Perl

Perl's CPAN Security Group is Now a CNA, Can Assign CVEs (perlmonks.org) 10

Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org: Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.

The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN.

GNU is Not Unix

An Appeals Court May Kill a GNU GPL Software License (theregister.com) 74

The Ninth Circuit Court of Appeals is set to review a California district court's ruling in Neo4j v. PureThink, which upheld Neo4j's right to modify the GNU AGPLv3 with additional binding terms. If the appellate court affirms this decision, it could set a precedent allowing licensors to impose unremovable restrictions on open-source software, potentially undermining the enforceability of GPL-based licenses and threatening the integrity of the open-source ecosystem. The Register reports: The GNU AGPLv3 is a free and open source software (FOSS) license largely based on the GNU GPLv3, both of which are published by the Free Software Foundation (FSF). Neo4j provided database software under the AGPLv3, then tweaked the license, leading to legal battles over forks of the software. The AGPLv3 includes language that says any added restrictions or requirements are removable, meaning someone could just file off Neo4j's changes to the usage and distribution license, reverting it back to the standard AGPLv3, which the biz has argued and successfully fought against in that California district court.

Now the matter, the validity of that modified FOSS license, is before an appeals court in the USA. "I don't think the community realizes that if the Ninth Circuit upholds the lower court's ruling, it won't just kill GPLv3," PureThink's John Mark Suhy told The Register. "It will create a dangerous legal precedent that could be used to undermine all open-source licenses, allowing licensors to impose unexpected restrictions and fundamentally eroding the trust that makes open source possible."

Perhaps equally concerning is the fact that Suhy, founder and CTO of PureThink and iGov (the two firms sued by Neo4j), and presently CTO of IT consultancy Greystones Group, is defending GPL licenses on his own, pro se, without the help of the FSF, founded by Richard Stallman, creator of the GNU General Public License. "I'm actually doing everything pro se because I used up all my savings to fight it in the lower court," said Suhy. "I'm surprised the Free Software Foundation didn't care too much about it. They always had an excuse about not having the money for it. Luckily the Software Freedom Conservancy came in and helped out there."

Open Source

EA Releases Source Code For Old Command and Conquer Games (pcgamer.com) 38

EA has released the source code for several classic Command & Conquer games, including Tiberian Dawn, Red Alert, Renegade, and Generals & Zero Hour. "They're being released under the GPL license, meaning folks can mix, match, and redistribute them to their hearts' content without EA lawyers smashing down the door," adds PC Gamer. Additionally, Steam Workshop support has been added for multiple C&C titles, along with updated mission editor tools and a modding support pack. From the report: As for the Steam Workshop? That's getting switched on for C&C Renegade, C&C Generals and Zero Hour, C&C 3 Tiberium Wars and Kane's Wrath, and C&C 4 Tiberium Twilight (they can't all be winners). EA's also gone and "updated all the Mission Editor and World Builder tools so you can publish maps directly to the Steam Workshop." Plus, it's putting out a modding support pack that "contains the source Xml, Schema, Script, Shader and Map files for all the games that use the SAGE engine."

Per C&C producer Jim Vessella, EA commissioned C&C community veteran Luke 'CCHyper' Feenan to officially research improvements to many of the games in the Ultimate Collection," and this is the fruit of his labor.

Open Source

Fedora Amicably Resolves Legal Threat From OBS Studio Over Downstream Flatpak (gamingonlinux.com) 44

When it comes to application packaging, earlier this month the site It's FOSS complained that Fedora Flatpaks "are often unmaintained or broken, leading to a poor experience for users who aren't usually aware they're using them." And this apparently created friction with OBS Studio, the free/open-source screencasting and streaming app.

"We are now considering the Fedora Flatpaks distribution of OBS Studio a hostile fork," OBS Studio lead Joel Bethke posted on GitLab's page for Fedora Flatpaks. They said they were making "a formal request to remove all of our branding, including but not limited to, our name, our logo, any additional IP belonging to the OBS Project, from your distribution. Failure to comply may result in further legal action taken...." (Issues with Fedora's packaging led "to users complaining upstream thinking they are being served the official package..." Bethke said in his original Issue. "I would also like some sort of explanation on why someone thought it was a good idea to take a Flatpak that was working perfectly fine, break it, and publish it at a higher priority to our official builds.")

23 people clicked "Like" on the original Issue — but threatening legal action only happened after Bethke felt Fedora was unresponsive, according to It's FOSS: In a comment on a video by Brodie Robertson (check pinned comment), Joel shared that folks from Fedora were not taking this issue seriously, with one of them even resorting to name-calling by labeling the OBS Studio devs as being "terrible maintainers". Since then, a major step has been taken by Neal Gompa, a well-known Fedora contributor and member of the Fedora Engineering Steering Committee (FESCo). He has opened a new issue to remove Fedora's OBS Studio flatpak from the registry as soon as possible.

But by Tuesday Bethke posted in a new comment on GitLab announcing that "a very good conversation" with the Flatpak SIG and Fedora Project Leader seemed to have cleared the tension. "We discussed the issues, how we got here, and what next steps are... [T]he OBS Project is no longer requesting a removal of IP or rebrand of the OBS Studio application provided by Fedora Flatpaks." To the issue of not knowing where to report bugs for the downstream package, "We had some very good discussion on how this might be accomplished in the medium-long term, but don't consider it a blocker at this point." As for other issues with Fedora's Flatpak for OBS Studio, "The discussion was positive and they are actively working to resolve..."

And similar sentiments were echoed on Fedora's own issue tracker. "We had a good conversation today, and there is a hopeful path forward that does not require the OBS Project distancing itself from Fedora Flatpaks..."

AI

DeepSeek To Share Some AI Model Code (reuters.com) 17

Chinese startup DeepSeek will make its models' code publicly available, it said on Friday, doubling down on its commitment to open-source artificial intelligence. From a report: The company said in a post on social media platform X that it will open source 5 code repositories next week, describing the move as "small but sincere progress" that it will share "with full transparency."

"These humble building blocks in our online service have been documented, deployed and battle-tested in production," the post said. DeepSeek rattled the global AI industry last month when it released its open-source R1 reasoning model, which rivaled Western systems in performance while being developed at a lower cost.

Graphics

Why A Maintainer of the Linux Graphics Driver Nouveau Stepped Down (phoronix.com) 239

For over a decade Karol Herbst has been a developer on the open-source Nouveau driver, a reverse-engineered NVIDIA graphics driver for Linux. "He went on to become employed by Red Hat," notes Phoronix. "While he's known more these days for his work on the Mesa 3D Graphics Library and the Rusticl OpenCL driver for it, he's still remained a maintainer of the Nouveau kernel driver."

But Saturday Herbst stepped down as a nouveau kernel maintainer, in a mailing list message that begins "I was pondering with myself for a while if I should just make it official that I'm not really involved in the kernel community anymore, neither as a reviewer, nor as a maintainer." (Another message begins "I often thought about at least contributing some patches again once I find the time, but...")

Their resignation message hints at some long-running unhappiness. "I got burned out enough by myself caring about the bits I maintained, but eventually I had to realize my limits. The obligation I felt was eating me from inside. It stopped being fun at some point and I reached a point where I simply couldn't continue the work I was so motivated doing as I did in the early days." And they point to one specific discussion on the kernel mailing list February 8th as "The moment I made up my mind."

It happened in a thread about whether Rust would create difficulty for maintainers. (Someone had posted that "The all powerful sub-system maintainer model works well if the big technology companies can employ omniscient individuals in these roles, but those types are a bit hard to come by.") In response, someone else had posted "I'll let you in a secret. The maintainers are not 'all-powerful'. We are the 'thin blue line' that is trying to keep the code to be maintainable and high quality. Like most leaders of volunteer organization, whether it is the Internet Engineering Task Force (the standards body for the Internet), we actually have very little power. We can not *command* people to work on retiring technical debt, or to improve testing infrastructure, or work on some particular feature that we'd very like for our users. All we can do is stop things from being accepted..."

Saturday Herbst wrote: The moment I made up my mind about this was reading the following words written by a maintainer within the kernel community:

"we are the thin blue line"

This isn't okay. This isn't creating an inclusive environment. This isn't okay with the current political situation especially in the US. A maintainer speaking those words can't be kept. No matter how important or critical or relevant they are. They need to be removed until they learn. Learn what those words mean for a lot of marginalized people. Learn about what horrors it evokes in their minds.

I can't in good faith remain to be part of a project and its community where those words are tolerated. Those words are not technical, they are a political statement. Even if unintentionally, such words carry power, they carry meanings one needs to be aware of. They do cause an immense amount of harm.

The phrase thin blue line "typically refers to the concept of the police as the line between law-and-order and chaos," according to Wikipedia, but more recently became associated with a "countermovement" to the Black Lives Matter movement and "a number of far-right movements in the U.S."

Phoronix writes: Lyude Paul and Danilo Krummrich both of Red Hat remain Nouveau kernel maintainers. Red Hat developers are also working on developing NOVA as the new Rust-based open-source NVIDIA kernel driver leveraging the GSP interface for Turing GPUs and newer.

Open Source

LibreOffice Marks 40th Year With Browser-Based Overhaul (theregister.com) 48

LibreOffice, the open-source office suite that began as StarOffice in 1985, has marked its 40th anniversary with new features that it says could transform how users interact with the software. At the FOSDEM 2025 conference, developers unveiled LibreOffice 25.2, which introduces browser-based functionality and real-time collaboration capabilities through a technology called conflict-free replicated data types.

A key development is ZetaOffice, a version built for the WebAssembly runtime that enables the full office suite to run inside web browsers across operating systems and CPU architectures. The project, which entered public beta last November, allows websites to embed LibreOffice applications with complete user interfaces for editing documents, spreadsheets and presentations.

While the browser-based version currently requires about a gigabyte of code and additional memory to run, developers at Allotropia are working to modularize the codebase for faster loading times. The software, released under the MIT license, can be controlled via JavaScript and operates without requiring an internet connection, unlike Google Docs or LibreOffice's existing Collabora Online version.

Open Source

Does the 'Spirit' of Open Source Mean Much More Than a License? (techcrunch.com) 58

"Open source can be something of an illusion," writes TechCrunch. "A lack of real independence can mean a lack of agency for those who would like to properly get involved in a project."

Their article makes the case that the "spirit" of open source means more than a license... "Android, in a license sense, is perhaps the most well-documented, perfectly open 'thing' that there is," Luis Villa, co-founder and general counsel at Tidelift, said in a panel discussion at the State of Open Con25 in London this week. "All the licenses are exactly as you want them — but good luck getting a patch into that, and good luck figuring out when the next release even is...."

"If you think about the practical accessibility of open source, it goes beyond the license, right?" Peter Zaitsev, founder of open source database services company Percona, said in the panel discussion. "Governance is very important, because if it's a single corporation, they can change a license like 'that.'" These sentiments were echoed in a separate talk by Dotan Horovits, open source evangelist at the Cloud Native Computing Foundation (CNCF), where he mused about open source "turning to the dark side." He noted that in most cases, issues arise when a single-vendor project decides to make changes based on its own business needs among other pressures. "Which begs the question, is vendor-owned open source an oxymoron?" Horovits said. "I've been asking this question for a good few years, and in 2025 this question is more relevant than ever."

The article adds that in 2025, "These debates won't be going anywhere anytime soon, as open source has emerged as a major focal point in the AI realm." And it includes this quote from Tidelift's co-founder.

"I have my quibbles and concerns about the open source AI definition, but it's really clear that what Llama is doing isn't open source," Villa said. Emily Omier, a consultant for open source businesses and host of the Business of Open Source podcast, added that such attempts to "corrupt" the meaning behind "open source" is testament to its inherent power.

Much of this may be for regulatory reasons, however. The EU AI Act has a special carve-out for "free and open source" AI systems (aside from those deemed to pose an "unacceptable risk"). And Villa says this goes some way toward explaining why a company might want to rewrite the rulebook on what "open source" actually means. "There are plenty of actors right now who, because of the brand equity [of open source] and the regulatory implications, want to change the definition, and that's terrible," Villa said.

GNU is Not Unix

The FSF Will Auction the Original GNU Logo Drawing, Stallman's Medal, and an Amiga (fsf.org) 25

The Free Software Foundation "hinted that it would organize an unprecedented virtual memorabilia auction" in March to celebrate this year's 40th anniversary, according to an announcement this week. Those hints "left collectors and free software fans wondering which of the pieces of the FSF's history would be auctioned off."

But Tuesday the FSF "lifted the veil and gave a sneak peek of some of the more prestigious entries in the memorabilia auction." First of all, the memorabilia auction will feature an item that could be especially interesting for art collectors but will certainly also draw the attention of free software fans from all over: the original GNU head drawing by Etienne Suvasa, which became the blueprint for the iconic GNU logo present everywhere in the free software world.

The list of memorabilia for sale also entails some rare and historic hardware, such as a "terminus-est" microcomputer, and an Amiga 3000UX that was used in the FSF's old office at the Massachusetts Institute of Technology (MIT) in the early days of GNU, when these machines were capable of running a GNU-like operating system. Another meaningful item to be auctioned off, and one that collectors will want to keep a keen eye on, is the Internet Hall of Fame medal awarded to founder Richard Stallman. When Stallman was inducted into the Internet Hall of Fame, it was the ultimate recognition of free software's immense impact on the development and advancement of the Internet. This medal is definitely worthy of joining a fine historical collection...! [T]here are several more historic awards, more original GNU artwork, and a legendary katana [as seen in an XKCD comic] that became a lighthearted weapon in the fight for computer user freedom.

The auction is only the opening act to a whole agenda of activities celebrating forty years of free software activism. In May, the FSF invites free software supporters all over the world to gather for local in-person community meetups to network, discuss what people can do next to make the world freer, and celebrate forty years of commitment to software freedom. Then, on the actual birthday of the FSF on October 4, 2025, the organization intends to bring the international free software community to Boston for a celebration featuring keynotes and workshops by prominent personalities of the free software movement.

"The bidding will start as a virtual silent auction on March 17 and run through March 21, with more auction items revealed each day, and will culminate in a virtual live auction on March 23, 2025, 14:00 to 17:00 EDT," according to the announcement.

"Register here to attend the live auction. There's no need to register for the silent auction; you can simply join the bidding on the FSF's LibrePlanet wiki."

AI

Hugging Face Clones OpenAI's Deep Research In 24 Hours 17

An anonymous reader quotes a report from Ars Technica: On Tuesday, Hugging Face researchers released an open source AI research agent called "Open Deep Research," created by an in-house team as a challenge 24 hours after the launch of OpenAI's Deep Research feature, which can autonomously browse the web and create research reports. The project seeks to match Deep Research's performance while making the technology freely available to developers. "While powerful LLMs are now freely available in open-source, OpenAI didn't disclose much about the agentic framework underlying Deep Research," writes Hugging Face on its announcement page. "So we decided to embark on a 24-hour mission to reproduce their results and open-source the needed framework along the way!"

Similar to both OpenAI's Deep Research and Google's implementation of its own "Deep Research" using Gemini (first introduced in December -- before OpenAI), Hugging Face's solution adds an "agent" framework to an existing AI model to allow it to perform multi-step tasks, such as collecting information and building the report as it goes along that it presents to the user at the end. The open source clone is already racking up comparable benchmark results. After only a day's work, Hugging Face's Open Deep Research has reached 55.15 percent accuracy on the General AI Assistants (GAIA) benchmark, which tests an AI model's ability to gather and synthesize information from multiple sources. OpenAI's Deep Research scored 67.36 percent accuracy on the same benchmark with a single-pass response (OpenAI's score went up to 72.57 percent when 64 responses were combined using a consensus mechanism).

As Hugging Face points out in its post, GAIA includes complex multi-step questions such as this one: "Which of the fruits shown in the 2008 painting 'Embroidery from Uzbekistan' were served as part of the October 1949 breakfast menu for the ocean liner that was later used as a floating prop for the film 'The Last Voyage'? Give the items as a comma-separated list, ordering them in clockwise order based on their arrangement in the painting starting from the 12 o'clock position. Use the plural form of each fruit." To correctly answer that type of question, the AI agent must seek out multiple disparate sources and assemble them into a coherent answer. Many of the questions in GAIA represent no easy task, even for a human, so they test agentic AI's mettle quite well.

Open Deep Research "builds on OpenAI's large language models (such as GPT-4o) or simulated reasoning models (such as o1 and o3-mini) through an API," notes Ars. "But it can also be adapted to open-weights AI models. The novel part here is the agentic structure that holds it all together and allows an AI language model to autonomously complete a research task."

The code has been made public on GitHub.

Open Source

RISC-V Mainboard For the Framework Laptop 13 Is Now Available (liliputing.com) 16

The DeepComputing RISC-V Mainboard that Framework announced last year for its 13-inch laptops is now available for $199. Liliputing reports: If you already have a Framework Laptop 13 with an Intel or AMD motherboard, the new board is a drop-in replacement. But if you don't have a Framework Laptop you can also use the mainboard as a standalone computer: Framework sells a $39 Cooler Master case that effectively turns its mainboards into mini desktop computers. The RISC-V Mainboard comes from a partnership between Framework and DeepComputing, the Chinese company behind the DC-ROMA laptops, which were some of the first notebook computers to ship with RISC-V processors.

The board features a StarFive JH7110 processor, which is a 1.5 GHz quad-core chip featuring SiFive U74 RISC-V CPU cores and Imagination BXE-4-32 graphics, 8GB of onboard RAM, and a 64GB SD card for storage (there's also support for an optional eMMC module, but you'll need to bring your own). Since the board is designed to fit in existing laptop frames, it's the same size and shape as AMD or Intel models and has four USB ports in the same locations. But these ports are a little less versatile than the ones you might find on other Framework Laptop 13 Mainboards [...]. There's also a 3.5mm audio jack.

You can check out the new board via the Framework Marketplace.

Further reading: Late last year, Framework CEO Nirav Patel delivered one of the best live demos we've ever seen at a tech conference -- modifying a Framework Laptop from x86 to RISC-V live on stage.

Ubuntu

Ubuntu's Dev Discussions Will Move From IRC to Matrix (omgubuntu.co.uk) 70

The blog OMG Ubuntu reports: Ubuntu's key developers have agreed to switch to Matrix as the primary platform for real-time development communications involving the distro. From March, Matrix will replace IRC as the place where critical Ubuntu development conversations, requests, meetings, and other vital chatter must take place... Only the current #ubuntu-devel and #ubuntu-release Libera IRC channels are moving to Matrix, but other Ubuntu development-related channels can choose to move — officially, given some projects were using Matrix over IRC already.

As a result, any major requests to/of the key Ubuntu development teams with privileged access can only be actioned if requests are made on Matrix. Canonical-employed Ubuntu developers will be expected to be present on Matrix during working hours... The aim is to streamline organisation, speed up decision making, ensure key developers are reliably reachable, and avoid discussions and conversations from fragmenting across multiple platforms... It's hoped that in picking one platform as the 'chosen one' the split in where the distro's development discourse takes place can be reduced and greater transparency in how and when decisions are made restored.

IRC remains popular with many Ubuntu developers but its old-school, lo-fi nature is said to be off-putting to newer contributors. They're used to richer real-time chat platforms with more features (like discussion history, search, offline messaging, etc). It's felt this is why many newer developers employed by Canonical prefer to discuss and message through the company's internal Mattermost instance — which isn't publicly accessible. Many Ubuntu teams, flavours, and community chats already take place on Matrix...

"End-users aren't directly affected, of course," they point out. But an earlier post on the same blog notes that Matrix "is increasingly ubiquitous in open-source circles. GNOME uses it, KDE embraces it, Linux Mint migrated last year, Mozilla a few years before, and it's already widely used by Ubuntu community members and developers." IRC remains unmatched in many areas but is, rightly or wrongly, viewed as an antiquated communication platform. IRC clients aren't pretty or plentiful, the syntax is obtuse, and support for 'modern' comforts like media sending, read receipts, etc., is lacking. To newer, younger contributors IRC could feel ancient or cumbersome to learn.

Though many of IRC's real and perceived shortcomings are surmountable with workarounds, clients, bots, scripts, and so on, support for those varies between channels, clients, servers, and user configurations. Unlike IRC, which is a centralised protocol relying on individual servers, Matrix is federated. It lets users on different servers communicate without friction. Plus, Matrix features encryption, message history, media support, and so on, meeting modern expectations.

Government

US Blocks Open Source 'Help' From These Countries (thenewstack.io) 81

Wednesday the Linux Foundation wrote that both "regulatory compliance" and "increased cybersecurity risk" were "creating burdens...that must be met" for open source communities.

And so, as Steven J. Vaughan-Nichols writes, "the Linux Foundation has released a comprehensive guide to help open source developers navigate the complex landscape of the U.S. Office of Foreign Assets Control (OFAC) sanctions..." These rules, aimed at achieving economic, foreign policy, and national security goals, apply to various interactions, including those in the open source community. The total Sanctions Programs and Country list amounts to over 17 thousand entries ranging from individuals to terrorist organizations to countries.

If that rings a bell, it's because, in October 2024, the Linux kernel developers ran right into this issue. The Linux kernel's leadership, including Greg Kroah-Hartman, the stable Linux kernel maintainer, and Linus Torvalds, Linux's founder, announced that eleven Russian kernel developers had been removed from their roles working on the Linux kernel. Why? Because, as Torvalds said, of "Russian sanctions." This, he added, in a Linux kernel mailing list (LKML) message was because "the 'various compliance requirements' are not just a US thing."

For developers, this means exercising caution about who they interact with and where their contributions originate. The sanctions target specific countries, regions, and individuals or organizations, many of which are listed on the Specially Designated Nationals and Blocked Persons (SDN) List... Most OFAC sanctions are exempted for "informational materials," which generally include open source code. However, this only applies to existing code and not to requests for new code or modifications. So, for example, working with a Russian developer on a code patch could land you in hot water... While reviewing unsolicited patches from contributors in sanctioned regions is generally acceptable, actively engaging them in discussions or improvements could cross legal boundaries... Developers are warned to be cautious of sanctioned entities attempting to contribute indirectly through third parties or developers acting "individually."

Countries currently sanctioned include:
  • Russia
  • Cuba
  • Iran
  • North Korea
  • Syria
  • The following regions of Ukraine: Crimea, Donetsk and Luhansk.

The Linux Foundation had written that the OFAC sanctions rules are "strict liability" rules, "which means it does not matter whether you know about them or not. Violating these rules can lead to serious penalties, so it's important to understand how they might affect your open source work." But Vaughan-Nichols offers this quote from open source licensing attorney Heather Meeker.

"Let's be honest: Smaller companies usually ignore regulations like this because they just don't have the resources to analyze them, and a government usually ignores smaller companies because it doesn't have the resources to enforce against them. Big companies that are on the radar need specialized counsel."


AI

Sam Altman: OpenAI Has Been On the 'Wrong Side of History' Concerning Open Source (techcrunch.com) 62

An anonymous reader quotes a report from TechCrunch: To cap off a day of product releases, OpenAI researchers, engineers, and executives, including OpenAI CEO Sam Altman, answered questions in a wide-ranging Reddit AMA on Friday. OpenAI the company finds itself in a bit of a precarious position. It's battling the perception that it's ceding ground in the AI race to Chinese companies like DeepSeek, which OpenAI alleges might've stolen its IP. The ChatGPT maker has been trying to shore up its relationship with Washington and simultaneously pursue an ambitious data center project, while reportedly laying groundwork for one of the largest financing rounds in history. Altman admitted that DeepSeek has lessened OpenAI's lead in AI, and he also said he believes OpenAI has been "on the wrong side of history" when it comes to open-sourcing its technologies. While OpenAI has open-sourced models in the past, the company has generally favored a proprietary, closed-source development approach.

"[I personally think we need to] figure out a different open source strategy," Altman said. "Not everyone at OpenAI shares this view, and it's also not our current highest priority [...] We will produce better models [going forward], but we will maintain less of a lead than we did in previous years." In a follow-up reply, Kevin Weil, OpenAI's chief product officer, said that OpenAI is considering open-sourcing older models that aren't state-of-the-art anymore. "We'll definitely think about doing more of this," he said, without going into greater detail.

Open Source

Google Has Open-Sourced the Pebble Smartwatch OS 23

Google has open-sourced the PebbleOS, with the original founder, Eric Migicovsky, starting a company to continue where he left off in 2016. "This is part of an effort from Google to help and support the volunteers who have come together to maintain functionality for Pebble watches after the original company ceased operations in 2016," said Google in a blog post. The Verge reports: The company -- which can't be named Pebble because Google still owns that -- doesn't have a name yet. For now, Migicovsky is hosting a waitlist and news signup at a website called RePebble. Later this year, once the company has a name and access to all that Pebble software, the plan is to start shipping new wearables that look, feel, and work like the Pebbles of old. The reason, Migicovsky tells me, is simple. "I've tried literally everything else," he says, "and nothing else comes close." Sure, he may just have a very specific set of requirements -- lots of people are clearly happy with what Apple, Garmin, Google, and others are making. But it's true that there's been nothing like Pebble since Pebble. "For the things I want out of it, like a good e-paper screen, long battery life, good and simple user experience, hackable, there's just nothing."

The core of Pebble, he says, is a few things. A Pebble should be quirky and fun and should feel like a gadget in an important way. It shows notifications, lets you control your music with buttons, lasts a long time, and doesn't try to do too much. It sounds like Migicovsky might have Pebble-y ambitions beyond smartwatches, but he appears to be starting with smartwatches. If that sounds like the old Pebble and not much else, that's precisely the point. [...] Migicovsky also hopes to be part of a broader open-source community around Pebble OS. The Pebble diehards still exist: a group of developers at Rebble have worked to keep many of the platform's apps alive, for instance, along with the Cobble app for connecting to phones, and the Pebble subreddit is surprisingly active for a product that hasn't been updated since the Obama administration. Migicovsky says he plans to open-source whatever his new company builds and hopes lots of other folks will build stuff, too.
Thank you Slashdot reader sziring for sharing this story.

GNU is Not Unix

FSF: Meta's License for Its Llama 3.1 AI Model 'is Not a Free Software License' (fsf.org) 35

July saw the news that Meta had launched a powerful open-source AI model, Llama 3.1.

But the Free Software Foundation evaluated Llama 3.1's license agreement, and announced this week that "this is not a free software license and you should not use it, nor any software released under it." Not only does it deny users their freedom, but it also purports to hand over powers to the licensors that should only be exercised through lawmaking by democratically-elected governments.

Moreover, it has been applied by Meta to a machine-learning (ML) application, even though the license completely fails to address software freedom challenges inherent in such applications....

We decided to review the Llama license because it is being applied to an ML application and model, while at the same time being presented by Meta as if it grants users a degree of software freedom. This is certainly not the case, and we want the free software community to have clarity on this.

In other news, the FSF also announced the winner of the logo contest for their big upcoming 40th anniversary celebration.

Social Networks

'Decentralized Social Media Is the Only Alternative To the Tech Oligarchy' (404media.co) 170

An anonymous reader quotes an op-ed from 404 Media's Jason Koebler: If it wasn't already obvious, the last 72 hours have made it crystal clear that it is urgent to build and mainstream alternative, decentralized social media platforms that are resistant to government censorship and control, are not owned by oligarchs and dominated by their algorithms, and in which users own their follower list and can port it elsewhere easily and without restriction. [...] Mastodon's ActivityPub and Bluesky's AT.Protocol have provided the base technology layer to make this possible, and have laid important groundwork over the last few years to decorporatize and decentralize the social internet.

The problem with decentralized social media platforms thus far is that their user base is minuscule compared to platforms like TikTok, Facebook, and Instagram, meaning the cultural and political influence has lagged behind them. You also cannot directly monetize an audience on Bluesky or Mastodon -- which, to be clear, is a feature, not a bug -- but also means that the value proposition for an influencer who makes money through the TikTok creator program or a small business that makes money selling chewing gum on TikTok shop or a clothes brand that has figured out how to arbitrage Instagram ads to sell flannel shirts is not exactly clear. I am not advocating for decentralized social media to implement ads and creator payment programs. I'm just saying that many TikTok influencers were directing their collective hundreds of millions of fans to follow them to Instagram or YouTube, not a decentralized alternative.

This doesn't mean that the fediverse or that a decentralized Instagram or TikTok competitor that runs on the AT.Protocol is doomed. But there is a lot of work to do. There is development work that needs to be done (and is being done) to make decentralized protocols easier to join and use and more interoperable with each other. And there is a massive education and recruitment challenge required to get the masses to not just try out decentralized platforms but to earnestly use them. Bluesky's growing user base and rise as a legitimately impressive platform that one can post to without feeling like it's going into the void is a massive step forward, and proof that it is possible to build thriving alternative platforms. The fact that Meta recently blocked links to a decentralized Instagram alternative shows that big tech sees these platforms, potentially, as a real threat.
"This is all to say that it is possible to build alternatives to Elon Musk's X, Mark Zuckerberg's Instagram, and whatever TikTok will become," concludes Koebler. "It is happening, and it is necessary. The richest, most powerful people in the world have all aligned themselves and their platforms with Donald Trump. But their platforms' relevance and importance doesn't necessarily have to last forever. A different way is possible, if we build it."

Further reading: 'The Tech Oligarchy Arrives' (The Atlantic)

Google

Google Upgrades Open Source Vulnerability Scanning Tool with SCA Scanning Library (googleblog.com) 2

In 2022 Google released OSV-Scanner, a tool to easily scan for vulnerabilities in dependencies. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:
  • Software composition analysis for installed packages, standalone binaries, as well as source code
  • OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
  • Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
  • Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
  • Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats
  • Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."


Open Source

Bluesky Is Getting Its Own Photo-Sharing App, Flashes (techcrunch.com) 46

Independent developer Sebastian Vogelsang is building a photo-sharing app for the decentralized social network Bluesky, leveraging its AT Protocol and his earlier app, Skeets. The app, called Flashes, will offer features like photo and short video posts while integrating seamlessly with Bluesky. TechCrunch reports: When launched, Flashes could tap into growing consumer demand for alternatives to Big Tech's social media monopoly. [...] To make this work, Flashes simply filters Bluesky's existing timeline for posts with photos and video posts. (In the future, Vogelsang also plans to add metadata to Flashes' posts so Bluesky users would have a way to keep their feeds on Bluesky's main app from being flooded with photo posts if that became a problem.) Flashes didn't take too long to build because it was able to reuse Skeets' existing code. The app will also be able to market to Skeets' existing user base, who have now downloaded the app some 30,500 times to date.

Vogelsang says he's now working to integrate subscription-based features from both his apps so users don't have to pay twice for the premium features, like Skeets' bookmarks, drafts, muting, rich push notifications, and others specific to Flashes. (Both apps are free to use without a subscription, we should note.) Later, Vogelsang says he wants to launch a video-only app, too, called Blue Screen.

At launch, Flashes will support photo posts of up to four images and videos of up to 1 minute in length, just like Bluesky. Users who post to Flashes will also have their posts appear on Bluesky and comments on those posts will also feed back into the app as if it were just another Bluesky client. It will also support Bluesky's direct messages. The developer expects to be able to launch Flashes to the public in a matter of weeks with a TestFlight beta arriving ahead of that. Interested users can follow Flashes' account on Bluesky for further updates.
Flashes could satiate the growing demand for alternatives to Big Tech's social media monopoly, especially after Meta CEO Mark Zuckerberg announced that he will end fact-checking on its platforms.

Cloud

Euro-Cloud Anexia Moves 12,000 VMs Off VMware to Homebrew KVM Platform (theregister.com) 57

The Register's Simon Sharwood reports: Broadcom has lost another sizable customer for its VMware platform: Austrian cloud provider Anexia has moved 12,000 VMs, some of them rented by major European businesses, to an open-source system based on the KVM hypervisor. Anexia was founded in 2006, is based in Austria, and provides cloud services from over 100 locations around the world by placing equipment in third party datacenters. Clients include remote access and control vendor TeamViewer, and airline Lufthansa -- plus plenty more outfits that need reliable hosting and service to match.

CEO Alexander Windbichler told The Register that after Broadcom acquired VMware, increased licensing costs, and made big changes to its partner program, Anexia remained eligible to operate a VMware-powered cloud. But Windbichler felt he couldn't afford to continue, because Broadcom offered new terms that saw the cost of VMware licenses rise sharply. The CEO preferred not to enumerate the increase precisely; however, The Register understands it exceeded 500 percent. Whatever the actual figure, Windbichler said the cost increase "Would have been existential for us."

"We used to pay for VMware software one month in arrears," he said. "With Broadcom we had to pay a year in advance with a two-year contract." That arrangement, the CEO said, would have created extreme stress on company cashflow. "We would not be able to compete with the market," he said. "We had customers on contracts, and they would not pay for a price increase." Windbichler considered legal action, but felt the fight would have been slow and expensive. Anexia therefore resolved to migrate, a choice made easier by its ownership of another hosting business called Netcup that ran on a KVM-based platform.
