November put a shining spotlight on the progress open-source technology offers:
- Significant announcements at the ONE Summit North America in Seattle showed that non-proprietary software continues to thrive and innovate.
- News involving The Linux Foundation and Amazon demonstrate the power of open-source technology in improving global networking for retail and business operations.
- Red Hat and the AlmaLinux OS Foundation continue to drive enterprise advancements.
First, let’s begin this rundown of open-source industry highlights with GitHub now limiting some public access to vulnerability alerts so researchers can communicate with devs secretly.
GitHub Closes Door to Public Vulnerabilities View
Sometimes, a little secrecy may be a better way to handle software vulnerability issues. But is keeping public awareness of open-source code problems a good thing or a way to avoid transparency?
Now, anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository. GitHub just disclosed its plan to give security researchers a way to report vulnerabilities to owners of public repositories privately.
Bug bounties and Cisco’s Product Security Incident Response Team (PSIRT) already take private reports outside the open-source world. There is no issues repository for Microsoft or Apple. It is superficially counterintuitive to do this in the open-source world. But from a security perspective, it makes great sense, according to John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company.
Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd, noted that the plan normalizes the importance of security feedback from the outside world for FOSS maintainers and developers.
A need exists for better collaboration between security researchers and software vendors, added Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services.
“If the open source community can more quickly address vulnerabilities without the name and shame culture — and without bad actors creating exploit code [without doing the research] — it will be a significant step forward that other code repo products should also support,” Barratt told LinuxInsider.
Other cybersecurity experts told LinuxInsider they agree with GitHub’s new policy.
Giving researchers a way to report issues directly to developers in GitHub is a welcome addition, praised Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation. Some prominent software developers, such as Microsoft, already have a way to contact them about vulnerabilities privately.
“Now, projects using GitHub will be able to get reports directly to the people responsible for fixing them and will have an easy way to collaborate with the researchers that discovered the problem,” he said.
GitHub’s default method of reporting uses the issues functionality — or potentially a git request. Both are public, allowing attackers to know there is a problem, according to Netenrich’s Bambenek.
“They can use the age of the initial report to further inform their targeting. Attackers still have the window between when a patch is available and when it is universally applied. We do not need to give them even more time,” he said.
New RHEL Release Packs Powerful Cloud and Security Tweak
Red Hat on Nov. 16 announced the release of Red Hat Enterprise Linux 9.1, the first minor release of the RHEL 9 platform. The new version comes with various enhancements, tweaks, and new features.
Along with the recently announced Red Hat Enterprise Linux 8.7, these minor versions add and refine capabilities for a wide range of enterprise IT needs. A key benefit is helping to streamline complex infrastructure environments to improve the security stance of containerized applications.
The latest versions of Red Hat Enterprise Linux continue to make hybrid cloud computing accessible and successful at global business scale by pairing reliability and stability with features designed for innovation and flexibility, according to Gunnar Hellekson, Red Hat vice president and general manager for RHEL.
AlmaLinux 8.7 Now Available
The open-source CentOS replacement AlmaLinux, released version 8.7 on Nov. 10 as a one-to-one binary compatibility with RHEL. It includes Linux kernel version 4.18.0-423.el8 and supports four architectures: x86_64, aarch64, ppc64le, and s390x.
AlmaLinux 8.7 features changes in the system configuration. Installer and image creation now support building images with custom /boot mount point partitions and sizes. It has security updates for the Network Security Services (NSS) libraries that change the minimum key size for all RSA operations from 128 to 1023 bits.
There are also updates and improvements to infrastructure services and dynamic programming languages shipped with AlmaLinux 8.7.
“We are driven by our duty to the community to continue to offer a platform that is secure, easy to use, and dependable,” said Benny Vasquez, chair of the AlmaLinux OS Foundation Board. “We aim to deliver the quality and timeliness end users require from the leading CentOS successor and to provide a free and open, community-owned and governed, enterprise-grade Linux operating system.”
New LF Branch Brings Open-Source Collaboration, Innovation
Linux Foundation Europe, which launched in collaboration with The Linux Foundation on Sept. 14, announced its first hosted project on Nov. 15.
Project Sylva, designed to create an open-source production-grade telco cloud stack, will reduce the fragmentation of the cloud infrastructure layer for telecommunication and edge services.
Supporters formed LF Europe as an independent vendor-neutral home for European open-source projects. Its goal is to reduce complexity and accelerate the cloudification of the network within the EU’s privacy, security, and energy efficiency requirements.
Project Sylva intends to have broader ambitions as a global player within the telco cloud ecosystem. It is open to collaborators outside the European Union as well.
“It directly delivers our vision to accelerate the impact that European-centric collaborations can have in the global ecosystem,” said Gabriele Columbro, general manager of Linux Foundation Europe.
Amazon Employs DentOS for Third-Party Stores
The DENT Project, an open-source ecosystem utilizing the Linux Kernel, Switchdev, and other Linux-based ventures, is now part of Amazon’s Just Walk Out technology that lets shoppers enter a retail environment, grab what they want, and leave without the need for a checkout line.
Amazon, on Nov. 15, announced the DentOS deployment in third-party customer stores worldwide to streamline the customer experience and scale in-store operations. DentOS enables the Just Walk Out technology to connect and manage thousands of devices like cameras, sensors, entry and exit gates, and access points on the network edge.
According to Amazon, DENT provides access to open source-based switches at a lower cost and more flexibility than proprietary switches with locked ecosystems. Amazon’s adoption and deployment is an example of open-source power, noted Arpit Joshipura, general manager of Networking, Edge, and IoT at The Linux Foundation.
“In just three years, the DENT community created a working platform for disaggregated networks to power multiple device locations at the edge, now used by top retail giants to streamline operations. This undertaking is only possible by the power of collaborative open-source development,” he said.
TLF GM on OS Growth
At ONE Summit, The Linux Foundation and LF Networking announced an expanding industry evolution across the entire networking stack.
The opening keynote by Arpit Joshipura focused on substantial ecosystem growth and the maturation of open source. He said that the industry has surpassed the tipping point for leveraging open source to enable digital transformation.
“Leading organizations are using our project code — which continues to evolve and mature — in real-world deployments to scale. The community’s collaborative work across the ecosystem is humbling and impressive; we can’t wait to see what’s next,” said Joshipura.