Linux

Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research (neowin.net) 257

Greg Kroah-Hartman, who is one of the head honchos of the Linux kernel development and maintenance team, has banned the University of Minnesota (UMN) from further contributing to the Linux Kernel. The University had apparently introduced questionable patches into the kernel of Linux. From a report: The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel and the University had stealthily introduced a Use-After-Free (UAF) vulnerability to test the susceptibility of Linux. So far so good perhaps, as one can see it as ethical experimenting. However, the UMN apparently sent another round of "obviously-incorrect patches" into the kernel in the form of "a new static analyzer", causing distaste to Greg Kroah-Hartman, who has now decided to ban the University from making any further contributions.
Debian

Debian Votes to Issue No Statement on Stallman's Return to the FSF Board (debian.org) 209

An anonymous reader writes: Debian Project Secretary Kurt Roeckx has announced the results of a closely-watched vote on what statement would be made about Richard Stallman's readmission to the Free Software Foundation's board.
Seven options were considered, with the Debian project's 420 voting developers also asked to rank their preferred outcomes:
  • Option 1: "Call for the FSF board removal, as in rms-open-letter.github.io"
  • Option 2: "Call for Stallman's resignation from all FSF bodies"
  • Option 3: "Discourage collaboration with the FSF while Stallman is in a leading position"
  • Option 4: "Call on the FSF to further its governance processes"
  • Option 5: "Support Stallman's reinstatement, as in rms-support-letter.github.io"
  • Option 6: "Denounce the witch-hunt against RMS and the FSF"
  • Option 7: "Debian will not issue a public statement on this issue"

While all seven options achieved a quorum of votes, two failed to achieve a majority — options 5 and 6 ("Support Stallman's reinstatement" and "Denounce the witch-hunt..."). The option receiving the most votes was #7 (not issuing a public statement) — but it wasn't that simple. The vote's final outcome was determined by comparing every possible pair of options to determine which option would still be preferred by a majority of voters in each possible comparison.

In this case, that winner was still the option which had also received the most votes:


Debian will not issue a public statement on this issue.
The Debian Project will not issue a public statement on whether Richard Stallman should be removed from leadership positions or not.

Any individual (including Debian members) wishing to (co-)sign any of the open letters on this subject is invited to do this in a personal capacity.



The results are captured in an elaborate graph. Numbers inside the ovals show the final ratio of yes to no votes (so a number higher than 1.00 indicates a majority, with much higher numbers indicating much larger majorities). Numbers outside the ovals (along the lines) indicate the number of voters who'd preferred the winning choice over the losing choice (toward which the arrow is pointing).

The winning option is highlighted in blue.


Open Source

Openwall Releases 'Linux Kernel Runtime Guard' 0.9.0 (linuxreviews.org) 7

Long-time Slashdot reader xiando shares news from LinuxReviews: Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to the soon-to-be-released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more...

The Linux Kernel Runtime Guard is an out-of-tree module: you can load it as a kernel module or, as of the 0.9.0 release, build it into your kernel image. It performs run-time integrity checks on the running kernel in order to detect exploitation of kernel vulnerabilities.

An Openwall developer also notes in the announcement that "During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them have CVE numbers."
Linux

Slackware Approaches 28th Birthday With New Beta Release (theregister.com) 58

Slashdot reader LeeLynx shares news from The Register about a Slackware 15 beta release (following the debut of February's alpha), "nearly five years after the distribution last saw a major update." (And nearly 28 years after its initial release back in 1993...) Created by Patrick Volkerding (who still lays claim to the title Benevolent Dictator For Life), the current release version arrived in the form of 2016's 14.2... The Linux kernel has been updated to 5.10.30 (at time of writing) with 5.11.14 available for testing. Desktop fans may be pleased to see, among the many updates, KDE Plasma hitting 5.21.4 as well as updates for old faithfuls, such as Mozilla Firefox and Thunderbird.

The beta itself dropped on 12 April (with the 5.10.29 kernel) and Volkerding noted: "I'm going to go ahead and call this a beta even though there's still no fix for the illegal instruction issue with 32-bit mariadb. But there should be soon."

Tinkering has continued since, judging by the change log, although the beta tag brings hope there will be a release before long.

Programming

Linus Torvalds Says Rust Closer for Linux Kernel Development, Calls C++ 'A Crap Language' (itwire.com) 270

Google's Android team supports Rust for developing the Android operating system. Now they're also helping evaluate Rust for Linux kernel development. Their hopes, among other things, are that "New code written in Rust has a reduced risk of memory safety bugs, data races and logic bugs overall," that it brings "abstractions that are easier to reason about," and that "More people get involved overall in developing the kernel, thanks to the usage of a modern language."

Linus Torvalds responded in a new interview with IT Wire (shared by Slashdot reader juul_advocate): The first patches for Rust support in the Linux kernel have been posted and the man behind the kernel says the fact that these are being discussed is much more important than a long post by Google about the language. Linus Torvalds told iTWire in response to queries that Rust support was "not there yet", adding that things were "getting to the point where maybe it might be mergeable for 5.14 or something like that..." Torvalds said that it was still early days for Rust support, "but at least it's in a 'this kind of works, there's an example, we can build on it'."

Asked about a suggestion by a commenter on the Linux Weekly News website, who said, during a discussion on the Google post, "The solution here is simple: just use C++ instead of Rust", Torvalds could not restrain himself from chortling. "LOL," was his response. "C++ solves _none_ of the C issues, and only makes things worse. It really is a crap language.

"For people who don't like C, go to a language that actually offers you something worthwhile. Like languages with memory safety and [which] can avoid some of the dangers of C, or languages that have internal GC [garbage collection] support and make memory management easier. C++ solves all the wrong problems, and anybody who says 'rewrite the kernel in C++' is too ignorant to even know that."

He said that when one spoke of the dangers of C, one was also speaking about part of what made C so powerful, "and allows you to implement all those low-level things efficiently".

Torvalds added that, while garbage collection is "a very good thing in most other situations," it's "generally not necessarily something you can do in a low-level system programming."
Linux

Reactions to Arch Linux's New Guided Installer (linuxreviews.org) 108

Long-time Slashdot reader xiando quotes LinuxReviews: The community distribution Arch Linux has up to now required you to manually install it by entering a whole lot of scary commands in a terminal. Arch version 2021.04.01 features a new guided installer [reached by] typing python -m archinstall guided into the console you get when you boot the Arch Linux installation ISO.

It is not very novice-friendly, or user-friendly, but it gets the job done and it will work fine for those with some basic GNU/Linux knowledge.

Tech Radar writes that previously Arch Linux had "a rather convoluted installation process, which has given rise to a stream of Arch-based distros that are easier to install," adding that the new installer "was reportedly promoted as an official installation mechanism back in January, and was actively worked upon leading to its inclusion in the installation medium." Users have been calling on Arch Linux for simplifying the installation process for a long time, to bring it in line with other Linux distros. However, the Arch philosophy has always been to put the users in charge of every aspect of their installation, which is the antithesis of automated installers.
Phoronix calls the new installer "very quick and easy," although "granted not as user-friendly / polished as say the Debian Installer, Red Hat's Anaconda installer, even Ubuntu's Subiquity, and other TUI/GUI Linux installers out there." They also note that Archinstall "does allow automatically partitioning the drive with your choice of file-system options, automatically installing a desktop environment if desired, configuring the network interfaces, and all the other basics." "The method is quick enough that I'll likely use archinstall for future Arch Linux benchmarks on Phoronix as it also then applies a sane set of defaults for users... Five minutes or less and off to the races, ready for Arch Linux."
But Slashdot reader I75BJC still favors "scary commands in a terminal," leaving this comment on the original submission: If you can't type with the big adults, stay on your PlayStation.

Even Apple, with its very good GUI has a command line. The command line commands are more flexible, more specific, more subtle than the pointy-clicky GUI.

IBM

IBM Creates a COBOL Compiler For Linux On x86 (theregister.com) 188

IBM has announced a COBOL compiler for Linux on x86. "IBM COBOL for Linux on x86 1.1 brings IBM's COBOL compilation technologies and capabilities to the Linux on x86 environment," said IBM in an announcement, describing it as "the latest addition to the IBM COBOL compiler family, which includes Enterprise COBOL for z/OS and COBOL for AIX." The Register reports: COBOL -- the common business-oriented language -- has its roots in the 1950s and is synonymous with the mainframe age and difficulties paying down technical debt accrued since a bygone era of computing. So why is IBM -- which is today obsessed with hybrid clouds -- bothering to offer a COBOL compiler for Linux on x86? Because IBM thinks you may want your COBOL apps in a hybrid cloud, albeit the kind of hybrid IBM fancies, which can mean a mix of z/OS, AIX, mainframes, POWER systems and actual public clouds.
[...]
But the announcement also suggests IBM doesn't completely believe this COBOL on x86 Linux caper has a future as it concludes: "This solution also provides organizations with the flexibility to move workloads back to IBM Z should performance and throughput requirements increase, or to share business logic and data with CICS Transaction Server for z/OS." The new offering requires RHEL 7.8 or later, or Ubuntu Server 16.04 LTS, 18.04 LTS, or later.

Debian

Results of Debian Vote On Stallman To Be Known By April 17 (itwire.com) 387

New submitter juul_advocate shares a report from iTWire: The outcome of a general resolution proposed by the Debian GNU/Linux project, to decide how to react to the return of Free Software Foundation founder Richard Stallman to the board, will be known on April 17, with voting now underway. The original proposal for a GR was made by Steve Langasek, who also works for Canonical, the company behind Ubuntu, and calls for co-signing an existing letter which wants Stallman gone and the FSF board sacked. There has been a lot of discussion around the issue.

Six alternatives have been proposed. The proposals are:
- remove the entire FSF board as in an existing letter;
- seek Stallman's resignation from all FSF bodies;
- discourage collaboration with the FSF while Stallman remains in a leading position;
- ask FSF to further its governance processes;
- support Stallman's reinstatement;
- denounce the witch hunt against Stallman and the FSF; and
- issue no public statement on the issue.
During the organization's LibrePlanet virtual event on March 19, Stallman announced that he was rejoining the board and does not intend to resign again. His return has drawn condemnation from many people in the free software community. Just days after his announcement, an open letter calling for Stallman to be removed again and for the FSF's entire board to resign was signed by hundreds of people.

Linux giant Red Hat has decided to pull funding, while the 'Open Source Initiative' said that it "will not participate in any events that include Richard M. Stallman," adding that it "cannot collaborate with the Free Software Foundation until Stallman is removed from the organization's leadership."
Operating Systems

AlmaLinux Released As a Stable RHEL Clone For Those Who Liked CentOS (zdnet.com) 43

Long-time Slashdot reader xiando quotes the backstory from LinuxReviews.org: CentOS used to be the go-to alternative for those who wanted to use Red Hat Enterprise Linux (RHEL) without having to pay RedHat to use it. It was an almost 1:1 clone until RedHat took control of it and turned it into what is now a RHEL beta-version, not a stable RHEL release without the branding. Almalinux is one of several projects that have made their own RHEL forks in response. The first Almalinux version is now released.
ZDNet notes that CentOS co-founder Gregory Kurtzer has announced his own RHEL clone and CentOS replacement named Rocky Linux. But they offer this report on AlmaLinux: CloudLinux — which was founded in 2009 to provide a customized, high-performance, lightweight RHEL/CentOS server clone for multitenancy web and server hosting companies — came ready to deliver. The new free AlmaLinux is now stable and ready for production workloads. The company also announced the formation of a non-profit organization: AlmaLinux Open Source Foundation. This group will take over managing the AlmaLinux project going forward. CloudLinux has committed a $1 million annual endowment to support the project.

Jack Aboutboul, former Red Hat and Fedora engineer and architect, will be AlmaLinux's community manager. Altogether, Aboutboul brings over 20 years of experience in open-source communities as a participant, manager, and evangelist... "In an effort to fill the void soon to be left by the demise of CentOS as a stable release, AlmaLinux has been developed in close collaboration with the Linux community," said Aboutboul in a statement. "These efforts resulted in a production-ready alternative to CentOS that is supported by community members...."

In talking with CentOS business users, who deployed CentOS on web and host servers, I found many of them to be very hopeful about AlmaLinux. One from a mid-Atlantic-based Linux hosting company said, "What we want is a stable Linux that our customers can rely on from year to year. Since CentOS Stream can't deliver that, we think — hope — that AlmaLinux can do it for us and our users instead...."

This first release of AlmaLinux is a one-to-one binary compatible fork of RHEL 8.3. Looking ahead, AlmaLinux will seek to keep step-in-step with future RHEL releases... The GitHub page has already been published and the completed source code has been published in the main download repository. The CloudLinux engineering team has also published FAQ on AlmaLinux Wiki.

"The sudden shift in direction for CentOS that was announced in December created a big void for millions of CentOS users," said Simon Phipps, open source advocate and a former president of the Open Source Initiative who is on the governing board of the AlmaLinux project. In a statement, Phipps said that "As a drop-in open-source replacement, AlmaLinux provides those users with continuity and new opportunity to be part of a vibrant community built around creating and supporting this new Linux distribution under non-profit governance.

"I give a lot of credit to CloudLinux for stepping in to offer CentOS users a lifeline to continue with AlmaLinux."
The Courts

SCO Linux FUD Returns From the Dead (zdnet.com) 128

wiredog shares a ZDNet report: I have literally been covering SCO's legal attempts to prove that IBM illegally copied Unix's source code into Linux for over 17 years. I've written well over 500 stories on this lawsuit and its variants. I really thought it was dead, done, and buried. I was wrong. Xinuos, which bought SCO's Unix products and intellectual property (IP) in 2011, like a bad zombie movie, is now suing IBM and Red Hat [for] "illegally Copying Xinuos' software code for its server operating systems." For those of you who haven't been around for this epic IP lawsuit, you can get the full story with "27 eight-by-ten color glossy photographs and circles and arrows and a paragraph on the back of each one" from Groklaw. If you'd rather not spend a couple of weeks going over the cases, here's my shortened version. Back in 2001, SCO, a Unix company, joined forces with Caldera, a Linux company, to form what should have been a major Red Hat rival. Instead, two years later, SCO sued IBM in an all-out legal attack against Linux.

The fact that most of you don't know either company's name gives you an idea of how well that lawsuit went. SCO's Linux lawsuit made no sense and no one at the time gave it much of a chance of succeeding. Over time it was revealed that Microsoft had been using SCO as a sock puppet against Linux. Unfortunately for Microsoft and SCO, it soon became abundantly clear that SCO didn't have a real case against Linux and its allies. SCO lost battle after battle. The fatal blow came in 2007 when SCO was proven to have never owned the copyrights to Unix. So, by 2011, the only thing of value left in SCO, its Unix operating systems, was sold to UnXis. This acquisition, which puzzled most, actually made some sense. SCO's Unix products, OpenServer and Unixware, still had a small, but real market. At the time, UnXis, now under the name Xinuos, stated it had no interest in SCO's worthless lawsuits. In 2016, CEO Sean Snyder said, "We are not SCO. We are investors who bought the products. We did not buy the ability to pursue litigation against IBM, and we have absolutely no interest in that." So, what changed? The company appears to have fallen on hard times. As Snyder stated: "systems, like our FreeBSD-based OpenServer 10, have been pushed out of the market." Officially, in his statement, Snyder now says, "While this case is about Xinuos and the theft of our intellectual property, it is also about market manipulation that has harmed consumers, competitors, the open-source community, and innovation itself."

Red Hat Software

Red Hat Pulls Free Software Foundation Funding Over Richard Stallman's Return (theregister.com) 459

nickwinlund77 shares a report from The Register: The chorus of disapproval over Richard M Stallman, founder and former president of the Free Software Foundation (FSF), rejoining the organization has intensified as Linux giant Red Hat confirmed it was pulling funding. Stallman announced he had returned to the FSF's Board of Directors last weekend -- news that has not gone down well with all in the community and Red Hat is the latest to register its dismay.

CTO Chris Wright tweeted overnight: "I am really outraged by FSF's decision to reinstate RMS. At a moment in time where diversity and inclusion awareness is growing, this is a step backwards." Describing itself as "appalled" at the return of Stallman to the FSF board of directors "considering the circumstances of Richard Stallman's original resignation in 2019," Red Hat said it decided to act. "We are immediately suspending all Red Hat funding of the FSF and any FSF-hosted events. In addition, many Red Hat contributors have told us they no longer plan to participate in FSF-led or backed events, and we stand behind them," said Red Hat.

Open Source

Linus Torvalds On Where Rust Will Fit Into Linux (zdnet.com) 115

An anonymous reader shares an excerpt from a ZDNet article, written by Steven J. Vaughan-Nichols: Linux is the poster-child for the C language. But times change. The Rust language has been slowly gathering support for use as a system language in Linux. For example, at the 2020 Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. So, where is it today? I asked Linux's creator, Linus Torvalds, and the Linux stable kernel maintainer Greg Kroah-Hartman for their thoughts. [...] What does Torvalds make of all this? He's in "the 'wait and see' camp -- I'm interested in the project, but I think it's driven by people who are very excited about Rust, and I want to see how it actually then ends up working in practice." "Personally," Torvalds is "in no way 'pushing' for Rust, [but] I'm open to it considering the promised advantages and avoiding some safety pitfalls, but I also know that sometimes promises don't pan out."

Torvalds thinks "Rust's primary first target seems to be drivers, simply because that's where you find just a lot of different possible targets, and you have these individual parts of the kernel that are fairly small and independent. That may not be a very interesting target to some people, but it's the obvious one." Another point is taking on drivers first for "any initial trials to drivers is simply the architecture side," said Torvalds. "Lots of drivers are only relevant on a couple of target architectures, so the whole issue with Rust code not being supported on some architectures is less of an issue." Kroah-Hartman agrees that "drivers are probably the first place for an attempt like this as they are the 'end leafs' of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them."

Torvalds knows some people don't like the idea of Rust in userspace at all. "People complain[ing] about 'Rustification' in userspace isn't a great sign for any future kernel use, but hey, we'll see. The kernel is different from userspace projects -- more difficult in some respects (we use a lot of very odd header files that pushes the boundary of what can be called 'C'), but easier in many other respects (mainly in the sense that the kernel is fairly self-contained, and then doesn't rely on other projects for the final binary)." From where Kroah-Hartman sits, "it will all come down to how well the interaction between the kernel core structures and lifetime rules that are written in C can be mapped into Rust structures and lifetime rules for drivers in Rust to be able to use them properly. That's going to take a lot of careful work by the developers wanting to hook this all up and I wish them the best of luck."

Programming

Rust Takes 'Tentative First Step' Toward Linux Kernel (thenewstack.io) 120

In his This Week in Programming column, Mike Melanson writes: Rustaceans' dreams of Rust's inclusion in the Linux kernel are one tiny, ever so slight step closer to becoming a reality, with this week's "intentionally bare-bones" inclusion in Linux-next, the development branch of the Linux kernel... Curb your enthusiasm, however, as this remains a rather tentative first step of many necessary steps before Rust fully lands in the Linux kernel.

A rather brief post on LWN.net summarizes where we are rather succinctly:

Followers of the linux-next integration tree may have noticed a significant addition: initial support for writing device drivers in the Rust language. There is some documentation in Documentation/rust, while the code itself is in the rust top-level directory. Appearance in linux-next generally implies readiness for the upcoming merge window, but it is not clear if that is the case here; this code has not seen a lot of wider review yet. It is, regardless, an important step toward the ability to write drivers in a safer language.

Indeed, Miguel Ojeda, a software developer and maintainer of the Rust for Linux project writes that the proposed inclusion "does not mean we will make it into mainline, of course, but it is a nice step to make things as smooth as possible," with some changes expected before any decision as to Rust's inclusion are made.

For those of you less familiar with Rust, part of the appeal here comes with Rust's memory safety features, especially in comparison to C, which the Linux kernel is currently coded in. Part of the problem, however, is that Rust is compiled based on LLVM, as opposed to GCC, and subsequently supports fewer architectures. This is a problem we've seen play out recently, as the Python cryptography library has replaced some old C code with Rust, leading to a situation where certain architectures will not be supported. Presently, the proposal to include Rust in the Linux kernel limits this issue by saying that Rust would be used, at least initially, for writing drivers that, as noted in another LWN.net article on the topic, "would never be used on the more obscure architectures anyway."

Bug

Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges (scmagazine.com) 94

"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well."

Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible."

The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...."

The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of-life and will not receive patches.
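Two checks follow from the story: is the running kernel at or past the fixed release for its stable series, and can the iSCSI module still be loaded by an unprivileged trigger on a box where it is not needed? The script below is an added example written for this page, not code from GRIMM or the article. It takes the fixed releases from the list above; the module names in ISCSI_MODULES (libiscsi, scsi_transport_iscsi, iscsi_tcp) are an assumption, since the article only says "the iSCSI module", and SAMPLE_CONF is a constructed modprobe.d file used for the worked check. Two caveats it encodes: the version comparison is only meaningful for upstream stable version numbers (RHEL-style kernels such as 4.18.0-* backport fixes without changing the version, so there the vendor advisory is the source of truth), and a `blacklist` line is not a mitigation on its own, because it stops only alias-based auto-loading; an `install <module> /bin/false` line blocks every load path.

```python
"""Added example, not from the article or from GRIMM: classify a running
kernel against the fixed stable releases the article lists, and check whether
modprobe configuration actually prevents the iSCSI transport modules from
being loaded. Module names are an assumption (the article says only "the
iSCSI module"); adjust ISCSI_MODULES for your distribution."""
import glob
import os
import re

# Fixed stable releases from the article: stable series -> first fixed patch level.
FIXED = {(5, 11): 4, (5, 10): 21, (5, 4): 103, (4, 19): 179,
         (4, 14): 224, (4, 9): 260, (4, 4): 260}

# Assumed names for the iSCSI transport stack (not taken from the article).
ISCSI_MODULES = ("libiscsi", "scsi_transport_iscsi", "iscsi_tcp")

# Constructed sample of an /etc/modprobe.d file, used for the worked check.
SAMPLE_CONF = """\
# keep the iSCSI transport stack off this host until the kernel is updated
install libiscsi /bin/false
# alias-only: a direct modprobe or a dependency pull still loads iscsi_tcp
blacklist iscsi_tcp
"""

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """'5.10.21-generic' -> (5, 10, 21); a missing patch level counts as 0."""
    m = _RELEASE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_status(release):
    """Return 'patched', 'vulnerable' or 'eol' for an upstream stable kernel.

    Only meaningful for upstream version numbers: distribution kernels such as
    RHEL's 4.18.0-* backport fixes without bumping the version, so for those
    the answer has to come from the vendor advisory, not from this function.
    """
    major, minor, patch = parse_release(release)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is not None:
        return "patched" if patch >= fixed_patch else "vulnerable"
    if (major, minor) > (5, 11):
        return "patched"     # newer than the newest series in the article
    return "eol"             # older series: the article says no patch will come


def module_blocked(module, conf_text):
    """True if modprobe.d content stops `module` from loading at all.

    `install <mod> /bin/false` (or /bin/true) defeats every load path,
    including the user-triggerable auto-load the article describes.
    `blacklist <mod>` only suppresses alias-based auto-loading, so it is
    deliberately not counted as blocking.
    """
    pattern = re.compile(r"^\s*install\s+%s\s+(/usr)?/bin/(false|true)(\s|$)"
                         % re.escape(module))
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # modprobe.d comment line
            continue
        if pattern.match(line):
            return True
    return False


def host_modprobe_conf(pattern="/etc/modprobe.d/*.conf"):
    """Concatenate the host's modprobe.d files ('' if none are readable)."""
    chunks = []
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path) as fh:
                chunks.append(fh.read())
        except OSError:
            pass
    return "\n".join(chunks)


def host_loaded_modules(proc_modules="/proc/modules"):
    """Names of loaded modules from /proc/modules (empty set if unreadable)."""
    try:
        with open(proc_modules) as fh:
            return {line.split()[0] for line in fh if line.strip()}
    except OSError:
        return set()


def exposure(release, conf_text, loaded):
    """Kernel status plus 'loaded' / 'blocked' / 'loadable' per iSCSI module."""
    result = {"kernel": kernel_status(release)}
    for mod in ISCSI_MODULES:
        if mod in loaded:
            result[mod] = "loaded"
        elif module_blocked(mod, conf_text):
            result[mod] = "blocked"
        else:
            result[mod] = "loadable"
    return result


if __name__ == "__main__":
    report = exposure(os.uname().release, host_modprobe_conf(), host_loaded_modules())
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

Run it as root or not; it only reads /proc/modules and /etc/modprobe.d. A module reported as "loadable" on a vulnerable kernel is the exposure Nichols describes: nothing is loaded yet, but a local user may be able to get it loaded.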

Data Storage

7-Zip Developer Releases the First Official Linux Version (bleepingcomputer.com) 87

An official version of the popular 7-zip archiving program has been released for Linux for the first time. Bleeping Computer reports: Linux already had support for the 7-zip archive file format through a POSIX port called p7zip but it was maintained by a different developer. As the p7zip developer has not maintained their project for 4-5 years, 7-Zip developer Igor Pavlov decided to create a new official Linux version based on the latest 7-Zip source code. Pavlov has released 7-Zip for Linux in AMD64, ARM64, x86, and armhf versions, which users can download [via their respective links].

"These new 7-Zip binaries for Linux were linked (compiled) by GCC without -static switch. And compiled 32-bit executables (x86 and armhf) didn't work on some arm64 and amd64 systems, probably because of missing of some required .so files." "Please write here, if you have some advice how to compile and link binaries that will work in most Linux systems," Pavlov stated on his release page.

Security

Linux Foundation Debuts Sigstore Project for Software Signing (darkreading.com) 19

The Linux Foundation has announced the launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process. From a report: Sigstore will be free for software providers and developers, who can use it to securely sign software artifacts such as release files, container images, binaries, and bill-of-material manifests. Signing materials are then stored in a tamper-proof public log. The service's code and operation tooling will be fully open source and maintained and developed by the Sigstore community. Founding members include Red Hat, Google, and Purdue University. The idea for the service came from Luke Hinds, security engineering lead in Red Hat's Office of the CTO. He pitched the concept to Google software engineer Dan Lorenc, and the two began to work on it. Now the Sigstore project has a "small but agile community" working on its development, Lorenc says.
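The "tamper-proof public log" in the report is, more precisely, a tamper-evident transparency log: Sigstore's log (Rekor) is a Merkle tree, and what a verifier actually checks is an inclusion proof against a tree head it already trusts. The block below is an added example written for this page, not Sigstore's code; it implements the RFC 6962 hashing scheme (leaf hash over 0x00||data, node hash over 0x01||left||right) with proof generation and the RFC 9162 verification walk, and it goes beyond the report in that generality. The signing records in SAMPLE_ENTRIES are constructed, with made-up artifact names and signer addresses, and signing_record is a hypothetical entry format, not Rekor's.

```python
"""Added example, not Sigstore's own code: the RFC 6962 Merkle-tree hashing
scheme used by transparency logs such as Sigstore's Rekor. A client that keeps
only the tree head can check an inclusion proof for any entry, and any later
change to a recorded entry changes the root that others already hold, which is
what makes the log tamper-evident. Entries here are constructed records."""
import hashlib


def leaf_hash(data):
    """Leaf hash: SHA-256 over 0x00 || data (domain-separated from nodes)."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    """Interior node hash: SHA-256 over 0x01 || left || right."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n):
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves):
    """Merkle tree hash of an ordered list of leaf byte strings."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split_point(n)
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root (the RFC 6962 audit path)."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [root_hash(leaves[:k])]


def verify_inclusion(leaf, index, tree_size, proof, expected_root):
    """Recompute the root from `leaf` and `proof`; True iff it equals expected_root.

    Bottom-up walk in which the leaf's position decides on which side each
    sibling goes (the inclusion-proof verification procedure of RFC 9162).
    """
    if index >= tree_size:
        return False
    h = leaf_hash(leaf)
    fn, sn = index, tree_size - 1
    for sibling in proof:
        if sn == 0:
            return False            # more proof elements than tree levels
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)
            while not fn & 1 and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            h = node_hash(h, sibling)
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == expected_root


def signing_record(artifact_name, artifact_bytes, signer):
    """One log entry for a signed artifact (hypothetical format, not Rekor's)."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return ("artifact=%s sha256=%s signer=%s" % (artifact_name, digest, signer)).encode()


# Constructed entries for five made-up releases (not real Sigstore data).
SAMPLE_ENTRIES = [
    signing_record("release-1.%d.0.tar.gz" % i, b"constructed artifact %d" % i,
                   "dev%d@example.org" % i)
    for i in range(5)
]

if __name__ == "__main__":
    root = root_hash(SAMPLE_ENTRIES)
    proof = inclusion_proof(SAMPLE_ENTRIES, 3)
    size = len(SAMPLE_ENTRIES)
    print("tree head:", root.hex())
    print("entry 3 included:", verify_inclusion(SAMPLE_ENTRIES[3], 3, size, proof, root))
    forged = SAMPLE_ENTRIES[3].replace(b"dev3", b"evil")
    print("forged entry 3 included:", verify_inclusion(forged, 3, size, proof, root))
```

The property worth noticing is the asymmetry: a verifier needs only the 32-byte tree head plus a proof of log(n) hashes, never the whole log, yet it cannot be satisfied by an entry the log did not contain when that head was published. In a real deployment the tree head is itself signed by the log and monitored for consistency across time, which is the part this example leaves out.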
Windows

A Retired Microsoft OS Engineer's Comparison of Linux with Windows (youtu.be) 231

David Plummer is a retired Microsoft operating systems engineer, "going back to the MS-DOS and Windows 95 days." (He adds that in the early '90s he'd fixed a few handle leaks in the early source code of Linux, "and sent my changes off to Linus at Rutgers.")

This weekend on YouTube he shared his thoughts on "the classic confrontation: Windows versus Linux," promising an "epic operating systems face-off." Some highlights: On Usability: "Linux itself lacks a proper user interface beyond the command line. That command line can be incredibly powerful, particularly if you're adept with Bash or Zsh or similar, but you can't really describe it as particularly usable. Of course most distributions do come with a desktop user interface of some kind if you prefer, but as a bit of a shell designer myself, if I might be so bold, they're generally pretty terrible. At least the Mint distribution looks pretty nice.

"Windows, on the other hand, includes by default a desktop shell interface that, if you set aside the entirely subjective design aesthetics, is professionally designed, usability tested and takes into consideration the varying levels of accessibility required by people with different limitations. In terms of usability, particularly if you do include accessibility in that metric, Windows comes out ahead..."

On Updates: "Windows users are well served by a dedicated Windows Update team at Microsoft, but the process has occasionally had its hiccups and growing pains. It's very easy to update a Linux system, and while there's no professional team sitting by the big red phone ready to respond to Day Zero exploits, the updates do come out with reasonable alacrity, and in some cases you can even update the kernel without rebooting.

"Keep in mind, however, that Linux is a monolithic kernel, which means that it's all one big happy kernel. Almost everything is in there. If they hadn't started to add that ability a few years back, you'd be rebooting for every driver install. The reality is that some parts of the Linux kernel are just going to require a reboot, just as some parts of the Windows system are going to as well. I think we can likely all agree, however, that Windows software is hardly selective about rebooting the system, and you're asked to do it far too often.

"While we're on the topic of upgrades, we can't overlook the fact that upgrades are generally free in the Open Source world, unless you're using a pre-built distribution from a vendor. To its credit, though, I don't remember the last time Microsoft actually charged for an operating system upgrade if you were just a normal end user or enthusiast. Still, this point goes to Linux."

Plummer also says he agrees with the argument that open source software is more open to security exploits, "simply because, all else equal, it's easy to figure out where the bugs are to exploit in the first place," while proprietary software has professional test organizations hunting for bugs. "I think it's a bit of a fallacy to rely on the 'many eyeballs' approach..."

Yet he still ultimately concludes Linux is more secure simply because the vast universe of Windows makes it a much more attractive target. Especially since most Windows users retain full administrator privileges...

Linux

What's the Best Linux Distro for Enhanced Privacy and Security? (linuxsecurity.com) 95

Slashdot reader b-dayyy quotes the Linux Security blog: While all Linux 'distros' — or distributed versions of Linux software — are secure by design, certain distros go above and beyond when it comes to protecting users' privacy and security. We've put together a list of our favorite specialized secure Linux distros and spoken with some of their lead developers to find out first-hand what makes these distros so great.
This "favorites" list cites six "excellent specialized secure Linux distros." Some highlights from the article:
  • In a conversation with the LinuxSecurity editors, Qubes OS Community Manager Andrew David Wong elaborated, "Rather than attempting to fix all of the security bugs in software, Qubes assumes that all software is buggy and compartmentalizes it accordingly, so that when flaws are inevitably exploited, the damage is contained and the user's most valuable data is protected."
  • A Kali Linux contributor provides some insight into the distro's history and the benefits it offers users: "Named after a Hindu goddess, Kali has been around for a long time — but it's still updated weekly, can be run in live mode or installed to a drive, and can also be used on ARM devices like Raspberry Pi."

Obviously there's strong opinions among Slashdot readers. So share your own thoughts in the comments.

Bug

Torvalds Warns the World: Don't Use the Linux 5.12-rc1 Kernel (arstechnica.com) 124

"In a message to the Linux Kernel Mailing List Wednesday, founding developer Linus Torvalds warned the world not to use the 5.12-rc1 kernel in his public git tree..." writes Ars Technica: As it turns out, when Linus Torvalds flags some code "dontuse", he really means it — the problem with this 5.12 release candidate broke swapfile handling in a very unpleasant way. Specifically, the updated code would lose the proper offset pointing to the beginning of the swapfile. Again, in Torvalds' own words, "swapping still happened, but it happened to the wrong part of the filesystem, with the obvious catastrophic end results."

If your imagination is insufficient, this means that when the kernel paged contents of memory out to disk, the data would land on random parts of the same disk and partition the swapfile lived on... not as files, mind you, but as garbage spewed directly to raw sectors on the disk. This means overwriting not only data in existing files, but also rather large chunks of metadata whose corruption would likely render the entire filesystem unmountable and unusable.

Torvalds goes on to point out that if you aren't using swap at all, this problem wouldn't bite you. And if you're using swap partitions, rather than swap files, you'd be similarly unaffected...

Torvalds also advised anyone who'd already pulled his git tree to do a git tag -d v5.12-rc1 "to actually get rid of the original tag name..." — or at least, to not use it for anything.

"I want everybody to be aware..." Torvalds writes, "because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'."
Operating Systems

Linus Torvalds Went Six Days Without Electricity, Swears Smaller 5.12 Kernel Is Co-Incidental (theregister.com) 58

Linux overlord Linus Torvalds has revealed that inclement weather in the USA meant he recently endured six electricity-free days in his Portland, Oregon, home during which he was unable to tend to the kernel. As a result he therefore pondered adding an extra week to the merge window for version 5.12 of the Linux kernel. The Register reports: "As you can tell, I didn't do that," he said in his State of The Kernel update that announced release candidate one of the new kernel cut. "To a large part because people were actually very good about sending in their pull requests, so by the time I finally got power back, everything was nicely lined up and I got things merged up ok." It wasn't just penguinistas behaving well that helped. Torvalds said this version of the kernel has received around 10,000 commits. That's rather fewer than the 12,000 or 13,000 he usually sees.

In case anyone was inconvenienced by blackout-induced inability to merge, Torvalds said he's open to help any kernel devs for whom his unavailability caused problems but is not open to all late pulls. Torvalds rated the new release as offering "a fair amount of historical cleanup" on account of "removing the legacy OPROFILE support (the user tools have been using the "perf" interface for years), and removing several legacy SoC platforms and various drivers that no longer make any sense." Among the big inclusions in 5.12 are Clang Link-Time Optimizations, which make for better compiler performance, and support for Intel's eASIC NX5 silicon that aims to offer an alternative to FPGAs in edge and cloud applications. Qualcomm's Snapdragon 888 5G SoC also gains support.

Operating Systems

Linux Mint Developers Will Force Updates on Users Like Microsoft Does with Windows 10 (ghacks.net) 142

AmiMoJo shares a report: Last month, the Linux Mint team published a post on the organization's official blog about the importance of installing security updates on machines running the Linux distribution. The essence of the post was that a sizeable number of Linux Mint devices was running outdated applications, packages or even an outdated version of the operating system itself. A sizeable number of devices run on Linux Mint 17.x, according to the blog post, a version of Linux Mint that reached end of support in April 2019. A new blog post, published yesterday, provides information on how the team plans to reduce the update reluctance of Linux Mint users. Next to showing reminders to users, Linux Mint's Update Manager may enforce some of the updates according to the blog post.

"In some cases the Update Manager will be able to remind you to apply updates. In a few of them it might even insist." Upcoming versions will provide information on the implementation, what the "insisting" part may look like, and whether the installation of updates will be enforced. All of this boils down to a single question: how far should operating system developers go when it comes to updates?
BetaNews adds: "And now, it seems the Linux Mint developers are taking a page out of Microsoft's playbook by planning to force some updates on its users. Yes, folks, Linux Mint is becoming more like Windows 10."
Security

Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall (linuxsecurity.com) 66

Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.

CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP.

The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure.

The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.

Linux

Kali Linux 2021.1 Released: Tweaked DEs and Terminals, New Tools, Silicon Macs 10

Slashdot reader Finuz writes: Offensive Security has released Kali Linux 2021.1, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it. Kali NetHunter, the distro's mobile pentesting platform, now has an upgraded BusyBox engine and tools updated to the latest version (or, in some cases, completely rewritten). There are two new Kali ARM images: one that can be used with VMs on Apple Silicon Macs (Apple M1) and the other for the Raspberry Pi 400's wireless card.
Red Hat Software

Red Hat Introduces Free RHEL for Open-Source Organizations (zdnet.com) 83

ZDNet brings an update about the future of Red Hat Enterprise Linux: When Red Hat, CentOS's Linux parent company, announced it was "shifting focus from CentOS Linux, the rebuild of Red Hat Enterprise Linux (RHEL), to CentOS Stream," CentOS users were not happy. Now, in an effort to mollify them and to keep its promise to open-source organizations, Red Hat is introducing a new, free RHEL for Open Source Infrastructure. If your non-profit organization, project, standards body, or foundation is "engaged with open source," you can get a free RHEL subscription via this program. Earlier this year, Red Hat introduced no-cost RHEL for small production workloads and for customer development teams...

Jason Brooks, a Red Hat Open Source Program Office Manager explained:

Supporting the open-source software ecosystem is a core objective for Red Hat... We know that we are part of a larger, interdependent ecosystem that we benefit from and which we do our best to foster and support. This support comes in many forms, but often includes helping open source software projects, foundations, and standards bodies access enterprise technologies for development and testing.

We frequently provide no-cost access to RHEL to these groups, but the process isn't as formalized, consistent, accessible, or transparent as we'd like it to be. With the announcement that we will be shifting our resources to CentOS Stream at the end of 2021, we want to make sure that those organizations engaged with open source have access to RHEL as they build and test the future of open-source software...

The GNOME Foundation's executive director Neil McGovern, said:

As a non-profit, we rely on donations to help us achieve our goal of a world where everyone is empowered by technology they can trust. RHEL subscriptions are an essential part of this. With full operating system management and security updates, we can concentrate on the services we provide to GNOME users and developers without having to worry about the underlying systems. Red Hat has generously provided these services to GNOME at zero cost for years, and we look forward to continuing our relationship for a long time to come.

GNOME is also the default desktop in RHEL Workstation.

Google

Google Sponsors 2 Full-Time Devs To Improve Linux Security (theregister.com) 53

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security. From a report: The internet giant builds code from its own repositories rather than downloading outside binaries, though given the pace at which code is being added to Linux, this task is non-trivial. Google's open-source security team lead Dan Lorenc spoke to The Register about its approach, and why it will not use pre-built binaries despite their convenience. But first: the two individuals sponsored full-time by Google are Gustavo Silva, whose work includes eliminating some classes of buffer overflow risks and on kernel self-protection, and Nathan Chancellor, who fixes bugs in the Clang/LLVM compilers and improves compiler warnings. Both are already working at the Linux Foundation, so what is new?

"Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us. "We've actually been sponsoring it within the Foundation for a number of years. The main change is that we're trying to talk about it more, to encourage other companies to participate. It's a model that works, we're trying to expand it, find contributors that want to turn this into a full-time thing, and giving them the funding to do that." It is in the nature of open source that Google's funding benefits other Linux users, and it is also in the company's interests. How important is Linux to Google? "It's absolutely critical. Google started on Linux. We use it everywhere," says Lorenc. That being the case, why can Google only manage "Gold" membership of the Linux Foundation ($100,000 per annum), whereas others including Microsoft, Intel, Facebook, and Red Hat are "Platinum", which contributes $500,000 annually? "I'm not sure about that stuff. There are dozens of sub-foundations which we are also members of," he adds. Google is ahead of AWS, which is a mere "Silver" member ($20,000 a year).

Mars

Linux Is Now on Mars, Thanks to NASA's Perseverance Rover (pcmag.com) 68

"When NASA's Perseverance rover landed on Mars this week, it also brought the Linux operating system to the Red Planet," reports PC Magazine: The tidbit was mentioned in an interview NASA software engineer Tim Canham gave to IEEE Spectrum. The helicopter-like drone on board the Perseverance rover uses a Linux-powered software framework the space agency open-sourced a few years ago. "This is the first time we'll be flying Linux on Mars. We're actually running on a Linux operating system," Canham said.

It also might be the first time NASA has brought a Linux-based device to Mars. "There isn't a previous use of Linux that I'm aware of, definitely on the previous rovers," Canham told PCMag in an email.

Past Mars rovers have used proprietary OSes, largely from the software company Wind River Systems. The same is true for the Perseverance rover itself; the machine has been installed with Wind River's VxWorks, which was used on past Mars missions.

The article also notes that the helicopter-like drone Ingenuity "was built using off-the-shelf parts, including Qualcomm's Snapdragon 801 processor, a smartphone chip."

"Ingenuity is purely a technology demonstration," notes ZDNet. "It's not designed to support the Perseverance mission, which is searching for signs of ancient life and collecting rock and dirt samples for later missions to return to Earth. Its mission is to show that it's possible to fly on Mars using commercial off-the-shelf hardware and open-source software."
Open Source

Did Linux Kill Commercial Unix? (howtogeek.com) 280

When Dave McKay first used computers, punched paper tape was in vogue, "and he has been programming ever since," according to his biography page at How-To Geek. It adds that "His use of computers pre-dates the birth of the PC and the public release of Unix."

Now long-time Slashdot reader sbinning shares McKay's "short history of UNIX and how Linux got its start," which ultimately asks if commercial Unix was killed by Linux: Unix is still out there, running mission-critical systems that are functioning correctly, and operating stably. That'll continue until the support for the applications, operating systems or hardware platform ceases. If something's genuinely mission-critical and it's working, you leave it working. I suspect someone, somewhere, will always be running a commercial UNIX or Unix-like operating system.

But for new installs? There are enough variations of Linux to make the case to go for a commercial Unix very, very difficult.

AMD

AMD Is Currently Hiring More Linux Engineers (phoronix.com) 24

According to Phoronix, AMD currently has several interesting job openings on the Linux front. From the report: While AMD has been delivering reliable Linux support with their recent launches, there is room for improvement in areas like more timely compiler support for new processors, better alignment of their new hardware enablement for getting the code not only upstreamed but into distributions for launch-day, and similar areas. Based on recent job postings, it looks like AMD is working to make such strides.

Here is a look at some of the new and currently active Linux-related job openings at AMD: [Manager Linux Kernel Development, Linux Technical Lead, Linux Engineer, and Linux Systems Architect, among other traditional software/hardware engineering roles].

Several of these new job descriptions do begin with, "step up into a new organization built to engage more strategically and deeply with the technical teams of our commercial customers." Interestingly, I only see that opening line on their current Linux job postings. When asking AMD if there is a "new (Linux) organization" at AMD, the comment was there is no organization to announce but this is part of the overall expansion at AMD. So for now it's back to dreaming about a new unit akin to the defunct AMD Operating System Research Center that previously drove their Linux support or Intel's former Open-Source Technology Center.

Open Source

AlmaLinux Releases Beta of Their CentOS/RHEL 8 Fork (almalinux.org) 13

AlmaLinux describes itself as "an open-source, community-driven project that intends to fill the gap left by the demise of the CentOS stable release." And now AlmaLinux "has announced their beta release of their CentOS/RHEL 8 fork," writes Slashdot reader juniorkindergarten.

AlmaLinux will be getting $1 million a year in development funding from CloudLinux (the company behind CloudLinux OS, a CentOS clone with over 200,000 active server instances). Their CEO stresses that AlmaLinux "is built with CloudLinux expertise but will be owned and governed by the community. We intend to deliver this forever-free Linux distribution this quarter." And they've committed to supporting it through 2029.

Their press release touts AlmaLinux as "a 1:1 binary compatible fork of RHEL 8, with an effortless migration path from CentOS to AlmaLinux. Future RHEL releases will also be forked into a new AlmaLinux release."

From the AlmaLinux blog: We've collected community feedback and built our new beta release around what you would expect from an enterprise-level Linux distribution... inspired by the community and built by the engineers and talent behind CloudLinux. Visit https://almalinux.org to download the Beta images.

With the Beta release deployed, we'd like to ask the community to be involved and provide feedback. We aim to build a Linux distribution entirely from community contributions and feedback. During AlmaLinux Beta, we ask for assistance in testing, documentation, support and future direction for the operating system. Together, we can build a Linux distribution that fills the gap left by the now unsupported CentOS distribution.

On Wednesday they'll be hosting a live QA webinar with the AlmaLinux team. And there's also a small AlmaLinux forum on Reddit.
Open Source

The Open-Source Magma Project Will Become 5G's Linux (zdnet.com) 28

An anonymous reader quotes a report from ZDNet: Magma was developed by Facebook to help telecom operators deploy mobile networks quickly and easily. The project, which Facebook open-sourced in 2019, does this by providing a software-centric distributed mobile packet core and tools for automating network management. This containerized network function integrates with the existing back end of a mobile network and makes it easy to launch new services at the network edge. Magma operators can build and augment modern and efficient mobile networks at scale. It integrates with existing LTE and newly minted 5G networks. Several Magma community members are also collaborating in the Telecom Infra Project (TIP)'s Open Core Network project group. The plan is to define, build, test, and deploy core network products that integrate Magma with TIP Open Core disaggregated hardware and software solutions.

The Linux Foundation will help oversee this new stage in Magma's organizational future. Magma will be managed under a neutral governance framework at the Linux Foundation. Arm, Deutsche Telekom, Facebook, FreedomFi, Qualcomm, the Institute of Wireless Internet of Things at Northeastern University, the OpenAirInterface (OAI) Software Alliance, and the Open Infrastructure Foundation (OIF). You may ask, since Magma is already working with OIF, which is something of a Linux Foundation rival, why Magma will be working with both? Arpit Joshipura, the Linux Foundation's general manager of Networking, Edge, and IoT, explained, "Magma has gotten great community support from several ecosystem players and foundations including OIF, OAI etc. What we are announcing today is the next evolution of the project where the actual hosting of the project is being set up under the Linux Foundation with neutral governance that has been accepted by the community for a long time. OIF, OAI, and LF will work with their communities of Software Developers to contribute to Magma's core project."

Open Source

While Recreating CentOS as 'Rocky Linux', Gregory Kurtzer Also Launches a Sponsoring Startup (arstechnica.com) 63

"Gregory Kurtzer, co-founder of the now-defunct CentOS Linux distribution, has founded a new startup company called Ctrl IQ, which will serve in part as a sponsoring company for the upcoming Rocky Linux distribution," Ars Technica reports: Kurtzer co-founded CentOS Linux in 2004 with mentor Rocky McGaugh, and it operated independently for 10 years until being acquired by Red Hat in 2014. When Red Hat killed off CentOS Linux in a highly controversial December 2020 announcement, Kurtzer immediately announced his intention to recreate CentOS with a new distribution named after his deceased mentor.

The Rocky Linux concept got immediate, positive community reaction — but there's an awful lot of work and expense that goes into creating and maintaining a Linux distribution. The CentOS Linux project itself made that clear when it went for the Red Hat acquisition in 2014; without its own source of funding, the odds of Rocky Linux becoming a complete 1:1 replacement — serving the same massive volume of users that CentOS did — seemed dicey at best.

In a statement Ctrl IQ notes the Rocky Linux community was already "in the thousands of people driving the foundation of the organization..."

And as for Gregory Kurtzer, he was "originally basing Ctrl IQ's stack on CentOS, but he needed to pivot, as did most of the community to something else. Due to the alignment, Greg chose Rocky, and has been asked to help support it." Ars Technica adds: The company describes itself in its announcement as the suppliers of a "full technology stack integrating key capabilities of enterprise, hyper-scale, cloud and high-performance computing..."

Wading through the buzzword bingo, Ctrl IQ's real business seems to be in supplying relatively turn-key infrastructure for high-performance computing (HPC) workloads, capable of running distributed across multiple sites and/or cloud providers... Not all of Ctrl IQ's offerings are theoretical. Warewulf, also founded by Kurtzer, is currently developed and maintained by the US Department of Energy. Anyone can freely download and use Warewulf, but it's not difficult to imagine value added in consulting with one of its founders...

Ctrl IQ is one of three Tier 1 sponsors identified by the Rocky Linux project, along with Amazon Web Services (which provides core build infrastructure) and Mattermost, which is providing enterprise collaboration services...

Rocky Linux is generally expected to be widely available in Q2 2021, with a first-release candidate build expected on March 31.

Security

10-year-old Sudo Bug Lets Linux Users Gain Root-Level Access (zdnet.com) 166

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. From a report: The vulnerability, which received a CVE identifier of CVE-2021-3156, but is more commonly known as "Baron Samedit," was discovered by security auditing firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1.9.5p2. In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn't listed in /etc/sudoers -- a config file that controls which users are allowed access to su or sudo commands in the first place.
Red Hat Software

CentOS Is Gone -- But RHEL Is Now Free For Up To 16 Production Servers (arstechnica.com) 129

An anonymous reader quotes a report from Ars Technica: Last month, Red Hat caused a lot of consternation in the enthusiast and small business Linux world when it announced the discontinuation of CentOS Linux. Long-standing tradition -- and ambiguity in Red Hat's posted terms -- led users to believe that CentOS 8 would be available until 2029, just like the RHEL 8 it was based on. Red Hat's early termination of CentOS 8 in 2021 cut eight of those 10 years away, leaving thousands of users stranded. Red Hat's December announcement of CentOS Stream -- which it initially billed as a "replacement" for CentOS Linux -- left many users confused about its role in the updated Red Hat ecosystem.

As of February 1, 2021, Red Hat will make RHEL available at no cost for small-production workloads -- with "small" defined as 16 systems or fewer. This access to no-cost production RHEL is by way of the newly expanded Red Hat Developer Subscription program, and it comes with no strings -- in Red Hat's words, "this isn't a sales program, and no sales representative will follow up." Red Hat is also expanding the availability of developer subscriptions to teams, as well as individual users. Moving forward, subscribing RHEL customers can add entire dev teams to the developer subscription program at no cost. This allows the entire team to use Red Hat Cloud Access for simplified deployment and maintenance of RHEL on well-known cloud providers, including AWS, Google Cloud, and Microsoft Azure.

Wine

Wine 6.0 Released (windowscentral.com) 100

Wine 6.0 has been released today and contains over 8,300 changes, according to its full release notes. Windows Central reports: The new release of version 6.0 has thousands of changes, but Wine's website highlights some of the biggest improvements: Core modules in PE format; Vulkan backend for WineD3D; DirectShow and Media Foundation support; and Text console redesign. The full release notes for Wine 6.0 explain that the core DLLs, which include NTDLL, KERNEL32, GDI32, and USER32 are now built in the Portable Executable (PE) format. As a result, people should see improvements for certain copy protection schemes.

The update also includes a new mechanism to associate a Unix library with the PE module. This change makes it so systems can call Unix libraries from PE when trying to perform a function that can't be handled by Win32 APIs. Wine 6.0 also includes an experimental Vulkan renderer that translates Direct3D shaders to SPIR-V shaders. In another change related to Direct3D, the Direct3D graphics card database now recognizes more graphics cards and includes updated driver versions.

X

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable' (jwz.org) 172

Legendary programmer Jamie Zawinski has worked on everything from the earliest releases of the Netscape Navigator browser to XEmacs, Mozilla, and, of course, the XScreenSaver project.

Now Slashdot reader e432776 writes: JWZ continues to track issues with screensavers on Linux (since 2004!), and discusses a new bug in cinnamon-screensaver. Long-standing topics like X11, developer interaction, and code licensing all feature. Solutions to these long-standing issues remain elusive.
Jamie titled his blog post "I told you so, 2021 edition": You will recall that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.

Repeatedly.

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code...

ZDNet reports that Linux Mint has issued a patch for Cinnamon that fixes the screensaver bug. But HotHardware notes that it was discovered when "one Dad let the kids play with the keyboard. This button-mashing actually crashed the machine's screensaver by sheer luck, allowing them onto the desktop, ultimately leading to the discovery of a high priority security vulnerability for the Linux Mint team."

But that's not the only thing bothering Jamie Zawinski: Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mint-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude...

Mint-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.

IBM

Robert Cringley Predicted 'The Death of IT' in 2020. Was He Right? (cringely.com) 54

Yesterday long-time tech pundit Robert Cringley reviewed the predictions he'd made at the beginning of last year. "Having done this for over 20 years, historically I'm correct about 70 percent of the time, but this year could be a disappointment given that I'm pretty sure I didn't predict 370,000 deaths and an economy in free-fall.

"We'll just have to see whether I was vague enough to get a couple right."

Here are some of the highlights: I predicted that IBM would dump a big division and essentially remake itself as Red Hat, its Linux company. Well yes and no. IBM did announce a major restructuring, spinning off Global Technology Services just as I predicted (score one for me) but it has all happened slowly because everything slows down during a pandemic. The resulting company won't be called Red Hat (yet), but the rest of it was correct so I'm going to claim this one, not that anybody cares about IBM anymore...

I predicted that working from home would accelerate a trend I identified as the end of IT, by which I meant the kind of business IT provided and maintained by kids from that office in the basement. By working from home, we'd all become our own IT guys and that would lead to acceleration in the transition of certain technologies, especially SD-WAN and Secure Access Service Edge (SASE)... "That's the end-game if there is one — everything in the cloud with your device strictly for input and output, painting screens compressed with HTML5. It's the end of IT because your device will no longer contain anything, so it can be simply replaced via Amazon if it is damaged or lost, with the IT kid in the white shirt becoming an Uber driver (if any of those survive)."

It was a no-brainer, really, and I was correct: Internet-connected hardware sales surged, SASE took over whether you even knew it or not, and hardly any working from home was enabled by technology owned by the business itself. It's key here that the operant term for working from home became "Zooming" — a third-party public brand built solely in the cloud.

Finally, I predicted that COVID-19 would accelerate the demise of not just traditional IT, but also IT contractors, because the more things that could be done in the cloud, the fewer people would be required to do them. So what actually happened? Well, I was right about the trend but wrong about the extent. IT consulting dropped in 2020 by about 19 percent, from $160 billion to $140 billion. That's a huge impact, but I said "kill" and 19 percent isn't even close to dead. So I was wrong.

Education

The Linux Foundation Now Offers a Suite of Open-Source Management Classes (zdnet.com) 7

The Linux Foundation has new courses to help you manage open-source projects and technical staff within your organization. Steven J. Vaughan-Nichols writes via ZDNet: Previously, if you wanted to know how to run open-source well in your company, you had to work with OASIS Open or the TODO Group. Both are non-profit organizations supporting best practices for open source and open standards. But to work with either group effectively, you already had to know a lot about open source. [...] This 7-module course series is designed to help executives, managers, software developers, and engineers understand the basic concepts for building effective open-source practices. It's also helpful to those in the C suite who want to set up effective open-source program management, including how to create an Open Source Program Office (OSPO).

The program builds on the accumulated wisdom of many previous training modules on open-source best practices while adding fresh and updated content to explain all of the critical elements of working effectively with open source in enterprises. The courses are designed to be self-paced, and reasonably high-level, but with enough detail to get new open-source practitioners up and running quickly. Guy Martin, OASIS Open's executive director, developed these courses. Martin knows his way around open source. He has a unique blend of over 25 years' experience both as a software engineer and open-source strategist. Martin has helped build open-source programs at Red Hat, Samsung, and Autodesk. He was also instrumental in founding the Academy Software Foundation, the Open Connectivity Foundation, and has contributed to TODO Group's best practices and learning guides.
The "Open Source Management & Strategy program" costs $499 and is available to begin immediately. A certificate is awarded upon completion.

Hardware

BeagleV is a $150 RISC-V Computer Designed To Run Linux (arstechnica.com) 52

New submitter shoor writes: Seeed Studios -- the makers of the Odyssey mini-PC -- have teamed up with well-known SBC vendor BeagleBoard to produce an affordable RISC-V system designed to run Linux. The new BeagleV (pronounced "Beagle Five") system features a dual-core, 1GHz RISC-V CPU made by StarFive -- one of a network of RISC-V startups created by better-known RISC-V vendor SiFive. The CPU is based on two of SiFive's U74 Standard Cores -- and unlike simpler microcontroller-only designs, it features an MMU and all the other trimmings necessary to run full-fledged modern operating systems such as Linux distributions. StarFive's VIC7100 processor design is aimed at edge AI tasks as well as general-purpose computing. In addition to the two RISC-V CPU cores, it features a Tensilica Vision VP6 DSP for machine-vision applications, a Neural Network Engine, and a single-core NVDLA (Nvidia Deep Learning Accelerator) engine.

Debian

Debian Discusses Vendoring -- Again (lwn.net) 48

Jake Edge, writing at LWN: The problems with "vendoring" in packages -- bundling dependencies rather than getting them from other packages -- seem to crop up frequently these days. We looked at Debian's concerns about packaging Kubernetes and its myriad of Go dependencies back in October. A more recent discussion in that distribution's community looks at another famously dependency-heavy ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems are not immune to the problem, as we saw with iproute2 and libbpf back in November; the discussion of vendoring seems likely to recur over the coming years. Many application projects, particularly those written in languages like JavaScript, PHP, and Go, tend to have a rather large pile of dependencies. These projects typically simply download specific versions of the needed dependencies at build time. This works well for fast-moving projects using collections of fast-moving libraries and frameworks, but it works rather less well for traditional Linux distributions. So distribution projects have been trying to figure out how best to incorporate these types of applications.

This time around, Raphael Hertzog raised the issue with regard to the Greenbone Security Assistant (gsa), which provides a web front-end to the OpenVAS vulnerability scanner (which is now known as Greenbone Vulnerability Management or gvm). "the version currently in Debian no longer works with the latest gvm so we have to update it to the latest upstream release... but the latest upstream release has significant changes, in particular it now relies on yarn or npm from the node ecosystem to download all the node modules that it needs (and there are many of them, and there's no way that we will package them individually). The Debian policy forbids download during the build so we can't run the upstream build system as is."

Hertzog suggested three possible solutions: collecting all of the dependencies into the Debian source package (though there would be problems creating the copyright file), moving the package to the contrib repository and adding a post-install step to download the dependencies, or removing gsa from Debian entirely. He is working on updating gsa as part of his work on Kali Linux, which is a Debian derivative that is focused on penetration testing and security auditing. Kali Linux does not have the same restrictions on downloading during builds that Debian has, so the Kali gsa package can simply use the upstream build process. He would prefer to keep gsa in Debian, "but there's only so much busy-work that I'm willing to do to achieve this goal". He wondered if it made more sense for Debian to consider relaxing its requirements. But Jonas Smedegaard offered another possible approach: analyzing what packages are needed by gsa and then either using existing Debian packages for those dependencies or creating new ones for those that are not available. Hertzog was convinced that wouldn't be done, but Smedegaard said that the JavaScript team is already working on that process for multiple projects.

Operating Systems

Linux Kernel Developers Discuss Dropping a Bunch of Old CPUs (phoronix.com) 93

Charlotte Web writes: With Linux 5.10 having shipped as the latest Long Term Support (LTS) release, to be maintained for at least the next five years, a discussion has begun over dropping support for a number of old and obsolete CPU platforms currently found within the mainline kernel. Many of the architectures being considered for removal haven't seen any new commits in years, but, as is usually the case, once proposals are made to remove them there are often passionate users wanting the support to be kept.

Open Source

Linux Mint 20.1 Long-term Support Release Is Out (ghacks.net) 21

Thelasko quotes gHacks: Linux Mint 20.1 is now available.

The first stable release of Linux Mint in 2021 is available in the three flavors Cinnamon, MATE and Xfce. The new version of the Linux distribution is based on Ubuntu 20.04 LTS and Linux kernel 5.4...

- Linux Mint 20.1 comes with a unified file system that sees certain directories being merged with their counterparts in /usr, e.g. /bin merged with /usr/bin, /lib merged with /usr/lib for compatibility purposes...

- The developers have added an option to turn websites into desktop applications in the new version [using the new Web App manager]... Web apps behave like desktop programs for the most part; they start in their own window and use a custom icon, and you find them in the Alt-Tab interface when you use it. Web apps can be pinned and they are found in the application menu after they have been created.

Bug

NVIDIA Fixes High Severity Flaws Affecting Windows, Linux Devices (bleepingcomputer.com) 24

Bleeping Computer reports: NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software. The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, or information disclosure.

All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector. Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.

Intel

Linus Torvalds Rails At Intel For 'Killing' the ECC Industry (theregister.com) 218

An anonymous reader quotes a report from The Register: Linux creator Linus Torvalds has accused Intel of preventing widespread use of error-correcting memory and being "instrumental in killing the whole ECC industry with its horribly bad market segmentation." ECC stands for error-correcting code. ECC memory uses additional parity bits to verify that the data read from memory is the same as the data that was written. Without this check, memory is vulnerable to occasional corruption where a bit is flipped spontaneously, for example, by background radiation. Memory can also be attacked using a technique called Rowhammer, where rapid repeated reads of the same memory locations can cause adjacent locations to change their state. ECC memory solves these problems and has been available for over 50 years, yet most personal computers do not use it. Cost is a factor, but what riles Torvalds is that Intel has made ECC support a feature of its Xeon range, aimed at servers and high-end workstations, and does not support it in other ranges such as the Core series.

The topic came up in a discussion about AMD's new Zen 3 Ryzen 9 5000 series processors on the Real World Tech forum site. AMD has semi-official ECC support in most of its processors. "I don't really see AMD's unofficial ECC support being a big deal," said an unwary contributor. "ECC absolutely matters," retorted Torvalds. "Intel has been detrimental to the whole industry and to users because of their bad and misguided policies wrt ECC. Seriously. And if you don't believe me, then just look at multiple generations of rowhammer, where each time Intel and memory manufacturers bleated about how it's going to be fixed next time... And yes, that was -- again -- entirely about the misguided and arse-backwards policy of 'consumers don't need ECC', which made the market for ECC memory go away."

The accusation is significant particularly at a time when security issues are high on the agenda. The suggestion is that Intel's marketing decisions have held back adoption of a technology that makes users more secure -- though rowhammer is only one of many potential attack mechanisms -- as well as making PCs more stable. "The arguments against ECC were always complete and utter garbage. Now even the memory manufacturers are starting to do ECC internally because they finally owned up to the fact that they absolutely have to," said Torvalds. Torvalds said that Xeon prices deterred usage. "I used to look at the Xeon CPU's, and I could never really make the math work. The Intel math was basically that you get twice the CPU for five times the price. So for my personal workstations, I ended up using Intel consumer CPU's." Prices, he said, dropped last year "because of Ryzen and Threadripper... but it was a 'too little, much too late' situation." By way of mitigation, he added that "apart from their ECC stance I was perfectly happy with [Intel's] consumer offerings."

Nintendo

Linux Kernel Ported to the Nintendo 64 (phoronix.com) 33

Phoronix reports: It's been a turbulent year and 2020 is certainly ending interesting in the Linux/open-source space... If it wasn't odd enough seeing Sony providing a new official Linux driver for their PlayStation 5 DualSense controller for ending out the year, there is also a new Linux port to the Nintendo 64 game console... Yes, a brand new port to the game console that launched more than two decades ago.

Open-source developer Lauri Kasanen who has contributed to Mesa and the Linux graphics stack took to developing a new Nintendo 64 port and announced it this Christmas day. This isn't the first time Linux has been ported to the N64 but prior attempts weren't aimed at potentially upstreaming it into the mainline Linux kernel...

This fresh port to the N64 was pursued in part to help port emulators and frame-buffer or console games.

And also, the announcement adds, "Most importantly, because I can."

Open Source

Ask Slashdot: How Long Should a Vendor Support a Distro? 137

Long-term Slashdot reader couchslug believes that "Howls of anguish from betrayed CentOS 8 users highlight the value of its long support cycles..." Earlier this month it was announced that at the end of 2021, the community-supported rebuild of Red Hat Enterprise Linux, CentOS 8, "will no longer be maintained," though CentOS 7 "will stick around in a supported maintenance state until 2024."

This leads Slashdot reader couchslug to an interesting question. "Should competitors like Ubuntu and SUSE offer truly long-term-support versions to seize that (obviously large and thus important to widespread adoption) user base?" As distros become more refined, how important are changes vs. stability for users running tens, thousands and hundreds of thousands of servers, or who just want stability and security over change for its own sake...? Why do you think distro leadership are so eager for distro life cycles? Boredom, progress or what mix of both?

What sayeth the hive mind and what distros do you use to achieve your goals?

The original submission argues that "Distro-hopping is fun but people with work to do and a fixed task set have different needs." But what do Slashdot's readers think? Leave your own thoughts in the comments.

And how long do you think a vendor should support a distro?

PlayStation (Games)

Sony Publishes An Official Linux Driver For PS5 DualSense Controllers (phoronix.com) 12

Sony has published a new "hid-playstation" Linux kernel driver for bringing up the PlayStation 5 DualSense controller, which will also be used for supporting other PlayStation hardware on Linux. Phoronix reports: This new Linux kernel driver supports the PlayStation 5 "DualSense" game controller in both USB and Bluetooth modes. All key functionality, along with LEDs, motion sensors, touchpad, battery, lightbar, and rumble, is supported by this official Sony Linux driver. The Linux kernel already has the existing "hid-sony" driver, while this PlayStation 5 game controller comes with the hid-playstation driver. In announcing the new driver, they said they are planning to move some of the Sony Interactive Entertainment hardware support from the existing hid-sony to the hid-playstation driver. The hid-sony driver will continue to be maintained and used by broader Sony devices. This new driver follows the move from about a year ago of Sony "officially" maintaining the hid-sony Linux input driver.

This new driver comes in at just over 1,400 lines of code in its initial form catering to the PS5 controller. When transitioning support for older hardware to this new driver there is also a promise of unit test coverage and more. The new HID-PlayStation driver is currently under review and isn't yet queued up for mainlining but those wanting to try it out can find the 13 patches up for testing.

Cloud

CloudLinux To Invest More Than a Million Dollars a Year Into CentOS Clone (zdnet.com) 85

An anonymous reader quotes a report from ZDNet: When Red Hat, CentOS's Linux parent company, announced it was "shifting focus from CentOS Linux, the rebuild of Red Hat Enterprise Linux (RHEL), to CentOS Stream, which tracks just ahead of a current RHEL release," it lost a lot of friends. CentOS co-founder Gregory Kurtzer immediately announced he'd create his own RHEL clone and CentOS replacement: Rocky Linux. He wasn't the only one. CloudLinux also proclaimed it would create a new CentOS clone, Lenix. And CloudLinux will be putting over a million dollars a year behind it.

Why? Igor Seletskiy, CloudLinux CEO and founder, explained, "Red Hat's announcement has left users looking for an alternative with all that CentOS provides and without the disruption of having to move to alternative distributions. We promise to dedicate the resources required to Project Lenix that will ensure impartiality and a not-for-profit community initiative. CloudLinux already has the assets, infrastructure, and experience to carry out the mission, and we promise to be open about the process of developing Project Lenix." [...] Project Lenix will be a free, open-source, community-driven, 1:1 binary compatible fork of RHEL 8 (and future releases). For CentOS users, the company promises Lenix will provide an uninterrupted way to convert existing CentOS servers with absolutely zero downtime or need to reinstall anything. The company even claims you'll be able to port entire CentOS server fleets with a single command with no reinstallation or reboots required. That's a bold claim. But CloudLinux already does that trick with its commercial Linux distribution. If the company says it can do it, I think it can.
Lenix is only a placeholder name, notes ZDNet. "[A] yet to be formed governing board will decide on a permanent name for the distribution. If all goes well, the first software release will appear in the first quarter of 2021."

Red Hat Software

CentOS 8 Ending Next Year To Focus Shift On CentOS Stream (cyberciti.biz) 136

Well, here is a surprise for those that have long used CentOS as the community-supported rebuild of Red Hat Enterprise Linux... CentOS 8 will end in 2021; moving forward, CentOS 7 will remain supported until the end of its lifecycle, but CentOS Stream will be the focus as the future upstream of RHEL. From a report: For those relying on CentOS 8 to enjoy the reliability and features of Red Hat Enterprise Linux 8 but without the licensing costs, etc., that will end in 2021. At the end of 2021, CentOS 8 will no longer be maintained, but CentOS 7 will stick around in a supported maintenance state until 2024. The CentOS Project will be focused moving forward just on CentOS Stream as the upstream/development branch of Red Hat Enterprise Linux. CentOS 8 users are encouraged to begin transitioning to CentOS Stream 8. The CentOS Project announced this shift in focus today via the CentOS Blog. Red Hat's announcement meanwhile is promoting the change as beneficial to CentOS Stream.

Businesses

Will Businesses Make 2021 The Year of the Linux Desktop? (techrepublic.com) 214

Writing for TechRepublic, open source advocate Jack Wallen predicts 2021 will be a year where open source technology dominates the world of big data even more than 2021 (with a big role predicted for SUSE). But he also sees businesses cutting costs by switching to open source solutions — including a big move to Linux on enterprise desktops, thanks to enterprise-ready options now available from System76, Lenovo, and Dell: This will have the added benefit of even more companies jumping into the mix and offering more and more desktops and laptops, all powered by Linux and open source technology.

One added bonus for this movement is that System76 will finally gain the recognition they've deserved for so many years. Linux on the desktop would not be where it is today, had it not been for their stalwart support for open source technology. Year after year, System76 has proved that high-quality, business-class systems, powered by Linux, can be produced at a level befitting the enterprise.

That success within the realm of business will start trickling down to consumers. As more and more people start using Linux at their place of business, they'll begin seeing the benefits of the open source operating system and desire to adopt it for their home computers. I suspect that by the end of 2021, we'll see Linux desktop market share finally break the 10% bubble. It may not sound like much, but given how Linux has hovered around 2% and maxed out at 5%, that 10% figure is like a dream come true.

That's only the tip of the iceberg. Although Linux will max out at around 10% by the end of the year, it will lead to continued growth over the coming years.

Open Source

Hector Martin Promises To Bring Linux To the M1 Chip (softpedia.com) 139

Joe2020 writes: Famous developer Hector Martin who put Linux on the PS4 now wants to port Linux to the new Apple M1, and he wants to do it with the help of crowdfunding by making it his full-time job. One can find his official pledge for support here. "Since these devices are brand new and bespoke silicon, porting Linux to run on them is a huge undertaking. Well beyond a hobby project, it is a full-time job," the developer explains.

"The goal is to bring Linux support on Apple Silicon macs to the point where it is not merely a tech demo, but is actually an OS you would want to use on a daily driver device. To do this, there is a huge amount of work to be done. Running Linux on things is easy, but making it work well is hard. Drivers need to be written for all devices. The driver for the completely custom Apple GPU is the most complicated component, which is necessary to have a good desktop experience. Power management needs to work well too, for your battery life to be reasonable," the dev explains. Martin says he hopes to have enough donations to purchase the new Apple Silicon-powered devices and hire other people to help with the job.

Slashdot reader NoMoreACs also shared the news via Mac Rumors.
