The first beta of the KOffice 1.4 release was announced on April 29, so we
thought we'd take a look at this release and see how KOffice was shaping
up. How does KOffice 1.4 stack up against the competition, namely
OpenOffice.org and standalone applications like Gnumeric, Abiword and the
Gimp?
Since the release is still in beta, we were checking for features compared
to the other suites, but ignored any stability issues. To try out KOffice
we downloaded the "Klax" live CD. There are also binary packages and source
code. We also compiled KOffice beta1 on Ubuntu "Hoary" with no problems.
Since support for the Open Document Format is one of the big features in
KOffice 1.4, we decided to test that out first. Unfortunately, we didn't
have much luck. We started
by opening a document in OOWriter (from one of the OpenOffice.org 2 preview
releases from Ubuntu's package repository) and then saving it in the Open
Document Format. KWord refused to open the document, complaining about the
paper size. When we tried opening a document from KWord, saved in the Open
Document Format, it also failed. KWord had no trouble opening other file
types, including Microsoft Word, which is more likely to be found in the
wild at the moment anyway.
Next we tried out KSpread and KPresenter, using some PowerPoint documents
found online via Google and the Gnumeric test spreadsheets. Unfortunately,
KSpread and KPresenter are a bit less
capable than OpenOffice.org or Gnumeric when it comes to handling these
documents. The test spreadsheets showed that KSpread doesn't implement many
of the functions that are available in Gnumeric and OpenOffice.org
Calc. KPresenter had trouble with the Microsoft PowerPoint document, only
displaying the text for the slide show and badly mangling the text
formatting.
KWord, KSpread and KPresenter are fine for creating original documents, but
users may wish to look to OpenOffice.org or Gnumeric and AbiWord for
exchanging documents with users of Microsoft Office or OpenOffice.org.
We did like Kivio, the KOffice diagram and flowchart program. It comes with
a hefty selection of stencils, and the interface is clean and easy to
use. The beta is a bit unstable, but we expect that problem will be taken
care of before the final release.
Two applications that make their debut with the 1.4 release are Krita and
Kexi. Krita is an image editing application, and Kexi is a database
management application. Krita looks promising, though it doesn't seem quite
as full-featured as The Gimp just yet. It offers a much different interface
than the Gimp and is a bit crowded at first, making it a bit difficult to
work on larger images. Krita does allow the user to open new windows with
the same image, but this is also a bit less than optimal.
Kexi could be the Access-like application that many Linux users are looking
for. It's a bit rough around the edges at the moment, but it could be the
answer for many Linux users who want to create simple databases that do not
require a MySQL or PostgreSQL backend.
KOffice also includes KChart, Karbon14, KFormula and Kugar. Kugar is an
application for generating "business quality reports." KChart is, as the
name suggests, an application for generating charts. It can be used as a
standalone application or within KSpread. It offers a fairly extensive
variety of chart types, including bar charts, polar charts, and "ring"
charts. Karbon14 is an Illustrator-like application. We didn't get time to
test it extensively.
Users who are interested in test-driving KOffice should check out the
"Klax" live CD -- it's a relatively small download and offers the full
range of KOffice apps and the KDE 3.4 desktop. The final KOffice 1.4
release is slated for June.
In all, it looks like the KOffice 1.4 release will be a significant move
forward for KOffice. In some ways, several of the KOffice components are
still a way behind the other free office applications in terms of document
format support and features, but the suite does provide a usable
alternative for Linux users who don't require extensive Microsoft Office
compatibility.
Free software development projects and for-profit companies can often
interact in ways which are rewarding for both. The interaction between the
two is not always entirely smooth, however, and occasional frictions can
emerge. Resolving these issues as they come up can yield insights about
how the free software community operates, and how it interacts with the
commercial world.
As an example, consider this note posted by
Bruce Momjian to a couple of PostgreSQL mailing lists. Interesting things
are happening with free database management systems, and various companies
are beginning to take note. Bruce welcomes commercial attention, but
worries about some problems which could result if things are not handled
carefully.
The main issue would appear to be companies working on features for
PostgreSQL without first discussing their proposed changes with the
community. These companies risk finding that they have duplicated another
company's work; merging overlapping patches then puts a stress on both
companies - and on the community. Companies which keep their patches until
a late stage may also find that the community is unwilling to merge the
finished product for any of a number of reasons.
This kind of problem can usually be dealt with relatively easily if it is
caught in an early stage. By the time a large amount of effort has been
expended, changing the direction of a project can be a harder task. For
this reason, many development communities would like to see proposed
additions as early in the process as possible. This desire often clashes
with a company's goals: the company knows what sort of patch it wants to
produce, and corporate management is often afraid to release code which has
not been polished, run through a quality assurance process, and cleared by
the lawyers. Releasing early-stage code with missing features and known
problems so that the community can redirect the development process is just
not the pointy-haired way of doing things.
When a company owns a given free software project (think MySQL,
OpenOffice.org, or JBoss), there is usually a certain level of
predictability in its development process. The controlling company has its
agenda, and will accept or reject patches based on whether the patches
further that agenda. Many or most of the major developments are centrally
planned from the outset. If another company wishes to encourage
development in a certain direction, managers from both sides can get
together and work a deal. Managers tend to like to work that way.
A more community-driven project can be harder for companies to engage with.
Promises to merge a given feature are hard to obtain and even harder to
enforce. The whole process can seem whimsical and hostile to corporate
five-year plans. But this is also the process which, at its best, produces
high-quality code which is maintainable over the long term. Companies can
learn to work with - and appreciate - the community development process,
but there is a learning process involved. It all tends to work out with
successful projects, but each project seems to have to find its own way to
work with the commercial world.
The other problem mentioned by Mr. Momjian is that companies are hiring
PostgreSQL developers to work on closed-source extensions. This is OK
in general: PostgreSQL carries a BSD license, and it is hard to argue with
jobs for PostgreSQL hackers. But the project needs developers to survive;
companies which hire those developers and prevent them from working on the
core system risk killing their golden goose. Bruce asks that such
companies at least allow their developers to spend some of their time
working on the free PostgreSQL core.
The interface between corporations and free software development projects
has its share of traps and potential problems, just like any other
relationship. Given time and sufficient will, these problems can be worked
out. It is worth the trouble: each side has a lot which it can offer to
the other.
May 4, 2005
By Pamela Jones, Editor of Groklaw
Reading about proprietary software law is sometimes a shock, when you are
used to the freedoms of the free software community, because your natural response
to hearing how the law works outside the community is to say: "But that's
awful. That can't be the law." And frankly there is nothing that
advertises the benefits of free licenses as clearly as a brief rundown on
what you can't do outside that realm of freedom. But with the recent
flap about BitKeeper, it might be good to review what the current state of
the law is on reverse engineering.
Unfortunately, if we define reverse engineering as "trying to figure out how
something works," then the state of the law is that there are places on
Planet Earth where there are laws restricting what you are allowed to do.
The center of that restrictive universe right now is the US. Cem Kaner,
Professor of Software Engineering and Director of the Center for Software
Testing Education & Research at the Florida Institute of Technology,
believes that restrictions on reverse engineering are holding American
programmers back from being able to compete:
The recent flurry of rulings that reverse engineering of mass-market
products is not fair use have tied one arm behind American programmers'
backs while leaving everyone else free to compete with us.
. . .
These days I teach university courses (undergrad through doctoral) as a
Professor of Software Engineering at Florida Tech. We have a lot of grad
students from other countries. They are often surprised by our restrictions
on reverse engineering -- they certainly don't have their hands tied by
these restrictions in their companies.
The United States used to have a commanding lead in software
development. We have been steadily losing that lead. Part of the
reason for this is that for the last 15 years, lawyers for software
publishers have been pushing for short-term advantages for their
clients over the long term health of the industry. The ban on
reverse engineering is just another example -- we are shooting the
American industry in the head, with little actual benefit for
anyone (publisher or engineer) in the United States, but plenty of
benefit for engineers in all the rest of the world.
Let's take a look at what you can and can't do around the world, when you
wish to reverse engineer proprietary software.
We can view it as we would learning about a repressive government's laws
about dress code or some other issue you don't normally worry about, but
need to study and obey for travel there, so you don't end up in the clink,
so to speak, for wearing shorts or sandals or whatever else they have in
their beanie as being worth making a law about.
I polled attorneys and engineers in the US, the UK, and Australia, and
I've collected some resources as well, and I've found that there is a good
deal of flux and some confusion in this area of law. I am not a lawyer,
as you know, so if you need to know how the law applies in a particular
situation in your area, please get advice from an attorney.
Why Do People Reverse Engineer Anyway?
People have many reasons why they might wish to reverse engineer software,
but two important ones are 1) to make software that can interoperate with
the software being studied and 2) to make a product that will compete with
it. Why might the knowledge not be visible? Dan Shearer, Samba Team member
and open source virtualization specialist, provides some possible reasons:
- The original programmer is dead, or the company has died, or
otherwise events have buried the explanation for how a
technology works from the engineer and perhaps everyone else;
- Commercial protection. A company feels its commercial goals
would be compromised if the knowledge was published, so it keeps
the knowledge secret (and often tries to obscure the knowledge
so it is difficult for anyone to find it.)
- Encumbrance on the knowledge. The knowledge might be
published, but under such terms as anyone who agrees to the
conditions under which the publication is made is limited in
what he can do with it. Example: Microsoft's approach to
detailed API sharing (Kerberos etc etc.) So the reverse engineer may choose
not to see the knowledge. A basic encumbrance is sometimes
cost for access to the documentation.
Having said that, the problem with seeking to know whether you can do
reverse engineering or not is that it isn't consistent around the world, so
your answer depends on where you do it and why.
A Brief US History of the Law on Reverse Engineering
Reverse engineering of manufactured products was originally designed, in US
law, as a kind of balancing limit on trade secret protection, to ensure
that a company couldn't gain, through that back door, a perpetual,
unlimited monopoly on unpatented inventions. With manufactured products,
the system worked well. As long as you bought the product legally, you
were free to take it apart and see how it ticked. Most of us did that to
clocks, radios and various other appliances when we were kids. We were
free to do that because trade secret law didn't grant the owner the
exclusive right to possess the secret. It only protected the owner against
improper acquisition and/or disclosure of the trade secret.
That means that if I broke into your factory and stole your product and
then reverse engineered it to figure out how you did it, it wasn't all
right, but if I bought your product, it was perfectly legal, and you
couldn't prevent me from discovering your secret, if I was willing to put
in the time and effort to reverse engineer to obtain it. Reverse
engineering was a lawful way to obtain a trade secret. And the time and
effort involved was considered enough of a barrier that it gave the owner
of the trade secret a measure of protection, by giving him a running start
ahead of any copycats.
In fact, reverse engineering was considered to be a good thing, and in the
1989 U.S. Supreme Court decision, Bonito Boats, Inc. v. Thunder Craft
Boats, Inc., the court said that reverse engineering was "an essential
part of innovation," because it could lead to advances in technology. If
you remember the DVD Copy Control Association v. Andrew Bunner case
in California, it was a trade secrets case that held
that reverse engineering is presumptively legal.
Both white box reverse engineering (decompiling the object code to reveal
its structure and figure out the interface specifications for
interoperability purposes) and black box reverse engineering (where you
only look at a program's input and outputs) are legal normally in the US,
if the goal is interoperability. I say normally because fair use
is decided case by case. Bypassing anticircumvention devices, however, is
a separate no-no. Section 1201 of the DMCA forbids reverse engineering if
it involves circumvention of a technological protection measure, with
limited exceptions, such as for encryption research and security
testing. You could probably get away with reverse engineering to fix
something, and, while security testing is explicitly allowed under the
DMCA, this exception is unclear enough that some have become afraid to avail
themselves of it. Fred von Lohmann of the EFF has
described Section 1201 like this: "thou shalt not circumvent" and "do not
break into my castle and do not violate my house rules -- seen from the
perspective of a copyright holder".
Why Software is Different from a Cotton Gin
There are differences between reverse engineering a mechanical device, like
a cotton gin, and reverse engineering software.
Shearer says this about the difference:
By reverse engineering in
software we generally mean one of the following:
- Exposing knowledge not visible to the Reverse Engineer which
is encapsulated in a computing/electronic format, without
necessarily doing anything much with that knowledge. For
example, I might reverse engineer a protocol and publish an
opinion about whether or not it meets the standards the
manufacturer of the software claims it does. Myth: reverse
engineering involves creating software, necessarily. It often does in
the sense that you need to test your assumptions as you reverse
engineer, but the very act of figuring it out is reverse engineering.
Very different from the mechanical use of reverse engineering.
- Creating functional equivalency for something whose internals
are obscured. The working result is an example of reverse
engineering and it is usual that the internals of the result are very
unlike the internals of the original. This differs greatly from the
normal case in mechanical reverse engineering.
Another term is "decrypting". This is a specialized subset of reverse
engineering.
Because computer software can be protected not only by trade secret law
but by copyright and patent law as well, the issue of when you can and when
you can't reverse engineer gets complex. If I invented the cotton gin, I
could patent it for a time, gaining a monopoly for a time with the tradeoff
that I must reveal all my secrets, or I could protect how I did it as a
trade secret, and I couldn't use patents to protect the product at all.
So my cotton gin invention got one form of protection, tops.
With software, you can get at least two bites of the apple simultaneously.
Software is automatically copyrighted, and it can be patented too. And you
can opt for trade secret protection instead of patents. Then you can slap a
restrictive license on top, if the market will let you get away with it.
And that is part of what makes it so complicated to figure out when you
can and when you can't reverse engineer. It's also why some view software
patents as overkill. Kaner on recent US decisions that reverse engineering
is not fair use:
The saddest aspect of these rulings is that judges seem
to have little understanding of what they are actually ruling on.
For example, the court in
Bowers v Baystate Technologies (Federal
Circuit, 2002 U.S. App. LEXIS 17184) tells us that
In this case, the contract unambiguously prohibits
"reverse engineering." That term means ordinarily
"to study or analyze (a device, as a microchip for
computers) in order to learn details of design,
construction, and operation, perhaps to produce a
copy or an improved version." Random House
Unabridged Dictionary (1993); see also The Free
On-Line Dictionary of Computing (2001)....
Thus, the contract in this case broadly prohibits
any "reverse engineering" of the subject matter
covered by the shrink-wrap agreement.
This prohibits not only decompilation and disassembly but any detailed
study of the product, including study by examining its behavior. It would
forbid independent behavioral testing of a product by a third party
(evaluating its security flaws, for example, prior to a purchase
decision). It would forbid independent behavioral testing by a third party
licensee for the purpose of publishing product reviews in a magazine.
Even a narrow ban on reverse engineering bans much, much more than
competitive activity by another business. Take a look at http://www.kaner.com/pdfs/ucreveng.pdf. The
examples provided in that article are banned by the industry-wide practice
of including a didn't-used-to-be-enforceable prohibition of reverse
engineering in their licenses.
The fact that software can be protected so many ways also means you can be
sued on all of them - trade secret, copyright, patent and contract law
theories - if you were unfortunate enough to have signed away your rights to
reverse engineer (or to tell what you learned from doing so). Software
licenses that forbid reverse engineering may or may not stand up to a
challenge, but most folks think that they will. At any rate, there was a
case where a federal court of appeals said that such a provision is
enforceable and does not conflict with the Copyright Act, and the Supreme
Court declined to review the decision, and they would have, if they had
seriously disagreed. So be careful what you agree to.
Software is therefore a separate issue when it comes to reverse
engineering. The time and effort involved isn't equivalent to reverse
engineering a cotton gin, particularly with computers automating some of
the heavy lifting.
When Can You Reverse Engineer? -- It Depends
Copyright protects the expression of an idea, but not the idea itself. That is why
you can do reverse engineering to figure out how software works and then
write your own program to do the same thing. The problem that arises with copyright
and reverse engineering is well expressed in this explanation of
how to avoid a copyright infringement claim:
If the same
person both reverse engineers the old product and designs the new product,
and there are similarities, it is hard to avoid an assumption that some
copying has taken place, and so reverse engineering "best practice"
involves breaking the chain, so far as possible, at the specification
stage. The specification is made as abstract and functional as possible by
the reverse engineers, and is then handed over to a "clean room" design
team who have no other contact with the old product, or the team who
analysed it, and who will then design the new product using as little
low-level information as possible from the old product.
Patents protect the implementation of the idea, and that makes patents the
bully on the block, particularly in software, where there may be limited
optimal ways to accomplish something. There is no fair use or reverse
engineering exemption with patents. So you can argue all you want about how
you had a fair use right to reverse engineer under copyright law, but if
the part of the software you reverse engineered was also patented, you are,
with some limited exceptions, sunk.
And how do you know in advance if you are going to end up violating a
patent? Don't ask me. Nobody seems to know how to avoid violating
someone's software patent under the current US system. You seem to find
out mainly when someone sues you. Many observers believe the US patent
system is broken and needs to be reformed, at a minimum, so that honest
people can figure out how to avoid infringement. Meanwhile, ask your
lawyer.
But just know that there is no reverse engineering right per se with
patented inventions to find out how they work. It was originally the case
that with patents you were supposed to reveal the tricks you used. It was
the tradeoff. Sadly, software patents are now granted in the US without
applicants having to reveal all the inner workings, so some legal
commentators have argued that reverse engineering doesn't infringe under
the first sale principle of patent law, or if you do it to satisfy your
scientific curiosity, that you could assert an experimental use defense.
And note that while under copyright law interfaces are not protected, they
can be under patent law.
Whether or not reverse engineering is legal also depends, I've learned, on
where you do it and why. Note that what matters is where the reverse
engineering was done, not where the software was written. If you are in the
US and you are doing it for interoperability purposes, as opposed to for
the purpose of creating a similar and competitive product, you are probably
safe from a copyright infringement claim, but may run afoul of a patent.
(But in any particular situation, hire a lawyer to advise you.)
What About Outside the US?
The US is easy to figure out, compared to, say, Japan. At least in the US,
they put it in writing. In Japan, it's assumed that reverse engineering
for interoperability purposes is probably legal, but the law doesn't come
right out and say so.
In Japan, the law has no "fair use" concept for
computer software, so reverse engineering is technically copyright
infringement. Yet, as noted, most legal scholars say that reverse
engineering is probably legal in Japan in a practical sense, even though
their copyright law doesn't explicitly say that. Note that Japan does
accept software patents.
Here's a PDF that tells
you what you can use reverse engineering to accomplish in Australia, and as
you can see, it's essentially similar to the US:
A computer program may be reproduced or adapted
in order to get information necessary to enable an interoperable product to
be made. The relevant provision also allows the person making the
interoperable product to reproduce or adapt the original program in the
interoperable product, but only to the extent necessary to enable
interoperability either with that program or any other program.
I asked Brendan Scott, of Open Source Law, an expert on
tech law there, if it would be accurate to say that you can do more in
Australia than in the US, or if their new law is as restrictive;
here is his answer:
Hard to say, since I don't have a
good understanding of the US position. However, the A-US FTA [Free Trade
Agreement] requires
Australia to implement a provision relating to anti-circumvention. There is
a 2-year period from the implementation of the FTA in which the
anti-circumvention provisions must be implemented -- so they are not in our
law at the moment.
At the moment there is an exception to infringement for the reproduction
of literary works which are computer programs -- the issue is that a work
may comprise both a literary work and subject matter which is not a
literary work. If multiple copyright exists then the exception is a bit
useless -- for the purposes of making interoperable programs (s 47D), to
correct errors (s 47E) or for security testing (s 47F). Whether
interoperability between programs includes interoperability between a
program and some data has not been considered.
Further, if analysis of the program relies on reproducing anything which is
not a literary work the exception won't help. The Full Federal Court has
held that the "aggregate of the visual images generated by the playing of
[specific video games - the subject of the suit] constituted a cinematograph
film [ie something other than a literary work]" (Galaxy Electronics v Sega
Enterprises [1997] 403 FCA). So there is definitely scope to argue that
these exceptions are even narrower than they seem.
The anti-circumvention language in the FTA looks likely to keep lawyers
employed for some time:
The anti-circumvention provisions in the FTA are marvelously Byzantine.
I invite you to make sense of them on a first or second reading.
Structurally:
(a) they set up a number of prohibitions and a number of possible
exceptions;
(b) implementing the prohibitions in local law is mandatory, implementing
the exceptions is discretionary;
(c) no exceptions other than those set out in the relevant clause may be
implemented;
(d) not all exceptions apply in respect of each prohibition;
(e) arguably, the prohibition on circumvention does not require that the
circumvention be or lead to an infringement in order to be actionable --
removing a technological protection which has been applied to Hamlet will
still be an infringement. The Hamlet argument is available where the words
"a protected work" are read as meaning protected by the technological
protection measure. They might also be read to mean "protected by this
chapter" or "protected by copyright" which may have a different effect (in
any event, bundling a protected with an unprotected work under the
protection measure would probably still qualify);
(f) the exceptions to circumvention generally require that the
circumvention itself be non-infringing.
So, for example, 'non-infringing reverse engineering activities with
regard to a lawfully obtained copy of a computer program, carried out in
good faith with respect to particular elements of that computer program
that have not been readily available to the person engaged in those
activities, for the sole purpose of achieving interoperability of an
independently created computer program with other programs' (17.4.7(e)(i))
is a possible exception to the prohibition, required to be implemented by
the FTA, against circumventing protection measures. However, someone
wishing to analyze a program covered by a protection measure would not only
have to meet this requirement, they would also need to comply with section
47D of the Copyright Act. The relevant FTA provisions are here.
The current Copyright Act is available here.
In the European Union, reverse engineering is allowed under Article 6
of the European Software Directive, for interoperability purposes only, not
for creating a competing program, and the law strictly limits what you can
do with the knowledge you gain. You can't publish it, for example. As you
know, the patent situation in the EU is a bit messy at the moment.
Software patents are supposedly not allowed, after the Munich Convention,
but folks have found ways, and that effort continues. Should the directive
pass as presently written, it is expected to make reverse engineering
of any patented materials illegal, except for limited exceptions.
The directive also states that the ideas and principles underlying a
program are not protected by copyright, and that logic, algorithms and
programming languages may to some extent comprise ideas and principles.
There are some differences between US and UK law, and here's
a paragraph from the UK Patent Office website on what constitutes a copy of
a computer program in the UK:
Computer programs are
protected on the same basis as literary works. Conversion of a program into
or between computer languages and codes corresponds to "adapting" a work
and storing any work in a computer amounts to "copying" the work. Also,
running a computer program or displaying a work on a VDU will usually
involve copying and thus require the consent of the copyright owner. The
copyright owner will usually need to give permission for 'adapting' and
'copying' a work, however you may not need permission to make transient or
incidental temporary copies.
There is no provision for decompilation (white-box reverse engineering) in
UK copyright law, and no fair use defense if the reverse engineering is
for commercial research or study. And, there is no right to breach
confidentiality agreements. In
Stac Electronics v. Microsoft Corp., Stac was found to have
committed a trade secret violation by reverse engineering a beta version of
MS DOS that they had gotten in confidence and then using the information
they gained in making their own product. However, in the UK, the EU
copyright directive trumps any contractual agreement that it contradicts, so
decompilation carried out for the purpose of interoperability is allowed,
under that umbrella, as long as you don't reveal any confidential data.
There is also a provision (50BA) made for "observing, studying and
testing of computer programs":
(1) It is not an
infringement of copyright for a lawful user of a copy of a computer program
to observe, study or test the functioning of the program in order to
determine the ideas and principles which underlie any element of the
program if he does so while performing any of the acts of loading,
displaying, running, transmitting or storing the program which he is
entitled to do.
(2) Where an act is permitted under this section, it is irrelevant
whether or not there exists any term or condition in an agreement which
purports to prohibit or restrict the act (such terms being, by virtue of
section 296A, void).
So, there is no fair use (or fair dealing, the UK's much stricter escape
hatch) for decompilation or copying during decompilation. However,
sniffing (black-box reverse engineering) for interoperability purposes is
allowed.
Note that the UK began to revise its patent law in January of 2005.
Summing Up
Kaner points out that there is research going on to make reverse
engineering technically impossible:
I think the most interesting development in this area is technical, not
judicial. Significant progress is being made on making object code
essentially indecipherable. This is the subject of ongoing doctoral
research in computing, industrial research, and at least one book in
development.
Shearer brings up an interesting point:
Virtualization is the bane of the anti-reverse engineering crowd
and especially the DRM and we-lock-down-your-hardware subtypes,
although it is seldom identified as such. This is because if the
hardware is in fact software, we can trick it to tell all sorts of
lies or truths -- a bit like the old days of changing the operating
system date back in time so your legal but time-restricted program
would run. When a DRM-protected media player thinks it is drawing
on a big digital LCD screen it may in fact be a window on your
desktop - or a network connection to the world! And only run
certain software on frotz-certified chipsets? No problem, just
implement the chips in software.
The general trend in the law is to harmonize laws around the world so that
they are, so to speak, interoperable: to reach an international working
consensus on what the laws on copyright and patents ought to be. It's
obvious why that would bring benefits, and legislators can see that
clearly. Unfortunately, not everyone in the world sees as readily the real
benefits that come from interoperability in software.
Everyone sees the benefits of having train tracks be uniform, so you can
get on a train in New York and arrive in California safely, and without
having to get off and then on another train for another width of tracks.
It's no different with software. And as software becomes more and more
obviously the underpinning of a globalized society, including its commerce,
hopefully more and more legislation will reflect that awareness.
In the
meantime, please be careful. That includes using this article only as a
jumping off point, and asking your attorney for advice for any real-world
application of the law in your area of the world.
Additional resources
Please see this page for a set of pointers
to additional reading in international copyright law and reverse
engineering.
Comments (25 posted)
Page editor: Jonathan Corbet
Security
This week the Umbrella team released version 0.7 of Umbrella, a "security
mechanism" that implements Process-Based Access Control (PBAC) and
authentication of signed binaries for Linux. Since Umbrella 0.7 is the
first feature complete release, we thought now might be a good time to take
a look at the project. Kristian Sørensen, one of the Umbrella Team members,
was kind enough to respond to our questions about Umbrella.
While Umbrella sounds a bit like Security-Enhanced Linux or similar systems
on the surface, Sørensen pointed out that Umbrella is designed for
consumer devices rather than general-purpose servers or other systems,
though it might be useful for "specific server environments."
Sørensen provided this explanation of Umbrella:
Umbrella does not deal with users, roles, types or domains. The security
policy is _only_ enforced on running processes. Every time a new process is
created, the policy of its parent is inherited by the child - possibly with
additional policies, specified by the parent.
There are two categories of policies: File system restrictions (FSR) and
Capability restrictions (CR). A FSR is simply a path (e.g. /etc/passwd),
which restricts the process having this policy from accessing that file. If
the restriction were "/etc" the entire directory is off limits, and thus a
restriction on "/" denies access to the entire file system. The capability
restrictions are non-file system restrictions, such as creation of sockets
(IP networking, bluetooth etc.), sending signals, creation of new processes
etc.
Umbrella has no need for a security administrator to manage the security
policy of an entire system. Umbrella relies on the programmers to embed
the security policy into programs. This is done in a very simple manner: By
replacing fork() with rfork() and by embedding execute restrictions to the
binary.
The security policy in the binaries (both rfork and execute restrictions)
is protected by a digital signature: A signed SHA1 hash of the binary is
placed in the ELF header, and checked at time of execution. If the binary
or its restrictions has been tampered with, the hash will not match and the
binary is denied access to run. In order for the signed binaries to be
authenticated in the first place, the public key of the vendor must be
placed within the key ring of Umbrella.
Umbrella requires a 2.6.9 kernel (or later) and includes a kernel patch,
the Umbrella library and a user-space program. Binaries that will be
restricted by Umbrella need to be signed using Bsign and
GnuPG. Umbrella and DigSig are the only projects this
author is aware of that check digital signatures of binaries. The policy
for the application is stored in the binary itself.
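To make the policy model concrete, here is an added Python model (not the Umbrella project's code) of the semantics described above: restrictions are path prefixes and capability names, a child created with rfork() inherits its parent's policy and can only add to it, and paths are canonicalized before the prefix check so "/var/../etc/shadow" cannot slip past a restriction on "/etc". The capability names and the process-tree API are assumptions of this model.

```python
import itertools
from dataclasses import dataclass
from posixpath import normpath
from typing import FrozenSet, Iterable, Iterator

# Capability names are this model's assumption; the article only names the
# categories (socket creation, sending signals, creating new processes).
CAP_SOCKET, CAP_SIGNAL, CAP_PROCESS = "socket", "signal", "process"


class PolicyViolation(PermissionError):
    """A process attempted something its inherited policy restricts."""


def _canonical(path: str) -> str:
    # Collapse "." and ".." so /var/../etc/shadow cannot sidestep an FSR on /etc.
    if not path.startswith("/"):
        raise ValueError(f"absolute path required: {path!r}")
    return normpath(path)


def path_restricted(restriction: str, path: str) -> bool:
    """True if path falls under restriction: "/etc" covers /etc and everything
    below it (but not /etcetera); "/" covers the whole file system."""
    r, p = _canonical(restriction), _canonical(path)
    return r == "/" or p == r or p.startswith(r + "/")


@dataclass(frozen=True)
class Policy:
    fsr: FrozenSet[str]  # file system restrictions: denied path prefixes
    cr: FrozenSet[str]   # capability restrictions: denied operations

    def restrict(self, fsr: Iterable[str] = (), cr: Iterable[str] = ()) -> "Policy":
        # Restrictions only accumulate; there is no way to drop an inherited one.
        return Policy(self.fsr | frozenset(map(_canonical, fsr)),
                      self.cr | frozenset(cr))

    def allows_path(self, path: str) -> bool:
        return not any(path_restricted(r, path) for r in self.fsr)

    def allows_cap(self, cap: str) -> bool:
        return cap not in self.cr


@dataclass
class Process:
    pid: int
    policy: Policy

    def open(self, path: str) -> str:
        """Stand-in for a file access hook: deny if any FSR covers the path."""
        if not self.policy.allows_path(path):
            raise PolicyViolation(f"pid {self.pid}: access to {path} denied")
        return _canonical(path)

    def rfork(self, pids: Iterator[int], fsr: Iterable[str] = (),
              cr: Iterable[str] = ()) -> "Process":
        """Child inherits the parent's policy plus whatever the parent adds."""
        if not self.policy.allows_cap(CAP_PROCESS):
            raise PolicyViolation(f"pid {self.pid}: process creation denied")
        return Process(next(pids), self.policy.restrict(fsr, cr))


def demo() -> dict:
    """Build a small process tree and record which requests were denied."""
    pids = itertools.count(1)
    init = Process(next(pids), Policy(frozenset(), frozenset()))
    # A network daemon is kept out of /etc and may not spawn further processes.
    daemon = init.rfork(pids, fsr=["/etc"], cr=[CAP_PROCESS])
    # A sandboxed worker is denied the entire file system and the network.
    worker = init.rfork(pids, fsr=["/"], cr=[CAP_SOCKET])
    attempts = [
        ("init_passwd", lambda: init.open("/etc/passwd")),
        ("daemon_passwd", lambda: daemon.open("/etc/passwd")),
        ("daemon_dotdot", lambda: daemon.open("/var/../etc/shadow")),
        ("daemon_lookalike", lambda: daemon.open("/etcetera/notes")),
        ("daemon_rfork", lambda: daemon.rfork(pids)),
        ("worker_tmp", lambda: worker.open("/tmp/scratch")),
    ]
    results = {}
    for name, attempt in attempts:
        try:
            attempt()
            results[name] = "allowed"
        except PolicyViolation:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```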
Since Umbrella can be used to restrict binaries unless they are signed by
an authority, we asked Sørensen if Umbrella was similar to so-called
"trusted computing" efforts. Sørensen confirmed that Umbrella was
"related to 'trusted computing'."
As the binaries are signed you can verify that they are not tampered with
on each execution. The unique thing here is that this "tamper-proof"
concept is utilized to protect the security policy and the binary at the
same time.
While it's desirable to prevent attacks on consumer electronics devices, we
asked if Umbrella could also be used to prevent users from "hacking"
devices to expand the capabilities of a device -- something that may not be
desirable from the end-user's point of view. Sørensen acknowledged
that a device could be designed so that it would be "very
difficult" for a user to "tamper with the software of the
device."
What about performance? Sørensen said that the team had just finished
benchmarking Umbrella, and found that it had "between 2.5% and 4.5%
overhead, depending on how the system is stressed. Thus, having Umbrella in
the kernel is not noticeable."
According to Sørensen, the Umbrella project started as a master's
project, but he has plans to start a company in the fall, based on the
Umbrella technology, called Linnovative.
It should be interesting to see how Umbrella develops and whether this
approach catches on. It is simpler than SELinux, but doesn't look suitable
for use in general systems at this time -- which is a shame, as it would be
nice to have a simpler system that's usable for general purpose server and
desktop systems. However, Umbrella may be another tool that helps Linux
gain acceptance in the embedded and consumer electronics market.
Comments (2 posted)
New vulnerabilities
ethereal: buffer overflow
| Package(s): | ethereal |
| CVE #(s): | CAN-2005-0739 |
| Created: | April 28, 2005 |
| Updated: | May 4, 2005 |
| Description: | The IAPP dissector of Ethereal is vulnerable to a buffer overflow. A remote attacker may be able to create a special network packet in order to take advantage of the problem. |
| Alerts: | |
Comments (none posted)
gzip: race condition and directory traversal
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0988, CAN-2005-1228 |
| Created: | May 4, 2005 |
| Updated: | July 13, 2005 |
| Description: | gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option. |
| Alerts: | |
Comments (none posted)
Horde Framework: multiple XSS vulnerabilities
| Package(s): | horde |
| CVE #(s): | |
| Created: | May 2, 2005 |
| Updated: | May 3, 2005 |
| Description: | Cross-site scripting vulnerabilities have been discovered in various modules of the Horde Framework. |
| Alerts: | |
Comments (none posted)
ImageMagick: heap corruption
| Package(s): | ImageMagick |
| CVE #(s): | CAN-2005-1275 |
| Created: | April 28, 2005 |
| Updated: | May 25, 2005 |
| Description: | ImageMagick 6.2.1 and earlier has a heap corruption problem in the pnm coder. |
| Alerts: | |
Comments (1 posted)
infozip: privilege escalation, directory-traversal
| Package(s): | infozip |
| CVE #(s): | CAN-2003-0282, CAN-2004-1010, CAN-2005-0602 |
| Created: | May 2, 2005 |
| Updated: | August 1, 2005 |
| Description: | InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities. |
| Alerts: | |
Comments (1 posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
| CVE #(s): | CAN-2005-0106 |
| Created: | May 3, 2005 |
| Updated: | January 27, 2006 |
| Description: | Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: insecure SQL script installation
| Package(s): | phpMyAdmin |
| CVE #(s): | |
| Created: | May 2, 2005 |
| Updated: | May 3, 2005 |
| Description: | The phpMyAdmin installation process leaves the SQL install script with insecure permissions. A local attacker could exploit this vulnerability to obtain the initial phpMyAdmin password and from there obtain information about databases accessible by phpMyAdmin. |
| Alerts: | |
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
| CVE #(s): | CAN-2005-1409, CAN-2005-1410 |
| Created: | May 4, 2005 |
| Updated: | February 28, 2006 |
| Description: | PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds. |
| Alerts: | |
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
| CVE #(s): | CVE-2005-1391 |
| Created: | May 2, 2005 |
| Updated: | January 10, 2006 |
| Description: | Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process. |
| Alerts: | |
Comments (none posted)
prozilla: format string vulnerabilities
| Package(s): | prozilla |
| CVE #(s): | CAN-2005-0523 |
| Created: | May 4, 2005 |
| Updated: | May 4, 2005 |
| Description: | Several format string vulnerabilities have been found in prozilla; an exploit requires a malicious server. |
| Alerts: | |
Comments (none posted)
smartlist: wrong input processing
| Package(s): | smartlist |
| CVE #(s): | CAN-2005-0157 |
| Created: | May 3, 2005 |
| Updated: | May 3, 2005 |
| Description: | Jeroen van Wolffelaar noticed that the confirm add-on of SmartList, the listmanager used on lists.debian.org, which is used on that host as well, could be tricked to subscribe arbitrary addresses to the lists. |
| Alerts: | |
Comments (none posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
| CVE #(s): | CAN-2005-1280, CAN-2005-1279, CAN-2005-1278 |
| Created: | May 2, 2005 |
| Updated: | April 10, 2006 |
| Description: | The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280) tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279) The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278) |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
cdrecord: insecure temp file
| Package(s): | cdrecord |
| CVE #(s): | CAN-2005-0866 |
| Created: | March 24, 2005 |
| Updated: | April 28, 2005 |
| Description: | The cdrecord utility makes insecure temp files if DEBUG is enabled in /etc/cdrecord/rscsi. This can allow a local user to launch a symlink attack and execute code with the user's privileges. |
| Alerts: | |
Comments (1 posted)
Convert-UUlib: buffer overflow
| Package(s): | Convert-UUlib |
| CVE #(s): | |
| Created: | April 26, 2005 |
| Updated: | April 27, 2005 |
| Description: | A vulnerability has been reported in Convert-UUlib where a malformed parameter can be provided by an attacker allowing a read operation to overflow a buffer. The vendor credits Mark Martinec and Robert Lewis with the discovery. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
| Alerts: | |
Comments (none posted)
cvs: multiple vulnerabilities
| Package(s): | cvs |
| CVE #(s): | CAN-2005-0753 |
| Created: | April 18, 2005 |
| Updated: | July 13, 2005 |
| Description: | CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq |
| CVE #(s): | |
| Created: | April 4, 2005 |
| Updated: | July 21, 2005 |
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing. |
| Alerts: | |
Comments (none posted)
eGroupWare: XSS and SQL injection vulnerabilities
| Package(s): | eGroupWare |
| CVE #(s): | |
| Created: | April 25, 2005 |
| Updated: | April 27, 2005 |
| Description: | Multiple SQL injection and cross-site scripting vulnerabilities have been found in several eGroupWare modules. An attacker could possibly use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie based authentication credentials, potentially compromising the victim's browser. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
evolution: message crash vulnerability
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0806 |
| Created: | March 17, 2005 |
| Updated: | August 11, 2005 |
| Description: | The Evolution mail client can be crashed when reading certain types of messages. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow, DoS
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0965, CAN-2005-0966 |
| Created: | April 5, 2005 |
| Updated: | May 15, 2005 |
| Description: | Jean-Yves Lefort discovered a buffer overflow in the gaim_markup_strip_html() function. This caused Gaim to crash when receiving certain malformed HTML messages. (CAN-2005-0965) Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of Service by injecting arbitrary HTML code into the conversation window, popping up arbitrarily many empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966) |
| Alerts: | |
Comments (none posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
| CVE #(s): | CAN-2005-0366 |
| Created: | March 16, 2005 |
| Updated: | August 19, 2005 |
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 10, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
| CVE #(s): | CVE-2005-1108, CVE-2005-1109 |
| Created: | April 13, 2005 |
| Updated: | November 5, 2005 |
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: | |
Comments (1 posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
Comments (none posted)
kdelibs: dcopserver vulnerability
| Package(s): | kdelibs |
| CVE #(s): | CAN-2005-0396, CAN-2005-0237, CAN-2005-0365 |
| Created: | March 17, 2005 |
| Updated: | May 17, 2005 |
| Description: | The KDE Desktop Communication Protocol daemon (dcopserver) is vulnerable to lockup by a local user, leading to a denial of service. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CAN-2005-0400, CAN-2005-0749, CAN-2005-0750, CAN-2005-0815, CAN-2005-0839 |
| Created: | April 1, 2005 |
| Updated: | July 1, 2005 |
| Description: | More kernel vulnerabilities have been discovered, including: Mathieu Lafon discovered an information leak in the ext2 file system driver (CAN-2005-0400); Yichen Xie discovered a denial of service vulnerability in the ELF loader (CAN-2005-0749); Ilja van Sprundel discovered that the bluez_sock_create() function did not check its "protocol" argument for negative values (CAN-2005-0750); Michal Zalewski discovered that the iso9660 file system driver fails to check ranges properly in several cases (CAN-2005-0815); previous kernels did not restrict the use of the N_MOUSE line discipline in the serial driver (CAN-2005-0839). |
| Alerts: | |
Comments (1 posted)
kimgio: input validation errors
| Package(s): | kimgio |
| CVE #(s): | CAN-2005-1046 |
| Created: | April 22, 2005 |
| Updated: | July 19, 2005 |
| Description: | KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to and including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
Kommander: untrusted code execution
| Package(s): | kommander |
| CVE #(s): | CAN-2005-0754 |
| Created: | April 22, 2005 |
| Updated: | May 20, 2005 |
| Description: | KDE has issued a security advisory for Kommander. Quanta 3.1.x and KDE 3.2 and newer, up to and including KDE 3.4.0, are vulnerable. Kommander executes, without user confirmation, data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code. |
| Alerts: | |
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. |
| Alerts: | |
Comments (none posted)
lsh: buffer overflow and more
| Package(s): | lsh-utils |
| CVE #(s): | CAN-2003-0826, CAN-2005-0814 |
| Created: | April 27, 2005 |
| Updated: | April 27, 2005 |
| Description: | The lsh implementation of SSH2 suffers from a number of vulnerabilities, including an exploitable buffer overflow. |
| Alerts: | |
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
| CVE #(s): | CAN-2004-0972 |
| Created: | November 1, 2004 |
| Updated: | July 25, 2005 |
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
mailman: path traversal
Package(s): mailman
CVE #(s): CAN-2005-0202
Created: February 9, 2005
Updated: July 13, 2005
Description:
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list.
Comments (none posted)
mc: buffer overflow
Package(s): mc
CVE #(s): CAN-2005-0763
Created: March 29, 2005
Updated: August 11, 2005
Description:
An unfixed buffer overflow has been discovered by Andrew V. Samoilov
in mc, the midnight commander, a file browser and manager.
Comments (none posted)
MediaWiki: multiple vulnerabilities
Package(s): mediawiki
CVE #(s): CAN-2005-0534, CAN-2005-0535, CAN-2005-0536
Created: February 28, 2005
Updated: June 13, 2005
Description:
A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters.
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Comments (none posted)
mod_python: remote access vulnerability
Package(s): mod_python
CVE #(s): CAN-2005-0088
Created: February 10, 2005
Updated: April 10, 2006
Description:
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result.
Comments (none posted)
Mozilla Firefox, Mozilla Suite: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2005-0989
Created: April 19, 2005
Updated: July 18, 2005
Description:
The following vulnerabilities were found and fixed in the Mozilla Suite
and Mozilla Firefox:
- Vladimir V. Perepelitsa reported a memory disclosure bug in
JavaScript's regular expression string replacement when using an
anonymous function as the replacement argument (CAN-2005-0989).
- moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM
nodes from the content window, allowing privilege escalation via DOM
property overrides.
- Michael Krax reported a possibility to run JavaScript code with
elevated privileges through the use of javascript: favicons.
- Michael Krax also discovered that malicious Search plugins could
run JavaScript in the context of the displayed page or stealthily
replace existing search plugins.
- shutdown discovered a technique to pollute the global scope of a
window in a way that persists from page to page.
- Doron Rosenberg discovered a possibility to run JavaScript with
elevated privileges when the user asks to "Show" a blocked popup that
contains a JavaScript URL.
- Finally, Georgi Guninski reported missing Install object instance
checks in the native implementations of XPInstall-related JavaScript
objects.
The following Firefox-specific vulnerabilities have also been
discovered:
- Kohei Yoshino discovered a new way to abuse the sidebar panel to
execute JavaScript with elevated privileges.
- Omar Khan reported that the Plugin Finder Service can be tricked to
open javascript: URLs with elevated privileges.
Comments (none posted)
MPlayer: heap overflows
Package(s): mplayer
CVE #(s): (none)
Created: April 20, 2005
Updated: July 12, 2005
Description:
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). By setting up a
malicious server and enticing a user to use its streaming data, a remote
attacker could possibly execute arbitrary code on the client computer with
the permissions of the user running MPlayer.
Comments (none posted)
MySQL: input validation and temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
Created: March 16, 2005
Updated: July 19, 2005
Description:
MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
Comments (none posted)
nasm: Buffer overflow vulnerability
Package(s): nasm
CVE #(s): CAN-2004-1287
Created: December 20, 2004
Updated: May 4, 2005
Description:
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code.
Comments (4 posted)
ncpfs: multiple vulnerabilities
Package(s): ncpfs
CVE #(s): CAN-2005-0013, CAN-2005-0014
Created: January 31, 2005
Updated: May 15, 2006
Description:
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013).
Comments (none posted)
nfs-utils: denial of service
Package(s): nfs-utils
CVE #(s): CAN-2004-1014
Created: December 1, 2004
Updated: May 15, 2005
Description:
The NFS statd server contains a denial of service vulnerability which is easily exploited by a remote attacker.
Comments (none posted)
nfs-utils: arbitrary code execution
Package(s): nfs-utils
CVE #(s): CAN-2004-0946
Created: January 11, 2005
Updated: February 27, 2006
Description:
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code.
Comments (none posted)
openmosixview: insecure temp file
Package(s): openmosixview
CVE #(s): CAN-2005-0894
Created: April 21, 2005
Updated: April 27, 2005
Description:
openMosixview and the openMosixcollector daemon can create an
insecure temporary file; this can be exploited by a local user
to overwrite arbitrary files via symbolic links.
Comments (none posted)
OpenOffice.org: .doc parser buffer overflow
Package(s): openoffice.org
CVE #(s): CAN-2005-0941
Created: April 13, 2005
Updated: May 13, 2005
Description:
OpenOffice.org suffers from a buffer overflow in the parsing code for MS Word files; see this advisory for details. Since this vulnerability could conceivably be exploited via files received in email messages, it should be taken seriously.
Comments (none posted)
openssl: der_chop script temp file vulnerability
Package(s): openssl
CVE #(s): CAN-2004-0975
Created: November 11, 2004
Updated: July 19, 2005
Description:
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
Package(s): opera
CVE #(s): (none)
Created: February 14, 2005
Updated: June 22, 2005
Description:
Opera is vulnerable to several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code.
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Comments (none posted)
perl: symlink vulnerability
Package(s): perl
CVE #(s): CAN-2005-0448
Created: March 9, 2005
Updated: January 30, 2006
Description:
The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries.
Comments (none posted)
php4: integer overflow and denial of service
Package(s): php4
CVE #(s): CAN-2005-1042, CAN-2005-1043
Created: April 14, 2005
Updated: July 13, 2005
Description:
The php4 EXIF module has two vulnerabilities. An
integer overflow in the exif_process_IFD_TAG() function
can be exploited to cause a buffer overflow for the
purpose of arbitrary code execution.
EXIF headers with a large IFD nesting level can be used
to cause a denial of service. Remote exploits are possible.
Comments (none posted)
php4: denial of service vulnerabilities
Package(s): php4
CVE #(s): CAN-2005-0524, CAN-2005-0525
Created: April 5, 2005
Updated: May 26, 2005
Description:
Two DoS vulnerabilities exist in PHP versions 4.2.2, 4.3.9, 4.3.10 and
5.0.3. One, in the php_handle_iff function in image.c, allows remote
attackers to cause a denial of service (infinite loop) via a -8 size
value. The other, in the php_next_marker function in image.c, allows remote
attackers to cause a denial of service (infinite loop) via a JPEG image with
an invalid marker value, which causes a negative length value to be passed
to php_stream_seek. This latter vulnerability also exists in PHP 3.
Comments (none posted)
postgresql: EXECUTE privilege vulnerability
Package(s): postgresql
CVE #(s): CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2005-0247
Created: February 10, 2005
Updated: July 19, 2005
Description:
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions.
Comments (none posted)
qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Comments (none posted)
realplayer: arbitrary code execution
Package(s): realplayer helixplayer
CVE #(s): CAN-2005-0755
Created: April 20, 2005
Updated: June 27, 2005
Description:
RealNetworks, Inc. has fixed a
security vulnerability that offered the potential for an attacker to
run arbitrary or malicious code on a customer's machine. Linux RealPlayer
10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable.
Comments (none posted)
Rootkit Hunter: insecure temporary file creation
Package(s): rkhunter
CVE #(s): CAN-2005-1270
Created: April 26, 2005
Updated: April 27, 2005
Description:
Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux
Security Team have reported that the check_update.sh script and the
main rkhunter script insecurely create several temporary files with
predictable filenames.
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
Package(s): rp-pppoe, pppoe
CVE #(s): CAN-2004-0564
Created: October 4, 2004
Updated: November 15, 2005
Description:
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
Comments (none posted)
ruby: infinite loop
Package(s): ruby
CVE #(s): CAN-2004-0983
Created: November 8, 2004
Updated: May 15, 2005
Description:
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles.
Comments (none posted)
samba: integer overflow vulnerability
Package(s): samba
CVE #(s): CAN-2004-1154
Created: December 16, 2004
Updated: July 19, 2005
Description:
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server.
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
Package(s): spamassassin
CVE #(s): CAN-2004-0796
Created: August 9, 2004
Updated: August 11, 2005
Description:
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Comments (none posted)
squid: denial of service
Package(s): squid
CVE #(s): CAN-2005-0718
Created: April 14, 2005
Updated: April 29, 2005
Description:
Squid has a remote denial of service vulnerability that can be
triggered by a remote connection abort during a PUT or POST request,
leading to an eventual server crash.
Comments (none posted)
SquirrelMail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
Created: January 28, 2005
Updated: July 19, 2005
Description:
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a.
Comments (none posted)
sudo: environment variable sanitizing
Package(s): sudo
CVE #(s): CAN-2004-1051
Created: November 17, 2004
Updated: May 15, 2005
Description:
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Comments (1 posted)
telnet: buffer overflows
Package(s): telnet
CVE #(s): CAN-2005-0468, CAN-2005-0469
Created: March 28, 2005
Updated: August 1, 2005
Description:
Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server.
Comments (none posted)
UnAce: buffer overflow and directory traversal
Package(s): unace
CVE #(s): CAN-2005-0160, CAN-2005-0161
Created: February 28, 2005
Updated: June 17, 2005
Description:
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161).
Comments (none posted)
vixie-cron: crontab allows any user to read other users' crontabs
Package(s): vixie-cron
CVE #(s): CAN-2005-1038
Created: April 15, 2005
Updated: March 15, 2006
Description:
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report.
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Comments (none posted)
xine-lib: two heap overflow vulnerabilities
Package(s): xine-lib
CVE #(s): CAN-2005-1195
Created: April 26, 2005
Updated: June 2, 2005
Description:
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). See Xine Advisory
XSA-2004-8 for details.
Comments (none posted)
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description:
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code.
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Comments (none posted)
xloadimage: missing input sanitizing, integer overflow
Package(s): xloadimage
CVE #(s): CAN-2005-0638, CAN-2005-0639
Created: March 21, 2005
Updated: May 4, 2005
Description:
Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw
in the handling of compressed images, where shell meta-characters are not
adequately escaped (CAN-2005-0638).
Insufficient validation of image properties has also been discovered, which
could potentially result in buffer management errors (CAN-2005-0639).
Comments (none posted)
xorg-x11: integer overflows
Package(s): xorg-x11
CVE #(s): CAN-2004-0914
Created: November 18, 2004
Updated: September 12, 2005
Description:
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code.
Comments (none posted)
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description:
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Comments (1 posted)
XV: multiple vulnerabilities
Package(s): xv
CVE #(s): (none)
Created: April 19, 2005
Updated: July 19, 2005
Description:
Greg Roelofs has reported multiple input validation errors in XV image
decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has
reported insufficient validation in the PDS (Planetary Data System)
image decoder, format string vulnerabilities in the TIFF and PDS
decoders, and insufficient protection from shell meta-characters in
malformed filenames. Successful exploitation would require a victim to
view a specially created image file using XV, potentially resulting in the
execution of arbitrary code.
Comments (none posted)
zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.11.8,
released on April 29.
The current 2.6 prepatch remains 2.6.12-rc3.
Linus's git repository contains a number of new "sparse" annotations, a
CIFS update, various architecture updates, resource limits for niceness and
realtime scheduling (see below), a new valid_signal() function
(for testing signal numbers), a JFS update, some networking tweaks, and
lots of fixes.
The current -mm tree is 2.6.12-rc3-mm2. Recent changes
to -mm include a number of new git trees, a cpufreq update, a new
/proc/zoneinfo file, some preparatory patches for Xen, and some
ext3 latency reduction work.
Comments (none posted)
Kernel development news
We're still miles away from 2.6.12.
-- Andrew Morton
Comments (none posted)
Further evidence that the kernel source code management situation is
slowly stabilizing: there is now a web interface to the kernel.org git
repositories. Most people, perhaps, will be interested in Linus's tree,
where the latest patches merged into the mainline can be viewed, but there
are several developer trees available as well. (Thanks to Steven Cole).
Comments (16 posted)
The long debate on how to provide preferential scheduling for audio
applications would appear to have come to an end. The realtime Linux
security module has not been merged; instead, the mainline now includes
a version of the rlimit patch. This is
not the outcome which was most favored by the audio development community,
but it will still be useful for them.
The patch creates two new resource limits. RLIMIT_NICE controls
the maximum "niceness" that the process can set for itself in the normal
timesharing scheduler. The limit has a range of 0..39, with 39
corresponding to an internal niceness value of -20 - the highest priority.
The difference between the resource limit value and the actual niceness
values may seem confusing, but apparently it's unavoidable: the Single Unix
Standard specifies that resource limits must be unsigned values.
The other limit is RLIMIT_RTPRIO; it can have a range of
0..100. If it is nonzero, the process is empowered to use the
realtime scheduling classes up to the indicated priority.
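The two limits as seen from user space, as an added example written for this article (it is not code from the rlimit patch, and the helper names are invented here). The limit-to-nice arithmetic follows the article's description: a limit of 0..39 where 39 means nice -20, so the most favourable nice value is 19 - limit, and the inverse is what makes the limit expressible as an unsigned number. One caveat a practitioner will want: the mapping that shipped in released kernels ended up shifted by one, and the setrlimit(2) manual page documents the ceiling as 20 - rlim_cur with a useful range of 1..40. The program reads both limits, reports what they permit, then lowers its own RLIMIT_RTPRIO to zero (the least-privilege move a daemon can make once any latency-critical setup is done, since children inherit the limit) and shows the resulting refusal of a SCHED_FIFO request.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Added example: the mapping below follows the article's description of the
 * 2.6.12-rc patch (RLIMIT_NICE 0..39, 39 == nice -20).  Function names are
 * invented for this example, not taken from the kernel. */

/* Most favourable (lowest) nice value an RLIMIT_NICE value allows. */
int nice_floor_for_limit(unsigned long limit)
{
    if (limit > 39)
        limit = 39;                 /* clamp RLIM_INFINITY and the like */
    return 19 - (int)limit;         /* 0 -> 19, 39 -> -20 */
}

/* Inverse mapping: the unsigned limit value a nice level requires.  This is
 * why the limit can be unsigned: nice -20 becomes 39, not a negative number. */
unsigned long limit_for_nice(int nice)
{
    if (nice < -20) nice = -20;
    if (nice > 19) nice = 19;
    return (unsigned long)(19 - nice);
}

/* Would an unprivileged process be allowed to set this nice value under the
 * given limit?  Making itself nicer (19) always passes; every step toward
 * -20 needs a higher limit. */
int nice_permitted(int requested_nice, unsigned long limit)
{
    return limit_for_nice(requested_nice) <= limit;
}

/* RLIMIT_RTPRIO: zero means no realtime classes at all; otherwise the
 * requested realtime priority must not exceed the limit.  Assumption: a
 * realtime priority request below 1 is never valid. */
int rtprio_permitted(int requested_prio, unsigned long limit)
{
    if (limit == 0 || requested_prio < 1)
        return 0;
    return (unsigned long)requested_prio <= limit;
}

int main(void)
{
#if defined(RLIMIT_NICE) && defined(RLIMIT_RTPRIO)
    struct rlimit nl, rl;

    if (getrlimit(RLIMIT_NICE, &nl) == 0)
        printf("RLIMIT_NICE soft=%lu hard=%lu: may request nice down to %d\n",
               (unsigned long)nl.rlim_cur, (unsigned long)nl.rlim_max,
               nice_floor_for_limit(nl.rlim_cur));
    if (getrlimit(RLIMIT_RTPRIO, &rl) == 0)
        printf("RLIMIT_RTPRIO soft=%lu hard=%lu: realtime priority %s\n",
               (unsigned long)rl.rlim_cur, (unsigned long)rl.rlim_max,
               rl.rlim_cur ? "allowed up to the soft limit" : "not allowed");

    /* Least privilege: a program that no longer needs realtime scheduling
     * lowers its own limit, and every child inherits it.  Lowering the hard
     * limit too makes the change irreversible for this process. */
    struct rlimit none = { 0, 0 };
    if (setrlimit(RLIMIT_RTPRIO, &none) != 0)
        fprintf(stderr, "setrlimit(RLIMIT_RTPRIO): %s\n", strerror(errno));

    /* With the limit at zero an unprivileged process is refused with EPERM;
     * a process holding CAP_SYS_NICE bypasses the limit entirely. */
    struct sched_param sp = { .sched_priority = 10 };
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        printf("SCHED_FIFO priority 10 refused: %s\n", strerror(errno));
    else
        printf("SCHED_FIFO granted: CAP_SYS_NICE bypasses the limit\n");
#else
    puts("RLIMIT_NICE and RLIMIT_RTPRIO are Linux-specific limits");
#endif
    return 0;
}
```

Run it as an ordinary user to see the refusal; run as root (or with CAP_SYS_NICE) and the limit is not consulted at all, which is the same rule the kernel applies to its own check and the reason the limits are only useful for the unprivileged audio user the article has in mind.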
The problem with this approach, from the point of view of the audio
community, is that it is not currently supported by any distribution. It
is easy to set up PAM to give expanded limits to specific users or groups -
once PAM has been patched to understand the new limits. Shells, too, must
be patched before their ulimit commands can be used to change the
limits. So it will be some time before an "out of the box" Linux system
will be able to take advantage of this new capability.
In the long term, however, the rlimit patch looks like a minimally invasive
way of making realtime scheduling available, in a relatively safe way, to
ordinary users. Anybody wanting to play with the new mechanism before
their distribution catches up can find instructions and patches on this web page.
Comments (3 posted)
The read-copy-update mechanism works with the fundamental assumption that,
if no pointer to an RCU-protected data structure exists, there will be no
references to that structure after every processor on the system has
scheduled at least once. This assumption works because the rules require
that accesses to RCU-protected data structures be atomic; scheduling while
holding such a reference is not legal. When RCU was added to the kernel,
it brought with it a function called
synchronize_kernel() which
would wait for every processor to schedule. Since it seemed that this
capability could be useful outside of RCU itself,
synchronize_kernel() was exported to the world.
A quick grep of the 2.6.12-rc kernel shows a fair number of
synchronize_kernel() calls. The module loader uses it to let
things calm down when an attempted load fails. The AT keyboard driver
calls it at disconnect time to ensure that no processor is still trying to
work with the device. The kernel profiling code uses
synchronize_kernel() to ensure that all processors notice the
unregistration of its timer hook. And so on.
The external uses of synchronize_kernel() have reached a point
where they are putting extra demands on the RCU code. RCU, after all, does
not really have to wait until every processor has scheduled; the
important constraint, instead, is that every processor running within
rcu_read_lock() exits from the critical section. This distinction
has become more important as the kernel developers have sought ways to make
RCU more compatible with the low-latency work.
So, as of 2.6.12-rc4, synchronize_kernel() will be officially
deprecated. Its replacements will be synchronize_sched(), which
retains the current "wait for all processors to schedule" semantics, and
synchronize_rcu(), which is only guaranteed to wait until any
processors executing within rcu_read_lock() critical sections have
exited those sections. Most external users probably need to be switched
over to synchronize_sched(). The comments suggest that a
synchronize_irq() variant is also envisioned, but it has not been
added as of this writing.
One other significant change: unlike synchronize_kernel(), the two
replacements are exported GPL-only.
Comments (none posted)
Standard wisdom says that the proper defense against fork bomb attacks
(where a simple script forks children until the system chokes under the
load) is to use resource limits. Put a cap on the number of processes
which can be created, and the problem goes away. In reality it's not quite
so simple; the limit can be softened by logging in multiple times. And, in
any case, some people feel that the system should not collapse when faced
with such an attack. A Linux system, it is said, should not be so easy to
bring down in its default configuration.
The last defense against fork bombs is typically the out-of-memory (OOM)
killer. As the system fills up with processes, it will eventually run out
of memory and, in its desperation, start looking for processes to kill.
The OOM killer has a set of heuristics which attempt to choose the "best"
process to kill. These rules help the system to avoid (sometimes) killing
processes which are vital to the continued operation of the system. They
are not particularly helpful in dealing with fork bombs, however.
Coywolf Qi Hunt has posted a patch which
tries to do a better job of defending against fork bombs in the OOM killer.
It works by
extending the task structure to keep better track of a process's
"biological" parent and children. These lists are maintained separately
from the regular process hierarchy pointers, and are not actually used
during normal system operation. They are, in other words, pure overhead
most of the time.
Things change, however, when an out-of-memory situation hits. When the OOM
killer starts up, it will select its first victim in the usual way. When a
second process is chosen for an untimely death, however, the new lists come
into play. For both the current and previous victim, the OOM killer will
traverse the "biological parent" pointers to create a path through the
process hierarchy. Using those paths, the code can select the "least
common ancestor," the lowest process which is an ancestor to both victims.
Then, rather than killing the second chosen victim directly, the OOM killer
goes after the ancestor - and all of its children. If the OOM situation
persists, the killer should be able to quickly work its way up the process
hierarchy until it finds (and eliminates) the process responsible for the
whole mess.
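A user-space model of the step the patch adds, written for this article as an added example: it is not Coywolf Qi Hunt's code, and the process tree, the pids and every function name are constructed here. Each process carries an index to its "biological" parent; the model walks those pointers from each victim up to init, takes the deepest entry the two root-to-process paths share as the least common ancestor, and then collects that ancestor together with all of its descendants as the kill set. One safeguard is the model's own assumption, not documented behaviour of the patch: if the common ancestor would be init, it falls back to killing the second victim alone.

```c
#include <stdio.h>

/* Added example: a user-space model of the least-common-ancestor selection
 * described for the OOM killer patch.  Tree, pids and names are constructed
 * for this example; nothing here is taken from the kernel patch. */

#define MAX_PROCS 64

struct proc {
    int pid;
    int parent;          /* index of the biological parent; -1 for init */
};

/* Constructed process tree: a fork bomb rooted at pid 300 has spawned two
 * generations under a user's shell (pid 200). */
static const struct proc tree[] = {
    { 1,   -1 },   /* 0: init                     */
    { 50,   0 },   /* 1: syslogd, child of init   */
    { 100,  0 },   /* 2: sshd, child of init      */
    { 200,  2 },   /* 3: bash, child of sshd      */
    { 300,  3 },   /* 4: bomb root, child of bash */
    { 301,  4 },   /* 5: bomb, child of 300       */
    { 302,  4 },   /* 6: bomb, child of 300       */
    { 303,  5 },   /* 7: bomb, child of 301       */
    { 304,  5 },   /* 8: bomb, child of 301       */
};
static const int nprocs = (int)(sizeof tree / sizeof tree[0]);

static int index_of(int pid)
{
    for (int i = 0; i < nprocs; i++)
        if (tree[i].pid == pid)
            return i;
    return -1;
}

/* Follow biological-parent pointers up to init and store the path with init
 * first.  Returns the path length. */
static int ancestor_path(int idx, int *path)
{
    int n = 0;
    for (; idx >= 0; idx = tree[idx].parent)
        path[n++] = idx;
    for (int i = 0, j = n - 1; i < j; i++, j--) {
        int t = path[i]; path[i] = path[j]; path[j] = t;
    }
    return n;
}

/* Least common ancestor of two victims: the deepest index shared by both
 * root-to-process paths.  Returns its pid, or -1 if a pid is unknown. */
int lca_pid(int pid_a, int pid_b)
{
    int a = index_of(pid_a), b = index_of(pid_b);
    int pa[MAX_PROCS], pb[MAX_PROCS];
    if (a < 0 || b < 0)
        return -1;
    int na = ancestor_path(a, pa), nb = ancestor_path(b, pb);
    int last = -1;
    for (int i = 0; i < na && i < nb && pa[i] == pb[i]; i++)
        last = pa[i];
    return last < 0 ? -1 : tree[last].pid;
}

/* Is index i the root itself or one of its biological descendants? */
static int in_subtree(int i, int root)
{
    for (; i >= 0; i = tree[i].parent)
        if (i == root)
            return 1;
    return 0;
}

/* The set the killer goes after: the ancestor plus all of its descendants.
 * Returns how many pids were written to out. */
int kill_set(int ancestor_pid, int *out, int max)
{
    int root = index_of(ancestor_pid), n = 0;
    if (root < 0)
        return 0;
    for (int i = 0; i < nprocs && n < max; i++)
        if (in_subtree(i, root))
            out[n++] = tree[i].pid;
    return n;
}

/* Size of that set without needing a caller-supplied buffer. */
int kill_count(int ancestor_pid)
{
    int buf[MAX_PROCS];
    return kill_set(ancestor_pid, buf, MAX_PROCS);
}

/* Second-victim decision as the article describes it.  Assumption of this
 * model (not documented for the patch): never target init; fall back to the
 * second victim alone if the ancestor would be init. */
int oom_target(int first_victim, int second_victim)
{
    int anc = lca_pid(first_victim, second_victim);
    if (anc < 0 || tree[index_of(anc)].parent < 0)
        return second_victim;
    return anc;
}

int main(void)
{
    int set[MAX_PROCS];
    int target = oom_target(303, 304);      /* two leaves of the bomb */
    int n = kill_set(target, set, MAX_PROCS);
    printf("victims 303 and 304 -> ancestor %d, kill set:", target);
    for (int i = 0; i < n; i++)
        printf(" %d", set[i]);
    printf("\n");
    return 0;
}
```

With the sample tree, victims 303 and 304 resolve to their parent 301 and its subtree; if the OOM condition persists and 302 is chosen next, the common ancestor with the earlier victims becomes 300, the root of the bomb, which is the "working its way up" behaviour the article describes.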
Coywolf has a set of test cases and a system he is willing to run them on;
for all but the nastiest of the three, the patched system was able to put
an end to the fork bomb attack without any ill effects beyond a temporary
slowdown. In the worst case, the system still recovered, but with some
collateral damage. The patch adds some significant overhead (one pointer
and two list_head structures) to each process in the system, so it
may encounter some resistance - most systems will pay that overhead, but
never actually need to run the OOM killer. But, for systems which are
exposed to that sort of attack, this patch could be a useful last line of
defense.
Comments (2 posted)
The 2.6.12-rc kernels include, among many other things, the long-awaited
return of the Philips web camera driver. This driver, remember, was
removed at the original author's request; that author (known as "Nemosoft
Unv") objected to the removal of a special-purpose hook which allowed a
non-free decompression module to be loaded into the kernel. After the
removal, Luc Saillard took over the driver, with the goal of getting it
back into the mainline. As part of that process, he reverse engineered the
image decompression code and included it in the GPL-licensed module. It
would appear that this episode has led to a good result: the Philips driver
is back, and more free than before.
Nemosoft has recently resurfaced, however,
to make the claim that things may not be quite as good as they seem.
According to Nemosoft, no real reverse engineering job was done. Instead:
In case you hadn't noticed, that code has been reverse compiled (I
would not even call it "reverse engineered"), and is simply
illegal. Maybe not in every country, but certainly in some. There
are still some intellectual property rights being violated here,
you know, and I'm surprised at the contempt you and Linux kernel
maintainers show in this regard for a few lines of the law.
Mr. Saillard has been silent on how he performed the reverse engineering
task. A look at the code (example -
pwc-kiara.c) is somewhat unenlightening - the decompression code
consists mostly of a set of tables filled with mysterious numbers. It is
hard to imagine how those tables could be created in any way other than
extracting them from the binary decompressor module.
If the code was truly decompiled and relicensed, there could be a copyright
issue here. On the other hand, the tables used for decompression will be
hard to protect if they are truly the only way to interpret images produced
by the camera. Alan Cox (who forwarded the PWC patches for merging) acknowledges that there could be an issue with
the decompression code, but he is not overly worried about it:
The legal position on reverse engineering is in general fairly
clear. What you describe might not be. If so then we need to find
someone who hasn't read the code to rewrite it from the algorithm
description of the current code. Shouldn't take more than a week.
Alan also points out an issue others have raised: by Nemosoft's admission,
the non-disclosure agreement which forced the decompression code to be
proprietary ran out some time ago. Nemosoft could thus resolve the
licensing issues by simply releasing the decompression code under a free
license.
Comments (3 posted)
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
Once you install
Kubuntu on your
desktop computer, it is easy to see why the Ubuntu project has been such a
resounding success: a simple, text-based installation procedure, excellent
hardware auto-detection and configuration, an intuitive desktop that most
people will find easy to navigate, and a great support community. And
although, in line with most other major distributions, setting up the
playback of multimedia files or installing browser plugins requires extra
effort, this has been made considerably easier thanks to the excellent
60-page
Unofficial Ubuntu Guide. The
only complaint about the previous version of Ubuntu, its strong
preference for the GNOME desktop and brown colors, has now also been
addressed by Kubuntu, an increasingly popular sub-project of Ubuntu
Linux.
As the name suggests, Kubuntu is essentially Ubuntu for users who prefer KDE
over GNOME. The developers created DEB packages of the latest version of
KDE and built installation and live CDs for three architectures - i386, PPC
and x86_64. We installed the i386 edition of Kubuntu 5.04 ("Hoary
Hedgehog") on a test computer powered by a Pentium 4 1.4GHz processor and
Intel 850 chipset with 384 MB of RAM and a Matrox Millennium G450 graphics
card. The installation program, based on a recent Debian Sarge installer,
was a straightforward affair requiring little human intervention. At the
end of it, we found ourselves looking at a KDM login screen, and shortly
afterward, at a KDE desktop with a cool blue wallpaper and desktop theme.
The first thing we normally do after installing a new distribution is to
check for security updates. For package management, Kubuntu uses Kynaptic,
a graphical front-end for apt-get, which comes pre-configured with sources
pointing to Ubuntu's security and update servers. Kynaptic is obviously
modeled on Synaptic, but despite its better integration with the KDE
desktop, it fades in comparison with its better-known counterpart - it
lacks a way to update the sources.list file from within its GUI and it also
has some interface quirks, which usually indicate that the product has not
quite reached the 1.0 status. Nevertheless, as a simple package management
utility, it works fine and we were able to refresh the package information
and upgrade a handful of packages that were listed as being already
installed, but needed upgrades.
As Kubuntu comes on only one CD, it goes without saying that many useful
packages have been omitted from the CD and are only available from Ubuntu's
online repositories (Kubuntu does not have its own repository). We went on
to create a more functional developer's workstation by installing software
that we normally use around here, including Apache, BitTorrent, gFTP, GIMP,
Java, PHP, Firefox, Quanta, and a number of other packages. This completed
without a hitch. Since Kubuntu basically represents a subset of Ubuntu
Linux, we decided to install a full GNOME desktop too, just to prove the
concept. This can be done by selecting the "ubuntu-desktop" package from
the list and the 200+ dependent packages are then selected automatically.
The installation completed flawlessly and a new "GNOME" entry appeared
under KDM's "Session Type" menu; however, the GNOME desktop came up with
an unpopulated default panel and without the usual desktop icons.
Nevertheless, the concept worked and we were able to turn the Kubuntu
installation into a full Kubuntu + Ubuntu desktop.
Usable as the default Kubuntu desktop is, some users will undoubtedly want
more - notably some of the proprietary applications and multimedia codecs,
but also some useful open source applications that are not in the official
Ubuntu repositories. This is where the above-mentioned Unofficial Ubuntu
Guide comes in handy: it explains things in layman's terms and guides users
through re-configuring sources.list and installing applications. We
followed the instructions and installed and configured Java Runtime
Environment, Macromedia Flash Plugin, Acrobat Reader, Skype, several
multimedia codecs and DVD playback functionality, MPlayer and RealPlayer.
With instructions about how to install non-Latin fonts and how to configure
input method editors for inputting Asian character sets, international
users are not neglected either. The guide also explains how to install
several commercial applications, popular games, the NVIDIA driver, and
drivers for certain winmodems. After less than an hour of following the
instructions in the guide, we succeeded in turning a stock Kubuntu
installation into a powerful and highly usable Linux workstation with just
about everything a desktop user might need.
And this is when we suddenly realized why the Ubuntu project has been such
an enormous success. It is not just the wealthy sponsor and the skilled
Linux developers that produce quality software; it is also the existence of
various sub-projects and community efforts (such as Kubuntu or the
Unofficial User Guide) that have contributed a great deal towards its
growing acceptance. Of course, there are many excellent distributions on
the market. But to our knowledge, none of them can boast a
comprehensive free manual that tells its users how to install, configure
and use some of the useful non-free software and how to enhance their Linux
operating system to get, in terms of usability, as close as possible to Mac
OS or MS Windows. This guide, already translated into a number of
languages, should be the first stop of any new Ubuntu/Kubuntu user.
Both Ubuntu and Kubuntu are impressive distributions that are deservedly
becoming the leaders of desktop Linux (of course, they can be used on
servers too). In fact, it is very hard to find any fault with Hoary
Hedgehog: it has a solid installer, hands-off hardware setup, and many
little enhancements that make computers so much more fun. Its community
resources are hard to beat and it is still the only project that has
produced both installation and live CDs for three architectures. If you
haven't tried Ubuntu/Kubuntu, do yourself a favor and install it on a spare
partition. Chances are that it will find a permanent home on your hard
disk.
New Releases
Linux Labs has
announced the availability of Nimbus 4.0, a distribution aimed at secure supercomputing applications. Nimbus combines the
bproc single system image patches with SELinux, and tosses in the cryptographic filesystem (CFS) as well.
The distribution does not appear to be available for download, however.
Progeny Componentized Linux
has
announced the
release of Progeny Debian 3.0 Developer Edition PR1. "
Progeny Debian
3.0 Developer Edition is an example distribution based on Componentized
Linux. It is essentially a snapshot of Debian sarge as of April 2005 that
includes an easy-to-use, graphical installer and a fully integrated GNOME
desktop environment."
ISO images for Mandriva's Linux LE2005 release are now available for
download; click below for the announcement, or go straight to
the product page to
find a download site.
LinuxMedNews
covers the
release of version 6 of
CDMEDIC, a
live Linux CD with PACS WEB [Picture Archive and Communication System],
medical spell checker and more.
Distribution News
Those awaiting a stable Debian Sarge release may be encouraged by the news
that the release managers have declared a freeze. "
Now to explain
what, exactly, we mean by "freeze". The base freeze upload policy of
uploading changes in through unstable if you can, and
testing-proposed-updates if you must, has worked well (or so is the
subjective opinion of the release team), so we plan to continue to apply
the same policy for the freeze of the rest of the archive."
There will be a
Bug Squashing Party May 5
to May 8, 2005 to squish RC bugs, test woody->sarge upgrades, fix remaining
security issues (especially non-RC ones), and more.
This update looks at the infrastructure and
release status as of April 30, 2005.
Footnotes
takes note that a
live Linux CD showcasing GNOME 2.10 has been downloaded more than 50,000
times, and it is also available in Greek.
An unofficial
add-on CD is
available for Ubuntu 5.04, with lots of
extra
packages.
The
Stateless
Debian Project is looking for active volunteers/developers.
"
Stateless Linux converts normal Linux desktops/clients to stateless
machines or appliances, which means that if you throw your computer out of the window
you will still be able to get exactly the same settings/data when you log in
from any other PC in the network ....A single administrator can easily
manage a network of thousands of desktops ...Stateless Linux centralizes the
state in a Gold server (different from CFengine) and the rest of the clients are
updated regularly from it. This is different from thin clients as the local
processing power and memory of the clients is used (or cached client)"
DebConf5 is coming up in July. This update takes a look at the current
sponsors, speakers, topics and more. "
For people that want to
hack together in a focused way, the location is available ahead of
time. Note that it has proven to be of limited productivity to come and
"just work on something" or "just help". You can read mail and browse the
web at home. If you however work on a team (e.g. d-i, debian-edu,
debian-cd, ...) you are very welcome: This is your opportunity for tight
face-to-face cooperation and team work! Please let us know how many you
are and when you want to come. The dorm is available for you from the
3rd. We will still be setting up the infrastructure, but basic net access
will be there from the start."
Distribution Newsletters
The Debian Weekly News for May 3, 2005 is out with a look at the minutes of
the leadership team meeting, some thoughts about dealing with PHP
application design flaws, the Debian administration website, a Debconf
update, and more.
The Gentoo Weekly Newsletter for the week of May 2, 2005 is out. This
edition covers some officially unofficial developer documentation, speed
bumps on the way to OpenLDAP 2.2, ebuild cruft, headhunter spam,
KDE-look.org migrates to a Gentoo Linux host, and several other topics.
The
DistroWatch
Weekly for May 2, 2005 is out. "
If you are losing patience
waiting for the ISO images of the new Mandriva Linux 2005, why not perform
a network installation instead? It is easy and we'll show you how. We
will also address the issue of the never-ending stream of new distributions
vying for our attention, and point out some serious problems with the
latest release of the GCC compiler. In the biggest DistroWatch Weekly ever,
we have a user-contributed review of the increasingly popular SLAX live CD,
and present FetchYahoo in Robert Storey's "Tips, tricks & hints"
section."
Package updates
Fedora Core 3 updates:
wireless-tools-27-2.2.0.fc3 (fix iwlist
command),
spamassassin-3.0.3-3.fc3 (a bunch
of bug fixes),
gimp-2.2.6-0.fc3.2 (silence
%post),
bootparamd-0.17-19.FC3 (bug fixes),
php-4.3.11-2.5 (fixes a compatibility
issue),
vte-0.11.13-1.fc3 (a whole bunch of
upstream fixes),
policycoreutils-1.18.1-2.12 (eliminate bogus
error on upgrading policy),
words-3.0-2.3
(sort with --dictionary-order and remove possessives),
util-linux-2.12a-24.1 (bug fixes).
The i386 perl package was accidentally
shipped with FC3 x86_64. This causes updates to clash and fail on FC3
x86_64 systems. To recover from this error use:
yum remove perl.i386
Mandriva Linux 10.2 (LE2005) updates:
ldetect-lst (provides support for the XBook
modem),
rpmdrake (fixes a bug in the
Software Media Manager),
mdkonline
(Mandriva domain name changes - also available for 10.0, 10.1, Corporate
Server 3.0 and Multi Network Firewall 2.0).
Mandriva Linux Corporate Server 3.0 updates: lsb (provides corrected install_initd,
remove_initd scripts).
Click below for this week's slice of the Slackware change log. Upgraded
packages include hdparm, Linux kernel 2.4.30, bind, getmail, gxine and
more.
Trustix Secure Linux Bugfix Advisory #2005-0017 covers bug fixes in apache,
bind, imagemagick, initscripts, kernel, libcap, libpcap,
perl-convert-uulib, php, pptpd, proftpd, setup and squid.
Distribution reviews
eWeek
reviews SUSE
Linux 9.3 Pro. "
Novell Inc.'s SuSE Linux Professional 9.3 is an
excellent general-purpose operating system. In fact, when it comes to
combining leading-edge Linux and open-source software, Version 9.3 is the
most polished and complete Linux distribution eWEEK Labs has
tested."
LinuxPlanet
reviews
Mandriva Limited Edition. "
Mandriva offers a nice, customized
Control Center to enable you to customize your system's appearance,
behavior, and configuration. It offers some truly cool features that I
haven't seen in other control centers, such as the ability to set up an
Uninterruptible Power Supply (UPS) for power monitoring and to define
WebDAV mount points for accessing Web-based Distributed Authoring and
Versioning sites as filesystems."
MadPenguin
reviews Mandriva
Limited Edition 2005. "
When everything is said and done and I've
finally powered down the test system, I'd have to say that the Mandriva
Limited Edition 2005 desktop was an all around good performer. Of all the
applications I tested, none failed to open and the desktop was extremely
responsive. The installation was simple enough for new users but had the
capability of fine tuning for advanced users, boot time was good, device
support was good for the systems I tested on (although it's high time we
invested in some oddball systems to test on. Most of the hardware here is
fairly standard and needs to be noted) and my overall opinion of this
release is strong."
NewsForge
reviews the Ututo-e distribution.
"
Ututo-e is a Gentoo-based distribution developed in Argentina. Of all the x86
distributions listed on DistroWatch, Ututo-e is the only distribution
endorsed by the Free Software Foundation (FSF). Since he first noticed
Ututo-e while visiting Argentina last August, Richard Stallman has described
it as "the only free GNU/Linux distro I know of" -- an endorsement that
promises to boost its user base the way that John F. Kennedy's endorsement of
the James Bond books boosted their sales."
NewsForge has this
article
about VidaLinux. "
Many call VidaLinux a "simpler Gentoo." It
uses many of Gentoo's features, such as the Portage software distribution
system, but also manages to make it all seem less intimidating. For
instance, it uses Red Hat's Anaconda installation system. Anaconda is a
graphical interface, which many find easier than Gentoo's command-line
installation. Vida's system components also come prebuilt and ready for
installation, whereas Gentoo's installation requires everything to be built
from the command line, which intimidates some people."
NewsForge
reviews
PCQuest Linux 2005. "
Two of the most interesting installation
options provided with PCQ Linux 2005 are Supercomputing and Grid
Computing. PCQ Linux includes OSCAR (Open Source Cluster Application
Resources) and some management utilities to help you set up your own
backyard supercomputer, limited only by the number of machines you have. An
article in the magazine covers the initial setup, hardware requirements,
and network configuration."
Page editor: Rebecca Sobol
Development
Version 1.0 of
Amuc, the Amsterdam Music Composer, was released by author
Wouter Boeke in time for the 2005
Linux Audio Conference.
Amuc is described as:
"a Linux application for composing and playing music".
The online
manual and screen shots page explains more about Amuc's capabilities:
Amuc is quite different from other music software. It is especially focused on composing music, which is a very difficult but rewarding endeavor. The tool tries to place as few hurdles as possible on the user's road.
The entering of new tunes is done on a normal 5-bar staff (treble or bass clef) in one of the 2 panels at the left. There are 2 kinds of instruments: sampled instruments for percussive sounds, and sounds that are generated in real time. For each kind there is a choice between 6 instruments, indicated by a color. The sound of a real-time instrument can be modified via its own control panel, which will appear when the appropriate color is selected.
Amuc uses graphical score entry windows for entry of a series of musical
notes. Note pitches are displayed by vertical position on the score
and time duration is displayed as line length.
Synthesized waveforms include
FM synthesis, variable frequency sine waves, random waveforms, pulse
waveforms with chorus capabilities, and additive synthesis.
The scores form the basic compositional building blocks; there are
capabilities for applying various editing processes to the notes grouped
in a score. The scores can be combined to form the big score
that represents the entire musical composition.
Scripting capabilities add a high-level control structure over the scores;
scripts can be used to manipulate a variety of score parameters such as
pitch, amplitude, and synthesis parameters.
Once a composition has been assembled, it is possible to play it in
real-time, or save it as a wave (.wav) or MIDI (.mid) file.
The composition
itself is saved as a score file (.sco) and a script file (.scr).
The tune can be modified as it is played by adjusting various parameters
including tempo, volume, and a multitude of synthesizer parameters.
For an idea of how the software functions, see the example screen shot
while listening to the matching dance.mp3
musical sample.
System Applications
Audio Projects
The
latest changes from the
Planet CCRMA audio utility packaging project include new versions of
ZynAddSybFX, Ardour, the rtirq startup script, Libcddb, Libcdio,
Vcdimager, Libdvdread, Dvdauthor, OpenEXR, LCMS, Cinepaint, and
Libjackasyn.
Backup Software
Version 0.4b40 of Dump/restore, a set of backup and restore tools,
is out.
"
This release features a few bug fixes and support for ext2/ext3
extended attributes (EA)."
Database Software
Version 1.8 of Daffodil Replicator, a database replication
application,
is out with new features.
"
Daffodil Replicator project team announced the release of Daffodil Replicator
v1.8 with new features like Scheduling, Debugging, Special Character
handling, and Replication Process Monitoring. Daffodil Replicator is Open
Source data synchronization software that ensures high availability of data
in environments that make use of heterogeneous databases."
Mail Software
The Alpha 0 release of
Sendmail X,
a mail transfer agent,
has been announced.
"
sendmail X is a modularized message transfer system consisting of five (or more) persistent processes, four of which are multi-threaded. A central queue manager controls SMTP servers and SMTP clients to receive and send e-mails, an address resolver provides lookups in various maps including DNS for mail routing, and a main control program starts the other processes and watches over their execution. The queue manager organizes the flow of messages through the system and provides measures to avoid overloading the local or remote systems by implementing a central control instance."
The code has been released under the
Sendmail Open Source License.
Printing
The
CUPS site
(Common Unix Printing System)
has published a series of small articles with tips on customizing CUPS.
The article topics include:
Administrative Privileges From A Remote Location, What Printer Model Is A
Printer Using?, Changing The Printing Priority For A Queued Job, and How
To Assign Printing Administration Capabilities To Users.
Security
Mohit Muthanna has announced a new two-factor
authentication system.
"
If anyone is interested, I am currently testing my new two-factor
authentication system and am offering the service for free. It does
not use keys, tags or other special hardware since it authenticates a
user by calling them on their land / cell phone and requesting a PIN
code."
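A phone-delivered PIN is only as strong as the server-side handling around it. The following is an added example (not Mohit Muthanna's code, whose service details are not public) of the verification side of such a scheme: the PIN is generated with a CSPRNG, stored only as a keyed hash, expires after a short window, is single-use, and locks out after a few wrong guesses. The telephony call itself is out of scope and is represented by the return value of request_pin(); class and method names are this example's own.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example. The phone call is represented by request_pin()'s return
# value; a real deployment would hand that PIN to a telephony API and never
# return it to the client that asked to be authenticated.

PIN_DIGITS = 6
PIN_TTL_SECONDS = 120      # the call takes seconds, so a PIN need not live for long
MAX_ATTEMPTS = 3           # a 6-digit PIN survives only if guessing is rate limited


class PhonePinVerifier:
    """One-time PIN delivered out of band, verified with expiry and attempt limits."""

    def __init__(self, secret_key, clock=time.time):
        self._key = secret_key     # server-side HMAC key; keep it out of the PIN table
        self._clock = clock        # injectable so tests can move time forward
        self._pending = {}         # user -> (digest, expires_at, attempts_left)

    def _digest(self, user, pin):
        # Keyed hash: a leaked pending table reveals nothing usable without the key.
        return hmac.new(self._key, f"{user}:{pin}".encode(), hashlib.sha256).digest()

    def request_pin(self, user):
        """Create a fresh PIN for `user`, replacing any outstanding one."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[user] = (self._digest(user, pin),
                               self._clock() + PIN_TTL_SECONDS,
                               MAX_ATTEMPTS)
        return pin   # goes to the telephony provider, not back to the caller

    def verify(self, user, pin):
        """True once, for the right PIN, inside the window, within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)   # expired or exhausted: a new call is required
            return False
        if hmac.compare_digest(digest, self._digest(user, pin)):
            self._pending.pop(user, None)   # single use: the same PIN cannot be replayed
            return True
        attempts_left -= 1
        if attempts_left == 0:
            self._pending.pop(user, None)   # lock out; do not wait for expiry
        else:
            self._pending[user] = (digest, expires_at, attempts_left)
        return False
```

The constant-time comparison and the attempt counter are the two checks most often missing from home-grown PIN code; without the counter, a six-digit PIN and an unthrottled endpoint give an attacker a one-in-a-million chance per request, which is not much of a second factor.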
Kenneth Ballard presents
part two of an IBM developerWorks series on secure programming.
"
Securing the handshake during a Secure Sockets Layer session (SSL) is vital, since almost all of the security involving the connection is set up inside the handshake. Learn how to secure the SSL handshake against a man in the middle (MITM) attack -- in which the intruding party masquerades as another, trusted source. This article also introduces the concept of digital certificates and how the OpenSSL API handles them."
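The handshake cannot detect a man in the middle unless the client actually validates the certificate it is handed and binds it to the name it meant to talk to. As an added example (not code from Ballard's article, which works with the OpenSSL C API), the same decision expressed with Python's ssl module: the weak client context that old code still creates, the hardened one beside it, and a small checker that reports what a reviewer would flag. Function names are this example's own.

```python
import ssl

# Added example. An SSL/TLS handshake only defeats a MITM if the client
# verifies the peer's chain against trusted roots AND checks that the
# certificate names the host it intended to reach.


def legacy_client_context():
    """The weak configuration: encrypted, but willing to talk to anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation: an interposer's cert is accepted
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain, check the hostname, and refuse pre-1.2 protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSLv3, TLS 1.0 and 1.1 off
    return ctx


def handshake_can_detect_mitm(ctx):
    """True only if the context validates the peer's chain and binds it to the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def describe(ctx):
    """Handshake weaknesses a reviewer would flag in this context (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the expected hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are negotiable")
    return findings
```

The order of the two assignments in legacy_client_context() is deliberate: the ssl module refuses to set CERT_NONE while check_hostname is still true, which is exactly the coupling that makes the hardened context safe by default. Pass cafile to hardened_client_context() when the server uses a private CA; do not disable verification to get past a trust error.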
Web Site Development
Version 0.6.6 of IssueTrackerProduct, an issue tracker web application
for Zope, has been
announced.
Here are the change notes:
"
17 new features and 16 bug fixes make 0.6.6 one of the most exciting releases since the semi-rewrite 0.6 release. This release is considered a Development release because of the number of new features.
Most of the new features are rather minor and none break old versions. Many of them are relatively cosmetic.
There are some quite important bug fixes that make it worth upgrading if you feel affected".
Jason R. Briggs
writes about REST on O'Reilly.
"
REST, Representational State Transfer, is a collection of design principles
that use simple, stateless HTTP for data transfer, without the
method-call-like abstractions of RMI or SOAP. Jason R. Briggs shows how you
can use this simple architecture, with Jython and Velocity, to develop
nimble, loosely coupled web applications."
Rich Bowen
explains Apache's RewriteMap on O'Reilly.
"
A huge number of the questions on #apache have to do with mod_rewrite. And, fairly frequently, I find myself thinking that the problem being discussed would be so much easier to solve if we could just write a Perl script to deal with it.
Of course, you can, using the RewriteMap, but it's moderately hard to come by good examples of using this, either in the documentation, or elsewhere online.
As some of you may know, I'm working on the documentation, and, hopefully, it will soon contain some good examples of using RewriteMap. But, until then, this article will serve to provide a simple, as well as a not-so-simple, example."
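Bowen's point is that a RewriteMap of type prg lets an external program answer rewrite lookups. The following is an added example (not from his article, and in Python rather than Perl) of such a program, with the httpd.conf lines that would wire it up given as an assumption in the docstring. Apache starts the program once, feeds it one key per line on stdin, and reads one line back per key; the four-character string NULL signals "no match" so that the ${map:key|default} fallback applies. Because the key comes straight out of the request URL, the script treats it as untrusted and validates it before any lookup. The product table and the RewriteRule are constructed for the example.

```python
#!/usr/bin/env python3
"""External RewriteMap program (RewriteMap name prg:/path/to/script).

Added example, not from the O'Reilly article. Assumed httpd.conf lines:

    RewriteEngine On
    RewriteMap  product  prg:/usr/local/bin/product_map.py
    RewriteRule ^/product/([^/]+)$  /catalog.php?sku=${product:$1|NULL}  [L]

Apache keeps this process alive for the server's lifetime, serialises
lookups, writes one key per line to stdin and expects exactly one line
back per key on stdout.  It runs with the httpd user's privileges, so the
key must be treated as hostile input.
"""
import io
import re
import sys

# Constructed lookup table; a real map would consult a file or a database.
PRODUCTS = {
    "kubuntu-cd": "KB-5.04-I386",
    "hoary-dvd": "HH-5.04-DVD",
}

# One safe leading character, then at most 63 more: no '/', no '..', no
# control characters, no oversized keys reaching whatever the map consults.
KEY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
NOT_FOUND = "NULL"   # mod_rewrite treats this literal reply as a lookup failure


def lookup(key):
    """Map one URL path segment to a value; NULL for anything unexpected."""
    if not KEY_RE.fullmatch(key):
        return NOT_FOUND
    return PRODUCTS.get(key.lower(), NOT_FOUND)


def serve(inp, out):
    """Protocol loop: one answer line per request line, flushed immediately.

    Returns the number of keys handled."""
    handled = 0
    for line in inp:
        key = line.rstrip("\r\n")
        out.write(lookup(key) + "\n")
        out.flush()      # Apache blocks until the newline arrives; never buffer here
        handled += 1
    return handled


def answer_batch(keys):
    """Feed a list of keys through serve() and return the replies (for testing)."""
    out = io.StringIO()
    serve([k + "\n" for k in keys], out)
    return out.getvalue().split("\n")[:-1]


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Two operational caveats follow from the protocol: the program must never emit more or fewer lines than it was asked for (an exception that kills it leaves every later request waiting), and stdout must be flushed after every reply, which is the Python equivalent of Perl's $| = 1.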
Version 0.2.0 of the Wiki module for phpWebSite
has been announced. New features include
BBCode support, Extended character support, Image Upload,
Page locks, and more.
Miscellaneous
Version 0.84 of ClamAV, an open-source anti-virus suite, is out.
"
The new version improves detection of JPEG (MS04-028) based exploits,
introduces
support for TNEF (Winmail.dat) files and new detection mechanisms. Various
bugfixes
and improvements have also been made."
Desktop Applications
Audio Applications
Version 0.12.0 beta of
ReZound,
a graphical audio file editor, is available.
"
This release adds a few new major features and some overdue bug fixes."
See the
changes document for more information.
CAD
Release 24 of PythonCAD, a CAD package, is available.
"
The twenty-fourth release contains numerous improvements to the code
used for constructing the user interface and the entity drawing routines.
This release utilizes the GTK Action and ActionGroup classes for building
and controlling the menubar and menus. Using these classes greatly simplifies
and enhances the ability to manipulate the menu items, and these features
are used extensively in this release. Many menu choices are now activated
when the functionality they provide can be used, and deactivated when their
use is not possible. More enhancements of this nature will be appearing in
future releases. Another significant improvement is the refactoring of the
entity drawing routines."
Desktop Environments
GnomeDesktop.org
looks at GNOME Art.
"
The GNOME Art Collection written in ruby is a collection of tools for managing art from the art.gnome.org website. The first app, GNOME Art is a graphical frontend for art.gnome.org. Backgrounds and all themes can be downloaded and previewed. Backgrounds, icon themes and splash screens can be installed directly. GNOME Splash Screen Manager is an
application for managing the splash screens of your GNOME desktop."
The April 29, 2005 edition of the
KDE CVS-Digest is online, here's the content summary:
"
amaroK and Kexi support KNewStuff for database examples, Context Themes and amaroK scripts. amaroK adds support for Helix multimedia backend. Kmail filters now can be applied to messages from IMAP accounts. KWifiManager implements switch network from GUI feature."
GUI Packages
The
FLTK project has released
the
FLTK 2.0.x Weekly Snapshot and the
FLTK 1.1.x Weekly Snapshot, both dated April 29, 2005.
Imaging Applications
Issue #5 of the
Blender Development Digest is online with the latest news about
Blender 3D, a three dimensional content creation and animation suite.
Thanks to Tom M.
Medical Applications
LinuxMedNews
introduces
Free Ed,
"
A free emergency department patient tracking system. This is a tracking
system similar to several commercial systems."
Music Applications
Version 0.2.0 of Patchage, a modular patch bay for Jack audio and Alsa Midi,
is out.
"
This release adds Alsa Midi patching support, and numerous bugfixes."
Release 1.127 of wcnt (Wav Composer Not Toilet),
a non-real-time modular audio synthesizer, sequencer, and sampler, is out.
"
This release has removed an enormous number of memory leaks, fixed several
segmentation faults, and fixed other bug issues. Validation of
parameters is now updated and working. Various re-codings have resulted in
a slightly smaller executable."
Office Suites
The April, 2005 edition of the OpenOffice.org Newsletter
is online with the latest news about the OpenOffice.org office suite.
Digital Photography
Version 2.1 of KimDaBa, a photo management application, has been released.
Changes include a new data/status bar, thumbnail viewing changes,
the ability to attach keyboard tokens to images for grouping purposes,
and more.
Web Browsers
The April 28, 2005 edition of the Mozilla Links Newsletter is online.
Read about the latest anti-phishing features that have been added to
Firefox and Thunderbird.
Miscellaneous
The Krusader Krew has announced the latest stable release of Krusader
v1.60.0.
Krusader is fully
integrated with the KDE Desktop Environment and operates reliably in all
Linux graphical environments. "
Krusader Version 1.60.0 is
immediately available under the GNU General Public License and may be
downloaded freely in a "ready to compile" package or in a variety of custom
binaries for easy installation on most of the leading Linux
distributions." See the
Change
Log for the complete list of new features, updates, and improvements.
Languages and Tools
C
Issue #16 of the
GCC Newsletter
was published on May 2, 2005.
"
After an extensive pause, I will now attempt to hit at least the highest of the high spots of the GCC mailing list for the last few months. My intention is to mention at least briefly the events of each month from November 2004 through April 2005 in retrospect."
Caml
The Caml Weekly News for April 26 - May 3, 2005 is online with the
latest Caml language discussions.
Java
Version 0.15 of GNU Classpath, a set of essential libraries for Java,
has been released. Here are the change highlights:
"
Optimized nio and nio.charset packages plus io streams integration
leading to large speedups in character stream performance. To
complement this new framework a native iconv based charset provider was
added. Better support for free swing metal and pluggable lafs. Some
org.omg.CORBA support added. Better java.beans support for the Eclipse
Visual Editor Project. Completely lock free ThreadLocal implementation
added. More javax.swing.text support for RTF and HTML. More flexible
runtime interfaces and build configuration options added."
O'Reilly has published
part one in a book excerpt series.
"
In part one of this two-part excerpt from Java in a Nutshell, 5th Edition
author David Flanagan explores the basic use of generics in typesafe
collections, and then delves into their more complex uses. In addition, he
covers type parameter wildcards and bounded wildcards."
Brian Goetz
looks at API design issues on IBM developerWorks.
"
Decisions made during API design can have an effect on the API's usability. In designing an API, you need to put yourself in your user's shoes, imagining how the API might be used, and try and make the common use cases convenient for the user. This month, columnist Brian Goetz discusses an API design technique, the self-return idiom, that can make life easier for users of your API in certain circumstances."
Perl
The April 20-26, 2005 edition of
This Week in Perl 6 is online with new Perl 6 development news.
Python
The May 3, 2005 edition of Dr. Dobb's Python-URL! is out with
the week's Python language articles and resources.
Tcl/Tk
The May 3, 2005 edition of Dr. Dobb's Tcl-URL! is out with the
week's new Tcl/Tk articles.
XML
John E. Simpson
explores
the Google Maps project on O'Reilly. "
In this month's XML Tourist column, we'll take a look at a couple of web "services" that aren't quite formally RESTful, but demonstrate REST-like and nonetheless useful behaviors."
Micah Dubinko
continues
an O'Reilly series on Web Forms 2.0 with part two.
"
To resume the discussion, we'll continue our look inside WF2 where we left off in section 2. One of my favorite parts of this section consists of all the little tweaks suggested to classic forms as we know them. Anyone who has worked with form-scripting has probably run into one of these limitations."
Uche Ogbuji
writes about XML element ordering on IBM developerWorks.
"
When multiple XML elements occur within another element, does element order matter? Whether it's the order in which the parser reports elements to applications, or the question of whether or not to mandate specific order in schema patterns, things are not always as simple as they may seem. In this article, Uche Ogbuji covers design and processing considerations related to the order of XML elements."
Elliotte Rusty Harold
works with XML identification issues on IBM developerWorks.
"
The name of an XML file does not have to end in .xml. In fact, an XML document doesn't have to be in a file at all. It can be a database record, a piece of a file, a transitory stream of bytes in memory that's never written to disk, or a combination of several different files. However, many XML documents do reside on hard disks and other fixed media. When they do, it's useful to be able to identify them quickly. This article summarizes the common file extensions and MIME media types that are used for XML documents."
IDEs
Version 3.10.13 of DrPython, an IDE for the Python language,
is out.
"
This release includes a critical bugfix in the file dialog (which caused the UI to freeze), adds major/critical bugfixes in indentation handling/autoindent, and includes an exact method for prompt sync, fixes in the drscript menu, support for numpad enter treated as enter, plus a few minor fixes and tweaks."
Comments (none posted)
Version Control
Zack Brown has published
the first issue of
Git Traffic, a (lengthy) summary of discussions on the development of
the git source code management system.
Comments (18 posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet Australia
looks
at LaunchPad from Ubuntu Down Under. "
The aim of the project --
called The Launchpad -- is to make it easier for Linux developers to find
the latest enhancements to the operating system and its myriad packages, no
matter which distribution they were contributed to. The effort encompasses
distributed bug tracking, revision control, language translations and
more."
Comments (none posted)
KernelTrap talks with Peter Anvin and others to
provide a history of the Linux
kernel archives. "
Peter Anvin has been involved with Linux since
nearly the beginning. When Linus Torvalds purchased his first computer on
which he began writing the Linux kernel, the state-of-the art PC with 4
megabytes of RAM and running at 33 megahertz was too expensive for him to
buy outright. Therefore, he financed much of the nearly $3,500 price,
planning to pay it off over three years. Within a year as the Linux kernel
began to evolve and a community of users formed, Peter organized an online
collection that raised $3,000 and paid it off."
Comments (3 posted)
Trade Shows and Conferences
The
proceedings from the
2005 International Linux Audio Conference (held last month in
Karlsruhe, Germany) have been posted; a quick look shows just how much is
going on in the area of free audio software. Dave Phillips's
"Where are we
going?" paper (PDF format) is a good overview of the state of the art.
Comments (10 posted)
The developers of the MusE MIDI/Audio sequencer have posted
an account of a meeting they held at the 2005 Linux Audio
Developer conference.
"
We have some good news for you! The first time nearly all MusE developers got together at the Linux Audio Developer conference. It took place at the "Zentrum für Kunst und Medien, short ZKM" in Karlsruhe, Germany. It was a nice meeting and we were discussing a lot about new features and implementation issues."
Comments (none posted)
News Forge is running
a review of the recent Linuxfest Northwest conference.
"
If giving away T-shirts is an accurate way to estimate attendees, then at least 750 people made the trip to Linuxfest Northwest in Bellingham, Wash., last weekend. Linuxfest Northwest 2005 continued the conference's strong focus on highly technical presentations -- this is not a vendor-centric event."
Comments (none posted)
Materials from the recent European Common Lisp Meeting are online.
"
The European Common Lisp Meeting took place in Amsterdam on April, 24
2005. The organizers are making available pictures, slides and videos
of some of the talks at the event's web site."
Full Story (comments: none)
Companies
News.com
covers the hiring of Jeremy Allison by Novell.
"
Novell has hired Jeremy Allison, one of the core programmers behind a widely used open-source project called Samba.
Allison previously worked for Hewlett-Packard. He said he made the switch because he believes that he can benefit from the experience Novell programmers have in the area of file servers. "These guys know a lot about file sharing," said Allison, who starts the new job on Thursday."
Comments (4 posted)
Linux Adoption
News.com
reports
that the US Department of Defense has renewed a major contract to use
security software now sold by Red Hat. "
The department's Defense
Information Systems Agency agreed Monday to purchase subscriptions for Red
Hat Certificate System software, Red Hat spokeswoman Leigh Day confirmed
Friday. The deal renews support for software that was sold by America
Online's Netscape Communications group until Red Hat acquired it in
December." The DoD will also be switching its servers from Solaris
to RHEL.
Comments (none posted)
Linux at Work
eWeek
looks at
the use of Linux by Wall Street financial firms.
"
Long relegated to menial file and print server duties in most enterprises,
Linux is now playing a mission-critical role in financial trading and other highly sensitive networks on Wall Street. The traction in the financial sector is part of broader Linux adoption growth, which is expected to continue through this year and next, according to Deborah Williams, an analyst at IDC, in Framingham, Mass.
"On Wall Street, time is money, and for 2005 the buzzword is going to be latency. If you can speed things up and address that latency, you can make more money," Williams said."
Comments (3 posted)
Interviews
LinuxQuestions.org
interviews
Mandriva's Gaël Duval. "
LQ) There have been rumors that some
Linux distributors, including Novell, may follow what Red Hat has done and
have an Enterprise release and a "Community" release. Is this direction
something that has been considered by Mandriva? GD) No. Mandriva
Linux will still be distributed as both a download edition and commercial
offers, with full official support for updates (bugfixes,
security)."
Comments (8 posted)
KDE.News
interviews Jakub Stachowski
the man behind Zeroconf for KDE.
"
Zeroconf is a name used by IETF for several techniques that should allow you to set up and use a simple network with no need for any manual configuration. One of its parts, DNS-SD, is the service discovery protocol based on standard DNS. Rendezvous is just Apple's name for Zeroconf; this has recently been changed to Bonjour after a trademark dispute. It is trademarked, so you will not find it anywhere in KDE code or documentation. SLP is another service discovery protocol used primarily by Novell. It has nothing to do with DNS-SD or Zeroconf."
Comments (none posted)
O'Reilly has posted
an interview
with Brian d Foy.
"
brian d foy is a longtime leader in the Perl community. Besides founding the Perl Mongers and being a trainer for Stonehenge Consulting Services, he founded and edits The Perl Review, a quarterly magazine for Perl users. If that weren't enough, he writes and contributes to several CPAN modules. Recently, Perl.com interviewed brian on his work and plans."
Comments (1 posted)
Resources
Groklaw has the
next
installment of Dr. Salus' history of free/open source software.
"
By and large, Unix users refer to "Sixth Edition" and "V6"
interchangeably. At Bell Labs, there was a continually changing version of
Unix running. Only when Doug McIlroy caused the first "UNIX PROGRAMMER'S
MANUAL" to be written, did there appear to be a fixed form. So, the manuals
were listed by "Edition," and the system referred to was the
"Version.""
Comments (none posted)
NewsForge
takes
a look at integrity checkers. "
Each integrity checker is a
little different, so do some research before deciding on one. There are
many excellent integrity checking applications out there, but the one I
recommend and prefer is called afick (Another File Integrity
ChecKer). Afick offers several advantages over integrity checkers such as
Tripwire and AIDE. The first and foremost difference is that afick is
written in Perl, which gives it the advantage of speed. Afick finishes the
initialization of the database that stores filesystem attributes almost a
minute faster than AIDE. Being written in Perl also means that afick is
highly portable between operating systems."
Comments (11 posted)
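The quoted review compares tools by how fast they build the attribute database, but what an integrity checker actually does is simple enough to show in full. The following is an added example in Python, not code from afick, AIDE or Tripwire: it records a SHA-256 digest plus inode metadata (mode, owner, group, size, mtime) for every regular file under a root, and reports files that were added, removed or changed since the baseline. The sample tree, the "tampering" and the file names are all constructed in a temporary directory so the script runs offline. The check a practitioner should not skip, whatever language the checker is written in, is protecting the baseline itself: an attacker with root on the host can rewrite the database (and the checker binary) as easily as the files it describes, so the baseline belongs on read-only or offline media. The example approximates that by keeping a digest of the baseline file that the loader verifies before trusting it; where that digest is stored is the part that has to be outside the attacker's reach.

```python
"""Minimal file-integrity checker: baseline snapshot, protected load, compare.

Added example (not afick/AIDE/Tripwire code). The directory layout and
file contents in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its attributes."""
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = os.lstat(p)  # lstat: do not follow symlinks planted by an attacker
            if not stat.S_ISREG(st.st_mode):
                continue  # a production tool records symlinks/devices separately
            db[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return db


def compare(baseline, current):
    """Report added/removed paths and, per changed path, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_db(db, path):
    """Write the baseline and return its digest; keep that digest off-host."""
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True, indent=1)
    return file_digest(path)


def load_db(path, expected_digest=None):
    """Refuse a baseline whose digest no longer matches the trusted copy."""
    if expected_digest is not None and file_digest(path) != expected_digest:
        raise ValueError("baseline database digest mismatch: refusing to trust it")
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed tree: baseline it, simulate tampering, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        dbfile = Path(tmp) / "baseline.json"
        digest = save_db(snapshot(root), dbfile)

        # Simulated tampering: a weakened config, a planted key file,
        # a deleted file, and a timestamp-only change with identical content.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA... attacker\n")
        (root / "hosts").unlink()
        os.utime(root / "passwd", ns=(1, 1))

        return compare(load_db(dbfile, digest), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Reporting which attribute changed matters in practice: a content-only change with an unchanged mtime points at someone who reset timestamps to hide the edit, while an mtime-only change on an unchanged file is usually benign. A real deployment would also exclude paths that legitimately churn (logs, spool directories) and run the comparison from a known-good checker rather than one living on the monitored host.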
O'ReillyNet
looks at
Kupu. "
Kupu is an open source application, written in JavaScript,
that implements a flexible, full-featured HTML editor that runs in a web
page without any special plugins. Its primary use is as an embedded editor
in content management systems (CMS), like Zope or Plone, where it allows
users to create their own web pages. Its design is flexible enough so that
you can embed it into pretty much any web application without too much
difficulty."
Comments (8 posted)
O'ReillyNet
continues
its series on making software that is easy to package, with a look at dependencies,
configuration files and more. "
Many packaging systems (including
pkgsrc) let you build packages as a regular user and require only superuser
privileges to install them (to have the right permissions, ownerships,
setuid flags, and so on). Therefore, you should make sure that your program
builds correctly without superuser privileges to ease the packaging task. I
can't think of an example in which a program requires full privileges to
build."
Comments (5 posted)
Peter Seebach
discusses the USB standard on IBM developerWorks.
The article is mostly presented from a Windows/Mac perspective.
"
The USB specification may be an example of that hybrid de jure or de facto standard, one that clearly earned wide acceptance through its technical merit. Learn the history of the USB standard and some of its benefits to users and vendors, as well as where it missed the boat."
Comments (30 posted)
Reviews
Doc Searls
looks at
The World is Flat: A Brief History of the Twenty-First Century, by
Tom Friedman. "
In Part 2, I want to examine the human origins of the
open-source materials we're using to build this new world. And I want to
start by distinguishing them from corporate origins. Again, this is not to
diminish the importance of big-company contributions to the flat-world
revolution but to subordinate them to the profound work being done by
individuals and small groups."
Comments (3 posted)
The Linux Journal
reviews Libranet 3.0. "
The heavyweight classification I give this latest Libranet comes from its distribution size--five CDs or one DVD--and its comprehensive list of included applications. Although a number of Debian-based distributions are available at less or no cost, none include as many programs as Libranet 3.0 does. This is of primary interest to me and other Linux users who lack broadband or simply don't want to spend their time downloading packages in order to get the functionality we want."
Comments (4 posted)
Miscellaneous
InfoWorld
sounds off on the BitKeeper episode. "
The business community likes to distance itself from the ideological debates surrounding free and open source software, but the BitKeeper case is a prime example of why enterprise IT management can't ignore software licensing issues. You don't want your PBX vendor telling you how to use your phone system, or your printer vendor telling you what to print. Wouldn't you prefer software that didn't tell you how to run your business either?" It's hard to imagine seeing such words in the mainstream press even a year or two ago.
Comments (51 posted)
Page editor: Forrest Cook
Announcements
Commercial announcements
MontaVista Software has
announced the registration of MontaVista Linux Carrier Grade Edition
(CGE) with both the Service Availability(TM) Forum (SA Forum)
specifications and Open Source Development Lab (OSDL) Carrier Grade Linux
requirements.
FSMLabs, Inc. has announced
availability of Carrier Grade RTLinuxPro 2.2, a complete OSDL-registered
Carrier Grade Linux implementation and development environment plus the
hard real-time of FSMLabs RTCore real-time server.
Comments (none posted)
The Globus Consortium has
announced
the release of Globus Toolkit, version 4.0 (GT4). "
GT4 is the most
stable, "enterprise ready" version of the Globus Toolkit ever --
incorporating the latest web services standards, new security and
authorization features, and the collaborative efforts of a global community
of open source Grid developers."
Download GT4.
Comments (none posted)
JBoss, Inc. has
announced the opening of a new office in Bangalore, India.
"
The expansion comes as the company scales
to meet growing enterprise customer demand for the JBoss(R) Enterprise
Middleware System (JEMS(TM)) in the Asia market. With this key office,
JBoss can more effectively deliver services, including 24x7 production
support and training, to customers."
Comments (none posted)
LinboxFAS has announced that the company will release the source code of
its computer asset management software, the Linbox Rescue Server, under the
terms of the GNU GPL. "
The operation relies on the capitalization of
software license sales. The goal of LinboxFAS is to open the source code of
the software, as soon as the investments made around the product will have
been amortized thanks to the selling of licenses."
Full Story (comments: 5)
Palamida, Inc. has
announced
general availability of IP AMPlifier 3.0 in the new market for automated
software intellectual property (IP) management and compliance. "
"The
sheer volume of software code in use at the average enterprise company
today creates a profound need for a solution that automates the process of
software intellectual property detection and identification," said Mark
Driver, vice president and research director, Gartner Inc. "The right
solution will help companies establish a competitive advantage by
accelerating the use of third-party components and open source software
free from the inefficiencies of manual methods of software license and IP
verification.""
Comments (6 posted)
TimeSys has announced new Linux Development Kits for several
Freescale (formerly Motorola) processor chips.
"
TimeSys(R) Corporation,
a leader in embedded Linux(R) technologies and development tools,
today introduced 2.6-based TimeStorm(R) Linux Development Kits (LDKs)
for a wide range of Freescale PowerQUICC(TM) III, PowerQUICC II and
PowerQUICC I integrated communications processors and MPC7XXX and
MPC7XX high-performance PowerPC processors."
Full Story (comments: none)
Win4Lin has announced the immediate shipping of Win4Lin Pro 1.1, a major
upgrade to the company's flagship product. New in the product is full
support for Windows XP, file system integration and major performance
upgrades.
Full Story (comments: 2)
New Books
O'Reilly has published the book
The Art of Project Management
by Scott Berkun.
Full Story (comments: none)
O'Reilly has published the book
Digital Audio Essentials by Bruce Fries and Marty Fries.
Full Story (comments: none)
Resources
(IN)SECURE Magazine has released
issue 1.1 in PDF format. Articles include
Linux security - is it ready
for the average user? and
An introduction to securing Linux with
Apache, ProFTPd & Samba, among other topics.
Comments (none posted)
Contests and Awards
Linux Journal
has announced
that it is accepting nominations for the 2005 Readers' Choice Awards.
"
The nomination period closes on May 25, 2005. On May 27, we'll publish the ballot for the elimination round of voting. The categories receiving the most nominations and the top nominees in those categories will be on the ballot. Vote for your favorite in each of the categories and mail the ballot back to us. You will be able to do write-in votes at this stage."
Comments (none posted)
Upcoming Events
The
Dynamic Languages Symposium 2005 will be held on
October 18, 2005 in San Diego, California.
Comments (none posted)
Some folks from the AGNULA audio distribution project will attend the (L)eft
meeting.
"
The AGNULA project will attend the (L)eft Meeting, a two-day event
that will take place in Bologna, Italy on May 7 and 8, 2005. During
the meeting Andrea Glorioso will talk about the AGNULA Libre Music web
portal, its history, goals and the next steps."
Full Story (comments: none)
LinuxMedNews has
an announcement for the Seattle OpenVistA R & D Meeting;
the event will take place from May 12-15, 2005.
Comments (none posted)
use Perl
has announced
the schedule for YAPC North America conference.
The event will be held in Toronto, Ontario, Canada from June 27-29, 2005.
Comments (none posted)
| Date | Event | Location |
| May 5 - 7, 2005 | DallasCon 2005 | Richardson Hotel, Dallas, TX |
| May 5 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C. |
| May 5, 2005 | International PHP Conference | RAI Conference Center, Amsterdam, the Netherlands |
| May 11 - 15, 2005 | php\|tropics 2005 | Moon Palace Resort, Cancun, Mexico |
| May 13 - 14, 2005 | BSDCan 2005 | University of Ottawa, Ottawa, Canada |
| May 19 - 21, 2005 | GUADEC-es 2005 | A Coruña, Spain |
| May 22 - 25, 2005 | Gelato Federation Meeting | HP's Palo Alto and Cupertino campuses, San Jose, CA |
| May 23 - 26, 2005 | PalmSource Worldwide Mobile Summit and DevCon | Fairmont Hotel, San Jose, California |
| May 24 - 27, 2005 | XTech 2005 Conference | Amsterdam RAI Center, Amsterdam, the Netherlands |
| May 25 - 26, 2005 | Linux World New York Summit 2005 | New York City Marriott Marquis, New York, NY |
| May 28 - 29, 2005 | Linux Unix Group of Bulgaria Seminar | Stara Zagora, Bulgaria |
| May 29 - 31, 2005 | GNOME Users and Developers European Conference (GUADEC 2005) | Stuttgart, Germany |
| June 1 - 3, 2005 | The Red Hat Summit 2005 | Hilton New Orleans, New Orleans, LA |
| June 1 - 4, 2005 | Fórum Internacional Software Livre (FISL) | Porto Alegre/RS, Brazil |
| June 9 - 10, 2005 | Austrian Perl Workshop | Kapsch CarrierCom, Vienna, Austria |
| June 9 - 10, 2005 | The French Perl Workshop | Faculté des Sciences de Luminy, Marseille, France |
| June 11, 2005 | PHP West | Vancouver, BC, Canada |
| June 15 - 17, 2005 | AstriCon Europe 2005 | Auditorium Madrid Hotel, Madrid, Spain |
| June 17 - 19, 2005 | RECON 2005 | Montreal, Quebec, Canada |
| June 19 - 22, 2005 | International Lisp Conference 2005 (ILC 2005) | Stanford University, Palo Alto, CA |
| June 22 - 25, 2005 | LinuxTag 2005 | Kongresszentrum, Karlsruhe, Germany |
| June 23 - 24, 2005 | Italian Perl Workshop 2005 | University of Pisa, Pisa, Italy |
| June 25, 2005 | LugRadio Live 2005 | Molyneux Stadium, Wolverhampton, UK |
| June 25, 2005 | XML Prague 2005 | Malá Strana, Prague, Czech Republic |
| June 27 - 29, 2005 | Yet Another Perl Conference (YAPC::NA 2005) | University of Toronto, Toronto, Ontario, Canada |
| June 29 - 30, 2005 | Where 2.0 Conference | Westin St. Francis Hotel, San Francisco, CA |
Comments (none posted)
Mailing Lists
LinuxMedNews
mentions
the creation of a new
Open Health
email discussion list.
"
The purpose of this group is to discuss issues pertaining to the use of open source free software in health care settings."
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Bradley Chapman <kakadu-AT-gmail.com> |
| To: | neil_mcallister-AT-infoworld.com, letters-AT-infoworld.com |
| Subject: | Linus Torvalds' BitKeeper blunder |
| Date: | Wed, 4 May 2005 10:20:57 +0100 |
| Cc: | letters-AT-lwn.net |
Mr. McAllister,
After reading your short InfoWorld article* about Linus Torvalds'
so-called 'blunder' with regards to the termination of the free
BitKeeper client, I am curious as to why you chose the term 'blunder'.
If the removal of BitKeeper had caused the complete collapse of the
kernel development community, the term 'blunder' would have been
justified - however, it did not, and now the kernel is being developed
using git, a tool written by Linus in direct response to the loss of
BK.
Personally I don't feel that Linus fell for the free beer argument
when he chose to migrate to BitKeeper; I feel that he cast aside any
thoughts on ideology and chose to use it because it was the best tool
for the job, despite the criticisms of others who felt that
introducing closed-source software into such a critical role was
dangerous to the health of kernel development.
Now that the 'free beer' version of BitKeeper has been removed due to
the so-called reverse engineering done by Andrew Tridgell, Linus's
decision is better seen as a well-intentioned mistake, not as a
blunder. Your comments about the dangers of being forced to switch
gears due to software withdrawal are valid, but in this case the gear
switch was not as traumatic as it may have been for other software
projects - the creation of git is proof positive of that.
In my opinion, Linus Torvalds' choice to use BitKeeper was made
entirely for technical reasons, and therefore, at best could only be
considered a mistake after the fact.
Yours,
Bradley Chapman
* - http://www.infoworld.com/article/05/05/02/18OPopenent_1.html
Comments (12 posted)
Page editor: Jonathan Corbet