Up until the last moment, it looked like things might go the right way.
The European Council's attempt to adopt the software patent directive as a
no-debate item seemed doomed as a result of opposition from Denmark and a
few other countries. In the end, however, the Council violated its own
procedural rules by adopting the directive anyway, and nobody stood up to
stop it. Barring an unlikely sequence of events, software patents will
become the law in the European Union.
The unlikely sequence of events is this: the European Parliament will have
a second reading of the directive in the next few months; at that reading,
it will have the opportunity to reject or amend the directive. The
Parliament had, the first time through, added amendments which made it
clear that the patenting of software was not to be allowed, so there is
reason for hope. The problem is that, on the second reading, an absolute
majority of votes is required for any amendment. Simply getting enough
members into the chamber to create a majority is often a problem with the
European Parliament, so getting enough of them to vote for positive changes
in the patent directive will be doubly challenging. To many observers,
fixing a directive on the second reading seems just about impossible.
There is reason to hope, however. The fact that the Council ignored the
Parliament's request to restart the procedure and the manner in which the
directive was adopted has upset a number of members of Parliament. These
members may just find enough energy to haul themselves down to the debate
and vote to reassert the Parliament's authority. If these members continue
to hear from their constituents in the meantime, they should be even more
motivated.
In other words, now is not the time to give up and let up on the pressure.
Instead, it is more important than ever that EU citizens express their views
to their representatives. With enough effort, this battle might, just yet,
be won.
And it is an important battle. The possible effects of software patents on
small European businesses have been well discussed. But the absence of
software patents in Europe has had a chilling effect on software patent
enforcement in general. Currently, a patent holder could make life
difficult for free software in the U.S., but European developers would just
sneer in that smug manner unique to Europeans talking about American ways. So a patent
challenge against, say, the Linux kernel could be a problem for an American
company or developer, but it would be unlikely to impede Linux itself.
In a world with global software patent legislation, however, the situation
is different. A patent challenge could shut down Linux over much of the
planet; there would be no place for the software to run to. For this
reason, European resistance to software patents helps to protect all of us;
the forces behind software patenting understand that fact well. So we must
hope that the European Parliament can find the energy to stand up for its
rights.
According to some, the 2.6 development process has gone far out of
control. Wildly destabilizing patches are routinely accepted, to the point
that every 2.6.x release is really a development kernel in disguise. There
are no stable kernels anymore. As evidence, they point out certain
high-profile regressions, such as the failure of 2.6.11 to work with
certain Dell keyboards.
It is true that the process has changed in 2.6, and that each 2.6 release
tends to contain a great deal of new stuff. The situation is nowhere near
as bad as some people claim, however. The problems which have turned up
have tended to be minor, and most have not affected all that many users.
Big, embarrassing security bugs, data corruption issues, etc. have been
mostly notable in their absence. Kernel developers like Andrew Morton don't think there is a problem:
I would maintain that we're still fixing stuff faster than we're
breaking stuff. If you look at the fixes which are going into the
tree (and there are a HUGE number of fixes), many of them are
addressing problems which have been there for a long time.
Even so, there is a certain feeling that some 2.6 kernels have been
released with problems which should not have been there. Last week, in an
effort to improve the situation, Linus posted a proposal for a slight
modification to the kernel release process. The new scheme would have set
aside even-numbered kernel releases (2.6.12, 2.6.14, ...) as "extra-stable"
kernels which would include nothing but bug fixes. Odd-numbered releases
would continue to include more invasive patches. The idea was that an
even-numbered release would follow fairly closely after the previous
odd-numbered release and would fix any regressions or other problems which
had turned up. With luck, people could install an even-numbered release
with relative confidence.
Over the course of a lengthy discussion, an apparent consensus formed: the
real problem is a lack of testing. In theory, most patches are extensively
tested in the -mm tree before being merged. -mm does work well for many
things, and it has helped to improve the quality of patches being merged
into the mainline. But the -mm kernels are considered to be far too
unstable by many users, so they are not tested as widely as anybody would
like. Even quite a few kernel developers work with the mainline kernels,
since they provide a more stable development platform.
The next step in the testing process is Linus's -rc releases. These
kernels, too, are not tested as heavily as one might like. Many developers
blame the fact that most of the -rc kernels are not really release
candidates; they are merge points and an indication that a release is
getting closer. Since users do not see the -rc kernels as true release
candidates, they tend to shy away from them. For what it's worth, Linus disagrees with the perception of his -rc
kernels:
Have people actually _looked_ at the -rc releases? They are very much
done when I reach the point and say "ok, let's calm down". The
first one is usually pretty big and often needs some fixing, simply
because the first one is _inevitably_ (and by design) the one that
gets the pent-up demand from the previous calming down period.
But it's very much a call to "ok, guys, calm down now".
The fact remains, however, that many people see a "release candidate"
rather differently than Linus does.
There are some -rc kernels which clearly are release candidates;
2.6.11-rc5 is an obvious example. But even that kernel did not see enough
testing to turn up the Dell keyboard problem.
The real problem seems to have two components. The first is that
widespread testing by users is a vital part of the free software
development process. This is especially true for the kernel: no kernel
developer has access to all of the strange hardware out there, but the user
community, as a whole, does. The only way to get the necessary level of
testing coverage is to have large numbers of users do it. But here is
where the second piece of the puzzle comes in: most users are unwilling to
perform this testing on anything other than official mainline kernel
releases. So certain classes of bugs are only found after such a release
takes place.
A solution which was proposed was to bring back the concept of a
four-number release: 2.6.11.1, for example. These releases would exist
solely to deal with any show-stopper bugs which turn up after a major
mainline release. Linus was negative about
this idea, mostly because he didn't think anybody would be willing to do
that work:
I'll tell you what the problem is: I don't think you'll find
anybody to do the parallel "only trivial patches" tree. They'll go
crazy in a couple of weeks. Why? Because it's a _damn_ hard
problem. Where do you draw the line? What's an acceptable patch?
And if you get it wrong, people will complain _very_ loudly, since
by now you've "promised" them a kernel that is better than the
mainline. In other words: there's almost zero glory, there are no
interesting problems, and there will absolutely be people who claim
that you're a dick-head and worse, probably on a weekly basis.
Linus went on, however, to outline how the process might work if a "sucker"
were found who wanted to do it. The charter for this tree would have to be
extremely restricted, with many rules limiting which patches could be
accepted. The "sucker tree" would only take very small, clearly correct
patches which fix a serious, user-visible bug. Some sort of committee
would rule on patches, and would easily be able to exclude any which do not
appear to meet the criteria. These conditions, says Linus, might make it
possible to maintain the sucker tree, if a suitable sucker could be found.
As it turns out, a sucker stepped forward.
Greg Kroah-Hartman has volunteered to maintain this tree for now, and to
find a new maintainer when he reaches his limit. Chris Wright has
volunteered to help. Greg released 2.6.11.1 as an example of how the process
would work; it contains three patches: two compile fixes, and the
obligatory Dell keyboard fix. 2.6.11.2
followed on March 9 with a single security fix. So the process has
begun to operate.
Greg and Chris have also put together a set of
rules on how the extra-stable tree will operate. To be considered for
this tree, a patch must be "obviously correct," no bigger than 100 lines, a
fix for a real bug which is seen to be affecting users, etc. There is a
new stable@kernel.org address to which such patches should be
sent. Patches which appear to qualify will be added to the queue and
considered by a review committee (which has not yet been named, but it
"will be made up of a number of kernel developers who have
volunteered for this task, and a few that haven't").
The rules seem to be acceptable to most developers. There was one suggestion that, to qualify, patches must also
be accepted into the mainline kernel. Being merged into the mainline would
ensure wider testing of the patches, and would also serve to minimize the
differences between the stable and mainline trees. The problem with this
idea is that, often, the minimal fix which is best suited to an
extra-stable tree is not the fix that the developers want for the long
term. The real fix for a bug may involve wide-ranging changes, API
changes, etc., but that sort of patch conflicts with the other rules for
the extra-stable tree. So a "must be merged into the mainline" rule
probably will not be added, at least not in that form.
How much this new tree will help is yet to be seen. It may be that its
presence will simply cause many users to hold off testing until the first
extra-stable release is made. This tree provides a safe repository
for critical fixes, but those fixes cannot be made until the bugs are
found. Finding those bugs requires widespread testing; no new kernel tree
can change that fact.
The Debian Project Leader (DPL) election is fast approaching. The
nomination period ended on February 28, and the campaigning period runs
through March 21. The field of candidates is much broader than in recent
years, with six serious candidates vying for the role of Debian Project
Leader. Current DPL Martin Michlmayr is not running for re-election.
The candidates, and their platforms, for 2005 are Matthew Garrett, Andreas
Schuldei, Angus Lees, Anthony Towns, Jonathan Walther, and Branden
Robinson.
We sent a list of questions to each candidate to find out where they stand
on issues facing Debian in 2005. The first question we posed to the
candidates was how they would help to ensure that Sarge would be released
this year, and whether too much emphasis was placed on a new stable release.
In his platform, Walther endorsed the idea of a six-month release cycle,
borrowed from the OpenBSD project, saying it could "turn Debian into
a monster powerhouse of software goodness." In his response, he
added that he was unsure of the limits of the DPL's authority, but would do
"everything in my power to get Sarge out the door immediately, as-is,
and formalize the OpenBSD/Ubuntu/Xouvert 6-month release cycle."
Towns responded that there were a variety of reasons that Sarge had been
delayed, and that "the release team currently have a handle on
them." He also said that releasing Sarge is "the highest
priority for the project at this point, and the highest priority of the DPL
is to do everything possible to ensure that the release team and those
working on resolving the remaining issues have the support and resources
they need to do their work quickly and effectively."
Lees pointed out that the DPL "is not a position with direct control
over Debian's actions" and that the DPL "is there to provide a
single point of contact with the outside world and to ensure the relevant
groups within Debian coordinate effectively." He also said that he
is confident that the Sarge release would go out this year without
intervention from the DPL, but "would of course try to ensure that
the relevant technical teams have the resources they need to avoid any
further delays."
As for the importance of stable releases, Lees said that the stable
releases are necessary to provide "a static fork to provide security
fixes against and a known minimum point from which package maintainers must
ensure smooth upgrades." The ideal release point, according to Lees,
would be "around the 1.5-2.5 year point, so shorter than the Sarge
release cycle - but not by much."
Garrett noted that Sarge is close enough to release that "anything
the DPL does is more likely to slow things down than speed them up."
The release team have assured me that the list of awkward problems is now
small and under control, and I'm inclined to trust them on this.
A more interesting question is probably how we can prevent Sarge from
happening again. A large part of the problem is that many people have lost
faith in us ever making timely releases, which ends up costing us a lot -
without the feeling that you're working towards a release, there's far less
incentive to make sure that your code is in good condition and help track
down bugs in other packages. I want to deal with this problem by making
people believe that we can actually make releases when we say we will, and
I think the first step towards that will be to make sure that we have a
list of concrete goals for our next release the moment we've finished with
Sarge.
He also said that slow releases not only cost Debian users, but development
effort as well.
Robinson told LWN that he would work closely with the Release Management
team to find out what they need and "try to get those needs
satisfied, whether they involve hardware for build daemons, additional
personnel for the security or debian-installer teams, or simply general
encouragement (some would say whip-cracking) to get the release-critical
bug count down."
He also said that Debian is compared "unfairly and unfavorably to the
bleeding-edge nature of some distributions" and could "greatly
mitigate that criticism by establishing a more predictable and regular
release cycle."
Finally, Schuldei said that Sarge should be in "deep freeze
already" by the time the next DPL takes office on April 17. Schuldei
also said that regular releases "are important for Debian and are one
of my priorities."
The next question we posed to the candidates was whether Ubuntu had hurt
Debian by drawing away development effort, how Debian should work with
projects derived from Debian, and whether Debian was "infrastructure" for
other projects.
Schuldei responded that Ubuntu "cherry-picked from Debian's most
active developers."
When your hobby becomes your job, it is easy to lose interest in
participating in the hobby outside of work. And working in a start-up
company can easily become an all-consuming activity. Given this
combination, it was probably inevitable that developers working on Ubuntu
would have less time and energy to expend on Debian itself.
Those Ubuntu developers who used to work on Debian infrastructure were
missed painfully, indeed. I hope that "Small Teams" as described in my
platform can help by building lots of small multiplying knowledge pools
which would make Debian resilient against loss of single individuals and
enable it to grow able successors very quickly.
Schuldei told LWN that Debian "should more actively incorporate the
good things that it sees other distributions" do and that if Debian
"managed the 'taking' as well as the 'giving' [to other projects]
there would be little limit to its potential."
Robinson says that Canonical Ltd. (the company that sponsors Ubuntu) is a
"mixed blessing."
Previous companies that centered their identities around Debian (such as
Stormix and Progeny) have not had the resources to hire more than a handful
of Debian developers. Canonical has hired many. It's a good thing to see
so many Debian developers able to more closely align their careers with
their passions -- it's something I've enjoyed for nearly five years, so I
can hardly begrudge others that same condition.
At the same time, Canonical's interests are not identical to Debian's. If
Canonical is to operate anything like a conventional business that realizes
revenue, it cannot help but pursue paths to do so. The Debian Project
doesn't have that pressure on it. Inevitably in such an environment, at
least some Debian developers who work for a commercial interest are going
to experience tension between what's good for Debian and what's good for
their employer, even if that divergence is perceived as merely short-term.
In the short term, Debian needs to release sarge. We cannot count on
Canonical, Linspire, Progeny, Xandros, Hewlett-Packard, or any of Debian's
other benefactors to solve our problems for us -- they will not supply the
magical second step between "collect underpants" and "RELEASE!", to spin an
old joke.
He also said that Debian has to be "frank about it" and accept
that some developers may be drawn away from Debian.
Garrett pointed out that Ubuntu "has taken some effort away from
Debian, but it's also contributed a lot back."
One of the major advantages that Ubuntu has over Debian is that their
development process makes it much easier to push new technologies. We've
already gained from that in at least one case, since Debian's Project
Utopia stack is heavily based on the code in Ubuntu. That would have been
much harder to coordinate if it hadn't been demonstrated in a working
scenario first. Remember that Ubuntu hasn't existed for all that long -
it's hard to have any great certainty what the long-term effects will be.
One of the fundamental reasons for free software is the right to produce
derived works, and I think that making it as easy as possible for others to
produce derived distributions is the best way for Debian to support
that. The number of distributions based on Debian is large enough that I
think we class as infrastructure, but don't think that's incompatible with
making releases.
Providing employment for Debian developers is "a good thing"
according to Lees, though he notes that there will be "some inevitable
divergence between Ubuntu and Debian as Ubuntu strives to differentiate
itself."
The core axiom of free software however is that having someone copy and
modify your software doesn't reduce its value to you. Whatever happens,
Debian is a process not a product and it will eventually incorporate any
code that the Developers deem worthwhile.
What I'm really excited about from Ubuntu is some of the tools they're
working on, like bug trackers and version control tools. These tools are
being developed specifically for the unique needs of distributors, rather
than authors, and it will be very interesting to see what they become.
Towns said that the only way Ubuntu draws developers away from Debian
"is by providing a better environment for hacking -- whether that be
by paying for the work, or being more fun, or being more satisfying, or all
of the above."
I think it's great that there are projects that some people find more
enjoyable than Debian, and the great thing about free software is that
those of us who prefer Debian can just take the work they do for Ubuntu and
use it ourselves. And vice-versa, too -- all without anyone being unhappy
about code theft or having to involve lawyers or formal agreements or
anything of the sort.
I think Debian works quite well both as a distribution of its own, and as
infrastructure for other distributions; I hope it will improve as both.
According to Walther, projects like Ubuntu or Knoppix help Debian rather
than hurt it. "Because of our licensing, we can always fold things
back in from other projects that work out well."
We also asked candidates if they had any idea why so many people were
running this year, as opposed to past years that saw only a few
candidates.
Walther quipped, "because the incumbent decided not to run for
re-election."
Schuldei told LWN "some of the candidates clearly believe that Debian
is in need of their special knowledge or ability. I myself believe that my
vision for Debian and my experience in implementing change in social groups
will help the Debian Project to reach new heights and strength."
Robinson said that "people are getting a better idea of what they
want out of a Project Leader."
I don't know of many precedents in our field; no other free software
project of Debian's size entrusts its entire membership with electing its
leadership. We're striving to identify the right balance of personality
traits and experience that will equip us to face new challenges with
confidence, rather than butting our heads against the same old brick walls
that have stymied us for years.
Garrett said that he can't speak for the other candidates, but "I'm
standing because I think Debian has problems that need fixing, and I think
being DPL is the best way that I can help fix them. Perhaps our problems
are more obvious this year than in the past?" Lees told LWN that he
has no idea why so many people are running for DPL, and that he's running
"at the insistence of several other Debian developers, probably in
response to some of the more radical factions that are gaining influence
within Debian." Towns said that there have been "a lot of
fairly controversial questions raised or decided...and in the midst of all
this the next release of our operating system has continued slipping. It
seems plausible to me that the range of candidates represent the range of
different views within the project of how to approach these issues."
Another topic that comes up frequently when discussing delays for Sarge is
dropping architectures. We asked the candidates if they thought Debian
should drop any of its architectures in order to release on a more timely
basis. There was not a great deal of enthusiasm for this idea among DPL
candidates. Walther is against the idea of dropping architectures
altogether. "I see no need to drop any architecture, but I do see it
as a good thing to release each architecture separately. This prevents the
lowest common denominator from retarding the distribution as a
whole."
Towns said, simply, "That's a decision for the release and archive
teams to make." Lees said that there was "no correlation
between the number of architectures and any delay in release," as
far as he could see. Schuldei said, "yes, that's one possible
option."
Garrett told LWN that dropping architectures would not speed up the
release, and would "undoubtedly reduce the quality of our
distribution. There are whole classes of bugs that only show up when you
port to a wide range of platforms."
In any case, which architectures should we drop? M68K is often used as an
example, but is actually one of the better architectures in terms of
keeping up. Mips and Arm aren't widely used on the desktop, but we get a
great deal of enthusiasm from embedded developers.
If we get to the point where an architecture can't pull its weight, then
we'll drop it. We're not there yet.
Robinson said that the idea that dropping an architecture would benefit the
release cycle "seems to meander between a vague notion and an article
of faith." He also said that he has yet to see a proposal that
explains how it would benefit the release cycle, and that he needs
"more convincing...to support such a dramatic step. For some
architectures, Debian is the only modern option for a GNU/Linux
installation. It'd be a shame to give that in exchange for an unproven
benefit."
Finally, we asked the candidates what the biggest challenge facing the DPL
would be. Schuldei told LWN that scalability was the biggest problem facing
Debian.
A lot of Debian's hottest issues over the past few years have been capacity
issues: making sure the autobuilder network scales to handle our package
count; making sure the NM process scales to meet the number of incoming
applicants; making sure the security team scales to handle the architecture
count; etc. While many of these issues are largely technical in nature,
the task of identifying and resolving chokepoints before they become a
problem is one that requires managerial attention, and the DPL is best
suited to provide this oversight. The social structure of Debian still
stems from its early years. With the size of 900+ active developers the
social bonds and self-regulatory functions are just not good enough any
more nowadays for it to work as smoothly and effectively as it used to be.
The changes in the leadership and small team infrastructure as well as
nurturing of good working climate will address this effectively and will
allow Debian a new growth cycle.
Garrett sees communication as the largest hurdle for Debian:
We're bad at it. A large part of the problem facing the release is that
half the time nobody's sure why we can't release yet. People get into
arguments over whether or not people are passing on enough
information. It's all wasted effort, and it's all entirely unnecessary. If
there's one thing that I would hope to do as DPL, it's to ensure that
people know who they're supposed to be speaking to whenever they have a
problem. In principle, that's not too difficult, but it's something
nobody's really succeeded at yet.
Lees told LWN that Debian "basically works" and said it was
difficult to sort out a minor issue to highlight as a problem. He also
touched on communication as a problem, and said VoIP would be an
"interesting way to improve the quality of communication...since
email seems to bring out the worst in people. I would hope that improving
the nature of the communication would make it easier to address other
issues that arise within Debian."
Towns said that the biggest single issue was "getting Sarge out the
door, but that's primarily an issue for the release team to handle."
Robinson didn't respond directly to the question of the biggest challenge
for Debian, but also pointed out in his responses that "the collective
psyche of the project gets antsy when a release process has dragged on for
too long."
The general level of irritability seems to go up. We are nearly three
years pregnant with sarge, and we need to be delivering our latest
offspring soon. The challenge is to practice good obstetrics, and preserve
the health and well-being of ourselves and our release. In my campaigns
for Debian Project Leader over the years I've consistently prescribed
medicine for our ails, and I'm ready to assist my fellow developers with
the delivery.
Walther also told LWN that the release cycle is the largest problem for the
project.
It has caused a stagnation where we focus on putting in new packages and
fixing old bugs, but the mantle of fresh new innovation that made us stand
out in the early days has been passing on to other distributions. With a
quicker release cycle we can definitely get that back in short order. We
have all the resources and manpower.
Debian Developers may begin voting for DPL on March 21, through April
11. The voting procedure is described in section A of the Debian
Constitution. We'd like to thank each of the candidates for responding
to our questions, and wish them good luck in the election.
Page editor: Jonathan Corbet
Security
Security software is, as a general rule, supposed to make a system more
secure. So it is always discouraging when security code, instead, opens up
new holes. The PaX patches are intended to harden the Linux kernel against
various sorts of attacks; the PaX developers have, at times, been quite
harsh in their criticism of security in the mainline kernel. But, as this
advisory shows, the PaX code, too, is not without its troubles.
One of the techniques used by PaX is VMA mirroring. The
PaX code tries to defeat various types of code injection attacks by
completely separating the instruction and data areas of memory as seen by
Linux processes. The idea is that, even if an attacker is able to overrun
a buffer and direct the processor to execute the resulting code, the attack
will be foiled by the processor's segmentation hardware. Any part of
memory which can be accessed via a data pointer is simply not accessible as
code.
The problem is that some code segments in an executable file contain data
as well - constant strings and such. So, when an executable ELF section is
mapped into the code segment, it must also be "mirrored" in the data
segment. This mirroring is accomplished by creating a special sort of
virtual memory area (VMA) which refers to the same physical pages and
backing store as the code VMA, but which resides in the data portion of the
address space.
The details of the exploit have not yet been released. From a quick
reading of the PaX patches before and after the fix, it would appear that
the PaX code did not adequately restrict the changes user space could make
to the mirrored VMAs. The resulting inconsistencies in the kernel's
representation of the address space could then be exploited to run
arbitrary code.
The advisory notes that this vulnerability "...pretty much destroys
what PaX has always stood and been trusted for." So the author is
taking his marbles and going home; PaX will be discontinued at the end of
this month. Certainly, introducing an exploitable hole into a
security-related patch, where it lurked for a year and a half, could harm
the trust users have in that patch. But giving up and leaving those users
completely unsupported into the future seems likely to cause rather more
damage. Bugs happen, even in the most carefully-written code. The best
thing to do is to fix them and get on with life.
New vulnerabilities
abuse: several vulnerabilities
| Package(s): | abuse |
| CVE #(s): | CAN-2005-0098, CAN-2005-0099 |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Several vulnerabilities have been discovered in abuse, the SDL port of the Abuse action game. Erik Sjölund discovered several buffer overflows in the command line handling, which could lead to the execution of arbitrary code with elevated privileges since it is installed setuid root. Steve Kemp discovered that abuse creates some files without dropping privileges first, which may lead to the creation and overwriting of arbitrary files. |
| Alerts: | |
KDE dcopidlng: insecure temporary file creation
| Package(s): | dcopidlng |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Davide Madrisan has discovered that the dcopidlng script creates temporary files in a world-writable directory with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When dcopidlng is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
hashcash: format string vulnerability
| Package(s): | hashcash |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the Hashcash utility that an attacker could expose by specifying a malformed reply address. Successful exploitation would permit an attacker to disrupt Hashcash users, and potentially execute arbitrary code. |
| Alerts: | |
Comments (none posted)
HelixPlayer: buffer overflows
| Package(s): | HelixPlayer |
| CVE #(s): | CAN-2005-0455, CAN-2005-0611 |
| Created: | March 3, 2005 |
| Updated: | March 9, 2005 |
| Description: | The Helix Player 1.0 media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions. |
| Alerts: | |
Comments (none posted)
imagemagick: format string vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0397 |
| Created: | March 3, 2005 |
| Updated: | April 4, 2005 |
| Description: | The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code. |
| Alerts: | |
Comments (none posted)
kdenetwork: file descriptor leak
| Package(s): | kdenetwork |
| CVE #(s): | CAN-2005-0205 |
| Created: | March 3, 2005 |
| Updated: | March 16, 2005 |
| Description: | The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information. |
| Alerts: | |
Comments (none posted)
less: heap based buffer overflow
| Package(s): | less |
| CVE #(s): | CAN-2005-0086 |
| Created: | March 8, 2005 |
| Updated: | March 9, 2005 |
| Description: | Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Linux 9. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened. |
| Alerts: | |
Comments (none posted)
libexif: improper validation
| Package(s): | libexif |
| CVE #(s): | CAN-2005-0664 |
| Created: | March 7, 2005 |
| Updated: | April 15, 2005 |
| Description: | Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user into loading an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process. |
| Alerts: | |
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. |
| Alerts: | |
Comments (none posted)
mlterm: integer overflow
| Package(s): | mlterm |
| CVE #(s): | |
| Created: | March 7, 2005 |
| Updated: | March 9, 2005 |
| Description: | mlterm is vulnerable to an integer overflow that can be triggered by specifying a large image file as a background. This only affects users that have compiled mlterm with the 'gtk' USE flag, which enables gdk-pixbuf support. |
| Alerts: | |
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
| CVE #(s): | CAN-2005-0448 |
| Created: | March 9, 2005 |
| Updated: | January 30, 2006 |
| Description: | The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpMyAdmin |
| CVE #(s): | |
| Created: | March 4, 2005 |
| Updated: | March 9, 2005 |
| Description: | phpMyAdmin contains multiple vulnerabilities that could lead to command execution, XSS issues and bypass of security restrictions. See PMASA-2005-1 and PMASA-2005-2 for details. |
| Alerts: | |
Comments (none posted)
RealPlayer: buffer overflows
| Package(s): | RealPlayer |
| CVE #(s): | CAN-2005-0455, CAN-2005-0611 |
| Created: | March 3, 2005 |
| Updated: | March 21, 2005 |
| Description: | The RealPlayer media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions. |
| Alerts: | |
Comments (none posted)
squid: race condition
| Package(s): | squid |
| CVE #(s): | CAN-2005-0626 |
| Created: | March 8, 2005 |
| Updated: | March 9, 2005 |
| Description: | A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. |
| Alerts: | |
Comments (none posted)
xv: filename handling vulnerability
| Package(s): | xv |
| CVE #(s): | |
| Created: | March 4, 2005 |
| Updated: | March 9, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv. Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at SecurityFocus. |
| Alerts: | |
Comments (none posted)
bidwatcher: format string vulnerability
| Package(s): | bidwatcher |
| CVE #(s): | CAN-2005-0158 |
| Created: | February 18, 2005 |
| Updated: | March 3, 2005 |
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. This problem can be triggered remotely by a web server of eBay, or someone pretending to be eBay, sending certain data back. As of version 1.3.17 the program uses cURL and is not vulnerable anymore. |
| Alerts: | |
Comments (none posted)
bsmtpd: missing input sanitizing
| Package(s): | bsmtpd |
| CVE #(s): | CAN-2005-0107 |
| Created: | February 25, 2005 |
| Updated: | March 2, 2005 |
| Description: | Bastian Blank found a vulnerability in bsmtpd, a batched SMTP mailer for sendmail and postfix. Unsanitized addresses can cause the execution of arbitrary commands during alleged mail delivery. |
| Alerts: | |
Comments (none posted)
ClamAV: multiple issues
| Package(s): | clamav |
| CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 |
| Updated: | March 3, 2005 |
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. |
| Alerts: | |
Comments (none posted)
cmd5checkpw: local password leak
| Package(s): | cmd5checkpw |
| CVE #(s): | |
| Created: | February 25, 2005 |
| Updated: | March 2, 2005 |
| Description: | Florian Westphal discovered that cmd5checkpw is installed setuid cmd5checkpw but does not drop privileges before calling execvp(), so the invoked program retains the cmd5checkpw euid. Local users that know at least one valid /etc/poppasswd user/password combination can read the /etc/poppasswd file. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
f2c: insecure temp files
| Package(s): | f2c |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |
| Description: | The f2c Fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: DoS issue in parsing malformed HTML
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0208 |
| Created: | February 25, 2005 |
| Updated: | March 14, 2005 |
| Description: | Gaim has a DoS issue in parsing malformed HTML, and an MSN-related crash. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
linux-source-2.6.8.1: multiple vulnerabilities
| Package(s): | linux-source-2.6.8.1 |
| CVE #(s): | CAN-2005-0176, CAN-2005-0177, CAN-2005-0178 |
| Created: | February 15, 2005 |
| Updated: | March 15, 2005 |
| Description: | Michael Kerrisk noticed insufficient permission checking in the shmctl() function. Any process was permitted to lock/unlock any System V shared memory segment that fell within the RLIMIT_MEMLOCK limit (that is, the maximum size of shared memory that unprivileged users can acquire). This allowed an unprivileged user process to unlock locked memory of other processes, thereby allowing them to be swapped out. Usually locked shared memory is used to store passphrases and other sensitive content which must not be written to the swap space (where it could be read out even after a reboot). (CAN-2005-0176) OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly set to 128 instead of 256. This caused a buffer overflow in some cases which could be exploited to crash the kernel. (CAN-2005-0177) A race condition was found in the terminal handling of the "setsid()" function, which is used to start new process sessions. (CAN-2005-0178) |
| Alerts: | |
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
| CVE #(s): | CAN-2004-0972 |
| Created: | November 1, 2004 |
| Updated: | July 25, 2005 |
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
mailman: cross-site scripting
| Package(s): | mailman |
| CVE #(s): | CAN-2004-1177 |
| Created: | January 10, 2005 |
| Updated: | March 22, 2005 |
| Description: | Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page. |
| Alerts: | |
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
| CVE #(s): | CAN-2005-0202 |
| Created: | February 9, 2005 |
| Updated: | July 13, 2005 |
| Description: | The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives. This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: | |
Comments (none posted)
mc: multiple vulnerabilities
| Package(s): | mc |
| CVE #(s): | CAN-2004-1004, CAN-2004-1005, CAN-2004-1092, CAN-2004-1176 |
| Created: | February 17, 2005 |
| Updated: | March 4, 2005 |
| Description: | Midnight Commander has multiple vulnerabilities including format string vulnerabilities, buffer overflows, a buffer underflow, and a memory deallocation error. An attacker can use these to run arbitrary code with the permission of the user. |
| Alerts: | |
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
| CVE #(s): | CAN-2005-0534, CAN-2005-0535, CAN-2005-0536 |
| Created: | February 28, 2005 |
| Updated: | June 13, 2005 |
| Description: | A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2005-0088 |
| Created: | February 10, 2005 |
| Updated: | April 10, 2006 |
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. |
| Alerts: | |
Comments (none posted)
Mozilla and Mozilla Firefox: out of memory heap corruption
| Package(s): | mozilla firefox |
| CVE #(s): | CAN-2005-0255 |
| Created: | March 1, 2005 |
| Updated: | March 16, 2005 |
| Description: | According to this iDEFENSE advisory, remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow an attacker to cause heap corruption, resulting in execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
mysql: several vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0835, CAN-2004-0836, CAN-2004-0837 |
| Created: | October 11, 2004 |
| Updated: | April 6, 2005 |
| Description: | Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: | |
Comments (none posted)
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
| CVE #(s): | CAN-2005-0004 |
| Created: | January 18, 2005 |
| Updated: | March 25, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
nasm: Buffer overflow vulnerability
| Package(s): | nasm |
| CVE #(s): | CAN-2004-1287 |
| Created: | December 20, 2004 |
| Updated: | May 4, 2005 |
| Description: | Jonathan Rockway discovered that NASM-0.98.38 has an unprotected vsprintf() to an array in preproc.c. This code vulnerability may lead to a buffer overflow and potential execution of arbitrary code. |
| Alerts: | |
Comments (4 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
| CVE #(s): | CAN-2005-0013, CAN-2005-0014 |
| Created: | January 31, 2005 |
| Updated: | May 15, 2006 |
| Description: | Erik Sjölund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). |
| Alerts: | |
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
| CVE #(s): | CAN-2004-0911 |
| Created: | October 4, 2004 |
| Updated: | March 28, 2005 |
| Description: | Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). |
| Alerts: | |
Comments (none posted)
nfs-utils: denial of service
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-1014 |
| Created: | December 1, 2004 |
| Updated: | May 15, 2005 |
| Description: | The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker. |
| Alerts: | |
Comments (none posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2004-0946 |
| Created: | January 11, 2005 |
| Updated: | February 27, 2006 |
| Description: | Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
| CVE #(s): | CAN-2004-0975 |
| Created: | November 11, 2004 |
| Updated: | July 19, 2005 |
| Description: | The der_chop script in openssl has a temp file vulnerability that may allow an attacker to overwrite arbitrary files with the permissions that the script is running under. |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
| CVE #(s): | |
| Created: | February 14, 2005 |
| Updated: | June 22, 2005 |
| Description: | Opera contains several vulnerabilities which could result in information disclosure and facilitate execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
Comments (none posted)
php: multiple vulnerabilities
Comments (1 posted)
phpBB: multiple vulnerabilities
| Package(s): | phpbb |
| CVE #(s): | CAN-2005-0258, CAN-2005-0259 |
| Created: | March 1, 2005 |
| Updated: | March 2, 2005 |
| Description: | It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the "Enable remote avatars" and "Enable avatar uploading" options are set (CAN-2005-0259). He also found out that incorrect input validation in "usercp_avatar.php" and "usercp_register.php" makes phpBB vulnerable to directory traversal attacks, if the "Gallery avatars" setting is enabled (CAN-2005-0258). |
| Alerts: | |
Comments (none posted)
phpWebSite: arbitrary PHP execution and path disclosure
| Package(s): | phpwebsite |
| CVE #(s): | |
| Created: | March 1, 2005 |
| Updated: | March 2, 2005 |
| Description: | NST discovered that, when submitting an announcement, uploaded files aren't correctly checked for malicious code. They also found out that phpWebSite is vulnerable to a path disclosure. A remote attacker can exploit this issue to upload files to a directory within the web root. By calling the uploaded script the attacker could then execute arbitrary PHP code with the rights of the web server. By passing specially crafted requests to the search module, remote attackers can also find out the full path of PHP scripts. |
| Alerts: | |
Comments (none posted)
postfix: error in IPv6 handling
Package(s): postfix
CVE #(s): CAN-2005-0337
Created: February 4, 2005
Updated: March 16, 2005
Description:
Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code
of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup"
was enabled in the "smtpd_recipient_restrictions", Postfix turned into an
open relay, i.e., it erroneously permitted the delivery of arbitrary mail to
any MX host which has an IPv6 address.
Comments (1 posted)
postgresql: EXECUTE privilege vulnerability
Package(s): postgresql
CVE #(s): CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247
Created: February 10, 2005
Updated: July 19, 2005
Description:
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
Comments (none posted)
PuTTY: remote code execution
Package(s): putty
CVE #(s): CAN-2005-0467
Created: February 21, 2005
Updated: March 2, 2005
Description:
Two vulnerabilities have been discovered in the PSCP and PSFTP clients,
which can be triggered by the SFTP server itself. See this iDEFENSE advisory for details.
Comments (none posted)
python: illegal function internals access
Package(s): python
CVE #(s): CAN-2005-0089
Created: February 3, 2005
Updated: April 22, 2005
Description:
Python versions 2.2 and 2.3 have a vulnerability in the
SimpleXMLRPCServer module which may allow
remote users to read or change function internals via the
im_* and func_* attributes.
Comments (none posted)
Qt: untrusted library search path
Package(s): qt
CVE #(s): (none listed)
Created: March 1, 2005
Updated: March 2, 2005
Description:
Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered
that Qt searches for shared libraries in an untrusted, world-writable
directory. A local attacker could create a malicious shared object that
would be loaded by Qt, resulting in the execution of arbitrary code with
the privileges of the Qt application.
Comments (none posted)
qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior to
3.3.3 may allow remote code execution.
Comments (none posted)
reportbug: world readable files
Package(s): reportbug
CVE #(s): (none listed)
Created: February 28, 2005
Updated: March 2, 2005
Description:
The per-user configuration file ~/.reportbugrc was created
world-readable. If it contained email smarthost passwords, these were
readable by any other user on the computer storing the home directory. If
users have ~/.reportbugrc files with SMTP passwords, the permissions should
be manually changed: chmod 600 ~/.reportbugrc
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
Package(s): rp-pppoe, pppoe
CVE #(s): CAN-2004-0564
Created: October 4, 2004
Updated: November 15, 2005
Description:
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Comments (none posted)
ruby: infinite loop
Package(s): ruby
CVE #(s): CAN-2004-0983
Created: November 8, 2004
Updated: May 15, 2005
Description:
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up CPU cycles.
Comments (none posted)
samba: integer overflow vulnerability
Package(s): samba
CVE #(s): CAN-2004-1154
Created: December 16, 2004
Updated: July 19, 2005
Description:
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server.
Comments (none posted)
sharutils: arbitrary code execution
Package(s): sharutils
CVE #(s): CAN-2004-1772
Created: October 1, 2004
Updated: April 26, 2005
Description:
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description:
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Comments (none posted)
squid: multiple vulnerabilities
Package(s): squid
CVE #(s): CAN-2005-0173, CAN-2005-0175, CAN-2005-0194, CAN-2005-0211
Created: February 4, 2005
Updated: March 8, 2005
Description:
Several vulnerabilities have been discovered in Squid, including cache
pollution/poisoning via HTTP response splitting, a buffer overflow triggered
by larger-than-normal WCCP packets, and more.
Comments (none posted)
Squid: DNS response handling
Package(s): squid
CVE #(s): CAN-2005-0446
Created: February 18, 2005
Updated: March 16, 2005
Description:
Handling of certain DNS responses triggers assertion failures. By returning
a specially crafted DNS response an attacker could cause Squid to crash by
triggering an assertion failure.
Comments (none posted)
SquirrelMail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
Created: January 28, 2005
Updated: July 19, 2005
Description:
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a.
Comments (none posted)
Subversion: Remote heap overflow
Package(s): subversion
CVE #(s): CAN-2004-0413
Created: June 11, 2004
Updated: March 7, 2005
Description:
Subversion has a remote heap overflow in svnserve which may allow an
attacker to execute arbitrary code on a server that runs svnserve. See
this advisory for more information.
Comments (none posted)
sudo: environment variable sanitizing
Package(s): sudo
CVE #(s): CAN-2004-1051
Created: November 17, 2004
Updated: May 15, 2005
Description:
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment
prior to running shell scripts; this failure can be exploited by a sudo user
to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for
more information.
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Comments (1 posted)
tiff: buffer overflows
Package(s): tiff
CVE #(s): CAN-2004-0803
Created: October 13, 2004
Updated: April 12, 2005
Description:
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
Comments (none posted)
uim: local privilege escalation
Package(s): uim
CVE #(s): CAN-2005-0503
Created: February 24, 2005
Updated: March 2, 2005
Description:
uim has a problem in which environment variables can be used by a
local attacker to elevate their privileges.
Comments (none posted)
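The perl (PERLIO_DEBUG), sudo and uim entries above share one root cause: a privileged program trusting environment variables handed to it by an unprivileged caller. The following C program, an added example that is not code from any of those projects, shows the usual fix, which is to rebuild the child's environment from an allowlist rather than to blacklist known-bad names. The allowlist, the fixed PATH value, the function names (env_entry_allowed, sanitize_env, demo_*) and the sample environment are all assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative allowlist (an assumption, not sudo's or perl's actual policy):
 * only these variable names survive into a privileged child. PATH is
 * deliberately absent because it is replaced with a fixed value below.
 */
static const char *const env_allowlist[] = {
    "HOME", "TERM", "LANG", "USER", "LOGNAME", "DISPLAY", NULL
};

/* Fixed PATH handed to the child regardless of what the caller supplied. */
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Return 1 if a "NAME=value" entry is on the allowlist, else 0.
 * Entries without a name or without '=' are treated as hostile. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen;
    int i;

    if (eq == NULL || eq == entry)
        return 0;
    namelen = (size_t)(eq - entry);
    for (i = 0; env_allowlist[i] != NULL; i++)
        if (strlen(env_allowlist[i]) == namelen &&
            memcmp(env_allowlist[i], entry, namelen) == 0)
            return 1;
    return 0;
}

/*
 * Build the child's environment in `out` (capacity `cap`, NULL-terminated):
 * allowlisted entries from `envp` in their original order, then SAFE_PATH.
 * Returns the number of entries stored, or -1 if `out` is too small.
 * Anything else (LD_PRELOAD, PERLIO_DEBUG, IFS, ...) is simply never copied.
 */
int sanitize_env(char *const *envp, const char **out, size_t cap)
{
    size_t n = 0;

    for (; *envp != NULL; envp++) {
        if (!env_entry_allowed(*envp))
            continue;
        if (n + 2 > cap)            /* room for this entry plus the NULL */
            return -1;
        out[n++] = *envp;
    }
    if (n + 2 > cap)
        return -1;
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment, as a setuid program might inherit it. */
static char *const demo_env[] = {
    "PATH=/tmp/evil:/usr/bin",
    "PERLIO_DEBUG=/etc/passwd",     /* the perl file-overwrite vector */
    "LD_PRELOAD=/tmp/evil.so",
    "HOME=/home/alice",
    "TERM=xterm",
    "IFS= \t\n",
    NULL
};

/* Run the sample through sanitize_env(); returns the number of entries kept. */
int demo_sanitized_count(void)
{
    const char *out[16];
    return sanitize_env(demo_env, out, sizeof out / sizeof out[0]);
}

/* 1 if the sanitized sample ends with the fixed PATH, 0 otherwise. */
int demo_path_is_fixed(void)
{
    const char *out[16];
    int n = sanitize_env(demo_env, out, sizeof out / sizeof out[0]);
    return n > 0 && strcmp(out[n - 1], SAFE_PATH) == 0;
}

int main(void)
{
    const char *out[16];
    int i, n = sanitize_env(demo_env, out, sizeof out / sizeof out[0]);

    /* A real wrapper would now pass `out` as the envp argument to execve(). */
    for (i = 0; i < n; i++)
        printf("%s\n", out[i]);
    return n < 0;
}
```

Run against the sample, only HOME and TERM survive and PATH is reset; PERLIO_DEBUG, LD_PRELOAD and IFS never reach the child. The point of allowlisting is that a new dangerous variable (as PERLIO_DEBUG was for perl) needs no update to the filter.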
UnAce: buffer overflow and directory traversal
Package(s): unace
CVE #(s): CAN-2005-0160, CAN-2005-0161
Created: February 28, 2005
Updated: June 17, 2005
Description:
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161).
Comments (none posted)
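The tar/unzip entry, the UnAce entry above and the phpBB directory traversal bug all come down to the same missing check on an attacker-supplied path. The following C function is an added example, not code from tar, unzip or UnAce, of the check an extractor needs before creating any file: reject absolute names and any ".." component, wherever it appears (the "./.." prefix that caught UnAce included). The function and variable names and the sample member names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if `name`, an archive member name, can be extracted safely below
 * the current directory, 0 if it must be rejected. Rejects empty names,
 * absolute names, and any path component equal to "..", including the
 * "./.." and "a/../../b" forms. Repeated slashes and "." components are
 * harmless and allowed. (Assumption: '/' is the only separator; a Windows
 * extractor would also have to treat '\\' and "C:" prefixes.)
 */
int archive_path_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')
        return 0;                       /* absolute filename */

    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." component anywhere */
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Count the members of a listing that would be rejected. */
int count_unsafe(const char *const *names, size_t n)
{
    size_t i;
    int bad = 0;

    for (i = 0; i < n; i++)
        if (!archive_path_is_safe(names[i]))
            bad++;
    return bad;
}

/* Constructed member names, mimicking a hostile archive's table of contents. */
static const char *const demo_names[] = {
    "etc/motd",                  /* fine */
    "./bin/run.sh",              /* fine: "." component */
    "docs/..hidden/notes.txt",   /* fine: "..hidden" is not ".." */
    "../../../etc/passwd",       /* classic traversal */
    "./../.ssh/authorized_keys", /* the "./.." form from the UnAce entry */
    "/etc/ld.so.preload",        /* absolute */
    "a/b/..",                    /* trailing "..", rejected conservatively */
};
#define DEMO_COUNT (sizeof demo_names / sizeof demo_names[0])

int demo_unsafe_count(void)
{
    return count_unsafe(demo_names, DEMO_COUNT);
}

int main(void)
{
    size_t i;

    for (i = 0; i < DEMO_COUNT; i++)
        printf("%-28s %s\n", demo_names[i],
               archive_path_is_safe(demo_names[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check is deliberately conservative: "a/b/.." would not escape, but a name that contains ".." at all has no honest reason to be in an archive. Note that this check alone does not stop an archive that first creates a symbolic link pointing outside the tree and then writes through it; an extractor also has to refuse to follow links it created itself.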
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
The SOCKS 5 proxy code in XChat contains a stack overflow that may allow a
remote attacker to run arbitrary code within the context of the user running
the XChat client. To be exploited, the user must be running XChat through a
SOCKS 5 server, must have enabled SOCKS 5 traversal (which is disabled by
default), and must connect to an attacker-controlled proxy server.
Comments (none posted)
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description:
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle
parsing and DVD sub-picture decoder code.
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Comments (none posted)
xloadimage, xli: buffer overflows
Package(s): xli, xloadimage
CVE #(s): CAN-2001-0775
Created: March 2, 2005
Updated: March 2, 2005
Description:
The xloadimage and xli utilities contain a flaw in their compressed image
handling which can lead to a buffer overflow and code execution.
Comments (none posted)
xorg-x11: integer overflows
Package(s): xorg-x11
CVE #(s): CAN-2004-0914
Created: November 18, 2004
Updated: September 12, 2005
Description:
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can craft XPM images that execute malicious code when loaded.
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2004-1125
Created: December 23, 2004
Updated: April 1, 2005
Description:
xpdf has a potential buffer overflow problem caused by insufficient input
validation. A specially crafted PDF file can allow an attacker to execute
code with the privileges of the user running xpdf.
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Comments (1 posted)
xpdf: vulnerabilities on 64 bit platforms
Package(s): xpdf gpdf cups
CVE #(s): CAN-2005-0206
Created: February 18, 2005
Updated: March 16, 2005
Description:
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities.
Comments (none posted)
zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error handling vulnerability
which can enable denial of service attacks.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current extra-stable 2.6 release is 2.6.11.2, which was
announced by Greg Kroah-Hartman on
March 9.
The current 2.6 release remains 2.6.11; Linus has not yet released
any 2.6.12 prepatch. About 1000 patches have been merged into his
BitKeeper repository, however; they include numerous driver updates, the address space randomization patches, a new
packet classifier mechanism for the networking layer, a new workqueue API
function (see below), a new function (set_pte_at()) which is
intended to replace set_pte() in the memory management code, a
Tiger digest algorithm implementation, the restoration of the Philips
webcam driver, some software suspend improvements, some readahead
improvements, a big block I/O barrier rewrite (which enables full barrier
support on serial ATA drives), a set of patches to shrink the kernel for
embedded use, a generic sort() function, high-resolution POSIX
CPU clock support (not the full high-resolution timers patch), a USB API
change (usb_control_msg() and usb_bulk_msg() now take a
timeout in milliseconds rather than in jiffies), and lots of fixes.
The current -mm kernel is 2.6.11-mm2.
Recent changes to -mm include a reiser4 update, the Open-iSCSI driver, a
new SELinux multi-level security implementation, the return of the
real-time rlimit patch (yes, that discussion is going again), and a big set of
NFS and FAT filesystem updates.
The current 2.4 prepatch is 2.4.30-pre3, released by Marcelo on March 9. It
consists of some driver updates and a few fixes.
Comments (none posted)
Kernel development news
I want to have people test things out, but it doesn't matter how
many -rc kernels I'd do, it just won't happen. It's not a "real
release".
--
Linus Torvalds
It's nice that patches are called "fix the frobnozzle gadget", but
this analysis would be a lot easier if people would also label
their patches "break the frobnozzle gadget" when that's what they
do. Oh well
--
Andrew Morton
I don't think 2.2 and 2.4 models are applicable any more. There
are more of us, we're better (and older) than we used to be, we're
better paid (and hence able to work more), our human processes are
better and the tools are better. This all adds up to a qualitative
shift in the rate and accuracy of development. We need to take
this into account when thinking about processes.
--
Andrew Morton
I think we should call the tree the "sucker tree", and if somebody
wants to make a logo for it, make it be a penguin with a jokers'
hat: exactly to remind people that it's not about the glory.
--
Linus Torvalds
Comments (none posted)
The Linux kernel has been nearly unique in that it has operated without any
sort of formal security organization. Security-related patches would be
sent to a (hopefully) relevant maintainer, who would (hopefully) get it
merged into the mainline. With luck, distributors would notice the merging
of security-related patches and issue the appropriate updates.
The whole system was somewhat unwieldy (though it worked most of the time),
but, with this message from Chris Wright, things are
beginning to change. There is now an official security contact address -
security@kernel.org - which is distributed to a set of "security
officers" who will take the appropriate action in response to
security-related bugs. The people behind that alias, as of this writing,
are Linus Torvalds, Andrew Morton, Alan Cox, Marcelo Tosatti, H. Peter
Anvin, and Chris Wright.
The posting also includes a disclosure policy, which reads as:
The goal of the Linux kernel security team is to work with the bug
submitter to bug resolution as well as disclosure. We prefer to
fully disclose the bug as soon as possible. It is reasonable to
delay disclosure when the bug or the fix is not yet fully
understood, the solution is not well-tested or for vendor
coordination. However, we expect these delays to be short,
measurable in days, not weeks or months. A disclosure date is
negotiated by the security team working with the bug submitter as
well as vendors. However, the kernel security team holds the final
say when setting a disclosure date. The timeframe for disclosure
is from immediate (esp. if it's already publically known) to a few
weeks. As a basic default policy, we expect report date to
disclosure date to be on the order of 7 days.
So the mechanism is now in place. What remains to be seen is how well it
works when the next security hole turns up.
Comments (1 posted)
Traditionally, device drivers have added their devices to the system with
calls to
register_chrdev() or
register_blkdev(). These
functions served two purposes: allocating a portion of the device number
space, and making specific devices available to user space. In 2.6, things
changed a bit. For character devices,
register_chrdev() was
replaced by the combination of
alloc_chrdev_region(), which
allocates device numbers, and
cdev_add(), which attaches a device
to a specific number. On the block side,
register_blkdev() has
become optional, but it can still be used to allocate a block major
number. The association of block devices with numbers is done with
add_disk().
In other words, the allocation of device number space and the association
of specific numbers with devices have been split in the 2.6 kernel. Matt
Mackall was looking at the allocation side recently, where he noticed a
fair amount of duplicated code between the char and block implementations.
The current code is also unable to perform dynamic allocation of major
numbers outside of the traditional 0..255 range. So Matt put together a patch which cleans things up a bit.
The new allocation scheme relies on simple linked lists. When a new device
number request comes in, the code searches the (sorted) list to see if the
request can be satisfied. If so, a new entry is added to the list, and the
starting device number is returned. This work is done by the new function
register_dev():
int register_dev(dev_t base, dev_t top, int size, const char *name,
struct list_head *list, dev_t *ret);
This function requests that a range of size numbers be allocated
from the given list. The first number should fall between
base and top; if a suitable range is found, that first
number will be returned in ret. The list is a simple
list_head structure which is initially empty; the caller must
provide locking to prevent concurrent calls to register_dev()
using the same list.
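As an added illustration (not Matt Mackall's patch and not kernel code), the following user-space C program implements the same first-fit search over a sorted linked list that the text describes: walk the allocated ranges in order, skip past any that overlap the candidate, and stop at the first gap large enough whose first number still lies in [base, top]. The names register_dev_sim(), devnum_t, free_dev_list() and demo_sequence() are assumed for the example, the request sequence is constructed, and locking is left to the caller exactly as with register_dev().

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int devnum_t;          /* stand-in for the kernel's dev_t */

/* One allocated range; the list is kept sorted by `start` and non-overlapping. */
struct dev_range {
    devnum_t start;
    unsigned int size;
    const char *name;
    struct dev_range *next;
};

/*
 * First-fit allocation of `size` consecutive numbers whose first number lies
 * in [base, top]. On success stores the start in *ret, links a new entry into
 * the sorted list and returns 0; returns -1 if no such range exists. As with
 * the kernel function, the caller must serialize calls on the same list.
 */
int register_dev_sim(devnum_t base, devnum_t top, unsigned int size,
                     const char *name, struct dev_range **list, devnum_t *ret)
{
    struct dev_range **pp;
    struct dev_range *n;
    devnum_t cand = base;               /* lowest number not yet ruled out */

    if (size == 0 || base > top)
        return -1;

    for (pp = list; *pp != NULL; pp = &(*pp)->next) {
        struct dev_range *cur = *pp;

        if (cur->start + cur->size <= cand)
            continue;                   /* cur lies entirely below cand */
        if (cand + size <= cur->start)
            break;                      /* the gap before cur is big enough */
        cand = cur->start + cur->size;  /* cur overlaps: restart after it */
        if (cand > top)
            return -1;
    }
    if (cand > top)
        return -1;

    n = malloc(sizeof *n);
    if (n == NULL)
        return -1;
    n->start = cand;
    n->size = size;
    n->name = name;
    n->next = *pp;                      /* insert before the entry we stopped at */
    *pp = n;
    *ret = cand;
    return 0;
}

void free_dev_list(struct dev_range **list)
{
    while (*list != NULL) {
        struct dev_range *cur = *list;
        *list = cur->next;
        free(cur);
    }
}

/*
 * Constructed sequence of requests. Returns how many steps produced the
 * expected start number (5 when everything behaves as the text describes,
 * gap filling included), or -1 if the impossible request is granted.
 */
int demo_sequence(void)
{
    struct dev_range *list = NULL;
    devnum_t r;
    int ok = 0;

    /* request (base, top, size)                                   expected */
    if (register_dev_sim(0,  255, 10, "a", &list, &r) == 0 && r == 0)  ok++; /* 0..9 */
    if (register_dev_sim(0,  255,  5, "b", &list, &r) == 0 && r == 10) ok++; /* 10..14 */
    if (register_dev_sim(20, 255,  5, "d", &list, &r) == 0 && r == 20) ok++; /* base forces 20..24 */
    if (register_dev_sim(0,  255,  5, "e", &list, &r) == 0 && r == 15) ok++; /* fills 15..19 */
    if (register_dev_sim(0,  255,  6, "f", &list, &r) == 0 && r == 25) ok++; /* after d */
    if (register_dev_sim(0,    9,  5, "g", &list, &r) != -1)           ok = -1; /* [0,9] is full */

    free_dev_list(&list);
    return ok;
}

int main(void)
{
    printf("steps behaving as expected: %d\n", demo_sequence());
    return 0;
}
```

The linear walk is the same O(n) search the quibblers pointed at; with a few hundred registered ranges and allocation happening only at driver load time it is not worth a tree.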
The new interface works; it also replaces a fair amount of common code in
the char and block code. Other than some quibbles about potential
performance problems resulting from the linear list search algorithm (which
should not really matter, since device number allocation is a rare
operation), there seem to be no real objections to the new scheme. So it
may find its way into a -mm kernel before too long.
A future change would allow the dynamic allocation of device numbers in the
expanded range; for now, dynamic major numbers are allocated from 254 in
descending order, as has been done for many years.
The patch also retains the register_chrdev() and
register_blkdev() interfaces in a compatibility mode - even though
both were essentially obsolete even before the change. At some point in
the future, there may be an attempt to deprecate those interfaces; that
move would force changes in a great many drivers.
Comments (none posted)
The
workqueue interface allows kernel code
to request that a function be called at a later time, in process context.
It can thus be used to arrange for work which cannot be performed
immediately, perhaps because the current thread is running in an atomic
mode. It is also possible to queue delayed work requests which are
guaranteed not to run for a caller-requested delay period.
Sometimes the need arises to cancel tasks which have been queued to a
workqueue in a delayed mode. The function which performs this task is:
int cancel_delayed_work(struct work_struct *work);
This function attempts to intercept the given work before it runs
and remove it from the queue. If it is successful, it returns a nonzero
value. If, instead, cancel_delayed_work() returns zero, it means
that the delayed work request was fired off before the call; it might, in
fact, be running on another CPU when the cancel attempt is made. The
caller usually needs to know that the work function is not running, so the
standard procedure is to call flush_workqueue(), which waits until
all tasks currently in the queue are run. After flush_workqueue()
returns, the work function is guaranteed not to be running anywhere in the
system.
There is one remaining obnoxious detail, however: what if the work function
resubmits itself to the workqueue while it is running? In this case, that
function could run again when the rest of the kernel least expects it -
possibly after the module which contains that function has been removed
from the kernel. That is the sort of race condition which gives kernel
developers cold sweats. In general, this problem can be avoided by
creating a "do not resubmit yourself" flag which is set before calling
cancel_delayed_work(), but not all programmers make that effort.
In an attempt to make safe cancellation easier, Arjan van de Ven has added
a new function to the workqueue API:
void cancel_rearming_delayed_work(struct work_struct *work);
The implementation is straightforward; at its core, this function does the
following:
while (!cancel_delayed_work(work))
flush_workqueue(wq);
In other words, it simply keeps trying until it is able to catch the work
request when it is not executing, and, thus, cannot resubmit itself. This
approach works because it applies to delayed work - there has to be
some time when the work request is sitting in the timer queue waiting to
run. Sooner or later, the kernel is sure to catch it during that time and
keep it from running again.
The new function has been merged for 2.6.12.
Meanwhile, there are two functions which are used by drivers to send
messages to USB peripherals:
int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
void *data, int len, int *actual_length,
int timeout);
int usb_control_msg(struct usb_device *dev, unsigned int pipe,
__u8 request, __u8 requesttype,
__u16 value, __u16 index,
void *data, __u16 size, int timeout);
In 2.6.11 and prior kernels, the timeout value is expressed in
jiffies; for 2.6.12, the units of that parameter have been changed to
milliseconds. Dozens of patches were merged to bring in-tree drivers up to
the new version of the interface, but out-of-tree drivers will need to be
changed explicitly. The situation is complicated a bit by the fact that
the prototype of the function did not change, so the compiler will not
flag callers which have not been updated.
Finally, David Howells has changed the rwsem
implementation to use interrupt-disabling spinlocks. This change
should be transparent to most callers. Anybody who calls
down_read() or down_write() with interrupts already
disabled will be in for a surprise, however. There should be no such
callers, since those functions can sleep, but one never knows...
Comments (none posted)
The second edition of Robert Love's
Linux Kernel Development is out.
Actually, it has been out for a month or two, but your editor's copy has
only just arrived. It should be noted that your editor is the author of a
book which could be seen, by some, as a competitor to Mr. Love's work, and
thus might be biased in what he writes. Let it be known, however, that
your editor would never let such concerns get in the way of a fair review.
Linux Kernel Development really
is only suitable for
paperweight duty, and, even then, only until the cheesy binding gives out.
Seriously, though, the first edition of Linux Kernel Development was
reviewed here in November, 2003. It was, at
that time, the only book covering version 2.6 of the kernel, and it did a
good job of it. The coverage was not always as deep as one might like, but
it was broad, touching on most parts of the kernel. It was, beyond doubt,
a book that belonged on every kernel hacker's bookshelf.
The second edition has not messed with that format very much. The book now
appears under the Novell Press imprint, but Novell does not appear to have
called for any changes. So the basic structure of the book remains the
same. The introductory chapter has been split into two, with some
additional information on obtaining and building the kernel. There are two
completely new chapters; the first looks at working with modules, and the
other is a low-level introduction to kobjects and sysfs. The new chapters,
like the existing material, are clearly and accurately written. Beyond
that, the table of contents reads much like it did in the first edition.
Arguably, the most significant change is that the entire book has been updated to
the 2.6.10 kernel. As readers of the LWN Kernel Page are aware, much has
changed inside the kernel since the 2.6.0-test release which was the base
for the first edition. It was time for an update, and Robert has done
it with style. Your editor feels confident in saying that the second
edition, once again, belongs on every kernel hacker's bookshelf. Then the
first edition can be demoted to paperweight duty.
Comments (4 posted)
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
Two years ago Mandrakesoft was on the verge of bankruptcy and SUSE was
trotting along with a 6-month release cycle and a shrink-wrapped software
sales model. Now, Mandrakesoft is a profitable company, SUSE is part of
Novell, and many large cities and regions of Europe are actively migrating
to Linux-based solutions. Has the center of Linux adoption shifted from
North America to Europe?
The widely reported decision
of the European Council earlier this week to adopt the software patent
directive highlighted the key difference between public participation in
legal proceedings in the USA and Europe. While software patents were
adopted in the USA without much publicity or protests, the European open
source community has put up a strong fight and, at the very least,
succeeded in delaying the adoption of the controversial law. It has
mobilized many open source web sites to launch online protests against the
patents, asked EU citizens to write to their legislators with explanations
why software patents are wrong, and gathered a decent number of protesters,
many of whom came from distant countries, in front of the EU Council in
Brussels on the days when important decisions were being made. These
actions not only resulted in several unscheduled trips by Bill Gates to
Brussels to lobby for the speedy legalization of software patents, they
have also attracted the attention of the mainstream European media.
As such, Europeans are probably more aware of the open source movement than
citizens of most other parts of the world. SUSE
especially has to be commended for maintaining their distribution
agreements with many retailers around Europe. While practically all other
distribution makers have abandoned the shrink-wrapped business model and
rely exclusively on digital delivery of their software, SUSE Linux boxes
continue to be available in book and software stores throughout Germany,
Austria and most other European countries. In fact, walking into any
medium-size news stand in Germany is like entering a Linux paradise, as you
are likely to find perhaps a dozen Linux-related magazines in both German
and English. Many of these magazines are regular monthly publications
designed for Linux beginners, with friendly tutorials and easy
explanations. This is in sharp contrast with the United States, where the
only available Linux magazines are Linux Journal and Linux
Magazine, both of which cater to senior system administrators rather
than the general public. At present, there is no US-made printed magazine
targeting Linux beginners.
Speaking about magazines, Poland's Software Wydawnictwo has
emerged as one of the top open source publishers in Europe. It is currently
offering a number of titles ranging from a general Linux magazine with a
cover CD and DVD (Linux+) to specialist monthlies for PHP developers (PHP
Solutions) and security topics (Hakin9). The publishing house also produces
its own distribution (Aurox Linux), which it sells as part of the Aurox
Linux magazine. All these publications are available not only in Polish,
but also in German, French, Spanish and Czech, with more languages planned
for the future. Recently, Software Wydawnictwo also launched a new title
for the domestic market entitled "Linux w Szkole" (Linux in Schools), which
leaves little doubt that Linux is already well-established in Polish
educational institutions.
Mandrakesoft has emerged from its
financial disaster two years ago rather nicely. It returned to
profitability last year and has since been awarded two large contracts -
one by the European Union and the other by the French Ministry of Education
and Research. Its surprising acquisition last month of Conectiva, South
America's oldest and best-known open source company, might not be the only
one; the recent trips of Mandrakesoft's CEO François Bancilhon to China and
other countries seem to indicate that the company is looking around to
further strengthen its position as a global Linux solution provider.
Besides its successful range of Mandrakelinux products for the home user,
Mandrakesoft has also been expanding into the corporate sector with its
Corporate Desktop and Corporate Server editions.
Ubuntu Linux is another European
project that has gained rapid momentum since its launch 6 months ago. The
distribution has succeeded in creating large user communities in many
European countries, as witnessed by several rapidly growing user forums and
community web sites in Dutch, French, German and Spanish. Ubuntu has
seemingly done everything right - as if they studied the mistakes of other
similar projects and avoided them right from the start. Of course, the
GNOME-centric distribution has the backing of a wealthy individual, but their
work is still highly innovative, especially considering that no other
distribution before has been able to build fully functional live CDs for
PowerPC and AMD64 processors. With the upcoming release of version 5.04
next month, accompanied by a sister edition for the KDE fans (Kubuntu), the
Ubuntu Linux user base is likely to grow even further.
No article about the European Linux scene will be complete without visiting
Spain. Spain is one country that has gone further than any other in
converting a large number of computers and users to Linux. It all started a
few years ago by an initiative of the regional government of Extremadura
(gnuLinEx) and spread like a virus to other parts of the country. Nowadays
there are large areas of Spain where all school and public administration
computers are running Linux exclusively! It is interesting to note that
Spain has virtually standardized on Debian and Debian-based solutions and
many of these regional initiatives are now forging closer ties with Ubuntu,
which is seen as a more progressive project than Debian itself.
Other countries, regions and cities are, if not moving to Linux outright,
doing feasibility studies or have set up pilot projects. Reports about the
migration of Germany's Munich and Norway's Bergen have been
well-publicized, but other large cities, including Paris, Rome and Vienna
have also been in the headlines recently. It is likely that many smaller
projects, both governmental and in the private sector, are under way
without wanting to attract any publicity. This is not only great news
for Mandrakesoft, SUSE and Ubuntu, but also an opportunity for many smaller
open source companies, such as the recently unveiled Malta-based 2X Software, which is offering Linux-based
terminal servers and thin clients for large-scale deployments. Many other
small Linux companies are showcasing their solutions on this week's CeBIT
exhibition.
All this evidence leads us to believe that Europe is now the undisputed
leader in developing strategies for migration to Linux and open source
software. In the process, it has created a vibrant open source economy, as
well as a strong awareness among its population to resist controversial
laws favoring large software monopolies and their commercial agendas. The
tide is unstoppable. Let's hope that other regions will follow Europe's
example.
Distribution News
The first test image of KUbuntu is available. "PLEASE DO NOT FILE BUG REPORTS IN BUGZILLA YET. Send
any and all feedback to the ubuntu-devel mailing list. This is the first
set of working CD images, and we're announcing them to the community in
order to promote testing. They are likely to have many bugs, known and
unknown."
The latest snapshot of Ubuntu's Hoary Hedgehog Array CD 6 is available for testing.
The existence of the ubuntu-hardened
mailing list has been announced.
"The list aims to be the place where Hardened Debian developers and
contributors get in touch with both Ubuntu Linux users and developers, a
place to collaborate, work together and give help to others to achieve and
make possible the goals we want to achieve."
Here's a summary of the first Masters Of
The Universe (MOTU) meeting.
The candidates for the role of Debian Project Leader in the coming year
have
posted their
platforms on the election site.
The period to
submit papers
for debconf5 expires March 15, 2005, 23h59 UTC. This debconf will be
held in Helsinki in July.
New Distributions
GoodGoat Linux is based on
Gentoo. It's a simple desktop that can run from a USB key, hard drive or
CDROM disk. Version 1.2(beta) was released March 4, 2005.
Distribution Newsletters
The Debian Weekly News for March 8, 2005 is out. This week's news includes campaigning on debian-vote, Debian derived distributions, better Asian support, the recent release team meeting, a Debian project leader team, and several other topics.
Here's the Gentoo Weekly Newsletter for the week of March 7, 2005. In this issue there is a look at the Gentoo 2005.0 security rebuild, an Opteron 246 server donated by Nvidia that now runs the staging mirror and master rsync mirror, enhancements to the Gentoo Forums, and several other topics.
This edition of the Mandrakelinux Community Newsletter looks at the
Mandrakelinux and Conectiva merger, the Mandrakelinux 10.2 Beta 3 release,
the media on the merger, Mandrakeclub interviews Wobo, and more.
The DistroWatch Weekly for March 7, 2005 is out. "Welcome to this year's 10th
issue of DistroWatch Weekly! This week we will tell you about a secret
meeting of Debian developers in Vancouver where they were to unveil their
"Stunning New Release Strategy", give you a link to a valuable resource
that will turn you into a better system administrator of Debian-based
systems and direct you to a great new HOWTO to configure multimedia on SUSE
LINUX. Also, a surprise for fans of the amaroK media player - a new
PCLinuxOS-based live CD, bundled with some great free music. Enjoy!"
Minor distribution updates
Astaro Security Linux has
announced
the release of v5.2 which adds gateway-based spyware protection.
Puppy Linux has learned a new
trick with the multi-session-1.0.0alpha release. Just put your live CD in
a CD-RW drive and at the end of the session Puppy will save your configuration
back to its CD.
The
SME Server and its home
Contribs.org have been going through some
changes. After a short go-round with Lycoris, ownership of the
distribution reverted to Resource Strategies, Inc. That didn't last
either. As of March 5, 2005
Ruffdogs has
taken possession of Contribs.org and is developing a Roadmap for the
rebuilding of the Contribs.org community. The current stable release of
SME Server is at version 6.0.1. The first release candidate for SME Server
6.5 is also available.
YES Linux Release Team has announced the immediate availability of YES
Linux 2.2 Build 0. This is the first build of the YES Linux 2.2, with lots
of updated packages, and a few new ones.
Package updates
Fedora Core 3 updates:
tzdata-2005f-1.fc3 (updates for Israel and
Azerbaijan),
kernel-2.6.10-1.770_FC3
(various bug fixes),
libtool-1.5.6-4.FC3.1
(dependency on gcc version),
firefox-1.0.1-1.3.2 (fix spacing issues in
textareas),
ipsec-tools-0.5-0.fc3 (update
to 0.5),
dmraid-1.0.0.rc6-1_FC3 (update
v1.0.0.rc6),
selinux-policy-targeted-1.17.30-2.85 (fixes
for postfix in squirrelmail),
ipsec-tools-0.5-1.fc3 (fix some packaging
errors),
gaim-1.1.4-1.FC3 (bug fixes),
gimp-2.2.4-0.fc3.1 (update to v2.2.4),
yum-2.2.0-0.fc3 (bug fixes).
Fedora Core 2 updates: tzdata-2005f-1.fc2 (updates for Israel and
Azerbaijan), kernel-2.6.10-1.770_FC2
(various bug fixes), ipsec-tools-0.5-0.fc2
(update to 0.5), ipsec-tools-0.5-1.fc2 (fix
some packaging errors), gaim-1.1.4-1.FC2
(bug fixes).
Mandrakelinux 10.1 updates:
imap (adds a
requires for xinetd - also for 10.0, Corporate Server 2.1, 3.0),
unixODBC (fixes some issues with the GUI
config tools),
dynamic (now launches
kaffeine).
This week in slackware-current, mozilla-firefox-1.0.1-i686-1 and
mozilla-thunderbird-1.0-i686-1 were added, some older browser packages were
removed; new linux-2.6.11 packages are in testing. See the
change
log for details.
New, improved apache, etcskel, gdbm, rootfiles, samba, squid and sudo
packages are available for TSL 2.2.
Distribution reviews
NewsForge has a review of Mandrakesoft's Corporate Desktop. "Mandrake Corporate Desktop
is a little different, though: it is based on Mandrake Corporate Server,
which is a tested and mature product on a calculated and lengthy release
cycle. If you're used to some degree of instability or unpredictability
with Mandrakelinux, you won't find it in Mandrake Corporate Desktop. One
could roughly equate Mandrake Corporate Desktop to Red Hat Desktop, and
Mandrakelinux to Fedora Core."
NewsForge reviews Astaro Security Linux 5.1. "One of the more popular uses for Linux
is as a router/firewall to secure a local area network (LAN) against
intruders and share an Internet connection. Several specialized
distributions have sprung up to simplify this task. These range from small,
diskette-based distros like the Linux Router Project and FREESCO to larger
systems requiring a hard disk installation. Among the latter is Astaro
Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part
of ongoing research into content filtering products. ASL is an RPM-based
distribution that allows an administrator to easily turn an x86 PC or
server into a router/firewall appliance."
Irfan Habib explains why he likes Knoppix on his desktop. "Knoppix has many
uses. Many use it as a GNU/Linux advocacy tool, for which it is
well-suited, as it comes with the latest and greatest FOSS software, which
can be readily demonstrated to potential users. Knoppix is also a great
rescue CD. And Knoppix lets me take my desktop anywhere by letting me save
my settings to a configuration file. I can load Knoppix on any computer,
load my customized settings, and mount a USB storage device as the home
directory, and voilà! there's my desktop."
Page editor: Rebecca Sobol
Development
Version 2.10 of the GNOME Desktop & Developer Platform was announced this week.
GNOME 2.10
includes a number of interesting new features, such as a video player and a
CD ripping utility, and hundreds of bug fixes.
Released on schedule, to the day, it is the culmination of six months' effort
by GNOME contributors around the world: hackers, documenters, usability and
accessibility specialists, translators, maintainers, sysadmins, companies,
artists, users and testers.
Digging a bit deeper, the
What's New document describes a wide variety of improvements.
Here are the highlights:
- Nautilus file manager improvements:
  - Performance and stability improvements.
  - Better interoperability with web browsers.
  - Usability improvements.
  - Automatic renaming for new files.
- New artistic desktop backgrounds to choose from.
- Improved typing focus as per the Freedesktop.org standard.
- Inclusion of the Totem video player.
- Inclusion of the Sound Juicer CD ripper.
- Epiphany web browser improvements:
  - A better full screen mode.
  - Secure site display in the location bar.
  - Exportable bookmarks.
  - A new extension manager.
- Evolution email and groupware client improvements:
  - Support for offline email, contact, and calendar work.
  - The ability to attach files to events.
  - Support for exceptions on recurring events.
  - Support for US weather information.
  - Support for shared folders.
- Inclusion of GnomeMeeting for VoIP and video conferencing.
- Better keyboard layout selection through the control panel.
- New and improved Panel Items (Applets):
  - Removal of the Actions panel menu.
  - New Places and Desktop menus.
  - An integrated modem control applet.
  - An optional panel trash can.
  - Built-in controls for mounting removable media.
  - An improved weather monitor.
  - A new sound mixer.
  - Support for the Sticky Notes note taking applet.
  - A processor speed monitor for laptops.
  - Removal of the CD applet, the Wireless applet, and the Mailbox Monitor.
- GNOME Utilities improvements:
  - GNOME text highlighting and spell checking improvements.
  - A wider selection of archive formats for the Archive Manager.
  - The GNOME Dictionary adds word suggestions and online dictionary linking.
  - The Floppy Formatter adds support for USB drives.
- System Administration improvements:
  - GNOME System Tools has improved support for wireless networking.
  - User and group administration has been improved.
  - More system changes are applied instantly.
  - The Log Manager now supports the viewing of multiple logs.
  - Archived logs can now be opened.
  - Logs can be copied to the clipboard.
- Game Improvements:
  - A new version of Same GNOME has been added.
  - The Nibbles game adds browsing of the local network for other users.
- The GNOME 2.10 Development Platform has API improvements.
- Full Python language bindings are now included.
The Release Notes mention improved internationalization, continuing
standards compliance, a few known issues (bugs) and more.
There is also a GNOME 2.12 release schedule; look for the next version in about
six months.
GNOME 2.10 adds some useful features to what is already a mature
and stable desktop environment.
The source code for GNOME 2.10 and a live CD are available for download
here.
System Applications
Database Software
A call for testers has gone out for version 2.0 of the Firebird database.
"The Firebird Project will soon be releasing the first public "alpha" release of Firebird 2.0. Version 2.0 is a long-awaited important major release of Firebird with many new features, enhancements and bugfixes (see alpha Release Notes for details). In number of changes, the jump in this release is equivalent if not greater than the transition from version 1.0 to version 1.5."
Filesystem Utilities
Version 1.1.0 of Detox is out.
"Detox is a utility designed to clean up filenames. It replaces non-standard characters, such as spaces, with standard equivalents."
See the
Change Log for change information on this version.
Networking Tools
Version 1.3.1 of iptables, a firewall application, is out.
"
The final 1.3.1 version contains some minor bugfixes to the
recently-released version 1.3.0".
OpenSSH 4.0 is out. There does not appear to be a big pile of new features
to motivate the dot-zero version number; click below for the announcement and list
of changes.
Peer to Peer
Version 1.6 of MantaRay, a peer-to-peer communication and messaging solution,
has been announced.
"MantaRay 1.6 includes new delivery algorithms that
enforce stricter once and only once guaranteed delivery in queues and durable
topic subscribers. The new algorithms also improved MantaRay's persistency.
In order to better align MantaRay with the JMS specification, the receiver
can now determine the message acknowledgment mode. In addition, several JMS
bugs were fixed in this release."
Printing
Version 1.21 of PyKota, a Python-based print quota system for CUPS,
has been announced.
Changes include bug fixes, better documentation, and more.
Telecom
Version 1.1.7 of Speex, an audio CODEC, is out.
"The changes for this release are very broad and include generic optimizations in the encoder, ARM-specific optimizations (gcc inline assembly), optional shortcuts in the encoder sacrificing quality for speed, fixed-point improvements (perceptual enhancement converted), reduction in memory usage, the Symbian code now uses the same API, and several bug fixes."
Web Site Development
Version 1.6.3 of the Midgard Open Source Content Management Framework
is out.
"
This is a maintenance release that includes some bug fixes and support
for the new Zend Thread Safety (ZTS) mode in PHP."
Version 0.3.7 of UnCommon Web, a web application development
framework written in Common Lisp, is out.
"
This version makes it easier to upgrade live applications and provides
a few changes to components."
Version 0.6.1 of libannodex, a library for working with Annodex media,
is available with bug fixes and other improvements.
Version 0.2.1 of mod_annodex, an Apache module for working with
Annodex media, has been released. It features support for a new time
range format.
Robert Bernier looks at Apache log files through PostgreSQL on O'Reilly.
"System log files encapsulate a wealth of information for administrators and
developers. Teasing that data out of the logs into a format that reveals
patterns may be a challenge, though. Robert Bernier shows how to parse,
store, and query Apache httpd log data from PostgreSQL to find useful
information."
Desktop Applications
Desktop Environments
The following new GNOME software has been announced this week:
The following new KDE software has been announced this week:
The March 4, 2005 edition of the KDE CVS-Digest is online; here's the content summary:
"Beginnings of Subversion support in Cervisia. Cleanup of initial application sizing. KDevelop adds QT Designer support for Python. IDN issues fixed in Konqueror. Digikam adds more plugins: Insert Text, Channel Mixer, Infrared, Blur, Distortion, and a new ratio crop tool. Kmail adds an account setup wizard."
The first issue of the Xfce Weekly News has been launched; it covers the week of February 25 - March 3, 2005.
Thanks to Biju Chacko.
The Xfce project has announced the availability of a new Xfce Foundation Classes web site.
"In October of last year Jeff Franks made an interesting proposition on the Xfce-Dev list. Jeff had developed a relatively complete and lightweight GTK+ binding for C++ called GTK+ Foundation Classes. For a number of reasons, Jeff felt that GFC needed a new home, and Xfce seemed the best bet.
Now, after many months of hard work, Jeff announced the new Xfce Foundation Classes, with a first developer release and stack of well written documentation, all available from the new."
Thanks to Biju Chacko.
Music Applications
Christian heavy metal rockers should check out the latest version of
Jesusonic, a Freeware-licensed guitar effects processor for the
Debian distribution.
"The Jesusonic is a fully programmable effects processor for guitar, bass, vocal and general use. Effects can interact with each other (for example, a volume detection effect can trigger a tremolo effect), or (especially in the case of the Jesusonic CrusFX 1000) with the user (you can assign triggers to effects like loop samplers, for example). A wide assortment of built-in effects are included and users can modify effects or write completely new effects on the fly."
Version 0.18 of liblo, an implementation of the Open Sound Control
protocol for POSIX systems, has been announced.
"
This is bugfix release and fixes a critical bug in 0.17 that
bites when trying to connect multiple clients to one server.
All users of 0.17 should upgrade as soon as possible."
A new soprano saxophone soundfont has been announced.
Office Applications
Version 0.9.0 of DataVision, a reporting tool,
is available with numerous changes.
"
DataVision
is an Open Source reporting tool similar to Crystal Reports. Reports can be
designed using a drag-and-drop GUI. They may be run, viewed, and printed from
the application or exported as HTML, XML, PDF, LaTeX2e, DocBook, or tab- or
comma-delimited text files."
Office Suites
Version 2.0 beta of OpenOffice.org has been released.
"
This beta release is the result of many months work in expanding the
functionality, performance and compatibility of the office suite. This
intense effort has yielded impressive results including the addition of
a new database module, implementation of the OASIS OpenDocument XML file
format and a host of other new features and capabilities."
Build 1.9.79.1 of OpenOffice.org has been announced.
"
This package contains Desktop integration work for
OpenOffice.org, several back-ported features & speedups, and a much
simplified build wrapper, making an OO.o build / install possible for
the common man. It is a staging ground for up-streaming patches to
stock OO.o."
Web Browsers
MozillaZine covers browser issues from FOSDEM 2005.
"Marson reports that Tristan Nitot, president of Mozilla Europe, said that "a few companies" have installed Mozilla Firefox or Mozilla Thunderbird on 100,000 systems. He also says that some parts of the French government are considering switching to Firefox. Based on comments from Gerv, the story reports that a US-based Fortune 100 company has rolled out Thunderbird to 50,000 PCs and is paying the Mozilla Foundation to customise it. According to Tristan, enterprises that are deploying Mozilla aren't shouting about it because they want to avoid damaging their relationships with Microsoft."
The minutes from the February 28, 2005 mozilla.org staff meeting
are online.
"
Issues discussed include Mozilla 1.8 Beta 1, Mozilla 1.8
final, Mozilla Firefox 1.0.1, Mozilla Firefox 1.1, Mozilla Thunderbird 1.1,
FOSDEM, update.mozilla.org, developer.mozilla.org and the international
domain name Punycode spoofing issue."
Word Processors
GnomeDesktop covers the release of AbiWord 2.2.5, a word processor.
"While AbiWord v2.2.4 had a nice list of bugfixes, our users were kind enough to report that there were still nasty bugs running around.
So here we are releasing AbiWord v2.2.5, shortly after the previous release.
This release is a bugfix release only."
Miscellaneous
Version 0.8.0 of Gourmet Recipe Manager has been announced.
"Gourmet can import most major recipe formats,
including mealmaster and mastercook, and can export a number of useful
formats, including HTML. Version 0.8.0 marks a number of major improvements,
including a new improved speed for imports, a new recipe card interface,
infinite Undo throughout the interface, and experimental MySQL and SQLite
backends."
MozillaZine has an announcement for the first beta release of Nvu 0.9, a cross-platform web authoring system.
"Nvu 0.9RC1 includes improvements to the Link dialogue, printing
fixes and a new default theme. There are builds for Windows, Linspire 5.0,
Fedora Core 3 and Mac OS X, with a source tarball also available."
GnomeDesktop.org has the announcement for release 0.11 of the Open Clip Art Library, a collection of small images.
"Some of the new
clip art received this month includes more images of food, computer-related
items and even a little boombox. In addition to the collected 0.11 package,
each clip art file can now be found by keywords using developer Jonadab's new
Keyword Search Tool."
Languages and Tools
Caml
The March 1-8, 2005 edition of the Caml Weekly News
is out with the week's Caml language development news.
Haskell
The initial publication of
The Monad.Reader, a monthly online Haskell language e-zine, is out.
Thanks to Shae Matijs Erisson.
HTML
Micah Dubinko explores the details of XHTML 2.0 hyperlinks on IBM developerWorks.
"As a fundamental part of the Web, hypertext linking has been the subject of repeated attempts at standardization beyond the basic format allowed in simple HTML. Such attempts can be characterized as efforts to balance machine processing ability with authoring convenience. The latest specification in this area, XHTML 2.0, just might have gotten it right."
Java
Bill Siggelkow explores chains and the Java Framework on O'Reilly.
"In part one of a two-part series, Bill Siggelkow covers the basics of Chain,
a promising new framework from the Jakarta Commons subproject that lets you
integrate Chain into the Struts build process."
Ramnivas Laddad discusses aspect oriented programming and metadata on IBM developerWorks.
"In this first half of a two-part article, author Ramnivas Laddad provides a conceptual overview of the new Java metadata facility and shows where AOP could most benefit from the addition of metadata annotations. He then walks you through a five-part design refactoring, starting with a metadata-free AOP implementation and concluding with one that combines the Participant design pattern with annotator-supplier aspects."
Bill Burke covers Aspect-Oriented Annotations on O'Reilly.
"Annotations are one of the new language features in J2SE 5.0, and allow you to attach metadata onto any Java construct. Meanwhile, Aspect-Oriented Programming (AOP) is a fairly new technology that makes it easier for you to encapsulate behavior that is usually messier, harder, or impossible to do with regular object-oriented (OO) techniques. Together, they make a new powerful combination that gives framework developers a more expressive way of providing their APIs. This article dives into combining these technologies using the JBoss AOP framework in various coding examples to show how you can use this combination to actually extend the Java language."
Tony Morris introduces the Assertion Extensions for JUnit on IBM developerWorks.
"JUnit lets you test software code units by making assertions that the intended requirements are met, but these assertions are limited to primitive operations. IBM Software Engineer Tony Morris fills the gap by introducing Assertion Extensions for JUnit, which provides a set of complex assertions that execute within the JUnit framework. Follow along as the author shows you how using this new package from alphaWorks can increase the reliability and robustness of your Java software."
Lisp
Version 0.9.1 of McCLIM, an open-source implementation of the CLIM 2
(Common Lisp Interface Manager) specification, has been released.
"
This version changes the installation process, includes a new Max OS X
Cocoa backend, provides improved documentation and new
applications/examples, and more."
Version 0.8.20 of SBCL (Steel Bank Common Lisp) has been released.
"
This version provides performance improvements and several bug fixes."
Perl
Version 0.1.2 of Parrot, the Perl 6 virtual machine,
has been announced.
Changes include new string handling code, the beginnings of a
generational garbage collector, better Python support,
improved test coverage, and more.
chromatic interviews Autrijus Tang on O'Reilly.
"Autrijus Tang is a talented Perl hacker, a dedicated CPAN contributor, and a truly smart man. His announcement of starting an implementation of Perl 6 in Haskell on February 1, 2005 might have seemed like a joke from almost anyone else. A month later, his little experiment runs more code and has attracted a community larger than anyone could have predicted. Perl.com recently caught up with Autrijus on #Perl6 to discuss his new project: Pugs."
Martin C. Brown works with Perl module deployment on IBM developerWorks.
"If you run Perl across many different computers of any sort, you know how frustrating it can be to install Perl extension modules across those machines. The administrative process is even worse if you have a Web server farm and need to keep each machine up to date with a set suite of extension modules for your installation. CPAN helps, but there are issues with CPAN that make it an unwieldy solution for use on a network. This article provides possible solutions before covering the final system. The main goals are a unified installation/module set, a single download, and a guaranteed unified set of version numbers across all the computers in the network."
Python
The March 7, 2005 edition of Dr. Dobb's Python-URL! is out
with the week's Python language articles.
The February 2-14, 2005 edition of the python-dev Summary
is out with coverage of activity from the python-dev mailing list.
The February 15-28, 2005 edition of the python-dev Summary is online
with coverage of the python-dev mailing list traffic.
Ruby
The March 6, 2005 edition of the
Ruby Weekly News is available with the latest news and discussion
from the ruby-talk mailing list.
O'Reilly has published part two of a series on Rails with Ruby.
"Curt Hibbs introduced Ruby on Rails by building a simple but functional web
application in just a few minutes. Does the ease of use continue? He thinks
so. In the second of two parts, Curt completes his example Rails application
in merely 47 lines of code."
George Moschovitis explains ObjectGraph (Og) on the RubyGarden.
"RDBMS systems are a proven and robust technology for storing and querying data, but after experiencing the wonders of Ruby, it is hard not to wish for a better way to integrate the OOP and Relational paradigms.
Og makes your dream come true! Og stands for ObjectGraph and provides a transparent way to make your objects persistent while leveraging the full querying power of an RDBMS system. In fact, Og is designed to use an RDBMS system like MySQL or PostgreSQL to implement the actual data store where the objects are serialized."
Tcl/Tk
The March 7, 2005 edition of Dr. Dobb's Tcl-URL! is online with
another weekly roundup of Tcl/Tk articles and resources.
XML
Jack Herrington writes about XML batch processing on IBM developerWorks.
"A common problem with XSLT is that it takes only a single XML file as input. You can use a cross-platform Java tool to create an XML directory listing, then use XSLT to process every file in the directory from that listing. This tip covers installation and use of such a tool, as well as the corresponding XSL that processes multiple files from the directory listing."
Joe Gregorio codes a bookmark service on O'Reilly.
"In my inaugural article, I outlined the four basic steps you needed to follow when creating a RESTful web service. Now let's take those basic steps and follow them through a worked example. To stay on familiar ground we'll create something that you may find familiar: a web bookmark service."
Bob DuCharme has put together an introductory article about XQuery on O'Reilly.
"Although the W3C's XQuery language for querying XML data sources is still in Working Draft status, the recent XML 2004 conference showed that there's already plenty of interest and many implementations. While the Saxon implementation may not scale up as much as the disk-based versions that use persistent indexes and other traditional database features, you can download the free version of Saxon, install it, and use XQuery so quickly that it's a great way to start playing with the language in order to learn about what this new standard can offer you."
Uche Ogbuji mines the XML-SIG mailing list on O'Reilly.
"In this article I continue where the last one left off, mining the XML-SIG archives for 2002 and 2003. As always, I have updated code where necessary to use current APIs, style, and conventions in order to make it more immediately useful to readers. All code listings are tested using Python 2.3.4 and PyXML 0.8.4."
Miscellaneous
Mats Wessberg introduces IBM's Rational Unified Process (RUP) framework, and
discusses improvements that can be made to the traditional
process of software development.
"To introduce beginners to the RUP framework, the process of software development is often compared to the construction process. But software development with the RUP is actually more like making a movie than building a house, as this article suggests."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
NewsForge has some tips on how to make money with open source software. "The
business community wants to know that a company is a reliable partner, a
message that can be easily lost in the static of lingering suspicions about
FOSS. By contrast, the FOSS communities want reassurance that the company
does not simply exist to exploit their volunteer labor. They'll also ask
questions about when the company is going to make contributions to the
community -- usually code, but possibly also cash and marketing or the
sponsorship of a conference. They want proof that the company is a credible
member of the community."
Jono Bacon suggests techniques for advocating open-source software on O'Reilly. "Within the open source community, advocacy is as critical as contributing source code, patches, or documentation. Although advocacy is not a technical contribution, it is critically important to spread the message of open source to other people in a language that is cohesive to their context. It is easy to preach to the converted when advocating open source to people at Linux user groups and trade shows, but standing in front of a board of executives who care little about computers--let alone a facet of computers, such as open source--is quite a challenge."
Comments (none posted)
Trade Shows and Conferences
KDE.News covers the KDE events at FOSDEM 2005. "FOSDEM is Europe's biggest meeting of Free Software developers and KDE turned out in force at it last weekend. As well as talks in the main track on KDE and KDevelop, the KDE Developers' room hosted a series of other talks. We also ran a stall and still found time for some hacking."
Comments (none posted)
KDE.News looks at the use of multi-headed machines at the Tübinger Perception Conference 2005. "This setup was a little bit special, because one PC served 3 GeForce graphic adapters with 2 TFTs and 1 old SGI monitor, 3 keyboards and 3 mice attached. Under normal circumstances, you can only attach 1 monitor, 1 keyboard and one mouse to a computer."
Comments (none posted)
The SCO Problem
Business Week has a surprisingly complete article about the slow implosion of the SCO Group; it includes a report of today's announced restatement of SCO's 2004 numbers. "Well, the mouse that roared is barely squeaking these
days. A string of recent setbacks raises grave questions about SCO's
finances, its court case, and its management."
Comments (8 posted)
Remember the long series of unpleasant Daniel Lyons stories about SCO in
Forbes? It seems that
even Mr. Lyons is figuring things out. "
After two
years, SCO still hasn't provided any evidence to back up its claim against
IBM, something a judge recently chided it for. Now we find out it can't
even handle basic accounting....
So maybe there is no big conspiracy. Maybe these guys are just in over
their heads."
Comments (5 posted)
Groklaw has posted a declaration by Chris Sontag in the SCO case. "Here's Chris Sontag's latest declaration, in which he tries to support SCO's accusation IBM broke the law when it downloaded, from SCO's website, GPL'd Linux kernel code IBM itself wrote and owns the copyright on. IBM at the time was looking for evidence of copyright infringement, by the way. You know, like SCO's hero, the RIAA? SCO was in violation, IBM says, of the GPL by distributing that code in the first place, and hence SCO had no right to distribute that code to anyone, because they were violating IBM's copyright by so doing."
Comments (none posted)
Groklaw
reports that the next hearing on the SCO/Novell case (on Novell's motion to dismiss) has been pushed back to May. "
I guess SCO decided,
after reading the Novell motion, not to fight, and they stipulated
eventually. But first they forced Novell to go to the expense and effort of
drawing up a motion that both sides must have known Novell couldn't lose from
day one. Just totally unnecessary. So it's May 25th at 3 PM, on stipulation
by the parties, and so ordered by Judge Kimball."
Comments (none posted)
For those of you following along with the mess at the Canopy Group: Groklaw has
the Noordas' side of the story from the court. "
These Canopy lawyers thought of everything to throw in there. Like the song says, you have to know when to hold them and know when to fold them, and a settlement must have looked mighty good after Yarro, Mott and Christensen's attorneys read this Answer and realized the mountain they'd need to climb in this litigation to prevail."
It's worth noting that the Deseret News has posted an article stating that the rumors of a settlement in this case are premature.
Comments (none posted)
Companies
News.com
gives an overview of Wind River's open source makeover. "
A week ago, Eclipse project organizers said they planned to expand Eclipse into the embedded-software arena. But Wind River's effort isn't a shoo-in.
The company has weeks of work ahead in navigating a complicated approval process for top-level projects, said Mike Milinkovich, executive director of the Eclipse Foundation, adding that he expects Wind River's project eventually to be approved."
Comments (none posted)
NewsForge looks at the GoDaddy.com offer of free SSL certificates to open source projects. "We thought it might be interesting to see what kind of
response GoDaddy got, what it is doing to filter out the open source noise
from the truly open source projects, and what it really takes to cash in on
open source authenticity to score a free Turbo SSL Certificate from the
Arizona company. Conversely, what must open source projects do to take
advantage of this kind of free support -- whether it be SSL certs, hosting,
or other services that can put more time and energy back on the code --
without compromising any control?"
Comments (2 posted)
Legal
ZDNet UK has run
a critical column on the adoption of the software patent directive. "
This affair has highlighted the mandarin mechanisms of Europe at their baleful worst. The killer argument that won the day for software patents? 'We are adopting the position for institutional reasons so as not to create a precedent which might have a consequence of creating future delays in other processes.' Lay down your keyboards, ye knights of open source; you have lost your freedom in a noble cause."
Comments (14 posted)
Interviews
OSDir.com has an interview with Daniel Quinlan. "When most of us get email offering
questionable herbal alternatives to Viagra or dubiously low prices on Adobe
software, we simply delete it, having accepted long ago that receiving at
least some unsolicited email comes with the price of using the
Internet. But for Daniel Quinlan, it motivates him to figure out how to
stop it -- for not just his sake but everybody else's. It's his job: He
works as an anti-spam architect for an email security provider. And his
paid work also carries over to his contributions to SpamAssassin, of which
he currently chairs this free software's Project Management
Committee."
Comments (none posted)
Here's a NewsForge interview with Con Zymaris. "Con Zymaris runs Cybersource, an IT
service company in Melbourne, Australia. Cybersource started as a one-man
Unix shop in 2001 and has gradually evolved into a decent-sized
Linux/FOSS-based business that serves a client base Zymaris says is now 20%
government, 20% corporate, and 60% small/medium-sized businesses."
Comments (none posted)
Resources
Linux Journal presents Part 4 in a four-part series of articles on Embedded Linux Development. "We continue with the particular SBC that we used in Part 1, Part 2 and Part 3, the LBox from
Engineering Technologies Canada Ltd. (Engtech). Despite the use of a
specific SBC here, much of the material has broader application and should
be useful generally for using the Background Debug Mode (BDM) with Motorola
microcontrollers."
Comments (none posted)
NewsForge shows how to use OpenOffice.org and the Gimp to create truly obnoxious animated presentation slides. "
Using masks and animating the resultant graphics along a path is an appealing way of getting an idea across to your audience. It's straightforward, clean, and high-impact."
Comments (5 posted)
Reviews
NewsForge has published a review of Blender 3D, a three-dimensional content creation and animation suite. "Modeling in Blender is quite fun, especially if you're doing organic modeling and using Blender's Subdivision Surface option. You can use optimal iso-lines for mesh editing, which makes it easy on the eye. Add to this the option to model meshes using vertex, edge or face, selection mode, and many tools such as extrude, bevel, cut and spin, screw and warp, noise and smooth, subdivision, and much more, and you have a complete modeling toolkit."
Comments (none posted)
NewsForge has a review of two open-source recipe managers. "There are a number of different open source cookbook-related applications
currently under active development in the community; a few of them even
actually deal with food. If you're hungry for some open source code that will
help feed you, Gourmet Recipe Manager and PHPRecipeBook are two applications
that can help satiate your appetite."
Comments (1 posted)
Linux Journal takes a look at text mode browsers. "Considering the speed and
convenience text mode browsers offer, even over SSH connection from half a
continent away, text mode browsing is supremely useful. So let's take a
look at the current state of text mode browsers."
Comments (11 posted)
NewsForge reviews the VIA Epia MII-12000 Mini-ITX form-factor motherboard. "It's quiet, it's small, it's powerful enough for everyday desktop use and
versatile enough to be a set-top media device or small home server. It takes
PCMCIA cards, IDE drives, DDR memory, and a standard ATX power supply, yet
it's smaller than a laptop computer. It has a built-in DVD decoder (no more
DeCSS!) and with its built-in RSA chip it can encrypt and decrypt data faster
than the most powerful Athlon 64 system."
Comments (none posted)
Miscellaneous
News.com reports that Michael Tiemann has taken over as president of the Open Source Initiative. "[Russel] Nelson was named OSI president Feb. 1, taking
over from co-founder Eric Raymond. Tiemann took over Feb. 23 and will
continue in his role at Red Hat. "We thought that Michael would be a
better president," Nelson said of the change, declining to share further
details. Nelson will remain a board member and active in the group, he
said."
Comments (31 posted)
Steven J. Vaughan-Nichols worries about the future of Firefox in eWeek. "Here's the long and short of
it. If the Mozilla Foundation and Firefox friends like Google don't start
spending money - right now - to hire more
programmers, more project managers and more servers, it won't matter how
many ads in the New York Times Firefox supporters take out, Firefox will
have already reached its high tide of popularity and we can only wait for
the ebb to begin." (Thanks to Steven G. Johnson).
Comments (13 posted)
News.com mentions the availability of security updates for RealPlayer and Helix Player on Linux and other platforms. "RealNetwork's patches, released Tuesday, address vulnerabilities in the software that could allow an attacker to run arbitrary or malicious code on a person's computer when a malicious WAV or SMIL file is processed.
Secunia, a security information company, rated the vulnerabilities as critical."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation Europe has sent an open letter to an EU official concerning the effect of software patents on European cities. "This will become a significant cost factor for three main reasons:
Both software developers and users can be asked for almost any amount
of money the software patent holder chooses. Many developers and
companies will not be able to pay such demands and thus go out of
business, turning tax-payers into people in need of social welfare.
Finally, the price of the remaining software companies products will
increase because of the need to refinance their software patent expenses
and also because of reduced competition in the market."
Full Story (comments: none)
FFII has sent out a lengthy release containing a letter from Jonas Maebe on how the European Council reached its decision on the patent directive, and what the implications are for Europe and the proposed EU constitution. "There was simply no
qualified majority (possibly not even a simple majority) in the
Council for this text. It was purely due to diplomatic inertia and
fear of doing something against whatever is customary that it slipped
through. Unless the Constitution says somewhere 'the written rules
always have precedence over diplomatic customs and fears', it won't
change this."
Full Story (comments: 15)
Commercial announcements
eEye Digital Security has announced version 5.2 of its Retina Network Security Scanner. "Retina 5.2 is one of the first in the industry to provide
security and IT professionals with a more in-depth view of the Linux,
UNIX and other non-Windows(R) devices on their network."
Comments (none posted)
Empower Technologies has announced that it will be demonstrating its Linux-based LDK5910 platform at the Embedded Systems Conference in San Francisco on March 6-10, 2005. "The LDK5910 combines LEOs, the OMAP5910 dual processor and an evaluation
module (EVM) to afford a new level of cost and production efficiency to
application development."
Comments (none posted)
Etnus has announced the availability of their TotalView debugger for the IBM Blue Gene/L supercomputer. "TotalView is an advanced 32- and 64-bit graphical debugger
providing software engineers with complete control over parallel and
threaded applications written in C, C++ or Fortran. Not your average
debugger, TotalView also provides unique, proprietary memory debugging
technology that neither instruments code nor alters libraries."
Comments (none posted)
Mandrakesoft has announced the signing of a distribution agreement with the French Ministry of Education and Research. "Mandrakesoft today announced an agreement with the French Ministry of
Education and Research which allows the distribution of its line of
products and services to Higher Education institutions, including
universities and research laboratories, throughout France."
Full Story (comments: none)
Micro Focus International Ltd. has announced at the Intel Developer Forum in San Francisco general availability of Server Express(TM) for 64-bit Linux applications running on Intel(R) Itanium(R) 2 processor-based platforms.
Full Story (comments: none)
PalmSource, Inc. has announced it has joined the Consumer Electronics Linux Forum (CELF) as an Associate member. ""We are pleased to join the Consumer Electronics Linux
Forum and collaborate with other industry-leading companies and the open
source community to advance the development of Linux-based products," said
John Ostrem, lead scientist of PalmSource. "With PalmSource's recent
acquisition of China MobileSoft and the Company's Linux expertise, we
believe PalmSource is poised to make significant contributions to the CELF
as it develops Linux-based phone software products.""
Comments (none posted)
Plextor Corp. has announced the availability of a free Linux Software Developers Kit (SDK) for ConvertX video capture devices. "Licensed
under the GNU General Public License, the Linux SDK supports the popular
Video for Linux 2 (V4L2) and Advanced Linux Sound Architecture (ALSA)
specifications. It also supports deprecated Open Sound System (OSS)
applications via the OSS compatibility layer provided by ALSA. The new
driver, which requires the Linux 2.6 kernel, includes sample code that can
be reused in open source or proprietary applications to help developers get
started quickly."
Full Story (comments: none)
Terra Soft Solutions has announced that it is shipping iPods which are
configured to boot Yellow Dog Linux. Note that Linux does not run on the
iPod itself (though
that is
possible); instead, the iPod serves as a boot drive for Apple G4/G5
systems. Click below for the details.
Full Story (comments: none)
The OASIS standards consortium has approved the XACML 2.0 Access Control Markup Language as a standard. "To meet the needs of a wide range of users across many different
environments, XACML 2.0 incorporates new profiles for Role Based
Access Control (RBAC), Privacy, and Lightweight Directory Access
Protocol (LDAP). XACML 2.0 profiles also provide integration and
hierarchical resources for the Security Assertion Markup Language
(SAML) OASIS Standard."
Comments (none posted)
New Books
Looking to set up your own VOIP private branch exchange? Signate
is offering a book and CD set which includes a Linux distribution and the
Asterisk PBX system.
Comments (none posted)
Syngress has published the book
Black Hat Physical Device Security by
Drew Miller.
Full Story (comments: none)
Syngress has published the book
Intrusion Prevention and
Active Response by Michael Rash and Angela Orebaugh.
Full Story (comments: none)
O'Reilly has published the book
Jakarta Struts Cookbook
by Bill Siggelkow.
Full Story (comments: none)
Resources
Electric Cloud has announced the release of their GNU Make Standard Library (GMSL) under the GPL. "Until now, when developers wished to create a complex Makefile
they were often forced to code, from scratch, common functions, or
search the Internet for snippets of GNU Make code that could assist
them. Now, with the GMSL, GNU Make developers have a single free
collection of functions implemented using native GNU Make
functionality. The GMSL includes list and string manipulation, integer
arithmetic, associative arrays, stacks, debugging facilities and more."
Comments (20 posted)
The March 6, 2005 edition of the FSF Europe Newsletter
is online with the latest FSFE news.
Full Story (comments: none)
The March issue of
Linux
Gazette is out. Articles in this issue include
Running XBoard in
Irssi, by Jason Creighton,
RSA 2005 Conference and Expo, San
Francisco - Special Report, by Howard Dyckoff,
Free as in Freedom:
Part Three: Open Source to the Corporate Bazaar, by Adam Engel,
Experiments with the Linux Kernel: Process Segments, by
R. Krishnakumar, and more.
Comments (none posted)
The March 9, 2005 edition of the Linux Documentation Project Weekly News
is online with the latest documentation additions.
Full Story (comments: none)
The January 2005 edition of the LPI Newsletter is online with
the latest Linux Professional Institute news.
Full Story (comments: none)
David Wheeler has
recently updated his
article on
Why Open Source Software / Free Software (OSS/FS, FLOSS,
or FOSS)? Look at the Numbers!. (Found on
LinuxMedNews)
Comments (none posted)
Contests and Awards
GnomeDesktop has announced the closure of the GNOME 2.10 splash screen contest; the winning selection has been chosen.
Comments (none posted)
Upcoming Events
The Debian-Edu developer meeting will be held in Nafplion, Greece on April 15-17, 2005.
Full Story (comments: none)
A Call for Contributions has been posted for the
Libre Software Meeting 2005. The event will be held on
July 5-9, 2005 in Dijon, France.
Full Story (comments: none)
A Linux Server Virtualization event will be held in Herndon, VA
on March 22, 2005.
Full Story (comments: none)
LugRadio Live 2005 is the
expo for people who like some fun with their Linux. It will be held June
25, 2005 at the Terrace Bar, Molyneux Stadium, Wolverhampton, UK.
Comments (none posted)
The second annual
Open Source Business Conference (OSBC) will be held
in San Francisco, CA on April 5 and 6, 2005.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany |
| March 12, 2005 | Gentoo UK 2005 | University of Salford, Manchester, UK |
| March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary |
| March 14 - 17, 2005 | Emerging Technology Conference (ETech) | Westin Horton Plaza, San Diego, CA |
| March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah |
| March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 | Hotel Borobudur, Jakarta, Indonesia |
| March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop | Caribe Royale All Suites Resort & Convention Center, Orlando, FL |
| March 23 - 25, 2005 | PyCon DC 2005 | GWU Cafritz Conference Center, Washington, DC |
| March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei |
| March 30 - April 1, 2005 | PHP Quebec | Crowne Plaza Hotel, Montreal, Canada |
| March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands |
| April 1 - 3, 2005 | Twisted Sprint | Hobart, Tasmania |
| April 5 - 6, 2005 | Open Source Business Conference (OSBC) | Westin St. Francis, San Francisco, CA |
| April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore |
| April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA |
| April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 | Westin Hotel, Seattle, WA |
| April 15 - 17, 2005 | Debian Edu/Skolelinux workshop | Nafplion, Athens, Greece |
| April 18 - 23, 2005 | linux.conf.au 2005 | Australian National University, Canberra, Australia |
| April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 | Santa Clara Convention Center, Santa Clara, CA |
| April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 | Metro Toronto Convention Centre, Toronto, ON |
| April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia |
| April 19 - 20, 2005 | San Francisco techCongress | Rickey's Hyatt, Palo Alto, CA |
| April 20 - 23, 2005 | ACCU Conference 2005 | Randolph Hotel, Oxford, England |
| April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) | Center for Art and Media (ZKM), Karlsruhe, Germany |
| April 23 - 24, 2005 | LayerOne Technology Conference | Pasadena Hilton, Pasadena, CA |
| April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia |
| May 2 - 7, 2005 | DallasCon 2005 | Richardson Hotel, Dallas, TX |
| May 2 - 4, 2005 | Samba eXPerience 2005 | Hotel Freizeit, Göttingen, Germany |
| May 4 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C. |
Comments (none posted)
Web sites
KDE.News has announced the movement of the KDE Wiki Home page. "I'm pleased to announce that the KDE Wiki has been moved to a new hosting solution sponsored by our very own Jason Bainbridge of the KDE Web Team. As you might have noticed, we had outgrown the previous server which had been hosting both the Dot and the Wiki. After extended downtime and performance issues often related to having both services on the same machine as well as limited administration resources, Navindra Umanee and I decided to search for an alternate host for the Wiki."
Comments (none posted)
Miscellaneous
Ed Felten
comments on the latest version of a proposed California law which would require that all peer-to-peer software have built-in copyright and porn filters. "
Fourth, it's not clear what the bill says about situations where there is no workable filtering software, or where the only available filtering software is seriously flawed. Is there an obligation to install some filtering software, even if doesn't work very well, and even if it makes the P2P software unusable in practice? The bill's language seems to assume that there is available filtering software that is known to work well, which is not necessarily the case."
Comments (8 posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Ken D'Ambrosio <kend-AT-xanoptix.com> |
| To: | letters-AT-lwn.net |
| Subject: | Haters of Open Source... use Open Source. |
| Date: | Tue, 08 Mar 2005 10:54:55 -0500 |
As everyone knows, the Alexis de Tocqueville Institute hates Open
Source. They've gone to great lengths in their pathetic attempts to
discredit it, including publishing whitepapers trying to spread FUD
(e.g., "Opening the Open Source Debate", and a book desperately trying to
show that Linus pirated Linux). [The Andrew Tanenbaum rants about that
book are almost as legendary as the Torvalds/Tanenbaum flamewars; see
www.cs.vu.nl/~ast/brown/ .]
It looks as if, however, AdTI has seen the light; the title tags at
www.adti.net now say, "This site best viewed using Mozilla
Firefox(r)". Apparently, the closed-source software which they so firmly
believe in is a bit more security-hole ridden than the Open Source --
"Hybrid Source" in AdTI doublespeak -- alternative.
Nevertheless, one item of interest remains: I find it amusing and ironic
that an "Institute" that clearly feels pride in its elitism is capable
of mis-quoting one of the most famous speeches of one of our most famous
presidents -- right in their site's banner. The correct quote, Mr.
Brown, is "... not because they are easy, but because they are hard."
But hard work, and journalistic integrity, seem to evade AdTI.
Ken D'Ambrosio
kena@well.com
Comments (none posted)
| From: | Leon Brooks <leon-olc@cyberknights.com.au> |
| To: | Paul Murphy <paul.murphy-AT-linuxworld.com> |
| Subject: | Conclusions aren't bad, but your working-out's badly broken |
| Date: | Mon, 7 Mar 2005 10:50:42 +0800 |
| Cc: | LWN Letters <letters-AT-lwn.net> |
http://enterprise-linux-it.newsfactor.com/story.xhtml?sto...
> Furthermore, the Linux operating system itself is neither a new
> invention nor a stand-alone product. It consists of a Linux kernel
> developed by Torvalds and his colleagues by radically improving an
> earlier open-source Unix released by Andrew Tanenbaum in 1987,
> the Gnu utilities developed by the free software foundation, several
> graphical user interfaces akin to Microsoft's Windows brand products
> and a slew of third-party applications.
Urgh. Where to start? (-:
Linus did _not_ improve Andrew Tanenbaum's MINIX, he _replaced_ it. Andy
complained about the difference in structure, generally bagging it for being
monolithic instead of microkernel; he and Linus continue (in a friendly
manner) to disagree about the relative merits of each system.
The GUIs are not a part of the Linux kernel, nor are they in any way necessary
to it. On a server they're often a liability, chewing up resources to no good
end. The FSF's GNU tool-set, especially the GNU Compiler Collection, has been
very helpful in building and supporting the Linux operating system but again
these are still not an inherent part of it.
Comparing MS Windows to any of the GUI window managers is comparing apples to
fruit-baskets. MS Windows is comparable to a Linux distribution, so comparing
Mandrake Linux or Gentoo to MS Windows is valid (except that most Linux
distributions ship with many thousands of useful applications, whereas MS
Windows (for example XP) ships with a hundred or so, pretty bare-bones in
comparison) but comparing MS Windows to "the Linux operating system" is a
type mismatch error.
One last honourable mention, then let's examine the conclusions:
> Apple, for example, uses a BSD variant called Darwin as the foundation
> for Mac OS X. Unix my grandmother can, and does, use. Sun Microsystems,
> meanwhile, is evolving Solaris into a network-based environment offering
> failure-free computing to business users both in the data center and on
> the desktop. A Sun Ray user interrupted at work can, for example, pull
> her java card from the machine she is working on, cross the country to
> another office, plug the card into a machine there, and continue typing
> where she left off.
Your grandmother doesn't use the Unix, she uses the GUI. It's technically
feasible to drop Carbon et al onto a Linux platform and it will work just the
same. You can also run most of the "Linux" window managers as-is on OS X.
My grandmothers have all died, but my computerless mother-in-law has used KDE
without any undue hassles. My sister-in-law (http://www.goldenlight.bur.st/)
uses and enjoys the well-integrated features in KDE too. Others derive great
joy from GNOME, or from the simpler, faster interfaces like XFCE and FluxBox.
Yes, the Mac interface is even more graceful and better integrated; no, it's
not a magic bullet. A piece of the magic in Mac land that you seem to have
skipped over is consistent, 100% supported hardware. It Just Works, and
people expect to pay 1.5-2x as much for that.
The trick with the SunRay is nice, and looks really cool, but is hardly worth
the money in 99% of cases. Ask Sun how much more your network infrastructure
costs when you've set it up to arbitrarily pipe video all over the country.
If you're busy editing up an OpenOffice document on a similar thin client
connected to a Linux server and the thin client emits smoke or loses power,
you can walk to another one, log in, start OpenOffice and resume typing too.
The really useful part of Sun gear is again reliability of a kind you
generally don't get with commodity PCs. Linux can get you some of that; for
example, I installed a low-cost Motium (http://www.motium.com.au/) box in a
controlled environment a year and a half ago, and it hasn't blipped.
With a disproportionate amount of effort, MS Windows can begin to approach
that kind of reliability on good hardware. Serious players will either skip
the effort by using Linux on the same good hardware, or shell out a bit more
for SGI, Sun, IBM or whoever to do a proper job.
> Torvalds himself has never claimed to be more than he is, but tipping
> points aren't made out of technical reality. They're made out of
> perceptual change. Thus, it was the legend of Torvalds, not the reality
> of his actions as a kind of Wayne Gretzky of Unix development, that
> gave Linux the patina of political correctness needed for it to gain
> widespread public acceptance.
We're into opinion-land now, rather than hard facts and observations, but I
think this is still clearly off the mark.
Linux is winning because Linus provides a single no-arguments benevolent
dictator for it. As General Patton and presumably others before him have
pointed out, a good plan executed right now is often better than a perfect
plan executed slowly. Linus quickly pares away the fluff, and Linux has been,
by general consensus, a one-man one-vote system, Linus being the one man.
Linux is also winning because it's GPLed. That makes it very difficult to
legally hijack. Even if Trey Gates offers Linus fifty billion dollars to
retire from managing or coding for Linux or anything like it, and he takes
the bribe (-: I would! :-), Linux will go on growing.
Open Source in general is winning because of similar control issues. Microsoft
can change Internet Explorer in ways hostile to your line of business, and
there's nothing you can do about that if Internet Explorer is all you use.
But it's quite practical for even a small company to maintain a fork of
Firefox patched to do things in a friendlier way. Often when you update MS
Windows, you get MS "Virus Flypaper" Outlook reinstalled for free. If Fedora,
SuSE or Debian ever did something this ruderbit - and a "sawn off" version of whatever software offended would promptly
become available.
Self-centred enterprises just will not give you that control. Linux Australia
found itself moribund a few years ago despite the best of intentions, and the
people in charge had the courage and humility to bite the bullet, doing
radical surgery on the organisation's structure to open up real participation
to more people. Although not perfect, the result has so far been
producing excellent results,
Comments (1 posted)
Page editor: Jonathan Corbet