Esther Schindler (Slashdot reader #16,185), shares some thoughts from long-time tech reporter Steven J. Vaughan-Nichols: We'd like an easy way to judge open-source programs. It can be done. But easily? That's another matter... Plenty of people have created systems to collect, judge, and evaluate open-source projects, including information about a project's popularity, reliability, and activity. But each of those review sites — and their methodologies — have flaws.
The article looks at a variety of attempts, including freshmeat.net; Eric Raymond's attempt to revive Freecode; GitHub's star (which Docker's co-founder calls a "bullshit metric"); Synopsys's Black Duck Open Hub (formerly Ohloh); and even Google Trends. But it wraps up by pointing out that Brian Profitt, Red Hat's Open Source Program Office (OSPO) manager, is working with others on "Project CHAOSS," a new Linux Foundation project to make it easy to evaluate open-source projects.
This pulled together Grimoirelab and similar programs, such as Augur and Red Hat's own Prospector... Its metrics include what kinds of contributions are being made; when the contributions are made; and who's making the contributions. All of which are vital to understanding the overall health of a project.

CHAOSS is still a work in progress. Its official release is scheduled for February 2021... Ultimately, this data will be available to all, from end users to the project leads. "In fact, I hope this happens a lot, because we can refine our models more quickly," says Profitt.

Microsoft has submitted a series of patches to the Linux kernel with its aim being "to create a complete virtualization stack with Linux and Microsoft Hypervisor." The Register reports: The patches are designated "RFC" (Request for comments) and are a minimal implementation presented for discussion. The key change is that with the patched kernel, Linux will run as the Hyper-V root partition. In the Hyper-V architecture, the root partition has direct access to hardware and creates child partitions for the VMs it hosts. "Just think of it like Xen's Dom0," said Microsoft principal software engineer Wei Liu. Hyper-V's architecture is more similar to Xen than it is to KVM or to VMware's ESXi, and Liu acknowledged that "we drew inspiration from the Xen code in Linux," specifically for code handing interrupts. Until now, the Hyper-V root partition had to run Windows.

Microsoft has also ported Intel's open-source Cloud Hypervisor, a Virtual Machine Monitor (VMM) written in Rust that normally runs on KVM, the hypervisor that is built into the Linux kernel. Cloud Hypervisor itself is currently in "very early pre-alpha stage." Even when Linux is the root partition, it will still run on top of Microsoft's hypervisor, a thin layer running with ring -1 privileges. It will no longer be necessary to run Windows on that hypervisor, though, enabling Microsoft to call the new arrangement "a complete virtualization stack with Linux."

Researchers at Kaspersky "have warned that sophisticated hackers and crooks are increasingly targeting Linux-based devices — using tools specifically designed to exploit vulnerabilities in the platform," reports TechRepublic: While Windows tends to be more frequently targeted in mass malware attacks, this is not always the case when it comes to advanced persistent threats (APTs), in which an intruder — often a nation-state or state-sponsored group — establishes a long-term presence on a network. According to Kaspersky, these attackers are increasingly diversifying their arsenals to contain Linux tools, giving them a broader reach over the systems they can target.

Many organisations choose Linux for strategically important servers and systems, and with a "significant trend" towards using Linux as a desktop environment by big business as well as government bodies, attackers are in turn developing more malware for the platform... According to Kaspersky, over a dozen APT actors have been observed to use Linux malware or some Linux-based modules. Most recently, this has included the LightSpy and WellMess malware campaigns, both of which targeted both Windows and Linux devices. The LightSpy malware was also found to be capable of targeting iOS and Mac devices.

While targeted attacks on Linux-based systems are still uncommon, a suite of webshells, backdoors, rootkits and custom-made exploits are readily available to those that seek to use them. Kaspersky also suggested that the small number of recorded attacks was not representative of the danger they posed, pointing out that the compromise of a single Linux server "often leads to significant consequences", as the malware travelled through the network to endpoints running Windows or macOS, "thus providing wider access for attackers which might go unnoticed".

"Security researchers from Amsterdam have publicly detailed 'BlindSide' as a new speculative execution attack vector for both Intel and AMD processors," reports Phoronix: BlindSide is self-described as being able to "mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks."

From a single buffer overflow in the kernel, researchers claim three BlindSide exploits in being able to break KASLR (Kernel Address Space Layout Randomization), break arbitrary randomization schemes, and even break fine-grained randomization.
There's more information on the researcher's web site, and they've also created an informational video.

And here's a crucial excerpt from their paper shared by Slashdot reader Hmmmmmm: In addition to the Intel Whiskey Lake CPU in our evaluation, we confirmed similar results on Intel Xeon E3-1505M v5, XeonE3-1270 v6 and Core i9-9900K CPUs, based on the Skylake, KabyLake and Coffee Lake microarchitectures, respectively, as well as on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs, which are based on the Zen+ and Zen2 microarchitectures.

Overall, our results confirm speculative probing is effective on a modern Linux system on different microarchitectures, hardened with the latest mitigations.

rastos1 writes: Starting with Windows Insiders preview build 20211, WSL 2 will be offering a new feature: wsl --mount. This new parameter allows a physical disk to be attached and mounted inside WSL 2, which enables you to access filesystems that aren't natively supported by Windows (such as ext4).

The Amiga Fast File System (AFFS) is making a minor comeback in the new version of the Linux kernel. The Register reports: As noted by chief penguin Linus Torvalds in his weekly state-of-the-kernel report, a change to AFFS popped up among what he described as a collection of "the usual suspects" in new submissions to the kernel over the last week. The Amiga was ahead of its time, but is now largely a curiosity. However Suse developer David Sterba has noticed that "The basic permission bits (protection bits in AmigaOS) have been broken in Linux' AFFS - it would only set bits, but never delete them. Also, contrary to the documentation, the Archived bit was not handled."

"Let's fix this for good, and set the bits such that Linux and classic AmigaOS can coexist in the most peaceful manner," he added. Torvalds appears to have agreed inasmuch as Sterba's code has made it into rc4 of version 5.9 of the Linux kernel. Torvalds said that while rc4 is a big release -- he rated it as "larger than usual" -- it's still "well within the normal range, and not something I'll lose any sleep over."

An anonymous reader shares this enthusiastic report from ZDNet: Earlier this year, Linus Torvalds approved of adding drivers and other components in Rust to Linux.* Last week, at the virtual Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. ["Nothing firm has been determined yet," reported Phoronix, "but it's a topic that is still being discussed."] And, now Amazon Web Services (AWS) has announced that its just-released Bottlerocket Linux for containers is largely written in Rust.

Mozilla may have cut back on Rust's funding, but with Linux embracing Rust, after almost 30-years of nothing but C, Rust's future is assured. Rust was chosen because it lends itself more easily to writing secure software. Samartha Chandrashekar, an AWS Product Manager, said it "helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities." Many other developers agree with Chandrashekar.

Bottlerocket also improved its security by using Device-mapper's verity target. This is a Linux kernel feature that provides integrity checking to help prevent attackers from overwriting core system software or other rootkit type attacks. It also includes the extended Berkeley Packet Filter (eBPF), In Linux, eBPF is used for safe and efficient kernel function monitoring.
* Linus's exact words were "people are actively looking at, especially doing drivers and things that are not very central to the kernel itself, and having interfaces to do those, for example, in Rust. People have been looking at that for years now. I'm convinced it's going to happen one day."

The article also reminds readers that AWS's Bottlerocket "is also designed to be quick and easy to maintain... by including the bare essentials needed to run containers..."

"Besides its standard open-source elements, such as the Linux kernel and containerd container runtime, Bottlerocket's own code is licensed under your choice of either the Apache 2.0 or the MIT license."

Artem S. Tashkinov writes: 253 emails have been leaked from private (high-level) mailing lists of Debian, in which its representatives vocally complain about the talk Linus Torvalds gave at the most recent DebConf conference. Some people insist that he should be permanently banned from future conferences because the language he uses is inappropriate and infringes on the project's Code of Conduct. This could set a very bad precedent for the open source community, which has recently seen an influx of various CoC policies applied to a number of high-profile projects mostly after very vocal concerns from the people who barely participate in the open source community. Some observers believe that it's a plot by Microsoft to destroy the open source movement from the inside.
UPDATE: "Note: The complaints and the event itself happened in 2014," the article points out.

Today, Lenovo has released a ThinkPad with Red Hat's community Linux, Fedora. ZDNet reports: First in this new Linux-friendly lineup is the X1 Carbon Gen 8. It will be followed by forthcoming versions of the ThinkPad P1 Gen2 and ThinkPad P53. While ThinkPads are usually meant for business users, Lenovo will be happy to sell the Fedora-powered X1 Carbon to home users as well. The new X1 Carbon runs Fedora Workstation 32. This cutting-edge Linux distribution uses the Linux Kernel 5.6. It includes WireGuard virtual private network (VPN) support and USB4 support. This Fedora version uses the new GNOME 3.36 for its default desktop.

The system itself comes standard with a 10th Generation Intel Core 1.6Ghz i5-10210U CPU, with up to 4.20 GHz with Turbo Boost. This processor boasts 4 Cores, 8 Threads, and a 6 MB cache. It also comes with 8MBs of LPDDR3 RAM. Unfortunately, its memory is soldered in. While that reduces the manufacturing costs, Linux users tend to like to optimize their hardware and this restricts their ability to add RAM. You can upgrade it to 16MBs, of course, when you buy it for an additional $149. For storage, the X1 defaults to a 256GB SSD. You can push it up to a 1TB SSD. That upgrade will cost you $536.

The X1 Carbon Gen 8 has a 14.0" Full High Definition (FHD) (1920 x 1080) screen. For practical purposes, this is as high-a-resolution as you want on a laptop. I've used laptops with Ultra High Definition (UHD), aka 4K, with 3840x2160 resolution, and I've found the text to be painfully small. This display is powered by an integrated Intel HD Graphics chipset. For networking, the X1 uses an Intel Wi-Fi 6 AX201 802.11AX with vPro (2 x 2) & Bluetooth 5.0 chipset. I've used other laptops with this wireless networking hardware and it tends to work extremely well. The entire default package has a base price of $2,145. For now, it's available for $1,287. If you want to order one, be ready for a wait. You can expect to wait three weeks before Lenovo ships it to you.

Phoronix reports: As mentioned back in July, upstream Linux developers have been working to figure out a path for adding Rust code to the Linux kernel. That topic is now being further explored at this week's virtual Linux Plumbers Conference...

To be clear though, these Rust Linux kernel plans do not involve rewriting large parts of the kernel in Rust (at least for the foreseeable future...), there would be caveats on the extent to which Rust code could be used and what functionality, and the Rust support would be optional when building the Linux kernel. C would remain the dominant language of the kernel and then it's just a matter of what new functionality gets added around Rust if concerned by memory safety, concurrency, and other areas where Rust is popular with developers. Various upstream developers have been interested in Rust for those language benefits around memory safety and security as well as its syntax being close to C. There would be a to-be-determined subset of Rust to be supported by the Linux kernel.... While the Rust code would be optional, the developers do acknowledge there are limitations on where Rust is supported due to the LLVM compiler back-ends. But at least for x86/x86_64, ARM/ARM64, POWER, and other prominent targets there is support along with the likes of RISC-V.

Nothing firm has been determined yet but it's a topic that is still being discussed at the virtual LPC this week and surely over the weeks/months ahead on the kernel mailing list. There is Rust-For-Linux on GitHub with a prototype kernel module implementation. There is also the PDF slides from Thursday's talk on the matter.
It's not clear to me that this is a done deal. But the article argues that "it's still looking like it will happen, it's just a matter of when the initial infrastructure will be in place and how slowly the rollout will be..."

A review at the Android Police site calls Pine64's new Linux-based PinePhone "the most interesting smartphone I've tried in years," with 17 different operating systems available (including Fedora, Ubuntu Touch, SailfishOS, openSUSE, and Arch Linux ARM): There's a replaceable battery, which is compatible with batteries designed for older Samsung Galaxy J7 phones. It's good to know that even if PinePhone vanished overnight, you could still purchase new batteries for around $10-15...

There's a microSD card slot above the SIM tray, which supports cards up to 2TB in size. While it can be used as extra storage, just like the SD slots in Android phones and tablets, it can also function as a bootable drive. If you write an operating system image to the SD card and put it in the PinePhone, the phone will boot from the SD card. This means you can move between operating systems on the PinePhone by simply swapping microSD cards, which is amazing for trying out new Linux distributions without wiping data. How great would it be if Android phones could do that?

Finally, the inside of the PinePhone has six hardware killswitches that can be manipulated with a screwdriver. You can use them to turn off the modem, Wi-Fi/Bluetooth, microphone, rear camera, front camera, and headphone jack. No need to put a sticker over the selfie camera if you're worried about malicious software — just flip the switch and never worry about it again.... For a $150 phone produced in limited batches by a company with no previous experience in the smartphone industry, I'm impressed it's built as well as it is...

I look forward to seeing what the community around the PinePhone can accomplish.
A Pine64 blog post this weekend touts "a boat-load of cool and innovative things" being attempted by the PinePhone community, including users working on things like a fingerprint scanner or a thermal camera, plus a community that's 3D-printing their own custom PinePhone cases. And Pine64 has now identified three candidates for a future keyboard option (each of which can be configured as either a slide-out or clamshell keyboard): I feel like we have finally gotten into a good production rhythm; it was only last month we announced the postmarketOS Community Edition of the PinePhone, and this month I am here to tell you that the factory will deliver the phones to us at the end of this month... I don't know about you, but I think that this is a rather good production pace. At the time of writing, and based on current sale rates, the postmarketOS production-run will sell out in a matter of days...

While I have no further announcements at this time, what I will say is that we have no intention of slowing down the pace now until February 2021 (when Chinese New Year begins)...

27 years ago today, in 1993, Debian first appeared in the world. August 16th has since been recognized as "DebianDay," celebrated shortly before the annual Debian Conference — with lots of ways to get involved, according to Debian.org: Today is also an opportunity for you to start or resume your contributions to Debian. For example, you can scratch your creative itch and suggest a wallpaper to be part of the artwork for the next release, have a look at the DebConf20 schedule and register to participate online (August 23rd to 29th, 2020), or put a Debian live image in a DVD or USB and give it to some person near you, who still didn't discover Debian.

Our favorite operating system is the result of all the work we do together. Thanks to everybody who has contributed in these 27 years, and happy birthday Debian!
And the same day is also the 25th anniversary of CPAN, the Comprehensive Perl Archive Network: On the 16th August 1995, Andreas König uploaded Symdump 1.20 to CPAN. There were other things already on CPAN, but this was the first true upload, to be followed by more than 6,500 people who have released over 35,000 distributions in 230k releases.

So it seems appropriate that 16th August be designated CPAN Day, to celebrate CPAN, and all the authors who've made it what it is.
That blog post urges readers to celebrate the anniversary "by doing something related to CPAN: release something, blog about your favourite module, or email its author thanking her or him."

Finally, a Slashdot reader reminds us that Mutt is also enjoying a birthday: The email client that aims to suck a little bit less celebrates its 25th anniversary!

The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers. From a report: The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks. Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main SpecialService Center (GTsSS). Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.

This week saw the release Linux 5.8, which Linus Torvalds called "one of our biggest releases of all time," reports TechRepublic: The new version of the Linux kernel brings a number of updates to Linux 5.7 spanning security, core components, drivers, memory management, networking and improvements to the kernel's design, amongst others. This includes updates for Microsoft's Hyper-V virtualization platform, Intel Tiger Lake Thunderbolt support, improvements to Microsoft's exFAT file system, and support for newer Intel and ARM chips.

Torvalds said the kernel had received over 15,000 merge requests and that around 20% of all the files in the kernel source repository had been modified. "That's really a fairly big percentage, and while some of it is scripted, on the whole it's really just the same pattern: 5.8 has simply seen a lot of development," Torvalds said.

Translated into numbers, Linux 5.8 includes over 800,000 new lines and over 14,000 changed files. It also received one of the biggest number of merge requests during its merge window — over 14,000 non-merge commits and more than 15,000 including merges, according to Torvalds. "5.8 looks big. Really big," he added.

PAjamian writes: A recently released Red Hat update for the BootHole Vulnerability (firehose link) is causing systems to become unbootable. It is widely reported that updates to the shim, grub2 and kernel packages in RHEL and CentOS 7 and 8 are leaving various systems that use secure boot unbootable. Current recommendations are to avoid updating your system until the issue is resolved, or at least avoid updating the shim, grub2 and kernel packages. Update, shared by PAjamian: Red Hat is now recommending that users do not apply grub2, fwupd, fwupdate or shim updates until new packages are available.

SUSE has released the next versions of its flagship operating system, SUSE Linux Enterprise (SLE) 15 Service Pack 2 and its latest infrastructure management program, SUSE Manager 4.1. ZDNet reports: SLE 15 SP2 is available on the x86-64, Arm, IBM POWER, IBM Z, and LinuxONE hardware architectures. This new Linux server edition is based on the Linux 5.3 kernel. This new kernel release includes upstream features such as utilization clamping support in the task scheduler, and power-efficient userspace waiting. Other new and noteworthy features include:

- Support for migration from openSUSE Leap to SUSE Linux Enterprise Server (SLES). With this, you can try the free, community openSUSE Linux distro, and then, if you find it's a good choice for your business, upgrade to SLES.
- Extended Package Search. By using the new Zypper, SUSE's command line package manager, command option -- zypper search-packages -- sysadmins can now search across all SUSE repositories, even unenabled ones. This makes it easier for administrators to find required software packages.
- SLE Software Development Kit (SDK) is now integrated into SLE. Development packages are packaged alongside regular packages. - Python 3: SLE 15 offers full support for Python 3 development. SLE still supports Python 2 for the time being.
- 389 Directory Server replaces OpenLDAP as the LDAP directory service.
- Repository Mirroring Tool (RMT) replaces Subscription Management Tool (SMT). RMT allows mirroring SUSE repositories and custom repositories. You can then register systems directly with RMT. In environments with tightened security, RMT can also proxy other RMT servers.
- Better business continuity with improved SLE Live Patching. SUSE claims Live Patching increases system uptime by up to 12 months. SLE Live Patching is also now available for IBM Z and LinuxONE mainframe architectures.

As for SUSE Manager 4.1, this is an improved open-source infrastructure management and automation solution that lowers costs, identifies risk, enhances availability, and reduces complexity in edge, cloud, and data center environments. With SUSE Manager you can keep servers, VMs, containers, and clusters secure, healthy, compliant, and low maintenance whether in private, public, or hybrid cloud. That's especially important these days thanks to coronavirus pandemic IT staff disruptions. SUSE Manager 4.1 can also be used with the Salt DevOps program. Its vertical-market brother, SUSE Manager for Retail 4.1, is optimized and tailored specifically for retail. This release comes with enhancements for small store operations, enhanced offline capabilities and image management over Wi-Fi, and enhanced virtual machine management and monitoring capabilities. Simultaneously it can scale retail environments to tens of thousands of end-point devices and help modernize point-of-service rollouts.

ProcMon for Linux is Microsoft's newest open-source Linux software. ProcMon is a rewritten and re-imagined version of its Processor Monitor found on Windows within their Sysinternals suite. From a report: Microsoft explains, "The Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system."

The Linux Foundation Public Health initiative has chosen the Covid Tracker Ireland app as one of its first two open-source Covid-19 projects. From a report: Since its launch, more than 1.3m people have downloaded the Covid Tracker Ireland app, which was developed to help track the future spread of the coronavirus. Now, the app has been chosen as one of the first two open-source contact-tracing projects by the newly established Linux Foundation Public Health (LFPH) initiative. Nearform, the Waterford-based company that developed the app with the HSE, has been made one of the initiative's seven premium members, along with Cisco, Doc.ai, Geometer, IBM, Tencent and VMware. Under the project name 'Covid Green', the source code of the Irish app is being made available for other public health authorities and their developers across the world to use and customise. As part of the agreement, Nearform will manage the source code repository on GitHub. In its announcement, the LFPH pointed to the "extraordinarily high" adoption rate of the Covid Tracker Ireland app.

TechRadar reports on Pine64's new "PinePhone Convergence Package" handset, calling it "a Linux desktop you can keep in your pocket" that can be used as a PC when plugged into an external display and a keyboard. The device costs just $199 and is aimed primarily at Linux enthusiasts. The PinePhone Linux smartphone is based on the Alpine Linux-based PostmarketOS that can be used both in smartphone and desktop modes... The main component that transforms the PinePhone into a PC-like device is its USB-C docking bar that features an HDMI display output, two USB Type-A connectors, and a 10/100Mb Ethernet port.

The idea of using a smartphone with an external display and keyboard to run certain applications has not gained much traction neither with HP's Elite x3 Windows Phone 10 handset nor with Samsung's smartphones with its DeX software. Perhaps, since Linux community is generally more inclined to experiment with their gadgets (and their time), Pine64's PinePhone Convergence has a better chance to be actually used as a desktop by its owners.

An intriguing exchange happened on the Linux Kernel Mailing List after a post by Nick Desaulniers, a Google software engineer working on compiling the Linux Kernel with Clang (and LLVM). Hackaday reports: Nick simply tested the waters for a possible future of Rust within the Linux kernel code base, which is something he's planning to bring up for discussion in this year's Linux Plumbers Conference — the annual kernel developer gathering. [Desaulniers thinks that discussion will include "a larger question of 'should we do this?' or 'how might we place limits on where this can be used?'"]

The interesting part is Linus Torvalds's response on the LKML thread, which leaves everyone hoping for a hearty signature Rust rant akin to his C++ one disappointed. Instead, his main concern is that a soft and optional introduction of the support in the build system would leave possible bugs hidden, and therefore should be automatically enabled if a Rust compiler is present — essentially implying that he seems otherwise on board.
Linus also touched on Rust earlier this month in his keynote interview with Dirk Hohndel, the chief open source officer at VMware, during the special virtual edition of the Linux Foundation's annual Open Source Summit and Embedded Linux Conference North America: Dirk Hohndel: Every new project is done in Go or Rust or another new language I've never heard of. Is there a risk that we are becoming the COBOL programmers of the 2030s?

Linus Torvalds: Well, I don't actually think it's true that nobody writes in C any more. I think C is still one of the top 10 languages easily, if you look at any of the statistics.

That said — I mean, people are actively looking at, especially doing drivers and things that are not very central to the kernel itself, and having interfaces to do those, for example, in Rust. People have been looking at that for years now. I'm convinced it's going to happen one day.

I mean, it might not be Rust, but it is going to happen that we will have different models for writing these kinds of things. And C won't be the only one. I mean right now, it's C or assembly, and most people would rather not touch the assembly parts. [Dirk laughs] But it is something that people are looking at. I'm probably the wrong person. Greg has been more involved, since he's the driver maintainer in general. But things are afoot, and these things take a long, long time. I mean, the kind of infrastructure you need to start integrating other languages into a kernel, and making people trust these other languages — that's a big step.