No more big 32-bit cores for RISC OS from 2022

Yes, there’s big holes in that, too… but it’s better than not doing it, and there was a need to start from somewhere and move in the right direction.

+1

@ Rick

thanks for your detailed replay.

Few, little notes:

DigitalCD?

Well the world has moved on a bit you know? Spotify, SoundCloud and others, but yes DigitalCD is still cool and can do quite a lot of things.

However my original point was not about asking for software who does X or Y, it was about tracking what “we” as a community envision as a target for the so called Main Desktop System, in other words what people use a main desktop system for.

As Steve Pampling said multiple times, let’s focus on the HLD first, what are the goals to reach and then we can look at the details of HOW to reach each and every one of them.

To the point of “it’s a mistake asking questions to the community…” I don’t agree. I think that for years we have lost opportunities to discuss together because there were people more interested in showing they were somehow knowledgable, or because they were frustrated or because passion was taking over rationality etc… all stuff that is ok, but that doesn’t help to solve a problem for RISC OS.

TBH I have seen already plenty of interesting ideas been thrown by so many (you included). Yes sometimes it appears we disagree, but I am seeing people refocusing or being willing to refocus and that is great :)

@ Charlotte

Paolo: I pretty much agree with your list. The only exception I’d make would be AAA games,

Good point, however AAA games are a big selling point for desktop systems. Also you are absolutely correct on the price tag for a RPi, but the Titanium and few oder boards have actually more desktop-y price tags and so (for a general audience) may be perceived as more gaming-capable systems, obviously not as powerful as properly designed gaming PCs which have triple 0 in their price tags as well.

what is the point of signing apps when there exists a system call that will happily give full kernel level privileges to the caller

To trust them. You know it’s the original one and not a hacked one.

Zero day flaws tend to show us everyday that system hardening never really work. Perimeter protection does not work so well too.

Security is a risk: my copy of DigitalCD is signed → then can I trust Andre ? → then use it, or throw it or use it inside a closed container, with limited rights and functionalities. I remember that Jon were talking a long time ago of very fast ‘emulation’ layer, running at almost native speed. It could be the base of a software hypervisor system, with filtered API for the different levels of security (from limited access to some SWI and system memory to completely virtualised system).

In a way, it’s a liberal variation of the Qubes OS approach with one more layer: trusted applications that can work at system level. Trusted = you can trust or you choose to trust because it’s OK for you.
https://www.qubes-os.org/intro/

Nota: it’s also exactly the macOS approach.

We have also the multiuser thing. But I think it would be much better to manage it at boot: different passwords for different mounting options. And a common partition (RO for non privileged user) for apps. Of course that would not be very efficient in term of disc usage efficiency. But since flash systems like unused space, it could solve this problem :)

Which could put people off rolling their own?

No, but they will know for sure that the one they use is not official.

It seems to me that Chain of Trust in its broadest applications is not about providing trust but removing user control.

And you’re both right. With a complete chain of trust, you don’t need security checks any more.
(well, you still need some)

We have also the multiuser thing. But I think it would be much better to manage it at boot: different passwords for different mounting options. And a common partition (RO for non privileged user) for apps. Of course that would not be very efficient in term of disc usage efficiency.

No, I would suggest that the applications sit in a read only location (as far as unsecured users are concerned) and people use AddToApps (in their own boot environment) to bring in any others.
The secure boot wouldn’t run unsigned apps for obvious reasons. Signed apps would need to be transferred in using a specific routine that checked the signature before writing them to their new home.

Disc efficiency?
Has anyone found out how to fill a modern disc with RO applications and their data?

…however AAA games are a big selling point for desktop systems.

The ability to run AAA games is indeed a selling point, but it’s also recognized as a luxury feature, the absence of which would be seen as a capability-vs-price purchase choice rather than a glaring flaw.

Some of us don’t even know what AAA games are… Amateur Athletics Association???

Some of us don’t even know what AAA games are… Amateur Athletics Association???

AAA (it’s a designation rather than an acronym) games are the big budget ones which require graphics cards that look like fan heaters with a circuit board attached.

It’s like the silly energy ratings these days, when A wasnt enough, you started to get pluses, now we’re up to something like A+++.

Yet, for games, its AAA for the expensive big publisher games, and nothing for everything else.

To return to the subject of security (by obscurity in this case) – something wicked this way comes.

Well, not quite here but recent GitHub based malware GitPaste-12 affects ARM devices with IoT being a target.

RISC OS isn’t, purely because the authors either don’t know about it or can’t be bothered.

So, anyone for a secure boot partition and signed(by ROOL) applications?

Disc efficiency? Has anyone found out how to fill a modern disc with RO applications and their data?

Keep multiple backups of your whole disc as ISO images for BD-R XL media.

Have your rather large music collection in FLAC or WAV format.

Thank god we don’t have good video playback…

Keep multiple backups of your whole disc as ISO images for BD-R XL media.

Well, yes, it’s always been possible to duplicate data to the point that you have no space¹
In these days of cost effective storage solutions I find that dropping the bulk of the data onto a NAS saves space on the client machines.

¹ Some years ago the finance department proved that an effective way of filling mailboxes was to mail spreadsheets to each other, alter them and send them back. Everybody keeps all the revisions. Doing this rather than using a fileshare they deemed “more efficient”.

So, anyone for a secure boot partition and signed(by ROOL) applications?

Sure, sounds a good idea. What about the !Boot procedure? (also note for later, ensure updates are still easy in such a case)

Some of us don’t even know what AAA games are… Amateur Athletics Association???

Brilliant Clive :D

Yeah so Charlotte explained it really well, I’d like to add just that we may identify also On-Line Games, which are not necessarily needing big GPUs, but that still need some degree of security (countless successful attacks on things like PlayStation and XBox etc..). On-Line games can still be considered quite big budget given the need to maintain servers and protocols etc…

With a RISC OS full of security holes no game company that produces on-line game will be interested on investing porting their games on RISC OS (just as a note).

Disc efficiency? Has anyone found out how to fill a modern disc with RO applications and their data?

Software preservation can take quite some space, but beside of that RISC OS doesn’t have applications like Apple Logic Pro (or PRO Tools) that take tons of disc space when recording bands and artists’ song in the studio…

Sure, sounds a good idea. What about the !Boot procedure?

Which bit? The element in the ROM: all signed and match the requirements embedded when the ROM was built.
NB. This might well mean that the only secure ROM is one from ROOL, but then developers working on the ROM won’t be doing a secure boot as they want the open, flexible, hackable setup.

(also note for later, ensure updates are still easy in such a case)

Assuming you mean for the disc based element here.
Signed update checked by the installer in the secure ROM

In the non-secure we’re looking at something similar to current although a packaged update is probably a better idea.

Software preservation can take quite some space,

Indeed it can. Even the ROM and Disc updates total up eventually if you collect all the individual images, but there’s a few TB of space in the NAS so no worries about disc space on a client machine.

but beside of that RISC OS doesn’t have applications like Apple Logic Pro (or PRO Tools) that take tons of disc space when recording bands and artists’ song in the studio…

I’d be surprised if those keep the data on local storage rather than network attached. I’d also be surprised if anyone professional¹ uses the cheaper end of the market for their storage solution.

¹ Could ask someone like Steve Hackett, I know he does quite a bit of recording work at home (both convenience and currently Covid reasons). The latest album has been done with his living room as the central point but the other artists are scattered round the planet.

there was a need to start from somewhere and move in the right direction.

That’s true. I’m just thinking of how non-nerds might perceive things.

Three examples:

1. Local expat about ten years ago – uninstalled the antivirus from her computer “as it makes everything really slow and anyway I never got any viruses”. I told her that she really needs to use some sort of protection (especially as she has a habit of installing stuff that “looks fascinating” but invariably forgetting about it shortly after). She told me her friend’s uncle knows these things and says I’m an idiot… I didn’t appreciate that, especially after fixing dumb stuff (how to shut down XP – the off button doesn’t ¹ so yank out the power cable) for little more than cups of tea, so I didn’t hang around to see what happened.
2. Another local expat at around the same time. Was unhappy that her grandson got bits of toast and jam on the keyboard. So she put it in the dishwasher.
3. Anybody who believes Trump won. Or Covid came from 5G masts. Or the Earth is flat. Or any of a dozen other crackpot ideas that you wonder how sane people can actually be suckered by such nonsense.

The tl;dr version: a number of people who don’t understand technical stuff associate the little padlock icon with “this site is safe”.

If they do what they need in BASIC where’s the point in learning anything else,

Oh, I wasn’t knocking it. Just pointing out that not everybody speaks C, plus we have something of a lack of friendly compiled languages; so it’s still quite possible to see bits of assembler lurking in the slow parts of BASIC programs.
Especially given that it’s not entirely unreasonable that there are people that still expect the likes of RISC OS 3.7 and 4.0x to be supported (and those could be running on a processor orders of magnitude slower than the average Pi).

There’s a reason we’re all here.

Mom died / we’re in lockdown (again!) / I have no life / all of the above.

My money’s on the fourth option. ;-)

Amending what exists, but while doing it rewriting portions in C (or whatever is portable)

So, basically then, RISC OS now.

Having learned their lesson and producing Win7 they forgot and did Win8.0

There’s a theory that the odd numbered ones are good and the even numbered ones suck.

and the site isn’t setup securely anyway.

One could say that anywhere that asks for your credit card details instead of using a recognised intermediary isn’t secure by default.

That may have changed following the info from Rick on how easy it really is.

Uh… Rob did all the hard work. I just followed instructions. We both agreed that only “web space offered by the ISP” would be use something like plain FTP (and again, probably because their targeted user base would not know any better).
Example: https://pages.perso.orange.fr/pages-perso-more
5 sites if you use their app, or 1 site with FTP if you want to roll your own HTML (plain HTML, no php).

Hmm, looks like ovh uses FTP as well. https://www.ovh.com/fr/hebergement-web/faq/
(sigh)

Well the world has moved on a bit you know? Spotify, SoundCloud and others,

Funny thing is, those usually exist in the form of either a dedicated app of some sort, or accessible through a browser (though one might need to trick the site by using desktop mode so it stops pushing you to the app).

However my original point was not about asking for software who does X or Y,

You gave some examples, I pointed out that solutions already exist for some things.

however AAA games are a big selling point for desktop systems.

Sort of. Have you seen the sorts of specs that modern games expect? Give up now if you think a Pi (any incarnation) will cut it.

It’s also something of a never ending battle between general purpose computers and specialised consoles (though Microsoft did cheat a bit with the original XBox).

then can I trust Andre ?

That’s an interesting question, and given the work that he has put into DigitalCD over the years, I would feel more inclined to trust him than some randomly named LLC that turns up on an app store.

with filtered API for the different levels of security

In other words, a sandbox.

Well, I guess something not so different underpins both Aemulor and ADFFS in order to run 26 bit code on a 32 bit machine. Perhaps the concept could be expanded to vet what “untrusted” apps are able to do.
Oh, if this ever happens, please do it better than Android’s on/off switch, as savvy apps can detect this and refuse to run without all the unnecessary permissions that it thinks it needs. So what would be better is a third choice: bullshit, where the app thinks it has GPS access, say, but the coordinates given are a randomly chosen place in the same state/county/country.

No, but they will know for sure that the one they use is not official.

One would imagine that somebody making their own OS would be aware that it isn’t “official”!

With a complete chain of trust, you don’t need security checks any more.

There are some that would argue that “complete chain of trust” is an oxymoron.

Here’s one for you. Which ARM processors used on RISC OS devices have TrustZone? Do you know what it runs?

Note also that one cannot trust any Pi. The “boot processor” is the GPU, that runs a binary blob, and also appears to have some fairly capable built in firmware (looking at how stuff like Noobs boots). What else does it have and what is it capable of accessing?

If you think I’m getting ridiculously paranoid here, I should point out that technically the world’s most popular OS is… Minix! Because every Intel processor since around 2008 has contained a Management Engine which is an autonomous subsystem what has complete access to the processor, the memory, the harddisc, and even contains it’s own network stack with the ability to make use of the network card. Not only that, but it is one of the parts of the machine that remains powered when the machine is “off”, so long as it is actually plugged in.
Oh, and not only is it pretty much invisible to the operating systems, it runs at a level lower than hypervisors and system management facilities.
https://en.m.wikipedia.org/wiki/Intel_Management_Engine

This isn’t paranoia, this is probably hiding within your PC…

So, how goes the chain of trust if you don’t know and can’t audit what your computer is actually running?

now we’re up to something like A+++.

That’s because the original scale was A-G or something, but as things improved in efficiency, they added three extra A ratings and ditched the old E-G. It’s because they can’t retroactively redefine everything. So, yeah, A+++ is a bit dumb but it makes sense how it came about.

I’ll patiently wait until I can buy an A++++++ fridge. If it ain’t got six pluses, I’m not interested.

I think my current fridge is probably C++. ;-)

with IoT being a target.

Really? That’s a hurdle about the height of a baby chihuahua, isn’t it?

¹ It actually was shutting down, but she lacked patience. The number of times I’ve fixed the boot BSOD from a messed up NTFS isn’t funny.

There’s a theory that the odd numbered ones are good and the even numbered ones suck.

Did you notice my mention of Win10 Fisher-Price? (Forgotten where that was)

So, basically then, RISC OS now.

First iteration along from.

So what would be better is a third choice: bullshit, where the app thinks it has GPS access, say, but the coordinates given are a randomly chosen place in the same state/county/country.

Like. I’d be telling them the mid-point of Ladybower reservoir (the dam was a favourite childhood day out)

Oh, and not only is it pretty much invisible to the operating systems, it runs at a level lower than hypervisors and system management facilities.

And also has an exploit, that as I recall has no available patch.

I’ll patiently wait until I can buy an A++++++ fridge. If it ain’t got six pluses, I’m not interested.

Surely they would be tagging it as A⁶ because that’s got style. Just change the superscript number as things go further.

That’s a hurdle about the height of a baby chihuahua, isn’t it?

Dunno, how does a baby chihuahua match up against current RO?
Which we could, potentially improve.
So, if we had a password module and an encrypt/decrypt module where in the ROM module sequence would you insert them?

I don’t thing things likely to truly fork and it’s extremely unlikely to approach to within a planetary orbit of the level of disagreeableness in the ROL-Castle feuding.

Although it depends on what you mean by “fork”. It’s possible to diverge in the end-product sense, while retaining unity and cooperation in the community sense. Conversely, ROL-vs-Castle was just straight-out infighting.

Conversely, ROL-vs-Castle was just straight-out infighting.

Wonderfully delicately phrased. :)

Although it depends on what you mean by “fork”. It’s possible to diverge in the end-product sense, while retaining unity and cooperation in the community sense.

I tend to think of a software “fork” as something akin to a fork in the road where the two rarely ever meet again and most likely wider and wider apart over time.
Whereas the secure/non-secure difference, or “fork” if you like, is akin to the tines on a fork (as in fork and knife) i.e. alongside a short distance away parallel and pretty much identical, just one significant difference.

@ Steve Pampling

Which bit? The element in the ROM: all signed and match the requirements embedded when the ROM was built.

So the whole !Boot.Utils and !Boot.Choices.Boot right now can be used to “patch” the Rom after the rom is loaded and used and while we are still in the boot process.

However details probably best for later, so just a “reminder”…

So the whole !Boot.Utils and !Boot.Choices.Boot right now can be used to “patch” the Rom after the rom is loaded and used and while we are still in the boot process.

Secure boot. on the proviso that the content of those were all signed, then it’s OK.
Really though the ROM shouldn’t need a patch in the secure boot or were you thinking of third party extensions that, while approved and signed, might not be eligible to sit in the ROM. (GPL?)

For the non-secure boot, nothing changed and since the non-secure doesn’t block loading on the basis of a signature untested and tested resources can be treated equally.

Edit Or do we want to restrict slightly there?

@ Steve Pampling

Really though the ROM shouldn’t need a patch in the secure boot or were you thinking of third party extensions that, while approved and signed, might not be eligible to sit in the ROM. (GPL?)

I am thinking of some separate situations:

• Malware
  • Can patch the ROM on the fly to avoid being detected by antivirus. The ROM is no longer a real ROM. Once it’s loaded signature is checked, if the malware doesn’t store it back the image on FAT32 is still correctly signed now potential checksums are changed. Hard to catch, any idea of how we could prevent this without major rewriting of the OS itself?

• Good software
  • May want to patch the ROM to improve features. How do we deal with this? No more possible?

• ROM Modules replacements
  • For instance how do we consider SharedCLibrary RAM when it replaces ShareCLibrary ROM?

• Special RISC OS Distributions
  • like RComp RISC OS for their own hardware?