![[LWN Logo]](http://old.lwn.net/images/lcorner.png)
![[LWN.net]](http://old.lwn.net/images/bigpage.png)
|
|
|
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
 Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters
Other LWN stuff:
Archives/search
Recent features: Here is the permanent site for this page. See also: last week's LWN.
|
Leading items and editorialsGartner: dump IIS. The analysts have released a new set of proclamations relating to Linux and free software. Analyst opinions should always be taken with a grain of salt (if not an entire shaker of salt); they do not always reveal a deep understanding of how free software works. Nonetheless, they are a good indicator of how a certain segment of the world views free software. The Gartner Group is one of those analyst operations that has shown, over time, an inability to "get" what makes Linux what it is. The Group's opinions have generally been hostile. So the latest words of wisdom from Gartner are doubly interesting when they state: Gartner recommends that businesses hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors such as iPlanet and Apache. Although those Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Apache, of course, is not a "vendor," but we'll let that pass. It's a slow process, but the corporate world is beginning to figure out that free software offers some real security advantages. It is important, too, that web servers are the subject of this discussion. Some have claimed that Linux is free of email viruses only because, as an obscure (on the desktop) platform, it is not an interesting target for virus authors. But Apache is the dominant web server platform; anybody wishing to attack large numbers of systems via a web server would look at Apache first. The "obscure and uninteresting" argument will not wash here. D.H. Brown's enterprise functionality study. A much more detailed proclamation can be found in the "2001 Linux Function Review" recently announced by D.H. Brown Associates. The full report is available from the D.H. Brown site, but only for those with $1500 to hand over. Those willing to register can get an "executive summary" in PDF format for free. The report looks at several Linux distributions and reviews their functionality in a number of areas. The boiled-down rankings, from best to worst, are:
The ranking between the distributions is, to a great extent, driven by how current they are. Distributions shipping a 2.4 kernel came out ahead of those still shipping 2.2 (Turbolinux and Debian). Beyond that, D.H. Brown looked mostly at the additional features built in by each distributor. Red Hat wins in the "scalability" category, seemingly because of its published SPECWeb results. SuSE got a lower rating because it lacks those results, and "a lack of support for key third-party load balancing software options." Caldera was penalized for not having a shipping 64-bit distribution. D.H. Brown remains unsatisfied, however, with Linux scalability: ...no Linux distribution yet provides scalability functions that are competitive with RISC-based Unix systems. The largest Unix systems can support up to 256 GB of main memory and 128 CPU's, far beyond Linux's practical limitation of eight processors. Among kernel developers (and others), the question of whether Linux should ever scale to that many processors remains highly controversial. Those wanting support of hundreds or thousands of processors in an SMP mode are likely to be disappointed with the mainstream Linux kernel; making a kernel work in that environment carries a number of performance and maintainability costs. SuSE, instead, wins the "Reliability, Availability, and Serviceability" (RAS) category. D.H. Brown liked the inclusion of ReiserFS, the S/390 partition support, and logical volume manager (LVM) support. But, says D.H. Brown, "True High Availability clustering options for Linux remain in their infancy." Also: ...leading Unix systems have added features for planned downtime reductions, such as live operating system upgrades and kernel hot-patching, which are not available in Linux. "Kernel hot-patching" in Linux may be problematic, but the comment on live upgrades shows an ignorance of the upgrade capabilities provided by a number of distributions, led by Debian's apt system. SuSE was also declared the leader in the "system management" category, due to the inclusion of LVM and its installation and administration tools. No distribution's administration tools were considered to be all that great, however. There was also an interesting comment: While ease of use has long been a point of differentiation between the various Linux distributions, most of the studied vendors have focused on easing installation and desktop usability, rather than enterprise systems management. All of the studied distributions provide strong tools for software installation and management, based on either the RPM package manager or the Debian packaging system, but none provide advanced event management capabilities, which are critical for administrators who must monitor a large number of systems. Given that a number of distributors have targeted the large enterprise market, they may wish to think about improving things in this area. Red Hat was declared to be the best for Internet and web application services, mostly for its support of proprietary, third-party platforms. Caldera's broad protocol support was also called out, however. All distributions were criticized for their lack of support for Java2 Enterprise Edition servers. The last category was "directory and security services," though security does not appear to enter much into their evaluations. SuSE came out on top as a result of its inclusion of the latest Samba Overall: Based on the results of this latest functional evaluation, DHBA believes that the leading Linux distributions are now quite capable of serving as general-purpose operating systems for a broad range of departmental and workgroup applications. The study is interesting as a comparison of the distributions, and as an expression of a certain type of shopping list. It remains, however, a shopping list. In its comparison of distributions, against each other and against proprietary Unix, it looks only at which features can be checked off for each. Features are important, but the drive to complete feature lists leads to bloated, immature software releases. A company looking at adopting Linux would be well advised to look beyond the feature comparison. After all, it is not hard to add a journaling filesystem to a distribution that lacks one. The real life and value of a distribution can be found in the openness of its development process, its approach to security, the strength of its user community, and the integration of the distribution as a whole. D.H. Brown has provided an interesting study, but it missed much that is important. A quick Sklyarov update. Current events in the world have turned eyes elsewhere, but Dmitry Sklyarov remains under indictment. Here's a quick update from the EFF on what's up. Dmitry has a new lawyer, John Keker, the "Lawyer Lawyers Would Hire If They Got Busted" Among other things, Mr. Keker handled the prosecution of Oliver North in the Iran-Contra scandal. The next hearing will happen on November 26. Inside this LWN.net weekly edition:
This Week's LWN was brought to you by:
|
September 27, 2001
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Security page. |
SecurityNews and EditorialsSerious vulnerability in PHPNuke. PHPNuke 5.2 has an embarrassing vulnerability in its file manager function that can allow the creation and overwriting of arbitrary files on the server system. The advisory contains a quick source-level fix; a simpler fix was also posted. Note that PostNuke 0.63 appears not to be vulnerable.More SQL code injection problems. This RUS-CERT advisory describes a new range of SQL code injection vulnerabilities. This time the problem is with the PAM and NSS libraries shipped with most Linux (and Unix) systems. Through the use of properly-crafted usernames and passwords, an attacker can cause arbitrary SQL code to be executed. This, in turn, can lead to database corruption and unauthorized access. No vendor updates for the affected modules are yet available. CRYPTO-GRAM for September. For those who haven't yet seen it: Bruce Schneier's CRYPTO-GRAM Newsletter for September covers the September 11 attacks and several other topics. Security ReportsOpenSSH restricted command vulnerability. OpenSSH 2.9 and 2.9p2 are subject to unauthorized access problems in certain scenarios. If you are using authorized key pairs to provide remote access, and have restricted the commands that may be executed via that key pair, and have the sftp capability enabled, the command restrictions can be evaded. The result can be access to a shell on the server system even though that access had been explicitly denied. The fix, for now, exists only in the OpenSSH cvs archive; concerned administrators should update to the cvs version, or simply disable sftp.slrn executes shell code. The Debian Project has released a security update to slrn fixing an interesting problem: evidently slrn will execute any shell code it finds within an article, on the theory that the article is a self-extracting archive. This may have been desirable behavior in 1982, but it presents certain difficulties in modern times. Users of slrn should apply the update; none have yet been seen from other distributors. Minor DOS problem with squid. Also from Debian is this update to squid. Evidently a malformed FTP PUT command can cause the server to restart. The problem has been fixed in version 2.2.5-3.2. Updates seen so far: Format string problems in HylaFax. The HylaFax package has some format string vulnerabilities. On some systems (i.e. FreeBSD), the affected binaries are installed setuid uucp, and could thus provide unauthorized access to the system. Most Linux systems seem to not install HylaFax with added privileges, however.
Filename vulnerability in Red Hat's serial init script. Red Hat has
issued an alert warning of a
potential vulnerability with the setserial package. This one is obscure:
you must have installed setserial, copied the init script from the
documentation directory over to /etc/rc.d/init.d, and built your
own kernel with serial support installed as a module. If you've done all
those things, there is a potential problem with predictable temporary file
names. Most users, it is expected, need not worry about this one.
Proprietary products.
UpdatesSource page buffer overflow in man zen-parse reported a buffer overflow in man that, when manual pages begin with a '.so' statement, may be exploited to execute arbitrary code under the 'man' group id. For more details, check BugTraq ID 2872. (First reported in the June 21 LWN security page). New updates: Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.New updates:
Buffer overruns in Window Maker A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page. New updates: Previous updates:
ResourcesPort list available. Kurt Seifried has released a comprehensive list of TCP and UDP ports, including 363 known trojan ports.
By the numbers: Comparing Windows security to Linux (TechRepublic). TechRepublic uses BugTraq reports to determine just how secure Linux is versus Microsoft, and the numbers are not tilted the way you might think. "As these numbers illustrate, Windows NT 4.0 was the leader in bugs identified during 2000. But Linux was not far behind. And in 2001, Windows 2000 has stabilized a bit and is actually running in the middle of the pack." A free registration is required to access this article. (Thanks to Sean Walton) EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Jonathan Corbet |
September 27, 2001
LWN Resources | |||||||||||||||||||||
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Kernel page. |
Kernel developmentThe current kernel release is 2.4.10, which was released by Linus on September 23. 2.4.10 is a huge (11MB) patch with some far-reaching changes: jffs2 and NTFS updates, a large ACPI update, the latest version of min()/max(), lots of block device changes (including one that makes block device I/O use the page cache), a new multipath RAID personality, various architecture updates, and a great deal of merging from Alan Cox's "ac" series. And a virtual memory update from Andrea Arcangeli - we'll get to that shortly. The initial user reports on 2.4.10 are almost uniformly positive. Alan Cox's latest is 2.4.9-ac15, which includes many more fixes, and some virtual memory patches from Rik van Riel. Note that the finger server at finger.kernel.org now lists the latest "ac" patch along with the Linus releases. 2.0 lives. The 2.0 kernel may be ancient history to many, but David Weinehall is still carrying the torch: he has recently released 2.0.40-pre1, the first prepatch for a 2.0.40 stable release. The patch includes a small number of fixes and a number of code cleanups. Virtual memory: the plot thickens. Readers of this page know that the Linux kernel hackers have been working to improve virtual memory performance for a long time. Since somewhere in the 2.1 series, according to some of the more cynical observers. VM performance has been, perhaps, the largest remaining issue with the 2.4 kernel. Almost everything works very well, but memory exhaustion and massive swapping have been the bane of many 2.4 users. Quite a bit of incremental work has gone into fixing up 2.4 VM. Andrea Arcangeli, however, came to the conclusion that the incremental approach wasn't going to work; instead, he posted 2.4.10-pre10-aa1, which included a major rewrite of the VM code. This rewrite throws out much of the previous VM algorithm, including things like page aging, and replaces it with something simpler. The 2.4.10 kernel has a completely different virtual memory subsystem than its predecessors. Even for people who are getting used to seeing large changes slip into the "stable" kernel series, this patch came as a bit of a surprise. Initial reactions were not positive: But suddenly, the number of people who understand the Linux VM has gone from maybe 10 down to just one-and-a-bit. A large number of comments have been removed, and a year's worth of discussion has been invalidated.
I've never seen as invasive a patch merged that ran the risk of completely torpedoing stability merged into a STABLE KERNEL SERIES, nor would I ever consider submitting such a patch.
I have nothing against the code itself (the "old" code also had bugs), but a major VM rewrite at this point seems to be dangerous if we want a stable VM.
Linus 2.4.10pre is definitely 2.5 in disguise.
Look, the problem is that Linus is being an asshole and integrating conflicting ideas into both the VM and the VFS, without giving anybody prior notice and later blame others.
There is, however, one group whose complaints are notably absent: 2.4.10 users. With an occasional exception, people who have actually installed 2.4.10 seem to be running it happily. A lot of the swap-related problems from earlier 2.4.x kernels appear to have been solved. Wider use of 2.4.10 will doubtless turn up other problems - you can't make such large changes to such a complex and crucial subsystem without them - but the final judgement may well be that this was a good change. Not everybody has bought into it yet, however. The "ac" kernel series has stayed away from the mainline VM for a while now, and, as of 2.4.9ac15, Alan was still accepting changes to that code. In other words, the Linus and Alan kernels have diverged in a much more fundamental way than ever before. For the short term, the two kernel trees can function as a laboratory to see which VM approach works better - though one does not normally use stable kernels in this mode. In the longer term, however, one can only hope that some sort of VM consensus is reached. Should proprietary security modules be allowed? The Linux Security Module project has been working since last April to create a flexible framework that would allow the plugging of arbitrary enhanced security mechanisms into the kernel. To that end, the LSM hackers have created a lengthy series of hooks which will allow a security module to make decisions on just about any operation that a process can perform. Those who are interested in what the security module interface looks like can get a view from the well-documented security.h include file provided with the LSM patch. The LSM patch is approaching readiness for inclusion into the (2.5) kernel. This proximity caused Greg Kroah-Hartman, perhaps rather belatedly, to submit a patch limiting the use of the security.h file to modules licensed as free software. The effect of this change is to say that all security modules must be free software; no proprietary modules need apply. The longstanding policy for Linux kernel modules, of course, has been that closed-source modules are allowed, as long as they follow the (not well defined) module interface. Restricting security modules may seem, at first blush, to be a deviation from this policy. Proprietary driver modules may be loaded, why not proprietary security modules? Numerous objections to the restriction have been posted, mostly arguing along these lines. There has also been an argument that the restriction is, itself, a violation of the GPL. The security module patch, however, is a major change to the module interface. With this new interface, a module can easily hook code into many parts of the kernel; very few operations are left untouched. Thus, security modules can change the functionality of the kernel in ways that, under the current module interface, are not possible. Using this interface, a proprietary module could add much interesting new code, which may have nothing to do with security, to the kernel. Greg has, for now, removed the restriction as a result of the controversy. In the end, Linus will probably have to make the decision. Given that closed-source security modules will be able to do many things that are currently forbidden to proprietary code, however, there is a good chance that the security module patch will not be accepted without a licensing restriction. (The latest security module patch is the September 23 version). A proposal for module initialization changes. Rusty Russell has posted a proposal for changes to the module loading and initialization code in 2.5. These changes have a couple of goals: (1) decreasing even further the differences between linked-in and modular code, and (2) addressing the remaining race conditions associated with loadable modules. The changes also simplify the module loading code, allow the automatic exporting of module parameters to /proc, and provide a "warm fuzzy bleeding edge feel." If this scheme is adopted, the changes for modular code will be significant, but relatively straightforward. Module initialization, for example, will be split into two phases. The first sets everything up, but does not make the module visible to the rest of the kernel. It can fail, causing the entire module load to fail, without somebody else trying to access it halfway through. The second phase then makes the module visible, and is required to succeed. Unloading works in a similar way; the first phase makes the module invisible to new users in the kernel, while the second actually shuts the module down when no more users exist. As of this writing, there have been no comments on the proposal; people must either like it, or they don't think 2.5 will ever happen. Other patches and updates released this week (and the week before - we're catching up) include:
Section Editor: Jonathan Corbet |
September 27, 2001 For other kernel news, see: Other resources: |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Distributions page.
Lists of Distributions |
DistributionsPlease note that security updates from the various distributions are covered in the security section. News and EditorialsLinux DA. The Linux DA O/S, made by Empower Technologies, is an embedded, Palm compatible distribution that has been in the news this week. Some has been very favorable, and some has not. LinuxDevices covered the PowerPlay III PDA which runs Linux DA O/S for the Dragonball processor. Peter Kis wrote a review of LinuxDA that is mostly favorable. So far so good, but then this Newsforge article accused Empower of not playing by the rules of the GPL. LWN took a quick look at the Linux DA website. In the legal section the Linux trademark is mentioned, but the GPL is not. We did download the source code for Linux Kernel, available from the download section and used tar -t to look at the contents. There are some source files (.c and .h and Makefiles), but we also found gif files, core files, object files, and other things not usually found in a source package. The GNU GPL did not seem to be included. According to LinuxDevices, Empower has promised to comply with the terms of the GNU GPL. Time will tell. Distribution NewsDebian News. The latest edition of the Debian Weekly News includes discussions on using HFS+ with Linux, a summary of the talks on the use of the Java "repository" directory, and a preview of the new Ghostscript packages. The latest Kernel Cousin Debian Hurd includes discussions on syncing with Linux, xmalloc, xrealloc And Friends, and lists some packages that have been ported. Last week we posted a note about an opening for a Debian Security Secretary. Here is some clarification. You do not have to be a current Debian developer to apply, though a knowledge of Debian would certainly be helpful. Gibraltar News. Gibraltar is a Debian-based router/firewall distribution, fully workable from a bootable, live CD-ROM. Log files can be stored on a hard disk, and configuration data is stored on a floppy disk and kept on a RAM disk during run-time. Version 0.99.1 was released on September 24, 2001 and contains bug-fixes and new features. This product is "Free To Use But Restricted". Kaladix Linux. Kaladix Linux is designed to be a hyper-secure Linux distribution. Version pre-0.4 was recently released along with a move to a new domain. Old pointers to Kaladix no longer work, however the link in the LWN distributions list has been updated. LWN first covered Kaladix in the June 6, 2001 Security section. Since last June Kaladix has changed to the GNU General Public License and FormatGuard has been replaced by libsafe. Linux From Scratch. Linux From Scratch (LFS) is a project that provides you with the steps necessary to build your own custom Linux system. LFS has just released a new stable version, 3.0. See the change log for details on what's new. By allowing users to build their own custom system, LFS tries to teach users more about the internals of Linux. That's why we are now listing Linux From Scratch under 'Education' (on the right sidebar). Mandrake Linux News. Don't miss out on the Mandrake Linux Special 8.1 Preorders. Mandrake Linux 8.1 will be released soon. We also received the Mandrake Linux Community Newsletter in German this week. MSC.Linux News. MSC.Linux, self-styled as the "definitive cluster distribution" is designed for demanding computational environments in engineering and life sciences. On September 21, 2001 MSC.Linux version August 2001 was released. Version numbers just aren't for everyone. Slackware News. A new -current directory was started last Friday. For now, this will be used to hold upgrades to Slackware 8.0, starting with KDE-2.2.1. Those alert people who downloaded the above mentioned KDE-2.2.1 package right away may have noticed that something was missing. koffice-1.1/: source and packages for KOffice were added on September 24. Slack-Pack is an apt-get like program for Slackware Linux. Slack-Pack queries a mysql server and, if the package is found, Slack-Pack reports it, while a second program handles the downloading and installation. Please Note: Slack-Pack is not produced by the Slackware developers nor is it supported by them. (Found at userlocal.com) These step by step instructions on how to Build Securely a Shadow Sensor Step-by-Step Powered by Slackware Linux were also found at userlocal.com. SuSE Linux Firewall and Nimda. The recently introduced SuSE Linux Firewall on CD is capable of protecting your network from the Nimda worm. Of course the Nimda worm won't affect your Linux system, but it's not nice to pass it on to others, and that can happen. The Squid proxy server, one of the open source components of the SuSE Firewall on CD, can be configured to block files such as the one one in the Nimda worm. Wasabi Systems ships NetBSD v. 1.5.2. Wasabi Systems, Inc. announced shipment of NetBSD v. 1.5.2. This version includes additional machine support for Apple iBook and PowerBook laptops; security fixes for Kerberos, BIND, ssh, ntpd, ftpd, telnetd, and IP filter; performance enhancements for NFS, LFS, Symbios/NCR SCSI, sendmail, and dhcpd; and support for running Linux VMWare on NetBSD/i386. Minor Distribution updatesMindi v0.41. Mindi Linux builds boot/root disk images using your existing kernel, modules, tools and libraries. The latest release (tgz, RPM, SRPM), was made on September 23rd. See the changelog for details. Sorcerer GNU Linux 20010924. Sorcerer GNU Linux is a source-based ix86 Linux distribution designed for advanced Linux administration. You get a bzipped bootable ISO9660 installation CDROM image. Everything else will be built from the source code. It features menu and command line interfaces that enable sysadmins to download, compile, and install source tarballs directly from the software authors' homepages. The 20010924 release contains minor feature enhancements. The latest Install/Rescue ISO9660 contains glibc 2.2.4, linux 2.4.10, and utilities for kick-starting a new box such as the linux master boot record and a menu driven installer with support for ext2 and reiserfs. Sorcerer GNU Linux is released under the terms of the GNU General Public License. Distribution ReviewsRed Hat's market-leading Linux (ZDNet). ZDNet has posted an analysis of Red Hat Linux, covering the various product options and some of the limitations on those products. "Red Hat Linux is a bargain. The Red Hat package not only gives users the Linux source code to modify in any way they please, it offers a great deal more in terms of packaged applications, Apache, SMP support, and documentation. Further, clients have access to Red Hat Network, its online solution for managing a network of Red Hat Linux systems. All Security Alerts, Bug Fix Alerts, and Enhancement Alerts can be downloaded directly from Red Hat." SuSE Linux 7.2 Professional (ComputerShopper.co.uk). SuSE Linux 7.2 gets a favorable review on ComputerShopper. "In use, SuSE 7.2 is nice. It's a filesystem hierarchy standard-compliant (FHS) distribution based on the 2.4.4 release of the Linux kernel with features such as support for up to 64Gb of Ram and Pentium 4 processors. As well as up-to-date copies of a bunch of packages including KDE 2.1.2, Gnome 1.4, XFree86 4.0.3 and StarOffice 5.2, the big improvements in this version are support for encrypted and journalling filesystems." (Registration required - Flash required.) Section Editor: Rebecca Sobol |
September 27, 2001
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's On the Desktop page.
|
On The DesktopThe sound of Linux. While the desktop is often associated with graphical environments, word processors, spreadsheets, and games, there is one area that is often overlooked completely: audio. The Linux operating system is rich with audio support, especially in the 2.4 kernel based distributions. But the state of audio is rather confusing. Desktop users are looking for various things from their audio support, from playing simple sound files to streaming media support for things like radio, MP3, or Ogg Vorbis broadcasts. According to Dave Phillips, author of The Book Of Linux Music & Sound, Linux has done remarkably well in its support for these activities, especially when it comes to audio players. "Anyone migrating from other platforms will be looking for familiar software, things like media players," says Phillips. "Any media player that doesn't support audio is sort of a half media player. No one ever says much about audio but everybody expects it to be there. It's like salt in a cake: you know if it's gone." So where does audio come from for Linux? For most users with current distributions it comes from the kernel itself via the sound.o and soundcore.o kernel modules, plus a soundcard-specific module (users can run "lsmod" from a command line to see which modules are loaded, or "modprobe" to look for them and load them if they aren't already). These modules are sufficient for day to day desktop use for any of the available audio players, tools like XMMS or RealPlayer, and work with a majority of the available sound cards. Phillips adds, "You should be able to play 16 bit, stereo, CD quality sound files with no trouble, and that's the baseline audio for the desktop user." But the kernel drivers currently available aren't really sufficient if Linux is to make it into professional level audio markets. The OSS Linux drivers provide commercial support for audio that is somewhat better. But the future of Linux audio comes from the open source ALSA project. ALSA supports the OSS/Lite (the free version of OSS) API with a fully modularized sound driver. However, with ALSA the typical user will end up with half a dozen or more kernel modules loaded, rather more than with the current scheme. The hope is that the ALSA drivers will replace the kernel drivers with the release of the 2.5 Linux kernel sometime in the near future. Alan Cox has been amiable to this option but only Linus can make the final decision to make the switch, and that decision has yet to be made official even though many kernel developers fully expect it to happen. Phillips says that audio support has normally been pretty good for off the shelf Linux. "Kudos have to go to the major distributors. They did not ignore audio," he said with emphasis. Creative Labs and Hoontech have been very forthcoming (recently) with driver information. And laptop support has gotten better. "IBM is making special efforts to make sure their machines support sound right out of the box." Laptops and notebooks are often the toughest area of sound for the desktop user. But, like the difficulties encountered by the XFree86 project in trying to get programming information for new 3D cards, the audio world on Linux has to deal with the lack of information coming from audio hardware vendors. "I've lost track of how much energy has gone into cajoling and arm twisting the manufacturers," notes Phillips, "that it is in their interest to provide that information." And that is keeping Linux out of the professional audio arena. Phillips says, "We still don't have fully supported 3D audio or even hardware acceleration for audio. OpenAL is very promising with good cross platform support. But its success depends on its ability to compete with Direct3D. As far as I know we're still lagging there." Direct3D, however, is tied closely to Windows which gives OpenAL a chance if cross platform support is something the audio world really wants. The professional world has many needs, including 3D Sound and Dolby Surround sound. Both are very important for a number of professional applications, though he admits the most obvious use would be in games. "But in the world of academic music making, the wider electro-acustical music community want these features badly," he says. Simulation environments would also benefit from this support. Say Phillips, "You have to have multi-channel support for this, in other words fore and back speakers. This is just beginning to see full support out of the drivers for the Creative SBLive card." Interestingly, there are three different drivers for this card: Creative's, ALSA's, and OSS's. And each offers different features even though the source is open for this card. The reason for such differences is not clear but probably has something to do with the fact that the API for the card is rather extensive. "Effects processing is just being introduced with ALSA while Creative's driver provided it from the beginning," says Phillips. As far as applications go, for the desktop users wanting access to streaming media, Linux offers xmms which actually supports a variety of video formats such as MPEG and AVI along with the audio formats. Browser plugins with audio support include RealPlayer and RealVideo, Flash (which comes directly from Macromedia) and the Crossover plugin from CodeWeavers which now provides both Shockwave and Quicktime for Linux.
At the professional level the most sophisticated application at this point is probably ardour, by Paul Davis. "Ardour is a very ambitious project that is in very capable hands," says Phillips. "It is designed to be a fully professional, multitrack, multichannel, hard disk recording system." It's designed around the RME Hammerfall, a Hollywood post-production level card. RME provided the development specifications necessary to support this card by Ardour. Additionally, the application will work with just about any ALSA supported audio hardware. Professional level audio support may become a more pressing issue as the visual effects industry in Hollywood begins to adapt more and more Linux solutions. Phillips thinks the problems can be solved, but they haven't been addressed yet. "Some people from the Maya group [Alias|Wavefront's sophisticated 3D modeller and renderer] noted that audio is still a problem for them, and I believe the reason is that OSS 3 as it stands doesn't offer the kind of audio support they need for professionals and ALSA isn't quite there yet. So we're in a bit of an uncertain state, but our direction is clear and there are some very capable hands working on it." What audio lacks at this point is the killer app, the GIMP of audio. Phillips says that comment is made often. "Users coming from Windows often ask 'Where is the fucntional equivalent of CoolEdit 2000?', the most widely used sound editor on Windows. And we haven't really had an equivalent. There are maybe a dozen or so editors for Linux, all in various stages of development and many not very advanced." Some, he says, are nice, long lived programs such as DAP. But with that particular application you can only edit files in memory. That limits the size of the file you can edit to the amount of available RAM. Modern sound file editors are hard disk oriented, what Phillips called "non-destructive," and capable of handling much larger files. Snd, a sound file editor, is probably the most advanced along these lines but lacks a reasonable user interface. Phillips is working with the author of that program to address that issue. "Hopefully some of the advancements to snd will make it due for people looking for the audio GIMP." Or perhaps Ardour. It's just a matter of effort over time. With so many editor projects we have to wonder if there are too many projects or simply not enough developers. Phillips says we have plenty of both. The real answer is more about time and commitment. "Someone like Paul Davis is so committed to doing Ardour. CoolEdit has been in consistent development since the late 1980's. Linux has only been around since about 1992," which means the low level audio is just now getting to where the applications have begun to be written. "It's easy to write basic audio applications for Linux. OSS's API is pretty easy to work with. But when it comes to writing professional applications, OSS isn't enough. ALSA is needed, but not finished yet. So if you're writing a program like Ardour you can't have your 1.0 release till the audio reaches 1.0." And that means application developers have to be committed to their work, and patient in waiting for the underlying support. Phillips also says young programmers come along with the wrong ideas. "We don't need another MP3 player. We also don't need another sound file editor. Paul is dedicated to such a project and has been for some time. How many audio applications can you say that about? Not that many. Comparing the problem to the GIMP is useful - look how long it took for GIMP to become as good as it is." And in the process GIMP spawned things like GTK+. The same thing could happen with audio. With the right application, you'll have spinoffs. "But there just isn't anyone working on it yet", says Phillips. Audio Links
Desktop EnvironmentsKDE initiative aims for corporate desktops (ZDNet). ZDNet looks briefly at the KDE::Enterprise project which was announced yesterday. "KDE::Enterprise is an attempt to remedy one of the persistent limitations of Linux: its failure to achieve significant use as a desktop platform. This failure stands in stark contrast to Linux's success in back-end systems and particularly Web servers, where it controls up to a third of the market, according to some estimates." KDE 2.2.1: Linux desktop approaches maturity (ZDNet). ZDNet reviews KDE 2.2 (and 2.2.1) and says it will ease migration from Microsoft platforms. "A comprehensive user management program, KUser, lets you create, modify, and delete user logins on multi-user Linux systems. KCron provides similar functionality for managing automated background tasks. And KDE System Guard, like Windows' Task Manager, lets you view current tasks and kill problem applications. And since KDE is merely running on top of the X Window System, you can perform remote administration of any KDE-enabled system by redirecting application output to another X server on the network." Red Hat RPMs for KDE 2.2.1. There are now KDE 2.2.1 RPMs available for Red Hat 7.0 and 7.1. An Analysis of KDE Memory Usage. A SuSE employee notified KDE Dot News of an analysis he has done on the memory usage of KDE. His results apparently show that about "650KB of memory wasted per KDE application not launched via KDE Init", something he has reported to the GCC/binutils teams. Installation Guide For GNOME 1.4.1. GNOME Gnotices noted that a new installation guide covering GNOME 1.4.1 has been posted to the karubik.de site. This new guide joins the 1.2 guide prevously posted to this site. New GTK 1.3.8 libraries Released. A new developers version of the GTK+ toolkit has been released. This version is dependent on the JPEG/PNG/TIFF libraries and pkg-config 0.8 and addresses mostly bug fix issues. XFce 3.8.8. Olivier Fourdan has announced the release of XFce 3.8.8. This release includes improved sound support, better theme support and plenty of bug fixes. Office ApplicationsEvolution 0.14. Ximian has announced another beta for Evolution. The announcement includes the list of updates since the 0.13 release. AbiWord Weekly News. Two more issues of the AbiWord Weekly News have been published. Issue 58 notes that the release of 0.9.3 is not expected soon since there are still quite a few issues yet to be resolved. Issue 59 adds information on the work being done on dictionary RPMs, the availability of Darwin/X builds and details on release engineering requirements for the project. Desktop ApplicationsLinux browser wars (Canada Computes). This article on Canada Computes compares six web browsers for Linux. "It was a close call, but of the browsers tried, Galeon appears to be the best choice. Its not the fastest loading, it doesn't render pages quicker than the other browsers, nor does it look very nice. The fact is though, of the browsers tried, it offers what I feel is the best trade off between features and performance." KDE Edutainment Project Takes Off. The KDE Edutainment team officially launched the KDE Edutainment project today, noting the project already has several applications available for educational purposes including a form based exam tool and touch typing applications. gtkdial & gwvedit release. Modem configuration on Linux has always been a difficult proposition for the uninitiated. Part of the solution has been the evolution of wvdial, a system for setting up connections to multiple ISPs. A GTK based front end to this system, gtkdial, had a new release this week. Version 0.4.0 manages first time setup for users new to wvdial/gtkdial, and allows for secure and simple management of account data. Along with this application comes a new application - gwvedit - allows for direct editing of the wvdial configuration files. Rune For Linux Review (evil3D). Games site evil3D reviews the recently released Rune for Linux, from Loki. "I tried Mandrake 8.0, but the game wouldn't even load there. Someone later discovered a symlink issue that caused this, and proposed a fix for it in Loki's Fenris bug tracking system.. However, they still couldn't save games. Personally, I had to go all the way back to Mandrake 7.2 in order to get the game to run correctly. Not good. But like I said, only one other person reported as to be having the same problem." Sodipodi author interviewd. The author of Sodipodi, Lauris Kaplinski, was interviewed by Linux.com this week. "The good thing about using a published standard is that I do not have to spend time creating an imaging model. I just have to implement it. No extra headache keeping file format upwards/downwards compatible. Using SVG natively may give Sodipodi slight advantage in web development, as it will preserve 99.9% of hand-written structure." Sodipodi is a vector graphics project which is listed as part of the GNOME office suite. It offers a number of SVG based clipart files from the web site. And in other news...Interview: Trolltech's President Eirik Eng. KDE Dot News is carrying an interview of Trolltech's President, Eirik Eng which includes both business and technical Q&A. "We don't generate income from KDE directly, but KDE has certainly been instrumental in our success. Through KDE, many of our current customers learned about us. Many engineers hack on KDE in the evening, and then go into work in the morning and typically work as a developer. If they like Qt, they ask their boss if they can buy it." City of Largo uses Balsa as the e-mail program of choice. GNOME's Gnotices reports that the City of Largo, which reported its widescale use of Linux, is currently using the Balsa mail client. "I just looked, and there are about 50 people logged in right now and we are using about 200MB of memory for them. So in theory, we could run about 500 concurrently before it would swap. That is excellent." Section Editor: Michael J. Hammel |
September 27, 2001
| |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Development page. |
Development projectsNews and EditorialsA Potpourri of Web Projects This week, there were a number of interesting announcements for the web projects arena. Here is a summary of some of that recent work:
Audiompg321 0.2.0 released. A new version of mpg321, a free replacement for mpg123, has been announced. This release adds better compatibility with mpg123 flags, better Alsa and esd support, and bug fixes. (Thanks to Joe Drew) BrowsersMozilla license change. Mozilla has relicensed their project code to fall under the Netscape Public License (NPL), the GPL and the LGPL. "We are also repeating and reinforcing mozilla.org's policy that the NPL (either alone or in the form of an NPL-based dual or triple license) should not be used for new source files checked into the Mozilla source tree. Instead the new MPL/GPL/LGPL triple license described below should be used for all new files checked into the tree, unless you have specific instructions from mozilla.org to do otherwise." CryptographyHow to install GnuPG (LinuxWorld). Joe Barr tells us why encryption is necessary, how it works, and how we can use it as individuals. "Traditional cryptographic schemes use secret keys. This is called symmetric-key cryptography since both the encoding and decoding use the same key. One problem with secret-key cryptography is that everyone must have access to the same key. Not only are there logistical problems getting the secret key to all concerned, but there is always the chance that it will be compromised. A relatively new type of encryption, based on public keys, largely avoids those pitfalls." Embedded SystemsEmbedded Linux Newsletter for Sept. 20, 2001. LinuxDevices weekly summary of the embedded Linux market includes notes on the RTLinux vs FSF confrontation, the release of ColdFire as GPL, and Fujitsu's Linux-based humanoid robot. Device profile: FIC AquaPAD (LinuxDevices). The FIC AquaPAD is a handheld webpad that runs Midori Linux. LinuxDevices provides the details on this device. CNN is also carrying a short story on this device as well. FreeIO.org releases ColdFire uClinux SBC under GPL (LinuxDevices). LinuxDevices reports on the release under GPL of the design of the Toast ColdFire, a controller board with built in dual ethernet NICs. "The Toast board is the fifth design which FreeIO.org has released under GPL. Past designs have included programmable I/O boards for both PC and PC/104 bus interfaces. In each case the complete design files have been released, including all CAD files, programmable logic source files, manufacturing and programming files." Mail SoftwareTMDA 0.37 Spam Reduction System. Version 0.37 of the TMDA Spam Reduction System is available. TMDA is written in Python and works with the Qmail mail delivery system. This version improves the ability to pass mail from legitimate, but unknown senders. Printing SystemsLPRng 3.7.7 available. Version 3.7.7 of the LPRng print system has been released. This version fixes several bugs, and adds a new French translation. Web-site DevelopmentWriting Input Filters for Apache 2.0 (O'Reilly). Ryan Bloom discusses Apache Input Filters in an O'Reilly ONLamp article. Building Web Sites with Mason: Part I (Dr. Dobb's). Brent Michalski talks about installing Mason in part one of a series on Dr. Dobb's. "Mason is a tool for building web sites. There are hundreds of tool for building websites, but Mason is different. Mason gives you the full power of the Perl programming language without the bloat of unnecessary features." The latest ZopeNews. The latest ZopeNews includes discussions on exUserFolder, Graph Method 0.1.0, Latex Method 0.1.0, the MatLab DA and Method, ZBabel 2.0.0 beta 1, My Media Manager 0.9.2, and more. MiscellaneousGSView Beta 4.0.2 available. A new version of GSView Beta is available. GSView is a PostScript/PDF file viewer that is based on AFPL GhostScript, it is licensed under the Aladdin Free Public Licence. Version 4.0.2 features Greek and partial Dutch translations, bug fixes, and more. Section Editor: Forrest Cook |
September 27, 2001
|
|
|
Programming LanguagesCC/C++ developers: Fill your XML toolbox (IBM developerWorks). Rick Parrish informs us about XML tools for C and C++. "It seems as if everywhere you look there is some new XML-related tool being released in source code form written in Java. Despite Java's apparent dominance in the XML arena, many C/C++ programmers do XML development, and there are a large assortment of XML tools for the C and C++ programmer. We'll confront XML library issues like validation, schemas, and API models. Next, we'll look at a collection of generic XML tools like IDEs and schema designers. Finally, we'll conclude with a list and discussion of libraries either usable from or actually written in C and/or C++." CamlCaml Weekly News for September 19, 2001. The latest Caml Weekly News is out. Topics include the new OCamlODBC 2.5, configuring the O'Caml garbage collector, and updates to the Caml Hump, a collection of Caml projects. ErlangErlang Workshop Proceedings Online. The proceedings from the September 2, 2001 Erlang Workshop in Florence, Italy are now online. Eight different sets of notes are available covering many topics. More Erlang News. The Erlang Site also features a number of new articles on Erlang including writeups on STL, the Simple Template Language, a Unix domain socket driver, and more. HaskellThe (Interactive) Glasgow Haskell Compiler Version 5.02. A new major release of the Glasgow Haskell Compiler has been released. GHC 5.02 features new interactive capabilities, compatibility with the Revised Haskell 98 Language and Library Reports, and more. (Thanks to Jens Petersen). Perl1st CfP German Perl Workshop 4.0, 2002 (use Perl). A call for papers has been issued for the 4th German Perl Workshop to be held near Bonn in February 2002. How to interoperate between UTF-8, UTF-16, and UTF-32 (IBM developerWorks). Ken Lunde discusses conversions among character encodings on IBM's developerWorks. Example conversion algorithms are presented in Perl. Changing Hash Behaviour with tie (O'Reilly). Dave Cross looks at the uses of tied objects in an O'Reilly Perl.com article. "Tied objects are, in my opinion, an underused feature of Perl. The details (together with some very good examples) are in perltie and there are some extended examples in the ``Tied variables'' chapter of Programming Perl. Despite all of this great documentation, most people seem to believe that tieing is only used to tie a hash to a DBM file. The truth is that any type of Perl data structure can be tied to just about anything." Gartner: Java more than Perl?. A posting to use Perl suggests that both Gartner and Forrester cover Java far more than Perl. Does this mean Java is more important to business? PHPPHP Weekly News for September 20, 2001. The September 20, 2001 edition of the PHP Weekly News covers a new OpenSSL API, versioning and management of extensions, the Pcntl extension, more work on rand(), and other PHP developments. PHPReview 0.9.1 available. A new release of the PHPReview online reviewing system is available. The WHATSNEW file lists some security fixes, new support for InnoDB Support, and some page layout additions. PythonDr. Dobb's Python-URL!. This week's Python-URL! includes discussions on instance and class attributes, recursive generators, and bundled modules ala-Jars. What's So Special About Python 2.2? (Unix Review). Cameron Laird and Kathryn Soraiz take a look at Python 2.2 on Unix Review. "Part of what makes 2.2 excellent for newcomers is the enhancement of Python's longstanding strength as a "batteries included" language. When you install a Python distribution, you get not only the language in a narrow sense, but also a collection of libraries, utilities, and documentation that encompasses a large portion of working programmers' daily needs. Python seldom requires you to "go outside" its standard distribution to complete such common tasks as construction of a GUI, access of standard networking protocols, Unicode processing, or management of XML texts." Universal Serial Port Python library. Version 0.1 of the USPP library, the Universal Serial Port Python library has been announced. USPP allows Python to connect to serial ports using RS-232 mode and RS-485 is in the plans. Narval 1.1b1 announced. Version 1.1b1 of Narval has been released. "Narval is a framework (language + interpreter + GUI/IDE) dedicated to the setting up of intelligent personal assistants (IPAs)." This version drops support for Python 1.5.2 in lieu of Python 2.1, adds speed improvements, and a fully functional setup.py script. Pychecker 0.8.4 announced. A new version of Pychecker, the Python code checker, has been announced. This version finds even more bugs, and includes a couple of bug fixes. SmalltalkSeptember Squeak News. The September issue of Squeak news is out. This month features a focus on multimedia, a monthly digest of the Squeak mailing list, and more. Tcl/TkDr. Dobb's Tcl-URL!. The weekly Tcl-URL! is out. Topics include discussions on threads, compilers, extreme programming, server sockets and more. Section Editor: Forrest Cook |
Language Links Caml Caml Hump Tiny COBOL Erlang g95 Fortran Gnu Compiler Collection (GCC) Gnu Compiler for the Java Language (GCJ) Guile Haskell IBM Java Zone Jython Free the X3J Thirteen (Lisp) Use Perl O'Reilly's perl.com Dr. Dobbs' Perl PHP PHP Weekly Summary Daily Python-URL Python.org Python.faqts Python Eggs Ruby Ruby Garden MIT Scheme Schemers Squeak Smalltalk Why Smalltalk Tcl Developer Xchange Tcl-tk.net O'Reilly's XML.com Regular Expressions |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Linux in the news page. |
Linux in the newsRecommended ReadingPhil Zimmerman's response. The Washington Post has posted an article on how Phil Zimmerman, the man who brought the world PGP, was feeling after the attacks on the WTC. The article says that Zimmerman "has been overwhelmed with feelings of guilt" because of the possibility that PGP was used by the terrorists. Zimmerman, however, says this isn't quite right. "Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite." Copy-control Senator sleeps while fair-use rights burn (Register). The Register takes a look at the Security Systems Standards and Certification Act (SSSCA). "And yeah, what about Linux? How do you make the operating system, where every column inch of source code is available for inspection, SSSCA compliant? I think this may be a self-answering question: You can't - not unless some drastic changes to current licenses and code distribution are made. If there's a certain level of paranoia in Hollings' office regarding the SSSCA, perhaps it's understandable. From all perspectives, this is nothing more than a blatant attempt to offer a return on investment to campaign donors." Is Linux Going Mainstream? (Washington Technology). According to a Washington Technology article, Linux is moving beyond basic servic |