AI

Open Source Advocate Argues DeepSeek is 'a Movement... It's Linux All Over Again' (infoworld.com) 33

Matt Asay answered questions from Slashdot readers in 2010 (as the then-COO of Canonical). He currently runs developer relations at MongoDB (after holding similar positions at AWS and Adobe).

This week he contributed an opinion piece to InfoWorld arguing that DeepSeek "may have originated in China, but it stopped being Chinese the minute it was released on Hugging Face with an accompanying paper detailing its development." Soon after, a range of developers, including the Beijing Academy of Artificial Intelligence (BAAI), scrambled to replicate DeepSeek's success but this time as open source software. BAAI, for its part, launched OpenSeek, an ambitious effort to take DeepSeek's open-weight models and create a project that surpasses DeepSeek while uniting "the global open source communities to drive collaborative innovation in algorithms, data, and systems."

If that sounds cool to you, it didn't to the U.S. government, which promptly put BAAI on its "baddie" list. Someone needs to remind U.S. (and global) policymakers that no single country, company, or government can contain community-driven open source... DeepSeek didn't just have a moment. It's now very much a movement, one that will frustrate all efforts to contain it. DeepSeek, and the open source AI ecosystem surrounding it, has rapidly evolved from a brief snapshot of technological brilliance into something much bigger — and much harder to stop. Tens of thousands of developers, from seasoned researchers to passionate hobbyists, are now working on enhancing, tuning, and extending these open source models in ways no centralized entity could manage alone.

For example, it's perhaps not surprising that Hugging Face is actively attempting to reverse engineer and publicly disseminate DeepSeek's R1 model. Hugging Face, while important, is just one company, just one platform. But Hugging Face has attracted hundreds of thousands of developers who actively contribute to, adapt, and build on open source models, driving AI innovation at a speed and scale unmatched even by the most agile corporate labs.

Hugging Face by itself could be stopped. But the communities it enables and accelerates cannot. Through the influence of Hugging Face and many others, variants of DeepSeek models are already finding their way into a wide range of applications. Companies like Perplexity are embedding these powerful open source models into consumer-facing services, proving their real-world utility. This democratization of technology ensures that cutting-edge AI capabilities are no longer locked behind the walls of large corporations or elite government labs but are instead openly accessible, adaptable, and improvable by a global community.

"It's Linux all over again..." Asay writes at one point. "What started as the passion project of a lone developer quickly blossomed into an essential, foundational technology embraced by enterprises worldwide," winning out "precisely because it captivated developers who embraced its promise and contributed toward its potential."

We are witnessing a similar phenomenon with DeepSeek and the broader open source AI ecosystem, but this time it's happening much, much faster...

Organizations that cling to proprietary approaches (looking at you, OpenAI!) or attempt to exert control through restrictive policies (you again, OpenAI!) are not just swimming upstream — they're attempting to dam an ocean. (Yes, OpenAI has now started to talk up open source, but it's a long way from releasing a DeepSeek/OpenSeek equivalent on GitHub.)

Ubuntu

Ubuntu 25.04 'Plucky Puffin' Arrives With Linux 6.14, GNOME 48, and ARM64 Desktop ISO (canonical.com) 51

Canonical today released Ubuntu 25.04 "Plucky Puffin," bringing significant upgrades to the non-LTS distribution including Linux kernel 6.14, GNOME 48 with triple buffering, and expanded hardware support.

For the first time, Ubuntu ships an official generic ARM64 desktop ISO targeting virtual machines and Snapdragon-based devices, with initial enablement for the Snapdragon X Elite platform. The release also adds full support for Intel Core Ultra Xe2 integrated graphics and "Battlemage" discrete GPUs, delivering improved ray tracing performance and hardware-accelerated video encoding.

Networking improvements include wpa-psk-sha256 Wi-Fi support and enhanced DNS resolution detection. The installer now better handles BitLocker-protected Windows partitions for dual-boot scenarios. Other notable changes include JPEG XL support by default, NVIDIA Dynamic Boost enabled on supported laptops, Papers replacing Evince as the default document viewer, and APT 3.0 becoming the standard package manager. Ubuntu 25.04 will receive nine months of support until January 2026.
Debian

'Linux Mint Debian Edition 7' Gets OEM Support (betanews.com) 42

Linux Mint Debian Edition 7 "will come with full support for OEM installations," according to their monthly newsletter, so Linux Mint "can be pre-installed on computers which are sold throughout the World. It's a very important feature and it's one of the very few remaining things which wasn't supported by Linux Mint Debian Edition."

Slashdot reader BrianFagioli speculates that "this could be a sign of something much bigger." OEM installs are typically reserved for operating systems meant to ship on hardware. It's how companies preload Linux on laptops without setting a username, password, or timezone... Mint has supported this for years — but only in its Ubuntu-based version. So why is this feature suddenly coming to Linux Mint Debian Edition, which the team has repeatedly described as a contingency? In other words, if the Debian variant is merely a plan B, why make it ready for OEMs?
Their blog post goes on to speculate about possible explanations (like the hypothetical possibility of dissatisfaction with Snap packages or Canonical's decisions around telemetry and packaging).

Slashdot reached out to Linux Mint project leader Clement Lefebvre, who responded cheerfully that "I know people love to speculate on this. There's no hidden agenda on our side though.

"Improving LMDE is a continuous effort. It's something we do regularly." "Any LMDE improvement facilitates a future potential transition to Debian, of course. But there are other reasons to implement OEM support.

"We depend on Ubiquity in Linux Mint. We have a much simpler installer, with no dependencies, no technical debt and with a design we're in control of in LMDE. Porting LMDE's live-installer to Linux Mint is something we're looking into. Implementing OEM support in live-installer kills two birds with one stone. It improves LMDE and opens the door to switching away from Ubiquity in Linux Mint."

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered 11 vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side channel in a cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Microsoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Microsoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

Microsoft adds that during its initial research, using Security Copilot "saved our team approximately a week's worth of time that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).
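
The bug class Microsoft describes, an integer overflow in a filesystem parser, has a recognisable shape, and so does the comparison side channel. The following is an added illustration written for this page; it is not GRUB2 code and not taken from Microsoft's post. The record layout, the function names and the full-capability details are this example's own: a 32-bit length read from an untrusted disk image is used in a "len + 1" allocation, wraps for 0xFFFFFFFF, and the subsequent copy would run off the end of the heap buffer. The hardened version does the addition with overflow checking in the field's own width and bounds the declared length by the data actually present. The constant-time comparison at the end is the usual fix for a comparison that leaks through timing.

```c
/* Added example; not GRUB2 code. Hypothetical symlink record parser showing
 * a length-field integer overflow and its checked-arithmetic fix, plus a
 * constant-time comparison for secrets. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A symlink target as a parser sees it: the untrusted length field, a
 * pointer into the image buffer, and how many bytes are really there. */
struct symlink_rec {
    uint32_t len;
    const uint8_t *data;
    size_t avail;
};

/* Vulnerable size computation, isolated so the wrap can be observed safely:
 * for len == UINT32_MAX this returns 0, so a caller would malloc(0) and
 * then memcpy() nearly 4 GiB into it. */
uint32_t symlink_alloc_size_unsafe(uint32_t len)
{
    return len + 1;
}

/* Hardened: checked addition in the field's own width catches the wrap,
 * and the declared length is bounded by the data actually present. */
int symlink_alloc_size_safe(uint32_t len, size_t avail, uint32_t *need)
{
    if (__builtin_add_overflow(len, 1u, need))
        return -1;                 /* len + 1 would wrap */
    if ((size_t)len > avail)
        return -1;                 /* length claims more than the image holds */
    return 0;
}

/* Full safe read: allocate only after both checks pass. Caller frees. */
char *read_symlink_safe(const struct symlink_rec *r)
{
    uint32_t need;
    if (symlink_alloc_size_safe(r->len, r->avail, &need) != 0)
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, r->data, r->len);
    out[r->len] = '\0';
    return out;
}

/* Constant-time equality for secrets such as a password hash or a
 * signature digest: every byte is visited regardless of where the first
 * mismatch is, so timing does not reveal how much of the secret matched,
 * unlike a memcmp() that may return at the first differing byte. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
```

The point of returning the computed size from the unsafe variant rather than performing the copy is that the wrap itself is the bug; once a 32-bit size has wrapped, no later bounds check on the copy can recover, which is why the fix belongs at the arithmetic.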

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
Security

New Ubuntu Linux Security Bypasses Require Manual Mitigations (bleepingcomputer.com) 14

An anonymous reader shared this report from BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, which has them active by default...

Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.

Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.

Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
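
The primitive all three bypasses recover is an unprivileged user namespace in which the creating process holds the full capability set. A quick way to see what a given host permits is to attempt exactly that from an ordinary shell and inspect the result. The program below is an added example written for this page, not code from Canonical's bulletin or from Qualys; the sysctl path and the full-capability mask (41 capabilities, CAP_LAST_CAP == 40 on current kernels) are assumptions about Ubuntu's kernels. A "confined" verdict only says the kernel attached an AppArmor profile to the new process; whether that profile actually denies anything is a separate question.

```c
/* Added example; not Canonical's or Qualys' code. From an unprivileged
 * process, attempt unshare(CLONE_NEWUSER), then read the AppArmor label and
 * effective capability set of the result and classify what was allowed. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int unshare(int flags);           /* prototype repeated in case _GNU_SOURCE was not in effect */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* Linux value; only needed without _GNU_SOURCE */
#endif

#define CAP_FULL_MASK 0x1ffffffffffULL   /* assumption: bits 0..40 */

enum userns_state {
    USERNS_DENIED,          /* unshare() refused: restriction effective */
    USERNS_CONFINED,        /* created, but process moved under an AppArmor profile */
    USERNS_LIMITED,         /* created unconfined, but not with the full capability set */
    USERNS_UNCONFINED_FULL  /* created, unconfined, full capabilities: the bypass outcome */
};

/* Parse the CapEff hex mask out of /proc/<pid>/status text (0 if absent). */
uint64_t capeff_from_status(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* Is the AppArmor label (contents of /proc/<pid>/attr/current) "unconfined"?
 * An empty label (kernel without an LSM label) is treated as unconfined. */
int label_is_unconfined(const char *label)
{
    size_t n = strcspn(label, "\n");
    if (n == 0)
        return 1;
    return n == strlen("unconfined") && strncmp(label, "unconfined", n) == 0;
}

enum userns_state classify_userns(int unshare_rc, const char *label, const char *status)
{
    if (unshare_rc != 0)
        return USERNS_DENIED;
    if (!label_is_unconfined(label))
        return USERNS_CONFINED;
    if (capeff_from_status(status) != CAP_FULL_MASK)
        return USERNS_LIMITED;
    return USERNS_UNCONFINED_FULL;
}

/* Read a small /proc file into buf; returns 0 on success. */
static int read_small_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

/* Live probe; run as an ordinary user. */
int main(void)
{
    char sysctl[32], label[256] = "", status[4096] = "";
    if (read_small_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", sysctl, sizeof sysctl) == 0)
        printf("apparmor_restrict_unprivileged_userns = %s", sysctl);  /* file content ends in a newline */
    else
        puts("apparmor_restrict_unprivileged_userns sysctl not present");

    int rc = unshare(CLONE_NEWUSER);
    int err = errno;
    if (rc == 0) {
        read_small_file("/proc/self/attr/current", label, sizeof label);
        label[strcspn(label, "\n")] = '\0';
        read_small_file("/proc/self/status", status, sizeof status);
    }
    static const char *const verdict[] = {
        "denied", "confined by an AppArmor profile",
        "created unconfined with a limited capability set",
        "created unconfined with full capabilities (the outcome the bypasses produce)"
    };
    printf("user namespace: %s (errno=%d, label=%s)\n",
           verdict[classify_userns(rc, label, status)], rc == 0 ? 0 : err, rc == 0 ? label : "n/a");
    return 0;
}
```

Run it twice, once plainly and once from whatever confinement you want to test, and compare the verdicts; the classification functions are pure and can be exercised on captured /proc text without creating a namespace.
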
Operating Systems

Linux Kernel 6.14 Is a Big Leap Forward In Performance, Windows Compatibility (zdnet.com) 34

An anonymous reader quotes a report from ZDNet, written by Steven Vaughan-Nichols: Despite the minor delay, Linux 6.14 arrives packed with cutting-edge features and improvements to power upcoming Linux distributions, such as the forthcoming Ubuntu 25.04 and Fedora 42. The big news for desktop users is the improved NTSYNC driver, especially those who like to play Windows games or run Windows programs on Linux. This driver is designed to emulate Windows NT synchronization primitives. What that feature means for you and me is that it will significantly improve the performance of Windows programs running on Wine and Steam Play. [...] Gamers always want the best possible graphics performance, so they'll also be happy to see that Linux now supports recently launched AMD RDNA 4 graphics cards. This approach includes support for the AMD Radeon RX 9070 XT and RX 9070 graphics cards. Combine this support with the recently improved open-source RADV driver and AMD gamers should see the best speed yet on their gaming rigs.

Of course, the release is not just for gamers. Linux 6.14 also includes several AMD and Intel processor enhancements. These boosts focus on power management, thermal control, and compute performance optimizations. These updates are expected to improve overall system efficiency and performance. This release also comes with the AMDXDNA driver, which provides official support for AMD's neural processing units based on the XDNA architecture. This integration enables efficient execution of AI workloads, such as convolutional neural networks and large language models, directly on supported AMD hardware. While Rust has faced some difficulties in recent months in Linux, more Rust programming language abstractions have been integrated into the kernel, laying the groundwork for future drivers written in Rust. [...] Besides drivers, Miguel Ojeda, Rust for Linux's lead developer, said recently that the introduction of the macro for smart pointers with Rust 1.84: derive(CoercePointee) is an "important milestone on the way to building a kernel that only uses stable Rust functions." This approach will also make integrating C and Rust code easier. We're getting much closer to Rust being grafted into Linux's tree.

In addition, Linux 6.14 supports Qualcomm's latest Snapdragon 8 Elite mobile processor, enhancing performance and stability for devices powered by this chipset. That support means you can expect to see much faster Android-based smartphones later this year. This release includes a patch for the so-called GhostWrite vulnerability, which can be used to root some RISC-V processors. This fix will block such attacks. Additionally, Linux 6.14 includes improvements for the copy-on-write Btrfs file system/logical volume manager. These primarily read-balancing methods offer flexibility for different RAID hardware configurations and workloads. Additionally, support for uncached buffered I/O optimizes memory usage on systems with fast storage devices.
Linux 6.14 is available for download here.
Windows

End of Windows 10 Leaves PC Charities With Tough Choice (tomshardware.com) 125

With Microsoft ending free security updates for Windows 10 in October, millions of PCs that don't meet Windows 11's hardware requirements face an uncertain fate... Charities that refurbish and distribute computers to low-income individuals must choose between providing soon-to-be-insecure Windows 10 machines, transitioning to Linux -- despite usability challenges for non-tech-savvy users -- or recycling the hardware, contributing to ewaste. Tom's Hardware reports: So how bad will it really be to run an end-of-lifed Windows 10? Should people worry? [Chester Wisniewski, who serves as Director and Global Field CISO for Sophos, a major security services company] and other experts I talked to are unequivocal. You're at risk. "To put this in perspective, today [the day we talked] was Patch Tuesday," he said. "There were 57 vulnerabilities, 6 of which have already been abused by criminals before the fixes were available. There were also 57 in February and 159 in January. Windows 10 and Windows 11 largely have a shared codebase, meaning most, if not all, vulnerabilities each month are exploitable on both OSs. These will be actively turned into digital weapons by criminals and nation-states alike and Windows 10 users will be somewhat defenseless against them."

So, in short, even though Windows 10 has been around since 2015, there are still massive security holes being patched. Even within the past few weeks, dozens of vulnerabilities were fixed by Microsoft. So what's a charity to do when these updates are running out and clients will be left vulnerable? "What we decided to do is one year ahead of the cutoff, we discontinued Windows 10," said Casey Sorensen, CEO of PCs for People, one of the U.S.'s largest non-profit computer refurbishers. "We will distribute Linux laptops that are 6th or 7th gen. If we distribute a Windows laptop, it will be 8th gen or newer." Sorensen said that any PC that's fifth gen or older will be sent to an ewaste recycler.

[...] Sorensen, who founded the company in 1998, told us that he's comfortable giving clients computers that run Linux Mint, a free OS that's based on Ubuntu. The latest version of Mint, version 22.1, will be supported until 2029. "Ten years ago if we distributed Linux, they would be like what is it," he said. But today, he notes that many view their computers as windows to the Internet and, for that, a user-friendly version of Linux is acceptable.
Further reading: Is 2025 the Year of the Linux Desktop?
Mozilla

Mozilla Wants to Expand from Firefox to Open-Source AI and Privacy-Respecting Ads (omgubuntu.co.uk) 63

On Wednesday Mozilla president Mark Surman "announced plans to tackle what he says are 'major headwinds' facing the company's ability to grow, make money, and remain relevant," reports the blog OMG Ubuntu: "Mozilla's impact and survival depend on us simultaneously strengthening Firefox AND finding new sources of revenue AND manifesting our mission in fresh ways," says Surman... It will continue to invest in privacy-respecting advertising; fund, develop and push open-source AI features in order to retain 'product relevance'; and will go all-out on novel new fundraising initiatives to er, get us all to chip in and pay for it!

Mozilla is all-in on AI; Surman describes it as Mozilla's North Star for the work it will do over the next few years. I wrote about its new 'Orbit' AI add-on for Firefox recently...

Helping to co-ordinate, collaborate and come up with ways to keep the company fixed and focused on these fledgling efforts is a brand new Mozilla Leadership Council.

The article argues that without Mozilla the web would be "a far poorer, much ickier, and notably less FOSS-ier place..." Or, as Mozilla's blog post put it Wednesday, "Mozilla is entering a new chapter — one where we need to both defend what is good about the web and steer the technology and business models of the AI era in a better direction.

"I believe that we have the people — indeed, we ARE the people — to do this, and that there are millions around the world ready to help us. I am driven and excited by what lies ahead."
Ubuntu

'I'm Done With Ubuntu' (ounapuu.ee) 202

Software developer and prolific blogger Herman Ounapuu, writing in a blog post: I liked Ubuntu. For a very long time, it was the sensible default option. Around 2016, I used the Ubuntu GNOME flavor, and after they ditched the Unity desktop environment, GNOME became the default option.

I was really happy with it, both for work and personal computing needs. Estonian ID card software was also officially supported on Ubuntu, which made Ubuntu a good choice for family members.

But then something changed.
Ounapuu recounts how Ubuntu's long-term support releases, which arrive every two years, consistently broke functionality, from minor interface glitches to catastrophic system failures that left computers unresponsive. His breaking point came after multiple problematic upgrades affecting family members' computers, including one that rendered a laptop completely unusable during an upgrade from Ubuntu 20.04 to 22.04. Another incident left a relative's system with broken Firefox shortcuts and duplicate status bar icons after updating Lubuntu 18.04.

Canonical's aggressive push of Snap packages has drawn particular criticism. The forced migration of system components from traditional Debian packages to Snaps resulted in compatibility issues, broken desktop shortcuts, and government ID card authentication failures. In one instance, he writes, a Snap-related bug in the GNOME desktop environment severely disrupted workplace productivity, requiring multiple system restarts to resolve. The author has since switched to Fedora, praising its implementation of Flatpak as a superior alternative to Snaps.
Ubuntu

Ubuntu's Dev Discussions Will Move From IRC to Matrix (omgubuntu.co.uk) 70

The blog OMG Ubuntu reports: Ubuntu's key developers have agreed to switch to Matrix as the primary platform for real-time development communications involving the distro. From March, Matrix will replace IRC as the place where critical Ubuntu development conversations, requests, meetings, and other vital chatter must take place... Only the current #ubuntu-devel and #ubuntu-release Libera IRC channels are moving to Matrix, but other Ubuntu development-related channels can choose to move — officially, given some projects were using Matrix over IRC already.

As a result, any major requests to/of the key Ubuntu development teams with privileged access can only be actioned if requests are made on Matrix. Canonical-employed Ubuntu developers will be expected to be present on Matrix during working hours... The aim is to streamline organisation, speed up decision making, ensure key developers are reliably reachable, and avoid discussions and conversations from fragmenting across multiple platforms... It's hoped that in picking one platform as the 'chosen one' the split in where the distro's development discourse takes place can be reduced and greater transparency in how and when decisions are made restored.

IRC remains popular with many Ubuntu developers but its old-school, lo-fi nature is said to be off-putting to newer contributors. They're used to richer real-time chat platforms with more features (like discussion history, search, offline messaging, etc). It's felt this is why many newer developers employed by Canonical prefer to discuss and message through the company's internal Mattermost instance — which isn't publicly accessible. Many Ubuntu teams, flavours, and community chats already take place on Matrix...

"End-users aren't directly affected, of course," they point out. But an earlier post on the same blog notes that Matrix "is increasingly ubiquitous in open-source circles. GNOME uses it, KDE embraces it, Linux Mint migrated last year, Mozilla a few years before, and it's already widely used by Ubuntu community members and developers." IRC remains unmatched in many areas but is, rightly or wrongly, viewed as an antiquated communication platform. IRC clients aren't pretty or plentiful, the syntax is obtuse, and support for 'modern' comforts like media sending, read receipts, etc., is lacking. To newer, younger contributors IRC could feel ancient or cumbersome to learn.

Though many of IRC's real and perceived shortcomings are surmountable with workarounds, clients, bots, scripts, and so on, support for those varies between channels, clients, servers, and user configurations. Unlike IRC, which is a centralised protocol relying on individual servers, Matrix is federated. It lets users on different servers communicate without friction. Plus, Matrix features encryption, message history, media support, and so on, meeting modern expectations.

Firefox

Mozilla Adapts 'Fakespot' Into an AI-Detecting Firefox Add-on (omgubuntu.co.uk) 36

An anonymous reader shared this post from the blog OMG Ubuntu: Want to find out if the text you're reading online was written by a real human or spat out by a large language model trying to sound like one? Mozilla's Fakespot Deepfake Detector Firefox add-on may help give you an indication. Similar to online AI detector tools, the add-on can analyse text (of 32 words or more) to identify patterns, traits, and tells common in AI generated or manipulated text.

It uses Mozilla's proprietary ApolloDFT engine and a set of open-source detection models. But unlike some tools, Mozilla's Fakespot Deepfake Detector browser extension is free to use, does not require a signup, nor an app download. "After installing the extension, it is simple to highlight any text online and request an instant analysis. Our Detector will tell you right away if the words are likely to be written by a human or if they show AI patterns," Mozilla says.

Fakespot, acquired by Mozilla in 2023, is best known for its fake product review detection tool which grades user-submitted reviews left on online shopping sites. Mozilla is now expanding the use of Fakespot's AI tech to cover other kinds of online content. At present, Mozilla's Fakespot Deepfake Detector only works with highlighted text on websites, but the company says image and video analysis is planned for the future.

The Fakespot web site will also analyze the reviews on any product-listing pages if you paste in its URL.
Google

Google Upgrades Open Source Vulnerability Scanning Tool with SCA Scanning Library (googleblog.com) 2

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:
  • Software composition analysis for installed packages, standalone binaries, as well as source code
  • OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
  • Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
  • Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
  • Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
  • Optimization for on-host scanning of resource constrained environments where performance and low resource consumption are critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."


Linux

Will Nvidia Spark a New Generation of Linux PCs? (zdnet.com) 95

"I know, I know: 'Year of the Linux desktop ... yadda, yadda'," writes Steven Vaughan-Nichols, a ZDNet senior contributing editor. "You've heard it all before. But now there's a Linux-powered PC that many people will want..."

He's talking about Nvidia's newly-announced Project Digits, describing it as "a desktop with AI supercomputer power that runs DGX OS, a customized Ubuntu Linux 22.04 distro." Powered by MediaTek and Nvidia's Grace Blackwell Superchip, Project DIGITS is a $3,000 personal AI that combines Nvidia's Blackwell GPU with a 20-core Grace CPU built on the Arm architecture... At CES, Nvidia CEO Jensen Huang confirmed plans to make this technology available to everyone, not just AI developers. "We're going to make this a mainstream product," Huang said. His statement suggests that Nvidia and MediaTek are positioning themselves to challenge established players — including Intel and AMD — in the desktop CPU market. This move to the desktop and perhaps even laptops has been coming for a while. As early as 2023, Nvidia was hinting that a consumer desktop chip would be in its future... [W]hy not use native Linux as the primary operating system on this new chip family?

Linux, after all, already runs on the Grace Blackwell Superchip. Windows doesn't. It's that simple. Nowadays, Linux runs well with Nvidia chips. Recent benchmarks show that open-source Linux graphic drivers work with Nvidia GPUs as well as its proprietary drivers. Even Linus Torvalds thinks Nvidia has gotten its open-source and Linux act together. In August 2023, Torvalds said, "Nvidia got much more involved in the kernel. Nvidia went from being on my list of companies who are not good to my list of companies who are doing really good work." Canonical, Ubuntu Linux's parent company, has long worked closely with Nvidia. Ubuntu already provides Blackwell drivers.

The article strays into speculation, when it adds "maybe you wouldn't pay three grand for a Project DIGITS PC. But what about a $1,000 Blackwell PC from Acer, Asus, or Lenovo? All three of these companies are already selling MediaTek-powered Chromebooks...."

"The first consumer products featuring this technology are expected to hit the market later this year. I'm looking forward to running Linux on it. Come on in! The operating system's fine."
Security

The World's First Unkillable UEFI Bootkit For Linux (arstechnica.com) 80

An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.

Security

Ubuntu Linux Impacted By Decade-Old 'needrestart' Flaw That Gives Root (bleepingcomputer.com) 87

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to work out which services need restarting after updates -- allow attackers with local access to escalate privileges to root. Qualys traced the flaws back to needrestart version 0.8 (hence "decade-old"); they are fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.

The report notes that attackers would need to have local access to the operating system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.

Hardware
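As an added example (not code from BleepingComputer, Qualys or the needrestart project), a POSIX shell check for the two mitigations described above: it compares the installed package version against 3.8 and, failing that, looks for the interpreter-scanning switch in needrestart.conf. The config path /etc/needrestart/needrestart.conf and the key name $nrconf{interpscan} are assumptions taken from the Debian package's configuration, not from the article.

```shell
#!/bin/sh
# Added check for the needrestart LPE flaws (CVE-2024-48990 et al.).
# Assumed, not from the article: the package is named "needrestart", its config
# is /etc/needrestart/needrestart.conf, and "$nrconf{interpscan} = 0;" turns
# off interpreter scanning.

FIXED_VERSION="3.8"   # from the report: all five flaws are fixed in 3.8

# version_ge A B: succeeds when dotted version A >= B. Each field is compared
# numerically after stripping Debian-style suffixes such as "-1ubuntu1".
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
  done
  return 0
}

# interpscan_disabled FILE: succeeds when FILE sets $nrconf{interpscan} = 0;
interpscan_disabled() {
  grep -Eq '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$1"
}

# needrestart_status VERSION CONFIG: prints a verdict and succeeds when the
# host is covered either by the upgrade or by the configuration workaround.
needrestart_status() {
  if version_ge "$1" "$FIXED_VERSION"; then
    echo "needrestart $1: patched (>= $FIXED_VERSION)"; return 0
  fi
  if [ -r "$2" ] && interpscan_disabled "$2"; then
    echo "needrestart $1: unpatched, but interpreter scanning is disabled"; return 0
  fi
  echo "needrestart $1: VULNERABLE; upgrade to $FIXED_VERSION+ or set \$nrconf{interpscan} = 0;"
  return 1
}

# Constructed sample configs for a demonstration run (not real files).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
printf '# scanner on (default)\n$nrconf{interpscan} = 1;\n' > "$TMPD/scan-on.conf"
printf '# hardened\n$nrconf{interpscan} = 0;\n' > "$TMPD/scan-off.conf"
needrestart_status 0.8 "$TMPD/scan-on.conf" || true
needrestart_status 0.8 "$TMPD/scan-off.conf"

# Live check when the package is installed (dpkg-query is Debian's tool).
if command -v dpkg-query >/dev/null 2>&1; then
  ver=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null || true)
  [ -n "$ver" ] && needrestart_status "$ver" /etc/needrestart/needrestart.conf || true
fi
```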

Framework Laptops Get Modular Makeover With RISC-V Main Board (theregister.com) 48

An anonymous reader quotes a report from The Register: Framework CEO Nirav Patel had one of the bravest tech demos that we've seen at a conference yet -- modifying a Framework Laptop from x86 to RISC-V live on stage. In the five-minute duration of one of the Ubuntu Summit's Lightning Talks, he opened up a Framework machine, removed its motherboard, installed a RISC-V-powered replacement, reconnected it, and closed the machine up again. All while presenting the talk live, and pretty much without hesitation, deviation, or repetition. It was an impressive performance, and you can watch it yourself at the 8:56:30 mark in the video recording.

Now DeepComputing is taking orders for the DC-ROMA board, at least to those in its early access program. The new main board is powered by a StarFive JH7110 System-on-Chip. (Note: there are two tabs on the page, for both the JH7110 and JH7100, and we can't link directly to the latter.) CNX Software has more details about the SoC. Although the SoC has six CPU cores, two are dedicated processors, making it a quad-core 64-bit device. The four general-purpose cores are 64-bit and run at up to 1.5 GHz. It supports 8 GB of RAM and eMMC storage. [...]

In our opinion, RISC-V is not yet competitive with Arm in performance. However, this is a real, usable, general-purpose computer, based on an open instruction set. That's no mean feat, and it's got more than enough performance for less demanding work. It's also the first third-party main board for the Framework hardware, which is another welcome achievement. The company has now delivered several new generations of hardware, including a 16-inch model, and continues to upgrade its machines' specs.

Linux

Linux Kernel 6.12 Has Been Released (omgubuntu.co.uk) 54

Slashdot unixbhaskar writes: Linus has released a fresh Linux kernel for public consumption. Please give it a try and report any glitches to the maintainers for improvement. Also, please do not forget to express your appreciation to those tireless folks who did all the hard work for you.

The blog OMG Ubuntu calls it "one of the most biggest kernel releases for a while," joking that it's a "really real-time kernel." The headline feature in Linux 6.12 is mainline support for PREEMPT_RT. This patch set dramatically improves the performance of real-time applications by making kernel processes pre-emptible — effectively enabling proper real-time computing... Meanwhile, Linus Torvalds himself contributes a new method for user-space address masking designed to claw back some of the performance lost due to Spectre-v1 mitigations.

You might have heard that kernel devs have been working to add QR error codes to Linux's kernel panic BSOD screen (as a waterfall of error text is often cut off and not easily copied for ad-hoc debugging). Well, Linux 6.12 adds support for those during Direct Rendering Manager panics...

A slew of new RISC-V CPU ISA extensions are supported in Linux 6.12; hybrid CPU scaling in the Intel P-State driver lands ahead of upcoming Intel Core Ultra 2000 chips; and the AMD P-State driver improves the AMD Boost and AMD Preferred Core features.

More coverage from the blog 9to5Linux highlights a new scheduler called sched_ext, Clang support (including LTO) for nolibc, support for NVIDIA's virtual command queue implementation for SMMUv3, and "an updated cpuidle tool that now displays the residency value of cpuidle states for a clearer and more detailed view of idle state information when using cpuidle-info." Linux kernel 6.12 also introduces SWIG bindings for libcpupower to make it easier for developers to write scripts that use and extend the functionality of libcpupower, support for translating normalized error addresses reported by an AMD memory controller into system physical addresses using a UEFI mechanism called platform runtime mechanism (PRM), as well as simplified loading of microcode patches on AMD Zen and newer CPUs by using the family, model, and stepping encoded in the patch revision number...

Moreover, Linux 6.12 adds support for running as a protected guest on Android as well as perf and support for a bunch of new interconnect PMUs. It also adds the final conversions to the new Intel VFM CPU model matching macros, rewrites the PCM buffer allocation handling and locking optimizations, and improves the USB audio driver...

Movies

ASWF: the Open Source Foundation Run By the Folks Who Give Out Oscars (theregister.com) 18

This week's Ubuntu Summit 2024 was attended by Lproven (Slashdot reader #6,030). He's also a FOSS correspondent for the Register, where he's filed this report: One of the first full-length sessions was presented by David Morin, executive director of the Academy Software Foundation, introducing his organization in a talk about Open Source Software for Motion Pictures. Morin linked to the Visual Effects Society's VFX/Animation Studio Workstation Linux Report, highlighting the market share pie-chart, showing Rocky Linux 9 at some 58 percent and the RHELatives in general at 90 percent of the market. Ubuntu 22 and 24 — the report's nomenclature, not this vulture's — got just 10.5 percent. We certainly didn't expect to see that at an Ubuntu event, with the latest two versions of Rocky Linux taking 80 percent of the studio workstation market...

What also struck us over the next three quarters of an hour is that Linux and open source in general seem to be huge components of the movie special effects industry — to an extent that we had not previously realized.

There's a "sizzle reel" showing examples of how major motion pictures used OpenColorIO, an open-source production tool for syncing color representations originally developed by Sony Pictures Imageworks. That tool is hosted by a collaboration between the Linux Foundation and the Science and Technology Council of the Academy of Motion Picture Arts and Sciences (the "Academy" of the Academy Awards). The collaboration — which goes by the name of the Academy Software Foundation — hosts 14 different projects. The ASWF hasn't been around all that long — it was only founded in 2018. Despite the impact of the COVID pandemic, by 2022 it had achieved enough to fill a 45-page history called Open Source in Entertainment [PDF]. Morin told the crowd that it runs events, provides project marketing and infrastructure, as well as funding, training and education, and legal assistance. It tries to facilitate industry standards and does open source evangelism in the industry. An impressive list of members — with 17 Premier companies, 16 General ones, and another half a dozen Associate members — shows where some of the money comes from. It's a big list of big names. [Adobe, AMD, AWS, Autodesk...]

The presentation started with OpenVDB, a C++ library developed and donated by Dreamworks for working with three-dimensional voxel-based shapes. (In 2020 they created this sizzle reel, but this year they've unveiled a theme song.) Also featured was OpenEXR, originally developed at Industrial Light and Magic and sourced in 1999. (The article calls it "a specification and reference implementation of the EXR file format — a losslessly compressed image storage format for moving images at the highest possible dynamic range.")

"For an organization that is not one of the better-known ones in the FOSS space, we came away with the impression that the ASWF is busy," the article concludes. (Besides running Open Source Days and ASWF Dev Days, it also hosts several working groups: the Language Interop Project works on Rust bindings and the Continuous Integration Working Group on CI tools.) There's generally very little of the old razzle-dazzle in the Linux world, but with the demise of SGI as the primary maker of graphics workstations — its brand now absorbed by Hewlett Packard Enterprise — the visual effects industry moved to Linux and it's doing amazing things with it. And Kubernetes wasn't even mentioned once.

Data Storage

Raspberry Pi Launches Its Own Branded SD Cards and SSDs - Plus SSD Kits (omgubuntu.co.uk) 71

An anonymous reader shared this report from the blog OMG Ubuntu: Having recently announced its own range of Raspberry Pi-branded SD cards (with support for command queuing on the Pi 5 and reliable read/write speeds) the company is now offering its own range of branded Raspberry Pi SSDs... And for those who don't have an M.2 expansion board? Well, that's where the new Raspberry Pi SSD Kit comes in. It bundles the official M.2 HAT+ with an SSD for an all-in-one, ready-to-roll solution.

Eben Upton expects it to be a popular feature: When we launched Raspberry Pi 5, almost exactly a year ago, I thought the thing people would get most excited about was the three-fold increase in performance over 2019's Raspberry Pi 4. But very quickly it became clear that it was the other new features — the power button (!), and the PCI Express port — that had captured people's imagination. We've seen everything from Ethernet adapters, to AI accelerators, to regular PC graphics cards attached to the PCI Express port... We've also released an AI Kit, which bundles the M.2 HAT+ with an AI inference accelerator from our friends at Hailo. But the most popular use case for the PCI Express port on Raspberry Pi 5 is to attach an NVMe solid-state disk (SSD).

SSDs are fast; faster even than our branded A2-class SD cards. If no-compromises performance is your goal, you'll want to run Raspberry Pi OS from an SSD, and Raspberry Pi SSDs are the perfect choice. The entry-level 256GB drive is priced at $30 on its own, or $40 as a kit; its 512GB big brother is priced at $45 on its own, or $55 as a kit... The 256GB SSD and SSD Kit are available to buy today, while the 512GB variants are available to pre-order now for shipping by the end of November.

So, there you have it: a cost-effective way to squeeze even more performance out of your Raspberry Pi 5. Enjoy!

AMD

Spectre Flaws Still Haunt Intel, AMD as Researchers Found Fresh Attack Method (theregister.com) 33

"Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short," writes the Register: Johannes Wikner and Kaveh Razavi of Swiss university ETH Zurich on Friday published details about a cross-process Spectre attack that derandomizes Address Space Layout Randomization and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.... [Read their upcoming paper here.] The indirect branch predictor barrier (IBPB) was intended as a defense against Spectre v2 (CVE-2017-5715) attacks on x86 Intel and AMD chips. IBPB is designed to prevent forwarding of previously learned indirect branch target predictions for speculative execution. Evidently, the barrier wasn't implemented properly.

"We found a microcode bug in the recent Intel microarchitectures — like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors — which retains branch predictions such that they may still be used after IBPB should have invalidated them," explained Wikner. "Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines." Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD silicon built with its Zen 2 architecture.

Videos of the Intel and AMD attacks have been posted, with all the cinematic dynamism one might expect from command line interaction.

Intel chips — including Intel Core 12th, 13th, and 14th generation and Xeon 5th and 6th — may be vulnerable. On AMD Zen 1(+) and Zen 2 hardware, the issue potentially affects Linux users. The relevant details were disclosed in June 2024, but Intel and AMD found the problem independently. Intel fixed the issue in a microcode patch (INTEL-SA-00982) released in March, 2024. Nonetheless, some Intel hardware may not have received that microcode update. In their technical summary, Wikner and Razavi observe: "This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper." It appears Ubuntu has subsequently dealt with the issue.

AMD issued its own advisory in November 2022, in security bulletin AMD-SB-1040. The firm notes that hypervisor and/or operating system vendors have work to do on their own mitigations. "Because AMD's issue was previously known and tracked under AMD-SB-1040, AMD considers the issue a software bug," the researchers explain. "We are currently working with the Linux kernel maintainers to merge our proposed software patch."

BleepingComputer adds that the ETH Zurich team "is working with Linux kernel maintainers to develop a patch for AMD processors, which will be available here when ready."
