Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for February 3, 2005Interview: OSI's new president On January 31, the Open Source Initiative announced an expansion of its efforts and the appointment of Russ Nelson as its president. Mr. Nelson was kind enough to answer a few questions from LWN on the OSI and where he thinks it is headed. The questions, and his answers, can be found below. We thank Russ for taking the time to fill us in.LWN: So you're the new president of OSI. Why did you take on that role, and where do you anticipate taking the OSI in the near future?
To Infinity ... and Beyond!
No, wait, that's Bruce Perens' line [Bruce worked for Pixar and is in the Toy Story credits]. Never before in history have we had a time when one person of ordinary intelligence can write a program which becomes used by half the worldwide computer-using population. This creates so many problems between countries that I really feel they have to be addressed with a treaty. I think that the end goal is an international treaty concerning Open Source. Just to take one tiny portion of that issue: today somebody asked us for an "official Spanish version de license MIT". We can't do that. I mean, we could translate it (or more properly find a volunteer to translate it and publish it on opensource.org), but the problem is that almost certainly the author of the MIT-licensed software didn't give us permission to license his software under the Spanish-language MIT license. In many ways, the OSI appears to have fallen from view. Until this news hit, the most recent item listed on the front page was dated October, 2001. The OSI gets called upon to put its stamp on a license occasionally; what else does the OSI do now? Is it relevant to the free software development process, and how?
When were we ever relevant to the free software development process?
We've always been an education/advocacy group. If you're already
convinced that open source is a good thing, what more would we say to
you? Really, the only time somebody inside the open source community
needs to be concerned with us is when they talk to someone outside the
community. If that person needs to be whupped around a little, send
'em to us and we'll give 'em what for.
We continue to do what we've always done: talk to people about open source. Calm their fears, and renew their hopes. The press release states that OSI will set out on "the establishment of principles of Open Source development and best practices" and "the creation of a registry of software projects that adhere to those principles." What need is driving the creation of these principles and the associated registry?
I believe that there is such a thing as an "Open Source effect". That
effect requires more than just a license that complies with the Open
Source Definition (OSD). We need to be more clear about that, because
we sometimes have people who come along and want to create a license
which complies with the letter of the OSD but not the spirit. The
trouble is that the benefits come with the spirit. We need to do a
better job of codifying the spirit.
When you talk about "inclusion of international perspectives and initiatives related to Open Source," what do you mean?
Working towards the end goal (as above) and adding board members from
outside the US. We're starting to get some non-US, non-Europe (if you
look at the map of locations of Debian developers, there are a LOT of
them in Europe) countries that are signing on to open source in a BIG
way. Take Brazil for example. We need better representation in those
countries.
Why does the OSI need *two* legal counselors? What do they do?
Why does a computer need *two* power supplies? We felt that the job
had grown to the point that one sole-proprietor lawyer (Larry Rosen)
couldn't do the job anymore, and Larry's open source practice had
expanded. It's possible that one law-firm lawyer could have brought
in enough resources, but we wanted to share the work. In essence,
Mark is inward-facing and Laura is outward-facing. She has been on
the license-discuss mailing list for years now. She has also started
to help with legally-oriented correspondence. Mark will help us with,
among other things, registering the OSI-Certified mark, and with
overhauling our bylaws.
How will the new OSI board members be selected? In general, how is the OSI kept accountable to the community it hopes to represent?
We are still a small, self-selecting board. We expect to change that
in some way, but the details are still in the air. Having a larger
board will take us in that direction no matter what.
How do you expect OSI to work with other free software-oriented groups, such as OSDL and the FSF? Will there be more cooperation in the future?
CAGE MATCH!! BLOOD, GORE, AND DEATH! Er, um, sorry. We had a dinner
last summer with OSDL to talk about license proliferation issues. We
are on cordial relations with the FSF, AND EXPECT TO TAKE THEM OVER
SHORTLY! Sorry, I must apologize for all these capital letters. I
don't know where they're coming from. I'll be in Boston in a couple
of weeks for Linux World. I expect that I'll run into Bradley Kuhn
and HE'LL DIE we'll talk about further ways in which the OSI and FSF
could cooperate. I know of no reason why any animosities between us
cannot be overcome AND CRUSHED LIKE A BUG.
Is there anything else which you would like to communicate to LWN readers?
Is this the point at which I add various mealy-mouthed corporate
statements?
I think it's great to be President of the OSI at this point in time. We've had a strong president in Eric Raymond who took us from nothing to a highly respected member of the open source community. As corporations and governments come to be part of the community, we have to double and redouble our educational and advocacy efforts. We need to make sure that corporations know how to work with individual developers, and that governments know how to set the rules so everybody can work together. And we have to squash software patents, but that's a different interview.
GNOME and KDE priorities With the KDE 3.4 and GNOME 2.10 releases on the horizon, we decided to take a look at both projects to see where both desktop teams were focusing their efforts. To get a feel for the priorities of each team, this reporter "test drove" the KDE 3.4 beta 1 using the SUSE 9.2 packages and GNOME 2.9.4 with Ubuntu's Live CD. We also spoke to KDE core developer Zack Rusin about the 3.4 release and GNOME release team member Luis Villa about GNOME's 2.10 release.
Both KDE 3.4 and GNOME 2.10 are incremental releases. That is to say,
neither desktop is undergoing dramatic changes in the upcoming release and
casual users may not notice many changes. Instead, there are a number of
Both projects are concentrating on backward compatibility. KDE's Rusin said that the 3.x series is basically in "maintenance" mode, with the KDE team trying to add features that users want, without major changes that would compromise compatibility with older releases. He noted that one of the goals for the 3.4 release is to maintain binary compatibility with the earlier 3.x releases. GNOME's Villa said that the GTK core toolkit has a strict ABI/API compatibility policy. "If you build against GTK 2.0, you should be able to run against GTK 2.6 with no problems." He also said that other core GNOME libraries provide the same guarantee, "that's why we have Firefox and Eclipse building against us."
According to Villa, the 2.10 release will see more bugfixes than
usual. He said that, depending on how you track bugs, the 2.10 release
Another focus for the GNOME team in 2.10 is implementation of freedesktop.org standards agreed upon by the GNOME and KDE teams. Villa noted that the GNOME team had revamped the menu structure to comply with the freedesktop.org menu specification. The GNOME release adds a new "Places" menu to the panel that allows the user to quickly navigate between their home folder, the desktop, CD-ROM and network locations. Villa said that the GNOME team has also addressed some of the complaints about the file chooser from the last version of GNOME, and that the typeahead feature has returned. Both desktops are increasingly friendly for users with disabilities. Villa said that the 2.10 release did not focus on improvements to accessibility because GNOME is "already far and away the leaders in accessiblity." The KDE team, on the other hand, has made accessibility a major priority in 3.4. One major new feature that users will find in 3.4 is the text to speech system in 3.4, which would be available in many applications. Rusin said there is also a new "mono" theme for 3.4 that would be better for users who had difficulty with the high-color styles used in KDE. Rusin noted that working on accessibility was difficult because it is "such a hugely complicated area," and that the KDE team will continue to add functionality in future releases. Multimedia has also gotten a boost in GNOME 2.10. According to Villa, the Gstreamer integration is greatly improved in GNOME 2.10. This is the first release where Totem has been integrated into the GNOME release process, and Villa also said it was the first release where the Totem team had worked more closely with the Gstreamer team. Totem had previously worked with Xine, but Villa said that Xine had "legal encumbrances" that made it more difficult for vendors to distribute. There is also a new and improved mixer applet in GNOME 2.10 that hides some of the complexity from the user, at least at first. Villa said users would still be able to get to all of the functionality of their sound card with the mixer, but wouldn't be presented with it at first glance. Both KDE and GNOME teams have been beefing up their groupware offerings. Rusin told LWN that KDE PIM had been "hugely improved" for 3.4. Kontact has expanded its support of GroupWare servers with support for Novell GroupWise and OpenGroupware.org, and partial support for Microsoft Exchange Server 2000. Kontact also supports OpenExchange Server, eGroupWare and Kolab. Evolution's latest release includes eplugin, a plugin architecture to allow developers to extend Evolution with new features. Some of the plugins available now include an inline audio player for Evolution, an Exchange account setup plugin and an "automatic contacts" plugin that creates address book entries when a user replies to e-mails. Evolution already includes the Exchange plugin, and Villa said that Evolution was also getting a lot of work to be compatible with Novell GroupWise. KDE 3.4 marks the first inclusion of aKregator, a feed aggregator for KDE. This writer found aKregator very easy to use, and its integration with Konqueror and Kontact makes it a great choice for KDE users. The KDE team has also beefed up KPDF to include support for the text-to-speech features. From talking to developers on both teams, it's clear that both desktops are trying to move towards better "enterprise" capability, and making it easier for others to develop applications for the respective desktops. From using both, it's clear to this writer that GNOME and KDE view users differently. GNOME continues to move towards a simple end-user interface, while KDE is more about adding features that users want -- even if it increases complexity. Users who want to try out GNOME 2.10, without the hassle of compiling GNOME or installing it, should look to the Ubuntu Live CD for the upcoming Hoary Hedgehog release. Rusin said he wasn't aware of any Live CDs with KDE 3.4 beta just yet, but something might pop up on the Knoppix lists.
Grokster, the Little Engine that Could, Chugs Up One Last Hill
There is a lot more at stake than just the fate of a couple of peer-to-peer file sharing services. What's at stake, to quote from one of the many amici briefs filed in this high-profile case (this one by the Computer & Communications Industry Association and NetCoalition) is nothing less than this: it's a push to overturn the court's ruling in Sony Corp. of America v. Universal City Studios, 464 U.S. 417 (1984) (the "Betamax case") and replace it "with new standards that would as a practical matter give the entertainment industry a veto power over the development of innovative products and services." [Editor's note: due to the length of this article, we have not put the whole thing inline in the Weekly Edition. The full text of PJ's Grokster article may be found on its own page.]
European software patent update On 24 September 2003, after 19 months of consideration, the European Parliament voted on the software patent directive, and made substantial amendments to exclude patents on pure software and business methods. However, regular rows between the European Council and Parliament; the Council ignoring many of the Parliaments amendments; and the Committee for Legal Affairs of the European Parliament's (JURI) subterfuge tactics to try and push it through, mean that pure software patents in Europe are still a scary possibilityRestart the process? Under the co-decision rules for European lawmaking, the European Parliament, Commission and the Council all have to agree to the text of the directive before it can come into force. However at this stage in the legislative process (it is now at its second reading), if the European Council continues to ignore the Parliament's amendments, it will be extremely difficult for the European Parliament to keep them. An absolute majority (two thirds of all MEPs, or at least 367 votes) is required in a second reading for each Council amendment the Parliament wishes to reject. Every MEP absent in the plenary chamber that day and every abstention vote would count in favor of the Council proposal. In 2004, the University of Duisburg-Essen released a study which showed that on average only 56.2% of Italian MEPs took part in the 4,437 roll call votes held in European Parliament between 1999 and 2003. The most diligent MEPs are from Luxembourg with a presence of 85.2%. We would, in other words, have to encourage an abnormally high turnout of MEPs for an issue that struggles to capture their imaginations. This is even more worrying when you consider that a majority of the MEPs currently in parliament were elected in 2004 and did not even participate in the first reading of the directive. Ten new countries, with no previous say in the directive, also joined the EU in 2004. If the council position is officially announced, the Parliament will be forced to vote on the second reading within three to four months. This would give a relatively new Parliament little opportunity for discussion and consultation, and could lead to software patent loopholes if critical amendments were left out. On the 2nd of February, JURI is set to decide whether or not to restart the procedure. This decision has only been possible because of a motion, signed by 61 members of the European Parliament, calling for a new first reading of the software patent directive. Poland has also helped significantly by repeatedly postponing the adoption of the Council's software patent agreement, but can only do this for so long before other states pressure them on issues more important to the Polish economy. A complete restart is one of the best (and only) feasible solutions left. As there are no absolute majority requirements in first readings, it would be easier for European Parliament to pass amendments. The Council would have to have a new first reading, canceling their current pro-software patent position and putting pressure on them to avoid adopting a similar stance so contrary to the will of Parliament. A restart would also enable new member states to have their say from the beginning, making it a more democratic directive. What can you do? The only reason we don't have software patents in Europe is because of the efforts of activists protesting and lobbying against them. In Europe, according to the European Patent Office, already 7% of applicants hold more than 50% of patents. If we don't want to go down a path whereby a start-up or open source company with no patents will be forced to pay whatever price larger corporations choose to impose, we must get out there and fight to stop it happening. Here are a few ideas to get you started:
(Edward Griffith-Jones contributed to the writing of this article).
Page editor: Jonathan Corbet Security Address space randomization in 2.6 Arjan van de Ven has posted a series of patches which add some address space randomization to the 2.6 kernel. With these patches applied, each process's stack will begin at a random location, and the beginning of the memory area used for mmap() (which is where shared libraries go, among other things) will be randomized as well. These patches represent an improvement in the kernel's security infrastructure, but the reception on the public lists has been surprisingly hostile.Many buffer overflow exploits, especially those used in large-scale attacks, contain hardcoded addresses. An exploit which overflows a stack variable will place some executable code on the stack; it then overwrites the return pointer so that the broken function "returns" into the exploit code. If you look at a given distribution's shipped version of a vulnerable program, an exploit will always be able to place its payload at the same address on the stack, so it can contain that address directly. If, instead, the exploit author does not know ahead of time where the payload will end up, actually getting the computer to execute that code will be much harder. That is why the stack randomization patch helps. When the stack location is deterministic, a relatively simple exploit can be made to work on all systems running the vulnerable distribution. If the stack moves, instead, hardcoded addresses no longer work. Moving the mmap() area has similar benefits. One popular type of exploit prepares the stack and then "returns" into a shared library somewhere. That return can, for example, cause the application to behave as if it had intentionally called system() or a similar library function. Moving the libraries around makes these attacks harder. One of the biggest complaints that has been raised is that the amount of randomization is insufficient. The patches, as posted, vary the stack base within a 64KB area and the mmap() base within a 1MB range. Alignment requirements prevent just any address from being used with the result that only a relatively small number of possible base addresses exists. So a determined attacker could repeatedly run a hardcoded exploit with some assurance that, within a reasonable amount of time, the stack would land at the right place and the exploit would work. Placing a long series of no-op instructions at the beginning of the payload can also make an exploit more robust when faced with randomization. Arjan responds that the amount of randomization is not the issue at the moment. He is trying to get the infrastructure into the kernel and tested in a minimally disruptive way; the degree of randomization can be tweaked upward later on. That amount may never get as high as some people would like, at least on 32-bit systems, because it cuts back on the available virtual address space. But it is likely to go up once the developers are convinced that things are working. In any case, a larger randomness makes the problem harder, but does not change its fundamental nature. With the ability to keep trying, an attacker will eventually get around any degree of randomization possible on 32-bit systems (64-bit systems are a different story). Thus, says Ingo Molnar:
conclusion: stack randomisation (and other VM randomisations) are
not a tool against local attacks (which are much easier and faster
to brute-force) or against targeted remote attacks, but mainly a
tool to degrade the economy of automated remote attacks.
Randomization is not a magic bullet which solves a wide range of security problems. It does make an attack harder, however, and that can only be a good thing.
New vulnerabilities bind: validator function denial of service
ClamAV: multiple issues
cpio - file permissions error
f2c: insecure temp files
FireHOL: insecure temporary file creation
Gallery: cross-site scripting vulnerability
ncpfs: multiple vulnerabilities
ngIRCd: buffer overflow
openswan: stack based buffer overflow
perl: setuid vulnerabilities
postgresql: privilege escalation via LOAD
SquirrelMail: multiple vulnerabilities
uw-imap: authentication bypass
Updated vulnerabilities a2ps: input validation error
AWStats: remote code execution
cdrecord: failure to drop privilege
chbg: buffer overflow
cups: multiple vulnerabilities
cyrus-sasl: remote buffer overflow
dhcp: format string vulnerability
enscript: arbitrary code execution
ethereal: multiple vulnerabilites
evolution: arbitrary code execution
exim: buffer overflows
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: denial of service
gaim: buffer overflow in MSN protocol
gtk2, gdk-pixbuf: buffer overflows
gettext: Insecure temporary file handling
ghostscript: symlink vulnerabilities
glibc: Information leak with LD_DEBUG
glibc: tempfile vulnerability in catchsegv script
gnome-vfs: backend script vulnerabilities
groff: insecure temporary directory
gtkhtml: malformed messages cause crash
imagemagick: .psd image file decode vulnerability
imlib2: buffer overflows
iptables: missing initialization
kdebase: screen saver crash
kdelibs: unsanitzied input
kerberos5: execution of arbitrary code by authenticated user
kernel: i386 SMP page fault handler privilege escalation
Konversation: multiple vulnerabilities
libdbi-perl: insecure temporary file
libgd2: buffer overflows in PNG handling
libpam-radius-auth
libpng: multiple vulnerabilities
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[KDE screenshot]](/images/ns/kde-3.4-sm.png)
![[GNOME screenshot]](/images/ns/gnome-2.10-sm.png)