Red Hat Software

Red Hat Joins the RISC-V Foundation (phoronix.com) 49

Red Hat has joined the RISC-V Foundation to help foster this open-source processor ISA. Phoronix reports: While we're still likely years away from seeing any serious RISC-V powered servers at least that can deliver meaningful performance, Red Hat has been active in promoting RISC-V as an open-source processor instruction set architecture and one of the most promising libre architectures we have seen over the years. Red Hat developers have already helped in working on Fedora's RISC-V support and now the IBM-owned company is helping out more and showing their commitment by joining the RISC-V Foundation. Red Hat joins the likes of Google, NVIDIA, Qualcomm, SiFive, Western Digital, IBM, and Samsung as among the many RISC-V members.
Red Hat Software

Final Red Hat Enterprise Linux 7 Version Released (zdnet.com) 69

The last RHEL release, RHEL 7.7, is now available for current Red Hat Enterprise Linux subscribers via the Red Hat Customer Portal. ZDNet reports on what's new: RHEL 7.7's most important updates are support for the latest generation of enterprise hardware and remediation for the recently disclosed ZombieLoad vulnerabilities. The latest RHEL 7 also includes network stack performance enhancements. With this release, you can offload virtual switching operations to network interface card (NIC) hardware. What that means for you is, if you're using virtual switching and network function virtualization (NFV), you'll see better network performance on cloud and container platforms such as Red Hat OpenStack Platform and Red Hat OpenShift.

RHEL 7.7 users can also use Red Hat's new predictive problem shooter: Red Hat Insights. This uses a software-as-a-service (SaaS)-based predictive analytics approach to spot, assess, and mitigate potential problems to their systems before they can cause trouble. For developers, RHEL 7.7 comes with Python 3.6 interpreter, and the pip and setup tools utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections. Moving on to the cloud, RHEL 7.7 Red Hat Image Builder is now supported. This feature, which is also in RHEL 8, enables you to easily create custom RHEL system images for cloud and virtualization platforms such as Amazon Web Services (AWS), VMware vSphere, and OpenStack. To help cloud-native developers, RHEL 7.7 includes full support for Red Hat's distributed-container toolkit -- buildah, podman, and skopeo -- on RHEL workstations. After building on the desktop, programmers can use Red Hat Universal Base Image to build, run, and manage containerized applications across the hybrid cloud.

IBM

IBM Closes Its $34 Billion Acquisition of Red Hat (cnbc.com) 95

IBM closed its $34 billion acquisition of Red Hat, the companies announced Tuesday. From a report: The deal was originally announced in October, when the companies said IBM would buy all shares in Red Hat for $190 each in cash. The acquisition of Red Hat, an open-source, enterprise software maker, marks the close of IBM's largest deal ever. It's one of the biggest in U.S. tech history. Excluding the AOL-Time Warner merger, it follows the $67 billion deal between Dell and EMC in 2016 and JDS Uniphase's $41 billion acquisition of optical-component supplier SDL in 2000. Under the deal, Red Hat will now be a unit of IBM's hybrid cloud division, according to the original announcement. The companies said Red Hat's CEO, Jim Whitehurst, would join IBM's senior management team and report to CEO Ginni Rometty. IBM previously said it hoped its acquisition of Red Hat will help it do more work in the cloud, one of its four key growth drivers, which are also social, mobile and analytics. The company lags behind Amazon and Microsoft in the cloud infrastructure business. IBM has seen three consecutive quarters of declining year-over-year revenue. But some analysts are hopeful about the Red Hat deal's opportunity to bring in new business.
Java

'Java Web Start Is Dead. Long Live Java Web Start!' (openwebstart.com) 62

An anonymous reader reminded us about the open source reimplementation of Java Web Start, a framework originally developed by Sun Microsystems that allowed users to more easily run Java applications in an applet-like sandbox using a web browser.

From OpenWebStart.com: Java Web Start (JWS) was deprecated in Java 9, and starting with Java 11, Oracle removed JWS from their JDK distributions. This means that clients that have the latest version of Java installed can no longer use JWS-based applications. And since public support of Java 8 has ended in Q2/2019, companies no longer get any updates and security fixes for Java Web Start.

This is why we decided to create OpenWebStart, an open source reimplementation of the Java Web Start technology. Our replacement will provide the most commonly used features of Java Web Start and the JNLP standard, so that your customers can continue using applications based on Java Web Start and JNLP without any change.

Red Hat is apparently involved in its parent project, IcedTea-Web, which it distributes as part of their Windows OpenJDK distribution.
Red Hat Software

Red Hat Changes Logo After Customers Call It 'Sinister', 'Secretive' (redhat.com) 180

Red Hat's chief marketing officer discovered their logo was rendering poorly in digital formats (especially on small devices like smartphones). But then they discovered even bigger problems in surveys (including with potential customers) about what feelings the logo evoked: Sinister. Secretive. Evil. Sneaky. These respondents might not have known anything about Red Hat, but they did believe that man lurking in the shadows didn't immediately inspire their trust. In their survey responses, they wondered who he was and what he was doing in the logo.... Our iconic logo -- including the partially veiled, fedora-wearing "Shadowman," as we Red Hatters affectionately call him -- wasn't squaring with the values we firmly believed the logo stands for...

When we decided to undertake an evolution of the Red Hat logo -- the first in nearly 20 years -- we set two guiding principles for ourselves. First, we'd do the work the Red Hat way, in the open. And second, we'd take this opportunity not just to improve our logo, but to make a bold statement about the ways Red Hat has evolved over its 26-year history... In December 2017, I announced our plans to update our look with a global invitation to collaborate. And since then, Red Hat's Brand team has been collecting feedback from customers and partners, coordinating work with well-known design consultancy Pentagram, poring over survey data, and iterating, iterating, iterating on the new design -- which we're now ready to unveil....

The new logo reflects Red Hat's evolution -- from a scrappy upstart "sneaking" into data centers with boxed copies of a Linux-based operating system (not to mention mugs and t-shirts) to the world's leading provider of open source solutions for enterprise hybrid cloud environments, someone working daily with the largest companies and agencies in the world to develop and run mission-critical solutions. We've truly stepped out of the shadows.

Open Source

Does Open Source Have a 'Working For Free' Problem? (tidelift.com) 191

"Let's abandon the notion that open source is exclusively charity," writes Havoc Pennington, a free software engineer (and former Red Hat engineer) who's now a co-founder of Tidelift: Look around. We do have a problem, and it's time we do something about it.... The lack of compensation isn't just bad for individual developers -- it also creates social problems, by amplifying existing privilege.... The narrative around open source is that it's completely OK -- even an expectation -- that we're all doing this for fun and exposure; and that giant companies should get huge publicity credit for throwing peanuts-to-them donations at a small subset of open source projects.

There's nothing wrong with doing stuff for fun and exposure, or making donations, as an option. It becomes a problem when the free work is expected and the donations are seen as enough... What would open source be like if we had a professional class of independent maintainers, constantly improving the code we all rely on?

The essay suggests some things to consider, including asking people to pay for:
  • Support requests
  • Security audits/hardening and extremely good test coverage
  • Supporting old releases
  • License-metadata-annotation practices that are helpful for big companies trying to audit the code they use, but sort of a pain in the ass and nobody cares other than these big companies.

"Right now many users expect, and demand, that all of this will be free. As an industry, perhaps we should push back harder on that expectation. It's OK to set some boundaries..."

"Of course this relates to what we do at Tidelift -- the company came out of discussions about this problem, among others... In our day-to-day right now we're specifically striving to give subscribers a way to pay maintainers of their application dependencies for additional value, through the Tidelift Subscription. But we hope to see many more efforts and discussions in this area.... [I]n between a virtual tip jar and $100 million in funding, there's a vast solution space to explore."


Oracle

Red Hat Takes Over Maintenance of OpenJDK 8 and OpenJDK 11 From Oracle (infoworld.com) 55

"Red Hat is taking over maintenance responsibilities for OpenJDK 8 and OpenJDK 11 from Oracle," reports InfoWorld: Red Hat will now oversee bug fixes and security patches for the two older releases, which serve as the basis for two long-term support releases of Java. Red Hat's updates will feed into releases of Java from Oracle, Red Hat, and other providers... Previously, Red Hat led the OpenJDK 6 and OpenJDK 7 projects. Red Hat is not taking over OpenJDK 9 or OpenJDK 10, which were short-term releases with a six-month support window.
Open Source

SUSE Will Soon Be the Largest Independent Linux Company (qz.com) 57

At SUSECon in Nashville, Tennessee, European Linux power SUSE CEO Nils Brauckmann said his company would soon be the largest independent Linux company. "That's because, of course, IBM is acquiring Red Hat," reports ZDNet. "But, simultaneously, SUSE has continued to grow for seven-straight years." From the report: Brauckmann said, "We believe that makes our status as a truly independent open source company more important than ever. Our genuinely open-source solutions, flexible business practices, lack of enforced vendor lock-in, and exceptional service are more critical to customer and partner organizations, and our independence coincides with our single-minded focus on delivering what is best for them." Practically speaking, SUSE has been growing by focusing on delivering high-quality Linux and open-source programs and services to enterprise customers. Looking ahead Brauckmann said, "SUSE is better positioned to bring more innovation to customers and partners faster through both organic growth and acquisitions, keeping us on track to provide them with the open solutions that keep them ahead with their own customers in their own markets. We continue to adapt so our customers and partners can succeed."

Last year SUSE's revenue grew by 15 percent in fiscal year 2018, and the business is about to surpass the $400 million revenue mark for the first time. SUSE, which sees not quite half of its business in Europe, is also seeing revenue growth around the world. North America, for example, now accounts for almost 40 percent of SUSE's revenues. The company is also expanding. SUSE added more than 300 employees in the last 12 months. For the most part this has been in engineering followed by sales and services. SUSE staff is now approaching 1,750 globally and it plans on continuing to hire aggressively.

Red Hat Software

Red Hat Rejects MongoDB's 'Discriminatory' Server Side Public License (zdnet.com) 106

An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies, such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket have profited from it by offering it as a service while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).

Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....

The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr.

Red Hat Software

Red Hat Enterprise Linux Comes To Windows 10 in the Form of WLinux Enterprise (betanews.com) 124

Mark Wilson writes: Earlier in the year open-source software startup Whitewater Foundry brought WLinux to the Windows Subsystem for Linux (WSL). Not content with creating the first native Linux distribution for WSL, the company has now gone a step further, targeting enterprise users with WLinux Enterprise. Whitewater Foundry says that WLinux Enterprise is the first product to support the industry-standard Red Hat Enterprise Linux on Windows Subsystem for Linux.
Red Hat Software

Red Hat is Planning To Deprecate KDE on RHEL By 2024 (theregister.co.uk) 203

An anonymous reader shares a report: This week, the Linux distro biz emitted Fedora 29 and RHEL 7.6, and in the latter's changelog the following appears, which a Reg reader kindly just alerted us to: "KDE Plasma Workspaces (KDE), which has been provided as an alternative to the default GNOME desktop environment has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using KDE instead of the default GNOME desktop environment." In other words, if you're using RHEL on the desktop, at some point KDE will not be supported. As our tipster remarked: "Red Hat has never exactly been a massive supporter of KDE, but at least they shipped it and supported you using it."
Open Source

'Open Source Creators: Red Hat Got $34 Billion and You Got $0. Here's Why.' (tidelift.com) 236

Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't.

And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

Red Hat Software

Red Hat Enterprise Linux 7.6 Released (lwn.net) 53

Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology.

"TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."
Software

Fedora 29 Released (techrepublic.com) 31

ekimd writes: Fedora 29 is released today. Among the new features are the ability to allow parallel installation of packages such as Node.js. Fedora 29 also supports ZRAM (formerly called compcache) for ARMv7 and v8. In addition to the more efficient use of RAM, it also increases the lifespan of microSD cards on the Raspberry Pi as well as other SBCs.

"Additionally, UEFI for ARMv7 is now supported in Fedora 29, which also benefits Raspberry Pi users," reports TechRepublic. "Fedora already supported UEFI on 64-bit ARM devices."
IBM

IBM To Buy Red Hat, the Top Linux Distributor, For $34 Billion (bloomberg.com) 398

International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management.

IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

Open Source

New SystemD Vulnerability Discovered (theregister.co.uk) 204

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Security

Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) 114

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Windows

Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com) 61

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
Bug

TCP Flaw Lets Remote Attackers Stall Devices With Tiny DoS Attack (zdnet.com) 54

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.
The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."
Open Source

Red Hat Changes Its Open-Source Licensing Rules (zdnet.com) 160

An anonymous reader quotes ZDNet: When leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License (GPLv2) or GNU Lesser General Public License (LGPL) v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal. Both older open-source licenses are widely used.

When the GPLv3 was released, it came with an express termination approach that offered developers the chance to cure license compliance errors. This termination policy in GPLv3 provided a way for companies to repair licensing errors and mistakes... Other companies -- CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE -- have taken similar GPL positions... In its new position statement, Red Hat explained that the GPLv2 and LGPL, as written, have led to the belief that automatic license termination and copyright infringement claims can result from a single act of inadvertent non-compliance.

"We hope that others will also join in this endeavor," says Red Hat's senior commercial counsel, Richard Fontana, "to reassure the open source community that good faith efforts to fix noncompliance will be embraced."

ZDNet points out that the move to new licenses "doesn't apply, of course, to Linux itself. Linus Torvalds has made it abundantly clear that Linux has been, will now, and always shall be under the GPLv2."
