If the net seems slow over the next week or so, it may well be due to the
near-simultaneous releases from two major distributions. The long-awaited
release of Debian GNU/Linux 3.1 (also known as "sarge") was
announced on June 6. As it happens,
Fedora Core 4 was due on the same day, but has been pushed back one
week to June 13. This delay was not due to any particular technical
problems; instead, it seems, the lawyers were a little slow to sign off on
the code name for this release.
A comparison of a few key packages in these two distributions can be
instructive:
| Package | Debian 3.1 | Fedora Core 4 |
| Kernel | 2.4.27/2.6.8 | 2.6.11 |
| GNOME | 2.8 | 2.10 |
| KDE | 3.3 | 3.4 |
| X | XFree86 4.3.0 | Xorg 6.8.2 |
| gcc | 3.3.5 | 4.0 |
| postgresql | 7.4.7 | 8.0.2 |
| MySQL | 4.0.24/4.1.11a | 4.1.11 |
These numbers will come as little surprise to most; it is in the nature of
Debian releases to be slow in coming and mildly obsolete when they arrive,
while Fedora releases run closer to the bleeding edge.
The two distributions have different goals: Debian seeks to produce a
highly stable distribution for its users; Fedora, instead, is a rapidly
updated distribution providing current software to users and a real-world
test bed for Red Hat.
The table listed above is not entirely fair; many packages in Debian sarge
(including important ones, like Firefox) are at or near their current
versions. Then, there is this table, which provides a different view:
| Package | Debian 3.1 | Fedora Core 4 |
| xine-ui | 0.99.3 | -- |
| monotone | 0.18 | -- |
| gforge | 3.1 | -- |
| shorewall | 2.2.3 | -- |
| GNUStep | 3 | -- |
| xfce | 4.0.5 | -- |
This table could be made much longer, but the point should be clear: few
distributions can offer the sheer variety of packages found in Debian. In
all fairness, one should note that the Fedora Extras repository fills in
some of the gaps on the Fedora side. Fedora Extras works reasonably well,
but it remains a "second class citizen" repository without any commitment
to future updates or security support. Debian also supports a much wider
range of architectures than Fedora.
As these milestones are reached, both distributions are considering where
they want to go in the future. On the Debian side, there is a general
desire to improve the release process so that the next major release
("etch") comes a little more quickly. There is some planning happening for
a painful gcc upgrade and a PostgreSQL transition, among other things.
There is a continual low-level rumble on how Debian and derivatives (Ubuntu
in particular) should work with each other. The "how many architectures
should Debian support?" question still lacks a definitive answer. It also
seems, however, that the Debian developers are taking a well-deserved break
and deferring much of the "what now?" discussion until Debconf5, happening in mid-July.
(As luck would have it, the conference has offered to fly LWN Distributions
Page editor Rebecca Sobol to the event, so LWN will have coverage from
Debconf5).
On the Fedora side, a deliberate effort was
made to start a discussion on what should be in Fedora Core 5. A few
goals were
suggested: more security features and faster booting, for
example. Most of the discussion, however, has centered around a suggestion to increase the length of the
development cycle somewhat (to nine months or so). The current six-month cycle
allows for a maximum of about two or three months before the stabilization efforts
set in, and some developers are finding it difficult to get their changes
in within that window. The suggestion has not been particularly well
received by the powers that be within Red Hat, however.
In theory, opposition from Red Hat should matter less in the future. At
the recently-concluded Red Hat Summit, the company announced that it
planned to set Fedora free, and to put it under the control of an
independent foundation. There have been no communications from the company
on this subject outside of the conference, so details are scarce. Nothing
has been said on how this foundation will be formed, funded, or governed.
It remains to be seen whether Red Hat is truly willing to give up enough
control to allow Fedora to pick its own directions. A truly independent
Fedora, however, has the potential to combine a strong base distribution
with a larger, more enthusiastic developer community; it could be a force
to be reckoned with.
Debian and Fedora are two very different distributions. Debian is a huge,
community-driven project with a "when it's ready" release policy. Fedora
is, for now, a company-controlled, smaller distribution with scheduled
releases. In many ways, however, they appear to be converging. Debian is
facing the size issue (by considering which packages and architectures
truly belong in the core distribution), release cycles, and, via efforts
like Ubuntu, commercial appeal. Fedora, meanwhile, aims for a stronger
community orientation and is debating package policies and release cycle
issues of its own. Both distributions will remain part of our community
for a long time - and we are richer for having both of them. But they are
responding to many of the same pressures, so it would not be entirely
surprising to see them look more alike in the future.
The Mozilla project recently released alpha builds of
Firefox 1.1 and
Thunderbird
1.1. In addition to bugfixes and performance enhancements, there are
several new features in Firefox and Thunderbird that look interesting. So,
what's slated for Firefox 1.1 and Thunderbird 1.1? Let's start by looking
at the "Deer Park" alpha build of Firefox 1.1.
Firefox 1.1
Firefox 1.1 is the first major milestone on the way to Firefox 2.0. Firefox
1.5, planned for sometime in 2006, is the second milestone, with 2.0 being
the final milestone. Overall, the 1.1 release isn't a radical change from
1.0, but there are some pleasant new features to look forward to, and a few
user interface changes as well.
The "Preferences" dialog has been modified quite a bit, which may throw
users at first, but the overall layout seems a bit more logical. Some of
the finer-grained controls have gone away, which may or may not be seen as
a good thing. For example, in Firefox 1.0, users can disable specific
JavaScript features such as "Move or resize existing windows," "Hide the
status bar," and so forth. Firefox 1.1 gives users the option to enable
JavaScript and then the option to "disable common annoyances." Firefox 1.1
also adds a "Tabs" dialog dealing with all of the tab functions in
Firefox. The new Preferences dialog, like the new Thunderbird dialog, is
very similar in layout to the Preferences dialog in Apple's Safari browser.
There is a new tool to quickly remove information from Firefox, called
"Sanitize." One can choose to clear browsing history, saved form
information, download history, cache, cookies and saved passwords with a
hotkey or by choosing the "Sanitize" option from the tools menu. Sanitize
is configurable, so one can choose to erase download history, cache and
browsing history, for example, without erasing saved passwords or
cookies. Users also have the option of erasing these items each time
Firefox is shut down. This is a very useful option for those who share
computers with other family members, roommates and co-workers.
Firefox 1.1 also improves browsing pages in the cache, so browsing forward
and backward seems much faster than in Firefox 1.0. Granted, Firefox 1.0
isn't terribly slow, but even a few seconds improves the user experience
drastically.
Users will also be able to report "broken" websites using Firefox 1.1. The
release includes a "Report a Broken Web Site" wizard which provides the
URL, a list of possible problems ("Browser not supported," "Can't log in,"
"Plugin not showing," and so forth) and a field to describe the problem in
full. According to the Privacy Policy page for the
feature, the Mozilla team will use this feature to work with webmasters to
correct interoperability problems with Firefox. Whether the feature will
actually encourage webmasters to fix the problems is another story.
The "Cookies" dialog has changed somewhat. Cookies are now organized in
folders by site, and users can search to find the cookies that they're
looking for rather than scrolling through the list, which can be handy if
one has accumulated a long list of cookies.
Despite its alpha status, we didn't run into any serious glitches, crashes
or other nastiness using Firefox 1.1. This writer plans to continue using
Firefox 1.1 alpha as his primary browser, since it has proven to be stable
(at least over the past three days) and offers some modest improvements
over the 1.0 release.
Thunderbird
As with Firefox 1.1, there are no drastic interface changes or radical
feature changes slated for Thunderbird 1.1, but there are a number of
interesting improvements and new features that will make the upgrade
worthwhile.
One spiffy new feature slated for 1.1, and working fine in the alpha
release, is the "inline" spelling checker that underlines misspelled words (or
words not yet in Thunderbird's dictionary) while you type. Thunderbird 1.0
does have spelling checking, but not as you type. Thunderbird also allows the
user to add a word to the dictionary, or ignore it, on the fly by
right-clicking on the word.
The Preferences dialog for Thunderbird has also been reworked, and is
similar to the new Preferences dialog for Firefox. Users can now get to the
"about:config" interface for Thunderbird easily, by going to the "Advanced"
tab and selecting "Config editor." Several of the features in 1.1 seem to
be inspired by Thunderbird extensions. The RSS features and the
"about:config" access are both available for Thunderbird 1.0 as
extensions, for example. It will be interesting to see if the Mozilla developers manage
to keep Thunderbird and Firefox free of the kitchen-sink syndrome that
plagued the Mozilla suite. We're not suggesting these should only be
available as extensions, but we do hope the Mozilla team will resist adding
in popular functionality from extensions in order to keep Firefox and
Thunderbird lean and allow users to pick and choose the extensions they
desire.
Users who wish to use Thunderbird as an RSS reader will like the OPML
import capability in Thunderbird 1.1. We tested Thunderbird with an OPML
file exported from Bloglines with more than 130 feeds. Thunderbird handled
it gracefully, and imported all the feeds with no apparent problems. There
should be an "export" capability in the final 1.1 release, but it is not in
the current release.
Thunderbird 1.1 will also come with features to help users avoid being
scammed by phishing
attacks. We didn't actually get any phishing scams to test this out with
Thunderbird, but the client is supposed to display a warning message if a
message looks like a phishing attack.
Again, as with Firefox's alpha, the Thunderbird alpha handled well enough
that this writer will probably employ it for day-to-day use -- while making
regular backups of mail, just in case.
The Firefox roadmap
calls for a second alpha release in June, and a beta and final 1.1 release
sometime later this year. The Thunderbird
roadmap calls for a final 1.1 release in June, but that may need to be
pushed back since the alpha release is only a few days old.
The
Center for Democracy & Technology has
long been "working for democratic values in a digital age." CDT has taken
on many issues, including encryption, freedom of speech, privacy, and
more. So the new
copyright policy
paper [PDF] from CDT seemed worth a look. Unfortunately, the CDT
appears to have lost track of some important goals in its desire to
compromise.
The stated goal of the paper is:
... to outline a general framework for protecting copyright in a
manner that is consistent with the open architecture of the
Internet and with the interests of creators, consumers, and
technology innovators.
Most of us, probably, can agree with the goal of "protecting copyright."
The whole structure of free software licensing, after all, is based on
copyright law. Without copyright, there could be no General Public
License. Free software could still exist in such a world, but the rules
would be different.
So how do we "protect copyright"? The CDT offers a three-pronged approach,
the first of which is "punishing bad actors." The authors, it seems, are
enthusiastic supporters of actions like mass lawsuits against file
traders. Also big on their list is "secondary liability" for people who
encourage file sharing - Grokster, for example. There is a token mention
of how secondary liability should only target "bad activity" without
"chilling the development of new technologies or the provision of online
services," but no discussion of how the two can be separated. There is no
mention of any situation where "secondary liability" has gone too far,
leaving the reader with the impression that the CDT is entirely happy with
the enforcement activities which have happened to this point.
Well, not entirely happy; the CDT would like to see more laws passed to get
the Federal government more heavily involved in copyright enforcement.
They would also like to see:
Cooperation between content owners and ISPs on a voluntary basis to
find practical and appropriate ways to pass crucial information on
to specific individuals while protecting their anonymity (and while
steering well clear of putting ISPs in the role of tracking and
policing subscribers' behavior) could be a positive step.
How this "positive step" would actually work is not discussed.
The core of the CDT paper, however, relates to the creation of
"consumer-friendly" DRM schemes. Given a suitable "open market," the CDT
believes that DRM can "enable" the flow of digital content we all hunger
for in our souls without making life overly frustrating for us "consumers."
The CDT does argue against specific mandates by government (but the group
appears to favor broadcast flag regulations which provide "reasonable
balance") and in favor of preserving consumer privacy. But, as a whole,
DRM schemes are clearly seen as a good thing.
The final step advocated by the CDT is "public education." The paper tells
us:
It is particularly important to send the message to younger
consumers that infringement is unlawful and unethical. This effort
cannot be pursued by industry alone...
"Younger consumers" (and older ones too) could certainly benefit from a
better understanding of copyright law. It is probably true that educating
these "consumers" about fair use, ever-lengthening copyright periods, the
starvation of the public domain, etc. is not something that we can expect
industry to accomplish on its own. But, of course, the CDT shows no
particular interest in helping industry out on that score; it's mostly
interested in the infringement problem.
Remember that the CDT is supposed to be an advocate for democracy, civil
rights, and the consumer. But this group has, perhaps out of fear of even
worse alternatives, entirely given in to the demands of the entertainment
industry in the name of making content available to "consumers." The CDT
has sold out entirely on this issue.
There are numerous things the CDT could have addressed, were it truly
interested in the wider debate. Perhaps a little mention of the DMCA would
have been nice; seeing programmers arrested in the defense of DRM schemes
might just have a "chilling effect" or two. An examination of just how
well the market has done in producing "consumer-friendly" DRM so far might
have been in order. And it might have been nice to see at least a passing
mention of the public domain, the source of many of the ideas which have
been incorporated into current, eternally-copyrighted content.
But there are two larger failures here. The first is the firm distinction
between "producers" and "industry" on one side, and "consumers" on the
other. We are, it seems, supposed to go off, be good little consumers, and
not worry our pretty little heads about how the "producers," out there
somewhere, will protect their content in a "friendly" manner. When your
editor was young, it was often noted that freedom of the press is great if
you happen to own a press. Now that your editor is no longer so young, we
all own presses. We are no longer to be called "consumers," told to enjoy
the products from "industry" in some business-friendly way. We, too, are
producers, and we have a stake in this game. The CDT has not yet figured
that out.
One of the most dramatic ways in which we are producers can be seen in the
free software community. LWN readers are not "consumers" of Linux; they
are its producers. And we have produced a world where many copyright
infringement issues are no longer relevant. But, to the CDT, we do not
exist. Any balanced look at DRM must include this fact: free software and
DRM are absolutely incompatible with each other. When "consumers" actually
have control over their computers (and DRM-capable devices are computers),
they need not accept externally-imposed restrictions on what those
computers can do. The CDT's "consumer-friendly" DRM vision, almost by
definition, cannot include free software.
Certainly, we wish to live in a world where producers can make a living
from their work. We are all producers now, remember? Besides, how else
will we ever get to see the final three Star Wars movies we were promised
back in the 1970's? The CDT's answer to this problem, however, does not
describe a world that many of us would want to live in. Some of us,
evidently, have a different idea of what constitutes "democratic values."
Page editor: Jonathan Corbet
Security
There has been a persistent round of rumors stating that upcoming Intel
processors come with an additional, unwelcome feature: hardware digital
restrictions management (DRM) capabilities. According to some, this
built-in DRM is the motivating force behind Apple's just-announced switch
to Intel processors. If Intel is to be believed, the reality of the
situation is not as bad as one might fear.
According to Donald Whiteside, an Intel VP,
there is no secret DRM in Intel's chips:
The rights management technology referred to in the article was not
a secret DRM from Intel, but the DTCP-IP technology publicly
offered by the 5C Entity; which Intel is a Founder. Intel believes
that the DTCP-IP technology is an important element in enabling
protected transport of compressed content within the home network,
and we continue to promote DTCP-IP for this application which
enables greater consumer flexibility & use of premium
entertainment content.
The DTCP web site has some information
on this technology - though one must pay significant money and sign some
highly restrictive documents to get the full scoop. Essentially, DTCP is a
way for devices to talk over local links - an IEEE1394 connection or home
wireless network, for example - without creating fears that somebody's
Valuable Intellectual Property will leak out into the world and bring an
end to civilization. It's a fairly straightforward combination of
encryption and remote attestation protocols.
Essentially, a DTCP-enabled device has, buried within it, a signed
certificate identifying it as being approved by the powers that be. When
two such devices communicate, they send challenges and check certificates
to ensure that they are both approved; if the authentication step fails, no
content will be exchanged. Assuming the authentication succeeds, encrypted
content can be sent in one direction or the other; this content includes a
set of flags specifying the rules which are to apply to the copying of that
content. Anybody who makes an approved device must, of course, promise to
implement those rules.
The DTCP designers have not left things to chance; each device includes
within it a "revoked certificates" list. When somebody's gadget is shown
to be insufficiently attentive to the restrictions applied to Valuable
Intellectual Property, its certificate can be added to that list. Every
device, and every piece of content as well, carries a copy of the list, and
devices will update their list when a newer version comes along. So your
compromised video player may well make copies for a while, until you bring
in a disk with a new revocation list; after that, none of your other
gadgets will talk to it any more.
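The exchange described above can be modelled in a few lines. This is an added example, not code from the article or from the DTCP specification: the device names, the `Device` and `RevocationList` classes, and the use of a shared HMAC key in place of the authority's public-key signatures are all assumptions made to keep it runnable with the standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: one HMAC key stands in for the licensing authority's signing key,
# so every verifier in this model also holds it. A real scheme would use
# public-key signatures; HMAC keeps the model runnable on the standard library.
AUTHORITY_KEY = b"constructed-demo-key"


def sign(payload: bytes) -> bytes:
    return hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def _list_bytes(version: int, revoked: frozenset) -> bytes:
    return b"RL|%d|" % version + ",".join(sorted(revoked)).encode()


@dataclass(frozen=True)
class RevocationList:
    version: int
    revoked: frozenset
    sig: bytes

    @classmethod
    def issue(cls, version, revoked=()):
        revoked = frozenset(revoked)
        return cls(version, revoked, sign(_list_bytes(version, revoked)))

    def authentic(self) -> bool:
        return verify(_list_bytes(self.version, self.revoked), self.sig)


@dataclass
class Device:
    device_id: str
    cert: bytes            # authority's signature over the device id
    key: bytes             # per-device secret that proves ownership of the cert
    rl: RevocationList

    @classmethod
    def manufacture(cls, device_id, rl):
        ident = device_id.encode()
        return cls(device_id, sign(b"CERT|" + ident), sign(b"KEY|" + ident), rl)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

    def absorb(self, candidate: RevocationList) -> bool:
        """Adopt a list only if it is authentic and strictly newer (no rollback)."""
        if candidate.authentic() and candidate.version > self.rl.version:
            self.rl = candidate
            return True
        return False

    def accepts(self, peer: "Device") -> bool:
        """One direction of the handshake: certificate, revocation, challenge."""
        ident = peer.device_id.encode()
        if not verify(b"CERT|" + ident, peer.cert):
            return False
        if peer.device_id in self.rl.revoked:
            return False
        challenge = os.urandom(16)
        expected = hmac.new(sign(b"KEY|" + ident), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, peer.respond(challenge))


def handshake(a: Device, b: Device) -> bool:
    """Swap revocation lists, then authenticate in both directions."""
    a.absorb(b.rl)
    b.absorb(a.rl)
    return a.accepts(b) and b.accepts(a)


def scenario() -> dict:
    v1 = RevocationList.issue(1)
    player, tv, recorder = (Device.manufacture(n, v1) for n in ("player", "tv", "recorder"))
    results = {"before": handshake(player, tv)}

    # A forged list (higher version, bad signature) must be ignored.
    forged = RevocationList(9, frozenset({"tv"}), b"\x00" * 32)
    results["forged_absorbed"] = recorder.absorb(forged)

    # New media arrives carrying list v2, which revokes the player.
    disk_list = RevocationList.issue(2, {"player"})
    results["disk_absorbed"] = recorder.absorb(disk_list)
    results["recorder_tv"] = handshake(recorder, tv)      # tv learns v2 here
    results["tv_version"] = tv.rl.version
    results["after"] = handshake(player, tv)              # player now refused
    results["rollback_absorbed"] = tv.absorb(v1)
    return results


if __name__ == "__main__":
    print(scenario())
```

The television never sees the new disk itself; it picks up the newer list from the recorder during an ordinary handshake, which is how a revocation spreads through a household of devices.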
It is still not clear what features Intel has added to its chips to support
DTCP. It is unlikely to be anything which will be useful to Linux users.
But, at least, it does not appear to be a system to lock "unauthorized"
operating systems out of the processor. And certainly none of us expected
any sort of free multimedia software to get a stamp of approval from the
entertainment industry anyway.
Brief items
Bruce Schneier has posted some predictions on the types of security problems we'll see in the near future. "Targeted worms are another trend we're starting to see. Recently there have been worms that use third-party information-gathering techniques, such as Google, for advanced reconnaissance. This leads to a more intelligent propagation methodology; instead of propagating scattershot, these worms are focusing on specific targets. By identifying targets through third-party information gathering, the worms reduce the noise they would normally make when randomly selecting targets, thus increasing the window of opportunity between release and first detection."
New vulnerabilities
dbus: information disclosure
| Package(s): | dbus |
| CVE #(s): | CAN-2005-0201 |
| Created: | June 8, 2005 |
| Updated: | August 30, 2005 |
| Description: | From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening. |
Dzip: directory traversal
| Package(s): | dzip |
| CVE #(s): | |
| Created: | June 6, 2005 |
| Updated: | June 8, 2005 |
| Description: | Dzip is vulnerable to a directory traversal attack when extracting archives. An attacker could exploit this vulnerability by creating a specially crafted archive to extract files to arbitrary locations. |
kdbg: command injection vulnerability
| Package(s): | kdbg |
| CVE #(s): | CAN-2003-0644 |
| Created: | June 2, 2005 |
| Updated: | June 8, 2005 |
| Description: | Versions of the kdbg debugger from 1.1.0 through 1.2.8 have a problem with permission checking in the .kdbgrc run command file. A local user may use this to inject malicious commands in the file. |
kernel: local denial of service, possible compromise
| Package(s): | kernel |
| CVE #(s): | CAN-2005-0756 CAN-2005-1265 |
| Created: | June 8, 2005 |
| Updated: | June 9, 2005 |
| Description: | The mmap() system call does not perform proper checking of its parameters, leading to a possible kernel crash and possible code execution. The ptrace() system call does not perform proper checking of addresses (on the x86-64 platform only), leading to a possible kernel crash. |
Mailutils: SQL injection
| Package(s): | mailutils |
| CVE #(s): | CAN-2005-1824 |
| Created: | June 6, 2005 |
| Updated: | June 8, 2005 |
| Description: | When GNU Mailutils is built with the "mysql" or "postgres" USE flag, the sql_escape_string function of the authentication module fails to properly escape the "\" character, rendering it vulnerable to a SQL command injection. A malicious remote user could exploit this vulnerability to inject SQL commands to the underlying database. |
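Why a missing backslash escape is enough, as an added example (not Mailutils code): `weak_escape`, `full_escape`, the `users` query and the sample input are hypothetical, and `read_literal` is a simplified scanner for string literals on a server that treats backslash as an escape character, as MySQL does by default.

```python
import sqlite3


def weak_escape(value: str) -> str:
    """Hypothetical escaper with the flaw described: quotes only, no backslash."""
    return value.replace("'", "\\'")


def full_escape(value: str) -> str:
    """Escape the escape character first, then the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def read_literal(sql: str, start: int):
    """Scan one single-quoted literal on a server that honours backslash escapes.

    Returns (decoded value, index just past the closing quote). Simplification:
    a backslash makes the next character literal; sequences such as \\n are not
    translated.
    """
    if sql[start] != "'":
        raise ValueError("literal must start with a quote")
    out, i = [], start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])          # escaped character, taken literally
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")                 # doubled quote inside the literal
            i += 2
        elif c == "'":
            return "".join(out), i + 1      # unescaped quote closes the literal
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")


PREFIX = "SELECT password FROM users WHERE name = "   # constructed query


def analyse(escape, user: str) -> dict:
    """Build the query by concatenation and report what the server would parse."""
    sql = PREFIX + "'" + escape(user) + "'"
    value, end = read_literal(sql, len(PREFIX))
    return {"sql": sql, "literal": value, "trailing": sql[end:]}


def bound_roundtrip(user: str) -> str:
    """Preferred fix: bind the value so no escaping function is involved."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT ?", (user,)).fetchone()[0]
    finally:
        con.close()


# Constructed input: a backslash directly before a quote, then marker text.
SAMPLE = "a\\' MARKER"

if __name__ == "__main__":
    for name, fn in (("weak", weak_escape), ("full", full_escape)):
        print(name, analyse(fn, SAMPLE))
    print("bound", repr(bound_roundtrip(SAMPLE)))
```

An input with a quote but no backslash, such as `o'brien`, passes through `weak_escape` correctly, which is why this class of bug survives casual testing; any non-empty `trailing` value is text that left the string literal and would be parsed as SQL.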
Wordpress: multiple vulnerabilities
| Package(s): | wordpress |
| CVE #(s): | |
| Created: | June 6, 2005 |
| Updated: | July 4, 2005 |
| Description: | Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser. |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170 CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
apache-utils: htpasswd buffer overflow
| Package(s): | apache-utils |
| CVE #(s): | |
| Created: | May 26, 2005 |
| Updated: | June 1, 2005 |
| Description: | The htpasswd utility has a buffer overflow vulnerability. Web sites that use an unchecked public interface to htpasswd can be used to execute arbitrary code with the privileges of the user who runs htpasswd. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953 CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
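The permission race described above, reproduced in a temporary directory as an added example (not bzip2's code): the function names and file names are hypothetical, and the `window` callback stands in for the moment at which another local user with write access to the directory swaps the output name for a hard link.

```python
import os
import stat
import tempfile


def finish_by_path(out_path, data, mode, window=None):
    """Pattern described in the advisory: write, close, then chmod by name."""
    with open(out_path, "wb") as f:
        f.write(data)
    if window:
        window()                 # the name can be re-pointed during this gap
    os.chmod(out_path, mode)     # resolves the name again: maybe another inode


def finish_by_fd(out_path, data, mode, window=None):
    """Hardened pattern: create exclusively, set the mode on the open descriptor."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(out_path, flags, 0o600)
    try:
        os.write(fd, data)
        if window:
            window()
        os.fchmod(fd, mode)      # applies to the inode we created, not the name
    finally:
        os.close(fd)


def run(finish):
    """Return the private file's permission bits after the simulated swap."""
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "private-file")     # constructed stand-in
        out = os.path.join(d, "archive.out")
        with open(private, "w") as f:
            f.write("not for others")
        os.chmod(private, 0o600)

        def swap():
            # Replace the output name with a hard link to the private file.
            os.unlink(out)
            os.link(private, out)

        finish(out, b"decompressed data", 0o644, window=swap)
        return stat.S_IMODE(os.stat(private).st_mode)


if __name__ == "__main__":
    print("chmod by path :", oct(run(finish_by_path)))
    print("fchmod on fd  :", oct(run(finish_by_fd)))
```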
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
cvs: multiple vulnerabilities
| Package(s): | cvs |
| CVE #(s): | CAN-2005-0753 |
| Created: | April 18, 2005 |
| Updated: | July 13, 2005 |
| Description: | CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code. |
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 10, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq |
| CVE #(s): | |
| Created: | April 4, 2005 |
| Updated: | July 21, 2005 |
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing. |
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
Ethereal: numerous vulnerabilities
evolution: message crash vulnerability
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0806 |
| Created: | March 17, 2005 |
| Updated: | August 11, 2005 |
| Description: | The Evolution mail client can be crashed when reading certain types of messages. |
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
FreeRADIUS: buffer overflow and SQL injection
| Package(s): | freeradius |
| CVE #(s): | CAN-2005-1454 CAN-2005-1455 |
| Created: | May 17, 2005 |
| Updated: | June 23, 2005 |
| Description: | Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS 1.0.2 and earlier may be vulnerable to a buffer overflow. He also discovered that FreeRADIUS fails to sanitize user-input before using it in a SQL query, possibly allowing SQL command injection. |
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704 CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
gdk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
gftp: missing input sanitizing
| Package(s): | gftp |
CVE #(s): | CAN-2005-0372
CAN-2004-1376
|
| Created: | February 17, 2005 |
Updated: | July 13, 2005 |
| Description: |
gftp has a directory traversal vulnerability.
A remote server could use specially crafted filenames to overwrite
local files.
|
| Alerts: |
|
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: |
|
Comments (none posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
CVE #(s): | CAN-2005-0366
|
| Created: | March 16, 2005 |
Updated: | August 19, 2005 |
| Description: |
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: |
|
Comments (none posted)
GnuTLS: Denial of Service vulnerability
| Package(s): | gnutls |
CVE #(s): | CAN-2005-1431
|
| Created: | May 9, 2005 |
Updated: | June 1, 2005 |
| Description: |
GnuTLS 1.2.3 and 1.0.25 have been
released, fixing a denial of service problem. |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gxine: format string vulnerability
| Package(s): | gxine |
CVE #(s): | CAN-2005-1692
|
| Created: | May 26, 2005 |
Updated: | July 23, 2005 |
| Description: |
The gxine media player has a format string vulnerability in the
hostname decoding function. A specially crafted file can be used
to cause a user to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gzip: race condition and directory traversal
| Package(s): | gzip |
CVE #(s): | CAN-2005-0988
CAN-2005-1228
|
| Created: | May 4, 2005 |
Updated: | July 13, 2005 |
| Description: |
gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
|
| Alerts: |
|
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
ImageMagick: xwd coder denial of service
| Package(s): | ImageMagick |
CVE #(s): | CAN-2005-1739
|
| Created: | May 26, 2005 |
Updated: | July 19, 2005 |
| Description: |
The xwd coder in ImageMagick has a vulnerability that
can be triggered by processing a maliciously crafted image.
A denial of service can result. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
infozip: privilege escalation, directory-traversal
| Package(s): | infozip |
CVE #(s): | CAN-2003-0282
CAN-2004-1010
CAN-2005-0602
|
| Created: | May 2, 2005 |
Updated: | August 1, 2005 |
| Description: |
InfoZip reports that Zip 2.3 and
(presumably) all previous versions have a buffer-overrun vulnerability
relating to deep directory paths that could potentially lead to local
privilege escalation (e.g., in the case of automated, Zip-based backups).
All versions of UnZip through 5.50 have a number of directory-traversal
vulnerabilities. |
| Alerts: |
|
Comments (1 posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
CVE #(s): | CAN-2004-1165
|
| Created: | January 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains an URL-encoded
newline before the FTP command. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-0400
CAN-2005-0749
CAN-2005-0750
CAN-2005-0815
CAN-2005-0839
|
| Created: | April 1, 2005 |
Updated: | July 1, 2005 |
| Description: |
More kernel vulnerabilities have been discovered including:
- Mathieu Lafon discovered
an information leak in the ext2 file system driver. (CAN-2005-0400)
- Yichen Xie discovered a Denial of Service vulnerability in the ELF
loader. (CAN-2005-0749)
- Ilja van Sprundel discovered that the bluez_sock_create() function
did not check its "protocol" argument for negative values.
(CAN-2005-0750)
- Michal Zalewski discovered that the iso9660 file system driver fails
to check ranges properly in several cases. (CAN-2005-0815)
- Previous kernels did not restrict the use of the N_MOUSE line
discipline in the serial driver. (CAN-2005-0839)
|
| Alerts: |
|
Comments (1 posted)
kernel: ELF loader core dump vulnerability
| Package(s): | kernel |
CVE #(s): | CAN-2005-1263
|
| Created: | May 11, 2005 |
Updated: | August 25, 2005 |
| Description: |
Paul Starzetz has posted an
advisory for yet another kernel vulnerability.
In this case, by using a specially manipulated ELF binary, a local attacker
can compromise the system (via the core dump code) and obtain root access.
This vulnerability affects all kernels from 2.2 through 2.6.12-rc4. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kimgio input validation errors
| Package(s): | kimgio |
CVE #(s): | CAN-2005-1046
|
| Created: | April 22, 2005 |
Updated: | July 19, 2005 |
| Description: |
KDE has issued a security advisory for
kimgio. This is found in kdelibs as shipped with KDE 3.2 up to and including
KDE 3.4. kimgio contains a PCX image file format reader that does not
properly perform input validation. A source code audit performed by the KDE
security team discovered several vulnerabilities in the PCX and other image
file format readers, some of them exploitable to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
| Alerts: |
|
Comments (none posted)
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities. If a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
| Alerts: |
|
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
CVE #(s): | CAN-2004-0972
|
| Created: | November 1, 2004 |
Updated: | July 25, 2005 |
| Description: |
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
mailman: path traversal
| Package(s): | mailman |
CVE #(s): | CAN-2005-0202
|
| Created: | February 9, 2005 |
Updated: | July 13, 2005 |
| Description: |
The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.
This vulnerability was used to compromise the Full-Disclosure list. |
| Alerts: |
|
Comments (none posted)
Mailutils: multiple vulnerabilities in imap4d and mail
| Package(s): | mailutils |
CVE #(s): | CAN-2005-1520
CAN-2005-1521
CAN-2005-1522
CAN-2005-1523
|
| Created: | May 27, 2005 |
Updated: | June 3, 2005 |
| Description: |
infamous41d discovered several vulnerabilities in GNU Mailutils. imap4d
does not correctly implement formatted printing of command tags
(CAN-2005-1523), fails to validate the range sequence of the "FETCH"
command (CAN-2005-1522), and contains an integer overflow in the
"fetch_io" routine (CAN-2005-1521). mail contains a buffer overflow in
"header_get_field_name()" (CAN-2005-1520). |
| Alerts: |
|
Comments (none posted)
mc: buffer overflow
| Package(s): | mc |
CVE #(s): | CAN-2005-0763
|
| Created: | March 29, 2005 |
Updated: | August 11, 2005 |
| Description: |
An unfixed buffer overflow has been discovered by Andrew V. Samoilov
in mc, the midnight commander, a file browser and manager. |
| Alerts: |
|
Comments (none posted)
MediaWiki: multiple vulnerabilities
| Package(s): | mediawiki |
CVE #(s): | CAN-2005-0534
CAN-2005-0535
CAN-2005-0536
|
| Created: | February 28, 2005 |
Updated: | June 13, 2005 |
| Description: |
A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to gain access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
Mozilla Firefox, Mozilla Suite: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2005-0989
|
| Created: | April 19, 2005 |
Updated: | July 18, 2005 |
| Description: |
The following vulnerabilities were found and fixed in the Mozilla Suite
and Mozilla Firefox:
- Vladimir V. Perepelitsa reported a memory disclosure bug in
JavaScript's regular expression string replacement when using an
anonymous function as the replacement argument (CAN-2005-0989).
- moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM
nodes from the content window, allowing privilege escalation via DOM
property overrides.
- Michael Krax reported a possibility to run JavaScript code with
elevated privileges through the use of javascript: favicons.
- Michael Krax also discovered that malicious Search plugins could
run JavaScript in the context of the displayed page or stealthily
replace existing search plugins.
- shutdown discovered a technique to pollute the global scope of a
window in a way that persists from page to page.
- Doron Rosenberg discovered a possibility to run JavaScript with
elevated privileges when the user asks to "Show" a blocked popup that
contains a JavaScript URL.
- Finally, Georgi Guninski reported missing Install object instance
checks in the native implementations of XPInstall-related JavaScript
objects.
The following Firefox-specific vulnerabilities have also been
discovered:
- Kohei Yoshino discovered a new way to abuse the sidebar panel to
execute JavaScript with elevated privileges.
- Omar Khan reported that the Plugin Finder Service can be tricked to
open javascript: URLs with elevated privileges.
|
| Alerts: |
|
Comments (none posted)
MPlayer: heap overflows
| Package(s): | mplayer |
CVE #(s): | |
| Created: | April 20, 2005 |
Updated: | July 12, 2005 |
| Description: |
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). By setting up a
malicious server and enticing a user to use its streaming data, a remote
attacker could possibly execute arbitrary code on the client computer with
the permissions of the user running MPlayer. |
| Alerts: |
|
Comments (none posted)
MySQL: input validation and temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2005-0709
CAN-2005-0710
CAN-2005-0711
|
| Created: | March 16, 2005 |
Updated: | July 19, 2005 |
| Description: |
MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
|
| Alerts: |
|
Comments (none posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
Net-SNMP: fixproc insecure temporary file creation
| Package(s): | net-snmp |
CVE #(s): | CAN-2005-1740
|
| Created: | May 23, 2005 |
Updated: | July 13, 2005 |
| Description: |
The fixproc application of Net-SNMP creates temporary files with
predictable filenames. |
| Alerts: |
|
Comments (1 posted)
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64-bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
openssh: directory traversal
| Package(s): | openssh |
CVE #(s): | CAN-2004-0175
|
| Created: | May 18, 2005 |
Updated: | July 13, 2005 |
| Description: |
The OpenSSH scp client can, when connected to a hostile server, be instructed to overwrite arbitrary files.
|
| Alerts: |
|
Comments (1 posted)
openssl: der_chop script temp file vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2004-0975
|
| Created: | November 11, 2004 |
Updated: | July 19, 2005 |
| Description: |
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under. |
| Alerts: |
|
Comments (1 posted)
OpenSSL: information leak
| Package(s): | openssl |
CVE #(s): | CAN-2005-0109
|
| Created: | May 23, 2005 |
Updated: | October 11, 2005 |
| Description: |
Hyper-Threading technology, as used in FreeBSD and other operating systems and
implemented on Intel Pentium and other processors, allows local users to
use a malicious thread to create covert channels, monitor the execution of
other threads, and obtain sensitive information such as cryptographic keys,
via a timing attack on memory cache misses. See this LWN article for more information. |
| Alerts: |
|
Comments (none posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
Opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | |
| Created: | February 14, 2005 |
Updated: | June 22, 2005 |
| Description: |
Opera has several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries. |
| Alerts: |
|
Comments (none posted)
php4: integer overflow and denial of service
| Package(s): | php4 |
CVE #(s): | CAN-2005-1042
CAN-2005-1043
|
| Created: | April 14, 2005 |
Updated: | July 13, 2005 |
| Description: |
The php4 EXIF module has two vulnerabilities. An
integer overflow in the exif_process_IFD_TAG() function
can be exploited to cause a buffer overflow for the
purpose of arbitrary code execution.
EXIF headers with a large IFD nesting level can be used
to cause a denial of service. Remote exploits are possible. |
| Alerts: |
|
Comments (none posted)
phpsysinfo: cross-site-scripting
| Package(s): | phpsysinfo |
CVE #(s): | CAN-2005-0870
|
| Created: | May 18, 2005 |
Updated: | November 15, 2005 |
| Description: |
The phpsysinfo program contains several cross-site scripting vulnerabilities. |
| Alerts: |
|
Comments (none posted)
postgresql: EXECUTE privilege vulnerability
| Package(s): | postgresql |
CVE #(s): | CAN-2005-0244
CAN-2005-0245
CAN-2005-0246
CAN-2005-0247
|
| Created: | February 10, 2005 |
Updated: | July 19, 2005 |
| Description: |
postgresql has a vulnerability in which the EXECUTE privilege may
not be checked on custom functions. This may allow any database user to
circumvent the EXECUTE restriction on functions. |
| Alerts: |
|
Comments (none posted)
postgresql: database initialization errors
| Package(s): | postgresql |
CVE #(s): | CAN-2005-1409
CAN-2005-1410
|
| Created: | May 4, 2005 |
Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
|
| Alerts: |
|
Comments (none posted)
Pound: buffer overflow
| Package(s): | pound |
CVE #(s): | CVE-2005-1391
|
| Created: | May 2, 2005 |
Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process. |
| Alerts: |
|
Comments (none posted)
ppxp: missing privilege release
| Package(s): | ppxp |
CVE #(s): | CAN-2005-0392
|
| Created: | May 19, 2005 |
Updated: | July 5, 2005 |
| Description: |
The ppxp PPP program has a log file vulnerability that can
allow the root privileges used by the software to remain active,
enabling the opening of a root shell by a local user. |
| Alerts: |
|
Comments (none posted)
realplayer: arbitrary code execution
| Package(s): | realplayer helixplayer |
CVE #(s): | CAN-2005-0755
|
| Created: | April 20, 2005 |
Updated: | June 27, 2005 |
| Description: |
RealNetworks, Inc. has fixed a
security vulnerability that offered the potential for an attacker to
run arbitrary or malicious code on a customer's machine. Linux RealPlayer
10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
samba: integer overflow vulnerability
| Package(s): | samba |
CVE #(s): | CAN-2004-1154
|
| Created: | December 16, 2004 |
Updated: | July 19, 2005 |
| Description: |
Samba has an integer overflow vulnerability
that may allow an authenticated remote user to
execute arbitrary code on the Samba server. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: DNS spoofing
| Package(s): | squid |
CVE #(s): | CAN-2005-1519
|
| Created: | May 18, 2005 |
Updated: | July 13, 2005 |
| Description: |
The squid proxy server performs DNS lookups in a way which is susceptible to answers injected by a hostile user, and, thus, DNS spoofing attacks. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-0075
CAN-2005-0103
CAN-2005-0104
|
| Created: | January 28, 2005 |
Updated: | July 19, 2005 |
| Description: |
SquirrelMail 1.4.4 has been
released, fixing a number of security issues that have been resolved
since 1.4.3a. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
telnet: buffer overflows
| Package(s): | telnet |
CVE #(s): | CAN-2005-0468
CAN-2005-0469
|
| Created: | March 28, 2005 |
Updated: | August 1, 2005 |
| Description: |
Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server. |
| Alerts: |
|
Comments (none posted)
UnAce: buffer overflow and directory traversal
| Package(s): | unace |
CVE #(s): | CAN-2005-0160
CAN-2005-0161
|
| Created: | February 28, 2005 |
Updated: | June 17, 2005 |
| Description: |
Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161). |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another user's crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: two heap overflow vulnerabilities
| Package(s): | xine-lib |
CVE #(s): | CAN-2005-1195
|
| Created: | April 26, 2005 |
Updated: | June 2, 2005 |
| Description: |
Heap overflows have been found in the code handling RealMedia RTSP and
Microsoft Media Services streams over TCP (MMST). See Xine Advisory
XSA-2004-8 for details. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
| CVE #(s): | CAN-2004-0914 |
| Created: | November 18, 2004 |
| Updated: | September 12, 2005 |
| Description: | The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code. |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
Comments (1 posted)
XV: multiple vulnerabilities
| Package(s): | xv |
| CVE #(s): | |
| Created: | April 19, 2005 |
| Updated: | July 19, 2005 |
| Description: | Greg Roelofs has reported multiple input validation errors in XV image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has reported insufficient validation in the PDS (Planetary Data System) image decoder, format string vulnerabilities in the TIFF and PDS decoders, and insufficient protection from shell meta-characters in malformed filenames. Successful exploitation would require a victim to view a specially created image file using XV, potentially resulting in the execution of arbitrary code. |
Comments (none posted)
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: | Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.12-rc6,
released by Linus on
June 6. This one
should, if all goes well, be the final testing release before 2.6.12 comes
out. Most of the patches are basic fixes, but there is also the
(temporary, hopefully) removal of the Philips webcam decompression code,
the conversion of the IDE code over to the device model way of doing
things, a CPU frequency controller update, and a user-mode Linux update.
See
the long-format changelog for the
details.
Linus's git repository has since accumulated a few dozen small fixes.
The current -mm tree is 2.6.12-rc6-mm1.
Recent additions to -mm include semi-persistent permissions for sysfs
files, the "scalable TCP" congestion control algorithm, hotplug CPU support
for the x86_64 architecture, RapidIO support (see below), an NFS update,
an unlocked_ioctl() operation for block devices,
and the v9fs filesystem (covered here last
month).
Comments (none posted)
Kernel development news
My things-to-worry-about folder still has 244 entries. Nobody
seems to care much. Poor me.
--
Andrew Morton
This is the kind of crap that happens when drivers in the kernel
are not self contained, and need "external stuff" to work properly.
It means that simple things like NFS root over the device do not
work in a straightforward, simple, and elegant manner.
I am likely to always take the position that device firmware
belongs in the kernel proper, not via these userland and filesystem
loading mechanisms, none of which may be even _available_ when
we first need to get the device going.
--
David Miller
Comments (4 posted)
Paul McKenney has taken some time and written up a detailed summary of the
current status of Linux realtime support. The resulting document (click
below) starts with a discussion of the problem, then works through the
various approaches being taken to provide realtime response with Linux.
Worth a read if you have any interest in this area.
Full Story (comments: 5)
The timer interrupt is one of the most predictable events on a Linux
system. Like a heartbeat, it pokes the kernel every so often (about every
1ms on most systems), enabling the kernel to note the passage of time, run
internal timers, etc. Most of the time, the timer interrupt handler just
does its job and nobody really notices.
There are times, however, when this interrupt can be unwelcome. Many
processors, when idle, can go into a low-power state until some work comes
along. To such processors, the timer interrupt looks like work. If there
is nothing which actually needs to be done, however, then the processor
might be powering up 1000 times per second for no real purpose. Timer
interrupts can also be an issue on virtualized systems; if a system is
hosting dozens of Linux instances simultaneously, the combined load from
each instance's timer interrupt can add up to a substantial amount of
work. So it has often been thought that there would be a benefit to
turning off the timer interrupt when there is nothing for the system to do.
Tony Lindgren's dynamic tick patch is
another attempt to put a lid on the timer interrupt. This version of the
patch only works on the i386 architecture, but it is simple enough that
porting it to other platforms should not be particularly difficult.
The core of the patch is a hook into the architecture-specific
cpu_idle() function. If a processor has run out of work and is
about to go idle, it first makes a call to
dyn_tick_reprogram_timer(). That function checks to see whether
all other processors on the system are idle; if at least one processor
remains busy, the timer interrupt continues as always. Experience has
shown that trying to play games with the timer interrupt while the system
is loaded leads to a net loss in performance - the overhead of reprogramming
the clock outweighs the savings. So, if the system is working, no changes
are made to the timer.
If, instead, all CPUs on the system are idle, there may be an opportunity
to shut down the timer interrupt for a while. When the system goes idle,
there are only two events which can create new work to do: the completion
of an I/O operation or the expiration of an internal kernel timer. The
dynamic tick code looks at when the next internal timer is set to go off,
and figures it might be able to get away with turning off the hardware
timer interrupt until then. After applying some tests (there are minimum
and maximum allowable numbers of interrupts to skip), the code reprograms
the hardware clock to interrupt after this time period, and puts the
processor to sleep.
At some point in the future, an interrupt will come along and wake the
processor. It might be the clock interrupt which had been requested
before, or it could be some other device - a keyboard or network interface,
for example. The dynamic tick code hooks into the main interrupt handler,
causing its own handler to be invoked for every interrupt on the system,
regardless of source. This code will figure out how many clock interrupts
were actually skipped, then loop calling do_timer_interrupt()
until it catches up with the current time. Finally, the interrupt handler
restores the regular timer interrupt, and the system continues as usual.
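
The idle-entry decision and the catch-up loop described above, modelled in userspace C as an added example (this is not code from Tony Lindgren's patch). The skip limits, struct dt_state and the dt_* function names are assumptions for illustration; the article does not give the real limits.

```c
#include <stdio.h>

/* Hypothetical limits: the article says minimum and maximum skip counts
 * exist but does not give their values. */
#define DT_MIN_SKIP 2UL
#define DT_MAX_SKIP 160UL

struct dt_state {
	unsigned long jiffies;    /* ticks accounted for so far */
	unsigned long next_timer; /* jiffies value of the next kernel timer expiry */
	unsigned long programmed; /* ticks the timer was told to stay quiet; 0 = periodic */
};

/* Stand-in for do_timer_interrupt(): account for exactly one tick. */
static void dt_account_tick(struct dt_state *s)
{
	s->jiffies++;
}

/*
 * Model of the hook called from cpu_idle(). idle_mask has one bit set per
 * idle CPU, online_mask one bit per CPU in the system. Returns the number
 * of ticks the timer was reprogrammed to skip, or 0 if the periodic tick
 * is left alone.
 */
unsigned long dt_idle_enter(struct dt_state *s, unsigned int idle_mask,
			    unsigned int online_mask)
{
	unsigned long skip;

	s->programmed = 0;
	if ((idle_mask & online_mask) != online_mask)
		return 0;           /* some CPU is busy: reprogramming would cost more than it saves */
	if (s->next_timer <= s->jiffies)
		return 0;           /* a kernel timer is already due */
	skip = s->next_timer - s->jiffies;
	if (skip < DT_MIN_SKIP)
		return 0;           /* too short a sleep to be worth it */
	if (skip > DT_MAX_SKIP)
		skip = DT_MAX_SKIP; /* never stay silent past the upper bound */
	s->programmed = skip;
	return skip;
}

/*
 * Model of the hook run for every interrupt, whatever its source.
 * elapsed is the number of tick periods that really passed while the
 * CPU slept (real hardware would read a free-running counter). A device
 * interrupt can arrive before the programmed wakeup, so the loop replays
 * elapsed ticks, not programmed ticks. Returns the ticks replayed.
 */
unsigned long dt_interrupt(struct dt_state *s, unsigned long elapsed)
{
	unsigned long replayed = 0;

	if (s->programmed == 0)
		return 0;           /* periodic mode: nothing was skipped */
	while (replayed < elapsed) {
		dt_account_tick(s);
		replayed++;
	}
	s->programmed = 0;          /* back to the regular periodic tick */
	return replayed;
}

int main(void)
{
	/* Constructed scenario: two CPUs, next kernel timer 50 ticks away. */
	struct dt_state s = { 1000, 1050, 0 };

	printf("one CPU busy:   skip %lu\n", dt_idle_enter(&s, 0x1, 0x3));
	printf("all CPUs idle:  skip %lu\n", dt_idle_enter(&s, 0x3, 0x3));
	printf("early wakeup:   replayed %lu, jiffies now %lu\n",
	       dt_interrupt(&s, 20), s.jiffies);
	return 0;
}
```
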
The end result is a system which can drop down to about 6 timer interrupts
per second when nothing is going on. That should eventually translate into
welcome news for laptop users and virtual hosters running Linux.
Comments (7 posted)
One of the patch sets which showed up in the 2.6.12-rc6-mm1 kernel is the
RapidIO subsystem, contributed by Matt
Porter (of Montavista). Your editor, being ignorant of the
RapidIO standard, decided to have a look.
RapidIO turns out to be a sort of backplane interconnect intended mainly
for embedded systems. It allows for multiple hosts to exist on the same
bus and work collaboratively with the available peripherals. It is a sort
of highly local area network.
The RapidIO site provides no end of highly detailed specifications for the
truly curious. The rest of us, however, can learn a lot by looking at a network driver packaged with the rest of the
Linux RapidIO patch. This driver provides a simple example of how to use
the API provided by the RapidIO layer; it enables network packets to be
exchanged with another host on the RapidIO bus.
The RapidIO subsystem is integrated with the device model, so it provides
the expected structures: rio_dev and rio_driver.
Drivers can register a probe() function which enables them to take
responsibility for devices (which can be other hosts) as they turn up on
the interconnect. The example network driver uses a wildcard ID table so
that it is given the opportunity to work with all other devices out there;
it will happily send packets to any suitably capable device.
"Suitably capable," in this case, means that the device implements the two
basic primitives used to communicate across the RapidIO interconnect.
"Doorbells" are a way of sending simple, out-of-band signals to remote
nodes; the doorbells used by the network driver are those which announce
device addition and removal events. Most work, however, is done with
"mailboxes," essentially a reliable packet delivery service. If one
RapidIO device sends a message to another via a mailbox, the lower levels
will do their best to ensure that the message arrives uncorrupted and in
the right order.
So how does one RapidIO network node send a packet to another? Taking out
the usual overhead and error handling, it comes down to the following:
    static int rionet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
    {
        struct rionet_private *rnet = ndev->priv;
        rio_add_outb_message(rnet->mport, rdev, 0, skb->data, skb->len);
    }
rdev is a rio_dev structure corresponding to the
destination host on the RapidIO backplane. This call sends the data in the
network packet (skb) out through the given mailbox to the desired
device. When the transmission is
complete, the driver will receive a callback so that it can perform any
necessary cleanup (freeing the skb in this case).
Packet reception requires setting up a ring of receive buffers, much like
one would see in any network driver. In this case, the necessary code
looks like:
    do {
        rnet->rx_skb[i] = dev_alloc_skb(RIO_MAX_MSG_SIZE);
        if (!rnet->rx_skb[i])
            break;
        rio_add_inb_buffer(rnet->mport, RIONET_MAILBOX,
                           rnet->rx_skb[i]->data);
    } while ((i = (i + 1) % RIONET_RX_RING_SIZE) != end);
The RapidIO subsystem maintains a list of buffers waiting for incoming
mailbox messages; new buffers are added with
rio_add_inb_buffer(). When a message actually shows up, the
driver gets a callback (established when the mailbox is allocated), which,
in the end, does the following:
    if (!(data = rio_get_inb_message(rnet->mport, RIONET_MAILBOX)))
        break;
    rnet->rx_skb[i]->data = data;
    skb_put(rnet->rx_skb[i], RIO_MAX_MSG_SIZE);
    error = netif_rx(rnet->rx_skb[i]);
The code assumes that anything arriving on the given mailbox will be a
network packet. Beyond that, little checking is required; all of the
details, including data integrity checks, will have been taken care of by
the lower levels.
The list of RapidIO-capable devices is small at the moment, but appears to
be growing. As these devices become available, Linux will have the
low-level infrastructure needed to support them. The embedded Linux
community has often been accused of keeping its work to itself and not
contributing back to the kernel as a whole. The contribution of the
RapidIO subsystem is another sign that this situation may be changing;
that, perhaps, is more welcome than the code itself.
Comments (none posted)
If there is one thing that almost all kernel developers agree with, it's
that more testing is a good thing - especially if the results are presented
in a useful way. Martin Bligh thus got a warm reception when he
announced a new kernel testing facility. As
he put it:
Currently it builds and boots any mainline, -mjb, -mm kernel within
about 15 minutes of release. runs dbench, tbench, kernbench, reaim
and fsx. Currently I'm using a 4x AMD64 box, a 16x NUMA-Q, 4x
NUMA-Q, 32x x440 (ia32) PPC64 Power 5 LPAR, PPC64 Power 4 LPAR, and
PPC64 Power 4 bare metal system.
This is, indeed, a fairly wide range of coverage. The results
are presented as a simple table, showing which kernels passed the tests and
which did not. When a kernel fails a test, the relevant information is
provided (though, often, that information is simply "did not boot," which
is not entirely helpful).
These results have been augmented with benchmark
results, presented in a handy graphic form. The graph shown on the
right, for example, notes that kernbench performance improved significantly
around 2.6.6, and has held steady since 2.6.10. The -mm trees, however,
perform notably worse than the mainline, and the difference between the two
has been growing. The results have already led to some investigation into
what is going on; the current suspect is the (36!) scheduler patches
currently living in -mm.
Numerous others have worked at testing and benchmarking kernel releases.
Martin's work, however, has the advantages of being automated and
presenting the results in a reasonable way. With these attributes, this
project stands a good chance of helping the developers to produce better
kernels in the near future.
Comments (6 posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
Michael K. Johnson
announced the 0.24 release of
rpath Linux, formerly known as "Specifix Linux," last Thursday. This release includes 0.60.4 of the Conary Software Provisioning System. Conary is meant to replace package managers like RPM and dpkg.
We downloaded the rpath ISOs and took the distribution for a little test drive, and we e-mailed Johnson and chatted with him in the #conary channel on freenode.net about the distribution and Conary to find out what it has to offer over other packaging systems.
In terms of the rpath distribution itself, Johnson said that it wasn't particularly unique, apart from the Conary packaging system. "Because the whole point is to be quite 'vanilla' outside of Conary, rpath Linux's main unique feature is that it is built with Conary. (Even that is not quite unique, actually, since Foresight Linux exists and is built with Conary as a derivative of rpath Linux.)" The rpath distribution uses an Anaconda installer, and basically is a "vanilla" distribution with a GNOME 2.10 desktop and a lot of the applications you'd expect to see in a basic desktop distribution.
As the introduction to the Conary system explains, Conary is a packaging system that works like a Source Control Management (SCM) system. Everything is stored in a distributed repository, rather than package files. Components and packages in Conary are called "Troves." A source component may be built with different configurations and/or for different architectures. This is called a "flavor." A good example of this would be kernels built for SMP systems, or with different instruction sets. The SMP and UMP kernels would be different "flavors" of a component.
Versioning in Conary works a bit differently than with package systems like RPM and dpkg. For example, the RPM naming convention provides the name of the package, the version, the package release number, and the architecture. So the Abiword package for Fedora Core 3 is abiword-2.0.12-3.i386.rpm. Conary, on the other hand, names files according to the repository, the version number of the software, source revision number and binary revision number.
In practice, Conary's design allows one to install a package like Abiword and its dependencies without necessarily installing additional packages. For example, installing the Abiword "Trove" added the Enchant library component, but not the Enchant runtime or document components. Johnson also said that Conary makes it easy to install multiple versions of libraries. For example, users who run x86_64 should be able to easily install x86 and x86_64 versions of libraries.
Conary divides files up between components automatically (with manual overrides, of course) and the defaults make it easy to have multiple non-conflicting libraries installed on a system that supports them both. We simply build all packages with these default settings. Furthermore, Conary automatically checks for several problems that would break a multi-lib setup, and halts the build with errors if it sees them. This means that we don't have to have a special rebuild to make some core set of x86 libraries available on x86_64; instead, any of the x86 :lib components can install and function on x86_64. This is going to become more and more important now that both AMD and Intel's mainstream is entirely 64-bit x86_64.
Conary also works like an SCM in that one can roll back transactions. By running "conary rblist" one can see the recent commits to the system and one can also move backwards by running "conary rollback r.nnn" where "nnn" is the number of the revision. The list of commits to the system appears to start from the very beginning of the installation, so one could conceivably roll back quite a few changes rather easily. Note that rollbacks cannot be applied out of order, so one must progress backwards one rollback at a time.
The system can also be used to generate local changesets that can be committed to a local repository, and updated on other machines from that repository. This makes Conary interesting for system admins who need to customize software across a group of machines.
Conary also supports "branches" for development of Troves, so one may install a branch of an application and continue to follow that development tree rather than worrying about a conflict between versions of the application. If the main rpath distribution includes Firefox, for example, and there's an experimental version of Firefox in the "contrib" repository the user can install the experimental version from the contrib repository and then follow that branch of development without worrying about conflicts with the "official" version in the main repository. This also works with Conary flavors, so once one installs a specific flavor, that flavor will be installed when the user updates the package.
The rpath distribution also includes a Conary GUI application that serves as a browser for repositories, and which makes it easy to see what Troves are available for installation and so forth. It was easy to install Abiword and other applications from the Conary GUI, though the GUI works on the metaphor of applying updates rather than "installing" a package -- which might throw some users off. The Conary command-line tools took a bit of getting used to, but this is probably more a symptom of many years' experience with RPM and dpkg, rather than a sign that Conary is overly complex. It's not quite as slick as APT or Yum just yet, but Johnson did say that work is still being done on Conary.
We also asked Johnson what the goals for rpath Linux were, and where rpath could "fit" in the already-crowded distribution market. According to Johnson, the problem is not that the market is too crowded, but that it's "crowded in the wrong way."
It is crowded with lots of little effectively unrelated operating system images, all different, and different in ways that aren't immediately obvious, easily discoverable, or even intentional. There's no real reason, for example, to think of every Knoppix derivative as a separate "distribution", except that the technology doesn't explicitly work with them as a set of related and interoperable sources of operating system data. With Conary and rpath Linux, we are separating the concepts of "distribution" and "installation image". The repository is the canonical source of the bits, not a set of ISO images. Why should it be hard to create a custom installation image that represents exactly what you want to install on your system? That's a trick question; the answer is that it shouldn't be! Doing that should not be counted as creating "another distribution".
Think more about a set of custom, interoperable operating system images instead of "distributions". Then you can pick the best operating system image without worrying about choosing a distribution putting you in a corner. Conary is the core technology which enables this view, and rpath Linux is a foundation or cornerstone.
He also said that the goal for rpath was "to make it a good distribution on which to base a derivative."
Ken VanDine joined the Conary community immediately after we announced Conary, and he quickly saw the potential Conary's new model provides. He then set to work on a derivative distribution called
Foresight Linux which has about 20% changed or new content relative to rpath Linux...
Being a good source for derivative operating system images has some definite implications. rpath Linux must not be too heavily patched, because the more patches we apply to an upstream project, the less likely it is that some other patch (which someone building a derivative wants to apply in their derivative) will apply. The distribution needs to be functional and coherent, because otherwise who will want to use it as a source for their derivative work? It needs to be relatively current, because new patches aren't likely to apply easily to old source code.
Some people ask whether this approach will make "distribution hell" that much worse. Fortunately, the answer is, "no". When Conary is widely adopted (the only case that actually matters from this perspective), we'll have lots of interoperable slices, with rich dependencies that make it clear what actually interoperates. Already, rpath Linux users sometimes cherry-pick the bits that they want from the Foresight Linux repositories. Rich dependencies and explicit distribution and package inheritance will make this continue to work. Conary will mean that there are more customized installation images available, but will alleviate unnecessary incompatibilities by allowing derivatives to differ in distinctives only, and not drift apart into mutually-incompatible projects.
Obviously, Conary will achieve these goals by being adopted. Since Conary is currently in beta, and rpath Linux is in the last few stages of being alpha, I'm looking a little bit into the future here!
Conary is not limited to Linux systems. Johnson said that Conary should work "just fine" on BSDs, and that they've had a report of successful Conary installation on Cygwin. The rpath distribution is probably not ready for production use (we ran into some spectacular Python errors using Conary after just a few updates and rollbacks), but the Conary package system is definitely worth a look. It should be interesting to see whether or not the Conary package system catches on. It has some worthwhile features, but it won't be easy to convert users who are already familiar with (and have strong biases towards) existing packaging systems.
Comments (5 posted)
New Releases
The Debian Project has announced (click below) the official release of
Debian GNU/Linux version 3.1 (Sarge). "This release includes a
number of up-to-date large software packages, such as the K Desktop
Environment 3.3 (KDE), the GNOME desktop environment 2.8, the GNUstep
desktop, XFree86 4.3.0, GIMP 2.2.6, Mozilla 1.7.8, Galeon 1.3.20, Mozilla
Thunderbird 1.0.2, Firefox 1.0.4, PostgreSQL 7.4.7, MySQL 4.0.24 and
4.1.11a, GNU Compiler Collection 3.3.5 (GCC), Linux kernel versions 2.4.27
and 2.6.8, Apache 1.3.33 and 2.0.54, Samba 3.0.14, Python 2.3.5 and 2.4.1,
Perl 5.8.4 and much more."
Full Story (comments: 17)
Version 3.0 r6 of Debian GNU/Linux 3.0 (woody) is out.
"This is the sixth and final update of Debian GNU/Linux 3.0 (codename
`woody') which mainly adds security updates to the stable release,
along with a few corrections to serious problems."
Full Story (comments: none)
rpath Linux, the distribution formerly known as Specifix Linux, has been
released; it is available for the x86 and x86-64 architectures. Click
below for details and download information.
Full Story (comments: none)
64 Studio Ltd., a company developing a collection of software for digital
content creation on x86_64 hardware, has made an iso image for v0.2.0
alpha. This will install Debian Pure 64 with X.org, the Gnome desktop and
an initial selection of creative applications including music, graphics and
publishing tools.
Full Story (comments: 2)
Xandros Business Desktop 3.0 is out. This distribution is being heavily
pitched as a Windows replacement; it claims a high level of Windows
interoperability and the ability to run many Windows programs.
Full Story (comments: 5)
Distribution News
There is both good news and bad news in the
Bits from GNU/kFreeBSD maintainer report. The
good news is that the port is very nearly complete. The bad news is that
one of its maintainers is quitting.
Arnaud Vandyck has this report on Debian Java
in Sarge, which provides an overview of what has changed between Woody
and Sarge.
A bug has been discovered in the 3.1r0 CD/DVD
images. "new installs from these images will have a
commented-out entry in /etc/apt/sources.list for
"http://security.debian.org/ testing/updates" rather than an active entry
for "http://security.debian.org/ stable/updates", and thus will not get
security updates by default." You should read the release notes
before that Woody upgrade or new Sarge install too.
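
A check for the sources.list problem described in the 3.1r0 image report above, as an added example in C (not Debian's own tooling): it reports whether an active security.debian.org entry for the wanted suite exists, or only a commented-out or wrong-suite one. The function names, the status enum and both sample files are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum sec_status {
	SEC_OK,       /* an active entry for the wanted suite exists */
	SEC_INACTIVE, /* archive is mentioned, but only commented out or for another suite */
	SEC_ABSENT    /* archive is not mentioned at all */
};

/* Accept only the exact archive host, not look-alike prefixes. */
static int is_security_uri(const char *uri)
{
	static const char base[] = "http://security.debian.org";
	size_t n = sizeof(base) - 1;

	return strncmp(uri, base, n) == 0 && (uri[n] == '/' || uri[n] == '\0');
}

/* Scan the text of a sources.list for "deb <security uri> <want_suite> ...". */
enum sec_status check_security_entry(const char *text, const char *want_suite)
{
	enum sec_status st = SEC_ABSENT;

	while (*text) {
		char line[512], type[16], uri[256], suite[64];
		size_t len = strcspn(text, "\n");
		size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
		const char *p = line;
		int commented = 0;

		memcpy(line, text, n);
		line[n] = '\0';
		text += len;
		if (*text == '\n')
			text++;

		/* Skip indentation; a leading '#' marks the entry as disabled. */
		while (isspace((unsigned char)*p) || *p == '#') {
			if (*p == '#')
				commented = 1;
			p++;
		}
		if (sscanf(p, "%15s %255s %63s", type, uri, suite) != 3)
			continue;
		if (strcmp(type, "deb") != 0 || !is_security_uri(uri))
			continue;
		if (!commented && strcmp(suite, want_suite) == 0)
			return SEC_OK;
		st = SEC_INACTIVE;
	}
	return st;
}

/* Constructed sample: the state the report describes for affected installs. */
static const char sample_affected[] =
	"deb http://ftp.debian.org/debian/ stable main\n"
	"# deb http://security.debian.org/ testing/updates main contrib\n";

/* Constructed sample: the same file with the entry the report says should be active. */
static const char sample_corrected[] =
	"deb http://ftp.debian.org/debian/ stable main\n"
	"deb http://security.debian.org/ stable/updates main contrib\n";

int main(void)
{
	static const char *names[] = { "ok", "inactive", "absent" };

	printf("affected:  %s\n",
	       names[check_security_entry(sample_affected, "stable/updates")]);
	printf("corrected: %s\n",
	       names[check_security_entry(sample_corrected, "stable/updates")]);
	return 0;
}
```
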
Roberto C. Sanchez has announced a Debian
Package Customization HOWTO. This looks like a good starting place if
you want to customize your Debian installation.
Comments (none posted)
A draft
release
schedule is available for Ubuntu's Breezy Badger. The final release is
expected on October 13, 2005, with several milestones between here and there.
Full Story (comments: none)
Apple has decided to start using Intel chips. See this eWeek
article for more information. We have a response (click below) from
Kai Staats, CEO of Terra Soft Solutions, Inc., provider of Yellow Dog
Linux. "We remain a Linux development company with 100% focus on the
Power Architecture (IBM, Freescale). We will not transition to support an
x86/ia64 architecture."
Full Story (comments: 37)
The Fedora Project is
participating in
Google's Summer of
Code. It is an opportunity for students to be paid for working on
Fedora.
Fedora Core 4 has been postponed. It's now
due out on June 13, 2005.
Comments (none posted)
Distribution Newsletters
The Gentoo Weekly Newsletter the week of June 6, 2005 is out. This week's
news includes the unmasking of Python 2.4, containment for the busybox
glitch, Gentoo for Zaurus, developer of the week Bryan Østergaard aka
kloeri and more.
Full Story (comments: none)
Fedora Documentation Steering Committee (FDSCo) has released
the minutes from the May 31, 2005 meeting.
Items on the agenda included FC4 Release notes status, FC4 Installation
Guide status, Documentation Guide thoughts, and Tools status.
The FDSCo meeting for June 7, 2005 looked
at Release notes really completed, Installation Guide completed, and DOCG
meeting tentative for 27 June.
Comments (none posted)
The Mandriva Linux Community Newsletter for June 3, 2005 is out. This
edition covers the public release of Mandriva Linux Limited Edition 2005,
LE2005 for PowerPC, a monthly payment option for Mandriva Club memberships,
and more.
Full Story (comments: none)
The DistroWatch Weekly for June 6, 2005 is out. "Amid obvious signs
that the long-awaited new Debian stable release is about to be unleashed on
the impatient public, the euphoria in the Debian land was spoilt last week
by a truly sad news about the death of Libranet's founder and President Jon
Danzig. Meanwhile, the Fedora users will have to wait another week before
they can put their hands on the distribution's latest release - Fedora Core
4. GoboLinux is our featured distribution of the week and Robert Storey
shows you how to configure SpamAssassin to kill off email from online
pharmacies and other unscrupulous businesses."
Comments (none posted)
Minor distribution updates
Version 2.6.11.10 of the Crash Recovery Kit for Linux is available
for the X86_64/AMD64 architecture:
"I want to announce here the availability of the
Crash Recovery Kit for Linux 2.6.11.10 (X86_64/AMD64)
with S.M.A.R.T. monitoring support using smartmontools 5.33
which also can monitor SATA drives using kernel 2.6.11.10."
Also, a version for the i586 architecture is available.
Full Story (comments: none)
Package updates
Mandriva updates
kdenetwork (MSN protocol
changes for v10.1),
lsb-release (LSB
requirements for Corporate 3.0).
Comments (none posted)
This week's updates for Slackware are centered around the kernel packages,
with updates to the default 2.4.31 kernel and the 2.6.11.11 kernel in
testing.
Full Story (comments: none)
Trustix Secure Linux Bugfix Advisory #2005-0027 covers various package
fixes to apache, bittorrent, cyrus-imapd, mailman, mod_perl, mysql and
zlib.
Full Story (comments: none)
Newsletters and articles of interest
developerWorks takes a look at Linux From Scratch and related projects.
"Linux® From
Scratch (LFS) and its descendants represent a new way to teach users how
the Linux operating systems work. LFS is based on the assumption that
compiling a complete operating system piece by piece not only teaches how
the operating system works but also allows an independent operator to build
systems for speed, footprint, or security."
Comments (none posted)
Distribution reviews
Heise Online takes a look at the latest KNOPPIX release.
"Knoppix 3.9 contains even more
updates for the UNIX/Linux desktop KDE and the OpenOffice suite. Version
3.4 of KDE is now included, while beta version 2.0 of OpenOffice is
included in Knoppix 3.9. In addition, all of the other software packages
were tailored to the latest version of Debian/sid (the developer version of
the Linux distribution from Debian)."
Comments (none posted)
NewsForge hears from a LFS fan.
"LFS is probably the only Linux distribution in
which building the system is as much part of the experience as working on
it. LFS must be built alongside an existing Linux distribution. This allows
you flexibility in choosing the best compiler options for a particular
package. It lets you research packages on the Net or elsewhere thoroughly
before installing them. You can revert to your existing system if something
goes awry. For a tinkerer such as I, this is manna. When I built my system,
I happily spent hours looking around, selecting packages and options to use
on my system. The whole procedure entails an unbeatable learning experience
in that you actually watch your system grow from the basic toolchain to a
desktop."
Comments (none posted)
Page editor: Rebecca Sobol
Development
GePhex is a real-time
video effect framework. In a previous LWN article,
Fun with video effects on Linux, some lower-level video effect
utilities were examined. GePhex uses software from other applications
as component pieces in a high-level video effector system.
GePhex is a modular video jockey software. The base visuals can be chosen from sources like video files or cameras. Then they can be modified by filters and mixers. Each modifier has several parameters, that can be controlled by signal-generators, input devices like joysticks, sound cards, or midi-devices.
GePhex runs on GNU/Linux, Win32, Mac OS X, and FreeBSD. The effect engine is independent from the user interface, which can be de- and attached at runtime. All effects and media streams are extendible by plugins. GePhex is written in C++.
The list of
features
summarizes the project's main capabilities.
The GePhex Book has tutorial-style examples of some of the
capabilities of the software; it also includes installation and
API information as well as the project history.
The GePhex Book explains which audience the software is aimed at:
"Video jockeys can use this system to modify or recombine existing footage or create new video effects in an interactive process. External devices like joysticks, midi-keyboards, or web-cams can influence the real-time video generation."
In other words, GePhex can be used to turn your computer into a
stand-alone light show.
The GePhex project was started in 2001; the first stable version
was released in 2003. The project has been put together by
this list of
developers.
Version 0.4.3 of gephex
was announced
this week; it features the addition of most of the
effecTV effects,
experimental Mac OS X support, initial OSC support, usability improvements,
and bug fixes.
GePhex configured and built with no problems on a Fedora Core 3
system, and it
was possible to activate the rendering engine and run most of the
demo configurations, or "graphs" in GePhex terminology. Playing with
the properties of the various inputs and filters and tweaking some of
the GUI controls produced some very interesting visual effects.
The GePhex gallery
has some still images that were produced by the application, but one
should really run GePhex to get an idea of its real-time capabilities.
Several
example effects
are also available for extending the initial set of configurations.
Comments (2 posted)
System Applications
Audio Projects
Version 1.1.9 of
Speex,
an audio CODEC, is out with the following changes:
"
The main improvement in this release is that the acoustic echo canceller is finally usable. This work has been sponsored by Tipic Inc. Also, several bugs have been fixed for the TI C5x port."
Comments (none posted)
Database Software
KDE.News
reviews
the latest additions to Knoda.
"
Knoda is a database frontend for KDE. With its latest release, Knoda
introduces support for Firebird and Paradox databases, now supporting all
open source SQL servers. Besides managing tables and queries, Knoda also
lets you create forms and reports, scriptable via Python."
Comments (none posted)
The June 6, 2005 edition of the PostgreSQL Weekly News is online
with coverage of PostgreSQL database development.
Full Story (comments: none)
Harish Singh has sent in an announcement for the
PyDO2 utility.
"
I'd like to suggest an announcement for PyDO2 which is "an ORM (Object-Relational Mapper) database
access library for Python". The new release is in alpha but is already shaping up to be a killer app."
Full Story (comments: 1)
Web Site Development
Version 1.5 RC 1 of ATutor, a Web-based Learning Content Management System,
is out.
"
ATutor 1.5RC1 has been released, and there are some big changes. This release
candidate is primarily a call to the ATutor community to provide feedback and
suggestions before the final release coming in early July. Some features to
look for: modular Student Tools, a SCORM Run-Time Environment, and extended
templating capabilities, among many others."
Comments (none posted)
Version 1.7 beta 1 of the Midgard content management framework is out.
"
Midgard provides a reliable, carrier-grade CMS framework built for the LAMP platform.
Midgard's core features include internationalization, accessibility, scalability and PHP connectivity.
This development release includes a Midgard2 technology preview."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.2.1 of the Oscilloscope DSSI plugin is available
with bug fixes.
Full Story (comments: none)
Desktop Environments
The following new GNOME software has been announced this week:
Comments (none posted)
The following new KDE software has been announced this week:
Comments (none posted)
The June 3, 2005 edition of the
KDE Commit Digest
is online; here's the content summary:
"
Kexi supports CSV import. kttsd adds support for Cepstral voices. Kopete add webcam receiving support for yahoo. Kopete implements global identity for all the IM services. KTorrent add search capability. Kopete support for Skype is in progress. Datakiosk adds prompts for sql queries and search."
Comments (none posted)
Electronics
Version 0.0.2 and pre-beta version 0.0.3 of
Simted, an engine for modeling software for the solution of nonlinear systems, are out.
"
The modern level of technical development puts forward high requirements to accuracy and time of modeling of devices: electronic, micromechanical (MEMS), thermodynamic, hydraulic, etc. Such systems can be described with the help of the nonlinear ordinary differential equations."
Comments (none posted)
GUI Packages
Version 2.6.1 of
wxWidgets, a
cross-platform GUI framework, is available.
"
Bug fixes include refresh improvements on Windows, better wxX11 menu support, wxMac fixes for Tiger, and the ability to compile wxMSW with Winelib under Unix."
Comments (none posted)
Interoperability
Issue #277 of
Wine Traffic is available with the latest Wine project news.
Topics include: Summer of Code, Wine on Solaris,
Copy Protection Status #1 and #2, and Forking and Printing.
Comments (none posted)
Mail Clients
MozillaZine
covers the
announcement of version 1.1 Alpha 1 of Mozilla Thunderbird, a mail and newsgroup client.
"
Major new features in Thunderbird 1.1 Alpha 1 include a phishing detector, an
improved spell checker (including inline as-you-type checking in the Compose
window), support for removing attachments from received messages, enhanced
RSS/Atom feed functionality (including support for podcasting) and a better
user interface."
Comments (none posted)
Office Suites
KDE.News has
an announcement
for a new KOffice 1.4 Release Candidate.
"
If nothing disastrous is found in this release, it will be renamed
and become KOffice 1.4. A Live-CD has been created so that you can try out
KOffice 1.4 RC without having to commit your hard disc to it."
Comments (none posted)
Web Browsers
The minutes from the May 16, 2005 mozilla.org staff meeting
have been announced.
"
Issues discussed include Mozilla Foundation people, Mozilla
Firefox 1.0.4, the 1.1 releases, in-tree localisation, build systems, XTech,
the Mozilla Store and the Community Awards."
Comments (none posted)
The minutes
from the May 31, 2005 mozilla.org staff meeting
have been announced.
"
Issues discussed include Deer Park and XTech."
Comments (none posted)
Word Processors
Version 2.2.8 of the AbiWord word processor
has been announced.
"
This release has seen a lot of bugfixes, polish, and cleanups as
we are nearing the end of the 2.2 release cycle. We are working hard
towards AbiWord v2.4, which is shaping up nicely. This release
is mostly a bugfix release, with some minor new features."
Comments (none posted)
Miscellaneous
Version 2.0.5 of KnowledgeTree
has been announced.
"
KnowledgeTree is an Open Source Document Management System, and version 2.0.5
has focussed mostly on minor bugfixes, improved error reporting around upload
failures, and preliminary support for PostgreSQL."
Comments (none posted)
Languages and Tools
C
Issue #16 of the
GCC Newsletter is online.
"
After an extensive pause, I will now attempt to hit at least the highest of the high spots of the GCC mailing list for the last few months. My intention is to mention at least briefly the events of each month from November 2004 through April 2005 in retrospect."
Comments (none posted)
Caml
The June 7, 2005 edition of the Caml Weekly News is online with
the latest new Caml language articles.
Full Story (comments: none)
Perl
Release 5.8.7 of Perl
has been announced:
"
5.8.7 is a maintenance release for perl 5.8, incorporating various minor bugfixes and optimisations. Please see the perldelta for the full details. Please report bugs using the perlbug utility".
Comments (none posted)
The May 25-31, 2005 edition of
This Week in Perl 6 is available with the latest Perl 6 development
news.
Comments (none posted)
PHP
Unstable version 1.1.0 alpha 4 of GeSHi, a syntax-highlighting PHP
class with support for over 30 languages,
is available.
"
New features to this release include auto-linkifying of e-mail addresses and URLs in highlighted source code, CSS
support again greatly improved and a language file added for CSS (so you can try highlighting CSS files at the demo
form at http://geshi.org/), the get-keywords script has been improved with new options and now uses its own copy of the PEAR files it needs, and context naming support has been greatly improved, which will lead to an important optimisation in speed and RAM usage in the next build."
Comments (none posted)
The
PHP Weekly Summary for March 7, 2005 is out. Topics include:
How to add a logo, PHP-GTK 2 development, embedding, PHP, and multi-threading, generated files in CVS?, integrated encryption request, help with segfault tracking, new egg, and shutdown order changes.
Comments (none posted)
Python
Jeremy Jones
discusses Python logging on O'Reilly.
"
Tracking down what your application does seems easy; just add a few print
statements here and there. Unfortunately, effectively tracing a program is
more difficult. That's where Python's standard logging module comes in."
Comments (none posted)
The June 7, 2005 edition of Dr. Dobb's Python-URL! is online
with a new collection of articles about the Python language.
Full Story (comments: none)
Scheme
Issue #7 of the Schemer's Gazette was published on June 7, take a look
for new Scheme language discussions, resources and events.
Full Story (comments: none)
Tcl/Tk
The June 1, 2005 edition of Dr. Dobb's Tcl-URL! is online with the
latest Tcl/Tk news and resources.
Full Story (comments: none)
Test Suites
GnomeDesktop.org
looks at
the GtkPerf application.
"
GtkPerf is an application designed to test GTK+ performance. The point is to create common testing platform to run predefined GTK+ widgets (opening comboboxes, toggling buttons, scrolling text etc.) and this way define the speed of device/platform."
Comments (none posted)
Version Control
Version 1.0.3 of Darcs, a revision control system, is out.
"
Darcs development has continued to pick up steam since the last release. Along
with the project growth came some important leadership delegation. Author
David Roundy worked with Tomasz Zielonka and Ian Lynagh, as they picked up
responsibility for the Stable and Unstable branches respectively. David
continues to focus his work in a third 'conflicts' branch, where he is in the
middle of a project to make drastic performance improvements to the darcs
conflict commutation algorithm."
Full Story (comments: none)
Miscellaneous
KDE.News
reports that Apple
Computer has announced the immediate availability of the
WebKit Open Source Project. It
includes full access to the CVS of WebKit as well as an open bug database.
WebKit is the KHTML-based system framework used on Mac OS X by Safari,
Dashboard, Mail.app, and many other OS X applications.
Comments (7 posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
PC World has posted
its list of the top 100 products of 2005. Firefox appears at the top of the list; other entries include Thunderbird, Ubuntu 5.04, Wikipedia, and Tor (which was covered on
this week's LWN Security page).
Comments (4 posted)
NewsForge
covers
the GPLFlash project. "
If you've seen the recently redesigned
Free Software Foundation Web site, you may have noticed that the FSF has
listed three projects that it says the community is in "vital need" of help
with: GPLFlash, GNU Classpath, and the GNU Compiler for Java. The reason
listed for their importance is the allure of using proprietary Java and
Flash browser plugins and proprietary operating systems that include
them. A competent, free replacement for Macromedia Flash Player would
remove a significant hurdle in the FSF's goal of encouraging a complete
desktop GNU/Linux operating system that is devoid of proprietary
software."
Comments (2 posted)
KDE.News has a
report from the
International Free Software Forum in Porto Alegre/RS, Brazil. "
The
event is a combined exhibition and talks, an exhibitions which this year
big companies wanted to be and are present, like IBM, Sun, UniSys. There
are also a number of booths belonging to the Brazilian federal and local
government. For free software groups and organizations free booths were
offered, so there is a small KDE booth as well, mainly run by local KDE
enthusiastic and developers, like Helio Chissini de Castro and Thiago
Macieira as well. Helio participated on a discussion about object oriented
programming, while I gave a presentation about how can one adapt Quanta
Plus for his own needs. The slides for my presentation are downloadable in
KPresenter format."
Comments (2 posted)
Trade Shows and Conferences
Linux Journal has
a
report on this year's LinuxFest Northwest. "
LinuxFest Northwest
is a non-commercial one-day conference and exhibition of open-source
technology with an emphasis on Linux. It is held in the city of Bellingham,
Washington, which is about 90 miles north of Seattle and about 20 miles
south of the Canadian border. It is run by the Bellingham Linux Users Group
(BLUG) with the help of other users groups. Admission is free and open to
all."
Comments (none posted)
NewsForge covers
day two of the Red Hat Summit in New Orleans.
"
Michael Tiemann, Red Hat's vice president for open source affairs, kicked off the second day of the Summit with an academic and historical explanation of the open source phenomenon. Tiemann drew parallels from works like "Guns, Germs and Steel: The Fate of Human Societies" by Jared Diamond and "Democracy in America" by Alexis de Tocqueville, and discussed the impact of collaborative software development on today's software industry."
Comments (none posted)
NewsForge
covers
the third and final day of the inaugural Red Hat Summit. "
Rik
van Riel gave a Thursday afternoon session for programmers on how to get
involved with open source development work. He talked about how best to
submit a patch to an existing project -- such as the Linux kernel -- and
also about how to make your own closed project open."
Comments (4 posted)
The Linux Journal
reports from the Red Hat Summit. "
When I sit through the keynote speeches at these conferences, it amazes me how these top executives can come up with the most bizarre looking graphs and charts to explain the open-source development trend thus far, thereby attempting to predict accurately where it's heading. These executives seem to be trying to take data they've accumulated on the open-source industry and squeeze it into traditional business models so they can explain it in ways they as business managers can understand. From that, they hope to be able to control or at least to predict future trends."
Comments (6 posted)
MozillaZine
covers talks concerning Mozilla at the recent XTech 2005 Conference.
"
There were several Mozilla-related talks at the XTech 2005 Conference, which
took place in Amsterdam in the last week of May. All the Mozilla XTech
presentations can now be viewed online and papers for most of the other XTech
talks are also available."
Comments (none posted)
The SCO Problem
Groklaw
covers the latest SCO conference call and follows developments in
the AutoZone case:
"
They announced at the beginning that they would only take questions about their "core Unix business". Blake Stowell, Darl McBride and Bert Young attended. They increased revenues in their Unix business this
quarter slightly, so they are cash flow positive in that area. They are
launching their new product later this month. They made money from selling
their TrollTech stock. They had lower expenses this quarter. There were only
two questions. Mr. McBride seemed a little startled that there were no
further questions. Maybe the last conference call left a bad taste in
people's mouths."
Comments (none posted)
Companies
eWeek
tells
us relations between Microsoft and the open-source community are
thawing. "
In continuing its outreach to the most prominent members
of the open-source community, Microsoft has invited Michael Tiemann,
president of the Open Source Initiative and vice president of open-source
affairs at Linux vendor Red Hat, to meet and start a constructive
dialogue."
Comments (15 posted)
Working Knowledge (a Harvard Business School publication)
talks
with two professors who have attempted to apply economic models to the
competition between Microsoft and Linux. "
Our main result is that in
the absence of cost asymmetries and as long as Windows has a first-mover
advantage (a larger installed base at time zero), Linux never displaces
Windows of its leadership position. This result holds true regardless of
the strength of Linux's demand-side learning. Furthermore, the result
persists regardless of the intrinsically better design and potential
differential value of Linux. In other words, harnessing demand-side
learning more efficiently is not sufficient for Linux to win the
competitive battle against Windows."
Comments (25 posted)
InformationWeek
covers
an agreement between Novell and the U.S. Department of Health and Human
Services. "
The U.S. Department of Health and Human Services has
signed a multi-million-dollar, multi-year enterprise deal to use Linux and
identity management products from Novell Inc., the vendor revealed on
Tuesday. Financial terms of the deal between Novell and HHS weren't
disclosed. However a Novell spokesman says the agreement is the first
"enterprise site license" between a large federal department and a Linux
vendor."
Comments (none posted)
eWeek
reports
that Red Hat has decided to put the Fedora project under the control of an
independent foundation. "
Asked if there was any Fedora technology or
patented technology that would not be available to the community, [Red Hat
counsel Mark] Webbink
said there was not at this point, but 'as we go forward,
non-technology-related things like business method patents we register will
not be available to the community.'"
Meanwhile, it's worth noting that the release of Fedora Core 4 has
been pushed back to June 13.
Comments (11 posted)
Interviews
TuxJournal
interviews
OpenBSD and OpenSSH creator Theo de Raadt.
"
Q: Are you scared from the latest SSH-1 security problems for your OpenSSH? In which way could worry the security of your package?
A: Since I understand the actual problems that exist in the SSH-1 protocol, at a technical level, and do not simply pander to ridiculous fears, no, I am entirely unafraid of the CRC issues. I would be far more worried about any other unknown issue than something which is known, but boring, and very difficult to exploit."
Comments (5 posted)
Linux Journal
talks with
Dr. Ari Jaaksi about the Nokia 770 Internet Tablet. "
Nokia is
encouraging external development for the 770 with the release of the maemo
platform. Furthermore, the company actively is supporting mainstream
open-source applications, while encouraging maemo developers not to fork
from these foundational applications."
Comments (12 posted)
Resources
An excursus on UUNET and Chapter 11 of the online book
"The Daemon, The GNU and the Penguin" by Dr. Peter H. Salus
is online at Groklaw. Chapter 11 looks at OSF and UNIX International.
Comments (none posted)
Issue #115 of the
Linux Gazette has been published. The contents include:
The Mailbag, News Bytes,
Python for scientific use, Part II: Data analysis,
Piercing Firewalls with OpenSSH,
Gmail on Home Linux Box using Postfix and Fetchmail, HelpDex,
Ponders Corner, Exploring procfs, Staying Connected,
Introduction to Shell Scripting, part 5, WSGI Explorations in Python, and
Design Awareness.
Comments (none posted)
IBM developerWorks begins the Linux on board series with
this
look at Linux and old hardware. "
People say Linux can make old
machines useful. Can it really? In this new series, Peter Seebach takes a
busted laptop and a $50-a-month budget and builds a household appliance
that actually does something worthwhile."
Comments (none posted)
Linux Journal presents
part two
of an article on OOo Writer table formulas by Bruce Byfield.
"
Table formulas--or should I say formulae?--are one of OpenOffice.org Writer's unique features. Writer uses a formula bar similar to the one in OpenOffice.org Calc, but with a more limited set of options. The syntax for table formulas is similar to spreadsheet formulas, with just enough differences to be frustrating to a spreadsheet expert. Yet, despite these apparent shortcomings, table formulas are a welcome addition to the Writer toolbox. As a practical example can show, with a little planning, you can use Writer's table formulas to build surprisingly complex documents and, more importantly, to reduce the boredom of routine tasks.
By Bruce Byfield on Wed, 2005-06-01 23:00."
Comments (2 posted)
A new
Tutorial
is available for the Xen virtual machine monitor.
"
consider this version 0.1 ...
an OpenSkills tutorial to start using Xen on Suse 9.3 Professional.
an I, System short story,
a tale of graphical madness,
the first chapter of an interactive story for Xen configuration and understanding...
... or just another half born fun project."
Comments (none posted)
Reviews
KDE.News
picks amaroK for the
application of the month. "
The overview takes a look at
functionality including Audioscrobbler, cover management and scripting. We
also have an interview with amaroK's team of developers covering their
development process, usability and accusations of being hopeless IRC
junkies."
Comments (1 posted)
OSNews
takes a look
at ClearHealth, an open source medical application for scheduling, billing,
EMR, HIPAA security, and accounts receivable. "
Day to day
operations in a medical clinic have a lot to do with the capabilities of
the scheduling package used. ClearHealth was designed for clinics large and
small, but has several features applicable to multi-facility
organizations." (Found on
LinuxMedNews)
Comments (none posted)
Linux Journal
looks at
FreeNX. "
For technically inclined people, imagine X server
technology with compression so tight that GNOME and KDE sessions run over
modems with SSH encryption. Imagine lightning-fast thin clients that use
tiny amounts of bandwidth and handle audio and video, printing and session
suspension instead of termination. Imagine real virtual KVM switches
without hardware. Say goodbye to SunRay servers and all the thin clients
that never lived up to their promise. Think about real heterogeneous
interoperability on PCs and devices that scale."
Comments (2 posted)
A second-edition
review
of QT Designer, a user interface design tool, has been published.
"
When writing this article I used the open source Qt 4 snapshot from 2005-05-28. Figure D2-1 shows how Designer looks without any project loaded. Since the last time the resource editing window and the connections' window have appeared. Apart from that the interface looks the same, which suits my working multi-head environment well. For those of you who want the old approach with a single surrounding window, check out figure D2-2. It is back!"
Comments (none posted)
Miscellaneous
NewsForge
does
a follow-up on the LinuxFund, the fund that was supposed to support
Linux through credit card use. "
Where has the money gone? It has
been adding up in the LinuxFund bank account, with minimal overhead costs
and no payments to developers coming out. The project's executive director,
Jerritt Collord, reported the organization's funds -- checking and savings
accounts totaling $126,155.29 -- have been sitting idle since he stopped
running the largely one-man organization last June. In an email response to
NewsForge, Collord added, "Of course F/OSS will get the money." To get
those funds to Linux coders and supporters, however, some other individual
or group will have to take up the cause, since the current participants
have given up."
Comments (5 posted)
robots.net
covers
the release of Python-based drive-by-wire code by DARPA.
"
This code is a simplified, early version used during testing to control the Pegasus robot remotely from a Laptop by using keyboard commands to accelerate, brake, and turn."
Comments (none posted)
eGov monitor is running
an article
about the deployment of a Gaelic translation of OpenOffice.org
in Scotland.
"
A version of the OpenOffice suite specially adapted to the Gaelic language was launched on 2 June.
The open source software was said to have performed well in trials at a school in North Lanarkshire, with the complete product due to be distributed to Gaelic language schools in the Autumn.
The translation project was funded by the Scottish Executive through the education body, Learning and Teaching Scotland."
Thanks to Ian Cuddy.
Comments (none posted)
ComputerWorld
notes that the kernel is not the only project affected by the end of the BitKeeper era. "
As the July 1 deadline approaches, BitMover is trying to work with as many projects as it can to either come to licensing terms or move their source code onto another system, [Larry] McVoy said. Still, some may be in for a nasty surprise a month from now, when they can no longer add software to their source code repositories.
'As July 1 approaches and people start to realize that it's not just about the kernel, it's about these other projects, there's going to be some crap hitting the fan,' McVoy said."
Comments (44 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation Europe (FSFE) responds to a press release
from the European Commission regarding new proposals from Microsoft in the
pending antitrust suit. FSFE is participating as a third party and as a
representative of the Samba Project. "
According to this release,
Microsoft wants to ban software developers from publishing Free Software on
the basis of the interface information requested. This information is
needed for Windows and GNU/Linux-based computers to interoperate in a
company network."
Full Story (comments: 4)
A new version of the Carrier Grade Linux Requirements Definitions
has been released.
"
The latest CGL Requirements Definition, CGL v3.1, is now available for evaluation by developers and
Linux distributors and will be discussed at SUPERCOMM. The new Requirements Definition addresses
new capabilities, particularly in the areas of clustering, manageability and security."
Full Story (comments: none)
Libranet president and founder Jon
Danzig died on June 1, 2005. There are no details on the website.
Libranet offices will be closed until June 13, 2005. "
During this
time emails may not be responded to and delivery of pre-ordered CDs will be
delayed." (Thanks to John Amoroso)
Comments (1 posted)
Commercial announcements
ARCHOS, Inc. has announced the release of a Software Development Kit (SDK)
for the Pocket Media Assistant PMA400. "
The PMA400 is a 30-gigabyte
pocket-sized device and the most versatile portable video recorder and
player on the market today, combining full video and audio capabilities
with wireless connectivity and a new Linux platform."
Full Story (comments: 1)
Arkeia Corp. has
announced the certification of its network backup software on
Red Hat Enterprise Linux version 4.
Certified products include Arkeia Server Backup, Arkeia Network Backup,
Arkeia Disaster Recovery, and Arkeia Hot-Backup plug-ins for
database applications.
Comments (none posted)
VoX Communications, a subsidiary of eLEC Communications Corp, has
announced a new Linux-based VoIP-Server Clustering Technology.
"
VoX's President Mark Richards commented, "Our initial
single-cluster deployment in Orlando, Fla. can support 10,000
subscribers, but the technology is now scalable to millions of
subscribers."
Comments (none posted)
Guru Labs, L.C. has updated their GL314 Linux Troubleshooting Course
with support for new distributions.
"
The GL314 is a five day course built around Guru Lab's innovative tsmenu
(troubleshooting menu) program. Using tsmenu, students are able to
browse problem descriptions, launch a problem to break their system,
obtain hints and check for successful resolution. The process of finding
an appropriate fix allows students to test their knowledge of Linux
while improving troubleshooting skills."
Full Story (comments: none)
CIGNEX Technologies, Inc. has
announced
a partnership with JBoss, Inc. to expand the worldwide implementation of
the JBoss Enterprise Middleware System (JEMS), the leading open source
middleware platform. As a JBoss Certified Systems Integrator, CIGNEX will
work with JBoss to help their joint customers implement Professional Open
Source solutions.
Comments (none posted)
Linspire, Inc. has
announced the availability of Appgen Business Software's MyBooks
Professional, an accounting and
finance package, for the Linspire desktop.
Comments (none posted)
Mandriva has announced its "Academia program," an offering for universities
and research labs. "
Academia is sold to educational
bodies on an unlimited site license basis. Only one license is needed
to be able to run Mandriva Linux on all the computers of a given
site. This means that there's a single price for an unlimited number
of installations. No usage report is thus needed."
Full Story (comments: none)
PolyServe Inc. has
announced
the release of its PolyServe File Serving Solution 3.0 on Linux.
"
Release 3.0 features a new cluster volume manager (CVM) and other
expanded storage management capabilities. The PolyServe CVM adds another
key piece for superior file serving by enabling higher storage utilization
rates and better performance for any brand of storage connected to a
storage area network (SAN)."
Comments (none posted)
The rSmart Group has
announced a teaming with IBM on the Kuali Project.
"
Together they will focus
on the long term success and market adoption of Kuali -- a powerful
combination of open source code, open standards and an open
architecture that defines the next generation of administrative
applications for higher education".
Comments (none posted)
SourceLabs Inc. has
announced that it has hired Bruce Perens as "vice president of developer relations and policy." "
As a member of
SourceLabs' executive team, Perens will continue his work as a leading open
source policy advocate, as well as support SourceLabs' mission to ensure open
source systems for enterprise IT departments work dependably together and are
well-supported." SourceLabs sells support services centered around the Apache/MySQL/PHP software stack.
Comments (11 posted)
SSC Publications Ltd announced the passing of the 50,000 subscriber
mark with its TUX Magazine.
"
TUX Magazine is
a controlled-circulation, digital publication that supports the new user of
the Linux operating
system, from novices through to intermediate-level users. The growth of TUX
Magazine is reflective
of the rapid growth rate for Linux worldwide."
Full Story (comments: 1)
New Books
Paraglyph has published the book
Degunking Linux by Roderick W. Smith.
Full Story (comments: none)
Mozillazine
mentions a new online book about Greasemonkey.
"
Greasemonkey, the popular Mozilla Firefox extension that lets users install
scripts to change the way various websites work, is continuing to attract
attention. Mark Pilgrim, the man who brought you Dive Into Python and Dive
Into Accessibility, has written a comprehensive online book about
Greasemonkey called Dive Into Greasemonkey. In the guide, Mark describes what
Greasemonkey is, explains how to write Greasemonkey user scripts and
discusses some Greasemonkey case studies."
Comments (none posted)
O'Reilly has published the book
Learning Java, Third Edition
by Patrick Niemeyer and Jonathan Knudsen.
Full Story (comments: none)
Pascal Chevrel
has announced the publication of his book (in French)
Mozilla Firefox & Thunderbird.
Comments (none posted)
A sample chapter of the book Linux Performance Tools by Phillip Ezolt
is available online.
Full Story (comments: none)
The book
PloneLive 1.0 has been published.
"
Plone Live is the result of a year of work, full- and part-time, of the
two authors, Michel Pelletier and Munwar Shariff, our technical editor,
Jean Jordaan, and our copy editor, Amy Kesic. But this book is more than
what you are holding (or reading on the screen), because this book is
live; every month, the authors add new content and fix typos, responding
to the feedback our readers leave on our site, http://plonelive.com."
Full Story (comments: none)
Resources
The June 7, 2005 edition of the Free Software Foundation Europe Newsletter
is online with the latest European free software news.
The June 1, 2005 edition of the Linux Documentation Project Weekly News
is online with the newest documentation releases and other news.
The June 7, 2005 edition of the Linux Documentation Project Weekly News
is online with the latest new documentation releases.
Contests and Awards
Xtops.DE and the Free Software Foundation Europe will be raffling a
Linux-based SL-C1000 handheld computer on June 25.
"Berlin based mail order company Xtops.DE has become what FSFE hopes is
the first of many hardware vendors to support FSFE's Fellowship program
by offering a hardware prize to reward those who join.
The SL-C1000 up for grabs runs GNU/Linux on a 416MHz processor, with
64MB RAM and 128MB of Flash memory for the Free Software you want, and
has a 3.7-inch full colour screen and QWERTY keyboard for easy use."
Education and Certification
High-Level Certifications is offering a Python language certification
program.
"This certification seeks to provide the Python
community with an up-to-date, platform-neutral, vendor-neutral
certification administered in a secure proctored environment.
As Python's popularity continues to grow, High-Level Certifications' Python
cert provides a way for Python programmers to prove their proficiency at
this powerful language. The exams take a "pure programming" approach to
Python, emphasizing a thorough understanding of the most important elements
of the language."
Upcoming Events
The
Firebird Conference 2005 will be held in Prague, Czech Republic
from November 13-15, 2005. A call for papers has been announced.
An open-source workshop will be held at the IFIP Technical Committee 2.
"A workshop aimed at formulating the proposal of an 'open source software'
working group within the IFIP Technical Committee 2, will be held in Milan,
Italy, on Tuesday, June 14."
The World Intellectual Property Organization (WIPO) is holding an
Online Forum on Intellectual Property in the Information Society.
The forum runs from June 1-15.
"The WIPO Online Forum is designed to enable and encourage an open debate on issues related to intellectual property in the information society, and in light of the goals of the World Summit on the Information Society (WSIS). This presents a unique opportunity for all to engage in the emerging debate on intellectual property in our day."
Thanks to Krishna Pagadala.
The Open Culture Conference will be held in Milan, Italy on June 27-29,
2005.
A Linux Vacation/Eastern Europe event has been announced.
"The Minsk Linux Users Group invites you to take part in "Linux
Vacation/Eastern Europe" (LVEE) that will take place on June 30-July 3,
2005. What does this name stand for? Obviously it is a vacation for
associates who are involved in Free Software and particularly Linux. We
offer to spend 4 unforgettable days on the shore of a lake in a
landscape reserve near the old Belarusian city of Hrodna."
A number of new PHP conferences have been announced on the PHP web site:
php|works (Toronto, Canada, September 14-16, 2005),
International PHP Conference 2005 (Frankfurt, Germany, November 6-9, 2005),
and AFUP (Paris, France, November 8-9, 2005).
Use Perl has
a reminder for the Yet Another Perl Conference, North America.
The event will be held in Toronto, Ontario, Canada on June 27-29, 2005.
The schedule for the YAPC::EU::2005 conference is online.
The event will be held in Braga, Portugal on August 31 - September 2, 2005.
| Date | Event | Location |
| June 9 - 10, 2005 | Austrian Perl Workshop | (Kapsch CarrierCom) Vienna, Austria |
| June 9 - 10, 2005 | The French Perl Workshop | (Faculté des Sciences de Luminy) Marseille, France |
| June 11, 2005 | PHP West | Vancouver, BC, Canada |
| June 15 - 17, 2005 | AstriCon Europe 2005 | (Auditorium Madrid Hotel) Madrid, Spain |
| June 17 - 19, 2005 | RECON 2005 | Montreal, Quebec, Canada |
| June 18, 2005 | Perl Dag 2005 | Copenhagen, Denmark |
| June 19 - 22, 2005 | International Lisp Conference 2005 (ILC 2005) | (Stanford University) Palo Alto, CA |
| June 20 - 21, 2005 | Linux Cluster Summit 2005 | Walldorf, Germany |
| June 22 - 25, 2005 | LinuxTag 2005 | (Kongresszentrum) Karlsruhe, Germany |
| June 23 - 24, 2005 | Italian Perl Workshop 2005 | (University of Pisa) Pisa, Italy |
| June 25, 2005 | LugRadio Live 2005 | (Molyneux Stadium) Wolverhampton, UK |
| June 25, 2005 | XML Prague 2005 | Malá Strana, Prague, Czech Republic |
| June 27 - 29, 2005 | Yet Another Perl Conference (YAPC::NA 2005) | (University of Toronto) Toronto, Ontario, Canada |
| June 27 - 29, 2005 | EuroPython 2005 | Göteborg, Sweden |
| June 27 - 29, 2005 | Open Culture | (Via Festa del Perdono 7) Milan, Italy |
| June 29 - 30, 2005 | Where 2.0 Conference | (Westin St. Francis Hotel) San Francisco, CA |
| June 30 - July 3, 2005 | Linux Vacation/Eastern Europe (LVEE) | Hrodna, Belarus |
| July 1 - 6, 2005 | Linux Desktop Development and KDevelop Developers Conference 2005 | Kiev, Ukraine |
| July 5 - 9, 2005 | LSM 2005 Libre Software Meeting for Medicine | Dijon, France |
| July 6 - 9, 2005 | IV Jornades de Programari Lliure | Campus de Vilanova i la Geltrú, Spain |
| July 10 - 18, 2005 | Debconf 5 | Helsinki, Finland |
| July 11, 2005 | Evolution of Open-Source Code Bases (EVOSC05) | Genova, Italy |
| July 11 - 15, 2005 | First International Conference on Open Source Systems (OSS2005) | Genova, Italy |
| July 11 - 14, 2005 | GOTO10 workshop | (OKNO) Brussels, Belgium |
| July 11 - 15, 2005 | IEEE International Conference on Web Services (ICWS 2005) | Orlando, Florida |
| July 17 - 19, 2005 | Desktop Developer's Conference | (Ottawa Congress Centre) Ottawa, Ontario, Canada |
| July 18 - 22, 2005 | ApacheCon Europe 2005 | Stuttgart, Germany |
| July 18 - 22, 2005 | PostgreSQL Bootcamp | (Big Nerd Ranch) Atlanta, GA |
| July 20 - 23, 2005 | Ottawa Linux Symposium (OLS 2005) | Ottawa, Canada |
| July 20 - 22, 2005 | North American Plone Symposium | (The Astro Crowne Plaza) New Orleans, Louisiana |
| July 26, 2005 | 2nd European LISP and Scheme Workshop | Glasgow, Scotland |
| July 27 - 28, 2005 | Black Hat Briefings USA 2005 | Las Vegas, NV |
| July 31 - August 4, 2005 | 2005 SIGGRAPH Computer Animation Festival | Los Angeles, CA |
| August 1 - 5, 2005 | O'Reilly Open Source Convention | (Oregon Convention Center) Portland, Oregon |
| August 1 - 5, 2005 | CIFS 2005 Conference and Plugfest | (Doubletree Hotel) San Jose, CA |
| August 4, 2005 | Penguicon 2005 | Israel |
| August 4 - 7, 2005 | Linux 2005 | (University of Wales) Swansea, UK |
Web sites
GnomeDesktop has announced a new web site about
Getting Involved in GNOME development.
"Some ideas: improving the exposure of projects needing help in the gnome.org sites, looking for contributors instead of developers, inviting Windows/Mac users to get a first GNOME experience through GTK applications they can install..."
The new KDE-Artists.org site has been announced.
"KDE-Artists.org is a new KDE sister website created specifically for artists
and coders to use for reference and direction in creating a high quality
consistent user interface. It is also the home of Kollaboration, a new
concept created by several people to give dreamers, artists, and coders a
place to work together."
KDE.News has an announcement for the new Code Skipper site.
"The Code Skipper, a new free Qt community resource site, has been founded to provide our community of developers with a place to meet. This is a site where tutorials and articles can be found on a range of Qt related subjects including a Programming with Qt tutorial, Building a Universal SQL Client and 3D Programming. The Code Skipper also contains a lot of code that can be easily integrated into your applications. Learn Qt tricks from there and share your own ideas."
KDE.News has announced the launch of the khtml.info site.
"In an effort to open up their development process the developers of the Konqueror components KHTML, KJS and KSVG have launched the open Web portal KHTML.info. By providing a central contact point and source of information in form of an open Wiki the developers want to promote their work and embrace users and developers from both Open Source as well as commercial environments."
Miscellaneous
KDE has joined the Google Summer of Code program.
"If you are a student
looking to get into KDE development this is the perfect opportunity. We have
a list of rules and suggested projects. The deadline is soon, June 14th, for
a completed proposal and you will probably need a week of communication first
to ensure a good proposal for Google, so move quickly."
The Samba project has joined the Google Summer of Code program.
"If you haven't yet heard, Google recently announced its Summer of Code program. Samba is proud to be involved as a mentor organization, so if you're a student and have some time on your hands..."
Page editor: Forrest Cook