Thom Holwerda Archive

Google preparing to upgrade Nest Audio as Fuchsia’s first smart speaker

Google is working on upgrading its Nest Audio smart speaker to run on the company’s own Fuchsia operating system. For the last few years, Google has been steadily working on switching its Nest Hub smart displays from running on “Cast OS” to the company’s in-house OS, Fuchsia. The original Nest Hub was the first to make the jump in 2021, and the Nest Hub Max made a similar move earlier this year. In all likelihood, the Nest Hub 2nd Gen should get its Fuchsia update soon too. The slow, deliberate, and calculated rollout of Fuchsia continues.

Intel using DXVK (part of Steam Proton) for their Windows Arc GPU DX 9 drivers

Intel recently announced a big driver update for their Arc GPUs on Windows, because their DirectX 9 performance wasn’t as good as it could have been. Turns out, they’re using code from the open source DXVK which is part of Steam Play Proton. DXVK translates Direct3D 9, Direct3D 10 and Direct3D 11 to Vulkan. Primarily written for Wine, the Windows compatibility layer, which is what Proton is made from (Proton is what the majority of games on Steam Deck run through). However, it also has a Native implementation for Linux and it can be used even on Windows too. So it’s not a big surprise to see this. Heck, even NVIDIA use DXVK for RTX Remix. Windows gamers benefiting from open source technology for gaming on Linux. My my, the turntables!

Adobe releases PostScript source code

The story of PostScript has many different facets. It is a story about profound changes in human literacy as well as a story of trade secrets within source code. It is a story about the importance of teams, and of geometry. And it is a story of the motivations and educations of engineer-entrepreneurs. The Computer History Museum is excited to publicly release, for the first time, the source code for the breakthrough printing technology, PostScript. We thank Adobe, Inc. for their permission and support, and John Warnock for championing this release. There’s definitely progress being made when it comes to open sourcing old software, but we’ve still got a long, long way to go for this to become the norm – as it should be.

Apple adds end-to-end encryption to iCloud device backups and more

End-to-end encryption is coming to most of iCloud with a new optional feature called Advanced Data Protection, according to Apple’s announcement on Wednesday. Previously, 14 data categories within iCloud were protected. This new feature brings that count to 23, including photos, notes, voice memos, reminders, Safari bookmarks, and iCloud backups of the contents of your devices. Not everything is encrypted in this way, though. Critically, calendar and mail are untouched here. Apple says they are not covered “because of the need to interoperate with the global email, contacts, and calendar systems.” Good step, and something every cloud provider ought to be offering.

Apple GPU drivers now in Asahi Linux

This release features work-in-progress OpenGL 2.1 and OpenGL ES 2.0 support for all current Apple M-series systems. That’s enough for hardware acceleration with desktop environments, like GNOME and KDE. It’s also enough for older 3D games, like Quake3 and Neverball. While there’s always room for improvement, the driver is fast enough to run all of the above at 60 frames per second at 4K. Please note: these drivers have not yet passed the OpenGL (ES) conformance tests. There will be bugs! Increasingly impressive work.

OpenIndiana Hipster 2022.10 released

As you may already have noticed we have released new ISO and USB images for OpenIndiana Hipster some days ago. As usual we have received many updates via illumos-gate, eg. the latest Intel and AMD CPU microcode updates, the latest time zone changes and lots of enhancements for BHyVe and the internal SMB server. Does anybody still legitimately use any of the variants of Solaris? It certainly had a moment in the final days of Sun, but ever since Oracle got their hands on it it’s been pretty much strangled to death, it seems.

Samsung’s Android app-signing key has leaked, is being used to sign malware

Ars Technica: Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets. These companies somehow had their signing keys leaked to outsiders, and now you can’t trust that apps that claim to be from these companies are really from them. To make matters worse, the “platform certificate keys” that they lost have some serious permissions. I tend to not really focus on security issues, because more often than not they amount to baseless scaremongering for clicks (or worse, to scare people into buying antivirus software), but this one seems possibly serious enough to warrant attention. I’m just not entirely sure how bad this can actually turn out to be, and the vague statements from Samsung, Google, and other sure aren’t helping in cleaning up the confusion.

Snap updates happen without user consent

Traditionally, updates on Linux systems are controlled by the user. You get an icon in the system tray that looks important; you click on it; it asks you if you want to install updates; you say “yes” or “no”; updates are applied, or not; when you next restart any applications that you have running that were updated, the new version is picked up. Data isn’t lost, because updates don’t restart the application. You can (and do) update the Linux kernel in this way, and your computer just stays up (usually running on the old version of the kernel until you next restart.) Mechanisms have been added over time to allow auto updates to take place for critical security patches (“unattended upgrades”) but these have typically to be opt in. And again, they don’t restart running applications. Snap breaks this contract. The update channel for Snap is independent from the KDE updater (on Kubuntu), and seemingly the Gnome updater (on Ubuntu). If you consent to applying updates from the general system tray “updates needed” notification, Snap updates are not included; they’re not even listed in the pending notifications from the system tray. Snap updates only happen when the Snap updater is running, either if the application is not running or after the period of time required to force updates has expired. Snap updates happen without consent. I would really, really suggest moving away from Ubuntu, and opting for the countless better alternatives instead, like Fedora (the best desktop, in my view), Linux Mint (a great desktop, but a bit more conservative than Fedora), any of the Arch derivatives (for bleeding edge and tons of fooling around with AUR), or Void (for those of us with taste). Or any, any of the others. Ubuntu just does not seem to have its users’ best interests at heart, and Snap is the best example of that.

Why we can’t trust Apple

This is a problem for all of us. Most people who can afford one have bought their iPhone or iPad already. The programmers already have their MacBooks. And while everyone will need to buy replacements at some point, that’s a steady-state or at best low-growth business. When Apple says more, it means the Wall Street kind of “more”: a hockey stick of growth. Which means, Apple needs to find growth outside its usual business. And these days, that means: advertising. And online advertising requires: surveillance. And a surveillance-enabled ad business leads, inevitably, to deceiving customers. It’s already happening, and like the boiling frog (which is not actually how it works – the frog will definitely jump out if it’s being slowly boiled; the tiny detail not part of most retellings is that the researcher had removed the frogs’ brains), Apple users are slowly being prepped for slaughter.

Memory safe languages in Android 13

In Android 13, about 21% of all new native code (C/C++/Rust) is in Rust. There are approximately 1.5 million total lines of Rust code in AOSP across new functionality and components such as Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3, Android’s Virtualization framework (AVF), and various other components and their open source dependencies. These are low-level components that require a systems language which otherwise would have been implemented in C++. To date, there have been zero memory safety vulnerabilities discovered in Android’s Rust code. We don’t expect that number to stay zero forever, but given the volume of new Rust code across two Android releases, and the security-sensitive components where it’s being used, it’s a significant result. It demonstrates that Rust is fulfilling its intended purpose of preventing Android’s most common source of vulnerabilities. Historical vulnerability density is greater than 1/kLOC (1 vulnerability per thousand lines of code) in many of Android’s C/C++ components (e.g. media, Bluetooth, NFC, etc). Based on this historical vulnerability density, it’s likely that using Rust has already prevented hundreds of vulnerabilities from reaching production. These numbers don’t lie.

Secure Boot: this is not the protection we are looking for

So there you have it: recommending idly Secure Boot for all systems requiring intermediate security level accomplishes nothing, except maybe giving more work to system administrators that are recompiling their kernel, while offering exactly no measurable security against many threats if UEFI Administrative password and MOK Manager passwords are not set. This is especially true for laptop systems where physical access cannot be prevented for obvious reasons. For servers in colocation, the risk of physical access is not null. And finally for many servers, the risk of a rogue employee somewhere in the supply chain, or the maintenance chain cannot be easily ruled out. The author makes a compelling case, but my knowledge on this topic is too limited to confidently present this article as a good one. I’ll leave it to those among us with more experience on this subject to shoot holes in the article, or to affirm it.

Do not use services that hate the internet

As you look around for a new social media platform, I implore you, only use one that is a part of the World Wide Web. If posts in a social media app do not have URLs that can be linked to and viewed in an unauthenticated browser, or if there is no way to make a new post from a browser, then that program is not a part of the World Wide Web in any meaningful way. Consign that app to oblivion. Yep.

Used thin client PCs are an unsexy, readily available Raspberry Pi alternative

“Raspberry Pi boards are hard to get, probably also next year,” says Andreas Spiess, single-board enthusiast and YouTuber, in his distinctive Swiss accent. He’s not wrong. Spiess says he and his fellow Pi devotees need “a strategy to survive” without new boards, so he suggests looking in one of the least captivating, most overlooked areas of computing: used, corporate-minded thin client PCs. Spiess’ Pi replacements, suggested and refined by many of his YouTube commenters and Patreon subscribers, are Fujitsu Futros, Lenovo ThinkCentres, and other small systems (some or all of which could be semantically considered “thick clients” or simply “mini PCs,” depending on your tastes and retro-grouch sensibilities). They’re the kind of systems you can easily find used on eBay, refurbished on Amazon Renewed, or through other enterprise and IT asset disposition sources. They’re typically in good shape, given their use and environment. And compared to single-board enthusiast systems, many more are being made and replaced each year. A project I want to undertake is set up an UltraSPARC machine, and then tie several Sun Rays to them. I also want to mess around with using Linux as the host for several thin clients – they’re so cheap, and it seems like they’re really fun to mess around with.

Tales of the M1 GPU

There is still a long road ahead! The UAPI that we are using right now is still a prototype, and there are a lot of new features that need to be added or redesigned in order to support a full Vulkan driver in the future. Since Linux mandates that the UAPI needs to remain stable and backwards compatible across versions (unlike macOS), that means that the kernel driver will not be heading upstream for many months, until we have a more complete understanding of the GPU rendering parameters and have implemented all the new design features needed by Vulkan. The current UAPI also has performance limitations… it can’t even run GPU rendering concurrently with CPU processing yet! And of course there is still a lot of work to do on the userspace side, improving conformance and performance and adding support for more GL extensions and features! Some features like tesselation and geometry shaders are very tricky to implement (since they need to be partially or fully emulated), so don’t expect full OpenGL 3.2+ for quite a long time. This article is a detailed look at the work done by Asahi Lina to create a Linux GPU driver for Apple’s M1, after Alyssa Rosenzweig reverse engineered the M1 GPU on macOS. This is a tour de force of excellence, and every current and future M1/M2 Linux user should be thankful for the amazing work these people are doing.

Ubuntu Touch OTA-24 released for Ubuntu Phone users

Highlights of this release include initial gesture support with double-tap to wake for selected devices, improvements to fingerprint unlock by allowing more backoff time between read retries, as well as support for media buttons on headsets for most Ubuntu Phone devices. In addition, the Ubuntu Touch OTA-24 update adds support for handling the sms:// URL scheme for properly opening the Messaging app, adds Full HD 1080p support to the Aethercast implementation, improves SMS and MMS support, and adds various performance tweaks to the Mir-Android-Platform. I’m kind of surprised the current releases are still based on Ubuntu 16.04 – that’s quite an old release. They are working on upgrading the base to 20.04, and the switchover should happen relatively soon.

The Internet Archive just put 565 Palm Pilot apps in your web browser

Yes, I am playing Dope Wars on a Palm Pilot inside my iPhone. It’s thanks to The Internet Archive, which is once again launching a giant collection of software you can instantly play on any web browser, up to and including your touchscreen-equipped phone. There are currently 565 classic Palm apps in all, including games, widgets, and even free trials from both the greyscale and color eras. This is probably the easiest way to experience Palm OS applications now. I will still opt for any of my dozen or so real devices, but having so many applications safe and sound on the Archive is amazingly awesome.

89 operating systems

I occasionally do talks about curl. In these talks I often include a few slides that say something about curl’s coverage and presence on different platforms. Mostly to boast of course, but also to help explain to the audience how curl has manged to reach its ten billion installations. Curl is literally everywhere – even on another planet.

Mac OS 9 on an unmodified Wii

Via Hackaday: We’re used to the so-called “Hackintoshes”, non-Apple hardware running MacOS. One we featured recently was even built into the case of a Nintendo Wii. But Dandu has gone one better than that, by running MacOS on an unmodified Wii, original Nintendo hardware (French, Google Translate link). How has this seemingly impossible task been achieved? Seasoned Mac enthusiasts will remember the days when Apple machines used PowerPC processors, and the Wii uses a PowerPC chip that’s a close cousin of those used in the Mac G3 series of computers. Since the Wii can run a Linux-based OS, it can therefore run Mac-on-Linux, providing in theory an environment in which it can host one of the PowerPC versions of MacOS. So it’s not really running MacOS 9.2.2 directly on the hardware, but it’s close enough. Impressive work.