Your editor reads a lot of web sites. Quite a lot of web sites. This
reading has generally been a process of stepping through the bookmark list,
checking to see what is new on each of many interesting sites. Actually
going to sites to check for new news has
been an obsolete mode of operation for some time, but your editor can be a
little slow to come around, sometimes. Nonetheless, the nagging feeling
that there had to be a better way eventually got strong enough to inspire
an inquiry into the state of the art in RSS aggregators.
Most sites with news-oriented content export one or more files with
information about the most recently-posted articles; LWN's is over here. An RSS aggregator will grab the
headline files from sites of interest and present them, in some unified
format, to the reader. The result is a single interface to new postings
from a multitude of sites, and an end to the tedious business of plowing
through a long list of bookmarks.
There is a huge variety of RSS aggregators out there. To narrow things
down, your editor concentrated on standalone utilities with graphical
interfaces. There are some console-based aggregators available, and quite
a few web-based sites and systems. Your editor, believing (hoping) that an
interface designed specifically for the aggregation task will work best,
has chosen to pass over the other approaches for now.
When looking at RSS aggregators, there are a few issues to think about:
- How hard is it to get sites into the tool? Most, but not all,
aggregators can have an RSS feed URL dropped into them, making the
task easy. Just about every aggregator can import a feed list in the
OPML format, which makes switching between them easy.
- Which feed formats are supported? All aggregators can handle most
varieties of RSS; the newer Atom format is not yet as widely
supported.
- How does the tool help with organizing feeds? As the list of feeds
grows long, it is natural to want to organize them into categories.
After all, it does not do to mix those serious, work-oriented sites
with the more frivolous fare (LWN, say).
- Does the tool make it easy to keep up with a large number of feeds? A
tool which makes it easy to pass through a mixed presentation of all
new articles (perhaps limited to a specific category) will be faster
than one which requires each site to be explicitly "opened."
- How does the tool handle updates? LWN's RSS feed accounts for a huge
part of our total traffic, and the situation is probably the same for
other sites. If your aggregator is pulling the feed every ten
minutes, you are helping to create a great deal of wasted traffic.
The defaults for polling intervals should be conservative, and, when
available, the aggregator should use the update time suggestions found
in the feed itself. There is no point in polling the "cute puppy of
the day" site several times each hour.
Various other factors come into play as well, as will be seen in the
discussions of the individual tools, below.
Akregator
Akregator is a KDE-based
tool with a reasonably long history. It is able to handle both RSS and
Atom feeds.
Akregator provides a file manager-like navigation pane on the left,
allowing the user to file feeds in a hierarchical system of folders. Each
entry includes the number of unread articles for that feed - a nice feature
that is not provided by all aggregators. Clicking on a folder will display
a mixture of articles from all feeds in that folder. A prominent button
allows the user to mark all articles as being read.
It is also possible to mark articles as being "important." The display can
be filtered (by way of a pulldown menu) so that only important, new, or
unread articles are shown. A search bar at the top can be used to further
limit the results to those matching a given string.
Of the tools reviewed, Akregator is probably the most flexible in how
it can be told to select articles for display.
While most aggregators hand off the task of displaying web pages to a
browser, akregator will, by default, display selected pages internally,
using a tabbed interface. This behavior can be changed, of course, and a
middle-click sends the URL to an external browser in any case.
For some reason, it is not possible to drag a feed URL from firefox and
drop it into an akregator window. So firefox users have to copy-and-paste
the URL into the "new feed" dialog. Dropping a URL from konqueror does
work, however. Feeds can be configured with their own archiving and update
interval preferences; akregator does not appear to use update intervals
supplied with the feeds themselves. If desired, akregator can generate
notifications when new articles are found.
Overall, akregator feels like a quick, flexible, and solid tool; definitely
one of the better aggregators out there.
Blam
Blam is a GNOME-based, C#/Mono application; it would appear to lack a web
site of its own. It is one of the simpler applications, lacking features
found in some of the other aggregators.
The blam left pane is a simple, alphabetical list of feeds; there is no
ability to rearrange or group them. A total count of unread articles is
given, but there is no user-visible per-feed count. (Actually, there is -
but the default width of the left pane hides it). There is no ability to
mix articles from multiple feeds into a single stream. Marking a feed
as read requires accessing a pulldown menu. Unlike almost every other
aggregator, blam sorts articles (by default) from the oldest to the newest.
Formatting of RSS items is done with gecko, with visually pleasing
results. Clicking on a URL displays the page in firefox; there does not
appear to be an option to make blam work with other browsers.
Blam does not automatically poll feeds by default; an explicit user action
is required. If automatic polling is turned on, the default interval is
fifteen minutes, which is rather short. Blam can handle Atom feeds, but
appears unable to work with feeds requiring authentication.
Blam does not appear to be able to
perform notifications, though it does put an icon into the GNOME
notification area.
Overall, your editor's opinion is that blam has some potential and a solid
base for the creation of a powerful tool. But the current version, despite
its 1.8.2 number, is not ready for widespread use.
Liferea
Liferea (the "Linux feed
reader") is a GNOME-based tool with a number of capabilities. It
can handle Atom feeds, and can also handle feeds with enclosures (the sort
normally used with podcasts). Update intervals provided with feeds are
respected (though they can be overridden by the user). Liferea can do
notifications if so desired.
Despite its GNOME origins, Liferea has a large number of configuration
options; only akregator compares on that score. It can be set up to
automatically download enclosures into a user-specified directory, so
those who follow podcasts can find new files waiting for them without having to
explicitly grab them. Liferea can be quickly configured to work with a
large variety of external browsers. Unfortunately, the switch controlling whether
already-read articles are displayed is hidden inside the configuration
dialogs; that adds up to a fair amount of clicking if the user wants to
change the display mode often.
Liferea has a plugin mechanism which can be used to load filters for feeds
of interest. There is a
respectable list of filters, many of which generate specialized RSS
feeds from web sites.
In general, Liferea is a pleasant and powerful tool - arguably the most
advanced of the GNOME-based aggregators.
RSSOwl
RSSOwl is a feed reader written in
Java. Your editor, it must be admitted, felt some trepidation when
yum wanted to download over 120MB of packages to install this
thing, but the investigative spirit cannot balk at such obstacles. So down it
came, along with its vast Java life support system. It's not every RSS
aggregator which requires eclipse just to install.
A quote on the RSSOwl site reads "Simply the best RSS reader. Fast,
lightweight and cross platform." Your editor begs to differ on the
"fast, lightweight" portion of that claim. Not only was RSSOwl not fast,
but, while it was running, nothing on the system was fast. It may
be that, on a different Java platform, things might be different. But, on
your editor's 1GB-memory system, RSSOwl managed to put everything into
full-scale thrash mode.
When first started, RSSOwl maximizes its window, a behavior which your
editor finds to be flat-out rude. Once it gets itself established (and has
been politely told how much screen space it may use), it is a reasonably
capable aggregator. It comes with a long list of built-in feeds, and it
has a search capability for finding more. Your editor, however, needed his
system back and was not able to allow a search to run to completion.
RSSOwl does not, by default, render HTML in article descriptions. This
behavior can be changed, dragging the gecko engine into the mix in the process. Feeds are
grouped hierarchically in the left pane, but it is not possible to mix
articles from multiple feeds. Opening a feed requires a double-click -
RSSOwl is the only aggregator reviewed which requires extra clicks in this
way. Each feed opens in its own tab. The search feature is more capable than
most, with the ability to work with boolean expressions.
For whatever reason, RSSOwl is able to export an RSS feed to a PDF file.
That must be useful to somebody, somewhere.
RSSOwl handles Atom feeds, and it can deal with feeds requiring
authentication. There is also an interface to AmphetaRate, which
can be used to generate recommendations for other sites of interest.
RSSOwl is certainly a capable tool, and it has some unique features. At
its current level of performance, however, it is not particularly usable -
at least on the Fedora platform.
Straw
Straw is a GNOME-based
aggregator written in Python. Its 0.26 version number suggests a young
project, but the first Straw release happened back in 2002. Straw is a
reasonably capable feed reader, but it has a couple of quirks.
One of those is that there is no hierarchical ordering of RSS feeds.
Instead, each feed may be assigned one or more keywords, and the view of
feeds can be restricted to a specific keyword. For added fun, the set of
legal keywords must be managed in a separate dialog; until a keyword has
been officially created in this manner, Straw will not acknowledge its
existence. Once the keywords have been established, the left-pane view can
be restricted to any one keyword.
Browsing through feeds is reasonably quick, once one gets the hang of
Straw's keyboard bindings, which use a lot of upper-case characters. If
one types lower-case keystrokes at the Straw
window, the reward is an unlabeled text entry field which materializes
toward the bottom of the screen; experimentation shows that this field can
be used to move directly to a feed by typing its name. There is no way to
mix articles from multiple feeds.
Straw does allow the configuration of per-feed update intervals, though it
does not appear to use feed-supplied intervals. There is a reasonable
search capability, but the resulting window behaves a bit strangely.
Articles from multiple feeds will appear there, but the normal keyboard
commands will not step through them - it is necessary to use the mouse.
Despite its relatively long history, Straw feels unfinished to your
editor. There are enough questionable user interface decisions to make
Straw relatively difficult to use - though somebody, clearly, likes it that
way.
Sage
There are a few RSS aggregators which have been implemented as Firefox
extensions, but the most advanced of those appears to be Sage. This aggregator is well
integrated into the browser, which does present certain advantages.
The Sage screen has three panes. The left column contains a hierarchical
list of subscribed feeds above a window containing a list of headlines from
the currently-selected feed. The bulk of the window, however, contains a
"newspaper style" rendering of the feed text in a somewhat strange
two-column layout with a fair amount of empty space. Clicking on a title
will pull up the full page. Sage allows the organization of this window to
be changed by way of style sheets; predictably, a fair number of
customized style sheets are available.
Sage's feed discovery feature is nice: bring up a site of interest and
click on the little magnifying glass icon. The Sage code will dig through
the page and present any feeds it finds, allowing the user to subscribe to
any or all of them. No more time spent looking for that little "XML" icon.
There does not appear to be any option allowing the configuration of update
intervals. Sage is not able to display a mixture of feeds on a single
screen. There is also no ability to search for strings in feed text
(though the normal Firefox search mechanism can be used in the article
display screen).
Sage is a slick and well-developed product, and there is real value in
integrating the aggregator into the browser. If nothing else, there's one
less window hanging around and cluttering up the screen. Still, the task
of displaying a page is somewhat different from that of finding pages to
look at in the first place. A tool which maintains its focus on the latter
task should be able to provide a better interface than the Swiss army knife
approach of cramming all of the tools into a single package.
Conclusion
On that note, one might well ask: how well do the current tools work at
enabling us to find the articles of interest to us, quickly? The current
readers have some nice features, and your editor favors akregator and
liferea as the ones which are the most productive at this time. If your
purpose is to keep up with the latest from a variety of news sites, either
of those applications will do the job nicely.
Your editor can't help but feel that much of the RSS and aggregation
technology we are seeing now is just a stage in a longer transition, however. The net is
not just about dispatches from news sites. People are using web logs, RSS
feeds, "planet" sites and aggregator software in an attempt to organize,
follow, and participate in conversations. When evaluated for that purpose,
current RSS aggregators have quite a bit of ground to cover. Don Marti has
written some
worthwhile comments on this topic.
So there is some ground to be covered, yet. And that, in turn, suggests
that having a number of active development projects in this area is a good
thing. If the developers behind these applications can go beyond mere
aggregation, they stand a good chance of creating a new and powerful interface
to the net and the discussions taking place there. Your editor, while
pleased with the state of these tools as they exist now, is looking forward
to where they will go from here.
Comments (51 posted)
March 29, 2006
This article was contributed by Glyn Moody
A previous LWN.net
feature examined the
parallels between open source and open access, which strives for the free
online availability of the academic knowledge distilled into research
papers. Although it has some particular characteristics of its own, open
access can be considered part of a wider move to gain free online access to
general digital content.
The roots of this open content movement, as it came to be called, go back to
before the Internet existed, and when even computers were relatively rare
beasts. In 1971, the year Richard
Stallman joined the MIT AI Lab, Michael Hart
was given an operator's account on a Xerox
Sigma V mainframe at the
University of Illinois. Since he estimated this computer time had a nominal
worth of $100 million, he felt he had an obligation to repay this generosity
by using it to create something of comparable and lasting value.
His solution was to type in the US Declaration of Independence, roughly 5K
of ASCII, and to attempt to send it to everyone on ARPANET (fortunately,
this trailblazing attempt at spam failed). His insight was that once turned
from analogue to digital form, a book could be reproduced endlessly for
almost zero additional cost, what Hart termed "Replicator Technology". By
converting printed texts into etexts, he was able to create something whose
potential aggregate value far exceeded even the heady figure he put on the
computing time he used to generate it.
Hart chose the name "Project Gutenberg" for this body of etexts, making a
bold claim that they represented the start of something as epoch-making as
the original Gutenberg revolution. Indeed, he goes further: he sees the
original Gutenberg as the well-spring of the Industrial Revolution, and his
own project as the precursor of the next Industrial Revolution, where
Replicator Technology will be applied not just to digital entities as with
Project Gutenberg but to analogue ones too.
The Replicator idea is similar to one of the key defining characteristics of
free software: that it can be copied endlessly, at almost no marginal cost.
Hart's motivation for this move, the creation of a huge permanent store of
human knowledge, is very different from Stallman's reason for starting the
GNU project, which is powered by his commitment to spreading freedom. But on
the Project Gutenberg site, there
is a
discussion about the ambiguity of the
word "free" that could come straight from Stallman: "The word free in the
English language does not distinguish between free of charge and freedom.
.... Fortunately almost all Project Gutenberg ebooks are free of charge and
free as in freedom."
There are other interesting parallels between the two men. After they had
their respective epiphanies, both labored almost entirely alone to begin
with: Hart entering page after page of books into a computer, and Stallman
coding the first few programs of the GNU project. Even 20 years after
Project Gutenberg had begun, Hart had only created 10 ebooks (today, the
figure is 17,000). Given the dedication required, it is no surprise that
both are driven men, sustained by their sense of moral duty and of the
unparalleled possibilities for changing the world that the digital realm
offers.
Both, too, were aided enormously as the Internet grew and spread, since it
allowed the two projects to adopt a distributed approach for their work. In
the case of Project Gutenberg, this was formalized with the foundation of
the Distributed Proofreaders team in
October 2000; since then - and thanks in part to a Slashdotting in November
2002 - hundreds of books are being turned into ebooks every month.
Moreover, just as free software paid back the debt by creating programs that
pushed Internet adoption to even higher levels, so Project Gutenberg
returned the compliment by making key early titles like "Zen and the Art of
the Internet" (June 1992) and "The
Hitchhikers Guide to the Internet"
(September 1992) available to help new Internet users find their way around.
The Internet was also the perfect low-cost distribution medium for the
digital creations of Hart and Stallman. After starting out at the University
of Illinois, Project Gutenberg was mirrored at the University of North
Carolina, under the auspices of Paul Jones,
one of the pioneers in facilitating free access to all kinds of digital
files. In 1992, SunSITE was launched there, designed as "a central
repository for a collection of public-domain software, shareware and other
electronic material such as research articles and electronic images"
according to the press release of the time. SunSITE became
iBiblio.org in 2000 (after briefly turning
into MetaLab in 1998), and received a $4
million grant from the Center for the Public Domain, set up by Red Hat
co-founders Bob Young and Marc Ewing. Over time, iBiblio became Project
Gutenberg's official host and primary distribution site.
To the collection of open content at SunSITE was soon added an early
GNU/Linux archive, managed
successively by Jonathan Magid, Erik Troan, and Eric Raymond. Given this
close association between SunSITE and GNU/Linux, it was only natural that it
became the host for the Linux Documentation Project (LDP)
when it was founded in 1992 by Matt Welsh, and this soon grew into another
important early collection of free content. The LDP began with the Linux
FAQ, and expanded to include a kernel hackers guide and system administrator
guide when Michael K. Johnson and Lars Wirzenius joined the project. These
texts were originally created in LaTeX, but documentation later appeared in
the then-new HTML. Around the same time, in April 1993, there were
discussions between people like Tim Berners-Lee, Guido van Rossum and Nathan
Torkington about the idea of working with Project Gutenberg to distribute
HTML versions of its etexts, in part, presumably, to use the
well-established Project Gutenberg to help promote the fledgling Web format.
An early concern about the LDP materials was that they might be published
commercially without permission. To avoid this, a fairly restrictive license
was employed, which allowed reproduction in electronic or printed form, but
only non-commercially, and without modifications. This was later relaxed,
and the current license allows derivative
works. This issue of whether to allow changes has been a vexed one from the
earliest days of online content: what were probably the first digital
documents available on a network, the RFCs (which first appeared in 1969,
even before ARPANET), had also forbidden modifications.
Since Project Gutenberg's materials are almost exclusively drawn from the
public domain (a few copyrighted works have been included with the author's
permission), it might be expected that the
license would allow any kind of
use, including modifications. However, it imposes a
number of conditions on those who wish to use the name Project Gutenberg in
the ebooks they distribute; in this case, only verbatim copies are
permitted, and commercial distributors must pay royalties. If all
references to the Project are stripped out, leaving the bare text, the
latter can be used in any way.
One other condition for etexts distributed under the Project Gutenberg name
is worth noting. The license stipulates:
if you provide access to or distribute copies of a Project
Gutenberg work in a format other than "Plain Vanilla ASCII" or
other format used in the official version posted on the official
Project Gutenberg-tm web site (www.gutenberg.net), you must, at no
additional cost, fee or expense to the user, provide a copy, a means
of exporting a copy, or a means of obtaining a copy upon request, of
the work in its original "Plain Vanilla ASCII" or other form.
Just as the GPL does for software, the Project Gutenberg license insists
that the "source code" of etexts distributed in non-ASCII formats be freely
available.
In fact, an explicit connection between Project Gutenberg and free software
is to be found at the top of every page on the Project Gutenberg Web site, which
offers thanks to those who wrote the programs which the site employs
(GNU/Linux, Apache, PostgreSQL, PHP, Perl and Python), and a link to the Free
Software Foundation.
Licensing proved to be the crucial issue for freely-available materials, and
it was only when it was fully resolved that open content really began to
take off. The next feature in this series will look at how that happened,
and what some of the immediate consequences were.
Glyn Moody writes about open source and open content at
opendotdotdot.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
March 24, 2006
This article was contributed by Jake Edge.
One of the more devastating attacks on a web application is also one of the
most common: SQL injection. This technique allows an attacker to gain
access to the database that underlies many web sites and read and potentially
modify data that is not meant to be available to users of that site. This article
provides an overview of how SQL injection works and what can be done to
avoid it.
A classic example of SQL injection starts with a query that looks
something like:
SELECT id FROM users WHERE name='$name' AND pass='$pass';
This query might be used to authenticate users when they log in to a
web site. If it returns a row, the user id returned is considered to
be authenticated and the application proceeds to serve the correct page
for that user. In this case, the
$name and
$pass variables
would come from a login form that might look something like:
<form method="post" action="login.php">
<input type="text" name="name">
<input type="password" name="pass">
<input type="submit" value="login">
</form>
If the login.php program in this example blindly sets the variables
to the values that come from the user, a malicious user can bypass the
authentication. Consider the following inputs:
$name = "' OR 1=1 ";
$pass = "' OR 1=1 LIMIT 1";
This results in a query that is completely different from what the web
programmer expected:
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
This query will always return one row (unless the table is empty), and it
is likely to be the first entry in the table. For many applications, that
entry is the administrative login, the one with the most privileges.
This simple example barely scratches the surface of the kinds of attacks
that can be made using SQL injection. Depending on the DBMS, it may be
possible to do multiple queries via an injection by separating each with a
semicolon:
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
which is, of course, a rather destructive injection.
MySQL does not allow multiple queries in a statement, but PostgreSQL is
susceptible to this technique.
Web site and/or database search functions are particularly dangerous because
they display their output; if a malicious user can inject any query they
choose, they can capture the entire contents of the database. The UNION
keyword can turn a query such as:
SELECT city, state FROM users WHERE name LIKE '%$search%';
into:
SELECT city, state FROM users
WHERE name LIKE '%%' UNION
SELECT name, pass FROM users
WHERE name LIKE '%%';
And instead of just printing the city and state of users that match the input
string, we are also printing the username and password of every user in the
system.
A certain amount of guessing column names and types is required if an
attacker does not have access to the database schema, but they are often
not very hard to guess given some understanding of the application.
Some database systems, notably Microsoft SQL Server, seem to deliberately
shoot themselves in the foot by providing the schema for all tables in
a generally accessible database, thereby removing all the guesswork.
Injection also requires a certain amount of imagination to visualize the
kinds of queries that might be going on behind the input boxes of a web
form. It requires quite a bit of trial and error unless one has access
to the source; this is why the majority of reported SQL injections are
in free software or open source web applications.
Note that it is not only web forms using the POST method that are vulnerable;
many web applications that use the GET method are vulnerable to injections
via the URL:
http://vulnerablewebapp.com/login.php?\
name=%27%20OR%201%3D1%20&pass=%27%20OR%201%3D1%20LIMIT%201
Like many other web vulnerabilities, SQL injection stems from insufficient
filtering of user input. Unfortunately, it is sometimes difficult to
determine what kinds of input should be accepted (for example the
password "' OR 1=1" would not necessarily seem illegal) and using
various filtering functions provided
by the language may not actually prevent injections. The PHP
addslashes() function is often used to sanitize user input because
it puts a backslash in front of single quotes, which stops the kinds
of injections described above. Unfortunately, there are
techniques
to circumvent this particular 'fix' as well.
Probably the simplest way to protect queries from SQL injection is by
using prepared statements with placeholders. Any reasonable database
interface will provide a way to use this functionality and in many
cases, it is fairly portable between languages and DBM systems.
Instead of directly interpolating string values into query strings, a query
is prepared using '?' as a placeholder for the variables as shown in the
following pseudocode:
$sth = prepare("SELECT id FROM users WHERE name=? AND pass=?");
execute($sth, $name, $pass);
This has a number of advantages: the DBMS library is responsible for properly
quoting the values, and because of the way the variables are
bound to the query, they can never be treated as anything other than data
for the particular place they have in the prepared statement. This
effectively turns the injection attempt above into a query like:
SELECT id FROM users WHERE name='\' OR 1=1 ' AND pass='\' OR 1=1 LIMIT 1';
which is unlikely to authenticate.
Another way to defend against injections is by ensuring that all user input
is passed through a database specific quoting function before being used
in a query:
$name = db_quote($name);
$pass = db_quote($pass);
SELECT id FROM users WHERE name=$name AND pass=$pass;
Depending on the language and database API, this method may also be fairly
portable.
The final recommended technique is also the most complicated, but it can
provide an additional level of security if stored procedures are
available for the DBMS.
Stored procedures are queries (and more complicated functions) that are
created by the database administrator and stored with the database. These
procedures are then called by the application code to do any queries that
they require. The equivalent of the prepare functionality is done on
the procedures at the time they are stored and with proper coding, this
will prevent injections. One of the main advantages is that these procedures
run with the privileges of the user that stored them, instead of those of the user
invoking them, and this allows the application to have a much more limited
set of privileges than it would normally require. The upshot is that it
can keep the database from being read or written directly even if the application
is subverted in some way.
SQL injections are clearly a serious security problem, but one that can
be thwarted relatively easily once one understands the problem and the
ways to program around it.
Comments (23 posted)
New vulnerabilities
firebird2: buffer overflow
| Package(s): | firebird2 |
| CVE #(s): | CVE-2004-2043 |
| Created: | March 23, 2006 |
| Updated: | March 24, 2006 |
| Description: | The firebird2 database has a buffer overflow vulnerability that can be exploited by remote users to crash the application. |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
Comments (none posted)
nethack: privilege escalation
| Package(s): | nethack |
| CVE #(s): | |
| Created: | March 24, 2006 |
| Updated: | March 24, 2006 |
| Description: | The rogue-like games NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege escalation vulnerabilities that could potentially allow the execution of arbitrary code as other users. |
Comments (none posted)
RealPlayer: buffer overflow
| Package(s): | RealPlayer |
| CVE #(s): | CVE-2006-0323 |
| Created: | March 23, 2006 |
| Updated: | March 27, 2006 |
| Description: | RealPlayer has a buffer overflow vulnerability in the Flash Media .swf file processing code. If a user is tricked into playing a maliciously formed Flash Media file, arbitrary code may be executed with the privileges of the user. |
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
beagle: untrusted search path vulnerability
| Package(s): | beagle |
CVE #(s): | CVE-2006-1296
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local
users to gain privileges via a malicious beagle-info program in the current
working directory, or possibly directories specified in the PATH. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
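The hard-link race described in the bzip2 entry is easy to stage. The following is an added example (your editor's code, not bzip2's; the file names, the modes and the chmod_by_path / chmod_by_fd helpers are constructed for the demonstration) showing why applying permissions to the output name is the bug, and the descriptor-based check that avoids it:

```python
import os
import stat
import tempfile

def chmod_by_path(out_path, mode):
    # Shape of the bug: the decompressor finishes writing, then applies the
    # archive's recorded mode to the output *name*. If that name has meanwhile
    # been replaced by a hard link to another user's file, that file gets
    # the new mode.
    os.chmod(out_path, mode)

def chmod_by_fd(out_path, mode):
    # Hardened shape: operate on the descriptor of the file actually written,
    # and refuse to touch it if it is not a regular file or has more than one
    # link (a second link means someone else can reach the same inode).
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(out_path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)

def victim_mode_after(chmod_fn):
    """Stage the race in a scratch directory: a private 'victim' file, and the
    decompressor's output name already pointing at it via a hard link."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as f:
            f.write("private\n")
        os.chmod(victim, 0o600)
        out = os.path.join(d, "archive.out")
        os.link(victim, out)          # the attacker has won the race here
        chmod_fn(out, 0o644)          # the archive says 0644
        return stat.S_IMODE(os.stat(victim).st_mode)

if __name__ == "__main__":
    print(oct(victim_mode_after(chmod_by_path)))   # 0o644: victim exposed
    print(oct(victim_mode_after(chmod_by_fd)))     # 0o600: refused
```

In a real decompressor the descriptor to use is the one obtained when the output was created with O_CREAT|O_EXCL, never a fresh open of the path; the reopen above only keeps the staging short. The st_nlink check is the part worth copying: a file that can be reached by two names is not a file you alone control.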
cairo: denial of service
| Package(s): | cairo |
CVE #(s): | CVE-2006-0528
|
| Created: | March 21, 2006 |
Updated: | March 31, 2006 |
| Description: |
The cairo library (libcairo), as used in GNOME Evolution and possibly other
products, allows remote attackers to cause a denial of service (persistent
client crash) via an attached text file that contains "Content-Disposition:
inline" in the header, and a very long line in the body, which causes the
client to repeatedly crash until the e-mail message is manually removed,
possibly due to a buffer overflow, as demonstrated using an XML
attachment. |
| Alerts: |
|
Comments (none posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
crossfire: buffer overflow
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1236
|
| Created: | March 20, 2006 |
Updated: | March 22, 2006 |
| Description: |
A buffer overflow has been discovered in the crossfire game which allows
remote attackers to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
CVE #(s): | CVE-2006-1010
|
| Created: | March 14, 2006 |
Updated: | April 24, 2006 |
| Description: |
It was discovered that Crossfire, a multiplayer adventure game, performs
insufficient bounds checking on network packets when run in "oldsocketmode",
which may possibly lead to the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2006-1061
|
| Created: | March 21, 2006 |
Updated: | June 28, 2006 |
| Description: |
Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows
remote attackers to execute arbitrary commands via a TFTP URL (tftp://)
with a valid hostname and a long path. |
| Alerts: |
|
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2005-4077
|
| Created: | December 8, 2005 |
Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 10, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
drupal: multiple vulnerabilities
| Package(s): | drupal |
CVE #(s): | CVE-2006-1225
CVE-2006-1226
CVE-2006-1227
CVE-2006-1228
|
| Created: | March 17, 2006 |
Updated: | March 22, 2006 |
| Description: |
The Drupal Security Team discovered several vulnerabilities in Drupal,
a fully-featured content management and discussion engine.
- Due to missing input sanitizing a remote attacker could inject headers
of outgoing e-mail messages and use Drupal as a spam proxy. (CVE-2006-1225)
- Missing input sanity checks allows attackers to inject arbitrary web
script or HTML. (CVE-2006-1226)
- Menu items created with the menu.module lacked access control, which
might allow remote attackers to access administrator pages. (CVE-2006-1227)
- Markus Petrux discovered a bug in the session fixation which may allow
remote attackers to gain Drupal user privileges. (CVE-2006-1228)
|
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
CVE #(s): | CVE-2006-0024
|
| Created: | March 16, 2006 |
Updated: | March 22, 2006 |
| Description: |
The Macromedia Flash Player plugin has an arbitrary code execution
vulnerability that may be triggered by opening a
maliciously created Macromedia Flash file. |
| Alerts: |
|
Comments (none posted)
flex: buffer overflow
| Package(s): | flex |
CVE #(s): | CVE-2006-0459
|
| Created: | March 7, 2006 |
Updated: | March 28, 2006 |
| Description: |
Chris Moore discovered a buffer overflow in a particular class of
lexical scanners generated by flex. This could be exploited to
execute arbitrary code by feeding specially crafted input to an
application that uses such a flex scanner for parsing. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
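Both the gdb entry above (initialization files sourced from the working directory) and the beagle entry earlier on this page (a beagle-info program found via the current directory or PATH) are the same mistake: treating "wherever I happen to be" as a trusted location. The following added example (your editor's code, not gdb's or Beagle's; the which_naive / which_safe names, the PATH value and the planted helper are constructed) contrasts an execvp-style lookup with one that only accepts absolute, non-world-writable directories:

```python
import os
import stat
import tempfile

def which_naive(prog, path, cwd):
    # execvp-style lookup: every PATH entry is trusted, and an empty entry or
    # "." means the current working directory, wherever that happens to be.
    for entry in path.split(os.pathsep):
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry or ".")
        cand = os.path.normpath(os.path.join(base, prog))
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None

def which_safe(prog, path):
    # Only absolute entries, and only directories that others cannot write to.
    for entry in path.split(os.pathsep):
        if not os.path.isabs(entry):
            continue                      # "", ".", "bin": attacker-relative
        try:
            st = os.stat(entry)
        except OSError:
            continue
        if not stat.S_ISDIR(st.st_mode) or st.st_mode & stat.S_IWOTH:
            continue                      # anyone could drop a binary here
        cand = os.path.join(entry, prog)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None

def demo(prog="beagle-info"):
    """Plant a trojan helper in a scratch 'current directory' and resolve the
    helper's name with a PATH that starts at '.' (constructed, not a real
    installation)."""
    with tempfile.TemporaryDirectory() as cwd:
        trojan = os.path.join(cwd, prog)
        with open(trojan, "w") as f:
            f.write("#!/bin/sh\necho pwned\n")
        os.chmod(trojan, 0o755)
        path = os.pathsep.join([".", "/nonexistent-for-demo/bin"])
        return (which_naive(prog, path, cwd) == trojan,
                which_safe(prog, path) is None)

if __name__ == "__main__":
    print(demo())    # (True, True): naive finds the trojan, safe refuses
```

For configuration files the same rule applies in a different form: load a per-directory init file only if it is owned by the invoking user and not writable by anyone else, or (simpler) not at all without an explicit opt-in.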
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
CVE #(s): | CVE-2006-0049
|
| Created: | March 13, 2006 |
Updated: | May 15, 2006 |
| Description: |
Another vulnerability has been found in
GnuPG. "Signature verification of non-detached signatures may give a
positive result but when extracting the signed data, this data may be
prepended or appended with extra data not covered by the signature. Thus
it is possible for an attacker to take any signed message and inject extra
arbitrary data." |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not properly handle shell metacharacters such
as '|' and '&' in input file names. This could be exploited to execute
arbitrary commands with the user's privileges if zgrep is run in an untrusted
directory containing specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
ilohamail: missing input sanitizing
| Package(s): | ilohamail |
CVE #(s): | CVE-2005-1120
|
| Created: | March 20, 2006 |
Updated: | March 22, 2006 |
| Description: |
Ulf Härnhammar from the Debian Security Audit Project discovered that
ilohamail, a lightweight multilingual web-based IMAP/POP3 client, does not
always sanitize input provided by users which allows remote attackers to
inject arbitrary web script or HTML. |
| Alerts: |
|
Comments (none posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
CVE #(s): | CVE-2005-4601
CVE-2006-0082
|
| Created: | January 24, 2006 |
Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerability become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e. g. Thunderbird and
Gnus). |
| Alerts: |
|
Comments (none posted)
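The gzip (zgrep) entry earlier on this page and the ImageMagick delegate entry just above share a root cause: a file name is pasted into a command line that /bin/sh will parse. The following added example (your editor's code, not gzip's or ImageMagick's; the cat_* helpers and the file name are constructed, and the injected command is a harmless touch so the effect is visible as a file) shows the bug and the two fixes, quoting and avoiding the shell altogether:

```python
import os
import shlex
import subprocess
import tempfile

# Constructed attacker-chosen file name. Everything after ';' is a second
# command once the name reaches the shell unquoted.
EVIL_NAME = "notes.txt; touch marker"

def cat_vulnerable(path, cwd):
    # zgrep/delegate shape: the name is pasted into a command line that sh
    # parses, so ';', '|', '&', '$(...)' inside it become shell syntax.
    subprocess.run("cat " + path, shell=True, cwd=cwd,
                   capture_output=True, check=False)

def cat_quoted(path, cwd):
    # If a shell really is needed, quote every untrusted token before
    # building the line; shlex.quote wraps it in single quotes safely.
    subprocess.run("cat " + shlex.quote(path), shell=True, cwd=cwd,
                   capture_output=True, check=False)

def cat_argv(path, cwd):
    # Preferred fix: no shell at all. The name is one argv element and is
    # handed to cat verbatim, metacharacters included.
    subprocess.run(["cat", path], cwd=cwd, capture_output=True, check=False)

def marker_created_by(fn):
    """Run fn on a fresh directory holding a file called EVIL_NAME and report
    whether the injected 'touch marker' was executed."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, EVIL_NAME)
        with open(target, "w") as f:
            f.write("hello\n")
        fn(target, d)
        return os.path.exists(os.path.join(d, "marker"))

def demo():
    return {
        "vulnerable": marker_created_by(cat_vulnerable),
        "quoted": marker_created_by(cat_quoted),
        "argv": marker_created_by(cat_argv),
    }

if __name__ == "__main__":
    print(demo())    # {'vulnerable': True, 'quoted': False, 'argv': False}
```

The argv form is the one to reach for; quoting is for cases, like a delegate pipeline, where the shell is genuinely doing work, and then every untrusted token needs it, not just the file name.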
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 10, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all peer
payloads during the IKE negotiation phase, allowing a malicious peer to
crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-0741
CVE-2006-0555
|
| Created: | March 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
The Linux kernel has multiple vulnerabilities including
a sanity check problem with sys_mbind that can lead to a local
denial of service, an ELF vulnerability that can crash
Intel EM64T systems and an NFS client panic problem that
can be triggered by direct I/O from a local user. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3527
CVE-2005-3783
CVE-2005-3784
CVE-2005-3805
CVE-2005-3806
CVE-2005-3808
|
| Created: | January 20, 2006 |
Updated: | April 18, 2006 |
| Description: |
Here's another set of vulnerabilities in the Linux kernel:
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap of child processes in 2.6 kernels prior to 2.6.15 includes
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
|
| Alerts: |
|
Comments (none posted)
kernel-patch-vserver: missing attribute support
| Package(s): | kernel-patch-vserver util-vserver |
CVE #(s): | CVE-2005-4347
CVE-2005-4418
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Several vulnerabilities have been discovered in the Debian vserver support
for Linux. Bjørn Steinbrink discovered that the chroot barrier is not set
correctly with util-vserver which may result in unauthorized escapes from a
vserver to the host system. (CVE-2005-4347) The default policy of
util-vserver is set to trust all unknown capabilities instead of
considering them as insecure. (CVE-2005-4418) |
| Alerts: |
|
Comments (none posted)
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
CVE #(s): | CVE-2006-0042
|
| Created: | March 14, 2006 |
Updated: | April 18, 2006 |
| Description: |
An algorithm weakness has been discovered in Apache2::Request, the
generic request library for Apache2, which can be exploited remotely
to cause a denial of service through CPU consumption. |
| Alerts: |
|
Comments (5 posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu instant messaging client),
which is also included in gaim, a multi-protocol instant messaging client.
It cannot be exploited on the x86 architecture, but on others (e.g. SPARC)
it leads to a bus error, in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images, where this vulnerability might lead to
code execution with the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 10, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CVE-2005-4134
CVE-2006-0292
CVE-2006-0296
|
| Created: | February 2, 2006 |
Updated: | May 4, 2006 |
| Description: |
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites, RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack, visiting sites with extra-long titles can cause a
crash or very slow startup the next time the browser is run. |
| Alerts: |
|
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
CVE #(s): | CVE-2006-0884
|
| Created: | March 3, 2006 |
Updated: | May 4, 2006 |
| Description: |
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail. |
| Alerts: |
|
Comments (1 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When xntpd is started with the -u option and the group is given by
name rather than as a numeric gid, the daemon uses the gid of the
user rather than that of the group. This problem is fixed by this
update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
PEAR-Auth: potential authentication bypass
| Package(s): | pear-auth |
CVE #(s): | CVE-2006-0868
|
| Created: | March 17, 2006 |
Updated: | March 22, 2006 |
| Description: |
PEAR-Auth, versions 1.2.4 and before, did not correctly validate data
passed to the DB and LDAP containers. A remote attacker could possibly
exploit this vulnerability to bypass the authentication mechanism by
injecting specially crafted input to the underlying storage containers. |
| Alerts: |
|
Comments (none posted)
PeerCast: buffer overflow
| Package(s): | peercast |
CVE #(s): | CVE-2006-1148
|
| Created: | March 21, 2006 |
Updated: | March 22, 2006 |
| Description: |
Multiple stack-based buffer overflows in the procConnectArgs function in
servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute
arbitrary code via an HTTP GET request with a long (1) parameter name or
(2) value in a URL, which triggers the overflow in the nextCGIarg function
in servhs.cpp. |
| Alerts: |
|
Comments (none posted)
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-0207
CVE-2006-0208
|
| Created: | February 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
PHP has a response splitting vulnerability: remote attackers can inject
arbitrary HTTP headers via an unspecified method, possibly through a
Set-Cookie header.
Also, a number of cross-site scripting vulnerabilities can be used by
remote attackers to inject arbitrary web script or HTML. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #(s): | CVE-2005-4079
CVE-2005-3665
|
| Created: | December 12, 2005 |
Updated: | November 20, 2006 |
| Description: |
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8). |
| Alerts: |
|
Comments (none posted)
pound: HTTP Request Smuggling Attack
| Package(s): | pound |
CVE #(s): | CVE-2005-3751
|
| Created: | January 10, 2006 |
Updated: | June 8, 2006 |
| Description: |
HTTP requests with conflicting Content-Length and Transfer-Encoding headers
could lead to an HTTP request smuggling attack, which can be exploited to
bypass packet filters or poison web caches. |
| Alerts: |
|
Comments (none posted)
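The smuggling described in the pound entry comes down to two parsers disagreeing about where a request body ends. The following added example (your editor's code, not Pound's; the request bytes, the policy names and the frame / chunked_body_end helpers are constructed) frames one request under three policies and shows that a Content-Length-first front end and a chunked-first back end see different message boundaries, leaving a second request behind that the front end never inspected:

```python
# Constructed request: the chunked body ends immediately ("0\r\n\r\n"), and a
# second request is glued on behind it. Content-Length is computed to cover
# both, which is exactly the disagreement the attack relies on.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
HEAD = (b"POST / HTTP/1.1\r\n"
        + b"Host: example.invalid\r\n"
        + b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
        + b"Transfer-Encoding: chunked\r\n"
        + b"\r\n")
REQUEST = HEAD + BODY

def split_head(raw):
    """Split a request into (request line, lower-cased header dict, body bytes)."""
    i = raw.index(b"\r\n\r\n")
    lines = raw[:i].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, raw[i + 4:]

def chunked_body_end(data):
    """Offset just past a chunked body (last chunk, optional trailers, CRLF)."""
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                                # trailers until blank line
                eol = data.index(b"\r\n", pos)
                blank = (eol == pos)
                pos = eol + 2
                if blank:
                    return pos
        pos += size + 2                                # chunk data plus its CRLF

def frame(raw, policy):
    """Return (body, leftover) under one of three framing policies:
    'cl-first' - trust Content-Length when present (the naive proxy)
    'te-first' - chunked wins over Content-Length (RFC 7230 section 3.3.3)
    'strict'   - refuse a message that carries both"""
    _, headers, rest = split_head(raw)
    has_cl = b"content-length" in headers
    has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if has_cl and has_te and policy == "strict":
        raise ValueError("conflicting Content-Length and Transfer-Encoding")
    if has_te and not (policy == "cl-first" and has_cl):
        end = chunked_body_end(rest)
    elif has_cl:
        end = int(headers[b"content-length"])
    else:
        end = 0
    return rest[:end], rest[end:]

def demo():
    _, front_left = frame(REQUEST, "cl-first")   # front end: nothing left
    _, back_left = frame(REQUEST, "te-first")    # back end: a whole request left
    return front_left, back_left

if __name__ == "__main__":
    print(demo())
```

The 'strict' policy is the cheap defence for an intermediary: a legitimate client has no reason to send both headers, so refusing the message removes the ambiguity instead of trying to win the interpretation argument with whatever sits behind the proxy.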
pstotext: remote execution of arbitrary code
| Package(s): | pstotext netpbm |
CVE #(s): | CAN-2005-2471
|
| Created: | August 1, 2005 |
Updated: | March 28, 2006 |
| Description: |
Max Vozeler reported that pstotext calls the GhostScript interpreter on
untrusted PostScript files without specifying the -dSAFER option. An
attacker could craft a malicious PostScript file and entice a user to run
pstotext on it, resulting in the execution of arbitrary commands with the
permissions of the user running pstotext. See this Secunia advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
CVE #(s): | CAN-2005-2875
|
| Created: | September 19, 2005 |
Updated: | September 6, 2006 |
| Description: |
Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client. |
| Alerts: |
|
Comments (none posted)
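Why accepting a peer's pickle is the same as accepting its code, and what the narrow fix looks like, as an added example (your editor's code, not Py2Play's; the Payload class, the game-state dictionary and the allow-list are constructed, and eval("6*7") stands in for the os.system call an attacker would actually send):

```python
import io
import pickle

class Payload:
    # A peer does not need to send a real game object: __reduce__ lets a
    # pickle name any importable callable and the arguments to call it with.
    def __reduce__(self):
        return (eval, ("6*7",))

MALICIOUS = pickle.dumps(Payload())     # constructed; dumps() itself runs nothing
BENIGN = pickle.dumps({"player": "alice", "pos": (3, 4), "hp": 17})  # constructed state

def load_vulnerable(data):
    # Py2Play shape: whatever the peer sent is unpickled as-is, so the
    # callable named in the pickle is imported and invoked during load().
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    # Only these globals may be resolved; everything else (builtins.eval,
    # os.system, subprocess.Popen, ...) is refused before it can be called.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))

def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    try:
        load_restricted(MALICIOUS)
        restricted = "accepted"
    except pickle.UnpicklingError:
        restricted = "rejected"
    return {
        "vulnerable": load_vulnerable(MALICIOUS),   # 42: the peer's code ran
        "restricted": restricted,                   # 'rejected'
        "benign": load_restricted(BENIGN),          # plain data still loads
    }

if __name__ == "__main__":
    print(demo())
```

Overriding find_class is the mitigation the Python documentation itself suggests, and it is enough to stop the callable from being resolved. For game state that is just numbers, strings and containers, a data-only format such as JSON removes the problem entirely and is the better choice for anything received from a peer.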
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
CVE #(s): | |
| Created: | November 15, 2005 |
Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: |
|
Comments (none posted)
sendmail: remotely exploitable race condition
Package(s): sendmail
CVE #(s): CVE-2006-0058
Created: March 22, 2006
Updated: March 24, 2006
Description: Sendmail suffers from a race condition which may be
exploitable by a remote attacker to run arbitrary code as root. Sendmail
8.13.6 contains a fix for the problem. See this CERT advisory for (a
little) more information.
snmptrapfmt: temporary file vulnerability
Package(s): snmptrapfmt
CVE #(s): CVE-2006-0050
Created: March 22, 2006
Updated: March 22, 2006
Description: The snmptrapfmt utility contains a temporary file
vulnerability which could be exploited by a local attacker to overwrite
files.
squirrelmail: multiple vulnerabilities
Package(s): squirrelmail
CVE #(s): CVE-2006-0188, CVE-2006-0195, CVE-2006-0377
Created: February 28, 2006
Updated: June 8, 2006
Description: Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary web pages into the right frame via a URL in
the right_frame parameter. NOTE: this has been called a cross-site
scripting (XSS) issue, but it is different than what is normally
identified as XSS. (CVE-2006-0188)
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to
1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks
via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2)
a newline in a "url" specifier, which is processed by certain web browsers
including Internet Explorer. (CVE-2006-0195)
CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote
attackers to inject arbitrary IMAP commands via newline characters in the
mailbox parameter of the sqimap_mailbox_select command, aka "IMAP
injection." (CVE-2006-0377)
sudo: vulnerability via scripts
Package(s): sudo
CVE #(s): CAN-2005-4158, CVE-2006-0151
Created: December 16, 2005
Updated: September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
tar: buffer overflow
Package(s): tar
CVE #(s): CVE-2006-0300
Created: February 22, 2006
Updated: April 10, 2006
Description: A buffer overflow (exploitable via a carefully-crafted
archive file) has been discovered in GNU tar, versions 1.14 and above.
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description: The tar utility does not properly filter file names
containing "../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
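The check an unpacker needs for this class of bug, as an added example (not GNU tar's or unzip's own code): reject any member name that is absolute or that contains a ".." component before anything is created on disk. It only inspects names; members that are symbolic links are a separate matter an extractor must handle on its own.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Return true if an archive member name, interpreted relative to the
 * extraction directory, cannot escape it: it must be relative and must not
 * contain a ".." path component.  "foo/..bar" is fine; "foo/../x" and
 * "/etc/passwd" are not.
 */
bool member_name_is_safe(const char *name)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')
        return false;                  /* absolute path ignores the target directory */

    for (p = name; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;              /* ".." component climbs out of the tree */
        if (slash == NULL)
            break;
        p = slash + 1;                 /* "a//b" yields an empty component, which is harmless */
    }
    return true;
}
```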
tcpdump: multiple DoS issues
Package(s): tcpdump
CVE #(s): CAN-2005-1280, CAN-2005-1279, CAN-2005-1278
Created: May 2, 2005
Updated: April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows
remote attackers to cause a denial of service (infinite loop) via a crafted
RSVP packet of length 4. (CAN-2005-1280)
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted BGP packet, which is not properly
handled by RT_ROUTING_INFO, or LDP packet, which is not properly
handled by the ldp_print function. (CAN-2005-1279)
The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and
earlier allows remote attackers to cause a denial of service (infinite
loop) via a zero length, as demonstrated using a GRE packet.
(CAN-2005-1278)
tetex: integer overflows
texinfo: temporary file vulnerability
Package(s): texinfo
CVE #(s): CAN-2005-3011
Created: October 5, 2005
Updated: November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file
vulnerability.
tin: buffer overflow
Package(s): tin
CVE #(s): CVE-2006-0804
Created: February 19, 2006
Updated: November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader
version 1.8.0 and earlier which can lead to a buffer overflow.
unzip: long file name buffer overflow
Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local
users to execute arbitrary code via a long filename command line argument.
NOTE: since the overflow occurs in a non-setuid program, there are not many
scenarios under which it poses a vulnerability, unless unzip is passed long
arguments when it is invoked from other programs.
uw-imap: buffer overflow
Package(s): uw-imap
CVE #(s): CAN-2005-2933
Created: October 11, 2005
Updated: April 10, 2006
Description: "infamous41md" discovered a buffer overflow in uw-imap, the
University of Washington's IMAP Server, that allows attackers to execute
arbitrary code.
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges
content from HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c.
webcalendar: multiple vulnerabilities
Package(s): webcalendar
CVE #(s): CVE-2005-3949, CVE-2005-3961, CVE-2005-3982
Created: March 15, 2006
Updated: May 15, 2006
Description: The PHP-based webcalendar package suffers from three
vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input
sanitizing failure allowing local files to be overwritten (CVE-2005-3961),
and a response splitting vulnerability (CVE-2005-3982).
wzdftpd: missing input sanitizing
Package(s): wzdftpd
CVE #(s): CVE-2005-3081
Created: March 17, 2006
Updated: March 22, 2006
Description: "kcope" discovered that the wzdftpd FTP server lacks input
sanitizing for the SITE command, which may lead to the execution of
arbitrary shell commands.
xine-lib: buffer overflows
Package(s): xine-lib
CVE #(s): CAN-2004-1379
Created: September 22, 2004
Updated: April 10, 2006
Description: xine-lib (through version 1_rc6) contains buffer overflows in
the subtitle parsing and DVD sub-picture decoder code.
xine-ui: insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video
player user interface. A script contained in the package to possibly
remedy a problem or report a bug does not create temporary files in a
secure fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
xloadimage: buffer overflows
Package(s): xloadimage
CVE #(s): CAN-2005-3178
Created: October 10, 2005
Updated: May 15, 2006
Description: Three buffer overflows were discovered in xloadimage when
handling the image title name. A malicious user can construct a NIFF file
that, when viewed and processed (with either zoom, reduce or rotate) by
xloadimage, will cause the program to overwrite the return address and
execute arbitrary code.
xorg-x11-server: privilege escalation
Package(s): xorg-x11-server
CVE #(s): CVE-2006-0745
Created: March 20, 2006
Updated: March 22, 2006
Description: Coverity scanned the X.Org source code for problems and
reported their findings to the X.Org development team. Upon analysis, Alan
Coopersmith, a member of the X.Org development team, noticed a couple of
serious security issues in the findings. In particular, the Xorg server can
be exploited for root privilege escalation by passing a path to malicious
modules using the -modulepath command line argument. Also, the Xorg server
can be exploited to overwrite any root writable file on the filesystem with
the -logfile command line argument. See this bulletin for more details.
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this
advisory for details.
xpdf: potential vulnerabilities
Package(s): xpdf gpdf
CVE #(s): CVE-2006-1244
Created: February 27, 2006
Updated: April 13, 2006
Description: Derek Noonburg has fixed several potential vulnerabilities in
xpdf, which are also present in gpdf, the Portable Document Format (PDF)
viewer with Gtk bindings.
xpdf: denial of service
Package(s): xpdf kpdf
CVE #(s): CAN-2005-2097
Created: August 9, 2005
Updated: August 2, 2006
Description: A flaw was discovered in Xpdf that could allow an attacker to
construct a carefully crafted PDF file that would cause Xpdf to consume all
available disk space in /tmp when opened.
xpdf: integer overflows
Package(s): xpdf, poppler, cupsys, tetex-bin
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 5, 2006
Updated: November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can
trick a user into opening a maliciously crafted pdf file, allowing the
attacker to execute code with the privileges of the local user. This also
affects the Poppler library, cupsys and tetex-bin.
xpvm: insecure temp file
Package(s): xpvm
CVE #(s): CAN-2005-2240
Created: March 16, 2006
Updated: March 22, 2006
Description: The xpvm graphical console and monitor for PVM has an insecure
temporary file vulnerability. Local attackers can create or overwrite
arbitrary files with the privilege of the user who is running xpvm.
zlib: buffer overflow
Package(s): zlib
CVE #(s): CAN-2005-1849
Created: July 21, 2005
Updated: April 11, 2006
Description: zlib has a vulnerability that can cause programs using it to
crash if a corrupted file is opened.
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.16.1,
released on March 27.
2.6.15.7 was released at the
same time. Both patches contain a fair number of important fixes, some of
which are security-related.
There has been no 2.6 development prepatch released over the last week.
Patches are flowing into the mainline git repository at a high rate,
however; see below for a list.
The current -mm tree is 2.6.16-mm2. Recent changes to
-mm include the ability to call poll() on sysfs files (LWN coverage), support for
64-bit I/O and memory resources, priority-inheriting futex support, and a new
set of central time management patches.
Kernel development news
The flood of patches heading into the mainline continues at full rate -
though the merge window should be closing soon. The following are the
highlights from code merged since last week's summary, starting with the
user-visible changes:
- The lightweight robust
futexes patch.
- The software RAID (MD) layer can now handle on-the-fly resizing of
RAID5 arrays.
- Support for devfs has been removed from the SCSI subsystem, though it
remains in many other parts of the kernel.
- The user-space software
suspend patch.
- A big XFS update
- An 802.11 software MAC implementation for wireless networking stacks.
Version 20 of the wireless extensions API was also merged.
- The reverse-engineered Broadcom
43xx driver has been merged. As a result, the list of wireless
network cards supported by Linux has just grown considerably.
- A "memory spreading" mechanism which can be used to spread page cache
and filesystem buffer allocations across all nodes of a NUMA system.
- Two new fadvise()
operations for controlling asynchronous file writeout behavior.
- Support for reordering functions in the linked kernel image. The idea
here is to put the highly-used bits of kernel code together so that
the highly-trafficked part of the kernel fits within a single TLB
entry. Currently, only x86-64 has the infrastructure for reordering.
- Multiple-block allocation and mapping has been added to the ext3
filesystem, improving performance for sequential file access patterns.
- A new scheduling domain has been added to represent multi-core
systems.
- A new RTC subsystem has been added, providing support for a variety of
real-time hardware clocks.
Internal kernel API changes merged include:
- A new utility function has been added:
    int execute_in_process_context(void (*fn)(void *data),
                                   void *data,
                                   struct execute_work *work);
This function will arrange for fn() to be called in process
context (where it can sleep). Depending on when
execute_in_process_context() is called, fn() could
be invoked immediately or delayed by way of a work queue.
- The SMP alternatives
patch.
- A rework of the relayfs API - but the sysfs interface has been left
out for now.
- A tracing mechanism for developers debugging block subsystem code.
- There is a new internal flag (FMODE_EXEC) used to indicate
that a file has been opened for execution.
- The obsolete MODULE_PARM() macro is gone forevermore.
- A new function, flush_anon_page(), can be used in conjunction
with get_user_pages() to safely perform DMA to anonymous
pages in user space.
- Zero-filled memory can now be allocated from slab caches with
kmem_cache_zalloc(). There is also a new slab debugging
option to produce a /proc/slab_allocators file with detailed
allocation information.
- There are four new ways of creating mempools:
    mempool_t *mempool_create_page_pool(int min_nr, int order);
    mempool_t *mempool_create_kmalloc_pool(int min_nr, size_t size);
    mempool_t *mempool_create_kzalloc_pool(int min_nr, size_t size);
    mempool_t *mempool_create_slab_pool(int min_nr,
                                        struct kmem_cache *cache);
The first creates a pool which allocates whole pages (the number of
which is determined by order), while the second and third create a
pool backed by kmalloc() and kzalloc(),
respectively. The fourth is a shorthand form of creating slab-backed
pools.
- The prototype for hrtimer_forward() has changed:
    unsigned long hrtimer_forward(struct hrtimer *timer,
                                  ktime_t now, ktime_t interval);
The new now argument is expected to be the current time.
This change allows some calls to be optimized. The data
field has also been removed from the hrtimer structure.
- A whole set of generic bit operations (find first set, count set bits,
etc.) has been added, helping to unify this code across architectures
and subsystems.
- The inode f_ops pointer - which refers to the
file_operations structure for the open file - has been marked
const. Quite a bit of code, which used to change that
structure, has been changed to compensate. Similar changes have been
made in many filesystems. "The goal is both to increase
correctness (harder to accidentally write to shared datastructures)
and reducing the false sharing of cachelines with things that get
dirty in .data (while .rodata is nicely read only and thus cache
clean)."
If the usual pattern holds, the merging of new features will stop sometime
around the end of the month, with 2.6.17-rc1 being released shortly
thereafter.
"Holy cow."
That was Andrew Morton's reaction to a
34-part patch, posted by Peter Zijlstra, which creates an abstract API for
page replacement policies. The page replacement code is at the core of the
virtual memory system; it is, essentially, a set of heuristics which must
decide which pages should be evicted from main memory and made available
for other uses. Page replacement is a bit of a black art; it is easy to
see when a system is managing memory poorly, but the path to improvements
is often far from clear. Memory management in Linux was a sore point
for many years, but it seems to work well for most loads now. Given that
all this tricky code has finally been beaten into reasonably good shape,
why would anybody want to mess with it now?
The answer is that there is quite a bit of research work going into
alternative page replacement mechanisms, and Linux might just be able to
benefit from some of that work. After all, few people would say that Linux
virtual memory works so well that there is no room for improvement.
This massive patch set creates an API for page replacement
algorithms, allowing them to be changed at will. Or, at least, changed at
reboot; there is currently no provision for loading replacement algorithms
as modules or swapping them out on the fly. But, by selecting a page
replacement scheme at kernel configuration time, system administrators can
choose one which best suits their workload. Virtual memory hackers and
others can play with different algorithms to see how they work out. And
there is no need to pick one in particular as the page replacement
algorithm for the Linux kernel.
To work with this API, a page replacement algorithm must define a set of
specific functions. Thus, for example, there is a pair of initialization
functions:
    void page_replace_init(void);
    void page_replace_init_zone(struct zone *zone);
These functions, called at boot time, prepare the page replacement code to
work with the system it finds itself running on.
When the core kernel knows something about the use of specific pages, it
can tell the replacement algorithm with these calls:
    void page_replace_hint_active(struct page *page);
    void page_replace_hint_use_once(struct page *page);
The first is called when the kernel notes that the page is in active use,
while the second indicates that the page is unlikely to be used again in
the near future.
There are various other functions for helping with the housekeeping, but
the core of the API is this function here:
    void page_replace_candidates(struct zone *zone, int count,
                                 struct list_head *list);
This function must select up to count pages from the given zone
as candidates for eviction. This is where the page replacement code will
gaze into its crystal ball to figure out which pages will not be used again
anytime soon; those are the ones which will be singled out and passed back
to the core kernel.
Quite a few other functions exist. They deal with issues like page
migration, tracking of non-resident pages, printing out information from
the page replacement code, and more. See the
documentation file for a full list and brief explanation of those other
functions.
The patch set also contains four different page replacement mechanisms.
One is the modified least-recently-used (LRU) code found in current
kernels, reworked to use the new API. Another is the CLOCK-PRO
algorithm, covered here last
August. There is an implementation of the CART technique, discussed in this paper
[PDF]. Then there is a simple random replacement scheme, seemingly
just for the fun of it. Actually, the random
replacement patch is, due to its simplicity, a good place to start for
somebody interested in seeing what a modularized page replacement algorithm
looks like.
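To make the shape of such a policy concrete, here is a small user-space model of one plugged into the API described above, as an added illustration rather than code from Peter Zijlstra's patch set. It implements the second-chance CLOCK heuristic (a close cousin of the LRU approximation in current kernels); struct zone and struct page are simplified stand-ins, and page_replace_candidates() fills an array instead of a list_head.

```c
#include <string.h>

#define ZONE_PAGES 8     /* constructed: a tiny model zone */

/* Stand-in for the kernel's struct page: only what this policy needs. */
struct page {
    int referenced;      /* set by page_replace_hint_active(), cleared by the sweep */
    int resident;        /* 0 once the page has been handed back as a candidate */
};

/* Stand-in for struct zone: its pages plus the policy's own state (the CLOCK hand). */
struct zone {
    struct page pages[ZONE_PAGES];
    int hand;            /* index of the next page the sweep will inspect */
    int nr_resident;
};

void page_replace_init(void)
{
    /* Nothing global to set up in this model; a real policy might size
       its non-resident page tracking here. */
}

void page_replace_init_zone(struct zone *zone)
{
    int i;

    memset(zone, 0, sizeof(*zone));
    for (i = 0; i < ZONE_PAGES; i++)
        zone->pages[i].resident = 1;
    zone->nr_resident = ZONE_PAGES;
}

/* The core kernel saw the page in active use: give it a second chance. */
void page_replace_hint_active(struct page *page)
{
    page->referenced = 1;
}

/* The core kernel expects no reuse soon: let the sweep take it first. */
void page_replace_hint_use_once(struct page *page)
{
    page->referenced = 0;
}

/*
 * The heart of the API: select up to count eviction candidates.
 * Second-chance CLOCK: sweep from the hand, clear the referenced bit of
 * any page that has it set (and move on), and evict the first pages found
 * without it.  Returns the number of candidates stored in list[].
 */
int page_replace_candidates(struct zone *zone, int count, struct page **list)
{
    int found = 0, inspected = 0;

    /* Two full turns of the hand are enough: every resident page is either
       cleared on the first pass or evicted on the second. */
    while (found < count && inspected < 2 * ZONE_PAGES) {
        struct page *p = &zone->pages[zone->hand];

        zone->hand = (zone->hand + 1) % ZONE_PAGES;
        inspected++;
        if (!p->resident)
            continue;
        if (p->referenced) {
            p->referenced = 0;         /* second chance: skip it this time */
            continue;
        }
        p->resident = 0;
        zone->nr_resident--;
        list[found++] = p;
    }
    return found;
}
```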
This patch looks somewhat similar to the pluggable CPU schedulers patch,
which allows the scheduling algorithm to be changed. That patch continues
to be maintained, but, since its initial posting in 2004, it has never been
seriously considered for inclusion into the mainline kernel. There is a
strong preference toward figuring out what's wrong - if anything - with the
current code and fixing it, rather than creating a mechanism for playing
with entirely different implementations. Thus, Andrew Morton followed his
initial response with:
Rather than replacing the whole lot four times I'd really prefer to
see precise descriptions of these problems, see if we can improve
the situation incrementally rather than wholesale slash-n-burn...
Linus has a similar opinion, and,
additionally, is not convinced that page replacement is really an issue
needing a great deal of attention. "It smells like university
research to me."
The proponents of this patch respond that there are, indeed, situations
where the current code falls apart. Given that, the next logical step
would seem to be gathering information on the cases where Linux memory
management fails. Then the developers can start to think about what needs
to be done to address those failures. Even if the page replacement
framework patches are never merged, it looks like they may help to drive
forward the next phase of work in Linux memory management algorithms.
That should be a good thing regardless.
Applications like network servers that need to monitor multiple file
descriptors using
select(),
poll(),
or (on Linux)
epoll_wait()
sometimes face a problem:
how to wait until either one of the file descriptors becomes ready,
or a signal (say,
SIGINT)
is delivered. These system calls, as it turns out, do not interact
entirely well with signals.
A seemingly obvious solution would be to write an empty handler for the signal,
so that the signal delivery interrupts the
select() call:
    #include <signal.h>
    #include <sys/select.h>

    static void handler(int sig) { /* do nothing */ }

    int main(int argc, char *argv[])
    {
        fd_set readfds;
        struct sigaction sa;
        int nfds, ready;

        sa.sa_handler = handler;        /* Establish signal handler */
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;
        sigaction(SIGINT, &sa, NULL);

        /* ... */

        ready = select(nfds, &readfds, NULL, NULL, NULL);

        /* ... */
    }
After select() returns we can determine what happened by looking
at the function result and errno. If errno comes back as
EINTR, we know that the select() call was interrupted by
a signal, and can act accordingly. But this solution suffers from a race
condition: if the SIGINT signal is delivered after the call to
sigaction(), but before the call to
select(), it will fail to interrupt that select() call
and will thus be lost.
We can try playing various games like setting a global flag
within the signal handler and monitoring that flag in the main program,
and using
sigprocmask()
to block the signal until just before the
select()
call.
However, none of these techniques can entirely eliminate the race condition:
there is always some interval, no matter how brief,
where the signal could be handled before the
select()
call is started.
The traditional solution to this problem is the so-called
self-pipe trick, often credited to
D J Bernstein.
Using this technique, a program establishes a signal handler
that writes a byte to a specially created pipe whose read end is
also monitored by the
select().
The self-pipe trick
cleverly solves the problem of safely waiting either for a
file descriptor to become ready or a signal to be delivered.
However, it requires a relatively large amount of code to implement
a requirement that is essentially simple.
(For example, a robust solution requires marking both
the read and write ends of the pipe non-blocking.)
For this reason, the POSIX.1g committee devised an enhanced version of
select(),
called
pselect().
The major difference between
select()
and
pselect()
is that the latter call has a signal mask
(sigset_t)
as an additional argument:
    int pselect(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
                const struct timespec *timeout, const sigset_t *sigmask);
The
sigmask
argument specifies a set of signals that should be blocked during the
pselect()
call; it overrides the current signal mask for the duration of that call.
So, when we make the following call:
    ready = pselect(nfds, &readfds, &writefds, &exceptfds,
                    timeout, &sigmask);
the kernel performs a sequence of steps that
is equivalent to atomically performing the following system calls:
    sigset_t sigsaved;

    sigprocmask(SIG_SETMASK, &sigmask, &sigsaved);
    ready = select(nfds, &readfds, &writefds, &exceptfds, timeout);
    sigprocmask(SIG_SETMASK, &sigsaved, NULL);
For some time now, glibc has provided a library implementation of
pselect() that actually uses the above sequence of system calls.
The problem is that this implementation remains vulnerable to the very race
condition that pselect() was designed to avoid, because the
separate system calls are not executed as an atomic unit.
Using
pselect(),
we can safely wait for either a signal to be delivered
or a file descriptor to become ready,
by replacing the first part of our example program with the following code:
    sigset_t emptyset, blockset;

    sigemptyset(&blockset);         /* Block SIGINT */
    sigaddset(&blockset, SIGINT);
    sigprocmask(SIG_BLOCK, &blockset, NULL);

    sa.sa_handler = handler;        /* Establish signal handler */
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, NULL);

    /* Initialize nfds and readfds, and perhaps do other work here */

    /* Unblock signal, then wait for signal or ready file descriptor */
    sigemptyset(&emptyset);
    ready = pselect(nfds, &readfds, NULL, NULL, NULL, &emptyset);
    ...
This code works because the
SIGINT
signal is only unblocked once control has passed to the kernel.
As a result, there is no point where the signal can be delivered before
pselect()
executes.
If the signal is generated while
pselect()
is blocked, then, as with
select(),
the system call is interrupted, and the signal is delivered
before the system call returns.
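The technique above, carried through to a complete program as an added example (not the article's own code): SIGINT is blocked everywhere except inside pselect(), so a signal generated before the call is held pending and interrupts the call instead of being lost. The wait helper's return codes and the five-second stdin demonstration in main() are this example's own conventions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

/* Set by the handler; sig_atomic_t is the only type a handler may safely write. */
static volatile sig_atomic_t got_sigint = 0;

static void handler(int sig)
{
    (void)sig;
    got_sigint = 1;
}

/*
 * Install the SIGINT handler and block SIGINT in the caller's signal mask.
 * From here on the signal can only be delivered inside pselect(), which
 * swaps in an empty mask for the duration of the call.  Returns 0 on success.
 */
int setup_sigint(void)
{
    struct sigaction sa;
    sigset_t blockset;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                  /* no SA_RESTART: we want EINTR back */
    if (sigaction(SIGINT, &sa, NULL) == -1)
        return -1;

    sigemptyset(&blockset);
    sigaddset(&blockset, SIGINT);
    return sigprocmask(SIG_BLOCK, &blockset, NULL);
}

/*
 * Wait until fd is readable, SIGINT arrives, or timeout (NULL = forever) expires.
 * Returns 1 if fd is readable, 0 on timeout, -1 if interrupted by a signal,
 * -2 on any other error.
 */
int wait_fd_or_sigint(int fd, const struct timespec *timeout)
{
    fd_set readfds;
    sigset_t emptyset;
    int ready;

    FD_ZERO(&readfds);
    FD_SET(fd, &readfds);
    sigemptyset(&emptyset);           /* the kernel unblocks SIGINT only while it waits */

    ready = pselect(fd + 1, &readfds, NULL, NULL, timeout, &emptyset);
    if (ready == -1)
        return errno == EINTR ? -1 : -2;
    return ready > 0 ? 1 : 0;
}

int main(void)
{
    struct timespec five_seconds = { 5, 0 };
    int rc;

    if (setup_sigint() == -1) {
        perror("setup_sigint");
        return 1;
    }
    printf("type something or press Ctrl-C within 5 seconds\n");
    rc = wait_fd_or_sigint(STDIN_FILENO, &five_seconds);
    if (rc == 1)
        printf("stdin is readable\n");
    else if (rc == 0)
        printf("timed out\n");
    else if (rc == -1)
        printf("interrupted by SIGINT (handler ran: %d)\n", (int)got_sigint);
    else
        perror("pselect");
    return 0;
}
```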
Although
pselect()
was conceived several years ago, and was already publicized in 1998 by
W. Richard Stevens
in his
Unix Network Programming, vol. 1, 2nd ed.,
actual implementations have been slow to appear.
Their eventual appearance in recent releases of various Unix
implementations has been driven in part by the fact that
the 2001 revision of the POSIX.1 standard requires a conforming
system to support
pselect().
With the 2.6.16 kernel release,
and the required wrapper function that appears in
the recently released glibc 2.4,
pselect()
also becomes available on Linux.
Linux 2.6.16 also includes a new (but nonstandard)
ppoll()
system call, which adds a signal mask argument to the traditional
poll()
interface:
    int ppoll(struct pollfd *fds, nfds_t nfds, const struct timespec *timeout,
              const sigset_t *sigmask);
This system call adds the same functionality to
poll()
that
pselect()
adds to
select().
Not to be left in the cold, the
epoll maintainer has patches in the pipeline to add
similar functionality in the form of a new
epoll_pwait()
system call.
There are a few other, minor differences between
pselect() and
ppoll()
and their traditional counterparts.
For example the type of the
timeout
is:
    struct timespec {
        long tv_sec;        /* Seconds */
        long tv_nsec;       /* Nanoseconds */
    };
This allows the timeout interval to be specified with greater precision than
is available with the older system calls.
The glibc wrappers for
pselect()
and
ppoll()
also hide a couple of details of the underlying system calls.
First, the system calls actually expect the signal mask
argument to be described by two arguments, one of which is a
pointer to a
sigset_t
structure, while the other is an integer that indicates
the size of that structure in bytes.
This allows for the possibility of a larger
sigset_t
type in the future.
The underlying system calls also modify their
timeout
argument so that on an early return
(because a file descriptor became ready,
or a signal was delivered), the caller knows how
much of the timeout remained.
However, the respective wrapper functions
hide this detail by making a local copy of the
timeout
argument and passing that copy to the underlying system calls.
(The Linux
select()
system call also modifies its
timeout
argument, and this behavior is visible to applications.
However, many other
select()
implementations don't modify this argument.
POSIX.1 permits either behavior in a
select()
implementation.)
Further details of
pselect()
and
ppoll()
can be found in the latest versions of the
select(2)
and
poll(2)
man pages, which can be found
here.
Page editor: Jonathan Corbet
Distributions
News and Editorials
It is time for a look at the
LWN Distributions
List. The last update ran in the
April 15,
2005 edition of this page. At that time there were 405 active
distributions, but no mention of how many historical distributions. Now we
have a whopping total of 504 distributions; 455 active plus 49 in the
historical section. Compared to some years, not very many projects have
been removed in the last year. Several that seemed to be dead managed to
come back to life, proving that it's hard to keep a good distribution down.
One example is
Impi Linux. It was
removed late last year when its link resolved to
Ubuntu Linux. The new Impi is the
official representative of Ubuntu and the official Ubuntu support provider
in Africa, and a provider of customized desktop systems.
Once upon a time dead distributions had a tendency to turn into porn
sites. That doesn't happen anymore. Instead they lead to domains for
sale, collections of Linux links and more general shopping sites. Good-Day
GNU/Linux HA Server, once a Japanese distribution, has been pointing to a
Debian Apache placeholder page for at least the last six months. Others
that have disappeared include ARSIG, Bluewall GNU/Linux, COSIX, Dettu[Xx],
Eshida Instant Embedded Linux, Evelin, LBA-Linux, Linux/Epia, Madeinlinux,
SquiggleOS and White Dwarf Linux.
Black Lab Linux was Terra Soft Solutions' Linux for HPC Clusters. That
functionality was rolled into Yellow Dog Linux.
Simply GNUstep
packages can still be found at SourceForge, but somewhere it stopped being
a unique distribution and turned into packages for Debian Sarge desktops.
Those haven't been updated since January 2004.
Conectiva and Lycoris were acquired by Mandriva last year. At that time
several Conectiva employees and Lycoris founder Joseph Cheek were hired by
Mandriva. Immunix was bought by Novell.
Linux-SIS was the Thai School Internet Server project. There is still a School Net web site, but it doesn't
look like a Linux distribution anymore.
Finally, WHAX and Auditor joined forces to become BackTrack. So while
Backtrack is on the list, the entries for WHAX and Auditor have been removed.
As usual, the list gets updated once or twice a week. If you find anything
missing or out of date let us know.
New Releases
BLAG 30003 is the third update of this single-CD distribution, based on
Fedora Core 3 with updates from Fedora Legacy and additional applications
from Dag, Freshrpms, NewRPMS, and custom packages.
FreeRTOS.org has
announced
the release of FreeRTOS v4 with ports supporting Luminary Micro's
Stellaris(TM) family of microcontrollers, featuring the ARM Cortex-M3
microcontroller core. "FreeRTOS.org is a portable, open source
miniature Real Time Kernel for use in embedded applications. FreeRTOS.org
is free to download and royalty free for use even in commercial
applications, subject to the license."
MEPIS founder Warren Woodford has announced a test release of SimplyMEPIS
6.0, incorporating software from the Ubuntu Dapper package pools. This is
the first version of SimplyMEPIS with an Ubuntu base. "Mark Shuttleworth,
founder of Canonical, said "Collaboration with MEPIS will help Ubuntu offer
even higher quality desktop packages for KDE users, and expands the number
of people who can benefit from our work on system integration, desktop
polish and Linux kernel reliability. The MEPIS community is vibrant and
energetic and it will be exciting to be able to work more closely with
them, while still respecting the ways in which Ubuntu and MEPIS are
distinct.""
Comments (none posted)
rPath has updated rPath Linux 1. "Refreshed ISO images, release 1.0.1, have
been made available for new installations of rPath Linux 1. These images
include all updates through and including updates released on 23 March
2006. If you have already installed rPath Linux 1, you should update your
current system rather than reinstall using the new images."
Full Story (comments: none)
The OpenVZ project has released prebuilt kernel packages for SUSE 10
distributions. "Kernel has the same functionality and feature set as base
SUSE development kernel (2.6.16-rc5-git9), combined with the power of
OpenVZ virtualization technology, equivalent to the latest OpenVZ
development kernel (026test005.1)."
Comments (none posted)
Distribution News
Over the last two weeks, Debian developer Martin Michlmayr compiled the
whole Debian archive on a quad-core MIPS machine donated by Broadcom using
GCC 4.1. The aim was to find problems in GCC 4.1 itself and bugs in free
software projects exhibited by GCC's increased standards conformance (in
particular regarding C++ code). By compiling about 6200 packages, over 500
new bugs have been discovered and submitted, 280 of which are specific to
the increased strictness of GCC 4.1. In a posting to the Debian development
list, Martin classified the bugs he found and offered some useful links to
programmers of C++ code. In a posting to the GCC list, he proposed that GCC
should only produce new errors after warnings have been shown for at least
one release, giving programmers more time to fix their code. This work is
part of his research on quality in free software carried out at the
University of Cambridge and sponsored by Google.
Full Story (comments: 18)
The second call for votes contains a look at the votes so far, in the 2006
DPL elections. The voting period ends at 23:59:59 UTC on April 8, 2006.
Full Story (comments: none)
It seems that the CentOS developers recently had a little run-in with the
city manager of Tuttle, Oklahoma, who accused them of having taken over his
city's web servers. The resulting email exchange has been posted for our
amusement. "I am computer literate! I have 22 years in computer systems
engineering and operation. Now, can you tell me how to remove 'your
software' that you acknowledge you provided free of charge? I consider this
'hacking'. I have no fear of the media, in fact I welcome this publicity."
It all ends happily, though.
Comments (84 posted)
The initial Ubuntu release - 4.10 or "Warty Warthog" - will reach the end of
its 18 months of support on April 30. The delay of "Dapper" means that there
will be a one-month window where 4.10 users will have to upgrade to
something else (the "Hoary" or "Breezy" releases) in order to have
continuous support. "The Ubuntu 4.10 release changed the landscape of the
Linux desktop. Quickly gaining popularity in homes, schools, businesses and
governments around the world, Ubuntu is now widely considered the Linux
desktop of choice."
Full Story (comments: 20)
Boxed sets of Slackware 11.0 can be pre-ordered at the Slackware store.
Meanwhile, the Slackware -current ChangeLog shows plenty of upgrades and
bug fixes in preparation.
Comments (none posted)
New Distributions
DesktopLinux introduces Taiwan's B2D Linux. "The new version -- B2D's sixth
distribution release since March 2005 -- is called "PureKGB" and bundles
applications from both the KDE and GNOME Linux environments, the project
said."
Comments (none posted)
Distribution Newsletters
The Debian Weekly News for March 28, 2006 is out. This edition looks at an
RSS feed for DWN, the call for votes in the Debian Project Leader election
("which has seen the lowest participation ever in a Debian project leader
election seen so far"), deprecating debmake after etch, notes from past
events, the new Debian-Edu/Skolelinux release, and several other topics.
Full Story (comments: none)
The Fedora Weekly News for March 27, 2006 looks at the Fedora Core 5
release announcement, Congratulations from Fedora Project Leader, Fedora
Core 5 Now Available, Announcing FUDCon Boston 2006, Fedora Core 5
Feedbacks, Macromedia Flash Yum Repository for FC5, Space Optimization for
Fedora Core 6, ATrpms for FC5/i386 and FC5/x86_64, and several other topics.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of March 27, 2006 covers the
search for new members for the Security team, a Bugzilla category change,
Ruby on Rails in Portage, and several other topics.
Comments (none posted)
The DistroWatch Weekly for March 27, 2006 is out. "Following last week's
Fedora 5 release, the next few days will be equally exciting: we are
expecting KDE 3.5.2, DesktopBSD 1.0, Frugalware 0.4 and the first release
candidate of SUSE Linux 10.1. Before that happens, we'll bring you news
about MEPIS switching allegiance, Slackware preparing version 11.0, and
Debian compiling with GCC 4.1. Also in this week's issue: Ulteo, a new
distribution developed by the founder of Mandrake Linux is nearing release,
while the user community of PCLinuxOS gets a new community resource. In the
review section we'll take a brief look at an intriguing book entitled
Mastering FreeBSD and OpenBSD Security."
Comments (none posted)
Package updates
Updates for Fedora Core 5:
php-pear
(update to XML_RPC 1.4.5),
scim-anthy (bug
178400),
anthy (new upstream release),
shadow-utils (FC5 update),
cpio (FC5 update),
libsepol (rebuild for FC5),
bind (minor fixes),
file (fc5 update),
readahead (cleanup),
gnome-applet-vm (add dependence on usermode),
man (fix the encoding of the Bulgarian
translation),
db4 (FC5 update),
gok (update to 1.0.7),
gedit (update to 2.14.1),
epiphany (update to 2.14.0),
evolution-connector (update to 2.6.0),
evolution-data-server (update to 1.6.0),
gnome-power-manager (update to 2.14.0),
pyorbit (update to 2.14.0),
totem (update to 1.4.0),
libglade2 (make non-ASCII invisible characters
work),
gnome-icon-theme (update to 2.14.2),
shared-mime-info (bug fixes),
libxklavier (update to 2.2),
gnome-vfs2 (packaging fix),
gstreamer-plugins-base (bug fixes),
gstreamer (bug fixes),
cpio (bug fix),
squirrelmail (fix Japanese mail),
mtr (update to mtr-0.71),
tix (make sure libTix8.4.so is in
/usr/lib/Tix8.4),
xterm (upgrade to
upstream version 211),
checkpolicy (update
to NSA release),
libselinux (update to NSA
release),
libsemanage (update to NSA
release),
policycoreutils (update to NSA
release),
selinux-policy (update to NSA
release),
libsetrans (update to NSA
release),
cpio (bug fixes),
kernel (upgrade to 2.6.16.1),
gconf-editor (bug fix),
spamassassin (upgrade to 3.1.1),
mlocate (update to mlocate-0.14),
scim (bug fix),
system-config-kickstart (bug fixes),
ncpfs (remove opt flags).
Updates for Fedora Core 4: xterm
(bug 183993), tzdata (upstream 2006b), logwatch (update to 7.2.1), authconfig (bug fixes), squirrelmail (fix Japanese mail), glibc (bug fixes), mtr (update to mtr-0.71), perl (bug fixes), system-config-nfs (rebase to 1.3.19), gdm (fix the occasional crash).
Comments (none posted)
Trustix has released a bug fix advisory covering initscripts, php4 and
xinetd for TSL 2.2 and 3.0.
Full Story (comments: none)
Yellow Dog Linux has released a new set of YDL 4.01 updates.
Full Story (comments: none)
Distribution reviews
IBM developerWorks has a quick review of Damn Small Linux. "The popularity
of Linux has grown by leaps and bounds. With so many distributions of Linux
out there, selecting the best operating system for your business needs can
be a challenge. But if you're looking for a great bundle of software in a
small package, look no further than DSL Linux (also known as Demi-Sized
Linux or the more common Damn Small Linux), one of the best "mini-Linux"
distributions available. In this quick review, you see how to use DSL
Linux, what applications come with the package, how to load and start it on
your machine, and how to save between sessions when working from a bootable
CD."
Comments (none posted)
Linux.com reviews Trustix Secure Linux 2.2. "Trustix concentrates on
keeping it simple. You won't get a GUI or the latest bells and whistles.
What you do get with Trustix is a small and secure distribution that
incorporates IBM's Stack Smash Protection, which protects the system and
applications from stack-smashing attacks. This is one of the major forms of
attacks, and many secure Linux distros have this turned on by default."
Comments (none posted)
NewsForge looks at VectorLinux SOHO. "VectorLinux provides three editions
(Standard, Deluxe, and SOHO) to cater to almost any Linux user. The SOHO
Edition (Small Office, Home Office) includes KDE rather than the
lightweight window managers provided with the Standard Edition. Despite the
resource-hungry KDE desktop, VectorLinux SOHO still manages to be probably
the fastest non-source distro on the planet, thanks to its use of a
Slackware base, refinement of boot and shutdown scripts, well-chosen
applications, and the loading of only necessary services."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Version 0.1DR2.2 of XMMS2, the X(cross)platform Music Multiplexing System,
was announced this week. The project is still in the early stages of
development.
This release is forged by the wormholes of
Stargate, Swedish schlager music, Chilean beaches and a lament for a
loved one. DrDoolittle is a minor-feature-addition and bug-fix
release instead of the expected major-break-the-world release. We
decided that enough critical fixes and small features were available
to make a release. You can watch the new Roadmap in order to see
what's going on with future releases.
XMMS2 is a redesign of XMMS, the popular X Multimedia System music player.
XMMS2 is a redesign of the XMMS (http://www.xmms.org) music player. It features a client-server model, allowing multiple (even simultaneous!) user interfaces, both textual and graphical. All common audio formats are supported using plugins. On top of this, there is a flexible media library to organize your music.
Your editor, who only recently started using XMMS, decided to see what
XMMS2 had to offer. A handy Ubuntu "Breezy Badger" package set was
available for download.
The XMMS2 and dependent packages installed with no trouble.
Firing up xmms2 for the first time yielded some mysterious error messages.
A little digging around on the XMMS2 web site turned up the "Using the
application" document, which showed the way to making xmms2 work: it is
first necessary to start xmms2d, the xmms2 daemon, before running xmms2.
Unlike the old XMMS GUI, xmms2 is a simple command line tool. Running
xmms2 yields a list of possible command line options. One must first
select a file or top-level directory where the audio files reside. The
"xmms2 radd directory" command, followed by "xmms2 play", started the
player. The "xmms2 next" command aborts playing of the current track and
moves to the next one. The "xmms2 stop" command stops playing, and
"xmms2 quit" shuts down the xmms2d process.
The basic installation works fine with .wav files, but an attempt to
install the xmms2-flac decoder produced a dependency error.
It seems that libflac6 is required by XMMS2, but the Synaptic package
manager reports that the package is uninstallable.
The command line interface is sufficient for basic testing, but
leaves the user wanting a GUI. There is a long list of
GUI clients available, but none were included with the basic
XMMS2 packages. At this point, XMMS2 is currently not an exact
replacement for XMMS.
XMMS2 can perform the basic music playing function, but it is still
a bit early in its development to consider it prime-time software.
Your editor is looking forward to future developments on the project.
Comments (7 posted)
System Applications
Database Software
Version 2.00 Beta 2 of the Firebird database, including a Classic kit for
AMD64 Linux, is available for testing.
Comments (none posted)
A new Firebird database Developer's Journal has been launched. "Well, after
many months of thinking about this idea, we are finally starting this
journal. It's intended to provide you with all the necessary news about the
Firebird development process. So if you cannot (or just don't want to)
follow the development mailing lists closely, this is your chance to still
be informed about the progress."
Comments (none posted)
The March 26, 2006 edition of the PostgreSQL Weekly News is online
with new articles and resources.
Full Story (comments: none)
Embedded Systems
Version 1.1.1 of BusyBox, a condensed collection of command line utilities
for embedded systems, is out. "The new maintainer is Rob Landley, and the
new release is BusyBox 1.1.1. Expect a "what's new" document in a few
days."
Comments (none posted)
Filesystem Utilities
Version 1.6.1 of the Radmind tools is available for download. Radmind is:
"A suite of Unix command-line tools and a server designed to remotely
administer the file systems of multiple Unix machines. For Mac OS X,
there's also a graphical interface.
At its core, radmind operates as a tripwire. It is able to detect changes
to any managed filesystem object, e.g. files, directories, links, etc.
However, radmind goes further than just integrity checking: once a change
is detected, radmind can optionally reverse the change."
Comments (none posted)
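To make the tripwire idea in the Radmind description concrete, here is an
added Python example written for this page; it is not radmind's own code
and does not use radmind's file formats. It snapshots a managed tree into a
manifest of SHA-256 hashes, classifies files as added, removed or modified
against that baseline, and then reverses the detected changes from a
pristine store. The directory layout, file contents and the simulated
tampering are all constructed for the demonstration, and the function names
(snapshot, diff, restore, demo) are hypothetical.

```python
"""Minimal tripwire-style integrity check, added as an illustration of the
detect-then-reverse model described for radmind. Not radmind code."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Return {relative_path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # regular files only, to keep the example short
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff(baseline: dict, current: dict) -> dict:
    """Classify the current manifest's differences from the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def restore(root: Path, store: Path, changes: dict) -> None:
    """Reverse detected changes using pristine copies kept in `store`."""
    for rel in changes["added"]:
        (root / rel).unlink()          # unexpected file: remove it
    for rel in changes["removed"] + changes["modified"]:
        dst = root / rel               # missing or altered: re-copy original
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(store / rel, dst)


def demo() -> tuple:
    """Constructed scenario; returns (changes detected, changes after restore)."""
    work = Path(tempfile.mkdtemp())
    root, store = work / "managed", work / "store"
    # Build identical managed tree and pristine store (constructed sample data)
    for base in (root, store):
        (base / "etc").mkdir(parents=True)
        (base / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (base / "bin").mkdir()
        (base / "bin" / "tool").write_bytes(b"\x7fELF-stand-in")
    baseline = snapshot(store)  # the pristine store doubles as the baseline
    # Simulated tampering on the managed tree (constructed, not real events)
    (root / "etc" / "hosts").write_text(
        "127.0.0.1 localhost\n192.0.2.9 added.example\n")
    (root / "bin" / "tool").unlink()
    (root / "bin" / "dropper").write_bytes(b"unexpected")
    changes = diff(baseline, snapshot(root))
    restore(root, store, changes)
    after = diff(baseline, snapshot(root))
    shutil.rmtree(work)
    return changes, after


if __name__ == "__main__":
    detected, remaining = demo()
    print("detected:", detected)
    print("after restore:", remaining)
```

The baseline here is a content hash per path, which catches modifications
that preserve size and timestamps; a production tool would also record
ownership, mode and link targets, and would keep the baseline somewhere the
managed host cannot rewrite it.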
Version 0.95 of SICM is out with support for Perl 5.8.8 and improved
documentation. "SICM is a tool to monitor, graph and alert the capacity of
computing devices and applications. SICM runs on a Windows or Linux device
on your network, 24 hours every day and constantly records the capacity
parameters of any networked device using snmp, ping or custom modules. The
recorded data is stored for later reference via a user friendly menu-driven
web browser. E-mail alerts are raised if a user determined number of
queries fail."
Comments (none posted)
Interoperability
Version 4.0.0 TP2, the second technology preview of Samba 4, is available
for testing. "Samba 4 is the ambitious next version of the Samba suite that
is being developed in parallel to the stable 3.0 series. The main emphasis
in this branch is support for the Active Directory logon protocols used by
Windows 2000 and above."
Full Story (comments: 1)
ZDNet reviews the latest preview release of Samba. "Vernooij said the
second test version of Samba 4 was aimed at "allowing users, managers and
developers to see how we have progressed and to invite feedback and
support." The development team has made more than 80 modifications to the
software since the initial release, including better internal application
programming interfaces and code quality in Samba's client-side
application."
Comments (none posted)
Mail Software
Version 2.1.8b1 of GNU Mailman, a mailing list manager, has been announced.
"This is a beta test release, which includes security enhancement and bug
fixes in 2.1.7. It is highly recommended that all sites update to 2.1.8b1."
Comments (none posted)
Version 8.13.6 of Sendmail, a mail transfer agent, has been announced.
"Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.13.6. It contains a fix for a security problem discovered by
Mark Dowd of ISS X-Force. Sendmail thanks ISS for bringing this problem to
our attention and reviewing the patch for it. sendmail 8.13.6 also includes
fixes for other potential problems, see the release notes below for more
details."
Comments (none posted)
Printing
Release candidate 1 of the CUPS 1.2 printing system has been announced.
"The first release candidate of CUPS 1.2 is now available for download from
the CUPS web site. We are also providing binary packages for Red Hat
Enterprise Linux 4 (32-bit + 64-bit Intel), Fedora Core 4 (32-bit Intel),
and MacOS X 10.4 (32-bit PowerPC + Intel) for your convenience."
Comments (none posted)
Web Site Development
Version 1.10.1 of Bricolage, a web content management and publishing
system, is out. "This maintenance release adds a few new features, a number
of improvements, and many bug fixes. Highlights include new SOAP modules,
improved packaging support, and smoother upgrades from 1.8.x versions."
Full Story (comments: none)
Stable version 0.10 of KForge has been released; it adds new capabilities
and includes some bug fixes. "KForge is an open-source (GPL) system for
managing software and knowledge projects. It re-uses existing best-of-breed
tools such as a versioned storage (subversion), a tracker (trac), and wiki
(trac or moinmoin), integrating them with the system's own facilities
(projects, users, permissions etc). KForge also provides a complete web
interface for project administration as well as a fully-developed plugin
system so that new services and features can be easily added."
Comments (none posted)
Version 0.9a2 of TurboGears, a Python-based web framework, has been
announced. "We've had a whole raftload of feedback and contributions since
the release of 0.9a1. 0.9 is becoming considerably more solid, but I'm not
going to upgrade it to beta until there are more docs. Be sure to read the
upgrade instructions, because you'll need to make some changes to come from
0.9a1 or 0.8 to this release."
Comments (none posted)
Desktop Applications
Business Applications
Version 0.0.15 of Tina POS has been released. "Tina POS is a point of sale
application designed for touch screens. Supports ESC/POS ticket printers,
customer displays and barcode scanners. It's multiuser and has a great
backoffice with a product entry form, reports and charts.
This new release adds important changes to the code base of Tina POS; a lot
of refactoring has been done."
Comments (none posted)
Desktop Environments
GnomeDesktop.org points to an interesting article by Peter Chabada on
improving the desktop. "An article "40+ Suggestions for a Better Desktop"
discusses how to extend recent desktops to improve their usability. Ideas
in this article cover a wide range of desktop applications, e.g. Nautilus,
multimedia, spreadsheets, mail clients, configuration, security..."
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at gnomefiles.org.
Comments (none posted)
KDE.News looks at the release announcement for the K Desktop Environment
3.5.2. "This second update release in the KDE 3.5 series brings an improved
user experience and stability by focusing exclusively on translations and
bug fixes."
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at kde-apps.org.
Comments (none posted)
Desktop Publishing
Version 1.3.3 of Scribus, a cross-platform open source page layout
application, is out. "The 1.3.3 release is the fourth development version
working towards a new stable 1.4. Within this release period over 200 bugs
and feature requests were completed, mostly focused on usability and
correctness."
Full Story (comments: none)
Electronics
Version 1.2.5 of jtag-o-mat, a cross-platform interface to JTAG test ports
on embedded microprocessor devices, is out. "This program provides a simple
but highly flexible interface to JTAG hardware. In contrast to similar
projects, the focus is on running automatic JTAG sequences. The code has
been kept intentionally simple to maintain portability and allow
modification without the risk of spoiling too many dependent parts."
Comments (none posted)
Version 2006-03-28 of Kicad, a printed circuit CAD application, is
available. Changes include wxWidgets 2.6.3 support and bug fixes.
Comments (none posted)
Version 1.0.7 of KJWaves is out. "KJWaves was written to be a
cross-platform SPICE tool in pure Java. It aids in viewing, modifying, and
simulating SPICE CIRCUIT files. Output from SPICE3 (ngspice) can be read
and displayed. Resulting graphs may be printed and saved."
Comments (none posted)
Development snapshot 20060321 of PCB, a printed circuit CAD application,
has been announced. "I have made a new snapshot for pcb. It is anticipated
that this is the last snapshot using only the GTK gui and that further
releases will be based on the HID version of pcb."
Comments (none posted)
Financial Applications
Version 2.6.8 of SQL-Ledger, a web-based accounting system, is available.
Changes include improvements to invoice batch printing, balance
calculations, translations, and more.
Comments (none posted)
Games
The PyGame site lists several new game releases including GalaxyMage 0.3.0,
Astrocrash 2.0, Legacy of Magic alpha-2 and more.
Comments (none posted)
Version 0.47 of Stendhal, a multi-platform multi-player online adventure
game, is available. "Stendhal features a new, rich and expanding world in
which you can explore towns, buildings, plains, caves and dungeons.
You will meet NPCs and acquire tasks and quests for valuable experience and
cold hard cash.
Your character will develop and grow and with each new level up become
stronger and better. With the money you acquire you can buy new items and
improve your armour and weapons.
And for the blood thirsty of you; satisfy your killing desires by roaming
the world in search of evil monsters!
This release fixes LOTS of bugs that we have received, and adds some new
interesting features like doors and keys, and two new big game areas:
Wofol, the kobold's city that is suitable for team play of players around
level 10-20 and N'mon, the lich fortress under the Orril castle, that is
only for the most brave players."
Comments (none posted)
GUI Packages
Version 3.16 of PyQt, the Python Language Bindings for Qt, is out. "The
main benefit of this release is that it can be installed side by side with
the soon-to-be-released PyQt v4 (for Qt v4)."
Full Story (comments: none)
Version 2.6.3 of wxWidgets, a cross-platform GUI toolkit, is out. "This is
a bug fix release. Notable improvements include Mac universal binary
creation with the command-line tools, Windows Mobile 5.0 support, context
menu and enhanced file selector support on Windows CE, AMD 64-bit
compilation on Windows, better VC++ 2005 support, and more efficient paint
handling on wxGTK."
Comments (none posted)
Interoperability
The March 24, 2006 edition of the Wine Weekly Newsletter has been
published. Topics include: Wine 0.9.10, Fedora Packages Available, Windows
Vista & Wine, Confusing Macros, Disabling Networking and Mech Commander 2
Source Available.
Comments (none posted)
Digital Photography
Version 2.1 of Gallery, a web-based photo album organizer, has been
announced. "This release is a substantial improvement over Gallery 2.0 in
both features and performance. We've added 10 new modules supporting
features like RSS, ratings, permanent links, Picasa and Google Sitemaps.
We've made many changes to the core framework to reduce code size and
improve our performance, and this release includes page level caching which
can provide a profound performance increase in most situations. This
release has also received a professional security audit."
Comments (none posted)
Video Applications
Version 20060325 of Open Movie Editor is available. "Open Movie Editor is
designed to be a simple tool that provides basic movie making capabilities.
It aims to be powerful enough for the amateur movie artist, yet easy to
use."
Comments (none posted)
Miscellaneous
Version 5.9.3 of Maxima, a computer algebra system written in Common Lisp,
has been released. "This version provides a build system expanded for
internationalization, many revised and expanded functions, improved
documentation, new add-on packages, and fixes."
Full Story (comments: none)
GnomeDesktop looks at Nautilus-actions. "I'm happy to announce that it is
now possible to share your actions created for Nautilus-actions on its web
site.
Nautilus-actions is an extension for Nautilus, the GNOME file manager. It
allows the addition of arbitrary programs to be launched through the
Nautilus popup menu on files that are selected."
Comments (none posted)
Languages and Tools
Caml
The March 21-28, 2006 edition of the Caml Weekly News is out with new
Caml language articles.
Full Story (comments: none)
Java
Dejan Bosanac works with Spring configuration in an O'Reilly article. "In
this article I will present some configuration tips for the Spring MVC
framework that could help you manage multiple instances of your
Spring-based web application. The configuration management topic is often
neglected in the literature, but as we will see, it is very important for
real-life web development. It is not directly related to any particular
technology, so we will start by explaining the basic concepts of the
problem. Next, we will focus on the Spring MVC framework and offer a few
solutions for projects developed using this technology."
Comments (none posted)
Lisp
Version 0.9.11 of Steel Bank Common Lisp is available. "William Harold
Newman has announced SBCL 0.9.11 on 26 March 2006. This version provides
experimental support for x86/Darwin under MacOS X on Intel, performance
improvements, and more."
Full Story (comments: none)
Version 0.9.2 of McCLIM is available. "This version includes several
changes such as a new installation process, improved backends, new
documentation and examples, and more. McCLIM is an open-source
implementation of the CLIM 2 (Common Lisp Interface Manager)
specification. CLIM is "a powerful Lisp-based programming interface that
provides a layered set of portable facilities for constructing user
interfaces"."
Full Story (comments: none)
Python
Python version 2.4.3, release candidate 1 has been announced. "Python 2.4.3
is a bug-fix release. See the release notes at the website for details of
the more than 50 bugs squished in this release, including a number found by
the Coverity Scan project.
Assuming no major problems crop up, a final release of Python 2.4.3 will
follow in about a week's time."
Full Story (comments: none)
The March 27, 2006 edition of Dr. Dobb's Python-URL!
is online with a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The March 28, 2006 edition of Dr. Dobb's Tcl-URL!
is online with new Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Kurt Cagle introduces XForms in part two of an O'Reilly Xml.com series.
"What I wanted to look at in this particular article is a much simpler walk
through to put together an XForm based application that illustrates that it
really isn't that difficult to create an XForm - you just have to have an
understanding of what exactly XForms really are."
Comments (2 posted)
IDEs
Version 3.8.2 of eric3, an IDE for Python and Ruby, has been announced:
"this is to let all of you know about the release of eric3 3.8.2. This
version fixes a compatibility bug with the latest PyQt release (PyQt
3.16). Eric3 is a Python and Ruby IDE with batteries included."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet covers the EclipseCon keynote by Greg Stein, chairman of the Apache
Software Foundation. "Over time you're not going to see people paying for
software anymore. All your software will be free. Customization, install,
config, and maintenance will require expenditures. I predict that in 5-10
years most of the software you use will be free.
So how do you win? The main thing is to track the licen[s]ing pressure
trend. Everything is going down the stack. There are only a few types of
software that can stay up at the top. Serviced based stuff. Software heavy
in content, like modern games. Tax software, different in every state
(needs a lot of paid people to research it, etc.). But most is going to go
down."
Comments (5 posted)
According to this ZDNet Australia article, former Massachusetts CIO Peter
Quinn knows what's holding back desktop Linux adoption. "He pointed to the
'sandal and ponytail set' as detracting from the business-ready appearance
of open-source technology and blamed the developers for the inertia for
business Linux adoption. 'Open source has an unprofessional appearance,
and the community needs to be more business savvy in order to start to make
inroads in areas traditionally dominated by commercial software
vendors.'"
Comments (29 posted)
Here's a Financial Times article giving a general overview of open source
adoption in the developing world. "In the developing world, graduates with
programming skills may have an extended family network depending on them as
the breadwinner - so spending time debugging open source code for no
payment will be especially hard to justify. 'The ability to become an
active contributor to free software is at the moment limited to fairly
wealthy countries and communities,' says Ubuntu founder Mark Shuttleworth."
(Thanks to Philip Webb).
Comments (7 posted)
Trade Shows and Conferences
Linux Journal has a conference report from the FOSS Means Business
Conference in Belfast. "Framed by two large stained glass windows, an
impressive church pipe organ and an altar, Bruce Perens began his keynote
by spreading his hands wide and uttering the words, "Dearly beloved". After
the laughter died down, Perens joked further by comparing programmers to
clergy, with references to "oaths of poverty", "chastity" and "celibacy"
thrown in for good measure. Overall, Perens delivered an entertaining
keynote, recounting tales from his days at Pixar and his first experience
with collaborative software development across the Internet, apparently
unbeknown to his Pixar bosses."
Comments (10 posted)
NewsForge looks at the FreedomHEC unconference. "FreedomHEC is scheduled
for May 26 and 27, and will follow Microsoft's WinHEC, which takes place in
Seattle May 23 through 25. The idea behind FreedomHEC is to provide a
"shadow" conference to WinHEC to teach Windows hardware developers how easy
it is to make hardware compatible with Linux and other free operating
systems."
Comments (2 posted)
IT Manager's Journal covers the Idlelo2 Conference in Nairobi, Kenya.
"Last month Nairobi, Kenya, hosted the Idlelo2 Conference, a major African
free and open source software (FOSS) symposium sponsored by the United
Nations Economic Commission for Africa (UNECA), InWEnt Capacity Building
International, Germany, and the eGovernment Directorate of Kenya. We spoke
with one of the organizers of this year's conference, Milton Aineruhanga,
program officer for Women of Uganda Network (WOUGNET)."
Comments (none posted)
Alan Runyan covers the recent Plone Symposium. "The Plone Symposium March
8-10 was a very special event. It was one of the first events to be held in
New Orleans post Katrina. Quite a few people were hesitant to come to the
Symposium event since New Orleans was shown in such bad condition on the
national news. We still managed to pull in about 100 attendees for a full
three days of tutorials, talks, birds of a feather and lightning talks. Oh
and of course socializing. Lots of socializing *grin*"
Comments (none posted)
Companies
Linux-Watch reports that Microsoft has joined the Open Document Format
standards body, and may have done so in order to slow down the group's
progress. "Microsoft claims that Apple, Intel, and numerous Microsoft
partners and resellers, such as InterKnowlogy LLC and The Computer Solution
Company, have joined the Open XML group.
Perhaps a more significant move than this public relations announcement, is
that Microsoft's Jim Thatcher has just joined the U.S. national body
responsible for the JTC1 SC34 "V1 Text Processing: Office and Publishing
Systems Interface," which, in turn, is the group responsible for
shepherding the ODF (OpenDocument Format) through the ISO (the
International Organization for Standardization) certification process."
Comments (4 posted)
News.com reports on Novell's newest customers. "Novell drove home its open
source gospel Tuesday, trotting out three major converts to its Linux
software suites: the Finnish military, a New England bank and a New York
hospital chain.
The announcements came on the second day of BrainShare Global 2006, the
week-long conference that has drawn more than 6,000 Novell users,
developers and sellers to the downtown Salt Lake Convention Center."
Comments (none posted)
CRN
reports
that Juergen Geck, former CTO of SUSE Linux, is leaving Novell.
"
Last November, SUSE founder Hubert Mantel resigned from Novell
following a corporate restructuring that claimed 600 jobs, a number of them
at SUSE headquarters in Nuremberg, Germany. Earlier, in May, Novell lost
former SUSE CEO Richard Seibt, who served as president of Novell's
subsidiary for Europe, the Middle East and Africa (EMEA) after the
acquisition. And in July, SUSE channel chief Petra Heinrich announced her
resignation. Heinrich, who headed Novell's European, Middle East and Asia
channel operations, joined Open-Xchange as its top sales executive."
Comments (none posted)
Interviews
IT Wire
talks
with Jon "maddog" Hall about Linux on the desktop. "
In the
desktop space, Maddog dismisses suggestions that Linux still faces
challenges with usability in areas such as the installation of new
applications. "I don't think that it's Linux itself that has to do work in
that area. I think it's the people who create the applications that you
want to install," he says."
Comments (14 posted)
The People Behind KDE have
interviewed Marco Gulino.
"
In what ways do you make a contribution to KDE? First of
all with my own project, KMobileTools. I also created the Konqueror Sidebar
for Amarok. And I do bug reporting/fixing, when I can. (I mean of other's
apps of course. It would be weird if I wouldn't solve my own bugs.)"
(Found on
KDE.News)
Comments (none posted)
Linux-Watch
interviews Jack
Messman. "
Messman also sees Microsoft's stumbling introduction
of Vista as opening the door for Novell's forthcoming SLED (SUSE Linux
Enterprise Desktop) 10. "People tell us that the more they learn about
Vista, the more they see that switching to it isn't a migration; it's a
conversion.""
Comments (none posted)
NewsForge
interviews
Theo de Raadt of OpenBSD. "
NF: You regularly organize events
called hackathons. What exactly is a hackathon? TdR: This is
something we started many years ago. A bunch of us would fly to one
location (typically before or after a conference) and we would sit down and
code. These events really are about getting tasks done; there is very
little chatter, as we already know basically what needs to be done. They
are not meetings, no one presents talks, nor are they so-called
summits. They are for taking action in the source tree, knowing that the
guy you need to ask a question of really quickly is sitting at a table a
meter away."
Comments (33 posted)
Resources
Linux.com
shows how to bundle multiple live CDs on one DVD.
"
Nautopia.net has put up a script that you can use to make a
custom DVD to boot multiple live CDs.
The Nautopia script currently supports Knoppix, Kanotix, Kurumin, Livux, MEPIS, ProMEPIS, Slax, Aurox, BerryLinux, Basilisk, Adios, PCLinuxOS, MandrakeMove, Gnoppix, RiP, SystemRescueCD, Ultimate Boot CD, and INSERT distributions. Grab a couple of live CDs of any of the above listed distributions".
Comments (1 posted)
Linux Journal
covers
the aAqua.org (Almost All Questions Answered) web site. "
Thanks to
work done by the prestigious Indian Institute of Technology (IIT-Bombay)
and its partners, IT-savvy and knowledge-hungry people across rural India
now can find relevant, demand-driven farming knowledge on the aAqua.org Web
site. So far, the site has been a great way to bring together people such
as Prasad Kaledhonkar, who has a clue about what the white patterns
emerging on tomato plant leaves are; farmer's daughter Niyatee Nilesh, who
wants advice on buying agricultural land; and Shirish, from rural
Maharashtra, who wants to learn about using waste water from the school
kitchen to irrigate gardens and crops."
Comments (none posted)
eWeek
covers the
Trails framework, a new open source framework aimed at making Java easier
for developers. "
Some might call Nelson a flatterer, as imitation is
considered the finest form of flattery and Trails gets some of its notions
from the popular, though non-Java, Ruby on Rails framework. But Nelson said
Trails was simply "inspired" by Ruby on Rails but is not a Java-based clone
of it. "Developing J2EE [Java 2 Platform, Enterprise Edition] is just too
hard," Nelson said in a talk at TheServerSide Java Symposium here on March
23. "Things like Hibernate, Spring, etc., make it easier, but it's still
too hard. Ruby on Rails raises the bar," he said."
Comments (2 posted)
NewsForge
has
some tips for podcasters using Audacity. "
Open source software
makes podcasting easy -- too easy. Listening to a playlist of first-timer
podcasts can leave your ears ringing from sudden changes in playback
volume. The problem is audio mastering. Recording sound is simple, but
mastering that sound -- compressing volume differences, maintaining a
decibel ceiling, and similar operations -- is anything but. Fortunately,
an open source tool offers everything you need for mastering podcasts and
other spoken-word recordings. Audacity is well-known among podcasters on
all platforms for its ability as an editor; here are some tips and tools
for mastering and adjusting volume, aimed at podcasters, but they could
apply to anyone who needs to produce a spoken-word recording under
less-than-perfect conditions."
Comments (1 posted)
Linux.com
looks at a
few desktop enhancement tools. "
Torsmo differs from other system
monitors, such as GKrellM, in that it does not spawn a new window, but
instead renders text directly to your desktop. It can display almost
anything about your system, including uptime, current CPU usage, network
activity, hard drive usage, memory usage, and swap usage. The program's
developers wrote it to use as little of your system's resources as
possible, and it does a good job of this."
Comments (3 posted)
Joe Barr
looks at
getting extra security by running Snort on an OpenWrt router.
"
Nicholas Thill -- known as Nico in the OpenWrt community --
maintains three separate packages for Snort in his repository of
packages. They include a plain Jane version, without any support for
logging to a database, and two database-specific packages: one for MySQL
and one for PostgreSQL. All are based on the Snort release 2.3.3-1 and are
considered to be in a testing state and not yet included in the official
release."
Comments (1 posted)
Reviews
Marcel Gagné
looks at
KDissert on Unix Review. "
Thomas Nagy's kdissert is an
application referred to as a mind mapping tool. Its purpose is to help you
create complex documents such as a thesis, or a dissertation, or a
presentation. And yes, perhaps even an article or a book. You do that by
creating a map of your ideas, a mind map, that allows you to structure the
ideas you already have into the basis for producing a high-quality,
well-ordered document." (Found on
KDE.News)
Comments (2 posted)
Linux Journal
reviews the book
Linux Multimedia Hacks.
"
If you're interested in multimedia and the penguin, you certainly must be puzzled by the plethora of software available for Linux. Which one fits your needs?
Linux Multimedia Hacks (LMH) explores several software options, the ones the author feels are worth spending time with. In terms of the hacks I tested for the purpose of this review, as well as my personal tastes, I have to say that I'm pleased by the choices the author made. With the help of this book, I've been able to solve all of the issues I encountered while trying to edit video on my Linux box."
Comments (none posted)
Groklaw
takes a
look at
Linux
Screen Reader 0.1.0. From the LSR homepage: "
The Linux Screen
Reader (LSR) is an application that transforms the contents of the computer
screen to other media, enabling non-visual access to the graphical Gnome
desktop environment."
Comments (3 posted)
NewsForge
looks at Open Tax Solver (OTS), a tax application that was written by
Aston Roberts.
"
Roberts says almost all tax software -- including popular programs such as TurboTax and TaxCut -- will calculate taxes, but describes OTS as an alternative method. "It operates quite differently from the commercial packages, which tend to be question-oriented, or interview-oriented," he says. "For some people, the interview method may be better, but others have found the direct input approach of OTS to be quicker, especially to those who have done taxes before and basically know where to put their numbers, but want to automate the math.""
Comments (6 posted)
Amauta
takes
a quick look at the
Linux App
Finder. "
Since many Linux applications are free and have no
marketing to inform the public of their existence, it is often difficult to
find the right program when it is needed. The goal of Linux App Finder is
to make finding the right software an easy task by grouping programs into
categories and allowing for a task based search."
Comments (7 posted)
Linux.com has
a review of thoggen, a DVD ripping tool. "
That said, I still recommend Thoggen. For one thing, I can't heap enough praise on the interface. Simplicity is the watchword, and Thoggen gets it just right, presenting the user with the appropriate choices and working out the necessary details itself. Transcoding video is complicated, but Thoggen manages to make it simple. A lot of other apps could learn a lot from its design decisions."
Comments (14 posted)
Miscellaneous
ZDNet
reports that the Mozilla Foundation will be using some of its money to fund outside developers. "
The foundation made $5.8 million in 2004 and is thought to have made tens of millions of dollars last year, predominantly from partnerships with search companies, such as Google and Yahoo. Though much of its money has gone toward increasing its head count, some has been used to bulk up its reserve fund.
Mitchell Baker, the chief executive of the Mozilla Corporation, the commercial subsidiary of the Mozilla Foundation, said Mozilla plans to put some of its excess revenues back into the community."
Comments (2 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Apple's
patent
#7,016,944, issued on March 21, seems somehow familiar: "
The
present invention is a system and method that monitors upgrade availability
for computer information on a user's computer and allows the user to
determine which of the available upgrades will be downloaded to the user's
computer and installed. The upgrade availability for computer information
on the user's computer is monitored in the background, without
user-intervention when the user connects to a network, such as the
Internet. If any such upgrades are available, a flag is set to notify the
user of such upgrades. The user is notified of any available upgrades when
computer information is accessed for which an upgrade is available, and
given a choice of whether or not to download the available
upgrade(s)." Filed in 1999. (Seen on
Macsimum
News by way of
FFII).
Comments (18 posted)
The Free Software Foundation has announced that the GPL has been
upheld by a US court in the Wallace Vs FSF case.
"
On Monday March 20, 2006 US Federal Judge John Daniel Tinder, dismissed
the Sherman Act antitrust claims brought against the Free Software
Foundation. The claims made by Plaintiff Daniel Wallace included: that
the General Public License (GPL) constituted a contract, combination or
conspiracy; that it created an unreasonable restraint of trade; and that
the FSF conspired with IBM, Red Hat Inc., Novell and other individuals
to pool and cross-license their copyrighted intellectual property in a
predatory price fixing scheme."
Full Story (comments: none)
OSDL has announced the creation of the "Fellowship Fund." "
The Fund
will provide financial support to software developers working on Linux and
open source community projects that don't otherwise have access to
financial resources or support." Funding decisions will be made by
the OSDL board, with input from the newly-formed (kernel-heavy) technical
advisory board. There is no information on the size of the fund.
Full Story (comments: 1)
The
BusyBox project is obtaining
license enforcement management from the Software Freedom Law Center.
"
..we're pleased to announce that the Software Freedom Law Center has agreed to represent BusyBox and uClibc. We join a number of other free and open source software projects (such as X.org, Wine, and Plone in being represented by a fairly cool bunch of lawyers, which is not a phrase you get to use every day."
Comments (none posted)
Commercial announcements
Amanda has
announced the release
of version 2.5 of its open source backup and recovery software.
Comments (none posted)
ANTs software inc. has
announced its LinuxWorld exhibit.
"
ANTs software inc., a developer of universally compatible,
high-performance SQL database management systems, today announced it will be
exhibiting in the IBM Business Partner Pavilion, Booth 612, at this year's
LinuxWorld Conference & Expo in Boston. Expo attendees will have the
opportunity to talk with representatives from ANTs software and IBM, as well
as examine the latest ANTs Data Server running on a variety of Linux 64-bit
operating systems on both AMD Opteron and Intel platforms."
Comments (none posted)
BitRock has announced the release of BitRock LAMPStack 5.
"
BitRock LAMPStack 5 is an integrated, easy to install LAMP distribution that
includes the latest major releases of Apache, PHP, MySQL, Python, and
supporting libraries. The stack is now available for download at
www.bitrock.com."
Full Story (comments: none)
CodeSourcery, Inc. has
announced the availability Sourcery G++ GNU Toolchain for Luminary Micro's Stellaris Microcontrollers.
"
In partnership with ARM, Ltd., CodeSourcery develops improvements
to the GNU Toolchain for ARM processors and provides regular, carefully
tested, precompiled releases of the GNU Toolchain. CodeSourcery's current
release of Sourcery G++ includes full support for the ARM Cortex-M3
microcontroller core and Luminary Micro's Stellaris family of
microcontrollers."
Comments (none posted)
MySQL AB
has announced the joining of its Network Certified Partner Program
by IBM and EMC.
"
Among other co-marketing and promotion activities with MySQL, both companies will be sponsors of next month's MySQL Users Conference in Santa Clara, California.
The multi-tiered MySQL Network Certified Partner Program enables ISV partners to certify that their software has been tested and is compatible with the MySQL certified database server and related MySQL tools. The program also offers opportunities to hardware vendors and consulting companies to leverage the growing adoption of MySQL within mainstream IT organizations."
Comments (none posted)
OpenPKG has announced the establishment of OpenPKG GmbH, a sibling
organization with the dedicated goal of providing commercial services to
OpenPKG business customers. "
The Open Source software project
OpenPKG was founded in 2000 by Ralf S. Engelschall and first released to
the public in January 2002. Today OpenPKG is a mature technology in
production use. It is maintained and improved by its original developers
and volunteer contributors. Its end user and developer community is
organized in the OpenPKG Foundation e.V. while its business customers are
looked after by the OpenPKG GmbH."
Full Story (comments: none)
SpectSoft LLC has announced their RaveHD 2.0 video recording software.
"
SpectSofts newest version not only offers new features that
include reverse
audio, slave record, deck standby, and 2K HSDL support but the overhaul of
the existing code base now takes RaveHD 2.0 to a client/server product and
makes this product an extensive VTR replacement solution. The client/server
implementation allows studios to control many DDRs from a single interface in
addition to making the GUI modular and easily modified."
Full Story (comments: none)
Sun Microsystems, Inc. has
announced the release of its UltraSPARC T1 Processor Design
specifications under the GNU GPL license.
"
Sun Microsystems Inc. today announced a significant
milestone in its OpenSPARC Initiative aimed at the creation of the world's
first multi-core, multi-threaded eco-system: publication of the hardware
design point and the Solaris(TM) 10 Operating System (OS) porting
specifications for the breakthrough UltraSPARC T1 processor. For the first
time in history, developers gain access to the chip multi-threading (CMT)
technology unique to the UltraSPARC T1 processor, which will be released under
the OSI-compliant GNU General Public License (GPL)."
Comments (2 posted)
Third Brigade has announced protection from a recent Sendmail vulnerability
by its Intrusion Prevention System.
"
Third Brigade, Inc. today announced
that customers that have deployed Deep Security, its advanced Intrusion
Prevention System (IPS), are protected from attacks that could exploit a
vulnerability recently disclosed in Sendmail."
Full Story (comments: none)
New Books
Visibooks, LLC has
announced the publication of four new OpenOffice.org textbooks.
"
An increasing number of schools in the U.S. and worldwide are
using and teaching OpenOffice.org, a free, open-source suite of word
processing, presentation, spreadsheet, and database programs.
To serve these schools, Visibooks has published the first series of
textbooks that help students learn OpenOffice.org programs.
Visibooks has published four new textbooks on the programs that make up
the OpenOffice.org 2.0 office suite: Base, Calc, Impress, and Writer. The
titles are The Visibooks Guide to Base 2.0, The Visibooks Guide to
Calc 2.0, The Visibooks Guide to Impress 2.0, and The Visibooks Guide
to Writer 2.0."
Comments (none posted)
O'Reilly has published the book
The Art of SQL
by Stephane Faroult and Peter Robson.
Full Story (comments: none)
O'Reilly has published the book
Google: The Missing Manual,
2nd Edition by Sarah Milstein, J. D. Biersdorfer, and Matthew MacDonald.
Full Story (comments: none)
Resources
Falko Timme has announced a new HowtoForge
tutorial on setting up NFS servers.
"
in this tutorial I will describe how to set up a high-availability NFS
server that can be used as storage solution for other high-availability
services like, for example, a cluster of web servers that are being
loadbalanced.
In fact, I will create two NFS servers that mirror their data to each other
in realtime using DRBD and that monitor each other using heartbeat, and if
one NFS server fails, the other takes over silently."
Full Story (comments: none)
Contests and Awards
rPath has announced a set of awards for the use of its rBuilder software.
"
rPath is offering additional cash awards to winners of the VMware
Ultimate Virtual Appliance Challenge who use its rBuilder Online technology
to build a winning virtual appliance entry. In addition to VMware's prize
offerings, rPath will pay out up to $25,000 to the top three entries and
five best of category prizes. "This is a unique opportunity for developers
to showcase their skills, while experiencing the flexibility and control
that rBuilder provides," said Erik Troan, rPath founder and CTO."
Full Story (comments: none)
Education and Certification
The Linux Professional Institute will hold certification exams at
the LinuxWorld Boston conference on April 4-6, 2006.
Pre-registration
is required.
Full Story (comments: none)
Tuxaco will hold new Linux training courses in the UK.
"
OSC members, Tuxaco have recently announced that they will be providing
public Linux courses in London and Birmingham, so the company can now offer
classroom teaching in addition to its existing portfolio of onsite Linux
courses."
Full Story (comments: none)
Calls for Presentations
GnomeDesktop has
announced
the final Call for Papers (March 31) for the GUADEC 2006 conference.
The event will be held in Vilanova i la Geltrú, Spain on June 24-30, 2006.
"
As you probably know, March 31st (next Friday) is the deadline of the GUADEC 2006 Call for Participation. If you have a session in mind please submit it before then, even if it's only a draft or a collection of ideas. You will have more time to explain yourself once your session is submitted and scheduled.
This year we have two new GUADEC phases apart from the 3 GUADEC Core days. They are also at your disposal and you are invited to submit sessions for these phases as well. Think of GUADEC as a funnel, where the WarmUp weekend is the wide entry, GUADEC Core is the neck and the After Hours workshops are in the exit, where the results of the discussions are distilled in hands-on work."
Comments (none posted)
Upcoming Events
FreedomHEC, the High-intensity learning, networking and taking-back-the-PC-industry unconference will take place on
May 26-27, 2006 in Seattle, Washington.
Full Story (comments: none)
The Gelato Itanium Conference & Expo will take place during the
week of April 24, 2006 in San Jose, CA.
"
Join other end users, developers, researchers, ISVs, and system vendors for an outstanding technical program comprised of 50+ Linux
Itanium-centric talks."
Full Story (comments: none)
Registration is open for the Linux Audio Conference 2006.
The event takes place on April 27-30, 2006 in Karlsruhe, Germany.
Full Story (comments: none)
Optaros will be holding an Open Source Webinar Series.
"
Planned sessions throughout the year will include:
* April 25 - Open Source and Customer Relationship Management,
* June 27 - Service Oriented Architecture and Open Source Solutions,
* August 24 - Overcoming Barriers to Open Source Adoption,
* September 26 - Content Management Challenges and Open Source Solutions and
* December 12 - Open Source Year in Review".
Full Story (comments: none)
Registration is open for the PostgreSQL Anniversary Summit.
The event will take place on July 8-9, 2006 in Toronto, Canada.
"
This 2-day event will feature numerous presentations and community sessions to
let community members share their knowledge. Many major contributors to
PostgreSQL will be there, and most of them will be speaking or leading coding
sessions: Tom Lane, Bruce Momjian, Tatsuo Ishii, Gavin Sherry, Neil Conway
and more. At the event we will also discuss and coordinate community
advocacy and fundraising efforts."
Full Story (comments: none)
rPath CTO and co-founder Erik Troan will be demonstrating rBuilder at the
LinuxWorld Expo on April 4.
"
rBuilder is the engine for creating and maintaining software
appliances. With rBuilder, a software developer combines an application
with a tailored version of rPath Linux and as a result delivers a
software appliance to the customer. Customers get the benefit of the
application without the hassle of coordinating multiple maintenance
streams, release schedules, and service contracts."
Full Story (comments: none)
Samba eXPerience 2006
will take place in Göttingen, Germany on April 24-26, 2006.
"
The fifth "sambaXP" is again the leading conference event focussing on
the most important free software alternative to non free file servers.
25 talks from developers, users and vendors will show the particular
importance of this Free Software alternative for Windows clients.
This year's highlights are the user reports."
Full Story (comments: none)
| Date | Event | Location |
| March 30 - 31, 2006 | PHP Quebec
2006 | (Plaza Montreal Hotel)Montreal, Canada |
| April 3 - 6, 2006 | Embedded Systems
Conference(ESC) | (McEnery Convention Center)San Jose, CA |
| April 3 - 7, 2006 | CanSecWest/core06 | (Marriott Renaissance Harbourside
hotel)Vancouver, Canada |
| April 3 - 4, 2006 | Freedom To Connect
2006(FTC) | (AFI Silver Theater)Washington, DC |
| April 3 - 6, 2006 | LinuxWorld Conference and
Expo | (Boston Convention and Exposition Center)Boston, MA |
| April 7 - 9, 2006 | Notacon 3 | (Holiday
Inn Select Cleveland)Cleveland, OH |
| April 7, 2006 | FUDCon Boston
2006 | Boston, Mass. USA |
| April 11 - 12, 2006 | CELF
Embedded Linux Conference | San Jose, California |
| April 15 - 16, 2006 | LayerOne
2006 | (Pasadena Hilton)Pasadena, California |
| April 19 - 22, 2006 | Forum
Internacional Software Livre 7.0(FISL) | Porto Alegre, Brazil |
| April 19 - 20, 2006 | UK Python
Conference | (Randolph Hotel)Oxford, England |
| April 20 - 22, 2006 | International
Conference on Availability, Reliability and Security(AReS 2006) | Vienna,
Austria |
| April 21 - 23, 2006 | Penguicon
4.0 | Livonia, Michigan |
| April 23 - 26, 2006 | ItaniumR Conference and
Expo 2006(Gelato ICE) | San Jose, CA |
| April 24 - 26, 2006 | LinuxWorld &
NetworkWorld Canada 2006 Conference & Expo | (Metro Toronto Convention Centre, North
Bldg.)Toronto, Canada |
| April 24 - 27, 2006 | MySQL Users
Conference | Santa Clara, CA |
| April 24 - 25, 2006 | 2006 Desktop Linux
Summit | (Manchester Grand Hyatt)San Diego, CA |
| April 24 - 26, 2006 | SambaXP 2006 | (Clarion
Parkhotel)Göttingen, Germany |
| April 26 - 28, 2006 | php|tek
2006 | (Orlando Airport Marriott Hotel)Orlando, FL |
| April 27 - 30, 2006 | Linux Audio
Conference(LAC2006) | (ZKM)Karlsruhe, Germany |
| April 29, 2006 | Linuxfest
Northwest 2006 | Bellingham, WA |
| April 29 - 30, 2006 | European Common Lisp
Meeting 2006 | Hamburg, Germany |
| May 1 - 6, 2006 | DallasCon
2006 | (Richardson Hotel)Dallas, TX |
| May 3 - 6, 2006 | LinuxTag
2006 | (Rhein-Main-Hallen)Wiesbaden, Germany |
| May 6 - 7, 2006 | WebTech 2006 | Sofia,
Bulgaria |
| May 8 - 18, 2006 | LinuxWorld on Tour Conference
and Expo 2006(LOT2006) | Montreal Ottawa Calgary Vancouver |
| May 12 - 13, 2006 | BSDCan
2006 | (University of Ottawa)Ottawa Canada |
| May 13, 2006 | DebianDay | Oaxtepec, Mexico |
| May 14 - 22, 2006 | DebConf 6 | Oaxtepec,
Mexico |
Comments (none posted)
Page editor: Forrest Cook