An anonymous reader shares a report: When Mike McGrath, Red Hat's Red Hat Core Platforms vice president, announced that Red Hat was putting new restrictions on who could access Red Hat Enterprise Linux (RHEL)'s code, other Linux companies that depended on RHEL's code for their own distro releases were, in a word, unhappy. Three of them, CIQ, Oracle, and SUSE, came together to form the Open Enterprise Linux Association (OpenELA). Their united goal was to foster "the development of distributions compatible with Red Hat Enterprise Linux (RHEL) by providing open and free enterprise Linux source code." Now, the first OpenELA code release is available.

As Thomas Di Giacomo, SUSE's chief technology and product officer, said in a statement, "We're pleased to deliver on our promise of making source code available and to continue our work together to provide choice to our customers while we ensure that Enterprise Linux source code remains freely accessible to the public." Why are they doing this? Gregory Kurtzer, CIQ's CEO, and Rocky Linux's founder, explained: "Organizations worldwide standardized on CentOS because it was freely available, followed the Enterprise Linux standard, and was well supported. After CentOS was discontinued, it left not only a gaping hole in the ecosystem but also clearly showed how the community needs to come together and do better. OpenELA is exactly that -- the community's answer to ensuring a collaborative and stable future for all professional IT departments and enterprise use cases."

Richard Speed reports via The Register: Asahi Linux, a project to port Linux to Apple Silicon Macs, has reported a combination of bugs in Apple's macOS that could leave users with hardware in a difficult-to-recover state. The issues revolve around how recent versions of macOS handle refresh rates, and MacBook Pro models with ProMotion displays (the 14 and 16-inch versions) are affected. According to the Asahi team, the bugs lurk in the upgrade and boot process and, when combined, can create a condition where a machine always boots to a black screen, and a Device Firmware Update (DFU) recovery is needed.

Asahi Linux's techies have looked into the issue, having first suspected it had something to do with either having an Asahi Linux installation on a Mac and then upgrading to macOS Sonoma or installing Asahi Linux after a Sonoma upgrade. However, the issue appears to be unconnected to the project. The team said: "As far as we can tell, ALL users who upgraded to Sonoma the normal way have an out-of-date or even broken System RecoveryOS, and in particular MacBook Pro 14" and 16" owners are vulnerable to ending up with a completely unbootable system." While this might sound alarming, the team was at pains to assure users that data was not at risk and only certain versions of macOS were affected -- Sonoma 14.0+ and Ventura 13.6+.

The first bug is related to macOS Sonoma using the previously installed version as System Recovery, which can cause problems when an older RecoveryOS runs into newer firmware. The second occurs if a display is configured to a refresh rate other than ProMotion. According to the Asahi Linux team, the system will no longer be able to boot into old macOS installs or Asahi Linux. "This includes recovery mode when those systems are set as the default boot OS, and also System Recovery at least until the next subsequent OS upgrade." The team noted: "Even users with just 13.6 installed single-boot are affected by this issue (no Asahi Linux needed).

"We do not understand how Apple managed to release an OS update that, when upgraded to normally, leaves machines unbootable if their display refresh rate is not the default. This seems to have been a major QA oversight by Apple."

The new open-source, copy-on-write file system known as Bcachefs has been successfully merged into the Linux 6.7 kernel. "Given the past struggles to get Bcachefs mainlined, I certainly didn't expect to see Linus Torvalds act so soon on merging it," writes Phoronix's Michael Larabel. "But after it spent all of the 6.6 cycle within Linux-Next, overnight Linus Torvalds did in fact land this new file-system developed by Kent Overstreet."

From a Slashdot story published on Friday August 21, 2015: Bcachefs is a new open-source file-system derived from the bcache Linux kernel block layer cache. Bcachefs was announced by Kent Overstreet, the lead Bcache author. Bcachefs hopes to provide performance like XFS/EXT4 while having features similar to Btrfs and ZFS. The bachefs on-disk format hasn't yet been finalized and the code isn't yet ready for the Linux kernel. That said, initial performance results are okay and "It probably won't eat your data -- but no promises." Features so far for Bcachefs are support for multiple devices, built-in caching/tiering, CRC32C checksumming, and Zlib transparent compression. Support for snapshots is to be worked on.

"The work started on Wayland," the Linux Mint project announced in their monthly newsletter.

An anonymous reader shared this report from 9to5Linux about an upcoming new option in the Ubuntu-based distro: Linux Mint 21.3 [planned for Christmas of 2023] will be the first Linux Mint release to offer a Wayland session, but in an experimental state. The default session will still be the X11 one, but users who want to try Wayland can do so by selecting the "Cinnamon on Wayland" session from the login screen.

"The Wayland session won't be as stable as the default one. It will lack features and it will come with its own limitations. We won't recommend it but you'll be able to give it a shot if you want to and it'll be there for interested people if they want to give us feedback," said Linux Mint project leader Clement Lefebvre.

I said that "2024 is the year of the Wayland desktop", but Clement Lefebvre doesn't think Linux Mint needs Wayland support before 2026... By that time, I believe Xfce will also be fully Wayland compatible so that Linux Mint can fully switch to Wayland by default.
The newsletter says the 2026 target "leaves us two years to identify and to fix all the issues. It's something we'll continue to work on.

"Whenever it happens, assuming it does, we'll consider switching defaults. We'll use the best tools to do the job and provide the best experience. Today that means Xorg. Tomorrow it might mean Wayland. We'll be ready and compatible with both."

Long-time Slashdot reader CJSHayward shares "an attempt at Python virtual shell."

The home-brewed project "mixes your native shell with Python with the goal of letting you use your regular shell but also use Python as effectively a shell scripting language, as an alternative to your shell's built-in scripting language... I invite you to explore and improve it!"

From the web site: The Python Virtual Shell (pvsh or 'p' on the command line) lets you mix zsh / bash / etc. built-in shell scripting with slightly modified Python scripting. It's kind of like Brython [a Python implementation for client-side web programming], but for the Linux / Unix / Mac command line...

The core concept is that all Python code is indented with tabs, with an extra tab at the beginning to mark Python code, and all shell commands (including some shell builtins) have zero tabs of indentation. They can be mixed line-by-line, offering an opportunity to use built-in zsh, bash, etc. scripting or Python scripting as desired.

The Python is an incomplete implementation; it doesn't support breaking a line into multiple lines. Nonetheless, this offers a tool to fuse shell- and Python-based interactions from the Linux / Unix / Mac command line.

Last week the Linux Foundation announced its Civil Infrastructure Platform project "has expanded its super-long-term stable kernel program with a 6.1-based series.

"Just like for the previously started kernel series (4.4-cip, 4.19-cip and 5.10-cip), the project is committed to maintaining the 6.1-cip kernel for a minimum of 10 years after its initial release." The Civil Infrastructure Platform project is establishing an open source base layer of industrial grade Linux to enable the use and implementation of software building blocks for civil infrastructure. The project's kernels are maintained like regular long-term-stable kernels, and developers of the CIP kernel are also involved in long-term-stable kernel review and testing.

While regular long-term-stable kernels are moving back to 2 years maintenance, CIP kernels are set up for 10 years. In order to enable this extended lifetime, CIP kernels are scoped-down in actively supported kernel features and target architecture. At the same time, CIP kernels accept non-invasive backports from newer mainline kernels that enable new hardware...

"The CIP kernels are developed and reviewed with the same meticulous attention as regular Long-Term-Stable kernels," said Yoshi Kobayashi, Technical Steering Committee Chair at the CIP project. "Our developers actively participate in reviewing and testing long-term-stable kernels, contributing to the overall quality and security of the platform. A key highlight is our work on the IEC 62443 security standard, aimed at fortifying the resilience of critical infrastructure systems."

"As 2023 comes to a close, the CIP project has stood as a beacon of stability and innovation, with a commitment to driving collaboration to strengthen this essential initiative," said Urs Gleim, Governing Board Chair at the CIP project...

The Civil Infrastructure Platform is driving open source collaboration and innovation around industrial grade software for prodúcts used in industrial automation and for civil infrastructure, such as trains and power grids. To learn more about the CIP project, including how to get involved and contribute, please visit our booth at the Linux Foundation Open Source Summit Japan, December 5 — 6, or visit our website.

Linus Torvalds has said he bought a Dell XPS-13 with Ubuntu Linux for his daughter. Now ZDNet shares some trivia from the history of "the most well-known Linux laptop," citing a presentation by Barton George, Dell Technologies' Developer Community manager, at the Linux/open-source conference All Things Open: First, however, you should know that Dell has supported Linux desktops and laptops since the middle 2000s. In 2006, Michael Dell told me that Dell would be the first major PC vendor to release and support desktop Linux — and this proved to be a success. Barton George explained that Dell had always done great volume with these computers. Not volume, like the Windows machines, of course, but enough that Dell has always offered Linux-based — primarily Red Hat Enterprise Linux (RHEL) powered — workstations.

Still, none of these machines really appealed to developers... George announced on his personal blog what Dell was planning, and his traffic went from 60 views a day to 15,000. Then, as now, there's a lot of interest in laptops that come with Linux ready to go... Dell got together with Canonical, Ubuntu Linux's parent company, to make sure all the drivers were in place for a top-notch Ubuntu Linux developer desktop experience. Indeed, the name 'Project Sputnik' is a nod to Mark Shuttleworth, Ubuntu founder and Canonical CEO. A decade before the project itself, Shuttleworth had spent eight days orbiting the Earth in a Soviet Soyuz spacecraft. George and the crew decided "Soyuz" didn't have an inspiring ring to it, so the company went with "Sputnik" instead.

George continued: "We announced a beta program for the machine with a 10% off offer. We thought, well, we'll probably get 300 people. Instead, we got 6,000. This is where senior management said OK, you've got something real."

AlmaLinux is creating a Red Hat Enterprise Linux (RHEL) without any Red Hat code. Instead, AlmaLinux OS will aim to be Application Binary Interface (ABI) compatible and use the CentOS Stream source code that Red Hat continues to offer. Additional code is pulled from Red Hat Universal Base Images, and upstream Linux code. Benny Vasquez, chairperson of the AlmaLinux OF Foundation, explained how all this works at the open-source community convention All Things Open. ZDNet's Steven Vaughan-Nichols reports: The hardest part is Red Hat's Linux kernel updates because, added Vasquez, "you can't get those kernel updates without violating Red Hat's licensing agreements." Therefore, she continued, "What we do is we pull the security patches from various other sources, and, if nothing else, we can find them when Oracle releases them." Vasquez did note one blessing from this change in production: "AlmaLinux, no longer bound to Red Hat's releases, has been able to release upstream security fixes faster than Red Hat. "For example, the AMD microcode exploits were patched before Red Hat because they took a little bit of extra time to get out the door. We then pulled in, tested, and out the door about a week ahead of them." The overall goal remains to maintain RHEL compatibility. "Any breaking changes between RHEL and AlmaLinux, any application that stops working, is a bug and must be fixed."

That's not to say AlmaLinux will be simply an excellent RHEL clone going forward. It plans to add features of its own. For instance, Red Hat users who want programs not bundled in RHEL often turn to Extra Packages for Enterprise Linux (EPEL). These typically are programs included in Fedora Linux. Besides supporting EPEL software, AlmaLinux has its own extra software package -- called Synergy -- which holds programs that the AlmaLinux community wants but are not available in either EPEL or RHEL. If one such program is subsequently added to EPEL or RHEL, AlmaLinux drops it from Synergy to prevent confusion and duplication of effort.

This has not been an easy road for AlmaLinux. Even a 1% code difference is a lot to write and maintain. For example, when AlmaLinux tried to patch CentOS Stream code to fix a problem, Red Hat was downright grumpy about AlmaLinux's attempt to fix a security hole. Vasquez acknowledged it was tough sledding at first, but noted: "The good news is that they have been improving the process, and things will look a little bit smoother." AlmaLinux, she noted, is also not so much worried as aware that Red Hat may throw a monkey wrench into their efforts. Vasquez added: "Internally, we're working on stopgap things we'd need to do to anticipate Red Hat changing everything terribly." She doesn't think Red Hat will do it, but "we want to be as prepared as possible."

An anonymous reader shared this article from the Linux blog OMG! Ubuntu: The System Monitor app Ubuntu comes with does an okay job of letting you monitor system resources and oversee running processes — but it does look dated... [T]he app's graphs and charts are tiny, compact, and lack the glanceability and granular-detail that similar tools on other systems offer.

Thankfully, there are plenty of ace System Monitor alternatives available on Linux, with the Rust-based Resources being the latest tool to the join the club. And it's a real looker... Resources shows real-time graphs showing the utilisation of core system components... You can also see a [sortable and searchable] list of running apps and processes, which are separated in this app.
It's also possible to select a refresh interval "from very slow/slow/normal/fast/very fast (though tempting to select, 'very fast' can increase CPU usage)." And selecting an app or process "activates a big red button you can click to 'end' the app/process (a submenu has options to kill, halt, or continue the app/process instead)..."

"If you don't like the 'Windows-iness' of Mission Center — which you may have briefly spotted it in my Ubuntu 23.10 release video — then Resources is a solid alternative."

T2 SDE is not just a Linux distribution, but "a flexible Open Source System Development Environment or Distribution Build Kit," according to a 2022 announcement of its support for 25 CPU architectures, variants, and C libraries. ("Others might even name it Meta Distribution. T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation.")

And while working on it, Berlin-based T2 Linux developer René Rebe (long-time Slashdot reader ReneR) discovered random illegal instruction speculation on AMD Ryzen 7000-Series and Epyc Zen 4 CPU.

ReneR writes: Merged to Linux 6.6 Git is a fix for the bug now known at AMD as Erratum 1485.

The discovery was possible through continued high CPU load cross-compiling the T2 Linux distribution with support for all CPU architectures from ARM, MIPS, PowerPC, RISC-V to x86 (and more) for 33 build variants. With sustained high CPU load and various instruction sequences being compiled, pseudo random illegal instruction errors were observed and subsequently analyzed.

ExactCODE Research GmbH CTO René Rebe is thrilled that working with AMD engineers lead to a timely mitigation to increase system stability of the still new and highest performance Zen4 platform.
"I found real-world code that might be similar or actually trigger the same bugs in the CPU that are also used for all the Spectre Meltdown and other side-channel security vulnerability mitigations," Rebe says in a video announcement on YouTube.

It took Rebe a tremendous amount of research, and he says now that "all the excessive work changed my mind. Mitigations equals considered harmful... If you want stable, reliable computational results — no, you can't do this. Because as Spectre Meltdown and all the other security issues have proven, the CPUs are nowadays as complex as complex software systems..."

SpzToid writes: Ubuntu 23.10, codenamed Mantic Minotaur, is the 39th Ubuntu release, and it's one of the three smaller interim releases Canonical puts out between long-term support (LTS) versions. This last interim before the next LTS doesn't stand out with bold features you can identify at a glance. But it does set up some useful options and upgrades that should persist in Ubuntu for some time.

Two of the biggest changes in Ubuntu 23.10 are in the installer. Ubuntu now defaults to a "Default installation," which is quite different from what the "default" was even just one release prior. "Default" is described as "Just the essentials, web browser, and basic utilities," while "Full" is "An offline-friendly selection of office tools, utilities, web browser, and games." "Default" is somewhat similar to what "Minimal" used to be in prior versions, while "Full" is intended for those who are offline or have slow connections or just want as many options as possible right away.

Elsewhere in the installer, you can now choose ZFS as your primary file system. There's also an experimental option to set up Trusted Platform Module (TPM) full-disk encryption rather than rely entirely on passphrases to encrypt your disk. This brings Ubuntu up to speed with Windows in offering a way to both secure your system and find out the hard way that you lack a backup key to get in after messing with your boot options. (Kidding! Somewhat.)

Michael Larabel reports via Phoronix: For those making use of GPU-accelerated AV1 video encoding with the latest AMD Radeon graphics hardware on Linux, the upcoming Mesa 23.3 release will support the high-quality AV1 preset for offering higher quality encodes. Merged this week to Mesa 23.3 are the RadeonSI Video Core Next (VCN) changes for supporting the high quality AV1 encoding mode preset.

Mesa 23.3 will be out as stable later this quarter for those after slightly higher quality AV1 encode support for Radeon graphics on this open-source driver stack alongside many other recent Mesa driver improvements especially on the Vulkan side with Radeon RADV and Intel ANV.

Hell freezes over and pigs fly south to their winter feeding grounds. Microsoft has published guidance on how to download and install Linux. From a report: The Seattle-area proprietary OS vendor has published a helpful guide entitled "How to download and install Linux," inspiring reactions from incredulity to amusement. In the humble opinion of The Reg FOSS Desk, it really isn't bad at all. Microsoft suggests four alternative installation methods: using Windows Subsystem for Linux 2, using a local VM, using a cloud VM, or on bare metal. It almost feels cruel to criticize it, but it seems that this really amounts to two methods. WSL version 2 is a VM. It's right there in the screenshots, where it says:

Installing: Virtual Machine Platform
Virtual Machine Platform has been installed.

So the choices boil down to either on the metal, or in a VM. That leaves only the question of what kind of VM: the built-in one, an add-on VM, or a cloud VM. Perhaps the subtext of the article is something more subtle. Could it be a tacit admission that you might need a free-of-charge OS for your PC? The Windows 10 upgrade program that began back in 2015 was meant to end a year later. In fact, it didn't. We described a documented workaround in 2016, but the free upgrades continued to work, even in 2020. Which? magazine reported it was still working in July 2023.

Thursday ZDNet reported... As security holes go, CVE-2023-4911, aka "Looney Tunables," isn't horrid. It has a Common Vulnerability Scoring System score of 7.8, which is ranked as important, not critical.

On the other hand, this GNU C Library's (glibc) dynamic loader vulnerability is a buffer overflow, which is always big trouble, and it's in pretty much all Linux distributions, so it's more than bad enough. After all, its discoverers, the Qualys Threat Research Unit, were able to exploit "this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13." Other distributions are almost certainly vulnerable to attack. The one major exception is the highly secure Alpine Linux. Thanks to this vulnerability, it's trivial to take over most Linux systems as a root user. As the researchers noted, this exploitation method "works against almost all of the SUID-root programs that are installed by default on Linux...."

The good news is that Red Hat, Ubuntu, Debian, and Gentoo have all released their own updates. In addition, the upstream glibc code has been patched with the fix. If you can't patch it, Red Hat has a script that should work on most Linux systems to mitigate the problem by setting your system to terminate any setuid program invoked with GLIBC_TUNABLES in the environment.

It started when Linux blogger Bryan Lunduke complained about how the Linux Foundation was reducing the six-year long-term support (LTS) window for the Linux kernel to two years. Lunduke argued that the Foundation seemed more interested in funding compliance best practices — as well as artificial intelligence and blockchain projects.

In an online discussion, Linux kernel maintainer Greg Kroah-Hartman had this response: Did anyone think to actually ask the developer who is maintaining the long-term support kernel versions why he made that change (back in February?), i.e. me...? No, I guess that would take too much effort, and wouldn't result in such a click-bait headline.

"LTS kernels are no longer supported for 6 years because it turns out no one used them." doesn't have that same fun sound... In a second comment Kroah-Hartman also clarified that in fact "The amount of resources and other stuff that the Linux Foundation provides to the Linux kernel community has increased over the years, including last year. " Just because new people are brought in with new projects (that the LF member companies want to host) does not mean that somehow less is being given to the kernel community at all. It is not a zero-sum game here at all, that's not how the LF works in any way.

Again, this would have been easy to verify if someone just asked us.

So to repeat, no "abandonment" is happening here at all, the opposite is happening, just like it has for the entirety of the Linux Foundation's existence, support has grown every year.
Thanks to long-time Slashdot reader whoever57 for sharing the news.

An anonymous reader quotes a report from ZDNet: Microsoft's proprietary protocol, Remote Network Driver Interface Specification (RNDIS), started with a good idea. It would enable hardware vendors to add networking support to USB devices without having to build them from scratch. There was only one little problem. RNDIS has no security to speak of. As Greg Kroah-Hartman, the Linux Foundation fellow responsible for stable Linux kernel releases, wrote in November 2022 on the Linux Kernel Mailing List (LKML), "The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all RNDIS drivers to prevent anyone from using them again."

He added, in another message, "The protocol was never designed to be used with untrusted devices. It was created, and we implemented support for it, when we trusted USB devices that we plugged into our systems, AND we trusted the systems we plugged our USB devices into." That's no longer the case. Kroah-Hartman concluded, "Today, with untrusted hosts and devices, it's time just to retire this protocol. As I mentioned in the patch comments, Android disabled this many years ago in their devices, with no loss of functionality."

[...] But now, sick and tired of having a built-in Windows security exploit in Linux, Kroah-Hartman has decided that enough was enough. He's disabled all the RNDIS protocol drivers in Linux's Git repository. That means that while the RNDIS code is still in the Linux kernel, if you try to build Linux using this new patch, all your RNDIS drivers will be broken and won't build. This is one step short of purging RNDIS from Linux.

Yesterday the "temporary suspension" of automatic Snap registrations was announced on Canonical's Snapcraft forum by developer advocate Igor Ljubuncic, after what was described as a "security incident". On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately...

We apologize for any inconvenience this may cause our snap publishers and developers. However, we believe it is the most prudent action at this moment. We want to thoroughly investigate this incident without introducing any noise into the system, and more importantly, we want to make sure our users have a safe and trusted experience with the Snap Store. Please bear with us while we conduct our investigation. We will provide a more detailed update in the coming days.
Some background from the Linux blog OMG Ubuntu: This isn't the first time the Snap Store has had issues with icky uploads. In 2018 an innocuous-sounding app hid crypto-mining capabilities unbeknownst to users. Not disclosing this in its description rendered it malware (Canonical later clarified to say crypto-miners are allowed so long as they're disclosed).

In this instance it appears that folks have uploaded apps purporting to be official apps/tools for crypto ledger tool Ledger and these apps were able to get folks backups codes (which people enter thinking it's legit) and ...the bad actors can use that to extract funds.

Liam Proven writes via The Register: Steam OS is the Arch-based distro for a handheld Linux games console, and Valve is aggressively pushing Linux's usability and Windows interoperability for the device. Two unusual companies, Valve Software and Igalia, are working together to improve the Linux-based OS of the Steam Deck handheld games console. The device runs a Linux distro called Steam OS 3.0, but this is a totally different distro from the original Steam OS it announced a decade ago. Steam OS 1 and 2 were based on Debian, but Steam OS 3 is based on Arch Linux, as Igalia developer Alberto Garcia described in a talk entitled How SteamOS is contributing to the Linux ecosystem.

He explained that although Steam OS is built from some fairly standard components -- the normal filesystem hierarchy, GNU user space, systemd and dbus -- Steam OS has quite a few unique features. It has two distinct user interfaces: by default, it starts with the Steam games launcher, but users can also choose an option called Switch to Desktop, which results in a regular KDE Plasma desktop, with the ability to install anything: a web browser, normal Linux tools, and non-Steam games.

Obviously, though, Steam OS's raison d'etre is to run Steam games, and most of those are Windows games which will never get native Linux versions. Valve's solution is Proton, an open-source tool to run Windows games on Linux. It's formed from a collection of different FOSS packages, notably: [Wine, DXVK, VKD3D-Proton, and GStreamer]. The result is a remarkable degree of compatibility for some of the most demanding Windows apps around [...]. You can view Garcia's 49-page presentation here (PDF).

slack_justyb writes: Richard Stallman revealed his diagnosis of lymphoma at the GNU Hacker's meeting in Biel, Switzerland yesterday. He did not share much about his health condition but did indicate that it is "manageable" and that he expects to be around for many more years ahead.

An anonymous reader shares a report: The Cloud Native Computing Foundation has returned to Shanghai for the city's first Kubecon since the pandemic. During a keynote that switched languages several times, demonstrating the challenges faced by both AI and human translators in keeping up, Jim Zemlin, executive director of the Linux Foundation, threw out several crowd-pleasing statistics while also highlighting some projects likely to make one or two companies squirm a little. On the statistics front, Zemlin joked that the Linux Foundation was likely the largest software company in the world, noting that if one took an average software developer's salary -- he put the worldwide mean as being $40,000 -- and multiplied it by the number of developers contributing to the foundation, the payroll would come to around $26 billion -- more than Microsoft's $24 billion R&D payroll.

The statistic was somewhat tongue in cheek as Zemlin pointed out that none of the developers working on Linux Foundation projects actually work for the Linux Foundation. However, the sheer quantity of engineers involved highlighted another issue noted by Zemlin: the "paradox of choice" when selecting the correct open source project for a given purpose when the number on offer reaches the hundreds, thousands, and beyond. Reflecting the increasing maturity of some elements of the open source world, he also emphasized the opportunities for companies to increase revenues and profits through the use of open source. WeChat, Alibaba, and Huawei all received nods -- unsurprising considering the location -- as Zemlin noted a virtuous circle whereby improvements go back into projects, meaning better profits, meaning more improvements, and so on. It all sounded very utopian, although darkening clouds were signaled by the addition of OpenTofu to the list of projects Zemlin was keen to boast about, including open source efforts around large language models.