Microsoft Edge will let you control how much RAM it uses soon

Microsoft is working on a new feature for its Edge browser that will let you limit the amount of RAM it uses. Leopeva64, who is one of the best at finding new Edge features, has spotted a new settings section in test builds of the browser that includes a slider so you can limit how much RAM Edge gets access to. ↫ Tom Warren at The Verge

Isn’t it the operating system’s job to manage memory? It seems very archaic to manually set memory limits on an application, or am I totally out of touch?

Tribblix image structural changes

We’ve talked about Tribblix before on OSNews – it’s a distribution of illumos, built by Peter Tribble. In his latest blog post, Tribble details some of the changes he’s made to the live ISO and other images for the most recent release.

All along, there’s been an overlay (think a group package) called base-iso that lists the packages that are present in the live image. On installation, this is augmented with a few extra packages that you would expect to be present in a running system but which don’t make much sense in a live image, to construct the base system. You can add additional software, but the base is assumed to be present. The snag with this is that base-iso is very much a single-purpose generic concept. By its very nature it has to be minimal enough to not be overly bloated, yet contain as many drivers as necessary to handle the majority of systems. As such, the regular ISO image has fallen between 2 stools – it doesn’t have every single driver, so some systems won’t work, while it has a lot of unnecessary drivers for a lot of common use cases. ↫ Peter Tribble

Tribble then details how he addressed this issue, which is, unsurprisingly, rather clever. I’m not going to spoil it here, so go on over and read the details.

Improvements to static analysis in the GCC 14 compiler

I work at Red Hat on GCC, the GNU Compiler Collection. For the last five releases of GCC, I’ve been working on -fanalyzer, a static analysis pass that tries to identify various problems at compile-time, rather than at runtime. It performs “symbolic execution” of C source code—effectively simulating the behavior of the code along the various possible paths of execution through it. This article summarizes what’s new with -fanalyzer in GCC 14, which I hope will be officially released sometime in April 2024. ↫ David Malcolm

No matter how many more of you become a Patreon to keep OSNews alive, I’ll never be able to really add anything meaningful to articles like these.

KDE 6 release: D-Bus and Polkit galore

The SUSE security team restricts the installation of system wide D-Bus services and Polkit policies in openSUSE distributions and derived SUSE products. Any package that ships these features needs to be reviewed by us first, before it can be added to production repositories. In November, openSUSE KDE packagers approached us with a long list of KDE components for an upcoming KDE6 major release. The packages needed adjusted D-Bus and Polkit whitelistings due to renamed interfaces or other breaking changes. Looking into this many components at once was a unique experience that also led to new insights, which will be discussed in this article. For readers that are new to D-Bus and/or Polkit, the following sections offer a summary to get a better idea about these systems. ↫ Matthias Gerstner

You don’t get these kinds of in-depth looks at how a major new release like KDE 6 gets implemented in a popular distribution like openSUSE. What’s especially crazy is that this only really covers D-Bus and Polkit, and those are just two of the countless aspects of openSUSE affected by KDE 6.

How Stability AI’s founder tanked his billion-dollar startup

It was Stability’s armada of GPUs, the wildly powerful and equally expensive chips undergirding AI, that were so taxing the company’s finances. Hosted by AWS, they had long been one of Mostaque’s bragging points; he often touted them as one of the world’s 10 largest supercomputers. They were responsible for helping Stability’s researchers build and maintain one of the top AI image generators, as well as break important new ground on generative audio, video and 3D models. “Undeniably, Stability has continued to ship a lot of models,” said one former employee. “They may not have profited off of it, but the broader ecosystem benefitted in a huge, huge way.” But the costs associated with so much compute were now threatening to sink the company. According to an internal October financial forecast seen by Forbes, Stability was on track to spend $99 million on compute in 2023. It noted as well that Stability was “underpaying AWS bills for July (by $1M)” and “not planning to pay AWS at the end of October for August usage ($7M).” Then there were the September and October bills, plus $1 million owed to Google Cloud and $600,000 to GPU cloud data center CoreWeave. (Amazon, Google and CoreWeave declined to comment.) ↫ Kenrick Cai and Iain Martin

As a Dutch person, I can smell a popping bubble from a mile away, even if tulipmania is most likely anti-Dutch British propaganda. In all seriousness, there’s definitely signs that the insane energy and compute costs of artificial image and video generation in particular are rising at such an insane pace it’s simply unsustainable for the popularity of these tools to just keep rising. Eventually someone’s going to have to pay, and I wonder just how much regular people are willing to pay for this kind of stuff.

Amazon’s ‘Just Walk Out’ checkout system consisted of 1000 people in India watching you shop

Amazon is phasing out its checkout-less grocery stores with “Just Walk Out” technology, first reported by The Information Tuesday. The company’s senior vice president of grocery stores says they’re moving away from Just Walk Out, which relied on cameras and sensors to track what people were leaving the store with. Just over half of Amazon Fresh stores are equipped with Just Walk Out. The technology allows customers to skip checkout altogether by scanning a QR code when they enter the store. Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped. ↫ Maxwell Zeff

Behind every Silicon Valley innovation are underpaid poor people.

The rise and fall of 3M’s floppy disk

Even with that said, those gray-hairs will frequently claim that of the many makers of floppies out there, 3M made the best ones. Given that, I was curious to figure out exactly why 3M became the most memorable brand in data storage during the formative days of computing, and why it abandoned the product. ↫ Ernie Smith

I do not remember if I ever held any particular views on which brand of floppy disk (or diskettes, as we called them) was the best. We had a wide variety of brands, and I can’t recall any one of them being better than the other, but then, I’m sure people in professional settings had more experience with the little black squares and thus developed all kinds of feelings about them.

Microsoft announces prices for the Windows 10 Extended Security Update program

Windows 10 is reaching end of support on October 14, 2025, so if you’re still using Windows 10 – and let’s face it, if you’re somehow forced to still use Windows, better 10 than 11 – your time is running out. Luckily, end of support is a bit of a nebulous term when it comes to Microsoft products, and many among you, especially those managing larger fleets of systems, will know Microsoft offers something called the Extended Security Update (ESU) program, wherein you get additional security updates even after end of support. Microsoft just unveiled the prices for this program for Windows 10. While there’s several schemes, the one most of you will be interested in is this one:

With the 5-by-5 activation method, you’ll download an activation key and apply it to individual Windows 10 devices that you’ve selected for your ESU program. Manage it via scripting or the Volume Activation Management Tool (VAMT), among other methods. You can use on-premises management tools such as Windows Server Update Services (WSUS) with Configuration Manager to download and apply the updates to your Windows 10 devices. The 5-by-5 activation subscription will establish the Year One list price of ESU for Windows 10. This is the base license and will cost $61 USD per device for Year 1, similar to the Windows 7 ESU Year 1 price. ↫ Jason Leznek

Honestly, that’s not an egregious price, but do note that this price doubles every year for three years total, and note that if you want to start using ESU in year two, you’ll have to pay for year one as well. In other words, pricing ramps up fast. Furthermore, this program only includes security updates – no new features or anything like that, and it doesn’t include support either. So, if you’re still using Windows 10 after October 14, 2025, you’ll either have to pay up, have an insecure system, downgrade to Windows 11, or move to a better alternative. Choice’s yours.

Microsoft is working on an Xbox AI chatbot

Microsoft is currently testing a new AI-powered Xbox chatbot that can be used to automate support tasks. Sources familiar with Microsoft’s plans tell The Verge that the software giant has been testing an “embodied AI character” that animates when responding to Xbox support queries. I understand this Xbox AI chatbot is part of a larger effort inside Microsoft to apply AI to its Xbox platform and services. ↫ Tom Warren at The Verge

I’m convinced. This is the future. Artificial intelligence, AI, no quotation marks. Please, Microsoft. Train this AI on Xbox voice chat and messages. What could possibly go wrong?

Discord turns to ads

Quests are a way for players to discover games and earn rewards for playing them on Discord. We started experimenting with them over the last year, and millions of you opted in and completed them. We’ve heard great feedback from developers who partnered with us to create them and from many of you who completed one. If you didn’t see firsthand, the “May the 4th” Fortnite Quest is a great example. Now, we’re opening up sponsored Quests to more game developers. ↫ Peter Sellis

That’s a lot of fancy, hip words to say Discord is going to show you ads. I have an odd relationship with Discord – it holds a special place in my heart because through Discord is how I met my now-wife and mother of our children, so understandably, the chat platform has a special meaning for us. At the same time, though, Discord has been getting steadily worse and less usable over the years, and while my wife isn’t too bothered by that, I certainly am – and so we moved our instant messaging over to Signal instead. My wife still uses Discord with her friends. Seeing a platform that used to be quite usable, and easily the best way to manage a group of geographically spread-out friends, fall prey to the same kind of bullshit so many other platforms have succumbed to. Discord today is almost unrecognisable to what it was like 6-7 years ago, and now there’s even going to be ads – the final nail in the coffin for the possibility of me ever going back to using it.

Apple wouldn’t let Jon Stewart interview FTC Chair Lina Khan, TV host claims

Before the cancellation of The Problem with Jon Stewart on Apple TV+, Apple forbade the inclusion of Federal Trade Commission Chair Lina Khan as a guest and steered the show away from confronting issues related to artificial intelligence, according to Jon Stewart. ↫ Samuel Axon at Ars Technica

Just when you thought Apple and Tim Cook couldn’t get any more unlikable.

Redis’ license change and forking are a mess that everybody can feel bad about

Redis, a tremendously popular tool for storing data in-memory rather than in a database, recently switched its licensing from an open source BSD license to both a Source Available License and a Server Side Public License (SSPL). The software project and company supporting it were fairly clear in why they did this. Redis CEO Rowan Trollope wrote on March 20 that while Redis and volunteers sponsored the bulk of the project’s code development, “the majority of Redis’ commercial sales are channeled through the largest cloud service providers, who commoditize Redis’ investments and its open source community.” Clarifying a bit, “cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge.” This generated a lot of discussion, blowback, and action. The biggest thing was a fork of the Redis project, Valkey, that is backed by The Linux Foundation and, critically, also Amazon Web Services, Google Cloud, Oracle, Ericsson, and Snap Inc. Valkey is “fully open source,” Linux Foundation execs note, with the kind of BSD-3-Clause license Redis sported until recently. You might note the exception of Microsoft from that list of fork fans. ↫ Kevin Purdy at Ars Technica

Moves like this never go down well.

Fedora change proposal suggests switching the main Fedora Workstation release to KDE Plasma

Update: the proposal has now been formally announced on the devel mailing list and Fedora Discussions. I have been assured by the main author of the proposal itself that this is very much not an April Fools joke, but of course, there’s still the very real possibility we’re being led on here. Still, I’m taking the risk and treating this as a serious change proposal for Fedora, even though it’s likely to cause some controversy in the wider Fedora community. The proposal is written by Joshua Strobl, the lead developer of Budgie. Yes, this is a change proposal to make KDE the default desktop environment of Fedora Workstation. The reasoning is that KDE is more approachable for new users than GNOME, it supports standards better, the industry seems to be making moves to KDE (see the Steam Deck), and so on. KDE also has more advanced features people have come to expect from a desktop, like HDR, VRR, and more, and it’s the more advanced Wayland desktop. The important note here is that in the highly unlikely event this proposal would be accepted, it’s not like current Fedora GNOME users will be ‘upgraded’ to KDE when Fedora 42 gets released. The idea is to promote the current Fedora Plasma spin to the main Fedora Workstation release, and demote the Fedora GNOME release to a mere Fedora spin, like KDE is now. While I would personally support this change, it’s pretty much 100% unlikely this change proposal will make it through. Red Hat and Fedora are entirely GNOME-first, and no matter how much I believe that’s misguided when looking at the state of the two primary open source desktops today, that’s not going to change. Still, it’s an interesting discussion point, if only to highlight that the frustrations with GNOME run a lot deeper than people seem to think.

GCC 10 ported to QNX 6.5 SP1

Way back in the day, back when I wasn’t even working at OSNews yet, I used to run QNX as my desktop operating system, together with a small number of other enthusiasts. It was a struggle, for sure, but it was fun, exciting, and nobody else was crazy enough to do so. Sadly, the small QNX desktop community wasn’t even remotely interesting to QNX, and later Blackberry when they acquired the company, and eventually the stand-alone Neutrino-powered version of QNX disappeared behind confusing signup screens and other dark patterns. It meant the end of our small little community. Much to my utter surprise and delight, I saw a post by js about how he ported GCC 10 to QNX – in this case, to QNX 6.5 SP1, released in 2012 – and submitted it to pkgsrc. His ultimate goal is to port one of his other projects, ObjFW, to QNX. He makes use of pkgsrc to do this kind of work, which also means he had to make pkgsrc bootstrap and a lot of other software work on QNX. We’re at QNX 8.0 by now, and as much as I bang my head against QNX and BlackBerry’s wall of marketing and corporate speak, I just can’t find out if it’s even still possible to download QNX Neutrino and install it on real generic hardware today.

libmui: classic Mac OS and GS/OS widget library for Linux

This is a contender for the World Record for Feature Creep Side Project. It is pretty high in the contender list as it’s a bolt on to another contender for the World Record for Feature Creep Side Project (the MII Apple //e emulator). It is a library that duplicates a lot of the Macintosh Classic “Toolbox” APIs. It is not a complete implementation, but it is enough to make a few simple applications, also, all the bits I needed for the MII emulator. ↫ libmui GitHub page

This is absolutely wild.

A deep dive into email deliverability in 2024

On October 3, 2023, Google and Yahoo announced upcoming email security standards to prevent spam, phishing and malware attempts. Outlook.com (formerly Hotmail) is also enforcing these policies. With the big 3 Email Service Providers (ESP) in agreement, expect widespread adoption soon. Today’s threats are more complex than ever and more ESPs will begin tightening the reins. Failure to comply with these guidelines will result in emails being blocked beginning April 2024. In this article, we’re going to cover these guidelines and explain what senders must do in order to achieve and maintain compliance. ↫ XOMedia

Some of these changes – most of them impact bulk senders and spammers – should’ve been implemented ages ago, but seeing them being pushed by the three major email providers, who all happened to be owned, of course, by massive corporations, does raise quite a few red flags. Instinctively, this makes me worried about ulterior motives, especially since running your own email server is already fraught with issues due to the nebulous ways Gmail treats emails coming from small servers. With the rising interest in self-hosting and things like Mastodon, I hope we’re also going to see a resurgence in hosting your own e-mail. I really don’t like that all my email is going through Gmail – it’s what OSNews uses – but I don’t feel like dealing with all the delivery issues people who try self-hosting email lament about. With a possible renewed wave of interest in it, we might be able to make the process easier and more reliable.

Microsoft to separate Teams and Office globally amid antitrust scrutiny

Microsoft will sell its chat and video app Teams separately from its Office product globally, the U.S. tech giant said on Monday, six months after it unbundled the two products in Europe in a bid to avert a possible EU antitrust fine. The European Commission has been investigating Microsoft’s tying of Office and Teams since a 2020 complaint by Salesforce-owned competing workspace messaging app Slack. ↫ Foo Yun Chee at Reuters

I honestly misread this as Microsoft selling Teams off, which would’ve been far bigger news. Unbundling Teams from Office globally is just Microsoft applying its recent European Union policy to the rest of the world. All we need now is Microsoft to stop trying to make Teams for families and friends happen, because nobody will ever want to use Teams for anything, let alone personal use.

The hearts of the Super Nintendo

Every computer has at least one heart which beats the cadence to all the other chips. The CloCK output pin is connected to a copper line which spreads to most components, into their CLK input pin. If you are mostly a software person like me, you may have never noticed it but all kinds of processors have a CLK input pin. From CPUs (Motorola 68000, Intel Pentium, MOS 6502), to custom graphic chips (Midway’s DMA2, Capcom CPS-A/CPS-B, Sega’s Genesis VDP) to audio chips (Yamaha 2151, OKI msm6295), they all have one. ↫ Fabien Sanglard

I’ve watched enough Adrian Black that I already knew all of this, and I’m assuming so did many of you. But hey, I’ll never pass up the opportunity to link to the insides of the Super Nintendo.

Open source is about more than just code

As some of the dust around the xz backdoor is slowly starting to settle, we’ve been getting a pretty clear picture of what, exactly, happened, and it’s not pretty. This is a story of the sole maintainer of a crucial building block of the open source stack having mental health issues, which at least partly contributes to a lack of interest in maintaining xz. It seems a coordinated campaign – consensus seems to point to a state actor – is then started to infiltrate xz, with the goal of inserting a backdoor into the project. Evan Boehs has done the legwork of diving into the mailing lists and commit logs of various projects and the people involved, and it almost reads like the nerd version of a spy novel. It involves seemingly fake users and accounts violently pressuring the original xz maintainer to add a second maintainer; a second maintainer who mysteriously seems to appear at around the same time, like a saviour. This second maintainer manages to gain the original maintainer’s trust, and within months, this mysterious newcomer more or less takes over as the new maintainer. As the new maintainer, this person starts adding the malicious code in question. Sockpuppet accounts show up to add code to oss-fuzz to try and make sure the backdoor won’t be detected. Once all the code is in place for the backdoor to function, more fake accounts show up to push for the compromised versions of xz to be included in Debian, Red Hat, Ubuntu, and possibly others. Roughly at this point, the backdoor is discovered entirely by chance because Andres Freund noticed his SSH logins felt a fraction of a second slower, and he wanted to know why. What seems to have happened here is a bad actor – again, most likely a state actor – finding and targeting a vulnerable maintainer, who, through clever social engineering on both a personal level as well as the project level, gained control over a crucial but unexciting building block of the open source stack. 
Once enough control and trust was gained, the bad actor added a backdoor to do… Well, something. It seems nobody really knows yet what the ultimate goal was, but we can all make some educated guesses and none of them are any good. When we think of vulnerabilities in computer software, we tend to focus on bugs and mistakes that unintentionally create the conditions wherein someone with malicious intent can do, well, malicious things. We don’t often consider the possibility of maintainers being malicious, secretly adding backdoors for all kinds of nefarious purposes. The problem the xz backdoor highlights is that while we have quite a few ways to prevent, discover, mitigate, and fix unintentional security holes, we seem to have pretty much nothing in place to prevent intentional backdoors placed by trusted maintainers. And this is a real problem. There are so many utterly crucial but deeply boring building blocks all over the open source stacks pretty much the entire computing world makes use of that it has become a meme, spearheaded by xkcd’s classic comic. The weakness in many of these types of projects is not the code, but the people maintaining that code, most likely through no fault of their own. There are so many things life can throw at you that would make you susceptible to social engineering – money problems, health problems, mental health issues, burnout, relationship problems, god knows what else – and the open source community has nothing in place to help maintainers of obscure but crucial pieces of infrastructure deal with problems like these. That’s why I’m suggesting the idea of setting up a foundation – or whatever legal entity makes sense – that is dedicated to helping maintainers who face the kinds of problems like the maintainer of xz did. A place where a maintainer who is dealing with problems outside of the code repository can go to for help, advice, maybe even financial and health assistance if needed. 
Even if all this foundation offers to someone is a person to talk to in confidence, it might mean the difference between burning out completely, or recovering at least enough to then possibly find other ways to improve one’s situation. If someone is burnt-out or has a mental health crisis, they could contact the foundation, tell their story, and say, hey, I need a few months to recover and deal with my problems, can we put out a call among already trusted members of the open source community to step in for me for a while? Keep the ship steady as she goes without rocking it until I get back or we find someone to take over permanently? This way, the wider community will also know the regular, trusted maintainer is stepping down for a while, and that any new commits should be treated with extra care, solving the problem of some unknown maintainer of an obscure but important package suffering in obscurity, the only hints found in the low-volume mailing list well after something goes wrong. The financial responsibility for such a safety net should undoubtedly be borne by the long list of ultra-rich megacorporations who profit off the backs of these people toiling away in obscurity. The financial burden for something like this would be pocket change to the likes of Google, Apple, IBM, Microsoft, and so on, but could make a contribution to open source far greater than any code dump. Governments could probably be involved too, but that will most likely open up a whole can of worms, so I’m not sure if that would be a good idea. I’m not proposing this be some sort of glorified ATM where people can go to get some free money whenever they feel like it. The goal should be to help people who form crucial cogs in the delicate machinery of computing to live healthy, sustainable lives so their code and contributions to the community don’t get compromised. This

Servo: tables, WOFF2, and more

This month, after surpassing our legacy layout engine in the CSS test suites, we’re proud to share that Servo has surpassed legacy in the whole suite of Web Platform Tests as well! ↫ Servo blog

Another month, another detailed progress report from Servo, the Rust browser engine once started by Mozilla. There’s a lot of interesting reading here for web developers.