Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for October 21, 2004Ubuntu Linux and the future of Debian The much-anticipated Ubuntu 4.10 release happened on October 20. There are a number of interesting things about Ubuntu, including its commercial backing, use of "4.10" as its initial release number, and its desire to change the world through provocative artwork. But the most interesting thing, perhaps, is the amount of attention that Ubuntu has received. New distributions are not exactly an unusual thing; why all the excitement about Ubuntu?The money behind Ubuntu is certainly one reason; new distributions may pop up every week, but few of them have a reported 40 paid developers behind them. When a new distribution has that sort of backing, people have a reason to assume that there is something interesting going on, and that it may stay around for a while. The quality of the hackers that Ubuntu was able to attract is also clearly a factor. Ubuntu employs a number of well-known developers from the GNOME, FreeDesktop.org, and Debian communities, among others. When top-quality developers get together behind a new project, interesting things tend to happen. Ubuntu also makes promises which resonate with a great many users. A quick, single-CD installation process backed up by a huge network-based package repository. A strong emphasis on the best desktop experience that Linux can offer. Bleeding-edge packages combined with a promise of free support for 18 months. A promise of a six-month release cycle backed up by some of the developers who lived up to that promise with the GNOME project. A general sort of cool buzz. Those are all good reasons for Ubuntu to succeed, but there may be something else going on here. Ubuntu may have found a way to become the preferred interface between users and the Debian project. Debian has a lot of appeal. It is an excruciatingly free distribution characterized by a widely recognized technical excellence. It offers a variety of packages which is second to none and a package management system which is unequaled elsewhere. But Debian scares away a number of potential users. Its "stable" release is painfully out of date most of the time, the "unstable" release is rather too bleeding-edge for many users (while still being slow to pick up new releases at times), and the middle-of-the-road "testing" release seems to offer the worst of both "stable" and "unstable." The process of creating a new stable release looks chaotic, with no timeline for an actual release in sight. The community seems to spend rather too much time arguing about the free status of firmware and documentation and packaging up obscure tools and too little time simply creating a current distribution with a broader appeal. Debian is a great institution, but it worries a number of people. Ubuntu is the promise of all the good things about Debian without many of the problems. As a stabilized version of Debian sid, it has a remarkably current set of packages. For some software (e.g. GNOME 2.8) Ubuntu was, by design, ahead of everybody else. The release cycle is well defined, and the support period has been made clear from the beginning. There is the obligatory friendly installer as well. Ubuntu looks like a Debian which stays current, and which is safe for ordinary people to use. Ubuntu is certainly not the first company which has made a go at being a more civilized Debian distribution; others include Progeny, Linspire, Lycoris, UserLinux, and even Corel's old offering. Ubuntu looks rather more community-oriented than many of the other commercial, Debian-based distributions, however; Linspire may be good at attracting attention and lawsuits, but few people would consider it to be truly open or part of the community. Appearances matter, and Ubuntu appears to have the right people and attitude. Interestingly, Ubuntu appears to have made a bigger splash than even UserLinux, which is arguably a more community-oriented, Debian-based distribution. The UserLinux project is clearly well aware of Ubuntu, to the point of adding an entry to the UserLinux FAQ on the differences between the two distributions:
A key difference is UbuntuLinux is a (free) product offering from a single
commercial entity (Canonical Ltd.) whereas UserLinux is created through a
community development model.
UserLinux aims to create a standard core for ISV's/whomever to support. This includes very little real packaging of custom software beyond pieces to 'brand' the system. Most of the system is packaged upstream and maintained upstream. Ubuntu aims to create a Debian based desktop distribution and contains a very large number of custom packages. For example, Debian Sarge ships with GNOME 2.6 while Ubuntu is forked off of Unstable around the same time that Sarge did, but ships GNOME 2.8 with significant modifications. For the purposes of public image in mid-October, 2004, one might state the Ubuntu has added a significant amount of value (or at least changes) to Debian, and has a stable release out now. UserLinux looks to be mostly a rebranding effort with no releases available yet. From that viewpoint, it's not surprising that Ubuntu is currently hogging the spotlight. That situation could change as UserLinux pulls its first release together and gets its distributed support network going. UserLinux would be well advised to do these things soon. There is clearly a market for distributors who impose some order upon the Debian development process. With these distributors in place, the undisciplined nature of the Debian release process does not matter anywhere near as much. The emergence of successful, value-added, Debian-based distributions may be one of the best things to happen to Debian in some time.
A look at LionShare Peer-to-peer (P2P) technologies have been continually vilified, not to mention legally challenged, by the entertainment industry and other groups as a haven for anonymously sharing digital content illegally. The LionShare project seeks to legitimize P2P as an academic resource by doing away with anonymous file-sharing and adding features appropriate to an educational environment. LionShare is in development at Penn State University thanks to a grant from the Andrew W. Mellon Foundation. To get up to speed on LionShare, we talked with four members of the LionShare team, project leader Mike Halm and LionShare developers Alex Valentine, Lorin Metzger and Derek Morr.The major influence for the LionShare project was the Visual Image User Study (VIUS) that was completed last September. LionShare came from a proof-of-concept prototype developed during work on VIUS. The project now has a $1.1 million grant from the Andrew W. Mellon Foundation to develop LionShare 1.0. The grant started last year on October 1, and the team plans to have the 1.0 release ready by September 30, 2005. The first public release alpha went live at the end of September. LionShare differs from traditional P2P networks in a number of ways. First and foremost, LionShare is designed to be a private, secure network. LionShare users will communicate with "PeerServers" to provide file sharing even when users are not online and for centralized management. The PeerServers will allow users to make files available to others authorized to retrieve the files, or even just as a backup of local files they wish to have available from multiple locations. Morr did note that the software will feature user quotas, to ensure that users do not abuse the backup features. The software will also feature collaboration tools, such as P2P chat, not present in some file sharing utilities. Authentication will not be required for a user to search the network, but authentication will be necessary to actually retrieve or share files. The LionShare white paper also calls for the LionShare client to provide organizational features as well as search and retrieval capability already present in clients like LimeWire. The LionShare will allow users to search their own filesystems, though Morr pointed out that LionShare's organizational features are not as comprehensive as tools like Beagle or Apple's SpotLight. At this point, however, LionShare's codebase is still in an alpha state. Morr said that the current alpha that's available on the website is missing the security components that will set LionShare apart from other P2P networks. Metzger noted that the next release should have the security integration, though the release will still be an alpha release. LionShare is based on the LimeWire 4.0 codebase using a modified Gnutella protocol, and is entirely written in Java. The client and server software are available under the GNU General Public License, while the SASL-CA software is under a BSD-type license. At this point, the LionShare team said that there are "some discussions here and there" between the LionShare developers and the LimeWire developers, but not a "concrete, everyday partnership," but that the LimeWire developers are pleased to see their codebase being used in other projects. Since the LionShare source code is available, how will the developers ensure that others aren't able to utilize the source to build anonymous LionShare client software? According to Morr, it wouldn't matter if someone were to tamper with the client software. "In order to get any kind of public file, you have to certify or authenticate...the other end wouldn't authorize you to access the file." In addition to requiring authentication, LionShare is designed to allow file restriction based on identity or user roles. Users will be able to set Access Control Lists (ACLs) to restrict sharing of a file to individual users, groups or to all authenticated members. Morr said that the attributes will come from the authentication servers, so that the institutions running LionShare servers will be able to fine-tune the criteria for file sharing. One potential hurdle for educational institutions looking to join a LionShare network is the lack of a standardized schema for ACLs. Morr acknowledged that each institution was likely to have its own schema at the moment, that wouldn't be compatible with other institutions. However, a standardized LDAP schema for higher education called eduPerson is being developed by Internet2, a partner organization for LionShare. Morr also pointed out that LionShare was designed to allow users to authenticate against a number of different sources. He said that the project was doing a lot of work to make LionShare work with "whatever authentication you have," including LDAP directories and Kerberos sources. Morr said that LionShare should be compatible with Microsoft's Active Directory as well, though they haven't tested that as of yet. We also asked whether LionShare would protect authorized users from accidentally sharing sensitive or personal files with the wrong set of users. For example, could LionShare prevent a user from accidentally sharing all of their files with all authenticated LionShare users? The LionShare developers said that they had thought about this, and would try to solve the problem with by having "a good UI" that would let users know that they were sharing files. Whether LionShare will catch on beyond the academic setting is anyone's guess. There are valid reasons for integrating authentication into P2P for academic or business uses, but that approach will become unwieldy for larger P2P uses such as downloading Linux ISOs. We'll be watching the development of LionShare with interest, and are looking forward to further releases to evaluate how useful the project will be in the long run.
A couple of applications from your future desktop By many (but not all) accounts, the Linux desktop has achieved something close to parity with some of the proprietary alternatives, in terms of both capability and usability. The desktop developers are certainly not ready to declare victory and sit back, however; the pace of development is, if anything, still increasing. As an example of where things are going, we decided to take a quick look at a couple of bleeding-edge applications which have been attracting attention recently.The first of these is tomboy, a simple desktop note-taking tool. Tomboy implements a set of note cards, each of which contains text and links to other cards. The idea is not particularly new, but the implementation has been thought out well. Some of the best ideas from Wiki-style web sites have been absorbed - typing a WikiWord into a note creates and links to a new note using that word as its title. Links can also be created through a "link" button or by dragging and dropping. A simple search capability can quickly find notes containing a given string. Nat Friedman was impressed by this application:
Note taking is something I do all the time, and which previously
was the realm of "emacs ~/randomname.txt" for me.... We all had
our horrible little solutions to this problem, and Tomboy has
stepped in to fill the gap in a big way.
I'm not sure it's clear to everyone just how big a space Tomboy has carved out. If Tomboy can own note taking for me, that's one of the main purposes of my computer. ![[Tomboy screenshot]](/images/ns/tomboy-sm.png)
Your editor was, with some effort, able to get tomboy running on a Debian unstable system; this application requires a number of highly-current Mono and GTK libraries. There are some rough edges and missing capabilities, which should come as little surprise for an application this new. Even so, tomboy makes note taking and organization into a quick and easy task; it is good at staying out of the way. If the current trend continues, tomboy should quickly reach a level of functionality and stability that will earn it a place on most distribution disks. Meanwhile, quite a bit of attention has recently been focused on beagle, which is currently at a lofty 0.0.2 release. Beagle appears to be the GNOME project's answer to Microsoft's search plans and Google's (Windows) offering; it provides a quick way to find things on the desktop. Think of it as a modern version of locate, but with a few enhancements. One core beagle feature is its collection of "filters," which enable searches of a wide variety of files typically found on a Linux desktop system - and some that aren't. Supported file types include Microsoft Office, OpenOffice.org, PDF, source code in a number of programming languages, and a number of image and audio file formats (only metadata is indexed). Beagle can also search email (mostly limited to evolution users for now), tomboy notes, weblog entries in the "Blam!" format, application launchers, and more. Underneath it all, beagle uses the (still unmerged) inotify mechanism to learn about changes to the filesystem. New or modified files can be indexed immediately; there should be no need for a massive "thrash the disk" job running in the middle of the night. As an added touch, search results which are currently displayed for the user are updated to reflect the latest filesystem changes. There is a command-line search tool which may be used to search beagle, but the primary interface to the system is best ("bleeding-edge search tool"). The project has put together a collection of best screenshots which gives a good idea of what beagle can currently do. While tomboy is primarily the work of one developer (Alex Graveley), beagle is a rather larger affair. The beagle roadmap posted on October 4 shows that quite a few Novell hackers have been set to work on beagle. At the top of their list is basic usability work, things like "Not crashing or failing, most of the time." Among other things, it seems there are memory leak problems in Mono which have to be worked around. Email integration remains on the list ("The primary goal will be Evolution mail integration; patches for other mail clients will, of course, be accepted."). Work continues on the search interface; among other things, search will be integrated into the GNOME file selection dialog. Longer-term goals include reworking dashboard to sit on top of beagle, adding beagle searches to nautilus, and, somehow, better encapsulating the relationships between desktop objects. Beagle is very much an early-stage project; it can be difficult to install, and it is not available in packaged form for most distributions. There is also that "not crashing for failing" issue. But it has reached a point where the suicidally early adopters are finding it useful, and progress is happening quickly. Linux, it seems, will not be left behind when it comes to desktop search capabilities.
Page editor: Jonathan Corbet Security How to kill a web browser Michal Zalewski recently decided to look for exploitable vulnerabilities in web browsers. So he write a little CGI script which generates random HTML and feeds it to the browser; a refresh tag is used so that the browser will repeatedly request new pages - until things come to a crashing halt. Mr. Zalewski reported his results on Bugtraq as "a mini-farce." It seems that most of the browsers he tested fared rather poorly.The key word here is "most." One browser was able to absorb noisy input indefinitely without crashing; that browser was Internet Explorer. There has been quite a bit of talk recently about Internet Explorer's security problems, and how the alternatives - both free and proprietary - are more secure. So this kind of result is somewhat embarrassing. As Mr. Zalewski put it:
It appears that the overall quality of code, and more importantly,
the amount of QA, on various browsers touted as "secure", is not up
to par with MSIE; the type of a test I performed requires no human
interaction and involves nearly no effort. Only MSIE appears to be
able to consistently handle malformed input well, suggesting
this is the only program that underwent rudimentary security QA
testing with a similar fuzz utility.
So what sort of HTML turned out to be problematic? A few examples have been posted - but all you smug, free-software-using folks might want to think twice before clicking on them. Use of a tool like wget is probably more appropriate. One of the examples, which, as your smug, free-software-using editor can attest, kills Firefox is, in its entirety:
<HTML><INPUT
The post notes that this bug is probably exploitable, and that many others certainly exist. The tester also does nothing involving either cascading style sheets or JavaScript - one suspect that those areas might, just maybe, be the source of a bug or two themselves. The Mozilla project has been quick to capitalize on the recent bout of Internet Explorer security problems. This incident demonstrates, however, that the free software community can, at times, be a little too quick to claim better security. Testing against malformed input has been a standard quality assurance technique for decades; the fact that Mozilla, seemingly, has not done this testing is a little discouraging. Security can be a winning point for free software, but it doesn't happen automatically. If we're going to claim to have a more secure product, we should be sure we've done the homework first. Meanwhile, expect a new set of Mozilla patches sometime soon.
Security news Security fixes in 2.6.9 Alan Cox has sent out an announcement regarding a couple of tty-related security fixes which were included in the 2.6.9 kernel release. One of them is, conceivably, remotely exploitable, though it appears to be impossible to exploit in most cases. 2.4 and 2.2 kernels are also vulnerable; expect distributor updates shortly. Click below for the details.
New vulnerabilities apache: mod_ssl cipher negotiation problem
BNC: input validation flaw
cvs: information disclosure
ghostscript: symlink vulnerabilities
libpng: integer overflows
phpMyAdmin: Vulnerability in MIME-based transformation
PostgreSQL: Insecure temporary file use in make_oidjoins_check
WordPress: HTTP response splitting and XSS vulnerabilities
Updated vulnerabilities Apache mod_proxy: denial of service
apache2: stack-based buffer overflow in ssl_util.c
aspell: bounds checking problem
cdrecord: failure to drop privilege
ncompress: Buffer overflow
cups: information leak
cups: denial of service
cyrus-sasl: remote buffer overflow
ed: Insecure temporary file handling
Filename disclosure vulnerability in fam
flim: insecure file creation
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: denial of service
Gaim: remote code execution vulnerability
gtk2, gdk-pixbuf: buffer overflows
gettext: Insecure temporary file handling
glibc: Information leak with LD_DEBUG
gnome-vfs: backend script vulnerabilities
gtkhtml: malformed messages cause crash
imagemagick: buffer overflow vulnerability
imlib2: buffer overflows
iproute: local denial of service
kernel information leak
kernel-utils: setuid vulnerability
lha: stack-based buffer overflow
libpng: multiple vulnerabilities
libxpm4: stack and integer overflows
logcheck: symlink vulnerability
Midnight Commander: extfs vfs vulnerability
mikmod: buffer overflow
mozilla products: arbitrary code execution and other vulnerabilities
mpg123: buffer overflow bug
mpg321: format string vulnerability
mysql: several vulnerabilities
netkit-telnet: invalid free pointer
netpbm: insecure temporary files
OpenOffice: information disclosure
openssh: timing attack leads to information disclosure
OpenSSL: denial of service vulnerabilities
pavuk: buffer overflow
php: remotely exploitable memory errors
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||