Linux Archives - SD Times (https://sdtimes.com/tag/linux/)

Open Source Summit: AWS open sources Cedar, SPDX Release Candidate 3.0, and OpenSSF updates
https://sdtimes.com/open-source/open-source-summit-aws-open-sources-cedar-spdx-release-candidate-3-0-and-openssf-updates/
Wed, 10 May 2023 19:11:10 +0000

Open Source Summit North America is taking place this week in Vancouver. The event, hosted by the Linux Foundation, is a celebration of the open source community. It has the support of many major players in the industry, with news announced during the event coming from AWS, Meta, and more. 

Here are highlights of the event so far: 

AWS open sources Cedar policy language and SDK  

The Cedar language enables you to set permissions in your applications using easy-to-understand policies. By making use of Cedar, application teams can decouple access control from application logic. 

It supports role-based access control and attribute-based access control, and was developed using verification-guided development, which ensures Cedar is correct and secure. 

The language’s SDKs are also being made available, which include libraries for creating and evaluating policies. 

AWS hopes that by open sourcing the language, they can foster more innovation in the industry around fine-grained access management and make access control more accessible to all. 

AWS also announces new open-source fuzzing framework

According to AWS, current fuzzing practices require large codebases to be refactored in order to work properly. The new framework, Snapchange, allows targets to undergo fuzz testing with minimal modifications.

Built in Rust, Snapchange enables developers to build fuzzers that replay snapshots of physical memory in a KVM virtual machine.

SPDX Release Candidate 3.0 now available

Software Package Data Exchange (SPDX) is an open source standard for communicating the information in a bill of materials. It is currently hosted by the Linux Foundation. 

In RC 3.0, there are now six unique profiles that are designed for popular use cases, with the goal being that SPDX better meets the needs of the industry. The profiles were created based on community input and include specifications for security, licensing, AI, datasets, and software packaging build processes. 

According to the Linux Foundation, the United States’ executive order on cybersecurity and Europe’s Cyber Resiliency Act served as inspiration for the need to have an international standard for supply chain security, which SPDX hopes to be. 

OpenSSF gets major funding from Google and Microsoft, new members

Through its Alpha-Omega Project, OpenSSF has recently received $2.5 million from Google and $2.5 million from Microsoft. 

OpenSSF also announced that Hitachi, Lockheed Martin, Salesforce, and SAP have become general members.

The foundation also announced that Omkhar Arasaratnam will be its new general manager and Brian Behlendorf will be chief technology officer. 

Meta joins the OpenJS Foundation

The OpenJS Foundation provides support for the open source JavaScript community. With Meta joining the foundation as a Gold Member, they will be able to contribute and advocate in the community further.

Meta had already been highly involved with the open source JavaScript community, through its projects React, Jest, and Flow. Jest is an open source testing framework, which Meta contributed to the OpenJS Foundation last year. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director.

Rust’s addition to the Linux kernel seen as “enormous vote of confidence” in the language
https://sdtimes.com/software-development/rusts-addition-to-the-linux-kernel-seen-as-enormous-vote-of-confidence-in-the-language/
Mon, 21 Nov 2022 17:00:08 +0000

The release candidate for the latest version of the Linux kernel was announced last month, and one of the highlights in the release notes for Linux 6.1 is the inclusion of the initial infrastructure for adding Rust as a language. 

Rust has been growing steadily in popularity through the years, and though according to the 2022 Stack Overflow Developer Survey 9 percent of developers use it, it has spent seven years in the top spot for “most loved” language. In this year’s survey almost 87% of developers said they love Rust, which is about 10 percentage points higher than the second-most loved language, Elixir. 

According to Joel Marcey, director of advocacy and operations for the Rust Foundation, one of the benefits of Rust over C, the current language for the Linux kernel, is that it provides security without sacrificing the performance and speed that C provides. One of the key points of the language that people love is that it is memory safe.

“With Rust, you don’t have to concern yourself with explicit and precise memory management, right? So you don’t have to worry about, you know, allocating and de-allocating pointers, and those sorts of things, which can actually be really big causes of things like buffer overflows, and other really big security vulnerabilities,” said Marcey. 

In the release notes, Linus Torvalds described what is in 6.1 as “initial Rust scaffolding,” as no Rust code is actually present yet. 

“What they’re doing is actually providing the metal so that you can actually write Rust in the future,” Marcey explained. “So they’re providing the infrastructure so that you can compile Rust code. That’s what’s going to be needed initially in order to do any future work with Rust in the Linux kernel … You need to get all those things that can make sure that Rust can compile and, and you can do the debugging and all these things, and make sure that the memory safety is there and all that sort of stuff. And that has to happen first before you can actually write any real code in Rust for the Linux kernel itself.”

Marcey explained that Linux is going to be doing this inclusion very piecemeal, with lots of little integrations here and there over time so they can see how it is working.  

“I would imagine that over the next year, you’re going to see more small incremental changes to the kernel with Rust, but as people are seeing that it’s actually kind of working out, you’ll be able to maybe, for example, write Linux drivers or whatever with Rust,” said Marcey. 

In fact, work has already been done since the 6.1 release to add more infrastructure for Rust in the kernel, though still none of the code interacts with any C code. This patch series is part of the dedicated effort to continue adding Rust support. 

According to Rebecca Rumbul, executive director of the Rust Foundation, Rust being added to the kernel is an “enormous vote of confidence in the Rust programming language.” She explained that in the past other languages have been planned to make it into the kernel and ended up not getting put in. 

“I think having someone with the kind of intellectual gravity of Linus Torvalds saying ‘No, it’s going in there,’ that kind of says an awful lot about how reliable Rust already is and how much potential there is for the future as well,” she said. 

She believes that there will be an increased interest in the language, which is still relatively new (it first made its debut in 2010) compared to some of the other languages out there to choose from.

“I suspect that because Rust is now in the kernel, and it’s just being talked about much … more widely, that it will seem like an attractive prospect to a lot of people that are looking to develop their skills and their knowledge,” she said.

She hopes people will also be inspired to participate in the language as contributors and maintainers, because those are some of the less popular roles within open source, but are extremely critical to the health of a language, she explained. 

Rumbul noted that the Rust community is a diverse and welcoming one as well. 

“Don’t think for a second, ‘oh, I’m not good enough.’ Or don’t be dazzled by people that you’ve seen in the project doing things publicly or doing things on GitHub. As I said, the community is incredibly welcoming. And we get an awful lot of imposter syndrome, I think, where people think they’re not quite good enough to take part or it looks like it’s working from the outside, therefore, we don’t need any help. I know the project teams are all incredibly enthusiastic about bringing new people in,” said Rumbul.

In addition to the Linux news, the Rust Foundation also made headlines recently for forming a new security program so they can explore how to solve global security issues with Rust. 

The program received significant funding from the OpenSSF’s Alpha-Omega initiative and is also being supported by DevOps company JFrog, which is a platinum member of the Rust Foundation. 

The first goal of the program is to “undertake a security audit and threat modeling exercises to identify how security can be economically maintained going forward,” a blog post from the Rust Foundation states. 

“We want to basically shore up to ensure that Rust itself is actually as secure as we always say it is,” said Marcey. 

Complaints over pull requests

There was also some controversy in this latest Linux release, as Torvalds expressed frustration at the number of pull requests coming in at the end of the merge window. 

“Yes, the merge window is two weeks, but that’s very much to allow me time to look things over, not ‘two weeks to hurriedly put together a branch that you send Linus on Friday of the second week.’ The whole ‘do an all-nighter to get the paper in the day before the deadline’ is something that should have gone out the window after high school. Not for kernel development,” he wrote. 

He clarified that pull requests should be sent before the merge window starts, not during it.

A Linux expert tells why she thinks the kernel is so important
https://sdtimes.com/os/a-linux-expert-tells-why-she-thinks-the-kernel-is-so-important/
Mon, 07 Feb 2022 20:14:11 +0000

Last month, the Linux kernel turned 30. If you’re someone who’s been immersed in the Linux world since Y2K like me, it may feel a bit surreal that so much time has passed since the kernel’s inception. 

As a training architect at A Cloud Guru (ACG), I teach courses about all things Linux and specialize in hands-on, lab-based learning. Before joining ACG, I worked as a Unix systems engineer at GE and IBM as well as Technical Account Manager and customer advocate for Red Hat. I’m hugely passionate about Linux because of its importance to my career, just as it is important to the careers of so many other engineers and Linux enthusiasts.

In its 30 years of existence, the Linux kernel has had a massive impact on the modern computing landscape — revolutionizing what’s possible for operating systems and allowing countless tinkerers to get their hands dirty in the process. Linux has also become the foundation of paradigm shifting innovations over the years due to its ever-evolving nature. 

To commemorate 30 years of Linux, I’m sharing some of the key reasons why the kernel is so valuable and why it will continue to be a major player in the computing landscape for years to come. 

My Linux journey

My first exposure to Linux was in college in 1999. I took an introductory Unix Shell Scripting class and Fedora was installed on the lab servers because it was free and easily scalable. I view Linux as my entry-point into customizable operating systems. After learning basic Unix commands on Linux, I ultimately went on to pursue a career supporting multiple commercial Unix vendors. 

As Linux made its way into larger Enterprise level companies, I quickly returned to working with Linux distributions. Something I’ve always loved about Linux is the capacity to fine tune your system to support the applications and distros that work best for your projects. Linux improves the functionality of whatever applications you’re running. The Linux kernel has literally changed how the world processes information, which is why I’m so invested in the software. 

Now, it’s my job to share my knowledge and passion about Linux to other technologists. At ACG, I develop courses to help aspiring Linux experts learn how to optimize their systems. Additionally, I contribute to “Linux this Month,” an ACG-hosted web series that provides monthly updates from the global Linux community. 

The fact that I am able to build a career around teaching Linux and staying up to date with Linux news shows the vast uses and applications of the kernel. What makes Linux so unique and evergreen is its open-source nature – Linux innovations are only limited by the creativity of the technologists who use and adapt it. 

The open-source effect

When Linux first arrived, it was mostly a hobby for enthusiastic engineers and Computer Science students who could contribute by developing code. The steep learning curve associated with fitting Linux to your machine was a barrier for more novice programmers. 

Over time, this has changed considerably. Online forums, workshops, and classes have made Linux more accessible to the average internet user. The free sharing of ideas has come to epitomize the open-source community, and for software engineers, Linux is at the heart of this community. This democratization of Linux has had incredibly positive impacts on the computing world. 

Now, Linux is everywhere. Enterprise level companies use Linux distributions to process the biggest production workloads in the world. It has replaced proprietary commercial Unix operating systems in very large companies with better stability and less down time. Because Linux systems can be as small or as large as you want, it’s also now being used in our homes for smart and mobile devices as well.

The open-source nature of Linux is incredibly beneficial for these enterprise level companies. Linux distributors leverage the contributions of the entire open-source community. This wide range of contributors produces a more stable product with more features, but also ensures that the OS keeps growing and solving real world problems that are beneficial to a wide range of users. 

Linux runs the cloud 

Potentially the most impactful outcome of the kernel is the infrastructure of modern cloud computing. Linux’s scalability has paved the way for supercomputers and server farms to function efficiently while requiring relatively light-weight computing resources. In fact, Linux supports about 90% of the public cloud workload.  

Without Linux, the cloud as we know it would not exist. This is, in part, because Linux has become so ubiquitous – its use cases are nearly limitless. Because it has been time-tested, many engineers and IT professionals have a strong grasp on Linux fundamentals, making it an attractive choice for enterprise companies dealing in the cloud.

Cloud-based software and products are increasingly becoming the norm in the engineering world. Unsurprisingly, major cloud providers such as AWS, Azure, and Google Cloud are all supported by Linux as well. Linux is unique because it is a shape-shifter that can conform to the needs of any given engineering environment, and it’s incredibly stable because of the army of contributors that fortify weak points in the software.

Linux forever

The Linux “concept” is just as important as the Linux product. The concept allows a free and open source operating system to be refined, reinforced, and replicated across an endless web of contributors. Thirty years is a long time for a software to be relevant, especially with the ever-shortening tech product cycles. Because it was designed with the intention to be changed and updated by an open-source community, Linux has no foreseeable expiration date. 

Had Linux not achieved the prominence it has today, we would see more commercial Unix vendors attempting to solve some of the problems that Linux addresses, but none would address them all. Additionally, customers would have to choose which OS to invest in based on which addresses some of their use cases, but none would be as beneficial as the Linux OS. 

Linux is always growing and will become even more popular within the next few years. As more people become familiar with Linux and learn to use it, I see major potential for growth in the mobile computing space, within personal computers, and across small and large companies. In fact, we are already seeing it filter into home gaming systems and Raspberry Pi projects. With Linux, the sky’s the limit!

Linux Foundation announces new certification and courses in open source development
https://sdtimes.com/os/linux-foundation-announces-new-certification-and-courses-in-open-source-development/
Wed, 19 Jan 2022 18:06:47 +0000

The Linux Foundation announced that it created three new training courses on the edX platform, which cover Linux, Git, and other open source development tools. 

The courses can be taken individually or combined to earn a Professional Certificate in Open Source Software Development, Linux and Git.

Open Source Software Development: Linux for Developers (LFD107x) covers concepts that are crucial in developing open-source software, as well as how to work productively in a Linux environment. Students will learn about Linux systems, including key concepts like installation, desktop environments, text editors, important commands and utilities, command shells and scripts, filesystems, and compiling software.

The second course, Linux Tools for Software Development (LFD108x), goes over the tools that one would use in everyday work in Linux development. It is intended for developers who are experienced with working on any operating system and who want to learn the basics of open-source development.

The final course, Git for Distributed Software Development (LFD109x), offers an introduction to Git and it will prepare participants to use Git to create new repositories or to clone existing ones, commit new changes, review revision histories, and more. 

To earn the professional certificate, participants must enroll in the program, complete all three courses, and pay a verified certificate fee of $149 per course. 

SD Times Open-Source Project of the Week: BumbleBee
https://sdtimes.com/softwaredev/sd-times-open-source-project-of-the-week-bumblebee/
Fri, 07 Jan 2022 14:00:12 +0000

BumbleBee simplifies building extended Berkeley Packet Filter (eBPF) tools and allows users to package, distribute, and run them anywhere. 

eBPF makes the Linux kernel extensible: developers can program the kernel to quickly build intelligent or feature-rich functions based on their business needs.

BumbleBee brings a Docker-like experience for eBPF, and through simple bee CLI commands, users can easily build, run, and distribute their eBPF programs as OCI (Open Container Initiative) images and plug the images into their existing OCI image workflows.

BumbleBee is built using libbpf and allows you to focus on writing your eBPF code while taking care of the user space components automatically. 

BumbleBee automatically detects and displays maps in your program that allow the user space and kernel space programs to share data. This is accomplished through the use of special BPF conventions and keywords.

“Through these simple bee init, build, run, list, and push commands, we are excited to bring the Docker-like experience to eBPF so that developers can not only easily build eBPF programs but also collaborate and share their eBPF programs with others through their favorite OCI image repositories,” Lin Sun, the director of open-source at Solo.io, wrote in a blog post.

IBM launches guide for contributing to open source cloud projects
https://sdtimes.com/softwaredev/ibm-launches-guide-for-contributing-to-open-source-cloud-projects/
Mon, 18 Oct 2021 16:37:46 +0000

Today, IBM released the Open Source Cloud Guide which highlights various use cases that are important in hybrid cloud environments and features the important open-source projects in those areas. 

The guide offers an overview of the concept or use case, an explanation of a traditional solution to achieve it, key open-source projects, and a highlight of how major cloud providers are using open source to address the use case.

“Because every major cloud platform uses open-source software in their infrastructure, developing skills related to open technology makes developers more desirable to potential employers and helps developers compete in hybrid environments; that is, those that provide the ability and flexibility of running parts or all of your cloud solution and services on premises and/or on a public cloud, and/or in multiple clouds,” Todd Moore, VP of open technology at IBM, and Christopher Ferris, IBM Fellow and IBM’s CTO of open technology wrote in a blog post. 

A recent O’Reilly survey that IBM commissioned in late 2020 found that the most desired of the open-source skills are around Linux (containers), artificial intelligence and machine learning, and data storage, each of which IBM now has guides for. 

The guide aims to answer questions on how these skills translate to developing for hybrid cloud environments inclusive of the major cloud providers. 

SD Times news digest: TypeScript 4.4 beta, Rust support improvements in Linux kernel, Sauce Labs acquires Backtrace
https://sdtimes.com/msft/sd-times-news-digest-typescript-4-4-beta-rust-support-improvements-in-linux-kernel-sauce-labs-acquires-backtrace/
Tue, 06 Jul 2021 14:58:39 +0000

Some of the major highlights of the TypeScript 4.4 beta are control flow analysis of aliased conditions, symbol and template string pattern index signatures and more. 

With control flow analysis of aliased conditions enabled, developers don’t have to convince TypeScript of a variable’s type whenever it is used because the type-checker leverages something called control flow analysis to deduce the type within every language construct.

TypeScript also now lets users describe objects where every property has to have a certain type using index signatures to form dictionary-like types, where string keys can be used to index into them with square brackets.

Additional details on all of the highlights in the new version are available here.

Rust support improvements in Linux kernel 

The Linux kernel received several major improvements to overall Rust support including removed panicking allocations, added support for the beta compiler as well as testing.

The goal with the improvements is to have everything the kernel needs in the upstream ‘alloc’ and to drop it from the kernel tree. ‘Alloc’ is now compiled with panicking allocation methods disabled, so that they cannot be used within the kernel by mistake.

As for compiler support, Linux is now using the 1.54-beta1 version as its reference compiler. At the end of this month, `rustc` 1.54 will be released, and the kernel will move to that version as the new reference. 

Additional details on all of the support improvements are available here.

Sauce Labs acquires Backtrace

Sauce Labs announced that it has acquired Backtrace, a provider of error monitoring solutions for software teams. 

“Combined with our recent acquisitions of API Fortress, AutonomIQ, and TestFairy, the addition of Backtrace extends Sauce Labs solutions to meet every stage of the development journey. We’re thrilled to welcome the talented people and products of Backtrace and look forward to supporting their high-quality innovation as part of the Sauce Labs team,” said Aled Miles, president and CEO of Sauce Labs.

Backtrace offers a cross-platform error monitoring solution for desktop, mobile, devices, game consoles, and server platforms that helps organizations reduce debugging time and improve software quality.

Apache weekly update

Last week at the Apache Software Foundation (ASF) saw the release of Apache Camel 3.11, which includes a new ‘camel-kamelet-main’ component intended for developers to try out or develop custom Kamelets, a ‘getSourceTimestamp’ API on ‘Message’ and more.

Apache MetaModel, which was a common interface for discovery, exploration of metadata and querying of different types of data sources, has been retired.

Also, Apache Druid was found to have a vulnerability that allowed authenticated users to read data from other sources than intended.

Other new releases last week included Apache Geode 1.13.3 and 1.12.3. Additional details on all news from the ASF are available here.  

Linux Technical Advisory Board releases report on UMN patches
https://sdtimes.com/security/linux-technical-advisory-board-releases-report-on-umn-linux-kernel-patches/
Thu, 06 May 2021 21:08:26 +0000

The Linux Technical Advisory Board (TAB) released a new report to show the remediation measures that were undertaken after researchers from the University of Minnesota (UMN) submitted compromised code submissions to the Linux kernel.

UMN previously submitted many bug fixes that were merged into kernel releases as part of an, but the breach of trust between the community and UMN first started when UMN researchers did an experimental research project on “Hypocrite Commits” that involved intentionally submitting patches that caused issues with the kernel in August last year.

As a result, Greg Kroah-Hartman, a Linux kernel maintainer, asked the community to stop accepting patches from UMN and began a re-review of all submissions previously accepted from the university after perceiving that they were sending compromised code.

The university has since retracted the “Hypocrite Commits” paper and Kroah-Hartman posted a final set of reverts this week.

The university allowed researchers to use fake identities when agreeing to the “Developers Certificate of Origin,” a legal statement that is required about the work being submitted. 

The university researchers then sent five problematic patches to the public Linux kernel mailing list.

Patch 1 was rejected and put under a false name. Patch 2 tried to gain acceptance by quoting the syzbot tool, although it was quickly rejected. Patches 3 and 4 were found on review to be incorrect and a reviewer offered possible changes, which the original submitter did not fix. Patch 5 was rejected after a reviewer noticed a similar fake name that was used for Patch 2.

The Linux Advisory Board hopes that with due diligence in fixing the errors, it can restore faith in the kernel community to accept submissions from researchers. 

“The developer community should be able to trust that researchers are sending quality patches meant to improve the kernel, and researchers should trust the developer community will not undermine the researchers’ reputations when mistakes are made,” the Linux Technical Advisory Board stated in the report. “The recommendations in this report aim to move beyond this conflict, providing a way to help both communities to work together better.”

UMN security researchers apologize to the Linux community https://sdtimes.com/security/umn-security-researchers-apologize-to-the-linux-community/ Wed, 28 Apr 2021 17:34:31 +0000
The University of Minnesota’s Computer Science and Engineering Department security researchers are facing intense scrutiny from the Linux community for intentionally trying to insert bugs into Linux patches. The buggy patches were a part of the research paper On the Feasibility of Stealthily Introducing Vulnerabilities in Open Source Software via Hypocrite Commits.

The paper stated: “As proof of concept, we take the Linux kernel as target OSS and safely demonstrate that it is practical for a malicious committer to introduce use-after-free bugs. Furthermore, we systematically measure and characterize the capabilities and opportunities of a malicious committer. At last, to improve the security of OSS, we propose mitigations against hypocrite commits, such as updating the code of conduct for OSS and developing tools for patch testing and verification.”

However, the experiment did not go as planned and was not well received by the community. Linux kernel maintainer Greg Kroah-Hartman tweeted: “Linux kernel developers do not like being experimented on, we have enough real work to do.”

Jered Floyd, a member of Red Hat’s technical staff, agreed, tweeting: “This is worse than just being experimented upon; this is like saying you’re a “safety researcher” by going to a grocery store and cutting the brake lines on all the cars to see how many people crash when they leave. Enormously unethical.”

As a result, Kroah-Hartman decided to ban the university from contributing to the Linux kernel going forward. “Our community does not appreciate being experimented on, and being “tested” by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here,” he wrote. “I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.”

The UMN department of computer science and engineering published an open letter to the Linux community apologizing for its mistakes. “We sincerely apologize for any harm our research group did to the Linux kernel community. Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the “hypocrite commits” paper was inappropriate. As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches. While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission,” the letter stated.

In another letter obtained by ZDNet, Linux Foundation’s senior vice president and general manager of projects Mike Dolan asked the researchers to “identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code, so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.”

SD Times news digest: Circonus’ new Linux host monitoring dashboard, API company Reshuffle joins Twitter, and PyPI becomes a GitHub secret scanning integrator https://sdtimes.com/api/sd-times-news-digest-circonus-new-linux-host-monitoring-dashboard-api-company-reshuffle-joins-twitter-and-pypi-becomes-a-github-secret-scanning-integrator/ Wed, 24 Mar 2021 15:16:02 +0000
The new Linux host monitoring dashboard by Circonus is designed to enable users to efficiently and accurately monitor their Linux hosts and to diagnose and resolve issues. 

The solution utilizes the company’s Circonus Unified Agent (CUA), which is a single collection agent that consolidates all host and services monitoring.

“One of the top issues we hear from companies who are frustrated with their monitoring systems is lack of clarity into their data and time to identify and resolve issues. Our Linux host monitoring dashboard directly addresses this challenge,” Kevin Kamel, the vice president of product and customer success at Circonus wrote in a blog post. “It collects and graphs more metrics than other solutions, giving users immediate, deep insights into their systems. As a result, they can more efficiently make sense of their data, troubleshoot issues, and validate that everything is working as expected.”

API company Reshuffle joins Twitter

The Reshuffle team will join the Developer Platform team at Twitter, where they’ll focus on key areas across product, engineering and developer relations to advance the Twitter API.

Reshuffle previously built an integration platform that lets developers easily build workflows and connect systems using any API. 

While Reshuffle will be winding down its commercial product, their team will continue to offer its open source project for the developer community, according to a blog post.

Python Package Index becomes a GitHub secret scanning integrator

Starting today, GitHub will scan every commit to a public repository for exposed PyPI API tokens.

Then, any discovered tokens will be forwarded to PyPI, which will automatically disable them and notify their owners. 

In addition, GitHub Advanced Security customers can now also scan their private repositories for leaked secrets.


UpConnectMe social media platform launched

The UpConnectMe social media platform offers a secure and ad-free environment for interaction with friends and family.

“Through countless hours of research, I have discovered that those who value privacy enough will be willing to pay for it. So now, for the price of one coffee per month, a safe and secure platform can be utilized to interact with friends and family without having to worry about ads or data mining,” said Anil Nimmagadda, a Naples, FL entrepreneur. 

UpConnectMe is available for a monthly subscription fee of around $4, which gives users access to an ad-free environment with no data mining, AI or algorithms.
