Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for December 8, 2005FOSS.IN: A report FOSS.IN 2005 has run its course. Your editor, having returned (sans luggage and with a seriously confused body clock) to a Colorado cold snap, will now set out to summarize this impressive event. This article is a companion to the first-day report already published.
This report will not attempt to summarize the individual sessions. Those who are interested in further information should have a look at the numerous reports being posted on planet.foss.in. There are also quite a few photos available. On the last day of the conference, your editor delivered a brutally technical kernel programming talk to a crowd which nearly filled the 750-seat "Intel Hall." That is several times the number of people which normally turn up for that sort of session. These people were not just filling the seats; they asked no end of detailed questions during the session and after as well. Alan Cox's technical device driver talk drew an even larger crowd. An immediate conclusion which might be drawn is that Bangalore contains hundreds of programmers who are interested in - and capable of - hacking on the kernel. Even if only 10% of those attendees were truly active in kernel development, one would expect to see a significant amount of code from Bangalore working its way into the mainline kernel. And there are some Bangalore-based kernel hackers who are active on the mailing lists and who are contributing code. But their numbers are far smaller than one would expect after seeing how many people are interested and knowledgeable in this area. India is, as one developer put it, "the world's biggest consumer of free software," but it is not a huge contributor. Trying to reconcile this difference became one of your editor's primary objectives at FOSS.IN. It is not possible to claim that this objective was realized in any complete way. It has become clear, however, that a few forces are at play here. One of them become evident early on: of the numerous questions asked privately by attendees, quite a few had to do with binary-only kernel modules. It seems that the challenges involved in maintaining proprietary modules - the changing kernel API, GPL-only exports, etc. - are proving frustrating to deal with. But more to the point: it seems that a significant percentage of these kernel developers are engaged in the writing of proprietary code. Your editor was far from the only speaker to sermonize about the problems inherent in proprietary code and the importance of contributing back to the community, but, if Indian companies are demanding the creation of proprietary code, that's what their employees will write.
By several accounts, the problem starts with the university system. The Indian universities are strongly oriented toward the creation of employable graduates in large numbers; a number of FOSS.IN attendees described them as "assembly line" operations. There is a strong emphasis on passing tests and getting through the system on schedule, and, it seems, little interest in encouraging creativity and curiosity in the students. The universities were described as a conformist environment with little love of those who have their own ideas of how things should be done. The end result, as expressed to your editor, is that most students have had any love of hacking beaten out of them by the time they graduate. The fact that the universities are, for the most part, hostile to Linux and free software does not help either. Neeti's talk described Indian developers as needing to have their jobs laid out to them in great detail. They want to know where their boundaries are, and are uncomfortable if left to determine their own priorities and approaches. Your editor's initial reaction was that this claim sounded like classic talk from a pointy-haired boss who does not trust his employees to make decisions. Subsequent discussions backed up Neeti's claims, however. A few Indians told me that Indian employees require a high degree of supervision; perhaps that is why the pizza stand at the site required two-levels of necktie-wearing bosses who apparently did little to actually get pizza into the hands of conference attendees. It is not that Indians lack the intelligence to function without a boss breathing down their neck - that is clearly not the case - but all of their training tells them to work in that way. So if one were to construct a stereotypical picture of an Indian software developer, it would depict a person who sees programming very much as a job, and not as an activity which can be interesting or rewarding in its own right. This developer is most interested in getting - and keeping - a stable job in a country where an engineering career can be a ticket to a relatively comfortable middle-class existence. Keeping that job requires keeping management - and coworkers - happy, and not rocking the boat. For such a developer, the free software community is not a particularly attractive or welcoming place. A developer who contributes to a free software project may earn a strong reputation in the community, but that reputation is not appreciated by that developer's employer or co-workers, and is not helpful for his or her career. Criticism from the community - even routine criticism of a patch by people who appreciate the developer's contributions in general - can be hurtful to a career in a culture where open criticism is not the normal way of doing things. Developers who expect to have their job parameters laid out to them in detail may feel lost in a project where they are expected to find something useful to do, and push it forward themselves. And these developers, while being possibly quite skilled in what they do, often have no real passion for programming, and leave it all behind when they leave the office each day. It also does not help that, at this point, would-be contributors have few role models in India. In the long term, many of these problems may go away. For now, however, getting Indian programmers into the community will require some extra care. Often, it will be necessary to engage (respectfully) with their supervisors: in most cases, if an Indian is working with the community, it is because his or her boss is making it happen. Being careful with criticism and avoiding creating trouble for Indian developers in their work hierarchies can only help.
And, obviously, an important step will be the creation of a vibrant free software community in
India. This community can provide inspiration, mentoring, and support for
Events like FOSS.IN are crucial for the development of this community. So it is unfortunate that this event is currently dealing with some serious financial problems. A sponsorship shortfall led to a reduction in the conference program, and it leaves the organizers with a financial gap that they are struggling to close. Given this situation, it is worth noting that the list of conference sponsors (which includes Intel, Google, Sun, and HP) is missing the names of a few companies which work with free software, and which have a presence in Bangalore. In particular, IBM, Novell, and Red Hat all declined to sponsor FOSS.IN this year, even though many of their employees were using their vacation time to attend. Local companies, such as Wipro and InfoSys, were represented in the audience and among the speakers, but did not sponsor the event. If these companies see any benefit in having a thriving community to support their developers, sponsoring an event like FOSS.IN should look like an inexpensive way to help bring that community about. Your editor thanks FOSS.IN (and its sponsors) for making it possible for him to be there. It was a fun and informative event in an interesting and changing part of the world.
A look at the Patent Commons Project and OIN Now that we have both OSDL's Patent Commons Project and the Open Invention Network off and running, the questions that come to mind are: what is the difference, if any, between them, and are either of them -- or both of them together -- enough to protect Linux and FOSS development from a US patent system that appears to have gone bonkers? More specifically, can they protect Linux from Microsoft, or SCO-like surrogate trolls, should it decide to press forward in implementing its many hints of bringing patent infringement claims against Linux?An obvious first question might be: what are the differences between these two initiatives? While they are both designed for protection against patent infringement litigation, there are differences in approach. A patent commons provides both a safety zone and a way to barter. Corporations cross-license their patents all the time. GNU/Linux developers have been shut out of that club, but, with some patents and patent pledges in a patent commons, they would have something to barter with. Consequently, OSDL encourages individuals, companies, Open Source projects, and universities to obtain patents and then contribute them to the commons:
The Project also provides a meaningful way for those who oppose software
patents to use the current patent system for the benefit of the open source
community and industry. Patenting ideas reduces the likelihood that
detractors of open source software and open standards will obtain a patent
on that same invention and use it against the community and industry, or
extract royalties for its use. More importantly, patenting ideas and then
pledging the patents in support of The Commons expands and reinforces the
protective environment of The Commons.
OSDL's project is also designed to help developers keep track of all the patents and the patent pledges, and it is focused on all of Open Source:
Today's software patent environment is
growing increasingly complex for developers and users of both proprietary
and open source software. This is an intricate problem with many facets,
and most everyone understands the need for a comprehensive, long-term
solution.
It has as a goal to simplify the administrative process of licensing patents, so the industry finds it easy and pleasant to work with Open Source and can make their patents available without a lot of rigmarole. From the Patent Commons website:
With increasing frequency, institutions, companies, and inventors wish to
signal formally to open source developers, distributors, sellers and users
that software patents they hold are not a threat or inhibitor to the
development, distribution or use of open source software and open
standards. The traditional means of giving permission to use patented
inventions (such as licenses) can be expensive, time consuming, and
logistically difficult to provide. Commitments simplify the process by
which access to patented inventions can be granted.
The Patent Commons is set up to facilitate that process. The idea is to provide developers with a safer haven, and reassurance via understanding which patents will not be used against them. Also, enforcing the patents in the commons is administered by OSDL, which is an important benefit for patent donors. "Over the last 12 months, OSDL has been happy to see companies signal to the community their promises not to enforce patents against open source developers. We have wanted to ensure these pledges would be accessible to those who they are intended to support. The OSDL Project and website does just that," said Diane Peters, general counsel, OSDL. "For the first time, the pledges are being compiled and then cataloged in a neutral location where developers can view and analyze each pledge. So, regardless of where one stands on the value of one patent pledge over another, developers and IT managers can review the merits of each pledge and determine for themselves the value they can provide for them or their peers." As Eben Moglen stated, there is strength in numbers, and so even though he opposes patents, he encourages developers to contribute to the project. As Linus Torvalds put it, it's "one way to try to help developers deal with the threat" of patent litigation. It's not the complete solution, of course, because the patent system is dysfunctional in the US. Peters: "We do realize that the Patent Commons Project and website is one step of many that will need to take place to address the flawed patent system and we applaud other efforts that are taking place and encourage further discussion and actions to chip away at the current system." The Open Invention Network approaches the same threat, but in a different way. First, it's a company that has a patent portfolio, but it isn't using its patents for profit generation; instead it plans to use them to create a healthy environment for Linux to develop in safely, to promote safe innovation and drive advancement of applications for, and components of, Linux. It's primarily designed to protect Linux but it covers also other Open Source software. OIN has the 39 web services patents that Novell, through a subsidiary, bought from bankrupt CommerceOne in December for $15.5 million, and it will seek to acquire more patents, and then offer them royalty-free to any company, institution or individual that agrees not to assert its patents against the Linux operating system or certain Linux-related applications. IBM, Novell, Philips, Red Hat, and Sony currently fund OIN. OIN isn't just about collecting patents and offering them to others on mutually pleasant terms. A Red Hat SEC filing adds this:
The LLC may also take appropriate, good faith counter-measures within the
scope of its mandate, such as declaratory judgment actions, reexamination
actions, interferences or similar legal or administrative actions initiated
anywhere in the world.
In short, they are "armed and dangerous". I'm kidding, but only a little. These are some of the largest tech vendors in the world drawing a line in the sand and saying, if you cross this line and attack Linux, we will respond, and we have something to respond with effectively. One savvy editor, Richard Hoffman of Network Computing put it like this:
This is the first systematic attempt by a
group of large vendors to ensure that Linux and its users are protected
from the threat of legal action. OIN can't hope to acquire even a small
fraction of all applicable patents, but that's not how patent battles
work. All OIN must do is maintain an adequate stable of "defensive"
patents, which can be offered under a cross-licensing arrangement any time
Microsoft or others threaten legal action. In other words: You don't sue
us, we won't sue you.
But do these organizations provide any sort of meaningful protection? When you consider that Eben Moglen, OSDL, Linus Torvalds, Richard Stallman, and the lawyers at IBM, Novell, Red Hat, Sony, and Philips all think so, a better question would be, why would one doubt it? As you may have observed in the current Blackberry patent anguish, or the Microsoft-Eolas battle, even one patent can be dangerous, so having hundreds in your arsenal is bound to make any aggressor stop and think twice before taking you on. But are the patents any good, some may ask? Do you remember, before the auction of the CommerceOne patents, how anxious everyone was feeling, particularly Google, Oracle and Sun Microsystems? What if the patents fell into the wrong hands? Efforts to pool resources were reported in the press, including by a nonprofit group, the CommerceNet Consortium. Here is how the patents were described by CommerceNet:
CommerceNet asserted that the patents "cover
basic technology for facilitating network transactions by identifying a
transaction in terms of input and output documents. If obtained by an
intellectual property licensing organization, it is expected that the
patents would likely be broadly asserted against companies completing
transactions using web service interface descriptions (WSDL), service
registries (UDDI), and documents composed from XML building blocks."
At the time observers thought the patents were valuable and dangerous:
"There's a concern that these patents could be used aggressively by a buyer
to shake down the whole Web services industry," said Jason Schultz, an
attorney at technology activist organization the Electronic Frontier
Foundation.
Thanks to Novell, those patents are now available to the community, having been donated to OIN, and not only do they not endanger Linux, they protect it. They have the same power today that they had then. Even Microsoft is impacted by the patents, which is exactly what you want, if you wish to deter an attack, is it not? If OIN had nothing but these patents, it would have something useful in defending Linux. Here's what Gartner said about the value of OIN:
Software patents pose the single largest threat to the open-source software
model. Though they protect their owners' IP, they can also create legal
barriers to many open-source efforts. For example, as Linux and Windows
edge onto one another’s turf, the Linux community will have few defenses
against the power of Microsoft, if the software giant should seek to claim
royalties from the use of allegedly misappropriated IP. A company like OIN that can uphold a strong patent portfolio will create a counter-offensive against potential patent infringement claims. OIN expects to accumulate patents by purchase, auction or donation. It will contractually offer royalty-free usage of its patents to technology suppliers for use in their own products (as long as the patent user makes no future patent infringement claim against Linux and associated software). We believe this collaborative environment is likely to free up the flow of technology somewhat, by reducing fears of lawsuits from patent claims. It frees up the flow by holding evildoers at bay, pure and simple. Is it the complete solution? No. As far as I'm concerned, software and patents need to get a divorce on the grounds of incompatibility. Some feel that is the only goal worth striving for. But can you do it by next week? If you can, please do and we won't need either the OSDL Patent Commons Project or OIN. But if you can't, what do you suggest we do to hold patent attacks at bay? SCO didn't have any patents. Imagine if they did. How do you plan to protect GNU/Linux from such a patent infringement claim? If you don't have a plan, then are you thinking deeply enough? Something new, innovative, and powerful is now standing guard over Linux. The lawyers have been busy and very creative. and yes, it's real. It has deterrent value in the legal context. And if litigation comes along anyway, it has both defensive and offensive potential. A year ago, Linux had nothing but threats hanging over its head, threats of patent litigation heading its way. Now, there is some protection against that threat, protection which will continue to be strengthened, I'm sure. No matter what your position on software patents, how can that be anything but good?
Obnoxious legislation in Europe Much fuss has been made over the "DADVSI" law currently under consideration in France. By some accounts, the French government is trying to ban free software outright. Getting the real story of what is happening in France is difficult, especially for one who reads French as slowly as your editor does. But the truth which is emerging suggests that, while DADVSI is obnoxious, it isn't quite as bad as some have made it out to be.DADVSI is the French implementation of the EUCD directive from the European Union. It can be thought of as the French version of the DMCA; it has the usual prohibitions on the circumvention of digital restriction mechanisms and such. An amendment to this bill would appear to ban all software which does not contain DRM and watermarking capabilities; this provision has led the EUCD.info site to conclude that it would affect tools like web servers, ssh, and FTP. Such a ban looks impractical at best. What the amendment really appears to cover is any software which is capable of removing DRM and watermarks from content. This provision clearly covers some free code, with DeCSS being at the top of the list. No free software will ever be able to access restricted content under this law; since the source is available, any restrictions could be removed by the user. So the amended DADVSI law does effectively ban free software from certain areas, but it does not affect free software in general. This law, like all of its variants worldwide, is certainly worth opposing. An online petition has been posted for people to express their opposition to this law, which is expected to be considered immediately before Christmas. Signing the petition makes sense, especially for French citizens. Directly contacting members of the National Assembly is also a very good idea. Meanwhile, the European Union appears poised to adopt a new data retention directive. This law would require communications providers (telephone companies, ISPs) to record information on telephone calls, Internet use, email traffic, etc., and to retain it for 6-24 months. It is already impossible in some parts of Europe to sit down at an Internet cafe without showing identity papers; the data retention directive would force Internet providers across Europe to record identities and activities. Access to this data would be relatively unrestricted; the entertainment industry is lobbying to be able to use it for tracking down file sharers. While not directly related to free software, this directive is clearly hostile to the rights and privacy of all Europeans. Unfortunately, its passage in the European Parliament on December 12 appears to be an almost foregone conclusion. More information can be found in this EDRI-gram newsletter.
Page editor: Jonathan Corbet Security The SANS top-20 list SANS has posted a new version of its 20 most critical Internet security vulnerabilities list. As always, this list is a good starting point for those looking for potential security problems on their networks. Here are some highlights from the current version:
Once upon a time, this list was evenly divided between Windows and Unix vulnerabilities. A casual reading of the current list suggests that things have shifted in favor of Unix-based systems. While it may be true that Unix-based systems are easier to keep secure on the net, there is still no reason to be overly complacent. A system compromised by way of a Firefox or PHP vulnerability is still compromised.
New vulnerabilities apache2: memory leak
ktools: buffer overflow
helix-player: integer overflow
inkscape: insecure temp files
ipsec-tools: denial of service
mailman: denial of service
perl: integer overflow
trackballs: symlink vulnerability
xpdf: arbitrary code execution
Updated vulnerabilities a2ps: input validation error
bzip2: race condition and infinite loop
centericq: denial of service
cpio: directory traversal
cyrus-imapd: buffer overflows
dia: missing input sanitizing
egroupware: multiple vulnerabilities
eix: insecure temp file
emacs21: format string vulnerability in "movemail"
enigmail: information disclosure
enscript: arbitrary code execution
ethereal: multiple vulnerabilities
evolution: format string issues
firefox: multiple vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
FUSE: mtab corruption through fusermount
gaim: buffer overflow
gdb: multiple vulnerabilities
gtk-pixbuf, gtk2: denial of service
gdk-pixbuf: multiple vulnerabilities
gettext: Insecure temporary file handling
groff: insecure temporary directory
gzip: arbitrary command execution
horde: cross site scripting vulnerability
horde3: missing input sanitizing
htdig: cross site scripting
imap: buffer overflow in c-client
inkscape: arbitrary code execution
ipmenu: insecure temp file
kdebase: local root vulnerability
kdelibs: kate backup file permission leak
kernel: multiple vulnerabilities
kernel: multiple vulnerabilities
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[FOSS.IN venue]](/images/conf/foss.in2005/venue-sm.jpg)
![[Neeti]](/images/conf/foss.in2005/Neetibodh_Agarwal-sm.jpg)
![[Gentoo booth]](/images/conf/foss.in2005/Gentoo-booth-sm.jpg)