System76 is ready to share specifics about its new computer. From a report: There are three models from which to choose, and all three can apparently be configured with with Intel or AMD processors. This is refreshing news, as historically, System76 machines were an Intel-only affair. AMD has been more friendly to the Linux community over recent years, so I am happy to see System76 giving that option too.

1. Thelio (Up to 32GB RAM, 24TB storage) treks through tasks with ease despite its compact footprint.
2. Thelio Major (Up to 128GB RAM, 46TB storage) boasts stellar performance, allowing maximum configurability with up to 4 GPUs to tackle the most astronomical projects.
3. Thelio Massive (Up to 768GB of ECC Memory, 86TB storage) is the epitome of performance among workstations, offering maximum throughput and accuracy for demanding computational workloads.

Pricing starts at $1099.99, but that will obviously increase based on the specs you choose. Keep in mind, however, the computer will not ship until December. Full specs in the story above. In a statement, the company said, "Thelio Systems are designed to be easily expandable, making personalizing the computer a tantalizingly easy process. Slip in drives, add memory, and upgrade graphics cards at will. Additionally, the open hardware design that Thelio is built upon allows the user to easily learn how their computer works and make modifications using this information. Customization is simple to ensure that the computer encompasses people's needs, as well as their personality."

Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't.

And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology.

"TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."

ekimd writes: Fedora 29 is released today. Among the new features are the ability to allow parallel installation of packages such as Node.js. Fedora 29 also supports ZRAM (formerly called compcache) for ARMv7 and v8. In addition to the more efficient use of RAM, it also increases the lifespan of microSD cards on the Raspberry Pi as well as other SBCs.

"Additionally, UEFI for ARMv7 is now supported in Fedora 29, which also benefits Raspberry Pi users," reports TechRepublic. "Fedora already supported UEFI on 64-bit ARM devices."

With the in-development Linux 4.20 kernel, it is now effectively VLA-free. From a report: The variable-length arrays (VLAs) that can be convenient and part of the C99 standard but can have unintended consequences. VLAs allow for array lengths to be determined at run-time rather than compile time. The Linux kernel has long relied upon VLAs in different parts of the kernel -- including within structures -- but going on for months now (and years if counting the kernel Clang'ing efforts) has been to remove the usage of variable-length arrays within the kernel. The problems with them are:
1. Using variable-length arrays can add some minor run-time overhead to the code due to needing to determine the size of the array at run-time.
2. VLAs within structures is not supported by the LLVM Clang compiler and thus an issue for those wanting to build the kernel outside of GCC, Clang only supports the C99-style VLAs.
3. Arguably most importantly is there can be security implications from VLAs around the kernel's stack usage.

At the end of August, Valve announced a new version of Steam Play for Linux that included Proton, a WINE fork that made many Windows games, including more recent ones ,such as Witcher 3, Dark Souls 3 and Dishonored, playable on Linux. Just two months later, ProtonDB says there are over 2,600 Windows games that users can play on Linux, and the number is rapidly growing daily. From a report: When Valve Software launched Steam Play with Proton, it made it easier for gamers to play Windows games that hadn't yet been ported to Linux with the click of a button. Not all games may run perfectly on Linux, but that's also often the case with Windows 10, which can not play older games as well as previous versions of Windows did, even under Compatibility Mode. In only two months, the database of games that work with Proton has increased to over 2,600 -- more than half of the 5,000 Linux-native games that can be obtained through the Steam store.

International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management.

IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

Swapnil Bhartiya, who runs the blog TFIR, had a chance to interview Linus Torvalds at Open Source Summit in the second half of August this year. (Some context: The interview, which was published this week, took place before Mr. Torvalds said he needs to take a step back to reflect on how he has dealt with the community over the years. Since then, we have learned that Mr. Torvalds is returning to his position.) In the wide-ranging interview, Mr. Torvalds has touched a wide-range of subjects, including formulating workarounds for the problematic hardware bugs (Meltdown, Spectre), and Chromebooks gaining traction (though it is still not a machine that he could use for his work yet). He also talked about companies gleaning a lot of data about their users, regulations, (a tad bit of politics), Linux community.

Greg Kroah-Hartman (aka Greg K-H) joined Mr. Bhartiya and Mr. Torvalds for the second half of the interview. On Sunday, Mr. Bhartiya published an additional interview of Mr. Kroah-Hartman.

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Canonical is applauding what it calls "exceptional adoption" of snaps -- and has shared some new statistics about its whole "Snappy" software deployment and package management system. Long-time Slashdot reader AmiMoJo shared this article from Neowin: snaps are seeing 100,000 installs every day on cloud, server, container, desktop and on IoT devices, which works out to around three million installs each month. Of course, these statistics don't only take into account snap installs on Ubuntu, but other distributions too. Canonical said that snaps are supported on 41 Linux distributions including Ubuntu, Debian, Linux Mint, Arch Linux, Fedora, and many more...

Snap packages first launched alongside Ubuntu 16.04 which was released in 2016. They have several benefits over typical Linux packages, for example, their dependencies are bundled into the package making them easy to install, they get automatic updates and can be rolled back by the maintainer if issues arise, and they're sandboxed, giving the user more security.

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

At Open Source Summit Europe in Edinburgh, Scotland, Linus Torvalds is meeting with Linux's top 40 or so developers at the Maintainers' Summit. This is his first step back in taking over Linux's reins. From a report: A little over a month ago, Torvalds stepped back from running the Linux development community. In a note to the Linux Kernel Mailing List (LKML), Torvalds said, "I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely. I am going to take time off and get some assistance on how to understand people's emotions and respond appropriately." That time is over. Torvalds is back.

Whether he'll be a kinder and gentler Torvalds remains to be seen. In the Linux 4.19 announcement, Greg Kroah-Hartman, Linux's temporary leader and maintainer of the stable branch, wrote: "Linus, I'm handing the kernel tree back to you. You can have the joy of dealing with the merge window :)"

Ubuntu 18.10 Cosmic Cuttlefish, the latest version of Ubuntu, is now available to download. From a report: Under the hood, the Cosmic Cuttlefish boasts the 4.18 Linux Kernel. This updates comes with better support for for AMD and Nvidia GPU, USB Type-C and Thunderbolt, a way for unprivileged users to mount Filesystem in Userspace (FUSE) can be mounted by, and CPUfreq performance improvements. On top of this, you'll find the freshest version of GNOME 3.30. You can, of course, use other desktops, but GNOME, since Ubuntu 17.10, is Ubuntu's default desktop. You'll be glad to know that GNOME is faster than it has been for a while. That's because some nasty memory leaks have been patched. Canonical has also added some performance tweaks that didn't make it into the GNOME 3.30 upstream. Ubuntu 18.10 also comes with a new desktop theme, the Yaru Community theme installed by default, for your visual enjoyment. Further reading: Ubuntu 18.10: What's New? [Video]; Ubuntu 18.10 Review; and Ubuntu 18.10 Flavors Released, Ready to Download.

Earlier this week, Microsoft announced that it was joining the open-source patent consortium Open Invention Network (OIN). The press release the two shared this week was short on details on how the two organizations intend to work together and what does the move mean to, for instance, the billions of dollars Microsoft earns each year from its Android patents (since Google is a member of OIN, too.) Software Freedom Conservancy (SFC), a non-profit organization that promotes open-source software, has weighed in on the subject: While [this week's] announcement is a step forward, we call on Microsoft to make this just the beginning of their efforts to stop their patent aggression efforts against the software freedom community. The OIN patent non-aggression pact is governed by something called the Linux System Definition. This is the most important component of the OIN non-aggression pact, because it's often surprising what is not included in that Definition especially when compared with Microsoft's patent aggression activities. Most importantly, the non-aggression pact only applies to the upstream versions of software, including Linux itself.

We know that Microsoft has done patent troll shakedowns in the past on Linux products related to the exfat filesystem. While we at Conservancy were successful in getting the code that implements exfat for Linux released under GPL (by Samsung), that code has not been upstreamed into Linux. So, Microsoft has not included any patents they might hold on exfat into the patent non-aggression pact.

We now ask Microsoft, as a sign of good faith and to confirm its intention to end all patent aggression against Linux and its users, to now submit to upstream the exfat code themselves under GPLv2-or-later. This would provide two important protections to Linux users regarding exfat: (a) it would include any patents that read on exfat as part of OIN's non-aggression pact while Microsoft participates in OIN, and (b) it would provide the various benefits that GPLv2-or-later provides regarding patents, including an implied patent license and those protections provided by GPLv2 (and possibly other GPL protections and assurances as well).

An anonymous reader shares a report: Today, a very popular app, Plex Media Server, gets the Snap treatment. In other words, you can install the media server program without any headaches -- right from the Snap store. "In adopting the universal Linux app packaging format, Plex will make its multimedia platform available to an ever-growing community of Linux users, including those on KDE Neon, Debian, Fedora, Manjaro, OpenSUSE, Zorin and Ubuntu. Automatic updates and rollback capabilities are staples of Snap software, meaning Plex users will always have the best and latest version running," says Canonical.

jrepin writes: KDE has released Plasma 5.14 desktop. Among many other things, Plasma 5.14 simplifies managing multiple displays thanks to its new Display Configuration widget; Global Menus a la macOS now work also with GTK applications like GIMP; a new safeguard feature warns you if other users are logged in when you log out; and Discover now lets you install Snaps from all available channels (not just the default), orders software by release date, and shows package dependencies. Downloads can be found here.

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."

At an event this month (you can find the video of it here), Davide Cavalca, a production engineer at Facebook, spoke about the growing adoption of systemd at the data centers of the company. From a report: Facebook continues making use of systemd's many features inside their data centers. Some of their highlights for systemd use in 2018 includes: Facebook's servers have been relying on systemd for about the past two years. Facebook is using CentOS 7 everywhere from hosts to containers. While relying on CentOS 7, Facebook backports a lot of packages including new systemd releases, Meson, other dependencies, and of course new Linux kernel releases. Facebook is working on "pystemd" as a Python (Cython) wrapper on top of SD-BUS.

Roughly three weeks ahead of the scheduled release of Ubuntu Linux 18.10 "Cosmic Cuttlefish", the latest major update for the popular Linux distro, beta of all of its flavors -- desktop, cloud and server -- is now available for download. From a report: Codenamed 'Cosmic Cuttlefish,' 18.10 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs," says Adam Conrad, Software Engineer, Canonical. Conrad further says, "This beta release includes images from not only the Ubuntu Desktop, Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu flavours. The beta images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of 18.10 that should be representative of the features intended to ship with the final release expected on October 18th, 2018." Further reading: Canonical Shares Desktop Plans For Ubuntu 18.10.

Michael Larabel, writing for Phoronix: Apple announced the Magic Trackpad 2 almost three years ago to the day while the mainline Linux kernel will finally be supporting this multi-touch device soon. The Magic Trackpad 2 is a wired/wireless touchpad with haptic feedback support and is a much larger touchpad compared to the original Magic Trackpad. There unfortunately hasn't been any mainline Linux kernel support for the Magic Trackpad 2, but some out-of-tree options. [...] However, as seen by this bug report there have been plenty of people since 2015 interested in using the Magic Trackpad 2 on Linux. Fortunately, Sean O'Brien of Google's Chrome OS team has been working on Magic Trackpad 2 support with a focus on getting it mainlined. The patch, which was also reviewed by other Google/ChromeOS developers, is now up to its third and perhaps final revision.