Open Source

LibreOffice 6.2 Brings New Interfaces, Performance Improvements To the Open Source Office Suite (techrepublic.com) 153

An anonymous reader shares a report: New interface styles and feature improvements are available in version 6.2 of LibreOffice -- the most popular open-source office suite -- released Thursday by The Document Foundation. As with any software update, bug fixes and feature enhancements are present, making this release a significant upgrade, particularly for users coming from Microsoft Office, or working with files created with those programs. LibreOffice now supports SVG-based icons for toolbars in the Breeze, Colibre, and Elementary icon sets as an experimental feature, to better support HiDPI displays increasingly found in notebook PCs. The Elementary icon set was also improved significantly, adding a 32px PNG version, and fixing inconsistencies between the 16, 24, and 32px versions, as well as adding more icons across the set to prevent reverting to defaults. In LibreOffice 6.2, the "Tabbed" interface is now available for Writer, Calc, Impress, and Draw, and is considered sufficiently stable to be a default option. This interface mimics the oft-maligned "Ribbon interface" in Office 2007. The "traditional" Office-style toolbar is default, though the Tabbed interface can be enabled through the "View > User Interface" menus.
Security

Linux Kernel Gets Another Option To Disable Spectre Mitigations (zdnet.com) 50

Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack. Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections. A report adds: Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations. The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations.

[...] The latest effort to have mitigations turned off -- and stay down -- is the addition of the PR_SPEC_DISABLE_NOEXEC control bit to the Linux kernel. This bit will prevent child processes from starting in a state where the protections for Spectre v4 are still activated, despite being deactivated in the parent process.

Bug

Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure? (eweek.com) 48

"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries....

In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With the PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtedly redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.

Microsoft

Microsoft Acquires Another Open-Source Company, Citus Data (cnbc.com) 44

Microsoft on Thursday said that it's acquiring Citus Data, a start-up that has commercialized open-source database software called PostgreSQL. Terms of the deal weren't disclosed. From a report: The deal could help Microsoft make its argument that it supports open-source technologies, particularly in the cloud, while continuing to make money from popular proprietary software like Windows and Office. In the cloud business, Microsoft wants to use openness as a way to pick up business amid competition from Google, market leader Amazon and others. Currently, Citus Data's website advertises a version of its database software that's hosted on Amazon Web Services. Microsoft's blog post announcing the acquisition mentions the competing Azure cloud 10 times.
Open Source

GitHub Seeks Feedback on 'Open Source Sustainability' (github.blog) 87

Devon Zuegel, "a developer with a passion for governance and economics," recently became GitHub's open source product manager to "support maintainers in cultivating vital, productive communities" -- specifically open source software (OSS).

Thursday they put out a call for feedback from open source developers about their contribution hours, their projects, and especially their issues: As the OSS community has grown in scale and importance, the way we think about working together has to evolve, too. What works in a village or a town needs to evolve to serve a metropolis. Open source has grown from a small, academic sharing network to a giant, global web of dependencies. It now forms the backbone of the internet and technology in general. Just like any growing city, we have to coordinate the knowledge, infrastructure, and tools for the good of the whole community. OSS is an essential and special part of software development.

OSS has also been the heart of GitHub since the beginning. However, there is so much more we could do to support the people behind it. I have many ideas, but first I want to hear from you.

The essay argues OSS maintainers and contributors "don't have all the tools, support, and environment they need to succeed," including analytics, communication resources, recognition and "proportionate incentive to contribute time and money to creating and maintaining projects." (As well as deficiencies in both governance and mentorship.) And at the bottom of the blog post, there's a contact form.

"I want you to be part of the conversation and our roadmap. These challenges are nuanced, and they are unique to each project and community, so it's crucial that we have an open dialogue as we focus on helping you address them."
Red Hat Software

Red Hat Rejects MongoDB's 'Discriminatory' Server Side Public License (zdnet.com) 106

An anonymous reader quotes ZDNet: MongoDB is an open-source document NoSQL database with a problem. While very popular, cloud companies, such as Amazon Web Services (AWS), IBM Cloud, Scalegrid, and ObjectRocket have profited from it by offering it as a service while MongoDB Inc. hasn't been able to monetize it to the same degree. MongoDB's answer? Relicense the program under its new Server Side Public License (SSPL).

Open-source powerhouse Red Hat's reaction? Drop MongoDB from Red Hat Enterprise Linux 8. Red Hat's Technical and Community Outreach Program Manager Tom Callaway explained, in a note stating MongoDB is being removed from Fedora Linux, that "It is the belief of Fedora that the SSPL is intentionally crafted to be aggressively discriminatory towards a specific class of users." Debian Linux had already dropped MongoDB from its distribution....

The business point behind MongoDB's license change is to force cloud companies to use one of MongoDB's commercial cloud offerings. This hasn't worked either. AWS just launched DocumentDB, a database, which "is designed to be compatible with your existing MongoDB applications and tools," wrote AWS evangelist Jeff Barr.

Databases

AWS Launches Fully-Managed Document Database Service (zdnet.com) 59

An anonymous reader quotes a report from ZDNet: Amazon Web Services (AWS) has announced a fully-managed document database service, building the Amazon DocumentDB (with MongoDB compatibility) to support existing MongoDB workloads. The cloud giant said developers can use the same MongoDB application code, drivers, and tools as they currently do to run, manage, and scale workloads on Amazon DocumentDB. Amazon DocumentDB uses an SSD-based storage layer, with 6x replication across three separate Availability Zones. This means that Amazon DocumentDB can failover from a primary to a replica within 30 seconds, and supports MongoDB replica set emulation so applications can handle failover quickly. Each MongoDB database contains a set of collections -- similar to a relational database table -- with each collection containing a set of documents in BSON format. Amazon DocumentDB is compatible with version 3.6 of MongoDB and storage can be scaled from 10 GB up to 64 TB in increments of 10 GB. The new offering implements the MongoDB 3.6 API that allows customers to use their existing MongoDB drivers and tools with Amazon DocumentDB. In a separate report, TechCrunch's Frederic Lardinois says AWS is "giving open source the middle finger" by "taking the best open-source projects and re-using and re-branding them without always giving back to those communities."

"The wrinkle here is that MongoDB was one of the first companies that aimed to put a stop to this by re-licensing its open-source tools under a new license that explicitly stated that companies that wanted to do this had to buy a commercial license," Frederic writes. "Since then, others have followed."

"Imitation is the sincerest form of flattery, so it's not surprising that Amazon would try to capitalize on the popularity and momentum of MongoDB's document model," MongoDB CEO and president Dev Ittycheria told us. "However, developers are technically savvy enough to distinguish between the real thing and a poor imitation. MongoDB will continue to outperform any impersonations in the market."
Piracy

Sony Appears To Be Blocking Kodi On Its Recent Android TVs (androidpolice.com) 115

Several reports indicate that at least some of Sony's recent Android TVs are actively blocking Kodi, the open-source, cross-platform streaming and media player that allows you to access and play local, network, and remote content. Android Police reports: The official Kodi project Twitter account pointed out Sony's deficiency a couple of days ago, but reports on the Kodi forums of issues installing and running the app from the Play Store go even further back to last year. A handful of affected enthusiasts believe they have discovered the cause of the problem: Sony seems to be blocking the package ID for the app from being installed/run. Supporting this theory is the fact that recompiling the app from scratch with a different ID allows it to work.
Open Source

NSA To Release a Free Reverse Engineering Tool (zdnet.com) 61

The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. From a report: The software's name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can then be analyzed by humans. The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it's been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software. GHIDRA's existence was never a state secret, but the rest of the world learned about it in March 2017 when WikiLeaks published Vault7, a collection of internal documentation files that were allegedly stolen from the CIA's internal network. Those documents showed that the CIA was one of the agencies that had access to the tool.
Businesses

Eben Upton Remembers The Years Before the First Raspberry Pi (techrepublic.com) 106

Tech Republic re-visits the story of the earliest attempts to build the Raspberry Pi, and the dramatic launch of a quest "to rekindle the curiosity about computing in a generation immersed in technology but indifferent to how it worked." [T]he dominant computers -- games consoles and later tablets and smartphones -- no longer offered an invitation to create, but rather to consume. Eben Upton recalls a bonfire party in 2007 where an 11-year-old boy told him he wanted to be an electrical engineer, and his disappointment at realizing the boy didn't have access to a computer he could program on. "I said, 'Oh, what computer have you got?'. He said, 'I've got a Nintendo Wii'. And there was just that awful feeling about there being a kid who was excited, a kid who was showing concrete interest in our profession, and who didn't have access to a programmable computer, a computer of any sort. He just had a games console."

At this time Upton was working as a system-on-a-chip architect at chip designer Broadcom, and realized he had the skills to try to halt this drift away from computers that encouraged users to code.

Upton describes the Raspberry Pi as "a very conscious attempt" to bring back the easily programmable home computers that he remembered as a child in the 1980s -- and he was gratified at its success. "Even early on you started to see those pictures of kids lying on the living room floor, looking up at the TV with Raspberry Pi plugged into it, the same way we used to."

It was named "Pi" because it booted into a version of Python, and Raspberry because "There's a lot of fruit-named computer companies, and the 'blowing a raspberry' thing was also deliberate."

It's gone on to become the world's third best-selling general-purpose computer.
Transportation

Linux For Cars: Tesla Isn't The Only Automaker Running Linux Under the Hood (zdnet.com) 75

ZDNet reports that by 2020, "many, if not most, new cars will be running with Linux." While some companies, like Tesla, run their own homebrew Linux distros, most rely on Automotive Grade Linux (AGL). AGL is a collaborative cross-industry effort developing an open platform for connected cars with over 140 members... Its membership includes Audi, Ford, Honda, Mazda, Nissan, Mercedes, Suzuki, and the world's biggest automobile company: Toyota. Why? "Automakers are becoming software companies, and just like in the tech industry, they are realizing that open source is the way forward," said Dan Cauchy, AGL's executive director, in a statement.

Car companies know that while horsepower sells, customers also want smart infotainment systems, automated safe drive features, and, eventually, self-driving cars. Linux and open-source company can give them all of that. The AGL's goal is to develop an open-source, common platform for infotainment systems: The Unified Code Base (UCB). This is a Linux distribution and open-source software platform for car infotainment, telematics, and instrument cluster applications... The AGL's hope is that this will serve as a de facto industry standard. It's well on its way.

Yesterday Hyundai announced that they were also joining both the AGL effort and the Linux Foundation.
The Gimp

GIMP Developers Outline Plan For 2019 (gimp.org) 170

The GIMP developers on Wednesday published a blog post in which they look back at the year 2018 (release of GIMP 2.10) and outline the things that they intend to get around to this year. From the post: We expect to be shipping 2.10.x updates throughout 2019, starting with the version 2.10.10 currently expected in January/February. This version will feature faster layer groups rendering, smart colorization with the Bucket Fill tool, and various usability improvements. We are also planning the first unstable release of GIMP that will have version 2.99.2, eventually leading up to version 3.0. The prerequisite for releasing that version will be the completion of the space invasion. ZeMarmot project (which can be supported on Patreon or Tipeee) is also planning to focus a bit more on better canvas interactions, as well as animation support improvements, starting from merging existing work. On the GEGL and babl front, we expect to continue working towards better CMYK support and performance.
Bug

EU Offers Big Bug Bounties On 14 Open Source Software Projects (juliareda.eu) 78

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.

The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.
Operating Systems

Linux 4.20 Released in Time for Christmas (betanews.com) 47

Linus Torvalds has announced the general availability of v4.20 of the Linux kernel. In a post to the Linux Kernel Mailing List, Torvalds said that there was no point in delaying the release of the latest stable version of the kernel just because so many people are taking a break for the holiday season. From a report: He says that while there are no known issues with the release, the shortlog is a little longer than he would have liked. However "nothing screams 'oh, that's scary'", he insists. The most notable features and changes in the new version include: New hardware support! New hardware support includes bringing up the graphics for AMD Picasso and Raven 2 APUs, continued work on bringing up Vega 20, Intel has continued putting together its Icelake Gen 11 graphics support, there is support for the Hygon Dhyana CPUs out of China based upon AMD Zen, C-SKY 32-bit CPU support, Qualcomm Snapdragon 835 SoC enablement, Intel 2.5G Ethernet controller support for "Foxville", Creative Sound Blaster ZxR and AE-5 sound card support, and a lot of smaller additions.

Besides new hardware support when it comes to graphics processors, in the DRM driver space there is also VCN JPEG acceleration for Raven Ridge, GPUVM performance work resulting in some nice Vulkan gaming boosts, Intel DRM now has full PPGTT support for Haswell/IvyBridge/ValleyView, and HDMI 2.0 support for the NVIDIA/Nouveau driver. On the CPU front there are some early signs of AMD Zen 2 bring-up, nested virtualization now enabled by default for AMD/Intel CPUs, faster context switching for IBM POWER9, and various x86_64 optimizations. Fortunately the STIBP work for cross-hyperthread Spectre V2 mitigation was smoothed out over the release candidates that the performance there is all good now.

Btrfs performance improvements, new F2FS features, faster FUSE performance, and MDRAID improvements for RAID10 round out the file-system/storage work. One of the technical highlights of Linux 4.20 that will be built up moving forward is the PCIe peer-to-peer memory support for device-to-device memory copies over PCIe for use-cases like data going directly from NICs to SSD storage or between multiple GPUs.

Open Source

MIPS Goes Open Source (eetimes.com) 70

Junko Yoshida, writing for EETimes: Without question, 2018 was the year RISC-V genuinely began to build momentum among chip architects hungry for open-source instruction sets. That was then. By 2019, RISC-V won't be the only game in town. Wave Computing (Campbell, Calif.) announced Monday (Dec. 17) that it is putting MIPS on open source, with MIPS Instruction Set Architecture (ISA) and MIPS' latest core R6 available in the first quarter of 2019. Art Swift, hired by Wave this month as president of its MIPS licensing business, described the move as critical to accelerate the adoption of MIPS in an ecosystem.

Going open source is "a big plan" that Wave CEO Derek Meyer, a MIPS veteran, has been quietly fostering since Wave acquired MIPS Technologies in June, explained Swift. Swift himself is a MIPS alumnus who worked at the company as a vice president of marketing and business development for four years. Wave, which styles itself as a tech startup poised to bring "AI and deep learning from the datacenter to the edge," sees MIPS as a key to advancing Wave's AI into a host of uses and applications. Included in MIPS instruction sets are extensions such as SIMD (single instruction, multiple data) and DSP. Swift promised that MIPS will bring to the open-source community "commercial-ready" instruction sets with "industrial-strength" architecture. "Chip designers will have opportunities to design their own cores based on proven and well tested instruction sets for any purposes," said Swift.

Microsoft

How Microsoft Embraced Python (medium.com) 163

Steve Dower, a Python developer at Microsoft, describes how the language became popular internally: In 2010, our few Pythonistas were flying under the radar, in case somebody noticed that they could reassign a few developers to their own project. The team was small, leftover from a previous job, but was chipping away at a company culture that suffered from "not invented here" syndrome: Python was a language that belonged to other people, and so Microsoft was not interested. Over the last eight years, the change has been dramatic. Many Microsoft products now include Python support, and some of the newest only support Python. Some of our critical tools are written in Python, and we are actively investing in the language and community....

In 2018, we are out and proud about Python, supporting it in our developer tools such as Visual Studio and Visual Studio Code, hosting it in Azure Notebooks, and using it to build end-user experiences like the Azure CLI. We employ five core CPython developers and many other contributors, are strong supporters of open-source data science through NumFOCUS and PyData, and regularly sponsor, host, and attend Python events around the world.

"We often felt like a small startup within a very large company," Dower writes, in a post for the Medium community "Microsoft Open Source Stories."
Open Source

Do Alternative Software Licenses Represent Open Source's 'Midlife Crisis'? (dtrace.org) 87

"it is clear to me that open source -- now several decades old and fully adult -- is going through its own midlife crisis," writes Joyent CTO Bryan Cantrill. [O]pen source business models are really tough, selling software-as-a-service is one of the most natural of them, the cloud service providers are really good at it -- and their commercial appetites seem boundless. And, like a new cherry red two-seater sports car next to a minivan in a suburban driveway, some open source companies are dealing with this crisis exceptionally poorly: they are trying to restrict the way that their open source software can be used. These companies want it both ways: they want the advantages of open source -- the community, the positivity, the energy, the adoption, the downloads -- but they also want to enjoy the fruits of proprietary software companies in software lock-in and its concomitant monopolistic rents.

If this were entirely transparent (that is, if some bits were merely being made explicitly proprietary), it would be fine: we could accept these companies as essentially proprietary software companies, albeit with an open source loss-leader. But instead, these companies are trying to license their way into this self-contradictory world: continuing to claim to be entirely open source, but perverting the license under which portions of that source are available. Most gallingly, they are doing this by hijacking open source nomenclature. Of these, the laughably named commons clause is the worst offender (it is plainly designed to be confused with the purely virtuous creative commons), but others...are little better...

"[T]heir business model isn't their community's problem, and they should please stop trying to make it one," Cantrill writes, adding later that "As we collectively internalize that open source is not a business model on its own, we will likely see fewer VC-funded open source companies (though I'm honestly not sure that that's a bad thing)..." He also points out that "Even though the VC that led the last round wants to puke into a trashcan whenever they hear it, business models like 'support', 'services' and 'training' are entirely viable!"

Jay Kreps, Co-founder of @confluentinc, has posted a rebuttal on Medium. "How do you describe a license that lets you run, modify, fork, and redistribute the code and do virtually anything other than offer a competing SaaS offering of the product? I think Bryan's sentiment may be that it should be called the Evil Proprietary Corruption of Open Source License or something like that, but, well, we disagree."
Java

OpenJDK Bug Report Complains Source Code 'Has Too Many Swear Words' (java.net) 281

Thursday a bug report complained that the source code for OpenJDK, the free and open-source implementation of Java, "has too many swear words." An anonymous reader writes: "There are many instances of swear words inside OpenJDK jdk/jdk source, scattered all over the place," reads the bug report. "As OpenJDK is used in a professional context, it seems inappropriate to leave these 12 instances in there, so here's a changeset to remove them."
IBM software developer (and OpenJDK team member and contributor) Adam Farley responded that "after discussion with the community, three determinations were reached":
  • "Damn" and "Crap" are not swear words.
  • Three of the four f-bombs are located in jszip.js, which should be corrected upstream (will follow up).
  • The f-bomb in BitArray.java, as well as the rude typo in SoftChannel.java, *are* swear words and should be removed to resolve this work item.

He promised a new webrev would be uploaded to reflect these determinations, and the bug has been marked as "resolved."


Microsoft

Microsoft Launches Visual Studio 2019 Preview 1 For Windows and Mac; Open-Sources WPF, Forms and WinUI (venturebeat.com) 72

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

Open Source

Developer Misinterprets Linux Code of Conduct, Suggests Replacing F-Word with 'Hug' (neowin.net) 402

Seeking compliance with Linux's new Code of Conduct, Intel software engineer Jarkko Sakkinen recently requested comments on a set of changes to kernel code comments which Neowin described as "replacing the F-word with 'hug'."

80 comments quickly followed on the Linux Kernel Maintainer's List: Several contributors responded to the alterations calling them insane. One wondered if Sakkinen was just trying to make a joke, and another called it censorship and said he'd refuse to apply any sort of patches like this to the code he's in charge of...

Some of the post-change comments read "Some Athlon laptops have really hugged PST tables", "If you don't see why, please stay the hug away from my code", and "Only Sun can take such nice parts and hug up the programming interface".

Eventually LWN.net publisher Jonathan Corbet deflated most of the controversy by pointing out that Linux's new Code of Conduct applies to future comments but clearly indicates that it does not apply explicitly to past comments.

And Jarkko Sakkinen acknowledged that he had missed that part of the discussion.
