Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Leading items and editorials

The Caldera/SCO deal completes. Caldera Systems - now Caldera International - announced on May 7 that its acquisition of much of SCO had finally been completed. It has been a long process - the deal was originally announced last August. With this acquisition, Caldera now claims to be "the largest Linux company in the world." Certainly it will be a change for the company, and perhaps for the Linux industry in general.

Caldera is getting SCO's Server Software and Professional Services divisions, along with UnixWare and OpenServer. This all brings:
None of this comes for free, of course. SCO gets $23 million in cash now, another $8 million in installments after a year, and 16 million shares in Caldera. If Caldera manages to make more than expected from OpenServer, SCO gets a 45% cut of the excess as well.

All that revenue looks nice, but it's best not to lose sight of the overall picture, as found in the registration statement (warning: 2MB of legalese) filed in March: Caldera has not been profitable. The server and professional services groups have not been profitable and their revenue has been declining. Somehow Caldera is going to have to find a way to arrest the fall in SCO's revenues while cutting enough costs to actually make a profit. As an added little challenge, Caldera gets the costs of the SCO groups immediately, but none of their accounts receivable or bank balances, meaning that those groups will be a dead weight until the new invoices go out and get paid. Caldera has money in the bank, even after handing $23 million to SCO, but it may well see those reserves shrink quickly in the near future.

Caldera's hopes, of course, are to work the company firmly into the enterprise market by way of SCO's existing extensive customer base and deployments. The current UnixWare and OpenServer business can be extended by improving those products' interoperability with Linux. Meanwhile, as SCO customers begin to think about transitioning over to Linux, Caldera will be very nicely positioned to help them out. With luck, SCO's customers will drive Caldera's Unix and Linux business for years to come.

It might just work, if Caldera can manage to keep the attention and loyalty of SCO's customer base, and if it can get revenue and expenses a little better in line. Those are big ifs, but nobody said that the business world was easy. This is a new phase in the development of the Linux business community; we're most curious to see how it will turn out.

No profitable businesses?

That said, give us a moment to gripe about one sentence buried deep within the Caldera/SCO registration statement:

"Caldera knows of no company that has built a profitable business based in whole or in part on open source software."

Is it really true that no open source company has been profitable? How about:
Business is hard, and free software business may yet prove to be harder than many others. But it should not be said that nobody has succeeded.

PriorArt.org enters the software patent fray. A new site called PriorArt.org has announced its existence. This site is positioned as a way for free software developers to avoid having their techniques patented out from underneath them.

The idea is this: patents can be invalidated by a demonstration of "prior art" - proof that somebody else had already invented the technology of interest. Prior art must be documented, however; it's not enough for somebody to say that they were using a technique years ago. It is also highly preferable that the prior art be available to patent examiners when a patent is applied for. When the information is easily available, the patent should be denied at that stage. Otherwise a court case may be required to bust a patent that has been issued, and that is an expensive proposition.

So PriorArt.org is inviting free software developers to disclose their innovations through their site. Disclosures go into a large database, which may be searched by anybody. It is claimed that this database, which is maintained by IP.com, is consulted by patent examiners. Disclosures are timestamped and notarized (somehow) so that there is no doubt as to the timing of any particular discovery. This approach thus differs from BountyQuest, which focuses on digging up prior art to break patents which have already been granted.

The service is not truly free. The normal charge for this sort of disclosure through IP.com is $19.95. This charge is not being waived for free software disclosures; instead, donations are being solicited to purchase "publication vouchers" for free software inventions. IP.com thus hopes to make money from this operation - and an extensive database full of inventions could prove useful as well.

Any effort which helps defeat software patents is helpful, certainly.
There are some problems with this approach, though, that could affect its long-term success. For example, consider the problem of who will actually disclose inventions through this system. Free software developers are busy people who are unlikely to find the time to write up every "invention" and feed it to a web site - especially a web site for a proprietary database which requires a credit card number even to submit a "free" disclosure. Remember also that the most obnoxious software patents cover techniques that seem obvious to developers. Reasonable hackers don't tend to think that a little function they just put together might be patentable. Disclosures will also be limited, of course, by the number of donations received to pay for them. At $20 per disclosure, the bill could get high fairly quickly.

But, more to the point, free software developers already disclose everything they invent, in the clearest possible form: working code. Source repositories on SourceForge and many other sites contain a detailed, time-stamped history of free software development. Rather than try to convince developers to write up their techniques, it would be preferable to find a way to mine the incredible database of prior art that already exists. A detailed of the kernel, gcc, emacs, PostgreSQL, or any other significant free software project would probably yield more prior art than will ever find its way into PriorArt.org.

In the end, however, this is all defensive action, based on the idea that the patent system is really OK, the only problem is that insufficient information is available to patent examiners. If you believe that the real problem is in the concept of software patents to begin with, these approaches will seem inadequate. Wouldn't it be better if we could fix the patent laws, and prevent software patents from being implemented where they do not yet exist?

Bruce Perens: Software Patents vs. Free Software.
For a different approach to software patents, consider this lengthy piece by Bruce Perens:

"Ironically, some of the biggest patent holders are the Free Software Community's own partners, companies like IBM and HP that have aggressively incorporated GNU/Linux into their business plans and expect significant revenue from it before long. IBM is said to hold 10% of software patents, and HP is one of the largest patent holders in general. It's important for us to start a dialogue with these and other partners. That's why I am calling a summit meeting on Free Software and The Law."

This meeting will have some specific goals, including getting a formal promise from the companies involved that they will not sue free software developers for patent infringement. Even better would be a promise to defend developers from patent suits brought by others. The companies involved in the meeting are, after all, benefitting from the work of these developers. It will be interesting to see what comes of this summit, but patience will be required - it's happening at the end of August, after the LinuxWorld conference.
May 10, 2001
Security

News and Editorials

Immunix 7.0 commercial release. Immunix 7.0 is now commercially available for those wishing to buy their own CD. It comes with a subset of Red Hat 7.0 with the majority of the binaries recompiled using StackGuard and FormatGuard-enhanced compilers, thus protecting users from most buffer overflows and format string vulnerabilities, whether known or unknown. It also includes SubDomain, a kernel extension providing "least privilege confinement", the ability to specify precisely what files a program can access and what actions it can perform.

Before you go out to purchase Immunix 7.0, though, you need to be aware of the licensing changes that have occurred between the release of Immunix 6.2 and the release of Immunix 7.0. Immunix 6.2 was available as a free download under the GPL. Immunix 7.0 is, instead, under a new license, which includes this phrase:

"The license granted to End User by WireX shall be a non-exclusive, non-transferable license to use Licensed Software on the Designated Equipment in machine-readable form only, solely for End User's internal business purposes (Authorized Use). End User is not entitled to receipt or use of the source code to any Licensed Software. End User shall not modify, decompile, disassemble or otherwise reverse engineer the Licensed Products."

This language means that the Immunix distribution itself cannot be freely redistributed. That may, initially, seem to be impossible legally, since it includes a great deal of software licensed under the GPL. However, there is no restriction on the GPL'd software within Immunix, just on the bundled product itself. The restrictions on Immunix stem from both the inclusion of the SubDomain product, the non-kernel portions of which are both proprietary and closed source, and the inclusion of BSD-licensed binaries, for which they currently include source (but may not in the future) but which they place under a proprietary license.

This would imply that you could take Immunix, remove SubDomain from it, remove or replace the BSD-based binaries with ones that you've compiled yourself (with or without StackGuard or FormatGuard) and then distribute the result freely. However, if you haven't done the above, then legally you are not allowed to freely distribute what you download or purchase or to use the CD on multiple machines. A full discussion of WireX's choice of license for Immunix can be found in this thread on the immunix-users mailing list.

As a result of this licensing choice, the Immunix distribution itself no longer meets the requirements of the Debian Free Software Guidelines. In essence, it is a Linux distribution that is not Free Software; although built primarily with free software, it is a proprietary product.

It is notable that this move resembles comments made this week by Caldera's Ransom Love. "Love said he thinks Microsoft was right in its claim that the GPL doesn't make much business sense. Consequently, Caldera is likely to add a non-GPL licensing mechanism -- most likely one based on the BSD license -- to its repertoire in the coming months". We disagree with Mr. Love on this point; we believe the GPL makes a great deal of sense, both for business and non-business users.
Nonetheless, both Caldera and WireX are, to the best of our knowledge, making choices that are legal.

It is possible that, in reaction to these licensing changes, someone else may step forward to make a competing Linux distribution with StackGuard and FormatGuard-protected binaries that is actually Free Software. This would mirror what happened when the licensing behind QT affected KDE and spurred the development of Gnome. Alternately, if the audience for this product is small and does not, in general, care about the issue of free software versus proprietary software, Immunix may move forward uncontested in this arena.

We have always been strong proponents of WireX and their work in the past; StackGuard and FormatGuard have been important contributions to the community and Immunix 7.0 looks like an excellent product. Their licensing choices, though, while understandable from a revenue perspective, may end up hampering the adoption of Immunix. In particular, the use of closed source programs for security is one that we particularly distrust, so their choice to make portions of SubDomain closed source is a bit disheartening.

Turbolinux security advisories return. After a period of total inactivity lasting almost six months, Turbolinux has issued a spate of new advisories this week. The turnaround on the advisories is admittedly terrible; the vulnerabilities that they fix go as far back as July 20, 2000. Presumably, the cause of that terrible response has now been addressed. As a result, Turbolinux appears to be doing a general house-cleaning, checking known vulnerabilities against its distribution and trying to get fixes out for them (no matter how old).

Before Turbolinux gets all the negative attention, though, it is worth taking a look at the vulnerabilities they've now addressed, as we've done below in our Update Section. The vulnerabilities in it are listed in reverse order of when they were reported (most recent ones first).
You'll quickly notice that many of the vulnerabilities, even the ones that have been known for quite a while, have not been addressed by all the other distributions either. Perhaps a "spring cleaning" should be on the list for all the security teams.

OpenSSH 2.9 released. OpenSSH 2.9 has been announced. This release includes a number of new features, some fixes, and makes version 2 of the SSH protocol the default. "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support."

'No limits' browser planned (BBC News). The BBC News talks about a promised new browser, Peekabooty, which The Cult of the Dead Cow is planning on releasing this year. The goal of Peekabooty is to combine encryption and a Gnutella-like network to circumvent censorship. "The inventors of the new browser said they were developing it for people living under restrictive regimes who wanted to see information they were otherwise denied." Although China, Malaysia, Singapore and many Arabic countries are given as specific examples of countries that restrict what their constituents can view on the web, the DeCSS case might arguably add the USA to the list and Germany could be argued for inclusion as well. (Thanks to Fred Mobach).

Open Source Security Testing Methods (LinuxSecurity.com). The folks at LinuxSecurity.com talk with Pete Herzog, creator of the Open-Source Security Testing Methodology Manual. "As it is, security testers are an innovative group who need to be both methodical and radical to perform their job well. This manual works with them, guiding their hand, not forcing it."

Security Reports

vixie-cron crontab permissions lowering failure. It has been reported that a security fix applied to fix a problem back in January has resulted in a failure to drop permissions properly. As a result, a local root exploit has been introduced. Paul Vixie Vixie Cron 3.0pl1 fixes this latest problem.
Samba 2.0.9 released (security fix). Andrew Tridgell has released Samba 2.0.9, which fixes the security bug (from April 19th) that he had thought was fixed in 2.0.8. If you're running a 2.0 version of Samba, an upgrade is recommended; look for one from your favorite distributor soon. 2.2.0 users are not affected by this problem.
Minicom XModem Format String Vulnerability. Multiple format string vulnerabilities have been reported in Minicom which can be triggered when sending files via XModem. As a result, uucp privileges can be gained by a local user. An exploit has been published. No patch or update has been published so far, though removing the setgid bit from minicom will close the hole (and disable minicom for non-privileged users) temporarily. Check BugTraq ID 2681 for more details.
Red Hat 7.1-specific improper swapfile creation vulnerability. Red Hat has issued an advisory warning that swap files (not swap partitions) created during an upgrade to or installation of Red Hat 7.1 are created with improper permissions, allowing world-read access. Red Hat Linux 7.1 offers the option of creating swapfiles during the upgrade if the amount of swap space available is less than the physical RAM. The world-read access exposes data in the swapfile, potentially including passwords. An updated mount package has been issued to fix the problem.

mandb symlink vulnerability. Debian reported a symlink vulnerability in mandb, a tool distributed with the man-db package. The vulnerability was found by Ethan Benson. Debian has provided updated packages to fix the problem. Other distributions that install man setgid will also be impacted.
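
A way to check a running system for the Red Hat 7.1 swapfile permission problem described above, written as an added example that is not part of the Red Hat advisory or of the original page. It assumes a Linux /proc/swaps listing and GNU stat; the function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag file-backed swap areas whose
# permissions let anyone but the owner read them.

# audit_swapfiles [LISTING]
#   LISTING uses the /proc/swaps layout: a header line, then one line per
#   swap area with the fields Filename, Type, Size, Used, Priority.
#   Prints "EXPOSED <path> mode=<octal>" for each exposed swap file.
#   Returns 0 if none are exposed, 1 if any are, 2 if LISTING is unreadable.
audit_swapfiles() {
    swaps_list=${1:-/proc/swaps}
    [ -r "$swaps_list" ] || { echo "cannot read $swaps_list" >&2; return 2; }
    exposed=0
    {
        read -r _header || return 0    # skip the column header
        while read -r raw type _rest; do
            # Swap partitions are block devices; only regular files matter here.
            [ "$type" = "file" ] || continue
            # /proc/swaps writes whitespace in names as octal escapes (\040).
            path=$(printf '%b' "$raw")
            [ -f "$path" ] || continue
            mode=$(stat -c '%a' "$path") || continue    # GNU stat: octal mode
            # Any group/other permission bit means the contents are exposed.
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                printf 'EXPOSED %s mode=%s\n' "$path" "$mode"
                exposed=1
            fi
        done
    } < "$swaps_list"
    return "$exposed"
}

# Constructed demonstration: two temporary files stand in for swap files and a
# hand-written listing stands in for /proc/swaps. No real swap area is touched.
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/swap_ok";   chmod 600 "$dir/swap_ok"
    : > "$dir/swap_open"; chmod 644 "$dir/swap_open"
    {
        printf 'Filename\tType\tSize\tUsed\tPriority\n'
        printf '/dev/hda2\tpartition\t265032\t0\t-1\n'
        printf '%s\tfile\t131064\t0\t-2\n' "$dir/swap_ok"
        printf '%s\tfile\t131064\t0\t-3\n' "$dir/swap_open"
    } > "$dir/swaps"
    audit_swapfiles "$dir/swaps"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || true
```

Called with no argument, `audit_swapfiles` reads /proc/swaps on the live system. A file it reports can be tightened with `chmod 600`, which removes the group and other access the check looks for.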
web scripts. The following web scripts were reported to contain vulnerabilities:
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates

gnupg 1.0.5 released with multiple security fixes. gnupg 1.0.5 was released on April 29th. Check the May 3rd LWN Security Summary for details. An upgrade to 1.0.5 is recommended. This week's updates: Previous updates:

KDEsu tmplink vulnerability. Check the May 3rd LWN Security summary for details. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1. This week's updates: Previous updates:

Zope Zclass security update. Check the May 3rd LWN Security Summary for the original report. Sites running Zope should upgrade as soon as possible. This week's updates:

gftp format string vulnerability. Check the May 3rd LWN Security Summary for the original report or BugTraq ID 2657 for additional details. The problem is fixed in gftp 2.0.8 and later. This week's updates: Previous updates:

NEdit temporary file link vulnerability. Check the April 26th LWN Security Summary for the original report or BugTraq ID 2627 for additional details. This week's updates: Previous updates:

ntp remotely exploitable static buffer overflow. Check the April 12th LWN Security Summary for the original report. An exploit for this vulnerability has been published and it is remotely exploitable to gain root access, so updating ntp is a high priority for anyone using it. For more details and links to related posts, check BugTraq ID 2540. This week's updates: Previous updates:

Netscape 4.76 GIF comment vulnerability. Check the April 12th LWN Security Summary for the original report. The vulnerability can be used to embed executable Javascript in GIF comments which are then executed by the viewer when loading the GIF file. This has been fixed in Netscape 4.77, which is available for download from ftp.netscape.com. This week's updates: Previous updates:

sgml-tools temporary file vulnerability. See the March 15th LWN security page for the initial report or BugTraq ID 2683 for more details. This week's updates: Previous updates:

vixie-cron long username buffer overflow. Check the February 22nd LWN Security Summary for the original report. This week's updates: Previous updates:

Analog buffer overflow. An exploitable buffer overflow in analog was reported in the February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions. Check BugTraq ID 2377 for additional details. This week's updates: Previous updates:

dhcp buffer overflow. Check the January 18th LWN Security Summary for the original report from Caldera. This week's updates: Previous updates:

squid tmprace problem. Check the January 11th LWN Security Summary for the initial report. This week's updates: Previous updates:

dialog lockfile symlink vulnerability. Check the December 28th, 2000 LWN Security Summary for the original report of this problem. This week's updates: Previous updates:

pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details. This week's update: Previous updates:

ed symlink vulnerability. Originally reported on November 30th, 2000, Alan Cox noticed that GNU ed, a basic line editor, creates temporary files unsafely. The problem has subsequently been fixed in ed 0.2-18.1. This week's updates: Previous updates:

ncurses buffer overflow. Check the October 12th, 2000 LWN Security Summary for the initial report of this problem. This week's updates: Previous updates:

Format string vulnerability in locale. Check the September 7th, 2000 LWN Security Summary for the initial report or BugTraq ID 1634 (updated January 18th, 2001) for more details. The updates below also address other glibc security issues discussed in the past five months, including the glibc LD_PRELOAD file overwriting vulnerability and the glibc RESOLV_HOST_CONF file read access vulnerability. This week's updates:
Previous updates:
cvsweb. Versions of cvsweb prior to 1.86 may allow remote reading/writing of arbitrary files as the cvsweb user. Check the July 20th, 2000 Security Summary for the original report from Joey Hess. The FreeBSD advisory also contains a good summary of the problem.
Resources

Prelude 0.3. Prelude is a Network Intrusion Detection system that MandrakeSoft will be shipping with MandrakeSecurity as an alternative to Snort. Version 0.3 has just been released, but is reportedly much further along than one might expect from a 0.3 level release.

PIKT 1.13.0. PIKT, otherwise known as the Problem Informant/Killer Tool, version 1.13.0 was released on Tuesday, May 8th. "PIKT, an innovative new paradigm for administering heterogeneous networked workstations, is a cross-platform, multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. You can also use PIKT as a basis for managing system security".

Events

Kernel Security Extensions BOF at Usenix. NAI Labs is sponsoring a Kernel Security Extensions BOF (Birds of a Feather session) at the upcoming USENIX Technical Conference being held June 25th through the 30th in Boston, Massachusetts, USA. "Crispin Cowan (WireX), Peter Loscocco (NSA), Amon Ott (RSBAC) and Robert Watson (NAI Labs and the FreeBSD Project) have kindly agreed to kick off the session with short presentations on their work". For those people unfamiliar with Birds of a Feather (BOF) sessions, they are generally informal events that bring together experts and enthusiasts in a given field. This looks like an excellent one; we wish we could be there.

Digital Rights v. Free Speech: a focus of the upcoming Internet Security Conference. TISC 2001 is coming up June 4th through the 8th, in Los Angeles, CA, USA. It will include a CEO Roundtable entitled "Digital Rights Enforcement". "The TISC CEO Roundtable will include discussion of the current events, technologies and constitutional rights debate surrounding the Secure Digital Music Initiative (SDMI) as it relates to the Digital Millennium Copyright Act (DMCA)".

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
Kernel development

The current kernel release is 2.4.4. There have been no kernel releases (not even prepatches) from Linus since 2.4.5pre1 came out on May 2.

Alan Cox remains busy; his latest is 2.4.4ac6, which contains another long list of fixes but nothing radical. To top it off, Alan has also started the 2.2.20 prepatch series with 2.2.20pre1. At this point, only serious fixes are going in: "Expect me to be very picky on changes to the core code now."

Moving block devices to the page cache. In last week's kernel page we looked at a subtle metadata corruption bug brought about by the fact that I/O to block devices uses the buffer cache, while the filesystem code uses the page cache. Conversation on this topic has continued in this (otherwise slow) week, so it's worth another look.

Some background first... Linux systems use two distinct caches to improve performance. Both are used to keep copies of disk-resident data in main memory, and thus to avoid excessive disk I/O operations. These caches are:
The individual blocks of a page cache entry, of course, are still managed through the buffer cache. But, as we saw last week, accessing the buffer cache directly can create confusion between the two levels of caching. Reading and writing a block device directly, as is done by utilities like dump and fsck, works only with the buffer cache.

It turns out that Linus wants to change this behavior, even though he is not tremendously concerned about the corruption problem discussed last week. Having block devices use the page cache will clean up a lot of design issues, improve performance, and get away from the idea of using the buffer cache as a cache. The buffer cache, for Linus, really should just be a low-level block I/O mechanism that leaves the actual caching tasks to higher levels.

Not much time passed before Andrea Arcangeli released a patch moving block I/O into the page cache. Essentially, he has eliminated the special-purpose block_read and block_write functions, and made a block device look like a large file. So now the general-purpose file I/O functions may be used instead.

As an added bonus, Andrea has obsoleted the raw I/O interface, implementing instead an O_DIRECT flag which may be used to perform I/O directly between the device and user space. This change makes raw I/O a much more straightforward affair, since it's no longer necessary to set up and bind the separate /dev/raw devices.

A change of this magnitude, of course, would not normally be expected to go into the 2.4 kernel - though some other surprising things have made it in. Expect to see something like Andrea's patch be incorporated early in the 2.5 cycle, however.

ReiserFS - ready for prime time. Hans Reiser has posted a note saying, essentially, that all of the real bugs in the ReiserFS filesystem have been fixed as of 2.4.4. Since the filesystem was included in 2.4.1, its user base has grown greatly and that has, not surprisingly, led to an increase in bug reports.
The ReiserFS hackers have been tracking down these problems quickly, and many fixes have come out. As a result, the "beta period" appears to have come to a close.

There are a few outstanding issues, though. ReiserFS still only works on little-endian machines, for example (a patch exists which fixes this problem, but it hasn't seen wide testing yet). You still need to apply an additional patch to use ReiserFS and the NFS server together. And the filesystem checker tool still needs some work. But the biggest problems appear to have been overcome; the "experimental" label may be removed from ReiserFS in a kernel release soon.

The problem of broken configurations in CML2. Now that a lot of the CML2 issues have been resolved, people are starting to think more about how they will actually use the new kernel configuration system. And a bit of a problem has come up.

Anybody who builds a lot of kernels becomes quickly enamored of the "make oldconfig" operation, which makes a configuration from an old kernel work with a new one. It will stop and ask about any new configuration options, and it makes some attempts to resolve things when an old configuration violates the rules in the new kernel. Some hackers noticed that CML2 did not handle things well when a new kernel adds rules that make an old configuration invalid.

Eric Raymond's initial response was to say that recovering from broken configurations was too hard. He had the numbers to back the point up:

But wait! There's more! If some of the variables participate in multiple constraints, the numbers get *really* large. Worst-case you wind up having to filter 3^1976 or

People might have been more impressed with this display of mathematical analysis skills if it weren't for the fact that make oldconfig works with the old configuration system. The problem, perhaps, is that the technique used (configure out anything that breaks the rules in the new kernel) lacks the sort of elegance that Eric would like to see in his code:

"I guess you didn't know that I trained as a mathematical logician. On the one hand, that predisposes me to try to find "elegant" solutions where you might regard brutality and heuristics as more appropriate."

Elegance appears to have lost, though - witness the announcement of CML2 1.4.0, the "brutality and heuristics" release...

Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Yellow Dog Linux 2.0. We spoke with Kai Staats, co-founder and CEO of Terra Soft Solutions this week about their upcoming release of Yellow Dog Linux 2.0. Yellow Dog Linux is one of two Linux distributions that focus exclusively on the Apple PowerPC and IBM RS/6000 hardware platforms (the other is LinuxPPC).

For the past two years, Terra Soft Solutions (makers of Yellow Dog Linux and Black Lab Linux) have felt that the biggest barrier to adoption has been the installer. As a result, the Yellow Dog Linux development team has spent the last fourteen months building a brand-new installer for YDL 2.0 from the ground up.

Kai Staats just returned from a road tour demonstrating beta versions of YDL 2.0, culminating last week with a presentation at the Macintosh Business Expo in Portland, Oregon. Kai commented:

"During my road tour, I had the chance to watch resellers (who are not always that technically-savvy) install Yellow Dog Linux without needing a manual or guide. That was really exciting for me. The feedback from the audience was very positive."

The team of people who put the new release of Yellow Dog Linux together include a couple of TerraSoft executives wearing dual hats, Kevyn Shortell, former Linux Technologies manager from Apple Computer, who is now Chief Technology Officer for Terrasoft Solutions and Dan Burcaw, co-founder of the company, and also Chief Information Officer. In addition, Hollis Blanchard and Ben Mesander have both worked part-time on the new release under contract to TerraSoft Solutions. There is another big change coming with the release of Yellow Dog Linux 2.0. Formerly, TerraSoft Solutions supported two PowerPC-based distributions, Yellow Dog Linux, the more general-purpose distribution, and Black Lab Linux, which was tailored both for embedded systems development and for high-performance, parallel computing. Now, however, the two distributions will become one. Black Lab Linux, instead of being separate from Yellow Dog Linux, will be available as an enhancement CD providing developer tools for Yellow Dog Linux customers. This has allowed Black Lab Linux developer Jeremias Sauceda to focus on adding new functionality to the developer tool set rather than on the many tasks involved with supporting a full distribution. Like most Linux distributions, looking at the staff actually paid by the company behind the distribution (if there is one) only tells part of the story. TerraSoft Solutions also thanks community members Tom Rini, from MontaVista Systems, who helped with various video driver issues, Andrew Clauson, the author of parted and Jeremy Smith, for his work on "propaganda". The source code to the new installer will be released under the GNU GPL. Meanwhile, the development team is turning their attention to the next release of Yellow Dog Linux where they will be fine-tuning the new installer, and porting some new applications. "We expect to gain a lot of feedback from our customers, both upgrade and new, and put their suggestions into action", said Kai in summary. 
The ROCK Linux Philosophy (O'Reilly Net). From the O'Reilly Network we get this essay on the philosophy behind the ROCK Linux distribution. "ROCK Linux aims to be admin-friendly. There is no YaST, Linuxconf, or Control-Panel. Configuration is done where it has to be done: in the config files. A configuration tool has to help an administrator -- not replace him (I don't think that it's possible to replace an administrator with a config tool.)."

Distribution News

Red Hat News. For those of you who have been following Red Hat's development of Red Hat Linux 7.1 via the Wolverine mailing list, note that the Seawolf mailing list opened up on April 16th and is covering issues in the new version of the distribution.

Debian News. The Debian Weekly News has returned, as of Sunday, May 6th, with a new three-person editorial team to replace former editor Joey Hess. The new editors are Jean-Christophe Helary, Joe 'Zonker' Brockmeier and Tollef Fog Heen. We're happy to see DWN return and we wish all the new editors the best of luck.

Meanwhile, after this week's DWN was published, Anthony Towns sent out his second progress report on the state of the Woody freeze. Most importantly, strong progress has been made solving the problems with the boot-floppies, so a preview release of Woody is now expected to make it out in the next few weeks.

The Kernel Cousin Debian Hurd for May 8th is also available.

Linux-Mandrake News. Those of you interested in Linux installations on laptops may want to check out this description, covering installing Linux-Mandrake 8.0 on an IBM Thinkpad. "Wobo has sent me a description of Tractopel installation on his Thinkpad, and his description starts with 'WOW, that was really smooth'."

If you're in Germany and would like to meet up with a couple of other Linux-Mandrake enthusiasts, check out the planned road-trip.

Slackware News. Massive changes have gone into the Slackware trees this past week, the highlight of which is an upgrade to Gnome 1.4. Mozilla, Galeon and Nautilus packages have been made available, along with a package of Ogg Vorbis utilities, Samba updates, new elflibs, mc, xf86prog and freefont packages. "Do we know how to prep for beta, or what?"

Linux Router Project News. The Linux Router Project reports that Sangoma has recently become an LRP Sponsor and has provided "very generous support to further the LRP effort".

FreeBSD News. The FreeBSD'zine is a bi-weekly on-line magazine that reports on FreeBSD. Here is the May 2nd edition.

Linux for the S/390 News. A bug database has been added to the Think Blue site, along with some updated packages.

Minor Distribution updates
Distribution Reviews

Comparison: Red Hat 7.1 and Linux-Mandrake 8.0 (Newsforge). Newsforge is running an article by Jeff Field comparing Red Hat 7.1 and Linux-Mandrake 8.0. "Mandrake and Red Hat are very similar, at most one revision off from each other. Already in this fast-paced world both are outdated, as the 2.4.4 Linux kernel has just been released. However, Mandrake is the winner in up-to-date major software releases."

Distribution Errata

Per reader request, three of the distributions on our distributions list have officially been moved to the inactive list: Alphanet, Gentus, and Storm Linux.

Section Editor: Liz Coolbaugh
May 10, 2001
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
On The Desktop

The latest poll from KDE.com gives people a chance to vote on what feature they would most like to see in KDE soon. "I just installed Linux Mandrake 7.2 (until my SuSE package arrives), and after upgrading to KDE 2.1.1, I feel that a KDE port of the configuration utilities could bring a huge amount of polish to this distribution. A KDE interface to Linuxconf might be a good start. Others would however prefer a KDE installer, and some simply think that KDE should be faster and/or less of a memory hog. Here's your chance to cast a vote and voice an opinion".

The answers are coming in on the poll, and KDE dot News reports that the area of greatest concern for KDE 2.2 is speed. The report includes suggestions for C++ program speed improvements from KDE developer Waldo Bastian.

This discussion on speed brings some interesting questions to mind. Some of us (but not all of us) at LWN still use the ancient but reliable FVWM window manager for our daily needs and tend to work with KDE and GNOME only for testing purposes. Some of us are also running relatively old (300 MHz and slower) CPUs. Older hardware tends to amplify the effects of slowness.

It would be interesting to run a speed test of FVWM, GNOME, and KDE on what these days is considered a slow machine, for example, a 200 MHz or even a 120 MHz Pentium if one can be found. Non-scientific, but real-world experience shows that FVWM is the fastest environment and, at least last year, KDE tended to be a bit more snappy than GNOME. The standard disclaimer that KDE and GNOME are much more than simple window managers such as FVWM applies as always.

An interesting phenomenon of moving to a slower machine is how sluggish everything feels. Try working on a faster machine for a few weeks, then go back to the slower machine. What used to seem normal now feels very slow and unresponsive. Perhaps the KDE and GNOME developers should consider this approach for optimizing performance if they don't already do so.
Of course, with the slowdown in the tech economy, good deals are to be found on fast machines. The most practical solution for most people may well be to get a new motherboard with a 1.3 GHz CPU, install the latest KDE or GNOME, and not worry about small differences in window system performance.

Desktop Environments

This week's GNOME Summary. The GNOME Summary for May 5, 2001 is out. It includes brief coverage of the May 1 GNOME board meeting, the GNOME Packaging Project, and more.

GTK+ 1.3.5. A new beta of GTK+ (and dependent libs) is now available. This beta has a draft of the new default look and adds a dependency on the Accessibility Toolkit (ATK). Installing the beta won't affect your stable GTK+ version and RPMs are available. So install it, break it and report bugs.

Ximian GNOME 1.4: The Monkey Has Landed (LinuxPlanet). LinuxPlanet also takes a look at Ximian's package. "Ximian has also added a pair of applications unique to the company's release: MonkeyTalk and Red Carpet 1.0, both of which we'll look at further on in this review. Briefly, MonkeyTalk is a help application that connects users with a live chat session in a stripped-down version of the IRC program xchat; and Red Carpet is a package management tool designed to ease software installation and removal."

Miguel de Icaza: Can't We All Just Get Along? [A Response to Dennis Powell] (LinuxToday). Miguel has put out his response (via LinuxToday) to Dennis Powell's article in the LinuxPlanet. "As with anyone who has questions about what we are trying to achieve or how we are doing things, I'd like to address and bring clarity to some of the issues surrounding GNOME and Ximian in Dennis' column, especially as they regard the control of GNOME, the role of my and other companies".

GNOME 1.4 reviewed (C|Net). GNOME 1.4 is reviewed by CNet. They like it, for the most part. "Linux (and Unix) users will find that GNOME 1.4 offers an effective and stable environment. GNOME 1.4 setup is hampered by its sheer size and download time, but current GNOME users will find this upgrade more than worth the effort."

Release of a new set of XML/XSLT libraries. Updated versions of both libxml and libxslt have been announced. They promise bug-fixes, speed improvements and full readiness to handle the GNOME project documentation formatting needs (note that KDE is also reportedly deploying the libraries).

People Behind KDE: Werner Trobin. Werner Trobin, a member of the KOffice team, is interviewed as part of the continuing People Behind KDE series. "How and when did you get involved in KDE? About three years ago I installed Linux for the first time and started to use KDE. As I already did a lot of programming before on DOS/Windows I tried to play with some toy applications and enjoyed it. After reading Kalle's article in the c't archive (yes, *this* Kalle article) I decided to do some KDE program as my final project on school (with another guy from my class). Fortunately our teachers agreed and so it all started."

Desktop Applications

Nautilus 1.0.3 is out. As announced on Gnotices, Nautilus 1.0.3 is out. It has a number of performance improvements, and a few new features, like a news sidebar.

Mozilla 0.9 released. Mozilla 0.9 has been released. There are a few new features (such as automatic proxy configuration), but most of the work appears to have been in the area of performance improvements.

Fer de Lance - Truly Intelligent Multimedia Browsing. The dot (dot.kde.org) is covering the Fer de Lance project. This project aims to properly integrate GIFT's technology in Free Software desktop environments and browsers.

Defenestrating Windows (LinuxDevices). LinuxDevices founder Rick Lehrbaum discusses his experiences in moving from Windows to Linux on his daytime work machine. "It all started back in December of '99. Since I was going to be running a Linux-related website, it only made sense to try to do my work on a Linux-powered desktop computer."

Section Editor: Forrest Cook
May 10, 2001
Development projects

News and Editorials

The LinuxFund funds a new round of grants. The LinuxFund has announced the funding of a new round of grants for open-source software and open-hardware developers. Five projects will each receive a $1000 grant. This round's projects include the Simple DirectMedia Layer, Ocularis, the Leviathan Project, OpenDecoder, and GNUpdate.
Standards

Linux Standard Base 0.9. The Linux Standard Base project is getting toward the end of its specification process. Version 0.9 of the LSB has been released, and is in a 30-day comment period. Once the comments have been addressed, the LSB will go to the Free Standards Group for adoption.

Audio

GLAME 0.4.1 released. A new version of the GLAME audio editing tool has been released. This version fixes some bugs that turned up in the recently released GLAME 0.4.0.

CORBA

Manage CORBA with scripting (Unix Insider). Unix Insider takes a look at CORBA in a Regular Expressions article: "For the purpose of this column, the main point to take from CORBA's history is that the protocol is a smashing success. We mean this in a precise sense: CORBA 1.0 was difficult, expensive, and esoteric. Ten years later, CORBA costs little or nothing (at least in some varieties), it is widely used, and hobbyists and students expect to use it safely."

Databases

PostgreSQL version 7.1.1 released. A new version of the PostgreSQL database has been released. Version 7.1.1 contains mostly bug fixes and optimizations. Upgrading from version 7.1 does not require a dump/restore operation. Some new interactive documentation is also available for PostgreSQL version 7.1.

Documentation

Linux Documentation Project News for May 8, 2001. Here's the May 8 edition of the LDP weekly news.

Embedded Systems

LinuxDevices.com Embedded Linux newsletter. Here's the latest LinuxDevices.com Embedded Linux newsletter, with pointers to the LinuxDevices articles for the past week. Topics include an updated tiny SBC list, conference information, an open-source camera server, several video systems, and more.

Graphics

Cal3D - 3d character animation library. The initial release of Cal3D, a free, skeletal-based character animation library, has been announced. "This release is significant due to the extreme scarcity of Free Software options for skeletal-based animation, and thus may provide a very important advancement for Free Game development projects."

Mail Software

Mailman version 2.0.5 released. Another new release of Mailman, the GNU mailing list manager, has been announced. Version 2.0.5 is a bugfix release that fixes a problem with stale lock files.

Network Management

OpenNMS Update v2.19. For the latest news on OpenNMS, a project that is building a fully distributed network management platform, check this week's OpenNMS Update v2.19. The OpenNMS team will be talking tomorrow at the Boulder Linux User Group, if you are interested in meeting them in person.

Printing Systems

CUPS 1.1.7 released. Version 1.1.7 of the Common Unix Printing System (CUPS) has been released. This version has improved configuration scripts, better documentation, a number of non-root command modes, and lots of bug fixes.

Security

OpenSSH 2.9 released. OpenSSH 2.9 has been announced. This release includes a number of new features, some fixes, and makes version 2 of the SSH protocol the default.

Software Development

An Introduction to Extreme Programming (O'Reilly). O'Reilly's Linux DevCenter features an article on Extreme Programming, somewhat of a catch-phrase these days. "In its purest form, Extreme Programming is simple. The central tenet is, 'Find the essential elements of creating good software, do them all of the time, and discard everything else.'"

Web-site Development

OpenACS 3.2.5 announced. OpenACS is an Open Source toolkit for creating "Web services with a collaborative dimension". It is based on the ArsDigita Community System (ACS) but uses PostgreSQL instead of Oracle. OpenACS 3.2.5 has just been announced and includes multiple, important security fixes as well as support for PostgreSQL 7.1.

Midgard Weekly Summary (May 4th). Like many "weekly" development reports recently, the Midgard Weekly Summary took a hiatus for a month or two. However, it is back now with a lot of news to cover. One particular highlight: Henri Bergius (one of Midgard's original architects) has started a new commercial firm, Nemein Solutions, which uses Midgard as a core technology.

Zope Weekly News for May 4th. The Zope Weekly News for May 4th is out. Topics include a Berkeley Storage beta, the Zope book, Zope 2.4 progress, SmartObjects compared to an ODB, and more.

Squishdot 1.1.0 released. A new version of the Zope-based Squishdot news publication system has been announced. The list of changes includes improved searching, modified HTML parsing, and use of Zope 2.3.2 Btrees.

MoinMoin 0.9 released. A new version of MoinMoin, a Python-based Wiki program, has been announced. Version 0.9 adds some new XSLT features, more user configuration actions, and several bug fixes.

Section Editor: Forrest Cook
May 10, 2001
Programming Languages

C++

Convert C to C++ with a Python program. A new Python script that converts C code to C++ has been announced.

Caml

Caml Weekly News for May 9, 2001. The latest edition of the Caml Weekly News is out. Topics this week include an announcement for a new French Caml book and a beta release of the Caml Development Kit.

Java

Simplify XML programming with JDOM (IBM developerWorks). IBM's developerWorks features an article by Wes Biggs and Harry Evans on XML programming with JDOM. "In many ways, the Java language has become the programming language of choice for XML. With groundbreaking work from the Apache Software Foundation and IBM alphaWorks, there are now complete tool chains for creating, manipulating, transforming, and parsing XML documents."

Lisp

SBCL 0.6.12 released. Version 0.6.12 of SBCL, Steel Bank Common Lisp, has been released. This version includes bug fixes, optimizations, and some patches from CMU Common Lisp.

Perl

Apocalypse 2. Larry Wall has released Apocalypse 2, the second article in a series describing Perl 6. Atoms, molecules, data types, variables, names, literals, context, lists, files, and properties are covered.

Using SOAP::Lite with Perl (IBM developerWorks). Joe Johnston discusses the use of Perl to work with SOAP. "Marrying SOAP, the darling protocol of the Web services world, to Perl, the grande dame of Web programming languages, is a natural fit. This article will present a no-nonsense approach to using SOAP::Lite, Perl's window into SOAP Web services."

PHP

PHP Weekly News for May 7, 2001. The May 7, 2001 edition of the PHP Weekly News is out. This issue covers PHP 4.0.6 RC1, Advanced Data Types, extension dependencies, variable, class and function naming issues, and more.

Python

This week's Python-URL. Dr. Dobb's Python-URL for May 7 is out, with coverage of the new iterator proposal, the Java Python Extension, dealing with fixed point calculations for currency, and more.

Developing a full-text indexer in Python (IBM developerWorks). The next installment in the Charming Python series looks at an indexer module for better searches.

Tcl/Tk

This week's Tcl-URL. Dr. Dobb's Tcl-URL for May 7 is out, with the latest from the Tcl/Tk development community.

Section Editor: Forrest Cook
Linux and Business

Craig Mundie's speech. Is anyone really surprised that Microsoft execs attack open source software? It has happened before and it will happen again (and again and again). They don't 'get it', and people who invested in the cathedral model will not easily understand the bazaar (to borrow a metaphor). The more Microsoft attacks open source, the more obvious it becomes just how threatened they are by it.

The latest incident happened on Thursday, May 3, when Microsoft Senior Vice President Craig Mundie gave a speech entitled "The Commercial Software Model" at the New York University Stern School of Business. The speech talks about Microsoft's "shared source" model, which, of course, avoids all of the problems of free software. Of the open source model he says:

"The OSS development model leads to a strong possibility of unhealthy 'forking' of a code base, resulting in the development of multiple incompatible versions of programs, weakened interoperability, product instability, and hindering businesses' ability to strategically plan for the future. Furthermore, it has inherent security risks and can force intellectual property into the public domain."
Given the timing of the speech, on LWN publication day, we've had a week to gather the many replies. Others have already said everything that needs to be said, and then some, so without further ado here are some of the replies.