Lawrence Lessig (and others) first started talking about
the Creative Commons Project some
months ago. It took until December 16, however, for the formal launch
of the project. Now that Creative Commons is live, it's time for a good look
at what they are up to.
The Creative Commons is a reaction to the steady increase in the power of
copyright holders over their creations. By allowing creators to lock up
their work indefinitely, the expansion of copyright protection is
impoverishing the intellectual "commons" -- the pool of ideas and works in
the public domain from which all can draw. By denying the growth of the
commons, content producers are denying the basic fact that the work they
would lock up also has its roots in that commons. Disney may have done
children a great service by cleaning up the gory and depressing parts of
"The Little Mermaid," but the foundation of the company's work lies deep
within the commons where the original Mermaid lives.
The copyright battle is being fought on many fronts, including in
legislatures and courts. The Creative Commons is taking a different
approach, however: it is attempting to create an explicit commons to which
creators of copyrightable works can donate their output. This effort has,
for now, two components.
The first is the Licensing
Project. This project aims to move works into the commons immediately
by providing a whole set of licenses for releasing works with varying
degrees of freedom. Content producers can select a license by answering
three basic questions:
- Should people redistributing the work be required to credit the
original author?
- Can others make commercial use of the work?
- Can others distribute (and perform, display, etc.) derived products of
work, or may it be used only in unaltered form? In the case where
changes are allowed, must the changes be distributed under the same
license?
The answers to those questions map onto a list of eleven licenses
that reflect the author's wishes. (The twelfth case - the one with no
restrictions - is apparently deemed as being equivalent to releasing the
content into the public domain). The more restrictive licenses would not
be considered truly "free," since they restrict commercial use and the
ability to make changes. On the other hand, the "Attribution"
license is fairly BSD-like, and "ShareAlike"
takes its cue from the GPL.
Not everybody wants to make their work freely distributable from the
beginning, however. For those who want to enjoy the benefits of copyright
protection for a while, but who would still like to see their work pass
into the commons in a timely manner, there is the Founders'
Copyright project. Essentially, the Founders' Copyright attempts to
take copyright law back to 1790 by way of a contract which will release a
given work into the public domain after 14 years. O'Reilly &
Associates, which has funded the Creative Commons, has pledged to put some
(currently unspecified) works into the public domain under these terms.
The path ahead of the Creative Commons project looks difficult; how many
content producers will really be interested in giving away their current
legal rights in order to nourish an amorphous "commons"? Twenty years ago,
however, one could have reasonably asked why any sane programmer would
donate code to a seemingly infeasible project to create a free operating
system. As people become more aware of the costs of freezing the growth of
the true intellectual commons, there may well be room for the development
of a privatized version. We need that commons, one way or another.
As an aside, those who are interested in U.S. copyright law and its
expansion over the years may want to have a look at The Progress
of Science and the Useful Arts, a lengthy report from the Free
Expression Policy Project.
Another leading thinker, Siva Vaidhyanathan, puts 'intellectual
property talk' at the root of today's conflicts over
anti-circumvention technology, extensions of the 'limited time' of
copyright, and other efforts by the industry to expand its profits
and control. Vaidhyanathan writes that copyright 'was not meant to
be a property right as the public generally understands
property. It was originally a narrow federal policy that granted a
limited trade monopoly in exchange for universal use and access.'
Viewing creative expression as property distorts this original
concept.
The report looks at copyright from the beginning through to current issues
(copyright extension, DMCA, etc.). It's a long but worthwhile read.
Comments (3 posted)
The ElcomSoft trial is over, and the verdict is in: not guilty. In the
end, the jury decided that ElcomSoft did not willfully violate the law, and
should not be punished. In other words, the court agrees with much of the
community that the U.S., last year, violated the rights of an innocent man
when it arrested and detained Dmitry Sklyarov.
The outcome of this case is good news for ElcomSoft, but it has little to
offer others who face possible DMCA prosecutions. As a low-level jury
trial, the ElcomSoft case would have had little precedent value in any
case; the judge in this case also went out of his way to ensure that the
validity of the DMCA itself was not called into question. The issue of
whether or not ElcomSoft's software was illegal was not much discussed;
what decided the case was the jury's assessment of whether ElcomSoft
knowingly and intentionally violated U.S. law.
So ElcomSoft was acquitted, which is good news for the company. But the
DMCA itself remains unchallenged, and companies that might consider
distributing a "circumvention device" have seen that the DMCA can lead to
expensive criminal trials and arrests, even if they win in the end. The
DMCA's chilling effect will thus be undiminished, and, for those who remain
unchilled, there will certainly be other criminal DMCA trials in the
future.
Comments (2 posted)
Remember Lineo? This company initially was spun out of Caldera as Caldera
Thin Systems, but switched over to Lineo shortly thereafter. Lineo
received vast amounts of venture capital, went on an acquisition spree
(FirePlug, INUP, Moreton Bay, USE, RT-Control, Zentropix, ...), and
filed for a
$60 million IPO - in May, 2000. Needless to say, things didn't
work out that way.
Denied its IPO cash windfall, Lineo went into decline. The hardware
businesses it had picked up were unacquired. Then, last April, the company
was "recapitalized" - from the details that have been made available it
seems that the company was foreclosed upon and reincarnated (as "Embedix,
Inc.") in the hands of the Canopy Group - the company's venture capital
firm. Now Lineo/Embedix has been sold to Metrowerks, which hopes
to make a compelling product out of the combination of Embedix and
CodeWarrior. Of the 200+ people employed by Lineo when it filed for its
IPO, about 30 remain to move to Metrowerks.
Lineo is a relic of the Linux Bubble Days; perhaps the only surprising
thing is that it lasted this long. The company certainly had worthwhile
products in its Embedix system, development tools, and embedded web
browser. But they got caught up in the hype of those days and went off
buying big trade show booths, acquiring companies of marginal use, and
generally trying to tread the high-flying IPO-bound path. When the IPO
failed to happen, there really just wasn't a whole lot left.
Lineo pursued a path that appeared to be rational and lucrative at the
time; it's hard to put (too much) blame on the company's management. It
has taken years, however, to divest the pieces of a company built around
the dotcom business model. What's left, finally, is the core of a real
Linux business, which, as part of a bigger structure, will be doing its
part for Linux World Domination in a more realistic way. The end of the
dotcom bubble has brought hard times to many Linux companies and
developers, but it has also brought a new focus on creating products and
services that customers actually want to buy. That change will, in the
long run, do far more good for Linux and free software than the Bubble Days
ever did.
Comments (none posted)
We'll start with the most fun news: the
LWN.net 2002 Linux Timeline is
now available. For the fifth straight year, we have gone through and
pulled out the most interesting news from the last twelve months. The
result is a concise, and, we hope, fun summary of what's been going on.
And...there's more!
As some of you may know, LWN.net will turn five years old next month. In a
bit of early celebration, we have put together the LWN.net Five-Year Timeline,
giving a condensed view of what has happened while LWN has been watching.
There are now just over 2400 individual LWN.net subscribers. The number
continues its slow, steady growth despite an increase in the number of
expiring subscriptions. With luck, that trend will continue, but we remain
distant from our short-term goal of 4000 subscribers. (Meanwhile, the kind
soul who subscribed "cypherpunks" needs to renew, as it has expired...).
This is the last LWN Weekly Edition for 2002; there will be no Weekly
Edition during the Christmas week. We will return to our regular schedule
on January 2, 2003 (the front page will continue to be updated during
this time). Hopefully our readers will forgive us if we're
still a little hung over at the time.
This has been a challenging year, to say the least.
Through all of our ups and downs, we have continued
producing LWN because we have such a great set of readers.
Best wishes to all of you for great holidays and a happy new year
from the folks at LWN.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
Brief items
[This article was contributed by LWN reader Burt
Janz]
Earlier this month, Schwäbisch Hall began an IBM-hosted initiative to convert
hundreds of its city-run computers to Linux. With Sony announcing that it
would be dropping Microsoft Office in favor of StarOffice on most consumer
systems sold in Europe, the availability of OEM-hosted Open Source desktop
applications may be prompting the next step in the adoption of Linux as an
alternative to Microsoft - especially in government.
Now, another initiative to convert Germany's government computer operations to
Linux has been announced. Joachim Jacob, the Federal Commissioner for Data
Protection, apparently feels that Open Source provides a more secure set of
network management tools than those available under Windows, and will begin
the conversion by moving mail, file services, DHCP and DNS, and other network
services to Linux. Additionally, up to 75 desktop systems will also be
converted to Linux.
In his announcement, Mr. Jacob addressed one of the primary issues
cited by anti-Linux advocates: training. Herr Jacob knows that there will
be a certain amount of retraining necessary in moving to Linux, but also
knows that Linux is sufficiently close to UNIX in most of his required
operations so that these retraining costs should be minimal.
However, Mr. Jacob also attacks the retraining issue in another realm: the
desktop. This is the one area where Linux opponents are most vocal, and the
place where Microsoft is placing its largest bets. Mr. Jacob's response to
the issue is simple: since he has to retrain people every five years or so, and
since he has to have a budget to do it, why not retrain them to use Open
Source instead of Windows? This is a compelling argument, and could be used
to make the case for "test conversions" to Linux in the corporate world.
(See also: this Heise News
article (in German)).
Comments (2 posted)
Bruce Schneier's CRYPTO-GRAM Newsletter for December is out; it looks at
counterattacks, the new U.S. Department of Homeland Security, and the
Internet's next big thing: "
I think the next big Internet security trend is going to be crime. Not
the spray-painting cow-tipping annoyance-causing crime we've been
seeing over the past few years. Not the viruses and Trojans and DDoS
attacks for fun and bragging rights. Not even the epidemics that sweep
the Internet in hours and cause millions of dollars of damage. Real
crime."
Full Story (comments: none)
CERT has issued an advisory describing a number of SSH vulnerabilities which can lead to remote root exploits. OpenSSH is
not affected by these problems; neither is lsh.
Full Story (comments: none)
New vulnerabilities
exim: format string vulnerability
| Package(s): | exim |
| CVE #(s): | |
| Created: | December 17, 2002 |
| Updated: | December 17, 2002 |
| Description: | Versions of exim prior to 4.10 have a format string vulnerability which may be used, in certain limited circumstances, for a local root exploit; see this advisory for details. |
| Alerts: | |
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
Comments (3 posted)
micq: Denial of service
| Package(s): | micq |
| CVE #(s): | |
| Created: | December 13, 2002 |
| Updated: | April 24, 2003 |
| Description: | Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash. |
| Alerts: | |
Comments (none posted)
MySQL: multiple vulnerabilities
| Package(s): | mysql |
| CVE #(s): | |
| Created: | December 13, 2002 |
| Updated: | April 10, 2003 |
| Description: | The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. |
| Alerts: | |
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
| CVE #(s): | CAN-2002-0839 |
| Created: | October 9, 2002 |
| Updated: | December 18, 2002 |
| Description: | Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related vulnerabilities which can be exploited by local users running under the Apache user ID. In-server scripting languages, such as PHP, are the most likely means of carrying out the attacks. One vulnerability causes the server to fork off new processes, leading to denial of service scenarios; the other allows an attacker to send SIGUSR1 to any process as root, probably killing that process. See this iDEFENSE advisory for the details. |
| Alerts: | |
Comments (3 posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th.) |
| Alerts: | |
Comments (none posted)
BIND8: Multiple vulnerabilities
Comments (1 posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunately, that does not mean that Linux systems are not vulnerable: similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries. |
| Alerts: | |
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin', which could lead to further exploits; the Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier; a malicious remote user could exploit this vulnerability to leak information or cause a denial of service (CAN-2002-1159). See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt |
| Alerts: | |
Comments (none posted)
dhcpcd: Character expansion vulnerability
| Package(s): | dhcpcd |
| CVE #(s): | |
| Created: | November 19, 2002 |
| Updated: | January 10, 2003 |
| Description: | dhcpcd is an RFC2131- and RFC1541-compliant DHCP client daemon. It has the ability to execute an external script named /sbin/dhcpcd-<interface>.exe when assigning a new IP address to a network interface. This script sources a file named /var/lib/dhcpcd/dhcpcd-<interface>.info that contains several shell variable assignments carrying DHCP information. Simon Kelley pointed out a vulnerability in the way quotes inside these assignments are treated: by exploiting it, a malicious DHCP server (or an attacker able to spoof DHCP responses) can execute arbitrary shell commands on the DHCP client, which runs as root. |
| Alerts: | |
Comments (none posted)
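The quoting problem described above, as an added example that is not part of the advisory or of dhcpcd's own code: a constructed hostile option value is written into a shell-variable file first the naive way and then with every embedded single quote escaped, and each result is sourced with eval the way the dhcpcd-<interface>.exe hook sources the .info file. The variable name DOMAIN and the marker INJECTED are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not dhcpcd's code. Constructed value a hostile DHCP server
# could hand out as, say, the domain name option: it closes the single-quoted
# string, runs a command, then reopens a quote so the line still parses.
EVIL_DOMAIN="example.org'; INJECTED=yes; echo '"

# Naive writer: wraps the value in single quotes and trusts it to contain
# none. This is the shape of the flaw the advisory describes.
write_info_naive() {
    printf "DOMAIN='%s'\n" "$1"
}

# Every ' in the value becomes '\'' (close quote, literal quote, reopen),
# so the value can never terminate the quoted string it sits in.
shell_quote() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}
write_info_safe() {
    printf "DOMAIN='%s'\n" "$(shell_quote "$1")"
}

# Source the generated assignment the way the hook script would and report
# whether the injected command ran. $1 names the writer function to use.
source_info() {
    INJECTED=no
    DOMAIN=
    eval "$("$1" "$EVIL_DOMAIN")" >/dev/null
    [ "$INJECTED" = yes ]
}

# Demonstration when run directly.
if source_info write_info_naive; then
    echo "naive writer: injected command ran"
fi
if ! source_info write_info_safe; then
    echo "safe writer: DOMAIN=[$DOMAIN], nothing executed"
fi
```

The safe writer keeps the hostile bytes as data: after sourcing, DOMAIN holds the full attacker string, quotes and semicolons included, and no command has been executed.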
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | December 17, 2002 |
| Description: | e-matters GmbH has issued an advisory warning of a new set of buffer overflows in the fetchmail header parsing code. The vulnerabilities have been fixed in fetchmail 6.1.0. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and the 4.1.6 development version. A patch is available. (First LWN report: May 2.) |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 30, 2003 |
| Description: | Felix von Leitner discovered an integer overflow in the xdr_array() function of the SunRPC-derived XDR code used in glibc (CERT/CC Vulnerability Note VU#192995, "Integer overflow in xdr_array() function when deserializing the XDR stream"). This bug could be exploited to gain unauthorized root access through software linking against glibc, so updating as soon as practical is a good idea. Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems: exploiting it can result in denial of service, execution of arbitrary code, or the disclosure of sensitive information. |
| Alerts: | |
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability; the impact appears to be limited to denial of service (see CERT Vulnerability Note VU#738331). The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (a "read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
gtetrinet: buffer overflows
| Package(s): | gtetrinet |
| CVE #(s): | |
| Created: | November 25, 2002 |
| Updated: | December 11, 2002 |
| Description: | Several buffer overflows were found in gtetrinet versions below 0.4.3. According to the authors these could be remotely exploited. |
| Alerts: | |
Comments (none posted)
IM: creates temporary files insecurely
| Package(s): | im |
| CVE #(s): | CAN-2002-1395 |
| Created: | December 3, 2002 |
| Updated: | March 6, 2003 |
| Description: | Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. The impwagent program creates a temporary directory in an insecure manner in /tmp, using predictable directory names without checking the return code of mkdir, so it is possible for another local user to seize control of the temporary directory. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. |
| Alerts: | |
Comments (none posted)
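The two mistakes named in the IM advisory, a predictable name under /tmp and an unchecked mkdir, shown next to the safe pattern. This is an added example and not IM's own code; the directory names and the impwagent prefix are assumptions used for illustration only.

```sh
#!/bin/sh
# Added example, not IM's code: insecure temp directory creation beside the
# safe form, plus a simulation of the local attacker pre-planting the name.
BASE="${TMPDIR:-/tmp}"

# Insecure: predictable name, and the mkdir status is deliberately ignored
# (that is the bug). If another user planted a directory or symlink of this
# name beforehand, the program carries on and uses it.
make_workdir_insecure() {
    dir="$BASE/impwagent.$(id -u)"
    mkdir "$dir" 2>/dev/null || :
    printf '%s\n' "$dir"
}

# Secure: mktemp -d picks an unpredictable name, creates it with mode 0700
# and fails instead of reusing an existing path; the status is checked.
make_workdir_secure() {
    dir=$(mktemp -d "$BASE/impwagent.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Simulate the attack: plant a symlink at the predictable name pointing at
# an attacker-owned directory, then let the insecure code run. Returns 0
# if the victim's file ended up inside the attacker's directory.
demo_hijack() {
    victim="$BASE/impwagent.$(id -u)"
    attacker_dir=$(mktemp -d "$BASE/attacker.XXXXXX") || return 1
    rm -rf "$victim"
    ln -s "$attacker_dir" "$victim"
    used=$(make_workdir_insecure)
    echo "victim state" > "$used/state"
    result=1
    [ -f "$attacker_dir/state" ] && result=0
    rm -f "$victim"
    rm -rf "$attacker_dir"
    return $result
}

# Returns 0 if the secure version hands back a real directory (not a link)
# with mode 0700.
demo_secure() {
    d=$(make_workdir_secure) || return 1
    result=1
    if [ -d "$d" ] && [ ! -L "$d" ] && [ "$(ls -ld "$d" | cut -c1-10)" = "drwx------" ]; then
        result=0
    fi
    rmdir "$d"
    return $result
}

if demo_hijack; then echo "insecure: victim wrote into the attacker's directory"; fi
if demo_secure; then echo "secure: fresh private directory, creation verified"; fi
```

The insecure variant fails silently because mkdir's refusal to create an existing path is exactly the signal it throws away; checking that status, and using a name the attacker cannot guess, closes both halves of the problem.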
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23.) |
| Alerts: | |
Comments (2 posted)
kdelibs: Vulnerabilities in KIO subsystem support
| Package(s): | kdelibs |
| CVE #(s): | CAN-2002-1281, CAN-2002-1282 |
| Created: | November 22, 2002 |
| Updated: | March 15, 2003 |
| Description: | Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2; however, the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the files /usr/share/services/telnet.protocol and /usr/share/services/rlogin.protocol. If either file also exists in a user's ~/.kde/share/services directory, it should likewise be removed. See also http://www.kde.org/info/security/advisory-20021111-1.txt |
| Alerts: | |
Comments (none posted)
kdenetwork: buffer overflow
| Package(s): | kdenetwork |
| CVE #(s): | CAN-2002-1247 |
| Created: | November 11, 2002 |
| Updated: | December 20, 2002 |
| Description: | iDEFENSE reports a security vulnerability, discovered by Texonet, in the klisa package, which provides a LAN information service similar to "Network Neighbourhood". It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability exists in the parsing of the LOGNAME environment variable: an overly long value will overwrite the instruction pointer, thereby allowing an attacker to seize control of the executable. |
| Alerts: | |
Comments (none posted)
kernel: local denial of service vulnerability
| Package(s): | kernel |
| CVE #(s): | |
| Created: | November 19, 2002 |
| Updated: | February 5, 2003 |
| Description: | All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and 2.5.47 contain a vulnerability which allows any local user to crash the system. This LWN article describes how the exploit works in detail. The vulnerability affects only x86 systems. |
| Alerts: | |
Comments (none posted)
krb5: Buffer Overflow in Kerberos Administration Daemon
| Package(s): | krb5, heimdal |
| CVE #(s): | CAN-2002-1235 |
| Created: | October 29, 2002 |
| Updated: | January 14, 2003 |
| Description: | CERT Advisory CA-2002-29, Buffer Overflow in Kerberos Administration Daemon. Systems affected: MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6; KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1; other Kerberos implementations derived from vulnerable MIT or KTH code. Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system. The CERT/CC has received reports that indicate that this vulnerability is being exploited; in addition, MIT advisory MITKRB5-SA-2002-002 notes that an exploit is circulating. CERT strongly encourages sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate. |
| Alerts: | |
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | October 1, 2003 |
| Description: | If lynx is given a URL containing certain special characters (CR/LF sequences) on the command line, it passes them through into the HTTP request, so an attacker can inject faked headers. This can be used to force scripts that use lynx for downloading files to fetch from the wrong site on a web server with multiple virtual hosts. |
| Alerts: | |
Comments (none posted)
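What the injected CRLF does to a request, and the check a wrapper script around a fetcher should apply before handing over a URL. This is an added example rather than lynx's own code; the request builder is a deliberately naive stand-in for any client that copies the path verbatim into the request line, and the path, host names and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not lynx's code. A client that copies the path into the
# request line verbatim lets CR/LF in the path start new header lines.
CR=$(printf '\r')
TAB=$(printf '\t')
NL='
'
# Constructed: what the path looks like once %0d%0a has been decoded. The
# attacker's Host: line arrives before the real one, and a virtual-hosting
# server will route the request by whichever one it honours.
EVIL_PATH="/index.html${CR}${NL}Host: other.example"
SAFE_PATH="/index.html"

# Naive request builder: path goes into the request line unchecked.
build_request() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" "$2"
}

# Count the header lines (lines containing a colon) a server would see
# before the blank line that ends the header block.
header_count() {
    build_request "$1" "$2" | tr -d '\r' | sed '/^$/q' | grep -c ':'
}

# Guard for a wrapper script: succeed only if the path is free of CR, LF,
# tab and space, the characters that can break out of the request line.
check_path() {
    case "$1" in
        *"$CR"*|*"$NL"*|*"$TAB"*|*' '*) return 1 ;;
    esac
    return 0
}

# Hardened builder: refuse rather than forward a path that fails the guard.
safe_build_request() {
    check_path "$1" || { echo "refusing path with control characters" >&2; return 2; }
    build_request "$1" "$2"
}

echo "headers with hostile path: $(header_count "$EVIL_PATH" www.example)"
echo "headers with clean path:   $(header_count "$SAFE_PATH" www.example)"
safe_build_request "$EVIL_PATH" www.example >/dev/null || echo "hostile path rejected"
```

With the hostile path the server sees two Host: headers; with the clean one it sees a single header, and the guarded builder refuses the hostile path outright instead of trying to repair it.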
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as the default mailer, which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
|
Comments (none posted)
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
| CVE #(s): | CAN-2002-0738, CAN-2002-1307, CAN-2002-1388 |
| Created: | September 11, 2002 |
| Updated: | January 3, 2003 |
| Description: | Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. |
| Alerts: | |
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
| CVE #(s): | |
| Created: | July 22, 2002 |
| Updated: | February 18, 2003 |
| Description: | PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems; there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise. According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP. Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2. For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team. CERT Advisory: CA-2002-21 Vulnerability in PHP. |
| Alerts: | |
Comments (1 posted)
mod_ssl: cross site scripting problem
| Package(s): | mod_ssl, libapache-mod-ssl |
| CVE #(s): | CAN-2002-1157 |
| Created: | October 22, 2002 |
| Updated: | December 12, 2002 |
| Description: | Joe Orton discovered a cross site scripting problem in mod_ssl, an Apache module that adds strong cryptography (i.e. HTTPS support) to the webserver. The module will return the server name unescaped in the response to an HTTP request on an SSL port. Like the other recent Apache XSS bugs, this only affects servers using a combination of "UseCanonicalName off" and wildcard DNS, which is a very unlikely configuration. Apache 2.0/mod_ssl is not vulnerable since it already escapes this HTML. |
| Alerts: | |
Comments (none posted)
Mozilla: Privacy leak and other vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-1126, CAN-2002-1091 |
| Created: | November 1, 2002 |
| Updated: | February 13, 2003 |
| Description: | Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs. Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width. See also Mozilla's Recently fixed security issues page. All users are encouraged to upgrade to the latest stable 1.0.x release of Mozilla. |
| Alerts: | |
Comments (none posted)
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0825, CAN-2002-0374 |
| Created: | October 9, 2002 |
| Updated: | December 11, 2002 |
| Description: | The nss_ldap package has a buffer overflow which can be exploited when the module configures itself from information in DNS. The problem is fixed in nss_ldap-199 and later. |
| Alerts: | |
Comments (none posted)
OpenLDAP2: remote command execution
| Package(s): | OpenLDAP2 |
| CVE #(s): | CAN-2002-1378, CAN-2002-1379 |
| Created: | December 6, 2002 |
| Updated: | February 21, 2003 |
| Description: | OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information. The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various locally exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed. Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended. |
| Alerts: | |
Comments (1 posted)
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the PHP mail() function. The first allows
the execution of any program/script, bypassing the safe_mode restriction;
the second may turn a script into an open relay if the mail() function is
not used carefully in PHP scripts. See this Bugtraq report for more
details. Note that this is a different vulnerability than the previous PHP
mail() problem, which affected versions through 4.1.0.
pine: buffer overflow parsing "From:" addresses
Package(s): pine
CVE #(s): CAN-2002-1320
Created: November 27, 2002
Updated: January 3, 2003
Description:
A malicious user could send a message with a specially crafted "From:"
address and cause a segmentation fault on the client. Pine 4.50 fixes this
vulnerability (CAN-2002-1320) and several others. Read the full advisory
here.
Buffer overflow vulnerabilities in PostgreSQL
Package(s): PostgreSQL
CVE #(s): (none listed)
Created: August 21, 2002
Updated: January 27, 2003
Description:
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad
functions.
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the
Debian advisory, the problem was present in Python versions 1.5, 2.1 and
2.2.
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to
be safe. The problem is fixed in Safe 2.08.
smb2www: arbitrary command execution
Package(s): smb2www
CVE #(s): (none listed)
Created: December 5, 2002
Updated: December 11, 2002
Description:
Robert Luberda found a security problem in smb2www, a Windows Network
client that is accessible through a web browser. This could lead a remote
attacker to execute arbitrary programs under the user id www-data on the
host where smb2www is running.
squirrelmail: cross-site scripting vulnerability
Package(s): squirrelmail
CVE #(s): CAN-2002-1131, CAN-2002-1132
Created: October 16, 2002
Updated: January 2, 2003
Description:
The Squirrelmail web mail package has a cross-site scripting
vulnerability; versions 1.2.7 and prior are affected. See the advisory for
details.
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
tcpdump: buffer overflow
Package(s): tcpdump
CVE #(s): (none listed)
Created: November 20, 2002
Updated: December 19, 2002
Description:
A new buffer overflow in the printing of BGP packets could, conceivably,
be remotely exploitable.
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none listed)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Tomcat 4.x JSP source code exposure vulnerability
Package(s): tomcat
CVE #(s): (none listed)
Created: September 25, 2002
Updated: January 29, 2003
Description:
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code
exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other
earlier versions also)". The current version of Tomcat is available here.
traceroute-nanog: buffer overflow and root exploit
Package(s): traceroute-nanog/nkitb
CVE #(s): (none listed)
Created: November 12, 2002
Updated: February 27, 2003
Description:
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine their route or to find non-working routers.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point.
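The fix the traceroute-nanog entry describes, as an added C example that is not traceroute-nanog's code: the raw socket is opened while the program still holds root, and root is then dropped permanently (and the drop verified) before any network input is parsed, so a later buffer overflow runs as the invoking user. The ICMP raw socket and the choice of target ids (the real uid/gid of the invoking user) are assumptions of the example.

```c
#define _DEFAULT_SOURCE 1   /* setgroups() declaration on glibc */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root: supplementary groups first (only root may
 * clear them), then the primary group, then the user id, and finally a
 * check that root cannot be regained. Returns 0 on success and -1 on any
 * failure, so a caller never carries on with leftover privilege. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* must fail once dropped */
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Open the raw socket while still privileged, then drop to the invoking
 * user (the real ids of a setuid-root binary). The descriptor stays
 * usable after the drop; everything that parses packets runs without
 * root. Returns the descriptor, or -1 with errno set. */
int open_raw_socket_then_drop(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int sock_errno = errno;             /* EPERM when not root */
    if (drop_privileges(getuid(), getgid()) != 0) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    if (fd < 0)
        errno = sock_errno;
    return fd;
}

int main(void)
{
    int fd = open_raw_socket_then_drop();
    if (fd < 0)
        printf("raw socket not available (%s); privileges dropped anyway\n",
               strerror(errno));
    else
        printf("raw socket fd %d open, now running as uid %u\n",
               fd, (unsigned)geteuid());
    /* From here on any overflow in reply parsing runs unprivileged. */
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run as an ordinary user the socket() call fails, but the drop still succeeds and the process verifiably cannot regain root; run setuid-root, the descriptor is obtained first and the rest of the program never touches privilege again.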
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s): (none listed)
Created: May 21, 2002
Updated: January 27, 2003
Description:
The cause is a buffer overflow bug. This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victim's DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
Webmin/Usermin vulnerabilities
Package(s): webmin
CVE #(s): (none listed)
Created: May 21, 2002
Updated: January 10, 2003
Description:
Webmin is a web-based interface for system administration for Unix.
Webmin has cross-site scripting and session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN report: May 9).
This one is scary. The session ID spoofing vulnerability allows the
"possibility that arbitrary commands may be executed with root
privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
wget: directory traversal bug
Package(s): wget
CVE #(s): CAN-2002-1344
Created: December 10, 2002
Updated: October 1, 2003
Description:
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also this Bugtraq article from 1997.
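The checks the tar/unzip entry above and this wget entry both call for, as an added C example that is not code from tar, unzip or wget: one test for archive member names (relative, with no ".." component) and a stricter one for names returned by FTP NLST, which per RFC 959 should carry no directory part at all. The sample listing in main() is constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Archive member check (the tar/unzip case): the name must be relative
 * and must not contain a ".." component, so the unpacked file cannot
 * land outside the extraction directory. Only '/' is treated as a
 * separator. */
bool archive_member_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')                 /* absolute path */
        return false;
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;               /* ".." component, e.g. "a/../b" */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* FTP NLST check (the wget case): NLST is supposed to return bare file
 * names in the current directory, so any directory information at all
 * ('/' anywhere, or a "." / ".." entry) marks the response as hostile. */
bool nlst_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strchr(name, '/') != NULL)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return true;
}

/* Keep the names in a listing that pass `check`, writing them to `out`
 * (room for `n` pointers). Returns how many were kept. */
size_t filter_listing(const char *const *names, size_t n,
                      bool (*check)(const char *), const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (check(names[i]))
            out[kept++] = names[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed NLST response from a hostile server: two ordinary names
     * and three attempts to write outside the download directory. */
    const char *const listing[] = {
        "README", "image.png", "/root/.rhosts", "../.forward", "sub/../../.shosts"
    };
    const char *accepted[5];
    size_t n = filter_listing(listing, 5, nlst_name_is_safe, accepted);
    printf("%zu of 5 NLST entries accepted:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", accepted[i]);
    return 0;
}
```

The archive check deliberately accepts names like "..hidden" (a legitimate file name) and rejects only a whole ".." component; a client that also accepts Windows-style separators would need to treat '\\' the same way.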
wmaker: buffer overflow in Window Maker image handling code
Package(s): wmaker windowmaker
CVE #(s): CAN-2002-1277
Created: November 7, 2002
Updated: February 6, 2003
Description:
Al Viro found a problem in the image handling code used in Window Maker,
a popular NEXTSTEP-like window manager. When creating an image it would
allocate a buffer by multiplying the image width and height, but did not
check for an integer overflow in that multiplication. This makes it
possible to overflow the buffer. This could be exploited by using
specially crafted image files (for example when previewing themes).
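The arithmetic the wmaker entry describes, as a constructed C example that is not Window Maker's code: the unchecked width*height product beside a version that refuses any product that does not fit in size_t before malloc() is ever called. The bytes-per-pixel factor and the 65536x65536 sample image are assumptions of the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the bug class, not Window Maker's code:
 * the product is computed in `unsigned int`, so large dimensions wrap
 * around and a buffer far smaller than the pixel data is allocated. */
unsigned int unchecked_image_bytes(unsigned int width, unsigned int height,
                                   unsigned int bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* wraps modulo 2^32 */
}

/* Hardened version: compute in size_t and refuse any product that does
 * not fit. Returns 0 for "reject" (a zero-sized image is rejected too),
 * so a wrapped value can never reach malloc(). */
size_t checked_image_bytes(unsigned int width, unsigned int height,
                           unsigned int bytes_per_pixel)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;                                /* width*height overflows */
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return 0;                                /* pixels*bpp overflows */
    return pixels * bytes_per_pixel;
}

/* Allocate an image buffer only after the size has been validated. */
unsigned char *alloc_image(unsigned int width, unsigned int height,
                           unsigned int bytes_per_pixel)
{
    size_t bytes = checked_image_bytes(width, height, bytes_per_pixel);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* A 65536x65536 8-bit image needs 2^32 bytes, which wraps to 0 in
     * 32-bit arithmetic: malloc(0) followed by writing 4 GiB of pixels. */
    unsigned int w = 65536, h = 65536;
    printf("unchecked: %u bytes\n", unchecked_image_bytes(w, h, 1));
    printf("checked:   %zu bytes (0 means rejected)\n",
           checked_image_bytes(w, h, 1));
    unsigned char *img = alloc_image(640, 480, 4);
    printf("640x480x4: %s\n", img ? "allocated" : "rejected");
    free(img);
    return 0;
}
```

A real decoder would additionally cap the accepted dimensions at something sensible for its purpose, since a product that fits in size_t can still be far too large to allocate.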
Multiple vulnerabilities in wordtrans
Package(s): wordtrans
CVE #(s): CAN-2002-0837
Created: September 11, 2002
Updated: February 4, 2003
Description:
The "wordtrans" interface to multilingual dictionaries suffers from input
validation and cross-site scripting vulnerabilities; versions through
1.1pre8 are vulnerable. See this Guardent advisory for details.
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s): (none listed)
Created: May 21, 2002
Updated: May 7, 2003
Description:
The libgtop_daemon package is a GNOME program which makes system
information available remotely. LWN reported the remotely exploitable
format string and buffer overflow vulnerabilities in that package on
December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run libgtop by default, but applying the update
is a good idea anyway.
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content-Length values.
"It is believed that an attacker could exploit this bug to gain remote
wwwrun access to the system wwwoffled is running on."
Resources
The December 16 Linux Security Week Newsletter from LinuxSecurity.com is
available.
ACROS Security has published a white paper on a new class of vulnerability
that they call "session fixation." Essentially, some web applications
allow a form of session "pre-hijacking," where an attacker can create a
known session and cause the victim to log in to it.
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.5.52, which was
released by Linus on December 15. It
consists mostly of fixes and updates, of course, but there's also a bunch
of changes from Andrew Morton's "-mm" tree (including the long-term fix for
the ext3
data=journal corruption bug), XFS and JFS updates, more
module fixes, and a kconfig update.
See
the long-format changelog for
the gory details.
The current stable kernel is 2.4.20; Marcelo released the second 2.4.21 prepatch on
December 18. This large patch is mostly made up of ia-64 updates, but
it also includes some NFS fixes, a couple of ext3 fixes, a bunch of stuff
from the "-ac" tree, a new megaraid driver, and various other fixes and
updates.
For those using very stable kernels: Alan Cox has announced the first 2.2.24 release candidate. It
contains a handful of bug fixes, including one for a new denial of service vulnerability caused
when somebody runs mmap() on a /proc/pid/mem
file.
Kernel development news
It all started with
an observation that
system calls on a modern Pentium 4 processor are far slower than on
older CPUs. It seems that, for whatever reason, software interrupts
generated with the
int instruction are very slow with the P4
processor. Since x86 Linux invokes system calls with "int $0x80",
that slowness makes itself felt - especially with system calls (like
getpid()) that would, otherwise, be very fast.
There is an obvious solution to this problem: use the sysenter
instruction instead. sysenter is quite a bit faster on modern
Pentium processors. There are just a couple of problems: not all x86
processors support sysenter, and sysenter steps on
registers in ways that can be hard to work around.
The lack of across-the-board support for sysenter is a problem.
The kernel maintains a set of flags telling it what capabilities a given
processor has; other processor-specific options are set at configuration
time. System calls, however, are not invoked from the kernel - that is the
C library's job. The last thing glibc needs is to be trying to figure out,
at run time, the right way to invoke system calls.
Linus's solution to this problem is a patch
which brings back a variant of an old idea. As of 2.5.53, the kernel will
map a global, read-only page at the top of every process's address space.
That page contains the optimal code for executing a system call on the
current processor. Whenever glibc needs to call into the system, it simply
sets up the registers and, rather than doing the old
int $0x80, it jumps into the new page. The C library still
needs to do a runtime test (since older kernels will lack this "vsyscall"
page), but it need not concern itself with the detailed capabilities of
different processors.
Keeping the registers straight turned out to be a trickier problem. The
way sysenter steps on registers makes it hard to invoke system
calls with more than five parameters. Various schemes were looked at,
including creating a new "extra argument block" or simply requiring that
six-argument system calls be invoked the old way. Linus finally came up
with a tricky solution that makes it all work, however; those of you who
like digging through x86 assembly may want to peek at his "absolutely wonderfully disgusting solution" to
the problem. "I'm a disgusting pig, and proud of it to boot."
The result of all this: the gettimeofday() system call runs in
just over half the time on a P4 processor. The speedup on Pentium 3's
is less - a factor of 1.2 - but is still worthwhile.
Now that the vsyscall page is in place, will it be used for other things,
such as implementing gettimeofday() entirely in user space? The
answer, for now, appears to be "no". Getting a user-space
gettimeofday() right is, seemingly, harder than it looks; there
are synchronization issues, especially on some SMP systems where the clocks
may not be synchronized by the hardware. So a user-space
gettimeofday() appears to not be in the works, for now at least.
While most people seem to think that the new system call mechanism makes
sense, the question has come up: what kind of feature freeze are we in if
we're adding things like a whole new way of doing system calls? Alan Cox,
perhaps, had
the most direct comment:
Linus, you are doing the slow slide into a second round of
development work again, just like mid 2.3, just like 1.3.60, ...
Given the high hopes that have been placed on this feature freeze actually
working, this sort of remark is something to be concerned about.
Linus has acknowledged the concern, and
started a discussion on how patches should be reviewed. Looking ahead:
I thought about the code freeze require buy-in from three of four
people (me, Alan, Dave and Andrew come to mind) for a patch to go
in, but that's probably too draconian for now. Or is it (maybe
start with "needs approval by two" and switch it to three when
going into code freeze)?
There seems to be fairly widespread agreement, however, that this approach
could be overly bureaucratic for now. Each development kernel release
still contains hundreds of patches (636 for 2.5.51; in 2.5.52 there were
"only" 153); people are understandably nervous about having that many
patches go through a committee. Or even worse, being on the committee. Of
course, Larry McVoy has an elaborate approach
involving BitKeeper all planned out, but, given that a couple of people
on the short list don't use BitKeeper, things will probably not go that
way.
Andrew Morton has suggested simply adopting
a set of guidelines for what can be accepted. The suggested list:
- Bug fixes
- Speedups
- In-progress features (or those Linus had already said would be
merged)
- New drivers or filesystems
Anything outside of that list would not be included at this point. As the
freeze gets harder, items are dropped off the list, until only bug fixes
are left.
Given everybody's time constraints, the relatively informal approach is the
most likely one to be adopted at this point. The important thing, in the
end, is that everybody agrees that the feature freeze is important and is
keeping an eye out for violations. As long as that continues, things will
hopefully not get too far out of control.
Now that the kernel has its own cryptographic API, James Morris is
thinking about how to support cryptographic
hardware. A number of cards which perform cryptographic functions exist,
and it would be nice to be able to make full use of these cards with a
Linux system. Quite a few issues need to be considered on the way there,
however, including:
- How should multiple cards be supported? This gets tricky, especially
for session-oriented crypto operations.
- How should card failures (and resource exhaustion) be handled? The
current crypto API isn't designed around this sort of failure.
- Some network cards can do their own IPsec processing; taking advantage
of that capability may require a higher-level interface.
- User space may want to be able to use cryptographic devices as well,
meaning that some sort of interface needs to be designed.
- Many devices lack useful programming documentation, which will make
creating a Linux driver harder (or impossible).
And so on. Now is the time to get these decisions right; anybody who is
interested in the interface to cryptographic hardware should probably have
a look at James's posting and join the discussion.
Don't throw away that old 80286 system yet - with the just-announced
release of EDE (Elks Distribution Edition) 0.0.5, that system, too, can run
Linux. EDE comes with a bleeding-edge 0.1.1 kernel and a new elkscmd
package; click below for the details. (Thanks to Alan Cox).
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
Another year has passed, and Linux distributions have gotten more numerous
than ever before. For many years analysts have predicted a consolidation
of distributions, but instead we continue to see growth. Even UnitedLinux
is more of a collaboration than a consolidation. Our first issue in
January, 2003 will take a long look at the distribution news of 2002, a year of many
changes.
We at LWN.net appreciate the opportunity to bring you news on the diversity
of Linux distributions. We would like to thank all of you that contributed
to LWN's survival and we look forward to bringing you more news in the
coming year.
Happy holidays to everyone.
Distribution News
Here's the latest issue of the Debian Weekly News. This week David Graham,
leader of the Open and Free Technology Community (OFTC) talks about how
OFTC manages itself; David Welton asks whether the Debian project has
reached a state where it is no longer manageable; and lots more.
The first update to Debian GNU/Linux 3.0 has been released. It adds a
(large) set
of security updates and a few other bug fixes to the base Woody
distribution.
The Mandrake Linux Community Newsletter for December 12, 2002 is out. This
week the newsletter covers MandrakeSoft's "OS Refugee Offer"; the PPC
Cooker; financial results for 2001/2002; and much more.
Slackware users may have noticed that the Slackware website has been
down. This note, dated December 18, 2002, explains why. "Due to a series of
DDoS attacks which began on Dec 11 and continued until yesterday afternoon,
it has been difficult or impossible to reach our website for nearly a
week. We're glad that it seems to have stopped, but have no idea who is
behind the attacks, why they're doing it, or if they will start again. We
apologize for the downtime. An investigation into the source of the attacks
is ongoing, and we ask that anyone with any information that may help
contact the Slackware Security team at security@slackware.com. Thanks for
your patience."
Now that the site is back up you can check out all the latest changes to
slackware-current on the change log.
Terra Soft Solutions has announced "YDL.net", an online community for
Yellow Dog Linux users.
New Distributions
Embedded Freedom Linux is a bootable Linux CD, intended to help new users
see the power of Linux. It is built with BBLCD, WhiteDwarf, and Slackware
packages. It works on PCs and laptops, supports wireless PCMCIA cards and
almost any network, video, and sound card, and features software from many
open source projects such as fvwm95 (familiar Windows 95 look and feel),
gftp, GTK-Gnutella, centerICQ, Dillo, sylpheed, airsnort, SSH, and more.
Freedom joins our list with version 1.
Skolelinux is a Norwegian distribution, where it is used as a server with
thin clients. Since it is used in the educational system, it joins the
Educational section of our list.
Thanks to Morten Sickel.
Minor distribution updates
CRUX has released v1.0 with minor feature enhancements. "Changes: Basic
support for JFS and PCMCIA were added. GNU locate was replaced by slocate.
About 50 other packages were updated, such as Linux 2.4.20, Glibc 2.3.1,
and GCC 3.2.1."
KNOPPIX has
released
v3.1-12-12-2002 with major
bugfixes. Changes in 3.1-10-12-2002 include an updated Mozilla, cloop
support using the kernel's zlib_deflate function, and an updated mount-aes.
Also clara was replaced with gocr, and knx-hdinstall 0.35 was included to
give filesystem choices and initrd support.
Lycoris has announced a new office suite featuring simple installation
coupled with Word, Excel and PowerPoint compatibility for Desktop/LX users.
Xilinx, Inc. and MontaVista Software announced that MontaVista Linux
Professional Edition has been certified for the new Xilinx Virtex-II Pro
ML300 development platform.
Altera Corporation and MontaVista Software announced that MontaVista Linux
Professional Edition now supports Altera's Excalibur EPXA1 Development Kit.
NSA SELinux has updated its web
site including the mail list archive. The site includes a new release of
the LSM-based SELinux prototype. The base kernel versions have been updated
to 2.4.20 and 2.5.51. Initial SID and context for SCMP packets has been
added. Additional policy enhancement and patch contributions have been
merged. The logrotate patch has been updated to 3.6.5-2. The private
file oversight in LSM, inode_doinit bug in SELinux, and selopt compile
problems have all been fixed. Also version
2002121210 has
been released with minor
feature enhancements.
RxLinux has released 1.2.2 with minor feature enhancements. "Changes: Three
new packages have been added: Jboss, Tomcat, and Jdk. Jdk has been bundled
as a compressed ISO file (ziso), and can be mounted directly from the CDROM
or installed in a RAMdisk. Rxlinux can now be customized as a diskless Web
application server. A few minor bugs have been fixed. More code cleanup was
done."
xbox-linux has released v17-12-2002 with major feature enhancements.
"Changes: A new XBE file format description was added. Ed's ISO 0.0.9 is
available, as is the first beta of the 'Cromwell' BIOS."
NeTraverse Inc. and Xandros announced a strategic partnership which will
combine Win4Lin with the Xandros Desktop.
Distribution reviews
DistroWatch puts Xandros Desktop through its paces. "The review will be
split into four parts. First, I'll take a brief look at installation. Next,
I'll poke around the desktop, test the available applications and take a
more detailed look at Xandros-specific tools and utilities. The next
section will be devoted to pleasures and annoyances of general usage.
Finally, and this is something new, a general purpose FAQ of those
questions that have been asked on public forums and not answered elsewhere.
The reason for this section is that, unlike Corel Linux, Xandros Desktop is
not available for free download so consumers are naturally hesitant to
spend money on a product that has yet to prove itself."
ZDNet compares SuSE 8.1 Professional with Red Hat Linux 8.0 Professional.
"Analysis: Windows users thinking of switching to Linux--either as an
alternative or as an adjunct in a dual-boot system--should turn to SuSE due
to its ease of use. But more seasoned users will find the stability and
stronger font control of Red Hat more to their taste."
Linux Orbit plays around with SmoothWall 0.9.9 (the latest free release).
"So, you want to share your Internet connection with more than one computer
in your house, and you want it to be secure. You're in the right place.
SmoothWall 0.9.9 (the latest free release) is a small Linux operating
system that allows you to do that, and much more."
DistroWatch reviews Libranet GNU/Linux 2.7, a commercial Linux distribution
based on Debian. "A key feature of Libranet is its proprietary system
administration tools, the text-based Adminmenu or the graphics-based
Xadminmenu. Sysadmin duties you can accomplish with this very easy-to-use
utility include hardware reconfiguration, adding and removing Libranet's
DEB packages, configuring X-Window, recompiling the kernel, setting the
time and date, and pretty much anything else you could have done during the
installation procedure itself. One thing still missing from Adminmenu is
group administration - for this you must use old-fashioned command-line
tools such as "addgroup" and "delgroup". Almost certainly, group
administration will be added to the next rendition of Adminmenu, but for
now it's a noticeable omission."
Linux Journal puts Knoppix on the gift list. "Loading Knoppix is as easy as
cookies and milk. Make sure your PC is set to boot from the CD, pop the
disc into the drive and reboot. Knoppix boots up to a nice, graphical
screen with a simple boot: prompt. Quite honestly, you can simply press
Enter here and let Knoppix do the rest; this is an amazingly simple
install. Consequently, it makes for a spectacular Linux ambassador. But I
digress."
Page editor: Rebecca Sobol
Development
Version 1.0 beta3 of Aegir CMS
has been announced.
The
Aegir CMS home page
describes the system as follows:
"Aegir CMS is a versatile and user-friendly Web Content Management System. It provides site managers with MS Word compatible tools for maintaining site information, approval system for controlling the publication process, and a separate layout management system. Aegir CMS is available for free under Open Source licensing."
Aegir is considered a LAMP (Linux, Apache, MySQL, PHP/Python/Perl) system;
O'Reilly's ONLamp site is a good place to read up on LAMP.
Aegir CMS is based on the
Midgard
open source application server platform.
The primary features of Aegir CMS are listed as:
- An MS Word compatible content editor.
- A dual-mode staging/live setup for testing site changes.
- Multi-company hosting support.
- A flexible templating and layout system.
- A full Midgard based content management framework.
A number of useful manuals are included in the Aegir CMS
Documentation
page.
New features in version 1.0 beta3 include:
- The NemeinLocalization framework for language translations.
- An image gallery that provides a centralized image repository.
- The ability to symlink articles.
- A themeable user interface for customizing the site appearance.
- The AegerAddOns system, which allows custom applications to be plugged in.
The software may be downloaded
here.
System Applications
Audio Projects
The December 15, 2002 edition of
Ogg Traffic is
out with news on the Ogg Vorbis audio compression software.
Discussion topics include Corrupted Ogg Vorbis Files, Music in Ogg Vorbis
format, Ogg Standard Drafts submitted to IETF, and more.
CORBA
A new snapshot of MICO has been announced. "we are pleased to announce the
second public snapshot of our "integrated" MICO version. It is based on the
current MICO CVS, and contains multi threading, Portable Interceptors,
CSIv2 Level 0 and CORBASec Level 2."
Database Software
O'Reilly has published some excerpts from Paul DuBois' book, MySQL
Cookbook. "Paul DuBois has selected sample recipes from the hundreds you'll
find in his book, MySQL Cookbook. In this second in a three-part series
showcasing these recipes, learn how to manage simultaneous AUTO_INCREMENT
values, as well as how to use AUTO_INCREMENT values and related tables."
Education
Issue #85 of the Linux in Education Report is out. Topics include
Schoolnet Namibia's Schoolnet wireless system, fostering free software in
education in the Washington DC area, the GLUE CD collection of educational
software and documentation, the Armenian SpiTux Project, and a long list
of new and updated educational software.
Electronics
Version 0.7 of the Icarus Verilog electronic simulation language compiler
has been announced. "Besides the usual tons of bug fixes and performance
improvements, this stable release introduces good quality synthesis, and
some initial code generators."
Networking Tools
Use Perl mentions the release of POE 0.24, a "networking and multitasking
framework for Perl". This version has had a major restructuring and
includes bug fixes and new features.
Printing
Version 0.7.2 of the
OMNI printer driver is available.
Changes include new Ghostscript patches, Autotools build fixes,
a security fix, an HP LaserJet PCL media insertion fix,
a Foomatic printer XML fix, a linking fix, updated Epson Blitter code,
better backwards compatibility with GhostScript, and more.
Web Site Development
Kevin Hartig talks about Apache Formatting Objects on O'Reilly. "This
article describes the architecture, design, and implementation of a
reporting tool framework that uses XML standards and tools. The
implementation demonstrates how reports are dynamically created using XML,
XSL, XSLT, Java, and the Apache XML Formatting Objects Processor (FOP)."
Dave Rolsky writes about Mason on O'Reilly's Perl.com. "Mason is a powerful
framework for generating dynamic text, and is especially useful when
creating complex, featureful Web sites. For those (hopefully few) folks who
haven't yet heard of Mason, it is a Perl-based templating framework
comparable to frameworks such as Apache::ASP, Embperl, and Template
Toolkit. Like the first two, and unlike the latter, Mason operates by
embedding Perl in text."
mnoGoSearch-php-extension-1.68, a PHP extension to the mnoGoSearch
web site search engine
is available.
Comments (none posted)
The most recent headlines on the
Zope Members News
include: Strip-o-Gram 1.3 Released!, CMF OpenOffice Document 0.1 released,
NeoPortal Content Pak 0.9a has been released,
NeoBoard 1.1b has been released, NeoPortal Library 0.9a has been released,
DocFinderEverywhere 0.4.1 Released,
A Boy and His Catalog: Taming ZCatalog for 2.6.1 and Beyond,
ASP404 1.0-beta1 Zope+IIS Connector, Zope 2.6.1 Beta 1 Released,
and more.
Comments (none posted)
The latest
Zope Newbies
topics include: Latest Zope Victim, Zope 2.6.1 beta 1, Tim Perdue
Interview, and Itamar on Zope3.
Comments (none posted)
Miscellaneous
Version 1.0.11 of Ganymede, the GPL'ed metadirectory system,
is available.
"
This is a maintenance release of the Ganymede directory management
software. The biggest bug fix pertains to a problem in permissions
handling where an owner group contains other owner groups. In
addition, the runServer script for Java 1.2 and later has been
modified so that the Ganymede server only runs full-heap garbage
collection once an hour, rather than the once a minute default of the
RMI system. This will significantly reduce the CPU loading on the
Ganymede server."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.4.1 of GNUsound, a multi-track sound editor for Linux/x86,
has been released. New features include more flexible waveform scaling,
"Center on Selection Start|End", LADSPA support updates, bug fixes,
and more.
Full Story (comments: none)
Version 0.9.0 of Meterbridge, a JACK audio plugin which simulates a number
of volume meters, has been released. This version adds better readability
to the basic VU meter, AES level conformance, reduced CPU usage,
bug fixes, and more. A new scope display has also been added recently.
Full Story (comments: none)
Version 0.8.5 of Rosegarden-4, a MIDI and audio sequencer and score
editor, has been released with lots of new features.
Full Story (comments: none)
Desktop Environments
KDE.News
has an announcement
for a new KDE CVS Digest. Check it out to see what KDE developments
are in progress.
Comments (none posted)
The latest GNOME summary is available. Topics this week include: the
resurrection for the GNOME Network; GTK2 VIM; GNOME 2 browsers; and much
more.
Full Story (comments: none)
Headlines on the GNOME desktop
FootNotes site include:
FOSDEM Interviews, Anjuta 1.0.1 released!, Evolution Offers Outlook Experience,
GIMP 1.2.4-pre2 available for testing, GNOME Summary for November 31st to December 14th, GNOME Installation Guide 12/2002 has been launched,
Evolution 1.2.1 Is out, Gnumeric 1.0.11 released, Bluefish 0.8 Released,
GNOME 2 Desktop System Administrator's Guide published,
Rhythmbox 0.4.1 is out, and more.
Comments (none posted)
Graphics
The latest
Gimp News items include:
GIMP 1.2.4-pre2 available for testing, and GIMP Development Version
hits the Big 1-0.
Comments (none posted)
GUI Packages
New items for FLTK, the
Fast, Light ToolKit includes: flPhoto 0.9, Mplot++ 0.84,
and fltdj - The Daily Journal 0.6.7.
Comments (none posted)
Interoperability
Samba version 2.2.7a has been released.
"
This is the latest stable release of Samba. This is the version
that all production Samba servers should be running for all current
bug-fixes. The primary reason for this release is to correct problems
with large file (>2Gb) support."
Full Story (comments: none)
Issue #148 of
Kernel Cousin Wine is out.
Topics include:
News: TransGaming Update, CrossOver Office Server 1.3.1,
Shared Memory Wineserver, Special (Accented) Characters / Dead Keys,
Why Have a wpp?, Garbage Collection With Wine, Registry Editors / Configuration Programs, and MS Installer or Lack Thereof.
Comments (none posted)
Office Applications
Issue #120 of the
AbiWord Weekly News is out with the latest AbiWord word processor
development news.
Comments (none posted)
Issue #59
of Kernel Cousin GNUe is out with the Gnu Enterprise development news
for the week.
Included are articles on the GNUe Architecture Diagram,
GNUe in Argentina, GNUe and Bayonne at eGovernment Conference?,
the Security framework for GNUe, the Preferred database back-end for GNUe,
Debian packages for 0.4.2 release, and much more.
Comments (none posted)
The KDE Project
announced the
release of KOffice 1.2.1. KOffice 1.2.1 is a stability and enhancement
release, with the principal improvements over KOffice 1.2, released last
September, occurring in the spreadsheet program (KSpread).
Comments (2 posted)
Version 1.2.2 of LyX, the GUI extension of the TeX documentation
system, is out. This is a maintenance release with a number of bug
fixes.
Full Story (comments: none)
Web Browsers
The NewsFactor Network looks at
Mozilla in an article entitled
Revenge of the Lizard, and explores Opera and Konqueror in
Divide and Konquer.
These articles
were found on KDE.org.
Comments (none posted)
The latest
mozillaZine topics
include: AutoScroll Extension for Phoenix and Mozilla,
Contest: Design a Better Sound for Type Ahead Find,
No Surprise: MozillaZine Readers Don't Like Spam,
Mozilla's Global Usage Share Now at 1.1 Percent,
Classic Mac OS Builds of Mozilla Transitioning to Port Status,
Mozilla Browser of Choice for Playboy Lifestyle,
Mozilla 1.3 Alpha
Released, and CNET News.com Notices Netscape 7.01.
Comments (none posted)
Languages and Tools
Caml
The Caml Weekly News for December 10-17, 2002 is out.
Topics include:
opengl bindings without tcl/tk, Resource acquisition is initialization,
mod_ocaml, maintainers for www.ocaml.org?, ocaml embedded scripting language,
and a BDBFS version 0.3 release announcement.
Full Story (comments: none)
This week, the new software on
The Caml Hump includes
the amalthea Io interpreter, the BDBFS user-level fileserver, mod_ocaml,
the Htree tree browsing library, and Luo, which performs average-case
complexity analysis of algorithms.
Comments (none posted)
Eiffel
Version 1.0 of SmartEiffel, the GNU Eiffel compiler, has been
announced.
"
SmartEiffel is complete implementation of Eiffel with
eight years of development behind it. SmartEiffel includes many new
language features such as agents and tuples, an extensive standard
library, and many support utilities. The compiler supports over 20
operating systems, including Linux."
Full Story (comments: none)
FORTRAN
Development on the
G95 FORTRAN compiler
project is continuing at a steady pace.
Comments (none posted)
Java
Sing Li
shows how to work with JMX Agent on IBM's developerWorks.
"
In this third and final article of the JMX series, Sing Li will use an actual Network Management System (NMS) to monitor a Java application instrumented with JMX, revealing the typical techniques used in NMS/JMX integration, as well as some of the common difficulties that may be encountered when deploying JMX."
Comments (none posted)
Scott Storkel
introduces the Eclipse IDE on O'Reilly.
"
If you closely follow open source or Java programming, you may have heard some of the buzz surrounding Eclipse. Eclipse is an extensible, open source IDE (integrated development environment). The project was originally launched in November 2001, when IBM donated $40 million worth of source code from Websphere Studio Workbench and formed the Eclipse Consortium to manage the continued development of the tool."
Comments (none posted)
Chuck Cavaness
illustrates the use of the Validator Framework on O'Reilly.
"
Every application has a responsibility to ensure that only valid data is inserted into its repository. After all, what value would an application offer if the data that it relied upon were corrupted? For applications that use a formal database, like a RDBMS, for example, there are rules or constraints that can be placed upon the fields, which help to guarantee that the data stored within it meets a certain level of quality. Any and all applications that utilize the data within the repository have a responsibility to protect the integrity of the data that they submit."
Comments (none posted)
Lisp
Version 0.13.2 of OpenMCL has been released.
"
This is mostly a maintenance/bugfix
release, whose only new feature is support for connection-oriented Unix
domain sockets."
Full Story (comments: none)
Perl
Use Perl
reports on the release of ActivePerl 5.8, following last week's
beta 1 release.
Comments (none posted)
Use Perl has published
This Week on Perl5-Porters for the week of December 9-15, 2002.
Topics include Deparse barewords with leading hyphens,
Debugger regression, %z in strftime(), Compile-time hints,
goto and redo, and more.
Comments (none posted)
PHP
PHP 4.3.0RC3
is available.
This is the last release candidate prior to the release of
PHP 4.3.0, please submit any bugs that you find back to the
developers.
Comments (none posted)
Topics on this week's
PHP Weekly Summary
include: PHP 4.3 RC3, php-cgi vs. php-cli, PECL netools,
Distributing PECL binaries, uniquid() enhancements, and
make clean for single extensions.
Comments (none posted)
John Coggeshall
continues his series on working with files in PHP on O'Reilly.
"
Last time I introduced you to the basic file access methods available to PHP: fopen(), fputs(), and fgets(). Although very useful, these functions work only with strings. This week I'll introduce to you more advanced file access functions that read and write binary files. We'll talk about fread() (used for reading), fseek() (used to find specific parts of a given file), along with a few other useful file access functions."
Comments (none posted)
Python
IBM's developerWorks has
an article by Patrick K. O'Brien on Python introspection.
"
This article introduces the introspection capabilities of the Python programming language. Python's support for introspection runs deep and wide throughout the language. In fact, it would be hard to imagine Python without its introspection features. By the end of this article you should be very comfortable poking inside the hearts and souls of your own Python objects."
Comments (none posted)
The Python-dev Summary for December 15 is out; it looks at a new import
mechanism, inheritance of __getstate__ in the presence of slots, and
several other topics.
Full Story (comments: none)
Dr. Dobb's Python-URL for December 18 is out, with the latest from the
Python development community.
Full Story (comments: none)
This week's
Daily Python-URL
article topics include:
A Python & XML Companion, The Daily Chump Bot,
PyRapi version 0.2 has been released!, and more.
Comments (none posted)
Ruby
Topics on this week's
Ruby Weekly News
include: Vim like ruby interpreter, ruby-lang.org site re-design,
Ruby tutorial madness, The return of RubyCentral, and un-extending objects.
New Ruby software includes:
ruby-locale 0.1, Spreadsheet/Excel 0.2.0, RTrans 1.0, ratlast 0.1,
RAA 2.1, GridFlow 0.6.3, RubyInline 2.0.0, installPkg 0.0.1,
RBit 0.1, and pcre 0.1.
Comments (none posted)
Scheme
The December 16, 2002 edition of the Scheme Weekly News is out.
Topics include Guile 1.6.1, ReadScheme Online Bibliography additions,
SISC 1.7.0 beta, Quack.el 0.16, MoshiMoshi 0.6, GNU TeXmacs 1.0.0.25,
and Gauche 0.6.6.
Full Story (comments: none)
Tcl/Tk
Dr. Dobb's Tcl-URL for December 18 is out; it looks at creating LED widgets
with Tk, C++ extensions, and several other Tcl/Tk topics.
Full Story (comments: none)
XML
Anthony Coates
explores Ant on O'Reilly's XML.com.
"
Ant is a build utility produced as part of the Apache Jakarta project. It's broadly equivalent to Unix's make or nmake under Windows. make-like tools work by comparing the date of an output file to the date of the input files required to build it. If any of the input files is newer than the output file, the output file needs to be rebuilt."
Comments (none posted)
Uche Ogbuji
reviews
Python & XML
by Christopher Jones and Fred Drake, on O'Reilly's XML.com.
"
As you would expect from such a team, this book is detailed and handy; however, I have a few notes, amplifications, and updates (the book was released in December of 2001) to offer -- all of which are distinct from the errata that the authors maintain. In this article I will provide updates, additional suggestions, and other material to serve as a companion to the book. You don't have to have the book in order to follow along."
Comments (none posted)
Bob DuCharme
continues his series on XSLT numbering with part 2.
"
This month we'll learn how to gain real control over section numbering, and we'll look at a more efficient alternative to xsl:number that's sometimes better for simple numbering."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet
searches
the search engines for what's hot. "The top technology search term
for 2002 was MP3, indicating a continued demand for the compression
technology. The mobile phone texting format, SMS, was in second place,
followed by the compression tool Winzip, and Linux at number four, beating
ninth-placed Microsoft in the Google stakes."
Comments (10 posted)
Companies
MandrakeSoft
releases a firewall
product with a non-open source license, according to this News.com article.
"
It's not the first time an open-source company has made
philosophical adjustments for pragmatic reasons. The fervor for the
collaborative-programming model has yielded to bottom-line concerns at many
companies. Indeed, as the Internet mania of the late 1990s was replaced by
recession pessimism, many free-lunch ideas expired."
Comments (6 posted)
The Inquirer
reports
that Microsoft is thinking about opening up Windows source code to a select
band of government bodies in India. "Other sources indicate that
Microsoft is already engaged in working out the logistics of sharing the
code and that Jason Matusow, the Vole's worldwide program manager for
shared source program, has been in India to work out the details of the
arrangement."
Thanks to Jaye Inabnit
Comments (9 posted)
Business
News.com
covers the
latest members of the open source Eclipse project. "Eclipse members,
which now number 30, operate on under an open-source model of a common
public license, in which the software is developed in a sort of communal
effort rather than behind closed doors. New board members include
heavyweights Hewlett-Packard, SAP and Oracle, as well as smaller companies
such as AltoWeb, Parasoft, Flashline and MKS Software."
Comments (none posted)
Linux Adoption
The Inquirer
talks with
Rick Belluzzo, a former Microsoft exec now with Quantum. "Asked
if he's now a Linux advocate, Beluzzo responds: "I consider myself an
advocate of whatever allows us to achieve our goals most effectively. And
today, for us, that certainly is Linux because it's free; it has a good
modular design; you can modify it to meet your needs. There is nothing else
that can meet our needs like that.""
Thanks to Alexander
Stohr
Comments (none posted)
Legal
Here's a Register
article about
an upcoming deadline for challenging the DMCA. "One of the quirks of
the Act is that the Library of Congress provides administrative
oversight. A strange decision, since this is a job usually left to the
courts. But every three years the Librarian gets to review requests and
decide which cases are causing serious harm."
Comments (none posted)
News.com
talks with congressman Rick Boucher, who will try again this year to push through legislation that would rescind parts of the DMCA. Referring to the ElcomSoft case: "While this jury reached a commendable decision, another jury in a future case that involves similar facts could well convict. The law clearly contemplates conviction in circumstances where no infringement occurs, but the technology facilitates bypassing a technological protection measure."
Comments (3 posted)
CIO Insight has
an article
by Lawrence Lessig on copyright law. "Copyright law is a crucial
part of the system of incentive necessary to spur creative work. But the
law affects creativity differently in cyberspace than in real
space. Content owners have been quick to argue that cyberspace weakens
copyright protection, since digital copies are so easy to make and
distribution costs are so low. That may be true. But it is also true that
the Internet can strengthen the power of copyright owners far beyond
anything imagined by the framers of our copyright act."
Comments (1 posted)
Wired
covers
the ElcomSoft trial, where the jury is in deliberations. "Jurors are
being asked to render a verdict in five separate counts against
ElcomSoft. The first is that the company "willfully conspired" to provide a
technology that would allow users to circumvent protections on copyrighted
works."
Comments (none posted)
News.com
reports
that ElcomSoft has been found Not Guilty in its DMCA trial. "After much wrangling among attorneys over the definition of the word 'willful,' the judge told jurors that in order to find the company guilty, they must agree that company representatives knew their actions were illegal and intended to violate the law. Merely offering a product that could violate copyrights was not enough to warrant a conviction, the jury instructions said."
Comments (2 posted)
Here is
Dan
Gillmor's take on the ElcomSoft verdict. "Judge Ronald Whyte,
presiding over the case, upheld the U.S. government's right to prosecute
the Russian company. His holding that the law itself was constitutional,
despite its killing of fair use rights, was even more disturbing.
But he was following Congress' dictates -- or, to be precise, Congress'
enacting of what it was told to do by the entertainment and software
barons. That's the biggest shame of all, and we should all be grateful that
the San Jose jury did its duty." The column also talks a bit about
the Creative Commons project.
Comments (none posted)
LWN's hometown newspaper (the Daily Camera) has
an
article about a completely different DMCA case: 321 Studios is suing
the MPAA for the right to sell "DVD X Copy," a (proprietary) DVD copying
utility. "Seldom does a new product land in court before it lands on
store shelves. But that's the case with DVD X Copy, a new software program
that gives consumers a relatively easy way to burn a backup copy of a
prerecorded, copy-protected DVD movie. What's even more unusual is that
the lawsuit was brought by the program's maker, Missouri's 321 Studios
Inc., in an attempt to get a definitive ruling that making personal copies
of DVDs is a legal activity under U.S. copyright laws."
Comments (6 posted)
Interviews
O'Reilly has
an interview with James Kent, developer of GigAssembler.
"
Stewart: What is your view on open source in bioinformatics?
Kent: Yea! Go. The genome is hard enough to decompile. Don't make me have to decompile your source as well.
"
Comments (none posted)
Resources
LinuxDevices.com has just published its weekly Embedded Linux Newsletter,
with all the latest news and info from the world of Embedded Linux and
Linux-based gadgets.
Full Story (comments: none)
LinuxDevices.com has
announced
that ten new articles have just been added to its Embedded Linux
Journal Online ("ELJonline") repository for your reading pleasure.
Comments (none posted)
Vnunet has a
lengthy
article on Linux, with plenty of resources to help people get started.
"
In this feature, we'll be reporting on the background and history of
Linux, and showing you how it looks and works. If you fancy having a go,
we'll also be telling you how to get it and install it, and how to find
your way around it."
Comments (none posted)
IBM is running a 3-part series on the advantages of OpenMosix on IBM Linux
xSeries.
Part
1 provides an introduction to the current clustering technologies
available for Linux and an introduction to openMosix.
Part
2 shows how to get a fully-functional openMosix cluster configured and
running.
Part
3 shows some ways to use openMosix to tackle computing challenges with
clusters built on IBM xSeries servers running Intel Xeon, making use of
performance-enhancing technologies such as Intel's Hyper-Threading
Technology.
Comments (none posted)
Reviews
Yahoo has picked up this
NewsFactor
article which explores the features of Mozilla. "Mitchell Baker,
Mozilla's chief lizard wrangler, told NewsFactor that the software's open
source nature also helps the browser development team avoid Internet
Explorer's many security issues. "We've learned that openness makes our
product better, and that includes security. We benefit enormously from
community involvement in identifying possible security issues, in tracking
the progress of those bugs, and in implementing fixes.""
Thanks
to Elijah P Newren
Comments (1 posted)
The Register
covers
CodeWeavers CrossOver Office Server Edition. "While version 1.3.1 of
CrossOver Office Server Edition enables applications to be hosted on Linux
and deployed on Linux or Solaris, an interesting turn of events will see a
later version of CrossOver Office Server Edition supporting Windows as a
thin client operating system. This could see users deploying Microsoft
applications on Windows-based thin clients via Linux-based servers."
Comments (none posted)
The Linux Journal
reviews "The
Web Wizard's Guide to PHP" by David A. Lash. "If you're looking to
learn PHP or to teach a course on PHP, check out The Web Wizard's Guide to
PHP by David Lash. This is an excellent book for learning PHP, even if you
have no programming skills. If you're like me and have experience in
another language, such as Perl, you'll find that Lash's book makes it easy
to rapidly get up to speed in PHP."
Comments (none posted)
Here is a
book
review on Linux Journal for "The Business and Economics of Linux and
Open Source" by Martin Fink. "
The Business and Economics of Linux
and Open Source is written for executives whose companies produce
software and for IT managers who must choose and/or deploy this software
within their companies. It introduces both free and open-source software
(OSS), but predictably, the book focuses mostly on the latter. In spite of
this, actually, for these reasons, I'd also recommend the book to hackers,
for reasons that will be clear later in this review."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Commercial announcements
MandrakeSoft announced a new network product, "Multi Network Firewall",
which can be used to deploy a complex and secured network infrastructure
(including VPN - Virtual Private Network - and DMZ - DeMilitarized
Zone). It also includes network traffic management and, as usual for
MandrakeSoft products, offers a very friendly user interface.
Full Story (comments: 1)
Metrowerks has sent out a press release stating its intent to acquire "the
key assets" of Embedix, Inc., the company formerly known as Lineo.
"
The acquisition of assets from Embedix and the addition of the
Embedix team
will enable Metrowerks to provide Linux OS-based development tools and
platforms for creating applications for PDAs, smart handheld devices,
residential gateways and digital TVs.."
Full Story (comments: none)
NVIDIA Corporation has
announced
a series of new corporate initiatives that include a technical support
program for end users and professional customers; a new software driver
package that includes performance enhancements and new features for
NVIDIA's advanced graphics features, including NVIDIA's CineFX(TM)
architecture delivered by NVIDIA's Unified Driver Architecture (UDA); and
support for the latest PC technologies, including AGP 8X and OpenGL(R) 1.4.
Comments (6 posted)
Red Hat has
announced
its third quarter results. The bottom line is a $300,000 profit -
without excluding various losses this time.
Comments (2 posted)
Arkeia Corp. announced the release of Arkeia Light, a fully enabled free
version of Arkeia v5 enterprise software for open source environments.
Arkeia Light is designed to provide Linux-based PCs and small networks with
enterprise-caliber backup capability at no cost for personal or commercial
use.
Full Story (comments: none)
According to
this Dow Jones
article, Sony and Matsushita will be getting together to develop a new
Linux-based operating system. "Based on the results of the joint
development, Sony and Matsushita are considering setting up an industry
forum group for digital home appliance-use Linux." (Thanks to Maya
Tamiya).
Comments (none posted)
STORServer has
announced STORServer Data Protection (SDP) for Oracle on Linux is now
shipping.
Comments (none posted)
O'Reilly has announced the release of the PHP Cookbook, by authors
David Sklar and Adam Trachtenberg.
Full Story (comments: none)
"Designing Embedded Hardware" is a book about designing small machines for
embedded applications, written by John Catsoulis and published by O'Reilly.
Full Story (comments: none)
Resources
The GFDD (GNUtemberg! Free Documentation Database) has reached a stable
version. GFDD is
online, and some
documents have already been indexed. The classification is based upon
Dublin Core and OMF.
Full Story (comments: none)
Reinhard Amersberger has put together a
Protux howto that introduces Protux, a keyboard/mouse-based utility
that is aimed at efficient audio production tasks.
Comments (none posted)
A new global bioinformatics grid
has been announced.
"
The Bioinformatics Organization (Bioinformatics.Org) announces the creation of a global bioinformatics grid. The Bioinformatics.Org Grid (BiO Grid) is a loosely networked cluster of heterogeneous computing technologies that can be accessed by members of the Organization free of charge (membership is also free).
The BiO Grid expands the services of The Open Lab, a collection of free and/or open services for bioinformatics research, development and education. It will augment the mission of the Bioinformatics Organization: to lower the barrier to entering and participating in the field of bioinformatics."
Comments (none posted)
Upcoming Events
IDG World Expo announced that the conference program for LinuxWorld
Conference & Expo has been expanded to provide dedicated tracks for
specific industries, including financial services, telecommunications,
government and defense.
Full Story (comments: none)
The
Third Free and Open Source Developers'
European Meeting will happen February 8 and 9 in Brussels.
Once again, the FOSDEM is publishing a set of interviews with people who
will be speaking at the event. The first two have been published:
- David Faure. "I see work going on in that
direction [GNOME-KDE compatibility]. Mailing-lists and meetings are
happening to this
effect. RedHat pushes this a lot, but it seems that other people are
also interested in this."
- Michael Meeks. "Ultimately I think Gnome 2 provides an excellent
environment to work in now - we have to focus on ensuring every
application integrates with the others intelligently, that we have a
coherent look and feel etc. (I applaud the Red Hat initiatives
there)."
Comments (1 posted)
LinuxMedNews has
an announcement for the OSS in Healthcare conference, to be held
in Washington, DC from March 17-19, 2003.
Comments (none posted)
The candidates for the Sun Microsystems Regional Delegate Program
have been announced at Linux.conf.au 2003.
Full Story (comments: none)
Transcripts are available from the Free Software Initiative Japan,
which was held in Tokyo.
Full Story (comments: none)
| Date | Event | Location |
| December 19 - 20, 2002 | UMeet conference | On IRC |
| January 21 - 24, 2003 | LinuxWorld Conference & Expo | Jacob K. Javits Center, New York, NY |
| January 22 - 25, 2003 | Linux.conf.au 2003 | Perth, Australia |
| January 27 - 31, 2003 | SAINT-2003 | Orlando, Florida, USA |
| February 3 - 6, 2003 | O'Reilly Bioinformatics Technology Conference | Westin Horton Plaza, San Diego, CA |
| February 10 - 14, 2003 | The fifth NordU/USENIX Conference (NordU2003) | Aros Congress Center, Västerås, Sweden |
Comments (none posted)
Web sites
The Deep Space 6 initiative is a new Linux-based IPv6 portal site;
designers of IPv6 software should contact the site authors for
inclusion.
Full Story (comments: none)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Miscellaneous
IBM has sent out a press release about the German city of Schwäbisch Hall,
which is moving its computing systems from Windows and Office to SuSE Linux
and OpenOffice.org. The town of 36,000 eventually plans to have 400
desktops running Linux.
Full Story (comments: 1)
Page editor: Forrest Cook
Letters to the editor
From: Rusty Russell <rusty@rustcorp.com.au>
To: letters@lwn.net
Subject: Slight correction for LWN 5 December 2002
Date: Tue, 17 Dec 2002 10:49:50 +1100
Hi guys,
I'm way behind in reading LWN, but I came across this from two
weeks ago:
> Then, there is the little problem that module parameters do not
> work. Rusty Russell has been working on this issue for a while, and
> has produced several sets of patches, none of which have been merged
> as of this writing.
That's not really true: I've been working on the userspace tools
mainly. The parameter patch (surely a core part of module
functionality!) was submitted with the original module rewrite, and
supported even for the very first release of the new userspace
utilities.
The patch was retransmitted several times before Linus asked for a
namechange of the new "unified" parameters (on which the old-style
MODULE_PARM macros are rebuilt). Then it was retransmitted several
times more (there were two trivial fixes along the way). It finally
went in just before 2.5.52 was released.
Why did it take so long? The most likely reason, I think, is simply
that Linus doesn't use modules.
I would like to thank those who *have* reported bugs to me, most of
which were trivial and easily fixed (or already fixed, and pending
inclusion by Linus).
Hope that clarifies!
Rusty.
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
Comments (none posted)
From: Leon Brooks <leon@cyberknights.com.au>
To: Please forward to Jackie Famulak for response <webmaster@caast.org>
Subject: CAAST and FLOSS - Acronym Wars
Date: Sun, 15 Dec 2002 00:39:36 +0800
Cc: Linux Weekly News - Letters <letters@lwn.net>, Russell McOrmond <russell@flora.ca>
Quoting Jackie Famulak, board member of
Canadian Alliance Against Software Theft (CAAST):
> "First, a large percentage of free, open source software out there
> is Linux-based; it's not products such as a photo management
> software suites," Famulak says.
At last count, there were several score FLOSS (Free/Libre Open Source
Software) photo management packages available for Linux, such as:
http://www.easysw.com/~mike/flphoto/ (local application)
http://photomanager.sourceforge.net/ (web-enabled application)
So, yes, Linux users can and do run photo management software (my 30yo
mother-of-four sister-in-law is an avid digital photographer and likes to use
Kuickshow for this on her Mandrake Linux system).
> "If you look at the users of software, there's not a lot of people out
> there that are ready to begin programming their own software.
You don't have to. Enormous amounts have already been developed, and most
Linux distributions come with hundreds to thousands of packages. See these
sites for examples of the many available packages:
http://freshmeat.net/ (lists 26,000 packages)
http://sal.kachinatech.com/ (lists 3,000 scientific packages)
http://www.sourceforge.net/ (hosts 53,000 packages)
> Companies don't always have the resources (to develop software)
They don't need to. Firstly, as mentioned, it's already provided; secondly,
it's simple to outsource. In fact, with many projects you can just ask nicely
for this or that feature and it gets added, free of charge.
Mandrake did this with their Linux distribution for me, and the developers of
the sysmond monitoring daemon did likewise (so I reciprocated by adding more
features for them).
On the other hand, companies using the software produced by CAAST members
don't have that option, in most cases can't even see the workings of the
software, to know for themselves how it does what it does.
When was the last time Microsoft added a feature to MS-Office, or AutoDesk
added something to AutoCAD for you? At any cost?
> they can't afford the downtime or provide the necessary support that a
> manufacturer can give them 24/7.
They generally have considerably less downtime, because FLOSS and the
platforms it runs on are often considerably more reliable than those supplied
by your members.
They automatically have assurance (which CAAST members do not offer them) that
should the supplier go bust, elect to discontinue a product, or begin
attaching unacceptable conditions to the continued use of the product, they
can reasonably expect to continue using and developing from the existing
product.
They also have a substantial, worldwide, polylingual, cross-timezone support
base which doesn't cost them an arm and a leg, and is often personally
interested (not just interested in a detached, corporate sense linked to a
bottom line) in seeing their problems resolved.
> When you consider it in that regard, we already are providing a service."
No, you are not. You are occupying a place which could be better occupied by a
body not limited to representing such a narrow range of interests, one which
truly provides a service to Canadians, not just a service to its own members.
This tactic is called "dog in a manger" and I do wish you'd stop talking down
products and services which you clearly do not even understand.
FLOSS is not some two-bit operation. Saudi Aramco uses Linux to search for
oil, Google runs on Linux, the European Union is about to settle on the
OpenOffice.org file format as a document interchange standard, the 5th
fastest computer in the world is a Linux cluster, the most popular webserver
in the world (Apache) is under a BSD licence, and my 12yo daughter's
favourite computer games are FLOSS.
You may wonder at the Australian internet domain; consider me an expatriate: I
was born in Merritt, British Columbia and exported, so I am both a Canadian
and an Australian citizen.
Cheers; Leon
--
http://www.cyberknights.com.au/ Modern tools, traditional dedication
http://slpwa.linux.org.au/ Member, Linux Professionals West Aus
http://conf.linux.org.au/ THE Australian Linux Technical Conf:
22-25 January 2003, Perth: be there!
Page editor: Jonathan Corbet