Comments by "" (@grokitall) on "Brodie Robertson" channel.

  1. The fundamental issue here is that you have an important maintainer (linus) slightly advocating for rust for linux, and blocking c only code which breaks the rust build, and a less important maintainer (christoph) basically saying he wants to burn that whole project to the ground. This basic incompatibility affects the basic survival of not just the rust for linux project, but also those c coders who for reasons compile the kernel with the rust flag set to off. Calling for a definitive answer to what the truth is is a long overdue request, and the faliure of linus ang greg to address that issue will continue to cause problems until it is resolved. As was said in the thread, it is a basic survival issue for the rust for linux project, and for those getting their c code bounced for rust incompatibility. Stating that in the end, the only solution in the absence of such an answer from linus is to try and submit directly to linus and get the answer that way is basically just stating the truth about how to deal with a maintainer who is just obstructing code for personal reasons. Given that the maintainer has publically stated he would like to burn the entire project to the ground, when breaking code in the project is already getting c code patches bounced, it just strikes me that refering this to the code of conduct guys seems fairly obvious, as this level of hostility towards other contributers, the late nacking for non technical reasons, and so on seem like the sort of thing they should have an opinion on if they are to be of any relevance. While there are valid issues about the inclusion of rust code, that is not what is happening here. It is not about the quality of rust code in the kernel, but the existence of such code, which by now seems to at least have implicit support from linus. The technical question of not having the wrapper duplicated in every driver is basic programming, and the undesirability of this has been accepted practice for well over a decade. Having such code exist was responded to by christoph basically telling the contributer to go pound sand, rather than giving a constructive suggestion as to an alternative location which would be acceptable. Almost nobody came out of this looking good. The maintainer got away with being toxic about a decision which in theory at least seems to have already been made by linus. The code of conduct guys got away with ignoring at the very least a request as to if the behaviour of the maintainer was in scope for them to consider. Linus and greg got away with refusing to address the core question of what is the status of rust code in the kernel. Either it is a first class citizen, and christoph should not be blocking it, or it is not, and linus should not be blocking pure c code for breaking it. You can't have it both ways.
    69
  2. everyone is missing one simple point, the rust binding maintainers are basically trying to force the c maintainers to turn every private api call they want to use into a future proofed public api, and the c maintainers are basically saying no, by choosing to use a different language you get to do the fixes if the private api changes, which it can because it is private. this is not about documentation, but about rust requiring stability guarantees for private apis which don't exist in any large code base, then complaining that the maintainers won't turn every api into a public api.
    53
  3. The biggest problem i have spotted is distribution managers who can't do the job, especially when package managers go off on their own thing. This happened on red hat when pottering decided to hijack the debugging flag from kernel developers. This is happening on debian with the idiot breaking userspace with package name choices. There are lots of other examples where the managers should step in an tell them off, but won't do it. I have yet to spot an example of maintainer overreach that has not been ignored by their managers.
    16
  4. all the rust advocates are missing the point. what they are basically demanding from the maintainers is that they do all of the work to turn any private api in the c code into a public api with stable semantics just so that the rust developers can use it, but that is not how big projects work. any big project will have a relatively small and stable public api, with everything else hidden in the private api and subject to change. moving anything into the public api comes with huge maintainence costs and development costs, which is a pain point for maintainers, so they resist doing it. by using a different language, even when in the tree, the code acts like it is out of tree when it comes to refactoring or modifying the private api. this means the rust binding maintainers get to enjoy the costs which go with this, but they want to force it on the c code maintainers instead. they also want the c code maintainers to provide additional future proofed semantics for these private apis, but that is not how the private apis of large projects work.
    14
  5. ​ @darukutsu what happened is that it is owned by Oracle, who like to sue, and do not like to change course. So you can't get them to put it under a compatible license, and even a complete rewrite from scratch is not safe from litigation, as seen by the drama over the Android usage of a subset of the java apis and register based jvm which is needed for mobile and Oracle still don't have. These were all written from scratch, and they still sued, so linus and the kernel lawyers basically say it is an out of tree fs until Oracle makes a move as they cannot take the risk.
    12
  6. this is the y2k / centos 8 mentality. in this scenario you get 3 choices. 1, start fixing your snowflake code early, and suffer low levels of pain for a long time. 2, leave it till the last minute, and scramble around with lots of pain and expense. 3, wait till the environment breaks, then have to fix it in panic mode when you might not be able to do it before it kills the company. too many places default towards 3 simply because they can delay it another quarter of a year, until they realise they can't.
    11
  7.  @BrunodeSouzaLino  the issue is not obfuscated, but that c encodes some information as spread out code, while the rust type system gathers it all together in the function header, which they claim is superior. this means that because they are binding from c they have to put in the work to find out where it lives, but they expect the c maintainers to do it for them, claiming it is just asking them to document the semantics. it is analogous to asking them to take procedural code and duplicate it in a logic programming system, as it is just documenting the business logic.
    10
  8. looks a lot like rust in the kernel, not playing well with others. the solution for both is simple. do the work by themselves outside the mainline, and as bits stabilise or need to update other parts of the kernel you get someone who can play nice specifically to work on getting that code from where it works and is stable to where it is in a shape that upstream is happy with. thats how the real-time branch got upstreamed, so it can work just as well for rust and bcachefs.
    10
  9. Live patching has its uses, but most problems can be run as sharded clusters, where you take one shard out of service, update, and reboot, then do the same for the next one. This preserves system uptime, but not machine uptime. The problem with live patching is that you end up with long running code still running the old library version except when you patch the kernel.
    10
  10. ​ @mmstick a lot of people here are missing the point. what the rust binding maintainers are asking for is not to document the code, but to turn any internal private api component into a future proofed public api component with all the costs involved, just so that the rust bindings won't break in the future. every large project has a large percentage of its code as internal private apis which are subject to breakage when needed, only constrained to fixing the mainline code you broke when it changes. this is how big projects work. the rust developers basically are ignoring this fact, and trying to get the c developers to do lots of additional work just so that it does not break the rust code in the future. if you want your rust code to use the private apis in your bindings, you cannot expect the same semantics as for public apis, so you get to pay the price for using those private apis.
    10
  11.  @KoopstaKlicca  they are two sides of the same coin. in the case of kent and his codevelopers it is exactly as you describe. in the case of rust in the kernel, there is a set of work to be done, and major disputes as to the cost and who is going to pay it, with the rust developers thinking it is minimal and wanting the maintainers to pay, while the maintainers think it is significant, and want the rust guys to do it. in both cases it is some project which on the kernel scale is relatively minor thinking that most of the playing well with others should be done by the kernel maintainers adapting to the needs of their project, with the maintainers resisting. note: i am not saying all the rust in the kernel developers are like this, just enough of them to be harming their own case.
    9
  12. obviously you did not watch the video you are commenting on, where it clearly stated that alma actively support an architecture not supported by red hat
    5
  13. ​ @anonymousalexander6005 that is not quite accurate. the problem with putting the drivers in a different ring than the core kernel code is that it comes with exactly the same costs and benefits as putting them in user space. it gives you a level of isolation which lets you crash the driver without crashing the kernel, but it comes with the cost of the massive context shift every time you need to talk across the boundary, with lots of talking across that boundary. it is the inability to solve these problems in a way that does not also improve monolithic kernels which prevented microkernels from gaining significant traction for mainstream operating systems.
    4
  14. one of the main reasons for the dislike of systemd is the mentality of the developers, starting with leonard and continuing through his fanboys. first, he identifies potentially valid problems. he did this with avahi, with pulseaudio and then with systemd. then he get the bit he is working on to be "dev complete", where it works on his machine (in a way that is deliberately incompatable with the alternatives) , and doesn't care if it works on anyone elses machine, and relies on his fanboys to get it to work on anything else, while he completely loses interest in it. this bit is then excused as being optional, and thus it doesn't matter that is incompatable, until one of the higher levels of stuff has a hard dependency on it, and suddenly the alternatives are squeezed out of the mainstream ecosystem, making it harder to remove it when it needs replacing. also, when they do something that causes problems for some other project, well that is ok, because we won't fix it because it in our code. these and other behaviours are just some of the reasons that people don't trust the systemd developers and the fact that redhat has not made any efforts to tone down these bad behaviours is why people don't trust redhat about systemd
    4
  15.  @kirglow4639  except for the fact that the "simple semantic information" that they are asking the maintainers to hunt up and provide is encoded as c code spread over a number of locations throughout the code base, and they are too lazy to just go and loo, it up themselves or write a parsing tool to go find it for them because doing so would be too much like hard work, and the provided information would only be needed by rust binding maintainers. the sense of entitlement or ignorance in the rust community to want maintainers of c code to do an amount of work which is the equivalent of requiring them to convert functions between iterative and recursive implementations, just because the rust maintainers need to encode it differently is quite silly. if it is as easy as the rust fanatics claim, why can't they be bothered to do it themselves, ot write a simple tool to do it for them. if it isn't, then why do they try and insist that it is an irrelevantly small amount of work for the c maintainers? it is because it is a non trivial amount of work that they are getting push back from the c maintainers.
    4
  16.  @kirglow4639  except they are not trying to do it with c++, with the nicer object and class encapsulations which would make these things simpler, but are trying to get the c maintainers to do it from a language where it is spread out over a significant amount of code. even worse, they are trying to force those same overworked maintainers to learn enough rust to take over the maintainence of the rust bindings for what to them is out of tree code due to being in a different language. the sort of level of documentation they are asking for is what happens at the stable public api, which is why i say that they are trying to force that on the c maintainers. if it is as quick and easy to create as the rust maintainers claim, then the cost to them of having to look it up themselves should be as little as they claim it will be for the c maintainers who don't need it.
    4
  17.  @tfemby  just because it is working c code, does not make it good code, and even good code is possibly not done in the best way to be compatible. i can think of a number of patch sets written in c which had further work done on top of them out of tree, where it took up to 20 reworks to get to the point where it was right and good enough to merge, and even then they had to then start working to get the extra stuff they built on top upstreamed. just because you wrote something that you think is great (and you might even be right) does not give you the automatic right to have it merged into someone else's project. the real time kernel work was out of tree for 20 years, working to move code from their patched fork into the main line, and every small patch that made it in made the fork easier to maintain. but it did take time and rework to get it in. this is a point kent at bcachefs does not seem to get, and he expects every change to just be accepted right away, turning main line into an experimental kernel, which is why he has the current problems.
    4
  18. python 2 to python 3 has the issue that it makes breaking changes, so the old code won't work anymore. most language updates just release a new version which is a superset of the old version, so they don't have this problem the other way this is avoided is how adding oop to c did it, where there were enough differences to make it a new language, but with minor code tweaks for the compiler, it could still use the old code. this is how we got c, c++ and objective c. python did neither, hence the mess. add to that big monolithic codebases, and the usual y2k ish procrastination, and we get to where we are today.
    4
  19.  @guiorgy  yes they could do it tomorrow, but the point is that they have not done so. Also, remember that a lot of these companies are now run by accountants, who upon seeing the money signs from the lawyers, do not bother looking at the costs if it goes wrong. Mostly it is not about making a balanced judgement call, if it was the sgi vs the world case would not have gone ahead, and neither would the Oracle vs Google case.
    3
  20. This is the actual reason for the regulation. Unlike the us, the EU recognises that climate change is a thing, and that most power is currently generated from fossil fuels. The best way and the cheapest is to not waste the power in the first place. Using a TV as an example, cheap tvs used to just turn off the tube when you put it on standby, wheras expensive ones did it properly, leaving just the remote control unit turned on, so it could turn the TV back on. The difference in power usage could sometimes be as high as 80% of the peak usage when using the TV, which is a lot of wasted power you have to generate. The same types of mistake were made with multiple generations of devices, including satellite TV boxes, fridges, home automation tech, etc, and to fix this they made this series of regulations basically saying that when you don't need to be wasting power, you should not do it if you do not need to. The issue with the kde and gnome suspend flag seems to come from conflating 2 different use cases under the same flag. The first case is the one relating to power usage and sleep, hibernate and power off. The default should be to reduce power usage when it is not needed, but is currently used as a flag to turn autosuspend on and off. The second use case is where no matter what you are doing, you need to force power off due to running low on battery power. This applies both to laptops and to any desktop or server running with a decent ups, and gradually degrading functionality can extend the time needed until forced shutdown is needed. An example would be to disable windows whole drive indexing on battery power, thus extending battery life. This second use case should have the default be forced shutdown for laptops and for desktops and servers on battery power, and is irrelevant to both on mains power. By conflating the 2 different use cases, you just end up with the currently broken understanding of what the flag should do, and the related arguments about the defaults.
    3
  21.  @kirglow4639  i don't dispute that the description i give does not apply to all of the rust team, only to too much of it, and even more so to the wider rust community. it is this lack of understanding of the level of work involved by the wider community, and their toxicity at getting push back which i am calling out. also there are a toxic subset of developers who do fit the problem child model i pointed out, and the rest of the rust community have either been conspicuous by their absence when these people are called out, or completely miss the points being raised against them and come back with resposes that while pointing out valid good points fail to address the issues actually raised. a simple example of this is when the author of bcachefs was called out for ignoring how the timings of the kernel development process worked, most rust developers were silent, and the few who could be bothered to comment ignored the issues raised and either were just saying that the code was brilliant because it was in rust, or that the work the developer was doing was great, neither of which had anything to do with why the guy got called out in the first place. if your community fails to accept that when building on top of other peoples work you need to learn how to play well with others, it is hardly surprising when that toxic community is not looked upon favourably by those other people.
    3
  22.  @kirglow4639  so you are saying the bcachefs maintainer did not do a large code dump of new code extremely late in the release cycle, causing him to get called out by linus, and that lots of rust people came out against him and in support of linus? or what about the rust in linux maintainer who quit, because while the real work was great, the political garbage was not worth putting up with, and the rust community was not helping fight back against it? what about all the people in the threads around multiple videos here claiming that despite not being rust programmers, the c kernel maintainers should just go into the rust binding and fix them just like they do with the c code they actually write? not to mention all of the people who say gathering the lifetime information is so trivial that it is not worth them doing it themselves, because it is only documentation, even though that information is not needed in c and takes quite a bit of time to collect? or how about the vitriol poured on ted tso for pointing out that at kernel scale, the rust code is a minority use case, and most of the work will continue to be done on the c code, which might break the rust code as it will not be part of the stable apis, and that the rust coders will need to fix it because most of the c maintainers don't write rust? all of these and more crop up repeatedly in these threads, but not a single voice from the rust side ever speaks up to say that the c maintainers might have valid points, or that the hard core rust advocates might be being less than fair to the c maintainers. this is not setting up a straw man, just observing that the rust community in these threads when seeing a problem with adding third party rust code to the c kernel seem to expect the c maintainers to do all of the work, even when they don't know rust and the things they want are not something that matters in c, and then seem surprised when the c maintainers quite reasonably say that they don't write rust, and that what they are asking for is a non trivial amount of work.
    3
  23.  @kirglow4639  i won't ask you to cover any points about most of the cases, but if you have any knowledge of any comment by any rust contributer who thinks that the bcachefs developer doing a huge dump of new code right at the end of the merge window is anything but perfectly fine, i would be pleased to hear about it. as to lifetimes, documentation, and api changes, the problem is that the rust community is approaching them from only a rust perspective. lifetimes are only of interest to rust programmers and compiler writers, so it is not really a c thing. the documentation being asked for is largely for how the rust semantics would work with the c code, so again their is a fairly significant mismatch. api changes in c are generally looked down on, and the level of resistance is proportional to the number of callers in the surrounding code. the more callers the less the desire to change the code. however then general method to do api changes in c is first to point out what the problems are in the existing code and why in a convincing manner, then to come up with a better api which can be wrapped by the existing api so that the existing code still works and does not need changing all at once, and then be better enough that other users find it preferable to the prior api and use it instead. this does not seem from the comments i have seen to be the way the rust developers try and get improved apis. note: i am not saying that the apis could not be better, or that the documentation could not be improved, or that extra tests could not be written to make how the existing apis are supposed to work clearer, only that from what i have seen the rust developers do not seem to be engaging with the c developers in the way that the c conventions usually have such interactions work, and if they did, it might work a lot better. after all, one of the purposes of testing is to document and clarify how the interface actually works.
    3
  24.  @kuhluhOG  yes lifetimes exist in every language, but rust seems to need them to be known at api definition time for every variable mentioned in those apis, unlike just about every other language. when you put this constraint on another language just to get your type system to work, it does not come for free. i do not doubt that it is possible to write kernel code in rust, nor do the c maintainers, in fact some people are writing a kernel in rust, and good luck to them. people are also writing code for the kernel, but when you can't even get a stable compiler to work and need to download the nightly builds to get the code to even compile (according to one of the compiler devs st a rust conference), and you need an unspecified amount of extra work to even be able to start doing work on the unstable internal apis, there naturally arises the question of how much work and who has to do it. as to the problem with the drm subsystem, i've not seen the thread, so i don't know if it was done as a discussion around "this variable is used this way here and an incompatible way there", or if they just went and fixed the more problematical one for them to work in the way that made it easier for the rust developers, and then did a big code dump with little prior discussion. if it is the second case, it is the same issue of not playing well with others except on your own terms, and the resulting problems are deserved. if it is the first, then the issue should be raised on the usual channels, and initial patches proposed, with ongoing work to figure out if those patches are the best fix to the identified problems, just like with any other c developer. i just don't have enough context to determine if it was the rust devs, the c maintainers, or both talking past each other, and thus do not have a right to an opinion on the details i do not know.
    3
  25. it should not make a major difference, as it is basically being set up to return us to the situation before the dissolution of centos. as far as i know, all significant enterprise linux offerings are based of rhel, as this was the position of red hat until recently, and why reinvent the wheel when you do not have to. as to the involvement of oracle, they are just one of the companies getting hosed by the actions of red hat, so this idea makes perfect sense for them to restore a proper upstream.
    3
  26. ​ @flamingscar5263 microsoft did backwards compatibility because they had to, not because they chose to. when the new version won't run the majority of existing code, or is a pain to use, you are stuck maintaining the old version. this is why xp hung around for so long, the replacement was both worse, and incompatible, so people just stuck with xp. the same issue is going to hit with 11 and 12, because they are full of anti features people don't want, and the increased cost of the base hardware is just not worth the antifeatures that are being forced on you.
    2
  27. i think this whole thread misses a basic point about developing large systems. in such systems you want a stable public api, and a flexible private api. this is further constrained by the in tree code, so that if you break it, you find out and fix it. with out of tree code, you have exactly the same problems you get with any long lived unmerged branch, that the ground underneath it changes over time, and like with the large snowflake block everyone is afraid to touch, it eventually gets broken because it is effectively being run as a long lived fork of the main code base. the only solution to this is to work hard to move more of the code into the mainline branch, to get all of the benefits and reduce the costs of maintaining it out of tree. this out of tree cost is further agravated for rust in that the bindings for the unstable private apis require an additional layer of future proofing semantics which the core c code does not need yet. for c (and most other languages) the idea of did that change break anything within the existing code determined at commit time is good enough, and those extra semantics the rust people want are only added as they are discovered by breaking code with the next change. the linux kernel usually does an exceptional job of providing a stable public api, but what the rust people are basically asking for is to make the private api a stable public api as well, and quite understandably the maintainers are saying that it does not make sense to do so, but feel free to do the work yourself, but don't be surprised if it breaks sometimes. to the maintainers, every piece of code not written in the core language of the project is effectively acting as out of tree code, so if you want to play in their sandbox, you get to enjoy the additional work that goes with it.
    2
  28.  @Pentium100MHz  if your car is relatively modern, it it is already computerised. The engine has a computer managing it, and most after market and a lot of built in entertainment systems run on android based embedded computers. As to your set top box shutting down during recordings, the word for that is broken. It should wake up when the recording is due to start, and stay awake during the recording, because it is doing something. However a lot of people here in the UK leave their tvs on in multiple rooms even when there is nobody there, or when they go out, and if the prompt comes up asking to verify you want to keep the TV on is not responded to, it goes into standby.
    2
  29.  @fhunter1test  the issues with "ways of avoiding it" has always been that any methods tried also improve the speed of monolithic kernels, nullifying the relative benefits. if there are any that only improve microkernels, i would be interested to find out.
    2
  30.  @rosomak8244  as the microkernel design is basically a minimal kernel with lots of microservices, it shares all of the known problems of microservices and adds so e more of its own.
    2
  31. microsoft are not in the clear on this one either, as it was crowdstrike who took the machines down, but microsoft not fixing known problems which made them require a manual reboot.
    2
  32.  @xabhax  no, but given that windows is less than 10% of their revenue now, how many lawsuits will it take before the lawyers and managers decide to just do it right the first time, rather than being dragged kicking and screaming to fix problems by the regulators. bear in mind that a lot of these software giants basically have no competition in their marketplace due to the network effect, and thus they are already under pressure from governments to do better. this includes microsoft, meta, google, etc
    2
  33. this is a non trivial task, as all major enterprise distributions have been rhel derived, so all software for enterprise uses the rhel assumption set. it does not matter if this is just assuming being rpm based, or lots more of the rhel options, every source of divergence needs to be addressed to make the code debian compatible. from a simple point of engineering, this takes both time, and actually being bothered about debian compatibility, and we currently have a bunch of rhel alternatives which do not need such major work, so third party suppliers will address those first.
    2
  34. it is worse than that, statements from the eula and red hat employees make it clear that even if you have a valid reason for having a developer license, they reserve the right to decide that even using one of the machines as a print server as part of that purpose gives the authority to decide you do not qualify, and come in and audit you for how many licenses they think they deserve paying for. this makes the value of the dev license almost zero due to future liability risks.
    2
  35. all that needs to happen for zfs to be ok in the kernel is for the other members of open ela to ship it in open ela. at that point you have an oracle backed organisation releasing the code under the gpl. this was what tripped up sco, as they were still shipping caldera linux gpl while trying to sue people for stuff in the kernel.
    2
  36.  @kirglow4639  just have a look at the threads here about the recent rust and kernel drama, and you will see plenty of examples of it. in all of the recent drama, i have literally not seen a single comment from the rust community which even hints that anyone on the rust side is not totally in the right, and anyone on the c side is not totally in the wrong. if you could assume for the sake of replying to this single comment that the examples i gave were not 100% fabricated (they were all real), the could you at least admit the possibility that the responses from the rust community could do with a better attempt to engage with the issues raised by the c community and that the responses could have been more constructive in looking for solutions?
    2
  37. the point is that you use fedora if you want red hat tooling in a non enterprise distro so you can use the same it staff to support both. the problem with red hat and their scorched earth policies towards existing classes of customers that they do not see the value of is that not only does it diminish the value of rhel, but also of non enterprise upstream.
    2
  38.  @marcogenovesi8570  no, i mean the subset of rust developers who think that searching for things like lifetimes and other things not a part of c is trivial, but are unwilling to do it themselves, then want to throw the code over the wall into the kernel and then want the kernel maintainers to do the work maintaining it (even th9se who don't know rust). very like the way that the kdbus people could not be bothered to do the work to speed up dbus, and just expected to throw the existing api into the kernel and hand the problem over to the kernel folks. this is not just about kent, but is a bigger problem of relatively minor developers thinking that they can work in their sandbox, and when they think the code 8s ready, just dump it on the kernel maintainers, who also have to do the work to make the kernel ready for their code dump and maintain it later.
    2
  39.  @roundduckkira  kent is a major problem for kent, but not all code that works gets accepted. what is the reason for rejections? not accepting that there is a problem. not liking the proposed solution? a large set of patches all dropping in o e big merge? the patches arriving late in the merge cycle? none of these is the maintainer being deliberately awkward, and all can have valid reasons for not accepting the merge. they all have responses which can be made to get them merged eventually. not having seen the threads, i can't tell if it is problems with the maintainers, if the developers are just feeling entitled and then butthurt because their code was not just immediately taken without comment, or if it is members of the two communities talking past each other.
    2
  40. ​ @VoicesInDark i would strongly disagree with the idea that kernel developers are replaceable, as most of the are doing critical work in important but obscure areas of development. as for them getting paid, so what if some company wants to pay them, with the idea of basically putting bug bounties on problems affecting their company. you still have a number of kernel contributors who are not tied to big companies. as to it being a community or not, i don't see any way you can define that word which would not cover 15,000 people trying to not get in each others way for years. if you mean the kernel project not being community driven like centos used to be and rocky is now, very few large projects or distributions fit that model. it certainly does not fit how systemd is developed, nor the kernel, and not gnome either.
    2
  41.  @MikkoRantalainen  kent obviously has an out of tree fork of the kernel where he does the development work, which is fine, and is where his current behaviour is heading. what he needs is someone else to work on upstreaming the code in small patches, doing rework to make the working code compatible with the rest of the code in the kernel. if he runs it like the real time patches project did, improvements can be made on his tree, while someone else manages reducing the delta between his tree and upstream, eventually getting his code into mainline. note: linus did not say no more bcachefs, only no more kent, and whoever takes over upstreaming needs to play well with the rest of the kernel developers..
    2
  42. microkernels always sound good, that is why they gained popularity in academia in the 1970s. unfortunately they come with huge costs for message passing and context switching, and there is still some types of code which must be in kernel space. people have tried to fix this issue ever since, and we are still waiting for a microkernel only solution, which makes them more practical.
    2
  43. it was not possible to prevent the update, the only option is to insist on not installing any software which works like this, which is often above the pay grade of the experts involved. for upgrades which did not require live patching, the companies already had policies and practices in place which would prevent this from happening. crowdstrike just chose to override them. microsoft chose not to fix the boot loop problem since 2016, so they share the rest of the blame with crowdstrike. crowdstrike crashed the kernel, microsoft made it so it could not recover from it.
    2
  44. ​ @turtlefrog369 a lot of these systems require internet access to do their job, so that needs securing. you cannot take payments or update your flight information boards without being able to talk to other machines.
    2
  45. the issue being ignored in this thread is that most of these machines which were hit were locked down and mission critical. this means that any method which does not do automatic recovery will cause the same issues. manual interaction with most of these machines is just not an easy option, usually for very good reasons.
    2
  46. because ken thomson's paper "on trusting trust" was the first to highlight a new way of hacking the supply chain, and fixing it is hard and expensive. the purpose is to make it so that you not only believe linus can be trusted when you get your kernel from him, but you know that you got the same kernel as you got from him. in his tech talk at google, he talked about how due to using cryptographic hashes, as long as he knows the hash, he can download the repository from anyone, and verify it is an exact copy of the one he put up which they copied. that verifies the audit trail for the sourde code. the way nixos uses semantically versioned bill of materials verifies the audit trail for the dependencies. reproducible builds verify the audit trail from source to binary files. different tools for different parts of the job.
    1
  47. @Silver-eb7zm yes, canonical consulted their lawyers and decided it was a risk worth taking. This was based upon the benefits they could receive from shipping it, the low likelyhood of being sued, and the odds of being able to settle or fund fighting it. This does not make it license compatible, which a lot of other top lawyers say it is not. Canonical is largely a newbie distro, which is not where the money is. Both the linux foundation and redhat are well funded, so the return from sueing and winning is high, so the risk for them shipping it is also high, which is why they don't.
    1
  48. no, the major question is can they do anything about it without shooting themselves in the head. all a backup checker needs to do is checksum every file, and export that audit report to a non rhel machine. this is a good idea for security auditing anyway, so banning it would be very difficult. so would banning any non rhel machine from the network. once you have this audit database, you can do the same for any other distribution, and instantly flag up any differences, which from a technical viewpoint is no different from comparing todays and yesterdays reports, so they cannot easily ban that either. once you have the list of files which is different, you can decide if it matters, and just tweak your patch list until you get the same checksum. as this bit is not being done on rhel, they have no say in the matter.
    1
  49.  @LuluTheCorgi  because the reason oracle linux exists in the first place was that red hat did not want to support their needs, so just paying them does not get them support, and requires them to sign the dodgy eula which stops them from getting support any other way. in this case using the lawyers would actually cost less.
    1
  50. An example of the difference would be to keep the screen turned on when playing a movie, but turning it off if doing computation or drive indexing without the need for a display. This lets the monitor go into standby, and also stops the graphics card from burning energy it does not need to use. Screensavers used to be about avoiding screen burn on tube based displays, but are now either about inactivity wallpaper or power saving depending on your option settings. Similarly, cpus have different power levels, depending on what level of usage is needed. You can step those levels down if you are barely doing anything, stepping things back up if you start a cpu intensive task. This means you could walk away from the computer when it started to do a task which was a cpu hog, but did not need the screen, and after a wait, it would blank the screen and let the monitor go into standby, and then when the task finishes, it can move the processor into a lower power mode. When you come back and move the mouse, it can turn the screen back on, waking up the monitor, and you can check if it is finished. You could even have it automatically power off when it is done.
    1
  51. ​ @Haydatsanime boxed distros were killed by being able to ask Ubuntu to send you a free cd.
    1
  52. there are some minor misunderstandings of somethings in the threads which need to be a little clearer, so here goes. to produce an operating system from scratch, you need to either 1, write everything yourself, or 2, go online and download a bunch of stuff from people you don't know and hope you can trust the code. 1 does not work very well, apple and microsoft did not do it, neither did google or steam. it is slow and expensive. look at how long it took reactos to get to the point where people who were not kernel developers could work on it. (not criticising them, this stuff is hard). this only leaves you with the second option, which you solve by going to conferences and establishing a network of trust through key signing parties. as this requires the person to show the other person id, it is moderately secure against everyone but state actors who can just issue an id, and id thieves. all the network of trust does is produce a lot of people who can assert that the person you just met has been verified to them as being the person they say they are (for a certain level of verified). these people then commit code to version control, and once you get to centralised and distributed version control, you also have the person signing that they produced the work. this means if it later turns out that they were a problem, you can easily go back, and track what they touched and audit it if needed. it does not stop a bad actor like the xz maintainer, you need other processes for that. this gets you to the point were you can confirm the code you got was the same as the code they distributed (at least if it does cryptographic hashing like git) and the network of trust identifies all of the contributers. then you need to link the code together with libraries it depends on. the original paper that started the nix package manager, which lead to nixos, described the purpose to be to declaratively manage the exact version dependencies so that you could be confident that what you used to build it last time is the same as what you used to build it this time. effectively semantically versioning the build dependencies. it appears that the people behind nixos have extended this a bit, but the principle remains the same. if the dependencies change, then the key for the dependent packages will also change. guix did not like the nonclomenture, and thus decided to declare it using scheme, but otherwise they do the same thing. this gets you to the point where you can compile stuff and be confident where all the code came from, as you have a complete audit trail. reproducible builds go one step further, validating that the stuff you then compile will always produce the same patterns of bits in storage. this is non trivial for various reasons mentioned by others, and many others. declarative dependency management systems might also give you reproducible builds, but it is not what they were designed for. then you take the output of the reproducible build, put it in a package, and sign it. this gets you to the point where you as the person installing it can be confident that the binary packages you just installed are exactly the same as the stuff the original upstream contributers intended with a few tweaks from your distribution maintainers to make it work better together. and you can audit this all the way back to the original contributer to the upstream project if needed. none of this says anything about the quality of the code, or about the character of the contributers, you need other steps for that. as the sysadmin for your business, you can go one step further, and create versioned ansible install scripts to do infrastructure as code, but it does not add to the model, as your ansible scripts are just another repository you use. i hope this clarifies things a bit.
    1
  53. if as intended it is bit compatible, not only the build dependencies can be hashed like in nixos, but so can the output binaries.
    1
  54. they have to change, as when they lose the lawsuits, the next time this happens the first question asked is what policies did you put in place after last time to stop it happening again, and why did they not work, leading to an easy loss. their lawyers will force the change.
    1
  55.  @fanshaw  it is not how hard it is to fix one machine which matters, but how much it costs to fix all of them. the lawsuit for delta airlines is looking for 500 million in damages, and it would be cheaper for them to start their own company and do it right than pay for another outage with the same impact. a number of other companies are in the same boat. how it will probably play out is that they will stick with crowdstrike for now, but talk with other companies looking to migrate as many machines away as possible if they can get acceptable conditions on the replacement software. now is the perfect time to start a competitor doing things right, and gradually migrate down the stack until it can replace crowdstrike. there are even open source projects out there which could form the basis of a good start. if you start with desktop users, and gradually work your way down to enterprise, a good profit could be had by someone.
    1
  56.  @fanshaw  for a lot of the machines which got hit, virtualisation is not an option, and neither is having enough backup machines. how do you have backups for flight status boards 20 feet in the air?, or for the tills and card payment systems built into your Restaurant? what about having a spare hotel booking system for your 200 room 5 star hotel? too many people in these discussions seem to be ignoring some pretty important facts about this outage. most of the machines which got hit are locked down for a good reason. most need access to internet services in order to do their job. lots of them are in places which make it impossible to allow the ordinary staff to undo the security in order to just reboot the machine in safe mode and do the simple fix. this is what made the disruption take so long, and cost so much, because you need specialist workers to physically go to these machines to get the things unlocked to escape the boot loop. and of course you cannot keep enough spare workers on staff to cover a once in a long while outage like this, because such staff are in short supply, and thus cost a lot to employ and retain. every business that got hit will need to revisit their resiliency plans, looking at what other steps they can take to make it less of a problem next time, wh8ch by definition will also include looking at how the outsourced software is delivered. if one of their competitors decides to do it properly, so it can be tested prior to installing the update, they will immediately jump up the list of providers. equally if a company does what cloudstrike did and deliberately subverts the testing and resilience plans of the customers, they will rapidly fall near the bottom of the list. a lot of the people who have moved to linux have made the choice that it is cheaper to move than it is to put up with all the nonsense that comes with staying on windows. i am sure software other than the operating system is equally liable to be vulnerable to the choice to move to an alternative supplier.
    1
  57. the only way to have microsoft work like apple is to move to only having a few microsoft approved all in one boards, and have microsoft take over doing everything that currently requires kernel access. as they could not even ship windows updates to the surface pro, which uses this model, without boot looping the kernel, it does not inspire confidence. also, it sounds like a solution that is worse than the problem.
    1
  58.  @mmstick  from what has been said in multiple threads, to get rust bindings in place requires multiple additional pieces of information about the code which is only normally needed by the compiler. the rust community seems to expect the maintainers to stop maintaining, and go and do the work for them. they also seem to ignore the split between the stable public apis, and the less stable private apis, and expect the maintainers to learn enough rust to effectively become the maintainers of the rust bindings as well. this would take a lot of time that the already overworked and understaffed maintainers don't have. the extra stuff i referred to was the rust specific information not needed by other language bindings, and the fact that as a different language from the core code, it needs them at all, neither of which should need to be the responsibility of those not using rust.
    1
  59.  @fuseteam  no, the distributors are not just just rebrands, they are supporting customers who red hat have decided they do not want to support, and thus are not costing red hat anything. it is the same broken argument that every customer not paying us for stuff that we do not do would just start paying us if only we could find a way of forcing them. also, when these companies produce a fix for a problem red hat does not support, it gets pushed upstream, either to stream, or the original project, or both.
    1
  60.  @fuseteam  you seem very set on the idea that every provider downstream of redhat is just a rebrand, which just is not true. there were whole classes of people who were only using redhat and their derivatives because redhat as part of their marketing said that if you need enterprise timescales, then use us as your stable base and do respins and derivatives based on us. that is what centos was. people are annoyed because redhat promissed 10 year support for centos 8, then ended it after only 1 year, while people were still migrating to it. even worse, they gave almost no warning. as to the derivatives, each exists for a specific reason, and supports customers redhat no longer wishes to support. clear linux is for an all intel hardware stack. rocky linux is for centos users where the move to rhel is not an option. scientific linux was a cantos derivative with extra software which was needed mainly in places like fermilab and cern. oracle linux needed specific optimisations which made running their databases better. others were used for embedded systems and infrastructure, or for alternative architectures. pretty much all of these use cases were at one time actively supported by redhat or centos, and are now prohibited under their dodgy eula. even the case where the city of Munich needed to create a respin specifically for their 15000 seat council rollout to include extra software only they needed is now banned. redhat used an opencore approach in order to grow, and a use us as upstream approach to enter markets that were not otherwise open to them. it had the added benefit of not fragmenting the enterprise linux market much. unfortunately for them, not everyone can suddenly switch to paying them lots of money on short notice, and even more cannot afford the rat on your boss tactic made disreputable by microsoft and their enforcement arm the business software alliance. when you run a business, you make a profit, and then decide how much of it to invest in research and innovation. the current management at redhat seems to think that it should work the other way around, where they decide what needs doing and how fast, and then tries to force people who never needed to pay with their blessing to make up the shortfall. the current fracturing of the enterprise market is a direct consequence of this attitude, as is the percentage of redhat customers looking for ways not to be held hostage by the next silly move they make. these people who have forked rhel had a total right to do so as redhat had encouraged them to do it. lots of them do testing for scenarios redhat does not support, and then pushes those changes both to stream, and to the primary upstream developers so that they do not have to keep large patchsets supported out of tree. these patches and extra bug finding are then made available to rhel from either upstream directly, through fedora, centos, or derectly as patches to redhat. this is fundamentally how open source works, someone finds a problem, develops a fix, and sends it upstream, and then the downstream users get to us it without necessarily having a need for support. when support is needed, then they find a company who is responsive to their support needs, which redhat increasingly is not. redhat has now become just another entitled proprietary software company who happens to use lots of open source software to try and keep the costs down, while the management has forgotten this fact and decided to stop playing well with others. this has already come back to bite them, and will continue to do so.
    1
  61. ​ @Fractal_32 yes, there is a reason why "may you live in interesting times" was regarded as a nasty curse. just look how interesting cloudstrike just made things.
    1
  62. by definition you cannot be bug compatible with rhel when working from stream. that is the entire point about the problem. centos used rhel sources minus branding. stream is rhel-next, which might be up to 1.5 years from being ready.
    1
  63. ​ @Pentium100MHz we have this rule because EU citizens care about climate change, but have not yet got the mindset of actively looking at power usage, and if things are actually required to be using the levels they are now. There is also the issue that people on low incomes have to buy the cheap tech, where the search for sensible defaults has not been done, and are thus a lot more wasteful. As an example a free view box last time I looked could be bought for £15 or £40, with the more expensive one using 20% of the power in standby mode, which is often triggered by default after a few hours in the EU. The only way to force manufacturers to get a clue was to introduce these regulations and make these considerations mandatory. Similar regulations for emissions is why EU cars use half the fuel of American ones.
    1
  64.  @audiolatroushearetic1822  as famously noted, common sense is not that common, especially if someone else is paying the bill.
    1
  65. there is only one lesson which needs to be learned here, which is for the accountants and managers to stop overriding technical decisions when the experts say "this software is not suitable for these reasons". all the other lessons are already well known, and a lot of them are standard practice.
    1
  66.  @CyroTheSpider  the killer is not the message passing, but the fact that you have to mode switch from user space to kernel space to ask the question, and then switch back again to use the answer, for every message which has to speak to the microkernel. this is very expensive, multiplied by a lot of messages. this has always been the problem with microkernel designs, and 50 years of trying to put lipstick on this pig has only proved how unsuitable pure microkernels are for most tasks. as soon as performance matters, you end up pulling that code into kernel space to avoid the delays. as to rust in the kernel, i am sceptical that the proposed advantages that would come with a pure rust kernel will transfer over when we just have a thin wrapper around the mostly c kernel, and if the costs of the rust bindings and only being able to extend it in rust are worth the price, especially as the rust binding maintainers seem to want to have the c maintainers pay it for the privilege of having rust code attached to the code they maintain.
    1
  67. what would be really interesting is if intel joins, and bases clear linux on it, as this would then make all intel contributions either upstream first or open ela first, instead of rhel first, and that could cause big problems for red hat.
    1
  68. ​ @knghtbrd but it is exactly his decision to break functionality silently and then double down on it that should trigger a process that should take weeks and require trying to work with upstream.
    1
  69. ​​ @travisSimon365 hurd would not have won if history was different. i was around at the rime, and everyone was looking to work from bsd code, but the at&t vs berkley case had a chilling effect. the other possibility was that lots of people wanted to extend minix to be more useful, but andrew tenenbaum not only wanted to keep it simple as a teaching tool, but also refused to allow others to maintain a set of patches in the same way as was done for the ntsc mosaic server, wjh8ch was h9w we got apache, literally a patchy servrr due the sequence of patches on patches on patches which were maintained at the time. also remember that it was not until someone wanted to support a third architecture that the default changed from forking the codebase, then getting it to work on the new architecture and instead got the code needed for arch architecture to be brought into the mainline kernel, managed with configuration flags. so you had 386bsd being slowed down by at&t, minix expansi9n being actively opposed by tenenbaum, gnu's kernel being delayed by indecisiveness over how it should work, and multiple commercial unixes just being too expensive for students. then along comes linus, who like a lot of students wanted a unix workalike and happened to be going to university 8n a country with a funding model that did not exist anywhere else. he even used the monolithic design which he thought was worse, for speed. it was not that linus was cleverer, withmsomemgrand plan, just that everyone else could not stop shooting themselves in the foot. also your alternatives at the time were either a primitive version if dos, or cpm.
    1
  70. microsoft wanted to implement a 2 tier system, essentially handing the anti virus market to them. the eu said no, think again. everything after that was choices made by microsoft.
    1
  71. that is basically the xz hack, and other steps caught that. however you can mitigate that one by having multiple tools from different providers to do the same job. gcc got hacked? switch to llvm and recompile everything.😊 it is all about auditability, and not having single points of failure.
    1
  72.  @RoelandJansen  you are mistaken. while it is true that sles is not a modern fork of rhel, the fact remains that in the same way clear linux forked to optimise for intel hardware, and oracle linux forked to be better optimised for database workloads, suse originally forked from red hat linux to optimise for german language speakers. while it was a long time ago, and they use a different installer and config system, they still maintain compatability with a lot more of the red hat choices than the debian choices, and that is before you add in the new red hat derivative and any convergence that happens between it and suse linux. this means that it is much easier to support software developed for red hat on suse than it is to do the same on debian.
    1
  73.  @RoelandJansen  you are right about it being slackware derived, but even the wikipedia entry says that it scoops up lots of red hat features, so the point about it being a lot closer to red hat than debian still applies, especially as regards red hat assumptions being baked into various code. the point about potential convergence between sles and their new red hat compatible system is also still valid.
    1
  74. no it would not. it solves a different issue. think of it as creating a bill of materials which contains the semantic version number of every dependency, and then hash it. that hash is unique, and says that this version of the package uses these exact versions of the dependencies. this is how nixos works. as soon as you change from the default upstream configuration, at the very least the patch number changes, and this happens for every package in the system which deviates from upstream. if it is a fairly core package like gcc, the bill of materials for most packages will have changed, meaning they almost all have completely different keys. so your semantically versioned dependency list says that it has these exact versions all the way down the dependency tree, and the reproducible build says that it always generates the same binaries for the given dependency list. different tools to verify different aspects of the job. to go further and audit across distributions, you would need some way to determine every code and configuration patch for every upstream package applied in every distribution, which is even more work.
    1
  75.  @jamesross3939  by its nature, diverse software stacks have some level of source incompatibility. just look at the problems in making the same program work across multiple versions of windows. as regards multiple distributions, we don't live in a world where everyone has identical needs so naturally at some point you start to get divergence. this even applies with windows where you have different releases for servers, desktops, oems, embedded, and others. these divergences naturally make it so that you cannot guarantee that a given program will work the same way, or at all on the different platforms, and the only way to deal with that is lots of testing. true binary compatibility requires a level of control by the vendor which results in large groups of people being ignored (causing divergence through making new systems which address their needs), or severe levels of bloat (to accommodate needs most users do not have). often it does both. in particular, you would need every variant to use exactly the same versions of every library on exactly the same compiler, all the way down. good luck getting blind people to move to wayland which currently has no support for them. the best mitigation we have at the moment is flatpacks, which package non interacting code with their needed library versions to produce cross distribution packages of user space applications. most distributions get created because their users have a need not covered by the mainstream ones, and a lot of them are extremely niche. their use case often will never become part of mainstream distributions, and their effect on the ecosystem as a whole is negligible. for others, the minority use case gradually becomes more important getting mainstream adoption as the work by these niche distributions becomes available in software used outside those distributions, and the niche distribution either becomes irrelevant, or remains as a testbed which feeds back into the wider ecosystem. this is what happened with the real time linux distroibutions, and as more of their work made it upstream, less of their users needed the full real time systems.
    1
  76. the virtualisation effort is a red herring. to the extent it works, it is incompatible with this level of security software. it might be of some use for some drivers, but not these ones.
    1
  77.  @9tailedyokai  kernel level anti cheat is a blind alley, just like dvd encryption is. in both cases you have a system the user can get at, and can probe to find out how it works, and then quickly circumvent. the only way to stop cheating is to do it server side, and spot patterns of behaviour which humans don't use. basically the same analysis methods used by malware detectors like crowdstrike or the way recapacha works.
    1
  78. ​ @darukutsu  the zfs story is simple. the people writing it for linux are doing a from scratch reimplimentation, so from that point of view the oracle licence only matters if those people have seen the original source code. where the issue comes for the kernel is that oracle has a history of suing people for look and feel and for work a likes, so the kernel people will not include it without a statement from oracle that they won't sue. for reiser fs, yhe issue is that it is version 3 in the kernel, it is barely used, and has some fundamental bugs around the 2038 date problem. as most of the developers moved on to other things, and the remaining ones have moved on to version 4 which has not been upstreamed, and version 5 which is a wor, i progress, the bugs in version 3 wi.l not be fixed, leaving the only choice being to remove it. as for kent, and bcachfs, he does not play well with others, so he needs someone else handling upstreaminb the code.
    1
  79.  @qwesx  sorry, but that is just wrong. the licence gives you the right to modify, distribute, and run the code. what compiling locally does is moves the legal liability from the distribution to individual user, who is usually not worth going after. as regards testing in court, the options are relatively few, and apply the same no matter what the license is. if you claim not to agree to the license, then the code defaults back to proprietary, and you just admitted in court to using proprietary code without a license. if the licences are incompatible, your only choice is to get one side or the other to relicense their code under a compatible license for your usage, which us usually somewhere between unlikely and nearly impossible with most projects, meaning that again you do not have a valid license for the derivative work, and you just admitted to it in court. with zfs, the problem is even worse, as you have oracle who sued google for having a compatible api, which was then resolved to be fair use, but only after costing millions to defend, and taking many years. because of this the linux kernel community will not take code providing any oracle apis without a signed statement from oracle that they will not sue, not because they do not think they will win, but because they cannot afford the problems that will occur if they do sue. individual distributions shipping zfs would face the same potential consequences, which is why most do not ship it. this leaves you back at moving the liability from the kernel, to the distribution, to the end user, where the benefits to suing most of them are just not worth it. as to trying it in court, there are lots of licenses, and lots of people either being too silly to check the licenses properly, or trying clever things to skirt the edges of legality because they think they have found a loophole. there are also lots of places to sue, and as floss is a worldwide effort, you have to consider all of them at once, which is why it is a really bad idea to try and write your own license. in america, people have tried the trick of not accepting the license, and have failed every time. the same is true in germany under a mix of european and german law. this covers the two biggest markets, and can thus be considered settled. what happens in every case, is that the license forms a contract for you to use the otherwise proprietary code under more liberal terms, and when you reject it it reverts back to the proprietary case, where you then have to prove why you are not using the software without a license. trying to be clever has also been tried, and while the law is less settled than for rejecting the license, you need every judge in every venue to agree with your interpretation of the license, which normally does not happen, so you are back at being in breach of the license, and hoping to get a friendly judge who does not look to give punitive damages for trying to be too clever. the insurance risk usually is not worth it. the only other option is to try and comply with the license, but when you have multiple incompatible licenses this is not a valid option.
    1
  80.  @marcogenovesi8570  if you mean the rust developers expecting the maintainers to go and hunt up a lot of extra semantic information not neded in c just to comply with rusts expensive typing system, and calling it documentation, that is one aspect of it. when you choose to work in a different language, which has tighter requirements, you make building the language api bindings harder. that is fine, but then you have to be prepared to do the work to find that estraminformation, and only after you think you have got it right do you get to call requesting confirmation documentation. this happened with the ssl project in debian, where the person who initially wrote the code was not the person who provided the clarification, resulting in a major security hole, but the patch developers did the work and asked is it case a or case b, and got the wrong answer back because the answer is not always obvious. this is why the c maintainers push back at the claims that it is just documenting the api, and it is cheap, when it is neither. like with kent, and some of the systemd developers, the issue is not the language the code is being developed in, but the semantic mismatch between the information needed by the existing work, and potential ambiguities relating to how people want to use the existing apis in a different way to how they are currently being used, which might require disambiguation, which might require digging around in the code base and mailing lists to see if a close enough use case came up in potentially thousands of posts in the discussion to clarify the new semantics for the previously unconsidered use case. the time for them to do this is at merge time if there is an issue, not all upfront because it is just documentatiron. the general principal in most code bases is that if you want to create new code, go for it, but when you want to merge it with the existing mainline code base, do it in small separate chunks and be prepared to do the extra work to not just get it working, but to move it to a shape that is compatible with the main code base, and if it is more than a drive by bug fix, expect to stick around and be prepared to do a lot of the maintainance yourself. this goes double if you are working in a different language than the maintainers. otherwise, it eventually gets treated as unmaintained code, and deprecated prior to removal. again, it comes down to respecting the existing development process, being willing to work within it, and if you need minor changes to that process to make the work easier for both sides, working within the existing change process to gradually move the standard way of doing things in the desired direction, while bearing in mind that in the kernel there are 15000 other people whose direction does not necessarily match yours. kent does not get this, so i see his code getting booted unless someone who does steps up to maintain it. the systemd guys did not get it either, which is why kdbus went nowhere, after getting a lot of push back from lots of kernel maintainers. a significant subset of the rust in the kernel developers don't seem to get it either, harming their case and making things harder for their codevelopers. this problem is not confined to the kernel. middleware developers like systemd, gtk, wayland, and others seem to forget that it is not just their pet project, and that in the case of middleware they not only have the same problems as the kernel, with new developers having to play nice with their rules, but as someone with other communities involved, they also need to play nice with those below them, and not cause too many problems for those above them in the stack.
    1
  81.  @alexisdumas84  i am not suggesting that every rust dev wants the maintainers to do everything, only that those who don't are being conspicuous in their absense with dissenting opinions or are failing to see how their additional semantic requirements to get the type system to work cause a semantic mismatch between what information is needed to do the work, and when. for c, it comes when the patch is finished and you try and upstream it, at which time any such problems result in considerable rework to get from working code to compatible code. this is why the real time patch set took nearly 20 years to get fully integrated into the mainline. for rust, all this work seems to need to be done upfront to get the type system to work in the first place. this is a major mismatch, and the language is too new and unstable for the true costs of this to be well known and understood. rust might indeed be as great as the early adopters think, with minimal costs for doing everything through the type system as some suggest, but there is an element of jumping the gun in the claims due to how new the language is. python 3 did not become good enough for a lot of people until the .4 release, and for others until the .6 release. as you maintain your out of tree rust kernel, with any c patches needed to make it work, have fun, just make sure that when it comes time to upstream the maintainers need to be able to turn on a fresh install of whatever distro they use, do the equivalent of apt get install kernel tools, and then just build the kernel with your patches applied. it is not there yet, and thus some code will stay in your out of tree branch until it is.
    1
  82.  @marcogenovesi8570  they do document them to the extent needed to do development work in c (in most cases), but the rust developers need even more information which the c developers don't need until it is time to upstream a patch, and an actual problem occurs, not just the potential problems the rust compiler finds. its like having ai find bugs. yes it can do it, but it cannot work out if it is a bug, a threat, or an exploit.
    1
  83. ​​ @joseoncrack the boot loop problem has gone unfixed since at least 2016, and possibly earlier. the solution is fairly easy. as you boot up, record which driver you are about to load to persistent storage. on reboot this should record a clean shutdown, but if it does not, don't load that driver. since windows 10, all kernel mode drivers need to go through testing, so check that a file with just a return statement does not crash the kernel, and if it does not you can use the existing bad driver disablement measures to stop it from loading. for the few drivers where it matters (like the driver for the filesystem you are booting from), your only option is to roll back to the previous version. nothing magic needed here to fix automatic recovery, which means that next time it does not cause such problems.
    1
  84. ​ @mikechappell4156 because it was obvious from the announcement of python 3 that 2 was on life support as far as the developers were concerned.
    1
  85.  @mikechappell4156  totally agree, but once it was clear that the developers were going to treat it the way x11 is now being treated, it should immediately stop people from starting new big projects in it, and should have them start getting proactive about splitting the big code up so it can become less of a roadblock later when you cannot replace any code without replacing all of the code.
    1
  86. every operating system has malware detection and mitigation software unless it is air gapped and stored in roms, which usually means embedded devices. as soon as you move to updatable software, you need protections.
    1
  87. it was not decided to make it into a second class citizen, but was just the recognition that when you add an additional language to a large project in a different language it will remain on the periphery for a long time and those pushing the new language will have to maintain the compatability layer. this minority use case with the work to maintain the bindings by its nature is what makes it a second class citizen. rust has an additional problem in requiring additional constraints when implementing those bindings, as the c code has the attitude of "don't break existing code", but the rust people want an additional level of semantic information on top of that to constrain future code, which is work not needed by any other bindings for any other language that i have seen, but they want the overworked c maintainers to do all of this additional work just for rust. as the maintainers are overworked, and this extra semantic information is not needed for any other language binding, they are quite reasonably saying to the rust advocates that if their language needs the extra information not needed by any other language, use the code to go and find it, and make your best guess, but don't expect your resulting conclusions which you encode into your bindings to constrain those not working in your language. to the extent this extra information is only required by rust, and does not constrain the underlying c code, it raises the question of how bad a match rust is for working with large existing c code bases. so far, i have yet to see a single rust advocate even acknowledge the validity of that question, let alone address it in any way, instead just trying to get the c maintainers to do all of the extra work in perpetuity.
    1
  88. by semantics, i mean all the additional information not needed by c which is needed by the api binding maintainers to make the rust bindings work, which is not needed by any other language, which includes lifetimes and other stuff. what the community seems to be asking for is that any code they want to link to should be equivalent to that seen in public apis, with a bunch of other information only needed by rust, but wanting the c maintainers to do all the work. then complaining when one of the maintainers points out that the private apis are prone to breakage, and using an external language makes it effectively out of tree code to the c developers, so the rust guys need to fix it themselves. they also seem to be clueless about refactoring private apis, expecting the same stability as public apis. this is not how big projects work.
    1
  89. which is why the response to a lot of the toxicity from the rust community is that it would be much easier to just go away and write a rust only kernel, where the low level stuff is already in rust, and this a binding layer is not needed. they also dkn't address the issue that the only code you can build on top of the rust code is more rust code, making the rust work hostile to further c work in the areas of interest. i cannot help thinking that the better approach to adding the advantages rust brings to the kernel is to develop tools to check the existing code for those properties, rather than trying to eat the c code from the outside in to force it all to be in rust, which is clearly the goal of some of the rust community.
    1
  90. it depends if rust stays at the edge. if not, then either you are limited to only rust developers building any further extensions, or you need to add c on top as the extension language, or you have to duplicate the blocking rust code in c and build the extension on top of the c. this is one of the many reasons i am sceptical as to the eventual outcome of the rust attempt to take over the kernel.
    1
  91. i agree that full rewrites are better, but the rust in linux approach of starting at the periphery and parasitically encroaching on the code above it strikes me as being either self delusional, or worse, deliberately dishonest. then wanting the c maintainers to do most of the work for them on the basis that it is just documentation is much worse. i don't doubt that a kernel could be written in rust from scratch, as many general purpose languages have been used to do the same thing, but i am sceptical about the almost religious fervour about the pro rust hype.
    1
  92. it is not just that it has more abstractions and capabilities (although the jury is currently out as to if it is more, or just different), but that with a lot of the differences, it is still way to early to tell if it is actually better. specifically, the issue of lifetimes probably has value in a pure rust code base, but there is a lot of doubt as to how much of the extra costs involved with working on top of languages which don't have the same system is actually worth the pain it introduces.
    1
  93. ​​ @sylviam6535 as they get closer to the core, not only will the existing costs increase, due to the larger interface between the two languages, but more and more code can only be extended in the second language, so as it moves closer to the core the risk of having to duplicate the code in the original language so the rest of the kernel can use it goes up a lot, making the benefits of those patches more doubtful, and increasing the push back against the encroachment into core kernel space.
    1
  94. the point is that in an enterprise setting, just moving away is not a question of just reinstalling one machine, it can be a multi year job covering thousands of machines. this is why rocky came into existence, to support centos 8 customers screwed over by red hat deciding to cut short the support period. be assured that a lot of rhel customers are saying internally that given the failures of trustworthiness and predictability, can we afford to use red hat for our next project rollout.
    1
  95. ​ @Mooooov0815 the sort of people this is targeted at will definitely be doing incremental development with continuous integration, where unit tests are not just good, but are essential.
    1
  96. ​ @pauldunecat if it is 19 years old, why does it need the nightly buildm9f the compiler to work with the rust in linux code?
    1
  97. there are a number of use cases where some form of automatic update is an anti feature. the classic example is the medical specialist remote working, who opened up his laptop to review a diagnostic image which needed immediate feedback, only to have windows trigger an immediate automatic update blocking use of the system for over half an hour. having systems where downloads are slow or expensive also need the option to defer downloading until you have a better connection. then you have laptops, where you might have to defer installation until you can plug it in to prevent partial updates from breaking things. finally, you need the update system to be pull based, as push based update systems add a whole extra set of problems if the push did not work. and all of that assumes that the update itself is not broken.
    1
  98. ​ @monad_tcp micro kernels are clearly a better design, apart from one small problem, the message passing model is painfully slow in practice. numerous tricks were tried to find ways to speed up micro kernels, unfortunately the same tricks also seem to work just as well with monolithic kernels, so soon after a speedup occurs in micro kernels, the same speedup is also applied to the monolithic kernels, meaning that the gains were quickly negated. almost all kernels now are modularised monolithic kernels.
    1
  99. because the term predates the ideas behind the nix package manager, which tries to solve a different problem. its like saying lets just rename the make program to be called fred. yes you can do it, but the amount of issues it would cause is just not worth it.
    1
  100. If you watched the video, when you download it from upstream, everything is compiled in but turned off, so just recompile the upgrade and don't turn anything on.
    1
  101. No, the problem is that dispite a number of user complaints, it was ever promoted out of sid, which raises wider concerns as to what sid is for if not to stop this sort of breakage getting though to unstable.
    1
  102. the point is that it is not about you trusting your distribution, but them being able to audit the trust for everyone upstream of them so they know that the stuff they built has identical source and output as what was got from upstream. it does not stop the xz hack, you need other methods for that.
    1
  103. they claimed it was company policy, because the threats left no time to do it right. the problem is that if you can't afford to do it right, you really can't afford to do it wrong. also, most threats are not that time critical.
    1
  104. @Vegemeister1  restarting a cluster is a solved problem. You can use wake on lan to wake up a machine from powered down, and doing update and reboot works if the kernel or core libraries change. If they don't, you can just shut down the service and restart it. Bearing in mind the only time it makes sense to live patch is for high throughput systems, sharding gives much better scalability. In this sort of throughput scenario, you are basically talking about high availability systems, so having multiple machines as part of the system is already a given for reliability and resilience reasons, so sharing does not add much load at all. Tools like ansible even make this whole process relatively easy. I think it was Netflix who intended to reboot a specific machine and accidentally rebooted their entire data center instead, which only took a couple of minutes to come back up.
    1
  105. only the first time when the build does not match, and you can automate some of that. you are basically having to debug what is different in the builds. once it builds reproducibly, the tooling stops you having to do all of the work again.
    1
  106.  @MaxusR  which is the entire point of reproducible builds. if you cross compile gcc using llvm, and then use that on a machine with another architecture to cross compile llvm using gcc, you can be fairly sure that your new llvm install has not been hacked by the compiler. if i can then do the same thing, and get a bit perfect copy, we can both be sure that the same source code produces the same output. it does not stop the xz attack, but there are other parts of the supply chain testing which help catch that.
    1
  107. ​ @warpedgeoid black box statistical ai has the issue that while it might give you the same results, you have a lot of trouble knowing how it got those results. this is due to the fact that it does not model the problem space, so is inherently about plausible results, not correct results. there is an example from early usage where they took photos of a forest, and later took photos of the same forest with tanks in it, and trained the system. it perfectly managed to split the two sets. then they took some more photos with tanks, and it failed miserably. it turned out it had learned to tell the difference between photos taken on a cloudy day, and photos taken on a sunny day. while this story is old, the point still applies. the nature of this sort of ai is inherently black box, so you by definition don't know how it gets its results, which makes all such systems not suitable for man rated and safety critical systems. symbolic ai like expert systems on the other hand have a fully auditable model of the problem space as part of how they work. this makes them just as checkable as any other software where you can access the source code. this is referred to as white box ai, as you can actually look inside and determine not just that it produces the right result, but why and how it does it. this sort of system should be compatible with aviation standards.
    1
  108. the point about refactorings is just wrong. even in the original book, you could change function signatures as long as you fixed all the callers at the same time. what the rust maintainers are asking for is to make every private api into a public one with future proofing guarantees for any piece of code which rust wants to call, and for the c code maintainers to have to do all of that work. the c maintainers reasonably point out that these are private apis without the guarantees provided by public apis, and by working in any different language, you win the right to fix them in your bindings when they break, as there is no reasonable way to expect kernel maintainers who are already overworked to put in the time to learn every language which wants to become part of kernel development just so as to not break bindings to private apis for languages they don't use.
    1
  109.  @davidpaulos2943  when not working in oo languages, adding an extra field to an object would change the signature of the function header, and a number of other refactorings can also affect the api, which is not a problem as long as it is fixed everywhere inside the private api. because these things are in the private api, the stability constraints on the public api are not enforced, but still good practice. the code from the public api still behaves the same, as the ci tests confirm, as long as all the calls are fixed at the same time. this is something that is not generally understood by oo practitioners, but is implicit in both opdykes phd, and in fowlers book, when talking about non oo languages. this is why the distinction between the public and private apis matter. for oo, the information hiding is done at the level of the object and the class, and the public private split is much less important. for non oo, the hiding occurs at that boundary, and api changing refactorings which would be hidden in oo only happen behind the boundary, or when doing a major semantic version update on the public api. the rust advocates ignore this difference, and various community mouthpieces make statements to the effect that if they want to use it in the bindings, it should act like a public api, or the c maintainers should be forced to stop work for a month to learn enough rust that they effectively take over as maintainers of the rust bindings. this just is not realistic in any large project, especially when the language is not oo. also requiring them to collect a lot of data including liveness, but not limited to it, which is not used in c is also silly. for both these reasons, the overworked and understaffed maintainers have the attitude that if the rust people want to write bindings for what in a project this size is a minority use case, fine, but don't expect us to not break the private api, or to have to learn a new language to fix your bindings, and if you need extra info that other languages don't need, well, here is the source code so find it yourself. as rust attaches itself to more of the periphery of the kernel, this tension between the two communities will only grow, and the c maintainers will have to push back harder. when coming to play in someone else's sandbox, first you need to learn how to play by the rules, then you can try and improve them, and this gets more important as the project gets bigger. the author of bcachfs proved he cannot do this regarding the stable development cycle rules, and plenty of others are proving the same thing about other conventions in kernel development.
    1
  110.  @klafbang  what they are admitting is looking for ways to get the code without signing the eula, and this not breaching the rules of the eula. every business big enough to need a legal department looks for the cheapest way to do this sort of thing, and then looks for alternatives, and that is legal.
    1
  111. lots of people want yo give microsoft a free pass on this one, but the big issue with this outage is the boot loop problem preventing easy recovery, which is fairly easy to fix, and which microsoft has repeatedly ignored since at least 2016. this is also why they are also in the cross hairs of the lawsuits, as from previous experience they knew or should have known the consequences of not fixing it, which is the standard for gross negligence. crowdstrike are in a similar position after seeing the way their previous releases crashed systems. this is why they are being sued, and why they stand a good chance of losing.
    1
  112.  @MarkusEicher70  people have different needs, which leads to different choices. red hat built it's business on the basis of always open, and base yourself on us. later the accountants started to complain, and instead of reducing the developer headcount through natural churn, they decided to go on a money hunt, closing source access to a lot of people who believed them, thus causing the current problems. rocky, alma, parts of suse, oracle linux and clear linux exist to provide support to people left high and dry after red hat decided not to support the needs of those customers. as red hat is an enterprise platform, the support needs can be up to 10 years if you get a problem at the right part of the cycle. third party software is often only tested against red hat, so you either have to pay them the money and sign up to their dodgy eula, or use one of the derivatives. the open source mentality views access restrictions as damage and looks for ways around it. moving to other non derived distributions comes with added costs, as not all the choices are the same and the software you need might not be tested against those choices, so you have to do a lot of testing to make sure it works, then either fix it if you can get the source, or find alternatives. this adds costs, hence people getting annoyed.
    1
  113.  @turtlefrog369  so how does the flight status board find out if a flight is on time or delayed or cancelled? how does the cash dispenser find out if you have enough money in the bank? how does the till get your card payment approved? all of these require connecting to a server which holds the information, and thus an internet connection. if the connection is there, people will try and get in, so you have to do something to keep them out.
    1
  114.  @turtlefrog369  i am a fan of dynamically updated static pages as well, but the issue is the need to have a network which is usually turned on. you could run the flight information board by regenerating the page when the data changes, and only having the board turn on the internet long enough to download the pages, but that does not work as well for things like tills. having said that, way more stuff could be done by having the machines on a private subnet, with each machine getting a dynamically assigned ip address when it turn the connection on to do the update, then off again, but that is not how it is currently done.
    1
  115.  @turtlefrog369  i know how to do things better. you are starting from the position that nothing needs internet access, which blatantly does not work for all sorts of use cases. air gapped machines have a very few use cases where they make any sense, and most of the machines that got hit do not fit those usages. this is the point you keep ignoring.
    1
  116.  @turtlefrog369  so how do you believe the card payment machine can check if it is ok to make the payment, or how does the flight status board get the updated information about the flights?
    1
  117. ibm have a history of dumb moves, and still have corporate memory of the debacle of giving the pc market to microsoft. however it is clear from statements from red hat employees that the decisions are coming from the current management whose every action and statement shows that despite being in the linux ecosystem for over a decade, they have no idea how it works, or what it means to be an enterprise distro. talk about failing upwards.
    1
  118. legacy code is a nightmare. snowflake systems nobody wants to touch have exactly one advantage, they have not failed YET!, but they will as the environment around them changes. so for these systems the question is "do we start trying to fix them now, or wait until they break and then have to try and fix them on an emergency priority basis". now is almost always the better answer. for unsupported legacy binary projects, you have only 2 choices, reverse engineer it to get code you can compile, or implement a replacement with a big bang switchover. neither are very good options, so it is better to try and avoid getting these systems in the first place. for legacy code where you have buildable source code, i can recommend michael feathers book "working effectively with legacy code". to summarise, it says get all new code under continuous integration and continuous delivery, and gradually migrate the rest to use it, making each change be covered by tests. this requires trunk based development, and everyone being committed to not breaking the tests. your only other question is if you are prepared to accept new legacy code.
    1
  119.  @aheendwhz1  about halfway through the thread, he said that he was not only opposed to rust in his part of the kernel, even though by this point it had been made clear that he literally had to nothing but get out of the way, but that he was going to do everything he could to kill the whole project. That sounds like wanting to burn it to the ground to me.
    1
  120. people depended on python 2 because it wasn't perl 6, and it was the new and shiny. then they built huge monolithic apps in it in a way that was hard to split up, requiring a major rewrite of the entire application to move to the new version. really bad design, but that is the history, and they are making the same mistakes with ruby as well.
    1
  121. Windows is already dying, as Linux has already killed it. A lot of tasks that used to be done on only windows have moved to new platforms not run by Microsoft. The only place windows is not dead is the desktop, but most things are either moving down the tech stack to smartphones and tablets using apps, up the stack to be web apps, or are open source and open standards cross platform programs. In all of these cases the underlying os is either not windows, or not relevant. This process is accelerating, and once it has gone far enough windows will go the way of the horse and cart, only a lot faster.
    1
  122. as long as the rust binding maintainers keep trying to force the c maintainers to turn private apis into future proofed public apis, you will have lots of push back, leading to further hostility to the rust community. this requirement seems to be fundamental to how the memory safety in rust works, so as more rust gets added to the periphery of the kernel, the problem is only going to get worse. this is further agravated by the problem of only being able to build on top of the rust code in rust. this makes the likelihood of a rust takeover of the main kernel highly unlikely, as the rust binding maintainers don't want to do the work that comes with effectively acting as if all the rust code is out of tree, as the c code maintainers probably don't have either the desire, time, or energy to put up with the garbage currently being shovelled in their direction.
    1
  123.  @szaszm_  except that is not what they are asking for. lots of rust fanboys in these threads expect various information only of interest to the compiler and the rust binding maintainers to be collected by the c maintainers just to support adding the rust bindings. others then expect these same c maintainers to do all the updates to the rust bindings if the c private apis change, and if they don't code in rust, then they should just do less maintainence and take the time off to learn how to take over as the rust binding maintainers. if they don't, they should be forced to keep the private apis as stable as the public ones, just to not break rust code. the amount of entitlement in those assumptions is staggering, only matched by the toxicity of the response when the c maintainers push back against the amount of extra work the rust advocates expect them to do just for the privilege of having rust code attached to the part of the kernel they maintain.
    1