[1] https://symbiflow.github.io/
[2] https://github.com/freechipsproject/chisel3
[3] https://github.com/freechipsproject/firrtl
The issue is that the executive order would make it unlawful to share technology with foreign adversaries. So it effectively forces open source projects to hard fork along geopolitical boundaries. For example, if (and these are still if's) Huawei were to be designated a foreign adversary; and, if Huawei were to develop a RISC-V implementation of interest; it would be unlawful for a US person to use that implementation, or otherwise "acquire" said technology from Huawei.
The underlying premise of the executive order, as I understand it, is that technology developed by, or under the influence of, foreign adversaries is potentially tainted. Thus to defend the US national security interest, US persons shall be penalized for using their technology.
Thus the concern is that US-based open source developers and users would be directly at risk by interacting with the very projects you cite, should they fall under the influence of a foreign adversary.
Or to put it more concretely: ARM might be very happy if Huawei were designated a foreign adversary, and Huawei invested heavily in RISC-V. Because then ARM could lobby US lawmakers to rule that RISC-V technology is tainted under the theories contained in the executive order, thus reducing competition from open source alternatives.
(edited to clean up grammar)
Apparently, Mr. Trump summoned Mr. Cook last week and extended an offer of a tax break and other "relocation packages" of a size "not seen in human history" if Apple moves to the USA.
Hearing things like that keeps reminding me that the Taiwanese engineering fraternity is one of the world's best intelligence agencies :)
If we take no other lesson from the past 2.5 years...
Of course we have a lot of new judges so who knows.
I have met Bunnie, and he has a bit of a warped view of the world. I think it caused him to gloss over things like https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi... where Huawei did not give a single shit about security in their cellular basestation codebase.
Sure, Huawei will read CVEs and sometimes deal with them, but really basic things like updating OpenSSL libraries seem near impossible for Huawei. Their hardware is thus vulnerable to exploitation by any ill intentioned person wandering by :c
Part of this is the whole stolen codebase problem, where Huawei (as Nortel's Chinese manufacturing partner) took their designs and code, without fully understanding them. They've been able to tack on a lot of neat stuff, but the underlying architecture is still not understood by their engineers.
The Huawei ban is very clearly a political anti-China move, not one based on technical reasons.
I don't know Bunnie and I only follow his blog posts sometimes, but he's a strong proponent of open source software and open source hardware [1]. Bunnie is helping to develop a fully open source hardware laptop, Novena [2], that requires companies providing components to not require non-disclosure agreements [3]. Bunnie is also specifically interested in FPGAs and making them and their toolchains available [4].
Your post seems like it has a veiled nationalistic and anti-open source undercurrent. Is Bunnie's silence on the matter of the Huawei security issue reason for you to have this view? If so, do others not mentioning Intel's vulnerabilities [5] the past years also mean they have the same "warped view of the world"?
To be clear, I'm not trying to absolve Huawei or Intel of anything. I'm trying to address the claim that Bunnie turns a blind eye to proprietary chipset and hardware technology more than others.
[1] https://www.eff.org/press/releases/hardware-hacker-anti-acta...
[2] https://www.bunniestudios.com/blog/?cat=28
[3] https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)#Novena
> Huawei (...) took their designs and code, without fully understanding them.
Do you want to say that there aren't people in China smart enough to "update OpenSSL" in their codebase, however the codebase came to be used by the company?
A lot of companies and developers inherit the products created in some other times in some other companies and generally are able to update them.
I recall that happening in the 90's with a few different types of software due to U.S. software patents and corporate legal departments. VLC hasn't always been the go-to Linux multimedia application, for example.
[1] The infrastructure part is easy, the giving away access/bandwidth for free part is hard.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
The bulwark defending the bulwark is the population.
Hope that works out for you. :-(
(I'd wager there'll be a few more Snowden types asking for asylum outside the US before this is all over.)
The division of the open source world into the “US part” and the “Chinese part” would be a roughly 50% cut in the efficiency of the FOSS ecosystem, and is on the table given the developments he describes.
Boom! I told people they might do that back in the crypto discussions. Custom crypto and high-assurance security are still munitions with only a few things re-classified such as mass-market, one-size-fits-all software and use of ciphers in browser (https). This is what they might do to the rest with the leverage if it was ever truly threatening. They’re already doing it to companies over Huawei.
I also speculated they might have done this to get backdoors in products. A combo of offering payment and threats together. We know they do the payments. I don’t know if they do export threats, though.
“some independent security research would have already found and published a paper on this. Given the level of fame and notoriety such a researcher would gain for finding the “smoking gun””
Bunnie is being really naive here, or maybe doesn't understand computer espionage. Most subversion must be done in a way that doesn't look like subversion. The system just has to be remotely exploitable. The best route to that is to intentionally leave in memory safety bugs or a configuration that enables privilege escalation. Hackers find those all the time in all kinds of devices. They say, "Hey, they just made a common mistake." Maybe it was there on purpose. We won't know.
“It’s no secret that the US has outsourced most of its electronics supply chain overseas. From the fabrication of silicon chips, to the injection molding of plastic cases, to the assembly of smartphones, it happens overseas, with several essential links going through or influenced by China.”
And this is why what the U.S. government is doing is incredibly stupid. You could substitute other industries in here. It’s a smarter move to minimize one’s dependency on a country before pissing that country off in a way that can prevent them getting what they depend on.
By that logic everyone from Apple to Xerox could possibly be enabling computer espionage. You’d never be able to prove a bug wasn’t a deliberate back door.
Take Obama's "If you like your health care plan, you'll be able to keep your health care plan" as an example. He repeated this message many, many times: https://www.politifact.com/obama-like-health-care-keep/
How do you objectively decide:
1) Is this statement true?
2) Did he lie about it?
Also, how do you handle "if there is something I should not know, do not tell me"?
E.g. follow human rights, no Great Firewall, and you can use it.
Global trade has done a lot of good for the world; in general, there hasn't been any big war in the last 70 years.
Why: 996
Presenting a non sequitur as evidence has become par for the course. Let's step back to one day before the Heartbleed bug was discovered in SSL libs, when a similar argument could've been made regarding the SSL library's security, only to be disproven a day later.