Privacy

Proton Acquires Standard Notes (zdnet.com) 10

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file limit size, and more.
AI

Intel Says New Gaudi 3 AI Chips Top Nvidia H100s in Speed and Cost 32

Intel on Tuesday unveiled its new "Gaudi 3" AI chip that the company claims is over twice as power-efficient and can run AI models one-and-a-half times faster than Nvidia's H100 GPU. "It also comes in different configurations like a bundle of eight Gaudi 3 chips on one motherboard or a card that can slot into existing systems," adds CNBC. From the report: Intel tested the chip on models like Meta's open-source Llama and the Abu Dhabi-backed Falcon. It said Gaudi 3 can help train or deploy models, including Stable Diffusion or OpenAI's Whisper model for speech recognition. Intel says its chips use less power than Nvidia's. Intel said that the new Gaudi 3 chips would be available to customers in the third quarter, and companies including Dell, Hewlett Packard Enterprise, and Supermicro will build systems with the chips. Intel didn't provide a price range for Gaudi 3.

Gaudi 3 is built on a five nanometer process, a relatively recent manufacturing technique, suggesting that the company is using an outside foundry to manufacture the chips. In addition to designing Gaudi 3, Intel also plans to manufacture AI chips, potentially for outside companies, at a new Ohio factory expected to open in 2027 or 2028, CEO Patrick Gelsinger told reporters last month. "We do expect it to be highly competitive" with Nvidia's latest chips, said Das Kamhout, vice president of Xeon software at Intel, on a call with reporters. "From our competitive pricing, our distinctive open integrated network on chip, we're using industry-standard Ethernet. We believe it's a strong offering."
Facebook

Meta Platforms To Launch Small Versions of Llama 3 Next Week (theinformation.com) 7

Meta Platforms is planning to launch two small versions of its forthcoming Llama 3 large-language model next week, The Information has reported [non-paywalled link]. From the report: The models will serve as a precursor to the launch of the biggest version of Llama 3, expected this summer. Release of the two small models will likely help spark excitement for the forthcoming Llama 3, which will be coming out roughly a year after Llama 2 launched last July.

It comes as several companies, including Google, Elon Musk's xAI and Mistral, have released open-source LLMs. Meta hopes Llama 3 will catch up with OpenAI's GPT-4, which can answer questions based on images users upload to the chatbot. The biggest version will be multimodal, which means it will be capable of understanding and generating both texts and images. In contrast, the two small models to be released next week won't be multimodal, the employee said.

Open Source

Rust, Python, Apache Foundations and Others Announce Big Collaboration on Cybersecurity Process Specifications (eclipse-foundation.blog) 42

The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices."

From the Eclipse Foundation: This collaborative effort will be hosted at the Brussels-based Eclipse Foundation [an international non-profit association] under the auspices of the Eclipse Foundation Specification Process and a new working group... Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well.

The starting point for this highly technical standardisation effort will be today's existing security policies and procedures of the respective open source foundations, and similar documents describing best practices.

The governance of the working group will follow the Eclipse Foundation's usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence... While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation.

The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.

The Apache Foundation notes the working group is forming partly "to demonstrate our commitment to cooperation with and implementation of" the EU's Cyber Resilience Act. But the Eclipse Foundation adds that even before it goes into effect in 2027, they're recognizing open source software's "increasingly vital role in modern society" and an increasing need for reliability, safety, and security, so new regulations like the CRA "underscore the urgency for secure by design and robust supply chain security standards."

Their announcement adds that "It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises." But at the same time, "Today's global software infrastructure is over 80% open source... [W]hen we discuss the 'software supply chain,' we are primarily, but not exclusively, referring to open source."

"We invite you to join our collaborative effort to create specifications for secure open source development," their announcement concludes," promising initiative updates on a new mailing list. "Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges."

The Python Foundation's announcement calls it a "community-driven initiative" that will have "a lasting impact on the future of cybersecurity and our shared open source communities."
AMD

AMD To Open Source Micro Engine Scheduler Firmware For Radeon GPUs 23

AMD plans to document and open source its Micro Engine Scheduler (MES) firmware for GPUs, giving users more control over Radeon graphics cards. From a report: It's part of a larger effort AMD confirmed earlier this week about making its GPUs more open source at both a software level in respect to the ROCm stack for GPU programming and a hardware level. Details were scarce with this initial announcement, and the only concrete thing it introduced was a GitHub tracker.

However, yesterday AMD divulged more details, specifying that one of the things it would be making open source was the MES firmware for Radeon GPUs. AMD says it will be publishing documentation for MES around the end of May, and will then release the source code some time afterward. For one George Hotz and his startup, Tiny Corp, this is great news. Throughout March, Hotz had agitated for AMD to make MES open source in order to fix issues he was experiencing with his RX 7900 XTX-powered AI server box. He had talked several times to AMD representatives, and even the company's CEO, Lisa Su.
Linux

German State Moving Tens of Thousands of PCs To Linux and LibreOffice (documentfoundation.org) 143

The Document Foundation: Following a successful pilot project, the northern German federal state of Schleswig-Holstein has decided to move from Microsoft Windows and Microsoft Office to Linux and LibreOffice (and other free and open source software) on the 30,000 PCs used in the local government. As reported on the homepage of the Minister-President: "Independent, sustainable, secure: Schleswig-Holstein will be a digital pioneer region and the first German state to introduce a digitally sovereign IT workplace in its state administration. With a cabinet decision to introduce the open-source software LibreOffice as the standard office solution across the board, the government has given the go-ahead for the first step towards complete digital sovereignty in the state, with further steps to follow."
AI

UK and US Sign Landmark Agreement On AI Safety (bbc.com) 6

The UK and US have signed a landmark deal to work together on testing advanced artificial intelligence (AI) and develop "robust" safety methods for AI tools and their underlying systems. "It is the first bilateral agreement of its kind," reports the BBC. From the report: UK tech minister Michelle Donelan said it is "the defining technology challenge of our generation." "We have always been clear that ensuring the safe development of AI is a shared global issue," she said. "Only by working together can we address the technology's risks head on and harness its enormous potential to help us all live easier and healthier lives."

The secretary of state for science, innovation and technology added that the agreement builds upon commitments made at the AI Safety Summit held in Bletchley Park in November 2023. The event, attended by AI bosses including OpenAI's Sam Altman, Google DeepMind's Demis Hassabis and tech billionaire Elon Musk, saw both the UK and US create AI Safety Institutes which aim to evaluate open and closed-source AI systems. [...]

Gina Raimondo, the US commerce secretary, said the agreement will give the governments a better understanding of AI systems, which will allow them to give better guidance. "It will accelerate both of our Institutes' work across the full spectrum of risks, whether to our national security or to our broader society," she said. "Our partnership makes clear that we aren't running away from these concerns - we're running at them."

The Internet

FCC To Vote To Restore Net Neutrality Rules (reuters.com) 60

An anonymous reader quotes a report from Reuters: The U.S. Federal Communications Commission will vote to reinstate landmark net neutrality rules and assume new regulatory oversight of broadband internet that was rescinded under former President Donald Trump, the agency's chair said. The FCC told advocates on Tuesday of the plan to vote on the final rule at its April 25 meeting. The commission voted 3-2 in October on the proposal to reinstate open internet rules adopted in 2015 and re-establish the commission's authority over broadband internet.

Net neutrality refers to the principle that internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites. FCC Chair Jessica Rosenworcel confirmed the planned commission vote in an interview with Reuters. "The pandemic made clear that broadband is an essential service, that every one of us -- no matter who we are or where we live -- needs it to have a fair shot at success in the digital age," she said. "An essential service requires oversight and in this case we are just putting back in place the rules that have already been court-approved that ensures that broadband access is fast, open and fair."

AI

Databricks Claims Its Open Source Foundational LLM Outsmarts GPT-3.5 (theregister.com) 17

Lindsay Clark reports via The Register: Analytics platform Databricks has launched an open source foundational large language model, hoping enterprises will opt to use its tools to jump on the LLM bandwagon. The biz, founded around Apache Spark, published a slew of benchmarks claiming its general-purpose LLM -- dubbed DBRX -- beat open source rivals on language understanding, programming, and math. The developer also claimed it beat OpenAI's proprietary GPT-3.5 across the same measures.

DBRX was developed by Mosaic AI, which Databricks acquired for $1.3 billion, and trained on Nvidia DGX Cloud. Databricks claims it optimized DBRX for efficiency with what it calls a mixture-of-experts (MoE) architecture -- where multiple expert networks or learners divide up a problem. Databricks explained that the model possesses 132 billion parameters, but only 36 billion are active on any one input. Joel Minnick, Databricks marketing vice president, told The Register: "That is a big reason why the model is able to run as efficiently as it does, but also runs blazingly fast. In practical terms, if you use any kind of major chatbots that are out there today, you're probably used to waiting and watching the answer get generated. With DBRX it is near instantaneous."

But the performance of the model itself is not the point for Databricks. The biz is, after all, making DBRX available for free on GitHub and Hugging Face. Databricks is hoping customers use the model as the basis for their own LLMs. If that happens it might improve customer chatbots or internal question answering, while also showing how DBRX was built using Databricks's proprietary tools. Databricks put together the dataset from which DBRX was developed using Apache Spark and Databricks notebooks for data processing, Unity Catalog for data management and governance, and MLflow for experiment tracking.

Chromium

Thorium: The Fastest Open Source Chromium-based Browser? (itsfoss.com) 55

"After taking a look at Floorp Browser, I was left wondering whether there was a Chromium-based web browser that was as good, or even better than Chrome," writes a "First Look" reviewer at It's Foss News.

"That is when I came across Thorium, a web-browser that claims to be the 'the fastest browser on Earth'." [Thorium] is backed by a myriad of tweaks that include, compiler optimizations for SSE4.2, AVS, AES, various mods to CFLAGS, LDFLAGS, thinLTO flags, and more. The developer shares performance stats using popular benchmarking tools... I tested it using Speedometer 3.0 benchmark on Fedora 39 and compared it to Brave, and the scores were:

Thorium: 19.2; Brave: 19.5

So, it may not be the "fastest" always, probably one of the fastest, that comes close to Brave or sometimes even beats it (depends on the version you tested it and your system).

Alexander Frick, the lead developer, also insists on providing support for older operating systems such as Windows 7 so that its user base can use a capable modern browser without much fuss... As Thorium is a cross-platform web browser, you can find packages for a wide range of platforms such as Linux, Raspberry Pi, Windows, Android, macOS, and more.

Thorium can sync to your Google account to import your bookmarks, extensions, and themes, according to the article.

"Overall, I can confidently say that it is a web browser I could daily drive, if I were to ditch Chrome completely. It gels in quite well with the Google ecosystem and has a familiar user interface that doesn't get in the way."
Cellphones

Major Mobile NFT Shooter Game 'MadWorld' Uses Linux Foundation Subsidiary's Game Engine (linuxfoundation.org) 29

A Linux Foundation subsidiary has developed a free and open-source 3D game engine distributed under the Apache license. And last week the Open 3D Foundation announced "a big step forward, showcasing the power of open-source technologies in giving gamers around the globe unforgettable gaming experiences."

"We are proud to unveil MadWorld as the first mobile title powered by O3DE," said Joe Bryant, Executive Director of the Open 3D Foundation, "demonstrating the large potential of open-source technologies in game development."

And then this week Los Angeles Business Journal reported that El Segundo-based gaming studio Carbonated Inc. "has raised $11 million of series A funding to finance the development and release of its debut game title... Prior to its most recent round, Carbonated closed an $8.5 million seed funding round in 2020, which also included participation from Andreessen and Bitkraft." Since its founding [in 2015], the company has been focusing on research and development for its upcoming first title, called "MadWorld." The third-person, multiplayer shooter game is set in a post-apocalyptic world and features both player-versus-player and player-versus-environment features. Players of the game will battle for land control in a dystopian setting. Using a combination of open-source mapping tools and Carbonated's proprietary custom operations technology, called Carbyne, the game's world is designed around real-life cities and locations. Players are initially dropped into the game's version of their own real-time location.

The game allows players to optionally engage using blockchain technology with a digital asset-ownership layer powered by a blockchain network called XPLA.

Earlier this month MadWorld "opened up for Early Access registration," reports the egamers web site, arguing that the game "is set to redefine the gaming landscape and will make its public debut later this year." After a catastrophic event named "The Collapse," MadWorld takes place in a desolate Earth where players engage in a battle for survival, highlighting the game's unique setting and immersive experience. The game's world is intricately designed with 250,000 land plots mapped out on a hexagonal grid, each presenting unique resources and strategic benefits. This innovative approach to game design enhances the gameplay experience and introduces a new layer of strategy and competition.

MadWorld's gameplay is centered around integrating Web3 technologies, which allows for the ownership, enhancement, and trading of tokenized representations of real-world locations. This feature encourages players to create clans and work together or compete for essential resources that are spread across the vast game world. Clans can acquire these resources by paying tributes to NFT landowners using "Rounds," the in-game currency. This mechanism not only fosters a sense of community and teamwork but also creates unique economic opportunities within the game by blending traditional gaming elements with the emerging field of digital assets.

"With its use of O3DE, Carbonated can enhance the game's visual fidelity, performance, and scalability," according to the Linux Foundation's announcement, "in order to deliver a fast-paced adventure on mobile platforms." O3DE is an open-source game engine developed by a collaborative community of industry experts. It includes state-of-the-art rendering capabilities, dynamic lighting, and realistic physics simulation. These features have enabled Carbonated to build realistic dystopian environments and create action-packed gameplay in MadWorld.
According to its official site, MadWorld "is set to be released to the public sometime in 2024 and is currently being tested on iOS and Android operating systems."

Carbonated's CEO Travis Boatman made this prediction to the site Decrypt. "We think mobile is where the breakout will happen for Web3."
Security

'Security Engineering' Author Ross Anderson, Cambridge Professor, Dies at Age 67 (therecord.media) 7

The Record reports: Ross Anderson, a professor of security engineering at the University of Cambridge who is widely recognized for his contributions to computing, passed away at home on Thursday according to friends and colleagues who have been in touch with his family and the University.

Anderson, who also taught at Edinburgh University, was one of the most respected academic engineers and computer scientists of his generation. His research included machine learning, cryptographic protocols, hardware reverse engineering and breaking ciphers, among other topics. His public achievements include, but are by no means limited to, being awarded the British Computer Society's Lovelace Medal in 2015, and publishing several editions of the Security Engineering textbook.

Anderson's security research made headlines throughout his career, with his name appearing in over a dozen Slashdot stories...

My favorite story? UK Banks Attempt To Censor Academic Publication.

"Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online..."


Businesses

Red Hat Tries on a McKinsey Cap in Quest To Streamline Techies' Jobs (theregister.com) 56

An anonymous reader shares a report: Mutterings of alarm are emerging from the cloisters of Red Hat after the world's largest management consultancy was hired to help the IBM subsidiary focus engineers on their highest-value work. Red Hat confirmed the partnership with McKinsey & Company to The Reg, sharing this extract from an email from CTO Chris Wright to the Global Engineering Team:

"Hey everyone -- as I mentioned during the recent Q1 All Hands, my goal is to have Global Engineering recognized as the world's greatest open-source software engineering organization. This team is already doing amazing work, and we have several initiatives in progress to help us achieve the goal I've set. One of those is a partnership with McKinsey. The objective of this project is to help us understand and incorporate learnings on working models, development practices, and tooling from across the software industry.

"We've heard your feedback in person, during All Hands, and through RHAS [the annual Red Hat Associate Survey]. This project will help us to identify and remove mundane tasks that drain your energy so that you can focus on the most engaging and highest value work â" to make your job better. The work with McKinsey is one piece of the overall plan to help us become the world's greatest open-source software engineering organization"

Software

Proxmox Import Wizard Makes for Easy VMware VM Migrations (storagereview.com) 39

Lyle Smith reports via StorageReview.com: Proxmox has introduced a new import wizard for Proxmox Virtual Environment (VE), aiming to simplify the migration process for importing VMware ESXi VMs. This new feature comes at an important time in the industry, as it aims to ease the transition for these organizations looking to move away from VMware's vSphere due to high renewal costs.

The new import wizard is integrated into Proxmox VE's existing storage plugin system, allowing for direct integration into the platform's API and web-based user interface. It offers users the ability to import VMware ESXi VMs in their entirety, translating most of the original VM's configuration settings to Proxmox VE's configuration model (all while minimizing downtime). Currently, the import wizard is in a technical preview state, having been added during the Proxmox VE 8.2 development cycle. Although it is still under active development, early reports suggest the wizard is stable and holds considerable promise for future enhancements, including the planned addition of support for other import sources like OVF/OVA files. [...]

This tool represents Proxmox's commitment to providing accessible, open-source virtualization solutions. By leveraging the official ESXi API and implementing a user space filesystem with optimized read-ahead caching in Rust (a safe, fast, and modern programming language ideal for system-level tasks), Proxmox aims to ensure that this new feature can be integrated smoothly into its broader ecosystem.

Earth

Methane From Landfills Is a Big Driver of Climate Change, Study Says (nytimes.com) 128

An anonymous reader quotes a report from the New York Times: They're vast expanses that can be as big as towns: open landfills where household waste ends up, whether it's vegetable scraps or old appliances. These landfills also belch methane, a powerful, planet-warming gas, on average at almost three times the rate reported to federal regulators, according to a study published Thursday in the journal Science.

For the new study, scientists gathered data from airplane flyovers using a technology called imaging spectrometers designed to measure concentrations of methane in the air. Between 2018 and 2022, they flew planes over 250 sites across 18 states, about 20 percent of the nation's open landfills. At more than half the landfills they surveyed, researchers detected emissions hot spots, or sizable methane plumes that sometimes lasted months or years. That suggested something had gone awry at the site, like a big leak of trapped methane from layers of long-buried, decomposing trash, the researchers said.

"You can sometimes get decades of trash that's sitting under the landfill," said Daniel H. Cusworth, a climate scientist at Carbon Mapper and the University of Arizona, who led the study. "We call it a garbage lasagna." Many landfills are fitted with specialized wells and pipes that collect the methane gas that seeps out of rotting garbage in order to either burn it off or sometimes to use it to generate electricity or heat. But those wells and pipes can leak. The researchers said pinpointing leaks doesn't just help scientists get a better picture of emissions, it also helps landfill operators fix leaks. Keeping more waste out of the landfill, for example by composting food scraps, is another fix.
"The Environmental Protection Agency estimates that landfills are the third largest source of human-caused methane emissions in the United States, emitting as much greenhouse gas as 23 million gasoline cars driven for a year," notes the NYT. "Overseas, the picture can be less clear, particularly in countries where landfills aren't strictly regulated. Previous surveys using satellite technology have estimated that globally, landfill methane makes up nearly 20 percent of human-linked methane emissions."
Open Source

Linux Foundation Launches Valkey As A Redis Fork (phoronix.com) 12

Michael Larabel reports via Phoronix: Given the recent change by Redis to adopt dual source-available licensing for all their releases moving forward (Redis Source Available License v2 and Server Side Public License v1), the Linux Foundation announced today their fork of Redis. The Linux Foundation went public today with their intent to fork Valkey as an open-source alternative to the Redis in-memory store. Due to the Redis licensing changes, Valkey is forking from Redis 7.2.4 and will maintain a BSD 3-clause license. Google, AWS, Oracle, and others are helping form this new Valkey project.

The Linux Foundation press release shares: "To continue improving on this important technology and allow for unfettered distribution of the project, the community created Valkey, an open source high performance key-value store. Valkey supports the Linux, macOS, OpenBSD, NetBSD, and FreeBSD platforms. In addition, the community will continue working on its existing roadmap including new features such as a more reliable slot migration, dramatic scalability and stability improvements to the clustering system, multi-threaded performance improvements, triggers, new commands, vector search support, and more. Industry participants, including Amazon Web Services (AWS), Google Cloud, Oracle, Ericsson, and Snap Inc. are supporting Valkey. They are focused on making contributions that support the long-term health and viability of the project so that everyone can benefit from it."

Software

'Software Vendors Dump Open Source, Go For the Cash Grab' (computerworld.com) 120

Steven J. Vaughan-Nichols, writing for ComputerWorld: Essentially, all software is built using open source. By Synopsys' count, 96% of all codebases contain open-source software. Lately, though, there's been a very disturbing trend. A company will make its program using open source, make millions from it, and then -- and only then -- switch licenses, leaving their contributors, customers, and partners in the lurch as they try to grab billions. I'm sick of it. The latest IT melodrama baddie is Redis. Its program, which goes by the same name, is an extremely popular in-memory database. (Unless you're a developer, chances are you've never heard of it.) One recent valuation shows Redis to be worth about $2 billion -- even without an AI play! That, anyone can understand.

What did it do? To quote Redis: "Beginning today, all future versions of Redis will be released with source-available licenses. Starting with Redis 7.4, Redis will be dual-licensed under the Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1). Consequently, Redis will no longer be distributed under the three-clause Berkeley Software Distribution (BSD)." For those of you who aren't open-source licensing experts, this means developers can no longer use Redis' code. Sure, they can look at it, but they can't export, borrow from, or touch it.

Redis pulled this same kind of trick in 2018 with some of its subsidiary code. Now it's done so with the company's crown jewels. Redis is far from the only company to make such a move. Last year, HashiCorp dumped its main program Terraform's Mozilla Public License (MPL) for the Business Source License (BSL) 1.1. Here, the name of the new license game is to prevent anyone from competing with Terraform. Would it surprise you to learn that not long after this, HashiCorp started shopping itself around for a buyer? Before this latest round of license changes, MongoDB and Elastic made similar shifts. Again, you might never have heard of these companies or their programs, but each is worth, at a minimum, hundreds of millions of dollars. And, while you might not know it, if your company uses cloud services behind the scenes, chances are you're using one or more of their programs,

Ubuntu

Ubuntu Linux LTS Releases Get Up To 12 Years of Support (betanews.com) 60

BrianFagioli shares a report from BetaNews: Canonical, the company behind the popular Ubuntu operating system, has announced a significant extension to the support lifecycle of its long-term support (LTS) releases. The new paid Legacy Support add-on for Ubuntu Pro subscribers will now provide security maintenance and support for an impressive 12 years, extending the previous 10-year commitment. This enhancement is available starting with Ubuntu 14.04 LTS and will benefit both enterprises and individual users who rely on the stability and security of Ubuntu for their critical systems. By default, Ubuntu LTS releases receive five years of standard security maintenance. However, with Ubuntu Pro, this is expanded to 10 years for both the main and universe repositories, offering access to a broader range of secure open-source software.

The Legacy Support add-on further extends this period by an additional two years, ensuring that organizations can maintain their systems with the latest security patches and support services without the immediate need to upgrade to a newer OS version. This is particularly beneficial for large, established production systems where transitioning to a new OS can be a complex and risky endeavor due to the potential need to update the entire software stack. The extended support includes continuous vulnerability management for critical, high, and medium Common Vulnerabilities and Exposures (CVEs) across all software packages shipped with Ubuntu. Canonical's security team actively backports crucial fixes to all supported Ubuntu LTS releases, providing peace of mind to users and enterprises. In addition to security maintenance, the Legacy Support add-on also offers phone and ticket support, enhancing Canonical's commitment to assisting customers with troubleshooting, break fixes, bug fixes, and guidance.

AI

Behind the Plot To Break Nvidia's Grip on AI By Targeting Software (reuters.com) 44

An anonymous reader shares a report: Nvidia earned its $2.2 trillion market cap by producing AI chips that have become the lifeblood powering the new era of generative AI developers from startups to Microsoft, OpenAI and Google parent Alphabet. Almost as important to its hardware is the company's nearly 20 years' worth of computer code, which helps make competition with the company nearly impossible. More than 4 million global developers rely on Nvidia's CUDA software platform to build AI and other apps. Now a coalition of tech companies that includes Qualcomm, Google and Intel, plans to loosen Nvidia's chokehold by going after the chip giant's secret weapon: the software that keeps developers tied to Nvidia chips.

They are part of an expanding group of financiers and companies hacking away at Nvidia's dominance in AI. "We're actually showing developers how you migrate out from an Nvidia platform," Vinesh Sukumar, Qualcomm's head of AI and machine learning, said in an interview with Reuters. Starting with a piece of technology developed by Intel called OneAPI, the UXL Foundation, a consortium of tech companies, plans to build a suite of software and tools that will be able to power multiple types of AI accelerator chips, executives involved with the group told Reuters. The open-source project aims to make computer code run on any machine, regardless of what chip and hardware powers it.

"It's about specifically - in the context of machine learning frameworks - how do we create an open ecosystem, and promote productivity and choice in hardware," Google's director and chief technologist of high-performance computing, Bill Hugo, told Reuters in an interview. Google is one of the founding members of UXL and helps determine the technical direction of the project, Hugo said. UXL's technical steering committee is preparing to nail down technical specifications in the first half of this year. Engineers plan to refine the technical details to a "mature" state by the end of the year, executives said. These executives stressed the need to build a solid foundation to include contributions from multiple companies that can also be deployed on any chip or hardware.

Desktops (Apple)

Apple Criticized For Changing the macOS version of cURL (daniel.haxx.se) 75

"On December 28 2023, bugreport 12604 was filed in the curl issue tracker," writes cURL lead developer Daniel Stenberg: The title stated the problem in this case quite clearly: flag --cacert behavior isn't consistent between macOS and Linux, and it was filed by Yuedong Wu.

The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine.

The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error. This particular behavior and functionality in curl has been established since many years (this option was added to curl in December 2000) and of course is provided to allow users to know that it communicates with a known and trusted server. A pretty fundamental part of what TLS does really.

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server!

This is a security problem because now suddenly certificate checks pass that should not pass.

"We don't consider this something that needs to be addressed in our platforms," Apple Product Security responded. Stenberg's blog post responds, "I disagree."

Long-time Slashdot reader lee1 shares their reaction: I started to sour on MacOS about 20 years ago when I discovered that they had, without notice, substituted their own, nonstandard version of the Readline library for the one that the rest of the Unix-like world was using. This broke gnuplot and a lot of other free software...

Apple is still breaking things, this time with serious security and privacy implications.
