Slashdot

Google's New Bug Bounties Include Their Custom Linux Kernel's Experimental Security Mitigations

Google uses Linux "in almost everything," according to the leader of Google's "product security response" team — including Chromebooks, Android smartphones, and even Google Cloud. "Because of this, we have heavily invested in Linux's security — and today, we're announcing how we're building on those investments and increasing our rewards." In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded. All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability. We've learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify; however, we think we've found a way to do so concretely going forward.... First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we'll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements. Second, we're launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we've built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit.
For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD. We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations.... With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible. "We don't care about vulnerabilities; we care about exploits," Vela told the Register. "We expect the vulnerabilities are there, they will get patched, and that's nice and all. But the whole idea is what to do beyond just patching a couple of vulnerabilities." In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VRPs last year. "We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better," Vela said. "If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this...." [I]t's not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. "We are trying to find the right combination to captivate people."

Read more of this story at Slashdot.

Development Suddenly Resumes on Linux Distro CutefishOS

Last month fans were worried about CuteFish OS, with its domain timing out, emails going unanswered, and a Twitter feed that hadn't posted anything since March. But "now it looks like the original development team behind CuteFishOS is coming back to life," according to this report from The New Stack — with a Reddit user planning a fork now saying that's been put on hold, since "I'd be duplicating work for no reason." Last Sunday — on July 31st — CuteFish's official repository on GitHub was updated with a new announcement in its profile. "Your Favorite CutefishOS are back now!" [sic] It also promised "New website in the works (coming soon)." and pointed to a new URL. You can see the changes happening right before your eyes. That website's domain — OpenFish.org — was registered just ten days ago, on Thursday, July 28th — and it's still a work in progress. On Thursday afternoon it was pointing to a non-English-language page hosted on the Pakistani cloud platform QCloud — but by Thursday night it was showing a testing page for an NGINX HTTP server running Red Hat Enterprise Linux. And there's now also a new README file in CuteFish's GitHub repository listing five items as "progressing." The first item is "official website preparation," but other items include collating the previous pull requests and issues, "fix the existing problem," and eventually adding new features. The sole contributor to the repository appears to be a Chinese coder going under the name of Biukang. "We are preparing for the restart of CutefishOS," says Biukang's GitHub profile now. But the article still hails last month's discussion of a fork as "a chance to see open source communities mobilizing into action just to fill a perceived void."

Purism's 'Librem 5 USA' Smartphone Achieves Major New Shipping Milestone

Purism posted an announcement Thursday about their privacy-focused "Librem 5 USA" smartphones. "New orders placed today will ship within our standard 10-business-day window." The Librem 5 USA now joins the Librem Mini and Librem 14 as a post-Just In Time product, one where instead of relying on Just In Time supply chains to manufacture a product just as we need it, we have invested in maintaining much larger inventories so that we can better absorb future supply chain issues that may come our way. For anyone who is new to the product, the Librem 5 USA is our premium phone that shares the same hardware design and features as our mass-produced Librem 5, but with electronics we make in the USA using a separate electronics supply chain that sources from US suppliers whenever possible. This results in a tighter, more secure supply chain for the Librem 5 USA. The Librem 5 USA uses the same PureOS as our other computers and so it runs the same desktop Linux applications you might be used to, just on a small screen. PureOS on the Librem 5 USA demonstrates real convergence, where the device becomes more than just a phone, it becomes a full-featured pocket-sized computer that can act like a desktop when connected to a monitor, keyboard and mouse, or even a laptop (or tablet!) when connected to a laptop docking station. All of your files and all of your software remain the same and follow you where you go. Applications just morph from the smaller screen to the larger screen when docked, just like connecting an external monitor to a laptop. Everyone who has backed the Librem 5 and Librem 5 USA projects hasn't just supported the production of the hardware itself, they have also supported a massive, multi-year software development effort to bring the traditional Linux desktop to a phone form-factor.
Projects such as Phosh (the GUI), Phoc (the Compositor), Squeekboard (the Keyboard), Calls (for calling), Chats (for texting and messaging), and libhandy/libadwaita (libraries to make GTK applications adaptive) all required massive investment and many of these projects have already been moved to the GNOME infrastructure to better share our effort with a larger community. We are delighted to see that many other mobile projects have recognized the quality of our efforts and adopted our software into their own projects.... The Librem 5 USA was designed for longevity and because we support right to repair, we also offer a number of spare parts in our shop, including replacement modems so you can make sure you support all the cellular bands in a particular continent, replacement batteries for when you ultimately wear out your existing battery, and plenty of other spare parts that haven't had sufficient demand to post formally on our shop (yet). If you need a spare part that isn't yet on the shop, just ask.

From Software Developer To CEO: Red Hat's Matt Hicks On His Journey To the Top

ZDNet's Stephanie Condon spoke with Red Hat's new CEO, Matt Hicks, a veteran of the company who has been working there for over 14 years. An anonymous reader shares an excerpt from their discussion: Matt Hicks, Red Hat's new CEO, doesn't have the background of your typical chief executive. He studied computer hardware engineering in college. He began his career as an IT consultant at IBM. His on-the-ground experience, however, is one of his core assets as the company's new leader, Hicks says. "The markets are changing really quickly," he tells ZDNet. "And just having that intuition -- of where hardware is going, having spent time in the field with what enterprise IT shops struggle with and what they do well, and then having a lot of years in Red Hat engineering -- I know that's intuition that I'll lean on... Around that, there's a really good team at Red Hat, and I get to lean on their expertise of how to best deliver, but that I love having that core intuition." Hicks believes his core knowledge helps him to guide the company's strategic bets. While his experience is an asset, Hicks says it's not a given that a good developer will make a good leader. You also need to know how to communicate your ideas persuasively. "You can't just be the best coder in the room," he says. "Especially in STEM and engineering, the softer skills of learning how to present, learning how to influence a group and show up really well in a leadership presentation or at a conference -- they really start to define people's careers." Hicks says that focus on influence is an important part of his role now that he didn't relish earlier in his career. "I think a lot of people don't love that," he says. "And yet, you can be the best engineer on the planet and work hard, but if you can't be heard, if you can't influence, it's harder to deliver on those opportunities." Hicks embraced the art of persuasion to advance his career.
And as an open-source developer, he learned to embrace enterprise products to advance Red Hat's mission. He joined Red Hat just a few years after Paul Cormier -- then Red Hat's VP of engineering, and later Hicks' predecessor as CEO -- moved the company from its early distribution, Red Hat Linux, to Red Hat Enterprise Linux (RHEL). It was a move that not everyone liked. [...] "As he settles into his new role as CEO, the main challenge ahead of Hicks will be picking the right industries and partners to pursue at the edge," writes Condon. "Red Hat is already working at the edge, in a range of different industries. It's working with General Motors on Ultifi, GM's end-to-end software platform, and it's partnering with ABB, one of the world's leading manufacturing automation companies. It's also working with Verizon on hybrid mobile edge computing. Even so, the opportunity is vast. Red Hat expects to see around $250 billion in spending at the edge by 2025." "There'll be a tremendous growth of applications that are written to be able to deliver to that," Hicks says. "And so our goals in the short term are to pick the industries and build impactful partnerships in those industries -- because it's newer, and it's evolving."

Linux May Soon Lose Support For the DECnet Protocol

Microsoft software engineer Stephen Hemminger has proposed removing the DECnet protocol handling code from the Linux kernel. The Register reports: The timing is ironic, as this comes just two weeks after VMS Software Inc announced that OpenVMS 9.2 was really ready this time... That announcement, of course, came some months after the first time it announced [PDF] version 9.2 [...]. The last maintainer of the DECnet code was Red Hat's Christine Caulfield, who flagged the code as orphaned in 2010. The change is unlikely to vastly inconvenience many people: VMS is the last even slightly mainstream OS that used DECnet, and VMS has supported TCP/IP for a long time. Indeed, for decades, the oldest email in this reporter's "sent" folder was a 1993 enquiry about the freeware CMUIP stack for VMS. One of the easier ways to bootstrap VMS on an elderly VAX these days is to install it on the SimH VAX hardware simulator, and then net-boot the real VAX from the simulated one. Anyone keen enough to do that will be competent to run an older version of Linux just for the purpose. Although their existence is rapidly being forgotten today, TCP/IP is not the only network protocol around, and as late as the mid-1990s it wasn't even the dominant one. The Linux kernel used to support multiple network protocols, but they are disappearing fast. [...] For a long time, DECnet was a significant network protocol. DEC supplied a client stack called PathWorks to let DOS, Windows and Mac clients connect to VAX servers, not only for file and print, but also terminal connections and X.11. Whole worldwide WANs ran over DECnet, and as a teenage student, your correspondent enjoyed exploring them.

Linus Torvalds Releases Linux 5.19 - From an Apple Silicon MacBook

"Linus Torvalds just released Linux 5.19 as stable for the newest version of the Linux kernel..." reports Phoronix. But they also note that on the Linux kernel mailing list, "Torvalds went on to write about his Arm-based MacBook [running an AArch64 Apple M1 SoC]... now under Linux thanks to the work of the Asahi Linux project." Torvalds wrote: [T]he most interesting part here is that I did the release (and am writing this) on an arm64 laptop. It's something I've been waiting for for a _loong_ time, and it's finally reality, thanks to the Asahi team. We've had arm64 hardware around running Linux for a long time, but none of it has really been usable as a development platform until now. It's the third time I'm using Apple hardware for Linux development — I did it many years ago for powerpc development on a ppc970 machine. And then a decade+ ago when the Macbook Air was the only real thin-and-lite around. And now as an arm64 platform. Not that I've used it for any real work, I literally have only been doing test builds and boots and now the actual release tagging. But I'm trying to make sure that the next time I travel, I can travel with this as a laptop and finally dogfooding the arm64 side too.

What's New in Linux Mint 21 Cinnamon

Today saw the release of Linux Mint 21 "Vanessa" Cinnamon Edition, a long term support release (supported until 2027). Release notes at LinuxMint.com promise that it comes with "refinements and many new features to make your desktop experience more comfortable." Among the highlights: its Bluetooth manager is now Blueman (instead of Blueberry). Blueberry depended on gnome-bluetooth, which was developed exclusively for GNOME. In contrast, Blueman relies on the standard Bluez stack, which works everywhere and can even be used or queried from the command line. The Blueman manager and tray icon provide many features that weren't available in Blueberry and a lot more information which can be used to monitor your connection or troubleshoot Bluetooth issues. Out of the box, Blueman features better connectivity, especially when it comes to headsets and audio profiles. In preparation for Linux Mint 21 the Blueman user interface was improved and received support for symbolic icons. Upstream, Blueman and Bluez are actively developed and used in many environments.

The lack of thumbnails for some common file types was identified as a usability issue. To address it, a new Xapp project called xapp-thumbnailers was started and is now featured in Linux Mint 21. The project brings support for the following mimetypes:

- AppImage
- ePub
- MP3 (album cover)
- RAW pictures (most formats)
- Webp

Automated tasks are great to keep your computer safe but they can sometimes affect the system's performance while you're working on it. A little process monitor was added to Linux Mint to detect automated updates and automated system snapshots running in the background. Whenever an automated task is running the monitor places an icon in your system tray. Your computer might still become slow momentarily during an update or a snapshot, but with a quick look at the tray you'll immediately know what's going on.... Linux Mint 21 uses IPP, also known as Driverless Printing and Scanning (i.e. a standard protocol which communicates with printers/scanners without using drivers). For most printers and scanners no drivers are needed, and the device is detected automatically. And there's also a fabulous collection of new backgrounds.

The Story Behind Google's In-house Desktop Linux

"For more than a decade, Google has been baking and eating its own homemade Linux desktop distribution," writes Computerworld. Long-time Slashdot reader waspleg shared their report: The first version was Goobuntu. (As you'd guess from the name, it was based on Ubuntu.) In 2018, Google moved its in-house Linux desktop from Goobuntu to a new Linux distro, the Debian-based gLinux. Why? Because, as Google explained, Ubuntu's Long Term Support (LTS) two-year release "meant that we had to upgrade every machine in our fleet of over 100,000 devices before the end-of-life date of the OS." That was a pain. Add in the time-consuming need to fully customize engineers' PCs, and Google decided that it cost too much. Besides, the "effort to upgrade our Goobuntu fleet usually took the better part of a year. With a two-year support window, there was only one year left until we had to go through the same process all over again for the next LTS. This entire process was a huge stress factor for our team, as we got hundreds of bugs with requests for help for corner cases." So, when Google had enough of that, it moved to Debian Linux (though not just vanilla Debian). The company created a rolling Debian distribution: GLinux Rolling Debian Testing (Rodete). The idea is that users and developers are best served by giving them the latest updates and patches as they're created and deemed ready for production. Google's using what appears to be an automated build system (along with virtualized test suites, and eventually "incremental canarying"), the article points out. The end result? "The entire gLinux development team consists of a single on-duty release engineer position that rotates among team members."

Fedora Sours On Creative Commons 'No Rights Reserved' License

waspleg writes: Fedora, the popular Linux distribution, will no longer incorporate software licensed under CC0, the Creative Commons "No Rights Reserved" license. In order to support the wide re-use of copyrighted content in new works, CC0 provides authors "a way to waive all their copyright and related rights in their works to the fullest extent allowed by law." The license arose in response to the 1998 Sonny Bono Copyright Term Extension Act (CTEA), which extended the duration of copyright by 20 years at the expense of the public domain. But CC0 explicitly says the licensor does not waive patent rights, which for free and open source software (FOSS) is a potential problem. That means, for instance, as described here, if you use CC0-licensed code in your project, and the author of that code later claims your project is infringing a patent they own regarding that code, your defense will be limited. Avoiding the use of CC0-licensed code is one way to steer clear of these so-called submarine patents that could years later torpedo you. In a message to The Fedora Project's mailing list for legal issues, Richard Fontana, a technology lawyer for Red Hat (which sponsors Fedora), explained that while CC0 is cited as a "good license," it won't be for much longer. "We plan to classify CC0 as allowed-content only, so that CC0 would no longer be allowed for code," said Fontana. "This is a fairly unusual change and may have an impact on a nontrivial number of Fedora packages (that is not clear to me right now), and we may grant a carveout for existing packages that include CC0-covered code." Fontana said there's a growing consensus in the FOSS community that licenses without any form of patent licensing or forbearance aren't suitable. CC0, he said, like other Creative Commons licenses, includes a clause that explicitly states no patent rights are waived by the licensor.

T2 SDE Linux 22.6 Released - and an AI Bot Contributed More Revisions Than Humans

"T2 SDE is not just a regular Linux distribution," reads the announcement. "It is a flexible Open Source System Development Environment or Distribution Build Kit (others might even name it Meta Distribution). T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation." Slashdot reader ReneR writes: The T2 project released a major milestone update, shipping full support for 25 CPU architectures, variants, and C libraries. Support for cross compiling was further improved to also cover Rust, Ada, ObjC, Fortran, and Go! This is also the first major release where an AI powered package update bot named 'data' contributed more changes than human contributors combined! [Data: 164, humans: 141] T2 is known for its sophisticated cross compile support as well as supporting nearly all existing CPU architectures: alpha, arc, arm, arm64, avr32, hppa, ia64, m68k, mipsel, mips64, nios2, ppc, ppc64-32, ppc64le, riscv, riscv64, s390x, sparc, sparc64, superh, x86, x86-64 and x32 for a wide use in embedded systems. The project also still supports the Sony PS3, Sgi Octane and Sun workstations as well as state of the art ARM64, RISCV64 as well as AMD64 for regular cloud, server, or simply enthusiast workstation use.

Red Hat's Next Steps, According to Its New CEO

IBM saw its hybrid-cloud revenue jump 18% to $5.9 billion in the last three months, reports ZDNet — while also experiencing "its highest sales growth in a decade." Much of that is due to its stand-alone Red Hat division. True, Red Hat sales increased by "only" 12%, which is low by Red Hat standards but darn good by any other standard. So what will Red Hat do now that it has a new CEO, Matt Hicks, and chairman, Paul Cormier? The answer: Stay the course. In an interview, Hicks, who's been with Red Hat since 2006, said, "[We'll keep using] the same core fundamentals that we built 20-plus years ago." Why? Because the combination of Linux, open-source software, and top support, "continues to play in new markets, whether that's the shift to cloud and cloud services or to edge computing. In the next couple of quarters, we'll just focus on executing. There's great momentum right now around the open hybrid cloud." It's not just the cloud, though. Hicks continued, "We have a lot of opportunities. We're also working with General Motors on Ultifi, GM's end-to-end software platform, and two days ago, we announced a partnership with ABB, one of the world's leading manufacturing automation companies. It's pretty cool to see Linux and open source technologies being pulled into these totally new markets in the industry. So my job is not to change anything but keep us executing and capturing the opportunities ahead...." Moving to the technical side, I asked about Red Hat and CentOS. Hicks replied, "I think it was a necessary shift and change. I'm a big believer in what makes open source work is the contribution cycle, and that wasn't happening with CentOS." Cormier adds that going forward Linux's biggest contribution to the world may be innovation (and not accessibility), "and that needs contributions. Without it driving open source and Linux, the cloud wouldn't be here."

The Dell XPS Developer Edition Will Soon Arrive With Ubuntu Linux 22.04

The Dell XPS 13 Plus Developer Edition with Ubuntu 22.04 Long Term Support (LTS) will arrive on August 23rd. "This means, of course, Canonical and Dell officially have been certified for Ubuntu 22.04 LTS," writes ZDNet's Steven Vaughan-Nichols. "So if you already have a current XPS 13 Plus, you can install Ubuntu 22.04 and automatically receive the same hardware-optimized experience that will ship with the new Developer Edition." From the report: What this certification means is that all of XPS's components have been tested to deliver the best possible experience out of the box. Ubuntu-certified devices are based on Long Term Support (LTS) releases and therefore receive updates for up to 10 years. So if you actually still have an XPS 13 that came with Ubuntu back in the day, it's still supported today. [...] Dell and Canonical have been at this for years. Today's Dell Developer Editions are the official continuation of Project Sputnik. This initiative began 10 years ago to create high-end Dell systems with Ubuntu preinstalled. These were, and are, designed with programmer input and built for developers. As Jaewook Woo, Dell's product manager, Linux, explained: "XPS is an innovation portal for Dell -- from its application of cutting-edge technology to experimentation of new user interfaces and experiential design. By bringing the enhanced performance and power management features of Ubuntu 22.04 LTS to our most advanced premium laptop, Dell and Canonical reinforce our joint commitment to continue delivering the best computing experience for developers using Ubuntu." The forthcoming Dell XPS Plus Developer Edition's specifications are impressive. The base configuration is powered by a 12th-generation Intel i5 1240P processor that runs up to 4.4GHz. For graphics, it uses Intel Iris Xe Graphics. This backs up the 13.4-inch 1920x1200 60Hz display. For storage, it uses a 512GB SSD. The list price is $1,389.

Linux Distro For Apple Silicon Macs Is Already Up and Running On the Brand-New M2

An anonymous reader quotes a report from Ars Technica: Unlike Intel Macs, Apple silicon Macs were designed to run only Apple's software. But the developers on the Asahi Linux team have been working to change that, painstakingly reverse-engineering support for Apple's processors and other Mac hardware and releasing it as a work-in-progress distro that can actually boot up and run on bare metal, no virtualization required. The Asahi Linux team put out a new release today with plenty of additions and improvements. Most notably, the distro now supports the M1 Ultra and the Mac Studio and has added preliminary support for the M2 MacBook Pro (which has been tested firsthand by the team) and the M2 MacBook Air (which hasn't been tested but ought to work). Preliminary Bluetooth support for all Apple silicon Macs has also been added, though the team notes that it works poorly when connected to a 2.4GHz Wi-Fi network because "Wi-Fi/Bluetooth coexistence isn't properly configured yet." There are still many other things that aren't working properly, including the USB-A ports on the Studio, faster-than-USB-2.0 speeds from any Type-C/Thunderbolt ports, and GPU acceleration, but progress is being made on all of those fronts. GPU work in particular is coming along, with a "prototype driver" that is "good enough to run real graphics applications and benchmarks" already up and running, though it's not included in this release. The Asahi team has said in the past that it expects support for new chips to be relatively easy to add to Asahi since Apple's chip designers frequently reuse things and don't make extensive hardware changes unless there's a good reason for it. Adding basic support for the M2 to Asahi happened over the course of a single 12-hour development session, and just "a few days" of additional effort were needed to get the rest of the hardware working as well as it does with M1-based Macs.
