September 2022 Tech News Digest

Quick notes: I decided to skip the news digest in August as I was on vacation for most of that month. The September digest is pretty late, partly because of my trip to GRCon – which I will be writing about separately. But really, the biggest news of September is that we had a great GRCon!

Security issues in Open Source Software

A sure sign of Open Source becoming even more relevant and important is the large number of recent security issues surrounding OSS. AT&T Alien Labs discovered a new, stealthy and capable piece of Linux malware (Ars Technica, heise.de), which they dubbed “Shikitega”. The news portal heise.de also quoted a security firm’s report which puts the increase in attacks on open source repositories at 700% over the last three years.

heise.de published an article on creating SBOMs. An SBOM (Software Bill of Materials) declares exactly which software components are contained in a system and at least provides transparency: once the inventory is known, it can be matched against vulnerability advisories the next time a widely used library turns out to be vulnerable. When dealing with the US government, SBOMs might already be a requirement: Executive Order 14028 from May 2021 asks suppliers of software to federal agencies to provide them. Another article on heise.de introduces CycloneDX, which is an OWASP-maintained SBOM format as well as a family of tools for producing and consuming it.
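To make the transparency argument concrete, here is an added example that is not from the heise.de article and not CycloneDX project code. It emits a minimal CycloneDX-shaped SBOM for a constructed package inventory and then matches the components against a constructed advisory feed. The document layout follows the public CycloneDX JSON shape (bomFormat, specVersion, components with type/name/version/purl); the package names, versions and advisory identifiers are made-up sample data, and versions are compared as plain dotted integers, which a real matcher would replace with ecosystem-aware ordering (PEP 440 for PyPI, semver for npm).

```python
"""Added example (not from the article, not CycloneDX project code): build a
CycloneDX-shaped SBOM from a constructed package list, then audit it against
a constructed advisory feed. All names and identifiers are made up."""
import json

# Constructed inventory, as a packaging tool would collect it:
# (ecosystem, package name, installed version).
SAMPLE_PACKAGES = [
    ("pypi", "examplelib", "2.3.1"),
    ("pypi", "otherlib", "0.9.0"),
    ("npm", "cleanlib", "1.0.0"),
]

# Constructed advisory feed: name -> list of (first fixed version, advisory id).
# Any version below the fixed version counts as affected. Hypothetical IDs.
SAMPLE_ADVISORIES = {
    "examplelib": [("2.3.2", "EXAMPLE-ADV-0001")],
    "otherlib": [("0.8.5", "EXAMPLE-ADV-0002")],   # already fixed in 0.9.0
}


def build_sbom(packages):
    """Produce a CycloneDX-shaped document. Every component carries a
    package URL (purl) so downstream tools can identify it unambiguously."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": "pkg:%s/%s@%s" % (eco, name, version),
            }
            for eco, name, version in packages
        ],
    }


def parse_version(version):
    """Plain dotted-integer ordering; assumption: no pre-release suffixes."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Parse an SBOM handed to us and return (name, version) pairs,
    refusing documents that do not claim to be CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_advisories(components, advisories):
    """Cross the inventory with the advisory feed; one finding per hit."""
    findings = []
    for name, version in components:
        for fixed_in, advisory in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"name": name, "version": version,
                                 "fixed_in": fixed_in, "advisory": advisory})
    return findings


def audit(packages=SAMPLE_PACKAGES, advisories=SAMPLE_ADVISORIES):
    """Round trip: produce the SBOM as JSON (what you would hand over),
    read it back as the consumer would, and report affected components."""
    sbom_json = json.dumps(build_sbom(packages), indent=2)
    return match_advisories(load_components(sbom_json), advisories)


if __name__ == "__main__":
    for f in audit():
        print("%s %s: %s (fixed in %s)"
              % (f["name"], f["version"], f["advisory"], f["fixed_in"]))
```

With the sample data, only examplelib 2.3.1 is reported: otherlib is already past its fixed version and cleanlib has no advisory. The point of the round trip is that the consumer never needs access to the build system; the SBOM alone is enough to answer “are we affected?”.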

Another method to find security issues is fuzzing. Google has announced on their security blog (heise.de) that they will be paying a bounty (of $11,337, of course) to open source projects that use their OSS-Fuzz framework to fuzz their code and find issues. Google also says that OSS-Fuzz has gained new sanitizers that detect classes of bugs beyond memory corruption, for example shell command injection, instead of only the memory errors that AddressSanitizer reports.
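What “a sanitizer for a non-memory bug” means in practice is easiest to see in miniature. The following is an added example, not from the article and not Google’s OSS-Fuzz code: a tiny mutation fuzzer whose oracle looks for shell command injection instead of a crash. The oracle is a simplified stand-in: it lexes the command line the program is about to run the way sh would, rather than watching a shell actually spawn. The target function, its hardened twin, the seed input and the alphabet are constructed for illustration, and all names are hypothetical.

```python
"""Added example (not from the article, not OSS-Fuzz code): a mutation
fuzzer with a command-injection oracle in place of a memory sanitizer.
Target, hardened twin and seed are constructed; names are hypothetical."""
import random
import shlex
import string

# Characters sh interprets as syntax when they appear unquoted.
UNQUOTED_META = set(";|&()<>`$\n")


def build_archive_command(filename):
    """Constructed target under test: glues untrusted input into a
    command line. This is the bug class the oracle should catch."""
    return "tar czf backup.tgz " + filename


def build_archive_command_fixed(filename):
    """Hardened twin: quote the argument and end option parsing with '--'
    so a name like '--checkpoint-action=...' cannot become a tar option."""
    return "tar czf backup.tgz -- " + shlex.quote(filename)


def scan_shell_command(command):
    """Minimal model of POSIX shell lexing. Returns (words, meta), where meta
    lists metacharacters that are neither quoted nor backslash-escaped, i.e.
    ones sh would act on. Inside double quotes $ and ` still expand."""
    words, meta, cur = [], [], []
    in_word, quote, escaped = False, None, False
    for ch in command:
        if escaped:
            cur.append(ch)
            in_word, escaped = True, False
        elif quote == "'":
            if ch == "'":
                quote = None
            else:
                cur.append(ch)
        elif quote == '"':
            if ch == '"':
                quote = None
            elif ch == "\\":
                escaped = True
            else:
                if ch in "$`":
                    meta.append(ch)
                cur.append(ch)
        elif ch == "\\":
            escaped, in_word = True, True
        elif ch in "'\"":
            quote, in_word = ch, True
        elif ch in UNQUOTED_META or ch.isspace():
            if ch in UNQUOTED_META:
                meta.append(ch)
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
    if quote is not None:
        meta.append("unterminated " + quote)   # sh would reject the line
    if in_word:
        words.append("".join(cur))
    return words, meta


def injection_oracle(command, expected_words):
    """The 'sanitizer': a bug description, or None when the command is clean."""
    words, meta = scan_shell_command(command)
    if meta:
        return "command injection: %r reaches sh unquoted" % (meta,)
    if len(words) > expected_words:
        return "argument injection: extra words %r" % (words[expected_words:],)
    return None


ALPHABET = string.ascii_letters + string.digits + " ._-;|&$`'\"()<>\n"


def mutate(rng, s):
    """One random edit: insert, replace or delete a character."""
    op = rng.randrange(3)
    if op == 0 or not s:
        pos = rng.randrange(len(s) + 1)
        return s[:pos] + rng.choice(ALPHABET) + s[pos:]
    pos = rng.randrange(len(s))
    if op == 1:
        return s[:pos] + rng.choice(ALPHABET) + s[pos + 1:]
    return s[:pos] + s[pos + 1:]


def fuzz(target, expected_words, seed="report.txt", iterations=2000, rng_seed=1):
    """Mutate the seed, build the command, ask the oracle. Returns the first
    finding, or None when the budget runs out without one."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    for i in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        reason = injection_oracle(target(candidate), expected_words)
        if reason:
            return {"iteration": i, "input": candidate, "reason": reason}
        if len(corpus) < 64:        # keep inputs around so edits accumulate
            corpus.append(candidate)
    return None


if __name__ == "__main__":
    print("vulnerable:", fuzz(build_archive_command, 4))
    print("hardened:  ", fuzz(build_archive_command_fixed, 5))
```

Neither function ever dereferences a bad pointer, so AddressSanitizer would stay silent on both; the injection oracle flags the vulnerable one within a handful of iterations and stays quiet on the hardened one over the whole budget. The `expected_words` argument (3 fixed words plus one filename for the vulnerable version, 4 plus one for the hardened one) is what lets the oracle also catch argument injection, which plain quoting alone would not prevent.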

Of course, closed source software has been carrying security issues since its inception, too. Just recently, golem.de reported on security issues in Slack and Teams.

Rust receives funding to be more secure, will come to the kernel for sure

Rust is considered a good choice for writing memory-safe code, but there are plenty of other ways software can be unsafe (logic errors, code inside `unsafe` blocks, and the dependencies pulled in from crates.io, to name three). The Rust Foundation has now created a team to improve the security of the language and its ecosystem (heise.de) and has received $460,000 from the OpenSSF (Open Source Security Foundation, part of the Linux Foundation) to do so. This is part of OpenSSF’s Alpha-Omega Project, which intends to give out $1.5M in grants for this purpose.

Rust is interesting not just as a language, but also for its very effective governance model.

Also, initial Rust support is going into Linux 6.1. And of course, the CTO of Microsoft Azure tweeted that developers should stop using C/C++ for new projects and move to Rust instead.

NASA smashes spacecraft into Asteroid

All true nerds will have heard this, but I can’t leave it out. NASA crashed their DART spacecraft into the asteroid Dimorphos (heise.de). This is an effort to build the capability to actually deflect dangerous asteroids. You know, like in the movie Armageddon.

heise.de featured a good interview with a researcher from DLR on the topic.

Wifi 7

Intel and Broadcom demoed a 5 Gbit/s link over Wifi 7 (heise.de, intel.com).

What’s Wifi 7? Some bullets:

  • It advertises higher speeds, lower latency, improved reliability… everything better. The lower latency is however worth highlighting.
  • Up to 320 MHz wide channels in the unlicensed 6 GHz band, twice the 160 MHz of Wifi 6E
  • Higher-order 4096-QAM (“4K QAM”) modulation, i.e. 12 bits per symbol instead of the 10 bits of the 1024-QAM used by Wifi 6
  • Multi-link operation (MLO): use multiple bands simultaneously, either for throughput or to move traffic to whichever band is less congested

USB 4

More data rate is also coming with USB4 Version 2.0. USB4 uses USB-C connectors (USB numbering is terribly confusing) and will be able to transfer up to 120 Gbit/s in one direction by assigning the data lanes asymmetrically, leaving 40 Gbit/s for the other direction. The regular, symmetric mode should reach up to 80 Gbit/s. heise.de reports some internals: to increase the rate, PAM3 (pulse amplitude modulation with three signal levels) replaces the previous two-level signalling, combined with higher clock rates. USB4 Version 2.0 remains backward compatible all the way down to USB 2.0, as well as with DisplayPort.

OpenCoDE

In my series on what the German government does (poorly): they created a Gitlab-based, government-owned place to publish Open Source code coming out of government, called OpenCoDE. Sounds good? Well, in principle it is. But just throwing source code over the wall is the smallest and easiest part of becoming involved in free software; maintaining it, accepting contributions and building a community around it is the rest. As so often, heise.de has an article summarizing the criticisms.

Personally, I think a small step in the right direction is better than no small step, although I agree there’s still lots left to be done.

Chips, Chips, Chips

This month, chips were announced en masse. Intel announced the Core i9-13900K and, for 2023, the i9-13900KS, both 24-core CPUs (8 performance plus 16 efficiency cores), the latter able to clock at 6 GHz. There are also substantial rumours about an upcoming 34-core CPU with eight DDR5 memory controllers. The trend remains to serve servers and workstations, not so much desktops.

AMD also announced a bunch of chips, but there was nothing that stood out so much that it’s worth repeating.

We need more engineers, we need more women in engineering

The German IT and telecommunications association Bitkom has stated, quite strongly, in a recent press release that they don’t trust the German education system to train and motivate women for STEM jobs (my words, not theirs), and requests that schools teach computer science from 7th grade onwards (in Germany, that means students will be around 13 years old). heise.de further reports that countries with higher gender equality tend to show a larger gender gap when it comes to STEM jobs.

According to the same press release, there are 96,000 open STEM jobs to be filled in Germany alone. And from my work in various Open Source projects I can definitely say that even if we don’t always do a good job creating more diverse and equal communities, those more diverse communities are always better off for it.

One thing that would certainly help is to make it really easy to get childcare from 9 to 5. Germany, I’m looking at you. What certainly doesn’t help is to ban “Girls Who Code”, if that’s actually what happened at schools in Pennsylvania.

Random News

  • Linux Foundation Europe has been created! Website: https://linuxfoundation.eu/, press release. On the face of it the LFE has the same goals as the LF, but with a less US-centric membership portfolio.
  • Google is an excellent example of how to use Open Source as an offensive tool to mess up their competition. This sounds like another chapter from the same playbook: they are planning to create open-source alternatives to Dolby’s 3D audio and HDR video formats (via golem.de).
  • Debian will allow non-free firmware in the installer image (lwn.net). I think this is sensible and good news, even though it dilutes the openness of the Debian OS. The thing is, firmware is closer to hardware, which has rarely been open either.