LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 2, 2005Red Hat's directory serverManaging large networks is a challenging task in a number of ways. One of those challenges is dealing with user information throughout a large institution. A single system can keep that information in /etc/passwd, and a small network can rely on tools like rsync or NIS. When the scale of the network gets large enough, however, and a sufficient number of levels of politics gets in the way, simple tools will no longer do the job in an easy or reliable manner. There comes a point where this information needs to live in a central database and be made available as needed across the network.The larger proprietary software vendors - Microsoft, Sun, Novell, etc. - have long offered directory server products aimed at large network ("enterprise") deployment. These products not only make basic user information available network-wide; they can also be used to distribute a wider array of information. Directory servers are a useful and necessary tool, and the competition in this area is fierce. Red Hat has set itself up to compete directly with the other "enterprise" software companies. To that end, Red Hat has put together a number of valuable products and services, but, so far, it has not been able to offer a directory server as part of its solution. That gap in Red Hat's offerings has increasingly looked like a liability, especially as Novell increases its efforts to compete in the same space. So Red Hat needed a directory server. It found one, some time ago, when it acquired many of the remaining bits of Netscape from AOL. Since the acquisition, however, little has been heard about the former Netscape's offerings. Until now. On June 1, Red Hat announced the availability of its directory server product. The (now) Red Hat Directory Server is fast, with an impressive array of capabilities; for the full list, see the product sheet [PDF]. The directory server product is sold like Red Hat Enterprise Linux: by subscription. Pricing is not yet available. The Red Hat Directory Server also resembles RHEL in another way: it has a Fedora equivalent. The Fedora Directory Server Project is where the development work will be done; the site offers source, documentation, mailing lists, etc. It is, in other words, just another free software development project. At the Fedora site, one can see that, in fact, not all of the directory server code has been released - yet. The server itself is available under a special GPL+Exception license. The code is generally governed by the terms of the GPL, with the exception that plugin modules can remain proprietary. Those modules, however, must restrict themselves to a carefully-specified set of interfaces; anything linking to any other part of the server can only be distributed under the GPL. Other parts of the system - the management console and admin server components - remain non-free, though they are available in binary format. Red Hat plans to free that code as well, but some work is involved; those components are written in Java, and do not play well with the free Java implementations. The Fedora project has some ambitious goals; the best description of what they have in mind can be found in Christopher Blizzard's weblog. The project claims to want to bring in outside developers, and to make them "feel that they are equals." Given all that the directory server hackers want to do, they will almost certainly need some help from outside. Consider this:
One of our larger technical objectives - as I've said - is to
integrate with as much software as possible. This means that when
possible we're a configuration store for every application on a
system. Every user pref. Every service on your machine can store
its configuration in one of these servers. Have you ever had the
vision of dropping a machine on a network and having it come up,
self-install, and just start working? We'd like to see it too
because it offers compelling cost of ownership argument that we
think free software is in a unique position to provide. But it
requires participation from the larger software development
community. This means you and your project.
To some readers, this vision sounds like the Windows registry - except that it's a nightmare, monster central registry for thousands of users. The "everything lives in the directory server" approach clearly will not be for everyone. But, for people wanting to create a single, integrated environment across a large organization, this vision will have some appeal. It is truly a view of the network as a single, large computer, with a minimum of boundaries. It promises to reduce the cost of administering large numbers of systems. One can see why Red Hat thinks it needs to go in this direction to remain competitive in the future. High-end directory servers have, so far, been the domain of expensive, proprietary software. The freeing of the Netscape server, if handled well, could bring an end to that era. So this move by Red Hat is important, and deserving of support. High-quality free infrastructure is a good thing.
A survey of RSS aggregatorsOver the years, the proliferation of news sites, weblogs and other sites with daily updates has made it nearly impossible for the average user to visit every site of interest in a timely fashion. For those of us who want or need to keep informed on a variety of topics, RSS, RDF and Atom feeds have become a nearly indispensable tool to skim the headlines for many sites at once without having to spend more than an hour per day clicking through bookmarks. However, this raises the question of how to manage news feeds effectively. There are a fair number of RSS aggregator projects on Freshmeat, but we decided to limit our scope to applications that are fairly mature, have been updated recently (many RSS aggregator projects listed on Freshmeat have not been updated in years) and run on the desktop. In particular, we were looking for aggregators that handle a large number of feeds, make it easy to manage feeds and integrate well with the Linux desktop and the average user's workflow. For some time now, this writer has used the Bloglines service to browse RSS feeds. For this article, the feed list from Bloglines, containing about 130 RSS/RDF and Atom feeds, was exported as an OPML file and imported that into each of the aggregators to see how they performed.
RSSOwl
There are a few interesting features in RSSOwl. First, RSSOwl has an export feature, which can be used to export a feed or individual article to PDF, Rich Text (RTF) or HTML. This might be handy for saving feeds and entries for later. RSSOwl also supports AmphetaRate, a centralized ratings service for rating articles found in news feeds. Oddly, it seems to display feeds as plain text rather than rendering the HTML. We're not sure if this is a glitch in RSSOwl or if we missed a step in setting it up. Otherwise, RSSOwl's performance was very good, and it handled a large number of feeds without any problems.
Snownews
Snownews does not support OPML directly, but there is an "opml2snow" script that comes with Snownews to convert OPML into the format that Snownews likes. It's a little more of a hassle than the easy-import offered by other readers, but it gets the job done. Snownews displays headlines and feeds inline. To follow the feed URL, one must use an external browser. It works fairly well with GUI browsers, but works best (at least in this writer's opinion) with a text-mode browser like w3m or Lynx. It's probably not going to be the first choice for most users, but those who prefer browsing in w3m or other text-mode browsers should definitely check it out.
Liferea
One interesting feature with Liferea is the ability to create a new feed from a Feedster search. This can be quite handy if you're interested in finding feeds on a specific topic from a variety of sources. If one wishes to be alerted, or interrupted, with updates from subscribed feeds, Liferea has a feature that will pop up a notification window at regular intervals with new headlines. We enabled this feature briefly, but turned it off after an hour or so, finding it quite distracting. We also found Liferea to be a bit less than stable, at least the 0.9.0 release that is available in Ubuntu Hoary. Liferea crashed a few times when doing something as simple as deleting a feed. Overall, its performance was quite good, and the interface is excellent -- but it might need to stabilize a bit before being our first choice of the available aggregators.
Blam
At first, Blam would not import the OPML from Bloglines. We tried subscribing a few feeds manually and then exporting Blam's list to OPML to find out what was different. The difference was that Bloglines uses "title" for the name of each feed, and Blam expects "text" -- after doing a quick search and replace in Vim, changing "title" to "text," Blam imported the list of feeds just fine. Blam is a good choice for users who want a very basic newsreader that's fast and light.
Akregator
For users who prefer Konqueror for Web browsing, Akregator is an excellent choice. Konqueror auto-discovers feeds on pages, and makes it easy to add those feed subscriptions to Akregator. Akregator has fewer frills than Liferea or RSSOwl, but it integrates very well with KDE and performs well.
Firefox and ThunderbirdWe should also mention Firefox and Thunderbird. While not dedicated aggregators, both applications allow users to read and manage news feeds. However, they lack a number of features that many users would want, at least natively. The advantage of using Firefox as an aggregator is that Firefox makes it very easy to create a "Live Bookmark" to subscribe to feeds, when the browser discovers the feed in a page. If Firefox doesn't detect the feed, that complicates things greatly. Firefox supports adding a bookmark manually, but does not support adding a feed manually. The Live Bookmark also doesn't allow the user to preview the content or full text, just the headlines from a feed. Firefox doesn't support importing OPML files natively, so users with large subscription lists would have to go through a lot of work to re-subscribe to sites using Firefox.
The integration with Firefox makes it a convenient aggregator for those of us who use Firefox exclusively or extensively. Sage had no problem importing the OPML list exported from Bloglines, and its performance was quite acceptable. There are a number of other news reading extensions for Firefox for those who are interested. Thunderbird, by itself, is also limited in its abilities to import and manage feeds. For users who spend a lot of time in their e-mail client, and who have a fairly limited number of feeds, it would work well -- but this writer would not like to have to import 100 or more feeds using the "Manage Subscription" dialog for Thunderbird. The advantage to using Thunderbird for feeds is the ability to mail links from subscribed feeds. We found the Forumzilla extension for Thunderbird, which adds OPML import and other features to Thunderbird. Unfortunately, it consistently crashed Thunderbird when trying to import the OPML exported from Bloglines.
SummaryAfter spending time with each of these aggregators, this writer prefers Liferea and Sage, though any of the aggregators would do in a pinch. Given the variety and maturity of the various options, Linux users should not have much trouble finding an aggregator that works well for them.
IP Software Compliance Tools -- Who Needs Them and Why?When Black Duck Software first made available its software compliance tool, ProtextIP, about a year ago, the typical first reaction was to view it as a response to SCO's lawsuit.Now there is a second such product, Palamida's IP Amplifier, and it's clear there is a market for such products. Cisco, for one, has just signed on with Palamida. Who really needs products like this, and why? And is there a difference between them? Who Needs Software Compliance Tools? Now that Free and Open Source software has hit the mainstream of the enterprise, businesses need to be certain that they are not taking on legal liabilities with the code. There are many licenses, and making sure a company is abiding by them all is complex. That's one reason you are hearing so many voices calling for simplifying and settling on fewer licenses. But it goes deeper than that. "Everyone who distributes software should know what goes into it," attorney Lawrence Rosen explains. "And almost everyone who distributes software wants to comply with the relevant licenses. Most reputable software-based businesses recognize that playing fast-and-loose with copyright claims isn't worthwhile." While most businesses today are pleased to adopt and incorporate open source products into their products and services, they want to know what licenses apply so that they can comply with the terms. "That's what Black Duck and Palamida make possible," Rosen adds. "A distributor or user can know what open source software is in its own software and act accordingly, early in the cycle. It's now possible to evaluate license compatibility for specific component sets and plan appropriate combinations for use in products to be developed." Unfortunately, developers sometimes use GPL code (or other licensed FOSS code) without telling management, thinking it's public domain. It isn't. And with outsourcing, sometimes developers are in other countries that may have more relaxed views on copyright and this can cause problems. So when developers let things happen they shouldn't (such as making unauthorized copies or derivative works), companies have an automated way to catch some of that and react appropriately before much bigger problems can develop. Software practices are also changing. Application development today is becoming more like an assembly line, more a matter of assembling bits of code from open source projects and from outsourced firms and incorporating them into proprietary products than handcrafting 100% custom software. This isn't a bad thing, because it makes it possible to avoid having to reinvent the wheel -- one of the advantages of Open Source -- but it also means that checking on license terms and making sure you are complying with them all is vital to the process. And there is no doubt that enforcement of GPL violations is increasing, as Fortinet learned recently when a German court banned their U.K. subsidiary from further distribution of their firewall and antivirus products until they complied with the GPL, which they promptly did. Then there is the Sarbanes-Oxley Act [PDF], and its requirements for IT audits. "The SECs new rules on heightened corporate responsibility for public company reporting known as Sarbanes-Oxley require public companies to abide by internal procedures that are sufficient to provide reasonable assurance that the financial and non-financial information required to be disclosed in its periodic and current reports is accurate," says Karen Copenhaver, executive vice president and general counsel for Black Duck Software. "Specifically, Sarbanes creates two new corporate governance requirements: assessment of internal controls over financial reporting (required by section 404 of the Act), and heightened corporate responsibility for financial reports (required by section 302 of the Act). It would be hard to overestimate the burden that compliance with these new rules has placed on public companies in the first few years since their enactment. "Even before Sarbanes, public companies were required to address intellectual property matters in their current and periodic reports. A reporting company traditionally discloses the importance of its intellectual property assets to the companys business and any third-party intellectual property encumbrances on the companys ability to conduct its business. To the extent that a failure to identify or comply with third party license obligations has an effect on the accuracy of any of this information, public companies will be concerned about compliance with their obligations under Sarbanes." Obviously, Sarbanes-Oxley has upped the ante considerably. But most businesses and developers want to do the right thing anyway, apart from outside pressures. The tools don't set policy for a company, but they surely make it easier to make sure policies are observed. What Do the Tools Offer? Before automated software compliance tools were available, due diligence in checking software for infringing code was done by assigning the tedious task to senior software programmers in the company, who, together with lawyers laboriously looked through the code. The problem with such a system, aside from the time it required and the drudgery, is that no one person knows all the Free and Open Source projects available by sight, let alone all the proprietary products you are not allowed to see without complex legal arrangements. Automated systems are an obvious answer. What they provide is a Google-like collection of code. They've collected it all for you. Both tools scan for copyright infringement and can spot more than verbatim matches. But they do more than scan. Palamida says its IP Amplifier product automatically detects, manages and reports on the third party, commercial and open source components that may exist in their software code base. It consists of two key modules -- the Compliance Library and the Detector. Using an automated collection system, the Compliance Library contains billions of source code snippets and millions of files of the most commonly used open source projects found in the market. Palamida: "The Palamida IP Amplifier uses three different types of technologies to automate detection, source code fingerprinting, file digest matching, and for Java files, namespace matching. This means the software is able to conduct both source code and binary code analysis. So for companies whose developers download whole libraries, compiled code, XML files, icons, text files, and include those resources into their code base, the software will still detect their usage even though their source code is not available and even if we do not have the components listed in our database." Next, there is a "layer of analysis that is beyond just code matching for reduction of false positives. We call this technology CodeRank. CodeRank looks at the code matches and evaluates the results on multiple levels, including uniqueness, coverage and clustering. How unique is that match to what is in the Palamida database? How much of a customer file matches a file in Palamidas database? How dense are the matches do they look like a continuous cut and paste or does it look like two engineers coded against the same API?" After their software evaluates the code matches, Palamida assigns a CodeRank number to the matches; the higher the CodeRank number the higher the chances of copying. In the scan results, users will see a list of all code that has matches and a list of all the third party products that they most likely came from, with the most likely on top. Reports identify all components that include open source and list their licenses, text and license information, in addition to the CodeRank. All the information and data is exportable in XML data format, allowing users to create custom reports, as well as via HTML reports. Black Duck too offers a great deal more than just code scanning. Black Duck's Copenhaver: "We do more than just scan code. Our product provides a full suite of services covering project planning, code analysis and detection, license analysis and management, auditing and archival capabilities for the complete life cycle of software projects. "From an open source perspective," Coperhaver adds, "we help developers manage the origins and obligations of code that they use so they can meet the expectations of the industry and community. But everything we do works for both open source and proprietary or commercial code. Users can add code prints and licenses into the system to manage their internal proprietary code along with open source. "Our product helps people manage the introduction of licensed materials into their code bases, understand the obligations associated with that code (and combinations of components from different sources), provide an environment for controlled remediation of issues that arise and create an archivable record of the actions that were taken by the team along the way. Our products are designed to bring together developers, lawyers and business decision makers into a collaborative environment." Black Duck offers an analysis 'engine' that processes licenses at a detailed level and alerts users to license conflicts and obligations of both software source and binary components and their combinations. The ProtexIP Knowledgebase contains detailed breakdowns of 500+ software licenses for automated comparison of license terms and notification of collective obligations, and the data is remotely updated frequently with new licenses as they come to market. It recently added what they call Custom Code Prints, which gives ProtextIP support for proprietary source code. Palmida claims a database of 40,000 of the most commonly used OSS projects and their associated licenses, monitoring more than 38 million open source files and billions of source code snippets. The Knowledge Base also contains all pertinent information regarding the open source projects: name, version number, project name, licensor, licensor information (when available), license, license text, and project URL, all using an automated collection toolset that incorporates information on all the new projects released on the major OSS repositories for real time updates. The Palamida database takes up less than 10 Gb disk space, thanks to a compression algorithm, and it's all kept on a customer's own servers, behind their firewall. Its code is written in Java. IP Amplifier can be configured to search daily or weekly and has a set of configuration tools to integrate it into build systems. Are There Any Differences? The biggest differentiator is cost. IP Amplifier 3.0 is licensed on an annual subscription basis, for unlimited number of users, at prices that begin at $50,000 and go up to $250,000 per year, depending on the customer's development environment. There is a 30-day Free Trial offer. Black Duck now offers two options. You can pay an annual licensing fee for its multiuser ProtextIP product, at $25,000 per year, and then add additional charges based on the amount of code you have. Or, you can use their new hosted ProtextIP/OnDemand product, an online system for a single user, single project, 90-day sessions, for which you pay based on the amount of code you wish to scan. It costs $3,000 for 10 MB of code and costs scale up to $25,000 for 100 MBs. A company thinking of acquiring another might wish to use the online tool, rather than purchase more costly version. Both products still require human analysis, naturally. There can be false matches, if two independent developers happen to write software that is very much the same, even if there has been no copying, just because there are only so many ways of writing the same instruction. Both tools provide not only identical matches but also flag similarities in your source code to others' programs that are worth your further investigation and list issues for review. It's important to realize, however, that the tools scan and analyze copyright issues and licensing issues, not patent infringement. That is an entirely separate ballgame. But for what they are designed to do, unquestionably they have simplified, organized, and improved the due diligence process.
Security A Look at The Onion Router (Tor)Last week we promised a look at Tor, a system for anonymous Internet communication, primarily developed by Nick Mathewson and Roger Dingledine. Current development is supported by the Electronic Frontier Foundation (EFF), but Tor was originally developed as part of the U.S. Naval Research Laboratory's Onion Routing program. As the Tor web page explains, Tor is a "toolset for a wide range of organizations and people that want to improve their safety and security on the Internet." What does that mean? In a nutshell, Tor is a client/server application that anonymizes traffic by routing it from the client through a series of nodes to hide the origin of a request. It can also be used to protect services against denial of service attacks and the like by hiding their origin. Tor routes traffic through nodes that "know" about the previous node and the next node -- but not the rest of the network. By routing traffic through a series of "onion routers" Tor makes it difficult for the receiver, observers and even other Tor routers to detect the source of traffic. A more complete description of Tor's design can be found in the design paper; a protocol specification is also available for those who wish to build compatible software. Tor works as both a server and as a client. By default, Tor runs as a client only, but it can be configured to allow other users to connect to your system as a Tor node. In addition, Tor can be used to run "hidden" services that do not reveal your IP address to others at all. The "hidden wiki" maintains a list of hidden services that users can see as an example. Finally, it's possible to set up one's own Tor network that does not interact with the public Tor network, for those who want to test the protocol but may lack access to the Internet. To achieve best results, one may need to use Tor in conjunction with other applications. For example, users who wish to browse anonymously would use Tor in conjunction with Privoxy. Other applications may require use of tsocks or ProxyChains. To see what Tor had to offer, we installed it on a Ubuntu Hoary machine, along with Privoxy, tsocks and ProxyChains. Configuring services to work with Tor is not terribly difficult, and there is a relatively detailed HOWTO for users who wish to configure specific applications like Gaim, X-Chat, SSH or BitTorrent with Tor. It should be noted that using Tor can have an impact on performance for client applications. Using Tor and Privoxy together for browsing, for example, introduced a notable lag. Firefox users may be interested in using the SwitchProxy Tool extension to switch Proxy use on and off, reserving Tor for specific sites rather than for all web browsing. Users should also be prepared for some odd behavior on some sites -- for example, we kept being redirected to country-specific versions of Google, rather than Google's main site, when using Tor and Privoxy. Tor itself didn't seem to have much of an impact on system performance overall. Tor is not completely foolproof. It could be possible for someone who's running a Tor server to modify Tor or use other software to monitor traffic going through the server. Traffic coming out of the "exit node" (the last hop in the Tor "circuit") is not encrypted, so a malicious user could set up a Tor server and browse traffic coming out of their machine. (It is possible to specify your exit node in the Tor configuration.) There are also potential JavaScript issues, and there are other ways to analyze traffic that passes through Tor. Interested users should also have a look at the EFF's legal issues page about Tor. Though Tor can be used for things like BitTorrent, it is not designed to assist copyright infringement or other illegal activity. There is still a lot of development ahead for Tor, but it is definitely worth a look for users who are interested in anonymous communication on the Internet. Users with bandwidth to spare are also encouraged to set up and run a Tor server to help test its scalability and to help provide a larger Tor network. See the download page for Tor packages and source code.
New vulnerabilities apache-utils: htpasswd buffer overflow
gxine: format string vulnerability
ImageMagick: xwd coder denial of service
Mailutils: multiple vulnerabilities in imap4d and mail
Updated vulnerabilities a2ps: input validation error
bzip2: race condition and infinite loop
cdrdao: local root vulnerability
cheetah: untrusted module search path
cpio - file permissions error
cURL: buffer overflow
cvs: multiple vulnerabilities
cyrus-imapd: buffer overflows
dhcp: format string vulnerability
Dnsmasq: poisoning and DoS
emacs21: format string vulnerability in "movemail"
enscript: arbitrary code execution
Ethereal: numerous vulnerabilities
evolution: message crash vulnerability
firefox: multiple vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: buffer overflow and SQL injection
gdb: multiple vulnerabilities
gtk-pixbuf, gtk2: denial of service
gettext: Insecure temporary file handling
gftp: missing input sanitizing
ghostscript: symlink vulnerabilities
glibc: Information leak with LD_DEBUG
glibc: tempfile vulnerability in catchsegv script
gnupg: information leak
GnuTLS: Denial of Service vulnerability
grip: buffer overflow
groff: insecure temporary directory
gzip: race condition and directory traversal
htdig: cross site scripting
ImageMagick: heap corruption
imap: buffer overflow in c-client
imlib2: buffer overflows
infozip: privilege escalation, directory-traversal
junkbuster: heap corruption and settings modification
kdelibs: unsanitzied input
kernel: multiple vulnerabilities
kernel: ELF loader core dump vulnerability
kernel: multiple vulnerabilities
kimgio input validation errors
libconvert-uulib-perl: arbitrary code execution
libdbi-perl: insecure temporary file
libgd2: buffer overflows in PNG handling
libnet-ssleay-perl: weakened cryptographic operations
libTIFF: buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
libXpm: new buffer overflows
lvm10: creates insecure temporary directory
mailman: path traversal
mc: buffer overflow
MediaWiki: multiple vulnerabilities
mikmod: buffer overflow
mod_python: remote access vulnerability
Mozilla Firefox, Mozilla Suite: multiple vulnerabilities
MPlayer: heap overflows
MySQL: input validation and temporary file vulnerabilities
ncpfs: multiple vulnerabilities
Net-SNMP: fixproc insecure temporary file creation
nfs-utils: arbitrary code execution
openssh: directory traversal
openssl: der_chop script temp file vulnerability
OpenSSL: information leak
OpenSSL: denial of service vulnerabilities
Opera: multiple vulnerabilities
pam: local vulnerability
perl: setuid vulnerabilities
perl: symlink vulnerability
php4: integer overflow and denial of service
php4: denial of service vulnerabilities
phpsysinfo: cross-site-scripting
postgresql: EXECUTE privilege vulnerability
postgresql: database initialization errors
Pound: buffer overflow
ppxp: missing privilege release
Qpopper: multiple vulnerabilities
realplayer: arbitrary code execution
rp-pppoe, pppoe: missing privilege dropping
samba: integer overflow vulnerability
SpamAssassin: Denial of Service vulnerability
squid: DNS spoofing
SquirrelMail: multiple vulnerabilities
File overwrite vulnerability in tar and unzip
tcpdump: multiple DoS issues
telnet: buffer overflows
UnAce: buffer overflow and directory traversal
vixie-cron: crontab allows any user to read another users crontabs
XChat 2.0.x SOCKS5 Vulnerability
xine-lib: two heap overflow vulnerabilities
xine-lib: buffer overflows
xine-ui - insecure temporary file creation
xorg-x11: integer overflows
xpdf: buffer overflow
XV: multiple vulnerabilities
zlib: denial of service
Page editor: Jonathan Corbet Kernel development Brief items Kernel release statusThe current 2.6 prepatch remains 2.6.12-rc5. Linus's git repository contains 200 or so patches; these are mostly fixes, but there is also a conversion of the IDE driver code to the device model, a new Broadcom bcm5706 gigabit driver, the removal of the Philips webcam decompression code, an IPv4 "alias promotion" feature (make a secondary interface address into the primary if the previous primary is deleted), and an updated CPU frequency subsystem.The current -mm tree is 2.6.12-rc5-mm2. Recent changes to -mm include the pluggable congestion avoidance modules patch, some filesystem namespace patches, some scheduler tweaks, and lots of fixes. The current stable 2.6 kernel is 2.6.11.11, released on May 27. The current 2.4 kernel is 2.4.31, released by Marcelo on May 31. 2.4.31 contains quite a few fixes and some driver updates, but new features are no longer being added to 2.4.
Kernel development news The ongoing Philips webcam driver sagaLinus has just merged a patch from Alan Cox removing some of the new decompression code from the Philips webcam driver. "The original pwc author raised some questions about the reverse engineering of the decompressor algorithms used in the pwc driver. Having done some detailed investigation it appears those concerns that clean room policy was not followed are reasonable." The hope, at this point, is to merge an improved version of the driver in 2.6.13 which will support (properly reverse-engineered) decompression modules in user space.
Time to remove LSM?The first organized kernel summit, held in 2001, included a presentation on the NSA Security-Enhanced Linux project. Linus's response at the time was that there were several projects out there trying to find the best way to harden Linux, and that he did not want to have to choose between them. Instead, he asked for the creation of a generic framework which would allow an arbitrary security module to be plugged into the system. The result, some time later, was the Linux Security Module framework; LSM provides a long list of hooks into kernel operations which allow a security module to veto any action which violates the rules it is implementing.The LSM patch ran into some difficulties on its way into the kernel, but it is now an established part of the internal API. So some developers were surprised recently when James Morris suggested that perhaps the time has come to remove the LSM framework. His arguments are simple: there is only one serious module using the LSM framework in the intended manner, while unrelated projects are trying to use it in inappropriate ways.
In the years since LSM was included in the mainline kernel, SELinux
has been the only significant module implemented and also included
in the mainline kernel. So we have a generalized framework for one
user, SELinux, which itself is a generalized framework....
It's dead code, an unnecessary abstraction layer between its one real user, SELinux, and the core kernel. James asks: rather than forcing SELinux to conform to a general-purpose API (of which it is the sole user), why not just wire SELinux directly into the kernel, get rid of LSM, and be done with it? SELinux is not truly the only security module out there, of course. The kernel includes a couple of other modules: a reimplementation of the capabilities mechanism and "root plug," a module which prevents processes from running as root unless a specific USB device is plugged in. There are out-of-tree modules, such as the BSD securelevels patch and Trustees Linux. The Immunix (now Novell) AppArmor product includes a module which uses the LSM framework. AppArmor is a proprietary offering, but the security module portion of it is GPL-licensed (as is necessary, since the functions for loading security modules are exported GPL-only). There does not appear to be a groundswell of support for the idea of removing the LSM framework from the kernel at this time. That could change over time, however: increasingly, out-of-tree code is held to be irrelevant when decisions are made. If SELinux remains the only significant in-tree user of the LSM framework, LSM will look like useless baggage to more and more developers. If there are security modules out there which are reasonable alternatives to SELinux, their developers may want to think about getting them into the mainline sometime in the not-too-distant future.
Files with negative offsetsEvery open file on a Linux system has an associated offset - the current read or write position within that file. The virtual filesystem code, when dealing with file positions, performs some basic checks, such as ensuring that the position is not negative. After all, what sense does it make to talk about a file position before the beginning of the file?As it turns out, there is a situation where a negative file position makes sense. Special files (such as /dev/mem and /dev/kmem) provide a window into the system's main memory. The "position" within these files corresponds to the address of the memory of interest. The interesting thing is that, on the x86_64 platform, addresses can be negative numbers. This comes about as follows: this architecture currently uses a 48-bit address space. The hardware sign-extends the uppermost bit, however, so any address with that bit set will turn into a negative number. The x86_64 Linux port uses the upper bit to mark kernel space, so kernel addresses are, in fact, negative. A quick look at /proc/kallsyms confirms this:
ffffffff80100000 T startup_32
ffffffff80100100 T startup_64
ffffffff801001a0 T initial_code
ffffffff801001a8 T init_rsp
ffffffff801001b0 T early_idt_handler
...
The end result is that using /dev/kmem on an x86_64 system is difficult; any attempt to seek into kernel space will yield an error. The clear fix is to modify the VFS layer to let negative file positions be passed through to the underlying filesystem or device driver. The problem with doing that in a general way, however, is that not all code (especially in drivers) is prepared to deal with a negative offset. Suddenly exposing that code to negative offsets could open up no end of bugs and security problems. So the real solution, as worked out by Al Viro and Linus Torvalds, is to add a new flag for the file structure called FMODE_ANY_OFFSET. This flag can only be set within the kernel; user space has no access to it. So the /dev/kmem driver will be able to set the flag and work with the full range of offsets, but, for the rest of the system, nothing will change.
The beginning of the realtime preemption debateMerging Ingo Molnar's realtime preemption work was never going to be a quiet process. The noise has, in fact, begun long before Ingo has even proposed his work for inclusion. Now might be a good time to catch up with the debate as a way of seeing how the arguments might go in the future.The realtime preemption patches attempt to provide a guaranteed maximum response time for high-priority user-space processes - just like a "real" realtime operating system would. This goal is achieved by making everything in the kernel preemptible. No matter what the kernel is doing on a given processor, if a higher-priority process becomes runnable, it will be scheduled immediately. Many changes are required to make the whole kernel preemptible; the core parts are:
The realtime preemption patch set (at version -RT-2.6.12-rc5-V0.7.47-10 as of this writing) is clearly large and intrusive - it would be hard to make fundamental changes like those listed above any other way. It should be noted that Ingo has gone out of his way to minimize this intrusiveness, however: the patch is written to minimize code changes, and the kernel functions as always if realtime preemption is not selected at configuration time. The merging of this patch set would not force the new preemption model on users. According to Lee Revell, the realtime preemption patches are already seeing some serious use:
All of the Linux audio oriented distributions are already shipping
-RT kernels, and most of the serious Linux audio users who use
general purpose distros are running it. That's a few thousand
people running it 24/7 for months, and it's been at least a month
since any of these users found a real bug in -RT.
Certainly the discussions that inevitably follow the release of a new version of the patch set indicate that there is an active user community out there. Some members of the community are starting to wonder why the realtime preemption patches have not been merged, and when (if ever) that might change. The biggest reason is that Ingo has not yet requested that the patches be included - though many small pieces and fixes from the realtime patch set have found their way into the mainline. If and when Ingo does push for inclusion, however, there will be some opposition. To some developers, the realtime patch seems like a set of questionable and widespread changes aimed at the needs of a very small user community. Changing spinlocks into mutexes and moving interrupt handlers into threads are fundamental changes to how the kernel does things with the potential for the creation of subtle bugs and performance problems. Reworking things and adding complexity at that level is not a task that should be undertaken without a strong need - and many developers do not see a sufficiently strong need. There are some concerns about the performance impact of these changes. Acquiring an uncontended spinlock is a very fast operation; the rt_mutex type, with its wait queues and priority inheritance mechanisms, is bound to be slower. There is some anecdotal evidence that there is a performance hit to realtime preemption, but little in the way of real benchmarking has been done. In any case, the performance penalty should only affect users who have actually enabled the realtime preemption mode. Finally, not everybody is convinced that the realtime preemption approach can solve the real problem: providing an ironclad guarantee that a realtime process will be scheduled within a given maximum latency. Ingo believes that this guarantee can be made by eliminating all code within the kernel which can delay a reschedule; others feel that, to make a guarantee that can truly be trusted, the entire kernel must be audited and verified. They have a point: how strong a guarantee would you want before running realtime Linux in your car's braking system? Those who want true realtime guarantees, along with developers who simply do not want to clutter the kernel with realtime mechanisms, argue that a different approach should be taken. The most commonly suggested alternative is RTAI-Fusion, which works (at its core) by interposing a "nanokernel" between Linux and the bare hardware. The nanokernel guarantees latency by taking the lowest-level scheduling decisions out of the Linux kernel's hands; it is kept small and easy to verify. Another project taking a similar approach is Iguana, which is based on the L4 microkernel. Since the realtime preemption patch is not being proposed for merging at this time, no decisions are likely to result from the current, lengthy discussion. If Ingo has his way, there may never be one big decision; instead, pieces of the patch will be merged if and when it makes sense.
So i'm afraid nothing radical will happen anywhere. Maybe we can
have one final flamewar-party in the end when the .config options
are about to be added, just for nostalgia, ok?
There may be some interesting realtime-related sessions at next month's Kernel Summit in Ottawa, however. Meanwhile, should anybody wish to plow through the entire thread on linux-kernel, here is the starting point.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Page editor: Jonathan Corbet Distributions News and Editorials KANOTIX - The Knoppix ImprovedIs there a little-known Linux distribution consistently rated as one of the best by a large and varied spectrum of Linux users? If we were to name one, it would surely have to be KANOTIX, a Knoppix-based live and installation CD, which was, until recently, one of the best-kept secrets of the Linux distribution world. Launched in early 2004 by Joerg Schirottke, a computer science graduate from Kulmbach, Germany, the fame of the increasingly popular KANOTIX project has spread mainly due to the many time-saving improvements over its better-known parent. Here is a list of some of the more interesting features of KANOTIX:
Distribution News Preparation of the next stable Debian GNU/Linux update (IV)The (most probably) last revision of Debian 3.0 (Woody) is underway and may be out by the time you read this. There will be no more Woody updates once the Sarge release is finalized, which could be any day now.
Debian sarge release updateAn update on the Debian sarge release process has been posted. The release team is still chasing a few serious problems, so the release has been pushed back to June 6. "We're at a point now where more hands are not going to speed up the release, though, so if you aren't already involved in these tasks, you might want to just relax for a bit and start your Release Party preparations."
Cybernet Systems Sponsors the NetMAX Desktop ProjectCybernet Systems has announced that it is sponsoring the NetMAX Desktop Project, a development group that aims to produce a full-featured desktop package, licensed under the terms of the GNU GPL and based on the company's NetMAX Server distribution.
Trustix Secure Linux now available via BitTorrentTrustix has announced the availability of Trustix Secure Linux Installation ISO images for downloading via BitTorrent.
New Distributions Two new Gentoo based Live CD distributionsThanks to Michael Schuh we have added two new distributions to our list. Both are Gentoo-based live CD variants. Pentoo is a live CD that comes with GNOME and lots of tools for penetration testing, currently at version 2005.1. Navyn OS may be run as a live CD, or installed to hard drive. This one focuses on network security and comes with a variety of tools for port scanning, password sniffing, searching for vulnerabilities on remote systems, and more.
Distribution Newsletters Debian Weekly NewsThe Debian Weekly News for May 31, 2005 looks at plans to optimize the LDAP gateway to the bugtracking system (after the Sarge release), Nokia's Debian-powered device, debian-legal summaries, preparations for Debconf5, Debian Day at LinuxTag 2005, and several other topics.
Gentoo Weekly NewsletterThe Gentoo Weekly Newsletter for the week of May 30, 2005 is out. This edition covers the donation of new AMD64 hardware, a documentation status update, developer of the week Damien Krotkine, and more.
DistroWatch Weekly, Issue 102The DistroWatch Weekly for May 30, 2005 is out. "Last week, your DistroWatch staff had the extreme pleasure to meet with Dr Richard M Stallman, a truly fascinating, albeit controversial figure, dedicated to fight for our computing freedom; Robert Storey has summarised the experience. Also in this week's issue - a brief look at Libranet GNU/Linux 3.0 and a call for voting on which new packages you want to see tracked by DistroWatch from next month."
Package updates Fedora updatesFedora Core 3 updates: system-config-netboot-0.1.16-1_FC3 (fixes problems with generating unusable initrd.img diskless boot images, missing snapshot files, running /sbin/init at boot, and various python warnings), system-config-bind-4.0.0-16 (fix out-of-zone data reporting), netpbm-10.27-4.FC3 (fix segfault in pnmcolormap).
Trustix Secure Linux updatesTSL-2005-0026 - multi addresses problems in anaconda, bittorrent, iptables, lilo, mod_perl, openldap, php, php4, pptpd, samba and squid for Trustix Secure Linux 2.1, Trustix Secure Linux 2.2 and Trustix Enterprise Server 2.
Distribution reviews Linspire 5.0, The Linux Desktop For The Masses (LinuxElectrons)LinuxElectrons reviews Linspire Five-0. "Linspire has chosen to eliminate some of the bloat that ships with most Distro's. Linspire doesn't have kmail, evolution, or even nine audio mixers. Most distributions ship with full versions of Gnome and KDE, plus some, that's a lot of overlap. Keven Carmony, CEO of Linspire, commented, "Linspire is Linspire because we touch pretty much every package in the OS". "We rarely just take a package and put it in our OS without polishing it up, adding features, fixing bugs, etc". Don't fret, you can still fire up CNR and download all the applications you want."
My Workstation OS: Scientific Linux (NewsForge)NewsForge hears from a Scientific Linux fan. "Scientific Linux (SL) might seem a strange choice as a desktop operating system for someone who is retired, disabled, and elderly, and who has relatively little scientific or programming knowledge, but I get great excitement from exploring the art of Linux distributions, and with Scientific Linux, that excitement is amplified by knowing I'm using the same operating system that is being used by many of the world's leading scientists."
Review: FreeBSD 5.4 (NewsForge)NewsForge has a short review of FreeBSD 5.4. "One of the oldest Unix-like operating systems, FreeBSD, continues its advancement with the sixth release in the FreeBSD-5 series. Its developers have added nothing major, but have made many modifications, fixing a number of problems introduced in previous releases. FreeBSD 5.4 is the best release since 5.1, but it still may not be ready for prime time."
Page editor: Rebecca Sobol Development Anyterm: A Terminal AnywhereAnyterm is a terminal emulator package that runs as a local Javascript application on a web browser, it is similar in concept to the commercial application MindTerm from the company appGATE. Anyterm uses SSL encryption to prevent snooping of terminal session information. The Comparisons page looks at the differences between Anyterm and several other remote login applications. The introduction describes Anyterm:
Anyterm is a box on a web page that behaves like a shell or other
text-mode application on the host machine. Performance is quite
respectable and it will run almost anywhere, even through firewalls,
since it uses only HTTP on standard ports. It consists of:
* Some Javascript on a web page.
* An XmlHTTP channel to the web server.
* An Apache module that receives the XmlHTTP requests and feeds them
to an emulated terminal, and thence to a shell or whatever.
The how it works document sheds light on the internal operation of an Anyterm session and the deployment document describes a number of possible configuration arrangements. The documentation also addresses a number of potential security concerns when running Anyterm. Anyterm stable version 1.0 and development version 1.1.0 were just announced: "This week the stable branch has reached the milestone of version 1.0, as I think that this is now good enough for widespread use. There's also a development branch where I'll be adding more experimental features, starting with WAP support in version 1.1.0 which was released today. So you can now get a shell prompt on your mobile phone. Some work is needed to make it useable though. Future plans include merging my QWAZERTY keyboard-layout mapping code." Dependencies include version 2 of the Apache web server and the ROTE terminal emulation library. Anyterm development is Debian-based, your editor was able to get Anyterm to build on a Fedora Core 3 system by adding some file paths various lines of several include files. The installation instructions provided sufficient information for getting the software up and running. The configuration instructions bring one issue to light: "If you're using a system with SE-Linux security features, such as Fedora Core 3, you may find that they prevent anygetty from invoking /bin/login. This probably just needs a slight change to a configuration file somewhere to make it work; if someone knows what is required please get in touch." A bit of SE-Linux configuration knowledge would be a useful addition to the documentation. To get a look at Anyterm in action, you can try running the Tetris clone "bastet" from the Anyterm web site.
System Applications Mail Software Mailman 2.1.6 ReleasedVersion 2.1.6 of GNU Mailman, a mailing list manager application, is out. "This is a significant release, which includes three important security patches, updated Chinese (zh_TW and zh_CN) support, better compatibility with Python 2.4, a few new features, and many bug fixes."
popa3d 1.0 announcedVersion 1.0 of popa3d has been announced. "For those few on the announcement list who don't know this yet, popa3d is a tiny POP3 daemon which attempts to be extremely secure, reliable, RFC compliant, and fast (in that order). Now, to the news: I've released popa3d 1.0. This means that I consider popa3d to be mature enough to enter its 1.x era."
Networking Tools Knettools 1.0 (stable) releasedStable version 1.0 of Knettools has been announced. "Knettools' is a collection of menu-based testing tools for IPv4 networks. Tools included in the package are Finger, Name Scan, Ping, Ping Scan, Port Scan, Service Scan, and Whois. It is developed using POSIX threads and gnome libraries. This package was formerly known as 'xNetTools'."
OpenSSH 4.1 releasedVersion 4.1 of OpenSSH is out with several bug fixes.
Twisted 2.0.1 ReleasedVersion 2.0.1 of the Twisted networking framework has been released. "This is a minor release, only including bugfixes since 2.0.0. One of the most important fixes was a bug causing many gtk GUI apps to crash. Twisted News is now properly included in the Sumo release."
Printing CUPS 1.2.x Weekly Snapshot, r4528A new weekly snapshot of the CUPS printing system is out. See the release announcement for details.
VPN Software SSL-Explorer 0.1.11 released! (SourceForge)Version 0.1.11 of SSL-Explorer, an open-source SSL VPN solution, is available. "This release of SSL-Explorer contains a number of new features such as the ability to view the currently logged-in users and disconnect their sessions if necessary. The software can detect when new SSL-Explorer releases become available and also detect when new versions of the provided extensions are released. Version 0.1.11 also provides new features required to enable the launch of 3SP's SSL-Explorer Xtra service that brings commercial support and additional features to the product."
Web Site Development Caravel CMS version 2.3 released (SourceForge)Version 2.3 of Caravel, a content management system, is available. "Version 2.3 marks the transition of our source code tree to Sourceforge's CVS server, accompanied by major cleanup and reorganization of the code tree. In addition, a number of bugs have been fixed. Flash, MP3, and Quicktime file types are now supported. The publish tool has been revamped. See the CHANGELOG for details."
SchoolBell 1.1 ReleasedVersion 1.1 of SchoolBell, a Zope 3-based calendaring server, is out. "In this release we round off and finish most of the functionality that was deferred from the last release (REST interface and proper timezone support). One important point is that we have started to import translations from the rosetta project and already have quite a large amount of translations done."
Web Services Constructing Services with J2EE (O'ReillyNet)Debu Panda covers the development of web services under J2EE. "Web services are a popular means of deploying service-oriented applications, and the standards in J2EE 1.4 make it easier to develop services that are portable and interoperable. Debu Panda shows you how, and takes a look at how things will get easier in J2EE 5.0."
Desktop Applications CAD PythonCAD release 25The twenty-fifth development release of PythonCAD, a CAD package for open-source software users, is out. "The twenty-fifth release consists primarily of bug fixes. The compatibility code for the GTK Action and ActionGroup classes introduced in the previous release had a number of bugs which have been fixed. People running PythonCAD on PyGTK releases prior to 2.4 should find this latest release working correctly due to these fixes."
Data Visualization Eman 1.7 ReleasedVersion 1.7 of Eman, a scientific image processing suite with Python language bindings, has been announced. Here is the change summary: " A major overhaul of the parallelism infrastructure (runpar) was done. It now uses fileserver for both reads and writes in the cluster versions. A binary release was made for AMD64, and support for OSX was improved. A new program, refine2d.py, was added for generating reference-free class-averages from a set of particles. A new program, makeinitialmodel.py, was added for constructing 3D models from blobs. The AIRS software was greatly expanded and improved with Chimera bindings. Major improvements were done to the experimental 2D crystallography preprocessing program (qindex)."
Desktop Environments KDE 3.4.1 releasedKDE 3.4.1 is out. This is a maintenance release limited to bug fixes and some translation improvements.
GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
KDE Software AnnouncementsThe following new KDE software has been announced this week:
KDE Project Offers Kolab Groupware Services to its Contributors (KDE.News)KDE.News covers the announcement that groupware services will be available to all KDE contributors. "At the Dutch KDE-PIM meeting in Annahoeve last weekend it was announced that the KDE project will offer groupware services to all KDE contributors using the Free Software groupware server Kolab2. This means that every KDE project or contributor can get a Kolab2 account for sharing tasks, appointments, contacts and email. Every project can manage their own groupware services and decide with which users they want to share these resources. The Kolab2 server will run under the kdemail.net domain and will be administered by the KDE project."
KDE Commit Digest (KDE.News)The May 27, 2005 edition of the KDE Commit Digest is available, here's the content summary: "Kalzium adds gradients and crystal structure data. KOffice supports loading of embedded objects from OASIS format. khtml improves XHTML handling. Kopete adds full text search of history, styles, recieving files and buzzing in Yahoo, and work continues on video device support. KDE 4 work continues with some applications able to run."
Educational Software mnemo-0.5 released (SourceForge)Version 0.5 of mnemo, a memory training application, is available. "Release 0.5 contains a console-mode implementation (no multi-media, yet) along with some example training files for arithmetic, the "peg system" and Esperanto vocabulary."
Electronics Oscilloscope plugin 0.2.0 announcedVersion 0.2.0 of Oscilloscope plugin, a DSSI format plugin application, is available, here is the description: "It has two audio input ports and will display the two input signals as two waves in the display. The trigger level and direction is controllable, as well as the amplification and offset for each channel and the time resolution."
Qocs 0.0.6 ReleasedVersion 0.0.6 of Qocs is available. "Qucs is an integrated circuit simulator which means you are able to setup a circuit with a graphical user interface (GUI) and simulate the large-signal, small-signal and noise behaviour of the circuit. After that simulation has finished you can view the simulation results on a presentation page or window."
XCircuit 3.3.14 ReleasedVersion 3.3.14 of XCircuit, an electronic schematic drawing package, is out. The CHANGES file says: "Changed behavior of netlist generation to allow (finally!) info labels on a top-level schematic. These labels are written verbatim into the output. Probably needs checks to avoid attempting to process certain embedded escapes like pins."
Games New version of HLA Adventure for Linux/Red HatVersion 2.80 of HLA Adventure, an adventure game that was coded in the High Level Assembly programming language, is out with these modifications: "Bug fixes, additional features, program enhancements, code modifications, clearer documentation and other changes."
Medical Applications OpenEMR 2.7.2 Released (LinuxMedNews)Version 2.7.2 of OpenEMR, an electronic medical record system, has been released. "Some highlights of the 2.7.2 final release are: An overhauled, faster and nicer-looking appointment calendar Support for current versions of the SQL-Ledger accounting system, deprecating the old "forked" sql-ledger sub-project of OpenEMR Partial implementation of access controls based on the phpGACL project Improved tracking of immunizations Patient problems can be associated with specific encounters and vice versa New forms for EOB entry, payment posting and adjustments Patient statements and collection letters New reports including cash receipts and cross-referencing of appointments with encounters Demographics export to a commercial laboratory system Support for some FreeB (billing system) fixes".
Music Applications BEAST/BSE version 0.6.6 released (GnomeDesktop)Version 0.6.6 of BEAST/BSE, the BEdevilled Audio SysTem and the Bedevilled Sound Engine, has been announced. "Major bug fixes are incorporated in this release, in particular in the BSE file saving mechanism, so updating to 0.6.6 is recommended to prevent data loss. Also the dialog messages were significantly improved and we had translation updates to Canadian English, Czech, Italian, Spanish and Basque."
Office Suites OpenOffice.org NewsletterThe May, 2005 edition of the OpenOffice.org Newsletter is online with the latest OpenOffice.org news, events, and a guide to using special characters in OO.o documents.
Web Browsers Mozilla Deer Park Alpha 1 releasedThe Mozilla Project has made Deer Park Alpha 1 available. This is an early alpha release of what will eventually be Firefox 1.1. New features include a "sanitize" operation (which quickly removes personal information), image thumbnails in tab icons, the "fast back" page caching capability, better cookie management, and more.
Minutes of the mozilla.org Staff Meeting (MozillaZine)The minutes from the April 25, 2005 mozilla.org staff meeting have been announced. "Issues discussed include releases, security releases, the Volunteer Awards, the board meeting, search, Mozilla Firefox strategy and quarterly goals."
Languages and Tools Caml Caml Weekly NewsThe May 24-31, 2005 edition of the Caml Weekly News is online with the newest Caml language developments.
Haskell Issue Three of The Monad.ReaderIssue Three of The Monad.Reader is out with new Haskell language topics. "This month's issue has a definite introductory theme. It includes republished book reviews, notes on learning, a look at the differences between functional and object oriented programming, and distributed computation."
Lisp SBCL 0.9.1 releasedVersion 0.9.1 of Steel Bank Common Lisp has been announced. "This version implements SB-POSIX:MKSTEMP, provides some optimizations, and fixes some bugs."
Perl This Week in Perl 6 (O'Reilly)The May 18 - 24, 2005 edition of This Week in Perl 6 is available with all of the latest Perl 6 development news.
Python Dr. Dobb's Python-URL!The May 31, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python language articles.
Ruby Ruby Weekly NewsThe May 22nd, 2005 edition of the Ruby Weekly News has been posted. It is a summary of the ruby-talk mailing list.
Ruby Weekly NewsThe May 29th, 2005 edition of the Ruby Weekly News has been posted, summarizing the week's activities on the ruby-talk mailing list.
Emulators Bochs 2.2 released (SourceForge)Version 2.2 of Bochs has been released with some new features. "Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++, that runs on most popular platforms. It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS. Currently, Bochs can be compiled to emulate a 386, 486, Pentium, Pentium Pro or AMD64 CPU, including optional MMX, SSE, SE2 and 3DNow! instructions."
Profilers OProfile 0.9 releasedVersion 0.9 of OProfile, a system profiler, is out. "New in this release is a new differential profile output, a reworked call-graph output format, and several important updates. As usual, upgrading is strongly recommended."
Page editor: Forrest Cook Linux in the news Recommended Reading How The Kernel Development Process Works (Groklaw)Groklaw is running an article by Greg Kroah-Hartman on how the kernel development process works. "People are claiming that code can just get "slipped into" the main kernel tree without realizing where it really came from, or without any sort of review process. Obviously they have never actually tried to get a major kernel patch accepted, otherwise they would not be making these kinds of claims :)"
Underground showdown (Register)The Register looks at an interesting phonomenon in the cracker world: web site defacers have are targeting phishing sites. "It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority..."
Stallman: Nokia's announcement next to nothing (NewsForge)NewsForge has Richard Stallman's take on Nokia's limited patent grant. "We can honestly thank IBM for agreeing not to sue us with 500 of its patents, and we can thank Nokia too for agreeing not to attack one of our community's projects. But don't be distracted from the real issue at stake. Nokia most likely intends to use this announcement as a way to put us in more danger. Nokia, along with IBM and Microsoft, is lobbying hard for software patents in Europe. Nokia will surely point to its own small gesture as 'proof' that software patents will not be devastating to free software."
Trade Shows and Conferences India's Upcoming Free Software, Free Society Conference (Linux Journal)Linux Journal previews an upcoming Linux conference in India. ".. the Free Software Foundation of India is organising a four-country conference to be held May 28-29, 2005. The Free Software, Free Society conference brings together hackers from an unlikely set of nations, people who don't speak the same language but who do see much in the idea that knowledge is most powerful when it is shared freely."
Linux named "platform for the future" by PalmSource keynote speaker (DesktopLinux.com)Desktop Linux covers a keynote address by Dr. Dave Nagel at "Mobile Summit", PalmSource's annual developer event. ""Linux is our platform for the future," said Dr. Nagel, noting that CMS's (re-named PalmSource Asia) Linux-based products will make their way into PalmSource's offerings worldwide."
Big-business technologists talk up Linux (Computerworld Australia)Computerworld.au covers the LinuxWorld Summit. "Several IT executives at the LinuxWorld Summit last week reinforced the idea that Linux now has the technical brawn and industry support to accommodate the most demanding business applications in environments such as finance, airline reservations and stock trading."
IT giants accused of exploiting open source (News.com)News.com reports from the Holland Open Source Conference, where European Commission member Jesus Villasante made some comments about the community and business interests. "Villasante argued that open source is vital to the development of the European software industry, but that its progress has been inhibited by pressure from intellectual-property lobbyists and the traditional software industry, and by the fragmentation of the open-source community. 'Open source is a complete mess--many people do lots of different things. There's total confusion today,' Villasante said."
Companies Cyber fixers now at PC near you! (Hindustan Times)Hindustan Times reports that Bangalore-based DeepRoot Linux has come out with its 'DeepOfix' messaging server. ""It handles e-mail, fights spam and scans your mail. What most solutions take a week to do, our software does in 35 minutes. It has the ability to track e-mail, so that you know whether an e-mail you've sent has reached the receiver or not," Abhas Abhinav, who heads DeepRoot, said."
Novell reports loss as older business shrinks (News.com)News.com examines the latest financial report from Novell. "Revenue rose to $297 million from $294 million, but came in below Wall Street's average estimate of $302 million. Joe Tibbetts, Novell's chief financial officer, said revenue from the company's NetWare product line declined at a slightly faster pace than expected. "Revenue grew, but we'd like to see them grow more," Tibbetts said. "Even in our Linux business, we would have liked to do better there.""
Linux Adoption Detroit high school opens its desktops (NewsForge)NewsForge examines a switch to Linux and OpenOffice.org at the University of Detroit Jesuit High School and Academy. "The cost analysis was compelling -- the Linux option could be implemented for around $21,000, more than $100,000 less than the Microsoft Windows alternative. The key to enabling the move to Linux, however, was the ability to provide an acceptable office application suite that would run on both Windows XP and Linux. It was impractical for the school to support more than one office application suite, nor was it cost-effective nor beneficial to remove Windows XP from the newer systems."
Interviews The Meeks shall inherit the earth (GnomeDesktop)GnomeDesktop.org has announced the availability of Lug Radio Episode 28. "Lug Radio interviews Michael Meeks, Novell hacker and Busiest Man Alive, who talks about OpenOffice.org, Gnome, how you can get involved, and how to get lots of work done by not spending all day reading other people's weblogs..."
Interview with KDE-PIM Hacker Daniel Molkentin (KDE.News)KDE.News has an interview with Daniel Molkentin. "I am one of Kontact's maintainers, along with Don Sanders and Cornelius Schumacher. I mostly take care of the Kontact framework itself, the visible parts if you will. Other than that, I am the author or several fixes, features and hacks throughout KDE-PIM."
Interview with KDE PIM Hacker Cornelius Schumacher (KDE.News)KDE.News talks with Cornelius Schumacher, KDE-PIM module project leader. "We have seen several developers in interviews and blogs talk about the KDE PIM event in the Netherlands and what they are planning to work on during the meeting. Do you have any plans or ideas for this meeting? There are two big goals I would like to achieve at the meeting. First, creating a roadmap for KDE PIM 4. Second, relaunching the KDE-PIM web pages with some fresh and rejuvenated content. But I'm sure there will also come up some new ideas at the meeting."
An evening with the Guru of Python: Guido van Rossum (TuxJournal.net)Vincenzo Ciaglia interviews Guido Van Rossum on TuxJournal.net. "What's your role in the Python Developing Team? Are you still working on some projects or you just coordinate your guys? We're currently designing a new compound statement that lets you code resource acquisition and release pairs (such as acquiring and releasing a lock, or opening and closing a file) in a way that guarantees the release always happens without having to write a try-finally statement."
Resources The Daemon, the GNU and the Penguin - Ch. 10 (Groklaw)Groklaw has published chapter 10 of the book "The Daemon, the GNU and the Penguin," by Dr. Peter H. Salus. This chapter covers Sun and gcc.
Developing GNOME Applications with Java (Linux Journal)Linux Journal looks at the process of creating a GUI design in XML, writes Java code, and then plugs the whole thing in to the GNOME desktop. "With three existing Java GUI toolkits, one might ask why another alternative is necessary. GNOME's Java bindings are unique because they are tied directly to GNOME. An application written with GNOME's Java offerings looks and behaves exactly as if it had been written using GNOME's C libraries. It integrates seamlessly into the GNOME desktop and provides the same capabilities as any other GNOME application. The reason for this is GNOME's Java bindings use the Java Native Interface to delegate work directly to GNOME's C libraries."
Rexx: Power Through Simplicity (O'ReillyNet)O'ReillyNet covers Rexx. "Rexx was the first widely used scripting language. Though IBM invented it 25 years ago, it may come as a surprise that this language is more popular today than ever. There are now nine free and open source Rexx implementations. These run under virtually any operating system on any platform. All but one meet the Rexx language standard, and each has optimizations or extensions for a specific purpose."
Programming Tools: UML Tools (Linux Journal)The Linux Journal looks at tools (both free and proprietary) for creating UML diagrams. "At the moment, none of the open-source tools that I have tried match the richness of the commercial products. DIA is the most extensible, but it does not treat UML semantically, so logical connections and implications are not supported."
The Small Computer System Interface (SCSI) standard (IBM developerWorks)Peter Seebach profiles the history of SCSI on IBM developerWorks. "Alan Shugart, founder of Shugart Associates and Seagate, gets most of the credit for being the visionary who realized the world needed a standard like this one. The initial protocol was called the "Shugart Associates Systems Interface," or SASI. It had a fairly limited set of protocol commands, and performance peaked out at 1.5 MBps (which sounds pretty weak, but for 1979 this was incredible)."
Linux in Government: Optimizing Desktop Performance, Part III (Linux Journal)Linux Journal continues this series on optimizing the Linux desktop. "Some default features of Linux that seem slow to a new desktop user appear perfectly acceptable to long-time workstation users. When we begin to disable services that slow down the boot process, some Linux users might object. For instance, killing the mail transfer agent could mean that service messages meant for root or admin are not sent. Someone wanting to boot up her laptop quickly, however, might not care about that. For system administrators and developers, though, the missing chance to analyze a program flaw becomes a lost opportunity."
Miscellaneous EU puts funds toward global research on open source (News.com)News.com looks into a grant from the European Union for the support of open-source software around the world. "The newly approved funding--660,00 euros, or $825,594--is for the two-year FLOSSWorld project, Europe's first initiative to support international research and policy development on "free/libre/open source software." Previous FLOSS projects, starting as early as 2001, have concentrated on the use of open source in Europe alone."
Page editor: Forrest Cook Announcements Non-Commercial announcements Google's summer of codeGoogle has announced a program called the "Summer of Code." Students interested in hacking on free software can put in an application and, working with a mentor project, earn $4500 for completing a project. The participating projects include Python, Perl, Apache, Ubuntu, Mono, GNOME, Wine, Subversion, and Google itself.
Commercial announcements BitMover announces BitKeeper to CVS converterFor any free software projects which still have BitKeeper repositories: BitMover has announced the availability of a conversion utility which will turn those repositories into CVS repositories. Time to use it is running out: "Beginning July 1, 2005, all existing BitKeeper binaries will require license keys to enable continued use."
CAC Media Announces Digital Entertainment DevicesCAC Media, Inc. and VIA Technologies will demonstrate new Linux-based digital entertainment platforms at the VIA Technology Forum and Computex trade shows. "This combination of low cost / high performance hardware and software shows Original Design Manufacturers (ODMs) and Original Equipment Manufacturers VIA Technology's latest reference designs running CAC's MCSS platform. CAC's Media Convergence Software Suite (MCSS) is a Linux-based operating system the company licenses to consumer electronics manufacturers to drive new chip-sets available for their products. The innovative software / hardware combination enables them to combine PC, Internet, and CE functionality into "lean back" products designed to play, consume, store, and organize ALL digital media."
EarthLink and Microtel Partner to Offer $69.99 PCEarthLink and Microtel have announced a partnership to provide discounted Linux-based PCs and laptops for new subscribers. "New dial-up subscribers can receive the special Microtel pricing from May 25, 2005 - June 25, 2005, by going to http://www.microtelpc.com and placing an order for a $69.99 PC or $399 laptop. During the ordering process buyers will be directed to the EarthLink Website to fill in subscription details. The $150 discount will be applied to the cost of the computer at the point of purchase, and requires a one-year EarthLink dial-up Internet access commitment."
Nokia Makes Donation to GNOME FoundationNokia has announced a developer device program at the GNOME user and Developer European Conference (GUADEC). The developer device program will donate the proceeds from the sales of 500 Nokia 770 devices to the GNOME Foundation.
Novell's "Mono Kickstart" programNovell has announced the "Mono Kickstart Program," a support offering for companies developing desktop applications with Mono. This is clearly not a service intended for free software projects: "Mono Kickstart includes 25 developer support incidents along with one server or 50 desktop licenses for $12,995. Additional developer support incidents, server licenses and desktop licenses can be purchased separately."
SCO's second quarter resultsRemember SCO? That company has just announced its second quarter results: an almost $2 million loss on declining revenue. Even that figure includes almost $800,000 realized from the sale of all of SCO's stock in Trolltech last March.
Win4Lin Products Available for LinspireWin4Lin has announced "..that the company's Win4Lin 9x and Win4Lin Home products are now compatible with Linspire Five-0 and are available in the Linspire CNR Warehouse. The company also announced that their flagship Win4Lin Pro will be available in the CNR Warehouse by mid-summer 2005."
New Books Killer Game Programming in Java - O'Reilly's Latest ReleaseO'Reilly has published the book Killer Game Programming in Java by Andrew Davison.
Resources Table of analogs of Windows software in LinuxFiodor Sorex has announced the creation of a table that lists Linux equivalents for Windows software. "One of the biggest difficulties in migrating from Windows to Linux is the lack of knowledge about comparable software. Newbies usually search for Linux analogs of Windows software, and advanced Linux-users cannot answer their questions since they often don't know too much about Windows :). This list of Linux equivalents / replacements / analogs of Windows software is based on our own experience and on the information obtained from the visitors of this page (thanks!)."
Edition 2 of MyOSS MagazineEdition 2 of the Malaysian Online Open Source Magazine, MyOSS Magazine has been published. Topics include: Open Source Power Management, Open Source PBX/PABX, Daemon's Advocate, Virtualisation, Tip of The Month, Book Review : Free as in Freedom, and more.
Open source and the commoditization of softwareIan Murdock has posted his chapter from the upcoming O'Reilly book Open Sources 2.0; it is called "Open source and the commoditization of software. "If Red Hat's business model is wrong, then what is the right business model for Linux distribution vendors? In my view, the Dell model can be taken a step further than any of the Linux distributors have thought to take it. After all, what are open-source technologies but commodity software components, and what are Linux distributions but assemblers of those components into products the end customer finds useful?"
Contests and Awards First-Round Voting in 2005 Readers' Choice Awards (Linux Journal)Linux Journal has announced the first round of voting for the 2005 Readers' Choice Awards. "As you know by now, the Web form is gone, and voting is taking place by e-mail this time. We require plain text e-mail for votes, so no HTML or attachments."
Upcoming Events Debian Day at LinuxTag 2005The Debian Day mini-conference at LinuxTag has been announced. "It will take place on Thursday, 23rd of June during this year's LinuxTag in Karlsruhe, Germany. The talks will describe certain parts of the distribution or the project and will be held in English."
Europython 2005 updateAn Update notice has been sent out for the EuroPython 2005 conference. "Due to some technical problems with the registration website we have decided to extend the registration of talks until 8 May. We already have an impressive array of talks, but we do have room for some more. We are especially interested in talks focusing on the Python language and talks on Python usage in Science." The event takes place in Göteborg, Sweden on June 27-29, 2005.
Fedora Talk at USC Los Angeles, CAA talk on the Fedora Project will be held at the University of Southern California in Los Angeles, California on June 16, 2005. "Warren will explain the Fedora Project, do Q&A, and hand out a limited amount of schwag."
Joint Call for Participation: IEEE Conference on Web ServicesA Joint Call for Participants has gone out for the 2005 IEEE International Conference on Web Services. The event will take place on July 11-15, 2005 in Orlando, Florida.
Embedded Technology 2005, Yokohama, JapanThe Embedded Technology 2005 Conference has been announced. The event will be held in Yokohama, Japan on November 15-18, 2005.
Events: June 2 - July 28, 2005
Page editor: Forrest Cook Letters to the editor The gift of volunteering
Dear Editor
Letter to the Editor: Setback for Linux
Forbes' website's feedback form gives no indication of a successful
Page editor: Jonathan Corbet
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[RSSOwl]](/images/ns/agg/rss-owl-sm.jpg)
![[Snownews]](/images/ns/agg/rss-snownews-sm.jpg)
![[Liferea]](/images/ns/agg/rss-liferea-sm.jpg)
![[Blam]](/images/ns/agg/rss-blam-sm.jpg)
![[akregator]](/images/ns/agg/rss-akregator-sm.jpg)
![[Sage]](/images/ns/agg/rss-sage-sm.jpg)
![[Anyterm]](/images/ns/anyterm.png)