Certain subjects return to these pages over and over again; one of those,
certainly, is the
BitKeeper source
management system. Despite concerns about its proprietary nature,
BitKeeper has become the tool of choice for many Linux kernel developers.
Those who are concerned about BitKeeper use for kernel development found
new flame fuel in a previously unnoticed clause in
the BitKeeper license, version 1.38, which
reads:
Notwithstanding any other terms in this License, this License is
not available to You if You and/or your employer develop, produce,
sell, and/or resell a product which contains substantially similar
capabilities of the BitKeeper Software, or, in the reasonable
opinion of BitMover, competes with the BitKeeper Software.
The purpose of this clause is to say "you can use BitKeeper free of charge,
but only if you are not using it to develop a competitor to BitKeeper." It
is arguably a reasonable licensing clause; regardless of what one thinks of
BitKeeper or proprietary software in general, BitMover can not be expected
to willingly provide its tools for the purpose of creating new
competition.
And BitMover does fear this competition. Many years of effort went into
the development of BitKeeper and the associated business; the creation of a
suitably capable free replacement could wipe out that investment in a short
time. BitMover founder Larry McVoy believes that the free software
community is not capable of creating from scratch a source management
system of BitKeeper's quality and with BitKeeper's innovations. He does,
however, think it could produce a clone that, while inferior, is good
enough to cost BitMover a lot of business. Coming up with ideas in the
first place is expensive; copying them is far easier. BitMover wants the
space to earn something from its (expensive) efforts to create BitKeeper;
it also wants to be able to develop the product into a far more capable
tool, a task requiring, they think, about four years. They have stated
their intention to fight back with every weapon at their disposal -
including copyright and patents - against anybody who threatens their
ability to carry out that plan.
Is all this a problem for free software and the Linux kernel? It could be,
but probably not on the scale that some people fear. The immediate concern
with the clause quoted above is that a number of free software developers
and companies do deal with other source management systems. In the case of
developers, the situation is fairly clear: if you work on a free source
management system, BitKeeper is not available to you. To emphasize the
point, Larry McVoy publicly told Ben
Collins, a kernel FireWire driver developer (and Subversion hacker) that he could
not use BitKeeper:
And you made it clear that you'd be delighted if Subversion was
made good enough to replace BK and you were working towards that
goal. I can't imagine a better example of someone who we
absolutely do not want to support and do not want using BK. I am
explicitly stating that it is our view that your use of BK is
violation of our license.
Ben's kernel work will not be affected, since he was not using BitKeeper
for that project. Other kernel developers could eventually run afoul of
this rule as well, however. For example, the ReiserFS team has no end of
ambitious plans for its filesystem; some of them, such as version
management, begin to push into BitKeeper's turf. Larry told us that, in
his opinion, it was "very likely" that ReiserFS would eventually cross the
line and become a BitKeeper competitor; at that point its developers would
be unable to use BitKeeper.
That is about as far as it goes, however. The license, says Larry, went
too far by excluding anybody whose employer works on source management
systems. The next "debugging" release of the license will tighten that
term so that it only affects developers working directly on source
management, and, perhaps, those very close to them. Thus, for example, Red
Hat developers will not lose their access to BitKeeper just because Red Hat
puts some patches into CVS. It is also BitMover's position that the Linux
kernel developers as a whole will not lose their BitKeeper access even if
Linus merges a version of ReiserFS which costs the ReiserFS team its access.
In evaluating the whole BitKeeper controversy, it is worth remembering a
few things. One is that BitMover could have avoided all this pain simply
by never giving gratis access to its product. Other vendors of commercial
source management systems do not make their products available for
free-of-charge use, and they are not routinely flamed the way BitMover is.
BitMover, instead, has chosen to make its product freely available to
groups developing free software. Kernel development has benefitted from
this gift in a number of ways:
- The capabilities of BitKeeper are much appreciated by developers who
choose to use it. BitKeeper really does make a lot of things easier,
especially in a distributed, multi-developer environment.
- Linus is merging patches at a tremendous rate, and appears to be far
less stressed than before. Patches still get dropped, but on a much
smaller scale. The process, by all appearances, is working more
smoothly than it has in a long time.
- Anybody who is interested can see the state of Linus's development
tree in near real time. There is no longer any need to wait for
prepatches or full releases. Thanks to BitKeeper, a new development
kernel is released many times a day. As an added bonus, Linus is now
able to post automatic changelogs as well, eliminating the need to
read through each release to see what patches were included.
It is also worth pointing out that nobody has been forced to use
BitKeeper. Many top-tier kernel developers have chosen not to use it, and
they have not had to change their ways of working. Getting repositories
and patches into and out of BitKeeper is easy by design; BitKeeper has a
stated "no lockin" policy. It is not even
necessary to use BitKeeper to keep track of Linus; several sites (like this
one) provide frequent access to the updates in his tree.
In other words, the adoption of BitKeeper has brought good things to
anybody who uses the Linux kernel. This has happened free of charge, with
no visible costs of any significance. Except, perhaps, for the time lost
in flame wars. Access to BitKeeper is a gift that its creator was under no
obligation to make. It is unfortunate that some members of the community
expend so much effort criticising those who have made that gift. It is
hard to see how the free software community would be better off if
BitKeeper were withdrawn.
All this is not to say that there is no reason for vigilance and concern.
The denial of access to some developers is a discriminatory action, to say
the least. If Larry McVoy (or his board of directors) wakes up hung over
one morning and decides to
end free access to BitKeeper, the show is over. Larry is uninclined to do
that - he has maintained free access despite the constant flames because he
wants to support the kernel project. But Larry could have an unfortunate
encounter with a bus (though, as Linus has pointed out, buses are rare in
California), or BitMover could be acquired by another company; in either
case, the new management could make changes to the license. The BitKeeper
binary does not come with source; it could be doing no end of evil things
and it would be difficult for people to know. Currently, BitKeeper makes
it easy to extract all data and metadata from a repository; moving an
entire repository into a different
source management system is an easy task. Linus also uses the BitKeeper
interfaces to export patches and tarballs in the same way he always has.
Future versions of BitKeeper, however,
could quietly shift over to a closed format that is harder to escape
from.
And so on. These are issues that come up with any proprietary package, and
they are certainly no worse than the issues raised by that other
proprietary source management platform which is even more heavily used in
the free software community: SourceForge. In the end, people who use
software should always look at the license, and not use a particular
package if the license is not to their taste. In the case of BitKeeper,
those who chose not to use it are no worse off than they were before, and
an easy path is open should a quick evacuation to another source management
system be required. BitKeeper is worth watching; one never knows where a
company might decide to go tomorrow. But the situation at the moment is
not that bad.
Comments (28 posted)
As of this writing, there are almost 1800 subscribers to LWN.net; we have
also sold a small number of (small) corporate subscriptions. This level of
support is almost sufficient for two full-time staff at minimal salaries - a
huge step in the right direction, but still not enough to keep LWN going in
its current form. While we hope and expect that the number of subscribers
will continue to grow, we will have to take steps to live within our
available means for the near future. It is fully our intent to deliver on
the full term of the one-year subscriptions that many of you have bought;
to do that we will have to be careful now.
So there will be some changes to LWN. We're working on the details now,
and will post another update soon. But it looks like LWN is
here to stay, and that is good news. Let it never be said that the free
software community is unwilling to support the services it finds valuable.
A few other notes:
- We have tracked down and solved the problem that was causing cookie
trouble with a number of browsers - especially Internet Explorer. If
you have experienced trouble in the past, please try again; things
should work better.
- There have been some complaints that our initial subscription screens
are not as informative as they could be. We'll be reworking the
subscription information soon to address those concerns. Various
other glitches in the subscription system (i.e. changing between
monthly and fixed-term subscriptions) will also be fixed soon.
- We have, finally, managed to extract the last of the donation money
(from last July!) from our previous credit card processor. Happily,
our new processor seems to be far more, um, together, and has not yet
given us any trouble.
- Occasionally somebody asks what happened to our old donation screen.
That screen has been taken down for a couple of reasons. One is to
keep our new credit card processor happy - donations seem to be a
hot-button issue for those people. The other is that we are trying to
transition into a real business, which offers direct value for the
money received. For people who would like to send more money our way,
we'll work out a new way to take it - no need to worry.
- For those of you who are unwilling or unable to buy a subscription,
we have set up a new mailing list that sends out a daily notification
whenever a subscription article becomes freely available. To receive
these notifications, you can sign up via the "My Account" screen for
your account.
- We're a little behind on some of our subscription-oriented mail. Once
the Weekly Edition is out, we hope to get caught up again.
As always, thank you all for supporting LWN.net.
Comments (13 posted)
Page editor: Jonathan Corbet
Security
Brief items
As detailed in
this CERT advisory, the
sendmail source distribution on ftp.sendmail.org was replaced by a version
containing a trojan horse. The modified code stayed on the server from
September 28 through October 6. The trojan was invoked during
the build process; it would fire off a process that would listen for
commands on port 6667. If you downloaded and installed sendmail during
that time period, you need to take a serious look at the integrity of your
systems.
Free software is supposed to be more secure because the source can be
examined for this sort of thing. Yet this particular bit of malware
managed to stay on a high-profile server for over a week. When you
consider that, for example, the Interbase back door went undiscovered for
over a year, one week does not seem all that bad. But one week is plenty
of time to compromise a great many systems.
What is truly surprising is that we have not seen more of this sort of
problem. Trojanized source distributions are scary; a compromised binary
package is truly terrifying. There will be more - and worse -
episodes of this nature in the future.
Of course, we have the tools to defend against most of these attacks. If
you put up software for others to download, you should sign it with a
cryptographic key. If you download software, you should check that
signature. As long as the signing keys are handled carefully
(i.e. not stored on the FTP server!), this bit of hygiene will detect
almost all tampering attacks. Without such checks, administrators are
placing a great deal of trust in the security of every system they download
software from.
Comments (2 posted)
New vulnerabilities
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
| CVE #(s): | CAN-2002-0839 |
| Created: | October 9, 2002 |
| Updated: | December 18, 2002 |
| Description: | Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related vulnerabilities which can be exploited by local users running under the Apache user ID. In-server scripting languages, such as PHP, are the most likely means of carrying out the attacks. One vulnerability causes the server to fork off new processes, leading to denial of service scenarios; the other allows an attacker to send SIGUSR1 to any process as root, probably killing that process. See this iDEFENSE advisory for the details. |
| Alerts: | |
Comments (3 posted)
SSL certificate validation vulnerability in evolution
| Package(s): | evolution |
| CVE #(s): | |
| Created: | October 9, 2002 |
| Updated: | October 9, 2002 |
| Description: | The evolution mail client does not properly check SSL certificates, leaving it open to man-in-the-middle attacks; see this advisory for details. Versions 1.0.x are vulnerable; the 1.1 beta branch is not. |
| Alerts: | (No alerts in the database for this vulnerability) |
Comments (none posted)
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0825, CAN-2002-0374 |
| Created: | October 9, 2002 |
| Updated: | December 11, 2002 |
| Description: | The nss_ldap package has a buffer overflow which can be exploited when the module configures itself from information in DNS. The problem is fixed in nss_ldap-199 and later. |
| Alerts: | |
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Comments (none posted)
Temporary file vulnerability in tkmail
| Package(s): | tkmail |
| CVE #(s): | |
| Created: | October 9, 2002 |
| Updated: | October 9, 2002 |
| Description: | The tkmail package has a temporary file vulnerability; a local attacker can use this hole to overwrite files owned by a local user. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Apache 2.0 cross-site scripting vulnerability
| Package(s): | apache |
| CVE #(s): | CAN-2002-0840 |
| Created: | October 2, 2002 |
| Updated: | October 2, 2002 |
| Description: | Versions of Apache 2.0 prior to 2.0.43 have a cross-site scripting vulnerability in the error page handling code. If you are running Apache 2.0, this one is worth fixing. |
| Alerts: | (No alerts in the database for this vulnerability) |
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). |
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind, glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries (CAN-2002-0651, CAN-2002-0684). |
| Alerts: | |
Comments (1 posted)
Multiple vulnerabilities in bugzilla
| Package(s): | bugzilla |
| CVE #(s): | |
| Created: | October 2, 2002 |
| Updated: | October 9, 2002 |
| Description: | The Bugzilla bug tracking system (versions prior to 2.14.4 or 2.16.1) suffers from a number of vulnerabilities, including one which could result in remote command and SQL injection. An upgrade to 2.16.1 is recommended, since the 2.14 branch will be unmaintained after the end of the year. See the Bugzilla advisory for details. |
| Alerts: | |
Comments (1 posted)
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | December 5, 2002 |
| Description: | Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc. CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404 |
| Created: | June 12, 2002 |
| Updated: | October 27, 2002 |
| Description: | Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3: the SMB dissector could potentially dereference a NULL pointer in two cases; the X11 dissector could potentially overflow a buffer while parsing keysyms; the DNS dissector could go into an infinite loop while reading a malformed packet; and the GIOP dissector could potentially allocate large amounts of memory. No known exploits exist "in the wild" at the present time for any of these issues. Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocols support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
Another set of fetchmail buffer overflows
| Package(s): | fetchmail, fetchmail-ssl |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | December 17, 2002 |
| Description: | e-matters GmbH has issued an advisory warning of a new set of buffer overflows in the fetchmail header parsing code. The vulnerabilities have been fixed in fetchmail 6.1.0. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils, ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 30, 2003 |
| Description: | Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc. Updating as soon as practical is a good idea. Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
| CVE #(s): | CAN-2002-0003 |
| Created: | May 21, 2002 |
| Updated: | December 9, 2002 |
| Description: | The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely. |
| Alerts: | |
Comments (none posted)
Buffer overflow in gv
| Package(s): | gv |
| CVE #(s): | CAN-2002-0838 |
| Created: | October 1, 2002 |
| Updated: | November 25, 2002 |
| Description: | gv, a graphical front end to ghostscript, has a buffer overflow vulnerability which can be exploited by a properly crafted PostScript or PDF file. If a user can be tricked into viewing such a file, arbitrary code can be executed with that user's privileges. See this iDEFENSE advisory for the details. |
| Alerts: | |
Comments (none posted)
Buffer overflows in heimdal
| Package(s): | heimdal |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | October 17, 2002 |
| Description: | A SuSE security team audit of the heimdal Kerberos implementation turned up several buffer overflow vulnerabilities. No exploits are known as of this writing, but these vulnerabilities are almost certainly possible for a remote attacker to exploit; if you are running heimdal, you should upgrade at the first opportunity. |
| Alerts: | |
Comments (none posted)
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax |
| CVE #(s): | CAN-2001-1034 |
| Created: | July 30, 2002 |
| Updated: | October 9, 2002 |
| Description: | The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities. HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. |
| Alerts: | |
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23). |
| Alerts: | |
Comments (2 posted)
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs |
| CVE #(s): | |
| Created: | September 17, 2002 |
| Updated: | November 18, 2002 |
| Description: | Konqueror for KDE 3.0.3, and earlier versions, is subject to this cross-site scripting vulnerability. Since the problem is in kdelibs, any other application which uses the KHTML renderer is also vulnerable. Javascript code running in one frame can access other frames which should be inaccessible. The problem is fixed in kdelibs 3.0.3a. |
| Alerts: | |
Comments (2 posted)
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | October 29, 2002 |
| Description: | A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. Felix von Leitner discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system. Updating now is recommended. CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
| CVE #(s): | CAN-2002-0378 |
| Created: | June 12, 2002 |
| Updated: | October 31, 2002 |
| Description: | Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host. This could be an especially annoying vulnerability for administrators with systems exposed to the general public. |
| Alerts: | |
Comments (none posted)
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
| CVE #(s): | CAN-2002-0738, CAN-2002-1307, CAN-2002-1388 |
| Created: | September 11, 2002 |
| Updated: | January 3, 2003 |
| Description: | Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. |
| Alerts: | |
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
| CVE #(s): | |
| Created: | July 22, 2002 |
| Updated: | February 18, 2003 |
| Description: | PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise. According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP. Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2. For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team. CERT Advisory: CA-2002-21 Vulnerability in PHP. |
| Alerts: | |
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-0354 |
| Created: | May 21, 2002 |
| Updated: | October 18, 2002 |
| Description: | This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0374 |
| Created: | June 5, 2002 |
| Updated: | October 29, 2002 |
| Description: | The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism. |
| Alerts: | |
Comments (none posted)
Safemode vulnerability in PHP
| Package(s): | PHP |
| CVE #(s): | CAN-2001-1246 |
| Created: | August 20, 2002 |
| Updated: | October 9, 2002 |
| Description: | PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers. |
| Alerts: | |
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
| CVE #(s): | CAN-2002-0014 |
| Created: | May 21, 2002 |
| Updated: | November 27, 2002 |
| Description: | Pine has an unpleasant vulnerability in URL handling which can lead to command execution by remote attackers. (First LWN report: January 17th). This vulnerability is remotely exploitable; updating is a good idea. Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein). |
| Alerts: | |
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
| CVE #(s): | |
| Created: | August 21, 2002 |
| Updated: | January 27, 2003 |
| Description: | PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited." Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad functions. |
| Alerts: | |
Comments (none posted)
PXE server denial of service vulnerability
| Package(s): | pxe |
| CVE #(s): | CAN-2002-0835 |
| Created: | September 4, 2002 |
| Updated: | November 11, 2002 |
| Description: | The PXE server can be crashed using DHCP packets from some Voice Over IP (VOIP) phones. Maliciously formed DHCP packets could be used by a remote attacker to effect a denial of service attack. The PXE package contains the PXE (Preboot eXecution Environment) server and code needed for Linux to boot from a boot disk image on a Linux PXE server. |
| Alerts: | |
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | October 1, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. |
| Alerts: | |
Comments (none posted)
sendmail smrsh bypass vulnerability
| Package(s): | sendmail |
| CVE #(s): | CAN-2002-1165 |
| Created: | October 2, 2002 |
| Updated: | November 29, 2002 |
| Description: | iDEFENSE has posted an advisory warning of a couple of ways of bypassing the restrictions imposed by the sendmail "smrsh" utility. smrsh puts limits on which programs a user may run out of a .forward file; this vulnerability could give a local user undesired access to the mail server system. A patch has been made available from sendmail.org which closes the vulnerability. |
| Alerts: | |
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
| CVE #(s): | CAN-2002-0178 |
| Created: | May 21, 2002 |
| Updated: | October 31, 2002 |
| Description: | According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16). |
| Alerts: | |
Comments (none posted)
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s): squid
CVE #(s):
Created: July 8, 2002
Updated: November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several
vulnerabilities in versions up to and including 2.4.STABLE7. Several of
the bugs are believed to allow remote code execution. The security
advisory lists the following changes:
- Several bugfixes and cleanup of the Gopher client, both to correct some
  security issues and to make Squid properly render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into HTML.
- FTP data channels are now sanity checked to match the address of the
  requested FTP server. This is to prevent theft or injection of data.
  See the new ftp_sanitycheck directive if this sanity check is not
  desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for buffer
  overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication credentials
  has been fixed.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing "../",
meaning that a hostile archive can, if unpacked by an unsuspecting user,
overwrite any file that is writable by that user. GNU tar versions
1.13.19 and earlier are vulnerable; unzip through version 5.42 has the
same vulnerability.
Alerts:
Comments (1 posted)
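As an added illustration of the check the tar and unzip fixes amount to (this is not code from either project), here is the member-name test an unpacker needs to apply before it creates each archive entry. It refuses absolute names and any name with a ".." component, so the "../" names described above cannot reach outside the directory being unpacked into. The member names in it are constructed for the example.

```c
/* Added example (not code from GNU tar or Info-ZIP unzip): the member-name
 * check an unpacker needs before it writes an archive entry to disk. A
 * name that is absolute or contains a ".." component is refused, which
 * stops the "../" names the advisory describes from reaching outside the
 * directory the user is unpacking into. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true if `name` may be created relative to the extraction
 * directory: it is non-empty, not absolute, and no path component is
 * exactly "..". Names such as "notes..txt" or "..hidden" are ordinary
 * file names and pass; "a/../b" and "../x" fail. */
bool archive_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')            /* absolute path: escapes the target directory */
        return false;

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');            /* end of this component */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;          /* ".." component: parent-directory traversal */
        if (end == NULL)
            return true;
        p = end + 1;
    }
}

/* Applies the check to a list of member names, as an unpacker would do
 * while walking the archive. Accepted names are copied (as pointers) into
 * `out`; the return value is how many were accepted. */
size_t filter_archive_members(const char *const *names, size_t n,
                              const char **out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_cap; i++)
        if (archive_name_is_safe(names[i]))
            out[kept++] = names[i];
    return kept;
}

/* Constructed member names modelled on a hostile archive. */
static const char *const demo_members[] = {
    "etc/motd.txt", "./docs/README", "../.bashrc",
    "/etc/passwd", "pkg/../../.ssh/authorized_keys", "notes..txt",
};

/* Runs the filter over the constructed list and returns how many survive. */
size_t demo_accepted_count(void)
{
    const char *accepted[6];
    return filter_archive_members(demo_members, 6, accepted, 6);
}

int main(void)
{
    const char *accepted[6];
    size_t n = filter_archive_members(demo_members, 6, accepted, 6);
    for (size_t i = 0; i < n; i++)
        printf("accept: %s\n", accepted[i]);       /* three of the six names pass */
    return 0;
}
```

A name check of this kind is necessary but not sufficient on its own: an unpacker must also decide what to do with symbolic-link members, since a later entry written through a link can land outside the target directory even when every name passes.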
Malformed NFS packet buffer overflow vulnerability in tcpdump
Package(s): tcpdump
CVE #(s): CAN-2002-0380
Created: June 5, 2002
Updated: October 9, 2002
Description:
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are
vulnerable.
Alerts:
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s):
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts:
Comments (none posted)
Tomcat 4.x JSP source code exposure vulnerability
Package(s): tomcat
CVE #(s):
Created: September 25, 2002
Updated: January 29, 2003
Description:
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code
exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other
earlier versions also)." The current version of Tomcat is available here.
Alerts:
Comments (none posted)
Local root vulnerability in chfn
Package(s): util-linux
CVE #(s): CAN-2002-0638
Created: July 30, 2002
Updated: October 31, 2002
Description:
chfn (change finger information) is one of the utilities in the util-linux
package. The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory. Under certain
conditions, "a carefully crafted attack sequence can be performed to
exploit a complex file locking and modification race present in this
utility, and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4
kilobytes and locating the attacker's account record in any but the last
4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955: util-linux package vulnerable to
privilege escalation when "ptmptmp" file is not removed properly when
using "chfn" utility
Alerts:
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s):
Created: May 21, 2002
Updated: January 27, 2003
Description:
The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS
lookups are enabled in webalizer, "an attacker with control over the
victim's DNS may spoof responses thus triggering a buffer overflow,
potentially leading to a root compromise." Webalizer 2.01-10 "fixes this
and a few other buglets that have been discovered in the last month or
so". (First LWN report: April 18th, 2002).
Alerts:
Comments (none posted)
Webmin/Usermin vulnerabilities
Package(s): webmin
CVE #(s):
Created: May 21, 2002
Updated: January 10, 2003
Description:
Webmin is a web-based interface for system administration for Unix.
Webmin has cross-site scripting and session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970. (First LWN
report: May 9).
This one is scary. The session ID spoofing vulnerability allows the
"possibility that arbitrary commands may be executed with root
privileges." Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling password timeouts
under Webmin->Configuration->Authentication.
Alerts:
Comments (1 posted)
Multiple vulnerabilities in wordtrans
Package(s): wordtrans
CVE #(s): CAN-2002-0837
Created: September 11, 2002
Updated: February 4, 2003
Description:
The "wordtrans" interface to multilingual dictionaries suffers from input
validation and cross-site scripting vulnerabilities; versions through
1.1pre8 are vulnerable. See this Guardent advisory for details.
Alerts:
Comments (none posted)
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s):
Created: May 21, 2002
Updated: May 7, 2003
Description:
The libgtop_daemon package is a GNOME program which makes system
information available remotely. LWN reported the remotely exploitable
format string and buffer overflow vulnerabilities in that package on
December 6th. On November 28th disabling the libgtop_daemon on systems
where it is running until an update is available.
Many Linux systems do not run libgtop by default, but applying the update
is a good idea anyway.
Alerts:
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content-Length values. "It is believed that an attacker
could exploit this bug to gain remote wwwrun access to the system
wwwoffled is running on."
CAN-2002-0818
Alerts:
Comments (none posted)
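The bug class here, a signed length taken from the request, is common enough to be worth showing. What follows is an added example, not wwwoffle code: a strict parser for the Content-Length value placed beside the loose conversion that lets a negative number through. The body limit and the header values are constructed for the example.

```c
/* Added example, not wwwoffle code: a strict parser for the value of an
 * HTTP Content-Length header, shown beside the loose conversion that lets
 * a negative length through. The checked version accepts only an unsigned
 * decimal number no larger than what the server is willing to buffer. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY (16UL * 1024 * 1024)   /* constructed limit for this example */

/* The loose form: atol() happily returns -1 for "-1", and a negative count
 * later cast to size_t becomes an enormous length. */
long naive_content_length(const char *value)
{
    return atol(value);
}

/* The checked form. Tolerates the optional whitespace HTTP allows around
 * the value, but refuses signs, non-digits, trailing junk, overflow, and
 * anything above max_body. Returns true and sets *out only on success. */
bool parse_content_length(const char *value, unsigned long max_body,
                          unsigned long *out)
{
    if (value == NULL)
        return false;
    while (*value == ' ' || *value == '\t')            /* leading whitespace */
        value++;
    const char *p = value;
    while (isdigit((unsigned char)*p))                 /* digits only: "-1" and "+7" stop at once */
        p++;
    if (p == value)
        return false;                                  /* empty, or does not start with a digit */
    const char *q = p;
    while (*q == ' ' || *q == '\t' || *q == '\r' || *q == '\n')
        q++;                                           /* trailing whitespace / line ending */
    if (*q != '\0')
        return false;                                  /* "12abc", "1, 2", "0x10", ... */
    errno = 0;
    char *stop;
    unsigned long n = strtoul(value, &stop, 10);
    if (errno == ERANGE || stop != p)
        return false;                                  /* does not fit in unsigned long */
    if (n > max_body)
        return false;                                  /* larger than the server will buffer */
    *out = n;
    return true;
}

/* What a request handler would call: the body length, or -1 meaning the
 * request must be rejected (HTTP 400) rather than processed. */
long checked_content_length(const char *value)
{
    unsigned long n;
    return parse_content_length(value, MAX_BODY, &n) ? (long)n : -1;
}

int main(void)
{
    /* constructed header values */
    const char *samples[] = { "42", " 1024 ", "-1", "+7", "12abc", "20000000" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s checked=%ld\n", samples[i], checked_content_length(samples[i]));
    printf("naive(\"-1\") = %ld\n", naive_content_length("-1"));   /* -1 */
    return 0;
}
```

The point of the `max_body` cap is that "not negative" is only half the check; a server that reads the header into an unsigned type still needs an upper bound before it allocates or loops on the value.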
Local privilege escalation vulnerability in XFree86
Package(s): xf86 xfree86
CVE #(s):
Created: September 18, 2002
Updated: October 27, 2002
Description:
XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to
execute arbitrary code in privileged clients. Other libraries are
dynamically loaded by libX11.so as needed. When linked into a setuid
program, arbitrary code could be loaded and executed from a pathname
controlled by the user.
Alerts:
Comments (none posted)
Denial of service vulnerability in xinetd
Package(s): xinetd
CVE #(s):
Created: August 14, 2002
Updated: December 3, 2002
Description:
A file descriptor leak into services started from xinetd may be used, by
programs it starts, to crash xinetd. Xinetd is a replacement for the BSD
derived inetd.
Alerts:
Comments (none posted)
Resources
The LinuxSecurity.com "Linux Security Week" newsletter for October 7
is available.
Full Story (comments: none)
News.com has
a report from Whitfield Diffie's talk at the RSA conference.
"Diffie also said that security cannot be delegated, nor can a user rely on one company for security. 'Openness is essential for trust,' he said, referring to open-source code, as well as compatibility."
Comments (none posted)
Michael D. Bauer
talks about Linux security issues on O'Reilly.
"I don't presume to know in any definitive way whether Linux is more or less securable than other Unix variants. What I do know is this: Linux is useful, stable, and securable enough to warrant the time and effort required to "harden" it against Internet threats. This article explains some of the reasons I believe it's both possible and worthwhile to secure Linux for use as an Internet server platform."
Comments (none posted)
Events
The 19th annual Chaos Computer Club Congress will be held in Berlin on
December 27 to 29. The Call for Papers has gone out; no deadline
for submissions has been specified. "So, do you dare to speak in
front of people who might have downloaded your
script from your computer in advance and spotted all the logical
errors?"
Full Story (comments: none)
The 2003 Computers, Freedom, and Privacy conference will be held
April 1 to 4 in New York. The Call for Papers is out, with a
deadline of November 15.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.5.41, which was
released by Linus on October 7.
"Mucho merges with the 'A-Team' (Alan, Al, Alexey, Andrew, Anton,
Arjan, Arnaldo and Art), but the 'M-Team' (Maksim, Marcel, Martin's and
Mike) is a close runner up." There's a bunch of patches from Alan
Cox, more disk management reworking, more memory management work, some SCSI
work, a big ALSA update, an ISDN update, some kbuild work, a big S390
update, and numerous other fixes. The
long-format changelog has all the details.
Linus's BitKeeper repository, which is destined to become 2.5.42, currently
contains some driver model work (with an emphasis on IDE devices), another
s390 update, the large block device patch (see below), the beginning of the
"asynchronous I/O for networking" merge, the return of IDE tagged command
queueing support, indexed directories for the ext3 filesystem, a number of
NUMA and discontiguous memory enhancements, long lists of small patches via
Dave Jones and Alan Cox, and quite a few other fixes and updates.
The current development prepatch from Alan Cox is 2.5.41-ac2. Since 2.5.41 came out, the -ac
patches have been mostly concerned with compilation fixes and other small
updates.
The latest 2.5 status summary from Guillaume
Boissiere is dated October 9.
The current stable kernel is 2.4.19. Marcelo released 2.4.20-pre10 on October 8. The lists of
patches applied are getting smaller, suggesting that there just might be a
release candidate before too long.
Comments (none posted)
Kernel development news
The lengthy BitKeeper flame war was not entirely without useful results.
Some developers expressed a wish to have a better view into what patches
were being applied without having to run BitKeeper to extract them; the
response was the creation of a couple of "bk commits" mailing lists on
vger.kernel.org. Every time Linus merges a patch, the "bk-commits-head"
list gets a message containing that patch. A similar list (bk-commits-24)
exists for those who want to track what's up with the 2.4 kernel instead.
Now there's no excuse for not knowing what got merged into 2.5 ten minutes
ago.
See the vger majordomo
page for information on how to subscribe to these lists.
Comments (none posted)
A linux-kernel reader recently
complained
that Red Hat had applied a patch to the kernel in its 8.0 distribution
which made the
sys_call_table data structure unavailable to
modules. He will not have been pleased with the 2.5.41 kernel release,
which did the same thing.
sys_call_table is a special table used to dispatch system calls
within the kernel. It is a simple array, indexed by the system call number
passed in from user space. The reason for wanting this array to be
exported, of course, is to allow modules to add or modify system calls. A
classic example is a module implementing the "streams" interface, which is
unlikely to ever be part of the mainline kernel. Some users need streams,
though; an exported system call table allows them to load a module and have
the streams call work as expected.
So why would this capability be taken away? The stated reason is that
tweaking the system call table is nonportable and unsafe. Each
architecture has a different system call table format, so code which wants
to be portable has to understand how each architecture does things. There
is also no locking mechanism for the system call table, so run-time changes
are subject to race conditions. And finally, there are even errata
problems on some processors; changing a table used the way
sys_call_table is used can have unfortunate and unexpected
results.
Many of these problems could be worked around with a bit of coding. But
the simple fact is that many kernel developers do not want loadable modules
to be able to add or change system calls. Binary modules are tolerated as
long as they stick to the "published" interfaces and implement
straightforward features (such as device drivers and filesystems). A
module which can add or change system calls can go well beyond that
interface. Removing access to the system call table keeps modules in their
place.
Working around this problem is not all that difficult for modules which need
to do so. A patch was quickly posted which
made streams work again, for example. The solution is to have a set of
stub system calls wired into the kernel; when the associated module is
loaded, the stubs can make the appropriate calls with the necessary locks.
Otherwise they return an ENOSYS error.
Comments (none posted)
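To make the stub design concrete, here is an added example modelled in user space; it is not the streams patch referred to above. The dispatch table is fixed when the kernel is built and holds only stub entry points; a module registers its handler with a stub at load time, and a stub with no handler fails with -ENOSYS like any unimplemented system call. Nothing ever writes into the table itself, which is the point. Names such as stub_register and demo_module_call are invented for the example.

```c
/* Added example, not the streams patch the text mentions: the stub design
 * modelled in user space. The dispatch table is fixed when the kernel is
 * built and holds stub entry points; a module registers its handler with a
 * stub, and a stub without a handler fails with -ENOSYS exactly like an
 * unimplemented system call. Nothing ever writes into the table itself. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

typedef long (*syscall_fn)(long arg);

#define NR_STUBS 2
/* One handler slot per reserved stub, NULL until a module claims it. The
 * slot is atomic so a call racing with a registration sees either the old
 * or the new pointer, never a partial update; the raw sys_call_table, as
 * the text notes, offers no such protection. */
static _Atomic(syscall_fn) stub_handler[NR_STUBS];

/* Called by a module on load. Only a free slot can be claimed, so two
 * modules cannot silently fight over the same entry. */
long stub_register(int nr, syscall_fn fn)
{
    if (nr < 0 || nr >= NR_STUBS || fn == NULL)
        return -EINVAL;
    syscall_fn expected = NULL;
    if (!atomic_compare_exchange_strong(&stub_handler[nr], &expected, fn))
        return -EBUSY;                 /* someone else owns this stub */
    return 0;
}

/* Called on unload; only the registered owner may clear the slot. A real
 * kernel must also keep the module's code alive until in-flight calls have
 * returned (module reference counts), which this model does not show. */
long stub_unregister(int nr, syscall_fn fn)
{
    if (nr < 0 || nr >= NR_STUBS)
        return -EINVAL;
    syscall_fn expected = fn, none = NULL;
    if (!atomic_compare_exchange_strong(&stub_handler[nr], &expected, none))
        return -EINVAL;                /* not the owner */
    return 0;
}

/* The body shared by every stub: forward if a handler is present, else
 * behave as an unimplemented system call. */
static long stub_dispatch(int nr, long arg)
{
    syscall_fn fn = atomic_load(&stub_handler[nr]);
    return fn ? fn(arg) : -ENOSYS;
}

static long sys_stub0(long arg) { return stub_dispatch(0, arg); }
static long sys_stub1(long arg) { return stub_dispatch(1, arg); }

/* The table: populated at build time, const, and never handed out for
 * modification. Real tables hold hundreds of entries; two stubs suffice here. */
static syscall_fn const sys_call_table[] = { sys_stub0, sys_stub1 };

/* The entry path: bounds-check the number, then dispatch. */
long do_syscall(unsigned nr, long arg)
{
    if (nr >= sizeof sys_call_table / sizeof sys_call_table[0])
        return -ENOSYS;
    return sys_call_table[nr](arg);
}

/* Stand-in for a module's implementation (constructed: doubles its argument). */
long demo_module_call(long arg) { return arg * 2; }

int main(void)
{
    printf("before load:  %ld\n", do_syscall(0, 21));       /* -ENOSYS */
    stub_register(0, demo_module_call);
    printf("after load:   %ld\n", do_syscall(0, 21));       /* 42 */
    stub_unregister(0, demo_module_call);
    printf("after unload: %ld\n", do_syscall(0, 21));       /* -ENOSYS */
    return 0;
}
```

The atomic slot stands in for the locking the text mentions; the property that matters for the argument is that the table itself is const and the only mutable state is a handler pointer the kernel owns, so a module can fill a stub it was given but cannot replace or add entries of its own.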
One would think that, after Eric Raymond's experience with trying to
overhaul the kernel configuration scheme, nobody else would want to venture
into that area for a long time. One would be wrong, however; Roman Zippel
has been working on his "LinuxKernelConf" package for some time, and has
recently posted
version 0.8, with a
statement that it is ready for inclusion.
LinuxKernelConf, like the ill-fated CML2 effort, defines a new
configuration language (specification) and
creates a single parser that can be used by all
configuration interfaces. The new language is purely declarative, unlike
the old one, which was really an imperative programming language. A
configuration file (there are now many, spread throughout the source tree)
contains declarations for the various configuration options, including all
the relevant information in one place. A typical entry looks something
like this:
    config NETFILTER_DEBUG
        bool "Network packet filtering debugging"
        depends NETFILTER
        help
          You can say Y here if you want to get additional
          messages useful in debugging the netfilter code.
Note that, among other things, this scheme includes the help information
with the rest of the configuration details.
Unlike CML2, Mr. Zippel's scheme avoids fancier scripting languages and
works with basic tools. That will help to avoid one set of flame wars.
LinuxKernelConf may well stumble over a different obstacle, however: the
(quite nice) graphical configuration tool is built on Qt. That is, in
fact, the source
of Linus's biggest concern about this patch:
But the fact that xconfig depends on QT is going to make some
people hate it.... In other words, I really think this needs to
pass the linux-kernel stink test. Will Al Viro rip your throat out?
Will it generate more positive feedback than death threats?
In fact, there have been very few death threats so far, perhaps because not
too many people have looked at the code. Regardless of the level of
promised violence, however, it looks like LinuxKernelConf may be merged
with some evasive action: the graphical interface will simply be omitted.
The kernel will thus ship with the basic configuration language; anybody
who wants to use a graphical tool will need to obtain and install it
separately. Once a few other, smaller issues are resolved, it looks like
Linus may go ahead and merge this patch.
Comments (4 posted)
One set of patches which Linus has merged into his pre-2.5.42 BitKeeper
tree is the "large block device" patch by Peter Chubb. Current Linux
systems are limited to a mere 2TB in any one block device; this limitation
is beginning to hurt users of very large RAID arrays. With the LBD patch,
that limitation goes away.
The solution, of course, is to simply redefine the sector_t type
as a 64-bit quantity. Mr. Chubb's patches (which can be found in the
"patches" section below) do exactly that. Generally, the
transition is not that hard; the bulk of the changes, seemingly, are to
format strings in printk calls. Much of the rest is changing
variables which were defined as int or long over to the
sector_t type.
For the most part, it is said to work. Note, however, that software RAID
volumes are still limited to 2TB.
Comments (none posted)
Patches and updates
Kernel trees
Build system
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Benchmarks and bugs
Miscellaneous
- Ulrich Drepper: nptl 0.2.
(October 4, 2002)
- Brian F. G. Bidulock: export of sys_call_table. Makes the Linux streams module work without an exported sys_call_table.
(October 9, 2002)
Page editor: Jonathan Corbet
Distributions
News and Editorials
Red Hat 8.0 is out, and already a few gripes have crossed the LWN mailbox.
This latest version has
removed
support for Intel 80486, as was bound to happen sooner or later. It
seems they have also removed the national flag of Taiwan from the KDE 3.0
Control Center. This may well make it easier to do business in mainland
China, but it doesn't create good relations in Taiwan.
Then there were rumors that RH 8.0 is not completely free software anymore.
We checked into that and found that statement to be false. Red Hat has
always included some proprietary software packages in its boxed sets, but
the base Red Hat code is still released under the GNU General Public
License. Looking at the licensing
agreement, we see Red Hat, Inc. trying to protect its trademark. In
order to do this the Red Hat agreement asks those making copies for resale
to modify files identified as "Redhat-logos" and "anaconda-images" to
remove "All use of images containing the "Red Hat" trademark or Red
Hat's shadow man logo".
To make this just a tad more difficult the license also says, "Note
that mere deletion of those files may corrupt the software." This
implies that somewhere in the code there are checks to see that the files
still exist. So the files must be edited to remove these trademarked
logos. However we note that this only applies to those who wish to resell
the distribution without entering into a reseller agreement with Red Hat.
Why would the Linux giant do this? U.S. law takes a "use it or lose it"
stance to trademarks. If Red Hat does not defend its trademarks they may be lost.
So Red Hat is taking steps to more vigorously protect its trademarks. Then
consider what happens when a third party modifies Red Hat 8.0 before
resale. If a bug is introduced, Red Hat takes the blame. With the
trademarks removed, Red Hat is distanced from the bug. Since Red Hat
doesn't know what unlicensed resellers are doing with their code, it is
better for them if the end user doesn't see the Red Hat logo. The
restriction also slows down those that download the distribution and make
copies for resale, giving Red Hat a chance to sell a few more copies for
itself. This won't result in big sales for Red Hat, but every little bit
helps.
All in all, the restriction does not seem terribly onerous. Those who
modify Red Hat before resale must edit a couple of extra files. The code
itself is free, and Red Hat maintains better control of what goes out under
its brand name.
Look for a review of Red Hat 8.0 in the review section below, along with
reviews of Libranet 2.7, Mandrake 9.0 and SuSE 8.1 Professional.
Comments (9 posted)
Distribution News
This week's DWN covers the Free Standards Group release of Linux Standard
Base 1.2 (LSB) and asks, 'is anything missing?' Also read about OpenSSL
with CPU optimization; the problematic BitKeeper license; and much more.
Full Story (comments: none)
New Distributions
AbulÉdu
is a Mandrake-based distribution for primary schools. It is currently in
French but most of the tools can be translated. An AbulÉdu server can
handle Mac (netatalk), Windows (samba), GNU/Linux and X terminal (with
LTSP) clients.
Development version 1.0.11 beta 4 features new French-Arabic keyboard
support (you can now use some applications such as Mozilla, write with a
French keyboard, or press AltGr and write with an Arabic keyboard), some
updates, and new features (new mathematical applications and children's
software).
Comments (none posted)
Minor distribution updates
The
Aurora SPARC Linux Project
announced Build 0.42 (Douglas). This release is primarily for sparc64,
since it fixes a nasty bug that caused disk operations to take 10X as long.
As such, the kernel has been reverted to 2.4.18-1.000sparc.
Full Story (comments: none)
floppyfw has released
2.0.3 with minor security
fixes.
Comments (none posted)
Linux From Scratch has a new
stable release, version 4.0. The list of changes is quite extensive, so
please read the
changelog for the details.
Comments (none posted)
Mindi Linux
has released
v0.66 with
improved logging. Mindi now works around Debian's eccentricities more
effectively and handles DevFS better, too.
Comments (none posted)
Distribution reviews
The Linux Journal
reviews Libranet
2.7.
"Libranet offers a
straightforward installer, simplified partitioning, automatic
detection and configuration of video and sound, system
administration tools and a well organized selection of
applications, all of which get a generously endowed Debian
installation up and running in short order. And since Libranet
is fully compatible with Debian, it offers fast and reliable
system updates and upgrades."
Comments (1 posted)
Libranet GNU/Linux 2.7 is
reviewed
by Linux Orbit. "We focused a lot for this review on the desktop
aspects of Libranet GNU/Linux 2.7, since the effort to create an easy to
use desktop Linux distribution has obviously been considerable. But let's
not forget what lies underneath. Libranet 2.7 is based on Debian GNU/Linux
3.0 (now officially "stable"), with Libranet enhancements, like the latest
stable kernel and more. And if you don't need a desktop system, seasoned
Debian users can choose a minimal installation and rely on installing their
favorite server software packages via apt."
Comments (none posted)
The Register
describes a basic
Mandrake 9.0 installation and compares ML9.0 to ML8.2 on a ThinkPad
T20. "I stick the coaster (CD #1) into the cupholder (CD Drive) and
look at the install screen. It's similar to the one I saw in earlier
Mandrake versions, with its choice of upgrade, rescue or full install. I
choose full install by hitting "Enter." The install begins. Mindlessly, I
click on the default choices as I begin, and partitions are created
automatically, with my 12 GB hard drive split more or less equally between
/ and /home (ext3) partitions separated by a 243 MB swap partition. Nothing
radical, no work to do, no thought required. It has been a while since
partitioning was a concern for new Linux users who chose "commercial"
distributions, and this latest Mandrake has made the partitioning process
literally invisible unless you choose the "expert" option."
Comments (none posted)
The Register
takes a look
at Mandrake 9.0 on the Xbox. "Mandrake was chosen, according to the
Project, for purely utilitarian reasons. Red Hat is "quite conservative
with its package versions, and we wanted to provide the most modern
distribution available." SuSE doesn't have a GPLed distribution download,
and "Debian isn't the typical distribution for the end user, and besides,
Debian for the Xbox is already available." They also say that of the four,
they found Mandrake ran with the least modifications."
Comments (none posted)
The Register
reviews the installation of Red Hat 8.0 on an IBM ThinkPad laptop.
"Shock number one was it installed without any hassle. No comments
here on partitioning and dual booting, as I was happy just vaping the
hard drive (which I appeared to have vaped already for some reason anyway), and accepting the defaults."
Comments (7 posted)
LinuxLookup.com
looks
at SuSE 8.1 Professional. "SuSE software has always impressed me
by the attention to detail they employ in generating their best-in-class
Linux OS. The installation routine is simple and straightforward, the
progress bar (lie meter) is generally accurate, and the finished install is
relatively painless to configure. This release is no different in those
aspects and more improvements have made their way into the finished product
as well."
Comments (none posted)
Page editor: Rebecca Sobol
Development
System Applications
Database Software
Version 7.2.3 of PostgreSQL
has been released.
"In order to address a potentially critical bug in the VACUUM code, the PostgreSQL Global Development Group is releasing v7.2.3 of PostgreSQL.
This release includes a fix for a serious problem that has affected all 7.2.* releases: if a VACUUM command is run by a non-superuser, it is sometimes possible for the system to prematurely remove old transaction log data (pg_clog files). This can result in data becoming unrecoverable. All 7.2.* installations are urged to update to 7.2.3 as soon as possible."
Comments (none posted)
Education
Issue #80 of the
Linux in Education Report is out. Topics include
the Free Software Foundation Europe's educational task force,
interviews with Pete St. Onge and Ben Armstrong, a
proposal for Software Freedom Season, several conference calls for
participation, Linux-based video bulletin board software,
and more.
Comments (none posted)
Printing
Version 1.1.16 of the
CUPS printing system is available.
"CUPS 1.1.16 adds support for a new CUPS printer driver for Windows NT/2000/XP that provides accurate page accounting as well as support for the banner, job billing, job priority, and page label options. The new release also contains many small bug fixes and enhancements, including better USB printing support, support for printer names containing any printable character (123print, my-long-printer-name, etc.), and French language localization of the web interface and documentation." See the
release notes
for all of the details.
Comments (1 posted)
Web Site Development
This release of Apache is principally a security and bug fix release.
The announcement details a possible buffer overflow in ab.c, an XSS vulnerability in error 404 handling, and a SysV shared memory-based scoreboards attack. You can download the new release from
any of Apache's mirrors.
Comments (none posted)
Version 0.5.1 of the
Quixote
Python-based web publishing framework is available. See the source
code for change information.
Comments (none posted)
Builder.com has
an article by Nigel McFarlane about the optimization of cgi-bin
programs.
"Efficient delivery of dynamic Web pages remains a challenge for Internet developers, especially when moving static HTML pages to CGI. I will review some performance numbers I obtained from testing three CGI strategies during the generation phase of page delivery."
Comments (none posted)
The most recent headlines on the
Zope Members News
include: the Infrae Content Management Sprintathon, RenderPM 0.3 released,
TextIndexNG 1.05 beta 2 released, DCOracle2 1.2 Released, and
ZWiki 0.11.0 released.
Comments (none posted)
mnoGoSearch-php-3.2.0.rc1, the php front-end to the mnoGoSearch
web site search engine has been released. See the
ChangeLog file
for release details.
Comments (none posted)
Miscellaneous
Version 2.0.10 of Procps is available.
"Procps is the package containing various system monitoring tools, like
ps, top, vmstat, free, kill, sysctl, uptime and more. After a long
period of inactivity procps maintenance is active again and suggestions,
bugreports and patches are always welcome on the procps list.
The plan is to release a procps 2.1.0 around the time the 2.6.0 kernel
comes out, with regular releases until then. Code cleanups and all kinds
of enhancements are welcome."
Full Story (comments: none)
Version 0.2 of the GStreamer Pipeline Editor is available.
"A first release of gst-editor, the GStreamer graphical pipeline
editor, is now available for public consumption! This tool allows
easy, graphical construction, inspection, and operation of media
processing pipelines. It can be used as a rapid prototyping tool as
well as a method to learn more about GStreamer."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 1.4.5 of the
WaveSurfer
sound visualization and manipulation tool is available.
Changes include a new sound mixing functionality,
three new time display formats,
bug fixes, and minor improvements.
See the
Changes
document for the full history.
Comments (none posted)
Version 4-0 of Rosegarden, a MIDI and audio
sequencer and musical notation editor, is available.
Full Story (comments: 1)
Desktop Environments
KDE.News
reports on
the release of KDE 3.1beta2.
"On top of the large number of improvements over KDE 3.0 which
have already been announced, this release offers a
number of significant improvements, such as a new Exchange 2000®
plugin for KOrganizer and a KVim plugin for KDevelop."
Comments (none posted)
KDE e.V., "the KDE developers' organisational body which controls the KDE
League," has put out
a
statement on the current furor over the KDE League's activities (or
lack thereof). "The Board of KDE e.V. has at this point and with the current knowledge
absolutely no reason to believe that there are any irregularities in the
bookkeeping of the KDE League....
The Board of KDE e.V. acknowledges that the KDE League has been mostly
dysfunctional the last few months. This is partly due to lack of enthusiasm
on the part of the KDE League members, partly due to KDE e.V. having been
dysfunctional itself."
Comments (none posted)
Snapshot 2.1.0 of the GNOME Development Series, dubbed "88MPH" is
available. Testers are being recruited.
Full Story (comments: none)
This week's GNOME Summary looks at more SVG candy; new GNOME Accessibility
Themes; GNOME Development Series Snapshot 2.1 released; and much more.
Full Story (comments: none)
Topics on the GNOME desktop
FootNotes site include:
Sodipodi 0.27, an Owen Taylor and Havoc Pennington Interview,
OpenOffice.org Developer Build 643,
Glade Beta for GTK+ 2 And GNOME 2, Gnumeric 1.0.10 & 1.1.9,
GNOME Accessibility Themes released, and more.
Comments (none posted)
Games
The October, 2002 issue of the World Forge Games
Chopping Block is out.
Topics include project news, Lagrangian mechanics, head textures,
the Kokatrix 2D World Editor, and more.
Comments (none posted)
GUI Packages
Version 1.1.0 of
FLTK, the Fast, Light ToolKit,
is available.
Comments (none posted)
Interoperability
Issue #138 of
Kernel Cousin Wine
has been published. Topics include
a LindowsOS 2.0 Review, DIB Engine, That Darn $!$!,
Anti-alias For Smaller Fonts, Remote Procedure Call Patch, and
Listview Changes.
Comments (none posted)
Developer Release 20021007 of Wine
has been announced.
Changes include a massive listview rewrite,
a new MS RLE codec, a fixed winemaker, the
beginnings of Direct3D 8 support, and lots of bug fixes.
Comments (none posted)
Office Applications
Developer build #643 of OpenOffice is available and ready for testing.
Full Story (comments: none)
Issue #112 of the
AbiWord Weekly News is out.
Topics include the AbiWord developer's release version 1.1.0, browser
width issues, elevators and the reload button, and lots more.
Comments (none posted)
Issue #49 of
Kernel Cousin GNUe is out with the latest GNU enterprise issues.
This week's topics include
GNUe in use in production environments,
a wxWindows bug in Designer Property Window,
Time and Expenses functionality,
a GNUe developers meeting in Germany,
New Releases of the GNUe Tools, and more.
Comments (none posted)
KDE.news has
an announcement
for a new release of KVim, a GUI version of the classic VI editor.
"It provides
many new features and improvements: a new GUI for Qtopia systems, a new KDE
toolbar, full DCOP support, much improved support for internationalisation
and encodings, and improved portability."
Comments (none posted)
Web Browsers
The October 2, 2002
Mozilla Status Update is out with the latest Mozilla project news.
Topics include Mozilla releases, Phoenix 0.3, Spellchecker, OS/2,
a dll/so cleanup, footprint reduction ideas, Spam/Junk mail filtering,
Typeahead, a Mozilla Book, and Xft/fontconfig support.
Comments (none posted)
The latest
mozillaZine topics
include Thunderbird, a lightweight stand-alone mail client,
Phoenix 0.3 Delayed, Mozilla in the Chicago Sun-Times,
Tree to Close for 1.2 Beta, Mozilla Featured in Open Source Study,
Adding Pop-up Blocking to Netscape and Spell Checking to Mozilla,
and more.
Comments (none posted)
Languages and Tools
Caml
The Caml Weekly News for September 10 through October 8, 2002 is out
with lots of Caml news topics.
Full Story (comments: none)
This week, the new software on
The Caml Hump includes one item,
htmlc, an HTML file generator.
Comments (none posted)
Eiffel
Release 0.4 of the ELJ Open-source projects and library bindings for
Eiffel has been released. Extensive Linux support has been brought
to the project with this version.
Full Story (comments: none)
Java
Ron Hitchens
writes about Java's NIO on O'Reilly's OnJava.com.
"New I/O? Why do we need a new I/O? What's wrong with the old I/O?
There's nothing wrong with the classes in the java.io package; they work just dandy -- for what they do. But it turns out there are quite a lot of things the traditional Java I/O model can't handle. Things like non-blocking modes, file locks, readiness selection, scatter/gather, and so on. These capabilities are widely available on most serious operating systems today (and a few comical ones, as well). They're not just nice to have; they're essential for building high-volume, scalable, robust applications, especially in the enterprise arena."
Comments (none posted)
Lisp
Version 2.a1 of LISA, the Lisp-based Intelligent Software Agents
platform, is available.
Full Story (comments: none)
Perl
The latest
Perl 5 Porters digest is out.
Topics include Hash::Util::lock_keys inhibits bless,
Just in time subroutine loading,
Collections, Overridden built-in misparsing, The void context,
make too slow, a Safe.pm security hole, Memory stats interface,
and more.
Comments (none posted)
O'Reilly's
This week on Perl 6 for September 30 - October 6, 2002 is out.
Topics include
a Parrot getting started guide, debugging the Parrot debugger,
Patch Master status, a New allocator, Patches, library name collisions,
core.ops ate my (miniscule) RAM, a Parrot file list, Interfaces,
Subject-Oriented Programming, Matching, Who's Who in Perl6, and more.
Comments (none posted)
The October, 2002 edition of
The Perl Foundation Newsletter is out. Topics include YAPC 2003,
and an interview with White Camel winner Tim Maher.
Comments (none posted)
Abhijit Menon-Sen
explains
hashing in the context of Perl.
"It's easy to take hashes for granted in Perl. They are simple, fast, and they usually "just work," so people never need to know or care about how they are implemented. Sometimes, though, it's interesting and rewarding to look at familiar tools in a different light. This article follows the development of a simple hash class in Perl in an attempt to find out how hashes really work."
Comments (none posted)
PHP
Topics on this week's
PHP Weekly Summary
include Embedded PHP, XSLT directions, More .phps support, Fixing streams,
cURL extension, String functions [clean|speed]ups, and
Rounding out Apache 2 support.
Comments (none posted)
Python
Guido van Rossum has released Python 2.2.2 beta 1.
"Python 2.2.2 has a large number of bug fixes in all areas of the
interpreter and the library".
Full Story (comments: none)
The Python-dev summary for September 30 is now available. It looks at an
extended type system proposal, the upcoming Python 2.2.2 release, and
several other topics.
Full Story (comments: 1)
This week's
Daily Python-URL
topics include Win32 Extension Snapshot Builds, Python 2.2.2 beta 1,
the ICFP programming contest results, an
Introduction to random access files with module 'shelve',
ZPT basics (part 1), and more.
Comments (none posted)
Ruby
Topics on this week's
Ruby Weekly News
include JRuby beta 1.6/0.5.2, Blogtari 0.0.2, WNS XFormer version 0.0.0,
xmlscan-0.1.0rc1, ZenTest 1.0.1, ZenWeb 1.14.0,
Inline::C meeting, thoughts on typelessness,
an announce only mailing list,
Things That Newcomers to Ruby Should Know,
RubyConf: insurance problems solved, and a discussion about a MetaRWN.
Comments (none posted)
Scheme
The October 7, 2002 edition of the
Scheme Weekly News is out. Topics include a request for more
Scheme articles, TeXmacs 1.0.18, and SISC 1.6.0 beta.
Full Story (comments: none)
Tcl/Tk
The October 7, 2002 edition of the Dr. Dobb's Tcl-URL! is out
with all of the latest Tcl news.
Full Story (comments: none)
XML
Bob DuCharme
shows how
to clean up XML data on O'Reilly's XML.com.
"Any manipulation of XML documents, whether with XSLT or not, often involves cleaning up the documents. Perhaps some company sends XML data to your company, and while it may be valid XML, it still needs to be beaten into shape a bit before your systems can use it.
Dealing with duplicate elements and empty elements are typical tasks of a cleanup process. Through no fault of XSLT, finding them can be a little trickier than you might at first think, but it's not too bad, and XSLT includes several features to make these cleanup tasks go more easily."
Comments (none posted)
Will Provost
talks about
metaschemas on O'Reilly's XML.com.
"In this article we'll investigate the uses of metaschemas and the techniques for creating them. This will bring us in close contact with the existing WXS metamodel, an interesting study in and of itself. We'll consider several strategies for bending this metamodel to our application's purposes, and we'll see which strategies best suit which requirements. (To tip the hand a bit, the prize will go to the WXS redefine component as a way of redefining parts of the WXS metamodel itself.)"
Comments (none posted)
Page editor: Forrest Cook
Linux in Business
Business News
An analyst company called TowerGroup has put out
a press release on the use of Linux in financial firms.
"TowerGroup estimates that Linux is now deployed on 14% of total servers at
North American brokerage firms. In contrast, Microsoft has 54% of the market
(both NT and 2000 combined), while Unix has 27% of the market.
However, TowerGroup believes Linux use will grow at an annual rate of 22%
in the North American securities server market between 2002 and 2005,
outpacing growth in Windows 2000, NT and Unix deployments over that same
period."
Comments (none posted)
Bruce Perens reports that after a year of argument and see-sawing, W3C's
patent policy board has voted to recommend a royalty-free patent
policy. This recommendation will be put in the form of a draft and released
for public comment.
Full Story (comments: none)
Press Releases
Open Source Announcements
Distributions and Bundled Products
Software for Linux
Products and Services Using Linux
Hardware with Linux support
Linux at Work
Books and Documentation
Training and Certification
Trade Shows and Conferences
Partnerships
Financial Results
Personnel and New Offices
Miscellaneous
Page editor: Rebecca Sobol
Linux in the news
Recommended Reading
Here's
an editorial in The Register expressing fears that the "geek worldview" is becoming too uniform.
"If geekdom becomes tied to a
Little Red Book of permitted beliefs, it is likely to go the same way as so
many other fixed belief systems, into decline. Another way of putting this is
to ask this question: If DRM comes crashing down on our heads, and we can't
do anything about it, do we all have to spend the rest of eternity fighting
the last war? And if we're fighting that war, who's going to be taking care
of the next one?"
Comments (3 posted)
O'Reilly has
an article by Richard Thieme on the meanings of the term "hacker".
"In essence, hacking is a way of thinking about complex systems. It includes the skills required to cobble together seemingly disparate pieces of a puzzle in order to understand the system; whether modules of code or pieces of a bigger societal puzzle, hackers intuitively grasp and look for the bigger picture that makes sense of the parts. So defined, hacking is a high calling. Hacking includes defining and defending identity, creating safe boundaries, and searching for the larger truth in a maze of confusion and intentional disinformation."
Comments (none posted)
Bruce Perens has written
an editorial that looks at the W3C recommendation to maintain
a royalty-free policy.
"Had the decision gone for so-called "RAND" patents--licensed with "reasonable and non-discriminatory terms," but sometimes requiring royalty payments--the effect would have been to create a tollbooth on the Internet, owned by the largest corporations, collecting a fee for the right to implement open standards.
Open-source developers, who do not collect royalties--and thus cannot afford to pay them--would have been locked out entirely. Smaller companies that develop proprietary software would have been at a disadvantage, compared with the largest corporations, which cross-license their patent portfolios to each other and thus would not be burdened by royalty payments."
Comments (none posted)
ZDNet
looks at reasons for the slow adoption of the Apache 2 web server.
"Unfortunately, the changes in 2.0 necessary to implement the performance improvements were significant, and they break all of Apache's old module code. It all needs to be rewritten and--amazingly--six months after the release of 2.0, much of the job remains undone."
Comments (14 posted)
News.com
covers the
most recent worm to threaten Linux users. "The newest variant,
dubbed "Mighty," exploits the same Linux Web server flaw that other
versions of the Slapper worm have used to slice through the security on
vulnerable servers. Russian antivirus company Kaspersky Labs said in a
release Friday that more than 1,600 servers had been infected by this
latest variant as of Friday morning and are now controlled by the worm via
special channels on the Internet relay chat system." Kaspersky's
press release can be found
here.
Comments (none posted)
Companies
The Register
reports
that Microsoft will be sending Steve Ballmer to Australia, in an effort
to head off Telstra's switch to Linux.
"Whatever, the real Telstra deal's already gone anyway, and the best Microsoft
can now do is to the stop the backshop lockout it's already sustained from
turning into a whopping loss of 45,000 desktop software licences and a
massive PR triumph for whichever other company gets the gig instead.
Microsoft should surely be in with a shot at avoiding this, because junking
tens of thousands of Windows and Office installations and setting up an
alternative (e.g. Linux-StarOffice) remains a non-trivial exercise."
Comments (none posted)
IBM has a new service that lets customers rent access to IBM managed Linux
servers. News.com
covers the service and
its first major customer. "[Mobil Travel Guide] will use the service
to meet seasonal peak demands, IBM said. The Linux Virtual Services
offering from IBM lets customers pay for the computing capacity they use
instead of purchasing computing power to accommodate peak demands."
Comments (none posted)
According to the Register, a UK chain store known as Evesham
will be
selling inexpensive Linux-based PCs.
"Evesham is bundling the open source Lindows OS on a new bargain
basement PC knocked out at £249 inc.VAT.
Evesham's E-scape Li PC comes with Lindows preloaded, features a VIA C3
processor and the VIA Apollo PLE133
integrated chipset, 40Gb Hard disk, 256MB DRAM, CD drive, modem and mouse.
Monitors, speakers and other peripherals cost extra."
Comments (none posted)
eWeek
covers
Novell's new interest in Linux. "While Linux support has already
been built into some Novell products and solutions, the efforts have
largely been piecemeal. The goal now is to make all Novell products run on
Linux or be Linux-enabled."
Thanks to Peter Link
Comments (none posted)
ZDNet
covers SCO
Group's changing focus, away from desktop Linux. "The increased
focus on point of sale devices does not mean that SCO is totally giving up
on the desktop. Although the company no longer sells a desktop operating
system, it is continuing to develop its Volution Manager product, which
helps system administrators manage desktop versions of Linux, automatically
installing patches and so on, and plans to extend its reach to desktop
versions of Windows too."
Comments (none posted)
News.com
covers Jon
"maddog" Hall's new position with SGI. "At SGI, Jon "maddog" Hall
will continue his company-neutral role as executive director of Linux
International, said Paul McNamara, SGI vice president of products and
platforms. SGI is sponsoring Hall the way VA Linux Systems and Compaq
Computer have done in the past, McNamara said."
Comments (none posted)
ZDNet's Larry Seltzer thinks that
Sun may have a chance for success with its attempt to put Linux
on the desktop.
"Devaluing the desktop is central to Sun's strategy, and there's a lot to be said for this approach, which is why I think it might be well received. Even with Windows-based networks I've always thought it's a good administrative idea for an enterprise to centralize things and generally to make desktop systems as replaceable as possible."
Comments (none posted)
News.com
reports
that Sun will revive Solaris on Intel. "Sun is relying on the
community of Solaris-x86 users to help support the product. Lovell said the
company will release the programming tools it uses to build the "driver"
software that lets Solaris communicate with hardware such as network
cards. Creating and supporting those drivers is a big part of the expense
of supporting Solaris on a wide variety of servers, not just the limited
number of models Sun sells." If sales are good for this product it
could impact future development of Sun Linux.
Comments (none posted)
Business
This ZDNet
article takes a long look at how Linux is doing at "world domination".
"Linux continues to play a role in enterprise markets, but its growth
spurt of recent years appears to have slowed a little. In 2001, Linux
server environment shipments declined in revenue by five percent to $80
million, according to IDC, after two years of solid growth. That decline
does need to be seen in context, however."
Comments (2 posted)
Linux Journal
further
explores the process of getting a refund for unused copies of Windows.
"Common Misconception #1: "Microsoft is the problem.
The OEMs are not at fault.""
"There is nothing to win by going after Microsoft for resolution. The
End User License Agreement (EULA) already includes the provision for
a refund. At this point, it is the OEM's responsibility to make good
on this."
Comments (none posted)
According to TechWeb, ExxonMobil Travel Guide
will be using Linux for its online travel-planning and database system.
"ExxonMobil Travel Guide this week begins the process of migrating newly developed travel-planning and database applications for its Mobil Companion service to IBM, which will host and maintain them on a mainframe running Linux."
Comments (none posted)
ZDNet
delves into the
truth about deals between Lindows.com and AOL Time Warner. "On
Thursday, however, Lindows suggested that AOL might not have its facts
straight. "Our engineers have been to Dulles, Virginia, and have worked
with AOL," said Lindows' public relations director, Cheryl Schwarzman. "It
may be the case that the spokesperson was not informed of that
information." In response, AOL reiterated that it has "no formal
relationship" with Lindows.com."
Comments (1 posted)
Here's the
Register's
take on Lindows' "AOL PC". "In answer to its own bullet point,
"why 35 million AOL users should buy a LindowsOS computer", Lindows PR
bunnies suggest strongly that the OS is ready to connect at the click of a
mouse button:"
Comments (none posted)
U.S. News has
an article about the increasing spread of Linux.
"... Linux may be picking up interest from end users. Erica Simon, a San Francisco State University psychology major "fed up with Windows crashing and doing weird things," switched to Red Hat Linux on a Dell notebook computer. She needed help from her programmer fiancé but says the learning curve "was not really that hard, and the benefits far outweigh any pain.""
Thanks to Dan Kegel.
Comments (none posted)
Legal
The Register
takes a look
at a new bill announced by Congressman Rick Boucher. "Boucher's bill
will specify that share denial CDs are labeled clearly, and like Lofgren's
attempt to supersede the draconian provisions of the DMCA. "Boucher would
essentially reverse the outcome, and fix the problems that gave us the 2600
case, the Felten case and the Sklyarov prosecution," the EFF's Senior
Intellectual Property Attorney Fred von Lohmann told us today."
Comments (1 posted)
News.com
examines new
legislation designed to defeat the DMCA. "Boucher, the most
outspoken opponent of the DMCA on Capitol Hill, has spent more than a year
rallying support for this measure. After Dmitry Sklyarov, a Russian
programmer visiting the United States, was arrested in Aug. 2001 on charges
of violating the DMCA, Boucher called the prosecution "a broad
overreach.""
Comments (none posted)
Here's an
article from
News.com examining the status of copyright laws in the United States.
"In their legal briefs, Lessig and the other law professors correctly
stress the importance of paying attention to both of these two vital parts
of the U.S. Constitution: The copyright clause, which gives Congress the
power to create copyright laws for a limited time, and the First Amendment,
which prohibits Congress from curtailing speech or expression."
Comments (3 posted)
For anybody who has had trouble wading through a legal document: the "Law
School in a Nutshell" series on the LawMeme site is worth a read.
"To understand why legalese is so incomprehensible, think about it as
the programming language Legal. It may have been clean and simple once, but
that was before it suffered from a thousand years of feature creep and
cut-and-paste coding." The
first
and
second
parts are available now.
Comments (none posted)
Interviews
The BBC News
interviews Linus
Torvalds. "Part of doing Linux was that I had to communicate a
lot more instead of just being a geek in front of a computer. It has made
me more used to talking to people. I still like coding but I have other
things to do."
A companion article,
Linux
Lowdown, provides a brief introduction to Linux.
Thanks to Paul Sladen
Comments (none posted)
IBM developerWorks
interviews
David Mosberger about Intel's new 64-bit chip. "David Mosberger has
been a 64-bit Linux guy since day one. While pursuing a graduate degree at
the University of Arizona in the early '90s, Mosberger led the Linux port
to the Alpha processor and soon found that his Linux hobby was taking up as
much time as his graduate work."
Comments (none posted)
The Register
has interviewed Monte Davidoff, one of the authors of the original
Microsoft BASIC interpreter.
""I'm really excited about Linux," he says. "Having used Unix all these years and put out professional Unix products, they've done a really good job." His other passion, he tells us, is Python."
Comments (1 posted)
The Australian Financial Review
talks to Andrew
Tridgell about Samba and other programs. "One of his programs,
rsync, was based on his PhD, and looks like it might become a standard part
of web browsers. It reduces, by up to 90 per cent, the amount of data that
has to travel over a network when someone requests a web page."
Thanks to Con Zymaris
Comments (none posted)
Resources
The October 3, 2002 edition of the LinuxDevices Embedded
Linux Newsletter is out with the latest Embedded Linux news.
Full Story (comments: none)
On2 Technologies and the Xiph.org foundation have announced
the first alpha release of Theora, a combination of VP3, Vorbis Audio,
and the Ogg media framework.
"
"This preliminary code release represents the first time developers will
have access to a completely license- and royalty-free system that includes
world-class video and audio codecs in an integrated, streaming-friendly
format, with all the source code and intellectual property open, customizable,
and available for immediate, anonymous download," said Dan Miller, CTO and
Founder of On2 Technologies."
Full Story (comments: none)
Linux Journal looks at some of the security tools available in different
Linux distributions.
Part 1 looks
at various HIDS and NIDS that come with Red Hat distributions.
Part 2 is an
overview of various tools included in SuSE distributions for hardening,
monitoring and securing your system.
Comments (none posted)
Reviews
PCLinuxOnline
introduces some WYSIWYG (What-You-See-Is-What-You-Get) Web page
editors. "Amaya is an especially interesting project. It was created
by the W3C specifically to be 100% standards-compliant (like Mozilla). If
you didn't like the interface before, you should know that it was recently
ported to GTK+."
Comments (none posted)
Linux Orbit
reviews
the Phoenix 0.2 Web Browser. "Depending on what you are looking for
in a web browser, Phoenix may be just the ticket. Though still in heavy
development, it's fast, snappy, surpassingly stable, somewhat configurable
and very useable. If it's not what you are looking for now, check back from
time to time as new features seem to be added on an almost daily
basis."
Comments (2 posted)
Miscellaneous
Builder.com
investigates the world of open-source content management systems.
"We asked two experts, EuroZope Foundation founder Paul Everitt and CMS guru Gregor Rothfuss, to explain this open source CMS movement's goals and motivations. The open source advocates compare the status of current CMS options, which run the gamut from simple flat-file data storage to robust database solutions, to that of Linux as it flirted with corporate acceptance a few years ago."
Comments (1 posted)
TechWeb
looks at how
Linux blade servers will create a flexible architecture for Nigeria's
first civilian-run election since military rule ended. "BioLink will
deploy 456 800i single-processor Linux blade servers from RLX Technologies
Inc. to voter-registration sites in Nigeria's 37 states. The blades will
process data from scanned voter-registration cards, which will include
voters' thumbprints. BioLink's software will run on the blades, checking
for fraud or duplication."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Upcoming Events
A CFP has been issued for the 3rd annual workshop on Linux clusters for
supercomputing, to be held in Sweden on October 24 and 25, 2002.
Full Story (comments: none)
A Call For Papers has been issued for the Australian
educationaLinux 2003 conference, to be held in Perth, Australia
on January 20, 2003.
Full Story (comments: none)
| Date | Event | Location |
| October 10, 2002 | Linux EXPO-UK 2002 | Olympia 2, London, England |
| October 11 - 13, 2002 | V Congreso Hispalinux | San Sebastian-Donostia, Spain |
| October 14 - 16, 2002 | The Singapore Linux Conference 2002 | Le Meridien Singapore, Singapore |
| October 14 - 15, 2002 | The Open Group Conference | Hotel Martinez Palace, Cannes, France |
| October 16 - 18, 2002 | Open Source: A Case for e-Government | Marvin Center, George Washington University, Washington, D.C. |
| October 17 - 18, 2002 | Open Source for E-Government | Washington, DC |
| October 24 - 25, 2002 | PHPCon 2002 | The Clarion Hotel SFO, Millbrae, California |
| October 28 - 31, 2002 | International Lisp Conference 2002 - The Art of Lisp | San Francisco, CA |
| October 30 - 31, 2002 | Think-Linux, The Solutions Show | The Pinnacle, Toledo, OH |
| November 1 - 3, 2002 | 2nd Annual Ruby Conference (RubyConf 2002) | Washington State Trade and Convention Center, Seattle, Washington |
| November 2, 2002 | Southern CaliforniA Linux Expo 2002 (SCALE) | Davidson Conference Center, University of Southern California, Los Angeles, CA |
| November 3 - 6, 2002 | International PHP 2002 conference | Frankfurt, Germany |
| November 3 - 8, 2002 | 16th System Administration Conference (LISA '02) | Philadelphia, PA |
| November 14 - 15, 2002 | The Open Source Health Care Alliance (OSHCA) | UCLA Medical Center, Los Angeles, CA |
| November 18 - 21, 2002 | Embedded Systems Conference, Boston | Hynes Convention Center, Boston, Mass |
| December 3 - 5, 2002 | Linux Bangalore/2002 | J.N. Tata Auditorium, Bangalore, India |
Comments (none posted)
Web sites
Use Perl
comments on the state of the Perl Journal.
"Rochlin writes "Looks like The Perl Journal might not make it up for air
after all. This blurb is on their website. 'Time is running short and we
need your help if The Perl Journal is to get another chance at being the real
deal."
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Ulrich Kunitz <ulrich.kunitz@freenet.de> |
| To: | letters@lwn.net |
| Subject: | BitKeeper License |
| Date: | Mon, 7 Oct 2002 03:50:04 +0200 (CEST) |
| Cc: | lwn@lwn.net |
Hello,
lwn.net had a letters to the editor section for a long time.
Nowadays it seems to be gone, but the discussion around the
BitKeeper license is worth my first letter to the editor.
I tried today, 6 October 2002, to download the BitKeeper software
from the BitKeeper website. The download page contains a link to
the license, so I read
http://www.bitkeeper.com/Sales.Licensing.Free.html
The headline says "Free Use License" but right below it is called
BitKeeper License version 1.37 02/18/02. The definition section
clarifies: It is the BitKeeper license. But I couldn't find the
clause, which triggered all the discussion on the Linux kernel
mailing list.
Using the download link I had to fill in an "Are you a sales
opportunity?" mask. The email response had a quite simple user
name and password. Annoying, next step: Calling the URL from the
E-Mail and entering the simple user name and password. There BKL
1.37 is printed again, this time without the "Free Use License"
header. I still couldn't find the now infamous clause. I
downloaded the 2.1.6-pre5 binary for Linux and glibc-2.2.
The binary creates a directory full of other binaries, including
GNU diffutils and GNU patch. The GNU source code is available
under ftp.bitmover.com. There is no file with license in its name.
I found the license with grep in the bkhelp.txt file. This is a
verbatim copy from the file:
bk bkl(1) BitKeeper User's Manual bk bkl(1)
NAME
bk bkl - BitKeeper License version 1.37, 02/18/02
LICENSE
BitKeeper License version 1.38, 03/28/02
The name says 1.37 and the license says it is 1.38. I assume
that's indeed 1.38, because the discussion-triggering clause is
there. A simpler way to display it is
$ bk help bkl
Tell me now under which terms I've licensed BitKeeper, 1.37 or
1.38? I don't know, I'm not a lawyer. But at least I've now an
explanation why it took six months until the posting on the Linux
kernel mailing list. Anyway, for a company selling configuration management
tools, this is quite a mess.
I repeat here the discussed clause from the BitKeeper license
version 1.38 from 03/28/02 from section 3 LICENSE OBLIGATIONS:
(d) Notwithstanding any other terms in this License, this
License is not available to You if You and/or your
employer develop, produce, sell, and/or resell a
product which contains substantially similar capabil-
ities of the BitKeeper Software, or, in the reason-
able opinion of BitMover, competes with the BitKeeper
Software.
This is quite straight, this license takes away freedom from you.
For an open-source developer that means you can't use BitKeeper
free of charge if you want to build a "technically" better source
repository tool. According to the language you wouldn't even be
able to improve GNU diffutils and patch, if you use BitKeeper.
Both packages contain, of course, substantially similar
capabilities.
Larry McVoy isn't better than Disney. He built upon work of others
(diffutils and patch), but doesn't allow others to build upon his
own work. Linus gave Larry the incredible marketing position of
managing the Linux kernel sources with his proprietary tool. Larry
paid a price by providing BK free of charge and the T1 file for
the open logging server, which is his tool to enforce the
license. I don't understand why the Linux kernel developers didn't
require Larry to negotiate any license change with them. Obviously
the GNU Public License doesn't protect you from political
blindness.
There is no problem using non-open-source tools to develop open
source or free software---it happens all the time: think about Java
open source tools. Even Microsoft doesn't prevent the Mono
developers from using the C# SDK, free of charge, to develop a
competing open-source implementation.
I don't have the power to stop kernel developers from using a tool
that limits the freedom of developers. But I've removed BitKeeper
from my computer and I will stay with CVS until a better tool with
a GPL or BSD style license becomes available.
I've had a look at the alternatives: Arch looks very promising and
Subversion has a far too complicated architecture.
The simplest thing about the whole story is the
prediction about the future. I can't remember exactly, because
nowadays it seems to be in a galaxy far, far away: Linus said
once, that if Motif doesn't become open source, it will be
history. Exchange Motif with BitKeeper and you will have a clear
view on the events to come.
Uli Kunitz
--
Ulrich Kunitz (ulrich.kunitz@freenet.de)
Comments (3 posted)
| From: | Dylan Thurston <dpt@math.harvard.edu> |
| To: | letters@lwn.net |
| Subject: | BitKeeper license |
| Date: | Mon, 7 Oct 2002 19:46:06 -0400 |
Dear LWN Editors,
I trust you are aware of the recent discussion around the BitKeeper
license on the kernel mailing list[1]. (Also see the thread[2] on
debian-devel.) Tom Gall noticed that the gratis BitKeeper license has
the following clause in Section 3:
(d) Notwithstanding any other terms in this License, this
License is not available to You if You and/or your
employer develop, produce, sell, and/or resell a
product which contains substantially similar capabil-
ities of the BitKeeper Software, or, in the reason-
able opinion of BitMover, competes with the BitKeeper
Software.
Larry McVoy has specifically stated[3] that Ben Collins (a developer
of Subversion, a replacement for CVS, and also a part-time kernel
developer) has no gratis license for BitKeeper as a result of this
clause. Elsewhere in the thread, he asserted[4] that if certain
(planned[5]) features were added to the kernel, the gratis license
would terminate (and, therefore, all kernel developers using BK would
have to scramble to find alternatives). In light of these
developments, I hope that you will reconsider your position from 1999:
In a front page article, you suggested[6] that the restrictions in the
BK license were not very severe:
The interesting thing is that, on a list for kernel hackers who
intend to use the system, nobody really cares all that much. Even
members of the OSI board have posted there, saying that the
license is a good one, and that the lack of the "Open Source"
designation should not be a problem. BitKeeper is free enough for
that crowd, and they tend to be pretty fussy on these things.
The license has changed since you wrote this; in particular, the
clause above was apparently added about 6 months ago. However, there
is another clause in the BK license requiring you to use the latest
version of the license. Here we see that BitKeeper is, in fact, quite
far from open source or free software: The non-free terms of the
license are being used to exert leverage, in exactly the same way that
(say) Microsoft exerts pressure on OEMs.
Larry McVoy and the BitMover corporation are, of course, free to
license BitKeeper however they want. But I would urge free software
developers to think carefully before relying on the tools of a vendor
that is so willing to change their license terms to satisfy personal
aims.
Sincerely yours,
Dylan Thurston
[1] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0210.0/1496.html
[2] http://lists.debian.org/debian-devel/2002/debian-devel-200210/msg00245.html
(Oddly, the original message from Branden Robinson seems to be
missing from the archive.)
[3] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0210.0/1725.html
[4] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0210.0/2096.html
[5] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0210.0/2133.html
[6] http://old.lwn.net/1999/features/BitKeeper.php3
(Please feel free to include this on the Letters to the Editor page.)
From: "J. Lasser" <jon@lasser.org>
To: zdnet@larryseltzer.com
Subject: Apache 2.0 and Red Hat
Date: Thu, 3 Oct 2002 19:08:24 -0400
Cc: techupdates@cnet.com, letters@lwn.net
I know there's a lag between writing an article and its publication, but
Apache 2.0 _is_ the default Web server for Red Hat.
In version 8.0, released this past week. (You can see that at
http://www.redhat.com/software/linux/technical/packages.html) That
information was long available via the public beta releases.
Your article also mischaracterizes the Apache development process:
although the current version is 2.0.43, the first 'production' version
in the 2.0 series was 2.0.35. Everything prior to that was a beta, as is
documented at http://www.apacheweek.com/features/ap2
I suspect that the API has been quite stable since 2.0.35 was released
in April of this year, though I'll admit to not having verified this.
To characterize the Apache release process as having 30 incremental
releases is to misunderstand the open-source development process as it
applies to Apache. Surely you wouldn't claim that the Linux 2.4.2 kernel
was the 63rd incremental release of the system? (There were 51 patches
in the Linux 2.3.x development series, plus 9 patches at the 2.3.99
level.)
As far as the performance of Apache goes, it's true that Apache
1.3's primary concern was stability, not performance. But, as a
consultant and system administrator, I've found few instances where
the performance of the Web server was the bottleneck. (More often,
it's poorly-architected dynamic content that can be accelerated via
a code rewrite or mod_perl.)
None of the production environments I work in have upgraded to Apache
2.0. Why not? Because what isn't broken, and what isn't a performance
bottleneck, doesn't get replaced. This is not, as the article suggests,
a failing of Apache 2.0 but a mark of Apache 1.3's success.
I look forward to using Apache 2.0, either when it comes preinstalled
on a system I am using, or when I develop a site that needs its power.
Until then, as both a Web developer and a Unix systems administrator,
I'm satisfied with Apache 1.3.
Jon Lasser
--
Jon Lasser
Home: jon@lasser.org | Work: jon@cluestickconsulting.com
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
From: Tres Melton <class5@pacbell.net>
To: letters@lwn.net
Subject: Consumer's Rights
Date: Thu, 03 Oct 2002 03:51:04 -0700
I wanted to thank Congresswoman Zoe Lofgren for her attempt to balance
the interests of copyright holders and consumers. To that effect I have
written her the following letter and I am seeking some feedback from the
readers of LWN as to their thoughts on the issue.
-----------------------------------------------------------------------
Congresswoman Lofgren,
I want to thank you for addressing the issue of Consumer's Rights. I
live in Sacramento so I cannot actually vote for you but if I could you
would have my vote for sure. I believe that the Internet -- including
the content that is transmitted by it -- has as large a potential to
transform the world as any invention since Johannes Gutenberg's printing
press. I'm not talking about transmitting a copy of a song to a million
of my closest friends but about transmitting a copy of a song from my
home file server to my home entertainment system or my office PC for my
personal enjoyment. I'm talking about information not falling into the
void because the applications that are needed to access it have become
obsolete. I'm talking about politicians being able to publish something
that can be easily accessed by those intended -- all of us (most
importantly their constituents). The ability to obtain tools that can
transform information from one format to another so that everyone (who
is legally authorized) can listen, view, or read it.
I will be writing my representatives to encourage them to support this
legislation. Again I would like to thank you for your courage in
introducing this legislation in the face of opposition from
organizations such as the MPAA and the RIAA.
I would like to put the seed of another thought into your head if at
all possible: the distinction between the cost of the media and the
cost of the Intellectual Property that it contains. Perhaps this seed
could flourish and grow into a future piece of legislation. I, like
many millions of other Americans, own both a VCR and a DVD player. I
have purchased a number of movies on VHS tapes and some of them I have
also purchased on DVDs. I have paid for both the tape of a movie and a
DVD of the same movie. I can understand paying twice for the media
since I have both a tape and a DVD but I have been forced to purchase
the same Intellectual Property twice! That doesn't seem right to me.
The same thing happened when I replaced many of my old phonograph
records with CDs: I had to repurchase the Intellectual Property that I
had already purchased once before. This is going to be happening again
soon as a new medium for home audio recordings will be coming out:
DVD audio. My right of 'first sale' would enable me to sell the older
works at a second hand store and recoup some of the expense but, as the
old formats are being phased out, demand for them is light and therefore
my return will be small.
A final thought for you in your pursuit for consumer rights might be
the right not to have equipment become obsolete after a very short
time. I bring this to your attention as it relates to the 'broadcast
flag' that the content creators wish to incorporate into digital TVs and
the audio/video content that they will be presenting. If this becomes
law then EVERY television sold on store shelves at the moment would
instantly become obsolete. Even the brand new high definition digital
ones that cost thousands of dollars. If you (as in Congress) wish to
move Americans to a digital TV format you should assure them that their
investment in the technology will last more than a few years. Budget
forecasts call for the auctioning off of the analog TV electromagnetic
spectrum; if this doesn't happen in a timely fashion then the money from
the auctions will not become available to help balance the budget. But
why should I (and other Americans) go out and spend money on new
equipment when the standard has not even been finalized yet? The short
answer is I won't and I don't believe a majority of others will either.
This has created a 'chicken and egg' scenario with the complication of
continuously modifying the chicken's genetic sequence. Which egg will
hatch into the correct chicken?
Thank you for your time in reading this and your efforts on behalf of
consumers.
Sincerely yours,
Tres ******
Registered and Active Voter
Sacramento, CA
P.S. I have included the text of this email in my correspondence with my
Senators and Representative.
-----------------------------------------------------------------------
Regards,
Tres
Page editor: Jonathan Corbet