Your editor is often asked that most fundamental of Linux-user questions:
vi or emacs? The answer - that both editors often come in useful over the
course of a working day - tends to please nobody. The truth of the matter,
however, is that most of the serious work of producing LWN is done in
emacs. Until very recently, the current version of GNU emacs was 21.3,
which was released on March 19, 2003 - almost exactly two years ago.
Your editor got to wondering about the current state of emacs, and whether
it was still under active development or not. Some time digging through the
emacs development mailing list turned up a few interesting things.
First and foremost, it should be said that the emacs developers are,
indeed, active. Whenever the project gets around to making a new release,
emacs users will be surprised at how much has been done - more on that
shortly. It was surprising to see that Richard Stallman, the creator of
GNU emacs, remains very active in its development. He may not produce as
much code as he used to, but he is active in the discussions, and still
functions very much as the final decision maker on patches. When
RMS makes a decree, things happen that way.
A reading of Richard's postings indicates a real concern for the utility of
emacs and the creation of a useful user interface. Emacs detractors may
differ, but the fact is that quite a bit of thought is going into how emacs
works.
Development is not the only issue to be found on a list like this, of
course. Back in December Ben Wing requested permission to use parts of the GNU
emacs manual in the XEmacs manual. This sort of reuse would seem to be
just the sort of freedom that the GNU project is working for; XEmacs is
free software, and its manual is licensed under the GPL. Unfortunately,
since the GNU emacs manual is licensed under the GFDL, it is not possible to
reuse portions of it in the XEmacs manual. Mr. Stallman's responses
indicate that he has no problem with this state of affairs:
I did not choose this license with a view to its effects on you; it
is the general FSF policy for manuals. However, the fact that it
is inconvenient for XEmacs does not strike me as a disadvantage.
After all, you have been uncooperative towards us for 10 years, and
you don't see that as a disadvantage. We don't owe you anything,
not even small favors.
The XEmacs developers would appear to have gone away empty-handed.
Shortly thereafter, Steve Youngs showed up with an announcement of a brand new emacs fork
called SXEmacs. It appears to be a new
version of XEmacs with different coding conventions, Windows support
removed, and various other changes planned. Not much discussion resulted,
but Mr. Youngs is still working on SXEmacs.
At the end of January, Per Abrahamsen proposed that emacs go into a "regression
fixes only" freeze so that a release could actually happen. Nobody even
responded.
On February 7, Richard Stallman noted that
he had rushed out version 21.4, which adds a single security fix to 21.3.
This move surprised a number of developers who had been telling people
about the great new features 21.4 would have. Richard suggested instead
that the next release should be version 22, since "It has plenty of
new features." A plan to use
negative version numbers for test releases (e.g. 22.1.-998) was,
fortunately, turned down.
So what will be in emacs 22.1, when it comes out? Your editor grabbed the
CVS version to play with, and found a few things:
- Many things are now bundled with the emacs source distribution;
these include Leim and the emacs Lisp manual.
- New systems supported include Cygwin, Linux on S/390, and Mac
OS X.
- A change that may surprise some users: clicking on a URL with the left
mouse button will now cause emacs to follow the link. The old
behavior (simply moving point to the indicated location) can be had by
holding the mouse button for half a second.
- The GTK+ toolkit is now supported.
- Many modes have seen major improvements; these include gnus, info,
SQL, MH-E, cc, and more.
- Drag-and-drop operation is now supported.
- Mouse wheel support is enabled by default. There appears to be some
logic in the new mouse wheel code which causes the number of lines
scrolled to increase if multiple wheel events come in a short time;
your editor found the experience to be somewhat disorienting.
- A number of new modes have been added, including conf-mode (configuration
file editing), dns-mode (for bind master files), flymake (on-the-fly
source code syntax checking), thumbs (image thumbnail display), and cua
(which provides key bindings which will be more familiar to Windows
users).
There are hundreds of other changes; the NEWS
file has all the detail anybody could want. As for when emacs users
will see all these changes: it's hard to say. Mr. Stallman has never been
willing to project release dates for software. In this case, back in
December, all he would commit to was:
"It isn't around the corner, but I hope we are getting closer to
it."
Comments (32 posted)
The press release was titled "IBM Helps Drive Open Source Development." Part of
IBM's help in driving development is the contribution of "more than 30"
projects to SourceForge.net. The press release was somewhat vague on
exactly what was contributed - the only projects actually listed were the
Jikes Java compiler and "Life Science Identifier," which somehow scans
networks for "biologically significant data." The latter project is not
particularly active; its mailing list archive shows all of three messages last December - and none
thereafter.
A look at this jikes-dev message gives a
rather less rosy view of the change than the press release does:
As quite a few of you know by now, IBM has decided to pull out of
the project hosting space. As a result the developerWorks/Open
Source Server (aka dw/oss) where we and a number of other projects
have been hosted for the last several years is being shutdown. IBM
negotiated with SourceForge.net to migrate a number of projects
from dw/oss to sf.net's hosting environment; as the hands-down #1
most popular project on dw/oss, Jikes was on that list of projects.
So it seems that IBM, rather than "driving open source development" through
the contribution of various projects, is actually driving open source
development away and into the arms of SourceForge which, despite some rosy
PR of its own, has not signed up a whole lot of high-profile projects
recently. We asked IBM why this move was being done now, and got this
response:
When IBM launched developerWorks in 1999, IBM wanted to start a
community for open source developers. Over the past few years, as
open source has gained momentum, more appropriate hosts for open
source projects have come to fruition - Eclipse, Apache,
Sourceforge.net for example.
We also asked IBM for a full list of projects which had been moved.
Interestingly, no such list appears to exist; at least, IBM's
representative could not give us one. We did get a partial list, however;
it includes, beyond Jikes and LSI:
- The Abstract
Machine Test Utility, a testing tool for security certification
work.
- Performance Inspector,
a mechanism for collecting and analyzing trace data.
- The UDDI4J
class library, last updated in September, 2003.
- JTOpen, described as
"a library of Java classes supporting the client/server and
internet programming models to an iSeries or AS/400 server."
Unlike these high-profile projects, the other 24 or so were too obscure to
make IBM's list.
The perception that IBM is simply dumping a set of projects which have lost
its interest is confirmed by going back to the jikes-dev posting:
We've had 240,548 downloads from the dw/oss server in the 1061 days
we've been there - as of now() at least... not a bad run for a
project that has been pretty much abandoned by the company for the
last few years, and has survived purely on the scraps of free time
fed to it by a small handful of folks.
So IBM's donation isn't quite all that the hype would suggest. The company
is guilty of walking away from a handful of projects, then trying to use PR
to make lemonade out of the whole thing. In other words, IBM is behaving
like a corporation.
There is nothing particularly new here; companies have abandoned
development projects since the beginning. The free software method has
brought an interesting and worthwhile change, however. In the past,
abandoned projects would simply disappear from sight, and any code would
simply stagnate on a backup tape somewhere. A company which is aware of
free software, however, can make the choice to toss its abandonware into
the community. If there is anything useful in that code, somebody will
pick it up and run with it. And that can only be a good thing.
Comments (18 posted)
Last week, MandrakeSoft announced that it had reached an agreement to acquire Conectiva for €1.7 million in stock. The announcement
shouldn't come as a surprise to anyone following the Linux industry. The
market has been ripe for consolidation for some time, and MandrakeSoft and
Conectiva were already working together on the
Linux Core Consortium.
To get more information on the acquisition, we sat in on the conference
call last week with Jacques Rosenzvaig, CEO of Conectiva and François
Bancilhon, CEO of MandrakeSoft. We also touched base with MandrakeSoft's
co-founder Gaël Duval about the deal and to see what it meant for
MandrakeSoft.
According to Duval, MandrakeSoft's recent growth was a driving factor in
acquiring Conectiva:
Mandrakesoft is growing, and that is a key factor for us. For instance, the
acquisition of Conectiva results in twice as many full-time developers as
before at Mandrakesoft, while we are going to have a single line of
products. This means that we can do still more innovative products &
services.
In addition to the need for developers, Duval said that the decision to
pursue Conectiva was a result of the "excellent 'cultural fit'
between Mandrakesoft and Conectiva."
The move also gives MandrakeSoft a presence in a new market. Duval said
that Conectiva's presence in the South American market was "very
nice for us" because MandrakeSoft had "basically no business
in Brazil or South America besides a few customers on our online
store." While the South American market is important, we were
curious if MandrakeSoft was planning to make any moves towards the Asian
market. Duval said that MandrakeSoft was "looking at every
opportunity to develop there" and that the company has had some
success in China and Japan because the Mandrake Linux distribution is
"well localized."
Since MandrakeSoft and Conectiva made up one-half of the Linux Core
Consortium (LCC), we asked Duval if the acquisition would have any impact
on the LCC. Duval said that the LCC will continue as planned.
There is basically no impact. We are still planning to release a common and
public core implementation of a LSB-compliant Linux distro this year in
both RPM & DEB package formats.
During the conference call, Bancilhon said that the acquisition would
"strengthen the LCC since we're bigger, we can deliver more
technology to the LCC."
The two distributions will be merged at some point, but Duval did not give
a timeline for the first joint release. He did say that it would be done
"progressively," so it may be some time before the
distributions are fully merged. Bancilhon said that the "convergence
product" should be on the market by the end of the year.
Of course, we had to ask if MandrakeSoft had any other companies in its
sights. Duval said that MandrakeSoft is "looking at every purchase
opportunity for MandrakeSoft," though he did not provide any
specific examples.
It is interesting to note that Conectiva is actually an older company
than MandrakeSoft. Conectiva was founded in 1995, while MandrakeSoft got
its start in 1998. Not long ago, it wasn't clear that MandrakeSoft would be
around for the long haul. When MandrakeSoft entered bankruptcy, many
believed that the company would have a difficult time staying afloat. On
the contrary, MandrakeSoft finished off the last fiscal year with revenues
of about $6.7 million and a profit of $1.8 million. While the company is
still small compared to Red Hat and SUSE, its continued success indicates
that it may still become one of the "tier one" players in the Linux
market.
We're looking forward to seeing the results of the combined companies. As
long as MandrakeSoft continues its commitment to releasing its work under
open source licenses, this merger should be good for the Linux community in
general as well as for MandrakeSoft and Conectiva.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
The Firefox 1.0.1 release was announced on February 24. As expected, this release had a fix for the
IDN spoofing vulnerability which did not
actually disable international domain names; instead, such names are
mangled into punycode and presented to the user in that form. Various other security-related
problems were also fixed in 1.0.1.
One of Firefox's features is automatic updates: the browser can phone home
to find out whether an updated version has been released and, if so, offer an
upgrade to the user. Many people have been surprised that the automatic
update mechanism apparently did not work with 1.0.1. Instead, they had to
notice some other way that a new version was available and download it
themselves. Not, perhaps, the best example of how Firefox can respond to
security issues.
It turns out that a couple of problems were at work here. The first is
that the Mozilla Project's infrastructure simply wasn't up to trying to
update millions of users at once. So the project decided to spread things
out. Automatic updates were disabled entirely for a while, then they were
turned on for parts of the network at a time. According to
Asa Dotzler's weblog, the folks in Argentina and Andorra were the first
to get their updates, followed by Russia, then, eventually, the rest of the
world.
Even then, however, it turns out that only Windows users were offered
updates. A bug in the
automatic updater rendered it unusable for versions of Firefox running on
other operating systems, so it was disabled for non-Windows users. And
that is why most readers of this page, likely as not, never saw an update
notification.
Now was a good time for this sort of shakedown of the Firefox update
system. There were real security problems to fix, but none of them were
screamingly urgent. Sooner or later, there will be a vulnerability for
which a rapid update is required. Hopefully, by then, the infrastructural
issues and update system glitches will have been ironed out.
Comments (8 posted)
New vulnerabilities
bsmtpd: missing input sanitizing
| Package(s): | bsmtpd |
| CVE #(s): | CAN-2005-0107 |
| Created: | February 25, 2005 |
| Updated: | March 2, 2005 |
| Description: | Bastian Blank found a vulnerability in bsmtpd, a batched SMTP mailer for sendmail and postfix. Unsanitized addresses can cause the execution of arbitrary commands during alleged mail delivery. |
| Alerts: | |
Comments (none posted)
cmd5checkpw: local password leak
| Package(s): | cmd5checkpw |
| CVE #(s): | |
| Created: | February 25, 2005 |
| Updated: | March 2, 2005 |
| Description: | Florian Westphal discovered that cmd5checkpw is installed setuid cmd5checkpw but does not drop privileges before calling execvp(), so the invoked program retains the cmd5checkpw euid. Local users that know at least one valid /etc/poppasswd user/password combination can read the /etc/poppasswd file. |
| Alerts: | |
Comments (none posted)
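The cmd5checkpw bug is one of ordering: a setuid helper has to give up its privileges before it calls execvp(), or whatever it runs inherits them. The following is an added example, not cmd5checkpw's own code, of how such a helper returns to the invoking user's ids and checks that the drop stuck before executing anything. It assumes Linux (setresuid()/setresgid()), and the helper name exec_as_invoker() is hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Permanently give up the effective and saved ids of a setuid/setgid
 * helper, returning to the real uid/gid of the user who invoked it.
 * Returns 0 on success, -1 on failure.  Linux-specific (setres*). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups: only root may change them, so clear them
     * first, while we still can, whenever we are about to stop being root. */
    if (geteuid() == 0 && ruid != 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group before user: once the euid is unprivileged, changing the
     * group ids would fail.  setres* also resets the saved ids, so the
     * drop cannot be undone by a later setuid()/setgid() call. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Verify: if we were setuid root, regaining uid 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* True when real, effective and saved ids all agree, i.e. no privilege
 * beyond the invoking user's remains to be inherited across exec. */
int privileges_dropped(void)
{
    uid_t r, e, s;
    gid_t gr, ge, gs;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&gr, &ge, &gs) != 0)
        return 0;
    return r == e && e == s && gr == ge && ge == gs;
}

/* Run argv[0] as the invoking user (hypothetical helper).  Only returns
 * on failure; the exec'd program inherits the already-dropped ids. */
int exec_as_invoker(char *const argv[])
{
    if (drop_privileges() != 0 || !privileges_dropped())
        return -1;
    execvp(argv[0], argv);
    return -1;
}

int main(void)
{
    char *const argv[] = { "id", NULL };
    if (exec_as_invoker(argv) != 0) {
        perror("exec_as_invoker");
        return 1;
    }
    return 0;
}
```

Run stand-alone, the program simply execs `id`, which then reports the invoking user's ids rather than the helper's. The verification step is the part the page's description is missing: a helper that checks `privileges_dropped()` before `execvp()` cannot hand its euid to the child by accident.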
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
| Alerts: | |
Comments (none posted)
gaim: DoS issue in parsing malformed HTML
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0208 |
| Created: | February 25, 2005 |
| Updated: | March 14, 2005 |
| Description: | Gaim has a DoS issue in parsing malformed HTML, and an MSN-related crash. |
| Alerts: | |
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
| CVE #(s): | CAN-2005-0534, CAN-2005-0535, CAN-2005-0536 |
| Created: | February 28, 2005 |
| Updated: | June 13, 2005 |
| Description: | A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters. |
| Alerts: | |
Comments (none posted)
Mozilla and Mozilla Firefox: out of memory heap corruption
| Package(s): | mozilla firefox |
| CVE #(s): | CAN-2005-0255 |
| Created: | March 1, 2005 |
| Updated: | March 16, 2005 |
| Description: | According to this iDEFENSE advisory, remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow an attacker to cause heap corruption, resulting in execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
phpBB: multiple vulnerabilities
| Package(s): | phpbb |
| CVE #(s): | CAN-2005-0258, CAN-2005-0259 |
| Created: | March 1, 2005 |
| Updated: | March 2, 2005 |
| Description: | It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the "Enable remote avatars" and "Enable avatar uploading" options are set (CAN-2005-0259). He also found out that incorrect input validation in "usercp_avatar.php" and "usercp_register.php" makes phpBB vulnerable to directory traversal attacks, if the "Gallery avatars" setting is enabled (CAN-2005-0258). |
| Alerts: | |
Comments (none posted)
phpWebSite: arbitrary PHP execution and path disclosure
| Package(s): | phpwebsite |
| CVE #(s): | |
| Created: | March 1, 2005 |
| Updated: | March 2, 2005 |
| Description: | NST discovered that, when submitting an announcement, uploaded files aren't correctly checked for malicious code. They also found out that phpWebSite is vulnerable to a path disclosure. A remote attacker can exploit this issue to upload files to a directory within the web root. By calling the uploaded script the attacker could then execute arbitrary PHP code with the rights of the web server. By passing specially crafted requests to the search module, remote attackers can also find out the full path of PHP scripts. |
| Alerts: | |
Comments (none posted)
Qt: untrusted library search path
| Package(s): | qt |
| CVE #(s): | |
| Created: | March 1, 2005 |
| Updated: | March 2, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that Qt searches for shared libraries in an untrusted, world-writable directory. A local attacker could create a malicious shared object that would be loaded by Qt, resulting in the execution of arbitrary code with the privileges of the Qt application. |
| Alerts: | |
Comments (none posted)
reportbug: world readable files
| Package(s): | reportbug |
| CVE #(s): | |
| Created: | February 28, 2005 |
| Updated: | March 2, 2005 |
| Description: | The per-user configuration file ~/.reportbugrc was created world-readable. If it contained email smarthost passwords, these were readable by any other user on the computer storing the home directory. If users have ~/.reportbugrc files with SMTP passwords, the permissions should be manually changed: chmod 600 .reportbugrc |
| Alerts: | |
Comments (none posted)
uim: local privilege escalation
| Package(s): | uim |
| CVE #(s): | CAN-2005-0503 |
| Created: | February 24, 2005 |
| Updated: | March 2, 2005 |
| Description: | uim has a problem in which environment variables can be used by a local attacker to elevate their privileges. |
| Alerts: | |
Comments (none posted)
UnAce: buffer overflow and directory traversal
| Package(s): | unace |
| CVE #(s): | CAN-2005-0160, CAN-2005-0161 |
| Created: | February 28, 2005 |
| Updated: | June 17, 2005 |
| Description: | Ulf Harnhammar discovered that UnAce suffers from buffer overflows when testing, unpacking or listing specially crafted ACE archives (CAN-2005-0160). He also found out that UnAce is vulnerable to directory traversal attacks, if an archive contains "./.." sequences or absolute filenames (CAN-2005-0161). |
| Alerts: | |
Comments (none posted)
xloadimage, xli: buffer overflows
| Package(s): | xli, xloadimage |
| CVE #(s): | CAN-2001-0775 |
| Created: | March 2, 2005 |
| Updated: | March 2, 2005 |
| Description: | The xloadimage and xli utilities contain a flaw in their compressed image handling which can lead to a buffer overflow and code execution. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
bidwatcher: format string vulnerability
| Package(s): | bidwatcher |
| CVE #(s): | CAN-2005-0158 |
| Created: | February 18, 2005 |
| Updated: | March 3, 2005 |
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. This problem can be triggered remotely by a web server of eBay, or someone pretending to be eBay, sending certain data back. As of version 1.3.17 the program uses cURL and is not vulnerable anymore. |
| Alerts: | |
Comments (none posted)
ClamAV: multiple issues
| Package(s): | clamav |
| CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 |
| Updated: | March 3, 2005 |
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | dhcp 2.x has a format string vulnerability in its log functions that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
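The camel-lock-helper description is a textbook signed-length bug: a 32-bit length of -1 plus one is zero, the allocation succeeds with a zero-byte block, and the copy that follows is bounded by the original (huge) value. The following is an added example, not Evolution's code, that shows the vulnerable idiom beside a validated reader. The wire format (a 4-byte big-endian length followed by the payload) and the 64K policy limit are constructed for the example, not taken from camel-lock-helper.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Policy limit: the largest single payload we are willing to buffer.
 * Any header claiming more is rejected before allocation. */
#define MAX_PAYLOAD (64 * 1024)

/* Constructed wire format: 4-byte big-endian length, then that many bytes. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable idiom, shown for contrast only (never compiled or called):
 *
 *     int len = (int)read_be32(msg);     // 0xFFFFFFFF becomes -1
 *     char *buf = malloc(len + 1);       // -1 + 1 == 0: a 0-byte block
 *     memcpy(buf, msg + 4, len);         // copies (size_t)-1 bytes into it
 *
 * Three things go wrong: the sign, the unchecked arithmetic, and the
 * absence of any comparison against the bytes actually available. */

/* Hardened reader: returns a newly allocated, NUL-terminated copy of the
 * payload and stores its length in *out_len, or returns NULL when the
 * header is inconsistent with the buffer or exceeds the policy limit. */
unsigned char *read_payload(const unsigned char *msg, size_t msglen,
                            size_t *out_len)
{
    if (msglen < 4)
        return NULL;                    /* no complete header yet */

    uint32_t len = read_be32(msg);      /* unsigned: there is no -1 */
    if (len > MAX_PAYLOAD)
        return NULL;                    /* policy limit; also keeps len+1 small */
    if (len > msglen - 4)
        return NULL;                    /* header claims more than we hold */

    unsigned char *buf = malloc((size_t)len + 1);   /* cannot wrap: len <= 64K */
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 4, len);          /* len is now provably <= msglen - 4 */
    buf[len] = '\0';
    *out_len = len;
    return buf;
}
```

The order of the checks is deliberate: the policy limit comes first so that `len + 1` is known not to wrap before it is used as an allocation size, and the comparison against `msglen - 4` is only evaluated after `msglen >= 4` has been established, so that subtraction cannot underflow either.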
f2c: insecure temp files
| Package(s): | f2c |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |
| Description: | The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
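gftp, UnAce and phpBB above all fail the same way: a file name chosen by the other side (an FTP server, an archive, a form parameter) is joined to a local directory without anyone asking whether it climbs out of it. The kdelibs entry below is a cousin, where a decoded URL component carries a newline into a protocol stream. Here is an added example, not taken from any of those projects, of one validator that rejects all of these shapes before a path is ever built:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Decide whether a name supplied by an archive, a remote server or a
 * request may be used to create or read a file under a local directory.
 * Rejects:
 *   - absolute paths ("/etc/passwd", "\\host\share") and "C:" prefixes
 *   - any ".." component, which is what "./.." sequences reduce to
 *   - empty names and empty components ("a//b")
 *   - control characters: CR/LF could terminate a protocol command or a
 *     log line early, and nothing below 0x20 belongs in a file name
 * Both '/' and '\\' are treated as separators so a name that is safe on
 * one platform cannot become a traversal on another. */
bool archive_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                               /* absolute or UNC */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;                               /* drive letter */

    for (const unsigned char *c = (const unsigned char *)name; *c; c++)
        if (*c < 0x20 || *c == 0x7f)
            return false;                           /* control character */

    /* Walk the components without allocating anything. */
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 0)
            return false;                           /* "a//b" */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                           /* "../" or "./../" */
        if (*end == '\0')
            break;
        p = end + 1;
    }
    return true;
}
```

This is a whitelist on shape, not a substring search for "../": a search would pass `./..` in some implementations and `..\` in others. In a real extractor it is worth pairing with a second check after the join, canonicalizing the final path and confirming it still begins with the extraction directory, so that symlinks created by earlier entries cannot redirect a later one.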
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
GProFTPD: gprostats format string vulnerability
| Package(s): | gproftpd |
| CVE #(s): | |
| Created: | February 18, 2005 |
| Updated: | February 23, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a format string vulnerability in the gprostats utility. An attacker could exploit the vulnerability by performing a specially crafted FTP transfer; the resulting ProFTPD transfer log could potentially trigger the execution of arbitrary code when parsed by GProFTPD. |
| Alerts: | |
Comments (none posted)
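Four entries on this page (bidwatcher, dhcp, movemail and now gprostats) are the same bug: text that arrived over the network, or was written into a log by someone who controls a file name, ends up as the format argument of a printf-family or syslog() call. Here is an added example, not from any of those projects, of the two-line fix and of a small log sanitizer that keeps hostile text inert when it is written out. The function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable idiom, shown for contrast only (never compiled here):
 *
 *     syslog(LOG_INFO, msg);          // msg came from the peer
 *     fprintf(logfile, line);         // line came from a transfer log
 *
 * With attacker text as the format, "%x" reads the stack and "%n"
 * writes memory.  The fix is a constant format with the text as data:
 *
 *     syslog(LOG_INFO, "%s", msg);
 */

/* Copy untrusted text into out[] for logging.  Format characters are
 * left alone (they are never interpreted, so they are harmless data);
 * control characters (CR/LF, ESC, ...) are rendered as \xNN so a
 * hostile file name cannot forge an extra log line or terminal escape.
 * Returns the number of characters escaped, or -1 if out[] is too small. */
int sanitize_for_log(const char *in, char *out, size_t outsize)
{
    size_t o = 0;
    int escaped = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (isprint(*p)) {
            if (o + 1 >= outsize)
                return -1;                  /* leave room for the NUL */
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outsize)
                return -1;                  /* "\xNN" plus the NUL */
            snprintf(out + o, outsize - o, "\\x%02x", *p);
            o += 4;
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

/* Log a transfer of an untrusted file name.  The format string is ours
 * and constant; the data only ever travels through %s. */
void log_transfer(const char *filename)
{
    char safe[256];
    if (sanitize_for_log(filename, safe, sizeof safe) < 0)
        strcpy(safe, "<name too long>");
    syslog(LOG_INFO, "transfer complete: %s", safe);
}
```

Note that the sanitizer does not strip `%` at all; once the text is an argument rather than the format, `%n` is just two bytes. What it does remove is the other way a file name attacks a log: embedded newlines that let a later parser (gprostats, in this case) see a line the attacker wrote.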
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
Package(s): imlib2
CVE #(s): CAN-2004-0802, CAN-2004-0817
Created: September 8, 2004
Updated: October 26, 2005
Description:
The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Comments (none posted)
kdelibs: unsanitized input
Package(s): kdelibs
CVE #(s): CAN-2004-1165
Created: January 10, 2005
Updated: July 19, 2005
Description:
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, that allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
newline before the FTP command.
Alerts:
Comments (none posted)
kernel: i386 SMP page fault handler privilege escalation
Package(s): kernel
CVE #(s): CAN-2005-0001
Created: January 14, 2005
Updated: February 25, 2005
Description:
Paul Starzetz found an exploitable hole in the x86 SMP page fault handler
which could lead to privilege escalation. See the advisory for details.
Alerts:
Comments (none posted)
libdbi-perl: insecure temporary file
Package(s): libdbi-perl
CVE #(s): CAN-2005-0077
Created: January 25, 2005
Updated: March 2, 2006
Description:
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the user running
the affected parts of the library.
Alerts:
Comments (none posted)
libgd2: buffer overflows in PNG handling
Package(s): libgd2
CVE #(s): CAN-2004-0990, CAN-2004-0941
Created: October 29, 2004
Updated: June 28, 2006
Description:
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Alerts:
Comments (none posted)
libtiff: buffer overflow
Package(s): libtiff
CVE #(s): CAN-2004-1308
Created: December 22, 2004
Updated: May 19, 2005
Description:
The libtiff image manipulation library contains several exploitable buffer
overflows.
Alerts:
Comments (none posted)
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Alerts:
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Alerts:
Comments (none posted)
linux-source-2.6.8.1: multiple vulnerabilities
Package(s): linux-source-2.6.8.1
CVE #(s): CAN-2005-0176, CAN-2005-0177, CAN-2005-0178
Created: February 15, 2005
Updated: March 15, 2005
Description:
Michael Kerrisk noticed insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the RLIMIT_MEMLOCK limit (that is, the
maximum size of shared memory that unprivileged users can acquire). This
allowed an unprivileged user process to unlock locked memory of other
processes, thereby allowing it to be swapped out. Usually locked shared
memory is used to store passphrases and other sensitive content which must
not be written to the swap space (where it could be read out even after a
reboot). (CAN-2005-0176)
OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly
set to 128 instead of 256. This caused a buffer overflow in some cases
which could be exploited to crash the kernel. (CAN-2005-0177)
A race condition was found in the terminal handling of the setsid()
function, which is used to start new process sessions. (CAN-2005-0178)
Alerts:
Comments (none posted)
lvm10: creates insecure temporary directory
Package(s): lvm10
CVE #(s): CAN-2004-0972
Created: November 1, 2004
Updated: July 25, 2005
Description:
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Alerts:
Comments (none posted)
mailman: cross-site scripting
Package(s): mailman
CVE #(s): CAN-2004-1177
Created: January 10, 2005
Updated: March 22, 2005
Description:
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.
Alerts:
Comments (none posted)
mailman: path traversal
Package(s): mailman
CVE #(s): CAN-2005-0202
Created: February 9, 2005
Updated: July 13, 2005
Description:
The "private" module in the mailman mailing list manager fails to sanitize
path names adequately. An attacker could exploit this vulnerability to
retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list.
Alerts:
Comments (none posted)
mc: multiple vulnerabilities
Package(s): mc
CVE #(s): CAN-2004-1004, CAN-2004-1005, CAN-2004-1092, CAN-2004-1176
Created: February 17, 2005
Updated: March 4, 2005
Description:
Midnight Commander has multiple vulnerabilities, including
format string vulnerabilities, buffer overflows, a buffer underflow,
and a memory deallocation error. An attacker can use these to
run arbitrary code with the permissions of the user.
Alerts:
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Alerts:
Comments (none posted)
mod_python: remote access vulnerability
Package(s): mod_python
CVE #(s): CAN-2005-0088
Created: February 10, 2005
Updated: April 10, 2006
Description:
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to gain access to
objects that should be protected. An information leak can result.
Alerts:
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
mysql: several vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0835, CAN-2004-0836, CAN-2004-0837
Created: October 11, 2004
Updated: April 6, 2005
Description:
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Comments (none posted)
mysql-dfsg: insecure temporary files
Package(s): mysql-dfsg
CVE #(s): CAN-2005-0004
Created: January 18, 2005
Updated: March 25, 2005
Description:
Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program
created temporary files in an insecure manner. This could allow a
symbolic link attack to create or overwrite arbitrary files with the
privileges of the user invoking the program.
Alerts:
Comments (none posted)
nasm: Buffer overflow vulnerability
Package(s): nasm
CVE #(s): CAN-2004-1287
Created: December 20, 2004
Updated: May 4, 2005
Description:
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code.
Alerts:
Comments (4 posted)
ncpfs: multiple vulnerabilities
Package(s): ncpfs
CVE #(s): CAN-2005-0013, CAN-2005-0014
Created: January 31, 2005
Updated: May 15, 2006
Description:
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Alerts:
Comments (none posted)
netkit-telnet: invalid free pointer
Package(s): netkit-telnet
CVE #(s): CAN-2004-0911
Created: October 4, 2004
Updated: March 28, 2005
Description:
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
Alerts:
Comments (none posted)
nfs-utils: denial of service
Package(s): nfs-utils
CVE #(s): CAN-2004-1014
Created: December 1, 2004
Updated: May 15, 2005
Description:
The NFS statd server contains a denial of service vulnerability which is
easily exploited by a remote attacker.
Alerts:
Comments (none posted)
nfs-utils: arbitrary code execution
Package(s): nfs-utils
CVE #(s): CAN-2004-0946
Created: January 11, 2005
Updated: February 27, 2006
Description:
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
Alerts:
Comments (none posted)
openssl: der_chop script temp file vulnerability
Package(s): openssl
CVE #(s): CAN-2004-0975
Created: November 11, 2004
Updated: July 19, 2005
Description:
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Alerts:
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
Package(s): opera
CVE #(s):
Created: February 14, 2005
Updated: June 22, 2005
Description:
Opera is vulnerable to several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code.
Alerts:
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode.
The PERLIO_DEBUG environment variable can be used to overwrite arbitrary
files; there is also an associated buffer overflow which can be exploited
to gain root access.
Alerts:
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
postfix: error in IPv6 handling
Package(s): postfix
CVE #(s): CAN-2005-0337
Created: February 4, 2005
Updated: March 16, 2005
Description:
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i.e., it erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address.
Alerts:
Comments (1 posted)
postgresql: EXECUTE privilege vulnerability
Package(s): postgresql
CVE #(s): CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247
Created: February 10, 2005
Updated: July 19, 2005
Description:
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
Alerts:
Comments (none posted)
PuTTY: remote code execution
Package(s): putty
CVE #(s): CAN-2005-0467
Created: February 21, 2005
Updated: March 2, 2005
Description:
Two vulnerabilities have been discovered in the PSCP and PSFTP clients,
which can be triggered by the SFTP server itself. See this iDEFENSE
advisory for details.
Alerts:
Comments (none posted)
python: illegal function internals access
Package(s): python
CVE #(s): CAN-2005-0089
Created: February 3, 2005
Updated: April 22, 2005
Description:
Python versions 2.2 and 2.3 have a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes.
Alerts:
Comments (none posted)
qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior to
3.3.3 may allow remote code execution.
Alerts:
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
Package(s): rp-pppoe, pppoe
CVE #(s): CAN-2004-0564
Created: October 4, 2004
Updated: November 15, 2005
Description:
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Alerts:
Comments (none posted)
ruby: infinite loop
Package(s): ruby
CVE #(s): CAN-2004-0983
Created: November 8, 2004
Updated: May 15, 2005
Description:
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles.
Alerts:
Comments (none posted)
samba: integer overflow vulnerability
Package(s): samba
CVE #(s): CAN-2004-1154
Created: December 16, 2004
Updated: July 19, 2005
Description:
Samba has an integer overflow vulnerability that may allow an authenticated
remote user to execute arbitrary code on the Samba server.
Alerts:
Comments (none posted)
sharutils: arbitrary code execution
Package(s): sharutils
CVE #(s): CAN-2004-1772
Created: October 1, 2004
Updated: April 26, 2005
Description:
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
Alerts:
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description:
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Alerts:
Comments (none posted)
squid: multiple vulnerabilities
Package(s): squid
CVE #(s): CAN-2005-0173, CAN-2005-0175, CAN-2005-0194, CAN-2005-0211
Created: February 4, 2005
Updated: March 8, 2005
Description:
Several vulnerabilities have been discovered in Squid, including cache
pollution/poisoning via HTTP response splitting, a buffer overflow
triggered by a larger-than-normal WCCP packet, and more.
Alerts:
Comments (none posted)
Squid: DNS response handling
Package(s): squid
CVE #(s): CAN-2005-0446
Created: February 18, 2005
Updated: March 16, 2005
Description:
Handling of certain DNS responses triggers assertion failures. By returning
a specially crafted DNS response an attacker could cause Squid to crash by
triggering an assertion failure.
Alerts:
Comments (none posted)
SquirrelMail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
Created: January 28, 2005
Updated: July 19, 2005
Description:
SquirrelMail 1.4.4 has been released, fixing a number of security issues
that have been resolved since 1.4.3a.
Alerts:
Comments (none posted)
Subversion: Remote heap overflow
Package(s): subversion
CVE #(s): CAN-2004-0413
Created: June 11, 2004
Updated: March 7, 2005
Description:
Subversion has a remote Denial of Service vulnerability that may allow a
server that runs svnserve to execute arbitrary code. See this advisory for
more information.
Alerts:
Comments (none posted)
sudo: environment variable sanitizing
Package(s): sudo
CVE #(s): CAN-2004-1051
Created: November 17, 2004
Updated: May 15, 2005
Description:
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment
prior to running shell scripts; this failure can be exploited by a sudo user
to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for
more information.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
tiff: buffer overflows
Package(s): tiff
CVE #(s): CAN-2004-0803
Created: October 13, 2004
Updated: April 12, 2005
Description:
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more
information.
Alerts:
Comments (none posted)
uw-imap: authentication bypass
Package(s): uw-imap imap
CVE #(s): CAN-2005-0198
Created: February 2, 2005
Updated: March 1, 2005
Description:
The uw-imap package, prior to version 2004b, contains a vulnerability which
can enable a remote attacker to bypass the authentication mechanism. This
bug only affects CRAM-MD5 authentication, which is not enabled on all
distributions.
Alerts:
Comments (1 posted)
vim: modeline problems
Package(s): vim
CVE #(s): CAN-2004-1138
Created: December 15, 2004
Updated: February 24, 2005
Description:
A new set of modeline-related vulnerabilities has been discovered in
versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be
exploited by a local user to obtain the privileges of another user.
Alerts:
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal (which is disabled by default) and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Alerts:
Comments (none posted)
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description:
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle
parsing and DVD sub-picture decoder code.
Alerts:
Comments (none posted)
xine-ui: insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Alerts:
Comments (none posted)
xorg-x11: integer overflows
Package(s): xorg-x11
CVE #(s): CAN-2004-0914
Created: November 18, 2004
Updated: September 12, 2005
Description:
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code.
Alerts:
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2004-1125
Created: December 23, 2004
Updated: April 1, 2005
Description:
xpdf has a potential buffer overflow problem caused by insufficient input
validation. A specially crafted PDF file can allow an attacker to execute
code with the privileges of the xpdf user.
Alerts:
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for
details.
Alerts:
Comments (1 posted)
xpdf: vulnerabilities on 64 bit platforms
Package(s): xpdf gpdf cups
CVE #(s): CAN-2005-0206
Created: February 18, 2005
Updated: March 16, 2005
Description:
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities.
Alerts:
Comments (none posted)
zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error handling vulnerability
which can enable denial of service attacks.
Alerts:
Comments (none posted)
Events
The third Workshop on Rapid Malcode is happening on November 11 in
Fairfax, VA. The call for papers is out; submissions are due by
June 23.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel is 2.6.11, released, finally, on March 2. Only a
small number of fixes went in after 2.6.11-rc5, which had, itself,
consisted of a slightly larger number of fixes. For those just tuning in,
2.6.11 includes InfiniBand support, four-level page tables, debugfs, a
rework of the direct rendering code, in-inode extended attributes for ext3
(gives better Samba performance), a new pipe implementation, a bunch of
latency reduction work (though some latency issues remain), the Big Kernel
Semaphore patch, and lots more. The long-format changelog has the details.
As of this writing, no post-2.6.11 patches have been merged into Linus's
BitKeeper repository.
It's worth noting that Linus has started a
discussion on making some (relatively small) changes to the kernel
release process.
The current -mm tree is 2.6.11-rc5-mm1.
Recent changes to -mm include a new set of scheduler patches, a reiser4
update, some /dev/mem tweaks to get around cache coherency
problems, a new NFS access control list patch set, and a big set of PCMCIA
patches which make that subsystem work with the hotplug mechanism (and
obsolete the longstanding cardmgr daemon).
The LWN 2.6 API changes
document has recently been updated, and should be current to the 2.6.11
release.
The current 2.4 prepatch remains 2.4.30-pre2; there have been no 2.4
prepatches released since February 23.
Comments (5 posted)
Kernel development news
It's a pity: for a while we were thinking 2.6.11 would be a big
step forward for mainline latency; but it now looks to me like
these tests have come too late in the cycle to be dealt with
safely.
-- Hugh Dickins
It seems that a lock-breaking patch in the VM subsystem got pushed aside by
the four-level page table work, and thus didn't make it into 2.6.11. Hugh
has posted a fix, but, by the time it came,
2.6.11 was close enough that putting in locking changes didn't seem like a
good idea.
Comments (1 posted)
The book has been out for a couple of weeks, but now that there is a
press release (click below), it's official:
Linux Device Drivers, Third
Edition by Jonathan Corbet, Alessandro Rubini, and Greg Kroah-Hartman,
is now available. Look for it at your favorite bookstore. This book will
also be released online under the
Creative Commons
Attribution-ShareAlike license, but we do not currently have an
estimate for when it will be available.
Full Story (comments: 10)
As has been described in
previous Kernel Page
articles, the Linux kernel works with a four-level, hierarchical page
table mechanism. A virtual address is translated to a physical address by
walking down the table until the relevant page table entry is found. When
running on hardware which does not implement a four-level tree, the kernel
transparently "folds" the missing layers out of existence. So the same
high-level memory management code runs on all hardware, regardless of the
depth of page table tree that hardware implements.
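The walk and the folding mechanism just described, as an added C example (not LWN's text and not kernel code): a toy four-level page-table walker in which each logical level the hardware does not implement is folded away, so the same map/translate loop runs unchanged on 2-, 3- and 4-level hardware. The level names (pgd, pud, pmd, pte) follow kernel convention; the table geometry, the entry encoding and the helper names (mm_init, map_page, translate, descend, demo_tables, demo_translate) are constructed for this example and are not the kernel's API.

```c
/* Added example, not LWN's text or kernel code: toy model of a four-level
 * page-table walk in which a level the hardware lacks is "folded" away.
 * Level names follow kernel convention; geometry and encoding are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1ULL << PAGE_SHIFT)
#define LEVEL_BITS    9                   /* 512 entries per table */
#define TABLE_ENTRIES (1ULL << LEVEL_BITS)
#define PTE_PRESENT   1ULL
#define PTE_WRITE     2ULL
#define PTE_FLAGS     7ULL                /* low bits hold flags, not address */

/* Logical levels, bottom up; hardware level n uses address bits 12+9n .. 20+9n. */
enum { PTE = 0, PMD = 1, PUD = 2, PGD = 3 };
typedef struct table { uint64_t entry[TABLE_ENTRIES]; } table_t;
typedef struct {
    table_t *pgd;         /* top-level table, whatever the hardware depth */
    int levels;           /* hardware depth: 2, 3 or 4 */
    int tables_allocated; /* statistics: tables allocated below the pgd */
} mm_t;

static unsigned idx_at(uint64_t va, int lvl)
{
    return (unsigned)((va >> (PAGE_SHIFT + LEVEL_BITS * lvl)) & (TABLE_ENTRIES - 1));
}
static table_t *table_of(uint64_t e) { return (table_t *)(uintptr_t)(e & ~PTE_FLAGS); }

/* Step from one logical level to the table below it.  A level the hardware
 * does not implement (lvl >= mm->levels) is folded: it consumes no address
 * bits and hands back the table it was given, as pud_offset()/pmd_offset()
 * reduce to on folded architectures.  With alloc, a missing table is created. */
static table_t *descend(mm_t *mm, table_t *tab, uint64_t va, int lvl, bool alloc)
{
    if (lvl >= mm->levels) return tab;                 /* folded: nothing to do */
    uint64_t *e = &tab->entry[idx_at(va, lvl)];
    if (!(*e & PTE_PRESENT)) {
        table_t *next = alloc ? calloc(1, sizeof *next) : NULL; /* 8-byte aligned */
        if (!next) return NULL;
        mm->tables_allocated++;
        *e = (uint64_t)(uintptr_t)next | PTE_PRESENT;
    }
    return table_of(*e);
}

bool mm_init(mm_t *mm, int levels)
{
    if (levels < 2 || levels > 4) return false;
    mm->levels = levels; mm->tables_allocated = 0;
    return (mm->pgd = calloc(1, sizeof *mm->pgd)) != NULL;
}

/* Install va -> pa.  One loop for every depth: folded steps are no-ops. */
bool map_page(mm_t *mm, uint64_t va, uint64_t pa, uint64_t flags)
{
    table_t *t = mm->pgd;
    for (int lvl = PGD; lvl > PTE; lvl--)
        if (!(t = descend(mm, t, va, lvl, true))) return false;
    t->entry[idx_at(va, PTE)] = (pa & ~(PAGE_SIZE - 1)) | PTE_PRESENT | (flags & PTE_FLAGS);
    return true;
}

/* Resolve va; a missing entry at any level is a page fault (returns false). */
bool translate(mm_t *mm, uint64_t va, uint64_t *pa)
{
    table_t *t = mm->pgd;
    for (int lvl = PGD; lvl > PTE; lvl--)
        if (!(t = descend(mm, t, va, lvl, false))) return false;
    uint64_t e = t->entry[idx_at(va, PTE)];
    if (!(e & PTE_PRESENT)) return false;
    *pa = (e & ~(PAGE_SIZE - 1)) | (va & (PAGE_SIZE - 1));
    return true;
}

static void free_table(table_t *t, int hw_level)   /* hw_level 0 = leaf table */
{
    for (unsigned i = 0; hw_level > 0 && i < TABLE_ENTRIES; i++)
        if (t->entry[i] & PTE_PRESENT) free_table(table_of(t->entry[i]), hw_level - 1);
    free(t);
}
void mm_destroy(mm_t *mm) { free_table(mm->pgd, mm->levels - 1); mm->pgd = NULL; }

/* Constructed scenario: map va 0x12345000 -> pa 0x10000 at the given depth,
 * translate va (0 on fault) and report how many tables hang below the pgd. */
static uint64_t run_scenario(int levels, uint64_t va, int *tables)
{
    mm_t mm; uint64_t pa = 0;
    *tables = 0;
    if (!mm_init(&mm, levels)) return 0;
    if (!map_page(&mm, 0x12345000ULL, 0x10000ULL, PTE_WRITE) || !translate(&mm, va, &pa))
        pa = 0;
    *tables = mm.tables_allocated;
    mm_destroy(&mm);
    return pa;
}
uint64_t demo_translate(int levels, uint64_t va) { int n; return run_scenario(levels, va, &n); }
int demo_tables(int levels) { int n; run_scenario(levels, 0x12345000ULL, &n); return n; }

int main(void)
{
    for (int levels = 4; levels >= 2; levels--)   /* 3, 2 and 1 tables below the pgd */
        printf("%d-level: 0x12345678 -> %#llx, tables below pgd = %d\n", levels,
               (unsigned long long)demo_translate(levels, 0x12345678ULL), demo_tables(levels));
    return 0;
}
```

Compile with any C99 compiler and run it: the same virtual address translates identically at every depth, while the number of tables allocated below the pgd drops from three to one, which is exactly the effect of folding. A missing entry at any level makes translate() return false, the model's equivalent of a page fault.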
There is one interesting issue with this scheme: not all hardware uses this
sort of hierarchical page table mechanism. It matches the i386 hardware well
- to the point that the processor works directly from the same page tables
that the generic kernel memory management code manipulates. Other
processors have different ways of handling address translation, however.
The ia-64 architecture uses a linear page table which is, itself, mapped in
virtual memory; there is a "virtual hashed page table walker" hardware
function which can quickly resolve page faults in many situations. The
hierarchical page tables carefully maintained by the core kernel are never
used directly by the hardware; instead, the architecture-specific code
takes care of moving information between the core kernel tables and the
hardware versions. This impedance matching requires extra code and work;
it also makes it harder to take advantage of any high-level features that
the hardware may offer.
(See this
chapter from ia-64 Linux Kernel for a detailed description of
how the ia-64 architecture handles page tables).
Christoph Lameter would like to get rid of the disconnect between in-kernel
and hardware page tables; to that end, he has proposed a new abstraction layer which would handle
access to the processor's memory management unit (MMU). With the new layer
in place, there would be no more hierarchical page tables in the core
kernel. If the hardware uses hierarchical tables, the
architecture-specific code would still work with them, but they would be
hidden from the core. The proposed replacement interface is somewhat vague
at this stage, but some features have been sketched out:
- A new type, mmu_entry_t would represent a translation from
a virtual address to the corresponding physical address. It thus
functions like a page table entry, but it could contain information
not necessarily found in page table entries now, such as "large page"
information and, possibly, statistics information.
- A translation set (mmu_translation_set_t) represents the
address space for a process; it is a collection of
mmu_entry_t values and required housekeeping information.
- The new interface would also implement transactions
(mmu_transaction_t), so that complex changes to page tables
could be performed in an atomic manner. The transaction abstraction
hides the page table locking within the architecture-specific code,
since that locking may be done in very different ways.
Initially, the new interface would be implemented on top of the existing
hierarchical page tables. The transition could thus be made a little
smoother, and architectures which actually use the hierarchical tables
could continue to function as always. Eventually, however, direct access
to those tables from the core kernel code would be removed, and
architectures with different ideas of how page tables should be managed
would be able to drop the hierarchical tables.
Once the transition has been made, other things would become possible as
well. The current memory management system is really only comfortable when
pages are all the same size. The support for huge pages has been bolted on
to the side, and it does not really hide the fact that different processors
handle large pages in very different ways. The new scheme would present a
simple mksize() function to change the size of a page, and would
hide from the kernel the details of how that size change is actually done.
In addition, the new scheme would allow for global pages which appear in
every process's address space, and for keeping statistics of the various
types of pages in the system.
Discussion of the proposal has been muted. Actually, it has been almost
nonexistent. Unfortunately, things often happen that way when abstract
proposals are posted to the kernel lists. Kernel developers respect actual
code far more than design ideas; they will often wait until an
implementation is posted for review, then talk about how it should
have been done. So the new memory management interface may have to make
some more progress before the discussion can truly begin.
Comments (1 posted)
The kernel developers have set a long term goal: reduce the number of
kernel symbols exported to modules. There is a general feeling that the
module interface has gone out of control, and that modules are allowed to
reach into too many parts of the core kernel. Additionally, there seems to
be no reason for many exports; quite a few exported symbols are not used by
any modules in the mainline kernel. So almost every 2.6.x release has
unexported at least a handful of symbols, sometimes to the detriment of
out-of-tree modules.
It looked like more of the same when Adrian Bunk posted a patch unexporting
do_settimeofday(), which is not used by any mainline modules.
There didn't seem to be any reason to allow modules to change the kernel's
idea of what time it is, so the symbol could go.
Andrew Morton has drawn the line, however,
on symbol removals. He now wants them to be marked as being deprecated
(when used in a module), added to the feature removal schedule, and
actually removed a year down the line. His position is:
I don't see much point in playing these games. Deprecate it, pull
it out next year, done.
If this view sticks, it means that the days of abrupt disappearance of
exported symbols are done. Symbols can still go away, but there will be
some advance warning before it happens. Whether it will stick remains to
be seen, however; there is a definite subset of kernel hackers who feel
that there is no need to make life easier for out-of-tree modules.
So what happened with the patch? It turns
out that the ARM architecture has a number of out-of-tree real-time
clock modules which need to be able to call do_settimeofday(). So
Adrian withdrew the patch, and the symbol remains exported.
Comments (1 posted)
The Xen virtual machine has been getting a great deal of attention. Xen allows virtual
systems to be run, over Linux, with high performance. Each machine can run
a different operating system (perhaps even Windows, eventually), can have
its resource usage limited, and can even be moved between physical hosts
while it is running. Xen is of interest to people doing kernel
development, or who are interested in providing virtual hosting services.
Xen works by creating its own virtual hardware architecture, to which guest
kernels are ported. The separate architecture is required to enable Xen to
truly isolate guest systems in such a way that they cannot break out. This
approach also allows Xen to perform various performance-enhancing tricks,
such as allowing Xen systems to communicate by transparently remapping
pages between them. For Linux, the Xen patches create a completely new
architecture (arch/xen) which, while resembling the i386
architecture (and copying many files from it), is separate from it.
For some time now, certain kernel developers have been saying that the
merging of Xen was imminent. Nobody seems to object to having support for
Xen in the mainline kernel, but there is one little glitch: back in
December, Andi Kleen objected to the
creation of a separate Xen architecture. The creation of a completely new
architecture which duplicates much of the i386 code will, says Andi, lead
to long-term maintenance problems. He would much rather see Xen support
merged into an i386 subarchitecture.
Xen developer Ian Pratt initially responded
that such a merge was not feasible, and, besides, maintaining the separate
architecture had not been a problem for them so far. Andi remained
convinced, however, that things would not work well in the long term. The
discussion slowed to a halt without any real decisions being made, one way
or another.
Andrew Morton recently decided to restart the
conversation with an opinion of his own:
I tend to agree with Andi, and I'm not sure that the Xen team fully
appreciate the downside of having an own-architecture in the
kernel.org kernel and the upside of having their code integrated
with the most-maintained architecture. It could be that the
potential problems haven't been sufficiently well communicated.
Ian Pratt came back with a new proposal.
The Xen group would start by doing the easy parts of merging the Xen code
directly into the i386 architecture. Most of this work, he says, would
involve cleaning up the i386 code; the result would be a halving of the
number of files modified by the Xen patches. The remaining changes would
then go in as an i386 subarchitecture except for any Xen code which is
useful for all architectures; that, instead, would end up in
drivers/xen/core. Further unification and cleanup could happen
after the merge takes place.
This approach appears to have satisfied the critics, the obligatory minor
quibbles notwithstanding. So that is probably the path Xen will take to
get into the mainline. There is, it would seem, a fair amount of work to
be done before that mainline merge can actually happen, though, so it's not
at all clear that it can be done in time for 2.6.12.
Comments (2 posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
In Part 1 of this article we looked at general differences between Debian GNU/Linux and FreeBSD from the
point of view of a system administrator maintaining a web server. In the
second part, we'll investigate the security aspects of each operating
system and briefly look at some issues requiring consideration when
migrating applications and scripts between Linux and BSD.
In this age of increasing Internet vandalism, it is vital that system
administrators keep close eyes on vulnerabilities discovered in any of the
software packages deployed on their servers. Luckily, both Debian and
FreeBSD have developed solid infrastructures for keeping their operating
systems patched and/or updated in a speedy manner whenever a security
problem arises. However, the two differ radically in the way they implement
these security updates. This is probably one area that will have the
greatest weight on a system administrator's decision to choose an operating
system, so let's get it out right away: keeping a Debian installation
up-to-date with respect to security patches is extremely simple,
straightforward, and well-established. On the other hand, keeping FreeBSD
up-to-date is a complex issue involving many steps. While this might sound
like a discouraging remark, there are certain advantages to the FreeBSD
approach. We'll investigate these in the next few paragraphs.
A stable Debian release has a security team which is normally very fast in
issuing security advisories and releasing patches to fix known
vulnerabilities. System administrators running Debian systems can subscribe
to the debian-security-announce
mailing list, then every time a security advisory is announced on the list,
a simple "apt-get update && apt-get upgrade" will patch all known
security holes in the system. This is a simple, well-proven method that has
worked for Debian for many years. It can even be automated so that patches
are applied automatically (with a custom script or with cron-apt) on a
daily basis, although many users prefer to oversee these updates, just in
case something needs extra attention. It is important to realize that in a
stable Debian branch, a package with a security problem is almost never
upgraded to a later version to fix the problem; instead, the existing
version is patched to fix the vulnerable code. Apart from that, there is
little else that needs to be said here. Because of the power of apt-get,
combined with fast work of the Debian security team, it is extremely easy
to maintain a Debian system that is free of security problems. This is
perhaps the strongest case for using Debian stable as a web server.
Things are quite a bit more involved in FreeBSD. But before we get into the
details, let's make one thing clear - an observation that may not be
immediately apparent to a user who has been using a Linux distribution for
a while and who is now looking to migrate to one of the BSD operating
systems. As already mentioned in the first part of this article, FreeBSD
consists of two independently maintained layers: a base system (commonly
referred to as the "kernel and userland") and additional applications (or
"ports" in BSD speak). This separation of the base system and applications
has its advantages - as an example, administrators who are still running
the legacy 4.x FreeBSD systems can install the latest versions of most
applications without having to upgrade to the newer FreeBSD 5.x series. On
the negative side, this separation means that they need to pay attention to
security issues on two fronts - in the base system, and in any of the
installed ports. These can be handled in several different ways, but BSD's cvsup, in combination with another automation tool, is probably the most common method in use.
First let's take a look at the base system. All administrators running
FreeBSD should subscribe to the freebsd-security-notifications
mailing list to keep informed about any security advisories issued by the
FreeBSD project. This list is strictly limited to security issues found in
the FreeBSD base system, never in the ports. As such, it is a low-volume
list - in 2004 there were only 17 security advisories published on this
list (in contrast, the Debian security team published a total of 228
security advisories during the same period).
Once system administrators receive a security advisory, they have three
options. The first one (and the easiest) is to download and install the
updated binary userland package or kernel. While this is generally a simple
task, it is only relevant to systems running the FreeBSD GENERIC kernel and
userland. In practice, however, most administrators will probably run a
modified kernel and therefore will need to use one of the alternative
update methods. The second option is manual patching; this involves
downloading the patch, verifying the GPG signature, applying the patch,
then recompiling the userland (or a part of it), kernel, or both. The third
option is probably the most widely used - by tracking the security branch
of a FreeBSD release, system administrators can use the cvsup tool to
update their userland and kernel after each security advisory, then
recompile both (if necessary), and reboot the system.
As for security issues in FreeBSD ports, probably the easiest way to keep
informed about the potential vulnerabilities in any of the installed ports
is with the "portaudit" tool. Portaudit uses the Vulnerability and eXposure
Markup Language, an XML application for documenting security issues in a
software package collection. Once installed, it will scan for security
vulnerabilities once per day and report any problems as part of the
FreeBSD's daily security report. When vulnerabilities are found, the
administrator has a choice of either applying binary updates, or
downloading updated ports and recompiling them on the system. Again, the
former option is only relevant to vanilla systems and is rarely used in
practice. Compiling ports, however, can be time-consuming; it involves
updating the local ports tree with cvsup, then checking a relevant text
file for potential caveats, before running the usual 'make install'
command. Some packages might need manual intervention, while others might
require that their dependencies be recompiled as well. To make the task of
upgrading ports less tedious, many system administrators prefer to use
"portupgrade", probably the best tool for this task. Nevertheless, even
with portupgrade, manual intervention is often needed. It is worth
mentioning that, besides cvsup, a new tool, called "portsnap" is gaining
increasing acceptance among FreeBSD users.
An important consideration arises where administrators run mixed-OS
environments, or decide to migrate custom applications and scripts from
Linux to FreeBSD and vice versa. While most general-language scripts
written in Perl or Python will work equally well on both systems, shell
scripts will often not. This is because most Linux distributions use GNU
utilities, while BSD operating systems have developed their own shell
utilities with arguments and switches that often differ from the GNU ones.
A good case in point is "sed", which is part of the FreeBSD userland and
which sometimes behaves differently from GNU sed. That said, GNU sed is
available in FreeBSD as a port called "gsed", so something like
's/sed/gsed/g' might come in handy when converting scripts between the two systems.
Other shell scripts might need manual update - even commands like "date" or
"stat" behave differently under the two operating systems.
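The portability differences described above, as an added example that is not part of the original article: small POSIX sh shims that hide the GNU/BSD differences in sed -i, stat and date so the same administration script runs on Debian and FreeBSD. The detection method (probing for --version, which only the GNU tools accept) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: helpers for scripts that must run on both a GNU
# userland (Debian) and a BSD userland (FreeBSD).

# Report which sed is first in PATH: "gnu" or "bsd".
# GNU sed answers --version with "sed (GNU sed) x.y"; BSD sed rejects it.
sed_flavor() {
    if sed --version 2>/dev/null | grep -q '(GNU sed)'; then
        echo gnu
    else
        echo bsd
    fi
}

# In-place substitution.  GNU sed accepts "sed -i 's/a/b/' file" while
# BSD sed requires a backup-suffix argument ("sed -i '' 's/a/b/' file"),
# so the same command line cannot serve both.  Writing to a temporary
# file and renaming it sidesteps the difference entirely.
# usage: sed_inplace 'expression' file
sed_inplace() {
    expr_="$1"
    file_="$2"
    tmp_="${file_}.tmp.$$"
    sed -e "$expr_" "$file_" > "$tmp_" && mv "$tmp_" "$file_"
}

# Modification time of a file in seconds since the epoch.
# GNU stat selects a format with -c, BSD stat with -f.
file_mtime() {
    if stat --version >/dev/null 2>&1; then
        stat -c %Y "$1"          # GNU coreutils
    else
        stat -f %m "$1"          # BSD
    fi
}

# Convert epoch seconds to a YYYY-MM-DD date (UTC).
# GNU date parses "@seconds" via -d; BSD date takes the seconds via -r.
epoch_to_date() {
    if date --version >/dev/null 2>&1; then
        date -u -d "@$1" +%Y-%m-%d   # GNU coreutils
    else
        date -u -r "$1" +%Y-%m-%d    # BSD
    fi
}
```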
Given the above analysis, it is clear that Debian GNU/Linux is a system
administrator's dream come true. It is stable, secure, and extremely easy
to maintain. Its main disadvantage is that
stable releases are increasingly few and far between, so a Debian system
tends to get out of date. If this is unacceptable, administrators have an
option to install newer packages from third-party repositories or perhaps
upgrade to one of the Debian-based distributions with more frequent stable
releases, such as Ubuntu Linux. On the other hand, if it is desirable to
keep applications up-to-date to take advantage of new features in them,
FreeBSD is hard to beat. The applications in its ports tree are maintained
independently of the base system and can be updated regularly with relative
ease. On the negative side, maintaining a FreeBSD system and keeping it
up-to-date with security and bug-fix updates is a complex and
time-consuming task, sometimes requiring hours of compiling software.
Comments (9 posted)
Distribution News
Click below for the minutes from the February 24, 2005 meeting of the
Fedora Extras Steering Committee. Included are pointers to the schedule
for Fedora Extras, news about the creation of an accounts system, the CVS
infrastructure and more.
Full Story (comments: none)
The summaries and full logs of the last two Ubuntu Community Council
Meetings are available. For the meeting on February 8 topics included
Reply-To Redux (for ubuntu-users list), LoCo Teams, and New Members and
Maintainers. Here is the summary and the full log. The next meeting was held February 22, with a look at Reply-To revisited, a new MOTU (Master Of The Universe) to review packages, a review of LoCo team leader candidates, and more. Here is the summary and the full log.
Comments (none posted)
Here is the latest update on Debian Project Leader Election 2005. There are six candidates: Matthew Garrett, Andreas Schuldei, Angus Lees, Anthony Towns, Jonathan Walther and Branden Robinson. Platforms should be available soon, if they are not already posted at the Debian Vote 2005 website.
Bits from SPI looks at the latest news from SPI (Software in the Public Interest). There are some new pages at the web site: one for meetings, another that now accepts donations by check from Canada, plus a president's page and a secretary's page. The next SPI meeting will be held on IRC on March 15, 2005.
Comments (none posted)
Dropline GNOME has announced the release of the Dropline GNOME 2.8.3 desktop for Slackware Linux. This release has been built for Slackware 10.0 and has also been tested on Slackware 10.1.
Comments (none posted)
New Distributions
Asterisk PBX is Linux-based, open source PBX software that provides voice over IP in three protocols and is interoperable with most standards-based telephony equipment using comparatively inexpensive hardware. If you want an easy way to play around with Asterisk, check out Asterisk Live! This distribution is available as a Live CD and a Compact Flash install. The Getting Started With Asterisk guide provides an excellent starting point for both Asterisk and Asterisk Live!
Comments (none posted)
BioBrew Linux is an open source Linux
distribution based on the NPACI Rocks cluster software and enhanced for
bioinformaticists and life scientists. It automates cluster installation,
includes all the HPC software a cluster enthusiast needs, and contains
popular bioinformatics applications.
Comments (none posted)
Pie Box Enterprise Linux is a product of UK-based PixExcel. This distribution is built from Red Hat source RPMs to remain compatible with Red Hat Enterprise Linux. The latest offering, Pie Box Enterprise Linux 4 AS, was announced (click below) on February 28, 2005.
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for March 1, 2005 is out, with a look at an open letter to OASIS, an update on the Sarge release status, Debian Cluster Components, a report on Debian at LinuxWorld, GNU/Hurd progress with L4, some answers to common release questions, a status update for the AMD64 Port, and more.
Full Story (comments: 20)
The Gentoo Weekly Newsletter for the week of February 28, 2005 is out. This issue covers the first European Gentoo developer meeting, Gentoo at FOSDEM 2005, package updates from the Gentoo Apache Team, new documentation for Gentoo/FreeBSD, and several other topics.
Full Story (comments: 1)
Ubuntu fans are already accustomed to the term Universe as the repository
of packages available for Ubuntu, but not part of the core system. MOTU or
Masters Of The Universe are those people who maintain packages in
Universe. In this first issue of the MOTU report the current team is
introduced, there's a look at how to get involved, and a look at future
plans.
Full Story (comments: none)
Here is the Ubuntu Traffic covering the final week in January. Some of the threads covered include Testing Language Packs, Fedora Plans and Ubuntu, Array CD 3, GTK2 CD Burning in Hoary, Translating and Rosetta, Ubuntu Documentation Team Happenings, and more.
Comments (none posted)
The DistroWatch Weekly for February 28, 2005 is out. "Welcome to this year's 9th
issue of DistroWatch Weekly! In this week's issue we will take a look at
Fedora Core 4 which, despite its delay, is no doubt going to be an
exciting release with many new features. Mandrakesoft and Conectiva
announced a surprise merger last week, but don't expect their products to
merge too, at least not in the short term. And those who are thinking about
buying the recently released Red Hat Enterprise Linux 4 can now sign up for
a 30-day evaluation period at no cost. Many more topics are covered in this
issue, so without further ado: happy reading!"
Comments (none posted)
Minor distribution updates
Lineox has released Lineox Enterprise Linux 4.0, built from Red Hat Enterprise Linux 4.0 source packages. "Lineox has replaced some
graphics files and changed or replaced some other files mainly because of
trademark issues while retaining full compatibility. This release includes
also updated packages which were built from 28 source packages..."
Full Story (comments: none)
Puppy Linux has released Puppy Linux version 0.9.9, and the first official release of Puppy Unleashed. "If Puppy does not have the application you need, now there is a very
simple solution: use Puppy Unleashed to create your own custom live-CD or
USB-stick with exactly the apps you need. Even get Puppy smaller if you
want, like 35M or less. Unleashed currently has about 260 packages, and our
Puppy enthusiasts are preparing more. The build script is highly
intelligent, with dependency checking and automatic generation of menus for
the window managers."
Full Story (comments: none)
tinysofa has released tinysofa enterprise server v2.0 Update 1 (Odin). "This maintenance release
incorporates updates issued since the release of 2.0 and addresses all
known security issues."
Comments (none posted)
Package updates
Fedora Core 3 updates:
gimp-help-2-0.1.0.7.0.fc3.1 (version 2-0.7),
bind-9.2.5rc1-1 (upgrade to ISC BIND v9.2.5rc1),
gnucash-1.8.11-0.fc3 (upgrade to v1.8.11),
dhcp-3.0.1-40_FC3 (bug fixes),
at-3.1.8-64_FC3 (now supports access control with PAM),
vixie-cron-4.1-24_FC3 (bug fixes and enhancements),
lam-7.1.1-1_FC3 (upgrade to v7.1.1),
pvm-3.4.5-2_FC3 (bug fixes),
radvd-0.7.3-1_FC3 (upgrade to v0.7.3),
selinux-policy-targeted-1.17.30-2.83 (allow squirrelmail spell checking to work),
openoffice.org-1.1.3-6.5.0.fc3 (fix individual programs not launching),
tcsh-6.13-10.FC3.1 (fix incorrect message output),
gamin-0.0.25-1.FC3 (fixes some problems with gamin-0.0.24).
Comments (none posted)
Trustix Secure Linux has issued a bug fix advisory for cyrus-imapd, dev,
postfix, ppp, samba, and squid. Click below for details.
Full Story (comments: none)
Newsletters and articles of interest
O'ReillyNet has an interview with several core NetBSD developers. "NetBSD's goal is to port the
OS to as many platforms as it can. Which missing platforms would you like
to support?
Christos Zoulas: We are currently working on IA64 and we should have
something to show soon. As far as other platforms go, it is quite
random."
Comments (none posted)
Distribution reviews
Linux Times.net compares Xandros v3 Open Circulation Edition with SimplyMEPIS 2004.6. "Xandros is a commercial company, but they are offering the so called
"Open Circulation Edition" for free download via BitTorrent. However, the
OCE does not have all the features as the boxed versions, but more about
this later. SimplyMEPIS on the other hand gives you a full version of
MEPIS, while they ask you to register your copy by making a small
donation."
Comments (none posted)
Page editor: Rebecca Sobol
Development
March 2, 2005
This article was contributed by Frank Pohlmann
There was a time when there were only a few open source version control systems: CVS and RCS were the most prominent examples and there was little else. Since the late 1990s a huge number of Source Code Management (SCM) systems have come into existence. GNU Arch, Subversion and Monotone are some of the more prominent projects, but there seems to be no consensus as to what constitutes a good approach to Source Code Management. As a result, open source SCMs fill a huge number of niches, although - as Larry McVoy pointed out a while ago - except for systems that scale well for hundreds of users, there is little money to be made from consultancy or support. Famously, Linus Torvalds uses Larry's commercial package BitKeeper.
Architecture and Features
GNU Arch is a distributed version control management system, i.e. it allows the "cloning" of a directory tree containing the source or binary files stored at a local or remote repository. The word "directory" is used advisedly here, since Arch creates new repositories and archives by creating new directories inside ftp, sftp or WebDav servers. There is no database or special file format underlying GNU Arch; as the documentation points out, "remote archives do not require an Arch specific server." GNU Arch setup is therefore remarkably simple.
Tom Lord designed and wrote GNU Arch. In keeping with the fractious history of open source SCM tools, GNU Arch spawned its own secessionist project named ArX, which was written in C++ and is led by Walter Landry.
Tom Lord started the GNU Arch project as a shell script collection to avoid
having to use CVS; CVS uses a client-server model and does not support
certain types of merge operations, among other things.
Since each branch has its own version of the source tree, and all commands work across local and remote versions of the source tree, it is perfectly possible for someone with read access to a remote source branch to merge the changes committed by a different user at the remote branch with her own source tree: no centralized server is necessary.
Commits are always accomplished atomically on source trees; the changesets in Arch handle a huge variety of data, for instance symbolic link additions, directory changes, and very importantly, renames.
Revisions are always uniquely and globally identifiable. It is perfectly possible to remove and add the same changes to permit experimentation with the code. The merging process will forgive such cruelty, recording the change history and even making the subsets of changes viewable by other developers.
Atomic commits make it possible for changes to propagate to all repositories. If the committer is working from an http repository, the remote user can only accept changes. The committer cannot write the changes to the remote repository. If all users of GNU Arch use ftp, sftp or WebDav, the committer can work from whatever repository he chooses, since he is likely to have cloned the master repository. Once he is finished working, he can propagate the changes to the master repository, or he can just make them available to all members of the project.
It helps that GNU Arch is built on standard Unix utilities, since the files Arch is working with essentially consist of a number of
tar files saved in a Unix directory tree with a few control files thrown in
for good measure. All commits and imports just send compressed tar files to
the remote repository. This, as Tom Lord elaborates on in some depth, could
lead to performance problems. GNU Arch is trying to transfer the
performance load mostly onto client side machines and it is also taking
advantage of the fact that disk space is a lot cheaper
(in terms of cost and performance) than bandwidth.
In short, there are several mechanisms to cope with this problem:
one is cached revisions. The user is able to choose a reasonably
spaced interval at which a cached revision is going to be stored
in the master or local repository.
This avoids the problem of sucking down dozens of change sets during
a major update, and having to live with the concomitant strong network bandwidth burden. After comparing the size of the compressed source tree revision and the number and size of changesets, a caching policy can be chosen by the user. This is not always considered an advantage by some users, and high-traffic developmental sites might find this feature problematic.
Another policy consists in using so-called read-only archive mirrors.
It is perfectly possible to store revisions and changesets at special
archive mirror locations. This can lessen the load on the master
repository, and simplify the work for a developer who is making
all and sundry changes.
A final - and completely client-side - feature of GNU Arch configuration is called a revision library. Again, by using local disk space, pre-built copies of read-only source tree revisions are stored locally, but files that have been left unmodified during changes are shared between revisions. It uses some file-linking magic that makes new changesets that are not shared with previous source incarnations private to the newly patched tree.
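The revision-library mechanism just described, as an added illustration that is not GNU Arch's own code: a POSIX sh function that builds a new revision directory by hard-linking every file from the previous revision and then replacing only the files a changeset touches, unlinking each one first so the shared inode (and therefore the earlier revision) is never written through. The changeset layout (a directory holding full copies of the changed files) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed example of a hard-link based revision library.
#
# new_revision LIB PREV NEW CHANGESET
#   LIB/PREV  : existing, read-only revision directory
#   LIB/NEW   : revision directory to create
#   CHANGESET : directory holding full replacement copies of every
#               file that changed (assumed layout, not Arch's format)
new_revision() {
    lib="$1"; prev="$2"; new="$3"; cs="$4"
    mkdir -p "$lib/$new"

    # Recreate the directory skeleton of the previous revision.
    ( cd "$lib/$prev" && find . -type d ) | while read -r d; do
        mkdir -p "$lib/$new/$d"
    done

    # Hard-link every file: unchanged content costs no extra disk space.
    ( cd "$lib/$prev" && find . -type f ) | while read -r f; do
        ln "$lib/$prev/$f" "$lib/$new/$f"
    done

    # Apply the changeset.  rm first: writing through the existing link
    # (e.g. with >> or an editor that edits in place) would alter the
    # previous revision too, because both names share one inode.
    ( cd "$cs" && find . -type f | while read -r f; do
        mkdir -p "$lib/$new/$(dirname "$f")"
        rm -f "$lib/$new/$f"
        cp "$f" "$lib/$new/$f"
    done )
}

# link_count FILE: how many directory entries share FILE's inode
# (GNU stat selects a format with -c, BSD stat with -f).
link_count() {
    if stat --version >/dev/null 2>&1; then
        stat -c %h "$1"
    else
        stat -f %l "$1"
    fi
}
```

After the call, an unchanged file shows a link count of 2 (shared by both revisions) while a changed file has a private copy with a link count of 1.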
Other features make GNU Arch truly shine, in particular with regard to merging, although it has to be said that low-level work with GNU Arch
can be demanding. It has an extremely complex command set, allowing a
level of control and granularity that is unusual, even for source code
management professionals.
It is not easy to compare GNU Arch to other OSS version control management systems, unless one is willing to
compare it to other distributed architectures.
Neither CVS nor Subversion fall into that category.
For anyone migrating from CVS or Subversion, it is possible to
feel at home, since the base command sets are similar.
It is useful to budget some time for the migration, since
GNU Arch documentation is not entirely comprehensive.
But in all, it is a very fast, very powerful version control management system perfectly suited to the distributed world of open source development.
Comments (13 posted)
System Applications
Audio Projects
The latest changes from the Planet CCRMA audio utility packaging project include new versions of Ardour, Liblo, and Iemlib.
Comments (none posted)
Database Software
The February 25, 2005 edition of the PostgreSQL Weekly News
is online with the week's PostgreSQL database news.
Full Story (comments: 1)
Version 1.40 of DBD::Pg, the DBI PostgreSQL interface for Perl, has been announced. "This version has many changes from 1.32, including support for server-side prepares, SQLSTATE codes, a last_insert_id function, and improved Win32 support."
Comments (none posted)
Filesystem Utilities
Version 1.2.4 of Lustre, a cluster filesystem, is now available as open-source software. "Lustre 1.2.4 was first released to our customers in July 2004, and contains a number of improvements over the previous public release".
Full Story (comments: none)
Interoperability
Version 3.0.12 pre-1 of Samba is available. "This release is *not* intended
for production servers. However, there have been several bug
fixes and new features added since 3.0.11 that we feel are
important to make available to the Samba community for wider
testing."
Full Story (comments: none)
Libraries
Version 3.6.1 of FreeImage, a cross-platform library with support for popular image formats, is out. "This maintenance release fixes a memory leak occurring in the metadata API. As this also affects bitmap loading, upgrade is highly recommended."
Comments (none posted)
A new PDF rendering library called Poppler has been announced. "A couple of weeks ago there was some discussion about forking xpdf into a pdf rendering library. The thread sort of died, but it's an important issue, so I've gone ahead and created this thing and called it poppler."
Full Story (comments: none)
Networking Tools
Stable version 19.7 of Moodss, a modular GUI application for monitoring systems, networks, and databases, is available. "In this version, an annoying bug that prevented database browsing was fixed. The title areas of displayed data tables now change color to reflect the states of the corresponding modules. A standard deviation column was added to the statistics table."
Comments (none posted)
Printing
Version 1.0 of accsnmp is available for CUPS. The project description states: "A Perl backend wrapper that accounts for jobs by querying the printer over SNMP for its pagecount before and after the job. Built-in support for job and user blacklisting. Simple accounting function stores user pagecounts in text files. Easily customizable."
Comments (none posted)
Web Site Development
The News Picks feature from the GrokLaw site has been released as open-source code. "I just wanted to let you know that stevem's code for our News Picks feature
has been accepted by Geeklog, and it's downloadable as a plugin on Geeklog's
website. So now anyone who wishes can use this new feature on their websites
too. Enjoy. It's under the GPL, naturally. So, Son of Groklaw and Bride of
Groklaw websites and everyone else too: Have at it. : )"
Comments (none posted)
Desktop Applications
Data Visualization
Version 5.1.18 of Grace, a WYSIWYG 2D plotting tool, has been announced. "This is a maintenance release of the 5.1 series; an upgrade is recommended."
Comments (1 posted)
Desktop Environments
The first release candidate for KDE 3.4 is now available for source download. "We want to have this tested as much as often, so we can't wait for
vendor binaries, so please test the sources if you have experience in
this." Click below for additional information on using konstruct to
help build the RC1 from sources.
Full Story (comments: none)
The following new GNOME software has been announced this week:
Comments (none posted)
The following new KDE software has been announced this week:
Comments (none posted)
Release Candidate 2 of XFree86 4.4.99 has been announced. "Well it seems that the last candidate has some, ehem, problems and so our Release Engineer David Dawes has rolled another Candidate.
This puts us squarely into the midst of the xtest. phase of our Release cycle. All the source and the particular notes for xtest are included with the Candidate, so this is very much One-Stop Shopping."
Comments (none posted)
Electronics
Version 3.3.10 of XCircuit, an electronic schematic drawing package, is available with several bug fixes.
Comments (none posted)
GUI Packages
Version 2.5.4 of wxWidgets, a cross-platform GUI package, is available. "This is a development snapshot; we intend to make one more snapshot release (2.5.5) and then make the stable 2.6 release in March. Please let us have feedback and patches based on your experience on 2.5.4!"
Comments (none posted)
Medical Applications
LinuxMedNews
has announced the availability of OpenVistA VivA FOIA Gold 20050212,
an electronic medical records system.
"
OpenVistA VivA FOIA Gold 20050212 is available as is OpenVistA SemiVivA FOIA Gold 20050212. Effective this release, release numbers will reflect the date of the VistA release on the US Department of Veterans Affairs FTP site; in this case, Feb 12, 2005."
Comments (none posted)
Music Applications
The initial release of sc88sysex, a MIDI system exclusive data utility
for the Roland SC-88 synthesizer, is out.
Full Story (comments: none)
Version 0.17 of liblo, a library that implements the Open Sound
Control protocol, is out with bug fixes and new features.
Full Story (comments: none)
Office Suites
Volume 02, Issue 8 of the OpenOffice.org Newsletter is online
with the latest OpenOffice.org project information.
Full Story (comments: none)
Version 1.9.79 of the ooo-build OpenOffice.org fork has been released.
This version includes numerous bug fixes, some documentation improvements,
and more.
Full Story (comments: none)
Video Applications
Version 0.1.0 of xjadeo has been announced.
"
xjadeo is a rather featureless video player (it understands just one
single video encoding) that displays the video frame corresponding to
jack's timebase.
Its purpose is to make possible visual feedback when working on the
soundtrack of a video clip."
Full Story (comments: none)
Web Browsers
The Mozilla Foundation has
announced
the availability of Firefox 1.0.1. This release contains a number of
security fixes, including a patch for
the IDN
spoofing vulnerability. See
the release
notes for the details.
Comments (11 posted)
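The IDN spoofing fix above turns on the gap between what a browser renders and what actually goes out in DNS: a hostname containing non-ASCII letters is sent as an `xn--` Punycode label, but a label such as "pаypal" with a Cyrillic а renders indistinguishably from "paypal". The following is an added example for this page, not Mozilla's or Opera's code; it uses only the Python standard library (the built-in `idna` codec, which implements IDNA 2003, and `unicodedata`) and flags a hostname when a label mixes scripts or maps onto an ASCII name through a small lookalike table. That table is constructed here and deliberately incomplete; a real deployment would use the Unicode confusables data.

```python
"""Flag IDN homograph (Punycode spoofing) candidates in hostnames.

Added example for this page, not code from Mozilla or Opera. Standard
library only: the 'idna' codec gives the ToASCII form that is sent to
DNS, unicodedata gives the script of each letter.
"""
import unicodedata

# Constructed, deliberately incomplete table of letters that render like
# Latin letters in common fonts (assumption: real code would load the
# Unicode confusables.txt data instead of this hand-picked subset).
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch):
    """Script name from the Unicode character name ('LATIN', 'CYRILLIC',
    'GREEK', ...). Digits, hyphens and other non-letters are 'COMMON' so
    they never count as a second script on their own."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_ascii(label):
    """IDNA ToASCII for one label: pure-ASCII labels come back unchanged,
    anything else becomes an xn-- Punycode label. This is the string that
    goes into the DNS query, whatever the address bar shows."""
    return label.encode("idna").decode("ascii")


def analyze_label(label):
    """Per-label findings: Punycode form, set of scripts used, whether the
    label mixes scripts, and the ASCII name it impersonates (if any)."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    lookalike = "".join(LOOKALIKES.get(ch, ch) for ch in label)
    ascii_form = to_ascii(label)
    # Homograph case: the label is not ASCII, but substituting lookalikes
    # yields a plain ASCII name (e.g. Cyrillic 'pаypal' -> 'paypal').
    homograph = lookalike if (label != lookalike and lookalike.isascii()) else None
    return {
        "label": label,
        "ascii": ascii_form,
        "is_idn": ascii_form.lower().startswith("xn--"),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "homograph_of": homograph,
    }


def analyze_host(host):
    """Analyze every label of a hostname and return the Punycode hostname
    plus a 'suspicious' verdict. A legitimate single-script IDN such as
    'münchen' is an IDN but is not reported as suspicious."""
    findings = [analyze_label(lbl) for lbl in host.rstrip(".").split(".")]
    suspicious = any(f["mixed_script"] or f["homograph_of"] for f in findings)
    return {
        "host": host,
        "punycode": ".".join(f["ascii"] for f in findings),
        "labels": findings,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed sample hostnames: a plain name, the classic Cyrillic-а
    # homograph, and a legitimate German IDN.
    for h in ("www.paypal.com", "www.p\u0430ypal.com", "www.m\u00fcnchen.de"):
        r = analyze_host(h)
        print(f"{h:20} -> {r['punycode']:24} suspicious={r['suspicious']}")
```

The mixed-script test is what catches the Cyrillic-а variant; a lookalike table is still needed for labels written entirely in one non-Latin script that happen to spell an ASCII name, which is why both checks feed the verdict.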
Version 1.8 Beta 1 of the Mozilla browser
has been announced.
"
Web developers
may be interested to hear that this release has partial support for
ECMAScript for XML (E4X), which adds native XML support to JavaScript." See the
change log
for details.
Comments (none posted)
MozillaZine
covers an agreement between the Mozilla Foundation and AOL.
"
Mozilla Foundation has reached an agreement with America Online, which allows
them to host and improve former Netscape DevEdge Content.
Mitchell Baker posted a blog entry informing that Deb Richardson would join
Mozilla Foundation as a technical editor and project manager of DevMo. DevMo
is the new community based project focussed on developer documentation and
resources."
Comments (3 posted)
MozillaZine
has announced the
minutes
from the February 22, 2005 mozilla.org Staff Meeting.
"
Issues discussed include Mozilla Firefox 1.0.1, Mozilla 1.8 Beta, Spread Firefox, update.mozilla.org and the international domain name Punycode spoofing issue."
Comments (none posted)
Languages and Tools
C++
Sachin O. Agrawal
covers C++ exception-handling on IBM developerWorks.
"
Handling exceptions in C++ has a few implicit restrictions at the language level, but you can get around them in some instances. Learn ways to make exceptions work for you so you can produce more reliable applications."
Comments (2 posted)
Caml
The February 22 - March 1, 2005 edition of the Caml Weekly News
is online with the latest Caml language articles.
Full Story (comments: none)
Java
SourceForge has
announced a contribution of over 30 open-source projects from
IBM. The IBM Jikes Compiler for the Java Language and several other
Java-based projects are part of the release.
Comments (none posted)
O'Reilly has published
part two in an excerpt series on internationalization under Java.
"
Part one of this two-part excerpt from Java
Examples in a Nutshell, 3rd Edition covered the first two steps to
internationalization in Java: using Unicode character encoding and handling
local customs. This week deals with the third step in the process: localizing
user-visible messages."
Comments (none posted)
JSP
Rick Hightower
discusses the JSF application lifecycle on IBM developerWorks.
"
In this second article in his four-part JSF for nonbelievers series, Rick Hightower introduces the major phases of the JavaServer Faces (JSF) request processing lifecycle. Using a sample application, he walks you through the six phases of a request process. Along the way, he shows you how to combine JSF with JavaScript technology for immediate event handling and completes your introduction to the JSF component model with a first look at many of the components that ship with JSF."
Comments (none posted)
Lisp
The Foil project has been announced.
"
Rich Hickey has announced on Feb 24, 2005 the availability of Foil
(Foreign Object Interface for Lisp). It "[...] consists of a protocol
and a set of libraries that facilitate access to popular object
runtimes, such as the JVM and the CLI/CLR, and their libraries [...]"
from Common Lisp."
Full Story (comments: none)
Perl
use Perl
has announced the Spring 2005 edition of
The Perl Review.
Articles include:
Hashes with History, Test::Number::Delta, 9-Block Quilt Patterns in Perl,
Packet Sniffing with Perl, Serious Perl, Barcodes from Perl, and more.
Comments (none posted)
Use Perl
has announced the availability of the document
Pugs Apocryphon 1, a description of Pugs.
"
Started in February 2005, Pugs is an implementation of the Perl 6 language. Autrijus Tang is responsible for the design and development of Pugs with help from a group of committers and contributors."
Comments (none posted)
The February 9-22, 2005 edition of
This Fortnight in Perl 6 is online with the latest Perl 6 news.
Comments (none posted)
PHP
The
PHP Weekly Summary for January 24, 2005 is out. Topics include:
auto_globals_jit, build issues, stream_socket_accept(), unwanted fixes, win32 freetds support, PHP-GTK 2 on a roll, and --prefer-non-pic fixed.
Comments (none posted)
The
PHP Weekly Summary for January 31, 2005 is out. Topics include:
More PHP-GTK 2 development, checking for installed modules, superglobals and variable variables, build issues continued, uploading files and ext/mbstring, commits to stable branch, and SPL-based exceptions.
Comments (none posted)
The
PHP Weekly Summary for February 7, 2005 is out. Topics include:
Referencing superglobals, planning PHP 5.1, PHP-GTK 2 development (continued), shared resources between extensions, moving to PECL,
and Call for Papers: ApacheCon Europe.
Comments (none posted)
Caroline Maynard, Graham Charters, and Matthew Peters
use PHP for business logic on IBM developerWorks.
"
Many Web developers enjoy the versatility and ease of use of PHP, but sometimes they need to access existing business logic in a J2EE application server. In this article and through code examples, learn how to use the new SOAP extension in PHP 5 to access a J2EE application using Web services, without having to leave the PHP environment or learn a new programming model."
Comments (none posted)
PostScript
Beta version 4.62 of GSview, a PostScript viewing application,
has been announced; it features multiple bug fixes and other improvements.
Comments (none posted)
Python
The February 24, 2005 edition of Dr. Dobb's Python-URL! is
out with links to numerous Python language articles and resources.
Full Story (comments: none)
The March 1, 2005 edition of Dr. Dobb's Python-URL! is online
with the latest Python language news and resources.
Full Story (comments: none)
The January 16-31, 2005 edition of the python-dev Summary
is online with a summary of traffic on the python-dev mailing list.
Full Story (comments: none)
Ruby
The February 27, 2005 edition of the
Ruby Weekly News is available with the latest news and discussion
from the ruby-talk mailing list.
Comments (none posted)
Tcl/Tk
The February 28, 2005 edition of Dr. Dobb's Tcl-URL! is
online with the latest Tcl/Tk news and resources.
Full Story (comments: none)
XML
Emmanouil Batsis
explores Sarissa on O'Reilly.
"
Client-side XML processing. Today's browsers do cover the basics and some of them go even further, offering support for XHTML, SVG, XSLT, XPath, XLink, validation using W3C XML Schema, and more. This article will introduce you to basic cross-browser XML development with the aid of Sarissa, an ECMAScript library designed to stop those nasty incompatibilities before they get too close."
Comments (none posted)
Rich Salz
covers the benefits and shortcomings of xml:id on O'Reilly.
"
XML attributes whose type is ID are very important. They are the only fundamental way to identify a piece of XML. While we have XPath, XPointer, and so on, the only identification mechanism that every XML parser, and therefore every XML application, must understand is ID attributes."
Comments (none posted)
IDEs
EclipseCon 2005 is
happening
this week, with the result that a number of announcements have been
made. One is
the
release of a set of tools for "business intelligence and reporting,"
created by Actuate Corporation. This is a developer release; the 1.0
release is expected within the next few months. Also
announced
is the first developer release from the Web Tools Platform project.
Comments (6 posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Groklaw has
the text of Richard Stallman's FOSDEM talk, which was about freeing the BIOS.
"
But once in a while the manufacturer suggests installing another BIOS, which is available only as an executable. This, clearly, is installing a non-free program--it is just as bad as installing Microsoft Windows, or Adobe Photoshop, or Sun's Java Platform. As the unethical practice of installing another BIOS executable becomes common, the version delivered inside the computer starts to raise an ethical problem issue as well."
Comments (48 posted)
ZDNet
reports from Alan Cox's FOSDEM talk. "
'One of the hard problems to fix are design errors,' said Cox. 'These are a pain because they need a lot of refactoring. Linus' approach is to re-write it to a better design. But to get a stable kernel you tend to do small horrible fixes. Linus is very keen to have maintainable code, while to have a stable kernel I'm keen to have code that works.'"
Comments (15 posted)
Trade Shows and Conferences
NewsForge
covers
an announcement from the Free Software Foundation Europe on a new
Fellowship program. "
The Fellowship program was officially launched
at FOSDEM -- the Free and Open Source Developers' European Meeting -- with
the call to "stand up to protect our freedom to shape and participate in a
digital society that respects liberty and privacy." Its logo encapsulates
the aims of the program: a person, representing the freedom for
individuals, that looks like an addition symbol, reflecting the community
as a sum of its parts, with each fellow adding something."
Comments (none posted)
LinuxMedNews has complete
coverage of the SCALE 3x conference.
"
Wrap up reports and reviews are in and SCALE 3x, the third annual Southern California Linux Expo appears to have been a huge success, with over 900 attendees, 30 seminars and 42 booths on their exhibit floor."
Comments (none posted)
KDE.News
reports on Solutions
Linux 2005. "
Solutions Linux trade show is the French annual
rendez-vous of Free Software technologies and their commercial
applications. This year, it ran from February 1st to February 3rd. Like
preceding years, KDE-France was present and benefited of a free booth in
the "Associative Village"."
Comments (none posted)
The SCO Problem
Robin Bloor
writes off SCO in this IT-Director article. "
From a legal perspective, Open Source licenses and intellectual property may be a valid point for debate and legal action, but from a fashion perspective, taking on Linux and Open Source is a stupidity, and severely damaging to an organization's brand as SCO has proved quite comprehensively. Open Source is an idea whose time has come."
Comments (8 posted)
Companies
News.com
considers
the effects that IBM's source code release for their Research Hypervisor
(rHype) software may have on the open-source
Xen
virtual machine monitor project.
"
But given rHype's open-source nature and IBM's actions so far, rHype is more likely to be a help than a hindrance to Xen. Specifically, it could help Xen move from its current base of x86 chips to IBM's Power.
"We've spent quite some time talking to its authors," Xen founder Ian Pratt said. "Now that the rHype code is open source, it's a great starting point for a port of Xen to Power.""
Comments (none posted)
News.com
covers
a partnership agreement between IBM and Zend Technologies. "
The two
companies intend to devote programmers to make PHP work better with
corporate databases and Web services protocols. IBM also plans to establish
an area dedicated to PHP on its developer Web site, which will include
technical resources such as white papers. Zend Core will be available as a
free download in the second half of the year."
Comments (16 posted)
News.com
looks at a couple of IBM initiatives aimed at increasing the pool of open source developers - or, perhaps, job applicants. "
The database is scheduled to launch in the third quarter, cataloging the resumes of university students who have open-source expertise. People eligible for inclusion in the database will include those who attend a post-secondary institution covered under IBM's Academic Initiative and pass IBM's professional certification exams in open source.
The database will be searchable by IBM customers and business partners."
Comments (none posted)
Linux Adoption
CoolTechZone
has
some suggestions on how Linux could be made more attractive to Windows
users. "
Which one is Linux? The single most confusing thing about
Linux is this. What is Linux? Yes, we know that it's a kernel coupled with
other utilities, but what in tarnation is a kernel? We can understand it if
you tell us that Windows 95 is different from Windows 98, but what do you
mean by saying that Fedora Core 3 is similar to Debian testing, but is
better than Core 2. And of course, Mandrake 10.1 is better than 10.0, but
SuSE is only on 9.2. All this gets very confusing after a while."
Comments (18 posted)
OSDir concludes its "hard truths" series with
this look at the benefits of
desktop Linux, which are deemed to be insufficient. "
I argue
that an excess of software choice actually operates to reduce ease of
use. The presence of a lot of alternatives means choices must be made, and
while it is great to have choice if you know how to choose, novices find
it at best baffling, and at worst mind-numbingly complex."
Comments (10 posted)
Legal
Groklaw
looks at an example of how software patents can wreak havoc in
the corporate world.
"
FT.com has the jaw-dropping story about European futures exchanges, brokers and traders preparing for patent infringement claims from Trading Technologies, a US software company, natch, located in Chicago -- where else? -- which has hit on what it appears to view as a pot of gold for itself by obtaining two patents on its MD Trader software product in August of 2004, patents it is now aggressively enforcing. It settled two patent infringement cases already, under circumstances some are questioning, for some licensing dough, and it is currently suing eSpeed, the electronic arm of Cantor Fitzgerald. eSpeed just had one of its patents ruled invalid in a patent infringement lawsuit it brought in July of 2003, after getting the patent in May, so it's been playing the patent game too. Game? It's like musical chairs. You may also recall eSpeed's Wagner patent."
Comments (none posted)
Interviews
Here's an O'ReillyNet
interview
with Lawrence Lessig. "
What do you get when you mix P2P,
inexpensive digital input devices, open source software, easy editing
tools, and reasonably affordable bandwidth? Potentially, you get what
Lawrence Lessig calls remix culture: a rich, diverse outpouring of
creativity based on creativity. This is not a certain future,
however. Peer-to-peer is on the verge of being effectively
outlawed. Continuation of the current copyright regime would mean that vast
quantities of creative content will be forever locked away from remix
artists."
Comments (none posted)
Mark Stosberg
interviews Rafael Garcia-Suarez on O'Reilly
"
Besides being heavily involved with Perl at Mandrakesoft, Rafael is also the pumpking for the Perl 5.10 release. Rafael answered my questions about using Perl for GUI programming and how he balances his day job with being pumpking."
Comments (none posted)
Howard Wen
interviews Nathan Woods on O'Reilly.
"
Developing code to emulate the hardware and functionality of any computer system is a challenge. Multiply that by over 150 systems and you now have some inkling as to what development is like for MESS, the Multiple Emulator Super System.
Started in 1998, this open source program emulates the processors of scores of classic computer systems and video game consoles, all under one program."
Comments (none posted)
Resources
The
second issue of Free Software Magazine is available online.
Read about the history of SMTP, spam filtering with Postfix,
poking at iTunes, a FUD-based Encyclopedia, and more.
Full Story (comments: none)
NewsForge presents
a tutorial on using OpenOffice.org macros.
"
OpenOffice.org is gaining popularity in the corporate mainstream, yet one of its most powerful features, macros, can be pretty intimidating to new users. Let's see how easy it is to create an OpenOffice.org macro and connect it to a simple pushbutton."
Comments (none posted)
O'Reilly has published
part two in a series by
Robert Bruce Thompson and Barbara Fritchman Thompson on assembling
a budget AMD Sempron 2400+ PC from the ground up.
"
In our
last article, we detailed our component selections for perfect AMD and Intel budget PCs. In this article, we'll actually build the AMD system. We chose the AMD system as our example because we're more concerned about Linux compatibility on this platform than on the Intel-based system."
Comments (none posted)
O'ReillyNet
takes
a look at the PostgreSQL BuildFarm. "
One of the problems that
the PostgreSQL project faces, as many other similar projects do, is how to
know whether some change has broken things on some platform. We don't have
the resources to run every possible combination, nor even a tiny proportion
of them. On several occasions it has happened that breakage only became
apparent some time after a change went in. We created PostgreSQL BuildFarm
to address that difficulty."
Comments (2 posted)
Reviews
NewsForge
reviews
Gammu. "
Gammu is a nice cell phone management tool that simply
works. It is open source, stable, intelligent, feature-rich, complex, and
at the same time it is fun to experiment with. The Wammu interface,
however, will have to reach a stable 1.0 release before I consider it to be
a reasonable competitor to any of the commercial counterparts available for
Windows. Because of the time and fiddling required to make everything work,
I recommend this software mainly to experienced Linux users."
Comments (4 posted)
eWeek
looks
at Gentoo Linux. "
Gentoo's non-commercial status, as well as its
reputation as a bleeding-edge distribution for Linux system tweakers, has
so far dimmed its prospects for enterprise adoption. That said, Gentoo
Linux is maturing quickly, and the system's source code-based software
installation mechanism makes Gentoo a flexible distribution and a good fit
for testing the latest versions of key open-source software
components."
Comments (18 posted)
Linux Planet
takes a
look at Inkscape. "
Inkscape is also an open source vector
graphics editor that uses the SVG (scalable vector graphics) file
format. This is neat because SVG is an evolving standard based on XML that
can be massaged via programs, scripts or a simple text editor. In this
story we'll do a quick primer on how you can get up to speed on
Inkscape."
Comments (none posted)
NewsForge
takes
a look at the upcoming version of OOo. "
Although a list of new
features in version 2.0 has been posted, some have yet to be
implemented. Some may never be implemented. Original plans to rewrite the
charting module, for instance, were dropped early in development. Others
may still change before final release."
Comments (2 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
NoSoftwarePatents.com is
reporting that the European Commission has turned down the European Parliament's request for a restart of the software patent directive process. There is not a whole lot more information available yet.
Comments (13 posted)
The Free Software Foundation Europe has announced a
fellowship program.
"
"We stand up to protect our freedom to shape and participate in a
digital society that respects liberty and privacy." With this slogan,
the Free Software Foundation Europe (FSFE) started its fellowship
program at the FOSDEM fair for Free Software last weekend in Brussels."
Full Story (comments: none)
Ed Felten
notes that
he and sixteen other CS professors (with names like Abelson, Bellovin,
Farber, Kernighan, Rubin, Spafford, Touretzky, etc.) have filed a friend of
the court brief in the Grokster case, which may have wide-ranging effects
on the sort of software which can be written and distributed. The full
brief is available
in
PDF format. "
The very first Internet standards document, dated
April 7, 1969 and known as RFC 1, discusses the use of the
nascent network to connect any user to any remote computer in what is now
called a P2P fashion, and to transmit
files between computers via these connections. Indeed,
these are the only specific network building blocks (called
'primitives') discussed in RFC 1. Development of P2P
interaction and file transfer has continued as the Internet
has grown. Accordingly, any rules that might be applied to
P2P technologies in general, or to file sharing systems in
general, necessarily would apply to the Internet in general."
Comments (1 posted)
Russ Nelson has floated a proposal that any new licenses accepted by the
Open Source Initiative must satisfy three new requirements to be added to
the Open Source Definition. These terms are that the license solves a
problem not addressed by current licenses, that it be simple and
understandable, and that it not be tied to any particular group or
project. Click below for the full message.
Full Story (comments: 51)
Commercial announcements
Here's a
press
release from IBM announcing the company's contribution of more than
thirty open source projects to SourceForge.net and the launch of new online
skills-building programs. "
The projects include IBM's Jikes(TM)
software, a fast Java(TM) compiler that helps developers speed their
development time, and the Life Science Identifier, which helps developers
in healthcare build life sciences applications by automatically scanning
networks for biologically significant data."
Comments (6 posted)
JBoss, Inc. has
released its fourth quarter financial results.
"
JBoss, Inc., the Professional Open Source company, today
announced fourth quarter results for 2004, which closes out the
company's most successful year to date."
Comments (none posted)
Mandrakesoft has sent out a press release announcing that it will be
acquiring Conectiva. Mandrakesoft will be paying €1.79 million
(in stock) for the acquisition. "
Both Mandrakesoft and Conectiva are profitable companies. The
resulting corporation will benefit from several synergies by sharing
development resources, commercial prospects and larger economies of
scale, resulting in improved development potential for both
companies."
Full Story (comments: 8)
MP3tunes has
announced its MP3beamer product.
"
"The MP3beamer is the jukebox in the sky, but it lives in your computer
room," said Michael Robertson, CEO of MP3tunes. "It acts like your own
personal digital music recorder [DMR]. Just as a digital video recorder
stores video and allows you to play it back on TVs, a DMR lets you add a music
track or album to MP3beamer and immediately have it available on your home
stereo, iTunes, PDA or portable device -- virtually any device with speakers
or a headphone jack.""
Comments (1 posted)
The OpenIB Alliance
announced the conclusion of the OpenIB Developer's Workshop.
"
The OpenIB Alliance announced the successful conclusion of the
first OpenIB Developer's Workshop for open source InfiniBand software
development. The workshop was organized in response to the Linux
community's acceptance of the OpenIB software stack into the 2.6
kernel and focused on accelerating software development and testing
for key database, storage and parallel computing applications."
Comments (none posted)
Opera Software released the second Beta version of its next browser, which
includes an answer to the recent security debate over Web site spoofing. In
this Beta, the browser displays security information inside the address
bar, located next to the padlock icon that indicates the level of security
present on a site.
Full Story (comments: none)
PathScale
has won the 2004 Supercomputing Product of the Year poll.
"
PathScale, developer of
innovative software and hardware solutions to accelerate the performance and
efficiency of Linux clusters, has been voted the 2004 Supercomputing Product
of the Year in an online reader's poll conducted annually by
SupercomputingOnline.com, a leading Web-based news source for high performance
computing, networking and communications professionals."
Comments (none posted)
VA Linux Systems Japan K.K. has announced a strategic alliance with Sun Wah
Linux Limited (SWL) to jointly develop a universal Debian GNU/Linux
infrastructure and actively promote the adoption of Debian-based systems in
both the Japan and China markets.
Full Story (comments: 2)
Win4Lin, Inc. has announced that it has begun quantity shipments of
Win4Lin Pro. The shipping version of Win4Lin Pro fully delivers both the
Windows 2000 Operating System and Windows 2000 applications on Linux as
well as early support for Windows XP.
Full Story (comments: none)
New Books
O'Reilly has published the book
Linux Network Administrator's Guide, 3rd Edition by Tony Bautts,
Terry Dawson, and Gregor N. Purdy.
Full Story (comments: none)
O'Reilly has published the book
Linux in a Windows World
by Roderick W. Smith.
Full Story (comments: 1)
O'Reilly has published the book
PC Hardware Buyer's Guide
by Robert Bruce Thompson and Barbara Fritchman Thompson.
Full Story (comments: none)
Pragmatic Bookshelf has published the book
Pragmatic Version Control Using Subversion by Mike Mason.
Full Story (comments: none)
Contests and Awards
KDE.News
mentions a new
logo contest, this time for aKademy 2005.
"
The KDE project is looking for a great new logo for our biggest event of the
year: The KDE Developers and Users Conference 2005, also known as aKademy
2005. This logo will be seen everywhere including websites, on t-shirts and
in magazines. kde-look is hosting the contest to find the new aKademy logo."
Comments (none posted)
A GNOME 2.10 splash screen contest
has been announced.
"
GNOME 2.10 is coming closer and is ready to rock you to the socks.
But to make sure everyone gets rocked properly we need a
superterrific splashscreen.
Now is your chance to join the ranks of the precious few who have had
their artwork associated with a major release of the GNOME!"
Comments (none posted)
Upcoming Events
A call for presentations has gone out for FAVE 2005.
"
FAVE is a get-together for creative people who are interested in free
and open source software on Linux and other computer platforms. It's
taking place on Saturday August 13th 2005 at the Trinity Community &
Arts Centre in Bristol, UK."
Full Story (comments: none)
Papers are due soon for the international computer music conference,
ICMC 2005. The event will take place in
Barcelona, Spain on September 5-9, 2005.
Full Story (comments: none)
The LAC 2005 conference program has been announced.
"
the conference programme of the International Linux Audio Conference 2005
(LAC2005) in Karlsruhe, Germany, on April 21st-24th, 2005, is now online
at http://lac.zkm.de (link broken).
Small changes are still possible, though."
Full Story (comments: 1)
The 2005 linux.conf.au hackfest has been announced.
"
This is your chance to show how good your programming capabilities
really are as well as be in the running for a cool prize. The
competition this year has two sections, one similar to last year
involves writing an AI to play a game. The second is to build a user
interface for humans to play the same game. So those of you with user
interface design and artistic skills can also participate."
Full Story (comments: none)
The Ubuntu Down Under Conference will take place in
Sydney, Australia on April 25-30, 2005.
Full Story (comments: none)
LinuxMedNews
has announced the next WorldVistA community meeting.
"
Per the website, the meeting will be held in Boston,
Massachusetts April 7th to 10th, 2005. The conference will offer
VistA tutorials, OpenVistA installs on laptops, OpenVistA programming
projects, and setting WorldVistA's strategy for 2005."
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| March 3, 2005 | EclipseCon 2005 | Hyatt Regency, Burlingame, CA |
| March 3 - 4, 2005 | Security-Enhanced Linux Symposium | Silver Spring, Maryland |
| March 3, 2005 | Asia CodeFest 2005 | Beijing, China |
| March 3 - 4, 2005 | The 5th Asia Open Source Software Symposium | Beijing, China |
| March 3 - 4, 2005 | The Free and Open Source Software Workshop | Al Assad National Library, Damascus, Syria |
| March 4, 2005 | LPA AGM | Rivonia Sandton, South Africa |
| March 4 - 5, 2005 | Linuxforum 2005 | Copenhagen, Denmark |
| March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany |
| March 12, 2005 | Gentoo UK 2005 | University of Salford, Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) | Westin Horton Plaza, San Diego, CA |
| March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 | Hotel Borobudur, Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop | Caribe Royale All Suites Resort & Convention Center, Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 | GWU Cafritz Conference Center, Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec | Crowne Plaza Hotel, Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |
| April 1 - 3, 2005 | Twisted Sprint | Hobart, Tasmania |
| April 5 - 6, 2005 | Open Source Business Conference (OSBC) | Westin St. Francis, San Francisco, CA |
| April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore |
| April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA |
| April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 | Westin Hotel, Seattle, WA |
| April 18 - 23, 2005 | linux.conf.au 2005 | Australian National University, Canberra, Australia |
| April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 | Santa Clara Convention Center, Santa Clara, CA |
| April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 | Metro Toronto Convention Centre, Toronto, ON |
| April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia |
| April 19 - 20, 2005 | San Francisco techCongress | Rickey's Hyatt, Palo Alto, CA |
| April 20 - 23, 2005 | ACCU Conference 2005 | Randolph Hotel, Oxford, England |
| April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) | Center for Art and Media (ZKM), Karlsruhe, Germany |
| April 23 - 24, 2005 | LayerOne Technology Conference | Pasadena Hilton, Pasadena, CA |
| April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia |
Comments (none posted)
Web sites
The
live.gnome.org site has
undergone a content change:
"
live.gnome.org was originally set up to host live content for GNOME events,
but is now the focus of intense developer documentation and collaboration,
and today we'd like to welcome all developers of GNOME and related projects
to use the wiki for this purpose."
Full Story (comments: none)
Page editor: Forrest Cook
Letters to the editor
| From: | "McHenry, Bob" <bmchenry-AT-websense.com> |
| To: | <letters-AT-lwn.net> |
| Subject: | The FUD-based Encyclopedia |
| Date: | Mon, 28 Feb 2005 09:52:46 -0800 |
Dear Editor,
I have just read Aaron Krowne's rather hysterical article in Free
Software Magazine #2, rebutting my criticisms of the Wikipedia project.
Mr. Krowne lives, it seems, in a much more dramatic world than do I. I
do wish to thank him for the compliment (even if not intended as such)
of putting me into such distinguished company as that of Messrs.
Ballmer, McBride, Ellison, and McNealy. My first thought on seeing that
he had done so was, naturally, that now perhaps I, too, might be rich
and famous, or at least that I might be invited to one of those
high-flown international conferences they are always addressing. Alas,
it is not to be, for Mr. Krowne has sent the scouts in the wrong
direction. The photo he imposes upon the mugshots of the other four is
not me. Evidently, Mr. Krowne did a Google image search on my name and
selected the first hit. A single further click would have revealed that
the man pictured is a former executive with VideoDisc and now a lawyer
and professor. Frankly, I'm surprised they don't teach this digital
research trick at Emory University. On the other hand, it does seem
quite Wikipedian.
Mr. Krowne's argument consists of little more than a restatement of the
faith I questioned. The substance is captured perfectly in the graph
labeled "A hypothetical chart...". A more honest caption would have read
"If we had data relevant to the question, and if my unsupported prior
beliefs are somehow correct, then a graph of that data might conceivably
look something like this." To which one can only respond, Well, yes, it
might. Mr. Krowne's article is not the least useful response to mine
that I have seen, but it is the most elaborately silly.
Robert McHenry
Comments (7 posted)
Page editor: Jonathan Corbet