0:01

This week on BSD Now we

0:03

are depriving deployment of

0:06

PNFS while sharing the

0:08

sharing the free BSD as a to

0:10

use instead of what to

0:12

use instead of PGP this or

0:14

background in this or opinions. The also slow

0:16

of the FOS of the

0:18

foster plus iconic consoles of

0:20

the IBM System of the

0:22

IBM years later 55 week

0:24

on BSD. week on BSD now.

0:43

BSD now, episode 588 PGP alternatives, recorded on the of November

0:45

on the 25th of November now

0:47

is brought to you by episode of BSD

0:49

Now is brought to you

0:51

by slash BSD to tarsnap .com backup for

0:53

find online backup for truly paranoid

0:55

people. support you want to support

0:57

this show in one way

0:59

or the other, out check out

1:01

our Patreon page at patreon .com BSD

1:03

bsd now. And we thank

1:05

you in advance for that. Hi, I'm

1:08

I'm your host, Erik Treuschling.

1:10

And I'm Tom Jones. And

1:12

I'm everyone. Hey We have, well, surprise,

1:14

surprise, surprise, a a new show

1:16

for you today. Where's Benedict? Where's the

1:18

year going? How is it How

1:21

is it Remember what? How is

1:23

it November? November? How is it November?

1:25

Oh, time passes? I passes? I

1:27

think it... No, I thought I thought we got some

1:29

got some control over that. When

1:32

was the last time you recorded? recorded,

1:34

was It might have been September.

1:36

It might have been September. September even, okay. That be

1:38

why time is disappearing, because

1:41

I'm not experiencing it. It's

1:43

just a continuous. flow

1:46

no, not a flow of, a flow flow of,

1:48

just just every day is the same? No,

1:50

that can't be. be. day is differently the

1:52

same. the same. It's unpredictably, unpredictable,

1:54

but that's the same

1:56

but that's the same. Yeah, that's the

1:58

same for me, me, but. least I

2:01

have schedules and stuff planned.

2:03

Why make plans when they

2:06

will change? Failing to plan

2:08

as planning to fail? I

2:10

mean, I was on the

2:13

way to a planned hospital

2:15

appointment on Friday and we

2:18

managed to schedule an unplanned

2:20

hospital appointment from the journey.

2:23

Like, what's the point of planning? It's

2:25

all just going to fall apart. Having

2:27

no schedule is just chaos. But it's

2:29

already chaos with a schedule. Yeah, I

2:31

mean, I'd rather do a schedule that

2:34

deviates rather than having no plan what

2:36

I'm doing this week or the next.

2:38

I'd like to live my life via

2:40

a crontab. I could just like set

2:42

up a crontab on my watch and

2:44

vibrate and be like... So you have

2:46

these at-report entries? Yeah, repeat for everything.

2:48

Or at random, like open BSD has,

2:50

where you can say, ah, whatever. Yeah,

2:53

we don't have that random freebie. We

2:55

should have, this is a nice feature,

2:57

like do a random prototype execution. I

2:59

have a lot of computers, as I

3:01

might have said before. The last two

3:03

computers I set up, one of them

3:05

is a backup mirror, and the other

3:07

one is just a test bench machine,

3:09

like it's plugged into a serial console

3:11

and a J-tag adapter and loads of

3:14

stuff. And for both of those they

3:16

come up via DHCP and I'm not

3:18

sure where they'll be or I'm not

3:20

sure when they will come back up

3:22

or if they will because who knows.

3:24

And the backup machine I need to

3:26

put in disc pass phrases for the

3:28

ZFS volume but at least it will

3:30

boot so I don't have to go

3:33

to the attic. And for both of

3:35

those I put in a reboot directive

3:37

with Nifty so it sends a message

3:39

via pushover. But I was speaking to

3:41

DCH, they've called Huber about this and

3:43

he's like, it didn't work. Like it's

3:45

really inconsistent. Like you might not get

3:47

it if the network's not they were

3:49

after a reboot. And as far as

3:51

I can tell, because obviously I don't

3:54

know when the machines restart, when they

3:56

restart, they tell me. Then maybe you

3:58

put it in ETC, ETC, RC. because

4:00

by that time the network might

4:03

be up. So maybe, I mean,

4:05

one of these is on Wi-Fi

4:07

and it's come up fine. The

4:09

other one is wired into the

4:11

Wi-Fi. But yeah, there must. People

4:15

talk a lot about system D

4:17

and they complain about system D.

4:19

And yeah, it's definitely a big

4:21

model with it. It's got a

4:23

lot of problems. But free BSU

4:25

is definitely lacking a system layer

4:27

where like on MacOS, you can

4:29

have launch D run a job

4:31

once a day or once a

4:33

period and it will deal with

4:35

suspend. So you can suspend overnight

4:37

and it will do something sensible

4:39

or you can spend overnight and

4:41

it will reboot. And I don't

4:43

think we have anything like that.

4:45

Like I want this to run

4:47

once when the machine starts, once

4:49

there's networking, because part of this

4:51

part of the pushover message tells

4:53

me the IP address of the

4:55

machine. And if there's not networking,

4:57

it doesn't matter if it's booted

4:59

or not, because I can't SSH

5:01

into it. And that's the sort

5:03

of stuff we get from a

5:05

system layer, but I think we're

5:07

still lacking it. I have a

5:09

similar thing where I have like

5:11

the raspberry pie with the ZFS

5:13

storage on it and I of

5:15

course do add monthly to a

5:17

ZFS scrub. But the thing is

5:19

not on all the time, so

5:21

it could be that it's missing

5:23

the spot where the month happens.

5:25

So what I did, I installed

5:27

anachron, which is anachronous, anachronous, anachronistic,

5:29

that picks up, oh, a month

5:31

has passed and I should run

5:33

the ZFS scrub, or Zepul scrub.

5:35

But so if you had a

5:37

machine with a bunch of daily

5:39

jobs like that and you turned

5:41

it on, would they all just

5:43

run it once, right? It's

5:46

hard. Like, I don't think it's an

5:48

easy, easy solution. But it's, yeah. Okay,

5:50

we'll let our users decide. Please send

5:52

us emails. Like, I want to know

5:54

how you handle this. How do you

5:56

get machines to tell you they've reboot?

5:58

And if the answer is, um... Monitoring?

6:00

I'm not going to do that. I

6:02

want the machine to tell me. I

6:04

don't want to set up monitoring for

6:06

the stuff in my house. I mean,

6:08

I do want to set up monitoring

6:10

for all the stuff in my house.

6:13

I don't have time to set up

6:15

monitoring for all the stuff in my

6:17

house. I don't have time to set

6:19

up monitoring for all the stuff in

6:21

my house. So I need to stop

6:23

monitoring for all the stuff in my

6:25

house. So I need to set up

6:27

monitoring for them. Okay

6:32

we're all already knee deep into

6:34

our daily daily problems but we

6:36

also have headlines for you this

6:38

week and this one starts off

6:40

with a chloro article about deploying

6:43

PMFS files or file sharing with

6:45

freebie. What is PMFS you ask?

6:47

That's the parallel NFS. So we

6:49

get into this. The article starts

6:52

with the venerable network file system

6:54

NFS, has been expanded with distributed

6:56

capabilities. PNFS version 4.2 allows distributing

6:58

data across multiple servers to increase

7:01

performance and fault tolerance. Learn how

7:03

to deploy high speed resilient storage

7:05

system quickly and easily with 3BST.

7:07

So that's the new part, the

7:09

parallel part. So it's distributed, not

7:12

a single server. It's over multiple

7:14

such NFS servers. Okay, let's start.

7:16

Previously supports a variety of protocols

7:18

for sharing files over a network.

7:21

The most common ones are NFS.

7:23

and SMB, which is a server

7:25

message block, NFS originally came from

7:27

some microsystems and is widely used

7:30

between UNIX systems, comparatively SMB comes

7:32

to us from the Windows world.

7:34

So SMB is a good fit

7:36

when sharing files with end-user systems

7:38

and when relying primarily on user-based

7:41

authentication. NFS is more appropriate in

7:43

the following ways. First, where client

7:45

machines are trusted. Second, tied tightly

7:47

to the local infrastructure. And third,

7:50

We have a one-to-one mapping of

7:52

file ownership and permissions between the

7:54

client and server. Okay, with the

7:56

ability to map identities and the

7:58

optional use of NFS

8:01

version 4, offers more flexibility than

8:03

the earlier versions of NFS did.

8:05

As a non-proprietary protocol, that is

8:07

widely supported by many operating systems,

8:09

NFS remains a popular choice for

8:11

network file sharing. And here, one

8:14

of the newer innovations in NFS

8:16

is P-NFS. The P lowercaseP stands

8:18

for parallel. That is what we'll

8:20

introduce in this article. This article

8:22

is, by the way, written by

8:24

Oliver Kittle on Clara Systems.com, if

8:27

I haven't mentioned that yet. So

8:30

what is the P&FS part? Traditional

8:32

network file systems typically rely on

8:34

a single server to handle all

8:36

data storage requests that causes a

8:39

limit to how far they can

8:41

scale as the volume of data

8:43

and the number of clients increases.

8:45

P&FS enables operations to be distributed.

8:47

across multiple servers in a parallel

8:49

but coordinated manner. This distributed architecture

8:51

allows for increased data throughput. There

8:54

are other solutions that take a

8:56

similar approach, such as the luster

8:58

file systems. However, PMFS can leverage

9:00

existing NFS infrastructure and supporting technologies.

9:02

The fundamental concept behind PMFS involves

9:04

separating the control and data plane,

9:07

so that is in both, so

9:09

separation of control and data plane.

9:11

While the control plane remains responsible

9:13

for managing metadata and coordinating access

9:15

to the distributed file system, the

9:17

data plane handles actual data transfers.

9:19

By decoupling these two functions, PMFS

9:22

can support parallelism with multiple clients

9:24

able to access data simultaneously from

9:26

different back-end storage devices. Clients access

9:28

data directly from the data servers

9:30

by passing the controlling metadata server.

9:32

This allows for a significantly greater

9:34

scale. The metadata server does remain

9:37

as a single point of failure

9:39

and a bottleneck for metadata operations,

9:41

however. That's good to know. The

9:43

NFS protocol standard allows for a

9:45

variety of possible back-end storage layouts

9:47

for the NFS, including block-based storage,

9:49

like disks, fiber channel, or ice-gazi.

9:52

Then there's object-based storage and files

9:54

stored directly onto a traditional. system.

9:56

And PMS exposes aspects of how

9:58

the data is stored and distributed,

10:00

such as mirroring, to the clients

10:02

as layouts. The client gets via

10:04

a request to the metadata server,

10:07

and the metadata server can delegate

10:09

control to an area of storage

10:11

to a client and recall it

10:13

at any point if needed. The

10:15

metadata server can also decide to

10:17

degrade to a normal NFS operation.

10:19

This is either to improve performance

10:22

for a particular request or to

10:24

support an older client. And how

10:26

do I configure this with our

10:28

free BSD in particular? So previously

10:30

12 and later support file-based layouts

10:32

of both the server and clients

10:35

and the metadata server and all

10:37

data servers need to be free

10:39

BSD systems but the clients can

10:41

run any other operating system. What

10:43

to do is you add the

10:45

following lines to your RC.conf, NFS

10:47

server enabled equals yes, NFS4 server

10:50

enabled equals yes, NFS4 underscore server

10:52

only equals yes, and NFS server

10:54

flags is dash T minus dash

10:56

n32. So these are the ones

10:58

you need. The metadata server needs

11:00

to have the dash map route

11:02

equals root option, but this can

11:05

be skipped for other clients. And

11:07

here's an example in your ETC

11:09

exports. So here they have slash

11:11

data with dash map road equals

11:13

root and NFS dash MDS. and

11:15

the rest is a regular NFS

11:17

share as far as I can

11:20

tell. Okay, in the NFS server

11:22

was already running, restart Mount D,

11:24

for the changes to be activated,

11:26

and if it isn't already running,

11:28

start with the service NFSD Start.

11:30

You should then be able to

11:32

see the exported file system listed

11:35

in the output of Show Mount

11:37

minus E. and

11:39

the data directory, so they

11:41

create a couple of data

11:43

directories from zero DS0 to

11:46

DS19, and these directories include

11:48

the top level needed by

11:50

the root owner, the actual

11:53

number of subdirectories can be

11:55

configured on the metadata server

11:57

with VFS.NFS.0 deersize CISCTL. Okay.

12:01

So the criteria for that depends

12:03

on how many files in the

12:05

sub-directory, the underlying file system can

12:07

handle before performance, the grades, and

12:10

this is less problematic on modern

12:12

file systems. It can also be

12:14

increased respectively if you only anticipate

12:16

a moderate number of files, the

12:18

default may be sufficient. So how

12:20

to configure the PMFS metadata server?

12:23

The metadata server needs to mount

12:25

the file systems from each of

12:27

the data service on itself using

12:29

NFS 4.2. Demand page is very

12:31

specific about the amount options and

12:33

what you say there is in

12:36

ETCFS tab, one example NFS 4

12:38

dash data 0. Mount to data

12:40

zero, NFSRW options, NFS version 4,

12:42

minor version equals 2, soft and

12:44

retrans equals 2. So, and they

12:46

have the same entry for data

12:49

1, 2, and 3. So

12:52

they also enable NFS at RC.conf on

12:55

this client as we did on the

12:57

data server. We also add the dash

12:59

P option in FS server flag. So

13:01

all of these examples are provided in

13:04

the article of course and they go

13:06

through configuring the server part as well

13:08

as the clients where they also say

13:11

in the mount option for example providing

13:13

a PNFS option. Otherwise it doesn't recognize

13:15

that it's running on PNFS. So data

13:18

mirroring for storage data, data mirroring can

13:20

be configured so that each data store

13:22

file is on two or more data

13:25

servers, which is important for redundancy. The

13:27

PMFS service as a whole can be

13:29

resilient to failures as a single data

13:32

server in the configuration. However, mirroring may

13:34

defeat some of the benefits of PMFS

13:36

as data rights need to be sent

13:38

to multiple servers. The app so reading

13:41

will be quicker, but writing needs to

13:43

be slower because you need to write

13:45

the copy to all servers involved. So

13:49

when using P&F as mirroring there

13:51

are two utilities to control the

13:53

cluster run from the metadata server

13:56

P&FSDS kill allows a particular data

13:58

server to be brought offline and

14:00

P DS copy MR which is

14:02

used to restore files onto the

14:05

repair data server or onto a

14:07

repair data server. There

14:10

are a little section about local file

14:12

access as well, but the conclusion is,

14:14

with the P&FS functionality, 3BSD gains support

14:16

for a distributed file system in the

14:19

form that builds on the stable and

14:21

familiar base of the existing NFS implementation,

14:23

and while there are some notable limitations

14:25

stemming from the separation of data in

14:27

control planes, P&FS offers improved performance and

14:29

scalability, and provides a useful additional tool

14:31

for organizations wishing to optimize the storage

14:33

infrastructure. That's cool. Have

14:36

you ever used this Benedict? I tried

14:38

to because I was also looking at

14:40

writing an article for the journal, but

14:43

I was lost in the documentation a

14:45

bit so that didn't happen. So I'm

14:47

glad to have this article from Clara

14:50

now to kind of try it out

14:52

on my own. So when you have

14:54

multiple mirrors, you get better read performance

14:57

and worse write performance. So if you

14:59

run PNFS on top of ZFS mirrors,

15:01

Would you just get the worst right

15:04

performance possible? Yeah. That would be fun.

15:06

That would be fun. That would be

15:08

a great article to put together, like,

15:11

how to get the worst right performance?

15:13

So I can definitely see the benefits,

15:15

like I have a couple of read-only

15:18

things that I export via NFS. That

15:20

will be beneficial for reading, but since

15:22

I have these I read only, I

15:25

will probably have no problem there. And

15:27

if one server goes down, then the

15:29

other one can still provide the files.

15:33

But in different scenarios, that needs

15:35

to be considered. I just always

15:37

fascinated the idea of making the

15:40

worst possible things. More layers, more

15:42

layers. Well, you get all the

15:44

important lessons. Like if you set

15:47

out to do something terribly, you

15:49

have a great standard, right? Like.

15:51

Then make it fast again by

15:54

removing stuff or optimizing it. There's

15:56

like a really famous tail scale

15:58

blog post about. and

16:01

the first line is like going

16:03

on social media again right now

16:05

and the first line is like

16:07

oh and I used K8 to

16:09

scale up to 500,000 requests per

16:11

day and they're like but that's

16:14

point two requests per second and

16:16

I saw this yesterday and I

16:18

was like my my 386 free

16:20

BSC mission could do 22 requests

16:22

a second yeah scale without all

16:24

the other difficulties you get by

16:26

using Kubernetes or complexity So,

16:29

talking of complexity that leads us

16:32

into the next article, this comes

16:34

from, oh I don't know how

16:36

to say this name, Sautok, Sautok,

16:39

Sautok, please tell me how to

16:41

pronounce your name, send us an

16:43

email, it'd be great. At Sautok,

16:46

they wrote me how to pronounce

16:48

your name, send us an email,

16:50

it'd be great. At Sautok, they

16:53

wrote this on the 15th of

16:55

November this year, and I refuse.

16:59

They write, he writes, it's been more

17:01

than five years since the PGP problem

17:04

was published and I still hear from

17:06

people who believe that using PGP, whether

17:08

Gannu Piji, or open PGP implementation, is

17:11

a thing we should be doing. It

17:13

isn't. I don't blame individual internet users

17:15

for this confusion, but there is a

17:18

lot of cargo culting around communication tools

17:20

in the software community and the evangelists

17:22

for the various projects muddy the waters

17:25

for the rest of us. in

17:28

between like every I can say

17:30

paragraph but it's not not true

17:32

every paragraph there are Pictures from

17:34

their furry sticker collection which are

17:37

great to see, always wonderful to

17:39

see art. The part of the

17:41

free and open source software community

17:43

that thinks PGP is just dandy

17:46

and therefore evangelize the hell out

17:48

of it to unsuspecting people are

17:50

the same kind of people that

17:53

happily use XMPP and O Memo

17:55

matrix or weird signal forks that

17:57

remove forward secrecy and think it's

17:59

fun. to Mintz words, the same

18:02

people who believe PGP is good

18:04

are also famously not great at

18:06

cryptographic engineering. If you're going to

18:09

outsource your opinions on privacy technology

18:11

to someone else, make sure it's

18:13

someone who's actually found vulnerabilities in

18:15

cryptographic software before, most evangelists have

18:18

not. This is bold. I'm not

18:20

here to litigate the demerits of

18:22

PGP. The latter core article

18:24

I looked above makes the same arguments

18:27

I would make today and is more

18:29

entertaining read. It is of my opinion

18:31

that a security engineer who specializes in

18:34

applied cryptography that nobody should use PTP

18:36

and there's virtually always a better tool

18:38

for the job you want to use

18:40

PTP for. And for the uncommon use

18:43

cases offering a secure purpose but replacement

18:45

is a work in progress. Note, I'm

18:47

deliberately being born in this post because

18:50

literally more than a decade of soft-spokenness

18:52

from cryptography experts has done nothing to

18:54

talk with users off the PGP cliff.

18:56

Being direct seems more effective than being

18:59

tactful. If you want a gentler touch,

19:01

ask your cryptographer. If you don't have

19:03

a cryptographer, hire one. Did it? Okay,

19:06

yeah, cool. I don't have one. If

19:08

you can accept that every billionaire is

19:10

the result of a failed system, that's

19:12

how cryptographers feel about people using PGP.

19:15

Instead, let's examine the use cases of

19:17

PTP and what you should be using

19:19

instead. Some of this is redundant with

19:22

the latter core article, but I'm also

19:24

writing it five years later, so some

19:26

things have changed. I'm focusing on the

19:28

what in this blog post, not the

19:31

why. If you want to know the

19:33

why, read the Latin or a blog

19:35

or the Matthew Green blog, both linked.

19:38

If you're curious about the credibility of

19:40

my recommendations, read my other blog posts

19:42

or ask your cartographer or hire one.

19:44

Instead of PDP, use this. This selection

19:47

contains specific tools to solve the same

19:49

problems that PDP has tried to solve

19:51

but better. What makes these recommendations better

19:54

than PDP, simply they don't make cartographers.

19:56

people are forced to use PGP because

19:58

they work for a government that legally

20:00

requires them to use PGP. In that

20:03

quarter case, your hands are tied by

20:05

the lawyers, so you don't need to

20:07

bother with what cryptographic cryptographic... with what

20:10

cryptographers recommend. On that note, the hackerspace

20:12

of which I started, and I'm still

20:14

a director of Dunno why, I can't

20:16

escape, until last year in our articles

20:19

of association, so the laws of the

20:21

company, we were required to PGP sign

20:23

things to ask for money. Which is

20:26

really funny because basically nobody knows how

20:28

to use PGP, including several directors who

20:30

have gone through, never figured it out.

20:33

One time, just to see if anyone

20:35

was paying any attention, I just reused

20:37

someone else's signature on a message to

20:39

acknowledge it. I just copied and pasted

20:42

the plain text blob around it. So

20:44

it just, it did the ex-KCD check

20:46

of like, is this signed? Well, it

20:49

starts with PGP, it must be, it

20:51

must be, it must be correct, this

20:53

idea. Someone checked, they totally called me

20:55

out, I was like, I was like,

20:58

it, I was like, it, it, it,

21:00

it, it, it, it, it, it, it,

21:02

it, it, it, it, it, it, it,

21:05

it, it, it, it, it, it, it,

21:07

it, it, it, it, it, it, it,

21:09

it, it, it, it, it, it, it,

21:11

it, it, it, it, it, it, it,

21:14

it This is your article then. I

21:16

didn't write this, but like... Yeah, you

21:18

will see yourself in there many times.

21:21

And there's also solutions in there, not

21:23

just... So it's 2024. So I'm going

21:25

to 38C3. This is also 10 years

21:27

since the first CCCC2, C3, because of

21:30

a global event. And

21:32

things were very different in 2014.

21:34

There were crypto parties and that

21:36

was not anything to do with

21:38

blockchain. There was a big key

21:40

signing party which I refused to

21:42

go to because it just seemed

21:44

like utter nonsense to me, which

21:46

is very funny because a key

21:48

signing party you signed people's PGP

21:50

keys by looking at their passport,

21:52

which is just insane. But it

21:54

was also before the release of

21:56

Let's Incrypt and Let's Incrypt popped

21:58

up. soon afterwards, but there was

22:00

an organization there who would take

22:02

your legal ID and give you

22:04

a free SSL certificate. Eventually, I

22:06

never got my SSL certificate because

22:08

let's encrypt happened before I could

22:10

do this. But like the world

22:12

has changed a ton. And yet

22:14

we're still here telling about PGP

22:16

and how to get rid of

22:18

it because it's like you go

22:20

to be direct sometimes. It really

22:22

needs to go away. Yeah,

22:24

and have alternatives that are usable

22:27

and secure, of course, and all

22:29

that. For context, right? So Benignon,

22:31

the editorial board of the free

22:34

BST journal, and we were looking

22:36

through the back catalog on Friday

22:38

in our normal call, and one

22:40

of the issues we looked through,

22:43

which was missing on the archive,

22:45

but she'll hopefully be fixed, was

22:47

the arrival of MIPP's in free

22:49

BSD. That was 2015. Mips left

22:52

for BSD last year and yet

22:54

PDP still everywhere and there's been

22:56

no progress. We removed an entire

22:59

processor architecture, added and removed. I've

23:01

also added more since. Anyway, I

23:03

promise I can focus normally. It's

23:05

just time of day. Like

23:11

who is the idea or

23:13

authority on PGP? Like is

23:15

there is a software behind

23:17

it or a company that

23:19

manages it? It's kind of.

23:21

And there's also GPG, like

23:23

it's... Okay, so you... What

23:25

needs changing if we want

23:27

to have something else? Like

23:30

for free BSD, we probably

23:32

just need to pick a

23:34

tool, right? Like open BSD

23:36

uses Signify, which is a

23:38

tool they wrote for signing

23:40

distribution releases. They mentioned in

23:42

the article something like Mini

23:44

Sign. Yeah, so there's other

23:46

stuff available. I'm not the

23:48

person to ask. Someone... I'm

23:52

not the present to ask about cryptographic properties,

23:54

but I use computers a lot and I

23:56

have a lot of opinions. I am very

23:58

annoyed at computers right now. I

24:01

installed iOS 18 and it

24:03

changed stuff and I'm not

24:05

happy about it. That's a

24:07

different podcast. But I know

24:10

what usability is like and

24:12

GPG, the tools are not

24:14

usable at all. They are

24:16

a nightmare. I have a

24:19

friend who does. He

24:21

works in providing software to activists in

24:23

seriously dangerous places, and he could not

24:26

figure out how to get GPG to

24:28

show the dialogue you type your password

24:30

into. Too much for hours, he couldn't

24:32

figure out, like it just wouldn't work.

24:35

And there was no, there's nothing there.

24:37

And the software shouldn't be in this

24:39

complex. It's too much. As we'll see,

24:41

and we'll go serious. always

24:44

write to the show like feedback at

24:46

base you know dot TV because um

24:48

engagement content there's no algorithm we don't

24:51

need to engage we're gonna do a

24:53

show no matter what but it's good

24:55

to hear from people because so much

24:58

to get lost in here so in

25:00

the early 90s the cipher punks mailing

25:02

list which you can acquire was like

25:05

a home for a lot of cryptography

25:07

and strong cryptography was illegal to export

25:09

from the US there's lots of like

25:12

um It was a place

25:14

to build up a strong community and

25:16

people had very strong opinions and a

25:18

lot of software was being invented. And

25:20

GPD was one of these things and

25:23

it escaped the US by being published

25:25

in a book so it became free

25:27

speech so the constitution protected it and

25:29

so it was exported this way. So

25:31

you could sit and you could type

25:33

in all of the source code and

25:36

there was a check on the end

25:38

of it line. And

25:40

this is a wonderful story and it's

25:42

great fiction, but it's 2024. It's not

25:44

90-94 anymore. It's been 30 years. We

25:46

don't need to use this. We can

25:49

use tools which work well. Yeah. And

25:51

all the security things that are happening,

25:53

the every day you hear something, data

25:55

breaches and stuff, is that part of

25:57

the problem? No. doesn't have to be

25:59

attributed, right? Like it doesn't need to

26:01

be a failure with GPG or tools

26:03

like this. The fact that they're difficult

26:05

means they're not used. And so we're

26:07

missing good tooling. Or used wrong, yeah.

26:09

But it's not that they're used wrong.

26:11

It's just they're not used at all

26:14

because people like was too hard. Or

26:16

they just pick another default. Or what

26:18

people really do is they just. Bacon,

26:21

whatever, like they just use what

26:23

someone else recommends them to do.

26:25

And the recommendations being GPG and

26:27

it's really easy to use wrong.

26:30

And these recommendations are things which

26:32

you can use right. And so,

26:34

software, signing, software distributions. Use six-store.

26:36

Note that this is an ecosystem-wide

26:38

consideration, not something that specific individuals

26:40

must manually opt into for their

26:42

hobby projects. The only downside to

26:44

six-store is it what isn't widely

26:46

adopted yet. If you're a Python

26:48

developer, you can just use PEP

26:51

740 to get attestations with trusted

26:53

publishers, which gives you Six Store

26:55

for free. For most developers, this

26:57

is as simple as setting up

26:59

a GitHub action to publish to

27:01

Pi-Fi. This is a developing trend.

27:03

Other programming languages and package management

27:05

ecosystems are following suit. I expect

27:07

to see Six Store attestation attestations,

27:10

baked into NPM before the next

27:12

US presidential election. This is November

27:14

24. With any luck, your favourite

27:16

programming language could be on the

27:18

list list too. Sigstore doesn't just

27:20

give you a signature that you

27:22

check with a long-lived public key,

27:24

nor does it require you to

27:26

do the web of trust rigmarole.

27:29

Rather, Sigstore gives you a lot

27:31

for free. Sigstore was designed around

27:33

ephemeral signing certificates rather than long-lived

27:35

private key. It was purpose built

27:37

for preventing a supply chain attacks

27:39

against open source software. combined with

27:41

reproducible builds, Sigstore involves the triangle

27:43

of secure code delivery. I wonder

27:45

what the third part is. I'm

27:48

not going to read this though,

27:50

I've been very distracted. Alternatively, use

27:52

mini-sign. If your package ecosystem doesn't

27:54

support Sigstore yet, you can get

27:56

it get by with mini-sign, which

27:58

is Signify, compatible to thing on

28:00

BSD uses, until the modern. can

28:02

use SSA signatures, you'd prefer more

28:04

than that below. Signing get tags

28:07

and commits, use SSA signatures with

28:09

ED 25519. Stop using RSA. Signing

28:11

files between computers. Use magic wormhole.

28:13

You can use SSA and RNSH

28:15

and R sink, that's fine too.

28:17

Encrypting backups. Tar SNAP is the

28:19

usual recommendation here. Tar SNAP is

28:21

what we would recommend for BSD

28:23

now because we're paid to. The

28:26

author of this article then says

28:28

there are a lot of other

28:30

encrypted backup tools that work fun.

28:32

If you don't want to give

28:34

Colin Percival your business, I don't

28:36

have a financial stake in any

28:38

of them, nor have I ordered

28:40

them thoroughly. I do want you

28:42

to give Colin your business. You

28:44

should give Colin your business. He's

28:47

great. There are worse situations than

28:49

letting Colin your data. It's, it's

28:51

great. There are worse situations than

28:53

letting Colin your data. It's such

28:55

a funny. There's really good. It's

28:58

been a long time since anyone's time. Our own

29:00

experience and having that good experience, we recommend it

29:02

to other people. Part of the quality of tar

29:04

snap is that the client is open, but the

29:06

server isn't. But there's been a really thorough review

29:08

of the client. I mean, it used to be

29:10

a talking point in the BSD now ads, but

29:12

I think it stopped being interesting, so we still

29:14

talking about it. So being more code review, code

29:17

review, code review is good. Everyone loves code review.

29:20

Or, other than Tarsap at Borg uses

29:23

reasonable cryptography, but I haven't had time

29:25

to review it carefully. Copia looks fine.

29:27

I really hate that they misuse zero

29:29

knowledge to describe an encryption protocol rather

29:32

than a proof system. We should not

29:34

reward this behaviour by marketers. The point

29:36

is you've got options. Too many options

29:38

to sell for PGP. Incrypting

29:41

application data, use Tink or

29:43

Lib sodium, avoid open PGP,

29:45

open SSL and its competitors,

29:47

yeah, encrypting files, use Age.

29:49

Age is what PGP file

29:51

encryption would be if PGP

29:54

didn't suck shit, and it's

29:56

probably going to be be

29:58

beeped. It's in the. yeah.

30:00

Age has two modes, public key encryption

30:03

and password based key derivation. Here's a

30:05

quick comparison table. I'm not going to

30:07

read a table to you. If you

30:09

want, you should go and look at

30:11

it. Some PDP proponents

30:13

will insist that AED is possible now,

30:16

but as long as the install-based PDP

30:18

remains backwards compatible with the lowest common

30:20

denominator, that's what your software uses. Just

30:22

use age or rage if you're a

30:24

rust enthusiast, and if you have concerned

30:26

about which age key should I trust,

30:28

and we're ready planning an age v1

30:31

extension for the public key directory project,

30:33

more in that below. Private

30:35

messaging use signal. Security teams around the world

30:38

insist that they need PDP for bug bounty

30:40

submissions or security operations, but signal does this

30:42

job better than PGP ever did. Once upon

30:44

a time, you needed to give people a

30:47

phone number to use signal. That hasn't been

30:49

the case for a long time. Still many

30:51

people have missed that memo when they think

30:54

it's a requirement. My signal username is so

30:56

talk.45. Go ahead and message me. You won't

30:58

learn my phone number that way. In

31:01

the near future I plan on developing

31:03

end-to-end encryption for direct messages on the

31:05

Fediverse. This is what motivated me to

31:07

work on public key directory to begin

31:09

with. But it's not a signal competitor

31:11

by anyway. It's a bar raising activity,

31:14

nothing more. I understand why some people

31:16

don't like her trust signal for whatever

31:18

reason, but every single alternative that's been

31:20

suggested to signal has offered inferior cryptography

31:22

to signals, so I'll continue to recommend

31:24

signal. Miscellaneous PGP

31:26

alternatives, this section contains things people

31:28

think they need PGP for, identity

31:31

verification. I'm working on something better,

31:33

but it's been worked on. And

31:35

there's this ex-case CD comic of

31:37

P signed message. If you want

31:39

the ability to say If you

31:42

want the ability to vend a

31:44

transparently verifiable public key for a

31:46

given user, that's one of the

31:48

use cases of the public key

31:50

directory I'm designing in order to

31:53

build end-to-end encryption for the Fediverse.

31:55

Although this is purpose built for

31:57

the Fediverse, I've deliberately included support.

31:59

auxiliary data messages whose formats will

32:01

be specified by protocol extensions. Rather

32:03

than trying to grow up the

32:06

web of trust, you can simply

32:08

have your software check that multiple

32:10

independent key directories have verified the

32:12

record, since its inclusion is published

32:14

in an append-only transparency log secured

32:17

by a murkle tree. Some people

32:19

know what that means. I

32:22

know what it means, but some people

32:24

are like shouting at the podcast. My

32:26

design doesn't preclude any manual key verification

32:28

or key signing parties or other PGP

32:30

cultural weirdness you want to do with

32:32

these weird public keys. It just establishes

32:34

a baseline trustworthiness even if you're not

32:36

a paranoid computer nerd. If you want

32:38

to have a key signing party, you

32:40

could just have a normal party where

32:42

you talk about computers. Or we could

32:44

have an assembly party, library, just to

32:46

look at some assembly together. It was

32:48

great fun at BSD. but you don't

32:50

have to have a key signing price.

32:53

It's just nonsense. My project isn't finished

32:55

yet. In the meantime, you can manually

32:57

check public keys when using other recommendations

32:59

on this page. Encripted email. Don't encrypt

33:01

email. No,

33:03

I'll call it, I'll read the

33:05

description. Email is insecure. Even with

33:07

PGP, its default plain text means

33:10

that you can do everything right.

33:12

Some totally reasonable person, you email,

33:14

doing totally reasonable things, will invariably

33:16

see the quoted plain text of

33:18

your encrypted message to someone else.

33:20

We don't know what PGP email

33:23

user who hasn't seen this happen.

33:25

PGP email is forward insecure. Email

33:27

metadata, data, including the subject, which

33:29

is literally message content, or always

33:31

plain text. There

33:33

isn't a recommendation for encrypted email

33:36

because it's not a thing people

33:38

should be doing. There exists a

33:40

minority of extremely technical computer user

33:42

for which signal is a non-starter

33:44

because you need a smartphone and

33:46

valid phone number to roll in

33:48

the first place. Because these people

33:50

are generally not the highest priority

33:52

of cryptographers who are commonly focused

33:54

on the privacy of common folk,

33:56

including people in foreign developing countries

33:58

where smartphones are more common in

34:01

the desktop computers, there presently isn't

34:03

a really good recommendation. private messaging

34:05

that meets their constraints. Not matrix,

34:07

not X-N-P-P-P-P-P-P-E-M-O. Certainly not P-G-P either.

34:09

What P-G-P offers here is security

34:11

theatre, the illusion of safety, and

34:13

a lot of difficulty, but it's

34:15

not actively a robust private communication

34:17

mechanism as latter core argues. I

34:20

insist that I need encrypted email. If

34:22

you find someone insisting what they need

34:24

encrypted email, read up on the X

34:27

by problem, in a lot of cases

34:29

that's what's happening here. Do they ipso

34:31

facto need email, as in specifically the

34:33

email protocols and email software? And do

34:35

they care more about this constraint or

34:37

the privacy of their communications? Because if

34:40

their goal is to communicate privately, look

34:42

above, If the tool they're using being

34:44

email is more important than privacy, they

34:46

should consider sending empty messages with an

34:48

attachment and use age to encrypt the

34:50

actual message before attaching it. That's serviceable.

34:53

Just be aware that everything using, that

34:55

everything lacquera about encrypted email still applies

34:57

to your use case to expect someone

34:59

to CC or forward your message as

35:01

plain text. Unless you're legally required to

35:03

use PBPP. Finally, miss

35:05

me with the, but someone can

35:08

screenshot signal a genre of objection.

35:10

As Latin worded people accidentally fuck

35:12

up PGP all the time. It's

35:14

very easy to do. Conversely, you

35:16

have to deliberately leak something from

35:18

signal. There's no plain text mode.

35:20

And then they have a watch

35:22

of the space. Yeah, this is

35:24

a great article. Thank you for

35:26

writing it. Oh, there was an

35:28

update the next day. And with

35:30

more, someone tried to use their

35:33

fettera for a comment to this

35:35

blog post, so I've added more

35:37

furry art to it. Yeah, there's

35:39

a lot of further on this,

35:41

but it's a great blog post.

35:43

You should go and read it

35:45

and you shouldn't send us really

35:47

negative stuff about this. Check out

35:49

the tools and try them out

35:51

as alternatives. You can send us

35:53

comments on the things I've said.

35:56

I don't mind. I can not

35:58

read email. I'm really good at

36:00

not reading it. encrypted email benefit.

36:02

I think I did once and

36:04

then the key expired and then

36:06

they couldn't do email anymore years

36:08

later and then they were like

36:10

can you still decrypt this or

36:12

forward me that message which is

36:14

exactly what they were talking about

36:16

and yeah I don't even read

36:18

your own messages anymore. Yeah of

36:21

course not. If you didn't see

36:23

it to yourself encrypted with your

36:25

own key then it's not it

36:27

but then Yeah,

36:29

madness. It's a mess. Okay. The

36:31

slow evaporation of the fossil surplus

36:33

is what we also have in

36:36

the headlines. from Baldur,

36:38

Biena son. And that goes free open

36:40

source has been on my mind lately

36:43

more than usual. So far as in

36:45

this case or OSS for short the

36:47

distinction matters a lot but for the

36:50

purpose of this post we are two

36:52

different they are too similar enough to

36:54

lump together. So this was triggered by

36:56

reading a couple of posts the other

36:59

day. The first is is the open

37:01

source bubble about to burst and the

37:03

other one is the post that links

37:06

to it but adds their own thoughts

37:08

okay. So they have been worried about

37:10

the state of open source software in

37:13

general and having read these two posts

37:15

is a good excuse as any of

37:17

them to getting the rudimentary outline for

37:20

the worry out of the page. So,

37:22

short version. Their mental model of FOS

37:24

is that it's a function of industry

37:27

and labour surplus. First, industry. The software

37:29

industry has extremely high margins, products that

37:31

are both non-rivalers and non-excludable will do

37:33

that, and historically easy access to investment

37:36

because of both low interest rates and

37:38

the pervasive belief among the financial class

37:40

that successful tech companies grow exponentially for

37:43

extended periods. And the second is labor,

37:45

even though coders come from varying backgrounds,

37:47

once they have a career, many, if

37:50

not most, become relatively high-income middle class

37:52

with significant spare time. A non-trivial number

37:54

of coders in California also have moderate

37:57

wealth from being secondary or tertiary beneficiaries

37:59

of industry. events which

38:01

let them work on FOSS as

38:03

much as they want. This is

38:05

what keeps a surprising number of

38:07

FOSS projects afloat. So industry surplus

38:09

also leads to a labor surplus

38:12

in that companies let coders work

38:14

on related FOSS projects during work.

38:16

They derive FOSS surplus generates billions.

38:18

There are trillions of dollars of

38:20

value for the economy and most

38:22

of the costs, cost of creation

38:24

and opportunity costs and the FOSS

38:26

competition with your more lucrative proprietary

38:29

products. Where it appeared were the

38:31

surpluses that the false surpluses derived

38:33

from are decreasing. Why? Because first,

38:35

high interest rates decreases available investment.

38:37

Second, less investments in any software

38:39

that isn't AI which itself doesn't

38:41

really do real open source. And

38:43

the third is COVID growth reverting

38:46

to the mean triggering reassessment or

38:48

reassessment of tech industry growth. Fourth

38:50

is industry management pop culture as

38:52

fixated on layoffs as a magic

38:54

cure and increased coder unemployment leads

38:56

to less time for OSS. Fifth

38:58

is OSS burnout. Very few frost

39:01

projects are lucky enough to have

39:03

grown a sustainable and supportive community.

39:05

Most of the time it seems

39:07

to be a never-ending parade of

39:09

angry demands with very little rewards.

39:11

When the software labour market was

39:13

growing steadily, maintainers often got replaced

39:15

by fresh-eyed graduates or coders who

39:18

relieved or relied on the project

39:20

at work. And number six is

39:22

companies and many sectors are cutting

39:24

costs of the years of overspending.

39:26

So as the surplus decreases, the

39:28

costs associated with FOSS participation become

39:30

less tenable to most organizations. Why

39:32

compete with AWS or similar services

39:35

that will offer your own FOSS

39:37

projects at a dramatically lower price?

39:39

Why subsidize projects of little to

39:41

no strategic value that contribute anything

39:43

meaningful to the bottom line? or

39:45

why spend on OSS when other

39:47

work is likely to have higher

39:49

ROI? Or why give your work

39:52

away to an industry that treats

39:54

you as disposable? Anecdotally, Fos also

39:56

seems to be losing users. funding

39:58

for non-A-I software are

40:00

usually very heavy

40:02

OSS users. OSAs users. Some

40:04

reaching for LLM generated code before

40:06

even look for for an OSS project, both disconnecting

40:08

those those projects from opportunities to

40:10

grow a sustainable community and

40:12

nullifying the strategic advantage of having

40:14

made an OSS solution for OSS

40:16

solution for a problem. Note trained on are originally

40:18

trained People OSS. are unemployed or

40:20

jaded by the software industry have

40:23

fewer site projects side let's be

40:25

honest, let's be there are healthier hobbies

40:27

available. available. Best scenario seems to is that

40:29

that open for software and has

40:31

a period of decline. After all,

40:33

that's generally what happens to

40:35

complex systems with less investment. Worst

40:37

case scenario is a vicious cycle

40:39

to a collapse. collapse. First, declining

40:41

surplus and burnout leads to maintainers

40:43

increasingly stepping back from their projects. Second,

40:45

many of these these projects either bitrod, bugs

40:48

or get taken over by malicious actors

40:50

who are highly motivated because they they

40:52

rely on pervasive memory bugs bugs exploits. exploits.

40:54

The third is OSAs increasingly gets a

40:56

reputation to serve deserved or being unsafe

40:58

and unreliable. And the fourth is

41:01

that is in users leads to

41:03

even more leads to stepping back. So

41:05

this is an inevitable correction.

41:07

The The JSPM PM ecosystem, for

41:09

example, is almost certainly unsustainable

41:12

in its current form form and

41:14

has coasted. of years of O

41:16

investment in useless startups and

41:18

Microsoft's to own the entirety

41:20

of software development. But a

41:22

correction is still destructive if you're

41:24

unknowingly relying on an unsustainable system. We

41:27

don't yet know which parts of

41:29

the yet know which parts of the fast system is

41:31

and which is and which is on the

41:33

hot air of startup funding, the

41:35

funding, the past of startup employees of startup

41:37

believe that Microsoft for all of this

41:40

shit helps them. this should make money

41:42

somewhere else. else. And we don't know,

41:44

it's hard not to worry about all

41:46

of it. all of it. Okay, Okay,

41:48

interesting points. I think I

41:50

think the BSD

41:52

ecosystem has demonstrated sustainable.

41:54

Over the years. And I the years.

41:56

And I think been has been

41:58

demonstrated sustainable. and it would

42:01

be great, I don't expect someone

42:03

to listen to our podcast, just

42:05

to have an argument with them,

42:07

maybe I will send you a

42:09

larger and email, but no, like,

42:11

I mean, what criteria would it

42:13

take to understand if an open

42:15

source project is sustainable? And, oh,

42:17

there's an effort working in this,

42:19

because Alice Southerby, Southernby, yeah, the,

42:22

the new project manager, the previous

42:24

issue, she talked about this at

42:26

the, at the, vendor

42:28

summit, EuroBSTCon, EuroBSTCon, like having,

42:30

I mean we can say

42:32

that the JavaScript NPM ecosystem

42:34

is not sustainable and I

42:36

don't think anyone would argue

42:39

because a joint put a

42:41

lot of money into this.

42:44

There isn't a lot of money going into

42:46

free BSD and there's definitely not a lot

42:49

of money going into Debbie, even if they

42:51

can buy a lot of pizza. They buy

42:53

pizza for many debit cups. But what about

42:55

other projects? Because I mean, we have pretty

42:57

good experience with free BSD. We have an

43:00

understanding of the availability of money. There's the

43:02

free BSD foundation. There's definitely a lot more

43:04

work happening than this being paid for. There's

43:06

a lot of volunteer work and a lot

43:08

of shirt burnout. And a lot of bus

43:10

factors were the number of people that need

43:13

to get hit by a bus is several

43:15

and they're already missing. But it's definitely got

43:17

a sustainable model, right? We could reduce scope

43:19

drastically and keep the project going for a

43:21

long time. I still have releases and yeah.

43:24

It'd be good to hear more opinions about

43:26

what's sustainable as well. Hang on. I've read

43:28

a lot of notes on this BSD now

43:30

for things to follow up on, which is

43:32

weird. I never normally do that I never

43:35

normally do that. I think it's the time

43:37

of the recordings to the recordings to the

43:39

recordings to the recordings to the morning. Could

43:44

very well be. Yeah, and this

43:46

is an interesting talking point because

43:48

it kind of affects all these

43:50

open source projects and it comes

43:52

down to a how much money

43:55

and talent can they attract to

43:57

continue and is the one required

43:59

for the other like. you don't

44:01

have money, can you attract talent

44:03

or if you don't have talent

44:06

and money? I think that that

44:08

side, we've a lot of evidence

44:10

for it. So there's a lot

44:12

of open source projects where there's

44:14

definitely no money. There's no money

44:17

in nine front. Like no one

44:19

is leveraging off working on nine

44:21

front and starting a career from

44:23

there. There's not money in most

44:25

open source operating systems at all.

44:28

There might be paths, but in a

44:31

lot of cases, the more need you

44:33

get as soon as you get away

44:35

from a BSD, which is already very

44:37

obscure, but it's a BSD podcast so

44:40

we don't feel like that. Once you

44:42

get away from a BSD, then it

44:44

feels like, what are your steps? I

44:46

spoke to some of the developers of

44:49

artems. It's a real-time operating system. It

44:51

happens to... include

44:53

the whole freebie network stack. It's a real-time

44:56

operating system runs in a flat address space

44:58

and everything without virtual memory. So everything is

45:00

addressable. And one of the people in that

45:02

project, he works for a company that does

45:05

a lot of the funding behind our times.

45:07

So maybe that's not really sustainable because it's

45:09

one company driving it. But he said that

45:11

they try and hire people. And he has

45:14

to argue with the people he interviews that

45:16

they have experience working on real-time systems. Like

45:19

they interview like students coming into the

45:21

industry because they at least in 2018,

45:23

2019, that was like how we was

45:26

trying to hire people and you had

45:28

conversations with them that they have experience.

45:30

Yeah, I mean, real-time operating systems or

45:33

real-time systems in general, that's probably in

45:35

the university that I can oversee. Like,

45:37

you've done some art doing our programming

45:39

and that is enough real-time experience for

45:42

us because you have experience of bare

45:44

metal. Okay, so not a specific course

45:46

they took? Yeah, no, but genuinely genuine,

45:48

like that's the level he was breaking

45:51

it down to. And that is a

45:53

very niche operating system, right? If you

45:55

went and worked on our Thames, it

45:58

wouldn't be obvious how you would... progress

46:01

from that into a job

46:04

somewhere else, else. You would need to cross

46:06

to right? Like if you yourself, knew

46:08

right? times you you went looking for jobs

46:10

you went looking for jobs you

46:12

for be you would always

46:14

be explaining what this is and

46:16

why your experience is relevant. And that

46:18

happens as you go more niche.

46:20

And so, yeah, I yeah, I think without

46:23

money and an obvious path of

46:25

the money, there is a lot of

46:27

continued work on open source. source. There's

46:29

maybe middle grounds where it where it doesn't

46:31

work. It's probably a lot smaller possibility of going

46:33

to work for somewhere where you would

46:35

earn work for from where you live

46:37

is a big draw you live working in

46:39

open source. working course, yeah, because it's

46:41

yeah, because it's people talented people. been involved in

46:43

GSOC for a very long time a

46:45

very from the or watched from the edges, that doesn't

46:47

lead to contributors that hang around. around.

46:51

Yeah, it's a a guarantee at

46:53

least. Okay, yeah, it's a great Yeah, it's

46:55

a great article. gonna email a

46:57

to and we'll see if I

46:59

get any response. I will

47:01

not tell you off I will not

47:03

tell you I'll next recording will

47:05

be like recording will be like January. So yeah,

47:07

who knows? Okay. Well, yeah. Okay,

47:18

next up we have a blog

47:20

post from Cullen Smith Cullen his

47:22

blog blog at Sacred Hearts, heartsc.com or Sacred Heartc.com, or Previously

47:24

14 on the the desktop. We've got a lot

47:27

of got a lot of stuff

47:29

from November. It's very confusing.

47:31

We're normally very far very far behind. After

47:33

Cullen writes, after much after much deliberation,

47:35

I finally decided to migrate my

47:37

entire infrastructure from Rocky to FreeBSD.

47:40

Why FreeBSD? Perhaps

47:42

you yearn for a

47:45

simpler time config configured your

47:47

network interfaces when when ETCMOTD didn't

47:49

download didn't download advertisements. also

47:51

has Yeah, but it

47:53

also has Benedict in

47:56

it. It's very confusing. When

47:58

adults adults their package their

48:00

software of of shipping 400

48:02

megabyte flat packs that make cis

48:05

over debo. eerie, weary netizen while the teenagers

48:07

busy themselves with system-d resolved to the net

48:09

plan and other horrors, you can still find

48:11

peace in the tranquility of ETCRC.com. The enemy

48:13

ensnared by Yamalt Harpet is not yet at

48:16

our gates. Sick, transient, Gloria Monday, etc. Sorry.

48:19

Anyway, let's build a previously desktop

48:21

system with KDE. This guide will

48:23

assume you're using Intel graphics with

48:25

X11. Don't at me. On my

48:27

five-year-old think pad X1 carbon and

48:29

getting six to seven hours battery

48:31

life for Frubiously, not too bad.

48:33

And there's a screenshot. I'm going

48:35

to skip through a lot of

48:37

this because it's like a set

48:39

up blog post and... You

48:41

know, is it tutorial? Yeah, it's a

48:44

tutorial. Just if you want to install

48:46

for a BSA, go read it or

48:48

some other documentation. Grab a free BSA

48:50

image from the download. FreeBSA.org. Oh, no,

48:52

this free BSA.org/wear. And deed it to

48:54

a USG stick. But also don't deed

48:57

it over your hard drive. That's a

48:59

common for me. I have a friend

49:01

who did deed a hard drive three

49:03

times. Like in one year. It was

49:05

very... Funny? Not funny. It

49:07

was like the first time it

49:10

was probably funny. Every time for

49:12

me it was funny. Yeah for

49:14

you. None of the times for

49:16

him it was funny. I think

49:18

the first time he could reforce

49:20

it only got like the first

49:22

sector of the disk and so

49:24

he recovered it. For me it

49:27

was very funny. Follow the installation

49:29

wizard. Devices drivers in tuning. In

49:31

this section we'll configure device drivers

49:33

and make various tweaks to get

49:35

optimum and performance. Anyone following us

49:37

should be very careful about tweaks

49:39

the device drivers and how they

49:42

change over time because you're changing

49:44

defaults and defaults get changed over

49:46

time but your tweaks will still

49:48

be there. You should always right

49:50

next to your tweak what it

49:52

does and why it's there so

49:54

you can stop doing it. Okay,

49:56

all boot delay equals three. I

49:59

prefer one. Do you change the

50:01

all boot delay on things Benedict?

50:03

three? Oh, it's the magic number.

50:05

Yeah, okay. Um, PDF load equals

50:07

yes. Um, CPU control load. I

50:09

don't know what that does. What

50:11

CPU? CTL. Yeah, I wouldn't know

50:13

out of the top of my

50:16

head. Cool. I don't have any

50:18

space on my piece of paper.

50:20

Always something to learn. Doing a

50:22

podcast. I'll

50:27

show Benedict, no one can see this. So

50:29

I take a piece of A4 paper, and

50:31

fold it in half, and then I write

50:33

on one side, and then the next side,

50:36

and then I fold it over, and then

50:38

I write on the one side and the

50:40

next side. They've

50:42

fallen into the burn bag, but there's

50:44

a lot of them. I thought about

50:47

just binding them together. I think you'd

50:49

make a really funny scene, like. Oh

50:51

yeah, to remember or to collect. No,

50:53

like, I take it, like, hear all

50:55

the notes from porting VP or something.

50:57

I mean, the VP wants already burnt.

51:00

Are you reviewing those occasionally or? It's

51:02

right only. Like, it's aid to memory,

51:04

but the actual written words are unimportant.

51:06

I probably never look at them. I

51:08

mean, I come back to my desk

51:11

today and I've come back to my

51:13

desk today and I've got like, and

51:15

I've got like, I've done everything on

51:17

this piece of paper, there's no help

51:19

at all. And I've not forgotten the

51:21

thing I had to do. If I

51:24

need to remember things, I put it

51:26

in the code so it doesn't compile,

51:28

and then I have to deal with

51:30

it when I get there. Like to

51:32

do something? Or fix me's? Yeah, I

51:34

need to write about this, but it's

51:37

very embarrassing. Like, God. Jason, I'm sorry,

51:39

I have no focus. I don't know,

51:41

I don't know where you're going to

51:43

do this show. It's very funny. Yeah,

51:45

I thought about binding them together. I

51:47

thought it would be very funny, like

51:50

BST and our patron benefit will send

51:52

you Tom's gibberish notes about porting VP.

51:54

But it would take a lot and

51:56

you'd have to read my handrai. It

51:58

might be a funny. interrupt

52:01

source in the house. Cortamplode equals

52:03

yes, okay. Allow destructive detrace equals

52:05

zero. I didn't know about the

52:07

saying. Yeah, I wouldn't say this

52:09

because I use detrace, but other

52:11

people should. I guess we don't

52:13

need to go through all of

52:15

these. They're well-downed. But they're interesting,

52:17

right? Because he's changing like shared

52:20

memory sizes for desktop usage and

52:22

Max Prock. And maybe they're useful.

52:26

If your system supports Intel

52:28

speed shift, set this to

52:30

zero, so you might want

52:32

to, I don't know if

52:34

you want to do that,

52:36

that's an interesting piece of

52:38

advice. Things change, right? I

52:40

fixed the driver that was

52:42

crashing to do with power

52:44

management, API, like this, and

52:46

when it gets fixed, if

52:49

you're hack still there, you

52:51

might have worse power management,

52:53

and I-915, you are in

52:55

DS, C-C-C-T-T-C-T-C-C-T-C-C-T-P-C-C-P-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S- If

52:57

you don't know what you're doing,

52:59

don't change the TCP congestion control.

53:02

Expert. Those very small field of

53:04

expertise I have. Yeah, don't just

53:06

change stuff like this if you

53:08

don't know what it is. Be

53:10

very careful with network tuning advice

53:12

if it's like core things like

53:15

this. Especially if this is a

53:17

desktop article, we're not sure how

53:19

the benefit will be for a

53:21

desktop. So I don't know what

53:23

HDCP is. I've seen it. I

53:25

could go and read an RFC,

53:28

like it's, I don't, so that

53:30

I can't learn. I don't know

53:32

off the top of my head

53:34

what it is and what the

53:36

benefits are. It's not been relevant

53:38

in congestion control for the last

53:41

10 years. This module probably isn't

53:43

very well maintained. I, every two

53:45

weeks, I am on the 3BSD

53:47

transport protocol meeting call where we

53:49

talk about improving the transport stack.

53:51

And I'm saying I don't really

53:53

know what the benefits of this

53:56

would be. So that should give

53:58

you enough criteria of what it

54:00

is. I have published two RFCs.

54:02

I sat in the TCPM meetings

54:04

many times. I exposed to this.

54:06

And yeah. have no idea. It

54:09

might help, it might not. We've

54:11

changed, we're changing the default congestion

54:13

control to be, oh, brain at

54:15

rack base, which gives you very

54:17

measurable benefits. And this would stop

54:19

that. This will have, yeah, yeah,

54:22

who knows, like defaults are dangerous.

54:24

You should be really careful. ISR

54:26

limits, not sure. ZFS TXG turnout

54:28

and then more our 9-5 stuff

54:30

and load the think pad ACPI

54:32

buttons. Yeah, you should have that.

54:35

But when you move the system

54:37

to another one, you should maybe

54:39

get rid of it. There's a

54:41

bunch of SIS control tweaks, all

54:43

poking at TCP. It makes, yeah,

54:45

okay, more poking at TCP. Oh,

54:48

hey, cool. They turned on Abe.

54:50

There's like a. Understanding a lot

54:52

of these is a lot of

54:54

work. There's like a PhD worth

54:56

of knowledge in all these CIS

54:58

controls about TCP. Maybe the defaults

55:01

are worth it. VFS user amount

55:03

is great. Suspense which equals zero.

55:05

Wi-Fi. Wi-Fi is not where Freebie

55:07

shines, but people are working on

55:09

it. First, you'll need to figure

55:11

out which driver supports your card.

55:13

For Intel cards, it'll likely be

55:16

IWR, IwL Wi-Fi. Check the M

55:18

pages. I have AC wireless 8265,

55:20

which is supported by I-W-M. Make

55:22

sure it loads. use

55:24

SRC to set stuff, install the

55:27

way it's microcode, install the Intel

55:29

graphics driver which is loaded earlier,

55:31

turn on Linux binary compatibility if

55:33

you're going to use Linux binaries,

55:35

configure webcam D, so you can

55:38

have a webcam if you want

55:40

a webcam, I have the hard

55:42

shutter switch on my laptop to

55:44

not have the webcam there or

55:46

the microphone, configure SND, if you

55:49

want to. default

55:51

device permissions via DevFS, DRM,

55:54

backlight, video and USB. I

55:56

don't know if you need

55:58

to change the backlight. permissions.

56:01

I think they're default

56:03

to operator already. I've

56:05

never done that. Or

56:07

maybe being the video

56:09

group will get you

56:11

there. There's recommends changing

56:13

for USB to be

56:15

060 for group operator,

56:17

which allows anyone of

56:19

the operator group to

56:21

directly access USB devices.

56:23

It might be good.

56:25

It might be bad.

56:31

If you're using a laptop

56:34

you want to power down

56:36

inactive USB devices to save

56:38

battery life, add the following

56:41

to EDRC or C. Local,

56:43

USB config, Grap, Print1, Exorgs,

56:45

USP config power save, I

56:48

don't know what that does.

56:50

Thinkpad backlight controls, PF firewall,

56:57

It's sensible to block unexpected

56:59

incoming connections. Doesn't PF just

57:01

do this by default benedict?

57:03

Do you know? The default

57:05

rule set? Probably. It's like

57:07

the default rule set is

57:09

keep state block all, which

57:11

allows outgoing connections keeping state

57:13

because there's a staple firewall.

57:16

Yeah, that's it. I

57:18

have on all my desktop machines

57:20

internal NAT and a bridge so

57:22

I can have jails and virtual

57:24

machines without ever having to think

57:26

about it. And I create a

57:28

bunch of interfaces for that because

57:31

it is really helpful. There's a

57:33

big list of periodic scripts to

57:35

disable. I'd be careful, but they

57:37

also might just run whenever. Who

57:39

knows? I mean, that's what we

57:41

talked about earlier. Add users, set

57:43

locale, enable NTP. There's also RC.com

57:45

for NTP update at boot, so

57:47

you get a timesink at boot,

57:49

which if your clock drifts a

57:52

lot while your machine is turned

57:54

off, will shut NTP up so

57:56

it's not spamming your console. They

57:58

moved to Open SSH Portable. for

58:01

Business is heavily patched with stuff

58:03

I don't use. I prefer to

58:05

use within open SSH Portable from

58:07

ports. You might want to check

58:09

that assertion. I'm not sure how

58:11

true it is. Root certificates. We

58:13

now ship a root certificate bundle

58:16

in the base system, so you

58:18

shouldn't need to do this. And

58:20

install Desktop Environment, fonts, default, configure

58:22

SDDM, which has never worked for

58:24

me. Finally, known issues.

58:26

What doesn't work on free BSD is

58:28

the potential workarounds. User switching is broken.

58:31

There's a longstanding console kit to bug

58:33

that prevents user switching from working reliably

58:35

in free BSD. There is another bug

58:37

that results in broken graphics acceleration when

58:39

VT switch is performed. Therefore, it's best

58:41

to just disable user switching. Processes aren't

58:43

killed on logout. I think this is

58:46

all a KDE stuff. I didn't know

58:48

that. I've never logged out. Blue creates

58:50

a gazillion. NFS files. Yeah, I turned

58:52

BALU off because it just drowned the

58:54

machine to a halt. Harderoe acceleration has

58:56

broken in chrome and there's screen tearing.

58:58

I use KDE and free BSD as

59:00

my desktop every day. Not for this

59:03

cult, but every day. And I have

59:05

wobbly windows turned on because I think

59:07

it's very funny. I was so much

59:09

screen tearing. Whenever I show anyone my

59:11

Windows wobble, they're like, wow, there's a

59:13

lot of tearing. I'm like, but that's

59:15

not what I'm showing you. The Windows

59:18

wobbled. It's really sad being on a

59:20

Mac and the Windows don't wobble. Thank

59:22

you, Colin, there's a great article. I

59:24

just want anyone that if you're changing

59:26

defaults, you need to review the defaults

59:28

in the future. And if you don't

59:30

know what the change does, maybe you

59:32

don't do it. it's hard. You have

59:35

to learn. Only change them when you

59:37

like use the defaults and only change

59:39

them when there's a need to, like

59:41

slow performance or something, because otherwise you're

59:43

making tweaks and have no idea what

59:45

they do. So like this the scientist

59:47

Emmy says that you should leave defaults

59:49

alone and if you change defaults you

59:52

should measure before and after to some

59:54

level of confidence because yeah. change might

59:56

not actually do the thing you expect.

59:58

It might not help in your use

1:00:00

case. Your hardware might be different. But

1:00:02

this is too much of a bar,

1:00:04

right? Set the defaults you need to

1:00:07

set based on your knowledge and how

1:00:09

much time you have, like work to

1:00:11

your own capacity. And if it doesn't

1:00:13

work, it doesn't work. But yeah, if

1:00:15

you use the computer more and become

1:00:17

more of a computer person, you'll get

1:00:19

more knowledgeable about what the defaults might

1:00:21

do and how to work out what

1:00:24

they should do. But just be careful,

1:00:26

like write down if not what they

1:00:28

do at least where you found them

1:00:30

so you can check again in the

1:00:32

future. And a lot of the articles

1:00:34

about changing defaults, especially on TCP are

1:00:36

more than a decade old now and

1:00:39

not up to date. Okay,

1:00:41

in this last article we have,

1:00:43

we have iconic consoles on the

1:00:45

IBM System 360 mainframes, 55 years

1:00:48

old. And wow, that is a

1:00:50

lot of history in one article.

1:00:52

So I just read the beginning

1:00:54

so that we went to appetite

1:00:57

for the whole article which is

1:00:59

linked from our show notes. And

1:01:01

this goes, the IBM System 360

1:01:03

was a groundbreaking family of mainframe

1:01:06

computers announced on April 7th 1964.

1:01:08

Designing the System 360 was an

1:01:10

extremely risky bet the company project

1:01:12

for IBM costing over $5 billion.

1:01:15

Although the project ran into severe

1:01:17

problems, especially with the software, it

1:01:19

was a huge success, one of

1:01:21

the top three business accomplishments of

1:01:24

all time. System 360 was, or

1:01:26

set the direction of the computer

1:01:28

industry for decades in popularized features

1:01:30

such as the byte, 32-bit words,

1:01:33

microcode, and standardized interfaces. The S360

1:01:35

architecture was so successful that it's

1:01:37

still supported by IBM's latest Z

1:01:40

architecture mainframes, 55 years later. And

1:01:42

prior to System 360, IBM, the

1:01:44

most... Like the most computer manufacturers,

1:01:46

produced multiple computers with entirely incompatible

1:01:49

architectures. System 360, on the other

1:01:51

hand, was a complete line of

1:01:53

computers sharing a single architecture. The

1:01:55

fastest model in the original lineup

1:01:58

was 50 times as powerful as

1:02:00

the slowest, but they could all

1:02:02

run on the same software. The

1:02:04

general purpose system 360 handles business

1:02:07

and scientific applications at its name

1:02:09

symbolize 360 degrees to cover the

1:02:11

entire circle of possible uses. And

1:02:13

the article goes into all kinds

1:02:16

of details about the development, details,

1:02:18

history, with a lot of pictures,

1:02:20

of course, to kind of relive

1:02:23

those memories if you're that old.

1:02:26

and we definitely recommend you the

1:02:28

whole thing. It's too long to

1:02:31

read and it's full of pictures

1:02:33

from good old days. The pictures

1:02:35

are beautiful and they show a

1:02:37

world where the computers had a

1:02:40

room but it wasn't a day

1:02:42

center for themselves. It's just a

1:02:44

nice room. Yeah, that is certainly

1:02:46

classic. Okay, that I think

1:02:48

pretty much covers all we have for

1:02:50

you this week with the time that

1:02:52

we have available. So check back next

1:02:54

week where we have another episode for

1:02:56

you as always. BSD now is sponsored

1:02:58

by Tar Snap. Everyone needs backups and

1:03:00

Tar snap ensures that your backups are

1:03:02

not only safe but also secure. Your

1:03:05

data is encrypted on your device before

1:03:07

being sent to the cloud. You can

1:03:09

be sure that only you have the

1:03:11

ability to read your data. Tar snap

1:03:13

takes your data and works out what

1:03:15

is duplicated. It then assembles the data

1:03:17

into compressed blocks and creates them with

1:03:19

your local private key and this key

1:03:21

never leaves your system. The data is

1:03:23

then uploaded into the cloud. Even if

1:03:25

someone is able to obtain your data

1:03:27

in the cloud, they will not be

1:03:29

able to decrypt it and access your

1:03:31

files. Tar Snap is easy to use.

1:03:33

If you can use Tar, then you

1:03:35

can use Tar Snap. Tar Snap is

1:03:37

prepaid, so you never have to worry

1:03:39

about an unexpected bill. Tarsnap is fully

1:03:41

open source allowing you to inspect the

1:03:43

code and make sure it does what

1:03:45

we say it does. Tarsnap has bug

1:03:47

advantages so that if you find errors

1:03:49

in the code you can get paid

1:03:51

for helping make the software better. With

1:03:53

clients and all major platforms there's no

1:03:55

excuse not to have good backups. Go

1:03:57

to tarsnap.com to learn more.