[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

Leading items and editorials


The changing perception of Linux. It has been interesting to watch, over the years, as the way Linux is seen outside the community has evolved. When LWN started publishing at the beginning of 1998, the few people who had actually heard of Linux dismissed it as a hobbyist's toy. Things are different now; it's worthwhile to look at just how different.

Those wondering if Linux is being taken seriously in the business world might well find their answer in the absurd vision of Sun CEO Scott McNealy in a penguin suit. A better example, however, may be found by looking at the treatment of IBM and its commitment to Linux. A year and a half ago, we could read things like this Gartner pronouncement:

But the Linux movement is fraught with potential hazards if companies such as IBM act too hastily. For example, the lack of standards, frequent releases, and variety of Linux distributions on Intel and various RISC implementations will increase the complexity of support. In addition, the earlier investment craze over Linux has died out, and most Linux-only companies are struggling financially.

Now fast-forward to a couple of weeks ago, and consider this interesting (but subscription-only) article in the Economist about Sam Palmisano taking the helm at IBM:

Mr. Palmisano was also involved with another of IBM's cunning strategic moves: its embrace of Linux, the free, open-source operating system that is maintained by a vast collective of programmers who collaborate online.

That which was once "fraught with potential hazards" is now seen as a "cunning strategic move." Linux is now seen, from far away, as a smart business strategy for a large, established technology company. The world has changed.

Something interesting has happened over the last six months or so. Many people clearly expected Linux to disappear with much of the dotcom economy; Microsoft explicitly compared Linux with dotcom business models. Many of the dotcoms are long gone at this point, and people are beginning to notice that Linux is not only still around, but it has gotten stronger. Linux (and free software in general) were never just another dotcom fad of the month. They not only have great value to offer; they are also well insulated from the fortunes of any particular company that chooses to work with them. Free software is now taken seriously, but we still have only begun to see where it will go.

Sun wakes up. Many in the Linux community have wondered when Sun would figure out that Linux isn't just going to go away. The company seems to be opening its eyes at last; here's Sun's press release on its new Linux strategy. Interestingly, this announcement happened the week after LinuxWorld.

The points in the announcement are vague and interesting. The first of those is that Sun "will ship a full implementation of the Linux operating system." That looks very much as if Sun is getting into the distribution business. We asked Sun's PR people what the company was up to, only to be told "we're not clarifying." We'll have to wait and see what really comes out.

A Sun distribution could be an interesting force in the market. Sun, of course, has recently lost a number of high-profile customers to Linux in a very public way. Perhaps the company feels that, if its customers are going to switch to Linux, maybe they will be inclined toward a distribution with the Sun brand. A path which makes it easy to stick with the same vendor and to integrate Linux and Solaris systems might help Sun retain a number of those customers.

It is a bit of a stretch to imagine Sun as a major Linux distributor, however. There are many established players in that market whose support of the system seems rather more wholehearted than Sun's.

Next, Sun will be expanding the Cobalt line of Linux appliances, and adding a set of "low-end general purpose Linux/x86-based systems." In other words, Sun is getting into the cheap, commodity Linux systems business that has proved so difficult for a number of other vendors. The Sun name should help, but it still is a hard business to be in. If Sun envisions extending its Linux support to its higher-end SPARC systems, however, it might get somewhere.

Finally, there is a vague promise to offer "key components" of Solaris to the Linux community. Once again, the company refused to tell us just what those components might be, or what sort of licensing would be used.

So we will have to wait and see what Sun really has in mind - it's mostly words at the moment, and vague words at that. Sun played a large part in the commercialization of Unix, and it may yet have a large role to play in the Linux world as well. It will be interesting to see how it plays out.

Dave Whitinger joins LWN.net. We are pleased to announce that Dave Whitinger, co-founder of Linux Today, has agreed to join the LWN staff. His official title is "Director of Business Development," but he will be handling a variety of tasks from arranging partnerships to posting content on the site. Dave brings a wide variety of talents and a lot of ideas to LWN.net; expect to see a great many improvements as he makes his presence felt.

Inside this LWN.net weekly edition:

  • Security: Multiple security problems with SNMP
  • Kernel: Preemptible kernel patch merged; ALSA to be merged; How synchronous should sync() be?
  • Distributions: Sun Linux?; The return of Halloween & DragonLinux.
  • Development: The jack Audio Connection Kit, Standalone ZODB 1.0, Aide 0.8, GNU FDL 1.2 draft, GNOME 1.4.1rc1, GSview 4.2, new Gimps, Gnopher 0.2.
  • Commerce: HP Issues Statement on Compaq Merger; E*TRADE Migrates to Linux; IBM launches low-end eServer.
  • Letters: Counting security updates; system auditing.
...plus the usual array of reports, updates, and announcements.

February 14, 2002

   


Security


News and Editorials

Multiple security problems with SNMP. Here's a CERT advisory warning of many problems with Simple Network Management Protocol (SNMP) implementations. To summarize, SNMP implementations are full of nasty bugs. If you are running SNMP on your Linux systems, you should apply the available vendor updates (we've seen them, so far, from Red Hat and Yellow Dog Linux). It is important to be aware of other devices on your network that may be running SNMP, however: routers, printers, etc. Some of those could be hard to update; disabling SNMP wherever possible would be a good idea.

The SNMP vulnerabilities were discovered by the Oulu University Secure Programming Group (OUSPG) of Oulu University, Finland. This is the same group which uncovered a wide variety of vulnerabilities across several LDAP products last year.

OUSPG developed and applied the PROTOS Test-Suite: c06-snmpv1 as a primary investigation tool. The test-suite's purpose is to "evaluate implementation level security and robustness of ... SNMP implementations." The test-suite is licensed under version 2 of the GNU GPL, and OUSPG encourages its widespread use for the evaluation and development of SNMPv1 products.

Simple Network Management Protocol (SNMP) is routinely used in installations all over the Earth for monitoring and controlling systems that include printers, routers, ATM switches, servers of all kinds and workstations. Designed in the late 80's and widely deployed in the 90's, SNMP is the most popular protocol in use to manage networked devices. It has been so successful that finding a practical alternative for a network of even moderate complexity, that can quickly and easily be put into service, is unlikely.

CERT has received reports of SNMP port scanning and, as yet unverified, reports of exploitation of these vulnerabilities. If you are responsible for a network which uses SNMP for monitoring and control, you are strongly encouraged to read the CERT advisory.

Security Reports

Debian security update to CUPS. The Debian project has released a security update to the CUPS printing system fixing a buffer overflow vulnerability in that package.

Debian security update to faq-o-matic. The Debian Project has issued what appears to be the first update from a Linux distributor for the cross-site scripting vulnerability in faqomatic. (First LWN report: February 7th).

Debian update to wmtv. Debian has released new packages that fix a symlink vulnerability in wmtv.

Autoresponder vulnerable to spammers. Autoresponder is a script for answering mail. Put it in your .forward or .qmail file, and it will reply to all incoming messages with a specified response. On Friday, 11 January 2002, someone reported on Bugtraq that the autoresponder package "...could be tricked by spammers to send unsolicited mail to victim's address if option reply with copy of original message attached to response is enabled in autoresponder's configuration." The problem is fixed in version 1.15.0, and later, available from the MeepZor Free Software page.

GNU Ada compiler (GNAT) advisory. CERT has issued this advisory for handling of temporary files in an unsafe manner by the GNU Ada compiler. All POSIX multi-user systems running GNAT-compiled binaries which use Ada language facilities for creating temporary files are affected. GNAT versions known to have this defect are 3.12p, 3.13p and 3.14p. The advisory also notes that "the unreleased version of GNAT from the GCC CVS fixes this security defect on GNU/Linux, but introduces another one. Its use is strongly discouraged until this problem has been addressed."

Updates

Heap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).


Buffer overflow in groff. The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.


Flaw in OpenLDAP. OpenLDAP versions 2.0.0 through 2.0.19 do not properly check permissions when using access control lists and a user tries to remove an attribute from an object in the directory by replacing its values with an empty list. Schema checking is still enforced, so a user can only remove attributes that the schema does not require the object to possess. Please note that in 2.0 versions prior to 2.0.8, this flaw is not restricted to authenticated users (i.e., anonymous users can abuse the flaw as well).


Remotely exploitable security problem in mutt. Most of the major distributions have provided updates for this buffer overflow vulnerability which was fixed in mutt versions 1.2.5.1 and 1.3.25.

This is a remotely exploitable hole; applying the update is a very good idea. It was first mentioned in the January 3rd LWN security page.

A remotely exploitable hole in rsync. A vulnerability has been found in the rsync server: it seems that the server did not pay enough attention to the sign of numbers it reads from the client connection. This oversight allows an attacker to write bytes containing zero almost anywhere in the stack, with results similar to those caused by buffer overflows. Sites running rsync in its daemon mode are thus vulnerable to remote root compromises. Versions of rsync prior to 2.5.2 are vulnerable. (First LWN report: January 31st).
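
The class of bug described in the rsync item, as an added illustration (this is not rsync's code and not part of the original LWN text): a signed length read from the wire passes an upper-bound-only check when it is negative, so the terminating zero lands outside the buffer. The buffer sizes, the simulated frame and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* size of the buffer the length is meant to index */
#define BUF_OFF   32   /* where that buffer sits in the simulated frame   */
#define FRAME_LEN 64   /* simulated stack frame with neighbouring data    */

#define REJECTED      (-1)  /* length check refused the value             */
#define OUTSIDE_FRAME (-2)  /* would land outside the simulated frame     */

/* Decode a 32-bit little-endian two's-complement integer from the wire. */
static int32_t read_int32_le(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    if (u & 0x80000000u)
        return -(int32_t)(~u) - 1;   /* portable conversion of negatives */
    return (int32_t)u;
}

/* Flawed check: only the upper bound is tested, so negatives pass. */
static int weak_len_ok(int32_t len)
{
    return len < BUF_LEN;
}

/* Corrected check: the value must be a valid index into the buffer. */
static int strict_len_ok(int32_t len)
{
    return len >= 0 && len < BUF_LEN;
}

/*
 * Simulate `buf[len] = 0` where buf starts at frame + BUF_OFF.
 * Returns the frame index that was zeroed, REJECTED if len_ok refused
 * the value, or OUTSIDE_FRAME if the write would leave the simulation
 * (that last guard exists only to keep this demo memory-safe).
 */
static int terminate_at(unsigned char frame[FRAME_LEN], int32_t len,
                        int (*len_ok)(int32_t))
{
    long idx;

    if (!len_ok(len))
        return REJECTED;
    idx = (long)BUF_OFF + len;
    if (idx < 0 || idx >= FRAME_LEN)
        return OUTSIDE_FRAME;
    frame[idx] = 0;
    return (int)idx;
}

/* Does a frame index fall inside the intended buffer? */
static int index_inside_buffer(int idx)
{
    return idx >= BUF_OFF && idx < BUF_OFF + BUF_LEN;
}

int main(void)
{
    /* Constructed sample: the four wire bytes encode -8. */
    const unsigned char wire[4] = { 0xF8, 0xFF, 0xFF, 0xFF };
    unsigned char frame[FRAME_LEN];
    int32_t len = read_int32_le(wire);
    int idx;

    memset(frame, 0xAA, sizeof frame);
    idx = terminate_at(frame, len, weak_len_ok);
    printf("len=%d weak check: zero written at frame[%d], inside buffer: %s\n",
           (int)len, idx, index_inside_buffer(idx) ? "yes" : "no");

    memset(frame, 0xAA, sizeof frame);
    idx = terminate_at(frame, len, strict_len_ok);
    printf("len=%d strict check: %s\n", (int)len,
           idx == REJECTED ? "rejected" : "accepted");
    return 0;
}
```

Reading the value into an unsigned type, or checking both bounds before any use as an index, closes the gap the weak check leaves.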


Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.


Resources

Deanonymizing Users of the SafeWeb Anonymizing Service. Although Deanonymizing Users of the SafeWeb Anonymizing Service (PDF Format) isn't about open source software, it is worth a read if you are concerned with how "fundamentally incompatible requirements" can jeopardize security. Written by researchers from Boston University and the Workplace Surveillance Project Privacy Foundation, it describes how "fundamentally incompatible requirements were realized in SafeWeb's architecture, resulting in spectacular failure modes under simple JavaScript attacks."

Events

Upcoming Security Events.
Date | Event | Location
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor) | Baltimore, Maryland, USA
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA
April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel) | San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney



Kernel development


The current development kernel release is 2.5.4, which was released on February 11. The biggest news, of course, is the inclusion of the preemptible kernel patch. This release also has the delightful feature that it fails to compile for many users. There have been no 2.5.5 prepatches as of this writing.

Update: 2.5.5-pre1 was released just as this page was going to "press." It includes the ALSA sound system (see below), the new input driver scheme, the X86-64 merge, and a bunch of other stuff.

Dave Jones's latest prepatch is 2.5.4-dj1, which adds a number of fixes to the 2.5.4 release. This one should compile for most people.

Guillaume Boissiere's 2.5 status summary has been updated for 2.5.4.

The current stable kernel release is still 2.4.17. The first 2.4.18 release candidate was released on February 13; if all goes well it will become the next stable release.

Alan Cox's latest is 2.4.18-pre9-ac3; it adds the latest reverse mapping virtual memory patch, an updated DRM implementation, and a number of fixes.

Those who prefer a development-oriented 2.4 kernel can see 2.4.18-pre8-mjc from Michael Cohen. It adds the reverse mapping VM, the preemptible kernel patch, the new 2.5 scheduler, User-mode Linux, and many other things.

The preemptible kernel patch was merged into 2.5.4-pre6, thus ending, by fiat, a long debate on whether it was a good idea or not. This patch was discussed in detail almost a year ago on this page; it has evolved since then, but the basic idea remains the same.

There is still some nervousness about this patch. Anything that changes one of the basic assumptions of the kernel programming environment (that kernel code runs to completion unless it explicitly yields the processor) does need to be looked at carefully. The fact that kernel code will not be preempted when it holds a spinlock reduces the problem to something similar to the SMP situation - but not quite.

In particular, there is an increasing amount of processor-specific data used by the kernel. Limiting access to a specific data structure to a single processor brings some significant performance benefits - that data stays in a single processor's cache. It was also possible, until now, to work with single-processor data without locking; since no other processor will try to access that data, there is no need to lock the other processors out. If kernel code is preemptible, however, processor-specific data is no longer safe; other measures must be taken.

The preemptible kernel patch has been well tested over the better part of a year, and the obvious glitches have been worked out. Even so, chances are that a surprise or two remain - though there have been few complaints so far. Preemption makes the kernel more responsive, and is worth having. But it is a good patch to have integrated early in the 2.5 cycle.

Here comes ALSA. Jaroslav Kysela announced the availability of an Advanced Linux Sound Architecture patch for the 2.5.4 kernel. The announcement showed a certain degree of frustration - apparently Linus had not been answering mail from the ALSA maintainers, and they were not sure what the situation was.

Things have since settled out. Here's the word from Linus:

My main reason for being silent on it has been that I've been doing other things. I'll be merging ALSA in the not too distant future, but it's not been a high priority for me like some of the other stuff I have spent my time on..

And that, of course, is what happened; ALSA is in the first 2.5.5 prepatch.

ALSA will not immediately amaze Linux users with lots of new capabilities. For the most part, the only thing people should notice in the short term is that sound on their systems works as always. What ALSA brings is a new and more coherent design, a nice kernel API (which is normally hidden behind the well-defined library API), support for professional hardware, and better MIDI sequencing and routing support. A thorough emulation layer ensures that old OSS sound applications will work as always, but quite a few applications also support the ALSA native API.

In the longer term, the combination of ALSA and the low-latency work should help ensure that Linux is capable of handling the most demanding audio tasks.

How synchronous should sync be? Andrew Morton has posted a patch fixing a perceived problem with the sync() system call: as long as processes keep generating data, sync() will keep flushing it to disk. The result is that a sync command can take a long time to execute - as in several minutes. Andrew's patch changes sync() to just ensure that all data to be written when the call is made gets out - buffers generated thereafter may not be written immediately.

This patch, of course, changes a fundamental assumption made by many who use sync - that, upon completion, all data has been written to disk. In fact, according to the Single Unix Standard, this behavior is permissible: "The writing, although scheduled, is not necessarily complete upon return from sync()." It is, regardless, not the behavior that many expect.

There's no real consensus on what the proper behavior is. Unless Linus takes the patch, the current sync behavior will remain.

Other patches and updates released this week include:

Core kernel code:

  • Christoph Hellwig has posted a new version of his kthread interface, which attempts to rationalize the creation and management of kernel threads.

  • Here's the latest version of Rusty Russell's patch implementing easy per-CPU data areas.

  • Rik van Riel has released version 12e of his reverse-mapping virtual memory patch.

  • The 2.5.4 Linux security module patch is available.

Development tools:

  • Version 20020207 of the Linux Test Project test suite has been released.

  • A new version of the patch enabling the gcov test coverage tool to be used with the kernel has been posted by Hubertus Franke.

Device drivers:

  • A new driverfs for USB patch has been posted by Greg Kroah-Hartman. "It differs from my previous patches, in that this one works well."

  • Jens Axboe has posted a patch implementing queue barriers in the block I/O layer. Barriers allow higher level code (such as a journaling filesystem) to require that all data queued before the barrier is written to disk before any data after the barrier. A 2.4 version of this patch was posted by Chris Mason.

Filesystems:

  • The University of Michigan has announced the first release of its NFSv4 implementation. This patch still has some rough edges, and only works with the 2.4.4 kernel (yes, 2.4.4 - a 2.5 port is in the works).

  • Andrew Morton has posted a patch implementing the "dirsync" option on the ext2 and ext3 filesystems.

  • Neil Brown has posted his linux.conf.au paper on the future of authentication in the kernel NFS daemon.

Kernel building:

  • Anuradha Ratnaweera has announced the release of kernelconf 0.1.3. See this followup note if you would like to know where to actually get the code.

Section Editor: Jonathan Corbet



Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Sun Linux?. A recent announcement from Sun Microsystems said, in part, "... Sun announced it will ship a full implementation of the Linux operating system." Is this a hint that Sun Linux will be released, along with the next generation of Sun Cobalt appliances? Little actual information is available at this time, so all we have is wild speculation.

Of course this announcement could mean that Sun will encourage the major distribution vendors to release versions tailored to Sun hardware, just as IBM has done. There are many versions of Linux to choose from, including several good Sparc ports.

We will go out on a limb and predict that Sun Linux (or SolLinux) will be a unique distribution, with versions supporting the spectrum of Sun and Sun Cobalt hardware. It will favor a GNOME desktop, of course. It will be able to run Solaris applications.

The return of Halloween & DragonLinux. Two more "lost" distributions have been found by alert LWN readers. These two distributions are now back in the LWN List bringing the total number of "active" distributions to 228.

DragonLinux was found for us by Hans Lunsing, and has returned to our list under DOS/Windows install.

Halloween Linux was found for us by Kay Marquardt. Halloween is a German localized version of Red Hat, so it's been added to the Country Specific category.

New Distributions

GenDist. GENDIST (the Linux Distribution Generator) allows you to create your own special mini-distribution. It creates a makefile-based build system for your distribution, and helps you to automate the following three tasks: maintaining your root filesystem, maintaining your "CD filesystem" (in case you create a bootable CD), and packaging everything on media. GENDIST 0.9.4 (Stable) was released February 10, 2002.

Securepoint Firewall & VPN Server. The Securepoint Firewall & VPN server is a high end firewall and VPN solution for protecting your Internet gateway. Securepoint can also be used with existing firewalls and to protect interconnected locations or divisions and lets you create and manage VPN tunnels.

Distribution News

Debian News. The Debian Weekly News for February 6 is out, with coverage of one more Debian 2.2 release, handling donations, getting fixes into testing, Debian Jr., and more.

Join the Woody Bug-Squashing Party, on the third weekend of February: Friday 15th to Sunday 17th.

Mandrake Linux News. Here's the Mandrake Linux Community Newsletter for February 6, 2002. This issue covers 8.2 Beta Articles at MandrakeForum; New Support Plans for IA64; Report from N.Y. LinuxWorld Expo; and much more.

A second ML 8.2 beta is available now. This MandrakeForum article has information about what needs testing and how to report problems.

MandrakeSoft has also announced the availability of a new support offering for IA-64.

MontaVista to Enhance Embedded Linux for Intel's Next-Generation Wireless Platform. MontaVista Software announced that MontaVista Linux 2.1 (formerly Hard Hat Linux), will support the new Intel(R) PXA 210 and Intel(R) PXA250 Applications Processors.

Red Hat. Red Hat has updated printing packages available to fix minor bugs.

Slackware. A bug was fixed in installpkg which caused it to not actually install packages if the -menu option was used. Pkgtool works again. See the changelog for more information.

Trustix Secure Linux. Trustix has issued several bug fix advisories for TSL 1.5. Package cleanup occurred in LPRng, vixie-cron, and rp-pppoe. There were also minor bugfixes in ncurses and initscripts.

Minor Distribution updates

ClumpOS. ClumpOS has released R5.0 on February 12, 2002. This version contains major feature enhancements including a kernel update to Linux 2.4.17 and MOSIX 1.5.7 for 2.4.17.

Familiar Linux Distribution. The Familiar Project has released v0.5.1. Situation dependent bootstraps are now provided in this release, dependencies were fixed in various packages, bootloader splash screen and buttons are supported on H3100, H3600, H3700, and H3800, and the included kernel was updated to 2.4.16-rmk1.

LinuxFromScratch. LinuxFromScratch has released development version 3.2-rc1.

Mindi-Linux. Mindi Linux released v0.58 on February 11, 2002. This is a minor bugfix release.

Rock Linux 1.5.13. A new version of Rock Linux is planned for release at the upcoming FOSDEM conference. Rock Linux guru Stefan Koerner will be present at FOSDEM.

Distribution Reviews

BSD operating systems: Perspective (ZDNet). This ZDNet article looks at the flavors of BSD operating systems. "BSD implementations have retained commonality but also diverged into over 100 different distributions, four of which are prominent."

Section Editor: Rebecca Sobol



Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


Development projects


News and Editorials

The Jack Audio Connection Kit

The jack project aims to provide a low-latency audio server for connecting multiple audio applications together under Linux.

According to the Jack FAQ, Jack used to be called LAAGA, which stands for Linux Audio Application Glue API. The LAAGA concept was defined on the linux-audio-dev mailing list.

A LAAGA is supposed to solve the following problem: "Let's say you are using a multi-track recorder/mixer. It's working nicely on your Linux box. You can record and mix without problems. But now you've found a couple of interesting new apps, let's say a software synth and a virtual drum machine. They seem to work great, so why not use them in your recordings? But how to connect them to the multi-track recorder?" Jack was designed to perform that function.

The jack documentation is still in an early state of development. The project is seeking volunteers to help fill that out.

A number of audio applications already work with jack. Among them are the audio player AlsaPlayer, the audio processor ecasound, and the multi-track recorder Ardour. More applications are under development.

Developers should check out the jack API to get an idea of how it all goes together.

Update: we've received a note from the Jack developers that clarifies some inaccuracies that were originally in this article. We regret the errors.

CORBA

Help with Designing or Debugging CORBA Applications (Linux Journal). Linux Journal is running an article by Frank Singleton on CORBA application design and debugging. "This article explores how I have added some useful extensions to an open-source protocol analyzer in order to allow the extraction of OMG IDL (interface definition language) defined data types from TCP/IP traffic (using GIOP/IIOP). I also discuss the development and use of a helpful tool (idl2eth) that can take your own OMG IDL file(s) and generate protocol analyzer plugins, and lead you through the steps of creating your own plugin for the CORBA project you are working on."

Databases

Standalone ZODB 1.0 released. The 1.0 release of the stand-alone Zope Object Database has been announced. The ZODB part of Zope is interesting in its own right, and it has many applications that have nothing to do with web serving; it's worth a look for Python programmers building complex and/or distributed applications.

New SAP DB Documentation. New online documentation is available for the SAP DB database.

Electronics

New stuff on the gEDA site. The gEDA site features new versions of Icarus Verilog, Gerber Viewer, and gEDA/gaf, a collection of tools which includes gschem, libgeda, gnetlist, gsymcheck, and associated utilities.

Embedded Systems

Embedded Linux Newsletter for February 7, 2002. The February 7, 2002 edition of the LinuxDevices Embedded Linux Newsletter is out with the latest embedded Linux news. This week features lots of new stuff from the LinuxWorld conference.

Embedded Development with Qt/Embedded (Dr. Dobb's). Dr. Dobb's Journal features an article on writing Qt applications for embedded Linux systems. "When developing software for handheld computers such as the iPAQ, Palm, and Visor, you often face challenges that are at odds with each other. On one hand, users expect applications with resource-hungry GUIs that can be manipulated via stylus, virtual keyboard, and the like. On the other hand, you must contend with the space and processing constraints that are normal in the embedded world. In part due to issues such as these, Linux is increasingly becoming the preferred platform for embedded devices such as handheld computers."

Mail Software

rbl-milter 0.1 released. The first release of rbl-milter, a spam filter that works with sendmail, has been released. Rbl-milter has been released with the GPL license.

Network Management

Aide 0.8 released. Version 0.8 of Aide, the Advanced Intrusion Detection Environment, has been announced. This release adds cleaner reports, syslog reporting, dead symlink warnings, bug fixes, and more.

Peer to Peer

Distributed Systems Topologies: Part 2 (O'Reilly). Nelson Minar covers Distributed Systems Topologies in the second part of a series on O'Reilly. "In this second part, I describe seven characteristics of distributed systems that are commonly used when talking about system design and then analyze each characteristic for each of the topologies." If you want to start from the beginning, Part 1 of the series is here.

Printing Software

LPRng 3.8.6 released. Version 3.8.6 of the LPRng print spooler has been released. The CHANGES include a number of bug fixes and documentation updates.

Web-site Development

The latest Zope Members News. This week's entries on the Zope Members News include new releases of NuxWidgets, ZCoMIX, Emil, ManageInZODB, and more.

Python Conference, Day One (ZopeZen). Zopista writes about Zope at the Python conference. "The conference kicked off with a talk from Andrew Koenig. Andrew has been programming for 5 years more than I have been alive and talked about languages he has used prior to Python."

Documentation

GNU FDL 1.2 draft available. A draft of version 1.2 of the GNU Free Documentation License (FDL) has been announced.

LDP Weekly News for February 5, 2002. The February 5, 2002 LDP Weekly News is out. News includes the release of documentation in the Plucker format for viewing on PDA devices. New documents include "How to Develop Accessible Linux Applications", and the "Linux Crash HOWTO".


February 14, 2002



   

 

Desktop Development


Audio Applications

AlsaPlayer 0.99.53 released. A new version of the AlsaPlayer audio utility has been released. The project ChangeLog file lists improved support for Jack (see above), and some bug fixes.

Web Browsers

BugDays Are Back! (MozillaZine). Join the Mozilla developers for another BugDays event on February 14 and 15, 2002. "Join us this Thursday and Friday as we work to clean up the bug database, weeding out duplicate reports, confirming or resolving bugs, and adding comments and testcases to assist developers working on difficult issues. We're getting very close to Mozilla 1.0."

Desktop Environments

KDE Core Services: Trouble In Paradise. The KDE site has been having a few problems lately. As a result, the KDE 3.0 beta has been delayed.

First GNOME 1.4.1 release candidate. The first release candidate for GNOME 1.4.1 has been announced. A great many fixes and improvements have been worked into this release.

Graphics

GSview 4.2 Released. Ghostgum Software Pty Ltd has released version 4.2 of the GSview PostScript previewer. "This release works with the new Ghostscript 7.04 security updates. It includes a Swedish translation and a number of bug fixes." GSview has been released under the Aladdin Free Public License.

Gimp 1.2.3 and 1.3.3 released. Stable version 1.2.3 of the Gimp is available here. This version features a number of bug fixes.

Development version 1.3.3 of the Gimp is available here. "This release is targetted for developers and curious users. Don't use it for your daily work."

Interoperability

Wine contemplating a license switch to LGPL. The leaders of the Wine project have announced a plan to change the Wine license to the LGPL. "However, with some recent events I cannot disclose, it is clear to me that the opportunity for Wine to be used in a proprietary product is too tempting and has caused some harm to the Wine project. Based on experience, I feel strongly that the potential for harm is great enough that CodeWeavers needs to take two actions. First, we would like to release all new code we develop under an LGPL style license. Second, I would like to open another call for a license change and thereby strongly add my voice to Alexandre's." (Thanks to Dan Kegel.)

Wine Weekly News. The latest Wine Weekly News covers Wine 20020122, LindowsOS and Wine, a new SDL driver, Wine version numbers, and more.

Office Applications

Gorilla Released. Gorilla, a vector-icon based theme for Nautilus, has been released. Gorilla is also discussed on the Gnotices site.

Pan 0.11.2 released (Gnotices). Version 0.11.2 of the Pan news reader has been released. This version features bug fixes, performance improvements, and user interface tweaks.

Miscellaneous

Gnopher 0.2 released (Gnotices). Version 0.2 of Gnopher, the GNOME Gopher client, has been released. Gnopher claims to be the "first fully themeable Gopher client ever." See the Release Notes for all of the details.

 
   

 

Programming Languages


C

GCC now runs on the SuperH SH5. Support for the SuperH SH5 64-bit RISC microprocessor has been added to GCC, the GNU Compiler Collection.

Caml

Caml Weekly News for February 12, 2002. The February 12, 2002 edition of the Caml Weekly News is out. Topics include a new OCAML beginner's list and OCamldoc 3.04 +1.

Java

DML Statements (O'Reilly). Jason Price writes about the SQL Data Manipulation Language (DML) on O'Reilly's OnJava site. "DML statements may be used to retrieve and modify the contents of database tables. In this article, you will also learn how to process database null values and handle database exceptions."

Ease your multithreaded application programming (IBM developerWorks). Joseph Hartal and Ze'ev Bubis discuss the Consumer class on IBM's developerWorks. "Multithreaded applications often make use of the producer-consumer programming scenario, wherein repetitive jobs are created by a producer thread, passed to a job queue, and processed by a consumer thread. While this programming method is very useful, it often results in duplicate code, which can be a real problem to debug and maintain."

Lisp

Two Lisp Books Available Online. Two Lisp books are now available online: On Lisp by Paul Graham, and The Common Lisp Cookbook, a collaborative work that aims to be the Lisp equivalent of the Perl Cookbook.

CL-PDF 0.41 released. CL-PDF 0.41, a Common Lisp library for generating Adobe Acrobat documents, has been released. This version adds support for internal PDF data compression as well as new drawing primitives. The software is available here. CL-PDF is released with a FreeBSD style license.

Perl

An SVG Histogram (O'Reilly). J. David Eisenberg writes about using Perl and scalable vector graphics (SVG). "In this article, we'll generate a graphic from existing data. Specifically, we'll write a Perl program that draws a graph of the distribution of file sizes in a directory and its subdirectories."

Optimizing Your Perl (O'Reilly). Robert Spier offers some tips on Perl code optimization. "Is your Perl program taking too long to run? This might be because you've chosen a data structure or algorithm that takes a long time to run. By rethinking how you've implemented a function, you might be able to realize huge gains in speed."

This Fortnight on Perl 6 (O'Reilly). The latest Perl 6 Porters covers a Parrot problem, Unicode strings, the Regex Engine, Perl 6 On Mono, and more.

PHP

PHP Weekly Summary for February 10, 2002. The latest PHP Weekly Summary looks at a bug involving negative indices, talk of the addition of case sensitivity to PHP, manual translations, a new build system, and more.

Python

Dr. Dobb's Python-URL!. The February 11, 2001 edition of the Dr. Dobb's Python-URL! is out with all of the latest Python news.

The IPC10 Python Gathering (O'Reilly). Mark Lutz writes about the IPC10 Python Gathering. "First, and foremost to me, there is a tangible 'back to work' mindset in the Python world at large. People are busy having fun with Python again, whether they are getting paid for it or not. Really, there never was much of a pause. Most of what happens in Python has always been a labor of love, and so Python is by and large immune to Wall Street shenanigans."

The Daily Python-URL. This week's entries on The Daily Python-URL look at a Python based art project, the Python Routing Toolkit, the pyirclib IRC library for Python, the Frowns chemoinformatics system, coverage of the Python conference, and more.

Ruby

This week on the Ruby Garden. This week's Ruby Garden features articles on Advanced Programming Language Design, the Coerce-ability of bitwise operators, Obfuscated Ruby, the Radical 0.4 web framework, and more.

The Ruby Weekly News. The Ruby Weekly News for February 11, 2002 features software for generating libraries from XML schemas, an expert system shell with a TK front end, a Ruby task distribution system, OpenSSL for Ruby, and more.

Tcl/Tk

Dr. Dobb's Tcl-URL!. This week's Dr. Dobb's Tcl-URL! has been published. Check it out for all of the TCL news.

XML

Embed binary data in XML documents three ways (IBM developerWorks). Gowri Shankar writes about embedding binary data in XML. "Originally, HTML was supposed to handle only text, but today it is commonly used to refer and mark up non-text data as well. So it is quite natural that XML followed suit. Because XML does not follow a specified syntax (as HTML does) and is more extensible than HTML, people use it in any way they wish to mark up all types of data."

Second Generation Web Services (O'Reilly). Paul Prescod discusses the evolution of Web Services. "In fact, I believe that second generation web services will actually build much more heavily on the architecture that made the Web work, using the holy trinity: standardized formats (XML vocabularies), a standardized application protocol, and a single URI namespace."

Section Editor: Forrest Cook

 

See also: last week's Commerce page.

Linux and Business


HP Issues Statement on Compaq Merger. HP has issued a statement that discusses some internal issues as well as the company's business plans. "Mr. Hewlett does not understand the linkages between our businesses and the importance of profitability, growth and market leadership in our industry. For example, among his latest assertions is the suggestion that we exit the PC business and shut down PC manufacturing plants. The fact is we have already outsourced our PC manufacturing. This suggestion underscores the absence of a real plan and illustrates his disregard for the strategic, financial and human consequences of such a decision."

HP's plans for Linux are also outlined: "While HP is today a leader in UNIX servers, a market growing at 5-7 percent a year, the new HP also will be No. 1 in Windows servers, a market growing at more than 20 percent, and No. 1 in Linux servers, a market growing at more than 30 percent. Customers want freedom of choice and demand all three operating systems for price performance, flexibility and reduced time to market."

Danese Cooper replaces Chip Salzenberg on OSI board. We got a note from Russ Nelson stating that Chip Salzenberg has resigned from the Open Source Initiative board to pursue other interests. In his place will be Danese Cooper of Sun Microsystems.

E*TRADE Migrates to Linux. According to this press release, E*TRADE is taking advantage of the cost and reliability benefits of open-source software. "By using open, standards-based architectures, E*TRADE continues its strategy of maintaining technology cost-efficiencies while providing a superior service experience for its customer households."

IBM launches low-end eServer. IBM has announced its new eServer product, which is very directly aimed at Sun's low-end servers. Among other things, IBM claims that the eServer uses half the electricity of Sun's offerings. It runs Linux, of course.

Linux NetworX Unveils ClusterWorX Lite and Releases ClusterWorX 2.1. Linux NetworX announced the unveiling of ClusterWorX Lite, an entry-level version of its cluster management software with limited functionality, designed for cluster systems with 16 nodes or less. ClusterWorX 2.1, the latest version of the company's cluster management software, is also being released with enhanced features.

Linux Stock Index for February 08 to February 13, 2002.

LSI at closing on February 08, 2002 ... 28.87
LSI at closing on February 13, 2002 ... 28.96

The high for the week was 28.97
The low for the week was 28.64


Section Editor: Rebecca Sobol.



See also: last week's Linux in the news page.

Linux in the news


Recommended Reading

Why This Link Patent Case Is Weak (Wired). Wired reports on the BT hyperlink patent suit. "'If BT won the right to collect fees-per-click you'd have a ton of seriously pissed-off programmers, with all the financial resources of every big business in the U.S. who has anything to do with the Internet behind them, working on coming up with a new protocol,' open-source developer Mike Markan said. 'Believe me, there is no way BT is going to get anything more tangible (than) a whole lot of ill will from Internet users.'"

Mom Moves to Linux (Open For Business). An Open For Business author describes the process of getting his mother running on SuSE Linux. "She hasn't had to reboot the machine since the day she installed it."

Torvalds looks into Linux bottleneck (News.com). News.com looks at bottlenecks in the process of producing the Linux kernel. "Two weeks ago, addressing the perceived delays in dealing with tweaks to the OS, one programmer proposed that Torvalds anoint a "patch penguin"--a person responsible for applying the oodles of patches and updates to the software." (Thanks to Peter Link)

Risky Business (SF Gate). Should you ever wonder why a business might want to run free software, look no further than this SF Gate article on the Business Software Alliance. "If the company refuses to settle or if the BSA feels the company is criminally negligent and deliberately ripping off software, the organization may decide to get a little nastier and organize a raid: The BSA makes its case in front of a federal court in the company's district and applies for a court order. If the order is granted, the BSA can legally storm the company's offices, accompanied by U.S. marshals, to search for unregistered software."

Lessig to set up digital rights group (ZDNet). The Copyright Commons project draws on the experience of open-source software programming to create new digital licenses that will cut out painful legal wrangling and rights disputes. "Stanford law professor Lawrence Lessig, one of the most articulate critics in today's online copyright battles, is kicking off a project he hopes can serve as neutral ground in the digital rights debates."

Stallman issues Porto Alegre clarification (Register). The Register reports on comments allegedly made by Richard Stallman concerning .NET/GNOME. "Richard Stallman has written to us about comments made on the .NET/GNOME controversy, reported by Brazilian tech site HotBits and cited here thanks to a translation provided to us by HotBits, Stallman asks de Icaza to explain himself to the community."

Advocating Open Source the 'good old boy' way (NewsForge). NewsForge looks at the Open Source Software Institute. "Go ahead and say this all sounds cynical. It is. This is the way government works in the real world. When it comes to allocating funds, 200 studies showing how Linux scales better than Windows don't make as much of a political splash as the promise of an Open Source research center in a powerful senator's state or a powerful congressman's district that'll bring in 50 high-paying, permanent jobs and 1,000 or 2,000 expense-account visitors every year."

Run Streaming (Linux Journal). Radio broadcasts over the Internet are becoming increasingly common. Linux Journal examines how open source technologies could take over this growing field. "But somebody inside the company recently told me the Force is stronger there than one might think. He writes, "we could have had a really good Linux player years ago. We had an absolutely brilliant developer working on it, but he quit after exceeding his pain threshold. Those of us who work here have players that work better than anything we have released. This place has Linux at its core despite having a WinTel face." He also says there are signs internally that the company is turning in a positive direction."

The Great Giveaway (NewScientist). NewScientist looks at Copyleft, OpenCola, the EFF's Open Audio License (OAL), and other related topics. "What started as a technical debate over the best way to debug computer programs is developing into a political battle over the ownership of knowledge and how it is used, between those who put their faith in the free circulation of ideas and those who prefer to designate them 'intellectual property'. No one knows what the outcome will be. But in a world of growing opposition to corporate power, restrictive intellectual property rights and globalisation, open source is emerging as a possible alternative, a potentially potent means of fighting back." (Thanks to Ron Klumpes.)

Companies

BT in Fight to Establish Web Surfing Patent (Yahoo). Yahoo News reminds us that British Telecom's patent case against Prodigy is about to go to trial. BT claims to own the idea of hyperlinking; if it's successful, the shakedowns will not stop with Prodigy. "BT is calling the trial a test case whose outcome will determine whether it can commercialize a potentially lucrative patent. If successful, BT intends to go after other American internet service providers, the lone jurisdiction governed by the patent."

British Telecom seeking enforcement of old hyperlink patent (SF Gate). SFGate looks at BT's suit against Prodigy attempting to enforce its old hyperlinking patent. "BT tried to persuade the judge to interpret the language broadly for the jury -- to include a computer mouse, for example, as the 'keypad' mentioned in the patent. 'It has keys,' BT lawyer Robert Perry said."

Googlewhacking enters the office? (ZDNet). According to ZDNet, Google has introduced a new rack mounted Linux based device that searches the contents of client web sites. "'It was just a natural extension for us to take our existing search product and put it behind the firewall,' said Joan Braddi, vice president of search services at Google. 'We had been asked by many of (our) partners for something like that.'"

Wizards and Windows (HP World). HP World benchmarks SuSE Linux and Windows XP, both running on an HP laptop. According to this particular comparison, XP beats Linux in many of the tests performed. The report is, however, somewhat critical of the Wizards in XP, and has some good things to say about Linux. "Now, with open source rising up as the business-alliance tsunami of the century, Microsoft for the first time in a very long while faces both fundamental technology and business model challenges." (Thanks to Robert K. Nelson.)

MS chief lashes out at German Free Software petition (Register). The Register reports on Microsoft's reaction to the petition urging the use of free software in the German Bundestag. "One of the things likely to have worried Microsoft most is the fact that quite a few of the initial supporters of the petition are Bundestag members, meaning it looks much more like a genuine campaign with heft than just a clutch of crazed visionary lobbyists."

Sun to reveal administration, Linux plans (News.com). Sun's CEO Ed Zander discusses some upcoming plans, including Sun's involvement with Linux. "'We're doing a lot on Linux,' Zander said, mentioning the company's open-source StarOffice suite that competes with Microsoft Office, its Cobalt servers that run Linux, its open-source Forte programming tools and the iPlanet e-commerce software that runs on Linux. 'Maybe we haven't marketed it well.'"

Sun details plans for Linux servers (News.com). Here's more on Sun's recent Linux announcement. "The company added it will 'aggressively participate in the Linux community,' offering key components of its Solaris operating system for free."

An observant reader pointed out that Tux the penguin has shown up on Sun's front page. (Thanks to Tim Hunt.)

Servers lead out Sun's Linux drive (ZDNet). ZDNet reports on the Sun Linux announcement. "Sun Microsystems said Thursday that it would sell general-purpose Linux servers, a dramatic departure for the company that for years has advocated the use of its own Solaris operating system." (Thanks to Peter Link.)

Sun embraces x86 in Linux overture (Register). The Register focuses on a different area in Sun's Linux announcement. "Pragmatism has trumped pride at Sun Microsystems: the company will expand its Intel-based Cobalt line at the low-end to win back some of the business currently being lost to white box and Dell x86 servers.

That was the most dramatic of nine announcements from Sun this morning, declaring that it is embracing Linux."

Sun's war against Microsoft (LinuxDevices). LinuxDevices.com interviews Vivek Mehra, VP and General Manager of Sun's Cobalt Server Appliance business unit. "Mehra, a key architect of Sun's Linux strategy, cofounded Cobalt Networks Inc. and served as Cobalt's chief technology officer prior to its acquisition by Sun. Mehra describes himself as having been "very involved in all aspects of the design" of the original Linux-based Cobalt Qube."

Sun's McNealy finds his inner penguin (ZDNet). Here's ZDNet's take on Sun's latest Linux moves. "Indeed, moments after advocating Linux at Sun, McNealy showed a mock advertisement disparaging IBM and bragging about Sun's single-OS, single-chip strategy."

Linux Moving to Heart of Sun (Wired). Here's Wired's take on Sun's announcements. "Is it damage control? In recent months, online trading company ETrade and retailer Amazon have announced a shift from Sun servers to Linux as money-saving measures to run their websites. Amazon said it saved $17 million in one quarter alone by using Intel/Linux systems. Also, Wall Street giant Morgan Stanley is moving its Solaris applications to Intel computers running Linux."

Sun Falls In Behind The Linux Juggernaut (IT-Director). Here's an IT-Director article on Sun's announcements. "So now Sun joins the party. It will be interesting to see how the contest pans out. 2002 is likely to be a good year for Linux and SUN may have been a little late for the party."

Sun gives Linux an equal billing (vnunet). Vnunet chimes in with its view of Sun's Linux announcements. "Speaking in San Francisco last week, Sun president Ed Zander insisted the company's support for Linux would not change its strategy for a single-platform architecture. "Linux was created over time and was mirrored on Solaris; you can go back and forth easily. We share the same philosophy, and are the one company that can do this," he said."

Business

Vendors Spur Linux On (TechWeb). Here's a TechWeb article on the continued success of Linux. "No one says businesses will soon dump everything in favor of Linux, but the fact that IBM concedes there may be a time when it's the only operating system IBM ships is surprising, considering the millions of dollars the vendor has spent developing Unix systems in the last decade."

The New Workhorse of Gene Sequencing, Proteomics and Drug Development (Drug Discovery). According to this article at Drug Discovery Online, Linux clusters are making big impacts in the bioinformatics arena. "Linux clusters, which network multiple processors together to form a unified and more powerful computing system, are becoming a major technology in the bioinformatics industry. Universities, government labs and commercial entities now boast Linux clusters of dozens, if not hundreds of these processors or 'nodes' for the explicit purpose of gene sequencing, proteomic research, or drug discovery and development."

Reviews

A Modern, Low Resources Linux Distribution (Linux Journal). The Linux Journal describes the RULE project, which is trying to put together a less resource-hungry Linux distribution. "Schools, families, developing countries, public and private offices with almost null budget (pretty big segment nowadays) must save on all costs, no matter how low they already are. Often, the only PCs they can afford are donated and really old, and Free Software can't leave them alone."

Wireless Gateway addresses security issues (ZDNet). ZDNet reviews the Bluesocket Wireless Gateway Appliance, which happens to run Linux. "Bluesocket Inc.'s $6,000 WG-1000 Wireless Gateway sits on a LAN between wireless access points and the rest of the corporate network. It acts as an authorization and VPN server. Any wireless data traffic can reach the device, but unauthorized users can't get past it. Authorized packets pass across the internal network (which is presumably secure), unencrypted."

A review of Qt Palmtop (LinuxDevices). LinuxDevices.com reviews Qt Palmtop (now called Qtopia). "Trolltech's Qt Palmtop has evolved over time into a fully functional application suite for handheld devices and internet appliances. It is based on the industry-proven Qt API and features a flexible and fast software platform, which also integrates Java technology. Qt Palmtop is an application suite that should be taken seriously by all manufacturers and developers of handheld products."

Resources

A Bison Tutorial: Do We Shift or Reduce? (Linux Journal). LinuxJournal presents a tutorial on Bison. "A shift-reduce conflict is the result of an ambiguity in the grammatical specification of a language, in our case, a programming language. The terms 'shift' and 'reduce' are explained in the course of this article."

Interviews

Interview: Andrew Morton (KernelTrap). KernelTrap interviews kernel hacker Andrew Morton. "One hot tip: if you spot a bug which is being ignored, send a completely botched fix to the mailing list. This causes thousands of kernel developers to rally to the cause. Nobody knows why this happens. (I really have deliberately done this several times. It works)."

Adam Wiggins Interview (KDE::Enterprise). KDE::Enterprise interviews Adam Wiggins of TrustCommerce. "It's simple: KDE makes the UNIX desktop usable for non-IT workers. If it wasn't for KDE, we'd have to pay a lot of money for proprietary hardware (Apple) or software (Microsoft). More importantly, the machines are more stable and easier for our sysadmin to maintain. That's a big savings in cost - not having to hire another sysadmin as our employee count continues to grow."

A conversation with Gaël Duval (DesktopLinux). DesktopLinux talks with Gaël Duval, the creator of Mandrake Linux. "Our recent IPO was quite small, yet nicely accepted, and it permitted us the luxury of cutting costs in many areas instead of just laying off people! Financially speaking, we're doing better and better with each passing month: MandrakeStore is very successful as well as the Mandrake Club, and we plan on reaching 'break-even' by September 2002 and on being a profitable company in 2003."

Three more FOSDEM speaker interviews. Three new FOSDEM 2002 speaker interviews are available; see what Philippe Aigrain, Ian Clarke, and Richard Morrell have to say.

Miscellaneous

LinuxPlanet: A Winding Path to KDE3. KDE.News discusses LinuxPlanet's review of KDE3.

Section Editor: Forrest Cook



See also: last week's Announcements page.

Announcements


Resources

LPI certification 101 prep, Part 4 (IBM developerWorks). Part 4 of the LPI certification exam preparation tutorial is available on IBM's developerWorks. The topic of this tutorial is advanced administration.

LinuxUser Issue 17 is available. Articles from the December 2001/January 2002 edition of LinuxUser are available online in pdf format.

The Book of Zope review (LinuxLookup). LinuxLookup reviews "The Book of Zope" by Jody Bryne. "I've just spent a few days with Beehive's The Book of Zope published by No Starch Press. Having never built a web application before, I was definitely part of the author's target audience. Beginning Zope users as well as experienced developers, however, have received equal attention in this guide on writing web applications"

MOSIX clustering tutorial (IBM developerWorks). Daniel Robbins has put together a tutorial on MOSIX clustering. "MOSIX is a special transparent form of clustering that is easy to set up and can produce positive results with only a minimal time and energy." Registration is required.

Events

The last set of FOSDEM interviews. The FOSDEM gathering, which happens in a few days, has released its last set of interviews with people who will be speaking at the event: Thierry Matusiak, Richard Moore, Loic Dachary, Jean-Michel Dalle, Andy Oram, Gilles Fedak, and Richard Stallman. "If people say I never compromise, they are entirely mistaken. The fact is I make deals all the time in support of the goals of freedom and free software. What I refuse to do is compromise away the goal. I know what I am trying to achieve, and I stick to it."

European Python and Zope Conference 2002. The European Python and Zope Conference 2002 (EuroPython 2002) has been announced. The conference will be in Charleroi, Belgium from June 26-28, 2002. Python creator Guido van Rossum will present one of the keynote speeches.

Book now for GUADEC 3. People who are planning on attending the GUADEC 3 conference in Seville, Spain are advised to make their hotel reservations early.

CEBIT 2002 accommodations. We received this notice which contains a list of housing suggestions for the Hannover CEBIT 2002 conference.

Linux Bangalore/2001 slide shows. Slides from the Linux Bangalore/2001 talks are online at the Linux Bangalore web site. (Thanks to Atul Chitnis.)

Nominations for the Dutch Big Brother Awards 2002. Nominations are being accepted for the Dutch Big Brother Awards 2002. "The first Dutch Big Brother Awards will be held in Amsterdam on the 15th of February. Today the jury announces the nominations in four categories: government, companies, persons and proposals. In every category one winner will be awarded with an 'Orwell'."

Google Programming Contest. Google is holding the first annual Google Programming Contest. The grand prize includes a trip to Google, Inc, $10,000, and a chance for your code to be run on Google's site. "Google is providing a selection of about 900,000 web pages in pre-parsed and raw format, together with a 'ripper' program that provides a framework for processing the pre-parsed data. Your mission is to write a program (most likely by adding code to the ripper) that does something interesting with the data, in such a way that it would scale to a web-sized collection of documents. Part of your job is to convince us of why your program is interesting and why it will scale; other than that, you're free to implement whatever strikes your fancy." Code must compile with g++ on Linux 2.2 or 2.4, or be written in Java on Sun tools. Python code is also being accepted.

Report from the Python Conference, day one. Those who wish they could be at the Python conference can at least get a bit of the flavor of the event from this writeup on the ZopeZen site.

Andrew Kuchling wins the Frank Willison award. The first "Frank Willison Award for Contributions to the Python Community" has been given to Andrew Kuchling at the Python Conference. "'Besides being a prolific programmer who has contributed to many corners of the Python implementation (starting with his crypto toolkit), Andrew has done numerous writing projects related to Python,' says Guido van Rossum, one of the Award's judges."

Embedded Linux Forum at Bay Area Linux Users Group. The Bay Area Linux Users Group will feature a forum on Embedded Linux, presented by ParaSoft. The forum will be held on Tuesday, February 19 at 7 p.m. at the Four Seas Hotel in Chinatown, San Francisco.

Events: February 14 - April 11, 2002.
Date | Event | Location
February 14 - 15, 2002 | 1st CfP German Perl Workshop (Fachhochschule Bonn-Rhein-Sieg, Sankt Augustin) | Bonn, Germany
February 14, 2002 | Workshop on the Practice and Theory in Public Key Cryptography (PKC 2002) | Paris, France
February 16 - 17, 2002 | Free Software and Open Source Developer's Meeting (FOSDEM 2002) (Brussels, Belgium) | Brussels, Belgium
February 18, 2002 | OMG Information Days Europe 2002 | Milan
February 19, 2002 | OMG Information Days Europe 2002 | Zurich
February 20, 2002 | OMG Information Days Europe 2002 | Munich
February 21, 2002 | OMG Information Days Europe 2002 | Vienna
February 22, 2002 | OMG Information Days Europe 2002 | Budapest
February 25, 2002 | OMG Information Days Europe 2002 | Prague
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 2, 2002 | LinuxForum 2002 | Copenhagen, Denmark
March 4 - 6, 2002 | International Symposium on Advanced Radio Technologies (ISART 2002) (Dept. of Commerce, 325 Broadway) | Boulder, CO
March 5, 2002 | OMG Information Days Europe 2002 | Helsinki
March 6, 2002 | OMG Information Days Europe 2002 | Stockholm
March 7, 2002 | OMG Information Days Europe 2002 | Oslo
March 8, 2002 | OMG Information Days Europe 2002 | Copenhagen
March 12 - 16, 2002 | Embedded Systems Conference (Moscone Center) | San Francisco, California
March 21 - 22, 2002 | Annual Conference of Open Source Content Management Systems (OSCMSC) (Swiss Federal Institute of Technology (ETH)) | Zurich, Switzerland
April 3 - 6, 2002 | The Association of C & C++ Users Spring Conference (ACCU) (Heritage Motor Centre) | Warwick, England

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

GNU-Friends, a news site for friends of the GNU Project. GNU-Friends is a news site for friends of the GNU Project. It's based on the Kuro5hin Scoop-backend. GNU-Friends is intended to provide news from the GNU community, especially news that does not generally make it to other news channels.

Section Editor: Forrest Cook.


February 14, 2002

   

 

Software Announcements


Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

The Alphabetical List and Sorted by license

 

Our software announcements are provided courtesy of FreshMeat

   


See also: last week's Letters page.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

February 14, 2002

   
From:	 Phil Cameron <pcameron@CrescentNetworks.com>
To:	 letters@lwn.net, pecameron@mediaone.net
Subject: Security perspective
Date:	 Thu, 07 Feb 2002 12:56:48 -0500

There are a couple more points to consider when counting the security
updates. 
1) Is this a fix for a known exploit or is it a fix for something that
can happen in theory?
2) What damage can be caused by the exploit?

Looking at this week's updates:
Mandrake Linux Security Update - GZIP: 
This fixes two problems with the gzip archiving program; the first is a
crash when an input file name is over 1020 characters, and the second is
a buffer overflow that could be exploited if gzip is run on a server
such as an FTP server.

The first is not security related and the second looks like an exploit
that can cause damage. Is there a known exploit? A lot of things that
seem possible turn out to not be possible because of the interaction of
other software. 

Net::FTPServer security fix.
close a potential vulnerability "allowing users to list directories to
which they should not have access. If your configuration file uses 'list
rule', then you need to upgrade to version 1.034."

How bad is this? What actual damage can be done? You can't actually
"get" the files, just list them. There doesn't seem to be a known
exploit. Do we count it anyway?

PHP Safe Mode Filesystem Circumvention Problem
"If an attacker has access to a MySQL server [...], he can use it as a
proxy by which to download files residing on the [PHP] safe_mode-enabled
web server".

OK how do you count this? Is there a known exploit? What does it take to
gain access to a MySQL server?


Much of the time, we see bugs that are uncovered by reviewing code and
during debugging. Every once in a while a really important vulnerability
is discovered.  How many of these bugs will actually be seen on
production machines? I personally like to see these reports because it
shows that people are taking security seriously and are trying to plug
holes that could possibly exist. The more we do this the stronger the
system gets. It is unfair to compare them with other vendors' products
without carefully analyzing the nature of both systems' problems.

As for distributions, I would like to see a basic out of the box secure
system. The entire system needs to operate in the secure mode so that
the installer or admin does not have a need to weaken it. Secure out of
the box is value that distributors can add that can distinguish them
from each other.

Phil Cameron
   
From:	 Armijn Hemel <armijn@nl.linux.org>
To:	 corbet@lwn.net
Subject: .NET stuff
Date:	 Thu, 7 Feb 2002 17:06:34 +0100

hello LWN,

with a lot of interest I've been following all this discussion about Mono
and .NET. One of my former teachers here at the university is now program
manager of the Common Language Runtime for .NET and I've read a few articles
and magazines (issued by Microsoft) about this whole .NET thing.

The .NET concept is indeed very nice. There is a well-defined bytecode
language (Intermediate Language, IL), a decent runtime and a set of
compilers for different languages to compile to IL.
Sounds neat, because you can then write stuff you want in one language
and use it in another language. You can specialize in writing the language
that is best suited for the task.

What most people forget is that to ensure that this can happen there
is a specification (the Common Type System, CTS) which describes which
datatypes you can use in a language if you want to take full advantage of
the .NET framework.

A quote from the Microsoft MSDN site about the CTS:

\begin{quote}

The common type system defines how types are declared, used, and managed in
the runtime, and is also an important part of the runtime's support for
cross-language integration. The common type system performs the following
functions:

* Establishes a framework that enables cross-language integration, type
  safety, and high performance code execution.
* Provides an object-oriented model that supports the complete implementation
  of many programming languages.
* Defines rules that languages must follow, which helps ensure that objects
  written in different languages can interact with each other.

\end{quote}

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconthecommontypesystem.asp

So, while .NET does not limit you in the number of programming languages
it does limit how these languages are being used (see the third `function' of
the CTS above), which is (I think) a serious drawback if you want to do real
programming. Therefore I can't understand why Miguel is so positive about the
.NET framework...

armijn

-- 
 ---------------------------------------------------------------------------
   armijn@nl.linux.org | http://people.nl.linux.org/~armijn/ | Penguin Power
 ---------------------------------------------------------------------------
                 http://nl.linux.org/ | Alles over Linux
 ---------------------------------------------------------------------------
   
From:	 dps@io.stargate.co.uk
To:	 letters@lwn.net
Subject: Region coding---the truth vs. what is said
Date:	 Thu, 7 Feb 2002 18:44:36 GMT

I think most people believe the real reason for region coding
DVDs is that people can charge more for less in Europe. The
studios would deny it but that is probably because saying so
would leave them liable to unpleasant prosecution (under consumer
protection and free trade statutes). Let it suffice to say the
same DVD costs a lot less if bought in America... and you
might get more on the American version too.

I am fairly sure that what was said in court was that DeCSS and
other efforts that allow people to exercise their fair use rights
should not be allowed because that would allow piracy. The logic
is a little flimsy, for example I could just record the video
signal on a good quality video recorder and probably get something
close to the quality of the DVD, but when did logic get in the way
of attempting to abuse the law? Legal niceties like terms that are
legally null and void in licence agreements, because those terms
are illegal, are still present (the most common is the "by opening
this envelope you agree to these terms" language---legal advice is
that this has no force in the UK).

Fortunately America can not unilaterally abolish limits to their
jurisdiction, and the DMCA does not apply in Europe. Even if it
did extradition to America is dubious because much of Europe will
not allow extradition to anywhere with the death penalty (and
definitely not if the death penalty might be applied).

P.S. As a person with no TV, sound card, or DVD reading equipment
the obvious DVD practices do not affect me. I am thinking about
a DVD writer for backing up *my own* data (CDs are just too
small).
   
From:	 jimd@starshine.org (Jim Dennis)
To:	 letters@lwn.net
Subject: chkrootkit and System Integrity Auditing
Date:	 Thu,  7 Feb 2002 16:10:07 -0800 (PST)

 Hi,

 The fundamental problem with any tool like tripwire, aide,
 chkrootkit, or any other system integrity system (including
 virus scanners under other operating systems) is that they
 MUST BE RUN FROM A KNOWN CLEAN SYSTEM BOOT.

 That is the first, foremost, and inescapable rule of
 system integrity auditing.  You must boot from known clean,
 write-protected media.

 I realize that this advice rankles sysadmins with an
 uptime fetish.  However, I want to impress people that it
 is almost invariant.  The only scenario I've imagined where
 I *might* accept the integrity of a "hot" system audit would
 be in a case where hardware mirroring or raid would allow me
 to randomly pull a set of system volumes, push them into
 a KNOWN CLEAN standby system and perform the audit therefrom.
 I have not yet implemented such a scenario and would only 
 recommend it for cases where the server had hard and fast 
 uptime requirements that couldn't be met through clustering,
 etc.  (In other words, I might consider that auditing model
 for zSeries and S390 mainframes running 24x7 database 
 services).
 
 That said I have to point out the second inviolable law of 
 system integrity auditing --- you MUST capture the reference
 data (checksums, permissions, backup copies, whatever) 
 BEFORE any exposure.  So, ideally, you install and configure
 the system on a workbench (no network connection), prepare your
 reference data set and then connect the system to your LAN or
 net.  

 My favorite system integrity reference data is a simple tar
 file.  My favorite system auditing technique is:

 	boot from LNX-BBC (or tom's root/boot, or ...)
	mount filesystems
	insert reference media (write-protected tape, CD-R, whatever)
	tar dzf /dev/st0 (or whatever)

 ... this should detect all differences in content, permissions,
 and some innocuous things like timestamps and squawk about them.

 Part of the beauty of this system is that it ensures ready recovery
 from any problems you detect (left as exercise to the student, but
 it might involve replacing a 'd' with an 'x').

 Of course the principal disadvantage is that you have to also 
 manage all those nasty updates.  In practice we really care about
 the core kernel, shell, libc, and system utilities (up to and 
 including our gpg, aide, md5sum, and ssh tools).  Then we can
 (after ensuring their integrity) reasonably rely on those tools
 for the rest of our tests.

 For Debian systems we can use commands like:
 
 	ar p $PACKAGE data.tar.gz | tar dzf -

 ... to perform a quick and dirty audit of a given package's files 
 versus those under our current directory (at the root of the 
 distribution's installation, but possibly mounted at an arbitrary 
 place because we've booted from BBC/CDR).

 One can perform similar tricks using rpm -Vp ... (though that will be
 checking checksums rather than doing a bit-for-bit comparison).

 I could give a full day class in system integrity auditing techniques.  
 However, these few tips should help.  There are numerous
 alternatives to tripwire/aide (recent versions of tripwire are not
 free).  I recommend installing aide (apt-get-able for Debianistas)
 and one other (more obscure one) like fcheck, viperdb, or maybe a
 custom perl script for redundancy.  Assume that your attacker knows
 about tools like chkrootkit, aide, and tripwire (the big ones) 
 so maintain an extra little surprise for the lazy and careless 
 cracker to miss.

 Having a nightly cron job is useful, it will catch the most careless
 and lazy script kiddies.  However, it is wise to assume that your 
 cracker will search or compromise your cron subsystem, so squirrel 
 your backup alarm triggers into more obscure places such as a 
 user's at job (possibly SUID root, but only executable to their group)
 or perhaps a custom little patch to syslogd, sshd, or some other daemon 
 which spawns the check every day (and sends a heart beat to some other
 system to alert it that *that* daemon hasn't been summarily replaced.)

 I realize that this all sounds like paranoid spy novel stuff.  But
 it's really silly to underestimate your attackers.

 (BTW: any cracker reading this: don't bother attacking my home systems,
 they are uninteresting play toys that are not particularly hardened 
 and my link to the net is a pathetic little IDSL.  There's no sport in
 defacing my web pages because I'm not noted enough for the bragging
 rights to mean anything.  I reserve my real work for giving free advice
 and for paying customers).

--
Jim Dennis,
Starshine Technical Services
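
The reference-archive audit described in the letter above, as an added example that is not part of the original letter or of LWN's text: it compares a trusted tar archive with a mounted tree for contents and permission bits, as `tar d` does, and adds a pass for files that exist on disk but not in the archive, which `tar d` does not report. The function names, the constructed sample tree and the use of SHA-256 are assumptions made for the example; ownership and timestamps are not compared.

```python
import hashlib
import os
import stat
import tarfile
import tempfile
from pathlib import Path


def _sha256(fileobj):
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def audit(reference_tar, root):
    """Check root against a trusted reference archive; also flag files it lacks."""
    findings, seen = [], set()
    with tarfile.open(reference_tar, "r:*") as ref:
        for member in ref:
            if not member.isfile():
                continue
            name = os.path.normpath(member.name)
            seen.add(name)
            path = os.path.join(root, name)
            if not os.path.lexists(path):
                findings.append((name, "missing"))
            elif not stat.S_ISREG(os.lstat(path).st_mode):
                findings.append((name, "no longer a regular file"))
            else:
                if stat.S_IMODE(os.lstat(path).st_mode) != member.mode & 0o7777:
                    findings.append((name, "mode differs"))
                with open(path, "rb") as live:
                    if _sha256(live) != _sha256(ref.extractfile(member)):
                        findings.append((name, "contents differ"))
    # Second pass: files on disk that the reference never contained.
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            if rel not in seen:
                findings.append((rel, "not in reference"))
    return sorted(findings)


def demo():
    """Constructed sample tree: snapshot it, tamper with it, then audit it."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "root")
        bindir = Path(root, "bin")
        bindir.mkdir(parents=True)
        for name in ("ls", "ps", "su"):
            (bindir / name).write_bytes(name.encode() + b"-v1")
            (bindir / name).chmod(0o755)
        ref = os.path.join(work, "reference.tar.gz")  # stands in for read-only media
        with tarfile.open(ref, "w:gz") as tar:
            tar.add(root, arcname=".")
        (bindir / "ps").write_bytes(b"ps-v2")          # same size, different bytes
        (bindir / "su").chmod(0o4755)                  # setuid bit added
        (bindir / ".hidden").write_bytes(b"dropped")   # file the reference never had
        return audit(ref, root)
```

The result is only as trustworthy as the interpreter and libraries that produce it, so the letter's first rule still applies: run it from clean boot media against the mounted filesystems.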
   
From:	 chris.m.moore@amsjv.com
To:	 john.lettice@theregister.co.uk
Subject: The comments on the MS Seatlement
Date:	 Tue, 12 Feb 2002 11:35:02 +0000
Cc:	 letters@lwn.net

Hi,

By labelling the comments which only discuss the RPFJ as a starting
point as "substantive" the DOJ and the Register ("DoJ-MS comments: that
breakdown in full") have dismissed the vast majority of the comments
which "express an overall view of the RPFJ [Revised Proposed Final
Judgment] but do not contain any further discussion of it".

I count the letter I sent in this category (and Hans Reiser's too, see
http://linuxpr.com/releases/4445.html).  I dismissed the current
settlement as ineffective (the MS stock price rose after it was
announced) and proposed an alternate solution based on the LGPL (with
certain restrictions to prevent vertical markets forming).  I suspect
many of these 19500 comments would start from the premise that the
current settlement is useless and propose alternatives.

In any battle a general wants to pick the ground on which to fight.  By
picking the RPFJ, the DOJ and MS hope to curtail further discussion. 
I'm quietly encouraged that the judge has refused the application for a
limited oral hearing on this matter.
 
Chris M. Moore
Software engineer
Portsmouth, UK
   
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds