A sad, but common experience in the 1990's was to see presentations at
Linux conferences which were clearly done with PowerPoint. When Linux
advocates need to use a 100% proprietary system to communicate with their
audience, something is clearly wrong. Fortunately, those days are behind
us, and PowerPoint only makes appearances in irrelevant corners at Linux
events - LinuxWorld keynotes, for example.
Your editor has given a fair number of talks this year in a number of
exotic locales, and that trend looks set to continue. So presentation
software is an area of interest; it is time to look at the current state of
the art. Your editor has found that, while the situation is better than it
has ever been, there is still room for improvement.
For what it is worth, here are some of the criteria which are to be used
when evaluating free presentation systems:
- The visual quality of the output. One assumes that the audience will
actually look at the slides when not heckling the speaker over IRC,
so the appearance of the slides will affect the overall impression left
by the talk. So things like clean transitions and antialiased fonts
are important.
- Responsiveness. If the speaker has to wait for the next slide to
appear on the screen, something is wrong.
- Random access. Questions from the audience can require moving around
quickly in the talk; the presentation program should provide random
access to any slide without a lot of trouble.
- Easy creation of slides. It is bad enough to be finishing a talk,
with a hangover, an hour before it is supposed to be presented. If
the presentation system makes slide creation slow or laborious, such a
situation can become intolerable. It should be possible to bash out
slides - especially simple slides, with a minimum of effort.
- Control. It should be possible to get rid of all those bullets,
achieve decent inter-line spacing, set code in a monospace font,
etc. without great effort.
- HTML output. People like it when the slides from a talk are posted to
the web; this should be a straightforward operation.
One thing which is not on your editor's list is nine-step
special-effects dominated slide transitions, trapeze-act bullet points,
bouncing penguins, etc. In your editor's grumpy opinion, such effects can
only serve to distract attention from the actual substance of the talk.
Good presentations can only be harmed by turning the slides into a cartoon
show, and bad presentations cannot be saved that way.
There are two fundamental approaches to presentation programs: graphical
editors and markup languages. Your editor found two active projects
of each type; we'll start with the graphical entries.
KPresenter
KPresenter is the KDE
project's presentation package. It has come a long way in recent years,
becoming a powerful, fully-featured system
with something for just about everybody. Basic text is easy to enter, with
nice fonts and full control over presentation. Spell checking is built
into the application. There is a simple drawing
capability which includes the ability to make connections between objects -
a crucial feature when presenting this week's new organization chart.
Objects can be rotated and have drop shadows added on to them.
KPresenter can import images in numerous formats - including PostScript and
SVG. Tables and charts can be generated with a simple, spreadsheet-like
data editor. It is also possible to import various KOffice objects
directly. If you present a lot of pie charts, this package is for you. If
you want animations and singing, dancing transitions, KPresenter will
provide them for you as well.
There is a basic set of templates which can be used to control the overall
formatting of presentations. The first time you use KPresenter, it can be
a little hard to figure out how to quickly make it add a new slide with the
same template - but it is possible. A "preview" window on the left side
can be used to navigate through the slides while editing them.
KPresenter works as one would expect when presenting; the output quality is
good, and the program is responsive. A quick right-click brings up a list
of slides for random movement. KPresenter also offers a "drawing mode,"
which lets the presenter scribble on the slides with a mouse. As a nice
touch, KPresenter makes the pointer disappear while presenting. It's
surprising how few presenters think to move the pointer to a corner, and
give their entire talk with an unrelated arrow in the middle of their
text; with KPresenter, they need not worry about that little detail.
Generation of HTML with KPresenter is a matter of stepping through a set of
dialogs allowing customization of the output. HTML configurations can be
saved, making things easier the second time. The quality of the output is
good.
Your editor, working with the Fedora Rawhide packaging of KPresenter 1.3.2,
encountered a few occasional bugs. Try to create a presentation with the
wrong template, and the whole thing just silently quits. There are minor
annoyances: when editing presentations, it is nice if the tab key increases
the bullet level, but KPresenter does not work that way. The online
documentation is spotty, with detailed tutorials on some relatively simple
operations, but no help for more obscure topics, such as using the
"autoform" feature.
Those issues are all minor, however. KPresenter is clearly a mature and
capable package for the creation of presentations. If it were the only
option available for free systems, we would be in good shape.
OpenOffice.org
One of the many features built into OpenOffice.org is a presentation
package. Like KPresenter, OOo is a fully graphical editor, and it, too, is
packed with features.
If you want to make fancy drawings, OOo is even more feature-rich than
KPresenter. It has various types of curve drawing operations, and a set of
three-dimensional objects as well. If you are giving a talk which relies
heavily on 3D, ray-traced cones and toruses, OOo is the package for you.
It can do connections between objects. The graph editor also looks very
similar; type your data into the spreadsheet window (or import an
OpenOffice spreadsheet) and any sort of 3D plot is available to you. There
is a brutally long list of available slide transitions.
OpenOffice offers a number of ways of viewing and navigating through a
presentation while working on it. A small set of tabs on the bottom of the
window is one such view; to make the tabs useful, however, the user must
explicitly set the title which appears on each one. There is an "outline
view" which lists the bullet points as text, a "slide view" for seeing the
presentation in thumbnail format, and a "notes view" which presents
additional speaker notes.
The presentation mode works mostly as expected. It is possible to pull up
the navigator and move to an arbitrary slide, but you must know that F5 is
the magic key to hit. Some of the slide transitions and bullet effects,
if, for some reason, you choose to use them, can take a long time and do
not appear to be interruptible. There is a rehearsal mode which puts a
stopwatch on the screen so you can see how long each slide takes - but it
does not seem to time the entire presentation. There is no on-screen
drawing mode.
OpenOffice has a dialog-driven HTML export mechanism which allows
customization of almost every aspect of the output and works reasonably
well. The program can also export to PDF, but it seems to get confused by
animated text effects - yet another good reason to avoid them. The PDF
output also seems to lack many of the graphical objects in the slides;
instead, it contains only the text.
OpenOffice.org differs from KPresenter in one key aspect: how templates are
handled. KPresenter generates each page from the template at insertion
time; thereafter, the page is disconnected from the template. OpenOffice,
instead, derives pages from a "master" page, and keeps that connection. As
a result, changes affecting the layout of the entire presentation can be
made by editing the master pages. With KPresenter, instead, it is
necessary to change each page individually.
Anybody who has worked with OpenOffice.org knows that it is a large,
unwieldy program. Once it gets going, it responds reasonably well,
however. Once again, the online documentation is not all that one might
hope for. If you want text with drop shadows, OpenOffice will disappoint
you. If you want a capable, graphical presentation package, however,
OpenOffice can certainly fill the bill.
MagicPoint
MagicPoint takes a very different
approach to the problem of editing presentations. This tool (along with
Pointless, which we will get to shortly) is based on plain text files and a
custom markup language. Editing of slides is done with an ordinary text
editor; the resulting file must be fed to the utility to see the final
result.
To many, this approach will seem like something straight out of the
1970's. There are advantages to doing things this way, however: the
creation of simple, textual presentations can be done very quickly, and the
plain text input file can provide extensive control over how the
presentation works. Purists will tell you that the markup approach helps
to focus the mind on the structure of the presentation rather than its
appearance. That may be true, but presentations are also very much about
appearance, so users of markup-based presentation programs usually end up
checking the formatting of their slides frequently as they write them.
MagicPoint's markup language takes a bit of getting used to. There is a
simple template for each page which describes how each line should be
formatted. In a typical MagicPoint presentation, the first line of a slide
is blank, the second holds the title, the third is blank, and the slide
text starts on the fourth line. Bullet levels are determined by the number
of tabs at the beginning of the line. The result is that a MagicPoint
input file tends to look like an outline of the talk with a bit of markup
language thrown in.
The markup language is fairly straightforward: %page to start a
page, %font to change fonts, etc. MagicPoint can use TrueType
fonts for high-quality output. If you change fonts frequently (using
monospace fonts for code fragments, for example), MagicPoint's markup can
get verbose and cumbersome; otherwise it is pretty unobtrusive.
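To make the layout described above concrete, here is a small slide file in the MagicPoint style, added here as an example; it is not from the article or from the MagicPoint distribution. It assumes the default.mgp shipped with MagicPoint is on the include path, which is what defines the "standard" and "typewriter" fonts and the per-line defaults (small blank first line, large title, separator bar, body text from line four). Leading tabs select the bullet level; the two %font lines show the switch into and out of a monospace font for a code fragment.

```mgp
%include "default.mgp"
%page

Free presentation software

	Two kinds of tool
		Graphical editors
		Markup languages
	Criteria: output quality, responsiveness, random access
%page

Code on a slide

	Switch to a monospace font for the fragment, then back again:
%font "typewriter"
	$ mgp talk.mgp
%font "standard"
	Every font change is its own directive line, which is where the
	markup starts to feel verbose.
```

Each %page starts a new slide and resets the formatting, so the %font "standard" line is only needed when the slide continues after the code.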
There is simple support for background
images or gradients. There are no operations for creating graphics in
slides beyond drawing solid rectangles, but MagicPoint can
easily display images stored in external files. So, to create a slide with
graphics, one need only fire up one's favorite editing tool and export the
result as a PNG file.
In presentation mode, MagicPoint behaves much like the others. It has an
on-screen drawing mode, and supports easy random access to slides. There
is an option to put up a footer giving the titles of the next and previous
slides - useful for speakers who have a hard time remembering what's coming
next. MagicPoint also offers a rehearsal mode where it continually shows
how much of your allotted time has been used.
Generating an HTML version of a talk is a simple matter of running
MagicPoint with the right command line options. There is, however, little
flexibility in how that output is formatted.
MagicPoint is not a fast-moving project; the last release (1.10a) came out
in June, 2003; 1.09 was released in September, 2001. In other words,
not much is going on there. The lack of activity is somewhat surprising,
given that there are many MagicPoint users out there. This tool has,
evidently, reached the point where it is good enough; there is nothing so
irritating that it inspires people to tear into the code. MagicPoint does
have some bugs, some difficult features, and other issues - for example,
fonts can make presentations hard to move between machines. It would be
nice if this useful tool were to get some renewed developer attention.
(Those interested in MagicPoint input and output can see the editor's OLS 2004 talk and get a tarball with the sources and
images that go with it.)
Pointless
Pointless is another markup-based
presentation tool; it runs on most Linux and Unix systems. Your editor's
first impression was that the Pointless developers are trying to build a
system around a sort of object-oriented version of LaTeX. Pointless takes
some getting used to, and is in an early stage of development, but it shows
some real potential. Unfortunately, development appears to have stalled
since the beginning of this year.
Users of Pointless end up typing in a lot of markup. Each bulleted line
must be marked with =item, =subitem, etc. Plain text
lines need =par, or are marked by a
=begin-par/=end-par pair. Font and color changes follow
a TeX-like style ({=small some-text}), and are a bit easier than
the MagicPoint equivalents. Commands exist for importing images, setting
tables, importing fonts, etc. There is also a macro definition capability
which can be used to isolate slide formatting decisions and cut down on the
typing.
Pointless is written in Python, and it has made Python's module importing
capability available to presentation files. The distribution comes with
additional modules which can display EPS images or LaTeX source, create
plots with gnuplot, or format source code.
There is one visual effect supported by Pointless - a basic alpha fade out
and in. It uses that effect everywhere, however, and it can make the
rendering of slides quite slow. Commands exist for controlling the fader,
but an attempt to use them (uncommenting the versions in an example
presentation packaged with the source) resulted in Python tracebacks.
Actually, crashing Pointless 0.5 is an easy thing to do in general.
Random access to slides during a presentation is not supported, and there
is no drawing mode. Annoyingly, Pointless forces a pause before every
bulleted item in each slide, requiring the speaker to lean on the space bar
and watch each line fade in separately. This behavior can be changed by
putting =nostep before every single line.
HTML output is supported. The mechanism is flexible; it works from
templates and can substitute in many variables describing each slide. There
is no "just make me some HTML" operation, however; the user must specify
three different templates before Pointless will do the job.
Pointless has the potential to become a highly capable, extensible
presentation system. For the moment, it remains - as stated on its web
page - an alpha-phase project. Unless development picks up again,
unfortunately, it is likely to remain there.
Summary
As always, there are some other projects which were not reviewed here, but
which are worthy of mention:
- Agnubis is
another attempt to create a GNOME presentation program. It would
appear that development stalled in 2002, however, and the project,
while having put up some screenshots, has never made an actual
release. One of the authors posted a why
agnubis did not succeed message in 2003.
- Criawips
appears to be the current GNOME effort in this area.
Version 0.0.7 was announced
on September 9. Some screenshots are up, but little features
like "creating and editing of slides" are yet to be implemented.
- Imposter is a
standalone viewer for presentations made with OpenOffice.org.
- MinDia appears to be an
active project. Its focus is on display of photography, however,
rather than the creation of presentations.
- tpp is a markup-based
presentation system which uses ncurses for its display. If you need
to run presentations on a vt100 terminal, this system is for you.
So which package would a grumpy editor choose? On the graphical side,
OpenOffice.org comes through as being more mature, and its "master page"
mechanism can come in handy when one's employer is acquired and all of the
page footers have to be changed at once. From the outside, however,
KPresenter looks like a more vibrant, fast-moving project. Your editor
also likes the feel of KPresenter better; OpenOffice, while being capable
of almost anything, has always seemed unwieldy and aggravating to operate.
OpenOffice should not be written off by any means, but KPresenter looks
like it may be set to surpass it.
On the markup-based front, MagicPoint appears to be the only viable
alternative at this point. Your editor will likely stick to it despite its
slow-moving development and fairly primitive state. It has the features
your editor really needs, and it does better at staying out of the way than
any other system out there.
There seems to be a bit of a gap in the development of free presentation
programs. The pointy-haired set, which wants sound effects, dancing bullet
points, and easy pie charts, appears to be reasonably well served by the
available graphical offerings. There is less available for those who
prefer no-nonsense, text-centered presentations, quick talk preparation, easy display of
code samples, and who are not afraid of a text editor. And the GNOME
project, despite a few attempts (remember Achtung?) has yet to produce a
presentation system of its own.
Projects in this area seem to have a high probability of stalling before
reaching a stable state. Perhaps the problem is more difficult than it
seems at the outset.
That said, the state of the art is clearly better than it has ever been;
anybody wanting to do a presentation with free software has a few
alternatives to choose from. There is no longer any need to face the
embarrassment of being caught using PowerPoint at a Linux conference.
[As a postscript, your editor would like to let it be known that he has not
forgotten his promise to complete the email client series with a look at
terminal-based tools. That article is still in the works, and will show
up, hopefully, before too long.]
As reported by News.com: Sun will release Solaris 10 under an open source license by
the end of the year. Sun evidently wants to create a project around
Solaris similar to the Fedora effort. There are numerous ways of viewing
this announcement; in the absence of much in the way of real details, one
might as well succumb to the temptation to apply a significant amount of
imagination.
From a cynical viewpoint, one can argue that Sun is just acting from
commercial desperation. By putting Solaris out there, the company hopes to
attract attention, divert some developer and user interest from Linux, and,
with luck, dump some of its development and maintenance load onto the
community. Such a move would seem destined to failure; Sun's ability to
"get" free software has been mixed at best in recent years, and the company
is in no position to take a leadership position there now.
The paranoid among us wait, with trepidation, for Sun to specify a license
for the code it is releasing. At best, they fear, Solaris will be managed
like Java; source will be available, but the code will be managed with an
iron hand and there will be no opportunity for a true community to come
together around Solaris. In a worst-case scenario, the Solaris license
will not only forbid any sort of cross-pollination with the truly free
operating systems, but it will also "taint" any developer who looks at the
Solaris code. A license which attempts to forbid the transfer of code,
algorithms, techniques, etc. outside of Solaris could be fodder for the
next round of unpleasant lawsuits. Remember that Solaris is based on
SCO-owned code, Sun obtained options on SCO stock last year, and Sun dumped
several million dollars into the SCO Group for "licensing fees" as well.
The relationship between these two companies never has been explained in a
satisfactory way.
The optimistic observer, instead, will hope that Solaris goes out with a
GPL-compatible license. At that point, Solaris becomes another free Unix
system, alongside the various BSD projects. Useful code in Solaris can be
incorporated into other systems, and Solaris, too, can benefit from code
and ideas found in the other free systems. Solaris users will know that
their operating system can remain viable well into the future, regardless
of what happens to Sun. And the free software community will be that much
richer.
The gray-bearded True Unix People would still rather have the source for SunOS 4 (or even SunOS 3) and to heck with Solaris.
Until Sun tells us exactly what it plans to do, with an emphasis on which
code will be released and under which license, it is hard to say with any
certainty what the Solaris release will mean. Things could go in almost
any direction. We're most curious to see what Sun comes up with; hopefully
they will not make us wait too long before filling in the details.
September 14, 2004
This article was contributed by Tom Chance.
Little is known or said about the KDE e.V., the registered
non-profit organization that represents the KDE Project in legal and
financial matters. Created to deal with various problems faced by a young
free software project, the e.V. maintains a low profile and tries to merely
protect the project, but is faced with demands for a greater role, as well
as accusations of it being too
closed. This article sets out to disambiguate the e.V.'s role, and what
it means for KDE contributors and the wider free software community, from
the point of view of a writer who works with the KDE Project but who is
neither a member of the KDE e.V. nor a spokesperson for the KDE e.V. in any
way.
Since the KDE e.V.'s pages on the KDE web site are relatively
uninformative, I took the opportunity to talk to the Treasurer, Mirko
Böhm, while attending the KDE World Summit "aKademy". He began by explaining
the history of the organization. It started with three people in 1996 to
solve two problems faced by the KDE Project: the need for legal validity
when taking donations, and the concerns about the Qt licensing model that,
at the time, wasn't Free and could have seriously damaged KDE. To cut a
long story short, by late 1997, some German members of the project
registered the KDE e.V. with the German Association Registry. In 1998 the
KDE e.V. and Trolltech created the KDE Free Qt
Foundation whose purpose was "to secure the availability of the Qt
toolkit for the development of Free Software".
So from its start the key goals of KDE e.V. were to provide legal and
financial representation for the project. But it is more proactive than
those simple aims suggest. They provide an avenue for donations, they help
promotion efforts, they organize conferences, and just as Linus Torvalds
registered the trademark for Linux, so the KDE e.V. took control of the KDE
trademark, to protect and promote the identity of the project. For KDE
contributors, this means that they can use the legal and financial backing
of the KDE e.V. to pursue trademark disputes. For the wider world this
means that the KDE Project can force you to remove references to their
trademarks from your work if they don't like it. Of course the
KDE e.V. only intends to attack those who seek to damage the KDE Project
through trademark infringement - it isn't going to stop people saying their
work is a KDE application for the sake of it - but with this power comes
the need for clarity regarding who is responsible and accountable.
Aware of the problems this might cause in a community based upon individual
and community freedom, KDE e.V. claims to operate as an open membership
organization. Rather than being run by companies and sponsors, as many
other similar organizations are, the KDE e.V. is controlled by contributing
members (i.e. contributors, documenters, artists, etc.). The idea is that
the organization is run for free software contributors by free software
contributors. Yet the membership process is still not entirely open,
requiring that one existing member nominate you, and two further members
support your nomination, which the Board of Directors then
accepts. Enthusiastic users who feel they have a stake in the KDE e.V.'s
decisions are excluded, as may be unpopular contributors. Furthermore the
membership mailing list is closed, as are membership meetings, meaning that
the free software community can only learn of the proceedings of the KDE
e.V. through officially sanctioned channels.
For Rob Kaper, a KDE contributor who claims his views are not uncommon in
the community, these closed channels are not always necessary or
useful. Whilst he recognizes that some matters such as financial reports
should be kept private, he told me that the KDE e.V. membership should be
calling "for a distinction between truly private matters and the
aspects of true open source development". In particular he objects
to the private-by-default membership mailing list, subscription moderated
development mailing lists (he gave the example of khtml-devel) and the
closed KDE.News editors, kde-security and
kde-packager mailing lists. He sees a trend that he told me "is
largely being ignored by the eV membership".
Both the KDE e.V. Board of Directors, who are elected by the membership
with terms of three years, and the membership itself might well reject some
of these claims. Each decision to close an area of the project from the
public is made by the contributors concerned, not the KDE e.V., and so the
closed areas represent the concerns of the contributors. Of course Kaper
would contend that contributors should be making things more open, not more
closed, but then that becomes a separate matter of how free software
projects manage themselves.
As Mirko pointed out to me, it isn't the place of the KDE e.V. to dictate
how development and PR efforts ought to be conducted. One of the guiding
principles of the KDE e.V. is to separate politics from development,
although Mirko acknowledged that this isn't always possible. In this year's
membership meeting at aKademy, for example, the membership voted to have
the Board of Directors adopt a position on software patents that will allow
contributors to stick to their work without worrying that KDE is sitting on
the fence on such a crucial issue. And in the matter of closed mailing
lists, whilst the e.V. membership can discuss the issue, it is more a
matter of pragmatism. For Kaper though "the e.V. should protect KDE
from efforts to control that kind of free flow of information",
which "it can only do ... when it adopts more open policies
itself". Doing this would mean a major expansion in the scope and
power of the e.V. over contributors.
These minor disputes put the KDE e.V. in an awkward position. It wants to
leave the project to develop according to the regulation of the GPL and
their policy of letting the best code decide. Yet there seem to be issues
where consensus will not arise naturally, where the project requires a
space in which these issues can be debated and consensus can be built. When
I asked Mirko about the future of the organization, he admitted that they
don't have a clear idea of how it might evolve - that is up to the
membership. Whether it is appropriate that the KDE e.V. expand its current
role beyond that of protecting and promoting the project is undecided, as
is whether or not its current activities and policies properly fulfill that
role.
For KDE contributors it is a debate that needs to be engaged, and one that
will hopefully result in a democratic vision of the organization's
future. All contributors should understand and be part of that process. For
KDE users and the wider free software community there is little scope for
input, except through public debate that might influence the KDE
e.V. membership. It is nonetheless an interesting experiment in running a
formal entity that can represent a fairly anarchic community project, and
so we will continue to benefit from their experiences.
Page editor: Jonathan Corbet
Security
Brief items
September 15, 2004
This article was contributed by Jake Edge.
Making sweeping statements about the security of a particular program
can come back to haunt you rather quickly as the recent case of a local
root exploit in cdrecord demonstrates. During a discussion of recent changes
in the 2.6 Linux kernel (as covered
by LWN), Jörg Schilling, the author of cdrecord, made a comment about
the security of that program:
Judging from the number of reports, I would guess that the Linux kernel is
much more insecure than cdrecord.
That statement could well be true, but in making it, Jörg may have
inspired someone to take a closer look at cdrecord.
Max Vozeler recently found that cdrecord fails to drop privileges when it executes
an external program, and that users can specify which external program is run
via the RSH environment variable. If cdrecord is
installed setuid root, any local user can exploit this vulnerability to
gain root access; multiple exploits have already been posted on bugtraq.
Jörg recommends installing
cdrecord setuid root.
cdrecord uses the elevated privileges to lock its buffers into physical
memory and to request real-time scheduling, both of which reduce the
chances of a buffer underrun. In addition, cdrecord opens the
SCSI device before dropping privileges back to that of the user who executed
it. In the case of a remote device, it executes the command to access
that device, but prior to this bug being fixed, it did that with
elevated privileges.
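The order of those steps is the whole point, so here is the pattern in code, as an added example that is not cdrecord's own source: a setuid-root helper that gives up its privileges, verifies the drop actually took, and only then consults the RSH environment variable to choose the external program. The function names (drop_privileges, choose_rsh, run_remote_helper) and the default path /usr/bin/rsh are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed default, used whenever the environment must not be trusted. */
#define DEFAULT_RSH "/usr/bin/rsh"

/* Non-zero while the effective uid/gid differ from the real ones, i.e. while
   a setuid-root installation still has its elevated privileges in effect. */
int is_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Permanently give up setuid-root privileges. Group first, then user: once
   setuid() has run, a non-root process can no longer change its gid. The
   result is checked rather than assumed, because a silently failed drop
   followed by an exec is exactly the hole described in the article.
   Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* A real drop cannot be undone: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Decide which remote-shell program to run. Policy of this example (an
   assumption, not cdrecord's code): an RSH override from the environment is
   honoured only once no elevated privileges remain. */
const char *choose_rsh(int privileged, const char *env_rsh)
{
    if (!privileged && env_rsh != NULL && env_rsh[0] != '\0')
        return env_rsh;
    return DEFAULT_RSH;
}

/* Launch the remote helper as the invoking user. Privileged work (locking
   buffers, real-time scheduling, opening the local device) belongs before
   this call; the drop happens before the environment is read, so a
   user-supplied program can never start as root. Returns only on failure. */
int run_remote_helper(const char *host, const char *remote_cmd)
{
    if (drop_privileges() != 0)
        return -1;
    const char *rsh = choose_rsh(is_privileged(), getenv("RSH"));
    execlp(rsh, rsh, host, remote_cmd, (char *)NULL);
    perror("execlp");
    return -1;
}

int main(void)
{
    /* Demonstration only: no device and no network, just the decision points. */
    printf("privileged before drop: %d\n", is_privileged());
    printf("drop_privileges: %d\n", drop_privileges());
    printf("helper without RSH set: %s\n", choose_rsh(is_privileged(), NULL));
    return 0;
}
```

Run as an ordinary user the program reports that nothing was privileged to begin with; the path that matters is a setuid-root install, where drop_privileges() must succeed before RSH is ever looked at, and a failed drop aborts instead of carrying on with root.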
Other means for allowing non-root users to
burn CDs do exist, but they are less secure, according to Jörg:
What some people did (chmod on /dev/ entries) was definitely always a bigger
security risk than running cdrecord suid root.
Another alternative, which is used by some distribution vendors (notably
Red Hat and SuSE), is to disallow non-root users from burning CDs; clearly this
is the most secure choice, but can be inconvenient for users and
system administrators. Many administrators and some CD burning front-end programs override
this choice; in this case, doing so could open a large security hole that
may not be patched by the distribution. To avoid this possibility, some distributions have issued
cdrecord updates even though they do not install the program in a setuid
mode; see the LWN vulnerability
entry for the current list.
Jörg has fixed this bug in the most recent version of his cdrtools
package (2.01a38, available from his
cdrecord page).
The announcements for the new releases from the Mozilla project discussed
new features at length, but were silent on one other point: those releases
include fixes for a number of security vulnerabilities, some of which can
lead to remote code execution. See this list of fixed vulnerabilities for several good reasons to upgrade.
New vulnerabilities
apache2: IPv6 denial of service
| Package(s): | httpd apache2 |
| CVE #(s): | CAN-2004-0747, CAN-2004-0751, CAN-2004-0786, CAN-2004-0809 |
| Created: | September 15, 2004 |
| Updated: | October 6, 2004 |
| Description: | Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux. |
| Alerts: | |
cups: denial of service
| Package(s): | cups cupsys |
| CVE #(s): | CAN-2004-0558 |
| Created: | September 15, 2004 |
| Updated: | October 14, 2004 |
| Description: | Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port. |
| Alerts: | |
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
OpenOffice: information disclosure
| Package(s): | openoffice.org |
| CVE #(s): | CAN-2004-0752 |
| Created: | September 15, 2004 |
| Updated: | October 20, 2004 |
| Description: | OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files. |
| Alerts: | |
Comments (none posted)
Samba: Denial of Service vulnerabilities
| Package(s): | samba |
| CVE #(s): | CAN-2004-0807, CAN-2004-0808 |
| Created: | September 13, 2004 |
| Updated: | September 22, 2004 |
| Description: | There is a defect in smbd's ASN.1 parsing. A bad packet received during the authentication request could throw newly-spawned smbd processes into an infinite loop (CAN-2004-0807). Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process (CAN-2004-0808). See this advisory for details. |
Comments (none posted)
SUS 2.0.2 local root vulnerability
| Package(s): | SUS |
| CVE #(s): | |
| Created: | September 14, 2004 |
| Updated: | September 15, 2004 |
| Description: | SUS is a suid root program that allows ordinary users to execute certain programs with superuser privileges. SUS is run by default as setuid root. A simple format string bug in the log() function allows any local user to gain root privileges. See this BugTraq advisory for more information. |
Comments (none posted)
Webmin, Usermin: Multiple vulnerabilities in Usermin
| Package(s): | webmin usermin |
| CVE #(s): | CAN-2004-0559 |
| Created: | September 13, 2004 |
| Updated: | September 23, 2004 |
| Description: | There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without properly checking if it exists first. The first vulnerability allows a remote attacker to inject arbitrary shell code in a specially-crafted e-mail. This could lead to remote code execution with the privileges of the user running Webmin or Usermin. The second could allow local users who know Webmin or Usermin is going to be installed to have arbitrary files be overwritten by creating a symlink by the name /tmp/.webmin that points to some target file, e.g. /etc/passwd. |
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: | A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. |
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
Comments (none posted)
eGroupWare: cross site scripting vulnerabilities in modules
| Package(s): | egroupware |
| CVE #(s): | |
| Created: | September 2, 2004 |
| Updated: | September 8, 2004 |
| Description: | eGroupWare has multiple vulnerabilities in the calendar, address book, messenger and ticket modules. An attacker can potentially execute script code and compromise the victim's browser. |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0500 |
| Created: | August 12, 2004 |
| Updated: | October 18, 2004 |
| Description: | The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions. |
Comments (none posted)
gallery: temp file vulnerability in upload code
| Package(s): | gallery |
| CVE #(s): | |
| Created: | September 2, 2004 |
| Updated: | September 8, 2004 |
| Description: | Gallery has a vulnerability with temp file handling in the upload code. An attacker can run arbitrary code as the user running PHP. |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
Comments (1 posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
Comments (none posted)
httpd: mod_ssl input filter denial of service vulnerability
| Package(s): | httpd |
| CVE #(s): | CAN-2004-0748 |
| Created: | September 2, 2004 |
| Updated: | September 23, 2004 |
| Description: | Apache httpd has a denial of service vulnerability in mod_ssl in which an attacker can force an SSL connection to abort, resulting in the Apache child process entering an infinite loop. This affects httpd versions up to and including 2.0.50. |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
Comments (none posted)
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
| CVE #(s): | CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746 |
| Created: | August 12, 2004 |
| Updated: | October 4, 2004 |
| Description: | Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country specific secondary top level domains. |
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS. |
Comments (none posted)
kernel information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0415 |
| Created: | August 3, 2004 |
| Updated: | October 26, 2004 |
| Description: | Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7. A fix for this problem was added to the fifth 2.4.27 release candidate. |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net |
Comments (none posted)
krb5: double-free and ASN.1 parsing
| Package(s): | krb5 |
| CVE #(s): | CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772 |
| Created: | August 31, 2004 |
| Updated: | September 21, 2004 |
| Description: | Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. See CAN-2004-0644. See this CERT advisory for additional information. |
Comments (none posted)
lha: stack-based buffer overflow
| Package(s): | lha |
| CVE #(s): | CAN-2004-0769, CAN-2004-0771, CAN-2004-0694, CAN-2004-0745 |
| Created: | September 2, 2004 |
| Updated: | October 14, 2004 |
| Description: | The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive. |
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
| CVE #(s): | CAN-2004-0494 |
| Created: | September 2, 2004 |
| Updated: | January 5, 2005 |
| Description: | Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts. |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability was not fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
Comments (none posted)
multi-gnome-terminal: Information leak
| Package(s): | multi-gnome-terminal |
| CVE #(s): | |
| Created: | September 6, 2004 |
| Updated: | September 8, 2004 |
| Description: | multi-gnome-terminal contains debugging code that has been known to output active keystrokes to a potentially unsafe location. Output has been seen to show up in the '.xsession-errors' file in the user's home directory. Since this file is world-readable on many machines, this bug has the potential to leak sensitive information to anyone using the system. Any authorized user on the local machine has the ability to read any critical data that has been entered into the terminal, including passwords. |
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: | The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
| CVE #(s): | CAN-2004-0456 |
| Created: | June 30, 2004 |
| Updated: | November 11, 2004 |
| Description: | Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: | Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not). |
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
| CVE #(s): | |
| Created: | August 5, 2004 |
| Updated: | October 28, 2004 |
| Description: | PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client. |
Comments (none posted)
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
| CVE #(s): | CAN-2004-0691, CAN-2004-0692, CAN-2004-0693 |
| Created: | August 19, 2004 |
| Updated: | May 15, 2005 |
| Description: | A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
| CVE #(s): | CAN-2004-0792 |
| Created: | August 16, 2004 |
| Updated: | November 1, 2004 |
| Description: | This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written. |
Comments (none posted)
ruby: insecure file permissions
| Package(s): | ruby |
| CVE #(s): | CAN-2004-0755 |
| Created: | August 16, 2004 |
| Updated: | October 14, 2004 |
| Description: | Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the webserver to take over a session. |
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
| CVE #(s): | CAN-2004-0557 |
| Created: | July 28, 2004 |
| Updated: | February 21, 2005 |
| Description: | Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
| CVE #(s): | CAN-2004-0796 |
| Created: | August 9, 2004 |
| Updated: | August 11, 2005 |
| Description: | SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service. |
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
| CVE #(s): | CAN-2004-0541 |
| Created: | June 9, 2004 |
| Updated: | September 30, 2004 |
| Description: | The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2004-0519, CAN-2004-0520, CAN-2004-0521 |
| Created: | May 21, 2004 |
| Updated: | October 4, 2004 |
| Description: | Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string. |
Comments (none posted)
star: failure to drop privilege
| Package(s): | star |
| CVE #(s): | |
| Created: | September 8, 2004 |
| Updated: | September 8, 2004 |
| Description: | Versions of star prior to 1.5alpha46 suffer from a failure to drop privileges which can lead to a local root exploit. |
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0413 |
| Created: | June 11, 2004 |
| Updated: | March 7, 2005 |
| Description: | Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information. |
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
Comments (1 posted)
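The two path-handling entries above (the tar/unzip "../" filter and the rsync note about leading slashes surviving a single sanitizing pass) describe the same defensive requirement on an extractor. The following is an added example, not code from tar, unzip or rsync: a member-name sanitizer that strips every leading slash, drops "." and empty components, and rejects any ".." component outright, exercised on constructed archive member names.

```c
/* Added example (not tar's, unzip's or rsync's own code): sanitize an archive
 * member name before creating anything on disk.  Inputs below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the sanitized form of name into out (size outsz).  Returns 0 when
 * extraction under the current directory is safe, -1 when the name must be
 * rejected: a ".." component, nothing left after stripping, or no room. */
int sanitize_member_name(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = name;

    /* Strip every leading slash in one loop.  A sanitizer that removes only
     * one (and is not called a second time) turns "//etc/passwd" into an
     * absolute path again, which is the class of bug the rsync note describes. */
    while (*p == '/')
        p++;

    while (*p) {
        const char *end = strchr(p, '/');               /* end of component */
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;                                  /* ".." escapes the target dir */

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty component (from "//") or ".": contributes nothing */
        } else {
            if (o + len + 2 > outsz)                    /* '/' + component + NUL */
                return -1;
            if (o)
                out[o++] = '/';
            memcpy(out + o, p, len);
            o += len;
        }
        p = end ? end + 1 : p + len;
    }

    if (o == 0)
        return -1;                                      /* nothing to extract */
    out[o] = '\0';
    return 0;
}

/* Helper for callers and tests: 1 if name sanitizes to expected, 0 if it is
 * rejected, -1 if it is accepted but with a different result. */
int member_sanitizes_to(const char *name, const char *expected)
{
    char buf[256];

    if (sanitize_member_name(name, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0 ? 1 : -1;
}

int main(void)
{
    /* Constructed member names of the kinds the advisories talk about. */
    static const char *const names[] = {
        "etc/passwd", "/etc/passwd", "//etc/passwd", "./foo//bar/",
        "../etc/passwd", "foo/../../etc/passwd", "..foo/bar", "",
    };
    char buf[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (sanitize_member_name(names[i], buf, sizeof buf) == 0)
            printf("%-24s -> extract as %s\n", names[i], buf);
        else
            printf("%-24s -> REJECTED\n", names[i]);
    }
    return 0;
}
```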
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
| CVE #(s): | CAN-2004-0183, CAN-2004-0184 |
| Created: | March 30, 2004 |
| Updated: | September 30, 2004 |
| Description: | TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory. |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
| CVE #(s): | CAN-2004-0645 |
| Created: | July 14, 2004 |
| Updated: | February 10, 2005 |
| Description: | wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 15, 2005 |
| Description: | XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client. |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
Comments (none posted)
xv: image handling buffer overflows
| Package(s): | xv |
| CVE #(s): | CAN-2004-0802 |
| Created: | September 3, 2004 |
| Updated: | September 8, 2004 |
| Description: | According to this BugTraq advisory xv contains at least 5 exploitable buffer and heap overflows in the image handling code. |
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: | Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for September is out. Covered
topics include Beyond Fear, travel security, olympic security, and
the attacks against MD5 and SHA. "The techniques described by the
researchers are likely to have other applications, and we'll be better
able to design secure systems as a result. This is how the science of
cryptography advances: we learn how to design new algorithms by breaking
other algorithms. Additionally, algorithms from the NSA are considered a
sort of alien technology: they come from a superior race with no
explanations. Any successful cryptanalysis against an NSA algorithm is an
interesting data point in the eternal question of how good they really
are in there."
Full Story (comments: 5)
CERT has gone through its annual PGP key change; click below for the new
public key.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
The current 2.6 prepatch is 2.6.9-rc2,
announced by Linus on September 13.
There is a lot of new stuff in this release, including some infrastructure
for catching illegal use of I/O memory addresses (see below), the
NETIF_F_LLTX
interface feature flag (discussed in
last
week's Kernel Page), the removal of the ancient, unused "busmouse"
driver, infrastructure for cluster-wide file locking, a number of DRM
subsystem cleanups, the
out-of-line spinlock
patch, AMD dual-core support, more filesystem conversions to the new
symbolic link resolution code (which will eventually allow an increase in
the maximum link depth), a new
waitid() system call implementing
the POSIX call by the same name, a "fake NUMA" mode for x86-64 testing, a
small-footprint tmpfs implementation, the base
KProbes patch, a
set of IDE updates, support for scheduler profiling (seeing where context
switches come from), automatic TCP window scaling calculation, a kobject
change (it uses kref now), a USB gadget interface update with "On The Go"
support, a big ALSA update, the removal of the Philips webcam driver,
numerous network driver updates, some random number generator fixes, a fix
for the audio CD writing memory leak, some VFS interface improvements,
executable support in hugetlb mappings, the Whirlpool digest algorithm,
some virtual memory tweaks, a number of asynchronous I/O fixes and
improvements, a User-mode Linux update, the "flex mmap" user-space memory
layout (covered here
last
June), a number of scheduler tweaks, the removal of the very last
suser() call, and lots of fixes. See
the long-format changelog for the details.
Linus's BitKeeper repository contains the "string" I/O memory access
functions, support for more than eight partitions on BSD-labeled disks,
some User-mode Linux cleanups, a tunable "max sectors" limit for block I/O
requests (a latency reduction feature), a new prctl() option
allowing programs to change their name, some shared memory scalability
improvements, and a change in TCP ICMP source quench behavior (such
messages are simply ignored now).
The current prepatch from Andrew Morton is 2.6.9-rc1-mm5. Recent additions to -mm
include some software suspend improvements, the return of a functioning
lockmeter patch, some ext3 reservation improvements, some scheduler tweaks,
a completely reworked "completely fair queueing" I/O scheduler, and
implementations of atomic_inc_return() for various architectures.
The current 2.4 prepatch is 2.4.28-pre3, which was released by Marcelo on September 11.
This patch is mainly "a bunch of scattered fixes"; there is also the
Whirlpool digest algorithm, and an XFS update.
Comments (1 posted)
Kernel development news
What makes you think kernel developers have a deep understanding of
the value of connectivity in the OS? They don't. The average kernel
developer is not particularly bright.
-- Hans Reiser.
But hey, the fact that I have better taste than anybody else in the
universe is just something I have to live with. It's not easy being
me.
-- Linus Torvalds.
Comments (5 posted)
We managed to pull together a bit of time to hack on the LWN site code over
the last week. The result is the
LWN Kernel Page
index, which can be used to find LWN's kernel-oriented articles for a
given topic. This mechanism will probably be extended to other parts of
LWN's content in the future.
As of this writing, all articles published in 2004 have been indexed;
earlier articles will be added as time permits. We'll also fix the
case-sensitive sorting when we get a chance. Even without that, however,
we hope that the new index will be helpful.
Comments (4 posted)
Most reasonably current cards for the PCI bus (and others) provide one or
more I/O memory regions to the bus. By accessing those regions, the
processor can communicate with the peripheral and make things happen. A
look at /proc/iomem will show the I/O memory regions which have
been registered on a given system.
To work with an I/O memory region, a driver is supposed to map that region
with a call to ioremap(). The return value from
ioremap() is a magic cookie which can be passed to a set of
accessor functions (with names like readb() or writel())
to actually move data to or from the I/O memory. On some architectures
(notably x86), I/O memory is truly mapped into the kernel's memory space,
so those accessor functions turn into a straightforward pointer
dereference. Other architectures require more complicated operations.
There have been some longstanding problems with this scheme. Drivers
written for the x86 architecture have often been known to simply
dereference I/O memory addresses directly, rather than using the accessor
functions. That approach works on the x86, but breaks on other
architectures. Other drivers, knowing that I/O memory addresses are not
real pointers, store them in integer variables; that works until they
run on a 64-bit system, where the cookie no longer fits into a 32-bit
integer. And, in any case, readb() and friends perform no type
checking, and thus fail to catch errors which could be found at compile
time.
The 2.6.9 kernel will contain a series of changes designed to improve how
the kernel works with I/O memory. The first of these is a new
__iomem annotation used to mark pointers to I/O memory. These
annotations work much like the __user markers, except that they
reference a different address space. As with __user, the
__iomem marker serves a documentation role in the kernel code; it
is ignored by the compiler. When checking the code with sparse,
however, developers will see a whole new set of warnings caused by code
which mixes normal pointers with __iomem pointers, or which
dereferences those pointers.
The next step is the addition of a new set of accessor functions which
explicitly require a pointer argument. These functions are:
unsigned int ioread8(void __iomem *addr);
unsigned int ioread16(void __iomem *addr);
unsigned int ioread32(void __iomem *addr);
void iowrite8(u8 value, void __iomem *addr);
void iowrite16(u16 value, void __iomem *addr);
void iowrite32(u32 value, void __iomem *addr);
By default, these functions are simply wrappers around readb() and
friends. The explicit pointer type for the argument will generate
warnings, however, if a driver passes in an integer type.
There are "string" versions of these operations:
extern void ioread8_rep(void __iomem *port, void *buf,
unsigned long count);
All of the other variants are defined as well, of course.
There is actually one other twist to these functions. Some drivers have to
be able to use either I/O memory or I/O ports, depending on the
architecture and the device. Some such drivers have gone to considerable
lengths to try to avoid duplicating code in those two cases. With the new
accessors, a driver which finds it needs to work with x86-style ports can
call:
void __iomem *ioport_map(unsigned long port, unsigned int count);
The return value will be a cookie which allows the mapped ports to be
treated as if they were I/O memory; functions like ioread8() will
automatically do the right thing. For PCI devices, there is a new
function:
void __iomem *pci_iomap(struct pci_dev *dev, int base,
unsigned long maxlen);
Here base names one of the device's base address registers (BARs); the
function checks whether that BAR describes I/O ports or I/O memory and
maps it accordingly, so the driver gets a usable cookie either way.
As of 2.6.9-rc2, there are no in-tree users of the new interface. That can
be expected to change soon as patches get merged and the kernel janitors
get to work. For more information on the new I/O memory interface and the
motivation behind it, see this explanation from
Linus.
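To make the cookie trick concrete, here is an added userspace model of the scheme. It is this article's own example, not kernel code and not Linus's patch: ioremap() and ioport_map() both hand back a void __iomem * cookie, ioread8() and friends dispatch on the cookie's value, and a single driver routine serves a device whether its registers live in I/O memory or in port space. The cookie encoding follows the generic lib/iomap.c dispatch, but the constants and every sim_-prefixed name are assumptions made for the model, and the two byte arrays are constructed stand-ins for hardware.

```c
/*
 * Added example for this article, not kernel code: a userspace model
 * of the new ioread*()/iowrite*() accessors and the cookies behind
 * them.  Two byte arrays stand in for a device's memory-mapped
 * registers and for x86 port space.  The cookie encoding (ports sit
 * below PIO_RESERVED, MMIO at a fake MMIO_BASE) follows the kernel's
 * generic lib/iomap.c dispatch; the constants and the sim_-prefixed
 * names are this example's own assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The kernel's own definition: sparse sees an address-space attribute
 * and warns on "*regs" or on mixing with plain pointers; gcc sees
 * nothing. */
#ifdef __CHECKER__
# define __iomem __attribute__((noderef, address_space(2)))
#else
# define __iomem
#endif

#define PIO_OFFSET   0x10000UL   /* ioport_map() cookie = port + PIO_OFFSET */
#define PIO_MASK     0x0ffffUL
#define PIO_RESERVED 0x40000UL   /* cookies below this are ports */
#define MMIO_BASE    0x100000UL  /* fake bus address of the MMIO window */

static uint8_t sim_ports[PIO_MASK + 1];   /* constructed port space */
static uint8_t sim_mmio[256];             /* constructed MMIO registers */

/* What inb()/outb() and readb()/writeb() are on x86. */
static uint8_t sim_inb(unsigned long port)          { return sim_ports[port]; }
static void sim_outb(uint8_t v, unsigned long port) { sim_ports[port] = v; }
static uint8_t sim_readb(const void __iomem *a)
{ return sim_mmio[(unsigned long)a - MMIO_BASE]; }
static void sim_writeb(uint8_t v, void __iomem *a)
{ sim_mmio[(unsigned long)a - MMIO_BASE] = v; }

/* ioremap() and ioport_map() hand back cookies of the same type. */
static void __iomem *sim_ioremap(unsigned long off, unsigned long len)
{
    return off + len > sizeof(sim_mmio) ? NULL : (void __iomem *)(MMIO_BASE + off);
}
static void __iomem *sim_ioport_map(unsigned long port, unsigned int count)
{
    return port + count > PIO_MASK + 1 ? NULL : (void __iomem *)(port + PIO_OFFSET);
}

/* Dispatch on the cookie; this is what lets one driver path serve both. */
#define IO_COND(addr, is_pio, is_mmio) do {                          \
    unsigned long port = (unsigned long)(addr);                       \
    if (port < PIO_RESERVED) { port &= PIO_MASK; is_pio; }            \
    else { is_mmio; }                                                 \
} while (0)

static unsigned int sim_ioread8(const void __iomem *addr)
{
    IO_COND(addr, return sim_inb(port), return sim_readb(addr));
    return 0xff;   /* not reached */
}
static void sim_iowrite8(uint8_t v, void __iomem *addr)
{
    IO_COND(addr, sim_outb(v, port), sim_writeb(v, addr));
}
/* Little-endian like the PCI bus, so the value is host-independent. */
static unsigned int sim_ioread32(const void __iomem *addr)
{
    unsigned int v = 0;
    for (unsigned i = 0; i < 4; i++)
        v |= sim_ioread8((const char __iomem *)addr + i) << (8 * i);
    return v;
}
static void sim_iowrite32(uint32_t v, void __iomem *addr)
{
    for (unsigned i = 0; i < 4; i++)
        sim_iowrite8((uint8_t)(v >> (8 * i)), (char __iomem *)addr + i);
}

/* Driver code that neither knows nor cares which space it lives in:
 * write a "reset" command to register 0, read status from register 4.
 * Had regs been declared "unsigned int", the accessor calls would draw
 * a warning from gcc and from sparse, which is the point of the type. */
static unsigned int reset_and_status(void __iomem *regs)
{
    sim_iowrite32(0x1, regs);
    return sim_ioread32((char __iomem *)regs + 4);
}

/* Map a constructed device in one space, latch a status word into its
 * register 4 and run the driver path; returns what the driver read. */
static unsigned int sim_exercise(int use_ports, uint32_t status)
{
    void __iomem *regs = use_ports ? sim_ioport_map(0x3f8, 8)
                                   : sim_ioremap(0x10, 8);
    if (!regs)
        return 0;
    sim_iowrite32(status, (char __iomem *)regs + 4);
    return reset_and_status(regs);
}

int main(void)
{
    printf("MMIO device: status %#x\n", sim_exercise(0, 0xdeadbeef));
    printf("port device: status %#x, command byte at port 0x3f8 = %#x\n",
           sim_exercise(1, 0xcafe0001), sim_inb(0x3f8));
    return 0;
}
```

Compile it under sparse (cgcc) and the __iomem annotation comes alive: rewriting reset_and_status() to dereference regs directly, or to take an unsigned long, produces the kind of warnings the article describes, while gcc alone only objects to the integer argument. The model leaves out what real accessors also do (memory barriers, volatile semantics on the bus), so it shows the typing and the dispatch, not the hardware ordering rules.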
The removal of the Philips webcam driver from the kernel set off a long and
sometimes inflammatory discussion. Its return has, instead, been greeted
with almost total silence. Once people take a look, however, they might
see something worth yelling about.
The new maintainer is Luc Saillard. He has posted a patch which restores the PWC driver to the
kernel, but without the problematic hook for the proprietary compression
module. As an added bonus, the driver can deal with compressed streams
from some cameras (those using chipsets 2 or 3), in some modes. Work still
needs to be done for chipset 1 and the Bayer mode.
The final result is yet to be seen, but it would appear that the whole PWC
episode is heading toward a best-case conclusion: a 100% free driver. It
would be hard to see that outcome as anything but a good thing.
Much of the latency reduction work spearheaded by Ingo Molnar is reaching a
state of completion; a lengthy set of patches has been posted which breaks
up long lock hold times and adds "voluntary preemption" points at strategic
places. With these patches in place, most of the worst latency problems in
the 2.6 kernel have been addressed, even when kernel preemption is not
enabled. That is good news for multimedia users and others who feel that
their needs have been passed over in the 2.5/2.6 development period.
One issue remains, however: there are some old parts of the kernel which
still rely on the Big Kernel Lock (BKL) for mutual exclusion. Code which
uses the BKL is not performance critical itself (all such uses have been
fixed for a while). But the BKL is a lock, and code which holds the BKL
will not be preempted. That can mean long latencies if a code path holds
the BKL for a long time - and there are a few such paths.
Interest in eradicating use of the BKL has waned in the last year or two,
for a few reasons. Any code whose performance was seriously impacted
by the BKL has been fixed. And, perhaps more to the point, much of the
remaining code is ancient, crufty, and brittle. Finally, as Alan Cox (who
holds the dubious fame of having created the BKL) points out, the BKL is not a traditional lock:
The BKL turns on old style unix non-pre-emptive semantics between
all code that is within lock_kernel sections, that is it. That also
makes it hard to clean up because lock_kernel is delimiting code
properties (it's essentially almost a function attribute) and
spin_lock/down/up and friends are real locks and lock data.
Fixing the remaining code is not an exercise for the timid. In most cases,
the prudent course has been to simply leave things alone. The latency
problem may just force this issue, however; by increasing latency,
BKL-protected code is harming the higher-performance parts of the kernel.
The BKL has one very interesting property which distinguishes it from an
ordinary spinlock: code holding the BKL can call schedule() at any
time. When that happens, the kernel releases the lock until the scheduling
thread is returned to the processor. If code holding the lock can
schedule, it ought to be preemptible as well - at least under some
circumstances.
Ingo Molnar has decided to mitigate the BKL problem by turning it into the
Big Kernel Semaphore. As seen in his patch, the BKS is a special sort of
semaphore; it is recursive (as is
the BKL), and it is released when the thread holding it voluntarily
schedules. The key difference from the BKL, however, is that a process
holding the BKS can be preempted - but the semaphore is not released in
that case. So code which uses lock_kernel() is still protected
against other such code, just like it is now. But that code can be
preempted (as long as it does not take any spinlocks). That change should
be sufficient to address the latency problems caused by long BKL hold
times.
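The semantics above are easier to see in code than in prose, so here is an added single-threaded model of them. It is this article's own example, not Ingo's patch and not kernel code: "tasks" are plain structs, a context switch is an explicit call, and a preemption and a voluntary schedule() are therefore distinguishable exactly. The per-task lock_depth bookkeeping follows how lock_kernel() and unlock_kernel() nest in 2.6; everything with a sim_ prefix, and the non-blocking bks_down() that reports "would sleep" instead of sleeping, is an assumption made for the model.

```c
/*
 * Added example for this article: a single-threaded, cooperative model
 * of the Big Kernel Semaphore semantics.  Not Ingo's patch and not
 * kernel code; the sim_ names and the non-blocking bks_down() are this
 * example's own assumptions.
 */
#include <stdio.h>

struct task {
    const char *name;
    int lock_depth;   /* -1: outside lock_kernel(); n >= 0: nested n+1 deep */
};

static struct task sim_a = { "A", -1 };
static struct task sim_b = { "B", -1 };
static struct task *current = &sim_a;   /* the task on the (one) CPU */
static struct task *bks_owner;          /* who holds the semaphore */

static void sim_reset(void)
{
    sim_a.lock_depth = sim_b.lock_depth = -1;
    bks_owner = NULL;
    current = &sim_a;
}

/* Model of down()/up(): where a real semaphore would sleep, bks_down()
 * reports failure instead, so the caller can be asked "would you have
 * blocked here?" */
static int bks_down(struct task *t)
{
    if (bks_owner && bks_owner != t)
        return 0;
    bks_owner = t;
    return 1;
}

static void bks_up(struct task *t)
{
    if (bks_owner == t)
        bks_owner = NULL;
}

/* lock_kernel(): recursive.  Only the outermost entry touches the
 * semaphore; inner ones just bump the depth.  Returns 0 if the task
 * would have had to sleep. */
static int sim_lock_kernel(void)
{
    if (current->lock_depth < 0 && !bks_down(current))
        return 0;
    current->lock_depth++;
    return 1;
}

/* unlock_kernel(): release only when the outermost section ends.
 * Returns the remaining depth (-1 once the semaphore is dropped). */
static int sim_unlock_kernel(void)
{
    if (current->lock_depth >= 0 && --current->lock_depth < 0)
        bks_up(current);
    return current->lock_depth;
}

/*
 * Context switch.  On a voluntary schedule() the outgoing holder drops
 * the BKS; on a preemption it keeps it.  Either way, an incoming task
 * that is inside lock_kernel() must own the semaphore before it runs
 * again; 0 means it would have to wait for the holder.
 */
static int sim_switch_to(struct task *next, int voluntary)
{
    struct task *prev = current;

    if (voluntary && prev->lock_depth >= 0)
        bks_up(prev);
    current = next;
    if (next->lock_depth >= 0)
        return bks_down(next);
    return 1;
}

static const char *sim_owner_name(void)
{
    return bks_owner ? bks_owner->name : "nobody";
}

int main(void)
{
    sim_reset();
    sim_lock_kernel();                 /* A enters BKL-protected code */
    sim_lock_kernel();                 /* ... and nests once more */
    sim_switch_to(&sim_b, 0);          /* A is preempted by B: BKS kept */
    printf("after preemption: lock_kernel() for B %s, owner %s\n",
           sim_lock_kernel() ? "succeeds" : "would sleep", sim_owner_name());
    sim_switch_to(&sim_a, 1);          /* B, not a holder, schedules back */
    sim_switch_to(&sim_b, 1);          /* A schedules voluntarily: BKS dropped */
    printf("after schedule(): lock_kernel() for B %s, owner %s\n",
           sim_lock_kernel() ? "succeeds" : "would sleep", sim_owner_name());
    sim_switch_to(&sim_a, 1);          /* B schedules: A reacquires, depth kept */
    printf("back on A: owner %s, depth %d\n", sim_owner_name(), sim_a.lock_depth);
    return 0;
}
```

The run shows the two properties the text describes side by side: after the preemption B's lock_kernel() would sleep because A still owns the semaphore, so BKL-protected code stays mutually exclusive; after A's voluntary schedule() B gets in, and A comes back to the same nesting depth it left with. What the model does not cover is the condition Ingo attaches to preemption, that the holder must not be inside a spinlock; with a spinlock held, preemption is disabled anyway and none of the sim_switch_to(..., 0) paths would be reachable.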
Whether this patch will be accepted remains to be seen. Linus doesn't like it, but Ingo has reasonable responses to his objections.
Including Ingo's patch would mitigate the current problems caused by the
BKL, which may have an undesirable effect: once again, there will be little
motivation to truly fix users of the BKL. Some developers may prefer to
simply bite the bullet and eliminate those final BKL users for real.
Page editor: Jonathan Corbet
Distributions
News and Editorials
With so many new Linux distributions being launched every month, you
will be forgiven for giving most of them nothing but a passing glance.
Usually based on Debian GNU/Linux or Fedora Core, they often provide
little new besides a different application set and a pretty wallpaper
on the otherwise standard KDE or GNOME, or less commonly, Xfce or
Fluxbox desktops. That said, every once in a while there is a new
distribution that makes an honest effort to depart from the standard
fare. One of them is Rocklyte Systems' Athene, a new commercial
Linux distribution from New Zealand.
Three notable characteristics differentiate Athene from other Linux
distributions: fast boot times, integration of the SNAP Graphics
technology (in place of XFree86 or X.org), and the desktop look and
feel. The boot times are impressive - on this author's 1.6 GHz Pentium
4 machine it took 32 seconds to get from GRUB to Athene's graphical
login prompt and another 1 - 2 seconds to get to the full graphical
desktop, ready for user input. Shutdown times were equally striking,
with about 11 seconds needed to halt the system.
SciTech SNAP Graphics is a commercial cross-platform driver architecture,
originally developed for OS/2 and DOS, but now also supporting Windows
and Linux. The major advantages of SNAP over XFree86 or X.org are ease
of installation and auto-configuration of most graphics cards,
including many of the latest NVIDIA and ATI cards. The company's web
site also claims substantial speed achievements and provides benchmarks
to prove them. However, a noteworthy disadvantage of SNAP is its lack
of support for the XVideo extension and GL direct rendering, which
makes it less acceptable on the home desktop market where video
playback and gaming represent a fairly common PC usage. But the low
cost of support and maintenance might make the $20 SNAP (trial editions
are available for download) an adequate solution for many businesses.
Athene's desktop environment is unlike anything else on the market. It
comes in three themes: Wintel, Indigo and Omega Workbench, each of which
has been developed by Rocklyte Systems.
They contribute towards that pleasant feeling of novelty and excitement
that normally accompanies any new purchase. The desktop is complemented
by a central configuration utility designed to perform basic tasks,
such as desktop and system configuration, as well as installation and
removal of applications from the system. Then there is a custom file
manager, a custom media player, a custom text editor, a custom picture
viewer, etc., but otherwise the available applications set is very
limited - perhaps on par with MS Windows, but certainly a lot scantier
than what one finds on a 4-CD Fedora Core set.
The good news is that the installation CD contains additional
applications in binary format to complement the Athene OS. Both Qt and
GTK+ libraries are available, together with many of the best open
source applications that make use of these libraries. Almost all of
KDE, including KOffice, are on the CD, as well as the GIMP,
OpenOffice.org, Firefox, and MPlayer - just to name a few of the more
interesting software packages. Development tools are available too and
menu entries are automatically populated with icons upon installation.
Because of these extra packages, Athene can be easily turned into a
full-featured desktop, ready for every-day use.
Unfortunately, the Athene OS is still in its infancy and as such, it has
unrefined edges, especially considering that the product seems to be
designed for non-technical persons. As an example, networking is not
configured during the initial installation. A quick trip to Athene's
forums revealed that the correct way to set up networking was to
install DHCP (available on the CD, but not installed by default), then
read the DHCP documentation to learn how to configure /etc/dhcpd.conf
and what to add to /etc/boot to bring networking up at boot. Hardly
something that your average aunt Tilly would be thrilled doing!
Furthermore, the creation of user accounts is not enforced during or
after installation; Athene seems content to provide a single root
account for everybody, so day-to-day desktop use happens as root.
There are usability issues that take the pleasure out of using some of
Athene's otherwise pretty-looking utilities. Take the application
installer, called QikInstall; it not only fails to auto-resolve
dependencies of installed applications (nowadays the only major
distribution that doesn't do this is Slackware), it merely displays the
name of the first immediate dependency. The user is then left to
navigate the application directories on the installation CD to find it!
Another problem is inconsistent interaction with icons throughout the
system - while the desktop icons require a single click to activate,
those in the file manager and QikInstall need a double click. Since
accidental double clicks are not detected, it is easy to end up with a
very messy desktop!
Overall though, Athene is an innovative and fun distribution, with speed
and stability as its most noticeable features. It is not difficult to
see how it could become a standard OS in some small company where most
work is accomplished in an office suite. Whereas users of RPM- or
DEB-based distributions could be tempted to install additional
applications and introduce potential instability into the system,
Athene's non-standard packaging and a limited set of applications
ensure that the operating system remains in its pristine and stable
state, thus reducing administration costs. If Rocklyte can fix a few
annoyances in Athene and design an effective marketing strategy, the
obvious talent of Athene's developers could be transformed into a
financial success for the entire company.
The Athene OS is available from Rocklyte Systems' online
store, starting at $47.95, while Athene's desktop component (to be
installed on top of an existing Windows or Linux installation) is
available as a free download from the distribution's download page.
Distribution News
The second beta of Progeny Debian 2.0 Developer Edition has been released.
Progeny Debian 2.0 DE is based on Debian sarge (with some components
derived from Debian sid) and includes features from Componentized Linux,
which the announcement lists.
Fedora Core has become a test bed for something called "Stateless Linux".
Stateless Linux aims to provide a "best of both worlds" hybrid between thin
and fat clients among other things. The project is still young, and
currently seeking some feedback, particularly from those who have gone
through the HOWTO. The complete announcement was posted to the
fedora-devel list.
Lycoris Desktop/LX has announced that it has commenced shipping
Desktop/LX 1.4 to customers. Desktop/LX 1.4 is now available in Personal,
Deluxe and PowerPak editions.
The Debian Weekly News for September 14, 2004 looks at the new Debian
GNU/Linux Desktop Survival Guide, the preparation of Sarge CD and DVD
images, using Debian in commercial environments, the GNOME 2.6 transition,
and more.
The release of Fedora Core 3 Test 2 has been delayed until September 20,
2004, according to the
schedule. Fedora
Legacy will begin supporting Fedora Core 1 after FC3t2 has been released.
Many packages have been upgraded in the
slackware-current tree, including cdrtools, dvd+rw-tools, mysql,
proftpd, reiserfsprogs, ccache, gdb, gnumeric, libpng, taglib, dnsmasq,
getmail, samba, imagemagick and gcc.
The DistroWatch Weekly for September 13, 2004 looks at release schedules
for Fedora, Mandrakelinux (both have slipped) and FreeBSD, and has several
other topics.
New Distributions
Ubuntu is a new, Debian-based distribution which features a "focused"
subset of packages, a six-month release cycle, and 18 months of promised
security support for each release. Despite the fact that it is new, Ubuntu
has just released the "4.10 preview." Features include GNOME 2.8 and a
single-CD installation process; the announcement has the details.
Klinux is a modified
version of Slackware Linux 9.1 with the Zipslack kernel. It can be
installed on a FAT 32 file system with any version of Windows (9x, NT,
2000, XP). It comes on one CD-ROM (563MB) and requires at least 2.5 GB of
free space on the hard drive. The drive does not need to be partitioned.
The system will be accessible from Windows, appearing to be another folder,
or you can run Linux by booting from a floppy. (Thanks to Sareei Alsareei)
Minor distribution updates
Devil-Linux v1.2-RC1 is available for download. The kernel has been
updated to 2.4.27 and many other programs have been updated as well; the
change log has the full list.
Fli4l has released v2.1.8. "Changes: The kernel is now patched with some parts of
grsecurity. More flexible boot handling was added, which should make it
possible to support more different boot media. Routers can be switched off
automatically if APM is supported. The packet filter has a more flexible
configuration. A new time server package using chrony was added. Support
for Fritz!Card DSL USB, Fritz!X USB, and Fritz!Card USB was added. There
are software updates and several bugfixes."
Quantian 0.5.9.4 adds more packages, including 50 new CRAN/BioConductor
packages for R, pcb, gpsim, gnucap, xcircuit, transcalc, xd3d, QtiPlot, the
Alliance VHDL and more; the announcement has the full list.
ThinTUX has released v0.17, adding support for the ThinTUX Terminal Server
Project (TTSP). TTSP allows an organization to use centralized server
based computing and thin clients. The system has support for server
autodiscovery, high availability, load sharing, single sign on, encryption,
hot desking, plug-and-work and central administration management.
Newsletters and articles of interest
IBM developerWorks installs Familiar Linux on an iPAQ. "Familiar is
available for download
in three distinct user flavors (a fourth, developer-only, flavor with no
GUI is also available). Each of these flavors consists of the same kernel
and base system but with different GUIs. The analogy in the desktop Linux
world is installing a distribution such as Red Hat or Mandrake and getting
a choice of desktop environments, such as KDE or GNOME. Indeed, once you
start to look at the options, you can see that the similarities to
different desktop environments run even deeper."
In this O'ReillyNet article the author describes one method of
installing FreeBSD-5.2.1-Release as a server for diskless clients.
"As I've confined myself to a single alternative, it's important to
lay out some conditions. First, the method here differs from the canonical
version in the way it uses rc files in the FreeBSD distribution. For
example, diskless stations won't put their file systems in virtual memory;
instead, they will use NFS to mount file systems as read-only (/ and /usr)
and read-and-write (/etc and /var)."
Distribution reviews
LinuxForums.org has a review of the latest Yoper Linux. "Yoper's claim to
fame is the speed at which it runs, out of the box. Yoper is a distro that
targets the desktop Linux user from a brand new convert to the legendary
guru. The latest release (2.1) improves upon the installer, making it more
user friendly and now includes non-destructive partitioning." (Thanks to
Jason Lambert)
Page editor: Rebecca Sobol
Development
Version 2.8 of the GNOME desktop was announced this week.
Released on schedule, to the day, it is the culmination of six months effort
by GNOME contributors around the world: hackers, documentors, usability and
accessibility specialists, translators, maintainers, sysadmins, companies,
artists, users and testers. Due to their hard work, we have another great
release to be proud of - thanks very much to every contributor!
The Release Notes
provide an overview of the current state of the project:
"GNOME runs on a variety of platforms, including GNU/Linux (commonly called Linux), Solaris, HP-UX, BSD and Apple's Darwin. GNOME includes powerful features such as world-class smooth text rendering, a first-class accessibility infrastructure, and a complete internationalization infrastructure that includes support for bi-directional text."
The What's New page details most of the improvements.
The GNOME file manager has numerous new capabilities. These include a new
standardized file-type system that adds KDE compatibility, default handlers,
and support for opening alternate applications. DNS-Based Service Discovery
allows network resources to be visible locally. CDs, DVDs, memory sticks,
and digital cameras are now automatically mounted. Multi-session CDs
are now supported.
The GNOME desktop has a new Glider theme which is "simple, smooth, and
aesthetically pleasing".
The GNOME control center adds a keyboard layout preview screen that
lights up when keys are pressed to show the key interpretations.
The GNOME Panel Applets have had several improvements.
The panel applet chooser application has been clarified.
The calendar now connects to the Evolution email client.
The network monitor adds support for wireless interfaces and features a
signal strength meter. The battery monitor has improved battery life
estimation and more visible warnings. The weather applet has support
for more locations.
GNOME 2.8 features several updated applications.
Version 2.0 of the Evolution integrated Email and Groupware client is
included. It adds support for Novell Groupwise and Microsoft Exchange,
S/MIME authentication and encryption, calendar improvements, offline IMAP
support, Usenet support, spam filtering, and user interface improvements.
The Epiphany web browser has numerous bookmark improvements, popup blocking,
an offline mode, and online calendar connectivity through Evolution.
System Administration improvements in GNOME 2.8 include a new VNC (virtual
network computing) client for remote desktop control.
The gnome system tools, network tools, and configuration editor have
undergone numerous improvements.
Improvements to the GNOME 2.8 Development Platform include an expanded
API and official language bindings for Python, C++, Java, and Perl.
Internationalization is improving in GNOME 2.8.
"GNOME 2.8 offers support for 40 languages (at least 80 percent of strings translated)."
For a visual tour of GNOME 2.8, take a look at some of the
user submitted screenshots.
In all, this looks like an exciting new GNOME release with many
usability improvements, and features that should make the average
desktop user happy. Congratulations to the GNOME developers!
System Applications
Database Software
Version 1.2 of Durus is available.
"Durus is a Python object database. It offers an easy way to
maintain a consistent persistent collection of Python object
instances used by one or more processes."
Changes include a new command line tool, a BTree class, and bug
fixes.
Version 0.1.3 of FlameRobin, a database administration tool for the
Firebird DBMS, is out.
Change information is somewhat sparse, the documentation in the
source code refers to a missing changes.txt file.
Version 1.2 Beta of pgAdmin III has been released. "Hot on the heels of the
PostgreSQL 8 betas, the first beta release of pgAdmin III, the popular
administration tool for PostgreSQL, has been released for testing." Several
bug fixes are included.
The September 13, 2004 PostgreSQL Weekly News is out with
information about the PostgreSQL 8.0 beta release and other database
news.
Version 3.3c1 of ZODB, the Zope Object DataBase, is available.
"3.3c1 incorporates a slew of small fixes, and one major incompatibility:
when a transaction commit fails, all previous versions of ZODB aborted the
transaction and implicitly began a new transaction. As discussed on the
zope-dev and zodb-dev mailing lists, that can be damaging if one in a
sequence of subtransaction commits mistakenly suppresses a commit exception."
Interoperability
Stable version 3.0.7 of Samba is out with some important security fixes.
"This is the latest stable release of Samba. This is the version
that production Samba servers should be running for all
current bug-fixes. There have been several important issues
fixed since the 3.0.6 release."
Libraries
Version 0.8.4 of liboggz, a C library for reading
and writing Ogg compressed audio files and streams, is out.
Changes include expanded --help output, valgrind test support,
a single packet network read test, and more.
Version 1.1.1 of libogg has been released. "Changes include several platform
and build fixes, documentation for multiplexed streams, and other goodies."
Version 2.8.0 of libxml++, a C++ wrapper for the libxml XML parser library,
is out. "This is the first stable release on the 2.8 branch."
Changes include code cleanup, bug fixes, and new
Validator and DtdValidator functionality.
Networking Tools
Jean-Luc Fontaine has announced version 19.0 of
Moodss,
a graphical monitoring application with plug-in support
for various operating systems, databases, and networking applications.
"This new release adds the capability to create mathematical
formulas f[r]om any module (locally or remotely monitoring), and use
the resulting data as any other, in graphical viewers, thresholds,
or archiving in database, ..."
Printing
Version 1.1.21 of CUPS, the Common UNIX Printing System,
is out.
"CUPS 1.1.21 is primarily a bug fix and performance tuning release and includes fixes for the IPP, LPD, parallel, serial, and USB backends, authentication and status processing issues in the CUPS API, and various PostScript and PDF printing issues. The new release also adds support for Zebra label printers and IPP device URI options."
Security
Version 1.2 of chroot_safe, a tool for replacing chroot and friends,
is available.
"Version 1.2 is an update to increase portability. The software is now
verified on Solaris in addition to Linux and FreeBSD and is expected to run
on mostly any UNIX like system with LD_PRELOAD support."
Web Site Development
Version 2.2.2 of ACal, a web-based event calendar, is available; one of the
two bugs it closes is an authentication bypass, so existing installations
should update. "ACal 2.2.2 was released to
fix two bugs. First of all a bug when clicking on single digit days in the
month view to get into the day view and second, a bug where after installing
you can login with a blank username and password."
Version 1.8.2 of Bricolage, a Perl-based web content management
system, is out.
"This maintenance release addresses quite a large
number of issues in Bricolage 1.8.1. The most important changes
were to enhance Unicode support in Bricolage. Bricolage now internally
handles all text content as UTF-8 strings, thus enabling templates
to better control the manipulation of multibyte characters.
Other changes include better performance for searches using
the ANY() operators and more intelligent transaction handling for
distribution jobs."
The September 1-10, 2004 edition of the
ZopeMag Weekly News
is online with the latest Zope and Plone articles.
Documentation
Chia-liang Kao uses svk to keep documentation in different languages in sync.
"If you've ever tried to write a document collaboratively, you know the pain
of tracking multiple edits. Programmers face the same difficulties with
source code, so why not borrow their version control solutions? Chia-liang
Kao demonstrates how to use svk, a distributed version control system, to
manage changes to translations and other collaborative documents."
Standards
The Free Standards Group and The Open Group have announced the readiness of
certification efforts for the Linux Standard Base 2.0 Specification (LSB
2.0). Developers can work with The Open Group on certifying their
applications to the global standard for Linux.
Miscellaneous
Version 1.0 of GNOME System Tools is available, changes include
numerous updated translations.
Version 1.17.0 of PIKT, the Problem Informant/Killer Tool, is out.
"PIKT is a cross-categorical, multi-purpose toolkit to monitor
and configure computer systems, organize system security, format
documents, assist command-line work, and perform other common
systems administration tasks."
Changes include support for new preprocessor directives,
a backup restore option, piktf: a configuration find utility,
command-line item macros, and bug fixes.
Desktop Applications
Audio Applications
Version 0.7 of Marlin, a sample editor, is out. Changes include a new
progress window icon, undo/redo functionality, bug fixes, and more.
Version 0.0.4 of Patchage, a modular patch bay for JACK audio with planned
ALSA sequencer capabilities, is out. Changes include some bug fixes.
Version 0.2.11 of qjackctl, the Qt GUI Interface to the JACK Audio
Connection Kit, is available. Changes include a fix for the
Input/Output channels settings and user control of a shiny display effect.
Version 0.2.5 of Timemachine, a JACK application for
recording sounds that have just happened, is out.
Changes include command line recording format and port selection, a new
desktop icon, and more.
Desktop Environments
The September 10, 2004 edition of the KDE CVS-Digest is online with the
following content summary: "Speedups in khtml javascript, Kate, Kmail and
Kcminit. Macros and headers added to compile Kdelibs on win32. UI Recovery
ToolKit (uirtk) improved. Support for building Smoke library on Mac OS X."
Version 2.8.5 of Metacity, a window manager for GNOME, is available.
"This is a stable release for Gnome 2.8. Only translations and some
new developer documentation were added since the last unstable release.
This release boasts improved standards-compliance and a number of bug
fixes since the last stable release."
Electronics
The Open Collector site mentions the release of TkGate 1.8.5, an event
driven digital
circuit simulator with a tcl/tk-based graphical editor, and
Alliance 5.0-20040909, a CAD framework for designing VLSI chips.
Financial Applications
Version 2.5.1f of Compiere, an ERP+CRM business application,
is available.
"The emphasis of this release was the improved Server infrastructure. You can now monitor the (accounting, request, workflow, alert) processors and their logs from the web."
Games
New stable and development versions of Bygfoot, a graphical soccer game,
are available.
"The new releases correct an extremely annoying bug that caused the game to hang. There's also an online update script in the source packages that helps you keep your Bygfoot version up-to-date without downloading new packages manually."
Version 2.8 of gnome-games, a collection of games for GNOME, is out.
"This is the first stable release of the 2.8 series. It should compile
happily in a GNOME 2.6 or GNOME 2.8 environment although a recent
librsvg is recommended."
Version 2.8.0 of gnome-games-extra-data, the overflow graphics for
gnome-games, is out.
"
The only change since 2.7.0 is the addition of the old gnometris
backgrounds."
Full Story (comments: none)
Version 0.96 of
Takeover has been released.
"
Takeover is a turnbased strategy board game for two players. It could be described as a cross between Chess and Checkers. Each player starts with one "Leader" and six "Unit" pieces, centered around its own base, that has to be protected."
Comments (none posted)
GUI Packages
Version 2.5.0 of gtkmm, a C++ interface to GTK+, is out.
"
gtkmm 2.5 wraps new API in GTK+ 2.5, and is API/ABI-compatible with gtkmm 2.4.
The new API is unstable, until this becomes the API/ABI-stable gtkmm 2.6 when
GTK+ 2.5 becomes the API-stable GTK+ 2.6."
Full Story (comments: none)
Version 2.8.0 of Gtk2-Perl, the Perl bindings to GTK+, is out.
This is the stable release for GNOME 2.8.0.
Full Story (comments: none)
Instant Messaging
O'Reilly is running
an article on converting IRC into synthesized speech.
"
Paul Mutton creates a multi-platform IRC bot that uses the
FreeTTS Java speech synthesizer library to convert IRC messages into
audible speech. Why would you want to use an IRC text-to-speech
system? By reading out messages as they arrive, you can keep
working, diverting your attention to IRC only when necessary."
Now, imagine working in a cubicle farm loaded with talking IRC clients.
Comments (none posted)
Interoperability
The September 10, 2004 edition of
Wine Traffic is online. Take a look for happenings in the
Wine (Wine Is Not an Emulator) world.
Comments (none posted)
Mail Clients
The Mozilla project has made
Thunderbird 0.8 available. New features include better POP support, an RSS reader, a master password for login information, and more; see
the release notes for details.
Comments (none posted)
Medical Applications
LinuxMedNews has
an announcement for a new version of OpenEMR, an electronic medical
records system. Here is the list of improvements:
"
Advanced document storage capabilities for scanned documents;
New user reporting interface - a separate interface from the phpMyAdmin to obtain reports;
Improved calendaring;
Support for specialty codes for billing;
Support for multiple X12 partners - the ability to submit X12 claims to different payers or clearinghouses; and
Many display and logic enhancements."
Comments (none posted)
Music Applications
Version 0.9.0 of Hydrogen, a versatile drum sequencer application,
is available.
Changes include support for multiple layers and patterns,
FLAC file support, control of instrument pitch and gain properties,
export to standard MIDI files, and other improvements.
Full Story (comments: none)
Version 0.8 of jMax-SDIF, the jMax 4.1 Sound Description Interchange Format
package, is out.
"
I just finished the jMax-SDIF package version 0.8 for jMax 4.1 CVS.
You can now import SDIF files into a track of matrices, and export a track to
SDIF. There is also an sdifinfo object that reads and outputs information
about the contents of an SDIF file."
Full Story (comments: none)
News Readers
Version 0.6.0 of Liferea, the Linux Feed Reader, is out
with numerous improvements and bug fixes.
Full Story (comments: none)
Office Applications
Version 0.0.7 of criawips, a presentation application for GNOME, is out.
"
After almost 2 months a new version of criawips is released. This
version includes several new translations". Also included are
bug fixes, resolution independent slide rendering, and a redesigned
main window.
Full Story (comments: none)
PDA Software
Version 1.5.3 of Guikachu, the GNOME Resource editor for
PalmOS projects, is out.
"
This release is part of the 1.5 development branch, so it's all about
crazy experimentations and not about providing a polished, well-tested
product -- so don't quite replace your 1.4 Guikachu just yet."
Full Story (comments: none)
Video Applications
Alpha version 0.4.2 of the
Dirac
general-purpose video codec is available; it features a number
of bug fixes.
Comments (none posted)
Web Browsers
Version 1.4.0 of Epiphany, the GNOME web browser, is out.
"
Epiphany 1.4.0 is the first stable release in the GNOME 2.8 series."
Full Story (comments: none)
Version 1.4.0 of Epiphany Extensions, the extensions to the Epiphany
browser, is out.
"
Epiphany Extensions 1.4.0 is the first stable release for use with the
stable 1.4.x series of Epiphany with GNOME 2.8."
Full Story (comments: none)
Version 1.2.9 of Epiphany is available.
"
Epiphany 1.2.9 is the last release in the stable GNOME 2.6 series."
Full Story (comments: none)
The
Firefox 1.0 preview release is now available. The
release notes show that a fair number of new features have been added: "live bookmarks" which generate a bookmark folder from an RSS feed, better popup control, incremental find, a "master password" to guard login information, and more.
Comments (14 posted)
Version 1.7.3 of Mozilla
has been announced.
"
mozilla.org today released Mozilla 1.7.3, which patches
some minor security holes".
Comments (none posted)
KDE.News
reports on yet another outcome from aKademy: a port of the Gecko rendering engine to Qt.
"
Within four days (and before the end of the marathon) the two had a working port: Gecko running on Qt. They credited the speed of implementation to the maturity of the respective technologies and KDE's component architecture (though the caliber of the hackers certainly didn't hamper the effort). In their implementation, Qt is just another platform for Mozilla, parallel to the drawing and widget layer for Mozilla's other platforms like GTK, Win32, or MacOS X."
Comments (14 posted)
Miscellaneous
Version 2.8.0 of gnome-applets, "
the little programs you run in
your panel", is out with improved documentation, bug fixes,
and compatibility with GNOME 2.8.
Full Story (comments: none)
Stable version 4.4.18 of gcalctool, the default GNOME desktop calculator,
has been released for GNOME 2.8. It features some localization changes.
Full Story (comments: none)
Languages and Tools
C
The September 15, 2004 edition of the
GCC Newsletter
is available with the latest Gnu Compiler Collection news.
Take a look to read about the upcoming GCC 3.5 release.
Comments (1 posted)
Caml
The September 7-14, 2004 edition of the Caml Weekly News is
out with this week's Caml language articles.
Full Story (comments: none)
Java
Markus Gebhard
demonstrates JDemo on a dice display application.
"
The nature of GUI development doesn't lend itself to test-oriented
methodologies very well. But that doesn't mean you shouldn't test your
components! Markus Gebhard has an alternative: JDemo, a tool patterned after
JUnit, for displaying and verifying GUI components."
Comments (none posted)
Perl
The September 9, 2004 edition of
This Week on Perl 6 is online with the latest Perl 6 development
discussions.
Comments (none posted)
Simon Cozens
has assembled several small Perl articles on O'Reilly.
"
While preparing perl.com one week, I was editing an article on how to give lightning talks by Mark Fowler and at the same time I was dealing with another author who said he was having difficulty stretching out an article -- a very good article, on a topic I wanted to see covered -- to a full 2,500-words-or-so length.
I then realized there were probably a load of people out there with interesting things to say about what they're doing with Perl, but who couldn't or didn't want to write a full-sized article."
Comments (none posted)
PHP
Version 0.1.1 of Gubed PHP Debugger, a cross platform program for
debugging PHP scripts,
has been released.
"
Improvements are mostly in the areas of session handling, documentation, packaging and windows compatibility."
Comments (1 posted)
PostScript
Version 2.8.0 of GGV, GNOME GhostView, is out.
"
Featuring updates to Welsh (Dafydd) and Turkish (Baris)
translations and nothing more."
Full Story (comments: none)
Python
Version 1.1.5 alpha 4 of PIL, the Python Imaging Library,
has been released.
"
This release contains a major change to the build procedure; instead
of the old configure/make/setup dance, there's now a single setup.py
file that does its best to do everything in one operation."
Comments (none posted)
Dr. Dobb's Python-URL! for September 14, 2004 is available.
Take a look for another round of Python language articles.
Full Story (comments: none)
Tcl/Tk
Dr. Dobb's Tcl-URL! for September 14, 2004 is available with
the week's Tcl/Tk articles.
Full Story (comments: none)
XML
Micah Dubinko
works with XForms validation on IBM's developerWorks.
"
Performing validation on mixed-namespace documents can be more art than science. XForms 1.0, which is used as a component inside arbitrary host languages, introduces some new questions about how a validator should process such documents. This article discusses some of the challenges that the author encountered while writing an online XForms validator tool, and techniques for overcoming these problems."
Comments (none posted)
Jirka Kosek
draws tree diagrams automatically with XSLT and SVG.
"
But if you need dozens of trees, you would do well to use a compact text syntax for describing trees that can later be turned into nice pictures. In this article I'll show you how to parse simple text notation by means of XSLT and turn it into SVG graphics."
Comments (none posted)
Uche Ogbuji
uses Python to clean and convert HTML to XML.
"
Lately I've seen HTML parsing problems everywhere. One project needed a web crawler with specialized features provided through Python code that processed arbitrary HTML. There have also been several threads on mailing lists I frequent (including XML-SIG) featuring discussions of mechanisms for dealing with broken HTML by converting it to decent XHTML."
Comments (none posted)
Editors
Stable version 2.8.0 of gedit, the official GNOME text editor, is available.
"
Among others, it features full UTF-8 support, syntax highlighting
and a powerful plugin system." A new plugin allows the case of
highlighted text to be changed.
Full Story (comments: none)
Profilers
Version 0.8.1 of OProfile, a code profiler, is available.
"
A new utility, oparchive, has been included. This allows you to
save all or part of a profile session, including the profiled
binaries; the archive can be processed later via the "archive:"
profile specifier.
The profile specifiers "sample-file:" and "binary:" have been
removed; oparchive is a more flexible solution to the problem.
Objective C debug info is now handled."
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
O'ReillyNet
wants to improve Linux driver installation. "
When compiling the
kernel, you can select the drivers you want to use. Linux also has the
capability to compile most drivers into special modules that it will load
only when you use the device. These loadable modules allow the kernel to
load certain drivers only when needed. This is particularly handy with
rarely used devices and removable USB peripherals. Although loading drivers
on the fly is flexible, the user experience of dealing with drivers has
required that users know how to deal with modules, mount disks and devices,
and low-level device information. These requirements have acted as a
barrier to Linux adoption for nontechnical users."
Comments (16 posted)
News.com
carries
a NY Times article on IBM's plans to release speech-recognition
software to two open-source software groups. "
IBM is donating code
that it estimates cost the company $10 million to develop. One collection
of speech software for handling basic words for dates, time and locations,
like cities and states, will go to the Apache Software Foundation. The
company is also contributing speech-editing tools to a second open-source
group, the Eclipse Foundation."
Comments (2 posted)
NewsForge
covers
an FFII effort to organize European LUGs. "
Last April, many
GNU/Linux users, organized by the Foundation for a Free Information
Infrastructure (FFII), met in Brussels to demonstrate before the European
Parliament (EP) against the introduction of software patents in the
European Union. During the event, further protests were coordinated for the
following month in many European cities. Eventually, the guys in Brussels
found themselves asking, why don't we do this systematically? More
precisely, why don't we create EuroLugs, a permanent network of all
European LUGS and FLOSS associations, so we can act faster, all together
and more effectively?"
Comments (none posted)
Trade Shows and Conferences
News.com
covers
Novell's Brainshare Europe conference in Barcelona. "
Shortly after
Messman finished justifying Novell's proprietary heritage, though, Novell
European President Richard Seibt said that businesses should move away from
a closed approach to their internal software development and adopt
open-source methods in order to cut costs and improve efficiency."
Comments (none posted)
The SCO Problem
There has been a serious flood of motions leading up to the September 15 hearing in SCO v. IBM. Groklaw has put together
a convenient list for those who are having trouble keeping the whole thing straight.
One of the more amusing recent filings is the reply memo opposing IBM's attempt to strike the declarations from SCO's non-expert witnesses. "Is SCO out of its mind? Not trying? Trying to lose elegantly? I have been debating it every which way, and my current hypothesis is that the only thing they fight hard for is delay. I think, therefore, that they don't mind losing, as long as they can preserve their opportunity to go after end users."
Comments (2 posted)
Companies
InfoWorld
covers
a new IBM LTC in Brazil. "
IBM Corp. will spend more than $1 million
to help fund a Linux technology center in Brazil. The center, created in
conjunction with the Brazilian government, aims to train 700 public service
professionals on the use of Linux by year's end."
Comments (none posted)
The Register
uncovers the funding of a supposedly independent report used in
a decision to use Microsoft software by the London borough of Newham.
"
According to Microsoft's press release of last month, "Newham's
decision to partner with Microsoft follows an extensive platform evaluation
at the Borough, in which the merits of, and overall value offered by
Microsoft's software were rigorously assessed by Capgemini. Capgemini were
selected to conduct the evaluation by Newham, and ran the evaluations as an
independent third party." Fact One: None of this is untrue, as such, but a study by Capgemini, funded
by Microsoft, was Microsoft's offer during pricing negotiations with Newham
last autumn. Note that Cap Gemini's brief was to assess value offered by
Microsoft software, and that it ran its evaluation as an independent third
party. The Beast chooses its words carefully here."
Comments (13 posted)
vnunet
looks forward to SUSE's upcoming desktop release. "
Nat Friedman, Novell vice president of R&D for desktop development, told vnunet.com that this was what enterprise customers wanted.
'Large organisations tell us they want a well-integrated and supported product, not [things such as] text editors,' said Friedman, one of Ximian's founders."
Comments (9 posted)
ZDNet UK
covers the release by Sybase of the Express Edition
Adaptive Server Enterprise (ASE) database for Linux.
"
Simon Riggs, a PostgreSQL developer, said on Thursday that he is not worried about the impact that ASE could have. Instead, he sees it as another sign that companies are worried about the impact of open-source databases.
"It is not a threat at all," said Riggs. "In fact, it is a good sign. Companies obviously see free, open-source databases such as PostgreSQL as such a serious threat that they are going out of their way to produce a free database.""
Comments (12 posted)
Linux Adoption
The Register
covers a Butler Group report that finds Linux ready for the data
center. "
Butler recommends Novell/SuSE and Red Hat as the
distributions most worth considering for the data centre, but gives others
a look-in on the desktop. Which is a conservative stance, but probably a
sensible one if you're talking to people and companies without a great deal
of open source knowledge and technical expertise."
Comments (1 posted)
Sify.com is running
an interview with Jyoti Satyanathan, General Manager of Linux
for IBM, India.
"Q: What, according to you, prompts the governments to adopt Linux in their day-to-day functions with citizens? What are the prime factors?"
"A: Linux is cost-effective. This is one of the factors. More than this, it is freedom one can get from single ownership and freedom from architecture attracting many governments to go for Linux. Adoption of Linux is prime time in government."
Comments (none posted)
O'ReillyNet
announces the results of its Great Linux Desktop Migration Contest.
"
The Great Linux Desktop Migration Contest asked for entries in three
categories: write an essay on the Benefits of Migrating to Linux; present
an example of a Phased Migration Plan; and give us three Tips for
Migrating."
Comments (none posted)
Linux at Work
NewsForge
looks at Orbital Sciences' use of Linux clusters for solving
fluid dynamics problems.
"
Orbital began to consider investing in its own high-power cluster. Fluent was using big Linux Networx clusters to do computations for Orbital and its other clients. A Linux cluster would be horizontally scalable, able to expand as Orbital's business grew.
"We looked at some Sun clusters, but finally decided to go with Linux Networx because of the lower costs involved," Holst said. So in October 2003, Orbital bought and installed one of Linux Networx' "Evolocity" clusters, equipped with 24 Intel Xeon processors and Fluent 6.1 CFD software."
Comments (none posted)
Interviews
KDE.News
talks to
Thomas Schneller about HP's nx5000 laptop, which is
available with Linux pre-installed.
"Does power management and the winmodem work on the nx5000 as they do under Microsoft Windows?"
"Yes, basically all hardware is working. ACPI is fully supported, so hibernating your Linux laptop is possible and also the winmodem works on this model. I also want to stress the fact that we welcome any feedback as we are eager to hear people's experiences with our product."
Comments (none posted)
KDE.News
presents an interview
with Lars Stetten on Unix accessibility. "
Dear Mr. Stetten, you
study computer science in Giessen. How do you estimate the situation for
handicapped working with computers?
The current situation with Linux is not so good. Sure, the SUSE
installation kernel has had support for the braille line for many years,
but you can't operate a graphical user interface with this feature
alone."
Comments (none posted)
Vnunet
interviews Michael
Robertson, founder of Linspire. "
One of the myths of open source
is that, well, you just put the free software out there and then it ends up
on computers. It just doesn't work that way. The original equipment
manufacturers need someone they can call, and they need to have an economic
incentive. The source code might be freely floating around on the
internet, but that doesn't mean it's free for the end consumer."
Comments (9 posted)
Resources
Linux Journal
presents an
overview of the creation and evolution of MIDI, from early standalone
equipment to an all-in-one computerized composition environment.
"
The ALSA sequencer API is a most welcome evolution in Linux MIDI
support. Compliant programs may be connected freely, with multiple inputs
allowable on a single port. Graphic patch bays are available that display
and edit the send/receive status of the available clients. Incidentally,
ALSA's virmidi (virtual MIDI) ports appear to the system as though they are
real ports, and their data may be routed to and from any other port, real
or virtual."
Comments (6 posted)
Martyn Honeyford
explains how to get Linux running on an iPAQ PDA.
"
Installing Linux on your iPAQ can be a great way to breathe new life into aging hardware or make an existing tool even better, particularly if you are a fan of Linux on the desktop. You can leverage your existing knowledge and enjoy the benefits of familiar (pun intended) free and open source software on the move. In this article, learn how to turbocharge your HP-Compaq iPAQ PDA with Linux."
Comments (none posted)
Linux Journal
introduces
ZenTest, with examples of how to use it on Ruby code. "
Ryan
Davis has written a great tool called ZenTest, which creates test suites
for existing bodies of code. Because a lot of people are new to
refactoring, unit testing and ZenTest, this article serves as an
introduction to this trio of tools."
Comments (4 posted)
Reviews
NewsForge
looks at
FreeMind. "
How do you organize all those little notes and ideas
that you have spread out all over the place in a way that you can actually
use them and make them make some sense? That's one of the goals of a
class of software known as mind mapping. Once the realm only of
high-priced commercial applications, there is now at least one open source
option. It's called FreeMind and it's licensed under the GPL."
Comments (none posted)
Linux Journal
reviews GraphViz.
"
GraphViz is a collection of tools for manipulating graph structures and generating graph layouts. Graphs can be either directed or undirected. GraphViz offers both graphical and command-line tools. A Perl interface also is available, but it is not covered here for reasons of generality. Graphical tools are not going to be discussed in this article either. Instead, this article focuses on using GraphViz from the command line."
Comments (none posted)
The Register
takes
a look at IBM's new Power 5 Linux servers. "
The first system in
this new line will be the OpenPower 720, which arrives later this
month. The four-processor box will run on either 1.5GHz or 1.65GHz Power5
chips and support up to 64GB of memory. IBM will offer both Red Hat and
SuSE's enterprise Linux operating systems on the new box."
Comments (none posted)
O'ReillyNet
takes
a look at SpamAssassin 3.0. "
Naturally, SpamAssassin 3.0.0
includes many new static rules, and changes the definitions and scores of
several old ones to reflect the changing nature of spam. For example, many
rules focused on pharmaceutical spam are now included--drugs seem to have
caught up with mortgages and pornography in the distribution of
spam."
Comments (none posted)
Edd Dumbill
reviews some of the capabilities coming to the X Window System
in an O'Reilly article.
"
I attended the talks given by X Window System wizards Keith Packard and Jim Gettys at the recent Linux Symposium and got a taste of what's coming soon."
Comments (none posted)
Miscellaneous
Danny O'Brien
seeks out the
evildoers in the open source world in what appears to be the first of a
series of O'ReillyNet columns. "
Now, we know that the furthermost
pits of hell are reserved for those who break licensing agreements (unless
it's clickthrough, where you get put in purgatory until the law can be
clarified). But we should also give pause before we place the epaulettes
of satan on someone who, let's be fair, learnt the intricacies of the SCSI
bus so that we do not. Anyone who has played with SCSI knows that the
interface is, frankly, Lovecraftian. A few terminators and DIP switches in,
and you're constantly running saving throws for your sanity. Jörg
[Schilling's] moment of alleged evil was fleeting, and he removed the
restriction in the subsequent increment of cdrecord. Let's say that he was
possessed by some old ide-scsi bug, and speaking in tongues at the
time."
Comments (1 posted)
Groklaw
looks at some of the controversy behind the Sender-ID mail standard.
""'The broadest adoption possible and the most consistent standards are in the interests of not just senders, not just ISPs, but of consumers,' said Trevor Hughes, executive director of the ESPC.
"Hughes also points out that even if it doesn't become a standard, Sender ID will still be a factor if the major ISPs adopt it.
"'Where we stand is that Sender ID is going to be a reality for large senders,' he said. 'We don't question the sincerity of the folks who are raising concerns over open source compatibility. We just haven't come up with the same concerns.'""
"Hmm. Did he just say the ESPC doesn't care about compatibility in a standard? Yes. I believe he did."
Comments (12 posted)
Richard M. Stallman has written
an article on NewsForge in which he compares software patents
to land mines.
"
fighting patents one by one will never eliminate the danger of software patents, any more than swatting mosquitoes will eliminate malaria. You cannot expect to defeat every patent that comes at you, any more than you can expect to kill every monster in a video game: sooner or later, one is going to defeat you and damage your program. The U.S. patent office issues around 100,000 software patents each year; our best efforts could never clear these mines as fast as they plant more."
Comments (none posted)
News.com
covers
LSB supporters. "
A number of software makers and well-known IT
vendors have agreed to endorse the Free Standards Group's latest Linux
standard to help create common ground for companies building open-source
technologies, the organization said Monday. The San Francisco-based
nonprofit reported that open-source software makers around the world have
already adopted the guideline, known as Linux Standard Base 2.0. In
addition, the Free Standards Group said a handful of high-profile vendors
already working with Linux technology are backing the standard, including
Advanced Micro Devices, Dell, Hewlett-Packard, IBM and Intel."
Comments (4 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Standards Group (FSG) and the Open Source Development Labs (OSDL)
have announced a collaboration to accelerate enterprise adoption of the
Linux Standard Base (LSB) with new services to support software vendors
developing applications for Linux.
Full Story (comments: none)
Commercial announcements
IBM has
announced
a new computer server using its Power5 microprocessor tuned for the Linux
operating system. "
The OpenPower 720 server will be available
Sept. 24 and can be powered by as many as four Power5 chips, IBM said. In
the first half of next year, the company will start selling OpenPower
servers using two Power5 processors."
Comments (none posted)
Intel has
announced a new telecom software package for Linux.
"
The Intel NetStructure Host Media Processing Software release 1.2
for Linux is the first high density, commercially supported software
offering the flexibility and value of open platforms. This
software-only building block for communications providers eliminates
the need for specialized telephony boards with digital signal
processors, but still provides the media processing power to develop
applications such as interactive voice response, voice mail, unified
messaging and conferencing."
Comments (none posted)
Modulus Video, Inc. has
announced a new Linux-based video encoder/decoder.
"
Built on an open Intel Linux platform, Modulus Video
products leverage the entire MPEG-4 AVC standard to offer an easily
deployable, highly scalable and cost-effective solution for reliably
delivering broadcast-quality video using significantly less bandwidth
than legacy MPEG-2 systems."
Comments (none posted)
MySQL has
announced the appointment of Maurizio Gianola as Vice President of
Software Engineering at its Silicon Valley Office.
Comments (none posted)
MySQL has
announced the appointment of Bernard Liautaud to its Board of Directors.
"
Liautaud is one of the most highly respected software executives
in Silicon Valley and Europe. He co-founded Business Objects in 1990
and has built it into a nearly $900 million enterprise software vendor
with more than 26,000 customers in over 80 countries. He took the
company public on NASDAQ in September 1994, making it the first French
software company listed in the United States."
Comments (none posted)
Navicat has released Navicat MySQL tools version 5.0.2, now with Stored
Procedure and Batch Job Scheduling.
Full Story (comments: none)
The next time a telemarketer interrupts your dinner to try to sell you something, you can take some comfort in the fact that they are likely to be running on Linux. SER Solutions, Inc. has
announced the availability of Call Processing System 8.0, with lots of great features like "third-party quality monitoring," and "sophisticated predictive dialing." "
By utilizing Novell SUSE LINUX, SER is
able to take advantage of new hardware and software available on the
platform and leverage the reliability, security, scalability, and
support Novell and SUSE LINUX are known for."
Comments (2 posted)
Sleepycat and MontaVista have announced that their embedded solutions have
been chosen for the Motorola A780 smart phones.
Full Story (comments: none)
SugarCRM Inc. has
announced
the release of Sugar Sales Professional, a LAMP based Customer Relationship
Management (CRM) application.
Comments (none posted)
New Books
O'Reilly has published the book
CSS Cookbook by Christopher Schmitt.
Full Story (comments: none)
O'Reilly has published the book
PDF Hacks by Sid Steward.
Full Story (comments: none)
O'Reilly has published the book
Managing Security with Snort and
IDS Tools by Kerry Cox and Christopher Gerg.
Full Story (comments: none)
No Starch Press has published the book
The Web Programmer's Desk Reference by Lazaro Issi Cohen and Joseph Issi Cohen.
Full Story (comments: none)
Apress has published the book
Foundations of Python Network
Programming by John Goerzen.
Full Story (comments: none)
Resources
IOSN has released a draft version of a
primer on
free/open source software licensing. The primer is available for
review and feedback.
Comments (none posted)
The September 15, 2004 edition of the
Linux Documentation Project Weekly News
is out with the latest documentation releases.
Full Story (comments: none)
The July/August edition of the Linux Professional Institute
newsletter is online.
Full Story (comments: none)
Volker Lendecke's paper
Advances in Samba4
is available in PDF format.
"
The paper offers a nice overview of the reasoning behind creating Samba4, and outlines four areas of code where Samba4 is an improvement over Samba 3."
Comments (none posted)
Contests and Awards
The Economist has
announced the winners of its 3rd annual "Innovation Awards." The victor in the computing area is Linus Torvalds.
Comments (none posted)
KTurtle,
a Logo programming language interpreter for KDE,
has won third prize in a Dutch Educational contest.
"
The technical jury was very pleased with the looks of KTurtle, good configuration options and a very nice manual and the educational jury said "Some renewed attention to LOGO is very much welcome.""
Comments (none posted)
Fred Trotter
has been awarded the 2004 Linux Medical News Achievement Award.
"
Trotter is the founder of the Free Medical Billing (FreeB)
project as well as working on the FreeMed project."
Comments (none posted)
Event Reports
LinuxMedNews
covers the open-source activity at the medinfo2004 conference.
"
The joint meeting of the IMIA, IMIA-NI and AMIA Open Source Working Groups was held yesterday, 8 September, at medinfo2004. We had a good attendance (40-50 people), with presentations on the 3 groups and then a discussion and session of interactive digital voting."
Comments (none posted)
Upcoming Events
The
Italian Code Jam
will be held on October 9, 2004 at the Engineering Department
of the University of Ferrara.
"
Some of the speakers that will take part are: Andrea Arcangeli, Moshe Bar, Francesco Ciriaci, Dave Cross, Alex Martelli, Allison Randall, Michele Simionato, Simo Sorce, and Larry Wall."
Comments (none posted)
| Date | Event | Location |
|------|-------|----------|
| September 16 - 17, 2004 | YAPC::Europe 2004 | Belfast, Northern Ireland |
| September 16, 2004 | Embedded Systems Conference | Hynes Convention Center, Boston, MA |
| September 19 - 22, 2004 | 2004 International Conference on Functional Programming (ICFP) | Snowbird Ski and Summer Resort, Snowbird, Utah |
| September 20 - 23, 2004 | New Security Paradigms Workshop (NSPW) | White Point Beach Resort, Nova Scotia |
| September 20 - 22, 2004 | Plone Conference 2004 | Vienna, Austria |
| September 22 - 24, 2004 | OpenOffice.org Conference (OOoCon 2004) | Humboldt University, Berlin, Germany |
| September 22 - 24, 2004 | php\|works 2004 | Holiday Inn Yorkdale Hotel and Conference Centre, Toronto, Canada |
| September 23 - 26, 2004 | FirenzeWorldVision | Firenze, Italy |
| September 27 - October 1, 2004 | 4th International SANE Conference (SANE) | Amsterdam RAI Centre, Amsterdam, The Netherlands |
| September 27 - 29, 2004 | ConSec '04 | J.J. Pickle Research Center, Austin, Texas |
| September 29 - October 1, 2004 | OSCOM 4 | Swiss Federal Institute of Technology, Zurich, Switzerland |
| October 2, 2004 | Ohio LinuxFest | Columbus, Ohio |
| October 6 - 7, 2004 | LinuxWorld Conference and Expo | Olympia Exhibition Centre, London, England, UK |
| October 8 - 10, 2004 | Linucon | Red Lion Hotel, Austin, TX |
| October 9, 2004 | Italian Code Jam | University of Ferrara, Ferrara, Italy |
| October 10 - 17, 2004 | MySQL Swell | Across the Mediterranean |
| October 11 - 15, 2004 | 11th Annual Tcl/Tk Conference | Bourbon Orleans Hotel, New Orleans, LA |
| October 21 - 22, 2004 | Web.It 2004 | Bari, Italy |
| October 21 - 22, 2004 | 5. Encuentro Linux | Valparaiso, Chile |
| October 26 - 28, 2004 | LinuxWorld Conference and Expo | Frankfurt, Germany |
| October 27 - 29, 2004 | Sixth International Conference on Information and Communications Security (ICICS'04) | Malaga, Spain |
| November 1 - 6, 2004 | International Computer Music Conference (ICMC) | Miami, FL |
| November 4 - 5, 2004 | HiverCon 2004 | The Davenport Hotel, Dublin, Ireland |
| November 7 - 10, 2004 | International PHP Conference 2004 | Frankfurt, Germany |
| November 8 - 10, 2004 | MySQL ComCon Europe | NH Hotel Frankfurt-Mörfelden, Frankfurt, Germany |
Web sites
The LinuxQuestions.org Wiki has reached the 2000-article mark. "Released in February 2004, the LQ Wiki allows users to collaboratively build a free, complete and up-to-date Linux knowledgebase and aims to become the largest general-knowledge Linux repository on the web. It is free to join or use the LQ Wiki and any user can add or edit content. All content is licensed under a Creative Commons license, ensuring that it remains freely redistributable."
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Page editor: Forrest Cook