LWN.net Weekly Edition for November 27, 2002
The BIND Forum and the maintenance of critical software
Spurred on, perhaps, by the latest set of BIND vulnerabilities (and the problematic handling of those vulnerabilities), the Internet Software Consortium has announced the startup of the "BIND Forum," with AFNIC, APNIC, ARIN, Compaq, Ericsson, HP, IBM, RIPE, Sun, and VeriSign as initial members. Many in the free software community are suspicious of the Forum and its motives. The Forum is worth a look, however, as one way of managing development and support for a piece of critical network software.
BIND, of course, is the package that implements most of the domain name system. The BIND Forum is a relatively old (and controversial) idea - it was first announced back in January, 2001. The basic idea was that members, in exchange for helping to fund BIND development, would gain access to the BIND developers and, crucially, early access to security updates. The idea of restricting security information (about free software) to those who have paid a fee did not prove popular in the community. As a result of criticism, and, presumably, lack of interest, the Forum idea stalled for almost two years. Now, however, it is back.
Corporate memberships in the Forum cost $5000 per year - unless you have over $2 billion in revenue, in which case you pay $50,000. Universities and nonprofit organizations are asked to pay $1000, and individual memberships have a "target minimum" fee of $100. For these fees, members get:
- Direct notification of patches from ISC.
- Read-only access to the ISC cvs server.
- The ability to attend the "BIND Developers Workshop."
All of this requires signing a relatively lengthy contract (available from the ISC site), along with an "intellectual property policy statement" which, essentially, seems to be a restatement of the BIND license.
Those benefits may well be useful to a small number of companies that are deeply concerned with BIND development. What the Forum really has to offer, though, is early access to security alerts. That access is not available to standard Forum members, though; getting the security information requires signing a separate agreement and tacking an additional 20% onto the membership fees. The agreement states that ISC will notify members of security problems "up to ten days" before telling the world by way of CERT. Members are required to keep this information confidential, however, and must guard it "using authentication and encryption tools which have been approved in writing by ISC."
So, if you pay enough, you'll get early warning of security problems, but only if ISC feels like sending it out. Of course, the last vulnerability was not disclosed through ISC, so Forum membership would not have been all that useful that time around.
The Forum appears, to many, to be a way of extracting money from BIND users by restricting access to vital security information. Some see it as a violation of the ethics of full disclosure and free access to the software. This may all be true, but it is worth keeping some things in mind:
- Restricted access to security information during the early stages of a vulnerability is increasingly the norm. Linux distributors (and others), for example, maintain a controlled mailing list for the discussion of security problems. Done properly, restricted access can help ensure that patches are available to most users before information on the problem is widely available.
- Companies that rely heavily on software like BIND have an interest in seeing that it is maintained well. They should be willing to pay for this work.
- BIND remains free software; anybody who has a better way of maintaining it and handling security problems can fork the project and run it as they see fit.
If the BIND Forum idea is implemented well, it could support the future development of the software and help make it more secure for all users. If implemented poorly, it could become an insiders club that ends up restricting the general availability of security information indefinitely. The "up to ten days" provision in the security notification agreement is encouraging in this respect: there is an implicit promise that security information will be restricted to the Forum for no longer than that period.
Whether the BIND Forum will be a success and be helpful to all BIND users remains to be seen. It could well go either way. But, as people and companies continue to look around for viable ways of funding free software development, it would not be surprising to see the creation of more organizations like the BIND Forum in the future.
Some DMCA bits
The DMCA will be returning to the news as the Elcomsoft trial starts up again on December 2. Thanks to some intervention by the Justice Department, the defendants will actually be able to show up for their trial this time. Elcomsoft will be trying to attack the DMCA and its effects on fair use rights, but the prosecution will do its best to keep fair use issues out of the courtroom altogether. The DMCA, after all, bans "circumvention devices" without care for the preservation of fair use. And Elcomsoft did sell a "circumvention device" in the US. We wish them the best of luck in their trial, but this case is unlikely to be the one that forces large changes in the DMCA.
There is, meanwhile, a mechanism by which small changes can be made in the DMCA. Every three years, the Library of Congress Copyright Office is supposed to look into whether the prohibition on circumvention devices is having an overly adverse effect on any particular type of work. Should such an effect be found, the office can issue a three-year DMCA exemption.
That inquiry is happening now. Seth Finkelstein, who successfully used the exemption process to win immunity for his work looking at censorware blacklists, has posted an article on the EFF site on how to do it. The exemptions are hard to get, and they are very narrow - they do not extend to distribution of circumvention software, for example. Even so, exemptions poke little holes in the DMCA, and can protect certain kinds of work. For example, a certain Linux distributor has made a big show of not distributing information on security-related kernel patches within the U.S.; this company should probably don its colorful headwear and head off to apply for an exemption, and, thus, demonstrate the adverse effect that the DMCA has had in this area. Anybody else who would like to take the time to put in a serious application to highlight an adverse effect of the anti-circumvention provision of the DMCA should seriously consider doing so. The deadline is December 18.
LWN Update
This week's LWN.net Weekly Edition comes out one day early, so that the LWN staff can go off and enjoy the Thanksgiving holiday. With luck, we'll have finished digesting in time to put out next week's Edition on Thursday as usual.
The individual subscriber count stands nearly constant at 2370. The number of expiring subscriptions is increasing; so far, the flow of new subscribers has been enough to keep the total count from going down.
The statistics-gathering capability of the site has recently been enhanced a bit. So we can now note that, for example, about 11% of the content traffic on LWN.net (excluding the RSS files) originates from logged-in subscribers. So the bulk of our readers, by far, have chosen not to subscribe. There is a relatively high percentage of subscriber traffic from the US, Germany, Britain, and Sweden; on the other hand, Japanese, French, Italian, Australian, and Austrian readers tend not to subscribe.
(For the curious, we got this information by feeding IP addresses to the GeoIP package. GeoIP is licensed under the GPL, and has a Python binding. The statistics are kept as simple counters; we do not track individual readers. The real purpose of this work is to evaluate the idea of offering country-specific text ads; the jury is still out on that one).
Enjoy this week's Edition, and we'll be back on our regular schedule after the holiday. Thanks, as always, for supporting LWN.
Security
Brief items
Microsoft examines the Darknet
Among the papers presented at the ACM Workshop on Digital Rights Management last week was one entitled "The Darknet and the Future of Content Distribution" written by four Microsoft engineers. The paper is available, in MS Word format, naturally.
The "darknet," as described in the paper, is the copyright-violating underground so feared by the entertainment industry, along with the technological infrastructure which supports content sharing. Several techniques for shutting down (or making life more difficult for) the darknet are examined; the authors conclude that these techniques are likely to be ineffective.
For example, the paper points out that the weak points of most file sharing networks are global indexes and lack of anonymous sharing. A global index is an obvious target for an irate corporation and its lawyers, as Napster discovered. Traceable sharing can be used to track down (and prosecute) individuals who are sharing content. But these activities will only have the effects of (1) encouraging more distributed, difficult to trace networks, and (2) splitting trading networks into smaller, interlinked networks of people who know and trust each other. The long-term effect on file sharing volume is likely to be small.
Given that, one might look at ways to keep content from getting into the darknet in the first place. Digital rights management and copy protection systems, it is noted, have, almost without exception, been broken. Since only one system need be broken to allow the injection of unprotected content into the darknet, DRM systems are not seen as being effective in shutting down sharing. Watermarking schemes are, in general, easy to remove, and suffer from key management problems. Hardware which implements watermarking is also at a competitive disadvantage, unless such technology is mandated legally for all devices. "The recently proposed Hollings bill is a step along these lines." It would be interesting to imagine the entire journey, if the CBDTPA is just "a step."
The authors conclude by saying that, for all practical purposes, the darknet can not be stopped. Business models need to keep this in mind.
(Emphasis in the original).
There is little here that has not been said before. The message seems to have been heard a little more widely this time, however, perhaps as a result of the authors' Microsoft affiliation. Whether the entertainment industry will hear the message remains to be seen, however; that industry still seems far more interested in controlling our computers and interactions than in providing convenience and low cost.
New vulnerabilities
gtetrinet: buffer overflows
Package(s): | gtetrinet | CVE #(s): |
Created: | November 25, 2002 | Updated: | December 11, 2002
Description: | Several buffer overflows were found in gtetrinet versions below 0.4.3. According to the authors these could be remotely exploited.
Alerts: |
kdelibs: Vulnerabilities in KIO subsystem support
Package(s): | kdelibs | CVE #(s): | CAN-2002-1281 CAN-2002-1282
Created: | November 22, 2002 | Updated: | March 15, 2003
Description: | Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2, however the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files: /usr/share/services/telnet.protocol and /usr/share/services/rlogin.protocol. If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts: |
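A way to verify the KDE2 workaround in the kdelibs entry above, as an added example that is not part of the KDE advisory or of the original LWN text: a POSIX shell check that reports any copies of telnet.protocol and rlogin.protocol still present in /usr/share/services or in an account's ~/.kde/share/services. The function names and the ROOT prefix argument are assumptions made for this example; home directories are taken from the passwd file under ROOT.

```shell
#!/bin/sh
# Added example: report leftover KIO protocol description files.
# It only lists files; removal is left to the administrator.
# ROOT (hypothetical parameter) is a path prefix, so the same check can be
# run against a mounted disk image or a test tree. Use "/" for the live system.

KIO_PROTOCOL_FILES="telnet.protocol rlogin.protocol"

# Print each of the two protocol files found in directory $1, one per line.
check_services_dir() {
    dir=$1
    for name in $KIO_PROTOCOL_FILES; do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    return 0
}

# Print every remaining protocol file under ROOT: the system-wide services
# directory first, then ~/.kde/share/services for each account in passwd.
# sort -u drops duplicates when several accounts share one home directory.
find_kio_protocol_files() {
    root=${1:-}
    {
        check_services_dir "$root/usr/share/services"
        if [ -r "$root/etc/passwd" ]; then
            while IFS=: read -r pw_user pw_pass pw_uid pw_gid pw_gecos pw_home pw_shell; do
                if [ -n "$pw_home" ]; then
                    check_services_dir "$root$pw_home/.kde/share/services"
                fi
            done < "$root/etc/passwd"
        fi
    } | sort -u
}

# Number of files still present; 0 means the workaround is fully applied.
count_kio_protocol_files() {
    find_kio_protocol_files "${1:-}" | awk 'END { print NR }'
}

# When run with an argument, list what is left under that root.
if [ "$#" -gt 0 ]; then
    find_kio_protocol_files "$1"
fi
```

Home directories that are not listed in the local passwd file (NIS or LDAP accounts, for example) are not covered by this check.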
Resources
LinuxSecurity.com newsletters
This week's Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current development kernel is 2.5.49, released by Linus on November 22. "Architecture updates, threading improvements, shm fix (the cause of the Oracle problems), networking, scsi, modules, you name it, it's here." Details are in the long-format changelog.
Linus's (pre-2.5.50) BitKeeper tree has a great many patches, the bulk of which come from the -ac and -dj trees. It also has some latency reduction patches from Andrew Morton, real-time swap space accounting, a number of IDE enhancements, an LSM update, and a big ISDN update.
The current prepatch from Alan Cox is 2.5.49-ac1. It consists mostly of compile fixes and other small repairs.
The current stable kernel is 2.4.19. 2.4.20 is getting closer, though; 2.4.20-rc4 was released by Marcelo on November 26.
Alan Cox has released 2.4.20-rc4-ac1, which adds a few fixes to the 2.4.20 release candidate.
Kernel development news
A look at 2.5.49-mm1
Andrew Morton's -mm patch series continues to be the staging area for no end of interesting patches in the memory management area. As of this writing, Andrew's latest patch is 2.5.49-mm1. Here's a look at a few of the items in that patch that are (1) interesting, and (2) not so complicated as to give your editor severe brain strain.
The shared page table patch is an important part of -mm1. This work was originally done by Daniel Phillips, but the patch has been beaten into shape and turned into something useful by David McCracken. The standard Linux virtual memory implementation does not share page tables between processes; even if two processes are sharing a large chunk of memory, they access that memory through separate page tables. With this patch, processes that fork() share their page tables (on a copy-on-write basis) with their child processes; page tables can also be shared when processes use mmap() to create a large shared memory region.
This patch can speed up fork() significantly (i.e. by a factor of almost 20 for very large processes) since it is no longer necessary to copy page tables and set up the associated reverse mapping data structures. It also greatly reduces the memory used for page tables and rmap entries; the savings can be hundreds of megabytes in the "large Oracle server" scenario. Shared page tables currently only work on x86 systems with high memory. The patch appears stable (the last bug that had been biting people just got stomped), but merging it into 2.5 would push the feature freeze pretty hard at this point. On the other hand, if it does not go into 2.5, it would not be surprising to see this patch worked into various distributor kernels.
The asynchronous direct I/O patch extends the asynchronous I/O infrastructure into the direct (block) I/O subsystem. It is part of the stated goal of making all I/O within the kernel be asynchronous.
Jens Axboe's rbtree I/O scheduler addresses a performance problem with the current I/O block scheduler: it has to scan through the list of pending requests every time it needs to add a new one. As the request queue gets long (and a certain length yields better performance), this scan takes time. So the new scheduler replaces the linear list of requests with a tree (using the generic red/black tree implementation in the 2.5 kernel).
The "currently untested and unused" page reservation API is meant to deal with situations where the kernel must be able to allocate pages without sleeping - and without failing. A call to reserve_local_pages() sets aside a given number of pages which are guaranteed to be available for a subsequent allocation (with the GPF_RESERVED allocation flag). There is also a new page walking API which simplifies the task of wandering through a process's address space. As a special case, this API includes support for the creation of scatter/gather lists for zero-copy I/O operations.
There's a lot of other work rolled into the 2.5.49-mm1 patch; see Andrew's posting for the full list.
Reworking User-Mode Linux
User-Mode Linux (UML) is Jeff Dike's "port" of the Linux kernel to itself; a UML instance runs as a set of processes on a "real" Linux system. UML has long been useful as a kernel development tool - it's nice to have a development environment which can be tweaked with normal debuggers, and which can crash without taking down the host system. In recent times, there has been a growing level of interest in UML for virtual hosting and honeypot applications as well. Users (or attackers) can be given root access to a UML instance without, one hopes, endangering the host system.
UML has traditionally worked by running every UML process as a process on the host system. The kernel lives up at the top of each process's address space; transitions to and from "kernel mode" are handled with signals. The problem with this mode of operation is that it is hard to make secure, since the UML kernel's memory range is accessible to the processes it is running. This mode is also slow, since it involves frequent memory protection changes and signals.
So Jeff has released a patch which fixes these problems by radically changing how UML works. In the new scheme, a UML instance runs as exactly two processes on the host system. One is the UML kernel, while the other takes turns running user-space processes. The result is more secure (kernel space, being in a separate process, is now completely inaccessible), and significantly faster as well. There is, according to Jeff, only one disadvantage to the new way of doing things: it can't actually be implemented on a stock Linux kernel. This is the sort of nagging little problem that has been the downfall of many a great development project.
The problem has to do with how the user-space process works. That process needs to run each UML process in its own address space. In other words, every time the UML kernel decides to switch to a new process, the host-system process running the UML processes needs a whole new memory management data structure. The Linux kernel does not currently have the ability to switch a process's memory environment in this manner.
Jeff's solution is to create a magic file called /proc/mm. Opening this file creates a new address space; that address space can be modified by writing to the file. When the file is closed, the address space is deleted. Then, there is a set of ptrace() extensions, one of which allows the caller to change the address space of the traced process. By using /proc/mm to create a separate address space for each UML process, the UML kernel can give each of its processes its own view of the world within a single host system process. Problem solved.
It all looks like it works well. The /proc/mm approach may run into some rough sailing on linux-kernel; a system call implementation (or even /dev) might be better received. However it is implemented, this new feature is exactly that: a new feature. Adding new features into the virtual memory and process management subsystems is exactly what is not supposed to happen during this phase of 2.5 development.
Page editor: Jonathan Corbet
Distributions
News and Editorials
Debian - After the fire
On November 20, 2002 a fire destroyed the University of Twente Network Operations Center in the Netherlands. Among the computers housed there was one known as satie.debian.org, former home of security.debian.org, non-us.debian.org, nm.debian.org and qa.debian.org.
Security was the first priority and the Debian Team had reinstalled security.debian.org on the host klecker within two days' time. Some security fixes were lost, particularly those that were uploaded, but not yet installed. Most have probably been reconstructed by now, but if you downloaded security fixes before the fire, check the previous announcement to see if you can help.
The new maintainer service, nm.debian.org is in the process of getting back on track. Here's a status report on how nm.debian.org was affected and how it is being restored. As part of the New Maintainer web site, there is a new GPG Key Signing Coordination page as well. Anyone applying for new maintainer status should be aware that your information may have been lost. If you are applying for Debian developer status please read this information, and verify your status.
There is no word yet on the status of non-us and qa, but we expect those services to be restored soon. Remember that Debian is a volunteer organization, so those people who are working on restoring these services are taking time away from jobs, families and other commitments. Help out if you can, if not, please be patient.
In other Debian news, we have the most recent debian-installer status report for November 22, 2002. If you would like to help with the installer you can get more information from the installer's home page.
Distribution News
Mandrake Linux
The Mandrake Linux Community Newsletter for November 21, 2002 is available. This week covers Christmas at MandrakeStore; Mandrake 9.0 Standard Edition at a Glance; Mandrake Desktop Linux v. Microsoft; Mandrake Linux for Power and Enterprise Users; Stability; and more.
A new initscripts package is available for Mandrake Linux 9.0, that fixes problems with certain locales including pl, sq, fi, lv, ru, sk, and Danish translation encoding. This package also corrects some issues with wireless link detection.
Slackware Linux
Slackware reports more changes to the slackware-current tree. Samba was upgraded to samba-2.2.7, mysql recompiled --with-extra-charsets=complex, Pine was upgraded to pine-4.50, gcc updates and more. See the change log for complete details.
Trustix Secure Linux
Trustix has announced that as of March 31, 2003 updates for Trustix Secure Linux versions 1.01 and 1.1 will no longer be maintained, so they can focus on future versions.
Trustix has released a bug fix advisory for freeswan. "The previous package had the wrong path to the internal tools. This has now been corrected. Since we did a new package, it has also been updated to the latest release. The kernel patch has also been updated, and a new kernel is thus shipped as well."
There is also an enhancement to rpm which adds a %makeinstall macro to the older versions to make it easier to maintain packages over several distributions.
Minor distribution updates
Astaro Security Linux
Astaro Security Linux has released v2.031 with major security fixes. "Changes: This Up2Date fixes BIND vulnerabilities (VU#844360, VU#852283, VU#229595)."
Cool Linux CD
Cool Linux CD has released v2.01 with minor feature enhancements. "Changes: This version allows you to save your options on a CD as a second track (in multisession mode). ALSA 0.9.0rc5 drivers and utilities were added, as well as some more software."
LEAF (Linux Embedded Appliance Firewall)
LEAF Bering branch has released v1.0. "Changes: Fixes for some minor bugs from rc4, and addition of Shorewall version 1.3.10, PCMCIA-CS 3.2.3, and FreeSWAN/IPSec 1.99."
MURIX Cross Hardware Linux
MURIX Cross Hardware Linux has released v1.1 with minor feature enhancements. "Changes: This release has automatic redial if the line is dropped or busy, and a simple configuration."
Phrealon Linux
Phrealon Linux has released v0.81 with minor feature enhancements. "Changes: This release adds a tulip.o.gz module and changes name of the distribution to Phrealon Linux to avoid trademark issues."
PXES Linux Thin Client
PXES Linux Thin Client has released v0.5.1-9 with major feature enhancements. "Changes: VNC was included, and some small changes and corrections were made to auto-detection."
RxLinux
RxLinux has been busy this week. Features were added to version 1.0.8, which was followed by bug fixes in 1.0.8a. Version 1.0.9 was released soon after that with more major feature enhancements. "Changes: New packages have been added for Rxlinux: Samba, X11R6, and Mozilla. With these new packages, Rxlinux can be configured to be a file server, an X terminal, or a standalone diskless Web browser (128M RAM needed)."
ttylinux
ttylinux has released v2.6 with minor bug fixes. "Changes: This release updates busybox, e2fsprogs, e3, LILO, and modutils to their latest versions. There is also a bootable ISO image for download using the Linux 2.2.22 kernel."
Distribution reviews
Mandrake 9.0 Review (LinuxLookup)
LinuxLookup reviews Mandrake Linux 9.0. "If I were looking for a Linux distro that would meet the demands of the newest Linux customer, then Mandrake would probably be my first choice. All of the icons representing the applications are straightforward as to their function. The layout is incredibly simple (Hello! Hey, Red Hat! Are you listening?), the groupings are logically divided, and the desktop has a nice default pattern and style."
Page editor: Rebecca Sobol
Development
GCC 3.2.1 released
Version 3.2.1 of GCC, the GNU Compiler Collection, has been announced.
The release is mainly intended to fix a number of bugs. The changes include:
- a new header directory search method.
- removal of the "Naming Types" extension.
- improvements to the IA-32 target code.
- improvements to the x86-64 target code.
The final release notes contain a detailed list of bug fixes that are associated with this release.
From the release notes:
"3.2.1 adds a new warning, -Wabi. This option warns when GNU C++ generates code that is known not to be binary-compatible with the vendor-neutral ia32/ia64 ABI. Please consult the GCC manual, included in the distribution, for details."
System Applications
Audio Projects
Ogg Traffic
The November 24, 2002 edition of Ogg Traffic is out with the latest Ogg Vorbis audio compression news. Topics include developer status reports, Ogg Vorbis Industry Standard?, Ogg Vorbis to MP3 transcoding, Tremor development, Speex joins Xiph.org, Theora Alpha One, and Icecast 2.
libsndfile-1.0.2 released
Version 1.0.2 of the libsndfile audio library has been released with a number of bug fixes and new capabilities.
Database Software
knoda 0.5.5 released
Version 0.5.5 of the Knoda database GUI for KDE 3 is out. New features include an ODBC driver, an improved report designer, better configuration capabilities, and bug fixes.
Electronics
New gEDA releases
The latest news from the gEDA (Gnu Electronic Design and Analysis) project includes new versions of the Icarus Verilog compiler and Gerber Viewer.
Networking Tools
Managing Bulk DNS Zones with Perl (O'Reilly)
Chris Josephes shows how to use Perl to assist in the management of DNS zones on O'Reilly.
Printing
LinuxPrinting.org news
LinuxPrinting.org mentions that the Foomatic printer database includes new entries for the HP LaserJet 4200 and 4300, the Epson Stylus CX5200 and 3200, and generic printers.
Web Site Development
Midgard framework in action
A case study of using the Midgard Content Management Framework has been published by Martin Langhoff. "A client of CWA New Media has recently made live a site we have developed using Midgard as the underlying framework. The project overall involved 3 companies, responsible for the back-end, front-end and hosting. These three teams, plus a sizable team put together by the client, worked for over a year from prototype to launch date."
Zope Members News
The most recent headlines on the Zope Members News include: RSS 2 Feed for Zope.org, Icube Releases ApplicationWizard for OpenFlow 1.0, Icube Releases OpenFlow 1.0, ContentPackage 0.3 released, Zope on IBM OS/2, Three leading Swiss Zope companies establish the SwissZope Association, PropertyObject & -folder 1.2 released, AbracadabraObject 1.5 released, Strip-o-Gram 1.2 Released!, and New York ZUG - November 21, 2002.
Using Tomcat Configuring Tomcat and Apache With JK 1.2 (O'Reilly)
James Goodwill continues his series on Tomcat/Apache integration. "In the simplest terms, the JK modules, or mod_jk, are conduits between a Web server and the Tomcat JSP/servlet container. They replace the previous Web server module, mod_jserv, which had many shortcomings. The new JK modules include support for a wider variety of Web servers, better SSL support, support of the AJP13 protocol, and support for the entire Tomcat series from 3.2.x to 5.x."
Miscellaneous
GNU Free Documentation License v1.2
Version 1.2 of the Gnu Free Documentation License has been published. Thanks to Paul Sladen.
Raising the Bar on RSS Feed Quality (O'Reilly)
Timothy Appnel covers RSS syntax, standards compliance issues, and more on O'Reilly. "RSS is an XML-based syntax for facilitating the exchange of information in a lightweight fashion through the distribution (or feeding) of resources. Publishers can use this versatile and increasingly essential format to assist end users in tracking and consuming content. Netscape originally developed the format but lost interest and eventually abandoned work on it. This created an identity crisis that devolved into varying interruptions, with dispute over even the meaning of the RSS acronym, RDF Site Summary or Rich Site Summary or Really Simple Syndication. But as divergent efforts work to develop RSS, one result has been a diminished overall quality in RSS feeds."
Desktop Applications
Audio Applications
GLAME 0.6.4 released
Version 0.6.4 of the Glame audio editing package is available, and includes a number of bug fixes.
WaveSurfer 1.4.6 released
Version 1.4.6 of the WaveSurfer sound visualization and manipulation tool is out. The changes include a new WaveSurfer native transcription format, support for Snack 2.2, new keyboard shortcuts, two new visualization plugins, and lots of bug fixes.
Audacity 1.1.1-3 tarball available
Version 1.1.1-3 of the Audacity multi-platform audio editor is available. "For Unix users, a new source tarball has been released, 1.1.1-3, which fixes problems compiling with wxGTK 2.2.9. We hope to have a version which compiles on RedHat 8 with no modifications soon."
Desktop Environments
FootNotes
Headlines on the GNOME desktop FootNotes site include: Happy holidays from the GNOME Foundation!, Totem ''We're getting almost every night'' 0.12.0 out, GNOME Germany's website updated, Opinions: Abstracting the Linux Desktop from the File-system, Sodipodi 0.28 released, Ruby-GNOME2-0.1 is released!, GNOME 2 Accessibility Guide now available, Evolution 1.2 review, Foundation Happenings, and more.
Kernel Cousin KDE
The November 26, 2002 edition of Kernel Cousin KDE is out. Topics include: SMS plugin for Kopete, Debugging JavaScript, Improving tabs in Konqueror, Introducing kexi to KOffice, KSpread speaking better Excel, KOffice 1.3: Usability Aspects, Service for KOffice 1.2, No Money Handling in KOffice, and Dev. Newsflash.
Games
WorldForge Game News
New software from the World Forge game project includes Uclient 0.15.1, and Cyphesis 0.2.
New Pygame releases
New software from the PyGame project includes Pyzzle 0.8 and Basegolf 1.
GUI Packages
XFree86 4.3.0 Feature Freeze
A feature freeze has been announced for XFree86 4.3.0. The freeze will take place on November 30, 2002. The official release of 4.3.0 is planned for the Linux World Conference & Exposition in January.
FLTK 1.1.2 available
Version 1.1.12 of FLTK, the Fast, Light ToolKit has been released. Change information is available in the source code.
Interoperability
Wine release 20021125
Release 20021125 of Wine has been announced. This release features a completed conversion to STRICT compilation mode, revival of WinHelp, support for client-side fonts, regression tests that no longer require Perl, and bug fixes.
Kernel Cousin Wine
Issue #145 of Kernel Cousin Wine is out. Topics include: Fun Projects Slashdotted, Screenshots (Send More!), Porting PuTTY With Winelib 3, Building Apps With Different Wine Source/Build Trees, Implementing Import Libraries, wintab.dll: Better Tablet Support, Wineconsole Changes, Passing Commandline Arguments, Terminal Based Apps, Assumptions with autoconf, COM Objects, and Threads and CoInitialize.
Office Applications
OpenOffice developer build 643
Developer build #643C of OpenOffice is available. "This new developer build improves upon 643 and then goes beyond mere improvement. But it is less stable than OpenOffice.org 1.0.1, more prone to crashing than OpenOffice.org 1.0.1, and thus not recommended for the casual user."
Kernel Cousin GNUe
Issue #56 of Kernel Cousin GNUe is out with the latest GNU enterprise development news.
Web Browsers
mozillaZine
The latest mozillaZine topics include: Independent Status Reports, Roadmap Graphic Updated, The Role of XUL in Rich Internet Applications, Macworld Browser Comparison Features Mozilla, Chimera and Netscape, Favourite Phoenix Theme: And the Winner is..., Capital One Now Supports Mozilla, Bugzilla Status Update, and more.
Languages and Tools
Caml
Caml Weekly News
The November 19-26 edition of the Caml Weekly News is out with the week's Caml software development news.
The Caml Hump
This week, the new software on The Caml Hump includes: Encore un cours de compilation, Initiation au langage OCaml, caml2html, Jabbr, APPSEM'2000, MLGMP, xmllexer, and OCaml-HTTP.
Java
Patterns, Hype, and Snobbery (O'Reilly)
Ted Neward clarifies some issues on Design Patterns. "Specifically, I want to address the huge misunderstanding that emerged through the industry about what design patterns are, what they were intended to do, and why they're still important, all hopefully without any trace of snobbery."
Implementing Templates with Struts (O'Reilly)
Vikram Goyal writes about Java templates on O'Reilly. "Developing portal sites without a framework in place can be a difficult job. Using templates can reduce the pain and help with sites where the content and layout can change in the blink of an eye. Struts can help you develop template-based portal sites, with the Struts Template tags. The article covers some basic templating ideas in relation to portals, explains templating support in Struts, and rounds up with a discussion of Struts Template tags vs. Tiles, another templating mechanism."
Unit testing with mock objects (IBM developerWorks)
Alexander Day Chaffee and William Pietri cover the use of mock objects on IBM developerWorks. "Mock objects are a useful way to write unit tests for objects that act as mediators. Instead of calling the real domain objects, the tested object calls a mock domain object that merely asserts that the correct methods were called, with the expected parameters, in the correct order. However, when the tested object must create the domain object, we are faced with a problem. How does the tested object know to create a mock domain object instead of the true domain object? In this article, software consultants Alexander Day Chaffee and William Pietri present a refactoring technique to create mock objects based on the factory method design pattern."
Perl
This Week on perl5-porters (Use Perl)
The November 18-24, 2002 edition of This Week on Perl 5-Porters is out. Topics include: Carp patch rejected, require $foo versus require Foo, Atomic in-place edit, Called as a subroutine or as a method ?, Parser patch for ? :, New warning proposal, and more.
This week on Perl 6 (O'Reilly)
O'Reilly's This week on Perl 6 for November 21, 2002 is out. The topics include: Quick Roadmap, Branch Dump, Parrot BASIC 2, scope and functions in languages/scheme, Leo Tötsch is the Patch Monster, Bootstrapping Perl 6, Quick note on JIT bits, Perl 6 test organization, Meanwhile, in perl6-language, Unifying invocant and topic naming syntax, Superpositions and Laziness, FMTWYENTK about :=, Continuations, More Junctions (or, When junctions collapse), Control Structures I, II and III, String concatenation operator, Meanwhile, Over in perl6-documentation, and more.
PHP
PHP Weekly Summary
Topics on this week's PHP Weekly Summary include: bcmath extension, Incorrect HTTP headers, Release Candidate 2, leak() and crash(), Hebrew calendar improvements, License errors, DNS query functions, ZE2 F3P, Ideal error reporting, and $PHP_AUTH_USER or $PHP_AUTH_PW.
Python
The Daily Python-URL
This week's Daily Python-URL article topics include: PyCon 2003 - Call for participation, IndexedCatalog 0.4, csv 1.0, RSS for Python, and The best of two goodies ... Delphi & Python.
Ruby
The Ruby Weekly News
Topics on this week's Ruby Weekly News include WeRDS, the Weekly Ruby-Doc Summary, for 2002-11-17, ruby-dev summary 18711-18810, install.rb/setup.rb question, Unit Testing in Ruby for the (Absolute) Novice, and ruby-dev summary 18811-18923. New Ruby software includes ncurses-ruby 0.6, rbbr-0.1, and Ruby-GNOME 2.01.
The Ruby Garden
New topics on the Ruby Garden include: regex search in Array of Strings, New Root for Class Hierachy, Suggest String#to_n to encompass to_i and to_f, uncatchable Deadlock exception, Move "timeout" method into its own class, and more.
XML
W3C XML Schema Design Patterns: Avoiding Complexity (O'Reilly)
Dare Obasanjo covers XML Schema issues on O'Reilly. "Over the course of the past year, during which I've worked closely with W3C XML Schema (WXS), I've observed many schema authors struggle with various aspects of the language. Given the size and relative complexity of the WXS recommendation, it seems that many schema authors would be best served by understanding and utilizing an effective subset instead of attempting to comprehend all of its esoterica."
Miscellaneous
Second Alpha of KDevelop 3.0 is Out (KDE.News)
KDE.News has an announcement for KDevelop version 3.0. "This release fixes many bugs since Alpha 1 was released over a month ago and adds a few minor features to the mix. Users of KDevelop 2.x will notice substantial improvements and are encouraged to begin upgrading so that new bugs can be identified and squashed."
Jext 3.2 pre 2 available
Version 3.2 pre 2 of the Jext programmer's editor is available. A new Project Master plugin is also included.
CVS Third-Party Tools (O'Reilly)
Jennifer Vesperman summarizes the capability of a bunch of open-source CVS extension tools. "CVS (Concurrent Versioning System) is a popular version control system. It provides many features, and is useful in many situations. It does, however, have its faults. The standard client works from the command line, it doesn't automatically integrate with development environments, and there are useful features it lacks. Not to worry. It's an open source program, and there are a host of third-party utilities that provide features and integration. There are also many graphical clients."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Group tackles OpenOffice desktop spec (News.com)
News.com reports on the formation of a working group to develop an XML file format specification for the OpenOffice project. "The working group is trying to develop a standard data format for the creation of content such as text, spreadsheets and charts. The goal is to develop an interface between the office software and other applications using XML (Extensible Markup Language)."
Is Open-Source Software Less Secure? (TechWeb)
TechWeb jumps into the debate about the security of open source vs. closed source. "A recent analyst report claiming open-source software surpassed Microsoft as the major source of severe security flaws has rekindled the security debate over open source versus proprietary software. The Aberdeen Group says open-source software, including the popular Linux OS and a wide variety of applications, has pushed aside Microsoft as the "poster child" for security problems."
Free-software gadfly takes on Net group (News.com)
News.com reports on Bruce Perens' idea to pack the Internet Engineering Task Force (IETF), a key Internet standard body. "Free-software advocates have until March to rally their troops to the IETF front. The group holds its spring meeting in San Francisco from March 16 to 23, at which time it will decide whether to recharter the existing group to weigh a switch to a royalty-free policy."
AMIA Announces Open Source 'Exploratory Initiative' (LinuxMedNews)
Linux Med News covers an initiative by the American Medical Informatics Association (AMIA) to explore open-source software. "The American Medical Informatics Association (AMIA) has announced five task forces, among them an 'exploratory initiative' for Open Source: 'Open Source is currently an important topic throughout the computer software community and has implications for health care information systems. The purpose of this initiative is to explore the feasibility for AMIA to assume a leadership role in promoting and coordinating Open Source activities in the interests of health care system development.'"
Companies
SuSE, Mandrake Linux name new CEOs (News.com)
News.com covers the appointment of new CEOs at SuSE and MandrakeSoft. "Both companies are selecting new leaders after completing months-long restructuring operations. SuSE has solidified partnerships with software and hardware companies, joined the UnitedLinux collective, and put an emphasis on selling through business partners such as IBM. MandrakeSoft has returned to its roots, selling a desktop version of Linux."
Business
FedEx Freight delivers with Linux Web server migration (Network World)
Network World covers a FedEx migration to Linux. "The large-volume trucking division of FedEx recently installed 15 Red Hat Linux 7.2 and 7.3 servers running Apache Web server to act as a front end to its customer service application, used by businesses that hire Freight to deliver multitruckload shipments of goods across the country." Thanks to Peter Link.
Linux for the Rest of Us (Business 2.0)
Business 2.0 has run an article on desktop Linux. "In place of familiar Redmond brands like Outlook, Excel, and Explorer (for e-mail, spreadsheets, and Web browsing), [Zumiez] technology director Lee Hudson has store clerks and managers tooling around on programs called Ximian Evolution, Gnumeric, and Mozilla. The names might sound like Zumiez's myriad skater brands, but they stand for something a tad more radical: the possibility that, at least in some markets, Linux is finally becoming a viable alternative to Microsoft products on commonplace PCs."
Open-Source Applications--Not Only for Auxiliary Tasks (Linux Journal)
Linux Journal looks at Linux use in Poland. "Comprehensive migration to open-source software is rare. In Poland, a well known exception is the implementation of Linux and StarOffice in the Jan III Sobieski hotel (alongside commercial software for hotel management). The Orbis hotel network also uses Linux, although they do not emphasise it."
Legal
Major test of copyright law set to start (News.com)
News.com looks at the Elcomsoft trial, which is ramping up again now that the defendants will actually be allowed into the US. "Burton, the ElcomSoft attorney, argued that in order to convict the company of wrongdoing, the jury should have to find that company representatives were acting with an 'evil-meaning mind' or for a 'bad purpose,' not just helping people crack copyright protections. He also argued that the jury should be instructed on what constitutes 'fair use,' a legal theory under copyright law that allows some copying of material for education, criticism and other purposes. But [Prosecutor Scott] Frewing disagreed. 'Fair use is irrelevant and improper,' to bring into the instructions, he said."
Court blocks state DVD-cracking suit (News.com)
News.com reports on a California Supreme Court ruling. Texas resident Matthew Pavlovich can't be sued in California for posting DVD-cracking code online. "The narrow decision overturns earlier rulings that had been widely criticized in the Internet community. Lower court rulings allowing Pavlovich to be sued would have created "universal jurisdiction" that would let any Web publisher be sued in California, critics contended."
Japan Weighs Linux For Government Use (TechWeb)
Here's a TechWeb article about a Japanese study into the possibility of using open-source software such as Linux at the government level. "Concerns about costs and security from heavy reliance on Windows have been growing here. Ruling party politicians have been urging the government to consider other operating systems, which may offer lower costs and better security."
Is it time for a GeekPAC? (News.com)
News.com covers the efforts underway to resuscitate the dormant League for Programming Freedom (LPF). "In its heyday, the LPF focused on software patents and user interface copyright, including the Lotus v. Borland lawsuit over the design of the Lotus 1-2-3 spreadsheet. Software patents are as problematic for today's programmers as they were a decade ago, but new threats such as the Digital Millennium Copyright Act (DMCA) have since emerged."
Interviews
The Boston Globe on Eben Moglen
The Boston Globe reports on the work done by Free Software advocate Eben Moglen. "But why so generous? Because Moglen is one worried guy. Even though the free software movement has generated a host of major products -- the Linux operating system, the Apache Web server, the Emacs text editing system -- Moglen thinks the movement faces a struggle for survival, with scarcely a dime in its war chest. "We're a small organization running a big revolution," said Moglen, "and we have big adversaries.""
Film Gimp - Lights, Camera, Linux! (DesktopLinux)
DesktopLinux.com interviews Robin Rowe about Film Gimp, a popular open source tool used in films like Harry Potter, Stuart Little, Scooby-Doo, and many others. "Film Gimp is a tool for retouching motion pictures frame by frame. A typical application is removing dust marks after film is digitized. Scanning the negative is the first step in post-production, and the scans must be cleaned up to remove dust and scratches. Film Gimp also is used to eliminate wires when actors are being flown in wire rigs."
Codewalkers interviews Michael "Monty" Widenius
Here is a Codewalker interview with Monty Widenius, designer and lead programmer for the MySQL database. "His database software programming dates back to 1978 and his work with TCX DataKonsult AB, to 1981. Since 1995, Monty has been the primary force behind MySQL, devoting his time to product strategies, software design, and the development and reviewing of MySQL source code."
Resources
LinuxDevices.com Newsletter for Nov. 21, 2002
Here is the LinuxDevices.com's Embedded Linux Newsletter for November 21, 2002, with a wrapup of embedded Linux news over the past week.
Miscellaneous
Fire devastates Dutch Internet hub (The Register)
The Register covers a fire at the University of Twente in the Netherlands, which destroyed one of the fastest computer networks in Europe. Although it is not mentioned in the article, this network was home to an important Debian server, security.debian.org (aka satie.debian.org). Security and other Debian services will be disrupted until they can be moved. Things could be getting back to normal today, as new servers take over for satie. See this Debian announcement for additional details.
Page editor: Forrest Cook
Announcements
Commercial announcements
IBM Japan to install Linux desktop on recycled PCs
IBM Japan announced the "PC Long-life Service," a PC recycling service which will install Linux desktop (web browser, email client, word processor, etc.) on the PCs that have become too old for use with Windows. Customers can choose which Linux distribution to install.
NeTraverse to Offer $200,000 worth of software to user groups
NeTraverse announced a program to sponsor Linux User Groups (LUGs) throughout the world. NeTraverse plans to donate over $200,000 worth of software to LUGs over the next year.
Linux Tape Device Certification Program
The TOLIS Group, Inc will be providing a tape drive certification program for Linux. "Under this program, tape device manufacturers such as HP, Seagate, Exabyte and others submit current and unannounced drives for Linux compatibility testing. Manufacturers whose drives pass the suite of tests are then awarded use of the "Linux Compatible for Backup" logo - trademarked by Linus Torvalds - for use on their product materials. There is no charge for this service."
Software DVD Player for Embedded Linux
MontaVista Software and InterVideo introduced LinDVD, InterVideo's Linux DVD-playing software which has been validated and optimized for MontaVista Linux.
EiffelStudio 5.2 for Linux
Version 5.2 of EiffelStudio, an Eiffel language development platform, is available for Linux.
Automatically Install 50+ Open Source Projects on Linux
EJB Solutions announced the immediate availability of Out-of-the-Box 1.0, an instant infrastructure for Java developers that automatically installs, configures, integrates, deploys, and tests over 50 Open Source projects.
IBM and Corrent Team to Accelerate PKCS#11 openCryptoki Performance
Corrent Corporation has announced the availability of an open source PKCS#11 library for Corrent's S2000 IPsec/SSL security accelerator card.
ATI Drives Graphics Performance for Linux Users With New Unified Driver
ATI Technologies Inc. has announced the release of its Unified Linux Driver Version 2.4.3.
ON Technology at Enterprise Linux Forum in Boston, Dec. 3 - 4, 2002
On Technology has announced that they will be demonstrating their On Command CCM product at the Enterprise Linux Forum in Boston.
SCO Unveils SCO Linux 4.0, Powered by UnitedLinux
The SCO Group has announced version 4.0 of SCO Linux.
New CEOs for MandrakeSoft and SuSE
MandrakeSoft has sent out an announcement that François Bancilhon will be taking charge as the new CEO of the company. He was a founder of companies like O2 Technology, Arioso, and Xyleme; he also served as CTO of SomaLogic. "After eighteen months of intensive restructuring, MandrakeSoft is showing extremely positive results: Revenue is up, while expenses have been drastically reduced. The company is now at the stage where it needs an experienced manager capable of taking it to the next level of development, while keeping the Open Source spirit which has always been one of MandrakeSoft's main strengths."
SuSE, meanwhile, has announced that its top job will be taken by Richard Seibt, a longtime IBM veteran.
OpenLink Uses Mono to Enable Cross Platform Integration of .NET
Ximian, Inc. has announced that OpenLink Software, Inc. is using Mono as part of the development efforts for Virtuoso 3.0, its latest Universal Server release.
Resources
1st multivendor Embedded Linux standard nears release
LinuxDevices reports on the final review of version 1.0 of the ELC Platform Specification. "The Embedded Linux Consortium's board of directors has started the clock on final review of version 1.0 of the ELC Platform Specification, according to an announcement sent to the ELC's members. The draft spec was completed by the platform spec working group in late October, triggering a 45-day review period that will culminate in a vote cycle authorizing public distribution of the world's first Embedded Linux standard."
New Survey of International Developers Shows Web Services Now Focused Inside Businesses
Evans Data Corporation has published its latest Developers Survey. "Linux continues to expand its user base. 59% of survey respondents expect to write Linux applications in the next year."
MySQL Cookbook available
O'Reilly has published the MySQL Cookbook.
Second Zope Community Handbook
Work is in progress for the construction of the second community-authored Zope Handbook, which will consist of around 20 Zope related articles. Article writers are needed.
Upcoming Events
Super Computing announcements
Super Computing 2002 is in progress now, in Baltimore, Maryland. Here are a few Linux cluster supercomputing announcements.
- Aspen Systems announced the availability of Aspen Beowulf Cluster (ABC) management software, a turn-key, browser-based software management system for their Beowulf Clusters.
- Aspen Systems also announced a partnership with High Performance Technologies, Inc. (HPTi) to build the eighth fastest supercomputer in the world, to be used at the National Oceanic and Atmospheric Administration's Forecast Systems Laboratory (NOAA).
- The University at Buffalo, The State University of New York has added a 300-node Dell high-performance computing cluster (HPCC) to its Center for Computational Research (CCR).
- Intel Corporation has announced the largest InfiniBand cluster test bed built yet. The 128-node cluster housed at Los Alamos National Laboratory will initially be used for InfiniBand software stack validation and hardware testing, and ultimately will be available for protocol research and development.
Forum du PHP 2002
Forum du PHP 2002 (in French) will be held in Paris, France on December 9 and 10, 2002.
LinuxWorld UK debut
LinuxWorld will be presenting its first Linux event in the UK, to be held in Birmingham on September 3 and 4, 2003.
LinuxWorld lands in the UK (ZDNet)
Next year in September LinuxWorld will land in the UK, according to this ZDNet article. "The UK show will take place at the Birmingham NEC from 3-4 September, and will be the second LinuxWorld event in Europe, joining an annual event in Germany. It will directly compete with Linux Expo UK, which has been running in this country for five years and will take place next October in London."
Events: November 27, 2002 - January 23, 2003
Date | Event | Location |
---|---|---|
December 3 - 5, 2002 | Linux Bangalore/2002 | (J.N.Tata Auditorium) Bangalore, India |
December 9 - 20, 2002 | UMeet conference | On IRC |
December 9 - 10, 2002 | Forum du PHP 2002 | Paris, France |
January 21 - 24, 2003 | LinuxWorld Conference & Expo | (Jacob K. Javits Center) New York, NY |
January 22 - 25, 2003 | Linux.conf.au 2003 | Perth, Australia |
Web sites
Lisp resources have moved
Two Lisp resources, CLiki and the SBCL Internals Documentation Project, have been moved to cliki.net.
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted alphabetically,
- Sorted by license.
Miscellaneous
Robin Dunn joins OSAF
Mitch Kapor's Weblog reports that wxPython developer Robin Dunn has joined the OSAF for a six month contract. Thanks to Magnus Lycka.
Page editor: Forrest Cook