slack_justyb writes: As previously indicated on Slashdot, Rust was slated to be coming to the Linux Kernel sometime in the 6.x version. Well wonder no longer on which version of kernel 6.x will have the first bits of Rust officially in the kernel, as Linus has confirmed that 6.1 will be the first with the new NVMe kernel drivers being in Rust. The first version non-production ready code for the NVMe Rust based kernel drivers were already producing performance comparable to C code. So the final drivers to hit 6.1 are already looking promising. It also helped Rust's case that, thanks to the ground-breaking work of Linux kernel and Rust developer Miguel Ojeda, Rust on Linux has gotten much more mature. Kernel maintainers were convinced it is time to move forward with Rust in Linux. In short, they agreed that Rust on Linux was ready for work.

Recently the authors of Elements of Publishing shared an update. "After ten years in print, our publisher decided against further printings and has reverted the rights to us. We are publishing Elements of Programming in two forms: a free PDF and a no-markup paperback."

And that's not the only old book that's getting a new life on the web...

22 years ago, long-time Slashdot reader Stephen T. Satchell (satch89450) co-authored Linux IP Stacks Commentary, a book commenting the TCP/IP code in Linux kernel 2.0.34. ("Old-timers will remember the Lion's Unix Commentary, the book published by University xerographic copies on the sly. Same sort of thing.") But the print edition struggled to update as frequently as the Linux kernel itself, and Satchell wrote a Slashdot post exploring ways to fund a possible update.

At the time Slashdot's editors noted that "One of the largest complaints about Linux is that there is a lack of high-profile documentation. It would be sad if this publication were not made simply because of the lack of funds (which some people would see as a lack of interest) necessary to complete it." But that's how things seemed to end up — until Satchell suddenly reappeared to share this update from 2022: When I was released from my last job, I tried retirement. Wasn't for me. I started going crazy with nothing significant to do. So, going through old hard drives (that's another story), I found the original manuscript files, plus the page proof files, for that two-decade-old book. Aha! Maybe it's time for an update. But how to keep it fresh, as Torvalds continues to release new updates of the Linux kernel?

Publish it on the Web. Carefully.

After four months (and three job interviews) I have the beginnings of the second edition up and available for reading. At the moment it's an updated, corrected, and expanded version of the "gray matter", the exposition portions of the first edition....

The URL for the alpha-beta version of this Web book is satchell.net/ipstacks for your reading pleasure. The companion e-mail address is up and running for you to provide feedback. There is no paywall.
But there's also an ingenious solution to the problem of updating the text as the code of the kernel keeps changing: Thanks to the work of Professor Donald Knuth (thank you!) on his WEB and CWEB programming languages, I have made modifications, to devise a method for integrating code from the GIT repository of the Linux kernel without making any modifications (let alone submissions) to said kernel code. The proposed method is described in the About section of the Web book. I have scaffolded the process and it works. But that's not the hard part.

The hard part is to write the commentary itself, and crib some kind of Markup language to make the commentary publishing quality. The programs I write will integrate the kernel code with the commentary verbiage into a set of Web pages. Or two slightly different sets of web pages, if I want to support a mobile-friendly version of the commentary.

Another reason for making it a web book is that I can write it and publish it as it comes out of my virtual typewriter. No hard deadlines. No waiting for the printers. And while this can save trees, that's not my intent. The back-of-the-napkin schedule calls for me to to finish the expository text in September, start the Python coding for generating commentary pages at the same time, and start the writing the commentary on the Internet Control Message Protocol in October. By then, Linus should have version 6.0.0 of the Linux kernel released.

I really, really, really don't want to charge readers to view the web book. Especially as it's still in the virtual typewriter. There isn't any commentary (yet). One thing I have done is to make it as mobile-friendly as I can, because I suspect the target audience will want to read this on a smartphone or tablet, and not be forced to resort to a large-screen laptop or desktop. Also, the graphics are lightweight to minimize the cost for people who pay by the kilopacket. (Does anywhere in the world still do this? Inquiring minds want to know.)

I host this web site on a Protectli appliance in my apartment, so I don't have that continuing expense. The power draw is around 20 watts. My network connection is AT&T fiber — and if it becomes popular I can always upgrade the upstream speed.

The thing is, the cat needs his kibble. I still want to know if there is a source of funding available.

Also, is it worthwhile to make the pages available in a zip file? Then a reader could download a snapshot of the book, and read it off-line.

The Linux Foundation has announced plans for a new collaborative initiative designed to support interoperability across digital wallets, built on an open source bedrock. From a report: The OpenWallet Foundation (OWF), as the new effort is called, is the brainchild of Daniel Goldscheider, CEO of open banking startup Yes.com, though today's announcement reveals a broad gamut of buy-ins from multiple industry players including Okta, Ping Identity, Accenture, CVS Health, OpenID Foundation, among several other public and private bodies. With the Linux Foundation serving as the project's host, this gives OWF sizeable clout as it strives to enable what Goldscheider calls a "plurarity of wallets based on a common core," according to a press release. The news also comes as regulatory bodies across the globe are moving to support competition through enforcing interoperability across systems, including Europe which is currently trying to make messaging interoperability a thing.

VMware engineers have tested the Linux kernel's fix for the Retbleed speculative execution bug, and report it can impact compute performance by a whopping 70 percent. The Register reports: In a post to the Linux Kernel Mailing List titled "Performance Regression in Linux Kernel 5.19", VMware performance engineering staffer Manikandan Jagatheesan reports the virtualization giant's internal testing found that running Linux VMs on the ESXi hypervisor using version 5.19 of the Linux kernel saw compute performance dip by up to 70 percent when using single vCPU, networking fall by 30 percent and storage performance dip by up to 13 percent. Jagatheesan said VMware's testers turned off the Retbleed remediation in version 5.19 of the kernel and ESXi performance returned to levels experienced under version 5.18.

Because speculative execution exists to speed processing, it is no surprise that disabling it impacts performance. A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs -- silicon released between 2015 and 2017 that will still be present in many server fleets. Subsequent CPUs addressed the underlying issues that allowed Retbleed and other Spectre-like attacks.

"The GNOME desktop environment is one of the most popular user interfaces and suites of apps available for desktop Linux distributions," writes Liliputing.

"Now a team of developers have been working to bring GNOME to mobile devices running Linux-based operating systems." GNOME Shell for mobile provides a touch-friendly user interface optimized for smartphones and tablets. And while it looks a bit like Android or iOS at first glance, there are a few key differences. The GNOME team have outlined some of them in an article about recent updates to GNOME Shell on mobile.

Like other modern mobile user interfaces, you interact with GNOME shell using taps, swipes, and other gesture-based navigation. What's different is that Android has three different views for navigation: a home screen, app drawer, and multitasking view. iOS has two: home screen and multitasking. But GNOME Shell has a single screen that allows you to view and launch apps and switch between running apps using gestures. There's no need to wait for a new screen to load. In a nutshell, you can swipe up from the bottom of the any screen to view a list of installed apps, thumbnail images showing all currently running apps, and a search box. You can tap an app icon to launch a new app, enter a term in the search box to find an app, or swipe between running apps to switch which app runs in the foreground.

You can also keep swiping upward to shrink the multitasking thumbnails and provide more room for app icons. And you can flick thumbnail previews upward to remove an app from the multitasking section. Typing in the search box will bring up relevant results including apps and settings.
"One interesting new feature here is that notifications can be swiped away horizontally to close, and notification bubbles can be swiped up to hide them..." the developers point out. "While the current version is definitely still work in progress, it's quite usable overall, so we feel it would make sense to start having experimental GNOME OS Nightly images with it."

But Liliputing also notes that it's not the only GNOME-based UI for mobile devices. There's also Purism's Phosh UI — the default UI for the PureOS on its Librem 5 smartphone (and available for other mobile Linux distros including Debian).

And Purism recently bragged that its smartphone is now also "the first mobile computer with a truly convergent OS" — meaning it can run on multiple hardware platforms, with apps adapting to their hardware. The Librem 5 [smartphone] uses the same convergent PureOS as our Librem 14 laptop and Mini PCs, with the same adaptive applications that make the Librem 5 more than merely a phone, it's a mobile computer in your pocket that can shape shift into a laptop, tablet, desktop, or even a server.... Scale your Librem 5 up to be a full laptop by attaching the Nexdock. Because our core apps are adaptive, they are ready to run on whatever screen you have....

With phosh-mobile-settings installed, you can flip the nexdock around and use the big screen just like a tablet.... Don't have a laptop dock? The Librem 5 can also act like a desktop computer when connected to a screen, keyboard, and mouse using our USB-C dock. Using the beta phom virtual mouse app, you can turn your Librem 5 into a touchpad mouse while it's connected to the big screen.

With the Librem 5, you can keep your desktop computer in your pocket and connect to a bigger screen at home or at the office and use the same apps on the bigger screen without restarting....

With the Librem 5 phone, you're getting much more than smartphone to run mobile-only apps; you're getting a laptop, tablet, desktop, all running software that respects your privacy and freedom.

Here's a warning from the threat intelligence unit of AT&T Cybersecurity, AT&T Alien Labs: With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half year of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads. New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.
But they've discovered a new malware targetting Linux endpoints and IoT devices, stealthily "delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist."

The Register summarizes their report: The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes... AT&T didn't say how the initial infection occurs, but it did say Shikitega exploits two Linux vulnerabilities disclosed in 2021 to achieve its ultimate objective, which AT&T said appears to be the installation and execution of the XMRig cryptocurrency miner.

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available. Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name....>
>
Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.
Ars Technica reports: The ultimate objective of the malware isn't clear. It drops the XMRig software for mining the Monero cryptocurrency, so stealthy cryptojacking is one possibility. But Shikitega also downloads and executes a powerful Metasploit package known as Mettle, which bundles capabilities including webcam control, credential stealing, and multiple reverse shells into a package that runs on everything from "the smallest embedded Linux targets to big iron." Mettle's inclusion leaves open the potential that surreptitious Monero mining isn't the sole function....

Given the work the unknown threat actors responsible devoted to the malware's stealth, it wouldn't be surprising if the malware is lurking undetected on some systems.

"There's been a big rise in ransomware attacks targeting Linux," reports ZDNet, "as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security." According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems.

Linux powers important enterprise IT infrastructure including servers, which makes it an attractive target for ransomware gangs — particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime. Researchers note that ransomware groups are increasingly tailoring their attacks to focus specifically on Linux systems. For example, LockBit is one of the most prolific and successful ransomware operations of recent times and now offers the option of a Linux-based variant that is designed to target Linux systems and has been used to conduct attacks in the wild....

And it isn't just ransomware groups that are increasingly turning their attentions towards Linux — according to Trend Micro, there's been a 145% increase in Linux-based cryptocurrency-mining malware attacks, where cyber criminals secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves. One of the ways cyber criminals are compromising Linux systems is by exploiting unpatched vulnerabilities. According to the report, these flaws include CVE-2022-0847 — also known as Dirty Pipe — a bug that affects the Linux kernel from versions 5.8 and up, which attackers can use to escalate their privileges and run code. Researchers warn that this bug is "relatively easy to exploit".
The article recommends installing all security patches as soon as they're available — and implementing multi-factor authentication across your organization.

And yes, it's the real ZDNet. They've just re-designed their web site...

Here's a Linux distro scoop from IT World Canada. "Gregory Kurtzer, who founded and once led the former open-source project CentOS Linux as well as The cAos Foundation, the organization where early development of it took place, said today a governance structure has been put in place that will keep Rocky Linux in the public domain forever." Development of Rocky Linux began shortly after, in late 2020, Red Hat terminated development of CentOS, a community-based Linux distribution derived from Red Hat Enterprise Linux (RHEL) that had been in existence since 2004. It is named after Jason Dale "Rocky" McGaugh, a talented programmer involved in CentOS development, who passed away in December 2004 at the age of only 30. Asked what McGaugh might have thought of the OS being named after him, Kurtzer told IT World Canada, "to be honest, he was a shy guy. I don't know if he would have liked the attention, but at the same token, he was a huge advocate of open source and a big fan of open source.

"Personally, I don't think he would have liked what happened with CentOS."

Kurtzer added that "what we are doing with Rocky Linux is really where he would have liked to see the project and open source going. When we named it Rocky Linux, it was a hat tip to him for everything he has done, not only in open source and high-performance computing (HPC), but also with the CentOS project.

"One of the last e-mails that he wrote to the e-mail list was that he was 99 per cent done development of CentOS. It was pretty much ready to go when he passed, but he never saw it released."

The key for an open-source initiative to grow and flourish, said Kurtzer, lies with registering it as a non-profit organization, which was the case with The cAos Foundation. He has done the same with Rocky Linux.
It's official name is the Rocky Enterprise Software Foundation, "backed by an advisory board of trusted individuals and team leads from the Rocky Linux community."

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

"Debian currently doesn't load non-free firmware by default on its systems," reports Phoronix, "even when it means no working hardware support/acceleration without those binary elements. Not loading the non-free firmware can also mean missing out on security updates or for addressing usability issues."

Now the Debian community is discussing three proposals on how non-free firmware should be handled going forward (before a vote in September).

Proposal A and B both start with the same two paragraphs: We will include non-free firmware packages from the "non-free-firmware" section of the Debian archive on our official media (installer images and live images). The included firmware binaries will normally be enabled by default where the system determines that they are required, but where possible we will include ways for users to disable this at boot (boot menu option, kernel command line etc.).

When the installer/live system is running we will provide information to the user about what firmware has been loaded (both free and non-free), and we will also store that information on the target system such that users will be able to find it later. The target system will also be configured to use the non-free-firmware component by default in the apt sources.list file. Our users should receive security updates and important fixes to firmware binaries just like any other installed software.
But Proposal A adds that "We will publish these images as official Debian media, replacing the current media sets that do not include non-free firmware packages," while Proposal B says those images "will not replace the current media sets," but will instead be offered alongside them.

And Proposal C? "The Debian project is permitted to make distribution media (installer images and live images) containing packages from the non-free section of the Debian archive available for download alongside with the free media in a way that the user is informed before downloading which media are the free ones.

An anonymous reader shares a report: While mostly of benefit to server administrators with large fleets of hardware, Linux 6.1 aims to make it easier to help spot problematic CPUs/cores by reporting the likely socket and core when a segmentation fault occurs, which can help in spotting any trends if routinely finding the same CPU/core is causing problems. Queued up now in TIP's x86/cpu branch for the Linux 6.1 merge window in October is a patch to print the likely CPU at segmentation fault time. Printing the likely CPU core and socket when a seg fault occurs can be beneficial if routinely finding seg faults happening on the same CPU package or particular core.

"After a slight delay due to an installer issue, the first point release for Ubuntu 22.04 has been officially released," swrites Jack Wallen for TechRepublic.

"Although point releases are often overlooked by users, because they aren't major upgrades, this time around you should certainly run the upgrade immediately." The biggest reason is that this point release combines all of the security fixes and improvements that have been added since the initial release of Jammy Jellyfish. So, if you haven't bothered to upgrade Ubuntu 22.04 since you first installed it, which you should have been doing all along, this point upgrade will add everything you've missed in one fell swoop. One of the biggest upgrades for end users will be the ability of 20.04 users to upgrade to the latest release without having to touch the command line. At some point, users of 20.04 will see an upgrade prompt on their desktops, allowing them to easily make the jump to 22.04.1. This is a big deal because previously such upgrades would have required running several commands. That means no more:

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
sudo do-release-upgrade -y

Another point release found in 22.04.1 is GNOME 42, which features a new enhanced dark mode and switches to Wayland by default, with the inclusion of Xorg for unsupported hardware.

An anonymous reader quotes a report from TechCrunch: A new company from the creators of the Godot game engine is setting out to grab a piece of the $200 billion global video game market -- and to do so, it's taking a cue from commercial open source software giant Red Hat. Godot, for the uninitiated, is a cross-platform game engine first released under an open source license back in 2014, though its initial development pre-dates that by several years. Today, Godot claims some 1,500 contributors, and is considered one of the world's top open source projects by various metrics. Godot has been used in high-profile games such as the Sonic Colors: Ultimate remaster, published by Sega last year as the first major mainstream game powered by Godot. But Tesla, too, has apparently used Godot to power some of the more graphically intensive animations in its mobile app.

Among Godot's founding creators is Juan Linietsky, who has served as head of development for the Godot project for the past 13 years, and who will now serve as CEO of W4 Games, a new venture that's setting out to take Godot to the next level. W4 quietly exited stealth last week, but today the Ireland-headquartered company has divulged more details about its goals to grow Godot and make it accessible for a wider array of commercial use cases. On top of that, the company told TechCrunch that it has raised $8.5 million in seed funding to make its mission a reality, with backers including OSS Capital, Lux Capital, Sisu Game Ventures and -- somewhat notably -- Bob Young, the co-founder and former CEO of Red Hat, an enterprise-focused open source company that IBM went on to acquire for $34 billion in 2019.

[...] "Companies like Red Hat have proven that with the right commercial offerings on top, the appeal of using open source in enterprise environments is enormous," Linietsky said. "W4 intends to do this very same thing for the game industry." In truth, Godot is nowhere near having the kind of impact in gaming that Linux has had in the enterprise, but it's still early days -- and this is exactly where W4 could make a difference. [...] W4's core target market will be broad -- it's gunning for independent developers and small studios, as well as medium and large gaming companies. The problem that it's looking to solve, ultimately, is that while Godot is popular with hobbyists and indie developers, companies are hesitant to use the engine on commercial projects due to its inherent limitations -- currently, there is no easy way to garner technical support, discuss the product's development roadmap, or access any other kind of value-added service. [...]

"W4 will offer console ports to developers under very accessible terms," Linietsky said. "Independent developers won't need to pay upfront to publish, while for larger companies there will be commercial packages that include support." Elsewhere, W4 is developing a range of products and services which it's currently keeping under wraps, with Linietsky noting that they will most likely be announced at Game Developers Conference (GDC) in San Francisco next March. "The aim of W4 is to help developers overcome any problem developers may stumble upon while trying to use Godot commercially," Linietsky added. It's worth noting that there are a handful of commercial companies out there already, such as Lone Wolf Technology and Pineapple Works, that help developers get the most out of Godot -- including console porting. But Linietsky was keen to highlight one core difference between W4 and these incumbents: its expertise. "The main distinctive feature of W4 is that it has been created by the Godot project leadership, which are the individuals with the most understanding and insight about Godot and its community," he said.

Linux creator Linus Torvalds has announced the first release candidate for the Linux kernel version 6.0, but he says the major number change doesn't signify anything especially different about this release. ZDNet: While there is nothing fundamentally different about this release compared with 5.19, Torvalds noted that there were over 13,500 non-merge commits and over 800 merged commits, meaning "6.0 looks to be another fairly sizable release." According to Torvalds, most of the updates are improvements to the GPU, networking and sound. Torvalds stuck to his word after releasing Linux kernel 5.19 last month, when he flagged he would likely call the next release 6.0 because he's "starting to worry about getting confused by big numbers again."

On Sunday's release of Linux 6.0 release candidate version 1 (rc-1), he explained his reasoning behind choosing a new major version number and its purpose for developers. Again, it's about avoiding confusion rather than signaling that the release has major new features. His threshold for changing the lead version number was .20 because it is difficult to remember incremental version numbers beyond that. "Despite the major number change, there's nothing fundamentally different about this release - I've long eschewed the notion that major numbers are meaningful, and the only reason for a 'hierarchical; numbering system is to make the numbers easier to remember and distinguish," said Torvalds. Torvalds lamented some Rust-enabling code didn't make it into the release. The Register adds: "I actually was hoping that we'd get some of the first rust infrastructure, and the multi-gen LRU VM, but neither of them happened this time around," he mused, before observing "There's always more releases. This is one of those releases where you should not look at the diffstat too closely, because more than half of it is yet another AMD GPU register dump," he added, noting that Intel's Gaudi2 Ai processors are also likely to produce plenty of similar kernel additions. "The CPU people also show up in the JSON files that describe the perf events, but they look absolutely tiny compared to the 'asic_reg' auto-generated GPU and AI hardware definitions," he added.

Google uses Linux "in almost everything," according to the leader of Google's "product security response" team — including Chromebooks, Android smartphones, and even Google Cloud.

"Because of this, we have heavily invested in Linux's security — and today, we're announcing how we're building on those investments and increasing our rewards." In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called, kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We've learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we've found a way to do so concretely going forward....

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we'll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we're launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we've built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations.....

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.
"We don't care about vulnerabilities; we care about exploits," Vela told the Register. "We expect the vulnerabilities are there, they will get patched, and that's nice and all. But the whole idea is what do to beyond just patching a couple of vulnerabilities." In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. "We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better," Vela said.

"If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this...."

[I]t's not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. "We are trying to find the right combination to captivate people."

Last month fans were worried about CuteFish OS, with its domain timing out, emails going unanswered, and a Twitter feed that hadn't posted anything since March.

But "now it looks like the original development team behind CuteFishOS is coming back to life," according to this report from The New Stack — with a Reddit user planning a fork now saying that's been put on hold, since "I'd be duplicating work for no reason." Last Sunday — on July 31st — CuteFish's official repository on GitHub was updated with a new announcement in its profile. "Your Favorite CutefishOS are back now!" [sic]

It also promised "New website in the works (coming soon)." and pointed to a new URL.

You can see the changes happening right before your eyes. That website's domain — OpenFish.org — was registered just ten days ago, on Thursday, July 28th — and it's still a work in progress. On Thursday afternoon it was pointing to a non-English-language page hosted on the Pakistani cloud platform QCloud — but by Thursday night it was showing a testing page for a NGNIX HTTP server running Red Hat Enterprise Linux.

And there's now also a new README file in CuteFish's GitHub repository listing five items as "progressing." The first item is "official website preparation," but other items include collating the previous pull requests and issues, "fix the existing problem," and eventually adding new features. The sole contributor to the repository appears to be a Chinese coder going under the name of Biukang.
"We are preparing for the restart of CutefishOS," says Biukang's GitHub profile now.

But the article still hails last month's discussion of a fork as "a chance to see open source communities mobilizing into action just to fill a perceived void."

Purism posted an announcement Thursday about their privacy-focused "Librem 5 USA" smartphones. "New orders placed today will ship within our standard 10-business-day window." The Librem 5 USA now joins the Librem Mini and Librem 14 as a post-Just In Time product, one where instead of relying on Just In Time supply chains to manufacture a product just as we need it, we have invested in maintaining much larger inventories so that we can better absorb future supply chain issues that may come our way.

For anyone who is new to the product, the Librem 5 USA is our premium phone that shares the same hardware design and features as our mass-produced Librem 5, but with electronics we make in the USA using a separate electronics supply chain that sources from US suppliers whenever possible. This results in a tighter, more secure supply chain for the Librem 5 USA.

The Librem 5 USA uses the same PureOS as our other computers and so it runs the same desktop Linux applications you might be used to, just on a small screen.

PureOS on the Librem 5 USA demonstrates real convergence, where the device becomes more than just a phone, it becomes a full-featured pocket-sized computer that can act like a desktop when connected to a monitor, keyboard and mouse, or even a laptop (or tablet!) when connected to a laptop docking station. All of your files and all of your software remains the same and follows you where you go. Applications just morph from the smaller screen to the larger screen when docked, just like connecting a external monitor to a laptop.

Everyone who has backed the Librem 5 and Librem 5 USA projects hasn't just supported the production of the hardware itself, they have also supported a massive, multi-year software development effort to bring the traditional Linux desktop to a phone form-factor. Projects such as Phosh (the GUI), Phoc (the Compositor), Squeekboard (the Keyboard), Calls (for calling), Chats (for texting and messaging), and libhandy/libadwaita (libraries to make GTK applications adaptive) all required massive investment and many of these projects have already been moved to the GNOME infrastructure to better share our effort with a larger community.

We are delighted to see that many other mobile projects have recognized the quality of our efforts and adopted our software into their own projects....

The Librem 5 USA was designed for longevity and because we support right to repair, we also offer a number of spare parts in our shop, including replacement modems so you can make sure you support all the cellular bands in a particular continent, replacement batteries for when you ultimately wear out your existing battery, and plenty of other spare parts that haven't had sufficient demand to post formally on our shop (yet). If you need a spare part that isn't yet on the shop, just ask.

ZDNet's Stephanie Condon spoke with Red Hat's new CEO, Matt Hicks, a veteran of the company that's been working there for over 14 years. An anonymous reader shares an excerpt from their discussion: Matt Hicks, Red Hat's new CEO, doesn't have the background of your typical chief executive. He studied computer hardware engineering in college. He began his career as an IT consultant at IBM. His on-the-ground experience, however, is one of his core assets as the company's new leader, Hicks says. "The markets are changing really quickly," he tells ZDNet. "And just having that intuition -- of where hardware is going, having spent time in the field with what enterprise IT shops struggle with and what they do well, and then having a lot of years in Red Hat engineering -- I know that's intuition that I'll lean on... Around that, there's a really good team at Red Hat, and I get to lean on their expertise of how to best deliver, but that I love having that core intuition."

Hicks believes his core knowledge helps him to guide the company's strategic bets. While his experience is an asset, Hicks says it's not a given that a good developer will make a good leader. You also need to know how to communicate your ideas persuasively. "You can't just be the best coder in the room," he says. "Especially in STEM and engineering, the softer skills of learning how to present, learning how to influence a group and show up really well in a leadership presentation or at a conference -- they really start to define people's careers."

Hicks says that focus on influence is an important part of his role now that he didn't relish earlier in his career. "I think a lot of people don't love that," he says. "And yet, you can be the best engineer on the planet and work hard, but if you can't be heard, if you can't influence, it's harder to deliver on those opportunities." Hicks embraced the art of persuasion to advance his career. And as an open-source developer, he learned to embrace enterprise products to advance Red Hat's mission. He joined Red Hat just a few years after Paul Cormier -- then Red Hat's VP of engineering, and later Hicks' predecessor as CEO -- moved the company from its early distribution, Red Hat Linux, to Red Hat Enterprise Linux (RHEL). It was a move that not everyone liked. [...] "As he settles into his new role as CEO, the main challenge ahead of Hicks will be picking the right industries and partners to pursue at the edge," writes Condon. "Red Hat is already working at the edge, in a range of different industries. It's working with General Motors on Ultifi, GM's end-to-end software platform, and it's partnering with ABB, one of the world's leading manufacturing automation companies. It's also working with Verizon on hybrid mobile edge computing. Even so, the opportunity is vast. Red Hat expects to see around $250 billion in spending at the edge by 2025."

"There'll be a tremendous growth of applications that are written to be able to deliver to that," Hicks says. "And so our goals in the short term are to pick the industries and build impactful partnerships in those industries -- because it's newer, and it's evolving."

Microsoft software engineer Stephen Hemminger has proposed removing the DECnet protocol handling code from the Linux kernel. The Register reports: The timing is ironic, as this comes just two weeks after VMS Software Inc announced that OpenVMS 9.2 was really ready this time... That announcement, of course, came some months after the first time it announced [PDF] version 9.2 [...]. The last maintainer of the DECnet code was Red Hat's Christine Caulfield, who flagged the code as orphaned in 2010. The change is unlikely to vastly inconvenience many people: VMS is the last even slightly mainstream OS that used DECnet, and VMS has supported TCP/IP for a long time. Indeed, for decades, the oldest email in this reporter's "sent" folder was a 1993 enquiry about the freeware CMUIP stack for VMS.

One of the easier ways to bootstrap VMS on an elderly VAX these days is to install it on the SimH VAX hardware simulator, and then net-boot the real VAX from the simulated one. Anyone keen enough to do that will be competent to run an older version of Linux just for the purpose. Although their existence is rapidly being forgotten today, TCP/IP is not the only network protocol around, and as late as the mid-1990s it wasn't even the dominant one. The Linux kernel used to support multiple network protocols, but they are disappearing fast. [...] For a long time, DECnet was a significant network protocol. DEC supplied a client stack called PathWorks to let DOS, Windows and Mac clients connect to VAX servers, not only for file and print, but also terminal connections and X.11. Whole worldwide WANs ran over DECnet, and as a teenage student, your correspondent enjoyed exploring them.

"Linus Torvalds just released Linux 5.19 as stable for the newest version of the Linux kernel..." reports Phoronix.

But they also note that on the Linux kernel mailing list, "Torvalds went on to write about his Arm-based MacBook [running an AArch64 Apple M1 SoC]... now under Linux thanks to the work of the Asahi Linux project."

Torvalds wrote: [T]he most interesting part here is that I did the release (and am writing this) on an arm64 laptop. It's something I've been waiting for for a _loong_ time, and it's finally reality, thanks to the Asahi team. We've had arm64 hardware around running Linux for a long time, but none of it has really been usable as a development platform until now.

It's the third time I'm using Apple hardware for Linux development — I did it many years ago for powerpc development on a ppc970 machine. And then a decade+ ago when the Macbook Air was the only real thin-and-lite around. And now as an arm64 platform.

Not that I've used it for any real work, I literally have only been doing test builds and boots and now the actual release tagging. But I'm trying to make sure that the next time I travel, I can travel with this as a laptop and finally dogfooding the arm64 side too.