Open Source

Flaw In Sudo Enables Non-Privileged Users To Run Commands As Root (thehackernews.com) 139

exomondo shares a report from The Hacker News: A vulnerability has been discovered in Sudo -- one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows root access. Sudo, which stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments -- most often, for running commands as the root user.

The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password. What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295." That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today.
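The report describes two facts a defender can act on: the bypass only matters where a sudoers rule lets a user run commands as other users while explicitly excluding root, and the fix shipped in sudo 1.8.28. The following audit script is an added example, not code from the Slashdot post, The Hacker News, or the sudo project. It parses a constructed sudoers sample for runas lists of the form `(ALL, !root)` or `(ALL, !#0)` (the excluded-root shape the report describes), and compares a `sudo -V` version line against 1.8.28. The function names, the sample file, and the severity labels are all this example's own assumptions.

```python
"""Added example (not from the Slashdot post or the sudo project): flag
sudoers runas lists that exclude root while allowing other users, and check
the installed sudo version against 1.8.28, the fixed release named above."""
import re

# First release carrying the CVE-2019-14287 fix, per the report above.
FIXED_VERSION = (1, 8, 28)

# Constructed sample sudoers content so the script runs offline.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(ALL:ALL) ALL
carol   ALL=(ALL, !#0) /bin/ls
dave    ALL=(www-data) /usr/bin/id
"""

# The parenthesised runas specification, e.g. "(ALL, !root)" or "(ALL:ALL)".
RUNAS_RE = re.compile(r"\(([^)]*)\)")


def parse_version(text):
    """Turn a 'Sudo version 1.8.27' line (as printed by `sudo -V`) into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True when the version is at or beyond the first fixed release."""
    return tuple(version) >= FIXED_VERSION


def risky_entries(sudoers_text):
    """Return (user, runas_spec) pairs whose runas list excludes root.

    A list such as (ALL, !root) or (ALL, !#0) permits running as any user
    except root; that is the configuration the report says the bug bypasses.
    Only the user half of a 'user:group' runas list is examined.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RUNAS_RE.search(line)
        if not m:
            continue
        runas = m.group(1)
        user_part = runas.split(":", 1)[0]
        names = [n.strip() for n in user_part.split(",")]
        excludes_root = any(n in ("!root", "!#0") for n in names)
        allows_others = any(not n.startswith("!") for n in names)
        if excludes_root and allows_others:
            hits.append((line.split()[0], runas))
    return hits


def assess(sudoers_text, version_line):
    """Combine both checks into (user, runas, status) findings.

    'exposed' means a risky rule on an unfixed sudo; 'mitigated-by-version'
    means the rule is still worth reviewing but the known bypass is patched.
    """
    fixed = is_fixed(parse_version(version_line))
    status = "mitigated-by-version" if fixed else "exposed"
    return [(user, runas, status) for user, runas in risky_entries(sudoers_text)]


if __name__ == "__main__":
    # Run against the constructed sample with a pre-fix version line.
    for user, runas, status in assess(SAMPLE_SUDOERS, "Sudo version 1.8.27"):
        print("%-8s (%s)  %s" % (user, runas, status))
```

On a real host, feed `assess` the contents of `/etc/sudoers` (and any files under `/etc/sudoers.d/`) together with the first line of `sudo -V`; an empty result means no excluded-root runas rules were found, which is the configuration the report says is not affected regardless of version.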

Open Source

System76 Will Begin Shipping 2 Linux Laptops With Coreboot-Based Open Source Firmware (forbes.com) 29

System76, the Denver-based Linux PC manufacturer and developer of Pop OS, has some stellar news for those who prefer their laptops a little more open. Later this month the company will begin shipping two of their laptop models with its Coreboot-powered open source firmware. From a report: Beginning today, System76 will start taking pre-orders for both the Galago Pro and Darter Pro laptops. The systems will ship out later in October, and include the company's Coreboot-based open source firmware which was previously teased at the 2019 Open Source Firmware Conference. (Coreboot, formerly known as LinuxBIOS, is a software project aimed at replacing proprietary firmware found in most computers with a lightweight firmware designed to perform only the minimum number of tasks necessary to load and run a modern 32-bit or 64-bit operating system.) What's so great about ripping out the proprietary firmware included in machines like this and replacing it with an open alternative? To begin with, it's leaner. System76 claims that users can boot from power off to the desktop 29% faster with its Coreboot-based firmware.

[...] Both of these laptops can be kitted out with 10th-Generation Intel CPUs (specifically the i5-10210U and the i7-10510U), and both have glare-resistant matte 1080p IPS displays. Beginning at $949, the Galago Pro features an all-aluminum chassis, a wealth of connectivity options including HDMI, DisplayPort to USB-C and Thunderbolt, and can be configured with up to 32GB of RAM and up to 6TB of storage space. The Darter Pro, meanwhile, can be built out with 32GB of RAM and up to 2TB of storage, and features up to 10 hours of battery life.

Operating Systems

'Collapse OS' Is An Open-Source Operating System For the Post-Apocalypse (vice.com) 106

Collapse OS is a new open-source operating system built specifically for use during humanity's darkest days. According to its creator, software developer Virgil Dupras, Collapse OS is what the people of the future will need to reconfigure their scavenged iPhones. For now, though, he's hosting the project on GitHub and looking for contributors. Motherboard reports: According to the Collapse OS site, Dupras envisions a world where the global supply chain collapses by 2030. In this possible future -- kind of a medium-apocalypse -- populations won't be able to mass produce electronics anymore, but they'll still be an enormous source of political and social power. Anyone who can scavenge electronics and reprogram them will gain a huge advantage over those who don't. Dupras believes that the biggest problem for tech savvy post-apocalyptic people will be microcontrollers -- tiny computers embedded in circuit boards that control the functions of computer systems.

Collapse OS will work with Z80 8-bit microprocessors. Though less common today than 16- and 32-bit components, the 8-bit Z80 can be found in desktop computers, cash registers, musical instruments, graphing calculators, and everything in between. In a Reddit Q&A, Dupras explained that the Z80 was chosen "because it's been in production for so long and because it's been used in so many machines, scavenger have good chances of getting their hands on it." According to the product page, Collapse OS currently can run on a homebrew Z80-based computer called the RC2014, and on Reddit Dupras said it could theoretically run on a Sega Genesis console.

Microsoft

Linus Torvalds Isn't Worried About Microsoft Taking Over Linux (zdnet.com) 141

An anonymous reader quotes a report from ZDNet: At the 2019 Linux Plumbers Conference, I talked to Linus Torvalds and several other of the Linux kernel's top programmers. They universally agreed Microsoft wants to control Linux, but they're not worried about it. That's because Linux, by its very nature and its GPL2 open-source licensing, can't be controlled by any single third-party. Torvalds said: "The whole anti-Microsoft thing was sometimes funny as a joke, but not really. Today, they're actually much friendlier. I talk to Microsoft engineers at various conferences, and I feel like, yes, they have changed, and the engineers are happy. And they're like really happy working on Linux. So I completely dismissed all the anti-Microsoft stuff."

But that doesn't mean the Microsoft leopard can't change its spots. Sure, he hears, "This is the old Microsoft, and they're just biding their time." But, Torvalds said, "I don't think that's true. I mean, there will be tension. But that's true with any company that comes into Linux; they have their own objectives. And they want to do things their way because they have a reason for it." So, with Linux, "Microsoft tends to be mainly about Azure and doing all the stuff to make Linux work well for them," he explained. Torvalds emphasized this is normal: "I mean, that's just being part of the community."

James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, sees Microsoft as going through the same process as all other corporate Linux supporters: "This is a thread that runs through Linux. You can't work on the kernel to your own proprietary advantage. A lot of companies, as they came in with the proprietary business model, assumed they could. They have to be persuaded that, if you want something in Linux, that will assist your business -- absolutely fine. But it has to go through an open development process. And if someone else finds it useful, you end up cooperating or collaborating with them to produce this feature." That means, to get things done, even Microsoft is "eventually forced to collaborate with others."

Bottomley concluded: "So it doesn't matter if Microsoft has a competing agenda to Red Hat or IBM or anybody else. Developers are still expected to work together in the Linux kernel with a transparent agenda."

Databases

Oracle Outperformed? TPC Benchmarks Show Alibaba's OceanBase Performs Twice As Well (tpc.org) 46

The Transaction Processing Performance Council is a many-decades-old nonprofit that defines transaction processing and database benchmarks and shares its performance results with the industry.

Long-time Slashdot reader hackingbear says they've just released some surprising news: The TPC organization reported on October 5 that OceanBase, an open-source relational database from Ant Financial, a business unit of Chinese e-commerce giant Alibaba Group, has topped the TPC-C benchmark, more than doubling the score achieved by Oracle Corp. which had held the world record for the past 9 years.

OceanBase v2.2 Enterprise Edition with Partitioning scored at 60,880,800, while Oracle Database 11g R2 Enterprise Edition w/RAC and Partitioning achieved 30,249,688.

TPC Benchmark C is an industry-standard OLTP benchmark, measuring online transactions per minute (tpmC).

Google

Google Finds Hundreds Of Data-Race Conditions In The Linux Kernel (phoronix.com) 57

Google has been testing the Linux kernel with its "sanitizer" testing software that hunts for memory corruption bugs and undefined behaviors. Now Phoronix reports on Google's newest sanitizer: Kernel Concurrency Sanitizer (KCSAN) is focused on discovering data-race issues within the kernel code. This dynamic data-race detector is an alternative to the Kernel Thread Sanitizer. In their testing just last month, in two days they found over 300 unique data race conditions within the mainline kernel.

There was a recent discussion about the Kernel Concurrency Sanitizer on the LKML.

Microsoft

Microsoft Launches Free Python Programming Video Series On YouTube (zdnet.com) 63

An anonymous reader quotes ZDNet: Microsoft has launched a new 44-part series called Python for Beginners on YouTube, consisting of three- to four-minute lessons from two self-described geeks at Microsoft who love programming and teaching.

The course isn't quite for total beginners as it assumes people have done a little programming in JavaScript or played around with the MIT-developed Scratch visual programming language aimed at kids. But it could help beginners kick-start ambitions to build machine-learning apps, web applications, or automate processes on a desktop.... It has published a page on GitHub containing additional resources, including slides and code samples to help students become better at Python.

Open Source

Libre-RISC-V 3D CPU/GPU Seeks Grants For Ambitious Expansion (google.com) 21

The NLNet Foundation is a non-profit supporting privacy, security, and the "open internet". Now the open source Libre RISC-V hybrid CPU/GPU is applying for eight additional grants from the NLNet Foundation, according to this update from the project's Luke Kenneth Casson Leighton (Slashdot reader #517,947): Details on each Grant Application are on the newly-opened RISC-V Community Forum.

The general idea is to kick RISC-V into a commercially-viable mass-volume high gear by putting forward funding proposals for NEON/SSE-style Video Acceleration to be upstreamed for use by ffmpeg, vlc, mplayer and gstreamer; hardware-assisted Mesa 3D (a port of the RADV Vulkan Driver to RISC-V), and a hardware-accelerated OpenCL port to RISC-V. This all in a "Hybrid" fashion (a la NEON/SSE) as opposed to the "usual" way that 3D and Video is done, which hugely complicates both software drivers and applications debugging.

In addition, the Libre RISC-V SoC itself is applying for grants to do a gcc port supporting its Vectorisation Engine including auto-vectorisation, and, crucially, to do an entirely Libre-licensed ASIC Layout using LIP6.fr coriolis2, working in tandem with Chips4Makers to create a 180nm commercially-viable single-core dual-issue test ASIC.

The process takes approximately 2-3 months for approval. Once accepted, anyone may be the direct (tax-deductible) recipient of NLNet donations, for sub-tasks completed. Worth noting: Puri.sm is sponsoring the project, and, given NLNet's Charitable Status, donations from Corporations (or individuals) are 100% tax-deductible.

Programming

Digital Ocean's 6th Annual 'Hacktoberfest' Celebrates Open Source and Environmental Projects (digitalocean.com) 7

"It's that time of year again when we come together to support and celebrate the open source technologies we use and love," announces a post on Digital Ocean's blog. Hacktoberfest is a monthlong celebration of open source software. It was started at DigitalOcean as a way to foster a sense of community and encourage more participation in open source projects. To reward Hacktoberfest contributors, we've designed a limited edition T-shirt for those who complete the challenge each year. This year, the first 50,000 participants will be eligible to receive the limited edition shirt...

One of the enticing elements of this celebration is that you don't have to leave the comfort of your office or home to participate. But each year, more and more Hacktoberfest events have been organized since we introduced the Event Kit. In 2018 alone, there were 251 Hacktoberfest events. All of these took place during October and happened in 50 countries. With October five days away, we're already expecting to exceed last year's number of events! Wow... if you're in or around New York City, we invite you to join us at the Hacktoberfest kickoff celebration at the DigitalOcean headquarters...

This year, we're also hoping to drive awareness of the negative impacts many people around the world are experiencing due to the many environmental crises we're faced with -- and encourage participation in projects that are targeting these causes. We've identified a handful of projects on GitHub that focus on supporting the environment, which you can find in our Climate section. We hope you'll consider contributing to some of the impactful work being done by activists, scientists, and mission-driven organizations around the globe... Let's join forces to make a difference!

Last year's Hacktoberfest saw 401,231 pull requests on GitHub, according to the blog post.

Cellphones

Purism's Librem 5 Phone Starts Shipping. It Can Run Linux Desktop Apps (arstechnica.com) 46

On Tuesday Purism announced their first Librem 5 smartphones were rolling off the assembly line and heading to customers. "Seeing the amazing effort of the Purism team, and holding the first fully functioning Librem 5, has been the most inspirational moment of Purism's five year history," said their founder and CEO Todd Weaver.

On Wednesday they posted a video announcing that the phones were now shipping, and Friday they posted a short walk-through video. "The crowdsourced $700 Linux phone is actually becoming a real product," reports Ars Technica: Purism's demand that everything be open means most of the major component manufacturers were out of the question. Perhaps because of the limited hardware options, the internal construction of the Librem 5 is absolutely wild. While smartphones today are mostly a single mainboard with every component integrated into it, the Librem 5 actually has a pair of M.2 slots that house full-size, off-the-shelf LTE and Wi-Fi cards for connectivity, just like what you would find in an old laptop. The M.2 sockets look massive on top of the tiny phone motherboard, but you could probably replace or upgrade the cards if you wanted...

[Y]ou're not going to get cutting-edge hardware at a great price with the Librem 5. That's not the point, though. The point is that you are buying a Linux phone, with privacy and open source at the forefront of the design. There are hardware kill switches for the camera, microphone, WiFi/Bluetooth, and baseband on the side of the phone, ensuring none of the I/O turns on unless you want it to. The OS is the Free Software Foundation-endorsed PureOS, a Linux distribution that, in this case, has been reworked with a mobile UI. Purism says it will provide updates for the "lifetime" of the device, which would be a stark contrast to the two years of updates you get with an Android phone.

PureOS is a Debian-based Linux distro, and on the Librem 5, you'll get to switch between mobile versions of the Gnome and KDE environments. If you're at all interested in PureOS, Purism's YouTube page is worth picking through. Dozens of short videos show that, yes, this phone really runs full desktop-class Linux. Those same videos show the dev kit running things like the APT package manager through a terminal, a desktop version of Solitaire, Emacs, the Gnome disk utility, DOSBox, Apache Web Server, and more. If it runs on your desktop Linux computer, it will probably run on the Librem 5, albeit with a possibly not-touch-friendly UI. The Librem 5 can even be hooked up to a monitor, keyboard, and mouse, and you can run all these Linux apps with the normal input tools...

Selling a smartphone is a cutthroat business, and we've seen dozens of companies try and fail over the years. Purism didn't just survive long enough to ship a product -- it survived in what is probably the hardest way possible, by building a non-Android phone with demands that all the hardware components use open code. Making it this far is an amazing accomplishment.

Open Source

Do We Need To Rethink What Free Software Is? (dreamwidth.org) 136

Matthew Garrett is a security developer at Google and a Linux contributor who in 2014 won the Free Software Foundation's annual "Advancement of Free Software" award. But now he's asking if we need to re-think what free software is: If users can pay Amazon to provide a hosted version of a piece of software, there's little incentive for them to pay the authors of that software. This has led to various projects adopting license terms such as the Commons Clause that effectively make it nonviable to provide such a service, forcing providers to pay for a commercial use license instead. In general the entities pushing for these licenses are VC backed companies who are themselves benefiting from free software written by volunteers that they give nothing back to, so I have very little sympathy. But it does raise a larger issue -- how do we ensure that production of free software isn't just a mechanism for the transformation of unpaid labour into corporate profit...?

At the same time, people are spending more time considering some of the other ethical outcomes of free software. Copyleft ensures that you can share your code with your neighbour without your neighbour being able to deny the same freedom to others, but it does nothing to prevent your neighbour using your code to deny other fundamental, non-software, freedoms. As governments make more and more use of technology to perform acts of mass surveillance, detention, and even genocide, software authors may feel legitimately appalled at the idea that they are helping enable this by allowing their software to be used for any purpose. The JSON license includes a requirement that "The Software shall be used for Good, not Evil", but the lack of any meaningful clarity around what "Good" and "Evil" actually mean makes it hard to determine whether it achieved its aims.

As stewards of the free software definition, the Free Software Foundation should be taking the lead in ensuring that these issues are discussed. The priority of the board right now should be to restructure itself to ensure that it can legitimately claim to represent the community and play the leadership role it's been failing to in recent years, otherwise the opportunity will be lost and much of the activist energy that underpins free software will be spent elsewhere. If free software is going to maintain relevance, it needs to continue to explain how it interacts with contemporary social issues. If any organisation is going to claim to lead the community, it needs to be doing that.

Red Hat Software

As 'CentOS Stream' Brings Rolling Releases, Some RHEL Development Moves Into CentOS Project (itprotoday.com) 15

It's been five years since the release of CentOS 7, but Indy1 (Slashdot reader #99,447) reminded us that CentOS 8 finally arrived this week -- along with a big new plan for rolling releases.

It Pro Today points out that CentOS already runs on about 16% of all servers, "a number that's only bested by Ubuntu with an estimated 28%," and says that this move "points to CentOS taking a more important role within Red Hat [and] indicates a sea change not only for CentOS, but for the Red Hat Enterprise Linux (RHEL) development pipeline." According to Karanbir Singh, CentOS project lead and Red Hat engineer, Stream will contain the code under development for the next minor RHEL release, which will allow the developer community to discuss, suggest, and contribute features and fixes into RHEL more quickly. "To do this, Red Hat Engineering is planning to move parts of RHEL development into the CentOS Project in order to collaborate with everyone on updates to RHEL," he said.

This would seem to mean that not only will CentOS remain under Red Hat's care and protection, but that CentOS will play a more important role within Red Hat going forward.

Android

The /e/ Google-Free, Pro-Privacy Android Clone Is Now Available (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: Gael Duval, creator of the popular early Linux distribution, Mandrake Linux, wanted a smartphone that was open source, would run a wide variety of popular software, and protect your privacy. His answer was the Android-based /e/ operating system and smartphones. While it's still in beta, both its code and refurbished Samsung phones running it are now available. Duval's approach hasn't been to reinvent the mobile operating system wheel, but instead to clean up Android of its Google privacy-invading features and replace them with privacy-respecting ones, in which, as Duval said in an interview, "Your data is your data."

To do this, he's started with LineageOS. This is an Android-based operating system, which is descended from the failed CyanogenMod Android fork. According to Duval, the /e/ operating system is a Lineage OS fork. It also blends in features from the Android Open Source Project (AOSP) 7, 8, and 9 source-code trees. In the /e/ OS all Google services have been removed and replaced with MicroG services. MicroG replaces Google's libraries with purely open-source implementations without hooks to Google's services. This includes libraries and apps which provide Google Play, Maps, Geolocation, and Messaging services for the Android applications when they need them. What this means is that you can run some Android apps, which normally only work on a fully Google-enabled Android phone on an /e/ phone. These compatible apps are available via the /e/ app store.

The /e/ platform also comes with its own services, the report notes. For example, its search program uses Qwant, a popular, privacy-first European-based search engine, and for cloud storage, you get /e/'s own cloud, which is based on the open-source NextCloud.

You can download and install /e/ on 85 different smartphone models. You can also buy an /e/ phone today if you're in the EU.

Advertising

Developer Made an Ad Blocker That Works On Podcasts and Radio (vice.com) 31

An anonymous reader quotes a report from Motherboard: Meet AdBlock Radio, an adblocker for live radio streams and podcasts. Its creator, Alexandre Storelli, told Motherboard he hopes to help companies "develop alternative business models for radio and podcast lovers that do not want ads." "Ads exploit the weaknesses of many defenseless souls," Storelli told Motherboard. "Ads dishonestly tempt people, steal their time and promise them a higher social status. Blocking them will be a relieving experience for many."

Most audio ads exploit "auditory artifacts" to produce an ad that can't be ignored or tuned out because it feels louder than it actually is -- this has gotten so bad that there has actually been a "sonic arms race" where ads have been made increasingly louder over the years. "Adblock Radio detects audio ads with machine-learning and Shazam-like techniques," Storelli wrote about the project. He said he's been working on it for more than three years and that it uses techniques such as speech recognition, acoustic fingerprinting, and machine learning to detect known ad formats. It uses a crowdsourced database of ads and "acoustic fingerprinting," which converts audio features into a series of numbers that can be combed by an algorithm.

Storelli has made Adblock Radio open-source and given detailed instructions on how to build on it, integrate it into user devices, and deploy it in a way that pressures radio stations (and podcasts) to self-regulate the quality of their ads.

Debian

Debian May Need To Re-Evaluate Its Interest In 'Init System Diversity' (phoronix.com) 135

"Debian Project Leader Sam Hartman has shared his August 2019 notes where he outlines the frustrations and issues that have come up as a result of init system diversity with some developers still aiming to viably support systemd alternatives within Debian," reports Phoronix: Stemming from elogind being blocked from transitioning to testing and the lack of clarity into that, Hartman was pulled in to try to help mediate the matter and get to the bottom of the situation with a lack of cooperation between the elogind and systemd maintainers for Debian as well as the release team. Elogind is used by some distributions as an implementation of systemd's logind that runs outside of systemd as a standalone daemon. Elogind is one of the pieces to the puzzle for trying to maintain a modern, systemd-free Linux distribution.

Various issues were raised that are being worked through, although many Debian developers face time limitations and other factors like emotional exhaustion. Hartman noted in his August notes, "I think we may be approaching a point where we need to poll the project -- to have a GR and ask ourselves how committed we are to the different parts of this init diversity discussion. Reaffirming our support for sysvinit and elogind would be one of the options in any such GR. If that option passed, we'd expect all the maintainers involved to work together or to appoint and empower people who could work on this issue. It would be fine for maintainers not to be involved so long as they did not block progress. And of course we would hold the discussions to the highest standards of respect."

Operating Systems

Latest Lakka Release On Raspberry Pi 4 Showcases Great Retro Gaming (hothardware.com) 11

MojoKid writes: Lakka with RetroArch is one of the most comprehensive open-source retro-gaming console front ends available, with support for a wide array of single-board computers and multiple operating systems. Although the more powerful Raspberry Pi 4 was released months ago, the developers of Lakka had a number of bugs to contend with that prevented an official stable release, until yesterday. Lakka 2.3 (with RetroArch 1.7.8) is available now though, and it appears to leverage the additional horsepower of the Pi 4 quite well. It's even able to play some of the more demanding Sega Dreamcast and Saturn games -- among many other retro-consoles, like the Atari 2600, SuperNES, and many others. In addition to the Pi 4, this latest Lakka release also adds support for the ROCKPro64 and incorporates a wide range of bug fixes and feature enhancements.

The Internet

The Internet Relies on People Working for Free (medium.com) 89

Who should be responsible for maintaining and troubleshooting open-source projects? From a report: When you buy a product like Philips Hue's smart lights or an iPhone, you probably assume the people who wrote their code are being paid. While that's true for those who directly author a product's software, virtually every tech company also relies on thousands of bits of free code, made available through "open-source" projects on sites like GitHub and GitLab. Often these developers are happy to work for free. Writing open-source software allows them to sharpen their skills, gain perspectives from the community, or simply help the industry by making innovations available at no cost. According to Google, which maintains hundreds of open-source projects, open source "enables and encourages collaboration and the development of technology, solving real-world problems."

But when software used by millions of people is maintained by a community of people, or a single person, all on a volunteer basis, sometimes things can go horribly wrong. The catastrophic Heartbleed bug of 2014, which compromised the security of hundreds of millions of sites, was caused by a problem in an open-source library called OpenSSL, which relied on a single full-time developer not making a mistake as they updated and changed that code, used by millions. Other times, developers grow bored and abandon their projects, which can be breached while they aren't paying attention. It's hard to demand that programmers who are working for free troubleshoot problems or continue to maintain software that they've lost interest in for whatever reason -- though some companies certainly try. Not adequately maintaining these projects, on the other hand, makes the entire tech ecosystem weaker. So some open-source programmers are asking companies to pay, not for their code, but for their support services. Daniel Stenberg is one of those programmers. He created cURL, one of the world's most popular open-source projects.

Operating Systems

CentOS 8 To Be Released Next Week (twitter.com) 25

New submitter JDShewey writes: The CentOS Project has announced that CentOS 8.0 will be available for download beginning Tuesday, September 24. This release was deferred so that work to release CentOS 7.7 could be completed, which means that CentOS 7.7 will be out shortly as well (and 7.7 is already beginning to appear in mirrors and repos). This comes 20 weeks to the day from the release of Red Hat Enterprise Linux 8.

Open Source

Pine64 Confirms $25 'PineTime' Smartwatch for Linux Smartphones (liliputing.com) 43

Besides their Linux laptops, single-board computers, and tablets, Pine64 is now also working on "PineTime," a new $25 smartwatch for Linux smartphones running open source software (and based on either ARM Mbed or FreeRTOS), reports Liliputing.com: The company describes the PineTime watch as a companion for Linux smartphones... you know, like the company's upcoming $150 PinePhone. For either or both of those reasons, it could appeal to folks who may not have wanted in on the smartphone space until now...

The PineTime uses an existing watch body that's used by other device makers, but Pine64 is choosing custom internal hardware. The PineTime will support Bluetooth 5.0, a heart rate monitor, and multi-day battery life and the watch features a zinc alloy & plastic case and comes with a charging dock...

At this point the PineTime is described as a side project, which means it's not a top priority for Pine64. While the company says the picture above is an actual photo of a prototype, Pine64 is still seeking software developers interested in contributing to the project, and the company's primary focus at this point will still be other upcoming devices like the PineBook Pro laptop and PinePhone smartphone.

Open Source

Was Advertising in Open Source Software a Useful Experiment? (infoworld.com) 64

"Given how dependent we've become upon open source software, one would think that we would have a bevy of options for supporting the developers who write the code, but we don't..." writes InfoWorld's Matt Asay, in an essay defending Feross Aboukhadijeh for experimenting with ads in his open source JavaScript style guide library.

"We have some inchoate business and funding models that serve open source companies and open source developers more or less well, and too often less. What we need is more people like Aboukhadijeh earnestly experimenting with ways to make things better, more companies like Tidelift introducing novel ways to fund developers, and more organizations recognizing their own self-interest in employing or otherwise paying the developers who build the software they rely on... [U]ltimately, we need more experimentation, and less criticism." What about donations? As Aboukhadijeh has noted, "Lots of maintainers struggle to reach a barely livable wage via donations...." The Linux Foundation's Chris Aniszczyk has derisively described the approach [and] goes on to put the onus for paying developers on those companies that most benefit from their work: "[A] big part of innovation comes from developers working at organizations adopting open source software at scale and using it in interesting ways. It's these organizations that should be tasked to sustain open source software versus individuals, especially since they depend on open source software to survive as a business."

Aniszczyk isn't talking about mega-corps throwing money at mega-tip jars. Rather, he's talking about the big beneficiaries employing the developers who build the projects upon which they depend. It's a great idea, and one that has borne fruit in the Linux community and currently in the Kubernetes world. However it's done, there's an underlying principle that is critical to all of this: We need more experimentation.

The first requirement for ensuring open source sustainability is to allow and encourage experimentation. Concerned at his (and other open source developers') inability to make a comfortable living writing popular open source software, Standard co-founder Aboukhadijeh decided to experiment with an ad-supported model...
