1. 2

    I really wish articles like this would provide more background on how to improve the status quo. At this point it is well known that package managers/repositories are definitely a weak link in the ecosystem. There’s nothing new I learned from this article that would increase the security of the code I am writing/the dependencies I am using.

    Ultimately it is up to the goodwill and trust I place in random strangers. Same way I trust that the maintainers for my operating system won’t package malware (even accidentally). At some point you have to place your trust somewhere.

    1. 3

      My personal takeaway is that it’s time to get serious about using machine level isolation for day-to-day development, since no better protections are coming along to help me. It kind of sucks to treat your own codebase as potential malware, but maybe that inconvenience is just a “cost of doing business” in development ecosystems driven by self-published libraries?

      1. 2

        I wish we had a better solution than this, because this doesn’t prevent malware from getting into executables, so your production environment or machines of your users remain vulnerable.

      2. 1

        Review the dependencies. Do it with cargo-crev, so others could benefit from your reviews and you could benefit from theirs.

        Even just looking through cargo tree and asking “what’s this crate?” is better than nothing (it could save you from typosquatting, at least).

        1. 1

          Start with signatures. The maintainers of my operating system cryptographically sign the packages I install. I choose to trust them because their signatures are tied to real identities verified in real life. Bad stuff can still sneak in through key theft, malicious trusted individuals and problems up the supply chain, but having a trust infrastructure is table stakes.

        1. 4

          I try to keep up with technology, but I also wish that announcements like this would at least provide an idea up front of what WirePlumber is, or PipeWire and why it is important that Fedora 35 now ships with this software.

          Doing a quick search:

          WirePlumber: Session / policy manager implementation for PipeWire

          PipeWire: Next-generation cross-desktop audio and video server

          This seems to be some sort of tool to help manage a replacement for PulseAudio and brings yet another sound stack to Linux? I found some more information here: https://pipewire.org

          1. 2

            This seems to be a common theme with Collabora’s blog posts… “Version X of Foobar Y released” without explaining anything about what it is, why it matters, and how it all fits together with related projects.

            It’s unfortunate because my impression is that Collabora does a lot of interesting work with various open source projects, but their announcements are quite hard to follow.

            1. 2

              Thanks for the feedback, we’ll try to make our blog posts easier to understand going forward!

            2. 2

              Take a look at this interview in Fedora Magazine, it answers quite a few questions! https://fedoramagazine.org/wireplumber-the-new-pipewire-session-manager/

              1. 1

                As mentioned in another reply it’s compatible with all other major sound stacks. But it also handles video devices like webcams so multiple applications can access a single webcam at the same time.

              1. 1

                Am I mistaken for having heard that ECMP is better for large scale data centers? Post makes no mention of alternatives and considerations for pursuing BGP as the chosen standard besides “it’s popular”

                1. 5

                  BGP distributes routes and sets next hop. ECMP allows multiple routes to a single destination to exist and the router can forward packets across all outgoing interfaces usually in a load balanced way (using a l4 hash usually).

                  BGP is just one protocol to distributes routes. Equal Cost Multi Pathing does not distribute routes.

                  1. 2

                    The longer paper linked in the post seems to mention ECMP, and the positives & negatives of BGMP. Link to the paper: https://research.fb.com/wp-content/uploads/2021/03/Running-BGP-in-Data-Centers-at-Scale_final.pdf

                  1. 2

                    Did you ever figure out why it did not like your custom image?

                    1. 6

                      I bought a 13” M1 MacBook Pro, 1TB SSD/16GB of RAM.

                      Compared to my old 16” Intel MBP, it’s a completely different beast. A large difference has nothing to do with the M1 itself, but I do find that 13” fits more with my portability needs than 16”, so I like that just from that perspective.

                      The thing is silent. It’s incredible. It’s room temperature if not plugged into an external monitor and barely (almost imperceptibly) warm with the external monitor connected.

                      Battery life is crazy. Went and sat outside to work yesterday and had the screen at full brightness, wrote code and listened to music, did a few Zoom calls, and the battery was at 89% after all that and leaving it powered on but asleep in my backpack overnight.

                      The only issues thus far:

                      • I miss being able to run Intel VMs on my laptop; that’s obviously something I knew wouldn’t work going in and it’s not a huge deal. (Honestly, the latest version of VirtualBox for Mac had been crashing so much that I wasn’t using it all that often anyway, and there were some serious data corruption bugs in VMWare last I looked, so I wasn’t really running as many VMs as I had been.)
                      • I’m trying really hard, solely out of a purist standpoint, to avoid installing Rosetta 2. I want to see how long I can go. Most everything I use works fine, but my company’s VPN client (OpenVPN) still needs Rosetta. I’ve gotten around it by having my old laptop around if needed. OpenVPN has said they’re going to release a fully native M1 version in the near future, so we’ll see…
                      1. 2

                        I’ve been using the same model as you since December. Rosetta is fine, by the way; I don’t notice any performance difference between Intel and native binaries, just a slight first startup delay if it’s a particularly large one. I was similarly pleased with the 13” in the end, even though I worried it might be too small. My old 15” Intel MBP looks like a massive eyesore next to it, and weighty as heck too.

                        1. 1

                          Take a look at Tunnelblick or Viscosity and see if those can meet your OpenVPN needs.

                          1. 3

                            Tunnelblick still requires Rosetta for its UI, but I’ll definitely give Viscosity a try, thank you!

                            (Again, my opposition to Rosetta isn’t dogmatic or even justifiable. It’s basically a game I’m playing with myself at this point.)

                            EDIT: Yep, Viscosity works great, thank you!

                        1. 3

                          I am looking forward to when this will be more widely available and works, because it will allow Rust to be used in more places where C is currently the mainstream language of choice due to the need to still compile and build on various esoteric platforms.

                          This will also help alleviate the concerns from the packagers attempting to package the Python cryptography package which now uses Rust in various places!

                          1. 1

                            even more when we can get rust+c code in one thing from gcc, like mozilla does use for rust+c(++) on LLVM

                            1. 1

                              various esoteric platforms

                              I am really curious. Which platform do you have in mind?

                              1. 4

                                All of the platforms that Linux runs on, for one thing. There is a project to enable the use of Rust in the Linux kernel, but for now it can only be used for platform specific device drivers. Rust doesn’t support most of the platforms that Linux runs on, so Rust can’t be used for platform-independent code in Linux, until it supports the same platforms that gcc supports.

                                For more information about the Python cryptography controversy, which concerns platforms unsupported by Rust, see https://github.com/pyca/cryptography/issues/5771

                                1. 3

                                  I myself work on a platform that implements AIX syscall emulation - and I maintain a C codebase targeting it. I’d love to use a safer language.

                                  1. 1

                                    Apparently IBM wants to support LLVM on AIX, see Adding LLVM Support for AIX.

                                  2. 3

                                    Can’t speak for the GP, but I imagine pretty much all microcontrollers ever would fall into this category :) IIRC Rust has been ported to a few, but being able to transpile into C would vastly increase its reach.

                                    1. 2

                                      being able to transpile into C would vastly increase its reach

                                      Do you get that from this work? As I understand it, libgccjit exposes C types[1] but it then generates GIMPLE, not C. It should be possible to use it to target any architecture that GCC can target[2], but it’s not clear that you can use it to generate C code. It exposes things such as unwind table structures that can’t be expressed in C and so any transformation to C would be lossy.

                                      [1] One of my pet peeves with LLVM is that it doesn’t. Most platform ABIs are defined in C types and so there’s an implicit (undocumented) contract between clang and each back end about what IR idioms map to which C constructs and each front-end needs to reimplement this logic.

                                      [2] With the limitation that, unlike LLVM, GCC is not intrinsically a cross-compiler and so you’d need a separate libgccjit binary for each target architecture. If you can dynamically load these into rustc then that’s probably fine, you can ship a load of them and just load the one you need based on the target.