Users of the Fedora Core distribution (or any other distribution, for that
matter) are well advised to understand its security update policies.
Fedora does not backport security fixes into the version of the affected
program which was originally shipped with the distribution; instead, the
application is simply updated to the current version. Security updates are
made for approximately one year, after which the Fedora project moves on to
supporting its newer versions. Sometimes the support period is shorter;
Fedora Core 2, which was released
May 18, 2004, is currently scheduled
to become unsupported on March 21.
It is worth noting that, for as long as it lasts, the Fedora Project's
security support is excellent. Updates are released quickly, and are
easily tracked using yum, up2date, or apt.
When Fedora stops supporting a release, it "transfers" that release to the
Fedora Legacy project. Fedora
Legacy is not part of Fedora itself; it is, instead, a separate,
community-based effort dedicated to making security updates available to
older Fedora Core and Red Hat Linux releases. The project's policy, as
stated in the FAQ, is
to support old Fedora Core releases for two release cycles after the
When Fedora Legacy is working well, it is a highly useful service. With a
simple tweak to a yum configuration file, it is possible to keep
an older system current with almost no effort.
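The yum tweak mentioned above, as an added example (not code from this article or from the Fedora Legacy project): a repository stanza in the style yum used at the time, together with a small audit that flags repository sections which would install packages without GPG signature checking, which is the part of the tweak that actually matters for security. The repository id legacy-updates, the baseurl under download.fedoralegacy.org, the location of the file and the sample configuration are assumptions constructed for the example; take the real mirror path and signing key from the project's own documentation, and import that key before turning gpgcheck on, or the first update will simply fail.

```shell
#!/bin/sh
# Added example, not from the LWN article or the Fedora Legacy project.
# legacy_stanza prints a repository section of the kind one would append
# to the yum configuration (at the time /etc/yum.conf; an assumption);
# audit_gpgcheck reads a yum configuration on stdin and prints every
# repository section that would not verify package signatures.

legacy_stanza() {
    cat <<'EOF'
[legacy-updates]
name=Fedora Legacy updates for Fedora Core $releasever
baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates/$basearch
gpgcheck=1
EOF
}

# Rules applied: an explicit gpgcheck=1 in a section passes; an explicit
# gpgcheck=0 fails; a section with no gpgcheck line inherits the value from
# [main], which is assumed to come first as it does in a real yum.conf.
# Prints the failing section names, one per line; exit status 1 if any.
audit_gpgcheck() {
    awk '
        function flush() {
            if (sec == "") return
            if (sec == "main") { main_default = (seen ? val : 0); return }
            if (!(seen ? val : main_default)) { print sec; bad = 1 }
        }
        /^[ \t]*\[/ {
            flush()
            line = $0; sub(/^[ \t]*\[/, "", line); sub(/\].*$/, "", line)
            sec = line; seen = 0; val = 0; next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            seen = 1
            v = $0; sub(/^[ \t]*gpgcheck[ \t]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            val = (v == "1")
        }
        END { flush(); exit bad }
    '
}

# A constructed configuration for demonstration: [main] turns checking off
# by default, "base" opts back in, "legacy-updates" forgets to, and
# "extras-mirror" disables it explicitly.
sample_conf() {
    cat <<'EOF'
[main]
cachedir=/var/cache/yum
gpgcheck=0

[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=http://mirror.example.org/fedora/core/$releasever/$basearch/os
gpgcheck=1

[legacy-updates]
name=Fedora Legacy updates for Fedora Core $releasever
baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates/$basearch

[extras-mirror]
name=Unsigned mirror (constructed bad example)
baseurl=http://mirror.example.org/unsigned
gpgcheck=0
EOF
}

# Stand-alone run: lists legacy-updates and extras-mirror as unverified.
sample_conf | audit_gpgcheck || echo "the sections above do not enforce GPG checks"
```

To audit a live system, feed the real configuration instead of the sample: audit_gpgcheck < /etc/yum.conf. A repository that passes the audit is only as trustworthy as the key that was imported for it, so verify the key's fingerprint against an out-of-band source rather than the mirror itself.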
Unfortunately, the last update to Fedora Core 1 came out on
December 3, 2004. Any Fedora Core 1 systems which rely upon
Fedora Legacy for updates are currently vulnerable to holes in the kernel,
xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a
complete stop for over a month. We attempted to ask (via the posted
contact address) what was going on, but got no response.
A look at the project's mailing list shows that there are still signs of
life. There is an open
issues document which is still being maintained; it shows a substantial
number of packages needing updates, along with their bugzilla URLs. There
was also one message about the stoppage and
whether support for Fedora Core 1 had been dropped:
No, but a combination of lack of manpower, downtime on the build
server and the fact that we are releasing Red Hat 7.3, Red Hat 9
and Fedora Core 1 packages together means that the project is
grinding to a halt. As soon as the build server comes back I will
try and clear a lot of the backlog.
Keeping a distribution current with security patches is hard, tedious, and
often thankless work; it is the sort of work that people tend to demand to
be paid to do. Projects like Debian and Gentoo demonstrate, however, that
this job can be done, and done well, on a volunteer basis. But it would
appear that the requisite effort is not there for the Fedora Legacy
project. Without the needed resources - developer time, systems to build
packages on, and testing - a project like Fedora Legacy will fail. People
who care about the security of older Fedora Core distributions - and the
long-term value of Fedora releases in general - might want to think about
what they can do to help the Fedora Legacy project get its process
Comments (7 posted)
While Linux has made great strides in terms of application availability in
recent years, one area where Linux is still quite weak is accounting
software. More than a few open source diehards still turn to Quicken,
QuickBooks and/or TurboTax when it comes time to do the counting up.
When the GPL'ed version of Quasar
Accounting was announced
last week by Linux Canada, Inc., we decided it was time to take a look to
see if Quasar could give Linux users the features they need to do their
accounting solely on Linux. We also interviewed Linux Canada's Phil
Tonnellier about the application, and the decision to release parts of the
application under the GPL.
The GPL'ed components of Quasar include its client and server accounting
software. The point-of-sale components are not available under the GPL and
require a commercial license. Still, the accounting software components provide
all the features necessary for users who need to use Quasar for small
Tonnellier said that the company chose to release Quasar under the GPL for
several reasons. First, he said that the company "wanted to give
something back" since the company had been using Linux for retail
systems since 1995. He also said that there is a bit of pride in the
product as well:
We believe in our product. We believe in the quality of the source code,
and we believe that FOSS is the future of software. We feel that Quasar in
GPL can be the leading FOSS accounting system for the world. There is a
desire to get more eyes on the code and more testers to make Quasar a
In addition, Tonnellier said that making the source code available was part
of trying to build a strong reseller network for Quasar. As for keeping
part of the code closed, Tonnellier said that the company's revenues have
been primarily derived from sales to retail businesses, and that
"most retailers requiring point-of-sale can easily afford the Quasar
license fees, and indeed they may feel better knowing we have an income
stream and will remain strong for them in the future."
Quasar requires a database backend, either PostgreSQL, Firebird or
Sybase. Since MySQL is also extremely popular with the open source
community, we asked Tonnellier why Quasar didn't support MySQL as
well. According to Tonnellier, they didn't feel MySQL was quite ready in
2000 when Quasar development started:
We felt that MySQL did not meet all of our requirements for handling
referential integrity and PostgreSQL actually failed some tests. Thus we
chose Firebird and Sybase to work with. Since then PostgreSQL and MySQL
have come a long way in features and reliability. But to be honest, we have
been so busy working on features that we did not revisit the use of
PostgreSQL and MySQL. With the release to open source, we did take another
look at PostgreSQL and created the interface. One day we want to do the
same for MySQL, but just have not had the time.
Since Quasar has long been a closed-source application, we asked what kind
of preparation Linux Canada had to do in order to release the code under
the GPL. Tonnellier said that it was more complicated than just throwing
the source out into the wild:
There is a tremendous amount of work to prepare for open source. Especially
when you consider that the work has to be done in addition to running your
regular business to maintain a revenue stream. We needed to make sure that
the code is presentable and easy to build. We needed to remove any third
party dependencies. We needed to figure out a way to earn a living after
open source. We needed to define all of our new support packages. We needed
to prepare the web site and all of the manuals. We needed to set up proper
mailing lists and support forums. We needed to ensure our Internet server
could handle the traffic and was properly configured.
How does Quasar compare with QuickBooks? Tonnellier noted that Quasar is
missing QuickBooks' payroll component, but that Quasar "has very
powerful inventory control, including auto ordering and merchandise cost
landing." A list of Quasar's features can be found on the Linux
This reporter downloaded the Quasar packages for SUSE Linux 9.2 and took
Quasar for a test drive. Linux Canada has provided source code and packages
for Fedora Core, Mandrake, Red Hat, Slackware, and SUSE. We tested Quasar
with the PostgreSQL backend, which was a bit tricky to set up initially,
but once we got it working it was smooth sailing.
For Linux users who want an accounting package for individual use, Quasar
is probably overkill. However, the package has plenty of features that make
it attractive to small businesses that have to manage invoices, inventory,
purchase orders, vendor payments and so forth.
The interface was fairly intuitive, even though this reporter is decidedly
not well-versed in accounting. Quasar also includes an extensive online
help system so that almost every window and dialog has an associated help
file that explains the current operation. We did run into the occasional
glitch, such as the Item Lookup dialog. When searching for a Department for
an item, clicking on "New" brings up a "Department Master" dialog that
refuses to accept user input until the Item Lookup window is
closed. However, we didn't find many glitches of this nature.
Overall, Quasar is a decent accounting application that seems to have most
of the features that a small business would need, excepting the payroll
functions that Tonnellier alluded to. This is, of course, a feature that
many businesses will still need to have, and will probably keep many
businesses from turning to Quasar.
Despite the rough edges, we'd recommend that users evaluate Quasar to see
if it would suit their needs. Since Quasar is now licensed under the GPL, the Linux community
can help Linux Canada add the features and polish it needs to be
competitive with proprietary accounting applications. Given the number of
users and organizations that would benefit from, and have been looking for,
an open source accounting software system, Quasar shouldn't have any
shortage of developers willing to take it to the next level.
Comments (5 posted)
The state of California has long been known for innovative public policies
and laws. Sometimes, the state can be truly visionary in its policies,
Senator Kevin Murray, from Los Angeles, has put forward a
proposed law which would attack the dreaded scourge of peer-to-peer
file sharing networks. In particular, the proposed law reads:
Any person or entity that sells, offers for sale, advertises,
distributes, disseminates, provides, or otherwise makes available
peer-to-peer file sharing software that enables its user to
electronically disseminate commercial recordings or audiovisual
works via the Internet or any other digital network, and who fails
to exercise reasonable care in preventing use of that software to
commit an unlawful act with respect to a commercial recording or
audiovisual work... is punishable, in addition to any other penalty or
fine imposed, by a fine not exceeding two thousand five hundred
dollars ($2,500), imprisonment in a county jail for a period not to
exceed one year, or by both that fine and imprisonment.
Of course, "peer-to-peer file sharing software" is a vague term, so
Sen. Murray makes it even more so:
As used in this section, "peer-to-peer file sharing software" means
software that once installed and launched, enables the user to
connect his or her computer to a network of other computers on
which the users of these computers have made available recording or
audiovisual works for electronic dissemination to other users who
are connected to the network.
It does not require a particularly expansive reading of that language to
conclude that, say, a Linux distribution with an FTP client or web browser
meets that definition. The law does not address what "reasonable care"
means, but, presumably, "no attempt whatsoever to prevent the distribution
of proprietary materials" would not make the grade. The paranoid among us
might well see an attempt to outlaw free software here... except for the
little problem that this law would be equally applicable
to any general-purpose, proprietary operating system.
This bill will most probably encounter a rough road, and, with luck, will
not be passed. It is, however, another result of a view which is being
encouraged by the entertainment industry (and others): software is an inherently
dangerous tool which must be heavily regulated. Manufacturers and
distributors of cooking knives, hand guns, gasoline, automobiles, etc. are
not required to design their products in such a way as to prevent the
commission of the obvious crimes which those products enable. But software
is a riskier item, and cannot be trusted.
The free software community values the freedom it has: if we have a
particular need, the only thing that stands between us and satisfying that
need is the requisite hacking time. Increasingly, however, we are hearing
that our code is illegal in some part of the world or other, regardless of
its intent or legitimate uses. This problem is only likely to get worse as
the Powers That Be try to get a handle on the strong, but relatively
uncontrolled free software world.
Comments (12 posted)
Page editor: Jonathan Corbet
Inside this week's LWN.net Weekly Edition
- Security: Vulnerabilities and alerts in 2004; New vulnerabilities in apache, kernel, imagemagick, mozilla, squid, vim, ...
- Kernel: The new way of ioctl(); The evolution of circular pipes; 2.6 API changes.
- Distributions: A Look at Xandros Desktop 3; Fedora Core 4 plans announced; Debian and Mozilla: a new proposal
- Development: PostgreSQL Version 8.0.0, new JACK apps, Samba 3 and 4 Integration, new versions of Sendmail, AOLserver, Zope, PythonCAD, Xfce, GNOME, KDE, BZFlag, Wine, MusE, HylaFAX, Bugzilla, AbiWord, Nvu, Bluefish.
- Press: The Prospect for 2005, HP to rejuvenate OpenVMS, Chilean schools welcome Linux,
George Staikos interview, Free Software Magazine launches, Linux MIDI part 4,
- Announcements: New flight simulator, CELF officially non-profit, Ubuntu website contest,
database survey, Open Source Software Workshop in Syria,
Southern California Linux Expo.
- Letters: Leon Brooks sets the journalists straight.