Security: Patches, Core Infrastructure Initiative (CII), Crypto AG, More Issues

Filed under
Linux
Security
  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (systemd and thunderbird), Debian (clamav, libgd2, php7.3, spamassassin, and webkit2gtk), Fedora (kernel, kernel-headers, and sway), Mageia (firefox, kernel-linus, mutt, python-pillow, sphinx, thunderbird, and webkit2), openSUSE (firefox, nextcloud, and thunderbird), Oracle (firefox and ksh), Red Hat (curl, java-1.7.0-openjdk, kernel, and ruby), Scientific Linux (firefox and ksh), SUSE (sudo and xen), and Ubuntu (clamav, php5, php7.0, php7.2, php7.3, postgresql-10, postgresql-11, and webkit2gtk).

  • The Linux Foundation and Harvard’s Lab for Innovation Science Release Census for Open Source Software Security

    The Linux Foundation’s Core Infrastructure Initiative (CII), a project that helps support best practices and the security of critical open source software projects, and the Laboratory for Innovation Science at Harvard (LISH), today announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.

    This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

    “The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation. “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software.”

  • [Attackers] are demanding nude photos to unlock files in a new ransomware scheme targeting women

    The malware doesn’t appear to be the first to demand explicit images: In 2017, security firm Kaspersky reported another type of ransomware that demanded nude photos in exchange for unlocking access to infected computers. In other cases, scammers on dating apps have requested nude photos from would-be suitors, then held them for ransom by threatening to leak the photos.

  • Alarming ‘Hidden’ Cyber Attack Leaves Millions Of Windows And Linux Systems Vulnerable [Ed: Misleading headline from decades-long Microsoft booster. This isn't an OS level issue.]

    Vulnerabilities that can be hidden away out of sight are amongst the most-coveted by cyber-criminals and spooks alike. That's why zero-day vulnerabilities are deemed so valuable, and cause so much high-level concern when they are exposed. It's also why the CIA secretly purchased an encryption equipment provider to be able to hide backdoors in the products and spy upon more than 100 governments.

    While we are almost accustomed to reading government warnings about vulnerabilities in the Windows operating system, Linux cybersecurity threat warnings are less common. Which is partly why this report on the hidden exploit threat within both Linux and Windows systems caught my eye. The Eclypsium researchers concentrated on unsigned firmware as this is a known attack vector, which can have devastating implications, yet one in which vendors have appeared to be slow taking seriously enough. The unsigned firmware in question was found in peripherals used in computers from Dell, Lenovo and HP as well as other major manufacturers. They also demonstrated a successful attack using a network interface card with, you guessed it, unsigned firmware that is used by the big three server manufacturers. "Despite previous in-the-wild attacks," the report said, "peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware."

    The truth is that, as far as cybersecurity is concerned, much of the defensive effort is focused on the operating system and applications. Hardly surprising, given these are the most visible attack surfaces. By not adding firmware into the threat prevention model, however, organizations are leaving a gaping hole just waiting to be filled by threat actors. "This could lead to implanted backdoors, network traffic sniffing, data exfiltration, and more," says Katie Teitler, a senior analyst at TAG Cyber. "Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch," she says, "best practice is to deploy automated scanning for vulnerabilities and misconfigurations at the component level, and continuously monitor for new issues or exploits."

  • The Week in Internet News: CIA Had Encryption Backdoor for Decades

    The U.S. CIA secretly had an ownership stake in Swiss encryption company Crypto AG for decades and was able to read encrypted messages sent using the company’s technology, the Washington Post reports. West German intelligence agencies worked with the CIA. Forbes columnist Jody Westby called for a congressional investigation.

  • Insights from Avast/Jumpshot data: Pitfalls of data anonymization

    There has been a surprising development after my previous article on the topic, Avast having announced that they will terminate Jumpshot and stop selling users’ data. That’s not the end of the story however, with the Czech Office for Personal Data Protection starting an investigation into Avast’s practices. I’m very curious to see whether this investigation will confirm Avast’s claims that they were always fully compliant with the GDPR requirements. For my part, I now got a glimpse of what the Jumpshot data actually looks like. And I learned that I massively overestimated Avast’s success when anonymizing this data.

    [...]

    The data I saw was an example that Jumpshot provided to potential customers: an excerpt of real data for one week of 2019. Each record included an exact timestamp (millisecond precision), a persistent user identifier, the platform used (desktop or mobile, which browser), the approximate geographic location (country, city and ZIP code derived from the user’s IP address), and a guess at the user’s gender and age group.

    What it didn’t contain was “every click, on every site.” This data sample didn’t belong to the “All Clicks Feed” which has received much media attention. Instead, it was the “Limited Insights Pro Feed” which is supposed to merely cover users’ shopping behavior: which products they looked at, what they added to the cart and whether they completed the order. All of that limited to shopping sites and grouped by country (Germany, UK and USA) as well as product category such as Shoes or Men’s Clothing.

    This doesn’t sound like there would be all too much personal data? But there is, thanks to a “referrer” field being there. This one is supposed to indicate how the user came to the shopping site, e.g. from a Google search page or by clicking an ad on another website. Given the detailed information collected by Avast, determining this referrer website should have been easy – yet Avast somehow failed this task. And so the supposed referrer is typically a completely unrelated random web page that this user visited, and sometimes not even a page but an image or JSON data.

    If you extract a list of these referrers (which I did), you see news that people read, their web mail sessions, search queries completely unrelated to shopping, and of course porn. You get a glimpse into what porn sites are most popular, what people watch there and even what they search for. For each user, the “limited insights” actually contain a tiny slice of their entire browsing behavior. Over the course of a week this exposed way too much information on some users however, and Jumpshot customers watching users over longer periods of time could learn a lot about each user even without the “All Clicks Feed.”
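The linkage described in the post above, worked through on a constructed sample (this is an added example, not code from the original post and not Avast's or Jumpshot's own data or tooling). The column layout is an assumption modelled on the fields the post lists; every host name, identifier and record is made up. It shows the two pitfalls the post describes: a persistent identifier joins all of one user's records, so the stray "referrer" values hand over a slice of that user's browsing (including search terms), and it goes one step beyond the post by measuring k-anonymity of the demographic columns to show that the pseudonym itself is easy to tie to a person.

```python
import csv
from collections import defaultdict
from io import StringIO
from urllib.parse import parse_qs, urlsplit

# Constructed sample standing in for one week of a "Limited Insights"-style
# feed. The column layout is an assumption modelled on the fields the post
# lists (millisecond timestamp, persistent identifier, platform, IP-derived
# geography, guessed demographics, shopping event, unreliable referrer).
# Every host name and identifier below is made up for this example.
FEED = """\
ts_ms,device_id,platform,country,city,zip,gender,age,event,category,referrer
1557270000123,d1,desktop-chrome,DE,Berlin,10115,m,25-34,view,Shoes,https://mail.example.net/inbox?folder=work
1557356400456,d1,desktop-chrome,DE,Berlin,10115,m,25-34,add_to_cart,Shoes,https://www.example-news.de/politik/article-1234
1557442800789,d1,desktop-chrome,DE,Berlin,10115,m,25-34,view,Men's Clothing,https://search.example.com/?q=lawyer+divorce+berlin
1557529200012,d1,desktop-chrome,DE,Berlin,10115,m,25-34,view,Shoes,https://adult-site.example/video/987
1557270100345,d2,mobile-safari,UK,London,SW1A,f,35-44,view,Shoes,https://bank.example.co.uk/accounts/statement.json
1557356500678,d2,mobile-safari,UK,London,SW1A,f,35-44,order,Shoes,https://www.example-health.uk/appointments/oncology
1557270200901,d3,desktop-firefox,US,Austin,78701,m,45-54,view,Men's Clothing,https://cdn.example-shop.com/img/banner.png
1557356600234,d3,desktop-firefox,US,Austin,78701,m,45-54,view,Men's Clothing,https://www.example-shop.com/category/shirts
"""

# Hosts of the shopping sites the feed is supposed to be limited to (assumed).
SHOP_HOSTS = {"www.example-shop.com", "cdn.example-shop.com"}
# Columns that do not identify a user directly but narrow them down a lot.
QUASI_IDENTIFIERS = ("country", "city", "zip", "gender", "age")


def load_records(text=FEED):
    """Parse the feed into one dict per record."""
    return list(csv.DictReader(StringIO(text)))


def referrer_host(url):
    """Host name of a referrer URL, or '' when the field is not a URL."""
    return urlsplit(url).hostname or ""


def browsing_profile(records):
    """device_id -> sorted list of non-shopping hosts seen in its referrers.

    The persistent identifier joins every record of one user, so even a feed
    limited to shopping events exposes webmail, news, search, banking, health
    and porn sites that user visited during the week.
    """
    hosts = defaultdict(set)
    for r in records:
        host = referrer_host(r["referrer"])
        if host and host not in SHOP_HOSTS:
            hosts[r["device_id"]].add(host)
    return {uid: sorted(h) for uid, h in hosts.items()}


def leaked_search_queries(records):
    """device_id -> search terms recovered from 'q=' parameters in referrers."""
    queries = defaultdict(list)
    for r in records:
        for q in parse_qs(urlsplit(r["referrer"]).query).get("q", []):
            queries[r["device_id"]].append(q)
    return dict(queries)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest number of distinct users sharing one quasi-identifier tuple.

    k == 1 means some combination of country/city/ZIP/gender/age group maps
    to exactly one pseudonym: anyone who knows those facts about a person
    can pick out that person's whole record stream.
    """
    users = defaultdict(set)
    for r in records:
        users[tuple(r[q] for q in quasi)].add(r["device_id"])
    return min(len(u) for u in users.values())


if __name__ == "__main__":
    recs = load_records()
    for uid, hosts in browsing_profile(recs).items():
        print(uid, "visited:", ", ".join(hosts))
    print("leaked search queries:", leaked_search_queries(recs))
    print("k-anonymity of demographic columns:", k_anonymity(recs))
```

The check that matters is `k_anonymity`: a persistent identifier is only as anonymous as the smallest group of people who share its side columns, and with ZIP code, gender and age group in every record that group is usually one person. Dropping the referrer field alone would not fix that.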

  • Byos Cautions RSA Conference 2020 Attendees, Travelers and General Public to “Dirty Half-Dozen” Public Wi-Fi Risks

    Byos, Inc., an endpoint security company focused on the concept of Endpoint Microsegmentation through Hardware-Enforced Isolation, recommends caution to attendees of major conferences and events such as the RSA Conference 2020, a leading cybersecurity conference in San Francisco, February 24-28, and to travelers in general about the risks of free Wi-Fi. Many attendees will access the Internet via multiple free Wi-Fi connection points at hotels, airports, coffee shops and the conference itself, and every free Wi-Fi access point presents security risks for users that Byos calls “The Dirty Half-Dozen.”

    [...]

    The Dirty Half-Dozen risks are:

    Scanning, enumerating, and fingerprinting
    Eavesdropping
    Evil-Twin Wi-Fi
    Exploits
    Lateral network infections
    DNS hijacking

The Linux Foundation identifies most important open-source...

  • The Linux Foundation identifies most important open-source software components and their problems

    Red Hat recently reported open-source software now dominates the enterprise. Actually, it does more than that. Another older study found open-source software makes up 80% to 90% of all software. You may not know that, because many of these programs are built on deeply buried open-source components. Now, The Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have revealed -- in "Vulnerabilities in the Core, a preliminary report and Census II of open-source software" -- the most frequently used components and the vulnerabilities they share.

The Linux Foundation reveals the most commonly open-source

  • The Linux Foundation reveals the most commonly open-source software components

    The Linux Foundation is addressing structural and security complexities in today’s modern software supply chains with the release of the ‘Vulnerabilities in the Core,’ a preliminary report and census II of open-source software.

    The report was put together by the Linux Foundation’s Core Infrastructure Initiative and the Laboratory for Innovation Science at Harvard (LISH).

LWN's mention of it

The Trouble with Free and Open Source Software

  • The Trouble with Free and Open Source Software

    Insecure developer accounts, legacy software, and nonstandard naming schemes are major problems, Linux Foundation and Harvard study concludes.

    A wide-ranging study by researchers at the Linux Foundation and the Laboratory for Innovation Science at Harvard has yielded vital new information on the most widely used free and open source software (FOSS) within enterprises — and potential security risks related to that use.

    The researchers found that a lack of a standardized naming scheme for FOSS components has made it hard for organizations and other stakeholders to quickly and precisely identify questionable or vulnerable components.

    They also discovered that accounts belonging to developers contributing most actively to some of the most widely deployed open source software need to be secured much better. A third finding was that legacy packages within the open source space are becoming riskier by the day, just like any other older hardware or software technology.

    "FOSS components underpin nearly all other software out there — both open and proprietary — but we know so little about which ones might be the most widely used and most vulnerable," says Frank Nagle, professor at Harvard Business School and co-author of the report. "Given the estimated economic impact of FOSS, far too little attention is paid to systematic efforts to support and maintain this core infrastructure," he says.

    For the study, the researchers from the Linux Foundation and Harvard analyzed enterprise software usage data provided by, among others, software composition analysis firms and application security companies such as Snyk and the Synopsys Cybersecurity Research Center. In trying to identify the most widely used open source software, the researchers considered all of the dependencies that might exist between a FOSS package or component and other enterprise applications and systems.

Linux Foundation Works With -- and For -- Microsoft Proxies

Linux Foundation study throws the open source sustainability

  • Linux Foundation study throws the open source sustainability debate into question

    Open source developers, it turns out, tend to be well paid. That's one possible conclusion to be drawn from a recent Linux Foundation report (PDF), which found that over 75% of the top maintainers for the 200 most active open source projects are paid to work on open source full or part-time. This isn't a new development (I wrote about it back in 2008), but it bears repeating since we are apparently in the midst of an open source sustainability crisis (again).

    As Luis Villa has suggested, "getting paid" isn't the same thing as "comfortable work," which can lead to burnout. But it does suggest we may need to approach the conversation with more data and less hand waving.

Census For Open Source Software Security Released

  • Census For Open Source Software Security Released

    “The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation.

    “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software,” Zemlin added.

Top 10 Most Used Open Source Software: Linux Foundation Report

  • Top 10 Most Used Open Source Software: Linux Foundation Report

    Accounting for 80-90 percent of all software, the Free and Open Source Software (FOSS) ecosystem is booming, with heavy dependency usage by companies in every sector.

    Accordingly, The Linux Foundation’s Core Infrastructure Initiative (CII) in collaboration with Harvard’s Lab for Innovation Science has released a census report titled “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software.”

Linux Foundation in 2020 still amplifies stigma that FOSS is bad

  • 7 of the World’s Top 10 Open Source Packages Come with This Warning

    “Changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection”

    Of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts, the Linux Foundation’s Core Infrastructure Initiative has warned, saying this could pose a security risk to code at the heart of the global economy.

    The finding came as the CII delivered the first major census of the free and open source software (FOSS) components that are most widely used in production applications.

  • The great big open-source census: Most-used libraries revealed – plus 10 things developers should be doing to keep their code secure

    With modern applications now composed of 80 to 90 per cent Free and Open Source Software (FOSS), the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) on Wednesday published their second open-source census to promote better security and code management practices.

    The first such report appeared in 2015, and focused on enumerating critical components in the Debian GNU/Linux distribution. The latest one, "Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software," examines the most commonly used FOSS packages in production applications with an eye toward potential vulnerabilities so organizations can develop better management and security tools.

"Linux Foundation’s recipe for security disaster"

  • Individual accounts, missing naming standards, and legacy – Linux Foundation’s recipe for security disaster [Ed: Another new example of Linux Foundation (LF) speaking against FOSS on behalf of companies like Snyk that work for Microsoft and sell proprietary software. LF: Join Microsoft GitHub today and pay Black Duck/Snyk for their proprietary software for 'security' (they pay us to market them).]

    The Linux Foundation has, together with Harvard’s Lab for Innovation Science, released its second go at a FOSS census, attempting to identify the most used open source components and their potential vulnerabilities.

    The preliminary report titled “Vulnerabilities at the core” is a product of the foundation’s Core Infrastructure Initiative, which was started in 2014 in the wake of an OpenSSL security bug, which had an impact on about half a million secure web servers. Members of the CII now provide funding and support for critical open source infrastructure projects in the hopes of preventing a rerun of the so-called Heartbleed vulnerability.

Harvard as FUD vendor for proprietary software companies

  • Linux Foundation & Harvard carry out open source ‘security census’

    The Linux Foundation’s Core Infrastructure Initiative (CII) is a project designed to support best practices with a key eye on the security of critical open source software projects.

    The CII team has this month worked with the Laboratory for Innovation Science at Harvard (LISH).

  • The Linux Foundation and Harvard’s Lab for Innovation Science Release Census for Open Source Software Security

    The Linux Foundation’s Core Infrastructure Initiative (CII), a project that helps support best practices and the security of critical open source software projects, and the Laboratory for Innovation Science at Harvard (LISH), today announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.

    This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

Linux and LISH release census for open source security

  • Linux and LISH release census for open source security

    The Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH), announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.

    This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern-day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open-source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

"Key Lessons from a Major Open Source Census"

  • Vulnerabilities in the Core: Key Lessons from a Major Open Source Census

    A major new Open Source census has identified the Top 20 most commonly used free and open source software (FOSS) components in production applications.

    The Linux Foundation/ Laboratory for Innovation Science at Harvard (LISH) “Census II” report, published this week, represents what it describes as the “first steps toward addressing the structural issues that threaten the FOSS ecosystem.”

More bad press

  • What Are The Most Common Issues With Free Open Source Software?

    Free and Open Source Software (FOSS) has become a prominent aspect of the new age global economy. It has been analysed that FOSS makes up about 80-90% of any particular piece of today’s software. It is to be noted that software is an increasingly-critical resource in almost all businesses, both public and private. But, there are many issues with FOSS, according to the Linux Foundation.

    The Linux Foundation established the Core Infrastructure Initiative (CII) in 2014 as a part of which its members gave funding and support for FOSS projects, which are important to worldwide data and information infrastructure. In 2015, CII finished the Census Project (“Census I”) to find out which software packages in the Debian Linux distribution had been the most important to the kernel’s overall security.

    While the Census I project emphasised analysing the Linux kernel distribution packages, it did not go deep into which software was utilised in production applications. That’s where Census II comes in.

LF as Spokesperson of Foes of FOSS

  • Linux Foundation and LISH publish latest open-source census with suggestions to boost security

    The latest open-source census has been published by the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) with some interesting observations.

    Now in its second edition, the census examines the current state of open-source software. The latest report, catchily titled “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software," focuses on common Free and Open Source Software (FOSS) used in production applications.

Linux Foundation 'research' still in 'the news'

  • The Elements And Benefits Of Open-Source Compliance [Ed: Linux Foundation 'research' is an attack on Free software. It's like it's run for Microsoft, Oracle etc.]

    The goal of the Linux Foundation’s OpenChain Project, and the specification it maintains, is to promote predictability and uniformity in the management of open source. The project also aims to create consistency in how critical open-source compliance information is collected and retained so that it may be properly communicated to others. The specification is gaining momentum and will likely be adopted by the International Organization for Standardization by mid-2020. With open-source use on the rise and more and more demanding proof of compliance becoming mainstream, this is a perfect time to reevaluate how you address compliance. But first, let’s explore....

More in Tux Machines

today's leftovers

  • Linux Magazine Celebrates 20 Years

    With Issue 240, Linux Magazine is celebrating its 20th year of print publication. Given the transformations that have taken place in Linux, open source, and in publishing during the past 20 years, this is a remarkable achievement. Reflecting on these changes, Linux Magazine editor-in-chief Joe Casad said, “I’m struck by how much Linux has changed since I started this job—and how much the publishing industry has itself remained in a perpetual state of reinvention. It is one thing when the subject of the magazine is continually transforming—and quite another when the very context in which you operate is a moving target.” [...] Linux Magazine has weathered the various industry shifts with consistency of vision and a small, dedicated workforce. Casad credits the internationally distributed team of professionals, “who stay calm under pressure and show up every day with ideas and good energy,” with much of the magazine’s long-running success.

  • Security updates for Thursday

    Security updates have been issued by Fedora (firefox, libproxy, mbedtls, samba, and zeromq), openSUSE (chromium and virtualbox), Red Hat (firefox and kernel), SUSE (cifs-utils, conmon, fuse-overlayfs, libcontainers-common, podman, libcdio, python-pip, samba, and wavpack), and Ubuntu (rdflib). 

  • LibreOffice Documentation Team Status

    While this progress in shortened documentation development time is fairly good, it can be substantially improved by having more contributors on the team. It would be terrific if all contributors were skilled technical writers, but in reality anyone with a reasonable command of the English language and an eye for detail can make a valuable contribution. No contributor is expected to rewrite entire guide books, although some of our most experienced, long term contributors do exactly that. In fact nothing is expected or demanded of any contributor, other than to let other members of the team know what they have chosen to work on. In some cases that might be to update a chapter of an existing guide, or reviewing the work of another team member. Reviewing can take the form of proof reading, or researching the accuracy of the guide information in relation to the software’s actual operation. Identifying yourself as a Docs Team contributor does not mean you are making any permanent or long term commitment; many contributors come and go over long periods according to the demands of their “real” life.

  • Mozilla VR Blog: Firefox Reality 12

    The latest version of Firefox Reality for standalone VR headsets brings a host of long-awaited features we're excited to reveal, as well as improved stability and performance. [...] Look for Firefox Reality 12 available now in the HTC, Pico and Oculus stores. This feature-packed release of Firefox Reality will be the last major feature release for a while as we gear up for a deeper investment in Hubs. But not to worry! Firefox Reality will still be well supported and maintained on your favorite standalone VR platform.

  • Daniel Stenberg: everything curl five years

    At the time of that blog post, the book was already at 13,000 words and 115 written subsections. I still had that naive hope that I would have it nearly “complete” by the summer of 2016. Always the optimist. Today, the book is at over 72,000 words with content in 600 subsections – with just 21 subtitles noted “TBD” to signal that there’s still content to add there. The PDF version of it now clocks in at over 400 pages. I’ve come to realize and accept that it will never be “complete” and that we will just keep on working on it indefinitely since curl itself keeps changing and we keep improving and expanding texts in the book.

  • Amazon announces 'Luna', their own take on cloud game streaming

    Amazon Luna will give you access to certain Channels of games which you subscribe to. The first two announced are Amazon's own Luna+ to get access to a "growing" library and Ubisoft are also confirmed to have their own subscription channel coming to it too. The Luna+ subscription will have 100s of games from big names too like Resident Evil 7, Control, The Surge 2, A Plague Tale: Innocence and a great many more. By the time it launches, it's going to have quite a full library already.

  • How to Install Discord on Ubuntu & Linux Mint (GUI & CLI)

  • Granulate Applies AI to Linux Server Optimization

    Granulate today announced that a platform that leverages machine learning algorithms to optimize Linux server environments running on-premises or in the cloud is now generally available. [...] According to the company, more than 40,000 instances of gAgent have already been deployed by IT teams at PicsArt, Perion, AppsFlyer and Coralogix.

Programming Leftovers

  • In a world where up is down, it's heartwarming to know Internet Explorer still tops list of web dev pain points

    Web developers resent having to deal with Microsoft Internet Explorer and Apple Safari, which they cite among their top three pain points, alongside layout and styling inconsistencies among browsers. This finding comes from the Mozilla Developer Network's 2020 Browser Compatibility Report [PDF], a survey of web development concerns culled from 1,429 responses out of 3,236 – the remainder having been tossed for invalid or missing data. The purpose of the report is to alert the browser vendors to problems so they can be addressed.

  • chemfp's chemistry toolkit I/O API

    This is part of a series of essays about working with SD files at the record and simple text level. In the last two essays I showed examples of using chemfp to process SDF records and to read two record data items. In this essay I'll introduce chemfp's chemistry toolkit I/O API, which I developed to have a consistent way to handle structure input and output when working with the OEChem, RDKit, and Open Babel toolkits.

  • 10 Things We Picked Up From Code Reviewing

    Ever wondered what you could learn from a code review?

  • Mike Driscoll: CodingNomads Tech Talk Series!

    Recently CodingNomads invited me on their Tech Talk series. CodingNomads does online code camps for Python and Java. The Tech Talks are a series of videos that teach or talk about tech. In my case, I got to talk about my favorite programming language, Python!

  • Arm Begins Bringing Up Neoverse N2, Neoverse V1 Support In The GNU Toolchain

    It was just a few days ago that Arm outlined the Neoverse N2 "Perseus" design as a follow-on to the Neoverse N1 and coming concurrently to the next-generation Cortex-A. Now the company has already jumped on beginning their open-source/Linux enablement work around the Neoverse N2. There haven't been any Neoverse N2 additions yet to LLVM/Clang or GCC, as the most interesting aspects there would reveal any new instruction set extensions / capabilities not yet formally announced by Arm (there also aren't any patches out under review on that front either), but a patch out this morning adds Neoverse N2 support to the GNU Assembler (Gas).

  • autoconf-2.69c released [beta]

    We are pleased to announce beta release 2.69c of GNU Autoconf.
    
    This release includes two months of bug fixes since the previous beta,
    2.68b, and eight years of development work since the previous full
    release, 2.69.  See below for the list of significant changes since
    the previous beta.  See the NEWS file for a complete list of
    significant changes since 2.69.
    
    We tentatively plan to make the final release of Autoconf 2.70 at the
    end of October 2020.  Please test this beta with your autoconf
    scripts, and report any problems you find to the Savannah bug tracker:
    
       https://savannah.gnu.org/support/?func=additem&group=autoconf
    
    Please also send general comments and feedback to <autoconf@gnu.org>.
    
    Please also spread this announcement widely, so that as many Autoconf
    users as possible hear about it.
    
    Here are the compressed sources:
      https://alpha.gnu.org/gnu/autoconf/autoconf-2.69c.tar.gz   (2.0MB)
      https://alpha.gnu.org/gnu/autoconf/autoconf-2.69c.tar.xz   (1.3MB)
    
    Here are the GPG detached signatures[*]:
      https://alpha.gnu.org/gnu/autoconf/autoconf-2.69c.tar.gz.sig
      https://alpha.gnu.org/gnu/autoconf/autoconf-2.69c.tar.xz.sig
    
    Use a mirror for higher download bandwidth:
      https://www.gnu.org/order/ftp.html
    
    [*] Use a .sig file to verify that the corresponding file (without the
    .sig suffix) is intact.  First, be sure to download both the .sig file
    and the corresponding tarball.  Then, run a command like this:
    
      gpg --verify autoconf-2.69c.tar.gz.sig
    
    If that command fails because you don't have the required public key,
    then run this command to import it:
    
      gpg --keyserver keys.gnupg.net --recv-keys 384F8E68AC65B0D5
    
    and rerun the 'gpg --verify' command.
    
    This release was bootstrapped with the following tools:
      Automake 1.16.2
    
    Noteworthy changes and bug fixes since the previous beta (2.69b):
    
    * A performance regression in AC_PROG_CXX has been corrected.
      See https://savannah.gnu.org/support/index.php?110285 for details.
    
    * AC_PROG_YACC has been reverted to using ‘bison -y’.  After 2.70,
      we will instead add an AC_PROG_BISON macro for programs that
      require Bison extensions.
      See https://savannah.gnu.org/support/index.php?110266 for details.
    
    * AC_PROG_LEX no longer looks for a library providing the function
      ‘yywrap’.  LEXLIB will only be set to ‘-lfl’ or ‘-ll’ if a
      scanner that defines both ‘main’ and ‘yywrap’ itself still needs
      something else from that library.
    
      Packages should define yywrap themselves, or use %noyywrap.
    
    * When ‘$CC -E’ doesn’t run the C preprocessor, AC_PROG_CPP now looks
      in $PATH for ‘cpp’ before falling back to ‘/lib/cpp’.
    
    * AC_TYPE_PID_T now gives pid_t the correct definition on 64-bit
      native Microsoft Windows.
    
    * AC_INIT now trims extra white space from its arguments.  For instance,
    
        AC_INIT([  GNU  Hello  ], [1.0])
    
      will set PACKAGE_NAME to “GNU Hello”.
    
    * autoreconf will now run gtkdocize and intltoolize when appropriate.
    
    * autoreconf now avoids complaints from subsidiary tools about
      unknown warning categories.  For example, ‘autoreconf -Wcross’
      will no longer cause complaints from (current released versions of)
      aclocal and automake.
    
    * Generated configure scripts no longer fail catastrophically when
      stdin, stdout, or stderr is closed on startup.
    
    * Many bugs related to building Autoconf itself have been corrected.
      These mostly affected non-GNU operating systems and situations where
      optional tools are not available.
    
    * The obsolete macros AC_DIAGNOSE, AC_FATAL, AC_WARNING, and
      _AC_COMPUTE_INT are now replaced with modern equivalents by
      autoupdate.
    
    * The macro AC_OBSOLETE is obsolete.  Autoupdate will replace it with
      m4_warn([obsolete], [explanation]).  If possible, macros using
      AC_OBSOLETE should be converted to use AU_DEFUN or AU_ALIAS instead,
      which enables autoupdate to replace them, but this has to be done by
      hand and is not always possible.
    
    * AC_FC_LINE_LENGTH now documents the maximum portable length of
      "unlimited" Fortran source code lines to be 250 columns, not 254.
    
    * Warnings about obsolete constructs are now on by default.
      They can be turned off with '-Wno-obsolete'.
    
    * autoconf will now issue warnings (in the ‘syntax’ category) if the
      input file is missing a call to AC_INIT and/or AC_OUTPUT.
    
    * AC_INIT will now issue warnings (in the “syntax” category) for a
      non-literal URL argument, and for a TARNAME argument which is either
      non-literal or contains characters that should not be used in file
      names (e.g. ‘*’).
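The verification step quoted in the announcement relies on `gpg --verify`, which exits 0 for any signature that checks out against a key in the keyring, including one fetched from a keyserver moments earlier and never vetted. The following Python helper is an added example, not part of the Autoconf announcement or GNU's own tooling: it parses gpg's machine-readable `--status-fd` lines and accepts only a VALIDSIG whose fingerprint ends in the expected 64-bit key ID (the key ID from the announcement, 384F8E68AC65B0D5, is what you would pass as `expected_keyid`). The sample status output and the fingerprint in it are constructed for the example and are not the real Autoconf signing key.

```python
"""Decide whether a detached GPG signature is acceptable from gpg's status lines.

Added example, not from the Autoconf announcement. `gpg --verify` returns 0 for
any good signature from any key in the keyring, so a script should require a
VALIDSIG line whose fingerprint ends in the key ID it expects (for v4 keys the
64-bit key ID is the low 16 hex digits of the fingerprint).
"""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class SigResult:
    ok: bool
    reason: str
    fingerprint: str = ""


# Lines emitted by `gpg --status-fd <fd>`; the format is documented in
# GnuPG's doc/DETAILS. Only the tags this check cares about are handled.
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def check_status(status_text: str, expected_keyid: str) -> SigResult:
    """Parse gpg --status-fd output and accept only a VALIDSIG from expected_keyid."""
    expected = expected_keyid.upper()
    saw_bad = saw_nokey = False
    valid_fpr = None
    for line in status_text.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue
        tag, rest = m.group(1), (m.group(2) or "")
        if tag == "BADSIG":                      # signature does not match the file
            saw_bad = True
        elif tag in ("NO_PUBKEY", "ERRSIG"):     # signer's key is not in the keyring
            saw_nokey = True
        elif tag == "VALIDSIG":                  # first field is the full fingerprint
            valid_fpr = rest.split()[0].upper()
    if saw_bad:
        return SigResult(False, "BADSIG: tarball or signature was modified")
    if valid_fpr is None:
        if saw_nokey:
            return SigResult(False, "signing key not in keyring; import it first")
        return SigResult(False, "no VALIDSIG line")
    if not valid_fpr.endswith(expected):
        return SigResult(False, f"signed by unexpected key {valid_fpr}", valid_fpr)
    return SigResult(True, "valid signature from expected key", valid_fpr)


def verify_tarball(tarball: str, expected_keyid: str) -> SigResult:
    """Run gpg on <tarball>.sig and apply check_status. Needs gpg on PATH."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", tarball + ".sig", tarball],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout, expected_keyid)


# Constructed status output for demonstration. The fingerprint and key ID are
# placeholders, not the Autoconf maintainers' key.
PLACEHOLDER_KEYID = "0123456789ABCDEF"
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2020-09-01 1598918400 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
NOKEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1598918400 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("nokey", NOKEY_STATUS), ("bad", BAD_STATUS)):
        print(name, check_status(status, PLACEHOLDER_KEYID))
```

Note that GOOD_STATUS carries a TRUST_UNDEFINED line: gpg still reports the signature as good and exits 0 in that case, which is exactly why the check keys on the fingerprint rather than the exit status. The key ID you compare against should come from a source you already trust (a previous release's keyring, the project's documentation), not from the same keyserver lookup that fetched the key.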
    

JDK 16: What’s coming in Java 16

Although not due to arrive until March 2021, Java Development Kit (JDK) 16 has begun to take shape, with proposed features including concurrent thread-stack processing for garbage collection, support for C++ 14 language features, and an “elastic metaspace” capability to more quickly return unused class metadata memory to the OS. JDK 16 will be the reference implementation of the version of standard Java set to follow JDK 15, which arrived September 15. The six-month release cadence for standard Java would have JDK 16 arriving next March.

Linux Kernel Latest Developments and New Linux Foundation Report

  • AMD Ryzen 9 3900XT CPUFreq Governor Comparison With Linux 5.9

    One of the most frequent questions received at Phoronix in recent times is whether the "schedutil" governor is ready for widespread use and if it can compare in performance to, well, the "performance" governor on AMD Linux systems. Here are some benchmarks of an AMD Ryzen 9 3900XT using the latest Linux 5.9 development kernel in looking at the performance differences between the CPUFreq governor options of Ondemand, Powersave, Performance, and Schedutil.

  • Intel Engineers Begin Landing Open-Source Support For TDX, Intel Key Locker

    Last month Intel published a whitepaper on TDX, Trust Domain Extensions, as a means of better securing virtual machines. TDX allows for isolating VMs from the hypervisor and other non-VMM system software. Intel TDX builds off other recent work around MKTME memory encryption and other features. We are now beginning to see that software-side support roll out, along with support for the also-new Key Locker instructions.

  • HPE Preparing SGI UV5 Support For The Linux Kernel

    Recent hardware enablement work on the Linux kernel has HPE bringing up UV5 support. Succeeding the SGI UV4 is UV5, now under the ownership of HPE. UV5 is the latest iteration of their x86_64-based supercomputer architecture.

  • Linux 5.10 To Support Nitro Enclaves For Security-Critical Applications

    The kernel support for Nitro Enclaves landed this week in char-misc-next ahead of the Linux 5.10 cycle kicking off next month. Nitro Enclaves is a capability of Amazon AWS' EC2 cloud for protecting highly sensitive data. Nitro Enclaves provide additional isolation and security by punting the sensitive work/data off to an isolated virtual machine without persistent storage access and other reductions to possible attack surfaces while also providing cryptographic attestation for ensuring only trusted/authorized code is running.

  • Linux Foundation Adds Entry-Level Certification

    The Linux Foundation has announced the development of a new entry-level certification exam to complement their existing Linux Foundation Certified Sysadmin (LFCS) and Linux Foundation Certified Engineer (LFCE) exams. This new certification, the Linux Foundation Certified IT Associate (LFCA), targets people just moving into systems administration.

  • How open-source software transformed the business world [Ed: Today ZDNet deletes GNU and Free software from history, citing this 'report' from LF (made using proprietary software)]

    The Linux Foundation goes into many examples, but I'm going to focus on telecommunications and networking since it's a field I know well. 

  • Software-defined vertical industries: transformation through open source

    What do some of the world’s largest, most regulated, complex, centuries-old industries such as banking, telecommunications, and energy have in common with rapid development, bleeding-edge innovative, creative industries such as the motion pictures industry? They’re all dependent on open source software.  That would be a great answer and correct, but it doesn’t tell the whole story. A complete answer is these industries not only depend on open source, but they’re building open source into the fabric of their R&D and development models. They are all dependent on the speed of innovation that collaborating in open source enables.