LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 22, 2006Harald Welte on the flood of GPL violationsThough Harald Welte's contributions to the free software community are many, the work he is best known for may well be the gpl-violations.org effort. By pursuing those who ship his code (and that of others he represents) without complying with the source requirements of the GPL, Harald has secured the release of much code into the community, established a precedent upholding the GPL in German court, and greatly increased the respect many companies have for the GPL. Thanks to Harald, the GPL has some teeth.Back in February, Harald complained that the number of non-compliant products on the market was exploding, and that he did not have the time to deal with them all. He suggested that the time was right to incorporate gpl-violations.org into a nonprofit organization which could pursue violators while allowing Harald to get back to hacking. Those plans are moving forward, with the possibility that this new organization could be created by August, and operating by the end of the year. We were recently able to talk with Harald about this effort; so, without further ado... LWN: How many GPL violations have you found over the last year? How many of those have been brought to some sort of resolution?
There were 158 reports during the last 12 months, of which about 100
were real violations, about 50 have been addressed, and 40 of them
resolved, others are still going on.
The difference between 'reported real violations' and 'addressed violations' is due to:
Up to today, since the project was started, there was not a single legally unsuccessful enforcement. By legally unsuccessful I want to say that legally those formerly infringing companies are now clear. However, a small number (about 3) have decided to withdraw the product from the market rather than releasing source code. So those cases, while legally successful, haven't been successful with regard to the ideas of Free Software. You seem to be unique in carrying out this effort. Do you know of others who have been digging out GPL violations (in the kernel or elsewhere)?
There are two 'others' that I'm aware of: The FSF in the US, where
David Turner from the FSF compliance lab is enforcing the GPL
(out-of-court) for software that the FSF holds copyright.
The other one is MySQL, which only enforces the GPL on their DB software in order to motivate people to buy alternative licenses. It still is GPL enforcement, though ;) The FSF has a "GPL Compliance Lab" which only rarely draws attention to itself. Rather than incorporating a separate nonprofit, might there be an advantage in folding this effort into the work the FSF does? Why, or why not?
There are a number of reasons. First, the FSF only enforces (and can
only enforce) the GPL on software which they hold copyright on. So
joining efforts with the FSF GPL Compliance Lab would also mean that
I (and other copyright holders that I represent) would have to transfer
their rights to the FSF.
Secondly, the FSF has a quite different enforcement strategy. They are doing enforcement in a "softer" way, meaning that they don't pull as many legal strings as gpl-violations.org does. This difference is partly due to a difference in the US / German legal system and legal culture, but also intentional. My whole reason for starting gpl-violations.org was that I think a different strategy is more helpful in the end, since publicizing GPL violations will actually prevent new violations. Third, the FSF is based in the US, whereas gpl-violations.org is based in Germany. There are many legal differences in copyright law, and also many differences in the kind of companies we can take action against in our local jurisdiction. Having said that, I can assure you that there is a very friendly cooperation between the FSF GPL Compliance Lab and gpl-violations.org. We're passing on cases between each other, sometimes get active independently in the same violation and share information, etc. Would you be seeking funding to get this operation off the ground? What sort of individual or company, do you think, might be interested in funding this effort?
Obviously some initial funding would help to get moving more quickly.
However, I don't think it will be required for making it work.
As for your second question, I think a lot of individuals, both developers and users within the Free Software community, are very sympathetic to what gpl-violations.org does. I think some of them were willing to show their support by donating. However, I've discouraged them from doing it so far, since they would basically donate 'to me', and I would have to treat it like regular income, i.e. pay taxes on it, etc. Also, since there is no separate legal entity yet, there is no public accountability, i.e. you cannot audit the books, verify that your donation has only been spent in "the right way", etc. As for companies, there also are companies supporting the work we do at the project. I'm not sure whether I would be able to name them here, but let's say companies who do oblige to the GPL and take it seriously, and who think their competitors are gaining an illegal competitive advantage by using GPL licensed software but not following the GPL. Would you anticipate this effort being self-funding in the long term?
Yes, not only in the long-term. Looking at the rate of new violations
that we now have consistently for a number of years in the embedded
market, it should very much be possible to make it self-funding.
gpl-violations.org has been able to obtain various donations to charitable organizations such as EDRi, FoeBuD, CCC, FSF Europe, Bridge Foundation, ... during enforcement. Those donations are usually part of a settlement that allows the respective vendor to sell already-produced products (without a GPL license text or written offer) during a grace period. So the idea is to redirect those donations (or at least part of it) to the newly established gpl-violations.org organization. This way we can hire somebody to take care of the administrative and paper work. If that kind of self-funding stops for some time, then apparently we don't have as many GPL violations anymore, and the purpose of gpl-violations.org does no longer exist. That's the ideal case, and we can suspend or even dissolve the organization :) What do you think are the prospects of expanding the GPL compliance work beyond Germany?
We're actually doing GPL enforcement outside Germany already. We have
been able to obtain declarations to cease and desist from a number of
formerly-violating companies in Taiwan and Korea, for example.
To the casual observer, it looks like the rate of GPL violations is not decreasing - if anything, the opposite is happening. So far, the community has been quite accommodating to those who violate the GPL, being (for the most part) satisfied if the company involved brings itself into compliance. Might it be that the risk involved with violating the GPL is simply not high enough to deter people? Should the community start seeking damages against GPL violators?
The absolute rate is definitely increasing. But you have to set this
in relation with the overall massive growth of the Linux embedded
market. I don't have any figures on this (and I doubt anyone can have
good figures), but I think that the percentage of Linux-using embedded
devices that ship out of compliance is decreasing, or at most: steady.
There are people suggesting that the penalty should be higher, and we should seek damages. I think for 95% of all cases this would be the wrong decision. The vast majority of GPL violations happens because some Taiwanese or Korean OEM/ODM does something (sometimes even in clear violation with the contract to their customer!) that the Vendor that we're approaching isn't really aware of. Also, most of the companies who once had a GPL problem actually have a good record ever since. Yes, there are occasional "problem companies", such as D-Link or Sitecom. But in general, I have the feeling they take gpl-violations.org quite seriously. If we start asking for huge amounts of damages and try to raise the bar, then we will frighten vendors from using/buying embedded Linux at all. I am definitely not in favor of Linux adoption without GPL compliance. But we have to carefully draw the line between legally indicating that we don't accept GPL compliance, and on the other hand not frightening people who fear to make a mistake at some time from using Linux / GPL licensed software at all. Also, when you ask for (and actually get) damages, you have the problem of what to do with it. Distributing it between all the authors is virtually impossible, because in most cases the transaction fees will be higher than whatever the individual developer will get. Donating it to some organization? To which? Who decides on that? ... As a summary: I think for now, gpl-violations.org draws that line at a reasonable position. In the mid-term future that might be different, and for individual cases I might share the view that higher penalties are justified. But not in general. Anything else you think a clueless LWN writer should know about this work?
What is most interesting about having some organization backing this
project, is that we can actually do "more interesting" legal action than
I can do now. So far, we've only enforced very clear cases, from a legal
point of view. Until now, gpl-violations.org has not helped to
produce any legal precedents on important questions such as derivative
works or binary-only kernel modules. However, after funding the
organization later this year, and thus the legal risk landing on that
organization rather than me personally, I could very much imagine that
we would look into getting some court decisions on that area, too. So
stay tuned, there is probably an exciting time ahead in the next couple
of years ;)
I would like to thank Armijn Hemel who is basically doing almost as much work in gpl-violations.org than me these days, and I would like to thank JBB Rechtsaenwaelte, the Law firm that has so far helped us win all the cases we did :) So do you anticipate taking an action based specifically on binary-only modules?
I'm not planning anything concretely. But I expect sooner or later we
will face such an issue. And I think that matter needs clarification -
whether or not we (as in the Free Software enthusiasts) will like the
results. At least afterwards, there is some precedent either way, and a
much more clean situation for anybody doing software development in
mixed Free / proprietary environments.
Many thanks are due to Harald for taking the time to answer all of these questions.
The Grumpy Editor's guide to SSH servers
There are a number of things one can look at while evaluating an SSH server. Features, for example: which ciphers are supported, port forwarding features, control over what users can do, PAM integration, etc. One can also look at performance issues; data-heavy SSH sessions can put a significant load on the host system. But the issue which must dominate the others is security. An SSH server is designed to give access - perhaps full, root access - to a suitably authorized user coming in from an arbitrary location on the net. Any vulnerabilities in this server thus have a high probability of turning into a full compromise of the system. Evaluating security is hard. Certainly one can look at security-oriented features found in a given implementation, and there will be useful information there. But features do not make security; that requires careful coding, extensive code review, and quick response to security issues as they come up. It requires an active development community which continually works to tighten the security of the server. An SSH server which is the subject of a large number of security advisories would make your editor nervous, but a server with a moribund mailing list and no advisories at all would be worse. With these thoughts in mind, your editor set out to play with the three SSH server implementations he found which are free and under some sort of active development.
DropbearDropbear is an SSH server and client implementation available under an MIT-style license. It runs on just about every Unix-like system, including Cygwin. Dropbear development places a strong emphasis on small size; it is intended for use in embedded systems and other space-constrained situations. The current version of Dropbear is 0.48.1, released on March 12, 2006. As might be expected in a program which is meant to be small, Dropbear offers fewer features than some others. It can perform X11 connection forwarding (and port forwarding in general), and has options for controlling whether password authentication may be used to log in. There is no configuration file, however, and many of the options available with certain other servers are not implemented in Dropbear. Dropbear can do passwordless login using RSA or DSA keys. It understands OpenSSH-style authorized_keys files, allowing the same keys to be used with both servers. The key format for host keys is different, however; a script is provided to convert OpenSSH keys into Dropbear's format if needed. Dropbear can be configured to perform password authentication through PAM, though one gets the sense that most installations don't bother. There is little information available on the ciphers supported by Dropbear. A look at the code, however, shows options for AES-128, AES-256, triple DES, Blowfish, Twofish-128 and Twofish-256. Dropbear appears to have an active developer and user community. There is a fairly long list of distributions listed as using Dropbear, including OpenWRT, OpenZaurus, Trinux, and Motorola A780 phones. The volume on the mailing list is steady but low - Dropbear users apparently have little to talk about. The last publicly-acknowledged security issue was in March, 2006, when a denial of service problem (which also affected a wide variety of other network servers) was fixed. Prior to that, fully remotely exploitable format string vulnerability was disclosed (and very quickly fixed) in 2003. Another remote vulnerability was disclosed in 2004 and yet another was fixed in early 2005. In December of 2005, a "buffer sizing error" which could enable root access for authenticated users was fixed. The code base is small - a little over 23,000 lines for both the server and client - but not particularly well commented. The Dropbear code should be relatively easy to audit; the extent to which anybody has done so is unclear, however.
lshLsh comes billed as "a GNU implementation of the secure shell protocols." So, unsurprisingly, it is released under the GPL. Lsh provides both client and server implementations. The current release of lsh is 2.0.3, from May 9, 2006. The lshd server daemon, like Dropbear, lacks a configuration file; it does have a number of command-line options for controlling options like password authentication and port forwarding. There is support for public-key authentication in lshd, but OpenSSH-format keys must be converted into the lsh format first. The converted key must then be fed to lsh-authorize before the server will recognize it. There does not appear to be an lsh-unauthorize command, making it more challenging than it should be to revoke access for a specific key. Documentation for lsh is more complete than for Dropbear. From that documentation, one sees that the supported ciphers are AES-256, triple-DES (though it is listed as "3dec"), Blowfish, and ARCFOUR. Disclosed vulnerabilities in lsh include a file descriptor leak enabling a local denial of service attack (January, 2006), a denial of service problem (March, 2005), and a remotely exploitable buffer overflow (September, 2003). While lsh releases do continue to happen, it is not clear how large the user and developer community really is. The lsh mailing list is dominated by spam, with legitimate messages seemingly being carried at a rate of less than one per month. Lsh is written in C, but a look at the code gives the impression that the author would rather be using something else. Some sort of preprocessor is used on the code, a memory garbage collector has been implemented, there appears to be some sort of exception mechanism in place, etc. As a whole, the code is harder to read than the Dropbear code, and it is not clear that this code has seen much attention from anybody other than its original author. All told, your editor would hesitate before committing to lsh; it is far from clear that this tool has the user and developer communities needed to keep it alive and secure into the future.
OpenSSHOpenSSH is clearly the dominant offering in this area. All available evidence indicates that almost every publicly reachable SSH server is running OpenSSH. This implementation is maintained by the OpenBSD developers; the current release is 4.3 (or 4.3p2 for systems other than OpenBSD) from February, 2006. If you are looking for features, OpenSSH is the way to go. The sshd_config man page lists a vast number of options controlling authentication mechanisms, ciphers used, user restrictions, file locations, port forwarding, and more. The list of supported ciphers includes ARCFOUR, blowfish, CAST, and several variants of AES. OpenSSH is clearly the most feature-complete of the SSH server implementations; it is also, in many ways, the best documented. Vulnerabilities disclosed in OpenSSH include a root compromise in 2001 (but only when an obscure configuration option was set to a non-default value), a set of integer and buffer overflow vulnerabilities in 2002 which affected relatively few sites, a remotely exploitable heap corruption bug in 2003, an access restriction bypass vulnerability in 2003, a remotely exploitable PAM-related vulnerability in 2003 (non-default configurations only). The nastiest of these will be the 2003 heap corruption bug, which is thought by some to have been actively exploited for some months prior to being fixed. It would appear that no OpenSSH server vulnerabilities have emerged since 2003 (there has been one client-side vulnerability since then). As this article is being written, there is some discussion on the OpenSSH list of a number of bugs found by a Coverity scan. Fixes are in circulation, but there does not appear to be much concern that these bugs are exploitable. The OpenSSH developers clearly take security seriously. The code base is probably the most heavily reviewed of the three implementations discussed here. The OpenSSH server also has a "privilege separation" feature, wherein the bulk of the protocol code (prior to the establishment of the user's session) runs in a separate, unprivileged process. This mechanism will, it is hoped, contain the damage should an exploitable vulnerability turn up in that code in the future. The handling of the 2002 integer and buffer overflow vulnerability raised some eyebrows; the developers refused to disclose specifics on the vulnerability, insisting, instead, that all users perform a significant upgrade to the current release. They have made it clear that they would do so again:
If there is ever a security problem (again :) in OpenSSH we will
disclose it exactly like we want, and in no other way, and quite
frankly since noone has ever paid a cent for it's development they
have nothing they can say about it. Dear non-paying user --
please remember your place.
The fact remains that the OpenSSH developers have earned a high level of trust, and that most users are entirely happy in their place. The OpenSSH mailing list is active, with a steady flow of questions (and patches) from the user community. OpenSSH is implemented with a significant amount of C code. The code base is written for OpenBSD in particular; the version the rest of us use is the "portable" release which has seen added tweaks to make it run elsewhere. There is a set of regression tests packaged with the code as well.
ConclusionYour editor began this project with the idea of determining whether there are truly no alternatives to OpenSSH on the server side. Of the two discussed here, only Dropbear looks even remotely viable. For resource-constrained applications dropbear may even be the preferred choice, but it can also be used in any other setting that does not require the larger feature set of OpenSSH. As noted above, your editor is made a little nervous by lsh, and would choose to avoid it. There are two schools of thought on the OpenSSH monoculture - for that is essentially what it is. Some, including your editor, find the situation a little scary; a serious vulnerability in OpenSSH could be the opening needed for a devastating Internet worm. To these people, some diversity in the OpenSSH ecosystem could only help to make the net as a whole more secure. Others, however, feel that we are better off with a single code base which can benefit from the concentrated auditing and hardening efforts of the entire development community. One can only hope that there is some merit in the latter view, given that, for most systems, OpenSSH is the only viable choice available.
Some LWN notesIt has been a while since we have posted on the status of LWN. Now seems like a good time to catch up, especially since your editor is traveling and can write this article ahead of time.Subscriptions to LWN continue to grow, but that growth continues to be slow. Very slow. Various schemes for improving the situation are in the works, but various complications have impeded the process. We are contemplating hiring another editor to help to expand and improve the LWN content mix; those plans remain vague at this time. We are always looking for writers, however. To that end, we have raised our (still inadequate) pay scales a bit. If you have something to say to the community, and you are willing to write for demanding editors and even more demanding readers, please have a look at the writing for LWN page and contact us. Readers of the RSS feeds may have noticed some changes which have been made there. It has (slowly) occurred to us that RSS seems to be the primary interface to the site for many readers, and that maybe we should pay a bit of attention to it. There is also a new feed which tracks the most recently posted comments; anybody who is interested in tracking the LWN discussion across the site is encouraged to subscribe. See the LWN headlines page for a full list of available feeds; expect to see some others before too long. Maybe someday we'll implement an Atom feed and be properly buzzword compliant, but that is rather lower on the list of priorities. When LWN first started allowing comment posting, some readers predicted that one result might be the death of the "Letters to the Editor" page. Those readers may well have been right; the Weekly Edition almost never includes a Letters page anymore, because there are no letters to publish on it. So we are considering just dropping that page altogether. The alternative, for those who would like to see that page retained, would be to start sending us letters. Occasionally we get queries from people who would like to reuse content published on LWN, often translated into other languages. We have never yet refused such a request. We are still evolving a complete policy on licensing of LWN content, but it will look something like this:
This policy is still under development; we're interested in any suggestions or advice that anybody might have. Finally, for those of you who will be at the Ottawa Linux Symposium this year, LWN editor Jonathan Corbet will be talking on the state of Linux kernel development. It is, at this point, almost as traditional as the Black Thorn party.
Security Brief items Domain Keys for email sender authenticationLast week, this page described Sender Policy Framework (SPF) and some of its shortcomings. A different technique with similar goals is Domain Keys (DK) which appears to be gaining support. This week, DK will be examined along with the related Domain Keys Identified Mail (DKIM) proposal.DK was proposed by Yahoo as a way to authenticate the sender of an email. Essentially, the email is signed using a public key cryptographic signature. A receiving Mail Transfer Agent (MTA) or Mail User Agent (MUA) can look up the public key in the DNS record for the sending domain and compute the signature. If it matches the entry in the DomainKey-Signature header, the email has been verified to have come from that domain. The DK header can specify which other headers are signed and the email body is always included. The domain in the "From:" (or, in some cases, "Sender:") header must always match the domain in the DK header and that provides the linkage that verifies the sender. Because of the way the signature algorithm works, any modification to the signed parts will result in a signature mismatch -- this provides some email integrity protection. Domains and subdomains will maintain public keys as TXT records in their DNS entries. DK uses a standard section of a domain's DNS space to contain the public keys for that domain. In addition, a selector is specified in the DK header which can be used to restrict keys to specific organizations and to revoke keys periodically. To retrieve a key, one queries for the TXT record associated with selector._domainkey.example.com. DK has been adopted by two of the larger email providers: Yahoo and Gmail. Banks and other financial institutions are also starting to adopt it because it provides very good phishing protection for their customers. It allows customers the opportunity to verify that the mail is authentic. Unfortunately, the support for DK checking in MTAs and MUAs has not been widely deployed yet, but the early adopters appear to be betting that it will be. There are several issues with DK, but they do not fundamentally break the store and forward nature of email as SPF does. The main problem is that users will need to use an SMTP server associated with the domain that they are sending from or their MUA will need to generate a DK signature using a personal private key (that is listed appropriately in the domain's DNS). Another issue is that the signing of the body only works if the body is not modified after the signing. Unfortunately some mailing lists and other software (virus scanners for example) tack on a few lines to the body and this will cause the signature check to fail. A potentially bigger problem is that DK is covered by patents held by Yahoo. Microsoft's Sender ID proposal never gained any traction in the free software world because of patent issues, but it appears that Yahoo's liberal licensing terms have removed that issue, at least for free software. Yahoo licenses the patents under either the GPL or their own license agreement. A patent peace provision and a notice that acknowledges Yahoo's intellectual property are all that are required for those who do not wish to license under the GPL. Shortly after Yahoo released the Domain Keys specification, Cisco proposed Identified Internet Email. The two are similar in many respects and have since been merged into a proposal called Domain Keys Identified Mail (DKIM). The IETF has formed a DKIM working group that plans to guide the proposal towards adoption as an internet standard. Depending on whose opinion you believe, that could happen within the next year or two. It remains to be seen whether there is widespread adoption and conversion from Domain Keys if and when DKIM becomes a standard.
New vulnerabilities aRts: privilege escalation
asterisk: buffer overflow
dokuwiki: PHP code injection
gnupg: remote denial of service
horde: missing input sanitizing
kdebase: privilege escalation
libtiff: buffer overflow
pam_mysql: multiple vulnerabilities
sendmail: denial of service
wv2: integer overflow
Updated vulnerabilities awstats: missing input sanitizing
binutils: buffer overflow
blender: integer overflow
busybox: insecure password generation
bzip2: race condition and infinite loop
ktools: buffer overflow
courier: denial of service
cpio: arbitrary code execution
vixie-cron: privilege escalation
cscope: buffer overflows
curl: heap-based buffer overflow
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dhcdbd: denial of service
dovecot: information disclosure
freetype: integer overflows
gdb: multiple vulnerabilities
gdm: privilege escalation
gdm: improper file permissions
gedit: format string vulnerability
gforge: cross-site scripting
grip: buffer overflow
gzip: arbitrary command execution
ImageMagick: heap overflow vulnerability
libjpeg: Denial of Service
kdebase: local root vulnerability
kdelibs: kate backup file permission leak
kernel: multiple vulnerabilities
kernel: netfilter memory corruption
kernel: information disclosure
libgadu: memory alignment bug
libgd2: denial of service
libgd2: buffer overflows in PNG handling
libpam-ldap: authentication bypass
libpng: heap based buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
lynx: arbitrary command execution
mozilla products have multiple vulnerabilities
mpg123: buffer overflows
mysql: SQL injection vulnerability
MySQL: logging bypass
mysql: information leaks
nbd: arbitrary code execution
ntp: uses wrong gid
openldap: stack-based buffer overflow
openmotif: buffer overflows
OpenSSH: double shell expansion
perl: setuid vulnerabilities
php: multiple vulnerabilities
phpbb2: missing input sanitizing
phpbb2: multiple vulnerabilities
phpMyAdmin: multiple vulnerabilities
postgresql: SQL injection
Py2Play: remote execution of arbitrary Python code
quagga: multiple vulnerabilities
quake: buffer overflow
scorched3d: multiple vulnerabilities
shadow-utils: mailbox creation vulnerability
spamassassin: arbitrary command execution
squirrelmail: file inclusion vulnerability
sudo: vulnerability via scripts
texinfo: temporary file vulnerability
tin: buffer overflow
tor: multiple vulnerabilities
typespeed: buffer overflow
unzip: long file name buffer overflow
w3c-libwww: possible stack overflow
webcalendar: uninitialized variable
wordpress: arbitrary command execution
xine-lib: buffer overflow
xine-lib: buffer overflow
xine-ui: format string vulnerabilities
X.Org: buffer overflow
xpdf: buffer overflow
xpdf: denial of service
xpdf: integer overflows
Page editor: Rebecca Sobol Kernel development Brief items Kernel release statusThe stable kernel team released the 2.6.17.1 kernel with a security fix for the SCTP network protocol, and the 2.6.16.21 kernel with the same SCTP fix, and a PPC 32bit fix and a local denial of service fix.Since the 2.6.17 kernel release Linus's tree has started filling up very quickly, with almost 1000 patches being accepted in 3 days. These changes include a very large MIPS update, ARM update, SCSI update, PCI Hotplug update, wireless networking update, network update, network driver update, userspace cleanup of the header files, and a firewire update.
Kernel development news Quote of the week
The thing is, I don't actually enjoy debugging my own machines. I
_much_ prefer having other people debug _their_ machines, and fixing my
machine in the process.
KHB: Transparent support for large pagesIntroduction: The Kernel Hacker's BookshelfA lot of great operating systems research goes on, but relatively little of it makes the leap into production operating systems, or from one operating system to another. The ideas that do trickle down into implementation are often delayed by years. Usually an idea gets ignored because it looked good in the research lab but turned out not to be practical in a production environment. But every so often, a practical idea goes unnoticed for years simply because none of the actual coders has the time to sit down and parse fifteen pages of dry academic prose. You're too busy writing code, can't someone make it easier to figure out which books and papers are worth reading?Welcome to The Kernel Hacker's Bookshelf. The goal of this series is to bring good research and good kernel hackers together through reviews focusing on the practical aspects of research, written in plain (possibly even entertaining) language. We hope you enjoy reading these articles - and writing code inspired by them!
Transparent operating systems support for large pagesWhile Moore's Law tramped inexorably on during the last few decades, increasing memory size and disk space along with transistor density, it left some elements of computer architecture in the dust. One of these stragglers is TLB coverage. The TLB (or Translation Look-aside Buffer) caches translations between virtual and physical memory addresses; usually every memory access requires a translation. Performance is best when all the needed translations can fit in the TLB and translations "hit" in the TLB instead of missing. The amount of memory translated by the entries in the TLB is called the TLB coverage. TLB coverage has been dropping as a fraction of total memory (and, more importantly, as a fraction of the total size of Netscape - er, Mozilla - er, Firefox), and TLB misses are often a serious drag on system performance. Since translations are done on a per-page basis, one solution is to increase the size of the system pages. We could increase the base page size - the smallest page available - but that would typically waste a lot of memory, cause more page-outs, trigger unexpected application bugs (ask me about the one with the JVM default stack size and 64KB pages some time), and make the system slower overall. Instead, many processors now offer multiple page sizes, beginning with a base page size of 4KB or 8KB and ranging up to a large page size of 2MB or occasionally a truly monstrous page size of 256MB or larger. Large pages increase TLB coverage and can reduce TLB misses significantly, often improving the performance of applications with large working sets by 10-15%. On the other hand, large pages can reduce performance by increasing the cost of paging memory in and out and adding the overhead of tracking several different page sizes. Implementing automatic, transparent OS-level support for large pages while simultaneously improving overall performance is not easy. It's also what Linux users are clamoring for - and some of them are switching to operating systems that already have automatic large page support (cough, cough, Solaris).
A Solution: The Rice PaperPractical, Transparent Operating System Support for Superpages by Juan Navarro, et al., describes a sophisticated and elegant implementation of transparent large pages. The authors implemented their system on FreeBSD on the Alpha processor, using 4 page sizes: 8KB, 64KB, 512KB, and 4MB. The paper was published in 2002, otherwise they might have picked a less ill-omened architecture than Alpha; fortunately the design is reasonably generic. Overall, this paper is one of the best I've ever read.The basic design is reservation-based; that is, enough pages to make a large page are reserved in advance and later promoted to a large page when justified. Memory fragmentation is reined in via careful grouping of page types and a smarter page replacement policy. Almost all applications tested saw at least some speed-up, and absolute worst case performance degradation varied from 2-9%. Most amazing of all, the implementation only required about 3500 lines of code - about half of an ext2. How exactly did they accomplish all this? Buckle up for some nitty-gritty details. First, a run of contiguous pages suitable for a large page is reserved whenever an application page fault occurs (outside an existing reservation, of course). The size of the reservation is picked based on the size and type of the memory object, with slight variations depending on whether the object is fixed in size (e.g., text) or might grow (e.g., stack). For example, an application with 700KB of text would have a 512KB page reserved the first time a page in the text was faulted into memory. Once a large page of any size has been fully populated (all of its pages referenced at least once), it is promoted into a large page. In our example, once a contiguous 64KB region anywhere in the program text has been faulted in, it will be promoted to a 64KB page. Promotion of a partially populated page is possible, but the trade off is that it may increase the application's total memory usage, unintentionally creating a memory hog. In the rough and tumble world of scarce memory, promotion is not a one-way street. Demotion of large pages into smaller pages is also useful. An application may start out using all pages in a large page but then stop referencing most of the pages. The only way to tell is to demote the large page and check the referenced bits on the smaller pages a little while later. A page is demoted when it is first written, when one of its base pages is evicted, and periodically when the system is under memory pressure. When an application wants more memory and no free space is available, unused parts of a reservation are preempted. "Use it or lose it" is the name of the game here. The reservation which loses is the one whose most recent allocation occurred least recently - LRU order, basically - since most applications touch most of their working set soon after starting up, and so it's unlikely the original owner of the reservation will need the space. Unused reservations live on different lists depending on the size of the allocation that can be made by preempting the reservation. A population map, implemented as a radix tree, keeps track of which pages are allocated inside each large page-sized extent for easy look up. This radix tree is a key data structure; it makes allocation, reservation, and promotion decisions fast and simple. The final key elements are the page replacement policy and the way pages of various types are grouped together. There are several different kinds of pages in the system. Some pages can't be moved or freed (pinned), some pages are in use but can be moved (active), and some pages are not currently used by anyone but may be used in the future (cached and/or inactive). If these pages are mixed together indiscriminately, pinned and active pages end up scattered everywhere, without any contiguous runs of free (or free-able) pages that can be converted into hotly pursued large pages. Fragmentation needs to be both prevented and repaired - without hurting performance by moving around pages too much. Pinned pages are the most difficult problem, since once allocated they cannot be moved and may never be freed. The system tries to allocate these pages in clusters, so they break up as few potential large pages as possible. Similarly, cache pages are allocated in clusters with free pages, since cached pages can be easily freed to allow the creation of a large page. Reservations can include cache pages, and cached pages contained inside a reservation continue to be active until the application actually needs to kick that page out. The page replacement daemon was changed to run not only when free memory runs low, but also when contiguity runs low. An "innocent until proven guilty" algorithm works here - we assume we don't need more contiguity until a large page reservation fails for lack of contiguity. When woken for this reason, the daemon runs just long enough to recover enough contiguous space to satisfy the allocations that failed. The page aging algorithm was changed slightly from the FreeBSD default; cached pages for a file are marked inactive on the last close, trading off the chance of the file being reopened against the opportunity for more contiguity.
Evaluating the SystemThe authors tested their system against a truly startling variety of applications, everything from gzip to web server trace replays to fast Fourier transforms, as well as a section exploring worst case situations. Personally, I'm not sure I've ever seen a better evaluation in a research paper; it's quite a treat to read.In the best case, with low fragmentation, 33 out of 35 applications showed some improvement (one was unchanged, and the other was about 2% slower). Several had significant improvements. For example, rotating an image using ImageMagick was about 20% faster; linking the FreeBSD kernel was about 30% faster; bzip2 was 14% faster. In the fragmented case, performance was not as good, but usually to picked up again after a few runs as the page replacement daemon moved things around. In the worst-case department, the performance was degraded by about 9% for an application that only touched one byte per large page before freeing it, and by about 2% for a test case in which large page promotion was turned off. It makes for a pretty convincing case that large pages are an overall win for many systems.
Implications for LinuxWhat does this paper tell us? It is possible to implement transparent large page support in such a way that most applications get at least some benefit, and some applications get a lot of benefit. The algorithms used are relatively simply to understand and implement, and hold up well in worst case behavior. Finally, transparent large pages can be implemented elegantly and cleanly - only 3500 lines of code! Best of all, this paper includes a plethora of implementation details and smart algorithms, just begging to be reused. All of the above earns this paper a hallowed place on the Kernel Hacker's Bookshelf.Over the past few years, several Linux developers have been working on various forms of transparent large page support. Some of that recent work, spearheaded by Mel Gorman, has been reviewed earlier in LWN:
Current work on large pages in Linux is summarized on the linux-mm wiki. I look forward to more work in this fascinating and fertile area of operating systems implementation. [Do you have a favorite textbook or systems paper? Of course you do. Send your suggestions to:
val dot henson at gmail dot com Valerie Henson is a Linux kernel developer working for Intel. Her interests include file systems, networking, women in computing, and walking up and down large mountains. She is always looking for good systems programmers, so send her some email and introduce yourself.]
Driver core finally changingBack in November of last year, I wrote a list of the steps that were going to happen for the future of the kernel driver core. Finally, some of the steps that were described there have been implemented.Making struct class_device go awayIn the -mm kernel tree, there is a small patch that allows almost all users within the kernel of the struct class_device structure to convert over to use a struct device structure instead. This patch changes the struct device structure by adding the following fields:struct device_attribute *devt_attr; struct list_head node; struct class *class; dev_t devt; The first two fields, devt_attr and node are used internally by the driver core code, and should not be touched by anything else. The other two fields class and devt are what is used by any code wishing to convert to the struct device structure. If the field class is set by someone, before the struct device is registered, the driver core assumes that this struct device is associated with the specified struct class. This means that the device is added to the list of all devices attached to that class, and a symlink is created in the class's directory in sysfs, showing that it is present. If the field devt is set, then a file named dev is created in the sysfs directory for the device, containing the major and minor number of the device. This is what programs like udev use in order to properly set up the /dev tree dynamically depending on what devices are present in the system. As an example of what the sysfs changes are when these fields are set, look at the usb_device class code that has been converted to use this new interface in the latest -mm release. The /sys/class/usb_device directory in the 2.6.17 kernel release looked something like this for most systems:
$ tree /sys/class/usb_device/
/sys/class/usb_device/
|-- usbdev1.1
| |-- dev
| |-- device -> ../../../devices/pci0000:00/0000:00:1d.7/usb1
| `-- uevent
|-- usbdev2.1
| |-- dev
| |-- device -> ../../../devices/pci0000:00/0000:00:1d.0/usb2
| `-- uevent
|-- usbdev3.1
| |-- dev
| |-- device -> ../../../devices/pci0000:00/0000:00:1d.1/usb3
| `-- uevent
|-- usbdev4.1
| |-- dev
| |-- device -> ../../../devices/pci0000:00/0000:00:1d.2/usb4
| `-- uevent
`-- usbdev4.3
|-- dev
|-- device -> ../../../devices/pci0000:00/0000:00:1d.2/usb4/4-1
`-- uevent
But now, converted over to use the struct device structure
instead of struct class_device, it looks like:
/sys/class/usb_device/ |-- usbdev1.1 -> ../../../devices/pci0000:00/0000:00:1d.7/usb1/usbdev1.1 |-- usbdev2.1 -> ../../../devices/pci0000:00/0000:00:1d.0/usb2/usbdev2.1 |-- usbdev3.1 -> ../../../devices/pci0000:00/0000:00:1d.1/usb3/usbdev3.1 |-- usbdev4.1 -> ../../../devices/pci0000:00/0000:00:1d.2/usb4/usbdev4.1 `-- usbdev4.3 -> ../../../devices/pci0000:00/0000:00:1d.2/usb4/4-1/usbdev4.3What this has accomplished is to move the USB device structure that used to be sitting out in the class directory, into the device tree itself in sysfs, providing a unified device tree, without needing to look in two different locations in sysfs to find the information. Helper functionsIn order to make the transition to converting existing kernel code to use the struct device structure instead of the struct class_device structure, two new functions have been introduced into the driver core:
struct device *device_create(struct class *cls, struct device *parent,
dev_t devt, char *fmt, ...)
__attribute__((format(printf,4,5)));
void device_destroy(struct class *cls, dev_t devt);
The function device_create, works almost identically to the existing kernel function, class_device_create. It dynamically creates a struct device structure, with all of the specified information, and registers it with the driver core and sysfs. The other new function, device_destroy, is used to remove any struct device structures that were created with a call to device_create earlier. It is almost identical to the existing function, class_device_destroy An example of how simple it is to convert existing code can be seen in the patch that does the conversion for the usb_device class code. Slowly over time, all users of struct class_device will be converted over to using struct device and then, struct class_device will be removed from the kernel. And hopefully, the other tasks outlined in that original article , will also get accomplished.
More sysfs symlinksAnother new change in sysfs that will be in the 2.6.18 kernel release, is the addition of another symlink in all device and class device directories. Kay Sievers has written a patch that adds the symlink "subsystem" to these directories. This symlink points back to either the class that the device is associated with, or the bus that the device is associated with.This symlink is identical to the information that the kernel has always been emitting to userspace through the hotplug interface whenever a device was created or removed from the system. Userspace uses the subsystem information in order to determine what to do with the device. If you look at the older hotplug package, it is broken down into a set of different scripts that run depending on the subsystem that is being addressed: $ ls /etc/hotplug/*.rc /etc/hotplug/input.rc /etc/hotplug/isapnp.rc /etc/hotplug/pci.rc /etc/hotplug/pnp.rc /etc/hotplug/usb.rcAnd udev rules also act on the subsystem type in order to determine what to do with the device: $ head -n 3 /etc/udev/rules.d/05-udev-early.rules # ignore these events until someone needs them SUBSYSTEM=="drivers", OPTIONS="ignore_device" SUBSYSTEM=="module", OPTIONS="ignore_device"But before this kernel patch, if a program wanted to walk through sysfs and try to determine the subsystem that a specific device was associated with, they had to do the following steps:
$ tree /sys/class/tty/ttyS0/ /sys/class/tty/ttyS0/ |-- dev |-- device -> ../../../devices/platform/serial8250 |-- subsystem -> ../../../class/tty `-- uevent $ tree /sys/devices/pci0000:00/0000:00:00.0/ /sys/devices/pci0000:00/0000:00:00.0/ |-- broken_parity_status |-- bus -> ../../../bus/pci |-- class |-- config |-- device |-- driver -> ../../../bus/pci/drivers/e752x_edac |-- enable |-- irq |-- local_cpus |-- modalias |-- power | |-- state | `-- wakeup |-- resource |-- subsystem -> ../../../bus/pci |-- subsystem_device |-- subsystem_vendor |-- uevent `-- vendor
Detecting kernel memory leaksThe implementation language for the Linux kernel is C. That choice makes a great deal of sense; C does a good job of staying out of the way and letting programmers control exactly what is happening. Anybody who does any significant amount of C programming, however, eventually ends up chasing down memory leaks. Since C forces programmers to track every block of allocated memory and clean up their own messes, things occasionally slip through the cracks. Memory leaks can be a problem in applications, especially those which run for a long time - ask any Firefox user. But kernel memory leaks are worse; every time the kernel drops a piece of memory, it is gone until the next boot. A system with a serious kernel memory leak will quickly become unusable.Tracking down memory leaks can be painful work. When a proprietary memory allocation tracking tool became available for SunOS many years ago, your editor had no qualms about spending thousands of his employer's dollars to license it; the payback time was quite short. In current times, Linux users can employ a free tool like valgrind (version 3.2.0 was released on June 8) to track down user-space memory leaks. But valgrind does not work on a running kernel. (Some work has been done on running User-mode Linux under valgrind, but sometimes one simply has to debug the host system). As the kernel developers rely more heavily on automated tools for finding bugs, the creation of a kernel memory leak detector is an obvious next step. Catalin Marinas has taken that step with a kernel memory leak detector patch series. This code, if accepted into the kernel, should help to eliminate another big class of errors. Catalin's patch functions much like a scan-and-mark garbage collector. The first step is to track every memory allocation in the system; to that end, the patch instruments the slab allocator. Every block allocated from a slab (which will include allocations from kmalloc()) is stored in a radix tree; along with a pointer to the block, the stored information includes the block size and a stack trace identifying where the block was allocated. When blocks are freed, their corresponding entries are removed from the radix tree. During normal system operation, this radix tree just sits there. Should somebody ask about memory leaks (by reading /sys/kernel/debug/memleak), the detection algorithm swings into action. The steps performed are:
In the real world, things get complicated, so the leak detector is not quite as simple as described above. One situation which had to be addressed is cases where the kernel keeps a pointer to the interior of a block of memory, rather than to the beginning. This happens frequently; many kernel structures are located by way of an embedded list_head structure or kobject, for example. As a way of locating these blocks, the memory leak detector records uses of the container_of() macro; in particular, it remembers the size of the block and the offset to the embedded structure. When a block of a given size is allocated, the detector records "alias" addresses for any possible embedded structures. A pointer to one of those aliases is considered to be equivalent to a pointer to the beginning of the block. There are various other special cases which must be handled. For example, memory obtained from vmalloc() will be pointed to by the memory allocation code itself, but might still be leaked. In other cases, memory is allocated which cannot be found by the scanning algorithm; a number of special annotations are added to the kernel to suppress the resulting false positive reports. The detector can also be fooled by pointers which are left behind in disused memory, or by random data which happens to look like a pointer to an allocated block; in these cases, false-negatives will result. Even with these problems, the situation is better than before - a lot of memory leak situations can be found. Ingo Molnar, however, has a vision of a more ambitious scheme wherein type information for every allocated block would be retained. Among other things, this information would allow the scanning to be restricted to parts of the block known to contain pointers; that should speed the process and reduce false negatives. Since type information is available, each scanned pointer could be checked to ensure that it points to a block of the correct type, adding another level of checking to the kernel. Implementing all of this looks like a big task, however; even Ingo may need a couple of days to get it done.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Forrest Cook Distributions News and Editorials Live CDs Part III: Small Footprint Systems[Editor's note: this is the third in a four-part series; the next installment will appear in the next week or two.]In Part II of this series I looked at three examples of live CDs that provide desktop replacements. Each of those examples provided large numbers of tools, applications and features that a typical desktop user would find important. In essence, they all try to provide everything a desktop user would need. On the opposite end of the spectrum you'll find small footprint systems. A small footprint live CD has the advantage of being able to run on memory limited hardware or even on much older processors, including pre-Pentium class machines. Each of the live CDs I looked at in this category came in under 120MB for the ISO, leaving lots of room for customization by end users. Small footprint systems should boot into minimal configurations and allow extensive configuration so that they can be tuned for specific hardware very easily. The goal of a small footprint system should be to provide the base upon which more elaborate customizations can occur.
OliveOlive is the successor of an older live CD called DeadCD. With an ISO image coming in at about 115MB, Olive is an example of a technology preview distribution because it uses newer software features not found in most other live CDs. Unlike the GNOME LiveCD (which we looked at last time), the technology here runs from the boot process through the desktop. This includes the use of GHLI, a Pascal script interpreter that was chosen over BASH for speed improvements for the init scripts. It also includes Enlightenment as the desktop environment instead of the more common KDE or GNOME environments but falls back to Xvesa for general graphics hardware support under the X Window System.There is no login on Olive. The CD takes you directly to a root prompt. From here you can start up the Enlightenment desktop or use a lightweight desktop based on FluxBox. X configuration is done manually yet easily handled common settings of 1024x768, 24bit color at 60Hz. The desktop is clean and uncluttered, with extra pizazz provided by Enlightenment. Applications include MPlayer and Audacious media players, the Firefox browser, GAIM and XChat Internet messengers, and Abiword for office documents. Olive correctly ran DHCP to setup the networking on the system without user interaction. It even set up the sit0 interface for IPV6-in-IPV4 routing, something my Fedora installations don't do by default (not that I know what to do with it yet). Many live CDs use their own methods of extending the feature set of the CD. Olive uses a project called UniPKG to install RPMS, Debian and other package formats onto a running system. This adds features at runtime, however and isn't used to update the ISO image in any way. Documentation does not mention user accessible methods of extending the ISO image. Only the ISO is available for download (no source or build system). Olive stays true to its purpose, coming in at only 117MB out of 229MB when running in the root shell without a GUI. Starting up Enlightenment takes this to 160MB while the light GUI (FluxBox) cuts it back to 150MB of memory.
Puppy LinuxThis live CD is more of a desktop replacement than a small footprint version, though even with OpenOffice installed it manages to keep the ISO under 90MB. Though small in size, Puppy Linux provides a wide set of applications and is thus more like a desktop replacement than a true small footprint environment. If you're new to Puppy Linux, the Wiki is a better place to start as the main web site is a bit more technical and slightly cluttered.Puppy Linux supports a wider range of hardware than Olive at the expense of lots of initial configuration. The system supports multiple keyboard configurations. Unfortunately, the default keyboard is not a US QWERTY configuration so I have to change this each time I boot. During boot up the system checks for a mountable USB device. If available, working files are saved to the device every 30 minutes. If it can't find a drive, it tells you that on boot up. Without USB, each boot requires you to go through extended configuration operations, like choosing a keyboard type. Though the USB support is a definite plus, the extra configuration required at boot time is annoying. Many systems make use of udev, lshwd or other mechanisms to do hardware configuration without user interaction. Another area where too much user interaction is required is in configuring the X environment. Puppy Linux provides a choice of between probing for video hardware using an xorg tool or using a standard VESA fallback configuration. Whether probing succeeds or fails, the choice of falling back to the VESA configuration (which supports most video hardware) is still available. The initial hardware probe for the X configuration defaulted to 1024x768 @ 16bit color. After probing, a menu is presented with other options. I was then able to change to 24bit color. Probing for audio hardware was painless but still required confirmation. Again, this all happens during the initial boot. Puppy Linux uses ROX Desktop and Joe's Window Manager (JWM) for the desktop environment, keeping memory usage to a minimum. At boot up, using the VESA X driver, the system used 115MB out of 229MB. The technology behind Puppy Linux includes SquashFS, for using compressed filesystem images, and UnionFS, for merging mount points from multiple SquashFS images. The system can be extended using the Puppy Custom CD Creator (PCCC) tool in conjunction with the PupGet package manager. Default applications include Abiword and Gnumeric for office documents, GAIM, Firefox and Sylpheed for Internet and mail access, and Snack and GXine media players. Extensive documentation on how to extend or even build your own Puppy Linux distribution makes this a popular choice for the do it yourself crowd.
Damn Small LinuxDamn Small Linux, more commonly referred to as DSL, which is not to be confused with the high speed Internet option from your local telco, is based on KNOPPIX technology. Like KNOPPIX, this very popular live CD has been a parent to many live CD children. Most are less well known than DSL though Feather Linux is also gaining popularity (and runtime size) on its own.DSL had little trouble recognizing the EPIA M10000 board, probably because the core developers are fans of the EPIA line of mini-ITX boards. They even run a small mini-ITX store to help support their development of DSL. Boot up was clean and fast and went straight into an X session for the "dsl" user (as opposed to root) running the Xvesa display server. A minimalist browser called Dillo is opened at startup that points to documentation on how to use and configure DSL. DSL uses the 2.4.26 kernel instead of more modern 2.6 kernels. This is an architectural choice. The 2.4 kernels are much smaller than the 2.6 kernels so using 2.4 helps keep a small memory footprint. The system correctly configured networking using a DHCP client at boot time. Top reports 69MB used out of 223MB available but Torsmo (the desktop system monitor) reports only 29MB used out of 218MB. I'm not sure why there is a discrepancy. Either way, DSL still uses less memory than Puppy Linux or Olive. The desktop defaults to using FluxBox though you can switch to Joe's Window Manager (JWM) on the fly. Applications include Firefox and Sylpheed for Web browsing and mail, Nano and VI for editors, xpdf for PDF viewing and xmms for multimedia. Office documents are handled by Ted and Siag. An automated network-based installation is available that supports a wide range of applications. It's also possible to install additional applications using Apt and Synaptic, though use of Apt is not enabled by default (it's a menu option from the desktop). DSL can also install itself to a hard disk or USB drive simply by choosing the appropriate menu option. DSL keeps to its word in providing a system that uses as little memory as possible while still providing a wide range of applications without having to install additional packages. Its dependency on older kernels may make it less suitable for more modern requirements.
In the last installment in this series I'll look at a set of live CDs targeted at specialized situations. This is the class of live CD many people will want to explore, because the usefulness of a live CD is in it's ability to solve a particular problem or fill a particular need. The three CDs under consideration will be GamesKNOPPIX, a game player oriented live CD, the Ultimate Boot CD, a diagnostics and system recovery CD, and KnoppMyth, a MythTV based media system.
New Releases Xandros Releases Digital Lifestyle Linux DesktopXandros has announced a new line of consumer desktop products targeting home and multimedia users: Xandros Desktop Home Edition and Xandros Desktop Home Edition - Premium.
Announcing Ubuntu 6.06 LTS server for SUN Sparc64The Ubuntu team has announced the release of Ubuntu 6.06 LTS server for SUN Sparc 64bit architecture. Highlights of this release include new kernels targeted at server platforms, improved support for clusters and SANs, and much more.
Musix GNU+Linux 0.49 releasedMusix 0.49 is an "experimental" version that was made just to support new hardware, such as the SATA hard disks, and the new sound and video cards. This version also sports a 2.6.16 kernel, uses the Kanotix installer and has many upgraded packages.
Announcing Fedora Core 6 Test 1 (5.90)Fedora Core 6 Test 1 is available for testing. "The Fedora Project announces the first release of the Fedora Core 6 development cycle, available for the i386, x86_64, and ppc/ppc64 architectures, including Intel based Macintosh computers. Beware that Test releases are recommended only for Linux experts/enthusiasts or for the technology evaluation, as many parts are likely to be broken [and] the rate of change is rapid."
Distribution News Unofficial Fedora FAQ UpdateThe Unofficial Fedora FAQ has seen some minor updates. Click below for details.
Fedora Project Board UpdateNotes from the June 20, 2006 meeting of the Fedora board are available. Topics discussed include Plone, FC6-T1, sponsorship and more.
Sun JRE/JDK Packages Available for rPath usersrPath has packaged the Sun Java JDK and JRE for use with rPath Linux and distributions derived from it. "NOTE: These packages contain software developed by Sun Microsystems, and are not part of rPath Linux proper. Therefore, rPath cannot provide source-level support; should issues arise, refer to Sun's Java resource sites for help..."
Tao Linux Retirement PlansTao Linux was one of those projects that aimed to provide a free Linux distribution from the sources used in Red Hat Enterprise Linux. Founder and lead developer David L. Parsley announced that he no longer has time for Tao development.
Over the last few weeks, I've consulted with other Tao developers and a
number of Tao users, as well as several CentOS developers, with whom I've
worked closely. Based on feedback, suggestions, and general agreement of
all concerned, I'm going with the following plan:
Preparations for Ubuntu summitThe Ubuntu summit begins today (June 19) in Paris. People who can't make it to the summit in Paris can still participate via VOIP and/or Gobby.
New Distributions Former FreeBSD project releases Linux live CD alpha (DesktopLinux)DesktopLinux covers the GNU-HALO project. "The GNU-HALO project team, which had been working on a new FreeBSD operating system distribution for several months but ultimately decided to switch over to a Linux core, finally released its first edition, GNU-HALO Alpha 0.1 Linux live CD, on June 19, a team spokesman said."
Distribution Newsletters Debian Weekly NewsThe Debian Weekly News for June 20, 2006 looks at a Debian Community Conference Italy in September, compressing PDF files, the relaunch of the Debian Mentors Site, hardly used orphaned packages, Debian Day at FroOSCon, and much more.
Fedora Weekly News Issue 51This edition of the Fedora Weekly News covers Red Hat Magazine Issue 20 June 2006, Looking for a few good women (and men), Interview with Max Spevack from the Fedora project, Distrowatch: Still undecided? Then install Fedora Core 5!, Google Earth 4 Beta for Linux, Red Hat Fedora 5 Unleashed Book, IT Reviews: Fedora Core 5 Review, Open Video Contest goes live this week, and more.
Gentoo Weekly NewsletterThe Gentoo Weekly Newsletter for June 19, 2006 covers User Representative Nominations, Project Sunrise, Java 1.5 and several other topics.
DistroWatch Weekly, Issue 156The DistroWatch Weekly for June 19, 2006 is out. "There is a lot to look forward to this week - a brand new release of Xandros Desktop is expected to start shipping on Wednesday, while the first test build of Fedora Core 6 should be available from Fedora mirrors on the same day. In other news: Slackware 11.0 nears its release point, OpenSolaris celebrates its first birthday, and SCO becomes a victim of a strangely believable hoax that excites some of the former users of Caldera OpenLinux. In the "First Looks" section you'll find a round-up of currently available BSD-based live CDs, while in the "Site News" area we present the list of packages that have been selected as new entries into the database of software packages tracked by DistroWatch."
Package updates Fedora updatesUpdates for Fedora Core 5: python-docs (built older version for FC5), system-config-bind (bug fixes), autofs (bug fixes), libselinux (patched), arts (KDE 3.5.3), kdeaccessibility (update to 3.5.3), kdeaddons (update to 3.5.3), kdeadmin (update to 3.5.3), kdeartwork (update to 3.5.3), kdebase (update to 3.5.3), kdebindings (update to 3.5.3), kdeedu (update to 3.5.3), kdegames (update to 3.5.3), kdegraphics (update to 3.5.3), kde-i18n (update to 3.5.3), kdelibs (update to 3.5.3), kdemultimedia (update to 3.5.3), kdenetwork (update to 3.5.3), kdepim (update to 3.5.3), kdesdk (update to 3.5.3), kdeutils (update to 3.5.3), kdevelop (update to 3.5.3), kdewebdev (update to 3.5.3), qt (update to 3.3.6), gtk2 (fix lost dependencies), ruby (bug fixes), smartmontools (rebuild for FC5), kdepim (bug fix), nss (update to 3.11.1), system-config-lvm (update), scim (update for gtk2 change of path), gdm (update to 2.14.9), glib-java (update to current version of frysk), cairo-java (update to current version of frysk), libgtk-java (update to current version of frysk), libvte-java (update to current version of frysk), libgnome-java (update to current version of frysk), libglade-java (update to current version of frysk), frysk (update to current version of frysk).Updates for Fedora Core 4: arts (KDE 3.5.3), kdeaccessibility (update to 3.5.3), kdeaddons (update to 3.5.3), kdeadmin (update to 3.5.3), kdeartwork (update to 3.5.3), kdebase (update to 3.5.3), kdebindings (update to 3.5.3), kdeedu (update to 3.5.3), kdegames (update to 3.5.3), kdegraphics (update to 3.5.3), kde-i18n (update to 3.5.3), kdelibs (update to 3.5.3), kdemultimedia (update to 3.5.3), kdenetwork (update to 3.5.3), kdepim (update to 3.5.3), kdesdk (update to 3.5.3), kdeutils (update to 3.5.3), kdevelop (update to 3.5.3), kdewebdev (update to 3.5.3), autofs (bug fixes).
rPath updatesUpdates for rPath Linux 1: conary, conary-build, conary-policy (Conary 1.0.20), firefox-rBuilder-search (use the /rbuilder/search url), gcc, gcc-c++, gcc-f77, gcc-java, gcc-objc, libgcc, libstdc++ (move java related man pages)
Slackware updatesThis week alert readers of the Slackware-current change log may have noticed this note: "Although there's still quite a bit in the TODO queue here I'm making my steps carefully as -current is very stable, and I think it should ship as a stable 11.0 soon so that we can get back to the business of breaking things in -current."
Trustix updatesTrustix has issued a bug fix advisory for nss_ldap, pam_ldap, perl-dbd-mysql, perl-dbd-pg and sqlgrey. These packages have been updated for TSL 2.2 and 3.0.
Newsletters and articles of interest Mandriva sound contest announced (NewsForge)NewsForge covers a contest to find the best session startup and logoff music for the upcoming release of Mandriva Linux 2007 and all subsequent 2007 updates. "The contest begins Thursday, which coincides with a holiday called World Music Day, which is celebrated in many parts of Europe. A Web page with contest rules and a place to submit audio files will be up this evening, according to Romain D'Alverny, the technical lead for the contest."
Ten tips for new Ubuntu users (Linux.com)Linux.com has some tips for new Ubuntu users. "Ubuntu has become the most popular Linux distribution for new Linux users. It's easy to install, easy to use, and usually "just works." But moving to a different operating system can be confusing, no matter how well-designed it is. Here's a list of tips that might save you some time while you're getting used to Ubuntu."
Xandros Linux provides better wireless support (IT Week)IT Week reports that Xandros 4.0 will will include better support for wireless networking. "The exact feature set for Xandros Desktop OS Version 4 has yet to be disclosed, but the company said it will support Wireless Profiles to help laptop users connect to Wi-Fi hotspots and store settings. It will also feature Xandros Security Suite, a set of tools including a personal firewall and antivirus features to protect PCs against spam, spyware and viruses."
Distribution reviews Installing SUSE Linux 10.1 on a PowerPC Mac (Linux.com)Kris Shaffer does a test drive of SUSE Linux 10.1 on the PowerPC Mac platform. "Since version 7, PowerPC versions of SUSE Linux have been conspicuously absent from the SUSE desktop lineup. Instead, SUSE and Novell have focused on x86 (and x86_64) versions of their desktop Linux distribution. With version 10.0, PowerPC support returned to SUSE, but Novell has quite a few kinks that need to be worked out before this distro hums like its x86 counterpart, starting with some killer problems with installation."
Ubuntu 6.06 LTS review post (Debian News)Debian News has gathered a collection of reviews of Ubuntu 6.06 LTS (Dapper Drake). "This news post contains the many reviews of Ubuntu/Kubuntu/Edubuntu 6.06 LTS. Currently screenshot tour at OSDir and two reviews at TuxMachines, LinuxForums, ReviewLinux, Linux-watch, DesktopLinux, Nuxified, Linux.com, Tectonic, LinuxInsider, Linux.org, xbit64.net and videos at OSVids." (Thanks to Christian Jensen.)
Page editor: Rebecca Sobol Development Why the KDE project switched to CMake -- and howWhy the project revamped its build system for KDE4KDE developer Alexander Neundorf explains the background for the move away from the traditional "autotools" KDE is one of the largest Free and Open Source Software (FOSS) projects. It follows the typical "distributed development" model used by many other FOSS applications. More than 1.200 developers around the planet have accounts and credentials to access its central source code repository. This repository currently holds more than 4 million lines of program code, translations of approximately 100,000 user interface strings (and many more lines of application manuals) into more than 80 different languages. Every day there are about 300 or more "commits", adding new or modifying existing content. Any software project of this size and scope can only prosper and go forward if it uses tools that are good enough to manage and build all its code, for all its contributors, on all supported OS and CPU platforms, all the time, without major problems. Oftentimes "good enough" here translates into: "the best one that is available for our purposes". For its central source code management KDE last year migrated from the venerable "Concurrent Versioning System" (CVS) to the newer, more powerful Subversion (SVN) software. That change in itself was an enormous stress test for the capabilities of the still young SVN project: a year ago, several preparatory "dry runs" which simulated the pending move revealed quite a number of bugs and performance problems in advance. Close cooperation of some core KDE hackers with the Subversion developers lead to fixes and improvements to SVN itself before the real change-over for the huge KDE repository finally happened. Now the next big change is happening: KDE is leaving the aging "autotool" build chain behind. Some developers, not only in KDE, like to nickname the autotools as "auto-hell" because of its difficult to comprehend architecture. So, KDE 4 will feature a completely different build system: CMake. In typical KDE fashion the current move to CMake was not a "decision by committee". Instead, the old rule "who codes, decides" made itself felt once again. Let's look back at the history of this change. The principal move away from autoconf, automake, configure, libtool & friends was decided at last year's annual KDE conference, akademy. KDE developers at the time discussed and evaluated several alternatives: back then, SCons (a Python-based build tool) was favored, spiced up with a KDE-wrapper called bksys to help with the actual work. SCons/bksys already worked well for a number of developers who used it in their sub-projects, and the tandem seemed to easily win the race. Up until January 2006, several people worked hard on replacing the existing autotools based build system of KDE3 with SCons/bksys for KDE4. Their first acid test was to make it compile kdelibs on various platforms. However, various hurdles showed up unexpectedly. The KDE individuals who tried to bring SCons into a shape that made it fit for building such a huge project felt they didn't have any support from the upstream SCons developers. There were major problems building KDE on non-Linux platforms with SCons (e.g. on OS X); in general they felt it did not yet have a mature configuration system. The only option down that road was to create major SCons fixes and patches on their own. Since these changes would not likely be included in the upstream sources, it would require permanent maintenance of the fixes in a separate repository. In effect, this would have amounted to a fork of SCons. KDE developers would have had to maintain the new build system entirely on their own. So the rosy SCons/bksys image paled again.... It was decided that CMake would be the build system for KDE 4. Beginning now, CMake will be the tool that is used to base all of KDE4 development. Read the Full Article, including a section on the move of the Scribus project to CMake, and the current state of KDE 4.
System Applications Mail Software sendmail 8.13.7 availableSendmail version 8.13.7 has been announced. "It fixes a potential denial of service problem caused by excessive recursion which leads to stack exhaustion when attempting delivery of a malformed MIME message. Therefore, the function mime8to7() has been modified to limit the recursion level at (the compile time constant) MAXMIMENESTING. Note: This denial of service attack only affects delivery of mail from the queue and delivery of the malformed message."
Web Site Development Midgard 1.7.6 releasedVersion 1.7.6 of the Midgard Open Source Content Management System has been announced. "Midgard's 1.7 branch is a major overhaul of the whole Content Management System. Besides the stable and mature Content Management features of first generation Midgard, it also ships a preview version of second generation Midgard capabilities, allowing developers to have a glimpse at the new day of Midgard2. 1.7.6 "Fotomodelo" provides new PAM configuration features for Midgard authentication module. It also includes minor fixes for Midgard Quota and fixes which were included in 1.7.5.1 subreleases."
Desktop Applications Desktop Environments GNOME 2.15.3 Development Release announcedDevelopment Release 2.15.3 of GNOME is out. "This is our third development release on our road towards GNOME 2.16.0, which will be released in September 2006. So go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."
GARNOME 2.15.3 is outVersion 2.15.3 of GARNOME, the bleeding edge GNOME distribution, is out. "We are pleased to announce the release of GARNOME 2.15.3 Desktop and Developer Platform. This release includes all of GNOME 2.15.3 plus a whole bunch of updates that were released after the GNOME freeze date. This is the third release in the unstable cycle, with more features, more fixes and yet more madness added."
The GNOME Journal, June Edition (GnomeDesktop)The June, 2006 edition of the GNOME Journal has been announced. "The latest issue of the GNOME Journal has just been published. It features insights into the role of end-users in the GNOME community, and an interview with Emmanuele Bassi, gnome-utils maintainer and GTK+ developer. Writers in this edition are Vincent Untz, and Lucas Rocha, respectively."
GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
KDE Software AnnouncementsThe following new KDE software has been announced this week:
KDE Commit-Digest (KDE.News)The June 18, 2006 edition of the KDE Commit-Digest has been announced. "In this week's KDE Commit-Digest: Work begins on 3d molecule visualisation features for Kalzium. More progress in the Kopete "OSCAR (AIM) File Transfer" and "KDevelop C# Parser" Summer Of Code projects. An enhanced version of the custom iconset developed during the 1.4 phase is re-enabled as the default option in Amarok. Following the brand clarifications of last week, oKular is now known as okular. Kitten is renamed Strigi. Two security issues are addressed."
Novell Contributes Polish Translation of KDE Docs (KDE.News)KDE.News covers Novell's efforts at translating KDE docs to Polish. "In the good spirit of cooperation between Novell and KDE, Novell Poland contributed a large number of translations of KDE documentation to the Polish localisation team. The contribution contained 119 translation files and over 5700 translated messages."
Desktop Publishing Contineo 2.1.0 releasedVersion 2.1.0 of Contineo, a document management system, has been announced. "This is the first major stable release since more than 1 year. This release includes many bug fixes, stability improvements, security updates and also many improvements to the user interface. The user interface is now shipped in English, German, Spanish, Italian and French."
The TeX Live CDJim Summe has informed us of the TeX Live CD. "TeX Live is an easy way to get up and running with TeX. It provides a comprehensive TeX system for most types of Unix, including GNU/Linux and MacOSX, and also Windows. It includes all major freely-available TeX-related programs, macro packages, and fonts, including support for many languages around the world. TeX Live 2005 was distributed on DVD and CD in December 2005 to members of most TeX user groups, as a principal part of the TeX Collection. The last update of packages and programs was made on 1 November 2005. For more recent versions, please consult CTAN."
Electronics gSpiceUI 0.8.55 releasedVersion 0.8.55 of gSpiceUI, a GUI for the electronic circuit simulation engines GNU-Cap and Ng-Spice, has been announced. "This is largely a maintenance release which fixes some problems I came across doing some design work. There are also some enhancements to existing functionality."
Icarus Verilog Snapshot 20060618Snapshot 20060618 of Icarus Verilog, an electronic simulation language compiler, is out. "It's been a big gap between snapshots, so there are a lot of changes. Mostly bug fixes, though, as I'm trying to get ahead of the bugs database. No special new features this time, just lots of bug fixes."
Kachina CAT Program 1.1 releasedVersion 1.1 of the Kachina CAT Program, an amateur radio control utility, is out with bug fixes and new features. "The purpose of this software is primarily to provide a Kachina control program that is compatible with the Linux operating system. When used on a Linux computer it is strongly linked to the modified gmfsk version .47 and above but can be used stand-alone."
Toped 0.8 ReleasedVersion 0.8 of Toped is out with a number of new features. "Toped is an open source cross-platform IC layout editor, based on openGL and wxWidgets. The project defines its own script - TELL, capable not only to configure the editor properties, but also to code and facilitate the layout generation. It started as a home project in late 2001 and in October 2005, project database has been exported to a public repository. The project is under active development, but already stable enough for tests."
XCircuit 3.4.26 and 3.6.35 releasedStable version 3.4.26 and development version 3.6.35 of XCircuit, an electronic schematic CAD system, have been released.
Financial Applications Release of GnuCash 1.9.8 (GnomeDesktop)Release candidate 1.9.8 of GnuCash, a financial management application, has been announced. "The GnuCash development team proudly announces GnuCash 1.9.8 aka "Grab that cash with both hands and make a stash", the first release candidate of the GnuCash Open Source Accounting Software which will eventually lead to the stable version 2.0.0. This release contains many bugfixes since the previous beta release."
Music Applications Breakage - artificially intelligent drum machineOllie Glass has announced the Breakage drum machine. "Breakage is an artificially intelligent drum machine which learns from trends in your rhythms so it can accompany your drumming. Patterns are written in a step sequencer grid and a neural network learns relationships between drums. After training, the network can accompany your drum programming in real time."
CLAM 0.91.0 announcedVersion 0.91.0 of CLAM, a cross-platform software framework for research and application development in the audio and music domain, has been announced. "This release is the first official one which incorporates the new CLAM Music Annotator featuring chord extraction. Almost 30 new spectral transformations have been incorporated into the processing repository. Some of them are already available from the NetworkEditor. Application usage has received some extra stress on this release."
VOIP Sofia-SIP 1.12.0 releasedVersion 1.12.0 of Sofia-SIP is available. "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. It can be used as a building block for SIP client software for uses such as VoIP, IM, and many other real-time and person-to-person communication services. The primary target platform for Sofia-SIP is GNU/Linux. Sofia-SIP is based on a SIP stack developed at the Nokia Research Center. Sofia-SIP is licensed under the LGPL." See the release notes for this version for change details. (Thanks to Kai Vehmanen.)
Miscellaneous File Permissions in Nautilus (GnomeDesktop)GnomeDesktop mentions the latest changes to the Nautilus file manager permissions capabilities. "Alexander Larsson recently committed his work on the permissions page in Nautilus. He writes: I just commited a rework of the permissions page in the file property dialog. It has a simplified UI (and an advanced/unixy version availible via a gconf setting) and support for recursive permission changes."
Languages and Tools C GCC 4.2 Status ReportA GCC 4.2 Status Report dated June 16, 2006 has been published. "There are presently 200 P3 or higher regressions open against 4.2. We remain in regression-only mode on the mainline."
Caml Caml Weekly NewsThe June 13-20, 2006 edition of the Caml Weekly News is out with new Caml language articles.
PostScript Leading-edge ghostscript goes GPLGhostscript has long been developed under a two-license scheme: new work would appear in a non-free release, then be placed under the GPL one year later. No longer: Ghostscript hacker Raph Levien has announced that the current development version of Ghostscript is now GPL-licensed. Note that distributors tend to ship a third branch of Ghostscript based on the (older) GPL version, so it may be a little while before the leading-edge makes it into distributions. (Thanks to Kurt Pfeifle).
Python Dr. Dobb's Python-URL!The June 20, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.
Ruby Ruby Weekly NewsThe June 18th, 2006 edition of the Ruby Weekly News looks at the latest discussions on the ruby-talk mailing list and comp.lang.ruby newsgroup.
Tcl/Tk Dr. Dobb's Tcl-URL!The June 20, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.
Page editor: Forrest Cook Linux in the news Recommended Reading UNIX Methods and Concepts: Putting the Genie Back in the Bottle (Groklaw)Groklaw presents an article by Dr. Peter H. Salus and Warren K. Toomey of the UNIX Heritage Society, which looks at the history of Unix source code sharing. "Recently, The SCO Group has asserted that IBM negligently leaked the methods and concepts in UNIX. What The SCO Group fails to realize is that, from day one, the methods and concepts in UNIX were out in the open. And, as AT&T found out when UNIX was commercialized, staunching the leakage of UNIX methods and concepts was like putting the proverbial genie back into the bottle."
Synergy: One keyboard (and mouse) to rule them all (Linux.com)Joe 'Zonker' Brockmeier looks at Synergy in a Linux.com article. "If you're one of the many users who has two (or more) computers on your desk, you might get tired of switching between the keyboard and mouse on different systems. KVMs are one solution, but if you'd like to save a few bucks and be able to switch between two or more computers with a flick of the mouse, Synergy is the software for you. Synergy allows you to use a single keyboard and mouse to control multiple computers running Linux, Mac OS X, Windows, and other operating systems. It also allows you to share clipboards between computers, so you can select text in a program on Linux, and paste it into an application in Windows. Best of all, Synergy is freely available under the GNU General Public License (GPL)."
Trade Shows and Conferences LinuxWorld gets Seoul (NewsForge)NewsForge has a report from Korea's first LinuxWorld Conference and Expo. "Local TV cameras captured the opening ribbon-cutting ceremony, with a dozen or so Korean dignitaries and personalities doing the honors. David Korse, the CEO of conference sponsor IDG World Expo, kicked off the event with a few words on how excited he was that the company could bring LinuxWorld to Korea."
Companies Startup plans "complete" Linux smartphone OS (Linux Devices)Linux Devices reports on the Linux smartphone plans of "a la Mobile". "Silicon Valley startup a la Mobile plans to ship in September the industry's first "complete" Linux-based smartphone operating system. The Convergent Linux Platform (CLP), which aims to streamline Linux phone rollouts by ODMs, OEMs, and operators, will enter a field crowded with alternatives from MontaVista, Trolltech, ACCESS/PalmSource, and Wind River, among others. Founder Pauline Lo Alker compares a la Mobile's Convergent Linux Platform to Microsoft's Windows Mobile Smartphone platform, in terms of delivering all required software components within a single integrated stack."
Stratus plus Red Hat AS 4: Lots of nines (NewsForge)NewsForge covers Stratus Technologies' latest server offerings, which will run 64-bit Red Hat Enterprise Linux. "While Hewlett-Packard's NonStop Computing division -- formerly known as Tandem Computers -- is a formidable opponent in the world of fault tolerance, Stratus is making inroads in the market with its Intel-based lineup of less expensive, but still highly reliable, servers. How highly reliable? Stratus updates a speedometer at the bottom of its home page daily with a 60-day rolling average of the uptime of its fleet of ftServers around the globe. It shows 99.9997% at present, which equates to about 95 seconds per year."
Turbolinux Accelerates Into China (Tech News World)Tech News World covers two efforts by Turbolinux to expand into the Chinese market. "Japanese Linux vendor Turbolinux last week announced a couple of big deals in China, as the company looks to take advantage of China's pro-open source government backing and the replacement of SCO-Unix servers in a Turbolinux bid for market expansion. Turbolinux said Qinzang Railway, part of China's Western Development strategy, would begin using a complete Turbolinux server system for its infrastructure and management of a luggage and parcel e-government Latest News about e-government system beginning July 1. The second deal is a Turbolinux server use by China Mobile's Wireless Music Portal..."
Linux Adoption Berlin Senate opposes complete migration to Linux (Heise online)Heise online reports on a slowdown in Berlin's plans to move to Linux. "The administration of the Berlin Senate (the governement of the German federal state Berlin) has voiced its opposition to a complete migration of the authority's computers to Linux. It thus opposes the Berlin Parliament, which called for a two-phase migration of servers and workstations to Open Sources systems. The report presented to heise online on the Parliament's position states that the Senate does not believe the migration to free software called for in the resolution "would conform to the market or be a tenable step either technologically or economically.""
Bodog gambles on Linux and JBoss, and wins (NewsForge)NewsForge reports on the switch from Solaris to Linux by bodog.com. "Bodog.com is a casino, sport-betting emporium, and online poker palace. The site gets busy; during football season it takes almost 200,000 bets per week, while the virtual poker tables can handle up to 5,000 bettors at a time. Bodog started out using WebLogic and Versant on Solaris, but ran into problems when a bug repeatedly took servers down at critical junctures. Vendors didn't offer much help, but a switch to Linux and JBoss brought Bodog some much-needed relief in the form of more reliable uptime and scaling capacity."
Legal HOWTO: Pick an open source license (part 2) (ZDNet)Here's part 2 of Ed Burnette's 'HOWTO: Pick an open source license'. "In this part I'll go through some of the most common licenses and see where they fall from this tree. I'll also try to address some of the issues that people pointed out in the comments to my last posting. The same disclaimer applies: This isn't legal advice, and I'm not a lawyer, and I'm probably over-simplifying some of the points, but I hope you find it helpful."
Interviews Novell's Desktop Advances - The Better Desktop Initiative (LinuxPlanet)LinuxPlanet talks with Ross Chevalier, Chief Technology Officer of Novell Canada, Ltd. about desktop Linux. "At LinuxWorld Canada 2006, I sat down with Ross Chevalier, Chief Technology Officer of Novell Canada, Ltd, who wanted to talk about why 2006 is finally the year of Linux on the desktop. Or, more precisely, "The Year of Adoption for an Enterprise Linux Desktop." Our discussion mostly centered how it was the many desktop advances Novell managed for the release of SuSE 10.1 that will bring this year about. Some of these are related to the Better Desktop Initiative, a project Novell started in late 2005. Others are related to various technologies Novell decided to integrate into their latest release."
Resources ASCII art fun with boxes (Linux.com)Linux.com looks at ASCII art creation with boxes. "Using boxes from the command line is a breeze. The syntax is boxes -d <designtype>; the -d switch is for telling boxes the design name. There are a lot of designs available, such as dog, columns, and peek. The examples page has a description of many designs."
The Daemon, the GNU and the Penguin, ch. 25, by Dr. Peter H. Salus (Groklaw)Groklaw presents Chapter 25 of Peter Salus' online book, "The Daemon, the GNU and the Penguin", titled "The URL on Your Cereal Box". "In Chapter 17, I limned the creation and development of the Web. In a subsequent chapter, I'll talk about the geographical spread of Linux. But first, I want to look at the spread of the Internet and the Web that depends on it. The ARPAnet became functional in 1969: at the end of that year, there were four nodes. In January 1976, there were 63 (so much for 5- or 6-bit addressing). Five years later, in August 1981, Host Table #152 listed 213 hosts. In May 1982, Host Table #166 listed 235."
Emacs tips: More fun with outlines (Linux.com)Linux.com has fun with outlines in emacs. "In an earlier article, I covered the basics of making outlines in Emacs, but there's a lot more that you can do with them. In this article I'll show how to export and print outlines, customize outline heading line colors, and use outline mode's special features in everyday documents -- such as numbered lists, traditional outlines with Roman numerals, and even book manuscripts containing chapter and section headings."
Translate Haskell into English Manually (Linux Journal)Linux Journal looks at the Haskell programming language. "Have you ever tried to learn Haskell and hit a brick wall? Have you tried to read the main tutorial, "A Gentle Introduction to Haskell", and found it to be about as gentle as a Pan Galactic Gargle Blaster? Did you have to learn about monads before you could even write your first non-trivial Haskell program? Have you noticed that unless you already know Haskell, it's even less readable than Shakespeare? Have you searched for an example of a nontrivial Haskell program only to find you can't understand it?"
How to keep users from messing up their desktops (Linux.com)Linux.com presents an excerpt from Linux Annoyances for Geeks. "While I prefer allowing every user to customize his system, some managers may want to keep users from messing up a standard configuration. There are two basic approaches to this process. First, you can disable access to the key tools. Second, you can change ownership and permissions on associated configuration files to prevent changes by regular users."
How To Set Up Xen 3.0 From Binaries In Ubuntu 6.06 LTS (Howto forge)Howto forge presents a tutorial on setting up Xen 3.0 on Ubuntu 6.06 LTS. "Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called "virtual machines" or domUs, under a host operating system (dom0). Using Xen you can separate your applications into different virtual machines that are totally independent from each other (e.g. a virtual machine for a mail server, a virtual machine for a high-traffic web site, another virtual machine that serves your customers' web sites, a virtual machine for DNS, etc.), but still use the same hardware. This saves money, and what is even more important, it's more secure."
Reviews Server Monitoring With BixData (HowtoForge)HowtoForge looks at server monitoring with BixData. "BixData is a system, application, and network monitoring tool which allows you to easily monitor nearly every aspect of your servers. It can be used for general reporting, for sending notifications when problems arise, or for automatic maintenance and repairs - by executing scripts when errors or particular conditions arise."
Book Review: The Debian System, Concepts and Techniques (Groklaw)Carla Schroder reviews the book "The Debian System, Concepts and Techniques". "The Debian GNU/Linux operating system is a marvelous piece of engineering, and Martin Krafft's new book "The Debian System, Concepts and Techniques" shows you how to get under the hood and take advantage of all the power it puts in your hands. This is the definitive Debian manual, and I wish it had been written years ago. Mr. Krafft's affection and enthusiasm for Debian is apparent, and makes this book a pleasurable read."
Flock beta rocks (NewsForge)NewsForge looks at Flock. "Flock is a "social browser" built on the Firefox code base, which integrates blogging, photo sharing with Flickr or Photobucket, "favorites" (a.k.a. bookmarks) using del.icio.us or Shadows, and other collaborative features. Last November I took a look at an early Flock release, and found it to be interesting, if a little bit rough. The Flock folks have been hard at work, and the new Flock beta release looks solid enough to be a must for users who spend a great deal of time blogging, sharing pictures, or using services like del.icio.us."
Inkscape review (Softpedia)Softpedia reviews Inkscape. "Inkscape started in 2003 as a fork of the vector drawing editor Sodipodi. Inkscape does not yet have as many features as the best commercial vector editors, but it is currently suitable for a wide range of applications. Inkscape's implementation of SVG and CSS standards is incomplete; most notably, it has not yet implemented SVG filter effects, animation, and SVG fonts. Inkscape is currently under active development, with new features being added regularly." (Found on GnomeDesktop)
What Is Jetty (O'ReillyNet)Ethan McCallum looks at Jetty in an O'Reilly article. "Jetty is an open source servlet container, which means it serves Java-based web content such as servlets and JSPs. Jetty is written in Java and its API is available as a set of JARs. Developers can instantiate a Jetty container as an object, instantly adding network and web connectivity to a stand-alone Java app."
Dock any application to the system tray (Linux.com)Linux.com reviews KDocker and Alltray. "Wouldn't it be nice if you could dock any application, and not just those that support the docking feature, into the system tray? A simple point-and-click operation is all it takes, thanks to a couple of helpful applications called KDocker and Alltray."
Ruby and .NET - how will they taste together? (Linux Journal)Pat Eyler covers the Gardens Point GP Ruby .NET beta release. "At this point, they claim that it can compile Ruby source into verifiable .Net v2.0 assembly, or it can run Ruby code directly in a compile, load and execute cycle. They do warn that their implementation is not yet complete, although it does pass everything in samples/test.rb (I wonder if they're using the Rubicon/Rubytests stuff for further testing?)."
Miscellaneous Anti-DRM campaign targets the RIAA (NewsForge)NewsForge covers the planned activities of the Defective By Design campaign. "The Defective By Design anti-Digital Rights Management (DRM) campaign is urging supporters to participate in a day of action on Friday, June 23. This time, supporters are being asked to call the Recording Industry Association of America (RIAA) and similar organizations around the world to complain about DRM. After making the call, supporters will have the chance to share the results of their call with other participants."
Page editor: Forrest Cook Announcements Non-Commercial announcements MySQL Builds Momentum in Telecom SectorMySQL AB has announced increasing use of the MySQL dbms by the telecommunications industry. "MySQL AB, the developer of the world's most popular open source database, is seeing growing momentum in the UK-Ireland telecommunications sector with Tiger Communications, XOU Solutions and Anam Mobile leading a growing number of businesses adopting MySQL® open source database solutions. MySQL's success in the UK-Ireland telecom sector is reflected elsewhere in Europe. Alcatel, Nokia, Ericsson, Telio and Nortel have all selected MySQL products for important applications in the recent past."
Sun Celebrates Successful One-Year Anniversary of OpenSolarisSun Microsystems, Inc.has announced that in the one year since the OpenSolaris community went live, it has experienced tremendous growth in the open source community and customer adoption. "Since open sourcing the Solaris(TM) Operating System (OS) in June 2005, Sun has seen the OpenSolaris community grow to more than 14,000 members while Solaris 10 has exceeded 5 million registered license shipments -- more than its competitors have shipped collectively in the last 18 months, and more than all current Solaris OS versions combined."
Commercial announcements Collax, Inc. Establishes New Worldwide HeadquartersCollax, Inc. has announced its first U.S. office in Bedford, MA. "With the opening of this office, Collax officially moves its international headquarters from Munich, Germany to the Boston area in preparation for the company's upcoming U.S. launch. Collax was founded in early 2005 by CEO Olaf Jacobi, CFO William Hite and CTO Boris Nalbach and since has received series A funding from Intel Capital, Atlas Venture Partners and Wellington Partners. Its Linux-based server solutions contain a suite of applications for security, networking and communication."
Ingres Initiates Partnership With BEAIngres Corporation has announced a partnership with BEA Systems, Inc. "... with the common goal of dramatically lowering costs and increasing flexibility by providing a proven, open source alternative for enterprise service-oriented architecture (SOA) development. As a result of the partnership, BEA Workshop Studio is designed to include support for Ingres 2006, the latest release of the enterprise open source relational database."
Jungo Releases Version 8.02 of WinDriver USB/PCIJungo Software Technologies Inc. has released version 8.02 of its driver development toolkit for multiple operating systems. "WinDriver 8.02 includes support for Windows Mobile 5.0 (added to the WinDriver for Windows CE driver package)and the latest Linux kernels 2.6.14 - 2.6.16. The WinDriver USB Device (Firmware Development Kit) now includes support for the Silicon Laboratories C8051F340 development board."
A Linux-based mobile phone consortiumHere's a press release stating that a set of cellular phone companies (Motorola, NEC, NTT DoCoMo, Panasonic, Samsung, and Vodafone) has established a group to create "the world's first global, open Linux-based software platform for mobile devices." Interestingly, there are no distributors (embedded or otherwise) in this group. Wouldn't it be nice if owners turned out to be able to change the software on this "open" platform?
Microsoft Establishes Customer Council on InteroperabilityMicrosoft Corp. has announced a new Interoperability initiative. "Microsoft Corp. today announced that it has formed the Interoperability Customer Executive Council to identify areas for interoperability improvements across its products and the overall software industry. Customers are working in increasingly heterogeneous IT environments and asking for a greater level of interoperability from their IT vendors. Microsoft is committed to building bridges across the industry to deliver products to its customers that are interoperable by design." The Linux issues addressed include supporting Linux on Microsoft Virtual Server 2005 R2, a collaboration agreement with Sugar CRM Inc. and: "dialogue about interoperability issues for Windows(R), Linux, UNIX and open-source software on its community Web site, Port 25."
Sun Adds Java DB and Swing Visual Designer to Java Development KitSun Microsystems, Inc. has sent out an announcement about the upcoming Java SE 6 release. "Sun Microsystems, Inc., the creator and leading advocate of Java(TM) technology, today announced it will be incorporating Java(TM) DB, the Sun supported distribution of the open source Apache Derby Project, as well as the Group Layout component from the NetBeans(TM) GUI Builder code-named Project Matisse into the latest version of the Java(TM) Platform Standard Edition 6 (Java SE 6) Java(TM) Development Kit (JDK). In addition, Sun announced new agreements with Founder Technology Group and Lenovo to ship the Java(TM)Runtime Environment (JRE) on their hardware."
Sun Joins the OpenAJAX Alliance and Dojo FoundationSun Microsystems, Inc. has announced its joining of the OpenAJAX Alliance and the Dojo Foundation. "Sun plans to actively participate in these two communities to help drive open standards for AJAX programming and increase interoperability across AJAX technologies. As part of the OpenAJAX Alliance, Sun will collaborate with over 30 other member companies and organizations to identify and consolidate best practices, reach a consensus on programming models around a reference implementation for tools interoperability and generate wider AJAX adoption throughout the industry."
New Books IPv6 Essentials, Second Edition - New from O'ReillyO'Reilly has published the book IPv6 Essentials, Second Edition by Silvia Hagen.
Computer Security Basics, Second Edition - O'Reilly's Latest ReleaseO'Reilly has published the book Computer Security Basics, Second Edition by Rich Lehtinen, Deborah Russell and G.T. Gangemi, Sr.
DNS and BIND, Fifth Edition - New From O'ReillyO'Reilly has published the book DNS and BIND, Fifth Edition by Cricket Liu and Paul Albitz.
Pragmatic Bookshelf releases "Rails Recipes"Pragmatic Bookshelf has published the book Rails Recipes by Chad Fowler.
Ubuntu Hacks - New From O'ReillyO'Reilly has published the book Ubuntu Hacks by Jonathan Oxer, Kyle Rankin, and Bill Childers.
Resources Linux Brochure Project version 1.4.0 releasedVersion 1.4.0 of the Linux Brochure Project has been announced. "LBP is a GPL'd Linux advocacy and publicity project which documents key Linux information in a standard-sized brochure . A Spanish translation has been added for this release. French and Italian translations are also available."
Opera 9 LaunchesThe Opera 9 browser has been announced. "You can download it free in more than 25 languages for Windows, Mac, Linux and other platforms from www.opera.com. Opera 9 enhances the way you access, share and use online content by including innovative widgets - fun, small and useful Web programs - and support for BitTorrent(TM), the popular file distribution technology. Even while adding these improvements, Opera 9 maintains the security and speed millions of Opera fans have come to expect."
Contests and Awards The Open Video Contest (Creative Commons)Creative Commons has announced a contest for the creation of short Ogg Theora format videos. "Creative Commons and the Fedora Project have teamed up to promote open video by launching a contest. Join us for a chance to win a Fedora-branded Sony Camcorder. To make it fun for everyone, the first 150 submissions will receive a pair of handsome Fedora Flip-Flops." Entries are due by July 20.
Education and Certification Pure Data Summer School 2006, LondonThe Pure Data Summer School 2006 training event will be held at the SPACE Media Arts in London, UK on July 17-28, 2006. "Pure Data is a free and open source real-time graphical programming environment used by artists to create a range of visual arts, theatre, dance, audio, installation, performance and media art works."
Calls for Presentations aKademy 2006 - Call for participationA call for participation has gone out for aKademy 2006. "aKademy is the annual meeting of the KDE community. The venue (Trinity College Dublin, Ireland) and the time (Sept 23-30) have been confirmed and solidified." Abstracts are due by June 30.
The 2006 DC PHP Conference Call for PapersA call for papers has gone out for the 2006 DC PHP Conference. The event takes place on October 18-20, 2006 in Washington, DC, submissions are due by July 7.
Upcoming Events Registration opens for OOoCon2006Registration is open for the OpenOffice.org Conference 2006 in Lyon, France. "If you want to attend to the OpenOffice.org Conferences 2006 in Lyon (France), you should register to help us organizing the conferences." The conference takes place on September 11-13, 2006.
Events: June 22 - August 17, 2006
Audio and Video programs SAMBA with Jeremy Allison, Mad Penguin's Adam Doxtater (Novell)Novell has posted a podcast with Jeremy Allison. "The legendary Jeremy Allison graces Novell Open Audio's studio to tell Erin and Ted about the SAMBA project, and why he decided to join Novell. Adam Doxtater from madpenguin.org tells us why he is one of SUSE Linux's newest converts."
Page editor: Forrest Cook
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||