< up
2025-02-04

FOSDEM 2025

I attended the FOSDEM 2025 in Brussels for the first time¹.

Some data:

• from 1st to 2nd of February 2025
• at the Université libre de Bruxelles in Brussels
• spotted creators of prominent software:
  • Badger: creator of cURL
  • PID 1: creator of systemd
  • Gerald Combs: creator of wireshark

Content

• Syd - Sandboxing for Linux
• Tightening every bolt
• The selfish contributor revisited
• 14 years of systemd
• Prometheus 3.0
• The performance impact of auto-instrumentation
• Was Leslie Lamport Right?
• Wiresharchaeology - How it started and where we’re headed
• Impressions

Syd - Sandboxing for Linux

Ali Polatel presented the sandboxing framework syd, giving insights about its mechanism and scopes. Originally named syd-box,

What makes this sandboxing tool stand out is the profile generation of an application, where syd records every resource access. It then creates a file containing a profile that would be needed to run the corresponding application.

Then the profile can be edited manually to restrict the behavior. The performance impact due to the sandboxing overhead is about 10-15%. The user can be unprivileged.

Some loose terms for further research: seccomp, ptrace, pleage, cgroup, landlock

checkout pandora

I’ve checked out the profile generation but couldn’t get syd to run with the generated profile for echo "Hello syd!".

Here is the generated profile anyway:

#
# Syd profile generated by Pandora-0.12.1
# PROG: echo
# ARGS: ["Hello syd!"]
# DATE: 20250203T130152Z

###
# Sandbox Rules
###

allow/exec,read+/usr/lib64/libc.so.6
allow/exec,read+/usr/lib64/libdl.so.2
allow/exec,read+/usr/lib64/libpthread.so.0

allow/exec+/usr/bin/echo

allow/read+/etc/ld.so.cache
allow/read,stat+/etc/ld.so.preload
allow/read+/proc/self/status
allow/read+/usr/lib/locale/***
allow/read+/usr/lib64/gconv/***

###
# Executable Verification
###
sandbox/force:on

force+/usr/bin/echo:238bfa90d90a7ec515b86fd173d61e27a4b647faa740f0960512107e03fb07b6443fa5be4482beeda34be755a6420029e1e305c91ca6e469a3af4dbd72aa8a7a
force+/usr/lib64/libc.so.6:5cea972d42489450435f2efc186a4e8feb843e87243575aec48e054e219620e513d663bb6613393fbffa7da7cd3ecb645b014b72e70bc574289ad2e4bbd08fc1
force+/usr/lib64/libdl.so.2:dd9ad3e5dee475491188902d009a1ca1f5e92812a51915b4535f88ea29628e2544cf05fb564584780c47d6e52c5eb4d8b888c2cfa7d14543cc0025a9b81a26b0
force+/usr/lib64/libpthread.so.0:8dfae8d5058d8681ef3110f8325d8b3bc9d4f0f243f583c2d3857e660a2a9ea8b31afd9dc69af03fde3396bddb453e1c83d0142e8398ea26410563fb46e7b10b

Tightening every bolt

Daniel Stenberg (aka Badger) talked about keeping a c project like curl reliable and maintainable. Curl has 180k lines of C code and has about 20 billion installations.

I’m fascinated about his commitment maintaining a project for such a long time and sticking with the language, resisting hypes such as rust-rewrites.

Some key concepts of keeping curl reliable:

• strict code
• banned c functions like gets or sprintf
• external audits
• torture tests, ci and testing in general

The selfish contributor revisited

The talk by James Bottomley was about the motivation of contributors and the dynamics of open source communities.

• different people with different interests and views are key
• politics: manipulation via incentives
• open source communities grow without funding
• switch roles and argument for the position of the opponent

14 years of systemd

Lennart Poettering is the developer behind the famous init system systemd which he created 14 years ago. His Talk reflects all those years.

Back in the days the most prominent systems sysvinit and upstart existed. They were more imperative and script oriented. There was the need of something more declarative where the system itself resolves the dependencies using a transactional system.

• 690k lines of C code
• babykit was the original project name inspired by polkit
• motivation for doing another init system was socket activation from Apple’s launchd
• All system Go! in Berlin is the systemd/service conference formerly known as systemd.conf
• vision: replace dbus with varlink

Prometheus 3.0

Prometheus is now 12 years old and while it belongs to CNCF for a while, it was originally created at soundcloud. This talk held by Jan Fajerski from Red Hat and Bryan Boreham from Grafana Labs.

Some new features with 3.0:

• new UI with reasoning about mismatching metrics
• Remote Write 2.0 specification
• UTF-8 support enabled by default

On a side note, they ironically talked about major and patch releases and that you should always wait for the patch release after a major one. That sounds pretty reasonable while major versions might contain breaking changes and sometimes real user workload is needed to identify issues.

The performance impact of auto-instrumentation

James Belchamber talked about the performance impact of open telemetries auto instrumentation in comparison with manual one. Auto instrumentation is about adding instrumentation to an application without doing the implementation work with defining spans.

• consistent while not reimplemented in every app
• little bit more ram
• application with significant load and does more than just request/response is mostly not impacted by auto instrumentation
• apache httpd with the it works site is significantly slower, static small content is hugely impacted by instrumentation

Was Leslie Lamport Right?

Sarah Christoff and Nic Jackson from HashiCorp talked about if Leslie Lamport and his work about distributed systems. He published a bunch of papers and the two revisit some of them and explain them.

It started with explaining the general Byzantine fault and the more specialized [two generals problem](https://en.wikipedia.org/wiki/Two_Generals’_Problem) which is about consensus between several systems/nodes. Lamport suggested 3m+1 generals to compensate t+1 traitors. Traitors are intercepting and manipulating the consensus.

Lamport clocks are used to avoid synchronization problems between different clocks. Such clocks are logical and consists of a counter increased for every event such as sent and received event.

Wiresharchaeology - How it started and where we’re headed

The create of wireshark Gerald Combs held a talk about its history. Back in the days, sniffers to debug networks only existed within expensive hardware. Since Gerald couldn’t convince his contrator back then to do this investment, he decided to build his own tool. This is how wireshark was born.

The original goal was to analyse packets in the network and evolved to “Help as many people as possible to understand their networks and systems”.

After switching companies for a few times he founded the non-profit wireshark foundation to ensure the financial situation.

Coming up next is StratoShark for analyze applications on a syscall level which sounds like strace with an user interface.

Impressions

• lots of levels
• visited eu parlament
• belgian waffles were super delicious

+rv=tch1b0

---

1. It was also the first time in Belgium for me.