Wow, pretty cool. I think I passed Buildroot black belt test ;-)

I have latest GNOME packaged for Buildroot. The artifacts produced by each build are installer ISO and container images, and the build is fully reproducible.

There's other stuff too like all ostree shenanigans and NVIDIA Container Toolkit but honestly they are like walk in the park compared to GNOME.

#buildroot #gnome #wayland

tpm2_asymmetric.ko:

https://lore.kernel.org/linux-integrity/ahKKikSt249xjoqK@kernel.org/T/#t

Apparently I trashed subject line in cover letter.

Test program I wrote highlights what it does [1]:

export TPM2TOOLS_TCTI="${TPM2TOOLS_TCTI:-device:/dev/tpmrm0}"

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"; tpm2_clear' EXIT

openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec_key.pem"

tpm2_createprimary --hierarchy o -G ecc -c "$WORK/primary.ctx"
tpm2_evictcontrol -C o -c "$WORK/primary.ctx" 0x81000001

tpm2_import -C 0x81000001 -G ecc \
  -i "$WORK/ec_key.pem" \
  -u "$WORK/key.pub" -r "$WORK/key.priv"

tpm2_encodeobject -C 0x81000001 \
  -u "$WORK/key.pub" -r "$WORK/key.priv" \
  -o "$WORK/tpm2_key.pem"
openssl asn1parse -inform pem -in "$WORK/tpm2_key.pem" \
  -noout -out "$WORK/tpm2_key.der"

openssl req -new -x509 -key "$WORK/ec_key.pem" \
  -out "$WORK/cert.pem" -days 1 \
  -subj "/CN=tpm2_asymmetric_test" -sha256
openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/cert.der"

TPM2_KEY=$(keyctl padd asymmetric "tpm2_asymmetric" @s < "$WORK/tpm2_key.der")
X509_KEY=$(keyctl padd asymmetric "x509_ecdsa" @s < "$WORK/cert.der")

printf "tpm2 asymmetric cross-verification test data" > "$WORK/testdata"
openssl dgst -sha256 -binary "$WORK/testdata" > "$WORK/hash.bin"

keyctl pkey_sign $TPM2_KEY 0 "$WORK/hash.bin" enc=x962 hash=sha256 \
  > "$WORK/sig_tpm.der"
keyctl pkey_verify $X509_KEY 0 "$WORK/hash.bin" "$WORK/sig_tpm.der" \
  enc=x962 hash=sha256
echo "PASS: TPM2 key signed, X.509 key verified"

openssl dgst -sha256 -sign "$WORK/ec_key.pem" \
  -out "$WORK/sig_sw.der" "$WORK/testdata"
keyctl pkey_verify $TPM2_KEY 0 "$WORK/hash.bin" "$WORK/sig_sw.der" \
  enc=x962 hash=sha256
echo "PASS: OpenSSL signed, TPM2 key verified"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd-test.git/tree/overlay/usr/local/bin/tpmdd_tpm2_asymmetric.sh?h=main

Things change:

1. 2025: Jack Dorsey's talk was disqualified from FOSDEM.
2. 2026: Jack Dorsey's agent tool called 'goose' is inducted as a Linux Foundation project.

I miss the times when we only had slot machines.

https://github.com/srikanth-mg/riscv-tee-ibex

Cool, some years ago I fixed a bug in page table bootstrap code of Keystone Enclave.

I often listen Google I/O talks while working and it was pretty good this year. It was also like the first sane delivery of how they see the world this year actually from any of the big tech companies. Overall it was also very much aligned with my own thinking, which made me really happy. So kudos for Google for delivering a positive message.

There's huge problem, or unanswered qeustion, related purely to business, whenit comes to these agentic workflows that actually nobody is not talking about all that much.

We have zero idea of:

1. How the stuff coming from end of the pipeline will sell.
2. How the customers will react. I mean non-developer customers.

Answering to question 2 might be difficult tho given that most companies do AI tools to other AI companies.

I tried for experiment the end outcomes of one big promoter that I found from Youtube called "Theo*". I leave it there because I don't know what the letters are after that.

I downloaded his agent desktop tool, and run it in a sandbox. Well, it looked like me exactly kind of output I get when I *start* a project with AI. I do often ramp up initial stub of a projet with AI because it is great exactly for that part. It was slow and even with like good intentions I would except better UI even from college/university graduate. Super low quality software.

This tells me exactly what I've witnessed overall. People get a rush using these tools and feel of achievement when from outside perspective the results are not all that great. Yes, you can use them to run multiple project simultaneously but then none of them are what customers will be absolutely love because ultimately love for a product must come from its creator.

To summarize this, one has to ALWAYS remember that there is exactly one part of development pipeline that cares zero about R&D. It's the sink of that pipeline, i.e. a real customer.

This generative AI is so amazing, everyone gets the exact same web site.

It is probably good general security advice to state that it is not advicable to use open source software that has less than two years of backlog. It's quite too often "an dgentic dump".

I've started to use arXiv.org to look for open source projects when I need something. GitHub has been "slossed" (is that a word?). So yeah, arXiv.org is my Github search engine because if few article's reference to a project I have enough heuristical knowledge to considering trying it out :-)

This era reminds me most how factory lines worked in USSR.

If I use AI it is somewhat planned operation or like not anything what is going on right now. Totally different planet.

https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/

There has been bugs post Mythos. Some of them even somewhat low-hanging fruit.

Justin Frankel is also the creator of Reaper, one of the most innovative DAW's ever made :-)

https://www.youtube.com/watch?v=MqNSOU2ubnw

The thing that I dislike the most in uutils is that it is trying break the governance of basic tools that we use, not only the functionality and compatibility.

I guess since Anthropic has AI philosopher, it is starting to trend also among "AI natives" at career sites :-) Some of Anthropic's shit is so weird that I enjoy it almost.

Keynote speaker is last season.

Further, neither Anthropic nor OpenAI have a product that has any growth in their value.

DeepSeek pretty much does the stuff that they do with way lower amount of teraflops, and it's open source. Majority of customer base can probably do 95% of tasks locally within only few years. Buying AI will become like buying a printer or something.

I would never buy their stocks because it does not compute to a cash flow to have a worthless business.a

And their brand suck too. There are crazy people of course who think they are "builders" but most people are just scared of them and think that they are fucking weird (like they should tbh).

Everybody loosing their income and dignitty is not a business model. Tech is tech and we choose as a non-technical decision how we apply it in the end.

Believing in magic creatures is the professional standard of 2026. I wonder when this AGI bullshit will stop. It's sad and ridiculous.

Talking about contradictory actions. I'm using Pi to do some QA, some research for sandboxing agents etc. Lots of unrelated on writing code. Actually more like providing more focus on just writing code would be better description. I was also happy to see that QEMU has AI guidelines that match pretty much how I see the world right now.

With some of the plugins I've found i've UNVIBE coded the implementations because there's like really weirdly ineffective patterns used.

For pulling a full WASM runtime to be able to call WASM version of xxhash is awkward :-) And that async routine. I replaced it with stock library SHA-256 and no bullshit function call. I guess LLM had made these ridiculous choices based on algorithm completely ignoring the context.

I'm glad that this is moving forward:

https://lore.kernel.org/linux-integrity/20260515211410.31440-1-ross.philipson@gmail.com/

By all means and purposes it does much the same as conifdential computing for in-premises.

That is sort of high-level use case difference between confidential computing and D-RTM.

CoC makes sense when renting from cloud, or when "untrust" is part of the product (e.g., as in Signal which uses SGX for contact delivery).

I wonder is there specific reason for NVIDIA driver in Buildroot being so old?

I've made update to the latest.

#buildroot

weekly ed zitron delivery: https://www.youtube.com/watch?v=TCeXwFWmv1U