Untitled Linux Show 171 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Jonathan Bennett (Host)
Hey, this week we have lots to cover, from the Winamp source code drop to the rumored 9.9 CVE for Linux, to Fair Source, Cloudflare's new server, a release of Ardour and Valve, finally getting sick of Wayland. There's lots of stuff. You don't want to miss it, so stay tuned. Podcasts you love, from people you trust.
00:29
This is TWiT. This is the Untitled Linux Show, episode 171, recorded Saturday, September 28th. Too many maybes? Hey, folks, it is Saturday and you know what that means. It's time for Linux and geekiness and open source and security and gaming and all kinds of other fun stuff. It's the Untitled Linux Show. I'm your host, Jonathan Bennett, and we've got Rob and we've got Jeff and it's just the trio. Today we are not doing the quartet, but that's all right, because there's been a bunch of news, some really cool stuff, some other stuff. We'll get into it and stuff, lots of stuff, lots of stuff. Welcome guys, glad you're both here.
01:11 - Jeff Massie (Co-host)
Glad to be here and I think we're going to probably get into some discussion, so it's good that we don't have quite as many stories.
01:18 - Rob Campbell (Co-host)
Yeah, that'd be a longer show than normal with just three of us.
01:21 - Jeff Massie (Co-host)
Yeah, that could be. Maximum verbosity, yeah.
01:25 - Jonathan Bennett (Host)
All right, Rob has us up first, and we've talked about this before. We talked about it when it was announced, and now code has dropped and I've seen this labeled as like a failure to open source or a couple of different things like that. What's the deal with Winamp?
01:42 - Rob Campbell (Co-host)
Let's get into that. Yeah, so earlier this year we told you that Winamp was planning to release its source code in September. And well, this week it has been released on GitHub and you can find it yourself there. Last time we talked it was. You know, there was language in the announcement that maybe concerned us, indicated. Maybe it won't be quite as open as we were hoping, maybe we're not going to get the Linux port due to whatever they do, but we didn't know at that time. So let's start by looking at the license. So the code was released this week under their own custom license, and you know that can be good and bad and you know whatever. But their custom license, it's called the Winamp Collaborative License. Sounds good, right? And right near the top of the license they are calling it a Copy Left License. Even better, it keeps on going good.
02:46
So for those who don't know, a copyleft license basically allows you to do almost anything with the code, from editing, sharing, repackaging, distributing, whatever. Almost anything you can think of. Copyleft license is the opposite of a copyright and practically it lets you do a lot. Unfortunately, they lied. This is not a copyleft license. The original license I believe it was the 1.0 version said quote. Users are not. Well, I guess not quote, but users are not allowed to fork the project. But a pull request pointed out that this is against the GitHub terms of service and so that was removed. It was updated, removed from the license. But there's other things. The other crazy non-copyleft restrictions also apply in this license and right down there in the restrictions section says no distribution of modified versions. Okay, you may not distribute modified versions of the software, whether in source or binary form. Other distributions only the maintainers of the official repository are allowed to distribute the software and its modifications.
04:19
So this is not copyleft, quite the opposite. I mean, what at all is copyleft about this? So this is source available. You can look at it. You can't do anything with it. You can contribute to them and let them take your work and not let you do anything with it. But even when they had the non-fork fork that actually kind of makes it hard to you know fork do work merge it back in. Fortunately they removed that piece. So you know the source available is not. It's not open source.
04:57
But this isn't the only goof in publishing this source code. So license code was also published in this repo. It's like they didn't know what they're doing. They just yeah, here's what we got. Whatever you know, even though they knew is coming ahead months.
05:12
Look at what was in there. One of the things people pointed out is that code from Dolby Laboratories that says right on there it's confidential, do not copy, do not distribute copyright. I don't know, 2001, 2004, something like that. Uh, this, this was also has been pulled out, but it can still be found in the in the change uh history. So I guess I won't look at all that copyright stuff, because they just did it through a, a or whatever. And then also code for Shoutcast DNS is also in there, which is someone else's project.
05:54
And then the commercial release of Qt was in there too, not things that they should be releasing. Other people's code, but along with that, along with that, there was a leaking of certificates that you know. Fortunately, they actually expired in June, but if these certs were, if they weren't expired, anyone could just sign the software with those certificates and impersonate Winamp. So, yeah, this is Winamp software. Anyway, maybe that's not such a big deal, but it's just silly. You know. All this along with there's actually some other things that don't really belong in the repo. It's maybe not as harmful, but it really kind of shows that maybe they didn't know what they're doing. For a deeper dive into this issue, I'd really suggest checking out Brodie Robertson's YouTube video called "The Winamp Situation Is Crazy," because it really goes into this and you can really see a lot of what I just talked about.
07:07 - Jonathan Bennett (Host)
It's, it's, it's crazy. Yes, so Hackaday has been covering this too and, uh, one of the things, one of the other things I don't think you mentioned it, but the Hackaday authors have picked up on is, uh, it also contains GPL code. So, like there's that, um they have, they have fixed that by just removing the GPL code from the repo, but Winamp has apparently been a GPL violation the entire time it's been available, um yeah, maybe, maybe should clarify why that's no, because it's GPL that an actual copyleft license which means everything else in there has to match that license.
07:47 - Rob Campbell (Co-host)
They have to be.
07:48 - Jonathan Bennett (Host)
It is a, so that means that it is considered a derivative work of the GPL, of the GPL code, and the license terms of the GPL says that you only get to use this code if the derivative work the downstream, is covered under a a GPL compatible license, which basically just says that you have to make the source available when you distribute the binary. If someone asks for it that you give the binary to. When they ask for the source, you have to give it to them in a reasonable way, and so the GPL says um, and Winamp has never been playing by those rules and so it has always been a copier. It's a copyright license violation. Um, I it's, it's great you know to be.
08:31 - Rob Campbell (Co-host)
Well, I don't know if it's to be fair or not. Who knows how far back this goes. It probably goes back to Nullsoft. I suppose at least that this one thing that you're pointing out, because, uh, today it's Llama Group that owns it, but they aren't the original creators of Winamp. The original creators are Nullsoft. But so all this publishing snafu, you can't really blame the original creators. But the GPL violation, yeah, that probably goes back yeah it's a lib disk.
09:03 - Jonathan Bennett (Host)
Id is the is the exact library that's in there. And uh, yeah, I'm not sure exactly how old that particular release is, but you got to figure it's been around for a while yeah it's a gift that keeps giving.
09:16 - Rob Campbell (Co-host)
You know it's something you know a lot of proprietary uh software has gpl, oh yeah, and if nobody could tell, as I have, that's not there.
09:25 - Jonathan Bennett (Host)
Well, even even when you can tell there it's, it's difficult to do anything about it, um, without going to court. And that is extremely expensive. And most little projects do not have the you know they, they don't have the, the wherewithal to do that, to to do a lawsuit over it. So you end up with a lot of companies, especially those from other countries, where things are even more lax than they are here in the States. We'll just, eh, whatever, We'll ship the code, it's fine, Nobody will care.
09:54 - Rob Campbell (Co-host)
Winamp, infringing the Lama's bleep since 2000, says a charger on a yes that's exactly what they're doing. But yeah, so yeah. Speaking of the GPL infringement, I remember a story, probably the last few years, like a television provider I don't know if it was Vizio or who that was TLC, I don't remember but I know there was somebody who had like GPL software on there and people were requesting for that code and they weren't providing it.
10:28 - Jonathan Bennett (Host)
Yeah, I remember that story. They did actually go after them. It wasn't TCL, I think it was Vizio.
10:34 - Rob Campbell (Co-host)
I think it was.
10:34 - Jonathan Bennett (Host)
Vizio. Let's see if we can find out what happens to them. So our next story is also about open source. I'm going to research this and see what happened with that TV case, and we're going to let Jeff talk about the alternative to open source, which sort of terrifies me.
10:49 - Rob Campbell (Co-host)
but we'll see.
10:51 - Jeff Massie (Co-host)
You're not the only one. So, as we were just saying, you know open source licensing issues are nothing new to the Linux world or open source world and I can't count how many times where people would argue about different open source licenses and which one is correct. You know you get GNU and various revisions of that, various Apache level licenses, different levels. You know many, many others. You know which ones are compatible with another one and it, you know it really does get messy. Well, there's a new license called Fair Source being proposed by a software company named Sentry. The new license is going to be called Fair Source and they've been able to get a few other companies and organizations on board a few. I know the first thing that our viewers and listeners are asking. Well, what is Fair Source? Well, it's a licensing idea that helps companies align themselves with open source software so they're not having issues with current existing licenses. They do want to avoid the negative connotations that exist with proprietary software phrasing. Nvidia is a prime example of that when they had the closed source drivers in the kernel. That people didn't like it in the open source world. You know the term proprietary it. It doesn't go over very well, very negative connotations, so excuse me to to quote Chad Whitacre, Sentry's head of open source. He said, and I quote: open source isn't a business model, open source is a distribution model. It's a software development model, primarily, and in fact it even places severe limits on what business models are available because of licensing terms. He goes on to say that most of the world's software is still closed source. For example, Kubernetes is open source, but Google search is closed. React is open source, but Facebook newsfeed is closed. With Fair Source, we're carving a space for companies to safely share not just these lower level infrastructure components, but share across, but share access to their core product.
You know now, that sounds well and good, but it also sounds like a lot of marketing speak. We're going to maximize our synergy to align with our core competencies and our customer needs, to maximize our value. You know what did I just say? A whole lot of nothing, you know. So we've all heard that before. Before we directly say what FairPlay is, let's talk a little bit how we got there.
13:35
Now, Sentry, who makes an app for performance monitoring so large companies can diagnose buggy software, had it initially available under a BSD3 open source license. In 2019, the product transitioned to a business source license, which is a more restrictive source available license. The reason for this was organizations would take the software source code that Sentry released and would freely release a product that directly competed with Sentry. Basically, Sentry was tired of doing the work that undercut their business. Now here's where the devil's in the details. Fair Play Licensing says and I'm summarizing here source code will be available, but it has a non-compete stipulation that prohibits commercial use in competing products. This this is a quote with the same or substantial, substantially similar functionality as the original software.
14:33
Now, some of the criticism of this license is that it's legally fuzzy and will probably have to be hammered out in the courts, because what is substantially similar? Where's that line? Well, some lawyer's going to get rich figuring that out. It doesn't clearly state what is allowed and what isn't allowed, as one critic stated. But Fair Play does turn into regular open source after two years, I believe.
15:02
If I remember correctly, I think it goes to the Apache 2.0 license, but I will have to check the article to fully get that. So you know, the whole idea is it's protecting the company doing most of the software work from having their own product freely distributed and harming their business. At this point. I think our story's probably gone on long enough, but I urge everyone to take a look at the show notes, because I've highly summarized the article and there are a ton of links to other documentation. You know different licenses, supporting documentation, all sorts of that to help support and critique the idea. There's also a ton more on the background of the players, both for and against this idea. So now I would love to hear from Jonathan on what he thinks about this license, or at least the concept.
15:51 - Jonathan Bennett (Host)
I, I am still not hugely in favor of it. I I know there are some things people are trying to do with, like, for example, I think, is it Bruce Perens is doing the the post open source license, and like there's some interesting things there. Uh, this one is just it's the business source license over again. Right, it's just, it's just that idea they.
16:12 - Jeff Massie (Co-host)
They mentioned that in the article and talk about it. It's supposed to be slightly freer, but it also both the business source and this one, you know I said had the legal fuzzy gray areas.
16:27 - Rob Campbell (Co-host)
I totally understand the non-competitive. You don't want to put all this time into something and then just have somebody else release it with a fancier logo and then take all your business. But at the same time I guess if you want it to be that kind of business, then make it proprietary.
16:49 - Jonathan Bennett (Host)
So I would. I would even go and I would say that there's another problem with that and that is that means you can't fork it If you can't compete. That's an anti-forking clause, and that sort of defeats about half of the purpose of what open source is all about.
17:03 - Rob Campbell (Co-host)
Well, it depends on how it's written exactly. I mean one, one could argue that you can fork it, but but then you can't use it. Well, I mean, you could maybe use it for yourself, or maybe, uh, try to be in a different market I don't know. Yeah, that maybe would be allowed maybe there's a lot of maybes, I think that's one of the problems with this.
17:32 - Jonathan Bennett (Host)
Now I I am I am pretty much a firm believer that when, when the, the guys and gals that first hammered out the definition of open source back, it's been what 30 years ago now, something like that 40, maybe it's been a while, they got it right, and they got it right in some really important ways. And so every time one of these comes along where it's like we're going to do a new license that fixes all the things that open source gets wrong, but we're going to change it in such a way that we're going to violate one of these, there's like four or five principles of what open source actually means. In just about every case, it's a terrible idea for one reason or another, and I think this falls into that same category.
18:15
You know, you've had you've had people that have tried to do like the I don't remember what they wanted to call it but like we're going to write a license where we can exclude one person in particular because we think they're a terrible person. It's like this is a bad idea. This is a really, really bad idea. I don't know if you understand this yet, but just know that that person will eventually be you. That's one of the reasons why this is a bad idea.
18:40 - Rob Campbell (Co-host)
You could. You know you could make it maybe kind of like art, whereas it's not going to be completely open source. But you know, let's say art, you can't take this exact picture or song and release it as yours. But if you sample, do a derivative, change it enough, then you know you can release it as your own art. Now, maybe there's some something. I don't know how you'd say what is enough, but you know, maybe there's something that somebody could do. There's like okay, you can't take our code and just put, put your logo on and say it's yours, but you know, if you add enough to it and change it enough, you know now it's a new work of art.
19:28 - Jonathan Bennett (Host)
I don't know yeah, and I I get, I get the reason why people would want to do that, but like that's not what open source is, um, I do. I do think that the um, the, the, the other license I mentioned, which now I can't bring the name of it to mind is doing some license. No, no, no, not the business source license, the post open source, the idea, post open source, because what they're doing is they're going a step further and and talking about things like you've got to leave the data that's produced in control of the end users, and I think that's interesting. Um, they they're actually trying to do some interesting things with with the post open source movement. Um, I look forward to seeing where that is gonna go. Uh, but this, the business license stuff, I'm just I'm not terribly interested in it.
20:16 - Rob Campbell (Co-host)
As a developer myself. I mean hobbyist it's, it's not my profession, um, you know. So I'm not trying to make millions of dollars off of it either. I know a lot of these licenses require you to keep the copyright intact. So that way you still get the original developers or contributors get their credit. And you know, all I really want in the world is my credit. I mean money is nice.
20:43 - Jeff Massie (Co-host)
And a cup of coffee, and a cup of coffee and a cup of coffee. Rob doesn't need fortune or fame, he needs coffee.
20:52 - Jonathan Bennett (Host)
Yeah I mean, after that I'll go for the fortune, but you know, give me the credit, yeah so, uh, I did look briefly about the um, the Vizio lawsuit. It is indeed it's, uh. It's between uh, the Software Freedom Conservancy, and Vizio, and the latest update that I found was from um like March of this year, and that is that Vizio tried to get the uh trading the lawsuit thrown out, essentially for standing saying that, well, the end users aren't actually a party to the GPL, which would actually, it would destroy the GPL, like if, if a court ruled on it in this way, one of the one of the big components of what the GPL says would be thrown out the window. Uh, so that would be that problem. That would be kind of bad. So thankfully, the court denied that claim and the lawsuit is still continuing and the GPL has survived it and I think at this point they're just waiting to actually go to trial. So that's going to be interesting. It's one of the first times that I know of that the GPL is really really being tried in court. Uh, that's, yeah, that's real fascinating. So we will. If something happens on that, we will make sure and let folks know about it.
22:14
All right, I have got some happier news. This is not about a lawsuit. Uh, this is not about Winamp being crazy this is about. This is about a company, a project that actually does open source properly and makes some money from it: Ardour. Ardour has released 8.7, finally, they say in the release notes that they were thinking about just waiting for 9.0, because they have a lot of work already done for that, but the amount of bug fixes and things that were stacking up was just getting to be a lot and so they've pushed out 8.7.
22:49
This has some fun things in it, like the ability to reorder tracks by just clicking and dragging. That's been missing for a while. A bunch of MIDI stuff. One of the interesting ones here is that they've got parallel disk I/O, which should make things a little bit more stable while recording and playing back and hopefully a few less clicks and pops in your audio, which I'm looking forward to that working better. Then a bunch of other things. It's funny. You know, historically it's just been. You know you can use ALSA or JACK, and then they added PulseAudio as a backend. Well, the JACK backend they've now renamed to JACK slash PipeWire because of PipeWire's growing adoption on that platform. And you know, that's kind of almost like Stallman saying you know Linux plus whatever. I find that. I find that quite humorous.
23:50
I didn't get credited, and that's fine. There is a little bit of me inside of this, this bit of Ardour. I guess I didn't actually write any of the code that fixes it, but I figured out why you were getting multiple actions repeated on certain touch controllers, so like when you would hit a cue button it would cue up three times, and it was a pain trying to use certain bits of hardware. I figured out why that was there and then Paul went in and actually did the fix. But all kinds of fixes, bunches of fixes. We've got this installed already on the machine behind me and I've not gone in yet to play with it. But uh, Ardour 8.7 looks to be pretty cool. And then they've really, they've really teased us for the, the 9.0 release with some, uh, potentially cool stuff coming there.
24:37 - Rob Campbell (Co-host)
So fun, fun. So what are you using Ardour for these days, now that you know all the things I see is you're in. I know we used to do the show in Ardour, but today we're in Restream yeah, we're in Restream, so FLOSS Weekly, um.
24:52 - Jonathan Bennett (Host)
I record the show with um, with OBS, but I mix it in Ardor. So I I pipe the video, I SSH, scp, the video over the desktop behind me and then I've got a little bash script that goes in and pulls out the individual tracks and drops those as FLAC files on the hard drive and then I can just import those straight into Ardour and do the mix there. And I like that because it gives me the ability to use plugins like for noise removal. I can do compression and all that good stuff.
25:21 - Rob Campbell (Co-host)
Maybe when I tune up my guitar off to get Ardour.
25:26 - Jonathan Bennett (Host)
So one of the other interesting things about Ardour and some of the fixes here is for this is you can do live music stuff with it, and so you can literally tune your guitar with Ardour. You can run a plugin Like so Ardour has the capability to run live plugins and there are several tuning plugins, so you can literally just set up a track to record your guitar, get it going through there live and then add the plugin over at the side, pull the plugin interface up and you, which you can tune right there could possibly be better than like another tuner, because, you know, maybe that tuner, electric tuner, here's something a little bit different than once it goes through your mic.
26:06
I personally. I find that I've done this a little bit. I like the Ardour, the, the using that plugin for tuning. I found it to be really useful.
26:13 - Rob Campbell (Co-host)
Um right, and and we, if Ardour is going to be the one recording it and that's where it's going in. Yeah, makes sense. You may get a better, better, uh, better results tuning from the same source.
26:23 - Jeff Massie (Co-host)
It's uh, hearing, hearing here I'm just hearing that rob's are auto-tuned.
26:29 - Rob Campbell (Co-host)
Yeah I'm sure I mean you can get back into music. If I could figure it out how to do that there's, there's.
26:39 - Jonathan Bennett (Host)
There's so much cool stuff. There is an auto to there. Actually there is an auto-tune plug-in. Uh, I think x42 is the one that writes that and it's. It's available in Ardour. I've not gone and played with it, I'm sold, but it's in there. You could do. I mean you could do other fun stuff like just just imagine so you you play guitar let's say it's electric guitar and you want to do something with um with you know you got an overdrive pedal. You can record both the wet and the dry. You could record the the raw from the guitar and the overdrive signal at the same time on two different tracks and be able to play with those to do different things, you know so you could custom mix them and or or apply another effect on top of them, or replace the pedal altogether, or you could.
27:19
you could also bounce your audio back through the pedal if you wanted to change the way the pedal was tuned, you know, make it a little bit fatter sound. Okay, we'll bounce the audio through live. Oh my gosh, the sky's the limit.
27:33 - Rob Campbell (Co-host)
My new album will be coming out in a few months. Anyone who's interested, donate a coffee and I'll send you the digital files.
27:44 - Jeff Massie (Co-host)
Yeah, and coincidentally that is the digital files. Yeah, and coincidentally that is the name of the album.
27:50 - Jonathan Bennett (Host)
Buy Me a Coffee. Oh, brilliant, brilliant, all right. Well, rob, what are you going to do with all that coffee money? Is there a tablet in your future?
28:01 - Rob Campbell (Co-host)
I think there's a tablet in your future. No, I think there's a tablet in your future. No, last week, when we talked about the Radxa, I warned you that I would be trying again this week to get Jonathan to buy some more toys. The hardware on this device is similar to the Radxa, but in a tablet form factor. So I'm just going to get this out of the way right now.
28:23
Start out the night by saying that I am going to be a failure this week and Jonathan isn't going to want to buy this. What I'm talking about is the Juno Tab 3. So before I get into all the great things about the Juno Tab 3. I want to start out with why Jonathan won't want it. Then maybe when I, when I finish up with all the great stuff, he'll only remember the good stuff and he'll forget about the the stuff that he doesn't like at the beginning. So the first thing I know about Jonathan, after doing the show with him for a while, is Jonathan likes his mobile devices to have small screens, like seven inches. I think he said a seven inch tablet is perfectly safe for his jacket pocket.
29:15 - Jonathan Bennett (Host)
If you, if you show me one of these I was just thinking about this If you find one of these one day and you're like it's a seven inch tablet, you will probably now now maybe not for this amount of money, but a good seven inch tablet would be a much easier sell to me, a seven inch tablet is called a phone no, no this tablet.
29:37 - Rob Campbell (Co-host)
This tablet is a whopping 12.1 inches IPS touch display, so that's saying getting close to twice the size of what Jonathan likes. So the second thing Jonathan just already hinted at it is this thing retails for 699 US dollars, that's that's.
29:59
That's more expensive than most of the iPads. It it's more expensive than an iPad, iPad Mini or an iPad Air. I understand this runs Linux, so it's better, but I'm not seeing the Apple premium tax that we've all heard of. What premium tax do we got going on here? I don't know.
30:30
Like the Radxa, this does come with the Intel N100 quad core processor and at first I was a little confused because OMG! Ubuntu said that it was only a 1.10 gigahertz processor and I'm like, well, I guess they had to throttle it down for the form factor. But on the Juno site itself it has it listed as a 3.4 gigahertz. Um, so that's the same as as the Radxa and so I guess it's a 3.4 gigahertz. And and uh uh, OMG went to edit typo. I don't know, maybe something changed, maybe the page had a typo when they wrote it, I don't know. So it's a 3.4 gigahertz N100, same as the Radxa. You're looking at the same chip here, same SoC, so I'm not sure if the processor is a plus or a minus. What they said about the Radxa is it's faster than a Raspberry Pi five. So that probably pretty good for a for a tablet. I do wonder, though, also with that Radxa, it was said that you have to have cooling. Uh, you have to have a fan, and I'm not sure how you fit a fan into a tablet, and I mean, I know you can't have a fan and kind of angle it out the side, but I don't know. We'll see if heat's a problem with that.
31:51
Otherwise it seems like a pretty fairly premium device. It has, like the Radxa, it has a graphics, Intel UHD or Intel UHD for graphics, 12 gigabits of RAM, storage is a 512 gigabit SSD. It has Wi-Fi 6 and Bluetooth, 5. 2 megapixel front camera and a 3.7 megapixel rear camera, micro SD card, micro HDMI, two USB-C 3.1s, a 5,000 milliamp battery. All sound a lot like what the Radxa had, at least one of their options, and it comes with the courage port. Um, also known as the 3.5 millimeter audio jack. So, uh, I'm sure this is a nice premium tablet. It looks pretty slick, I guess.
32:44
But you know I went into the story totally hyped all about the price. But you know, I kind of talked myself down. I'm not as hyped anymore. I think for now I'm just going to stick with. You know, purchasing things like a used Surface Pro 3 tablet from eBay for $125. Does that work perfectly fine with Linux? I would love to support one of these, but $699. Maybe next week I could find something for Jonathan to buy. I have pointed in the direction of a couple more, but you know, and I got to keep. I got to keep doing this. I have to keep trying to find something for Jonathan to buy until his wife sends me a coffee my way, just one coffee.
33:37 - Jeff Massie (Co-host)
That's five bucks, Jonathan. A little blackmail there.
33:41 - Jonathan Bennett (Host)
Yeah, extortion. I think actually.
33:44 - Jeff Massie (Co-host)
You know, I think the most telling thing is this story is on a website. It's OMG! Ubuntu. They are very pro-Ubuntu and for them to say, oh, it's kind of pricey. The heart's up. Yeah, your cheerleaders are kind of going.
34:02 - Rob Campbell (Co-host)
oh that there are a few other, a few other tablets that I found I think they're in the article, in other places.
34:09 - Jonathan Bennett (Host)
Uh, similar as hardware and the thing is they're all about similar ish prices somewhat a little bit cheaper but yeah, so I think, I think that it maybe the price makes a little more sense, if you're, if you see it as a Surface Pro competitor, right, but I don't think that's how most people will see this, so I don't know, it's a hard sell. Yeah, well, I guess, like I have a Surface Pro 3 used 125, so I guess I just have to wait for the uh Juno Tabs.
34:42 - Rob Campbell (Co-host)
To, uh, Juno Tab 3. There's a one and two.
34:45 - Jonathan Bennett (Host)
I guess too. I'll have to wait for them to, uh, go on sale used. Yeah. Yep. Oh, all right, Jeff, if we want a little bit more power than this little Intel Celeron thing, what does, uh, I guess, Cloudflare recommend?
35:01 - Jeff Massie (Co-host)
Yeah, and this is another one Jonathan's probably not going to buy for the price, but it's a beefy little toy here. So now, while this next story doesn't deal directly with open source, we talk a lot about enterprise and servers. I found this article with the news at Cloudflare going with AMD EPYC Genoa-X for their next gen servers. I thought it'd be nice to take a little bit of a deeper dive into what a server actually looks like. You know, I should state there's many different configurations of servers, but this is what Cloudflare uses and it'll get you in the ballpark of what major companies' servers look like. You can have many configurations, but it gives you a general idea.
35:49
So the specific processor that you're going with is the AMD EPYC 9684X. It's going in a 2U1N form factor, while the previous generation was a 1U1N. The U is a unit of measure in the server world, so you can have various heights designated by U, and 1U is about 3.5 inches or 44.5 millimeters. The N stands for nodes and how many are in the server, but they're both one, so we're not going to worry about that. Now, paired with this new CPU is 384 gigabytes of DDR5 memory, with 16 terabytes of NVMe storage and a dual 25 gigabit Ethernet NIC, network interface card. And it's all powered by two 800 watt power supplies. Now, multiple supplies, because if one fails it'll give a warning. You can yank it out, slam in a new one and your server never goes down. There's a lot of redundancy in the server world.
36:47 - Jonathan Bennett (Host)
Yeah, they also have two different power circuits coming in, one for each of those.
36:51 - Jeff Massie (Co-host)
Yep. So if you blow a fuse it stays on. You know, I also thought the article was interesting because they describe how they went through their methodology of picking this new CPU and new platform. For example, they took an extensive survey of the CPUs available, they got in several samples and then they had three stand the different candidates that they used, their specifications and what they benchmarked it against. You know, which was the CPU and configuration of their previous server.
37:27
The AMD EPYC 9684X has 96 cores, the ability to handle 192 threads, base clock of 2.4 gigahertz with a max boost clock of 3.7 gigahertz single core and an all core boost clock of 3.42 gigahertz. It has 12 megabytes of cache per core with a total of 1152 megabytes of cache and a maximum configurable TDP of 400 watts. Do keep in mind the TDP figure is not a direct correlation to power, and both AMD and Intel have some funny math behind those values and it changes from generation to generation. So it's okay to use it to evaluate how much power is used relatively in a current generation, but it's not a good tool to go cross manufacturers or different generations of chips. So keep that in mind.
38:23
Now I'm not going to go into full details of the article because it's rather long.
38:27
But I think they do a good job of going over the methodology and what they're looking at when deciding to choose the configuration of their next server.
38:34
Not only do they go over the power and core efficiency, they even talk about the thermal design and how going from a 1U to a 2U chassis, which is an increase in height, would reduce the overall system power because they could slow down their fans and it gave them a power savings because they could also use a more efficient cooler. So there's a lot of great detail into what enterprise looks like when they're deciding what kind of configuration they're going to use. And you know it should go without saying. But no one is making a decision without a lot of data and testing. You know, because this is going into hundreds, maybe thousands or tens of thousands of servers, a 1% benefit might not sound like a lot, but when scaled to that size it turns into a sizable difference. Now I've got two articles linked in the show notes and you can see how they decided on the power and network and the memory and many other factors to come up with your final configuration and for those interested in enterprise server workings, this is kind of a good peek behind the curtain.
39:39 - Jonathan Bennett (Host)
There is something in here that is the best idea and I am super excited about it. I don't know that I'm ever going to be able to get a hold of one of these, but I can dream, um, the DC-SCM with Project Argus. It's a data center secure control module, so it's a baseband controller. For those who've ever worked with server motherboards, you usually have, the ones that I've seen, it'll give you like two gigabit Ethernet ports and there'll be a third Ethernet port on it, but the OS doesn't have access to that. That third Ethernet port is just for being able to like get into.
40:17
Usually you use something like remote desktop, um, or it's web-based. The better ones nowadays are web-based. Build a remote into the computer and do things like turn it off, reboot it, uh. Some of them will even let you upload, uh, ISOs and have like virtual disk drives to be able to make changes. Um, they're really great. The problem is that it's also a terrible idea to expose them to the internet, because they tend to have security problems and you just don't want that on the internet. So you know, if you have one of those, it's a great, plug them in, but make sure they're only accessible through your VPN.
40:53
Um, this, they have Project Argus, which is the baseband controller. It's also got like a TPM on it and a couple of other things as a standalone card that slots into the back. I just think that's great. Because, like, if you don't need it, you can buy a computer without it, and then if you decide you do need it, you can buy the server and punch it in there. And then, you know, five years down the road if you still want to use that server, or six months down the road, you know, whatever. And oh, something is wrong with that baseband controller, or it needs a security update, or what have you? Plunk it out, plunk the new one in. I think that's great.
41:29 - Rob Campbell (Co-host)
I think that's really amazing. I think that'd be great if you could get one of those cards and just plug them into any old non-server-grade server and have those features.
41:38 - Jonathan Bennett (Host)
So I was looking at this. It's interesting you say that I was looking at this and going I wonder if you could just do that with PCI Express, right? Could you get to enough of the stuff with a PCI Express bus?
41:49 - Jeff Massie (Co-host)
I don't know, you could do a lot of interesting DMA off of PCI Express, so maybe. I bet you there's a little secret sauce you'd have to expose to do with PCIe.
41:59 - Rob Campbell (Co-host)
You could run some tiny little operating system right on the PCI card. Oh, yeah. I don't know.
42:07 - Jonathan Bennett (Host)
Oh, for sure, for sure, you could. Really, the thing that you would run into is do you have access to everything you need? So if your machine has a VGA already, you know, if it has a monitor output already. But like, so, think of it, you could actually totally make this work. Make this PCI Express card not only your baseband controller, but also make it a display card and a USB host, and so if you don't have any other display card, then Bob's your uncle, you're in, that's all you need.
42:41
Yeah, I mean the biggest thing, the biggest uses.
42:45 - Rob Campbell (Co-host)
I've had is reboot or starting it up. If for some reason the host OS went down, somebody actually hit shut down instead of restart.
42:58 - Jonathan Bennett (Host)
So if you really need to, I'm sure you can reboot the machine from PCI Express Now, maybe a hard reboot, but I'm sure you can make that happen, oh sure.
43:09 - Jeff Massie (Co-host)
We're clearing those capacitors.
43:14 - Jonathan Bennett (Host)
Exactly.
43:15 - Rob Campbell (Co-host)
The thing that caught my eye on that story is how the clock speed was not much faster than the Radxa.
43:24 - Jonathan Bennett (Host)
Yeah, well, but I mean it's got like 64 or 96 cores. They're not looking for high clock speed. 192 threads. Oh, well, the Radxa had four.
43:34 - Jeff Massie (Co-host)
And when you're figuring that, you know, was it 300, would I say 384 gigs of RAM. You know there's a lot of bandwidth being sucked up, and that's also one of the differences between your home computers and server boards, is the amount of PCI lanes they expose to the outside world. If you buy 25 Radxas and kind of put them together in a cluster, then you get about the same thing.
43:58 - Jonathan Bennett (Host)
I'm joking. Uh, so, interesting. We talked about the PCIe KVM idea. Uh, Geerling has an article about something similar from back in 2022, so there are at least people thinking about it. Yeah, I've thought about different ways to do things like that. All right, we want to talk about Wayland.
44:21
Let's talk about Wayland. Yes, we do. Yes, yes, we do. We are fans of Wayland around here. We also get tired of things at Wayland either moving at extremely slow pace or some of the boneheaded decisions that Freedesktop makes. And, uh, yeah, it's, uh, it's sort of a double-edged sword, like we like Wayland, we love the idea of it, but it has, it has problems, um, and, uh, let's just say that, uh, people at Valve are also sick and tired of Wayland. So there are two engineers at Valve.
45:00
We're going to talk about them: Mike Blumenkrantz, and the first link is to his blog and he's got some stuff there. And then there is also, let's see, what is his name, I tried to say it, I'll find it here in a minute. Anyway, one of the other developers is, um, like I said, they're tired of things moving so slow, and so one of the first things that was done was the frog protocols, which, for those that have been a fan of the show for a while, or watch things at Wayland for a while, that, uh, that may actually sound familiar, because KDE already has, their HDR support is a frog protocol. Well, this is, uh, this is an effort to make that a little bit more officially unofficial, unofficially official. Official, it's basically staging. It's basically the same thing that Wine staging is for Wine. They are trying to make frog protocols of the Wayland staging, and this is a place where, if you have a neat idea and for whatever reason it's languishing in Wayland, you can just go and try to get it into frog protocols, and the people there are going to be a little bit more open to, uh, pulling in the.
46:23
The idea that you've got, um, yeah, it sounds like a great idea to me. Uh, and I've gotta say it sounds to me like Valve has forked Wayland, like it's a soft fork, it's a friendly fork, but Valve, Joshua Ashton, that's the name I was trying to think of, Valve has essentially forked Wayland. Um, and I see this as a shot across the bow to Freedesktop that if you guys don't straighten up, we're just going to take our toys and go play somewhere else. Along with that, we have the, uh, the work from Mike Blumenkrantz, who has a series of blog posts where he has made a series of suggestions for how to do governance at Wayland a little bit better. And it's things like let's be a little more open to new ideas, let's try to manage these things a little bit better. Let's specify. So there's things like a timer starts, but it was never specified. Once something goes in, it's got 30 days and then you have to vote on it. Like there's some things like that in governance, but it was never, um, it was never specified when that timer starts, and so people were playing kind of loose and fast with that. Uh, and then one of the other ones, and this one really tickles me because we've talked about this in the past. So Blumenkrantz has yet another proposal and it's let's clean up the idea of the NACK in Wayland, N-A-C-K, not acknowledge.
48:09
And in Wayland, technically speaking, there is a small group of people that are allowed to NACK new protocols and that's essentially a veto. There's a small group of people that have veto power, and the problem is that people that don't have that veto power have NACKed, Sebastian Wick is the one that comes to mind that really has abused this in the past, have NACKed things when they don't really get to. So this is a, uh, it states only people in this file can NACK a protocol, which, that's not really a change. Uh, he also says NACKs can only be used for extreme circumstances to block a protocol which does not belong in wayland-protocols, like it's veto. We should not reach for veto first, but then like the last thing.
48:58
This is the one that gets me. NACKs now carry consequences if they're used improperly, including the potential removal of anyone using them improperly. We're gonna, we're gonna Vaxry them is essentially what he's saying. We're gonna kick you out of the project for trying to NACK things when you're not one of the NACKers. It's hilarious. All of this tickles me a lot. I am, I am very, very humored by it. Um, then, anyway, he's got, it's like four blog post articles in here and you can then click through and find the actual proposals and, uh, interestingly, they've been received rather well, uh, so far, which is good. But Valve is tired. These two engineers, particularly at Valve, they are sick and tired of putting up with Wayland's nonsense.
49:48 - Rob Campbell (Co-host)
Yeah, Well, that's not the only thing these sick guys are working on.
49:55 - Jeff Massie (Co-host)
I just thought it sounded kind of like everything I learned or everything I needed to know about running a software project I learned in kindergarten. We're all going to get along and we're going to be playing, but there is a lot of, and I think this happens all over and we could make an analogous point, sounds like, to Rust in the kernel. Sometimes there's people that like, that's a different idea, I don't like it, you know, and I don't know, I'm one of those think outside the box, thinking new things, just always evolve, always change, always, you know.
50:38 - Jonathan Bennett (Host)
I mean. So one of the big problems with Wayland is that it is literally designed by committee right Like it's been its weakness for the longest time, and that committee has a thing for bike shedding every problem. Like, oh, you want to be able to set icons programmatically? Well, what if this and what if that? And what about a security problem? That has never, ever been a security problem, but it exists in my mind and therefore we should block this for it and just all kinds of weird stuff. We mentioned Brody earlier. Brody has a take on this and I think I agree with it. Wayland really, really needs a BDFL. It needs somebody in charge that can just make these decisions, because they don't needs somebody in charge that can just make these decisions because they don't have anyone in charge that can make decisions right now.
51:26 - Jeff Massie (Co-host)
I know in my professional life I never designed by committee. I will, you know, come up with an idea, or a small you know. Two or three of us will come up with an idea, lay out the framework, and then we present it and say what holes are there, or yeah, but it's kind of already got a direction and at least you know we, we got the house framed.
51:46 - Jonathan Bennett (Host)
Now we can argue about what color to paint it. Yeah, there's a delicate balance to walk there, because otherwise you just get so bogged down and everybody's got an opinion on all these little details, and that's where Wayland is. Um, I would imagine that you'll see some places like KDE will start to pull in these different frog protocols and just kind of wash their hands of Wayland for now and just fix stuff, which, yay. But I very much see this as a shot across the bow from Valve saying you guys need to get your act together or we will just, we'll just go, we'll just play without you.
52:26 - Jeff Massie (Co-host)
And, uh, and realistically, I think you could argue that Wayland's being driven, and in a large part by gaming. You know, because you know, I mean there is a security aspect of it. But you know, a lot of people like, oh, I want my games to play better, well, wayland is one of the things that can help that. Well, that's where Valve is and you know, you're playing in their sandbox now. Yes, yes, absolutely.
52:52 - Jonathan Bennett (Host)
So I see it as positive, I see it as a good thing and I hope it will be well received and changes get made and sanity reign. But we'll see. Rob, you've got some more Valve news about gaming and the Linux gaming industry. What is the rumor mill talking about these days that Valve might be up to?
53:16 - Rob Campbell (Co-host)
So let's keep this going.
53:18
Valve has completely changed the Linux gaming landscape, absolutely, when they decided to build the Steam Deck on Linux and push to get more Windows games to work on Linux with Proton. Today, a majority of games, Windows games, run great on Linux, sometimes with some tweaks, but for the most part you can get them mostly working, even, you know, even for Linux users not using the Steam Deck. This pushes improved gaming for everyone and, you know, although we aren't done yet taking over the gaming world, Valve may be planning to change the gaming landscape again. One of the things I often like to talk about on the show is our future moving to the ARM architecture. But you know, one thing we seem to fail to miss every time we bring this up is that Steam games don't work on ARM, and you know I don't have any ARM. Well, I don't have any main desktops that are ARM that I would be gaming on. So I, you know, I never even thought about it, I didn't realize it, but that's the case. So if we are to have this ARM future, we need to have gaming, as gaming often pushes the way for technology, and Valve might be getting ready to change that Linux gaming landscape again. Leaks in the SteamDB seem to show various VR and standard non-VR games being tested on ARM64 with Proton. In this leak it explains that, thanks to an open source project called FEX, F-E-X, I think we mentioned it before, but it's been a while, you to run x86 and x86-64 binaries on, uh, the ARM64, on an ARM64 host, um. The leak also mentions Waydroid, uh, the open source app which allows you to run Android apps on games, Android apps and games on Linux-based systems, provided you're running Wayland, which is why we love Wayland. But anyway, I digress there.
55:50
Many in this community appear to be skeptical, exclaiming there's no way it can be fast enough to be usable going through multiple translation layers. You know, first going through Proton to get Windows games to work on Linux, and then something like FEX and, you know, Box64, I saw people mention, to translate that over to ARM. You know, first, if some Windows games can run faster on Linux with Proton than they do on Windows itself today, who's to say there really will be that much of a loss going over to ARM? I don't know. It's likely there is, at the beginning at least, you know, or maybe, you know, maybe they plan to somehow merge these technologies together. I mean they're testing it. Obviously they think they can do something with it. Steam's not valid. I mean, I guess it's not sure they failed in some things in the past, but they seem to be rather successful. Either way, even if it starts out to be not very usable in the beginning.
57:03
You know, the start. This might be the start, you know, that it may take to show the world. You know, there's a market here also and there's a reason to be on ARM.
57:16
You know, when Steam first ported to Linux, Linux gaming wasn't that good. You know, did anybody say why is Steam going to Linux? Gaming on Linux sucks, you know. Maybe people did, and look at it today, you know. And then, even when the Steam Deck was first announced, gaming on Linux still had quite a ways to go. And you know, in just the last couple of years since we've had the Steam Deck, it's gone leaps and bounds, you know.
57:46
But these actions, you know, they showed the world there was a market. It got the developers to make tiny tweaks needed to get their games to work with Proton so they could run on Linux. You know, there's still work to be done, but these steps forward, you know, like the first steps needed to bring us to a fully ARM future. You know, maybe it starts out slow, maybe it doesn't work very good at the beginning, but as people make tweaks and see there's a need there, you know, maybe this is just what we need for our future. You know, the ARM future that we deserve, rather than the ARM future that we struggle to make work. You know.
58:33 - Jonathan Bennett (Host)
So there's a couple of interesting thoughts here. Steam has been working on putting Steam on the Chromebook for a while now, and a lot of those are running ARM, so this may be related to that. Um, it may be that Steam is going to release a Chromebook at some point. I don't know where they're going to partner with somebody that will, uh, but I tell you, the thing that comes to mind when I think about this is a really cool use for VR could be portable VR, and I know there's a couple of companies that have tried that. But you don't do portable VR with x86. Like, it's just not a thing. But you can do portable VR with an ARM host, and so, you know, there's been rumors about Valve making another headset. Yeah, I could see a headset that plugs into like a body pack that's an ARM machine. Right, like you could see, you could imagine different scenarios. It's, yeah, it's interesting. We will see what happens in the future. There's a lot of possibilities here.
59:42 - Jeff Massie (Co-host)
And I'll give you another one how relevant is ARM going to be if Intel comes out with their 86S processor that gets rid of all the 32 and 16-bit legacy stuff? Because they say that they can then become much more efficient and compete with ARM directly with the x86 code.
01:00:03 - Jonathan Bennett (Host)
I'm honestly a little dubious that it's going to make all that much difference. It will make a difference, I'm sure, but I'm not sure it's going to make that much Possibility. Yeah, yeah, we'll see All righty up. Next is more gaming news. Directx VK 2.4.1 is out, and there's something interesting in there, isn't there?
01:00:28 - Jeff Massie (Co-host)
Yeah. So after Rob's last story we're going to continue on with more gaming news and I probably am going to screw this up somewhere through here. So it's DXVK and it's that way. So if I transpose anything it's my bad.
01:00:46
Version 2.4.1 was released and for those that don't know, DXVK is a Vulkan-based translation layer for DirectX 3D versions 8, 9, 10, and 11. So basically, it allows DirectX commands to work with Wine. It gets used in Steam, Proton and other emulation tasks and it's mostly for gaming, or that's where the big majority of the use. It's for other programs too, but games are the meat and potatoes of it. Now, this is a point release, so it isn't a major rewrite, but it comes with a lot of fixes and some fairly significant changes. For example, the memory chunk size is now determined dynamically based on the amount of memory in the application that the application has already allocated. So developers say it should improve out-of-the-box behavior in various game launchers. So if you're fighting a game launcher, this should help ease some pain. Now there's a fix for where the Vulkan swap chain would not always be recreated appropriately in a native Wayland environment, and it also fixes an issue with descriptor pools growing too large on NVIDIA cards in some situations. Another general improvement is a change in the default shader code generation for DXBC, and now this one really is DXBC, instructions to work around flickering issues in games that use different vertex shaders to render the game geometry in multiple render passes. So I'm sure some of you have seen on Proton where you're looking around a scene in a game and once in a while, you know, certain textures will just flicker. This should help with that.
01:02:29
Now if you take a look at the article in the show notes you'll see where they list out the DirectX 9 and the 11 improvements. They also have a list of games and the specific things they fixed. For example, like Batman: Arkham Knight, they worked around an issue where the game does not start when it detects an Intel GPU. Microsoft Flight Simulator, they fixed a garbled screen on startup, and The Sims 4, they work around a crash caused by a use-after-free bug in the game. In total they list 17 games they've added fixes for and there's a whole lot of general improvements to make games not crash and to look better.
01:03:06
In the article there's a link to the GitHub page where you can get the latest version, and it should be coming through your favorite distro very shortly, as Steam has started to include it. If you're using another game engine or just need it for a Wine program, it also has tar packages and source code. I also know it should show up on Flathub very shortly, if it's not already there by the time you hear this podcast. So game on.
01:03:32 - Jonathan Bennett (Host)
Very cool. Nice to see it fixes continuing to land there. I'll have to go and try some of the games that I've had trouble with and see if this makes things work a little bit better and because of this it uh that's.
01:03:43 - Jeff Massie (Co-host)
That's where my uh command line tip came from yeah, there you go, all right.
01:03:50 - Jonathan Bennett (Host)
Uh, shall we talk about the big, the big, scary CVSS 9.9 from this week? Wow, let's chat. Yeah, yeah, let's talk about it. So I first saw this on Twitter when, uh, Simone, it's a fellow's name, he was talking about how that he found a Linux 9.9 CVE and was getting ignored and it was going to be terrible. And Red Hat has confirmed it and, oh my goodness, the sky is falling.
01:04:20
People got a little nervous about this. Um, and, uh, it is a real thing, there is a problem, but it's complicated. Okay, so it's about CUPS. It's an issue in CUPS, and specifically it's something called cups-browsed, which is a little scary when you get your mind around what it does. cups-browsed will automatically install printers that are found on the network, and so Linux has a couple of different ways that it finds printers, one of which is a DNS-SD or SD dash DNS, something like that. It's autoconf. It's one of the zeroconf services. It'll go out and it'll look for printers, it'll find them and it'll automatically install them, which maybe that's not what you want. Um, so, for example, on Fedora, this service is not started by default. On some Ubuntu installs apparently it is, um, and so he discovered that on his fresh install of Ubuntu, this service was out there listening on UDP port 631. Well, he got to looking at that and he realized that sending one of these special "hey, I'm a printer" UDP packets to port 631 will trigger a printer install, and in that packet you can specify, by the way, here's where you go find the IPP, Internet Printing Protocol, here's where you find the IPP description file, the IPP, and you can specify any URL. Well, so you put this together and you can send a packet to a machine and it will go grab this essentially printer driver from wherever you tell it to. So we're beginning to see something maybe not great. Okay, so there is a printer driver called foomatic-rip, and part of this printer driver is it has the foomatic-rip command line specification that you can put inside of one of these IPP files, and so the whole thing looks like this.
01:06:38
Here's the whole issue. If a computer is running cups-browsed and you can talk to its UDP port 631, then you can send it a packet that it will add a printer using a driver that you specify, and when a print job is sent to that printer, an arbitrary command will run. Like that's it. That's the vulnerability, that's the whole thing. And what's weird about this is, like, you specifically, they gave him like four different CVEs for this, right? But when you look at each of the CVEs, it's like, you know, one of the CVEs is UDP.
01:07:26
Port 631 does not require any authorization. It's like by design, like they designed it to not. It's only supposed to be internal to your network. It's designed to require authentication. You don't want your printers to have to authenticate to be able to add them automatically. It's like one of the other ones is, uh, arbitrary command execution inside this driver. It's like the the name of the option is command line.
01:07:51
Like you can tell me that that's not a good idea, but it's not a, it's not actually a vulnerability, it's by design. So each of these, you look at them, it's like it's doing what it tells you it's going to do. It's not a vulnerability. But then when you put them all together, by being able to access a port that may be open by default, you can install a driver and then all someone has to do is try to print to it and you execute code. So like there's a problem there. It's not nothing. It's not entirely a nothing burger, but it's just, it's one of these weird situations where it's like it's difficult to kind of draw the line of, right, here is expected behavior, expected behavior.
01:08:24
This is a vulnerability, and I wrote about this for Hackaday, of course, and I had somebody in the comments take me to task. It's like, well, obviously, if this is a thing, then, um, it's a vulnerability, and here's the quote: "the system will only be used as intended" isn't a security policy. It's somewhere between wishful thinking and outright denial of reality. I'm like, you can set your password to password and put SSH on the internet. Do you really want your computer to prevent you from doing that? You can expose Telnet to the internet. It's a terrible idea. These things that we interact with, they're user programmable machines. You can put them in insecure states if you really want to. Um, at some point, the end user has to take some responsibility for not doing dumb things with their machine, and I would say that exposing CUPS to the internet is a dumb thing that you should not do with your machine. And even before this came out, we really should have all known that it was dumb to expose CUPS to the internet.
01:09:30 - Rob Campbell (Co-host)
So that's my take on this so I only looked at this very briefly, but I thought. I thought there was something about somebody could trick you to print something and it would trigger it.
01:09:42 - Jonathan Bennett (Host)
You have to print to the new printer before it will trigger the arbitrary shellcode execution.
01:09:48 - Rob Campbell (Co-host)
Oh, that's right, it was something like. It does the thing, but then it doesn't actually trigger until you print to it. Is that Yep?
01:09:58 - Jonathan Bennett (Host)
Yep, yep, because what this driver does is it lets you write like a shell script to handle the data manipulation to print it, and so, like, you've got some of these drivers that they use this and they will run your documents through a Perl script to be able to format it right for the printer to be happy with it.
01:10:16 - Rob Campbell (Co-host)
Yeah, it's kind of a thing that you need to have, but, like many things on a network, like almost everything on a business network, except for server or some web server type resources, they shouldn't be exposed to the internet. And I mean so if somebody got onto your network and was able to, you know, trigger this from within your network, there's maybe a problem already there.
01:10:44 - Jonathan Bennett (Host)
Yeah, it's not great. It's not like there is actually a problem here, but it's unclear, like where the vulnerability exactly lies and what the right solution is to fix it.
01:10:55 - Rob Campbell (Co-host)
So in a business environment, you know, where you have a lot of employees on that network, could, you know, one of the bored employees, or whatever you want to call them, that day, like, I'm going to trigger this on here? Yeah, no, absolutely.
01:11:14 - Jonathan Bennett (Host)
It's very much a thing that someone could do in that kind of environment.
01:11:17 - Rob Campbell (Co-host)
that's not good.
01:11:23 - Jeff Massie (Co-host)
Yeah, but that would be a pretty insecure network.
01:11:25 - Jonathan Bennett (Host)
Usually corporate's got that stuff really locked down and yeah. So my, my recommendation is use one of the two commands. So either systemctl or like nmap and see if this is. If this thing is on your machine and if it's running and listening, just turn the service off. You're not really losing anything by turning, uh, cups-browsed off. So just if it's there, just disable it, stop it and go about your business. It's, it's not the end of the world, it's not.
01:11:52
Oh, by the way, he, he claimed that he thought it was going to be a CVSS, so the Common Vulnerability Scoring System, a score of 9.9. It is not a 9.9 because you have to have user interaction to be able to print to the printer. I'm not sure what it ended up scoring at, but it's definitely not a nine. I was gonna say, if you knew what it.
01:12:09 - Rob Campbell (Co-host)
It recorded in the CVSS score. Yeah, not, not a 9.9.
01:12:16 - Jonathan Bennett (Host)
Last I checked, they hadn't actually given it a score yet. I can go back and look and see. Go back and see if it's been made public. That's not the link that I wanted. That's the link that I wanted, anyway. Oh, I have the last story, so I can't get one of you guys to stall for me. Oh, Jeff can talk about nothing.
01:12:45 - Rob Campbell (Co-host)
Go for it been doing it all through the show already so, oh, shots fired, so anyway, um we was gonna say I was just going to say here's my commentary on Rob, then, ouch, I wrote nothing. Okay, got it.
01:13:05 - Jonathan Bennett (Host)
Anyway. So we mentioned something last week that I do want to circle back around to and I'm going to call this errata, and actually Rob mentioned it, and it was the idea that Microsoft is locking down their security driver and that might make it easier for Linux gaming to work. All right, you remember that last week we talked about that just a little bit, well, I remember. So I heard that mentioned in another context, and it was someone being rather dismissive of that idea, and so I went and I did some research on where this came from, and it is a Notebookcheck article that is linking to a Microsoft, oh, what would you call it? It's sort of a. It's a Microsoft blog post, but, like, it's a, industry leaders met together and discussed cybersecurity and resiliency.
01:14:07
You know, it's one of those corporate articles and it does not say very much. It's sort of, it sort of gives you some hints about things that Microsoft is thinking about, but it does not say very much. It does not say that Microsoft is going to lock down what security vendors are allowed to do, and it definitely does not talk about anti-cheat for games, right? So we may have been a little over ambitious in covering this, and this Notebookcheck article has gotten called out as being, you guys are kind of just making this up. I don't know if that's entirely fair to say. Um, there are some things that are like slowly moving in the direction of let's not let everything in the kernel. Maybe that's a bad idea, uh, but you know it's not, it's not a sure thing there yet. It's, uh, it's just.
01:14:54 - Jeff Massie (Co-host)
I think people are thinking about that now. Well, I think, uh, think Steve Gibson talked about that, right, that was part of the CrowdStrike and getting things out of the internals of the kernel, and the only reason they let him in is because he mentioned that they originally had stuff in the kernel. You know, the everybody's got to play fair. They can't have their anti-virus, anti-security software tied deep into the kernel and not let anybody, let anybody else in. So then there was talk and maybe they need to have a higher level API, that so it doesn't. You know, you kind of keep everybody out of the, the deep, deepest corners of the kernel and then what?
01:15:36 - Jonathan Bennett (Host)
Or Linux just has to, uh, mimic or match, or have their own API outside of the kernel that works along with that and boom, you got anti-cheat on Linux. Yeah, so I, I wanted to come back and cover that again because, like I said, we may have made a little bit too much of it, but it's not nothing either and we actually get the links in there for people talking about it. Um, and the, the 9.9 CVE. Uh, Red Hat here ranks it as a 6.1, so not, not quite the hair on fire experience. They got a little upside down.
01:16:09
Oh wait, I guess that'd be one that night. Yeah, all right, let's, uh, let's talk about some tips. Let's get this command line tips. I think at least two of us are running command line tips. Uh, we're gonna let Jeff go first with curl. Rob, did I say. I was looking at you. We're gonna let Rob go first with curl.
01:16:34 - Rob Campbell (Co-host)
I was like you taking my story, jeff. Come on, why do you do this to me? All right, anyway. Uh, it's, I mean it's. I guess it's the curl command. Um, it's not, I don't know it's literally curl.
01:16:54
You're literally running curl. The command is, it's how to get the weather in the command line and it uses curl to do that. So what, what we're doing here is if you type curl, space, wttr.in and if you just do that and hit enter, it will, based off your IP, detect your location. Otherwise you could do a forward slash and your town and that will also work. I couldn't figure out necessarily how to do if your town is in multiple states or other locations. I don't know how to do that yet. But, uh, simply type in that, hit enter and it's going to pull down a nice weather. So right here in Mankato it's 82 degrees, 8 mile an hour wind, and it's got the morning, noon, evening and night forecast for three days. So for today, tomorrow and the next day. Um, if you want, you can actually. Obviously, this is just curling an HTTP site out there, HTTPS site, a website out there, so you can also just put that in your web browser too and it's going to do the same thing.
01:18:16
Um, one thing I was doing when I was playing around with this is like what happens? What kinds of automation could you do with this? What happens if you put this into a file? I did curl wttr.in and not pipe, but redirect that into a test.txt file.
01:18:47
And now if I look in there with nano it looks a little messed up. But what's cool, if you, uh, cat that file, so cat test.txt, because it's, I suppose, because it's in the terminal, it is, um, reading the formats in there for the terminal, the ANSI color, do that and boom, it looks just as pretty as when I curled it out. So I don't know what. You got a quick little way to get the weather in the terminal and maybe you can do some automations. You could do all kinds of things programmatically with that and just have fun. If you ever want the weather in a script or who knows, maybe you can put that in your, uh, message of the day. So when you SSH in or start up your terminal, boom, nice weather forecast.
01:19:35 - Jonathan Bennett (Host)
And that's actually a cool idea. I like that. Um, so I I did. I did a little looking on this.
01:19:42
You can do a slash zip code to, to also specify where you're at and, uh, it didn't work for me when I did. It works for me, I don't know. Um, and then, for whatever reason, it gave me weather in Celsius and I prefer freedom units and so you can do a question mark u at the end to get the US units. Oh, I was just going to ask that very thing because I, I pulled it up and I'm like, hey, it's all metric.
01:20:10 - Jeff Massie (Co-host)
I don't know what any of this means oh, okay, I did the zip code now.
01:20:13 - Rob Campbell (Co-host)
Maybe I had the wrong slash, I don't know, but uh, so. So I guess you can do slash zip code, slash zip code. Yeah, as you saw, with mine, mine was the Freedom Units and I didn't do anything special.
01:20:32 - Jonathan Bennett (Host)
So, for whatever reason, wttr does not see me as American enough for that, I guess. All right, that's fun though I like that I may have to make that part of my message of the day or part of my shell script for my prompt.
01:20:45 - Rob Campbell (Co-host)
All right. So the weird thing is, it does work with my zip code, but it doesn't necessarily work for other zip codes. I put in the zip code for a town where I work and it gave me someplace in Deutschland.
01:21:05 - Jonathan Bennett (Host)
Odd.
01:21:06 - Rob Campbell (Co-host)
And so it's a zip code in Deutschland too, I guess. I guess, Whatever, because it's Mine worked.
01:21:11 - Jonathan Bennett (Host)
Koblenz, Rheinland-Pfalz, Deutschland. Uh, so it's not perfect. It's, yeah, it's not perfect. Yeah. Uh, Derecho points out that, oddly, mine's all in freedom units. So what it does, it tries to figure out, like it uses IP geolocation and it says, okay, where is this IP address probably coming from? And it'll give it to you based on that. And so it depends upon whether you have an IP address that in their geo, geolocation database comes up with being in the US or not.
01:21:45 - Rob Campbell (Co-host)
For whatever reason, mine just. Did you try yours without the slash and did it get your right location, that, you know, just the curl wttr.in? Um, mine, it says, uh, weather report not found, but then it also gives me weather, but it doesn't have like a town.
01:22:06 - Jonathan Bennett (Host)
So I don't, I don't know where mine is coming from it doesn't know where you're at yeah, there's no idea where I'm at matt, which makes sense, so wherever it is currently uh 33 c and it's going to be a high of 28 c tomorrow and 21 c the day after that well, I did read something.
01:22:28 - Rob Campbell (Co-host)
I can't remember that it, if it can't find it like, it'll do a 404 and it'll give you the weather for a town.
01:22:36 - Jonathan Bennett (Host)
That's the coldest place in the world, or something I don't know if that's the coldest place in the world or something. I don't know if that's the coldest place in the world, but it's colder than it is here sad somewhere I don't know where I read that at, because I think I think 22c is about 70 fahrenheit or something. I mean it sounds nice. I would prefer it to be that cool as opposed to the.
01:22:58 - Rob Campbell (Co-host)
You know, and it may not be the coldest place in the world today but, like I think, historically. So, so when you do, I get, uh, Oymyakon is the weather report at the top. I see it's only 30 Fahrenheit right now, so I mean I don't know, it's just summer there.
01:23:17 - Jonathan Bennett (Host)
I guess All right.
01:23:22 - Jeff Massie (Co-host)
Let's talk about Protontricks. Yeah, so this kind of can be both. You can run it in a GUI or in the command line, and I kind of hinted at this. So my last story generated this tip. So a little background: I was playing a game and they did an update and it started crashing for me. Whatever they did really wrecked up the gaming. For me it just made it unplayable, and this was on Steam. So I went to Proton Hub or Proton Database, and looked at the suggestions and how people tried to fix it and, long story short, I found where they said well, you need to install the latest DXVK to make this work, and they also suggested Protontricks to install it.
01:24:11
Now I'm sure many of you have heard of Winetricks, which will install special libraries or DLLs to make Wine work better with specific programs or Windows itself. Well, Protontricks does this same thing and it does require Winetricks, but it will install special libraries and other code that will make your specific application, your gaming application, run. Protontricks itself is just a script that runs on top of Winetricks to give you a more targeted install of what you need to make your games run. Now, there isn't a lot to know about it other than you run it, and it's pretty self-explanatory. You know if you go by the GUI, you just go by the menus.
01:24:56
You know, if you want to change something to make your game work better or make it work at all, you know, Protontricks is how you do it and you know you just, uh, select what you need and it's, it's good to go. You know probably the easiest way to get it is off Flathub. So when you, you run it, it will then ask, you know, you, you get off Flathub, start it up. It asks you where your Steam is located, gives you a list of games that you have installed and then you can decide what you want to install for that specific game. Now I should note that if you have not run the game at all, it will not find the game, so you need to at least have tried to launch the game once. In the show notes I've linked the Flathub and the GitHub for everyone so you can continue to have a great gaming experience. Very cool.
01:25:46 - Jonathan Bennett (Host)
All right, I will probably be doing that sooner after I install my shiny new NVMe hard drive upgrade. All right, I've got one that came up, uh, doing some work stuff this, this week, last week, sometime relatively recently. Um, I, we are doing some custom hosted GitHub runners and one of our guys had a problem with the, uh, the runner seeing the same name coming up multiple times, and GitHub did not like that. So I thought to myself, well, surely there's a way to just get some randomness from /dev/urandom and like express that as, let's say, a couple of hex bytes. Okay, so I've figured out a way to do it.
01:26:26
I don't think we've ever talked about this before, and so here's a. Here's a real quickie for you: xxd -p -l 2 /dev/urandom, and that will go get two bytes out of /dev/urandom and it'll print it as hex bytes and it'll output it, and so you can run this as part of a script. You know, you can use the back ticks to, to run it and just use the output that it gives you. And so we, we now all some of our GitHub runners, it's, uh, you know, for example, JP1 is one of mine, so it's like JP1 dash and then four random hex characters, two hex bytes, and that is enough to keep them from colliding, because GitHub will clean all these ephemeral runners out after 24 hours anyways. So if you just need a couple of random bytes of hex, there you go.
01:27:14 - Rob Campbell (Co-host)
That's the quick way to do it. There you go.
01:27:19 - Jonathan Bennett (Host)
That's the quick way to do it. And I tell you, I tell you, if you go looking for the way to do this online, you will find some answers where people are like here's this Perl script that'll do it for you and here's how you do it in Python. How do you do it? Just on the command line. It should be quick. It should be a really short command for this it is. I found it uh, all right. That is uh. That's it for command line tips and for news. It has been been a lot of fun but a lot of stuff going on this week, uh and uh, I very much enjoyed it. We're gonna let each of the guys get the uh the chance to either get in the last word or plug something, or I suppose both. They want to Rob. What do you have?
01:28:04 - Rob Campbell (Co-host)
All right, this week I have something really special for you. I have on the screen the place you can come and connect with me, and that is at robertpcampbell.com and on that website you'll see this right here that you see behind me, with a spot to my LinkedIn. I've had some people connect with me there recently. Spot on my Twitter. Honestly, I'm not very active there so I'm not sure if anyone's connected there recently, but you, you know, you can tell people you're my friend there.
01:28:42
Uh, Mastodon, I am more active there. I check, at least check that regularly and post, uh, try to post often, ish. And then here is a spot to donate a coffee to me. And you know what? I got an idea. Since these other guys, like, um, Jeff and David when he's on and Ken, since they don't have a public, uh, persona like this, if you want to donate them a coffee, if you want to donate a bunch of us coffee, you know, four coffees and just put in the comments once for Jeff, once for Ken, once for David, once for Rob, I'll make sure.
01:29:20
I'll make sure they get it and all they have to do is check on it and see if their name is on there, and then they can call me on the show that, hey, where's my money. So you know, just do that in the comments, I'll make sure they get it. And you know, if you don't want to give it to everybody, if you want to exclude Jeff, I completely understand. You could just put David, ken and Rob and have three on there, and yeah, it's right there.
01:29:50 - Jonathan Bennett (Host)
Shade getting thrown.
01:29:53 - Jeff Massie (Co-host)
All right, and, jeff, like I said, that one was pretty good Point for Rob on that one. If you want to connect with me I guess LinkedIn, but you'll have to probably just go find Rob and then I'm friends with Rob on there so you can connect with me that way. But it's just Poetry Corner, nothing too crazy. Cables have been cut southwest of northeast of somewhere. We are not amused.
01:30:23 - Jonathan Bennett (Host)
A great week everyone. I remember rolling out to a job where somebody called us up, our telephone system's down, we can't make phone calls. We roll up to this place and we go inside and we're, like you know, clip on with the butt set and, well, no, no, we're not getting anything from AT&T. And then you walk out back to the van to go back to the next stop. You turn and, like they were up on a hill, and you look down between the houses and you see a digger and three guys standing around it looking down into a hole and we're like I think we found it. And, yeah, that's what it was.
01:30:59 - Jeff Massie (Co-host)
They trenched through it yeah somebody going hey, there's a cable here, yeah, no, so what?
01:31:05 - Rob Campbell (Co-host)
construction cuts like copper and fiber yeah, yeah, a lot more often than you'd realize.
01:31:10 - Jonathan Bennett (Host)
Yes, and so what they, what they were doing. We went down there, we talked to them about it too and like they're like pull out a tape measure and like that's, that's totally 12 inches away, because they got it marked. But it's like if you hit it and it's within X number of inches of the marking, you get to pay for it. They're like no, no, we're totally, we were fine, we're not going to have to pay for that. I hope.
01:31:31 - Jeff Massie (Co-host)
Well, it happens with gas lines too. Ooh, yeah, that's even worse. But yes, it does. And side note, I know somebody who works at a gas company and handles calls for stuff like that, and it makes it worse when they're like, well, we're trying to pinch it off and it's like, no, just walk away calmly. Yeah.
01:31:50 - Jonathan Bennett (Host)
Far away. Yes.
01:31:52 - Jeff Massie (Co-host)
Sparks backs pressure. Don't want to do that. There's your safety tip of the week. Yes.
01:31:57 - Jonathan Bennett (Host)
Just walk. Don't want to do that. There's your safety tip of the week. Yes, just walk away. When you trench through something, just walk away and then call it in. Yeah, all right, thank you guys for being here. Uh, I am, of course, Jonathan Bennett.
01:32:08
You could find my work primarily at Hackaday. We've got FLOSS Weekly and the security column goes live there. The security column on Fridays, Hackaday will record or FLOSS Weekly record on Tuesdays and it goes live every Wednesday. We have a lot of fun with that. If you do feel like I've earned a tip just because I'm one of the cool kids and I have a, buy me a coffee as well. That mine is. Just slash, jay Bennett, keep it real simple there. We do appreciate everyone that catches this live and those that watch us on the download. And hey, we will see you next week on the Untitled Linux Show. Hey, folks, do you enjoy the show but just wish you could have more. Want to be more plugged in to Twit? Well, you should jump on Club Twit. It's about the price of a cup of coffee per month and it gets you access to Discord. It gets you access to the shows without the ads and a whole bunch more. Really need to check it out. Come join Club Twit today.