Apple has released MLX, a free and open-source machine learning framework for Apple Silicon. Computerworld reports: The idea is that it streamlines training and deployment of ML models for researchers who use Apple hardware. MLX is a NumPy-like array framework designed for efficient and flexible machine learning on Apple's processors. This isn't a consumer-facing tool; it equips developers with what appears to be a powerful environment within which to build ML models. The company also seems to have worked to embrace the languages developers want to use, rather than force a language on them -- and it apparently invented powerful LLM tools in the process.

MLX design is inspired by existing frameworks such as PyTorch, Jax, and ArrayFire. However, MLX adds support for a unified memory model, which means arrays live in shared memory and operations can be performed on any of the supported device types without performing data copies. The team explains: "The Python API closely follows NumPy with a few exceptions. MLX also has a fully featured C++ API which closely follows the Python API."

Apple has provided a collection of examples of what MLX can do. These appear to confirm the company now has a highly-efficient language model, powerful tools for image generation using Stable Diffusion, and highly accurate speech recognition. This tallies with claims earlier this year, and some speculation concerning infinite virtual world creation for future Vision Pro experiences. Ultimately, Apple seems to want to democratize machine learning. "MLX is designed by machine learning researchers for machine learning researchers," the team explains.

Liam Proven reports via The Register: One of the best FOSS text editors for Windows, Notepad++, is turning 20, while cross platform Geany just hit version 2.0 as it turns 18 years old. Notepad++'s version 8.6 is the twentieth anniversary release of one of the go-to FOSS text editors for Windows. [...] If you use an Arm-powered Windows machine, such as the ThinkPad X13S, there is now a native Arm64 version. It still supports x86-32 as well, and there are portable versions which work without being installed locally -- handy if you don't have admin rights. There is even a usefully recent version for Windows XP if you are still using that geriatric OS. This release adds multi-select, allowing you to manipulate multiple instances of the same text at once, which looks confusing but very powerful.

It is a staple on all of the Reg FOSS desk's Windows partitions, thanks to its inclusion in the essential Windows post-install setup tool Ninite. Ninite will install -- and update -- a whole swath of FOSS and freeware tools for Windows, making setup of a new machine doable in just a couple of clicks. And if you keep the Ninite installer file around, you can re-run it later and it will update everything it installed first time around. Ninite does offer other programmers' editors, such as Eclipse and Microsoft Visual Studio Code -- but they are behemoths by comparison. VSCode is implemented as an Electron app, meaning that it's huge, embeds an entire copy of Chromium, and scoffs RAM like it's going out of fashion. Notepad++ is a native Win32 app, making it tiny and fast: the download is less than 5MB, one twentieth the size of VSCode.

Sluggish, bloated editors are not just a problem on Windows. Gargantuan Electron apps are distressingly prevalent on Linux and macOS as well. This vulture is guilty of using some, and even recommending them -- because some of them can do things that nothing else can. That's not true in the case of plain text editors, though. You don't have to put up with apps that take a good fraction of a gigabyte for this. Geany is a good example. It straddles the line between a text editor and an IDE: it can manage multi-project files, automatically call out to compilers and suchlike, and parse their output to highlight errors. We last mentioned it nearly a decade ago but the project recently reached voting age -- at least for humans -- and after this milestone in maturity its developers called the latest release version 2.0. It has better support for dark mode, a new tree view in its sidebar, adds a bunch of new supported file types, and can detect if the user changes the type of a file and re-do its syntax highlighting to match.

The free open-source text editor Notepad++ is celebrating its 20th anniversary, the blog OMG! Ubuntu reported this week, "with a new release filled with some neat new features." In Notepad++ 8.6 (the 238th release since 2003, for those keeping count) the Windows-based code tool [which can also be used on Linux] adds to its extensive feature set with an improved multi-edit feature.

A few 3rd-party Notepad++ plugins have offered similar functionality for a while, including BetterMultiSelection. And a bug report requesting to ability to "transform the column mode to multi-caret on HOME/END/Arrow keys" led to this native addition.
Their blog post includes an animated GIF of Notepad++ multi-edit in action.

"You can install Notepad++ on Ubuntu straight from the Ubuntu Software/App Center app (it's a Snap Store). Alternatively, install the Windows build via WINE/CrossOver or, if you got the l33t skillz, build it by hand, from source."

A pull request has been merged to fix a data corruption issue in OpenZFS (the open-source implementation of the ZFS file system and volume manager). "OpenZFS 2.2.2 and 2.1.14 released with fix in place," reports a Thursday comment on GitHub.

Earlier this week, jd (Slashdot reader #1,658) wrote: All versions of OpenZFS 2.2 suffer from a defect that can corrupt the data. Attempts to mitigate the bug have reduced the likelihood of it occurring, but so far nobody has been able to pinpoint what is going wrong or why.

Phoronix reported on Monday: Over the US holiday weekend it became more clear that this OpenZFS data corruption bug isn't isolated to just the v2.2 release — older versions are also susceptible — and that v2.2.1 is still prone to possible data corruption. The good news at least is that data corruption in real-world scenarios is believed to be limited but with some scripting help the corruption can be reproduced. It's also now believed that the OpenZFS 2.2 block cloning feature just makes encountering the problem more likely.

Meta executives said there's been no major drawbacks to openly sharing its AI technology, even as many peers take the opposite approach. From a report: Over the past few months, Meta has been releasing open-source versions of its large language models -- the technology behind AI chatbots like ChatGPT. The idea is to keep those models free and then gain an advantage by building products and services on top of them, executives said at an event for the company's AI research Lab FAIR. "There is really no commercial downside to also making it available to other people," said Yann LeCun, Meta's chief AI scientist. Meta has joined most of the world's biggest technology companies in embracing generative AI, which can create text, images and even video based on simple prompts. But they aren't taking the same path.

Many of the top AI developers, including OpenAI and Google's DeepMind, don't currently open-source their large language models. Companies are often fearful of opening up their work because competitors could steal it, said Mike Schroepfer, Meta's senior fellow and former chief technology officer. "I feel like we're approaching this world where everyone is closing down as it becomes competitively important," he said. But staying open has its advantages. Meta can rely on thousands of developers across the world to help enhance its AI models.

Michael Larabel reports via Phoronix: The open-source Roundcube webmail software project has "merged" with Nextcloud, the prominent open-source personal cloud software. In boosting Nextcloud's webmail software capabilities, Roundcube is joining Nextcloud as what's been described as a merger. In 2024 Nextcloud is to invest into Roundcube to accelerate the development of this widely-used webmail open-source software. Today's press release says Roundcube will not replace Nextcloud Mail with at least no plans for merging the two in the short-term.

Today's press release says that there are no immediate changes for Roundcube and Nextcloud users besides looking forward to improved integration and accelerated development beginning in the short term.

"The cornerstone of the open-source philosophy is that the recipients of technology should have access to all its building blocks..." writes the European Organization for Nuclear Research, "in order to study it, modify it and redistribute it to others." This includes mechanical designs, schematics for electronics, and software code. Ever since releasing the World Wide Web software under an open-source model in 1994, CERN has continuously been a pioneer in this field, supporting open-source hardware (with the CERN Open Hardware Licence), open access (with the Sponsoring Consortium for Open Access Publishing in Particle Physics — SCOAP3) and open data (with the Open Data Portal for the LHC experiments).

The CERN Open Data portal is a testimony to CERN's policy of Open Access and Open Data. The portal allows the LHC experiments to share their data with a double focus: for the scientific community, including researchers outside the CERN experimental teams, as well as citizen scientists, and for the purposes of training and education through specially curated resources. The first papers based on data from the CERN Open Data portal have been published. Several CERN technologies are being developed with open access in mind. Invenio is an open-source library management package, now benefiting from international contributions from collaborating institutes, typically used for digital libraries. Indico is another open-source tool developed at CERN for conference and event management and used by more than 200 sites worldwide, including the United Nations. INSPIRE, the High Energy Physics information system, is another example of open source software developed by CERN together with DESY, Fermilab and SLAC.
And on Wednesday the European Organization for Nuclear Research launches its new Open Source Program Office "to help you with all issues relating to the release of your software and hardware designs." Sharing your work with collaborators in research and industry has many advantages, but it may also present some questions and challenges... The OSPO will support you, whether you are a member of the personnel or a user, to find the best solution by giving you access to a set of best practices, tools and recommendations. With representatives from all sectors at CERN, it brings together a broad range of expertise on open source practices... As well as supporting the CERN internal community, the OSPO will engage with external partners to strengthen CERN's role as a promoter of open source.

Open source is a key pillar of open science. By promoting open source practices, the OSPO thus seeks to address one of CERN's core ambitions: sharing our knowledge with the world. Ultimately, the aim is to increase the reach of open source projects from CERN to maximise their benefits for the scientific community, industry and society at large.
For Wednesday's launch event "We will host distinguished open source experts and advocates from Nvidia, the World Health Organization and the Open Source Hardware Association to discuss the impact and future of open source." There will be a live webcast of the event.

Long-time Slashdot reader destinyland writes: The Linux Foundation recently funded a new "security developer in residence" position for Python. (It's funded through the Linux Foundation's own "Open Software Security foundation", which has a stated mission of partnering with open source project maintainers "to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed to improve global software supply chain security.") The position went to the lead maintainer for the HTTP client library urllib3, the most downloaded package on the Python Package Index with over 10 billion downloads. But he hopes to create a ripple effect by demonstrating the impact of security investments in critical communities — ultimately instigating a wave of improvements to all software supply chains. (And he's also documenting everything for easy replication by other communities...)

So far he's improved the security of Python's release processes with signature audits and security-hardening automation. But he also learned that CVE numbers were being assigned to newly-discovered vulnerabilities by the National Cyber Security Division of the America's Department of Homeland Security — often without talking to anyone at the Python project. So by August he'd gotten the Python Software Foundation authorized as a CVE Numbering Authority, which should lead to more detailed advisories (including remediation information), now reviewed and approved by Python's security response teams.

"The Python Software wants to help other Open Source organizations, and will be sharing lessons learned," he writes in a blog post. And he now says he's already been communicating with the Curl program about his experiences to help them take the same step, and even authored a guide to the process for other open source projects.

Mononymous writes: FreeBSD 14 has been officially released. You can get it from FreeBSD.org, or via freebsd-update and source update methods for existing systems. Some highlights:
- OpenSSH version 9.5p1
- OpenSSL version 3.0.12, a major upgrade from OpenSSL 1.1.1t in FreeBSD 13.2
- OpenZFS release 2.2
- The bhyve hypervisor now supports TPM and GPU passthrough

This version will now create user home directories in /home by default, instead of the traditional /usr/home. More information on the release and changes can be found via the release announcement page.

This week the Linux Foundation "announced the intention to form the High Performance Software Foundation.

"Through a series of technical projects, the High Performance Software Foundation aims to build, promote, and advance a portable software stack for high performance computing by increasing adoption, lowering barriers to contribution, and supporting development efforts." As use of high performance computing becomes ubiquitous in scientific computing and digital engineering, and AI use cases multiply, more and more data centers deploy GPUs and other compute accelerators. The High Performance Software Foundation intends to leverage investments made by the United States Department of Energy's Exascale Computing Project, the EuroHPC Joint Undertaking, and other international projects in accelerated high performance computing to exploit the performance of this diversifying set of architectures. As an umbrella project under the Linux Foundation, HPSF intends to provide a neutral space for pivotal projects in the high performance software ecosystem, enabling industry, academia, and government entities to collaborate together on the scientific software stack.

The High Performance Software Foundation already benefits from strong support across the high performance computing landscape, including leading companies and organizations like Amazon Web Services, Argonne National Laboratory, CEA, CIQ, Hewlett Packard Enterprise, Intel, Kitware, Lawrence Berkeley National Laboratory, Lawrence Livermore National Laboratory, Los Alamos National Laboratory, NVIDIA, Oak Ridge National Laboratory, Sandia National Laboratory, and the University of Oregon.
Its first open source technical projects include:

• Spack: the high performance computing package manager
• Kokkos: a performance-portable programming model for writing modern C++ applications in a hardware-agnostic way.
• AMReX: a performance-portable software framework designed to accelerate solving partial differential equations on block-structured, adaptively refined meshes.
• WarpX: a performance-portable Particle-in-Cell code with advanced algorithms that won the 2022 Gordon Bell Prize
• Trilinos: a collection of reusable scientific software libraries, known in particular for linear, non-linear, and transient solvers, as well as optimization and uncertainty quantification.
• Apptainer: a container system and image format specifically designed for secure high-performance computing.
• VTK-m: a toolkit of scientific visualization algorithms for accelerator architectures.
• HPCToolkit: performance measurement and analysis tools for computers ranging from laptops to the world's largest GPU-accelerated supercomputers.
• E4S: the Extreme-scale Scientific Software Stack
• Charliecloud: high performance computing-tailored, lightweight, fully unprivileged container implementation.

The Free Sofware Foundation issued a clarifying blog post this week, saying the organization is "pleased when people use GNU licenses to distribute and license software."

But "we condemn the use of unauthorized, confusing derivatives of the licenses." Unfortunately, some authors engage in confusing practices by drafting licenses using existing terms and conditions of GNU free software licenses, without the intention of granting all four freedoms to users. For example, we have long seen attempts to add restrictions to the license text itself, placed in the LICENSE file, or included elsewhere in the program's release. An example is the so-called "Commons Clause," which, when applied to a free software license, affirms that the program is covered by the license. But, at the same time, is contradicting in its meaning by asserting that selling copies of the program or implementing a commercial service with the program is prohibited.

The immediate consequence of the practice of inserting a restriction into a GNU license in this way is the confusion it causes for the community. Users still see the name of the original license, with its preamble and terms and conditions intact, transmitting a strong message that the purpose of the license is to enable users — grant users — their essential software freedoms. This message is clear from the license's text, and is bolstered from the renown accrued by the FSF and GNU trademarks, and their decades of free software advocacy. At the same time, these same users see a contradictory statement of the "Commons Clause," which is clearly contrary to the sprit of the free software movement and the Free Software Definition...

[T]o make it even clearer that added restrictions are incompatible with our license, we gave users the right to delete such added restrictions [in 2007] and preserve the program's freedom. But we at the FSF have another legal tool against attempts to release programs under GNU General Public Licenses that have been wrongly altered to become nonfree licenses. The FSF holds copyrights and common law trademarks to the GNU family of General Public Licenses. Moreover, the FSF holds registered trademarks for "FSF," "Free Software Foundation," and "GNU." [...] We can't control the drafting by others of proprietary software licenses, but we can and do forbid doing this in a way that misleadingly associates those licenses with GNU or GNU licenses... [W]e are entitled to legally enforce our copyright and trademark for FSF licenses that have been altered by added restrictions to a verbatim GNU license...

Licenses that confuse users about the freedoms they grant are damaging to the free software movement because they threaten to dilute the value and power of these licenses. When GNU licenses are misused through such confusing practices, it harms the renown accrued by the GNU project and the FSF over decades of free software advocacy. It is our duty to all computer users to stop these practices, and, if necessary, we will use our legal rights to this end.

An anonymous reader quotes a report from TechCrunch: Facebook parent Meta is teaming up with Hugging Face and European cloud infrastructure company Scaleway to launch a new AI-focused startup program at the Station F startup megacampus in Paris. The underlying goal of the program is to promote a more "open and collaborative" approach to AI development across the French technology world. The timing of the announcement is notable, coming amid a growing push for regulation and a marked conflict between the "open" and "closed" AI realms. [...]

While Meta itself has been open sourcing its own generative AI models, Hugging Face -- a billion-dollar VC-backed startup in its own right -- has set out its stall as a sort of open source alternative to OpenAI, replete with open alternatives to the likes of ChatGPT and spearheading community projects such as BigScience. So in many ways, Meta and Hugging Face's tie-up today makes a great deal of sense, given their respective stances on the whole "open" versus "closed" AI discussion. "For me, open source AI is the most important topic of the decade as it is the cornerstone toward democratizing ethical AI," Hugging Face CEO Clement Delangue said in a statement.

From today through December 1 (2023), startups can apply to join the new "AI Startup Program" at Station F, with five winners proceeding to the accelerator program that will run from January to June. The chosen startups, selected by a panel of judges from Meta, Hugging Face and French cloud company Scaleway, will have at least one thing in common -- they will be working on projects substantively built on open foundation models, or at the very least can demonstrate a "willingness to integrate these models into their products and services," according to the announcement issued by Meta today. "With the proliferation of foundation models and generative artificial intelligence models, the aim is to bring the economic and technological benefits of open, state-of-the-art models to the French ecosystem," the announcement noted. Indeed, the winning startups will receive mentoring from researchers and engineers at Meta, gain access to Hugging Face's various platforms and tools, and compute resources from Scaleway.

In Raleigh, North Carolina — the home of Red Hat — local newspaper the News & Observer takes an in-depth look at the "announcement that split the open source software community." (Alternate URL here.) [M]any saw Red Hat's decision to essentially paywall Red Hat Enterprise Linux, or RHEL, as sacrilegious... Red Hat employees were also conflicted about the new policy, [Red Hat Vice President Mike] McGrath acknowledged. "I think a lot of even internal associates didn't fully understand what we had announced and why," he said...

At issue, he wrote, were emerging competitors who copied Red Hat Enterprise Linux, down to even the code's mistakes, and then offered these Red Hat-replicas to customers for free. These weren't community members adding value, he contended, but undercutting rivals. And in a year when Red Hat laid off 4% of its total workforce, McGrath said, the company could not justify allowing this to continue. "I feel that while this was a difficult decision between community and business, we're still on the right side of it," he told the News & Observer. Not everyone agrees...

McGrath offered little consolation to customers who were relying on one-for-one versions of RHEL. They could stay with the downstream distributions, find another provider, or pay for Red Hat. "I think (people) were just so used to the way things work," he said. "There's a vocal group of people that probably need Red Hat's level of support, but simply don't want to pay for it. And I don't really have... there's not much we can tell them."

Since its RHEL decision, Red Hat has secured several prominent partnerships. In September, the cloud-based software company Salesforce moved 200,000 of its systems from the free CentOS Linux to Red Hat Enterprise Linux. The same month, Red Hat announced RHEL would begin to support Oracle's cloud infrastructure. Oracle was one of the few major companies this summer to publicly criticize Red Hat for essentially paywalling its most popular code. On Oct. 24, Red Hat notched another win when the data security firm Cohesity said it would also ditch CentOS Linux for RHEL.
The article delves into the history of Red Hat — and of Linux — before culminating with this quote from McGrath. "I think long gone are the times of that sort of romantic view of hobbyists working in their spare time to build open source. I think there's still room for that — we still have that — but quite a lot of open source is now built from people that are paid full time."

Red Hat likes to point out that 90% of Fortune 500 companies use its services, according to the article. But it also quotes Jonathan Wright, infrastructure team lead at the nonprofit AlmaLinux, as saying that Red Hat played "fast and loose" with the GPL. The newspaper then adds that "For many open source believers, such a threat to its hallowed text isn't forgivable."

It happened a quarter of a century ago. The New York Times wrote that "An internal memorandum reflecting the views of some of Microsoft's top executives and software development managers reveals deep concern about the threat of free software and proposes a number of strategies for competing against free programs that have recently been gaining in popularity." The memo warns that the quality of free software can meet or exceed that of commercial programs and describes it as a potentially serious threat to Microsoft. The document was sent anonymously last week to Eric Raymond, a key figure in a loosely knit group of software developers who collaboratively create and distribute free programs ranging from operating systems to Web browsers. Microsoft executives acknowledged that the document was authentic...

In addition to acknowledging that free programs can compete with commercial software in terms of quality, the memorandum calls the free software movement a "long-term credible" threat and warns that employing a traditional Microsoft marketing strategy known as "FUD," an acronym for "fear, uncertainty and doubt," will not succeed against the developers of free software. The memorandum also voices concern that Linux is rapidly becoming the dominant version of Unix for computers powered by Intel microprocessors.

The competitive issues, the note warns, go beyond the fact that the software is free. It is also part of the open-source software, or O.S.S., movement, which encourages widespread, rapid development efforts by making the source code — that is, the original lines of code written by programmers — readily available to anyone. This enables programmers the world over to continually write or suggest improvements or to warn of bugs that need to be fixed. The memorandum notes that open software presents a threat because of its ability to mobilize thousands of programmers. "The ability of the O.S.S. process to collect and harness the collective I.Q. of thousands of individuals across the Internet is simply amazing," the memo states. "More importantly, O.S.S. evangelization scales with the size of the Internet much faster than our own evangelization efforts appear to scale."
Back in 1998, Slashdot's CmdrTaco covered the whole brouhaha — including this CNN article: A second internal Microsoft memo on the threat Linux poses to Windows NT calls the operating system "a best-of-breed Unix" and wonders aloud if the open-source operating system's momentum could be slowed in the courts.

As with the first "Halloween Document," the memo — written by product manager Vinod Valloppillil and another Microsoft employee, Josh Cohen — was obtained by Linux developer Eric Raymond and posted on the Internet. In it, Cohen and Valloppillil, who also authored the first "Halloween Document," appear to suggest that Microsoft could slow the open-source development of Linux with legal battles. "The effect of patents and copyright in combating Linux remains to be investigated," the duo wrote.
Microsoft's slogain in 1998 was "Where do you want to go today?" So Eric Raymond published the documents on his web site under the headline "Where will Microsoft try to drag you today? Do you really want to go there?"

25 years later, and it's all still up there and preserved for posterity on Raymond's web page — a collection of leaked Microsoft documents and related materials known collectively as "the Halloween documents." And Raymond made a point of thanking the writers of the documents, "for authoring such remarkable and effective testimonials to the excellence of Linux and open-source software in general."

Thanks to long-time Slashdot reader mtaht for remembering the documents' 25th anniversary...

The new open-source, copy-on-write file system known as Bcachefs has been successfully merged into the Linux 6.7 kernel. "Given the past struggles to get Bcachefs mainlined, I certainly didn't expect to see Linus Torvalds act so soon on merging it," writes Phoronix's Michael Larabel. "But after it spent all of the 6.6 cycle within Linux-Next, overnight Linus Torvalds did in fact land this new file-system developed by Kent Overstreet."

From a Slashdot story published on Friday August 21, 2015: Bcachefs is a new open-source file-system derived from the bcache Linux kernel block layer cache. Bcachefs was announced by Kent Overstreet, the lead Bcache author. Bcachefs hopes to provide performance like XFS/EXT4 while having features similar to Btrfs and ZFS. The bachefs on-disk format hasn't yet been finalized and the code isn't yet ready for the Linux kernel. That said, initial performance results are okay and "It probably won't eat your data -- but no promises." Features so far for Bcachefs are support for multiple devices, built-in caching/tiering, CRC32C checksumming, and Zlib transparent compression. Support for snapshots is to be worked on.

An anonymous reader quotes a report from Ars Technica: Android is slowly entering the RISC-V era. So far we've seen Google say it wants to give the up-and-coming CPU architecture "tier-1" support in Android, putting RISC-V on equal footing with Arm. Qualcomm has announced the first mass-market RISC-V Android chip, a still-untitled Snapdragon Wear chip for smartwatches. Now Google has announced a timeline for developer tools via the Google Open Source Blog. The last post is titled "Android and RISC-V: What you need to know to be ready."

Getting the Android OS and app ecosystem to support a new architecture is going to take an incredible amount of work from Google and developers, and these tools are laying the foundation for that work. First up, Google already has the "Cuttlefish" virtual device emulator running, including a gif of it booting up. This isn't the official "Android Emulator" -- which is targeted at app developers doing app development -- Cuttlefish is a hardware emulator for Android OS development. It's the same idea as the Android Emulator but for the bottom half of the tech stack -- the kernel, framework, and hardware bits. Cuttlefish lets Google and other Android OS contributors work on a RISC-V Android build without messing with an individual RISC-V device. Google says it's working well enough now that you can download and emulate a RISC-V device today, though the company warns that nothing is optimized yet.

The next step is getting the Android Emulator (for app developers) up and running, and Google says: "By 2024, the plan is to have emulators available publicly, with a full feature set to test applications for various device form factors!" The nice thing about Android is that most app code is written with no architecture in mind -- it's all just Java/Kotlin. So once the Android RunTime starts spitting out RISC-V code, a lot of app code should Just Work. That means most of the porting work will need to go into things written in the NDK, the native developer kit, like libraries and games. The emulator will still be great for testing, though.

Slashdot reader Striek remembers Silicon Valley's long history of open source develoipment — and how HashiCorp "made the controversial decision to change licenses from the Mozilla Public License to MariaDB's Business Source Licesne. The key difference between these two licenses is that the BSL limits its grant to "non-production use".

HashiCorp's CEO is now predicting there would be âoeno more open source companies in Silicon Valleyâ unless the community rethinks how it protects innovation, reports The Stack: While open source advocates had slammed [HashiCorp's] license switch, CEO Dave McJannet described the reaction from its largest customers as "Great. Because you're a critical partner to us and we need you to be a big, big company." Indeed, he claimed that "A lot of the feedback was, 'we wished you had done that sooner'" — adding that the move had been discussed with the major cloud vendors ahead of the announcement. "Every vendor over the last three or four years that has reached any modicum of scale has come to the same conclusion," said McJannet. "It's just the realisation that the open source model has to evolve, given the incentives that are now in the market."

He claimed the historic model of foundations was broken, as they were dominated by legacy vendors. Citing the case of Hadoop, he said: "They're a way for big companies to protect themselves from innovation, by making sure that if Hadoop becomes popular, IBM can take it and sell it for less because they are part of that foundation." The evolution to putting open source products on GitHub had worked "really, really well" but once a project became popular, there was an incentive for "clone vendors to start taking that stuff." He claimed that "My phone started ringing materially after we made our announcement from every open source startup in Silicon Valley going 'I think this is the right model'."

He said the Linux Foundation's adoption of Open Tofu raised serious questions. "What does it say for the future of open source, if foundations will just take it and give it a home. That is tragic for open source innovation. I will tell you, if that were to happen, there'll be no more open source companies in Silicon Valley."
Hashicorp also announced a beta using generative AI to produce new module tests, and HCP Vault Radar, which scans code for secrets, personally identifiable information, dependency vulnerabilities, and non-inclusive language.

AlmaLinux is creating a Red Hat Enterprise Linux (RHEL) without any Red Hat code. Instead, AlmaLinux OS will aim to be Application Binary Interface (ABI) compatible and use the CentOS Stream source code that Red Hat continues to offer. Additional code is pulled from Red Hat Universal Base Images, and upstream Linux code. Benny Vasquez, chairperson of the AlmaLinux OF Foundation, explained how all this works at the open-source community convention All Things Open. ZDNet's Steven Vaughan-Nichols reports: The hardest part is Red Hat's Linux kernel updates because, added Vasquez, "you can't get those kernel updates without violating Red Hat's licensing agreements." Therefore, she continued, "What we do is we pull the security patches from various other sources, and, if nothing else, we can find them when Oracle releases them." Vasquez did note one blessing from this change in production: "AlmaLinux, no longer bound to Red Hat's releases, has been able to release upstream security fixes faster than Red Hat. "For example, the AMD microcode exploits were patched before Red Hat because they took a little bit of extra time to get out the door. We then pulled in, tested, and out the door about a week ahead of them." The overall goal remains to maintain RHEL compatibility. "Any breaking changes between RHEL and AlmaLinux, any application that stops working, is a bug and must be fixed."

That's not to say AlmaLinux will be simply an excellent RHEL clone going forward. It plans to add features of its own. For instance, Red Hat users who want programs not bundled in RHEL often turn to Extra Packages for Enterprise Linux (EPEL). These typically are programs included in Fedora Linux. Besides supporting EPEL software, AlmaLinux has its own extra software package -- called Synergy -- which holds programs that the AlmaLinux community wants but are not available in either EPEL or RHEL. If one such program is subsequently added to EPEL or RHEL, AlmaLinux drops it from Synergy to prevent confusion and duplication of effort.

This has not been an easy road for AlmaLinux. Even a 1% code difference is a lot to write and maintain. For example, when AlmaLinux tried to patch CentOS Stream code to fix a problem, Red Hat was downright grumpy about AlmaLinux's attempt to fix a security hole. Vasquez acknowledged it was tough sledding at first, but noted: "The good news is that they have been improving the process, and things will look a little bit smoother." AlmaLinux, she noted, is also not so much worried as aware that Red Hat may throw a monkey wrench into their efforts. Vasquez added: "Internally, we're working on stopgap things we'd need to do to anticipate Red Hat changing everything terribly." She doesn't think Red Hat will do it, but "we want to be as prepared as possible."

"A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained," reports InfoWorld: In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects — 118,028 — were receiving active maintenance.

The report also found some new projects, unmaintained in 2022, now being maintained.

The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. Some Go projects also were included. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.
Other interesting findings:

• Nearly 10% reported security breaches due to open source vulnerabilities in the past 12 months.

• Use of AI and machine learning software components within corporate environments surged 135% over the last year.

Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."

TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."

At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks." It did, however, face criticism from the security community over its response to the vulnerabilities -- and the proprietary nature of the encryption algorithms, which makes it more difficult for proper pentesting of the emergency network system. "This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."