more drm

A couple of things I didn’t mention in the last post.

Some people think that if you keep the player keys secret you can just set up a website where people upload their videos and get them cracked by a web service, or that it’s feasable for the attacker to just crack all the titles himself. Apart from the fact that it doesn’t scale, AACS has traitor-tracing algorithms that can track down the individual player or software instance used to decrypt the movies. This includes the case of a central web services. If tracked down, a jail sentence could be the result, which would make people think twice about uploading cracked movies. You could try and avoid that by using a stolen player or fake cc number, but that just increases the crimes you’re guilty of to include theft and/or card fraud so not many people are likely to do it.

Others think that if you compromise the PS3, the scheme is broken because Sony will never revoke the PS3 BluRay key. The point is, there isn’t one PS3 key (or shouldn’t be if AACS was implemented as designed). Instead they can revoke the exact piece of metal that was attacked, closing the hole without inconveniencing any other owners.

Finally, some people think breaking hardware security is a matter of using a logic analyser. In reality it requires at minimum a scanning electron microscope which are pretty hard to obtain – it often requires much more, such as working in an entirely dark room to avoid tripping light sensors that will cause the chips to self destruct, or the ability to remove wire meshes. Breaking hardware security is generally so expensive that industrial espionage, blackmail, etc will always be easier.

on drm

Via Slashdot we learn that HD-DVD/BluRay protection is cracked. Or is it?

Reading the comments or the interview, you’d think the whole scheme had come tumbling down like a house of cards. Slashdotters want to believe that so badly, it almost feels like it’s true.

Well, AACS is not cracked. It probably never will be – the mathematics is sound, and is basically an extension of CSS with the weak point (limited key revocation) removed. They might discover a weakness in key generation again or something similar, but it seems unlikely. Given the set of massive flukes that were required to beat CSS, with each revision of the scheme it becomes less likely to break.

DRM schemes in particular tend to make people spout a lot of crap. Here’s the short’n’skinny:

1. This guy has not cracked AACS. He has written a program that can extract title keys from a weakly protected player. The whole reason AACS exists is to solve this very problem of poorly made players. I suspect there are not that many HD-DVD/BluRay players out there right now, so it won’t be hard to figure out which one he is debugging and revoke it. It’ll mean a software upgrade for the early adopters, but who cares?
2. More software players will be cracked in future, but it’s not inevitable any player can be cracked. Having spent many hours in the debugger myself, I know that increasing complexity of an app by a small amount is simple and following that small increase in complexity as an attacker is hard. It can be done, I’ve done it myself, but every time you add another anti-debugger check, encrypt another piece of code, or hide the data you need inside other pieces, the number of attackers that can/will continue drops. As there is a finite number of motivated people to start with, it is in fact possible for that number to reach zero. Then you win, at least for a time. This is especially true if the software is adaptive, that is, the protections can be changed by the programmers at any time, Warden being a good example of that.
3. Hardware protection is much harder to beat than software protection, for obvious reasons. Satellite TV encryption has remained unbroken for years, which proves the point that DRM can work (giving you data you can’t access unless you pay is what it does, after all). Vista supports streaming encrypted data direct to the video card, which largely solves the problem of exposed title keys and as the type of people who play BluRay videos are likely to want to do so on new machines that can handle the requirements.

There are three mistakes people make when thinking about DRM.

you give me the data and the key, therefore I can beat you

Wrong. You might be able to beat them, but you might not. It’s possible to make a scheme so hard to beat that nobody manages it. Defeating the smartcards using by Rupert Murdochs satellite companies requires you to find a vulnerability in the microprocessor on the chip, then obtain a dump of its memory, then reverse engineer an unknown instruction set, then look for a weakness in the software on the smartcard, then somehow manage to turn all of that into a repeatable hack. There is tremendous profit involved for people who can manufacture then sell the final tool or program, but despite the millions up for grabs cracks are long since history. Severe jail terms for those involved act as an additional deterrant (we’re not talking DMCA here, we’re talking Economic Espionage Act).

the analog hole exists, therefore I can beat you

Sure, go ahead and point a video camera at the screen and make your own video copy. It might even be good quality! Point is, nobody cares. DRM is meant to discourage copying at scale. If it requires somebody to set up a darkroom, a HD camera and to “rip” videos in less than real-time, so few people will do it the impact on sales won’t be significant. You win the battle but lose the war. If all it requires is for you to click a few buttons, then you get every video being uploaded to LimeWire and that’s a bigger problem. The iTunes DRM is defeatable by burning to CD then re-ripping, which would in theory lead to all the iTunes tracks being available via peer to peer. Yet it still sells millions of tracks.

drm is anti-consumer so nobody will accept it

Wrong. People already accepted it en-masse when DVDs first came out, when the iTunes Music Store came out, when World of Warcraft came out, and when satellite TV came out. Most people can’t even explain what DRM is, let alone argue that it’s bad. Well implemented DRM does not inconvenience people much, beyond the “inconvenience” of having to pay for media. A lot of DRM is not well implemented but that says more about the people implementing it than anything else.

I don’t know if the RIAA, the MPAA, the book publishers, and so on will keep persuing DRM until they win. The struggle might wear them out, they might give up. Nonetheless, the fact that the TV companies were successful shows it can be done. Also, even though in the software realm copy protection and anti-hack programs are fallible, they are still used which implies the value they give outweighs their cost.

Eventually, it seems likely that commodity PCs will move all the vulnerable parts into hardware. The TPM already does this for key storage, but it can’t do streaming decryption. Secure Audio Path/Secure Video Path allow you to move audio/video decryption into hardware, meaning only the key manipulation part is still in software. Combine the two and it’s not a stretch to ensure the keys are never “in the clear” in the processor at all. Even if that’s still required, Intels LaGrande already allows a program to insulate itself from other programs and the kernel at the hardware level, which makes debugging it into a hardware cracking problem rather than a software one. It’s only shipping in some chips right now, but presumably it’ll end up in all their chips at some point.

Desktop computer users have got this mentality that DRM can always be defeated, re-enforced by a history of weak schemes that were eventually cracked (even though it took years to beat CSS, something often forgotten). It seems likely that eventually they’ll be proven wrong.

on platforms

I’ve worked for Google for about 4 months now, perhaps a bit less. In that time, my thinking on the future of computing has changed (because I’m sad I think about this a lot).

This thinking is the result of a vague feeling that the existing client platforms have all run out of steam. Windows Vista, OS X and the latest Linux distros are all, give or take a few details, pretty much the same. Most of the new features are not inspiring. Apple are doing some good work in UI design, but it’s mostly just polishing the edges and in some cases, they are just coming up with fancy workarounds for deeper problems (expose, time machine, etc).

Progress seems slow. The Big Problems that we’ve known about for years don’t get solved. There are 3 big problems that interest me:

• Usability
• Security
• Environmental impact

I’ll only talk about usability today.

Usability

Luis Villa articulated one side to this long before I really understood it, which just goes to show that he’s smarter than me and in about 5 years I’ll probably wish I’d gone to law school. Some things are easy to do with web apps, and hard or impossible to do with client side apps. Of course the opposite is also true, but in general, when an app can be implemented as a web app, it usually is. This says to me that most people prefer it if they can get it.

Luis says:

Three big things:

• Web development/deployment is easy, and desktop is not.
• Web development makes certain things easy; primarily location independence and collaboration.
• Desktop development has advantages web devel does not (rich inter-app integration, localized search, etc.) but taking advantage of them is a PITA.

Luis is thinking from a developers perspective so it’s fair enough that he doesn’t mention the user experience in all this. But what I’ve realised in the last 4 months is that a well written web app gives a significantly better user experience than the equivalent client app. This is the opposite of conventional wisdom, which is that web apps are “less rich” and therefore somehow worse.

The way web apps beat client side apps works like this:

1. Firstly, people love speed. I knew this in a vague sort of way before, but now I can quantify it. Every millisecond you can shave off an operation will increase your userbase. Most good clientside developers know this, but web apps let you actually watch traffic come and go as latency changes. The correlation is remarkable and it really focusses the mind on making things happen NOW.

2. Secondly, less is more. Web apps make it hard to pull off stuff we take for granted in the desktop world – customisable toolbars, tree views, file dialogs, tab widgets etc. This is a good thing.

   The “richness” that we (programmers) love, is despised by many people. They’ll never tell you that if you ask, because they won’t know how to express it, or even what’s wrong. Instead the people who do understand it and have learned all its quirks and odd little features will tell you how important it is. This is really misleading. Don’t be fooled.

   A classic example of this is tree view controls. Programmers love trees. We think about them all the time, we see them everywhere we go. To us a tree is the most natural thing in the world. Because we love trees so much, it’s an obvious step to represent them in the user interface in some way. Like, say, by using a tree view widget. Some people love tree widgets so much they spent weeks recreating them in DHTML and JavaScript. Big mistake! Usability studies and real world experience indicates time and time again that lots of people have difficulty with trees. Some people will just avoid using them completely. Most will maybe use the top level of the tree, but won’t go in for nesting (ie they’ll have Documents/Foo and Documents/Bar but not Documents/Foo/Bar).

   Because trees are such a PITA to recreate using HTML, most people don’t bother with them in their web apps. They find some other way of doing it. GMail uses labels, Flickr uses tag clouds, the web itself uses search. Most web apps just somehow avoid it entirely. All those users who never really cared much for tree views but couldn’t really identify why are suddenly happier. They can’t explain it but somehow they know this new thing is better than the old thing.

   This follows for quite a few other kinds of client side UI construct that are now avoided because they are known to be bad. MDI, multi-level tab widgets, and incredibly complicated pref panes for instance. Once upon a time, MDI and multi-level tabs was the height of cool. Everybody wanted them. Nowadays they are avoided like the plague. How many other widgets that we take for granted will follow this fate? The humble toolbar, perhaps, which is cursed with ugly and small buttons identified only by an obscure picture? Is the “less is more” web solution of hyperlinks and image buttons sized in proportion to their importance going to replace them? I hope so.

3. Luis touches on deployment but doesn’t discuss it further. Havoc Pennington also talks about it in the context of well behaved desktop apps. One of the good yet annoying things about the Mac is that many apps now ship with Sparkle and auto-update themselves. It’s a slick little library and works well, but unfortunately it shows release notes before doing the update and generally requires user interaction/thought. Once all your apps use this, you quickly realise that (a) every app has bazillions of small releases and (b) every developer lists every change in excruciating detail.

   Web apps don’t install. They don’t update. They just appear when you need them and magically get better over time. In a world where people don’t even want to wait 2 seconds for something to appear, this is a HUGE deal! Software installation and update is, even in the best cases, slow fragile and annoying. Better to dispense with it entirely (as ZeroInstall tries to do).

4. Often, web apps have more information, so can do a better job. For instance GMails spam filtering can take advantage of knowing who is in your address book, whether a message is part of an existing thread you took part in, and so on (disclaimer: i am not saying it actually does this, just that it could do theoretically). The traditional server/client split prevents this setup, reducing the quality of the spam filtering for everyone.
5. Final point. There is no cult of consistency in web app development. You are free to create something as ugly or beautiful as you are able. Users really respond to looks, all companies know the importance of appearance and brand but traditional client side development makes it hard to achieve this. Apple, Microsoft and many other companies therefore waste millions of dollars whilst each app creates their own widget toolkit to get a distinctive look. The web recognises the importance of style from the get-go.

There are many things web apps cannot do, but perhaps to bring about the fundamental improvements I talked about in a previous entry the right solution is to extend the web (as opposed to Luis’ approach of making a client side platform that has the same advantages as the web).

the global baby bust

The global baby bust

Summary: Most people think overpopulation is one of the worst dangers facing the globe. In fact, the opposite is true. As countries get richer, their populations age and their birthrates plummet. And this is not just a problem of rich countries: the developing world is also getting older fast. Falling birthrates might seem beneficial, but the economic and social price is too steep to pay. The right policies could help turn the tide, but only if enacted before it’s too late.

more conferences

Busy week! On Monday/Tuesday/Wednesday I went on-call for Google Earth. Fortunately nothing much went wrong (that wasn’t of my own doing). We now have very cool Wikipedia integration, and have connected the app to a database of location photos. Sweet!

On Wednesday morning I got up at 5:30 to give a presentation on autopackage to the LSB meeting in Berlin. Unfortunately I wasn’t able to stick around and hear feedback. On Wednesday evening I flew out to Oregon for the OSDL Desktop Architects Meeting. This was a combination of cool and depressing. Cool things: meeting Paul Davis of the Ardour project at last. Uncool things: hearing (and speaking about) a litany of essentially unsolvable problems with the Linux desktop. Breakout sessions supposed to target these things came back with the conclusion “cannot or will not be fixed”.

It seems now that as desktop Linux has matured, all the easy problems have now been solved, leaving only the hard ones left. 3D composited desktops? Easy. Desktop search engines? Easy. Solving the 3rd party driver problem? Hard. Solving the problems ISVs have? Hard.

To me, this says a lot. The remaining problems discussed at DAM 3 are not, in fact, technical. They are all social. Hardware manufacturers don’t want to wait a year before people can use their hardware, but the kernel developers won’t compromise (even for open drivers). Distros don’t want to “ossify” the platform by leaving old libraries in the base install sets, but ISVs don’t want to port apps between each distro release. Audio developers still can’t agree on a simple way to solve audio mixing, but it’s considered a basic feature the desktop must have.

The list goes on and on. The amount of time spent discussing print dialogs, of all things, was astonishing and disturbing – zoomed in so far the big picture becomes lost, it seems the more insignificant the problem the more community brain cycles it takes.

But there is a bigger point, that I thought about bringing up at the end of the meeting but then didn’t have the heart to do so.

If every hard problem discussed at DAM 3 was to be somehow magically solved by tomorrow we would at best have created something competitive with MacOS X. However, MacOS X is not at all competitive.

Have you ever wondered why Apple has no competitors in the integrated-hardware-OS space? It’s because it’s a fundamentally insane business to be in. Nobody in their right mind would want to produce something like the Mac today. The expense of implementing a desktop OS from scratch is mind-blowing. The risks of losing ISV support are terrifying. Most of all the rewards are too small.

I say the Mac exists only because Apples history requires it to exist, because Jobs requires it to exist, because Apples shareholders require it to exist. It doesn’t exist because it actually makes sense, as a project.

But how can I say it doesn’t make sense? Hasn’t MacOS had a huge impact? Is it not potentially the inheritor of the Windows throne?

I don’t believe so. MacOS X is no longer the new and hopeful youngster it once was. No longer can it claim to be a serious challenger to the Windows desktop. It’s now been years since it first came out, and its main achievement has been to keep the Mac platform alive. It has failed to win significant marketshare, it has failed to truly revolutionise computing (sorry but I don’t consider 128×128 icons to be a revolution), most damningly of all it’s completely failed to gain traction in business and as a result, the size of its userbase remains tiny and inconsequential.

Windows has won, completely and utterly. It has fended off two challengers with key advantages it couldn’t match: in Apples case, seamless hardware/software integration combined with a fresh start. In the case of Linux, the open development model that made financial failure impossible and broke the catch-22 of “where does the software come from?”. In both cases, those advantages were not enough. Windows remained and even extended its lead, despite simultaneously stagnating as a project.

How did that happen? Put simply, people always over-estimate the importance of something new and always under-estimate the cost of removing something old. A software ecosystem is like a pond. If you keep draining it to clean the water, you’ll kill most of the fish swimming in it. Those fish will never breed and so the fish population will never expand. This is the problem Linux has today – the constant churn massively increases support costs for a Linux port. As a result, many companies decide not to bother (sometimes even after they did the work of producing the port!), and so there aren’t many ISV applications, and so it always seems like the cost of yet another API break is minor. It’s a self-fulfilling prophecy.

Apple are trying to drain the ocean. By creating an alternative to Win32 and asking developers to use it, they are throwing out the old and replacing it with ….. something pretty much the same. C++ changes to Objective C, CWindow changes to NSWindow, but ultimately the bread and butter of desktop applications doesn’t change. It’s still boils down to putting widgets in windows. This then is the key to their failure: the benefits of the Mac are trivial and the costs of moving our infrastructure to it are enormous. No matter what Apple might like to believe MacOS is not a big enough leap over Windows, it’s not revolutionary enough to justify rewriting all that software and retraining all those people. Neither is Linux, hence our problem.

You could argue that the goal of “Linux”, whatever that is, is simply to be free and not to necessarily be an improvement. RMS would argue that. It’s a fine argument and a fine position to take, but it makes OSDL and the DAM meetings pretty much irrelevant because they are focussed on solving practical usability problems. It also means you can’t ever complain when your laptop fails to suspend or some cool new app comes out that you can’t run.

To stand a chance of displacing Windows, you must build something fundamentally better. Not a little bit better, not even a lot better. Something fundamentally better. For a certain class of programs web apps were fundamentally better and over time huge amounts of software were indeed rewritten on top of the browser. That never happened for operating computers as a whole though. So … what might such a thing look like? Well, it’s not likely to be an installable operating system. More likely, it’ll be some new kind of computing device based on many of the technical innovations of the past 20 years – digital paper, 3D mice, provable type systems, whatever. I don’t know what it might look like. But when a significant number of people own both the new device along with a Windows based PC, and never think anything of it, you know you’re winning.

olpc is genius

If you haven’t done so already, go read the OLPC HIG now. I swear to God, this document is a work of pure, inspired genius. Will it work? I don’t know. But if you have an ounce of interest in your body for design, you will admire their balls and creativity.

This UI is quite simply one of the deepest and most interesting redesigns of the desktop user interface ever produced. It makes MacOS look like what it is – boring and unoriginal. The list of things this UI gets right is so long it makes my head spin:

• It actually uses Fitts Law effectively. Compare that to Windows/MacOS/GNOME/KDE which basically do nothing with the 4 corners of the screen (maybe you can set a corner to activate the screensaver or something similarly rare).
• Network and presence is fully integrated into the core of the design
• They threw out the clipboard and replaced it with something that doesn’t suck
• They junked 2.5D, which is something that regularly confuses less technical types or people who are older and haven’t grown up with WIMP style ui (notice how many Windows users have every window maximized all the time and simply use the taskbar to switch between active tasks).
• They junked the address bar. You can still type in URLs but now it just shows you the title of the page. I want them to make anything you type in here go to a search if it doesn’t parse as a URL – Firefox almost but not quite gets this right. Given that nearly all the top queries on Google are the names of websites, it’s quite clear that huge numbers of people still don’t understand the address bar and the structure of URLs despite them being everywhere around us. Usability studies done on web browsers also confirm this. And who can blame them? URLs not only have a stupid TLA as a name, they are full of weird punctuation and bizarre acronyms like “http”, “www”, “com” etc.
• The Bulletin Board sharing concept is marvellous – a single, simple idea can be used to not only keep track of your own work, but to share it with others, and review/collaborate using spatial comments.
• They junked open/save – wow, it only took like 15 years! The “Journal” acts as a temporal log of major things you do with the laptop, allowing for easy rewinding of any particular object (file/document) or even the state of the whole machine. The filing system is of course fully versioned. The Journal can even be used to track progress on a particular project or piece of work.
• Process vs document has been cleaned up – every document is a separate instance of an activity (application) in the UI. This means an end to the confusing separation between “running application” and “document within that application”, the legacy of which still haunts us to this day.
• Icons transmit information, and are SVG only. Basic activity icons are simplified to monochrome black/white icons. Once started, they are filled with the childs unique XO colour that represents them in the mesh. Therefore an instance of an activity can always be linked to who started it (assuming the users pick unique colours for themselves and aren’t totally colourblind like me). That’s a neat way of further integrating presence with the system, at the cost of reducing the visual attractiveness of the system significantly. Given that a lot of the time the screen will be in the black/white outdoor mode though, it probably makes sense.
• Application bundles can be signed by whoever works on them – because there is a “view source” key on the keyboard, anybody can modify an app and distribute it. Some bundles can be signed by official authorities as a mark of trust. Signing or watermarking is used to keep track of the history of the object, allowing credit to be given. Officially signed bundles automatically update across the mesh, allowing updates to be distributed virally through a mix of the mesh and the sneakernet. There is no notification a bundle has been updated – it just happens behind the scenes. There is no explicit software installation, instead joining an activity found via the mesh will download it automatically.
• However, writing viruses for this thing will be much harder if Ivan gets his stuff right (and I think he will), because the security model is totally different – bundles have a very limited but fine grained set of permissions. For instance a bundle cannot trigger a global/system notification. In other words the old user vs root security model has also been dumped.
• The keyboard is adapted to the UI. They need to be careful with this – one of the buttons has a picture of lips and eyes, which I believe are considered offensive in some cultures. There is a “view source” key (overloads +=) that lets you see under the hood. There are analog slider keys for things like volume, etc. They removed caps lock (hurrah). I think they could have gone further with this, for instance, the “alt gr” key still exists. It has a legitimate use here but the label is still rather questionable. The trackpad area can be used both as a regular trackpad/mouse input and also as a graphics tablet (it’s much wider than a regular trackpad for this reason).

The HIG is not finished and significant work remains (eg widget definitions). Still, what’s there is fantastic. The existing computer design we use has changed only a bit since the Xerox PARC days, and OLPC is breathing some fresh air into the space. It could be a complete disaster, we won’t know until it’s been tried, but at least they are trying.

Incidentally I have now seen an actual laptop in real life. They are quite cute, much smaller than a regular laptop, though there were quite a lot of random holes/buttons/etc on the laptop that I think they should cut down on.

the ubuntu devconf

A week or so ago I went along to the Ubuntu Developer Summit at Google HQ. I saw Mirco demo some of his new toys, met up with Christian and Alex from VMware, but more importantly had an interesting hour-long session with the Ubunterians about packaging and third party software – all the usual stuff.

I’ll be doing it all over again in a few weeks at the OSDL summit, as well.

Here are some notes on the result of that chat:

• It was generally agreed there were problems and it’d be nice to resolve them. Some time was spent talking about the issues that 3rd parties have (eg ELF misdesigns)
• There was disagreement about the solutions. The Ubuntu guys see themselves as not being Linux but rather something else. “There is a reason it’s not called Ubuntu Linux”, it was said. They don’t want ISVs to write software for Linux but instead write it for Ubuntu (and by implication, either not bother with Red Hat/Novell or “port” apps individually). The fact that Ubuntu doesn’t really have enough market share to justify porting apps to it specifically doesn’t really matter.
• There was a strong feeling that the goal of standardisation across distributions is inherantly incompatible with the fundamental idea of a distro. The logic goes, what is a distro if not a set of patched packages? Standardisation takes away the ability to modify packages. Therefore we can no longer improve things beyond the base. Therefore we cannot build a distro. Therefore standardisation is a bad thing.
• There was talk of using virtualisation, efficiency tradeoffs etc – so if the Ubuntu guys want to fork GTK and mess around with some API then patch the apps which break, that’s fine, as long as they provide a “pristine” upstream copy that standardised apps run against. It means less efficiency if you run both upstream binaries and downstream binaries at once but it improves reliability. But they weren’t keen on even this compromise.
• They were surprised that Inkscape considered itself as an ISV. There wasn’t much awareness of the problems open source projects can have with distributions – like slow updates, odd patches etc. The fact that Inkscape are building autopackages I think was a surprise.
• I had to leave after an hour for a cap planning meeting, but I asked wasabi (who was present) what the conclusions were afterwards. Apparently it boiled down to “well this sucks but what are we going to do about it?”. Answer: nothing.

This sort of conversation makes me very cynical about the relevance of the OSDL and LSB. It is easy to pick on Ubuntu here but in practice I know this kind of thinking is endemic to the distributions … it would have been exactly the same at a Fedora conference. It was a shame that Mark Shuttleworth didn’t show up – his blog entry is the only reason I went along, as I’ve had similar conversations via email before so knew what to expect. Unfortunately it sounded like he had a lot of pushback on those plans and they are now being watered down to simply being “it’d be nice if source compiled the same on every distro”, which is basically where we are today, sort of, except because there are no ISVs there’s no real incentive to keep it that way and sometimes it breaks.

Nonetheless I’ll be going to the OSDL DAG meeting in Oregon in December, this time representing Google instead of only myself. And I’ll be saying exactly the same things as we always have done.

macos vs linux

When you join Google as an SRE they ask you what kind of laptop you want. When I joined the choice was between a MacBook Pro and a Windows based ThinkPad. I believe Linux laptops are either going to be supported “real soon now” or were just added, but given the choice I went for the MacBook. This was a smart move – SRE work revolves around UNIX and the Mac is the lesser of the two evils in this respect.

Eventually the plan is to get a desktop and move entirely back to Linux. For various reasons that can’t happen until 2007 though.

Until then, I am stuck with a Mac. Here are some things I like about it:

• I can search for and download pretty much any random app and it’ll work.
• It suspends and boots very fast. The boot/shutdown is very polished.
• VPN integration is seamless
• It has an integrated webcam that works really well
• The magnetic power connector is neat
• I can scroll by putting two fingers together on the touch pad and dragging
• Having the menu bar at the top allows for some nice unified app/toolbar aesthetics

Unfortunately the list of things I don’t like is much longer. For most of these issues Linux or non-Apple hardware is better.

• Heat
• You can’t adjust the font size on a global basis (!!)
• Awkward keyboard. One key is labelled with an unpronouncable symbol. The ctrl button doesn’t extend all the way to the end, so I’m constantly hitting “fn” instead of control, or the command key instead of alt. No right mouse button. Eject is just above delete, so I eject CDs into my stomach.
• Crap window management, eg, there are no virtual desktops, you cannot maximize anything, and the only way to select a window you can’t see is to use they keyboard or expose, which is worthless for windows that all look the same when shrunk (eg, emacs buffers or terminals).
• Talking of emacs, the native version seems to be “Aquamacs”, which has some extremely questionable modifications. By default every buffer opens in its own window. This is apparently The Mac Way, but it’s also The Wrong Way. In a big emacs session I can easily have 10-20 buffers open at once, and having each one in a separate window would be insane. Another annoying Mac-ism: Command-Q is bound to quit, which is right next to Alt-Q (fill paragraph).
• The terminal emulator is crap. It uses some non-standard font that doesn’t resize or anti-alias correctly, there are no tabs, hitting Ctrl-C doesn’t do what you’d expect and it has to be closed manually after the shell ends. It doesn’t have desktop transparency either …. it can only do real transparency which is too distracting.
• Even if the terminal emulator ruled, the FreeBSD userland would let it down. I’m sure it’s great if you’re used to it, but I grew up with GNU and trivial stuff like the lack of colour ls now bugs me all the time. Half the command line options I try to use either don’t exist or have different names.
• Basic developer tools like subversion are not installed even with the developer tools pack. Installing them using the system installer doesn’t tell you where the files went ….. in this case into /usr/local/bin which isn’t in the path!
• Riddled with pointless inconsistency. Some apps unload when you can’t see them anymore, others don’t. Some apps use one theme, some use another, and “plastic” apps using the newest theme switch back to the original pinstripe when not focussed. This is way more distracting that it sounds!
• Many apps, including the Finder, like to block for long periods on network IO. You can’t bring them to the front when this happens.

Looks are a wash. A lot of people say MacOS is prettier than Linux, and that was certainly true 3 years ago but these days the differences are irrelevant. Apple have toned down the eyecandy progressively over time and the Linux guys have increased it, so they now meet somewhere in the middle. The latest iTunes uses the same shade of grey that Windows 95 did, and uses custom scrollbars that are no longer patterned. It still looks professional, but it’s no longer got any “wow” factor left. Meanwhile the latest Ubuntu looks great. When Christian was using his tricked out compiz/gnome desktop in Happy Donuts a few weeks ago, a stranger came over and started asking about it. He’d seen the cube and wanted it on his machine. Explaining what an OS was proved interesting …

why is heap allocation slow

A few months ago I wrote an article on garbage collection, Java and C++. One of the comments asked why heap allocation is so slow.

Heap allocators are slow because they are complex. The real trick is, why are they complex?

A malloc has to balance several competing factors with each other. Different mallocs are tuned for different things, and a common trick to improve performance in C/C++ based apps is to use a different heap allocator to normal. The malloc used on Linux is an improved version of Doug Lea’s generic malloc which is tuned for typical workloads.

A malloc must:

• Be able to quickly find a chunk of memory of at least the requested size
• Be able to quickly free that chunk again
• Avoid wasting space
• Try to keep allocations together contiguously, as that improves locality and cache utilisation

The simplest implementation of malloc() just increments a pointer each time it’s called, so advancing the edge of the heap, and the simplest implementation of free() does nothing. In fact that’s what modern Java mallocs actually do (when you call new). Of course it’s not quite that simple – if you use new inside a tight loop expect to see a large speed hit. The last time I optimised a piece of Java code, removing new from loops was one of the biggest wins.

In a C++ app with no garbage collector, of course this is a fast but naive strategy. It won’t be long until you run out of memory. Instead free() has to mark that block as no longer in use, then malloc() needs to reuse it when it can.

This sounds simple but can quickly lead to poor performance. The next simplest implementation of malloc() would scan the heap looking for blocks marked as free of the right size, return that if found else increment the edge of the heap. On UNIX this is done by using the sbrk syscall to move the “program break”.

But what if there are no blocks of exactly the right size? The obvious improvement is to let malloc() return freed blocks that are equal to or larger than the requested size. The app won’t use all the returned space of course so we’re still wasting some, but we can chop the returned block in two before returning it.

Hmm. This works but for some reason our app is seeing large random drops in performance. What’s up with that?

mallocs must understand the hardware

Let’s take a quick detour into hardware design. When a CPU wants to read a value from memory into a register, the cache controller might eventually need to communicate with main RAM. When it does so, it writes the address required onto the bus, and the RAM controller circuitry at the other end will write the requested values back. For various reasons, CPUs don’t see memory as an array of bytes but rather machine words which on a 32 bit system will be 32 bits long, on 64bit systems 64 bits and so on. Despite this, as a programmer you see memory in terms of an array of bytes (or bits) and you can access any one of them as you wish.

The impedence mismatch between the two views can sometimes cause weird problems. If you attempt to read into the middle of a machine word, most CPUs will trigger an exception and stop running your program. We say the access was not aligned. x86 chips are a bit more friendly, they have dedicated circuitry that will “fix up” the access and trigger two reads, merge them together and return the unaligned value as the programmer might expect. Because of the extra work involved, unaligned access is slow.

For this reason, it’s important that a malloc implementation ensure that it always returns aligned memory. Compilers will also pad structures to ensure that the members fall on aligned addresses (meaning that a structure may actually be bigger than you’d think). Between the compiler and the malloc, the system co-operates to keep unaligned accesses to a minimum and so improve performance.

back to malloc

OK, so we fix our malloc to ensure it always returns blocks that are properly aligned and performance is back to what we’d expect. Great. Well, there is still work to do. Let’s say we allocate a block of 12 bytes, another one of 12 bytes, then free both of them. Now we allocate a block of 24 bytes. The obvious thing to do is re-use both of the freed blocks, but under our previous algorithm that won’t happen. We need to merge the two freed blocks together, so we can find them again inside malloc().

Where should this merging take place? The obvious place is inside free, but then code that expects free to be fast will suddenly start to suck. Worse, merging could take arbitrarily long …. we could merge two blocks, and find that we can suddenly merge many more freed blocks together. How long should we spend doing this? It depends on the behaviour of the app.

Most allocators don’t provide any time guarantees at all for malloc or free. They can take as long as they want, for this sort of reason.

OK, so we merge free blocks together, make sure to allocate aligned memory, re-use freed memory where possible …. hmm what else? Well, our malloc is still quite slow because it has to scan the entire heap looking for freed memory. This could actually be slower than just grabbing some space at the end, because you might swap in the entire heap.

A better solution would partition the heap into partitions of different sizes, allowing you to scan only the part that might contain free chunks of the required size. Of course if you also merge free blocks then these partitions may stop being accurate, and once allocated memory cannot be moved without special tricks.

Unfortunately, it’s still possible to lose with such an allocator. An obvious case is a process that allocates lots of small blocks while it processes some data, then allocates another block to hold the result, then frees the intermediate blocks. The result is a large span of empty space within the heap available to be reused, but at the top of the heap right next to the program break is a result block that is still in use. This high block now pins the break so the empty space cannot be returned to the operating system, forcing other processes into swap.

A smart allocator can use mmap rather than relying on sbrk and unmap the intermediate free pages, so returning the memory to the operating systems global free pool. However, this requires you to track free-ness not only at a block but also page level.

Phew! As you can see, making a semi-decent allocator is a lot of work. Doug Lea has been at it for literally decades, and todays modern allocators are a careful balance of compromises. Nowadays the Linux glibc can even do error detection and spot heap corruption.

GLib provides special purpose allocators you can use if you find malloc to be a bottleneck, but if you do first check to see if you can eliminate the allocation entirely.

Photo by Shannon Mary and atonal

autopackage 1.2 finally released

Hear ye, hear ye. Autopackage 1.2 is finally out!

It’s been a long time in coming, largely due to a lack of time and motivation on my part but thanks to the hard work of Curtis, Isak and Taj the release has finally seen the light of day – a huge relief for all concerned I’m sure!

The list in the announcement makes it look like the changes are far smaller than they really are. A throwaway statement about statistical analysis hides a complete framework for optimisation of installer success rates. That was one of Curtis’ successes. In the spirit of open source collaboration you can now see which projects are frequently failing to install and could use work, along with hard numbers to show how many users are having problems. The statistics collection process itself is entirely anonymous (we don’t even record IP addresses) and can be easily disabled by the user if they so wish.

Other changes include improved user interfaces in many parts, improved localisation, the ability to uninstall older versions installed using RPM, better C++ support and more. Most of the new features are interesting for developers rather than end users, but I think this is correct and as it should be – the job of an installer is to be as boring and inconspicuous as possible. There’s also the usual assortment of many small bug fixes, new APIs and distro compatibility improvements.

Well done everyone! Well done.