The Free Software Foundation (FSF), a Massachusetts 501(c)(3) charity with a worldwide mission to protect and promote computer-user freedom, seeks a motivated and organized Boston-based individual to be our full-time operations assistant. Reporting to the executive director, this position works on the operations team to ensure all administrative, office, and retail functions of the FSF run smoothly and efficiently, preserving our 4-star Charity Navigator rating and boosting all areas of our work.

We already know that Copilot as it stands is unacceptable and unjust, from our perspective. It requires running software that is not free/libre (Visual Studio, or parts of Visual Studio Code), and Copilot is Service as a Software Substitute. These are settled questions as far as we are concerned.

Your editor has worked in the computing field for rather longer than he cares to admit; for all of that time it has been said that a day will come when all that tedious programming work will no longer be necessary. Instead, we'll just say what we want and the computer will figure it out. Arguably, the announcement of GitHub Copilot takes us another step in that direction. On the way, though, it raises some interesting questions about copyright and free-software licensing. Copilot is a machine-learning system that generates code. Given the beginning of a function or data-structure definition, it attempts to fill in the rest; it can also work from a comment describing the desired functionality. If one believes the testimonials on the Copilot site, it can do a miraculous job of figuring out the developer's intent and providing the needed code. It promises to take some of the grunge work out of development and increase developer productivity. Of course, it can happily generate security vulnerabilities; it also uploads the code you're working on and remembers if you took its suggestions, but that's the world we've built for ourselves. Machine-learning systems, of course, must be trained on large amounts of data. Happily for GitHub, it just happens to be sitting on a massive pile of code, most of which is under free-software licenses. So the company duly used the code in the publicly available repositories it hosts to train this model; evidently private repositories were not used for this purpose. For now, the result is available as a restricted beta offering; the company plans to turn it into a commercial product going forward.

Jonathan Bennett, Dan Lynch and Katherine Druckman join Doc Searls in a roundtable discussion of open source. QR codes are used as fishhooks for tracking. How can this be stopped? Then there's the report of "death of open source" which is wrong (again), rights to make and repair, and much more. Great discussions on FLOSS Weekly.

I've said it countless times but I really don't care about Native Linux Gaming and Valve has been showing recently that they may not care either and that's a good thing, I don't think developers will start releasing Linux binaries anytime soon and translation layers like Proton work exceptionally well.

Security Leftovers [JumpCloud] Recent Linux Releases: Desktop MFA & Security Commands Operating system diversity is a defining characteristic of today’s IT environments. Windows may have dominated historically, but enterprise Mac management has evolved in a meaningful way and Linux distributions have become a critical part of IT infrastructure. Cross-OS device management is here to stay, and presents a unique challenge for IT admins. Linux in particular can be a complex beast to manage because unlike MacOS and Windows, it is not a proprietary OS and can be found across multiple distros. There are many benefits to this openness however, including cost, interoperability, and flexibility. These factors, and more, have led to a strong Linux following among its community of users. With an increasing number of employee workstations running a wide variety of Linux distros, administrators need a way to increase visibility into their fleets, and improve the management of not only Linux systems, but Mac and Windows as well. IT admins can use the JumpCloud Directory Platform to comprehensively accomplish these tasks, thanks to the recent Linux releases detailed in this article.

Mozilla Security Blog: Making Client Certificates Available By Default in Firefox 90 Starting with version 90, Firefox will automatically find and offer to use client authentication certificates provided by the operating system on macOS and Windows. This security and usability improvement has been available in Firefox since version 75, but previously end users had to manually enable it. When a web browser negotiates a secure connection with a website, the web server sends a certificate to the browser to prove its identity. Some websites (most commonly corporate authentication systems) request that the browser sends a certificate back to it as well, so that the website visitor can prove their identity to the website (similar to logging in with a username and password). This is sometimes called “mutual authentication”.

The Sequoia seq_file vulnerability A local root hole in the Linux kernel, called Sequoia, was disclosed by Qualys on July 20. A full system compromise is possible until the kernel is patched (or mitigations that may not be fully effective are applied). At its core, the vulnerability relies on a path through the kernel where 64-bit size_t values are "converted" to signed integers, which effectively results in an overflow. The flaw was reported to Red Hat on June 9, along with a local systemd denial-of-service vulnerability, leading to a kernel crash, found at the same time. Systems with untrusted local users need updates for both problems applied as soon as they are available—out of an abundance of caution, other systems likely should be updated as well. Down in the guts of the kernel's seq_file interface, which is used for handling virtual files in /proc and the like, buffers are needed to store each line of the file's "contents". To start, a page of memory is allocated for the buffer, but if that is not sufficient, a new buffer that is twice the size of the old one is allocated. This is all done using a size_t, which is an unsigned 64-bit quantity (on x86_64) that is large enough to hold the results, so "the system would run out of memory long before this multiplication overflows".