
LWN.net Weekly Edition for June 13, 2002

SELinux and patents

SELinux is a distribution produced by the U.S. National Security Agency. It is based on the Linux Security Module architecture (which is not yet part of the 2.5 kernel). SELinux provides a whole set of mandatory access control features to protect parts of the system from each other. There is no "root" user in SELinux. Even if a server process is compromised, it is highly limited in the damage it can do to the rest of the system.

According to the license page, SELinux is freely distributable under the terms of the GPL. It looks like a high-quality and useful contribution to the Linux community.

There is a potential problem, however. Much of the actual work in the implementation of SELinux was done by Secure Computing Corporation (SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology.

Concerns over the type enforcement patent are not new - they were first raised back in 2000. At that time, SCC put up an SELinux FAQ stating:

Question 6: Will SCC use its patent on Type Enforcement(TM) to restrict use, future development, derivative work, or release of the source code of the system?

There will be no restrictions on the use of TE by the Linux open source community.... We will release source code for all the modifications to the existing kernel and for a general-purpose security policy engine under the GPL.

Recently, this page has been removed from the SCC web site - a move which should be of concern to anybody who is relying on web-based promises about access to patented technology. For now, the cached copy on Google is still available, though. Grab a copy while you can - web-posted promises can be ephemeral things.

More recently, in a conversation on the Linux Security Module list, an SCC employee made a rather different statement:

SELinux includes Type Enforcement technology developed and patented by the Secure Computing Corporation, who still holds rights to all commercial use of the technology. Before a colo company, or anyone else uses the technology commercially, it will be necessary to negotiate a license with Secure Computing. If anyone wants to do so, I can help get the ball rolling with our Legal and BD folks.

This, of course, puts a damper on many possible uses of SELinux, as well as negating any claims of GPL licensing. Projects which have used some of the SELinux code, such as the Debian SE effort, are having to reconsider.

It would appear that SCC has not really decided what its policy is going to be; a message has been posted stating:

We would like to set the record straight with a clear statement, and we will do that soon. However, we want to avoid creating more confusion, so we are going to take a little time to reflect before we respond. My initial response was intended to let people know that the licensing issues have not yet been resolved.

So, SCC may eventually do the right thing (from the free software community's point of view) and preserve the free licensing of SELinux. (This cause will probably not be helped by sending inflammatory mail, by the way.) Either way, this situation shows, yet another time, the sort of threat that software patents pose to free software.


Deersoft announces its existence

A press release hit the wires on June 12: a new company called "Deersoft" was announcing existence as a spam-fighting company. Deersoft, as it turns out, is an attempt to commercialize SpamAssassin, a highly effective, free spam filtering system.

SpamAssassin is certainly a good base to start with. We first started using it here at LWN some months ago; as one might imagine, LWN's public email addresses get substantial amounts of spam. SpamAssassin filters out the vast majority of that spam (though, we notice, its hit rate has fallen a little recently) with almost no false positives. The SpamAssassin developers have provided us a real service.

Deersoft is following a reasonably common strategy for companies built around a free software package: offer a value-added, proprietary version of the program. In this case, Deersoft is selling "SpamAssassin Pro," which brings SpamAssassin's capabilities to Microsoft Outlook. A 30-day demo version can be downloaded from the company's web site.

The idea of charging Outlook users as a way of supporting SpamAssassin development has a certain appeal. There is, however, a considerable list of contributors who were, it seems, not asked whether it was permissible to distribute their code under a proprietary license. SpamAssassin is licensed under the Artistic License, which is a little vague on just when this sort of distribution is allowed. LWN has talked with a couple of people who have contributed code to SpamAssassin; they recognize the significant role that Deersoft principal Craig Hughes has taken in SpamAssassin development and seem to not begrudge the use of their contributions in this manner.

One hopes that development of the free version of SpamAssassin will continue. The press release makes encouraging noises in that regard:

Craig Hughes makes his ongoing dedication to the open software community clear, "Deersoft is committed to supporting the open source community, and is pleased to announce the release today of SpamAssassin(TM) 2.3.0."

The lack of an actual 2.3.0 release on SpamAssassin.org as of this writing, one presumes, is just the result of some last-minute delays.

Free software companies have had a hard time since the bubble burst; it really is harder to make money when the code is freely available. SpamAssassin is a great counterexample to the often-made claim that free software can only imitate, not innovate. Wouldn't it be nice if it also helped provide a good example of a successful business built around free software?


The Alexis de Tocqueville Institution report

The report issued by the Alexis de Tocqueville Institution has been extensively covered elsewhere. For those who may have missed it, here are the core points:
  • The "open source helps terrorists" line that featured prominently in the advance press release is gone. Security issues are touched on, and the "security through obscurity" argument for proprietary software is presented, but the claim that open source assists terrorism has been deemphasized.

  • Instead, the report is another attack on the GPL, featuring most of the usual arguments and some new ones as well. For example, the report claims that processing your code with a GPL-licensed tool (e.g. emacs or gcc) could force your code to be released under the GPL, which is nonsense.

  • The quality of the research and writing is, in general, not what one would expect.

There are persistent claims that this report was directly funded by Microsoft, though nothing has been demonstrated in any definitive way. For the curious, this PoliTech posting documents many of the (numerous) past ties between Microsoft and the Institution.

(See also: this point-by-point rebuttal to the report by Leon Brooks.)


Page editor: Jonathan Corbet

Security

Brief items

Security through obsolescence (Register)

Robin Miller considers the virtues of mature software.

Here's an interesting way to secure an Internet-connected computer against intruders: Make sure the operating system and software it runs are so old that current hacking tools won't work on it.

An interesting read.


The New Debian Security Build Infrastructure

Woody release manager Anthony Towns shares some information about the new security infrastructure. This new infrastructure is a critical component of the woody release.


Super-Secure Linux, Inch by Inch (Wired)

Wired News covers the National Security Agency's Security-Enhanced Linux (SELinux). "NSA's Wagner says that SELinux's adoption rate 'has exceeded our original expectations. This release has also caused developers of non-Linux systems to consider incorporating similar controls based upon our earlier prototypes.'"

If you haven't seen it already, this week's LWN.net leading item is about SELinux and patents.


Complex Linux virus warning (vnunet)

Vnunet covers cross-platform viruses, which might be able to infect Linux systems. "Although the virus was not the first of its kind to infect both Windows and Linux machines, it apparently moved virus-writing techniques "yet another step up the scale of complexity"."


New viruses aim to cross multi platforms (ZDNet)

Robert Lemos worries that although the Simile.D cross-platform virus isn't much of a threat, the techniques it uses may be bad news. Simile.D is one of the few viruses, so far, with the "ability to jump from Windows to Linux and back again."


Support discontinued for SuSE 6.4

After Monday, June 17 2002, SuSE will not provide security fixes for SuSE Linux 6.4 any more. With SuSE 8.0 in release, the announcement isn't a surprise.


Security reports

Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2

The Bugzilla team has issued a security advisory encouraging all Bugzilla installations to upgrade to the latest versions of Bugzilla, 2.14.2 and 2.16rc2, released Jun 8th, 2002. "Various security issues of varying importance have been fixed in Bugzilla 2.14.2. Most of these were fixed already in 2.16rc1, a few were not."


Remote vulnerability in Mozilla 1.0

Tom Vogt has reported a frustrating problem with Mozilla 1.0 and earlier. A maliciously crafted stylesheet can cause the X server to crash or consume memory until stopped with a kill -9. Either way, it takes the desktop with it when it goes.


CBMS: XSS and SQL Injection holes

Ulf Harnhammar reports that CBMS "is littered with XSS (Cross-site Scripting) and SQL Injection holes."

CBMS is a full featured client/billing system designed from the ground up to cater specifically to hosting providers. The software is a PHP script package which uses MySQL. Notable features include automated invoicing, client search, multiple customizable packages for clients and a client viewable real time invoice.


CGIscript.net - csNews.cgi has multiple vulnerabilities

Steve Gustin has reported multiple vulnerabilities in the csNews.cgi script from CGIscript.net: "Contact vendor for updated version, only allow completely trusted users to access the application, disable access to .style and *db files through Apache .htaccess files."


AlienForm2 CGI script arbitrary file read/write vulnerability

Nick Cleaton reports that the AlienForm2 form to email gateway has a flaw which, subject to file permissions, allows an attacker to read and modify "any file on the server." A suggested fix is included.


Format string vulnerabilities in mmmail and mmftpd

Guillaume Pelat has reported format string vulnerabilities in mmmail 0.0.13 and mmftpd 0.0.7. Updated versions which fix both problems are available. Mmmail supplies SMTP and POP3 daemons using MySQL and other features. Mmftpd is a secure FTP server.


New vulnerabilities

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s): ethereal
CVE #(s): CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created: June 12, 2002
Updated: October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocols support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
SCO Group CSSA-2002-037.0 ethereal 2002-10-24
Conectiva CLA-2002:505 ethereal 2002-07-04
Yellow Dog YDU-20020606-7 ethereal 2002-06-06
Red Hat RHSA-2002:088-06 ethereal 2002-06-04
Eridani ERISA-2002:023 ethereal 2002-06-06


LPRng accepts jobs from any host.

Package(s): LPRng
CVE #(s): CAN-2002-0378
Created: June 12, 2002
Updated: October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for administrators with systems exposed to the general public.

Alerts:
SuSE SuSE-SA:2002:040 lprng, 2002-10-31
Mandrake MDKSA-2002:042 LPRng 2002-07-04
Red Hat RHSA-2002:089-07 LPRng 2002-06-09


Resources

Using tcpserver with Mandrake Linux (MandrakeSecure.net)

Tcpserver is a secure replacement for inetd. This article is of interest to anyone who wants to use tcpserver on Linux, although it is, of course, specific to Mandrake Linux.


Linux Security Week and Advisory Watch

The June 10th Linux Security Week and June 7th Linux Advisory Watch Newsletters from LinuxSecurity.com are available.


Pine 4.44 privacy patch

A patch is available for Pine 4.44 that closes user name and id leaks due to automatic header line insertion. The patch is intended for use by "help desks and other role accounts."


Next Generation Secure Remote Log Servers over TCP (LinuxSecurity.com)

Eric "Loki" Hines has written a "Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng Servers with the Snort Intrusion Detection System."


Events

HiverCon 2002 Announcement

HiverCon 2002 is scheduled for 26 and 27 November, 2002 in Dublin Ireland. The call for papers closes 6 September 2002.


Black Hat 2002 Speakers Announced

The event is being held 31 July through 1 August 2002 in Las Vegas, Nevada, USA. "Richard Clarke, Special Advisor to President Bush for Cyberspace Security, will be one of the keynotes headlining the event."


Upcoming Security Events

Date | Event | Location
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 17 - 19, 2002 | 3rd Annual Information Assurance Workshop (United States Military Academy) | West Point, New York
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village) | Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton) | Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland
July 31 - August 1, 2002 | Black Hat Briefings 2002 (Caesars Palace Hotel and Resort) | Las Vegas, NV, USA
August 2 - 4, 2002 | Defcon (Alexis Park Hotel and Resort) | Las Vegas, Nevada
August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA
August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.


Page editor: Dennis Tenney

Kernel development

Current kernel release status

The current development kernel is 2.5.21, which was announced by Linus on June 8. Changes include a big S/390 patch, a number of networking fixups, more kernel build changes (see last week's LWN Kernel Page), more driver model work, an NTFS update, some USB updates, and more. The long format changelog is available for those wanting the details.

Note that the IDE reworking process left a bug in 2.5.21 which can, apparently, send "format" commands to IDE drives. Said commands do not actually get run - nobody's drive has actually been formatted. But this is a good reminder that development kernels can always be a little hazardous, especially when fundamental layers (like IDE) are in a state of constant flux.

Linus's in-progress 2.5.22 patch (in BitKeeper) includes a big X86-64 update, a fix for a potential X86 security bug, an ACPI update, a new set of VFS and block device cleanups from Alexander Viro, a number of fixes for problems found by the Stanford Checker (see below), more IDE reworking, another set of kbuild fixes (not from kbuild-2.5), and more.

The latest prepatch from Dave Jones is 2.5.20-dj4; it brings in some fixes from the 2.4.19-pre series and the new CPU "frequency scaling" code ("Handle with care, still experimental").

The current 2.5 kernel status summary from Guillaume Boissiere was posted on June 12.

The current stable kernel remains 2.4.18. There have been no 2.4.19 prepatches or -ac patches released in the last week.

For followers of ancient kernels, David Weinehall has released 2.0.40-rc5, the fifth 2.0.40 release candidate.


The return of the Stanford Checker

We first looked at the "Stanford Checker" back in March, 2001. The Checker is a system built on top of gcc which analyzes large amounts of source code and looks for obscure errors. In the past, it has been responsible for many kernel bug fixes. The Checker team has been quiet for a while; now, perhaps with the end of the academic year, the group has returned with a new set of error reports.

So what has the checker group found this time?

  • Missing unlocks. Here, the Checker looked for situations where kernel code could either take out a lock or disable interrupts, then fail to undo the action before returning. 18 possible errors were found.

  • Memory leaks. The Checker looked for failure paths which failed to return allocated memory. "while we only include 24 errors, there were lots in general".

  • Failure to check return codes. Numerous places were found where kernel code does not look at the return status from a function which can fail.

  • Missing null pointer checks (54 errors). Most of the errors seem to be with calls to kmalloc.

  • Large stack variables (37). Allocating a variable of size greater than 1KB may not be, strictly, an error, but it can lead to problems quickly when the stack runs out of space.

The Checker code itself remains unreleased, unfortunately. The Checker group does the kernel a great service by performing this testing and passing on the problems for fixing. But there are no end of other development projects out there that could benefit from this code. One can only hope that, someday, the Checker code will be more widely available.


DMA, small buffers, and cache incoherence

Roland Dreier reported on an interesting class of bugs which can affect drivers on some architectures. This particular source of subtle bugs is worth a look as an example of how hard it can be to really make things work on modern hardware.

All modern systems, of course, employ one or more levels of cache in the processor to cut down on slow accesses to main memory. One challenge with in-processor caching has always been to avoid doing the wrong thing when something other than the processor changes memory. On SMP systems, for example, any processor can write anywhere in memory, and the other processors have to adjust immediately. For that reason, SMP systems have elaborate schemes for moving "ownership" of cached data between processors. This "cache line bouncing" is effective but expensive; modern operating system kernels try to minimize the need for such bouncing.

Another possible source of cache confusion is DMA I/O. Peripheral devices doing DMA can change memory directly and leave the processor cache in an incorrect state. Some processors (e.g. the x86) have a coherent cache which notices changes made by peripherals and automatically updates itself. Other processors have incoherent caches which can be fooled by DMA I/O operations.

The Linux DMA support code has been very carefully written to hide cache coherence issues from driver code. If you use the primitives provided and follow the rules regarding processor access to DMA buffers, you will not be bitten by cache problems. The DMA code takes care of invalidating cache contents as needed so that caches never contain incorrect copies of main memory.

That is the idea, anyway. Roland has found a situation where this protection does not quite work. Consider a driver which is using a structure like this:

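    struct iostruct {
        /* ... other fields ... */
        int ifield;                    /* ordinary field the driver touches */
        char dma_buffer[SMALL_SIZE];   /* small buffer used as a DMA target */
        /* ... other fields ... */
    };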

If this structure is allocated properly (with kmalloc, for example), then using the dma_buffer field in DMA operations is a legal thing to do. The problem is that other fields in the structure (such as ifield in the example above) may share a cache line with part of the buffer. Consider, then, a sequence of things that can happen:

  1. The driver starts a DMA read into dma_buffer. As part of this operation, the kernel will invalidate the cache data containing both dma_buffer and ifield.

  2. While the operation is outstanding, the driver accesses the ifield member, bringing the invalidated cache line back into the processor cache.

  3. The I/O operation completes, changing memory underneath the cached data.

At this point, the data in the processor cache does not match what is in memory. If the driver accesses the data in dma_buffer, it may well find old data that was in memory before the I/O operation took place. If the driver changes ifield, the processor could write back the (incorrect) cache data, corrupting the data in main memory. If the kernel simply invalidates the cache again at the end of the operation, it could lose changes made to ifield. There really is no correct thing to do at this point.

The only way to deal with this problem is to not let it happen in the first place. A number of possibilities are being considered. One way, suggested by Roland, is to create a __dma_buffer attribute which can be used in the declaration of small buffers; on non-cache-coherent systems, this attribute would force the size and alignment of the buffer such that it would not share cache lines with any other data. Another approach is to require that all DMA buffers be allocated separately; the kernel memory allocation primitives already ensure that even the smallest buffers are properly aligned and padded. Yet another approach could be to simply disable caching for the page(s) in question while the operation is in progress; most architectures support this in their page tables. This approach could create performance problems, however (if the page in question has heavily-used data), and it could be complex.

David Miller, who wrote much of the current DMA code, has a different approach. He thinks that this kind of subtle cache issue is a trap for driver writers that should be simply avoided altogether. Rather than come up with new ways of working around incoherent caches, it's better to just change the rules and tell driver writers to allocate their small DMA buffers using the "PCI pool" interface. This interface, which was added in 2.4.4, was designed for just this purpose: allocating small buffers for DMA. Rather than make driver writers deal with this sort of cache coherence issue - and watch some of them get it wrong - David would bury it in the PCI pool code. While no real resolution has been proclaimed, this last option appears to be the likely outcome.
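The three-step sequence above, replayed against a toy write-back cache as an added example (not code from the article or from the kernel). The 32-byte line size, the SMALL_SIZE value, the stand-in fields flags and status, and the struct sim model are assumptions; the padded struct approximates what the suggested __dma_buffer attribute would enforce.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define LINE       32   /* assumed cache-line size in bytes */
#define MEM_SIZE   128  /* simulated memory; the struct sits at address 0 */
#define SMALL_SIZE 8    /* constructed value for the article's SMALL_SIZE */
#define DMA_PAD(n) (((n) + LINE - 1) / LINE * LINE)
enum { STALE_READ = 1, DMA_CLOBBER = 2 };   /* failure flags from replay() */

/* Layout from the article; flags and status stand in for the elided fields. */
struct iostruct {
    int  flags;
    int  ifield;
    char dma_buffer[SMALL_SIZE];
    int  status;
};

/* Layout a __dma_buffer-style attribute would force: buffer owns whole lines. */
struct iostruct_padded {
    int  flags;
    int  ifield;
    char dma_buffer[DMA_PAD(SMALL_SIZE)] __attribute__((aligned(LINE)));
    int  status;
};

/* Toy write-back cache in front of main memory, tracked per line. */
struct sim {
    unsigned char mem[MEM_SIZE];
    unsigned char cache[MEM_SIZE];
    int valid[MEM_SIZE / LINE], dirty[MEM_SIZE / LINE];
};

static void line_fill(struct sim *s, size_t addr)
{
    size_t l = addr / LINE;
    if (!s->valid[l]) {                 /* miss: load the whole line */
        memcpy(s->cache + l * LINE, s->mem + l * LINE, LINE);
        s->valid[l] = 1;
    }
}

static unsigned char cpu_read(struct sim *s, size_t addr)
{
    line_fill(s, addr);
    return s->cache[addr];
}

static void cpu_write(struct sim *s, size_t addr, unsigned char v)
{
    line_fill(s, addr);
    s->cache[addr] = v;
    s->dirty[addr / LINE] = 1;
}

/* Drop every line overlapping [addr, addr+len), as done before a DMA read. */
static void cache_invalidate(struct sim *s, size_t addr, size_t len)
{
    for (size_t l = addr / LINE; l <= (addr + len - 1) / LINE; l++)
        s->valid[l] = s->dirty[l] = 0;
}

/* Eviction: dirty lines go back to memory a whole line at a time. */
static void cache_writeback(struct sim *s)
{
    for (size_t l = 0; l < MEM_SIZE / LINE; l++)
        if (s->valid[l] && s->dirty[l]) {
            memcpy(s->mem + l * LINE, s->cache + l * LINE, LINE);
            s->dirty[l] = 0;
        }
}

/* Replay the article's three steps for one layout; returns failure flags. */
static int replay(size_t ifield_off, size_t buf_off, size_t buf_len)
{
    struct sim s;
    int result = 0;
    memset(&s, 0, sizeof(s));
    memset(s.mem + buf_off, 0xAA, buf_len);   /* old buffer contents */
    cache_invalidate(&s, buf_off, buf_len);   /* 1. DMA read is started */
    (void)cpu_read(&s, ifield_off);           /* 2. driver touches ifield */
    memset(s.mem + buf_off, 0x55, buf_len);   /* 3. device writes memory */
    if (cpu_read(&s, buf_off) != 0x55)        /* cached copy predates the DMA */
        result |= STALE_READ;
    cpu_write(&s, ifield_off, 1);             /* driver updates ifield ... */
    cache_writeback(&s);                      /* ... and the line is evicted */
    if (s.mem[buf_off] != 0x55)
        result |= DMA_CLOBBER;
    return result;
}

int main(void)
{
    printf("embedded: %d\n", replay(offsetof(struct iostruct, ifield),
           offsetof(struct iostruct, dma_buffer), SMALL_SIZE));
    printf("padded:   %d\n", replay(offsetof(struct iostruct_padded, ifield),
           offsetof(struct iostruct_padded, dma_buffer), DMA_PAD(SMALL_SIZE)));
    return 0;
}
```

With the embedded layout both failures occur (stale read and clobbered DMA data); with the padded layout neither does, because ifield and the buffer never share a line.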


A new way of ordering kernel initialization

The Linux kernel is made up of a very large number of mostly independent modules. In general, these modules can be linked together and initialized (at boot time) in any order. There are cases, however, where initialization order matters. The memory management system generally needs to be set up early in the process, filesystems generally need a functioning block system to be ready first, etc. Some years ago, initialization order was handled with a big set of explicit calls in a single source file. This big file inhibited modularization and created a clash point for patches, and it was (mostly) eliminated some time ago.

The current scheme involves marking initialization functions with variants of the initcall attribute. At link time, these functions are marshalled together into a special section of the kernel executable; the kernel finds them there at boot time and calls them all. As an added bonus, the initialization calls can generally be flushed out of memory once initialization is complete.

This scheme is far more modular and easy to maintain, but the initialization order problem remains. In recent times that problem has been handled through a combination of hardwired calls and variants on the initcall macro. So, subsystems whose initialization calls are marked with core_initcall are initialized before those using, say, fs_initcall. These macros give a coarse solution to the problem, but initialization order problems can still show up.

Now Rusty Russell has posted a new mechanism which allows kernel hackers to make initialization dependencies explicit. If driver1 must be set up before driver2 can be initialized, driver2 can simply mark its initialization call as:

    initcall (driver2_init, driver2, init_after(driver1));

There is also an init_before marker, of course, along with init_as_part_of for complicated subsystems. A new build_initcalls script has the job of sorting out the dependencies and creating an ordered list at kernel build time. The patch looks simple and straightforward; initialization order problems could soon be a thing of the past.
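The ordering job described above, sketched as an added example (this is not Rusty Russell's patch or the build_initcalls script): a dependency sort over init_after/init_before constraints that also rejects unknown names and cycles. The struct, the function names and the sample tables are constructed; init_as_part_of is left out because the page does not describe its semantics.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CALLS 16

/* One registered initcall: a name plus optional ordering constraints. */
struct initcall {
    const char *name;
    const char *after;    /* init_after(x): x must run first, or NULL */
    const char *before;   /* init_before(x): this must run before x, or NULL */
};

/* Constructed sample: listed in "link order", which is not a valid call order. */
static const struct initcall sample[] = {
    { "driver2", "driver1", NULL },
    { "fs",      "driver2", NULL },
    { "driver1", NULL,      NULL },
    { "mm",      NULL,      "driver1" },
};

/* Constructed sample with contradictory constraints. */
static const struct initcall cyclic[] = {
    { "a", "b", NULL },
    { "b", "a", NULL },
};

static int find(const struct initcall *c, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(c[i].name, name) == 0)
            return i;
    return -1;
}

/*
 * Writes a valid call order (indices into c) to order[].
 * Returns 0 on success, -1 for an unknown name or oversized table,
 * -2 if the constraints form a cycle.
 */
static int order_initcalls(const struct initcall *c, int n, int *order)
{
    int edge[MAX_CALLS][MAX_CALLS] = {{0}};   /* edge[a][b]: a runs before b */
    int indeg[MAX_CALLS] = {0}, done[MAX_CALLS] = {0};

    if (n > MAX_CALLS)
        return -1;
    for (int i = 0; i < n; i++) {
        int a = c[i].after  ? find(c, n, c[i].after)  : i;
        int b = c[i].before ? find(c, n, c[i].before) : i;
        if (a < 0 || b < 0)
            return -1;
        if (a != i && !edge[a][i]) { edge[a][i] = 1; indeg[i]++; }
        if (b != i && !edge[i][b]) { edge[i][b] = 1; indeg[b]++; }
    }
    for (int out = 0; out < n; out++) {
        int pick = -1;
        for (int i = 0; i < n && pick < 0; i++)   /* lowest index: stable order */
            if (!done[i] && indeg[i] == 0)
                pick = i;
        if (pick < 0)
            return -2;              /* everything left is waiting on something */
        done[pick] = 1;
        order[out] = pick;
        for (int j = 0; j < n; j++)
            if (edge[pick][j])
                indeg[j]--;
    }
    return 0;
}

/* Position of name in the computed order, or a negative error code. */
static int position_of(const struct initcall *c, int n, const char *name)
{
    int order[MAX_CALLS], rc = order_initcalls(c, n, order);
    if (rc < 0)
        return rc;
    for (int i = 0; i < n; i++)
        if (strcmp(c[order[i]].name, name) == 0)
            return i;
    return -1;
}

int main(void)
{
    int order[MAX_CALLS];
    if (order_initcalls(sample, 4, order) == 0)
        for (int i = 0; i < 4; i++)
            printf("%d: %s\n", i, sample[order[i]].name);
    printf("driver1 runs at position %d\n", position_of(sample, 4, "driver1"));
    printf("cyclic table -> %d\n", order_initcalls(cyclic, 2, order));
    return 0;
}
```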


Patches and updates

The LWN.net kernel patch ticker

Since it was easy to do with the new site: there is now a new page where you can see the latest kernel patches as they get fed into our system. It is currently just an unorganized stream. We would like to hear if this feature is useful to anybody; if so, we may develop it further.


Kernel trees

Andrea Arcangeli | 2.4.19pre10aa1
Andrea Arcangeli | 2.4.19pre10aa2
J.A. Magallon | Linux 2.4.19-pre10-jam2

Architecture-specific

James Bottomley | i386 arch subdivision into machine types | Make it easier to support non-PC x86 systems. This one may find its way into the -dj series soon.

Build system

Keith Owens | kbuild 2.5 core 19 | Syncs with 2.5.21 + some fixes.
Andrew Morton | CONFIG_NR_CPUS | Trims 240KB from the kernel on 2-processor system.
Robert Love | CONFIG_NR_CPUS, redux

Core kernel code

Patrick Mochel | device model update 1/2 | "three superficial name changes."
Patrick Mochel | device model update 2/2 | Locking improvements.
Rusty Russell | 2.5.21 Nonlinear CPU support | More preparation work for hotplug CPUs.
Rusty Russell | 2.5.21 x86,ia64,ppc Nonlinear CPU support | Makes things work again after the nonlinear CPU patch.
Rusty Russell | initcall dependency solution. | A mechanism for ensuring that kernel subsystems get initialized in the proper order.

Development tools

Device drivers

Martin Dalecki | 2.5.20 IDE 86
Martin Dalecki | 2.5.21 IDE 87
Jeff Garzik | ANN: Linux 2.2 driver compatibility toolkit | "Don't load your drivers up with 2.2.x compatibility junk. Write a 2.4.x driver... and use this toolkit to make it work under 2.2."
James Bottomley | Proposed changes to generic blk tag for use in SCSI (1/3) | Begin modifying the SCSI layer to use the generic tagged command queueing code.
James Bottomley | Proposed changes to generic blk tag for use in SCSI (1/3) | (Portions better reworked to use existing generic tag layer code).
Marc Boucher | New hcflinmodem-0.93mbsibeta02061100 release | Conexant HCF "linmodem" driver.
Marc Boucher | New riptide-0.3mbsibeta02061100 linux driver available | First release of the Conexant RipTide audio/communication controller driver for Linux.

Documentation

Denis Vlasenko | lk maintainers
Dan Aloni | On the use of typedefs | A change to the CodingStyle document laying down Linus's approach to typedefs.

Filesystems and block I/O

Janitorial

Networking

Dmitry Kasatkin | Affix-1_00pre3 Stack. Bluetooth stack for Linux.

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Something Different

This is a difficult column for me. While it may not be my last, in some ways I hope that it is. You see, after just over 3 years with LWN.net, I find myself looking for gainful employment.

Gainful? With all credit to the fine folks that have donated to LWN.net, it has not been enough to pay salaries. Now my financial situation demands that I find an income, even if it means leaving LWN. I may still be around in some capacity or another, after all, I'm a vice-president of Eklektix, but I need to focus more of my energy on securing an income.

The ideal job of my future should make use of my writing and editing skills. I have grown very accustomed to working from home, so I would like to continue to do that, at least part time. The Linux box and the DSL line are already here. My next job could also draw on my experience as a software engineer, my knowledge of Linux, or something else entirely. I am an eclectic person with a little knowledge in many different fields.

Please see my resume for additional details.

Thank you,
Rebecca Sobol ris@lwn.net


Distribution News

Debian News

Woody release manager Anthony Towns shares some information about the new security infrastructure. This new infrastructure is a critical component of the woody release.

For more information about the release, see the [2002-06-11] Release Status Update.

Unofficial woody MiniCD images updated. LordSutch.com MiniCD images are available for alpha, i386, m68k, and PowerPC; updated to the current state of woody. The main change is the upgrade of dpkg to 1.9.21. There is also ipppd added for the benefit of ISDN users.


Mandrake Linux Community Newsletter - Issue #45

This week's Mandrake Linux Community Newsletter looks at MandrakeSoft OEM Offers; More Details on LinuxTag 2002; MandrakeClub Activities; Business Case of the Week; Mandrake in the News; Website of the Week; What's New at MandrakeSecure.net?; Security-related Software Updates; and Headlines from MandrakeForum.


Red Hat Linux

Red Hat reports that multiple kernel bugs were fixed, including generic kernel bugs, x86-specific bugs, and IA-64-specific bugs. Relevant releases/architectures include: Red Hat Linux 7.1, 7.1k, 7.2 - athlon, i386, i586, i686, ia64.

Updated toolchain and glibc packages for s390 are now available which contain the latest recommended patches by IBM as well as several other bugfixes.


SuSE Linux - Supported Distributions

SuSE announced that support for the SuSE Linux 6.4 distribution will be discontinued with the release of the SuSE Linux 8.0 i386 FTP version.


Slackware Linux

Progress on Slackware 8.1 continues. The third release candidate became available for testing on June 10, 2002. Visit the change log for more details. We've also included a review of 8.1rc2 in the review section below.


Trustix Secure Linux

The Trustix Newsletter for July 2002 is available. It includes information about Trustix Linux Solutions, the Trustix Mileage program, and much more.

Trustix has released several bug fix advisories this week. There has been package cleanup in apache and in mutt; an updated samba package corrects a problem with winbind and the storing of the *.tdb files; there are minor security fixes for the GNU fileutils package and the bzip2 package; and a minor bug fix in the imap package.

New Distributions

DMZS-Biatchux Bootable CD

The DMZS-Biatchux Bootable CD is a relatively new distribution, first making a public appearance on February 28 of this year. Biatchux is a portable, bootable CDROM distribution which aims to provide an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. BiatchUX-Lite v.0.1.0.7a-45 was recently released, with major feature enhancements.

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released stable version 3.200 with major feature enhancements.

GENDIST

GENDIST has released v1.4.0 with major feature enhancements.

Gentoo Linux

Gentoo Linux has released v1.2. Changes include installation fixes and countless updates to the Portage tree, including full KDE 3.0.1 (20020604) and GNOME 2 support.

Mindi Linux

Mindi Linux has released version 0.63-7 with major bugfixes.

Netstation Linux

Netstation Linux has released development version 0.8 with major feature enhancements. Version 0.8.2 was released soon after, with more feature enhancements.

ShareTheNet

ShareTheNet, a distribution that allows just about any network software to use the Internet, is no longer being sold or supported. It is still available for download. ShareTheNet has moved to the Historical section of our distributions list.

TA-Linux sparc pre-0.2.0-test

TA-Linux has released sparc pre-0.2.0-test for your testing pleasure.

ttylinux

ttylinux has released version 2.2 with minor bugfixes.

Distribution reviews

Taking Up the Slack(ware) (LinuxPlanet)

LinuxPlanet reviews Slackware 8.1rc2. "Slackware devotees won't be disappointed with this release because most of what you have come to know and love about Slackware is still present in this release. The pending release of Slackware 8.1 might interest users of other Linux distributions, too."

Feature: Hardened Linux Puts Hackers EnGarde (Network Computing)

Network Computing reviews several secure Linux distributions. "EnGarde walked away with our Editor's Choice award thanks to the depth of its security strategy, which covers nearly all the bases. Everything from the low-level mechanisms (binary integrity checking and stack protection) to high-level usability issues (including an excellent patching interface) demonstrate the serious effort the Guardian Digital crew has invested in EnGarde."

Engarde Secure Linux Pro 1.1 Review

LinuxLookup reviews Engarde Secure Linux Pro 1.1. "Most people who know me often tell me that I am paranoid. I say that I have good reason to be. Hacker attacks and malicious code are just a few examples of why I am cautious with my computer systems. Guardian Digital's Engarde Secure Linux Professional offers a lightweight, robust, and secure Linux Distribution for small and large networks."

ServerWatch Listing (With Download) for OpenLinux (internet.com)

Here's a review on internet.com of Caldera's OpenLinux Server 3.1.1. "The price of this package would be justified for many administrators for the mere fact that it eliminates the need to collect all of the components. However, it also offers many other benefits, including one of the best installation programs we've seen for any type of server (not just Linux), a documentation server that allows access to the 380-page documentation set from any browser, a browser-based administration console that provides a secure GUI management console for the server from any browser, and a 60-day evaluation of the Volution systems management product."

Page editor: Rebecca Sobol

Development

Mozilla 1.1 alpha released

Following last week's release of Mozilla 1.0, Mozilla 1.1 alpha is now available. This represents a new development branch for Mozilla; the 1.0 branch is now the stable branch.

New features for version 1.1 alpha include:

  • A newly enabled download manager.
  • Quartz rendering for Mac OS X users.
  • New layout performance enhancements.
  • Application startup speed improvements.
  • Viewsource for MathML and selections.
  • Support for XBM images.
  • A new directory button for the File Picker.
  • Redundant backup of preference files.
  • Greatly improved drag and drop support.
  • Image blocking for Mail and News.
See the release notes for a detailed list of changes.

System Applications

Database Software

Mini SQL 3.0 Pre 5

Version 3.0 pre 5 of the Mini SQL database has been announced. See the release notes for all of the details.

Education

SEUL/Edu report #72

Issue #72 of the SEUL/Edu Linux in Education Report is available. Topics include troubles submitting software to the BECTa Educational Software Database, a K12LTSP party, Bob Young's Lulu Tech Circus project, and more.

Mail Software

Mail::Box mailinglist (use Perl)

Ideas and extensions are being requested for inclusion in the Perl Mail::Box e-mail handling module.

Printing

CUPS v1.1.15 is Released!

Version 1.1.15 (and Version 1.1.15-1) of the CUPS printing system has been released. Changes include MacOS license agreement mods, better defaults, and lots of bug fixes.

LPRng 3.8.12 available

Version 3.8.12 of the LPRng print system has been released.

Web Site Development

Midgard Weekly Summary

After a long absence, the Midgard Weekly Summary is back. This issue looks at changes in the Midgard team, the new Midgard Knowledgebase, the Midgard Component Framework, and more. (Midgard is an extensive, PHP-based content management framework).

ANNOUNCE: Quixote 0.5 released

Version 0.5 of the Quixote web application framework has been released. This is a relatively major release, with quite a few changes and improvements; click below for the details. (Quixote is the framework behind the new LWN site).

Zope News for June 6, 2002

After a long hiatus, the Zope News is back, with a June 6, 2002 edition. Topics include EuroPython 2002, Balktalk support for Zope books, Casey Duncan's External Editor, Zope 3, planning for Zope 2.6, and more.

Zope Members News

This week's Zope Members News looks at MailBoxer 1.3, the first release of the MAP WebMail client, Artemis Article Management System 1.0, ext2Image 0.1, and more.

Miscellaneous

The Linux Test Project test suite LTP-20020607 released

The Linux Test Project test suite LTP-20020607.tgz has been released. Among the highlights of this release is a white paper titled "Analysis of Linux Test Projects Kernel Code Coverage" and the LTP's Kernel code coverage web site.

Desktop Applications

Audio Applications

WaveSurfer 1.4.1 released

Version 1.4.1 of the WaveSurfer sound visualization and manipulation tool has been released. Minor enhancements and bug fixes have been added and some speech utilities have been fixed.

GLAME 0.6.3 released

Version 0.6.3 of the GLAME audio editing tool has been released. This is a bug fix release that features much faster wave drawing capabilities.

Audacity versions 1.0.0 and 1.1.0 released

Versions 1.0.0 and 1.1.0 of the Audacity multi-platform audio editor have been released. Version 1.0.0 is the final stable version of the original Audacity. "Version 1.1.0 is the first beta release of the next version of Audacity, which includes support for higher-quality audio, more audio file formats, more effects, more editing functions, an improved user interface, and support for foreign languages."

Desktop Environments

Quickies: Community Study, KSteak, Kde France

KDE.News has three quickie articles on the Kde France Site, the KSteak English-German translation tool, and a sociological study of KDE.

KC KDE #38 is Out

Issue #38 of Kernel Cousin KDE covers the Klingon invasion, CVS Kung-Fu, and Mime news.

GNOME 2.0 Desktop Snapshot 20020607

The 20020607 snapshot of the GNOME 2.0 Desktop has been announced on Gnotices. The Official GNOME 2.0.0 Desktop should be released on June 21.

GNOME Summary for 2002-05-25 - 2002-06-01

The May 25 - June 1, 2002 edition of the Gnome Summary covers the GNOME 2 hard freeze, hacking GTK+ apps in LOGO, GnomeMeeting for Gnome 2, gthumb, the Accessibility Framework explained, and more.

Rumours abounding about a new Gnome Media release

Gnotices looks at some of the changes that will be included in the next Gnome Media release.

GUI Packages

FLTK 1.1.0rc3 released

Version 1.1.0rc3 of FLTK, the Fast, Light Toolkit is available. This version features a new file chooser, better documentation, and tons of bug fixes.

Interoperability

Wine Weekly News for June 6, 2002

The June 6, 2002 Wine Weekly News looks at Wine-20020605, Lindows OS SPX, testing Lotus Notes, directly executing Windows binaries, licensing issues, and the future of Wine debugging.

Office Applications

Abiword Weekly News

Issue #95 of the AbiWord Weekly News has been published. Topics include the continued squashing of bugs, and bi-directional language support for AbiWord.

Bluefish snapshot supports gtk2

The May 29, 2002 snapshot of the Bluefish HTML editor features support for gtk2.

Web Browsers

Galeon 1.2.5 available

Version 1.2.5 of the small, efficient Galeon web browser is available. This version adds Mozilla 1.0 compatibility, proxy auto configuration and printing fixes, and a new Vietnamese translation.

Languages and Tools

Caml

The Caml Hump

This week's additions to The Caml Hump include the findlib library, PXP: the polymorphic XML parser, an OCaml implementation of the API of the Scheme Shell, the Recursive OCaml module, and more.

COBOL

TinyCOBOL 0.58 released

Version 0.58 of TinyCOBOL has been released. A number of bugs have been fixed in this version.

Java

Java optimization techniques (IBM developerWorks)

A new guide on Java optimization is available on IBM's developerWorks. "Many useful techniques exist for optimizing a Java program. Instead of focusing on one particular technique, this article considers the optimization process as a whole. Authors Erwin Vervaet and Maarten De Cock walk readers through the performance tuning of a puzzle-solving program, applying an assortment of techniques ranging from simple technical tips to more advanced algorithm optimizations. The end result is a spectacular performance increase (more than a million fold) between the first working implementation and the fully optimized solution."

Perl

Parrot 0.0.6 Leaves The Village (use Perl)

Use Perl has an announcement for version 0.0.6 of the Perl 6 interpreter, Parrot.

Bricolage 1.3.2 Released (use Perl)

Version 1.3.2 of the Bricolage content management system has been announced on Use Perl.

Axkit 1.6 Released (use Perl)

A new version of the Axkit XML application server for Perl has been announced.

PHP

PHP Weekly Summary for June 10, 2002

The June 10, 2002 edition of the PHP Weekly Summary covers the discovery of a Zope Engine bug, discussion of Apache speed, a new RDF extension for PHP, overloaded operators, and a discussion on the future of PHP.

Python

Dr. Dobb's Python-URL! - weekly Python news and links (Jun 10)

The latest Dr. Dobb's Python-URL! looks into Programming Libraries; Python Development News; follows a discussion on the features of Python; and much more.

Daily Python-URL

This week, the Daily Python-URL covers Python at OSCON 2002, Python properties, the ActiveState Active Awards, Pygame and Tkinter, keyword import, weightless threads, Andrew Kuchling on What's New in Python 2.3, and more.

Ruby

Ruby Weekly News

The June 9, 2002 edition of the Ruby Weekly News covers Interactive Learning Environment (ILE)/Ocelot, PageTemplate 0.3.2, Test::Mock 1.0, and REXML 2.3.5 and 2.2.3.

XML

Comparing and Replacing Strings (XML.com)

Bob DuCharme writes about string manipulation in XML. "This month we'll learn more ways to gain control over strings in your source document, as we see how to compare strings for equality and what kind of search-and-replace operations are possible in XSLT."

Miscellaneous

CVSGnome provides an alternative to other build systems.

This article on Gnotices examines the CVSGnome build system. "CVSGnome is a new way for bleeding edge Hackers, Tweakers and Gurus to create a GNOME 2 system either from CVS or stable TARBALLS."

Jext 3.1pre4 available

Version 3.1pre4 of the Jext programmer's editor is available. This version includes bug fixes and lots of new features; see the list of changes for the details.

Page editor: Forrest Cook

Linux in Business

Business News

MITRE Report - A Business Case Study of Open Source Software

The MITRE Corporation has published a report examining the business case for Open Source Software. The above link leads to an abstract of the report and a link to the 88-page report (PDF format). (Thanks to Rajesh Bhandari)

Press Releases

Open Source Announcements

Distributions and Bundled Products

Software for Linux

Products and Services Using Linux

Hardware with Linux support

Linux at Work

Books and Documentation

Partnerships

Financial Results

Personnel and New Offices

Miscellaneous

Page editor: Rebecca Sobol

Linux in the news

Recommended Reading

Anti-open source 'whitepaper' devastated (Register)

The Register carries a lengthy rebuttal to the Alexis de Tocqueville Institution white paper from Roaring Penguin's David Skoll. "The AdTI's very weak and poorly-researched paper opens no debate. It simply confirms that Microsoft paid AdTI to come up with something -- anything -- to stem the growing adoption of open-source (especially GPL'd) software by business and government. Let's take a look at the paper in detail."

Report Flays Open-Source Licenses (Wired)

Wired joins in on bashing the ADTI white paper. "A spokesman for the ADTI said the report published last week was an old, unedited version that had been accidentally pushed on the Web. He said that a new version would be finished by late Monday, but he did not know if the report would be immediately posted on the Web. He promised to e-mail the final version to Wired News as soon as it was ready; by late Monday afternoon on the West Coast, no report had arrived."

The very real limitations of open source (ZDNet)

ZDNet is carrying this opinion piece which claims there's a critical flaw in the Open Source philosophy. "The problem, however, is that open source must rely on the willingness of programmers to contribute code without financial compensation. The Free Software Foundation claims that in a world of free software, people will program because "programming is fun." In their opinion, the promise of high returns has corrupted the programming discipline, as people have been "trained" to expect that they will be paid well to program."

U.S. Gov't Still Penguin Shy (Wired)

Wired looks at the use of Linux in the U.S. government - or the lack thereof. "'Linux is not on our list of approved operating systems,' said a senior State Department information technology official who spoke on condition of anonymity. 'That generally dictates whether it's used or not.'"

ANALYSIS: Microsoft vs. open source gets political (IDG.net)

This IDG.net article looks at the use of open source software in governments outside of the U.S. "The perceived benefits of open-source software have moved government officials in countries including Germany, France, Finland, the Philippines, South Korea, and China to try out the technology. A decision to replace Microsoft's Windows at least in part with open-source alternatives is often the result. Officials within these countries have identified open source as a potential driver for cost savings. Some say security is enhanced by embracing open-source software. Others have said use of open-source software could stem software piracy, and lead to growth of local software alternatives."

Super-Secure Linux, Inch by Inch (Wired)

Wired News covers the National Security Agency's Security-Enhanced Linux (SELinux). "NSA's Wagner says that SELinux's adoption rate "has exceeded our original expectations. This release has also caused developers of non-Linux systems to consider incorporating similar controls based upon our earlier prototypes.""

Are ReplayTV users breaking the law? Are you sure? (Linux Journal)

Linux Journal covers Electronic Frontier Foundation involvement in a suit against the major movie studios. "The plaintiffs in the suit are five ReplayTV customers, who von Lohmann said "have a very legitimate concern that their rights will be adjudicated without them being involved." The movie studios are currently suing ReplayTV manufacturer Sonicblue."

Complex Linux virus warning (vnunet)

Vnunet covers cross-platform viruses, which might be able to infect Linux systems. "Although the virus was not the first of its kind to infect both Windows and Linux machines, it apparently moved virus-writing techniques "yet another step up the scale of complexity"."

Companies

Dell makes a move to Linux (ZDNet)

ZDNet reports on the latest collaboration between Dell, Oracle, and Red Hat. "The companies' announcement comes as large corporations look for ways to save money on technology. Running a nonproprietary Linux operating system is seen by some corporations as one way to do that."

Dell, Oracle join Red Hat for enterprise Linux (Register)

The Register covers the recently announced collaboration between Red Hat, Oracle, and Dell. "Red Hat Inc, Oracle Corp and Dell Computer Corp have teamed up to provide packaged support and services for Red Hat's Advanced Server operating system and Oracle's 9i Release 2 database management system."

Linux Packages With Panache From Dell And HP (TechWeb)

Information Week reports on the release of Linux-based clustering products by Dell and Hewlett Packard. "Linux continues to move upstream. Dell Computer and Hewlett-Packard last week unveiled packages that bring high-end clustering and database capabilities to Intel-based servers running the operating system."

Life Sciences Industry Turns to Linux and IBM

IBM will provide Linux systems for the Institute for Systems Biology. "The Institute for Systems Biology (ISB), a world renowned non-profit research institute, has selected IBM to provide its infrastructure technology. ISB will use IBM servers, storage and data integration products to support its research on protein-protein interactions to better understand and predict diseases, and identify potential preventions and treatments."

Everything but the Hat Hair (Linux Journal)

Linux Journal's Don Marti discusses the deal between Oracle, Red Hat, and Dell. "Oracle, Red Hat and Dell unveiled Unbreakable Linux today, cementing RH's place in the corporate world. Oracle CEO Larry Ellison ended the Linux distribution wars today, as far as corporate installations are concerned, with the flat-out statement that "We can't provide the same level of support" (for Oracle products on other distributions as they can on Red Hat). "We've elected to work very closely with Red Hat. We're recommending Red Hat." Ellison did everything for Red Hat except actually wear the red Red Hat hat handed to him by Red Hat CEO Matthew Szulik."

Linux: Red Hat should just stop whining (ZDNet)

ZDNet is running an article about Red Hat and Sun's non-free version of Open Office. "RED HAT IS UPSET because Sun has started charging both end-users and OEMs for StarOffice, the Microsoft Office competitor that Sun owns and had previously given away. Red Hat has been including StarOffice for free in the box with its own Linux operating system; now it'll have to pay Sun if it wants to do that."

Red Hat accuses Sun of Microsoft tactics (News.com)

News.com covers Red Hat's Matthew Szulik in a rant against Sun. "Sun's Rogers said he'd still like to see Red Hat include StarOffice or the open-source project on which it's based, OpenOffice. Distributing OpenOffice furthers the use of StarOffice file formats and interfaces. Microsoft has successfully used file formats and interfaces to keep its Office suite dominant."

SuSE Linux to include StarOffice 6 (News.com)

News.com reports that SuSE will bundle Sun's StarOffice 6 word processor with its Pro-Office CD. The CD will sell for $24.95.

Oracle develops 9i software for Linux (ZDNet)

ZDNet reports on Oracle's release of its database software for Linux. "The software maker said that it has developed a version of its 9i database software that can run across multiple Linux servers in a configuration called clustering. Clustering allows businesses to harness multiple servers to run a very large database, so servers can share work or take over from each other if one fails."

Oracle 9i RAC to support Red Hat clustering (ZDNet)

ZDNet is carrying a Gartner Group pronouncement on the availability of Oracle9i for Linux. "However, Oracle has not proven the need for a parallel DBMS on Linux, nor has it validated its claims for scalability with references and benchmarks. Thus, Oracle and Red Hat will likely concede substantial discounts as they seek to validate claims that Linux has a compelling total cost of ownership compared with Microsoft's SQL Server, DB2 Universal Database or Oracle on Unix."

IBM offers major boost to Linux (vnunet)

IBM will extend its systems management software to Linux environments, according to this vnunet article. "Linux support will initially be offered on key components of the Tivoli range, according to Tivoli European vice president, Milko van Duijl."

Bringing the J2EE Cathedral to the Bazaar

O'Reilly is running an article by Satya Komatineni that examines some issues with Sun and J2EE. "While Sun is quite diligently planning, coordinating, and building infrastructure for building cathedrals around J2EE, Microsoft's .NET is poised to steal the marketplace and own the bazaar, as they did with VB and the component market in the client-server wars. We have some parallels to go by. While CORBA focused on rearing thoroughbreds, COM stole the market with a mule called VB. The only way out of this quandary is to wake up and invite the J2EE cathedral to the bazaar."

CodeWeavers Announces CrossOver Office 1.1 (OpenForBusiness)

Open for Business reviews CodeWeavers' CrossOver Office. "On the new release, CodeWeavers CEO Jeremy White commented "With Outlook and Internet Explorer support, we feel that we have rounded out the most important features of the Microsoft Office Suite, and have made it simple and painless for an organization to adopt the Linux desktop." Based on our recent experience in OfB Labs, White very well could be correct."

Business

UnitedLinux (Linux Journal)

Linux Journal's Doc Searls analyzes several recent partnerships in the Linux world. "While Red Hat geared up to announce Unbreakable Linux, four smaller opponents joined to form UnitedLinux. The response so far has been divided. Today, June 5, 2002, Red Hat, Oracle and Dell are announcing "their collective commitments to Linux for the enterprise" (sounds almost Communist, doesn't it?) in a big launch event at Oracle's place in Silicon Valley. Invitations sent to the press said new products from all three companies would feature "Unbreakable Linux.""

UnitedLinux agrees to differ (Register)

The Register examines the UnitedLinux effort. "UnitedLinux is a marriage of four distros - SuSE, Caldera, Conectiva and TurboLinux - but it isn't really a distro, as we were led to believe by the pre-launch rumor mill. Well, yes and no."

"UnitedLinux is a server "distro" that at least shares common elements. The big four retain branding rights, so you'll still find "SuSE powered by OpenLinux". And each distro can add on its own features. But you'll find the same files in the same places, which is long overdue, and signals a win for the Linux Standards Base initiative."

United Linux musters support (vnunet)

Vnunet covers the United Linux collaboration. "Caldera, TurboLinux, SuSE and Connectiva will be the initial shareholders of the new organisation, and the first version of the software will be based on a release of SuSE Linux version 8."

Facing the open source firing squad (ZDNet)

Here's another ZDNet column on the business of open source software - or the lack thereof. "In other words, proprietary software revenue wags the open source tail, not the other way around. The fact that IBM hires people to work full time on open source is less of an indication of open source's inherent profitability than a demonstration of the freedom available to companies with business models based on the revenue generating power of proprietary software."

Interviews

Cyberspace's Legal Visionary (Reason)

Reason interviews Lawrence Lessig. "In a world where civil disobedience was treated with toleration, that might be a good strategy. But we're in a world where disobedience is treated with felony convictions. The idea that you are going to get lots of civil disobedience against the Digital Millennium Copyright Act is just crazy. You're going to get lots of prosecutions and people going away to jail. The cost of disobedience has become too high, and I'm not sure it's a viable strategy anymore."

Three EuroPython Interviews

The EuroPython site features three new interviews: Itamar Shtull-Trauring on the Twisted Framework, Stephan Richter and Steve Alexander on the next generation of Zope, and Paul Everitt, co-founder of Zope Corporation. Thanks to Martijn Faassen.

Resources

Tips for New Linux Users, Part II (ExtremeTech)

ExtremeTech has some tips for Linux newbies. "In Part I, we covered KDE's Konqueror, Gnome's Nautilus, Linux directory structure, tarballs, and mime types, among other things, and we'll now look at Linux Text Editors" (Thanks to Kyle Roberson)

Embedded Linux Newsletter for June 6, 2002

The June 6, 2002 edition of the Linux Devices Embedded Linux Newsletter has been published. Topics include a review of Craig Hollabaugh's book "Embedded Linux", an introduction to the Dillo browser, Lynxos V4.0 Linux ABI compatibility, how the ADEOS project gets around real-time Linux patents, malloc under uClinux, and more.

Constructing a Linux-powered IrDA printing device (LinuxDevices)

Tired of filling out forms? Nobody can read your handwriting, or spell your last name? In this brief technical article at LinuxDevices.com, entrepreneur and Linux hacker Gerd Rausch explains how (and why) he created a small device that could be installed at rental-car agencies, hotel/airline check-in desks, or health-care facilities to receive data beamed directly from your PDA. It runs on a Linux platform, of course.

Hack your TiVo! Here's how (ZDNet)

For those who have a Linux-based TiVo box, here's a ZDNet article on hacking them. "AS WITH ANY good hacking article (and this will only be a fair one), I should warn you up front that proceeding further could render your TiVo useless, void your warranty, violate all sorts of end-user licensing agreements, and, in extreme cases, kill you (if you happen to touch the unshielded power supply inside the box while having an especially unlucky day)."

Want to hack your TiVo? Here's YOUR advice (ZDNet)

Previously LWN ran a ZDNet column about hacking a TiVo video recorder. Now ZDNet continues with more TiVo hacks from its readers. "The results of the QuickPoll were overwhelming. It asked: "Be honest: Would you consider hacking your TiVo (or other DVR), even if it risked damaging the machine or violating your user agreement?" Ninety percent of you answered: Duh--yes!"

Reviews

Keep Track of Your Money (Linux Journal)

The Linux Journal has put up an article comparing four different, free personal finance applications. "I felt at home immediately. Emma has the GNOME look and feel, with help windows and help functions where you expect them, e.g., each button has a little help bar that appears when you hold the mouse over it for a second. I like a program that doesn't scare me, so I appreciate an intuitive user interface."

Mozilla strides out (vnunet)

Vnunet looks at the new Mozilla 1.0 release. "Hell froze over in the geek community yesterday as Mozilla 1.0 was finally released. After nearly five years of work by thousands of developers, there was much rejoicing among the expectant fans and pigs were seen cruising at well over 1,000ft."

Mozilla 1.0 released after four long years (Register)

The Register reviews Mozilla 1.0. "Mozilla is nothing if not a 'vision thing'. The organization sees that it has created not just a browser to rival Internet Explorer - its initial mandate - but a cross-OS platform on top of which a next generation of standards-compliant applications can be built. In many ways, the vision goes back to Netscape's early dreams of using the browser to kill Windows."

Introducing Linux into the Enterprise (Linux Journal)

Linux Journal reviews GSX Server, from VMware Inc. "Once installed, GSX runs on top of Linux, providing an environment that allows you to run multiple virtual server instances. In our case, we needed additional Windows NT 4.0 and Windows 2000 servers to provide development and test environments for new projects."

Linux Orbit Review Grab Bag

Linux Orbit has published the first of its Review Grab Bag features. This edition takes a look at a multi-gnome-terminal, the LimeWire gnutella client and the Metacity window manager for GNOME.

Hitachi unveils new model of Linux-enabled Internet appliance (LinuxDevices)

LinuxDevices.com covers a new model of Hitachi's Linux-based FLORA-ie wireless web pad. The device has a 10.4-inch TFT LCD screen and is based on a 400 MHz Transmeta Crusoe processor running Midori Linux. It has built-in Ethernet and 802.11b wireless, and also provides two USB ports plus both CompactFlash Type II and PC Card (PCMCIA) expansion slots.

Comparative Jabber book review

IBM's developerWorks features a review of three different books on Jabber.

Taking Up the Slack(ware) (LinuxPlanet)

LinuxPlanet reviews Slackware 8.1rc2. "In short, you have a basic, highly functional Linux box that will just work without all the geegaws that thump performance. So, as far as I'm concerned. there's nothing wrong with this picture.--unless you are new to Linux or are addicted to graphical utilities and eye candy."

Miscellaneous

Celebrating the 20th Anniversary of the Swiss Open Systems Group (Linux Journal)

Linux Journal carries a post from Jon "maddog" Hall. maddog travels to Zurich to speak at the twentieth anniversary of the Swiss Open Systems Group. This is a story about clocks, friendly students, beer, a small Renaissance faire, and, of course, Linux/Open Source advocacy.

Programmers enroll in political training (News.com)

News.com reports on an increase in political coursework for computer science students. "STANFORD, Calif.--It's not every computer science class that opens with a poem. But on a recent June day at Stanford University, khaki-clad senior Jeff Keltner stood before his classmates, cleared his throat, and recited verse about a Hollywood-led crackdown on technology that can transfer digital books to different devices. The final lines went something like this (to the beat of Dr. Seuss' "Green Eggs and Ham"):"

"'I want to read this book I bought, but people tell me I ought not. They say I will be locked away because of the D-M-C-A.' "

What's wrong with Nader's Microsoft plan (ZDNet)

ZDNet's Dan Farber comments on Ralph Nader's suggestion that Microsoft should release the source code to Office. "Nader even goes so far as to suggest that the federal government buy the code for Microsoft Office outright, and release it into the public domain in order to save the public money and avoid the costly upgrades from Microsoft that are designed to overcome interoperability problems. I wonder what price Gates would put on that software, which has more than a 90 percent market share."

MS-funded think tank propagates open-source lies (Register)

The Register writes about the study by the Alexis de Tocqueville Institution, which claims that open-source software aids terrorism. "Much to our disappointment, the organization's press release, which last week promised that the study would explain in gory detail how open-source software will foster international terrorism, turns out to have been a tissue of headline-pimping lies. Indeed, the paper never mentions terrorism at all."

Readers give high marks to security, Linux (News.com)

News.com looks at the results of a recent survey. "The enthusiasm for Linux among News.com readers was consistent with similar surveys in recent months. According to responses in a recent poll from Giga Information Group, 59 percent of IT managers said they would increase their use of Linux operating systems next year; none said that Linux use would decrease."

Linux server consolidation shortcut (ZDNet)

Here's an editorial on ZDNet, about Linux on mainframes. "If you're a columnist for ZDNet and you put the words Linux and mainframe in the same sentence (which I've done), all sorts of people will come out of the woodwork to give you their opinion. I've been saving one of those opinions for a rainy day and, based on news that Hewlett Packard will be integrating VMWare's ESX server into its ProLiant line of servers, that day is today."

The Heart of the Penguin (Linux Planet)

Linux Planet is running a feature article about a Beowulf cluster that Biomedical Engineer Dr. Andy Pollard has assembled for simulating the operation of the human heart. "The research itself is targeted towards three areas: observation of the effect of electrical fields on heart tissue to learn how and why defibrillation works (and, in so doing, track down why fibrillations occur in the first place); learning in a more direct manner why fibrillations start; and how a fibrillation event progresses from start to finish."

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Resources

Binary Versions of LSB Test Suites lsb-runtime-test (1.1.9-1)

Version 1.1.9-1 of the lsb-runtime-test binary package is available for download.

New MySQL resources

Two new resources are available for the MySQL database. The MySQL reference manual has been published, and an online MySQL Newsletter is being produced on a monthly schedule.

Encoding with Vorbis

Encoding files with Vorbis is the second in an ongoing series of four articles about the Ogg Vorbis audio compression system. "One of the unfortunate legacies of the mp3 era is the common assumption that bitrate directly affects quality. Though it is true that a higher bitrate results in a larger file, it does not necessarily sound better. There are better and easier ways to encode music. As an alternative to dealing with bitrates, Vorbis offers a streamlined "quality" setting control. The values range from zero to ten. The higher the value, the better the final quality."

Upcoming Events

Perl Meeting in Tel Aviv (use Perl)

Use Perl has an announcement for a Perl Mongers meeting in Tel Aviv, Israel on Thursday June 13, 2002.

YAPC Schedule Posted (use Perl)

The YAPC::NA Perl conference will be held from June 26-28, 2002 in St. Louis, MO.

Parrot/Perl 6 talk and Fundraiser in Phoenix (use Perl)

Use Perl has an announcement for a Perl/Parrot presentation in Phoenix, Arizona on June 20, 2002.

Libre Software Meeting : registrations are open

The third annual Libre Software Meeting will take place near Bordeaux, France, from July 9 - July 13, 2002. Registration is open, and you can check on accommodations too.

Events: June 13 - August 8, 2002

June 13 - 14, 2002: 2002 USENIX Annual Technical Conference, Monterey, CA
June 13, 2002: Linux@work, Milan
June 13 - 14, 2002: JabberConf Europe 2002, Munich, Germany
June 17 - 19, 2002: 3rd Annual Information Assurance Workshop (United States Military Academy), West Point, New York
June 18 - 21, 2002: INET 2002 (Crystal Gateway Marriott), Arlington, VA
June 20 - 21, 2002: First International IFIP/ACM Working Conference on Component Deployment (CD 2002), Berlin, Germany
June 25, 2002; July 23, 2002: Seattle Ruby Brigade Meeting, Seattle, Washington
June 26 - 28, 2002: Embedded Systems Expo & Conference in Tokyo (ESEC) (International Exhibition Center), Tokyo, Japan
June 26 - 28, 2002: Yet Another Perl Conference (YAPC 2002) (Washington University), Saint Louis, Missouri
June 26 - 28, 2002: European Python and Zope Conference (EuroPython 2002) (Charleroi Espace Meeting Européen), Charleroi, Belgium
June 26 - 29, 2002: Ottawa Linux Symposium (OLS), Ottawa, Canada
June 27 - 28, 2002: European Tcl/Tk User Meeting (Siemens Trainings Center), Munich, Germany
July 4 - 7, 2002: UKUUG Linux Developers' Conference (University of Bristol), Bristol, UK
July 5 - 7, 2002: Debconf 2 (York University), Toronto, Ontario
July 18 - 20, 2002: Boston GNOME Summit, Boston, Mass.
July 22 - 26, 2002: O'Reilly Open Source Convention (Sheraton San Diego Hotel and Marina), San Diego, California
August 1 - 2, 2002: 3rd annual Bioinformatics Open Source Conference (BOSC 2002), Edmonton, Canada
August 2 - 4, 2002: Defcon (Alexis Park Hotel and Resort), Las Vegas, Nevada
August 5 - 9, 2002: 11th USENIX Security Symposium, San Francisco, CA, USA
August 6 - 9, 2002: CERT Conference 2002, Omaha, Nebraska, USA

Web sites

LinuxWiki.de - Collaboration WikiWikiWeb

LinuxWiki.de is a new collaboration and communication platform in the German language. It's based on the new WikiWikiWeb technology and it is there for the discussion of Linux, FreeSoftware and the OpenSource community.

Miscellaneous

Software Livre! (Linux Journal)

Linux Journal has an article by Jon "maddog" Hall in which he shares his experiences at the Software Livre conference held in Brazil in early May. "... cooperation, community and erva-mate. "Software Livre! Software Livre! Software Livre!"...the words got louder and louder like a chant. No, not like a chant, it was a chant--and I was leading it!"

Page editor: Forrest Cook

Letters to the editor

Re: Open-Source Fight Flares at Pentagon (Washington Post)

From:  tet@accucard.com
To:  letters@lwn.net
Subject:  Re: Open-Source Fight Flares at Pentagon (Washington Post)
Date:  Thu, 06 Jun 2002 16:28:03 +0100

 
Eric Smith writes:
 
> I'm not trying to suggest that the Defense Department and NSA should not
> conduct security testing of free software, but merely that procurement
> regulations are a complete non-issue for it.
 
Not only should the NSA conduct security testing of free software, but
they already *have*, resulting in their own approved, security enhanced
version of Linux:
 
        http://www.nsa.gov/selinux/
 
Perfect for all US governmental use, one would have thought...
 
Tet

Keeping OSS out of the security arena

From:  Leon Brooks <leon@cyberknights.com.au>
To:  tolavsrud@internet.com
Subject:  Keeping OSS out of the security arena
Date:  Thu, 6 Jun 2002 08:40:43 +0800
Cc:  kenbrown@erols.com, foss@adti.net, letters@lwn.net

From http://www.internetnews.com/dev-news/article.php/1276831
 
> while ADTI believes pooled talent is highly beneficial in software
> development, it is naive to allow "bad guys" as well as "good guys"
> into that talent pool.
 
Oh, sure... and who gets to define `good' and `bad'?
 
OSS can be contributed to and inspected by the poorest computer owners in the
world, but even benevolent engineering and infotech societies have membership
dues which well exceed the cost of owning and operating such a computer, so
membership in same as a criterion basically equates `bad' with `poor'.
 
Microsoft's traditional definition seems in practice to be `good' equals us
and `bad' equals competitors, that is, _everyone_ else. I can't see those
criteria being well received by the public, although based on past practice I
would expect them to be carefully and professionally marketed in various ways
by Microsoft. The same basic approach is shared by many political and
religious groups too, which would also render a broad range of social
criteria inappropriate.
 
When you've bashed your collective heads against that particular wall often
enough, consider the axiomatic approach, `if it works, don't fix it'. In real
life, OSS _has_proven_ to be more secure than competing methods, and without
controls. To be honest, one must say `competing method', singular.
 
To effectively put a brake on OSS adoption by pausing for study when much
study has already been done seems to be the biggest and most pressing
security risk in this situation.
 
AdTI's own mission statement* includes `Our principles guide the selection of
which issues are critical to the advancement of freedom - but we don't rush
to judgement about which means will be most effective in producing it.'
Excellent! But AdTI seem to be `rushing to judgement' here, unless AdTI uses
an odd definition for `freedom'.
 
If AdTI's sponsors wish to compete in a market which prefers OSS, by choice
or mandate, they need but Open Source their own products, noting that the GPL
requires source to be available for distribution _only_ as far as the
binaries are, _not_ to the public at large.
 
Cheers; Leon
 
 
* a pasteable text version would be nice
 
--
CyberKnights Modern tools, traditional dedication.
+61-409-655-359 http://www.cyberknights.com.au/
 
linux.conf.au 2003 The Australian Linux Technical Conference
http://conf.linux.org.au/ 22-25 January 2003 in Perth, Western Australia

Re: [riptide-announce] New riptide-0.3mbsibeta02061100 linux driver available

From:  Jamie Lokier <jamie@shareable.org>
To:  Marc Boucher <marc+linmodems@mbsi.ca>
Subject:  Re: [riptide-announce] New riptide-0.3mbsibeta02061100 linux driver available
Date:  Wed, 12 Jun 2002 16:09:53 +0100
Cc:  discuss@linmodems.org, letters@lwn.net

Marc Boucher wrote to discuss@linmodems.org:
> I am pleased to announce the first public open-source release of the
> Conexant (Rockwell) RipTide Audio/Communication Controller driver for
> Linux.
>
> It is now available for download from
>
> http://www.mbsi.ca/cnxtlindrv
 
Dear Marc,
 
Isn't that a misleading use of the term "open-source"?
 
818k of it is a proprietary, binary-only module. Users may not study or
modify or recompile the interesting bulk of the driver code, even though
it is plainly software which runs on the x86 CPU.
 
- Users cannot study the code, to simply learn from it.
 
- It only runs on x86 versions of Linux. It doesn't run on non-x86
  hardware, and cannot be ported by anyone other than Conexant.
 
- Most of the code cannot be audited for security or correctness, any more
  than other binary code.
 
- You even appear to have obfuscated the binary, to scramble symbolic
  information that might be useful for reverse engineering or security
  analysis.
 
In other words, the benefits of open source apply only to a very small
portion of the driver, and the caveats of closed source apply to the
rest.
 
It is a useful driver, for users prepared to run binary-only software
(with the caveats regarding freedom, security and reliability that
implies).
 
But to announce it as open source without mentioning that it is really
closed-source, binary-only software in an open-source wrapper is, IMHO,
marketing - not true by any stretch of the imagination.
 
Yours sincerely,
-- Jamie Lokier

PostgreSQL not relational!

From:  Leandro Guimarães Faria Corsetti Dutra <lgcdutra@terra.com.br>
To:  LWN Editor <letters@lwn.net>
Subject:  PostgreSQL not relational!
Date:  Thu, 06 Jun 2002 19:38:09 +0200

        Re: http://lwn.net/Articles/809/
 
 > Our archive of security alerts dating back to July, 2001 now lives in
 > a PostgreSQL relational database.
 
        As argued in http://dbdebunk.com/ and elsewhere, SQL is not relational.
  Also, so-called object/relational DBMSs are even further away from the
relational model than SQL ones, and aren't even DBMSs proper, but
DBMS-construction kits.
 
        This is not a trivial matter, as SQL not being relational keeps it from
fulfilling the possibilities of the model, which would fulfill all the
requirements for which OODBMSs are built.
 
 
--
  _
/ \ Leandro Guimarães Faria Corsetti Dutra +41 (21) 216 15 93
\ / http://homepage.mac.com./leandrod/ fax +41 (21) 216 19 04
  X http://tutoriald.sf.net./ Orange Communications CH
/ \ ASCII Ribbon Campaign against HTML email +41 (21) 216 15 93

Your LWN articles

From:  David.Kastrup@t-online.de (David Kastrup)
To:  letters@lwn.net
Subject:  Your LWN articles
Date:  06 Jun 2002 12:38:40 +0200
Cc:  rms@gnu.org

 
You write:
 
> Describing the GNU system as "utilities" is quite an understatement.
> GNU is not a set of utilities--GNU is an operating system. The
> GNU/Linux system is pretty much the same as GNU, but not entirely
> the same, because it has Linux in it too.
 
> I appreciate Torvalds' contribution to the GNU/Linux system. I
> credit Torvalds (not hypothetical gods) for this work, and that's
> one reason I mention his contribution in the name of the operating
> system.
 
> I also appreciate that Torvalds' kernel would have mattered little
> for computer users' freedom, if not for the fact that we had already
> produced most of a free operating system for it to fit in. Giving
> him equal mention is more than fair.
 
The hypocritical thing about this is that you don't apply the
standards you demand from others to yourself.
 
A working GNU system requires a collection of basically Free Software
from a host of different sources. For example, most of the networking
stuff is typically taken from BSD, the windowing environments are
from X11, and so forth and so on. Some counts have indicated that
about a third of the identifiable portions from a GNU system are
actually GPLed, and only a small ratio of those are part of the GNU
project proper.
 
You feel you are entitled to call the resulting system "GNU" because
the GNU project had a vision of an entirely free system and
concentrated on providing those pieces of infrastructure that could
not freely be adopted from other free sources.
 
But exactly the same was done by Torvalds, other Linux developers and
distribution maintainers: they also took a look at what was available
and concentrated on providing those pieces of infrastructure that were
still missing in order to obtain a complete system meeting their
demands. At the time they were doing this, there was no such thing
as a complete GNU system.
 
While you consider it outrageous that those putting a complete system
together might not name it the way you would have named a similar
(but quite different system) had you completed work on it before that
time, you feel quite satisfied assuming that all of the various
contributors to such a system should be entirely happy to have their
individual work subsumed under the "GNU" title, even if it had never
been intended as part of the GNU project.
 
The components of a GNU system are all intended as meaningful parts of
a complete system, but not necessarily as part of a particular system:
they are more versatile than that, and fit a lot of environments.
 
Now let us hypothetically assume that a GNU system actually consisted
to a majority from parts done specifically by and for the GNU project.
If an artist has in the creation of a work used only paints from a
particular manufacturer, does that mean that the resulting work is
that from the paint manufacturer, and that the paint manufacturer
should be able to choose the name? Hardly.
 
A situation may be conceivable where several paints would be produced
particularly for a certain work, with particular pigments in it, and
given the artist freely. Would that make the title of the work
something to be chosen by the manufacturer? Hardly, unless the
manufacturer explicitly contracted for those paints, or commissioned
the entire work. Even in that case, an interference like this would
be generally considered distasteful since it interferes with one of
the basic artistic freedoms. And was not freedom something this was
all about?
 
This is the main problem with your naming crusade: even disregarding
the discrepancy between your demands for credit and your recognition
for that of others, and disregarding any discussions about your moral
or legal or whatever rights to it, the main problem is that it appears
distasteful. The amount of animosity and alienation you collect with
that stance vastly exceeds any possible gains in recognition you could
expect.
 
--
David Kastrup, Kriemhildstr. 15, 44793 Bochum
Email: David.Kastrup@t-online.de

Re: Your LWN articles

From:  Richard Stallman <rms@gnu.org>
To:  David.Kastrup@t-online.de
Subject:  Re: Your LWN articles
Date:  Fri, 7 Jun 2002 17:23:42 -0600 (MDT)
Cc:  letters@lwn.net

In your letter, you summarized our reasons for the name GNU/Linux
thus:
 
    You feel you are entitled to call the resulting system "GNU" because
    the GNU project had a vision of an entirely free system and
    concentrated on providing those pieces of infrastructure that could
    not freely be adopted from other free sources.
 
In that description you have carefully selected a part of what we say.
It fits what we did, but it omits something important: we launched
the system's development, and did the largest part of the work. The only
usable pieces of free software available when we started were TeX and
Bison, and Bison needed substantial extensions to serve the purpose.
During the 80s, as we were working on GNU, additional usable pieces of
free software occasionally became available, but we had to write a
large part of the system ourselves.
 
    But exactly the same was done by Torvalds, other Linux developers and
    distribution maintainers:
 
You've designed your description very precisely so that it can fit a
series of cases that are rather different. For instance, it fits what
we did, doing the bulk of the work of developing the GNU operating
system; it fits what Linus Torvalds did, writing a program that filled
the main gap in an almost complete operating system; it fits what
GNU/Linux distribution maintainers such as Red Hat did, polishing and
extending a basically working system (alas, often extending it with
non-free software).
 
Despite your success in crafting a description that fits this range of
cases, they are not similar cases. Many others have also contributed
to the system, but we're the system's principal developer.
 
On another issue, you assert that our request for people to call the
system GNU/Linux "appears distasteful" and does more harm than good
for the GNU Project. In my experience, people usually react favorably
and it does more good than harm. It is mainly people who deny the
validity of this request that find it distasteful. Typically they
deny its validity because they underestimate our role in the
community's history, and for that very reason, they are less likely to
cooperate with us anyway. We ought not to be worried about what they
will think. This campaign appears to be making slow but steady headway
in correcting people's picture of the system's origin.

Response to Mr. Brown's critique of Open Source Software.

From:  Ken Ambrose <kena@well.com>
To:  matthew.broersma@cnet.com, <jamie@mccarthy.vg>, <kenbrown@adti.net>, <letters@lwn.net>
Subject:  Response to Mr. Brown's critique of Open Source Software.
Date:  Mon, 10 Jun 2002 17:27:40 -0700 (PDT)

[Note: this response was written on June 10th, from a paper that Mr. Brown
apparently found fit to withdraw after initial publication. The URL that
the paper had previously been found at
(http://www.adti.net/html_files/defense/opensource_whitepaper.pdf)
stated, "The White Paper will be available by the close of business, June
10, 2002." Being as it is now after 8:00 p.m. EST, and the paper is still
not in evidence, I will not wait any longer to see if Mr. Brown has
changed his initial paper.]
 
Every now and then, you hear about or read something that forces you to
look at things in a new light, to marvel at the goings-on of the Universe.
 
The paper, "Opening the Open Source Debate," written by Kenneth Brown,
president of the Alexis de Tocqueville Institute, fails utterly and
entirely to accomplish this.
 
Regardless of the stance that one takes on a given issue, it is always
enjoyable to find a well-reasoned, objective treatment of said issue,
allowing the reader to consider previously un-thought-of venues and
realize new insights. However, this "paper," with a clear, very
subjective stance, does nothing except embarrass anyone who takes it
seriously. From the quirky use of English, to the figures cut out of
whole cloth, one has to wonder what possessed Mr. Brown to sit down and
put pen to paper.
 
An example of the questionable figures that Mr. Brown uses is this: "In
the U.S., the software sector accounted for approximately 319 million jobs
in 2001." Software has clearly taken off when it employs more people than
live in the country. If it were merely a typo, it might be forgiven, but
he then refers to his appendix, where the same figure resides, with
further reference to www.bls.gov/ces/home.htm#data, where the most I can
find is some 2.2 million, or slightly under 1% of the country's gross
population. While I admit I'm not certain of my figure in relevance to
whatever Mr. Brown thought he was quoting, at least I'm not presenting
something that is clearly incorrect.
 
If this were the only mistake, I would be tempted to let Mr. Brown off
fairly lightly. However, that is only the beginning. While he may term
his paper a "debate," one usually has to prop up premises with facts in a
debate; Mr. Brown showed no reluctance in avoiding this restriction.
I will start from the beginning, so that the interested reader may follow
along:
 
Brown: "Executable software accompanies binary code..."
Truth: Executable software -is- binary code; the two are one
       and the same, at least within the bounds of the arguments
       that are being put forth.
 
Brown: "Open Software is not necessarily free software."
Truth: This is akin to saying "Water is free, usually." It's
       such an open-ended statement that it begs further
       qualification, not free-ranging pot-shots.
 
Brown: The entire section labelled, "GPL Open Source -- The
       Gift that Keeps Taking".
Truth: Aside from the fact that the heading, itself, proves that
       Mr. Brown has no interest in objectivity, the section is
       so full of mis-representations and accusations, with nary
       a shred of supporting evidence, as to make one cringe.
       First, he attempts to show that the Gnu Public License
       (the "GPL") is overly restrictive... and proves it by showing
       how open it is. Then, having failed in this endeavor, he
       decides that character assassination is not below him, and
       takes aim at Richard M. Stallman. "The controversial nature
       of Stallman's position began to turn away his supporters.
       [...] The rise in the popularity of Linus Torvalds and the
       Linux open source operating system began to create new
       supporters. Ironically, Linux supporters became the biggest
       proponents of the GPL." Clearly, Mr. Brown uses a different
       definition for the word "ironically" than do most. Linux
       supporters became proponents of the GPL not because they
       like Linux, but because they like the GPL. If anything, one
       could argue that they like Linux because of the GPL, and
       not the other way around.
 
Brown: Another section, entitled "The Myth of a 'Public Software'
       Community".
Truth: First and foremost, the heading implies a thesis to follow,
       and then supporting argument. This is entirely untrue. I
       don't know what point Mr. Brown tries to make in the argument
       (perhaps that federal dollars can act as a catalyst in the
       private sector? I'm really unsure.), but he fails across the
       board to address anything, much less prove anything.
 
Brown: In the single attempt Mr. Brown makes to find an alternative
       viewpoint, he quotes Rossz Vamos-Wentworth, "Security holes
       are eventually found, with or without open source code."
Truth: The security world holds to two viewpoints, neither of which
       is entirely conclusive. The truth lies somewhere in the
       middle. The viewpoint that the paper puts forth is that, if
       you can read the source code, it makes it all the easier to find
       security holes. Ironically, this is also the opposing camp's
       viewpoint; they, however, would append "and then fix them" to
       the sentence. The problem with closed-source software is that
       you generally find out it's insecure in one of two different
       ways: when the manufacturer decides to let you know, or when you
       get cracked.
 
Brown: A whole paragraph with a slew of questions. I will reproduce
       them here in their entirety: "Issues include: Who should have
       the right to alter software manuals? Who is the final editor
       or is there one? How should changes be regulated? Are manuals
       copyright protected documents? What is the process for making
       changes? What body regulates these changes? How can organizations
       guarantee that information in manuals is always accurate?"
Truth: WITHOUT EXCEPTION, every single one of the above questions can
       be applied -- in some cases, moreso -- to the private sector.
       The mere fact that Mr. Brown bothers to ask these seemingly
       rhetorical questions to bolster his position speaks plainly of
       how little he knows about the basic functioning of a real-world
       software or hardware company. I know one very competent end-user
       who spent TWO DAYS attempting to get a router to work properly.
       Why was he unable to? Because the manual, from one of the largest
       network equipment manufacturers, left out a two-word command.
       In other words, the entire paragraph should apply, in my
       considered opinion, to the software community at large. The
       only documents that I consider to have good editorship and
       version control, for the most part, are those by large,
       non-proprietary organizations such as the IEEE and the RFCs,
       describing open protocols, that are the white papers upon which
       the Internet is based.
 
Brown: "It becomes unrealistic for a firm to depend too much on the
       'trust' of an anonymous community..."
Truth: When an electrical engineer designs a "widget," one thing he
       tries very hard to avoid is "single sourcing" a component.
       In other words, the engineer goes to great lengths to make
       sure that no given component can only be obtained from a
       single vendor. The reason for this is that, were the vendor
       to go under, or change its structure, or simply cease to
       produce the component, suddenly the engineer's company would,
       at a minimum, have to spend time and resources to redesign
       their widget, and in a worst-case scenario, would be forced
       to halt its production entirely. This is -exactly- the case
       with closed-source software. Far better to have a loose-knit
       community that is, and always will be, able to assist you
       than one commercial entity that could fail tomorrow. Just
       ask users of Wang word processors how much trouble they had
       getting their information onto a more... well, "open" platform.
       Furthermore, on top of the community, itself, there are also
       a wide range of Open Source vendors (eg. Red Hat,
       http://www.redhat.com) that offer service and support contracts,
       and have under their employ some of the stars of the Open Source
       community. Ask yourself: when you have competing vendors offering
       support, do you get better service than when you're locked in? I
       clearly don't need to bother answering that rhetorical question.
 
Brown: "While each of these firms would insist that they are not against
       copyright protection, invoking the protections argues that they
       are against people copying their marketing documents and symbols."
Truth: While I'm sure the preceding sentence is supposed to prove some
       purported point, the fact that it's an oxymoron makes it difficult.
       Okay, apologies: it's not an oxymoron, it's an "identity:" he just
       restated the same thing, when he was attempting to contrast
       something. Mr. Brown should clearly leave abstract thinking for
       others.
 
Brown: "The purchase price of computer software is only a fraction of the
       total cost of ownership ["TCO"]. So even if the price tag reads
       "free", it can end up being more expensive than software you buy.
       This is especially true for the typical consumer. If it requires
       technical know-how to operate, doesn't offer built-in support, and
       demands constant attention, it won't feel free for very long."
Truth: All this is very well and good... but it leaves out the fact that
       the "average consumer" doesn't know how to fix a broken Windows
       box, either. Once something goes wrong with proprietary software,
       more likely than not, the answer is "re-install." This doesn't
       strike me as a cost-beneficent solution, especially when time to
       re-configure the system is involved. On the other hand, most
       computers with Linux installed on them only have to get re-booted
       when the machine has to be powered off to install new hardware.
       Contrast this with re-booting to install, say, a USB driver for
       a camera. And, if support is needed, it's actually -easier-
       for people to remote-administer an Open Software machine than
       a closed one; so long as you trust the remote operator, they
       can likely fix you without having to lug your machine to CompUSA.
 
Brown: "If a software application representing 5000 hours uses GPL code
       that reflects only 100 hours, is the GPL fair in its argument that
       the entire product is GPL?"
Truth: This may be the least insightful argument Mr. Brown has used thus
       far. Clearly, if only 100 hours' additional work would be required,
       and the author wished for the software to remain proprietary, then
       he would put in the 2% extra work himself. NOBODY forces ANYONE
       to use GPL code; rather, it is there as a resource. If you choose
       to use it, knowing full well the ramifications, then, yes, the
       license is applicable. Otherwise, you don't. As opposed to
       closed source, at least you have a choice.
 
The rest of the paper meanders on; there are some other issues regarding
legal precedence in which Mr. Brown, to be blunt, makes me wonder whether
he is ignorant, or intentionally deceitful. ("There are unlimited
scenarios for accidents to occur, the license could be lost in the source
code's distribution, or maybe unreadable due to a glitch in its electronic
distribution." Do you eat candy you find, unwrapped, lying in the street?
No. And neither should a software firm; instead, any firm worth its charter
practices due diligence and is very careful of licensing, regardless of
whether it's open or closed. Common sense is clearly not one of Mr. Brown's
strong points.)
 
In his conclusion, I find it ironic that he names IBM as spending billions
on development, and wondering if Open Source would put their development
at risk. The reason I find this ironic is that IBM has put around a
billion dollars into Linux, itself, only to find it reaping great rewards
as it is able to make use of Linux's synergy, letting them minimize
in-house development costs, and allowing the lowering of their systems'
TCO, and, therefore, raising their margins and allowing them to compete
more proactively in the marketplace.
 
Or perhaps Mr. Brown is against competition, period.
 
Sincerely,
 
Ken D'Ambrosio
Merrimack, NH
 


Page editor: Jonathan Corbet


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds