Advertisement
Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux applications on the same desktop.
Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for September 8, 2005Linux in Italian schools The region of Italy known as Trentino-Alto Adige or South Tyrol has an interesting history. It became part of Italy as a spoil of World War 1, and many of its residents have never been entirely comfortable with Italian control. It is a breathtakingly beautiful region, where German is heard more than Italian. The unique nature of this area has resulted in it being given a great deal of autonomy; Trentino-Alto Adige often does things its own way.Bolzano, a provincial capital in Trentino-Alto Adige, has just broken some new ground with this announcement that the area's Italian schools have switched to Linux. Your editor was able to discuss the project with three of its principals: Antonio J. Russo, Paolo Zilotti, and Christopher Gabriel. They deserve thanks for helping to fill in the details, and for putting up with your editor's Italian.
This project goes by the name "FUSS",
for "Free Upgrade South Tyrol's Schools." Over the course of two months,
And freedom is an important issue in this project; the introduction page starts out this way:
The decision to use free software in the schools is indeed, beyond
the economic and technical reasons, an ethical and political
choice. It is the choice of remaking oneself, both in the use
and teaching of computing, with the values of freedom and sharing,
and not just in the use of software which is efficient, stable, and
secure, which runs on older machines, and which is not subject to
licensing costs.
(The linked page, like most in this article, is in Italian; translations by the editor). To achieve its goals, the FUSS project decided early on that only free software could be used. All of the usual reasons apply for this choice: ethics, the ability to give the software to students, ability to modify the software, etc. Given this constraint, it is not surprising that FUSS decided to base its effort on Debian. The 100% free nature of the distribution, combined with its quality, vast array of packages, and adaptability are given as the reasons for this choice. The project developed its own version of Debian, which it calls "FUSS Soledad GNU/Linux," or just "Soledad." Soledad is based upon the Sarge release, but the FUSS developers have made a number of changes. The installer and default configuration have been adapted to the schools' needs, and a special GNOME-based desktop has been put together. The mix of packages has carefully selected for the target audience, with a strong bias toward educational software. The package list for the desktop configuration is available; there is also a version of Soledad for server deployments. ISO images of Soledad are available from the FUSS download page. Many of us who have dealt with the public school systems in their countries have often wondered why there is not more free software in use. But anybody who has tried to convince a school system to change knows what kind of inertia exists there. So how did the FUSS project supporters get the approval for a change of this magnitude? There are a few factors at play here. The Italian schools in Bolzano are (unlike those in much of Italy) organized around a central purchasing structure for information technology. Even better, the relationship between the schools and the central IT folks is good. This structure made it easier to convert the entire school system at once. The initial supporters of FUSS came from within the school administration, and thus had the advantage of pushing for change from the inside. Even so, the FUSS supporters had to work for years, and had to "assemble a fair amount of paper" before getting the project approved. Mr. Russo adds:
I don't think that there is a formula for bringing this sort of
project to conclusion; the only thing I can say is that, in
Bolzano, people active in the spread of free software have worked
hard for many years, organizing events, conferences, installation
parties, but, most of all, meeting people and explaining to them
the benefits of free software and how their work could be improved
and made more pleasant with the use of cooperatively-developed
tools.
The FUSS developers add that the autonomous nature of Bolzano helped, since decisions are made locally. But the importance of laying the groundwork is clear: spend enough time educating people about the benefits of free software, and they will eventually come around and support it. 2460 Linux installations may seem like a lot, but it is only a beginning. This deployment only covers Bolzano's Italian-language schools; the region also runs a great many German-language schools, and a rather smaller number based on Ladin. The FUSS developers have made offers of help to their German-speaking counterparts, but, so far, have received little response. School systems in various other regions of Italy are said to be interested, however, and are watching to see how it all turns out. The acid test will start on September 12, when 16,000 students return to school. It is hard to imagine that there would be no startup glitches on a project of this magnitude. How quickly they are ironed out, and how quickly students and teachers become comfortable with the new systems will have a big influence on whether other parts of Italy will make the jump to free software. The odds are in the project's favor: school systems have few needs which cannot be met nicely by currently-available free software. The hard part of this project is done; congratulations are due to the many people who have worked for years to make FUSS a reality.
A busy week for the courts Courts in various parts of the world have handed down decisions which, in one way or another, can affect users and developers of free software. These decisions are not particularly friendly to our community. Here is a quick overview of what the courts have said.
ACRA v. LexmarkWe have encountered Lexmark before; that company has attempted to use the DMCA to shut down alternative manufacturers of alternative ink cartridges for its printers. That attempt failed, but the company appears to have found another, stronger way of protecting itself from competition: the shrink-wrap patent license. In this case, the Arizona Cartridge Remanufacturers Association (ACRA) took Lexmark to court, challenging Lexmark's "prebate" offering. This marketing scheme involves "reduced price" cartridges which are explicitly marked, on the box, as being "single use only." Customers are supposed to return empty cartridges to Lexmark, and they are prohibited from giving the cartridges to other remanufacturers. ACRA alleged that the labeling on the box was deceptive, since it was not actually binding upon customers. ACRA failed to convinced the US 9th Circuit Court of Appeals, however; on August 30, it reaffirmed a lower-court decision [PDF] in Lexmark's favor. The two things which come out of this ruling are: (1) patents can be used to impose post-sale restrictions on customers, and (2) labeling on a package can be a valid shrink-wrap patent license. So anybody who disposes of a used Lexmark cartridge in a non-approved manner becomes a patent infringer - and remanufacturers which accept those cartridges are inducing infringement. It is not hard to see where this sort of logic can go. If a product contains technology subject to a patent, that patent can be used to impose no end of post-sale conditions. In the current climate, obtaining a patent which can cover any given product will not be an especially challenging task. Those patents could be used in interesting new ways. It is already annoying to buy a laptop with a "designed for Windows" sticker attached to the case with 1000-year glue. How fun would it be if the sticker read "designed for Windows only" - and have it be enforceable? Many of us use free software because it gives us greater control over our systems. The growing power granted to those who hold intellectual property rights threatens to take the control away. Increasingly, we do not truly own the hardware we thought we had purchased; we simply hold a set of limited rights to use that hardware in specific ways which do not threaten the manufacturers' interests. That does not seem like the path to freedom.
Universal Music Australia Pty Ltd v Sharman License Holdings LtdIn Australia, a large number of media companies took Sharman License Holdings to court, alleging several copyright-related violations. Sharman, the distributor of Kazaa, does not have entirely clean hands - nobody disputes that many people use Kazaa to engage in copyright infringement. In its defense, Sharman argued that it had no control over the behavior of Kazaa users, that it had warned them about infringing copyrights, and that the license agreement for the software prohibited its use to make unauthorized copies of copyrighted materials. The judge actually bought that argument - to an extent. The ruling in this case clears the defendants of many charges of copyright infringement. The judge did find, however, that the defendants had "authorized" users to infringe copyrights, and that this act violated Australian copyright law. The defendants will now have to pay damages. Kazaa will be allowed to continue to exist, but a new version must be released within two months with filters designed to block infringing uses. In particular, the software will have to accept a list (provided by publishers) of claimed works, and block attempts to trade files which match entries in the lists. It is not hard to imagine that file traders will respond to the keyword matching in the same way spammers have; expect to see some creative spellings attached to music files in the near future. The judge seemed to have a real interest in not shutting down peer-to-peer communications altogether, and mandated that the filtering be imposed "... without unnecessarily intruding on others' freedom of speech and communication." The fact is, however, that this is yet another ruling holding software developers responsible for the acts of certain of their users. Manufacturers of cutlery, automobiles, and firearms are not held to such standards, but people who innovate in the software area do so at their own risk. Thus far, most of the legal firepower has been aimed at commercial file sharing operations, but that does not mean that pure free software projects are immune to this sort of attack.
Blizzard v. bnetdOne free software project which has been subject to this sort of attack is bnetd, last mentioned here two weeks ago. The Eighth Circuit Court of Appeals has now issued its ruling in this case [PDF], and the news is not good: bnetd lost on all counts. The logic remains unchanged from the prior court's ruling; for example:
The bnetd.org emulator had limited commercial purpose because its
sole purpose was to avoid the limitations of Battle.net. There is
no genuine issue of material fact that Appellants designed and
developed the bnetd.org server and emulator for the purpose of
circumventing Blizzard's technological measures controlling access
to Battle.net and the Blizzard games. Summary was properly granted
in favor of Blizzard and Vivendi on the anti-trafficking
violations.
The idea that free software has fewer rights because it has "limited commercial purpose" is chilling, to say the least. In any case, the interoperability exception to the DMCA has been shown to mean little, once again.
Whither UserLinux? The UserLinux project was founded by Bruce Perens in 2003 with this mission:
Provide businesses with freely available, high quality Linux
operating systems accompanied by certifications, service, and
support options designed to encourage productivity and security
while reducing overall costs.
More informally, Bruce was disappointed with the currently-available "enterprise" Linux offerings, which he sees as taking much of the freedom out of free software. His goal was to create a new distribution (based on Debian) which would be 100% free, aimed at the needs of smaller businesses, and supported by a wide network of independent companies. UserLinux would thus fill in the gap between the unsupported "development" distributions and the expensive, restrictive packages offered by Red Hat and Novell. A small community coalesced around the idea and got busy with peripheral tasks: creating a web site (carrying the unfortunate tag line "Linux for Business" once used by Caldera), designing a logo, writing a trademark policy, and so on. But UserLinux never really got around to building a distribution. This was partly by design: UserLinux was intended to be a version of Debian Sarge with only minimal changes. A few metapackages would be put together, and the package mix as a whole would be greatly thinned down. But UserLinux never intended to create a new distribution; it was more of a repackaging effort with an attempt to build a support network around it. The UserLinux experience carries a warning for future efforts: any business or development plan which has a step reading like this:
is more than usually likely to encounter delays. UserLinux got to that step, and found itself waiting for the Sarge release. For a long time. This wait killed any momentum UserLinux may have had. Nonetheless, the Debian Sarge release happened in June. Three months later, nothing has been heard from UserLinux. So, finally, an interested observer asked what was going on. Bruce responded that UserLinux was, indeed, still alive, but, unfortunately, everything was waiting on him personally.
Essentially, the customer who was going to pay me to work on this
evaporated, and some time later I started running out of money to
support the project. I subsequently took a job with Sourcelabs. I
have 50% of my work time to work on whatever Open Source I choose
(courtesy of Sourcelabs) but so far have been pulled in a lot of
directions and thus not much has gotten done on UL of late.
Bruce may indeed succeed in getting others interested in doing some of the lifting to make UserLinux 1.0 a reality. But a distribution which can be stalled because one person gets busy is not going to be particularly appealing to businesses looking for an alternative to the current support offerings. UserLinux, in other words, appears to have little chance of achieving its initial goals, even if it does get a release out. The slow release of Sarge is one thing which happened to UserLinux, but there is another unexpected event which came along as well: Ubuntu. In many ways, Ubuntu is what UserLinux intended to be: a 100% free, Debian-based distribution with relatively long support periods and available commercial support offerings. Ubuntu seems to have beat out UserLinux by virtue of not waiting for a stable Debian release, putting a great deal of attention into ease of use and making things "just work," and the small advantages that come from having a few tens of millions of dollars of seed money in the bank. As a result, Ubuntu has a real distribution, with a large and enthusiastic user community. Not everybody is comfortable with Ubuntu, despite the fact that the company's models appear to have put their clothes back on. Bruce's message puts it this way:
I think the project continues to have value and I don't believe
that basing on the work of any one company, even Ubuntu which may
be more of a rich man's hobby project than a company, is the
solution for support of Linux distributions.
The creation of the Ubuntu Foundation may help to ease the concerns about the distribution being controlled by a single company. Meanwhile, Ubuntu has been building a distributed support network along the lines of the one envisioned by UserLinux, and a certification scheme is in the works. The 6.04 release, due next year, will be supported for five years (for server use) - if the Ubuntu Foundation lasts that long. In other words, it seems that the distribution UserLinux wanted to create has come to be - it just didn't happen quite the way they had intended. Anybody who wants to carry the UserLinux banner forward as a separate project should first be able to tell the world what they will do that existing distributors are not doing, and how they will turn UserLinux into a viable organization that businesses will trust. Without answers to those questions, UserLinux will remain a project with a nice logo, but with no software or users.
Page editor: Jonathan Corbet Security A selective look at response times It is often said that, while free software suffers from security flaws just like the proprietary variety does, fixes for those flaws come out much more quickly. For most users, however, security patches do not arrive until packaged by their distributor. So, every now and then, it is worthwhile to take a look at how quickly various distributors manage to get the fixes out. The following table lists a subset of recent vulnerabilities and the number of days required for each distributor to issue an update. For the purposes of this table, the clock starts when a vulnerability is disclosed, or when the first distributor alert is issued, whichever comes first.
The above table lists a subset of relatively important vulnerabilities disclosed since July, 2005. Distributions marked "n/a" do not ship the vulnerable package; a marking of "--" means that the update has not, yet, been released. Missing updates can mean one of two things: (1) the distributor simply has not gotten around to releasing an update yet, or (2) the relevant package is of the second class citizen variety, such as those found in Fedora Extras or Ubuntu's Universe. Even though the set of vulnerabilities above is relatively small, some patterns emerge. Some distributors (Fedora, Gentoo, Debian, Red Hat) have managed to close most of the listed vulnerabilities. A couple of others have fallen seriously behind, however, leaving users running vulnerable software. Some distributors tend to be quite fast in getting updates out; others are slower. Perhaps the biggest surprise is the current lag time on Debian's updates; Debian used to be one of the faster distributions to get updates out. It is worth noting, as well, that the increasingly popular "non-core" package repositories can be a hazard for administrators who are not paying attention. Clamav is used as a virus filter on many sites, and the recent vulnerability is real and exploitable. An administrator who relies upon a distribution's update mechanism may not have noticed that, when she used yum or apt-get to install clamav, it came from Fedora Extras or Ubuntu Universe. As a second class citizen package, clamav will not be updated by the distributor, and will remain vulnerable for an unknown period of time. Any security-conscious site which uses such packages should have a mechanism in place to note and respond to security problems in those packages.
New vulnerabilities affix: remote command execution
apache information disclosure if modssl=yes
courier: missing input sanitizing
kdebase: local root vulnerability
mplayer: heap overflow
net-SNMP: packaging flaw
openssh: privilege escalation
openssh: GSSAPI credential disclosure
OpenTTD: remote execution of arbitrary code
polygen: denial of service
smb4k: temporary file vulnerability
squid: DoS issues
Updated vulnerabilities a2ps: input validation error
affix: two remote vulnerabilities
apache2: CGI script denial of service
httpd: off-by-one overflow and cross-site scripting
awstats: command injection vulnerability
backup-manager: insecure permissions and tempfile
bzip2: race condition and infinite loop
courier: DNS failure vulnerability
cpio: directory traversal
CUPS: multiple vulnerabilities
cvs: insecure temp file
cyrus-imapd: buffer overflows
dhcpcd: denial of service
elm: buffer overflow
emacs21: format string vulnerability in "movemail"
enscript: arbitrary code execution
ethereal: dissector vulnerabilities
evolution: format string issues
Foomatic: Arbitrary command execution in foomatic-rip
gaim: buffer overflow
gdb: multiple vulnerabilities
gtk-pixbuf, gtk2: denial of service
gettext: Insecure temporary file handling
ghostscript: symlink vulnerabilities
glibc: tempfile vulnerability in catchsegv script
grip: buffer overflow
groff: insecure temporary directory
gzip: arbitrary command execution
htdig: cross site scripting
imap: buffer overflow in c-client
imlib2: buffer overflows
junkbuster: heap corruption and settings modification
kdeedu: tempfile handling vulnerabilities
kdelibs: kate backup file permission leak
kernel: multiple vulnerabilities
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[FUSS Logo]](/images/ns/FUSS.jpg){kind=small}
the entire computing infrastructure for the region's Italian-language
schools was converted over to a customized version of the Debian
distribution. This effort involved installing Linux on 2640 computers over
the course of 23 days; an