Announcing a new Ruby gem, agent99, as a reference implementation of the Agent99 Framework whose goal is to enable all software agents regardless of their language of implementation to work together, cooperating to accomplish the goals of the large application system. https://madbomber.github.io/blog/engineering/Gotting-Smart-with-Agebt99/

We are pleased to announce the release of Ruby 3.4.0-rc1.

Prism

Switch the default parser from parse.y to Prism. [Feature #20564]

Modular GC

• Alternative garbage collector (GC) implementations can be loaded dynamically
  through the modular garbage collector feature. To enable this feature,
  configure Ruby with --with-modular-gc at build time. GC libraries can be
  loaded at runtime using the environment variable RUBY_GC_LIBRARY.
  [Feature #20351]

• Ruby’s built-in garbage collector has been split into a separate file at
  gc/default/default.c and interacts with Ruby using an API defined in
  gc/gc_impl.h. The built-in garbage collector can now also be built as a
  library using make modular-gc MODULAR_GC=default and enabled using the
  environment variable RUBY_GC_LIBRARY=default. [Feature #20470]

• An experimental GC library is provided based on MMTk.
  This GC library can be built using make modular-gc MODULAR_GC=mmtk and
  enabled using the environment variable RUBY_GC_LIBRARY=mmtk. This requires
  the Rust toolchain on the build machine. [Feature #20860]

Language changes

• String literals in files without a frozen_string_literal comment now emit a deprecation warning
  when they are mutated.
  These warnings can be enabled with -W:deprecated or by setting Warning[:deprecated] = true.
  To disable this change, you can run Ruby with the --disable-frozen-string-literal
  command line argument. [Feature #20205]

• it is added to reference a block parameter. [Feature #18980]

• Keyword splatting nil when calling methods is now supported.
  **nil is treated similarly to **{}, passing no keywords,
  and not calling any conversion methods. [Bug #20064]

• Block passing is no longer allowed in index. [Bug #19918]

• Keyword arguments are no longer allowed in index. [Bug #20218]

YJIT

TL;DR:

• Better performance on most benchmarks on both x86-64 and arm64 platforms.
• Reduced memory usage of compilation metadata
• Multiple bug fixes. YJIT is now even more robust and better tested.

New features:

• Add unified memory limit via --yjit-mem-size command-line option (default 128MiB)
  which tracks total YJIT memory usage and is more intuitive than the
  old --yjit-exec-mem-size.
• More statistics now always available via RubyVM::YJIT.runtime_stats
• Add compilation log to track what gets compiled via --yjit-log
  • Tail of the log also available at run-time via RubyVM::YJIT.log
• Add support for shareable consts in multi-ractor mode
• Can now trace counted exits with --yjit-trace-exits=COUNTER

New optimizations:

• Compressed context reduces memory needed to store YJIT metadata
• Improved allocator with ability to allocate registers for local variables
• When YJIT is enabled, use more Core primitives written in Ruby:
  • Array#each, Array#select, Array#map rewritten in Ruby for better performance [Feature #20182].
• Ability to inline small/trivial methods such as:
  • Empty methods
  • Methods returning a constant
  • Methods returning self
  • Methods directly returning an argument
• Specialized codegen for many more runtime methods
• Optimize String#getbyte, String#setbyte and other string methods
• Optimize bitwise operations to speed up low-level bit/byte manipulation
• Various other incremental optimizations

Core classes updates

Note: We’re only listing outstanding class updates.

• Exception

  • Exception#set_backtrace now accepts an array of Thread::Backtrace::Location.
    Kernel#raise, Thread#raise and Fiber#raise also accept this new format. [Feature #13557]

• Range

  • Range#size now raises TypeError if the range is not iterable. [Misc #18984]

Compatibility issues

Note: Excluding feature bug fixes.

• Error messages and backtrace displays have been changed.
  • Use a single quote instead of a backtick as a opening quote. [Feature #16495]
  • Display a class name before a method name (only when the class has a permanent name). [Feature #19117]
  • Kernel#caller, Thread::Backtrace::Location’s methods, etc. are also changed accordingly.

  Old:
  test.rb:1:in `foo': undefined method `time' for an instance of Integer
          from test.rb:2:in `<main>'
  
  New:
  test.rb:1:in 'Object#foo': undefined method 'time' for an instance of Integer
          from test.rb:2:in '<main>'
  

C API updates

• rb_newobj and rb_newobj_of (and corresponding macros RB_NEWOBJ, RB_NEWOBJ_OF, NEWOBJ, NEWOBJ_OF) have been removed. [Feature #20265]
• Removed deprecated function rb_gc_force_recycle. [Feature #18290]

Miscellaneous changes

• Passing a block to a method which doesn’t use the passed block will show
  a warning on verbose mode (-w).
  [Feature #15554]

• Redefining some core methods that are specially optimized by the interpeter
  and JIT like String.freeze or Integer#+ now emits a performance class
  warning (-W:performance or Warning[:performance] = true).
  [Feature #20429]

See GitHub releases like Logger or
changelog for details of the default gems or bundled gems.

See NEWS
or commit logs
for more details.

With those changes, 4820 files changed, 196907 insertions(+), 253488 deletions(-)
since Ruby 3.3.0!

Download

• https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-rc1.tar.gz

  SIZE: 23055998
  SHA1: 216e3085ab8b886b9f74943ee5b62bd2e3d86671
  SHA256: 1f3187d3366e90af6d760994f8bfe1fe8999a8ba3553ea4dcfae63e548236e2a
  SHA512: 0b0420a39c0bf3b38600d4e28805a581c4b5a6cf2abe41be8c8164276a8044a19e676de74eea5dd5b4d7d667d821a6144119795fea510fd4ba6e34865a2ae172
  

• https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-rc1.tar.xz

  SIZE: 17116016
  SHA1: 1424671cdc9c4bfe3778ac159d917c8bfe6107bd
  SHA256: 9c54225747f7a786727aa6213503083d5d8ff7097505d4b7456ff60880ee4a17
  SHA512: 5b92a2b5829ab23735617945839e45df984b319b8932e790a8e0c6f681b9bd74249511a76345516cc216c002ed7887bdd27151501491d5ecedc20acd3fb57cc5
  

• https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.0-rc1.zip

  SIZE: 28323595
  SHA1: 4ae8ce4b15ccc3f0c6f42e408c44aa287a1ccc14
  SHA256: 653162a2db627e8e5feee22a00b20acf215509d88b06ffb281bc8788ed12c74c
  SHA512: c6c6b9a0e61308e3f3303cd148613feabb2ee12d8e2fefc1f4aa1403237310f7c9be5e2031248ea89ff01cdc0bca1a66ff60f9f1f19ed9c9fccef3d7a3bbebb8
  

What is Ruby

Ruby was first developed by Matz (Yukihiro Matsumoto) in 1993,
and is now developed as Open Source. It runs on multiple platforms
and is used all over the world especially for web development.

Posted by naruse on 12 Dec 2024

Don’t let computers go to waste and join us in fighting restriction on December 20 for the eighteenth International Day Against Digital Restrictions Management (IDAD).

Automation is one key factor that lets the small F-Droid team provide apps
to millions. The @checkupdates-bot
is a new reworking of an old piece of automation in F-Droid:
checkupdates. This goes through all of the existing apps, checks if they
are set up for automatic updates,
and if so, runs the process to automatically generate a new build entry for
that release. That gets added to
fdroiddata, which is what the
production buildserver processes in order to build and ship apps.

Since the best security is provided by systems that follow the principal of
least
privilege, we
recently reorganized our setup and workflow around that principal so that
the @checkupdates-bot has the least privileges needed to do its job. The
checkupdates process now runs in its own isolated project, separate from
fdroiddata and any other F-Droid project on gitlab.com. It now only
pushes commits to its own dedicated
project, then makes
a merge
request
per app to fdroiddata. Both our automated CI processes and our trusted
human reviewers now handle all updates using the same process as for new
apps.

At the same time, we removed a key bit of cruft in our code:
stats/known_apks.txt. This file was the place that stored the dates when
each app was added to the collection. This file was updated on the
buildserver and maintained in fdroiddata. That information is also in
the index file, so we
switched to
fetching it from there instead. That meant we could remove the last deploy
key in use in fdroiddata. Our operations no longer require any deploy
keys in fdroiddata.

While we were at it, we added some additional checks via the merge
requests. For example, now any time an image file is added or modified, a
CI job checks
whether the image contains any EXIF metadata, which can be used as an
exploit vector. We also added some additional enforcement to make sure
changes to key files go through human review via merge requests.

Security issue as inspiration

About a month ago, @SomberNight reported a
security issue to us
in a confidential issue. We appreciate this detailed report, and also want
to highlight their diligent follow up. In specific situations, the old
setup was leaking the private deploy key which granted access to directly
push commits to fdroiddata. We immediately revoked that key, then removed
all privileges from the @fdroidci user that
was associated with that private key. We also investigated all the leads we
could follow to see if someone had used this key to insert something into
F-Droid. We searched the activity of the @fdroidci user and found no
evidence that unauthorized commits were added.

To be sure, we did some additional investigations. Since checkupdates had
been running as part of the fdroiddata project on gitlab.com, a malicious
app build recipe could have also read the CHECKUPDATES_SSH_DEPLOY_KEY
variable which contained the private key. We checked fdroiddata’s history
for signs of exfiltration and found nothing. We require that apps are built
from source code, and that source code is in a source code management system
like Git. That ensures a local copy with history is retained on our
buildserver. We searched our local copy source code and found no evidence
that any app build processes where trying to exfiltrate the checkupdates
private key.

Do you have more ideas for things to search? Please dig in and let us know
if you find anything suspicious. Working in public means everyone is free
to investigate and come to their own conclusions, and contribute to a more
secure free software ecosystem on Android.

Learn about the top articles published at OpenSource.net in 2024. This site is dedicated to fostering knowledge sharing about Open Source software, hardware, open culture, and open knowledge.

I’ve been dropping a lot of hints about my journey to rid myself of Google’s Android on my Pixel 8 Pro lately, a quest which grew in scope until it covered everything from moving to GrapheneOS to dropping Gmail, from moving to open source “stock” Android application replacements to reconsidering my use of Google Photos, from dropping my dependency on Google Keep to setting up Home Assistant, and much, much more. You get the idea: this has turned into a very complex process where I evaluated my every remaining use of big tech, replacing them with alternatives where possible, leaving only a few cases where I’m sticking with what I was using. And yes, this whole process will turn into an article detailing my quest, because I think recent events have made remocing big tech from your life a lot more important than it already was. Anyway, one of the few things I couldn’t find an alternative for was Google Pay’s tap-to-pay functionality in stores. I don’t like using cash – I haven’t held paper money in my hands in like 15 years – and I’d rather keep my bank cards, credit card, and other important documents at home instead of carrying them around and losing them (or worse). As such, I had completely embraced the tap-to-pay lifestyle, with my phone and my Pixel Watch II. Sadly, Google Pay tap-to-pay NFC payments are simply not possible on GrapheneOS (or other de-Googled ROMS, for that matter), because of Google’s stringent certification requirements. Some banks do offer NFC payments through their own applications, but mine does not. I thought this is where the story ended, but as it turns out, there is actually a way to get tap-to-pay NFC payments in stores back: Garmin Pay. Garmin offers this functionality on a number of its watches, and it pretty much works wherever Google Pay or Apple Pay is accepted, too. And best of all: it works just fine on de-Googled Android ROMs. Peope have been asking me to check this out and make it part of my quest, and ever the people-pleaser, I would love to oblige. Sadly, it does require owning a supported Garmin watch, which I don’t have. To guage interest in me testing this, I’ve set up a Ko-Fi goal of €400 you can contribute to. Obviously, this is by no means a must, but if you’re interested in finding out if you can ditch big tech, but keep enjoying the convenience of tap-to-pay NFC payments – this is your chance.