RHSA-2018:1275-1: Important: redhat-virtualization-host security update

Red Hat Enterprise Linux: An update for redhat-release-virtualization-host and redhat-virtualization-host
is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2018-1088

RHSA-2018:1274-1: Low: python-paramiko security, bug fix, and enhancement update

Red Hat Enterprise Linux: An update for python-paramiko is now available for Red Hat Virtualization 4
Management Agent for RHEL 7 and Red Hat Virtualization Manager 4.1.

Red Hat Product Security has rated this update as having a security impact of
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2018-7750

THRONES OF BRITANNIA Coming Soon to Linux, NVIDIA Tesla V100 GPUs Now on Google Cloud, LINBIT Announces LINSTOR and More

News briefs for May 2, 2018.

Feral Interactive tweeted yesterday that THRONES OF BRITANNIA will be
released for Linux soon: “We are closing fast on the macOS and Linux
versions, and are currently *aiming* for macOS and Linux releases one to
two months after the Windows release on May 3rd.”

Google Cloud announced this week that NVIDIA Tesla V100 GPUs (beta) are now
available on Google Compute Engine and Kubernetes Engine. According to the
ZDNet story, “The Tesla V100 GPU equates to 100 CPUs, giving customers more
power to handle computationally demanding applications, like machine
learning, analytics, and video processing.”

LINBIT recently announced
the public beta of LINSTOR, “new open-source software-defined storage
available for Kubernetes and OpenShift environments”. According to the LINBIT
announcement, “LINSTOR takes advantage of DRBD, a part of the Linux kernel
for nearly a decade, to deliver fast and reliable data replication. By
simplifying storage cluster configuration and ongoing management, then
plugging into cloud and container front-ends, users get the resilient
infrastructure they need while retaining flexibility to choose vendors.”

Red Hat and the Kubernetes community yesterday announced the Operator Framework, a new
open-source toolkit for “managing Kubernetes native applications, called
Operators, in a more effective, automated and scalable way”.
They describe the concept like this: “an Operator takes human operational
knowledge and encodes it into software that is more easily packaged and
shared with consumers. Think of an Operator as an extension of the software
vendor’s engineering team that watches over your Kubernetes environment
and uses its current state to make decisions in milliseconds.”

Google Cloud yesterday launched Cloud Composer (beta), a “fully
managed workflow orchestration service built on Apache Airflow”. Cloud Composer “empowers you to author, schedule, and monitor pipelines that span
across clouds and on-premises data centers”. Also, as it is built on the
open-source Apache Airflow project and operated with Python, Cloud Composer
is “free from lock-in and easy to use”. See the TechCrunch story for more
details.

The GDPR Takes Open Source to the Next Level

Glyn Moody
Wed, 05/02/2018 – 07:00

Richard Stallman will love the new GDPR.

It’s not every day that a new law comes into force that will
have major implications for digital industries around the
globe. It’s even rarer when such a law will also bolster free
software’s underlying philosophy. But the European Union’s General Data
Protection Regulation (GDPR), which will be enforced from May 25, 2018, does
both of those things, making its appearance one of the most important
events in the history of open source.

Free software is famously about freedom, not free beverages:

“Free software” means software that respects users’
freedom and community. Roughly, it means that the users have the freedom
to run, copy, distribute, study, change and improve the software. Thus,
“free software” is a matter of liberty, not price. To understand the
concept, you should think of “free” as in “free speech,” not as
in “free beer”.

Richard Stallman’s great campaign to empower individuals by
enabling them to choose software that is under their control has
succeeded to the extent that anyone now can choose from among
a wide range of free software programs and avoid proprietary
lock-in. But a few years back, Stallman realized there was a
new threat to freedom: cloud computing. As he told The Guardian
in 2008:

One reason you should not use web applications to do your
computing is that you lose control. It’s just as bad as using
a proprietary program. Do your own computing on your own computer with
your copy of a freedom-respecting program. If you use a proprietary
program or somebody else’s web server, you’re defenseless. You’re putty
in the hands of whoever developed that software.

Stallman pointed out that running a free software
operating system—for example Google’s ChromeOS—offered no
protection against this loss of control. Nor does
requiring the cloud computing service to use the GNU Affero
GPL license solve the problem: just because users have access to
the underlying code that is running on the servers does not mean they
are in the driver’s seat. The real problem lies not with the code,
but elsewhere—with the data.

Running free software on your own computer, you obviously retain control
of your own data. But that’s not the case with cloud computing services—or, indeed, most online services, such as e-commerce sites or social
networks. There, highly personal data about you is routinely held by
the companies in question. Whether or not they run their servers on open-source code—as most now do—is irrelevant; what matters is that they
control your data—and you don’t.

The new GDPR changes all that. Just as free software seeks to empower
individuals by giving them control over the code they run, so the GDPR
empowers people by giving them the ability to control their personal
data, wherever it is stored, and whichever company is processing it.
The GDPR will have a massive impact on the entire online world because
its reach is global,
as this EU website on the subject explains:

The GDPR not only applies to organisations located within
the EU but it will also apply to organisations located outside of the
EU if they offer goods or services to, or monitor the behaviour of,
EU data subjects. It applies to all companies processing and holding
the personal data of data subjects residing in the European Union,
regardless of the company’s location.

And if you think that the internet giants based outside
the EU will simply ignore the GDPR, think again: under
the legislation, companies that fail to comply with the new
regulation can be fined up to 4% of their global turnover,
wherever they are based. Google’s total turnover last year was $110
billion, which means that non-compliance could cost it $4.4 billion.
Those kinds of figures guarantee that every business in the world that has
dealings with EU citizens anywhere, in any way, will be fully implementing
the GDPR. In effect, the GDPR will be a privacy law for the whole world,
and the whole world will benefit. According to a report in the Financial
Times last year, the top 500 companies in the US alone will spend $7.8
billion in order to meet the new rules (paywall). The recent scandal over
Cambridge Analytica’s massive collection of personal data using a Facebook
app is likely to increase pressure globally on businesses to strengthen their
protections for personal data for everyone, not just for EU citizens.

The GDPR’s main features are as follows.
Consent to data processing “must be clear
and distinguishable from other matters and provided in an intelligible
and easily accessible form, using clear and plain language. It must be as
easy to withdraw consent as it is to give it.”
Companies will no longer
be able to hide bad privacy policies in long and incomprehensible terms
and conditions.
The purpose of the data processing must be clearly
attached to the request for consent, and withdrawing consent must be as easy to do as giving it.

There are two important rights in the GDPR. The “right to access”
means people are able to find out from an organization whether or not
personal data concerning them is being processed, where and for what
purpose. They must be given a copy of the personal data, free of charge,
on request. That data must be in a “commonly used” and machine-readable
format so that it can be easily transferred to another service. The other
right is to data erasure, also known as the “right to be forgotten”.
This applies when data is no longer relevant to the original purposes
for processing, or people have withdrawn their consent. However, that
right is not absolute: the public interest in the availability of the
data may mean that it is not deleted.

One of the innovations of the GDPR is that it embraces “privacy by design and
default”. That is, privacy must be built in to technology from the
start and not added as an afterthought. In many ways, this mirrors free
software’s insistence that freedom must suffuse computer code, not be
regarded as something that can be bolted on afterward. The original Privacy
by Design framework explains what this will mean in practice:

Privacy must become integral to organizational priorities,
project objectives, design processes, and planning operations. Privacy
must be embedded into every standard, protocol and process that touches
our lives.

Open-source projects are probably in a good position to make
that happen, thanks to their transparent, flexible processes
and feedback mechanisms. In addition, under the GDPR, computer security
and encryption gain a heightened importance, not least because
there are new requirements for “breach notifications”. Both the relevant authorities
and those affected must
be informed rapidly of any breach. Again, open-source applications may
have an advantage here thanks to the ready availability of the source
code that can be examined for possible vulnerabilities. The new fines
for those who fail to comply with the breach notifications—up to 2%
of global turnover—could offer an additional incentive for companies
to require open-source solutions so that they have the option to look
for problems before they turn into expensive infractions of the GDPR.

It would be hard to overstate the importance of the GDPR, which will
have global ramifications for both the privacy sector in particular and
the digital world in general. Its impact on open source is more subtle,
but no less profound. Although it was never intended as such, it will
effectively address the key problem left unresolved by free software:
how to endow users with the same kind of control that they enjoy over
their own computers, when they use online services. As a result, May
25, 2018 should go down as the day when the freedom bestowed by open source
went up a notch.
