Novell took advantage of CeBIT to send out an
for the upcoming SUSE Linux Enterprise
Desktop (SLED) release. SLED has the potential to be a relatively interesting
distribution, and not just because Novell has backed off and restored the
SUSE name. If things go well, SLED might just yet help 2006 to be the year
of Linux on the desktop - for real, this time. But we will have to wait
until the (northern hemisphere) summer before we can actually get our hands
on this distribution.
Desktop Linux efforts are not new by any means. Mandriva got its start as
an effort to add better desktop support to the Red Hat Linux distribution.
Companies like Corel, Xandros, Linspire, and others have created
commercially-supported Linux desktop offerings. While some of those
distributions have found some success, none of them have taken the
corporate desktop by storm. So it does not require a particularly cynical
observer to wonder just why Novell's attempt is destined to be any
Whether SLED will ultimately be successful remains to be seen. But Novell
is doing some things differently, as a result of past experience and the
resources that the company is able to bring to the problem. Even if SLED
fails in the market, it will have succeeded in advancing the state of the
art and highlighting what really needs to be done to bring about
corporate desktop conversions.
Part of Novell's recipe is plain old hard work. From the press release:
Novell conducted hundreds of distinct usability tests and shot
almost 1,500 hours of user interaction video that it used to aid
the design of SUSE Linux Enterprise Desktop. Each feature of SUSE
Linux Enterprise Desktop, such as setting desktop preferences,
finding files, launching applications, using external devices like
USB memory sticks, working with the Internet, and connecting to
local and wireless networks, was rigorously tested and refined for
usability to ensure the best possible performance in a business
Much of this work has been posted to the Better
Desktop Project site. When it comes to human factors, there is no
substitute for watching people struggle with a program and seeing just
where things go wrong. This is especially true if one is trying to create
a system which is highly approachable for new users. Assuming Novell's
developers pay attention to the lessons from this work, the result should
be a system which is easier to use.
Novell then throws in some eye candy in the form of its XGL work. Solid
support for (some) 3D cards should lead to a desktop with some real visual
appeal. For many, a slicker desktop may be the final piece which pushes
them toward acceptance of a Linux-based system.
For those with more practical concerns, Novell's GroupWise is,
unsurprisingly, well supported. Novell has also added support for
Microsoft visual basic macros in OpenOffice.org 2.0. Support for macros
has been one of the big stumbling blocks for those looking to exchange
documents with heavy Office users. VBA macro support is part of the ooo-build
fork, but has not yet found its way into the OpenOffice.org mainline.
Novell's work in integrating this support should help to push this feature
forward for all users - once Novell releases the code.
Recent experience shows that Novell might be just a little slow to do that
- though the release will certainly happen at some point. Novell is, in
general, taking a very competitive approach to its Linux releases. And,
while Novell is clearly interested in competing with Microsoft, it is also
putting an emphasis on standing out from the other Linux distributions.
So being the first distribution with important new features has become an
important selling point for Novell.
This push may make the competition between distributors a little less
friendly, but that has been due to happen for some time anyway. With luck,
it will also lead to better and faster progress in the area of desktop
Linux, with the improved code finding its way to all users.
Comments (7 posted)
When Coverity released its first set of results from its defect scanning of
a number of free software projects, the Ethereal protocol analyzer
turned up with
one of the lowest defect densities of all. Your editor, when posting the
initial results, commented that the low defect density did not seem
entirely consistent with the rather high density of security advisories
for Ethereal. That comment did not sit
with the Ethereal developers, with one observing
that "The article reads as if
it was written by an amateur, not a professional with a proper grasp of
" Oh, well, your editor never claimed to be a
The original comment was unnecessary, however, and apologies are offered.
In an attempt to make amends, your editor decided to take a closer look at
Ethereal and its approach to security. What much of the world sees is a
long list of security advisories and little else; if there is a larger
story, it has not been told outside of the developers' lists. As it turns
out, there is, indeed, a larger story.
The list of Ethereal security
indeed long. The six advisories issued in 2005 enumerate 105 different
security-related bugs, a number of which are of the form "several dissectors
will do something unpleasant in these circumstances." There are 23
different CVE numbers cited. The Ethereal security page gives a
number of suggestions for running Ethereal in a more secure way (don't run
as root, use something like tcpdump to capture packets, etc.), and notes
that "The Ethereal developers agree that the current situation isn't
actually satisfying." Your editor, it seems, is not entirely alone
in noting that some security issues may exist with Ethereal.
Ethereal has a couple of special challenges. One is that it must deal
directly with arbitrary data which may have been specially generated by
hostile parties. Any set of bits can come off a network, and Ethereal must
do the right thing with it; most applications, instead, receive a cleaner
and more controlled input stream from the outside. Ethereal also must deal
with a wide variety of packet types, which leads to the inclusion of a
large library of protocol-specific "dissectors." These dissectors bear
some resemblance to device drivers in an operating system kernel: they are
specialized, written by a diverse group of authors, and can be hard for
others to review and test. And, as with drivers in the kernel, dissectors
are the source of a large percentage of Ethereal bugs.
Ethereal vulnerabilities can also be serious. While problems in packages
like cube, zoo, or tetex are very much worth
fixing, the chances of systems being compromised by those vulnerabilities
are relatively small. Ethereal, however, is a tool used by system and
network administrators. Known vulnerabilities in Ethereal can be used to
compromise an administrator's system; all that is required is the injection
of a suitably-crafted packet onto a network where Ethereal is running. So
Ethereal vulnerabilities could be especially attractive to an attacker with
a specific target. This fact can be driven home by doing a quick search
for Ethereal exploits; a number have been posted over the years.
So the Ethereal developers clearly need to keep security in mind. The good
news is that they seem to be doing exactly that. While some of the
vulnerabilities disclosed in 2005 were found by outside parties, the vast
majority of them were turned up by the Ethereal hackers themselves. The
developers, it seems, are putting some significant effort into finding
problems before hostile outsiders do. This
activity nicely explains both the large number of advisories and the small
number of defects in the current Ethereal code base.
Clearly, the right kind of work is being done. Here (from the Ethereal security
development page) are some of the things the Ethereal developers are
doing to improve the security of their project:
- Fuzz testing. As
has been discovered in many applications, the feeding of random data
to a program can turn up all kinds of interesting behavior. Ethereal
has a "randpkt" utility which feeds entirely random data to the
system. There is also an "editcap" program which introduces random
corruption into files containing streams of real packets. Any
dissector which is not truly paranoid about the data contained in the
packets presented to it will eventually be caught out by a fuzzed
- Automatic code generation. Rather than hand-crafting code to deal
with the structure of every packet type, the project is looking at
generating dissector code from a description of the packet format.
Once the code generator has been verified as safe, the resulting
dissectors should be much more solid. Code generation is being used
in a number of projects (Samba 4, for example) to produce better
code in less time; Ethereal is machine generating some of its
dissectors now, with an eye toward generating most or all of them at
some point in the future.
- Various changes aimed at avoiding dangerous code. These include core
API changes to make certain kinds of errors harder to create. The
tvbuff abstraction, for example, allows a portion of a packet
to be passed to a dissector and catches any attempts to access data
outside of that area. The Ethereal developers are also making a
(somewhat belated) effort to stop using dangerous C library functions
like sprintf() and strcat().
Throw in techniques like privilege separation and good, old-fashioned code
review, and the result should be a relatively secure package. Perfect
security is hard to come by, and Ethereal users should still stay on top of
their updates. But the Ethereal developers appear to have a handle on the
problem and are trying to do the right things. If all free software
projects took security as seriously, our systems would be rather more
Comments (24 posted)
Back in July, 1998, LWN received a message
Gaël Duval announcing the first Linux-Mandrake release. This new
distribution was a reworked version of the Red Hat 5.1 GPL release with
KDE 1.0 (then not well supported by Red Hat) integrated. It was
intended to be an easy to use, desktop-oriented distribution.
Linux-Mandrake was also a classic case of an itch being scratched:
Gaël put together the distribution he wished he had, released it onto
the net, and immediately departed on vacation. The response he found on
his return was rather beyond his expectations.
Shortly thereafter, MandrakeSoft was founded in an attempt to build a
business around Linux-Mandrake. The story since then has been a series of
ups and downs.
The Linux bubble hit MandrakeSoft harder than many
other companies; when the bottom fell out, MandrakeSoft found itself with a
heavy load of expenses, an externally-imposed management team which had
little interest in community or the Mandrake distribution, and a rapidly
shrinking bank account. After going into bankruptcy, dumping the managers,
and refocusing on its real customers, MandrakeSoft actually managed to turn
a small profit. Last year, MandrakeSoft acquired Conectiva and renamed
On March 7, the company released its
first quarter results, which clearly show that Mandriva is not, yet,
out of the woods. These results are, as described by the report,
"disappointing." Mandriva is no longer making a profit; instead, the
company shows a €590,000 loss. Revenue is nearly flat from one year
ago, despite the acquisition of Conectiva in the mean time.
So why is Mandriva hurting again? The report gives a number of reasons,
including "slower than expected" revenue from OEM contracts, fewer retail
sales, money spent on execution of large enterprise accounts, and higher
marketing costs. The drop in retail sales is blamed on the spread of
broadband Internet connections, which may be partially true. But the
availability of other desktop-friendly, free distributions has also grown,
and some of those alternatives are quite good. If Mandriva wants to
continue to sell individual boxes with Linux disks, it needs to offer
something which is clearly better. Mandriva's recent releases have not
been that much better.
Mandriva is responding to these results in a number of ways. Cost cutting
will be a necessary part of that response. From the report, it seems that
Mandriva is engaging in some belated reduction of redundancies caused by
the Conectiva acquisition. Unfortunately, it seems that engineering is one
place where the company feels over-staffed at the moment, so a number of
developers have been let go. So Mandriva's participation in community
development, already much reduced from its early years, will shrink again.
The company has also laid off Gaël Duval, the person who got the whole
thing started. Jacques Le Marois, another founder of MandrakeSoft, is also
on the way out. This company, it seems, is now completely disconnected from
The report notes that "enterprise services" saw a big increase over the
quarter, to the point that they account for 42% of total sales. So
"enterprise" appears to be the company's direction for the future. To that
end, Mandriva has been working on an administrative tool called "Pulse"
which, it is said, will be released in the near future. There is a new
distribution for individuals in the works; it will be called "Mandriva
One." But this distribution almost looks like an afterthought.
The enterprise market may be where the money is, but there is some
competition there too. As Mandriva aims for the corporate clients, it will
be running up against Red Hat and Novell, and, to an extent, against the
corporate services offered by companies like IBM, HP, and others. Mandriva
looks like a bit of an underdog in that crowd. Underdogs can be
successful, but their life is not always easy. In response to pressures
from this market, Mandriva seems likely to move further away from its
community roots. It is telling, in that regard, that Mandriva's reports no
longer mention the Mandriva
Club, which was once an important part of the company's business.
Mandriva moved away from its community roots once before, and things did
not go particularly well. One can only hope that the prospects are better
this time around.
Comments (11 posted)
Page editor: Jonathan Corbet
Inside this week's LWN.net Weekly Edition
- Security: GPG signature verification trouble; New vulnerabilities in apache, gnupg, webcalendar, ...
- Kernel: API changes in 2.6.16; The VMI virtualization interface; Radix trees.
- Distributions: New in Fedora Core 5; Skolelinux 2.0; Tomahawk Desktop; 10 Best Security Live CDs
- Development: The Python IDE consolidation effort,
new versions of MySQL, liboggz, Apache SpamAssassin, Speedometer,
Sussen, netjack, LyX, XCircuit, SQL-Ledger, kiwi, MMA, Shelljam,
OO.o, GCC, Urwid.
- Press: RIAA on proposed DMCA exemptions, open spectrum, the Attention Economy,
Red Hat's Xen press conference, Desktop linix in NSW, Mandriva Fires Duval,
Linus on GPL3, tweaking Kubuntu, SUSE Linux Enterprise Desktop 10 review,
PubForge for public radio, make SUSE Like Debian.
- Announcements: SGI gets SAP certified, VMware and Intel partner, EC Patent issues,
FSFE turns 5, OSS for health care, Crystal Space Conf, LinuxWorld Boston,
European Lisp Workshop, edupython mailing list, Polish Linux Audio Forum.