Showing posts with label Open Source. Show all posts

Friday, December 5, 2014

ALERT: A Software Security Transparency Breach Warning

(Image credit:  Wikipedia.org)

We've witnessed what happens when changes in source code to intentionally insert rogue code go unnoticed.

The example of how the NSA intentionally inserted weakened string constants into Elliptic Curve Cryptography lay hidden for several years, in fact, and was only exposed by a languishing open Red Hat trouble ticket.  What was odd was how, given the potential seriousness of the incident, no action was being taken to look at the source code and change it.  As more comments were appended to the ticket, the level of suspicion grew to the point where NIST was forced to open up an investigation.

It was a potential public relations disaster in the making for them, as they pleaded being unaware of what the NSA had done.  Immediately, the code base was opened up for public comment.  The code has since received a thorough going over, particularly those merged diffs that sourced from the NSA and corrective action was taken.

But, this was a roadside billboard that should have alerted everyone in the FOSS Community to the realization that every corner of FOSS should be revisited for a thorough security review and vetting.

Code obfuscation should be a 'red flag' to anyone who has seen it.  The first concern should be:  Why is this code obfuscated?  If there isn't good documentation giving a reason for doing so, then, it's time to dig in and find out what the code is or isn't doing, at the very least.

It is believed, however, that relative to all FOSS code, little obfuscated code exists.

It would be most difficult to secrete rogue code otherwise, as it must pass several levels of code review to reach final merge.

This is why it is an imperative that the FOSS Community become rigid and not deviate on the issue of Security Transparency.

Security Transparency assurance can be guaranteed if and only if ALL source code is vetted independently by more than one project maintainer.  Oversight must be maintained, and all Linux Distribution binaries which don't provide accompanying GNU General Public License (GPL) source code should be rejected out of hand as not just a license violation but also a breach of Security Transparency.

That being the case, Linux Advocates is taking a position against the following software vendor sources of 'semi-open' code bases.  They are:

  • Google ChromeOS
  • Google Chrome Browser
  • Opera Browser

Linux Advocates categorically does not support using the above-listed products which include a mix of open source and proprietary code.  There is an attendant heightened risk of exposure to cyber attack and exploitation when using any non-FOSS proprietary stack implementation on your computing device.

Enforce Security Transparency by insisting on using Linux with GPL open source code only.  -- Dietrich

Wednesday, November 19, 2014

Debian on Death's Doorstep: Developers Resist Systemd by Resigning

Is Debian Dying?


There is no shortage of consternation brewing over on the Debian Debacle Cul-de-sac where the nattering nabobs of negativity have forced yet another vote taking for the decoupling (or not) of the current plan to migrate to a replacement for sysvinit system.

The votes are in and it would appear no change in plans will take place.

So, it's full steam ahead with standards-compliant systemd replacing the aged sysvinit middle-ware design.




What lies ahead?  Much discussion preceding the vote taking took place including the proposition of forking Debian.  Yes.  A fork.

And, despite the issue of migrating over 40,000 applications, the proposition is still being taken seriously.

From my vantage point, Debian has always been a 'speed bump' on the road to innovation.  Their software management policy is simply unacceptable in today's world where life can change in a New York Minute.

The concern for those Debian derivatives, of which there are many, should be that delays in moving forward on systemd continue to mount.

Canonical Ltd.'s Mark Shuttleworth has intimated in a question and answer session (video) including Mir, their Wayland alternative, won't happen any sooner than 2016.  I predict that there will be further delay as other unforeseen Debian issues present during their migration to systemd support.

Developers of Debian derivatives and application software ought to be giving serious consideration to the overall 'health status' of their beloved operating system.  They have their work cut out for themselves.  Not only must their Distro middle-ware be modified, but also the applications that run on it.  That is a 'double-whammy' and I'd suspect that when the going gets tough, you'll hear more kvetching and see Developers who can't knuckle-under hitting the exit doors seeking to retire their Derivative or joining up in the RPM camp.  I hope that the latter will be their preference.

Looking at the above chart from Wikipedia showing those major Distros that have adopted systemd, both Debian and Ubuntu stand out and, as a result, all their derivatives will fall into the same status until Debian can reach a stable systemd plateau.  It is interesting to note Gentoo and Slackware have indicated no plan to change over to systemd.

Are these indications that Debian is in the midst of her final initial death throes?

If developers align to advocating for a Fork, then the demise of Debian may well soon follow as a wholesale 'plate tectonic shift' occurs.

As for Me, I am wagering Debian's days are numbered.  What say you?


Saturday, September 27, 2014

Public Computer Security Misperceptions Abound

Gmail Google Phishing Message

Generally, I try to avoid giving out unsolicited advice, but, sometimes, will reflexively do so, especially for a friend who I know encountered some kind of "Windows" security issue.

Well, a friend posted up a Gmail message they had received, out of concern, to make their circle of friends aware of it.

It is of the email 'click-bait' variety.  They all work the same on legacy Windows (x86) from present 8.1 back to Windows 2000.  The commonality is that all versions share the same core WinNT design that Microsoft cannot change as it will 'break' Enterprise software badly.

No, it's more what I call "shooting fish in a barrel" or "taking candy from a baby".  The email sent to the unwary Windows user is 'socially engineered' to steer them to opening the email and/or attachment, either of which (on Windows) will spawn JavaScript to download and inject DLL code and run it all silently, unbeknownst to the user -- until, of course, it's too late, when suddenly a rogue fake security warning comes up or the dreaded CryptoLocker virus has just finished locking the user out of their system (encrypting the hard drive) and very professionally offers up a screen of credit card options for making payment, which will unlock said PC.  CryptoLocker is becoming endemic.

So, my weak moment was to offer unsolicited advice to the poster of Drive-by threats inherent in the use of Windows.  This kind of advice was coupled to my 'standard' recommendation to the poster to consider switching to Linux which I have used since 2005.

I've been in the IT business for 20 years and ought to know something at this point in my life about issues regarding computer security, one would think.  Yet, despite offering up this kind of friendly advice, there is always the random respondent who turns up and shows his/her ignorance with great facility, I might add.  Here are their remarks:


"I hate this kind "commercial" attitude some people have. I don't like Linux. It may be the safest whatever OS and good for servers. But I don't like it. How can someone possibly even think Linux is safer when it's open source for God's sake the only reason Linux is safe is because is not as popular as windows yet. Maybe it might become that much popular and be used almost everywhere but as far as I'm concerned almost all companies and 90 % of the users worldwide are still on windows. That is why it's the most vulnerable because if I was a criminal who would I attack? A bigger area of effect obviously.
How little people think nowadays really. Thank you for your kind offer but I'm not going to an open source program. Keep your eyes open for "these kind of threats" and alert others.
No operating system that is on the internet is safe. Not even Linux. Linux has one of the biggest issues if anything for being open source. If anything attacking the Linux website one day for example and their downloads and all other server connections they have would  compromise absolutely every single user and you do not need to be a computer tech to realize that. 
Thank you, but no. Have a wonderful day. :)"

Okay, instead of responding in my friend's post, I chose to submit to her woeful ignorance and put things into perspective here point by point:

1) "I hate this kind "commercial" attitude some people have."


Commercial?  This was posted to a 'friend' for her benefit and so wasn't a commercial or if she meant an endeavor to profit, Linux is FREE.  It wasn't motivated by money.

2) "How can someone possibly even think Linux is safer when it's open source for God's sake."


Huh?  The user presumably associates the word 'open' with some form of security vulnerability like 'leaving the door open'?  One of the cornerstones of Linux is its GNU Public License for sharing the entire source code base and making changes to it freely.  Because of this, users of Linux enjoy true "Transparency", which means many eyes (more so than what Microsoft has in employee headcount) around the globe are looking at and vetting source code to ensure no rogue code insertion occurs.  Unlike Linux, Windows is proprietary and the end-user cannot see their source code, cannot copy it, and thus has NO idea whatsoever what the employees of legacy Windows did or did not do to the code base.  Being proprietary means, effectively, Microsoft can write the operating system and applications however they wish, and that includes code insertion of functionality like 'back doors'.

Yep, back doors exist in Windows for both Microsoft's use and for their partnering governmental agencies which wish to access your PC.  They come and go silently with impunity.  After you've thought about that for a minute, go find some black electric tape and place it over your Laptop's camera, mmmkay?

This doesn't even speak to the unfixed zero-day exploits present and hidden because Microsoft's code base is not viewable by anyone other than their privileged but shrinking staff of programmers most of whom didn't write the original code and might not have a clue as to how to go about changing it.  Those programmers left 5-10-15 years ago.  So, Zero-Day exploits are rampant, and, the hackers that have discovered them sell their exploits on the black market to people on the other side of the globe who want access to you, usually for money.

Microsoft code doesn't get continually refactored like Linux and vetted for safety.  It gets written and then forgotten.  Their maintainers will fix what they can if they can do so without breaking the system, but their resources are limited.

3) "Linux is safe is because is not as popular as windows yet."


Oh right.  The security by obscurity argument.  Alright let me explain the central security issue with Windows:

If an exploit (drive-by, email attachment, same difference) on Windows is 'successful' in running, it will make its own SYSTEM call() to perform an 'Administrative' function.  It is at this point that Windows should stop to check on what that 'action' is and what process id (parent) is making the call.  It doesn't.  Nope.  Once the exploit gets a toehold, it proceeds to run administratively with no other cross-check security mechanism.  Got that?  Your PC is officially owned.

With Fedora Linux, you have what is called sandboxing technology.  SELinux, a Linux Security Module (LSM), binds to the kernel at bootstrap and maintains a 'hook' API in the SYSTEM kernel.  This 'hook' gets called on each granular system administrative process invoked on Linux.  SELinux (the Sandbox or Mandatory Access Control) cross-checks each discrete action against its policy group for the calling app and, if it isn't an allowed action, on returning from the hook it sends a 'deny' to the kernel.  The rogue code, the exploit, is stopped cold.

It doesn't matter from whence it came, the sandbox blocks it from getting a toehold in Fedora Linux.
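The 'deny' described above is recorded as an AVC message in the audit log, and reading those messages shows which calling domain was stopped from doing what. The following is an added example, not part of the original post: it parses AVC lines and separates denials that were actually blocked from denials that were only logged because the domain or system was permissive. The log lines are constructed samples, and `parse_avc` and `summarize` are illustrative names.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1411833600.101:410): avc:  denied  { write } for  pid=2211 comm="httpd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1411833601.250:411): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1411833601.250:411): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1411833700.007:502): avc:  denied  { read open } for  pid=3090 comm="mozilla-plugin" path="/home/u/.ssh/id_rsa" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    # The level can itself contain colons (s0-s0:c0.c1023), so split at most 3 times.
    return context.split(":", 3)[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        source_type = context_type(fields["scontext"])
        target_type = context_type(fields["tcontext"])
    except (KeyError, IndexError):
        return None  # malformed record: no usable security contexts
    # permissive=0 means the kernel enforced the decision; permissive=1 means
    # the access was logged but allowed. The field may be absent, in which
    # case enforcement is unknown and the record is not counted as blocked.
    permissive = fields.get("permissive")
    denied = m.group("decision") == "denied"
    return {
        "serial": int(m.group("serial")),
        "comm": fields.get("comm"),
        "source_type": source_type,
        "target_type": target_type,
        "tclass": fields.get("tclass"),
        "perms": tuple(m.group("perms").split()),
        "blocked": denied and permissive == "0",
        "logged_only": denied and permissive == "1",
    }


def summarize(log_text):
    """Count blocked and logged-only denials per (source, target, class, perms)."""
    blocked, logged_only = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
        if rec["blocked"]:
            blocked[key] += 1
        elif rec["logged_only"]:
            logged_only[key] += 1
    return blocked, logged_only


if __name__ == "__main__":
    blocked, logged_only = summarize(SAMPLE_LOG)
    for key, n in blocked.items():
        print("BLOCKED    ", n, key)
    for key, n in logged_only.items():
        print("LOGGED ONLY", n, key)
```

Entries in the logged-only bucket are the ones to review first, since the policy objected to the access but the kernel let it proceed.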

Windows Legacy users?  To you I say: Go with God.

Fedora Linux: The safest operating system on the Planet.
I stake my reputation on it.  -- Dietrich



Friday, August 29, 2014

Firefox Sponsored Tiles Advert Strategy: Do You Object?

Mozilla Firefox nightly builds now include Sponsored Tiles on the 'New Tab' page
Here is the issue:  Firefox has survived on Advertisement revenue right along.  Yes?   Most of their revenue is based on a contract with Google which has been confirmed will end in November 2014, unless Google has a change of heart and renews.

Consequently, Mozilla is looking at contingency planning and has now added Sponsored Tiles to their nightly Firefox builds.  Sponsored Tiles appear on the 'New Tab' page and won't appear in your regular browser stream.  Being found on the New Tab page means they won't get blocked by tools like Adblock.

Remember, Mozilla is an Open Source company and this will help them to continue to fund Firefox development and continue to expand Mozilla Corporation at the same time.

So, I am fine with it, as long as Firefox remains Open Source.  What say you?  -- Dietrich

Wednesday, August 27, 2014

Patch as Patch Can

(Image credit:  theregister.co.uk)

What happens when you use proprietary code?  This story from The Register is quite representative.

Yes.  Google Chrome is proprietary.  Chromium is Open Source.

Open Source Chromium gets looked at by 'many eyes', and that is by Contributors across the Globe, Folks.

Bugs get fixed quickly.

With any piece of proprietary code, including Chrome, only the employees who work as developers can make fixes to source code, no one else.  Unlike Open Source, Proprietary source code is not made accessible to the general public.  Only the binary executables get distributed.

It's a classic problem and has led to a perpetual treadmill of security issues for Microsoft Windows Legacy (x86), and the litany continues unabated to such an extent that Microsoft now wants to change the name of Internet Explorer to remove some of the legitimate stigma involved with user market perception.  It ain't gonna work.  The horse is out the barn door.

No, in fact, I made a policy decision some time ago not to use proprietary software whatsoever and wrote specifically about Google Chrome.

So, I strongly urge the readers to avoid Chrome like the plague and stick with Open Source developed software only, such as Chromium.

As for myself, I have Open Source dwb and Chromium installed, but use dwb 95% of the time.  dwb is written in pure C with gtk2/3 bindings and a webkit back-end on steroids.  It is understated, spartan, greased-lightning fast, and super lightweight with a 75MB startup RAM footprint.  Highly recommended.  Chromium is the easier of the two to install and use and will gobble up as much RAM as it can find but, then, it has all the bells and whistles going for it.  -- Dietrich

Saturday, May 3, 2014

It's Love All Over Again With New Improved Mozilla Firefox 29

Firefox logo (Photo credit: Titanas)
by Dietrich Schmitz

I go back to a time when in Linux Firefox didn't exist.  Then, I used Mozilla.  For me, Mozilla Application Suite, a fork of Netscape's Communicator, was the best browser available in Linux Distro-Land and when it came out with 'Tabbed-browsing' I thought that was the greatest thing since sliced bread.

It was 'love at first sight'.  My infatuation with Mozilla grew and I became a loyal user overnight.

Enter Mozilla Firefox.  The genesis of Firefox was born out of many of Mozilla's features and overnight it became a hit.

Naturally, I switched away from Mozilla to Open Source Firefox and remain a loyal user.

Today, when I think about Open Source, I cannot stress its importance enough.  The need for Transparency in today's world has become magnified by world events and the increased public awareness that software can be exploited for nefarious purposes has become all the more clear.

How can we overcome such exploitation?  I believe that Open Source is vital to ensuring that rogue software exploit code becomes a thing of the past.  Proprietary code, that which cannot be seen, vetted with oversight by the general public, has the increased potential to become exploited on various levels.

Take for example something as simple as your average Microsoft Windows license.  Most people never read it.  And nobody other than Microsoft's programmers knows what is specifically in their code base on an intimate level.


How did Stuxnet happen?  


I am inclined to believe, it could not have happened if Windows was Open Source and I am also inclined to believe that it could not have happened without Microsoft's participation on some level.  There are 'back doors' into Windows legacy (x86) software, of that I am sure.

These 'back doors' are undocumented APIs which facilitate various control levels and, depending on the need, Microsoft shares those APIs with law enforcement and governmental agencies who request their assistance, unbeknownst to the general public.

This is only possible if the code base is proprietary and thus the programming APIs remain hidden.  And, proprietary being what it is, the ability to not disclose the full extent of how software governs itself is always an option and that is why I believe Proprietary Software = Exploitation.

Recently, I wrote WARNING: Google Chrome UNSAFE FOR GENERAL USE.
In that story, I disclosed my decision to stop using Chrome was based on its not being Open Source.


With world events in mind, Stuxnet, North Korean satellite launch systems (Windows) disabled, Flight 370 Boeing 777 'fly by wire' remote control software being undocumented and alleged to have been used for controlling and diverting said flight, I remain a staunch Advocate of Open Source and Transparency.

Just the other day Mozilla released their newest version of Firefox, version 29.

My good Friend Igor has scorned the design decisions made by Mozilla.  Okay, let's get it out of the way -- it 'looks' (to a degree) like Chrome.  But, if you really stop to think -- so what?  These are critical usability design considerations which I feel, on net, make Firefox all the more usable and at the same time extend its feature set with new much-welcomed rich functionality.

Firefox 29: A big win for Mozilla.  


When you combine the open source features of Firefox with the vast repository of plugins at users' disposal, the result is a powerhouse web browser.  There is no equivocating on that!

In fact, I'll go as far as to say, I am in love all over again with Firefox and would like to thank the Mozilla Firefox Developer Team for all the innovative work done to date.


Thank you.  Thank you.  -- Dietrich

Monday, April 21, 2014

WARNING: Google Chrome UNSAFE FOR GENERAL USE

by Dietrich Schmitz


You read that right.  I deem Google's proprietary Chrome (Freeware License) browser UNSAFE FOR GENERAL USE.

I can't make it any clearer than that.

Why is Google's Chrome browser unsafe?

It's pretty simple.  Google chose to not allow Chrome's code base to be shareable to the general public.

For your purposes, that means it doesn't operate under Open Source GNU General Public License v2 (GPLv2) license terms, which would allow the entire code base to be independently vetted by external audit for hidden vulnerabilities and exploits that may be resident, much like Heartbleed in OpenSSL and NIST's Elliptic Curve Cryptography (ECC), which was discovered to have been weakened by the NSA.  The aforementioned rogue bugs lay hidden for quite some time, exploitable to those who knew of their presence.

The only ray of sunshine is that their source code is open source, which allowed discovery and corrective action to be taken.

Sadly, one has to draw the line in today's world.  We know the score with the NSA.  The Fox is in the hen house and now it's time to take action.

Severe action is needed.  


Accordingly, I am putting Google on notice and charging them with knowledge that their code base is 'closed' to the general public and must be 'opened' for independent external audit to assure no vulnerabilities exist of any kind (excluding discovered defects in Chrome's upstream dependencies).

It's no more Google Chrome for me.  And I hope you will follow suit.

Take action.  Switch to a 100% open source browser, like Mozilla's Firefox or Midori or Gnome's Web or KDE's Konqueror today.

I would remind the readers that despite assurances from Google to consumers that their privacy remains intact, it turns out last year that the NSA were able to drill through Google's SSL firewall and pitch camp on the inside for an unspecified period of time, unbeknownst to Google, as they sampled the clear text unencrypted Gmail and Drive meta data belonging to you.  Of course, publicly Google expressed outrage for what the NSA had done.

But actions speak louder than words.  You see, Google has had ample time to formally announce and roll out strong encryption for Gmail and Drive for their consumer-facing services.  To date, they have done nothing.  


Yet, on their commercial service side, they quickly reacted to the Fox in the Hen House last year and put in place FIPS governmental standard strong encryption.  

Corporate America is 'big business'.  Consumers play second fiddle, and because Google state in a revised language TOS agreement that they parse your clear text meta data to generate advertising revenue, the message to the consumer is that 'profit' takes precedence over their privacy.  

That is simply unacceptable and quite worrisome despite the 'lip service' they have given on tightening up their SSL standard.

No, consumer data, yours, is still sitting in clear text drive storage medium in the Gmail / Drive cloud where it can be read at will if/as/when it suits Google and/or any other governmental agency.

And, with Chrome being closed source, there is no way to know for sure what is or isn't happening during your Internet browser sessions, is there?


Dear Reader, switching to open source is the only way that Security through Transparency can be achieved.  Do it today.

Google Chrome is UNSAFE FOR GENERAL USE.


-- Dietrich



Friday, April 18, 2014

Advocating for Security through Transparency

by Dietrich Schmitz




That's a screen shot (below) of the BitBucket repository for commits to ongoing development of dwb (dynamic web browser).

Oh, that's nice.  What's my point?

dwb is 100% pure GNU Public Licensed code. That means you, anyone, developers, users, the world, can see it, change it, for free. That has always been the basis for GPLv2 and the primary reason why I opt to use dwb. Want to know what's going on with their code? Help yourself -- look around. Only, don't forget to turn the lights out when you leave. ;)


dwb (dynamic web browser) BitBucket repository commits page

You don't get that with Google's Chrome. Nope. Sorry. They won't let you see their code base. Of course, they are within their legal rights to do so, but, that doesn't mean I have to use their browser if I cannot know what it is doing, do I?

Ask yourself this question: Notice lately how Google Plus will periodically 'freeze' with the cpu utilization at 100%? 


What are they doing exactly?  (Shrugs)

That's Chrome doing whatever it does. :/ Whatever has a big question mark hanging over it for me.  My confidence in Google to 'Do No Evil' has fallen dramatically in the past 9 months since the Edward Snowden NSA Prism and other revelations.

You see, 'proprietary code' (not open source) often leads to some level of exploitation for commercial or 'other' purposes. Because Chrome is 'closed source', we cannot know for certain 'if' Google cooperates in some capacity with governmental information collection and sharing. That's because there is no public access for review of their code base, unlike dwb.

Taking the overt step to use dwb is my personal choice.  Yours may be different, but, if you truly believe in the power we (Humanity) hold over the "ne'er-do-wells" of the world by embracing Open Source, then I urge you to make it your policy to not use proprietary software.  Take a stand and fight back. Set an example for others to follow and use only open source applications, such as dwb and Mozilla Firefox, for the sake of security through transparency.

-- Dietrich

Friday, March 28, 2014

Boycott Mozilla: CEO Brendan Eich Reveals Gay Bias

By Dietrich Schmitz

[Edit 4/3/2014 17:00 GMT-5: Brendan Eich steps down as Mozilla CEO ]

 

It never ceases to amaze me how narrow-minded and judgmental people can be.  Scary even.

I have worked with many people from different walks of life and can tell you that first-hand experience tells me that 'intolerance' is a form of hatred and leads to extremism.  The world is filled with extremists who unfortunately seek to further their own agendas at the expense of others, and who have created misery and death.

So, that makes me what?  Anti-Extremist?  I hope so.  And I really don't like to see when a cross-section of 'Human Beings' is simply marginalized as though they should not be conferred equal rights.

It's time to take a stand against recently appointed Mozilla CEO Brendan Eich who has taken sides on Proposition 8 in favor of restricting the right to marry to heterosexuals only.

Gay people who want to marry, should, I believe, have as much a right to do so as any other sexually-oriented group.  Their love for one another is just as strong as yours and mine.  They feel the same things we do, share the same life hopes and desires, and deserve like treatment.  That should be obvious.  Sadly, it is not.

With that, I am making a statement:


If Brendan Eich does not step down from Mozilla, I will no longer use any Mozilla product whatsoever.


It is wrong in my judgment and Mozilla need a CEO who is 'fair and balanced' with respect not only to technical acumen but also with how they relate to others in real-world terms.

Thus, Dear Reader, I ask you to join me in boycotting Mozilla as well.

Collectively, we can influence Mozilla Governance to reconsider appointing a qualified replacement CEO candidate having unbiased, even-handed thinking.

-- Dietrich


Tuesday, January 21, 2014

Linux Consolidation Continues: CentOS Joins Red Hat

by Dietrich Schmitz


The news that CentOS has joined the Red Hat family is positive.

"With today's announcement, Red Hat extends its commitment to rapid open source technology and solution development to deliver:

Commercial development and deployment:
  • Red Hat Enterprise Linux, the world's leading enterprise Linux platform, offering an extensive ecosystem of partners, a comprehensive portfolio of certified hardware and software offerings, and Red Hat's award winning support, consulting, and training services. Red Hat subscriptions deliver this value combined with access to the industry's most extensive ecosystem of partners, customers, and Linux experts to support and accelerate success.  
  • Community integration beyond the operating system: CentOS, a community-supported and produced Linux distribution that draws on Red Hat Enterprise Linux and other open source technologies to provide a platform that's open to variation. CentOS provides a base for community adoption and integration of open source cloud, storage, network, and infrastructure technologies on a Red Hat-based platform.  
  • Operating system innovation across the stack: Fedora, a community-supported and produced Linux distribution that makes it easy for users to consume and contribute to leading-edge open source technologies from the kernel to the cloud. As a cutting edge development platform where every level of the stack is open to revision and improvement, Fedora will continue to serve as the upstream project on which future Red Hat Enterprise Linux releases are based."


The news is most positive in the sense that money doesn't grow on trees and funding to continue ongoing development has to come from somewhere.  I've maintained that this year, 2014, and going forward there will be an overall major consolidation of Linux Distributions as many will drop out by attrition and lack of financial ability to continue.

Last year, we saw evidence of that underway with first Fuduntu's demise, then Cloverleaf and SolusOS.  

However willing developers may be to work on Linux, the harsh reality is that one must have an income to sustain oneself, without which doing any sort of extracurricular project and particularly on a voluntary basis becomes exceedingly difficult if not impossible.




With that said, CentOS Project Leader +Karanbir Singh (left) shared some of his insights with +The Linux Foundation's esteemed +Libby Clark.

In Q&A fashion, here's some of what Karanbir had to say:





 "...Ten years ago when some of us were getting together to start the project, the aim was to get 300 people to use it, that was fantastic. From our perspective it's been fairly successful. How we define success is to build something we would use and that comes back to the user-driven approach. We cared about how things worked, where they worked, and overall it worked out well having that user perspective. 
I've never worked for a big open source company before but I hope to bring that user perspective to Red Hat and what I'll take away is a large approach to user communities and hopefully manage that better. 

Otherwise, not much has changed. They sent me a phone and a laptop and that's how it's going to go. I feel quite privileged to have this opportunity to focus on the CentOS larger ecosystem side of things." 

... 

"...There's been no money involved in the project. We have a bank account that's never had more than a couple hundred dollars for printing t-shirts for events. This is the first time there's a group of people 'professionally' working on CentOS as a platform (emphasis mine). 
How CentOS used to happen was some of us would go to work and then work another 40 hours a week on CentOS. You can't sustain 80 hours a week. The reason I did it wasn't for compensation, it was because I wanted to."

Clearly, having a big organization the likes of Red Hat will help fuel development efforts at CentOS.  And, as has been seen with Fedora, Red Hat understands well how to cultivate and nurture community-led research and development.  Assuming CentOS finds its way into the Fedora community of spins, it will round out and close a big gap in server-side offerings.

Here's wishing the CentOS Distro Team the best of luck in their new relationship.

-- Dietrich

Sunday, January 12, 2014

Top 5 Linux Desktops: Where Do You Want to Go Today?

by Dietrich Schmitz

Overview


No one can disagree: the level of choice one has for coupling a graphical user interface to Linux to achieve the Linux Desktop metaphor has grown and become quite extensive. (Image right: Fedora 20 Desktop Edition)

By comparison, Apple's OSX and Microsoft's Windows legacy x86 7/8 have little choice to offer, by default.

I've been thinking about whether having so much choice is a good thing or not.  Certainly everyone understands that 'choice' is a tenet or, if you will, a cornerstone of Open Source and Linux, and that it breeds variety and stimulates creativity.

But to temper one's thoughts, should it come with a level of restraint lest we find ourselves ultimately floundering with 'too much choice'?  That is an important question and distinction.

If one considers the abstraction 'Linux Desktop', one may not necessarily and reflexively fix their mind on a singular idea of what that is.  No, there are quite a few good choices one can make insofar as which GUI to use.  Might there be a 'down side' to having so much choice?

Newcomers to Apple Macs know the GUI will always be what Apple provides -- one and only one GUI.

Newcomers to Microsoft Windows will have the same expectation.

And now, upcoming Google Chromebook provides uniformity of its own.

These three commercial products are designed not to encourage decoupling the GUI from the kernel.  The technophile may try to do so, but by and large, consumers in the larger mass market accept without conscious thought the packaging and presentation as found and just use a given product, because 'it works' for them, by design.

That reduces common denominators dramatically and allows a large degree of standardization to be fostered.

With Linux, the story is different.  For example, the commercial Distros Red Hat and Ubuntu Linux offer one GUI.  That makes sense as far as the aforementioned is concerned, providing consistency across varying hardware platforms, along with meeting user expectation.  If assumptions can be made on how software behaves then cost of operation will also be lowered appreciably.

On the community side of Linux, we have a garden variety of multiple GUIs, package managers, Filesystem Hierarchy Standard variations, because with 'choice' comes the ability to depart from what was previously done.

Each Distro brings with it a variation or 'spin', if you will, on what constitutes a 'better mousetrap'.  The design goals can be modest to major departures from previous attempts.  In some cases, one might not be able to distinguish the difference between Distro A and Distro B.

Distrowatch Top Five



Taking a look at the 'Top 5' Distros listed on Distrowatch today (Image left: taken 1/12/2014 by DTS) we see Mint, Debian, Ubuntu, Mageia and Fedora are in the pack.

These 'players' have moved around a bit but for the most part have been dominant insofar as a Distrowatch measurement gives.  It's not scientific by any means, but, over time one can get a feel for where the modalities are.

So, is it safe to assume these are the top 5 players in the Linux Desktop market?  There is room for debate and if you have played 'horseshoes' in your life, you know that 'close' counts.

We are seeing a 'clustering' around these data points happening for a long period of time.  I don't think we'd be out on a limb to say they represent the most popular Distros in terms of traffic detected.

Then making that assumption, what GUIs appear to be used with each of these?  Let's take each one at a time.

Linux Mint

Linux Mint Lead Developer Clem Lefebvre has much to be proud of.  He has shown that a better mousetrap can be built, and the level of thought, fit and finish in his several 'spins' makes them worthy candidates for any newcomer to Linux.  In fact, I'd probably offer them to a newcomer before Fedora, my mainstay Desktop of choice.  Why?  They just work and nothing needs to be tweaked out of the box.  In its current incarnation, Linux Mint 16 "Petra", users have several GUIs from which to choose: KDE, Xfce, Cinnamon, and MATE.

At one revision, I believe 12, Mint offered an LXDE spin.  How I wish they'd bring that back.  But, Xfce works really well as lightweight GUIs go.

Interestingly, Mint doesn't offer a GNOME spin and no Enlightenment either.  Enlightenment just released version 18.  I feel Enlightenment is not getting the 'respect' that it deserves and the spins which offer it are few and far between.  Bodhi Linux is a good choice if you'd like a good out of the box experience.

Debian

Debian is the staid, pragmatist-favored Distro for reasons of intentional slow development to promote a stable operating environment.  If you want cutting edge technology, it won't be there by default.  The kernel will be at least 12 months old and packages will be likely aged the same.  As for GUIs, and if you want to stay in the present, you'll likely feel like you are living in the past if you opt for Debian's choices.  The website design hasn't changed much for many years, appears spartan, and if I were a new user, I'd be intimidated by it.  It certainly doesn't coddle the user by providing what I call user-friendly 'good guidance'.

It wouldn't cost much to improve its friendliness and that's why I won't ever have a new user first try Debian.  When you are drilled down to picking the isos from a barren directory tree structure, you'll find they offer GNOME, KDE, LXDE and Xfce 'flavored' isos.  Most will fit on a CD with 'overburn' but one or two require a DVD if you opt not to use a larger USB pen drive.

Ubuntu

To be fair, Canonical Ltd. has succeeded in making Ubuntu Linux a true 'user-friendly' experience.  From the moment you arrive on their website to downloading, to installing, you will be coddled and that breeds confidence.  As it should be, Ubuntu is made for commercial use and for the general consumer.  It is designed to fit most users' needs with just one GUI, called Unity.

Unity is the bastard child in the Open Source community, promulgated by Canonical Ltd.  But it has resulted in somewhat of a 'wedge' in upstream development standards.  Namely, despite their vocal support for nurturing and being behind Wayland, the follow-on new Display server standard to replace the aging and 'problematic' X.org, they did a switch of direction by choosing to write Xmir, a variant containing some of Wayland but mostly rewritten by the Canonical developer team.  As such, much contention has arisen around its development and the long story short is that Unity isn't supported by any other Distro.  It's an island.  It's how Canonical does things.  They are in full control of it.  So be it.  The long-term prognosis for Unity is unclear as more and more Distros hop on board with Wayland-driven technologies.  I would personally offer another spin of Ubuntu such as Kubuntu or Xubuntu before I would recommend Ubuntu.  Both will support Wayland going forward.

Mageia

Mageia is a community-based fork of commercial Mandriva Linux.  I cannot give you a statistic for it, but I would tend to believe that Mageia in terms of country of origin dominates in Europe since Mandriva was historically developed by a French concern.

Mageia is in the pack for very good reason and one need only go to their website to see that the level of professional work and finish is a 'cut above'.  It's the same level of polish as that of Ubuntu, only they offer a comprehensive list of GUIs that include:



  • KDE4 SC 4.10.2,
  • GNOME 3.6,
  • XFCE 4.10,
  • LXDE,
  • Razor-Qt,
  • E17.

Fedora

Fedora is my Distro of choice.  By default, Fedora 20 Desktop Linux Edition installs GNOME 3.10.x.  In their 'family' of spins one will find GUIs of KDE, Xfce, LXDE, and MATE.



 

Conclusion

It would appear that Fedora is the only Distro that offers their default Desktop with GNOME.  I would add that this is the first experience I have had with GNOME in a long time where I feel that it has reached a plateau of usability in version 3.10.  It's not perfect and there are issues for the more technically inclined who quickly hit limitations, but for a newcomer and 'Joe Six-pack', I feel that Fedora 20 Desktop Edition is more than 'adequate' to get the job done in GNOME 3.10.

Looking at Mint 16 Petra's other 4 Distros, Mint seems to premiere KDE, and Cinnamon and MATE provide good GNOME alternatives, while Xfce offers Gtk2/3 support going forward and no GNOME dependencies.

Canonical Ltd. continues to chart their own course doing many things that simply depart from common sense.  Unity, being what it is, will still give new users ease of use, and the work done to keep to a standard and polished commercial product stands out, nonetheless.

I expect to see continuing big things from Mageia.  While they tend to lumber along, they are dealing with a lot of moving parts so necessarily must be pragmatic and plan their changes carefully, executing them in good time.  They are worth waiting for, whatever they bring to the next major revision level.

Debian are probably not going to change a lot in terms of their software policy management and so while work continues on the next Debian 8, it will be slow coming.  The Distro spins and website could use a major face lift.  Get out of that '90s Yahoo look.  Is Debian a 'speed bump'?  Yep.

Mint stays firmly entrenched in the top 5 slot numero uno and for good reason.  The reputation and expectation is that one can quickly, easily install any flavor of Mint and hit the ground running.  Just use.  Mint doesn't include GNOME but makes up for it with a set of jewel-like Distros, shiny and ready to go to work for you.

That's it for now.  Let me know what you think.  -- Dietrich
