Linux fragmenting at last?

Posted Feb 28, 2006 20:15 UTC (Tue) by freeio (guest, #9622) [Link]

The thing to remember is that neither RedHat nor Novell/suse represent gnu/linux by themselves. Yes, they are a couple of popular distributions, but they nevertheless do not define what the users can or must use. If the code is free/libre, then there is the possibility that others will develop it further, or it is possible that it will wilt and die. But so what? Each approach to solving a preceived problem is useful, if for no ther reson than that it provides something to try and see if it is the best solution, or even a good one.

The great benefit to free software is that no one is forced to use any particular commerical distribution's preferred methods. We have the choice. That, in and of itself, is not fragmentation. It is merely part of the evolutionary process which is inherent to free software.

Posted Feb 28, 2006 20:28 UTC (Tue) by elanthis (guest, #6227) [Link]

Linux is already pretty fragmented. Different directory locations, custom patches kernels and libcs and compilers, different init systems, different library versions and ABIs, etc.

Getting a binary that runs on multiple Linux distros isn't as easy as it should be.

Getting a script that works properly on multiple Linux distros can also be hard if you touch one of a handful of taboo areas.

Yet, it all still works well enough.

SELinux vs AppArmor isn't breaking or diversing anything. Neither is AIGLX and XGL.

This whole topic is just pointless panicking.

Posted Feb 28, 2006 20:29 UTC (Tue) by proski (subscriber, #104) [Link]

The difference from UNIX fragmentation is that major players in the GNU/Linux field can easily abandon their approach and take the competitor's technology. For example, Novell can abandon AppArmor in favor of SELinux is the former fails to achieve community support. Likewise, Red Hat can ship Xegl if it has better hardware support. Moreover, RedHat can implement AIGLX on top of Xegl and keep using its patched Metacity. In a similar vein, Novell could provide some compatibility layers for the software relying on AppArmor.

In the UNIX world, anything like that would involve big money changing hands. That's why UNIX companies kept working on their own software even if it was inferior in some serious aspects.

Posted Feb 28, 2006 21:39 UTC (Tue) by linuxbox (subscriber, #6928) [Link]

I'd be interested in links to such criticism. So far, I have been unsuccessful in locating in-depth critical analysis of the detailed design decisions of SELinux (security models in TE vs. those supported by other systems, consequences of file labeling, reliance on M4 macros, and others) that would let me feel confident in it.

I do find myself wishing for a more streamlined system, and so far, I have much preferred the other systems (eg, LIDS [but found it not stable] and Grsecrity [my current preference], haven't evaluated Subdomain/AppArmor) to SELinux).

It has occurred me that while may be the ideal system for a certain type of (US government?) customer, it might not be the ideal system for a large class of users. The citations in this article tend to strengthen my impression.

Posted Feb 28, 2006 22:50 UTC (Tue) by adren (guest, #20906) [Link]

There is an old article (1999) from Rick Moen on the subject called "Fear of forking" which explains that most forks eventually end up with a merge back to the original project or at least bring some improvements.

Examples of such forks are : Unixes, emacs, gcc, glibc etc.

Posted Mar 1, 2006 1:13 UTC (Wed) by cventers (subscriber, #31465) [Link]

I think the idea that Linux is forking is rather silly. The fact that the
system is made up of little tiny pieces means that it is inherently forky.
It's up to the distributors to play fork. If the distributors don't
differentiate, there's no reason to choose one over another.

What holds it together, I think, is rather ironic - it's ability to fork.
Since it's a part of the very nature of Linux, it just works.

The important pieces - glibc and the kernel - stay in tact. Glibc I don't
know a lot about, but I'm betting its because doing a libc isn't fun to a
lot of people. (And besides, when libc exists to uphold a standard,
forking seems kind of silly). As for the kernel, Linus has the right
personality and the right attitude. And anyone who gets too far from home
either ends up coming back or quitting. The fact that there's really very
little in terms of management structure - just anyone can walk in and say
"here's my code", needing nothing but good ideas and a solid
implementation, well, it's really a blessing.

Posted Mar 1, 2006 1:15 UTC (Wed) by erich (subscriber, #7127) [Link]

It's way too early to talk about fragmentation yet.
Noone has proven that these things can't just coexist. That one Distribution could support both SELinux and AppArmor, for example.
or that AIGLX can't run on top of Xgl.
These are just different approaches to solve outstanding issues (higher security, better graphics, ...)

The real issues I see here, is that these projects are often developed behind closed doors. There were many people complaining about the way Novell has handled the Xgl development, for example.

I've just these days blogged about AppArmor and SELinux:
http://blog.drinsama.de/erich/en/linux/selinux/2006022802...
And while this reads very harsh against SELinux, I'm still trying to bring good SELinux support to Debian.

But here, too, development is done largely behind closed doors at e.g. Tresys, which is just very unhealthy.
And despite it's maturity, SELinux is (likely due to all the new stuff added, like semanage) currently in a really bad shape for users.
Of course the people at Tresys and RedHat will flame me again for saying so. But Novell could hardly have picked a better time for attacking SELinux with AppArmor, and I for example know of noone running current modular SELinux successfully except on Fedora/RHEL (the redhat people) or Gentoo (the tresys people). All the other distributions have largely lost their SELinux support (well, the core stuff like init usually is SELinux-enabled, but there is absolutely no documentation available, and thus very few people even trying to get it up and running. And even fewer are successful at it.)
Let's hope Novell doesn't manage to exploit this current weakness of SELinux with AppArmor, which is said to have serious technical limitations (aka: "it's mostly useless")

Posted Mar 1, 2006 3:06 UTC (Wed) by job (guest, #670) [Link]

I haven't tried AppArmor, but I have made a serious effort to understand SELinux. I sort of did get it mostly working, but I never went so far as to use it in a production system. It's extremely complex and touches almost every part of the code. It's like it was designed by committee.

Most people only use it as a process based ACL system anyway, making the complexity useless. If that's what you want you'd better go with RSBAC, grsecurity or any of a dozen such systems. They are much simpler to understand and implement. It's not obvious which solution is better.

Oh, and you forget(?) the most important flame source of them all: KDE vs Gnome. If Novell hadn't acquired Ximian, it would be a much more KDEsque desktop, diverging from Red Hat on another important point.

Some of these chasms that take a lot of time to unite again, if ever. KDE and Gnome finally shares some libraries, but they still reinvent most software. This despite only one of them actually turned out to be the object oriented desktop both set out to be.

Posted Mar 1, 2006 6:15 UTC (Wed) by b7j0c (subscriber, #27559) [Link]

If the codebases used by competing distro vendors is licensed adequately, the market will choose the individual codebases they prefer, and someone out there will put them together into yet-another-distro.
s.

Posted Mar 1, 2006 10:13 UTC (Wed) by trithemius (guest, #18658) [Link]

Comparing the Linux world to the old UNIX world falls down in one major area: Licensing. The old UNIX world saw companies jealously hoarding their expertise and sources. Even if someone wanted to try to pull a best-of-breed system, they simply couldn't. If a customer was happy on a version of the software they were still forced to upgrade when support for their version was dropped (even if they were willing to buy a support contract!)

Contrast that with the Linux world where no matter what a vendor does with any major part of their system is an open book to everyone - customers and competitors alike. You like something a 'competing' distro patched into their kernel? Apply the same patch. A desktop competitor you secretly admire pulled an architectural trick that makes you envious, and you can crawl their system to your heart's content - imitation being the sincerest form of flattery. Don't want to be stuck paying $$ for upgrades for systems that are work damn fine and don't want to be changed? Plenty of people are willing to support what is transparent - for the right price of course.

No matter what idealogical direction you're coming to the party from, the bottom line is the same: The walls that were built in the UNIX world cannot be built here.

Nothing to see here. Move along.

Posted Mar 1, 2006 10:35 UTC (Wed) by nix (subscriber, #2304) [Link]

Well, Crispin said last night (in the pub after a thoroughly pleasant arranged-at-the-last-minute talk on AppArmor) that submission of the kernel parts to the mainline is imminent, probably 'next month' (i.e. March given that he said this very late on Feb 28 ;) ), and that packaging the userspace parts up more conventionally is also desirable.

Anyone willing to do it? (I might well do it if nobody else can find the time.)

(One other point is that AppArmor is wonderfully easy to configure. Not only are the profiles easy to edit but you hardly ever need to edit them anyway because the automatic learning tools are so flexible.)

(As an aside, SELinux and AppArmor use the *same hooks* in the kernel, the LSM hooks, and those hooks were designed with both systems in mind from the start. So this is hardly a sign of catastrophic kernel fragmentation.)

Posted Mar 1, 2006 17:33 UTC (Wed) by gmaxwell (subscriber, #30048) [Link]

This is just standard behavior for any Linux company which has gone anywhere near Novell. Caldera played the same games with their own in house enhancement to Linux. As is the case with anyone else, some were widely adopted, some were not... The things that Caldera which were in direct opposition to the trends in the rest of the community were ignored, and the same will be true of these recent developments by Novell.

Money can by resources. But obtaining control is actually a lot more complex than simple resources.

Posted Mar 2, 2006 5:14 UTC (Thu) by stock (guest, #5849) [Link]

stick to open source and all of the above goes away. This may not always
be possible, but at least try to use open source for all the public
internet and network services on your Linux server.

Posted Mar 3, 2006 17:18 UTC (Fri) by KaiRo (subscriber, #1987) [Link]

Interesting, we have long-lived different Linux desktop environment project, mainly KDE and GNOME, along withg a few others, we have different browser project with even different rendering backends, see Firefox, Konqueror, SeaMonkey, etc. (not to mention proprietary variants), we have lots of different applications for mail, media, and a plethora of other things.

And we all keep praising that as a good thing that open source brings, having the choice of what to use!

So, now we have that choice in security frameworks and 3D graphics support as well, what's the difference? Just that the two major distributors are putting work into different solutions and that a developer of one of them is complaining about it? Don't sound new to me, we had that with KDE vs. GNOME some while back as well, before they decided to work together via freedesktop.org...

Posted Mar 7, 2006 0:18 UTC (Tue) by filker0 (guest, #31278) [Link]

There was a time when a corporate ethernet might have Novell, IP, Decnet, appleTalk, or IBM LanMan running, but in many cases, they had to run over separate wires because even if the protocol supported typed packets, a lot of systems where not using them.

In the old days of Unix when the two dominantflavors were BSD and SysV, there were systems that had multiple "universes". Some programs ran under the SysV universe, others under the BSD universe. A user could select their universe in the shell, but if they ran an application that used the other universe, it would still run, as it was tagged to use a specific set of semantics on the system calls.

The hooks used by SELinux and AppArmor are the same. I can see a future where, either through virtualization (Xen or some other system) or simply having an overall policy or profile, both sets of semantics might coexist on the same system at the same time. This will happen if the community sees a need for it. My guess is that one of the security systems would control the layer used by the other, but I have not studied either extensively.

In the same way, even though Xgl and AIGLX use different approaches, eventually they'll support the same hardware. I don't see how having applications that depend on either one excludes the use of the other on the same system. If they conflict at a hardware level, some motivated group of developers will figure out a way to make them coexist, or to build a veineer for one that looks, to an application, like the other.

Once again, there will be peace in the bazzar, and the veterans of the old code wars will sit at the bar talking about how it was in the old days, and how much better one was than the other before they went and bloated it to appease those other miscreants who didn't know a deferred reference from an atomic operation.

It is not fragmentation. New approaches arise, compete, blend, and then return.

The fragementation in the Unix world happened because the code was proprietary, and vendors were not willing to give away the code to those unique kernel features they saw as competitive advantages that, for the most part, helped them sell their proprietary hardware. Each hardware platform was its own little world, and for a time, the vendors got away with it.

That is not the model of the Linux corporate world. Uniqueness comes from packaging and support.

So I don't think that Novell and Red Hat's current spat over SELinux/AppArmor and Xgl and AIGLX is a sign of a fragmentation any more than Gnome/KDE is.

Now, then, emacs vs. vi is another matter entirely, and is destined to destroy the world as we know it. :-)

Posted Mar 8, 2006 14:36 UTC (Wed) by daenzer (✭ supporter ✭, #7050) [Link]

Let me point out that the sentence 'AIGLX could work on top of Xgl' makes no sense. Xgl has supported accelerated indirect GLX (as have some proprietary GLX implementations) for a long time (way before Novell took its development behind closed doors for a while), in fact I believe it was one of David's main motivations to start working on Xgl. What is currently referred to as 'AIGLX' is not really a new concept but just extending the XFree86/X.org DDX with the capability of accelerated indirect GLX, which has been talked about for years but only now with GLX based compositing managers has become important enough to actually be done (but will be useful for other applications as well).

All of this is based on open protocols (X11, GLX, the Composite extension, ...) and APIs (OpenGL, ...) that are explicitly designed for interoperability, so there's definitely very little if any risk for fragmentation. Just good old choice, with all its (dis)advantages. :)

Hope this helps clear up some confusion.