Saving this here to use later. As seen in the comments on yet-another-ai story on Lobsters:

"How could you claim to have a neutral, informed opinion on LLMs without signing up for a bunch of subscriptions and constantly talking to the liar machine to see if it told a truth today?"

One of my fav quotes from this @gregkh interview:

"Open source ends up having better depth of knowledge than closed source has."

(Because for careers in companies you get shifted around while many people in OSS stay in the same field/code for decades.)

https://www.youtube.com/watch?v=-1-OjxPJZcs


Linux Kernel Hardening: Ten Years Deep

Talk by @kees about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: https://www.youtube.com/watch?v=c_NxzSRG50g
Slides: https://static.sched.com/hosted_files/lssna2025/9f/KSPP%20Ten%20Years%20Deep.pdf

All the slides at this meeting talk about how much time and effort "AI" would help us save, and all I want to do is point out how much time and effort I've sunk so far into keeping AI crawlers from DDoS'ing our infra.

@gregkh linters literally do their job better than a speculation machine

@ptesarik That's what `drivers/staging/` is for, we just took 10+ patches for that subsystem from new submitters yesterday. That's much easier to accomplish than trying to parse the output of an "AI tool" :)
@liw We assign 13 CVEs for Linux every single day. "Fame and fortune" is not something that happens for any of those reports, as a CVE is trivial to get if you actually want to just fix a kernel bug for real.
Days since an "AI found security bug" turned out to be totally false due to the inability of the tool to actually parse C code: 0

I'm seeing multiple of these types of "reports" per week now for Linux. Why do people think that an LLM can somehow do better than a compiler and also not even test their proposed changes to verify they even do anything?

{sigh}
@codonell @brauner Yes, just add them at the end.

And we don't use the "(cherry picked from..." text in the kernel for stable backports, we do a much larger "commit XXXXXX upstream" at the top of the changelog text to make it easier for tools to catch.
@brauner @codonell That is correct, in the kernel we do NOT clear any of them out, only add new ones as that would "erase" the work that the original developers/reviewers did on the original change, which isn't a kind thing to do in my opinion.
The second hardest thing in working in an open source developer community is learning who to ignore, be it in patch reviews or other places.

The hardest thing in working in an open source community is realizing that you are the one that everyone is ignoring.
@totenlegionChris As the other key works, AND the command line tool test passes with the bad key, yes, the device nodes are correct.
@brauner Yeah, but they are out of stock :(
@brauner No idea, I just went and ordered a few more, and some solokeys as I really would like to just use USB C and not have an A->C converter to lug around.

Dear lazyweb. One of my nitrokey 3 devices seems to have “stopped working” when attempting to access the key in it. Running the command line tools seems to say all is good (i.e. `nitropy nk3 test` says all is fine) but yet ssh seems to hate it with an error of:

ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS

and it never even attempts to let me “push the button”.

It’s running the latest firmware. Any hints on what to attempt/test to debug this or should I just give up on the thing?

My backup key is working just fine, so it’s not the USB kernel code on my system that is the issue for once :)

@aho "Don't panic and just follow standard security reporting guidelines".
Yet another thing I never thought I would be doing as a kernel developer, talking about EU regulations with open source finance people...

@joshbressers indeed. I just find that pURL advocates sometimes forget this gap and there are even online forms now where the pURL is a mandatory field, which have prevented me, for example, from entering curl in some places because neither curl nor libcurl has a pURL. So I keep having to remind people...
