Security

Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall (linuxsecurity.com)

Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.

CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP.

The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure.

The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.
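The submission describes a pipeline of behaviour analysis over local logs, a local decision against the offending IP, and a curation step before a signal is shared. The sketch below is an added example written for this page (it is not CrowdSec's own code, scenarios or API) showing how such a detector typically works: a sliding-window count of failed SSH logins per source address, a ban decision once a threshold is crossed, and a simplified local stand-in for curation. It assumes OpenSSH-via-syslog log lines, a 5-failures-in-60-seconds threshold, a four-hour ban, a year of 2021 for timestamps that carry none, and a fixed allowlist of local networks whose alerts are never shared; all log lines are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (sample data, not real traffic).
# 198.51.100.7 fails five times within six seconds; 203.0.113.9 fails twice,
# five minutes apart, which should not trip the detector.
SAMPLE_LOG = """\
Jan 10 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 10 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jan 10 10:00:04 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan 10 10:00:06 web1 sshd[1204]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jan 10 10:00:07 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jan 10 10:00:09 web1 sshd[1206]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
Jan 10 10:00:30 web1 sshd[1207]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Jan 10 10:05:30 web1 sshd[1208]: Failed password for alice from 203.0.113.9 port 40101 ssh2
"""

# Assumed log format (OpenSSH through syslog). Syslog timestamps carry no year,
# so one is assumed when parsing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ASSUMED_YEAR = 2021

# Assumed policy: decisions about these networks stay local and are never shared.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_failure(line):
    """Return (timestamp, source ip) for a failed-password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class BruteForceDetector:
    """Sliding-window counter: `threshold` failures from one IP inside `window`
    yield a single ban decision valid for `ban_for` (a Fail2Ban-style scenario)."""

    def __init__(self, threshold=5, window=timedelta(seconds=60), ban_for=timedelta(hours=4)):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps still inside the window
        self.bans = {}                       # ip -> ban expiry

    def feed(self, line):
        """Consume one log line; return a decision dict when a ban is triggered."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:       # drop failures that aged out of the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.bans:
            until = ts + self.ban_for
            self.bans[ip] = until
            return {"ip": ip, "scenario": "ssh-bruteforce", "evidence": len(q), "until": until}
        return None

    def is_banned(self, ip, now):
        """Bouncer-side check; `now` may be a datetime or an ISO-8601 string."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        until = self.bans.get(ip)
        return until is not None and now < until


def run(log_text, detector=None):
    """Feed every line of a log to a detector and collect the decisions."""
    if detector is None:
        detector = BruteForceDetector()
    return [d for d in (detector.feed(line) for line in log_text.splitlines()) if d]


def curate(decision, min_evidence=5):
    """Simplified stand-in for the curation step: share only well-evidenced
    decisions about addresses outside the local networks."""
    addr = ipaddress.ip_address(decision["ip"])
    if any(addr in net for net in LOCAL_NETS):
        return False
    return decision["evidence"] >= min_evidence


if __name__ == "__main__":
    for d in run(SAMPLE_LOG):
        print(f"ban {d['ip']} until {d['until']} ({d['scenario']}, evidence={d['evidence']}),"
              f" shareable={curate(d)}")
```

The split between `BruteForceDetector` (local decision) and `curate` (what leaves the machine) is the point: a local false positive costs one host a four-hour block, whereas a shared one would be replayed across every subscriber, so the sharing threshold should be at least as strict as the local one.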

Linux

Kali Linux 2021.1 Released: Tweaked DEs and Terminals, New Tools, Silicon Macs

Slashdot reader Finuz writes: Offensive Security has released Kali Linux 2021.1, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it. Kali NetHunter, the distro's mobile pentesting platform, now has an upgraded BusyBox engine and tools updated to the latest version (or, in some cases, completely rewritten). There are two new Kali ARM images: one that can be used with VMs on Apple Silicon Macs (Apple M1) and the other for the Raspberry Pi 400's wireless card.

Red Hat Software

Red Hat Introduces Free RHEL for Open-Source Organizations (zdnet.com)

ZDNet brings an update about the future of Red Hat Enterprise Linux: When Red Hat, CentOS's Linux parent company, announced it was "shifting focus from CentOS Linux, the rebuild of Red Hat Enterprise Linux (RHEL), to CentOS Stream," CentOS users were not happy. Now, in an effort to mollify them and to keep its promise to open-source organizations, Red Hat is introducing a new, free RHEL for Open Source Infrastructure. If your non-profit organization, project, standards body, or foundation is "engaged with open source," you can get a free RHEL subscription via this program. Earlier this year, Red Hat introduced no-cost RHEL for small production workloads and for customer development teams...

Jason Brooks, a Red Hat Open Source Program Office Manager, explained:

Supporting the open-source software ecosystem is a core objective for Red Hat... We know that we are part of a larger, interdependent ecosystem that we benefit from and which we do our best to foster and support. This support comes in many forms, but often includes helping open source software projects, foundations, and standards bodies access enterprise technologies for development and testing.

We frequently provide no-cost access to RHEL to these groups, but the process isn't as formalized, consistent, accessible, or transparent as we'd like it to be. With the announcement that we will be shifting our resources to CentOS Stream at the end of 2021, we want to make sure that those organizations engaged with open source have access to RHEL as they build and test the future of open-source software...

The GNOME Foundation's executive director Neil McGovern said:

As a non-profit, we rely on donations to help us achieve our goal of a world where everyone is empowered by technology they can trust. RHEL subscriptions are an essential part of this. With full operating system management and security updates, we can concentrate on the services we provide to GNOME users and developers without having to worry about the underlying systems. Red Hat has generously provided these services to GNOME at zero cost for years, and we look forward to continuing our relationship for a long time to come.

GNOME is also the default desktop in RHEL Workstation.

Google

Google Sponsors 2 Full-Time Devs To Improve Linux Security (theregister.com)

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security. From a report: The internet giant builds code from its own repositories rather than downloading outside binaries, though given the pace at which code is being added to Linux, this task is non-trivial. Google's open-source security team lead Dan Lorenc spoke to The Register about its approach, and why it will not use pre-built binaries despite their convenience. But first: the two individuals full-time sponsored by Google are Gustavo Silva, whose work includes eliminating some classes of buffer overflow risks and on kernel self-protection, and Nathan Chancellor, who fixes bugs in the Clang/LLVM compilers and improves compiler warnings. Both are already working at the Linux Foundation, so what is new?

"Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us. "We've actually been sponsoring it within the Foundation for a number of years. The main change is that we're trying to talk about it more, to encourage other companies to participate. It's a model that works, we're trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that." It is in the nature of open source that Google's funding benefits other Linux users, and it is also in the company's interests. How important is Linux to Google? "It's absolutely critical. Google started on Linux. We use it everywhere," says Lorenc. That being the case, why can Google only manage "Gold" membership of the Linux Foundation ($100,000 per annum), whereas others including Microsoft, Intel, Facebook, and Red Hat are "Platinum", which contributes $500,000 annually? "I'm not sure about that stuff. There are dozens of sub-foundations which we are also members of," he adds. Google is ahead of AWS, which is a mere "Silver" member ($20,000 a year).

Mars

Linux Is Now on Mars, Thanks to NASA's Perseverance Rover (pcmag.com)

"When NASA's Perseverance rover landed on Mars this week, it also brought the Linux operating system to the Red Planet," reports PC Magazine: The tidbit was mentioned in an interview NASA software engineer Tim Canham gave to IEEE Spectrum. The helicopter-like drone on board the Perseverance rover uses a Linux-powered software framework the space agency open-sourced a few years ago. "This is the first time we'll be flying Linux on Mars. We're actually running on a Linux operating system," Canham said.

It also might be the first time NASA has brought a Linux-based device to Mars. "There isn't a previous use of Linux that I'm aware of, definitely on the previous rovers," Canham told PCMag in an email.

Past Mars rovers have used proprietary OSes, largely from the software company Wind River Systems. The same is true for the Perseverance rover itself; the machine has been installed with Wind River's VxWorks, which was used on past Mars missions.

The article also notes that the helicopter-like drone Ingenuity "was built using off-the-shelf parts, including Qualcomm's Snapdragon 801 processor, a smartphone chip."

"Ingenuity is purely a technology demonstration," notes ZDNet. "It's not designed to support the Perseverance mission, which is searching for signs of ancient life and collecting rock and dirt samples for later missions to return to Earth. Its mission is to show that it's possible to fly on Mars using commercial off-the-shelf hardware and open-source software."

Open Source

Did Linux Kill Commercial Unix? (howtogeek.com)

When Dave McKay first used computers, punched paper tape was in vogue, "and he has been programming ever since," according to his biography page at How-To Geek. It adds that "His use of computers pre-dates the birth of the PC and the public release of Unix."

Now long-time Slashdot reader sbinning shares McKay's "short history of UNIX and how Linux got its start," which ultimately asks if commercial Unix was killed by Linux: Unix is still out there, running mission-critical systems that are functioning correctly, and operating stably. That'll continue until the support for the applications, operating systems or hardware platform ceases. If something's genuinely mission-critical and it's working, you leave it working. I suspect someone, somewhere, will always be running a commercial UNIX or Unix-like operating system.

But for new installs? There are enough variations of Linux to make the case to go for a commercial Unix very, very difficult.

AMD

AMD Is Currently Hiring More Linux Engineers (phoronix.com)

According to Phoronix, AMD currently has several interesting job openings on the Linux front. From the report: While AMD has been delivering reliable Linux support with their recent launches, there is room for improvement in areas like more timely compiler support for new processors, better alignment of their new hardware enablement for getting the code not only upstreamed but into distributions for launch-day, and similar areas. Based on recent job postings, it looks like AMD is working to make such strides.

Here is a look at some of the new and currently active Linux-related job openings at AMD: [Manager Linux Kernel Development, Linux Technical Lead, Linux Engineer, and Linux Systems Architect, among other traditional software/hardware engineering roles].

Several of these new job descriptions do begin with, "step up into a new organization built to engage more strategically and deeply with the technical teams of our commercial customers." Interestingly, I only see that opening line on their current Linux job postings. When asking AMD if there is a "new (Linux) organization" at AMD, the comment was there is no organization to announce but this is part of the overall expansion at AMD. So for now it's back to dreaming about a new unit akin to the defunct AMD Operating System Research Center that previously drove their Linux support or Intel's former Open-Source Technology Center.

Open Source

AlmaLinux Releases Beta of Their CentOS/RHEL 8 Fork (almalinux.org)

AlmaLinux describes itself as "an open-source, community-driven project that intends to fill the gap left by the demise of the CentOS stable release." And now AlmaLinux "has announced their beta release of their CentOS/RHEL 8 fork," writes Slashdot reader juniorkindergarten.

AlmaLinux will be getting $1 million a year in development funding from CloudLinux (the company behind CloudLinux OS, a CentOS clone with over 200,000 active server instances). Their CEO stresses that AlmaLinux "is built with CloudLinux expertise but will be owned and governed by the community. We intend to deliver this forever-free Linux distribution this quarter." And they've committed to supporting it through 2029.

Their press release touts AlmaLinux as "a 1:1 binary compatible fork of RHEL 8, with an effortless migration path from CentOS to AlmaLinux. Future RHEL releases will also be forked into a new AlmaLinux release."

From the AlmaLinux blog: We've collected community feedback and built our new beta release around what you would expect from an enterprise-level Linux distribution...inspired by the community and built by the engineers and talent behind CloudLinux. Visit https://almalinux.org to download the Beta images.

With the Beta release deployed, we'd like to ask the community to be involved and provide feedback. We aim to build a Linux distribution entirely from community contributions and feedback. During AlmaLinux Beta, we ask for assistance in testing, documentation, support and future direction for the operating system. Together, we can build a Linux distribution that fills the gap left by the now unsupported CentOS distribution.

On Wednesday they'll be hosting a live QA webinar with the AlmaLinux team. And there's also a small AlmaLinux forum on Reddit.

Open Source

The Open-Source Magma Project Will Become 5G's Linux (zdnet.com)

An anonymous reader quotes a report from ZDNet: Magma was developed by Facebook to help telecom operators deploy mobile networks quickly and easily. The project, which Facebook open-sourced in 2019, does this by providing a software-centric distributed mobile packet core and tools for automating network management. This containerized network function integrates with the existing back end of a mobile network and makes it easy to launch new services at the network edge. Magma operators can build and augment modern and efficient mobile networks at scale. It integrates with existing LTE and newly minted 5G networks. Several Magma community members are also collaborating in the Telecom Infra Project (TIP)'s Open Core Network project group. The plan is to define, build, test, and deploy core network products that integrate Magma with TIP Open Core disaggregated hardware and software solutions.

The Linux Foundation will help oversee this new stage in Magma's organizational future. Magma will be managed under a neutral governance framework at the Linux Foundation. Participating organizations include Arm, Deutsche Telekom, Facebook, FreedomFi, Qualcomm, the Institute of Wireless Internet of Things at Northeastern University, the OpenAirInterface (OAI) Software Alliance, and the Open Infrastructure Foundation (OIF). You may ask, since Magma is already working with OIF, which is something of a Linux Foundation rival, why Magma will be working with both. Arpit Joshipura, the Linux Foundation's general manager of Networking, Edge, and IoT, explained, "Magma has gotten great community support from several ecosystem players and foundations including OIF, OAI etc. What we are announcing today is the next evolution of the project where the actual hosting of the project is being set up under the Linux Foundation with neutral governance that has been accepted by the community for a long time. OIF, OAI, and LF will work with their communities of Software Developers to contribute to Magma's core project."

Open Source

While Recreating CentOS as 'Rocky Linux', Gregory Kurtzer Also Launches a Sponsoring Startup (arstechnica.com)

"Gregory Kurtzer, co-founder of the now-defunct CentOS Linux distribution, has founded a new startup company called Ctrl IQ, which will serve in part as a sponsoring company for the upcoming Rocky Linux distribution," Ars Technica reports: Kurtzer co-founded CentOS Linux in 2004 with mentor Rocky McGaugh, and it operated independently for 10 years until being acquired by Red Hat in 2014. When Red Hat killed off CentOS Linux in a highly controversial December 2020 announcement, Kurtzer immediately announced his intention to recreate CentOS with a new distribution named after his deceased mentor.

The Rocky Linux concept got immediate, positive community reaction — but there's an awful lot of work and expense that goes into creating and maintaining a Linux distribution. The CentOS Linux project itself made that clear when it went for the Red Hat acquisition in 2014; without its own source of funding, the odds of Rocky Linux becoming a complete 1:1 replacement — serving the same massive volume of users that CentOS did — seemed dicey at best.

In a statement Ctrl IQ notes the Rocky Linux community was already "in the thousands of people driving the foundation of the organization..."

And as for Gregory Kurtzer, he was "originally basing Ctrl IQ's stack on CentOS, but he needed to pivot, as did most of the community to something else. Due to the alignment, Greg chose Rocky, and has been asked to help support it." Ars Technica adds: The company describes itself in its announcement as the suppliers of a "full technology stack integrating key capabilities of enterprise, hyper-scale, cloud and high-performance computing..."

Wading through the buzzword bingo, Ctrl IQ's real business seems to be in supplying relatively turn-key infrastructure for high-performance computing (HPC) workloads, capable of running distributed across multiple sites and/or cloud providers... Not all of Ctrl IQ's offerings are theoretical. Warewulf, also founded by Kurtzer, is currently developed and maintained by the US Department of Energy. Anyone can freely download and use Warewulf, but it's not difficult to imagine value added in consulting with one of its founders...

Ctrl IQ is one of three Tier 1 sponsors identified by the Rocky Linux project, along with Amazon Web Services (which provides core build infrastructure) and Mattermost, which is providing enterprise collaboration services...

Rocky Linux is generally expected to be widely available in Q2 2021, with a first-release candidate build expected on March 31.

Security

10-year-old Sudo Bug Lets Linux Users Gain Root-Level Access (zdnet.com)

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. From a report: The vulnerability, which received a CVE identifier of CVE-2021-3156, but is more commonly known as "Baron Samedit," was discovered by security auditing firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1.9.5p2. In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn't listed in /etc/sudoers -- a config file that controls which users are allowed access to su or sudo commands in the first place.

Red Hat Software

CentOS Is Gone -- But RHEL Is Now Free For Up To 16 Production Servers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Last month, Red Hat caused a lot of consternation in the enthusiast and small business Linux world when it announced the discontinuation of CentOS Linux. Long-standing tradition -- and ambiguity in Red Hat's posted terms -- led users to believe that CentOS 8 would be available until 2029, just like the RHEL 8 it was based on. Red Hat's early termination of CentOS 8 in 2021 cut eight of those 10 years away, leaving thousands of users stranded. Red Hat's December announcement of CentOS Stream -- which it initially billed as a "replacement" for CentOS Linux -- left many users confused about its role in the updated Red Hat ecosystem.

As of February 1, 2021, Red Hat will make RHEL available at no cost for small-production workloads -- with "small" defined as 16 systems or fewer. This access to no-cost production RHEL is by way of the newly expanded Red Hat Developer Subscription program, and it comes with no strings -- in Red Hat's words, "this isn't a sales program, and no sales representative will follow up." Red Hat is also expanding the availability of developer subscriptions to teams, as well as individual users. Moving forward, subscribing RHEL customers can add entire dev teams to the developer subscription program at no cost. This allows the entire team to use Red Hat Cloud Access for simplified deployment and maintenance of RHEL on well-known cloud providers, including AWS, Google Cloud, and Microsoft Azure.

Wine

Wine 6.0 Released (windowscentral.com)

Wine 6.0 has been released today and contains over 8,300 changes, according to its full release notes. Windows Central reports: The new release of version 6.0 has thousands of changes, but Wine's website highlights some of the biggest improvements: Core modules in PE format; Vulkan backend for WineD3D; DirectShow and Media Foundation support; and Text console redesign. The full release notes for Wine 6.0 explain that the core DLLs, which include NTDLL, KERNEL32, GDI32, and USER32 are now built in the Portable Executable (PE) format. As a result, people should see improvements for certain copy protection schemes.

The update also includes a new mechanism to associate a Unix library with the PE module. This change makes it so systems can call Unix libraries from PE when trying to perform a function that can't be handled by Win32 APIs. Wine 6.0 also includes an experimental Vulkan renderer that translates Direct3D shaders to SPIR-V shaders. In another change related to Direct3D, the Direct3D graphics card database now recognizes more graphics cards and includes updated driver versions.

X

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable' (jwz.org)

Legendary programmer Jamie Zawinski has worked on everything from the earliest releases of the Netscape Navigator browser to XEmacs, Mozilla, and, of course, the XScreenSaver project.

Now Slashdot reader e432776 writes: JWZ continues to track issues with screensavers on Linux (since 2004!), and discusses a new bug in cinnamon-screensaver. Long-standing topics like X11, developer interaction, and code licensing all feature. Solutions to these long-standing issues remain elusive.

Jamie titled his blog post "I told you so, 2021 edition": You will recall that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.

Repeatedly.

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code...

ZDNet reports that Linux Mint has issued a patch for Cinnamon that fixes the screensaver bug. But HotHardware notes that it was discovered when "one Dad let the kids play with the keyboard. This button-mashing actually crashed the machine's screensaver by sheer luck, allowing them onto the desktop, ultimately leading to the discovery of a high priority security vulnerability for the Linux Mint team."

But that's not the only thing bothering Jamie Zawinski: Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mint-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude...

Mint-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.

IBM

Robert Cringley Predicted 'The Death of IT' in 2020. Was He Right? (cringely.com)

Yesterday long-time tech pundit Robert Cringley reviewed the predictions he'd made at the beginning of last year. "Having done this for over 20 years, historically I'm correct about 70 percent of the time, but this year could be a disappointment given that I'm pretty sure I didn't predict 370,000 deaths and an economy in free-fall.

"We'll just have to see whether I was vague enough to get a couple right."

Here are some of the highlights: I predicted that IBM would dump a big division and essentially remake itself as Red Hat, its Linux company. Well yes and no. IBM did announce a major restructuring, spinning-off Global Technology Services just as I predicted (score one for me) but it has all happened slowly because everything slows down during a pandemic. The resulting company won't be called Red Hat (yet), but the rest of it was correct so I'm going to claim this one, not that anybody cares about IBM anymore...

I predicted that working from home would accelerate a trend I identified as the end of IT, by which I meant the kind of business IT provided and maintained by kids from that office in the basement. By working from home, we'd all become our own IT guys and that would lead to acceleration in the transition of certain technologies, especially SD-WAN and Secure Access Service Edge (SASE)... "That's the end-game if there is one — everything in the cloud with your device strictly for input and output, painting screens compressed with HTML5. It's the end of IT because your device will no longer contain anything, so it can be simply replaced via Amazon if it is damaged or lost, with the IT kid in the white shirt becoming an Uber driver (if any of those survive)."

It was a no-brainer, really, and I was correct: Internet-connected hardware sales surged, SASE took over whether you even knew it or not, and hardly any working from home was enabled by technology owned by the business, itself. It's key here that the operant term for working from home became "Zooming" — a third-party public brand built solely in the cloud.

Finally, I predicted that COVID-19 would accelerate the demise of not just traditional IT, but also IT contractors, because the more things that could be done in the cloud the less people would be required to do them. So what actually happened? Well I was right about the trend but wrong about the extent. IT consulting dropped in 2020 by about 19 percent, from $160 billion to $140 billion. That's a huge impact, but I said "kill" and 19 percent isn't even close to dead. So I was wrong.
