An anonymous reader quotes a report from Android Authority: No matter the manufacturer, every Android phone has one thing in common: its software base. Manufacturers can heavily customize the look and feel of the Android OS they ship on their Android devices, but under the hood, the core system functionality is derived from the same open-source foundation: the Android Open Source Project. After over 16 years, Google is making big changes to how it develops the open source version of Android in an effort to streamline its development. [...] Beginning next week, all Android development will occur within Google's internal branches, and the source code for changes will only be released when Google publishes a new branch containing those changes. As this is already the practice for most Android component changes, Google is simply consolidating its development efforts into a single branch.

This change will have minimal impact on regular users. While it streamlines Android OS development for Google, potentially affecting the speed of new version development and bug reduction, the overall effect will likely be imperceptible. Therefore, don't expect this change to accelerate OS updates for your phone. This change will also have minimal impact on most developers. App developers are unaffected, as it pertains only to platform development. Platform developers, including those who build custom ROMs, will largely also see little change, since they typically base their work on specific tags or release branches, not the main AOSP branch. Similarly, companies that release forked AOSP products rarely use the main AOSP branch due to its inherent instability.

External developers who enjoy reading or contributing to AOSP will likely be dismayed by this news, as it reduces their insight into Google's development efforts. Without a GMS license, contributing to Android OS development becomes more challenging, as the available code will consistently lag behind by weeks or months. This news will also make it more challenging for some developers to keep up with new Android platform changes, as they'll no longer be able to track changes in AOSP. For reporters, this change means less access to potentially revealing information, as AOSP patches often provide insights into Google's development plans. [...] Google will share more details about this change when it announces it later this week. If you're interested in learning more, be sure to keep an eye out for the announcement and new documentation on source.android.com. Android Authority's Mishaal Rahman says Google is "committed to publishing Android's source code, so this change doesn't mean that Android is becoming closed-source."

"What will change is the frequency of public source code releases for specific Android components," says Rahman. "Some components like the build system, update engine, Bluetooth stack, Virtualization framework, and SELinux configuration are currently AOSP-first, meaning they're developed fully in public. Most Android components like the core OS framework are primarily developed internally, although some features, such as the unlocked-only storage area API, are still developed within AOSP."

An anonymous reader quotes a report from Ars Technica: Software developer Xe Iaso reached a breaking point earlier this year when aggressive AI crawler traffic from Amazon overwhelmed their Git repository service, repeatedly causing instability and downtime. Despite configuring standard defensive measures -- adjusting robots.txt, blocking known crawler user-agents, and filtering suspicious traffic -- Iaso found that AI crawlers continued evading all attempts to stop them, spoofing user-agents and cycling through residential IP addresses as proxies. Desperate for a solution, Iaso eventually resorted to moving their server behind a VPN and creating "Anubis," a custom-built proof-of-work challenge system that forces web browsers to solve computational puzzles before accessing the site. "It's futile to block AI crawler bots because they lie, change their user agent, use residential IP addresses as proxies, and more," Iaso wrote in a blog post titled "a desperate cry for help." "I don't want to have to close off my Gitea server to the public, but I will if I have to."

Iaso's story highlights a broader crisis rapidly spreading across the open source community, as what appear to be aggressive AI crawlers increasingly overload community-maintained infrastructure, causing what amounts to persistent distributed denial-of-service (DDoS) attacks on vital public resources. According to a comprehensive recent report from LibreNews, some open source projects now see as much as 97 percent of their traffic originating from AI companies' bots, dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.

Kevin Fenzi, a member of the Fedora Pagure project's sysadmin team, reported on his blog that the project had to block all traffic from Brazil after repeated attempts to mitigate bot traffic failed. GNOME GitLab implemented Iaso's "Anubis" system, requiring browsers to solve computational puzzles before accessing content. GNOME sysadmin Bart Piotrowski shared on Mastodon that only about 3.2 percent of requests (2,690 out of 84,056) passed their challenge system, suggesting the vast majority of traffic was automated. KDE's GitLab infrastructure was temporarily knocked offline by crawler traffic originating from Alibaba IP ranges, according to LibreNews, citing a KDE Development chat. While Anubis has proven effective at filtering out bot traffic, it comes with drawbacks for legitimate users. When many people access the same link simultaneously -- such as when a GitLab link is shared in a chat room -- site visitors can face significant delays. Some mobile users have reported waiting up to two minutes for the proof-of-work challenge to complete, according to the news outlet.

FaunaDB, a serverless database combining relational and document features, will shut down by the end of May due to unsustainable capital demands. The company plans to open source its core technology, including its FQL query language, in hopes of continuing its legacy within the developer community. The Register reports: The startup pocketed $27 million in VC funding in 2020 and boasted that 25,000 developers worldwide were using its serverless database. However, last week, FaunaDB announced that it would sunset its database services. FaunaDB said it plans to release an open-source version of its core database technology. The system stores data in JSON documents but retains relational features like consistency, support for joins and foreign keys, and full schema enforcement. Fauna's query language, FQL, will also be made available to the open-source community. "Driving broad based adoption of a new operational database that runs as a service globally is very capital intensive. In the current market environment, our board and investors have determined that it is not possible to raise the capital needed to achieve that goal independently," the leadership team said.

"While we will no longer be accepting new customers, existing Fauna customers will experience no immediate change. We will gradually transition customers off Fauna and are committed to ensuring a smooth process over the next several months," it added.

"There's no shortage of videos showing Steam running on expensive ARM single-board computers with discrete GPUs," writes Slashdot reader VennStone. "So I thought it would be worthwhile to make a guide for doing it on (relatively) inexpensive RK3588-powered single-board computers, using Box86/64 and Armbian." The guides I came across were out of date, had a bunch of extra steps thrown in, or were outright incorrect... Up first, we need to add the Box86 and Box64 ARM repositories [along with dependencies, ARMHF architecture, and the Mesa graphics driver]...
The guide closes with a multi-line script and advice to "Just close your eyes and run this. It's not pretty, but it will download the Steam Debian package, extract the needed bits, and set up a launch script." (And then the final step is sudo reboot now.)

"At this point, all you have to do is open a terminal, type 'steam', and tap Enter. You'll have about five minutes to wait... Check out the video to see how some of the tested games perform." At 720p, performance is all over the place, but the games I tested typically managed to stay above 30 FPS. This is better than I was expecting from a four-year-old SOC emulating x86 titles under ARM.

Is this a practical way to play your Steam games? Nope, not even a little bit. For now, this is merely an exercise in ludicrous neatness. Things might get a wee bit better, considering Collabora is working on upstream support for RK3588 and Valve is up to something ARM-related, but ya know, "Valve Time"...
"You might be tempted to enable Steam Play for your Windows games, but don't waste your time. I mean, you can try, but it ain't gonna work."

Two "groundbreaking research reports" on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."

"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)

"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation reserach executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."

This week the Free Software Foundation published memorabilia items for an online silent auction — part of their big 40th anniversary celebration. "Starting March 17, the FSF will unlock items each day for bidding on the LibrePlanet wiki at 12:00 EDT.. Bidding on all items will conclude at 15:00 EDT on March 21, 2025...

"During the auction, the FSF welcomes everyone who supports user freedom to bid on historical and symbolic free software memorabilia," they annouced this week: The auction is split into two parts: a silent auction hosted on the LibrePlanet wiki from March 17 through March 21 and a live auction held on the FSF's Galène videoconferencing server on March 23 from 14:00-17:00. The auction is only the opening act to a months-long itinerary celebrating forty years of free software activism...

Executive director Zoë Kooyman adds: "These items are valuable pieces of FSF history, and some of them are emblematic of the free software movement. We want to entrust these memorabilia in the hands of the free software community for preservation and would love to see some of these items displayed in exhibitions." All in all, there are twenty-five pieces that are either directly part of the FSF's history and/or representative of the free software movement that will be available in the silent auction.

Winning bidders can rest assured that all proceeds from this auction will go towards the FSF's continued work to promote computer user freedom worldwide.
Silent auction items include:

• A print of the famous Gnu-with-Tux-as-superheroes poster signed by Richard Stallman and artist Lissanne Lake. Bids start at $300...

• A mid-1980s VT220 terminal that "still works, and can be connected to your favorite free machine over the serial interface... This is the same terminal that was on the FSF reception desk for some time, introducing visitors to ASCII art, NetHack, and other free software lore." Bids start at $250... (with estimate shipping costs of $100)

• An Amiga 3000UX donated to the GNU project "sometime in 1990." While it now has a damaged battery, "FSF staff programmers used it at MIT to help further some early development of the GNU operating system." Starting bid: $300 (with estimated shipping costs of $400).

• "A variety of plush animals that had greeted visitors at its former offices in Boston on 51 Franklin Street..."

"The most notable items have been reserved for the live auction on Sunday, March 23," they note — including the Internet Hall of Fame medal awarded to FSF founder Richard Stallman in 2013 "as ultimate recognition of free software's immense impact on the development and advancement of the Internet."

"The number of discrete GPU developers from the U.S. and Western Europe shrank to three companies in 2025," notes Tom's Hardware, "from around 10 in 2000." (Nvidia, AMD, and Intel...) No company in the recent years — at least outside of China — was bold enough to engage into competition against these three contenders, so the very emergence of Bolt Graphics seems like a breakthrough. However, the major focuses of Bolt's Zeus are high-quality rendering for movie and scientific industries as well as high-performance supercomputer simulations. If Zeus delivers on its promises, it could establish itself as a serious alternative for scientific computing, path tracing, and offline rendering. But without strong software support, it risks struggling against dominant market leaders.
This week the Sunnyvale, California-based startup introduced its Zeus GPU platform designed for gaming, rendering, and supercomputer simulations, according to the article. "The company says that its Zeus GPU not only supports features like upgradeable memory and built-in Ethernet interfaces, but it can also beat Nvidia's GeForce RTX 5090 by around 10 times in path tracing workloads, according to slide published by technology news site ServeTheHome." There is one catch: Zeus can only beat the RTX 5090 GPU in path tracing and FP64 compute workloads. It's not clear how well it will handle traditional rendering techniques, as that was less of a focus. In speaking with Bolt Graphics, the card does support rasterization, but there was less emphasis on that aspect of the GPU, and it may struggle to compete with the best graphics cards when it comes to gaming. And when it comes to data center options like Nvidia's Blackwell B200, it's an entirely different matter.

Unlike GPUs from AMD, Intel, and Nvidia that rely on proprietary instruction set architectures, Bolt's Zeus relies on the open-source RISC-V ISA, according to the published slides. The Zeus core relies on an open-source out-of-order general-purpose RVA23 scalar core mated with FP64 ALUs and the RVV 1.0 (RISC-V Vector Extension Version 1.0) that can handle 8-bit, 16-bit, 32-bit, and 64-bit data types as well as Bolt's additional proprietary extensions designed for acceleration of scientific workloads... Like many processors these days, Zeus relies on a multi-chiplet design... Unlike high-end GPUs that prioritize bandwidth, Bolt is evidently focusing on greater memory size to handle larger datasets for rendering and simulations. Also, built-in 400GbE and 800GbE ports to enable faster data transfer across networked GPUs indicates the data center focus of Zeus.

High-quality rendering, real-time path tracing, and compute are key focus areas for Zeus. As a result, even the entry-level Zeus 1c26-32 offers significantly higher FP64 compute performance than Nvidia's GeForce RTX 5090 — up to 5 TFLOPS vs. 1.6 TFLOPS — and considerably higher path tracing performance: 77 Gigarays vs. 32 Gigarays. Zeus also features a larger on-chip cache than Nvidia's flagship — up to 128MB vs. 96MB — and lower power consumption of 120W vs. 575W, making it more efficient for simulations, path tracing, and offline rendering. However, the RTX 5090 dominates in AI workloads with its 105 FP16 TFLOPS and 1,637 INT8 TFLOPS compared to the 10 FP16 TFLOPS and 614 INT8 TFLOPS offered by a single-chiplet Zeus...
The article emphasizes that Zeus "is only running in simulation right now... Bolt Graphics says that the first developer kits will be available in late 2025, with full production set for late 2026."

Thanks to long-time Slashdot reader arvn for sharing the news.

Slashdot reader rikfarrow summarizes an article they wrote for Usenix.org about the Open Source Python compiler Codon: In 2023 I tried out Codon. At the time I had difficulty compiling the scripts I most commonly used, but was excited by the prospect. Python is essentially single threaded and checks the shape (type) of each variable as it interprets scripts. Codon fixes types and compiles Python into compact, executable binaries that execute much faster.

Several things have changed with their latest release: I have successful compiles, the committers have added a compiled version of NumPy (high performance math algorithms), and changed their open source license to Apache 2.
"The other big news is that Exaloop, the company that is behind Codon, has changed their license to Apache 2..." according to the article, so "commercial use and derivations of Codon are now permitted without licensing."

"Why can't we each have our own AI software that runs locally," asks long-time Slashdot reader BrendaEM — and that doesn't steal the work of others.

Imagine a powerful-but-locally-hosted LLM that "doesn't spy... and no one else owns it." We download it, from souce-code if you like, install it, if we want. And it assists: us... No one gate-keeps it. It's not out to get us...

And this is important: because no one owns it, the AI software is ours and leaks no data anywhere — to no one, no company, for no political nor financial purpose. No one profits — but you!
Their longer original submission also asks a series of related questions — like why can't we have software without AI? (Along with "Why is AMD stamping AI on local-processors?" and "Should AI be crowned the ultimate hype?") But this question seems to be at the heart of their concern. "What future will anyone have if anything they really wanted to do — could be mimicked and sold by the ill-gotten work of others...?"

"Could local, open-source, AI software be the only answer to dishearten billionaire companies from taking and selling back to their customers — everything we have done? Could we not...instead — steal their dream?!"

Share your own thoughts and answers in the comments. Where are the open-source, local-only AI solutions?

Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)

This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.
That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.
In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:

• Pale Moon
• Basilisk
• Waterfox
• Falkon
• SeaMonkey
• Various Firefox ESR flavors
• Thorium (on some systems)
• Ungoogled Chromium
• K-Meleon
• LibreWolf
• MyPal 68
• Otter browser

Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."

Google says its new open-source AI model, Gemma 3, achieves nearly the same performance as DeepSeek AI's R1 while using just one Nvidia H100 GPU, compared to an estimated 32 for R1. ZDNet reports: Using "Elo" scores, a common measurement system used to rank chess and athletes, Google claims Gemma 3 comes within 98% of the score of DeepSeek's R1, 1338 versus 1363 for R1. That means R1 is superior to Gemma 3. However, based on Google's estimate, the search giant claims that it would take 32 of Nvidia's mainstream "H100" GPU chips to achieve R1's score, whereas Gemma 3 uses only one H100 GPU.

Google's balance of compute and Elo score is a "sweet spot," the company claims. In a blog post, Google bills the new program as "the most capable model you can run on a single GPU or TPU," referring to the company's custom AI chip, the "tensor processing unit." "Gemma 3 delivers state-of-the-art performance for its size, outperforming Llama-405B, DeepSeek-V3, and o3-mini in preliminary human preference evaluations on LMArena's leaderboard," the blog post relates, referring to the Elo scores. "This helps you to create engaging user experiences that can fit on a single GPU or TPU host."

Google's model also tops Meta's Llama 3's Elo score, which it estimates would require 16 GPUs. (Note that the numbers of H100 chips used by the competition are Google's estimate; DeepSeek AI has only disclosed an example of using 1,814 of Nvidia's less-powerful H800 GPUs to server answers with R1.) More detailed information is provided in a developer blog post on HuggingFace, where the Gemma 3 repository is offered.

Red Hat product manager Pau Garcia Quiles (also long-time Slashdot reader paugq) spotted an interesting project on GitHub: Free95, a new lean, Windows-compatible operating system is available from GitHub. In its current form, it can run very basic Win32 GUI and console applications, but its developer promises to keep working on it to reach DirectX and even game compatibility.
"Free95 is your friendly Windows Environment with an added trust of the open source community," according to its README file. (It's licensed under the GPL-3.0 license.) And in answer to the question "Why?" it responds "To remove Windows's bloat, and security problems. Being controlled by a large corporation is unsettling."

"It's still in-development of course," the developer post recently on Reddit, "and I'll appreciate anyone who'd like to contribute." In one comment they claim Free95 is "much more lightweight, simpler and faster than ReactOS." And looking to the future, they add "I might do DirectX stuff and make some games run. Or, what about DOOM?"

This week the Free Software Foundation "backed a lone developer's brave effort to overturn a pivotal court ruling that threatens to undermine the AGPLv3 — the foundation's GNU Affero General Public License, version 3," reports the Register.

"At stake is the future of not just the AGPLv3, but the FSF's widely used GNU Public License it is largely based on, and the software covered by those agreements." A core tenet of the GPL series is that free software remains free forever, and this is woven into the licenses' fine print. This ongoing legal battle is a matter of whether people can alter those licenses and redistribute code as they see fit in a non-free way, or if they must stick to the terms of an agreement that says the terms cannot be changed... If the Ninth Circuit upholds the [original district court] ruling, it's likely to create a binding precedent that would limit one of the major freedoms that AGPLv3 and other GPL licenses aim to protect — the ability to remove restrictions added to GPL licensed code.
"Neo4j appended an additional nonfree commercial restriction, the Commons Clause, to a verbatim version of the GNU AGPLv3 in a version of its software..." according to an FSF announcement this week. "The FSF's position on such confusing licensing practices has always been clear: the GNU licenses explicitly allow users to remove restrictions incompatible with the four freedoms." (You can read their amicus brief here.)

Thanks to Slashdot reader jms00 for sharing the news.

The Open Source Initiative's Board of Directors election "has become embroiled in controversy..." writes Steven J. Vaughan-Nichols at The New Stack.

"The real issue is the community's opposition to the open source AI definition (OSAID), which the organization released last October," he adds — but "the election process has been criticized because the OSI has refused to accept the candidacy of Debian developer Luke Faraone, citing a missed application deadline." Faraone claims they submitted their application around 9 p.m. PST on Feb. 17, while the OSI maintains the deadline was 11:59 p.m. UTC (3:59 p.m. PST) on the same day.

The dispute has raised a firestorm about the clarity of communication regarding deadlines and time zones. Critics argue that the deadline's time zone was not clearly specified on the OSI's public-facing website. Tracy Hinds, chair of OSI, acknowledged this oversight but stated that full members received multiple emails with the correct time zone information. "Everyone who is qualified to run for elections (full members of OSI) received emails with the time zone," wrote Hinds, in an email to The New Stack. "The public-facing web page did not have the time zone, and we've now updated it for clarity going forward.

"Extending the deadline would be unfair to the other candidates...."

On LinkedIn, Bruce Perens, one of the OSI's founders wrote, "Open Source Initiative invents rule at the last minute to deny opposition candidate's nomination for their board election."
There are three board sets up for election in March, the article points out. "Two well-known figures in the open source world — Richard Fontana, Red Hat's principal commercial counsel and a former OSI board member, and [Bradley] Kuhn, policy fellow and hacker-in-residence at the Software Freedom Conservancy — are running on a joint platform of repealing the open source AI definition."

In a blog post Faraone promised a similar platform (also supporting a repeal of the definition) — had their candidacy not been rejected.

Equuleus42 (Slashdot reader #723) brings word that the Electronic Frontier Foundation (EFF) is sharing a new tool for fighting back against cellphone surveillance by Stingray cell-site simulators.

Android Authority reports: "Rayhunter" uses an open-source software package designed to look for evidence of IMSI catchers in action, running on an old Orbic Speed RC400L mobile hotspot. The great thing about that choice is that you can pick one up for practically nothing — we're seeing them listed for barely over $10 on Amazon, and you can find them even cheaper on eBay. There's an installation script for Macs and Linux to automate getting set up, but once the Orbic is flashed with the Rayhunter software, it should be ready go, collecting data about sketchy-looking "cell towers" it picks up.

Right now, much of the use of IMSI catchers is still shrouded in mystery, with the groups who regularly employ them extremely hesitant to disclose their methods. As a result, a big focus of this EFF project is just getting more info on how and where these are actually used, giving protestors a better sense of the steps they'll need to take if they want to protect their privacy.

AmiMoJo writes: China plans to issue guidance to encourage the use of open-source RISC-V chips nationwide for the first time, Reuters reports, citing two sources briefed on the matter, as Beijing accelerates efforts to curb the country's dependence on Western-owned technology.

The policy guidance on boosting the use of RISC-V chips could be released as soon as this month, although the final date could change, the sources said. It is being drafted jointly by eight government bodies, including the Cyberspace Administration of China, China's Ministry of Industry and Information Technology, the Ministry of Science and Technology, and the China National Intellectual Property Administration, they added.

It's a feature-length film "rendered on a free and open-source software platform called Blender," reports Reuters. And it just won the Oscar for best animated feature film, beating movies from major studios like Disney/Pixar and Dreamworks.

In January Blender.org called Flow "the manifestation of Blender's mission, where a small, independent team with a limited budget is able to create a story that moves audiences worldwide, and achieve recognition with over 60 awards, including a Golden Globe for Best Animation and two Oscar nominations." The entire project cost just $3.7 million, reports NPR — though writer/director Gints Zilbalodis tells Blender.org that it took about five and a half years.

"I think a certain level of naivety is necessary when starting a project," Zilbalodis tells Blender. "If I had known how difficult it would be, I might never have started. But because I didn't fully grasp the challenges ahead, I just dove in and figured things out along the way..." Zilbalodis: [A]fter making a few shorts, I realized that I'm not good at drawing, and I switched to 3D because I could model things, and move the camera... After finishing my first feature Away, I decided to switch to Blender [from Maya] in 2019, mainly because of EEVEE... It took a while to learn some of the stuff, but it was actually pretty straightforward. Many of the animators in Flow took less than a week to switch to Blender...

I've never worked in a big studio, so I don't really know exactly how they operate. But I think that if you're working on a smaller indie-scale project, you shouldn't try to copy what big studios do. Instead, you should develop a workflow that best suits you and your smaller team.
You can get a glimpse of their animation style in Flow's official trailer.

NPR says that ultimately Flow's images "possess a kinetic elegance. They have the alluring immersiveness of a video game..."

Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org: Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.

The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN

The Ninth Circuit Court of Appeals is set to review a California district court's ruling in Neo4j v. PureThink, which upheld Neo4j's right to modify the GNU AGPLv3 with additional binding terms. If the appellate court affirms this decision, it could set a precedent allowing licensors to impose unremovable restrictions on open-source software, potentially undermining the enforceability of GPL-based licenses and threatening the integrity of the open-source ecosystem. The Register reports: The GNU AGPLv3 is a free and open source software (FOSS) license largely based on the GNU GPLv3, both of which are published by the Free Software Foundation (FSF). Neo4j provided database software under the AGPLv3, then tweaked the license, leading to legal battles over forks of the software. The AGPLv3 includes language that says any added restrictions or requirements are removable, meaning someone could just file off Neo4j's changes to the usage and distribution license, reverting it back to the standard AGPLv3, which the biz has argued and successfully fought against in that California district court.

Now the matter, the validity of that modified FOSS license, is before an appeals court in the USA. "I don't think the community realizes that if the Ninth Circuit upholds the lower court's ruling, it won't just kill GPLv3," PureThink's John Mark Suhy told The Register. "It will create a dangerous legal precedent that could be used to undermine all open-source licenses, allowing licensors to impose unexpected restrictions and fundamentally eroding the trust that makes open source possible."

Perhaps equally concerning is the fact that Suhy, founder and CTO of PureThink and iGov (the two firms sued by Neo4j), and presently CTO of IT consultancy Greystones Group, is defending GPL licenses on his own, pro se, without the help of the FSF, founded by Richard Stallman, creator of the GNU General Public License. "I'm actually doing everything pro se because I used up all my savings to fight it in the lower court," said Suhy. "I'm surprised the Free Software Foundation didn't care too much about it. They always had an excuse about not having the money for it. Luckily the Software Freedom Conservancy came in and helped out there."

EA has released the source code for several classic Command & Conquer games, including Tiberian Dawn, Red Alert, Renegade, and Generals & Zero Hour. "They're being released under the GPL license, meaning folks can mix, match, and redistribute them to their hearts' content without EA lawyers smashing down the door," adds PC Gamer. Additionally, Steam Workshop support has been added for multiple C&C titles, along with updated mission editor tools and a modding support pack. From the report: As for the Steam Workshop? That's getting switched on for C&C Renegade, C&C Generals and Zero Hour, C&C 3 Tiberium Wars and Kane's Wrath, and C&C 4 Tiberium Twilight (they can't all be winners). EA's also gone and "updated all the Mission Editor and World Builder tools so you can publish maps directly to the Steam Workshop." Plus, it's putting out a modding support pack that "contains the source Xml, Schema, Script, Shader and Map files for all the games that use the SAGE engine."

Per C&C producer Jim Vessella, EA commissioned C&C community veteran Luke 'CCHyper' Feenan to officially research improvements to many of the games in the Ultimate Collection," and this is the fruit of his labor.