bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon; Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
alphadogg writes: "An argument between developers of some of the most basic parts of Linux turned heated this week, resulting in a prominent Red Hat employee and code contributor being banned from working on the Linux kernel. Kay Sievers, a well-known open-source software engineer, is a key developer of systemd, a system management framework for Linux-based operating systems. Systemd is currently used by several prominent Linux distributions, including two of the most prominent enterprise distros, Red Hat and SUSE. It was recently announced that Ubuntu would adopt systemd in future versions as well. Sievers was banned by kernel maintainer Linus Torvalds on Wednesday for failing to address an issue that caused systemd to interact with the Linux kernel in negative ways."
itwbennett (1594911) writes "Google has made sizable price cuts across its storage, compute and BigQuery analysis services (e.g., Google BigQuery on-demand prices have been reduced by up to 85%). Google has also introduced a number of new services, including managed virtual machines, an extension of BigQuery for live data and the ability to run copies of the enterprise-ready Red Hat Enterprise Linux, Suse Linux and Windows Server 2008 R2. Collectively, these announcements show that Google may be coming to understand that 'they really need to step it up' in the market for cloud computing services, said John Rymer, Forrester Research's principal analyst covering application development and delivery."
cold fjord writes with news that Red Flag Software, makers of China's Red Hat derivative Red Flag Linux, has halted operations. From the article: "Once the world's second-largest Linux distributor, Red Flag Software has shuttered reportedly due to mismanagement and after owing employees months in unpaid wages. China's state-funded answer to global software giants like Microsoft ... filed for liquidation over the weekend and terminated all employee contracts. Set up in late-1999 amid the dot-com boom, Red Flag was touted as an alternative to Windows ... It thrived in the early days, inking deals with partners such as Oracle and Dell which products were certified to support and shipped with Red Flag Software. The Beijing-based vendor was primarily funded by the Chinese Academy of Sciences' Institute of Software Research, and later received additional funding from state-owned Shanghai NewMargin Venture Capital and the Ministry of Information Industry's VC arm ... 'A lack of brand awareness and sustained investments, coupled with the rise of rivals including Red Hat Enterprise Linux and SuSE Linux Enterprise, led to its downfall,' Eric Peng, Beijing-based research manager with IDC, said ... Peng noted that, during its heyday, Red Flag had enjoyed high adoption among government agencies, state-owned organizations, and schools."
sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by the handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulletin as well as a proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
sfcrazy writes "Ironically while Netflix's infrastructure runs on Linux and Open Source technologies, the service doesn't support Linux, the platform. Netflix is available for Mac, Windows, iOS, Android and Chrome OS but not for desktop Linux. One of the reasons could be that Netflix still uses Microsoft's Silverlight which is not supported on Linux. However Linux users have managed to get it to work on their distros. Now openSUSE users can also run Netflix using Pipelight."
rjmarvin writes "Docker 0.7 was released today, with 7 major new features including support to run on all Linux distributions. No longer capable of running solely on Debian and Ubuntu Linux, Docker 0.7 adds support for distributions such as Red Hat, SUSE, Gentoo and Arch. From the announcement: 'A key feature of Docker is the ability to create many copies of the same base filesystem almost instantly. Under the hood Docker makes heavy use of AUFS by Junjiro R. Okajima as a copy-on-write storage mechanism. AUFS is an amazing piece of software and at this point it’s safe to say that it has safely copied billions of containers over the last few years, a great many of them in critical production environments. Unfortunately, AUFS is not part of the standard linux kernel and it’s unclear when it will be merged. This has prevented docker from being available on all Linux systems. Docker 0.7 solves this problem by introducing a storage driver API, and shipping with several drivers. Currently 3 drivers are available: AUFS, VFS (which uses simple directories and copy) and DEVICEMAPPER, developed in collaboration with Alex Larsson and the talented team at Red Hat, which uses an advanced variation of LVM snapshots to implement copy-on-write. An experimental BTRFS driver is also being developed, with even more coming soon: ZFS, Gluster, Ceph, etc. When the docker daemon is started it will automatically select a suitable driver depending on its capabilities.'"
An anonymous reader writes "The openSUSE Linux distribution looks like it may be the first major Linux distribution to ship the Btrfs file-system by default. The openSUSE 13.1 release is due out in November and is still using EXT4 by default, but after that the developers are looking at having openSUSE using Btrfs by default on new installations. The Btrfs features to be enabled would be the ones the developers feel are data-safe."
darthcamaro writes "The Linux Foundation's Who Writes Linux report (sign up required) is now out and after 22 yrs leading Linux, Linux creator Linus Torvalds has fallen out of the list of top 100 developers in terms of code contributions. He currently ranks 101st for number of patches generated from the Linux 3.3 to the Linux 3.10 kernel releases." Read below for a few highlights from the report.
An anonymous reader writes "Michael Meeks has announced that the core of SUSE's LibreOffice team is moving over to Collabora, which will now be providing commercial LibreOffice support. 'It seems to me that the ability to say "no" to profitable but peripheral business in order to strategically focus the company is a really important management task. In the final analysis I'm convinced that this is the right business decision for SUSE. It will allow Collabora's Productivity division to focus exclusively on driving LibreOffice into Windows, Mac and Consulting markets that are peripheral to SUSE. It will also retain the core of the existing skill base for the benefit of SUSE's customers, and the wider LibreOffice community, of which openSUSE is an important part.'"
Nerval's Lobster writes "Linux vendors Red Hat and SUSE are pushing to make sure Linux-based virtual machines are an important part of datacenter-based hybrid clouds. The two are taking significantly different tacks toward the same destination, however. SUSE is using the visibility and cloud hype of VMware by extending its partnership with the virtualization provider to promote its SUSE Linux Enterprise Server for VMware as an alternative operating system for virtual machines running on VMware's vCloud Hybrid Service. Red Hat is happy to include VMware in its plans, but isn't limiting itself either to VMware-based clouds or, in fact, the idea that a Linux vendor has to tag along with a cloud- or virtualization developer to find its place in mixed infrastructures. 'We do not buy into the premise that a private or a hybrid platform based on one vendor's technologies and products is the answer,' wrote Bryan Che, general manager of Red Hat's Cloud Business Unit. More than 25 percent of customers want clouds or datacenter infrastructures using virtualization products from more than one vendor, according to a buyers' guide published in August by market researcher IDC."
An anonymous reader writes "Best Buy and Barnes and Noble have a problem with showrooming — shoppers checking out the merchandise in their stores and then proceeding to order the goods at discounted prices online. And Red Hat might have a similar problem with people (not just college kids and software professionals boning up on their skills at home, either) using the free-as-in-beer CentOS rather than licensing Red Hat Enterprise Linux and paying support fees. But according to CEO Jim Whitehurst, Red Hat's competitive position may actually be helped by CentOS in the same way that counterfeit Windows products sold on the streets in the Far East may have helped Microsoft — by cementing their position as the technology standard, in a marketplace that also includes entrants from SuSE, Debian, Oracle, and Ubuntu, just among Linux-based entrants. Who does Whitehurst consider to be Red Hat's most direct threat? VMware."
darthcamaro writes "UEFI Secure Boot is a problem that only desktop users need to worry about, right? Well kinda/sorta/maybe not. SUSE today is releasing SUSE Linux Enterprise 11 SP3, which will include, for the first time, support for UEFI Secure Boot. Apparently SUSE sees market demand for Secure Boot on servers too. Quoting Matthias Eckermann, Senior Product Manager at SUSE: 'Our market analysis shows that UEFI Secure Boot is a UEFI extension that does not only cover desktops, but might very well also be deployed and even required on server systems going forward.'"
darthcamaro writes "We all know that the open source LibreOffice Calc has been slow — forever and a day. That's soon going to change thanks to a major investment made by AMD into the Document Foundation. AMD is helping LibreOffice developers to re-factor Calc to be more performant and to be able to leverage the full power of GPUs and APUs. From the article: '"The reality has been that Calc has not been the fastest spreadsheet in the world," Suse Engineer Michael Meeks admitted. "Quite a large chunk of this refactoring is long overdue, so it's great to have the resources to do the work so that Calc will be a compelling spreadsheet in its own right."'" Math operations will be accelerated using OpenCL, unit tests are being added for the first time, and the supposedly awful object oriented code is being rewritten with a "modern performance oriented approach."
darthcamaro writes "Red Hat still doesn't have a fully supported commercial version of OpenStack in the market yet (coming this summer) as it lags behind Ubuntu and SUSE. But Red Hat is doing something no other distro vendor has done, they are launching a brand new bleeding edge build of OpenStack that will update weekly (or faster). The best part? This isn't a fork. It's all upstream work, meaning everyone in the OpenStack Community benefits. From the article: '"Our developers will continue to work in the upstream OpenStack, and whenever we find we need to make changes to make RDO work, we get that work done upstream first," Red Hat CTO Brian Stevens said. "RDO won't change in any way our active involvement in the upstream OpenStack development."'"
jrepin writes "During Hack Week 9 at SUSE, longtime KDE hacker Will Stephenson started working on a project codenamed KLyDE. This project's aim is to bring KDE Plasma to the lightweight desktop market. It applies KDE's strengths of modularity and configurability to the challenge of making a lightweight desktop." Better said, Stephenson was able to devote lots of time to it; he's been working on the project for a few years now.
angry tapir writes "When Oracle purchased Sun, many in the open source community were bleak about the future of MySQL. According to MySQL co-creator Michael "Monty" Widenius, these fears have been proven by Oracle's attitude to MySQL and its community. In the wake of the Sun takeover, Monty forked MySQL to create MariaDB, which has picked up momentum (being included by default in Fedora, openSUSE and, most recently, Slackware). I recently interviewed Monty about what he learned from the MySQL experience and the current state of MariaDB."
houghi writes "OpenSUSE 12.3 is out. There are several methods of downloading, as well as different media. It is also possible to boot the live CD from a USB stick. When using the DVD or Net install ISO, the standard is to select between KDE or GNOME, but XFCE and LXDE are also options. ARM images are available as well. More information about the release can be found in this feature guide."
Andy Prough writes "Jos Poortvliet of the openSUSE team has announced that openSUSE ARM RC2 is available for download and needs testing. The final version is due out on November 6th, and support has been expanded to include the following SoCs: Calxeda Highbank, CuBox, IMX 53, and Samsung Origen. Although Raspberry Pi is not yet supported, the openSUSE team plans to roll out support in the future. User Etam has posted a picture of it working without trouble in chroot on an N900, although Firefox is working "terribly slow" but not crashing."