LWN.net Weekly Edition for September 30, 2004

Marketing OpenOffice.org

It is a rare free software development project which feels the need - or has the resources - to develop a 50-page strategic marketing plan. OpenOffice.org is anything but an ordinary project however. Its Strategic Marketing Plan 2010 is available in a glossy, printer-stressing PDF format; those wishing to support the project can also buy the plan in book format for $7.95. In many ways, the OpenOffice.org plan resembles many other, similar documents which have been putting meeting attendees to sleep for years. It is very much worth a read, however; it offers a view into the project's ambitions and worries for the coming years.

OpenOffice.org cannot be faulted for lacking ambition: the marketing plan calls for a 50% penetration rate by 2010. There is a little table which reads a bit like a Bush administration budget forecast - usage is supposed to jump from 35% to 50% between 2009 and 2010. By the end of 2004, the project will be satisfied with 2% penetration. Getting that many users will be a challenge, so much of the plan concerns itself with how OpenOffice.org will find them. There is a big emphasis on establishing OpenOffice.org as a global brand. The project has also singled out seven target markets which, it thinks, are especially ready for a jump to OpenOffice.org:

  • Governments - with an emphasis on developing countries. Reading between the lines, it appears that OpenOffice.org does not wish to compete with Sun's StarOffice sales in richer countries.

  • Education. As a way of competing with Microsoft's education programs, which target teenagers, OpenOffice.org's plan suggests trying to hook kids when they are seven or eight years old.

  • Public libraries - especially smaller ones without lots of extra cash.

  • Non-profit organizations.

  • Small and medium-sized businesses.

  • Original equipment manufacturers, who should be encouraged to bundle OpenOffice.org with their systems.

  • Linux distributors; OpenOffice.org would like to have its software shipped with every general-purpose distribution.

To push OpenOffice.org into these markets, the project has a whole set of "marketing contacts," is working on promotional materials, and has a set of development goals, such as the creation of "OEM kits." Feeding the demand side of the equation is very much at the core of the OpenOffice.org plan.

There are some interesting things which are missing. In its introduction, the plan states:

As of today (2004), both OpenOffice.org and the Community are heavily dependent on the support of Sun for their continued survival. The Community has set itself a challenge to become completely self-sufficient, and rely on volunteer effort and/or funds generated by the Community.

This would clearly be a good thing for OpenOffice.org to do. The marketing plan does not really address this goal again, however. Raising funds appears to not be a part of this plan at all. There also appears to be little concern about marketing OpenOffice.org to developers. By most accounts, the bulk of OpenOffice development is still done by Sun engineers, and the project remains difficult for new developers to approach. Forks like ooo-build have appeared in response to developer frustrations, and Sun's ties to Microsoft have recently led to Bruce Perens calling for developers to not donate their code to the project. If OpenOffice.org cannot get past this marketing problem, it will have a hard time achieving self-sufficiency and its usage goals.

The project's relationship with Sun is a recurring issue in this document. Clearly, as long as OpenOffice.org is dependent on Sun for funding and developers, one of its priorities must not be marketing to users, but marketing itself to Sun. Thus, the plan worries:

Sun Microsystems may lose the ability or desire to fund non-revenue generating activities such as the Community.

and recommends that:

The Community should put significant effort into understanding Sun's goals for StarOffice and OpenOffice.org and selling the benefits to Sun of their continuing support of the Community.

OpenOffice.org has to step carefully around its patron. So there are no plans to try to "sell" OpenOffice.org into large businesses and other places where Sun is trying to do deals involving StarOffice. A fair amount of new OpenOffice.org functionality is being written in Java, which creates problems for some Linux distributors - there is no free, certified Java runtime which can be shipped to run that new code. So OpenOffice.org's plan contemplates the creation of a "Java-free" configuration (something the distributors have been doing for a while), but there is no thought given to making it all work with a free, non-certified runtime engine.

The plan spends some time contemplating the threats faced by the project. These include confusion with StarOffice, the fact that others can fork the project, missing functionality (email, web browsing, group calendars, etc.), and software patents. The biggest threat seen by the project, however, is clearly Microsoft; somehow the planners have gotten the idea that Microsoft might not just stand by and watch while OpenOffice.org grabs the 50% of the market it covets. The project intends to respond by making migration from Microsoft products even easier, stressing the "full functionality for free" nature of the software, and targeting users who are facing forced upgrades or who fear license compliance audits.

There is one threat which is not even mentioned by the plan, however: other free software projects. Names like AbiWord, Gnumeric, Scribus, KOffice, etc. simply do not appear at all. Some of these are, perhaps, shrugged off by proclaiming that OpenOffice.org is the only free integrated office suite - though the KOffice developers might disagree. It may also be that the OpenOffice.org developers do not wish to upset parts of the free software community by overtly tagging them as competitors and making plans on how to beat them. The fact remains, however, that a number of free "productivity" tools exist, and many of them are held, by some users at least, to be superior to the corresponding parts of OpenOffice.org. These tools will not go away; a "strategic marketing plan" that aims for 50% penetration while ignoring the other free alternatives runs a real risk of an unpleasant collision with reality as things play out.

It is worth noting that the plan is not in its final form; this is, in fact, the first public release, which was intended to encourage discussion and debate at OOoCon last week. There will be, without doubt, changes to the plan as a result of that discussion, but LWN was unable to attend the conference and reports have been relatively scarce so far. Even so, the plan gives valuable insights into an important free software project which is at a sort of turning point. It indicates that the project intends to concentrate on "selling" OpenOffice.org to vast numbers of users rather than on engagement with the free software community. More OpenOffice.org users can only be a good thing; one can only wish the project luck in achieving its goals.

Mandrake shoots for EAL5

September 29, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

A consortium of five companies, including MandrakeSoft, has been awarded a contract from the French Ministry of Defense to deliver a Linux-based OS certified at Common Criteria Evaluation Assurance Level 5 (CC-EAL5). The three-year contract is worth €7 million, with MandrakeSoft's share totaling €1 million. Participating in the contract with MandrakeSoft are Bertin Technologies, Surlog, Jaluna, and Oppida.

We contacted MandrakeSoft co-founder Gaël Duval about the contract and to get a little more information about the process. The EAL5 certification may seem a bit ambitious, particularly since no other Linux vendor has achieved that level of certification for a Linux OS. In fact, none of the competing OSes have reached that level of certification either. At the moment, the Linux distribution with the highest level of EAL certification is Novell's SUSE Linux Enterprise Server (SLES) 8, which achieved EAL3+ with IBM's help.

There are seven levels of CC-EAL certification. In a nutshell, an EAL5 certification designates that a system's features and security level are certified, and that development follows "formalized or semi-formalized methods."

We asked Duval if MandrakeSoft had any prior experience with this type of project:

Not exactly, but we introduced advanced security features in Mandrakelinux products early (Mandrakelinux 7.0, which was released in early 2000). We also sponsored several Open Source security projects. And we have a line of security products (Single Network Firewall & Multi Network Firewall). So security is a long-time tradition at Mandrakesoft.

Of course, MandrakeSoft is not the only vendor working on this project. Oppida is an officially authorized Common Criteria Information Technologies Security Evaluation Facility (ITSEF), making it an ideal partner for a project of this kind. Surlog's expertise is in providing tools to evaluate software and system dependability. Jaluna provides real-time and high-availability solutions, including solutions based on Linux.

We also asked Duval how MandrakeSoft became involved with this effort, and how the consortium came into being. Duval didn't provide a great deal of detail:

We know these companies and they know us, so it's a natural arrangement because every actor has some technology and expertise to bring.

Unfortunately, it will be some time before the work that the consortium is doing shows up for use by the community. According to Duval, the plan is to keep development separate from Mandrake Linux development:

It will be totally outside of the Mandrakelinux product roadmap. Several actors take part in this project, which will be released in Open Source after completion.

Duval did allow that some of the work might show up "later" in the development process. We also asked what license would be used for any work created for this project. Duval said that he doesn't have any information about licensing details, just that it would be an open source license.

Three years is quite a long time, so it will be interesting to see whether MandrakeSoft is the first Linux vendor to reach EAL5, or if Novell or Red Hat beat them to the punch. Novell has already said that it hopes to gain EAL4 certification in the near future. No doubt, Novell will be setting its sights on EAL5 shortly thereafter.

For the larger picture, of course, it won't matter whether Novell or MandrakeSoft reach the finish line first. Achieving EAL5 will be yet another feather in Linux's cap, another milestone reached that will allow governments and organizations to move to Linux instead of proprietary offerings.

Page editor: Jonathan Corbet

Security

Interview with Rootkit Hunter author Michael Boelen

September 29, 2004

This article was contributed by Joe Klemmer

One of the greatest joys we Linux users have is to say to our Windows-running friends, family and co-workers that we do not suffer from viruses like they do. However, the reality is that we aren't immune from being attacked. There are plenty of nasty things out there that would be happy to trash our systems. One of these nasty things is something called a rootkit. Rootkits allow a cracker to ensure future access to a compromised system while hiding the evidence from administrators and users; see LWN's look at the Adore rootkit for an example.

So how do you detect them? One way is to use the tool Rootkit Hunter. The following is an interview with the author of this utility, Michael Boelen.

Joe Klemmer: Tell us a bit about yourself. Who is Michael Boelen?

Michael Boelen: I'm a 22-year-old guy, working for a small company (small webhosting, maintaining servers/services and application development). My task is to maintain the internal servers and perform administration for our customers. I live in The Netherlands with my parents. Computers are my hobby and my work, so I'm the author of Rootkit Hunter :-)

My main interests are networking, hardware, security and small application development. Like many people, I like to read, but I am especially interested in computer-related stuff.

JK: What led you into system security?

MB: It's a special part of computer services, which attracts me because it's never the same. It's a dynamic world inside the big computer world. Although a lot of companies aren't aware of the consequences of (a missing plan for) security, I think it's a very important part. That's why almost everyone in the computer world will use/need some security enhancements sooner or later. In my case, open relays, Trojans and viruses were the first signals to have a better look at security.

JK: What, specifically, are rootkits?

MB: Rootkits are often little packages with some binaries, some sources and an easy-to-use installer. These packages are being created to 'stay root' after a successful compromise of a host. The installers in these packages check the host and replace the default binaries with the ones in the package. Most times these are binaries like 'ps', 'ls', 'top', 'netstat', where traces of the hacker/cracker/scriptkiddie are being filtered, with one purpose: hide evil processes, network connections etc.

Because rootkits are unwanted and difficult to find without good searching, automated tools are being created. Although a UNIX specialist is often able to find bad things better/quicker than automated tools, it can be a very valuable tool. Of course it is a nice addition for UNIX specialists, but also for average UNIX users who aren't able to find out which things on a UNIX system are good or evil (like hidden files, bad strings, unusual network ports etc).

JK: You've said elsewhere that you built rkhunter because you didn't find the existing tools to your liking. What was it about them that you felt needed changing?

MB: The lack of active development is the most important one. I won't say my tool is better than the others, but I try to maintain it as active as possible. When users come with (nice) new ideas, most times I try to implement it as soon as possible.

JK: Over the course of rkhunter's evolution, have you found anything interesting about root kits? Any similarities or differences? Are there any trends?

MB: Yes, a lot of interesting information. I also have a better idea now (since the development) why hackers/crackers/scriptkiddies use rootkits and what to do to detect them. The most difficult part is to maintain a utility which stays smart enough to detect suspicious traces on a system.

Most tools use the same approach, so I tried to combine as many as possible ways to detect these suspicious traces. And although it gets better every release, a lot of things have to be done.

Rootkits don't have a 'normal' trend like viruses/worms have, because viruses aren't often used by a single person to achieve his goal (besides breaking up systems, sending spam or planting a trojan). In fact, some individuals create rootkits for their needs at the moment they need them. These custom-made rootkits often contain simple things like IRC bots, backdoors and sniffers. Within the next few months, those things will be getting special attention from me and added to Rootkit Hunter. Rootkits won't quickly disappear, so the war isn't yet over.

JK: Do you know if rkhunter has had an impact on the root kit community? Are they now trying to design kits to work around rkhunter?

MB: I really have no idea, because most rootkits and backdoors are still being used by individuals and use private parts (although there are a lot of often-used public tools). So I haven't seen any tools yet which are built to hide from Rootkit Hunter. But I guess there will be variants already available.

JK: I would guess that the battle between the root kit "developers" and the security community is similar to the anti-virus wars. Is the bulk of your work spent in catching up to new root kits? Or are you in a position of developing preemptive technologies to head off the kit builders?

MB: On both ways, because maintaining a 'rootkit hunter' is almost similar to maintaining an anti-virus tool, with one exception, viruses aren't made to be hidden for the system (yet?). So anti-virus developers try to discover as quick as possible new (unknown) viruses. The approach on rootkits is a little bit different. It means also adding unknown rootkits, but more important, adding new ways to discover all kinds of hack traces.

JK: What do you see for the future of rkhunter? With the advent of SElinux will there still be a need for rkhunter and its kind?

MB: I guess tools like this one, won't be quickly useless, because even if you have a secured system (like with SElinux and all other kernel and application improvements), it's always possible someone breaks your system. At that stage, tools like Rootkit Hunter (and the few others) can provide an administrator very useful information.

This interview gives me the opportunity to ask people an easy question: If you find something interesting for me, can you send it to me?

The question above gives an answer to your question, because although I can improve Rootkit Hunter a lot, I really need input from the users and the guys on the field. Rootkits, sniffers, ideas and even books are needed to keep on improving. Till now I have already got a lot of input, but I still need more information. So have a simple thought about the future: it only will be better, but only if I get support from the community!

New vulnerabilities

apache: protected pages vulnerability

Package(s):apache CVE #(s):CAN-2004-0811
Created:September 23, 2004 Updated:September 29, 2004
Description: Apache 2.0.51 may allow the viewing of protected pages because of a problem merging the Satisfy directive.
Alerts:
Gentoo 200409-33 2004-09-24
Trustix TSLSA-2004-0049 2004-09-23

getmail: filesystem overwrite vulnerability

Package(s):getmail CVE #(s):CAN-2004-0880 CAN-2004-0881
Created:September 23, 2004 Updated:October 4, 2004
Description: Getmail has a vulnerability that may allow a local user to create or overwrite files in any directory on the system.
Alerts:
Slackware SSA:2004-278-01 2004-10-04
Debian DSA-553-1 2004-09-27
Gentoo 200409-32 2004-09-23

jabberd: remote denial of service vulnerability

Package(s):jabberd CVE #(s):
Created:September 23, 2004 Updated:September 29, 2004
Description: Jabberd's XML parsing routines have a vulnerability that may be exploited to create a remote denial of service.
Alerts:
Gentoo 200409-31 2004-09-23

sendmail: pre-set password

Package(s):sendmail CVE #(s):CAN-2004-0833
Created:September 27, 2004 Updated:September 29, 2004
Description: Hugo Espuny discovered a problem in sendmail, a commonly used program to deliver electronic mail. When installing "sasl-bin" to use sasl in connection with sendmail, the sendmail configuration script uses fixed user/pass information to initialize the sasl database. Any spammer with Debian systems knowledge could utilize such a sendmail installation to relay spam.
Alerts:
Debian DSA-554-1 2004-09-27

subversion: metadata information disclosure

Package(s):subversion CVE #(s):CAN-2004-0749
Created:September 23, 2004 Updated:November 4, 2004
Description: The subversion version control system has vulnerabilities in the handling of metadata such as log file entries related to using mod_authz_svn.
Alerts:
Conectiva CLA-2004:883 2004-11-04
Gentoo 200409-35 2004-09-29
Fedora FEDORA-2004-318 2004-09-23

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07
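
The missing step in the cdrecord entry above is the permanent privilege drop a setuid helper must perform before it executes anything chosen by the user. The following is an added example written for this page, not cdrecord's own code; the names drop_privileges and run_unprivileged are hypothetical.

```c
/* Added example (not cdrecord's code): a setuid helper permanently
 * returning to the invoking user's identity before running a program the
 * user specified.  Function names are hypothetical. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the real user and group.  Returns 0 on success,
 * -1 on any failure.  The caller must refuse to continue on failure:
 * running the user's program while still privileged is exactly the bug
 * described in the advisory. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may rewrite the supplementary group list; a setuid-root
     * helper must do so, or the child inherits root's groups. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;

    /* Group first: once the uid is dropped, setgid() would be refused. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop is real and irreversible.  A saved set-user-ID left
     * behind would let setuid() climb back to the old identity. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;   /* could regain root: the drop did not stick */
    return 0;
}

/* Run a user-specified program only after privileges are gone.
 * Returns the child's exit status, or -1 if the child could not be
 * created or did not exit normally.  A child that cannot drop privileges
 * exits with 126 instead of executing anything. */
int run_unprivileged(const char *program, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);        /* never exec while still privileged */
        execvp(program, argv);
        _exit(127);            /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_unprivileged(argv[1], &argv[1]);
    printf("child exited with %d (euid now %u)\n", rc, (unsigned)geteuid());
    return rc < 0 ? 1 : rc;
}
```

When the helper is not actually setuid, drop_privileges() is a harmless no-op, so the same code path is safe in both installations.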

cups: denial of service

Package(s):cups cupsys CVE #(s):CAN-2004-0558
Created:September 15, 2004 Updated:October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Alerts:
Conectiva CLA-2004:872 2004-10-14
Fedora FEDORA-2004-275 2004-09-28
Slackware SSA:2004-266-01 2004-09-22
Whitebox WBSA-2004:449-01 2004-09-20
Gentoo 200409-25 2004-09-20
SuSE SUSE-SA:2004:031 2004-09-15
Red Hat RHSA-2004:449-01 2004-09-15
Mandrake MDKSA-2004:097 2004-09-15
Debian DSA-545-1 2004-09-15

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Gaim: remote code execution vulnerability

Package(s):gaim CVE #(s):CAN-2004-0500
Created:August 12, 2004 Updated:October 18, 2004
Description: The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

glFTPd: Local buffer overflow vulnerability

Package(s):glFTPd CVE #(s):
Created:September 21, 2004 Updated:September 22, 2004
Description: The glFTPd server is vulnerable to a buffer overflow in the 'dupescan' program. This vulnerability is due to an unsafe strcpy() call which can cause the program to crash when a large argument is passed. A local user with malicious intent can pass a parameter to the dupescan program that exceeds the size of the buffer, causing it to overflow. This can lead the program to crash, and potentially allow arbitrary code execution with the permissions of the user running glFTPd, which could be the root user.
Alerts:
Gentoo 200409-27 2004-09-21

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

heimdal: root escalation

Package(s):heimdal CVE #(s):CAN-2004-0794
Created:September 16, 2004 Updated:September 22, 2004
Description: The Heimdal FTP daemon has several bugs that can allow a remote attacker to gain root privileges.
Alerts:
Debian DSA-551-1 2004-09-21
Gentoo 200409-19 2004-09-16

httpd: mod_ssl input filter denial of service vulnerability

Package(s):httpd CVE #(s):CAN-2004-0748
Created:September 2, 2004 Updated:September 23, 2004
Description: Apache httpd has a denial of service vulnerability in mod_ssl in which an attacker can force an SSL connection to abort, resulting in the Apache child process entering an infinite loop. This affects httpd versions up to and including 2.0.50.
Alerts:
Fedora FEDORA-2004-313 2004-09-23
Conectiva CLA-2004:868 2004-09-23
SuSE SUSE-SA:2004:030 2004-09-06
Red Hat RHSA-2004:349-01 2004-09-01

apache2: IPv6 denial of service

Package(s):httpd apache2 CVE #(s):CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created:September 15, 2004 Updated:October 6, 2004
Description: Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Alerts:
Debian DSA-558-1 2004-10-06
Trustix TSLSA-2004-0047 2004-09-16
Mandrake MDKSA-2004:096 2004-09-15
Gentoo 200409-21 2004-09-16
Fedora FEDORA-2004-308 2004-09-16
Fedora FEDORA-2004-307 2004-09-16
SuSE SUSE-SA:2004:032 2004-09-15
Red Hat RHSA-2004:463-01 2004-09-15

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kdebase: multiple vulnerabilities

Package(s):kdebase CVE #(s):CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:August 12, 2004 Updated:October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country specific secondary top level domains.
Alerts:
Red Hat RHSA-2004:412-01 2004-10-04
Conectiva CLA-2004:864 2004-09-13
Fedora FEDORA-2004-293 2004-09-08
Fedora FEDORA-2004-292 2004-09-08
Fedora FEDORA-2004-291 2004-09-08
Fedora FEDORA-2004-290 2004-09-08
Slackware SSA:2004-247-01 2004-09-03
Mandrake MDKSA-2004:086 2004-08-20
Debian DSA-539-1 2004-08-17
Gentoo 200408-13 2004-08-12

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):kernel CVE #(s):CAN-2004-0497
Created:July 2, 2004 Updated:September 27, 2004
Description: During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:
Conectiva CLA-2004:869 2004-09-27
Gentoo 200407-16 2004-07-22
Whitebox WBSA-2004:360-01 2004-07-07
Mandrake MDKSA-2004:066 2004-07-06
SuSE SUSE-SA:2004:020 2004-07-02
Fedora FEDORA-2004-206 2004-07-02
Fedora FEDORA-2004-205 2004-07-02
Red Hat RHSA-2004:354-01 2004-07-02
Red Hat RHSA-2004:360-01 2004-07-02

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lha: stack-based buffer overflow

Package(s):lha CVE #(s):CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created:September 2, 2004 Updated:October 14, 2004
Description: The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive.
Alerts:
Fedora-Legacy FLSA:1833 2004-10-13
Whitebox WBSA-2004:323-01 2004-09-20
Gentoo 200409-13 2004-09-08
Fedora FEDORA-2004-295 2004-09-08
Fedora FEDORA-2004-294 2004-09-08
Red Hat RHSA-2004:323-01 2004-09-01

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander's extfs virtual filesystem (vfs) has a shell-quoting vulnerability in its extfs Perl scripts.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability was not fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

OpenOffice: information disclosure

Package(s):openoffice.org CVE #(s):CAN-2004-0752
Created:September 15, 2004 Updated:October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Alerts:
Gentoo 200410-17 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

phpGroupWare: cross site scripting vulnerability

Package(s):phpgroupware CVE #(s):
Created:September 16, 2004 Updated:September 22, 2004
Description: The wiki module in phpGroupWare has a cross-site scripting vulnerability.
Alerts:
Gentoo 200409-22 2004-09-16

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s):putty CVE #(s):
Created:August 5, 2004 Updated:October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200410-29 2004-10-27
Gentoo 200408-04 2004-08-05

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

qt3: BMP image parser heap overflow

Package(s):qt3/qt3-non-mt/qt3-32bit/qt3-static CVE #(s):CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created:August 19, 2004 Updated:May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19

Comments (none posted)

rsync: path-sanitizing bug

Package(s):rsync CVE #(s):CAN-2004-0792
Created:August 16, 2004 Updated:November 1, 2004
Description: This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2), but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify which files should be transferred (these names happen to get sanitized twice, so the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written.
Alerts:
Conectiva CLA-2004:881 2004-11-01
Slackware SSA:2004-285-01 2004-10-12
Whitebox WBSA-2004:436-01 2004-09-20
Red Hat RHSA-2004:436-01 2004-09-01
Fedora FEDORA-2004-269 2004-08-19
Fedora FEDORA-2004-268 2004-08-19
Gentoo 200408-17 2004-08-17
Mandrake MDKSA-2004:083 2004-08-17
Netwosix NW-2004-0017 2004-08-17
Trustix TSLSA-2004-0042 2004-08-17
tinysofa TSSA-2004-020-ES 2004-08-16
Debian DSA-538-1 2004-08-17
SuSE SUSE-SA:2004:026 2004-08-16
OpenPKG OpenPKG-SA-2004.037 2004-08-15

Comments (none posted)

ruby: insecure file permissions

Package(s):ruby CVE #(s):CAN-2004-0755
Created:August 16, 2004 Updated:October 14, 2004
Description: Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the web server to take over a session.
Alerts:
Fedora FEDORA-2004-264 2004-10-15
Red Hat RHSA-2004:441-01 2004-09-30
Gentoo 200409-08 2004-09-03
Debian DSA-537-1 2004-08-16

Comments (none posted)

Samba: Denial of Service vulnerabilities

Package(s):samba CVE #(s):CAN-2004-0807 CAN-2004-0808
Created:September 13, 2004 Updated:September 22, 2004
Description: There is a defect in smbd's ASN.1 parsing. A bad packet received during the authentication request could throw newly-spawned smbd processes into an infinite loop (CAN-2004-0807). Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process (CAN-2004-0808). See this advisory for details.
Alerts:
Red Hat RHSA-2004:467-01 2004-09-22
OpenPKG OpenPKG-SA-2004.040 2004-09-15
Trustix TSLSA-2004-0046 2004-09-14
Slackware SSA:2004-257-01 2004-09-13
Mandrake MDKSA-2004:092 2004-09-13
Fedora FEDORA-2004-305 2004-09-13
Fedora FEDORA-2004-304 2004-09-13
Gentoo 200409-16 2004-09-13

Comments (none posted)

SnipSnap: HTTP errors

Package(s):snipsnap-bin CVE #(s):
Created:September 22, 2004 Updated:September 22, 2004
Description: SnipSnap, a content management system, is vulnerable to several "HTTP response splitting" attacks, leading to cross-site scripting and cache poisoning problems. Version 1.0_beta1 fixes things.
Alerts:
Gentoo 200409-23 2004-09-17

Comments (none posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora-Legacy FLSA:1945 2005-02-20
Debian DSA-565-1 2004-10-13
Whitebox WBSA-2004:409-01 2004-08-19
Slackware SSA:2004-223-03 2004-08-07
Conectiva CLA-2004:855 2004-07-30
Gentoo 200407-23 2004-07-30
Mandrake MDKSA-2004:076 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Fedora FEDORA-2004-244 2004-07-28
Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):spamassassin CVE #(s):CAN-2004-0796
Created:August 9, 2004 Updated:August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message, an attacker could cause a Denial of Service condition in the SpamAssassin service.
Alerts:
Fedora-Legacy FLSA:129284 2005-08-10
Fedora-Legacy FLSA:2268 2005-03-24
Red Hat RHSA-2004:451-01 2004-09-30
Conectiva CLA-2004:867 2004-09-22
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Mandrake MDKSA-2004:084 2004-08-18
Gentoo 200408-06 2004-08-09

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote Denial of Service vulnerability that may also allow arbitrary code execution on a server that runs svnserve. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

Webmin, Usermin: Multiple vulnerabilities in Usermin

Package(s):webmin usermin CVE #(s):CAN-2004-0559
Created:September 13, 2004 Updated:September 23, 2004
Description: There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without properly checking if it exists first.

The first vulnerability allows a remote attacker to inject arbitrary shell code in a specially-crafted e-mail. This could lead to remote code execution with the privileges of the user running Webmin or Usermin.

The second could allow local users who know Webmin or Usermin is going to be installed to have arbitrary files be overwritten by creating a symlink by the name /tmp/.webmin that points to some target file, e.g. /etc/passwd.

Alerts:
Mandrake MDKSA-2004:101 2004-09-22
Debian DSA-544-1 2004-09-14
Gentoo 200409-15 2004-09-12

Comments (none posted)

wv: buffer overflow

Package(s):wv CVE #(s):CAN-2004-0645
Created:July 14, 2004 Updated:February 10, 2005
Description: wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:
Fedora-Legacy FLSA:1906 2005-02-08
Conectiva CLA-2004:902 2004-12-01
Debian DSA-579-1 2004-11-01
Debian DSA-550-1 2004-09-20
Conectiva CLA-2004:863 2004-09-10
Mandrake MDKSA-2004:077 2004-07-29
Fedora FEDORA-2004-225 2004-07-23
Fedora FEDORA-2004-224 2004-07-23
Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: buffer overflows

Package(s):xine-lib CVE #(s):CAN-2004-1379
Created:September 22, 2004 Updated:April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Alerts:
Fedora-Legacy FLSA:152873 2006-04-04
Debian DSA-657-1 2005-01-25
Mandrake MDKSA-2004:105 2004-10-06
Slackware SSA:2004-266-04 2004-09-22
Gentoo 200409-30 2004-09-22

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package, intended to remedy a problem or report a bug, does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

zlib: denial of service

Package(s):zlib CVE #(s):CAN-2004-0797
Created:August 25, 2004 Updated:June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Kernel release status

The current 2.6 prepatch is still 2.6.9-rc2; there have been no 2.6.9 prepatches since September 13.

Patches continue to accumulate in Linus's BitKeeper repository; changes queued up for -rc3 include the re-merging of the two in-kernel software suspend mechanisms, an XFS update, a new wait_event_timeout() primitive, more __iomem annotations (see The September 16 Kernel Page), new sparse annotations intended to flush out byte endianness errors, an NTFS update, ethtool support in the loopback driver, m32r architecture support, the "string" I/O memory access functions, support for more than eight partitions on BSD-labeled disks, some User-mode Linux cleanups, a tunable "max sectors" limit for block I/O requests (a latency reduction feature), a new prctl() option allowing programs to change their name, some shared memory scalability improvements, and a change in TCP ICMP source quench behavior (such messages are simply ignored now).

The current prepatch from Andrew Morton is 2.6.9-rc2-mm4. Recent changes to -mm include the "big kernel semaphore" patch (see the September 16 Kernel Page), a consolidation of the x86-64 and i386 no-exec code, a remap_page_range() API change (see below), a rework of the filesystem external attribute code, the "Single Priority Array" scheduler, kernel crash dumps through kexec, and library functions implementing a simple circular buffer structure.

The current 2.4 prepatch remains 2.4.28-pre3, which was released on September 11.

Comments (1 posted)

Kernel development news

Proceedings of Netfilter Developer Workshop 2004

Harald Welte has posted the proceedings from the 2004 Netfilter Developer Workshop. Click below for a plain text version; the proceedings are also available in a number of other formats over here.

Full Story (comments: none)

Respite from the OOM killer

Thomas Habets had an unfortunate experience recently. His Linux system ran out of memory, and the dreaded "OOM killer" was loosed upon the system's unsuspecting processes. One of its victims turned out to be his screen locking program, leaving his session open to whoever might happen to walk by. His response was the oom_pardon patch, which allows the system administrator to exempt certain processes from the OOM killer's revenge. It turns out that SUSE has a similar patch which allows administrators to set the "OOM score" of specific processes, increasing or decreasing their chances of being chosen for an untimely demise.

The OOM killer exists because the Linux kernel, by default, can commit to supplying more memory than it can actually provide. Overcommitting memory in this way allows the kernel to make fuller use of the system's resources, because processes typically do not use all of the memory they claim. As an example, consider the fork() system call, which copies all of a process's memory for the new child process. In fact, all it does is to mark the memory as "copy on write" and allow parent and child to share it. Should either change a page shared in this way, a true copy is made. In theory, the kernel could be called upon to copy all of the copy-on-write memory in this way; in practice, that does not happen. If the kernel reserved all of the necessary virtual memory (which includes swap space), some of that space would certainly go unused. Rather than waste that space - and fail to run programs or memory allocations that, in practice, it could have handled - the kernel overcommits itself and hopes for the best.

When the best does not happen, the OOM killer comes into play; its job is to kill processes and free up some memory. Getting it to kill the right processes has been an ongoing challenge, however. One person's useless memory hog is another's crucial application. Thus, over the years, numerous efforts have been made to refine the OOM killer's heuristics, and patches like "oom_pardon" have been created.

Not everybody agrees that this is a fruitful use of developer time. Andries Brouwer came up with this analogy:

An aircraft company discovered that it was cheaper to fly its planes with less fuel on board. The planes would be lighter and use less fuel and money was saved. On rare occasions however the amount of fuel was insufficient, and the plane would crash. This problem was solved by the engineers of the company by the development of a special OOF (out-of-fuel) mechanism. In emergency cases a passenger was selected and thrown out of the plane. (When necessary, the procedure was repeated.) A large body of theory was developed and many publications were devoted to the problem of properly selecting the victim to be ejected. Should the victim be chosen at random? Or should one choose the heaviest person? Or the oldest? Should passengers pay in order not to be ejected, so that the victim would be the poorest on board? And if for example the heaviest person was chosen, should there be a special exception in case that was the pilot? Should first class passengers be exempted? Now that the OOF mechanism existed, it would be activated every now and then, and eject passengers even when there was no fuel shortage. The engineers are still studying precisely how this malfunction is caused.

Overcommitting memory and fearing the OOM killer are not necessary parts of the Linux experience, however. Simply setting the sysctl parameter vm/overcommit_memory to 2 turns off the overcommit behavior and keeps the OOM killer forever at bay. Most modern systems should have enough disk space to provide an ample swap file for most situations. Rather than trying to keep pet processes from being killed when overcommitted memory runs out, it might be easier just to avoid the situation altogether.

Comments (22 posted)

remap_pfn_range()

Last month we looked at a possible change to the heavily-used remap_page_range() function as a way of making io_remap_page_range() be the same on all architectures. Since then, a driver author has stepped forward with a different problem: he wants to remap some reserved memory which sits above the 4GB memory boundary. Since remap_page_range() takes a 32-bit "start" address, it cannot be used to remap memory above that boundary.

In response, William Lee Irwin has posted a series of patches which changes remap_page_range() to:

    int remap_pfn_range(struct vm_area_struct *vma, unsigned long from,
                        unsigned long pfn, unsigned long size,
                        pgprot_t prot);

The old "start" address has been changed to pfn, which is a page frame number. Since these mappings can only happen on page boundaries, this change does not take away any old functionality. It does, however, make twelve bits (typically) of address space available, making it possible to remap memory well above 4GB.

William's patches fix all in-kernel callers of remap_page_range(), of which there are several dozen, and remove the old interface altogether. He also manages to eliminate a fair amount of related code - it seems that large numbers of drivers have their own, private copy of kvirt_to_pa(), which obtains a physical address for memory from vmalloc(). For in-kernel users, the change should be a purely positive thing. Out-of-kernel drivers which use remap_page_range() will have to be fixed, however.

These patches have found their way into the -mm tree, and are thus likely to end up in the mainline eventually.

Comments (none posted)

Watching filesystem events with inotify

It is not uncommon for applications to want to know when something happens within a subtree of a filesystem. File managers are the most obvious example; if an application creates a new file within a directory represented in a file manager, users really like to see that new file show up, quickly. One could also imagine other sorts of applications - such as security monitoring code or just daemons wanting to know when their configuration files have changed - which can benefit from being told about filesystem activity.

The Linux mechanism for communicating filesystem events to user space is called "dnotify." A program watches a directory by opening it, then issuing a fcntl(F_NOTIFY) call. Thereafter, changes in that directory will result in a SIGIO signal being sent to the process, which can then dig through its cached information and try to figure out just what happened. People like to complain about dnotify; the interface is ugly (signals are a pain), it is hard to figure out what the changes are, it requires keeping files open and thus blocks the unmounting of removable media, etc. So there has long been interest in a replacement.

The most visible effort in that direction is inotify, which has been under development (by John McCutchan) for some time now; recently Robert Love has jumped in to help the project along. inotify 0.11 was released on September 28, and an increasingly strong push is being made to get it included into -mm for wider exposure and testing.

inotify works through a new character pseudo-device. Any application which wants to monitor filesystem activity need only open /dev/inotify and issue one of two ioctl() commands to it:

INOTIFY_WATCH
This call provides a filename and a mask of desired events; inotify will begin watching the given file (or directory) for activity.

INOTIFY_IGNORE
This call will stop the stream of events for the given file.

Quite a few possible events can be watched for: IN_ACCESS (the file was accessed), IN_MODIFY (the file was changed), IN_ATTRIB (file attributes changed), IN_OPEN and IN_CLOSE (for open and close events), IN_MOVED_FROM and IN_MOVED_TO (when files are renamed), IN_CREATE_SUBDIR and IN_DELETE_SUBDIR (creation and deletion of subdirectories), IN_CREATE_FILE and IN_DELETE_FILE (creation and deletion of files within a directory), IN_DELETE_SELF (when a monitored file is deleted), IN_UNMOUNT (when the filesystem containing the file is unmounted), and a couple of others. The events themselves are obtained by simply reading from the device. Thus a program can block on the device itself, or use poll() to incorporate notifications into a larger event-processing loop. No signals are involved.
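As an added example (not code from the inotify patches or from the original article), here is a small C program that watches a directory the way a configuration-file daemon would and reports which of the event types listed above fired for a file. It goes beyond the 0.11 interface described here: it uses the system-call form of inotify that Linux eventually merged (inotify_init, inotify_add_watch, read) rather than the /dev/inotify device and its ioctl() commands; the scratch directory and the "app.conf" file name are constructed for the demonstration.

```c
/*
 * Added example (not code from the inotify 0.11 patch discussed above).
 * It uses the system-call form of inotify that Linux eventually merged
 * (inotify_init / inotify_add_watch / read) instead of the /dev/inotify
 * device and INOTIFY_WATCH ioctl of the 0.11 patch.  Names such as
 * IN_MODIFY, IN_ATTRIB and IN_DELETE_SELF survived; IN_CREATE_FILE and
 * IN_CREATE_SUBDIR became a single IN_CREATE (IN_ISDIR set for directories).
 * Linux only; build with: cc -Wall -o cfgwatch cfgwatch.c
 */
#define _GNU_SOURCE
#include <limits.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Events a daemon watching its configuration directory would care about. */
#define CFG_EVENTS (IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE | IN_ATTRIB | IN_DELETE)

/*
 * Drain every event currently queued on the inotify descriptor and return
 * the OR of the masks reported for the entry named `want` (0 if none).
 * poll() with a timeout means the caller never blocks forever, which is how
 * the article says a program folds notifications into a larger event loop.
 */
uint32_t collect_events(int ifd, const char *want, int timeout_ms)
{
    /* The kernel writes variable-length records; keep the buffer aligned. */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = ifd, .events = POLLIN };
    uint32_t seen = 0;

    while (poll(&pfd, 1, timeout_ms) > 0) {
        ssize_t len = read(ifd, buf, sizeof buf);
        if (len <= 0)
            break;
        for (char *p = buf; p < buf + len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            /* A directory watch reports the affected entry in ev->name. */
            if (ev->len > 0 && strcmp(ev->name, want) == 0)
                seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
        timeout_ms = 0;   /* keep draining only while events are already queued */
    }
    return seen;
}

/*
 * Self-contained demonstration: in a scratch directory, create a constructed
 * config file, write to it, change its mode and delete it while a watch is
 * active, then return the combined mask inotify reported for that file.
 */
uint32_t demo_config_watch(void)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX";   /* constructed scratch path */
    char path[PATH_MAX];
    uint32_t seen = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    int ifd = inotify_init();
    if (ifd >= 0) {
        int wd = inotify_add_watch(ifd, dir, CFG_EVENTS);
        if (wd >= 0) {
            snprintf(path, sizeof path, "%s/app.conf", dir);
            FILE *f = fopen(path, "w");       /* IN_CREATE */
            if (f != NULL) {
                fputs("listen = 8080\n", f);  /* IN_MODIFY when flushed ... */
                fclose(f);                    /* ... then IN_CLOSE_WRITE */
                chmod(path, 0600);            /* IN_ATTRIB */
                unlink(path);                 /* IN_DELETE */
            }
            seen = collect_events(ifd, "app.conf", 1000);
            inotify_rm_watch(ifd, wd);
        }
        close(ifd);
    }
    rmdir(dir);
    return seen;
}

int main(void)
{
    uint32_t m = demo_config_watch();
    printf("events for app.conf (mask 0x%x):%s%s%s%s%s\n", m,
           m & IN_CREATE ? " IN_CREATE" : "", m & IN_MODIFY ? " IN_MODIFY" : "",
           m & IN_CLOSE_WRITE ? " IN_CLOSE_WRITE" : "", m & IN_ATTRIB ? " IN_ATTRIB" : "",
           m & IN_DELETE ? " IN_DELETE" : "");
    return 0;
}
```

Because the watch is on the directory rather than the file, the events keep flowing after app.conf is unlinked and recreated, which is the case dnotify handled badly.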

The actual implementation of inotify is relatively simple. The in-core inode structure is augmented with a linked list of processes interested in events involving that inode. When an INOTIFY_WATCH call is made, an entry is made in the corresponding list (and the inode is pinned into memory for the duration). Various parts of the filesystem code get an extra inotify_inode_queue_event() call when an action succeeds. The rest is just the usual overhead of maintaining lists of events for processes, waking those processes up when new events arrive, etc.

While most interest and activity seems to be around inotify, it is not the only dnotify replacement in circulation; nonotify is an alternative. There are also some remaining issues about the interface exported by inotify. It has been suggested that the inotify ioctl() calls should take file descriptors rather than file names; that change would eliminate problems in dealing with long file names and would also make access control checks happen automatically. The interface would have to be done in such a way that the application could close the file and still receive events, though; otherwise dnotify's problems with unmount blocking and excessive use of file descriptors would just come back again. These issues notwithstanding, inotify looks like it is headed for inclusion into a mainline kernel in the not-too-distant future.

Comments (17 posted)

Driver core functions: GPL only

Patrick Mochel may have been expecting to start a flame war with this patch, which changes most of the driver core functions to be exported only to GPL-licensed modules. The affected functions include the bus-level code, classes (but not class_simple), device_register() and friends, the platform and system bus functions, low-level sysfs functions, and the kobject primitives. In fact, the flame war failed to materialize; nobody seems to be upset by these changes. Whether Patrick is pleased or disappointed by the silence is for him to say.

The affected functions are a fundamental component of the Linux driver model; they are used by every device driver and filesystem, and by many other parts of the kernel as well. Even so, few, if any, proprietary modules will be affected by this change. The interfaces used by most modules are built on top of - and hide - the driver core. Thus, it is a rare driver which calls device_register(); instead, something like usb_register_dev() is used. Those upper-layer functions remain exported to all modules.

So why make the change? Patrick's reasoning is that he wants all users of the low-level functions to be part of the mainline kernel tree.

In short, being able to audit all of the users of these functions is necessary to their continued evolution (whatever that may entail). It would make the most sense if all users were part of the kernel, and it makes little sense to support their use by any unknown or binary modules.

As the kernel tree becomes more dynamic internally, it will be increasingly hard for external modules - free or not - to keep up with the changes. It would not be surprising to see ever more "encouragement" to merge external modules into the mainline. Code which remains outside will require a higher level of maintenance, or it is likely to break frequently.

Comments (16 posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Filesystems and block I/O

Memory management

Architecture-specific

Security-related

  • Kristian Sørensen: Umbrella 0.4.1. (September 27, 2004)

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Red Hat Releases RHEL 4 Public Beta

September 29, 2004

This article was contributed by Ladislav Bodnar

The announcement couldn't have been hidden more carefully. Unlike "Taroon", the previous public beta of Red Hat Enterprise Linux (RHEL), the first beta of RHEL 4, code name "Nahant", was not announced on the Red Hat Watch mailing list, nor was it mentioned anywhere on Red Hat's web site. In fact, the only place the announcement was sent to was the just-established Nahant Beta List, which couldn't have had many subscribers other than a handful of RHEL developers. But whatever the reason for this secrecy, the fact is that Red Hat Enterprise Linux 4 has now officially entered a public beta testing phase. We downloaded the 4-ISO image set of RHEL Enterprise Server to take an early look.

First some general information. RHEL 4 is being developed in parallel with Fedora Core 3, which has been in beta testing since July. Some would have expected RHEL 4 to be based on the earlier and well-established Fedora Core 2, but remember that Fedora 3 will be released early in November this year, while RHEL 4 final is not expected until perhaps April or May next year. This will give Red Hat developers an extra 5 - 6 months to finalize the product and to iron out any outstanding bugs not caught during the Fedora Core 3 beta testing period.

The platform support and product range has changed little since RHEL 3, the only exception being the low-cost Red Hat Enterprise Linux ES, which, in addition to i386, is now also built for ia64 and x86_64 architectures. Here is a quick summary of what is available for each hardware platform:

  • i386: Advanced Server, Desktop, Enterprise Server, Workstation
  • ia64: Advanced Server, Enterprise Server, Workstation
  • ppc: Advanced Server
  • s390: Advanced Server
  • s390x: Advanced Server
  • x86_64: Advanced Server, Desktop, Enterprise Server, Workstation

Besides platform support and price, the main difference between RHEL Enterprise Server (ES) and RHEL Advanced Server (AS) is in their respective target systems. RHEL ES is designed for small and medium size businesses using systems with up to two CPUs and 8 GB of memory; in contrast, RHEL AS is intended for large departmental and data center servers with up to 16 CPUs and 64 GB of RAM. On the client side, there is little difference between RHEL Desktop and RHEL WS from a technical point of view and packages included, but RHEL Desktop is sold as a package of either 10 or 50 units with management modules for mass deployments, while RHEL Workstation can be purchased as a stand-alone product.

Apart from an extra Red Hat Network account screen during the post-install configuration, installing RHEL 4 doesn't differ much from installing any recent test build of Fedora Core 3. A subscription to Red Hat Network is, of course, an integral part of any RHEL product, providing updates and errata for the duration of the subscription period. RHEL 3 users will also note a new option to select one of the three SELinux states. The default is "Active", which enforces all policies, such as denying unauthorized users access to certain files and programs. On the other end of the spectrum is a self-explanatory "Disabled" state. The third state, "Warn", means that SELinux policies are turned on but not enforced, with a log file providing details of any access violations. This is a good way of testing SELinux, especially designed for those users who would eventually like to enable the policies, but are somewhat nervous about possible negative effects on their system operation.

Like SUSE LINUX Enterprise Server (SLES) 9, the default installation of RHEL 4 is a full graphical system. Beta 1 comes with a preview release of GNOME 2.8 as the default desktop environment (KDE 3.3.0 is also included). Although it is possible to install a text-only system by deselecting the GNOME package set during installation, having a graphical system will benefit less experienced system administrators who would appreciate the many graphical utilities for painless configuration of Apache, Samba, NFS and other server applications, as well as an easy setup of the Red Hat Network update service. An interesting new feature (courtesy of GNOME 2.8) is the configurable Keyring Manager daemon for managing passwords. As an example, it allows users to keep administrative privileges after configuring the first module that requires the root password - when done, a key set icon will appear in the system tray to indicate that the user will not need to enter the root password again during the next 5 minutes (default).

Besides the newly included SELinux functionality, users familiar with RHEL 3 will notice several other changes. Red Hat has now moved to Linux kernel 2.6 (2.6.8 to be exact), XFree86 has been replaced with X.Org (version 6.8.0), CVS with Subversion (1.0.6), UW IMAP with Cyrus IMAP (2.2.6) and OSS sound modules with ALSA (1.0.6). The package supplying Linux Volume Manager (now developed by Red Hat after acquiring Sistina earlier this year) is now called lvm2 (version 2.00.21) and it comes with many new features and commands. Users of Asian languages will be pleased to know that all of the various input method servers have now been deprecated in favor of IIIMF (Internet/Intranet Input Method Framework), a multilingual Unicode input framework which enables easy switching between languages, input methods and character sets, and even allows for mixing different character sets in documents. Additionally, support for several Indic languages, including Bengali, Hindi, Punjabi and Tamil, is now available in the Anaconda installer and throughout most GTK+ applications.

Overall, the list of newly added features in this beta release of RHEL 4 is impressive. What is needed now is intensive testing on all architectures to determine the capabilities and stability of the 2.6 kernel under extreme conditions. Then some 6 months down the road, when all the known bugs have been ironed out, RHEL 4 will undoubtedly provide enough reasons for many system administrators and IT decision makers to upgrade, deploy or migrate.

Comments (10 posted)

Distribution News

Debian GNU/Linux

Martin Krafft has put together an organization chart for the Debian Project. PDF and PostScript versions are also available. If you have ever wondered how it all fits together, this chart is, at least, a place to start.

The Debian Weekly News for September 28, 2004 is out. This week's issue covers an OSCON talk on the use of Free Software in a Debian-based large scale web application, a Sarge release update, a surveillance robot powered by Debian, and more.

Steve Langasek provides a Sarge release update covering, in particular, "Qt, arts, arm, yes; freeze date, no".

Jeroen van Wolffelaar adds this message to package maintainers. "Executive summary: If you maintain one or more packages that are out-of-sync in sarge, please go to http://www.wolffelaar.nl/~sarge/, read the guidelines, login, lookup your own packages, and fill in the questions."

Andreas Barth looks at bts2ldap-gateway: updates.

Martin "joey" Schulze provides a status report on the progress of the third revision of the current stable version (woody).

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of September 27, 2004 is out. This edition revisits Gentoo documentation and other topics.

Full Story (comments: none)

Ubuntu Traffic #5

The fifth edition of Ubuntu Traffic is available; it looks at GNOME bindings, daily CD images, Mono packages, the Technical Board, and more.

Comments (1 posted)

DistroWatch Weekly

The DistroWatch Weekly for September 27, 2004 covers Fedora Core 3, Debian Sarge, Hiweed GNU/Linux and more.

Comments (none posted)

Red Hat Enterprise Linux 4 Beta 1 (LinuxElectrons)

Red Hat has announced the release of Red Hat Enterprise Linux 4 (Nahant) Beta 1. "Red Hat Enterprise Linux 4 is the first RHEL release based on the 2.6 Linux kernel. We are particularly interested in feedback on hardware compatibility including sound, video, networking, storage device, and USB support on both server and desktop-class systems."

Comments (8 posted)

Fedora

Udev testers on Fedora will be interested in this website that "tries to reveal the secrets of udev and how it works on Fedora".

Fedora Core 2 updates:

Comments (none posted)

Slackware Linux

This week the slackware-current changelog shows upgrades to GNU automake-1.9.2, GNU libtool-1.5.10, oprofile-0.8.1, GNU gmp-4.1.4, bind-9.3.0, xsane-0.96, php-5.0.2, GNU gawk-3.1.4, mdadm-1.7.0, gkrellm-2.2.4, and more.

Comments (none posted)

New Distributions

TURKIX

TURKIX is a Mandrake-based live Linux distribution with support for Turkic languages like Turkish and Azerbaijani. The second major release (2.0) will be in English. Turkix comes with a reworked rpm packaging system called "rpmx", an embedded wrapper around rpm that understands the new virtual file hierarchy used by TURKIX. This hierarchy is designed to make Windows and MacOS users feel at home while getting them acquainted with the classical UNIX file hierarchy. TURKIX joins the list at version 1.9, released September 26, 2004.

Comments (none posted)

SAM

SAM is a bootable Linux CD based on Mandrakelinux. Installation on the hard drive is not necessary with SAM, but it is possible. SAM is under 210 MB, so it fits on an 8cm mini-CD and is ideal for carrying in the pocket. Although it is small, it contains a full graphical desktop environment with office, Internet, multimedia and graphics applications, and even a few games. SAM joins the list at TestRelease 1.0, released September 28, 2004.

Comments (none posted)

Minor distribution updates

H3Knix

H3Knix has released v1.5.2 with major feature enhancements. "Changes: This version features new install scripts, a rebuild of the base with more included libraries and applications, a new init for fast boot/low overhead, and new custom tools."

Comments (none posted)

LormaLINUX

LormaLINUX has released the first of a new line of server products. Server Edition 1.0beta 1 - LTSP Server combines the optimization, customization and features of Lormalinux 5 Workstation for low-powered thin client terminals, ideal for the classroom environment.

Comments (none posted)

slimlinux

slimlinux has released v0.8.0. "Changes: A minimal distribution of XFree86 4.2.0, yeahwm 0.2.0, ratpoison 1.3.0, nano 1.2.4, mawk 1.33, mcdp 0.4, aumix 2.8, and bplay 0.99 were added. retawq 0.2.5a and OSS support were updated. zile, clex, and cmdftp were removed. From this release onward, there is no floppy version, only a FAT16/32 version. The system uses 16 MB of RAM, and the framebuffer console display is required."

Comments (none posted)

Newsletters and articles of interest

Linux live and kicking (vnunet)

Vnunet suggests the use of CD-based Linux distributions for evaluating Linux. "Though different live options target different markets, most offer more or less automatic network configuration and a graphical desktop environment with supplied office suites, browsers and applications. There's also mileage in live distributions for the experienced user. It's possible to customise some live variants, burn them to a fresh CD and use them as a portable, instant personalised Linux environment with a writeable home directory stored on a USB memory key."

Comments (none posted)

Page editor: Rebecca Sobol

Development

VDC: the Virtual Data Center

The Virtual Data Center is an operational, open-source digital library that enables the sharing of quantitative research data. The project acknowledgments include a long list of authors and contributors working at the Harvard-MIT Data Center. The project is being funded by the National Science Foundation's Digital Libraries Initiative.

The project description gives a deeper description of what VDC can be used for:

VDC provides a complete open-source, digital library system for the management, dissemination, exchange, and citation of virtual collections of quantitative data. The VDC functionality provides everything necessary to maintain and disseminate an individual collection of research studies: including facilities for the storage, archiving, cataloging, translation, and dissemination of each collection. On-line analysis is provided, powered by the R Statistical environment. The system provides extensive support for distributed and federated collections including: location-independent naming of objects, distributed authentication and access control, federated metadata harvesting, remote repository caching, and distributed "virtual" collections of remote objects.

Uses of VDC include:

  • Study preparation for format conversion of data.
  • Study management for data archiving and cataloging.
  • Interoperability with data in a number of standard research formats.
  • Dissemination of data including downloading, format conversion, and subset generation.
  • On-line analysis for generating statistics and graphics.
  • Distribution and federation for making the data available widely.
  • Replication for creating and managing persistent dataset identifiers.

VDC is being used by a number of fairly high-profile projects including a social science data archive at the Harvard-MIT Data Center, TheDataWeb (a collaboration between the U.S. Census Bureau and the Centers for Disease Control), Harvard University's Library Digital Initiative, and the Henry A. Murray Research Center. You can take an online test drive of VDC at the HMDC VDC Server Virtual Data Center Site, where a large collection of research papers is available.

The final version 1.0 of the Virtual Data Center (VDC) was released this week. "Release 1.0 provides all core features and contains no known bugs. Supported standards and protocols and formats include: DDI, Dublin Core, and MARC for metadata; R, SPSS, SAS, ASCII, and STATA for data; OAI and Z39.50 for queries; UNFs and Handles for naming/citation."

For further reading, the VDC Documentation page contains a number of papers and other reference material about the project.

The code is available for download here, packages are currently available for Red Hat Linux 9, Red Hat Advanced Server 3 and Fedora Core 1. Packages for SUSE are on the to-do list. Digging through the source code repository for VDC reveals a large collection of Perl code, shell scripts, and R code. The project Design Overview white paper (PDF) is a good starting point for more detailed information on the project's architecture. VDC has been released under version 2 of the GNU General Public License (GPL).

Comments (1 posted)

System Applications

Database Software

QtSqlBrowser 0.8 released

Version 0.8 of QtSqlBrowser has been released. "The purpose of this project is to provide a simple, generic GUI database browsing frontend. The tool is a very simple aggregation of the Qt database classes. The database abstraction is provided by the Qt database drivers. The drivers for PostgreSQL and MySQL have been found to work well." The software is in stable condition, but it is not yet feature-complete.

Comments (none posted)

Interoperability

Samba 3.0.8 pre1 released

Version 3.0.8 pre1 of Samba is available with bug fixes and new migration functionality for the net tool.

Full Story (comments: none)

Samba 3.1.0 released

Version 3.1.0 of Samba, the first release of the 3.1.0 development branch, is out. "Samba 3.1.0 will include changes to winbindd (for scalability), code for implementing NT privileges, some proposed fixes to the printing code's background queue update daemon, and others."

Full Story (comments: none)

Libraries

libvorbis 1.1.0 and libogg 1.1.2 have been released

New versions of libvorbis and libogg are available from the Ogg Vorbis audio compression project. "The new libogg fixes some FLAC issues and libvorbis 1.1.0 features the new tunings from aoTuV."

Comments (none posted)

Mail Software

SpamBayes 1.0 released

For those looking for another tool for their anti-spam arsenal: SpamBayes 1.0 has been released. SpamBayes is a Bayesian tool, but it takes a rather different approach to this technique; see the SpamBayes background page for details.

Full Story (comments: 6)

Networking Tools

VPNs and Public Key Infrastructure (O'Reilly)

Scott Brumbaugh explains virtual private networks on O'Reilly. "The virtual private network (VPN) is increasingly becoming an invaluable part of every business network. With broadband available in more and more places, small- and medium-size businesses are taking advantage of VPN technology and leveraging the investment they've made in their internal private networks, expanding services available to customers, partners, and staff. This article focuses on VPN tunneling. Because it is also necessary to understand the basic principles of data encryption, this article will also summarize the set of technologies that form a Public Key Infrastructure (PKI). We will see how to ensure privacy in a virtual private network."

Comments (none posted)

Security

The OpenSSH project turns five

The OpenSSH project is celebrating its fifth birthday. It is a rare project which can go from nonexistence to almost complete domination in that period of time, but OpenSSH has done it.

Full Story (comments: 8)

Web Site Development

PHP Point Of Sale 8.0 Released (SourceForge)

Version 8.0 of PHP Point Of Sale is out. "PHP Point Of Sale (POS) is designed to help small businesses with keeping track of customers, items and inventory, and generate reports based on sales. This program works great for businesses that use cash, check, or account numbers for their sales. PHP Point Of Sale 8.0 is a groundbreaking release for this application. This release adds multi language support!"

Comments (none posted)

PHPSurveyor 0.98 final (SourceForge)

Version 0.98 final of PHPSurveyor, a set of PHP scripts for creating online surveys, is available. "While this is labelled a "stable" release, indicating that the recent months have been dedicated to bugfixing rather than the development of new features, PHPSurveyor should continue to be considered a development in beta. Although significant testing has taken place, bugs may still exist, and patches for these will be released where possible."

Comments (none posted)

UnCommon Web 0.3.0 released

Version 0.3.0 of UnCommon Web, a web application development framework written in Common Lisp, is available. "This version exports the public interface from the UCW package, adds the new package UCW-USER and includes better support for expired session handling. It also features improvements to components and HTML generation, better documentation, and more."

Full Story (comments: none)

Five 0.2b released (Zope 3 in Zope 2)

Version 0.2b of Five, a Zope 2 product that allows the use of Zope 3 technologies, is out. "A lot is new and improved in this release, including improved traversal system, bridging system for Zope 2 interfaces, Zope 3 events for Zope 2 objects, and more."

Full Story (comments: none)

A Day in the Life of #Apache

Rich Bowen works with Apache configuration issues on O'Reilly. "This month he covers how to get Apache to send a different Server response so that no one can identify what version of Apache you're running, or any of the modules you have installed. The less information your server reveals, the safer it will be from crackers who want to try and break in."

Comments (none posted)

Desktop Applications

Audio Applications

amaroK: Next Generation Audio Player Hits 1.1 (KDE.News)

KDE.News covers release 1.1 of amaroK, an audio player application. "amaroK is the first KDE application to use the GStreamer Multimedia Framework without any dependency on external bindings. amaroK can also integrate with xine so you have the freedom of choosing your own flavor. With version 1.1 there are many exciting changes that make using amaroK even more fun."

Comments (none posted)

Gnomoradio 0.14.1 announced

Version 0.14.1 of Gnomoradio, a peer-to-peer music playing system, is available. "Version 0.14.1 fixes a bug that some people were experiencing downloading files, and it fixes a few bugs when scanning all local music on startup."

Full Story (comments: none)

Jamboree 0.5 announced

Version 0.5 of Jamboree, a music player for GNOME, is out. "This version adds support for typeahead search of albums and artists, contributed by Mats-Ola Persson. It also adds support for the latest stable branch of GStreamer, and features many small user interface improvements."

Full Story (comments: none)

Desktop Environments

KDE CVS-Digest (KDE.News)

The September 24, 2004 edition of the KDE CVS-Digest is online. Here's the content summary: "KPDF supports table of contents. Krita adds scaling. Plastik is now the default style. The aKademy section introduces the requirements of the KDE 4 multimedia architecture, reports about kdemultimedia developers' plans and summarizes the first talk "MAS in KDE" of the multimedia track."

Comments (none posted)

Electronics

Electric 7.00 released

Version 7.00 of Electric, a VLSI Design System, is out. "Electric is moving from C to Java. Version 7 is the final, transitional, C version. A preliminary version of the Java implementation (Version 8) is also available and working, though missing some functionality."

Comments (none posted)

Financial Applications

SQL-Ledger 2.4.3 released

SQL-Ledger version 2.4.3 has been announced. Changes include default customer/vendor/parts/employee numbers, start and end dates for deactivation, more search fields on the customer/vendor screen, AR/AP transaction printing, and check/receipt printing.

Comments (none posted)

GUI Packages

gob2 2.0.10 released

Version 2.0.10 of gob2, the GTK+ object generator, is out with numerous changes and bug fixes.

Full Story (comments: none)

FLTK 1.1.5rc3 released

Version 1.1.5rc3 of FLTK, the Fast, Light ToolKit, has been announced. "The third release candidate for FLTK 1.1.5 is now available for download and testing. You now have until October 8th, 2004 to report any problems with this release candidate". The list of changes and bug fixes is lengthy.

Comments (none posted)

PyGTK 2.3.97 (unstable) is out

Unstable version 2.3.97 of PyGTK, the Python bindings to GTK, is available. "This is the final release candidate before 2.4.0 and if nothing serious turns up I'll rename this tarball and upload it as 2.4.0. Please test this thoroughly and report any serious bugs so they can be resolved before the final release."

Full Story (comments: none)

PyQt v3.13 Released

Version 3.13 of PyQt is available. "Changes since the last release include support for the QUuid, QMetaObject and QMetaProperty classes. PyQt is a comprehensive set of Qt bindings for the Python programming language and supports the same platforms as Qt. Like Qt, PyQt is available under the GPL (for UNIX, Linux and MacOS/X), a commercial license (for Windows, UNIX, Linux and MacOS/X) and a free educational license (for Windows)."

Full Story (comments: none)

Qt 4 Preview 2 Highlights Accessibility; D-BUS Bindings for Qt 4 (KDE.News)

KDE.News covers recent developments with Qt 4, including the second Qt 4 Technical Preview, which covers new accessibility support, and a preview of new D-BUS bindings.

Comments (none posted)

Imaging Applications

First Krita Preview Release (KDE.News)

The first preview release of Krita, a painting and image editing application for KOffice, has been announced. "Krita, formerly known as Krayon, formerly known as KImageShop, never known as nor intended to be the Kimp, is available for your testing pleasure. For the first time since development started in 1999, Krita is complete enough to be packaged as the first preview release."

Comments (none posted)

Instant Messaging

Chatzilla 0.9.65 Now Available (MozillaZine)

Version 0.9.65 of Chatzilla, a Mozilla IRC client, has been released. "Version 0.9.65 is a culmination of months of work from ChatZilla developers. It fixes 32 known bugs and adds many useful new features. Additions since version 0.9.64 include away-status coloration in the user list, SSL support, new user commands, and a revitalized assortment of emoticons."

Comments (none posted)

Interoperability

Wine Traffic

The September 24, 2004 edition of Wine Traffic is online with the latest Wine project news.

Comments (none posted)

Music Applications

OpenSong 0.9.9 Released! (SourceForge)

Version 0.9.9 of OpenSong, a cross-platform application for managing chords and lyrics sheets, is available. "This next release contains quite a few bug fixes, set list printing, proxy support, module loading, a new background image chooser, backgrounds folders, songs folders, multiple themes per song, key field, aka field, key line field, ccli import now imports the new song fields, configurable alert font, live scripture browsing during presentations, HTML song export, and more!"

Comments (1 posted)

Q multimedia examples released

Some examples of multimedia programs written in the Q functional programming language have been made available. The list includes the applications QAudioPlayer, QMidiCC, QMidiPlayer, and QSCSynth.

Full Story (comments: none)

Web Browsers

Epiphany 1.4.1 is out

Version 1.4.1 of Epiphany, the GNOME web browser, is available with numerous bug fixes. "Starting with version 1.4.1, Epiphany can be compiled against firefox' libraries as well as mozilla's libraries."

Full Story (comments: none)

Epiphany Extensions 1.4.1 are out

Version 1.4.1 of the Epiphany Extensions is available. Changes include bug fixes, translation work, and a new sidebar extension.

Full Story (comments: none)

Miscellaneous

Blogfish 1.0 RC1 released

Version 1.0 RC1 of Blogfish, a Blogger's panel applet for the Gnome desktop, is available. Changes include improved networking code, more lifelike fish movement, better installation scripts, and more.

Full Story (comments: none)

JXplorer v3.1 release candidate available (SourceForge)

A stable release candidate of JXplorer 3.1, an LDAP browser written in Java, has been announced. "This release includes a bunch of new security goodies, such as improved SSL handling with browser-like detection of server certificates, optional client side password hashing, and kerberos support."

Comments (none posted)

Nautilus-Sendto 0.2-1 announced

Version 0.2-1 of Nautilus-Sendto, an application that integrates Nautilus, Evolution and Gaim, is out. Changes include new plugin support, an improved UI, bug fixes, and more.

Full Story (comments: none)

Revelation 0.3.4 "Cellardoor" released

Version 0.3.4 of Revelation, a password manager for GNOME, is available. "This release fixes a couple of bugs; a crash when editing an entry on Python 2.2 systems, and the name for domain fields was accidentally replaced with the field tooltip. There have also been a couple of minor UI improvements."

Full Story (comments: none)

Languages and Tools

C

GCC Newsletter

The GCC Newsletter for September 27, 2004 is available. "gcc is a rather old codebase which has gone through many maintainers and developers. Sometimes, it can be particularly glaring. Roger Sayle gives a detailed explanation of that specific issue."

Comments (none posted)

Caml

Caml Weekly News

The September 21-28, 2004 edition of the Caml Weekly News is available with the week's Caml language articles.

Full Story (comments: none)

Java

Developing Your First EJBs, Part 2 (O'Reilly)

O'Reilly continues an excerpt series on EJB development with part two. "This week concludes this series with a look at how to develop a session bean, building on the examples presented in part one."

Comments (none posted)

Introduction to Service Data Objects (IBM developerWorks)

Bertrand Portier and Frank Budinsky introduce Service Data Objects on IBM's developerWorks. "Many Java developers are skeptical about how heterogeneous data can be accessed uniformly, and have been disappointed in the various programming frameworks that propose to solve the problem. In this article, Java developers Bertrand Portier and Frank Budinsky introduce you to next-generation data programming with Service Data Objects (SDO)."

Comments (none posted)

Unit Test Your Struts Application (O'ReillyNet)

Lu Jian introduces StrutsUT on O'Reilly. "Consistent unit testing is an essential part of development, but web applications aren't necessarily well-suited to unit testing--how do you validate the "correctness" of a returned stream of text or HTML? Lu Jian has an answer in the form of StrutsUT, a Cactus-based library for unit testing Struts web apps."

Comments (none posted)

Struts Menu 2.3 Released (SourceForge)

Version 2.3 of Struts Menu, a web menuing framework for JSP and Struts based applications, has been announced. "This release's major feature is the complete de-coupling from Struts - so that no struts.jar is required in the classpath anymore. Of course, if you have it in there, it's used as before."

Comments (none posted)

Perl

This Week on Perl 6

The September 28, 2004 edition of This Week on Perl 6 is online with the latest Perl 6 discussion topics.

Comments (none posted)

PHP

PHP 5.0.2 released

Version 5.0.2 of PHP has been released. "This is a maintenance release that in addition to many non-critical bug fixes, addresses a problem with GPC input processing. All Users of PHP 5 are encouraged to upgrade to this release as soon as possible."

Comments (none posted)

PostScript

GPL Ghostscript 8.15

Version 8.15 of GPL Ghostscript, a PostScript interpreter, has been announced. "This release includes many bug fixes over the previous AFPL Ghostscript 8.14 release, improved font rendering, and offers significantly better PDF generation and handling over GPL 8.01. We recommend upgrading to all our free users."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The September 29, 2004 edition of Dr. Dobb's Python-URL is available with a new collection of Python language article links.

Full Story (comments: none)

Ruby

Alexander Kellett Announces Rubydium (KDE.News)

KDE.News looks at Rubydium. "Now, another KDE developer has announced Rubydium, his efforts to bring Just-In-Time optimisations to the Ruby runtime. Could Ruby become a serious contender for KDE application development?"

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The September 27, 2004 edition of Dr. Dobb's Tcl-URL is out with the week's Tcl/Tk articles and resources.

Full Story (comments: none)

XML

XMP Lowdown (O'Reilly)

Bob DuCharme reviews XMP on O'Reilly. "The Extensible Metadata Platform (XMP) is a specification describing RDF-based data and storage models for metadata about documents in any format. The specification includes information about embedding XMP in text files such as HTML and SVG/XML; image formats such as JPEG, TIFF, and GIF; and Adobe formats such as Illustrator, Photoshop, and Acrobat files."

Comments (none posted)

Introduction to Device Independence (O'Reilly)

Peter Mikhalenko discusses device independent browsing issues via XML on O'Reilly. "The mission of the Device Independence activity of the W3C is to avoid fragmentation of the Web into spaces that are accessible only from certain types of devices. The goal of the Device Independence Activity is to develop ways for future web content and applications to be authored, generated, or adapted for a better user experience when delivered via many device types."

Comments (none posted)

Cross Assemblers

GNU PIC Utilities updates

The GNU PIC Utilities project (gputils) has released version 0.12.4 with bug fixes. Also: "We have started an effort to fix bugs in gputils COD files. The purpose is to improve compatibility with other tools."

Comments (none posted)

Yet Another PicoBlaze Assembler (gEDA)

Stephen Williams has announced a new cross-assembler for the PicoBlaze FPGA chips. "I anticipate my own possible need for a PicoBlaze (Xilinx) assembler written in C, so I made a start. This is really only a few hours of work, but I've got a shell going, that just needs to be fleshed out."

Comments (none posted)

Miscellaneous

Devhelp 0.9.2 announced

Version 0.9.2 of Devhelp, an API documentation browser for GNOME, is out. "This release adds three new translations (nb, gu, mk), it also features updates to 11 other translations. Nickolay V. Shmyrev sent a patch to support searching for sub strings, for example "gtk new" will give you all gtk constructors. Johan Svedberg was kind enough to send a patch for adding accelerators for back and forward."

Full Story (comments: none)

XPlanner 0.6.2 Released (SourceForge)

Version 0.6.2 of XPlanner has been announced. "XPlanner is a web-based project planning and tracking tool for eXtreme Programming (XP) teams. XPlanner is implemented using Java, JSP, and Struts, and MySQL (user contributed support for other databases). XPlanner 0.6.2 provides many improvements and bug fixes including sortable tables, object ID quick queries, improved page printing (image-based progress bars), improved interfaces (history, role editing, time entry, iterations, and developer/customer tasks), dynamic attribute support for enhanced SOAP integration, and contributed functionality for NTLM authentication and WackoWiki-compatible text formatting."

Comments (none posted)

Programming Language Popularity

David N. Welton crunched some statistics and wrote the results up in his paper Programming Language Popularity. Take a look to see how your favorite language rates. "We examine four sources of information. First, the raw number of results found with Google's search engine. We also look at dollars per click information gleaned from an online advertising service (Overture). In other words, how much it costs you, the advertiser, per click for ads placed with search terms such as “java consulting” or “perl training”. In addition, to look at the open source community's take on the situation, we look at projects registered with freshmeat. We also use the Craig's List (http://www.craigslist.org) job search board as a source for rough job statistics."

Comments (20 posted)

Statistical programming with R (IBM developerWorks)

David Mertz and Brad Huntting look at R on IBM's developerWorks. "In the first of a three-part series, David and Brad introduce you to R, a rich statistical environment, released as free software. It includes a programming language, an interactive shell, and extensive graphing capability. What's more, R comes with a spectacular collection of functions for mathematical and statistical manipulations -- with still more capabilities available in optional packages."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The Lack of a Small Unified Database (Linux Journal)

Linux Journal wants a single-file SQL format database. "Currently, free software users are missing a standard single-file SQL format, which may be a tar or ZIP archive, that contains everything needed by a generic frontend to let people work: schemas, data, indexes, forms structures and so on. Such databases could be copied immediately, uploaded to a Web server or sent by e-mail, the same as any other file. Users would have the certainty that the receiver immediately could access all the data, queries and forms, even if they might look different. Above all, it would be great if such a file format became an OASIS standard, because it would make it much easier to accept in corporate or government scenarios."

Comments (28 posted)

Closing the legal briefcase on Mambo vs. Furthermore copyright dispute (NewsForge)

Here's a NewsForge article containing a fair amount of research into the allegations of code theft by the Mambo project. "The Connolly/Mambo situation boils down to one man not doing enough research into the licensing details of the GNU General Public License, then taking his case to public message forums instead of private communication with the project leadership and eventually resorting to threatening uninvolved people with litigation.... No code was stolen or taken; rather two separate modifications were made to the same GPL code to accomplish the same very basic and common task in two very different ways."

Comments (8 posted)

SPF Not Poisonous to Phish (O'ReillyNet)

O'ReillyNet looks into the lack of adoption of SPF by banks, which, one would think, would welcome some protection against phishing attacks. "Wrong, says AOL's Hutzler. SPF only checks the hidden part of an email message known as the 'Return-Path' (or '821 header'). According to Hutzler, SPF completely ignores the From address (or '822 header,') which is used by phishers to 'social engineer' or dupe naïve recipients. In other words, the wily phisher can forge the From line and still get past SPF checks--as long as his mail comes from an SPF-compliant domain listed in the Return-Path."

Comments (14 posted)

Trade Shows and Conferences

Italy is open for penguin business (NewsForge)

NewsForge covers LinuxWorld Conference & Expo, Italian style. "This Expo was a good occasion to check the status of the current relationship between free and open source software and Italian public administrations of any size and scope. To sum it up, it looks promising, but it's still schizophrenic. From talk to talk, visitors noted that public administrations are required by a government directive to make documents available in non-proprietary formats, and that digital signatures can be exchanged with the central administration through Linux."

Comments (1 posted)

The SCO Problem

SCO/IBM September 15th Hearing - transcript as text (Groklaw)

GrokLaw has posted a transcript from the September 15 hearing in SCO v. IBM. "Normally, with legal documents, our text versions strive to be identical to the original. Here, we are doing two versions, one for simple readability and one with all the line numbers for reference, as per the original. This is the readable version."

Comments (none posted)

Companies

Lycoris acquires Mitel SME Server spin-off (NewsForge)

NewsForge reports that Lycoris is taking over the Contribs.org SME Server project. "The SME Server platform has a chequered commercial history, and Lycoris is the third company to assume control of the project. Originally developed by Joe Morrison as a server distribution based on Red Hat Linux, e-smith Server and Gateway was commercialised in 1999 when Morrison co-founded e-smith, Inc. Mitel Networks, an IP telephony company based in Ontario, Canada, acquired e-smith in 2001, and the product was rebranded "Mitel SME Server". However, Mitel subsequently discontinued community-based development of the product in November 2003, despite a mature and active community of volunteers inherited from e-smith. A volunteer team coordinated by Resource Strategies released an initial free version based on Mitel code at the beginning of 2004, but has subsequently achieved little."

Comments (none posted)

Business

BBC's Highfield beats Jobs as top man in tech (Silicon.com)

Silicon.com names its list of Agenda Setters for 2004. "More individuals involved in open source and free software made the list than ever before. Along with Torvalds at 7, we have MySQL CEO Marten Mickos making his debut at 12, Open Source Risk Management's David Eggers at 37, Red Hat engineer Mark J Cox at 40 and free software advocate Richard Stallman at 44."

Comments (1 posted)

Linux Adoption

Danish government agency opts for open source (News.com)

News.com reports on the adoption of a Linux solution for improving data exchange in the Danish Ministry of Finance. "The data exchange system uses open-source application server JBoss running on Red Hat Linux. It transmits 1.5 megabits of data per second between about 400 public institutions and the ministry, according to a report on open source from Computer Sciences Corp. Peter Henningsen, the data exchange project manager at the Ministry of Finance, said the open-source combination was chosen over BizTalk Server, Microsoft's systems integration application."

Comments (none posted)

Linux at Work

Thanks to Linux, this beer's for you! (NewsForge)

NewsForge reports on a novel new use of Linux. "Want to send your best buddy, boss, or promising client a drink "on you" via your wireless phone? You can, if your friend lives in London. Eagle Eye Solutions, based in the United Kingdom, is launching a new service today called Buymeabeer.com using a Linux-based server platform. It's a simple concept -- so simple, one wonders why no one else has implemented the idea until now." Your editors are eagerly awaiting the adoption of this technology by some of the local Colorado micro-breweries.

Comments (3 posted)

Legal

Open-Source Copyright Conflict Heats Up (eWeek)

eWeek covers a copyright dispute between Furthermore Inc. and Miro International Pty Ltd. over the open-source Mambo content management system. "Chicago-based Furthermore has claimed that some of the code used in Mambo OS was stolen from Furthermore and improperly placed into open source. Miro, of Melbourne, Australia, owns the copyright to Mambo."

Comments (5 posted)

Interviews

Project penguin: Novell CIO Debra Anderson talks to vnunet.com (vnunet)

Vnunet talks with Debra Anderson, Novell CIO. "Novell chief information officer (CIO) Debra Anderson was given the task of migrating all of the company's 6,000 staff from Microsoft Windows to Novell Linux on the desktop. In an exclusive interview with vnunet.com she details the project and the lessons it provided."

Comments (1 posted)

Interview with gaim Maintainer Rob Flynn (LinuxQuestions.org)

LinuxQuestions talks with Rob Flynn about his role in maintaining Gaim. "LQ) What was your first introduction to Linux? What was the reason behind you using Linux and was anyone in particular responsible for turning you on to Linux?
RF) I believe it was back when I had a 386. I was probably around 12 years old. The computer was a hand-me-down and I couldn't get Windows to run very well on the machine, so, instead, I spent about a million years downloading some slackware disks and installed it. That's also when I taught myself how to program in C."

Comments (none posted)

An Interview with Tom Lord of Arch (O'ReillyNet)

Steve Mallett talks with Tom Lord about the Arch Revision Control System, on O'ReillyNet's OSDir.com. "Tom Lord: First, when I was a working student, years and years ago, some of the people I respected, and was trying to learn from, were interested in a topic they called "programming in the large": the question of how to manage programming projects involving hundreds or thousands of programmers. I became interested in that problem and revision control is a subset of that problem."

Comments (76 posted)

Interview with Scribus Team (KDE.News)

KDE.News has published an interview with the Scribus developers. "We know of countless semi-professional magazines and personal publications in production with Scribus. In more recent times we had also the pleasure of helping a weekly commercial newspaper (20,000+ copies) in the USA get off the ground using Scribus."

Comments (2 posted)

Resources

'Know Your Enemy': Everything you need to know about honeypots (NewsForge)

NewsForge takes some excerpts from the book Know Your Enemy: Learning About Security Threats. "Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. For the purpose of this book, we will define a honeypot as follows: A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."

Comments (none posted)

Reviews

Moving from Windows to Linux by Chuck Easttom (Linux Journal)

Linux Journal reviews the book Moving from Windows to Linux by Chuck Easttom. "Using this book, Linux beginners certainly could install Linux and find their way to each of the applications described, but taking Linux to the next level will require an inquisitive person, another book or additional assistance. The text deals mainly with Red Hat 9."

Comments (none posted)

GNOME, KDE Aim at Windows (eWeek)

eWeek reviews the latest releases of both GNOME and KDE. "Some of the biggest changes in KDE 3.3 and GNOME 2.8 lie in the projects' respective e-mail and collaboration clients, Kontact and Evolution. Both applications are well-integrated into their desktop environments and cover a full range of groupware functionality, but eWEEK Labs found Evolution to be more refined and pleasant to use."

Comments (2 posted)

OOo Off the Wall: Macros and Add-ons (Linux Journal)

The Linux Journal looks at OpenOffice.org add-ons. "In the current version, OpenOffice.org's Export to PDF tool is disappointing. Although it usually produces an acceptable PDF under Linux--it is more problematic under Windows--it sometimes chokes on documents with elaborately formatted tables or spontaneously changes fonts. Moreover, even when it works, it cannot generate bookmarks or live links. These features are said to be coming in version 2.0. Meanwhile, Martin Brown's ExtendedPDF not only provides the missing functionality, but handles files that defeat the Export to PDF tool."

Comments (2 posted)

Open Source Content Management with Plone (O'ReillyNet)

O'ReillyNet looks at Plone. "This article gives a high-level overview of what Plone is capable of, with pointers to resources to help you get started on the path to building your own Plone site. Future articles will pick up where this one leaves off, exploring topics such as defining workflows, skinning a site, and creating new content types quickly."

Comments (none posted)

UT 2004 Linux Demo Released (Games Domain)

Yahoo's Games Domain notes the release of a Linux demo for Unreal Tournament 2004. "Epic Games continues to shower the gaming community with gifts as the new Linux demo for Unreal Tournament 2004 is made available. The new demo contains all of the features that were implemented with the Windows version."

Comments (4 posted)

Miscellaneous

Africans get tools to cross the digital divide (Globe & Mail)

The Globe & Mail looks at the efforts of Translate.org.za. "Last week, Mr. Bailey's group, Translate.org.za, launched versions of the software Open Office (a free program that operates much like Microsoft Office) in Zulu, Afrikaans and Northern Sotho, the predominant languages in the three main language groups in South Africa -- the first software to exist in any of those languages." (Thanks to Philip Webb)

Comments (2 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

JBoss, Inc. Becomes a Member of the Eclipse Foundation

The Eclipse Foundation has announced its latest member, JBoss, Inc. "JBoss provides the industry's most widely used open source J2EE application server and a range of related open source middleware technologies and products. Additionally, it offers the JBoss-IDE, an open source integrated development environment that is used with Eclipse."

Comments (none posted)

Jive Software to Open Source Its XMPP-based IM Server, Jive Messenger

Jive Software has announced that it will license its Jive Messenger application under the GPL. Jive Messenger, based on the open IETF standard XMPP protocol, is a Java-based server for comprehensive group chat and instant messaging (IM).

Comments (none posted)

Commercial announcements

Catapult Announces New Telecom Test Systems

Catapult Communications Corporation has announced five new telecom test systems, all of them Linux-based devices.

Comments (none posted)

Agricultural Bank Of China goes for Linux desktops

Devon IT has announced that the Agricultural Bank of China is deploying some 2500 of Devon's "NTA Virtual Office" Linux-based thin clients on desktops throughout the institution. "The NTAVO thin-client provides ABC with freedom from Windows' security concerns and an adherence to open standards, which gives their IT managers more flexibility in what they choose to deploy across back-end systems."

Comments (none posted)

Mandrakesoft Wins One Million Euros Contract

Mandrakesoft has won a new contract with the French Ministry of Defense. "Mandrakesoft has won a 1 million euros three-year contract to help create a highly secure Linux based solution for the French Ministry of Defense. Part of a five member consortium, the project will take a Linux based solution to CC-EAL5 (Common Criteria Evaluation Assurance Level 5)."

Full Story (comments: 1)

Red Hat, Inc. Announces Analyst Day in New York

Red Hat, Inc. has announced that it will be holding an Analyst Day on September 30, 2004. It will be possible to tune into the event on a live audio webcast.

Comments (none posted)

SourceLabs Founded to Realize Vision of Dependable Open Source Systems

SourceLabs, Inc. has announced that it has secured a $3.5 million investment from Ignition Partners and Index Ventures, with the goal of creating Dependable Open Source Systems.

Comments (none posted)

VA Software Adds Andrew Anker to Board of Directors

VA Software has announced the appointment of Andrew Anker to its Board of Directors. "Anker brings more than 17 years of experience in the areas of Internet media, advertising, technology and financial analysis."

Comments (none posted)

Xandros Desktop OS PowerTerm Edition Delivers Mainframe Access to Linux Users

Xandros has announced the PowerTerm Edition of its Xandros Desktop Operating System. "By bundling Ericom’s PowerTerm® InterConnect for Linux with the Xandros Desktop OS Business Edition, Linux desktop users can now connect to a wide range of applications running on IBM Mainframe, IBM AS/400, OpenVMS, Unix, Linux, Tandem, Data General, HP-3000, and other enterprise platforms."

Full Story (comments: none)

New Books

Linux Cookbook 2nd Edition

No Starch Press has published the second edition of The Linux Cookbook by Michael Stutz.

Comments (none posted)

"PayPal Hacks" Released by O'Reilly

O'Reilly has published the book PayPal Hacks by Shannon Sofield, Dave Nielsen, and Dave Burchell.

Full Story (comments: none)

Resources

Network World "Buzz Issue"

Network World has published its annual Buzz Issue providing a look at some of the most talked-about technologies and trends. "Desktop Linux, now a focus of companies such as Sun Microsystems and Novell is explored in this Buzz Issue, which also takes a look at available Linux applications and what it will take to break the reliance on traditional Microsoft Windows desktops."

Comments (none posted)

Contests and Awards

The Open Group announces a Poster Competition

The Open Group will be holding a competition for the design of a new UNIX poster. "The design should capture the magic of the UNIX system, featuring images based on UNIX system interfaces, utilities, languages, and/or organizations. The winning design will be produced and distributed at future events such as LinuxWorld Expo 2005. The designer will be acknowledged on The Open Group's UNIX System web page and receive a Linspire Mobile PC, a number of copies of the poster, a collection of UNIX system memorabilia and a copy of the Single UNIX specification on CD ROM. The first twenty entrants whose work is accepted for display, will also receive UNIX license plates". Submissions are due by October 31.

Full Story (comments: none)

Upcoming Events

KDE at Linux World in London (KDE.News)

KDE.News has a preview of things to come at the London Linux World Expo. "Next week sees the Linux World Expo (renamed from Linux Expo UK) in London's Olympia where KDE are teaming up with Gnome to run one of the biggest stands in the .org village."

Comments (none posted)

Events: September 30 - November 25, 2004

Date | Event | Location
September 30 - October 1, 2004 | OSCOM 4 (Swiss Federal Institute of Technology) | Zurich, Switzerland
September 30 - October 1, 2004 | 4th International SANE Conference (SANE) (Amsterdam RAI Centre) | Amsterdam, The Netherlands
September 30, 2004 | HPC Is Changing - Seminar (National Space Centre) | Leicester, UK
September 30, 2004 | Independent High Performance Computing Seminar (National Space Centre) | Leicester, UK
October 2, 2004 | Ohio LinuxFest | Columbus, Ohio
October 6 - 7, 2004 | LinuxWorld Conference and Expo (Olympia Exhibition Centre) | London, England, UK
October 8 - 10, 2004 | Linucon (Red Lion Hotel) | Austin, TX
October 9, 2004 | Italian Code Jam (University of Ferrara) | Ferrara, Italy
October 10 - 17, 2004 | MySQL Swell | Across the Mediterranean
October 11 - 15, 2004 | 11th Annual Tcl/Tk Conference (Bourbon Orleans Hotel) | New Orleans, LA
October 21 - 22, 2004 | Web.It 2004 | Bari, Italy
October 21 - 22, 2004 | 5. Encuentro Linux | Valparaiso, Chile
October 26 - 28, 2004 | LinuxWorld Conference and Expo | Frankfurt, Germany
October 27 - 29, 2004 | Sixth International Conference on Information and Communications Security (ICICS'04) | Malaga, Spain
November 1 - 6, 2004 | International Computer Music Conference (ICMC) | Miami, FL
November 4 - 5, 2004 | HiverCon 2004 (The Davenport Hotel) | Dublin, Ireland
November 6 - 12, 2004 | High Performance Computing, Networking, and Storage Conf (SCnn) | Pittsburgh, PA
November 7 - 10, 2004 | International PHP Conference 2004 | Frankfurt, Germany
November 8 - 10, 2004 | MySQL ComCon Europe (NH Hotel Frankfurt-Mörfelden) | Frankfurt, Germany
November 14 - 18, 2004 | COMDEX Conference and Exposition (Las Vegas Convention Center) | Las Vegas, Nevada
November 14 - 17, 2004 | ApacheCon 2004 US (Alexis Park Resort) | Las Vegas, NV
November 14 - 19, 2004 | Large Installation System Administration Conference (LISA '04) (Atlanta Marriott Marquis) | Atlanta, GA
November 25 - 26, 2004 | Le forum PHP 2004 (FIAP Jean Monnet) | Paris, France

Comments (none posted)

Web sites

KDE.org.uk Launched (KDE.News)

KDE.News mentions the launching of the new KDE.org.uk web site. "KDE.org.uk promotes the K Desktop Environment and showcases activities of KDE developers and contributors around the United Kingdom."

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Presentation programs may find IndeView useful. :-)

From:  Karl-Heinz Zimmer <khz-AT-indeview.org>
To:  lwn-AT-lwn.net
Subject:  Presentation programs may find IndeView useful. :-)
Date:  Mon, 27 Sep 2004 15:35:50 +0200


Hello,

just read your very interesting text on presentation programs
http://lwn.net/Articles/101846/
and I wonder if you might want to add a few words on IndeView?

:-)

Since you spoke about OpenOffice and about KOffice, it might be
interesting for readers, to learn that IndeView was made to convert
Impress and/or KPresenter presentations into a platform-independent
format that can be pressed onto a CD together with the small viewer
application.

So the user can send this CD to her customers/friends/whomever and let
them watch the presentation slides on their Linux, Mac OS/X or Windows
boxes: without the need of installing anything on their local hard disk.

Have a look: http://www.indeview.org

Note: IndeView is still in early development stage.
      It _is_ used in practice by many people already but it
      is limited since the current version can only show static
      images: no slide transition effects, no moving nor interactive
      parts inside a slide, no sound.

Still we like it - and work on making it better!  :-)

Cheers
Karl-Heinz
-- 
Karl-Heinz         <mailto:khz@indeview.org>        <mailto:khz@kde.org>
  Zimmer                I n d e V i e w                    K D E
  Föhren       Presentations Beyond Limitations     Conquer your Desktop
www.fiehr.de            www.indeview.org                www.kde.org

Comments (none posted)

Free subscription offer

From:  Joe Klemmer <klemmerj-AT-webtrek.com>
To:  letters-AT-lwn.net
Subject:  Free subscription offer
Date:  Sun, 26 Sep 2004 12:49:44 -0400

	I have made this offer in the past and I would like to do it again.

	Anyone who would like a subscription for one year of LWN who cannot
afford it or is not able to use a credit card (specifically those not in
the US) I am offering to pay for it.  I can't pay for a large number of
subscriptions* but I will try to do as many as possible for those in
need.  This isn't a joke or a hoax or anything.  It's a real offer from
a real person.

	No one took me up on this offer last year.  I hope someone does this
time.

Joe


* To be honest I can barely afford my own subscription but I do this
anyway to help support LWN and any Linux users who would find it
beneficial.

-- 
Joe Klemmer <klemmerj@webtrek.com>
Unix System/Network Administrator & Ad Hoc Programmer

Comments (6 posted)

Government: openness in data rather than software

From:  Alex Stark <outgoing-mail-x-AT-mdag.org>
To:  lwn-AT-lwn.net
Subject:  Government: openness in data rather than software
Date:  Mon, 20 Sep 2004 22:20:45 -0400

Just an idea.  We see a lot about government selecting FOSS, etc, rather than
closed software.

There is a whole other side that has the potential, not only for promoting open
software directly, but also aiding the development of open software:

What about more emphasis on the potential for governments insisting that their
tax-funded work result in data that is stored in interchangeable formats?

Most organizations distribute and store documents as Word files.  If I were
starting a company today I would insist on documents with an openly published
specification so that there is a good chance of accessing them later.  It is
horrifying to think of the quantity of data generated by governments that will
be irretrievable in just a few years time.

To put it another way, I would not be so bothered to see files coming out of
closed-source software if I knew that they were not adding to the difficulty of
objective selection of software in the future.

Alex.

--
Alex Stark

Outgoing address is temporary to avoid abuse: please use reply-to

Comments (1 posted)

MARID to close

From:  David Woodhouse <dwmw2-AT-infradead.org>
To:  editor-AT-lwn.net
Subject:  [Fwd: MARID to close]
Date:  Thu, 23 Sep 2004 12:09:10 +0100

I don't think I've seen you comment on this. The MARID working group
which was looking at the possibility of standardising something based on
Microsoft's SenderID or the equally fundamentally flawed SPF has
terminated.

Strike one for sanity :)

The problem with SPF and SenderID was that they made flawed assumptions
about how the world works -- in particular with respect to forwarding.
They each put forward a plan to make their assumptions come true, but
they required that _everyone_ out there should upgrade to make it all
viable.

Even if that were a realistic plan, their 'fix' was to make all mail
servers rewrite the 'responsible' address when forwarding mail, to take
responsibility for it themselves. When all mailservers are doing
something like that, it becomes _only_ a way of checking how much you
trust the individual mail server which is sending you the mail.

For example, my server could send a mail claiming to be from
	SRS0+xx+yy+lwn.net+editor@srs.infradead.org
... which _looks_ like it was from editor@lwn.net, but via one of my
servers. You have no idea; you only know how much you trust _me_.

And it _is_ all about trust. With spammers publishing SPF records to get
themselves a 'pass' you had to look up the domain in a
blacklist/whitelist -- some kind of trust database.

But given that SPF/SenderID could only really manage to work out a trust
level for _one_ hop -- the mail server which was actually sending you
the mail -- there was no point in what they were doing, and no point in
all the breakage with forwarding. You might as well have done it based
on the HELO instead, without breaking the whole world while you're at
it.

So let's let SPF and SenderID rest in peace.

Now it's time we got together and fixed up a real end-to-end solution
for verifying mail ownership, like DomainKeys or IIM.

In the interim, if you want to be able to stop receiving bounces to mail
you didn't actually send, try BATV. It's fairly trivial to implement and
it's unilateral -- you can just _do_ it and nobody else needs to know or
care.

http://archives.listbox.com/spf-discuss@v2.listbox.com/20...
http://brandenburg.com/CSV/draft-levine-mass-batv-00.html

-- 
dwmw2


Comments (6 posted)
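The BATV approach the letter recommends, as an added example that is not from the letter, the draft, or any project: a minimal PRVS-style tagging of the envelope sender, so that a bounce addressed to an untagged, expired or mis-signed sender can be refused. The tag layout, the HMAC inputs and the seven-day lifetime are assumptions made for this illustration.

```python
import hmac
import hashlib

# Added example of BATV-style envelope-sender tagging (assumed layout):
# outgoing MAIL FROM user@domain becomes
#   prvs=KDDDSSSSSS=user@domain
# where K is a key number, DDD the expiry day (days since epoch mod 1000)
# and SSSSSS the first six hex digits of an HMAC over "KDDD" + user.
# A bounce (empty MAIL FROM) whose RCPT TO carries no valid tag is
# backscatter for mail this site never sent and can be rejected.

TAG_LIFETIME_DAYS = 7  # assumed validity window for a tag

def _sig(key: bytes, prefix: str, local_part: str) -> str:
    mac = hmac.new(key, (prefix + local_part).encode(), hashlib.sha1)
    return mac.hexdigest()[:6]

def batv_sign(local_part: str, domain: str, key: bytes, key_num: int, today: int) -> str:
    """Tag an outgoing envelope sender; 'today' is a day number (days since epoch)."""
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    prefix = f"{key_num % 10}{expiry:03d}"
    return f"prvs={prefix}{_sig(key, prefix, local_part)}={local_part}@{domain}"

def batv_verify(address: str, keys: dict, today: int):
    """Return the untagged address if the tag is valid and unexpired, else None."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local.startswith("prvs="):
        return None  # untagged: we never issued this sender address
    parts = local.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return None  # malformed tag
    tag, orig_local = parts[1], parts[2]
    key = keys.get(int(tag[0]))
    if key is None:
        return None  # unknown key number
    if not hmac.compare_digest(_sig(key, tag[:4], orig_local), tag[4:]):
        return None  # signature does not match
    # expiry day is stored mod 1000; remaining days must fit in the window
    if (int(tag[1:4]) - today) % 1000 > TAG_LIFETIME_DAYS:
        return None  # expired (or from a future clock)
    return f"{orig_local}@{domain}"

def accept_bounce(rcpt: str, keys: dict, today: int) -> bool:
    """Policy for a delivery with an empty MAIL FROM: accept the bounce only
    if RCPT TO carries a tag this site issued and that is still valid."""
    return batv_verify(rcpt, keys, today) is not None
```

Legitimate mail is delivered with the tagged sender, so a real bounce comes back to the tagged address and verifies; forged mail that merely borrows the plain user@domain produces bounces that the policy declines.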

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds