Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 9, 2005A tale of two distributions If the net seems slow over the next week or so, it may well be due to the near-simultaneous releases from two major distributions. The long-awaited release of Debian GNU/Linux 3.1 (also known as "sarge") was announced on June 6. As it happens, Fedora Core 4 was due on the same day, but has been pushed back one week to June 13. This delay was not due to any particular technical problems; instead, it seems, the lawyers were a little slow to sign off on the code name for this release.A comparison of a few key packages in these two distributions can be instructive:
These numbers will come as little surprise to most; it is in the nature of Debian releases to be slow in coming and mildly obsolete when they arrive, while Fedora releases run closer to the bleeding edge. The two distributions have different goals: Debian seeks to produce a highly stable distribution for its users; Fedora, instead, is a rapidly updated distribution providing current software to users and a real-world test bed for Red Hat. The table listed above is not entirely fair; many packages in Debian sarge (including important ones, like Firefox) are at or near their current versions. Then, there is this table, which provides a different view:
This table could be made much longer, but the point should be clear: few distributions can offer the sheer variety of packages found in Debian. In all fairness, one should note that the Fedora Extras repository fills in some of the gaps on the Fedora side. Fedora Extras works reasonably well, but it remains a "second class citizen" repository without any commitment to future updates or security support. Debian also supports a much wider range of architectures than Fedora. As these milestones are reached, both distributions are considering where they want to go in the future. On the Debian side, there is a general desire to improve the release process so that the next major release ("etch") comes a little more quickly. There is some planning happening for a painful gcc upgrade and a PostgreSQL transition, among other things. There is a continual low-level rumble on how Debian and derivatives (Ubuntu in particular) should work with each other. The "how many architectures should Debian support?" question still lacks a definitive answer. It also seems, however, that the Debian developers are taking a well-deserved break and deferring much of the "what now?" discussion until Debconf5, happening in mid-July. (As luck would have it, the conference has offered to fly LWN Distributions Page editor Rebecca Sobol to the event, so LWN will have coverage from Debconf5). On the Fedora side, a deliberate effort was made to start a discussion on what should be in Fedora Core 5. A few goals were suggested: more security features and faster booting, for example. Most of the discussion, however, has centered around a suggestion to increase the length of the development cycle somewhat (to nine months or so). The current six-month cycle allows for a maximum of about two or three months before the stabilization efforts set in, and some developers are finding it difficult to get their changes in within that window. The suggestion has not been particularly well received by the powers that be within Red Hat, however. In theory, opposition from Red Hat should matter less in the future. At the recently-concluded Red Hat Summit, the company announced that it planned to set Fedora free, and to put it under the control of an independent foundation. There have been no communications from the company on this subject outside of the conference, so details are scarce. Nothing has been said on how this foundation will be formed, funded, or governed. It remains to be seen whether Red Hat is truly willing to give up enough control to allow Fedora to pick its own directions. A truly independent Fedora, however, has the potential to combine a strong base distribution with a larger, more enthusiastic developer community; it could be a force to be reckoned with. Debian and Fedora are two very different distributions. Debian is a huge, community-driven project with a "when it's ready" release policy. Fedora is, for now, a company-controlled, smaller distribution with scheduled releases. In many ways, however, they appear to be converging. Debian is facing the size issue (by considering which packages and architectures truly belong in the core distribution), release cycles, and, via efforts like Ubuntu, commercial appeal. Fedora, meanwhile, aims for a stronger community orientation and is debating package policies and release cycle issues of its own. Both distributions will remain part of our community for a long time - and we are richer for having both of them. But they are responding to many of the same pressures, so it would not be entirely surprising to see them look more alike in the future.
A sneak peak at Firefox and Thunderbird 1.1 The Mozilla project recently released alpha builds of Firefox 1.1 and Thunderbird 1.1. In addition to bugfixes and performance enhancements, there are several new features in Firefox and Thunderbird that look interesting. So, what's slated for Firefox 1.1 and Thunderbird 1.1? Let's start by looking at the "Deer Park" alpha build of Firefox 1.1.
Firefox 1.1Firefox 1.1 is the first major milestone on the way to Firefox 2.0. Firefox 1.5, planned for sometime in 2006, is the second milestone, with 2.0 being the final milestone. Overall, the 1.1 release isn't a radical change from 1.0, but there are some pleasant new features to look forward to, and a few user interface changes as well.
There is a new tool to quickly remove information from Firefox, called "Sanitize." One can choose to clear browsing history, saved form information, download history, cache, cookies and saved passwords with a hotkey or by choosing the "Sanitize" option from the tools menu. Sanitize is configurable, so one can choose to erase download history, cache and browsing history, for example, without erasing saved passwords or cookies. Users also have the option of erasing these items each time Firefox is shut down. This is a very useful option for those who share computers with other family members, roommates and co-workers. Firefox 1.1 also improves browsing pages in the cache, so browsing forward and backward seems much faster than in Firefox 1.0. Granted, Firefox 1.0 isn't terribly slow, but even a few seconds improves the user experience drastically. Users will also be able to report "broken" websites using Firefox 1.1. The release includes a "Report a Broken Web Site" wizard which provides the URL, a list of possible problems ("Browser not supported," "Can't log in," "Plugin not showing," and so forth) and a field to describe the problem in full. According to the Privacy Policy page for the feature, the Mozilla team will use this feature to work with webmasters to correct interoperability problems with Firefox. Whether the feature will actually encourage webmasters to fix the problems is another story. The "Cookies" dialog has changed somewhat. Cookies are now organized in folders by site, and users can search to find the cookies that they're looking for rather than scrolling through the list, which can be handy if one has accumulated a long list of cookies. Despite its alpha status, we didn't run into any serious glitches, crashes or other nastiness using Firefox 1.1. This writer plans to continue using Firefox 1.1 alpha as his primary browser, since it has proven to be stable (at least over the past three days) and offers some modest improvements over the 1.0 release.
ThunderbirdAs with Firefox 1.1, there are no drastic interface changes or radical feature changes slated for Thunderbird 1.1, but there are a number of interesting improvements and new features that will make the upgrade worthwhile. One spiffy new feature slated for 1.1, and working fine in the alpha release, is the "inline" spelling checker that underlines misspelled words (or words not yet in Thunderbird's dictionary) while you type. Thunderbird 1.0 does have spelling checking, but not as you type. Thunderbird also allows the user to add a word to the dictionary, or ignore it, on the fly by right-clicking on the word.
Users who wish to use Thunderbird as an RSS reader will like the OPML import capability in Thunderbird 1.1. We tested Thunderbird with an OPML file exported from Bloglines with more than 130 feeds. Thunderbird handled it gracefully, and imported all the feeds with no apparent problems. There should be an "export" capability in the final 1.1 release, but it is not in the current release. Thunderbird 1.1 will also come with features to help users avoid being scammed by phishing attacks. We didn't actually get any phishing scams to test this out with Thunderbird, but the client is supposed to display a warning message if a message looks like a phishing attack. Again, as with Firefox's alpha, the Thunderbird alpha handled well enough that this writer will probably employ it for day to day use -- while making regular backups of mail, just in case. The Firefox roadmap calls for a second alpha release in June, and a beta and final 1.1 release sometime later this year. The Thunderbird roadmap calls for a final 1.1 release in June, but that may need to be pushed back since the alpha release is only a few days old.
The CDT takes on infringement The Center for Democracy & Technology has long been "working for democratic values in a digital age." CDT has taken on many issues, including encryption, freedom of speech, privacy, and more. So the new copyright policy paper [PDF] from CDT seemed worth a look. Unfortunately, the CDT appears to have lost track of some important goals in its desire to compromise.The stated goal of the paper is:
... to outline a general framework for protecting copyright in a
manner that is consistent with the open architecture of the
Internet and with the interests of creators, consumers, and
technology innovators.
Most of us, probably, can agree with the goal of "protecting copyright." The whole structure of free software licensing, after all, is based on copyright law. Without copyright, there could be no General Public License. Free software could still exist in such a world, but the rules would be different. So how do we "protect copyright"? The CDT offers a three-pronged approach, the first of which is "punishing bad actors." The authors, it seems, are enthusiastic supporters of actions like mass lawsuits against file traders. Also big on their list is "secondary liability" for people who encourage file sharing - Grokster, for example. There is a token mention of how secondary liability should only target "bad activity" without "chilling the development of new technologies or the provision of online services," but no discussion of how the two can be separated. There is no mention of any situation where "secondary liability" has gone too far, leaving the reader with the impression that the CDT is entirely happy with the enforcement activities which have happened to this point. Well, not entirely happy; the CDT would like to see more laws passed to get the Federal government more heavily involved in copyright enforcement. They would also like to see:
Cooperation between content owners and ISPs on a voluntary basis to
find practical and appropriate ways to pass crucial information on
to specific individuals while protecting their anonymity (and while
steering well clear of putting ISPs in the role of tracking and
policing subscribers' behavior) could be a positive step.
How this "positive step" would actually work is not discussed. The core of the CDT paper, however, relates to the creation of "consumer-friendly" DRM schemes. Given a suitable "open market," the CDT believes that DRM can "enable" the flow of digital content we all hunger for in our souls without making life overly frustrating for us "consumers." The CDT does argue against specific mandates by government (but the group appears to favor broadcast flag regulations which provide "reasonable balance") and in favor of preserving consumer privacy. But, as a whole, DRM schemes are clearly seen as a good thing. The final step advocated by the CDT is "public education." The paper tells us:
It is particularly important to send the message to younger
consumers that infringement is unlawful and unethical. This effort
cannot be pursued by industry alone...
"Younger consumers" (and older ones too) could certainly benefit from a better understanding of copyright law. It is probably true that educating these "consumers" about fair use, ever-lengthening copyright periods, the starvation of the public domain, etc. is not something that we can expect industry to accomplish on its own. But, of course, the CDT shows no particular interest in helping industry out on that score; it's mostly interested in the infringement problem. Remember that the CDT is supposed to be an advocate for democracy, civil rights, and the consumer. But this group has, perhaps out of fear of even worse alternatives, entirely given in to the demands of the entertainment industry in the name of making content available to "consumers." The CDT has sold out entirely on this issue. There are numerous things the CDT could have addressed, were it truly interested in the wider debate. Perhaps a little mention of the DMCA would have been nice; seeing programmers arrested in the defense of DRM schemes might just have a "chilling effect" or two. An examination of just how well the market has done in producing "consumer-friendly" DRM so far might have been in order. And it might have been nice to see at least a passing mention of the public domain, the source of many of the ideas which have been incorporated into current, eternally-copyrighted content. But there are two larger failures here. The first is the firm distinction between "producers" and "industry" on one side, and "consumers" on the other. We are, it seems, supposed to go off, be good little consumers, and not worry our pretty little heads about how the "producers," out there somewhere, will protect their content in a "friendly" manner. When your editor was young, it was often noted that freedom of the press is great if you happen to own a press. Now that your editor is no longer so young, we all own presses. We are no longer to be called "consumers," told to enjoy the products from "industry" in some business-friendly way. We, too, are producers, and we have a stake in this game. The CDT has not yet figured that out. One of the most dramatic ways in which we are producers can be seen in the free software community. LWN readers are not "consumers" of Linux; they are its producers. And we have produced a world where many copyright infringement issues are no longer relevant. But, to the CDT, we do not exist. Any balanced look at DRM must include this fact: free software and DRM are absolutely incompatible with each other. When "consumers" actually have control over their computers (and DRM-capable devices are computers), they need not accept externally-imposed restrictions on what those computers can do. The CDT's "consumer-friendly" DRM vision, almost by definition, cannot include free software. Certainly, we wish to live in a world where producers can make a living from their work. We are all producers now, remember? Besides, how else will we ever get to see the final three Star Wars movies we were promised back in the 1970's? The CDT's answer to this problem, however, does not describe a world that many of us would want to live in. Some of us, evidently, have a different idea of what constitutes "democratic values."
Page editor: Jonathan Corbet Security Intel processors and DRM There has been a persistent round of rumors stating that upcoming Intel processors come with an additional, unwelcome feature: hardware digital restrictions management (DRM) capabilities. According to some, this built-in DRM is the motivating force behind Apple's just-announced switch to Intel processors. If Intel is to be believed, the reality of the situation is not as bad as one might fear.According to Donald Whiteside, an Intel VP, there is no secret DRM in Intel's chips:
The rights management technology referred to in the article was not
a secret DRM from Intel, but the DTCP-IP technology publicly
offered by the 5C Entity; which Intel is a Founder. Intel believes
that the DTCP-IP technology is an important element in enabling
protected transport of compressed content within the home network,
and we continue to promote DTCP-IP for this application which
enables greater consumer flexibility & use of premium
entertainment content.
The DTCP web site has some information on this technology - though one must pay significant money and sign some highly restrictive documents to get the full scoop. Essentially, DTCP is a way for devices to talk over local links - an IEEE1394 connection or home wireless network, for example - without creating fears that somebody's Valuable Intellectual Property will leak out into the world and bring an end to civilization. It's a fairly straightforward combination of encryption and remote attestation protocols. Essentially, a DTCP-enabled device has, buried within it, a signed certificate identifying it as being approved by the powers that be. When two such devices communicate, they send challenges and check certificates to ensure that they are both approved; if the authentication step fails, no content will be exchanged. Assuming the authentication succeeds, encrypted content can be sent in one direction or the other; this content includes a set of flags specifying the rules which are to apply to the copying of that content. Anybody who makes an approved device must, of course, promise to implement those rules. The DTCP designers have not left things to chance; each device includes within it a "revoked certificates" list. When somebody's gadget is shown to be insufficiently attentive to the restrictions applied to Valuable Intellectual Property, its certificate can be added to that list. Every device, and every piece of content as well, carries a copy of the list, and devices will update their list when a newer version comes along. So your compromised video player may well make copies for a while, until you bring in a disk with a new revocation list; after that, none of your other gadgets will talk to it any more. It is still not clear what features Intel has added to its chips to support DTCP. It is unlikely to be anything which will be useful to Linux users. But, at least, it does not appear to be a system to lock "unauthorized" operating systems out of the processor. And certainly none of us expected any sort of free multimedia software to get a stamp of approval from the entertainment industry anyway.
Security news Schneier: Attack Trends: 2004 and 2005 Bruce Schneier has posted some predictions on the types of security problems we'll see in the near future. "Targeted worms are another trend we're starting to see. Recently there have been worms that use third-party information-gathering techniques, such as Google, for advanced reconnaissance. This leads to a more intelligent propagation methodology; instead of propagating scattershot, these worms are focusing on specific targets. By identifying targets through third-party information gathering, the worms reduce the noise they would normally make when randomly selecting targets, thus increasing the window of opportunity between release and first detection."
New vulnerabilities dbus: information disclosure
Dzip: directory traversal
kdbg: command injection vulnerability
kernel: local denial of service, possible compromise
Mailutils: SQL injection
Wordpress: multiple vulnerabilities
Updated vulnerabilities a2ps: input validation error
apache-utils: htpasswd buffer overflow
bzip2: race condition and infinite loop
cpio - file permissions error
cURL: buffer overflow
cvs: multiple vulnerabilities
cyrus-imapd: buffer overflows
dhcp: format string vulnerability
Dnsmasq: poisoning and DoS
emacs21: format string vulnerability in "movemail"
enscript: arbitrary code execution
Ethereal: numerous vulnerabilities
evolution: message crash vulnerability
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: buffer overflow and SQL injection
gdb: multiple vulnerabilities
gtk-pixbuf, gtk2: denial of service
gettext: Insecure temporary file handling
gftp: missing input sanitizing
ghostscript: symlink vulnerabilities
glibc: tempfile vulnerability in catchsegv script
gnupg: information leak
GnuTLS: Denial of Service vulnerability
grip: buffer overflow
groff: insecure temporary directory
gxine: format string vulnerability
gzip: race condition and directory traversal
htdig: cross site scripting
ImageMagick: xwd coder denial of service
imap: buffer overflow in c-client
imlib2: buffer overflows
infozip: privilege escalation, directory-traversal
junkbuster: heap corruption and settings modification
kdelibs: unsanitzied input
kernel: multiple vulnerabilities
kernel: ELF loader core dump vulnerability
kernel: multiple vulnerabilities
kimgio input validation errors
libconvert-uulib-perl: arbitrary code execution
libdbi-perl: insecure temporary file
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[deer park]](/images/ns/deer-park-sm.jpg)
![[Thunderbird prefs]](/images/ns/thunderbird-1.1a-prefs-sm.jpg)