The
first part of our interview
with Jim Gettys covered many aspects of the "One Laptop Per Child"
(OLPC) system. With the second and final installment, we look at a number
of other issues, including the software which will run on the system,
security issues, and more.
LWN: Time for a few questions about the mix of software you envision running on
the OLPC systems. To start with, it appears that the system will be based
on a pared-down Fedora-based distribution?
To date, Red Hat are the ones who are putting serious engineering into
OLPC and doing most of the heavy lifting on the base system, and have
assembled a first rate team, including Dave Woodhouse and Marcelo
Tosatti.
Red Hat is putting together a pared-down Fedora derivative distribution.
The community being what it is, I expect others will put other
distributions on the machine as well, given that the OLPC system is an
open platform. I'm not sure such duplication is worthwhile, but I'm
resigned to it.
I *really* urge everyone to cooperate very strongly at the level of the
software for the kids, no matter what the underlying distribution in the
long term. This project is fundamentally about kids learning and helping
the world; not about free software.
That being said, *free software enables the kids to learn computing in a
way that they cannot learn it on closed proprietary platforms*. We are
therefore very much part of the free and open source software community.
Chris' team is putting together a python based environment (into which
conventional applications can be embedded) aimed at young children,
temporarily called "sugar"; conventional GUIs are not
good for children still learning to read. I have an 8 year old son and
an 11 year old daughter, and so have seen over the last few years first
hand how unsuitable conventional desktops are for young children.
The Sugar environment, by using the Avahi library (zeroconf/mdns
technology), will show the presence of people on the network as a
fundamental aid to building collaborative applications. Collaboration is
fundamental to learning: most kids learn from their peer group, and
teachers serve as the guides.
LWN: Will the systems as shipped be 100% free software?
OLPC itself only plans to ship free software at this time.
LWN: If not, what other code do you think you might include?
Let me give a concrete example: some countries have coded some
educational content in Flash.
We are strongly recommending that future content not be created in
closed formats like Flash, which lack tools for
manipulation and present major problems for accessibility tools.
But some countries have such content today, and need to use it
immediately. And since there is so much flash content on the web, it
would not surprise me if countries arrange for Flash to be installed,
even if they do not have existing educational content in Flash. We are
encouraging everyone to use open standards based formats, and to release
useful content under appropriate free creative commons and free software
licenses.
Reality being what it is, even if we had veto power over software on the
machine (which we certainly don't), we'll see such software included on
the machine by the time it is in children's and teachers' hands; just not
distributed from OLPC, but added on afterwards.
LWN: Is it true that there will be no package manager on this system?
This is an area where we continue to have discussions. Whether it is
like conventional packaging systems or not is unclear right now. Time
will tell.
LWN: If so, will there be any provision for customizing the system
software mix, installing localization data, or updating software?
Of course. There has to be. By middle school, kids are taking different
courses and languages. Some kids have special needs, either advanced or
the opposite. One of the major advantages that an OLPC has over
conventional books is the possibility to bring much more content
appropriate for each child to that child, including children who live in
places which lack the libraries we find in U.S. and other developed
nations' schools.
LWN: A system like this clearly needs a good set of education applications - an
area where free software has not traditionally been strong. What sort of
applications are you looking at in this area, and where might any missing
pieces come from?
There is much software sold claiming to be "educational" software, which
isn't. The reality is that there aren't all that many good educational
applications on *any* platform. The pickings are pretty slim.
We believe all children learn by doing, and should be authoring content,
not only passively reading unchangeable engraved in stone content. We
are placing some major bets on wiki technology as a base for this. (Not
wiki markup though!).
I'd also like to draw your attention to a web site:
logowiki.net. Content doesn't have
to be static at all, and
content can be programs, even programs for young children. The ability
to run simulations and manipulate the starting conditions is a major
tool to learning.
And one more hardware feature is unique to our machine: you can choose
to use the audio input as a direct analog input, allowing direct
measurements to be made with very cheap sensors (e.g. photodiodes,
accelerometers, etc.).
With the likes of Seymour Papert and Alan Kay involved, I think we're in
for some fun stuff. For example I saw a demo this week of a wonderful
music application called TamTam, that Jean Piche' et al in Canada and
Ireland are building using the Csound synthesis software Barry Vercoe
originally developed.
LWN: Will the systems include a compiler, or, failing that, an interpreter for a
language like Python?
Of course.
At a minimum, we expect Logo, javascript and python to be present, and compilers
as well when needed by interested kids. Learning programming, though, is best done in
an interpreted language environment, rather than in compiled languages.
Certainly C++ should never be a child's first
computer language.
LWN: In general, is hacking one of the uses to which you
think these machines will be put?
Hacking, in the original positive sense of the word
(see
the Jargon File), we certainly
believe should be strongly encouraged in interested children: computing is a
fundamental skill in today's society. For others, computers will just be a tool;
their pen and paper.
LWN: Do you expect that the kids will have root access on their systems?
Yes: we want children to be able to learn computing, if they are interested. For the kid's
systems, we want them "easy to fix", rather than "hard to break". For the school's
servers, a shared resource, we want them to be "hard to break" *and* "easy to fix",
and are exploring technologies like those developed by Planetlab.
Being root on your own personal machine is fundamentally different than having
any access to information on the network you should not have. Project Athena
at MIT (where such technologies as Kerberos, X11 and the first network IM system,
among others, were developed) demonstrated this even 20 years ago: on those
systems having root access does not get you access to anything but the services
you had access to as an individual user. The root password on those systems has
been posted for years: it just doesn't matter, if you do your homework properly.
LWN: The plan to use LinuxBIOS is interesting. Are there reasons driving that
choice (beyond cost)?
Cost isn't a real factor in this decision. The royalty rate of a conventional BIOS
is in fact very low.
Capability:
- we'd like to be able to boot over the mesh network for (re)install
- we may need to follow Mark Foster's fast suspend/resume path,
in which case having full source may be essential to its success.
- We want interested kids to be able to see how computers really work and
learn accordingly.
Some years ago when I was working on Linux on the iPAQ, we had a 12 year old
who was hacking on our boot loader, and learning tremendously as a result. Those
outstanding kids should also have the opportunity to learn computing deeply.
LWN: Is LinuxBIOS ready for this sort of deployment?
We think so. It's already deployed commercially at pretty high scale on a number
of products. And the very fast suspend/resume we may need to implement requires complete
freedom of action at all levels of the machine.
LWN: Millions of identical systems, mostly lacking professional administration,
would seem like a magnet for malware authors. What sort of thought is
being put into preventing these systems from becoming worm carriers and
large-scale zombie networks?
I doubt they will be exactly identical (other than hardware): language is but one of
the obvious differences; children take different courses, and study different languages.
And if they need professional administration, we've failed.
Our view is that systems cannot require professional administration at a local level:
we could not deploy quickly on this scale and have sufficient expertise if this were required.
Part of the IPv6 argument is exactly to allow administration to scale and to
simplify administration.
LWN: Eugene Kaspersky, who has been predicting Linux doom for years,
is now saying that the OLPC will result in a new wave of malware
from the developing world. Do you find this outcome plausible?
Why or why not?
I don't find Mr. Kaspersky's arguments plausible, for a number of reasons.
We certainly are aware that security is a challenge: young
children are not noted for choosing and keeping secure good passwords,
and we are looking at other methods as a result.
We expect to deploy SELinux protecting the "standard"
network services on our machines to help protect against day-0 attacks, to
prevent bad guys from successfully attacking our systems and prevent such people
from using our systems as a point of attack.
And keeping our systems up to date automatically is obviously essential.
As far as malware from the developing world: malware for what? Malware is very rare
on Linux or Apple's OS X systems: both systems break out of the starting gate much
less insecure than Windows, and writing malware for either is inherently more difficult.
And if Mr. Kaspersky's worried about kids in the developing world
writing malware on the OLPC systems to attack Windows, how are the kids going to test
such Windows malware since our machines are running Linux?
Malware authors working for profit (e.g. stealing passwords and accounts) are certainly
going to be older than our kids, and will find a standard Windows system a much more
productive development environment, and internet cafés a much more anonymous place to
launch attacks than our school environments.
Lastly, both at the school servers, and the networks supporting them, we have good
places to prevent, stop, and track down any such attacks, much better than you'd find in the
anonymous world of Internet cafés where anyone can pay for anonymous usage.
And high bandwidth back-haul from schools is unlikely to be very common, limiting the
problem if it does occur. There are much better targets for zombies: e.g. systems all over
the developed world where each machine has a high bandwidth broadband connection, rather than
a kid's machine on a large shared mesh network back connected through a similar single
connection. Per compromised machine, there may be a difference of a hundred to one of
useful bandwidth.
Seems to me that Mr. Kaspersky knows not what he writes of, and is trying to gain
eyeballs on his stories by sensationalism.
LWN: Given the state of the art, the chances of a security vulnerability turning
up in the shipped OLPC systems must be near 100%. What happens then? How
will OLPC users obtain and install security fixes?
Our challenge is not just the kid's machines and operating system, but also deployment
of server machines in all the schools, to cache and distribute software and educational content to all of them.
We expect the kids' machines to be updated from school servers, and possibly from other
kids' systems.
The closest management tools to what we need appears to be many of the technologies
developed by PlanetLab: the commercial distributed content systems are unlikely to work,
presuming as they do that systems are in data centers and always/usually available over high speed networks.
At our scale, (and with the highly variable Internet connections we expect),
a presumption of constant connectivity seems untenable. We'll know more as we
look into this aspect of the project more fully over the next few months.
LWN: Some commenters on LWN have expressed concerns that many of these systems
may be stolen from the children and used for (or sold to fund) rather less
wholesome ends. Is this an issue which the OLPC team has thought about?
Yes, we've thought about it quite a bit.
LWN: How could this risk be minimized?
First, we intend that the systems be instantly recognizable as kid's systems, not only so
that kids like them and value them more and take care of them carefully, but also so that
adults with machines in their possession may be asked questions about whether they
should have the machine. And these systems are physically sized for smaller children,
our primary "customers"; while adults can use them, it is less desirable than a bigger
machine might be.
Second, public education about these distinctive systems is a topic we've discussed with
deployment countries as a deterrent.
Third, by saturating each area during deployment, rather than distributing machines piecemeal,
we can expect much better mesh networking performance, but also less child-from-child theft.
Fourth, there will be a commercial version of the machine (that will look quite different)
at some point in the project, to reduce the pressure for these unique systems.
As I explained before, there are quite a few ways in which these machines are unique, so we'd
like there to be fewer reasons for theft, by enabling a commercial version. These
commercial machines may also help cross subsidize the children's machine, for
as long as the market might bear such a price differential.
Fifth, by its nature, there is a network MAC address in each machine that can aid its
tracing, in the case of theft, once a system is recovered. We are, however, very concerned
about the child's privacy and safety, and so don't want the systems to go around
broadcasting the hardware MAC address in the normal case.
And we're exploring some other possible identity systems as well that may help in this
area.
A huge "thank you" is due to Jim, who clearly took a great deal of time to
respond to LWN's questions in such detail.
Comments (24 posted)
Red Hat has long been a likely target of legal attacks; the company has a
high profile, customers who can be threatened, and a bank balance which is
worth the trouble of coveting. So it is not entirely surprising that a
small company called FireStar chose Red Hat as the target for a software
patent suit. It is unlikely to be the last.
The patent in question is US
patent 6,101,502, which is said to be infringed by the "Hibernate"
product acquired with JBoss. This patent, filed in 1998, asserts the
following claim:
A method for interfacing an object oriented software application
with a relational database, comprising the steps of:
- selecting an object model;
- generating a map of at least some relationships between schema
in the database and the selected object model;
- employing the map to create at least one interface object
associated with an object corresponding to a class associated with
the object oriented software application; and
- utilizing a runtime engine which invokes said at least one
interface object with the object oriented application to access
data from the relational database.
In other words, this is a patent on an object-oriented wrapper for data in
a relational database management system. To say that this idea is obvious
is to understate the case. The first thing any object-oriented programmer
does is to create classes to encapsulate the data to be manipulated; of
course such a programmer would create a series of objects to represent
relations in an RDBMS. One would expect that it would be possible to
examine a large number of object-oriented programs which work with RDBMS
systems and not find a single one which lacks this sort of
impedance-matching layer. So the world did not need to wait until 1998 for
the authors of this patent to come up with this idea.
Thus, if Red Hat puts up a suitable level of resistance, it should be able to
get this patent invalidated. But there is little comfort to be found
there. There are thousands of these patents in circulation and no shortage
of trolls willing to exploit them to line their own pockets. One such case
can be beaten down; but there will be more than one. Perhaps many more.
Software patents have long been seen as a serious threat to free software;
now we are beginning to see this threat come to life.
[As an aside, there have been some allegations that at least one Red Hat
employee engaged in pro-patent lobbying in Europe last year, and that, as a
result, this suit represents a sort of poetic justice. See this week's Letters Page for a
discussion of both sides of this issue. The statement from FFII found
there would appear to establish that Red Hat's position on software patents
has been clear and consistent.]
Comments (2 posted)
Your editor misses the Good Old Days, when outlandish SCO court filings
were a daily occurrence, Darl McBride's fulminations were daily press
fodder, and the occasional corporate teleconference could be counted upon
to keep blood pressures high in the community. One could almost get
nostalgic about plowing through yet another blurry PDF file filled with
bizarre legalese. The world feels a little lonely now that Chris Sontag no
longer shows his face in public.
Actually, the above paragraph is a bunch of hot air; LWN is more fun
without the SCO Group on the front page. But a certain morbid interest
suggests that the SCO end game should occasionally be chronicled as
important milestones unfold. One of those milestones was passed on
June 28, when Judge Wells issued an
order in SCO v. IBM. For those of us who have been patiently (or,
perhaps, not so patiently) waiting for SCO to feel the consequences of its
lack of discretion in public and its lack of any actual evidence of
wrongdoing, the time has finally come.
The SCO Group, remember, has been under court order for some time to
disclose "with specificity" exactly what it thinks IBM did wrong. SCO's
final answer took the form of 294 "specifics," described in a sealed
filing. IBM responded with a motion saying that most of SCO's claims
lacked the required level of specificity and should simply be thrown out,
regardless of whether they might have any merit or not. Judge Wells's
order was the court's response to this motion.
After reviewing (at length) SCO's history in the case, Judge Wells
concluded that SCO's claims were, indeed, not specific enough. Not enough
for the court, but also not up to the level that SCO expected from IBM.
Thus:
Given SCO's track record in this case, the court is certain that if
IBM had simply provided line information without version and file
information for "methods," SCO would have filed motions to compel
complaining about IBM's lack of specificity. The court cannot find
any reason why SCO should not be held to the same level of
accountability that SCO held IBM to. Thus, SCO should have supplied
not only line but version and file information for whatever claims
form the basis of SCO's case against IBM.
Failure to meet the specificity requirement is not enough to throw the
claims out, however; a couple of other criteria must be met. One is that
the failure was willful - that SCO deliberately failed to disclose that
information. According to Judge Wells, that is, indeed, the case:
There is no evidence before the court to indicate that SCO lacked
the ability to comply with the court's orders. In fact, given SCO's
own public statements outlined in part
supra, it would
appear that SCO had more than enough evidence to comply with the
court's orders....
Based on the foregoing, the court finds that SCO has had ample
opportunity to articulate, identify and substantiate its claims
against SCO. The court further finds that such failure was
intentional and therefore willful based on SCO's disregard of the
court's orders and failure to seek clarification. In the view
of the court it is almost like SCO sought to hide its case until
the ninth inning in hopes of gaining an unfair advantage despite
being repeatedly told to put "all evidence . . . on the table."
One might well argue that this is a charitable view of SCO's behavior. But
it makes one thing clear: the court has noticed the discrepancy between
SCO's public bluster and the evidence it has actually put forward in the
trial.
Finally, IBM had to show that it was being hurt by SCO's failure. The
court had no trouble buying IBM's argument that it would be hard put to
defend a case where it is unaware of what it has done wrong. The troubles
go beyond that, though:
Without more specificity than SCO has provided some very important
questions that could materially impact this case are nearly
impossible to answer. For example, is the code that comprised the
method or concept still in use in Linux? If not, then damages may
become nominal instead of in the billions. Or, it may be possible
that the code comprising a method or concept was already disclosed
pursuant to some other license such as the BSD License.... Without
the code, however, there is no way to ascertain exactly what the
impact is of prior disclosures that may involve the code at issue
in the instant case.
The end result is that IBM won big: 182 of SCO's claims have been summarily
tossed out - just ten short of what IBM had asked for. On the order of 100
claims remain. This ruling is clearly a major blow to SCO's case, but just
how major is hard to say: since SCO's claims remain under seal, we cannot
know which ones have survived. But it is clearly a much shorter list, with
much of the "methods and concepts" vapor removed. And, just as
importantly, the court appears to have concluded that SCO has been given
plenty of rope at this point; with luck, this whole episode might just
reach a conclusion sometime soon.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
July 5, 2006
This article was contributed by John Richard Moser
Prelink is a
popular tool used to decrease program load time, shortening system boot
time and making applications start faster. Developed by Jakub Jelinek at
Red Hat, prelink relocates libraries on disk ahead of time to save dynamic
linking work at program start.
When the dynamic linker loads a dynamically linked ELF binary, it has to
load and link all of the libraries before jumping to the program's
entry point (_start, which eventually calls main()). This process involves
relocating libraries: changing every address the library refers to so that
it reflects where the library actually landed in the process's virtual
address space. Relocating a library means iterating through its relocation
entries and patching each referenced address with the real one, as
determined by the library's load address. Most relocations are applied to
data, in particular the global offset table slots through which the PLT
jumps and pointers in the data sections; in rare cases there are also
.text relocations, which require fixed-position executable code itself to
be patched in a slower process that also prevents those pages from being
shared between processes. Either way, relocation slows down an
application's launch.
In order to speed up the process, prelink relocates the libraries ahead of
time. It scans every executable to be prelinked, builds a graph of which
libraries will be loaded together, and then chooses a load address for
each library such that no two libraries that can end up in the same
process overlap. These addresses are then stored in the shared object
files themselves, and the symbol tables and segment addresses are all
adjusted to reflect the chosen base address.
Once prelink has done its job, the dynamic linker no longer has to concern
itself with relocation. Libraries are loaded at the address specified in
the library header and the symbol table is already correct. If anything
forces the library to be loaded at a different address, then the library is
relocated appropriately as usual; otherwise we can say goodbye to the
load-time overhead of relocating libraries.
Kernel facilities supplying address space layout randomization for
libraries cannot be used in conjunction with prelink; to do so would
require relocating the libraries, defeating the purpose of prelinking.
Address space randomization is a core feature of secure systems such as
OpenBSD, Adamantix, Hardened Gentoo, Fedora Core, and Red Hat Enterprise
Linux. It has appeared as part of PaX as well as part of Ingo Molnar's
Exec Shield, and has been accepted into the mainline kernel as
of 2.6.12 after submission by Arjan van de Ven.
The simple purpose of address space randomization is to make it more
difficult to perform certain classes of attacks by changing where
in memory important segments for the attack are loaded. If an attacker
wants to execute injected shell code or manipulate the program to execute
out of order, he obviously has to know where that code is. By shuffling
memory segments around, these attacks become quite difficult; the chances of
successful attack are mathematically described in the PaX documentation
and Wikipedia.
In an attempt to restore some of the benefits of address space
randomization, prelink is capable of randomly selecting
the addresses used for prelinking (its -R option). This makes it more
difficult to perform certain attacks on a system, because the addresses
used are unique to that system. This approach is, however, less effective
than per-process randomization because the addresses stay constant, across
every process on the system, until prelink is run again.
There is another implication that has to be examined with prelink. To
understand this implication, let us first review a feature of prelink by
examining the load address of the C standard library in two processes: a
user-owned 'cat' and a root-owned 'bash'. The C standard library is
interesting because, in practice, virtually all return-to-libc
attacks utilize it exclusively.
user@icebox:~$ cat /proc/self/maps | grep libc | grep r-xp
4df2e000-4e053000 r-xp 00000000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
user@icebox:~$ sudo -s
root@icebox:/home/user# cat /proc/$$/maps | grep libc | grep r-xp
4df2e000-4e053000 r-xp 00000000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
Closely examining these quickly verifies that the address of glibc's
executable code is the same between these two processes; this is consistent
with the behavior of prelink. Because the library itself is relocated
ahead of time, there is a preference for the dynamic linker to load it at
that address. Examination of libc itself yields the below.
user@icebox:~$ readelf -S /lib/tls/i686/cmov/libc-2.3.6.so | head -n 6
There are 64 section headers, starting at offset 0x12d114:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .note.ABI-tag NOTE 4df2e154 000154 000020 00 A 0 0 4
Computing 0x4df2e154 - 0x154, the address and file offset taken from any
allocated section (the first PT_LOAD program header gives the same answer
directly), yields 0x4df2e000, the base address of libc. This makes
sense; prelink rewrites the section, segment and symbol addresses for the
library based on a specific load address, and the dynamic linker loads the
library at that address to avoid relocating it. Further, any program that
links with libc has to be able to read libc, and can thus derive the
same information.
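To make that derivation concrete, here is an added example (not code from the article, nor from prelink itself) that reads the load address out of an ELF file's first PT_LOAD program header, the number ld.so actually honours, and compares it with what /proc/PID/maps reports for running processes. The maps excerpts are constructed for the example around the two libc lines shown above; the ELF image is a synthetic, headers-only 32-bit shared object produced by build_sample_elf32; and the function names are the example's own. The parser also accepts ELFCLASS64 files, which goes beyond the i386 case the article shows.

```python
"""Read a prelinked library's chosen load address out of the ELF file and
check it against what /proc/PID/maps reports for running processes."""
import struct

PT_LOAD = 1

# /proc/PID/maps excerpts, constructed for this example: the libc lines are
# the ones shown in the article, the executable lines are plausible filler.
USER_CAT_MAPS = """\
08048000-0804c000 r-xp 00000000 08:07 32770 /bin/cat
0804c000-0804d000 rw-p 00004000 08:07 32770 /bin/cat
4df2e000-4e053000 r-xp 00000000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
4e054000-4e058000 rw-p 00125000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
"""
ROOT_BASH_MAPS = """\
08048000-080b5000 r-xp 00000000 08:07 32771 /bin/bash
4df2e000-4e053000 r-xp 00000000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
4e054000-4e058000 rw-p 00125000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
"""
# Constructed: what a non-prelinked libc looks like under per-process ASLR.
ASLR_CAT_MAPS = """\
08048000-0804c000 r-xp 00000000 08:07 32770 /bin/cat
b7d12000-b7e37000 r-xp 00000000 08:07 81197 /lib/tls/i686/cmov/libc-2.3.6.so
"""


def elf_load_base(data: bytes) -> int:
    """Address that the first PT_LOAD segment expects for file offset 0.

    A shared object that has not been prelinked is linked at 0 and is given
    an address only when loaded; a prelinked one carries the address prelink
    chose, which ld.so honours unless something forces a relocation.
    Both ELFCLASS32 (the article's i386 system) and ELFCLASS64 are handled.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt, off_ix, vaddr_ix = end + "IIIIIIII", 1, 2
    elif ei_class == 2:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt, off_ix, vaddr_ix = end + "IIQQQQQQ", 2, 3
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_LOAD:
            return ph[vaddr_ix] - ph[off_ix]
    raise ValueError("no PT_LOAD segment")


def mapped_base(maps_text: str, library: str) -> int:
    """Load base of `library` in one process, from its /proc/PID/maps text:
    start of the executable mapping minus the file offset mapped there."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[5].endswith("/" + library):
            continue
        if not fields[1].startswith("r-x"):
            continue
        start = int(fields[0].split("-")[0], 16)
        return start - int(fields[2], 16)
    raise LookupError(library + " has no executable mapping")


def prelink_leak(elf_image: bytes, maps: dict, library: str) -> dict:
    """For each named process, True if the library sits exactly where the
    file says it will. A non-zero file address that every process honours
    is the leak the article describes: reading the file tells an
    unprivileged user where libc is inside a root-owned process."""
    expected = elf_load_base(elf_image)
    return {name: expected != 0 and mapped_base(text, library) == expected
            for name, text in maps.items()}


def build_sample_elf32(load_addr: int) -> bytes:
    """Construct a minimal 32-bit ET_DYN image (headers only, no code) whose
    first PT_LOAD carries `load_addr`, as prelink would have rewritten libc.
    Assumed layout: one text and one data segment, sized after the article."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, load_addr + 0x15000,
                                 52, 0, 0, 52, 32, 2, 40, 0, 0)
    text = struct.pack("<IIIIIIII", PT_LOAD, 0, load_addr, load_addr,
                       0x125000, 0x125000, 5, 0x1000)
    data = struct.pack("<IIIIIIII", PT_LOAD, 0x125000, load_addr + 0x126000,
                       load_addr + 0x126000, 0x4000, 0x8000, 6, 0x1000)
    return ehdr + text + data


SAMPLE_PRELINKED_LIBC = build_sample_elf32(0x4df2e000)

if __name__ == "__main__":
    lib = "libc-2.3.6.so"
    print("file says base 0x%08x" % elf_load_base(SAMPLE_PRELINKED_LIBC))
    print(prelink_leak(SAMPLE_PRELINKED_LIBC,
                       {"user cat": USER_CAT_MAPS, "root bash": ROOT_BASH_MAPS}, lib))
    print(prelink_leak(build_sample_elf32(0), {"user cat": ASLR_CAT_MAPS}, lib))
```

On a real system the same functions can be pointed at the actual files: elf_load_base on the bytes of /lib/libc.so.6 (a non-zero answer means the file has been prelinked) and mapped_base on the text of /proc/PID/maps for any process you can read; agreement between the two, as with the cat and bash processes above, is exactly the condition under which the library's load address is no secret.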
All of this means that any program on the system using any prelinked
library will be able to leak information about higher privileged tasks
using the same library. This allows any attacker able to gain any form of
local access—or more directly any ability to read libc—to gain
information about the address space layout of higher privileged processes,
including the load address of libc. As we know, this information is
extremely valuable to an attacker wanting to exploit a privileged process
without brute forcing library load addresses.
This vulnerability only applies to attackers with local access; but this is
not an unreasonable requirement. Many web hosting companies give local
shell access or allow PHP; either of these can be used to remotely fetch a
copy of libc. Due to the nature of the dynamic linker and sane security
design, the dynamic linker runs with exactly the privileges of the process
it is starting, and that process must be able to read every library it
links against; therefore, even the most stringent mandatory access policies
on systems such as SELinux, grsecurity, or AppArmor cannot prevent this
attack without breaking the programs they confine.
Besides avoiding prelinking, there is one other way to prevent this information
leak from being exploited. All processes linked to a prelinked library
need access to the library file and load that library at the same address;
the point of exposure is the use of the same copy of the library. In order
to prevent information leaking, then, you must have a separate copy of each
library common between any two programs you don't want to leak information
about each other. This can be done with Xen, chroot jails, UML, or simply
isolated machines, as long as the directory hierarchies are individually
prelinked with prelink's randomization. Each system will have a different
set of addresses from every other system in this scheme. This of course
requires more hardware, more disk space, more management, more memory (the
separate copies can no longer share pages), and more work.
The direct implications of this information leak depend on your exact
security concerns. A web hosting company, for example, may not want to run
prelink on its servers, given the risk of effectively losing
the benefit of address space randomization. A home desktop, on the other
hand, may only have to worry about a trojan using the information leak to
stage an attack on a system service such as cups or dbus—and should
probably worry about /proc/PID/maps first. While these are both
essentially the concern of an attacker with local access, the likelihood of
attack and the value of potential damages are different.
The prelink tool gives a useful decrease in program load time, and can help
users reach their desktop and the programs they need to run more quickly.
It does however have some unfortunate repercussions that must be examined,
especially in security-sensitive environments relying on address space
randomization.
Comments (16 posted)
New vulnerabilities
acroread: unspecified security problems
Package(s): acroread
CVE #(s): CVE-2006-3093
Created: July 4, 2006
Updated: July 5, 2006
Description: Various unspecified security problems have been fixed in Acrobat Reader
version 7.0.8. Adobe does not provide detailed information about the
nature of the security problems, so it is necessary to assume that
remote code execution is possible.
Alerts:
Comments (1 posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-2934
Created: July 5, 2006
Updated: July 7, 2006
Description: The netfilter SCTP connection tracking code can crash when faced with a
"packet without chunks." This vulnerability was fixed in the 2.6.17.3 kernel release.
Alerts:
Comments (none posted)
kiax: arbitrary code execution
Package(s): kiax
CVE #(s): CVE-2006-2923
Created: June 30, 2006
Updated: July 5, 2006
Description: The iax_net_read function in the iaxclient library fails to properly
handle IAX2 packets with truncated full frames or mini-frames. These
frames are detected in a length check but processed anyway, leading to
buffer overflows.
Alerts:
Comments (none posted)
openoffice.org: several vulnerabilities
Package(s): openoffice.org
CVE #(s): CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
Created: June 30, 2006
Updated: January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Comments (none posted)
opera: integer overflow and SSL spoof
Package(s): opera
CVE #(s): CVE-2006-3198, CVE-2006-3331
Created: July 3, 2006
Updated: July 5, 2006
Description:
Opera before version 9.0 has an integer overflow vulnerability due to the
improper handling of JPEG files. Also, Opera did not reset the SSL security
bar after displaying a download dialog from an SSL-enabled website, which
could allow remote attackers to spoof a trusted SSL certificate from an
untrusted website and facilitate phishing attacks.
Alerts:
Comments (none posted)
tikiwiki: multiple vulnerabilities
Package(s): tikiwiki
CVE #(s): CVE-2006-3048, CVE-2006-3047
Created: June 29, 2006
Updated: July 5, 2006
Description:
The Tikiwiki content management system has SQL injection and cross-site
scripting vulnerabilities due to insufficient input sanitization.
An attacker may be able to execute arbitrary SQL statements
or inject arbitrary scripts into the user's browser.
Alerts:
Comments (none posted)
Updated vulnerabilities
asterisk: buffer overflow
Package(s): asterisk
CVE #(s): CVE-2006-2898
Created: June 15, 2006
Updated: July 27, 2006
Description:
The Asterisk PBX application has a buffer overflow vulnerability in the
IAX2 channel driver that can be used for the remote execution of
arbitrary code.
Alerts:
Comments (none posted)
binutils: buffer overflow
Package(s): binutils
CVE #(s): CVE-2006-2362
Created: May 27, 2006
Updated: August 29, 2006
Description:
GNU Binutils has a buffer overflow vulnerability in libbfd.
Maliciously crafted Tektronix Hex Format files with improper length
characters can cause a crash and possibly lead to the execution of
arbitrary code.
Alerts:
Comments (none posted)
busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description:
The BusyBox 1.1.1 passwd command does not use a proper salt when hashing
passwords, so a brute-force attack on the resulting password hashes could
take very little time.
Alerts:
Comments (2 posted)
bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description:
A race condition in bzip2 1.0.2 and earlier allows local users to modify
the permissions of arbitrary files: bzip2 sets the permissions of the
output file only after decompression is complete, so an attacker who
replaces that file with a hard link while it is being decompressed gets
those permissions applied to the linked file. Also, specially crafted
bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
Comments (2 posted)
ktools: buffer overflow
Package(s): centericq
CVE #(s): CVE-2005-3863
Created: December 7, 2005
Updated: August 29, 2006
Description:
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez
"Siegfried" from the Zone-H Research Team discovered a buffer overflow in
kkstrtext.h of the ktools library, which is included in (at least)
centericq and motor.
Alerts:
Comments (none posted)
courier: denial of service
Package(s): courier
CVE #(s): CVE-2006-2659
Created: June 9, 2006
Updated: August 4, 2006
Description:
A denial of service vulnerability has been found in the function for
encoding email addresses. Addresses containing a '=' before the '@'
character caused Courier to hang in an endless loop, rendering the
service unusable.
Alerts:
Comments (none posted)
cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: March 17, 2010
Description:
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
Alerts:
Comments (none posted)
vixie-cron: privilege escalation
Package(s): cron
CVE #(s): CVE-2006-2607
Created: May 31, 2006
Updated: June 1, 2009
Description:
The Vixie cron daemon does not check the return code from setuid(); if
that call can be made to fail, a local attacker may be able to execute
commands as root.
Alerts:
Comments (1 posted)
cscope: buffer overflows
Package(s): cscope
CVE #(s): CVE-2004-2541
Created: May 22, 2006
Updated: June 19, 2009
Description:
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Alerts:
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description:
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to
the Cyrus-SASL server, resulting in a denial of service even if the
attacker is not able to authenticate.
Alerts:
Comments (none posted)
EnergyMech: denial of service
Package(s): emech
CVE #(s): (none)
Created: June 27, 2006
Updated: June 28, 2006
Description:
EnergyMech fails to handle empty CTCP NOTICEs correctly and crashes with
a segmentation fault. By sending an empty CTCP NOTICE, a remote attacker
could exploit this vulnerability to cause a denial of service.
Alerts:
Comments (none posted)
freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467
Created: June 8, 2006
Updated: June 1, 2010
Description:
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
Alerts:
Comments (none posted)
gdb: multiple vulnerabilities
Package(s): gdb
CVE #(s): CAN-2005-1704, CAN-2005-1705
Created: May 20, 2005
Updated: August 11, 2006
Description:
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
Alerts:
Comments (5 posted)
gdm: improper file permissions
Package(s): gdm
CVE #(s): CVE-2006-1057
Created: April 19, 2006
Updated: May 2, 2007
Description:
The .ICEauthority file may be created with the wrong ownership and
permissions; gdm 2.14.2 fixes the problem.
Alerts:
Comments (none posted)
gedit: format string vulnerability
Package(s): gedit
CVE #(s): CAN-2005-1686
Created: June 9, 2005
Updated: February 5, 2009
Description:
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Alerts:
Comments (1 posted)
gnupg: remote denial of service
Package(s): gnupg
CVE #(s): CVE-2006-3082
Created: June 21, 2006
Updated: July 28, 2006
Description:
A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that
could allow a remote attacker to cause gpg to crash and possibly overwrite
memory via a message packet with a large length.
Alerts:
Comments (1 posted)
grip: buffer overflow
Package(s): grip
CVE #(s): CAN-2005-0706
Created: March 10, 2005
Updated: November 19, 2008
Description:
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches.
Alerts:
Comments (none posted)
gzip: arbitrary command execution
Package(s): gzip
CVE #(s): CAN-2005-0758
Created: August 1, 2005
Updated: January 10, 2007
Description:
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Alerts:
Comments (2 posted)
Hashcash: possible heap overflow
Package(s): hashcash
CVE #(s): CVE-2006-3251
Created: June 27, 2006
Updated: July 21, 2006
Description:
Andreas Seltenreich has reported a possible heap overflow in the
array_push() function in hashcash.c, as a result of an incorrect amount
of allocated memory for the "ARRAY" structure.
Alerts:
Comments (none posted)
horde: missing input sanitizing
Package(s): horde
CVE #(s): CVE-2006-2195
Created: June 15, 2006
Updated: June 29, 2006
Description:
The Horde3 web application framework does not perform sufficient
input sanitizing, allowing the possible injection of web
script code through a cross-site scripting attack.
Alerts:
Comments (none posted)
ImageMagick: heap overflow vulnerability
Package(s): ImageMagick
CVE #(s): CVE-2006-2440
Created: May 25, 2006
Updated: September 5, 2006
Description:
The ImageMagick DisplayImageCommand has a heap overflow vulnerability.
If a maliciously crafted, unexpanded glob pattern is passed to
ImageMagick, a heap overflow can result.
Alerts:
Comments (none posted)
kdebase: local root vulnerability
Package(s): kdebase
CVE #(s): CAN-2005-2494
Created: September 7, 2005
Updated: August 11, 2006
Description:
The kdebase package (and kcheckpass in particular) found in KDE versions
3.2.0 through 3.4.2 suffers from a lock file handling error which can
enable a local attacker to obtain root access. See this advisory for
details.
Alerts:
Comments (none posted)
kdebase: privilege escalation
Package(s): kdebase
CVE #(s): CVE-2006-2449
Created: June 15, 2006
Updated: August 28, 2006
Description:
The KDE Display Manager (KDM) is vulnerable to a local symlink attack.
A local user can use this to read arbitrary files that they do not
have permission to access. See this KDE advisory for more information.
Alerts:
Comments (none posted)
kdelibs: kate backup file permission leak
Package(s): kdelibs kate kwrite
CVE #(s): CAN-2005-1920
Created: July 19, 2005
Updated: September 21, 2010
Description:
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates
a file backup before saving a modified file. These backup files are created
with default permissions, even if the original file had more strict
permissions set. See this advisory for more information.
Alerts:
Comments (1 posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-2271, CVE-2006-2272, CVE-2006-2274, CVE-2006-2275, CVE-2006-1864
Created: May 12, 2006
Updated: July 13, 2006
Description:
Multiple vulnerabilities in the Linux kernel have been found.
- An error in the Stream Control Transmission Protocol (SCTP) code, which
uses incorrect state table entries when certain ECNE chunks are received in
the CLOSED state, could be exploited by attackers to cause a kernel panic
via a specially crafted packet.
- An error exists when handling incoming IP-fragmented SCTP control
chunks, which could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (infinite recursion and crash) via a packet that contains two or
more DATA fragments, which causes an skb pointer to refer back to itself
when the full message is reassembled, leading to infinite recursion in the
sctp_skb_pull function.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (deadlock) via a large number of small messages to a receiver
application that cannot process the messages quickly enough, which leads to
"spillover of the receive buffer."
- A vulnerability has been identified due to an input validation error
when processing arguments containing backslash ("\") characters passed to
certain commands (e.g. "cd"), which could be exploited by authenticated
attackers to escape chroot restrictions for a CIFS or SMBFS mounted
filesystem.
Alerts:
Comments (none posted)
kernel: netfilter memory corruption
Package(s): kernel
CVE #(s): CVE-2006-2444
Created: May 25, 2006
Updated: July 5, 2006
Description:
The 2.6.12 kernel has a memory corruption vulnerability that can be
triggered remotely when the ip_nat_snmp_basic module is loaded and traffic
on port 161 or 162 is being network-address-translated.
Alerts:
Comments (none posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-2445, CVE-2006-2448, CVE-2006-3085
Created: June 23, 2006
Updated: August 11, 2006
Description:
There is a race condition in "posix-cpu-timers.c" that does not prevent
another CPU from attaching the timer to an exiting process. This could be
exploited by attackers to cause a denial of service.
A flaw due to errors in "powerpc/kernel/signal_32.c" could allow userspace
to provoke a machine check on 32-bit kernels.
An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers
to exhaust all available memory resources, creating a denial of service
condition.
Alerts:
Comments (none posted)
kernel: information disclosure
Package(s): kernel
CVE #(s): CVE-2006-1343
Created: May 31, 2006
Updated: July 20, 2006
Description:
The 2.6 kernel netfilter code contains an information leak; this
vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
Comments (none posted)
libgadu: memory alignment bug
Package(s): libgadu
CVE #(s): CAN-2005-2370
Created: July 29, 2005
Updated: June 25, 2007
Description:
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu-Gadu instant messaging client),
which is also included in gaim, a multi-protocol instant messaging client.
This cannot be exploited on the x86 architecture, but on others, e.g.
SPARC, it leads to a bus error, in other words a denial of service.
Alerts:
Comments (none posted)
libgd2: denial of service
Package(s): libgd2
CVE #(s): CVE-2006-2906
Created: June 14, 2006
Updated: January 16, 2007
Description:
Certain GIF images can cause libgd2 to go into an infinite loop, adversely
affecting the performance of image processing applications.
Alerts:
Comments (none posted)
libmms: buffer overflows
Package(s): libmms
CVE #(s): CVE-2006-2200
Created: July 6, 2006
Updated: December 25, 2006
Description:
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program.
Alerts:
Comments (none posted)
libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description:
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Alerts:
Comments (none posted)
libpng: heap based buffer overflow
Package(s): libpng
CVE #(s): CVE-2006-0481
Created: February 13, 2006
Updated: December 15, 2008
Description:
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
Alerts:
Comments (1 posted)
libtiff: buffer overflow
Package(s): libtiff
CVE #(s): CVE-2006-2193
Created: June 15, 2006
Updated: September 1, 2008
Description:
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Alerts:
Comments (none posted)
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description:
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Alerts:
Comments (none posted)
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: August 19, 2009
Description:
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Alerts:
Comments (none posted)
lynx: arbitrary command execution
Package(s): lynx
CVE #(s): CVE-2005-2929
Created: November 14, 2005
Updated: September 14, 2009
Description:
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Alerts:
Comments (none posted)
mozilla products have multiple vulnerabilities
Comments (none posted)
mpg123: buffer overflows
Package(s): mpg123
CVE #(s): CVE-2006-1655
Created: May 24, 2006
Updated: July 3, 2006
Description:
mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a
number of buffer overflow vulnerabilities.
Alerts:
Comments (none posted)
mutt: IMAP namespace buffer overflow
Package(s): mutt
CVE #(s): CVE-2006-3242
Created: June 28, 2006
Updated: October 24, 2006
Description:
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If a user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia
advisory for more information.
Alerts:
Comments (none posted)
mysql: denial of service
Package(s): mysql
CVE #(s): CVE-2006-3081
Created: June 23, 2006
Updated: July 18, 2006
Description:
Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before
5.1.6 allows remote authorized users to cause a denial of service (crash)
via a NULL second argument to the str_to_date function.
Alerts:
Comments (none posted)
MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description:
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Comments (2 posted)
nbd: arbitrary code execution
Package(s): nbd
CVE #(s): CVE-2005-3534
Created: January 6, 2006
Updated: March 7, 2011
Description:
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
Alerts:
Comments (none posted)
ntp: uses wrong gid
Package(s): ntp
CVE #(s): CAN-2005-2496
Created: August 26, 2005
Updated: August 11, 2006
Description:
When xntpd is started with the -u option and the group is given by name
rather than by numeric gid, the daemon uses the gid of the user instead of
that of the group. This problem is fixed by this update.
Alerts:
Comments (none posted)
openmotif: buffer overflows
Package(s): openmotif
CVE #(s): CVE-2005-3964
Created: December 29, 2005
Updated: July 27, 2006
Description:
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
Alerts:
Comments (none posted)
OpenSSH: double shell expansion
Package(s): openssh
CVE #(s): CVE-2006-0225
Created: January 23, 2006
Updated: July 20, 2006
Description:
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp.
Alerts:
Comments (none posted)
shadow: privilege escalation
Package(s): passwd shadow
CVE #(s): (none)
Created: July 6, 2006
Updated: July 12, 2006
Description:
Ilja van Sprundel discovered that passwd, when called with the -f, -g,
or -s option, did not check the result of the setuid() call. On
systems that configure PAM limits for the maximum number of user
processes, a local attacker could exploit this to execute chfn,
gpasswd, or chsh with root privileges.
Alerts:
Comments (none posted)
perl: setuid vulnerabilities
Package(s): perl
CVE #(s): CAN-2005-0155, CAN-2005-0156
Created: February 2, 2005
Updated: August 11, 2006
Description:
There are two vulnerabilities with perl when it is used in a setuid mode.
The PERLIO_DEBUG environment variable can be used to overwrite arbitrary
files; there is also an associated buffer overflow which can be exploited
to gain root access.
Alerts:
Comments (none posted)
php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2006-1990, CVE-2006-1991, CVE-2006-3017
Created: May 25, 2006
Updated: August 18, 2006
Description:
The php wordwrap() function is vulnerable to an integer overflow.
Attackers can submit long arguments to cause a heap-based buffer
overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function.
An attacker can use an out-of-bounds offset argument to cause a
memory access violation, causing a denial of service.
A bug in zend_hash_del() allowed attackers to prevent unsetting of some
variables.
Alerts:
Comments (none posted)
phpbb2: missing input sanitizing
Package(s): phpbb2
CVE #(s): CVE-2006-1896
Created: May 22, 2006
Updated: February 11, 2008
Description:
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
Alerts:
Comments (none posted)
phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537
Created: December 22, 2005
Updated: February 11, 2008
Description:
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Alerts:
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
Package(s): phpmyadmin
CVE #(s): CVE-2005-4079, CVE-2005-3665
Created: December 12, 2005
Updated: November 20, 2006
Description:
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
Alerts:
Comments (none posted)
pinball: privilege escalation
Package(s): pinball
CVE #(s): CVE-2006-2196
Created: June 26, 2006
Updated: June 28, 2006
Description:
Pinball, a pinball game simulator, has a privilege escalation
vulnerability in which the application can be tricked into loading
level plugins from user-controlled directories without dropping
its privileges.
Alerts:
Comments (none posted)
png: buffer overflow
Package(s): png
CVE #(s): (none)
Created: June 28, 2006
Updated: June 28, 2006
Description:
The Portable Network Graphics (PNG) library contains a vulnerability caused
by a potential sprintf(3) related buffer overflow.
Alerts:
Comments (none posted)
postgresql: SQL injection
Package(s): postgresql
CVE #(s): CVE-2006-2313, CVE-2006-2314
Created: May 24, 2006
Updated: June 6, 2007
Description:
The PostgreSQL team has put out a set of "urgent updates" (in the form of
the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
Alerts:
Comments (1 posted)
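The two PostgreSQL fixes described above (rejecting invalid multi-byte sequences, and disallowing backslash-escaped quotes in favour of doubled quotes) only make sense together, and the reason is easier to see in code. The following is an added example, not PostgreSQL's code: a toy Shift_JIS-style lexer (lead-byte and trail-byte ranges as in Shift_JIS, where 0x5C backslash is a legal trail byte but 0x27 quote is not), two client-side escaping functions, and a constructed attacker value. The query prefix, the function names and the single-literal model of the server lexer are the example's own assumptions; the lexer honours backslash escapes, as PostgreSQL servers of that era did by default.

```python
from typing import Optional

# Toy Shift_JIS-style encoding (ranges assumed for the example): a lead byte is
# followed by exactly one trail byte. 0x5C ('\') IS a valid trail byte, 0x27 (') is not.
LEAD = set(range(0x81, 0xA0)) | set(range(0xE0, 0xFD))
TRAIL = set(range(0x40, 0x7F)) | set(range(0x80, 0xFD))

PREFIX = b"SELECT * FROM users WHERE name = '"   # assumed application query
ATTACK = b"\x95' OR 1=1 --"                      # constructed: lone lead byte, then a quote


def escape_backslash(value: bytes) -> bytes:
    """Byte-wise, encoding-unaware escaping of the kind the advisory deprecates."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubling(value: bytes) -> bytes:
    """SQL-standard escaping: a quote inside a literal is written as two quotes."""
    return value.replace(b"'", b"''")


def validate_multibyte(data: bytes) -> None:
    """Server-side check (the first fix): a lead byte must have a valid trail byte."""
    i = 0
    while i < len(data):
        if data[i] in LEAD:
            if i + 1 >= len(data) or data[i + 1] not in TRAIL:
                raise ValueError("invalid multibyte sequence at offset %d" % i)
            i += 2
        else:
            i += 1


def literal_end(sql: bytes, open_quote: int) -> Optional[int]:
    """Index of the quote closing the literal opened at sql[open_quote], as an
    encoding-aware server lexer sees it (backslash escapes honoured)."""
    i = open_quote + 1
    while i < len(sql):
        b = sql[i]
        if b in LEAD:          # lead+trail is ONE character, even when the trail is '\'
            i += 2
        elif b == 0x5C:        # backslash escapes the following byte
            i += 2
        elif b == 0x27:
            if i + 1 < len(sql) and sql[i + 1] == 0x27:
                i += 2         # '' is an escaped quote, the literal continues
            else:
                return i
        else:
            i += 1
    return None


def classify(value: bytes, escaper, validate: bool) -> str:
    """'safe' if the literal ends exactly where the statement ends, 'injected' if
    attacker bytes escape the literal, 'rejected' if validation stops the query."""
    sql = PREFIX + escaper(value) + b"'"
    if validate:
        try:
            validate_multibyte(sql)
        except ValueError:
            return "rejected"
    end = literal_end(sql, len(PREFIX) - 1)
    if end is None:
        return "unterminated"
    return "safe" if end == len(sql) - 1 else "injected"


if __name__ == "__main__":
    for name, esc in (("backslash", escape_backslash), ("doubling", escape_doubling)):
        for validate in (False, True):
            print(name, "validate=%s" % validate, classify(ATTACK, esc, validate))
```

Run it and the four combinations tell the story: with backslash escaping the lone lead byte swallows the inserted backslash and the attacker's quote closes the literal, and server-side validation does not help because lead byte plus backslash is a perfectly valid character. Doubled quotes alone do not help either (the lead byte swallows the first quote), but with validation the lead byte followed by 0x27 is an invalid sequence and the whole statement is refused. Only the combination is safe, which is why the update shipped both changes.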
ppp: privilege escalation
Package(s): ppp
CVE #(s): CVE-2006-2194
Created: July 6, 2006
Updated: August 14, 2006
Description:
Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.
Alerts:
Comments (none posted)
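Three entries on this page (vixie-cron, passwd from the shadow suite, and the pppd winbind plugin) are the same bug: the return value of setuid() is ignored, so when a local user exhausts the target uid's process limit (RLIMIT_NPROC, the "PAM limits" the advisories mention) the call fails, the program keeps running as root and hands the attacker a root helper. The following is an added example, not code from any of those projects. It calls the C library's setuid() through ctypes so that, as in C, a failure is visible only in the return value, and shows the checked form beside it. The function names are the example's own; Python's own os.setuid() raises OSError on failure, which is exactly the check the vulnerable programs omitted.

```python
import ctypes
import os

# Call libc's setuid() directly so that, exactly as in C, a failure is only
# reported through the -1 return value and errno (assumption: a libc with a
# setuid symbol is loaded, which holds for CPython on Linux and other Unixes).
_libc = ctypes.CDLL(None, use_errno=True)
_libc.setuid.argtypes = [ctypes.c_uint]   # uid_t
_libc.setuid.restype = ctypes.c_int


def drop_privs_unchecked(target_uid: int) -> None:
    """The vulnerable pattern: call setuid() and assume it worked.

    On 2006-era kernels setuid() returned -1/EAGAIN when the target uid was
    already at its RLIMIT_NPROC ceiling, so the process stayed root and the
    exec() that followed ran the helper with root privileges. Since Linux 3.1
    the kernel no longer fails setuid() for this reason but defers the
    failure to the next execve(), precisely because so many programs did
    this; the return value must still be checked for EPERM and friends."""
    _libc.setuid(target_uid)   # BUG: the -1 is thrown away


def drop_privs_checked(target_uid: int) -> tuple:
    """Hardened form: check the return value, then verify the identity the
    kernel actually gave us before doing anything with it."""
    if _libc.setuid(target_uid) != 0:
        err = ctypes.get_errno()
        raise PermissionError(err, "setuid(%d) failed: %s" % (target_uid, os.strerror(err)))
    if hasattr(os, "getresuid"):
        ids = os.getresuid()                        # (real, effective, saved)
    else:
        ids = (os.getuid(), os.geteuid(), os.geteuid())
    if any(u != target_uid for u in ids):
        raise PermissionError("uid switch incomplete: ids = %r" % (ids,))
    return ids


def demo() -> dict:
    """Exercise both variants without needing root; returns what each observed."""
    me = os.getuid()
    result = {"me": me, "own_uid_switch": drop_privs_checked(me) == (me, me, me)}
    if me != 0:
        # A uid we are not allowed to become: root. The unchecked variant fails
        # silently with EPERM and we are still ourselves; the checked one raises.
        drop_privs_unchecked(0)
        result["unchecked_left_us_as"] = os.getuid()
        try:
            drop_privs_checked(0)
            result["checked_raised"] = False
        except PermissionError:
            result["checked_raised"] = True
    else:
        # root can always setuid(); there is no forbidden uid to demonstrate with.
        result["unchecked_left_us_as"] = 0
        result["checked_raised"] = None
    return result


if __name__ == "__main__":
    print(demo())
```

Run as an ordinary user, the unchecked call to become root leaves the process exactly where it was while the checked call raises, which is the difference between the cron, passwd and pppd bugs and their fixes. To reproduce the historical RLIMIT_NPROC trigger you would run as root on a pre-3.1 kernel with the target user's process limit already reached; on current kernels the same condition surfaces as EAGAIN from the subsequent execve() instead.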
Py2Play: remote execution of arbitrary Python code
Package(s): Py2Play
CVE #(s): CAN-2005-2875
Created: September 19, 2005
Updated: September 6, 2006
Description:
Py2Play uses Python pickles to send objects over a peer-to-peer game
network, and clients accept without restriction the objects and code sent
by peers. A remote attacker participating in a Py2Play-powered game can
send malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Alerts:
Comments (none posted)
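The Py2Play entry is the textbook case of unpickling peer-supplied data: a pickle is a small program, and its GLOBAL and REDUCE opcodes import any attribute of any module and call it. The following is an added example, not Py2Play's code, showing a constructed malicious pickle (with a harmless callable, os.getcwd, standing in for os.system), the unrestricted load that executes it, and a restricted Unpickler that refuses every global lookup not on an explicit allow-list. The message shape and the allow-list contents are the example's own assumptions.

```python
import io
import os
import pickle

# Constructed legitimate game message, the kind of object a peer would send.
MOVE = {"type": "move", "player": "alice", "x": 3, "y": 7}


class _Malicious:
    """Pickling this object records 'call os.getcwd()' in the stream; loading the
    stream performs the call. An attacker would substitute os.system or
    subprocess.Popen with arguments of their choice."""

    def __reduce__(self):
        return (os.getcwd, ())


EVIL_PICKLE = pickle.dumps(_Malicious())   # constructed attacker payload


def unsafe_loads(data: bytes):
    """Py2Play-style handling: whatever the peer sent runs on our machine."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup except an explicit allow-list.
    Plain containers (dict, list, str, int, ...) never pass through find_class,
    so ordinary game messages still round-trip."""

    # Assumed allow-list; extend only with classes whose construction is harmless.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe(data: bytes) -> str:
    """'loaded' if the restricted unpickler accepted the stream, else 'refused'."""
    try:
        safe_loads(data)
        return "loaded"
    except pickle.UnpicklingError:
        return "refused"


def demo() -> dict:
    return {
        # The unrestricted loader really ran the callable named in the stream.
        "unsafe_result_is_cwd": unsafe_loads(EVIL_PICKLE) == os.getcwd(),
        "safe_on_evil": try_safe(EVIL_PICKLE),
        "safe_roundtrip": safe_loads(pickle.dumps(MOVE)) == MOVE,
    }


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler closes the hole the advisory describes, but it is still a denylist of behaviour bolted onto a format designed to execute; for messages as simple as MOVE the better design is a data-only format such as JSON with a schema check, so that there is no find_class to get wrong.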
quagga: multiple vulnerabilities
Package(s): quagga
CVE #(s): CVE-2006-2223, CVE-2006-2224, CVE-2006-2276
Created: May 15, 2006
Updated: July 24, 2006
Description:
Paul Jakma discovered that Quagga's ripd daemon did not properly
handle authentication of RIPv1 requests. If the RIPv1 protocol had
been disabled, or authentication for RIPv2 had been enabled, ripd
still replied to RIPv1 requests, which could lead to information
disclosure. (CVE-2006-2223)
Paul Jakma also noticed that ripd accepted unauthenticated RIPv1
response packets if RIPv2 was configured to require authentication and
both protocols were allowed. A remote attacker could exploit this to
inject arbitrary routes. (CVE-2006-2224)
Fredrik Widell discovered that Quagga did not properly handle certain
invalid 'sh ip bgp' commands. By sending special commands to Quagga, a
remote attacker with telnet access to the Quagga server could exploit
this to trigger an endless loop in the daemon (Denial of Service).
(CVE-2006-2276)
Alerts:
Comments (1 posted)
quake: buffer overflow
Package(s): quake3-bin
CVE #(s): CVE-2006-2236
Created: May 10, 2006
Updated: January 12, 2009
Description:
Games based on the Quake 3 engine are vulnerable to a buffer overflow
exploitable by a hostile game server.
Alerts:
Comments (none posted)
scorched3d: multiple vulnerabilities
Package(s): scorched3d
CVE #(s): (none)
Created: November 15, 2005
Updated: August 11, 2006
Description:
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Alerts:
Comments (none posted)
sendmail: denial of service
Package(s): sendmail
CVE #(s): CVE-2006-1173
Created: June 15, 2006
Updated: November 1, 2006
Description:
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service.
Alerts:
Comments (none posted)
shadow-utils: mailbox creation vulnerability
Package(s): shadow-utils
CVE #(s): CVE-2006-1174
Created: May 25, 2006
Updated: June 12, 2007
Description:
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
Alerts:
Comments (none posted)
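The useradd mailbox bug above, the gdm .ICEauthority ownership/permission problem and the Kate backup-file entry earlier on this page are three instances of one mistake: a file is created with whatever permissions the default gives and only tightened afterwards, leaving a window in which another local user can open it. The following is an added example, not code from shadow-utils, gdm or KDE, that shows the racy create-then-chmod pattern, the correct create-with-final-mode pattern, and a backup routine that never lets the copy be more permissive than the original. File names and the sample content are constructed; everything runs in a scratch directory.

```python
import os
import shutil
import stat
import tempfile


def current_umask() -> int:
    """umask can only be read by setting it; put it straight back."""
    old = os.umask(0)
    os.umask(old)
    return old


def create_racy(path: str, mode: int = 0o600) -> int:
    """The pattern behind the useradd and .ICEauthority bugs: create first, fix
    the mode later. Returns the mode the file had inside the window, which is
    0o666 & ~umask, not `mode`, and is readable by others under the usual 022."""
    with open(path, "w"):
        window_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    return window_mode


def create_private(path: str, mode: int = 0o600) -> int:
    """Correct form: the final mode goes into the open() itself. O_EXCL also
    refuses to reuse a file or symlink an attacker planted at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)   # re-add bits umask removed; never widens beyond `mode`
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def backup_preserving_mode(src: str) -> str:
    """What the Kate backup should have done: copy the original's mode into the
    open() of the backup, so the copy is never more permissive, not even briefly."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    dst = src + "~"
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f_out, open(src, "rb") as f_in:
        os.fchmod(f_out.fileno(), mode)
        shutil.copyfileobj(f_in, f_out)
    return dst


def demo() -> dict:
    """Run all three in a scratch directory and report the observed modes."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "notes.txt")
        with open(secret, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(secret, 0o640)
        backup = backup_preserving_mode(secret)
        return {
            "default_create_mode": 0o666 & ~current_umask(),
            "racy_window_mode": create_racy(os.path.join(d, "mbox_racy")),
            "private_mode": create_private(os.path.join(d, "mbox_private")),
            "backup_mode": stat.S_IMODE(os.stat(backup).st_mode),
        }


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

The fchmod() after a mode-bearing open() is deliberate: umask can only remove bits from the requested mode, so the file is never wider than intended during the window, and the explicit fchmod() restores the exact mode the caller asked for regardless of the process umask. The useradd bug was a variant in which the mode passed to open() was uninitialised stack data, so even this first step gave no guarantee.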
squirrelmail: file inclusion vulnerability
Package(s): squirrelmail
CVE #(s): CVE-2006-2842
Created: June 8, 2006
Updated: July 11, 2006
Description:
Squirrelmail, a PHP-based webmail package, has a file inclusion
vulnerability.
Alerts:
Comments (none posted)
sudo: vulnerability via scripts
Package(s): sudo
CVE #(s): CAN-2005-4158, CVE-2006-0151
Created: December 16, 2005
Updated: September 1, 2006
Description:
Perl and Python scripts run via Sudo can be subverted.
Alerts:
Comments (none posted)
texinfo: temporary file vulnerability
Package(s): texinfo
CVE #(s): CAN-2005-3011
Created: October 5, 2005
Updated: November 9, 2006
Description:
Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Comments (none posted)
tin: buffer overflow
Package(s): tin
CVE #(s): CVE-2006-0804
Created: February 19, 2006
Updated: November 24, 2006
Description:
An allocation off-by-one bug exists in the TIN news reader version 1.8.0
and earlier which can lead to a buffer overflow.
Alerts:
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-2802
|
| Created: | June 9, 2006 |
Updated: | September 29, 2006 |
| Description: |
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking an user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui |
CVE #(s): | CVE-2006-2230
|
| Created: | June 9, 2006 |
Updated: | January 24, 2007 |
| Description: |
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service. |
| Alerts: |
|
Comments (none posted)
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 |
CVE #(s): | CVE-2006-1526
|
| Created: | May 3, 2006 |
Updated: | January 10, 2007 |
| Description: |
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: denial of service
| Package(s): | xpdf kpdf |
CVE #(s): | CAN-2005-2097
|
| Created: | August 9, 2005 |
Updated: | August 2, 2006 |
| Description: |
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened. |
| Alerts: |
|
Comments (none posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 5, 2006 |
Updated: | November 30, 2006 |
| Description: |
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.17.3,
released on June 30. It
was a single-fix release for a denial of service vulnerability in the
netfilter SCTP connection tracking code. One day earlier,
2.6.17.2 had been released with
a relatively large set of important fixes. The SCTP fix can also be found
in 2.6.16.23.
The current 2.6 prepatch is 2.6.18-rc1, released by Linus on
July 5. A summary of changes can be found in a separate article
below. Also available are the short-form changelog (too bulky
to be included with Linus's announcement) and the long-form
changelog.
The current -mm tree is 2.6.17-mm6. Recent changes to
-mm include some extensions to the read-copy-update API, some "massive" CPU
scheduler cleanup work, the removal of a number of old (OSS) sound drivers,
and a set of patches shrinking the inode structure. A great many
patches have been removed from -mm as they have found their way into
2.6.18-rc1.
Kernel development news
I like colorized diffs, but let's face it, those particular color
choices will make most people decide to pick out their eyes with a
fondue fork. And that's not good. Digging in your eye-sockets with
a fondue fork is strictly considered to be bad for your health, and
seven out of nine optometrists are dead set against the practice.
So in order to avoid a lot of blind git users, please apply this
patch.
-- Linus Torvalds
Your editor, having returned from an all-too-short vacation, was faced with
the prospect of looking over the 4500 (and counting) patches merged for the
2.6.18-rc1 release. Much of what has been merged is the usual set of fixes
and updates, but some more user and developer-visible patches have gone in
as well. The user-visible patches include:
- The new core time system has finally found its way into the mainline;
it was covered here in
January, 2005, but has evolved considerably since then.
- New device drivers for SMSC LAN911x Ethernet chipsets,
ZyDAS ZD1211-based wireless LAN adapters,
Myricom Myri-10G interfaces, CS553x NAND flash controllers,
Amstrad E3 Delta flash controllers, Abit uGuru hardware monitoring
chips, NS LM70 temperature sensors, a number of Echoaudio sound cards,
and more.
- Generic support for hardware random number generators has been added,
along with drivers for a long list of generators.
- The Philips Webcam driver has seen a massive update which adds image
decompression support (without legal issues this time), support for a
number of new devices, and many improvements.
- A large set of NFS patches has been merged, adding, among other
things, direct I/O support.
- A netlink interface for networking bridging management.
- A netfilter connection tracking helper for the SIP protocol.
- The TCP Low Priority, TCP Compound, and TCP Veno congestion control
algorithms.
- A new mechanism for attaching SELinux labels to network packets.
There is also a new set of hooks allowing SELinux to regulate the
kernel key management subsystem.
- Extended attribute support in the JFFS2 filesystem.
- A number of kernel include files have been cleaned up to make it
easier to include them into user-space applications.
- PCI devices now export an "enable" attribute via sysfs. The main
purpose for the new attribute is to allow the X server to enable and
disable devices without doing direct I/O memory access.
- The swapless page migration
patches have been merged, easing the movement of pages between
NUMA nodes. There is also a new move_pages() system call
which can be used to determine where pages reside and possibly move
them to a new node.
- The TCP segmentation offload code has been updated and improved.
There is a new "generic segmentation offload" layer which can emulate
TSO in software; evidently this approach yields some of the
performance benefits of TSO on hardware which does not support
segmentation offloading.
- The default disk I/O scheduler is now the "completely fair queueing"
(CFQ) scheduler.
- A massive set of serial ATA
changes has been merged, including a new error handler, rewritten
programmed I/O support, native command queueing (NCQ) support (which
should improve performance considerably), and hotplug support.
- Priority-inheriting
futexes have been merged into the mainline.
- SMPnice, a set of
scheduler heuristic changes meant to improve handling of low-priority
processes on SMP systems, has been merged.
Internal API changes visible to kernel developers include:
- The generic IRQ layer has been merged. The SA_* flags to
request_irq() have been renamed; the new prefix is IRQF_. A long
series of patches has converted in-tree drivers over to the new names;
the old names are scheduled for removal in January, 2007.
- 64-bit resources are now
supported. This change affects a number of users of the resource
management API.
- The kernel lock
validator has gone in, along with a number of fixes for potential
deadlocks found by the validator.
- At long last, the devfs subsystem has been removed.
- An API and support for
the Intel I/OAT DMA engine.
- The skb_linearize() function has been reworked, and no longer
has a GFP flags argument. There is also a new
skb_linearize_cow() function which ensures that the resulting
SKB is writable.
- Network drivers should no longer manipulate the xmit_lock
spinlock in the net_device structure; instead, the following
new functions should be used:
int netif_tx_lock(struct net_device *dev);
int netif_tx_lock_bh(struct net_device *dev);
void netif_tx_unlock(struct net_device *dev);
void netif_tx_unlock_bh(struct net_device *dev);
int netif_tx_trylock(struct net_device *dev);
- The long-deprecated inter_module API has finally been removed
altogether.
- A new kernel API providing access to the "inotify" functionality has
been added.
- The old scsi_request infrastructure has been removed, since
there are no longer any in-tree drivers which use it.
- The include file <linux/usb_input.h> is now
<linux/usb/input.h>.
- The VFS get_sb() filesystem method has a new prototype:
int (*get_sb)(struct file_system_type *fstype, int flags,
              const char *dev_name, void *data,
              struct vfsmount *mnt);
The mnt parameter is new; it allows the filesystem to receive
a pointer to the target mount point structure. The mount point should
be associated with the superblock in the get_sb() method with
a call to:
int simple_set_mnt(struct vfsmount *mnt, struct super_block *sb);
The return value of get_sb() has also been changed to
an int error status. The various get_sb_*()
convenience functions have had the same changes applied. The purpose
of all this work is to allow NFS to share superblocks across mount
points.
- The statfs() superblock operation has a new prototype:
int (*statfs)(struct dentry *dentry, struct kstatfs *stats);
The old struct super_block pointer is now a dentry
pointer instead.
- Some functions have been added to make it easy for kernel code to
allocate a buffer with vmalloc() and map it into user space.
They are:
void *vmalloc_user(unsigned long size);
void *vmalloc_32_user(unsigned long size);
int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
unsigned long pgoff);
The first two functions are a form of vmalloc() which obtain
memory intended to be mapped into user space; among other things, they
zero the entire range to avoid leaking data.
vmalloc_32_user() allocates low memory only. A call to
remap_vmalloc_range() will complete the job; it will refuse,
however, to remap memory which has not been allocated with one of the
two functions above.
- The read-copy-update API is now accessible only to GPL-licensed
modules. The deprecated function synchronize_kernel() has
also been removed.
- There is a new strstrip() library function which removes
leading and trailing white space from a string.
- A new WARN_ON_ONCE macro will test a condition and complain
if that condition evaluates true - but only once per boot.
- A number of crypto API changes have been merged, the biggest being a
change to most algorithm-specific functions to take a pointer to the
crypto_tfm structure, rather than the old "context" pointer.
This change was necessary to support parameterized algorithms.
- There is a new make target "headers_install". Its purpose is
to install a set of kernel headers useful for libraries and user-space
tools. A limited set of headers is installed, and those headers are
sanitized on their way to the destination directory. It is hoped that
distributors will use this mechanism to set up kernel headers for
inclusion from user space in the future.
As of this writing, the 2.6.18 merge window has closed, so there probably
will not be a whole lot of additions to the above list.
A few weeks ago, this page looked at possible additions to the ext3
filesystem and the question of
whether the time had come to freeze ext3 and put new features into a new
ext4 filesystem again. The ext2/3 filesystem developers have now
responded to that discussion
with a clear answer: they will be moving on to ext4.
More specifically, a new filesystem will be created under fs/ext4
in the kernel source. Said filesystem will register itself as
"ext3dev," in an attempt to make it crystal clear that it is a
development filesystem, not suitable for the storage of data which one
actually wishes to keep. New feature work - especially changes which
change on-disk formats and prevent interoperation with current ext3 implementations
- will go into this new filesystem, while ext3 will continue to receive bug
fixes and some safe improvements. Throughout this process, the new
filesystem will retain its ability to work with the current ext3 format.
Sometime in the future, ext3dev will be declared stable and renamed "ext4."
Once the last bugs have been shaken out, this filesystem will lose its
"experimental" designation and users will be encouraged to upgrade. Since
support for ext3 formats will be there, this upgrade should be an easy
process, with no backup-and-restore step or downtime required. Further in
the future, the ext3 code may be removed and ext4 would transparently handle
ext3 filesystems as well.
There seems to be little opposition to this approach, so it would appear
that things will happen this way. Since the addition of a new,
experimental filesystem carries little regression risk, the creation of
ext4 and the addition of some new features (extents, for example) could yet
happen for 2.6.18.
July 5, 2006
This article was contributed by Valerie Henson
The Linux file systems community met in Portland in June 2006 to
discuss the next 5 years of file system development in Linux.
Organized by Val Henson, Zach Brown, and Arjan van de Ven, and sponsored
by Intel, Google, and Oracle, the Linux File Systems Workshop brought
together thirteen Linux file systems developers
and experts to share data and brainstorm for three days. Our goal was
to discuss the direction of Linux file systems development during the
next 5 years, with a focus on disruptive technologies rather than
incremental improvements. Our goal was not to design one new file
system to rule them all, but to come up with several useful new file
system architecture ideas (which may or may not reuse existing file
system code). To stay focused, we explicitly ruled out discussion of
the design of distributed or clustered file systems, with the
exception of how they impact local file system design. We came out of
the workshop with broad agreement on the problems facing Linux file
systems, several exciting file system architecture ideas, and a
commitment to working together on the next generation of Linux file
systems.
The Problem
Why do we need a Linux file systems workshop, when all seems well in
Linux file systems land? Disks purr gently along, larger and fatter
than ever before, but still essentially the same. I/O errors are an
endangered species, more rumor than fact, and easily corrected with a
simple fsck. The "df" command returns a comforting 50% free on most
of your file systems. You chuckle gently as you read old file system
man pages with directions for tuning inode/block ratios. Sure, that
32-bit file system size limit is looming somewhere over the horizon,
but a quick patch to change the size of your block pointers is all you
need and you'll be back in business again. After all, file systems
are a solved problem, right? Right?
If computer hardware never changed, we kernel developers would have
nothing better to do than argue about the optimal scheduling algorithm
and flame each others' coding style. Unfortunately, hardware has this
terrible habit of changing frequently, drastically, and worst of all,
exponentially. File systems are especially vulnerable to changes in
hardware because of their long-lived nature. Much of operating
systems software can be changed at will given a simple system reboot.
But file systems - and their on-disk data layouts - live on and on.
What has changed in hardware that affects file systems? Let's start
with some simple, unavoidable facts about the way disks are evolving.
Everyone knows that disk capacity is growing exponentially, doubling
every 9-18 months. But what about disk bandwidth and seek time? At
the last Storage Networking World
conference, Seagate presented some details of their hard disk
road map for the next 7 years (see page 16 of the
slides [PDF]). Their predictions for 3.5 inch hard disks are summarized
in the following table.
| Parameter | 2006 | 2009 | 2013 | Improvement |
| Capacity (GB) | 500 | 2000 | 8000 | 16x |
| Bandwidth (Mb/s) | 1000 | 2000 | 5000 | 5x |
| Read seek time (ms) | 8 | 7.2 | 6.5 | 1.2x |
In summary, over the next 7 years, disk capacity will increase by 16
times, while disk bandwidth will increase only 5 times, and seek time
will barely budge! Today it takes a theoretical minimum 4,000
seconds, or about 1 hour to read an entire disk sequentially (in
reality, it's longer due to a variety of factors). In 2013, it will
take a minimum of 12,800 seconds, or about 3.5 hours, to read an
entire disk - an increase of 3 times. Random I/O workloads are even
worse, since seek times are nearly flat. A workload that reads, e.g.,
10% of the disk non-sequentially will take much longer on our 8TB
2013-era disk than it did on our 500GB 2006-era disk.
Another interesting change in hardware is the rate of increase in
capacity versus the rate of reduction in I/O errors per bit. In order
for a disk to have the same overall number of I/O errors, every time
capacity doubles, the per-bit I/O error rate must halve. Needless to
say, this isn't happening, so I/O errors are actually more common even
though the per-bit error rate has dropped.
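The road-map arithmetic above, carried through as an added example (not code from the article or the workshop): it reproduces the 4,000 s and 12,800 s sequential-read figures for each road-map year and goes further with a seek-bound random-read model and a per-disk error model. The 4 KiB request size and the 1e-15 per-bit error rate used in the test are assumptions, not figures from the article.

```python
"""Disk road-map scaling model (added example, not part of the LWN article).

Uses the Seagate road-map figures quoted in the article: capacity in
decimal GB, bandwidth in megabits per second, read seek time in ms.
Assumptions not from the article: random reads are 4 KiB each, and the
per-bit unrecoverable read error rate is supplied by the caller.
"""

ROADMAP = {
    2006: {"capacity_gb": 500, "bandwidth_mbps": 1000, "seek_ms": 8.0},
    2009: {"capacity_gb": 2000, "bandwidth_mbps": 2000, "seek_ms": 7.2},
    2013: {"capacity_gb": 8000, "bandwidth_mbps": 5000, "seek_ms": 6.5},
}

BITS_PER_GB = 8 * 10**9      # decimal gigabytes, as disk vendors count them
RANDOM_READ_BYTES = 4096     # assumed request size for the random-I/O model


def sequential_read_seconds(year):
    """Theoretical minimum time to stream the whole disk at full bandwidth.

    This is the article's arithmetic: 500 GB at 1000 Mb/s gives 4,000 s,
    8000 GB at 5000 Mb/s gives 12,800 s.
    """
    d = ROADMAP[year]
    return d["capacity_gb"] * BITS_PER_GB / (d["bandwidth_mbps"] * 10**6)


def random_read_seconds(year, fraction=0.10):
    """Time to read `fraction` of the disk as 4 KiB non-sequential requests.

    Each request pays one average seek plus its own transfer time; because
    seek time barely improves across the road map, this grows roughly with
    capacity rather than with bandwidth.
    """
    d = ROADMAP[year]
    requests = fraction * d["capacity_gb"] * 10**9 / RANDOM_READ_BYTES
    transfer_s = RANDOM_READ_BYTES * 8 / (d["bandwidth_mbps"] * 10**6)
    return requests * (d["seek_ms"] / 1000.0 + transfer_s)


def expected_errors_per_full_read(year, per_bit_error_rate):
    """Expected unrecoverable read errors when the whole disk is read once.

    With a fixed per-bit rate this doubles every time capacity doubles,
    which is the article's point about errors becoming more common.
    """
    return ROADMAP[year]["capacity_gb"] * BITS_PER_GB * per_bit_error_rate


def scaling_report(per_bit_error_rate):
    """2013-versus-2006 ratios for all three models, plus the headline times."""
    seq_2006, seq_2013 = sequential_read_seconds(2006), sequential_read_seconds(2013)
    return {
        "sequential_2006_s": seq_2006,
        "sequential_2013_s": seq_2013,
        "sequential_ratio": seq_2013 / seq_2006,
        "random_ratio": random_read_seconds(2013) / random_read_seconds(2006),
        "error_ratio": (expected_errors_per_full_read(2013, per_bit_error_rate)
                        / expected_errors_per_full_read(2006, per_bit_error_rate)),
    }


if __name__ == "__main__":
    for key, value in scaling_report(1e-15).items():
        print(f"{key:>18}: {value:,.2f}")
```

With the constructed 1e-15 error rate, the sequential ratio comes out as the article's 3.2x, while the random-read workload grows about 13x and the expected error count 16x, tracking capacity rather than bandwidth.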
These are only a few of the changes in disk hardware that will occur
over the next decade. What do these changes mean for file systems?
First, fsck will take a lot longer in absolute terms, because disk
capacity is larger, but disk bandwidth is relatively smaller, and seek
time is relatively much larger. Fsck on multi-terabyte file systems
today can easily take 2 days, and in the future it will take even
longer! Second, the increasing number of I/O errors means that fsck
is going to happen a lot more often - and journaling won't help.
Existing file systems simply weren't designed with this kind of I/O
error frequency in mind.
These problems aren't theoretical - they are already affecting systems
that you care about. Recently, the main server for Linux kernel
source, kernel.org, suffered file system corruption from a failure at
the RAID level. It took over a week for fsck to repair the (ext3)
file system, when it would have taken far less time to restore from
backup.
The workshop
Now that the stage is set, we'll move on to what happened at the 2006
Workshop. The coverage has been split into the following pages:
- Day 1, devoted mostly to understanding the current state of the art:
file system repair, disk errors, lessons learned from existing file
systems, and major filesystem architectures.
- Days 2 and 3, concerned with the way
forward: interesting ideas, near-term needs, and development plans.
Page editor: Jonathan Corbet
Distributions
News and Editorials
July 5, 2006
This article was contributed by Michael J. Hammel
See the previous articles in this series: Part I, Part II and Part III.
The last two sets of live CDs each fell into one of two broad categories:
desktop replacement or small footprint. Desktop replacement options try to
be all things to all people while small footprint CDs are designed for
lower end hardware or as the basis for embedded or small system computing.
This time around the set of three live CDs is more specialized, targeting a
smaller niche of users. This is the ultimate use of live CDs - filling a
special purpose that can't be fulfilled easily by more general purpose
solutions. While the niche may be smaller, it doesn't mean the target
audience is small. For example, with a games CD your audience could be
quite large.
Games KNOPPIX
This special purpose CD is simply a remastered KNOPPIX LiveCD.
Games KNOPPIX adds an
extra set of games to the base KNOPPIX collection. It doesn't appear to
complain about a lack of special purpose hardware and most of the games
worked out of the box even though the test hardware did not support 3D
acceleration.
I tried a number of the games, though in general I'm not much of a game
player. The complete
list of games is on the web site. Enigma has great graphics and an
interesting Breakout-like concept. There are both full screen and windowed
games, text and graphical games and arcade and 3D games. There are also
demos of some non-GPL games, such as Marble Blast Gold, Mutant Storm and
Space Tripper but most of the games are freely available versions.
GLTron and UFO were the only disappointments but that should have been
expected since no hardware acceleration was available for the OpenGL based
games.
The web site is light on useful information other than providing a list of
the games provided. Remastering this CD is not covered (unless you follow
the outlines for remastering a KNOPPIX CD) and at least one game requires
you to get permission from the author to do a remaster if the CD will be
sold commercially.
As an end user I'd like to see a CD like this one that pulls the
unnecessary applications from KNOPPIX and adds a front end that lets me
choose the games through a nice UI instead of a buried desktop menu.
| Cleanliness: | 7 |
| Originality: | 6 |
| On Target: | 5 |
| Extensibility: | 1 |
Ultimate Boot CD
The Ultimate Boot CD boots into
a text based window of options, all accessible via the function and numeric
keys on the keyboard. Each option boots the kernel a different way and
runs a variety of tests, including tests against the CPU, memory, hard disk
and peripherals.
Tests and tools include CPU and memory tests, partition management,
CPU and graphics benchmarks, boot disks for recovery operations and system
identification tools. Not all of the tools and tests run under Linux so
this CD isn't a true Linux only solution. Tests like memtest86 run under
DOS so they can get full control of the CPU without the context switching
and memory management that Linux would need.
Hard disk tests are manufacturer specific. There are tests for Maxtor,
Seagate and Samsung drives. Most of the filesystem tools are Windows
specific and of little value to managing your Linux partitions. This is
true, too, of the antivirus tools.
Multiple boot disks are provided, including the FreeDOS and OpenDOS open
source systems as well as Tom's Boot Disk, BasicLinux, RIP and Trinux for
Linux users. Each of these can be used for recovery of hard disk based
systems that are failing to boot.
The Ultimate Boot CD allows user defined tools to be added. There is a
help screen explaining how to get more information on how this can be done,
which makes the CD very customizable.
Overall, this CD is well planned and implemented. It isn't flashy, and
you shouldn't expect a desktop environment. But do expect a large number
of very useful tools for diagnosing computer hardware.
| Cleanliness: | 9 |
| Originality: | 9 |
| On Target: | 9 |
| Extensibility: | 8 |
KnoppMyth
KnoppMyth, also based on
the KNOPPIX live CD, is designed as an easy to use version of MythTV.
MythTV is an open source PVR (Personal
Video Recorder). The design of MythTV allows users to have a separate
backend server to record and manage videos, music, pictures and other
features while using a remote frontend system to access the server. What
KnoppMyth does is provide either a combined backend/frontend configuration
for standalone use or allow a frontend system to connect to an existing
backend server.
The live CD boots into a text based main menu where options include running
the live CD as a frontend system or installing the live CD to a disk. I
selected running the frontend only. After configuring the MythTV database
access information and telling the system to use DHCP, the KnoppMyth CD
booted directly into the MythTV frontend menus. MythTV is a graphical
application running under the X Window System. KnoppMyth did see the Via
graphics hardware at boot time and loaded the Via kernel and X video
drivers.
An extra menu option not found on the stock MythTV distributions is
available from the main menu and is titled "KnoppMyth". This allows the
user to backup their configuration, say to an NFS mounted partition or
burned to a DVD. Other than that the user interface for the KnoppMyth
frontend is just like the stock MythTV distribution. Unfortunately, I was
running an older version of the backend MythTV server on the test network.
The older server used protocol version 15 while the frontend used 26. So
the backend and frontend could not communicate and no further tests could
be run.
KnoppMyth is exactly what it is intended to be: an easy to use MythTV
system based on a live CD. The menu interface is much simpler to use than
a standard desktop which makes this an ideal consumer electronics
solution. But the incompatibility with older MythTV backends is a problem.
There is nothing on the web site about this unfortunately.
The system loads what looks like every possible video display kernel driver
along with the appropriate Via kernel and X drivers. Had I been able to
connect to the backend server, video display should have benefited from the
hardware MPEG decoding available in the test hardware. Like KNOPPIX,
KnoppMyth uses the XFree86 distribution instead of the newer X.org
distribution.
The CD is meant as an end user distribution and not intended as a
customizable solution. Therefore no information is provided on the web
site on how to extend the features of this live CD.
| Cleanliness: | 9 |
| Originality: | 9 |
| On Target: | 9 |
| Extensibility: | 0 |
Summary
Over the past 4 articles you've seen a variety of ways that a live CD can
be used. While there are literally hundreds of freely available live CDs,
the choice of which to use is completely personal. Desktop versions
abound, but niche solutions are also available to help you with whatever
project you have in mind.
For developers, understanding how a live CD is put together is the first
step in understanding some of the issues involved with small system
computing. If you need to squeeze a kernel and root filesystem down to fit
on a storage limited hand held, then understanding how live CDs make use of
SquashFS and UnionFS will get you started. From there, there is no end to
where you can go.
New Releases
2X has announced an upgrade and new name for its PXES Linux thin client: 2X
ThinClientServer PXES edition 3.0. This edition boasts a completely new
architecture, which includes a server component allowing for central
management of the connection settings and the thin client OS.
The Bluewhite64 Linux Project has
announced the release of
Bluewhite64 Linux pre-11.0-beta. "Bluewhite64 uses the 2.6.16.22
kernel bringing you advanced performance features such as the ReiserFS
journaling filesystem, ext2, ext3, IBM's JFS, and SGI's XFS filesystems,
SCSI, RAID, SATA controllers support and kernel support for X DRI (the
Direct Rendering Interface) that brings high-speed hardware accelerated 3D
graphics to Linux."
DesktopLinux
takes a look
at Gentoox. "The UK-based project team developing Gentoox, a
Gentoo-based Linux operating system for the Xbox featuring Linux kernel
2.4.32 and the KDE desktop, announced its latest release on July 5, Gentoox
Home v5.0. It is the team's first new release since v4.0 in June
2005."
Distribution News
Raphael Hertzog
covers the status of the python
policy transition. "I know some maintainers have decided to wait
before converting their packages to the new Python policy since the Python
infrastructure has been evolving at fast pace before the transition
announce and even a few days after. This is now over, the infrastructure is
in place and will even move to testing RSN. Once that is done the new
python-defaults will be uploaded (hopefully by the end of this week) and
will break packages not yet updated."
Steve McIntyre provides some Bits from the
2IC, with a look at Google Summer of Code projects, the irc.debian.org
move, Debconf 6 in Mexico, a new Sarge release, and several other topics.
The Fedora Project is thinking about switching to the DejaVu font family as
the default font in Fedora Core. DejaVu is a derivative of the popular
Bitstream Vera family, which has not seen any updates since 2003; a number
of distributions are already using it. The Fedora developers are
looking for
feedback on the fonts and the proposed change. This is an opportunity
for Fedora users to help shape the appearance of future Fedora releases,
with no technical skills required.
The Cooperative Bug Isolation Project has been
announced and is available for Fedora Core 5.
"What's that? You say you've never heard of the Cooperative Bug
Isolation Project (CBI)? Get with it! CBI is an ongoing, award-winning
research effort exploring ways to find bugs and improve the quality of open
source software using lightweight instrumentation, automated feedback, and
sophisticated machine learning algorithms... CBI needs *you*! The more data
we get, the more bugs we can find!"
Maintenance of Fedora Core 4 will transfer to
Fedora Legacy with the release of Fedora Core 6 test 2, currently
scheduled for July 19, 2006.
After the launch of Ubuntu 6.06 LTS, Canonical has announced the
availability of Opera 9 for Ubuntu. With just a few clicks of the mouse,
all Ubuntu users can download and install the latest version of the Opera
browser.
Distribution Newsletters
The July 4 issue of the Debian Weekly News is out; with this issue, DWN
editor Martin 'Joey' Schulze celebrates five years on the job. Other
topics include the Python policy transition, Flash support, and more.
This week the Fedora Weekly News covers the Open Video Contest which is
open now, Announcing Fedora
Core 6 Test 1 (5.90), A Fresh Look for Fedora Core 6, Phoronix: Fedora Core
6 Preview, FC6T1 mostly running on MacTel Mini, Yum Extender Update, the
Ohio LinuxFest 2006 schedule announced, Red Hat Fedora 5 Unleashed Book
Giveaway, and several other topics.
This edition of the Fedora Weekly News covers Fedora Core 4 Status
Update, Red Hat CEO Says Linux Could
Become U.S. Standard, Request for testing: DejaVu 2.7 font family, Mailing
List for K-12 Open Source Questions, DesktopLinux: Fedora Core 6 Test 1
beckons, OpenOffice.org 2.0.3 Is Here, QEMU a Virtualization System for
Open Source World, Red Hat Fedora 5 Unleashed Book Giveaway Winner, and
several other topics.
The Gentoo Weekly Newsletter for July 3, 2006 covers modular X.Org now
marked as
stable, new KBase project, Java Upgrades, Spanish Translators, and much
more.
Comments (none posted)
This edition of the Ubuntu Weekly Newsletter covers Edgy release schedule,
Dapper backports is open for business, Ubuntu marketing team gearing up,
Pictures from UDS Paris (and personal ramblings), Artist in Chief
appointments, Weekly development meeting review, Ubuntu Dapper installfest
in Taiwan, and much more.
Full Story (comments: none)
The
DistroWatch
Weekly for July 3, 2006 is out. "
Last week was a slow one -
among the major distributions, only Novell provided some excitement with
the first public development release of SUSE Linux Enterprise 10. Several
smaller distributions also continued their work - the SME Server project
has finally released its long-awaited version 7.0, while a new and
excellent live CD edition of Zenwalk Linux also made its first appearance
last week. In other news, Smart for SUSE Linux and DesktopBSD's new package
management tool are the focus of the news section, while the first look
part of DistroWatch Weekly brings a short review of Frenzy 1.0, an
excellent live CD based on FreeBSD. Finally, we are pleased to announce
that the June 2006 DistroWatch donation of US$500.00 has been awarded to
Gentoo Foundation."
Comments (none posted)
Package updates
Updates for
Fedora Core 5:
nfs-utils-lib (latest upstream version),
xorg-x11-xtrans-devel (updates various
components of the X Window System),
libX11
(updates various components of the X Window System),
xorg-x11-server (updates various components of
the X Window System),
xorg-x11-xdm (updates
various components of the X Window System),
httpd (update to 2.2.2),
xorg-x11-xfs (updates various components of
the X Window System),
xorg-x11-xinit
(updates various components of the X Window System),
xorg-x11-apps (updates various components of
the X Window System),
libgssapi (update to
0.9),
xorg-x11-server (bug fix),
kasumi (new upstream release),
nfs-utils (update to 1.0.8),
nfs-utils (fixes broken upgrade path),
libvirt (needed for new xen release),
apr-util (update to 1.2.7),
ckermit (bug fix),
eclipse-changelog (update to version 2.1.0),
qt (bug fixes),
xorg-x11-server (bug fix),
kexec-tools (avoid crash with kickstart
kernel).
Updates for Fedora Core 4: lvm2
(update to support 2.6.16 kernel), device-mapper (update to support 2.6.16
kernel).
Comments (none posted)
Updates for
rPath Linux 1:
hplip, PyQt,
sip (improved HP printer support),
pcmcia-cs (include the scsi_info, ftl_check,
and ftl_format utilities),
hal, hal-gnome
(enable the gnome-volume-manager program to show newly-mounted volumes),
mutt (make system mailboxes default to
read-write).
Comments (none posted)
There were only a few updates to Slackware this week. Click below for the
short changelog entry.
Full Story (comments: none)
Newsletters and articles of interest
Linux.com
covers
the process of installing a firewall on Ubuntu. "
We'll look at two
packages that configure firewalls. The first is Lokkit, an application that
walks you through a few simple steps and configures a basic firewall for
you. Lokkit is dead easy to use, and requires very little understanding of
firewalls to set up, but it provides few options, and it's not a good
choice if you want to set up a complex firewall. By contrast, Guarddog, a
flexible GUI firewall configuration program, is much more complex than
Lokkit. Choose Guarddog only if you know what you're doing."
Comments (none posted)
ServerWatch
takes a
quick look at Pyramid Linux. "
Pyramid Linux is descended from
the wonderful Pebble Linux, which is based on Debian Woody. Pyramid comes
with a newer kernel, 2.6.16, the Lighttpd Web server with SSL and PHP
support, udev and sysfs, HostAP, a nice Web-based management console, and a
bag of other excellent goodies."
Comments (none posted)
Henry Gillow-Wiles
puts
PC-BSD to work in a community center. "
As the IT director for a
non-profit community center, I face several challenges, the most pressing
being the lack of money. This means our lab is filled with donated older
equipment with limited capabilities. Given this state of affairs, I am
always on the lookout for free, easy-to-use open source software. I chose
PC-BSD as our standard operating system because of its exemplary
performance on older equipment."
Comments (none posted)
NewsForge
takes
a look at the FreeDOS project. "
Jim Hall, creator of the open
source MS-DOS operating system project FreeDOS, says that while work on the
project may have slowed recently, he isn't ready to throw in the towel just
yet. In fact, Hall says he hopes to see version 1.0 released as soon as the
end of the month."
Comments (none posted)
Linux.com has
made
some training videos that show how to download and install Ubuntu
Linux. "
About the videos: They're in AVI format, encoded with the
free XviD codec, compatible with media players available for almost all
popular desktop PC operating systems. If -- and this is unlikely -- your
computer does not have the XviD codec installed, you can get it here or
through your favorite free operating system's software repository."
Comments (none posted)
Distribution reviews
DesktopLinux
reviews a
release candidate of SimplyMEPIS 6.2. "
SimplyMEPIS 6 is built on the
2.6.15 Linux kernel, with recent security patches. Unlike Ubuntu, which
uses GNOME for its default desktop, MEPIS uses KDE 3.5.3. For me, KDE
continues to be the better choice of the two."
Comments (none posted)
OSNews
reviews
Arch Linux. "
Make no mistake. Arch has seen some cool new additions
lately: a special mkinitrd utility, network profiles, ACPI support,
NetworkManager in the "Testing" tree and more. But what really stands out
compared to the user experience of the 1-2 years ago is the package
stability. Fewer buggy packages make it to -Current or -Extra trees these
days and the ones that do are quickly fixed by the very helpful hackers in
the Bugzilla."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Your author has been interested in computer speech synthesis since
the late 1970s, when he interfaced a
Votrax SC-01A
speech synthesizer chip to his
Imsai 8080 computer with some wire-wrap wire.
News of the recently created
eSpeak project
naturally piqued his long-time interest in speech synthesis.
eSpeak is a compact
phoneme-based
speech synthesis system that is available under version 2 of the
Gnu General Public license.
eSpeak is a software speech synthesizer for English, and potentially other languages.
eSpeak produces good quality English speech. It uses a different synthesis method from other open source TTS engines, and sounds quite different. It's perhaps not as natural or "smooth", but I find the articulation clearer and easier to listen to for long periods.
eSpeak is a much simpler system than
Festival,
a popular speech synthesis project from the University of Edinburgh's
Centre for Speech Technology Research. Unfortunately, the Festival
project has been
stuck at version 1.95 (2.0 beta) for the last two years.
The
installation and usage document explains how to set up the software. Installation is trivial, if somewhat different
from that of most applications: it involves copying the binary
speak file to an executable directory and moving a
library directory to /usr/share.
The combined executable and library files weigh in at under 500 Kb,
making it suitable for use in embedded systems.
Source code for eSpeak
is available for those who wish to compile the software locally.
Using the software is trivial: typing "speak 'what you want to say'"
renders the desired speech and sends it to the speaker.
The contents of a file can be spoken with the command
speak -f filename. eSpeak can also read its input from stdin,
allowing it to be used with other applications.
There are currently nineteen
English phoneme sets available which provide a variety of
British accents, male/female voices and tonal characteristics.
German and Esperanto phoneme sets are also available.
Other languages can also be supported, but the work has not yet been done.
eSpeak can output directly to the sound driver; it can also create
.wav files or send the audio to stdout. The -x option causes the
program to print phoneme mnemonics to the screen.
The speech quality is quite mechanical, but fairly easy to understand.
It is not as refined as the output of Festival, but should suffice for
many applications. As with most speech synthesis applications,
mispronunciation is fairly common: English pronunciation rules
involve many special exceptions and ambiguities, so accurate text-to-speech
conversion is a non-trivial software task.
The most recent release of eSpeak is version 1.10,
released on April 29, 2006. The
change log file indicates recent work on UTF-8 encoding, support for
embedded pitch and amplitude modulation, improvements to numerical
pronunciations, several new command line capabilities and more.
If you need a decent open-source speech synthesis application for
your latest project, or simply want to play with some interesting
software, give eSpeak a try.
Comments (3 posted)
System Applications
Database Software
Amr Ramadan has announced the GLScube semantic storage project.
"
GLS³ is an open source semantic storage solution for GNU/Linux that
indexes your data, extracts from it metadata and relevant information,
allows you to organize it using queries and tags, provides shared
schemas between applications through an API, a pseudo file system for
backward compatibility, a web interface, As-You-Type searching and
more."
Full Story (comments: 4)
Version 2.00 Release Candidate 3 of the Firebird DBMS
has been announced.
"
Firebird 2 contains a large number of new features, including derived tables, support for Execute Block, increased table sizes, new improved index code (the 252-byte index length limit is no longer applicable), expression indices, numerous optimiser improvements, enhanced security features, support for on-line incremental backups, new international language support, along with numerous other improvements and bug fixes."
Comments (3 posted)
Embedded Systems
Version 1.2.0 of
BusyBox, a collection
of command line utilities for embedded systems, is out.
"
The -devel branch has been stabilized and the result is Busybox 1.2.0. Lots of stuff changed, I need to work up a decent changelog over the weekend."
Comments (none posted)
LDAP Software
Version 1.1.4 of LAT, the LDAP Administration Tool, is out
with new capabilities and bug fixes.
Full Story (comments: none)
Libraries
Version 1.2.0 of the Cairo 2D graphics vector library has been announced.
"
We are very pleased to announce this release, the first major update
to cairo since the original 1.0 release 10 months ago. Compared to
cairo 1.0, the 1.2 release doubles the number of supported backends,
adding PDF, PostScript, and SVG backends to the previous xlib, win32
and image backends."
Full Story (comments: 38)
Networking Tools
Konstantin Emelyanov has sent us a notice about a new network
traffic collector project called NDSAD.
"
The NetUP ndsad utility captures IP traffic from network interfaces and exports NetFlow v.5. Data is
gathered from the libpcap library on Unix and from winpcap on Windows. You are also able to use
tee/divert sockets on FreeBSD and ULOG on Linux as a data source."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.9 beta 5 of Aqualung, a music player, is available
with many new capabilities.
"
This is a new milestone release after 17 months of silent
development. Large parts of the program have been rewritten,
refactored, fixed, etc. A multitude of new features have been
added to the software, which now weighs into Open Source with
about 30,000 lines of GPL'ed source code, all written by a handful
of free-time developers (no, you won't need your whole hand)."
Full Story (comments: none)
Version 0.3.1 of aubio, a library for audio labeling, is out
with bug fixes.
Full Story (comments: none)
The
freedb audio CD database
project is falling apart:
"
freedb is not able to operate without Joerg and Ari. There are other - hopefully free - projects that will take over freedb's heritage in a better way and stay free. freedb's future did not seem to be kept free regarding the latest developments, so I tried to steer against this as I felt it more important to stay free instead of getting fancy web 2.0 features. But unfortunately Joerg and Ari (the main doers behind freedb) disagreed with me and decided that they want to go another direction." If anyone wants to take over the project and
domain name, the project will be allowed to continue.
(Thanks to Richard Palmer.)
Comments (4 posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The July 2, 2006 edition of the
KDE Commit-Digest has been
announced.
"
In this week's KDE Commit-Digest: PDF hyperlink and file editing
support in
KViewShell. DVI format support in Okular. Continued progress in "WorKflow",
"GMail-style conversation view for KMail" and "KDevelop-teamwork" Summer Of
Code projects. BsFilter and DSpam tools are now supported in the KMail
anti-spam wizard. LastFM stream support becomes more robust and polished,
alongside other notable development work in Amarok. Aesthetic modifications
made in Kmplot and Kalzium. KDE 4 changes: Work begins on the "Cokoon" widget
style, and KSpell2 is renamed "Sonnet" in preparation for some interesting
development work."
Comments (none posted)
Electronics
Version 0.4.3 of asco, a SPICE circuit optimizer,
has been announced.
"Changes include support for the Qucs simulator, better Ctrl-C handling,
native win32 compilation, autotools support and bug fixes."
Comments (none posted)
Version 2006-06-26 of
Kicad,
a printed circuit CAD application, is out.
Changes include translation work, gcc 4.1 compatibility,
editable field names, the ability to use URLs to document components,
3D color improvements, new pad editing features, negative printing
and delete improvements.
Comments (none posted)
Financial Applications
Version 2.6.15 of
SQL-Ledger,
a web-based accounting package, is out with several bug fixes.
Comments (none posted)
Games
Version 0.5.8 of Cyphesis
has been announced
by the WorldForge game project.
"
Cyphesis is a small to medium scale server for WorldForge games, with builtin AI. This version includes the demo game Mason which is currently in development. This release is intended for server administrators wishing to run a Mason server and World developers developing new worlds or game systems."
Comments (none posted)
Version 1.3 of Trip on the Funny Boat
has been announced on the PyGame site.
"
We got a nice patch from Konstantin Yegupov, so we decided to make a new release with his improvements. Some finer particle effect touches have been added, along with some cannonball-to-animal collision physics, a special super shot and a retro blinking effect when taking damage. Some bugs have also been squashed, which is always nice."
Comments (none posted)
GUI Packages
GnomeDesktop.org
looks at
the new capabilities of GTK+ 2.10.0.
Improvements include:
printing support, recent files support, drag-and-drop support in notebooks,
new widgets and cell renderers, changes in the filechooser,
changes in the tree view widget, changes in the text view and entry widgets,
themability improvements and changes to GTK and gdk-pixbuf.
Comments (none posted)
KDE.News
looks at
the new Qt 4.2 technology preview.
"
The final release of Qt 4.2 is currently scheduled for the fourth quarter of 2006." 4.2 adds a new canvas, SVG support and improved integration with GTK, CUPS and DBus.
Comments (none posted)
Music Applications
Version 0.2 of LoopDub, a cross-platform application for performing
live loop manipulation, is available with a number of new capabilities.
Full Story (comments: none)
Version 0.22 beta of MMA, the Musical MIDI Accompaniment
generator, is out with the following changes:
"
Minor (and not-so-minor) bug fixes, added options to
GROOVE selections, HARMONYVOLUME setting, FORCEOUT
option for keyboard tracks, and some command line fixes."
Full Story (comments: none)
Office Suites
Version 2.0.3 of the OpenOffice.org office suite has been announced.
"
OpenOffice.org 2.0.3 is now ready for download, three months since
the release of 2.0.2. This latest release contains a mixture of new
features, bug fixes, and security patches, and demonstrates the
OpenOffice.org Community's determination to maintain its position as
the world's leading open-source office productivity suite."
Full Story (comments: 13)
The June, 2006 edition of the OpenOffice.org Newsletter
is online with the latest OO.o office suite news.
Full Story (comments: none)
Miscellaneous
GnomeDesktop.org
looks at the personal collection manager
GCstar.
"
Detailed information on each item can be automatically retrieved
from the internet and you can store additional data, such as the
location or who you've lent it to. You may also search and filter
your collection by some criteria."
Comments (1 posted)
Stable version 3.55 of
Sunclock
has been announced.
"
Sunclock displays a map of the Earth and shows which portion is illuminated by the sun."
Comments (1 posted)
Languages and Tools
Caml
The July 4, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Lisp
Version 0.9i of Embeddable Common-Lisp is available.
"
ECL (Embeddable Common-Lisp) is "an effort to modernize Giuseppe
Attardi's ECL (ECoLisp) environment to produce an implementation of
the Common-Lisp language which complies to the ANSI X3J13 definition
of the language"."
Full Story (comments: none)
Python
The May 16-31, 2006 edition of the python-dev Summary is
online with coverage of the python-dev mailing list.
Full Story (comments: none)
Ruby
The July 2nd, 2006 edition of the
Ruby Weekly News looks at the latest discussions
on the ruby-talk mailing list and comp.lang.ruby newsgroup.
Comments (none posted)
Tcl/Tk
The July 1, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
The July 3, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Glyn Moody
looks
back at a 1999 interview with Richard Stallman to see how times have
changed. "
RMS may have felt back then that the best way for him to
contribute to freedom was to code, or to encourage others to code, rather
than trying to change the world directly, but things have moved on: today,
Stallman is becoming something of a political activist. I'm not talking
about the Free Software Foundation's "Defective by Design" campaign,
however entertaining and successful that has been in terms of raising
awareness about the threats posed by DRM (Digital Restrictions Management
or Digital Rights Mismanagement as Stallman likes to term it). What I have
in mind are two recent meetings in France between RMS and highly-placed
politicians there."
Comments (2 posted)
Florian Mueller
reports on a new patent suit against Red Hat Inc.
"
The Patently-O blog reported yesterday that a software company named FireStar has sued Red Hat over an alleged patent infringement. Patently-O also provides the complaint and the patent document, and quotes from Red Hat's patent policy. The FireStar suit relates to a piece of software that Red Hat acquired as part of JBoss Inc.'s intellectual property.
It seems to me that the FireStar patent is quite broad, and if it is upheld, it will affect other companies as well."
Comments (32 posted)
Trade Shows and Conferences
Benjamin Mako Hill
covers the recent Ubuntu Developer Summit Paris on NewsForge.
"
Last week, more than 60 Ubuntu developers met in Paris to plan Ubuntu's next release, codenamed Edgy Eft. Officially, the meeting was billed as a developer summit and not a conference. Each day, groups of two to 10 attendees brainstormed, drafted, and advanced specifications in more than 60 sessions in up to 10 parallel tracks. These specifications, which will stabilize in the next week, will then be prioritized and approved by Canonical staff and will serve as the feature goals for the next release."
Comments (none posted)
LinuxMedNews
reports on the
success of VistA. "
This is a report on an excellent talk that I am
hearing on the factors of success with VistA. The subject is the seven
critical success with Medical Software. Essentially these are the lessons
that VistA has learned via hard knocks. This list is partly compiled from
those who have succeeded but mostly is the result of those who have failed
with VistA."
Comments (13 posted)
Andy Oram
discusses identity issues on O'Reilly.
"
Who are you online? Your digital identity is a complex bundle of information--not just what you say about yourself, but what other people say about you and how trustworthy they are. O'Reilly editor Andy Oram recently attended the Identity Mashup conference at Harvard Law's Berkman Center and reports on one of the most vital issues of privacy and usability on the internet."
Comments (none posted)
The SCO Problem
Groklaw
reports on a new order by Judge Brooke Wells which grants IBM's
Motion to Limit SCO's Claims.
"
Here is Judge Brooke Wells's Order as text. 39 pages and 128 footnotes! Why? I can't read the judge's mind, of course, but my best guess is she is indicating to SCO not to bother to appeal this order. And if they do, she has provided her reasons -- with specificity, one might even say, sufficient to uphold her decision. You can follow along with the references on Groklaw's IBM Timeline page, where the docket numbers are provided."
For further reading, Linux-Watch
analyzes the situation:
"This means that the vast majority of SCO's claims against IBM for misusing Unix code in Linux have been thrown out."
Comments (7 posted)
Companies
Linux-Watch
reports on the latest financial news from Red Hat, Inc.
"
The first quarter of Red Hat Inc.'s 2007 fiscal year was a great one. But, because it fell short of analysts' expectations, the company's stock fell in after-hours trading.
The total revenue for the quarter, which was reported on June 28, was $84.0 million, an increase of 38 percent from the year ago quarter and 7 percent from the prior quarter. Subscription revenue from RHEL (Red Hat Enterprise Linux) was $71.5 million, up 45 percent year-over-year and 7 percent sequentially."
Comments (1 posted)
Linux Adoption
ZDNet
reports
on comments by Trolltech's Eirik
Chambe-Eng concerning Linux adoption by the mobile phone sector.
"
"Linux gives manufacturers and OEMs (original equipment manufacturers) complete control," said Chambe-Eng, who also claimed that Windows Mobile and Symbian--Linux's two great competitors in the mobile phone market--come with "agendas attached."
"Manufacturers are scared of Microsoft coming in and pushing margins away from the hardware. There are very thin margins in this business, and Symbian and Windows Mobile are typically expensive," he said."
Comments (5 posted)
heise online
reports on the move to Linux by the city of Munich.
"
The City of Munich's LiMux project center is rejecting charges by the Senate administration of Berlin that the migration to free software has gotten stuck before it ever got going. As Project director Peter Hofmann told heise online, "Open Source software at the workplace is a reality in Munich." At the end of May, his department presented the future basis client to the public at an information day. At present, the pilot phase is focusing on a software suite. The approximately 100 pilot users include Mayor Christian Ude and his deputy Christine Strobl."
Comments (1 posted)
NewsForge
reports on another step forward for open document standards. "
Belgium's Council of Ministers last month approved a proposal that requires
federal government departments to use open file formats for exchanging
documents. As it stands now, the only accepted standard is the Open Document
Format (ODF)."
Comments (none posted)
Legal
NewsForge
covers a new patent threat on the syslog logging protocol.
"
The Internet Engineering Task Force is working on a proposed standard for the age-old but never standardized syslog protocol, but their efforts may be in jeopardy thanks to a patent application by Huawei Technologies Co., Ltd., of Shenzhen, China."
Comments (none posted)
Interviews
The People Behind KDE have
interviewed Erik Kjær Pedersen.
Erik does Danish translations. "
When did you first hear of
KDE? I was on sabbatical at Odense University in Denmark
1997/98. While I was there two students lived in my house and used my
computer. It had Win 3.1 on one third of the hard disk and OS/2 on another
third, but the last third was empty. They wrote and asked me whether they
could install Linux on the empty part, and I said yes. When I came back I
tried to log into Linux, and I could see the files in the OS/2
partition. Just for fun I used Latex on one of my Tex-files, and I was very
surprised that it worked without any problems. That turned me on to Linux,
and shortly thereafter I noticed KDE somehow, I am not completely sure how
it happened, but I think Red Hat had KDE as an option then." (Found
on
KDE.News)
Comments (none posted)
The Seattle Post-Intelligencer has
an extended interview with Blake Ross, a founder of the Firefox project. "
People expect us to come up with ever-better Spread Firefox campaigns.
That's especially difficult for us, because the goal of Firefox has always been just to make things simpler, and making things simpler usually doesn't mean adding grandiose new features and making sure that the next version has something that identifies it as being new, which has kind of been the (Microsoft) Office model to date, every release has to have something new so people know they got their money's worth."
Comments (4 posted)
Resources
Linux Journal
builds the
ultimate Linux box starting with the ultimate AMD64 motherboard.
"
One very important consideration in our choices was, will this work
with most Linux distributions "out of the box"? We installed Debian,
Ubuntu/Kubuntu, Fedora Core 5, SUSE 10 and Mandriva on our do-it-yourself
system. All of these distributions ran without any trouble and without the
need for any additional drivers or special driver management. (We did,
however, use the proprietary NVIDIA drivers, not out of necessity, but in
order to make use of the SLI features of the motherboards.) We also ran
Knoppix, MEPIS and Kanotix live CDs without problems."
Comments (19 posted)
Linux.com
presents an
excerpt from chapter 9 of the Third Edition of
A Practical Guide to Red
Hat Linux: Fedora Core and Red Hat Enterprise Linux, which looks at
the bash history mechanism. "
The Bourne Again Shell's history
mechanism, a feature adapted from the C Shell, maintains a list of recently
issued command lines, also called events, providing a quick way to
reexecute any of the events in the list. This mechanism also enables you to
execute variations of previous commands and to reuse arguments from
them."
Comments (16 posted)
Joe 'Zonker' Brockmeier has
some
thoughts on email security. "
For many users, using encryption
may seem like overkill, but Michael Lucas, author of PGP & GPG: Email for
the Practical Paranoid , says that it's good to have the option whether you
have something to hide or not. "It's simply something in my gut that says,
'I want the option to have privacy,' and I think a lot of people feel the
same way.""
Comments (2 posted)
David E. Wheeler
looks
at PL/pgSQL in this O'ReillyNet article. "
A common pattern when
managing the relationship between object-oriented applications and
databases is the many-to-many relationship. Object-relational mappers
usually manage these relationships as collections of objects, wherein one
class has an accessor that returns a collection of related objects. For
example, imagine that you're creating (yet another) blogging
application. You want to associate your blog entries with tags. Tags can be
used over and over again for different blog entries, and each blog entry
can, of course, have more than one tag. In this scenario, the blog entry
class might have a method that returns a collection of tag
objects."
Comments (3 posted)
IT Week
covers
the Portland Project's interfaces for GNOME and KDE. "
The Portland
Project has released a beta version of its programming interfaces for the
Gnome and KDE Linux environments. This is designed to boost development of
desktop Linux applications by creating common application programming
interfaces (APIs) for developers to use."
Comments (12 posted)
HowtoForge
shows how to
set up a greylist spam hurdle. "
Greylisting in short means that
when someone wants to deliver a mail to your mailserver it will simply
reply "Please come back later". That is something all RFC compliant
mailservers do and when they do come back the mail is accepted. Most
spammers and spam software are not compliant and not patient enough to try
again. You will be surprised to see how effective this is. Anyway, follow
the links below to really learn about it. There are as always pros and cons
so do your homework before you put it on a production server."
Comments (12 posted)
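The greylisting mechanism described above, as an added example that is not from the HowtoForge article or any particular MTA: a small decision engine keyed on the (client IP, envelope sender, envelope recipient) triplet, run over a constructed sequence of delivery attempts. The delay, retry window and whitelist lifetime are assumed values chosen for illustration.

```python
"""Greylisting decision logic as a stand-alone simulation.

The first delivery attempt for an unknown triplet is answered with a
temporary failure (SMTP 450, "please come back later").  An RFC-compliant
MTA queues the message and retries; once the retry arrives after the
minimum delay the triplet is accepted and whitelisted.  Retries that come
back too quickly are still deferred, and triplets that never return expire.
"""
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: int = 300                 # seconds a triplet must wait before acceptance
    retry_window: int = 4 * 3600         # seconds an unconfirmed triplet is remembered
    whitelist_ttl: int = 36 * 24 * 3600  # seconds a confirmed triplet stays accepted
    first_seen: dict = field(default_factory=dict)
    confirmed: dict = field(default_factory=dict)

    def check(self, now, client_ip, sender, recipient):
        """Return the SMTP reply code for one attempt: 250 (accept) or 450 (retry later)."""
        key = (client_ip, sender, recipient)

        # Known-good triplet still within its whitelist lifetime: accept and refresh.
        last_ok = self.confirmed.get(key)
        if last_ok is not None and now - last_ok <= self.whitelist_ttl:
            self.confirmed[key] = now
            return 250

        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            # First contact, or the earlier attempt expired without a retry: defer.
            self.first_seen[key] = now
            return 450
        if now - seen < self.min_delay:
            # Retried too quickly: keep deferring but do not reset the clock.
            return 450

        # Compliant retry after the minimum delay: accept and whitelist the triplet.
        del self.first_seen[key]
        self.confirmed[key] = now
        return 250


# Constructed delivery attempts: (seconds since start, client IP, sender, recipient, label).
# Addresses are documentation ranges and example domains, not real hosts.
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10", "alice@example.org", "bob@example.net", "legitimate MTA, first try"),
    (0, "198.51.100.7", "promo@example.com", "bob@example.net", "bulk sender, fire and forget"),
    (60, "192.0.2.10", "alice@example.org", "bob@example.net", "legitimate retry, too soon"),
    (900, "192.0.2.10", "alice@example.org", "bob@example.net", "legitimate retry after 15 min"),
    (7200, "192.0.2.10", "alice@example.org", "bob@example.net", "later message, same triplet"),
    (5 * 3600, "198.51.100.7", "promo@example.com", "bob@example.net", "bulk sender back after window expired"),
]


def simulate(attempts=SAMPLE_ATTEMPTS, greylist=None):
    """Run the attempts through one Greylist and return (label, reply code) pairs."""
    gl = greylist or Greylist()
    return [(label, gl.check(t, ip, s, r)) for t, ip, s, r, label in attempts]


if __name__ == "__main__":
    for label, code in simulate():
        print(f"{code}  {label}")
```

The output shows the trade-off the article warns about: the legitimate sender's first message is delayed by one retry interval, while the sender that never retries is never accepted.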
NewsForge
looks
at free software and archeology. "
The discovery of the free
software philosophy and development model in archeology is a consequence of
several methodology problems that caused what some call the "great crisis"
of archeology. According to researcher Benjamin Ducke, "Since the 1990s
... there has been a lot of development on fundamental quantitative methods
but no software to put them into practice on a broad scale." However, Ducke
continues, today there is much more awareness of what is possible and
needed, as well as the notion that free software and formats can play an
essential role. Many researchers have realized that proprietary archeology
software is a dead end from many points of view, both scientific and
economic."
Comments (2 posted)
Reviews
Ed Burnette
reviews the Eclipse 3.2 Java Development Tools on O'Reilly.
"
The popular Eclipse IDE's latest release, version 3.2, is the cornerstone of
an ambitious release of ten Eclipse-branded projects on the same day. But
what's in it for you? Ed Burnette takes a look at the new features in
Eclipse's Java Development Tools and shows you how they'll make your
development much easier."
Comments (2 posted)
Linux.com
looks at a
Freevo setup. "
Freevo is like a window manager -- an interface
controlled by a remote control or the keyboard -- that provides access to
various media. It is written mostly in the Python programming language,
which makes it hacking-friendly. Everything you expect to find on a media
center platform is present in Freevo; you can listen to music, view
pictures, and watch TV and video."
Comments (none posted)
Linux.com
looks at
NSpluginwrapper. "
NSpluginwrapper is a cross-architecture tool
designed to let Firefox users on AMD64 and PowerPC Linux use i386-only,
binary Web browser plugins -- such as those frequently provided by closed
source, commercial interests. Following a protracted delay after its
initial, binary-only release back in May, NSpluginwrapper is now available
with source code."
Comments (8 posted)
Miscellaneous
Slashdot
mentions a new Linux platform, the
Eurotech ZYPAD.
"
"The Zypad is a new arm-wearable computer right out of Futurama. It can run Windows CE or Linux and has a 400 MHz CPU, 64MB Flash memory, 3.5 inch screen. The Zypad leaves the user's hands free; it has no keyboard, just a touchscreen and navigation keys. Voice recognition is 'being developed.' It turns on only when you look at it, so it saves power. It has GPS and Bluetooth/WLAN/GSM connectivity."
Comments (1 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Microsoft has
announced that it has started the "Open XML Translator Project," which "will create tools to build a technical
bridge between the Microsoft Office Open XML Formats and the
OpenDocument Format (ODF)." The result will be released under the BSD license.
The OpenOffice.org project has sent out a release of its own expressing its pleasure that "Microsoft has bowed to pressure from the marketplace."
Comments (16 posted)
DefectiveByDesign.org has announced a new petition:
"
The direct action campaign DefectiveByDesign.org, today called
for all technologists to sign
the petition calling upon Bono the lead singer of U2, to
take a stand against Digital Restrictions Management (DRM).
The campaign aims to
collect 10,000 signatures, at which point they will seek an audience
with Bono, and discuss with him the threats posed by DRM."
Full Story (comments: none)
The POSIX(R) Revision Draft 1 has been announced by the Austin Group.
It is available for review and revision until September 1, 2006.
Full Story (comments: none)
Damien Sandras has put together a
project history
of the Ekiga project (formerly GnomeMeeting).
"
We celebrate this week the 5th birthday of the Ekiga project.
Ekiga is the first Open Source software to bring both Voice over IP/IP Telephony and video conferencing to the desktop, since 2001. It quickly became popular, among others thanks to the compatibility with the Netmeeting software.
Today, Ekiga has evolved into a mature and stable product which is not limited to Netmeeting anymore, in terms of compatibility. This was made possible thanks to the addition of another protocol, namely SIP."
Comments (none posted)
Bram Biesbrouck has announced a new community-enabled video
helpdesking project.
"
It gets down to this: A friend asks you to help solve some computer-related problem. You fire up ScreenKast (see below), record
the answer/solution from your screen, add comments, submit your
captured tutorial to
http://captorials.com
and share it with your friend and everyone else."
Full Story (comments: none)
Google has announced the selection of six projects for the
Women's Summer Outreach Program 2006.
"
Following on from GNOME's participation in Google's Summer of Code, we've decided to sponsor three projects in a similar fashion to the Summer of Code, but for women only. GNOME had no Summer of Code applications from women, and we think it's time to do something to encourage more women to join our development community."
Comments (1 posted)
Commercial announcements
froglogic GmbH has
announced
the availability of Squish/KDE. Squish/KDE is a special, free edition of
the Qt GUI testing tool Squish to create and run tests on applications
developed for the K Desktop Environment.
Comments (none posted)
Linspire, Inc., partnering with AOpen and Mirus Innovations, has
announced the Linspire Mini Koobox PC.
"
Measuring in at just 6.5 x 6.5 x 2 inches and 3.0 lbs., the basic
configuration boasts a brushed matte-platinum case with clear blue plastic
accents, slot-in slim CDRW/DVD combo drive with DVD-playing software,
integrated Ethernet card, and is based on the Intel 915 chipset. To add to
the streamlined aesthetic, ports are located in the back of the unit,
including two USB 2.0 ports, one IEEE 1394 port (Firewire), speaker-out,
S-video, and mic. The Mini Koobox also has a DVI monitor connector and
includes a DVI-to-VGA adapter so that it can be connected to plasma-display
or large-format monitors. Inside, the machine checks in with 256 MB DDR2
RAM, Intel Celeron M 370 1.5 Ghz processor, and a 40 GB hard drive."
Comments (7 posted)
Resources
The
Linux Gazette for July
2006 is out. Articles include How Fonts Interact with the X Server
and X Clients, Creating a Rudimentary Kiosk System using
FVWM, A Brief Introduction to VMware Player, Subversion:
Installation, Configuration -- Tips and Tricks, Coding a Simple
Packet Sniffer, and more.
Comments (1 posted)
O'Reilly has published several new PDF Guides, including:
"RJS Templates for Rails" By Cody Fauser,
"bash Quick Reference" by Arnold Robbins,
"How to Keep Your Boss from Sinking Your Project" By Andrew Stellman
and Jennifer Greene and
"Your Life in Web Apps" by Giles Turnbull.
Full Story (comments: none)
Contests and Awards
LinuxMedNews
has announced that nominations are being accepted for the
6th annual Linux Medical News Freedom Award.
"
Deadline for entries is July 30th, 2006. This is NOT a
officially sponsored event of AMIA. Free and open source software isn't
'magic pixie dust' and there are people making significant personal
sacrifices as well as doing difficult work to make medicine's free software
future a reality. This award is intended to honor the individual or project
who has accomplished the most towards the goal of improving medical education
and practice through free/open source medical software."
Comments (none posted)
BULL has
announced that its Linux-based Tera 10 supercomputer is ranked as
the fastest in Europe.
"
Tera 10 is ranked number one in Europe and number five in the world
in the 27th TOP500 listing of the world's supercomputers, published at the
International Supercomputer Conference (ISC2006) in Dresden, Germany
- Installed in 2005, the supercomputer is made up of 544 NovaScale
computing nodes and 58 I/O management and system administration nodes,
representing over 4,500 Dual-Core Intel(R) Itanium(R) 2 'Montecito'
processors".
Comments (none posted)
Education and Certification
Novell, Inc. has
announced a collaboration with Thomson Learning involving the creation
of new SUSE courseware.
"
Novell unveiled its "Train the
Teacher" series, the industry's first free week-long boot camp for Linux
educators. In addition, Novell is the first Linux vendor to partner with
Thomson Course Technology, the world's leading technology education
publishers, with the release of a series of new joint SUSE(R) Linux
Enterprise courseware offerings."
Comments (none posted)
Event Reports
KDE.News
covers
the recent Free and Open Source conference in St. Augustin, Germany,
from the KDE perspective.
"
Hosted by the Computer Science department of the Bonn-Rhein-Sieg University of Applied Sciences, the conference also provided rooms for free software projects. One was seized by the KDE project for discussion and hacking. Additionally, representatives of the KDE project gave two talks at the official conference programs, as well as two other talks that directly related to KDE. Read on for the full report."
Comments (none posted)
O'Reilly sent out a press release for the recent Where 2.0 Conference.
"
At the second annual O'Reilly Where 2.0 Conference, over
700 location-aware hackers, entrepreneurs, "neogeographers," and members
of the mapping establishment spent two days immersed in the innovations
springing up at the intersection of the Internet and location. Where 2.0,
which wrapped up earlier this month in San Jose, California, explored hard
technical issues such as GIS/GPS in emergency situations, Virtual Earth
and Windows Live Local, NASA World Wind, the latest version of Google
Earth, mapping and mobility, geospatial data, business value, and more."
Full Story (comments: none)
Calls for Presentations
Registration is open for the Gelato ICE: Itanium(r) Conference & Expo to be
held on October 1-4, 2006 at the Biopolis in Singapore. In addition, Gelato
is seeking quality technical speakers to share their expertise of Linux on
Itanium architecture for this conference.
Full Story (comments: none)
A call for presentations has been sent out for
LCA 2007. The event will
be held on January 15-20, 2007 at the University of New South Wales
in Sydney, Australia.
"
The linux.conf.au 2007 team have opened the gates for new talent
to submit a
presentation, paper or mini-conf proposal. Earn your place amongst the
league of lca speakers such as Andrew Tridgell, Alan Cox, Eben Moglen and
Van Jacobson. We are particularly keen to hear from new talent to add to the
magic of lca."
Full Story (comments: none)
A call for papers reminder has gone out for the
15th International Conference on Computing. The event takes place on
November 21-24, 2006 in Mexico City, Mexico; papers are due by July 7.
Full Story (comments: none)
A Call For Papers has gone out for the No cON Name 2006 Congress (NcN).
"
This congress is thought for system and network administrators,
programmers, experts and/or security auditors, and also independent
self-taught computer security experts.
All of them with the same objective: to share and understand new and
different systems that actually form the world networks."
The event will take place in Palma de Mallorca, Spain on September
29-30, 2006; submissions are due by August 15.
Full Story (comments: none)
Upcoming Events
KDE.News has
announced
the opening of
registration
for the
Akademy 2006 conference.
"
KDE welcomes registration from anybody interested in the future development of KDE, including developers, translators, other free software projects, representatives of the software industry and ISVs interested in using free desktops and the KDE application framework."
The conference takes place from September 23-30, 2006 in Dublin, Ireland.
Comments (none posted)
The
php|works/db|works 2006 conference will take place in Toronto,
Canada on September 13-15, 2006.
"
The theme for this year's conference is "Lighter. Faster. More Powerful." Today's applications must be able to rapidly scale to support increasingly more complex requirements and features; php|works and db|works explore how PHP and database technologies are evolving to meet these requirements."
Comments (none posted)
The
PostgreSQL Anniversary Summit will take place on
July 8 and 9 in Toronto, Canada.
"
This 2-day event will feature numerous presentations and community sessions to let community members share their knowledge. Many major contributors to PostgreSQL will be there, and most of them will be speaking or leading coding sessions: Tom Lane, Bruce Momjian, Tatsuo Ishii, Gavin Sherry, Neil Conway and more. At the event we will also discuss and coordinate community advocacy and fundraising efforts."
Comments (none posted)
| Date | Event | Location |
| July 7 - 8, 2006 | 7th Libre Software Meeting (LSM) | (Nancy 1 University) Vandoeuvre-les-Nancy, France |
| July 7 - 8, 2006 | V Jornades de Programari Lliure | Barcelona, Spain |
| July 8 - 9, 2006 | PostgreSQL Anniversary Summit | Toronto, Canada |
| July 10 - 11, 2006 | Global db4o User Conference (dUC) | (Imperial College, South Kensington) London, UK |
| July 13 - 14, 2006 | Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) | Berlin, Germany |
| July 15 - 16, 2006 | Crystal Space Conference | (University of Aachen) Aachen, Germany |
| July 16 - 19, 2006 | 2nd International Symposium on Free/Open Source Software, Technologies and Content (FOSSTEC 2006) | Orlando, Florida, USA |
| July 19 - 22, 2006 | Ottawa Linux Symposium 2006 (OLS 2006) | Ottawa, Canada |
| July 22 - 23, 2006 | LugRadio Live | (Wolverhampton University) Wolverhampton, UK |
| July 24 - 28, 2006 | O'Reilly Open Source Convention (OSCON 2006) | Portland, Oregon |
| July 29 - August 3, 2006 | Black Hat USA 2006 Briefings and Training | (Caesars Palace) Las Vegas, NV |
| August 4 - 6, 2006 | DEF CON 14 | (Riviera Hotel) Las Vegas, NV |
| August 4 - 6, 2006 | Wikimania | (Harvard Law School) Cambridge, MA |
| August 4 - 6, 2006 | Vancouver Python Workshop | Vancouver, BC, Canada |
| August 8 - 10, 2006 | Flash Memory Summit | (Wyndham Hotel) San Jose, CA |
| August 14 - 17, 2006 | LinuxWorld San Francisco 2006 | (Moscone Center) San Francisco, CA |
| August 14 - 17, 2006 | ApacheCon Asia | (Trans Asia Hotel) Colombo, Sri Lanka |
| August 17 - 18, 2006 | Python for Scientific Computing (SciPy2006) | (Caltech) Pasadena, CA |
| August 18 - 19, 2006 | The Ubucon Conference | (Google headquarters) Mountain View, CA |
| August 28 - 31, 2006 | Bellua Cyber Security Asia 2006 | (Jakarta Convention Center) Jakarta, Indonesia |
Comments (none posted)
Audio and Video programs
The folks at
LugRadio
have produced three podcast shows, live from the GUADEC conference.
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Florian Mueller <fmueller.nosoftwarepatents-AT-googlemail.com> |
| To: | <lwn-AT-lwn.net> |
| Subject: | Evidence for Red Hat's Mark Webbink's pro-software patent directive lobbying |
| Date: | Mon, 3 Jul 2006 08:00:12 +0200 |
www.no-lobbyists-as-such.com/florian-mueller-blog/red-hat-mark-webbink/
Evidence for Mark Webbink's pro-patent directive lobbying on July 5, 2005
July 3rd, 2006
In my previous blog article, I mentioned the fact that Red Hat's deputy
general counsel, Mark Webbink, lobbied in the European Parliament on July 5,
2005 (the day before the EP's decisive vote to reject the software patent
bill) to keep the software patent directive alive.
I had not anticipated the kind of Internet debate that this statement would
trigger, including some insulting emails that were sent to me, and least of
all I would have expected Mark Webbink to call into question the "veracity
of [my] statements", which is what he did in the discussion below this
LWN.net article. He knows exactly what he did.
The word "motivations" also appears in that posting. It's really simple: on
the occasion of a patent suit having been filed against Red Hat, I thought
it was time to tell the truth. Especially the free and open source software
(FOSS) community should know where certain key players stand. That will
better enable people to take a critical perspective on such initiatives as
the OSDL Patent Commons.
Contrary to what Mark Webbink claims, my related statements are not
"unverifiable". What he did on July 5, 2005 is a well-documented fact, and
here's some evidence:
From: [name and address of adviser to Michel Rocard MEP deleted]
Sent: Monday, October 31, 2005 2:53 AM
To: Florian Mueller
Cc: europarl-help@ffii.org
Subject: Re: Economist article - coordinated response needed
[cut]
Yes. The day before the vote, as I had been considered
by them as somewhat connected to Mr Rocard 8^) , I
have been quite heavily lobbied by a group comprising
Mrs Thornby-Nielsen (Sun), Mrs Moll (Google), Mr Webbink
(RedHat) and Mr Cox (IBM). All four had basically the
same concerns
[cut]
I have removed parts of the email and in particular the name of the author,
further to his request. He would prefer to stay in the background, like many
political advisers do. But europarl-help@ffii.org is a key mailing list of
European anti-software patent activists, and dozens of people received that
email directly. No one will seriously question its authenticity.
And here's an important excerpt from a follow-up email:
From: [name and address of adviser to Michel Rocard MEP deleted]
Sent: Monday, October 31, 2005 1:44 PM
To: Florian Mueller
Cc: europarl-help@ffii.org
Subject: Re: Economist article - coordinated response needed
[cut]
> They were against the rejection deal, right? I know that Mark W. and
> Charlotte T.-N. didn't want rejection.
It seemed so to me. All of them. Basically, it seemed
to me they were not likely to have no software patents
at all. The interpretation I gave Mr Webbink was that
it is not culturally acceptable, for most people that
come from the legal and patent world, to reject a system
from which one can make some money.
[cut]
I believe the above should eliminate all reasonable doubt about what
happened that day. While the FFII and I were asking everyone we knew in the
European Parliament to reject the proposed software patent directive, Red
Hat's Mark Webbink, along with representatives of IBM, Sun and Google,
pushed in the opposite direction.
So what did he really want to achieve? Someone pointed me to an article Mark
Webbink wrote and which in its paragraph #20 refers to the EU software
patent directive. He asks for a definition of the term "technical
contribution" (a key term in patent law) that "will eliminate the vast
majority of business method patents and will restore a substantial
non-obviousness test to software patents". If you read that carefully, it
means he accepts software patents per se. He'd just like to raise the bar a
little bit, and the FFII and I and all others who know how substantive
patent law is applied in practice can tell you that defining "technical
contribution" properly would not be a sufficient measure. It would just have
the desired effect as part of a coherent framework of patentability
criteria. Otherwise it's like a bucket has five holes and you close one: all
of the water will still go through the other holes.
In the same article, and in the Red Hat/Sun position paper that Mark Webbink
published again on LWN.net, a lot of emphasis is put on an interoperability
privilege. That, again, means to accept the patentability of software per
se, but to demand a carve-out for certain purposes. To the FFII and myself,
interoperability was not even a secondary priority. We focused on the
definition of what is patentable and what is not. If software is not
patentable at all, there's no pressing need for an interoperability
exception as far as we're concerned. Interoperability was exactly the area
in which the pro-software patent forces were most willing to make a
concession if it allowed them to win the wider battle.
Finally, I'd like to reiterate what I said in my previous post: What Mark
Webbink did behind the scenes is not necessarily Red Hat's position as a
company, even though Red Hat has entrusted him with patent lobbying. There
are many people at Red Hat who clearly oppose software patents, and who
opposed the EU software patent directive, most of all Alan Cox.
Comments (1 posted)
| From: | Jonas Maebe <jmaebe-AT-ffii.org> |
| To: | letters-AT-lwn.net |
| Subject: | FFII reaction to software patents/Red Hat controversy |
| Date: | Wed, 5 Jul 2006 17:03:09 +0200 |
| Cc: | eboard <eboard-AT-ffii.org> |
(Enlarged board of the FFII in CC)
Dear editors,
After reading some reactions at http://lwn.net/Articles/189693/ and
seeing the way the FFII is being implicated in the ensuing
discussion, we would like to make the statement you can find below.
Best regards,
Jonas Maebe
Board member of the FFII
---
We, the board and membership of the FFII, who fought alongside many
firms (including Red Hat) against software patents last year, and who
are continuing the fight against software patents today, would like
to state that:
1. During the second reading of the software patents directive last
year, 21 compromise
amendments (21CA) were tabled by MEPs following Rocard
(Socialists), Buzek/Roithová (Christian Democrats) and Duff
(Liberals), and also by the Greens, GUE/NGL and IND/DEM as groups.
These amendments went straight against the Commission and Council's
attempt to turn current EPO practice into law. The FFII fully
supported these amendments.
2. Until the last minute, the FFII's strategy was to support both
those amendments and rejection: we recommended both on the
voting lists [PDF] we distributed to MEPs.
Other people on our side chose to support only one of these options
for either strategic or political reasons. The FFII considered both
options a very good outcome, and would like to thank everyone who
helped no matter which option they promoted.
3. The pro software patent lobby decided, on the eve of the vote, to
start pushing for rejection rather than risk any of the 21CA being
approved. This was in part thanks to the dual strategy of lobbying
for both the amendments and for rejection: they were afraid that the
21CA would be approved, so they chose their second best option which
happened to be fine for us as well (and MEPs knew that both were fine
for us).
4. The lobbying by ourselves and others in favour of the 21CA by
definition implied a position "to keep the software patent directive
alive". This does not mean that these people, us included, were in
favour of software patents.
5. In the end, only the MEPs had the decision taking power. The MEPs
on our side were strong thanks to the widespread support which our
platform enjoyed (SMEs, academics, IT professionals, the open source
community, ...). Whether companies, organisations and individuals
decided to formulate their support for our platform by promoting the
21CA, rejection or both was up to them as far as the FFII is concerned.
6. The final decision was dictated by on the one hand the balance of
power within the political groups, and on the other hand the
unhappiness all MEPs shared about the Commission refusing their two
restart requests. Rejection was therefore the ultimate compromise,
and at the same time a strong signal towards the EPO stating "we are
not turning your current practice into European law".
7. In conclusion: in July 2005 the FFII position was supported by Red
Hat and Mark Webbink, and we have no reason to believe we no longer
have their support today on the topic of software patents.
This side issue is regrettable and badly timed, considering that the
EU Commission is planning to launch the next round of their pro
software patents campaign next week in Brussels, promoting the European
Patent Litigation Agreement (EPLA). The EPLA is an attempt to
undo the work achieved last year in Parliament, and to institute
software patents through the back door, by enforcing EPO case law
across all Europe.
In a nutshell, the EPLA would remove all current national patent
courts, put one European-wide patent court in its place and have the
people currently running the EPO appoint its judges every six years.
We therefore call upon all parties to work with the FFII to continue
the fight against software patents in Europe and abroad and to
support us this year, as they did last year, against the lobbyists of
the patent establishment.
In the long term, the way forward is clear: build on the 21CA, and the related 10 core clarifications, to reinstate a
proper basis for patent law and to avoid its extension into economic
areas where it does not work. At the same time, the EPO must be
opened up so it is no longer exclusively controlled by the patent
establishment, as otherwise we keep trying to save a tree while
letting the forest burn.
Signed,
The Board and Membership of the FFII
Comments (none posted)
Page editor: Jonathan Corbet