Australian AI infrastructure provider IREN is acquiring cloud‑native software specialist Mirantis in an all‑stock deal valued at about $625 million. Now you may be wondering: Why? The answer's simple: IREN, best known for its large‑scale data center footprint, wants to be an AI powerhouse. To make that happen, the company is betting that integrating its data centers and Mirantis's Kubernetes and cloud-native software stack will give it an edge in the surging AI infrastructure market. 

With Mirantis’ software and services, IREN aims to shift from simply offering GPU‑rich facilities to selling a full AI cloud platform that includes orchestration, observability, lifecycle management, and enterprise support. The hope is that a full data center and software infrastructure stack will command higher margins and appeal to enterprises looking for alternatives to hyperscale public clouds for AI workloads.

What Mirantis brings to the plan is its comprehensive open-source, cloud-native software stack. It started as an OpenStack integrator and has evolved into a broader cloud‑native infrastructure company centered on Kubernetes, multi‑cloud operations, developer tools, and, more recently, AI‑focused platforms. Its portfolio now spans Kubernetes management, container platforms, and the k0rdent AI infrastructure stack, all of which have been validated under NVIDIA’s AI Cloud Ready program.

Mirantis also brings over 1,500 enterprise customers to the table. This gives IREN a ready‑made channel into organizations already running cloud‑native workloads. For Mirantis, the acquisition pairs its software and operational expertise with the large‑scale GPU, power, and data center capacity that many of its AI‑minded customers are seeking but cannot easily put together on their own.

For those of you who are new to Mirantis's AI plans, K0rdent AI is the company's enterprise platform for building, deploying, and operating AI applications and inference services on top of Kubernetes. It sits on top of the open-source k0rdent project. This stack is aimed at platform engineers, MLOps teams, and service providers who need to manage AI workloads at scale across clouds and on‑prem.

Oh, and for those who've been wondering about this newly merged company and Mirantis's open-source plans, Mirantis CTO Shaun O'Meara wants you to know that the company's staying loyal to its open-source roots. In a blog post, O'Meara said, "Our contributions to k0rdent, Kubernetes, k0s, OpenStack, and more continue. The maintainers and contributors working on those projects stay in place. k0rdent remains open source. K0s will continue to be curated. Our participation in community governance, our upstream contributions, and our commitment to open standards are not transitional. They are structural to how we build products and how we engage with the ecosystem. That does not change."

As for everything else, Mirantis, Alex Freedland, Mirantis's co-founder and CEO, wants to assure customers, partners, and employees that the company will be staying its course. There will be no radical changes, except now. If you need data center power, Mirantis can provide that as well. In short, the deal is a strategic match between “infrastructure at scale” and the software needed to make that infrastructure useful for AI workloads. 

Since this deal was signed, Nvidia announced a partnership under which IREN will provide up to 5 gigawatts of Nvidia DSX designs to power AI workloads across its global data centers. This bodes well for the pairing of IREN and Mirantis.

Noteworthy Linux and open-source stories:

• 10 trillion downloads are crushing open-source repositories - here's what they're doing about it

• Meta abandons open-source Llama for proprietary Muse Spark

• Warp’s gamble: Going open source to take on closed-source rivals

Every headline satisfies an opinion. Except ours.

Remember when the news was about what happened, not how to feel about it? 1440's Daily Digest is bringing that back. Every morning, they sift through 100+ sources to deliver a concise, unbiased briefing — no pundits, no paywalls, no politics. Just the facts, all in five minutes. For free.

Read the newsletter trusted by 4.5 million fact-seekers.

If you know Airbyte, you know it as an important open-source data integration and Extract, Load, Transform (ELT) platform that you use to move data from many sources, e.g., APIs, databases, SaaS apps, and files into data warehouses, lakes, and databases. Now, the company is using its data superpowers to provide AI agents with a unified, query-ready view of enterprise data before they even start working with the data.

The company uses Airbyte Agents to do this. Instead of having agents orchestrate chains of ad hoc API calls at runtime, Airbyte Agents pre-replicate data into a search-optimized index, a "context layer" that can be accessed in one or two calls.

Why? Airbyte argues that most production issues with AI agents are rooted not in model quality but in unreliable data access. Agents built on traditional runtime API orchestration. These often require chaining together five or six calls across disconnected systems to answer a single question. This drives up latency, burns tokens, and increases the likelihood that your Agents deliver stale or contradictory answers. By shifting the problem to the data layer, Airbyte is betting it can make agents more robust and predictable.

As Michel Tricot, Airbyte co-founder and CEO, said in a statement, "Most agent projects stall for the same reason: The model is fine, the data is a mess. Five disconnected systems, inconsistent entities, no shared state. Airbyte Agents gives every agent a unified view of the business, replicated and ready to query. That is what separates an agent that can do the work from one that just talks about it."

At the heart of the new offering is what Airbyte calls the Context Store. This is a replicated, search-optimized index that unifies data from across business systems in advance. For example, it can retrieve and clean up Salesforce customer records, Zendesk tickets, Jira issues, and Slack conversations into a single queryable store. With context assembled in advance, agents query the Context Store directly rather than “chasing” live APIs, typically shrinking those five or six network calls down to one or two while cutting token consumption.

Early adopters say the approach is already speeding up development. Nate Chambers, chief product officer at ORCA Analytics, said Airbyte’s Agent Engine compressed what the company thought would be a six-month roadmap into the first week of its beta test. According to Chambers, Airbyte is shipping the pieces needed for production-grade agentic workflows and delivering new connections faster than his team can integrate them on their own, making it easier to stop building custom pipelines and focus on product features.

Airbyte Agents are available through two primary interfaces. The first is support for the Model Context Protocol (MCP). With this approach, you can connect sources to Airbyte once, then build and run agents within clients like Claude, ChatGPT, and Cursor, or any MCP-compatible interface. With this approach, the company claims you won't need to do any coding at all. 

The second is an Agent SDK aimed at engineering teams that want to build custom agents and applications directly on top of the Context Store. With this approach, you get more control over your data's retrieval logic, permissions, and state.

In either case, Michel Tricot, Airbyte's co-founder and CEO, explained, “Most agent projects stall for the same reason: The model is fine, the data is a mess. Five disconnected systems, inconsistent entities, no shared state.” He argued that giving every agent a unified, replicated view of business data is what separates agents that can actually execute work from those that merely generate plausible-sounding responses.

Tricot added, "We’ve spent years solving how to move and standardize data across systems. What’s changed is how that data gets used. Instead of powering dashboards, it’s now powering decisions and actions through AI agents. The underlying problem hasn’t changed—only the interface has.”

You may be asking, why not just use Retrieval-Augmented Generation (RAG) and APIs? Don't they let you fetch data when you need it, too? Well, yes, they do. But, Tricot said,  What’s missing is a persistent, structured layer that maintains relationships and state across systems. Without that, agents are constantly reconstructing context at runtime, which is inefficient and error-prone.” He's got a point. 

At launch, Airbyte Agents ships with 50 connectors that can feed the Context Store from commonly used enterprise systems. The company plans to bring its catalog of over 600 connectors to Context Store in the coming months. 

Many of these integrations are evolving beyond read-only access: an increasing number support write actions, enabling agents to update records, create support tickets, or post messages directly into systems of record. All connectors are designed to honor OAuth-based authentication and row-level permissions so that agents see only the data their invoking users are authorized to access.

Airbyte is also previewing a complementary feature called Automations. This is a single pane of glass for composing and running agents directly inside the Airbyte platform. Built on the same Context Store foundation, Automations allows teams to design agentic workflows across connected systems without writing code. Automations is expected to reach general availability in a future release.

To encourage customers to test the new capabilities, Airbyte is offering existing Airbyte users three months of access to Airbyte Agents with defined usage limits. Usage is metered in “Agent Operations.” This measuring stick bundles reads, searches, actions, and reasoning calls against the Context Store. This gives you a clear way to track and manage consumption as they bring agents into production.

The key question is: Will this work? Well, there's one way to find out, and that's to give it a try. What I can say is that the approach certainly sounds promising to me. 

Noteworthy AI stories:

• When AI Goes Really, Really Wrong: How PocketOS Lost All Its Data

• Canonical's approach to AI is refreshingly thoughtful - Microsoft should take note

• Locked, stocked, and losing budget: AI vendor lock-in bites back

Become An AI Expert In Just 5 Minutes

If you’re a decision maker at your company, you need to be on the bleeding edge of, well, everything. But before you go signing up for seminars, conferences, lunch ‘n learns, and all that jazz, just know there’s a far better (and simpler) way: Subscribing to The Deep View.

This daily newsletter condenses everything you need to know about the latest and greatest AI developments into a 5-minute read. Squeeze it into your morning coffee break and before you know it, you’ll be an expert too.

Subscribe right here. It’s totally free, wildly informative, and trusted by 600,000+ readers at Google, Meta, Microsoft, and beyond.

Copy Fail isn't the worst Linux bug that was ever discovered, but it's more than bad enough. This local privilege escalation (LPE) flaw enables an unprivileged local user to easily obtain root. That's never good news. Worse still, this isn't a theoretical bug. Both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) both report spotting attacks in the wild. Oh joy!

Theori and Xint Code AI-assisted security researchers discovered CVE‑2026‑31431, a logic flaw in the Linux kernel’s crypto subsystem. This hole enabled a tiny 732‑byte Python script to become a reliable root exploit across major distributions, including Ubuntu, Amazon Linux, RHEL, SUSE, and others.

The bug sits in the authencesn cryptographic template and the AF_ALG userspace crypto socket path. The problem was that a design change made in 2017 allowed page‑cache pages from read‑only files to be treated as writable buffers.

By abusing this path, an unprivileged user can make the kernel perform a controlled 4‑byte overwrite in the page cache of any file they can read, such as a setuid‑root binary, such as /usr/bin/su.

Adding insult to injury, because the corruption only touches the in‑memory page cache and never marks the underlying file as dirty, on‑disk checksums and standard integrity tools see a clean file even while the live system is executing attacker‑supplied code.

The proof‑of‑concept exploit published by the researchers uses only standard Python 3.10 libraries and works unchanged on the four distributions they tested, turning a regular user shell into root in a single run. A demo showed the same script producing root shells on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 in one continuous session.

Kernel privilege‑escalation bugs are not new. But the researchers argue that Copy Fail combines properties that make it unusually severe. Unlike race‑condition‑driven exploits such as 2016's Dirty COW or 2022's Dirty Pipe, Copy Fail is a straightforward logic bug with no timing window, no crash‑prone retry loop, and no per‑distro offsets.

Critically, the vulnerability requires only local code execution as a non‑privileged user. It doesn't need special kernel debugging options or pre‑existing exploitation primitives to successfully attack a system.

Worse still, the exploit primitive can work across containers. Since the page cache is shared across all of a host's processes, a compromised container can corrupt a host‑level setuid binary, allowing it to break out of Kubernetes or other multi‑tenant container platforms.

This is bad news with a capital B. 

The underlying error dates back over a decade. It's the result of three different Linux kernel changes, all of which were harmless by themselves. Together, they equaled trouble. 

First, support for the authencesn Authenticated Encryption With Associated Data (AEAD) algorithm used by IPsec ESP with extended sequence numbers landed in 2011. This enabled the caller’s destination buffer to be used as scratch space to reshuffle sequence number bytes for Hash-based Message Authentication Code (HMAC) processing.

Next, in 2015, the kernel added AEAD support to AF_ALG, the socket interface that exposes crypto operations to userspace. This change also refactored authencesn to a newer AEAD interface that writes four bytes past the nominal output buffer into what it assumes is expendable scratch. So far, so harmless.

The final deadly step came in 2017, when an optimization in algif_aead switched decryption to operate “in‑place,” chaining tag data from page‑cache‑backed file pages directly into the writable scatterlist and then setting the same list as both the source and destination for the crypto operation. Once that change shipped, authencesn’s four‑byte scratch write crossed the boundary into page‑cache pages of arbitrary readable files, turning the design quirk into a universal local privilege‑escalation bug.

Whoops!

The upstream fix removes the 2017 in‑place optimization and restores out‑of‑place operation for algif_aead, ensuring that page‑cache pages from splice() calls reside only in the source scatterlist, not the writable destination. This cleanly severs the path that allowed authencesn to scribble into cached file contents while leaving user‑visible crypto behavior intact.

Since then, distributions have raced to ship patched kernels that incorporate the upstream change. 

As of May 4th, here's the status of the major Linux distros.

• Arch Linux and Gentoo: Both are rolling‑release and pulled the upstream fix into their default kernels shortly after the 7.0 / 6.19‑series patch landed.

• Amazon Linux 2 / 2023: Amazon has released updated kernel packages that include the Copy‑Fail fix for affected versions.

• Debian: Updated kernel packages (e.g., Linux 6.12.85‑1 and later) for supported suites such as Bookworm and Trixie carry the patch once you pull from the *-security repo.

• Fedora: Recent Fedora 42+ kernels pulled in the upstream revert commit, so systems on recent updates are already protected.

• RHEL / AlmaLinux / Rocky:

  • AlmaLinux has released patched kernels for all supported streams (8, 9, and 10) via its main production repos. You can pull the new kernel-4.18.0-553.121.1.el8_10‑style packages and above.

  • CloudLinux provides KernelCare live patches (e.g., K20260501_10 for Alma/Rocky 9) that apply the Copy‑Fail fix without rebooting.

  • Red Hat and Rocky have been slower. Red Hat released its fix late on May 4th, and it's expected that Rocky will quickly floor. 

• SUSE / openSUSE: SUSE‑branded kernels for recent SLES and openSUSE releases have been updated with the Copy‑Fail patch, which is exposed via the normal zypper/zypper patch channels.

• Ubuntu: Canonical has published updated kernel packages for all affected releases (including 18.04, 20.04, 22.04, 24.04, and 26.04) that include the Copy‑Fail fix.

Once you have the patch installed, reboot your system, and all should be well. Don't wait. Since the exploit is both trivial, tiny, and public, you can assume that weaponized scripts will quickly appear in real‑world attack chains.

Can't patch it yet? I recommend disabling the algif_aead module as a temporary mitigation.  That can be done by adding a modprobe rule that replaces the module with a no‑op and then unloading it from the running kernel:

bash

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf

sudo rmmod algif_aead 2>/dev/null

For most environments, this mitigation shouldn't hurt a bit. However, if you know you use AF_ALG, for example, with OpenSSL’s afalg engine, you should weigh the trade‑off between risk and performance. Since I think we can safely assume attacks are already underway, you should lock down my system right now. 

Noteworthy Linux and open-source stories:

• Meta abandons open-source Llama for proprietary Muse Spark

• Warp’s gamble: Going open source to take on closed-source rivals

• Microsoft finally open sources DOS 1.0 - and it's so much more than the code

Become An AI Expert In Just 5 Minutes

If you’re a decision maker at your company, you need to be on the bleeding edge of, well, everything. But before you go signing up for seminars, conferences, lunch ‘n learns, and all that jazz, just know there’s a far better (and simpler) way: Subscribing to The Deep View.

This daily newsletter condenses everything you need to know about the latest and greatest AI developments into a 5-minute read. Squeeze it into your morning coffee break and before you know it, you’ll be an expert too.

Subscribe right here. It’s totally free, wildly informative, and trusted by 600,000+ readers at Google, Meta, Microsoft, and beyond.

Legally, Linux and open-source software owe an enormous debt of gratitude to the Open Invention Network (OIN). The organization, the largest patent non-aggression community in the world, has protected open-source patents from patent trolls for over twenty years. Now, with OIN 2.0, members formally commit to share their Linux System patents and applications royalty‑free with all other OIN 2.0 participants worldwide.

The scope of that commitment is defined by OIN’s Linux System Definition, which covers both the Linux kernel and an ever-growing set of adjacent programs that are now critical to modern infrastructure. The Linux System definition page explicitly anchors the 2.0 framework, distinguishing 2.0 Participants from those still on predecessor releases of the license.

Over the last 18 months, OIN has systematically broadened the Linux System to cover more of the stack that enterprises actually deploy, from cloud and observability to automotive and IoT. Recent updates pulled in cloud‑native components such as Istio, Falco, Argo, Grafana, and Spire, alongside existing coverage for Kubernetes and OpenStack, and added Apache Atlas and Apache Solr on the enterprise data side.

Networking, embedded, and automotive coverage have been beefed up with packages like OpenThread, agl‑compositor. and kukusa.val, reflecting the surge of Linux‑based systems in cars and connected devices. OIN describes these Linux System expansions as incremental, conservative additions designed to keep pace with open source innovation without destabilizing the cross‑license baseline that members rely on.

OIN turned 20 in 2025, and it used the anniversary to underline the scale behind the 2.0 shift: community membership has grown to more than 4,000 participants from 157 countries and virtually every industry. Collectively, OIN community members now control more than 3 million patents and patent applications that are cross‑licensed royalty‑free within the Linux System scope.

As Keith Bergelt, OIN's CEO, explained, "For over 20 years, our mission has not wavered. We’ve protected open source, reduced patent litigation risks; provided an exclusive cross-license through our evolving Linux System definition; supported key open-source projects; contributed leadership and insights to the open-source ecosystem; empowered the continued growth of Open Source; and offered a suite of defense strategies for our global community of 4,000+ and growing members."

The OIN also established and funded, with Unified Patents, the Open Source Zone. This organization has helped invalidate or review dozens of harmful patents since 2019. 

Today, needing more funding, OIN 2.0 has introduced its first fee structure. This was forced on the OIN because patent troll litigation cases increased by 20% in 2024, and each case costs between $2 and $4 million to fight. 

In a statement, Michael Lee, Google's Director and Head of Patents, explained, 

“The unparalleled success of open source has created a shared responsibility to ensure its future. OIN 2.0 represents a necessary evolution in how we collectively steward this resource. By transitioning to a shared, community-driven funding model, we ensure that OIN remains sustainable, robust, and capable of protecting the open-source commons.”

These new fees still cost companies with less than $10-million annual revenue and individuals not a penny. Even the largest companies, those with more than $500-million in revenue, only pay $24-thousand a year. This provides potent patent protection at a dirt-cheap price. There is no automatic enrollment in OIN 2.0. Existing OIN members must sign up for OIN 2.0.

So far, 129 companies and groups have joined OIN 2.0. These range from tech giants such as IBM/Red Hat, Google, and Microsoft to small community open-source groups such as GNU Parallel, The FreeBSD Foundation, and The Document Foundation (LibreOffice).

For developers, vendors, and users, OIN 2.0 effectively raises the bar for would-be patent aggressors by binding more participants, in more jurisdictions, into a single non‑aggression pact around a broader slice of the open source stack. OIN is also pushing to lower the friction of joining: its membership form and 2.0 license can now be executed entirely online through its regional portals, reflecting a shift from back‑room IP deals to a more transparent, web-first enrollment process.

From here, the success of OIN 2.0 will be measured less by splashy announcements than by what doesn’t happen: Patent lawsuits that never get filed, trolls that look elsewhere, and open-source projects that can ship without an in‑house patent war chest. For an ecosystem that now depends on Linux from phone to car to cloud cluster, that kind of peace may be the most important news of all.

Noteworthy Linux and open-source stories:

• Drowning in AI slop, cURL ends bug bounties

• This OS quietly powers all AI - and most future IT jobs, too

• Just because Linus Torvalds vibe codes doesn't mean it's a good idea

beehiiv — The newsletter platform built for growth

Access the best tools available in email, helping your newsletter scale and monetize like never before.

AI, in theory, can be a big help in getting work done. The reality, as we now know, is messier. One of the problems keeping AI from being more useful, though, is the inability of AI to safely use your private data is being addressed by Airbyte, the open-source data company, with its newest program: Enterprise Flex.

Enterprise Flex delivers data sovereignty and cloud flexibility for enterprises deploying AI and analytics at a global scale. It enables organizations to manage and activate their data with complete control via a unified cloud-based control plane while ensuring that critical data never leaves your company’s environment. With it, even if you have data silos located in multiple regions and infrastructure types—on-premises, private cloud, or multi-cloud — you can manage all their data safely. 

How? By decoupling the control plane (management interface) from the data plane (where data physically moves), you can manage integrations in the cloud while your actual data stays within their secure infrastructure.

With this approach, your sensitive data remains within a company’s regional infrastructure. This way, you can continue to meet each location's strict regulatory and privacy requirements.

How Airbyte Enterprise Flex works.

The program serves as a bridge between AI applications and data. This bridge is built from "source connectors," which connect to the APIs, files, databases, or data warehouses from which you want to pull data. "Destination connectors" are the data warehouses, data lakes, databases, or analytics tools to which you want to push data. Airbyte and its partners supply over 600 of these connectors with a no-code AI-powered connector builder, so you can easily deploy them wherever you need them.

The platform’s new Data Activation feature, AKA often referred to as reverse Extract, Transform, Load (ETL), enables users to move their data back and forth into business-critical applications for AI and analytics use cases. This lets you push insights directly from data warehouses into business apps, such as Salesforce, HubSpot, an in-house AI engine, or what have you. As the company boasts, this gives "Your AI agents context in minutes."

Earlier versions enabled you to replicate your data from a list of source connectors (APIs, DBs, files, or your own custom connector) to destination connectors (data warehouses, lakes, or databases). It integrates with dbt for the transformation part at the destination level, and with data orchestrators such as Prefect, Dagster, and Airflow. This latest version, with the rise of AI, was the next logical step.

Companies can deploy Enterprise Flex globally and train AI models within their own environment. With data activation and increased speed, AI innovation continues to progress rapidly, accompanied by enhanced data protection. This is in addition to the logistical and support advantages Airbyte Flex offers by decoupling the control plane, which determines how data is managed, routed, and processed, from the data plane, which is responsible for actually moving the data.

To keep the data safe, all data pipelines use enterprise-grade encryption for data in transit, including TLS/SSL and HTTPS channels, to prevent unauthorized access during transfers. Airbyte also supports granular, role-based access control (RBAC) and single sign-on (SSO), letting administrators restrict who can interact with connections and datasets. Finally, it includes comprehensive audit logging and workspace isolation, helping teams maintain visibility and separation across projects and roles, strengthening security postures.

Airbyte Flex uses the quasi-open-source Elastic License 2.0 (ELv2). The core difference between this and a true open-source license is that you can't offer the program's resources as a managed service. You can, of course, use it within your own company. 

If you can live with that license, Airbyte’s open-core architecture offers all its important features, including deployment flexibility, data connectors, and protocol support, as part of a single, unified, community-driven codebase. Enterprises can access, self-host, and extend the software without vendor lock-in.

Airbyte, as I'm sure you figured out by now, will be happy to run Flex Enterprise for you. The service is available now. 

Michel Tricot, CEO and co-founder of Airbyte, explained, “Flex simplifies data infrastructure, taking deployments from months to days while delivering true data sovereignty to solve the fragmentation problem that prevents organizations from realizing the full value of their data. With hybrid deployments, organizations can integrate and activate data wherever it lives, cloud or on-prem,  without the burden of heavy infrastructure management. Flex makes that data AI-ready by default, enabling companies to power AI securely and seamlessly.”

Noteworthy Linux and open-source stories:

• Just got Linux Mint 22.2? Two more versions are coming soon - and they're big

• How to easily switch your PC from Windows to Linux Mint - for free

• The Open Source Initiative's executive director departs - what it means for the OSAID debate

Linux has over 6% of the desktop market? Yes, you read that right

At long last, after years of waiting for the "Year of the Linux desktop," we're getting somewhere. 

According to the US Federal Government Website and App Analytics, which I trust more than StatCounter, 6% of its visitors over the last month were using Linux operating systems.

This website keeps track of US government website visits and analyzes them. On average, there have been 1.6 billion sessions in the last 30 days, with millions of users participating daily.

If you add in Android (16.2%) and Chromebooks (0.8%), you're talking about 23% of visitors using Linux, which puts it above MacOS (11.7%), Windows 10 (15.7%), and Windows 11 (15.3%), which is downright impressive. Take that, Windows!

More>

WordPress Turmoil and the FAIR Package Manager

I’d been a happy WordPress user since I switched from the Vignette content management system (CMS) for WordPress in 2003. Many others quickly joined me. Today, 43.5% of all websites use WordPress. But, then in 2024, WordPress co-founder Matt Mullenweg, who founded and is the CEO of Automattic, WordPress’s parent company, declared that WordPress hosting power WP Engine was a “cancer to WordPress” and things got really ugly really fast.

…

In the meantime, Automattic stopped contributing to the WordPress Core code and associated projects such as Gutenberg, the default WordPress editor. In late May, Automattic started contributing code again. Mullenweg has also restored some, but not all, of his critics’ WordPress accounts. However, the conflict, both inside and outside WordPress, has continued to leave developers and users worried about the program’s fate.

Thus, the Linux Foundation decided to get involved by launching the FAIR Package Manager. FAIR, which stands for Federated And Independent Repositories. It is led by WordPress developers, including some of its internal critics. It’s meant to address the problem that, practically speaking, WordPress is under Mullenweg’s control since he’s both CEO of the WordPress company and the “steward” of the WordPress non-profit organization.

More>

Fed up with AI scraping your content? This open-source bot blocker can help - here's how

Anyone who runs a website knows how annoying AI bots are these days. 

F5, the application delivery network company, found that more than half of all web visits come not from people but from data scrapers, including OpenAI, Anthropic, Google, and Perplexity AI bots. 

People are sick and tired of wasting money on their sites only to have AI companies rip off everything of value. So, Xe Iaso, a technical educator and part-time bot fighter, wrote an open-source program, Anubis, to stop AI bots in their tracks.

More>

Other noteworthy Linux and open-source stories:

• Bash 5.3 Has Some Big Improvements

• Open Source Is Too Important To Dilute

• Red Hat just expanded free access to RHEL for business developers

Tux handing out the code.

When I was a young--well, younger anyway--squirt, I ftped my Linux kernel code from Ted T’so, one of the first Linux kernel developers, personal PC, tsx-11.mit.edu. I was glad to do it! Before T'so set up his repository, you had to download the files from Linus Toravalds' machine in Helsinki, Finland, which was s l o w.  Mind you, at the time, I recall I downloaded it at a "blazing" fast 64 Kilobits per second (Kbps) over an ISDN line. Hey, it was great in its day. 

Things have gotten orders of magnitude faster since those days! Now, Akamai, the well-known content delivery network (CDN) and cloud company, has announced a multi-year partnership with the Linux Kernel Organization. This collaboration aims to provide critical infrastructure support for the development and distribution of the Linux kernel, ensuring uninterrupted access for its global network of developers.

Akamai will leverage its infrastructure to support kernel.org, the primary platform for Linux kernel source code distribution. This partnership is crucial for maintaining Linux security and performance.

The first version of Linux weighed in at 10,239 lines of code. Today, it weighs in at about  28 million lines of code. Akamai's infrastructure will enable these developers to access kernel sources quickly and reliably, regardless of their location. This support is provided at no cost, reflecting Akamai's commitment to giving back to the open-source community.

"Akamai depends on Linux, just like the rest of the world," noted Alex Chircop, Chief Architect of Akamai Cloud. "By supporting kernel.org, we are contributing to the preservation of the world's most widely deployed open-source software."

Chris Aniszczyk, Chief Technology Officer of the Cloud Native Computing Foundation (CNCF), highlighted Akamai's deep roots in the open-source community, citing their contributions to projects like OpenTelemetry and Prometheus. Akamai's recent pledge of $1 million to CNCF projects further underscores its commitment to open-source stewardship.

In addition to supporting the Linux kernel, Akamai also provides infrastructure support for Alpine Linux, a popular, lightweight Linux distribution. Alpine is Akamai's preferred DevOps Linux architecture. This is all of a piece with Akamai's recent embrace of Linux-based cloud offerings, such as its 2022 acquisition of Linux cloud pioneer Linode and its 2023 acquisition of the Linux and Kubernetes-based, cloud-native storage software company Ondat. 

Noteworthy Linux and open-source stories:

• Want to learn Linux from legends? This mentorship pairs you with top developers

• Linux kernel 6.14 is a big leap forward in performance and Windows compatibility

• Linux Foundation's trust scorecards aim to battle rising open-source security threats

The gold standard of business news

Morning Brew is transforming the way working professionals consume business news.

They skip the jargon and lengthy stories, and instead serve up the news impacting your life and career with a hint of wit and humor. This way, you’ll actually enjoy reading the news—and the information sticks.

Best part? Morning Brew’s newsletter is completely free. Sign up in just 10 seconds and if you realize that you prefer long, dense, and boring business news—you can always go back to it.

Join 4.3 Million Readers Now

Open Source Initiative Election

The Open Source Initiative (OSI) has confirmed the results of its recent board elections. The winners and new affiliate directors are Carlo Piana, an Italian corporate attorney who helped write the controversial Open Source AI Definition (OSAID), and Ruth Suehle, SAS Open Source Director and President of the Apache Software Foundation. At the same time, McCoy Smith, an American intellectual property (IP) lawyer, will join as an individual director. The election was conducted using the Scottish Single Transferable Vote (STV) system.

In the Affiliate director polls, Piana and Suehle emerged as winners from a field of four valid candidates. The election saw 48 ballots, 47 being valid and one empty. Suehle was recommended by OSI Affiliates, while Piana secured his position through the Affiliate vote.

Smith, recommended by Individual supporters, won the Individual director seat from a pool of five candidates. The Individual polls received 159 ballots, with 148 being valid and 11 empty. Stefano Maffulli, the OSI's Executive Director, lauded the new board members, writing on LinkedIn that "a strong community [had]  selected them, [so]  you know you're on the path to continue improving."

For the record, the OSI board consists of four directors elected by OSI individual members for two-year terms; four directors elected by OSI affiliate members for three-year terms; and four directors appointed for two-year terms by the board itself. Once elected, the board oversees the organization, approves its budget, and supports the executive director and staff in fulfilling its mission.

However, the OSI also stated in the election results, "Three candidates have been excluded from the final tally: Two were ineligible as they did not sign the current board agreement; one returned the signed agreement after the deadline passed."

The OSI Board Agreement simply states the board's responsibilities and duties. It also requires them to keep disagreements inside the board once a decision has been made, and they'll obey the OSI Code of Conduct. The specific language, which will become a bone of contention, is "Disagree during Board deliberation but support publicly all Board decisions, especially those that do not have unanimous consent."

Matfulli explained the OSI had insisted that candidates sign on to the OSI Board Agreement because "While the polls were open, we’ve heard that there may be candidates with no intention to sign the board agreement, which has become a mandatory requirement."

Both Richard Fontana, Red Hat’s principal commercial counsel and a former OSI board member, and  Bradley M. Kuhn, Policy Fellow & Hacker-in-Residence at Software Freedom Conservancy, disagreed with the "support publicly" clause. In Fontana's Shared Platform for OSI Reform, he stated, "While obviously well-intentioned, the quoted provision goes too far. Under it, Directors agree to a code of silence — a self-imposed gag order covering all issues (great and small) for which the Board did not have unanimous consent. We insist that this provision be reformulated with less sweeping and more conventional language."

The result was, as Tracy Hinds, the OSI chair, told me at the Linux Foundation Members Summit in Napa, CA, "We had to remove three ineligible candidates from our list before we ran the tally." Thierry Carrez, the OSI vice-chair and General Manager of the Open Infrastructure Foundation, added, "It's the first time that we had candidates running that would not sign the board agreement."

Specifically, Hinds added, "Bradley Kuhn and Richard Fontana refused to sign the board agreement Code of Conduct, and therefore decided to make themselves ineligible.

This board agreement has existed for five years in its current form, but it is the first

time that candidates decided to run while publicly communicating they would not sign it. A third candidate, Bentley Hensel, signed it but well past the communicated deadline, and were therefore also removed from the final results tally."

Kuhn, however, claimed in a blog post that he and Fontana had signed the OSI Board agreement. In both signed documents, however, both had struck out the controversial clause. Hence, Hinds and the OSI had ruled that they hadn't officially signed off and were thus ineligible. 

Kuhn later insisted that this was sufficient and that the "@osi proceeded to tamper with the ballots anyway." Matfulli replied, "The agreement you and @richardfontana signed was not the one the board sent you and, most importantly, is not the one everyone else (candidates and sitting directors) signed. This is my last message on the topic."

Looking ahead, the newly elected directors will be formally welcomed at the OSI's April board meeting. Additionally, the Board Development Committee has been tasked with conducting a retrospective by April 19, 2025, to provide recommendations for future election improvements. 

Needless to say, this isn't the last word. Kuhn is asking concerned people to reach out to him to "discuss what's happened with other concerned parties and make a plan on how we should organize to respond."

Other noteworthy Linux and open-source stories:

• OSI election ends with unsatisfying results

• Open Source Initiative: AI Debate Roils Board Elections

• Open Infrastructure Foundation Joins Forces With Linux Foundation

I am getting sick and tired of Python Package Index (PyPI) being used as a malware pipeline. In the latest supply-chain violation, the popular AI/computer vision library Ultralytics, known for its YOLO (You Only Look Once) object detection model, fell victim to a sophisticated supply-chain attack.

Ultralytics, for those of you who don't know the library, is used in all kinds of applications. These range from the obvious—finding objects in a video stream, satellite surveillance, and autonomous driving—to the obscure—crop and livestock monitoring and wildlife surveying. So, it's no surprise that when there's a new release, the library has had over 260,000 downloads from PyPI in a single 24-hour period.

Thus, it was bad news with a capital B when the software supply chain security company ReversingLabs found malicious attackers had compromised its build environment. The result? The new version 8.3.41 contained malicious code that, once installed, would deploy a cryptocurrency miner.

The good news was that the project maintainers caught it and immediately released a patched version, 8.3.42. The bad news was that they hadn't caught the real problem. So, the "fixed" edition came with the same trojan hidden inside. At least this time, they quickly realized they hadn't really fixed the problem. So, on the same day, the maintainers released a clean version, 8.3.43. 

This happened because the attackers had exploited a known vulnerability in GitHub Actions that enabled the attacker to inject malicious code during the automated build process. This clever maneuver bypassed the usual code review safeguards, as the malicious code was only present in the package pushed to PyPI, not in the GitHub repository itself.

The impact was immediate and widespread. Users who installed the compromised versions experienced sudden spikes in CPU usage, a telltale sign of cryptocurrency mining activity. The Ultralytics team, led by founder and CEO Glenn Jocher, quickly sprang into action upon receiving reports of the suspicious behavior.

This incident sent shockwaves through Ultralytics's community. It also highlighted the potential for software supply chains to be abused and served as a stark reminder of the potential for seemingly trustworthy packages to be weaponized, potentially affecting millions of users and systems worldwide.

The Ultralytics compromise underscored the need for enhanced security measures in package distribution and the importance of vigilance in the open-source ecosystem. It's yet another cautionary tale that we can't just trust our dependencies, no matter how reliable they've been in the past. Instead, we must verify every last lousy update before pushing any outside code into production. 

I wish it weren't that way, but it is what it is. 

Other noteworthy Linux and open-source stories:

• The next LTS Linux kernel is no surprise but it is packed with goodies

• Jim Zemlin, 'head janitor of open source,' marks 20 years at Linux Foundation

• Nearly half of Gen AI adopters want it open source - here's why

Securing top talent with our guide is a click away

• Finding and attracting global talent

• Processing international payroll on time

• Staying compliant with employment & tax laws abroad

Get the Guide

Spacelift is not a SpaceX rival nor a science-fiction fansite. No, it's an innovative infrastructure orchestration platform that has been making waves in the cloud computing industry since its inception four years ago. The company's mission is to streamline the management of Infrastructure as Code (IaC), bridging the gap between provisioning and long-term configuration management.

As Dimitri Vlachos, Spacelift's CMO, told me at KubeCon North America in Salt Lake City, while IaC tools such as Terraform and OpenTofu have dominated the provisioning aspect of cloud-native environments, Spacelift recognized a crucial missing piece: The integration of provisioning with long-term configuration management.

At its core, Spacelift allows organizations to seamlessly integrate DevOps and IaC programs, including Terraform, OpenTofu, Terragrunt, Kubernetes, Ansible, Pulumi, and Amazon Web Services (AWS) CloudFormation. This multi-tool support sets Spacelift apart from many competitors, providing a unified platform for managing diverse infrastructure needs.

"What we're seeing is an evolution," Vlachos explained. "People start by playing with IaC, then they mature it, and finally, they try to scale it out." This progression has led to a growing demand for solutions that can handle the entire infrastructure lifecycle, from initial deployment to ongoing management and governance.

Spacelift's special sauce in its comprehensiveness. The platform allows users to seamlessly transition from provisioning infrastructure to configuring it, all within a single workflow. This integration extends to popular DevOps tools such as Ansible. 

This addresses a long-standing pain point in the industry: The disconnect between cloud provisioning and on-premises configuration management.

But Spacelift's vision goes beyond mere integration. The company is tackling one of the most significant challenges in infrastructure management: Visibility and control at scale. 

For example, with Ansible, Spacelift's Application Programming Interface (API)-level integration with Ansible playbooks addresses the challenges of visibility and execution speed in the following ways:

• Visibility: Spacelift provides enhanced visibility into the execution of Ansible playbooks, especially at scale. The platform gives users better diagnostics and insights into the status of their Ansible deployments, allowing them to understand where failures are occurring and troubleshoot more effectively.

• Execution Speed: Spacelift aims to improve the speed of running Ansible playbooks at a large scale. By managing the execution of the playbooks through its platform, Spacelift can optimize the process and address the performance challenges that organizations often face when running Ansible across many resources.

The key is that Spacelift's integration goes beyond running the playbooks. It provides a centralized management and observability layer that gives users more control and visibility over their Ansible-based infrastructure automation. This helps address the common pain points around large-scale Ansible deployments.

This focus on observability and governance sets Spacelift apart in a crowded market. The platform provides robust policy controls, allowing organizations to define who can deploy what and under what conditions. This balance between speed and control is at the heart of Spacelift's philosophy, addressing the core tension in many DevOps practices.

In addition, Vlachos said Spacelift is not just "provisioning the whole life cycle of your infrastructure." We allow them to do this in one workflow, go from provisioning your infrastructure to configuring it, and then have a very robust governance layer that allows you to write policies so you can control what gets deployed and who has to approve it."

Using Open Policy Agent (OPA), Spacelift allows organizations to implement fine-grained control over their infrastructure deployments. These policies can govern everything from resource creation and parameters to approval processes and notifications.

Looking to the future, Spacelift is positioning itself at the forefront of hybrid cloud management. While many of their current customers are cloud-native, Vlachos sees a growing opportunity in bridging the gap between on-premises and cloud infrastructure. "We really think hybrid is the future," he stated, highlighting Spacelift's position to offer a unified management solution for both environments.

As the infrastructure management landscape continues to evolve, Spacelift stands out as a visionary player. By combining provisioning, configuration, and governance in a single platform and extending its reach across cloud and on-premises environments, Spacelift is not just solving today's problems; it's anticipating the challenges of tomorrow's hybrid, multi-cloud world.

So, if you don't want a high-maintenance cloud experience, give Spacelift a try. You'll be glad you did. 

Other noteworthy Linux and open-source stories:

• Even the Linux Foundation has Cyber Monday deals - get 60% off tech training courses

• eBPF Foundation Releases Security Threat Model and Audit Reports

• Beyond Upstream First: The Linux Kernel Contribution Maturity Model

There’s a reason 400,000 professionals read this daily.

Join The AI Report, trusted by 400,000+ professionals at Google, Microsoft, and OpenAI. Get daily insights, tools, and strategies to master practical AI skills that drive results.

Sign up now for free and work smarter, not harder.

OpenInfra has let the OpenStack Dalmatian dogs out.

OpenStack Dalmatian, the 30th release of the popular open-source Infrastructure-as-a-Service (IaaS) cloud, has bounded onto the scene, bringing with it a host of enhancements tailored for AI workloads, improved security, and a refined user experience.

For years, OpenStack has been the cloud of choice for telecoms deploying 5G. In recent years, however, it's expanded well beyond that marketplace. Today, more than 45 million cores are in production. OpenStack has been embraced by thousands of users of all sizes and across industries, including mega-users such as Walmart, Hyundai, GEICO, and Yahoo. It is becoming a popular replacement for VMWare. 

With the Dalmatian release, OpenStack has also been expanding into Artificial Intelligence (AI) and High-Performance Computing (HPC) markets. 

Specifically, Blazar,  OpenStack's resource reservation service, now supports reserving GPU instances on  Nova, OpenStack's compute flavors. In addition, in Nova, with the libvirt driver, the open-source application programming interface (API) virtualization daemon and management tool and libvirt version 7.3.0 or newer, mediated devices for vGPUs are now persisted across reboots of a compute host. This offers more convenience and efficiency improvements for machine learning (ML) systems.

In addition, OpenStack's security has been improved.  For example, the Ironic bare-metal provisioning service now requires hashed rescue passwords and mandates HTTPS for inter-service communication. Nova can also now detect virtual Trusted Platform Module (vTPM) support for compute services running libvirt version 8.0.0 or higher.

The Skyline dashboard is also now fully production-ready. It's also added support for Masakari (high-availability instance recovery), Designate, DNS-as-a-Service, and Firewall-as-a-Service (FWaaS). The Skyline dashboard also provides a more intuitive and user-friendly interface, making OpenStack more accessible to organizations transitioning from VMware.

Indeed, in August 2024, Rackspace announced its newest service, Rackspace OpenStack Enterprise, which will include Skyline as its dashboard instead of the older Horizon. Kevin Carter, Rackspace's product director, said,  "At Rackspace, we are all about simplifying the management of cloud systems. OpenStack Skyline, with its intuitive and user-friendly interface, simplifies the complex task of managing cloud services. It creates beautiful administrative experiences allowing users to manage services at scale, with ease and efficiency." That sounds good to me!

OpenStack is also adding yet more compatibility with other open-source cloud-native systems. Thierry Carrez, the OpenInfra Foundation's general manager, said. "Also reflected in the Dalmatian release is the community's determination to integrate with a wide variety of open-source tools and platforms as well as cutting-edge hardware. We want to thank all of the organizations and individuals who actively use and contribute to OpenStack, especially the 487 contributors who submitted 7,640 changes over the past six months to keep OpenStack powering advancement and innovation all over the world."

At the same time, though, OpenStack remains solid and mature. The Dalmatian changes are improvements that are building on what has gone before. As Mark Collier, OpenStack's COO, told me at OpenInfra Summit Asia in Suwon, South Korea, "OpenStack has been proven to work. It's been bulletproof for so many years." In addition, "Thanks to the best practices being documented and the software's maturity, we have one company where each OpenStack administrator covers two data centers. The number of people it takes to operate this stuff has just gone way down. That, in turn, means when the CFO says, 'Can we do it in-house?' The answer is yes." 

If your question is, "Can OpenStack Dalmation help me with my private cloud? Can it replace VMWare? Can I use it to deploy AI and ML in my company?" The answer is, again, yes.  

Beat Black Friday with BILL

Take a demo of BILL Spend & Expense by the end of the month to see why so many businesses choose BILL to streamline their finances.

Then choose your exclusive gift—a Nintendo Switch, Apple AirPods Pro, Samsung 50" TV, or Xbox Series S—and show Black Friday who's boss¹ .

Request a demo

¹ Terms and Conditions apply. See offer page for more details.
BILL Divvy Card is issued by Cross River Bank, Member FDIC, and is not a deposit product.

WinAmp Classic

Llama Group, owners of Winamp, the media player that defined the digital music experience for a generation, has "sort of" opened its code. While they claim to be open-sourced, the code is not open at all.

Even a quick look at the Winamp Collaborative License (WCL) Version 1.0 reveals the following non-open-source rules.

  * No Distribution of Modified Versions: You may not distribute modified versions of the software, whether in source or binary form.

    * No Forking: You may not create, maintain, or distribute a forked version of the software.

    * Official Distribution: Only the maintainers of the official repository are allowed to distribute the software and its modifications.

Llama knows exactly what it's doing. They're open-washing the program to get attention. It worked. As I write this, the GitHub site for this "open" project is the top YComb story. But, the released WinAmp source code is in no way, shape, or form open source. 

Indeed Winamp CEO Alexandre Saboundjian said, "Winamp will remain the owner of the software and will decide on the innovations made in the official version." 

Open washing, by the way, is when a company pretends its product is open source, but it's not. Companies do this because "open source" sounds good to developers and buyers alike these days. In addition, in the European Union, programs that can pass for open source can take advantage of the recently passed Cyber Resilience Act (CRA), which protects open-source development from onerous regulations.

This new code is meant for only Windows. The Mac, Android, and iOS editions will continue to be entirely proprietary. That said, with the code in hand, you could, in theory, fork it for your personal use and port it to another platform while still staying within Winamp's new license rules. 

Winamp users who still love their old music player with its user-friendly interface, customizable skins, and robust functionality will probably like it. At its peak, Winamp boasted a staggering 90 million users, so there are still millions who like it. 

Since its heyday in the late '90s and early '00s, when it went hand-in-hand with the once wildly popular Napster peer-to-peer file-sharing program, Winamp's journey has had its ups and downs. After being acquired by AOL in 1999 for $80 million, the software faced stiff competition from emerging technologies like the iPod. Despite this, Winamp maintained a dedicated user base, with many preferring its flexibility and customization options over newer alternatives.

In 2013, AOL announced plans to discontinue Winamp. But the software found new life when Radionomy, a Belgian online media company now known as Llama, acquired it. Since then, development has been sporadic, with significant updates few and far between. 

Now, Winamp is hoping for a renaissance. By opening its source code, the company aims to leverage the creativity and expertise of the global developer community. Good luck with that. Its parent company also promises that new freemium releases will be coming out much more often.  The newer versions also offer streaming and cloud support that the classic editions lacked. 

We'll see. As Winamp embarks on this new journey, it faces a dramatically different digital landscape than the one it dominated decades ago. With streaming giants like Spotify and Apple Music now ruling the market, Winamp's challenge will be to carve out a niche that combines its nostalgic appeal with modern functionality. I'd feel a lot better about its chances if it actually open-sourced its code rather than play games with its licensing. 

Other noteworthy Linux and open-source stories:

• AWS Transfers OpenSearch to the Linux Foundation

• 5 Linux commands you should never run (and why)

• Linux kernel 6.11 is out - with its own BSOD

Valkey 8

Vienna, Austria: Valkey, the Redis fork, is kicking rump and taking names. At Open Source Summit Europe, the Linux Foundation announced the release of Valkey 8.0, a giant step forward to the open-source in-memory NoSQL data store. This release focuses on enhancing performance, reliability, and observability, marking a major milestone for the project initially forked from Redis due to licensing changes.

While Valkey 8.0 is fully compatible with Redis OSS 7.2.4, it also includes features that Redis users have been waiting for for years. As Madelyn Olson, an Amazon Web Services (AWS) principal engineer, former longtime Redis maintainer, and one of the co-launchers of Valkey, said earlier this year, "The previous Redis core team was actually pretty technically conservative." This new crew is not conservative in the least, and the results are impressive.

Valkey 8.0's updates include:

• Performance Enhancements: Intelligent multi-core utilization and asynchronous I/O threading boost throughput to 1.2 million requests per second, tripling the performance of previous versions. By switching from Redis's archaic single-thread event loop threading model to a sophisticated, I/O operations multithreaded approach, Valkey has vastly increased its speed.

• Improved Scalability and Reliability: The update introduces dual-channel replication and enhanced cluster scaling.

• Advanced Observability: Comprehensive metrics for performance monitoring, including pubsub clients and event loop latency, are now available.

• Memory Efficiency: Optimized key storage reduces memory overhead by up to 10%.

Automatic Failover: Automatic failover ensures that if a primary server or shard fails, a backup can take over immediately, reducing downtime and maintaining service availability.

Users and programmers alike were impressed by the new release. A software engineer, not connected with Valkey, told me, "This is what Redis should have been doing all along."  As Dirk Hohndel, a Linux kernel developer and long-time open-source leader, said at the KubeCon + CloudNativeCon + Open Source Summit China 2024 Summit China a few weeks  ago, on his small Valkey-powered aircraft tracking system, “I see roughly a threefold improvement in performance, and I stream a lot of data, 60 million data points a day.”

He wasn't the only one who liked what he saw. The release has garnered support from major tech companies like AWS, Google Cloud, and Oracle, indicating strong industry backing for this open-source initiative.

Indeed, while Valkey may not be the most successful fork of all time, it's certainly the fastest to move from a dead stop to greatly improved performance and mass-market acceptance. 

Just look at the record. In March, Redis announced that it was dumping the open source BSD 3-clause license for its Redis in-memory key-value database for a “source-available” Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1). That made both developers and users unhappy. 

So, as open-source people do, community members immediately forked the code into Valkey with the support of the Linux Foundation. Redis might have been wiser not to announce this move during KubeCon Europe 2024 in Paris, where literally all the top Redis developers were meeting with their cloud-native computing buddies. 

In days, with the help of the Linux Foundation, they set up their own foundation, Valkey Community Foundation. In weeks, they launched the first release of Valkey. Michael Dolan, the Linux Foundation's SVP and GM of Projects, and I agreed. We'd never seen a fork project move so quickly, and between us, we've seen a ton of projects. 

Looking ahead, the future is bright for Valkey. As for Redis, I foresee nothing but storm clouds ahead.  

Other noteworthy Linux and open-source stories:

• Wind River Unveils Linux Distro for AI and Critical Workloads

• 20 years later, real-time Linux makes it to the kernel - really

• Linus Torvalds muses about maintainer gray hairs and the next 'King of Linux'

Looking for unbiased, fact-based news? Join 1440 today.

Upgrade your news intake with 1440! Dive into a daily newsletter trusted by millions for its comprehensive, 5-minute snapshot of the world's happenings. We navigate through over 100 sources to bring you fact-based news on politics, business, and culture—minus the bias and absolutely free.

Subscribe to 1440 today.

AlmaLinux Hardware Certification

To bolster its position in the enterprise Linux market, the AlmaLinux OS Foundation has unveiled a comprehensive Hardware Certification Program. It aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.

This is done via an AlmaLinux certification for hardware special interest group (SIG)l. Jonathan Wright, the infrastructure team lead for AlmaLinux, will serve as SIG’s first chair. 

It's noteworthy that AlmaLinux has long been interested in hardware support. For example, AlmaLinux has extended support for older gear that Red Hat no longer supports.

The AlmaLinux Hardware Certification Program will verify and certify AlmaLinux OS hardware compatibility. 

The certification process involves several key steps:

1. Submission of hardware for testing

2. Rigorous testing by AlmaLinux or an authorized partner

3. Issuance of certification upon successful completion of tests

4. Listing of certified hardware in AlmaLinux's official catalog

This program offers two distinct certification levels:

1. AlmaLinux Compatible: This basic level confirms that the hardware functions correctly with AlmaLinux OS.

2. AlmaLinux Certified: A more rigorous certification that guarantees the hardware works and meets specific performance and reliability standards.

“The creation of the Certification SIG and the program around it illustrates that AlmaLinux continually empowers its community and enables action based on the feedback from users all around the world,”  said benny Vasquez, chair of the AlmaLinux OS Foundation.  “Our users depend upon and appreciate the interactive approach to governance that leads to ongoing advancements in the community. We're committed to providing a clear and consistent path toward hardware certification.”

The new certification SIG offers a simple yet comprehensive certification procedure that will take days, not months. It aims to establish a streamlined, collaborative framework for Independent Hardware Vendors (IHVs) and the AlmaLinux OS Foundation to certify hardware compatibility with AlmaLinux OS. The program leverages an open-source certification toolkit developed by ALOSF, built upon various open-source hardware and software testing projects and tools. 

The certification program offers numerous advantages to AlmaLinux ecosystem stakeholders:

Hardware Vendors: Gain a competitive edge by demonstrating their products' compatibility with AlmaLinux.

System Integrators: Can confidently build and deploy AlmaLinux-based solutions on certified hardware.

End Users: Enjoy peace of mind knowing their hardware choices are fully supported by AlmaLinux.

This move by AlmaLinux is expected to enhance its appeal to enterprise users and hardware manufacturers significantly. AlmaLinux is positioning itself as a robust alternative in the enterprise Linux space by ensuring hardware compatibility and performance. 

Other noteworthy Linux and open-source stories:

• The rocky road to upgrading Ubuntu Linux 24.04

• Ceph: 20 Years of Cutting-Edge Storage at the Edge

• Red Hat unleashes Enterprise Linux AI - and it's truly useful

This cannabis startup pioneered “rapid onset” gummies

Most people prefer to smoke cannabis but that isn’t an option if you’re at work or in public.

That’s why we were so excited when we found out about Mood’s new Rapid Onset THC Gummies. They can take effect in as little as 5 minutes without the need for a lighter, lingering smells or any coughing.

Nobody will ever know you’re enjoying some THC.

We recommend you try them out because they offer a 100% money-back guarantee. And for a limited time, you can receive 20% off with code FIRST20.

Shop Now.

Steam Deck

Over a decade ago, Gabe Newell, CEO of Valve and its Steam game platform, said, "Linux is the future of gaming." It was a great idea, but it didn't work out that way. However, Valve's Linux-powered, handheld Steam Deck console has carved out a niche in the gaming market.

True, Steam Deck sales, an estimated 4 million units globally in 2024, are modest compared to its closest rival, the Nintendo Switch, with approximately 200 million units in the hands of gamers. Still, the people who have Steam Decks really like them. Valve says nearly half of all Steam Deck owners prefer it to other gaming platforms. 

They prefer it because it gives them access to the large Steam library of games. In addition, you can use the Steam console as a computer in its own right. With its larger screen, a 7.4” diagonal on the OLED models, 3-12 hours of gameplay, and top-notch haptic feedback, it's a pleasure to use. The Steam Deck also offers more powerful hardware than the Switch.

The Steam Deck comes in three different models. The entry-level $399 256GB LCD Model comes with 256GBs of NVMe SSD storage, a 7" diagonal 1280 x 800 LCD, a 2.4-3.5GHz AMD Zen 2 CPU, an 8 RDNA GPU, and 16GBs of RAM. The $549 512GB OLED Model and the $649 1TB OLED Model offer better graphics, a 7.4" OLED  diagonal display, greater storage, and a larger battery for more gaming time.

I also like that the Steam Deck is an excellent bridge to the Linux desktop. Indeed, the Steam Deck is also a SteamOS, an Arch Linux distro variant, powered PC with a KDE Plasma interface. Perhaps the biggest argument against the Linux desktop has long been that you can't play games on it. Thanks to the technology behind Steam Desk, however, you can now play Windows games on Linux without any fuss or muss.

That’s due to an open-source software translation layer called Proton. With it, you can run Windows games on Linux distributions, not just the Valve Deck. Valve developed Proton in collaboration with CodeWeavers. Proton is built upon the Wine project, which has long enabled users to run Windows programs on Linux. Here's how it works:

• Translation of Windows API Calls: Proton translates Windows application programming interface (API) calls into Linux-compatible Portable Operating System Interface (POSIX) calls. There's no emulation or virtualization, which makes it quite fast for running Windows applications on Linux.

• Direct3D to Vulkan Translation: A significant part of Proton's functionality is its ability to translate Direct3D API calls, which are used by Windows games, into Vulkan API calls that Linux can natively use. This is achieved through tools like DXVK for Direct3D 9, 10, and 11 and VKD3D-Proton for Direct3D 12.

• Integration with Steam: Proton is integrated directly into the Steam client as part of Steam Play, allowing users to install and play Windows games on Linux without manually configuring compatibility settings. This seamless integration is a major advantage for users who want to play games without bothering with the technical complexities under the hood.

Most of you don't need to worry about the technical details. In practice, all a Linux user needs to know is to install and use Proton on Linux using the following simple steps.

1. Install Steam: First, you must install the Steam client on your Linux distribution. On modern distros, that consists of little more than searching for it and clicking the install button. Proton is integrated into Steam, so once you have Steam, Proton is already built in.

2. Enable Steam Play: In the Steam client, go to Settings and navigate to the Steam Play section. Here, you can enable Steam Play for all titles and select the latest version of Proton from the dropdown menu.

3. Install and Play Games: Once Steam Play is enabled, you can install Windows games from your Steam library. Steam will automatically use Proton to run these games on your Linux system.

That's it. That's all. 

Of course, not all games are created equal for the platform. Some games will work perfectly out of the box, while others may require additional tweaks or not work due to issues such as anti-cheat software incompatibility. To find out what's what, go to ProtonDB to check out the compatibility of specific games with Proton and Linux. 

So, if you like gaming and want a portable system, whether you care about Linux or not, I urge you to try the Steam Deck. If you like it, I suggest you try a Linux desktop for desktop gaming. I think you may just find that the Linux desktop is a fine gaming platform that also works darn well as a production desktop. 

For Those Who Seek Unbiased News.

Be informed with 1440! Join 3.5 million readers who enjoy our daily, factual news updates. We compile insights from over 100 sources, offering a comprehensive look at politics, global events, business, and culture in just 5 minutes. Free from bias and political spin, get your news straight.

Join for free today!

A fresh, young Tux Linux kernel is ready for Ubuntu.

Canonical, the company behind the popular Linux distribution Ubuntu, has announced a significant change in its approach to integrating Linux kernels into its operating system. Moving forward with the forthcoming Ubuntu 24.10, Oracular Oriole release, Canonical will be using more up-to-date Linux kernels.

Traditionally, Ubuntu has opted for stability by including the most recent stable Linux kernel available at the time of the release freeze. This approach, while ensuring reliability, often meant that Ubuntu releases did not feature the very latest kernel versions, sometimes missing out on new features and hardware support that newer kernels provide. Other popular distros, such as Fedora, opted for cutting-edge kernels. 

Canonical's new strategy involves shipping the latest upstream Linux kernel available at the time of the Ubuntu release freeze date, even if the kernel is still in a Release Candidate (RC) status. 

This shift is expected to make dissatisfied users who want the latest features and hardware compatibility happier. By adopting newer kernels, Ubuntu aims to better support bleeding-edge hardware and align more closely with the rapid development pace of the Linux kernel itself.

However, this approach also introduces potential challenges. Using a kernel in RC status could pose stability risks if unforeseen issues arise before the kernel reaches a stable release. Canonical has acknowledged this risk and plans to manage any such occurrences promptly

For users of Ubuntu's interim releases, Canonical will provide a "bridge kernel" if the latest kernel turns out to have issues. This will ensure stability while still allowing access to new features. 

Long-term support (LTS) release users won't need a bridge kernel, as updates are disabled until stabilization is complete. Additionally, users of Ubuntu Pro's Livepatch service will continue to receive seamless updates without disruption. This change is coming after Canonical announced that it would support its Linux distros for 12 years. 

As Ubuntu continues to evolve, this new approach promises to enhance the user experience by delivering the kernel's latest capabilities alongside stability. I think this is a smart move that both Ubuntu fans and administrators will appreciate. 

Other noteworthy Linux and open-source stories:

• AlmaLinux Makes In-Place Upgrades Easier for CentOS Users

• Meet OpenShift Lightspeed, Red Hat's AI tool for Kubernetes admins

• Could eBPF Save Us From CrowdStrike-Style Disasters?

We put your money to work

Betterment’s financial experts and automated investing technology are working behind the scenes to make your money hustle while you do whatever you want.

Learn more

Patching up open-source software made easier.

Endor’s new features are helping ease the burden of managing security vulnerabilities in open-source software.

Endor Labs, a software supply chain security leader, announced the launch of two new, innovative capabilities, "Upgrade Impact Analysis" and "Endor Magic Patches," at Black Hat in Las Vegas. These two features aim to streamline the process of upgrading software versions and mitigating security vulnerabilities in open-source software (OSS) dependencies.

We must often upgrade software versions to fix critical vulnerabilities in OSS. However, such upgrades can be challenging and risk causing breaking existing applications. Fear of this and the complexity of determining what effect a patch will have on programs can deter administrators from implementing necessary upgrades. That's a mistake. 

Endor quotes a Director of AppSec Operations at a major Fintech company, explaining, “Developers fear upgrades because of breaking changes. Imagine if the product could emulate an upgrade to show which upgrade could impact which packages. With this information, I could prioritize fixes based on how hard the upgrade will be and how many other packages will be affected.”

In response, Endor Labs has released its new Upgrade Impact Analysis feature. This tool provides detailed insights into the potential difficulties and consequences of a given upgrade, enabling AppSec teams to have informed discussions with engineering teams about the scope of security fixes and set service-level agreements (SLAs). When an upgrade is deemed too costly or complex, teams can opt to mitigate the vulnerability with a backported security patch maintained by Endor Labs.

This feature extends Endor Labs' program analysis engine to identify unintended consequences, such as breaking changes to an application. AppSec teams can now manage risk in the context of upgrade difficulty, improving the return on investment of remediation efforts, reducing developer manual research, and enabling IT teams to address risks more swiftly. In short, it reduces the pain. 

In addition, Endor Magic Patches enables security patches to be backported to the vulnerable version of the software, eliminating the need for difficult upgrades. These patches include source code, tests, build, and deployment steps, ensuring reproducibility and security. This capability allows AppSec teams to respond quickly to emerging threats, balance developer workloads, and support FedRAMP compliance.

Marcelo Oliveira, VP of Product Management at Endor Labs, emphasized the significance of these new tools: “One of the best characteristics of OSS is the degree of constant improvement—there’s a regular flow of upgrades to just about every package. However, the merits can often be outweighed by the dangers. With these new capabilities, teams can clear this hurdle by sharply reducing the work required to understand the impact of dependency upgrades and stay safe when the risk of upgrades is too high. It’s always been our mission to make security less of a burden on software engineers, and with this launch, we continue to help security teams become better partners”.

I wouldn't go that far. The merits almost always outweigh the dangers. That said, there's no question that upgrading code always comes with some measure of menace. Yes, I'm looking at you CrowdStrike. So, tools like these certainly have their place for any DevOpsSec team. 

Other noteworthy Linux and open-source stories:

• Meet OpenShift Lightspeed, RedHat's AI tool for Kubernetes admins

• Can AI even be open source? It's complicated

• Russ Cox Steps Down as Tech Lead of Go Programming Language

We put your money to work

Betterment’s financial experts and automated investing technology are working behind the scenes to make your money hustle while you do whatever you want.

Learn more

Decisions! Decisions!

The other day, Dan Lorenc, CEO and co-founder of the software supply chain company Chainguard, wrote on LinkedIn that "open source is not a good strategy for startups."

What? Do you think I was going to disagree because I'm a big open-source fan? Think again!

Yep, it's a great development model, but it never has been, isn't now, and never will be a business model. I am so, so tired of seeing people confusing them. 

Lorenic continued, "There are many open-source strategies that can lead to financial success, and some are easier than others or more relevant to certain use cases than others."

That's true, too. Just ask Red Hat. A dozen years ago, Red Hat became the first billion-dollar open-source company not because it offered a great Linux distro—although Red Hat Enterprise Linux (RHEL) certainly is that—but because the company paired it with an excellent support offering.

Let me take you back to 2003. Red Hat is selling Red Hat Linux in retail boxes. It was a business, but it wasn't a big business.  As Paul Cormier, then Red Hat's vice president of engineering, told me years later, "The people who were here during that period sometimes forget the leap we took, and there's a lot of people who are at Red Hat now who don't understand what a big moment that was in our history. We literally stopped our product line."

Needless to say, at this remove it all worked out. 

However, it was the enterprise support model that made Red Hat its cash, not the open-source model per se.

You can also use open source as a top-of-the-funnel offering to get customers to pay for your company's other offerings. Strapi, for example, does well by using its eponymous headless content management system (CMS) to get its customers to buy into its other offerings.  

A close relative and more popular version of this take is open core. Here, the idea is to offer a free, open-source version of a core program and then offer commercial proprietary versions or add-ons. More companies than I can name use this model. Their numbers include Automatic, Docker, and GitLab.

Another, less-talked-about model is one I call building-block open source. Here, the company doesn't offer its core program as open source. Instead, it offers useful open-source components and libraries that you could build a useful program from, but it's just easier and cheaper to use the company's offering. 

Joe Morrison, a map specialist, has pointed out that Mapbox, a custom online map vendor for websites and applications, has been very successful with this approach. As he wrote, "You’ve seen their maps, even if you don’t know it — their clients range from Snapchat to Tableau to the New York Times. They aim their product at developers trying to build an app that just happens to need a map interface in order to make sense — which in today’s world of phones perennially in pockets, is honestly kind of hard to avoid."

Notice something about all these business plans? They're all fairly sophisticated. 

Lorenc observed that many "open-source" startups are "afraid of sales and selling." 

It took all their courage to get venture capitalist or angel investment funding. After all, they're developers first and business people a long way second.

That seems to be endemic in tech startups. Way back before open source even existed, when I first started working in tech, I saw business after business fail. Why? Their founders may have been great network engineers, developers, or system administrators, but they were helpless as babies at Business 101. In particular, they were clueless about sales. 

If you don't know the nuts and bolts of turning your great idea into sales, find someone to partner with who does. 

As Lorenc pointed out, "It's never easy to monetize an open-source project. It's doable, but it's not easy. If you're not 100 percent sure on how you're going to monetize, with evidence that it will work, future-you is in for a world of hurt." He's right.

Lorenc doesn't think building a community will help you in the long run because "they will inevitably slow you down." Here, we disagree.

I think, though, that simply assuming a community will somehow miraculously help you turn your open-source project into a viable business is foolish. Find an open-source community expert like my friend Jono Bacon and read books such as People Powered and The Art of Community. Once you know what a community can—and can't—do for you, then you can make an intelligent, informed opinion. 

Finally, Lorenc and I are in complete agreement when he wrote if you "do open-source your core product, please, please, please don't start getting bitter and referring to users (or competitors) that make use of the licenses you provided as freeloaders or complain that they're taking advantage of you."

Dumping open source ends up ticking off your customers and partners, and you'll never be welcome in open-source circles again. And, then, where will you find programmers for your next "can't miss project?"

Other noteworthy Linux and open-source stories:

• I've tried a zillion desktop distros - it doesn't get any better than Linux Mint 22

• Meta inches toward open source AI with new LLaMA 3.1

• OpenELA Liberates Red Hat Enterprise Linux Source Code

Take a demo, get a Blackstone Griddle

• Automate expense reports so you can focus on strategy

• Uncapped virtual corporate cards

• Access scalable credit lines from $500 to $15M

Request a demo

The original Apache HTTP Server Logo

The Apache Software Foundation (ASF) has announced plans to evolve its corporate logo and brand system to better represent its "community over code" ethos and promote inclusivity. Why? Because the ASF took seriously concerns raised by Natives in Tech and other members of the open-source community regarding the appropriateness of using Indigenous imagery.

So, the ASF will retire its iconic feather logo, which has been a central part of the foundation's identity since 1999. The organization acknowledges that, as a non-Indigenous entity, it is inappropriate to continue using Indigenous themes or language in its branding. The group also realizes that the logo has been very popular for almost 30 years, but they feel this is the right thing to do. This comes after ASF  changed the name of its flagship event to Community Over Code from ApacheCon. 

The ASF's Marketing and publicity team, along with a Branding Steering Committee composed of ASF Members, is collaborating with branding and design vendors to develop a new logo. This new visual identity will embody the Foundation's history of providing software for the public good while reflecting its global contributor base.

The decision to update the brand extends beyond the logo. Changes also apply to ASF open-source projects that currently use Indigenous imagery. It will not--I and the ASF repeat--not change the Apache License or any released software.

While the logo and branding are changing, the Apache name will not change, for now, at least. That's because changing its name would cause too much legal, technical, and financial trouble. This may sound like a small matter to you, but  ASF leadership feels it would divert significant resources from the group's primary mission of providing software for the public good.

They're not wrong. I know enough about trademarks, logos, and names to know that changing an organization's branding is complicated and expensive. 

If it goes well, the new logo and brand identity will be unveiled at the Community Over Code NA conference in Denver, Colorado, in October 2024. Do you have any ideas for its new logo? The ASF wants to hear from you. 

Other noteworthy Linux and open-source stories:

• The graying open-source community needs fresh blood

• What’s New With the Just-Released Linux 6.10 Kernel

• How open source attracts some of the world's top innovators

Yow!

A few months back, CVE-2024-1086, a nasty use-after-free vulnerability in the Linux kernel's netfilter, was revealed. With a  Common Vulnerability Scoring System (CVSS) score of 7.8, this bug, with the foundation for most Linux network firewall and Network Address Translation (NAT) programs, was a nasty little security hole. With it, Netfliter's table component could be exploited to achieve local privilege escalation. 

Worse still, you didn't need to be terribly clever to use it, so a local attacker could escalate privileges from a regular user to root in no time flat. Adding insult to injury, this vulnerability was present in pretty much all the major Linux distributions, including Debian, Fedora, Red Hat, and Ubuntu. In short, pretty much any Linux distribution using any kernel version between 5.14 and 6.6.14 could be hacked.

Ouch!

But, the fix has been in place since January 2024, when the flaw was patched. So, if we've been good little system administrators, we shouldn't have anything to worry about, right? Right!?

Wrong. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged it and added it to the Known Exploited Vulnerabilities (KEV) catalog. It turns out that it's being actively exploited in the wild.

Now, if this were happening back in March, I wouldn't be surprised. That's when the flaw finder, who went by the name Notselwyn, published a CVE-2024-1086  proof-of-concept exploit. He reported that it had a 99.4% success rate on kernel 6.4.16 and provided a detailed technical report. His method, called Dirty Pagedirectory, builds on the earlier Dirty Pagetable technique, allowing unlimited, stable read/write access to all memory pages in a Linux system.

I don't think you need to be a security expert to know that's bad. 

NIST reports that "This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary."

I wonder, though, I really do, whether it's really been updated or whether it's just that there's now a bot toolkit using it. As a result, thousands of automated attempts are discovering that far too many people never patched their Linux machines in the first place. As Hanlon's Razor explains, "Never attribute to malice that which is adequately explained by stupidity.

So, may I suggest you check to see if your distro is still open to the original attack? You can do that by running the command:

$ uname -r

In your terminal. 

If the output of any of these commands shows a kernel version between 3.15 and 6.8-rc1, your system is potentially vulnerable to CVE-2024-1086. For instance, if uname—r returns 5.13.0-39-generic, your system is within the affected range and should be updated.

The patched kernels for the major Linux distros include:

Debian

• Kernel-Version: 6.1.76-1

Ubuntu

• Ubuntu 18.04: 4.15.0-223.235

• Ubuntu 20.04: 5.4.0-174.193

• Ubuntu 22.04: 5.15.0-101.111

• Ubuntu 23.10: 6.5.0-26.26

Red Hat and Red Hat-based distros:

• RHEL 7: 3.10.0-1062.4.1.el7

• RHEL 8: 4.18.0-147.el8

• RHEL 9: 5.14.0-362.24.2.el9_3

SUSE

• There are various fixed kernel versions for the SUSE Linux Enterprise distros.

To be safe, update your systems and then reboot them with the following commands: 

Update Package Lists:

$ sudo apt update  # For Debian/Ubuntu

$ sudo yum update  # For Red Hat/CentOS

$ sudo zypper refresh  # For SUSE

$ sudo dnf update  # For AlmaLinux/Rocky Linux

Upgrade Kernel:

$ sudo apt upgrade  # For Debian/Ubuntu

$ sudo yum update kernel  # For Red Hat/CentOS

$ sudo zypper update  # For SUSE

$ sudo dnf update kernel  # For AlmaLinux/Rocky Linux

Reboot System: 

$ sudo reboot

All should be well.  

But, if you can't patch it or think there may indeed be a new version of the vulnerability out there? In that case, you can mitigate it by disabling the ability for unprivileged users to create namespaces. To do this temporarily, in the Debian/Ubuntu world run:

$ sudo sysctl -w kernel.unprivileged_userns_clone=0

To disable it for once and all:

 echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf

Personally, I've never been keen on granting unprivileged users the ability to create namespaces. As a wise admin once said, "Unless you truly need it, just disable it."

Noteworthy Linux and open-source stories:

• Are all Linux vendor kernels insecure? A new study says yes, but there's a fix

• Winamp is not going open source. Here's what it is doing - and why

• More than money, open-source pros want these 2 things from their next jobs