Leading items

Novell goes for the desktop

Novell took advantage of CeBIT to send out an advance announcement for the upcoming SUSE Linux Enterprise Desktop (SLED) release. SLED has the potential to be a relatively interesting distribution, and not just because Novell has backed off and restored the SUSE name. If things go well, SLED might just yet help 2006 to be the year of Linux on the desktop - for real, this time. But we will have to wait until the (northern hemisphere) summer before we can actually get our hands on this distribution.

Desktop Linux efforts are not new by any means. Mandriva got its start as an effort to add better desktop support to the Red Hat Linux distribution. Companies like Corel, Xandros, Linspire, and others have created commercially-supported Linux desktop offerings. While some of those distributions have found some success, none of them have taken the corporate desktop by storm. So it does not require a particularly cynical observer to wonder just why Novell's attempt is destined to be any different.

Whether SLED will ultimately be successful remains to be seen. But Novell is doing some things differently, as a result of past experience and the resources that the company is able to bring to the problem. Even if SLED fails in the market, it will have succeeded in advancing the state of the art and highlighting what really needs to be done to bring about corporate desktop conversions.

Part of Novell's recipe is plain old hard work. From the press release:

Much of this work has been posted to the Better Desktop Project site. When it comes to human factors, there is no substitute for watching people struggle with a program and seeing just where things go wrong. This is especially true if one is trying to create a system which is highly approachable for new users. Assuming Novell's developers pay attention to the lessons from this work, the result should be a system which is easier to use.

Novell then throws in some eye candy in the form of its XGL work. Solid support for (some) 3D cards should lead to a desktop with some real visual appeal. For many, a slicker desktop may be the final piece which pushes them toward acceptance of a Linux-based system.

For those with more practical concerns, Novell's GroupWise is, unsurprisingly, well supported. Novell has also added support for Microsoft visual basic macros in OpenOffice.org 2.0. Support for macros has been one of the big stumbling blocks for those looking to exchange documents with heavy Office users. VBA macro support is part of the ooo-build fork, but has not yet found its way into the OpenOffice.org mainline. Novell's work in integrating this support should help to push this feature forward for all users - once Novell releases the code.

Recent experience shows that Novell might be just a little slow to do that - though the release will certainly happen at some point. Novell is, in general, taking a very competitive approach to its Linux releases. And, while Novell is clearly interested in competing with Microsoft, it is also putting an emphasis on standing out from the other Linux distributions. So being the first distribution with important new features has become an important selling point for Novell. This push may make the competition between distributors a little less friendly, but that has been due to happen for some time anyway. With luck, it will also lead to better and faster progress in the area of desktop Linux, with the improved code finding its way to all users.

Comments (7 posted)

Ethereal and security

When Coverity released its first set of results from its defect scanning of a number of free software projects, the Ethereal protocol analyzer turned up with one of the lowest defect densities of all. Your editor, when posting the initial results, commented that the low defect density did not seem entirely consistent with the rather high density of security advisories for Ethereal. That comment did not sit well with the Ethereal developers, with one observing that "The article reads as if it was written by an amateur, not a professional with a proper grasp of sentence structure." Oh, well, your editor never claimed to be a "professional."

The original comment was unnecessary, however, and apologies are offered. In an attempt to make amends, your editor decided to take a closer look at Ethereal and its approach to security. What much of the world sees is a long list of security advisories and little else; if there is a larger story, it has not been told outside of the developers' lists. As it turns out, there is, indeed, a larger story.

The list of Ethereal security advisories is indeed long. The six advisories issued in 2005 enumerate 105 different security-related bugs, a number of which are of the form "several dissectors will do something unpleasant in these circumstances." There are 23 different CVE numbers cited. The Ethereal security page gives a number of suggestions for running Ethereal in a more secure way (don't run as root, use something like tcpdump to capture packets, etc.), and notes that "The Ethereal developers agree that the current situation isn't actually satisfying." Your editor, it seems, is not entirely alone in noting that some security issues may exist with Ethereal.

Ethereal has a couple of special challenges. One is that it must deal directly with arbitrary data which may have been specially generated by hostile parties. Any set of bits can come off a network, and Ethereal must do the right thing with it; most applications, instead, receive a cleaner and more controlled input stream from the outside. Ethereal also must deal with a wide variety of packet types, which leads to the inclusion of a large library of protocol-specific "dissectors." These dissectors bear some resemblance to device drivers in an operating system kernel: they are specialized, written by a diverse group of authors, and can be hard for others to review and test. And, as with drivers in the kernel, dissectors are the source of a large percentage of Ethereal bugs.

Ethereal vulnerabilities can also be serious. While problems in packages like cube, zoo, or tetex are very much worth fixing, the chances of systems being compromised by those vulnerabilities are relatively small. Ethereal, however, is a tool used by system and network administrators. Known vulnerabilities in Ethereal can be used to compromise an administrator's system; all that is required is the injection of a suitably-crafted packet onto a network where Ethereal is running. So Ethereal vulnerabilities could be especially attractive to an attacker with a specific target. This fact can be driven home by doing a quick search for Ethereal exploits; a number have been posted over the years.

So the Ethereal developers clearly need to keep security in mind. The good news is that they seem to be doing exactly that. While some of the vulnerabilities disclosed in 2005 were found by outside parties, the vast majority of them were turned up by the Ethereal hackers themselves. The developers, it seems, are putting some significant effort into finding problems before hostile outsiders do. This activity nicely explains both the large number of advisories and the small number of defects in the current Ethereal code base.

Clearly, the right kind of work is being done. Here (from the Ethereal security development page) are some of the things the Ethereal developers are doing to improve the security of their project:

• Fuzz testing. As has been discovered in many applications, the feeding of random data to a program can turn up all kinds of interesting behavior. Ethereal has a "randpkt" utility which feeds entirely random data to the system. There is also an "editcap" program which introduces random corruption into files containing streams of real packets. Any dissector which is not truly paranoid about the data contained in the packets presented to it will eventually be caught out by a fuzzed packet.

• Automatic code generation. Rather than hand-crafting code to deal with the structure of every packet type, the project is looking at generating dissector code from a description of the packet format. Once the code generator has been verified as safe, the resulting dissectors should be much more solid. Code generation is being used in a number of projects (Samba 4, for example) to produce better code in less time; Ethereal is machine generating some of its dissectors now, with an eye toward generating most or all of them at some point in the future.

• Various changes aimed at avoiding dangerous code. These include core API changes to make certain kinds of errors harder to create. The tvbuff abstraction, for example, allows a portion of a packet to be passed to a dissector and catches any attempts to access data outside of that area. The Ethereal developers are also making a (somewhat belated) effort to stop using dangerous C library functions like sprintf() and strcat().

Throw in techniques like privilege separation and good, old-fashioned code review, and the result should be a relatively secure package. Perfect security is hard to come by, and Ethereal users should still stay on top of their updates. But the Ethereal developers appear to have a handle on the problem and are trying to do the right things. If all free software projects took security as seriously, our systems would be rather more solid.

Comments (24 posted)

Another round of changes at Mandriva

Back in July, 1998, LWN received a message from Gaël Duval announcing the first Linux-Mandrake release. This new distribution was a reworked version of the Red Hat 5.1 GPL release with KDE 1.0 (then not well supported by Red Hat) integrated. It was intended to be an easy to use, desktop-oriented distribution. Linux-Mandrake was also a classic case of an itch being scratched: Gaël put together the distribution he wished he had, released it onto the net, and immediately departed on vacation. The response he found on his return was rather beyond his expectations.

Shortly thereafter, MandrakeSoft was founded in an attempt to build a business around Linux-Mandrake. The story since then has been a series of ups and downs. The Linux bubble hit MandrakeSoft harder than many other companies; when the bottom fell out, MandrakeSoft found itself with a heavy load of expenses, an externally-imposed management team which had little interest in community or the Mandrake distribution, and a rapidly shrinking bank account. After going into bankruptcy, dumping the managers, and refocusing on its real customers, MandrakeSoft actually managed to turn a small profit. Last year, MandrakeSoft acquired Conectiva and renamed itself Mandriva.

On March 7, the company released its first quarter results, which clearly show that Mandriva is not, yet, out of the woods. These results are, as described by the report, "disappointing." Mandriva is no longer making a profit; instead, the company shows a €590,000 loss. Revenue is nearly flat from one year ago, despite the acquisition of Conectiva in the mean time.

So why is Mandriva hurting again? The report gives a number of reasons, including "slower than expected" revenue from OEM contracts, fewer retail sales, money spent on execution of large enterprise accounts, and higher marketing costs. The drop in retail sales is blamed on the spread of broadband Internet connections, which may be partially true. But the availability of other desktop-friendly, free distributions has also grown, and some of those alternatives are quite good. If Mandriva wants to continue to sell individual boxes with Linux disks, it needs to offer something which is clearly better. Mandriva's recent releases have not been that much better.

Mandriva is responding to these results in a number of ways. Cost cutting will be a necessary part of that response. From the report, it seems that Mandriva is engaging in some belated reduction of redundancies caused by the Conectiva acquisition. Unfortunately, it seems that engineering is one place where the company feels over-staffed at the moment, so a number of developers have been let go. So Mandriva's participation in community development, already much reduced from its early years, will shrink again.

The company has also laid off Gaël Duval, the person who got the whole thing started. Jacques Le Marois, another founder of MandrakeSoft, is also on the way out. This company, it seems, is now completely disconnected from its origins.

The report notes that "enterprise services" saw a big increase over the quarter, to the point that they account for 42% of total sales. So "enterprise" appears to be the company's direction for the future. To that end, Mandriva has been working on an administrative tool called "Pulse" which, it is said, will be released in the near future. There is a new distribution for individuals in the works; it will be called "Mandriva One." But this distribution almost looks like an afterthought.

The enterprise market may be where the money is, but there is some competition there too. As Mandriva aims for the corporate clients, it will be running up against Red Hat and Novell, and, to an extent, against the corporate services offered by companies like IBM, HP, and others. Mandriva looks like a bit of an underdog in that crowd. Underdogs can be successful, but their life is not always easy. In response to pressures from this market, Mandriva seems likely to move further away from its community roots. It is telling, in that regard, that Mandriva's reports no longer mention the Mandriva Club, which was once an important part of the company's business. Mandriva moved away from its community roots once before, and things did not go particularly well. One can only hope that the prospects are better this time around.

Comments (11 posted)

Page editor: Jonathan Corbet
Next page: Security>>