![[LWN Logo]](http://old.lwn.net/images/lcorner.png)
![[LWN.net]](http://old.lwn.net/images/bigpage.png)
|
|
|
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
 Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters
Other LWN stuff:
Archives/search
Recent features: Here is the permanent site for this page. See also: last week's LWN.
|
Leading items and editorialsTurbolinux and Linuxcare call it off. The word went out on May 1 that the planned merger between Turbolinux and Linuxcare had been cancelled. The full story may never come out, but it seems to have come down to a disagreement over the relative value of the two companies. Neither company, of course, is worth what people once thought it was, and it was not possible to come to an agreement over what the valuations should be at this time. This breakdown is going to be hard on Linuxcare. The company has lost important staff in the merger process, and the support business is proving rather harder than many had originally thought. Linuxcare will find itself short of staff, short of funds, and short of business. Not much fun. Life may not be all that easy for Turbolinux either. The North American market has been a hard one to crack, and several companies have set their sights on Asia, Turbolinux's stronghold. There has been a distinct lack of press releases hyping high-profile Turbolinux cluster deployments. The "we're a software company" strategy appears to be having some difficulties. And, in fact, it appears that Turbolinux is considering moving away from the distribution business and toward a more service-oriented model. LWN actually predicted this move back when the merger was announced. (Of course, we've predicted a lot of other things too, but we don't remind you of those...) Turbolinux is going to have to come up with a compelling strategy and set of products in a hurry, or life could get more difficult. Why is the support business so hard? Not that long ago, the prevailing FUD was that Linux needed credible support options to succeed. After all, nobody was going to bet their job on the system without 24x7 support and toll-free numbers. Linux has taken off, and the support options exist. So why are so few companies buying those support services? Perhaps there are far fewer important Linux deployments than people think. Without deployments, there is little need for support contracts. We don't believe it, though. What if the truth were something else: what if Linux users simply do not need support? One of the nice things about Linux, after all, is that it simply works. It is also true that setting up Linux and making it work in a specific role requires a certain amount of Linux expertise. By the time you've figured out how to make it do what you need it to do, you know enough to keep it working. And, for the times when external help is needed, it's still true that the best source of that help is the net. Searching out an answer or asking in the right forum can be faster and more effective than talking to a technical support call center employee - and cheaper. Could it be that, in the end, technical support services are only needed for proprietary, black-box systems? When the source is free, the development directions are known, the bug lists are public, and anybody with the requisite skills can fix a problem, there is little need to buy expensive support services. Free software empowers its users to take responsibility for keeping their own systems going. Another bad quarter at VA Linux. Last December, VA Linux Systems reported $56.0 million in quarterly revenue. Thereafter, with great disappointment, it produced its January, 2001 revenue figure: $42.5 million. At that time, the company suggested that revenues would fall further, perhaps even "under $30 million." Did they ever. VA has just put out a press release stating that revenues for the quarter just completed would be in the range of $18 to $20 million. Under $30 million indeed. In other words, the money flowing into VA is one-third of its peak, and is back at levels last seen in 1999. It looks bad; one might well wonder if we are seeing the death spiral of one of the oldest and most successful Linux companies. Probably not. VA has gotten hammered, but the company is not necessarily doomed. Now is not a good time to be trying to sell technical infrastructure; nobody is buying. Even Cisco has seen a 30% fall in revenues. The dotcoms are no longer spending money like drunken sailors (they rather resemble badly hungover sailors these days), and the tighter economy has caused a lot of companies to stop spending. Companies like VA are highly exposed to this market; they benefitted from that exposure over the last few years, and it is hurting them now. In other words, VA's problems are not inherent in its business model or Linux. It could have benefitted from a more diversified customer base, but the simple fact is that these are hard times. VA remains a company with a strong brand, good products, and a staff full of top-tier Linux hackers. It also has money in the bank to keep it going for a little while yet. It will never have an easy life, the market is far too competitive for that. VA may also find itself to be an acquisition target as long as its stock price remains low. But, when the economy begins to pick up again, VA should be well positioned to come back. S/390 Linux to power Banco Mercantil. Not all the news from the Linux business world is bad. IBM is expected to announce on Thursday, May 3, that Banco Mercantil, one of Venezuela's largest banks, will be deploying Linux on an S/390 mainframe. This installation thus becomes one of the first high-profile financial institution deployments for Linux. Initially, the S/390 (running SuSE Linux) will be replacing some 30 NT boxes and handling fairly mundane tasks: file serving, domain name service, firewalling, and web serving. It will also take on some simple financial functions, such as allowing customers to check their account balances; this capability is helped by the "two cryptographic processors" in the S/390 system. This step was a fairly easy one for Banco Mercantil to take - it already had the IBM mainframe in house. So it was just a matter of setting up the Linux partition and installing the SuSE distribution. The cleverness of IBM's strategy can be seen here: many banks and other large institutions have these mainframes. The S/390 port allows these institutions to dip their toes into Linux easily, and to experiment with moving their tasks and software over. It wouldn't be surprising to see more announcements of this variety in the near future.
SDMI followup. Last week's LWN Weekly Edition discussed the threats against professor Edward Felten, who was planning to present his paper on how he cracked the SDMI watermarking scheme. Prof. Felten, of course, decided not to present that paper, citing the expense and uncertainty of litigation as the reason. Many people have pointed out that this development isn't quite the defeat that it seems (see, for example, this Salon article). The paper, of course, has already been published on the net, so the information is out there. Meanwhile Prof. Felton has shown the world, in a graphic way, that the Digitial Millennium Copyright Act is a serious threat to freedom of speech in the U.S. That demonstration may prove to be far more valuable than a presentation of his SDMI paper. The DeCSS case reopens. One place where the withdrawal of the SDMI paper may have an effect is in the DeCSS appeal, for which testimony began on May 1. This case, of course, is based on the DMCA, so demonstrations of the DMCA's effect on freedom of speech are relevant. For coverage of how the testimony went, see this Wired News article, or this highly detailed Slashdot article. Predicting the outcome of these cases is always perilous, but this looks like it is going to be a tough battle. Inside this week's Linux Weekly News:
This Week's LWN was brought to you by:
|
May 3, 2001
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Security page. |
SecurityNews and EditorialsCylantSecure for Linux. We generally don't profile new commercial products for Linux on this page, preferring to focus on Open Source products and solutions instead. However, the announcement of the availability of CylantSecure for Linux caught our eye for a couple of reasons. The first reason, a quite positive one, was the approach being used by the product. Most of the current focus of intrusion detection systems look either at the input to the system (e.g., network connections, attack signatures) or the output from the system (file checksums, etc.). CylantSecure looks instead at the behavior of the system itself, producing a model for what the "normal" behavior of the CPU is, when in production use, and therefore detecting "abnormal" behavior and actively dropping connections or terminating processes that display abnormal behavior. This was interesting to us because it, in many ways, resembles how a good systems administrator monitors a system, or would monitor a system, if they had the time to watch it closely 24 hours a day. The system administrator knows what the machine is used for, the people that use it and the behavior of the machine under normal load. Abnormal behavior means something needs to be fixed, whether the "something" is a security problem, a network problem, a disk problem, etc. So a security model that scientifically models the behavior that a system administrator "learns" as part of the job, was definitely of interest. The second reason CylantSecure for Linux caught our eye, though, was its implementation. To be specific, its implementation includes the use of binary kernel modules, which gave us strong concerns. Linus has strongly deprecated the use of binary kernel modules even for device drivers, for many good reasons. The use of binary kernel modules to implement core functionality in a new security product was, in our opinion, a very bad idea. Fortunately, a phone interview with Cylant CEO and founder John Munson and Scott Wimer, their Director of Product Development, cleared up our concern, as we explain below. Implementation. CylantSecure for Linux is implemented in four pieces. The first consists of two patches to the Linux kernel which modify the kernel data structure to allow the gathering of information about actions taken by the kernel, both the action taken and the process id associated with that action. This goes beyond just tagging system calls; the second of the two patches inserts instrumentation (new function calls) into over 3300 places in the kernel. The source code for these patches is fully available, and therefore not a concern. It is, however, large, running over 300K in size. The second piece of CylantSecure consists of binary kernel modules which actually collect the data from the kernel, create profiles from it and pass information on to the third piece, a user-space process called "Watcher". We were very happy to learn from our interview with John and Scott that the source code for these modules will be released in the near future and that they were never intended to remain closed source. Currently the modules are going through a re-design. As soon as that re-design is complete and, as a result, the code is clean and maintainable enough to be a "worthwhile gift to the Open Source community", Scott assured us that the code would be released. The remaining two pieces of CylantSecure are the Watcher, mentioned above, and the console management system. The management system may also be Open Sourced, but that decision has not yet been finalized. The Watcher program will remain closed source. In fact, a patent is pending on the techniques used in the Watcher program to model the system behavior. Software patent-watchers within the community will have to judge the virtue of this patent compared to the many other software patents that we have often deprecated, but it is certainly not quite the same as putting a patent on "point-and-click". Nonetheless, if someone believes there is already prior art for this patent, we would be interested to hear about it. It should be noted that CylantSecure for Linux was primarily a proof-of-concept product; they chose the Linux kernel for their first project because it is an extremely large, complex and stable piece of software. The techniques used, though, are just as applicable to any other large software system, such as accounting systems, payroll, traffic analysis, any software system where reliability and security is essential. In fact, they are as applicable to ensuring reliable data input as to preventing intrusions. But does it work? The folks at CylantSecure believe it does but state up front that they are engineers, implementing a scientific engineering principle, not security experts. They don't have a background in breaking into systems themselves. As a result, they have made a victim machine available and promised to give it to the first person that successfully "owns" the box. The box is running an unpatched installation of Red Hat Linux 6.2, so there are plenty of security holes available. The question is whether an attacker can gain access and keep it without being detected and shunted off the system by CylantSecure. We'll be interested to hear about the results. No non-disclosures are required and they even have an IRC channel available to allow attackers to chat directly with their developers. Overall, we found the new paradigm being explored very interesting and we are looking forward to seeing the reaction of the security community to their approach. New Linux-targeted worm: lpdw0rm. SecurityFocus has released their analysis of a new worm, lpdw0rm. This particular worm is targeted at systems running unpatched versions of Red Hat Linux 7.0 that are running the LPRng service, one of the vulnerabilities that previous worms have also targeted. Installing Red Hat's patch for LPRng (made available back in October) will prevent a system from being successfully attacked. Predictable TCP initial sequence numbers. We first mentioned the problem of preditable TCP initial sequence numbers in the March 15th LWN Security Summary. The original report came from Guardent, a Massachusetts-based security firm who published the existence of the weakness, but not their own research on the topic. This week, more information was released.
Security Hall of Shame: Tektronix. Elias Levy, moderator of BugTraq, found recent information posted about security vulnerabilities in the Tektronix Phaser Network Printer Administration Interface annoying enough to send out a personal comment on them. "This is not a major vulnerability. The only reason I bring it to your attention is because this is standard operating procedure for many companies. They release a products in the market with no or little security. When someone points this out to them they ignore him. When its pointed out in public they threaten to sue him. When they fix it they do it just as badly as the original security measure. And a few months latter the product is shown to be insecure once again". What was it that caught Elias' attention enough to generate so much ire? The original report of this vulnerability was made in November of 1999. The vulnerability is severe enough that it can be potentially used to permanently damage the printer. Instead of resolving the actual security problems, Tektronix simply changed the URL that could previously be used for the attack by adding an underscore at the beginning and changing the ".html" suffix to ".shtml". In addition, non-Tektronix posters had provided a workaround to improve the security of the printer, which Tektronix has since broken. Of course, the potential impact of the vulnerability can be mitigated by keeping the printer behind a firewall and restricting access to the local network. Meanwhile, Tektronix does not believe that anyone actually cares about this vulnerability. For our part, we would expect any security-conscious site to remove Tektronix from their list of acceptable vendors, given the level of cluelessness and ineptness demonstrated in the way this vulnerability has been handled. Call for Articles: SecurityFocus focuses on Incident Handling. SecurityFocus is developing articles for a planned series on Incident Handling, scheduled for publication from June onwards. If you are interested in provided an article for them, check their call for articles. Security ReportsZope Zclass security update. A new security bug has been found in all versions of Zope (up to and including 2.3.2) which can allow unauthorized access to a clever attacker. A patch is available which fixes the problem; sites running Zope should probably apply it soon.gnupg 1.0.5 released with multiple security fixes. gnupg 1.0.5 was released on April 29th. Multiple security patches have been released against gnupg 1.0.4; this new release includes all of those patches, including fixes for the gnupg web of trust vulnerability and false positives from detached signatures. Of course, in addition to security fixes, other feature enhancements and bug fixes are included. An upgrade to 1.0.5 is recommended.
Remote vulnerabilities in Bugzilla. Bugzilla 2.12 has been released and contains fixes for a couple of security problems that could allow remote users to execute commands on the Bugzilla server under a non-root account. Workarounds are documented, but an upgrade to the new version is recommended. For more details, check both 2671 and 2670.KDEsu tmplink vulnerability. KDEsu creates a world-readable temporary file to exchange authentication information and then deletes the file soon after. This allows a race condition under which the account of the local X user can be compromised. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1. For more details, check BugTraq ID 2669.
gftp format string vulnerability. gftp is a multi-threaded X-based ftp client. A format string vulnerability has been reported in gftp by Richard Johnson. The problem is fixed in gftp 2.0.8 and later. BugTraq ID 2657.
MandrakeSoft's rpmdrake tmplink vulnerability. Linux-Mandrake has issued an advisory and an updated package for rpmdrake, fixing a tmplink vulnerability in that package.web scripts. The following web scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
UpdatesNEdit temporary file link vulnerability. Check the April 26th LWN Security Summary for the original report. BugTraq ID 2627.This week's updates: Previous updates:
Multiple security fixes in OpenSSL-0.9.6a. OpenSSL-0.9.6a was announced last week and contains fixes for four security issues. An upgrade to the latest version is recommended.This week's updates: SAFT/sendfile broken privileges. Check the April 26th LWN Security Summary for the original report. The vulnerabilities can be exploited locally to gain root privileges. BugTraq ID 2631 and 2645.This week, Florian Weimer pointed out that sendfile author Ulli Horlacher, released an updated version of sendfile in February which Florian indicated should correct the problems. Previous updates: Multiple FTP daemon globbing vulnerabilities. Check the April 12th LWN Security Summary for the original report.This week's updates: Previous updates:ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol (ntp) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host. Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540.This week's updates:
Previous updates:
Zope security update. Digital Creations released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled the week of March 1st. An upgrade is recommended.This week's updates:
ResourcesNew Turbolinux Public Key. Turbolinux has updated their public key. Security Breach Traced to Hole in Head of Admin (BBspot, humor). From BBspot to lighten your mood for the day, comes an article about a Security Breach in Linux and its source. "Work at Selby Communications ground to halt as their network server was wiped clean yesterday by a malicious virus. Security experts called in to investigate the incident discovered the virus exploited a hole in the head of Systems Administrator Matt Simmons". vsftpd-0.9.0. Chris Evans announced the release of vsftpd-0.9.0 this week. vsftpd is a small, fast ftp server written from the ground up to be free of security holes and/or to mitigate the impact of potential security problems. lcrzoex and lcrzo 3.10. New versions of the network test tools lcrzoex and lcrzo were released this week. EventsBlack Hat Briefings USA '01. A full announcement for the upcoming Black Hat Briefings USA, to be held July 11th-12th in Las Vegas, Nevada, USA, was released this week. "This year's topics include: Reverse Engineering, the Honey Net Project, the CVE, 802.11b WEP security, ICMP scanning, SQL security configuration, GSM and WAP security, and more". Early Bird registration for NetSec. Early bird registration for NetSec2001 Network Security Conference ends May 4th. NetSec2001 will be held June 18th through the 20th in New Orleans, Louisiana, USA. Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Liz Coolbaugh |
May 3, 2001
LWN Resources | ||||||||||||||||||||||||||||||||||||||
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Kernel page. |
Kernel developmentThe current kernel release is 2.4.4, which was released on April 28. This release contains, of course, the zero-copy networking code, and a number of other enhancements and bug fixes. It also evidently contains some new bugs - the complaint level for 2.4.4 appears to be higher than with some of the other 2.4.x releases. The "run children first" change to the fork() system call (discussed in the April 19 LWN Kernel Page) seems to have caused quite a few problems, and it has already been reverted in Linus's 2.4.5pre1 prepatch. A number of other problems have been reported as well; people without a burning need to upgrade to 2.4.4 might just want to wait for 2.4.5. As noted, Linus has since released 2.4.5pre1 with some additional fixes. Alan Cox, meanwhile, is at 2.4.4ac3 with a rather longer set of fixes. Trashing your filesystem with dump. It has been known for a very long time that using dump to back up live filesystems can result in corrupt backups. It turns out that, with Linux kernels through 2.4.4, dumping a live filesystem has the potential to corrupt the filesystem in place, even if the dump process has no write access. Alexander Viro reported the bug which makes this possible. It can happen only on SMP systems, and is not easy to trigger, but it is there. Essentially, if the filesystem allocates a new metadata block for the filesystem, and a separate process reads that block at the wrong time, the wrong data will be written back to disk. The fix is relatively straightforward, and has already been incorporated into 2.4.5pre1. Linus pointed out an interesting little fact as part of this discussion: dump will not work correctly on 2.4-based systems in any case. The filesystem keeps quite a bit of useful information in the page cache - and will do so even more in the future. dump, however, works with the raw device, which deals with the buffer cache instead. The two are not always synchronized, and it is possible that dump will end up reading the wrong data. In case that's not clear enough: So anybody who depends on "dump" getting backups right is already playing russian rulette with their backups. It's not at all guaranteed to get the right results - you may end up having stale data in the buffer cache that ends up being "backed up".
For now, there is really no easy way to fix dump for 2.4. If you're using it, this might be a good time to go looking for a different tool. A 2.4 swap bug - maybe. A discussion of Linux swapping behavior turned to an interesting aspect of how the system handles swapping. Swap space, of course, is used to hold copies of pages which have been moved out of memory. It turns out that when a page is restored to main memory from swap, its slot in the swap file is not released. Thus, in some situations, Linux can "run out" of swap space even though much of that swap space is taken up by data that is not currently swapped out. According to Alan Cox, this behavior is forcing some large systems to remain with the 2.2 kernel. At first blush, the proper course of action seems simple: when a page is swapped back into memory, its swap slot should be freed. As is often the case, though, life is not that simple. Some of the twists that come up here (as pointed out by Stephen Tweedie) include:
The proper solution, thus, would appear to be to retain the copy in the swap cache for as long as there is no real virtual memory pressure. Once things get tight, it's time to start throwing things away. In some cases, though, (such as the one where the swap copy of a page is valid), it may be better to toss out the memory copy of the page. Moral: virtual memory is never simple. SGI releases XFS 1.0. SGI has announced the release of XFS 1.0. The 2.4 kernel now has another journaling filesystem in a stable release state; XFS also offers a number of features for users with intense I/O bandwidth requirements. It claims to work with NFS, and comes with an installer for Red Hat Linux 7.1 systems. Perhaps not wanting to be left out entirely, IBM has released JFS beta 3 release 0.3.0. ECN enabled on kernel.org. The kernel.org FTP server has enabled ECN (the Explicit Congestion Notification protocol). If you find you're now having a hard time downloading that new kernel, there's a chance you're behind a broken firewall which doesn't handle ECN properly. See Jeff Garzik's ECN page for help if you find yourself in that situation. Other patches and updates released this week include:
Section Editor: Jonathan Corbet |
May 3, 2001 For other kernel news, see: Other resources: |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Distributions page.
Lists of Distributions |
DistributionsPlease note that security updates from the various distributions are covered in the security section. News and EditorialsConectiva's Snapshot and quality measurements. Conectiva provides access to a snapshot version of Conectiva Linux, containing all the current development work for the next release. As part of that process, they have put together a method for "measuring" the quality of the snapshot from a user's point of view (rather than from the developer's point of view, which is expected to be quite different). They sent to us this explanation of the snapshot measurement, which depends heavily on input from users. In fact, one of their assumptions is that if users are affected by a bug, they will report it to the bug tracking system. For the stable version of a distribution, this would be a rather unsafe assumption. Hopefully, though, people brave enough to work with a development snapshot probably want the opportunity to air the problems that they find. In any case, any type of quality measurement is interesting. As long as the measurement consistently improves as the distribution improves and degrades as the quality of the distribution degrades, then it will have some long-time value. Check out their snapshot page to see how they currently rate their own snapshot. They've got a ways to go to get it to a level acceptable by their own standards. Of course, it is good to have goals that challenge you! Do note that the snapshot quality measurement process is currently in draft form. PPC Linux news: Jason Haas quits, Yellow Dog 2.0 is coming. LinuxPPC co-founder Jason Haas has announced his resignation, and, indeed, his retirement from the computer world. You did a lot of good work, Jason, you'll be missed. Terra Soft Solutions, meanwhile, has announced that Yellow Dog Linux 2.0 will be demonstrated at the Macintosh Business Expo. ROCK Linux 1.4.0. The ROCK Linux 1.4.0 stable release is out. It includes a great many updates, including the 2.4.3 kernel. Although this is a stable release, it comes with a caveat: "ROCK Linux 1.4.0 is _intended_ for production usage, but given that it's a dot ohh!? (.0) release, you might proceed with care while we hold tight to the brown paper bags". For more information on Rock Linux, check the April 5th Distributions Page, which contains a link to the distributions survey for Rock Linux. Rock Linux 1.4.1 is promised in the near future and will include support for non-Intel platforms (which were not shipped with 1.4.0). New DistributionsConsole Linux. Thanks to Andre Leao Macedo for giving us a pointer to Console Linux, a new Linux distribution out of Brazil. The available information is in Portuguese. The distribution is based on Red Hat Linux and remains tied to Red Hat, promising 100% compatibility with Red Hat while providing Portuguese versions of the distribution and installer. Here is one rough quote from the site, translated using Babelfish and some guesses: "The Linux Console was created as the the result of a dream, the belief that open software is the only way to improve the technological growth in the area of computer science in Brazil. Stimulating new minds will not happen just in the classrooms, but also in on-line communities, thus allowing more Brazilians to develop their creativity and help democratize this area of Brazil". [Note that all translation errors are the fault of this editor, please accept my apologies in advance.] Distribution NewsRed Hat News. In addition to security-related updates for Red Hat (which are covered in the security section), Red Hat also released a slew of bug-fixes recently. Below is a list of them with some information on their relevance: In Red Hat Linux:
In Red Hat Powertools:
Debian News. A new version of dpkg was released this week, closing 90 bug reports. Many additional enhancements and new features are included as well. The Debian Project will be exhibiting at two upcoming events, the Multimedia-Market in Stuttgart, Germany, May 2nd through the 4th and the Braunschweiger Linux-Tage in Braunschweig, Germany, May 4th through the 6th. This will provide an excellent opportunity to talk with Debian members, particularly the speakers, Peter Ganten, Thomas Lange and Martin Schulze. A new Kernel Cousin Debian Hurd was published this week and includes discussion about what would be required to allow the Debian Hurd to join the upcoming release plans for Woody as an official Debian platform. No new Kernel Cousin Debian has been published since March 28th. Slackware News. No changes were recorded to the Intel or Alpha Changelogs this week, but the Sparc port finally got the upgrade to XFree86 4.0.3, along with a host of other small updates or fixes to maintain compatibility with the updated XFree86. Linux-Mandrake News. A summary of printing improvements in Linux-Mandrake 8.0 talks a bit about CUPS and other new features. Other comments on Linux-Mandrake 8.0 include a glowing report on the new firewall wizard, as well as links to several reviews of the new distribution from a variety of sources. ASPLinux News. Last week, we erroneously reported that ASPLinux 7.1 had already been released. This was incorrect. Unfortunately, there is a numbering difference between the Russian versions of ASPLinux and the Singapore versions of ASPLinux. The Russian ASPLinux 7.1 is functionally equivalent to the Singapore ASPLinux 7.0. The Singapore ASPLinux 7.1 is due out within the next three weeks and they promise it will be both different and more comprehensive than their release of ASPLinux 7.0. NBROK News. NBROK 0.5 was released this week. This is the first "stable" version of NBROK to be released. NBROK is based on Slackware and tailored to run off of a ZIP drive. SuperRescue CD News. A minor update to SuperRescue CD, version 1.3.1a, was released this week. It contains minor bugfixes. RT-Linux News. RT-Linux has announced support for several multi-processor PowerPC machines, including the dual G4 PowerMacs and the dual and quad IBM RS/6000 systems. SynergyMicro multiprocessor PowerPC boards will also be supported in the near future. Section Editor: Liz Coolbaugh |
May 3, 2001
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's On the Desktop page.
|
On The DesktopThis week, MoonGroup.com interviews Olivier Fourdan, creator of the ![[XFce]](/2001/0503/xfce.jpg)
XFce desktop environment.
"Xfce is very easy to configure since all common settings are managed
thru graphical tools, using the mouse. However, Xfce is definitely not a
clone of CDE. For me, a clone is just like Lesstif and Motif. You can use
one in place of the other. But you don't consider GNOME or KDE as clones
of windows, do you?"
So, what are XFce's strong points and what distinguishes it from other desktop environments? The XFce project home page claims that it is a fast, lightweight, and efficient system, and it is appealing to the eyes. Perhaps more to the point: "I believe that the desktop environment should be made to increase user productivity. Therefore, the goal is keep most system resources for the applications, and not to consume all memory and CPU usage with the desktop environment". Another interesting goal of XFce is to perform all desktop configuration with the mouse; configuration files are hidden from the user. This certainly separates it from older lightweight windowing environments such as fvwm2 and twm. XFce supports themes and comes with a reasonably full list of utility applications. Virtual screens and multiple pop-up menus are included as are support for multi-byte character sets and 18 language translations. Version 3 of XFce is GTK+ based, so running Gnome applications on it should be simplified. XFce is apparently going for the middle ground between the older, simple window managers and the big, full-featured systems like KDE and Gnome. If you have an inclination to try it out; version 3.8.1 of XFce was just released on April 29, 2001. (Thanks to Joseph J Klemmer.) Desktop EnvironmentsThe 'people' behind KDE: Konqi. The "People Behind KDE" series continues with this interview with Konqi the dragon, the KDE project's mascot. "When I was young I wanted to be a fireman, but I dropped that idea when they explained to me that fireman don't actually make fires. Firemen put fires out instead of making them." April 27 GNOME Summary. The GNOME Summary for April 27 is out. It covers the Ximian GNOME 1.4 release, the "Eazel Pal" program, and several other topics. Announcing the GNOME Packaging Project. Gregory Leblanc launched the GNOME Packaging Project in order to package binaries of GNOME. Volunteers are needed. Embedded GNOME - Sikigami. There is an embedded GNOME project going on in Japan called Sikigami, which means daemon in old Japanese. Mosfet.Org: New MegaGradient Widget Style. Mosfet is back and has released a a new funky widget style, dubbed MegaGradient. Mosfet is well-known for his previous work on KDE2. He also notes on his homepage that he has recently got a life, has left MandrakeSoft (amicably) and is looking for a new job, preferably allowing him to continue his work in the Linux/KDE area. Congratulations and best of luck, Mosfet. You can't always get what you font (ZDNet). ZDNet's Evan Leibovitch talks about his pet peeve regarding the Linux desktop. "As someone who's been using Linux as my primary workstation OS since the days of Caldera Network Desktop 1.0 (circa 1995) and its Looking Glass GUI, I don't just have one Linux desktop frustration; I have a list. At the top of that list is the ghastly manner in which Linux systems implement fonts." Office ApplicationsAbiWord Weekly News #41. The April 27, 2001 edition of the AbiWord Weekly News is out. This week's news includes the release of AbiWord 0.7.14, bug prioritization, and download stats. Desktop ApplicationsOpera for Linux beta 8 now available. Opera 5.0 beta 8 has been released. Opera is a commercial web browser that is available in freely-useable version (with an embedded sponsor ad) or a paid/registered mode. MiscellaneousOmni Printer Driver version 0.1.2. A new release of the Omni printer driver is available as of April 26, 2001. This release features a fix in the newFrame logic for each device class. Interview: Frank Hecker (OpenOffice.org). OpenOffice.org's Louis Suárez-Potts interviews Frank Hecker, one of the key people behind the open-sourcing of Netscape's code. "Over time I became very frustrated with the traditional proprietary software development model, where all development had to be done inside the company and the only developers who had access to source code were members of the internal engineering groups." Section Editor: Michael J. Hammel |
May 3, 2001
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Development page. |
Development projectsNews and EditorialsGLAME, the Gimp of Audio ProcessingA new stable version of GLAME, version 0.4.0, was released on April 26, 2001, just over a year after the last stable release, GLAME 0.2.0.
The GLAME 0.4.0 announcement has been covered on gnome.org and has been listed on Freshmeat, where the code is available for download. The GLAME Manual sheds some light on the capabilities of GLAME. GLAME supports numerous sound systems including ALSA, OSS, ESD, and native SGI. The common .wav file is the default format; other formats can be added with user-supplied helper libraries. GLAME has both a graphical and console based frontend. The GLAME graphical frontend has a main control window, a Wave Editor, and a Filterwork Editor, which allows audio filters to be graphically constructed from component parts. The Wave Editor has the usual oscilloscope audio display with support for cut/paste/delete operations. The Filterwork Editor appears to be where the real power of GLAME resides, with complex groupings of component filters being possible via simple mouse clicks. Similar to the GIMP, GLAME has been designed with extensibility in mind; user-supplied plug-in audio filters are supported. The console interface, cglame, provides a Guile-based scripting capability that allows for filters to be connected together via code. In all, GLAME 0.4.0 looks like an important new addition to the list of open-source audio processing tools. We hope that the project continues to grow and has the same success that the GIMP has had. EducationLinux in education report for April 30. Here's the latest Linux in education report. There's an online test bank that need testing, discussions about GRASS and other Free GIS software, and much more. Mail SoftwareMailman 2.0.4 released. Version 2.0.4 of Mailman, the GNU Mailing List Manager has been released. This version fixes some bugs in version 2.0.3 relating to Python 2.1 compatibility problems. TMDA 0.10 anti-spam software. Version 0.10 of TMDA, a Python-based anti-spam package, is now available. This release contains bug fixes and removes dependency on the amkCrypto package. Network ManagementOpenNMS Update. The OpenNMS Update for May 1 is out with the latest from the network management scene. It includes the 0.7.4 stealth release, an OpenNMS consulting position that is open, and more. ScienceFreePM-0.9.0b released (Linux Med News). Linux Med News reports on the release of FreePM version 0.9.0b. FreePM is an open-source medical practice management package. This version features a more mature template system, report examples and dynamic PDF generation. Web-site DevelopmentX15 web server alpha release. Fabio Riccardi has released X15, a web server which, he claims, is as fast as TUX (currently the record holder), but which, unlike TUX, runs entirely in user space. Mr. Riccardi is especially interested in hearing from people who can test X15's performance on high-end systems. Zope for the Perl/CGI programmer (developerWorks). IBM developerWorks presents Zope for the Perl/CGI programmer. "A parallel between traditional CGI and Zope occurred to me today: if you moved from C programming to Perl, you certainly remember how nice it was to work with strings under Perl as opposed to managing the memory buffers and pointers you need to do the same thing with C. The move from CGI to Zope also abstracts away a lot of the system detail that has nothing to do with the business of running Web sites. I think you'll like it." Zope 2.3.2 released. Zope 2.3.2 has been released. This is a bugfix release which contains no new features of note. Note that it was quickly followed by a security update which needs to be applied to 2.3.2 and earlier versions to prevent unauthorized access. Also out is the rough draft version of the Zope Developer's Guide. 'The Zope Book' is finished. The final version of The Zope Book, by Michel Pelletier and Amos Latteier, is now available. It will be published by New Riders, and should show up on the shelves in a couple of months; meanwhile, the online version is available now. Window SystemsSECURITY: New KDE Libraries Released. Now its official. The new KDE libraries have been released. Besides fixing the KDEsu security exploit, those who use Konqueror will be happy to know that the "protocol for http://x.y.z died unexpectedly" bug has also been fixed. Word ProcessorsAbiWord Weekly News. The AbiWord Weekly News has been reincarnated and promises a new layout and more weekly features. More information on bug status is included, recognizing that the average person doesn't browse the bug database on a regular basis. In addition, they are taking nominations for the most important bugs to be fixed before the 0.9.X and 1.X releases come out. LyX Development News. The April 25 LyX Development News is out, with the latest from the LyX community. Section Editor: Forrest Cook |
May 3, 2001
|
|
|
Programming LanguagesCamlHere is the Caml update from David Mentré, which, this week, concerns itself with the FORT regression testing framework.
C++RunTime: High-performance programming techniques on Linux and Windows 2000 (IBM developerWorks). In the first in a series of IBM developerWorks articles, Edward G. Bradford compares the performance of Linux and Windows running C++ code. "In this new series of articles, I'll focus on high-performance programming techniques for the Linux and Windows 2000 operating systems. I'll show you useful and efficient programming practices solving the same problems on Linux and Windows 2000. Once solved, we'll measure at least one aspect of the performance of each platform. A variety of performance testing scripts and programs will demonstrate the speed of operating system features. The goal is to show how to get the best possible performance from each operating system and, as an aside, compare the performance of the two platforms." JavaO'Reilly series on Jxta. Coinciding with the Jxta announcement from Sun, O'Reilly has published as a series of Jxta articles. LispLISA 0.8 available. From the better late than never department, a new version of LISA, the Lisp-based Intelligent Software Agents, was released on April 18. This version provides two important features: most of the support necessary for reasoning on instances of CLOS objects, and a syntax change in the DEFRULE macro that will allow the specification of things such as salience, containing module, etc. PerlPerl 5 Porters for April 29, 2001. The April 29, 2001 edition of the Perl 5 Porters is out. Topics this week include B::Deparse Hackery, Underscores in constants, Licensing Perl modules, M17N and POD, Regexp dumping, and more. PHPPHP Weekly Summary for April 30, 2001. The April 30, 2001 edition of the PHP Weekly News is out. Topics this week include Unix paths, a new SDL extension, a WDDX extension fix, a PHP 4.0.5 RC 8 release, and more. PHP 4.0.5 released. Version 4.0.5 of PHP is now available for download. The changelog details the many bug fixes and other changes. New features include output compression, experimental FastCGI support, and improved thread-safe operation. Common PHP Installation Problems (O'Reilly). Darrell Brogdon discusses common PHP installation problems in an O'Reilly ONLamp article. "What? You mean PHP isn't perfect?! Well, as a language it almost is, but installing it can be a bear for the inexperienced. So let's take a look at what might happen and try to keep that blood pressure down, will ya?" PythonThis week's Python-URL. Dr. Dobb's Python-URL for April 30 is out, with the latest interesting tidbits from the Python development community. Python-dev Summary. The Python-dev Summary for April 25 is out. It covers the new iterator implementation, class methods, and other topics of interest to the Python development community. Java-Python Extension beta.
The first beta release of JPE, the Java-Python Extension
has been announced:
Shell Scriptsdumbcode.org: live fast, die young, and leave zombies. Described by the folks at NTKnow as the moshpit freshmeat, dumbcode.org is now up and maintaining a collection of useful utility scripts. "If you've never been here, dumbcode is the only archive for really bad or worthless open source software, outside of /home/*/bin."
A
Bastard Operator from Hell
would certainly have fun with the rroulette command:
Tcl/TkDr. Dobb's weekly Tcl-URL! Summary. The latest summary of the Tcl development world has been posted in Dr. Dobb's Tcl-URL!. e4Graph 1.0a3 released. Version 1.0a3 of e4Graph has been announced. "e4Graph is a package for efficient persistent representation and manipulation of graph-like data. Using it you can concentrate on representing the data you care about and its relationships, rather than on the storage layout or persistence mechanism." XMLProduce WBMP for any platform (IBM developerWorks). Bilal Siddiqul writes about Wireless Bitmap programming in an IBM developerWorks article. "WBMP (Wireless BitMap) is the format for images in the WAP (Wireless Application Protocol) specification. WML (Wireless Markup Language) cards use this format to show images on WAP sites. In this article we will study this format and generate WBMP images from XML data through JSP and JavaBeans." Section Editor: Forrest Cook |
Language Links Caml Caml Hump Tiny COBOL Erlang g95 Fortran Gnu Compiler Collection (GCC) Gnu Compiler for the Java Language (GCJ) Guile Haskell IBM Java Zone Jython Free the X3J Thirteen (Lisp) Use Perl O'Reilly's perl.com Dr. Dobbs' Perl PHP PHP Weekly Summary Daily Python-URL Python.org Python.faqts Python Eggs Ruby Ruby Garden MIT Scheme Schemers Squeak Smalltalk Why Smalltalk Tcl Developer Xchange Tcl-tk.net O'Reilly's XML.com Regular Expressions |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Commerce page. |
Linux and BusinessSony releases Linux for the PlayStation 2. Thanks to Maya Tamiya we got the
scoop on Sony's announcement of a Beta Release 1 of its
PlayStation 2 Linux Kit. The kit includes a DVD with software (some
open source and some proprietary), a 40GB hard drive, keyboard and
mouse. The open source software includes a Red Hat based OS using a
2.2 kernel. It's also Ethernet ready. The Sony kit should be
available in Japan in June. Priced at 25,000 Yen (just over $200 USD at current exchange rates), this package isn't exactly cheap as beta products go, but it might well be worth the price to developers and people looking for a low end way to learn Linux. This machine is not just for playing games on, though it certainly can be used for that. It could, potentially be turned into a TV recorder, web browser or movie player, just for starters. Some of that will be limited by the proprietary software, but my guess is that Sony is counting on developers taking it apart and turning it into other things, with just enough proprietary bits that they'll get a piece of the pie when some Sony PlayStation-based must-have-toy sweeps the market. TurboGenomics releases TurboBLAST. TurboGenomics has announced the release of TurboBLAST, a genetic sequencing tool. This product may be one of the first commercial packages for Beowulf clusters: "Initial benchmarks of TurboBLAST on a network of 11 commodity PCs running Linux reduced a month-long BLAST run to just two days. Greater speed-up of BLAST is achieved simply by adding more machines to the TurboBLAST system." BlackCluster-2 for high speed web service. BankHacker.com, a Spanish Linux company, announced BlackCluster-2, a Linux cluster system for high performance HTTP servers. The cluster uses AMD Duron and AMD Athlon processors, and runs Red Hat Linux. NuSphere introduces NuSphere MySQL Advantage 2.0. NuSphere has announced the availability of "NuSphere MySQL Advantage 2.0," a MySQL-based web development package "for small- and medium-sized enterprises." New version of 'DNS and BIND' from O'Reilly. O'Reilly has announced a new edition (the fourth) of DNS and BIND. This edition covers BIND 9, various new DNS standards, and more. The security chapter has been made available online. Also out from O'Reilly is Oracle &Open Source: Tools and Applications. FreePM Adds 3000 Drug Objects to Formulary. FreePM is a template driven system that utilizes open-source software to provide physicians with an easy to use, easy to modify medical record management solution. FreePM recently announced that it now has 3000 drug objects available for download. April issue of LPI-News. Here's the latest issue of the Linux Professional Institute (LPI) Newsletter. This month includes:
Linux Stock Index for April 26 to May 02, 2001.
The high for the week was 33.58
Press Releases:Open source products
Distributions and bundled products
Proprietary Products for Linux
Servers and Desktop Systems
Products and Services Using Linux
Products With Linux Versions
Books & Training
Partnerships
Investments and Acquisitions
Personnel & New Offices
|
![[GLAME]](/2001/0503/glame.jpg)
The
