Android

Murena, the Privacy-First Android Smartphone, Arrives (zdnet.com) 62

The /e/OS-powered Murena One is the first smartphone from Murena that does its best to free you from Google without sacrificing too many core features. There are no Google apps, Google Play Services, or even the Google Assistant. It's all been replaced by open-source software alternatives with privacy-respecting features. ZDNet's Steven Vaughan-Nichols reports: Murena and Mandrake Linux founder Gael Duval was sick of it by 2017. He wanted his data to be his data, and he wanted open-source software. Almost five years later, Duval and his co-developers launched the Murena One X2. It's the first high-end Android phone using the open-source /e/OS Android fork to arrive on the market. The privacy heart of the Murena One is /e/OS V1. There have been many attempts to create an alternative to Google-based Android and Apple's iOS -- Ubuntu One, FirefoxOS, and Windows Mobile -- but all failed. Duval's approach isn't to reinvent the mobile operating system wheel, but to clean up Android of its squeaky Google privacy-invading features and replace them with privacy-respecting ones. To make this happen, Duval started with LineageOS -- an Android-based operating system, which is descended from the failed CyanogenMod Android fork. It also blends in features from the Android Open Source Project (AOSP) source-code trees.

In the /e/OS, most (but not all) Google services have been removed and replaced with MicroG services. MicroG replaces Google's libraries with purely open-source implementations without hooks to Google's services. This includes libraries and apps which provide Google Play, Maps, Geolocation, and Messaging services for Android applications. In addition, /e/OS does its best to free you from higher-level Google services. For instance, Google's default search engine has been replaced with Murena's own meta-search engine. Other internet-based services, such as Domain Name Server (DNS) and Network Time Protocol (NTP), use non-Google servers. Above the operating system, you'll find Google-free applications. This includes a web browser; an e-mail client; a messaging app; a calendar; a contact manager; and a maps app that relies on Mozilla Location Service and OpenStreetMap. While it's not here yet, Murena is also working on its own take on Google Assistant, Elivia-AI. You can also run many, but not all Android apps. You'll find these apps on the operating system's App Lounge. [...]

There's still one big problem: the App Lounge still relies on you logging in with your Google account. In short, the App Lounge is mainly a gateway to Google Store apps. Murena assures me that the Lounge anonymizes your data -- except if you use apps that require payment. Still, this is annoying for people who want to cut all their ties with Google. The fundamental problem is this: Murena does all it can to separate its operating system and applications from Google, but it can't -- yet -- replace Google's e-commerce and software store system.
As for hardware specs, the $379 Murena One features a 6.5-inch IPS LCD display, eight-core MediaTek Helio P60 processor, side-mounted fingerprint scanner, three rear cameras (48MP + 8MP + 5MP) and 25MP front camera, and 4,500mAh battery. It also features a microSD card slot for expandable storage and a headphone port.
United States

Farmer Says Dealer Wouldn't Repair His Tractor Until He Filed FTC Complaint (vice.com) 106

A farmer in Missouri said he had to complain to the Federal Trade Commission in order to get his tractor repaired by the only John Deere dealership in his area, showing how, without the right to repair, farmers are bound by the whims of the corporations who have a monopoly on repair. From a report: Jared Wilson had a problem with the AC in his John Deere tractor. It wasn't running and he needed to finish planting his corn and soybeans. The tractor would run, but finishing the planting would be a miserable experience in the heat of the Missouri spring. According to an affidavit Wilson filed to the FTC, he called the local John Deere dealership and asked for an appointment. The manager told him he didn't want his business. In the FTC complaint, Wilson is asking the commission to open a consumer protection investigation. Wilson and the manager talked on April 14, according to an affidavit about the incident filed with the FTC on April 16. Wilson told Motherboard he didn't know the AC had gone out until temperatures started creeping up in April. "When it hits 70 degrees it's almost unbearable inside the cab because it's all just glass and you've got a super hot motor sitting in front of you," he said.
AI

Minor League Baseball is Now Using AI Umpires to Call Strikes (abqjournal.com) 37

"There's no guarantee that robot umpires will make their way to the majors," writes the San Francisco Chronicle. "But the system is as close as it has been now, one level below."

Here's how it looks for a minor league/Triple-A team, the Albuquerque Isotopes: Using the same computerized optical tracking technology known as Hawk-Eye that has been used for several years now in pro tennis and some other sports, MLB's new Automated ball-strike system is a rather in-depth setup. In early April, MLB set up eight high-speed cameras and hundreds of receivers around Isotopes Park that, along with the video from the cameras, add to a triangulation process that can help determine exactly where the ball crosses the strike zone — despite there being no camera directly over or behind the plate.

The MLB says it is confident a foul ball hitting one camera or a light drizzle of rain during a game won't affect the data accuracy.

"It's here," said Albuquerque Isotopes manager Warren Schaeffer. "We'll all get used to it. As long as we don't see it really messing things up, we'll adjust."

The manager also added, "I don't know what human umpires miss in a game — maybe three or four calls a game? And this system seems like it's missing three or four a game, I guess. I'm sure that they can improve it and it's always going to keep improving I guess." "The technology is there," said an MLB official who spoke to the Journal about the implementation of the automated ball-strike system... At this point, MLB is trying to get enough of a sample size to see how the game is affected and troubleshoot any unforeseen issues.
There's still an umpire behind the plate making the punching gesture for a strike — but he's just repeating whatever call the system has beamed into his ear.

The paper shares this story from a relief pitcher watching another pitcher disagree with a "called ball" early in the game, and asking the umpire whether it was in the strike zone and why it wasn't called a strike.

"And the umpire just shrugged and said, 'I don't know.'"
Transportation

Ukrainian Fighters Take to Electric Bikes in War Against Russia (msn.com) 89

"Ukrainian fighters are using electric bikes in the battle against Russia," reports the Washington Post, "mostly in support of reconnaissance missions, demining operations and medical deliveries, according to one of the Ukrainian e-bike makers involved."

"They've reportedly also been used for carrying out sniper attacks." The bikes have a top speed of 55 miles per hour and are relatively silent — helping their riders evade Russian fire.

Ukrainian e-bike firm Eleek initially gave a few bikes to the military when the war began, according to manager Roman Kulchytskyi. Soon after, they began to mass-produce bikes — kitted out in military green, with a small Ukrainian flag on the rear wheel — for Ukraine's fighters.... Working from a bomb shelter, Eleek began making a power bank based on lithium-ion battery cells it had left in stock. After struggling for parts, it turned to electronic cigarettes — launching a social media campaign to get people to send in their devices....

The company added footrests for passengers, improved the charging time, installed a battery control system and included a 220V output that allows soldiers to charge gadgets and can help power Starlink satellite Internet terminals, Kulchytskyi said.... Another advantage of the bikes is that they may not be visible on thermal imaging systems, which are used to detect differences in temperature and help militaries pinpoint potential targets. That's because the electric motor doesn't heat up like an internal combustion engine, Kulchytskyi said.

Daniel Tonkopi, founder of e-bike company Delfast, wrote on Facebook this month that his California-based firm has been donating electric bikes to the Ukrainian army since the war broke out. He included pictures of the bikes carrying antitank weapons and said he had received feedback from the military that they planned to use the bikes to target Russian armored vehicles. During one recent mission, they recounted to him that several vehicles came back with holes but that the riders were intact.... The company is donating 5 percent of all sales to fund humanitarian efforts in Ukraine.

The article notes electric bikes are also being tested by Australia's military and New Zealand's Air Force.
The Internet

25 Gigabit Per Second Fiber Retail Broadband Service Demoed in New Zealand (www.crn.nz) 69

25 gigabits per second — both downloading and uploading. CRN reports broadband infrastructure wholesaler Chorus demonstrated those speeds over their existing passive optical fiber network [PON]. The demonstration in Auckland achieved 21.4 Gbps throughput, tested simultaneously on the same strand of fibre that ran an 8 Gbps symmetric HyperFibre connection, and a 900/550 Mbps UFB link.... Chorus uses Nokia's Lightspan FX and MX access nodes for multiple types of fibre service, including standard GPON, the XGS-PON behind HyperFibre, point-to-point Ethernet, and envisages the 25 GPON service to run on it as well. It is based on the Quillion chip set line cards, which Nokia says are 50 per cent more energy efficient than earlier models.

Currently, Chorus has no wholesale 25 GPON product, with its fastest offering topping out at 8/8 Gbps HyperFibre. The wholesaler expects to develop 25 GPON-based services within the next two to three years, with a Nokia optical network termination unit that supports either 25/25 Gbps or 25/10 Gbps options. Kurt Rodgers, network strategy manager at Chorus, said the faster broadband service would come into its own for industrial metaverse applications, the Internet of Things, and low-latency cloud connectivity....

Chorus chief technology officer Ewen Powell said the 25 GPON service demonstrated "a future-proofed technology." Although two-wavelength 50 Gbps service is appearing as a choice for providers, with 100 GPON on the horizon, Chorus is betting that the 25 Gbps variant will offer the best cost benefit overall for providers, as it can use existing optics equipment.

Thanks to long-time Slashdot reader Bismillah for submitting the article.
Linux

How CentOS Stream and RHEL 9 Led to AlmaLinux 9 (zdnet.com) 33

ZDNet writes that in late 2020 Red Hat decided "they'd no longer release CentOS Linux as a standalone distribution. Instead, CentOS Stream would work as a beta for RHEL."

So where are we now? The competition immediately sprang up to replace CentOS. The two most important of these are the AlmaLinux OS Foundation's AlmaLinux and Rocky Enterprise Software Foundation's Rocky Linux. [May 16th saw the release of Rocky Linux 8.6.] Now, mere weeks after the release of RHEL 9, AlmaLinux 9 has arrived.

Like RHEL itself, AlmaLinux 9 starts from CentOS Stream via RHEL. Indeed, AlmaLinux developers are CentOS Stream contributors. The bottom line is that CentOS 9 is an identical twin to RHEL 9 — except for the names and trademarks. It has all the same features, all the same advances, and, for better or worse, all the same bugs.

Besides the big server architectures, AlmaLinux is also ready to run on everything from cloud and Docker images to Microsoft's Windows Subsystem for Linux and Raspberry Pi, the article points out.

And Jack Aboutboul, AlmaLinux's Community Manager, tells ZDNet "We are building AlmaLinux with the specific goal of creating an independent CentOS successor that is truly community-centric and designed for everyone... We offer everyone a uniform platform that is safe, secure, easy to use, and dependable to build your tomorrow on."
Linux

Newest Version of Systemd Includes Experimental Feature for A/B-Style Updating (theregister.com) 182

"Let's popularize image-based OSes," writes Lennart Poettering, "with modernized security properties built around immutability, SecureBoot, TPM2, adaptability, auto-updating, factory reset, uniformity — built from traditional distribution packages, but deployed via images."

Or, as the Register puts it, the Systemd Linux init system "continues to grow and develop, as does Linux itself." They delve into the rationale for the new systemd-sysupdate and kernel-install features, noting "The former is still described as an experimental feature, so relax — for now." No, this does not mean that systemd is becoming a package manager. Like it or not, though, the nature of operating systems is changing. Modern ones are large, complex, and need regular updates, and as The Register has examined in depth recently, this means that the design of Linux distributions is changing radically....

ChromeOS doesn't have a package manager; neither do Fedora's Silverblue and Kinoite versions. You get a tested, known-good image of the OS. Updates are distributed as a complete image, like they are today with Android or iOS. ChromeOS has two root partitions: one live and one spare. The currently running OS updates the spare partition, then you reboot into that one. If everything works, it updates the now-idle second root partition. If it doesn't all work perfectly, then you still have the previous version available to use, and you can just reboot into that again. When a fixed image becomes available, the OS automatically tries again on the spare instance.

The idea is that you always have a known-good OS partition available, which sounds like a benefit to us. Presumably the users are happy too: Chromebook sales may be down, and they only have a fixed lifespan, but there are still well over a hundred million of them out there.

So, no, systemd is not going to become a package manager, because ordinary distros won't have a package manager at all, except maybe Flatpak, or Snap or something similar. The new functionality, including managing installed kernels, is to facilitate A/B type dual-live-system partitions.
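The A/B flow the Register describes (update the spare root slot, reboot into it, fall back to the previous known-good slot if it fails, retry once a fixed image exists) as an added model written for this digest, not ChromeOS or systemd-sysupdate code; the `boot_ok` callback is an assumed stand-in for a real boot counter or health check:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Slot:
    """One of the two root partitions (constructed model)."""
    name: str
    version: Optional[int] = None  # None: the slot holds no image yet
    known_good: bool = False       # True once this image has booted successfully


class ABSystem:
    """Two root slots, one live and one spare, as in the ChromeOS scheme above."""

    def __init__(self, initial_version: int) -> None:
        self.slots: Dict[str, Slot] = {
            "A": Slot("A", initial_version, known_good=True),
            "B": Slot("B"),
        }
        self.active = "A"                    # slot the OS is running from
        self.pending: Optional[str] = None   # slot to try on the next reboot
        self.failed_versions: Set[int] = set()

    def spare(self) -> str:
        """The idle slot: the one we are not running from."""
        return "B" if self.active == "A" else "A"

    def running_version(self) -> int:
        return self.slots[self.active].version

    def stage_update(self, version: int) -> str:
        """Write a new image into the idle slot; the live slot is never touched."""
        if version in self.failed_versions:
            # The same broken image is not retried; wait for a fixed one.
            raise ValueError(f"image {version} already failed to boot")
        target = self.slots[self.spare()]
        target.version = version
        target.known_good = False
        self.pending = target.name
        return target.name

    def reboot(self, boot_ok: Callable[[int], bool]) -> int:
        """Boot the pending slot if there is one.

        boot_ok(version) is the assumed stand-in for the real boot-success
        check. If the new image fails, the slot we came from is booted again,
        so a bad update never leaves the device without a working OS.
        """
        if self.pending is None:
            return self.running_version()
        candidate = self.slots[self.pending]
        previous = self.active
        self.pending = None
        if boot_ok(candidate.version):
            candidate.known_good = True
            self.active = candidate.name
        else:
            self.failed_versions.add(candidate.version)
            # Fall back: the previous slot was verified on an earlier boot.
            assert self.slots[previous].known_good
            self.active = previous
        return self.running_version()

    def sync_idle_slot(self) -> str:
        """After a successful boot, copy the live image to the now-idle slot so
        both hold a known-good OS until the next update is staged."""
        live = self.slots[self.active]
        idle = self.slots[self.spare()]
        idle.version = live.version
        idle.known_good = True
        self.pending = None
        return idle.name


def demo() -> List[int]:
    """Walk through the flow from the text: good update, broken update, fixed retry."""
    system = ABSystem(initial_version=1)
    seen = [system.running_version()]
    system.stage_update(2)                          # written into B, the spare
    seen.append(system.reboot(lambda v: True))      # 2 boots fine; B is now live
    system.sync_idle_slot()                         # A catches up to version 2
    system.stage_update(3)                          # next update goes into A
    seen.append(system.reboot(lambda v: v != 3))    # 3 fails: back on B, still 2
    system.stage_update(4)                          # fixed image is tried in A
    seen.append(system.reboot(lambda v: True))      # 4 boots; A is live again
    return seen


if __name__ == "__main__":
    print(demo())
```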

For some insight into this vision, Lennart Poettering, lead architect of systemd, has described this in a blog post titled "Bringing Everything Together."

Other updates include "changes to systemd-networkd, such as systemd-resolved starting earlier in the boot sequence, and more cautious allocation of default routes," the article points out, adding that new releases of systemd "appear roughly twice a year, so the chances are that this will appear in the fall releases of Ubuntu and Fedora...

"If you still prefer to avoid systemd, don't despair. There are still a selection of distros that eschew it altogether, including Devuan GNU+Linux, Alpine Linux, and Void Linux."
Microsoft

Microsoft Brings 'Windows Subsystem for Linux 2' to Windows Server 2022 (theregister.com) 23

With the latest preview patch, Windows Server 2022 now supports WSL2 Linux distros, the Register reports: The move ends an odyssey that began with the arrival of the Windows Subsystem for Linux (WSL) 2 on Windows 10 several years ago and with users' calls for Windows Server to get the same treatment. The change is also somewhat of an about-face from Microsoft. In 2021, in response to pleas from users to backport the tech to Windows Server 2019, [Principal program manager for Windows Server Jeff] Woolsey described WSL in early 2021 as "fantastic for dev" and "perfect for Windows client" but warned: "If we put it in Windows Server, people will use it in production scenarios for which it isn't intended." The approved path was to spin up a full Linux VM. Quite a bit heftier than the lighter-weight WSL2.

Signs of Microsoft listening to feedback showed up earlier this year, as Microsoft Program Manager Craig Loewen "clarified" that WSL2 distros would work on Windows Server version 2004 and 20H2, although the LTSC versions found in many data centers remained free of WSL2. Until this week, that is.

TechRadar provides some context: WSL 2, which was originally released in May 2019, uses virtualization technology to run an open source Linux kernel inside of a lightweight utility virtual machine (VM). This empowers Windows users to run popular Linux apps such as Docker. Microsoft claims that unlike a traditional VM experience — which it says can be slow to boot up, is isolated, consumes a lot of resources, and requires your time to manage it — WSL 2 does not have these attributes....

The KB5014021 update is currently optional, but will be automatically rolled out to users next month....

Windows Server updates have not been without issues in recent months, however, with Microsoft having to address various problems caused by the January 2021 Patch Tuesday updates. The company issued an emergency out-of-band update to address bugs that forced domain controllers to reboot endlessly, broke Hyper-V, and rendered ReFS volumes inaccessible while showing them as RAW file systems.

Space

NASA Praises Boeing Starliner's 'Picture Perfect' Return from ISS Visit (space.com) 125

Boeing's Orbital Flight Test 2 (OFT-2) "is officially a success," reports Space.com: That's the verdict that leaders at NASA and Boeing gave during a press briefing on Wednesday night (May 25), a few hours after the aerospace giant's Starliner capsule returned to Earth to wrap up OFT-2, a crucial uncrewed demonstration mission to the International Space Station.

Starliner touched down in the White Sands Missile Range, a U.S. Army facility in New Mexico, at 6:49 p.m EDT (2249 GMT) on Wednesday, hitting the desert dirt just 0.3 miles (0.5 kilometers) from its target landing point. Steve Stich, manager of NASA's Commercial Crew Program, described the landing as "picture perfect" during Wednesday night's briefing, saying that the test flight accomplished all of its mission objectives....

OFT-2 went smoothly from start to finish, though it did have a few minor hiccups. For example, two thrusters on Starliner's service module failed during the orbital insertion burn, which occurred about 30 minutes after launch. And as Starliner approached the space station on Friday (May 20), an additional two thrusters needed to be shut down, this time in the capsule's reaction control system. In both cases, backups for each system worked as they were designed to do, and neither issue substantially affected the mission. But Starliner's thrusters will be a focus of several post-flight checks and tests in the near future.

The Washington Post writes that on-the-ground engineers "won't be able to examine the two main thrusters that cut out since they are housed in the spacecraft's service module, which was jettisoned during the return." (And during the flight, their article adds, "the spacecraft's thermal control system, used to keep the spacecraft at the right temperature, also failed.") But NASA's Steve Stich tells Space.com that "Putting the vehicle through its paces on this flight is really the only way to prepare us for the crewed flight test.

"Once we work through all the data, we'll be ready to fly crew on this vehicle."
Graphics

Linux 5.19 Adds 500K Lines of New Graphics Driver Code (phoronix.com) 79

UnknowingFool writes: The current Linux kernel in development, 5.19, added 495,793 new lines of code for graphic driver updates. David Airlie sent in the new lines as part of Direct Rendering Manager (DRM) subsystem of Linux. The majority of additions were for AMD's RDNA and CDNA platforms but Intel also submitted changes for their DG2 graphics as well. Updates also came from Qualcomm and MediaTek for their GPU offerings.
Virtualization

Microsoft Dev Box Will Virtualize Your Windows Development PC In a Browser Window (arstechnica.com) 40

Microsoft Dev Box is intended to simplify the process of getting new developer workstations up and running quickly, with all necessary tools and dependencies installed and working out-of-the-box (so to speak), along with access to up-to-date source code and fresh copies of any nightly builds. Ars Technica reports: Dev Box is built on Windows 365, a service that IT admins can use to provide preconfigured virtual PCs to users. Admins can build operating system images and offer hardware configurations with different amounts of CPU power, storage, and RAM based on what particular users (or workloads) need. Windows 365 virtual machines, including but not limited to Dev Box VMs, can be accessed from other Windows PCs, or devices running macOS, iOS, Android, Linux, or ChromeOS.

"Microsoft Dev Box supports any developer IDE, SDK, or internal tool that runs on Windows," writes Microsoft product manager Anthony Cangialosi [in a blog post introducing the service]. "Dev Boxes can target any development workload you can build from a Windows desktop and are particularly well-suited for desktop, mobile, IoT, and gaming. You can even build cross-platform apps using Windows Subsystem for Linux." Dev Box is currently available in a private preview. If you're interested in testing it when the preview goes public, you can sign up to learn more here.

Windows

Windows 11 CPU Usage Reporting is Apparently Buggy, Including on Task Manager (neowin.net) 41

An anonymous reader shares a report: While not every user is actively monitoring hardware resource usage when gaming, enthusiasts and reviewers often turn the stats on to see how certain games and other applications are being handled by the hardware. During such a test run, CapFrameX, which developed a useful frametime analysis tool, noticed a weird anomaly when gauging the performance of the Ryzen 7 5800X3D on Shadow of the Tomb Raider (SotTR). The processor usage reported on Windows 11 is seemingly unusually low in one of the scenes in the game which is typically known to be quite intense on the CPU. Only one of the 16 threads seems to be reporting the correct usage whereas all the other threads are under 10% utilization. CapFrameX notes the issue though it isn't sure what could be causing it: "The core usage reporting on Windows 11 is completely broken. Should be >80% for SotTR + this particular scene and settings. What happened? Did the recent update change the timer behavior?"
Android

FairEmail Developer Calls It Quits After Google Falsely Flags App As Spyware (ghacks.net) 78

"The developer of the open source email client FairEmail pulled all of his applications from Google Play and announced that he would stop development," reports gHacks. The announcement comes shortly after the developer received an email from Google stating that they believed the app was spyware. From the report: FairEmail was a popular email client for Google's Android operating system that was free to use. It was privacy-friendly, had no limitations in regards to email accounts that users could set up in the app, supported unified inbox, conversation threading, two-way synchronizing, support for OpenPGP, and a lot more. Marcel Bokhorst, the developer of the application, announced major changes to the project yesterday on XDA Developers.

Earlier that week, Bokhorst received a policy violation email from Google stating that Google believed that the FairEmail application was spyware. The full statement has not been published, but Bokhorst believes that Google might have misinterpreted the use of favicons in the app. He resubmitted a new version of the application that had the use of favicons removed. The appeal he received as a response "resulted in a standard answer". While the content of the answer is unclear, it appears to have been a generic answer that Google Play Store developers have been frustrated with for a long time. Bokhorst decided to pull the application and all of his other applications from the Google Play Store. The apps won't be maintained and supported anymore according to the info.

Other factors played a role in Bokhorst's decision, including the discrepancy between answering thousands of support questions per month and the application's revenue, and the inability to do something against unfair reviews in the Google Play Store. He considered keeping the applications on GitHub, but this would result in a 98% loss of audience.
Google also recently forced Total Commander's developer to remove the ability to install APKs from the File Manager.

If you're looking for an alternative email client, gHacks recommends the open-source app K-9 Mail.
United States

Vast Swath of US At Risk of Summer Blackouts, Regulator Warns (newsnationnow.com) 195

An anonymous reader quotes a report from NewsNation: Blackouts could plague a number of states in the U.S. this summer, regulators warn, as a combination of drought, heat, potential cyber attacks, geopolitical conflicts and supply chain problems could disrupt the power supply, according to a grim new report (PDF) from the North American Electric Reliability Corporation (NERC). The regulatory body found that large swathes of the U.S. and parts of Canada are at an elevated or high risk of energy shortfalls during the summer's hottest months.

The Midwest is at especially high risk due to the retirement of older plants, which has caused a 2.3% decrease in capacity from last summer, as well as increased demand, according to NERC. In the Southwest, plummeting river levels may cripple hydropower production, the group warned, and in Texas drought-related heat events could cause extreme energy demand. A NERC map shows all states in the western half of the continental U.S., including North Dakota, South Dakota, Nebraska, Kansas, Oklahoma and Texas, are at least under elevated risk of energy shortfalls, with parts of the northeastern-most states under high risk. Many states under the Midcontinent Independent System Operator (MISO), such as Arkansas, Louisiana, Michigan, Wisconsin, Iowa, Minnesota, Illinois and Indiana, are either entirely or partly at high risk.
"Industry prepares its equipment and operators for challenging summer conditions. Persistent, extreme drought and its accompanying weather patterns, however, are out-of-the-ordinary and tend to create extra stresses on electricity supply and demand," said Mark Olson, NERC's manager of Reliability Assessments. "Grid operators in affected areas will need all available tools to keep the system in balance this summer."
Privacy

The Passwords Most Used By CEOs Are Startlingly Dumb (pcgamer.com) 110

A recent cybersecurity report shows how immensely idiotic many CEOs and business owners can be, considering the strength of their chosen account passwords. PC Gamer reports: The research comes from NordPass password manager which identified back in 2020 that the general public's most commonly used passwords were sequential numbers like '123456', 'picture1', and yep, you guessed it: 'password'. The more recent research sample consists of 290 million cybersecurity data breaches around the globe, and denotes the job level of those affected. Turns out, when it comes to CEOs and other high-ranking business execs, their password choices are much the same as the general public, although many often feature names. Tiffany was spotted in 100,534 breaches; then there was Charlie with 33,699; Michael was found 10,647 times; and Jordan, 10,472 times.

The report also ranks mythical creatures and animals as some of the top passwords to have been cracked in data breaches. 'Dragon' was spotted 11,926 times, and 'monkey' comes in at 11,675. I spoke to IT support engineer Ash Smith, who recommends that companies should consider handing out randomly generated passwords as new accounts are created. "Arguably the strongest passwords are 3 random words, something that you can make a story about in your head to help you remember," he says.

Google

Google Blocks File Manager Total Commander From Allowing Users To Sideload Apps (androidpolice.com) 74

An anonymous reader shares a report: Total Commander has been around since the 90s, eventually expanding into Android after the platform launched over a decade ago. The app has more than 10 million downloads on the Play Store, still supporting OS versions as far back as Android 2.2. With a new update, developer Christian Ghisler has removed the ability to install APK files on Android, blaming Google Play policies in the patch notes for the app. It's a shocking twist for the service and, seemingly, a bad omen of things to come for other mobile file managers. A forum post from Ghisler sheds some more light on what's going on here, as Google sent him a notice warning of his app's removal from the Play Store within a week if the app went unmodified. The company's automated response pointed the developer to the "Device and Network Abuse" policy.
Google

Google Will Start Distributing a Security-Vetted Collection of Open-Source Software Libraries (theverge.com) 28

Google announced a new initiative Tuesday aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers. From a report: The new service, branded Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed to some of the challenges of securing open-source software and stressed Google's commitment to open source. "There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks," Chang wrote, citing last year's major log4j vulnerability as an example. "Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure." Per Google's announcement, the Assured Open Source Software service will extend the benefits of Google's own extensive software auditing experience to Cloud customers. All open-source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.
Microsoft

Surprise: Microsoft Has a Second Internal-Use-Only Linux Distro (zdnet.com) 59

ZDNet reports there's more than just the one Microsoft-created Linux distribution for internal use only called CBL (Common Base Linux) Mariner.

"It turns out there's another Microsoft-developed Linux distribution that's also for internal use that's known as CBL-Delridge or CBL-D." I discovered the existence of CBL-D for the first time this week in a rather round-about way. I stumbled onto a February 2 blog post from Hayden Barnes, a Senior Engineering Manager at SuSE who led the Windows on Rancher engineering team, which traced his steps in discovering and building his own image of CBL-D. Barnes noted that Microsoft published CBL-Delridge in 2020, the same year that it also published CBL-Mariner. The main difference between the two: Delridge is a custom Debian derivative, while Mariner is a custom Linux From Scratch-style distribution.

CBL-D powers Azure's Cloud Shell. The Azure Cloud Shell provides a set of cloud-management tools packaged in a container. In a note on the GitHub repo for the Cloud Shell, officials noted that "the primary difference between Debian and CBL-D is that Microsoft compiles all the packages included in the CBL-D repository internally. This helps guard against supply chain attacks...."

CBL-Mariner and CBL-Delridge are just two of the Microsoft-developed Linux-related deliverables from the Linux Systems Group. Others include the Windows Subsystem for Linux version 2 (WSL2), which is part of Windows 10; an Azure-tuned Linux kernel which is designed for optimal performance as Hyper-V guests; and Integrity Policy Enforcement (IPE), a proposed Linux Security Module (LSM) from the Enterprise and Security team.

Security

White House Joins OpenSSF, Linux Foundation In Securing Open-Source Software (zdnet.com) 46

An anonymous reader quotes a report from ZDNet: Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they're calling for $150 million in funding over two years to fix ten major open-source security problems.

The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, "I want to be clear: We're not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful."

Here are the ten goals the open-source industry is committed to meeting:

1. Security Education: Deliver baseline secure software development education and certification to all.
2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. Software Bill of Materials (SBOMs) Everywhere: Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Open Source

How Much Will It Cost To Secure Open-Source Software? OpenSSF Says $147.9 Million (venturebeat.com) 9

Today at the Open Source Software Security Summit II in Washington, D.C., OpenSSF announced an ambitious, multipronged plan with 10 key goals to better secure the entire open-source software ecosystem. From a report: While open-source software itself can sometimes be freely available, securing it will have a price. OpenSSF has estimated that its plan will require $147.9 million in funding over a two-year period. In a press conference held after the summit, Brian Behlendorf, general manager of OpenSSF, said that $30 million has already been pledged by OpenSSF members including Amazon, Intel, VMware, Ericsson, Google and Microsoft.
