News briefs for February 8, 2019.
Microsoft has joined the OpenChain Project[1], "which builds trust in open source by making open source license compliance simpler and more consistent". Uber, Google and Facebook joined it last month. According to the announcement, "By joining OpenChain, Microsoft will help create best practices and define standards for open source software compliance, so that its customers have even greater choice and opportunity to bridge Microsoft and other technologies together in heterogeneous environments."
Google today announced it is open-sourcing ClusterFuzz[2] and making it available for anyone to use. Fuzzing[3] is "an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program", and it's "effective at finding memory corruption bugs". ClusterFuzz is "a fuzzing infrastructure running on over 25,000 cores" was written to aid in the Chrome development process. You can check it out at the ClusterFuzz GitHub repository[4].
A security vulnerability discovered in Android gives attackers access to your phone if you open a .png file. ZDNet reports[5] that "All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered." This bug affects Android versions 7.0–9.0.
The Free Software Foundation has certified new hardware with its "Respect Your Freedom" endorsement: the Vikings D8 mainboard and D8 workstation. According to Phoronix[6], "The Vikings D8 is a re-branded ASUS KCMA-D8 but flashed with Libreboot+Coreboot to free the hardware down to the BIOS." In addition, "the D8 Workstation also ships with the FSF-approved Trisquel operating system that is free of any Linux binary blobs and proprietary software." See also the FSF post[7] on the Respects Your Freedom certification.