covered a lot of these, but some of the things in 6.7 which are we're looking forward to, you know, and it's just real high level stuff is per screen virtual desktops, Wayland Session Restore, a global Push to Talk feature, a dedicated setup UI for configuring shared printers, a multi GPU swap chain feature that's for when you have multiple GPUs and Vulkan support can be used across multiple GPUs and a full featured Print Queue viewer app. Now it's like I said, it's just a few of the updates and I just just a few of the high points. There's a major list of changes when looking at the link in the show notes as it has a link back to the KDE wiki with all the changes in 6.7, what I mentioned is a tiny fraction of the fixes and features added. Now one feature I didn't mention yet is the Union style engine which is in the KDE 6.7 beta blog and they have a call out that they need, you know, beta testers. Well, what is it? Well, it's KDE's upcoming CSS based style engine designed to unify theme creation across both Qt Quick and Qt Widgets in the Plasma desktop environment. Now it solves the long standing fragmentation of KDE themes by introducing an abstraction layer that converts diverse inputs into a single rendering engine. So the creator of this, Arjen Hiemstra, had this to say about it. Over the years, the way we style our applications has become increasingly complex. Initially we only had Qt widgets and a system to style them. Then came Plasma with SVG based styling, followed by Qt Quick which introduced yet another styling system. At this point we have several methods of styling and most of them are quite challenging to use. Now Union has been in development for more than a Year. And the announcement calls out several app examples which would run on Union and put it through its paces.
And if there's an issue, how to toggle back to the old system to make sure the issue is truly with Union and not an app or widget issue. So now for those wanting to jump in and test, download and go. There will be a second beta on May 28 to fix the bugs called out in the first beta and hammer the code a little more so you can, you can play reports and bugs, then you can verify in May 28 that they got them fixed. You know, hammer that second one and you know, if you're not a new you, if you're a new user and not sure you're up for beta testing and, or, you know, you want to just wait for the official release from your distribution, that will happen sometime after June 16, because that's when, as of now, 6.7 is officially scheduled to release. So happy testing.
C
Yeah, I don't think I'm going to see 6.7 with Ubuntu 25.10.
A
No, definitely not. No. Ubuntu is not likely to push out a new KDE release midway through an Ubuntu release. Fedora probably will. Ubuntu probably will not. They'll probably wait for the next. So it'll. It'll show up, I'm sure, in 2020.
B
Yeah, well, Kubuntu usually has a back ports that you could probably get it in, which is why you have to enable those repositories.
A
Yeah, you gotta opt in. Yeah.
C
I don't know if Ubuntu Studio opts into it or not, since it does use Kubuntu as a default desktop.
A
Probably not. I would assume that it wants the stability more than it wants the new Shiny.
B
Whereas I, on the other hand, more production.
A
I like the new Shiny. I'm going to have to go try the revamped Air theme. I remember KDE with Air. It was pretty cool to give that a try.
B
Yeah. Bringing it back.
A
Bringing it back.
B
Well, and the global push to talk is one that a ton of people have been clamoring for.
C
Yeah.
A
And so that's like basically what mutes your microphone until you hit the button.
B
Yeah. So. So when you push a certain button. So like if you're on a discord or teams or teamspeak or whatever, you'd hit that and you could talk, but with Wayland, because they kind of didn't have that glow, the security, you didn't have those global, you know, nothing's global with Wayland. Yeah, you can't have a key press or program monitoring for all key presses and it kind of locks the system down more. And there wasn't an easy way around it, but they've figured it out. I don't know the details behind it,
A
but yeah, probably got.
C
Go ahead, Jonathan.
A
I know there has been for a while now in KDE the ability to go in and say basically to give like a legacy support for X11 programs to pass through those key presses to them. Because I know I've been doing that with Mumble for quite some time and that that works. And so the fact that this is a global, it actually, it sounds to me like it's KDE muting your microphone until you hit the button, which is a really sort of clever and interesting ulterior way of doing that. So I look forward to playing with that as well.
C
It could be fun or it could have been pipewire.
A
Well, I'm sure it's done via pipewire, but it's a KDE feature. It's in the KDE change log. It's not in the pipewire changelog.
C
Well, because the latest release of pipewire did fix a problem with the audio mute. Stay muted even when you unplugged and then plugged your headset back in.
A
Yeah, got it. All right, well, we are going to talk about firmware and some updates, but first we're going to take a quick break. We'll be right back.
C
Time to go get some popcorn.
A
Yeah.
C
Well, Jonathan, this week we have two different stories regarding both LVFS and fwupd. First, we hear from Marcus Nestor about two companies stepping up to support LVFS, the firmware update service for Linux. Lenovo and Dell are the first to sign up as Premier sponsors for LVFS, each contributing $100,000 per year to help fund the project. According to Richard Hughes, the huge industry support from Lenovo and Dell and our existing sponsors of Framework, OSFF and of course both the Linux Foundation and Red Hat. We can build this ecosystem stronger and higher than before. We can continue the great work we've done long into the future. According to Marcus, the first Premier sponsors are also two of the most Linux invested OEMs in the industry. Lenovo, one of the largest PC vendors around, ships Ubuntu on laptops, desktops and workstations worldwide and has over 700 Ubuntu certified devices to its name. Now Dell has 140 plus certified configurations and partnerships with Canonical, Red Hat and SUSE. Now Bobby Borisov and Marcus also wrote about the latest fwupd maintenance update 2.1.3. According to Bobby, the most notable additions are support for Redfish Bearer token authentication, support for several XMC SPI chips, and the ability to parse JCAT files directly in libfwupd without libjcat. As always, you can get more details from Bobby and Marcus's articles. And are you still online?
B
Oh Harry. There was Jonathan, what'd you do? Are you there, Jonathan?
A
Sort of. Can you guys hear me now?
C
I can hear.
B
We can hear you now. We can hear you.
A
So I'm sure some of that will get edited out, but that was, that was fun. So we were talking about LVFS and I was like, oh, I haven't checked this in a while and I know on Fedora under KDE you do this through Discover. So I opened up Discover and the moment that I hit Discover my second monitor went down. Disconnected. And guess how my headphones are plugged in.
B
Yes, currently through the second monitor.
A
Through the second monitor. So I was blind and deaf. Just. And if you guys, if the video cut to me at any point through all that I was going, oh no, am I going to get it back in time? I'm sure he's still talking by now. Oh no. Oh no. Ended up having to unplug the Framework module and replug it back in.
C
That does explain the expression on your face when I mute my video.
A
Oh, that's hilarious. But I've got one more story that we want to cover before we finish up and that is stop killing our games. It's kind of like the right to repair, but for gaming. And so for this story we're going out over to gaming on Linux and talking about a bit of legislation that's working its way through the system in California. It is the California Protect Our Games act. And this is a bit of law that would essentially say when you are going to retire a game that requires online access to play, you have to either release a patch to allow people to play it offline or you have to release the server to allow people to self host. And part of the reason for this is like people are paying money for these games, they have purchased these games and then for a gaming company to then turn the game off and make it no longer work in a very real way that's fraudulent and that is a, that is a gaming company stealing those games back. It's, it's piracy. Right? It's. I hadn't quite thought of it like that but there you go. That's an interesting turn of phrase. EA is pirating games from us instead of the other way around. And so this is, this is potential law. It, it has made it out of the Appropriations Committee in California. And then it's going to go to the broader floor where they're going to look at maybe adding some amendments to the law. And then, you know, at some point, the legislature out there in California will vote on it, hopefully, and see if it actually passes. I'm actually very much in favor of this. Now. This is the sort of thing where you have to write the law very carefully because you could have some unintended consequences. But I absolutely, I 100% think that this is a huge problem. This is one of the, I don't know if it's unintended or intentional, but it's one of the consequences of DRM and things like the Digital Millennium Copyright Act. And that is that it is so easy for a publisher to steal content back from the consumers. 
And I think it's wrong. I think you could literally make the case that it's fraudulent. And as I said, it's piracy. It's a publisher pirating content away from its users. And, you know, if, if it's wrong for a user to pirate a game, then it's wrong for a game publisher to pirate a game in the exact same way. And so I'm 100% for it. I think it, I think it should be law in the same way that I like the right to repair acts and give people ownership of their stuff back. It'd be very interesting to watch. And next time we, yeah, next time we get an update on this, we'll try to remember to bring it and cover it. Keep an eye out for it. Interesting stuff.
B
Yeah, they're, they're counter, you know, the corporations counter argument is you don't really own it, you're just renting it. So we can take it away whenever. That's. That's kind of what the angle they're trying for. And they don't want you spending time on that old game because they want.
C
I've got physical media with it.
A
Yeah, that's, that's one of the key. Well, it actually, it does. Well, that has been covered in court before. That is, that is established case law that it does matter if there's physical media. Physical media means that you have purchased something and it's not just a license because that comes back from, you know, the, the old days where we actually had books. You, you got a, you know, you, when you purchase Something and you physically had something. It is not just a license. And there have been companies that have tried that with even books before. And the courts have shot that down and said, no, no, no, no, no, that is not how this has ever worked and that's not how this is going to start working now.
C
Thankfully, that's what for years drove the secondhand book market, which also expanded to cover reselling your Vinyl and your CDs.
B
Yeah, yeah, they tried to stop that. And you know, it's the same argument all the time. They've tried to stop used records and CDs from getting sold. They said, oh, VHS, you know, you can record off TV, that it's going to kill movie sales. It's going to. They had the same argument again and again. And it never actually ever pans out.
C
VHS is going to stop movie sales. I hate to say it. You know how many times I have, I've had to buy a very popular VHS tape for a movie in our
A
house multiple times because it's gotten worn out, I'm sure. Yeah, yeah. So I, yeah, I'm, I'm, I'm very glad. It's really interesting to go back actually look at the Supreme Court case about vhs. But that's one of those that has been a real win for consumers that's been referenced several times over the years,
C
which is, and I'm probably going to be in trouble for suggesting this, I use Bookbub to find out when those ebooks are going at real cheap prices for copies that I want to get that I can have, you know, DRM free. Because then I'll use all the links and when there's that cheap, I'll buy them on for the Kindle for bar from Barnes and Noble through Google Books and in some cases I'll even go and see if it's available through one of those sources. DRM free.
B
Yeah, well, and that's why like I movies and music, my music I do have digital, but it's DRM free, so I own the copy. But every movie I have, I don't go through streaming services. I get a physical disc.
A
Speaking of court cases around this, we actually in the US we just had a Supreme Court ruling. There were no good guys. In this particular case, it was Cox Communications versus Sony Entertainment, but they were
C
both in the wrong.
B
Well, do you root for the devil or do you root for the demon? Yeah, you know,
A
in this case it was a good thing that Cox Communications won because the alternative was a law would stand that said that ISPs were liable for people's downloading of pirated content. And it was like a billion dollar judgment against Cox Communications. And it really would have been really bad case law for that to stick around. But, you know, it's a, it's a good thing. I think anytime that the insane DMCA copyright can be toned down a little bit is a good thing. And so, you know, probably about the, the best possible outcome of this that the, the Supreme Court looked at this and said, no, we're not going to play this game with copyright. It doesn't, it's not going to work the way you think it does. And interestingly in this, they went back to the, the VHS and Betamax ruling where they said that, you know, there is a legitimate use for this, so you can't outlaw, you can't outlaw VCRs altogether just because you're afraid people will use them to copy movies.
B
Well, and you know, to me, I don't see a difference at a higher level of, you know, you know, okay, I'm pirating a movie or can the phone company be liable? Because I talked to Jonathan and we decided we were going to rob a bank. So now the phone company is responsible because we did that communication over the phone. I mean it, to me, it's like you can't hold the carrier responsible for.
C
And you know, who fought to make sure that never happened.
A
That's what the whole common carrier rules were about here in the US Is essentially that you can't hold the carrier responsible in that case.
C
But if you're going to use that logic, I can think of another company that would definitely fight against or another industry that would definitely fight against it.
A
I mean, I think there's a whole bunch of them. Automobiles. Automobiles, firearms. I mean, you know, more, more beyond that.
C
Tool manufacturers, period.
B
Yeah, well, and you. There are, there is law in the United States that you can't hold a company liable. Like, I'm probably mangling this a bit, but you, you cannot hold a company liable for somebody misusing their product. You know, if it was, you know, a baseball bat, okay, I got, I'm, they make them and then I go and I, I hurt somebody with a baseball bat. You can't sue the Louisville Slugger Company because I misused their product when it wasn't. That's not what it sued. This design was for.
C
It was intended, intended to knock that baseball off the top of the somebody's head.
A
Not like that.
B
Yeah, but, but just for the record, you know, I, when I was saying earlier was just devil's advocate. I'm all for less DRM. I mean I, I get. They don't want to lose everything, but there's also a little. A few steps too far. And I am very pro right to repair. And I grew up on a farm slash ranch and that's a pretty big deal nowadays with the modern farm equipment that cars have. The law that say you have, they have to have that OBD2 port that you can get error codes and troubleshooting and big equipment does not have that you have to tie into their proprietary system if you're at all allowed or you have to just go to the dealer if there's any kind of issue and you have to use their.
C
Oh, I'd love to see somebody that could afford to take that say this is a vehicle. Doesn't it fall under the OBD law?
A
I'm sure that, I'm sure that's been tried. There is a. There, there is a John Deere carve out to that law is. Is exactly what it is.
B
Yeah. You know, New York, New York had a big right to repair law, but then there was all these carve outs in there that made it just basically fluff. It was all the important stuff kind of got. Was an exception made for. But then it got hollowed out. Yeah. But on the flip side, there is a lot of farmers and a lot of Eastern Europeans are leading the charge in this. They're hacking their tractors and farm equipment to get around a lot of this stuff. I mean it's.
A
I remember talking to a hacker goes by the name of Sick Codes got Doom running on the controller for John Deere tractors several years ago. That was a big deal. Yeah, there's a lot of research going on into that. How did Jailbreak.
C
I can see where farmers would want to be able to play Doom while they're out in the field.
A
Exactly. All right, well, we have had fun. Let's get into some command line tips and I think before we do that, we're going to take our final break. We'll be right back. Who's got a first command line tip? Jeff.
C
Jeff has.
A
What is cooler control?
B
Well, for people who want to take better control of their system temperatures. I ran across CoolerControl. Now it can monitor temperatures, you know, fan speed, power in real time, automatically adjust speeds based on your profiles and sensors. You can add hysteresis thresholds, directionality and response time, tuning to profiles along with setting modes. So you can, for example, switch between silent and gaming mode. Now I will add that while CoolerControl automatically discovers supported Linux hardware drivers and connects to devices that expose compatible sensor interfaces. You know, for example, hwmon, NVML, liquidctl. It does not ship device drivers or access hardware directly, so it's not gonna totally do this on its own. Or to put it another way, CoolerControl only supports hardware that the kernel or another module supports. Now, I'm not gonna go into installing the program other than to say that depending on the hardware and how supported it is, there might be some extra steps, but they have a great document showing what to do. For example, you might need to install lm-sensors and then have it discover your hardware. Take a look at the link in the show notes for the website so you can get all the instructions and details on everything this program can do. I was impressed, you know, on my laptop how much I could monitor and display at once. Which of course it, you know, the display and all that.
A
It's.
B
Of course it's totally configurable. You can pick and choose and fold, mangle, staple and mutilate as you need. So take a look at it and keep cool.
A
And keep cool. I like it.
C
All right.
A
And Ken? Yes, Stow. What are we stowing?
C
Yes. Depends on what you're working with. But I had stumbled upon this week's command line tip while setting up my system to share my files and application configurations between the Ubuntu Studio 25.10 that I do the podcast from and Ubuntu Studio 26.04 that I'm trying out. The command is GNU's Stow. It's a symlink farm manager that takes distinct sets of software and or data located in separate directories on the file system and makes them appear to be installed in a single directory tree. Now, I am using it to manage the shared configuration and data files between my Ubuntu installations. Today's example is how I shared my SSH configuration between both. Let me go ahead and get this up so you can read this a little easier. And let's switch over to this one for a minute. Okay. Now in the left terminal I've got my home directory and I've got listed here all the files that are in it. And you'll see that with the listing I did. It also allows you to see where there's any links for that particular file or directory to another location. Now, here's my ssh. Now the way I set that up is on the terminal on the right. I've got the location for where I'm storing everything actually. And you'll see I've got some configurations that I set up. One is called SSH config.
A
So let's see.
C
Yeah, go back to my notes here. And I'm going to do a copy. That way I don't have to retype everything. But the command, of course, that I mentioned is stow. Now, it's got some options that allow you to say, do a dry run or simulate. That's the dash N. V is verbose. I'm also using dash dash target and tell it the directory that I want as the target directory. In this case it's my home directory. And then dash dash D tells it the directory I'm wanting to set up from. And in this case it's pointing to the dot files that I'm currently in. And in that dot files I've got a subdirectory SSH config. Now when I run this and as you see, it says warning in simulation mode. So not modifying file system. So it didn't really do anything since it's already there. So what I'm going to do is come over here. Yeah, it's come up here. So I don't have to try to type everything out. And. Copy ssh, I'm going to remove. That sounds dangerous right there, doesn't it? So with that removed, if I try doing an SSH command, there it is,
A
1900 in your history list and it
C
comes up with this. It can't be established, so I'm going to go ahead and cancel that out. And with that deleted, if I run this, here's what it would do. It would create a link for dot ssh to that. So I can go in now that I've seen that, it will do that. Remove that in, run that and it actually does it. And now let's try it. And now I was able to log into my remote system.
A
So it has a list of symlinks and it will automatically recreate them on demand
C
or create a symlink to a directory that basically has all the files that you need for what you want to do.
A
Cool. Interesting stuff. All right.
C
I'm playing around with doing that with some of the other configurations. The fun one's going to be with
A
OBS trying to get all your dot files wrangled.
C
Yep. The ones that will allow me to be used in multiple locations. The easiest ones are the bashrc, the bash dash aliases file I've got and my functions files, because those I'll have, I'll be using all the time. Yeah.
B
All right. There should be some kind of Herding concatenations joke in there somewhere.
A
Indeed.
C
It is a symlink farm.
A
There you go. It's a farm of cats, apparently. I've got a command line tip. That's a different one. This one is interesting. I stumbled across this, and it is bb, which. This is a really old ASCII art demo. The source is still available. It was apparently originated in FreeBSD. The source is available. You can try to compile it, although I've seen some reports that it doesn't actually work terribly well on modern Linux. Like the audio may not work. You may have to compile it just the text. I've not yet taken the time. I briefly tried to compile it, but I've not taken the time to actually try to compile it very seriously yet. I've got a link off to actually, the YouTube capture of it. Pretty interesting stuff. But I always like these old ASCII demos, and having one that runs natively on Linux is not something we see very often. And so I thought it was pretty cool to highlight. And there's more of these out there if you go looking for it. But it would be an interesting challenge to try to get this compiled on a modern Linux system. And I don't know, maybe somebody needs to fork it and fix it so that we can all get our ASCII art demos in. Watching the YouTube video, it's not short, it's like seven or eight minutes, but it's a, 8 and a half minutes. But it's a. It's a pretty cool little demo. And some. Some neat screen candy. I don't know, you get it running, you could then set it as your screen saver. We talked about how to do that a few weeks ago.
B
So.
A
Cool stuff out there.
B
Yeah, I was looking at that. It is really cool.
A
Yeah.
B
It kind of takes me back to the Amiga days, where they used to thrive on demos.
A
Mm. There's still. There's still a demo scene out there. People going back and making demos for some of the old machines. Yeah, cool stuff happening.
C
I remember the psychedelic demos that come across for the Atari 800.
A
Oh, yeah, there's a bunch of them out there. All right, well, that is the show. I'm gonna let the guys get the last word in on whatever they want to, really. We're like, ken, go first. I see you've got a story here that you want to briefly talk about.
C
Yeah. If y'all look in the show notes, you'll see I've got two links to articles from both Bobby Borisov and Marius Nestor, where they wrote about The Document Foundation's release of LibreOffice 25. I do recommend checking it out so you can find out when this will actually be reaching end of life.
B
All right.
A
And Jeff,
B
nothing major to cover, so I'm gonna have a poem. With Searching Comes loss and the presence of absence. My novel not found. Have a great week, everybody.
A
All right, well, yeah, just for me, the thing I'll mention is over at Hackaday, you can find Floss Weekly. We've missed a couple of shows here recently. Maya and the family being sick was a big part of that. Hoping to pick back up on that shortly. And then here in a week and a half, I'm going to be at the Ubuntu Summit. I am the, the first presenter on the second day. And so you can, you can actually, it's a, it's a remote, Remote first event, they call it, which means that you can, you can sign up online and be part of the remote audience and ask questions. So anybody that wants to catch my talk there, certainly welcome to. And that should be a lot of fun. Other than that, I just want to say thank you. Appreciate everybody being here. Whether you get us live or on the download, those that watch and those that listen, we very much would love to have you with us. And we will be back next week. We will see you then on the Untitled Linux Show.
C
Sam.
Date: May 17, 2026
Host: Jonathan Bennett (A)
Panelists: Ken (C), Jeff (B)
This week, Jonathan, Ken, and Jeff return to dive into the Linux ecosystem's latest news. Major topics include the performance advances in GCC 16, a surprise update to Photo Flare, ongoing security vulnerabilities impacting both Linux and Windows, Debian’s push toward reproducible builds, the latest PipeWire releases, KDE Plasma 6.7's imminent features, firmware updates from major OEMs, right-to-repair for games, the role of AI in kernel development, and handy command-line tools.
Timestamps: [04:14] – [09:31]
"GCC 16 came out on top with a close second place finish in with Clang 22... These benchmarks were geared to the Threadripper... so when these say these are faster, keep in mind these are the heavy duty workloads." – Jeff (B) [06:09]
Timestamps: [10:29] – [14:42]
"It was inspired by the image editor Photo Filtre... The headline change is the move from Qt 5 to Qt 6... also introduces a rewritten canvas rendering pipeline... GMIC integration provides a searchable library of over 500 filters." – Ken (C) [11:50]
Timestamps: [15:40] – [27:27]
"During that gap of time... another program can open its own file... and because that's not been closed out of the table, it can then say, hey, I'm an suid binary, let me do the thing..." – Jonathan (A) [16:33]
"Windows 11 BitLocker can be completely bypassed simply by plugging in a USB key from a stone cold turned off machine... it deletes the folder, wipes the drive... sounding like an intentional backdoor more than anything else." – Jonathan (A) [22:50]
Timestamps: [28:34] – [35:50]
"Debian is making reproducibility a requirement. Starting with Debian 14, a package must be reproducible before it can enter the testing or stable repositories. If it isn't reproducible, it won't ship." – Jeff (B) [30:09]
Timestamps: [35:59] – [39:06]
"Pipewire just works these days. I haven't thought about pipewire much recently because it does almost everything I need it to do." – Jonathan (A) [37:20]
Timestamps: [41:58] – [50:52]
"If you resorted to AI assistance to identify a bug, you must treat it as public... these bugs surface simultaneously across multiple researchers, often on the same day." – Jonathan (A) [44:40]
"Too many people just trust [AI] outright. I'm very happy to let it try to find bugs, but you gotta have the person... responsibly using it, which is the hard part." – Jeff (B) [48:35]
Timestamps: [51:51] – [58:00]
"Union has been in development for more than a year... designed to unify theme creation across both Qt Quick and Qt Widgets in the Plasma desktop environment." – Jeff (B) [53:11]
Timestamps: [58:26] – [61:16]
Timestamps: [61:42] – [66:08]
"In a very real way, that's fraudulent... EA is pirating games from us instead of the other way around... if it's wrong for a user to pirate a game, then it's wrong for a publisher to pirate a game in the exact same way." – Jonathan (A) [63:54]
Timestamps: [66:08] – [72:45]
Timestamps: [72:57] – [82:51]
Timestamps: [83:18] – [84:59]
“With searching comes loss and the presence of absence. My novel not found. Have a great week, everybody.” [83:44]
This episode spotlights the relentless progress—and thorny challenges—across the Linux world: compilers outpacing their predecessors, grassroots open-source projects revived, new security headaches with both Linux and Windows, rising demands for software traceability, and the impact of AI on open-source workflows. Long-term trends like open hardware and right-to-repair echo through lively stories about dotfiles, firmware, and even ASCII art demos. The team blends personal tales, deep technical dives, and the current pulse of the free software world, making this a must-listen for Linux enthusiasts.