Jarkko Sakkinen

Not only did LF pick Jack Dorsey's Goose to their umbrella but also its main discussion forums are Discord and X.

Everything wrong. Together.

https://aaif.io/

Jarkko Sakkinen

Edited 24 days ago
Wow, pretty cool. I think I passed Buildroot black belt test ;-)

I have latest GNOME packaged for Buildroot. The artifacts produced by each build are installer ISO and container images, and the build is fully reproducible.

There's other stuff too, like all the ostree shenanigans and NVIDIA Container Toolkit, but honestly they are like a walk in the park compared to GNOME.

#buildroot #gnome #wayland

Jarkko Sakkinen

Edited 24 days ago

tpm2_asymmetric.ko:

https://lore.kernel.org/linux-integrity/ahKKikSt249xjoqK@kernel.org/T/#t

Apparently I trashed subject line in cover letter.

Test program I wrote highlights what it does [1]:

export TPM2TOOLS_TCTI="${TPM2TOOLS_TCTI:-device:/dev/tpmrm0}"

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"; tpm2_clear' EXIT

openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec_key.pem"

tpm2_createprimary --hierarchy o -G ecc -c "$WORK/primary.ctx"
tpm2_evictcontrol -C o -c "$WORK/primary.ctx" 0x81000001

tpm2_import -C 0x81000001 -G ecc \
  -i "$WORK/ec_key.pem" \
  -u "$WORK/key.pub" -r "$WORK/key.priv"

tpm2_encodeobject -C 0x81000001 \
  -u "$WORK/key.pub" -r "$WORK/key.priv" \
  -o "$WORK/tpm2_key.pem"
openssl asn1parse -inform pem -in "$WORK/tpm2_key.pem" \
  -noout -out "$WORK/tpm2_key.der"

openssl req -new -x509 -key "$WORK/ec_key.pem" \
  -out "$WORK/cert.pem" -days 1 \
  -subj "/CN=tpm2_asymmetric_test" -sha256
openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/cert.der"

TPM2_KEY=$(keyctl padd asymmetric "tpm2_asymmetric" @s < "$WORK/tpm2_key.der")
X509_KEY=$(keyctl padd asymmetric "x509_ecdsa" @s < "$WORK/cert.der")

printf "tpm2 asymmetric cross-verification test data" > "$WORK/testdata"
openssl dgst -sha256 -binary "$WORK/testdata" > "$WORK/hash.bin"

keyctl pkey_sign $TPM2_KEY 0 "$WORK/hash.bin" enc=x962 hash=sha256 \
  > "$WORK/sig_tpm.der"
keyctl pkey_verify $X509_KEY 0 "$WORK/hash.bin" "$WORK/sig_tpm.der" \
  enc=x962 hash=sha256
echo "PASS: TPM2 key signed, X.509 key verified"

openssl dgst -sha256 -sign "$WORK/ec_key.pem" \
  -out "$WORK/sig_sw.der" "$WORK/testdata"
keyctl pkey_verify $TPM2_KEY 0 "$WORK/hash.bin" "$WORK/sig_sw.der" \
  enc=x962 hash=sha256
echo "PASS: OpenSSL signed, TPM2 key verified"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd-test.git/tree/overlay/usr/local/bin/tpmdd_tpm2_asymmetric.sh?h=main

@caesarcattus Yeah, I mean the tool was seriously bad. Without sarcasm I can say that it is pretty much what I would expect to get with an agent harness with recognizable LLM rot. It is bad PR for LF too because this is a great educational example of how one should not apply AI tools :-) And a great example of what happens when someone not seasoned with R&D goes into AI psychosis (

When people speak about how AI is replacing software engineers they tend to get that popular leader/boss meme picture. Even if you work with agents you need to have the skills and understanding of how to go to ground from that control panel and fix up things yourself. In that sense it is pretty much the same as with human participants. I've seen people who are great developers to begin with do good stuff, but the difference is that they take mold and make it shine, and do not get excited about mold.

Jarkko Sakkinen

Edited 25 days ago
@caesarcattus no idea but the comedy writes itself i suppose :-)

Being curious I tried it and it was really bad too.

It feels weird that LF made exactly this pick. I mean, traditionally it's not the source code but the community around it that really establishes a project, and there are at least two perfectly good clients that have reached that level (OpenCode, Pi). And both have sane non-billionaire leadership too. Goose has no mentionable community, and for better or worse nobody seems to like Jack (I don't have an opinion). It's a really bad basis to build anything on. For me this appears from the outside more like a business transaction than anything else.

Jarkko Sakkinen

Things change:

1. 2025: Jack Dorsey's talk was disqualified from FOSDEM.
2. 2026: Jack Dorsey's agent tool called 'goose' is inducted as a Linux Foundation project.

Jarkko Sakkinen

I miss the times when we only had slot machines.

Jarkko Sakkinen

https://github.com/srikanth-mg/riscv-tee-ibex

Cool, some years ago I fixed a bug in page table bootstrap code of Keystone Enclave.
0
0
0
It's at least more of my thing than the Eurovision Song Contest, which I've never listened to :-)

Jarkko Sakkinen

Edited 26 days ago
I often listen to Google I/O talks while working and it was pretty good this year. It was also like the first sane delivery of how they see the world this year actually from any of the big tech companies. Overall it was also very much aligned with my own thinking, which made me really happy. So kudos to Google for delivering a positive message.
1
0
0
@oleksandr Turbo Pascal was the language that actually taught me how to program :-)

Jarkko Sakkinen

Edited 28 days ago
There's a huge problem, or unanswered question, related purely to business, when it comes to these agentic workflows that actually nobody is talking about all that much.

We have zero idea of:

1. How the stuff coming from end of the pipeline will sell.
2. How the customers will react. I mean non-developer customers.

Answering question 2 might be difficult tho, given that most companies do AI tools for other AI companies.

As an experiment I tried the end outcomes of one big promoter that I found on YouTube called "Theo*". I leave it there because I don't know what the letters are after that.

I downloaded his agent desktop tool, and ran it in a sandbox. Well, it looked to me like exactly the kind of output I get when I *start* a project with AI. I do often ramp up the initial stub of a project with AI because it is great exactly for that part. It was slow and even with like good intentions I would expect a better UI even from a college/university graduate. Super low quality software.

This tells me exactly what I've witnessed overall. People get a rush using these tools and a feeling of achievement when from an outside perspective the results are not all that great. Yes, you can use them to run multiple projects simultaneously but then none of them are what customers will absolutely love, because ultimately love for a product must come from its creator.

To summarize this, one has to ALWAYS remember that there is exactly one part of development pipeline that cares zero about R&D. It's the sink of that pipeline, i.e. a real customer.

Jarkko Sakkinen

This generative AI is so amazing, everyone gets the exact same web site.

Jarkko Sakkinen

Edited 29 days ago
If someone does something new and innovative or has an angle that no one else has ever thought of, and assists the development with AI, I absolutely don't have anything against that. Progress is awesome.

The problem is that by and large it's unskilled people plus an LLM whose only goal is to try to get into near proximity with the learning data set.

Jarkko Sakkinen

Edited 29 days ago
It is probably good general security advice to state that it is not advisable to use open source software that has less than two years of backlog. It's quite too often "an agentic dump".

I've started to use arXiv.org to look for open source projects when I need something. GitHub has been "slossed" (is that a word?). So yeah, arXiv.org is my GitHub search engine because if a few articles reference a project I have enough heuristic knowledge to consider trying it out :-)

This era reminds me most how factory lines worked in USSR.

If I use AI it is a somewhat planned operation, not anything like what is going on right now. Totally different planet.

Jarkko Sakkinen

https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/

There have been bugs post Mythos. Some of them even somewhat low-hanging fruit.

Jarkko Sakkinen

Justin Frankel is also the creator of Reaper, one of the most innovative DAWs ever made :-)

https://www.youtube.com/watch?v=MqNSOU2ubnw

Jarkko Sakkinen

The thing that I dislike the most in uutils is that it is trying to break the governance of basic tools that we use, not only the functionality and compatibility.
0
0
0
Most of them are not actually designed by humans tho. This makes it a pattern.