OSS

SpamAssassin is back

Filed under
OSS
Security

The SpamAssassin 3.4.2 release was the first from that project in well over three years. At the 2018 Open Source Summit Europe, Giovanni Bechis talked about that release and those that will be coming in the near future. It would seem that, after an extended period of quiet, the SpamAssassin project is back and has rededicated itself to the task of keeping junk out of our inboxes.

Bechis started by noting that spam filtering is hard because everybody's spam is different. It varies depending on which languages you speak, what your personal interests are, which social networks you use, and so on. People vary, so results vary; he knows a lot of Gmail users who say that its spam filtering works well, but his Gmail account is full of spam. Since Google knows little about him, it is unable to train itself to properly filter his mail.

Just like Gmail, SpamAssassin isn't the perfect filter for everybody right out of the box; it's really a framework that can be used to create that filter. Getting the best out of it can involve spending some time to write rules, for example.


OSS: Finos, Identity and Access Management, Free Open Source Technologies Are Big Business, Fundraising Software for Non-Profits Joins Conservancy

Filed under
OSS
  • Finos launches open source programme

    Finos (the Fintech Open Source Foundation), a nonprofit foundation promoting open innovation in financial services, today announced the launch of a new Program focused on Decentralized Ecosystem Growth (DEG).

    Amber Baldet, CEO of Clovyr and former Blockchain Program Lead for J.P. Morgan Chase, revealed the Program in London during her keynote at FINOS’ annual flagship Open Source Strategy Forum - the only conference dedicated to open source in financial services. IHS Markit, FINOS Gold Member, will sponsor the program with Baldet serving as the first Program Management Committee (PMC) lead.

  • Open Source Identity and Access Management

    Looking back on the year as we enter the homestretch of 2018, one thing is apparent. With 2018 on track to be one of the worst years for security breaches ever, strong identity and access management (IAM) needs to be at the top of any IT organization’s checklist. Those that are cost conscious are asking, are there any viable open source identity and access management solutions on the market?

  • Free Open Source Technologies Are Big Business. Wait, What?
  • The Houdini Project: Fundraising Software for Non-Profits Joins Conservancy

    First we were excited to find out that a project like the Houdini Project even existed and now we can proudly say that they are also a Conservancy member! Services and applications for non-profits -- that are also free software -- are very close to our fiscal umbrella heart here at Conservancy. Houdini is our second incoming project this year that specifically caters to the needs of non-profits. Back in May, we welcomed Backdrop CMS, a lightweight content management system that is great for non-profits, to the Conservancy fold. As long-time readers of the Conservancy blog know, the offerings for non-profits that care about software freedom are pretty slim, which is why we've also been working on our own non-profit accounting solution.

    The Houdini Project's ("Houdini's") software is used by many worthy and hard-working organizations, but perhaps the most notable is the Panzi Foundation. The foundation focuses on ending sexual violence in wars and supporting survivors at the Panzi Hospital in the Democratic Republic of Congo as they rebuild their lives. Panzi Foundation's co-founder, Dr. Denis Mukwege, a surgeon and activist who has devoted his life to this work, received a Nobel Peace Prize this year. Other major users include Public Radio Exchange, WeMove.eu and Charter for Compassion.

Meet TiDB: An open source NewSQL database

Filed under
Server
OSS

As businesses adopt cloud-native architectures, conversations will naturally lead to what we can do to make the database horizontally scalable. The answer will likely be to take a closer look at TiDB.

TiDB is an open source NewSQL database released under the Apache 2.0 License. Because it speaks the MySQL protocol, your existing applications will be able to connect to it using any MySQL connector, and most SQL functionality remains identical (joins, subqueries, transactions, etc.).

Step under the covers, however, and there are differences. If your architecture is based on MySQL with Read Replicas, you'll see things work a little bit differently with TiDB. In this post, I'll go through the top five key differences I've found between TiDB and MySQL.


Is your startup built on open source? 9 tips for getting started

Filed under
OSS

When I started Gluu in 2009, I had no idea how difficult it would be to start an open source software company. Using the open source development methodology seemed like a good idea, especially for infrastructure software based on protocols defined by open standards. By nature, entrepreneurs are optimistic—we underestimate the difficulty of starting a business. However, Gluu was my fourth business, so I thought I knew what I was in for. But I was in for a surprise!

Every business is unique. One of the challenges of serial entrepreneurship is that a truth that was core to the success of a previous business may be incorrect in your next business. Building a business around open source forced me to change my plan. How to find the right team members, how to price our offering, how to market our product—all of these aspects of starting a business (and more) were impacted by the open source mission and required an adjustment from my previous experience.

A few years ago, we started to question whether Gluu was pursuing the right business model. The business was growing, but not as fast as we would have liked.


Also: Cisco partners using open source gain 10% sales advantage over rivals

OpenStack Now Powers 75 Public Clouds Worldwide

Filed under
Server
OSS

While there is a lot of talk about large public cloud providers and other open-source cloud efforts in the media and elsewhere, the OpenStack Foundation continues to move forward, albeit with less hype than it once was able to muster.

On Nov. 13, the OpenStack Foundation announced that it is rebranding its OpenStack Summit event, which is running here Nov. 13-15, to the Open Infrastructure Summit, as part of the open-source organization’s continued movement to look beyond just its own core open-source cloud effort.

On the other hand, even as the OpenStack Foundation looks beyond its namesake project for the future, the present reality is that OpenStack is quietly powering a lot of cloud infrastructure. Although OpenStack is not thought of among the big three public cloud providers—Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure—it does power more than 75 other public cloud providers worldwide. At the OpenStack Summit, multiple operators and vendors including Huawei, Deutsche Telekom and OVH detailed how they are scaling increasingly larger cloud platforms, all powered by OpenStack.


Openwashing With GitHub

Filed under
OSS
  • Twistlock Improves Cloud-Native Security With Discovery Tool

    There is a simple truism in much of IT, and that is that organizations can't manage what they're not aware of. As organizations increasingly make use of distributed teams that use cloud-native services, there is a nontrivial risk of application sprawl.

    On Nov. 13, container security vendor Twistlock announced its new open-source cloud-native discovery tool, in an effort to help identify and locate applications running on different public cloud services. The Cloud Discovery tool's initial release supports scanning on the three major public cloud providers: Amazon Web Services (AWS), Google Cloud Platform and Microsoft Azure.

    "Most customers tend to have a multicloud cloud strategy and then you combine that with the fact that everybody has got multiple accounts for different projects or business units, and so forth," John Morello, chief technology officer at Twistlock, told eWEEK. "You get this big equation where organizations try to figure out all the possible things that could be out there deployed and running."

  • Twistlock Releases Cloud Discovery Open Source Tool for Cloud Native Services
  • Microsoft's New Open-Source Project Is "Shader Conductor" For Cross-Compiling HLSL [Ed: Why does Phoronix help Microsoft's openwashing of proprietary lock-in, DX?]

Michael Howard: Embrace of open source is destroying 'artificial definitions' of legacy vendors

Filed under
Interviews
OSS

Michael Howard, Berkeley grad and alumnus of Oracle and EMC, took the helm at open-source biz MariaDB almost three years ago. Reflecting on how things have changed, he reckons the biggest shift is in how both investors and enterprise have embraced open-source. Now, he has an IPO on his mind.

In an interview with El Reg, Howard – who, as noted at the time of his appointment, has worked for a number of companies who were slurped up by bigger businesses – said the end of 2018 will see the end of the first year of a three-year plan he devised for the firm.

Broadly, Howard sets out an overall roadmap of three pieces for the firm. Unsurprisingly, cloud native technology is first up. The other two are adaptive scalability, with the aim of supporting “mom and pop shops all the way to planet-scale processing for the largest social platforms”, and boosting the quality of service by professionalising people and technology, for instance through machine learning.

But in addition to these technical goals, there’s the business side of things, and the boss said the plan “is being able to go public; to be able to get the company buttoned up at the right revenue level to go public”.

“We have a voracious appetite for getting to our strategic goals, and part of that is revenue and going public.”


Events: Jesień Linuksowa 2018, Sustain OSS 2018, Hacktoberfest Celebrates 5th Anniversary

Filed under
OSS
  • Jesień Linuksowa 2018

    Last weekend I participated in the conference Jesień Linuksowa 2018 in Krakow, Poland. It was my first time in a country with so many tragic historical experiences.

    On the other hand, I was impressed by the community members and the organization of the event. We celebrated another edition of Linux Autumn in the hotel Gwarek and my post-event wrap up will take into consideration seven basic points:

    Organizers

    This time I was accompanied by my friend Ana Garcia, who is a student at the University of Edinburgh, and the members of the organization were supportive and kind all the time with us. We felt a warm environment since we arrived at night in the middle of the fog at midnight. They helped us with our talks and the workshops we offered related to parallelization.

    We meet new friends! Thanks to Dominik, Rafal, Filip, Linter and Matej from Red Hat.

  • Sustain OSS 2018: quick rewind

    This year, I attended the second edition of the Sustain Open Source Summit (a.k.a. Sustain OSS) on October 25th, 2018 in London. Sustain OSS is a one-day discussion on various topics about sustainability in open source ecosystems. It’s also a collection of diverse roles across the world of open source. From small project maintainers to open source program managers at the largest tech companies in the world, designers to government employees, there is a mix of backgrounds in the room. Yet there is a shared context around the most systemic problems faced by open source projects, communities, and people around the world.

    The shared context is the most valuable piece of the conference. As a first-time attendee, I was blown away by the depth and range of topics covered by attendees. This blog post covers a narrow perspective of Sustain OSS through the sessions I participated and co-facilitated in.

  • A Review of Hacktoberfest Year 5!
  • Hacktoberfest Celebrates 5th Anniversary

    Five years ago the community team at DigitalOcean wanted to create a program to inspire open source contributions. That first year, in 2014, the first Hacktoberfest participants were asked for 50 commits, and those who completed the challenge received a reward of swag. 676 people signed up and 505 forged ahead to the finish line, earning stickers and a custom limited-edition T-shirt.

    This year that number is an astounding 46,088 completions out of 106,582 sign-ups. We’ve seen it become an entry point to developers contributing to open source projects: much more than a program, it’s clear that Hacktoberfest has become a global community movement with a shared set of values and passion for giving back.

What you need to know about the GPL Cooperation Commitment

Filed under
OSS

Imagine what the world would look like if growth, innovation, and development were free from fear. Innovation without fear is fostered by consistent, predictable, and fair license enforcement. That is what the GPL Cooperation Commitment aims to accomplish.

Last year, I wrote an article about licensing effects on downstream users of open source software. As I was conducting research for that article, it became apparent that license enforcement is infrequent and often unpredictable. In that article, I offered potential solutions to the need to make open source license enforcement consistent and predictable. However, I only considered "traditional" methods (e.g., through the court system or some form of legislative action) that a law student might consider.


Have you seen these personalities in open source?

Filed under
OSS

When I worked with the Mozilla Foundation, long before the organization boasted more than a hundred and fifty staff members, we conducted a foundation-wide Myers-Briggs indicator. The Myers-Briggs is a popular personality assessment, one used widely in career planning and the business world. Created in the early twentieth century, it's the product of two women: Katharine Cook Briggs and her daughter Isabel Briggs Myers, who built the tool on Carl Jung's Theory of Psychological Types (which was itself based on clinical observations, as opposed to "controlled" scientific studies). Each of my co-workers (53 at the time) answered the questions. We were curious about what kind of insights we would gain into our individual personalities, and, by extension, about how we'd best work together.



More in Tux Machines

Deepin 15.8 - Attractive and Efficient, Excellent User Experience

Deepin is an open source GNU/Linux operating system, based on the Linux kernel and desktop applications, supporting laptops, desktops and all-in-ones. deepin preinstalls Deepin Desktop Environment (DDE) and nearly 30 deepin native applications, as well as several applications from the open source community to meet users’ daily learning and work needs. In addition, about a thousand applications are offered in Deepin Store to meet more of your needs. deepin, developed by a professional operating system R&D team and deepin technical community (www.deepin.org), is from the name of deepin technical community - “deepin”, which means deep pursuit and exploration of the life and the future.

Compared with deepin 15.7, the ISO size of deepin 15.8 has been reduced by 200MB. The new release features a newly designed control center, dock tray and boot theme, as well as improved deepin native applications, hoping to bring users a more beautiful and efficient experience.

Kernel: Zinc and 4.20 Merge Window

  • Zinc: a new kernel cryptography API
    We looked at the WireGuard virtual private network (VPN) back in August and noted that it is built on top of a new cryptographic API being developed for the kernel, which is called Zinc. There has been some controversy about Zinc and why a brand new API was needed when the kernel already has an extensive crypto API. A recent talk by lead WireGuard developer Jason Donenfeld at Kernel Recipes 2018 would appear to be a serious attempt to reach out, engage with that question, and explain the what, how, and why of Zinc.

    WireGuard itself is small and, according to Linus Torvalds, a work of art. Two of its stated objectives are maximal simplicity and high auditability. Donenfeld initially did try to implement WireGuard using the existing kernel cryptography API, but after trying to do so, he found it impossible to do in any sane way. That led him to question whether it was even possible to meet those objectives using the existing API.

    By way of a case study, he considered big_key.c. This is kernel code that is designed to take a key, store it encrypted on disk, and then return the key to someone asking for it if they are allowed to have access to it. Donenfeld had taken a look at it, and found that the crypto was totally broken. For a start, it used ciphers in Electronic Codebook (ECB) mode, which is known to leave gross structure in ciphertext — the encrypted image of Tux on the left may still contain data perceptible to your eye — and so is not recommended for any serious cryptographic use. Furthermore, according to Donenfeld, it was missing authentication tags (allowing ciphertext to be undetectably modified), it didn't zero keys out of memory after use, and it didn't use its sources of randomness correctly; there were many CVEs associated with it. So he set out to rewrite it using the crypto API, hoping to better learn the API with a view to using it for WireGuard.

    The first step with the existing API is to allocate an instance of a cipher "object". The syntax for so doing is arguably confusing — for example, you pass the argument CRYPTO_ALG_ASYNC to indicate that you don't want the instance to be asynchronous. When you've got it set up and want to encrypt something, you can't simply pass data by address. You must use scatter/gather to pass it, which in turn means that data in the vmalloc() area or on the stack can't just be encrypted with this API. The key you're using ends up attached not to the object you just allocated, but to the global instance of the algorithm in question, so if you want to set the key you must take a mutex lock before doing so, in order to be sure that someone else isn't changing the key underneath you at the same time.

    This complexity has an associated resource cost: the memory requirements for a single key can approach a megabyte, and some platforms just can't spare that much. Normally one would use kvalloc() to get around this, but the crypto API doesn't permit it. Although this was eventually addressed, the fix was not trivial.
  • 4.20 Merge window part 2
    At the end of the 4.20 merge window, 12,125 non-merge changesets had been pulled into the mainline kernel repository; 6,390 came in since last week's summary was written. As is often the case, the latter part of the merge window contained a larger portion of cleanups and fixes, but there were a number of new features in the mix as well.

Limiting the power of package installation in Debian

There is always at least a small risk when installing a package for a distribution. By its very nature, package installation is an invasive process; some packages require the ability to make radical changes to the system—changes that users surely would not want other packages to take advantage of. Packages that are made available by distributions are vetted for problems of this sort, though, of course, mistakes can be made. Third-party packages are an even bigger potential problem because they lack this vetting, as was discussed in early October on the debian-devel mailing list. Solutions in this area are not particularly easy, however.

Lars Wirzenius brought up the problem: "when a .deb package is installed, upgraded, or removed, the maintainer scripts are run as root and can thus do anything." Maintainer scripts are included in a .deb file to be run before and after installation or removal. As he noted, maintainer scripts for third-party packages (e.g. Skype, Chrome) sometimes add entries to the lists of package sources and signing keys; they do so in order to get security updates to their packages safely, but it may still be surprising or unwanted. Even simple mistakes made in Debian-released packages might contain unwelcome surprises of various sorts.

He suggested that there could be a set of "profiles" that describe the kinds of changes that might be made by a package installation. He gave a few different examples, such as a "default" profile that only allowed file installation in /usr, a "kernel" profile that can install in /boot and trigger rebuilds of the initramfs, or "core" that can do anything. Packages would then declare which profile they required. The dpkg command could arrange that package's install scripts could only make the kinds of changes allowed by its profile.
