¶ Intro
Hello, friends, and welcome back to your weekly Linux talk show. My name is Chris.
My name is Wes.
And my name is Brent.
Hello, gentlemen. Coming up on the show today, we'll cover the Copy Fail vulnerability tearing through Linux distributions out there, plus Ubuntu 26.04, the Resolute Raccoon, is here, and Jon Seager will dig into the details with us. And then we'll round out the show with some great boosts and picks and a heck of a lot more. So before we get into that, this is like three big shows in one. We've got to bring in our virtual LUG. Time-appropriate greetings, Mumble Room.
Hello, Chris. Hello, Brent.
Hello.
Hello, hello.
And shout out to everybody up there in the quiet listening and everybody on the live stream. Pershing H.
We see you. You hear us.
Something like that. A version of that somewhere in there.
You boost? I don't know.
I don't know. Also, good morning to our friends over at Defined Networking. Go check out Managed Nebula from Defined Networking. It gives you a decentralized VPN built on the open-source Nebula platform that we just love. And what I really like is the flexibility. You can build the network you want, the way you actually want it, from maybe your home lab to a full enterprise setup. And you have the option to run your own lighthouse nodes, so you own the stack
end-to-end. But you don't have to start the hard way.
¶ Deadly Pages
Defined gives you a full managed experience, so that way you can get up and running fast with speed, security, and resilience baked in from day one. No big tech login required. Try it for free, 100 hosts, no credit card, at defined.net slash unplugged. That is defined.net slash unplugged. You go over there, you support the Unplugged program, defined.net slash unplugged. And a big thank you to the fine, fine folks at Defined for sponsoring this here program.
Let's get right into it. Gentlemen, we have ourselves quite the vulnerability this week. Copy Fail, which is an unprivileged local attack that allows, say, even just a generic Brent user with no admin rights to pop your box.
Yeah, that's not great.
No. And it turns out it's been baked into most Linux distros since 2017-ish. Is that right?
Yeah.
So that's a while, and just about everything that's shipping right now. And some distros are still working very hard to get it patched. Ars writes it's the, quote, most severe Linux threat to surface in years, and it has caught the world flat-footed. What do you think there, Wes Payne? I want to get your take on this first, because you've actually been playing around with the exploit.
Yeah, it is worth noting, right, you do need some sort of access. So if you don't have a user account on the box, you need some other chain, some other vulnerability. Maybe it's some kind of injection in a web app, whatever it is. But once you have that user access, then yeah, pretty much any system, because it's a kernel logic issue. The first PoC that was released was a Python 3 thing and sort of made some assumptions about particular
setuid binaries like su, but those are all particular implementation details. So it's important to realize that the core thing is this kernel flaw, which we could get into, because it's kind of fascinating, because it,
As often is the case. Well, one, I guess we should note, it was an AI-assisted finding, but it began with insight from human researchers at Theori, Taiyang Li, who's studying how the Linux crypto subsystem interacts with page-cache-backed data, and we'll get into that. So there's a few layers. The first is the VFS layer. There's this call, splice(), that kind of lets you combine pipes and file descriptors.
So you can open a file for reading and then combine that with a pipe and then pipe it into other things that you're using when you're calling kernel APIs. And in particular, there's this AF_ALG API, and it lets user space programs take advantage of all the cryptographic stuff, or a lot of the cryptographic stuff, that exists in the kernel. Which is good, both because you don't have to reimplement it, but also the kernel has access to hardware stuff.
Like there's various reasons the kernel might be able to do it faster or more securely or better than the random user space program that needs to handle encrypted data. The problem is that in 2017, there was an in-place optimization made. So basically to avoid allocating duplicate memory during decryption processes, you have some encrypted data, you're calling the kernel to say, hey, please decrypt this for me. The kernel tries this in-place operation.
Basically, you need to pass the data into the kernel for what you want to decrypt. And there's various parts. There's like some of the cryptographic primitives, which is the actual encrypted data, and there's the authentication tag.
And it builds this buffer that it's going to pass into the kernel, and it copies some of the first parts in there, but it doesn't actually copy the tag. Instead it basically passes a reference to the tag's memory at the end there, instead of allocating new memory and putting the tag in there. And unfortunately, later on in the cryptographic algorithms, this spot, the rsgl, the destination, is inherently treated as writable. So in this stage, kind of when you have the splice side of it,
it's all fine. It's like read-only. You're just kind of splicing on this read-only reference. And we'll get more into that. But it's really the problem where we did this optimization in the mechanism that lets user space programs call into the kernel. And then you need another piece, which is there's a particular encryption mechanism for IPsec, authencesn, for extended sequence numbers. And basically it's these 64-bit numbers that they need to do stuff with and rearrange some of the bits for.
And it kind of cheats. It uses the caller's destination buffer, which is the thing we were just talking about, as a temporary scratch space.
That's okay, though.
And specifically, it uses scatterwalk_map_and_copy to write four bytes past the end of the legitimate plaintext data, precisely at an offset. So you kind of put this all together, and this is what the actual exploit does. The attacker, so you basically, you need some sort of file that you have read access to. That's important. So you open that file for reading.
Which should just, I mean, that should be pretty easy. As long as you can get on the box.
Yeah, yeah. So there's some file that the user can read. We'll get into that.
But could that even be like a web server process? I mean, this is, that's pretty generic. Okay.
Yeah, it doesn't need special permissions or anything.
Yeah, yeah.
So it basically opens that file, which loads it into the page cache, right? Which is the memory cache that you put things in so that you don't have to go fetch them from disk all the time in the kernel. And this ends up being system-wide, by the way. And so it has that available, and then it makes this splice call to sort of set up this pipe that gives it basically a memory reference to that data. So the attacker aligns the splice offset so that what it is thinking is this
tag reference, right? It's trying to pass a tag into the crypto API. That actually points exactly over where it's trying to write in whatever the target is. So it opens, say, the su binary, right, with this. It opens it just for reading.
Yeah.
And then it kind of aligns things, then it passes a memory reference to wherever it's trying to overwrite, and then it calls into the crypto API, and then it just blindly changes that page cache reference, because the actual reference it gets is the page cache. It's the page cache for the binary.
That's a key part of it, right? So it's like when it opens it for reading, the kernel happily goes and reads it and then gives it a reference to the memory that corresponds to the actual page cache entry. So then when the crypto stuff happens, it just changes that tag thing, which ends up being the page cache reference, onto the actual final buffer that it's going to be using.
And then the particular IPsec encryption algorithm does its byte shuffling stuff and writes those four bytes, which are now attacker-controlled, past the normal sort of plaintext stuff it's supposed to be using. And then that, because it was aligned from our first thing with the splice, writes not to the file on disk, but it writes four bytes to whatever you like in the page cache version of the file.
They have a very clever little payload. It's like 158 bytes, and people have been golfing this further, but it's basically a super clever, tiny, minimal ELF thing. All it really does is, look, instead of having to figure out how to target a particular binary to patch in a particular way, they just overwrite it from the start with a super minimal, tiny custom binary. It's clever, to be as position independent as can be and work in
many places, but it basically just calls setuid(0) to really sort of sink in and make sure it has full root permissions. It's already running here in the context of a setuid binary, but it makes sure that's synced to all the kernel's places, and then it just has a nice clever way to call /bin/sh. But it could do anything here that you wanted. This was just a quick way to spawn a root shell.
Now, what's interesting is, if you just do it on, say, an affected Ubuntu instance, it'll just work. But the script that was first put out there hard-coded /usr/bin/su. So on NixOS, when I was trying to play with it, at first that didn't work, just for the reason that that's not the right path for where su lives on a Nix system. But then also, it turns out that on NixOS, a lot of SUID binaries, or the wrappers for them, are configured as execute-only.
So you don't actually have read permissions. So that's another way it could fail. And you could think that you're not actually impacted, but those are all just implementation details, because there are a bunch of things that you kind of have to be able to read, like shared libraries, libc, pam_unix. You could also target something like /etc/passwd, say, right? There's a lot of stuff that you could overwrite that you have to have read access to to be able to do.
And then what's so tricky about this, right, is then it's poisoned the page cache. But the kernel, in all of this stuff that's happening, there's like an error, but it never sort of undoes anything, and it never then marks that as dirty, so it doesn't know that it needs to be re-read, like anything's wrong. And so, if you go try to hash it, the hash command will actually go get the bytes on disk, and it'll be fine.
But if you make an exec call, like the execve system call, the kernel is just going to use the page cache.
Yeah.
That's the whole thing. That's the point.
Oh, man.
And you're not checking that. Right. And so you have to be much more clever around how to detect it because you can't just like do the hash. Now, it does mean it's not persistent because if you reboot, then the page cache is gone. So that's a small blessing here.
Yeah.
But it's, yeah, it's widespread, kind of nasty. It does need some chaining in a lot of cases, but...
Containerization doesn't solve it because it's still using these same primitives. It does seem like systems that have strict SELinux and perhaps AppArmor profiles might be better off. Or, like you said, if you have it where execute-only is set and read isn't an option. So key takeaways are: this is a bad one. And it's been on machines for a while. And we're going to have a lot of patching to do. And the bug was found by an AI-assisted code analysis tool in roughly an hour.
So expect the cadence of deep kernel disclosures to pick up.
Yeah, I guess folks at the xint.io and they've got some various setups and harnesses to kind of go poke around. So they had some hypotheses, partly from human researchers, exploring various places that might have bugs and then I guess they threw some AI at it. It turned up a bunch of stuff and this is what it rated as the highest severity issue.
Mm-hmm. Mm-hmm. So 26.04, not currently affected?
No, I believe not.
That's good. And, of course, the Debian security channel has a patch. AlmaLinux has it patched. So the patch is getting out there. NixOS has something, even though, like you said, your box wasn't. But all the big distros are affected. There is a way people can tell, right? If they just look at their kernel version, if they have, well, basically anything since 2017.
And you can also, like, there are very safe, like, little test exploits you can run.
Yeah.
You can also check, like, you do need some of these modules. Some kernels have them built in. Some have them as loadable modules. So you could sort of remove them and prevent them from being loaded. So there's various mitigations per distro, depending on how your kernel is set up.
I think we're going to have to, as a community, look at this as an opportunity, not as a burden, even though it is absolutely going to be a massive workload. But as a community, we have always championed the idea that more eyes means shallower bugs. And now we are getting dramatically more eyes. We are getting exponentially more eyes.
More AIs means less shallow bugs.
More AIs means, yeah, exactly. And the upshot is our software will get more secure.
Yeah, so when they fixed this, they didn't actually fix the IPsec part where it was kind of cheating and using that little scratch part. They fixed the in-place optimization from 2017 so that it never passes this reference anymore. So there's no longer some sort of coupling between the input and output and reusing some of those stuff.
And the part that's so funny is in the commit message, they note there's actually no benefit in operating in-place in this way since the source and destination come from different mappings. So we didn't even really need to be doing this.
I have a question for you, Wes. It's more of maybe your opinion. Given this has come out now and is somewhat obscure for the kernel, any thoughts on, given the kernel's complexity, like how many of these little things are just hiding in there?
That's a good question.
Yeah.
It's hard to estimate.
And think about every library... every service, every service on the internet that listens remotely. But we probably have been needing to do this for a long time. We probably should have had a lot more humans focused on this, but we just weren't doing it.
It's a hard problem.
It is also, right, like, where, you know, maybe using the assistance where you can, whatever, to try and up your posture and do things more by default. Because if you do things like, okay, fewer permissions on setuid binaries, or you try to take as much advantage of all the hardening that systemd services offer by default, so that it sees less of the system and has less access to things, even read-only. There are tools we have, and we need to grow better ones.
But I think it just means defense in depth will become even more important.
I do think when we see these, a lot of times, folks that have taken the time to actually have a solid SELinux setup and actually use it have been validated over and over again that it's worth the effort, because they end up protected from these kinds of things. I want to thank our members for supporting this here podcast. It really has made quite the difference recently, as we're very lean on the advertising and we're trying to turn that around.
But in the meantime, the members and the boosters are really keeping us going. If you sign up, you get quite the bootleg this week. We had a chance to go to Valve, and we tell that story in the bootleg. So go to linuxunplugged.com slash membership and sign up. You can get the bootleg edition or the ad-free edition, whichever fits your schedule better, because the bootleg is kind of long. And, of course, you can support all the shows, including The Launch,
¶ Interview with Jon Seager
This Week in Bitcoin, and more at jupiter.party, and you get special access to all of them, including the bootleg for this here show. You can also boost an episode with Fountain FM, and that gives a signal on what you thought about that particular topic, how we did, the value, et cetera. And it also goes to each one of us directly and to Editor Drew, as well as the developer and the Podcast Index. So it's a nice way to kind of spread it all around.
Support all the great things.
Mm-hmm. And it's nice, too, because it's all transparent. It's an open-source, free software stack. And like I like to say, the contract is in the RSS feed, so you as an audience get to see exactly where everything goes. But we appreciate the memberships as our foundation and the boosts as our signal. Well, this week, we had a chance to chat with Jon Seager. He is the VP of Engineering over at Canonical for Ubuntu.
And, of course, the big news is 26.04 is out. And this is one of the LTS releases, the 11th LTS release. Yeah, and this, as they often are, was a focus on stability. But a few bits of innovation worked in there. We have a couple of highlights in here, like TPM-backed full disk encryption. Wayland's now the default.
Obviously, they shipped it in the interim, but now they're actually shipping some of that Rust stuff in the user land and the coreutils, which is exciting.
And something I want to chat with Jon about, too, is they've done that thing they do in Ubuntu where they one-click something, kind of, and for now it's CUDA.
And ROCm. I don't hate on AMD.
No, I love ROCm. But it's just that there's so much demand out there, and you combine it with new hardware. It's just, that's a really nice thing, especially for an LTS release. And then Jon also made posts recently about an AI strategy that they're taking on at Canonical, which made a lot of news. So I think that's something we could chat with him about as well. So Jon is joining us on the Unplugged program. We didn't scare him away last time. Returning to the show, Jon Seager from
Canonical. Jon, welcome back to the Unplugged program.
Hello there, thanks for having me.
Hello and congratulations on the LTS release, which, rumor has it, is also the first LTS under your watch.
That's right, yeah. So the Questing release was my first kind of interim that I had, I guess, a full cycle, and then this is the first LTS, yeah.
Okay, is it a little different this time? I mean, does it feel different? Being on the inside hit different, Jon.
It, I mean, from the perspective of the release and planning, and the whole, we do this sprint in London where the release team come along and we get everything together, it all felt kind of similar, but just with a little bit more pressure. You know, it kind of has to fly a little bit quicker and be a bit less, or even more, bug-free, I suppose, than an interim. But we also decelerate slightly the pace of change, and we make the call slightly differently as we get close to the release date,
whether or not something's going to make it, based on our view on whether it's going to cause any instability or issues. Whereas, you know, the early interims, we would maybe be a little bit more.
Risky. So I do hear that a lot, but is there still something in the LTS release that is like the thing that you're excited about releasing? I'm sure that happens with the interim releases, where you're like, this is the thing we're really looking at. But does that happen with an LTS release, or is it all old by then? It's all known.
And there's nothing new that we've never done in this release, aside from shipping ROCm and CUDA.
Oh, part of Canonical, sure, but.
Of course, it is also the first time that everybody, or 90% of our users, will get the Rust coreutils and the Rust sudo. And so as much as I'm confident in those changes, we've done testing, we've had lots of feedback, there are going to be a whole bunch more people getting that over the next few weeks.
Right. Now it's really getting out to a whole new group of users, the real base.
Yeah, I can kind of tell in some of your writing that there's obviously the regular sort of professional pride in releasing a nice product and running a good team and all that, but it feels like you all get, you know, just how much of the internet and the cloud is underpinned, especially by these LTS releases.
Honestly, it's one of the most exciting things about working on Ubuntu, in my view. I quite like that sort of sense of impending doom if you get it wrong. Keeps you sharp.
Yeah, it means your work matters, clearly. Okay.
Let's keep talking about the Rust stuff for a minute, because I saw a recent, I think it was a post on the community Discourse that, I may be getting some of the details wrong, so Jon, please fill in the details, that you hired a third-party audit firm to go through some of the Rust coreutils. They found some stuff, and now you guys are working through bug fixing that. Can you walk me through, because obviously I'm a little vague on the details, can you walk me through that?
So when we first committed to doing this, our security team, which is pretty large at this point, as you would imagine, were keen to take a look and double check. They found a few issues themselves, and as a kind of abundance of caution, we decided to fund a third-party security audit with a company called Zellic. They found a bunch of stuff, fixed a bunch of stuff, worked with Sylvestre, who runs the uutils project.
We were pretty happy, but we thought we would go again, do another round of security audit, and also get some assistance from Zellic on patching in some cases. I found a bunch more stuff. They were pretty great to work with. Sylvestre, I have to say, did a phenomenal job. I think we piled a lot on his plate. We gave some funding to the project and we tried to be as careful as possible, but we found a lot of issues.
There were a lot of bug reports from our users, et cetera, and he handled it superbly. And so where we've landed is we patched the vast majority of the vulnerabilities that we found, or the issues that we found. There are three utilities which are still affected, which is cp, mv, and rm. And so we chose not to make those the default in the LTS, just sort of out of an abundance of caution. So this is a time-of-check, time-of-use error.
They're all linked to kind of the same problem and will get patched over the coming weeks and we will then switch those utilities out for the next interim.
I wonder if it's, you mentioned that specific vulnerability. I wonder if these rounds have been informative around sort of the things that like the Rust improvements can address and the things that, you know, still just need to be addressed via, you know, more traditional software techniques.
Right, that's it. Writing Rust code does not mean bug-free. It means a much lower likelihood of memory safety violations where used correctly, and this is kind of proof of that. Although not all of the issues we found were exclusive to the Rust versions. We found issues in the GNU versions, and if you actually look at the latest GNU coreutils release, Sylvestre's one of the most prolific contributors to that release. So it's nice. There's nowhere near as much animosity as perhaps people might
suggest. It's quite collaborative. The game here is not to discredit the GNU coreutils, and if we find things that can benefit them, that work goes upstream too.
So that's great. I mean, especially because, right, having two implementations is just all the better for the whole ecosystem. It did strike me, too, you touched on working upstream, and especially with the Rust version, it's one thing to get funding and do all the support that y'all are offering, which is wonderful, but it's kind of another to then, I don't know, implicitly be willing to accept some of your priorities
in, like, an upstream way, of being able to prioritize those things and keep the working relationship.
And this was, and I'll be honest, it got tough a couple of times. You know, there was a point midway through this cycle where I think we didn't quite get that balance right, or our communication wasn't perfect, and we had a bit of a shaky moment with Sylvestre, and we got on a call and we, you know, made it better. We found a little bit more funding to help.
But it is hard. And this is why when we started this project, before we ever announced it, we started with conversations for these projects to say, we'd love to do this, but it could get kind of intense. You know, what do you think? Like, is the project in a position to support this? You know, how could we help? What funding, what support could we try and extend where we have the resources to kind of make it as successful as possible and also not bury the project?
It's no good for us to switch it in the LTS if the project then flames out and disappears. Sure.
Yeah. Okay. I know we've touched on this before, but somebody listening, maybe that hasn't heard our previous conversation, they've got to be asking themselves, why go through the trouble? You've already got these great utils. They've been around for 30 years. Why not just use those? Jon, why are you going through all this trouble for this buggy software?
It is. There are a lot of answers to that question. So one is it's a bit of a statement of intent. Some 90 percent of vulnerabilities in the software world are due to memory safety violations. And so I think if we move to a language where that becomes very difficult or impossible, that's great. And you could argue that starting with the coreutils maybe isn't the best target, but starting with the coreutils is kind of the statement, in a sense. There's also loads of them.
And I think it is a way of us getting more people engaged with open source development. There's lots of new graduates who are learning Rust at university and think Rust is very exciting. And we need to keep thinking about ways to keep people involved in open source and having them learn or work in languages they're interested in with modern tooling, with a vibrant community is one way. There's the cynical angle, which was kind of highlighted to me after we committed to it, if I'm honest.
The cynical angle is we get paid for fixing security vulnerabilities in code. Like we, long-term support and security maintenance is how Canonical makes its money. And one assumes that over the next 15 years, we will have to address fewer with this change, though we bluntly have made quite a large upfront investment in this. So I think it'll be a few years.
But it is seen as a large, it's seen as an upfront investment in perhaps a long-term payoff for support a decade down the road.
I think it will be, personally. I, you know, that wasn't particularly front of my mind in the decision-making calculus. What was front of my mind in the decision-making was, I want to ship the most resilient operating system I can. And the fewer things, or I'll say the more things that are written in a memory-safe language that are high-performance, that are well-tested, the better. So coreutils is one of those projects where there was quite high conformance with the original test suite.
sudo-rs was another of those where it was quite a high-quality, quite a mature project already. The next one will be ntpd-rs, which I'm actually really excited about, because I think that'll be the first time we get a single binary that can handle NTP, NTS, and PTP all in one utility that is both the client and the server. Whereas previously, it has been a bit of a dance. So that's part of the work that we're funding on the way to rusty time syncing in Ubuntu.
Rusty time syncing.
Well, and that seems exactly kind of what you said, right? You're interested in a resilient, robust, well-functioning operating system. And, you know, most of us don't usually have to think about it, but especially in distributed systems, keeping the time is of critical importance.
Right. And another target is going to be compression libraries. And the bit that genuinely gets me fired up here is, okay, compression could be a little faster, maybe. What's even more exciting is the energy usage. You think of the scale of Ubuntu and how many machines are running Ubuntu. Imagine if we took 1% off the energy usage of every single one of those machines on the planet. Now, we're not going to get there by changing cp and rm and mv.
And we maybe even won't get there with compression or a single compression algorithm. But cumulatively, over the space of five years, we could genuinely make a meaningful difference to the idle consumption of a machine anywhere on the planet, which I think is an interesting goal.
Yeah, it's these are the kind of goals that you don't necessarily start an operating system having in mind. But something like Ubuntu being around so long, you can start to have the luxury of having these greater goals in mind. So I like hearing that. I do have a question about Rust. You mentioned an obvious reason to adopt Rust, the memory safety aspect of it. I'm curious how that has affected the team in adopting Rust and also why Rust if you ignore the memory safety?
There are other potential languages out there. How's it going, maybe, is the general way of putting all that?
It's going. I would say mixed. As with any other push for new tooling, there are people who are really excited by it and people who are less excited by it. Our Foundations team have really leaned in here. We're doing some work on boot at the moment, which will be in Rust. I am trying to get us away, in as many places as possible, from things that are becoming more antiquated. And so I have asked the team to stop writing new C code.
We still have to keep maintaining old C code. That's going to happen for a long time. We need to maintain our, you know, apt is still written in C++, for example. Although we'll start to introduce Rust, I suspect, in the next year or so.
But when we're writing new code, and when we're looking at bits of tooling that we use for building the distro, I would really prefer it if we stopped using C. We ideally didn't use Bash and Python. Bash is great for small scripts, but, I don't know, as they get bigger and bigger and bigger, they get harder to maintain and test. Python, the language is nice, bit of a packaging and distribution nightmare.
And so I'm steering my teams at the moment towards, generally, Go for where things are very networky or very concurrent, so a programming language designed for doing networking and concurrency. And then anything that's kind of low-level systems programming towards Rust.
I think Rust is the best option we have right now as a replacement or a successor to the C and C++ ecosystem. So we don't tend to adopt loads and loads and loads of programming languages at Canonical. We're not that big. It wouldn't be very helpful if we had one team doing Haskell and another team doing Erlang and one doing Rust and one doing Zig and one doing Java. So we try to be quite deliberate, and generally those languages at Canonical are Python, Go, and Rust.
It makes sense. Rust is one of those languages now that can target a lot of things, with a modern toolchain that, you know, I'm sure a bunch of, and Canonical has a lot of experience trying to find the limited pool of developers who are up to date on the sort of esoteric desktop Linux, you know, how you put together a distro.
So if you have that wider, but you also get, right, like abstractions that don't have as much runtime cost, and you can have security benefits. So you kind of get this all in a package, and there's just not that many other languages right now that compete with that.
Yeah, and I think the Rust Foundation, the core team take it very seriously. So we recently joined the Rust Foundation as gold members. And that was partially to support the ecosystem and the folks who develop the language, but also with a bit of an agenda of our own, which is to try and work with them on things like the crates.io security story, on things like hopefully enhancing the standard library.
I have some opinions about where Rust could go with that and potentially some of the mechanics around things like async.io or async, sorry. So we joined the foundation to give funding, but also to try and contribute expertise from Canonical where we have them in the right discussions, that kind of thing. And they've been, we only joined formally in 2018. When was it? Whenever KubeCon was February, I think, February or March.
But they've been great to work with so far. And I'm looking forward to seeing where that goes.
Well, there's a lot in there. I want to bring us back to Ubuntu a bit, because just before we got on the horn yesterday or so, you posted a post on the discourse that was titled The Future of AI in Ubuntu. And it's a rundown of Canonical's approach. your thoughts around integration of these toolings, how to get the balance right, and all of that.
And this, of course, it's a huge topic. AI is such a huge, encompassing term for a bunch of different technologies that users are going to want to use on top of Ubuntu. So, John, can you kind of walk us through what the announcement is here and what the plan is?
Yeah, so, I mean, I'll preface this by saying, like, I knew this was going to be spicy.
Yeah, I imagine, right?
This is, like...
If you thought the rough stuff was spicy.
Right, like I figured I'd annoyed all of the people I probably could with that, so it's time to shift on something even more exclusive. So I think the point here is, anytime there's a change like this, and I see people reacting, I always think, I try to understand where they're coming from. And the thing that I would try to remind people of is, whatever your feeling is, it's valid. Like, if you really don't want AI in your operating system, that's a perfectly acceptable position.
But what I try to articulate in a way that isn't too brash is Ubuntu is not for me. It's not for you. Ubuntu is for millions of people. And for everyone who is desperately trying to avoid AI, who is an Ubuntu user, there are probably as many people who can't get it quick enough. And so the challenge that we have is always like, how do we walk that line?
Balancing either two sides of a feature like AI, but more broadly, making an operating system that is appealing to educators and students, to two-man startups, to Fortune 500 companies. It's a difficult line to walk. And so we haven't pounced on this too quickly. And really, this is the first post to open the conversation about how AI will play a part in Ubuntu's future.
It will play a part in Ubuntu's future, partly because I truly believe there is some value in the technology when it's applied correctly. And partly because it's kind of difficult not to in 2026. Like customers, partners are asking us what our plan is. So we've thought about this quite a lot. We've taken what I think is a really measured approach at Canonical.
You see lots of, frankly, quite scary things on the internet about companies setting token quotas for people and measuring the percentage of code they write with AI. And I don't really believe in that. That doesn't seem like the right approach. We're taking a more careful approach. We are heavily, as of this year, heavily encouraging, incentivizing our folks to go at the team level to go pick a vendor and a tool, ideally an open source harness if possible.
But if a team really wants to use Claude, we'll let them use Claude, understand it, get to know it. And then that way we can get a sense of which are the tools that work for Canonical, et cetera.
And we'll ramp up our expectations. It'll start with experiment with something, then it'll be demonstrate that you've built a bit of a habit around it, perhaps demonstrate that you've been able to accelerate a roadmap feature with it, and then demonstrate that there is rigor around it in terms of running evals and really understanding how it can be embedded into automation workflows, potentially things like Claws, which I know you guys have been having fun with.
These are all possibilities, but not things to be taken lightly. There was news this week of, I forget the name of the company, an AI bot that supposedly went rogue and took out production infrastructure. The AI bot didn't go rogue. The AI bot was given far too broad of permissions, right? That's what happened there.
And probably vague instructions.
All right, so our challenge is how do we... Like if we're going to, how should we integrate AI into Ubuntu? And I see this in two camps. I laid this out in the post as kind of implicit features and explicit features. And the way I would think about this is implicit features are enhancements to things the OS already did.
So this could be screen reading, could be speech to text or text to speech, could be follow focus on a camera, things that people have kind of become accustomed to being enhanced by ML. And I wouldn't necessarily call those AI features, even as we add models to those features, I wouldn't necessarily be decorating them as AI features.
Right.
But think about, you know, from the perspective of a user who is hard of hearing or visually impaired in some way, this could be a huge game changer.
Right.
Screen readers are pretty tough to use. And imagine you could point a camera at the screen instead and ask it, I don't know what's going on.
And it's an area in particular that Linux could use some help with, right? It's an area that...
For sure.
Yeah.
For sure. So then the explicit side is a little bit harder to quantify because I don't want to tell you what we're planning yet because we're still planning it. The explicit is much more like this is an AI feature. And I would describe this as features that introduce a new mental model or a new way of working with your machine that you didn't have before. Like you guys have already explored this. You're sending telegram messages and matrix messages to a bot that is doing things on your behalf.
That is, like, you have not been able to Telegram message your computer before in such a rich way. That's a new, like, mental model for interacting with the machine.
Standing up infrastructure via Telegram, basically, you know?
Right.
It's a new area.
But also, like, Linux is so wildly powerful, but also kind of vexing for people who aren't experienced. Yeah. And imagine if, you know, you could bring up a box and say, my Wi-Fi is not working. Why isn't my Wi-Fi working? Can you help me fix it? Or, um... I don't know. I'd like to run a Postgres container. Can you help me with that?
Right, right.
And interestingly, lots of the things we've been working on over time, I don't think we could have necessarily predicted this much of a fit, but things like snaps turn out to be kind of a boon here. Like individual tools or models confined with individual profiles of confinement that say, this thing is allowed to read these directories, access the camera, you know, do this on the system.
And we can have a bunch of them on the machine with very, very tightly scoped permissions using a mechanism that we trust that is in the kernel that is AppArmor. And one of the questions that got asked a lot on that thread, and I posted a follow-up, was about would we do an AI kill switch in Ubuntu? Which I think controversially, I answered no to. And I answered no to because I don't think we can hand on heart honestly do that. There are so many ways which you can consume software on a machine.
What happens if I say, we're going to ship a kill switch, you turn the kill switch on, and then Mozilla ship a package update in their official dev that you just smell at them.
Yeah, or a driver even. I mean, it could happen at any level.
Or a driver.
Yeah, it could be.
Unless you're proxying every request that any system makes. Like, how could you even have that?
It could, yeah, it could just sneak in. Yeah, that's where we're at now. And for better or worse. Yeah. So how do you address that? Because it does seem like a user, there is some sort of user demand there for that.
Either for performance or for privacy or a variety of things.
We have seen Mozilla try to offer for some kind of kill switch in Firefox.
Yeah, and I think in something like the browser, it makes a bit more sense. It's a kind of product where you can, it's a bit more isolated. So, no, browsers are huge now. It's a bit more isolated than the whole OS. So my approach is, firstly, for all of the distaste people have for snaps, this is an area where it's actually going to be really beneficial. So we can't ship LLM models in the installer because our ISO will be...
It's already a little happy.
It carries a little bit of timber these days, so I don't want to make that decision. So my plan is that we will, as part of the first-run onboarding wizard, you will get the opportunity. We'll say, hey, we have this thing, to be defined. Do you want in or out? It uses AI. And if you are in, then it will go off and get the correctly sized model to run locally on your machine. And so the irony here is lots of the same people, I think, who have displayed some distaste for snaps are now displaying distaste for AI, but it is the snaps that are going to allow them to remove the AI from their machine very cleanly.
Oh, that is ironic.
It does seem like the, you've mentioned a few things that snaps help here. It does seem like the sort of architecture awareness that snaps have is probably pretty helpful here considering all of the AI models and custom silicon and all that.
Yeah, really.
We did some work a few months ago called Inference. We did a product called Inference Snaps. I talked about this at a meetup, and if you search for Inference Snaps, you'll find the details. But this is essentially, we are packaging models like Gemma 3, DeepSeek, Qwen, Nemotron from NVIDIA. And then, say, you can snap install Gemma 3, you can snap install Nemotron, you can snap install DeepSeek.
But the work we're doing that's actually interesting is we then work with all the silicon vendors like AMD, NVIDIA, Qualcomm, MediaTek. And we work with them, where they want to, on particular models to get, like, silicon, how to describe it, silicon-optimized versions of those models precisely for your hardware. So there's, like, a manifest. Your machine goes, hey, this is what I've got, talks to our store, and our store goes, aha, we know all about that GPU, so does AMD, here's a model that works just great on that GPU.
Just the tensors for you. Wow, that's amazing.
Right, so it saves you having to do this: go to Hugging Face, hit search, and then sit there scratching your head for a few minutes trying to work out what's going to fit on your machine. Right? Just go, I've heard of Gemma 4, I want Gemma 4, let me install it. And so the foundation for AI in Ubuntu will be these snaps. So local first, local inference, with models that we distribute, having worked with the silicon vendors to get the most efficient form of it to you that we can, with some confinement around it as well, right?
So does part of this process work when, you know, you're looking at the roadmap for Ubuntu and hardware partners come to you or come to Canonical and they say, in the next two, three years, we're going to be building these inference chips into our laptops and desktops. We'd really like your desktop to take advantage of this. And then, so you're looking at the plan, you go, okay, this is some ways we can do that. Is that part of the calculation here?
Yeah, absolutely. It's actually quite interesting to me that I hadn't really appreciated this until I stepped into this role, even though I'd been at Canonical for some time. The silicon partnership side of our business is increasingly one of our strongest assets.
Oh, okay.
If you think about the work we just did to ship CUDA, so like apt install CUDA, ROCm, apt install ROCm, that's huge.
It is.
From the perspective of, like, a developer getting up and running, getting the right version that works with their kernel, you don't end up with loads of DKMS modules building every time.
100%, it's a huge deal for them.
Even just renting a GPU, it probably spins up an Ubuntu VPS, so the better that gets.
Yeah, really.
Right, and so the same is true of other kinds of hardware and segments. So one of the things we're shipping is the DOCA OFED stack, which is the accelerated networking stack, like the data center networking stack that NVIDIA, or that's the SDK that NVIDIA distributes. So I think it is really important. Things like AI in Ubuntu, and being able to, with some confidence, tell you that that will be plausible in a local-first way, is only really possible if we work with the people who are building the chips really closely. And it's quite a symbiotic thing, right? They want to build the best silicon possible. They don't want to concern themselves with Linux distribution packaging, because they have their focus and we have ours. And that partnership worked out really nicely for us with NVIDIA, with the DGX Spark.
We sort of went on this journey with NVIDIA where they used to take Ubuntu, you know, with agreement with us, repackage it into a thing called DGX OS, and then put some extra stuff on top of it and ship it with their DGX machines. The DGX Spark was the first time NVIDIA went, you know what, we're just going to ship Ubuntu. And so the DGX Spark, which is like a four-thousand-dollar AI workstation, went out the door where the only supported OS was Ubuntu. And it was just, like, not special NVIDIA Ubuntu, not like weird Frankenubuntu. It was like, just go download Ubuntu, put it on a USB stick, off you go. And I think it's a nice experience in the end.
It's really great. It's the perfect positioning at the right time. This could have gone a different direction where all of this was done on Windows or Macs or something like that. And, you know, whatever people say about AI and how they feel about it, I am very grateful that Linux is very much part of this, and people that are deploying all this infrastructure are deploying it on Linux.
And there's been a lot of great open source work here, just with llama.cpp, all kinds of stuff in this space. But there are some things that the open source community side is less well-situated for, which is things like working with partnerships with companies making hardware.
Yeah, that's very true.
And it's interesting. So one of the things I would argue that has been complicated for Linux's desktop adoption is the fragmentation. And I think fragmentation in the desktop space is simultaneously Linux's biggest strength and also weakness. It's its strength in the sense that there have been like thousands of really bright people who have scratched an itch that they've had over time and done amazing things.
The drawback is they're not always necessarily motivated to make it work seamlessly with other people's stuff, which is why if you look at the modern Linux desktop, it's like so many different things kind of stitched together. And every time something breaks on my Linux machine, I'm simultaneously kind of annoyed and also kind of stunned it works at all.
Yeah, I agree.
But I think in the world of agents and think about what I was saying about perhaps an experience where you could ask your machine to do something or troubleshoot itself. Like all of a sudden that fragmentation problem isn't such a problem if you've got a thing that already knows all the things, right? Or knows how to go and get information about all of the particular parts of
the system that you have. Like, in reality, I don't know anybody, even the best Linux admins I've ever met do not know everything about every package on their machine.
But now we have something that can pull the actual source and read it and teach itself a lay of the land in, you know, a few minutes.
I think we're going to end up with a lot more Linux usage. Yes. Don't you think we're just going to see even more free software, more Ubuntu, more Linux deployed because of this?
I do. And I totally recognize people's skepticism. I have a lot of empathy for the people who... are replying to my posts a little hot under the collar. And I guess it is our responsibility to demonstrate to our users that we will keep privacy in mind. We will try to pick models that are licensed in such a way that it feels aligned with the values of open source. Because I think even when you talk about things like open weight and open source, they just carry a different meaning in this space.
It's not the same thing that open source people have been used to. And so we have to work out how to navigate that in a way that is useful to the people who are all in and want to play and provides a nice on-ramp, but not offensive to the people who just want out at the end of the day. And my goal is absolutely not to start shipping a Clippy or a co-pilot button on everyone's dock and forcing you to use it. Do you know what I mean? That's not the model. No doubt.
I can almost hear people typing about the Amazon affiliate link that happened to you from like 15 years ago.
It's not going to be like that.
Now we're introducing Debbie.
Yeah, right?
Right. So we are going to, we are going to build a layer features in, I hope, as an experiment, but I'm quite committed to it. It's not an experiment that I think will fail. It's just that we have a few ideas. We'll try them out.
You know, I'm excited because, John, it has a lot of potential, especially when you're saying the solve my Wi-Fi, why won't my printer connect, my second monitor isn't turning on, because you have an opportunity to focus something that knows the system well. It knows the version of Ubuntu it's on. It knows it's on.
There's these things that will just the agent or whatever it'll be that's running on the system will be aware of that a user would have to spend a lot of time if they just opened up OpenCode or something the first time trying to get the same results out of. So I think that has a ton of potential there. That's exciting.
I'm curious if you gents think that that will make us Linux users less aware of our systems and how they're built. Because part of the joy, I think, early on in probably each of our Linux journey is breaking all the things and learning how it's all put together and then being able to customize it in such a way that makes it our own or makes you understand some users', challenges and solve them if you have that kind of position at somewhere like Canonical.
And so is using some of these tools going to take us away from understanding what's under the hood?
I don't think so, if you have an interest in understanding what's under the hood. But I think if you are someone who wants your computer to work and you don't care how, it's a huge level up. So I have, you know, a year ago, I know I was very much in the skeptic category. I have completely immersed myself in Claude Code and played around with Claws and all this stuff. I've gone really deep on it and tried to learn as much as I can and use it as kind of natively as possible.
And I have found it the most unbelievable accelerator for learning some things I've always wanted to learn, for trying out perhaps new architecture patterns
that maybe I'd never have had the time to do. So of course one can poke the machine, blindly accept what it has, and ship it. And actually, for little personal projects, why not? Do you know what I mean? Like, you want to do something for you, do the thing. But an example: like, I built this coffee tracking app. I'm an insufferable filter coffee nerd. I built this thing, and I think you guys picked up on the book thing, which was actually a fork of the coffee thing. There was a bunch of stuff in there that I had never done before, and it took me a while to build it, but it was really interesting to be able to go through that process. You know, I was bringing the, this is how I want this application to be structured. I want to use domain-driven design. There are some rules I don't want you to break. And it was able to assist with the bits I didn't know. And it felt more like a long-lived pair programmer than someone who was just doing the work for me.
It wasn't a vending machine for an app, do you know what I mean? I was heavily involved in it.
It's a fascinating journey I think people take. Similar one myself: very skeptical, it's just autocomplete, what's the point? To finding it extremely useful and an accelerator myself, and realizing it's a very powerful Linux tool as well.
It does make me think we have an opportunity for the show, just in that to Brent's point, you learn a lot when you have to constantly fix things. The trade-off is you don't always get to choose, right? Sometimes you have to fix it when you'd much rather be using your computer for something, right?
So then the danger is maybe you never stop to ask. If you don't have to fix it, you never ask, but I think that's maybe an opportunity for us to make sure people who want to be curious know that there are questions they can't ask.
And I think, John, I don't know what for you, but it reminds me too of some of the arguments we're still having to this day about cloud computing versus spinning up your own Linux system or serverless computing is, you know, it's essentially abstracting away part of, if you do a one-app deployment on DigitalOcean or if you deploy something on AWS or use serverless technology, you're not really learning Linux either.
And you don't even know NTPD needs to be a thing.
And I see lots of the, lots of the arguments, and this is, I don't know, like, this is maybe a hot take, but like lots of the arguments sound exactly like the arguments people made when we first got compilers.
Yes. And package managers. I don't trust that to write code. And package managers as well. I'm not going to let that install stuff in my Linux box. Are you crazy? You're right.
Yeah. And so what I say is like, to people who perhaps have been skeptical, I've been there. I feel like I really get it. But the space moves so fast that if your opinion is even six months old, it's worth just playing around and seeing what happens.
I think that's so true.
I've also seen people who have bounced off it where they've said, okay, well, I've heard about this Vibe coding thing, and they've gone away and tweaked their Vim configuration and tried to get an LSP. And like, okay, cool, you can kind of make it work with Vim. But just spend a day with Antigravity or VS Code and Claude. Spend a day in an environment that was designed to be used in this way and just see, like, just poke around a bit, see how it feels.
Like, you know, my feeling is that this really isn't going anywhere. And I think there are two ways we could try and stop this or try and shape this. One is stamp our feet and say, we're not doing it. We don't like it. It's open source. It's big tech, blah, blah, blah. And be petulant over it. We're not going to win. The other way is to educate ourselves as much as we possibly can, be part of the conversation and influence it. so that it isn't a burden on open source, it is a positive force.
So right now, lots of projects are absolutely suffering because people are irresponsibly hurling commits at them that they haven't reviewed. I think it is the responsibility of us all to basically try to work with those people and say, hey, this isn't quite what we're looking for. Can we work with you to kind of like, we like the idea. Can we work with you to get this in a state that we can review it?
And over time, we will have a generation of people who really understand how to wield these tools in a way that gets great results.
Yeah, we don't have a lot of culture yet, you know?
Yeah.
We don't know how to use these. We're constantly discovering what we can even do, let alone how we should do it with each other.
However, I think that's the right mindset to start building a culture around this tooling in Ubuntu. I think you have the right recipe there to build something responsible in Ubuntu. So I'm looking forward to see where you take it.
It's an exciting time. I personally have gone from being, like I said, very skeptical to feeling like I'm more excited about coming to work and working on tech than I've been in a really long time.
Yeah.
There is something unlocked in my mind and I am building side projects at an alarming rate.
I love it.
It's just, it's been, I sort of also, I have sympathy for the, it's taking my craft and I can see that people are... I can see how people would have the other reaction. My experience has been the opposite. I'm like, all of a sudden, there's all this stuff I can build that I've been thinking about for years.
Yeah, we've been saying it's the most fun we've had with computers in years.
It feels like finding Linux again, in a way.
It really does. And to your point, too, you're right. There is a bit of a craft in art that I see Wes wince when I produce some slop things. But at the same time, it's a comparison that's a little cliche, but I was just thinking when you were talking, it's very much like digital photography. Everybody now has a camera in their pocket, And because of that, I have incredible pictures of my children that I wouldn't have had otherwise.
So I'm glad the digital photography and cameras came along, even though it sort of wrecked the art of photography a little bit for everybody trying to get that perfect golden hour sunset shot. It was a tradeoff, but now I have these keepsakes that I'll treasure forever that are extremely valuable to me. And I think it's kind of a similar tradeoff with, yes, some of the craft and the art of programming will be lost. That's not going away. They're still photographers.
but I also will have these keepsakes and these personal things that are extremely valuable to me and it makes me very excited and I'm glad that Ubuntu isn't shying away from it and that they seem that you seem to have a very responsible and practical pragmatic take for it so I think it's great. John I mean this is, it's been a great week, it's been a great chat. Is there anything else you want to touch on before we scoot?
No, other than we're going to need help. So if this sounds interesting, then hit us up. We are hiring like crazy, which is a little unusual at the moment in tech, but we have a lot of openings and a very famous hiring process. If you'd like to come play, then I would recommend it. But otherwise, I think the next exciting thing is, let's make the interims crazy again. I promised it when I took over Ubuntu. So the next release is going to be the Stonking Stingray.
Good name.
I like that.
Very excited about that. And so, yeah, we'll start to see the first of these new features landing, and we'll see where it goes.
We'll keep an eye. John, thank you so much. I hope we can chat again soon.
Likewise. Thanks very much.
β ΒΆ Daemon on my Shoulder
Well, dear listeners and distinguished hosts, you may have noticed this week is Linux Unplugged 6.6.5.
Oh, yeah.
And we've been teasing that, well, this week, this coming week, is the BSD Challenge week.
We officially are kicking off the BSD Challenge. This is my stupid stinger. Is that what it...
Sounds like when you put BSD...
Yeah, that's my, that's BSD in a song, in a stinger, so.
You've mentioned BSD a great number of times this week compared to, I don't know...
Every other...
Week this year. So I'm wondering, have you gotten any closer to deciding what you're going to do this...
Week? Yeah, yes, I have, because I wanted to hit the ground running like we do with these challenges. There's no rule that says you can't poke around a little bit before the starting line. Oh, of course not. You know, like, if you're going to race a car, you take it on the track a few times. So I wanted to have the best experience possible to flip my impression of BSD as a desktop operating system.
Oh, what's your impression currently?
That it's for masochists. It's for people that like to hurt themselves, and just want to struggle the entire time they're using computers or trying to get software running or anything like that. Okay, great. And so I thought GhostBSD would be a great way to kind of get a modern take on FreeBSD designed for the desktop, to kind of smooth over some of those rough edges and give me a good shot at changing my impression. And that may be the case, but I wanted to test the car out around the track a few times. So I downloaded the latest release and tried to get it going on my machine in QEMU/KVM, and it just wouldn't start up. It started to boot and would fail, start to boot and fail. And I looked into it, and it turns out that, gosh darn it, wouldn't you know it, for the most recent release of GhostBSD there is a currently open bug where the live session fails to start X under QEMU. And so, just your luck. So I'm like, oh, okay. Okay, before I saw this bug, I'm like, I'll go get the community ISO, which uses Xfce instead of MATE. Sure. Same problem. Same exact problem. Come on. And then I found this open bug report that exactly is my issue, which doesn't mean I couldn't use it on a desktop, and I still might. It's still a candidate.
You couldn't easily try it.
Yeah, I couldn't easily try it. So I decided to pivot to FreeBSD 15.1 because the beta just came out this week, and I like me some fresh stuff. And this version of FreeBSD is supposed to offer, in the TUI installer, Plasma Desktop.
Oh.
And I'm like, oh, imagine if I could get myself a modern Plasma desktop on BSD.
That's pretty good.
I'd have Kate, console. I'd have all the stuff I like. I think I could make that work, right?
This feels unfair already.
So I downloaded this morning before the show, thinking I'm going to get this in and I'm going to get a sense of it, so I have an answer for the segment. And I boot it up in the old VM and it starts, and the installer, you know, classic FreeBSD text-based installer, TUI, whatever, doesn't have the Plasma option. It's not in there. They talked about it being in there. It's not in there. It's not in there. So what I got was a headless FreeBSD install.
Well, that's not that. That's always what you were going to get, really, right? Didn't we know that? Didn't we know that?
Good try, though.
But you could add it later, probably.
Well, I tried that. I tried that. And I do get SDDM working. And I can log in.
Okay.
And then I get a blank session. Because there's some kind of bug that's preventing X11 from working under QEMU on FreeBSD.
Come on.
See, I've got that working on... I don't have 15.1.
Which one do you have? 15?
Yeah, maybe.
We should trade notes. Maybe I should try the 15.
Although I did then end up, just for convenience, so I started using a VNC session, so you could also try that.
You've been kicking tires.
Yeah, I got an i3 going, um, oh yeah, on FreeBSD, that...
Seems like a good...
Choice. I took the cheating route, though, because I noticed that, props to FreeBSD, they provide a bunch of pre-built images and stuff ready to go, like cloud-init minimal ones and, like, more full ones, including with ZFS set up in a pool already, just as a thing. Yeah.
I did do ZFS on root. Why not?
So actually I need to go play with the installer, because this just meant I haven't actually tried the installer yet, because I was able to just sort of dd that right into memory and then boot that in QEMU and start mucking around, you know, get my rc.conf going and...
RAM disk all the way.
Yeah, nice. Just because it was an exploratory setup, right? I did have some issues. I do think there probably are some things we could figure out or work around, perhaps, maybe, I mean, look into around the QEMU stuff specifically, especially for the graphics side.
Also, at this point I could just give up. I mean, ultimately, for the week, I'm going to run it on hardware.
Yeah, so I could...
I just wanted to just try out a few options to see which one I wanted to commit to hardware, I guess. Silly me. But yeah, all right, I might, I mean, I don't know. So which one are you going with officially? 15? FreeBSD 15?
Yeah, well, I wanted to try 15.1. I was just having some issues. Maybe I needed to do some setup, because I think they've made some changes to how some of the package and userland stuff is getting shipped. But I was using it slightly before the beta was officially out, so I don't know.
Brantley, have you picked a BSD that you're going to roll?
I think my choices may be less responsible than both of yours. I was under a car for most of the week, and then I had this brilliant thought while I was under there, as you do, that I might give NixBSD a try.
Whoa.
I can't believe we didn't think of that.
Actually. I know. I know. I was waiting to see if either of you.
So you're going to have a real advantage, possibly, here.
Or disadvantage. We're going to find out.
Yeah, he might have some compiling to do.
Oh, I hope he does.
I think I also probably need a backup, because I'm not sure. So I would love to hear from the audience. You vote, and I will honor this, vote for which BSD Brent needs to try.
We better get in quick.
If NixBSD doesn't work.
Gotta get in quick.
Yeah. So send in a boost. We will read them ahead of time because I probably in a day or two will desperately need an option B.
Yeah.
Or send us an email, linuxunplugged.com slash contact. Or even if you're on Matrix, we've got the Linux Unplugged feedback room. So I'll keep an eye on all three of those. And I will honor whatever crazy BSD choice you guys send out there.
Okay. I'm thinking, I'm thinking for me, I might go retro hardware too, which may increase the suffering. Now I have different degrees of retro.
Uh, we got the whole museum over there. What are you choosing?
PJ? I don't know if you remember, but did, is that Dell that, that prototype Dell laptop? Is that in working shape at the moment or did we have to harvest from that to make the Odroid work?
Uh, it should work fine. It just needs a drive actually.
Okay. Okay. So I may try and power. Right, right. And it takes a lot of power. I may try running BSD. Oh, there we go.
That's fine.
I mean, this laptop is- Whoa.
This is a chunker.
It's a Dell prototype that was gifted to us when I toured Dell way back, I don't know, four, five, six, seven years ago.
It needs 180 watts?
It takes 180 watts of power.
That's going to be the biggest issue.
Because the reason is it has two Xeons in it.
What?
It has two Xeons. It can have up to something like three or four drives, an insane amount of RAM, although it doesn't have an insane amount of RAM in it.
Oh, it's got that old docking connector of theirs.
The old classic docking connector.
Obviously came with Windows Pro.
It's beautiful on the inside. When you open it up, it is absolutely beautiful. It's huge, too. Open up that. Open up. Just go ahead and. How would you describe the size of that, Wes? It's larger than any laptop probably on the market.
I feel like I'm sinking into it.
Monstrous.
Yeah. I mean, it was a big one, so I don't think they were planning to ship a lot of them, so they just went crazy.
Small trackpad.
Yeah, tiny trackpad. Well, actually, it's a big trackpad. It does have a trackpoint.
Though.
It is actually a big trackpad. It's just a huge laptop. That's what's going on.
The perspectives are all shipped.
Because, look, it's got a full 10 key and a full QWERTY keyboard.
I have a question. When's the last time this thing booted?
The last couple days ago.
Really?
Jeff got it powered up.
Whoa.
Yeah.
What did he power it with?
Um, some USB-C battery thing, some high-power battery.
And he didn't, he didn't leave that for you? Well...
It's his toy. It...
Was pulling...
Nearly 100 watts from that, by the way.
Oh, this thing weighs a lot. Yeah.
It's very heavy, too.
Holy... Yeah, you've got HDMI, though. Huh.
It's a USB-C.
This thing is...
It does have USB-C. However, it's sort of an early implementation of USB-C due to the era, and it does not pull enough power. So you have to use the barrel connector to actually properly power it.
Wow.
And I don't know if I'm going to find that.
Okay. Good luck.
So that's my leading candidate for hardware, just because it'd be a lot of fun to get that old thing running again. It's been on the shelf for a long time, and it's a one-of-one. However, I don't know. I may have to go a different direction. So that all kicks off after the show. We have to officially start knocking off the points. We do have the details. We'd love you to participate and let us know how it goes. LinuxUnplugged.com slash BSD.
And it will give you the details on the Linux Unplugged 666 BSD challenge.
Join us, won't you?
Oh, episode 666.
Please send in your experiences, because we want to know how it went for you as well, by that episode. You've got one week.
Good luck. The scoring system is on the website.
β ΒΆ Shout-Outs
Ooh, Kongaroo Paradox kicks us off with a baller boost. 177,000 sats. Mr. Paradox writes, it's been a while since I boosted, so here's some value back for all the value you provide each week. I think you're also getting the right balance of your AI coverage. Keep it up.
Nice.
Woo-hoo! Thank you very much.
Did you mention how much the boost was for?
Yeah, 177,000 sats.
Okay, great. I missed that. That's unbelievable.
It is.
I just was in a state of, yeah.
But you know what else is unbelievable?
Oh, Derivation Dingus is coming in with 102,767 sats.
What? Oh my goodness! Wow! All right. Also, we just got to see Derivation Dingus.
Yeah, such a treat.
So one of these is a live boost. Great seeing you guys. Linux Fest was a blast. I'm writing this while sitting directly in front of you.
Oh, amazing.
At our live show.
Uh-huh.
Right, right, right.
And then also props to Dingus for sending us a really nice breakdown to some of the copy-fail stuff, including some neat disassembly visualization there.
A little pre-value, because he saw the lit pending item, saw we were going to be talking about a copy-fail, and hooked us up with some 411.
Great.
Thank you, Derivation, for that. That's a double-layer value this episode. Very nice.
And it was indeed great seeing you at LinuxFest.
Yes, indeed.
You know what else is unbelievable?
What's that?
A Dude Trying Stuff is also a booster with 100,000 sats.
What?! Oh my goodness, what is going on?
Boosting in to celebrate getting a new job.
Hey, congratulations, buddy.
It is rough out there, gents. Been applying for over six months.
Way to stick with it.
Thank you for doing the most to keep us updated on the happenings in the community and helping me keep my passion and remember how awesome software really can be. Cheers.
Cheers to you and congratulations. Thanks for sending some value our way, dude. Nice to hear from you too.
Keep trying stuff.
Yeah. Keep trying stuff. The dude abides comes in with 65,432 satoshis. Quite nice as well. Hey, yo, I just realized the last time only a portion of my boost got to all you, so here's a little bit more. Live boost! Thank you. Very nice.
Amunday boosts in with big ducks, 22,222 sats. Live show, LinuxFest Northwest boost.
Very nice. Thank you. Boosting right there from the audience. How about that?
That was fun last week. Well, tomato or tomato or tomato boosts in 4,444 sats.
You say tomato.
Love the LinuxFest Northwest coverage. I've got Dragonfly BSD and OpenBSD both downloaded. I've never run either of them before, so let's see how this goes. 666, devil horns, et cetera, et cetera.
Ah, yes. Dragonfly BSD. I'm surprised that didn't come up.
I don't know if you saw, Brant, but I started a little poll for you in the Matrix chat.
Oh, thank you. That's very kind of you.
Yes, good. Let's get to voting. And you know the mission. You know what the mission is here.
NetBSD, all the way.
So good. Hey, our buddicy, our buddicy, our buddicy, Odyssey. Odyssey Westriff from Spooking comes in with 5,151 sats. Great to see you all live. Odyssey, it is always great to see you live. I was saying to the guys and to Angela, it's like, it's not a Linux fest unless Albert shows up.
Oh, and I got a little 3D printed gift from Albert as well. These little tiny, really impressively printed penguins.
Super smooth 3D printed penguins.
Yeah, super nice. Thank you.
And he gave me a 3D gift for the kids, which I did pass along.
I saw them a little all over.
Yeah, yeah.
Also, Odyssey Westra is in the live chat right now saying, I'm just trying to get Ghost BSD to boot on this damn Chromebook. Can't get it to boot though. Can't mount the U2F mount.
Well, it is famous for its wide variety of Chromebook support. Thanks for the value, Albert. We appreciate it.
Moon and Night boosts in with 2,000 sats. I've been using Ventoy for a while, and I'm curious what baggage and edge cases y'all are referring to in this episode.
I don't know. These two guys don't like Ventoy.
Zero.
I love it.
I have never had success with Ventoy. I don't know what I'm doing wrong. I've tried several times, but I always run into an issue where it can't boot the specific ISO I want to be booting. And I don't know if it's a hardware issue. I don't know. I don't know.
We should try maybe one that we make.
Yeah, maybe. I mean, the...
Long time. No, I...
Have... He has one on a, like, really fancy USB drive.
With an SSD in there. Oh, even that doesn't work? Still...
Using that, by the way, from the very first time we covered it. I'm still...
Using that same thing. That's true. NVMe...
In there, and it rocks. It's got C on one end, A on the other end. It works on every machine ever. Not at all.
Wow Yeah.
So let us know what you think about Ventoy.
I will add, so there's the... Some people struggle with it. It seems like maybe some firmwares or UEFI setups just don't like it, so mileage may vary. But then, separately, there's some concern around binary blobs that are present in the code base, and so it's been brought up. It hasn't ever really been fully addressed; there's been more tension about it over time. So some folks have sort of provenance and trust issues with the delivery of how you get Ventoy. You...
Can pivot to that now. That...
Makes me feel slightly better.
But thank you for that question, clearly, Moon and Night. It needs addressing, and I'd like to hear what people think about Ventoy.
I guess last year the dev did have some response saying that the blobs come from other open source and propose to build them from GitHub CI. I don't know if any of that's actually really happened yet.
Maybe instead of blobs.
Make your own judgment. I don't know. It kind of depends on what your trust.
What if we called them magic boxes instead of blobs? And then it's not so bad. You know, it's got some magic boxes. It ships with a few magic boxes. I mean, I'd like to know how it works, but it's magic. Okay, I'll accept that. And then we don't call them blobs. Blobs is something you fight in a video game. Distro Stu comes in with 3,333. And says, you're doing a great job. Well, thank you, Distro. You're doing a great job. Should we, you want to play a little, I got that for you.
I do like the Leonard Nimoy clips from time to time.
Indeed it does.
That's a good one. And then, as Distro Stu requested, there you go.
I just need to let that steep for a bit.
Well, Monty comes in with a row of ducks. Thanks for the push to get my rescue drive system updated and in place.
Nice.
I added a rescue Nix config with boot to RAM now to my flake and have a USB drive plugged into my Proxmox host. From my laptop, I can update the config, build it, and flash it over the network to the USB drive.
Nice. With...
Just a file so I don't forget, and I can then boot a VM on Proxmox that has the USB drive passed through to test it.
Now that's using your kidneys. That's...
Fancy. I can pull the rescue drive out whenever I need it. And then we get a link to Monty's config.
Oh, Monty's a baller. You know we love the configs. Thank you. Oh yeah, oh, I'm just saying, I like, up front, he's got the structure listed in the README, a real quick blurb for 30-plus hosts, my goodness, and then even MIT licensing on there. Well done. It's a clean, lean machine.
Whomever whiz boosts in 10,011 sats, Eric here. I had the best time at LinuxFest Northwest. The brilliant and creative members of this community are intellectually inspiring, funny, astute, inclusive, and generous. I even managed to hook up on Matrix before I left this year so I can stay connected and keep that conversation going. Thank you so much for showing me the way to find my people. Fun will now commence.
Yeah, it really is great, isn't it, Eric? It's more than you can even imagine from afar, and I'm really glad that you had a chance to share that with us. Thank you for the value, too. Mr. Mayhem is here with 6,660 sats. Week one is done, and he posted a full write-up so far. He's started, and he is going for maximum points. The madman is repurposing what he calls a bad-luck NixOS machine into a fresh FreeBSD setup. He's avoiding past GhostBSD concerns. He's going for a full graphical desktop.
He's got a browser. He's got his user count and mounts. Audio are already working. He's got that done. System administration tasks include package updates, OS updates, SSH, service, and scripts. And apparently he has a BSD jail with NGINX running inside of it. We're going to need to see. Oh, we're going to need to see the submission. I don't know.
Yeah, I just think it's sounding like Mayhem is winning.
Yeah, so far. Stretch goals include a PF firewall rule, bhyve virtualization, ZFS snapshots, and DragonFly BSD.
And tailscale. Oh, yeah.
So Mayhem, if you want to.
I mean, that's a good playbook right there if you just want to join the challenge.
Do you want to just set mine up too?
If you want to be my challenge buddy.
Yeah, send us a disc image. Boost it in.
That would be great. Thank you, everybody, who boosted in. Also, thank you, everybody who streamed sats. 18 of you streamed sats as you listened, and collectively, you stacked 25,350 sats. When you combine that with our baller boosters and everybody who boosted, and we had some great ballers this week, it turned out to be a tremendous episode. And this is the interesting thing about Value for Value. About three days ago, it looked like it was going to be a rather low episode.
And then just a couple of members in the community stepped up.
Huge value storm.
It's one of our better episodes. And it's funny how that can happen sometimes. And we just ride the wave, and we're so grateful. So thank you, everybody. We stacked a grand total of 526,592 sats.
Thank you.
That is very, very great. We really do appreciate that. And if you would like to boost in, Fountain FM makes it really easy these days with fiat or sats, including multiple ways to do that and connecting to your own Alby Hub. Now, if you go Alby Hub, you can integrate with lots of different applications, including the Podcast Index, and you can just boost from the web. It's a great way to support the show, or you can become a member and put your support on autopilot.
Thank you, everybody who supported episode 665, and we look forward to hearing from you and you boosted in on the BSD challenge. Let us know how it goes with a boost or the contact page.
β ΒΆ Picks
BSD boost.
We should have, yeah, 6,666 sats. Is that the BSD boost or something like that?
Any number of sixes will do.
All right, so we got a different kind of pick for you this week. This is kind of, we're going to ask you to try it and report back. Since we're busy with the BSD challenge.
Ask not what your show can pick for you, something like that?
I like that. Yeah. But what you can pick for your podcast.
There we go.
We'd like you to get nasty. N-A-S-T-Y. It is a NAS operating system built on NixOS and BcacheFS. It turns your hardware into a storage appliance that serves NFS, Samba, iSCSI, NVMe over Ethernet, managed all from a nice web UI. Updated automatically. Has rollback support. A new version just came out that integrates a complete backup system using Rustic Core.
So you can go to anything, basically, rustic supports, which is a lot of things. The new log viewer in the UI, a services page with unified services configuration for NFS, Samba, iSCSI, NVMe over networking, UPS stuff, SSH, Docker, backup server, et cetera. And ARM support. It's GPL3. So if you are not participating in the BSD challenge and have some time...
An alternate B-based challenge.
Try out nasty. And report in, because what we're trying to essentially get to is if it's worth us giving it a full go.
Finally, a NAS built on BcacheFS.
Yeah. Wes, is this your project? It feels like something you would want.
I am interested. I will also just sneak in here. BcacheFS a day ago had v138.2 come out. A bunch of performance stuff. Cycle detector and SIX locks improvements. Btree write buffer multi-threading. Btree node merge attempt thrashing fixed. So now, uh, Kent writes, if you've got a workload where we're slower than Btrfs or ZFS, let me know.
Oh, it's open. All right, we'll ride that wave with nasty, and let us know how it goes and if we should try it out. Now, we do have a pick that I think is very handy. It's one of those legacy picks here, you know, a standard pick, but it's one of those you need it when you need it. It's called Diffuse, and it allows you to remove backgrounds from images locally on your desktop. It's a GTK4-based application written in Python using libadwaita, and it just uses WebGPU acceleration on x86-64 systems.
So it's using WebGPU to do an accelerated GPU removal of the background in just a little simple purpose-built application. You don't need to go to a website. You don't need to go to a service. You can just use Diffuse.
Processing is performed using the ISNet general model through ONNX Runtime.
And it is also GPL3.
Neat. Have you tried it? How does it work?
It's pretty good. It does have some challenges on hair, but for some of the stuff, I had a funny picture of Brent to make a sticker. I wanted to use it to make a sticker.
Oh, good.
Hey, no.
Yeah, we need Brent stickers.
And then there's also, I have this picture of Jeff when he's holding a long pole, and that made for a great sticker. I have them for when I need them, you know? If you get a moment, you make a sticker.
That's right. That's responsible sticker making.
It's also available on Flathub, and, no, no, Diffuse. We'll put a link to that in the show notes.
β ΒΆ Outro
Link to nasty, link to everything we talked about today, will be in the show notes. You can find those over at linuxunplugged.com slash 665. And of course, you know what next week is. It is the result of the BSD challenge, and we'd love to hear how it went for you, too. And Wes, some pro tips for people before we get out of here, you got any? Yeah, um...
I'm hooked on structured metadata, maybe you are too. So we have an XML file. And in that XML file, we have a JSON file. Actually, maybe several.
What?
Yeah, and that has chapters.
Oh, nice.
Yeah, which is metadata about the show.
Uh-huh.
And we have even more metadata if you want like.
We do?
Yeah, well, if you want like an SRT file.
Mm.
Yeah, or a VTT file.
Oh.
And then that's like, who said what? When?
In there.
Right?
Ready.
Right, embedded. I mean, it's like a.
Good to go.
You go to the XML, and then that points you to the SRT, and then you got the data.
You got it.
Yeah.
I got it. All right.
But there's these things called podcast apps.
Yeah.
A lot of them do that for you.
Oh, what a great idea.
Yeah. It's quite the ecosystem. They call it podcasting 2.0.
They also support live streams. Yeah, that's right. We are live on a Sunday. You can make it a Tuesday by joining us over at jblive.tv or jblive.fm or like Wes said, in your podcasting 2.0 app of choice. A lot of them just support the live streaming. In there we go. We have it pending so you know like a day before the show when it's going to be. Boom, you hit the button, you're listening. It's incredible. It's amazing. It's a podcast app.
We also got the website, linuxunplugged.com. That uses HTML and CSS. It looks pretty good and it gives you links to stuff. Check it out. You're going to love it. But thank you so much for joining us on this week's episode of your Unplugged program. Hope you enjoyed it. Let us know what you thought. This is a big episode, and we'll see you right back here next Tuesday, as in Sunday!
