Facebook CEO Mark Zuckerberg ordered his management team to only use Android phones, given that the operating system has more total users worldwide. According to The New York Times, the decision reportedly occurred after Apple CEO Tim Cook criticized Facebook in an MSNBC interview for being a service that traffics “in your personal life.”

In those comments made back in March, Cook dismissed a question asking him what he would do if he were in Zuckerberg’s shoes dealing with the fallout from the Cambridge Analytica scandal by saying, “I wouldn’t be in this situation.” Zuckerberg soon after retorted in an interview with Recode that he found Cook’s comments to be “extremely glib,” and that “I think it’s important that we don’t all get Stockholm syndrome and let the companies that work hard to charge you more convince you that they actually care more about you. Because that sounds ridiculous to me.”

Raspberry Pi 3 Model A+ is a smaller, cheaper, lower-powered Pi 3 and it's on sale now at just US$ 25. The newest Pi is ideal for projects in which you need the speed and processing power of the Pi 3 but can live without ethernet, multiple USB ports, and extra RAM.

Before the first Raspberry Pi was launched, the Raspberry Pi Foundation said it planned to do two product lines: Model A (US$ 25) and Model B (US$ 35). The Model B was launched in 2012, and the Model A a year later. Originally the Model A was just a Model B with half the RAM, and one USB port and the ethernet port removed, but otherwise at the same size and in the same form factor. In 2014, the Model B+ was launched, with more GPIOs and two additional USB ports, and was promptly followed by the A+, in which the board took a size reduction owing to the space created by removal of components.

The term serverless has been coming up in more conversations recently. Let’s clarify the concept, and those related to it, such as serverless computing and serverless platform.

Serverless is often used interchangeably with the term FaaS (Functions-as-a-Service). But serverless doesn’t mean that there is no server. In fact, there are many servers—serverful—because a public cloud provider provides the servers that deploy, run, and manage your application.

Serverless computing is an emerging category that represents a shift in the way developers build and deliver software systems. Abstracting application infrastructure away from the code can greatly simplify the development process while introducing new cost and efficiency benefits. I believe serverless computing and FaaS will play an important role in helping to define the next era of enterprise IT, along with cloud-native services and the hybrid cloud.

• OpenVAS image for Docker on Ubuntu

• How to install the Zabbix enterprise-grade monitor on Ubuntu Server 16.04

• How to Install VirtualBox and Extension Pack on Elementary OS 5.0 (Juno)

• How to Change or Set System Locales in Linux

• Redirect http to https: Apache Server

A "joke" in the glibc manual—targeting a topic that is, at best, sensitive—has come up for discussion on the glibc-alpha mailing list again. When we looked at the controversy in May, Richard Stallman had put his foot down and a patch removing the joke—though opinions of its amusement value vary—was reverted. Shortly after that article was published, a "cool down period" was requested (and honored), but that time has expired. Other developments in the GNU project have given some reason to believe that the time is ripe to finally purge the joke, but that may not work out any better than the last attempt.

The joke in question refers to a US government "censorship rule" from over two decades ago regarding sharing of information about abortion. It is attached to documentation of the abort() call in glibc and the text of it can be seen in the patch to remove it. One might think that an age-old US-centric joke would be a good candidate for removal regardless of its subject matter. That it touches on a topic that is emotionally fraught for many might also make it unwelcoming—thus unwelcome in documentation. But, according to Stallman, that's not so clear cut.

[...]

When pressed for more information about what these larger issues are, as O'Donell did, Stallman counseled patience. He did not offer any more information than that; perhaps the discussion has moved to a private mailing list or the like.

For many, including me, it is a little hard to understand why there is any opposition to removing the joke at all. It is clearly out of place, not particularly funny, and doesn't really push the GNU anti-censorship philosophy forward in any real way even if you grant that anti-censorship is a goal of the project (which some do not). There are, of course, those who oppose removing it because they are opposed to "political correctness" and do not see how it could be "unwelcoming", but even they might concede that it is an oddity that is poked into a back corner of a entirely unrelated document. And it is not hard for many to see that tying the topic of abortion to a C function might be upsetting to some; why waste a bunch of project time defending it when it has effectively no impact in the direction that Stallman wants, while putting off some (possibly small) percentage of glibc manual readers?

• Linux Day 2018 – Italy

  Every year, on the last Saturday of October, in Italy there is a national event called “Linux Day”. This year was the 18th edition and it was held on October 27.

  The event is promoted by the Italian Linux Society, and it is independently organized in many cities all around the country by groups of volunteers, LUGs and various associations. Even if it is highly fragmented (many little events in many cities), it is probably the biggest Italian event related to Linux and FLOSS, that is directly organized by people involved in the communities and by ordinary users.

  The aim of such event is to to promote Linux and FLOSS in general: in each city there are many talks, presentations and installation parties. The target audience is not limited to computer enthusiasts, hackers or IT professionals, but newbies, students and curious citizens are welcome as well.

• Red Hat expands PHL operations, opens new office in Makati

• Protecting the open-source license commons

  Enforcement, especially involving version 2 of the GPL, has always been a part of the open-source landscape. It only reached the point of actual litigation in the early 2000s, where we saw enforcement efforts showing up in three broad classes. Community enforcement came directly from the developers, either individually or through organizations like the Software Freedom Conservancy (SFC). Commercial entities have done some enforcement, usually in support of an associated proprietary licensing model. And "non-community developers", such as Patrick McHardy, have been pursuing extortionate actions in search of commercial gain. These are the so-called copyright trolls, though he does not like that term. There has been an increase in all three types of enforcement in the last few years; one outcome has been the SFC enforcement principles that try to distinguish the first two types of enforcement from the last, he said.

  A lot of thought has gone into enforcement at his employer Red Hat; Fontana said that enforcement activities should be judged by whether they promote collaboration or not. Enforcement that promotes certainty, predictability, and a level playing field will do that, while commercially motivated enforcement will reduce the incentive to collaborate. So he believes, like many others, that enforcement should not be done for commercial gain. Beyond that, there needs to be transparency around the funding of litigation and the selection of targets. Proceedings should be open; the secrecy built into the German legal system (where much enforcement activity to date has taken place) has not helped here. And, overall, litigation is a poor way to achieve license compliance.

Deepin is an open source GNU/Linux operating system, based on Linux kernel and desktop applications, supporting laptops, desktops and all-in-ones. deepin preinstalls Deepin Desktop Environment (DDE) and nearly 30 deepin native applications, as well as several applications from the open source community to meet users’ daily learning and work needs. In addition, about a thousand of applications are offered in Deepin Store to meet your more needs. deepin, developed by a professional operating system R&D team and deepin technical community (www.deepin.org), is from the name of deepin technical community - “deepin”, which means deep pursuit and exploration of the life and the future.

Compared with deepin 15.7, the ISO size of deepin 15.8 has been reduced by 200MB. The new release is featured with newly designed control center, dock tray and boot theme, as well as improved deepin native applications, hoping to bring users a more beautiful and efficient experience.

• Zinc: a new kernel cryptography API

  We looked at the WireGuard virtual private network (VPN) back in August and noted that it is built on top of a new cryptographic API being developed for the kernel, which is called Zinc. There has been some controversy about Zinc and why a brand new API was needed when the kernel already has an extensive crypto API. A recent talk by lead WireGuard developer Jason Donenfeld at Kernel Recipes 2018 would appear to be a serious attempt to reach out, engage with that question, and explain the what, how, and why of Zinc.

  WireGuard itself is small and, according to Linus Torvalds, a work of art. Two of its stated objectives are maximal simplicity and high auditability. Donenfeld initially did try to implement WireGuard using the existing kernel cryptography API, but after trying to do so, he found it impossible to do in any sane way. That led him to question whether it was even possible to meet those objectives using the existing API.

  By way of a case study, he considered big_key.c. This is kernel code that is designed to take a key, store it encrypted on disk, and then return the key to someone asking for it if they are allowed to have access to it. Donenfeld had taken a look at it, and found that the crypto was totally broken. For a start, it used ciphers in Electronic Codebook (ECB) mode, which is known to leave gross structure in ciphertext — the encrypted image of Tux on the left may still contain data perceptible to your eye — and so is not recommended for any serious cryptographic use. Furthermore, according to Donenfeld, it was missing authentication tags (allowing ciphertext to be undetectably modified), it didn't zero keys out of memory after use, and it didn't use its sources of randomness correctly; there were many CVEs associated with it. So he set out to rewrite it using the crypto API, hoping to better learn the API with a view to using it for WireGuard.

  The first step with the existing API is to allocate an instance of a cipher "object". The syntax for so doing is arguably confusing — for example, you pass the argument CRYPTO_ALG_ASYNC to indicate that you don't want the instance to be asynchronous. When you've got it set up and want to encrypt something, you can't simply pass data by address. You must use scatter/gather to pass it, which in turn means that data in the vmalloc() area or on the stack can't just be encrypted with this API. The key you're using ends up attached not to the object you just allocated, but to the global instance of the algorithm in question, so if you want to set the key you must take a mutex lock before doing so, in order to be sure that someone else isn't changing the key underneath you at the same time. This complexity has an associated resource cost: the memory requirements for a single key can approach a megabyte, and some platforms just can't spare that much. Normally one would use kvalloc() to get around this, but the crypto API doesn't permit it. Although this was eventually addressed, the fix was not trivial.

• 4.20 Merge window part 2

  At the end of the 4.20 merge window, 12,125 non-merge changesets had been pulled into the mainline kernel repository; 6,390 came in since last week's summary was written. As is often the case, the latter part of the merge window contained a larger portion of cleanups and fixes, but there were a number of new features in the mix as well.

There is always at least a small risk when installing a package for a distribution. By its very nature, package installation is an invasive process; some packages require the ability to make radical changes to the system—changes that users surely would not want other packages to take advantage of. Packages that are made available by distributions are vetted for problems of this sort, though, of course, mistakes can be made. Third-party packages are an even bigger potential problem because they lack this vetting, as was discussed in early October on the debian-devel mailing list. Solutions in this area are not particularly easy, however.

Lars Wirzenius brought up the problem: "when a .deb package is installed, upgraded, or removed, the maintainer scripts are run as root and can thus do anything." Maintainer scripts are included in a .deb file to be run before and after installation or removal. As he noted, maintainer scripts for third-party packages (e.g. Skype, Chrome) sometimes add entries to the lists of package sources and signing keys; they do so in order to get security updates to their packages safely, but it may still be surprising or unwanted. Even simple mistakes made in Debian-released packages might contain unwelcome surprises of various sorts.

He suggested that there could be a set of "profiles" that describe the kinds of changes that might be made by a package installation. He gave a few different examples, such as a "default" profile that only allowed file installation in /usr, a "kernel" profile that can install in /boot and trigger rebuilds of the initramfs, or "core" that can do anything. Packages would then declare which profile they required. The dpkg command could arrange that package's install scripts could only make the kinds of changes allowed by its profile.

The SpamAssassin 3.4.2 release was the first from that project in well over three years. At the 2018 Open Source Summit Europe, Giovanni Bechis talked about that release and those that will be coming in the near future. It would seem that, after an extended period of quiet, the SpamAssassin project is back and has rededicated itself to the task of keeping junk out of our inboxes.
Bechis started by noting that spam filtering is hard because everybody's spam is different. It varies depending on which languages you speak, what your personal interests are, which social networks you use, and so on. People vary, so results vary; he knows a lot of Gmail users who say that its spam filtering works well, but his Gmail account is full of spam. Since Google knows little about him, it is unable to train itself to properly filter his mail.

Just like Gmail, SpamAssassin isn't the perfect filter for everybody right out of the box; it's really a framework that can be used to create that filter. Getting the best out of it can involve spending some time to write rules, for example.

• Carlos Garnacho: On the track for 3.32

  It happens sneakily, but there’s more things going on in the Tracker front than the occasional fallout. Yesterday 2.2.0-alpha1 was released, containing some notable changes.

  On and off during the last year, I’ve been working on a massive rework of the SPARQL parser. The current parser was fairly solid, but hard to extend for some of the syntax in the SPARQL 1.1 spec. After multiple attempts and failures at implementing property paths, I convinced myself this was the way forward.

• Robert Ancell: Counting Code in GNOME Settings

  I've been spending a bit of time recently working on GNOME Settings. One part of this has been bringing some of the older panel code up to modern standards, one of which is making use of GtkBuilder templates.

  I wondered if any of these changes would show in the stats, so I wrote a program to analyse each branch in the git repository and break down the code between C and GtkBuilder.

• Zentyal 6.0 Announcement

  Zentyal Development Team is proud to announce Zentyal Server 6.0, a new release of the Zentyal Open Source Linux Server with native Microsoft Active Directory® interoperability.

• Zentyal Open Source Linux Server Version 6.0 Now Available, KDevelop 5.3 Released, Scalyr Announces New Features, Mozilla Launches Version 2.0 of Its *Privacy Not Included Buyer's Guide and Debian No Longer Allowing Vendor-Specific Patches

  The Zentyal development team announces a new major version of its Zentyal Open Source Linux Server with native Microsoft Active Directory interoperability. Version 6.0 is based on Ubuntu 18.04 LTS with the Linux 4.15 kernel, Samba 4.7, and it includes a new RADIUS module and virtualization manager module. See the full Changelog for more details.

Since the launch of Firefox Monitor, a free service that notifies you when your email has been part of a breach, hundreds of thousands of people have signed up.

In response to the excitement from our global audience, Firefox Monitor is now being made available in more than 26 languages. We’re excited to bring Firefox Monitor to users in their native languages and make it easier for people to learn about data breaches and take action to protect themselves.

When your personal information is possibly at risk in a data breach, reading news and information in the language you understand best helps you to feel more in control. Now, Firefox Monitor will be available in Albanian, Traditional and Simplified Chinese, Czech, Dutch, English (Canadian), French, Frisian, German, Hungarian, Indonesian, Italian, Japanese, Malay, Portuguese (Brazil), Portuguese (Portugal), Russian, Slovak, Slovenian, Spanish (Argentina, Mexico, and Spain), Swedish, Turkish, Ukranian and Welsh.

We couldn’t have accomplished this feat without our awesome Mozilla community of volunteers who worked together to make this happen. We’re so grateful for their support in making Firefox Monitor available to more than 2.5 billion non-English speakers.

Mark Shuttleworth, CEO of Canonical, made some negative comments about his competitors’ licensing fees during his speech at the OpenStack Summit in Vancouver in May. People in the audience were looking at each other with raised eyebrows, and a few people even laughed out loud at the audacity. Still, Shuttleworth was invited to keynote the OpenStack Summit in Berlin this week. But this time, he says he was asked “not to name names.”

Shuttleworth said for his keynote this week he planned to continue the discussion about the long-term operability of OpenStack and the economics of operating it. “We’re very conscious that organizations will only do private cloud if it makes common sense,” he said. “And they can also work in public cloud. We’re very focused on deploying the cloud cost effectively.”

Also: Scalyr Rolls Out New Troubleshooting Features to Advance Engineering Productivity and Collaboration Across Modern Architectures

• Amazon Web Services promises to support OpenJDK through 2023 with release of internal tool as new open source project

  Developers using the popular OpenJDK (Java Development Kit) software tool can breathe a little easier Wednesday after Amazon Web Services announced it would support the tool with bug fixes and enhancements for the next several years with the release of an internally developed implementation of OpenJDK known as Amazon Coretto.

  Announced at Devoxx in Europe Wednesday, Coretto is an open-source distribution of OpenJDK developed for internal use at Amazon to manage Java applications. While Java is widely used to build enterprise applications, the future of OpenJDK has been in doubt thanks to Oracle’s decision to end support for the free version of OpenJDK as of this coming January.

• One More Reaction to IBM's Acquisition of Red Hat

  Now that the dust has settled around the explosive announcement that IBM will be acquiring open source software provider and longtime Java Community Process (JCP) leader Red Hat, I wanted to share the reaction to the deal of one of the keenest (and most fearless) observers of the Java universe.

• Finos launches open source programme

  Finos (the Fintech Open Source Foundation), a nonprofit foundation promoting open innovation in financial services, today announced the launch of a new Program focused on Decentralized Ecosystem Growth (DEG).

  Amber Baldet, CEO of Clovyr and former Blockchain Program Lead for J.P. Morgan Chase, revealed the Program in London during her keynote at FINOS’ annual flagship Open Source Strategy Forum - the only conference dedicated to open source in financial services. IHS Markit, FINOS Gold Member, will sponsor the program with Baldet serving as the first Program Management Committee (PMC) lead.

• Open Source Identity and Access Management

  Looking back on the year as we enter the homestretch of 2018, one thing is apparent. With 2018 on track to be one of the worst years for security breaches ever, strong identity and access management (IAM) needs to be at the top of any IT organization’s checklist. Those that are cost conscious are asking, are there any viable open source identity and access management solutions on the market?

• Free Open Source Techologies Are Big Business. Wait, What?

• The Houdini Project: Fundraising Software for Non-Profits Joins Conservancy

  First we were excited find out that a project like the Houdini Project even existed and now we can proudly say that they are also a Conservancy member! Services and applications for non-profits -- that are also free software -- are very close to our fiscal umbrella heart here at Conservancy. Houdini is our second incoming project this year that specifically caters to the needs of non-profits. Back in May, we welcomed Backdrop CMS a lightweight content management system that is great for non-profits, to the Conservancy fold. As long-time readers of the Conservancy blog know, the offerings for non-profits that care about software freedom are pretty slim, which is why we've also been working on our own non-profit accounting solution.

  The Houdini Project's ('Houdini's) software is used by many worthy and hard-working organizations, but perhaps the most notable is the Panzi Foundation. The foundation focuses on ending sexual violence in wars and supporting survivors at the Panzi Hospital in the Democratic Republic of Congo as they rebuild their lives. Panzi Foundation's co-founder, Dr. Denis Mukwege, a surgeon and activist who has devoted his life to this work received a Nobel Peace Prize this year. Other major users include Public Radio Exchange,WeMove.eu and Charter for Compassion.

• 11 bit studios actually will put the latest This War of Mine DLC on Linux

  As an update to the previous article where 11 bit studios told me they didn't have the resources for Linux, turns out they will be putting the latest This War of Mine DLC on Linux after-all.

• Help Test SuperTuxKart Online Multiplayer Feature

  SuperTuxKart, a free and open-source kart racing video game, is getting closer to a major release which will include online multiplayer support (both WAN and LAN).

  The game developers need help test the new network implementation. Those willing to help will need to compile SuperTuxKart from Git (switch to the "network" branch), create an online account in SuperTuxKart, go to the online section and join a server.

  There are currently over 20 servers located in different parts of the world, for multiple game modes, including normal race, soccer, battle mode, and the new capture-the-flag and free-for-all modes.

  You can also create your own server and ask some friends to join. In case you're interested in hosting your own public SuperTuxKart server, see the instructions from this page.

• Microsoft’s open source AirSim platform comes to Unity [Ed: Hardly surprising that Microsoft Mono Trojan horse Unity, which keeps breaking games on GNU/Linux, works with Microsoft]

• Microsoft launches AirSim on Unity, giving developers new tools to train AI models

• Google Chrome Labs: Use our open-source Squoosh image tool for faster page loads

  The tool is aimed at helping web developers quickly compress images and reduce image quality to an acceptable level, with the aim of making web apps that are light and fast.

  However, it will also help Google promote its WebP image lossy and lossless image-compression format, which until recently was only supported by Chrome.

  WebP aside, Squoosh is a progressive web app (PWA) that works with any browser on desktop and mobile, and offers several "best-in-class codecs" to compress and compare images within the browser.

• Google Chrome Labs unveils Squoosh, an open-source image compression tool that runs in your browser

  Google Chrome Labs has just revealed Squoosh, an in-browser image compression tool that can use non-browser image codecs to compress images without much loss in quality. The app can also be run offline after it is loaded in a browser at least once. Squoosh is aimed at web designers that hope to reduce web page load times by using compressed images.

• Google ‘Squoosh’ apps makes reducing image file sizes a breeze

• Recap: What Google announced at the 2018 Chrome Dev Summit

• Scale down the images through Google’s new web app “Squoosh”

• This Nifty Web Tool Lets You Mess With Image Compression

• Google's 'Squoosh' Image Compression Tool Shows Off the Power of Web Apps

• WebP images won’t load in Microsoft Edge with Application Guard

  This issue affects a lot of prominent websites who’ve opted to take advantage of the higher compression gains they get with a modern image format like WebP. You can also see it here on Ctrl blog where most images will just not work in Microsoft Edge.

  There isn’t really anything web developers can do to work around this issue other than strip out unsupported photo formats when encountering the Microsoft Edge User-Agent. The images won’t fire an error even when it fails to display, and you can’t detect that Microsoft Edge is running in Application Guard mode from the web platform.

• SBC showcases Qualcomm’s 10nm, octa-core QCS605 IoT SoC

  Intrinsyc’s compact “Open-Q 605” SBC for computer vision and edge AI applications runs Android 8.1 and Qualcomm’s Vision Intelligence Platform on Qualcomm’s IoT-focused, octa-core QCS605.

  In April, Qualcomm announced its QCS605 SoC, calling it “the first 10nm FinFET fabricated SoC purpose built for the Internet of Things.” The octa-core Arm SoC is available in an Intrinsyc Open-Q 605 SBC with full development kit with a 12V power supply is open for pre-orders at $429. The products will ship in early December.

• Second-gen Intel Neural Compute Stick shows off new Myriad X VPU

  Intel has launched a $99 “Neural Compute Stick 2” AI accelerator built around a new Myriad X VPU that adds a Neural Compute Engine and more cores for up to 8x greater performance.

  Intel may be scaling back a bit on its IoT business, but it continues to push hard with the Myriad neural network acceleration technology it acquired when it bought Movidius. Intel has just released its third-gen “Myriad X” technology for AI acceleration on edge devices, debuting on a $99 Intel Neural Compute Stick 2 (NCS2).

• That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

  If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.

  [...]

  If you’re on the fence about whether to renew a domain and it’s one of several you own, it may make sense to hold onto it and simply forward any incoming traffic to a domain you do want people to visit. In the event you decide to relinquish a domain, make sure you take stock of any online accounts you created with email addresses tied to that domain and move those to another email address, as those accounts will likely come under someone else’s control when the domain expires.

• Stolen credit card details of nearly 250,000 British Airways customers on sale for up to £9.4m

• Watch a real hacker hack into Hollywood's hacky hacking scenes
  

  As with bad sex, most bad hacking scenes in movies and television involve someone needing to announce, “I’m in!” Since not long after people started connecting computers to other computers, Hollywood has been depicting fictional people attempting to use those connections for nefarious means. Naturally, Hollywood has also spent a lot of its time getting those depictions wrong. In the above clip from Wired, security researcher Samy Kamkar assesses a number of famous hacking scenes from TV and film to see just how off they are.

• Red Team 101: Understanding Kali Linux

  Your security environment is complicated. You’re invested in multiple security tools – antivirus, firewalls, IDS, IPS, SIEM, DLP, and more. If you haven’t invested in a red team, however, you’re doing security wrong. How could you know that your expensive defenses are working unless you’ve tested them out?

  A red team is a great way to test your defenses. In brief, a red team is a small group of employees whose job is to try to hack into your organization, understand its vulnerabilities, and then help you patch them up.

• Adobe Flash Player Update Version 31.0.0.148 Addresses a Significant Vulnerability Issue