Day 2 @ FOSDEM 2023
Last update: 2023-03-03 20:18:32.254
The next talk we considered checking out was in the Friends of OpenJDK devroom. It was about rethinking ecosystem security after the Log4Shell vulnerability incident. That vulnerability caused so much panic around the Java community. I'm expecting these days that attack vectors can kick in through libraries, where malicious attackers can imitate a library and add malicious behavior to cause trouble for whoever tries to add that library into their project. We'll have to prepare for checking vulnerability risks inside of our apps and take more caution when we have to trust some libraries. The next talk was about Elasticsearch, but I was sort of slacking off at this talk, so I'll skip that. They really have to screw it up with the damned SSPL license; AGPLv3 would still fit, but I'm not a corporation to mess with legal stuff.
Then there was a talk on securing the supply chain in open source projects. When you think about it, there are many attack vectors where things can go wrong. From the build process to deployment, there are various things to note. You have a source code repository with developers writing code and using various dependencies. Reviewers have to ensure that the code fits the given pull request. The QA part is doing manual and automatic testing, and when all is done, it needs to be deployed to production. Even with so many layers, each section could be an attack vector, just with a minor twist. At one point, the QA automatic testing part, through CI/CD unit or integrated tests, could use a malicious library or request something from a malicious server that gets improperly processed and escapes the isolated environment. The provider can also come under attack, or the attack can be there from the beginning, where either a developer or a reviewer can go rogue by deploying malicious code, with the possibility of it being intentional. Overall, I think that the most important part is just making sure you don't import random libraries in general, as that's the easiest way to do some sort of an attack, I guess.
The next talk was about a developer who worked with Java for nearly two decades and started to work on Kotlin a few years ago. The sole reason is that Kotlin is nicer overall. For example, even if Java has immutable references by appending the "final" keyword, in Kotlin you just need to set the "val" keyword for a variable and it's immutable. For immutable classes, that's resolved at least with records in Java; before that you technically had to add hash code and equals overrides, along with getters and all that stuff. In Kotlin, you only need to use the "data" keyword on a class and that's done. Null safety is one of the reasons I freaked out initially when working with Java. I had to constantly check for null to see if it was okay or not and it caused so much of a headache, especially with Android. Null values were thrown out of all the places that I didn't expect, but it got worse if I tried reflection, which was required because the Android API didn't include some parts in older APIs and I had to improvise to get a damn large notification icon, just to get thrown an exception that it no longer exists. This is why I say I can't do some things even though they work right now. Goddamn clients. Sorry, back to the story.
There were too many @NotNull and @Nullable annotations, which usually ended up with me using @Nullable most of the time to ensure constant indication of null checking. @Deprecated was the one I dreaded, since Android kept killing so many things between API levels that it was insane, to the point they deprecated the annotation itself. For Kotlin, a plain simple question mark with a period "?." can be used for safe calling, or even without the question mark if the method supports a nullable value. For utilities, making static methods within a single utility class was pretty much mandatory, considering that Java still doesn't support extensions like Kotlin does. This was one of the main reasons why I wanted to switch to Kotlin. Generics are a trainwreck overall. I even had problems in Kotlin initially, until some desugaring kicked in and solved the trouble to work on it. To this day, I have no clue how type erasure even works. The only thing I hope is that I can get rid of the unchecked cast warning and figure out how to get the result without causing a crash with that. However, Kotlin's reified generics with extensions work wonders and at that point you can have even more flexibility than usual, but also note that you can get lost easily if you abuse it.
The next talk was about running Java on Raspberry Pi with Pi4J. I never managed to get a Raspberry Pi, even though I want to get one. Still, the prices for those things are damn expensive due to demand. Just when I actually have the goddamn money to buy one, it gets insanely expensive. Even then, now I have no idea what I should do even if I get one. But hey, there is also support for Kotlin with Pi4J-Kotlin! I still can't think of any solid use case.
The talk about TornadoVM was basically about having support for CUDA and most GPU-like features available in Java, but with a separate implementation of the virtual machine. Not much for me. When it comes to the next talk, it was about JIT as a service. Basically, you have one JIT running in one place and suspended everywhere else. Instead of each process doing its own JIT, you would have only one JIT that would process everything from other processes, as far as I've understood. It's under Eclipse's OpenJ9 and IBM's Semeru Java virtual machines. Though, you can't get OpenJ9 directly because it doesn't comply with the TCK, which they don't have access to, but IBM does. Basically, IBM contributes most of the work for OpenJ9 since they initially worked on it.
That was enough for now, so I went with Benoit to get something to eat. He picked a pack of variety waffles, while I picked a waffle on a stick, as I didn't want to get a variety of waffles that also had some with raisins, eugh. I suggested checking out a few stands in the meantime, so we decided to go to the AW building. I asked him if my face was clean, as the chocolate topping on the waffle stick caused a lot of mess on my face that I couldn't see without wiping it with napkins. At least it was clean, ready to go further. We did go around a few stands over there; he mostly looked interested in the MicroPython stand as far as I've seen, due to gadgets in general. We did go to the K building after that to check most of the other stands over there. I did check out the DAVx5 stand, as they made a nice open-source Android client for CardDAV (basically a contact list server). There were also the Apache Foundation, LibreOffice, FossAsia, Open Culture Foundation, Free Software Foundation Europe and Software Freedom Conservancy, as far as I remember checking out. As we went outside and checked out another entrance to the K building, which was one level higher, we realized there were more stands we hadn't seen, like for Ada, Mozilla, VideoLAN, GitLab, Homebrew, Jenkins, KDE, etc. I did pick up a few stickers and badges.
After this, we went back to the U building and took a bit of a break in the park. After a while, I decided to go back to the JS devroom to get in touch with Alex and Jakob. Benoit and I said our final farewells and went our ways, though he decided to stay in the park for a bit. After meeting with Alex in the devroom, I checked if everything went well for them and talked a bit. Jakob came a bit later, as far as I remember. After that, we went outside again and said another farewell. Overall, it was great to get in touch with so many people today. To finish things up, I decided to check out the final keynote in the J building. I wasn't paying a lot of attention while the NASA keynote talk was going, but it's still incredible to see how many things they have available for the public; it's just difficult to dig it out, along with the legal mess. Then came the final keynote, where we saw all the statistics and volunteers (including Alex!), with lots of clapping, lots of joy and lots of fun overall. Before the keynote ended, we were told that they might need a few volunteers to clean up the hall, and that we'd get free food.
Sure, why not? I didn't have anything else to do, so I decided to help with cleaning the place along with a few more people that also wanted to assist. It took about an hour, more or less, to clean up the hall. FYI, it's a damn huge hall, way too many people could be there, and it was amazing that there was barely any noise except for the speaker during the talk. As we were done with the hall, a staff member told me to follow them and check all entrances for any defects. In the upper hall, we did see some floor tiles missing, so the staff member contacted others to verify if that was there before the event, which was confirmed later. We also checked the disinfectant pole stands and found one that was filled with garbage, so I did assist a bit in disassembling it to take out the garbage and then reassembling it. We went to the H building and waited a bit over there, as the inventory was being checked. I did meet another guy who also wanted to help, so we did talk a bit in the meantime. After a while, we were told to go to the K building and do some assistance over there.
We had to carry a few things and clean up a bit, though it was mostly waiting time to see if there was something else to do. After one more hour, we were ready to deploy the food that was left over from the event. We put all we had on the table and started having some damn good meal time. I also did talk with a few more people around; they were from the UK I think, I can't fully remember, but I know that one guy preferred Kotlin while the other guy was using Go, so we did a lot of chitchat about development stuff. There was also talk about cheese, as we had some varieties, and then talk wondering what kind of food it was, as it was in some other language or odd to figure out. As we were done with the food, we were also able to take leftovers. I did take a few waffles, apples and one bottled drink; at least that's what was still good to take. I have no idea if I was able to put in even more, as my backpack was full and I definitely can't carry that in the airport. We were ready to close at this point, but we had to pack up the tables and clean up the remaining leftovers and stuff. I tried to pick up some bottles just in case, to finally pack up the final table, and out of all possible moments, I fucked up, as that bottle that I mentioned before fell, and it was a glass bottle. Everyone instantly started getting lots of napkins and tried to carefully dispose of it. I was damn embarrassed. I hadn't fucked up anything special until this moment. Though, everyone was generally not that concerned after some time and we did manage to close the building.
After this, we walked to the restaurant for the ending of the event. I was talking a bit with one or two staff members about the situation I'd caused, but they said that I didn't have to worry about it. We got into the restaurant, waiters speaking French, no good for me, but we took our seats and waited for a bit. I did start to talk to another staff member at this point. Slowly we started to discuss things like what's on the menu, how it is to live in the Flemish region of Belgium, the event itself, what the staff usually work with and various other chitchat stuff, along with talking with other staff members, too. The guy also did help me by explaining what's on the menu and what we should pick. I did pick a peach fruit beer and steak with fries. More talk kicked in and then there was constant confusion from the waiters about orders. Technically, I ended up without food for a while, as they brought the wrong order. After a while, I also got my food and started to eat. As we were done, we slowly started to leave the place and also said farewell to the staff member who helped a lot with taking an order and chitchatting.
I took a 1-hour walk through Brussels while it was like 1-2 AM. The streets were full of trash bags, presumably waiting to be picked up. They didn't smell bad as far as I remember, though. Aside from constant ambulance or police sirens, it was quite peaceful. I went into the hotel, brushed my teeth and went back to bed. A damn insane day overall.