Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for December 22, 2005A 2005 retrospective The last issue of December is traditionally a time for many publications to look back at the past year. As we live through a year, it can be a hard time to get a perspective on all that is happening; a review can help develop a better understanding of what we have all experienced.Besides, there's usually not much more to write about at the end of December. In past years, your editor has reviewed the predictions made at the beginning of the year. That exercise seems a little self-indulgent this time around. So suffice to say that some of last January's predictions have been borne out, and others not. We'll not go through all of them here. Starting with one which didn't work out: your editor's prediction that 2005 would see the end of SCO was optimistic. We have seen the end of SCO in every way that matters; what remains, at this point, is the ghoulish exercise of watching it all fall apart and seeing where the pieces land. Following SCO is a waste of time at this point, a morbid and pointless exercise in the consequences of stupid decisions. We're looking forward to every minute of it. Your editor's prediction that software patents would not be enacted in Europe looked optimistic, especially in the first half of the year, but turned out to be correct in the end. More to the point, though: the free software community enjoyed legal victories in almost every battle which was decided this year. No software patents, no broadcast flag, the GPL upheld in German court, FAT patents thrown out, etc. Next year may be tougher, but, for this year, we can all raise a glass and toast our victories. It is not all hopeless. Let us not forget our defeats, however. The Grokster decision holds software developers responsible for the actions of their users - in some situations, at least. The bnetd decision placed limits on our right to create interoperable software. The situation is not all rosy either. One battle which came to head this year was open formats: as of this writing, the state of Massachusetts is still fighting over a mandate to use open formats in government. Open access to government documents is a clear requirement for a free society; it seems amazing that there is even a fight on this issue. Open formats are also a key to the desktop for free software. This is an important issue, and the debate has barely begun. The free software community has acquired a pool of patents of its own. Donations - of greater or lesser freedom - came from IBM, Sun, Nokia, Computer Associates, and others. These patents can help to prevent attacks from competitors in the software industry - though they will do little to deter lawyer-only patent troll firms. But a partial solution is better than none; one might well conclude that the risk of a patent attack against free software is, while still significant, lower than it was a year ago. For years, we have talked about the evils of digital restrictions management schemes and the dangers inherent in not having control over our own systems. But we can thank SonyBMG for making these points clear to a much larger audience. "Consumers" everywhere have seen what happens when others claim control over their systems. People who bought CDs because it was the right thing to do saw that they were punished for it. Their desire to do the right thing will be much reduced - and the entertainment industry must know it. The DRM battle is far from over, and we have a great deal of ugliness to endure yet. But SonyBMG may have shortened the process for us considerably. 2005 was, perhaps, the year of the foundation. A number of projects, including Zope, Ubuntu, and OpenPKG created independent foundations to look after their code. Red Hat also announced the creation of a Fedora foundation, but, the better part of a year later, that foundation has yet to materialize. The fundamental motivation behind all this founding of foundations is easily found: software (even free software) controlled by a single company tends to make other users nervous. The creation of an independent foundation gives others confidence in a free software project's future. The free software business world continues to develop. MandrakeSoft and Conectiva merged into Mandriva, Novell went through some difficulties but looks like it may be pulling things together, and the flow of venture capital toward free software businesses increased. HP claimed to have shipped over 1 million Linux servers. It seems there really is business to be done around free software. Meanwhile, the code continues to get better. The list of significant releases is far too large to review here - check the latest version of your favorite distribution to see much of it. Our development community is active and healthy; it is producing results that few would have thought possible even a few years ago. Ups and downs notwithstanding, 2005 has been a good year for the community. We can all raise a glass to that.
The LWN.net 2005 Linux and free software timeline For eight years now, the editors at LWN.net have put together a timeline highlighting the most important events of the last twelve months. As always, it has been a busy year. Attacks against free software continued in legislatures and the courts - but few have been successful. Corporations began donating patents to the community, some with more enthusiasm than others. The kernel developers improved their process - and dealt with the abrupt loss of their source code management system. SUSE development became more open. SonyBMG gave us all a lesson on the importance of control over our own computers. And so on.Most importantly, in 2005 the free software community kept on hacking. The variety and quality of the resulting software is simply amazing. The free software community is healthy and growing, despite the legal problems, corporate layoffs, hardware hassles, and occasional petty internal bickering. We are going strong. This is version 1.0 of the 2005 timeline. If you find any errors or remaining major omissions, please send them to us at timeline@lwn.net; please do not post errors or omissions as comments until after we have had a chance to address them. The development of the LWN.net Linux Timeline was supported by LWN subscribers; if you like what you see, please consider subscribing to LWN. As usual, the timeline is split up by month. One of these years, we really will restore the "one big page" option, honest.
For the historically minded, the timelines for the previous seven years remain available:
Thanks to the following people who have helped improve the 2005 Timeline: Ross Combs, Bernhard Reiter, Karl Schendel, and David A. Wheeler.
The XGL development model XGL is a version of the X server built on top of the OpenGL API. Many developers see the XGL approach as the way forward; as video hardware becomes increasingly 3D-only, OpenGL offers a uniform way to drive that hardware. Once an XGL server becomes available, the door will be opened for all kinds of fast 2D and 3D applications.As it turns out, there is a paid development team working at XGL; these developers are hosted at Novell. This work is being funded with the apparent idea of upgrading the free XGL server and benefiting the free software community in general. So it is interesting to see a significant amount of criticism of Novell's work in the desktop community. The problem comes down to this: all of Novell's work is being done in-house, using a private repository. The wider community knows that this work is going on, and has some idea of what has been done, but none of the resulting code has been seen beyond Novell. The best description of what is happening - and the reaction to it - can be found in Aaron Seigo's weblog. There we see that the non-Novell developers who would like to hack on XGL are frustrated. They know that a number of problems have already been fixed by Novell, but the code is not available. They fear that much of the work they are doing will be duplicated by what the Novell team does. They feel locked out, and wonder about Novell's reasons for taking this approach. Everybody seems to assume that Novell's work will, eventually, see the light of day and be contributed back - though the X license does not require that. But that release will confront the community with a large dump of corporate code. It will not have been reviewed by anybody outside of Novell, it may well incorporate design decisions which are not acceptable to other developers, and it is likely to duplicate and conflict with any work done by the rest of the community. The possibility that Novell will hold the code until it has packaged it into a SUSE Linux release is also somewhat annoying. In the absence of a statement from Novell, one can only speculate on why this approach is being taken. It is possible that Novell is just trying to avoid dealing with developers who oppose the XGL project in the first place. At the moment, it is almost impossible to use XGL without proprietary drivers; developers who feel strongly about avoiding proprietary code would thus rather take a different approach - and they have been rather vocal about that. It is also possible that Novell is simply looking to "get the job done" its way, without the distractions of dealing with the community. This situation should work out in the end, once Novell releases its code and the process of merging begins. At that point, with luck, the X community will have a much-improved XGL server to work with. But the memory of having been locked out of the process will persist for some time. One can only hope that this code release happens soon so that the next phase can begin.
Two discontinued browsers The writing has been on the wall for some time, but now it's official: Internet Explorer on the OS X platform will go unsupported at the end of 2005. This browser has seen no active development since 2003, but its users were at least provided with security updates. No more; IE for the Mac is at a dead end.There is little that OS X users can do about this decision. IE is very much a closed-source application, so there is no way for anybody to take over its maintenance after Microsoft walks away. This browser is dead, and its users have no choice but to seek alternatives; fortunately, a number of good alternatives exist. But anybody who was truly dependent on this piece of software is out of luck. It is always this way with proprietary software; it can disappear out from under you at its owner's whim. Earlier this year, the Mozilla Foundation announced that it was discontinuing support for the Mozilla browser suite. The Foundation saw its future in the independent Firefox and Thunderbird applications, and felt that the time had come to move past its one-time flagship suite. Mozilla users, of whom there are many, had little say in this decision; the Foundation makes its own decisions on how best to pursue its goals. But Mozilla is free software. So a group of dedicated users came together to continue the maintenance and development of the Mozilla suite, using the old SeaMonkey name. Mozilla/SeaMonkey is a large body of code, not something to be taken on lightly. But the SeaMonkey hackers thought that they could handle it. On December 19, these hackers announced the availability of SeaMonkey 1.0 Beta. The release includes a number of new features, including drag-and-drop tabs, SVG support, "blazingly fast back," and much more. It provides the full suite of tools: web browser, email client, HTML editor, IRC chat tool, DOM inspector, and two varieties of kitchen sink. This is the full suite, updated with the latest work from Firefox and elsewhere. The SeaMonkey hackers would appear to be up to the job. And, yes, it works on OS X. It would be hard to come up with a better example of why free software matters. There are a great many Mozilla users who will never look at the code, but they will still benefit from the freedom of that code. As long as there is a sufficient interest in the community, Mozilla, in the form of SeaMonkey, will live on. No proprietary software has such a bright future.
Holiday schedule As is traditional, LWN will be taking next week off; the next Weekly Edition will come out on January 5, 2006. We'll be posting news items occasionally over the break, however. Best wishes for a great holiday season from all of us here at LWN!
Page editor: Jonathan Corbet Security CAN-SPAM: mission accomplished? LWN first looked at the CAN-SPAM act back in 2003. This U.S. law was an attempt to address the spam problem through legal means. Our impression at the time was that CAN-SPAM would do little good, and might even do harm by overriding state legislation and legitimizing certain kinds of commercial email. One of the provisions of this law was that the U.S. Federal Trade Commission was required to create a report to Congress on how effective the law is, and what improvements could be made. That report is now available [PDF]. The FTC went through a major investigation; among other things, it used its compulsory powers to require nine ISPs to provide email information. The bottom line, according to the FTC: the CAN-SPAM act has been effective in reducing spam.Your editor's mailbox, now receiving something over 5,000 spams/day, would beg to differ from this conclusion. In fact, a deeper reading of the report suggests that CAN-SPAM has not been as effective as one might expect from reading the headlines, and that the real progress against spam has been made elsewhere. So what has CAN-SPAM accomplished? From the report:
First, the substantive provisions of the Act have mandated adoption
a number of commercial email "best practices" that many legitimate
online marketers are now following. Second, the Act has provided law
enforcement agencies and ISPs with an additional tool to use when
bringing suit against spammers. The more than 50 cases brought to
date by the FTC, the Department Justice, state Attorneys General,
and ISPs demonstrate CAN-SPAM's enforcement efficacy.
Both of these claims are probably true. And, doubtless, many LWN readers are pleased to know that some of their incoming commercial email follows "best practices." But the spam problem never had much to do with "legitimate online marketers." There have been suits brought against spammers, and that can only be helpful in the end. But even lawsuits will only be so effective in a world filled with spammers. So one might well wonder how to square these limited gains against this claim from the report:
One particularly significant development since the enactment
of CAN-SPAM is that the volume of spam has begun to decrease.
MX Logic, an email filtering company, reported that during the
first eight months of 2005, spam accounted for 67 percent of
email passing through its system, a nine percent decrease from
the same period one year earlier. Some ISPs report an even
more dramatic decline. For example, America Online ("AOL")
reported that its members received 75 percent less spam in
2004 than in 2003. Studies from other countries similarly
report a decrease in the amount of spam reaching consumers'
inboxes. As the Executive Director of the Institute for Spam
and Internet Public Policy succinctly stated, "the average
inbox doesn't have that much spam anymore."
(LWN reported on the MX Logic report last August.) A reading of the above paragraph might well lead one to the conclusion that the battle against spam has been won, and that CAN-SPAM did it. Anybody who deals with email in any serious way knows that this is not the case. What is going on - and the report recognizes this - is that anti-spam techniques unrelated to CAN-SPAM have gotten better. The reported 75% drop for AOL users does not mean that 75% less spam has been sent in that direction; it does not even mean that there are 75% fewer AOL users, though one might be tempted to reach that conclusion. The difference is that much less spam is actually making it all the way to their mailboxes. Your editor, too, has seen a reduction in spam reaching his inbox; spamassassin nicely takes care of the bulk of it. But better filtering is not a solution to the problem; it is more like sweeping it under the carpet. And, in any case, it was not legislated by CAN-SPAM. The report notes that a number of tactics adopted by large ISPs have helped. These include blocking outgoing access to port 25 (which imposes unfortunate costs on some users), rate-limiting email entering and leaving the system, and actively disconnecting users with known-compromised systems. Blacklisting is an effective tool; the report claims that large ISPs are able to block 80% of spam before it ever enters their mail server. The FTC also takes credit for helping to shut down open relays. Another happy result, according to the FTC, is that "users have grown more tolerant of spam." That's one way to solve the problem. For the future, the report notes an increase in phishing mail, as well as in spam containing malware. There are a few recommendations; one of those is the adoption of SenderID or some other sort of email authentication mechanism. The FTC would like to see the "US SAFE WEB Act" passed; this law would make it easier for the FTC to share information with agencies of other governments. It would also empower the FTC to compel information from ISPs and others while requiring confidentiality - an extension of governmental power which, given recent disclosures in the U.S., may not be entirely welcome. In fact, this recommendation, along with the agency's desire for email authentication and more rigorous requirements for WHOIS information, leads to the question of just how badly we want governments to "solve" the spam problem for us. Given that the most effective techniques we have so far did not come from governments, perhaps it's time to recognize that the solutions lie elsewhere.
New vulnerabilities dropbear: buffer overflow
fetchmail: multidrop bug
ffmpeg: buffer overflow
openldap: RUNPATH issues
Opera: arbitrary code execution
otrs: multiple vulnerabilities
redhat-config-nfs: incorrect permissions
sudo: vulnerability via scripts
udev: insecure files in /dev/input
Updated vulnerabilities a2ps: input validation error
apache: cross-site scripting
apache2: memory leak
bzip2: race condition and infinite loop
ktools: buffer overflow
courier: unauthorized access
cpio: directory traversal
curl: buffer overflow
cyrus-imapd: buffer overflows
dia: missing input sanitizing
emacs21: format string vulnerability in "movemail"
enscript: arbitrary code execution
ethereal: buffer overflow
ethereal: multiple vulnerabilities
evolution: format string issues
firefox: multiple vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
FUSE: mtab corruption through fusermount
gaim: buffer overflow
gdb: multiple vulnerabilities
gtk-pixbuf, gtk2: denial of service
gdk-pixbuf: multiple vulnerabilities
gettext: Insecure temporary file handling
groff: insecure temporary directory
gzip: arbitrary command execution
htdig: cross site scripting
imap: buffer overflow in c-client
ipsec-tools: denial of service
kdebase: local root vulnerability
kdelibs: kate backup file permission leak
kernel: multiple vulnerabilities
kernel: key rebinding
kernel: multiple vulnerabilities
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||