LWN.net Weekly Edition for January 20, 2005 [LWN.net]

Whither Fedora Legacy?

Users of the Fedora Core distribution (or any other distribution, for that matter) are well advised to understand its security update policies. Fedora does not backport security fixes into the version of the affected program which was originally shipped with the distribution; instead, the application is simply updated to the current version. Security updates are made for approximately one year, after which the Fedora project moves on to supporting its newer versions. Sometimes the support period is shorter; Fedora Core 2, which was released on May 18, 2004, is currently scheduled to become unsupported on March 21.

It is worth noting that, for as long as it lasts, the Fedora Project's security support is excellent. Updates are released quickly, and are easily tracked using yum, up2date, or apt.

When Fedora stops supporting a release, it "transfers" that release to the Fedora Legacy project. Fedora Legacy is not part of Fedora itself; it is, instead, a separate, community-based effort dedicated to making security updates available to older Fedora Core and Red Hat Linux releases. The project's policy, as stated in the FAQ, is to support old Fedora Core releases for two release cycles after the transfer.

When Fedora Legacy is working well, it is a highly useful service. With a simple tweak to a yum configuration file, it is possible to keep an older system current with almost no effort.

Unfortunately, the last update to Fedora Core 1 came out on December 3, 2004. Any Fedora Core 1 systems which rely upon Fedora Legacy for updates are currently vulnerable to holes in the kernel, xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a complete stop for over a month. We attempted to ask (via the posted contact address) what was going on, but got no response.

A look at the project's mailing list shows that there are still signs of life. There is an open issues document which is still being maintained; it shows a substantial number of packages needing updates, along with their bugzilla URLs. There was also one message about the stoppage and whether support for Fedora Core 1 had been dropped:

No, but a combination of lack of manpower, downtime on the build server and the fact that we are releasing Red Hat 7.3, Red Hat 9 and Fedora Core 1 packages together means that the project is grinding to a halt. As soon as the build server comes back I will try and clear a lot of the backlog.

Keeping a distribution current with security patches is hard, tedious, and often thankless work. It's the sort of work that people tend to demand to be paid to do. Projects like Debian and Gentoo demonstrate that this job can be done, and done well, on a volunteer basis, however. But it would appear that the requisite effort is not there for the Fedora Legacy project. Without the needed resources - developer time, systems to build packages on, and testing - a project like Fedora Legacy will fail. People who care about the security of older Fedora Core distributions - and the long-term value of Fedora releases in general - might want to think about what they can do to help the Fedora Legacy project get its process restarted.

Comments (7 posted)

A look at Quasar Accounting

January 19, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

While Linux has made great strides in terms of application availability in recent years, one area where Linux is still quite weak is accounting software. More than a few open source diehards still turn to Quicken, QuickBooks and/or TurboTax when it comes time to do the counting up.

When the GPL'ed version of Quasar Accounting was announced last week by Linux Canada, Inc., we decided it was time to take a look to see if Quasar could give Linux users the features they need to do their accounting solely on Linux. We also interviewed Linux Canada's Phil Tonnellier about the application, and the decision to release parts of the application under the GPL.

The GPL'ed components of Quasar include its client and server accounting software. The point-of-sale components are not available under the GPL and require a commercial license. Still, the accounting software components provide all the features necessary for users who need to use Quasar for small business accounting.

Tonnellier said that the company chose to release Quasar under the GPL for several reasons. First, he said that the company "wanted to give something back" since the company had been using Linux for retail systems since 1995. He also said that there is a bit of pride in the product as well:

We believe in our product. We believe in the quality of the source code, and we believe that FOSS is the future of software. We feel that Quasar in GPL can be the leading FOSS accounting system for the world. There is a desire to get more eyes on the code and more testers to make Quasar a better product.

In addition, Tonnellier said that making the source code available was part of trying to build a strong reseller network for Quasar. As for keeping part of the code closed, Tonnellier said that the company's revenues have been primarily derived from sales to retail businesses, and that "most retailers requiring point-of-sale can easily afford the Quasar license fees, and indeed they may feel better knowing we have an income stream and will remain strong for them in the future."

Quasar requires a database backend, either PostgreSQL, Firebird or Sybase. Since MySQL is also extremely popular with the open source community, we asked Tonnellier why Quasar didn't support MySQL as well. According to Tonnellier, they didn't feel MySQL was quite ready in 2000 when Quasar development started:

We felt that MySQL did not meet all of our requirements for handling referential integrity and PostgreSQL actually failed some tests. Thus we chose Firebird and Sybase to work with. Since then PostgreSQL and MySQL have come a long way in features and reliability. But to be honest, we have been so busy working on features that we did not revisit the use of PostgreSQL and MySQL. With the release to open source, we did take another look at PostgreSQL and created the interface. One day we want to do the same for MySQL, but just have not had the time.

Since Quasar has long been a closed-source application, we asked what kind of preparation Linux Canada had to do in order to release the code under the GPL. Tonnellier said that it was more complicated than just throwing the source out into the wild:

There is a tremendous amount of work to prepare for open source. Especially when you consider that the work has to be done in addition to running your regular business to maintain a revenue stream. We needed to make sure that the code is presentable and easy to build. We needed to remove any third party dependencies. We needed to figure out a way to earn a living after open source. We needed to define all of our new support packages. We needed to prepare the web site and all of the manuals. We needed to set up proper mailing lists and support forums. We needed to ensure our Internet server could handle the traffic and was properly configured.

How does Quasar compare with QuickBooks? Tonnellier noted that Quasar is missing QuickBooks' payroll component, but that Quasar "has very powerful inventory control, including auto ordering and merchandise cost landing." A list of Quasar's features can be found on the Linux Canada website.

This reporter downloaded the Quasar packages for SUSE Linux 9.2. and took Quasar for a test drive. Linux Canada has provided source code and packages for Fedora Core, Mandrake Red Hat, Slackware, and SUSE. We tested Quasar with the PostgreSQL backend, which was a bit tricky to set up initially, but once we got it working it was smooth sailing.

For Linux users who want an accounting package for individual use, Quasar is probably overkill. However, the package has plenty of features that make it attractive to small businesses that have to manage invoices, inventory, purchase orders, vendor payments and so forth.

The interface was fairly intuitive, even though this reporter is decidedly not well-versed in accounting. Quasar also includes an extensive online help system so that almost every window and dialog has an associated help file that explains the current operation. We did run into the occasional glitch, such as the Item Lookup dialog. When searching for a Department for an item, clicking on "New" brings up a "Department Master" dialog that refuses to accept user input until the Item Lookup window is closed. However, we didn't find many glitches of this nature.

Overall, Quasar is a decent accounting application that seems to have most of the features that a small business would need, excepting the payroll functions that Tonnellier alluded to. This is, of course, a feature that many businesses will still need to have, and will probably keep many businesses from turning to Quasar.

Despite the rough edges, we'd recommend that users evaluate Quasar to see if it would suit their needs. Since Quasar is now licensed under the GPL, the Linux community can help Linux Canada add the features and polish it needs to be competitive with proprietary accounting applications. Given the number of users and organizations that would benefit from, and have been looking for, an open source accounting software system, Quasar shouldn't have any shortage of developers willing to take it to the next level.

Comments (5 posted)

This week's Bad Law Proposal

The state of California has long been known for innovative public policies and laws. Sometimes, the state can be truly visionary in its policies, and, sometimes...

Senator Kevin Murray, from Los Angeles, has put forward a proposed law which would attack the dreaded scourge of peer-to-peer file sharing networks. In particular, the proposed law reads:

Any person or entity that sells, offers for sale, advertises, distributes, disseminates, provides, or otherwise makes available peer-to-peer file sharing software that enables its user to electronically disseminate commercial recordings or audiovisual works via the Internet or any other digital network, and who fails to exercise reasonable care in preventing use of that software to commit an unlawful act with respect to a commercial recording or audiovisual work... is punishable, in addition to any other penalty or fine imposed, by a fine not exceeding two thousand five hundred dollars ($2,500), imprisonment in a county jail for a period not to exceed one year, or by both that fine and imprisonment.

Of course, "peer-to-peer file sharing software" is a vague term, so Sen. Murray makes it even more so:

As used in this section, "peer-to-peer file sharing software" means software that once installed and launched, enables the user to connect his or her computer to a network of other computers on which the users of these computers have made available recording or audiovisual works for electronic dissemination to other users who are connected to the network.

It does not require a particularly expansive reading of that language to conclude that, say, a Linux distribution with an FTP client or web browser meets that definition. The law does not address what "reasonable care" means, but, presumably, "no attempt whatsoever to prevent the distribution of proprietary materials" would not make the grade. The paranoid among us might well see an attempt to outlaw free software here....except for the little problem that this law would be equally applicable to any general-purpose, proprietary operating system.

This bill will most probably encounter a rough road, and, with luck, will not be passed. It is, however, another result of a view which is being encouraged by the entertainment industry (and others): software is an inherently dangerous tool which must be heavily regulated. Manufacturers and distributors of cooking knives, hand guns, gasoline, automobiles, etc. are not required to design their products in such a way as to prevent the commission of the obvious crimes which those products enable. But software is a riskier item, and cannot be trusted.

The free software community values the freedom it has: if we have a particular need, the only thing that stands between us and satisfying that need is the requisite hacking time. Increasingly, however, we are hearing that our code is illegal in some part of the world or other, regardless of its intent or legitimate uses. This problem is only likely to get worse as the Powers That Be try to get a handle on the strong, but relatively uncontrolled free software world.

Comments (12 posted)

Page editor: Jonathan Corbet

Inside this week's LWN.net Weekly Edition

Security: Vulnerabilities and alerts in 2004; New vulnerabilities in apache, kernel, imagemagick, mozilla, squid, vim, ...
Kernel: The new way of ioctl(); The evolution of circular pipes; 2.6 API changes.
Distributions: A Look at Xandros Desktop 3; Fedora Core 4 plans announced; Debian and Mozilla: a new proposal
Development: PostgreSQL Version 8.0.0, new JACK apps, Samba 3 and 4 Integration, new versions of Sendmail, AOLserver, Zope, PythonCAD, Xfce, GNOME, KDE, BZFlag, Wine, MusE, HylaFAX, Bugzilla, AbiWord, Nvu, Bluefish.
Press: The Prospect for 2005, HP to rejuvenate OpenVMS, Chilean schools welcome Linux, George Staikos interview, Free Software Magazine launches, Linux MIDI part 4, zazzybob.com review.
Announcements: New flight simulator, CELF officially non-profit, Ubuntu website contest, database survey, Open Source Software Workshop in Syria, Southern California Linux Expo.
Letters: Leon Brooks sets the journalists straight.

Next page: Security>>