Podcasts about OpenSSL

Open-source implementation of the SSL and TLS protocols

  • 192 podcasts
  • 473 episodes
  • 58m average duration
  • 1 new episode per month
  • Latest episode: Oct 2, 2025

Popularity chart (2017 to 2024)


Latest podcast episodes about OpenSSL

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Thursday, October 2nd, 2025: Honeypot Passwords; OneLogin Vuln; Breaking Intel SGX; OpenSSL Patch

Oct 2, 2025 · 8:11

  • Comparing Honeypot Passwords with HIBP: Most passwords used against our honeypots are also found in the Have I Been Pwned list. However, the few percent that are not found tend to be variations of known passwords, extending them to find likely mutations. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Comparing%20Honeypot%20Passwords%20with%20HIBP/32310
  • Breaking Server SGX via DRAM Inspection: By observing read and write operations to memory, it is possible to derive keys stored in SGX and break the security of systems relying on SGX. https://wiretap.fail/files/wiretap.pdf
  • OneLogin OIDC Vulnerability: A vulnerability in OneLogin can be used to read secret application keys. https://www.clutch.security/blog/onelogin-many-secrets-clutch-uncovers-vulnerability-exposing-client-credentials
  • OpenSSL Patch: OpenSSL patched three vulnerabilities. One could lead to remote code execution, but the feature is used infrequently, and the exploit is difficult, according to OpenSSL.
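
The mutation-matching idea in the honeypot item above, worked through as an added example (this is the editor's illustration, not code from the ISC diary, from the honeypot project or from HIBP). Attempted passwords are first checked the way the HIBP Range API checks them, by SHA-1 prefix with the suffix compared locally; the ones not found are reduced to a base form (lowercased, trailing digits and symbols stripped, common leet substitutions undone) and checked again, which is what separates "variation of a known password" from "genuinely new". The breached-password set and the honeypot attempts are constructed sample data, and the k-anonymity index is built locally from that set so the script runs offline.

```python
import hashlib
import re

# Constructed sample data for the example; not from the ISC honeypots or from HIBP.
KNOWN_BREACHED = {"password", "123456", "admin", "letmein", "welcome", "qwerty"}
HONEYPOT_ATTEMPTS = [
    "password", "admin", "Password1", "letmein2024",
    "P@ssw0rd!", "qwerty123", "zxcvb9*1", "123456",
]

# Common leet substitutions attackers apply to a base word; undone during normalisation.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "4": "a", "5": "s", "7": "t"})


def hibp_range_key(password):
    """Split SHA-1(password) the way the HIBP Range API does: the 5 hex-char prefix
    is what gets sent to the service, the remaining 35 chars are compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(passwords):
    """Local stand-in for HIBP range responses: {prefix: {suffix: count}}.
    Built from the constructed set above so the example runs offline."""
    index = {}
    for pw in passwords:
        prefix, suffix = hibp_range_key(pw)
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def is_pwned(password, index):
    prefix, suffix = hibp_range_key(password)
    return suffix in index.get(prefix, {})


def base_form(password):
    """Reduce a password to the known word it was probably derived from:
    lowercase, strip trailing digits/symbols (years, '123', '!'), undo leet."""
    s = password.lower()
    s = re.sub(r"[\d\W_]+$", "", s)
    return s.translate(LEET)


def classify(attempts, index):
    """Bucket honeypot attempts into: directly in the breach set, a mutation of a
    word in the breach set, or novel (worth adding to your own watch list)."""
    result = {"known": [], "mutation": {}, "novel": []}
    for pw in attempts:
        if is_pwned(pw, index):
            result["known"].append(pw)
            continue
        base = base_form(pw)
        if base and base != pw and is_pwned(base, index):
            result["mutation"][pw] = base
        else:
            result["novel"].append(pw)
    return result


if __name__ == "__main__":
    report = classify(HONEYPOT_ATTEMPTS, build_range_index(KNOWN_BREACHED))
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Against real data, replace `build_range_index` with the body of a `GET https://api.pwnedpasswords.com/range/<prefix>` response (one `SUFFIX:COUNT` line per match); the suffix comparison still happens locally, so the full hash never leaves the box.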

Software Engineering Radio - The Podcast for Professional Software Developers
SE Radio 688: Daniel Stenberg on Removing Rust from Curl

Oct 1, 2025 · 57:14

Daniel Stenberg, Swedish Internet protocol expert and founder and lead developer of the Curl project, speaks with SE Radio host Gavin Henry about removing Rust from Curl. They discuss why Hyper was removed from curl, why the last five percent of making it a success was difficult, what the project gained from the 5-year attempt to tackle bringing Rust into a C project, lessons learned for next time, why user support is critical, and the positive long-lasting impact this attempt had. Brought to you by IEEE Computer Society and IEEE Software magazine.

Open Source Security Podcast
OpenSSL with Hana Andersen and Anton Arapov

Sep 22, 2025 · 28:48

I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you're a seasoned cryptographer or just curious about the future of secure communications, this episode offers insights and stories. Don't miss out on learning how OpenSSL is still shaping the future of cryptography. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-09-openssl-hana-anton/

To The Point - Cybersecurity
Keep People At The Center of it All with Mishi Choudhary Part 2 Rerun

Jul 29, 2025 · 34:25

Joining the podcast this week is Mishi Choudhary, SVP and General Counsel at Virtru. Mishi shares with us some legal perspective on the privacy discussion including freedom of thought, the right to be forgotten, end-to-end encryption for protecting user data, finding a middle ground between meeting customer privacy demands and complying with legal requirements, getting to a federal privacy regulation, and so much more! You won't want to miss what is a truly spirited and candid conversation – in two parts!

Mishi Choudhary, SVP and General Counsel, Virtru: A technology lawyer with over 17 years of legal experience, Mishi has served as a legal representative for many of the world's most prominent free and open source software developers and distributors, including the Free Software Foundation, Cloud Native Computing Foundation, Linux Foundation, Debian, the Apache Software Foundation, and OpenSSL. At Virtru, she leads all legal and compliance activities, builds internal processes to continue to accelerate growth, helps shape Virtru and open source strategy, and activates global business development efforts.

For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e343

To The Point - Cybersecurity
Privacy: Keep People At The Center of it All with Mishi Choudhary Rerun

Jul 22, 2025 · 23:37

Joining the podcast this week is Mishi Choudhary, SVP and General Counsel at Virtru. Mishi shares with us some legal perspective on the privacy discussion including freedom of thought, the right to be forgotten, end-to-end encryption for protecting user data, finding a middle ground between meeting customer privacy demands and complying with legal requirements, getting to a federal privacy regulation, and so much more! You won't want to miss what is a truly spirited and candid conversation – in two parts!

Mishi Choudhary, SVP and General Counsel, Virtru: A technology lawyer with over 17 years of legal experience, Mishi has served as a legal representative for many of the world's most prominent free and open source software developers and distributors, including the Free Software Foundation, Cloud Native Computing Foundation, Linux Foundation, Debian, the Apache Software Foundation, and OpenSSL. At Virtru, she leads all legal and compliance activities, builds internal processes to continue to accelerate growth, helps shape Virtru and open source strategy, and activates global business development efforts.

For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e342

Ask Noah Show
Ask Noah Show 437

Apr 16, 2025 · 53:52

This week we dig into how you can host your own 5G and Ubuntu's new certification program!

-- During The Show --

00:45 Technology Another Way
  • Cell Phone sales and inventory
  • Market uncertainty
  • Erasing a phone
  • Moving to GrapheneOS
  • Used equipment
  • Fdroid (https://f-droid.org/)
  • Opportunities to move people to open source
  • Routes to take

14:00 News Wire
  • OpenSSH 10.0p2 - openssh.com (https://www.openssh.com/releasenotes.html)
  • OpenSSL 3.5 - github.com (https://github.com/openssl/openssl/releases)
  • GNU Coreutils 9.7 - gnu.org (https://www.gnu.org/software/coreutils/manual/coreutils.html)
  • Pinta 3.0 - pinta-project.com (https://www.pinta-project.com/releases/3-0.html)
  • OpenELA Leapp - techzine.eu (https://www.techzine.eu/news/devops/130476/openela-introduces-leapp-project-for-in-place-upgrades-of-enterprise-linux/)
  • Linux Mint OEM Support - linuxmint.com (https://blog.linuxmint.com/?p=4825)
  • Asahi Linux Roadblock - appleinsider.com (https://appleinsider.com/articles/25/04/08/asahi-linux-m4-support-hits-a-roadblock-because-of-apple-silicon-changes)
  • Proxmox VE 8.4 - proxmox.com (https://www.proxmox.com/en/about/company-details/press-releases/proxmox-virtual-environment-8-4)
  • Archbang 0904 - sourceforge.net (https://sourceforge.net/projects/archbang/files/ArchBang/archbang-0904-x86_64.iso/download)
  • Feren OS 2025.03 - feren-os.com (https://medium.com/feren-os/feren-os-2025-03-minor-rebase-update-for-feren-os-f82ce0a47a52)
  • Pardus 23.4 - pardus.org (https://pardus.org.tr/en/pardus-23-4-changelog/)
  • SparkyLinux - sparkylinux.org (https://sparkylinux.org/sparky-7-7/)
  • MX 23.6 - mxlinux.org (https://mxlinux.org/blog/mx-23-6-now-available/)
  • Particle OS - itsfoss.com (https://news.itsfoss.com/systemd-particle-os/)
  • Malware "Patches" - darkreading.com (https://www.darkreading.com/cloud-security/open-source-poisoned-patches-infect-local-software)
  • Slopsquatting - theregister.com (https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/)
  • Luminary Cloud and Honda's AI Model - engineering.com (https://www.engineering.com/luminary-cloud-releases-open-source-physics-ai-model-with-honda-nvidia/)

15:50 Canonical Certifications
  • Adriana Frick's Story
  • Why Adriana left tech
  • BGP
  • What did the creation process look like?
  • Defining standards
  • Making it measurable
  • Proving skills
  • How did you learn what employers want
  • Mauricio Buschinelli's Story
  • Verifying completion of a task
  • What does the test look like
  • Easter Eggs throughout
  • As close to real as possible
  • Care about outcomes
  • Accessibility
  • Testing (https://ubuntu.com/credentials)
  • A lot more coming

41:00 5G
  • Cellphone companies want to be at the tower
  • 5G Hardware
  • Entire stack is open source
  • Provisioning Sim Cards
  • Roaming
  • Charmed Ether SD Core

50:00 FCC Licensing
  • Not a walk in the park
  • FCC starting to require receiver registration
  • Spectrum is crowded

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/437)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

This Week in Linux
306: Debian levels up APT, Sony serious about Steam Deck, Quantum Cryptography & more Linux news

Apr 12, 2025 · 23:04

video: https://youtu.be/ua-RPOtdcF8
Comment on the TWIL Forum (https://thisweekinlinux.com/forum)

This week in Linux, APT 3.0 drops, bringing big changes under the hood. Amiga OS, yes, that Amiga OS, is still alive and getting updates, apparently. OpenSSL 3.5 and OpenSSH 10.0 both rolled out new features this week with also some future-proofing involved. And Sony, yes, that Sony, has released The Last of Us Part II on PC and it's Steam Deck verified. All that and much more on This Week in Linux, the weekly news show that keeps you plugged into everything happening in the Linux and Open Source world. Now let's jump right into Your Source for Linux GNews.

Download as MP3 (https://aphid.fireside.fm/d/1437767933/2389be04-5c79-485e-b1ca-3a5b2cebb006/c5514bc1-148c-43d2-a6eb-4d0fcbfd6966.mp3)
Support the Show: Become a Patron = tuxdigital.com/membership (https://tuxdigital.com/membership); Store = tuxdigital.com/store (https://tuxdigital.com/store)

Chapters:
  • 00:00 Intro
  • 00:39 APT 3.0 Released
  • 02:48 Last of US Part 2 Verified for Steam Deck
  • 05:47 MPV 0.40 Released
  • 08:58 Sandfly Security [ad]
  • 10:54 AmigaOS still exists and getting updates apparently
  • 14:24 TUXEDO Provides Update On Their Snapdragon X Elite Linux Laptop
  • 17:20 OpenSSL 3.5 Released
  • 19:19 OpenSSH 10.0 Released
  • 21:41 Support the show

Links:
APT 3.0 Released
  • https://tracker.debian.org/news/1635519/accepted-apt-300-source-into-unstable/
  • https://9to5linux.com/apt-3-0-debian-package-manager-released-with-revamped-command-line-interface
  • https://www.phoronix.com/news/Debian-APT-3.0-Released
Last of US Part 2 Verified for Steam Deck
  • https://gameinformer.com/interview/2025/04/01/naughty-dog-and-nixxes-on-the-pc-port-of-the-last-of-us-part-ii-we-take-the
  • https://www.pcguide.com/news/steam-deck-support-is-so-important-says-the-last-of-us-part-2-pc-project-director/
MPV 0.40 Released
  • https://mpv.io/
  • https://github.com/mpv-player/mpv/releases/tag/v0.40.0
  • https://www.phoronix.com/news/MPV-0.40-Released
  • https://9to5linux.com/mpv-0-40-open-source-video-player-released-with-native-hdr-support-on-linux
Sandfly Security [ad]
  • https://thisweekinlinux.com/sandfly
  • https://destinationlinux.net/409
  • discount code: destination50 (Home Edition)
AmigaOS still exists and getting updates apparently
  • https://www.hyperion-entertainment.com/index.php/news/1-latest-news/320-new-update-3-for-amigaos-32-available-for-download
  • https://www.theregister.com/2025/04/10/amigaos32_3/ (https://www.theregister.com/2025/04/10/amigaos_3_2_3/)
TUXEDO Provides Update On Their Snapdragon X Elite Linux Laptop
  • https://www.tuxedocomputers.com/en/How-is-TUXEDOCOes-ARM-Notebook-Coming-Along.tuxedo
  • https://www.qualcomm.com/products/mobile/snapdragon/laptops-and-tablets/snapdragon-x-elite
  • https://www.linaro.org/
  • https://www.phoronix.com/news/TUXEDO-Snapdragon-Laptop-Update
OpenSSL 3.5 Released
  • https://openssl-library.org/
  • https://github.com/openssl/openssl/releases/tag/openssl-3.5.0
  • https://lwn.net/Articles/1016851/
  • https://9to5linux.com/openssl-3-5-released-with-support-for-pqc-algorithms-server-side-quic
  • https://www.phoronix.com/news/OpenSSL-3.5-Released
OpenSSH 10.0 Released
  • https://www.openssh.com/
  • https://www.openssh.com/releasenotes.html#10.0p1
  • https://www.phoronix.com/news/OpenSSH-10.0-Released
  • https://lwn.net/Articles/1016924/
Support the show
  • https://tuxdigital.com/membership
  • https://store.tuxdigital.com/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, April 8th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet

Apr 9, 2025 · 7:19

  • Microsoft Patch Tuesday: Microsoft patched over 120 vulnerabilities this month. 11 of these were rated critical, and one vulnerability is already being exploited. https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838
  • Adobe Updates: Adobe released patches for 12 different products. Particularly important are patches for ColdFusion addressing several remote code execution vulnerabilities. Adobe Commerce got patches as well, but none of the vulnerabilities are rated critical. https://helpx.adobe.com/security/security-bulletin.html
  • OpenSSL 3.5 Released: OpenSSL 3.5 was released with support for post-quantum ciphers. This is a long-term support release. https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA
  • FortiSwitch Update: Fortinet released an update for FortiSwitch addressing a vulnerability that may be used to reset a password without verification. https://fortiguard.fortinet.com/psirt/FG-IR-24-435
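
A practical check to go with the OpenSSL 3.5 item above, written for this page as an added example (not code from the OpenSSL project or from the SANS diary). It reads the library version out of `openssl version` and looks for the post-quantum algorithm families that 3.5 introduced (ML-KEM, ML-DSA, SLH-DSA; FIPS 203, 204 and 205) in the output of `openssl list -kem-algorithms` and `openssl list -signature-algorithms`, subcommands that exist since OpenSSL 3.0. The `openssl version` strings and the listing excerpt in the block are constructed samples, and the exact listing format is illustrative; the one caveat the code encodes is that the CLI binary and the libcrypto it loaded can report different versions, and only the library version tells you what your applications link against. Whether a given distro build actually exposes the algorithms is confirmed on the box by `check_live()` when a binary is on PATH.

```python
import re
import shutil
import subprocess

# Constructed sample `openssl version` outputs; not captured from any system discussed on the page.
SAMPLE_VERSION_OUTPUT = {
    "lts_3_5": "OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)",
    # CLI binary newer than the shared library it loaded: the library is what your apps link to.
    "mismatch": "OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.0.13 30 Jan 2024)",
    "legacy_1_1": "OpenSSL 1.1.1w  11 Sep 2023",
}

# Constructed excerpt in the shape of `openssl list -kem-algorithms` output (format is illustrative).
SAMPLE_KEM_LISTING = "  ML-KEM-768 @ default\n  X25519MLKEM768 @ default\n"

# Post-quantum algorithm families added in OpenSSL 3.5, matched case-insensitively.
PQC_MARKERS = ("ml-kem", "ml-dsa", "slh-dsa")

_VERSION_RE = r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)"


def parse_openssl_version(text):
    """Return (major, minor, patch) of the *library* named in `openssl version` output.
    Prefers the '(Library: ...)' part when present, since the CLI and the loaded
    libcrypto can differ; falls back to the leading version for 1.x builds."""
    match = re.search(r"Library:\s*" + _VERSION_RE, text) or re.search(_VERSION_RE, text)
    if match is None:
        raise ValueError(f"unrecognised openssl version output: {text!r}")
    return tuple(int(part) for part in match.groups())


def ships_pqc(version):
    """3.5.0 is the first release carrying ML-KEM / ML-DSA / SLH-DSA in the default provider."""
    return version >= (3, 5, 0)


def pqc_in_listing(listing_text):
    """Which PQC families appear in the (concatenated) output of
    `openssl list -kem-algorithms` and `openssl list -signature-algorithms`."""
    lowered = listing_text.lower()
    return {marker: marker in lowered for marker in PQC_MARKERS}


def _run(*args):
    # check=False: on 1.1.x the -kem-algorithms option does not exist and the tool exits non-zero.
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def check_live():
    """Inspect the openssl binary on PATH. Returns None when none is installed."""
    if shutil.which("openssl") is None:
        return None
    version = parse_openssl_version(_run("version"))
    listing = _run("list", "-kem-algorithms") + _run("list", "-signature-algorithms")
    found = pqc_in_listing(listing)
    return {
        "library_version": version,
        "expected_pqc": ships_pqc(version),
        "found": found,
        # True when the version says PQC should be there but the provider does not expose
        # all of it (for example a distro build that dropped algorithms), or vice versa.
        "inconsistent": ships_pqc(version) != all(found.values()),
    }


if __name__ == "__main__":
    print(check_live() or "openssl not found on PATH")
```

An application that loads a different libcrypto than the CLI (a vendored copy, a container base image, a static build) needs the same check against that library, for instance by calling `OpenSSL_version()` from the process itself; the CLI result only describes the system copy.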

All TWiT.tv Shows (MP3)
Untitled Linux Show 181: Run Rootless

Dec 9, 2024 · 103:37

There's been a bit of a shakeup this week, with Torvalds criticizing Docker, Rustls dominating the TLS performance war, and Intel releasing a graphics card while "retiring" their CEO. Then, Flathub and KDE are working on their finances, OpenVPN has modernized its kernel driver, and Steam Machines may be back! Oh, and don't forget OBS 31 or the potential security issue with OpenWRT! For tips, we have eza as an ls replacement, pv for pipe progress viewing, IMSProg for EEPROM hacking, and HandlePowerKey for customizing what your machine does when you hit the power button. Grab the show notes at https://bit.ly/4gl1VtB and enjoy! Host: Jonathan Bennett Co-Hosts: Rob Campbell, David Ruggles, and Jeff Massie Want access to the video version and exclusive features? Become a member of Club TWiT today! https://twit.tv/clubtwit Club TWiT members can discuss this episode and leave feedback in the Club TWiT Discord.

Cyber Security Today
Google's AI Driven Fuzz Tool Finds Decades Old Vulnerability: Cyber Security Today, Friday November 22, 2024

Nov 22, 2024 · 9:43 · transcription available

Cybersecurity Today: Zero Day Flaws, FinTech Breach, Phishing Scams & More

In today's episode, host Jim Love discusses critical updates in the cybersecurity world. Discover the latest zero day vulnerabilities patched by Apple, a significant data breach at Fintech giant Finastra, emerging phishing attack tactics using Microsoft Visio files and SVG attachments, and the launch of a new privacy-focused telecom service, CAPE. Additionally, learn about Google's AI-powered OSS Fuzz tool, which uncovered a critical flaw in the OpenSSL library. Stay informed to protect yourself and your organization from sophisticated cyber threats.

  • 00:00 Introduction and Sponsor Message
  • 00:59 Emerging Phishing Attack Strategies
  • 03:12 Finastra Data Breach Investigation
  • 04:49 Launch of CAPE: A Privacy-Focused Telecom Service
  • 06:19 Apple's Emergency Updates for Zero-Day Vulnerabilities
  • 07:29 Google's OSS Fuzz Uncovers Critical Vulnerabilities
  • 09:07 Conclusion and Podcast Information

FileMaker DevCast: Everything Claris FileMaker
Ep19: Claris FileMaker 21.1 with Guest Lucy Chen, VP of FileMaker Engineering

Nov 14, 2024 · 52:47

Join us for a very special in-depth interview with Lucy Chen, VP of Claris Engineering. Kate Waldhauser hosts this special edition of the FileMaker DevCast, as Lucy gives us a glimpse behind the scenes of the engineering world at Claris, an Apple Company. Lucy shares insights as to how new features get into the product and how the latest version improves performance, reliability and security. She takes us under the hood, diving into the new enhancements of FileMaker 21.1, including the move to newer technologies like Java 17, Xcode 16, and OpenSSL 3.3. She also covers new features in FileMaker 21.1, such as HTTPS tunneling, improvements to the Admin Console, and the integration of AI-powered semantic search, for both natural language and image content searches. These changes have come about through Claris's ongoing commitment to understanding customer feedback. Join Kate & Lucy as they explore how the FileMaker platform continues to empower businesses with innovative capabilities.

Portage Bay Solutions is a custom software development firm based in Seattle, WA, with additional offices in the Austin, Chicago, Dallas, Omaha, Orange County, and Vancouver areas. For more than thirty years, we have been helping businesses of all sizes get the most out of their FileMaker investments. As a full-service Claris FileMaker Platinum Partner, Portage Bay is committed to helping you optimize your software investments and improve your business processes.

#claris #filemaker #devtools #devs #devcast #openSSL #https #tunneling #AI #semanticsearch #innovation #portagebaysolutions #portagebay #FileMaker21.1

Ask Noah Show
Episode 413: Ask Noah Show 413 | Contributing to Ubuntu

Oct 30, 2024 · 55:14

This week Robie Basak joins Noah from the Ubuntu Summit and gives an introduction on how to get started contributing to Ubuntu.

-- During The Show --

01:26 HexOS - Craig
  • Start with the Command Line
  • When is a GUI appropriate
  • Start with make a ZFS pool make a samba share
  • Help us understand your goal
  • What is HexOS
  • Ubuntu and ZFS
  • DKMS
  • kABI
  • Advantages of TrueNAS
  • Snapshots
  • Send/Receive
  • 1 Click Re-silvering

17:08 Questions about HDMI switch - Andy
  • Theater Receiver
  • Decimator (https://www.amazon.com/Decimator-DMON-QUAD-SD-SDI-Multi-Viewer-Outputs/dp/B072NGFDMR)

21:14 News Wire
  • SQLite 3.47.0 - sqlite.org (https://sqlite.org/releaselog/3_47_0.html)
  • Peazip 10 - github.io (https://peazip.github.io)
  • Jellyfin 10.10.0 - jellyfin.org (https://jellyfin.org/posts/jellyfin-release-10.10.0/)
  • EasyOS 6.4 - puppylinux.com (https://forum.puppylinux.com/viewtopic.php?t=12973)
  • Gnome 47.1 - gnome.org (https://discourse.gnome.org/t/gnome-47-1-released/24670)
  • Tor Browser 14.0 - torproject.org (https://blog.torproject.org/new-release-tor-browser-140/)
  • AlmaLinux Kitten 10 - almalinux.org (https://almalinux.org/blog/2024-10-22-introducing-almalinux-os-kitten/)
  • Gentoo & DTrace 2.0 - gentoo.org (https://www.gentoo.org/news/2024/10/23/DTrace-for-Gentoo.html)
  • NASA $15.6M Grant for Open Source Tools - spaceanddefense.io (https://spaceanddefense.io/nasa-awards-15-6-million-in-open-source-software-funding/)
  • Open Source Printable Lathe - hackaday.com (https://hackaday.com/2024/10/23/a-3d-printed-open-source-lathe/)
  • Thelio Astra - system76.com (https://system76.com/desktops/thelio-astra)
  • Eight Nvidia High Severity Vulnerabilities - forbes.com (https://www.forbes.com/sites/daveywinder/2024/10/25/urgent-new-nvidia-security-warning-for-200-million-linux-and-windows-gamers/)
  • OpenSSL 3.4 - github.com (https://github.com/openssl/openssl/releases/tag/openssl-3.4.0)
  • IPS Snort v3.5 - github.com (https://github.com/snort3/snort3/releases)
  • Parrot OS 6.2 - parrotsec.org (https://parrotsec.org/blog/2024-10-23-parrot-6.2-release-notes/)
  • New Granite 3.0 - zdnet.com (https://www.zdnet.com/article/ibm-doubles-down-on-open-source-ai-with-new-granite-3-0-models/)
  • HUGS - reuters.com (https://www.reuters.com/technology/startup-hugging-face-aims-cut-ai-costs-with-open-source-offering-2024-10-23/)
  • SynthID Now Open Source - theverge.com (https://www.theverge.com/2024/10/23/24277873/google-artificial-intelligence-synthid-watermarking-open-source)
  • Mochi 1 - venturebeat.com (https://venturebeat.com/ai/video-ai-startup-genmo-launches-mochi-1-an-open-source-model-to-rival-runway-kling-and-others/)
  • Ubuntu Turns 20 - ubuntu.com (https://ubuntu.com/20years)

23:23 Robie Basak - Ubuntu Technical Council
  • What drew you to Linux?
  • Why did you decide to work for Canonical?
  • What is the Ubuntu Technical Board?
  • Difference between Ubuntu and Canonical
  • The process of granting commit rights
  • Conflict resolution
  • Cloud init
  • Unique ID
  • Ubuntu Summit
  • Range of interaction
  • Membership Board Meeting
  • Full Hour Long Meeting Recording: YouTube (https://www.youtube.com/live/pyRcIZskKNE?si=frx3zrPhUoeLrHi8)

43:40 Fedora 41
  • Fedora 41 available early!
  • New DNF
  • bootc
  • Plasma Mobile Spin (https://fedoramagazine.org/announcing-fedora-linux-41/)
  • Fedora Magazine (https://fedoramagazine.org/announcing-fedora-linux-41/)
  • Minisforum v3 (https://store.minisforum.com/products/minisforum-v3?)
  • Steve, Fedora, hardware

50:30 Russian Kernel Maintainers Removed
  • Greg Kroah-Hartman removed them due to "various compliance requirements"
  • Removed developers Russian and not minor contributors
  • We live in a world where decisions are made for political reasons
  • zdnet.com (https://www.zdnet.com/article/why-remove-russian-maintainers-of-linux-kernel-heres-what-torvalds-says/)
  • therecord.media (https://therecord.media/russia-separate-linux-community-kernel-maintainers-delisted)

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/413)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

Passwort - der Podcast von heise security
News: Protokolle, Messenger, Bootloader – alles unsicher

Sep 4, 2024 · 74:52

Episode 13, the unlucky number, covers various things that went wrong, from Linux bootloaders that Microsoft blocked only partly by accident, to the poor security of "MLOps", the AI counterpart to DevOps. First, though, Christopher and Sylvester look at a very welcome discussion around OpenSSL: the developers asked their community for opinions on a security-relevant change. The episode also covers the arrest of Pavel Durov, creator of the not-so-secure messenger Telegram, and the venerable hacker e-zine "Phrack", whose issue 71 has been published.

Ubuntu Security Podcast

This week we take a deep dive behind-the-scenes look into how the team handled a recent report from Snyk's Security Lab of a local privilege escalation vulnerability in `wpa_supplicant` plus we cover security updates in Prometheus Alertmanager, OpenSSL, Exim, snapd, Gross, curl and more.

Paul's Security Weekly
Building Successful Security Champions Programs - Marisa Fagan - ASW #294

Aug 6, 2024 · 70:17

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.

Segment Resources:
  • OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
  • OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
  • The Security Champions Success Guide - https://securitychampionsuccessguide.org/
  • "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-294

Paul's Security Weekly TV
Dead Code, CrowdStrike's Kernel Lessons, VMs & Security Boundaries, SLUBStick Attack - ASW #294

Aug 6, 2024 · 33:55

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Show Notes: https://securityweekly.com/asw-294

Application Security Weekly (Audio)
Building Successful Security Champions Programs - Marisa Fagan - ASW #294

Aug 6, 2024 · 70:17

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.

Segment Resources:
  • OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
  • OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
  • The Security Champions Success Guide - https://securitychampionsuccessguide.org/
  • "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-294

Application Security Weekly (Video)
Dead Code, CrowdStrike's Kernel Lessons, VMs & Security Boundaries, SLUBStick Attack - ASW #294

Aug 6, 2024 · 33:55

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Show Notes: https://securityweekly.com/asw-294

Ubuntu Security Podcast
Episode 229

May 31, 2024 · 13:22

As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more.

Coder Radio
566: FOSS Feed & Care

Apr 17, 2024 · 29:51

We delve into the top 3 open-source revenue streams, expose the pitfalls, and discuss what could be done quickly to improve the situation.

Ask Noah Show
Ask Noah Show 385

Apr 17, 2024 · 44:11

-- During The Show --

00:50 MIDI
  • MIDI a better mouse trap
  • Pitch bending
  • Special snowflake
  • Firewire hardware
  • Motu UltraLite AVB (https://motu.com/products/avb/ultralite-avb)
  • Ardour (https://ardour.org/)
  • Musicians please send in feedback!

11:25 News Wire
  • Dynebolic is Back - ZDnet (https://www.zdnet.com/article/dynebolic-is-a-portable-linux-distribution-that-can-be-used-without-installation/)
  • OpenSSL 3.3 - OpenSSL (https://www.openssl.org/news/openssl-3.3-notes.html)
  • OpenTTD - OpenTTD (https://www.openttd.org/news/2024/04/13/openttd-14-0)
  • Ardour - Ardour (https://ardour.org/whatsnew.html)
  • KDE Frameworks 6.1.0 - KDE (https://kde.org/announcements/frameworks/6/6.1.0/)
  • Descent 3 MIT Licensed - Gaming on Linux (https://www.gamingonlinux.com/2024/04/descent-3-has-been-made-open-source/) - Github (https://github.com/kevinbentley/Descent3)
  • Opentofu vs Hashicorps - Opentofu (https://opentofu.org/blog/our-response-to-hashicorps-cease-and-desist/)
  • Huggingface Updated - Venture Beat (https://venturebeat.com/ai/hugging-face-introduces-idefics2-an-8b-open-source-visual-language-model/)
  • Small Version of LLaMA-3 - CCN (https://www.ccn.com/news/technology/llama-3-release-date/)
  • Spectre v2 Attacks - Bleeping Computer (https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impacts-linux-systems-on-intel-cpus/)
  • OpenSSF and OpenJS Foundation Warning - Computer Weekly (https://www.computerweekly.com/news/366580938/More-social-engineering-attacks-on-open-source-projects-observed)

12:56 Framework Laptops
  • Matt Hartley Linux Support Lead
  • Reddit welcome post (https://old.reddit.com/r/framework/comments/yoslxe/welcome_to_the_framework_cx_team_matt_hartley/)
  • First impressions
  • Assembly
  • How Framework supports Linux
  • Officially supported distros
  • Community support program
  • Community support
  • Ansible for other distros
  • Support
  • Framework 16
  • Alternative uses of Frameworks

27:48 Tailscale
  • Tailscale (https://tailscale.com/)
  • Alex Kretzschmar (https://blog.ktz.me/author/alex/)
  • How Tailscale stays free
  • How to get started
  • How Tailscale works
  • Headscale (https://headscale.net/)
  • Tailscale for business (Paid)
  • Features

35:37 QLC+
  • QLC+ (https://www.qlcplus.org/)
  • DMX Lighting Control Boards
  • Lighting Cues
  • DMX King (https://dmxking.com/)
  • Chases
  • Built in web interface
  • Network interfacing
  • Elation Enode4 (https://www.elationlighting.com/enode4)
  • Please write in about lighting on Linux!

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/385)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

Security Now (MP3)
SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

Security Now (MP3)

Play Episode Listen Later Feb 7, 2024 124:13


CISA's "Secure by Design" Initiative The GNU C Library Flaw Fastly CDN switches from OpenSSL to BoringSSL Roskomnadzor asserts itself Google updates Android's Password Manager Firefox gets post-quantum crypto Get your TOTP tokens from LastPass Inflated iOS app data LearnDMARC Sync mobile app bug SpinRite and Windows Defender Crypto signing camera Analog hole in digital camera authentication iOS and Google's Topics The gathering of the Stephvens Programmable Logic Controllers SpinRite update Malware-infected Toothbrush The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Melissa.com/twit joindeleteme.com/twit promo code TWIT GO.ACILEARNING.COM/TWIT vanta.com/SECURITYNOW

Paul's Security Weekly
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

Paul's Security Weekly

Play Episode Listen Later Feb 6, 2024 74:25


We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

Paul's Security Weekly TV
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

Paul's Security Weekly TV

Play Episode Listen Later Feb 6, 2024 36:41


Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Ask Noah Show
Episode 365: Ask Noah Show 365 | Data Migration Success!

Ask Noah Show

Play Episode Listen Later Nov 29, 2023 63:50


This week Steve goes through his data migration story at his house. What things should you consider before moving large datasets around, and what things need to be taken into account for a solid backup plan? -- During The Show -- 01:52 Home Automation Leak Detection - Jeremy You can't really Using cameras 08:06 mmWave sensor update/comparison Seedstudio mmWave Sensor (https://wiki.seeedstudio.com/mmwave_human_detection_kit/) Space for other sensors Way better than a PIR sensor Aqara Water Sensor (https://cloudfree.shop/product/aqara-water-sensor/) 11:19 Point of sale gear? - Charlie Odoo (https://github.com/odoo/odoo) Open Source POS (https://github.com/opensourcepos/opensourcepos) UniCenta (https://unicenta.com/) Squirrel Systems (https://www.squirrelsystems.com/squirrel-pos-for-hotels) 13:28 Succession Planning - David Password dump Bitwarden Network diagram with pictures Good documentation Techy friends Dave Ramsey - Legacy box Legacy Folder Data, external drives 23:23 Odoo for Accounting and Bookkeeping - Tiny Looks like a solid platform Expensive Self hosting not really an option Accounting solid but very basic no payroll Not fully open source 25:51 Backups? 
- Mike Copying the file MIGHT be ok if file system has bit rot protection works till it doesn't Better to use database tools External drives 3.5 StarTech Enclosure (https://www.amazon.com/StarTech-com-10Gbps-Enclosure-SATA-Drives/dp/B00XLAZEFC) Pelican 1120 Case 2.5 Cable Matters Enclosure (https://www.amazon.com/Cable-Matters-Aluminum-External-Enclosure/dp/B07CQD6M5B) Steve's M.2 Enclosure (https://www.amazon.com/gp/product/B09T97Z7DM) ASUS ROG M.2 Enclosure (https://www.amazon.com/ASUS-ROG-Arion-Aluminum-Enclosure/dp/B07ZKB4SLK) 37:57 News Wire OpenZFS 2.2.1 - Phoronix (https://www.phoronix.com/news/OpenZFS-2.2.1-Released) Weston 13.0 - Freedesktop.org (https://lists.freedesktop.org/archives/wayland-devel/2023-November/043326.html) OpenSSL 3.2 - GitHub (https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md) PipeWire 1.0 - Phoronix (https://www.phoronix.com/news/PipeWire-1.0-Released) LibreOffice 7.6.3 On Android - Document Foundation (https://blog.documentfoundation.org/blog/2023/11/23/libreoffice-763-and-android-viewer-app/) Wine 8.21 - Gaming On Linux (https://www.gamingonlinux.com/2023/11/wine-821-brings-high-dpi-scaling-and-initial-vulkan-support-for-wayland/) Studio One 6.5 - Presonus Software (https://www.presonussoftware.com/en_US/blog/studio-one-6-5-for-linux) PeerTube v6 - Frama Blog (https://framablog.org/2023/11/28/peertube-v6-is-out-and-powered-by-your-ideas/) Proxmox 8.1 - Proxmox (https://www.proxmox.com/en/about/press-releases/proxmox-virtual-environment-8-1) OpenMandriva - LX 5.0 - Beta News (https://betanews.com/2023/11/25/openmandriva-lx-50-linux-download/) Nitrux 3.2.0 - NXOS.org (https://nxos.org/changelog/release-announcement-nitrux-3-2-0/) Ultramarine Linux 39 - Fyra Labs (https://blog.fyralabs.com/ultramarine-39-released/) Linux 6.6 tagged LTS - Security Boulevard (https://securityboulevard.com/2023/11/linux-6-6-is-now-officially-an-lts-release/) Linux Runs 20% Faster on Ryzen 7995WX - Toms Hardware 
(https://www.tomshardware.com/news/ubuntu-runs-20-faster-than-windows-11-on-amd-threadripper-pro-7995wx) MicroCloud - Infoq (https://www.infoq.com/news/2023/11/canonical-microcloud-open-source/) GIMP Team Targeting May 2024 - Librearts.org (https://librearts.org/2023/11/gimp-3-0-roadmap/) X11 Being Removed from RHEL 10 - Red Hat (https://www.redhat.com/en/blog/rhel-10-plans-wayland-and-xorg-server) Functional Source License - The Register (https://www.theregister.com/2023/11/24/opinion_column/) Kinsing Malware - Hack Read (https://www.hackread.com/kinsing-crypto-malware-linux-apache-activemq-flaw/) SysJoker Malware - Cyber Security News (https://cybersecuritynews.com/sysjoker-malware-attacking-windows-linux-and-mac-users-abusing-onedrive/) Looney Tunables - Security Affairs (https://securityaffairs.com/154573/security/cisa-known-exploited-vulnerabilities-catalog-looney-tunables.html) Open Source Tesla - The Verge (https://www.theverge.com/2023/11/23/23973701/tesla-roadster-is-now-fully-open-source) AMD GPU & RISC-V - Toms Hardware (https://www.tomshardware.com/pc-components/gpus/amds-fastest-gaming-gpu-now-works-with-risc-v-cpus-amd-radeon-rx-7900-xtx-open-source-linux-drivers-available) Real AI - Mark Tech Post (https://www.marktechpost.com/2023/11/23/real-ai-wins-project-to-build-europes-open-source-large-language-model/) Synthetic Machine Learning Data - SD Times (https://sdtimes.com/data/capital-one-open-sources-new-project-for-generating-synthetic-data/) Uploading Minds - Crypto Slate (https://cryptoslate.com/buterin-sees-benefit-of-uploading-minds-and-need-for-open-source-innovation-in-ai/) AI Linux Optimization - Toms Hardware (https://www.tomshardware.com/news/chinese-company-uses-ai-to-optimize-linux-kernel) 41:11 Nativefier Makes native Linux app out of web pages Saves credentials and session Mind Drip One (http://docs.minddripone.com/how-to/install-use-nativefier/) Nativefier GUI GitHub (https://github.com/mattruzzi/nativefier-gui) 45:44 Data Migration 
Good to rotate drives Disk burn in (bunch of rsync) Rsync 26 hours rsync will preserve hard links with the right flags software raid is more portable nuke & pave 2 vdevs, 3 drives per vdev can only lose one drive ZFS send/receive is much faster and better IDrive (https://www.idrive.com/) Kopia (https://kopia.io/) Spider Oak One Plan for your target rsync commands a: Archive mode, which preserves permissions, ownership, and timestamps. v: Verbose mode, which prints out detailed information about the transfer. H: Preserve hard links. P: Preserve permissions. Dumping a database is intensive Proxmox gets in the way doesn't gain Steve anything Special snowflake Custom UI Good for multi node No updates KVM works the same everywhere Cockpit GUI Will eventually replace virtmanager -- The Extra Credit Section -- For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/365) Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah) Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com) -- Stay In Touch -- Find all the resources for this show on the Ask Noah Dashboard Ask Noah Dashboard (http://www.asknoahshow.com) Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/) Contact Noah live [at] asknoahshow.com -- Twitter -- Noah - Kernellinux (https://twitter.com/kernellinux) Ask Noah Show (https://twitter.com/asknoahshow) Altispeed Technologies (https://twitter.com/altispeed)

The Bike Shed
408: Work Device Management

The Bike Shed

Play Episode Listen Later Nov 28, 2023 32:57


Joël recaps his time at RubyConf! He shares insights from his talk about different aspects of time in software development, emphasizing the interaction with the audience and the importance of post-talk discussions. Stephanie talks about wrapping up a long-term client project, the benefits of change and variety in consulting, and maintaining a balance between project engagement and avoiding burnout. They also discuss strategies for maintaining work-life balance, such as physical separation and device management, particularly in a remote work environment. Rubyconf (https://rubyconf.org/) Joël's talk slides (https://speakerdeck.com/joelq/which-time-is-it) Flaky test summary slide (https://speakerdeck.com/aridlehoover/the-secret-ingredient-how-to-understand-and-resolve-just-about-any-flaky-test?slide=170) Transcript: STEPHANIE: Hello and welcome to another episode of The Bike Shed, a weekly podcast from your friends at thoughtbot about developing great software. I'm Stephanie Minn. JOËL: And I'm Joël Quenneville. And together, we're here to share a bit of what we've learned along the way. STEPHANIE: So, Joël, what's new in your world? JOËL: Well, as of this recording, I have just gotten back from spending the week in San Diego for RubyConf. STEPHANIE: Yay, so fun. JOËL: It's always so much fun to connect with the community over there, talk to other people from different companies who work in Ruby, to be inspired by the talks. This year, I was speaking, so I gave a talk on time and how it's not a single thing but multiple different quantities. In particular, I distinguish between a moment in time like a point, a duration and amount of time, and then a time of day, which is time unconnected to a particular day, and how those all connect together in the software that we write. STEPHANIE: Awesome. How did it go? How was it received? JOËL: It was very well received. 
I got a lot of people come up to me afterwards and make a variety of time puns, which those are so easy to make. I had to hold myself back not to put too many in the talk itself. I think I kept it pretty clean. There were definitely a couple of time puns in the description of the talk, though. STEPHANIE: Yeah, absolutely. You have to keep some in there. But I hear you that you don't want it to become too punny [laughs]. What I really love about conferences, and we've talked a little bit about this before, is the, you know, like, engagement and being able to connect with people. And you give a talk, but then that ends up leading to a lot of, like, discussions about it and related topics afterwards in the hallway or sitting together over a meal. JOËL: I like to, in my talks, give little kind of hooks for people who want to have those conversations in the hallway. You know, sometimes it's intimidating to just go up to a speaker and be like, oh, I want to, like, dig into their talk a little bit. But I don't have anything to say other than just, like, "I liked your talk." So, if there's any sort of side trails I had to cut for the talk, I might give a shout-out to it and say, "Hey, if you want to learn more about this aspect, come talk to me afterwards." So, one thing that I put in this particular talk was like, "Hey, we're looking at these different graphical ways to think about time. These are similar to but not the same as thinking of time as a one-dimensional vector and applying vector math to it, which is a whole other side topic. If you want to nerd out about that, come find me in the hallway afterwards, and I'd love to go deeper on it." And yeah, some people did. STEPHANIE: That's really smart. I like that a lot. You're inviting more conversation about it, which I know, like, you also really enjoy just, like, taking it further or, like, caring about other people's experiences or their thoughts about vector math [laughs]. 
JOËL: I think it serves two purposes, right? It allows people to connect with me as a speaker. And it also allows me to feel better about pruning certain parts of my talk and saying, look, this didn't make sense to keep in the talk, but it's cool material. I'd love to have a continuing conversation about this. So, here's a path we could have taken. I'm choosing not to, as a speaker, but if you want to take that branch with me, let's have that afterwards in the hallway. STEPHANIE: Yeah. Or even as, like, new content for yourself or for someone else to take with them if they want to explore that further because, you know, there's always something more to explore [chuckles]. JOËL: I've absolutely done that with past talks. I've taken a thing I had to prune and turned it into a blog post. A recent example of that was when I gave a talk at RailsConf Portland, which I guess is not so recent. I was talking about ways to deal with a test suite that's making too many database requests. And talking about how sometimes misusing let in your RSpec tests can lead to more database requests than you expect. And I had a whole section about how to better understand what database requests will actually be made by a series of let expressions and dealing with the eager versus lazy and all of that. I had to cut it. But I was then able to make a blog post about it and then talk about this really cool technique involving dependency graphs. And that was really fun. So, that was a thing where I was able to say, look, here's some content that didn't make it into the talk because I needed to focus on other things. But as its own little, like, side piece of content, it absolutely works, and here's a blog post. STEPHANIE: Yeah. And then I think it turned into a Bike Shed episode, too [laughs]. JOËL: I think it did, yes. I think, in many ways, creativity begets creativity. 
It's hard to get started writing or producing content or whatever, but once you do, every idea you have kind of spawns new ideas. And then, pretty soon, you have a backlog that you can't go through. STEPHANIE: That's awesome. Any other highlights from the conference you want to shout out? JOËL: I'd love to give a shout-out to a couple of talks that I went to, Aji Slater's talk on the Enigma machine as a German code machine from World War II and how we can sort of implement our own in Ruby and an exploration of object-oriented programming was fantastic. Aji is just a masterful storyteller. So, that was really great. And then Alan Ridlehoover's talk on dealing with flaky tests that one, I think, was particularly useful because I think it's one of the talks that is going to be immediately relevant on Monday morning for, like, every developer that was in that room and is going back to their regular day job. And they can immediately use all of those principles that Alan talked about to deal with the flaky tests in their test suite. And there's, in particular, at the end of his presentation, Alan has this summary slide. He kind of broke down flakiness across three different categories and then talked about different strategies for identifying and then fixing tests that were flaky because of those reasons. And he has this table where he sort of summarizes basically the entire talk. And I feel like that's the kind of thing that I'm going to save as a cheat sheet. And that can be, like, I'm going to link to this and share it all over because it's really useful. Alan has already put his slides up online. It's all linked to that particular slide in the show notes because I think that all of you would benefit from seeing that. The talks themselves are recorded, but they're not going to be out for a couple of weeks. I'm sure when they do, we're going to go through and watch some and probably comment on some of the talks as well. So, Stephanie, what is new in your world? 
STEPHANIE: Yeah. So, I'm celebrating wrapping up a client project after a nine-month engagement. JOËL: Whoa, that's a pretty long project. STEPHANIE: Yeah, that's definitely on the longer side for thoughtbot. And I'm, I don't know, just, like, feeling really excited for a change, feeling really, you know, proud of kind of, like, all of the work that we had done. You know, we had been working with this client for a long time and had been, you know, continuing to deliver value to them to want to keep working with us for that long. But I'm, yeah, just looking forward to a refresh. And I think that's one of my favorite things about consulting is that, you know, you can inject something new into your work life at a kind of regular cadence. And, at least for me, that's really important in reducing or, like, preventing the burnout. So, this time around, I kind of started to notice, and other people, too, like my manager, that I was maybe losing a bit of steam on this client project because I had been working on it for so long. And part of, you know, what success at thoughtbot means is that, like, we as employees are also feeling fulfilled, right? And, you know, what are the different ways that we can try to make sure that that remains the case? And kind of rotating folks on different projects and kind of making sure that things do feel fresh and exciting is really important. And so, I feel very grateful that other people were able to point that out for me, too, when I wasn't even fully realizing it. You know, I had people checking in on me and being like, "Hey, like, you've been on this for a while now. Kind of what I've been hearing is that, like, maybe you do need something new." I'm just excited to get that change. 
JOËL: How do you find the balance between sort of feeling fulfilled and maybe, you know, finding that point where maybe you're feeling you're running out of steam–versus, you know, some projects are really complex, take a while to ramp up; you want to feel productive; you want to feel like you have contributed in a significant way to a project? How do you navigate that balance? STEPHANIE: Yeah. So, the flip side is, like, I also don't think I would enjoy having to be changing projects all the time like every couple of months. That maybe is a little too much for me because I do like to...on our team, Boost, we embed on our team. We get to know our teammates. We are, like, building relationships with them, and supporting them, and teaching them. And all of that is really also fulfilling for me, but you can't really do that as much if you're on more shorter-term engagements. And then all of that, like, becomes worthwhile once you're kind of in that, like, maybe four or five six month period where you're like, you've finally gotten your groove. And you're like, I'm contributing. I know how this team works. I can start to see patterns or, like, maybe opportunities or gaps. And that is all really cool, and I think also another part of what I really like about being on Boost. But yeah, I think what I...that losing steam feeling, I started to identify, like, I didn't have as much energy or excitement to push forward change. When you kind of get a little bit too comfortable or start to get that feeling of, well, these things are the way they are [laughs], -- JOËL: Right. Right. STEPHANIE: I've now identified that that is kind of, like, a signal, right? JOËL: Maybe time for a new project. STEPHANIE: Right. Like starting to feel a little bit less motivated or, like, less excited to push myself and push the team a little bit in areas that it needs to be pushed. 
And so, that might be a good time for someone else at thoughtbot to, like, rotate in or maybe kind of close the chapter on what we've been able to do for a client. JOËL: It's hard to be at 100% all the time and sort of always have that motivation to push things to the max, and yeah, variety definitely helps with that. How do you feel about finding signals that maybe you need a break, maybe not from the project but just in general? The idea of taking PTO or having kind of a rest day. STEPHANIE: Oh yeah. I, this year, have tried out taking time off but not going anywhere just, like, being at home but being on vacation. And that was really great because then it was kind of, like, less about, like, oh, I want to take this trip in this time of year to this place and more like, oh, I need some rest or, like, I just need a little break. And that can be at home, right? Maybe during the day, I'm able to do stuff that I keep putting off or trying out new things that I just can't seem to find the time to do [chuckles] during my normal work schedule. So, that has been fun. JOËL: I think, yeah, sometimes, for me, I will sort of hit that moment where I feel like I don't have the ability to give 100%. And sometimes that can be a signal to be like, hey, have you taken any time off recently? Maybe you should schedule something. Because being able to refresh, even short-term, can sort of give an extra boost of energy in a way where...maybe it's not time for a rotation yet, but just taking a little bit of a break in there can sort of, I guess, extend the time where I feel like I'm contributing at the level that I want to be. STEPHANIE: Yeah. And I actually want to point out that a lot of that can also be, like, investing in your life outside of work, too, so that you can come to work with a different approach. I've mentioned the month that I spent in the Hudson Valley in New York and, like, when I was there, I felt, like, so different. 
I was, you know, just, like, so much more excited about all the, like, novel things that I was experiencing that I could show up to work and be like, oh yeah, like, I'm feeling good today. So, I have all this, you know, energy to bring to the tasks that I have at work. And yeah, so even though it wasn't necessarily time off, it was investing in other things in my life that then brought that refresh at work, even though nothing at work really changed [laughs]. JOËL: I think there's something to be said for the sort of energy boost you get from novelty and change, and some of that you get it from maybe rotating to a different project. But like you were saying, you can change your environment, and that can happen as well. And, you know, sometimes it's going halfway across the country to live in a place for a month. I sometimes do that in a smaller way by saying, oh, I'm going to work this morning from a coffee shop or something like that. And just say, look, by changing the environment, I can maybe get some focus or some energy that I wouldn't have if I were just doing same old, same old. STEPHANIE: Yeah, that's a good point. So, one particularly surprising refresh that I experienced in offboarding from my client work is coming back to my thoughtbot, like, internal company laptop, which had been sitting gathering dust [laughs] a little bit because I had a client-issued laptop that I was working in most of the time. And yeah, I didn't realize how different it would feel. I had, you know, gotten everything set up on my, you know, my thoughtbot computer just the way that I liked it, stuff that I'd never kind of bothered to set up on my other client-issued laptop. And then I came back to it, and then it ended up being a little bit surprising. I was like, oh, the icons are smaller on this [laughs] computer than the other computer. 
But it definitely did feel like returning to home, I think, instead of, like, being a guest in someone else's house that you haven't quite, like, put all your clothes in the closet or in the drawers. You're still maybe, like, living out of a suitcase a little bit [laughs]. So yeah, I was kind of very excited to be in my own space on my computer again. JOËL: I love the metaphor of coming home, and yeah, being in your own space, sleeping in your own bed. There's definitely some of that that I feel, I think, when I come back to my thoughtbot laptop as well. Do you feel like you get a different sense of connection with the rest of our thoughtbot colleagues when you're working on the thoughtbot-issued laptop versus a client-issued one? STEPHANIE: Yeah. Even though on my client-issued computer I had the thoughtbot Slack, like, open on there so I could be checking in, I wasn't necessarily in, like, other thoughtbot digital spaces as much, right? So, our, like, project management tools and our, like, internal company web app, those were things that I was on less of naturally because, like, the majority of my work was client work, and I was all in their digital spaces. But coming back and checking in on, like, all the GitHub discussions that have been happening while I haven't had enough time to catch up on them, just realizing that things were happening [laughs] even when I was doing something else, that is both cool and also like, oh wow, like, kind of sad that I [chuckles] missed out on some of this as it was going on. JOËL: That's pretty similar to my experience. For me, it almost feels a little bit like the difference between back when we used to be in person because thoughtbot is now fully remote. I would go, usually, depending on the client, maybe a couple of days a week working from their offices if they had an office. 
Versus some clients, they would come to our office, and we would work all week out of the thoughtbot offices, particularly if it was like a startup founder or something, and they might not already have office space. And that difference and feeling the connection that I would have from the rest of the thoughtbot team if I were, let's say, four days a week out of a client office versus two or four days a week out of the thoughtbot office feels kind of similar to what it's like working on a client-issued laptop versus on a thoughtbot-issued one. STEPHANIE: Another thing that I guess I forgot about or, like, wasn't expecting to do was all the cleanup, just the updating of things on my laptop as I kind of had it been sitting. And it reminded me to, I guess, extend that, like, coming home metaphor a little bit more. In the game Animal Crossing, if you haven't played the game in a while because it tracks, like, real-time, so it knows if you haven't, you know, played the game in a few months, when you wake up in your home, there's a bunch of cockroaches running around [laughs], and you have to go and chase and, like, squash them to clean it up. JOËL: Oh no. STEPHANIE: And it kind of felt like that opening my computer. I was like, oh, like, my, like, you know, OS is out of date. My browsers are out of date. I decided to get an internal company project running in my local development again, and I had to update so many things, you know, like, install the new Ruby version that the app had, you know, been upgraded to and upgrade, like, OpenSSL and all of that stuff on my machine to, yeah, get the app running again. And like I mentioned earlier, just the idea of like, oh yeah, this has evolved and changed, like, without me [laughs] was just, you know, interesting to see. And catching myself up to speed on that was not trivial work. So yeah, like, all that maintenance stuff still got to do it. It's, like, the digital cleanup, right? JOËL: Exactly. 
So, you mentioned that on the client machine, you still had the thoughtbot Slack. So, you were able to keep up at least some messages there on one device. I'm curious about the experience, maybe going the other way. How much does thoughtbot stuff bleed into your personal devices, if at all? STEPHANIE: Barely. I am very strict about that, I think. I used to have Slack on my phone, I don't know, just, like, in an earlier time in my career. But now I have a rule to keep it off. I think the only thing that I have is my calendar, so no email either. Like, that is something that I, like, don't like to check on my personal time. Yeah, so it really just is calendar just in case I'm, like, out in the morning and need to be, like, oh, when is my first meeting? But [laughs] I will say that the one kind of silly thing is that I also refuse to sign into my Google account for work. So, I just have the calendar, like, added to my personal calendar but all the events are private. So, I can't actually see what the events are [laughs]. I just know that I have something going on at, like, 10:00 a.m. So, I got to make sure I'm back home by then [laughs], which is not so ideal. But at the risk of being signed in and having other things bleed into my personal devices, I'm just living with that for now [laughs]. JOËL: What I'm hearing is that I could put some mystery events on your calendar, and you would have a fun surprise in the morning because you wouldn't know what it is. STEPHANIE: Yeah, that is true [laughs]. If you put, like, a meeting at, like, 8:00 a.m., [laughs] then I'm like, oh no, what's this? And then I arrive, and it's just, like [laughs], a fun prank meeting. So, you know, you were talking about how you were at the conference this week. And I'm wondering, how connected were you to work life? JOËL: Uh, not very. I tried to be very present in the moment at the conference. 
So, I'm, you know, connected to all the other thoughtboters who were there and connecting with the attendees. I do have Slack on my phone, so if I do need to check it for something. There was a little bit of communication that was going on for different things regarding the conference, so I did check in for that. But otherwise, I tried to really stay focused on the in-person things that are happening. I'm not doing any client work during those days that I'm at RubyConf, and so I don't need to deal with anything there. I had my thoughtbot laptop with me because that's what I used to give my presentation. But once the presentation was done, I closed that laptop and didn't open it again, and, honestly, that felt kind of good. STEPHANIE: Yeah, that is really nice. I'm the same way, where I try to be pretty connected at conferences, and, like, I will actually redownload Slack sometimes just for, like, coordinating purposes with other folks who are there. But I think I make it pretty clear that I'm, like, away. You know, like, I'm not actually...like, even though I'm on work time, I'm not doing any other work besides just being present there. JOËL: So, you mentioned the idea of work time. Do you have, like, a pretty strict boundary between personal time and work time and, like, try not to allow either to bleed into each other? STEPHANIE: Yeah. I can't remember if I've mentioned this on the show. I think I have, but I'm going to again because one of my favorite things that I picked up from The Bike Shed back when Chris Toomey and Steph Viccari were hosting the show is Chris had, like, a little ritual that he would do every day to signal that he was done with work. He would close his laptop and say, "Schedule shutdown complete," I think. And I've started adopting it because then it helps me be like, I'm not going to reopen my laptop after this because I have said the words. 
And even if I think of something that I maybe need to add to my to-do list, I will, instead of opening my computer and adding to my, like, whatever digital to-do list, I will, like, write it down on a piece of paper instead for the sake of, you know, not risking getting sucked back into, you know, whatever might be going on after the time that I've, like, decided that I need to be done. JOËL: So, you have a very strict divisioning between work time and personal time. STEPHANIE: Yeah, I would say so. I think it's important for me because even when I take time off, you know, sometimes folks might work a half day or something, right? I really struggle with having even a half day feel like, once I'm done with work, having that feel like okay, like, now I'm back in my personal time. I'd much prefer not working the entire day at all because that is kind of the only way that I can feel like I've totally reclaimed that time. Otherwise, it's like, once I start thinking about work stuff, it's like I need a mental boundary, right? Because if I'm thinking about a work problem, or, like, an interaction or, like, just anything, it's frustrating because it doesn't feel like time in my own brain [laughs] is my own. What do work and personal time boundaries look like for you? JOËL: I think it's evolved over time. Device usage is definitely a little bit more blurry for me. One thing that I have started doing since we've gone fully remote as the pandemic has been winding down and, you know, you can do things, but we're still working from home, is that more days than not, I work from home during the day, and then I leave my home during the evening. I do a variety of social activities. And because I like to be sort of present in the moment, that means that by being physically gone, I have totally disconnected because I'm not checking emails or anything like that. 
Even though I do have thoughtbot email on my phone, Gmail allows me to like log into my personal account and my thoughtbot account. I have to, like, switch between the two accounts, and so, that's, like, more work than I would want. I don't have any notifications come in for the thoughtbot account. So, unless I'm, like, really wanting to see if a particular email I'm waiting for has come in, I don't even look at it, ever. It's mostly just there in case I need to see something. And then, by being focused in the moment doing social things with other people, I don't find too much of a temptation to, like, let work life bleed into personal life. So, there's a bit of a physical disconnect that ends up happening by moving out of the space I work in into leaving my home. STEPHANIE: Yeah. And I'm sure it's different for everyone. As you were saying that, I was reminded of a funny meme that I saw a long time ago. I don't think I could find it if I tried to search for it. But basically, it's this guy who is, you know, sitting on one side of the couch, clearly working. And he's kind of hunched over and, like, typing and looking very serious. And then he, like, closes his laptop, moves over, like, just slides to the other side of the couch, opens his laptop. And then you see him, like, lay back, like, legs up on the coffee table. And it's, like, work computer, personal computer, but it's the same computer [laughs]. It's just the, like, how you've decided like, oh, it's time for, you know, legs up, Netflix watching [laughs]. JOËL: Yeah. Yeah. I'm curious: do you use your thoughtbot computer for any personal things? Or is it just you shut that down; you do the closing ritual, and then you do things on a separate device? STEPHANIE: Yeah, I do things on a separate device. I think the only thing there might be some overlap for are, like, career-related extracurriculars or just, like, development stuff that I'm interested in doing, like, separate from what I am paid to do. 
But that, you know, kind of overlaps a little bit because of, like, the tools and the stuff I have installed on my computer. And, you know, with our investment time, too, that ends up having a bit of a crossover. JOËL: I think I'm similar in that I'll tend to do development things on my thoughtbot machine, even though they're not necessarily thoughtbot-related, although they could be things that might slot into something like investment time. STEPHANIE: Yeah, yeah. And it's because you have all your stuff set up for it. Like, you're not [laughs] trying to install the latest Ruby version on two different machines, probably [laughs]. JOËL: Yeah. Also, my personal device is a Windows machine. And I've not wanted to bother learning how to set that up or use the Windows Subsystem for Linux or any of those tools, which, you know, may be good professional learning activities. But that's not where I've decided to invest my time. STEPHANIE: That makes sense. I had an interesting conversation with someone else today, actually, about devices because I had mentioned that, you know, sometimes I still need to incorporate my personal devices into work stuff, especially, like, two-factor authentication. And specifically on my last client project...I have a very old iPhone [laughs]. I need to start out by saying it's an iPhone 8 that I've had for, like, six or seven years. And so, it's old. Like, one time I went to the Apple store, and I was like, "Oh, I'm looking for a screen protector for this." And they're like, "Oh, it's an iPhone 8. Yikes." [laughs] This was, you know, like, not too long ago [laughs]. And the multi-factor authentication policy for my client was that, you know, we had to use this specific app. And it also had, like, security checks. Like, there's a security policy that it needed to be updated to the latest iOS. 
So, even if I personally didn't want to update my iOS [laughs], I felt compelled to because, otherwise, I would be locked out of the things that I needed to do at work [laughs]. JOËL: Yeah, that can be a challenge sometimes when you're adding work things to personal devices, maybe not because it's convenient and you want to, but because you don't have a choice for things like two-factor auth. STEPHANIE: Yeah, yeah. And then the person I was talking to actually suggested something I hadn't even thought about, which is like, "Oh, you know, if you really can't make it work, then, like, consider having that company issue another device for you to do the things that they're, like, requiring of you." And I hadn't even thought of that, so... And I'm not quite at the point where I'm like, everything has to be, like, completely separate [laughs], including two-factor auth. But, I don't know, something to consider, like, maybe that might be a place I get to if I'm feeling like I really want to keep those boundaries strict. JOËL: And I think it's interesting because, you know, when you think of the kind of work that we do, it's like, oh, we work with computers, but there are so many subfields within it. And device management and, just maybe, corporate IT, in general, is a whole subfield that is separate and almost a little bit alien. Two, I feel like me, as a software developer, I'm just aware of a little bit...like, I've read a couple of articles around...and this was, you know, years ago when the trend was starting called Bring Your Own Device. So, people who want to say, "Hey, I want to use my phone. I want to have my work email on my phone." But then does that mean that potentially you're leaking company memos and things? So, how do you secure that kind of thing? And everything that IT had to think through in order to allow that, the pros and cons. So, I think we're just kind of, as users of that system, touching the surface of it. 
But there's a lot of thought and discussion that, as an industry, the kind of corporate IT folks have gone through to struggle with how to balance a lot of those things. STEPHANIE: Yeah, yeah. I bet there's a lot of complexity or nuance there. I mean, we're just talking about, like, ways that we do or don't mix work and personal life. And for that kind of work, you know, that's, like, the job is to think really thoroughly about how people use their devices and what should and shouldn't be permissible. The last thing that I wanted to kind of ask about in terms of device management or, like, work and personal intermixing is the idea of being on call and your device being a way for work to reach you and that being a requirement, right? I feel very lucky to obviously not really be in that position. As consultants, like, we're not usually so embedded into a team that we're then brought into, like, an on-call rotation, and I think that's good for me. Like, I don't think that that is something I'd be interested in doing anytime soon. Do you have any experience with that? JOËL: I have not been on a project where I've had to be on call, and I think that's generally true for most of us at thoughtbot who are doing software development. I know those who are doing more kind of platformy SRE-type things are on call. And, in fact, we have specifically hired people in different regions around the world so that we can provide 24-hour coverage for that kind of thing. STEPHANIE: Yeah. And I imagine kind of like what we're talking about with work device management looks even different for that kind of role, where maybe you do need a lot more access to things, like, wherever you might be. JOËL: And maybe the answer there is you get issued a work-specific device and a work phone or something like that, or an old-school work pager. STEPHANIE: [laughs] JOËL: PagerDuty is not just a metaphoric thing. Back in the day, they used actual pagers. STEPHANIE: Yeah, that would be very funny. 
JOËL: So yeah, I can't speak to it from personal experience, but I could imagine that maybe some of the dynamics there might be a little bit different. And, you know, for some people, maybe it's fine to just have an app on your phone that pings you when something happens, and you have to be on call. And you're able to be present while waiting, like, in case you get pinged, but also let it go while you're on call. I can imagine that's, like, a really weird kind of, like, shadow, like, working, not working experience that I can't really speak to because I have not been in that position. STEPHANIE: Yeah. As you were saying that, I also had the thought that, like, our ability to step away from work and our devices is also very much dependent on, like, a company culture and those types of factors, right? Where, you know, it is okay for me to not be able to look at that stuff and just come back to it Monday morning, and I am very grateful [laughs] for that. Because I recognize that, like, not everyone is in that position where there might be a lot more pressure or urgency to be on top of that. But right now, for this time in my life, like, that's kind of how I like to work. JOËL: I think it kind of sits at the intersection of a few different things, right? There's sort of where you are personally. It might be a combination, like, personality and maybe, like, mental health, things like that, how you respond to how sharp or blurry those lines between work and personal life can be. Like you said, it's also an element of company culture. If there's a company culture that's really pushing to get into your personal life, maybe you need firmer boundaries. And then, finally, what we spent most of this episode talking about: technical solutions, whether that's, like, physically separating everything such that there are two devices. And you close down your laptop, and you're done for the day. 
And whether or not you allow any apps on your personal phone to carry with you after you leave for the day. So, I think at the intersection of those three is sort of how you're going to experience that, and every person is going to be a little bit different. Because those three...I guess I'm thinking of a Venn diagram. Those three circles are going to be different for everyone. STEPHANIE: Yeah, that makes complete sense. JOËL: On that note, shall we wrap up? STEPHANIE: Let's wrap up. Show notes for this episode can be found at bikeshed.fm. JOËL: This show has been produced and edited by Mandy Moore. STEPHANIE: If you enjoyed listening, one really easy way to support the show is to leave us a quick rating or even a review in iTunes. It really helps other folks find the show. JOËL: If you have any feedback for this or any of our other episodes, you can reach us @_bikeshed, or you can reach me @joelquen on Twitter. STEPHANIE: Or reach both of us at hosts@bikeshed.fm via email. JOËL: Thanks so much for listening to The Bike Shed, and we'll see you next week. ALL: Byeeeeeee!!!!!! AD: Did you know thoughtbot has a referral program? If you introduce us to someone looking for a design or development partner, we will compensate you if they decide to work with us. More info on our website at: tbot.io/referral. Or you can email us at: referrals@thoughtbot.com with any questions.

Software Sessions
Mike Perham on Keeping it solo (RubyConf 2023)
Nov 21, 2023 51:26

Mike Perham is the creator of Sidekiq, a background job processor for Ruby. He's also the creator of Faktory a similar product for multiple language environments. We talk about the RubyConf keynote and Ruby's limitations, supporting products as a solo developer, and some ideas for funding open source like a public utility. Recorded at RubyConf 2023 in San Diego. -- A few topics covered: Sidekiq (Ruby) vs Faktory (Polyglot) Why background job solutions are so common in Ruby Global Interpreter Lock (GIL) Ractors (Actor concurrency) Downsides of Multiprocess applications When to use other languages Getting people to pay for Sidekiq Keeping a solo business Being selective about customers Ways to keep support needs low Open source as a public utility Mike Mike's blog mastodon Sidekiq faktory From Employment to Independence Ruby Ractor The Practical Effects of the GVL on Scaling in Ruby Transcript You can help correct transcripts on GitHub. Introduction [00:00:00] Jeremy: I'm here at RubyConf San Diego with Mike Perham. He's the creator of Sidekiq and Faktory. [00:00:07] Mike: Thank you, Jeremy, for having me here. It's a pleasure. Sidekiq [00:00:11] Jeremy: So for people who aren't familiar with, I guess we'll start with Sidekiq because I think that's what you're most known for. If people don't know what it is, maybe you can give like a small little explanation. [00:00:22] Mike: Ruby apps generally have two major pieces of infrastructure powering them. You've got your app server, which serves your webpages and the browser. And then you generally have something off on the side that... It processes, you know, data for a million different reasons, and that's generally called a background job framework, and that's what Sidekiq is. [00:00:41] It, Rails is usually the thing that, that handles your web stuff, and then Sidekiq is the Sidekiq to Rails, so to speak. [00:00:50] Jeremy: And so this would fit the same role as, I think in Python, there's celery. 
and then in the Ruby world, I guess there is, uh, Resque is another kind of job. [00:01:02] Mike: Yeah, background job frameworks are quite prolific in Ruby. the Ruby community's kind of settled on that as the, the standard pattern for application development. So yeah, we've got, a half a dozen to a dozen different, different examples throughout history, but the major ones today are, Sidekiq, Resque, DelayedJob, GoodJob, and, and, and others down the line, yeah. Why background jobs are so common in Ruby [00:01:25] Jeremy: I think working in other languages, you mentioned how in Ruby, there's this very clear, preference to use these job scheduling systems, these job queuing systems, and I'm not. I'm not sure if that's as true in, say, if somebody's working in Java, or C sharp, or whatnot. And I wonder if there's something specific about Ruby that makes people kind of gravitate towards this as the default thing they would use. [00:01:52] Mike: That's a good question. What makes Ruby... The one that so needs a background job system. I think Ruby, has historically been very single threaded. And so, every Ruby process can only do so much work. And so Ruby oftentimes does, uh, spin up a lot of different processes, and so having processes that are more focused on one thing is, is, is more standard. [00:02:24] So you'll have your application server processes, which focus on just serving HTTP responses. And then you have some other sort of focused process and that just became background job processes. but yeah, I haven't really thought of it all that much. But, uh, you know, something like Java, for instance, heavily multi threaded. [00:02:45] And so, and extremely heavyweight in terms of memory and startup time. So it's much more frequent in Java that you just start up one process and that's it. Right, you just do everything in that one process. And so you may have dozens and dozens of threads, both serving HTTP and doing work on the side too. 
Um, whereas in Ruby that just kind of naturally, there was a natural split there. Global Interpreter Lock [00:03:10] Jeremy: So that's actually a really good insight, because... in the keynote at RubyConf, Mats, the creator of Ruby, you know, he mentioned the, how the fact that there is this global, interpreter lock, [00:03:23] or, or global VM lock in Ruby, and so you can't, really do multiple things in parallel and make use of all the different cores. And so it makes a lot of sense why you would say like, okay, I need to spin up separate processes so that I can actually take advantage of, of my, system. [00:03:43] Mike: Right. Yeah. And the, um, the GVL. is the acronym we use in the Ruby community, or GIL. Uh, that global lock really kind of is a forcing function for much of the application architecture in Ruby. Ruby, uh, applications because it does limit how much processing a single Ruby process can do. So, uh, even though Sidekiq is heavily multi threaded, you can only have so many threads executing. [00:04:14] Because they all have to share one core because of that global lock. So unfortunately, that's, that's been, um, one of the limiter, limiting factors to Sidekiq scalability is that, that lock and boy, I would pay a lot of money to just have that lock go away, but. You know, Python is going through a very long term experiment about trying to remove that lock and I'm very curious to see how well that goes because I would love to see Ruby do the same and we'll see what happens in the future, but, it's always frustrating when I come to another RubyConf and I hear another Matt's keynote where he's asked about the GIL and he continues to say, well, the GIL is going to be around, as long as I can tell. [00:04:57] so it's a little bit frustrating, but. It's, it's just what you have to deal with. Ractors [00:05:02] Jeremy: I'm not too familiar with them, but they, they did mention during the keynote I think there Ractors or something like that. 
There, there, there's some way of being able to get around the GIL but there are these constraints on them. And in the context of Sidekiq and, and maybe Ruby in general, how do you feel about those options or those solutions? [00:05:22] Mike: Yeah, so, I think it was Ruby 3. 2 that introduced this concept of what they call a Ractor, which is like a thread, except it does not have the global lock. It can run independent to the global lock. The problem is, is because it doesn't use the global lock, it has pretty severe constraints on what it can do. [00:05:47] And the, and more specifically, the data it can access. So, Ruby apps and Rails apps throughout history have traditionally accessed a lot of global data, a lot of class level data, and accessed all this data in a, in a read only fashion. so there's no race conditions because no one's changing any of it, but it's still, lots of threads all accessing the same variables. [00:06:19] Well, Ractors can't do that at all. The only data Ractors can access is data that they own. And so that is completely foreign to Ruby application, traditional Ruby applications. So essentially, Ractors aren't compatible with the vast majority of existing Ruby code. So I, I, I toyed with the idea of prototyping Sidekiq and Ractors, and within about a minute or two, I just ran into these, these, uh... [00:06:51] These very severe constraints, and so that's why you don't see a lot of people using Ractors, even still, even though they've been out for a year or two now, you just don't see a lot of people using them, because they're, they're really limited, limited in what they can do. But, on the other hand, they're unlimited in how well they can scale. [00:07:12] So, we'll see, we'll see. Hopefully in the future, they'll make a lot of improvements and, uh, maybe they'll become more usable over time. 
Downsides of multiprocess (Memory usage)

[00:07:19] Jeremy: And with the existence of a job queue or job scheduler like Sidekiq, you're able to create additional processes to get around that global lock, I suppose. What are the... downsides of doing so versus another language like we mentioned Java earlier, which is capable of having true parallelism in the same process.

[00:07:47] Mike: Yeah, so you can start up multiple Ruby processes to process things truly in parallel. The issue is that you do get some duplication in terms of memory. So your Ruby app maybe take a gigabyte per process. And, you can do copy on write forking. You can fork and get some memory sharing with copy on write semantics on Unix operating systems.

[00:08:21] But you may only get, let's say, 30 percent memory savings. So, there's still a significant memory overhead to forking, you know, let's say, eight processes versus having eight threads. You know, you, you, you may have, uh, eight threads can operate in a gigabyte process, but if you want to have eight processes, that may take, let's say, four gigabytes of RAM.

[00:08:48] So you, you still, it's not going to cost you eight gigabytes of RAM, you know, it's not like just one times eight, but, there's still a overhead of having those separate processes.

[00:08:58] Jeremy: would you say it's more of a cost restriction, like it costs you more to run these applications, or are there actual problems that you can't solve because of this restriction.

[00:09:13] Mike: Help me understand, what do you mean by restriction? Do you mean just the GVL in general, or the fact that forking processes still costs memory?

[00:09:22] Jeremy: I think, well, it would be both, right? So you're, you have two restrictions right now. You have the, the GVL, which means you can't have parallelism within the same process. And then your other option is to spin up a bunch of processes, which you have said is the downside there is that you're using a lot more RAM.
[00:09:43] I suppose my question is that Does that actually stop you from doing anything? Like, if you throw more money at the problem, you go like, we're going to have more instances, I'll pay for the RAM, it's fine, can that basically get you out of these situations or are these limitations actually stopping you from, from doing things you could do in other languages?

[00:10:04] Mike: Well, you certainly have to manage the multiple processes, right? So you've gotta, you know, if one child process crashes, you've gotta have a parent or supervisor process watching all that and monitoring and restarting the process. I don't think it restricts you. Necessarily, it just, it adds complexity to your deployment.

[00:10:24] and, and it's just a question of efficiency, right? Instead of being able to deploy on a, on a one gigabyte droplet, I've got to deploy to a four gigabyte droplet, right? Because I just, I need the RAM to run the eight processes. So it, it, it's more of just a purely a function of how much money am I going to have to throw at this problem.

[00:10:45] And what's it going to cost me in operational costs to operate this application in production?

When to use other languages?

[00:10:53] Jeremy: So during the keynote, uh, Matz had mentioned that Rails, is really suitable as this one person framework, like you can have a very small team or maybe even yourself and, and build this product. And so I guess from... Your perspective, once you cross a certain threshold, is like, what Ruby and what Sidekiq provides not enough, and that's why you need to start looking into other languages?

[00:11:24] Or like, where's the, turning point, or the, if you

[00:11:29] Mike: Right, right. The, it's all about the problem you're trying to solve, right? At the end of the day, uh, the, the question is just what are we trying to solve and how are we trying to solve it? So at a higher level, you got to think about the architecture.
if the problem you're trying to solve, if the service you're trying to build, if the app you're trying to operate.

[00:11:51] If that doesn't really fall into the traditional Ruby application architecture, then you, you might look at it in another language or another ecosystem. something like Go, for instance, can compile down to a single binary, which makes deployment really easy. It makes shipping up a product on to a user's machine, much simpler than deploying a Ruby application onto a user's desktop machine, for instance, right?

[00:12:22] Um, Ruby does have this, this problem of how do you package everything together and deploy it somewhere? Whereas Go, when you can just compile to a single binary, now you've just got a single thing. And it's just... Drop it on the file system and execute it. It's easy. So, um, different, different ecosystems have different application architectures, which empower different ways of solving the same problems.

[00:12:48] But, you know, Rails as a, as a one man framework, or sorry, one person framework, It, it, I don't, I don't necessarily, that's a, that's sort of a catchy marketing slogan, but I just think of Rails as the most productive framework you can use. So you, as a single person, you can maximize what you ship and the, the, the value that you can create because Rails is so productive.

[00:13:13] Jeremy: So it, seems like it's maybe the, the domain or the type of application you're making. Like you mentioned the command line application, because you want to be able to deliver it to your user easily. Just give them a binary, something like Go or perhaps Rust makes a lot more sense. and then I could see people saying that if you're doing something with machine learning, like the community behind Python, it's, they're just, they're all there.

[00:13:41] So

Room for more domains in Ruby

[00:13:41] Mike: That was exactly the example I was going to use also.
Yeah, if you're doing something with data or AI, Python is going to be a more, a more traditional, natural choice. that doesn't mean Ruby can't do it. That doesn't mean, you wouldn't be able to solve the problem with Ruby. And, and there's, that just also means that there's more space for someone who wants to come in and make an impact in the Ruby community.

[00:14:03] Find a problem that Ruby's not really well suited to solving right now and build the tooling out there to, to try and solve it. You know, I, I saw a talk, from the fellow who makes the Glimmer gem, which is a native UI toolkit. Uh, a gem for building native UIs in Ruby, which Ruby traditionally can't do, but he's, he's done an amazing job at sort of surfacing APIs to build these, um, these native, uh, native applications, which I think is great.

[00:14:32] It's awesome. It's, it's so invigorating to see Ruby in a new space like that. Um, I talked to someone else who's doing the Polars gem, which is focused on data processing. So it kind of takes, um, Python and Pandas and brings that to Ruby, which is, is awesome because if you're a Ruby developer, now you've got all these additional tools which can allow you to solve new sets of problems out there.

[00:14:57] So that's, that's kind of what's exciting in the Ruby community right now is just bring it into new spaces.

Faktory

[00:15:03] Jeremy: In addition to Sidekiq, you have, uh, another product called Faktory, I believe. And so does that serve a, a similar purpose? Is that another job scheduling, job queueing system?

[00:15:16] Mike: It is, yes. And it's, it's, it's similar in a way to Sidekiq. It looks similar. It's got similar concepts at the core of it. At the end of the day, Sidekiq is limited to Ruby. Because Sidekiq executes in a Ruby VM, it executes the jobs, and the jobs are, have to be written in Ruby because you're running in the Ruby VM.

[00:15:38] Faktory was my attempt to bring, Sidekiq functionality to every other language.
I wanted, I wanted Sidekiq for JavaScript. I wanted Sidekiq for Go. I wanted Sidekiq for Python because A, a lot of these other languages also could use a system, a background job system. And the problem though is that.

[00:16:04] As a single man, I can't port Sidekiq to every other language. I don't know all the languages, right? So, Faktory kind of changes the architecture and, um, allows you to execute jobs in any language. it, it replaces Redis and provides a server where you just fetch jobs, and you can use it from it.

[00:16:26] You can use that protocol from any language to, to build your own worker processes that execute jobs in whatever language you want.

[00:16:35] Jeremy: When you say it replaces Redis, so it doesn't use Redis, um, internally, it has its own.

[00:16:41] Mike: It does use Redis under the covers. Yeah, it starts Redis as a child process and, connects to it over a Unix socket. And so it's really stable. It's really fast. from the outside, the, the worker processes, they just talk to Faktory. They don't know anything about Redis at all.

[00:16:59] Jeremy: I see. And for someone who, like we mentioned earlier in the Python community, for example, there is, um, Celery. For someone who is using a task scheduler like that, what's the incentive to switch or use something different?

[00:17:17] Mike: Well, I, I always say if you're using something right now, I'm not going to try and convince you to switch necessarily. It's when you have pain that you want to switch and move away. Maybe you have Maybe there's capabilities in the newer system that you really need that the old system doesn't provide, but Celery is such a widely known system that I'm not necessarily going to try and convince people to move away from it, but if people are looking for a new system, one of the things that Celery does that Faktory does not do is Celery provides like data adapters for using store, lots of different storage systems, right?

[00:17:55] Faktory doesn't do that.
Faktory is more, has more of the Rails mantra of, you know, Omakase where we choose, I choose to use Redis and that's it. You don't, you don't have a choice for what to use because who cares, you know, at the end of the day, let Faktory deal with it. it's, it's not something that, You should even necessarily be concerned about it.

[00:18:17] Just, just try Faktory out and see how it works for you. Um, so I, I try to take those operational concerns off the table and just have the user focus on, you know, usability, performance, and that sort of thing. but it is, it's, it's another background job system out there for people to try out and see if they like that.

[00:18:36] And, and if they want to, um, if they know Celery and they want to use Celery, more power to Faktory them.

Sidekiq (Ruby) or Faktory (Polyglot)

[00:18:43] Jeremy: And Sidekiq and Faktory, they serve a very similar purpose. For someone who they have a new project, they haven't chosen a job scheduling system, if they were using Ruby, would it ever make sense for them to use Faktory versus use Sidekiq?

[00:19:05] Mike: Uh Faktory is excellent in a polyglot situation. So if you're using multiple languages, if you're creating jobs in Ruby, but you're executing them in Python, for instance, um, you know, if you've, I have people who are, Creating jobs in PHP and executing them in Python, for instance. That kind of polyglot scenario, Sidekiq can't do that at all.

[00:19:31] So, Faktory is useful there. In terms of Ruby, Ruby is just another language to Faktory. So, there is a Ruby API for using Faktory, and you can create and execute Ruby jobs with Faktory. But, you'll find that in the Ruby community, Sidekiq is much widely... much more widely used and understood and known. So if you're just using Ruby, I think, I think Sidekiq is the right choice.

[00:19:59] I wouldn't look at Faktory. But if you do need, find yourself needing that polyglot tool, then Faktory is there.
Temporal

[00:20:07] Jeremy: And this is maybe one, maybe one layer of abstraction higher, but there's a product called Temporal that has some of this job scheduling, but also this workflow component. I wonder if you've tried that out and how you think about that product?

[00:20:25] Mike: I've heard of them. I don't know a lot about the product. I do have a workflow API, the Sidekiq batches, which allow you to fan out jobs and then, and then execute callbacks when all the jobs in that, in that batch are done. But I don't, provide sort of a, a high level. Graphical Workflow Editor or anything like that.

[00:20:50] Those to me are more marketing tools that you use to sell the tool for six figures. And I don't think they're usable. And I don't think they're actually used day to day. I provide an API for developers to use. And developers don't like moving blocks of code around in a GUI. They want to write code. And, um, so yeah, temporal, I, like I said, I don't know much about them.

[00:21:19] I also, are they a venture capital backed startup?

[00:21:22] Jeremy: They are, is my understanding,

[00:21:24] Mike: Yeah, that, uh, any, any sort of venture capital backed startup, um, who's building technical infrastructure. I, I would look long and hard at, I'm, I think open source is the right core to build on. Of course I sell commercial software, but. I'm bootstrapped. I'm profitable.

[00:21:46] I'm going to be around forever. A VC backed startup, they tend to go bankrupt, because they either get big or they go out of business. So that would be my only comment is, is, be a little bit leery about relying on commercial venture capital based infrastructure for, for companies, uh, long term.

Getting people to pay for Sidekiq

[00:22:05] Jeremy: So I think that's a really interesting part about your business is that I think a lot of open source maintainers have a really big challenge figuring out how to make it as a living.
The, there are so many projects that they all have a very permissive license and you can use them freely one example I can think of is, I, I talked with, uh, David Cramer, who's the CTO at Sentry, and he, I don't think they use it anymore, but they, they were using Nginx, right?

[00:22:39] And he's like, well, Nginx, they have a paid product, like Nginx Plus that or something. I don't know what the name is, but he was like, but I'm not going to pay for it. Right. I'm just going to use the free one. Why would I, you know, pay for the, um, the paid thing? So I, I, I'm kind of curious from your perspective when you were coming up with Sidekiq both as an open source product, but also as a commercial one, how did you make that determination of like to make a product where it's going to be useful in its open source form?

[00:23:15] I can still convince people to pay money for it.

[00:23:19] Mike: Yeah, the, I was terrified, to be blunt, when I first started out. when I started the Sidekiq project, I knew it was going to take a lot of time. I knew if it was successful, I was going to be doing it for the next decade. Right? So I started in 2012, and here I am in 2023, over a decade, and I'm still doing it.

[00:23:38] So my expectation was met in that regard. And I knew I was not going to be able to last that long. If I was making zero dollars, right? You just, you burn out. Nobody can last that long. Well, I guess there are a few exceptions to that rule, but yeah, money, I tend to think makes things a little more sustainable for sure.

[00:23:58] Especially if you can turn it into a full time job solving and supporting a project that you, you love and, and is, is, you know, your, your, your baby, your child, so to speak, your software, uh, uh, creation that you've given to the world. but I was terrified. but one thing I did was at the time I was blogging a lot.

[00:24:22] And so I was telling people about Sidekiq. I was telling people what was to come.
I was talking about ideas and. The one thing that I blogged about was financial experiments. I said bluntly to the, to, to the Ruby community, I'm going to be experimenting with financial stability and sustainability with this project.

[00:24:42] So not only did I create this open source project, but I was also publicly saying I I need to figure out how to make this work for the next decade. And so eventually that led to Sidekiq Pro. And I had to figure out how to build a closed source Ruby gem, which, uh, There's not a lot of, so I was kind of in the wild there.

[00:25:11] But, you know, thankfully all the pieces came together and it was actually possible. I couldn't have done it if it wasn't possible. Like, we would not be talking if I couldn't make a private gem. So, um, but it happened to work out. Uh, and it allowed me to, to gate features behind a paywall effectively. And, and yeah, you're right.

[00:25:33] It can be tough to make people pay for software. but I'm a developer who's selling to other developers, not, not just developers, open source developers, and they know that they have this financial problem, right? They know that there's this sustainability problem. And I was blunt in saying, this is my solution to my sustainability.

[00:25:56] So, I charge what I think is a very fair price. It's only a thousand dollars a year to a hobbyist. That may seem like a lot of money to a business. It's a drop in the bucket. So it was easy for developers to say, Hey, listen, we want to buy this tool for a thousand bucks. It'll ensure our infrastructure is maintained for the next decade.

[00:26:18] And it's, and it's. And it's relatively cheap. It's way less than, uh, you know, a salary or even a laptop. So, so that's, that's what I did. And, um, it's, it worked out great. People, people really understood. Even today, I talk to people and they say, we, we signed up for Sidekiq Pro to support you.
So it's, it's, it's really, um, invigorating to hear people, uh, thank me and, and they're, they're actively happy that they're paying me and our customers.

[00:26:49] Jeremy: it's sort of, uh, maybe a not super common story, right, in terms of what you went through. Because when I think of open core businesses, I think of companies like, uh, GitLab, which are venture funded, uh, very different scenario there. I wonder, like, in your case, so you started in 2012, and there were probably no venture backed competitors, right?

[00:27:19] People saying that we're going to make this job scheduling system and some VC is going to give me five million dollars and build a team to work on this. It was probably at the time, maybe it was Resque, which was...

[00:27:35] Mike: There was a venture backed system called IronMQ,

[00:27:40] Jeremy: Hmm.

[00:27:41] Mike: And I'm not sure if they're still around or not, but they... They took, uh, one or more funding rounds. I'm not sure exactly, but they were VC backed. They were doing, background jobs, scheduled jobs, uh, you know, running container, running container jobs. They, they eventually, I think, wound up sort of settling on Docker containers.

[00:28:06] They'll basically spin up a Docker container. And that container can do whatever it wants. It can execute for a second and then shut down, or it can run for, for however long, but they would, um, yeah, I, yeah, I'll, I'll stop there because I don't know the actual details of exactly their system, but I'm not sure if they're still around, but that's the only one that I remember offhand that was around, you know, years ago.

[00:28:32] Yeah, it's, it's mostly, you know, low level open source infrastructure. And so, anytime you have funded startups, they're generally using that open source infrastructure to build their own SaaS. And so SaaS's are the vast majority of where you see sort of, uh, commercial software.
[00:28:51] Jeremy: so I guess in that way it, it, it gave you this, this window or this area where you could come in and there wasn't, other than that iron, product, there wasn't this big money that you were fighting against. It was sort of, it was you telling people openly, I'm, I'm working on this thing.

[00:29:11] I need to make money so that I can sustain it. And, if you, yeah. like the work I do, then, you know, basically support me. Right. And, and so I think that, I'm wondering how we can reproduce that more often because when you see new products, a lot of times it is VC backed, right?

[00:29:35] Because people say, I need to work on this. I need to be paid. and I can't ask a team to do this. For nothing, right? So

[00:29:44] Mike: Yeah. It's. It's a wicked problem. Uh, it's a really, really hard problem to solve if you take vc you there, that that really kind of means that you need to be making tens if not hundreds of millions of dollars in sales. If you are building a small or relatively small. You know, put small in quotes there because I don't really know what that means, but if you have a small open source project, you can't charge huge amounts for it, right?

[00:30:18] I mean, Sidekiq is a, I would call a medium sized open source project, and I'm charging a thousand bucks for it. So if you're building, you know, I don't know, I don't even want to necessarily give example, but if you're building some open source project, and It's one of 300 libraries that people's applications will depend on.

[00:30:40] You can't necessarily charge a thousand dollars for that library. depending on the size and the capabilities, maybe you can, maybe you can't. But there's going to be a long tail of open source projects that just, they can't, they can't charge much, if anything, for them. So, unfortunately, we have, you know, these You kind of have two pathways.

[00:31:07] Venture capital, where you've got to sell a ton, or free.
And I've kind of walked that fine line where I'm a small business, I can charge a small amount because I'm bootstrapped. And, and I don't need huge amounts of money, and I, and I have a project that is of the right size to where I can charge a decent amount of money.

[00:31:32] That means that I can survive with 500 or a thousand customers. I don't need to have a hundred million dollars worth of customers. Because I, you know, when I started the business, one of the constraints I said is I don't want to hire anybody. I'm just going to be solo. And part of the, part of my ability to keep a low price and, and keep running sustainably, even with just You know, only a few hundred customers is because I'm solo.

[00:32:03] I don't have the overhead of investors. I don't have the overhead of other employees. I don't have an office space. You know, my overhead is very small. So that is, um, you know, I just kind of have a unique business in that way, I guess you might say.

Keeping the business solo

[00:32:21] Jeremy: I think that's that's interesting about your business as well But the fact that you've kept it you've kept it solo which I would imagine in most businesses, they need support people. they need, developers outside of maybe just one. Um, there's all sorts of other, I don't think overhead is the right word, but you just need more people, right?

[00:32:45] And, and what do you think it is about Sidekiq that's made it possible for it to just be a one person operation?

[00:32:52] Mike: There's so much administrative overhead in a business. I explicitly create business policies so that I can run solo. you know, my support policy is officially you get one email ticket or issue per quarter. And, and anything more than that, I can bounce back and say, well, you're, you're requiring too much support.

[00:33:23] In reality, I don't enforce that at all. And people email me all the time, but, but things like.
Things like dealing with accounting and bookkeeping and taxes and legal stuff, licensing, all that is, yeah, a little bit of overhead, but I've kept it as minimal as I can. And part of that is I don't want to hire another employee because then that increases the administrative overhead that I have.

[00:33:53] And Sidekiq is so tied to me and my knowledge that if I hire somebody, they're probably not going to know Ruby and threading and all the intricate technical detail necessary to build and maintain and support the system. And so really you'll kind of regress a little bit. We won't be able to give as good support because I'm busy helping that other employee.

Being selective about customers

[00:34:23] Mike: So, yeah, it's, it's a tightrope act where you've got to really figure out how can I scale myself as far as possible without overwhelming myself. The, the overwhelming thing that I have that I've never been able to solve. It's just dealing with billing inquiries, customers, companies, emailing me saying, how do we buy this thing?

[00:34:46] Can I get an invoice? Every company out there, it seems wants an invoice. And the problem with invoicing is it takes a lot more manual labor and administrative overhead to issue that invoice to collect payment on the invoice. So that's one of the reasons why I have a very strict policy about credit card only for, for the vast majority of my customers.

[00:35:11] And I demand that companies pay a lot more. You have to have a pretty big enterprise license if you want an invoice. And if the company, if the company comes back and complains and says, well, you know, that's ridiculous. We don't, we don't want to pay that much. We don't need it that much. Uh, you know, I, I say, okay, well then you have two, two things, two, uh, two things.

[00:35:36] You can either pay with a credit card or you can not use Sidekiq. Like, that's, that's it. I'm, I don't need your money.
I don't want the administrative overhead of dealing with your accounting department. I just want to support my, my customers and build my software. And, and so, yeah, I don't want to turn into a billing clerk.

[00:35:55] So sometimes, sometimes the, the, the best thing in business that you can do is just say no.

[00:36:01] Jeremy: That's very interesting because I think being a solo... person is what probably makes that possible, right? Because if you had the additional staff, then you might say like, Well, I need to pay my staff, so we should be getting, you know, as much business as

[00:36:19] Mike: Yeah. Chasing every customer you can, right. But yeah.

[00:36:22] Every customer is different. I mean, I have some customers that just, they never contact me. They pay their bill really fast or right on time. And they're paying me, you know, five figures, 20, a year. And they just, it's a, God bless them because those are, are the.

[00:36:40] Best customers to have and the worst customers are the ones who are paying 99 bucks a month and everything that they don't understand or whatever is a complaint. So sometimes, sometimes you, you want to, vet your customers from that perspective and say, which one of these customers are going to be good?

[00:36:58] Which ones are going to be problematic?

[00:37:01] Jeremy: And you're only only person... And I'm not sure how many customers you have, but

[00:37:08] Mike: I have 2000

[00:37:09] Jeremy: 2000 customers.

[00:37:10] Okay.

[00:37:11] Mike: Yeah.

[00:37:11] Jeremy: And has that been relatively stable or has there been growth

[00:37:16] Mike: It's been relatively stable the last couple of years. Ruby has, has sort of plateaued. Um, it's, you don't see a lot of growth. I'm getting probably, um, 15, 20 percent growth maybe. Uh, so I'm not growing like a weed, like, you know, venture capital would want to see, but steady incremental growth is, is, uh, wonderful, especially since I do very little.
[00:37:42] Sales and marketing. you know, I come to RubyConf I, I I tweet out, you know, or I, I toot out funny Mastodon Toots occasionally and, and, um, and, and put out new releases of the software. And, and that's, that's essentially my, my marketing. My marketing is just staying in front of developers and, and, and being a presence in the Ruby community.

[00:38:06] But yeah, it, it's, uh. I, I, I see not a, not a huge amount of churn, but I see enough sales to, to, to stay up and keep my head above water and to keep growing, um, slowly but surely.

Support needs haven't grown

[00:38:20] Jeremy: And as you've had that steady growth, has the support burden not grown with it?

[00:38:27] Mike: Not as much because once customers are on Sidekiq and they've got it working, then by and large, you don't hear from them all that much. There's always GitHub issues, you know, customers open GitHub issues. I love that. but yeah, by and large, the community finds bugs. and opens up issues. And so things remain relatively stable.

[00:38:51] I don't get a lot of the complete newbie who has no idea what they're doing and wants me to, to tell them how to use Sidekiq that I just don't see much of that at all. Um, I have seen it before, but in that case, generally, I, I, I politely tell that person that, listen, I'm not here to educate you on the product.

[00:39:14] It's there's documentation in the wiki. Uh, and there's tons of, of more Ruby, generic Ruby, uh, educational material out there. That's just not, not what I do. So, so yeah, by and large, the support burden is, is not too bad because once people are, are up and running, it's stable and, and they don't, they don't need to contact me.

[00:39:36] Jeremy: I wonder too, if that's perhaps a function of the price, because if you're a new developer or someone who's not too familiar with how to do job processing or what they want to do when you, there is the open source product, of course.
but then the next step up, I believe is about a hundred dollars a month.

[00:39:58] And if you're somebody who is kind of just getting started and learning how things work, you're probably not going to pay that, is my guess. And so you'll never hear from them.

[00:40:11] Mike: Right, yeah, that's a good point too, is the open source version, which is what people inevitably are going to use and integrate into their app at first. Because it's open source, you're not going to email me directly, um, and when people do email me directly, Sidekiq support questions, I do, I reply literally, I'm sorry I don't respond to private email, unless you're a customer.

[00:40:35] Please open a GitHub issue and, um, that I try to educate both my open source users and my commercial customers to try and stay in GitHub issues because private email is a silo, right? Private email doesn't help anybody else but them. If I can get people to go into GitHub issues, then that's a public record.

[00:40:58] that people can search. Because if one person has that problem, there's probably a dozen other people that have that same problem. And then that other, those other 11 people can search and find the solution to their problem at four in the morning when I'm asleep. Right? So that's, that's what I'm trying to do is, is keep, uh, keep everything out in the open so that people can self service as much as possible.

Sidekiq open source

[00:41:24] Jeremy: And on the open source side, are you still primarily the main contributor? Or do you have other people that are

[00:41:35] Mike: I mean, I'd say I do 90 percent of the work, which is why I don't feel guilty about keeping 100 percent of the money. A lot of open source projects, when they look for financial sustainability, they also look for how can we split this money amongst the team. And that's, that's a completely different topic that I've.
[00:41:55] is another reason why I've stayed solo is if I hire an employee and I pay them 200, 000 a year as a developer, I'm meanwhile keeping all the rest of the profits of the company. And so that almost seems a little bit unfair. because we're both still working 40 hours a week, right? Why am I the one making the vast majority of the, of the profit and the money?

[00:42:19] Um, so, uh, I've always, uh, that's another reason why I've stayed solo, but, but yeah, having a team of people working on something, I do get, regular commits, regular pull requests from people, fixing a bug that they found or just making a tweak that. that they saw, that they thought they could improve.

[00:42:42] A little more rarely I get a significant improvement or feature, as a pull request. but Sidekiq is so stable these days that it really doesn't need a team of people maintaining it. The volume of changes necessary, I can easily keep up with that. So, I'm still doing 90 95 percent of the work.

Are there other Sidekiq-like opportunities out there?

[00:43:07] Jeremy: Yeah, so I think Sidekiq has sort of a unique positioning where it's the code base itself is small enough where you can maintain it yourself and you have some help, but primarily you're the main maintainer. And then you have enough customers who are willing to, to pay for the benefit it gives them on top of what the open source product provides.

[00:43:36] cause it's, it's, you were talking about how. Every project people work on, they have, they could have hundreds of dependencies, right? And to ask somebody to, to pay for each of them is, is probably not ever going to happen. And so it's interesting to think about how you have things like, say, you know, OpenSSL, you know, it's a library that a whole bunch of people rely on, but nobody is going to pay a monthly fee to use it.

[00:44:06] You have things like, uh, recently there was HashiCorp with Terraform, right?
They, they decided to change their license because they, they wanted to get, you know, some of that value back, some of the money back, and the community basically revolted. Right? And did a fork. And so I'm kind of curious, like, yeah, where people can find these sweet spots like, like Sidekiq, where they can find this space where it's just small enough where you can work on it on your own and still get people to pay for it. [00:44:43] It's, I'm trying to picture, like, where are the spaces? Open source as a public utility [00:44:48] Mike: We need to look at other forms of financing beyond pure capitalism. If this is truly public infrastructure that needs to be maintained for the long term, then why are we, why is it that we depend on capitalism to do that? Our roads, our water, our sewer, those are not capitalist, right? Those are utilities, that's public infrastructure that we maintain, that the government helps us maintain. [00:45:27] And in a sense, tech infrastructure is similar or could be thought of in a similar fashion. So things like Open Collective, things like, uh, there's a, there's an organization in Europe called NLNet, I think, out of the Netherlands. And they do a lot of grants to various open source projects to help them improve the state of digital infrastructure. [00:45:57] They support, for instance, Mastodon as an open source project that doesn't have any sort of corporate backing. They see that as necessary social media infrastructure, uh, for the long term. And, and I, and I think that's wonderful. I like to see those new directions being explored where you don't have to turn everything into a product, right? [00:46:27] And, and try and market and sell, um, and, and run ads and, and do all this stuff. 
If you can just make the case that, hey, this is, this is useful public infrastructure that so many different, um, technical, uh, you know, applications and businesses could rely on, much like FedEx and DHL use our roads to the benefit of their own, their own corporate profits. [00:46:53] Um, why, why, why shouldn't we think of tech infrastructure sort of in a similar way? So, yeah, I would like to see us explore more in that direction. I understand that in America that may not happen for quite a while because we are very capitalist-focused, but it's encouraging to see, um, places like Europe, uh, a little more open to, to trialing things like, cooperatives and, and grants and large long-term grants to, to projects to see if they can, uh, provide sustainability in, in, you know, in a new way. [00:47:29] Jeremy: Yeah, that's a good point because I think right now, a lot of the open source infrastructure that we all rely on, either it's being paid for by large companies and at the whim of those large companies, if Google decides we don't want to pay for you to work on this project anymore, where does the money come from? [00:47:53] Right? And on the other hand, there's the thousands, tens of thousands of people who are doing it just for free out of the, you know, the goodness of their, their heart. And that's where a lot of the burnout comes from. Right. So I think what you're saying is that perhaps a lot of these pieces that we all rely on, that our, our governments, you know, here in the United States, but also around the world should perhaps recognize as this is, like you said, this is infrastructure, and we should be [00:48:29] paying these people to keep the equivalent of the roads and, and, uh, all that working. [00:48:37] Mike: Yeah, I mean, I'm not, I'm not claiming that it's a perfect analogy. There's, there's, there's lots of questions that are unanswered in that, right? How do you, how do you ensure that a project is well maintained? 
What does that even look like? What does that mean? you know, you can look at a road and say, is it full of potholes or is it smooth as glass, right? [00:48:59] It's just perfectly obvious, but to a, to a digital project, it's, it's not as clear. So, yeah, but, but, but exploring those new ways because turning everybody into a businessman so that they can, they can keep their project going, it, it, it itself is not sustainable, right? so yeah, and that's why everything turns into a SaaS because a SaaS is easy to control. [00:49:24] It's easy to gatekeep behind a paywall and it's easy to charge for, whereas a library on GitHub. Yeah. You know, what do you do there? You know, obviously GitHub has sponsors, the sponsors feature. You've got Patreon, you've got Open Collective, you've got Tidelift. There's, there's other, you know, experiments that have been run, but nothing has risen to the top yet. [00:49:47] and it's still, it's still a bit of a grind. but yeah, we'll see, we'll see what happens, but hopefully people will keep experimenting and, and maybe, maybe governments will start. Thinking in the direction of, you know, what does it mean to have a budget for digital infrastructure maintenance? [00:50:04] Jeremy: Yeah, it's interesting because we, we started thinking about like, okay, where can we find spaces for other Sidekiqs? But it sounds like maybe, maybe that's just not realistic, right? Like maybe we need more of a... Yeah, a rethinking of, I guess the, the structure of how people get funded. Yeah. [00:50:23] Mike: Yeah, sometimes the best way to solve a problem is to think at a higher level. You know, we, the, the sustainability problem in American Silicon Valley based open source developers is naturally going to tend toward venture capital and, and capitalism. And I, you know, I think, I think that's, uh, extremely problematic on a, on a lot of different, in a lot of different ways. 
[00:50:47] And, and so sometimes you need to step back and say, well, maybe we're, maybe we just don't have the right tool set to solve this problem. But, you know, I, I. More than that, I'm not going to speculate on because it is a wicked problem to solve. [00:51:04] Jeremy: Is there anything else you wanted to, to mention or thought we should have talked about? [00:51:08] Mike: No, I, I, I loved the talk, of sustainability and, and open source. And I, it's, it's a, it's a topic really dear to my heart, obviously. So I, I am happy to talk about it at length with anybody, anytime. So thank you for having me. [00:51:25] Jeremy: All right. Thank you very much, Mike.

Ubuntu Security Podcast
Episode 212

Ubuntu Security Podcast

Play Episode Listen Later Oct 27, 2023 23:06


With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

Paul's Security Weekly
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Paul's Security Weekly

Play Episode Listen Later Sep 26, 2023 87:11


Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

Paul's Security Weekly TV
Equifax's Breach, CISA's 1,000 Vulns, Rust's TLS Library, Complexity vs. Design - ASW #256

Paul's Security Weekly TV

Play Episode Listen Later Sep 26, 2023 40:23


A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security). Show Notes: https://securityweekly.com/asw-256

Application Security Weekly (Audio)
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Application Security Weekly (Audio)

Play Episode Listen Later Sep 26, 2023 87:11


Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

Ask Noah Show
Ask Noah Show 355

Ask Noah Show

Play Episode Listen Later Sep 20, 2023 53:51


What if you could purchase a computer built like a Mac but run a free and open source operating system on it that you can't break? Would you buy one? Steve and Noah discuss the Malibal, and an immutable distro with Flatpaks that "just works" -- During The Show -- 00:58 Intro Steve's Nvidia Issue troubleshooting process root cause = it's dirty why dig for the root cause Good News! Axia fixed our board! 06:50 Google Ad Policy - Ahmed Google ads used for phishing Google ads placement confusing Why Google doesn't clearly label ads 12:05 TPM & Drive Encryption On Fedora - Tiny Clevis (https://github.com/latchset/clevis) systemd-cryptenroll Fedora TPM Blog Post (https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/) Fedora Security Keys Blog Post (https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/) 15:09 Linux Mint Issues - penguin prince Maybe re-seat things? 15:55 Current Grafana Setup - Tiny Current Usage Network CPU RAM Disk Matrix database Added to Ansible Grafana can be more than graphs 21:00 News Wire Fedora KDE Plasma 6 Dropping X11 - 9to5Linux (https://9to5linux.com/fedora-linux-40-to-offer-the-kde-plasma-6-desktop-on-wayland-and-drop-x11-session) Linux 6.7 Drops Itanium IA-64 - Phoronix (https://www.phoronix.com/news/Linux-6.7-To-Drop-Itanium-IA-64) ReiserFS Removed From Default Kernel - Phoronix (https://www.phoronix.com/news/ReiserFS-Drop-From-Defconfigs) Tails 5.17.1 - Tails (https://tails.net/news/version_5.17.1/index.en.html) Real-Time Linux on AWS - The New Stack (https://thenewstack.io/canonical-brings-real-time-linux-to-amazon-web-services/) Delayed Module Signature Verification - Phoronix (https://www.phoronix.com/news/Linux-Delay-Module-Verification) OpenSUSE Seeks LEAP Replacement - ZDNet (https://www.zdnet.com/article/opensuse-seeks-a-leap-replacement-but-will-distro-community-rise-to-the-challenge/) OpenSource.com Reborn - Open Source Watch (https://opensourcewatch.beehiiv.com/p/invaluable-opensourcecom-site-reborn-opensourcenet)
Intel FPGA & RISC-V - The Register (https://www.theregister.com/2023/09/15/intel_fpga_updates/) OpenSSL 1.1.1 is EOL - The New Stack (https://thenewstack.io/update-now-openssl-1-1-1s-shelf-life-has-ended/) Earth Lusca & SprySOCKS backdoor - Bleeping Computer (https://www.bleepingcomputer.com/news/security/new-sprysocks-linux-malware-used-in-cyber-espionage-attacks/) NCurses Flaw - The Hacker News (https://thehackernews.com/2023/09/microsoft-uncovers-flaws-in-ncurses.html) CISA Announcement - CISA.gov (https://www.cisa.gov/news-events/news/cisa-announces-open-source-software-security-roadmap) VC Bill Gurley - Fortune.com (https://fortune.com/2023/09/17/bill-gurley-warns-regulatory-capture-ai-hails-open-source/) 6.1.14 Kernel in Scratch - MIT.edu (https://scratch.mit.edu/projects/892602496) 23:00 openSUSE Aeon "It Just Works" Linux MicroOS & GNOME as immutable base Software via Flatpak and distrobox Good for some users What problem does this solve? 
Purpose Driven openSUSE Aeon (https://en.opensuse.org/Portal:Aeon) All Systems Go Talk (https://www.youtube.com/watch?v=1K_kGbmlewo) 34:30 Penguin Prince Calls Adding a Page to WordPress Issue Page refuses to go live 38:55 The US Assembled Linux Laptop You Haven't Heard Of Malibal (https://www.malibal.com/) Final Assembly in the US Expensive Making a powerful sleek computer Most have graphics cards Optimus Manager (https://github.com/Askannz/optimus-manager) Coreboot Commitment to sustainability Barrel Power vs Type-C charging Dell's commitment to Linux System76 (https://system76.com/) Framework Laptops (https://frame.work/) 51:36 NextCloud Hub 6 They have to have email Mail in a Box (https://mailinabox.email/) Linux Today (https://www.linuxtoday.com/news/nextcloud-hub-6-more-than-a-foss-replacement-for-microsoft-365-business-standard/) Linux UnPlugged 528 (https://linuxunplugged.com/528) 52:25 LFNW Moved to Next Year Had to move the date Will still have things to do -- The Extra Credit Section -- For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/355) Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah) Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com) -- Stay In Touch -- Find all the resources for this show on the Ask Noah Dashboard Ask Noah Dashboard (http://www.asknoahshow.com) Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! 
Altispeed Technologies (http://www.altispeed.com/) Contact Noah live [at] asknoahshow.com -- Twitter -- Noah - Kernellinux (https://twitter.com/kernellinux) Ask Noah Show (https://twitter.com/asknoahshow) Altispeed Technologies (https://twitter.com/altispeed) • Ask Noah Show © CC-BY-ND 2021 •

Python Bytes
#331 Python From the Future

Python Bytes

Play Episode Listen Later Apr 12, 2023 35:57


Watch on YouTube About the show Sponsored by InfluxDB from Influxdata. Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too. Michael #1: makeapp via Felix Ingram Simplifies Python application rollout and publishing. Link to its mention on Talk Python. Simplifies Python application rollout and publishing: Make a skeleton for your new application with one console command Automatically create a VCS repository for your application. Automatically check whether the chosen application name is not already in use. Customize new application layouts with skeleton templates. Put some skeleton default settings into a configuration file not to mess with command line switches anymore. Easily add entries to your changelog. Publish your application to remotes (VCS, PyPI) with single command. Brian #2: Looking forward to Python 3.12 We're on 3.12.0a7 now, the last alpha, final is scheduled for October schedule So far, in 3.12.0a7 What's new in Python 3.12 page has some examples of the Improved Error Messages Recent addition, PEP 684 - A Per-Interpreter GIL was approved recently “… sufficient isolation would facilitate true multi-core parallelism …” seems like a good thing. But also, “… this is an advanced feature meant for a narrow set of users of the C-API. “, so not really sure how this will affect us. Still, seems cool. Michael #3: Python 3.11.3 is out Fixes a HIGH level CVE in OpenSSL (so patch it) Lots of changes in Core and Builtins Brian #4: How to Make a Great Conference Talk Sebastian Witowski Lots of great advice for tech conf talks. Don't skip the last half of this, getting your talk accepted is really when the work starts. Good sections to make sure you don't miss Live demos “First of all - do you really need a demo? …” Rehearsing Don't skip this. Do this. A lot. 
Out loud. With a timer. While standing. Memorize the first few minutes, and the last few. Know how you're going to open and close. Night before: get enough sleep. Day of: eat well. Don't drink too much liquid. Be comfortable. Sebastian was honest in saying this stuff works for him, but do what works for you. From Brian: I deviate from Sebastian in quite a few places, but still don't disagree with his advice. I can't give a talk without slides, as I use them for prompts to know what I'm talking about next. My talks usually have a lot of code snippets. Obviously, that would be difficult without slides. I write my talk and my slides in Markdown. Sebastian writes in something else, then builds slides as visual aids. That's cool. Do what works for you. Bonus tool from the article: demo-magic - If I'm ever tempted to live code again, I think I'll try this instead. Extras: Michael: NOW the CDN course is out. Django 4.2 released. Joke: Using A.I. for Efficiency

Paul's Security Weekly
ASW #229 - Nick Selby

Paul's Security Weekly

Play Episode Listen Later Feb 14, 2023 81:27


Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike. Segment Resources: https://github.com/trailofbits/publications/blob/master/reviews/2022-12-curl-threatmodel.pdf In the news: Reddit's breach disclosure, simple vulns in Toyota's web portals, OpenSSL vulns, voting results for PortSwigger's top 10 web hacking techniques of 2022, tiny IoT cryptography implementations, real-world migration of a million lines of code. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw229

Paul's Security Weekly
ESW #305 - Tom Goings, Ashley Leonard

Paul's Security Weekly

Play Episode Listen Later Feb 10, 2023 147:03


Tanium has recently released a new capability called Tanium Software Bill of Materials (SBOM) to help customers identify third-party libraries associated with software packages. • What is Tanium SBOM • Why is it different and why do you need it • How to configure SBOM • How to query for the details about every software application in your environment • Where your vulnerable packages exist • Ways that Tanium can remediate vulnerabilities from OpenSSL to Struts to Log4j today as well as new supply-chain vulnerabilities in the future   No one knows what the next supply chain vulnerability is going to be, but with Tanium, you will have access to data about how your applications are affected before it happens so that when it does, you're ready to take action to remediate the issue from within the Tanium XEM platform.   Segment Resources: https://www.tanium.com/products/tanium-sbom/  https://www.tanium.com/press-releases/tanium-launches-software-bill-of-materials-for-unprecedented-visibility-to-combat-supply-chain-threats/  https://www.tanium.com/blog/software-bill-of-materials-openssl/   This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!   Syxsense and Enterprise Management Associates (EMA) recently teamed up to publish a survey around the current state of Zero Trust within enterprises as well as where it's going. This interview will discuss the key findings and insights into the challenges many organizations face around Zero Trust, as well as endpoint security and network access. Segment Resources: https://www.syxsense.com/advancing-zero-trust-priorities   In the Enterprise News: Whether you want insurtechs or not, they're here and you're getting them! Don't worry - we'll explain what insurtechs are. Two potential deals to take security companies private: Sumo Logic and Rapid 7! Looks like 32 year old security company Cyren is shutting down, hoping for an asset sale. They've already laid off all their employees. 
Big drama: a firm shorts Darktrace and releases a scathing report. We've got yet more layoffs this week, but don't fret - the NSA is hiring! For our squirrel stories, we'll be deciding between three stories: codebreakers solve 500-year-old ciphers, the real cost of meetings visualized, and sushi terrorists! All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw305

Software Engineering Daily
OpenSSL Vulnerability with Ilkka Turunen

Software Engineering Daily

Play Episode Listen Later Dec 7, 2022 50:34


OpenSSL is a free, open-source cryptographic library that provides secure communications over computer networks. It's widely used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which are the basis for secure, encrypted connections on the internet. On Oct 25th, the OpenSSL project informed its users of a critical vulnerability that

Security Now (MP3)
SN 896: Something for Everyone - Dropbox breach, cyber bank heists, Russia goes Linux, OpenSSL flaw update

Security Now (MP3)

Play Episode Listen Later Nov 9, 2022 115:31


Picture of the Week. A minor Dropbox breach. OpenSSL follow-up. FTC sued and settled with a repeat offender. $1.2 billion in reported ransomware payments during 2021. Akamai's Q3 Threat Report. Initial Access Brokerages. How do today's bank heists work? De-Fi De-struction De-jour. Russia moves to Linux. We're The Red Cross. Don't attack us, please! Where there's a will, there's a way. From China with Love. The UK's NCSC scan plan. Miscellany. Closing The Loop. SpinRite. We invite you to read our show notes at https://www.grc.com/sn/SN-896-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Sponsors: canary.tools/twit - use code: TWIT drata.com/twit

The CyberWire
OpenSSL indeed patched. CISA is confident of election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. BEC and gift cards. And that's one sweet ride.

The CyberWire

Play Episode Listen Later Nov 2, 2022 24:48


OpenSSL patches two vulnerabilities. CISA and election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. Business email compromise and gift cards. Tim Starks from the Washington Post's Cybersecurity 202 has the latest on election security. A visit to the CyberWire's Women in Cyber Security event. And consequences for Raccoon Stealer from the war in Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/211 Selected reading. OpenSSL patched today. (CyberWire) OpenSSL Releases Security Update (CISA) OpenSSL releases fixes for two ‘high' severity vulnerabilities (The Record by Recorded Future) OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway! (Naked Security) Threat Advisory: High Severity OpenSSL Vulnerabilities (Cisco Talos Blog) OpenSSL Vulnerability Patch Released (Sectigo® Official) Clearing the Fog Over the New OpenSSL Vulnerabilities (Rezilion) OpenSSL vulnerability CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) Check Point Research Update (Check Point Software) Undisclosed OpenSSL vulnerability: Free scripts for target scoping (Lightspin) Discussions of CISA's part in elections and the JCDC. (CyberWire) U.S. Treasury thwarted attack by Russian hacker group last month-official (Reuters) XDR data reveals threat trends. (CyberWire) What happens to a gift card given to a scammer? (CyberWire) How Russia's war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years (MarketWatch)

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
ISC StormCast for Wednesday, November 2nd, 2022

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Nov 2, 2022 8:06


OpenSSL 3.0 Punycode Vulnerability Fix https://isc.sans.edu/forums/diary/Critical+OpenSSL+30+Update+Released+Patches+CVE20223786+CVE20223602/29208 https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
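The two items above that send people to patch (the Python 3.11.3 note, which fixes the OpenSSL that interpreter links against, and this ISC entry on the 3.0.7 release for CVE-2022-3602 / CVE-2022-3786) both come down to the same first question on a host: which OpenSSL is actually in use, and is it inside the affected range? The script below is an added example, not code from OpenSSL, ISC, Python Bytes or any other show listed here. It parses the version string that `openssl version` or Python's `ssl.OPENSSL_VERSION` produces and flags two things the episodes report: the punycode overflows, which affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7, and the 1.1.1 line having reached end of life on 11 September 2023. The version-string format, the fixed-in version and the EOL date are the assumptions baked into the constants; the function names are mine.

```python
"""OpenSSL version triage (added example; not OpenSSL project code).

Classifies a version string such as the output of `openssl version` or
Python's ssl.OPENSSL_VERSION against two facts reported in the episodes
above:
  * CVE-2022-3602 / CVE-2022-3786 (X.509 punycode overflows) affect
    OpenSSL 3.0.0 .. 3.0.6 and were fixed in 3.0.7 (released 1 Nov 2022).
  * OpenSSL 1.1.1 reached end of life on 11 Sep 2023.
Assumption: the string carries a dotted major.minor.patch triple, with an
optional 1.x-style patch letter ("1.1.1t"); anything else is rejected.
"""
import re
import ssl
import subprocess

# First dotted triple in the string; the 1.x line appends a letter.
# A LibreSSL string also parses, but the checks below are OpenSSL-specific.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

PUNYCODE_FIXED_IN = (3, 0, 7)               # CVE-2022-3602 / CVE-2022-3786
EOL_LINES = {(1, 1, 1): "2023-09-11"}       # release line -> end-of-life date


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from text such as
    'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1t  7 Feb 2023'.
    Raises ValueError when no version triple is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def assess(version):
    """Return a list of (finding_id, message) for a parsed version tuple.
    An empty list means neither check applies."""
    major, minor, patch, letter = version
    shown = f"{major}.{minor}.{patch}{letter}"
    findings = []
    # Only the 3.0 line before 3.0.7 carries the punycode decoder bugs.
    if (major, minor) == (3, 0) and patch < PUNYCODE_FIXED_IN[2]:
        findings.append((
            "CVE-2022-3602",
            f"{shown}: X.509 punycode overflows (CVE-2022-3602, CVE-2022-3786); "
            "upgrade to 3.0.7 or later",
        ))
    eol = EOL_LINES.get((major, minor, patch))
    if eol is not None:
        findings.append((
            "EOL",
            f"{shown}: release line reached end of life on {eol}; "
            "no further public security fixes",
        ))
    return findings


def assess_python_runtime():
    """Assess the OpenSSL the running interpreter's ssl module is linked to."""
    return assess(parse_openssl_version(ssl.OPENSSL_VERSION))


def assess_system_openssl(binary="openssl"):
    """Assess the command-line openssl on PATH; None if it cannot be run."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(parse_openssl_version(out))


if __name__ == "__main__":
    for label, result in (("python ssl module", assess_python_runtime()),
                          ("system openssl", assess_system_openssl())):
        if result is None:
            print(f"{label}: openssl binary not found")
        elif not result:
            print(f"{label}: no findings")
        else:
            for _, message in result:
                print(f"{label}: {message}")
```

Two caveats when reading the output. The interpreter's `ssl` module and the `openssl` binary on PATH are often different builds (a bundled Python, a container base image, a statically linked application), so both are checked and neither answers for the other. And distribution packages frequently backport fixes without bumping the upstream version string, so a "3.0.2" on a long-term-support distro may already carry the 3.0.7 fix; treat a hit here as a prompt to read the distro's changelog or advisory, not as proof of exposure.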


Risky Business
Risky Business #683 -- OpenSSL bug is a fizzer, ASD responds to Medibank hack

Risky Business

Play Episode Listen Later Nov 2, 2022 62:51


On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: Twitter bluechecks face phishing barrage Australian government goes berserk on Medibank hack response Former WSJ journalist sues law firm over email hack and info op that got him fired OpenSSL bug lands with a whimper Apple macOS Ventura update breaks security tools Much, much more This week's show is brought to you by Thinkst Canary. Marco Slaviero, Thinkst's head of engineering, joins us this week to talk through the company's latest release, codenamed Quokka. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes Twitter's verification chaos is now a cybersecurity problem | TechCrunch Unconfirmed hack of Liz Truss' phone prompts calls for “urgent investigation” | Ars Technica Chinese hackers are scanning state political party headquarters, FBI says - The Washington Post Former WSJ reporter says law firm used Indian hackers to sabotage his career | Reuters The source - Columbia Journalism Review Upcoming ‘critical' OpenSSL update prompts feverish speculation | The Daily Swig OpenSSL vulnerability downgraded to ‘high' severity | The Daily Swig Medibank says hackers had access to ‘all personal data' belonging to all customers - The Record by Recorded Future Australia to tighten privacy laws, increase fines after series of data breaches - The Record by Recorded Future Votes in Slovakia's parliament suspended after alleged ‘cybersecurity incident' - The Record by Recorded Future NY Post confirms hack after website, Twitter feed flooded with threats toward Biden, AOC - The Record by Recorded Future Apple MacOS Ventura Bug Breaks Third-Party Security Tools | WIRED Microsoft ties Vice Society hackers to additional ransomware strains - The Record by Recorded Future How Vice Society Got Away With a Global Ransomware Spree | WIRED FTC seeks action against Drizly — and its CEO — for cybersecurity failures - 
The Record by Recorded Future Critical authentication bug in Fortinet products actively exploited in the wild | The Daily Swig Google Play apps with >20M downloads depleted batteries and network bandwidth | Ars Technica Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious | Ars Technica Microsoft disputes report on Office 365 Message encryption issue after awarding bug bounty - The Record by Recorded Future Microsoft Office Online Server open to SSRF-to-RCE exploit | The Daily Swig Microsoft's Sociopathic Cybersecurity Pedantry Brazilian police announce arrest of alleged Lapsus$ member - The Record by Recorded Future Accused ‘Raccoon' Malware Developer Fled Ukraine After Russian Invasion – Krebs on Security European gang that sold car hacking tools to thieves arrested - The Record by Recorded Future How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica

The CyberWire
OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense. And a quick look at DNS threats.

The CyberWire

Play Episode Listen Later Nov 1, 2022 31:21


OpenSSL is patched today. The misconfiguration risk to US government networks' security and compliance. Hacking Ms Truss's phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/210 Selected reading. Effectively Preparing for the OpenSSL 3.x Vulnerability (Akamai) How The OpenSSL 3 Vulnerability Will Really Affect Your Environment (Nucleus Security) New Critical Flaw in OpenSSL: How to Know if You're at Risk (Rezilion) Experts warn of critical security vulnerability discovered in OpenSSL (Application Security Blog) The impact of exploitable misconfigurations on network security within US Federal organizations (Titania) Liz Truss's personal phone hacked by Putin's spies (Mail Online) Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters) Liz Truss phone hack claim prompts calls for investigation (BBC News) Russian spies hacked Truss's personal phone (Computing) Government urged to investigate report Liz Truss's phone was hacked (the Guardian) Ministers creating ‘wild west' conditions with use of personal phones (the Guardian) Suella Braverman admits sending official documents to personal email six times (The Telegraph) Ukraine War: UK reveals £6m package for cyber defence (BBC News) DNS Threat Report — Q3 2022 (Akamai)

Security Now (MP3)
SN 879: The Rolling Pwn - OpenSSL patch, iOS Lockdown Mode, Yubikey's to Ukraine, Office Macros re-enabled

Security Now (MP3)

Play Episode Listen Later Jul 13, 2022 133:15


Picture of the Week. OpenSSL's Patch For Heap Memory Corruption Vulnerability. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms. Yubico donated 30,000 Yubikeys to Ukraine. Apple's new extreme "Lockdown Mode". Microsoft to re-enable Office Macros. This Is the Code the FBI Used to Wiretap the World. Closing The Loop. The Rolling Pwn. We invite you to read our show notes at https://www.grc.com/sn/SN-879-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Sponsors: expressvpn.com/securitynow tanium.com/twit canary.tools/twit - use code: TWIT