It is a rare free software development project which feels the need - or
has the resources - to develop a 50-page strategic marketing plan.
OpenOffice.org is anything but an
ordinary project however. Its
Strategic Marketing Plan
2010 is available in a glossy, printer-stressing PDF format; those
wishing to support the project can also buy the plan in book format for
$7.95. In many ways, the OpenOffice.org plan resembles many other, similar
documents which have been putting meeting attendees to sleep for years. It
is very much worth a read, however; it offers a view into the project's
ambitions and worries for the coming years.
OpenOffice.org cannot be faulted for lacking ambition: the marketing plan
calls for a 50% penetration rate by 2010. There is a little table which
reads a bit like a Bush administration budget forecast - usage is supposed
to jump from 35% to 50% between 2009 and 2010. By the end of 2004, the
project will be satisfied with 2% penetration.
Getting that many users will be a challenge, so much of the plan concerns
itself with how OpenOffice.org will find them.
There is a big emphasis on establishing OpenOffice.org as a global
brand. The project has also singled out seven target markets which, it
thinks, are especially ready for a jump to OpenOffice.org:
- Governments - with an emphasis on developing countries. Reading
between the lines, it appears that OpenOffice.org does not wish to
compete with Sun's StarOffice sales in richer countries.
- Education. As a way of competing with Microsoft's education programs,
which target teenagers, OpenOffice.org's plan suggests trying to hook
kids when they are seven or eight years old.
- Public libraries - especially smaller ones without lots of extra
cash.
- Non-profit organizations.
- Small and medium-sized businesses.
- Original equipment manufacturers, who should be encouraged to bundle
OpenOffice.org with their systems.
- Linux distributors; OpenOffice.org would like to have its software
shipped with every general-purpose distribution.
To push OpenOffice.org into these markets, the project has a whole set of
"marketing contacts," is working on promotional materials, and has a set of
development goals, such as the creation of "OEM kits." Feeding the demand
side of the equation is very much at the core of the OpenOffice.org plan.
There are some interesting things which are missing. In its introduction,
the plan states:
As of today (2004), both OpenOffice.org and the Community are
heavily dependent on the support of Sun for their continued
survival. The Community has set itself a challenge to become
completely self-sufficient, and rely on volunteer effort and/or
funds generated by the Community.
This would clearly be a good thing for OpenOffice.org to do. The marketing
plan does not really address this goal again, however. Raising funds
appears to not be a part of this plan at all. There also appears to be
little concern about marketing OpenOffice.org to developers. By most
accounts, the bulk of OpenOffice development is still done by Sun
engineers, and the project remains difficult for new developers to
approach. Forks like ooo-build have appeared in
response to developer frustrations, and Sun's ties to Microsoft have
recently led to Bruce Perens calling for developers to not
donate their code to the project. If OpenOffice.org cannot get past this
marketing problem, it will have a hard time achieving self-sufficiency and
its usage goals.
The project's relationship with Sun is a recurring issue in this document.
Clearly, as long as OpenOffice.org is dependent on Sun for funding and
developers, one of its priorities must not be marketing to users, but
marketing itself to Sun. Thus, the plan worries:
Sun Microsystems may lose the ability or desire to fund non-revenue
generating activities such as the Community.
and recommends that:
The Community should put significant effort into understanding
Sun's goals for StarOffice and OpenOffice.org and selling the
benefits to Sun of their continuing support of the Community.
OpenOffice.org has to step carefully around its patron. So there are no
plans to try to "sell" OpenOffice.org into large businesses and other
places where Sun is trying to do deals involving StarOffice. A fair amount
of new OpenOffice.org functionality is being written in Java, which creates
problems for some Linux distributors - there is no free, certified Java
runtime which can be shipped to run that new code. So OpenOffice.org's
plan contemplates the creation of a "Java-free" configuration (something
the distributors have been doing for a while), but there is no thought
given to making it all work with a free, non-certified runtime engine.
The plan spends some time contemplating the threats faced by the project.
These include confusion with StarOffice, the fact that others can fork the
project, missing functionality (email, web browsing, group calendars,
etc.), and software patents. The biggest threat seen by the project,
however, is clearly Microsoft; somehow the planners have gotten the idea
that Microsoft might not just stand by and watch while OpenOffice.org grabs
the 50% of the market it covets. The project intends to respond by making
migration from Microsoft products even easier, stressing the "full
functionality for free" nature of the software, and targeting users who are
facing forced upgrades or who fear license compliance audits.
There is one threat which is not even mentioned by the plan, however: other
free software projects. Names like AbiWord, Gnumeric, Scribus, KOffice,
etc. simply do not appear at all. Some of these are, perhaps, shrugged off
by proclaiming that OpenOffice.org is the only free integrated
office suite - though the KOffice developers might disagree. It may also
be that the OpenOffice.org developers do not wish to upset parts
of the free software community by overtly tagging them as competitors and
making plans on how to beat them. The fact remains, however, that a number
of free "productivity" tools exist, and many of them are held, by some
users at least, to be superior to the corresponding parts of
OpenOffice.org. These tools will not go away; a "strategic marketing plan"
that aims for 50% penetration while ignoring the other free alternatives
runs a real risk of an unpleasant collision with reality as things play
out.
It is worth noting that the plan is not in its final form; this is, in
fact, the first public release, which was intended to encourage discussion
and debate at OOoCon last week.
There will be, without doubt, changes to the plan as a result of that
discussion, but LWN was unable to attend the conference and reports have
been relatively scarce so far. Even so, the plan gives valuable insights
into an important free software project which is at a sort of turning
point. It indicates that the project intends to concentrate on "selling"
OpenOffice.org to vast numbers of users rather than on engagement with the
free software community. More OpenOffice.org users can only be a good
thing; one can only wish the project luck in achieving its goals.
Comments (15 posted)
A consortium of five companies, including MandrakeSoft, has
been awarded a contract from the French Ministry of Defense to deliver
a Linux-based OS certified at Common
Criteria Evaluation Assurance Level 5 (CC-EAL5). The three-year
contract is worth €7 million, with MandrakeSoft's share totaling
€1 million. Participating in the contract with MandrakeSoft are Bertin
Technologies, Surlog, Jaluna, and Oppida.
We contacted MandrakeSoft co-founder Gaël Duval about the contract and
to get a little more information about the process. The EAL5 certification may
seem a bit ambitious, particularly since no other Linux vendor has achieved
that level of certification for a Linux OS. In fact, none of the competing
OSes have reached that level of certification either.
At the moment, the Linux distribution with the highest level of EAL
certification is Novell's SUSE
Linux Enterprise Server (SLES) 8 (PDF), which achieved EAL3+ with IBM's help.
There are seven levels of CC-EAL certification. In a nutshell, an EAL5
certification designates that a system's features and security level are
certified, and that development follows "formalized or
semi-formalized methods."
We asked Duval if MandrakeSoft had any prior experience with this type of
project:
Not exactly, but we introduced advanced security features in Mandrakelinux
products early (Mandrakelinux 7.0, which was released in early 2000). We
also sponsored several Open Source security projects. And we have
a line of security products (Single Network Firewall & Multi Network
Firewall). So security is a long-time tradition at Mandrakesoft.
Of course, MandrakeSoft is not the only vendor working on this project. Oppida is an officially
authorized Common Criteria Information Technologies Security Evaluation Facility
(ITSEF), making it an ideal partner for a project of this kind. Surlog's expertise is in
providing tools to evaluate software and system dependability. Jaluna provides real-time and
high-availability solutions, including solutions based on Linux.
We also asked Duval how MandrakeSoft became involved with this effort, and
how the consortium came into being. Duval didn't provide a great deal of
detail:
We know these companies and they know us, so it's a natural arrangement
because every actor has some technology and expertise to bring.
Unfortunately, it will be some time before the work that the consortium is
doing shows up for use by the community. According to Duval, the plan is to
keep development separate from Mandrake Linux development:
It will be totally outside of the Mandrakelinux product roadmap. Several
actors take part in this project, which will be released in Open Source
after completion.
Duval did allow that some of the work might show up "later" in
the development process. We also asked what license would be used for any
work created for this project. Duval said that he doesn't have any
information about licensing details, just that it would be an open source
license.
Three years is quite a long time, so it will be interesting to see whether
MandrakeSoft is the first Linux vendor to reach EAL5, or if Novell or Red
Hat beat them to the punch. Novell has already said
that it hopes to gain EAL4 certification in the near future. No doubt,
Novell will be setting its sights on EAL5 shortly thereafter.
For the larger picture, of course, it won't matter whether Novell or
MandrakeSoft reach the finish line first. Achieving EAL5 will be yet
another feather in Linux's cap, another milestone reached that will allow
governments and organizations to move to Linux instead of proprietary
offerings.
Comments (6 posted)
Page editor: Jonathan Corbet
Security
September 29, 2004
This article was contributed by Joe Klemmer
One of the greatest joys we Linux users have is to say to our
Windows-running friends, family and co-workers that we do not
suffer from viruses like they do. However,
the reality is that we aren't immune from being attacked. There are
plenty of nasty things out there that would be happy to trash our
systems. One of these nasty things is something called a rootkit.
Rootkits allow a cracker to ensure future access to a compromised system
while hiding the evidence from administrators and users; see LWN's look at the Adore rootkit for an
example.
So how do you detect them? One way is to use the tool
Rootkit Hunter. The
following is an interview with the author of this utility,
Michael Boelen.
Joe Klemmer: Tell us a bit about yourself. Who is
Michael Boelen?
Michael Boelen: I'm a 22-year-old guy, working for a
small company (small webhosting, maintaining servers/services
and application development). My task is to maintain the
internal servers and perform administration for our customers.
I live in The Netherlands with my parents. Computers are my hobby
and my work, so I'm the author of Rootkit Hunter :-)
My main interests are networking, hardware, security and
small application development. Like many people, I like to read,
but I'm especially interested in computer-related stuff.
JK: What led you into system security?
MB: It's a special part of computer services, which
attracts me because it's never the same. It's a dynamic world
inside the big computer world. Although a lot of companies
aren't aware of the consequences of (a missing plan for)
security, I think it's a very important part. That's why almost
everyone in the computer world will use/need some security
enhancements sooner or later. In my case, open relays, Trojans
and viruses were the first signals to have a better look at
security.
JK: What, specifically, are rootkits?
MB: Rootkits are often little packages with some
binaries, some sources and an easy-to-use installer. These
packages are created to 'stay root' after a successful
compromise of a host. The installer in these packages checks
the host and replaces the default binaries with the ones in the
package. Most times these are binaries like 'ps', 'ls', 'top',
'netstat', where traces of the hacker/cracker/scriptkiddie are
being filtered, with one purpose: hide evil processes, network
connections etc.
Because rootkits are unwanted and difficult to find without
good searching, automated tools are being created. Although a
UNIX specialist is often able to find bad things better/quicker
than automated tools, such a tool can be very valuable. Of course
it is a nice addition for UNIX specialists, but also for average
UNIX users who aren't able to find out which things on a UNIX
system are good or evil (like hidden files, bad strings, unusual
network ports etc).
JK: You've said elsewhere that you built rkhunter
because you didn't find the existing tools to your liking. What
was it about them that you felt needed changing?
MB: The lack of active development is the most important
one. I won't say my tool is better than the others, but I try
to maintain it as actively as possible. When users come with
(nice) new ideas, most times I try to implement them as soon as
possible.
JK: Over the course of rkhunter's evolution, have you
found anything interesting about root kits? Any similarities or
differences? Are there any trends?
MB: Yes, a lot of interesting information. I also have a
better idea now (since the development) why
hackers/crackers/scriptkiddies use rootkits and what to do to
detect them. The most difficult part is to maintain a utility
which stays smart enough to detect suspicious traces on a
system.
Most tools use the same approach, so I tried to combine as
many as possible ways to detect these suspicious traces. And
although it gets better every release, a lot of things have to
be done.
Rootkits don't have a 'normal' trend like viruses/worms
have, because viruses aren't often used by a single person to
achieve his goal (besides breaking up systems, sending spam or
planting a trojan). In fact, some individuals create rootkits
for their needs at the moment they need them. These custom-made
rootkits often contain simple things like IRC bots, backdoors
and sniffers. Within the next few months, those things will be
getting special attention from me and added to Rootkit Hunter.
Rootkits won't quickly disappear, so the war isn't yet
over.
JK: Do you know if rkhunter has had an impact on the
root kit community? Are they now trying to design kits to work
around rkhunter?
MB: I have really no idea, because most rootkits and
backdoors are still being used by individuals and use private
parts (although there are a lot of often-used public tools). So
I haven't seen any tools yet which are built to hide from
Rootkit Hunter. But I guess there will be variants already
available.
JK: I would guess that the battle between the root kit
"developers" and the security community is similar to the
anti-virus wars. Is the bulk of your work spent in catching up to
new root kits? Or are you in a position of developing preemptive
technologies to head off the kit builders?
MB: In both ways, because maintaining a 'rootkit hunter'
is almost similar to maintaining an anti-virus tool, with one
exception: viruses aren't made to be hidden from the system
(yet?). So anti-virus developers try to discover new (unknown)
viruses as quickly as possible. The approach on rootkits is a
little bit different. It means also adding unknown rootkits,
but more important, adding new ways to discover all kinds of
hack traces.
JK: What do you see for the future of rkhunter? With
the advent of SElinux will there still be a need for rkhunter and
it's kind?
MB: I guess tools like this one won't quickly become
useless, because even if you have a secured system (like with
SElinux and all other kernel and application improvements),
it's always possible someone breaks your system. At that stage,
tools like Rootkit Hunter (and the few others) can provide an
administrator with very useful information.
This interview gives me the opportunity to ask people an
easy question: If you find something interesting for me, can you
send it to me?
The question above gives an answer to your question, because
although I can improve Rootkit Hunter a lot, I really need
input from the users and the guys in the field. Rootkits,
sniffers, ideas and even books are needed to keep on improving.
Till now I have already got a lot of input, but I still need
more information. So I have a simple thought about the future: it
will only get better, but only if I get support from the
community!
Comments (3 posted)
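The two detection ideas Boelen describes above (baselining the binaries a rootkit installer swaps out, and catching processes a trojaned ps filters) as an added shell example; this is not Rootkit Hunter's code or the interview's. The list of watched binaries and the demo directory of fake binaries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not rkhunter): a minimal baseline-and-compare check plus a
# /proc-versus-ps cross-check. Names in WATCHED_BINARIES and the demo directory
# are constructed for this example; real use would baseline /bin, /sbin etc.

WATCHED_BINARIES="ps ls top netstat find lsof"

# Print the SHA-256 digest of a file; shasum is the fallback where
# coreutils sha256sum is not installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline BINDIR OUTFILE: write "name digest" for each watched binary
# found in BINDIR. Run once on a known-good system and keep OUTFILE off the
# host (read-only media), otherwise an intruder can simply rewrite it.
make_baseline() {
    bindir=$1; out=$2
    : > "$out"
    for name in $WATCHED_BINARIES; do
        [ -f "$bindir/$name" ] || continue
        printf '%s %s\n' "$name" "$(hash_file "$bindir/$name")" >> "$out"
    done
}

# check_baseline BINDIR BASELINE: print "CHANGED name" or "MISSING name" for
# every deviation; return 1 if there was any, 0 if every binary matches.
check_baseline() {
    bindir=$1; baseline=$2; rc=0
    while read -r name expected; do
        if [ ! -f "$bindir/$name" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$(hash_file "$bindir/$name")" != "$expected" ]; then
            echo "CHANGED $name"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# hidden_pids: print PIDs present in /proc that ps does not show. A
# user-space rootkit that only trojans ps is caught this way; a kernel
# module that also filters /proc is not. Short-lived processes can exit
# between the two views, so rerun before treating a hit as evidence.
hidden_pids() {
    for entry in /proc/[0-9]*; do
        [ -d "$entry" ] || continue
        pid=${entry#/proc/}
        ps -p "$pid" -o pid= >/dev/null 2>&1 || echo "$pid"
    done
}

# Demo on a constructed directory of fake binaries, never on the real /bin.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    for name in $WATCHED_BINARIES; do
        printf 'genuine %s\n' "$name" > "$tmp/bin/$name"
    done
    make_baseline "$tmp/bin" "$tmp/baseline"
    # Simulate a rootkit installer: replace ps, delete netstat.
    printf 'trojaned ps\n' > "$tmp/bin/ps"
    rm "$tmp/bin/netstat"
    check_baseline "$tmp/bin" "$tmp/baseline" || echo "integrity check FAILED"
    rm -rf "$tmp"
}

demo
```

Running hidden_pids on a live host needs ps in PATH; the baseline functions work on any directory.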
New vulnerabilities
apache: protected pages vulnerability
| Package(s): | apache |
| CVE #(s): | CAN-2004-0811 |
| Created: | September 23, 2004 |
| Updated: | September 29, 2004 |
| Description: | Apache 2.0.51 may allow the viewing of protected pages because of a problem merging the Satisfy directive. |
| Alerts: | |
Comments (none posted)
getmail: filesystem overwrite vulnerability
| Package(s): | getmail |
| CVE #(s): | CAN-2004-0880, CAN-2004-0881 |
| Created: | September 23, 2004 |
| Updated: | October 4, 2004 |
| Description: | Getmail has a vulnerability that may allow a local user to create or overwrite files in any directory on the system. |
| Alerts: | |
Comments (none posted)
jabberd: remote denial of service vulnerability
| Package(s): | jabberd |
| CVE #(s): | |
| Created: | September 23, 2004 |
| Updated: | September 29, 2004 |
| Description: | Jabberd's XML parsing routines have a vulnerability that may be exploited to create a remote denial of service. |
| Alerts: | |
Comments (none posted)
sendmail: pre-set password
| Package(s): | sendmail |
| CVE #(s): | CAN-2004-0833 |
| Created: | September 27, 2004 |
| Updated: | September 29, 2004 |
| Description: | Hugo Espuny discovered a problem in sendmail, a commonly used program to deliver electronic mail. When installing "sasl-bin" to use sasl in connection with sendmail, the sendmail configuration script uses fixed user/pass information to initialize the sasl database. Any spammer with Debian systems knowledge could utilize such a sendmail installation to relay spam. |
| Alerts: | |
Comments (none posted)
subversion: metadata information disclosure
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0749 |
| Created: | September 23, 2004 |
| Updated: | November 4, 2004 |
| Description: | The subversion version control system has vulnerabilities in the handling of metadata such as log file entries related to using mod_authz_svn. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
| Alerts: | |
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: | A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. |
| Alerts: | |
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
| Alerts: | |
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
Comments (none posted)
cups: denial of service
| Package(s): | cups cupsys |
| CVE #(s): | CAN-2004-0558 |
| Created: | September 15, 2004 |
| Updated: | October 14, 2004 |
| Description: | Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: | |
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0500 |
| Created: | August 12, 2004 |
| Updated: | October 18, 2004 |
| Description: | The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions. |
| Alerts: | |
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
Comments (none posted)
glFTPd: Local buffer overflow vulnerability
| Package(s): | glFTPd |
| CVE #(s): | |
| Created: | September 21, 2004 |
| Updated: | September 22, 2004 |
| Description: | The glFTPd server is vulnerable to a buffer overflow in the 'dupescan' program. This vulnerability is due to an unsafe strcpy() call which can cause the program to crash when a large argument is passed. A local user with malicious intent can pass a parameter to the dupescan program that exceeds the size of the buffer, causing it to overflow. This can lead the program to crash, and potentially allow arbitrary code execution with the permissions of the user running glFTPd, which could be the root user. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
heimdal: root escalation
| Package(s): | heimdal |
| CVE #(s): | CAN-2004-0794 |
| Created: | September 16, 2004 |
| Updated: | September 22, 2004 |
| Description: | The Heimdal FTP daemon has several bugs that can allow a remote attacker to gain root privileges. |
| Alerts: | |
Comments (none posted)
httpd: mod_ssl input filter denial of service vulnerability
| Package(s): | httpd |
| CVE #(s): | CAN-2004-0748 |
| Created: | September 2, 2004 |
| Updated: | September 23, 2004 |
| Description: | Apache httpd has a denial of service vulnerability in mod_ssl in which an attacker can force an SSL connection to abort, resulting in the Apache child process entering an infinite loop. This affects httpd versions up to and including 2.0.50. |
| Alerts: | |
Comments (none posted)
apache2: IPv6 denial of service
| Package(s): | httpd apache2 |
| CVE #(s): | CAN-2004-0747, CAN-2004-0751, CAN-2004-0786, CAN-2004-0809 |
| Created: | September 15, 2004 |
| Updated: | October 6, 2004 |
| Description: | Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux. |
| Alerts: | |
Comments (none posted)
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2004-0827 |
| Created: | September 16, 2004 |
| Updated: | November 30, 2004 |
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
Comments (none posted)
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
| CVE #(s): | CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746 |
| Created: | August 12, 2004 |
| Updated: | October 4, 2004 |
| Description: | Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country specific secondary top level domains. |
| Alerts: | |
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS. |
| Alerts: | |
Comments (none posted)
kernel information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0415 |
| Created: | August 3, 2004 |
| Updated: | October 26, 2004 |
| Description: | Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7. A fix for this problem was added to the fifth 2.4.27 release candidate. |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
lha: stack-based buffer overflow
| Package(s): | lha |
| CVE #(s): | CAN-2004-0769, CAN-2004-0771, CAN-2004-0694, CAN-2004-0745 |
| Created: | September 2, 2004 |
| Updated: | October 14, 2004 |
| Description: | The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive. |
| Alerts: | |
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
| CVE #(s): | CAN-2004-0687, CAN-2004-0688 |
| Created: | September 16, 2004 |
| Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in the libXpm code of
XFree86 that may be used for a denial of service.
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
| CVE #(s): | CAN-2004-0494 |
| Created: | September 2, 2004 |
| Updated: | January 5, 2005 |
| Description: |
Midnight Commander has a vfs vulnerability with shell quoting in extfs perl
scripts.
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
denial of service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; because that release did not
fully fix it, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
| CVE #(s): | CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908 |
| Created: | September 20, 2004 |
| Updated: | January 13, 2005 |
| Description: |
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
Comments (none posted)
mpg123: buffer overflow bug
| Package(s): | mpg123 |
| CVE #(s): | CAN-2004-0805 |
| Created: | September 16, 2004 |
| Updated: | January 11, 2005 |
| Description: |
The mpg123 audio playing utility has a buffer overflow bug that may allow
arbitrary execution of code.
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: |
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Comments (1 posted)
OpenOffice: information disclosure
| Package(s): | openoffice.org |
| CVE #(s): | CAN-2004-0752 |
| Created: | September 15, 2004 |
| Updated: | October 20, 2004 |
| Description: |
OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
| CVE #(s): | CAN-2004-0456 |
| Created: | June 30, 2004 |
| Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a remotely exploitable hole
in PHP (through version 4.3.7). If the memory_limit feature is in use (as
it should be, to prevent denial of service attacks), allocation failures
can be forced at highly inopportune times, and those failures can be
exploited to execute arbitrary code. The exploit is described as "quite
easy," and it can be done regardless of whether Apache1 or Apache2 is in
use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release
also contains the fix (but the final release candidate did not).
Comments (none posted)
phpGroupWare: cross site scripting vulnerability
| Package(s): | phpgroupware |
| CVE #(s): | |
| Created: | September 16, 2004 |
| Updated: | September 22, 2004 |
| Description: |
The wiki module in phpGroupWare has a cross-site scripting vulnerability.
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
| CVE #(s): | |
| Created: | August 5, 2004 |
| Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that can allow an
SSH server to execute arbitrary code on a connecting client.
Comments (none posted)
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
| CVE #(s): | CAN-2004-0691, CAN-2004-0692, CAN-2004-0693 |
| Created: | August 19, 2004 |
| Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
| CVE #(s): | CAN-2004-0792 |
| Created: | August 16, 2004 |
| Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync advisory reports that there is a path-sanitizing
bug that affects daemon mode in all recent rsync versions (including
2.6.2), but only if chroot is disabled. It does NOT affect the normal
send/receive filenames that specify what files should be transferred
(because these names happen to get sanitized twice, and the second call
removes any lingering leading slash(es) that the first call left behind).
It does affect certain option paths that cause auxiliary files to be read
or written.
Comments (none posted)
ruby: insecure file permissions
| Package(s): | ruby |
| CVE #(s): | CAN-2004-0755 |
| Created: | August 16, 2004 |
| Updated: | October 14, 2004 |
| Description: |
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can allow an attacker who also has shell access to the
webserver to take over a session.
Comments (none posted)
Samba: Denial of Service vulnerabilities
| Package(s): | samba |
| CVE #(s): | CAN-2004-0807, CAN-2004-0808 |
| Created: | September 13, 2004 |
| Updated: | September 22, 2004 |
| Description: |
There is a defect in smbd's ASN.1 parsing. A bad packet received during
the authentication request could throw newly-spawned smbd processes
into an infinite loop (CAN-2004-0807). Another defect was found in
nmbd's processing of mailslot packets, where a bad NetBIOS request
could crash the nmbd process (CAN-2004-0808). See this advisory for details.
Comments (none posted)
SnipSnap: HTTP errors
| Package(s): | snipsnap-bin |
| CVE #(s): | |
| Created: | September 22, 2004 |
| Updated: | September 22, 2004 |
| Description: |
SnipSnap, a content management system, is vulnerable to several "HTTP response splitting" attacks, leading to cross-site scripting and cache poisoning problems. Version 1.0_beta1 fixes things.
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
| CVE #(s): | CAN-2004-0557 |
| Created: | July 28, 2004 |
| Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
| CVE #(s): | CAN-2004-0796 |
| Created: | August 9, 2004 |
| Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified denial of service vulnerability. By
sending a specially crafted message, an attacker could mount a denial of
service attack against the SpamAssassin service.
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
| CVE #(s): | CAN-2004-0541 |
| Created: | June 9, 2004 |
| Updated: | September 30, 2004 |
| Description: |
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2004-0519, CAN-2004-0520, CAN-2004-0521 |
| Created: | May 21, 2004 |
| Updated: | October 4, 2004 |
| Description: |
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0413 |
| Created: | June 11, 2004 |
| Updated: | March 7, 2005 |
| Description: |
Subversion has a remote denial of service vulnerability that may allow a
server that runs svnserve to execute arbitrary code. See this advisory for
more information.
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
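The per-member check an extractor needs in order to make such an archive harmless, as an added example (not code from GNU tar or unzip): rather than only stripping a leading "../", it rejects absolute names and any ".." component anywhere in the path, and the member names it is run over are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if joining `name` to the extraction directory cannot leave it: the
 * name is non-empty, relative, and has no ".." component.  "." components,
 * a leading "./", repeated slashes and names that merely start with ".."
 * (such as "..hidden") are all allowed. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;                       /* empty or absolute */
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* "..": climbs out of the tree */
        if (slash == NULL)
            return true;
        p = slash + 1;                      /* next component (may be empty) */
    }
}

/* Apply the check to a whole member list and return how many entries an
 * extractor should refuse to create. */
size_t count_unsafe_members(const char *const *names, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!member_name_is_safe(names[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed member names in the style a hostile archive might carry;
     * note that the second one would pass a check that only strips a
     * leading "../". */
    static const char *const members[] = {
        "project/README", "project/../../../../etc/passwd", "/etc/motd",
        "./notes/todo.txt", "..hidden/config", "a//../b",
    };
    size_t n = sizeof members / sizeof members[0];
    for (size_t i = 0; i < n; i++)
        printf("%-36s %s\n", members[i],
               member_name_is_safe(members[i]) ? "ok" : "REJECT");
    printf("%zu of %zu members rejected\n", count_unsafe_members(members, n), n);
    return 0;
}
```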
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
| CVE #(s): | CAN-2004-0183, CAN-2004-0184 |
| Created: | March 30, 2004 |
| Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: |
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Comments (none posted)
Webmin, Usermin: Multiple vulnerabilities in Usermin
| Package(s): | webmin usermin |
| CVE #(s): | CAN-2004-0559 |
| Created: | September 13, 2004 |
| Updated: | September 23, 2004 |
| Description: |
There is an input validation bug in the webmail feature of Usermin.
Additionally, the Webmin and Usermin installation scripts write to
/tmp/.webmin without properly checking if it exists first.
The first vulnerability allows a remote attacker to inject arbitrary
shell code in a specially-crafted e-mail. This could lead to remote
code execution with the privileges of the user running Webmin or
Usermin.
The second could allow local users who know Webmin or Usermin is going
to be installed to have arbitrary files overwritten by creating a
symlink named /tmp/.webmin that points to some target file, e.g.
/etc/passwd.
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
| CVE #(s): | CAN-2004-0645 |
| Created: | July 14, 2004 |
| Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, have enabled SOCKS 5 traversal (which is disabled by default), and
also connect to an attacker's custom proxy server. This vulnerability may
allow an attacker to run arbitrary code within the context of the user ID
of the XChat client.
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: |
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
The current 2.6 prepatch is still 2.6.9-rc2; there have been no
2.6.9 prepatches since September 13.
Patches continue to accumulate in Linus's BitKeeper repository; changes
queued up for -rc3 include the re-merging of the two in-kernel software
suspend mechanisms, an XFS update, a new
wait_event_timeout() primitive,
more __iomem annotations
(see The September 16 Kernel Page), new
sparse annotations intended to flush out byte endianness errors, an NTFS
update, ethtool support in the loopback driver, m32r architecture support,
the "string" I/O memory access
functions, support for more than eight partitions on BSD-labeled disks,
some User-mode Linux cleanups, a tunable "max sectors" limit for block I/O
requests (a latency reduction feature), a new prctl() option
allowing programs to change their name, some shared memory scalability
improvements, and a change in TCP ICMP source quench behavior (such
messages are simply ignored now).
The current prepatch from Andrew Morton is 2.6.9-rc2-mm4. Recent changes to -mm include
the "big kernel semaphore" patch (see the
September 16 Kernel Page), a consolidation of the x86-64 and i386
no-exec code, a remap_page_range() API change (see below), a
rework of the filesystem external attribute code, the "Single Priority
Array" scheduler, kernel crash dumps through kexec, and library functions
implementing a simple circular buffer structure.
The current 2.4 prepatch remains 2.4.28-pre3, which was released on
September 11.
Comments (1 posted)
Kernel development news
Harald Welte has posted the proceedings from the 2004 Netfilter Developer
Workshop. Click below for a plain text version; the proceedings are also
available in a number of other formats
over
here.
Full Story (comments: none)
Thomas Habets had an unfortunate experience recently. His Linux system ran
out of memory, and the dreaded "OOM killer" was loosed upon the system's
unsuspecting processes. One of its victims turned out to be his screen
locking program, leaving his session open to whoever might happen to walk
by. His response was
the oom_pardon patch,
which allows the system administrator to exempt certain processes from the
OOM killer's revenge. It turns out that SUSE has
a similar patch which allows administrators to
set the "OOM score" of specific processes, increasing or decreasing their
chances of being chosen for an untimely demise.
The OOM killer exists because the Linux kernel, by default, can commit to
supplying more memory than it can actually provide. Overcommitting memory
in this way allows the kernel to make fuller use of the system's resources,
because processes typically do not use all of the memory they claim. As an
example, consider the fork() system call, which copies all of a
process's memory for the new child process. In fact, all it does is to
mark the memory as "copy on write" and allow parent and child to share it.
Should either change a page shared in this way, a true copy is made. In
theory, the kernel could be called upon to copy all of the copy-on-write
memory in this way; in practice, that does not happen. If the kernel
reserved all of the necessary virtual memory (which includes swap space),
some of that space would certainly go unused. Rather than waste that space
- and fail to run programs or memory allocations that, in practice, it
could have handled - the kernel overcommits itself and hopes for the best.
When the best does not happen, the OOM killer comes into play; its job is
to kill processes and free up some memory. Getting it to kill the right
processes has been an ongoing challenge, however. One person's useless
memory hog is another's crucial application. Thus, over the years,
numerous efforts have been made to refine the OOM killer's heuristics, and
patches like "oom_pardon" have been created.
Not everybody agrees that this is a fruitful use of developer time.
Andries Brouwer came up with this analogy:
An aircraft company discovered that it was cheaper to fly its
planes with less fuel on board. The planes would be lighter and use
less fuel and money was saved. On rare occasions however the amount
of fuel was insufficient, and the plane would crash. This problem
was solved by the engineers of the company by the development of a
special OOF (out-of-fuel) mechanism. In emergency cases a passenger
was selected and thrown out of the plane. (When necessary, the
procedure was repeated.) A large body of theory was developed and
many publications were devoted to the problem of properly selecting
the victim to be ejected. Should the victim be chosen at random?
Or should one choose the heaviest person? Or the oldest? Should
passengers pay in order not to be ejected, so that the victim would
be the poorest on board? And if for example the heaviest person was
chosen, should there be a special exception in case that was the
pilot? Should first class passengers be exempted? Now that the OOF
mechanism existed, it would be activated every now and then, and
eject passengers even when there was no fuel shortage. The
engineers are still studying precisely how this malfunction is
caused.
Overcommitting memory and fearing the OOM killer are not necessary parts of
the Linux experience, however. Simply setting the sysctl parameter
vm/overcommit_memory to 2 turns off the overcommit
behavior and keeps the OOM killer forever at bay. Most modern systems
should have enough disk space to provide an ample swap file for most
situations. Rather than trying to keep pet processes from being killed
when overcommitted memory runs out, it might be easier just to avoid the
situation altogether.
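The check an administrator would want to run before flipping that sysctl, as an added example that is not from the article: a small C program that reads vm/overcommit_memory, vm/overcommit_ratio and /proc/meminfo and reports the commit limit strict mode would impose. The limit formula (SwapTotal plus MemTotal scaled by overcommit_ratio) is the one given in the kernel's overcommit accounting documentation; the program assumes no hugetlb pages are reserved, and compares Committed_AS against the limit so you can see whether the current workload would already be refused memory under mode 2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Human-readable meaning of the three vm.overcommit_memory policies. */
const char *overcommit_mode_name(int mode)
{
    switch (mode) {
    case 0: return "heuristic (default; OOM killer possible)";
    case 1: return "always overcommit (OOM killer possible)";
    case 2: return "strict accounting (allocations fail instead)";
    default: return "unknown";
    }
}

/* Commit limit (kB) that mode 2 enforces, from the kernel's documented
 * formula; totals are in kB and the ratio is a percentage.  Assumes no
 * hugetlb pages (which the kernel subtracts from MemTotal first). */
unsigned long long strict_commit_limit_kb(unsigned long long mem_total_kb,
                                          unsigned long long swap_total_kb,
                                          unsigned int overcommit_ratio)
{
    return swap_total_kb + mem_total_kb * overcommit_ratio / 100;
}

/* Find "Key:   12345 kB" in /proc/meminfo text.  Returns 1 and sets *out
 * when the key is present, 0 otherwise. */
int meminfo_value_kb(const char *meminfo, const char *key, unsigned long long *out)
{
    size_t klen = strlen(key);
    const char *p = meminfo;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            *out = strtoull(p + klen + 1, NULL, 10);
            return 1;
        }
        p = strchr(p, '\n');            /* advance to the next line */
        if (p != NULL)
            p++;
    }
    return 0;
}

/* Read a small text file (a /proc entry) into buf; returns bytes read or -1. */
static long read_small_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char meminfo[8192], small[32];
    if (read_small_file("/proc/sys/vm/overcommit_memory", small, sizeof small) < 0 ||
        read_small_file("/proc/meminfo", meminfo, sizeof meminfo) < 0) {
        fprintf(stderr, "cannot read the Linux /proc entries\n");
        return 1;
    }
    int mode = atoi(small);
    unsigned int ratio = 50;            /* kernel default if the file is unreadable */
    if (read_small_file("/proc/sys/vm/overcommit_ratio", small, sizeof small) > 0)
        ratio = (unsigned int)atoi(small);

    unsigned long long mem = 0, swap = 0, committed = 0;
    meminfo_value_kb(meminfo, "MemTotal", &mem);
    meminfo_value_kb(meminfo, "SwapTotal", &swap);
    meminfo_value_kb(meminfo, "Committed_AS", &committed);

    unsigned long long limit = strict_commit_limit_kb(mem, swap, ratio);
    printf("vm.overcommit_memory = %d: %s\n", mode, overcommit_mode_name(mode));
    printf("strict-mode commit limit: %llu kB (SwapTotal %llu kB + MemTotal %llu kB * %u%%)\n",
           limit, swap, mem, ratio);
    printf("Committed_AS: %llu kB -> %s under strict mode\n", committed,
           committed > limit ? "already over the limit" : "fits");
    return 0;
}
```

A Committed_AS figure above the computed limit means that switching to mode 2 would make new allocations start failing immediately, so the swap space (or the ratio) needs adjusting first.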
Comments (22 posted)
Last month we looked at a possible change to
the heavily-used
remap_page_range() function as a way of making
io_remap_page_range() be the same on all architectures. Since
then, a driver author has stepped forward with a different problem: he
wants to remap some reserved memory which sits above the 4GB memory
boundary. Since
remap_page_range() takes a 32-bit "start"
address, it cannot be used to remap memory above that boundary.
In response, William Lee Irwin has posted a
series of patches which changes remap_page_range() to:
int remap_pfn_range(struct vm_area_struct *vma, unsigned long from,
unsigned long pfn, unsigned long size,
pgprot_t prot);
The old "start" address has been changed to pfn, which is a page
frame number. Since these mappings can only happen on page boundaries,
this change does not take away any old functionality. It does,
however, make twelve bits (typically) of address space available, making it
possible to remap memory well above 4GB.
William's patches fix all in-kernel callers of remap_page_range(),
of which there are several dozen, and removes the old interface
altogether. He also manages to eliminate a fair amount of related code -
it seems that large numbers of drivers have their own, private copy of
kvirt_to_pa(), which obtains a physical address for memory from
vmalloc(). For in-kernel users, the change should be a purely
positive thing. Out-of-kernel drivers which use
remap_page_range() will have to be fixed, however.
These patches have found their way into the -mm tree, and are thus likely
to end up in the mainline eventually.
Comments (none posted)
It is not uncommon for applications to want to know when something happens
within a subtree of a filesystem. File managers are the most obvious
example; if an application creates a new file within a directory
represented in a file manager, users really like to see that new file show
up, quickly. One could also imagine other sorts of applications - such as
security monitoring code or just daemons wanting to know when their
configuration files have changed - which can benefit from being told about
filesystem activity.
The Linux mechanism for communicating filesystem events to user space is
called "dnotify." A program watches a directory by opening it, then
issuing a fcntl(F_NOTIFY) call. Thereafter, changes in that
directory will result in a SIGIO signal being sent to the process,
which can then dig through its cached information and try to figure out
just what happened. People like to complain about dnotify; the interface
is ugly (signals are a pain), it is hard to figure out what the changes
are, it requires keeping files open and thus blocks the unmounting of
removable media, etc. So there has long been interest in a replacement.
The most visible effort in that direction is inotify, which has been under
development (by John McCutchan) for some time now; recently Robert Love has
jumped in to help the project along. inotify
0.11 was released on September 28, and an increasingly strong push
is being made to get it included into -mm for wider exposure and testing.
inotify works through a new character pseudo-device. Any application which
wants to monitor filesystem activity need only open /dev/inotify
and issue one of two ioctl() commands to it:
- INOTIFY_WATCH
- This call provides a filename and a mask of desired events; inotify
will begin watching the given file (or directory) for activity.
- INOTIFY_IGNORE
- This call will stop the stream of events for the given file.
Quite a few possible events can be watched for: IN_ACCESS (the
file was accessed), IN_MODIFY (the file was changed),
IN_ATTRIB (file attributes changed), IN_OPEN and
IN_CLOSE (for open and close events), IN_MOVED_FROM and
IN_MOVED_TO (when files are renamed), IN_CREATE_SUBDIR
and IN_DELETE_SUBDIR (creation and deletion of subdirectories),
IN_CREATE_FILE and IN_DELETE_FILE (creation and deletion
of files within a directory), IN_DELETE_SELF (when a monitored
file is deleted), IN_UNMOUNT (when the filesystem containing the
file is unmounted), and a couple of others. The events themselves are
obtained by simply reading from the device. Thus a program can block on
the device itself, or use poll() to incorporate notifications into
a larger event-processing loop. No signals are involved.
The actual implementation of inotify is relatively simple. The in-core
inode structure is augmented with a linked list of processes interested in
events involving that inode. When an INOTIFY_WATCH call is made,
an entry is made in the corresponding list (and the inode is pinned into
memory for the duration). Various parts of the filesystem code get an
extra inotify_inode_queue_event() call when an action succeeds.
The rest is just the usual overhead of maintaining lists of events for
processes, waking those processes up when new events arrive, etc.
While most interest and activity seems to be around
inotify, it is not the only dnotify replacement in circulation; nonotify is an alternative. There
are also some remaining issues about the interface exported by inotify. It
has been suggested that the inotify ioctl() calls should take file
descriptors rather than file names; that change would eliminate problems in
dealing with long file names and would also make access control checks
happen automatically. The interface would have to be done in such a way
that the application could close the file and still receive events, though;
otherwise dnotify's problems with unmount blocking and excessive use of
file descriptors would just come back again. These issues notwithstanding,
inotify looks like it is headed for inclusion into a mainline kernel in the
not-too-distant future.
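The inotify that was eventually merged into the mainline (2.6.13) dropped the /dev/inotify ioctls described above in favour of inotify_init() and inotify_add_watch() system calls, but kept the idea of reading a stream of variable-length event records from a descriptor. As an added example on that merged interface (not code from the inotify project or from this article), a small watcher for a configuration directory, with the record-walking logic the read() stream requires; the sample event stream is constructed inside the block, and the event names (IN_CREATE rather than IN_CREATE_FILE) are those of the merged API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

typedef void (*inotify_event_cb)(const struct inotify_event *ev, void *arg);

/* Walk a buffer filled by read() on an inotify descriptor.  Records are
 * variable length: sizeof(struct inotify_event) plus ev->len bytes of
 * NUL-padded name (ev->len is 0 for events about the watched object itself).
 * Returns the record count, or -1 if the buffer ends mid-record. */
int inotify_walk_buffer(const char *buf, size_t len, inotify_event_cb cb, void *arg)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < sizeof(struct inotify_event))
            return -1;
        const struct inotify_event *ev = (const struct inotify_event *)(buf + off);
        size_t rec = sizeof(struct inotify_event) + ev->len;
        if (rec > len - off)
            return -1;
        if (cb != NULL)
            cb(ev, arg);
        off += rec;
        count++;
    }
    return count;
}

/* Append one record to out in the kernel's layout (name NUL-padded to a
 * multiple of 16 bytes); used here only to construct sample input offline. */
size_t inotify_build_record(char *out, int wd, uint32_t mask, const char *name)
{
    struct inotify_event ev;
    memset(&ev, 0, sizeof ev);
    ev.wd = wd;
    ev.mask = mask;
    size_t nlen = name ? strlen(name) + 1 : 0;      /* the name and its NUL */
    ev.len = (uint32_t)((nlen + 15) & ~(size_t)15);
    memcpy(out, &ev, sizeof ev);
    memset(out + sizeof ev, 0, ev.len);
    if (name)
        memcpy(out + sizeof ev, name, nlen);
    return sizeof ev + ev.len;
}

/* Constructed sample stream (not captured from a kernel): a config file is
 * created and modified, then the watched directory itself is deleted. */
size_t inotify_sample_stream(char *out)
{
    size_t n = 0;
    n += inotify_build_record(out + n, 1, IN_CREATE, "sshd_config");
    n += inotify_build_record(out + n, 1, IN_MODIFY, "sshd_config");
    n += inotify_build_record(out + n, 1, IN_DELETE_SELF, NULL);
    return n;
}

static void print_event(const struct inotify_event *ev, void *arg)
{
    (void)arg;
    printf("wd=%d mask=0x%08x name=%s\n", ev->wd, ev->mask,
           ev->len ? ev->name : "(watched object itself)");
}

/* With a directory argument, watch it live (a config directory, say) and print
 * events as they are read; without one, decode the constructed sample. */
int main(int argc, char **argv)
{
    static char buf[4096] __attribute__((aligned(16)));
    if (argc < 2)
        return inotify_walk_buffer(buf, inotify_sample_stream(buf), print_event, NULL) < 0;
    int fd = inotify_init();
    uint32_t want = IN_CREATE | IN_MODIFY | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO |
                    IN_ATTRIB | IN_DELETE_SELF;
    if (fd < 0 || inotify_add_watch(fd, argv[1], want) < 0) {
        perror("inotify");
        return 1;
    }
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);      /* blocks; poll() also works */
        if (n <= 0 || inotify_walk_buffer(buf, (size_t)n, print_event, NULL) < 0)
            break;                                  /* read error or truncated buffer */
    }
    close(fd);
    return 1;
}
```

Note that the watch keeps only the inotify descriptor open, not the watched directory, which is exactly the unmount-blocking problem with dnotify that the article describes.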
Comments (17 posted)
Patrick Mochel may have been expecting to start a flame war with
this patch, which changes most of the driver
core functions to be exported only to GPL-licensed modules. The affected
functions include the bus-level code, classes (but not
class_simple),
device_register() and friends, the
platform and system bus functions, low-level sysfs functions, and the
kobject primitives. In fact, the flame war failed to materialize; nobody
seems to be upset by these changes. Whether Patrick is pleased or
disappointed by the silence is for him to say.
The affected functions are a fundamental component of the Linux driver
model; they are used by every device driver and filesystem, and by many
other parts of the kernel as well. Even so, few, if any, proprietary
modules will be affected by this change. The interfaces used by most
modules are built on top of - and hide - the driver core. Thus, it is a
rare driver which calls device_register(); instead, something like
usb_register_dev() is used. Those upper-layer functions remain
exported to all modules.
So why make the change? Patrick's reasoning is that he wants all users of
the low-level functions to be part of the mainline kernel tree.
In short, being able to audit all of the users of these functions
is necessary to their continued evolution (whatever that may
entail). It would make the most sense if all users were part of the
kernel, and it makes little sense to support their use by any
unknown or binary modules.
As the kernel tree becomes more dynamic internally, it will be increasingly
hard for external modules - free or not - to keep up with the changes. It
would not be surprising to see ever more "encouragement" to merge external
modules into the mainline. Code which remains outside will require a
higher level of maintenance, or it is likely to break frequently.
Comments (16 posted)
Patches and updates
Kernel trees
Core kernel code
Device drivers
Filesystems and block I/O
Memory management
Architecture-specific
Security-related
- Kristian Sørensen: Umbrella 0.4.1. (September 27, 2004)
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
The announcement couldn't have been hidden more carefully. Unlike "Taroon",
the previous public beta of Red Hat Enterprise Linux (RHEL), the first beta
of RHEL 4, code name "Nahant", was not announced on the Red Hat Watch
mailing list, nor was it mentioned anywhere on Red Hat's web site. In fact,
the only place the announcement was sent to was the just-established Nahant
Beta List, which couldn't have had many subscribers other than a handful of
RHEL developers. But whatever the reason for this secrecy, the fact is that
Red Hat Enterprise Linux 4 has now officially entered a public beta testing
phase. We downloaded the four-ISO image set of RHEL Enterprise Server to
take an early look.
First some general information. RHEL 4 is being developed in parallel
with Fedora Core 3, which has been in beta testing since July. Some
would have expected RHEL 4 to be based on the earlier and
well-established Fedora Core 2, but remember that Fedora 3 will be released
early in November this year, while RHEL 4 final is not expected until
perhaps April or May next year. This will give Red Hat developers an extra
5 - 6 months to finalize the product and to iron out any outstanding
bugs not caught during the Fedora Core 3 beta testing period.
The platform support and product range have changed little since RHEL 3,
the only exception being the low-cost Red Hat Enterprise Linux ES,
which, in addition to i386, is now also built for ia64 and x86_64
architectures. Here is a quick summary of what is available for each
hardware platform:
- i386: Advanced Server, Desktop, Enterprise Server, Workstation
- ia64: Advanced Server, Enterprise Server, Workstation
- ppc: Advanced Server
- s390: Advanced Server
- s390x: Advanced Server
- x86_64: Advanced Server, Desktop, Enterprise Server,
Workstation
Besides platform support and price, the main difference between RHEL
Enterprise Server (ES) and RHEL Advanced Server (AS) is in their
respective target systems. RHEL ES is designed for small and medium-sized
businesses using systems with up to two CPUs and 8 GB of memory;
in contrast, RHEL AS is intended for large departmental and data center
servers with up to 16 CPUs and 64 GB of RAM. On the client side, there
is little difference between RHEL Desktop and RHEL WS from a technical
point of view and packages included, but RHEL Desktop is sold as a
package of either 10 or 50 units with management modules for mass
deployments, while RHEL Workstation can be purchased as a stand-alone
product.
Apart from an extra Red Hat Network account screen during the
post-install configuration, installing RHEL 4 doesn't differ much from
installing any recent test build of Fedora Core 3. A subscription to
Red Hat Network is, of course, an integral part of any RHEL product,
providing updates and errata for the duration of the subscription
period. RHEL 3 users will also note a new option to select one of
three SELinux states. The default is "Active" (enforcing mode): the
loaded policy is enforced, and any access it does not allow is denied,
even to processes running as root. At the other end of the spectrum is
the self-explanatory "Disabled" state, in which no policy is loaded;
note that files created while SELinux is disabled get no security
labels, so switching back to an active state later requires a relabel
of the filesystem. The third state, "Warn" (permissive mode), loads the
policy but does not enforce it: every access the policy would have
denied is allowed and recorded as an "avc: denied" message in the
kernel log (and in the audit log, if auditd is running). This is the
way to evaluate SELinux, and it is designed for those users who would
eventually like to enforce the policy but are nervous about its
possible effects on their system's operation: run in "Warn" mode long
enough for the normal workload to trip whatever it is going to trip,
then fix the labels or the policy before turning enforcement on.
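The three states and the evidence that "Warn" mode is meant to produce, as an added example by the editor rather than code from the LWN article or from Red Hat. The script maps the installer's labels to the values written to /etc/selinux/config, reads that file back, and aggregates AVC denial messages from a kernel log into one line per distinct (source context, target context, class, permission) tuple, which is the list an administrator works through before switching to "Active". The config file and the log lines are constructed; the AVC line layout follows what a 2.6.8-era kernel prints.

```shell
#!/bin/sh
# Added example by the editor; not code from the LWN article or from Red Hat.
# Maps the installer's three labels to the values written to
# /etc/selinux/config, reads that file back, and summarizes AVC denial
# messages from a kernel log: the evidence that "Warn" (permissive) mode
# exists to collect before a system is switched to "Active" (enforcing).
# The config and log samples below are constructed; the AVC line layout
# follows what a 2.6.8-era kernel prints.

# Installer label -> SELINUX= value in /etc/selinux/config.
selinux_config_value() {
    case "$1" in
        Active)   echo enforcing ;;
        Warn)     echo permissive ;;
        Disabled) echo disabled ;;
        *)        echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# Effective SELINUX= setting from a config file ($1): comments are
# ignored and, as with the real file, the last assignment wins.
selinux_mode_from_config() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Aggregate "avc:  denied" lines from a log ($1), one line per distinct
# (source context, target context, object class, permission set),
# most frequent first: "<count> <scontext> <tcontext> <tclass> { <perms> }".
# The pid, executable and inode are dropped so that repeats collapse.
summarize_avc_denials() {
    grep 'avc:  denied' "$1" \
    | sed -n 's/.*avc:  denied  {\([^}]*\)} for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 {\1}/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed /etc/selinux/config as the installer would write it for "Warn".
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
#   enforcing  - the policy is enforced
#   permissive - the policy is loaded, denials are only logged
#   disabled   - no policy is loaded
SELINUX=permissive
SELINUXTYPE=targeted
EOF
}

# Constructed kernel log: three denials (two of them the same access) and
# one granted message, which the summary must ignore.
write_sample_avc_log() {
    cat > "$1" <<'EOF'
audit(1096460000.101:12): avc:  denied  { read } for  pid=2210 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=40813 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1096460000.102:13): avc:  denied  { read } for  pid=2210 exe=/usr/sbin/httpd name=logo.png dev=hda3 ino=40814 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1096460001.500:14): avc:  denied  { name_bind } for  pid=2300 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
audit(1096460002.000:15): avc:  granted  { setenforce } for  pid=2400 exe=/usr/sbin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
EOF
}

# Stand-alone demonstration.
cfg=$(mktemp) && log=$(mktemp)
write_sample_config "$cfg"
write_sample_avc_log "$log"
echo "installer 'Warn' writes SELINUX=$(selinux_config_value Warn); file says: $(selinux_mode_from_config "$cfg")"
summarize_avc_denials "$log"
rm -f "$cfg" "$log"
```

The summary deliberately throws away the per-process details: what matters for deciding whether a denial is a mislabeled file or a policy gap is the pair of contexts and the class, and two hundred identical lines from one daemon should read as one entry with a count.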
Like SUSE LINUX Enterprise Server (SLES) 9, the default installation of
RHEL 4 is a full graphical system. Beta 1 comes with a preview release
of GNOME 2.8 as the default desktop environment (KDE 3.3.0 is also
included). Although it is possible to install a text-only system by
deselecting the GNOME package set during installation, a graphical
system will benefit less experienced system administrators, who will
appreciate the many graphical utilities for painless configuration of
Apache, Samba, NFS and other server applications, as well as the easy
setup of the Red Hat Network update service. GNOME 2.8 also brings the
new keyring daemon, which stores application passwords on the user's
behalf. A separate convenience, older than GNOME 2.8, shows up as soon as
the first graphical configuration tool asks for the root password: a
key-set icon appears in the system tray to indicate that the password
will not be asked for again during the next five minutes (the default).
That caching is done by Red Hat's pam_timestamp module on behalf of the
consolehelper wrapper the system-config tools run through, not by the
GNOME keyring; the window is set per service with the module's
timestamp_timeout option in /etc/pam.d/, and it is worth keeping short,
since while it is open any program running in that session can start
the same root-privileged tools without being asked for a password.
Besides the newly included SELinux functionality, users familiar with
RHEL 3 will notice several other changes. Red Hat has now moved to
Linux kernel 2.6 (2.6.8 to be exact), XFree86 has been replaced with
X.Org (version 6.8.0), CVS with Subversion (1.0.6), UW IMAP with Cyrus
IMAP (2.2.6) and OSS sound modules with ALSA (1.0.6). The package
supplying the Logical Volume Manager (LVM, now developed by Red Hat after
its acquisition of Sistina earlier this year) is now called lvm2 (version
2.00.21), and it comes with many new features and commands. Users of
Asian languages will be pleased to know that the various input
method servers have now been deprecated in favor of IIIMF
(Internet/Intranet Input Method Framework), a multilingual Unicode
input framework which enables easy switching between languages, input
methods and character sets, and it even allows for mixing different
character sets in documents. Additionally, support for several Indic
languages, including Bengali, Hindi, Punjabi and Tamil, is now
available in the Anaconda installer and throughout most GTK+
applications.
Overall, the list of newly added features in this beta release of RHEL 4
is impressive. What is needed now is intensive testing on all
architectures to determine the capabilities and stability of the 2.6
kernel under extreme conditions. Then some 6 months down the road, when
all the known bugs have been ironed out, RHEL 4 will undoubtedly
provide enough reasons for many system administrators and IT decision
makers to upgrade, deploy or migrate.
Comments (10 posted)
Distribution News
Martin Krafft has put together
an
organization chart for the Debian Project. PDF and PostScript versions
are
also
available. If you have ever wondered how it all fits together, this
chart is, at least, a place to start.
The Debian Weekly News for September 28,
2004 is out. This week's issue covers an OSCON talk on the use of Free
Software in a Debian-based large scale web application, a Sarge release
update, a surveillance robot powered by Debian, and more.
Steve Langasek provides a Sarge release
update covering, in particular, "Qt, arts, arm, yes; freeze date,
no".
Jeroen van Wolffelaar adds this message to
package maintainers. "Executive summary: If you maintain one or
more packages that are out-of-sync in sarge, please go to
http://www.wolffelaar.nl/~sarge/, read the guidelines, login, lookup your
own packages, and fill in the questions."
Andreas Barth looks at bts2ldap-gateway:
updates.
Martin "joey" Schulze provides a status
report on the progress of the third revision of the current stable
version (woody).
Comments (none posted)
The Gentoo Weekly Newsletter for the week of September 27, 2004 is out.
This edition revisits Gentoo documentation and other topics.
Full Story (comments: none)
The
fifth edition of Ubuntu Traffic is available; it looks at GNOME
bindings, daily CD images, Mono packages, the Technical Board, and more.
Comments (1 posted)
The
DistroWatch
Weekly for September 27, 2004 covers Fedora Core 3, Debian Sarge,
Hiweed GNU/Linux and more.
Comments (none posted)
Red Hat has
announced
the release of Red Hat Enterprise Linux 4 (Nahant) Beta 1. "
Red
Hat Enterprise Linux 4 is the first RHEL release based on the 2.6 Linux
kernel. We are particularly interested in feedback on hardware
compatibility including sound, video, networking, storage device, and USB
support on both server and desktop-class systems."
Comments (8 posted)
Udev testers on Fedora will be interested in
this website that
"
tries to reveal the secrets of udev and how it works on
Fedora".
Fedora Core 2 updates:
Comments (none posted)
This week the
slackware-current changelog shows upgrades to GNU automake-1.9.2, GNU
libtool-1.5.10, oprofile-0.8.1, GNU gmp-4.1.4, bind-9.3.0, xsane-0.96,
php-5.0.2, GNU gawk-3.1.4, mdadm-1.7.0, gkrellm-2.2.4, and more.
Comments (none posted)
New Distributions
TURKIX is a Mandrake based live Linux
distribution with support for Turkic languages like Turkish and
Azerbaijani. The second major release (2.0) will be in English. TURKIX
comes with a rehack of the rpm packaging system, called "rpmx", an embedded
wrapper around rpm that understands the new virtual file hierarchy used by
TURKIX. This hierarchy is designed to make Windows and MacOS users feel at
home while getting them acquainted with the classical UNIX file hierarchy.
TURKIX joins the list at version 1.9, released September 26, 2004.
Comments (none posted)
SAM is a bootable Linux-CD based on
Mandrakelinux. Installation on hard drive is not necessary with SAM, but
it is possible. SAM is under 210 MB, so it fits on an 8 cm mini-CD and is
ideal for carrying in the pocket. Although it is small, it contains a full
graphical desktop environment with office, Internet, multimedia and
graphics applications, and even a few games. SAM joins the list at
TestRelease 1.0, released September 28, 2004.
Comments (none posted)
Minor distribution updates
H3Knix has released
v1.5.2
with major feature enhancements. "
Changes: This version features new
install scripts, a rebuild of the base with more included libraries and
applications, a new init for fast boot/low overhead, and new custom
tools."
Comments (none posted)
LormaLINUX has
released the
first of a new line of server products. Server Edition 1.0beta 1 - LTSP
Server combines the optimization, customization and features of Lormalinux
5 Workstation for low-powered thin client terminals, ideal for the
classroom environment.
Comments (none posted)
slimlinux has released
v0.8.0.
"
Changes: A minimal distribution of XFree86 4.2.0, yeahwm 0.2.0,
ratpoison 1.3.0, nano 1.2.4, mawk 1.33, mcdp 0.4, aumix 2.8, and bplay 0.99
were added. retawq 0.2.5a and OSS support were updated. zile, clex, and
cmdftp were removed. From this release onward, there is no floppy version,
only a FAT16/32 version. The system uses 16 MB of RAM, and the framebuffer
console display is required."
Comments (none posted)
Newsletters and articles of interest
Vnunet
suggests
the use of CD-based Linux distributions for evaluating Linux.
"
Though different live options target different markets, most offer more or less automatic network configuration and a graphical desktop environment with supplied office suites, browsers and applications.
There's also mileage in live distributions for the experienced user. It's possible to customise some live variants, burn them to a fresh CD and use them as a portable, instant personalised Linux environment with a writeable home directory stored on a USB memory key."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
Virtual Data Center
is:
an operational, open-source, digital library to
enable the sharing of quantitative research data.
The project
acknowledgments include a long list of authors and contributors
working at the Harvard-MIT Data Center. The project is being
funded by the National Science Foundation's Digital Libraries Initiative.
The
project description gives a deeper description of what
VDC can be used for:
VDC provides a complete open-source, digital library system for the management, dissemination, exchange, and citation of virtual collections of quantitative data. The VDC functionality provides everything necessary to maintain and disseminate an individual collection of research studies: including facilities for the storage, archiving, cataloging, translation, and dissemination of each collection. On-line analysis is provided, powered by the R Statistical environment. The system provides extensive support for distributed and federated collections including: location-independent naming of objects, distributed authentication and access control, federated metadata harvesting, remote repository caching, and distributed virtual collections of remote objects.
Uses of VDC include:
- Study preparation for format conversion of data.
- Study management for data archiving and cataloging.
- Interoperability with data in a number of standard research formats.
- Dissemination of data including downloading, format conversion, and subset generation.
- On-line analysis for generating statistics and graphics.
- Distribution and federation for making the data available widely.
- Replication for creating and managing persistent dataset identifiers.
VDC is being used by a number of fairly high-profile
projects
including a social science data archive at the Harvard-MIT Data Center,
TheDataWeb: a collaboration between
the U.S. Census Bureau and the Centers for Disease Control,
Harvard University's Library Digital Initiative, and
the Henry A. Murray Research Center. You can take an online test drive
of VDC at the
HMDC VDC Server Virtual Data Center Site,
where a large collection of research papers is available.
The final version 1.0 of the Virtual Data Center (VDC)
was released this week.
"Release 1.0 provides all core features and contains no known bugs. Supported standards and protocols and formats include: DDI, Dublin Core, and MARC for metadata; R,SPSS, SAS,ASCII, and STATA for data; OAI and Z39.50 for queries; UNF's and Handle's for naming/citation.".
For further reading, the VDC
Documentation page contains a number of papers and other
reference material about the project.
The code is available for download
here;
packages are currently available for Red Hat Linux 9, Red Hat
Advanced Server 3 and Fedora Core 1.
Packages for SUSE are on the to-do list.
Digging through the source code repository for VDC reveals a
large collection of Perl code, shell scripts, and R code.
The project
Design Overview
white paper (PDF) is a good starting point for more detailed
information on the project's architecture.
VDC has been released under version 2 of the GNU General Public License (GPL).
Comments (1 posted)
System Applications
Database Software
Version 0.8 of QtSqlBrowser
has been released.
"
The purpose of this project is to provide a simple, generic GUI database browsing frontend. The tool is a very simple aggregation of the Qt database classes. The database abstraction is provided by the Qt database drivers. The drivers for PostgreSQL and MySQL have been found to work well." The software is in stable condition, but it is not
yet feature-complete.
Comments (none posted)
Interoperability
Version 3.0.8 pre1 of Samba is available with bug fixes and new
migration functionality for the net tool.
Full Story (comments: none)
Version 3.1.0 of Samba, the first release of the 3.1.0 development branch,
is out.
"
Samba 3.1.0 will include changes to winbindd (for scalability),
code for implementing NT privileges, some proposed fixes to
the printing code's background queue update daemon, and others."
Full Story (comments: none)
Libraries
New versions of libvorbis and libogg are available from the
Ogg Vorbis
audio compression project.
"
The new libogg fixes some FLAC issues and libvorbis 1.1.0 features the new tunings from aoTuV. "
Comments (none posted)
Mail Software
For those looking for another tool for their anti-spam arsenal: SpamBayes
1.0 has been released. SpamBayes is a Bayesian tool, but it takes a rather
different approach to this technique; see
the SpamBayes
background page for details.
Full Story (comments: 6)
Networking Tools
Scott Brumbaugh
explains virtual private networks on O'Reilly.
"
The virtual private network (VPN) is increasingly becoming an invaluable part of every business network. With broadband available in more and more places, small- and medium-size businesses are taking advantage of VPN technology and leveraging the investment they've made in their internal private networks, expanding services available to customers, partners, and staff. This article focuses on VPN tunneling. Because it is also necessary to understand the basic principles of data encryption, this article will also summarize the set of technologies that form a Public Key Infrastructure (PKI). We will see how to ensure privacy in a virtual private network."
Comments (none posted)
Security
The OpenSSH project is celebrating its fifth birthday. It is a rare
project which can go from nonexistence to almost complete domination in
that period of time, but OpenSSH has done it.
Full Story (comments: 8)
Web Site Development
Version 8.0 of PHP Point Of Sale
is out.
"
PHP Point Of Sale (POS) is designed to help small businesses with keeping
track of customers, items and inventory, and generate reports based on sales.
This program works great for businesses that use cash, check, or account
numbers for their sales. PHP Point Of Sale 8.0 is a groundbreaking release
for this application. This release adds multi language support!"
Comments (none posted)
Version 0.98 final of
PHPSurveyor,
a set of PHP scripts for creating online surveys, is available.
"
While this is labelled a "stable" release, indicating that the recent months have been dedicated to bugfixing rather than the development of new features, PHPSurveyor should continue to be considered a development in beta. Although significant testing has taken place, bugs may still exist, and patches for these will be released where possible."
Comments (none posted)
Version 0.3.0 of UnCommon Web, a web application development
framework written in Common Lisp, is available.
"
This version exports the public interface from the
UCW package, adds the new package UCW-USER and includes better support
for expired session handling. It also features improvements to
components and HTML generation, better documentation, and more."
Full Story (comments: none)
Version 0.2b of Five, a Zope 2 product that allows the use of
Zope 3 technologies, is out.
"
A lot is new and improved in this release, including improved traversal
system, bridging system for Zope 2 interfaces, Zope 3 events for Zope 2
objects, and more."
Full Story (comments: none)
Rich Bowen
works with Apache configuration issues on O'Reilly.
"
This month he covers how to get Apache to send a different Server response so that no one can identify what version of Apache you're running, or any of the modules you have installed. The less information your server reveals, the safer it will be from crackers who want to try and break in."
Comments (none posted)
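A check for what the Server header gives away, as an added example by the editor rather than code from Bowen's article or from the Apache project. It takes a captured response header block (two constructed samples: a stock Apache 2.0 build with mod_ssl and PHP, and the same server after ServerTokens Prod, ServerSignature Off and expose_php=Off, all three real directives) and reports whether the Server and X-Powered-By headers disclose versions or modules. The caveat the article's summary glosses over: hiding the version removes a convenience for attackers, not the vulnerabilities themselves. A server answering "Server: Apache" with an unpatched module is no safer than one that names it, so the directives supplement patching, and the result should be verified from outside, as this check does on the captured headers.

```shell
#!/bin/sh
# Added example by the editor; not code from Bowen's article or from the
# Apache project. Reports what a captured HTTP response header block
# gives away through the Server and X-Powered-By headers. The directives
# named below are real; the header files and their contents are
# constructed for the illustration.
#
#   ServerTokens Prod     # "Server: Apache", no version, OS or module list
#   ServerSignature Off   # no version line at the bottom of error pages
#   expose_php = Off      # php.ini: no X-Powered-By header from PHP

# Value of response header $2 in header file $1 (HTTP header names are
# case-insensitive; a trailing CR from a raw capture is stripped).
response_header() {
    grep -i "^$2:" "$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Exit 0 when the Server header carries a version number, a "/" version
# separator or a "(" OS/module block; 1 when it is bare or absent.
server_header_leaks() {
    case "$(response_header "$1" Server)" in
        *[0-9]*|*/*|*\(*) return 0 ;;
        *)                return 1 ;;
    esac
}

# One-line report: "server=<value> leaks=yes|no powered-by=<value>",
# with "-" standing for an absent header.
disclosure_report() {
    srv=$(response_header "$1" Server)
    pb=$(response_header "$1" X-Powered-By)
    if server_header_leaks "$1"; then leak=yes; else leak=no; fi
    printf 'server=%s leaks=%s powered-by=%s\n' "${srv:--}" "$leak" "${pb:--}"
}

# Constructed: headers from a stock Apache 2.0 build with mod_ssl and PHP.
write_sample_default() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Date: Thu, 30 Sep 2004 10:00:00 GMT
Server: Apache/2.0.51 (Red Hat) mod_ssl/2.0.51 OpenSSL/0.9.7d PHP/5.0.2
X-Powered-By: PHP/5.0.2
Content-Type: text/html
EOF
}

# Constructed: the same server after the three settings above.
write_sample_hardened() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Date: Thu, 30 Sep 2004 10:00:00 GMT
Server: Apache
Content-Type: text/html
EOF
}

# Stand-alone demonstration.
before=$(mktemp) && after=$(mktemp)
write_sample_default "$before"
write_sample_hardened "$after"
disclosure_report "$before"
disclosure_report "$after"
rm -f "$before" "$after"
```

To check a live server, save the output of a HEAD request (for instance from a telnet session to port 80) to a file and pass it to disclosure_report; the report for the hardened sample is what a correctly configured server should produce.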
Desktop Applications
Audio Applications
KDE.News
covers release 1.1 of
amaroK, an audio player application.
"
amaroK is the first KDE application to use the GStreamer Multimedia Framework without any dependency on external bindings. amaroK can also integrate with xine so you have the freedom of choosing your own flavor. With version 1.1 there are many exciting changes that make using amaroK even more fun."
Comments (none posted)
Version 0.14.1 of Gnomoradio, a peer-to-peer music playing
system, is available.
"
Version 0.14.1 fixes a bug that some people were experiencing
downloading files, and it fixes a few bugs when scanning all local music
on startup."
Full Story (comments: none)
Version 0.5 of Jamboree, a music player for GNOME, is out.
"
This version adds support for typeahead search of albums and artists,
contributed by Mats-Ola Persson. It also adds support for the latest
stable branch of GStreamer, and features many small user interface
improvements."
Full Story (comments: none)
Desktop Environments
The September 24, 2004 edition of the
KDE CVS-Digest is online. Here's the content summary:
"
KPDF supports table of
contents. Krita adds scaling. Plastik is now the default style. The aKademy
section introduces the requirements of the KDE 4 multimedia architecture,
reports about kdemultimedia developers' plans and summarizes the first talk
"MAS in KDE" of the multimedia track."
Comments (none posted)
Electronics
Version 7.00 of Electric, a VLSI Design System,
is out.
"
Electric is moving from C to Java. Version 7 is the final, transitional, C version. A preliminary version of the Java implementation (Version 8) is also available and working, though missing some functionality."
Comments (none posted)
Financial Applications
SQL-Ledger version 2.4.3
has been announced.
Changes include default customer/vendor/parts/employee numbers,
start and end dates for deactivation, more search fields on the
customer/vendor screen, AR/AP transaction printing, and check/receipt
printing.
Comments (none posted)
GUI Packages
Version 2.0.10 of gob2, the GTK+ object generator, is out
with numerous changes and bug fixes.
Full Story (comments: none)
Version 1.1.5 rc 3 of FLTK, the Fast, Light ToolKit,
has been announced.
"
The third release candidate for FLTK 1.1.5 is now available for download and testing. You now have until October 8th, 2004 to report any problems with this release candidate". The list of changes and
bug fixes is lengthy.
Comments (none posted)
Unstable version 2.3.97 of PyGTK, the Python bindings to GTK, is available.
"
This is the final release candidate before 2.4.0 and if nothing serious
turns up I'll rename this tarball and upload it as 2.4.0.
Please test this thoroughly and report any serious bugs so they can be
resolved before the final release."
Full Story (comments: none)
Version 3.13 of PyQt is available.
"
Changes since the last release include support for the QUuid, QMetaObject and
QMetaProperty classes.
PyQt is a comprehensive set of Qt bindings for the Python programming language
and supports the same platforms as Qt. Like Qt, PyQt is available under the
GPL (for UNIX, Linux and MacOS/X), a commercial license (for Windows, UNIX,
Linux and MacOS/X) and a free educational license (for Windows)."
Full Story (comments: none)
KDE.News
covers
recent developments with Qt 4 including the second Qt 4 Technical Preview
which covers new accessibility support, and a preview of new D-BUS bindings.
Comments (none posted)
Imaging Applications
The first preview release of Krita, a painting and image
editing application for KOffice,
has been announced.
"
Krita, formerly known as Krayon, formerly known as KImageShop, never known as nor intended to be the Kimp, is available for your testing pleasure.
For the first time since development started in 1999, Krita is complete enough to be packaged as the first preview release."
Comments (none posted)
Instant Messaging
Version 0.9.65 of Chatzilla, a Mozilla IRC client,
has been released.
"
Version 0.9.65 is a culmination of months of work from ChatZilla developers. It fixes 32 known bugs and adds many useful new features. Additions since version 0.9.64 include away-status coloration in the user list, SSL support, new user commands, and a revitalized assortment of emoticons."
Comments (none posted)
Interoperability
The September 24, 2004 edition of
Wine Traffic is online with the latest Wine project news.
Comments (none posted)
Music Applications
Version 0.9.9 of OpenSong, a cross-platform application for managing
chords and lyrics sheets,
is available.
"
This next release
contains quite a few bug fixes, set list printing, proxy support, module
loading, a new background image chooser, backgrounds folders, songs folders,
multiple themes per song, key field, aka field, key line field, ccli import
now imports the new song fields, configurable alert font, live scripture
browsing during presentations, HTML song export, and more!"
Comments (1 posted)
Some examples of multimedia programs written in
the Q functional programming language have been made available.
The list includes the applications QAudioPlayer, QMidiCC, QMidiPlayer,
and QSCSynth.
Full Story (comments: none)
Web Browsers
Version 1.4.1 of Epiphany, the GNOME web browser, is available
with numerous bug fixes.
"
Starting with version 1.4.1, Epiphany can be compiled against firefox'
libraries as well as mozilla's libraries."
Full Story (comments: none)
Version 1.41 of the Epiphany Extensions is available.
Changes include bug fixes, translation work, and a new
sidebar extension.
Full Story (comments: none)
Miscellaneous
Version 1.0 RC1 of Blogfish, a Blogger's panel applet for the Gnome desktop,
is available. Changes include improved networking code, more lifelike
fish movement, better installation scripts, and more.
Full Story (comments: none)
A stable release candidate of JXplorer 3.1, an LDAP browser written in Java,
has been announced.
"
This release includes a bunch of new security goodies, such as improved SSL handling with browser-like detection of server certificates, optional client side password hashing, and kerberos support."
Comments (none posted)
Version 0.2-1 of Nautilus-Sendto, an application that integrates
nautilus, evolution and gaim, is out.
Changes include new plugins support, an improved UI, bug fixes, and
more.
Full Story (comments: none)
Version 0.3.4 of Revelation, a password manager for GNOME, is available.
"
This release fixes a couple of bugs; a crash when editing
an entry on Python 2.2 systems, and the name for domain fields
was accidentally replaced with the field tooltip. There has
also been a couple of minor UI improvements."
Full Story (comments: none)
Languages and Tools
C
The
GCC Newsletter
for September 27, 2004 is available.
"
gcc is a rather old codebase which has gone through many maintainers and developers. Sometimes, it can be particularly glaring. Roger Sayle gives a detailed explanation of that specific issue."
Comments (none posted)
Caml
The September 21-28, 2004 edition of the Caml Weekly News is
available with the week's Caml language articles.
Full Story (comments: none)
Java
O'Reilly
continues an excerpt series on EJB development with part two.
"
This week concludes this series with a look at how to develop a session bean, building on the examples presented in part one."
Comments (none posted)
Bertrand Portier and Frank Budinsky
introduce Service Data Objects on IBM's developerWorks.
"
Many Java developers are skeptical about how heterogeneous data can be accessed uniformly, and have been disappointed in the various programming frameworks that propose to solve the problem. In this article, Java developers Bertrand Portier and Frank Budinsky introduce you to next-generation data programming with Service Data Objects (SDO)."
Comments (none posted)
Lu Jian
introduces StrutsUT on O'Reilly.
"
Consistent unit testing is an essential part of development, but web
applications aren't necessarily well-suited to unit testing--how do you
validate the "correctness" of a returned stream of text or HTML? Lu Jian has
an answer in the form of StrutsUT, a Cactus-based library for unit testing
Struts web apps."
Comments (none posted)
Version 2.3 of Struts Menu, a web menuing framework for JSP and
Struts based applications,
has been announced.
"
This release's major
feature is the complete de-coupling from Struts - so that no struts.jar is
required in the classpath anymore. Of course, if you have it in there, it's
used as before."
Comments (none posted)
Perl
The September 28, 2004 edition of
This Week on Perl 6 is online with the latest Perl 6 discussion topics.
Comments (none posted)
PHP
Version 5.0.2 of PHP
has been released.
"
This is a maintenance release that in addition to many non-critical bug fixes, addresses a problem with GPC input processing. All Users of PHP 5 are encouraged to upgrade to this release as soon as possible."
Comments (none posted)
PostScript
Version 8.15 of GPL Ghostscript, a PostScript interpreter,
has been announced.
"
This release includes many bug fixes over the previous AFPL Ghostscript 8.14 release, improved font rendering, and offers significantly better PDF generation and handling over GPL 8.01. We recommend upgrading to all our free users."
Comments (none posted)
Python
The September 29, 2004 edition of Dr. Dobb's Python-URL
is available with a new collection of Python language article links.
Full Story (comments: none)
Ruby
KDE.News
looks at
Rubydium.
"
Now,
another KDE developer has announced Rubydium, his efforts to bring
Just-In-Time optimisations to the Ruby runtime. Could Ruby become a serious
contender for KDE application development?"
Comments (none posted)
Tcl/Tk
The September 27, 2004 edition of Dr. Dobb's Tcl-URL is
out with the week's Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Bob DuCharme
reviews XMP on O'Reilly.
"
The Extensible Metadata Platform (XMP) is a specification describing RDF-based data and storage models for metadata about documents in any format. The specification includes information about embedding XMP in text files such as HTML and SVG/XML; image formats such as JPEG, TIFF, and GIF; and Adobe formats such as Illustrator, Photoshop, and Acrobat files."
Comments (none posted)
Peter Mikhalenko
discusses
device independent browsing issues via XML on O'Reilly.
"
The mission of the Device Independence activity of the W3C is to avoid fragmentation of the Web into spaces that are accessible only from certain types of devices. The goal of the Device Independence Activity is to develop ways for future web content and applications to be authored, generated, or adapted for a better user experience when delivered via many device types."
Comments (none posted)
Cross Assemblers
The
GNU PIC Utilities
project (gputils) has released version 0.12.4 with bug fixes.
Also:
"
We have started an effort to fix bugs in gputils COD files. The purpose is to improve compatibility with other tools."
Comments (none posted)
Stephen Williams
has announced a new cross-assembler for PicoBlaze, Xilinx's soft
microcontroller core for its FPGAs.
"
I anticipate my own possible need for a PicoBlaze (Xilinx) assembler
written in C, so I made a start. This is really only a few hours of
work, but I've got a shell going, that just needs to be fleshed out."
Comments (none posted)
Miscellaneous
Version 0.9.2 of Devhelp, an API documentation browser for GNOME, is out.
"
This release adds three new translations (nb, gu, mk), it also features
updates to 11 other translations. Nickolay V. Shmyrev sent a patch to
support searching for sub strings, for example "gtk new" will give you
all gtk constructors. Johan Svedberg was kind enough to send a patch for
adding accelerators for back and forward."
Full Story (comments: none)
Version 0.6.2 of XPlanner
has been announced.
"
XPlanner is a web-based project planning and tracking tool for eXtreme
Programming (XP) teams. XPlanner is implemented using Java, JSP, and Struts,
and MySQL (user contributed support for other databases). XPlanner 0.6.2
provide many improvements and bug fixes including sortable tables, object ID
quick queries, improved page printing (image-based progress bars), improved
interfaces (history, role editing, time entry, iterations, and
developer/customer tasks), dynamic attribute support for enhanced SOAP
integration, and contributed functionality for NTLM authentication and
WackoWiki-compatible text formatting."
Comments (none posted)
David N. Welton crunched some statistics and wrote the results up in
his paper
Programming Language Popularity. Take a look to see how
your favorite language rates.
"
We examine four sources of information. First, the raw number of results found with Google's search engine. We also look at dollars per click information gleaned from an online advertising service (Overture). In other words, how much it costs you, the advertiser, per click for ads placed with search terms such as java consulting or perl training. In addition, to look at the open source community's take on the situation, we look at projects registered with freshmeat. We also use the Craig's List (http://www.craigslist.org) job search board as a source for rough job statistics."
Comments (20 posted)
David Mertz and Brad Huntting
look at R on IBM's developerWorks.
"
In the first of a three-part series, David and Brad introduce you to R, a rich statistical environment, released as free software. It includes a programming language, an interactive shell, and extensive graphing capability. What's more, R comes with a spectacular collection of functions for mathematical and statistical manipulations -- with still more capabilities available in optional packages."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Linux Journal
wants a
single-file SQL format database. "
Currently, free software users
are missing a standard single-file SQL format, which may be a tar or ZIP
archive, that contains everything needed by a generic frontend to let
people work: schemas, data, indexes, forms structures and so on. Such
databases could be copied immediately, uploaded to a Web server or sent by
e-mail, the same as any other file. Users would have the certainty that the
receiver immediately could access all the data, queries and forms, even if
they might look different. Above all, it would be great if such a file
format became an OASIS standard, because it would make it much easier to
accept in corporate or government scenarios."
Comments (28 posted)
Here's a NewsForge article containing a fair amount of research into the allegations of code theft by the Mambo project. "The Connolly/Mambo situation boils down to one man not doing enough research into the licensing details of the GNU General Public License, then taking his case to public message forums instead of private communication with the project leadership and eventually resorting to threatening uninvolved people with litigation....
No code was stolen or taken; rather two separate modifications were made to the same GPL code to accomplish the same very basic and common task in two very different ways."
Comments (8 posted)
O'ReillyNet looks into the lack of adoption of SPF by banks, which, one would think, would welcome some protection against phishing attacks. "Wrong, says AOL's Hutzler. SPF only checks the hidden part of an email message known as the 'Return-Path' (or '821 header'). According to Hutzler, SPF completely ignores the From address (or '822 header'), which is used by phishers to 'social engineer' or dupe naïve recipients.
In other words, the wily phisher can forge the From line and still get past SPF checks--as long as his mail comes from an SPF-compliant domain listed in the Return-Path."
Comments (14 posted)
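The gap described above can be made visible on the receiving side by comparing the domain of the envelope sender in Return-Path, which is all an SPF result speaks for, with the domain of the visible From header. This is an added example, not code from the O'ReillyNet article; the two messages and their domains are constructed, and the alignment rule (exact match or a subdomain of the From domain) is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first has the shape of the
# phishing case in the article: the Return-Path (the "821" address, the only
# thing SPF checks) points at a domain the sender controls, while the visible
# From (the "822" address the recipient reads) claims to be a bank.
PHISH = """\
Return-Path: <bounce@mailer-example.net>
From: "Example Bank Security" <alerts@bank.example>
To: victim@example.org
Subject: Please confirm your account

constructed body
"""

LEGIT = """\
Return-Path: <bounces@mail.bank.example>
From: "Example Bank" <alerts@bank.example>
To: customer@example.org
Subject: Your statement is ready

constructed body
"""


def _domain(header_value):
    """Extract the lowercased domain from an address header, or None."""
    _name, address = parseaddr(header_value or "")
    domain = address.rpartition("@")[2].strip().lower()
    return domain or None


def header_alignment(raw_message):
    """Report whether the envelope sender domain and the From domain agree.

    An SPF "pass" only says the sending host was authorised for the
    Return-Path domain; if that domain is unrelated to the From domain,
    SPF has said nothing about the address the user will actually read.
    Alignment rule used here (an assumption): exact match, or the
    Return-Path domain is a subdomain of the From domain.
    """
    msg = message_from_string(raw_message)
    rp_domain = _domain(msg.get("Return-Path"))
    from_domain = _domain(msg.get("From"))
    aligned = (
        rp_domain is not None
        and from_domain is not None
        and (rp_domain == from_domain or rp_domain.endswith("." + from_domain))
    )
    return {
        "return_path_domain": rp_domain,  # what an SPF check is scoped to
        "from_domain": from_domain,       # what the recipient sees
        "aligned": aligned,               # False: an SPF pass proves nothing about From
    }


if __name__ == "__main__":
    for label, raw in (("phish-shaped", PHISH), ("aligned", LEGIT)):
        print(label, header_alignment(raw))
```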
Trade Shows and Conferences
NewsForge covers LinuxWorld Conference & Expo, Italian style. "This Expo was a
good occasion to check the status of the current relationship between free
and open source software and Italian public administrations of any size and
scope. To sum it up, it looks promising, but it's still schizophrenic. From
talk to talk, visitors noted that public administrations are required by a
government directive to make documents available in non-proprietary
formats, and that digital signatures can be exchanged with the central
administration through Linux."
Comments (1 posted)
The SCO Problem
GrokLaw has posted a transcript from the September 15 hearing in SCO v. IBM. "Normally, with legal
documents, our text versions strive to be identical to the original. Here,
we are doing two versions, one for simple readability and one with all the
line numbers for reference, as per the original. This is the readable
version."
Comments (none posted)
Companies
NewsForge reports that Lycoris is taking over the Contribs.org SME Server project. "The SME Server platform has a chequered commercial history, and
Lycoris is the third company to assume control of the project. Originally
developed by Joe Morrison as a server distribution based on Red Hat Linux,
e-smith Server and Gateway was commercialised in 1999 when Morrison
co-founded e-smith, Inc. Mitel Networks, an IP telephony company based in
Ontario, Canada, acquired e-smith in 2001, and the product was rebranded
"Mitel SME Server". However, Mitel subsequently discontinued
community-based development of the product in November 2003, despite a
mature and active community of volunteers inherited from e-smith. A
volunteer team coordinated by Resource Strategies released an initial free
version based on Mitel code at the beginning of 2004, but has subsequently
achieved little."
Comments (none posted)
Business
Silicon.com names its list of Agenda Setters for 2004. "More individuals
involved in open source and free software made the list than ever
before. Along with Torvalds at 7, we have MySQL CEO Marten Mickos making
his debut at 12, Open Source Risk Management's David Eggers at 37, Red Hat
engineer Mark J Cox at 40 and free software advocate Richard Stallman at
44."
Comments (1 posted)
Linux Adoption
News.com reports on the adoption of a Linux solution for improving data exchange in the Danish Ministry of Finance. "The data exchange system uses open-source application server JBoss running on Red Hat Linux. It transmits 1.5 megabits of data per second between about 400 public institutions and the ministry, according to a report on open source from Computer Sciences Corp.
Peter Henningsen, the data exchange project manager at the Ministry of Finance, said the open-source combination was chosen over BizTalk Server, Microsoft's systems integration application."
Comments (none posted)
Linux at Work
NewsForge reports on a novel use of Linux. "Want to send your best buddy, boss, or promising client a drink "on you" via your wireless phone? You can, if your friend lives in London. Eagle Eye Solutions, based in the United Kingdom, is launching a new service today called Buymeabeer.com using a Linux-based server platform.
It's a simple concept -- so simple, one wonders why no one else has implemented the idea until now."
Your editors are eagerly awaiting the adoption of this technology by
some of the local Colorado micro-breweries.
Comments (3 posted)
Legal
eWeek covers a copyright dispute between Furthermore Inc. and Miro International Pty Ltd. over the open-source Mambo content management system. "Chicago-based Furthermore has claimed that some of the code used in
Mambo OS was stolen from Furthermore and improperly placed into open
source. Miro, of Melbourne, Australia, owns the copyright to Mambo."
Comments (5 posted)
Interviews
Vnunet talks with Debra Anderson, Novell CIO. "Novell chief information officer (CIO)
Debra Anderson was given the task of migrating all of the company's 6,000
staff from Microsoft Windows to Novell Linux on the desktop. In an
exclusive interview with vnunet.com she details the project and the lessons
it provided."
Comments (1 posted)
LinuxQuestions talks with Rob Flynn about his role in maintaining Gaim. "LQ) What was your
first introduction to Linux? What was the reason behind you using Linux and
was anyone in particular responsible for turning you on to Linux?
RF) I believe it was back when I had a 386. I was probably around 12 years
old. The computer was a hand-me-down and I couldn't get Windows to run very
well on the machine, so, instead, I spent about a million years downloading
some slackware disks and installed it. That's also when I taught myself how
to program in C."
Comments (none posted)
Steve Mallett talks with Tom Lord about the Arch Revision Control System, on O'ReillyNet's OSDir.com. "Tom Lord: First, when I was a working student, years and
years ago, some of the people I respected, and was trying to learn from,
were interested in a topic they called "programming in the large": the
question of how to manage programming projects involving hundreds or
thousands of programmers. I became interested in that problem and revision
control is a subset of that problem."
Comments (76 posted)
KDE.News has published an interview with the Scribus developers. "We know of countless semi-professional magazines and personal publications in production with Scribus. In more recent times we had also the pleasure of helping a weekly commercial newspaper (20,000+ copies) in the USA get off the ground using Scribus."
Comments (2 posted)
Resources
NewsForge takes some excerpts from the book Know Your Enemy: Learning About Security Threats. "Firewalls are a prevention technology; they are
network or host solutions that keep attackers out. IDSs are a detection
technology; their purpose is to detect and alert security professionals
about unauthorized or malicious activity. Honeypots are tougher to define
because they can be involved in aspects of prevention, detection,
information gathering, and much more. For the purpose of this book, we will
define a honeypot as follows: A honeypot is an information system
resource whose value lies in unauthorized or illicit use of that
resource."
Comments (none posted)
Reviews
Linux Journal reviews the book Moving from Windows to Linux by Chuck Easttom. "Using this book, Linux beginners certainly
could install Linux and find their way to each of
the applications described, but taking Linux to
the next level will require an inquisitive person,
another book or additional assistance. The text
deals mainly with Red Hat 9."
Comments (none posted)
eWeek reviews the latest releases of both GNOME and KDE. "Some of the biggest changes
in KDE 3.3 and GNOME 2.8 lie in the projects' respective e-mail and
collaboration clients, Kontact and Evolution. Both applications are
well-integrated into their desktop environments and cover a full range of
groupware functionality, but eWEEK Labs found Evolution to be more refined
and pleasant to use."
Comments (2 posted)
The Linux Journal looks at OpenOffice.org add-ons. "In the current version, OpenOffice.org's Export to PDF tool is disappointing. Although it usually produces an acceptable PDF under Linux--it is more problematic under Windows--it sometimes chokes on documents with elaborately formatted tables or spontaneously changes fonts. Moreover, even when it works, it cannot generate bookmarks or live links. These features are said to be coming in version 2.0. Meanwhile, Martin Brown's ExtendedPDF not only provides the missing functionality, but handles files that defeat the Export to PDF tool."
Comments (2 posted)
O'ReillyNet looks at Plone. "This article gives a high-level overview of what
Plone is capable of, with pointers to resources to help you get started on
the path to building your own Plone site. Future articles will pick up
where this one leaves off, exploring topics such as defining workflows,
skinning a site, and creating new content types quickly."
Comments (none posted)
Yahoo's Games Domain notes the release of a Linux demo for Unreal Tournament 2004. "Epic Games continues to
shower the gaming community with gifts as the new Linux demo for Unreal
Tournament 2004 is made available. The new demo contains all of the
features that were implemented with the Windows version."
Comments (4 posted)
Miscellaneous
The Globe & Mail looks at the efforts of Translate.org.za. "Last week, Mr. Bailey's
group, Translate.org.za, launched versions of the software Open Office (a
free program that operates much like Microsoft Office) in Zulu, Afrikaans
and Northern Sotho, the predominant languages in the three main language
groups in South Africa -- the first software to exist in any of those
languages." (Thanks to Philip Webb)
Comments (2 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Eclipse Foundation has announced its latest member, JBoss, Inc. "JBoss provides the industry's most widely used open source J2EE application server and a range of related open source middleware technologies and products. Additionally, it offers the JBoss-IDE, an open source integrated development environment that is used with Eclipse."
Comments (none posted)
Jive Software has announced that it will license its Jive Messenger application under the GPL. Jive Messenger, based on the open IETF standard XMPP protocol, is a Java-based server for comprehensive group chat and instant messaging (IM).
Comments (none posted)
Commercial announcements
Catapult Communications Corporation has announced five new telecom test systems, all of them Linux-based devices.
Comments (none posted)
Devon IT has announced that the Agricultural Bank of China is deploying some 2500 of Devon's "NTA Virtual Office" Linux-based thin clients on desktops throughout the institution. "The NTAVO thin-client provides ABC with freedom from Windows' security
concerns and an adherence to open standards, which gives their IT
managers more flexibility in what they choose to deploy across
back-end systems."
Comments (none posted)
Mandrakesoft has won a new contract with the French Ministry of Defense. "Mandrakesoft has won a 1 million euros three-year contract to help
create a highly secure Linux based solution for the French Ministry of
Defense. Part of a five member consortium, the project will take a
Linux based solution to CC-EAL5 (Common Criteria Evaluation Assurance
Level 5)."
Full Story (comments: 1)
Red Hat, Inc. has announced that it will be holding an Analyst Day on September 30, 2004. It will be possible to tune into the event on a live audio webcast.
Comments (none posted)
SourceLabs, Inc. has announced that it has secured a $3.5 million investment from Ignition Partners and Index Ventures, with the goal of creating Dependable Open Source Systems.
Comments (none posted)
VA Software has announced the appointment of Andrew Anker to its Board of Directors. "Anker
brings more than 17 years of experience in the areas of Internet
media, advertising, technology and financial analysis."
Comments (none posted)
Xandros has announced the PowerTerm Edition of its Xandros Desktop Operating System. "By bundling Ericom's PowerTerm® InterConnect for Linux with the Xandros
Desktop OS Business Edition, Linux desktop users can now connect to a
wide range of applications running on IBM Mainframe, IBM AS/400,
OpenVMS, Unix, Linux, Tandem, Data General, HP-3000, and other
enterprise platforms."
Full Story (comments: none)
New Books
No Starch Press has published the second edition of The Linux Cookbook by Michael Stutz.
Comments (none posted)
O'Reilly has published the book PayPal Hacks by Shannon Sofield, Dave Nielsen, and Dave Burchell.
Full Story (comments: none)
Resources
Network World has published its annual Buzz Issue providing a look at some of the most talked-about technologies and trends. "Desktop Linux, now a focus of
companies such as Sun Microsystems and Novell is explored in this Buzz
Issue, which also takes a look at available Linux applications and what it
will take to break the reliance on traditional Microsoft Windows
desktops."
Comments (none posted)
Contests and Awards
The Open Group will be holding a competition for the design of a new UNIX poster. "The design should capture the magic of the UNIX system, featuring
images based on UNIX system interfaces, utilities, languages, and/or
organizations. The winning design will be produced and distributed
at future events such as LinuxWorld Expo 2005. The designer will be
acknowledged on The Open Group's UNIX System web page and receive a
Linspire Mobile PC, a number of copies of the poster, a collection of
UNIX system memorabilia and a copy of the Single UNIX specification on
CD ROM. The first twenty entrants whose work is accepted for display,
will also receive UNIX license plates". Submissions are due
by October 31.
Full Story (comments: none)
Upcoming Events
KDE.News has a preview of things to come at the London Linux World Expo. "Next week sees the Linux World Expo (renamed from Linux Expo UK) in London's Olympia where KDE are teaming up with Gnome to run one of the biggest stands in the .org village."
Comments (none posted)
| Date | Event | Location |
| September 30 - October 1, 2004 | OSCOM 4 | (Swiss Federal Institute of Technology) Zurich, Switzerland |
| September 30 - October 1, 2004 | 4th International SANE Conference (SANE) | (Amsterdam RAI Centre) Amsterdam, The Netherlands |
| September 30, 2004 | HPC Is Changing - Seminar | (National Space Centre) Leicester, UK |
| September 30, 2004 | Independent High Performance Computing Seminar | (National Space Centre) Leicester, UK |
| October 2, 2004 | Ohio LinuxFest | Columbus, Ohio |
| October 6 - 7, 2004 | LinuxWorld Conference and Expo | (Olympia Exhibition Centre) London, England, UK |
| October 8 - 10, 2004 | Linucon | (Red Lion Hotel) Austin, TX |
| October 9, 2004 | Italian Code Jam | (University of Ferrara) Ferrara, Italy |
| October 10 - 17, 2004 | MySQL Swell | Across the Mediterranean |
| October 11 - 15, 2004 | 11th Annual Tcl/Tk Conference | (Bourbon Orleans Hotel) New Orleans, LA |
| October 21 - 22, 2004 | Web.It 2004 | Bari, Italy |
| October 21 - 22, 2004 | 5. Encuentro Linux | Valparaiso, Chile |
| October 26 - 28, 2004 | LinuxWorld Conference and Expo | Frankfurt, Germany |
| October 27 - 29, 2004 | Sixth International Conference on Information and Communications Security (ICICS'04) | Malaga, Spain |
| November 1 - 6, 2004 | International Computer Music Conference (ICMC) | Miami, FL |
| November 4 - 5, 2004 | HiverCon 2004 | (The Davenport Hotel) Dublin, Ireland |
| November 6 - 12, 2004 | High Performance Computing, Networking, and Storage Conf (SCnn) | Pittsburgh, PA |
| November 7 - 10, 2004 | International PHP Conference 2004 | Frankfurt, Germany |
| November 8 - 10, 2004 | MySQL ComCon Europe | (NH Hotel Frankfurt-Mörfelden) Frankfurt, Germany |
| November 14 - 18, 2004 | COMDEX Conference and Exposition | (Las Vegas Convention Center) Las Vegas, Nevada |
| November 14 - 17, 2004 | ApacheCon 2004 US | (Alexis Park Resort) Las Vegas, NV |
| November 14 - 19, 2004 | Large Installation System Administration Conference (LISA '04) | (Atlanta Marriott Marquis) Atlanta, GA |
| November 25 - 26, 2004 | Le forum PHP 2004 | (FIAP Jean Monnet) Paris, France |
Comments (none posted)
Web sites
KDE.News mentions the launching of the new KDE.org.uk web site. "KDE.org.uk promotes the K Desktop
Environment and showcases activities of KDE developers and contributors
around the United Kingdom."
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Karl-Heinz Zimmer <khz-AT-indeview.org> |
| To: | lwn-AT-lwn.net |
| Subject: | Presentation programs may find IndeView useful. :-) |
| Date: | Mon, 27 Sep 2004 15:35:50 +0200 |
Hello,
just read your very interesting text on presentation programs
http://lwn.net/Articles/101846/
and I wonder if you might want to add a few words on IndeView?
:-)
Since you spoke about OpenOffice and about KOffice, it might be
interesting for readers, to learn that IndeView was made to convert
Impress and/or KPresenter presentations into a platform-independent
format that can be pressed onto a CD together with the small viewer
application.
So the user can send this CD to her customers/friends/whomever and let
them watch the presentation slides on their Linux, Mac OS/X or Windows
boxes: without the need of installing anything on their local harddisk.
Have a look: http://www.indeview.org
Note: IndeView is still in early development stage.
It _is_ used in practice by many people already but it
is limited since the current version can only show static
images: no slide transition effects, no moving nor interactive
parts inside a slide, no sound.
Still we like it - and work on making it better! :-)
Cheers
Karl-Heinz
--
Karl-Heinz Zimmer <mailto:khz@indeview.org> <mailto:khz@kde.org>
Föhren - www.fiehr.de
IndeView - Presentations Beyond Limitations - www.indeview.org
KDE - Conquer your Desktop - www.kde.org
Comments (none posted)
| From: | Joe Klemmer <klemmerj-AT-webtrek.com> |
| To: | letters-AT-lwn.net |
| Subject: | Free subscription offer |
| Date: | Sun, 26 Sep 2004 12:49:44 -0400 |
I have made this offer in the past and I would like to do it again.
Anyone who would like a subscription for one year of LWN who cannot
afford it or is not able to use a credit card (specifically those not in
the US) I am offering to pay for it. I can't pay for a large number of
subscriptions* but I will try to do as many as possible for those in
need. This isn't a joke or a hoax or anything. It's a real offer from
a real person.
No one took me up on this offer last year. I hope someone does this
time.
Joe
* To be honest I can barely afford my own subscription but I do this
anyway to help support LWN and any Linux users who would find it
beneficial.
--
Joe Klemmer <klemmerj@webtrek.com>
Unix System/Network Administrator & Ad Hoc Programmer
Comments (6 posted)
| From: | Alex Stark <outgoing-mail-x-AT-mdag.org> |
| To: | lwn-AT-lwn.net |
| Subject: | Government: openness in data rather than software |
| Date: | Mon, 20 Sep 2004 22:20:45 -0400 |
Just an idea. We see a lot about government selecting FOSS, etc, rather than
closed software.
There is a whole other side that has the potential, not only for promoting open
software directly, but also aiding the development of open software:
What about more emphasis on the potential for governments insisting that their
tax-funded work result in data that is stored in interchangeable formats?
Most organizations distribute and store documents as Word files. If I were
starting a company today I would insist on documents with an openly published
specification so that there is a good chance of accessing them later. It is
horrifying to think of the quantity of data generated by governments that will
be irretrievable in just a few years time.
To put it another way, I would not be so bothered to see files coming out of
closed-source software if I knew that they were not adding to the difficulty of
objective selection of software in the future.
Alex.
--
Alex Stark
Outgoing address is temporary to avoid abuse: please use reply-to
Comments (1 posted)
| From: | David Woodhouse <dwmw2-AT-infradead.org> |
| To: | editor-AT-lwn.net |
| Subject: | [Fwd: MARID to close] |
| Date: | Thu, 23 Sep 2004 12:09:10 +0100 |
I don't think I've seen you comment on this. The MARID working group
which was looking at the possibility of standardising something based on
Microsoft's SenderID or the equally fundamentally flawed SPF has
terminated.
Strike one for sanity :)
The problem with SPF and SenderID was that they made flawed assumptions
about how the world works -- in particular with respect to forwarding.
They each put forward a plan to make their assumptions come true, but
they required that _everyone_ out there should upgrade to make it all
viable.
Even if that were a realistic plan, their 'fix' was to make all mail
servers rewrite the 'responsible' address when forwarding mail, to take
responsibility for it themselves. When all mailservers are doing
something like that, it becomes _only_ a way of checking how much you
trust the individual mail server which is sending you the mail.
For example, my server could send a mail claiming to be from
SRS0+xx+yy+lwn.net+editor@srs.infradead.org
... which _looks_ like it was from editor@lwn.net, but via one of my
servers. You have no idea; you only know how much you trust _me_.
And it _is_ all about trust. With spammers publishing SPF records to get
themselves a 'pass' you had to look up the domain in a
blacklist/whitelist -- some kind of trust database.
But given that SPF/SenderID could only really manage to work out a trust
level for _one_ hop -- the mail server which was actually sending you
the mail -- there was no point in what they were doing, and no point in
all the breakage with forwarding. You might as well have done it based
on the HELO instead, without breaking the whole world while you're at
it.
So let's let SPF and SenderID rest in peace.
Now it's time we got together and fixed up a real end-to-end solution
for verifying mail ownership, like DomainKeys or IIM.
In the interim, if you want to be able to stop receiving bounces to mail
you didn't actually send, try BATV. It's fairly trivial to implement and
it's unilateral -- you can just _do_ it and nobody else needs to know or
care.
http://archives.listbox.com/spf-discuss@v2.listbox.com/20...
http://brandenburg.com/CSV/draft-levine-mass-batv-00.html
--
dwmw2
Comments (6 posted)
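The unilateral bounce protection the letter recommends, as an added example that is neither the letter writer's code nor an implementation of the linked draft: outgoing envelope senders are rewritten to carry a keyed signature and an expiry day, and an incoming bounce is accepted only if its recipient address carries a valid, unexpired tag. The tag layout (one key-number digit, three-digit expiry day, six hex digits of an HMAC) follows the general shape of a BATV "prvs" tag; the secrets, addresses and timestamps are constructed.

```python
import hashlib
import hmac
import time

# Constructed site secrets, indexed by the one-digit key number carried in the
# tag so that keys can be rotated. Real deployments keep these out of source.
SECRETS = {0: b"constructed-batv-secret-key-0"}
VALIDITY_DAYS = 7  # how long a tagged address keeps accepting bounces


def _signature(key_number, expiry_day, address, secret):
    """Six hex digits of HMAC-SHA1 over key number, expiry day and address."""
    msg = f"{key_number}{expiry_day:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, now, key_number=0):
    """Rewrite an envelope sender local@domain as prvs=KDDDSSSSSS=local@domain.

    DDD is the expiry day number modulo 1000; SSSSSS is the signature.
    """
    expiry_day = (int(now // 86400) + VALIDITY_DAYS) % 1000
    sig = _signature(key_number, expiry_day, address, SECRETS[key_number])
    local, domain = address.split("@", 1)
    return f"prvs={key_number}{expiry_day:03d}{sig}={local}@{domain}"


def check_bounce_recipient(rcpt, now):
    """Decide whether a bounce (MAIL FROM:<>) addressed to rcpt is for mail we sent.

    Returns (accept, reason, original_address). Anything untagged is refused:
    we never send mail with an untagged envelope sender, so no genuine bounce
    can be addressed to one.
    """
    if not rcpt.startswith("prvs="):
        return False, "untagged address: we never sent mail from it", None
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return False, "malformed tag", None
    tag, original = parts[1], parts[2]
    key_number, expiry_day, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    secret = SECRETS.get(key_number)
    if secret is None:
        return False, "unknown key number", None
    expected = _signature(key_number, expiry_day, original, secret)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    # Day numbers live modulo 1000, so the age comparison is done in that ring.
    today = int(now // 86400) % 1000
    if (expiry_day - today) % 1000 > VALIDITY_DAYS:
        return False, "tag expired", None
    return True, "ok", original


if __name__ == "__main__":
    now = time.time()
    tagged = tag_sender("editor@example.org", now)
    print("outgoing envelope sender:", tagged)
    print("bounce to tagged address:", check_bounce_recipient(tagged, now))
    print("bounce to untagged address:", check_bounce_recipient("editor@example.org", now))
    print("bounce after expiry:", check_bounce_recipient(tagged, now + 8 * 86400))
```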
Page editor: Jonathan Corbet