The Open Source Initiative's board of directors recently issued the following statement: Richard M. Stallman recently announced that he will be returning to the board of directors of the Free Software Foundation (FSF), a statement that the FSF has not denied. We believe it is inappropriate for Stallman to hold any leadership position in the free and open source software community. If we do not speak out against this, our silence may be misinterpreted as support.

The Open Source Initiative calls upon the Free Software Foundation to hold Stallman responsible for past behavior, remove him from the organization's leadership and work to address the harm he caused to all those he has excluded: those he considers less worthy, and those he has hurt with his words and actions. We will not participate in any events that include Richard M. Stallman and we cannot collaborate with the Free Software Foundation until Stallman is removed from the organization's leadership.

Free and open source software will not be accessible to all until it is safe for everyone to participate, and we therefore call upon our peers in the broader software community to join us in making these commitments.
Another perspective turns up in the "This Week in Programming" column: YouTuber Brodie Roberston offers his take on the return of RMS, saying "Like it or not, Richard Stallman is the face of free software. When you think about the free software movement, he is the one person that comes to mind." He then goes on to argue that the FSF is essentially the "ideological arm" of Stallman himself and that he is essentially irreplaceable not only because of his thoughts around free software but his passion for it, before going on to list the things that are "part of his charm."

"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well."

Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible."

The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...."

The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of- life and will not receive patches.

samleecole writes from a report via Motherboard: MacOS is generally intended as a desktop operating system, and while it's a very functional operating system, Apple expects it to run on a single piece of hardware. As any developer or infrastructure architect can tell you, virtualization is an impressive technique that allows programmers and infrastructure pros to expand reach and scale things up far beyond a single user. A Github project that has gotten a bit of attention in recent months aims to make MacOS scalable in ways that it has basically never been.

Its secret weapon is a serial code generator: Docker-OSX has the ability to generate serial codes for unique pieces of MacOS hardware, and its main developer, an open-source developer and security researcher who goes by the pseudonym Sick Codes, recently released a standalone serial code generator that can replicate codes for nonexistent devices by the thousands. Just type in a command, and it will set up a CSV file full of serial codes.

"You can generate hundreds and thousands of serial numbers, just like that," Sick Codes, who used a pseudonym due to the nature of his work, said. "And it just generates a massive list." A valid serial code allows you to use Apple-based tools such as iMessage, iCloud, and the App Store inside of MacOS. It's the confirmation that you're using something seen as valid in the eyes of Apple. "I actually went through, and I've got like 15 iMac Pros in my Apple account now, and it says that they're all valid for iMessage," the creator said.

SysEngineer shares a report from HuffPost: Some of the citizen sleuths behind the open-source effort to identify the hundreds of Donald Trump-loving rioters who stormed the U.S. Capitol have launched an impressive new website that organizes the stunning amount of digital evidence collected about the Jan. 6 insurrection.

The website, Jan6evidence.com, was built by a small team of volunteer software developers, using the work of open-source investigators looking into the deadly Capitol attack. The site features a color-coded timeline that reflects the time of day, and allows users to click around on a map of the Capitol and pull up any video evidence from a particular location and time frame. Users can even track an individual suspect's movements over the course of Jan. 6.

MIPS Technologies, the company that had been synonymous with the MIPS processor architecture, will now be developing processors based on RISC-V architecture. TuxPhones reports: The MIPS silicon manufacturer is one of the oldest RISC chip manufacturers, used in several systems since the late 80s. Characterized by clean and efficient designs, allowing adaption in varied applications, this company has been considered one of the most innovative in the market during its golden age - to the point that the Windows OS had a MIPS port in the early 90s. However, the company has been struggling with an increasingly lower market share and risked bankruptcy in recent years, ultimately leading to acquisition by start-up Wave Computing, which faced bankruptcy last year.

How this company was reborn just weeks ago, exiting the state of bankruptcy, is surprising, but not at all irrational: in its official statement, (the new) MIPS has become a member of RISC-V International, the non-profit organization managing the fully open-hardware ISA, substantially replacing their current architecture with the de facto open chip standard in its entirety. Licensing of the original MIPS architecture to third parties will probably be managed as before, so that the "old" architecture will remain available upon need. This is officially known as the "8th generation" of MIPS chips, indicating a total architectural gap from the previous seven iterations, essentially leaving the old architecture and fully embracing the new one. The Electronic Engineering Journal says it's likely that the new MIPS will continue to honor pre-existing licensing agreements, but it's unclear what level of support the company will offer for older MIPS-based chip designs.

"In a message to the Linux Kernel Mailing List Wednesday, founding developer Linus Torvalds warned the world not to use the 5.12-rc1 kernel in his public git tree..." writes Ars Technica: As it turns out, when Linus Torvalds flags some code dontuse, he really means it — the problem with this 5.12 release candidate broke swapfile handling in a very unpleasant way. Specifically, the updated code would lose the proper offset pointing to the beginning of the swapfile. Again, in Torvalds' own words, "swapping still happened, but it happened to the wrong part of the filesystem, with the obvious catastrophic end results."

If your imagination is insufficient, this means that when the kernel paged contents of memory out to disk, the data would land on random parts of the same disk and partition the swapfile lived on... not as files, mind you, but as garbage spewed directly to raw sectors on the disk. This means overwriting not only data in existing files, but also rather large chunks of metadata whose corruption would likely render the entire filesystem unmountable and unusable.

Torvalds goes on to point out that if you aren't using swap at all, this problem wouldn't bite you. And if you're using swap partitions, rather than swap files, you'd be similarly unaffected...
Torvalds also advised anyone who'd already pulled his git tree to do a git tag -d v5.12-rc1 "to actually get rid of the original tag name..." — or at least, to not use it for anything.

"I want everybody to be aware..." Torvalds writes, "because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'."

Microsoft today announced Power Fx, a new low-code language that "will become the standard for writing logic customization across Microsoft's own low-code Power Platform," reports TechCrunch. "[S]ince the company is open-sourcing the language, Microsoft also hopes others will implement it as well and that it will become the de facto standard for these kinds of use cases." From the report: Microsoft says the language was developed by a team led by Vijay Mital, Robin Abraham, Shon Katzenberger and Darryl Rubin. Beyond Excel, the team also took inspiration from tools and languages like Pascal, Mathematica and Miranda, a functional programming language developed in the 1980s. Microsoft plans to bring Power Fx to all of its low-code platforms, but given the focus on community, it'll start making appearances in Power Automate, Power Virtual Agents and elsewhere soon.

But the team clearly hopes that others will adopt it as well. Low-code developers will see it pop up in the formula bars of products like Power Apps Studio, but more sophisticated users will also be able to use it to go to Visual Studio Code and build more complex applications with it. As the team noted, it focused on not just making the language Excel-like but also having it behave like Excel -- or like a REPL, for you high-code programmers out there. That means formulas are declarative and instantly recalculate as developers update their code.

"Maker Andreas Spiess talks about the Open Source that really goes into a RISC-V chip and the ESP32-C3," writes Slashdot reader nickwinlund77 — sharing a link to this article from Hackaday: It's an exciting time in the world of microprocessors, as the long-held promise of devices with open-source RISC-V cores is coming to fruition. Finally we might be about to see open-source from the silicon to the user interface, or so goes the optimistic promise. In fact the real story is considerably more complex than that, and it's a topic [Andreas Speiss] explores in a video that looks at the issue with a wide lens...
nickwinlund77 writes: The YouTube video starts out with a good general history of competition between large businesses over architectures and embracing the standards for tech which many of us have depended on throughout the years. The video then gets into the technical specifics of the ESP32-C3.
Hackaday adds: His conclusion is that while a truly open-source RISC-V chip is entirely possible (as demonstrated with a cameo Superconference badge appearance), the importance of the RISC-V ISA is in its likely emergence as a heavyweight counterbalance to ARM's dominance in the sector.

ZDNet reports: When it comes to defending the intellectual property (IP) rights of Linux and open-source software, global leading banks aren't the first businesses to come to mind. Things have changed. Barclays, the London-based global corporate and investment bank, and the TD Bank Group, with its 26-million global customers, have joined the leading open-source IP defense group, the Open Invention Network (OIN).

For years, the OIN, the largest patent non-aggression consortium, has protected Linux from patent attacks and patent trolls. Recently, it expanded its scope from core Linux programs and adjacent open-source code by expanding its Linux System Definition. In particular, that means patents relating to the Android Open Source Project (AOSP) 10 and the Extended File Allocation Table exFAT file system are now protected...

Besides joining the OIN, Barclay is also joining the LOT Network. This is another fast-growing nonprofit group of companies that aims to stop patent trolls in their tracks. It has more than 1,100 member companies and covers over 2 million patent assets.
Why? The "IP and Patentable Innovations Lead" at TD noted that activity from so-called patent assertion entities "continues to trend upward in the banking industry," according to ZDNet. He argues they "have become a tax on business and we're willing to explore any reasonable means to address such risks..."

Slashdot reader b-dayyy quotes the Linux Security blog: What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing GeoIP filtering on your nftables firewall with GeoIP for nftables.

GeoIp for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of GeoIP for nftables, "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill GeoIP sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."

This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.

When Dave McKay first used computers, punched paper tape was in vogue, "and he has been programming ever since," according to his biography page at How-To Geek. It adds that "His use of computers pre-dates the birth of the PC and the public release of Unix."

Now long-time Slashdot reader sbinning shares McKay's "short history of UNIX and how Linux got its start," which ultimately asks if commercial Unix was killed by Linux: Unix is still out there, running mission-critical systems that are functioning correctly, and operating stably. That'll continue until the support for the applications, operating systems or hardware platform ceases. If something's genuinely mission-critical and it's working, you leave it working. I suspect someone, somewhere, will always be running a commercial UNIX or Unix-like operating system.

But for new installs? There are enough variations of Linux to make the case to go for a commercial Unix very, very difficult.

An anonymous reader quotes a report from Ars Technica: News website Protocol ran an extensive piece on the history and status of the popular open source video player VLC, and the story includes new details about the next major version of the software. Among other things, VLC 4.0 will bring a complete user interface overhaul. "We modified the interface to be a bit more modern," VideoLAN foundation President Jean-Baptiste Kempf told the publication. Kempf had previously shown some version of a new interface about two years ago, but it's unclear at this point how much that one resembles the one the team plans to introduce with VLC 4.0.

While the article doesn't list every change coming, it does outline a couple other possible directions and priorities for VLC. The VideoLAN foundation has not generally sought ways to monetize VLC, but some source of funding or revenue could help ensure long-term support for the project. To that end, Kempf said VideoLAN is exploring a Plex-like business model, with ad-supported free video streams available in the player. "That is something that could work for VLC," he explained. But it was clear nothing is final on that front yet. VLC will also ultimately get support the AV1 and AV2 codecs; AV1 is gaining a great deal of traction for streaming services and other video products these days. Finally, VideoLAN is developing a new way to run VLC on the Web, using Webassembly and JavaScript. VLC 4.0 is expected "in the coming months," but we don't know any more than that at this stage.

Tokolosh writes: On February 13, 2018 the FreeBSD Foundation posted its Code of Conduct. This included a system for reporting offenders, plus a Code of Conduct Committee to review charges and issue sanctions. The resulting story on Slashdot on February 17 triggered 859 comments. Needless to say, it was controversial.

In 2020, a survey indicated that some 35% of the FreeBSD developer community was dissatisfied with their 2018 Code of Conduct, 34% were neutral, and only 30% satisfied. So they set out to adopt a new CoC. A second survey asked which code of conduct should FreeBSD adopt? 4% favored keeping the 2018 code of conduct, 33% favored the Go-derived code of conduct, 63% favored the LLVM-derived code of conduct. The LLVM Project code was thus adopted.

My pragmatic question back in 2018 was, will this CoC lead to a better FreeBSD, more engagement, a larger, more productive community, and more market share for FreeBSD? In other words, does the CoC give FreeBSD an evolutionary advantage? If a different or no CoC had been imposed, would the FreeBSD of today be different? If so, in what way? The answer is not clear, so I am submitting this story to gather input.

AlmaLinux describes itself as "an open-source, community-driven project that intends to fill the gap left by the demise of the CentOS stable release." And now AlmaLinux "has announced their beta release of their CentOS/RHEL 8 fork," writes Slashdot reader juniorkindergarten.

AlmaLinux will be getting $1 million a year in development funding from CloudLinux (the company behind CloudLinux OS, a CentOS clone with over 200,000 active server instances). Their CEO stresses that AlmaLinux "is built with CloudLinux expertise but will be owned and governed by the community. We intend to deliver this forever-free Linux distribution this quarter." And they've committed to supporting it through 2029.

Their press release touts AlmaLinux as "a 1:1 binary compatible fork of RHEL 8, with an effortless migration path from CentOS to AlmaLinux. Future RHEL releases will also be forked into a new AlmaLinux release."

From the AlmaLinux blog: We've collected community feedback and built our new beta release around what you would expect from an enterprise-level Linux distribution...inspired by the community and built by the engineers and talent behind CloudLinux. Visit https://almalinux.org to download the Beta images.

With the Beta release deployed, we'd like to ask the community to be involved and provide feedback. We aim to build a Linux distribution entirely from community contributions and feedback. During AlmaLinux Beta, we ask for assistance in testing, documentation, support and future direction for the operating system. Together, we can build a Linux distribution that fills the gap left by the now unsupported CentOS distribution.
On Wednesday they'll be hosting a live QA webinar with the AlmaLinux team. And there's also a small AlmaLinux forum on Reddit.

An anonymous reader quotes a report from ZDNet: Magma was developed by Facebook to help telecom operators deploy mobile networks quickly and easily. The project, which Facebook open-sourced in 2019, does this by providing a software-centric distributed mobile packet core and tools for automating network management. This containerized network function integrates with the existing back end of a mobile network and makes it easy to launch new services at the network edge. Magma operators can build and augment modern and efficient mobile networks at scale. It integrates with existing LTE and newly minted 5G networks. Several Magma community members are also collaborating in the Telecom Infra Project (TIP)'s Open Core Network project group. The plan is to define, build, test, and deploy core network products that integrate Magma with TIP Open Core disaggregated hardware and software solutions.

The Linux Foundation will help oversee this new stage in Magma's organizational future. Magma will be managed under a neutral governance framework at the Linux Foundation. Arm, Deutsche Telekom, Facebook, FreedomFi, Qualcomm, the Institute of Wireless Internet of Things at Northeastern University, the OpenAirInterface(OAI) Software Alliance, and the Open Infrastructure Foundation (OIF). You may ask, since Magma is already working with OIF, which is something of a Linux Foundation rival, why Magma will be working with both? Arpit Joshipura, the Linux Foundation's general manager of Networking, Edge, and IoT, explained, "Magma has gotten great community support from several ecosystem players and foundations including OIF, OAI etc. What we are announcing today is the next evolution of the project where the actual hosting of the project is being set up under the Linux Foundation with neutral governance that has been accepted by the community for a long time. OIF, OAI, and LF will work with their communities of Software Developers to contribute to Magma's core project."

VideoLAN, in a blog post: The VideoLAN project and the VideoLAN non-profit organization are happy to celebrate today the 20th anniversary of the open-sourcing of the project. VideoLAN originally started as a project from the Via Centrale Reseaux student association, after the successful Network 2000 project. But the true release of the project to the world was on 1st of February 2001, the Ecole Centrale Paris director, Mr. Gourisse, allowed the open-sourcing of the whole VideoLAN project under the GNU GPL. This open sourcing concerned all the software developed by the VideoLAN project, including VideoLAN Client, VideoLAN Server, VideoLAN Bridge, VideoLAN Channel Switcher, but also libraries to decode DVDs, like libdca, liba52 or libmpeg2. At that time, this was a risky decision for the Ecole Centrale Paris, and the VideoLAN project is very grateful.

Since then, the project evolved to become a French non-profit organization, and continued developing numerous solutions around the free software multimedia world. Today, VLC media player is used regularly by hundreds of millions of users, and has been downloaded more than 3.5 billion times over the years. VLC is today available on Windows, macOS, Linux, Android (including TV and Auto versions), iOS (and AppleTV), OS/2 and BSD. Over the years, around 1000 volunteers worked to make VLC a reality.

"Gregory Kurtzer, co-founder of the now-defunct CentOS Linux distribution, has founded a new startup company called Ctrl IQ, which will serve in part as a sponsoring company for the upcoming Rocky Linux distribution," Ars Technica reports: Kurtzer co-founded CentOS Linux in 2004 with mentor Rocky McGaugh, and it operated independently for 10 years until being acquired by Red Hat in 2014. When Red Hat killed off CentOS Linux in a highly controversial December 2020 announcement, Kurtzer immediately announced his intention to recreate CentOS with a new distribution named after his deceased mentor.

The Rocky Linux concept got immediate, positive community reaction — but there's an awful lot of work and expense that goes into creating and maintaining a Linux distribution. The CentOS Linux project itself made that clear when it went for the Red Hat acquisition in 2014; without its own source of funding, the odds of Rocky Linux becoming a complete 1:1 replacement — serving the same massive volume of users that CentOS did — seemed dicey at best.
In a statement Ctrl IQ notes the Rocky Linux community was already "in the thousands of people driving the foundation of the organization..."

And as for Gregory Kurtzer, he was "originally basing Ctrl IQ's stack on CentOS, but he needed to pivot, as did most of the community to something else. Due to the alignment, Greg chose Rocky, and has been asked to help support it." Ars Technica adds: The company describes itself in its announcement as the suppliers of a "full technology stack integrating key capabilities of enterprise, hyper-scale, cloud and high-performance computing..."

Wading through the buzzword bingo, Ctrl IQ's real business seems to be in supplying relatively turn-key infrastructure for high-performance computing (HPC) workloads, capable of running distributed across multiple sites and/or cloud providers... Not all of Ctrl IQ's offerings are theoretical. Warewulf, also founded by Kurtzer, is currently developed and maintained by the US Department of Energy. Anyone can freely download and use Warewulf, but it's not difficult to imagine value added in consulting with one of its founders...

Ctrl IQ is one of three Tier 1 sponsors identified by the Rocky Linux project, along with Amazon Web Services (which provides core build infrastructure) and Mattermost, which is providing enterprise collaboration services...

Rocky Linux is generally expected to be widely available in Q2 2021, with a first-release candidate build expected on March 31.

Camel Pilot writes: Pyston 2.1, a closed-source but faster and highly-compatible implementation of the Python programming language, significantly outperforms Python 3 in a variety of benchmarks. All the system details and benchmarks in full can be found over on OpenBenchmarking.org.

ZDNet takes a look at a new nonprofit group called the Organization for Ethical Source (OES): The OES is devoted to the idea that the free software and open-source concept of "Freedom Zero" are outdated. Freedom Zero is "the freedom to run the program as you wish, for any purpose." It's fundamental to how open-source software is made and used... They hate the notion that open-source software can be used for any purpose including "evil" purposes. The group states:

The world has changed since the Open Source Definition was created — open source has become ubiquitous, and is now being leveraged by bad actors for mass surveillance, racist policing, and other human rights abuses all over the world. The OES believes that the open-source community must evolve to address the magnitude and complexity of today's social, political, and technological challenges...

How does this actually work in a license...?

The Software shall not be used by any person or entity for any systems, activities, or other uses that violate any Human Rights Laws. "Human Rights Laws" means any applicable laws, regulations, or rules (collectively, "Laws") that protect human, civil, labor, privacy, political, environmental, security, economic, due process, or similar rights....

This latest version of the license was developed in collaboration with a pro-bono legal team from Corporate Accountability Lab (CAL). It has been adopted by many open-source projects including the Ruby library VCR; mobile app development tool Gryphon; Javascript mapping library react-leaflet; and WeTransfer's entire open-source portfolio...

The organization adds, though, the license's most significant impact may be the debate it sparked between ethical-minded developers and open-source traditionalists around the primacy of Freedom Zero.
The article includes this quote from someone described as an open source-savvy lawyer.

"To me, ethical licensing is a case of someone with a very small hammer seeing every problem as a nail, and not even acknowledging that the nail is far too big for the hammer."

Steven J. Vaughan-Nichols writes at ZDNet: When Elastic, makers of the open-source search and analytic engine Elasticsearch, went after Amazon Web Services (AWS) by changing its license from the open-source Apache 2.0-license ALv2) to the non-open-source friendly Server Side Public License, I predicted "we'd soon see AWS-sponsored Elasticsearch and Kibana forks." The next day, AWS tweeted it "will launch new forks of both Elasticsearch and Kibana based on the latest Apache 2.0 licensed codebases." Well, that didn't take long!

In a blog post, AWS explained that since Elastic is no longer making its search and analytic engine Elasticsearch and its companion data visualization dashboard Kibana available as open source, AWS is taking action. "In order to ensure open source versions of both packages remain available and well supported, including in our own offerings, we are announcing today that AWS will step up to create and maintain an ALv2-licensed fork of open-source Elasticsearch and Kibana.... AWS brings years of experience working with these codebases, as well as making upstream code contributions to both Elasticsearch and Apache Lucene, the core search library that Elasticsearch is built on — with more than 230 Lucene contributions in 2020 alone... We're in this for the long haul, and will work in a way that fosters healthy and sustainable open source practices — including implementing shared project governance with a community of contributors..."

Yet another company, Logz.io, a cloud-monitoring company, and some partners have announced that it will launch a "true" open source distribution for Elasticsearch and Kibana.