It has often been said that free software developers are a self-interested
bunch. They will work on programs which are interesting to them
personally, while avoiding projects which they may never use. That is why
we have several complex window managers but little in the way of free
payroll systems.
If this saying is true, one might well wonder: why has it taken the
community so long to develop a truly capable personal finance manager?
Almost every developer will have a checking account of some variety, bills
to pay, taxes to deal with, etc. Tracking accounts in paper registers is
tedious and error prone - and nearly impossible once a few complications
(such as, say, a spouse whose attention to detail in these matters is sporadic at
best, not that your editor would know about such things, honest) are thrown
in. Keeping track of one's finances is clearly a job for
a computer.
Be that as it may, this is an area which has not drawn much attention from
the development community. There has long been little choice for those
wanting a free finance manager, and the available applications have lagged
behind the proprietary offerings. Perhaps all those desktop hackers are
simply pretending not to notice as their spouses balance their checkbooks
with Quicken.
That said, the situation is not all bad. Your editor has managed his
eternally frightening finances with free software for some years. In more
recent times, the number of available packages with a minimum of useful
functionality has grown. So it's time for your editor to put together a
review of what's available. Personal finance managers are complex
applications; as a result, a comprehensive review will be long. This
review will be done in two parts; this part looks at basic account
functionality, while the next will cover more advanced features.
There are a number of projects out there, but this review will concentrate
on three of them. Many of the others have not advanced beyond a simple
list of transactions, and many of them have seen no development for years.
There are also a few proprietary alternatives available for Linux, but they
will not be reviewed here.
This review looks at:
- GnuCash. This package is the
reigning champion of free money managers; it was first reviewed in LWN in
1999. The most recent release is 1.8.11, which came out in February,
2005. GnuCash is a GNOME application, but it has not yet made the
transition to GTK2.
As we will see, GnuCash remains the most featureful of the free money
managers, though the others are starting to catch up. This package
also has high aspirations: it would like to be a full accounting
package suitable for use in businesses as well as at home. So,
GnuCash is unique in using double entry bookkeeping for all accounts.
This is a mixed blessing; the business-related features of GnuCash
have been slow to mature, and they seem to have distracted some
attention from the personal finance side of the application.
Nonetheless, GnuCash is the program to beat in the free software
community. For this reason, both of the other programs reviewed here
are able to import data from GnuCash files.
- Grisbi is a GNOME-based money
manager with a distinctly European feel - in fact, the program is
developed primarily in French, with an English-language version only
becoming available in 2004. Much of the documentation still lacks an
English translation. The current version of Grisbi is 0.5.7, released
in June, 2005.
- The leading KDE-based application is KMyMoney. Like GnuCash,
KMyMoney aims high, and would like to be useful for small business
needs. It features double-entry accounting, but lacks some of the
other features implemented by GnuCash. KMyMoney 0.8 was released
in August, 2005.
First impressions
First impressions matter, especially when one is dealing with one's money.
So Grisbi's initial screen - essentially a large, empty, gray box with a
small menu bar on top - can be a bit disconcerting. A personal finance
manager should be designed to work well for people who are not particularly
familiar with computers, so it would be polite, when starting from the
beginning, to lead the user through some sort of initial setup. Or, at
least, give a pointer in that direction.
KMyMoney starts in the usual manner for KDE applications - slowly, and with
a lot of strange stuff written to the standard output. Once you get past
that, a splash screen comes up, followed by a window with a place to click
to go through a set of setup screens. It asks for a bunch of personal
information, the purpose of which is not entirely clear. Next, the user
gets to pick a "base currency," with the Afghani being the rather unhelpful
default. Almost every imaginable currency is available, from the Mongolian
Tugrik to "Gold." After picking from a directory of account templates
(they could have set a default from the currency the user just
chose, but don't), the user lands in the main KMyMoney2 screen.
GnuCash throws up a "tip of the day," immediately overlaid by a little
window giving an opportunity to create accounts from scratch or import a
QIF file. The former option yields a "druid" which enables a choice of
currency and presents a set of common accounts to create. GnuCash arguably
has the most capable and friendly startup mechanism, but it must be said
that its continued use of GTK1 shows. It simply is not as pretty as other
GNOME applications, large pulldown menus (currency choice, for example)
cannot be navigated with the scroll wheel, and it feels generally older.
Account creation
One way or another, users will have to create accounts in their shiny new
finance manager. So each application provides an account creation screen.
We'll get into those shortly, but, first, it's worth looking at the types
of accounts which are supported by each application.
- A money manager must support accounts which hold money. All three
of them understand basic bank accounts - KMyMoney distinguishes
between checking and savings accounts, though it is not clear how it
treats them differently. All three have "cash" accounts - bank
accounts without the bank, essentially.
- Another common feature is accounts for liabilities - loans, credit
cards, etc. Grisbi provides only a single "liability" account.
GnuCash adds credit card accounts as a separate type, while KMyMoney
goes even further with a separate loan account type.
- All three packages have accounts for assets - a place to keep track of
the value of your car, for example. Many dotcom veterans will
appreciate this; it makes the "net worth" calculation look much nicer
if you can include the value of that 1999 Ferrari. GnuCash has a
separate "equity" account type which is used for initial conditions -
your net worth before GnuCash entered the picture. The equity account
is needed to make all of the double-entry accounts balance out.
- GnuCash is alone in having income and expense accounts. This type of
account is required if you are going to do double-entry bookkeeping -
every transaction must be represented as a transfer between accounts.
Since KMyMoney claims double-entry capability as well, it presumably
implements a similar type of account, but they are presented to the
user as "categories."
- Grisbi does not have any sort of account for investments. There is a
general "investment" account type in KMyMoney; GnuCash, instead,
provides separate currency, stock and mutual fund account types.
- Finally, GnuCash has "accounts payable" and "accounts receivable"
account types which are used with its small business features.
GnuCash takes a "one big window" approach to account creation - everything
one may wish to add is to be found there. Some of the fields are obvious,
others less so. "Commodity" is, for most accounts, the currency in which
the account is denominated. The "account code" is a number which,
seemingly, only affects the order in which the accounts are sorted in the
main window. It is nice to have the control, but a modern user expects to
be able to effect that sort of ordering just by dragging the accounts
around. The account type must be chosen from a tiny, scrolling window.
With GnuCash, one must also choose a "parent account," because accounts are
stored in a hierarchical manner.
What the GnuCash account creation window lacks is any way of creating
accounts (such as mortgages) involving regular, complicated payments. That
capability does exist, but it is to be found deeply under the
"actions" menu in the main window. The "Mortgage/Loan Druid" is highly
capable, though with some strange defaults (interest rate of 0.001%, for
example). It understands things like escrow accounts and mortgage
insurance, and can set up everything which is needed to track the loan. It
gives every impression of being a feature which was bolted on relatively
late in the game, however.
KMyMoney has the slickest new account creation dialogs. A request to
create an account leads to a series of graphics-heavy windows appropriate for the type of
the account. Unlike GnuCash, KMyMoney tracks "institutions" as separate
entities, and can (optionally) associate accounts with them. Accounts
involving regular payments (such as credit cards) will draw an offer to set
up a scheduled transaction. Setting up a loan requires entering interest
and payment information as well. The mortgage mechanism is a little less
sophisticated (it does not understand escrow accounts, for example), but it
has everything which is truly needed.
KMyMoney implements hierarchical accounts, but there is no way, in the
account creation process, to specify where in the hierarchy an account
should be created. Accounts can be moved later, however.
Creating an account with Grisbi starts with selecting the account type.
Then the main application window is taken over by a form where the relevant
information can be filled in. Grisbi, like KMyMoney, keeps track of
financial institutions. Grisbi accounts can also have minimum balances
associated with them; running an account below the minimum yields a
warning.
Grisbi accounts have a currency associated with them; your editor was
somewhat surprised to see that the Euro was the only option provided. As
much as your editor would have rather had all of his accounts in Euro over
the last few years, that is not the case. Currencies, as it turns out, are
one of the stranger corners of the Grisbi interface. It is possible to
change the list of "known currencies" under the Edit->Preferences menu.
Clicking on the "Add" button yields the usual lengthy list of currencies,
sorted in a way seemingly designed to force both North Americans and
Europeans to scroll for a long time before finding anything useful. Once
the currency has been "added," it is available for use in new accounts.
But this dialog is not available until at least one account has been
created. So those of us unlucky enough to have our accounts in $US must
first create a throwaway Euro account before adding our native currency
(which Grisbi clearly knows about) to the "known currencies" list.
Grisbi has no notion of hierarchical accounts, and no "druids" for the
addition of more complicated accounts.
Entering transactions
Personal finance applications offer no end of features and capabilities to
users. What most of those users will spend their time actually
doing, however, is entering transactions into the program. It would
thus make sense for those working on this kind of software to focus a great
deal of effort toward making this task quick, easy, and relatively easy to
get right.
GnuCash is the clear winner in this area. The register window has all of
the information required, and is highly configurable. Transactions can be
entered quickly, with no need to use the mouse once the process is
started. GnuCash remembers transactions, so it can expand names and cut
back on typing. Nicely, it seems to have some way of tracking which
descriptions are used most often, so the suggested expansion is usually the
one you want. For payees which have been seen before, GnuCash will fill in
the transfer account (read "category") and the dollar amount seen the
previous time. As a result, many transactions can be entered with very few
keystrokes. The only slight glitch is that the transaction memory is local
to each account, so things do not always expand when one might expect them
to.
GnuCash allows the date to be changed with the + and - keys (= works in
place of +, saving wear on the little finger). A + in the number field will
generate the next check number. This number is calculated from whatever was
entered last, rather
than from the largest number ever seen; this feature is much appreciated in
households where more than one checkbook is in use for the same account.
Unfortunately, there is no way for GnuCash to help effect any control over
what the spouse does with that other checkbook.
The KMyMoney register, instead, is harder to work with. Starting a new
transaction requires an action with the mouse. Thereafter, everything can
be done with the keyboard, but more keystrokes are required. When GnuCash
proposes an expansion for a payee, a single tab is sufficient to accept it,
set the category, and move the cursor to the amount field. KMyMoney
requires a combination of tabs and carriage returns before it will move on
to the category field - and, if you get the combination wrong, it will
simply enter an incomplete transaction.
Several fields must be tabbed through to get to the
amount. KMyMoney will remember categories and amounts (but only after you
find and turn on the relevant configuration option).
KMyMoney can also guess check numbers (again, after an option has been
explicitly turned on), but it is a simple "biggest yet" calculation with no
attention to the numbers the user is entering at the time. The check
number cannot be incremented or decremented with any keys that your editor
was able to find. KMyMoney will warn the user if a transaction with a
duplicate number is about to be entered; GnuCash does not perform that check.
The date can be adjusted using the up and down arrows, but
something inspired the KMyMoney developers to have the arrow keys adjust
the year of the transaction by default. Even your editor does not
normally get quite that far behind in his checkbook maintenance; it should
not be necessary to hit two right-arrows to be able to change the day of
the month.
KMyMoney requires the user to choose between five different types of
transaction to enter: checks, deposits, transfers, withdrawals, and "ATM."
GnuCash has done away with that distinction; everything is a transfer.
Things are simpler that way; there should be no need to categorize
transactions for the application in this manner.
While KMyMoney is, in many ways, a very nice application, the slower
transaction entry process would, on its own, be enough to disqualify it as
far as your editor is concerned. Fortunately, none of the issues mentioned
here should be particularly hard to fix.
In many ways, Grisbi almost gets transaction entry right. It is possible
to get through most of the form by tabbing, payees are expanded and
previous information substituted, and check numbers are guessed based on
what was entered previously. Your editor had some difficulty at the
beginning, where Grisbi was convinced that transactions were being entered
in Euro; since the account was in dollars, Grisbi asked for a conversion
factor. Once told to use dollars for transactions, however, Grisbi
remembered - but transactions should default to the currency associated
with the account.
Dates can be adjusted with + and -. Unlike GnuCash (and a number of other
programs), Grisbi does not accept = as a substitute for +. Each Grisbi
transaction always starts with the current date; it would be more useful
to use the date of the previous
transaction, as GnuCash and KMyMoney do. But the truly obnoxious feature
is that Grisbi assumes that all transactions are done with a credit card
(for a checking account, even), and telling it that a check is involved
requires using the mouse. That slows down the entire process.
GnuCash is also able to work with banks supporting the (German) Home
Banking Computer Information (HBCI) protocol, but your editor, lacking bank
accounts in Germany, was unable to test this feature.
There is much to be said for not typing in transactions at all. Quite a
few banks will make transaction information available via the OFX/QFX file
format, and all three programs reviewed here are able to import that
format. GnuCash sorts imported transactions into three piles - those which
it cannot import at all, those which need to manually have transfer
accounts (categories) set, and those for which it was able to guess
categories itself. The category assignment process is a bit cumbersome (it
would be nicer if the same interface was used here as in the register) but
effective. The automatic assignments appear error prone, so one needs to
glance them over before finishing the task.
Grisbi will simply import the whole set of transactions into the indicated
account with no category information at all; the user must go in afterward
and fix things up one by one. Unfortunately, your editor was unable to
build OFX support for KMyMoney.
Reconciliation
The other common time-consuming task performed with personal finance
managers is account reconciliation, otherwise known as the process of
figuring out why the bank thinks you have less money than you thought you
had. The reconciliation process tends to be tedious, with occasional
unpleasant surprises. A finance manager can do nothing about the financial
pain involved in reconciliation, but it should at least make the process as
quick and straightforward as possible.
The GnuCash reconciliation process starts with a request for a statement
date and ending balance. GnuCash attempts to come up with a default date,
but the results are occasionally strange. The window also asks whether
subaccounts should be included in the process, and gives the opportunity to
enter an interest payment. The actual reconciliation window contains two
panes; GnuCash, unlike other programs, separates deposits and debits for
this process. The key by which items are sorted can be selected by
clicking on the column heading - a nice feature if you like to have checks
listed in number order, rather than by date. Reconciling items is a simple
matter of clicking on them. Double-clicking on an item will bring up a
register window with the cursor at that item, allowing quick corrections to
be made. The register window can also be used to enter new transactions
(all those ATM withdrawals you forgot, for example) at any time.
The reconciliation process in KMyMoney is similar; during the setup phase,
it also allows the entry of bank charges, however. The reconciliation
window has a single pane, with deposits and debits mixed together and
sorted in date order. There does not appear to be any way to change the
sorting order. Double-clicking on a transaction allows it to be edited in
place. KMyMoney allows the user to "postpone" the completion of the
reconciliation process, and will remember the relevant information for the
next time.
The Grisbi reconciliation option is hard to find - it is not anywhere in
the menubar. Instead, one must go to the "transactions" window, then
hit the "reconcile" button on the lower left. Statement information is
then entered in the left column; there is no provision for the entry of
interest payments or bank fees. Clicking on transactions will cause them
to be marked as reconciled (at least, one assumes that "P" means reconciled
in some language); double-clicking allows them to be edited in the bottom
part of the window. The process is ended with the "OK" button on the lower
left; that button is not active until everything balances out (there is no
"postpone" option).
Conclusion to Part I
With the features described above, any of these three programs can be used
to keep track of a set of bank accounts. Personal finance programs can
offer much more, however. The second part of this article will cover some
of the other capabilities expected of a contemporary finance application,
including:
- Scheduled transactions - tracking (and reminding about) payments which
are to happen in the future.
- Loan tracking, including tracking the current principal balance.
- Reports. Can you see where the money is going, how it got there, and
make a nice pie chart out of it?
- Investment tracking: stocks and funds, dividend reinvestments, capital
gains, use of online price information, etc.
- Budget creation and tracking.
If space and time allow, the second part may also include a look at the
business features offered by GnuCash. Or that part may have to wait for
the Exceedingly Grumpy Editor's Guide to Small Business Accounting
Packages.
Your editor's final comment is this: for many years, there was only one
free personal finance application of any note: GnuCash. It is now
interesting to see there are three viable programs out there. The
situation has changed significantly - for the better - over the past year.
Come back for the second part (to be published, probably, near the
beginning of October) to complete the tour of what these programs can do,
and a final recommendation from the editor.
[Part 2 is now available]
September 14, 2005
This article was contributed by Jake Edge.
One of the more visible outcomes of the BitKeeper fiasco earlier this year
was the development of git to replace the use of BitKeeper for kernel
development. A less prominent, but equally capable alternative began
development at roughly the same time. Matt Mackall started work on Mercurial
just a few days after git and since that time it has made great strides as
a distributed source code management system. It has matured to the point
where at least one large project, the virtual machine monitor Xen, is using
it to manage their code.
Mercurial, like BitKeeper, git and others, is targeted at projects where
the developers are spread out geographically and need to be able to
perform source code management functions without the bottleneck of a
central repository. Matt adopted the design goals that Linus used for git
(speed, distributed operation, and trustability) and added the additional
constraints that it should be CPU, storage, and bandwidth efficient.
Mercurial is written in Python, with some C extensions for CPU intensive
pieces, and is fairly small, weighing in around 7500 lines of code.
Disk based storage of Mercurial revisions is done using delta compressed
revision logs (revlogs) that are stored with disk access optimization in
mind. The revlogs are stored in a directory structure that mirrors the
structure of the project and filesystems are generally optimized for this
kind of access. Over time, fragmentation of revlogs will occur, but a
tar or copy of the directory will have the side effect of defragmentation.
Other SCMs that use filenames based on the SHA1 hash of the contents (git
for example) tend to require more disk seeking because file locality is
a function of the hash rather than the filename.
Because the revlogs are smaller than keeping each individual revision of a
file as a separate object, Mercurial uses less bandwidth when syncing
repositories as well.
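A simplified sketch of the storage idea described above, added as an example and not Mercurial's code or on-disk format: each revision is stored as a compressed delta against the previous one, a full snapshot is written when the delta chain gets long, and every read is checked against a hash recorded at commit time. The `Revlog` class, the `max_chain` threshold, the linear SHA-1 chaining and the sample history are assumptions of this sketch.

```python
import hashlib
import struct
import zlib
from difflib import SequenceMatcher

NULL_ID = b"\0" * 20          # parent id used for the first revision


def make_delta(old: bytes, new: bytes) -> bytes:
    """Encode `new` as (start, end, length, data) edits against `old`, line-aligned."""
    a, b = old.splitlines(True), new.splitlines(True)
    offs = [0]
    for line in a:
        offs.append(offs[-1] + len(line))          # byte offset of each line in old
    out = []
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            data = b"".join(b[j1:j2])
            out.append(struct.pack(">III", offs[i1], offs[i2], len(data)) + data)
    return b"".join(out)


def apply_delta(old: bytes, delta: bytes) -> bytes:
    """Rebuild the newer text from `old` and a delta produced by make_delta()."""
    out, last, pos = [], 0, 0
    while pos < len(delta):
        start, end, length = struct.unpack_from(">III", delta, pos)
        pos += 12
        out += [old[last:start], delta[pos:pos + length]]
        pos += length
        last = end
    out.append(old[last:])
    return b"".join(out)


class Revlog:
    """Append-only log: a snapshot, then deltas, then a new snapshot when the chain grows."""

    def __init__(self, max_chain=8):
        self.max_chain = max_chain
        self.index = []            # per revision: (node id, base revision, payload)

    def add(self, text: bytes) -> int:
        rev = len(self.index)
        parent = self.index[-1][0] if self.index else NULL_ID
        node = hashlib.sha1(parent + text).digest()
        if rev == 0 or rev - self.index[-1][1] >= self.max_chain:
            base, payload = rev, text                      # start a new chain
        else:
            base = self.index[-1][1]
            payload = make_delta(self.read(rev - 1), text)
        self.index.append((node, base, zlib.compress(payload)))
        return rev

    def read(self, rev: int) -> bytes:
        node, base, _ = self.index[rev]
        text = zlib.decompress(self.index[base][2])        # snapshot of this chain
        for r in range(base + 1, rev + 1):
            text = apply_delta(text, zlib.decompress(self.index[r][2]))
        parent = self.index[rev - 1][0] if rev else NULL_ID
        if hashlib.sha1(parent + text).digest() != node:   # integrity check on read
            raise ValueError("revision %d fails its hash check" % rev)
        return text

    def stored_bytes(self) -> int:
        return sum(len(payload) for _, _, payload in self.index)


def full_copies_bytes(texts) -> int:
    """Space needed if every revision were kept as its own compressed object."""
    return sum(len(zlib.compress(t)) for t in texts)


def build_history(revisions=12):
    """Constructed history: a 200-line file with one line edited per revision."""
    text = b"".join(b"line %d of a constructed source file\n" % i for i in range(200))
    log, texts = Revlog(), []
    for n in range(revisions):
        text = text.replace(b"line %d of" % (n * 7),
                            b"line %d, edited in rev %d, of" % (n * 7, n))
        texts.append(text)
        log.add(text)
    return log, texts


if __name__ == "__main__":
    log, texts = build_history()
    print("revlog bytes:", log.stored_bytes(), "full copies:", full_copies_bytes(texts))
```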
A single command, called 'hg' after the chemical symbol for mercury, is the
command line interface to Mercurial and provides a consistent set of
switches used for various source code management tasks. Users of CVS or
subversion will find it immediately familiar to type commands like 'hg commit'
or 'hg update'. Also, there is the 'hg help' command which gives a quick
overview of the commands available and a summary line for each of the
individual commands.
The framework that Mercurial provides will be familiar to anyone who has used
a distributed SCM. The push/pull style of development where tree maintainers
pull changes from contributors' feature branches and merge them into their
current working tree is the model best supported by Mercurial. Both HTTP and
SSH are supported for network syncing and the hg command itself can be run
as a server to export a repository for pulling via hg and for browsing
via the web.
Various extensions and other tools have been created for Mercurial, or, in
some cases, ported from git. Visualization tools for examining repositories
are available as well as conversion utilities to convert repositories from
other SCM systems. Chris Mason's Mercurial Queues extension adds patch
management features, similar to quilt, to hg.
Interoperability with git is clearly a feature desired by Matt and the other
developers. Matt's intent with Mercurial was to create a tool that he
could use for kernel development and since the various official kernel
trees are using git repositories, tools to extract information from git
and into Mercurial have been created. There is a repository that tracks
Linus' git repository for the 2.6 kernel and there are plans to add a git
export feature to Mercurial.
Mercurial has an active development community, a wiki with a great deal
of information for new users, and a very responsive mailing list.
It is a fast, scalable, easy to use, and generally well thought out
system that is being used for kernel and other development. It currently
lacks a few features that developers might want (a way to compare
repositories for example), but the pace of development has been rapid
and these holes are likely to be filled quickly. For anyone who is
thinking about using a distributed SCM, Mercurial is definitely worth
a look.
Page editor: Rebecca Sobol
Security
Brief items
September 14, 2005
This article was contributed by Jake Edge.
Tom Ferris announced a potentially exploitable buffer overflow in Firefox
this week and the discussion surrounding the flaw has focused on the nature
of the announcement more than the bug itself. Advocates of full disclosure
and those opposed to it have clashed on various internet sites.
The bug is in the handling of international domain names (IDN) and
the proof of concept released by Ferris is a specially crafted URL that
will cause Firefox 1.0.6 and earlier to crash. Unlike other similar bugs,
the user does not need to actually follow the link; just parsing the URL in
the page will cause Firefox to crash. It is not yet known whether a
malicious person can exploit this to execute arbitrary code on the host, but
Ferris claims in his bug report that it can be done.
A workaround that disables IDN parsing was quickly released by the Mozilla
team, and both Red Hat and Fedora released updates to fix the buffer
overflow.
Complaints have been heard about the amount of time Ferris gave to
the Mozilla team to fix the problem before he announced the flaw on
the full-disclosure mailing list. His report states that he reported
the problem on September 4, but the entry in bugzilla was made on
September 6. He disclosed the problem on September 8 before a fix was
available and many people find that to be irresponsible.
Full disclosure is a contentious issue and many people argue that security
flaws should be reported to the author of the software, and that they should
be given a 'reasonable' amount of time to investigate and fix the problem
before it is announced to the world. The presumption is that the delay
reduces or eliminates the possibility of an exploit being crafted while
the program is vulnerable. The proponents of disclosure point out that
it is quite possible that other people, possibly having bad intentions,
know about the flaw already and
are working on exploits or have already deployed them. Even if there is
no known exploit 'in the wild', security conscious users may wish to
stop using the affected program until it can be fixed, and without disclosure
they do not have the information necessary to take that step.
An additional complication arises
because Firefox has been touted as a more secure alternative to Internet
Explorer and many less than technically savvy people have installed it.
These users do not tend to frequent LWN or other sites that
report on security issues and, unfortunately, are likely to ignore
the problem even if they do find out about it. This problem is not
unique to Firefox, of course, nor to free software in general, but as
free software extends its reach, it is a problem that needs to be
addressed. A widespread exploit in a free software package, even if
the vulnerability has already been fixed, will provide the competition
with ample opportunities to suggest that all free software is insecure.
New vulnerabilities
common-lisp-controller: design error
| Package(s): | common-lisp-controller | CVE #(s): | CAN-2005-2657 |
| Created: | September 14, 2005 | Updated: | November 21, 2005 |
| Description: | François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before. |
mozilla: buffer overflow
| Package(s): | mozilla | CVE #(s): | CAN-2005-2871 |
| Created: | September 12, 2005 | Updated: | October 20, 2005 |
| Description: | The Mozilla browser, Firefox and Thunderbird have a buffer overflow vulnerability. A local user can be tricked into clicking a URL that can cause the local application to crash, and possibly execute arbitrary code. See this article for more information. |
mysql: buffer overflow
| Package(s): | mysql | CVE #(s): | CAN-2005-2558 |
| Created: | September 12, 2005 | Updated: | January 12, 2006 |
| Description: | The MySQL CREATE FUNCTION statement can be used to trigger a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server. |
tdiary: cross-site request forgery
| Package(s): | tdiary | CVE #(s): | CAN-2005-2411 |
| Created: | September 12, 2005 | Updated: | September 13, 2005 |
| Description: | The tdiary web log utility has a cross-site request forgery vulnerability that can be used by remote attackers to alter a user's local information. |
util-linux: unintentional grant of privileges by umount
| Package(s): | util-linux | CVE #(s): | CAN-2005-2876 |
| Created: | September 13, 2005 | Updated: | December 19, 2005 |
| Description: | The Linux umount command, as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2, grants root privileges. See this BugTraq post for more information. |
xorg-x11: heap overflow
| Package(s): | xorg-x11 | CVE #(s): | CAN-2005-2495 |
| Created: | September 12, 2005 | Updated: | March 8, 2006 |
| Description: | The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow; a local user can use this to execute arbitrary code with elevated privileges. |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 |
| Created: | November 26, 2004 | Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
apache information disclosure if modssl=yes
| Package(s): | apache | CVE #(s): | CAN-2005-2700 |
| Created: | September 2, 2005 | Updated: | November 10, 2005 |
| Description: | An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced. |
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
CVE #(s): | CAN-2005-1268
CAN-2005-2088
|
| Created: | July 25, 2005 |
Updated: | November 7, 2005 |
| Description: |
Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL). |
awstats: command injection vulnerability
| Package(s): | awstats |
CVE #(s): | CAN-2005-1527
|
| Created: | August 11, 2005 |
Updated: | November 10, 2005 |
| Description: |
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
cpio: directory traversal
| Package(s): | cpio |
CVE #(s): | CAN-2005-1111
|
| Created: | June 20, 2005 |
Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attacker's choice. cpio will
extract to the path specified in the cpio file, and this path can be absolute. |
CUPS: multiple vulnerabilities
| Package(s): | CUPS |
CVE #(s): | CAN-2004-2154
|
| Created: | July 14, 2005 |
Updated: | September 20, 2005 |
| Description: |
The CUPS printing system has a problem with queue name
case-sensitivity matching that can cause a security policy override. An
unauthorized user can use this to print to a protected queue. |
cvs: insecure temp file
| Package(s): | cvs |
CVE #(s): | CAN-2005-2693
|
| Created: | August 23, 2005 |
Updated: | September 9, 2005 |
| Description: |
Insecure temporary file usage was found in the cvsbug program. It is possible that a malicious user could use this to execute arbitrary
instructions as the user running cvsbug. |
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
dhcpcd: denial of service
| Package(s): | dhcpcd |
CVE #(s): | CAN-2005-1848
|
| Created: | July 13, 2005 |
Updated: | September 13, 2005 |
| Description: |
The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
|
elm: buffer overflow
| Package(s): | elm |
CVE #(s): | CAN-2005-2665
|
| Created: | August 23, 2005 |
Updated: | November 11, 2005 |
| Description: |
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it. |
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
ethereal: dissector vulnerabilities
evolution: format string issues
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CAN-2004-0967
|
| Created: | October 20, 2004 |
Updated: | September 28, 2005 |
| Description: |
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu |
CVE #(s): | CAN-2005-2101
|
| Created: | August 15, 2005 |
Updated: | September 22, 2005 |
| Description: |
Ben Burton notified the KDE security team about several tempfile
handling related vulnerabilities in langen2kvtml, a conversion
script for kvoctrain. The script must be manually invoked. The
script uses known filenames in /tmp which allow a local
attacker to overwrite files writeable by the user invoking the
conversion script. |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-1913
CAN-2005-1761
|
| Created: | July 1, 2005 |
Updated: | September 9, 2005 |
| Description: |
Several vulnerabilities in the 2.6 kernel have been
fixed, including a subthread exec problem (CAN-2005-1913)
and an ia64 ptrace + sigrestore_context problem (CAN-2005-1761). |
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2005-2098
CAN-2005-2099
CAN-2005-2456
CAN-2005-2457
CAN-2005-2458
CAN-2005-2459
CAN-2005-2548
CAN-2005-2555
|
| Created: | August 19, 2005 |
Updated: | September 19, 2005 |
| Description: |
David Howells discovered a local Denial of Service vulnerability in
the key session joining function. Under certain user-triggerable
conditions, a semaphore was not released properly, which caused
processes which also attempted to join a key session to hang forever.
(CAN-2005-2098)
David Howells discovered a local Denial of Service vulnerability in
the keyring allocator. A local attacker could exploit this to crash
the kernel by attempting to add a specially crafted invalid keyring.
(CAN-2005-2099)
Balazs Scheidler discovered a local Denial of Service vulnerability in
the xfrm_compile_policy() function. By calling setsockopt() with an
invalid xfrm_user policy message, a local attacker could cause the
kernel to write to an array beyond its boundaries, thus causing a
kernel crash. (CAN-2005-2456)
Tim Yamin discovered that the driver for compressed ISO file systems
did not sufficiently validate the input data. By tricking a user into
mounting a malicious CD-ROM with a specially crafted compressed ISO
file system, he could cause a kernel crash. (CAN-2005-2457)
It was discovered that the kernel's embedded zlib compression library
was still vulnerable to two old vulnerabilities of the standalone zlib
library. This library is used by various drivers and can also be used
by third party modules, so the impact varies. (CAN-2005-2458,
CAN-2005-2459)
Peter Sandstrom discovered a remote Denial of Service vulnerability in
the SNMP handler. Certain UDP packets lead to a function call with
the wrong argument, which resulted in a crash of the network stack.
(CAN-2005-2548)
Herbert Xu discovered that the setsockopt() function was not
restricted to privileged users. This allowed a local attacker to
bypass intended IPSec policies, set invalid policies to exploit flaws
like CAN-2005-2456, or cause a Denial of Service by adding policies
until kernel memory is exhausted. Now the call is restricted to
processes with the CAP_NET_ADMIN capability. (CAN-2005-2555) |
kernel: multiple vulnerabilities
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0175
CAN-2005-0488
CAN-2005-1175
CAN-2005-1689
|
| Created: | July 12, 2005 |
Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
this report for more
information. |
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
CVE #(s): | CAN-2005-1349
|
| Created: | May 20, 2005 |
Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
CVE #(s): | CAN-2005-0077
|
| Created: | January 25, 2005 |
Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others (e.g. Sparc) it can lead to a bus error,
in other words a denial of service.
|
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl |
CVE #(s): | CAN-2005-0106
|
| Created: | May 3, 2005 |
Updated: | January 27, 2006 |
| Description: |
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content. |
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
libTIFF: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CAN-2005-1544
|
| Created: | May 10, 2005 |
Updated: | February 18, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
stack based buffer overflow in the libTIFF library when reading a TIFF
image with a malformed BitsPerSample tag. Successful exploitation would
require the victim to open a specially crafted TIFF image, resulting in the
execution of arbitrary code. |
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
libXpm: new buffer overflows
| Package(s): | libXpm |
CVE #(s): | CAN-2005-0605
|
| Created: | March 4, 2005 |
Updated: | March 8, 2006 |
| Description: |
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code
execution. |
lm-sensors: insecure temp files
| Package(s): | lm-sensors |
CVE #(s): | CAN-2005-2672
|
| Created: | August 23, 2005 |
Updated: | November 10, 2005 |
| Description: |
Javier Fernández-Sanguino Peña noticed that the pwmconfig script created
temporary files in an insecure manner. This could allow a symlink attack to
create or overwrite arbitrary files with full root privileges since
pwmconfig is usually executed by root. |
mantis: missing input sanitizing
| Package(s): | mantis |
CVE #(s): | CAN-2005-2556
CAN-2005-2557
|
| Created: | August 19, 2005 |
Updated: | September 26, 2005 |
| Description: |
Two security related problems have been discovered in Mantis, a
web-based bug tracking system. A remote attacker could insert arbitrary
SQL code into SQL statements, and a remote attacker was able to insert
arbitrary HTML code into bug reports, hence cross-site scripting. |
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
Mozilla: frame injection spoofing
| Package(s): | mozilla firefox |
CVE #(s): | CAN-2004-0718
CAN-2005-1937
|
| Created: | August 15, 2005 |
Updated: | September 19, 2005 |
| Description: |
A vulnerability has been discovered in Mozilla and Mozilla Firefox
that allows remote attackers to inject arbitrary Javascript from one
page into the frameset of another site. Thunderbird is not affected
by this. |
mplayer: heap overflow
| Package(s): | mplayer |
CVE #(s): | CAN-2005-2718
|
| Created: | September 1, 2005 |
Updated: | September 7, 2005 |
| Description: |
mplayer's ad_pcm.c code has a heap overflow vulnerability.
The faulty code handles the strf chunk of PCM audio streams.
A maliciously created audio or video file could be created,
allowing code to be executed with the privileges of the
user who is running mplayer. |
mysql: low-impact security fix
| Package(s): | mysql |
CVE #(s): | CAN-2005-1636
|
| Created: | July 20, 2005 |
Updated: | February 22, 2006 |
| Description: |
An update to MySQL version 4.1.12 fixes a low-impact security
problem (bz#158689). |
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
nfs-utils: arbitrary code execution
| Package(s): | nfs-utils |
CVE #(s): | CAN-2004-0946
|
| Created: | January 11, 2005 |
Updated: | February 27, 2006 |
| Description: |
Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
architectures; an improper integer conversion could lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could then lead to the execution of arbitrary code. |
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string rather than a numeric gid, the daemon uses
the gid of the user, not the group. This problem is now fixed
by this update. |
openssh: GSSAPI credential disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2005-2798
|
| Created: | September 7, 2005 |
Updated: | February 3, 2006 |
| Description: |
OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
|
OpenSSL: information leak
| Package(s): | openssl |
CVE #(s): | CAN-2005-0109
|
| Created: | May 23, 2005 |
Updated: | October 11, 2005 |
| Description: |
Hyper-Threading technology, as used in FreeBSD and other operating systems and
implemented on Intel Pentium and other processors, allows local users to
use a malicious thread to create covert channels, monitor the execution of
other threads, and obtain sensitive information such as cryptographic keys,
via a timing attack on memory cache misses. See this LWN article for more information. |
OpenSSL: denial of service vulnerabilities
openvpn: multiple vulnerabilities
| Package(s): | openvpn |
CVE #(s): | CAN-2005-2531
CAN-2005-2532
CAN-2005-2533
CAN-2005-2534
|
| Created: | August 23, 2005 |
Updated: | October 10, 2005 |
| Description: |
A number of vulnerabilities were discovered in OpenVPN that were fixed in
the 2.0.1 release:
A DoS attack against the server when run with "verb 0" and without
"tls-auth" when a client connection to the server fails certificate
verification, the OpenSSL error queue is not properly flushed. This could
result in another unrelated client instance on the server seeing the error
and responding to it, resulting in a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client that sends a
packet which fails to decrypt on the server, the OpenSSL error queue was
not properly flushed. This could result in another unrelated client
instance on the server seeing the error and responding to it, resulting in
a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client is possible in
"dev tap" ethernet bridging mode where a malicious client could
theoretically flood the server with packets appearing to come from hundreds
of thousands of different MAC addresses, resulting in the OpenVPN process
exhausting system virtual memory.
If two or more client machines tried to connect to the server at the same
time via TCP, using the same client certificate, a race condition could
crash the server if --duplicate-cn is not enabled on the server. |
pam_ldap: plain text authentication leak
| Package(s): | pam_ldap |
CVE #(s): | CAN-2005-2069
|
| Created: | July 14, 2005 |
Updated: | October 17, 2005 |
| Description: |
pam_ldap
and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an
attacker to sniff unencrypted passwords and other information. |
pcre3: arbitrary code execution
| Package(s): | pcre3 |
CVE #(s): | CAN-2005-2491
|
| Created: | August 23, 2005 |
Updated: | March 10, 2006 |
| Description: |
A buffer overflow has been discovered in PCRE, a widely used library
that provides Perl compatible regular expressions. Specially crafted
regular expressions triggered a buffer overflow. On systems that accept
arbitrary regular expressions from untrusted users, this could be exploited
to execute arbitrary code with the privileges of the application using the
library. |
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
perl: symlink vulnerability
| Package(s): | perl |
CVE #(s): | CAN-2005-0448
|
| Created: | March 9, 2005 |
Updated: | January 30, 2006 |
| Description: |
The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries. |
php: arbitrary code execution
| Package(s): | php |
CVE #(s): | CAN-2005-2498
|
| Created: | August 19, 2005 |
Updated: | October 4, 2005 |
| Description: |
A bug was discovered in the PEAR XML-RPC Server package included in PHP. If
a PHP script is used which implements an XML-RPC Server using the PEAR
XML-RPC package, then it is possible for a remote attacker to construct an
XML-RPC request which can cause PHP to execute arbitrary PHP commands as
the 'apache' user. |
phpsysinfo: cross-site-scripting
| Package(s): | phpsysinfo |
CVE #(s): | CAN-2005-0870
|
| Created: | May 18, 2005 |
Updated: | November 15, 2005 |
| Description: |
The phpsysinfo program contains several cross-site scripting vulnerabilities. |
postgresql: database initialization errors
| Package(s): | postgresql |
CVE #(s): | CAN-2005-1409
CAN-2005-1410
|
| Created: | May 4, 2005 |
Updated: | February 28, 2006 |
| Description: |
PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
|
Pound: buffer overflow
| Package(s): | pound |
CVE #(s): | CVE-2005-1391
|
| Created: | May 2, 2005 |
Updated: | January 10, 2006 |
| Description: |
Steven Van Acker has discovered a buffer overflow vulnerability in the
"add_port()" function in Pound 1.8.2+. A remote attacker could send a
request for an overly long hostname parameter, which could lead to the
remote execution of arbitrary code with the rights of the Pound daemon
process. |
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 15, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
ruby: arbitrary command execution
| Package(s): | ruby |
CVE #(s): | CAN-2005-1992
|
| Created: | June 21, 2005 |
Updated: | October 6, 2005 |
| Description: |
Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on
XMLRPC servers. |
| Alerts: |
|
Comments (none posted)
shorewall: rule bypass vulnerability
| Package(s): | shorewall |
CVE #(s): | CAN-2005-2317
|
| Created: | July 21, 2005 |
Updated: | October 10, 2005 |
| Description: |
Shorewall has a vulnerability in which a client that is accepted by
MAC address filtering can bypass other rules, allowing access to
all open services on the firewall. |
| Alerts: |
|
Comments (none posted)
slocate: long path bug
| Package(s): | slocate |
CVE #(s): | CAN-2005-2499
|
| Created: | August 22, 2005 |
Updated: | October 5, 2005 |
| Description: |
A bug was found in the way slocate processes very long paths. A local user
could create a carefully crafted directory structure that would prevent
updatedb from completing its file system scan, resulting in an incomplete
slocate database. |
| Alerts: |
|
Comments (none posted)
smb4k: temporary file vulnerability
| Package(s): | smb4k |
CVE #(s): | CVE-2005-2851
|
| Created: | September 7, 2005 |
Updated: | December 7, 2005 |
| Description: |
Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
|
| Alerts: |
|
Comments (none posted)
squid: DoS issues
| Package(s): | squid |
CVE #(s): | CAN-2005-2794
CAN-2005-2796
|
| Created: | September 6, 2005 |
Updated: | November 7, 2005 |
| Description: |
Squid-2.5.10-r2 and earlier has three Denial of Service issues. |
| Alerts: |
|
Comments (none posted)
SquirrelMail: several XSS vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2005-1769
|
| Created: | June 21, 2005 |
Updated: | September 16, 2005 |
| Description: |
Several cross site scripting (XSS) vulnerabilities have been
discovered in SquirrelMail versions 1.4.0 - 1.4.4. |
| Alerts: |
|
Comments (none posted)
sudo: race condition
| Package(s): | sudo |
CVE #(s): | CAN-2005-1993
|
| Created: | June 21, 2005 |
Updated: | February 24, 2006 |
| Description: |
Charles Morris discovered a race condition in sudo which could lead to
privilege escalation. If /etc/sudoers allowed a user the execution of
selected programs, and this was followed by another line containing
the pseudo-command "ALL", that user could execute arbitrary commands
with sudo by creating symbolic links at a certain time. |
| Alerts: |
|
Comments (none posted)
sysreport: insecure temporary file
| Package(s): | sysreport |
CVE #(s): | CAN-2005-2104
|
| Created: | August 9, 2005 |
Updated: | November 11, 2005 |
| Description: |
Bill Stearns discovered a bug in the way sysreport creates temporary files.
It is possible that a local attacker could obtain sensitive information
about the system when sysreport is run. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
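The missing "../" filtering described above comes down to a check on each member name before anything is created. An added example (not code from GNU tar or unzip) of such a check; the function names and the sample member names are assumptions constructed for illustration, and the check is deliberately conservative: it refuses any name with a ".." component, even one that would resolve inside the extraction directory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decide whether an archive member name may be created below the
 * extraction directory. Rejects empty names, absolute paths and any
 * name that has ".." as a complete path component. Names that merely
 * contain two dots ("notes..txt", "..cache") are accepted.
 */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')
        return false;                    /* absolute path */

    const char *p = name;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                /* ".." component */

        p += len;
        while (*p == '/')                /* skip one or more separators */
            p++;
    }
    return true;
}

/* Constructed member names, as they might appear in an archive listing. */
static const char *const sample_members[] = {
    "project/README",
    "project/src/../Makefile",           /* stays inside, still refused */
    "../../.profile",
    "/etc/cron.d/job",
    "project/notes..txt",
};
#define N_SAMPLES (sizeof sample_members / sizeof sample_members[0])

/* Count how many names in a listing would be refused. */
size_t count_rejected(const char *const names[], size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!member_name_is_safe(names[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-28s %s\n", sample_members[i],
               member_name_is_safe(sample_members[i]) ? "extract" : "refuse");
    printf("%zu of %zu refused\n",
           count_rejected(sample_members, N_SAMPLES), (size_t)N_SAMPLES);
    return 0;
}
```

The check is purely lexical; it says nothing about links that already exist in the extraction directory.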
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1267
|
| Created: | June 9, 2005 |
Updated: | October 10, 2005 |
| Description: |
Several tcpdump protocol decoders contain programming errors which can
cause them to go into infinite loops. |
| Alerts: |
|
Comments (none posted)
tcpdump: multiple DoS issues
| Package(s): | tcpdump |
CVE #(s): | CAN-2005-1280
CAN-2005-1279
CAN-2005-1278
|
| Created: | May 2, 2005 |
Updated: | April 10, 2006 |
| Description: |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted RSVP
packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278) |
| Alerts: |
|
Comments (none posted)
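The zero-length case described above is the usual way a decoder loop stops advancing: the cursor is moved by a length taken from the packet, and a length of zero moves it nowhere. An added example (not tcpdump's code) of a length-prefixed object walker that always makes forward progress; the 4-byte header layout, the names and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 2-byte big-endian length (header included),
 * 1-byte class, 1-byte type, then the object body. */
#define OBJ_HDR_LEN 4u

enum walk_status {
    WALK_OK = 0,        /* every object was consumed exactly */
    WALK_TRUNCATED,     /* header or body runs past the captured data */
    WALK_BAD_LENGTH     /* length smaller than the header itself */
};

/*
 * Walk a sequence of objects. On return *n_objects holds the number of
 * well-formed objects seen before the walk stopped. Each iteration
 * advances by at least OBJ_HDR_LEN bytes, so the loop runs at most
 * len / OBJ_HDR_LEN times.
 */
enum walk_status walk_objects(const uint8_t *buf, size_t len,
                              size_t *n_objects)
{
    size_t off = 0;

    *n_objects = 0;
    while (off < len) {
        if (len - off < OBJ_HDR_LEN)
            return WALK_TRUNCATED;

        size_t obj_len = ((size_t)buf[off] << 8) | buf[off + 1];

        /* The check whose absence turns a crafted zero length into an
         * endless loop: without it, off += obj_len would not move. */
        if (obj_len < OBJ_HDR_LEN)
            return WALK_BAD_LENGTH;
        if (obj_len > len - off)
            return WALK_TRUNCATED;

        (*n_objects)++;
        off += obj_len;
    }
    return WALK_OK;
}

/* Constructed sample inputs. */
static const uint8_t sample_good[] = {
    0x00, 0x08, 0x01, 0x01, 0xde, 0xad, 0xbe, 0xef,   /* 8-byte object */
    0x00, 0x04, 0x02, 0x01                            /* header only   */
};
static const uint8_t sample_zero_len[] = {
    0x00, 0x04, 0x01, 0x01,                           /* valid         */
    0x00, 0x00, 0x02, 0x01                            /* length 0      */
};
static const uint8_t sample_overrun[] = {
    0x00, 0x10, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00    /* claims 16     */
};

int main(void)
{
    size_t n;
    enum walk_status st;

    st = walk_objects(sample_good, sizeof sample_good, &n);
    printf("good:     status=%d objects=%zu\n", st, n);
    st = walk_objects(sample_zero_len, sizeof sample_zero_len, &n);
    printf("zero len: status=%d objects=%zu\n", st, n);
    st = walk_objects(sample_overrun, sizeof sample_overrun, &n);
    printf("overrun:  status=%d objects=%zu\n", st, n);
    return 0;
}
```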
ucd-snmp: denial of service
| Package(s): | ucd-snmp |
CVE #(s): | CAN-2005-2177
|
| Created: | August 9, 2005 |
Updated: | January 27, 2006 |
| Description: |
A denial of service bug was found in the way ucd-snmp uses network stream
protocols. A remote attacker could send a ucd-snmp agent a specially
crafted packet which will cause the agent to crash. |
| Alerts: |
|
Comments (none posted)
vixie-cron: crontab allows any user to read another user's crontabs
| Package(s): | vixie-cron |
CVE #(s): | CAN-2005-1038
|
| Created: | April 15, 2005 |
Updated: | March 15, 2006 |
| Description: |
crontab in Vixie cron 4.1, when running with the -e option, allows local
users to read the cron files of other users by changing the file being
edited to a symlink. NOTE: there is insufficient information to know
whether this is a duplicate of CVE-2001-0235. See also this Security Focus
report. |
| Alerts: |
|
Comments (none posted)
wget: file overwrites and arbitrary code execution
| Package(s): | wget |
CVE #(s): | CAN-2004-1487
CAN-2004-1488
|
| Created: | June 9, 2005 |
Updated: | September 27, 2005 |
| Description: |
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite
certain files via a redirection URL containing a ".." that resolves to the
IP address of the malicious server, which bypasses wget's filtering for
".." sequences.
wget 1.8.x and 1.9.x does not filter or quote control characters when
displaying HTTP responses to the terminal, which may allow remote malicious
web servers to inject terminal escape sequences and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflows
| Package(s): | xine-lib |
CVE #(s): | CAN-2004-1379
|
| Created: | September 22, 2004 |
Updated: | April 10, 2006 |
| Description: |
xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
CVE #(s): | CAN-2004-0914
|
| Created: | November 18, 2004 |
Updated: | September 12, 2005 |
| Description: |
The X.Org libXpm library has several integer overflow vulnerabilities.
An attacker can modify XPM images to execute malicious code. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-2096
|
| Created: | July 6, 2005 |
Updated: | October 27, 2005 |
| Description: |
zlib has a buffer overflow vulnerability that can be exploited
by inflation of corrupted files; this can be used to crash zlib
or possibly remotely execute code. |
| Alerts: |
|
Comments (6 posted)
zlib: buffer overflow
| Package(s): | zlib |
CVE #(s): | CAN-2005-1849
|
| Created: | July 21, 2005 |
Updated: | April 11, 2006 |
| Description: |
zlib has a vulnerability that can cause code that executes it to crash
if a corrupted file is opened. |
| Alerts: |
|
Comments (none posted)
Resources
Mozilla.org has announced
a simple workaround that closes the Firefox International Domain
Name (IDN) security vulnerability.
"On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user."
Comments (9 posted)
Page editor: Rebecca Sobol
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.13.1, which was
released on September 9.
It includes about ten patches, including fixes for two known security
issues.
The current 2.6 prepatch is 2.6.14-rc1 released by
Linus on September 12. Here is
the announcement
from Linus.
According to the revised development process, this release should contain
all of the major patches that will go into 2.6.14; everything from now on
should be a bug fix. So it looks like 2.6.14 will include the ipw2100 and
ipw2200 wireless drivers, the HostAP system (which allows a Linux
system with suitable hardware to function as a wireless access point),
version 19 of the wireless extensions API, relayfs, a large InfiniBand
update, an abstraction layer for ethernet PHY devices, four-level page
table support for the ppc64 architecture, a big netfilter update, a DCCP implementation, the filesystems in user space patch,
and v9fs.
Other changes of note include the "sparsemem extreme" patches (preparing
for hotplug memory), a NUMA-aware slab allocator, kzalloc(), a number of
swap file improvements, some kernel build system improvements, some klist API changes, a serial ATA
update (with a Marvell driver supporting PIO mode only), ongoing work to
shrink the sk_buff structure, and some block subsystem
enhancements.
The current -mm tree is 2.6.13-mm2. Recent changes to
-mm include some token-based swapping tweaks, some memory hotplug work, a
PCMCIA update, and the usual pile of fixes. The -mm tree has shrunk
considerably as patches have flowed into the mainline.
Your editor is out of town this week, so the Kernel Page will be a bit
thinner than usual. Everything should be back to normal next week.
Comments (3 posted)
Kernel development news
We should have a strict rule: anybody who adds things like
"must_check" and "deprecated" had better also be ready and willing
to fix all the new warnings they cause - you're not allowed to just
assume that "somebody else will fix it".
-- Linus Torvalds
Comments (2 posted)
The reiser4 filesystem has been the subject of a long, ongoing conversation
for many months; look under "reiser4" in the LWN Kernel Page Index for
previous coverage on this page. The reiser4 developers have been working
hard to get their new filesystem merged into the mainline kernel, and they
believe that the time has come. To that end, Hans Reiser has posted a list of concerns raised by others. His hope
is to get definitive answers on what has to be done to get reiser4 in,
hopefully for 2.6.14.
One of the big issues since the beginning has been the reiser4 metafiles
feature, where every file can, itself, be treated as a directory with the
file's attributes accessible as files in their own right. This feature
raised many eyebrows just by looking weird and non-Unix-like, but the real
issue was one of locking. The Linux virtual filesystem code is simply not
set up to handle files as directories, so it is easy for a user to deadlock
the system. Even Hans Reiser, a strong defender of the metafile feature,
sees these deadlocks as an undesirable thing.
So, while reiser4 has been in -mm for quite some time, the metafile feature
has been disabled. There is no talk of turning it back on for a mainline
merge; the real issue, instead, is whether the code should be allowed to
remain at all. The consensus on the kernel side would appear to be that
unused code does not belong in the kernel, so the metafile implementation
is likely to be removed altogether. Someday, if the locking issues are
resolved, it might yet return.
Reiser4 has long had trouble working with 4K kernel stacks (see last week's Kernel Page). It
would appear that this issue has now been resolved. Another complaint
which has been raised has to do with a large number of debugging tests in
the code itself; some developers see it as clutter and would like it to be
removed. Here, however, Andrew Morton has sided with the reiser4 hackers
and told them to leave the tests in.
Reiser4 implements a couple of its own types for condition variables and
linked lists. In both cases, it is thought that the in-kernel primitives
could be used, rather than introducing new, redundant types. Those will
probably have to be fixed before this code can be merged.
The end result is that quite a bit of work remains to be done, meaning that
it is unlikely to be ready before 2.6.14 closes to new features. Andrew
has hinted that reiser4 might just slip in
after the deadline, though:
But something like a brand new filesystem can go in pretty much any
time, as long as it compiles. Because it can't break anyone's
current setup.
The one issue which, interestingly, has not come up in the recent
discussion has been the plugin architecture used by reiser4. To a number
of developers, that sort of feature does not belong at the individual
filesystem level; it should, instead, be made part of the VFS layer and
made available to all filesystems. It would appear that a more moderate
viewpoint, allowing the feature to be merged now with the idea of shifting
it up into the VFS over time, has won out.
Comments (7 posted)
From what has been merged as of this writing, it appears that the 2.6.14
kernel will have few API changes which will break code. The changes which
have been merged are mostly additions to the kernel API. Here is a quick
discussion of a few of them.
Some previously-discussed additions have finally made it to the mainline.
One of those is kzalloc(), which
allocates pre-zeroed memory. The two new variants of
schedule_timeout() (which perform the setting of the task
state) have also been merged.
Speaking of task states, there is now a TASK_NONINTERACTIVE flag
which is used to mark non-interactive sleeps. It should be set alongside
TASK_INTERRUPTIBLE or TASK_UNINTERRUPTIBLE in cases where
the fact that a process is sleeping does not provide any information on
whether it is interactive or not. Its initial use is for processes waiting
on pipe buffers; the idea is to keep batch tasks using pipes (such as
kernel compiles) from looking more interactive than they are.
Ingo Molnar's spinlock consolidation patch
has gone in. This change should not affect much outside of the spinlock
implementation, but it effects some major cleanups inside. There have been
a number of simplifications and enhancements applied to the spinlock
debugging code in particular.
On the networking side, there is a new function for allocating
sk_buff structures:
    struct sk_buff *alloc_skb_fclone(unsigned int size,
                                     unsigned int priority);
This function is meant to be used for SKBs which are expected to be cloned
over their life cycle. It actually allocates a pair of sk_buff
structures, with the idea that the second can be used at
skb_clone() time without having to perform another memory
allocation. Some reference count tricks are used to know when the whole
assembly can be freed.
The net_device structure has long contained a
get_wireless_stats() method, used by wireless network drivers. A
previous update of the wireless extensions API moved that method over to
the iw_handler_def structure, but still continued to use the older
form when present. Wireless extensions 19 maintains that compatibility a
little longer, but now issues a warning when a driver uses the older API.
The block layer API has seen some enhancements. There is a pair of new
functions for creating I/O requests out of kernel buffers:
    struct bio *bio_map_kern(request_queue_t *q, void *data, unsigned int len,
                             unsigned int gfp_mask);
    struct request *blk_rq_map_kern(request_queue_t *q, int rw, void *kbuf,
                                    unsigned int len, unsigned int gfp_mask);
The first will create a BIO structure out of the given kernel buffer (which
should not be space obtained with vmalloc()). The second takes
the additional step of queueing the request onto the given request queue.
There is also a new blk_rq_map_user_iov() which is intended to
work with the sg_iovec structures used in the SCSI layer.
As of this writing, the discussion of removing devfs has started up
again. That may not happen for 2.6.14, but it would be surprising, at this
point, if the devfs API lasted into 2.6.15.
Comments (2 posted)
Page editor: Forrest Cook
Distributions
News and Editorials
September 14, 2005
This article was contributed by Brock A. Frazier
UserLinux has been for all practical purposes dead for months now. The
most immediate points of failure and a brief history were covered in last
week's edition of LWN. There were no
messages on the UserLinux list for over 30 days, ending when the thread
titled "Anyone still alive" was started on September 3rd. UserLinux today is a non-issue and of little
worth other than to learn from.
I spent a notable amount of time on this project, writing the Mission
Statement and other key components. Though UserLinux has failed, at least
I gained some worthwhile experience. As with other failures, there are
things to be learned from an autopsy after death.
Points of failure for UserLinux
Inability to deliver product
The immediate cause of death was an inability to deliver software. Today
there still is no real delivered product, over three months after the
release of Debian Sarge. A common claim was that UserLinux would have a
release out about a day after the Debian Sarge release and when
this didn't happen, confidence decreased for the project.
Lesson: Deliver!
Untimely delay of Debian Sarge release
There was an artificial delay in the move towards the initial 1.0 release
and this had a notable, but non-fatal effect on the project. This was not
the ultimate cause of death, however, and delivering as promised a short
time after the Debian Sarge release would have livened the project back
up.
Lesson: Dependence on outside sources can cause painful delays. Be
prepared for the consequences.
Lack of roadmaps
The "when it is ready" mantra is not sufficient for a lot of people. They
want an estimated schedule to look at and an idea of where things are
headed. Even if one is looking at third party development, or in the case
of UserLinux, there is an overlap of developers between the project and
Debian, confidence goes up if time estimates are made. People are used to
roadmaps and popular projects such as Mozilla Firefox (roadmap) and OpenOffice.org
(Roadmap) use
roadmaps as do many commercial software vendors. Yes, roadmaps are often inaccurate, but like weather forecasts,
people like an idea of what is going to happen in the future, even if
the forecast
is imperfect. It helps in planning, which is especially nice if
a migration is being considered. Given that an area of interest for
UserLinux was to encourage migration from Microsoft platforms,
roadmaps would have been very beneficial.
Lesson: Don't fear the roadmap. People appreciate and sometimes even
expect roadmaps.
Late on departmentalizing into teams
There was no serious effort to divide the project into teams until about
10 months after the project started. The lack of teams encouraged problems with naming and engineering focus.
Naming
Not much went right with the name. The name was a nonproductive
distraction to the project that was never fixed.
- Nonproductive Distraction: Everyone seems to want to name things. A
co-worker of mine was genuinely fascinated by the prospect of naming this
new distribution that he had no real interest in otherwise. This is an odd
piece of human behavior. Open source projects tend to have bad names which
lead to less than desirable first impressions. This genuinely hurts
adoption, especially in more corporate environments. We had our share of
mindless naming suggestions like "Rabbitware Linux" that had no real purpose other than to appeal to the person suggesting the name.
A notable chunk of the overall list traffic for UserLinux was related to
the name and though it wasn't all as bad as "Rabbitware Linux" (rwLinux
for short), marketing and positioning were often not considered foremost
when suggesting names.
- Never Fixed: The name UserLinux had three key flaws:
- People in general do not like the term 'User', and the hatred seems to
grow as the user base gets less technical. This is counterproductive,
especially with the existing Microsoft desktop market as a key area for
potential growth.
- Domains. It is a very good idea to have at minimum the .com domain, and
if running a non-profit, the .org domain for a given name. UserLinux did
not have the .org which can be confusing since a .org
domain is expected for organizationally based projects. Given the
primarily online nature of the project, strong domain presence is
important.
- It was occasionally confused with UnitedLinux by people familiar with
the Linux market. UnitedLinux is the old Caldera, Conectiva, SUSE and
Turbolinux initiative.
Naming Lessons:
- The naming problems could have been lessened by having a
marketing-specific group handle the task. The group should have had
the authority to establish
concrete naming guidelines. Unfortunately, neither was the case.
- Think of the audience when creating a name for a project or software.
- Understand the primary points of contact for an organization and if you
cannot sufficiently meet those needs with a particular name, find another
name that will work.
Engineering focus
Engineering was distracted by marketing activities.
Marketing talk was initially on the same list as engineering, which
distracted and annoyed some people who might have contributed more to the
project otherwise.
Engineering Lesson: The marketing list should have been created earlier.
Overall Team Lesson: Departmentalization should have been done earlier.
Teams help keep people focused on where their strengths are.
IT Problems
Multiple downtimes for the list seriously hurt participation, as did an
obnoxious amount of spamming on the wiki that could have been handled much
better and more swiftly.
Lesson: If web infrastructure is the primary point of contact for people
working on a project, maintaining those systems is remarkably important.
Group mentality baggage
Using KDE as a desktop environment alone or with GNOME was not in the best
interest of the project for a variety of reasons, but some would propose
that not including both desktop environments was unfair to the developers
of both environments.
Here is an example from the mailing list:
I think we (ok, not especially me, but the people involved in UserLinux)
don't have the right to prefer one of the two big DE projects over the
other.
Wrong. The real injustice is to force feed extra software with the
associated bulk, security risk, and training because one group of people
thinks that if their software isn't force-fed needlessly on users there is
some injustice occurring. Of course, the real injustice is not looking out
for the best interest of the people using the software. Put the people
using the software first. The focus on a developers-first attitude was
particularly disturbing to me. More recent announcements like the
Subversion team
recommending against use of Subversion for the Linux
Kernel development team show this is not a universal problem for all free software. Outside of KDE, UserLinux really didn't have many of these problems. My introduction to KDE, outside of running KDE occasionally as a desktop environment, was people on the list speaking out for KDE like in the example above.
Lessons:
- People will form in groups and argue for whatever their group thinks is
right, and while at it they are not afraid to put their interests first.
Software is not immune to this phenomenon, unfortunately.
- Individuals working on software sometimes think of themselves first,
with little regard for the end user.
- If someone's first impression of a project is similar to what I
experienced with KDE, those actions are likely doing that project a
disservice. There are plenty of good people working on the project, but the
memory of interaction like the above has the biggest impact on the overall
impression, especially when it is the first interaction you've had with
people from a specific project. Over the course of months, people would
ask about that Linux project I'd mentioned I was working on some weeks
earlier. At the time, the primary response they would get is me mentioning the problems with KDE people. I wasn't in a KDE camp or GNOME camp (yes, I did design the
GStreamer logo while at RidgeRun but we used GST for embedded applications
independent from GNOME), but KDE, through the actions of a few, started to
look ugly to me very quickly. And for what? Hopes of gaining a foothold in a
project that ended up amounting to nothing. We never had problems like this with other software decisions such as PostgreSQL vs. MySQL or Postfix vs. Exim.
Things done right
Concept
The concept of a non-commercial distribution with a limited set of
software accompanied by certifications and ISV support is superb. The
ultimate failure was in delivery. Some of the other ailments above could
have possibly been solved over time. The idea was not the failure, it was
the implementation.
Specialized work teams
Departmentalizing is a good idea even though it was accomplished too late and not strongly enough.
Mark Protection
The Mark Protection Policy is an
excellent idea. UserLinux software packages should have been named with
separation from the UserLinux name earlier than they were, and the Policy
itself should have been written better, but the idea is excellent. I
strongly recommend Mark Protection for free software projects.
Non-software organizations have learned the value of this from abuses many
years ago, and it is about time free software did too. Mozilla's Firefox
has protections in place today which is encouraging. Abuses like what has
occurred with Debian's open use mark, as mentioned in the UserLinux Mark
Protection Policy, need to be stopped.
Internationalization
It is most impressive how people from throughout
the world will translate something of interest if given the chance to
contribute. For example, the UserLinux Mission Statement is available in
over 10 languages. In retrospect, this was the most delightful surprise from working on this project.
Mission Statement
This helped people focus on the task at hand and
helped explain the purpose of the project quickly to people who would
hopefully consider migrating to UserLinux in the future.
The road ahead
Ubuntu has largely grown into the simple, effective distribution UserLinux
hoped to be. UserLinux is currently hoping for resurrection.
This seems unlikely.
The largest differences between UserLinux and Ubuntu are how they are funded and how the groups behind each distribution are designed to function. Beyond that, provided Ubuntu remains a streamlined distribution, remains free, includes a notable ISV support network, and
provides a reasonable certification program,
Ubuntu will largely deliver on
the UserLinux Mission Statement:
Provide businesses with freely available, high quality Linux operating
systems accompanied by certifications, service, and support options
designed to encourage productivity and security while reducing overall
costs.
Time will tell if Canonical will have commercial success with Ubuntu. They
already have made successful inroads into the early adopter market. If
they can cross the chasm into the early mainstream desktop market
adoption, they should be quite successful delivering custom OEM install
packages, certification services, and high-end customization and support
services. Key areas for success will be getting large OEM PC manufacturers
to create serious offerings with Ubuntu, establishing standards and tests
for certifications, and getting a network of Independent Software Vendors
(ISVs) behind Ubuntu Linux. This will not be an easy task, but it is
doable.
Comments (18 posted)
New Releases
The
Ubuntu 5.10 preview release is
available; it can be had in both installable and live CD forms. Additions
include GNOME 2.12, some new administrative tools, installation onto LVM
volumes, the OCFS2 and GFS filesystems, the 2.6.12.5 kernel, further
improved laptop support, and more. Once again, they will mail you a copy
of the final release (when available) if you ask. For KDE users, the
Kubuntu 5.10 preview is also available.
Comments (17 posted)
Edubuntu joins the Ubuntu and Kubuntu releases with a Breezy Badger
preview. "Edubuntu is being developed as a version of the Ubuntu
operating system, which is suitable for classroom use. The aim is that an
educator with limited technical knowledge and skill will be able to set up
a computer lab, or establish an on-line learning environment, in an hour or
less, and then administer that environment without having to become a
fully-fledged Linux geek. This is our first step towards that goal."
Full Story (comments: none)
GnomeDesktop has
an announcement
for version 0.9 of the Foresight distribution.
"Foresight takes another major step forward towards usability and functionality with the first release of the 0.9 series, and having the distinction of being the first distro to offer you Gnome 2.12! Featuring a refined look and improvements in just about every area, this is one hot tamale of a release!"
Comments (none posted)
GnomeDesktop reports the latest releases from VLOS. There's a release
candidate for VLOS 1.2.1 and the first pre-alpha version of the upcoming
VLOS 1.3. VLOS 1.3 final is currently scheduled for release in January
2006.
Comments (none posted)
Distribution News
The Debian Security Team has announced the beginning of "full security
support" for the "testing" distribution. Testing users may want to join the
new announcements list (or watch LWN); there is also a new apt repository
for testing security updates. Some 13 updates to testing have already been
released. Click below for the details.
Full Story (comments: 13)
Some time ago the Debian developers decided to remove documentation from
the main archive if it does not meet the Debian Free Software Guidelines.
In order to release Sarge, this was postponed... until now. Click below to
see the current plan to keep non-free documentation out of the main Etch
archive.
Full Story (comments: none)
With the Breezy Badger nearly ready for its stable release, it is now time
to pick a name for the next Ubuntu release. Click below for some
information on the UbuntuBelowZero conference, and how Ubuntu 6.04 came to
be known as The Dapper Drake.
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for September 13, 2005 is out. This week's edition
covers the new layout for the bug tracking system, an article by Ian
Murdock, the formation of the Debian UK Society, a calculation of the value
of Debian, security support for the testing distribution, team maintenance
of packages, and several other topics.
Full Story (comments: none)
The Fedora Weekly News issue number 13 looks at the Firefox IDN buffer
overflow security issue, a warning to Fedora.us FC3 APT users, meeting
minutes for Fedora Marketing, Red Hat contributions, and several other
topics.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of September 12, 2005 is out.
Topics in this edition include major package updates for Apache, tips and
tricks for tweaking kernel options, new developers, and more.
Comments (none posted)
The DistroWatch Weekly for September 12, 2005 is out. "Last week was an
exciting one - besides GNOME 2.12 and the first beta release of Firefox
1.5, four major Linux distributions have been sprinting towards the
finishing line, with the brand new Slackware Linux 10.2 release now
imminent and the other three following within the next few weeks. In the
meanwhile, Debian has announced security support for its testing branch, a
move that will likely be greeted with much enthusiasm among the Debian
users. Also in this week's issue: Microsoft tries to recruit a well-known
open source advocate, a brief look at Foresight Linux and a quick review of
Linux+ DVD, a popular European Linux magazine."
Comments (none posted)
Package updates
Updates for Fedora Core 4: slib (use _datadir), umb-scheme (fix conflict
with slib), psmisc (fix buffer overflow in fuser), glib2 (update to 2.6.6),
gtk2 (new upstream version), file (upgrade to file-4.15), subversion
(update to 1.2.3), util-linux (enable util-linux-2.12p-sfdisk-fgets.patch),
e2fsprogs (new version 1.38 and bug fixes), selinux-policy-targeted (bug
fixes), vte (various fixes), slib (various updates), xdelta (ported to
glib-2), tvtime (update to 1.0.1), evolution-data-server (add patches),
dhcp (bug fixes).
Updates for Fedora Core 3: e2fsprogs (new version 1.38 and bug fixes),
unzip (fix TOCTOU issue), vte (various fixes), xdelta (ported to glib-2).
Comments (none posted)
Slackware 10.2 is nearly ready, but there have been quite a few fixes and
upgrades this week. Click below for this week's changelog entries.
Full Story (comments: none)
Trustix has bug fixes available for am-utils, apache-ant, devlabel,
distcache, diffstat, dvd+rw-tools, enscript, initscripts, kernel, mrtg,
net-tools and rpm.
Full Story (comments: none)
Distribution reviews
Linux.com reviews aLinux v12.5. "It's been a long time since I've been this
disappointed by a GNU/Linux distribution. The project's Web site set me up
to believe that this was a professionally designed desktop operating
environment, but it ended up being anything but. It was hard to install,
hard to configure, didn't work properly on one of the test machines, and
the default applications were poorly chosen. I wasn't prompted to set up a
root password or any user accounts, no boot loader was installed, and
networking was left unconfigured."
Comments (none posted)
Page editor: Rebecca Sobol
Development
FLAC, the Free Lossless Audio CODEC, is an audio application that is used
for compressing and de-compressing audio files. FLAC is being developed by
the Xiph.org Foundation. FLAC is similar in functionality to shorten,
another lossless audio compression utility. FLAC contrasts with popular
lossy compression schemes such as Vorbis and MP3. The FLAC comparison
document contains a lot of useful information on FLAC and other
encoder/decoder systems.
The FLAC software includes the flac command line utility, the metaflac
command-line metadata editor, a library of reference encoders and decoders,
and input plugins for music players. Some of the FLAC source code has been
released under a variant of the BSD license, and the rest is licensed under
the GPL. The FLAC format is open, as explained by the FLAC license
document:
"The FLAC and Ogg FLAC formats themselves, and their specifications, are fully open to the public to be used for any purpose (the FLAC project reserves the right to set the FLAC specification and certify compliance). They are free for commercial or noncommercial use."
The FLAC features include:
- Lossless audio encoding and decoding.
- Support for 1 to 8 channels of audio.
- Support for audio from 4-32 bits/sample and 1-655350 samples/second.
- Designed for fast decoding; encoding is more processor intensive.
- Capable of supporting hardware decoders.
- Data frames are atomic, allowing seeking and editing, and improving operation in the presence of errors.
- Support for forward-compatible metadata definitions.
- Contains CD cue-sheets in the metadata.
The features documentation has an amusing take on FLAC's copy protection:
"Another way to look at it is that since copy protection is futile, it really carries no information, so you might say FLAC already losslessly compresses all possible copy protection information down to zero bits!"
Details on the inner workings of FLAC can be found in the project
documentation. FLAC is used by a long list of hardware vendors,
organizations and web sites. The software runs on a wide variety of
platforms. The current release of FLAC is version 1.1.2; it was released
last February. If you surf any of the numerous free (not to be confused
with pirate) music sites, chances are you will need a copy of FLAC. You can
download a copy here.
Comments (4 posted)
System Applications
Database Software
Version 4.0.26 of the MySQL database is available; it features bug
fixes.
Full Story (comments: none)
Version 5.0.12-beta of the MySQL database has been announced.
"This is the eighth published Beta release in the 5.0 series.
All attention will continue to be focused on fixing bugs and stabilizing
5.0 for later production release."
Full Story (comments: none)
The September 11, 2005 edition of the PostgreSQL Weekly News is online
with the latest new PostgreSQL database articles and events.
Full Story (comments: none)
Version 1.6.0 of SchemaSpy, a database utility written in Java,
has been announced.
"SchemaSpy analyzes schema metadata, letting you click through the hierarchy of tables' parent/child relationships either graphically or through tables. It works with just about any RDBMS given an appropriate JDBC driver. SchemaSpy also identifies common schema anomalies."
Changes include display of graphical relationships using Information
Engineering (IE) notation, improved dot execution detection, and
dot version information.
Comments (none posted)
Libraries
Version 3.8.0 of FreeImage, a library that supports several popular
image formats, is available.
"Release 3.8.0 brings new unicode functions, better support for 16- and 48-bit conversion, and improved internal code: the library has been updated with the new zlib (1.2.3) and libtiff (3.7.3) libraries. FreeImage is also distributed with a brand new VB6/VBA wrapper. Lastly, many bugs occurring with unusual image types have been fixed."
Comments (none posted)
Version 0.22 of Liblo, an Open Sound
Control protocol library, is out with bug fixes, a new method, and more.
Full Story (comments: none)
Version 2.4.0 of Lapack++, a library for high performance linear
algebra computations, is available.
"In the current release, several problems with the LaIndex matrix index class have been fixed, including the renaming of ambiguous LaIndex methods. Additionally, the matrix assignments for matrices with non-unit stride has been fixed, and the documentation has been improved."
Comments (none posted)
Security
The folks behind the Tor project have announced a contest to see who can
design the best graphical interface for Tor. Judges for the contest
include Bruce Schneier, Simson Garfinkel, and Edward Tufte. Interested
people need to make their initial submission (in the form of sketches, at
least) by the end of October. The one thing that is not clear is what the
winners will actually get beyond the glory of victory. (LWN looked at Tor
last June).
Comments (none posted)
Web Site Development
Version 2.3.1 of Campsite, an open-source multilingual content management system, is available with numerous bug fixes and a couple of new
features.
Full Story (comments: none)
Version 0.0.5 of CL-WIKI, a Wiki engine for Common Lisp, is out.
"This version features locking for CL-EMB, changes to configuration files,
a new start script for CMUCL, new Wiki codes, and more."
Full Story (comments: none)
Version 2.0 of Gallery, a web-based photo album application,
has been released.
"While Gallery 2 is a very feature complete photo management system, it still lacks a few of the features found in Gallery 1. However, Gallery 2's modular design will let us quickly catch up and provide you with everything that you need."
Comments (none posted)
Version 2.1 of Magnolia has been released.
"Magnolia is a free, open source, Java based, J2EE deployable Enterprise Content-Management System (CMS) supporting the JCR API (JSR-170). It has an easy to use WebBrowser Interface, a clear API and a useful custom tag library for easy templating in JSP and Servlets. Magnolia Organization has released the open source, JSR-170 based Magnolia 2.1, sporting a number of bug fixes and enhancements."
Comments (none posted)
Version 1.7.1 of the Midgard Open Source Content Management System
is available.
"Midgard's 1.7 branch is a major overhaul of the whole Content Management
System. Besides the stable and mature Content Management features of first
generation Midgard, it also ships a preview version of second generation
Midgard capabilities, allowing developers to have a glimpse at the new day
of Midgard2.
1.7.1 is a maintenance release and includes bug fixes and some new features."
Full Story (comments: none)
Version 1.3 of Silva, a content management system, has
been announced. This release adds a number of new features and
some bug fixes.
Full Story (comments: none)
Desktop Applications
Audio Applications
A new release of Ardour, a multi-track audio editing application, is out.
The release status page says: "a metric ton of changes over 0.9beta29".
Comments (none posted)
Version 0.12.1 beta of ReZound, a graphical audio file editor, has been
announced.
"This release is mainly meant to address gcc4 issues and fix a few minor bugs."
Comments (none posted)
Business Applications
Zimbra has launched an open-source collaboration suite.
"Zimbra is a community for building and maintaining next generation collaboration technology. Currently, this technology is available as a beta version. At Zimbra, our goal is to make e-mail, calendar, contacts and other communications technologies the best they can be. We believe that by opening the technology to the community we will insure that we can maximize innovation, scale and the ability to co-exist with existing messaging systems."
Comments (none posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
KDE.News presents a Quickies roundup of articles on various KDE
applications.
"The Qt 4 Resource Centre has tutorials for A Zoomable Picture Viewer and
Spying on Signals. This KDE 3.5 Alpha review shows us some new features
coming soon. Alternative KDE file manager Krusader found themselves new
web hosting. Linux.com introduces us to Kontact. Real-time 3D
strategy game Boson made a new release with extra smooth graphics and
multiplayer support..."
Comments (none posted)
Desktop Publishing
Version 1.2.3 of Scribus, a desktop publishing application,
has been announced.
"The 1.2.3 release is focused on minor enhancements, bugfixes and additional documentation."
Comments (none posted)
Version 0.5 of wxPdfDocument has been announced.
"wxPdfDocument allows wxWidgets applications to
generate PDF documents. The code is a port of FPDF - a free PHP class for
generating PDF files - to C++ using the wxWidgets library. Several add-on PHP
scripts found on the FPDF web site are incorporated into wxPdfDocument.
Embedding of PNG, JPEG, GIF and WMF images is supported."
Comments (none posted)
Fonts and Images
Release 0.17 of the Open Clip Art Library, a collection of images,
is available.
This release passes the 5000 image mark and includes a new
Clip Art Browser, among other changes.
Full Story (comments: none)
Games
Version 1.9.1 of Bygfoot Football (Soccer) Manager has been released.
"This release fixes a couple of bugs and adds minor feature enhancements, such as Youth Academy, Sponsorship money and Memorable matches."
Comments (none posted)
Version 0.2.3 of Metal Mech is out with bug fixes.
"Metal Mech is a Web-based mass multiplayer game of battle between robots and
space exploration. It is a game of strategy, economics, role-playing, and
combat. Each player can handle their own war robot and battle against other
players to be the Emperor of the Universe. Players battle against each other
for resources, energy, money, buildings, and more."
Comments (none posted)
Graphics
A new Pseudo-Stable Release of Crystal Space
has been announced; it features bug fixes.
"Crystal Space is a portable Open Source 3D engine with lots of features. It
fully supports OpenGL and uses various OpenGL features like stencil shadows,
vertex and fragment shaders (shaders through ARB extensions and CG), and
others."
Comments (none posted)
GUI Packages
Version 3.0 of SPTK, the Simply Powerful Toolkit,
has been announced.
"The new version, SPTK 3.0, is quite different from SPTK before 2.4. All the favorite classes CString, CStringList, CStringMap, etc.. are replaced with std::string, std::vector, std::map and relatives. So, if you are going to migrate your old SPTK applications to the new one, it's going to take you a while."
Comments (none posted)
Version 0.4.5 of SwiXAT, a Swing-based authoring tool for the quick and
easy development of graphical UI Java applications, is available.
"This new version adds the support for EventListeners tags for java.awt.event, java.beans and javax.swing.event; the support for JFileChooser's FileFilter was added; the optional TreeCellRenderer tag was added for JTrees. Finally, the user's guide has been updated with the documentation about the new features."
Comments (none posted)
Mail Clients
Version 1.5 Beta 1 of Mozilla Thunderbird, an email client,
has been announced.
"This is the first beta release of the next major Thunderbird update
and is aimed at testers, and extension/theme authors. The final release of
Thunderbird 1.5, which will be widely promoted to end-users, is scheduled for
later this year along with Firefox 1.5.
"New features include an improved software update system, spell check as you
type, phishing detection, podcasting, deleting attachments, reply and forward
actions for mail filters, Kerberos authentication, auto save as draft, and
many security enhancements.""
Comments (none posted)
Medical Applications
Version 0.8.0 of the FreeMED electronic medical
record and practice management system
has been announced, along with a new version of REMITT,
an electronic billing package.
Changes to FreeMed include
multiple screen layouts and configurations, a new accounts receivable system,
a claims manager for tracking payments from insurance companies,
configurable patient notifications featuring compatibility with REMITT 0.3,
advanced access control list support, a new fax system, and more.
Comments (none posted)
Music Applications
Version 1.0 of multimidicast has been announced.
"I have released the first version of yet another MIDI over
network/ethernet software. My version uses the Alsa sequencer interface
to provide 20 ports for read/write access. Data is sent with UDP
multicast datagrams so sending/receiving is subscription and configureless.
As a bonus this software interoperates with a windows software called
ipMIDI, so you can mix windows/linux MIDI setups."
Full Story (comments: none)
Release 0.4.14 of swh-plugins, a set of audio plugin effects, is available.
It features gcc4 compatibility and bug fixes.
Full Story (comments: none)
Office Suites
Version 1.1.5 of the OpenOffice.org office suite is out.
"OpenOffice.org 1.1.5 introduces import support for documents,
spreadsheets and presentations in OpenDocument format. The OpenDocument
format is an XML based international office document standard approved
by OASIS, the Organisation for the Advancement of Structured Information
Standards. XML based, the OpenDocument format enables the free exchange
of data between compliant software packages."
Full Story (comments: none)
Science
Version 0.6.2 of wxMaxima has been announced.
"wxMaxima is a cross-platform graphical front-end for the computer algebra
system Maxima based on wxWidgets. It provides nice display of mathematical
output and easy access to Maxima functions through menus and dialogs."
Comments (none posted)
Web Browsers
MozillaZine reports that the first Firefox 1.5 beta is out.
"New features include an improved software update system, faster Back and Forward navigation, a feature for clearing private browsing data, drag-and-drop reordering of browser tabs, a redesigned Options/Preferences window and better popup blocking. Web standards support is also improved, with support for Scalable Vector Graphics, JavaScript 1.6 and more CSS."
Comments (6 posted)
Ryan Paul, Ian Smith-Heisters and Kris Kowal have written
a guide on writing Firefox Extensions.
"In this edition of Linux.Ars, Kris will teach you how to use command line build tools to construct a complete Firefox extension, I will teach you how to add context menu items to Nautilus using the Nautilus Actions extension, and Ian introduces an LDAP utility called Luma."
Comments (none posted)
MozillaZine has announced the availability of Alpha release candidates for
SeaMonkey, a web browser, e-mail and newsgroup client suite.
Comments (none posted)
Word Processors
GnomeDesktop.org has the announcement for AbiWord-2.3.6 Beta 3.
"The AbiWord team is happy to announce AbiWord v2.3.6 for your
stress-testing pleasure. This release is virtually identical to what will
become AbiWord 2.4, but still contains some bugs that we'd like to see
squashed over the next few days."
Comments (none posted)
Miscellaneous
Version 0.0.5 of FRET, a command line tool for identifying data structures
and patterns in files, has been announced.
"FRET, the file format analysis tool, has taken another step forward with the release of version 0.0.5. This bug-fix release has resolved some issues that were identified since the last release."
Comments (none posted)
Version 1.2.1 of Joone, a neural net framework for creating, training
and testing artificial neural networks, is out.
Changes include support for the Groovy language, a new logarithmic
transformation capability, the ability to save data as XML, and bug fixes.
Comments (none posted)
Version 1.0.11 of RoadMap, a car navigation system for Linux and
the Pocket PC, is out.
"This release includes a lot of bug fixes, and some major new features."
Full Story (comments: 2)
Languages and Tools
Caml
The September 13, 2005 edition of the Caml Weekly News is out
with the latest Caml language articles.
Full Story (comments: none)
Haskell
The September 13, 2005 edition of the Haskell Weekly News is online with
the latest Haskell news. Topics covered this week include several new
releases, GHC 6.4.1 plans, and discussions about monads and functional
programming.
Comments (none posted)
Java
Vincent Massol works with J2EE applications under Maven on O'Reilly.
"Using the example of a Petstore app, Massol shows you how to
generate J2EE artifacts (EJB JARs, WARs, EARs) with
Maven. He is coauthor of Maven: A Developer's Notebook."
Comments (none posted)
Lisp
Version 2.35 of GNU CLISP has been announced.
"Changes in this version are related to socket shutdown, character
encoding and case, compiled files, streams and a new translation of user
interface messages."
Full Story (comments: none)
Version 0.1 of ContextL, a Common Lisp CLOS extension for
Context-oriented programming, is out.
"This version eliminates a restriction on layered functions method naming,
adds WITH-INACTIVE-LAYERS, and removes some unnecessary declarations."
Full Story (comments: none)
PHP
Version 5.0.5 of PHP has been released.
"This version is a maintenance release, that contains numerous bug fixes, including security fixes to vulnerabilities found in the XMLRPC package. All users of PHP 5.0 are encouraged to upgrade to this version." See the
Change Log for details.
Comments (none posted)
Python
Conrad Koziol introduces IPython, an enhanced Interactive Python shell, in
a NewsForge article.
"Python, an interpretive programming language that combines elegant code with
a powerful object-oriented approach and many modules, has been around since
the early 1990s. To make Python more productive, Fernando Perez in 2001 began
working on IPython, an enhanced interactive Python shell with improvements
such as history caching, profiles, object information, and session logging,
as a replacement for the default interpreter."
Comments (none posted)
The September 13, 2005 edition of Dr. Dobb's Python-URL!
is online with the latest Python language articles.
Full Story (comments: none)
Ruby
The September 11th, 2005 edition of the
Ruby Weekly News brings you the latest discussions
from the ruby-talk mailing list and comp.lang.ruby newsgroup.
Comments (none posted)
Tcl/Tk
The September 14, 2005 edition of Dr. Dobb's Tcl-URL! is online
with the latest Tcl/Tk news and resources.
Full Story (comments: none)
XML
Bob DuCharme discusses automatic stylesheet creation on O'Reilly.
"Since the early days of XSLT, many have asked whether it was possible to automate the creation of XSLT stylesheets. The general idea of filling out a form or dragging some icons around, then clicking a button and seeing a productive stylesheet generated from your input has always appealed to people. However, the problem of generating working XSLT syntax from the result of someone clicking on pull-down menus and radio buttons has not attracted many takers."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Groklaw presents an article by Fernanda Weiden that examines the
scarcity of female software developers in the open-source software arena.
"The gender issue in the Free Software community is a big paradox: we have a community of volunteers teaching the world how to develop technology in a different way, one willing to distribute equal opportunities through free access to the software, and at the same time a community in which more than 50% of the total world population doesn't participate."
Comments (6 posted)
Linux.com has some advice for those who haven't yet gotten around to
upgrading to apache2.
"Apache 2 offers a number of new features and improvements over the Apache 1.3 series, but the upgrade can seem daunting to those who haven't had much (or any) experience with Apache 2. I recently had to go through an upgrade from Apache 1.3 to Apache 2.0 on Debian Sarge, and it's not as difficult as you might think."
Comments (14 posted)
Trade Shows and Conferences
CMP Media has posted a press release announcing the first day of the
Embedded Systems Conference in Boston.
""Just as celebrities and athletes are globally recognized, the Embedded
Systems Conference celebrates the heroes in our community -- rock star
engineers who every day, change the way we work, live and play through
astounding technological advancements," said Paul Miller, vice president and
group publisher of the CMP Media Electronics Group."
Comments (none posted)
NewsForge covers a talk by Gartner Research Vice President Mark Driver
at the Gartner Application Development Summit.
"He added a word of caution about Mono, however. Microsoft is happy to see Mono and even Java tools today because they protect the company from further charges of monopoly. Driver said it could crush Mono tomorrow with intellectual property warfare if they wanted to do so, but that Microsoft prefers to let them live for now. The killing blow will come from WinFX and the new Vista APIs. He is very pessimistic about Mono being able to maintain its current high degree of compatibility."
Comments (6 posted)
The SCO Problem
Groklaw covers the SCO third quarter financial results press release.
"The second paragraph says it all:
"Revenue for the third quarter of fiscal year 2005 was $9,353,000 as compared to $11,205,000 for the comparable quarter of the prior year. The decrease in revenue in the third quarter of fiscal year 2005 from the comparable quarter of the prior year was primarily due to continued competitive pressures on the Company's UNIX products and services and a decrease in SCOsource licensing revenue."
Oh, and this section of the forward-looking statements disclaimer:
"We wish to advise readers that a number of important factors could cause actual results to differ materially from historical results or those anticipated in such forward-looking statements. These factors include, but are not limited to, continued competitive pressure on its operating system products which could impact the profitability of the UNIX business, unforeseen legal costs related to our litigation, our inability to develop new products and services, and our inability to see our litigation through to its conclusion.""
Comments (4 posted)
Companies
News.com covers comments by Novell CEO Jack Messman concerning cost of
conversion to the next version of Windows.
""The cost of migrating to Windows XP to Vista will be higher than the cost of migrating to Linux and that will push migrations to Linux," Messman said.
Novell says it is making real gains on the desktop in Europe currently and that many organizations are choosing its Linux Desktop product especially in vertical industries that require locked-down clients with limited functionality."
Comments (47 posted)
News.com examines Sun's newly announced Galaxy server line, which runs
AMD Opteron processors.
"Sun for years shunned the x86 servers in favor of machines running its own Solaris version of Unix and its own UltraSparc processors. But the server market growth has been with x86 systems running Windows and Linux, and Sun is working hard to make up lost time."
Comments (2 posted)
News.com reports that Sun Microsystems is talking with Red Hat about RHEL
support on Sun's new Galaxy servers. "Sun is being more accommodating
toward Linux again--specifically, to Red Hat, whose Enterprise Linux
product dominates the Linux market. Sun extended its Red Hat support
contract to the new Galaxy servers and invited Red Hat to share some of its
spotlight, along with partners Oracle, MySQL and Advanced Micro Devices.
"Stay tuned on the Red Hat-Sun relationship," Sun President Jonathan
Schwartz said at the Galaxy launch event in New York. "We think there's
ample opportunity to work together out there.""
Comments (20 posted)
Linux Adoption
Silicon.com looks at a Gartner report concerning the mainstream use of
Linux.
"On the desktop, Linux is having a tougher time. Gartner claims the operating system is reaching the point where the costs of migration may exceed the cost benefits in a phase characterised by over-enthusiasm and unrealistic projections which lead to more failures than successes."
Comments (5 posted)
Interviews
Edd Dumbill talks with Alan Cox, who will be speaking at O'Reilly's
EuroOSCON.
"Alan Cox is well known for his long-standing work on the Linux
kernel, but at O'Reilly's EuroOSCON (October 17-20), he will speak about
computer security. According to Alan, we're just at the beginning of a long
journey into getting security right. Eager for directions and a glimpse of
the future, O'Reilly Network interviewed him about his upcoming
keynote."
Comments (13 posted)
The US Public Broadcasting Service (PBS) has created a weekly online TV
interview show, known as NERDTV.
"NerdTV is essentially Charlie Rose for geeks - a one-hour interview show with a single guest from the world of technology. Guests like Sun Microsystems co-founder Bill Joy or Apple computer inventor Steve Wozniak are household names if your household is nerdy enough, but as historical figures and geniuses in their own right, they have plenty to say to ALL of us. NerdTV is distributed under a Creative Commons license so viewers can legally share the shows with their friends and even edit their own versions." Linus Torvalds will be featured on November 29.
Comments (5 posted)
News.com interviews Bill Gates.
"Q: Looking at the open-source world, there's this movement away from selling licenses toward selling support. A lot of people are participating in that, and you have been skeptical. Why? Do you think that's fundamentally the wrong model?
A: The industry will always be a mix of free and commercial software. So there will be a balance between those. I think that we are going to have a lot of both. There are some zealots that think there should be no software jobs, that we should all, like, cut hair during the day and write code at night. Should you take some of those extreme views, I think it's easy to say that's not right."
Comments (22 posted)
Resources
Linux.com has an introductory article about BitTorrent.
"The BitTorrent protocol implements a hybrid client/server and P2P file transfer mechanism. BitTorrent efficiently distributes large amounts of static data, such as installation ISO images. It can replace protocols such as anonymous FTP, where client authentication is not required. Each BitTorrent client that downloads a file provides additional bandwidth for uploading the file, reducing the load on the initial source. In general BitTorrent downloads proceed more rapidly than FTP downloads."
Comments (15 posted)
The Linux Journal has posted a tutorial on controlling OpenOffice.org
remotely.
"To accomplish this goal, we will build an application written in C++ that is able to connect to OpenOffice.org, open a spreadsheet and then update, print and close the document. The problems that must be solved in order to build the source code will allow beginners to understand the basic principles of this technology."
Comments (none posted)
Really Linux presents a tutorial on implementing SAMBA under Fedora Linux.
"Integrating Fedora Linux into a Windows network is reasonable and easy as long as you use the SAMBA utilities. I share every main step necessary to implement such a SAMBA server within a Windows environment. Once integrated a Linux server looks and acts exactly like any other server on a Windows intranet. You will have the ability to drag and drop files, view server contents and directories using Windows File Manager, and even edit files on a Linux server from any Windows desktop."
Reviews
OS News reviews GNOME 2.12. "It's been a few years since I reviewed Gnome for the last time. Since then, Gnome has matured and made most things right -- except the spatial Nautilus that I personally don't like and the downplay of the Nautilus scripting/plugin engine. But all in all, Gnome is today more powerful, better integrated to the underlying system with DBUS and HAL, looks good, behaves as expected and, most of all, it's simple and clean. In my opinion, the Gnome Desktop is the best X11 desktop system today from the user's point of view when compared to the rest of the DE solutions."
Miscellaneous
The Inquirer reports that FEMA is only allowing users of the Microsoft Internet Explorer browser to apply for hurricane relief funds. "The now very much criticised US Federal Emergency Management Agency (FEMA) has stopped Mac and Linux victims of hurricane Katrina from applying for relief.
The agency, which is already in hot water for its lack-lustre rescue efforts in New Orleans, has created a web-based service that only works for users of Windows and IE6." There is a work-around for Firefox users, involving the User Agent Switcher extension.
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The OSS Guru Group visited the Dutch government organization for ICT (ICTU) for their first meeting. "The aim of the OSS Guru Group is to create a sustainable relationship between the Open Source community and an ICTU-project that develops software for the government. The software currently under development entails a redesign of the GBA, i.e. the Population Registry. This software will be based on open source components, and will be deployed on a large scale by approximately 3 Ministries, 500 Municipalities and more than 5000 government agencies." (Thanks to Bart Knubben)
Commercial announcements
DigiLore, Inc. has announced a new version of Moodle. "DigiLore, Inc. the thought leader in Learning Lifecycle Management(TM) announced today it has released, to the open source community, enhancements to the Moodle Learning Management System (LMS). These developments render Moodle compliant with the Office of the Secretary of Defense (OSD) Advanced Distributed Learning (ADL) initiative's SCORM 2004 standards."
FSMLabs is demonstrating single-digit microsecond timing in their software while running on 64-bit dual core AMD Opteron processors. "RTLinux for AMD CPUs meets the hard real-time needs for high performance communications, dedicated networking and security systems, instrumentation and control, simulation, imaging, and other demanding embedded deployments."
Keane, Inc. has been awarded a contract by the National Weather Service to upgrade the Advanced Weather Interactive Processing System (AWIPS). "Keane will develop a vigorous, sustainable architecture and will integrate and maintain the software products developed at the various NWS labs to support AWIPS' real-time processing system. Utilizing advanced technologies, Keane will manage the AWIPS migration to an all-Linux environment built on Red Hat Enterprise 3.0 and support the migration of AWIPS to an open-standards, service-oriented architecture based on a Web services platform."
SugarCRM Inc. has announced a collaboration with Novell. "SugarCRM Inc. today announced a collaboration with Novell. its selection as one of the first open source application partners for Novell's(R) Market Start program, designed to make the low cost and easy back-office integration benefits of open source and open standards-based enterprise applications easily accessible to small and mid-sized businesses. SugarCRM's Sugar Suite is the first customer relationship management (CRM) software to be selected for the program, reflecting the application's status as the market's most successful commercial open source enterprise platform."
Panasonic Digital Concepts Center has announced the launch of its new
Technology Collaboration Center, with a technology focus on embedded Linux
OS applications and middleware solutions.
REAL Software has announced REALbasic 2005 for Linux. "REALbasic 2005 for Linux is a rapid application development (RAD) environment that enables professional and non-professional programmers alike to quickly create software for Linux." The company has also published a white paper on migrating Visual Basic applications to Linux.
SGI has announced a new video board for its 64 bit Linux-based visualization system. "Supporting the 64-bit Linux(R) operating system, the DMediaPro DM12 video board is a professional digital media interface providing up to 2K (8-bit or 10-bit) input and output, with single and dual link HD-SDI capabilities including dual-link output for RGBA (4:4:4:4) or YUVA (4:2:2:4). DM12 includes support of eight channels of digital audio, for embedded audio or configured with AES/EBU interfaces."
VMware, Inc. has
announced the release of its VMware Workstation 5.5 desktop
virtualization software. New features include
64-bit Guest Support, experimental Two-way Virtual SMP, improved
Virtual Machine Importer and command line interfaces, and more.
Xilinx, Inc. has announced a new PowerPC(TM) and MicroBlaze(TM) Development Kit. "The FX12 Edition delivers an integrated platform with hardware, design tools, intellectual property (IP) and reference designs to kick start the development process. Developers can select the processor(s) best suited for the target application and rapidly configure complete systems with a single, easy-to-use kit."
New Books
O'Reilly has published the book
Digital Identity
by Phillip J. Windley.
The book php|architect's Pocket PHP Reference has been published by php|architect. "All profits from the sale of this book will be donated to the Canadian Red Cross' Hurricane Katrina's Relief Fund."
O'Reilly has published the book
Commercial Photoshop Retouching:
In the Studio by Glenn Honiball.
Resources
Peter Freitag has posted a handy
PostgreSQL Cheat Sheet that contains examples of
numerous database statements.
Contests and Awards
The Code Project and Mainsoft Corporation have announced the first Race to Linux contest. "The Race to Linux challenges Visual Studio developers to port existing ASP.NET applications to Linux using their cross-platform tool of choice (e.g. Mono, Grasshopper, PHP, Macromedia, etc.). The Code Project will announce which ASP.NET application needs to run on IBM xSeries Linux at the start of each race.
The winners of each of the three races will win an Xbox 360."
Surveys
O'Reilly has announced the 2005 ONJava Reader Survey. "The 2005 ONJava Reader Survey is now open. This is your opportunity to let us know what you're using, what you're watching and waiting for, and what you'd like to see from ONJava in the future. The survey is about 20 questions long, a mixture of multiple-choice and free-response questions, and will only take a few minutes to complete."
Education and Certification
APNIC Solutions Ltd. has launched the Linux Learning Zone. "Linux Learning Zone provides a number of FREE services to the community as well as optional paid extras. Have a look through the site, play with the free stuff (some of which requires an account - this is free). Should you wish to subscribe to what is essentially a tailored linux training program then please get in contact immediately as that's what we do - using practical and hands-on methods to teach linux on any level. So please contact us immediately and see just how helpful we are!"
Upcoming Events
The 2005 O'Reilly European OSCON will be held in Amsterdam,
the Netherlands on October 17-20, 2005.
The Gelato Federation will hold a meeting in Brazil October 2-5 to advance Linux on the Intel Itanium platform in Latin America.
The Linux Users' Group of Davis will hold their next
Linux Install Workshop in Davis, CA on September 17, 2005.
A Call for Proposals has gone out for the PyCon 2006 conference. Submissions are due by October 31, 2005.
| Date | Event | Location |
| September 15 - 16, 2005 | php|works | (Holiday Inn Yorkdale) Toronto, Canada |
| September 15, 2005 | Embedded Systems Conference | (Hynes Convention Center) Boston, Mass |
| September 15, 2005 | Novell Brainshare 2005 | (CCIB) Barcelona, Spain |
| September 16 - 18, 2005 | ToorCon 7 | (San Diego Convention Center) San Diego, CA |
| September 17 - 18, 2005 | Freedel | New Delhi, India |
| September 19 - 21, 2005 | Plone Conference 2005 | (Semper Depot, Lehargasse) Vienna, Austria |
| September 20 - 23, 2005 | New Security Paradigms Workshop (NSPW) | (UCLA Conference Center) Lake Arrowhead, California |
| September 23 - 24, 2005 | Sixth Symposium on Trends in Functional Programming (TFP 2005) | Tallinn, Estonia |
| September 26 - 29, 2005 | Hack in the Box Security Conference (HITBSecConf2005) | Kuala Lumpur, Malaysia |
| September 26 - 30, 2005 | IEEE International Conference on Cluster Computing (Cluster 2005) | Boston, Massachusetts |
| September 28 - 30, 2005 | OpenOffice.org Conference 2005 (OO.oCon) | Koper (Capodistria), Slovenia |
| September 30 - October 2, 2005 | Linucon | Austin, Texas |
| October 1, 2005 | Ohio LinuxFest 2005 | Columbus, OH |
| October 2 - 5, 2005 | Gelato October 2005 Meeting for Linux on Itanium | Porto Alegre, Brazil |
| October 5 - 6, 2005 | LinuxWorld London | Olympia, London, UK |
| October 5 - 7, 2005 | Web 2.0 Conference | (Argent Hotel) San Francisco, CA |
| October 6, 2005 | Fedora Users and Developers Conference (FUDCon London) | (LinuxWorld Conference and Expo UK) London, UK |
| October 7 - 9, 2005 | Indie Games Con 2005 (IGC) | Eugene, Oregon |
| October 8 - 10, 2005 | GNOME Boston Summit | (Gates Building) Cambridge, MA |
| October 8, 2005 | LinuxForum BOF-dag | Denmark |
| October 12 - 13, 2005 | IT Underground (ITU) | Warsaw, Poland |
| October 13 - 14, 2005 | Open Source Desktop Workshops | San Diego, CA |
| October 14 - 15, 2005 | HackLu 2005 | (Chambre des Metiers) Kirchberg, Luxembourg |
| October 14 - 16, 2005 | Blender Conference 2005 | (De Waag) Amsterdam, the Netherlands |
| October 16 - 23, 2005 | piksel05 | Bergen, Norway |
| October 17 - 20, 2005 | O'Reilly European Open Source Convention 2005 (EuroOSCON) | Amsterdam, The Netherlands |
| October 17 - 20, 2005 | O'Reilly European Open Source Convention (EuroOSCON) | (NH Grand Hotel Krasnapolsky) Amsterdam, the Netherlands |
| October 18 - 21, 2005 | Zend/PHP Conference and Expo 2005 | (Hyatt Regency SF Airport Hotel) Burlingame, CA |
| October 18, 2005 | Dynamic Languages Symposium 2005 (DLS05) | San Diego, CA |
| October 19 - 21, 2005 | Australian Unix Users Group Conference 2005 (AUUG) | Sydney, Australia |
| October 24 - 28, 2005 | 12th Annual Tcl/Tk Conference | (Red Lion Hotel) Portland, Oregon |
| October 30, 2005 October 31 - November 11, 2005 | Ubuntu Below Zero | (downtown Holiday Inn) Montreal, Canada |
| November 6 - 9, 2005 | International PHP Conference 2005 | Frankfurt, Germany |
| November 7 - 9, 2005 | Open Source Database Conference 05 | (NH-Hotel Frankfurt-Mörfelden) Frankfurt, Germany |
| November 8 - 9, 2005 | Association Française des Utilisateurs de PHP (AFUP) | Paris, France |
Web sites
MozillaZine has announced a beta version of the Mozilla Developer Center. "Known as Devmo to its friends, the Mozilla Developer Center is a new site for coders wishing to build upon the Mozilla platform. There's documentation and resources for many groups, including extension authors, Web developers and localisers."
Page editor: Forrest Cook
Letters to the editor
| From: | Roger Dingledine <arma-AT-mit.edu> |
| To: | lwn-AT-lwn.net |
| Subject: | Re: Tor GUI competition |
| Date: | Mon, 12 Sep 2005 00:34:00 -0400 |
| Cc: | tor-assistants-AT-freehaven.net |
Hi Jonathan, others,
One of the Debian developers pointed me to your note today about the
Tor GUI competition. Thanks for helping us get the word out!
I wanted to answer your question about prizes, though -- if we have
prizes then it's legally a contest of skill, and (so our lawyers tell us)
we would need to include many pages of legal text, disallow submissions
from most parts of the world, and so on. Since Tor is a global effort,
we decided to avoid explicit prizes and instead give an EFF Tor T-shirt
for each submission.
Of course, the winning entries will likely be the subject of a slashdot
article and other press, so this 'glory of victory' is not totally
without its benefits. :)
Hope that helps. Feel free to post this as a comment / addendum / etc
if you like.
--Roger
| From: | Victor Khimenko <khimru-AT-gmail.com> |
| To: | lwn-AT-lwn.net |
| Subject: | Re: The Grumpy Editor's guide to personal finance managers (Part I) |
| Date: | Wed, 14 Sep 2005 09:54:17 +0400 |
> The "Mortgage/Loan Druid" is highly capable, though with some strange defaults (interest rate of 0.001%, for example)
This is not a "strange default". Actually it's the standard interest rate for a normal account in a Japanese bank (plus there is a 30% tax, so the actual interest rate is 0.0007%). And I've seen programs where this standard default cannot be used at all (they'll just round it up to 0%), so it's quite good to show that GnuCash actually can.
P.S. Maybe I'm wrong about the reasoning, but recently my friend from Japan wrote about a funny fact: when some bank actually forgot about this interest rate and forgot to put funds on accounts, not even a single client complained - and I can see why: I do not think a lot of clients ever check for it, since to check your account you must pay ~$30 (3000 yen actually) and with 0.0007% per year it is usually not worth it... Of course my friend used the same bank (that's how he was aware of the problem) and he too never checked if he got these 0.0007% counted correctly or not...
Page editor: Forrest Cook