Monocypher
linux
Our great sponsors
Monocypher | linux | |
---|---|---|
51 | 974 | |
564 | 168,342 | |
- | - | |
7.0 | 10.0 | |
20 days ago | 4 days ago | |
C | C | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Monocypher
-
In Defense of Simple Architectures
I rarely got to know the actual deployment scale of anything I've done. Let's make a list:
Ground software for an observation satellite. My internship was about implementing a dead simple neural "network" (2 hidden layers, no feedback), everything was specified from up top, we didn't even get to touch the learning algorithms. Impact? I guess a big flat zero, since all the differentiators was in the learning parameters.
Peer-to-peer social network before Facebook. Never made a cent.
Geographic Information System for the military. I was for obvious reasons not allowed to know enough to estimate the impact of my work. And even then all decisions was made by the customer, and once the user (a different entity) saw the Rube Goldberg contraption we dully made for them they predictably balked, and we did what we could from there. Which was, not that much. I did some useful stuff for sure, but mostly I participated in a system that was arguably worse than the one that preceded it.
A visualiser for civil radar data. Data in, little planes in the screen out. And other nice stuff. I designed a simple C++ API that allowed the client to write business code faster than we would have ourselves (if only because of communication overhead), saving weeks of work. That contribution was utterly ignored for personal reasons, and I was eventually out. I have no idea what my actual impact was, because I don't know how far the project even went, and how widely it was eventually deployed.
The maintenance of ground software for small civil observation drones. I did some cool stuff, but then was asked to transfer ownership of this software to a recently bought team (that did stuff similar to the company I worked for). I could have known how many drones were actually deployed, but to be honest my thing just saved a few minutes of flight, while most of the cost is to get the drone and its operator on site. That company was never really profitable, I hope the good people I met there are doing well.
Scripting language for a programmable logic controller test environment. For the military, so I don't think I was allowed to even know the size of the team we'd deliver the software to. I got good feedback from them (they were happy about what I did), and I'm pretty sure my static typing made things easier for them than if I had just picked Lua or something, but how easier, and how much money it will save in the long run I have no freaking clue.
Stuff in a missile company I cannot disclose. I believe my impact was almost nil, I couldn't stand their abysmal tech environment.
Prototype ADAS system. It was never deployed. Actual impact was therefore basically nil. Cool stuff to work on though, the CAN bus is a think of beauty. One of the rare instances where I could actually learn from example, instead of seeing yet again one of the gazillion obvious ways how not to do stuff.
Ground software for some IoT device. Impact fundamentally uncertain, we had yet to sell it to anyone.
Incident reporting software, based upon a more generic distributed base. I made the encryption layer (between users & company server), with a security based on PAKE (thus avoiding a PKI, which simplified the work of the sysadmin, at a slight loss of security). Impact fundamentally uncertain, we had yet to sell it to anyone.
Charging stations for electric vehicles. I did the TPM provisioning, and mentioned a low-key security issue along the way. I participated in a questionable micro-service that was meant to help user interfaces (yeah, their IoT stuff had a micro-service architecture). Impact: whatever I did didn't save them: one year after I left, they're now going under.
Preliminary study on the possible use of AMD-SEV to prevent users from peeking at our secret sauce (DRM). I don't think I was allowed to know the list of clients, and it's not even the only alternative. I don't think I could ever have assessed the long term impact of my work there.
Flight recorder for trains (not a flight recorder then, but you get the idea). I just did little tasks here and there, didn't get the chance to have a good bird's eye view of the thing or its environment. Deployment base was knowable, but the business impact of my work was likely minimal, beyond "finish this step so we can show the client we're on track for the next short term milestone". The whole thing is a heap of technical debt, common components are impossible to update (user projects aren't locked to a given revision, they all pull from trunk), the build system is a home made monstrosity that doesn't help more than the standard monstrosities (I hate build systems)… and I was just axed from a round of layoffs.
Cryptographic library I did on my free time: https://monocypher.org/ Nice little thing with a significant user base in the embedded ecosystem (not even my primary target). I controlled everything from start to finish, and I have no idea how many users I have, let alone how much time and money I saved them. In part because it is so simple, with such an outstanding documentation (which I mostly didn't write), that most users don't even have to bug me.
---
To sum this up, my resume looks fairly horrible with respect to what I know of my actual business impact. Most of it, I think, was entirely outside my control. And I don't think I'm exceptional in this.
-
Non-code contributions are the secret to open source success
As the dictator author/maintainer of a tiny library¹ (45 functions total), I can confirm the manual wouldn't be half as good without external contributions. And I daresay this manual is a major contributor to the usability of the whole project.
As a new user of libcurl, I was recently able to quickly implement FTP upload and adapt it to our specific use case thanks to their tutorials and API documentation. I was even made aware of the lack of thread safety in old versions thanks to that same documentation, so I could warn my team that we should update.
Documentation is bloody important. Almost as important as the code and the test suite themselves.
-
Learn Modern C++
Are you assuming I didn't already do that? For your information I've written an entire cryptographic library in C https://monocypher.org and routinely chose C over C++. My claim that C is broken beyond repair doesn't come from ignorance or hype, it comes from over 15 years of first hand experience.
And of course, GC and RC aren't fixes, they can't apply in the performance constrained settings C and C++ typically are used for (tiny embedded chips, video games, video encoding…).
Also there's no way I'll even look at a new language without some form of generics. They're just too damn useful. Sure we could try the Go approach and special case generics for a few core data structures, but I believe a general purpose language needs a way to add custom ones. Heck, even Go fixed its mistakes and added generics after all.
-
Libsodium: A modern, portable, easy to use crypto library
Then don’t forget https://monocypher.org as well. Bigger than libhydrogen but still small enough for many targets, faster across the board, and compatible with libsodium. If you can spare a couple more KB of flash in your microcontroller, you can get very good performance on the device and scale like crazy with top performance on the server side.
-
Six times faster than C
Compilers don’t find all the optimisations. Last time I saw this was when someone noticed that my code was 5% slower than the reference implementation. This patch fixed it.
-
How much secure is my UDP based network protocol?
If encryption performance is not that important (especially on the client side, which I expect won't use too much bandwidth), but you value minimising dependencies, consider using Monocypher instead of libsodium. Monocypher is a single-file library that has absolutely zero dependency (not even libc). The price to pay for that is (i) right now it's slower than libsodium, and (ii) it doesn't provide an RNG, you'll have to call your OS's RNG manually.
-
The Free Software Foundation is dying
I'm not yelling at you for your choice. See here for how hypocritical it would be of me.
We kind of are though. And in some circles this pendulum has even swung too far the other way, with people scolding me for writing and distributing a cryptographic library. Because it's dangerous, and users expect security, and I'm breaking a social contract if I release crap, no matter what's written in the licence (the no liability legalese bit).
-
Uncle Bob and Casey Muratori Discuss Clean Code
I believe my coding style is best shown by example. Some people have called it impressive. Some others have called it the worst they've ever seen. This may or may not come from the domain: cryptographic code tends to be pathologically straightline. At the very least it tend to produce longer functions than other domains.
linux
-
TinyMCE (also) moving from MIT to GPL
Correct. And the combined work needs to carry the MIT license text and copyright attributions for the MIT software authors. With binary distribution it must also be overt, not hidden in some source code drop, but directly accompanying the binary.
Many people who talk about relicensing never credit the MIT developers or distribute the MIT license text. "Because it's GPL now."
I don't think that you believe that, but many developers do.
Some don't see the need for source code scans for Open Source compliance, because the license.txt says GPL, so it's GPL. Prime example is the Linux kernel. There is code under different licenses in there, but people don't even read https://github.com/torvalds/linux/blob/master/COPYING till the end ("In addition, other licenses may also apply.") and conclude it's simply GPL 2 and nothing else.
Also be aware that sublicensing is not the same as relicensing.
-
The Linux Kernel Prepares for Rust 1.77 Upgrade
So If we would only count code and not comments, it is only 9489 LoC Rust. Which would be about 0.03% and if we take all lines and not only LoC it would be around 0.05%
[0] https://github.com/XAMPPRocky/tokei
[1] https://github.com/torvalds/linux/commit/b401b621758e46812da...
-
Proposed Windows NT sync driver brings big Wine/Proton performance improvements
AIUI fsync is built on futex_waitv which has been upstreamed. So this has to be more than that.
https://github.com/torvalds/linux/commit/a0eb2da92b715d0c97b...
-
Tell HN: GitHub no longer readable without JavaScript
git clone --no-checkout --depth 1 https://github.com/torvalds/linux.git $dir
-
PixieFail: Nine Vulnerabilities UEFI Implementations
Device trees are what you get if you don't implement ACPI.
While there are alternatives, you generally seem to get "device trees and a barebones bootloader" on ARM and "UEFI + ACPI" on amd64.
ACPI will list hardware and necessary hardware properties based on some basic API calls to the system interface. UEFI initialises the ACPI data structure and exposes it to the bootloader so the appropriate drivers can be loaded and configured.
With device trees, you basically configure and build the drivers and configuration into the kernel/OS you're trying to load. That's why compiling Linux on amd64 is generally easy and produces a single image, while for many other devices (smartphones, some SBCs) you need to compile a kernel per device. The device trees only need to be imported/written once per device (or device type, depending on how nice the manufacturers are), but that's how you get stuff like this: https://github.com/torvalds/linux/tree/master/arch/arm64/boo...
On ARM there are actually a few devices that implement UEFI, but most of them have Secure Boot locked in and configured to only boot Windows.
ACPI is not perfect and it's not technically required to have UEFI to implement something better than device trees, but I'm not sure if reinventing the wheel here is necessary or even preferable. UEFI already has open source implementations ready to go, with kernels and other tools already containing code to interact with those APIs, whereas a custom ACPI replacement protocol would need more implementation work,
-
Maestro: A Linux-compatible kernel in Rust
The Linux Kernel Driver Interface
(all of your questions answered and then some)
https://github.com/torvalds/linux/blob/master/Documentation/...
-
Uniting the Linux random-number devices
A bit later another commit [1] was merged that makes reads from /dev/urandom opportunistically initialize the RNG. In practice this has the same result as the reverted commit on non-obsolete architectures, which do have a cycle counter and thus jitter entropy.
[1] https://github.com/torvalds/linux/commit/48bff1053c172e6c7f3...
The commit [1] was eventually reverted [2]
[1] https://github.com/torvalds/linux/commit/6f98a4bfee72c22f50a...
-
Linux: Ext4 data corruption in 6.1.64-1
Here's my understanding so far:
In the upstream Linux kernel there were two fixes posted months from each other, one for direct io [0] and the other one for ext4 [1]. The ext4 one was marked for backport to stable (CC: [email protected]), the other was not. The problem is that these commits depend on each other for things to work properly. If you have both, you're fine. If you have only the backported one, you have a problem.
What versions are affected? We know for sure that 6.1.64 is affected, 6.1.55 is not (because it doesn't have the commit). As of right now, 6.1.64 is still marked as "stable" in Debian [2] but if you actually try to install it from the official mirrors (deb.debian.org), you will get error 403. The fix is included in version 6.1.66 which will soon be available.
The issue seems to be only highlighted in the context of Debian but it is not specific to it. The issue is/was in the official upstream release.
[0] https://github.com/torvalds/linux/commit/936e114a245b6e38e0d...
What are some alternatives?
zen-kernel - Zen Patched Kernel Sources
DS4Windows - Like those other ds4tools, but sexier
winapps - Run Windows apps such as Microsoft Office/Adobe in Linux (Ubuntu/Fedora) and GNOME/KDE as if they were a part of the native OS, including Nautilus integration.
Open and cheap DIY IP-KVM based on Raspberry Pi - Open and inexpensive DIY IP-KVM based on Raspberry Pi
DsHidMini - Virtual HID Mini-user-mode-driver for Sony DualShock 3 Controllers
serenity - The Serenity Operating System 🐞
RyzenAdj - Adjust power management settings for Ryzen APUs
void-packages - The Void source packages collection
edk2-sdm845 - (Maybe) Generic edk2 port for sdm845
illumos-gate - An open-source Unix operating system
vscode-gitlens - Supercharge Git inside VS Code and unlock untapped knowledge within each repository — Visualize code authorship at a glance via Git blame annotations and CodeLens, seamlessly navigate and explore Git repositories, gain valuable insights via rich visualizations and powerful comparison commands, and so much more
AutoEq - Automatic headphone equalization from frequency responses