Language Selection

English French German Italian Portuguese Spanish

OSS

Top 6 open source desktop email clients

Filed under
OSS

Mobile and web technologies still haven't made the desktop obsolete, and despite some regular claims to the contrary, desktop clients don't seem to be going away anytime soon.

And with good reason. For many, the preference for a native application (and corresponding native performance), easy offline use, a vast array of plugins, and meeting security needs will long outweigh pressures to switch to a webmail email client. Whether you're sticking with a desktop email client because of a corporate mandate or just personal preference, there are still many great options to choose from. And just because you may be stuck on Windows doesn't mean Outlook is your only option; many open source clients are cross-platform.

Read more

OSS: Jio, VMware Openwashing, and Testing Jobs

Filed under
OSS
  • Jio is committed to use open source technology: Akash Ambani

    Speaking at the India Digital Open Summit 2018, Akash Ambani, Director of Reliance Jio Infocomm, said that open source is very important for his company.

    “The year 2017 was the tipping point for AR and VR globally. In India, AR and VR are in the initial stages of adoption but at Jio, we believe it will grow at a 50 percent compounded rate for the next five years,” Akash said.

    He also spoke on the evolution of artificial intelligence and blockchain.

  • VMware and Pivotal’s PKS Distribution Marries Kubernetes with BOSH [Ed: It looks like the author has been reduced to Microsoft propaganda and other openwashing puff pieces sponsored by proprietary software giants. We have given up on several writers who used to support GNU/Linux. Seeing their activity, it seems as though they ended up with neither gigs nor credibility (used to get far more writing assignments from LF, often for Microsoft openwashing).]
  • Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

    Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

    And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

    A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.

    In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

OSS Leftovers

Filed under
OSS
  • Reliance Jio and global tech leaders come together to push Open Source in India

    The India Digital Open Summit which will be held tomorrow at the Reliance Corporate Park campus in Navi Mumbai -is a must-attend event for industry leaders, policymakers, technologists, academia, and developer communities working towards India’s digital leadership through Open Source platforms.

    The summit is hosted by Reliance Jio in partnership with the Linux Foundation and supported by Cisco Systems.

  • Open-source software simulates river and runoff resources

    Freshwater resources are finite, unevenly distributed, and changing through time. The demand—and competition—for water is expected to grow both in the United States and in the developing/developed world. To examine the connection between supply and demand and resulting regional and global water stresses, a team developed Xanthos. The open-source hydrologic model is available for free and helps researchers explore the details and analyze global water availability.

    Researchers can use Xanthos to examine the implications of different climate, socioeconomic, and/or energy scenarios over the 21st century. They can then assess the effects of the scenarios on regional and global water availability. Xanthos can be used in three different ways. It can operate as an independent hydrologic model, driven, for example, by scenarios. It can serve as the core freshwater supply component of the Global Change Assessment Model, where multiple sectors and natural systems are modeled simultaneously as part of an interconnected, complex system. Further, it can be used by other integrated models and multi-model frameworks that focus on energy-water-land interactions.

  • “The Apache Way” — Open source done well

    I was at an industry conference and was happy to see many people stopping by the Apache booth. I was pleased that they were familiar with the Apache brand, yet puzzled to learn that so many were unfamiliar with The Apache Software Foundation (ASF).

    For this special issue, “All Eyes On Open Source”, it’s important to recognize not just Apache’s diverse projects and communities, but also the entity behind their success.

    Gone are the days when software and technology, in general, were developed privately for the benefit of the few. As technology evolves, the challenges we face become more complex, and the only way to effectively move forward to create the technology of the future is to collaborate and work together. Open Source is a perfect framework for that, and organizations like the ASF carry out a decisive role in protecting its spirit and principles.

  • ​Learn how to run Linux on Microsoft's Azure cloud
  • LLVM 6.0-RC1 Makes Its Belated Debut

    While LLVM/Clang 6.0 was branched earlier this month and under a feature freeze with master/trunk moving to LLVM 7.0, two weeks later the first release candidate is now available.

    Normally the first release candidate comes immediately following the branching / feature freeze, but not this time due to the shifted schedule with a slow start to satisfy an unnamed company seeking to align their internal testing with LLVM 6.0.

  • Hackers can’t dig into latest Xiaomi phone due to GPL violations

     

    Yet another Android OEM is dragging its feet with its GPL compliance. This time, it's Xiaomi with the Mi A1 Android One device, which still hasn't seen a kernel source code release.
     

    Android vendors are required to release their kernel sources thanks to the Linux kernel's GPLv2 licensing. The Mi A1 has been out for about three months now, and there's still no source code release on Xiaomi's official github account.

  • 2017 - The Year in Which Copyright Went Beyond Source Code

    2017 was a big year for raising the profile of copyright in protecting computer programs. Two cases in particular helped bring attention to a myth that was addressed and dispelled some time ago but persists in some circles nonetheless. Many lawyers hold on to the notion that copyright protection for software is weak because such protection inheres in the source code of computer programs. Because most companies that generate code take extensive (and often successful) measures to keep source code out of the hands of third parties, the utility of copyright protection for code is often viewed as limited. However, copyright also extends to the “non-literal elements” of computer programs, such as their sequence, structure and organization, as well as to things such as screen displays and certain user interfaces. In other words, copyright infringement can occur when copying certain outputs of the code without there ever having been access to the underlying code itself.

  • Announcing WebBook Level 1, a new Web-based format for electronic books

    Eons ago, at a time BlueGriffon was only a Wysiwyg editor for the Web, my friend Mohamed Zergaoui asked why I was not turning BlueGriffon into an EPUB editor... I had been observing the electronic book market since the early days of Cytale and its Cybook but I was not involved into it on a daily basis. That seemed not only an excellent idea, but also a fairly workable one. EPUB is based on flavors of HTML so I would not have to reinvent the wheel.

    I started diving into the EPUB specs the very same day, EPUB 2.0.1 (released in 2009) at that time. I immediately discovered a technology that was not far away from the Web but that was also clearly not the Web. In particular, I immediately saw that two crucial features were missing: it was impossible to aggregate a set of Web pages into a EPUB book through a trivial zip, and it was impossible to unzip a EPUB book and make it trivially readable inside a Web browser even with graceful degradation.

    When the IDPF started working on EPUB 3.0 (with its 3.0.1 revision) and 3.1, I said this was coming too fast, and that the lack of Test Suites with interoperable implementations as we often have in W3C exit criteria was a critical issue. More importantly, the market was, in my opinion, not ready to absorb so quickly two major and one minor revisions of EPUB given the huge cost on both publishing chains and existing ebook bases. I also thought - and said - the EPUB 3.x specifications were suffering from clear technical issues, including the two missing features quoted above.

  • Firefox 58 Bringing Faster WebAssembly Compilation With Two-Tiered Compiler

    With the launch of Mozilla Firefox 58 slated for next week, WebAssembly will become even faster thanks to a new two-tiered compiler.

  • New Kernel Releases, Net Neutrality, Thunderbird Survey and More

    In an effort to protect Net Neutrality (and the internet), Mozilla filed a petition in federal court yesterday against the FCC. The idea behind Net Neutrality is to treat all internet traffic equally and without discrimination against content or type.

    Make your opinions heard: Monterail and the Thunderbird email client development team are asking for your assistance to help improve the user interface in the redesign of the Thunderbird application. Be sure to take the survey.

OSS Leftovers and Security

Filed under
OSS
Security
  • How to get all the benefits of open source software

    Open source software continues its meteoric rise, as more and more large enterprises weave open source code into various areas of their operations, increasingly shunning the big-name, proprietary software vendors.

    In fact, according to open source software development company, Sonatype, represented locally by 9TH BIT Consulting, 7,000 new open source software projects kick-off around the world every week, while 70,000 new open source components are released. Accessing this massive ‘hivemind’ of software development expertise is a highly attractive prospect for CIOs and business managers in all industries.

  • What is open source?

    What is open source software and how do vendors make their money? We answer your questions

    Open source is the foundation of modern technology. Even if you don't know what it is, chances are you've already used it at least once today. Open source technology helped build Android, Firefox, and even the Apache HTTP server, and without it, the internet as we know it would simply not exist.

    The central idea behind open source is a simple one: many hands make light work. In short, the more people you have working on something, the quicker and easier it is to do. As it applies to software development, this means opening projects up to the public to let people freely access, read and modify the source code.

  • Open Source Initiative Announces New Partnership With Adblock Plus

    Adblock Plus, the most popular Internet ad blocker today, joins The Open Source Initiative® (OSI) as corporate sponsors. Since its very first version, Adblock Plus has been an open source project that has developed into a successful business with over 100 million users worldwide. As such, the German company behind it, eyeo GmbH, has decided it is time to give back to the open source community.

    Founded in 1998, the OSI protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure. Adblock Plus is an open source project that aims to rid the Internet of annoying and intrusive online advertising. Its free web browser extensions (add-ons) put users in control by letting them block or filter which ads they want to see.

  • What if Open-Source Software Can Replace Dozens of Multi-Billion Dollar Companies? That is Exactly What Origin Protocol Wants to do Using Blockchain
  • Bonitasoft gets cute on AWS for low-code BPM

    There has been an undeniable popularisation of so-called ‘low-code’ programming platforms.

    This is a strain of technology designed to provide automated blocks of functionality that can be brought together by non-technical staff to perform specific compute and analysis tasks to serve their own business objectives.

  • Red Hat Certification: for developers too!

    Red Hat’s certification program provides validation of IT professionals’ skills and knowledge using our subscription products. Red Hat’s certifications carry credibility in the market because they are all earned by taking one or more hands-on, practical exams that last multiple hours. Like most programs offered by technology vendors, our most familiar certifications are those for system administrators.

  • LXD Weekly Status #30

    The main highlight for this week was the inclusion of the new proxy device in LXD, thanks to the hard work of some University of Texas students!

    The rest of the time was spent fixing a number of bugs, working on various bits of kernel work, getting the upcoming clustering work to go through our CI process and preparing for a number of planning meetings that are going on this week.

  • GitHub Alternative SourceForge Vies for Comeback with Redesigned Site

    SourceForge wants to be more than just another GitHub alternative, but an additional repository for developers to utilize to help gain users.

  • The Clock Is Ticking for Chip Flaw Fixes to Start Working

    Cures for the pervasive Meltdown and Spectre chip flaws aren’t working, and hacks may soon be incoming.

  • Intel: No Financial Meltdown

    Yves here. It is telling that the very measured Bruegel website is pretty bothered that Intel looks likely to get away with relatively little in the way of financial consequences as a result of its Spectre and Meltdown security disasters. This is a marked contrast with Volkswagen, where the company paid huge fines and executives went to jail.

    However, it was the US that went after a foreign national champion. The US-dominated tech press is still frustratingly given the Intel train wrecks paltry coverage relative to their importance.

  • CIP related work during the second half of 2017

    As you probably know by now, I have been involved in the Civil Infrastructure Project (CIP), a Linux Foundation Initiative formed in 2016, representing Codethink, a founder Member and coordinating the engineering work in two areas within the project:

Open Source in 3-D Printing

Filed under
OSS
  • 17,000% Cost Reduction with Open Source 3D Printing: Michigan Tech Study Showcases Parametric 3D Printed Slot Die System

    We often cover the work of prolific Dr. Joshua Pearce, an Associate Professor of Materials Science & Engineering and Electrical & Computer Engineering at Michigan Technological University (Michigan Tech); he also runs the university’s Open Sustainability Technology (MOST) Research Group.

    Dr. Pearce, a major proponent for sustainability and open source technology, has previously taught an undergraduate engineering course on how to build open source 3D printers, and four of his former students, in an effort to promote environmental sustainability in 3D printing, launched a business to manufacture and sell recycled and biodegradable filaments.

  • Open Source 3D printing cuts cost from $4,000 to only $0.25 says new study

    Slot die coating is a means of adding a thin, uniform film of material to a substrate. It is a widely used method for the manufacturing of electronic devices – including flat screen televisions, printed electronics, lithium-ion batteries and sensors.

    Up until recently, slot die components were only machined from stainless steel, restricting development and making the process expensive. Now slot dies for in-lab experimental use can be made on a 3D printer at a fraction of the cost.

  • Dutch firm unveils world's first 3-D-printed propeller

    Three-dimensional (3-D) printing technology has caught the logistics world's attention for its potential to save on warehouse and shipping costs by producing items on demand at any location. In the past two years, for example, UPS Inc. announced plans to partner with software developer SAP SE to build a nationwide network of 3-D printers for use by its customers, and General Electric Co. spent nearly $600 million to buy a three-quarters stake in the German 3-D printing firm Concept Laser GmbH.

    Recently, transportation companies have begun turning to the same technology for another application, creating the actual hardware used in vehicles that move the freight. For instance, in late 2016, global aircraft maker Airbus S.A.S. contracted with manufacturing firm Arconic Inc. to supply 3-D printed metal parts for its commercial aircraft.

AT&T in Open Network Automation Platform (ONAP)

Filed under
OSS

An introduction to Inkscape for absolute beginners

Filed under
OSS

Inkscape is a powerful, open source desktop application for creating two-dimensional scalable vector graphics. Although it's primarily an illustration tool, Inkscape is used for a wide range of computer graphic tasks.

The variety of what can be done with Inkscape is vast and sometimes surprising. It is used to make diagrams, logos, programmatic marketing materials, web graphics, and even for paper scrapbooking. People also draw game sprites, produce banners, posters, and brochures. Others use Inkscape to draft web design mockups, detail layouts for printed circuit boards, or produce outline files to send to laser cutting equipment.

Read more

Leftovers: Proprietary Software, HowTos, and GXml

Filed under
Software
OSS
HowTos

OSS Leftovers

Filed under
OSS
  • Google's Kelsey Hightower talks Kubernetes and community

    Google developer advocate Kelsey Hightower says that he always figured that the (now wildly successful) Kubernetes container orchestration platform "would get big on its own at some point." He shared some of the reasons he sees for Kubernetes' success in a podcast recorded in December at CloudNativeCon in Austin.

    The first is that Kubernetes is an effective platform on which to do other things. It provides "better primitives than I had before" as Hightower puts it. At the same time, he says that this is something people misunderstand about Kubernetes. "It's not the end game," he says. Rather, at some point, it increasingly becomes "the new platform for building other platforms."

  • A FOSS Year Resolution

    It’s that time of year again. The time when some people are taking a long hard look at their lives and trying to decide what they want to change about themselves over the course of the next year. Some of us want to lose weight, or exercise more, or spend more time with our kids. The trouble is only about 9% of these resolutions actually happen.

  • Do not limit yourself

    The motto of Learn yourself, teach others is still very strong among us. We try to break any such stupid limits others try to force on our lives. We dream, we try to enjoying talking about that book someone just finished. We discuss about our favorite food. I will end this post saying one thing again. Do not bound yourself in some non existing limits. Always remember, What a great teacher, failure is (I hope I quoted Master Yoda properly). Not everything we will try in life will be a super successful thing, but we can always try to learn from those incidents. You don’t have to bow down in front of anyone, you can do things you love in your life without asking for others’ permissions.

  • Benjamin Mako Hill: OpenSym 2017 Program Postmortem

    The International Symposium on Open Collaboration (OpenSym, formerly WikiSym) is the premier academic venue exclusively focused on scholarly research into open collaboration. OpenSym is an ACM conference which means that, like conferences in computer science, it’s really more like a journal that gets published once a year than it is like most social science conferences. The “journal”, in iithis case, is called the Proceedings of the International Symposium on Open Collaboration and it consists of final copies of papers which are typically also presented at the conference. Like journal articles, papers that are published in the proceedings are not typically published elsewhere.

  • NVDA and Firefox 58 – The team is regaining strength

    A week before the Firefox 57 “Quantum” release in November, I published an Article detailing some bits to be aware of when using Firefox and the NVDA screen reader together. In Firefox 58, due on January 23, 2018, the reliable team is regaining strength in playing well together and offering you good and fast web accessibility.

    After the Firefox 57 release, due to many changes under the hood, NVDA and Firefox temporarily lapsed in performance. Statistics quickly showed that about two thirds of the NVDA user base stayed with us despite of this. So to all of you who stuck with us on this difficult release: Thank you! Many of the others moved to the extended support release of Firefox 52. Thank you to those of you as well, you decided to stick with Firefox! Also, statistics show that barely any of those of you who stuck with 57 decided to turn off multi-process Firefox, but instead used the new technology, and some of you even reported problems to us.

  • Retpoline-enabled GCC

    There will be upstream backports at least to GCC 7, but probably pretty far back (I've seen people talk about all the way to 4.3). So you won't have to run my crappy home-grown build for very long—it's a temporary measure. Smile

    Oh, and it made Stockfish 3% faster than with GCC 6.3! Hooray.

  • Payara Services to Embed Secure, Stable Open Source Java Runtime from Azul SystemsPayara Server 2018 Update Includes Azul Zulu Enterprise Builds of OpenJDK
  • Eclipse Che – A Next-Generation Cloud IDE and Workspace Server

    We have a couple of posts on developer workspaces and cloud IDEs but in my opinion, none of them has the combined features of beauty, flexibility, and efficiency while being free. That is why it is with great pleasure that I introduce to you the (arguably) best cloud-based IDE you will ever need, Eclipse Che.

    Eclipse Che is a beautiful and customizable open-source developer workspace and cloud Integrated Development Environment.

Syndicate content

More in Tux Machines

KDE: Linux and Qt in Automotive, KDE Discover, Plasma5 18.01 in Slackware

  • Linux and Qt in Automotive? Let’s meet up!
    For anyone around the Gothenburg area on Feb 1st, you are most welcome to the Automotive MeetUp held at the Pelagicore and Luxoft offices. There will be talks about Qt/QML, our embedded Linux platform PELUX and some ramblings about open source in automotive by yours truly ;-)
  • What about AppImage?
    I see a lot of people asking about state of AppImage support in Discover. It’s non-existent, because AppImage does not require centralized software management interfaces like Discover and GNOME Software (or a command-line package manager). AppImage bundles are totally self-contained, and come straight from the developer with zero middlemen, and can be managed on the filesystem using your file manager This should sound awfully familiar to former Mac users (like myself), because Mac App bundles are totally self-contained, come straight from the developer with zero middlemen, and are managed using the Finder file manager.
  • What’s new for January? Plasma5 18.01, and more
    When I sat down to write a new post I noticed that I had not written a single post since the previous Plasma 5 announcement. Well, I guess the past month was a busy one. Also I bought a new e-reader (the Kobo Aura H2O 2nd edition) to replace my ageing Sony PRS-T1. That made me spend a lot of time just reading books and enjoying a proper back-lit E-ink screen. What I read? The War of the Flowers by Tad Williams, A Shadow all of Light by Fred Chappell, Persepolis Rising and several of the short stories (Drive, The Butcher of Anderson Station, The Churn and Strange Dogs) by James SA Corey and finally Red Sister by Mark Lawrence. All very much worth your time.

GNU/Linux: Live Patching, Gravity of Kubernetes, Welcome to 2018

  • How Live Patching Has Improved Xen Virtualization
    The open-source Xen virtualization hypervisor is widely deployed by enterprises and cloud providers alike, which benefit from the continuous innovation that the project delivers. In a video interview with ServerWatch, Lars Kurth, Chairman of the Xen Project Advisory Board and Director, Open Source Solutions at Citrix, details some of the recent additions to Xen and how they are helping move the project forward.
  • The Gravity of Kubernetes
    Most new internet businesses started in the foreseeable future will leverage Kubernetes (whether they realize it or not). Many old applications are migrating to Kubernetes too. Before Kubernetes, there was no standardization around a specific distributed systems platform. Just like Linux became the standard server-side operating system for a single node, Kubernetes has become the standard way to orchestrate all of the nodes in your application. With Kubernetes, distributed systems tools can have network effects. Every time someone builds a new tool for Kubernetes, it makes all the other tools better. And it further cements Kubernetes as the standard.
  • Welcome to 2018
    The image of the technology industry as a whole suffered in 2017, and that process is likely to continue this year as well. That should lead to an increased level of introspection that will certainly affect the free-software community. Many of us got into free software to, among other things, make the world a better place. It is not at all clear that all of our activities are doing that, or what we should do to change that situation. Expect a lively conversation on how our projects should be run and what they should be trying to achieve. Some of that introspection will certainly carry into projects related to machine learning and similar topics. There will be more interesting AI-related free software in 2018, but it may not all be beneficial. How well will the world be served, for example, by a highly capable, free facial-recognition system and associated global database? Our community will be no more effective than anybody else at limiting progress of potentially freedom-reducing technologies, but we should try harder to ensure that our technologies promote and support freedom to the greatest extent possible. Our 2017 predictions missed the fact that an increasing number of security problems are being found at the hardware level. We'll not make the same mistake in 2018. Much of what we think of as "hardware" has a great deal of software built into it — highly proprietary software that runs at the highest privilege levels and which is not subject to third-party review. Of course that software has bugs and security issues of its own; it couldn't really be any other way. We will see more of those issues in 2018, and many of them are likely to prove difficult to fix.

Linux Kernel Development

  • New Sound Drivers Coming In Linux 4.16 Kernel
    Due to longtime SUSE developer Takashi Iwai going on holiday the next few weeks, he has already sent in the sound driver feature updates targeting the upcoming Linux 4.16 kernel cycle. The sound subsystem in Linux 4.16 sees continued changes to the ASoC code, clean-ups to the existing drivers, and a number of new drivers.
  • Varlink: a protocol for IPC
    One of the motivations behind projects like kdbus and bus1, both of which have fallen short of mainline inclusion, is to have an interprocess communication (IPC) mechanism available early in the boot process. The D-Bus IPC mechanism has a daemon that cannot be started until filesystems are mounted and the like, but what if the early boot process wants to perform IPC? A new project, varlink, was recently announced; it aims to provide IPC from early boot onward, though it does not really address the longtime D-Bus performance complaints that also served as motivation for kdbus and bus1. The announcement came from Harald Hoyer, but he credited Kay Sievers and Lars Karlitski with much of the work. At its core, varlink is simply a JSON-based protocol that can be used to exchange messages over any connection-oriented transport. No kernel "special sauce" (such as kdbus or bus1) is needed to support it as TCP or Unix-domain sockets will provide the necessary functionality. The messages can be used as a kind of remote procedure call (RPC) using an API defined in an interface file.
  • Statistics for the 4.15 kernel
    The 4.15 kernel is likely to require a relatively long development cycle as a result of the post-rc5 merge of the kernel page-table isolation patches. That said, it should be in something close to its final form, modulo some inevitable bug fixes. The development statistics for this kernel release look fairly normal, but they do reveal an unexpectedly busy cycle overall. This development cycle was supposed to be relatively calm after the anticipated rush to get work into the 4.14 long-term-support release. But, while 4.14 ended up with 13,452 non-merge changesets at release, 4.15-rc6 already has 14,226, making it one of the busiest releases in the kernel project's history. Only 4.9 (16,214 changesets) and 4.12 (14,570) brought in more work, and 4.15 may exceed 4.12 by the time it is finished. So far, 1,707 developers have contributed to this kernel; they added 725,000 lines of code while removing 407,000, for a net growth of 318,000 lines of code.
  • A new kernel polling interface
    Polling a set of file descriptors to see which ones can perform I/O without blocking is a useful thing to do — so useful that the kernel provides three different system calls (select(), poll(), and epoll_wait() — plus some variants) to perform it. But sometimes three is not enough; there is now a proposal circulating for a fourth kernel polling interface. As is usually the case, the motivation for this change is performance. On January 4, Christoph Hellwig posted a new polling API based on the asynchronous I/O (AIO) mechanism. This may come as a surprise to some, since AIO is not the most loved of kernel interfaces and it tends not to get a lot of attention. AIO allows for the submission of I/O operations without waiting for their completion; that waiting can be done at some other time if need be. The kernel has had AIO support since the 2.5 days, but it has always been somewhat incomplete. Direct file I/O (the original use case) works well, as does network I/O. Many other types of I/O are not supported for asynchronous use, though; attempts to use the AIO interface with them will yield synchronous behavior. In a sense, polling is a natural addition to AIO; the whole point of polling is usually to avoid waiting for operations to complete.

Security: OpenSSL, IoT, and LWN Coverage of 'Intelpocalypse'

  • Another Face to Face: Email Changes and Crypto Policy
    The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended. One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.
  • Some Basic Rules for Securing Your IoT Stuff

    Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked [sic] IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

  • A look at the handling of Meltdown and Spectre
    The Meltdown/Spectre debacle has, deservedly, reached the mainstream press and, likely, most of the public that has even a remote interest in computers and security. It only took a day or so from the accelerated disclosure date of January 3—it was originally scheduled for January 9—before the bugs were making big headlines. But Spectre has been known for at least six months and Meltdown for nearly as long—at least to some in the industry. Others that were affected were completely blindsided by the announcements and have joined the scramble to mitigate these hardware bugs before they bite users. Whatever else can be said about Meltdown and Spectre, the handling (or, in truth, mishandling) of this whole incident has been a horrific failure. For those just tuning in, Meltdown and Spectre are two types of hardware bugs that affect most modern CPUs. They allow attackers to cause the CPU to do speculative execution of code, while timing memory accesses to deduce what has or has not been cached, to disclose the contents of memory. These disclosures can span various security boundaries such as between user space and the kernel or between guest operating systems running in virtual machines. For more information, see the LWN article on the flaws and the blog post by Raspberry Pi founder Eben Upton that well describes modern CPU architectures and speculative execution to explain why the Raspberry Pi is not affected.
  • Addressing Meltdown and Spectre in the kernel
    When the Meltdown and Spectre vulnerabilities were disclosed on January 3, attention quickly turned to mitigations. There was already a clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but the defenses against the two Spectre variants had not been developed in public and still do not exist in the mainline kernel. Initial versions of proposed defenses have now been disclosed. The resulting picture shows what has been done to fend off Spectre-based attacks in the near future, but the situation remains chaotic, to put it lightly. First, a couple of notes with regard to Meltdown. KPTI has been merged for the 4.15 release, followed by a steady trickle of fixes that is undoubtedly not yet finished. The X86_BUG_CPU_INSECURE processor bit is being renamed to X86_BUG_CPU_MELTDOWN now that the details are public; there will be bug flags for the other two variants added in the near future. 4.9.75 and 4.4.110 have been released with their own KPTI variants. The older kernels do not have mainline KPTI, though; instead, they have a backport of the older KAISER patches that more closely matches what distributors shipped. Those backports have not fully stabilized yet either. KPTI patches for ARM are circulating, but have not yet been merged.
  • Is it time for open processors?
    The disclosure of the Meltdown and Spectre vulnerabilities has brought a new level of attention to the security bugs that can lurk at the hardware level. Massive amounts of work have gone into improving the (still poor) security of our software, but all of that is in vain if the hardware gives away the game. The CPUs that we run in our systems are highly proprietary and have been shown to contain unpleasant surprises (the Intel management engine, for example). It is thus natural to wonder whether it is time to make a move to open-source hardware, much like we have done with our software. Such a move may well be possible, and it would certainly offer some benefits, but it would be no panacea. Given the complexity of modern CPUs and the fierceness of the market in which they are sold, it might be surprising to think that they could be developed in an open manner. But there are serious initiatives working in this area; the idea of an open CPU design is not pure fantasy. A quick look around turns up several efforts; the following list is necessarily incomplete.
  • Notes from the Intelpocalypse
    Rumors of an undisclosed CPU security issue have been circulating since before LWN first covered the kernel page-table isolation patch set in November 2017. Now, finally, the information is out — and the problem is even worse than had been expected. Read on for a summary of these issues and what has to be done to respond to them in the kernel. All three disclosed vulnerabilities take advantage of the CPU's speculative execution mechanism. In a simple view, a CPU is a deterministic machine executing a set of instructions in sequence in a predictable manner. Real-world CPUs are more complex, and that complexity has opened the door to some unpleasant attacks. A CPU is typically working on the execution of multiple instructions at once, for performance reasons. Executing instructions in parallel allows the processor to keep more of its subunits busy at once, which speeds things up. But parallel execution is also driven by the slowness of access to main memory. A cache miss requiring a fetch from RAM can stall the execution of an instruction for hundreds of processor cycles, with a clear impact on performance. To minimize the amount of time it spends waiting for data, the CPU will, to the extent it can, execute instructions after the stalled one, essentially reordering the code in the program. That reordering is often invisible, but it occasionally leads to the sort of fun that caused Documentation/memory-barriers.txt to be written.