Open-source News

Xen pvUSB Front-End Driver Coming For Linux 5.17

Phoronix - Fri, 12/17/2021 - 18:00
After more than ten years in the making, having been started by Fujitsu engineers in 2008 but never taken through all the steps for upstreaming, the Linux 5.17 kernel will finally have the Xen USB virtual host driver thanks to a SUSE engineer...

Write your screenplay on Linux in Fountain markdown

opensource.com - Fri, 12/17/2021 - 16:02

A screenplay is the blueprint for a movie, and it used to be written on a typewriter. You bought the typewriter, and you could write a screenplay. And not just one screenplay, but lots of them. You could write screenplays until typewriters fell out of fashion.



Manage your APC battery backup system with this Linux command

opensource.com - Fri, 12/17/2021 - 16:01

Back in the early days of personal computers, I wrote the IBM training course for the original IBM PC. To complete the course in time for the IBM, ComputerLand, and Sears training, IBM gave me a PC to take home so I could work over evenings and weekends—arguably the first instance of anyone having an IBM PC in their home.



China's Loongson Looks To Mainline LoongArch Support In LLVM

Phoronix - Fri, 12/17/2021 - 16:00
Not only is Loongson working on bringing up LoongArch ISA support for the GCC compiler and related GNU toolchain components, but the Chinese company has now laid out their plans for LoongArch on LLVM...

Who is the first Executive Director of the Open Source Initiative?

opensource.com - Fri, 12/17/2021 - 16:00

The Open Source Initiative has served as the key steward of open source software since its formation in 1998. In September 2021, the Open Source Initiative board hired Stefano Maffulli as its first Executive Director. I recently interviewed Stefano to learn more about him and his vision for the Open Source Initiative.

Tell us a little about yourself. What is your background in open source software?



AMD Radeon GPU Driver Code Sees More Fixes For Linux 5.17

Phoronix - Fri, 12/17/2021 - 13:00
After introducing a lot of new AMDGPU feature code in prior weeks to DRM-Next for introduction with Linux 5.17, AMD developers have shifted their DRM-Next focus now onto driver fixes ahead of this next kernel cycle...

How to Setup MySQL Replication in RHEL, Rocky and AlmaLinux

Tecmint - Fri, 12/17/2021 - 12:59
The post How to Setup MySQL Replication in RHEL, Rocky and AlmaLinux first appeared on Tecmint: Linux Howtos, Tutorials & Guides.

Data replication is the process of copying your data across multiple servers to improve data availability and enhance the reliability and performance of an application. In MySQL replication, data is copied from a database


Open Source Foundations Must Work Together to Prevent the Next Log4Shell Scramble

The Linux Foundation - Fri, 12/17/2021 - 11:08
Brian Behlendorf

As someone who has spent their entire career in open source software (OSS), the Log4Shell scramble (an industry-wide four-alarm-fire to address a serious vulnerability in the Apache Log4j package) is a humbling reminder of just how far we still have to go. OSS is now central to the functioning of modern society, as critical as highway bridges, bank payment platforms, and cell phone networks, and it’s time OSS foundations started to act like it.

Organizations like the Apache Software Foundation, the Linux Foundation, the Python Foundation, and many more, provide legal, infrastructural, marketing and other services for their communities of OSS developers. In many cases the security efforts at these organizations are under-resourced and hamstrung in their ability to set standards and requirements that would mitigate the chances of major vulnerabilities, for fear of scaring off new contributors. Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code.

What would “acting like it” look like? Here are a few things that OSS foundations can do to mitigate security risks:

  1. Set up an organization-wide security team to receive and triage vulnerability reports, as well as coordinate responses and disclosures to other affected projects and organizations.
  2. Perform frequent security scans, through CI tooling, for detecting unknown vulnerabilities in the software and recognizing known vulnerabilities in dependencies.
  3. Perform occasional outside security audits of critical code, particularly before new major releases.
  4. Require projects to use test frameworks, and ensure high code coverage, so that features without tests are discouraged and underused features are weeded out proactively.
  5. Require projects to remove deprecated or vulnerable dependencies. (Some Apache projects are not vulnerable to the Log4j v2 CVE, because they are still shipping with Log4j v1, which has known weaknesses and has not received an update since 2015!)
  6. Encourage, and then eventually require, the use of SBOM formats like SPDX to help everyone track dependencies more easily and quickly, so that vulnerabilities are easier to find and fix.
  7. Encourage, and then eventually require, maintainers to demonstrate familiarity with the basics of secure software development practices.

Many of these are incorporated into the CII Best Practices badge, one of the first attempts to codify these into an objective comparable metric, and an effort that has now moved to OpenSSF. The OpenSSF has also published a free course for developers on how to develop secure software, and SPDX has recently been published as an ISO standard.

None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don’t get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you’d just slipped more money into their pockets they would have written more secure code. At the same time, it’s fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are in place, being done and paid for by someone else.

Applying these security practices and providing the resources required to address them is what foundations are increasingly expected to do for their community. Foundations should begin to establish security-related requirements for their hosted and mature projects. They should fundraise from stakeholders the resources required for regular paid audits for their most critical projects, scanning tools and CI for all their projects, and have at least a few paid staff members on a cross-project security team so that time-critical responses aren’t left to individual volunteers. In the long term, foundations should consider providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests.

The Apache Software Foundation seems to have much of this right, let’s be clear. Despite being notified just before the Thanksgiving holiday, their volunteer security team worked with the Log4j maintainers and responded quickly. Log4j also has almost 8000 passing tests in its CI pipeline, but even all that testing didn’t catch the way this vulnerability could be exploited. And in general, Apache projects are not required to have test coverage at all, let alone run the kind of SAST security scans or host third party audits that might have caught this.

Many other foundations, including those hosted at the Linux Foundation, also struggle to do all this – this is not easy to push through the laissez-faire philosophy that many foundations have regarding code quality, and third-party code audits and tests don’t come cheap. But for the sake of sustainability, reducing the impact on the broader community, and being more resilient, we have got to do better. And we’ve got to do this together, as a crisis of confidence in OSS affects us all.

This is where OpenSSF comes in, and what pulled me to the project in the first place. In the new year you’ll see us announce a set of new initiatives that build on the work we’ve been doing to “raise the floor” for security in the open source community. The only way we do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than burdensome or bureaucratic. We will be working with and making grants to other open source projects and foundations to help them improve their security game. If you want to stay close to what we’re doing, follow us on Twitter or get involved in other ways. For a taste of where we’ve been to date, read our segment in the Linux Foundation Annual Report, or watch our most recent Town Hall.

Hoping for a 2022 with fewer four alarm fires,

Brian

Brian Behlendorf is General Manager of the Linux Foundation’s Open Source Security Foundation (OpenSSF). He was a founding member of the Apache Group, which later became the Apache Software Foundation, and served as president of the foundation for three years.


FSF Adopts A Board Member Agreement, Code of Ethics For Board Members

Phoronix - Fri, 12/17/2021 - 07:16
Following the Richard Stallman situation, board members leaving, projects seeking greater transparency from the FSF, and other issues within the Free Software Foundation the past two years, the FSF has finally adopted a new governance framework for board members...

Latest Linux 5.17 Graphics Drivers: "Every Single Patchset In This PR Is Awesome"

Phoronix - Fri, 12/17/2021 - 03:26
Already a lot of DRM display/graphics driver changes have been queued into DRM-Next ahead of the Linux 5.17 merge window while now is the latest weekly batch of drm-misc-next material. DRM-Misc maintainer Thomas Zimmermann of SUSE commented, "every single patchset in this [pull request] is awesome."..

Fedora & Debian Developers Look At Packaging ROCm For Easier Radeon GPU Computing Experience

Phoronix - Fri, 12/17/2021 - 03:08
When it comes to the Radeon ROCm GPU software support AMD only officially supports it on SUSE Linux Enterprise Server, RHEL / CentOS, and Ubuntu LTS releases. But Arch Linux already makes it fairly easy to deploy with their third-party packages and now Fedora and Debian have developers also eyeing possible packaging of the Radeon Open eCosystem software for more easily deploying on those distributions...

OSPOlogy: Learnings from OSPOs in 2021

The Linux Foundation - Fri, 12/17/2021 - 00:50

A wide range of open source topics essential for OSPO-related activities were covered in 2021, presented by OS experts from mature OSPOs like Bloomberg or RIT and communities behind open source standards like OpenChain or CHAOSS.

The TODO Group has been paving the OSPO path over a decade of change and is now composed of a worldwide community of open source professionals working in collaboration to drive Open Source Initiatives to the next level. 

The TODO Group Member Landscape

One of the many initiatives that the TODO Group has been working on since last August has been OSPOLogy. With OSPOLogy, the TODO Group aims to make it easier for more organizations across sectors to understand and adopt OSPOs through open and transparent networking: engaging with open source leaders through real-time conversations.

“In OSPOLogy, we have the participation of experienced OSPO leaders like Bloomberg, Microsoft or SAP, widely adopted project/Initiatives such as OpenChain, CHAOSS or SPDX, and industry open source specialists like LF Energy or FINOS. There is a huge diversity of folks in the open source ecosystem that help people and organizations to improve their Open Source Programs, their OSPO management skills, or advance in their OSPO careers. Thus, after listening to the community demands, we decided to offer a space with dedicated resources to make these connections happen, under an open governance model designed to encourage other organizations and communities to contribute.”

AJ – OSPO Program Manager at TODO Group

What has OSPOlogy accomplished so far?

Within OSPOlogy 2021 series, we had insightful discussions coming from five different OSPO topics:

For more information, please watch the video replays on our OSPOlogy YouTube channel here

The format is pretty simple: OSPOlogy kicks off the meetings with the OSPO news happening worldwide during that month and moves to the topic of the day, where featured guests introduce a topic relevant to OSPOs and ways to set up open source initiatives. These two sections are recorded and published within the LF Community platform and the new OSPOlogy YouTube channel.

Once the presentation finishes, we stop the recording and move to real-time conversations and a Q&A section under Chatham House rules in order to keep a safe environment for the community to freely share their opinions and issues.

“One of the biggest challenges when preparing the 2021 agenda was to get used to the new platform used to host these meetings and find contributors to kick off the initiative. We keep improving the quality and experience of these meetings every month and thanks to the feedback received by the community, building new stuff for 2022”

AJ – OSPO Program Manager at TODO Group

TODO Mission: build the next OSPOlogy 2022 series together

The TODO Group places great importance on neutrality. That’s why this project (like the other TODO projects) is under an open governance model, to allow people from other organizations and peers across sectors to freely contribute and grow this initiative together.

OSPOlogy has a planning doc, governance guidelines, and a topic pool agenda to:

  • Propose new topics
  • Offer to be a moderator
  • Become a speaker

https://github.com/todogroup/ospology/tree/main/meetings.

“During the past months, we have been reaching out to other communities like FINOS, LF Energy, OpenChain, SPDX, or CHAOSS. These projects have become of vital importance to many OSPO activities (either for specific activities, such as managing Open Source Compliance & ISO Standards, measuring the impact of relevant open source projects or helping to overcome entry barriers for more traditional sectors, like finance or energy industry)” 

OSPOlogy, along with the TODO Associates program, aims to bring together all these projects to introduce them to the OSPO community and drive insightful discussions. These are some of the topics proposed by the community for 2022:

  • How to start an OSPO within the Energy sector
  • How to start an OSPO within the Finance sector
  • Measuring the impact of the open source projects that matter to your organization
  • Open Source Compliance best practices in the lens of an OSPO

OSPOlogy is not just limited to LF projects and the TODO Community. Outside initiatives, foundations, or vendors that work closely with OSPOs and help the OSPO movement are also welcome to join.

We have just created a CFP form so people can easily add their OSPO topics for upcoming OSPOlogy sessions:

https://github.com/todogroup/ospology/blob/main/.github/ISSUE_TEMPLATE/call-for-papers.yml

In order to propose a topic, interested folks just need to open an issue using the call for papers GitHub form.

The TODO Group’s journey: Paving the OSPO path over a decade of change

Significant advancements and community shifts have occurred since (the year when TODO Group was formed) in the open source ecosystem and the way organizations advance in their open source journey. By that time, most of the OSPOs were gathered in the bay area and led by software companies, requesting to share limited information due to the uncertainty across this industry. 

OSPO Maturity Levels

However, this early version of TODO is far behind what it (and OSPOs) represent in the present day.

With digital transformation forcing all organizations to be open source forward and OSPOs adopted by multiple sectors, the TODO Group is composed of a worldwide community of open source professionals working in collaboration to drive Open Source Initiatives to the next level.

It is well known that the TODO group members are also OSPO mentors and advocates who have been working in the open source industry for years.

At TODO group, we know the huge value these experienced OSPO leaders can bring to the community since they can help to pave the path for the new generation of OSPOs, cultivating the open source ecosystem. Two main challenges mark 2022:

  1. Provide Structure and Guidance within the OSPO Industry based on the experience of Mature OSPO professionals across sectors and stages.
  2. Collaborate with other communities to enhance this guidance

New OSPO challenges are coming, and new TODO milestones and initiatives are taking shape to help the OSPO movement succeed across sectors. You will hear news about TODO's 2022 strategic goals and direction very soon!


A 2021 Linux Foundation Research Year in Review

The Linux Foundation - Thu, 12/16/2021 - 22:00

Through LF Research, the Linux Foundation is uniquely positioned to create the definitive repository of insights into open source. By engaging with our community members and leveraging the full resources of our data sources, including a new and improved LFX, we’re not only shining a light on the scope of the projects that comprise much of the open source paradigm but contextualizing their impact. In the process, we’re creating both a knowledge hub and an ecosystem-wide knowledge network. Because, after all, research is a team sport.

Taking inspiration from research on open innovation, LF Research will explore open source amidst the challenges of the current era. These include challenges like the COVID-19 pandemic, climate risk, and accelerating digital transformation — all changing what it means to be a technology company or an organization that deeply relies on innovation. By publishing a new suite of research deliverables that aid in strategy formation and decision-making, LF Research intends to create shared value for all stakeholders in our community and inspire greater levels of participation in it. 

Completed Core Research
  • The 2021 Linux Foundation Report on Diversity, Equity, and Inclusion in Open Source, produced in partnership with AWS, CHAOSS, Comcast, Fujitsu, GitHub, GitLab, Hitachi, Huawei, Intel, NEC, Panasonic, Red Hat, Renesas, and VMware, seeks to understand the demographics and dynamics concerning overall participation in open source communities and to identify gaps to be addressed, all as a means to advancing inclusive cultures within open source environments. This research aims to drive data-driven decisions on future programming and interventions to benefit the people who develop and ultimately use open source technologies. Enterprise Digital Transformation, Techlash, Political Polarization, Social Media Ecosystem, and Content Moderation are all cited as trends that have exposed and amplified exclusionary narratives and designs, mandating increased awareness, and recalibrating individual and organizational attention. Beyond the survey findings that identify the state of DEI, this research explores a number of DEI initiatives and their efficacy and recommends action items for the entire stakeholder ecosystem to further their efforts and build inclusion by design.

Core Research in Progress
  • The Software Bill of Materials (SBOM) Readiness Survey (estimated release: Q1 2022), produced in partnership with the Open Source Security Foundation, OpenChain, and SPDX, is the Linux Foundation’s first project in a series designed to explore ways to better secure the software supply chains. With a focus on SBOMs, the findings are based on a worldwide survey of IT professionals who understand their organization’s approach to software development, procurement, compliance, or security. An important driver for this survey is the recent U.S. Executive Order on Cybersecurity, which focuses on producing and consuming SBOMs. 

Completed Project-Focused Research
  • The Fourth Annual Open Source Program Management (OSPO) Survey, produced in collaboration with the TODO Group and The New Stack, examines the prevalence and outcomes of open source programs, including the key benefits and barriers to adoption.
  • The 2021 State of Open Source in Financial Services Report produced in partnership with FINOS, Scott Logic, Wipro, and GitHub, explores the state of open source in the financial services sector. The report identifies current levels of consumption and contribution of open source software and standards in this industry and the governance, cultural, and aspirational issues of open source among banks, asset managers, and hedge funds.
  • The 2021 Data and Storage Trends Survey, produced in collaboration with the SODA Foundation, identifies the current challenges, gaps, and trends for data and storage in the era of cloud-native, edge, AI, and 5G.
  • The 9th Annual Open Source Jobs Report, produced in partnership with edX, provides actionable insights on the state of open source talent that employers can use to inform their hiring, training, and diversity awareness efforts.

