1. 1

    It says that grub doesn’t verify secure boot signatures on the files it runs, but the last time I worked on it (2 years ago), the kernel had to be signed by the SB keys and all the files (initrd, configs, kernel, grub modules) had to be signed with GPG to work. Is this different now?

    1. 1

      There have been ~220 patches and around 30 (or something) CVEs for secure boot issues in GRUB, so it’s more complicated. When I was looking at this around the same time (2019), grub allowed you to boot unsigned kernels.

      These days grub isn’t supposed to be used in secure boot without utilizing a shim.

    1. 1

      Excellent article. I have always considered “right tool for the job” as one of the most important principles. To my mind, building software is a far more nuanced conversation with shades of gray than being black and white.

      1. 3

        In my experience, “right tool for the job” is a two-edged sword. If pushed too far, you tend to have dozens of unique solutions to similar problems in the same company, and you may lose the benefits of having more similar solutions/approaches to similar problems. I prefer to see things as “global optimization” VS “local optimization”. As you say, this is a continuum anyway. Curious if you’ve been bitten by “right tool for the job” too?

        1. 1

          I think we need to understand “right tool for the right job” also as what the people who designed the tool have used / know (because they have insights into how a tool works, in opposition to how we may think a technology/framework/tool works).

          I guess the answer is always “well, it depends” and being pragmatic and open minded about things.

      1. 1

        Currently having one of these “Impossible bugs”, so I can relate…

        1. 4

          Yes, it’s a known problem that languages don’t respect the cgroup limits. AFAIK some languages do it correctly. Java for example does it automatically IIRC.

          1. 10

            We have the absurd situation that C, specifically constructed to write the UNIX kernel, cannot be used to write operating systems.

            That’s the money quote for me.

            1. 2

              Well. Considering kernels like Linux use non standard C (Gnu99 if I’m correct, or C99 with some compiler extensions), I’m not surprised. Some compiler extensions are really handy for kernel/low level development like inline assembly for instance.

              1. 1

                Yeah, I’m curious about that. And the following text:

                Linux and other operating systems are written in an unstable dialect of C that is produced by using a number of special flags that turn off compiler transformations based on undefined behavior

                I wish they’d given (or linked to) more details. What flags? What makes this an “unstable dialect”?

              1. 4

                Flakes are one of those things that feel like they could really simplify a lot of NixOS stuff (including being able to split stuff out of the massive nixpkgs monorepo), but the experimental status around them has me feeling a little nervous.

                1. 2

                  Me too. I tried to flake-ify some of my repos near the end of last year, and couldn’t make head or tail of what needs to go where. I’m aware of a few Tweag blog posts, and not much else in the way of good documentation. Has the documentation situation improved?

                  1. 5

                    I have found the flakes wiki page to be a good reference that I still consult regularly:

                    https://nixos.wiki/wiki/Flakes

                    1. 6

                      This and https://zimbatm.com/NixFlakes/ are quite good.

                    2. 4

                      Not really. One of the traps of it being “experimental, but merged” is some people have suffered through and figured it out… and others haven’t, but not much documentation is happening because it is “experimental” and could “change at any moment”. Of course, it would be nice if there was something a referrer could provide.

                      That said, nix flake --help has a good bit of stuff.

                      1. 7

                        I feel this might also be the general curse of the nix documentation, which typically has very thorough reference docs, but lacks simple guides for folks who just want to do things, without necessarily understanding how it works under the hood.

                        With flakes, I feel that the RFC and the series of Tweag posts are an excellent reference, but I didn’t find a simple guide for my simple use-case. The docs are “here’s how you set up a NixOS container” or “here’s how you use home-manager”, while what I want is a minimal diff to switch from a minimal /etc/nixos/configuration.nix to a minimal flake.

                        1. 2

                          That’s a shame. A sprint to document flakes as they currently are may help break the deadlock.

                    1. 6

                      Besides Firefox and Servo, SpiderMonkey is also used by GNOME and MongoDB.

                      1. 2

                        Also polkit.

                        1. 1

                          CouchDB also uses SpiderMonkey.

                        1. 4

                          So can we watch Netflix on FreeBSD now?

                          1. 3

                            I suppose it’s more about the use of FreeBSD inside the Netflix infrastructure.

                            1. 5

                              Yeah, that was the point. Netflix happily uses FreeBSD but couldn’t care less about FreeBSD users.

                              1. 15

                                Of course not. Why would a for profit media company waste (expensive) resources to support an OS that basically nobody uses on the desktop?

                                I know it sounds harsh, but Freebsd desktop use is irrelevant to any company.

                                1. 1

                                  Gaming on Linux was mostly irrelevant until Steam found a reason to support/foster it (apply pressure on Microsoft + Apple and their app stores). Given that the PS4 (and presumably PS5) uses FreeBSD for its OS and Netflix supports that platform, there’s probably some incentive there to upstream certain things. Though I presume Sony is happy to keep the status quo for the moment.

                                  1. 2

                                    I imagine a lot of the PS4 graphics code they write is under NDA with AMD since they’re not just using off-the-shelf components, but I could be wrong. Has Sony given anything back?

                                    1. 1

                                      Has Sony given anything back?

                                      Not that I know of but then I’m totally the wrong person to answer that question.

                                2. 7

                                  Hey, at least they’re in the second largest donor class this year. I’d think FreeBSD Development would deserve more all things considered.

                              2. 3

                                Sure you can, in a Linux/Windows/Android VM under bhyve :p