LWN.net Weekly Edition for March 23, 2006 [LWN.net]

The Global Desktop Project

Free software has always seemed like a good match for the developing world. It makes top-quality software available to all, without forcing choices between buying expensive licenses (using hard-to-get foreign currencies) or dealing with the the consequences of wide-scale copying of proprietary code. Free software is one bit of technology which is just as available in the poorer parts of the world as it is in the richer countries.

What has been observed, however, is that, while use of free software in the developing world is taking off, participation in the development process is not growing at the same rate. This is true even in countries where there is no shortage of people with the technical skills needed to hack on free software. To a great extent, much of the developing world is a consumer of free software, but takes a relatively small role in its production. This costs the development community, which has no end of projects which could benefit from more developer attention. But it especially hurts the people who don't participate. A consumer of free software remains dependent on imported code without developing the ability to improve that code or influence its further evolution.

The United Nations University (UNU) recently sent out a press release on this issue:

Being a 'passive consumer' rather than an 'active participant' is not in the best interests of a developing nation's government or business sectors. Technological self determination in developing countries is key to their future prosperity and is contingent on harnessing the power of this high-tech phenomenon.

The UNU, working with governments and industry, has set out on an effort to improve participation rates in the developing world. Part of this effort is the Global Desktop Project, an initiative to increase the number of free software hackers by encouraging improvements to the Linux desktop experience. The leader of this project turns out to be a familiar name: Scott McNeil. Among other things, Scott has served as the head of SUSE's US operation, the "open source strategist" for VA Linux Systems, and the executive director of the Free Standards Group.

Scott tells us that the desktop focus was chosen because the desktop tends to be one of the most interesting areas for aspiring hackers. There is also a great deal of desktop-oriented work - such as internationalization - which is best done by locals. Within this focus, there are four separate initiatives being pursued. These include a "train the trainers" seminar series designed to help spread the free software methodology, the establishment of a set of open source labs, the creation of a series of FDL-licensed courses, and a student mentoring effort.

The first labs are expected to open in China later this year; they will be financed from initial funding received from Intel and a couple of Chinese government agencies. The labs will hire students - mostly at the graduate level - to work on free software projects. Lab staff will also work on mentoring to help new developers work with the community. Says Scott:

Mentoring of the interns will primarily be done by the project staff with some support from members of the community who we are engaging. While we have received some positive feedback from various open source developers, we believe that a majority of open source developers have no desire to mentor or assist newbies. This is why mentoring/management will be primarily done by the project staff. We have no desire to throw the kids into the hacker's pit and watch them get flamed and ignored...

Working with the community is often one of the biggest stumbling blocks for developers coming from outside of Europe and North America. These developers have all the technical skills they need, but there can be a strong impedance mismatch between the culture they grew up with and the often, um, impolite nature of discussion in the development communities. Being flamed on a mailing list is unpleasant for most of us (though there do seem to be people who live for that experience), but it can be shocking to somebody from a culture where people do not talk to each other that way. It can also lead to workplace difficulties. Even more gentle, well-meaning criticism can be problematic for some developers.

So developers from those areas tend to avoid the community - and not contribute back improvements they may have made. And that hurts everybody involved. That is why, as Scott says, "the Global Desktop Project is as much a socialization exercise as it is an engineering project." It is an effort to integrate these developers into the growing worldwide development community - a result which should be beneficial to everybody involved.

This project - which is expected to last three to five years - is just getting started, so it will be a while before results will be visible. There will, doubtless, be many cultural and funding hurdles to overcome during that time. But, if all goes well, the Global Desktop Project has the potential to increase the rate at which the developing world joins the free software development community. And, as a bonus, we might just get a better desktop out of the deal.

Comments (8 posted)

Xara releases the source

Xara Xtreme is yet another drawing and image composition tool for the Windows platform. A few months ago, Xara announced that it would branch out and make this application available for Mac OS and Linux platforms as well. Even better, it would be released under the GNU GPL. The result, it was said, would be a top-quality drawing tool for the free software community.

The first part of that promise has now been fulfilled: the source code is now available for the project now known as Xara LX. This version of Xara, it turns out, is a GTK+ application by way of wxWidgets. It comes with plenty of warnings: many of the features are not yet ported, and the whole thing can be somewhat unstable. But, the tool is now out there for people to play with.

Your editor has a hard time resisting an invitation like that. The unstable Xara LX build ran nicely, and it was easy to put together a simple drawing with features like transparency and blending. It was also not particularly hard to make the whole thing crash. But, suitable warnings had been given; this tool is not being provided for production use at this time. For an example of what can be done by users who know what they are doing, see this screenshots page.

Once it stabilizes, the Linux community should have another nice drawing package in its toolbox. Linux may not yet be poised to displace proprietary packages from the systems used by professional artists, but things are clearly headed in the right direction. With tools like the Gimp, Inkscape, Krita, and, now, Xara LX, we are getting closer to the day when there is no need to use those other, proprietary platforms even for the most demanding graphical tasks.

Comments (5 posted)

Money trouble at OpenBSD

The OpenBSD project sets the standard for security in free operating systems. More than with any other project, the OpenBSD hackers work at tracking down potential security problems before they affect users. This work has earned OpenBSD a well-deserved reputation for being hard to break.

A recent posting to the openbsd-misc mailing list has raised a non-technical issue: it seems that OpenBSD's finances are not as solid as its software. The project has been running at a $20,000 (US) annual deficit for the last couple of years, with no relief in sight. The problem, it is said, is that OpenBSD users have stopped buying CDs; instead, they content themselves with grabbing a copy from a network server for free. The sales of CDs and related items are a major source of money for the project; if CD sales do not live up to expectations, income will fall short.

LWN asked the OpenBSD project if there was any sort of public information on the group's budget and how it is spent. Unfortunately, it seems that there is no such information. From looking at what information is available, it appears that the biggest single expense is the occasional "hackathons" - coding-intensive developer meetings - run by the project. Beyond that, there's the usual costs for Internet service, equipment, and so on. It appears that very little of OpenBSD's budget goes toward paying salaries to developers.

To support its activities, OpenBSD would like to bring in about $100,000 per year. Donations recently have been a very small fraction of that, however. What the OpenBSD folks are saying now is: something has to change, or the project will be unable to continue at its current level of activity in the future.

Every free software project must support its work somehow. For small projects, that support may consist of no more than the occasional donation of development time by an interested hacker or two. Larger projects require more, however, in the way of infrastructure and developer time. So most projects, once they achieve a certain level of success, have to find a revenue stream from somewhere.

That, often, is when the core developers try to form a business around the project. It may just be a matter of lining up some consulting work to pay for the continued development and maintenance of the code, or there may be a more advanced business plan involved. Sometimes projects are able to obtain sponsors which have some interest in the project's success; witness Google's support of the Mozilla Foundation, for example. Sometimes developers will be hired by a company to work on free code; many Linux kernel hackers make their living in that way.

It is a rare project, however, which is able to get very far with sales of CDs and donations. There is little motivation for anybody with a broadband network connection to order CDs; a simple download gets more current software more quickly. This is why Linux distributors have been moving away from CD sales as a business model for years - and those which haven't are wishing they had. The OpenBSD project is simply discovering the same thing others have found out: the value of a CD is quite low. Anybody who is in the business of selling CDs full of free software is in a commodity business, and one which is in competition with its own customers at that.

There is no other business of any consequence built around OpenBSD, however. There are few products which incorporate OpenBSD, and few high-profile network-based services which use it. While OpenBSD does not lack for users, it seems there are relatively few who see a business interest in supporting its development. It must be said that the abrasive nature of OpenBSD's leadership cannot be helping in this regard.

The same posting hints at one approach for generating some cash:

[What] a lot of people don't seem to realize is that OpenSSH development is paid from the same pool of money as OpenBSD. OpenSSH is in use by millions around the world however the revenue stream just simply isn't there. This is where other projects could help. Without naming entities or projects by name there are others out there that are sitting on some cash. It would be wonderful if these entities could share some of the wealth to keep us going.

The project, in other words, is appealing to "entities" which obtain some value from OpenSSH to kick into the OpenBSD coffers. It is hard to imagine that, for example, Linux distributors - all of which distribute OpenSSH - are not among the "entities" being targeted here. This is just a bit ironic, given how the OpenBSD founder has chosen to trash Linux recently.

More disconcerting, however, is the implicit threat: support OpenBSD, or OpenSSH may go down the tubes. The answer the project is likely to hear may not be the one they are looking for; the world may ask, instead, why are OpenBSD and OpenSSH funded from the same pool of money? Might it not be better to separate the two - by forking OpenSSH, if necessary? Certainly some way could be found to keep OpenSSH going if OpenBSD were to come to an end.

The end of OpenBSD would be an unfortunate event, however. The project's uncompromising focus on security has raised the bar for all systems and made all of us - even those who have never run OpenBSD - more secure. We all benefit from having a group out there doing the work that the OpenBSD people have taken on. But it is up to the OpenBSD folks to put some of the same attention into securing their financial future, and that means finding a way to obtain money from those who benefit most from OpenBSD's existence. Given the size of the OpenBSD user base and the modest nature of its financial needs, it seems like this problem should have a solution.

Comments (31 posted)

Page editor: Jonathan Corbet

Security

One year of RHEL4 security

Red Hat Magazine is carrying an article by Mark J. Cox looking at the security record of the Red Hat Enterprise Linux 4 release in its first year. It certainly will be interesting reading for RHEL users, who can get a sense for how Red Hat views the security performance of its flagship distribution. One need not be an RHEL customer, however, to find items of interest in this report.

RHEL 4 marks the beginning of Red Hat's classification scheme for vulnerabilities. Severity classifications are an acknowledgment of an important aspect of Linux security: large numbers of advisories and updates are issued, but very few of the problems being fixed constitute real threats for most users. Every temporary file vulnerability should be fixed, for example, but it is a rare system which is compromised by way of a temporary file exploit. Red Hat's classifications can help to focus administrators' minds on the important problems. Perhaps more importantly, the classifications should help "analysts" and other commenters to look beyond the sheer volume of advisories and look at the ones which really matter.

Red Hat defines a "critical" vulnerability in this way:

By definition a critical vulnerability is one that could potentially be exploited remotely and automatically by a worm. We stretch the definition to also include those flaws that affect web browsers or plug-ins where a user only needs to visit a malicious web site in order to be exploited.

By this definition, there were 19 critical vulnerabilities disclosed for RHEL 4 in its first year. The list of involved packages is interesting: HelixPlayer, mozilla, firefox, kdelibs, lynx, gaim, kopete, thunderbird, and mod_auth_pgsql. All but one of the critical vulnerabilities, in other words, were in complex, graphical clients (though classifying lynx as such is a bit of a stretch). As a result of this distribution, a default RHEL server installation suffered from zero critical vulnerabilities in it first year. Workstation installations, instead, had a fair number.

Red Hat claims to have issued updates for all critical vulnerabilities within two days of their public disclosure.

The report also looks at exploits - the company is aware of 28 publicly-circulating exploits for software shipped in RHEL 4. It is claimed that the security technologies packaged with RHEL 4, including the "Exec-Shield" stack protection and address randomization techniques, impede or block about half of those. The "Lupper" worm could get past those barriers, but would be unable to execute its payload as a result of the SELinux policies in effect. The report does acknowledge, however, that a modified version of the worm would have been able to circumvent SELinux.

Anybody wanting to poke holes in this report could certainly do so. Not everybody will agree with how Red Hat classifies all of its vulnerabilities. It would be nice if that classification - or the entire report - could be done by an impartial outside party. One might also note that the response time for older RHEL versions can be longer; consider a recent cron vulnerability which was fixed for RHEL 4 last October, but the RHEL 3 update only arrived last week. Since part of RHEL's claim to value is its long-term support, the idea that updates will be slower in coming as the distribution ages is a little disconcerting. (In fairness: the gap is much smaller for more important problems: the patches for the recent firefox vulnerability for RHEL 2, 3, and 4 all came out on the same day).

The important thing, however, is that this report got written and published at all. While most distributors make a strong effort on security, few of them take the time to look at their record and tell the world about it. Full disclosure does not stop with individual vulnerabilities; Linux users benefit from a view of the larger picture as well. Red Hat is to be commended for putting this information together; hopefully other distributors will follow suit.

Comments (2 posted)

Brief items

Sun's "open source DRM" specifications released

Sun has announced the release of the first set of specifications for its "open source DRM" effort. It is an exercise in Orwellian naming: we have "Project DReaM" for "DRM/everywhere available," a system called "Mother May I," and the whole thing is found at OpenMediaCommons.org. Nonetheless, they got Lawrence Lessig to add a favorable statement. Code for a prototype "conditional access system" implementation has been posted.

Comments (29 posted)

A serious sendmail security hole

It's been a while since we had a good sendmail vulnerability...but we need wait no longer. Sendmail 8.13.6 has just been released in response to a security issue which could lead to a remote root exploit. This looks like a good one to fix in a hurry. Distributor updates have been seen so far from:

Comments (22 posted)

Xorg-server 1.0.2 security fix release

It would appear that one of the bugs found in the recent Coverity scan was a local root exploit in the X.org server (version 1.0.0 and later). The X11R6.9.0 and X11R7.0 releases are also vulnerable, though older releases are not. A 1.0.2 release has been made available with the fix; expect updates from distributors in the near future as well.

Comments (15 posted)

New vulnerabilities

beagle: untrusted search path vulnerability

Package(s):

beagle

CVE #(s):

CVE-2006-1296

Created:

March 21, 2006

Updated:

March 22, 2006

Description:

Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local users to gain privileges via a malicious beagle-info program in the current working directory, or possibly directories specified in the PATH.

Alerts:

Fedora

FEDORA-2006-188

2006-03-21

LWN.net Weekly Edition for March 23, 2006

beagle: untrusted search path vulnerability

cairo: denial of service

crossfire: buffer overflow

curl: heap-based buffer overflow

drupal: multiple vulnerabilities

flash-plugin: arbitrary code execution

ilohamail: missing input sanitizing

kernel-patch-vserver: missing attribute support

PEAR-Auth: potential authentication bypass

PeerCast: buffer overflow

sendmail: remotely exploitable race condition

snmptrapfmt: temporary file vulnerability

wzdftpd: missing input sanitizing

xorg-x11-server: privilege escalation

xpvm: insecure temp file

ADOdb: PostgresSQL command injection

apache: cross-site scripting

Ubuntu installer: plain text passwords in log file

blender: integer overflow

bzip2: race condition and infinite loop

ktools: buffer overflow

cpio: arbitrary code execution

crossfire: arbitrary code execution

cube: multiple vulnerabilities

curl: buffer overflow

cyrus-imapd: buffer overflows

dia: missing input sanitizing

emacs21: format string vulnerability in "movemail"

enscript: arbitrary code execution

evolution: format string issues

fetchmail: multidrop bug

ffmpeg: buffer overflow

flex: buffer overflow

Foomatic: Arbitrary command execution in foomatic-rip

freeciv: denial of service

gdb: multiple vulnerabilities

gdk-pixbuf: multiple vulnerabilities

gedit: format string vulnerability

gnupg: incorrect signature verification

grip: buffer overflow

gzip: arbitrary command execution

heimdal: privilege escalation

imagemagick: arbitrary command execution

imap: buffer overflow in c-client

initscripts: privilege escalation

ipsec-tools: denial of service

kdebase: local root vulnerability

kdelibs: heap overflow

kdelibs: kate backup file permission leak

kernel: multiple vulnerabilities

kernel: multiple vulnerabilities

kernel: multiple vulnerabilities

kernel multiple vulnerabilities

kpdf: insufficient patching

xpdf heap based buffer overflow

libapreq2: algorithm weakness

libcrypt-cbc-perl: programming error

libgadu: memory alignment bug

libgd2: buffer overflows in PNG handling

libmail-audit-perl: insecure temporary file creation

libpam-ldap: authentication bypass

libpng: heap based buffer overflow

libungif: memory corruption

libxml2 - arbitrary code execution

libxml2: multiple buffer overflows

lurker: several vulnerabilities

lynx: arbitrary command execution

metamail: buffer overflow

mod_python: remote access vulnerability

mozilla: multiple vulnerabilities

Mozilla Thunderbird: remote code execution and DoS

nbd: arbitrary code execution

ncpfs: multiple vulnerabilities

ntp: uses wrong gid

openmotif: buffer overflows

OpenSSH: double shell expansion

perl: setuid vulnerabilities

php: multiple vulnerabilities

phpbb2: multiple vulnerabilities