CCC – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Mon, 26 Aug 2019 02:33:17 +0000

Linux Action News 120 https://original.jupiterbroadcasting.net/133822/linux-action-news-120/ Sun, 25 Aug 2019 18:33:17 +0000

Show Notes: linuxactionnews.com/120

The post Linux Action News 120 first appeared on Jupiter Broadcasting.

FOSS Clothing | BSD Now 280 https://original.jupiterbroadcasting.net/128781/foss-clothing-bsd-now-280/ Thu, 10 Jan 2019 09:50:51 +0000

The post FOSS Clothing | BSD Now 280 first appeared on Jupiter Broadcasting.


## Headlines
### A EULA in FOSS clothing?

There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which he shortly thereafter elevated into a blog entry.

Let me be clear that I hold Jay in high regard, as both a software engineer and an entrepreneur — and I appreciate the time he took to write a thoughtful response. That said, there are aspects of his response that I found troubling enough to closely re-read the Confluent Community License — and that in turn has led me to a deeply disturbing realization about what is potentially going on here.

To GitHub: Assuming that this is in fact a EULA, I think it is perilous to allow EULAs to sit in public repositories. It’s one thing to have one click through to accept a license (though again, that itself is dubious), but to say that a git clone is an implicit acceptance of a contract that happens to be sitting somewhere in the repository beggars belief. With efforts like choosealicense.com, GitHub has been a model in guiding projects with respect to licensing; it would be helpful for GitHub’s counsel to weigh in on their view of this new strain of source-available proprietary software and the degree to which it comes into conflict with GitHub’s own terms of service.

To foundations concerned with software liberties, including the Apache Foundation, the Linux Foundation, the Free Software Foundation, the Electronic Frontier Foundation, the Open Source Initiative, and the Software Freedom Conservancy: the open source community needs your legal review on this! I don’t think I’m being too alarmist when I say that this is potentially a dangerous new precedent being set; it would be very helpful to have your lawyers offer their perspectives on this, even if they disagree with one another. We seem to be in some terrible new era of frankenlicenses, where the worst of proprietary licenses are bolted on to the goodwill created by open source licenses; we need your legal voices before these creatures destroy the village!


### NetBSD and LLVM
NetBSD entering 2019 with more complete LLVM support

I’ve recently been helping the NetBSD developers to improve the support for this operating system in various LLVM components. As you can read in my previous report, I’ve been focusing on fixing build and test failures for the purpose of improving the buildbot coverage.
Previously, I’ve resolved test failures in LLVM, Clang, LLD, libunwind, openmp and partially libc++. During the remainder of the month, I’ve been working on the remaining libc++ test failures, improving the NetBSD clang driver and helping Kamil Rytarowski with compiler-rt.

The process of upstreaming support to LLVM sanitizers has been finalized

I’ve finished the process of upstreaming patches to LLVM sanitizers (almost 2000 LOC of local code) and submitted to upstream new improvements for the NetBSD support. Today out of the box (in the unpatched version) we have support for a variety of compiler-rt LLVM features: ASan (finds unauthorized memory access), UBSan (finds unspecified code semantics), TSan (finds threading bugs), MSan (finds uninitialized memory use), SafeStack (double stack hardening), Profile (code coverage), XRay (dynamic code tracing); while other ones such as Scudo (hardened allocator) or DFSan (generic data flow sanitizer) are not far away from completeness.
The NetBSD support is no longer visibly lagging behind Linux in sanitizers, although there are still failing tests on NetBSD that are not observed on Linux. On the other hand there are features working on NetBSD that are not functional on Linux, like sanitizing programs during the early initialization process of the OS (this is caused by the /proc dependency on Linux, which is mounted by startup programs, while NetBSD relies on sysctl(3) interfaces that are always available).


## News Roundup
### Thoughts on FreeBSD 12.0

Playing with FreeBSD this past week I don’t feel as though there were any big surprises or changes in this release compared to FreeBSD 11. In typical FreeBSD fashion, progress tends to be evolutionary rather than revolutionary, and this release feels like a polished and improved incremental step forward. I like that the installer handles both UFS and ZFS guided partitioning now and in a friendly manner. In the past I had trouble getting FreeBSD’s boot menu to work with boot environments, but that has been fixed for this release.
I like the security options in the installer too. These are not new, but I think worth mentioning. FreeBSD, unlike most Linux distributions, offers several low-level security options (like hiding other users’ processes and randomizing PIDs) and I like having these presented at install time. It’s harder for people to attack what they cannot see, or predict, and FreeBSD optionally makes these little adjustments for us.
Something which stands out about FreeBSD, compared to most Linux distributions I run, is that FreeBSD rarely holds the user’s hand, but also rarely surprises the user. This means there is more reading to do up front and new users may struggle to get used to editing configuration files in a text editor. But FreeBSD rarely does anything unless told to do it. Updates rarely change the system’s behaviour, working technology rarely gets swapped out for something new, the system and its applications never crashed during my trial. Everything was rock solid. The operating system may seem like a minimal, blank slate to new users, but it’s wonderfully dependable and predictable in my experience.
I probably wouldn’t recommend FreeBSD for desktop use. Its close relative, GhostBSD, ships with a friendly desktop and does special work to make end user applications run smoothly. But for people who want to run servers, possibly for years without change or issues, FreeBSD is a great option. It’s also an attractive choice, in my opinion, for people who like to build their system from the ground up, like you would with Debian’s server install or Arch Linux. Apart from the base tools and documentation, there is nothing on a FreeBSD system apart from what we put on it.


### FreeBSD 12.0 Performance Against Windows & Linux On An Intel Xeon Server

Last week I posted benchmarks of Windows Server 2019 against various Linux distributions using a Tyan dual socket Intel Xeon server. In this article are some complementary results when adding in the performance of FreeBSD 11.2 against the new FreeBSD 12.0 stable release for this leading BSD operating system. As some fun benchmarks to end out 2018, here are the results of FreeBSD 11.2/12.0 (including an additional run when using GCC rather than Clang) up against Windows Server and several enterprise-ready Linux distributions.
While FreeBSD 12.0 had picked up just one win of the Windows/Linux comparisons run, the FreeBSD performance is moving in the right direction. FreeBSD 12.0 was certainly faster than FreeBSD 11.2 on this dual Intel Xeon Scalable server based on a Tyan 1U platform. Meanwhile, to no surprise given the data last week, Clear Linux was by far the fastest out-of-the-box operating system tested.
I did run some extra benchmarks on FreeBSD 11.2/12.0 with this hardware: in total I ran 120 benchmarks for these BSD tests. Of the 120 tests, there were just 15 cases where FreeBSD 11.2 was faster than 12.0. Seeing FreeBSD 12.0 faster than 11.2 nearly 90% of the time is an accomplishment and usually with other operating systems we see more of a mixed bag on new releases with not such solidly better performance. It was also great seeing the competitive performance out of FreeBSD when using the Clang compiler for the source-based tests compared to the GCC8 performance. Additional data available via this OpenBenchmarking.org result file.


### How NetBSD came to be shipped by Microsoft
Google cache in case the site is down

In 2000, Joe Britt, Matt Hershenson and Andy Rubin formed Danger Incorporated. Danger developed the world’s first recognizable smartphone, the Danger HipTop. T-Mobile sold the first HipTop under the brand name Sidekick in October of 2002.
Danger had a well developed kernel that had been designed and built in house. The kernel came to be viewed as not a core intellectual property and Danger started a search for a replacement. For business reasons, mostly to do with legal concerns over the Gnu Public License, Danger rejected Linux and began to consider BSD Unix as a replacement for the kernel.
In 2006 I was hired by Mike Chen, the manager of the kernel development group to investigate the feasibility of replacing the Danger kernel with a BSD kernel, to select the version of BSD to use, to develop a prototype and to develop the plan for adapting BSD to Danger’s requirements.
NetBSD was easily the best choice among the BSD variations at the time because it had well developed cross development tools. It was easy to use a NetBSD desktop running an Intel release to cross compile a NetBSD kernel and runtime for a device running an ARM processor. (Those interested in mailing list archaeology might be amused to investigate NetBSD technical mailing list for mail from picovex, particularly from Bucky Katz at picovex.)
We began product development on the specific prototype of the phone that would become the Sidekick LX2009 in 2007 and contracts for the phone were written with T-Mobile. We were about half way through the two year development cycle when Microsoft purchased Danger in 2008.
Microsoft would have preferred to ship the Sidekick running Windows/CE rather than NetBSD, but a schedule analysis performed by me, and another by an independent outside contractor, indicated that doing so would result in unacceptable delay.


## Beastie Bits


## Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Sony Security Café | Tech Talk Today 102 https://original.jupiterbroadcasting.net/73287/sony-security-cafe-tech-talk-today-102/ Tue, 09 Dec 2014 11:23:37 +0000

The post Sony Security Café | Tech Talk Today 102 first appeared on Jupiter Broadcasting.


The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators.

Then it’s a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more!


Show Notes:

Chaos Computer Club website is blocked by UK “porn filter”

A significant portion of British citizens are currently blocked from accessing the Chaos Computer Club’s (CCC) website. On top of that, Vodafone customers are blocked from accessing the ticket sale to this year’s Chaos Communication Congress (31C3).


Since July 2013, a government-backed so-called opt out list censors the open internet. These internet filters, authorized by Prime Minister David Cameron, are implemented by UK’s major internet service providers (ISPs). Dubbed as the “Great Firewall of Britain”, the lists block adult content as well as material related to alcohol, drugs, smoking, and even opinions deemed “extremist”.


Users can opt-out of censorship, or bypass it by technical means, but only a minority of users know how to bypass those filters.

YouTube Offering Its Stars Bonuses – WSJ

Facebook Inc. and video startup Vessel, among others, have tried to lure YouTube creators to their services in recent months, according to people familiar with the discussions.

In response, Google is offering some of its top video makers bonuses to sign multiyear deals in which they agree to post content exclusively on YouTube for a time before putting it on a rival service. The bonuses can be tied to how well videos perform, but YouTube is making a wide range of offers to counter rivals, according to people involved in the discussions. For several months, YouTube also has been offering to fund additional programming by some of its video makers.

These people say YouTube executives are particularly concerned about Vessel, though the startup has yet to disclose any details about its service or video makers it has signed.

In recent weeks “YouTube has been in a fire drill” led by Robert Kyncl, global head of business, trying to hold on to its stars, according to a person close to the company.

It’s Here! Announcing Fedora 21!

Fedora 21 Release Announcement

The Fedora Project is pleased to announce Fedora 21, the final release, ready to run on your desktops, servers, and in the cloud. Fedora 21 is a game-changer for the Fedora Project, and we think you’re going to be very pleased with the results.

TL;DR?

Impatient? Go straight to https://getfedora.org/ and get started. Otherwise, read on!

Sony Pictures hack was a long time coming, say former employees — Fusion

“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”


The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.


Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.


Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss.


Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, his salary is over $300,000 this year according to one of the leaked salary documents — and will get bumped over $400,000 if he gets his bonus.

In his comments, Mandia described the malicious software used in the attack against Sony as “undetectable by industry standard antivirus software.” He also said that the scope of the attack is unlike any other previously seen, primarily because its perpetrators sought to both destroy information and to release it to the public. The attack is one “for which neither SPE nor other companies could have been fully prepared,” Mandia said.

The hacks were traced to the St. Regis Bangkok, a 4.5 star resort where basic rooms cost over $400 per night. It remains unclear whether the hacks were done from a room or a public area, but investigations into the breach have traced the attack to the hotel on December 2nd at 12:25 am, local time.

It appears that the leaked files include the Social Security numbers of 47,000 employees and actors, including Sylvester Stallone, Judd Apatow and Rebel Wilson.

They also include a file directory entitled ‘Password’, which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts.

Leslie Caldwell, assistant attorney general in the criminal division of the Department of Justice, announced on Thursday the creation of a new Cybercrime Unit, tasked with enhancing public-private security efforts. A large part of the Cybersecurity Unit’s mission will be to quell the growing distrust many Americans have toward law enforcement’s high-tech investigative techniques. (Even if that lack of trust, as Caldwell claimed, is based largely on misinformation about the technical abilities of the law enforcement tools and the manners in which they are used.) “In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously,” Caldwell said. “Privacy concerns are not just tacked onto our investigations, they are baked in.”

Feedback:
