The /e/OS-powered Murena One is the first smartphone from Murena that does its best to free you from Google without sacrificing too many core features. There are no Google apps, Google Play Services, or even the Google Assistant. It's all been replaced by open-source software alternatives with privacy-respecting features. ZDNet's Steven Vaughan-Nichols reports: Murena and Mandrake Linux founder Gael Duval was sick of it by 2017. He wanted his data to be his data, and he wanted open-source software. Almost five years later, Duval and his co-developers launched the Murena One X2. It's the first high-end Android phone using the open-source /e/OS Android fork to arrive on the market. The privacy heart of the Murena One is /e/OS V1. There have been many attempts to create an alternative to Google-based Android and Apple's iOS -- Ubuntu One, FirefoxOS, and Windows Mobile -- but all failed. Duval's approach isn't to reinvent the mobile operating system wheel, but to clean up Android of its squeaky Google privacy-invading features and replace them with privacy-respecting ones. To make this happen, Duval started with LineageOS -- an Android-based operating system, which is descended from the failed CyanogenMod Android fork. It also blends in features from the Android Open Source Project (AOSP) source-code trees.

In the /e/OS, most (but not all) Google services have been removed and replaced with MicroG services. MicroG replaces Google's libraries with purely open-source implementations without hooks to Google's services. This includes libraries and apps which provide Google Play, Maps, Geolocation, and Messaging services for Android applications. In addition, /e/OS does its best to free you from higher-level Google services. For instance, Google's default search engine has been replaced with Murena's own meta-search engine. Other internet-based services, such as Domain Name Server (DNS) and Network Time Protocol (NTP), use non-Google servers. Above the operating system, you'll find Google-free applications. This includes a web browser; an e-mail client; a messaging app; a calendar; a contact manager; and a maps app that relies on Mozilla Location Service and OpenStreetMap. While it's not here yet, Murena is also working on its own take on Google Assistant, Elivia-AI. You can also run many, but not all Android apps. You'll find these apps on the operating system's App Lounge. [...]

There's still one big problem: the App Lounge still relies on you logging in with your Google account. In short, the App Lounge is mainly a gateway to Google Store apps. Munera assures me that the Lounge anonymizes your data -- except if you use apps that require payment. Still, this is annoying for people who want to cut all their ties with Google. The fundamental problem is this: Muena does all it can to separate its operating system and applications from Google, but it can't -- yet -- replace Google's e-commerce and software store system. As for hardware specs, the $379 Murena One features a 6.5-inch IPS LCD display, eight-core MediaTek Helio P60 processor, side-mounted fingerprint scanner, three rear cameras (48MP + 8MP + 5MP) and 25MP front camera, and 4,500mAh battery. It also features a microSD card slot for expandable storage and headphone port.

"Let's popularize image-based OSes," writes Lennart Poettering, "with modernized security properties built around immutability, SecureBoot, TPM2, adaptability, auto-updating, factory reset, uniformity — built from traditional distribution packages, but deployed via images."

Or, as the Register puts it, the Systemd Linux init system "continues to grow and develop, as does Linux itself." They delve into the rationale for the new systemd-sysupdate and kernel-install features, noting "The former is still described as an experimental feature, so relax — for now." No, this does not mean that systemd is becoming a package manager. Like it or not, though, the nature of operating systems is changing. Modern ones are large, complex, and need regular updates, and as The Register has examined in depth recently, this means that the design of Linux distributions is changing radically....

ChromeOS doesn't have a package manager; neither do Fedora's Silverblue and Kinoite versions. You get a tested, known-good image of the OS. Updates are distributed as a complete image, like they are today with Android or iOS. ChromeOS has two root partitions: one live and one spare. The currently running OS updates the spare partition, then you reboot into that one. If everything works, it updates the now-idle second root partition. If it doesn't all work perfectly, then you still have the previous version available to use, and you can just reboot into that again. When a fixed image becomes available, the OS automatically tries again on the spare instance.

The idea is that you always have a known-good OS partition available, which sounds like a benefit to us. Presumably the users are happy too: Chromebook sales may be down, and they only have a fixed lifespan, but there are still well over a hundred million of them out there.

So, no, systemd is not going to become a package manager, because ordinary distros won't have a package manager at all, except maybe Flatpak, or Snap or something similar. The new functionality, including managing installed kernels, is to facilitate A/B type dual-live-system partitions.

For some insight into this vision, Lennart Poettering, lead architect of systemd, has described this in a blog post titled "Bringing Everything Together."
Other updates include "changes to systemd-networkd, such as systemd-resolved starting earlier in the boot sequence, and more cautious allocation of default routes," the article points out, adding that new releases of systemd "ppear roughly twice a year, so the chances are that this will appear in the fall releases of Ubuntu and Fedora...

"If you still prefer to avoid systemd, don't despair. There are still a selection of distros that eschew it altogether, including Devuan GNU+Linux, Alpine Linux, and Void Linux.

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.
With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.

System76's CEO Carl Richell announced that HP has chosen the Ubuntu-based Pop!_OS operating system to run on its 14-inch developer-focused notebook called "Dev One." Brian Fagioli from BetaNews speculates that a HP acquisition of System76 "could be a possibility in the future -- if this new relationship pans out at least." He continues: HP could be testing the waters with the upcoming Dev One. Keep in mind, System76 does not even build its own laptops, so we could see the company leave the notebook business and focus on desktops only -- let HP handle the Pop!_OS laptops. "We've got you covered. Experience exceptional multi-core performance from the AMD Ryzen 7 PRO processor and multitask with ease. Compile code, run a build, and keep all your apps running with more speed from the 16GB memory. Plus, load and save files in a flash, thanks to 1TB fast PCIe NVMe M.2 storage. We've even added a Linux Super key so shortcuts are a click away. Simply put, HP Dev One is built to help you code better," explains HP.

The company adds, "Pop!_OS is at your service. Create your ideal work experience with multiple tools to help you perform with peak efficiency. Use Stacking to organize and access multiple applications, browsers, and terminal windows. Move, resize, and arrange windows with ease or, let Pop!_OS keep you organized and efficient with Auto-tiling. And use Workspaces to reduce clutter by organizing windows across multiple desktops." Apparently, there will only be one configuration priced at $1,099. So far, no details about a release date have been announced other than "coming soon."

An anonymous reader quotes a report from XDA Developers: Google created Flutter a number of years ago, with the aim to make a cross-platform software framework. Flutter's biggest strength is that it can be used to build applications for Android, iOS, Linux, Windows, macOS, and even the web, and all from the same shared codebase. While building apps for Windows received stable support back in February, both macOS and Linux were still only in beta. Now that's changing, as Google has announced Flutter 3 at this year's Google I/O, complete with stable support for building apps for macOS and Linux.

Of course, cross-platform support for both of these new platforms requires more than just programs being able to run. They need to fit in with the rest of the experience, and they need to support specific features that may be unique, as well. That's why Google is highlighting two things: the first is that Linux support helped by Canonical (the publisher of Ubuntu) and Google collaborating in order to "offer a highly-integrated, best-of-breed option for development."

As Google puts it, Canonical is already developing with "Flutter for key shell experiences including installation and firmware updates." What's more, their Linux-specific packages "provide an idiomatic API for core operating system services including dbus, gsettings, networkmanager, Bluetooth and desktop notifications, as well as a comprehensive theme and widget set for Yaru, the Ubuntu look and feel." As for macOS, Google invested in supporting both Intel and Apple Silicon devices, with Universal Binary support that allows apps to package executables that run natively on both architectures. Tim Sneath, Director of Product and UX for Flutter & Dart, highlights all the new improvements in a Medium post.

InfoWorld reports that "While still the industry's leading Java distribution, Oracle Java's popularity is half what it was just two years ago, according to a report from application monitoring company New Relic." (With the usual caveat that data from New Relic's report "was drawn entirely from applications reporting to New Relic in January 2022 and does not provide a global picture of Java usage,") The finding was included the company's 2022 State of the Java Ecosystem report, released April 26, which is based on data culled from millions of applications providing performance data to New Relic. Among Java Development Kit (JDK) distributions, Oracle had roughly 75% of the market in 2020, but just 34.48% in 2022, New Relic reported. Not far behind was Amazon, at 22.04%, up from 2.18% in 2020.

New Relic said its numbers show movement away from Oracle binaries after the company's "more restrictive licensing" of its JDK 11 distribution before returning to a more open stance with JDK 17, released in September 2021. Behind Oracle and Amazon were Eclipse Adoptium (11.48%), Azul Systems (8.17%), Red Hat (6.05%), IcedTea (5.38%), Ubuntu (2.91%), and BellSoft (2.5%).

The Register noted this week that two "unofficial" Ubuntu remixes "came out on the same day as the official flavors."

- Ubuntu Cinnamon (Linux Mint's flagship desktop environment)

- Ubuntu Unity, a revival of what used to be the official Ubuntu desktop by Ubuntu team member Rudra B. Saraswat (described the Register as "a 12-year-old wunderkind") Ubuntu Cinnamon is the older of the two and first appeared in 2019, while Ubuntu Unity came out in May 2020, soon after the release of Ubuntu 20.04.

Ubuntu Unity....has the macOS-like desktop that was Ubuntu's standard offering from 2011 until the company pensioned it off in 2017.... Ubuntu Unity is as free as Ubuntu itself, and the new remix continues to evolve. In 22.04, most of the GNOME-based accessory apps have been replaced with the MATE equivalents, such as the Pluma text editor and Atril document viewer. (A handful remain, such as the GNOME system monitor rather than the MATE one, but the differences are trivial.) The System Settings app is the original Unity one, and the Unity Tweaks app comes pre-installed.... The new "Jammy Jellyfish" version of Ubuntu Unity also adds support for Flatpak packages alongside Ubuntu's native Snap packages. To do this, it replaces Ubuntu's Software Store with version 41.5 of GNOME Software. Interestingly, this also supports Snap packages, so sometimes, when you search for a package, you might get multiple results: one for the OS-native DEB package, possibly one for a Flatpak, and maybe a Snap version too....

[I]f you dislike both the Unity and GNOME desktops and want something more Windows-like, but you don't mind GNOME's CSD windows, then Joshua Peisach's Ubuntu Cinnamon remix may appeal. Cinnamon is the default desktop of both Ubuntu-based Linux Mint and its Debian variant. Ubuntu Cinnamon combines the latest upstream version of Mint's Cinnamon desktop, 5.2.7, with the standard app selection of upstream Ubuntu. This means most of its apps lack menu bars, except for the Nemo file manager and LibreOffice. For these classic-style apps, the Ubuntu Cinnamon distro has tweaked the GNOME title-bar layout to be more Windows-like: minimize/maximize/close buttons at top right, and a window-management menu at top left....

Cinnamon's roots as a fork of GNOME 3 do offer a significant potential feature that MATE, Xfce and indeed Unity cannot do: fractional scaling. This is clearly labelled as an experimental feature, and in testing, we couldn't get it to work, so for now, this remains a theoretical advantage.... These caveats aside, though, Ubuntu Cinnamon is maturing nicely in the new version. While Ubuntu and Ubuntu Unity are now purple-toned, Ubuntu Cinnamon has switched to a restrained theme in shades of dark orange and brown, which reminded us of the tasteful earth-toned Ubuntu of the old GNOME 2 days...

Both these desktops are X.11-based, so there's not a trace of Wayland in either distro. Both also benefit from having working 3D acceleration.
Both remixes "are aiming for inclusion as official Ubuntu flavors," the article points out.

But then again, "There are dozens of Ubuntu remixes and flavors out there. The official Ubuntu Derivatives page links to 30, and DistroWatch has more than five times as many, including many which are no longer maintained."

An anonymous reader shares a report: The saga of Ubuntu-maker Canonical's IPO efforts now stretches back quite a few years. I think the first time I talked to the company's founder Mark Shuttleworth about going public was in 2018, though there had already been some chatter about it in previous years. But the timing never quite worked out for Canonical. In a press briefing ahead of today's launch of Ubuntu 22.04 LTS, Shuttleworth noted he now expects it to go public next year. "We are on track to float the business. And now I'm pretty confident that we will do that in 2023," said Shuttleworth, who was calling in from an undisclosed island off the coast of West Africa. "And so we're taking active steps at the board level and in our finance operation -- various other parts of the business -- to be prepared for that. We're now effectively on a very clear program to a flotation of the business next year."

He stressed that Canonical is not in a situation where it has to raise outside money and that going public for him is not about fundraising. He noted that Canonical's revenue last year was $175 million and that the company's biggest challenge right now is that demand is bigger that the company's ability to service it, in large part because there isn't enough talent on the market for the company to hire.

The Volla Phone 22, a new smartphone available for preorder via a Kickstarter campaign, is unlike any other smartphone on the market today in that it ships with a choice of the Android-based Volla OS or the Ubuntu Touch mobile Linux distribution. "It also supports multi-boot functionality, allowing you to install more than one operating system and choose which to run at startup," writes Liliputing's Brad Linder. Some of the hardware specs include a 6.3-inch FHD+ display, a MediaTek Helio G85 processor, 4GB of RAM, 128GB storage, 3.5mm audio jack and a microSD card reader. There's also a 48-megapixel main camera sensor and replaceable 4,500mAh battery. From the report: While Volla works with the folks at UBPorts to ensure its phones are compatible with Ubuntu Touch, the company develops the Android-based Volla OS in-house. It's based on Google's Android Open Source Project code, but includes a custom launcher, user interface, and set of apps with an emphasis on privacy. The Google Play Store is not included, as this is a phone aimed at folks who want to minimize tracking from big tech companies. Other Google apps and services like the Chrome web browser, Google Maps, Google Drive, and Gmail are also omitted. The upshot is that no user data is collected or stored by Volla, Google, or other companies unless you decide to install apps that track your data. Of course, that could make using the phone a little less convenient if you've come to rely on those apps, so the Volla Phone might not be the best choice for everyone.

Volla OS also has a built-in user-customizable firewall, an App Locker feature for disabling and hiding apps, and optional support for using the Hide.me VPN for anonymous internet usage. The source code for Volla OS is also available for anyone that wants to inspect the code. The operating system also has a custom user interface including a Springboard that allows you to quickly launch frequently-used apps by pressing a red dot for a list, or by starting to type in a search box for automatic suggestions such as placing a phone call, sending a text message, or opening a web page. You can also create notes or calendar events from the Springboard or send an encrypted message with Signal. The phone is expected to ship in June at an early bird price of about $408.

Last week 69-year-old Richard Stallman gave a 92-minute presentation on the state of the free software movement. Stallman covered numerous topics, but also added as an aside at one point: Ubuntu of course is a non-free distro, and I wouldn't recommend that anyone use it. Some important packages are now distributed only through their non-freedom-respecting package system, and not as Debian packages. So it's even harder than before to get any freedom out of an Ubuntu installation.
But Stallman also sees a larger issue: Another area where we have problems is there are several languages which come with a package library -- basically people post packages in them. And that might be fine if they had a good criterion for the licensing of the libraries people upload into those sites -- but they're not developed by free software activists, and they don't have such a criterion. There are non-free packages in those libraries too.

Now, some of them make it possible to find out whether a library is free. Some of them, it's difficult. Sometimes -- yeah, you could probably look at the source code and see what licenses are in it, and then you could look up those licenses in GNU.org/licenses/license-list.html and see if all those licenses are free... The problem is, they don't help you. At the very least they should make it easy to say, "Show me only the free packages." And then, "Show me only the GPL-compatible packages, because I'm writing a GPL-covered program, and I can't use the libraries that are not GPL compatible. And I certainly won't ever think of using a non-free library."

They're not interested in helping people move forward in freedom. And so we need people to write front-ends for those package archives, which will show only the freely-licensed packages, and which can be asked to show which ones are GPL-compatible, or show only those. This way they will be usable easily by the free software community. If you like one of the languages that has this problem, please show your appreciation for that language by reconciling its use with maintaining freedom.
And this leads Stallman to a related setback for the free software movement: the containers themselves that are packaging some programs with the libraries they need: The old way of doing this was you would make sure that your program said which versions of libraries it was compiled to work with, and in the source code you'd use something like Autoconf so that it could work with the various library versions. And this way you could build the program for a wide variety of free operating systems and versions of them.

Well, that's some work, so some developers, they release a free program -- not all of them release free programs, but some of them do release free programs -- using containers. And the container has one set of libraries in it. And how do you really know what's in there? It's not straightforward to verify that all the libraries in the container are free, and a lot of people won't realize that they should even think about it. So the use of containers, as they are implemented nowadays by people who are not free software activists and are not particularly concerned with this question, is an obstacle to verifying that you're installing free software.

Well, maybe some of these container systems could be improved, or maybe another one could be designed to solve these problems. If a container packaging system were designed by people who care about freedom, they might find good ways to satisfy this goal, as well as others. So it's something you could possibly work on.

A headline at Hot Hardware calls it "a sexy Linux laptop with deep learning chops... being pitched as the world's most powerful laptop for machine learning workloads."

And here's how Ars Technica describes the Razer x Lambda Tensorbook (announced Tuesday): Made in collaboration with Lambda, the Linux-based clamshell focuses on deep-learning development. Lambda, which has been around since 2012, is a deep-learning infrastructure provider used by the US Department of Defense and "97 percent of the top research universities in the US," according to the company's announcement. Lambda's offerings include GPU clusters, servers, workstations, and cloud instances that train neural networks for various use cases, including self-driving cars, cancer detection, and drug discovery.

Dubbed "The Deep Learning Laptop," the Tensorbook has an Nvidia RTX 3080 Max-Q (16GB) and targets machine-learning engineers, especially those who lack a laptop with a discrete GPU and thus have to share a remote machine's resources, which negatively affects development.... "When you're stuck SSHing into a remote server, you don't have any of your local data or code and even have a hard time demoing your model to colleagues," Lambda co-founder and CEO Stephen Balaban said in a statement, noting that the laptop comes with PyTorch and TensorFlow for quickly training and demoing models from a local GUI interface without SSH. Lambda isn't a laptop maker, so it recruited Razer to build the machine....

While there are more powerful laptops available, the Tensorbook stands out because of its software package and Ubuntu Linux 20.04 LTS.
The Verge writes: While Razer currently offers faster CPU, GPU and screens in today's Blade lineup, it's not necessarily a bad deal if you love the design, considering how pricey Razer's laptops can be. But we've generally found that Razer's thin machines run quite hot in our reviews, and the Blade in question was no exception even with a quarter of the memory and a less powerful RTX 3060 GPU. Lambda's FAQ page does not address heat as of today.

Lambda is clearly aiming this one at prospective MacBook Pro buyers, and I don't just say that because of the silver tones. The primary hardware comparison the company touts is a 4x speedup over Apple's M1 Max in a 16-inch MacBook Pro when running TensorFlow.
Specifically, Lambda's web site claims the new laptop "delivers model training performance up to 4x faster than Apple's M1 Max, and up to 10x faster than Google Colab instances." And it credits this to the laptop's use of NVIDIA's GeForce RTX 3080 Max-Q 16GB GPU, adding that NVIDIA GPUs "are the industry standard for parallel processing, ensuring leading performance and compatibility with all machine learning frameworks and tools."

"It looks like a fine package and machine, but pricing starts at $3,499," notes Hot Hardware, adding "There's a $500 up-charge to have it configured to dual-boot Windows 10."

The Verge speculates on what this might portend for the future. "Perhaps the recently renewed interest in Linux gaming, driven by the Steam Deck, will push Razer to consider Linux for its own core products as well."

"Rolling Rhino is a tool long ago created by Martin Wimpress, who until recently was part of the Canonical team," one Linux blog pointed out recently. "What it does is basically change the repositories of the DailyLive developers...."

Neowin sees it as a competitive advantage. After more than 17 years, there's a way to get a Ubuntu distro offering the same "rolling" release cycles that helped popularize Arch Linux: While there are many positive qualities that would draw a user into the world of Arch, its headlining feature would be the one that remains the most relevant in today's world of continuous integration and delivery and that's its rolling release strategy. While I don't think Judd Vinet could have predicted the proliferation of DevOps or the massive shift to cloud computing, it must be interesting to see that the entire industry is following the Arch strategy in all sorts of different places. One could even argue that Microsoft Windows has become a rolling release.

While many of Arch's contemporaries have joined the fray, one notable open-source giant has yet to make the leap.

Rolling Rhino looks to change that by converting Ubuntu into a rolling release.
Thanks to Slashdot reader segaboy81 for submitting the story...

Slashdot reader mmanciop reminded us that Ubuntu released a new version of its "circle of friends" logo this week (which its designer says gives it "a more contemporary look and feel.")

From the Ubuntu blog: We proudly present to you the transformation of the Circle of Friends logo for Ubuntu. The new logo isn't a revolution; rather, it's an evolution of the Circle of Friends. As you can see at the top of the post, the classic white-on-orange colour scheme hasn't changed. But the new version sports sleek lines which bind the Circle of Friends even more closely together.

While it is important to have a respectful continuity with the previous Circle of Friends, the updated version is leaner, more focused, more sophisticated. It also makes a little more sense that the heads are now inside the circle, facing each other and connecting more directly. The rectangular orange tag is a break from the conventional square or circle, as it allows for the boldness of the orange to express itself and provides a recognisable colourful mark across media. Finally, the logo moves from a tiny superscript to a large, dynamic and leading presence.

Some might wonder why we had to touch the Ubuntu logo at all. As one can imagine, it is a daunting honour to work on something so many of us have such a strong connection to. But in the end, a logo should match what it represents. Similar to how Ubuntu continues to evolve and adapt to new uses in technology, its logo should follow suit to encapsulate and reflect such ongoing change.
For comparison, here's the original logo.

Share your reactions in the comments. (For example, how do you think it compares to other logos?) Do you like it more or less than, say, the logo for Raku?

Sophos threat researcher Nick Gregory discovered a hole in Linux's netfilter firewall program that's "exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want." ZDNet reports: Behind almost all Linux firewalls tools such as iptables; its newer version, nftables; firewalld; and ufw, is netfilter, which controls access to and from Linux's network stack. It's an essential Linux security program, so when a security hole is found in it, it's a big deal. [...] This problem exists because netfilter doesn't handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn't have offload functionality! That's because, as Gregory wrote to a security list, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails."

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It's listed as Common Vulnerabilities and Exposures (CVE-2022-25636), and with a Common Vulnerability Scoring System (CVSS) score of 7.8), this is a real badie. How bad? In its advisory, Red Hat said, "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat." So, yes, this is bad. Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x; Debian Bullseye; Ubuntu Linux, and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn't available yet in all distribution releases.

An anonymous reader quotes a report from Ars Technica: Setting up a Raspberry Pi board has always required a second computer, which is used to flash your operating system of choice to an SD card so your Pi can boot. But the Pi Foundation is working on a new version of its bootloader that could connect an OS-less Pi board directly to the Internet, allowing it to download and install the official Raspberry Pi OS to a blank SD card without requiring another computer. To test the networked booting feature, you'll need to use the Pi Imager on a separate computer to copy an updater for the bootloader over to an SD card -- Pi firmware updates are normally installed along with new OS updates rather than separately, but since this is still in testing, it requires extra steps.

Once it's installed, there are a number of conditions that have to be met for network booting to work. It only works on Pi 4 boards (and Pi 4-derived devices, like the Pi 400 computer) that have both a keyboard and an Ethernet cable connected. If you already have an SD card or USB drive with a bootable OS connected, the Pi will boot from those as it normally does so it doesn't slow down the regular boot process. And you'll be limited to the OS image selection in the official Pi imager, though this covers a wide range of popular distributions, including Ubuntu, LibreELEC, a couple of retro-gaming emulation OSes, and Homebridge. For other OSes, downloading the image on a separate PC and installing it to an SD card manually is still the best way to go. To learn more about installing the bootloader or download the Pi OS over a network, you can view the Raspberry Pi Foundation's documentation here.

An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualsys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true." Why is it so bad? Let us count the ways:

- Pkexec is installed by default on all major Linux distributions.
- Qualsys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it's exploitable even if the polkit daemon itself is not running.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environmental variables. The short version, according to Qualsys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualsys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack. It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability.

"If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."

The Linux Foundation has released three new training courses on the edX platform: Open Source Software Development: Linux for Developers (LFD107x), Linux Tools for Software Development (LFD108x), and Git for Distributed Software Development (LFD109x). The three courses can be taken individually or combined to earn a Professional Certificate in Open Source Software Development, Linux, and Git. ZDNet reports: The first class, Open Source Software Development: Linux for Developers (LFD107x) explores the key concepts of developing open-source software and how to work productively in Linux. You don't need to know Linux before starting this class, as it's an introduction to Linux designed for developers. In it, you'll learn how to install Linux and programs, how to use desktop environments, text editors, important commands and utilities, command shells and scripts, filesystems, and compilers. For this class, the Foundation recommends you use a computer installed with a current Linux distribution. I'd go further and recommend you use one with one of the professional Linux distributions. In particular, you should focus on one of the three main enterprise Linux families: Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu. There are hundreds of other distros, but these are the ones that matter to companies looking for Linux developers.

The next course, Linux Tools for Software Development (LFD108x) examines the tools necessary to do everyday work in Linux development environments and beyond. It is designed for developers with experience working on any operating system who want to understand the basics of open-source development. Upon completion, participants will be familiar with essential shell tools, so they can work comfortably and productively in Linux environments. In addition, I recommend you come to this class with a working knowledge of the C programming language.

Finally, Git for Distributed Software Development (LFD109x) provides a thorough introduction to Git. Git is Linux Torvalds' other great accomplishment. This source control system was first used by the Linux kernel community to enable developers from around the world to operate efficiently. In addition, thanks to such sites as GitHub and GitLab, Git has become the lingua franca of all software development. Everyone uses Git today. With this class, you'll learn to use Git to create new repositories or clone existing ones, commit new changes, review revision histories, examine differences with older versions, work with different branches, merge repositories, and work with a distributed development team. Whether or not you end up programming in Linux, knowing how to use Git is essential for the modern programmer. As ZDNet's Steven Vaughan-Nichols notes, you can take the three courses through edX in audit mode for no cost. However, you'll need to earn the professional certificate so employers will know you're capable of open-source programming.

"To do this, you must enroll in the program, complete all three courses, and pay a verified certificate fee of $149 per course."

"Qt, the framework that powers the KDE desktop, is announcing support for ads in client-side applications," reports Neowin: This means that application developers will now be able to serve ads in traditional desktop applications.... Windows users have been dealing with this in Metro UI apps since Windows 8 and it's something that's never gone over well on the desktop.

While it's doubtful you'll see ads in KDE's core applications, it would be possible for distributions that wish to further monetize their work to fork these applications, placing ads in them.... According to the documentation, the advertising plugin supports a variety of platforms. They are as follows:

- Windows 10
- Ubuntu 20.04
- Raspbian Buster
- macOS
- Android 7.0
— iOS

"Our offering aims to disrupt the IoT industry," explains Qt's press release, "enabling new business models and business cases that before were not possible."

Reactions have been mixed. Comments on Phoronix ranged from calling it "a great way for boost development on KDE" to "Not sure if I like this."

Thanks to Slashdot reader segaboy81 for sharing the story

Brian Fagioli, reporting for BetaNews: The developers of the Ubuntu-based operating system have agreed to accept an undisclosed amount of money from Mozilla in exchange for making significant changes to Linux Mint. This includes removal of modifications to Firefox and a big change for search. The devs share the upcoming changes to Firefox in Linux Mint 19 and higher.
The default start page no longer points to https://www.linuxmint.com/start/
The default search engines no longer include Linux Mint search partners (Yahoo, DuckDuckGo...) but Mozilla search partners (Google, Amazon, Bing, DuckDuckGo, Ebay...)
The default configuration switches from Mint defaults to Mozilla defaults.
Firefox no longer includes code changes or patches from Linux Mint, Debian or Ubuntu.

A year after releasing the first preview build of its Chromium-based Edge browser for Linux, Microsoft is announcing its general availability. From a report: The new release supports a variety of Linux distributions, including Ubuntu, Debian, Fedora and openSUSE. Microsoft announced Linux on Edge's availability milestone during the first day of its Ignite IT Pro conference. As of the release of Edge for Linux to the "stable" (mainstream user) channel, Edge is now available on Windows, Mac, iOS, Android and Linux. As it did when introducing the new Edge on macOS, Microsoft has been positioning Edge on Linux as more of an offering for IT pros and developers who want to test web sites than as a browser for "normal" users on those platforms. However, any user on any supported platform can use the new Edge.