wg-best-practices-os-developers
QEMU
Our great sponsors
wg-best-practices-os-developers | QEMU | |
---|---|---|
16 | 189 | |
622 | 9,236 | |
5.9% | 2.4% | |
9.7 | 10.0 | |
8 days ago | 5 days ago | |
JavaScript | C | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
wg-best-practices-os-developers
-
12 Free Courses To Help You Develop More Secure Software - Shift Security Left
You will learn about the different checks provided by OpenSSF Scorecard, how to configure the checks for your environment, and how to automate their implementation.
-
Heartbleed and XZ Backdoor Learnings: Open Source Infrastructure Can Be Improved Efficiently With Moderate Funding
In April 2014, the Linux Foundation Executive Director Jim Zemlin seized the opportunity to get visibility and managed to get Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware to all pledge to commit at least $100,000 a year for at least three years to the Core Infrastructure Initiative. The initiative continued for many years and eventually transformed into the Open Source Security Foundation. Also due to Heartbleed, the European Commission launched the EU-Free and Open Source Software Auditing project and spent at least a million euros on auditing OpenSSL, the Apache Server, KeePass, and other security-critical open source software.
-
Compiler Options Hardening Guide for C and C++
https://github.com/ossf/wg-best-practices-os-developers/issu...
The idea of using `-fsanitize-minimal-runtime` is interesting. I don't have any direct experience with that option. I've created an issue to investigate maybe adding that to the guide. Thanks for the tip!
-
OSCM: The Open Source Consumption Manifesto
These are technical details that are out of the scope of this article, but we think that it is important to mention them because the security strategy of a company should be based on a solid foundation, and these frameworks show that there are already some good starting points, companies don't have to start from scratch. If you want to know more about them or other ways to improve the security of your software supply chain, visit the OpenSSF website.
-
Best practices for effective attack surface analysis
Participating in the cybersecurity community can be a useful way to gain information about security trends and possible risks. Organizations such as the OWASP, OpenSSF, SANS Institute, and ISC2 promote the exchange of information between organizations and can raise the alarm about emerging issues or hacking strategies.
-
Need help with use cases for my new open-source project that deals with open-source security
You might find Awesome Security or Other Security Awesome Lists and the Open Source Security Foundation helpful
-
Wake-up call: why it's urgent to deal with your hardcoded credentials
Today corporations, open source projects, nonprofit foundations, and even governments are all trying to figure out how to improve the global software supply chain security. While these efforts are more than welcome, for the moment, there is hardly any straightforward way for organizations to improve on that front.
-
'Securing Open Source Software Act' Introduced to US Senate
https://github.com/ossf/wg-best-practices-os-developers/blob...
-
Great Time at JavaZone 2022
Cross industry best practices - openssf.org
- Ask HN: Who is hiring? (June 2022)
QEMU
-
Autoconf makes me think we stopped evolving too soon
A better solution is just to write a plain ass shell script that tests if various C snippets compile.
https://github.com/oilshell/oil/blob/master/configure
https://github.com/oilshell/oil/blob/master/build/detect-pwe...
Not an unholy mix of m4, shell, and C, all in the same file.
---
These are the same style as a the configure scripts that Fabrice Bellard wrote for tcc and QEMU.
They are plain ass shell scripts, because he actually understands the code he writes.
https://github.com/qemu/qemu/blob/master/configure
https://github.com/TinyCC/tinycc/blob/mob/configure
OCaml’s configure script is also “normal”.
You don’t have to copy and paste thousands of lines of GNU stuff that you don’t understand.
(copy of lobste.rs comment)
-
WASM Instructions
Related:
A fast Pascal (Delphi) WebAssembly interpreter:
https://github.com/marat1961/wasm
WASM-4:
https://github.com/aduros/wasm4
Curated list of awesome things regarding WebAssembly (wasm) ecosystem:
https://github.com/mbasso/awesome-wasm
Also, it would be nice if there was a WASM (soft) CPU for QEMU, which (if it existed!) would go here:
https://github.com/qemu/qemu/tree/master/target
-
Revng translates (i386, x86-64, MIPS, ARM, AArch64, s390x) binaries to LLVM IR
> architectural registers are always updated
In tiny code, the guest registers (global TCG variables) are stored in the host's registers until you either call an helper which can access the CPU state or you return (`git grep la_global_sync`). This is the reason why QEMU is not so terribly slow.
But after a check, this also happens when you access the guest memory address space! https://github.com/qemu/qemu/blob/master/include/tcg/tcg-opc... (TCG_OPF_SIDE_EFFECTS is what matters)
But still, in the end, it's the same problem. What QEMU does, can be done in LLVM too. You could probably be more efficient in LLVM by using the exception handling mechanism (invoke and friends) to only serialize back to memory when there's an actual exception, at the cost of higher register pressure. More or less what we do here: https://rev.ng/downloads/bar-2019-paper.pdf
-
State of x86-64 emulation of non-MacOS binaries
Um, in case you don't know, UTM (based on QEMU) is out for quite a while.
-
Multipass: Ubuntu Virtual Machines Made Easy
Some of these tools include Oracle VM VirtualBox (that I've used since before the acquisition of Sun Microsystems by Oracle), VMWare Workstation Player, and QEMU, but last year, I found out about Multipass.
-
Libsodium: A modern, portable, easy to use crypto library
For C/C++ projects that use meson as the build system, there is an excellent way to manage dependencies:
https://mesonbuild.com/Wrapdb-projects.html
https://mesonbuild.com/Wrap-dependency-system-manual.html
meson will download and build the libraries automatically and give you a variable which you pass as a regular dependency into the built target:
https://github.com/qemu/qemu/tree/005ad32358f12fe9313a4a0191...
https://github.com/harfbuzz/harfbuzz/tree/main/subprojects
https://github.com/harfbuzz/harfbuzz/blob/37457412b3212463c5...
Or, if you're using proper operating systems, they're managed by the usual package manager, just like everything else.
-
Top 6 Virtual Machine Software in 2023
For all the users of the Linux platform, QEMU is the VM that you should go for. This software comes without any price tag and works as an emulator of various machines with utmost ease and completion; the software uses dynamic translations to emulate hardware peripherals and enhances its overall performance. If you are using QEMU as a virtualizer, then it will function exactly like the host system (provided you have the right set of hardware).
- Show HN: I'm 17 and wrote this guide on how CPUs run programs
-
UTM for Developers
In this tutorial, we set up macOS and Windows virtual machines on UTM, a macOS application that provides a GUI wrapper for QEMU, a powerful open-source emulator and virtualizer. UTM allows you to easily manage and run virtual machines without memorizing complex commands. It also has special handling for macOS, making it simpler to install compared to other virtual machine software.
-
Where to get a full version of QEMU?
I think you will need to build it yourself which you can do so by: Checkout the qemu repo and its submodules using the steps here: https://en.wikibooks.org/wiki/QEMU/Installing_QEMU in 'Building from Source' except for step 1 use the 'git clone https://github.com/qemu/qemu.git' Step 9 is where you enable the features, the build system does this by checking if you have the dev and or lib packages for the feature installed i.e. spice development packages will enable spice functionality, use the output from configure to help you with this then continue to step 10
What are some alternatives?
tpm2-tss - OSS implementation of the TCG TPM2 Software Stack (TSS2)
UTM - Virtual machines for iOS and macOS
tz - Time zone database and code
TermuxArch - Experience the pleasure of the Linux command prompt in Android, Chromebook, Fire OS and Windows on smartphone, smartTV, tablet and wearable https://termuxarch.github.io/TermuxArch/
aper - A Rust data structure library built on state machines.
Unicorn Engine - Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, S390x, TriCore, X86)
Plausible Analytics - Simple, open source, lightweight (< 1 KB) and privacy-friendly web analytics alternative to Google Analytics.
Vagrant - Vagrant is a tool for building and distributing development environments.
bicep - Bicep is a declarative language for describing and deploying Azure resources
xemu - Original Xbox Emulator for Windows, macOS, and Linux (Active Development)
Zulip - Zulip server and web application. Open-source team chat that helps teams stay productive and focused.
em-dosbox - An Emscripten port of DOSBox