Ubuntu

Tesla Model 3 Modded To Run Ubuntu (cleantechnica.com) 87

140Mandak262Jamuna writes: CleanTechnica is reporting that someone hacked the infotainment system of a Tesla Model 3 and got root access and installed Linux distribution Ubuntu. Redditor trsohmers is able to show an Ubuntu command shell running alongside the Tesla OS. Since Tesla supports a browser that allows you to visit any site, could this be leveraged into remote hacks? It could also mean that if Tesla sells a long-range version of the Model 3, but limits it via software, people might try to remove the block. One could potentially get a 15-day trial of full self-driving for free and extend that 15-day window forever. At least he had some guts messing with $50,000 hardware that phones home all the time. Will Tesla brick his car to attempt to disprove the security issue?
Operating Systems

Linux Kernel Developers Discuss Dropping x32 Support (phoronix.com) 202

An anonymous reader shared a report: It was just several years ago that the open-source ecosystem began supporting the x32 ABI, but already kernel developers are talking of potentially deprecating the support and for it to be ultimately removed.

[...] While the x32 support was plumbed through the Linux landscape, it really hasn't been used much. Kernel developers are now discussing the future of the x32 ABI due to the maintenance cost involved in still supporting this code but with minimal users. Linus Torvalds is in favor of sunsetting x32 and many other upstream contributors in favor of seeing it deprecated and removed.

Security

ESET Discovers 21 New Linux Malware Families (zdnet.com) 67

In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
Open Source

Developer Misinterprets Linux Code of Conduct, Suggests Replacing F-Word with 'Hug' (neowin.net) 402

Seeking compliance with Linux's new Code of Conduct, Intel software engineer Jarkko Sakkinen recently requested comments on a set of changes to kernel code comments which Neowin described as "replacing the F-word with 'hug'."

80 comments quickly followed on the Linux Kernel Maintainer's List: Several contributors responded to the alterations calling them insane. One wondered if Sakkinen was just trying to make a joke, and another called it censorship and said he'd refuse to apply any sort of patches like this to the code he's in charge of...

Some of the post-change comments read "Some Athlon laptops have really hugged PST tables", "If you don't see why, please stay the hug away from my code", and "Only Sun can take such nice parts and hug up the programming interface".

Eventually LWN.net publisher Jonathan Corbet deflated most of the controversy by pointing out that Linux's new Code of Conduct applies to future comments but clearly indicates that it does not apply explicitly to past comments.

And Jarkko Sakkinen acknowledged that he had missed that part of the discussion.
Cloud

Is Linux Taking Over The World? (networkworld.com) 243

"2019 just might be the Year of Linux -- the year in which Linux is fully recognized as the powerhouse it has become," writes Network World's "Unix dweeb." The fact is that most people today are using Linux without ever knowing it -- whether on their phones, online when using Google, Facebook, Twitter, GPS devices, and maybe even in their cars, or when using cloud storage for personal or business use. While the presence of Linux on all of these systems may go largely unnoticed by consumers, the role that Linux plays in this market is a sign of how critical it has become. Most IoT and embedded devices -- those small, limited functionality devices that require good security and a small footprint and fill so many niches in our technology-driven lives -- run some variety of Linux, and this isn't likely to change. Instead, we'll just be seeing more devices and a continued reliance on open source to drive them.

According to the Cloud Industry Forum, for the first time, businesses are spending more on cloud than on internal infrastructure. The cloud is taking over the role that data centers used to play, and it's largely Linux that's making the transition so advantageous. Even on Microsoft's Azure, the most popular operating system is Linux. In its first Voice of the Enterprise survey, 451 Research predicted that 60 percent of nearly 1,000 IT leaders surveyed plan to run the majority of their IT off premises by 2019. That equates to a lot of IT efforts relying on Linux. Gartner states that 80 percent of internally developed software is now either cloud-enabled or cloud-native.

The article also cites Linux's use in AI, data lakes, and in the Sierra supercomputer that monitors America's nuclear stockpile, concluding that "In its domination of IoT, cloud technology, supercomputing and AI, Linux is heading into 2019 with a lot of momentum."

And there's even a long list of upcoming Linux conferences...
Open Source

RISC-V and Linux Foundations Partner to Promote Open Source CPU (techrepublic.com) 92

"The Linux Foundation and RISC-V Foundation announced yesterday a joint collaboration project to promote open source development and commercial adoption of the RISC-V instruction set architecture (ISA)," reports TechRepublic: Though some devices that integrate RISC-V will use real-time operating systems rather than Linux, the use of Linux in development will be instrumental as existing tools are being extended to support the RISC-V ISA when developing software on traditional computers. "This joint collaboration with the Linux Foundation will enable the RISC-V Foundation to offer more robust support and educational tools for the active RISC-V community, and enable operating systems, hardware implementations and development tools to scale faster," said Rick O'Connor, executive director of the RISC-V Foundation, in a press release.

In many ways, RISC-V is a hardware equivalent to the open source principles that guide the Linux project, as the ISA is open source, is not subject to patent encumbrances, and is available under the BSD license. [L]icensing fees for Arm or MIPS ISAs -- both of which are fundamentally RISC in principle -- can be avoided by using RISC-V.... As alternatives like Alpha, SuperH, MIPS, and even Intel's own Itanium processors have fallen by the wayside, organizations using those ISAs in their products have had difficult adjustment periods transitioning away, while patent encumbrances largely prevent third parties from continuing development or providing drop-in replacements for those technologies. RISC-V's open nature prevents these issues, as it is possible for any organization to extend or customize their own implementation, and any organization can produce their own RISC-V processors.

Manufacturers like how RISC-V CPUs aren't restricted to a single manufacturer, according to the article, which points out that NVIDIA and Western Digital have both announced plans to use RISC-V in some upcoming products.

RISC-V is also "gaining popularity in Internet of Things, low-power, and embedded applications," and Western Digital even plans to ultimately transition its annual consumption of processors -- one billion cores per year -- to RISC-V.
Intel

Two Linux Kernels Revert Performance-Killing Spectre Patches (phoronix.com) 103

Friday Greg Kroah-Hartman released stable point releases of Linux kernel 4.19.4, as well as 4.14.83 and 4.9.139. While they were basic maintenance updates, the 4.19.4 and 4.14.83 releases are significant because they also reverted the performance-killing Spectre patches (involving "Single Thread Indirect Branch Predictors", or STIBP) that had been back-ported from Linux 4.20, according to Phoronix:

There is improved STIBP code on the way for Linux 4.20 that by default just applies STIBP to SECCOMP threads and processes requesting it via prctl() but otherwise is off by default (that behavior can also be changed via kernel parameters). Once that code is ready to go for Linux 4.20, we may see it then back-ported to these stable trees.

Aside from reverting STIBP, these point releases just have various fixes in them as noted for 4.19.4, 4.14.83, and 4.9.139.

Last Sunday Linus Torvalds complained that the performance impact of the STIBP code "was clearly way more expensive than people were told," according to ZDNet: "When performance goes down by 50 percent on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway," wrote Torvalds. "So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?"
Security

New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com) 110

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by. ZDNet reports: The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn't have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it has write permissions so it can copy itself and later use to download other modules. Once the trojan has a foothold on the system it uses one of two privilege escalation exploits CVE-2016-5195 (also known as Dirty COW) and CVE-2013-2094 to get root permissions and have full access to the OS.
Ubuntu

Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan (zdnet.com) 110

At the OpenStack Summit in Berlin last week, Ubuntu Linux founder Mark Shuttleworth said in a keynote that Ubuntu 18.04 Long Term Support (LTS) support lifespan would be extended from five years to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," said Shuttleworth, "In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade." ZDNet reports: Ubuntu 18.04 released in April 2018. While the Ubuntu desktop gets most of the ink, most of Canonical's dollars comes from server and cloud customers. It's for these corporate users Canonical first extended Ubuntu 12.04 security support, then Ubuntu 14.04's support, and now, preemptively, Ubuntu 18.04. In an interview after the keynote, Shuttleworth said Ubuntu 16.04, which is scheduled to reach its end of life in April 2021, will also be given a longer support life span.

When it comes to OpenStack, Shuttleworth promised again to support versions of OpenStack dating back to 2014's IceHouse. Shuttleworth said, "What matters isn't day two, what matters is day 1,500." He also doubled-down on Canonical's promise to easily enable OpenStack customers to migrate from one version of OpenStack to another. Generally speaking, upgrading from one version of OpenStack is like a root canal: Long and painful but necessary. With Canonical OpenStack, you can step up all the way from the oldest supported version to the newest one with no more than a second of downtime.

Intel

Linux 4.20 is Running Slower Than 4.19 On Intel CPUs (phoronix.com) 137

Freshly Exhumed writes: An intentional kernel change in Linux kernel 4.20 for enhanced Spectre mitigation is unfortunately causing Intel Linux performance to be much slower than with 4.19. That change is 'STIBP' (Single Thread Indirect Branch Predictors), which allows for preventing cross-hyperthread control of decisions that are made by indirect branch predictors. It affects Intel systems that have up-to-date microcode and CPU Hyper Threading enabled. Phoronix gives the evidence.
Open Source

Uber Joins Linux Foundation Cementing Commitment To Open Source Tools (techcrunch.com) 30

At the 2018 Uber Open Summit, Uber announced it was joining the Linux Foundation as a Gold Member, making a firm commitment to using and contributing to open source tools. TechCrunch reports: Uber CTO Thuan Pham sees the Linux Foundation as a place for companies like his to nurture and develop open source projects. "Open source technology is the backbone of many of Uber's core services and as we continue to mature, these solutions will become ever more important," he said in a blog post announcing the partnership. "Uber has made significant investments in shared software development and community collaboration through open source over the years, including contributing the popular open source project Jaeger, a distributed tracing system, to the Linux Foundation's Cloud Native Computing Foundation in 2017," an Uber spokesperson told TechCrunch. As the report mentions, it took the ride-hailing service a long time for them to join the Linux Foundation. "Uber has been long known for making use of open source in its core tools working on over 320 open source projects and repositories from 1500 contributors involving over 70,000 commits, according to data provided by the company," reports TechCrunch.
Businesses

Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com) 373

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

Microsoft

WLinux, the First Paid-for Linux Distro for Windows 10, Goes On Sale on Microsoft Store (techrepublic.com) 207

puddingebola shares a report: WLinux is a $20 open-source, Debian-based distribution, designed to run on Windows 10's Windows Subsystem for Linux (WSL). The WSL allows Windows 10 to run various GNU/Linux distros inside Windows as Microsoft Store apps, providing access to Ubuntu, openSUSE, Debian, Fedora, Kali Linux, and others. The WSL has disadvantages over running a dedicated GNU/Linux system. For example, there's no official support for desktop environments or graphical applications, and I/O performance bottlenecks, but it is being improved over time. The developers of WLinux describe it as a "fast Linux terminal environment for developers", saying it is the first distribution to be "pre-configured and optimized to run specifically on Windows Subsystem for Linux". Announcing WLinux's availability, Microsoft program manager Tara Raj, called out the wlinux-setup tool, "which allows users to easily set up common developer toolchains, and removes unsupported features like systemd."
Facebook

Facebook's GraphQL Gets Its Own Open-Source Foundation (techcrunch.com) 33

TechCrunch is reporting that GraphQL, the Facebook-incubated data query language, is moving into its own open-source foundation. "Like so many other similar open-source foundations, the aptly named GraphQL Foundation will be hosted by the Linux Foundation." From the report: Facebook announced GraphQL back in 2012 and open sourced it in 2015. Today, it's being used by companies that range from Airbnb to Audi, GitHub, Netflix, Shopify, Twitter and The New York Times. At Facebook itself, the GraphQL API powers billions of API calls every day. At its core, GraphQL is basically a language for querying databases from client-side applications and a set of specifications for how the API on the backend should present this data to the client. It presents an alternative to REST-based APIs and promises to offer developers more flexibility and the ability to write faster and more secure applications. Virtually every major programming language now supports it through a variety of libraries.

"GraphQL has redefined how developers work with APIs and client-server interactions. We look forward to working with the GraphQL community to become an independent foundation, draft their governance and continue to foster the growth and adoption of GraphQL," said Chris Aniszczyk, vice president of Developer Relations at the Linux Foundation. As Aniszczyk noted, the new foundation will have an open governance model, similar to that of other Linux Foundation projects. The exact details are still a work in progress, though. The list of founding members is also still in flux, but for now, it includes Airbnb, Apollo, Coursera, Elementl, Facebook, GitHub, Hasura, Prisma, Shopify and Twitter.

Microsoft

Microsoft Working on Porting Sysinternals To Linux (zdnet.com) 183

An anonymous reader writes: A Microsoft exec has confirmed yesterday that the company's engineers are working on porting the highly popular Sysinternals software package to Linux. Microsoft engineers have already ported the ProcDump utility and are currently working on porting ProcMon as well. More tools to follow.

Microsoft's decision to port this highly popular debugging utility to Linux comes after two months ago, in September, Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, revealed that "sometimes slightly over half of Azure VMs are Linux." With Linux's growing adoption as the preferred OS for running Azure VMs, it's only natural that Azure engineers are now looking into porting their favorite debugging utilities to Linux, for both themselves but also for the company's customers.

Open Source

How New, Polite Linus Torvalds Points Out Bad Kernel Code (phoronix.com) 370

Linus Torvalds "has shown already for the new Linux 4.20~5.0 cycle he isn't relaxing his standards but is communicating better when it comes to bringing up coding," reports Phoronix, adding "So far it looks like Linus' brief retreat is paying off with still addressing code quality issues -- and not blatantly accepting new code into the kernel as some feared -- but in doing so in a professional manner compared to his past manner of exclaiming himself over capitalized sentences and profanity that at times put him at odds with some in the Linux kernel community."

AmiMoJo quotes their report: Last Saturday he took issue with the HID pull request and its introduction of the BigBen game controller driver that was introduced: the developer enabled this new driver by default. Linus Torvalds has always frowned upon random new drivers being enabled by default in the kernel configuration driver. [H]e still voiced his opinion over this driver's default "Y" build configuration, but did so in a more professional manner than he has done in the past:

We do *not* enable new random drivers by default. And we most *definitely* don't do it when they are odd-ball ones that most people have never heard of.

Yet the new "BigBen Interactive" driver that was added this merge window did exactly that.

Just don't do it.

Yes, yes, every developer always thinks that _their_ driver is so special and so magically important that it should be enabled by default. But no. When we have thousands of drivers, we don't randomly pick one new driver to be enabled by default just because some developer thinks it is special. It's not.... Please don't do things like this.

Phoronix also describes another "kernel oops" testing Torvalds' patience, in which Linus responded tactfully that "What makes me *very* unhappy about this is that if I'm right, I think it means that code was literally not tested at all by anybody who didn't have one of the entries in that list."
Red Hat Software

Red Hat is Planning To Deprecate KDE on RHEL By 2024 (theregister.co.uk) 203

An anonymous reader shares a report: This week, the Linux distro biz emitted Fedora 29 and RHEL 7.6, and in the latter's changelog the following appears, which a Reg reader kindly just alerted us to: "KDE Plasma Workspaces (KDE), which has been provided as an alternative to the default GNOME desktop environment has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using KDE instead of the default GNOME desktop environment." In other words, if you're using RHEL on the desktop, at some point KDE will not be supported. As our tipster remarked: "Red Hat has never exactly been a massive supporter of KDE, but at least they shipped it and supported you using it."
Hardware

System76 Thelio Computer is Open Source, Linux-Powered, and Made in the USA (betanews.com) 139

System76 is ready to share specifics about its new computer. From a report: There are three models from which to choose, and all three can apparently be configured with Intel or AMD processors. This is refreshing news, as historically, System76 machines were an Intel-only affair. AMD has been more friendly to the Linux community over recent years, so I am happy to see System76 giving that option too.

1. Thelio (Up to 32GB RAM, 24TB storage) treks through tasks with ease despite its compact footprint.
2. Thelio Major (Up to 128GB RAM, 46TB storage) boasts stellar performance, allowing maximum configurability with up to 4 GPUs to tackle the most astronomical projects.
3. Thelio Massive (Up to 768GB of ECC Memory, 86TB storage) is the epitome of performance among workstations, offering maximum throughput and accuracy for demanding computational workloads.

Pricing starts at $1099.99, but that will obviously increase based on the specs you choose. Keep in mind, however, the computer will not ship until December.
Full specs in the story above. In a statement, the company said, "Thelio Systems are designed to be easily expandable, making personalizing the computer a tantalizingly easy process. Slip in drives, add memory, and upgrade graphics cards at will. Additionally, the open hardware design that Thelio is built upon allows the user to easily learn how their computer works and make modifications using this information. Customization is simple to ensure that the computer encompasses people's needs, as well as their personality."
Open Source

'Open Source Creators: Red Hat Got $34 Billion and You Got $0. Here's Why.' (tidelift.com) 236

Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't.

And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

Red Hat Software

Red Hat Enterprise Linux 7.6 Released (lwn.net) 53

Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology.

"TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."
