"Let's abandon the notion that open source is exclusively charity," writes Havoc Pennington, a free software engineer (and former Red Hat engineer) who's now a co-founder of Tidelift: Look around. We do have a problem, and it's time we do something about it.... The lack of compensation isn't just bad for individual developers -- it also creates social problems, by amplifying existing privilege.... The narrative around open source is that it's completely OK -- even an expectation -- that we're all doing this for fun and exposure; and that giant companies should get huge publicity credit for throwing peanuts-to-them donations at a small subset of open source projects.

There's nothing wrong with doing stuff for fun and exposure, or making donations, as an option. It becomes a problem when the free work is expected and the donations are seen as enough... What would open source be like if we had a professional class of independent maintainers, constantly improving the code we all rely on?
The essay suggests some things consider, including asking people to pay for:

• Support requests

• Security audits/hardening and extremely good test coverage

• Supporting old releases

• License-metadata-annotation practices that are helpful for big companies trying to audit the code they use, but sort of a pain in the ass and nobody cares other than these big companies.

"Right now many users expect, and demand, that all of this will be free. As an industry, perhaps we should push back harder on that expectation. It's OK to set some boundaries..."

"Of course this relates to what we do at Tidelift -- the company came out of discussions about this problem, among others... In our day-to-day right now we're specifically striving to give subscribers a way to pay maintainers of their application dependencies for additional value, through the Tidelift Subscription. But we hope to see many more efforts and discussions in this area.... [I]n between a virtual tip jar and $100 million in funding, there's a vast solution space to explore."

"Red Hat is taking over maintenance responsibilities for OpenJDK 8 and OpenJDK 11 from Oracle," reports InfoWorld: Red Hat will now oversee bug fixes and security patches for the two older releases, which serve as the basis for two long-term support releases of Java. Red Hat's updates will feed into releases of Java from Oracle, Red Hat, and other providers... Previously, Red Hat led the OpenJDK 6 and OpenJDK 7 projects. Red Hat is not taking over OpenJDK 9 or OpenJDK 10, which were short-term releases with a six-month support window.

At SUSECon in Nashville, Tennessee, European Linux power SUSE CEO Nils Brauckmann said his company would soon be the largest independent Linux company. "That's because, of course, IBM is acquiring Red Hat," reports ZDNet. "But, simultaneously, SUSE has continued to grow for seven-straight years." From the report: Brauckmann said, "We believe that makes our status as a truly independent open source company more important than ever. Our genuinely open-source solutions, flexible business practices, lack of enforced vendor lock-in, and exceptional service are more critical to customer and partner organizations, and our independence coincides with our single-minded focus on delivering what is best for them." Practically speaking, SUSE has been growing by focusing on delivering high-quality Linux and open-source programs and services to enterprise customers. Looking ahead Brauckmann said, "SUSE is better positioned to bring more innovation to customers and partners faster through both organic growth and acquisitions, keeping us on track to provide them with the open solutions that keep them ahead with their own customers in their own markets. We continue to adapt so our customers and partners can succeed."

Last year SUSE's revenue grew by 15 percent in fiscal year 2018, and the business is about to surpass the $400 million revenue mark for the first time. SUSE, which sees not quite half of its business in Europe, is also seeing revenue growth around the world. North America, for example, now accounts for almost 40 percent of SUSE's revenues. The company is also expanding. SUSE added more than 300 employees in the last 12 months. For the most part this has been in engineering followed by sales and services. SUSE staff is now approaching 1,750 globally and its plans on continuing to hire aggressively.

An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies, such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket has profited from it by offering it as a service while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).

Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....

The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr.

Mark Wilson writes: Earlier in the year open-source software startup Whitewater Foundry brought WLinux to the Windows Subsystem for Linux (WSL). Not content with creating the first native Linux distribution for WSL, the company has now gone a step further, targeting enterprise users with WLinux Enterprise. Whitewater Foundry says that WLinux Enterprise is the first product to support the industry-standard Red Hat Enterprise Linux on Windows Subsystem for Linux.

An anonymous reader shares a report: This week, the Linux distro biz emitted Fedora 29 and RHEL 7.6, and in the latter's changelog the following appears, which a Reg reader kindly just alerted us to: "KDE Plasma Workspaces (KDE), which has been provided as an alternative to the default GNOME desktop environment has been deprecated. A future major release of Red Hat Enterprise Linux will no longer support using KDE instead of the default GNOME desktop environment." In other words, if you're using RHEL on the desktop, at some point KDE will not be supported. As our tipster remarked: "Red Hat has never exactly been a massive supporter of KDE, but at least they shipped it and supported you using it."

Donald Fischer, who served as a product manager for Red Hat Enterprise Linux during its creation and early years of growth, writes: Red Hat saw, earlier than most, that the ascendance of open source made the need to pay for code go away, but the need for support and maintenance grew larger than ever. Thus Red Hat was never in the business of selling software, rather it was in the business of addressing the practical challenges that have always come along for the ride with software. [...] As an open source developer, you created that software. You can keep your package secure, legally documented, and maintained; who could possibly do it better? So why does Red Hat make the fat profits, and not you? Unfortunately, doing business with large companies requires a lot of bureaucratic toil. That's doubly true for organizations that require security, legal, and operational standards for every product they bring in the door. Working with these organizations requires a sales and marketing team, a customer support organization, a finance back-office, and lots of other "business stuff" in addition to technology. Red Hat has had that stuff, but you haven't.

And just like you don't have time to sell to large companies, they don't have time to buy from you alongside a thousand other open source creators, one at a time. Sure, big companies know how to install and use your software. (And good news! They already do.) But they can't afford to put each of 1100 npm packages through a procurement process that costs $20k per iteration. Red Hat solved this problem for one corner of open source by collecting 2,000+ open source projects together, adding assurances on top, and selling it as one subscription product. That worked for them, to the tune of billions. But did you get paid for your contributions?

Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology.

"TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."

ekimd writes: Fedora 29 is released today. Among the new features are the ability to allow parallel installation of packages such as Node.js. Fedora 29 also supports ZRAM (formerly called compcache) for ARMv7 and v8. In addition to the more efficient use of RAM, it also increases the lifespan of microSD cards on the Raspberry Pi as well as other SBCs.

"Additionally, UEFI for ARMv7 is now supported in Fedora 29, which also benefits Raspberry Pi users," reports TechRepublic. "Fedora already supported UEFI on 64-bit ARM devices."

International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management.

IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."

An anonymous reader quotes ZDNet: When leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License (GPLv2) or GNU Lesser General Public License (LGPL) v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal. Both older open-source licenses are widely used.

When the GPLv3 was released, it came with an express termination approach that offered developers the chance to cure license compliance errors. This termination policy in GPLv3 provided a way for companies to repair licensing errors and mistakes... Other companies -- CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE -- have taken similar GPL positions... In its new position statement, Red Hat explained that the GPLv2 and LGPL, as written, has led to the belief that automatic license termination and copyright infringement claims can result from a single act of inadvertent non-compliance.
"We hope that others will also join in this endeavor," says Red Hat's senior commercial counsel, Richard Fontana, "to reassure the open source community that good faith efforts to fix noncompliance will be embraced."

ZDNet points out that the move to new licenses "doesn't apply, of course, to Linux itself. Linus Torvalds has made it abundantly clear that Linux has been, will now, and always shall be under the GPLv2."

At OpenStack Summit in Vancouver, Canada this week, Canonical CEO and Ubuntu Linux founder Mark Shuttleworth came out firing at two of his major enterprise OpenStack competitors: Red Hat and VMware. He claimed that Canonical OpenStack is a better deal than either Red Hat or VMware's OpenStack offerings. From a report: Shuttleworth opened quietly enough, saying, "Mission is to remove all the friction from deploying OpenStack. We can deliver OpenStack deployments with two people in less two weeks anywhere in the world." So far, so typical for a keynote speech. But, then Shuttleworth started to heat things up: "Amazon increased efficiency, so now everyone is driving down cost of infrastructure. Everyone engages with Ubuntu, not Red Hat or VMware. Google, IBM, Microsoft are investing and innovating to drive down the cost of infrastructure. Every single one of those companies works with Canonical to deliver public services."

Then, Shuttleworth got down to brass tacks: "Not one of them engages with VMware to offer those public services. They can't afford to. Clearly, they have the cash, but they have to compete on efficiencies, and so does your private cloud." So, Canonical is rolling rolling out a migration service to help users shift from VMware to a "fully managed" version of Canonical's Ubuntu OpenStack distribution. Customers want this, Shuttleworth said, because, "When we take out VMware we are regularly told that our fully managed OpenStack solution costs half of the equivalent VMware service."

An anonymous reader quotes The Register: Late last month, open-source contributor Raymond Nicholson proposed a change to the manual for glibc, the GNU implementation of the C programming language's standard library, to remove "the abortion joke," which accompanied the explanation of libc's abort() function... The joke, which has been around since the 1990s and is referred to as a censorship joke by those supporting its inclusion, reads as follows:

25.7.4 Aborting a Program... Future Change Warning: Proposed Federal censorship regulations may prohibit us from giving you information about the possibility of calling this function. We would be required to say that this is not an acceptable way of terminating a program.

On April 30, the proposed change was made, removing the passage from the documentation. That didn't sit well with a number of people involved in the glibc project, including the joke's author, none other than Free Software Foundation president and firebrand Richard Stallman, who argued that the removal of the joke qualified as censorship... Carlos O'Donnell, a senior software engineer at Red Hat, recommended avoiding jokes altogether, a position supported by many of those weighing in on the issue. Among those voicing opinions, a majority appears to favor removal.
But in a post to the project mailing list, Stallman wrote "Please do not remove it. GNU is not a purely technical project, so the fact that this is not strictly and grimly technical is not a reason to remove this." He added later that "I exercise my authority over glibc very rarely -- and when I have done so, I have talked with the official maintainers. So rarely that some of you thought that you are entirely autonomous. But that is not the case. On this particular question, I made a decision long ago and stated it where all of you could see it."

The Register reports that "On Monday, the joke was restored by project contributor Alexandre Oliva, having taken Stallman's demand as approval to do so."

On Tuesday Red Hat announced the general availability of Red Hat Enterprise Linux version 7.5. An anonymous reader writes: Serving as a consistent foundation for hybrid cloud environments, Red Hat Enterprise Linux 7.5 provides enhanced security and compliance controls, tools to reduce storage costs, and improved usability, as well as further integration with Microsoft Windows infrastructure both on-premise and in Microsoft Azure.

New features include a large combination of Ansible Automation with OpenSCAP, and LUKS-encrypted removable storage devices can be now automatically unlocked using NBDE. The Gnome shell has been re-based to version 3.26, the Kernel version is 3.10.0-862, and the kernel-alt packages include kernel version 4.14 with support for 64-bit ARM, IBM POWER9 (little endian), and IBM z Systems, while KVM virtualization is now supported on IBM POWER8/POWER9 systems.
See the detailed release notes here.

To mark Red Hat's 25th anniversary, TechCrunch spoke with the company's CEO Jim Whitehurst to talk about the past, present and future of the company, and open-source software in general. An excerpt: "Ten years ago, open source at the time was really focused on offering viable alternatives to traditional software," he told me. "We were selling layers of technology to replace existing technology. [...] At the time, it was open source showing that we can build open-source tech at lower cost. The value proposition was that it was cheaper." At the time, he argues, the market was about replacing Windows with Linux or IBM's WebSphere with JBoss. And that defined Red Hat's role in the ecosystem, too, which was less about technological information than about packaging. "For Red Hat, we started off taking these open-source projects and making them usable for traditional enterprises," said Whitehurst.

About five or six ago, something changed, though. Large corporations, including Google and Facebook, started open sourcing their own projects because they didn't look at some of the infrastructure technologies they opened up as competitive advantages. Instead, having them out in the open allowed them to profit from the ecosystems that formed around that. "The biggest part is it's not just Google and Facebook finding religion," said Whitehurst. "The social tech around open source made it easy to make projects happen. Companies got credit for that." He also noted that developers now look at their open-source contributions as part of their resume. With an increasingly mobile workforce that regularly moves between jobs, companies that want to compete for talent are almost forced to open source at least some of the technologies that don't give them a competitive advantage.
In October, Whitehurst also answered questions from Slashdot readers.

Microsoft is joining Red Hat, Facebook, Google and IBM in committing to extending right to "cure" open source licensing noncompliance before taking legal measures. From a report: On March 19, officials from Microsoft -- along with CA Technologies, Cisco, HPE, SAP and SUSE -- said they'd work with open together with the already-committed vendors to provide more "predictability" for users of open source software. "The large ecosystems of projects using the GPLv2 and LGPLv2.x licenses will benefit from adoption of this more balanced approach to termination derived from GPLv3," explained Red Hat in a press release announcing the new license-compliance partners. The companies which have agreed to adopt the "Common Cure Rights Commitment" said before they file or continue to prosecute those accused of violating covered licenses, they will allow for users to cure and reinstate their licenses.