iTWire - Open Source
iTWire - Technology News and Jobs Australia
https://itwire.com/open-source.html
2024-09-12T18:08:34+10:00
Time to rethink enterprise demicrosoftification: open source expert
2024-09-01T13:12:35+10:00
https://itwire.com/open-source/microsoft-crowdstrike-event-shows-it-s-time-to-rethink-the-demicrosoftification-of-your-enterprise-says-open-source-expert.html
David M Williams
stan.beer@itwire.com
<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/0580b497781d270107a7de6ccc96ba00_S.jpg" alt="Time to rethink enterprise demicrosoftification: open source expert" /></div><div class="K2FeedIntroText"><p>With a vivid demonstration of how fragile the world's technology ecosystem is when one cybersecurity vendor makes a configuration mistake, 45Drives president Dr Doug Milburn says it's time for organisations of all sizes to take greater control of their infrastructure, in a move he dubs demicrosoftification.</p> </div><div class="K2FeedFullText"> <p>Dr Milburn heads <a href="https://www.45drives.com/" target="_blank" rel="nofollow noopener">45Drives</a>, a Sydney, Nova Scotia-based company with global reach. 45Drives specialises in big, strong, fast, high-capacity data storage solutions. It has an impressive client list that includes Apple, Google, Amazon, NASA, Intel, FedEx, the US Department of Justice, and more. They have contracts with major tier one players, as well as media and entertainment, education, University researchers, and numerous others. What binds the customers together is a need and demand for performant, robust, reliable storage on a consistent platform.
45Drives has made it its mission to be the partner who provides and supports such mission-critical storage, and what's more, on a purely open platform based on open source.</p> <p>Open source software is a wonderful thing; we've all benefited in some way from the altruistic offerings of such notable titles like Apache, MySQL, 7-Zip, VLC, WordPress, not to mention the Linux operating system itself. Yet, the question many ask is would you really trust your income-earning to open source products? When something goes wrong, and boy, can things go wrong, you need iron-clad support options - not to simply rely on nebulous online forums where your questions may attract criticism, skepticism, and mocking - if any reply at all. In fact, <em>iTWire</em> finds many a managed service provider (MSP) refuses to use open source software, with a policy any product it implements must have a paid support option.</p> <p>Well, as the world saw vividly only last July, proprietary software isn't immune from risk. The CrowdStrike outage took down airports, banks, media, and all kinds of businesses around the world. Millions of systems were disrupted and the cost is estimated at billions of dollars. The root was a confluence of misconfiguration coupled with inadequate testing, and unfettered access to Windows servers at the highest level. Maybe it's time to rethink open source. 45Drives president and co-founder Dr Doug Milburn says his business proves open source has what it takes, and what's more, it provides far greater trust and control over your environment than proprietary software can ever dream of doing.</p> <p>First things first; Milburn has plenty of healthy respect for Microsoft and a lot of what it's done. He's of an age where he grew up side-by-side with the evolution of modern computing. "As an undergrad in electronics and then a grad student, I did a lot of software development on the way," he said.
"I go back to the PDP, the VAX, and 6502 CPU, and watched the world evolve."</p> <p>In those days software developers did their own systems administration and networking out of necessity. Tech grew; operating systems grew. Milburn watched as the major personal computer contenders of the day - Apple and Microsoft - went their own ways. "Apple went with closed hardware and software, while Microsoft went with an open hardware ecosystem. They closed off the software because you've got to make a buck," he said, "and Billy has done successfully."</p> <p>"Microsoft did quite the job of taming the hardware world. They made it very open around them and reasonably open around the applications world. They pulled it off and did a great job," Milburn said. "They may be shaky tactically, but I've got no big grudge out to get those guys."</p> <p>By contrast, other companies followed the Apple route of closed systems, to today's enterprise storage and computing world with proprietary platforms that want to own both the hardware and software your data lives on, that your business depends on. There's a lot of lock-in. Though, even then, Milburn is also pragmatic and congratulatory. 
"The proprietary world has developed and done a lot of good things for people; proprietary has been the backbone of computing for a lot of years," he said.</p> <p>With these sentiments it's plain to see Milburn isn't your classic stereotypical open source advocate who blindly follows their passion as a religion; instead, he calmly reflects on what's the right tech for the right situation.</p> <p><img src="https://itwire.com/images/authors-images/davidmwilliams/DilbertOnLinux.png" alt="DilbertOnLinux" width="800" height="247" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p style="text-align: center;"><strong><span style="font-size: 8pt;">Pictured: Dilbert - <em>NOT</em> Dr Doug Milburn who embraces a different view</span></strong></p> <p>And it's here, he says, open platforms and open source are the right thing if you don't want your company to collapse in a screaming heap. "CrowdStrike became a nightmare due to a forced update."</p> <p>"CrowdStrike really enunciates that when you give over control to security software, when we as keepers of IT systems give over something like that, we become vulnerable," he said. "It's convenient, it gives one-stop shopping, and it's one call to fix things - but when things go wrong, it goes really wrong."</p> <p>45Drives is the opposite; "At 45Drives we're about open source storage and virtualised computing. 
We run <a href="https://www.45drives.com/solutions/proxmox/" target="_blank" rel="nofollow noopener">Proxmox, ZFS, Ceph</a>, and other options," he said.</p> <p><img src="https://itwire.com/images/authors-images/davidmwilliams/multi-server.png" alt="multi server" width="250" height="450" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>To be clear, Milburn says, this isn't to say an outage like the CrowdStrike one won't happen in an open source world - "if anyone said that they'd be lying" - but you gain greater options; you can mitigate risk.</p> <p>"The more you go out, the more your life is in other people's hands," he said. Yet, at the same time, "open source can be a lot of work to build. It's not in scope for the vast majority of organisations."</p> <p>With this tension - proprietary takes away control and transparency; open source requires support and integration - what, realistically, can regular organisations do here?</p> <p>According to Dr Milburn, the answer is companies like his. "We're just like your legacy options. We will provide the services to people under one purchase order, and with the full service and support organisations need," he said. "But - with the flexibility of open source. And we don't own you. It's an open model, an open hardware platform, and open source software."</p> <p>"You have a contractual risk with proprietary options," Milburn noted, with one highly visible modern example coming straight to mind - "VMware was a gigantic carpet pull under everybody. The size of Broadcom and VMware is mind-boggling, but when someone owns your future by contract it's a risk," he said, referring to Broadcom's dramatic wide-sweeping changes to VMware agreements. 
Perpetual licenses changed to subscription models; subscription plans became bundled with other products that may not be needed but at a higher price-tag; partners had their status cancelled; licensing increased in price overall.</p> <p>It's the same with the traditional enterprise storage and virtualisation world, Milburn said. "It's the old model around since the dawn of time. When it gets old - like a snowball rolling downhill - they've still got to deliver. When these companies gather too much cost structure they struggle and profitability suffers."</p> <p>"It's like Mr Burns and Smithers," he said. "It's the same guys who run enterprise computing companies. When they need profit elsewhere they'll yank the carpet under you."</p> <p>By contrast, open source isn't such a risk. It's not without rug pulls, "Red Hat and IBM cancelled CentOS," he noted as an example. "However, a whole lot of people had a stake in enterprise Linux. So they forked and founded Rocky Linux," he said. "And we're a founding member."</p> <p>If your in-house infrastructure is based on open source, "a carpet pull can still rattle your world," he said, but at the end of the day, "it's only a little indigestion when it's announced. When all is said, it ends up not being a big deal when you're running your own shop under an open source license. You can go on as long as you like."</p> <p>Sure, "there's obsolescence at some point, but you can run in-house forever."</p> <p>"Nobody owns you," he said.</p> <p>Hence, with a supplier like 45Drives you gain the benefits of both worlds; "we bring open source for enterprise and move with the zeal of the open source world - but have the support of the proprietary world. It's world class.
We answer the phone, support the products, sell you systems, service, and support under one purchase order."</p> <p>45Drives customers have tended to be those who understand the value of open source for enterprise and buy it, but, Milburn said, they're getting increasing interest from those who are sick of the rug pull, and sick of the forced update. "We're talking to MSPs all the time," Milburn said. "They're starting to be open and curious to possibilities."</p> <p>A common prevailing view of open source is it's all do-it-yourself and you must wade through a massive number of options, evaluate distro upon distro, figure out how to handle updates, how to validate your implementation. "This is the open source caveat," Milburn said. "It powers the majority of servers and applications worldwide and brings immense power. But you can create yourself some true misery if you don't know what you're doing when you set it up."</p> <p>45Drives can tame this zoo for you. "We're a mass customiser. Our approach to open source - and how you do it really well - is to match hardware and software. You need to get the architecture right, out of the gate."</p> <p>"We have a wide variety of hardware and open source solutions we utilise, and we develop," he said. "We make these modular and offer mass customisation. The modules and components we put together are finely honed and highly proceduralised. Our people, our service, and our culture is extremely structured."</p> <p>"Our models snap together like Lego. We create systems that just work, and work straight out of the gate, and our after-sales elements are the same way."</p> <p>It was a fascinating talk with Dr Milburn, and clearly, he's doing things right with a model that's proving popular and successful.
"We're successful in the enterprise world, and now blown to the MSP world," Milburn said.</p> <p>The company is seeing 30% year-on-year growth all over the world. It has a team of 400 people, and <a href="https://www.45drives.com/community/customer-spotlights/" target="_blank" rel="nofollow noopener">more than 8,000 enterprise customers</a>.</p> <p>One public example is <a href="https://www.govtech.com/em/oregon-city-using-behavioral-analysis-to-halt-cyber-attacks" target="_blank" rel="nofollow noopener">Oregon City</a>, who recognised the need for 45Drives after suffering critical data loss through ransomware encryption with their previous platform. As well as 45Drives-supplied hardware and its platform, the Oregon City solution includes Snapshield, a security system developed by 45Drives that brings firewalls and endpoint scanning and smart analytics to protect and lock down data from malware.</p> <p><img src="https://itwire.com/images/authors-images/davidmwilliams/Snapshield.png" alt="Snapshield" width="800" height="394" style="display: block; margin-left: auto; margin-right: auto;" /></p> <p>Snapshield is constantly monitored, identifying ransomware patterns within a few tens of files. "On top of that, it has a complete logging of any file that is touched in there and it's snapshotting," Milburn said, "thus you can roll any file back to any state that you want."</p> <p>Contrast this with having your systems shut down, and being helpless to do anything about it, simply because your key provider made a configuration mistake and failed to perform basic testing - and the update was forced upon you. Imagine being an IT Manager or business owner who has to face the reality they're simply an end user on their own systems. That's what the proprietary world forces upon you.</p> <p>There's a better way, Milburn wants you to know.
And you can do it yourself; open source is, after all, free for anybody to use and execute.</p> <p>Or, you can bring in an expert - such as Dr Milburn and 45Drives - to make it all run like a finely-oiled machine, providing the support guarantees and SLAs your business demands, while ensuring you still own your platform, own your data, and won't have the rug pulled out from under you.</p> <p>Perhaps it's time for you to re-evaluate the critical enterprise systems in your business and <a href="https://www.45drives.com/contact/webinar/" target="_blank" rel="nofollow noopener">give demicrosoftification a serious go</a>.</p></div>
AlmaLinux offers installation images for Raspberry Pi
2024-06-12T12:23:23+10:00
https://itwire.com/open-source/almalinux-offers-installation-images-for-raspberry-pi.html
Sam Varghese
stan.beer@itwire.com
<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/27e9742fb45de2ce3ab8509a5e055703_S.jpg" alt="AlmaLinux offers installation images for Raspberry Pi" /></div><div class="K2FeedIntroText"><p>The AlmaLinux Foundation, which produces the community-owned and governed CentOS alternative AlmaLinux, has announced support for the Raspberry Pi.</p> </div><div class="K2FeedFullText"> <p>In a statement, the Foundation said the most recent Raspberry Pi had a sizeable presence in the education sector for teaching programming and computing.</p> <p>Support for AlmaLinux Raspberry Pi 5 has been contributed by Koichiro Iwao, an engineer who works at Cybertrust Japan.</p> <p>“Here in Japan, the Raspberry Pi community is vibrant,” said Iwao aka @metalefty on GitHub.
“The incredible hardware improvements that the Raspberry Pi 5 brings over the Raspberry Pi 4, along with the increasing urgency with which the community was requesting this support, galvanised my commitment to building Raspberry Pi 5 support for AlmaLinux OS.”</p> <p>The statement said Iwao had built on existing knowledge and been supported by his employer. He had taken the initiative to gather information and suggestions from the community at large and worked with enthusiasts and experts in the field to build these images.</p> <p>Cybertrust Japan has been a platinum sponsor member of the AlmaLinux OS Foundation since 2023.</p> <p>“This kind of community-focused support from our sponsors helps us meet the needs of our community that don't also have the immediate backing of a named volunteer,” said benny Vasquez, chair of the AlmaLinux OS Foundation.</p> <p>“The coupling of AlmaLinux OS and Raspberry Pi5 is a win-win for all.”</p> <p>With this release, AlmaLinux supports the following architectures in the Raspberry Pi ecosystem:</p> <ul> <li>Raspberry Pi 5</li> <li>Raspberry Pi 4 Model B</li> <li>Raspberry Pi 400</li> <li>Raspberry Pi 3 Model B+</li> <li>Raspberry Pi 3 Model A+</li> </ul> <p>AlmaLinux Raspberry images can be downloaded from <strong><a href="https://almalinux.org/get-almalinux/" target="_blank" rel="noopener">here</a></strong>.</p></div>
CentOS replacement AlmaLinux releases version 8.10
2024-05-29T08:59:18+10:00
https://itwire.com/open-source/centos-replacement-almalinux-releases-version-8-10.html
Sam Varghese
stan.beer@itwire.com
<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/282d10bc27322e5b33679959d65e9642_S.jpg" alt="CentOS replacement AlmaLinux releases version 8.10" /></div><div
class="K2FeedIntroText"><p>The AlmaLinux OS Foundation has announced the general availability of AlmaLinux 8.10, a community-owned open-source alternative to CentOS.</p> </div><div class="K2FeedFullText"> <p>In a statement, the Foundation said the new release, including pre-built ISO images, could be downloaded from its system of <strong><a href="https://mirrors.almalinux.org/isos.html" target="_blank" rel="noopener">more than 350 mirror sites</a></strong>.</p> <p>“Our consistently speedy releases, as illustrated by today’s announcement and the recent release of 9.4, underscore the reliability and timeliness offered via AlmaLinux,” said benny Vasquez, chair of the AlmaLinux OS Foundation.</p> <p>“With AlmaLinux, users can confidently deploy robust, scalable, and secure Linux environments, ensuring seamless integration and maximum operational efficiency.”</p> <p>AlmaLinux is one of a number of Linux distributions that have risen to prominence after Red Hat, the biggest open source company, decided to make it difficult to gain access to the source of its enterprise distribution.</p> <p>Red Hat <strong><a href="https://itwire.com/the-linux-distillery/centos-project-joins-forces-with-red-hat-linux.html" target="_blank" rel="noopener">acquired</a></strong> CentOS in 2014, but then <strong><a href="https://itwire.com/business-it-news/open-source/red-hat-kills-off-centos,-users-frustrated-and-angry.html" target="_blank" rel="noopener">shut it down</a></strong> in December 2020.
CentOS is basically Red Hat's Enterprise Linux without the trademarks.</p> <p>In June 2023, Red Hat, which is owned by IBM <strong><a href="https://itwire.com/it-industry-news/deals/ibm-closes-acquisition-of-red-hat-for-us$34b.html" target="_blank" rel="noopener">which bought it in 2019</a></strong>, <strong><a href="https://itwire.com/business-it-news/open-source/ibm-owned-red-hat-cracks-down-on-access-to-rhel-source-code.html" target="_blank" rel="noopener">tightened its grip on RHEL source code</a></strong>, and said it would make it available only to its paying customers.</p> <p>After that, enterprise distributions like AlmaLinux and Rocky Linux have presented themselves as alternatives to CentOS. Plus, SUSE has <strong><a href="https://itwire.com/business-it-news/open-source/suse-says-it-will-fork-rhel-source-code-for-use-by-world-dog.html" target="_blank" rel="noopener">said</a></strong> it would invest more than US$10 million (A$15.1 million) to fork the publicly available RHEL source code and make it available to world+dog with no restrictions.</p> <p>In the wake of that decision, SUSE, the second biggest open source company, recently announced SUSE Liberty Linux, " a technology and support solution that lets you keep your current operating system while getting the support, maintenance updates, and security patches you need for your existing Linux estates without the need to migrate".</p> <p>Rocky Linux is another replacement for CentOS and the company behind it, CIQ, offers something called <strong><a href="https://itwire.com/business-it-news/open-source/rocky-linux-sponsor-offers-lifeline-for-firms-using-centos-7.html" target="_blank" rel="noopener">CIQ Bridge</a></strong> "with up to three years of additional life for CentOS 7 beyond the official EOL, covering critical security updates for CVSS scores of 7 and above".</p> <p>AlmaLinux has also <strong><a 
href="https://itwire.com/business-it-news/open-source/almalinux-engineer-opens-path-for-migration-away-from-centos-6.html" target="_blank" rel="noopener">devised a solution</a></strong> to allow people running CentOS 6 to migrate to AlmaLinux.</p> <p>The AlmaLinux statement said it would continue to offer support for older hardware such as:</p> <p>Aacraid – Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HPNetRAID-4M, IBM serveRAID & ICP SCSI</p> <p>be2iscsi – Emulex OneConnect Open-iSCSI for BladeEngine 2 and 3 adapters</p> <p>hpsa – HP Smart Array Controller</p> <p>lpfc – Emulex LightPulse Fibre Channel SCSI</p> <p>megaraid_sas – Broadcom MegaRAID SAS</p> <p>mlx4_core – Mellanox Gen2 and ConnectX-2 adapters</p> <p>mpt3sas – LSI MPT Fusion SAS 3.0</p> <p>mptsas – Fusion MPT SAS Host</p> <p>qla2xxx – QLogic Fibre Channel HBA</p> <p>qla4xxx – QLogic iSCSI HBA</p> <p>be2net – Emulex BladeEngine 2 and 3 adapters</p> <p>“Releasing AlmaLinux 8.10 less than one week after the release of RHEL 8.10 proves again the power of AlmaLinux community and its ability to deliver on speed, quality, and security,” said the distribution's lead architect, Andrew Lukoshko.</p> <p>“Powered by people and organizations that provide infrastructure and deep technical knowledge, we have proven our commitment to deliver the enterprise Linux that people need.”</p></div>
Kernels shipped by Linux vendors 'less secure than upstream stable offering'2024-05-19T18:34:41+10:002024-05-19T18:34:41+10:00https://itwire.com/open-source/kernels-shipped-by-linux-vendors-less-secure-than-upstream-stable-offering.htmlSam Varghesestan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/05fe2e02572fdcd05f01a132b5069a0d_S.jpg" alt="Kernels shipped by Linux vendors 'less secure than upstream stable offering'" /></div><div class="K2FeedIntroText"><p>Three software engineers from CIQ, a Linux company, have found that the kernels shipped by commercial firms have more unpatched flaws than the upstream stable kernel which is maintained by Linux developer Greg Kroah-Hartman.</p> </div><div class="K2FeedFullText"> <p>In <strong><a href="https://ciq.com/blog/why-a-frozen-linux-kernel-isnt-the-safest-choice-for-security/" target="_blank" rel="noopener">a statement</a></strong> issued on Wednesday, Jeremy Allison, Ronnie Sahlberg and Jonathan Maple said on the surface it would appear that "carefully curated software patches applied to a known Linux kernel, frozen at a specific release, would obviously seem to be preferable to the random walk of an upstream open source Linux project".</p> <p>However, after a great deal of data analysis, the trio came to the inescapable conclusion that kernels that came with a commercial distribution were not preferable.</p> <p>"The data
shows that 'frozen' vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream “stable” Linux kernel created by Kroah-Hartman," they said.</p> <p>Allison, Sahlberg and Maple have written <strong><a href="https://ciq.com/whitepaper/vendor-kernels-bugs-stability/" target="_blank" rel="noopener">a detailed white paper</a></strong> outlining their reasoning for this conclusion. CIQ produces an enterprise Linux distribution known as Rocky Linux, which claims to be a drop-in replacement for CentOS, an enterprise distribution that was <strong><a href="https://itwire.com/the-linux-distillery/centos-project-joins-forces-with-red-hat-linux.html" target="_blank" rel="noopener">bought</a></strong> by Red Hat in 2014 and then <strong><a href="https://itwire.com/business-it-news/open-source/red-hat-kills-off-centos,-users-frustrated-and-angry.html" target="_blank" rel="noopener">shut down</a></strong>.</p> <p>In June 2023, Red Hat, which is owned by IBM, which <strong><a href="https://itwire.com/it-industry-news/deals/ibm-closes-acquisition-of-red-hat-for-us$34b.html" target="_blank" rel="noopener">bought it</a></strong> in 2019, <strong><a href="https://itwire.com/business-it-news/open-source/ibm-owned-red-hat-cracks-down-on-access-to-rhel-source-code.html" target="_blank" rel="noopener">tightened its grip on RHEL source code</a></strong>, and said it would make source code available only to its paying customers.</p> <p>Rocky Linux has presented itself as an alternative to CentOS, something that takes on added significance given that CentOS 7, the last version that was put out before Red Hat's restrictions made it impossible to have a new version, reaches its <strong><a href="https://itwire.com/business-it-news/open-source/centos-7-users-will-need-to-look-for-alternatives-as-eol-approaches.html" target="_blank"
rel="noopener">end-of-life on 30 June</a></strong>.</p> <p>CIQ is <strong><a href="https://itwire.com/business-it-news/open-source/rocky-linux-sponsor-offers-lifeline-for-firms-using-centos-7.html" target="_blank" rel="noopener">offering something called CIQ Bridge</a></strong> "with up to three years of additional life for CentOS 7 beyond the official EOL, covering critical security updates for CVSS scores of 7 and above".</p> <p>Allison, Sahlberg and Maple said they had reached the following conclusions from their research:</p> <ul> <li>A 'frozen' vendor kernel is an insecure kernel. A vendor kernel released later in the release schedule is doubly so.</li> <li>The number of known bugs in a 'frozen' vendor kernel grows over time.</li> <li>The growth in the number of bugs even accelerates over time.</li> <li>There are too many open bugs in these kernels for it to be feasible to analyse or even classify them.</li> </ul> <p>"There are still reasons you might still select a 'frozen' vendor kernel," the trio said.
"One of them [is that] a vendor-defined internal kernel application binary interface doesn’t change over the lifetime of the release.</p> <p>"If you are using hardware where the device driver hasn’t (or won’t, due to the attitude of the manufacturer) been submitted to the upstream Linux code tree then you may have no choice, but to use a vendor kernel.</p> <p>"Having said that, the Linux kernel used by Android devices is based on the upstream kernel and also has a stable internal kernel ABI, so this isn’t an insurmountable problem.</p> <p>"But thinking that you’re making a more secure choice by using a 'frozen' vendor kernel isn’t a luxury we can still afford to believe."</p></div>
SUSE appoints seasoned tech industry hand as vice-president of AI2024-05-17T09:25:37+10:002024-05-17T09:25:37+10:00https://itwire.com/open-source/suse-appoints-seasoned-tech-industry-hand-as-vice-president-of-ai.htmlSam Varghesestan.beer@itwire.com<div class="K2FeedImage"><img
src="https://itwire.com/media/k2/items/cache/d19df8ca9c1410436a64257a3c8959cb_S.jpg" alt="Pilar Santamaria: “It's clear that open source is the future of AI."" /></div><div class="K2FeedIntroText"><p>Germany-based open source vendor SUSE has appointed technology and marketing veteran Pilar Santamaria as its new vice-president of AI.</p> </div><div class="K2FeedFullText"> <p>She will report to Frank Feldmann, the chief strategy officer, and be in charge of development and execution of the company's AI strategy.</p> <p><strong><a href="https://www.suse.com/news/SUSE-Appoints-Pilar-Santamaria/" target="_blank" rel="noopener">A statement</a></strong> from SUSE said Santamaria had more than 25 years experience in technology and go-to-market leadership, with expertise in AI, IoT, cyber security and cloud.</p> <p>Before joining SUSE, she was the head of EMEA Cloud Solutions at Google, where she introduced Vertex AI.</p> <p>Santamaria has also held senior leadership roles at Dell, Microsoft, Cisco, Nortel and Siemens, and serves as a cloud expert for the European Commission, the executive arm of the European Union.</p> <p>“Since joining the team, Pilar has evolved SUSE’s AI strategy at pace, acting as a true catalyst across the company. She and her team are going to deliver outstanding results for our customers and change how we innovate as an organisation,” said Feldmann.</p> <p>“I’m excited to see the fruits of those developments come to life on stage at SUSECON.”</p> <p>Santamaria will take the stage at SUSE’s annual developer conference, <strong><a href="https://www.suse.com/susecon/" target="_blank" rel="noopener">SUSECON</a></strong>, in June in Berlin and outline her vision for SUSE’s approach to AI and share exciting updates about the company’s developments in AI.</p> <p>“It's clear that open source is the future of AI.
Compared to the first wave of AI solutions we’ve seen emerge over the past few years, open source AI has noticeable advantages when it comes to privacy, compliance, security, flexibility and cost,” she said.</p> <p>“SUSE is ideally positioned to bring these benefits to customers, and I'm thrilled to be a part of the team that will make that happen.”</p> <p>SUSECON allows SUSE customers, partners and community members to get together and explore how the latest open source advances can meet the technical needs and business challenges of the enterprise IT customer. This year, the annual conference will take place from 17 to 19 June in Berlin.</p></div>
SUSE Liberty Linux rides to the rescue as CentOS 7 nears end of life2024-05-14T10:52:05+10:002024-05-14T10:52:05+10:00https://itwire.com/open-source/suse-liberty-linux-rides-to-the-rescue-as-centos-7-end-of-life-nears.htmlSam Varghesestan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/027e064ecc650a10e4b84e91cf1d73a8_S.jpg" alt=" Vishal Ghariwala: "You simply switch to SUSE Liberty Linux.
It's like switching from one telco to another telco where there is absolutely no impact on your mobile number."" /></div><div class="K2FeedIntroText"><p>The world's second-biggest open source company, SUSE, has a solution to offer those firms that are using CentOS 7, an enterprise Linux distribution that reaches its end of life on 30 June.</p> </div><div class="K2FeedFullText"> <p>Vishal Ghariwala, senior director and chief technology officer for SUSE in the Asia-Pacific region, told <em>iTWire</em> in response to queries that the company had an offering known as SUSE Liberty Linux to cope with the EOL of CentOS 7.</p> <p>"When we speak to CIOs and IT directors, we hear that they need an easy way to keep existing systems supported, so workloads continue to run," he said.</p> <p>"They admit that multi-Linux is a reality. They’re looking for a trusted partner that supports their choice of Linux operating system, and need solutions that simplify IT operations to focus on business needs."</p> <p>As <em>iTWire</em> has reported, the company that produces Rocky Linux, one of the replacements for CentOS, is <strong><a href="https://itwire.com/business-it-news/open-source/rocky-linux-sponsor-offers-lifeline-for-firms-using-centos-7.html" target="_blank" rel="noopener">offering something called CIQ Bridge</a></strong> "with up to three years of additional life for CentOS 7 beyond the official EOL, covering critical security updates for CVSS scores of 7 and above".</p> <p>AlmaLinux, another distribution that came to prominence in the wake of Red Hat's decision to make source code for its enterprise Linux available only to its paying customers, has <strong><a href="https://itwire.com/business-it-news/open-source/almalinux-engineer-opens-path-for-migration-away-from-centos-6.html" target="_blank" rel="noopener">devised a solution</a></strong> to allow people running CentOS 6 to migrate to AlmaLinux.</p> <p>The need to look for replacements for CentOS arose
because of Red Hat's restrictive moves. Red Hat <strong><a href="https://itwire.com/the-linux-distillery/centos-project-joins-forces-with-red-hat-linux.html" target="_blank" rel="noopener">acquired</a></strong> CentOS in 2014, but then <strong><a href="https://itwire.com/business-it-news/open-source/red-hat-kills-off-centos,-users-frustrated-and-angry.html" target="_blank" rel="noopener">shut it down</a></strong> in December 2020. CentOS is basically Red Hat's Enterprise Linux without the trademarks.</p> <p>In June 2023, Red Hat, which is owned by IBM which <strong><a href="https://itwire.com/it-industry-news/deals/ibm-closes-acquisition-of-red-hat-for-us$34b.html" target="_blank" rel="noopener">bought it in 2019</a></strong>, <strong><a href="https://itwire.com/business-it-news/open-source/ibm-owned-red-hat-cracks-down-on-access-to-rhel-source-code.html" target="_blank" rel="noopener">tightened its grip on RHEL source code</a></strong>, and said it would make source code available only to its paying customers.</p> <p>After that, enterprise distributions like AlmaLinux and Rocky Linux have presented themselves as alternatives to CentOS. Plus, SUSE has <strong><a href="https://itwire.com/business-it-news/open-source/suse-says-it-will-fork-rhel-source-code-for-use-by-world-dog.html" target="_blank" rel="noopener">said</a></strong> it would invest more than US$10 million (A$15.1 million) to fork the publicly available RHEL source code and make it available to world+dog with no restrictions.</p> <p>"SUSE Liberty Linux is a technology and support solution that lets you keep your current operating system while getting the support, maintenance updates, and security patches you need for your existing Linux estates without the need to migrate," Ghariwala pointed out.</p> <p>"And I'd like to say that again - 'you don't need to perform any migration'. You simply switch to SUSE Liberty Linux. 
It's like switching from one telco to another telco where there is absolutely no impact on your mobile number."</p> <p>Red Hat's June 2023 announcement that a new line of development, CentOS Stream, would be started, focused attention on the fact that this new line would be the only way to obtain RHEL source code. However, it would predate RHEL releases and thus forever be out of date.</p> <p>Red Hat's community distribution, Fedora, is upstream to CentOS Stream, making its source even older.</p> <p>Ghariwala said one customer in APAC who had opted for SUSE Liberty Linux, and demonstrated how it could save costs and support resiliency, was Tyro Payments in Australia.</p> <p>"As Tyro was expanding their infrastructure, it was a key requirement that they were able to incorporate a strong level of resiliency within their business and technology stack," he explained.</p> <p>"Tyro also needed to expand its infrastructure to handle a rising volume of transactions, to ensure that the integration between point-of-sale and payment transacting remained direct and seamless. SUSE Liberty Linux offered them that flexibility as well as strong support.</p> <p>"Adopting SUSE Liberty Linux further resulted in an immediate 50% saving in total subscription costs for Tyro. With SUSE Manager on top of Liberty Linux, Tyro also saves time and effort in patch management and reporting, which the team can then reinvest in adding value to their core business of payments processing.</p> <p>"Overall, as we’ve mentioned before and continue to reinforce, SUSE Liberty Linux is also SUSE’s commitment to 'open'. 
Liberty Linux, and our US$10 million (A$15.1 million) continued investment in maintaining it, is focused on upholding open choice in the market and lack of vendor lock-in."</p> <p>Asked whether SUSE had any plans to try and lure businesses running CentOS 7 to switch to SUSE, Ghariwala replied: "In my conversations with CIOs, I hear that uncertainty, keeping workloads running, and support as well as security are top-of-mind concerns.</p> <p>"For customers impacted by the end-of-life of CentOS, our top priority is to provide them with true choice. Customers are looking for a trusted partner that supports their choice of Linux operating system, and simplifies their operations.</p> <p>"Such customers are typically hoping to buy some time so they can make a well thought out decision for their business. Customers also want to simplify their operations so they can continue to support, maintain, and secure their Linux distributions. In addition, they would like to continuously patch their systems to keep them healthy and secure. After all, unpatched vulnerabilities are a common cause of security breaches.</p> <p>"With SUSE Liberty Linux, users also will receive fully application binary compatible security patches and maintenance updates for their entire Linux estate. This keeps infrastructure up-to-date and secure, ensuring high availability, resilient storage, and bulletproof load balancing.</p> <p>"SUSE Liberty Linux customers also get enterprise support and predictable releases for a multi-distro world, from a trusted partner who understands Linux and the value of open source."</p> <p>He said he could not comment on plans being created by Rocky Linux. 
"However as CIQ [the parent body of Rocky Linux] is a part of the OpenELA effort, I can talk more from that perspective," Ghariwala added.</p> <p>"The OpenELA as a whole continues to explore ways to ensure openness, transparency and flexibility, all of which remain core tenets of the enterprise open source ecosystem, so that businesses and users of that software can all benefit.</p> <p>"OpenELA is committed to always acting in the best interests of the open source community and all downstream derivatives and to create an inclusive community of organisations and individuals to ensure the longevity, stability, and management of this project."</p></div>
Rocky Linux sponsor offers lifeline for firms using CentOS 7 2024-05-13T10:22:52+10:00 2024-05-13T10:22:52+10:00 https://itwire.com/open-source/rocky-linux-sponsor-offers-lifeline-for-firms-using-centos-7.html Sam Varghese stan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/c0bf2ef28a8252dd3f6d8292db7c7325_S.jpg" alt="Rocky Linux sponsor offers lifeline for firms using CentOS 7" /></div><div class="K2FeedIntroText"><p>The organisation that builds Rocky Linux, an enterprise Linux distribution that emerged in the wake of Red Hat's decision to block availability of its source code to the public, has announced an initiative called CIQ Bridge which it describes as "a lifeline for enterprises still using CentOS Linux 7".</p> </div><div class="K2FeedFullText"> <p>CentOS 7 reaches <strong><a href="https://itwire.com/business-it-news/open-source/centos-7-users-will-need-to-look-for-alternatives-as-eol-approaches.html" target="_blank" rel="noopener">its end-of-life</a></strong> on 30 June.
This project, which produced an enterprise Linux distribution, was <strong><a href="https://itwire.com/the-linux-distillery/centos-project-joins-forces-with-red-hat-linux.html" target="_blank" rel="noopener">bought</a></strong> by Red Hat in 2014, but then <strong><a href="https://itwire.com/business-it-news/open-source/red-hat-kills-off-centos,-users-frustrated-and-angry.html" target="_blank" rel="noopener">shut down</a></strong> in December 2020, leaving many users angry. The distribution was basically Red Hat's Enterprise Linux without the trademarks, the only copyrighted portion.</p> <p>In June 2023, Red Hat, which was bought by IBM <strong><a href="https://itwire.com/it-industry-news/deals/ibm-closes-acquisition-of-red-hat-for-us$34b.html" target="_blank" rel="noopener">in 2019</a></strong>, tightened its grip on RHEL source code, and said it would make source code available only to its customers.</p> <p>CIQ said in <strong><a href="https://ciq.com/products/ciq-bridge/" target="_blank" rel="noopener">its pitch</a></strong> that businesses could "gain peace of mind with up to three years of additional life for CentOS 7 beyond the official EOL, covering critical security updates for CVSS scores of 7 and above".</p> <p>And it added, "When you're ready, CIQ offers expert guidance to smoothly transition your infrastructure to CIQ-supported Rocky Linux, ensuring minimal disruption to your operations."</p> <p>As <em>iTWire</em> <strong><a href="https://itwire.com/business-it-news/open-source/almalinux-engineer-opens-path-for-migration-away-from-centos-6.html" target="_blank" rel="noopener">reported</a></strong> last month, Yuriy Kohut, an engineer with the ELevate project at AlmaLinux, has already devised a plan for migration away from CentOS, beginning with version 6 itself.</p> <p>The CentOS Stream, set up in December 2020 by Red Hat and which is upstream to RHEL, is now the only way to obtain source code.
This source would, however, always predate the RHEL source and thus be out of date.</p> <p>Red Hat's community distribution, Fedora, would be upstream to CentOS Stream which would mean it is even more outdated.</p> <p>Given these restrictive actions by Red Hat, the biggest open source company, it is but natural that users of CentOS would be a little edgy as the EOL date approaches.</p> <p>The CIQ statement said: "Rocky Linux emerged in 2021 as a formidable alternative to CentOS, built with enterprise-grade performance in mind. As the founding support and services partner of Rocky Linux, CIQ is uniquely positioned to provide enterprise-level support, making your migration as seamless as possible."</p> <p>Apart from AlmaLinux and Rocky Linux, SUSE, the second biggest open source company, <strong><a href="https://itwire.com/business-it-news/open-source/suse-says-it-will-fork-rhel-source-code-for-use-by-world-dog.html" target="_blank" rel="noopener">has said</a></strong> it would invest more than US$10 million (A$14.97 million) to fork the publicly available RHEL source code and make it available to world+dog with no restrictions.</p></div>
Debian project not keen on drafting policy to cover AI contributions 2024-05-13T09:45:59+10:00 2024-05-13T09:45:59+10:00 https://itwire.com/open-source/debian-project-not-keen-on-drafting-policy-to-cover-ai-contributions.html Sam Varghese stan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/3f04884ac6e43a3f754919f65827b1e6_S.jpg" alt="Debian project not keen on drafting policy to cover AI contributions" /></div><div class="K2FeedIntroText"><p>The Debian GNU/Linux project, which produces a free Linux distribution, does not appear to be interested in taking a position on allowing contributions generated through AI.</p> </div><div class="K2FeedFullText"> <p>A discussion about AI contributions to the Debian project started after the Gentoo Linux project said in April it was <strong><a
href="https://lwn.net/Articles/970072/" target="_blank" rel="noopener">banning</a></strong> the use of generative AI tools like AI and ML, due to copyright, ethical and quality concerns.</p> <p>Gentoo is a project which created packages from source through user compilation; installing Gentoo is thus quite a laborious process.</p> <p>The <em>Linux Weekly News</em> site <strong><a href="https://lwn.net/SubscriberLink/972331/28b5a8d8ed731316/" target="_blank" rel="noopener">said</a></strong> the Debian discussion about the issue had been begun on 2 May by Tiago Bortoletto Vaz who <strong><a href="https://lwn.net/ml/debian-project/3qxsesyoouxh2h6fodosnln4wsyl3tpmnbcu6pqzekqkz6k577@a2gos5jbaowf/" target="_blank" rel="noopener">suggested</a></strong> that the project should have a policy on using AI and ML tools to generate content.</p> <p>Saying he agreed with the Gentoo rationale, Vaz added: "But at this point I guess we might have more questions than answers, that's why I think it'd be helpful to have some input before suggesting any concrete proposals.</p> <p>"Perhaps the most important step now is to get an idea of how Debian folks actually feel about this matter.
And how we feel about moving in a similar direction to what the Gentoo project did."</p> <p>Former Debian leader Sam Hartman <strong><a href="https://lwn.net/ml/debian-project/tsledak2dcb.fsf@suchdamage.org/#t" target="_blank" rel="noopener">said</a></strong>: "AI is just another tool, and I trust DDs [Debian developers] to use it appropriately.</p> <p>"I probably would not use AI to write large blocks of code, because I find that auditing the quality of AI generated code is harder than just writing the code in most cases.</p> <p>"I might:</p> <ul> <li>"use debgpt to guess answers to questions about packaging that I could verify in some manner.</li> <li>"Use generative AI to suggest names of projects, help improve descriptions, summarise content, etc.</li> <li>"See if generative AI could help producing a message with a desired tone."</li> </ul> <p>Another developer, Russ Allbery, <strong><a href="https://lwn.net/ml/debian-project/874jbgghvl.fsf@hope.eyrie.org/" target="_blank" rel="noopener">said</a></strong> he was dubious of the approach taken by Gentoo because it was - as they admitted - unenforceable, "which to me means that it's not a great policy. A position statement, maybe, but that's a different sort of thing".</p> <p>He added: "I think the piece that has the most direct impact on Debian is if the output from the AI software is found to be a copyright infringement and therefore something that Debian does not have permission to redistribute or that violates the DFSG (Debian free software guidelines).</p> <p>"But we're going to be facing that problem with upstreams as well, so the scope of that problem goes far beyond the question of direct contributions to Debian, and I don't think direct contributions to Debian will be the most significant part of that problem."</p> <p>A fourth developer, Charles Plessy, <strong><a href="https://lwn.net/ml/debian-project/ZjRiTUin6u9kb4Ct@bubu.igloo/" target="_blank" rel="noopener">raised another point</a></strong>. 
"As a Debian developer I refrain from using commercial AI to generate code used in my packaging work or native packages, because I think that these systems are copyright laundering machines that allow to suck the energy invested in Free Software and transfer it in proprietary works (and to a lower extent to un-GPL works)," he said.</p> <p>"If I would hear that other Debian developers use them in that context, I would seriously question whether there is any value to spend my volunteer time in keeping Debian/copyright files accurate to the level of details our policy asks for.</p> <p>"When the world and ourselves will have given up on respecting free software copyrights and passing attribution, I will not see the point spending time doing more than the bare minimum, for instance like in Anaconda, where you just get Licence: MIT and the right to download the sources and check yourself the year of attribution and names of contributors."</p></div>
AlmaLinux 9.4 release comes close on the heels of RHEL 9.4 2024-05-07T07:00:41+10:00 2024-05-07T07:00:41+10:00 https://itwire.com/open-source/almalinux-9-4-release-comes-close-on-the-heels-of-rhel-9-4.html Sam
Varghese stan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/89e64c6b3234488ef915908cf828e9e7_S.jpg" alt="benny Vasquez, chair of the AlmaLinux OS Foundation." /></div><div class="K2FeedIntroText"><p>The AlmaLinux OS Foundation has announced the release of AlmaLinux 9.4 just a week after the release of Red Hat Enterprise Linux 9.4, with hardware support for those devices deprecated in RHEL.</p> </div><div class="K2FeedFullText"> <p>AlmaLinux is an alternative to CentOS, the distribution that has been discontinued by Red Hat after acquiring it.</p> <p>The CentOS project, which produced an enterprise Linux distribution, was bought by Red Hat in 2014, but then shut down in December 2020, leaving many users angry. The distribution was basically Red Hat's Enterprise Linux without the trademarks, the only copyrighted elements.</p> <p>Six months later, Red Hat, which was bought by IBM in 2019, tightened its grip on RHEL source code, and said it would make source code available only to its customers.</p> <p>At that point, AlmaLinux, and distributions like Rocky Linux and SUSE also pledged to provide alternatives to both CentOS and RHEL.</p> <p>A statement from the AlmaLinux OS Foundation said version 9.4 was built from the same source as RHEL, promised complete compatibility with RHEL, and did so from freely available open source code.</p> <p>"This makes it the only choice for anyone looking for a truly open source Enterprise Linux," the statement claimed. "AlmaLinux 9.4 is available to download via the over-350-device AlmaLinux mirror system, including <strong><a href="https://mirrors.almalinux.org/isos.html"
target="_blank" rel="noopener">pre-built ISOs</a></strong>."</p> <p>“Releasing AlmaLinux 9.4 less than one week after the release of Red Hat 9.4 is a testament to the strength and depth of knowledge of the AlmaLinux community and its commitment to speed as well as stability,” said Andrew Lukushko, lead architect at AlmaLinux.</p> <p>“We have the backing of companies and organisations that provide the infrastructure and fundamental understanding needed to deliver the enterprise Linux that our community needs.”</p> <p>The Foundation statement said that, besides introducing updates to enhance machine security and data protection, AlmaLinux 9.4 also provided improvements in web-console and system roles that automated additional operations and promoted consistency in complex environments.</p> <p>Its new system roles are claimed to enable the creation and management of logical volume manager (LVM) snapshots for improved data back-up and recovery processes while its new features also aim to improve system availability and reliability, facilitate easier recovery operations, and enhance virtual machine snapshot capabilities in hybrid cloud environments.</p> <p>“The release of 9.4 stands as the latest testament to AlmaLinux’s steadfast commitment to our community while maintaining the ever-improved performance, scalability and reliability,” said benny Vasquez, chair of the AlmaLinux OS Foundation.</p> <p>“This is our second point release for AlmaLinux 9 since last year’s shift from copying Red Hat bit-for-bit, and we are starting to take advantage of our freedom.”</p> <p>The statement said with RHEL 9.4, Red Hat had changed how it managed device drivers that are deprecated, disabled, or unmaintained, and it also removed support for several older hardware devices.</p> <p>It said the way those devices were managed made it easy for AlmaLinux to restore support for those devices that the AlmaLinux community still needed.</p> <p>The statement claimed the release of AlmaLinux 9.4 marked a pivotal
moment for any industry looking to keep hardware and human costs low by extending the life of still-good, but aging servers.</p> <p>“This significant enhancement not only streamlines installation and updates for our clusters but also revitalises older systems, particularly in VFX studios where legacy CPU rendering blades still play a vital role,” said Tristan Theroux, IT infrastructure & security director for SHED, an animation studio and post-production house in Montreal.</p> <p>“In the realm of VFX, where every resource counts, these trusted, resilient servers tackle less intensive tasks, allowing more powerful rendering servers to be reserved for more intensive projects. AlmaLinux 9.4 doesn't just bridge the gap between the past and present; it propels us toward a future where innovation knows no bounds.”</p> <p>AlmaLinux 9.4 includes support for the following devices that were disabled upstream:</p> <ul> <li>aacraid - Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID & ICP SCSI</li> <li>be2iscsi - Emulex OneConnectOpen-iSCSI for BladeEngine 2 and 3 adapters</li> <li>hpsa - HP Smart Array Controller</li> <li>lpfc - Emulex LightPulse Fibre Channel SCSI</li> <li>megaraid_sas - Broadcom MegaRAID SAS</li> <li>mlx4_core - Mellanox Gen2 and ConnectX-2 adapters</li> <li>mpt3sas - LSI MPT Fusion SAS 3.0</li> <li>mptsas - Fusion MPT SAS Host</li> <li>qla2xxx - QLogic Fibre Channel HBA</li> <li>qla4xxx - QLogic iSCSI HBA</li> </ul></div><div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/89e64c6b3234488ef915908cf828e9e7_S.jpg" alt="benny Vasquez, chair of the AlmaLinux OS Foundation."
/></div><div class="K2FeedIntroText"><p>The AlmaLinux OS Foundation has announced the release of AlmaLinux 9.4 just a week after the release of Red Hat Enterprise Linux 9.4, with hardware support for those devices deprecated in RHEL.</p> </div><div class="K2FeedFullText"> <p>AlmaLinux is an alternative to CentOS, the distribution that has been discontinued by Red Hat after acquiring it.</p> <p>The CentOS project, which produced an enterprise Linux distribution, was bought by Red Hat in 2014, but then shut down in December 2020, leaving many users angry. The distribution was basically Red Hat's Enterprise Linux without the trademarks, the only copyrighted elements.</p> <p>Six months later, Red Hat, which was bought by IBM in 2019, tightened its grip on RHEL source code, said it would make source code available only to its customers.</p> <p>At that point, AlmaLinux, and distributions like Rocky Linux and SUSE also pledged to provide alternatives to both CentOS and RHEL.</p> <p>A statement from the AlmaLinux OS Foundation said version 9.4 was built from the same source as RHEL, promised complete compatibility with RHEL, and did so from freely available open source code.</p> <p>"This makes it the only choice for anyone looking for a truly open source Enterprise Linux," the statement claimed. "AlmaLinux 9.4 is available to download via the over-350-device AlmaLinux mirror system, including <strong><a href="https://mirrors.almalinux.org/isos.html." 
target="_blank" rel="noopener">pre-built ISOs</a></strong>.</p> <p>“Releasing AlmaLinux 9.4 less than one week after the release of Red Hat 9.4 is a testament to the strength and depth of knowledge of the AlmaLinux community and its commitment to speed as well as stability,” said Andrew Lukushko, lead architect at AlmaLinux.</p> <p>“We have the backing of companies and organisations that provide the infrastructure and fundamental understanding needed to deliver the enterprise Linux that our community needs.”</p> <p>The Foundation statement said introducing updates to enhance machine security and data protection, AlmaLinux 9.4 also provided improvements in web-console and system roles that automated additional operations and promoted consistency in complex environments.</p> <p>Its new system roles are claimed to enable the creation and management of logical volume manager (LVM) snapshots for improved data back-up and recovery processes while its new features also aim to improve system availability and reliability, facilitate easier recovery operations, and enhance virtual machine snapshot capabilities in hybrid cloud environments.</p> <p>“The release of 9.4 stands as the latest testament to AlmaLinux’s steadfast commitment to our community while maintaining the ever-improved performance, scalability and reliability,” said benny Vasquez, chair of the AlmaLinux OS Foundation.</p> <p>“This is our second point release for AlmaLinux 9 since last year’s shift from copying Red Hat bit-for-bit, and we are starting to take advantage of our freedom.”</p> <p>The statement said with RHEL 9.4, Red Hat had changed how it managed device drivers that are deprecated, disabled, or unmaintained, and it also removed support for several older hardware devices.</p> <p>It said the way those device were managed made it easy for AlmaLinux to restore support for those devices that the AlmaLinux community still needed.</p> <p>The statement claimed the release of AlmaLinux 9.4 marked a pivotal 
moment for any industry looking to keep hardware and human costs low by extending the life of still-good, but aging servers.</p> <p>“This significant enhancement not only streamlines installation and updates for our clusters but also revitalises older systems, particularly in VFX studios where legacy CPU rendering blades still play a vital role,” said Tristan Theroux, IT infrastructure & security director for SHED, an animation studio and post-production house in Montreal.</p> <p>“In the realm of VFX, where every resource counts, these trusted, resilient servers tackle less intensive tasks, allowing more powerful rendering servers to be reserved for more intensive projects. AlmaLinux 9.4 doesn't just bridge the gap between the past and present; it propels us toward a future where innovation knows no bounds.”</p> <p>AlmaLinux 9.4 includes support for the following devices that were disabled upstream:</p> <ul> <li>aacraid - Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HP</li> <li>NetRAID-4M, IBM ServeRAID & ICP SCSI</li> <li>be2iscsi - Emulex OneConnectOpen-iSCSI for BladeEngine 2 and 3 adapters</li> <li>hpsa - HP Smart Array Controller</li> <li>lpfc - Emulex LightPulse Fibre Channel SCSI</li> <li>megaraid_sas - Broadcom MegaRAID SAS</li> <li>mlx4_core - Mellanox Gen2 and ConnectX-2 adapters</li> <li>mpt3sas - LSI MPT Fusion SAS 3.0</li> <li>mptsas - Fusion MPT SAS Host</li> <li>qla2xxx - QLogic Fibre Channel HBA</li> <li>qla4xxx - QLogic iSCSI HBA</li> </ul></div>Perens proposes new licence for today's open source world2024-05-03T09:59:57+10:002024-05-03T09:59:57+10:00https://itwire.com/open-source/perens-proposes-new-licence-for-today-s-open-source-world.htmlSam Varghesestan.beer@itwire.com<div class="K2FeedImage"><img src="https://itwire.com/media/k2/items/cache/7490e2fc9954143691943595217dc36c_S.jpg" alt="Open source advocate Bruce Perens." 
/></div><div class="K2FeedIntroText"><p>Veteran open source advocate Bruce Perens, creator of the open source definition that has provided the rules for open source software for the last 26 years, has proposed a new licence known as the Post-Open Zero-Cost Licence which, he says, will address existing problems faced by this genre of software.</p> </div><div class="K2FeedFullText"> <p>He has <strong><a href="https://postopen.org/" target="_blank" rel="noopener">outlined</a></strong> the goals for the post-open licence, saying open source could continue as it is today, with the addition that it could be dual-licensed and the creator could start getting paid.</p> <p>Perens said users who joined the paid licence - to get the rights to exclusively Post-Open licensed software - would also pay for dual-licensed open source.</p> <p>This would preserve software freedom for individuals and small businesses, "the folks we really should be helping, rather than the richest corporations in the world".</p> <p>{loadposition sam08}It would also provide individuals and small businesses the right to use, redistribute, and modify, and to get paid for their modifications [if they] published all source code.</p> <p>The Post-Open licence would require payment from entities with deep pockets — over US$5 million (A$7.6 million) end-user revenue in a year — or companies that included the software in a paid-for product, and companies that wished to keep modifications private.</p> <p>Perens noted that compliance would be simple: "once a year, paid users account for their software use and end-user revenue, and pay a small portion (we’re considering 1%) of it for all Post-Open software, not just one program. 
Then compliance is over until next year."</p> <p>He proposed one zero-cost licence, one paid licence which included the zero-cost one by reference and one operating agreement between all of the developers.</p> <p>On privacy, Perens suggested all compliance information and the amount of the cheques that companies wrote be under a non-disclosure agreement, with data and payment sequestered to a CPA firm rather than being provided to the overall organisation.</p> <p>"The public organisation sees totals (use of a program, end-user revenue, etc.) rather than your private data," he added.</p> <p>"Pay developers fairly for their work," Perens wrote. "Make it possible for an individual developer to stay at home and code all day, and make their living that way. Apportion payment to developers based on software use and the size of their contribution.</p> <p>"Improve security and quality by reliably identifying developers, providing proper funding for developers to maintain their software, provide cryptographic-hardware-backed authentication and software chain-of-custody.</p> <p>"Service all Post-Open software through one entity and share profit with developers. Developers maintain their own software rather than operating the front-line service organisation.</p> <p>"Fulfil the software needs of non-technical people, a job that open source mostly fails at today.</p> <p>"Collect fair payment from providers and users of software-as-a-service and manufacturers of embedded systems.</p> <p>"Reverse the power differential of open source, where user corporations with deep pockets exercise control and the actual creators of the software are often unfunded.</p> <p>"Governance is exclusively by individual software creators, the way it always should have been. Users have a voice, corporations cannot dominate governance and exploit the developers.</p> <p>"One entity is empowered to enforce on behalf of all developers, and is funded to do so. No more rampant licence violation. 
Infringement or breach of contract results in loss of rights regarding the entire Post-Open software collection, not just one program."</p> <p>He visualised there being strong anti-software-patent terms. "Bring a suit and you lose privileges regarding all software in the Post-Open software collection, not just one program."</p> <p>Perens also outlined the challenges that lay ahead in trying to get this licence up and running.</p> <p>"This is all a lot more complicated than open source, and requires funding for legal and process work that we don’t yet have," he admitted. "To work, this needs lots of developers. Fortunately, it’s easy for existing open source developers to dual-licence Post-Open, and getting paid is a strong incentive to do so.</p> <p>"It will be slow to accumulate paid users. Long-term, their expenses will probably be lower than today. Open source compliance departments at large companies can cost US$7 million per year, and security of unmaintained open source is becoming a serious threat.</p> <p>"Post-Open requires a central entity that receives and apportions payment, does enforcement, and operates the service entity (or three central entities, one for each purpose). Open source developers are very independent, and have not had to deal with a central entity until now, even one that they own.</p> <p>"The apportionment process is complicated and not completely developed. It measures deltas to git repositories, and may require time accounting from people whose work cannot be measured by lines of code. There may be issues with it being gamed, etc.</p> <p>"There’s an operating agreement to make this all work, and it requires some responsibility of the developer. Open source developers don’t even like contributor licence agreements, this will be an additional challenge."</p> <p>Perens said developer identification would be necessary for the security mechanism. "Sorry, no anonymity," he added.
"Governance that all developers can trust will be a severe issue."</p> <p>He said processes and legal documents for the new licence were still under development.</p> <p>Asked if he had presented the idea to others, Perens responded: "OpenUK kindly featured me as a keynote in their "State of Open Source 2024" conference, and I presented the idea there. They had a wide attendance of people from other organisations and the video is here.</p> <p>"The job of the existing Free Software and Open Source organizations is to promote the definition of Open Source that I created 27 years ago, or the Four Freedoms from Richard Stallman, which actually started as Three Freedoms a whole 38 years ago.</p> <p>"Most of these groups have that definition written into their constitution in some way, so they are not capable of driving radical change, much as they might want to. It's not fair to ask them for much more than allowing me to speak at their conferences, and to ask their members to participate individually. There are public discussion lists for the project and my personal email is easy to find. I'm available to speak at more conferences. Google will tell you my email."</p> <p>Asked what was the biggest challenge to be overcome, he said: "I wish there was just one! The most difficult one will be developing governance that developers can trust. Only individual developers should vote. Right now, although a lot of people don't realize, the strongest force governing Open Source is the corporate users rather than the software creators. They own organisations like Linux Foundation, and provide most of the funds for all of the other organisations. That's upside down. The individual developers have to control this, and not development corporations because concentration of power will bias the system toward their needs. 
And we need to make money independently of those corporations, so that we can be true to our own priorities.</p> <p>"I have written one document, the zero-cost licence, and an 'elevator talk' which is the front page of PostOpen.org. I have to write the paid licence which I think will be simpler because it includes zero-cost one by reference. I have to write the operating agreement - which will be somewhat big. And then I need legal review for all of those, which either will cost real money or I need sponsorship of a lawyer or a volunteer lawyer. I also have legal questions about anti-trust, and about forming the organisation to support this, and I probably even need to talk with a tax attorney. I currently have a little non-profit that can accept donations and grants to carry out the research and development of Post-Open, we will need a different organisation to actually run Post-Open.</p> <p>"And I need to develop the system of apportionment of funds to developers. The paid licensees account for their software use and their end-user revenue, and write a cheque, and that all goes to a CPA that keeps it confidential and just gives us the totals. So, companies have privacy. With those totals, we instrument git repositories and get a reading of who the contributors are and how funds should be allocated between them. But there are some people who can't be accounted for by lines of code or text. Code, documentation and translation are easy to price but not illustrations, and not the work of people who have architect or janitor roles for the project. Some folks might have something like a time-card. There would also be vulnerability to cheats like writing something very long without much real thought in it, and both the algorithm and the operating agreement would have to combat that.</p> <p>"There is also the big PR problem. I think I can get current Open Source developers to dual-license because money is a good motivator. 
I think I can get businesses, especially the ones that start on the free tier and grow. I am not thinking really hard about the world's largest companies, they will jump on when there is sufficient value, a long time from now, or not. But all of these things are difficult.</p> <p>"Much as this is a big and maybe impossible job. I know that I will regret it for the rest of my life if I don't try."</p></div>