have a loud voice. Welcome everyone. We organize the minimalism devroom and there's been some very interesting talks. I'm going to take a slightly more generic approach and discuss why we set up the room and why minimalism matters in our opinion.

So the crux of the matter is that to really trust systems we need to understand them. And these days even the Debian bootstrap is 350 megabytes of binary blob. Did you know that? And it includes a GCC compiler and a host of other tools. So how do we really know what's in there is secure? Also typically these days we are downloading one gigabyte Docker images and if you try to do a post mortem on them it's very hard to find out what's actually in there. I mean you can find what is in there but how was it built? How was it created? How are you sure that there's nothing untrustworthy in there? So are we driving on luck alone? Are we getting away with murder? I think the answer is yes.

So what is minimalism really about? It's about things being simple, being transparent, where the dependencies are really clear. We have clear APIs, you have well defined behavior and especially the stuff should be easy to understand and read. How much of the software today actually matches these criteria? None, as far as I know. Well maybe some Scheme programs. Minimalism. Yeah.

So the Heartbleed disaster you've probably all heard about and maybe looked into because it's hurt almost everyone. Cisco Systems identified 78 of its products as vulnerable including IP phone system, telepresence, video conferencing systems. It costs millions of dollars which I guess is an understatement. And the truth of the matter is it's an open source project and at the time there were only two people working there on it and it has half a million lines of code. And what actually happened with Heartbleed is there was some code left in there which was not supposed to do anything.
I mean it maybe was supposed to do something but it was really just left in there and nobody looked at it again and it was the problem.

So how many lines of source code do you think there's in the Linux kernel and drivers today? 24 million. All too low. How much is in Windows? Even more. OSX, Android, Android. 20 million. Mozilla. Yeah. Facebook. You know that their code that they use? The answers. So this is the Linux kernel. You know it's grown a little bit over time. So it's now close to 30 million lines I guess. Oops sorry. 25 million lines including drivers. You can see how it's grown since really small print. I can't really see it anymore but just in a few years you know it's come from 5 million.

Browsers. Yeah so 36, well almost 37 million lines of code in Firefox. That is more than Linux. Seriously. You know and I mean at the time remember when Microsoft was really worried that the browser would become the desktop? We've done it. And it's C++ too. Right? Scary. So Windows, they're 50 million. OSX that's not officially known. Android sorry it's only 12 million. Android is only 12 million. And then Facebook apparently has 60 million lines of code to run you know everything.

How many transistors do we have in the CPU today? Billions. Billions. It's scary. Yeah so the original 80386 which I used to program and I also did the Trash-80 by the way. Yeah so it had under 300,000 transistors. You know then it went in 2007 to 400 million. Then in 2014 we surpassed the billion mark. And today we are at you know sort of close to 20 billion transistors. ARM, is it simpler? That's what you'd hope right? Finally we get a new architecture. It's going to be a lot simpler right? 8.5 billion. So it's less than AMD but yeah I think actually for what it offers it's more.

Let's discuss the Intel management engine for a bit. You are aware that every CPU produced since 2008 contains a full operating system. Hardwired on the chip and it's Minix. Minix? Any Linux users here today?
Minix. Right. So and they found weaknesses in it right? In 2017 and you know this is an exploit that goes back all the way to 2008. And you know a normal user cannot disable the management engine. This is actually the last line of computers you could disable it. It's a 2011 one. It's not strange I'm using it. You can read about it on Wikipedia.

So Intel claims it's a good thing. The management engine. You know they give an X service to corporate customers. They can actually get network access on the CPU. But we don't really know what it does. Right? So I mean I plucked this from the internet. Oh sorry. It can read any byte in RAM. It can send data through the network interface. Communicate with the operating system. You know. I mean it could be just right. Could be. We trust Intel. We all do.

And Tanenbaum, I mean Intel you know fired a host of questions at Tanenbaum at the time they were introducing Minix on the chip. Right. And he didn't know what it was about. So for the record he says you know you know if I suspected they might be building a spy engine I certainly wouldn't have cooperated. AMD any better? No. No. They actually have a management engine and we know nothing about it. You can check this write-up by someone.

So Minix itself is minimalistic. It's about 4,000 lines of code they claim for the kernel itself. It's a microkernel and they think that within these 4,000 lines they can eventually make it bug free. They're not stating it's bug free now. But small helps with minimalism. Right. And that's also why probably Intel put it on their chip. It's ironic.

So when it comes to minimalism you really are talking about simple components and composability. You know how these components fit together. And the Unix philosophy, the original one. I'm not talking about systemd here. They have this. It served us well. Right. So we have Janneke here who is working on GNU Mes which is replacing that 350 megabyte binary blob. And he wants to reduce it.
The team wants to reduce it to 500 bytes of binary blob. Well, that would be an improvement, no? And it will affect all Linux distributions. So this is also about components and composable and also about readable. It's a binary blob. It's got a GCC compiler in there. Ben, you tell us, Janne? Also it's a distribution. Yeah. It's a small distribution itself. It's used to compile Debian and you need to compile something. Yeah. But this is what Debian does. And the others are no better.

The Hurd, another GNU project, they had 400,000 lines of code. So it's not minimal, but it's a microkernel. And it aims to surpass the Unix kernel functionality, security and stability. So what it means security, you know, it has to be more composable and more components, component mentalized, what does it work? And composable, right? So while the GNU Hurd doesn't, it's not a very active project today, you can see that in time it could become important.

GNU Guix, anyone heard of GNU Guix here today? Yeah, so this is another attempt at, you know, making things in smaller components and making them composable. I'll say a bit more about that if I have time. Sorry.

So is this minimalistic? So this is a billion transistor chip and it looks like, you know, they're components and it certainly probably is composable. But no one, you know, today can understand what's really there. It's all done by machines. But also, you know, it is actually pretty complex. I mean, if you look at the street map of Brussels, yeah, it also looks like it's components, you know, there are houses there and, you know, there's an API, they're functioning together. But what's really happening at that level? We have no concept of understanding anymore, right? I mean, we've never really had when we left villages, small villages.
So modern CPUs actually look like city maps today, you know, many, many components, they look composable, but they're actually complex and we rely on that technology throughout, right? That's why that's the way stuff is such a concern.

This is a graph and the graph is a dependency tree from GNU Guix. So this shows Python with its dependencies. Sorry about this small size. I probably have it open somewhere. Yeah, there you go. Yeah, so if you zoom in a little bit, you can see how it all hangs together, okay? So this is your typical stuff that you run on your computer. Switch. Are they components? These individual pieces of software? You know, well, this is a graph and it looks like it's components, components. These are not components really, you know, these are components of software, but how they really interact with each other, we don't know, right? We only can show how they depend on each other. So, you know, what we are running on our systems is not really component, it doesn't consist, I mean, it consists of components, but they're not understandable components.

So one thing you can do to improve things, to make it more minimalist, is say, okay, when I need something to run, I may create a container or a computer which only has the software on it that I actually need to run it, right? So basically you take the graph and you reduce it. If you take a typical Debian distribution, there will be a lot of installed pieces of software that you may never even run, right? But to make it more minimalistic, what you could do with GNU Guix, and it allows it because it controls the dependency graph, is to say, okay, I'm going to create a container and I'm only going to put the software that I need to run my service, right? And GNU Guix makes it reproducible but also minimizes the attack surface, you know, and in a way for embedded systems it could be redefining the future.
So the message really is that things should be simple, transparent, there should be clear dependencies, clear APIs, well-defined behavior, easy to read, you know, we should aim for that in an ideal world.

So why do we want minimalism? To avoid dependency hell, I guess. Backdoors, spying, malicious intent, in a nutshell. Questions? Many reasons, I think, you know, but because we can, it's one word. Because we can. I mean, if you think about, you know, a language like Go with all the dependencies and the modules that they pull in, you know, typically hundreds or, you know, JavaScript is also an infamous one. Joe Armstrong who created Erlang, you know, he claims that he always avoided dependencies, yes, so for the Erlang compiler and environment. And he says, you know, that's the reason why it's still running today or most of the systems are still running today. There's something to be said for that.

Yeah, how much time do I have? Yeah. Never learning. Yes. I'm no philosopher. Yeah. For every simple thing or solution? Yeah, simple, clean and wrong. Yes. It's, you know, it's really a complex topic. Yeah. Yeah. That's a whole area of research, an active area of research, in fact. Yes. Yeah. Are you ready?

So what do we do? Well, we should aim for simpler hardware and simpler software. Yeah, and with software we can already do a lot. Hardware is going to be a different story for the time being. But I think if open and free hardware platforms come along that are affordable and, you know, almost are fast enough to beat my 11-year-old computer, we'll take them. You know, I'll take free hardware. Yeah. There are trade-offs, you know. So minimalism, there are trade-offs for sure, and companies will, you know, Microsoft will not opt for minimalism, nor will Google. Yeah, but I think for ourselves we need to drive for it hard.
And when a phone comes along, you know, which is free hardware and it has a relatively simple operating system and free software, some people opt for it, you know, and get more privacy out of it. Yeah.

How do you measure complexity? It's a difficult one, again. And it also depends on what you are trying to create, right? So, you know, we are dealing with complexity in many ways and it's an active area of research also. Yeah, I think with computing we are going, you know, a little bit off the rails lately.

Yes, Mark? This is the DNA with junk all over the place and the software is the same. Yeah. So, yeah, actually nature is highly efficient, it gets rid of junk. It takes a long time. It takes a long time, yeah.