
LWN.net Weekly Edition for August 31, 2006

The Linux Standard Base gets some applications

The Linux Standard Base project will provide a vendor-neutral standard, backed by source code, upon which to build Linux distributions, much as the Linux kernel project provides a single kernel that is shared by all distributions....

The application of the standard will be that any program that runs successfully on the reference platform can be expected to run on all Linux systems.

With these words, the Linux Standard Base project was launched in May of 1998. This project set out to create a reference platform which would encourage the porting of commercial application programs to the Linux system. By eliminating the need to create a separate version of a program for every supported distribution, the LSB, it was thought, would bring about a wealth of Linux-based applications without impeding the free development of a variety of Linux distributions.

Over the subsequent years, the LSB has limped along under a succession of leaders. A number of LSB standards addressing different parts of the system have been created. Most of the major distributions have made the effort to implement LSB compliance, so there is a vast number of deployed, LSB-certified Linux systems out there. Only one little, nagging problem has remained: no application vendors have stepped forward to certify their products for Linux.

That situation changed quietly a couple of weeks ago, however, when the Free Standards Group (the parent organization which is developing the LSB) announced the first two certified LSB applications. These applications - RealPlayer and MySQL - are no strangers to the Linux platform, so their certification is unlikely to change life for many Linux users. RealPlayer already works on the bulk of Linux distributions, and MySQL, being free software, is shipped with most of them. But the fact that these vendors made the effort to certify their products shows that the LSB effort - recently returned to life under the leadership of Ian Murdock - might just go somewhere this time.

The real test, however, will be whether any new applications, previously unsupported under Linux, hit the market with LSB certification. Thus far, the LSB has failed to encourage any vendors - any at all - to support Linux by porting to the LSB platform. The recent announcement has not changed that fact - RealPlayer and MySQL were already available to Linux users in an uncertified form.

Clearly, in 1998, the LSB was ahead of its time. The proprietary application vendors, for the most part, were not even close to being ready to support their products on Linux. There is not much that the LSB effort could have done to change that fact. As Linux grows, however, vendors will begin to believe that there might be a worthwhile market to be found there; the LSB intends to be there when they come around. To that end, the Free Standards Group has set up a new developers network with information for vendors writing applications for the LSB.

Many LWN readers have little interest in the creation of a vibrant market for proprietary Linux applications. The available free software meets their needs, and, where it doesn't, projects are underway to improve the situation. For many, the installation of proprietary applications would only compromise the years-long effort to create a free system. These people care little about the progress of the LSB.

The fact remains, however, that there is a large variety of proprietary software for which no free equivalent exists, not even in an early stage of development. There is also a large body of potential users who will not consider moving over to Linux until the applications they need are available. If the LSB succeeds in encouraging ports of some of those applications, it could encourage some of those users to make the jump to free software. And that, in the end, should be a good thing.


Managing Gentoo - a study in quotes

People outside of the Gentoo Linux project may be surprised to learn that the Gentoo developers are currently electing a new management council. Unlike, say, Debian, Gentoo tends to do a fair amount of its deliberations out of public view. There has recently been a discussion, however, which has brought out some of the concerns that Gentoo developers have. Here are some excerpts.

I started my fourth year as a Gentoo developer in June, and Gentoo's changed a lot since I started back in 2003. We've become a drastically more democratic organization. But the question remains - _Is this a good thing?_

When I think about where Gentoo was when we turned into a democracy years ago, and where Gentoo is now, I don't see much of a difference on the large scale. We lack any global vision for where Gentoo is going, we can't agree on who our audience is, and everyone's just working on pretty much whatever they feel like. [...]

I'm not the only one to suggest that a democracy isn't the most productive way to run Gentoo. When people wanted to change in how Gentoo was run, democracy was the only option considered, rather than simply changing the leaders. There's an ongoing assumption that if problems exist, it must be somewhere in the structure rather than in the people.

If I could go back in time a couple of years and prevent this democracy from ever happening, I would. If I could fix these problems myself, I would. But it requires buy-in from the entire Gentoo community if we're to do anything about it.

-- Donnie Berkholz

In addition to the conclusion that too much freedom has entered the life-blood that drives Gentoo it is also often the case that from the stance of upper management there is not enough freedom given. Part of what paralyzes the Council and devrel and any other historical body that has tried to keep Gentoo healthy is that there is an understanding that they can only act as a whole...as individuals none of them have power as there is fear that a rogue person in a position to abuse their responsibility will do so. It is my contention that with a body of multiple individuals such as the Council that there would be the ability to recognize and mitigate the damage done by such a rogue. I'd posit that by voting someone onto the council you are saying that you trust them enough to carry this duty on their shoulders. The Council itself should not be just a technical body to validate the merits of GLERs and/or emerging projects, it (or some other yet to be established group) has to carry the solemn duty of carrying Gentoo into the future, nurturing it as only a parent could....

All in all I suppose that is the platform that I am running on for this year's Council...take it for what you will but that is where I stand.

-- Daniel Ostrow

If there's a lack of respect at the moment, it's not for devrel. It's between individual developers, who either do not value each other as people, or do not value each other as contributors.

A good way to sort that out is to get them together in the physical world, and use group de-polarisation exercises to help folks understand that their view of the world isn't the only view that is valid. This is why I'm hoping to see Gentoo establish a regular international dev conference. You'll find that the vast majority of issues won't arise once folks actually know each other better - and the personality clashes that are left are easier to see for what they are.

-- Stuart Herbert

Maybe it's a cultural thing between some of us, or maybe it's the 'pre-daniel' versus 'post-daniel' devs. I'm curious about the demographics of our active developers that were on prior to daniel's leaving compared to those who joined after. To most of the recent active folks, they never knew what it was like before. Hell, I just got on towards the tail end of the daniel-era, so I don't have much validity in that realm myself! But I do remember how it used to be and how well we did things and how we usually respected each other in some fashion or another.

I'm afraid those days are in the past unless some kind of fork happens where the folks who think we need a leader go their way and the folks who prefer the leader-by-committee approach go their way. We all hate forks, none of us have time for forks, but looking at the dividing line, I don't see how we'll be able to compromise without adding more policies and BS.

-- Lance Albertson

It's very easy to claim that "there are too many flamewars", even if that isn't actually true. It's hard to claim "Portage needs replacing, the tree has huge QA issues, several archs are horribly unmaintained and too many developers don't have a clue what they're doing" because a) they're difficult problems to address, b) if you do say them, Condorcet ensures that you won't get elected and c) you might be expected to fix them.

Most of these problems could be solved if we had a council that was far less spineless, a council that's prepared to address the *real* issues rather than doing nothing, a council that shows leadership and provides direction where it's needed without screwing things up where it's not.

-- Ciaran McCreesh

I definitely agree here. What has made me decide to run for the council is my wish to see things improve before we honestly do start hemorrhaging developers. We have seen indications that it is coming, but it hasn't started quite yet. A strong leadership is needed to give us direction where needed, and also to leave people well enough alone where it is not needed.

-- Chris Gianelloni

At the top level, the council, in its present form, does not manage Gentoo. It can't; it's pretty much disempowered as a management organisation due to the rules for its agenda setting. Further, I don't see any evidence of it setting targets and measuring progress or even getting progress reports.

-- Roy Bamford

So, now straight to the point, we could elect a Core Team, including people from each team. And those will be responsible for taking Gentoo into new 'realms', with its 'risks' included. I am also scared about this model .. it might not work, it actually might create the next armageddon for many. But what if it does? It might help solve this stagnation state Gentoo is facing right now, and bring more new ideas into play.

-- Luis F. Araujo

There's no detail in what you want to do, only a vague unhappiness with how things are, a desire to return to the "good old days" that never were, backed up by arguments that are demonstrably and factually incorrect or incomplete.

What is your plan? Where do you want to take Gentoo, where it isn't already going? ...

_If_ you're looking at Ubuntu with envious eyes, my advice is that you cross the floor and join them. There's no sense whatsoever in putting Gentoo head-to-head with any of the other Linux distros, unless they try to come after what we are good at.

-- Stuart Herbert

As an aside, this has long been the fundamental structural problem in the open source movement. Within a given project, things generally find a way to get done, but when a problem lies between two projects (be they peers, one dependent on the other, whatever) then things often remain unresolved....

This is actually the cutting edge area in the free software movement at the moment - trying to find a common ground for not just projects but constellations of projects and above them distros to collaborate.

-- Andrew Cowie

In this context, it can also be interesting to read Matthew Garrett's note on his departure from the Debian Project:

There's a balance to be struck between organisational freedom and organisational effectiveness. I'm not convinced that Debian has that balance right as far as forming a working community goes. In that respect, Ubuntu's an experiment - does a more rigid structure and a greater willingness to enforce certain social standards result in a more workable community?

The management of large-scale projects is hard - this has been known for centuries (or longer). Free software projects bring in some interesting new factors, however, as a result of their voluntary nature and distribution over a wide range of languages and cultures. We are unlikely to find definitive solutions to issues which have been around so long, but, perhaps, we'll learn some interesting lessons in the attempt.


The Blackboard Patent: Where's Waldo?

August 30, 2006

By Pamela Jones, Editor of Groklaw

I'm sure you have heard about the intense outrage over Blackboard, Inc.'s patent on a method of e-learning and about its initiating a patent infringement lawsuit against Canadian-based competitor Desire2Learn in the U.S. District Court for the Eastern District of Texas in July. But there is a part of the story you may not know.

Blackboard has already been called "the SCO of the educational software market". Here's the complaint [PDF], if you'd like to read it. Like most patent infringement legal filings, it's dry as dust, but if you look at paragraph 10, you will see that Blackboard's litigation appears to target Desire2Learn's entire product line:

Upon information and belief, in violation of 35 U.S.C. Section 271, D2L uses, offers to sell, and sells within the United States, and/or imports into the United States, products and services that infringe the '138 patent, including, but not limited to all D2L products based on the D2L learning system or platform, such as the D2L eLearning Technology Suite, which includes the D2L Learning Environment, Learning Repository and LiveRoom, and all services supporting these D2L products, such as hosting services, training services, help desk support services, implementation and customization professional services, and content services.

According to an open letter by the CEO of Desire2Learn, John Baker, Blackboard didn't even contact Desire2Learn prior to filing in July. Yet Blackboard is asking the court to award it treble damages for "willful" infringement.

There's already a Boycott Blackboard site, a No EDU Patents site, with a History of Internet-based learning page where you can contribute prior art, and many in higher education are blogging intensely -- studiously one might even say -- to chronicle every detail of this patent story. There is also now a Wikipedia page as mentioned by Tim O'Reilly in mid August.

Indeed, it's mighty hard not to feel outrage, or at least keep your lip from curling, when you read the patent, or better yet a plain English version of it. Here's a diagram mocking what Blackboard "invented".

The British Educational Communications and Technology Agency (BECTA) reportedly took a look and issued guidance on the patent to all companies involved in e-learning in the UK. This report, while noting that the patent has no force in the UK, reveals that Blackboard has applied for four patents at the European Patent Office (EPO). Here's a list of other patents it has applied for in the US too, including one ominously titled "Method and system for conducting online transactions." Is there some kind of a contest going on to see who can get the most obvious patent on planet earth? By the way, the US Supreme Court will be reviewing a case that speaks to the issue of what the standard should be for obviousness. Better late than never, as they say. Michael Geist reports that Blackboard "expects similar patents to be granted in nearly a dozen countries around the world including Canada, Australia, and the European Union."

Initial review by the EPO found the claims not to be novel. Alfred Essa, on "The NOSE: Information Technology in Higher Education," prefers the word "trivial" to describe the issued US patent:

By now I have read the Blackboard patent carefully, including the notorious "44 claims". Despite what Blackboard has said in public, the claims taken together describe a generic system for e-learning and potentially covers every learning tool, present or future....

Once you strip the "44 Claims" from its stylistic dross one can immediately see that Blackboard's "Idea", or innovation as they would claim, is laughably trivial and obvious. The core ideas in the system part of the claim originated with those individuals who developed the idea of network computing and using the Internet for collaboration. If there is one individual who deserves prior art for that Idea it's Tim Berners-Lee. But Berners-Lee himself would claim that hundreds, if not thousands of people worldwide, have contributed to developing and establishing the Idea of network and collaborative computing.

The FOSS community is naturally very concerned that, after Blackboard finishes suing Desire2Learn, it will come after Open Source e-learning projects like Moodle. In response, the Sakai Foundation, which helps colleges and universities run open source e-learning systems, has hired the Software Freedom Law Center to advise these projects. I think they are right to be worried despite assurances from Matthew Small, Blackboard's general counsel, that the company has no plans to challenge Open Source projects. For one thing, not having current plans doesn't prevent Blackboard from changing its mind at any time if this patent stands. Then there is the SCO comparison. It started me researching.

The SCO Comparison Gets Me Looking for Waldo

Ever since SCO sued over allegedly infringing code in Linux and we found Microsoft a shadowy figure in the background, I have formed the habit of looking for a Microsoft connection whenever I see a story about FOSS being threatened. It's my personal "Where's Waldo" game. I remember Bill Gates saying in 2003, shortly after SCO began its campaign, that Linux would be hounded by IP legal troubles for 4 or 5 years. At the time, I took that as a 5-year plan. So when I heard about the Blackboard litigation, I went to Google and just searched by the keywords "blackboard microsoft."

Bingo.

I found a number of articles from 2001, which is when Blackboard and Microsoft first teamed up as partners. Yes, Blackboard and Microsoft. Here's one from June of 2001 on the deal and its purpose, "Internet Strategies for Education Markets: The Heller Report:"

Microsoft's .NET technologies (www.microsoft.com/net) will be more common in higher education through a significant agreement with Blackboard, Inc. (Washington, DC, www.blackboard.com). The co-marketing partnership calls for Blackboard to develop the next version of its e learning platform using the technologies, and for Microsoft to recognize Blackboard as its preferred e-education partner.

The goal? In this article in The Chronicle of Higher Education, dated November 23, 2001, an analyst from Directions on Microsoft said the purpose of the deal was for Microsoft to "own the educational-software market." Blackboard, according to Essa, now has a 75% share of the e-learning market.

The article quotes from a Mark V. East, worldwide general manager for the education-solutions group at Microsoft as saying, "Learning could take over from e-commerce as the number-one use of the Internet." To be able to take over a market, it probably helps if your product works better than your competition, and that was the stated plan:

Despite its emphasis on Microsoft products, Blackboard will still write versions for Unix and Linux, says Matthew S. Pittinsky, chairman of Blackboard. All versions will have the same set of basic features, although Blackboard for Microsoft will eventually have more features than Blackboard for Unix or Linux, he says.

"It will be more feature-rich to run Blackboard out of the box on Microsoft" than on other platforms, Mr. Pittinsky says. System administrators will have more options for configuring the Microsoft version of Blackboard than the non-Microsoft versions. End users will notice a difference between systems run on Microsoft and those run on other platforms, he says. It will be easier for users to incorporate documents from any Microsoft applications in Blackboard's online courses. They will have just one log-on for all Blackboard and Microsoft software through Microsoft's Passport technology.

There are other articles too, like this one in the Daily Princetonian, where academics worried out loud about Microsoft inducing Blackboard to create its software in such a way that they would be forced to switch to Microsoft or give up Blackboard. They were thinking way too simply. The goal, judging from the litigation against Desire2Learn, is not just market share; it's about money, honey. Patents are all about money, and when you have a broad patent -- and this one is nothing if not broad -- you can make all your competitors pay you licensing fees or, if they refuse, you can shut them down. Think RIM and the Blackberry story. If there is any connection between patents and innovation, it seems to be to snuff it out wherever it happens to pop up in a competitor.

When you look into who has funded Blackboard, what do you discover? Microsoft invested in Blackboard back in 2001, according to a BusinessWire press release, "Oak Hill Capital Leads Investors in $48 Million Financing of Blackboard Inc." And then in February of 2005, Business Week reported that Bill Gates himself had invested in Oak Hill Capital Partners to the tune of $55 million in the past and was ponying up $70 million for a second fund, Oak Hill Capital II. Business Week says the II fund was promising investors a 25% return. While it doesn't specify that the personal investment went to Blackboard, the Microsoft investment did. Bingo. There's Waldo. Geist puts his finger on the central point, I think:

Shock quickly gave way to fear, since the community worried that Blackboard would leverage the patent to force competitors into expensive licensing agreements, thereby increasing costs and reducing innovation.

Moreover, educators have expressed concern that the patent will create confusion within the academic community, leading some institutions to drop better learning management systems alternatives due to the legal uncertainties.

Of course, some might say that's not a bug; it's a feature.


Page editor: Jonathan Corbet

Security

The OLPC and BIOS upgrades

The One Laptop Per Child project will, if successful, place special laptop computers into the hands of millions of children all over the world. Most of these children will have never worked with a computer before. The consequences of providing Linux-based systems to this many children are likely to be huge. If this project is done right, these kids will grow up seeing free software as the preferred thing to use. Done wrong, it could turn them (and the adults around them) against Linux in a big way.

Many aspects of the OLPC systems are interesting; one of those is that they will use LinuxBIOS as their onboard, boot-time firmware. LinuxBIOS will bring a high degree of flexibility to the system, and some complexity as well. There is a real possibility that, as the result of some late bug or security problem, an in-field upgrade to LinuxBIOS will be called for. In addition, some users may want to hack on the firmware and install their own version - after all, the source is available. For both reasons, the OLPC systems will be able to rewrite their BIOS on demand.

There is a potential problem there, however. If it is too easy to rewrite the BIOS, no end of unpleasant things could happen. In the worst case, some sort of OLPC-based worm could, over a brief period, turn all online systems into expensive bricks. Or, perhaps even worse, the mass implantation of a low-level back door could be performed. For this reason, the OLPC design requires the user to give explicit permission before the BIOS can be rewritten. In particular, a specific sequence of keys on the keyboard must be held down before rewriting the BIOS will be possible.

Ivan Krstić has recently been thinking about the BIOS issue; in particular, he is worried that the keyboard-based interlock still leaves the system open to phishing attacks. The target user base for the OLPC, remember, will be very young. If something pops up on their screen telling them to push a certain set of keys, some of them may well do it. Adults may be immune to this sort of attack, but children need to be treated with more care.

So Ivan floated a proposal for a different way of doing things. It does away with the keyboard interlock; instead, the operating system is always forbidden to rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so upon finding a new BIOS image in a specific place in the filesystem. That image would have to be cryptographically signed, however, so attackers would, presumably, be unable to get a new BIOS image written. Ivan says:

Voila. This is now a completely secure BIOS solution which requires no TPM, allows fully automatic upgrades without the user's cooperation (such as pressing keys), and fully protects both against phishing and automated attacks -- in fact, it's vector-independent.

Some who responded were not entirely happy with this approach, however. The potential for performing BIOS upgrades (even if properly signed) without the user's knowledge or consent is troubling. If a bug is found in the signature verification code, the fully automated mass bricking scenario becomes real again. Users who want to put in their own version of the BIOS will be frustrated - they cannot be given the signing key without compromising the entire mechanism (though this problem can be mitigated through the addition of a unique key for each system). Some countries may be unwilling to buy and distribute the OLPC systems without the ability to create and install their own BIOS images. And so on; see the list archive for the full discussion thread.

There was no obvious consensus reached on the list - and no immediate decision to change the OLPC hardware design. It is an issue requiring some additional thought, however. The OLPC systems are designed, in general, to be easy to fix when a user breaks things - they are meant to be experimented with. A BIOS-level bricking, however, is decidedly not easy to fix; it is not a scenario which can be allowed to come about. So it will be interesting to see what solution the OLPC designers arrive at in the end.

(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).
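The scheme Ivan describes, written out as an added example that is not code from the OLPC project or from LinuxBIOS: the firmware holds a keyring (the vendor's key plus, optionally, a per-device owner key, the mitigation mentioned in the discussion), verifies an Ed25519 signature over the whole image it finds in the designated location, and only then considers rewriting flash. The container layout, the names used, and the version counter that refuses to go backwards are assumptions made for this example; the version check goes a little beyond the article, since rolling back to an older signed image with a known bug is the other way a signed-update scheme gets undermined.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout assumed for this example (not the OLPC or LinuxBIOS format):
//   magic 4 bytes "FWIM" | version 4 bytes big-endian release counter |
//   sig 64 bytes Ed25519 over magic||version||payload | payload: the BIOS image
var magic = []byte("FWIM")

const headerLen = 4 + 4 + ed25519.SignatureSize

// Keyring holds the public keys the firmware trusts: the vendor's key and, where provisioned, the owner's per-device key.
type Keyring []ed25519.PublicKey

var (
	ErrMalformed    = errors.New("image: malformed container")
	ErrBadSignature = errors.New("image: no trusted key verifies the signature")
	ErrRollback     = errors.New("image: version is not newer than the installed one")
)

// NewKey generates an Ed25519 key pair; the private half stays with the signer.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedMessage is the exact byte string the signature covers; the header is
// included so the version cannot be edited or a payload re-labelled after signing.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(payload))
	copy(msg, magic)
	binary.BigEndian.PutUint32(msg[4:8], version)
	return append(msg, payload...)
}

// Pack builds a signed update container, as the vendor's release tooling would.
func Pack(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	msg := signedMessage(version, payload)
	out := make([]byte, 0, headerLen+len(payload))
	out = append(out, msg[:8]...)
	out = append(out, ed25519.Sign(priv, msg)...)
	return append(out, payload...)
}

// Verify is the fail-closed check the BIOS runs on an image it finds in the
// designated filesystem location before touching flash: the payload comes back
// only when a trusted key verifies the signature and the version moves forward.
func Verify(trusted Keyring, installedVersion uint32, blob []byte) ([]byte, uint32, error) {
	if len(blob) <= headerLen || !bytes.Equal(blob[:4], magic) {
		return nil, 0, ErrMalformed
	}
	version := binary.BigEndian.Uint32(blob[4:8])
	sig, payload := blob[8:headerLen], blob[headerLen:]
	msg := signedMessage(version, payload)
	verified := false
	for _, pub := range trusted {
		verified = verified || ed25519.Verify(pub, msg, sig)
	}
	if !verified {
		return nil, 0, ErrBadSignature
	}
	// Only now is the version field authenticated, so only now is it consulted.
	if version <= installedVersion {
		return nil, 0, ErrRollback
	}
	return payload, version, nil
}

func main() {
	vendorPub, vendorPriv := NewKey()
	_, strangerPriv := NewKey()
	trusted := Keyring{vendorPub} // a per-device owner key would be appended here
	image := []byte("constructed BIOS image bytes")
	tampered := Pack(vendorPriv, 2, image)
	tampered[len(tampered)-1] ^= 0x01 // one payload bit flipped after signing
	for _, c := range []struct {
		name string
		blob []byte
	}{
		{"vendor, version 2", Pack(vendorPriv, 2, image)},
		{"vendor, version 1 (older)", Pack(vendorPriv, 1, image)},
		{"untrusted key, version 4", Pack(strangerPriv, 4, image)},
		{"vendor, version 2, bit flipped", tampered},
	} {
		_, v, err := Verify(trusted, 1, c.blob) // installed version is 1
		fmt.Printf("%-32s version=%d err=%v\n", c.name, v, err)
	}
}
```

`go run` prints one line per case; only the first one yields a payload. The two properties that answer the concern raised on the list are that every exit from Verify except the last returns nothing writable, and that the signature is checked before any field taken from the image, the version included, is trusted. Verify is also the part that has to stay small and be reviewed carefully, because a bug in exactly that code is what would reopen the mass-bricking scenario.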


New vulnerabilities

AlsaPlayer: multiple buffer overflows

Package(s): alsaplayer   CVE #(s): CVE-2006-4089
Created: August 28, 2006   Updated: September 19, 2006
Description: AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer.
Alerts:
Debian DSA-1179-1 2006-09-19
Gentoo 200608-24 2006-08-26


gtetrinet: buffer overflows

Package(s): gtetrinet   CVE #(s): CVE-2006-3125
Created: August 30, 2006   Updated: September 6, 2006
Description: A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
Alerts:
Gentoo 200609-02 2006-09-06
Debian DSA-1163-1 2006-08-30


lesstif: libXm library privilege escalation

Package(s): lesstif   CVE #(s): CVE-2006-4124
Created: August 29, 2006   Updated: August 30, 2006
Description: The libXm library in LessTif 0.95.0 and earlier allows local users to gain privileges via the DEBUG_FILE environment variable, which is used to create world-writable files when libXm is run from a setuid program.
Alerts:
Mandriva MDKSA-2006:154 2006-08-28


libmusicbrainz: buffer overflows

Package(s): libmusicbrainz-2.0   CVE #(s): CVE-2006-4197
Created: August 30, 2006   Updated: October 23, 2006
Description: Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
Gentoo 200610-09 2006-10-22
Ubuntu USN-363-1 2006-10-11
Mandriva MDKSA-2006:157-1 2006-09-28
rPath rPSA-2006-0161-1 2006-08-30
Mandriva MDKSA-2006:157 2006-08-30
Debian DSA-1162-1 2006-08-30


MySQL: privilege violations

Package(s): mysql   CVE #(s): CVE-2006-4031 CVE-2006-4226
Created: August 25, 2006   Updated: July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24


streamripper: buffer overflow

Package(s): streamripper   CVE #(s): CVE-2006-3124
Created: August 28, 2006   Updated: September 6, 2006
Description: Ulf Harnhammer from the Debian Security Audit Project discovered that streamripper, a utility to record online radio-streams, performs insufficient sanitizing of data received from the streaming server, which might lead to buffer overflows and the execution of arbitrary code.
Alerts:
Gentoo 200609-01 2006-09-06
Debian DSA-1158-1 2006-08-25


wireshark: several vulnerabilities

Package(s): wireshark   CVE #(s): CVE-2006-4330 CVE-2006-4331 CVE-2006-4332 CVE-2006-4333
Created: August 25, 2006   Updated: November 2, 2006
Description: There are multiple problems in Wireshark, versions 0.7.9 to 0.99.2.
Alerts:
Red Hat RHSA-2006:0658-01 2006-09-12
Debian DSA-1171-1 2006-09-07
Gentoo 200608-26 2006-08-29
Fedora FEDORA-2006-936 2006-08-25
Mandriva MDKSA-2006:152 2006-08-25
rPath rPSA-2006-0158-1 2006-08-25


X.org: local privilege escalations

Package(s): xorg-x11   CVE #(s): CVE-2006-4447
Created: August 28, 2006   Updated: April 30, 2007
Description: Several X.org libraries, and the X.org server itself, call the set*uid() functions without checking their result. A local user could deliberately exceed an assigned resource limit so that a set*uid() call fails, and then elevate privileges because the program carries on as if the call had succeeded. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 2007-04-27
Mandriva MDKSA-2006:160 2006-08-31
Gentoo 200608-25 2006-08-28
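A privilege drop that checks what the affected X.org code did not, as an added example in Go rather than the X.org C sources: the result of each set*uid() call is tested, the identity is re-read from the kernel afterwards, and after a drop from root, regaining it is confirmed to be impossible. In the advisory's scenario the setuid() call fails with EAGAIN once the target uid is at its process limit; with these checks the program refuses to continue instead of carrying on as root. The function and its names are assumptions for this example, and it assumes Linux with a Go release (1.16 or later) in which syscall.Setuid applies to every thread of the process.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// DropPrivileges switches the process to uid/gid and refuses to carry on
// unless every step succeeded and the kernel confirms the new identity.
// Assumed for this example: Linux and Go 1.16 or later, where the syscall
// setters apply to all threads of the process.
func DropPrivileges(uid, gid int) error {
	// Supplementary groups can only be cleared while still privileged.
	if syscall.Geteuid() == 0 {
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	// Group before user: once the uid is unprivileged, setgid would fail.
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid(%d): %w", gid, err)
	}
	// This is the call the advisory is about: under RLIMIT_NPROC pressure
	// setuid() fails with EAGAIN, and ignoring that leaves the process as root.
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid(%d): %w", uid, err)
	}
	// Re-read the identity rather than trusting the return values alone.
	if syscall.Getuid() != uid || syscall.Geteuid() != uid {
		return fmt.Errorf("uid is %d/%d, wanted %d", syscall.Getuid(), syscall.Geteuid(), uid)
	}
	if syscall.Getgid() != gid || syscall.Getegid() != gid {
		return fmt.Errorf("gid is %d/%d, wanted %d", syscall.Getgid(), syscall.Getegid(), gid)
	}
	// After a drop from root, getting root back must be impossible.
	if uid != 0 && syscall.Setuid(0) == nil {
		return errors.New("root could be regained after the drop")
	}
	return nil
}

func main() {
	// Switching to the caller's own ids is a harmless run any user can try.
	if err := DropPrivileges(os.Getuid(), os.Getgid()); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to continue:", err)
		os.Exit(1)
	}
	fmt.Printf("running as uid %d gid %d\n", os.Getuid(), os.Getgid())
}
```

The ordering matters as much as the checks: supplementary groups and the gid are handled while the process is still privileged, the uid goes last, and the final Setuid(0) probe is the cheap test that catches a drop which only changed the effective uid and left the saved uid at root.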


Updated vulnerabilities

apache: cross-site scripting

Package(s): apache   CVE #(s): CVE-2006-3918
Created: August 9, 2006   Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08


audacious: buffer overflow

Package(s): audacious   CVE #(s): CVE-2006-3581 CVE-2006-3582
Created: August 2, 2006   Updated: September 13, 2006
Description: Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file.
Alerts:
Gentoo 200609-06 2006-09-12
Gentoo 200607-13 2006-07-29


binutils: buffer overflow

Package(s): binutils   CVE #(s): CVE-2005-4807
Created: August 17, 2006   Updated: October 19, 2006
Description: The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user.
Alerts:
Ubuntu USN-366-1 2006-10-18
Ubuntu USN-336-1 2006-08-16

Comments (3 posted)

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:153 2006-08-28
Ubuntu USN-292-1 2006-06-09
OpenPKG OpenPKG-SA-2006.009 2006-05-26

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords. This makes precomputed-table and brute-force attacks against a stolen password file much faster than they should be.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files: bzip2 changes the permissions of its output file by name after decompression completes, so an attacker who replaces that file with a hard link to another file while decompression is running has bzip2 change the permissions of the target instead. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

fbi: incorrect filtering

Package(s):fbi CVE #(s):CVE-2006-3119
Created:July 24, 2006 Updated:August 24, 2006
Description: Toth Andras discovered that the fbgs framebuffer postscript/PDF viewer contains a typo, which prevents the intended filter against malicious postscript commands from working correctly. This might lead to the deletion of user data when displaying a postscript file.
Alerts:
Gentoo 200608-22 2006-08-23
Debian DSA-1124-1 2006-07-24

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):firefox seamonkey thunderbird CVE #(s):CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812
Created:July 27, 2006 Updated:September 15, 2006
Description: This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
Alerts:
Debian DSA-1160-2 2006-09-15
Debian DSA-1161-2 2006-09-13
Debian DSA-1159-2 2006-09-08
Debian DSA-1161-1 2006-08-29
Debian DSA-1160-1 2006-08-29
Red Hat RHSA-2006:0594-02 2006-08-28
Debian DSA-1159-1 2006-08-28
Mandriva MDKSA-2006:146 2006-08-21
Mandriva MDKSA-2006:145 2006-08-21
Mandriva MDKSA-2006:143-1 2006-08-17
Mandriva MDKSA-2006:143 2006-08-16
SuSE SUSE-SA:2006:048 2006-08-16
Fedora FEDORA-2006-902 2006-08-09
Fedora FEDORA-2006-903 2006-08-09
Gentoo 200608-04 2006-08-03
Gentoo 200608-03 2006-08-03
Gentoo 200608-02 2006-08-03
Red Hat RHSA-2006:0609-01 2006-08-02
Ubuntu USN-327-2 2006-08-01
Ubuntu USN-329-1 2006-07-28
Red Hat RHSA-2006:0611-01 2006-07-28
Red Hat RHSA-2006:0610-01 2006-07-28
Slackware SSA:2006-208-01 2006-07-28
rPath rPSA-2006-0138-1 2006-07-27
Red Hat RHSA-2006:0608-01 2006-07-27
Ubuntu USN-327-1 2006-07-27
rPath rPSA-2006-0137-1 2006-07-26

Comments (none posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters such as '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

heartbeat: out-of-bounds read

Package(s):heartbeat CVE #(s):CVE-2006-3121
Created:August 15, 2006 Updated:August 25, 2006
Description: Yan Rong Ge discovered out-of-boundary memory access in heartbeat, the subsystem for High-Availability Linux. This could be used by a remote attacker to cause a denial of service.
Alerts:
Gentoo 200608-23 2006-08-24
Ubuntu USN-335-1 2006-08-16
Debian DSA-1151-1 2006-08-15

Comments (none posted)

imagemagick: buffer overflow

Package(s):imagemagick CVE #(s):CVE-2006-4144
Created:August 17, 2006 Updated:August 29, 2006
Description: The imagemagick SGI file format decoder is vulnerable to a buffer overflow. If a user can be tricked into processing a specially crafted SGI image, arbitrary code may be executed with the privileges of the user.
Alerts:
Mandriva MDKSA-2006:155 2006-08-29
rPath rPSA-2006-0159-1 2006-08-29
Trustix TSLSA-2006-0048 2006-08-25
Red Hat RHSA-2006:0633-03 2006-08-24
Fedora FEDORA-2006-929 2006-08-23
Ubuntu USN-337-1 2006-08-16

Comments (none posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

kdebase: privilege escalation

Package(s):kdebase CVE #(s):CVE-2006-2449
Created:June 15, 2006 Updated:August 28, 2006
Description: The KDE Display Manager (KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information.
Alerts:
Fedora FEDORA-2006-942 2006-08-28
Debian DSA-1156-1 2006-08-27
Red Hat RHSA-2006:0576-01 2006-07-25
SuSE SUSE-SA:2006:039 2006-07-03
Slackware SSA:2006-178-01 2006-06-28
Gentoo 200606-23 2006-06-22
Fedora FEDORA-2006-726 2006-06-19
Fedora FEDORA-2006-725 2006-06-19
Mandriva MDKSA-2006:106 2006-06-15
Mandriva MDKSA-2006:105 2006-06-15
rPath rPSA-2006-0106-1 2006-06-15
Ubuntu USN-301-1 2006-06-14
Red Hat RHSA-2006:0548-01 2006-06-14

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, create a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
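Both this backup-permission leak and the bzip2 hard-link race listed earlier come down to two details: how the output file is created and how its mode is set afterwards. The following is an added example, not code from Kate, KWrite or bzip2: it creates the output with O_EXCL under a restrictive mode, copies the data, and then applies the source file's permission bits through the open descriptor with fchmod() rather than chmod() on the path name. A hard link an attacker swaps in at that name is therefore never touched, and the umask cannot widen a private file's permissions. The function names are hypothetical, and self_check() builds its own temporary files under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or (mode_t)-1 if it cannot be stat()ed. */
mode_t file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

/* The vulnerable shape (not implemented here on purpose): write dst with the
 * umask-derived default mode, close it, then chmod(dst, mode) BY NAME.  Between
 * the close() and the chmod() a local user who can write the directory may
 * unlink dst and hard-link a file they do not own into its place; the chmod()
 * then lands on that file.  A backup written without the chmod() at all keeps
 * the default mode, which is the Kate/KWrite leak.
 *
 * Hardened version: O_EXCL creation under 0600, then fchmod() on the descriptor
 * we wrote through, so the mode change can only affect the inode we created.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_with_mode(const char *src, const char *dst)
{
    struct stat st;
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0)
        return -1;
    if (fstat(in, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(in);
        errno = EINVAL;
        return -1;
    }
    /* O_EXCL: refuse to follow anything already planted at dst. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) {
        int saved = errno;
        close(in);
        errno = saved;
        return -1;
    }
    int rc = 0;
    char buf[4096];
    ssize_t n;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) != 0) {
        if (n < 0) { rc = -1; break; }
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { rc = -1; break; }
            off += w;
        }
    }
    /* Copy the original's permission bits via the descriptor, not the path. */
    if (rc == 0 && fchmod(out, st.st_mode & 07777) != 0)
        rc = -1;
    close(in);
    if (close(out) != 0)
        rc = -1;
    if (rc != 0)
        unlink(dst);   /* we created it, so removing it is safe */
    return rc;
}

/* Constructed scenario: a 0640 source file, copied twice.  Returns 0 if the
 * copy carries the source mode and the second attempt is refused by O_EXCL. */
int self_check(void)
{
    char src[] = "/tmp/lwn-src-XXXXXX";
    char dst[64];
    int rc = -1;
    int fd = mkstemp(src);
    if (fd < 0)
        return -1;
    if (write(fd, "hello\n", 6) == 6 && fchmod(fd, 0640) == 0) {
        close(fd);
        snprintf(dst, sizeof dst, "%s.copy", src);
        if (copy_with_mode(src, dst) == 0
            && file_mode(dst) == 0640          /* mode copied, umask ignored */
            && copy_with_mode(src, dst) == -1  /* existing path is refused */
            && errno == EEXIST)
            rc = 0;
        unlink(dst);
    } else {
        close(fd);
    }
    unlink(src);
    return rc;
}

int main(void)
{
    return self_check() == 0 ? 0 : 1;
}
```

The O_NOFOLLOW on the source and S_ISREG check are there because the same attacker can also play games with the input: a symlink to a device or FIFO would otherwise stall or mis-size the copy.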
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: privilege escalation

Package(s):kernel-source-2.6.8 CVE #(s):CVE-2006-3626
Created:July 27, 2006 Updated:August 23, 2006
Description: The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures.
Alerts:
Red Hat RHSA-2006:0617-01 2006-08-22
SuSE SUSE-SA:2006:049 2006-08-18
Debian DSA-1111-2 2006-07-26

Comments (1 posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
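The X.org and vixie-cron entries above describe the same defect. As an added illustration, not code from krb5, X.org or cron and not taken from any of the advisories, here is the unchecked privilege drop beside a checked one. It assumes Linux semantics: setuid() fails with EAGAIN when the target uid has exhausted its RLIMIT_NPROC, and rejects the invalid uid (uid_t)-1 with EINVAL. The function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The shape shared by the advisories: the results of setgid()/setuid() are
 * thrown away.  If the target uid is already at its RLIMIT_NPROC limit,
 * setuid() fails with EAGAIN and everything after this point still runs as
 * root.  Shown for contrast only; do not use. */
void drop_privileges_unsafe(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Hardened form: check every call, drop supplementary groups and the gid
 * before the uid (once the uid is unprivileged the group calls would fail),
 * then verify the post-conditions instead of trusting the calls.
 * Returns 0 on success, -1 with errno set on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Real and effective ids must now be exactly the requested ones... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ...and, if we left root, it must be impossible to come back. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Switching to our own ids is always permitted, so this also runs
     * unprivileged.  A caller that gets -1 must abort, never carry on. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The attacker's lever in all three advisories is making the call fail rather than subverting it, which is why the check has to be on the return value and the resulting ids, not on the arguments passed in.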
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-08-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu-Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it leads to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, can accept a login when the LDAP server it talks to is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflows

Package(s):libtiff CVE #(s):CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465
Created:August 2, 2006 Updated:September 5, 2006
Description: An audit of the libtiff library (done by Tavis Ormandy at Google) turned up several buffer overflow vulnerabilities.
Alerts:
Red Hat RHSA-2006:0648-01 2006-08-28
Slackware SSA:2006-230-01 2006-08-18
Gentoo 200608-07 2006-08-04
Ubuntu USN-330-1 2006-08-02
Red Hat RHSA-2006:0603-01 2006-08-02
Debian DSA-1137-1 2006-08-02
rPath rPSA-2006-0142-1 2006-08-01
Mandriva MDKSA-2006:136 2006-08-01
Mandriva MDKSA-2006:137 2006-08-01
Fedora FEDORA-2006-877 2006-08-02
Fedora FEDORA-2006-878 2006-08-02

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate the security type selected by the client, effectively letting the client decide which type to use, such as "Type 1 - None". LibVNCServer will accept this security type even if the server did not offer it, so a client can skip authentication entirely.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
OpenPKG OpenPKG-SA-2006.031 2006-11-06
Debian DSA-1194-1 2006-10-09
Gentoo 200608-17 2006-08-10
Ubuntu USN-333-1 2006-08-09
Mandriva MDKSA-2006:132 2006-07-28
Fedora FEDORA-2006-831 2006-07-18
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-804 2006-07-12

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page that redirects to a malicious URL, which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mutt: IMAP namespace buffer overflow

Package(s):mutt CVE #(s):CVE-2006-3242
Created:June 28, 2006 Updated:October 24, 2006
Description: TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information.
Alerts:
Fedora FEDORA-2006-1061 2006-10-24
Slackware SSA:2006-207-01 2006-07-27
OpenPKG OpenPKG-SA-2006.013 2006-07-15
SuSE SUSE-SR:2006:016 2006-07-14
Red Hat RHSA-2006:0577-01 2006-07-12
Debian DSA-1108-1 2006-07-11
Fedora FEDORA-2006-761 2006-06-29
Fedora FEDORA-2006-760 2006-06-29
Trustix TSLSA-2006-0038 2006-06-30
rPath rPSA-2006-0116-1 2006-06-29
Mandriva MDKSA-2006:115 2006-06-28
Gentoo 200606-27 2006-06-28
Ubuntu USN-307-1 2006-06-28

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
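The request-size check the advisory refers to is the bread-and-butter bound on a length field read from the network. As an added example with a hypothetical wire format and names, not nbd-server's own code, here is a minimal request parser in the vulnerable shape beside its bounded version: the peer-supplied length has to be checked against both the destination buffer and the bytes actually received before anything is copied. The sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD 64   /* capacity of our request buffer (assumption) */

struct request {
    uint32_t len;                   /* payload bytes actually present */
    uint8_t  payload[MAX_PAYLOAD];
};

/* Assumed wire format: a 4-byte big-endian length, then that many bytes. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug shape: the peer-supplied length drives the copy.  A length above
 * MAX_PAYLOAD writes past out->payload; a length above what was received
 * reads past buf.  Never feed this untrusted input; kept only for contrast. */
int parse_request_unsafe(const uint8_t *buf, size_t buflen, struct request *out)
{
    if (buflen < 4)
        return -1;
    out->len = read_be32(buf);
    memcpy(out->payload, buf + 4, out->len);
    return 0;
}

/* Hardened: bound the length against the destination capacity and against
 * the bytes actually received before touching memory.  0 on success, -1 if
 * the request is rejected. */
int parse_request(const uint8_t *buf, size_t buflen, struct request *out)
{
    if (buf == NULL || out == NULL || buflen < 4)
        return -1;
    uint32_t len = read_be32(buf);
    if (len > MAX_PAYLOAD)      /* would overflow out->payload */
        return -1;
    if (len > buflen - 4)       /* claims more than we received */
        return -1;
    out->len = len;
    memcpy(out->payload, buf + 4, len);
    return 0;
}

/* Constructed input: a well-formed 5-byte request.  Returns the parsed
 * length, or -1 if parsing failed or the payload does not match. */
int demo_valid(void)
{
    static const uint8_t msg[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    struct request r;
    if (parse_request(msg, sizeof msg, &r) != 0)
        return -1;
    if (memcmp(r.payload, "hello", 5) != 0)
        return -1;
    return (int)r.len;
}

/* Constructed input: header claims 0x7fffffff bytes; the unsafe parser
 * would memcpy about 2 GiB into a 64-byte buffer. */
int demo_oversized(void)
{
    static const uint8_t msg[] = { 0x7f, 0xff, 0xff, 0xff, 'x' };
    struct request r;
    return parse_request(msg, sizeof msg, &r);
}

/* Constructed input: header claims 16 bytes but only 3 follow, so the
 * unsafe parser would read 13 bytes past the end of the message. */
int demo_truncated(void)
{
    static const uint8_t msg[] = { 0, 0, 0, 16, 'a', 'b', 'c' };
    struct request r;
    return parse_request(msg, sizeof msg, &r);
}

int main(void)
{
    return (demo_valid() == 5 && demo_oversized() == -1
            && demo_truncated() == -1) ? 0 : 1;
}
```

Note that the two checks are independent: a length that fits the buffer can still exceed the bytes read so far, which matters on a stream socket where a request may arrive in pieces.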
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:October 9, 2006
Description: The ncompress compression utility is missing a boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Mandriva MDKSA-2006:140 2006-08-09
Debian DSA-1149-1 2006-08-10

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):
Created:August 18, 2006 Updated:August 23, 2006
Description: Several vulnerabilities have been fixed in PHP 4.4.4 and 5.1.5.
  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension and on PHP 5.1.5 with realpath cache.
  • Fixed overflow in GD extension on invalid GIF images.
  • Fixed a buffer overflow inside sscanf() function.
  • Fixed an out of bounds read inside stripos() function.
  • Fixed memory_limit restriction on 64 bit system.
Alerts:
Slackware SSA:2006-230-02 2006-08-18

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CVE-2006-4020
Created:August 22, 2006 Updated:September 21, 2006
Description: A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping which incremented an index past the end of an array and triggered a buffer over-read.
Alerts:
Red Hat RHSA-2006:0682-01 2006-09-21
Ubuntu USN-342-1 2006-09-07
Gentoo 200608-28 2006-08-29
Mandriva MDKSA-2006:144 2006-08-21

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09:02 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09 2005-09-17

Comments (none posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

ruby: multiple vulnerabilities

Package(s):ruby CVE #(s):CVE-2006-3694
Created:July 24, 2006 Updated:August 28, 2006
Description: Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving the alias function and "directory operations".
Alerts:
Debian DSA-1157-1 2006-08-27
Debian DSA-1139-1 2006-08-03
Mandriva MDKSA-2006:134 2006-07-28
OpenPKG OpenPKG-SA-2006.016 2006-07-28
Red Hat RHSA-2006:0604-01 2006-07-27
Ubuntu USN-325-1 2006-07-27
Fedora FEDORA-2006-849 2006-07-22
Fedora FEDORA-2006-842 2006-07-22

Comments (none posted)

sendmail: denial of service

Package(s):sendmail CVE #(s):CVE-2006-1173
Created:June 15, 2006 Updated:November 1, 2006
Description: Sendmail has a vulnerability in the way it handles multi-part MIME messages. A remote attacker can create a specially crafted email message that can be used to crash the sendmail process, causing a denial of service.
Alerts:
Fedora-Legacy FLSA:195418 2006-10-29
Debian DSA-1155-2 2006-08-24
Debian DSA-1155-1 2006-08-24
rPath rPSA-2006-0134-1 2006-07-21
Fedora FEDORA-2006-837 2006-07-18
Fedora FEDORA-2006-836 2006-07-18
Gentoo 200606-19 2006-06-15
SuSE SUSE-SA:2006:032 2006-06-14
Slackware SSA:2006-166-01 2006-06-15
Red Hat RHSA-2006:0515-01 2006-06-14
Mandriva MDKSA-2006:104 2006-06-14

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

squirrelmail: insecure permissions

Package(s):squirrelmail CVE #(s):CVE-2006-4019
Created:August 14, 2006 Updated:September 26, 2006
Description: Squirrelmail contains a vulnerability that allows authenticated users to read and write other users' preferences and attachments.
Alerts:
Red Hat RHSA-2006:0668-01 2006-09-26
Mandriva MDKSA-2006:147 2006-08-22
Debian DSA-1154-1 2006-08-20
Fedora FEDORA-2006-913 2006-08-15
rPath rPSA-2006-0152-1 2006-08-11

Comments (none posted)

sudo: vulnerability via scripts

Package(s):sudo CVE #(s):CAN-2005-4158 CVE-2006-0151
Created:December 16, 2005 Updated:September 1, 2006
Description: Perl and Python scripts run via Sudo can be subverted.
Alerts:
Mandriva MDKSA-2006:159 2006-08-31
Debian DSA-946-2 2006-04-08
Slackware SSA:2006-045-08 2006-02-15
SuSE SUSE-SR:2006:002 2006-01-20
Debian DSA-946-1 2006-01-20
Ubuntu USN-235-2 2006-01-09
Ubuntu USN-235-1 2006-01-05
Mandriva MDKSA-2005:234 2005-12-20
Fedora FEDORA-2005-1147 2005-12-16

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

trac: missing input sanitizing

Package(s):trac CVE #(s):CVE-2006-3695
Created:August 18, 2006 Updated:August 23, 2006
Description: Felix Wiemann discovered that trac, an enhanced Wiki and issue tracking system for software development projects, can be used to disclose arbitrary local files. To fix this problem, python-docutils needs to be updated as well.
Alerts:
Debian DSA-1152-1 2006-08-18

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-2802
Created:June 9, 2006 Updated:September 29, 2006
Description: Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking a user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2006:176 2006-09-28
Mandriva MDKSA-2006:175 2006-09-28
Mandriva MDKSA-2006:174 2006-09-28
Mandriva MDKSA-2006:173 2006-09-28
Gentoo 200609-08 2006-09-13
Slackware SSA:2006-207-04 2006-07-27
Debian DSA-1105-1 2006-07-07
Mandriva MDKSA-2006:108 2006-06-20
Ubuntu USN-295-1 2006-06-09

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

Resources

Ross Anderson's Security Engineering book downloadable

Ross Anderson's well regarded book Security Engineering is now available online. From Bruce Schneier's introduction:

Security engineering is different from any other kind of programming. It's a point I made over and over again: in my own book, Secrets and Lies, in my monthly newsletter Crypto-Gram, and in my other writings. And it's a point Ross makes in every chapter of this book. This is why, if you're doing any security engineering ... if you're even thinking of doing any security engineering, you need to read this book. It's the first, and only, end-to-end modern security design and engineering book ever written.

Comments (6 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.18-rc5, released by Linus on August 27. As one would expect for this stage in the 2.6.18 cycle, this patch adds a bunch of fixes but not much else. See the long-format changelog for the details.

A very small number of patches have gone into the mainline git repository since -rc5 was released.

The current -mm tree is 2.6.18-rc4-mm3; changes in this release are mostly bug fixes and minor updates.

Stable kernel 2.6.16.28 was released on August 26. There is a fairly long list of fixes in this release, including at least four which are security-related.

Comments (none posted)

Kernel development news

A guide to getting code merged

Rik van Riel has put up a guide to getting code merged into the kernel on the kernelnewbies.org site. "However, some people react badly to the opinions and suggestions of the people who took hours out of their time to review their code. Some people even flame them to a crisp. Once you have turned enough of the linux-kernel 'top dogs' against you, it will become extremely hard to get your code merged. If only because nobody will take the time again to review the next iteration of your code."

Comments (none posted)

An API for specifying latency constraints

Modern processors support a number of power states. When there is nothing of any real interest going on, they can be instructed to power down to one of potentially several different levels. Since processors on most systems are idle much of the time, this capability can be put to use to bring about a significant reduction in power use. Cutting power demand is most helpful on systems with limited power sources - laptops, portable music players, Linux-powered penguin robots, etc. - but cutting power consumption is a good thing to do in most other environments as well.

Powering down the CPU becomes an even more useful thing to do once a dynamic tick mechanism is in use - something which appears possible for the Linux i386 port in 2.6.19. The elimination of the periodic clock interrupt will allow the processor to sleep for longer periods of time when there is nothing to do. Longer sleeps can translate into deeper power saving modes, reducing consumption even further.

The problem that can come up, however, is that the more aggressive power management modes will, by their nature, cause the processor to take longer to get back into an operating state. So, as the processor is put more deeply to rest, the system's latency in responding to external events will increase. In some situations, that latency can cause the system to fail to operate properly. Audio or video data might get dropped, a network adapter may start to see errors, or that robotic penguin could fail to respond in time to a cyber-walrus threat. The usual response to that problem, beyond hunting walruses to extinction, is to simply disable the power-saving behavior. But such drastic responses should not really be necessary.

Various devices in the system, when operating in certain modes, will need to obtain responses from the system within a given period of time. The drivers for those devices know how the device is being operated at any given moment, so they know what the latency requirements are. If the system as a whole had that information, it could tune its operations to the minimum latency requirements in effect at the moment, and could change its operations as the requirements change. But there is no mechanism in the system for handling - and reacting to - this information.

Arjan van de Ven has set out to change this situation with a latency tracking infrastructure patch. This work adds a set of new functions which may be used by drivers to indicate their latency requirements:

    #include <linux/latency.h>

    void set_acceptable_latency(char *identifier, int usecs);
    void modify_acceptable_latency(char *identifier, int usecs);
    void remove_acceptable_latency(char *identifier);

When a driver enters a mode where it has specific latency requirements (a camera driver starts acquiring frame data, say), it can tell the system about the maximum latency it can handle with set_acceptable_latency(). The identifier parameter is only used for identifying the request later on; usecs is the maximum latency in microseconds. The latency requirement can be changed with modify_acceptable_latency(), or eliminated altogether with remove_acceptable_latency().

The back end of the latency infrastructure includes a notifier chain for letting interested subsystems know when the maximum acceptable latency has changed. The current consumer of this information is the ACPI subsystem, which can use it to adjust the processor's idle state to meet that requirement. One could imagine that a smart dynamic tick implementation could use this information as well.
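The following is a user-space model of the mechanism described in the two paragraphs above: a registry of per-identifier requests, the system-wide bound computed as the tightest of them, and a notifier chain fired only when that bound changes. It is an added illustration and not the code from Arjan's patch; the kernel functions return void, whereas this model returns error codes so that callers can be checked, and the idle-state exit-latency table is a constructed stand-in for the ACPI consumer.

```c
/* User-space model of the latency tracking API (added illustration, not
 * the kernel patch's code).  Error codes are a modelling choice; the
 * kernel API returns void.  Idle-state latencies below are constructed. */
#include <errno.h>
#include <limits.h>
#include <string.h>

#define MAX_LATENCY_REQUESTS 16
#define MAX_NOTIFIERS        4
#define INFINITE_LATENCY     INT_MAX   /* no constraint registered at all */

struct latency_request {
    char identifier[32];
    int usecs;
    int in_use;
};

typedef void (*latency_notifier_fn)(int new_max_usecs);

static struct latency_request requests[MAX_LATENCY_REQUESTS];
static latency_notifier_fn notifiers[MAX_NOTIFIERS];
static int num_notifiers;
static int current_max_usecs = INFINITE_LATENCY;

/* Consumers (the ACPI idle code, in the patch) register on this chain. */
int register_latency_notifier(latency_notifier_fn fn)
{
    if (num_notifiers >= MAX_NOTIFIERS)
        return -ENOSPC;
    notifiers[num_notifiers++] = fn;
    return 0;
}

/* The effective bound is the smallest value among all live requests. */
int system_latency_constraint(void)
{
    int min = INFINITE_LATENCY;
    for (int i = 0; i < MAX_LATENCY_REQUESTS; i++)
        if (requests[i].in_use && requests[i].usecs < min)
            min = requests[i].usecs;
    return min;
}

/* Fire the chain only when the effective bound actually changes. */
static void recompute_and_notify(void)
{
    int new_max = system_latency_constraint();
    if (new_max == current_max_usecs)
        return;
    current_max_usecs = new_max;
    for (int i = 0; i < num_notifiers; i++)
        notifiers[i](new_max);
}

static struct latency_request *find_request(const char *identifier)
{
    for (int i = 0; i < MAX_LATENCY_REQUESTS; i++)
        if (requests[i].in_use && strcmp(requests[i].identifier, identifier) == 0)
            return &requests[i];
    return NULL;
}

int set_acceptable_latency(const char *identifier, int usecs)
{
    if (find_request(identifier))
        return -EEXIST;
    for (int i = 0; i < MAX_LATENCY_REQUESTS; i++) {
        if (requests[i].in_use)
            continue;
        strncpy(requests[i].identifier, identifier, sizeof requests[i].identifier - 1);
        requests[i].identifier[sizeof requests[i].identifier - 1] = '\0';
        requests[i].usecs = usecs;
        requests[i].in_use = 1;
        recompute_and_notify();
        return 0;
    }
    return -ENOSPC;
}

int modify_acceptable_latency(const char *identifier, int usecs)
{
    struct latency_request *r = find_request(identifier);
    if (!r)
        return -ENOENT;
    r->usecs = usecs;
    recompute_and_notify();
    return 0;
}

int remove_acceptable_latency(const char *identifier)
{
    struct latency_request *r = find_request(identifier);
    if (!r)
        return -ENOENT;
    r->in_use = 0;
    recompute_and_notify();
    return 0;
}

/* Constructed consumer: deeper idle states take longer to exit; choose
 * the deepest one whose exit latency still fits the constraint. */
static const int exit_latency_usecs[] = { 1, 10, 100, 1000 };
static int chosen_idle_state;

int deepest_allowed_idle_state(int max_usecs)
{
    int deepest = 0;
    for (int i = 0; i < 4; i++)
        if (exit_latency_usecs[i] <= max_usecs)
            deepest = i;
    return deepest;
}

static void idle_state_consumer(int new_max_usecs)
{
    chosen_idle_state = deepest_allowed_idle_state(new_max_usecs);
}

int current_idle_state(void)
{
    return chosen_idle_state;
}
```

With the consumer registered, a driver calling set_acceptable_latency("ipw2100", 500) moves the model from the deepest state to the one with a 100 us exit latency; a second, tighter request from another driver pushes it shallower still, and removing that request lets the system fall back to the bound the remaining request allows.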

In the current patch, only one subsystem (the IPW2100 wireless network driver) declares its latency requirements. This version of the patch has been proposed for inclusion in the -mm kernel, however, with the idea that other driver maintainers could start to make use of it. Unless some sort of surprising objection comes up, the latency management infrastructure looks likely to be a part of the 2.6.19 kernel.

Comments (8 posted)

Workqueues and internal API conventions

The internal kernel API has developed a number of conventions over the years. One of the most prevalent has to do with the return values from functions. In many cases, a function will return zero as an indicator of success, or a negative error code on failure. This convention goes against the normal C conventions for boolean values - a "false" value means that everything is OK. But it reflects the fact that, while all happy functions are alike, every unhappy function is unhappy in its own way. It is useful to be able to return a variety of error codes.

There are exceptions to this convention, however. One of the more famous is copy_to_user() and copy_from_user(), both of which will, on failure, return the number of bytes which were not copied. Back in 2002, Rusty Russell audited 5500 calls to these functions and determined that 415 of them interpreted the return value incorrectly. He proposed changing the interface to match the kernel's conventions, but had no success. See the May 23, 2002 LWN Kernel Page for more on this episode.

More recently, Alan Stern has been burned by the workqueue interface. Functions like queue_work() return a "normal" boolean value - zero on failure, non-zero if the requested work was actually queued. Alan suggested that these functions should be changed, and offered to fix up all in-tree callers in the process. The answer he got back was that fixing the return code would be a good thing, but that the name of the functions should be changed at the same time. Otherwise out-of-tree code could misinterpret the new return value with no indication to the programmer.

The resulting patch does just that. With this patch, the functions for adding work to an arbitrary workqueue become:

    int add_work_to_q(struct workqueue_struct *queue,
                      struct work_struct *work);
    int add_delayed_work_to_q(struct workqueue_struct *queue,
                              struct work_struct *work,
                              unsigned long delay);
    int add_delayed_work_to_q_on(int cpu,
                                 struct workqueue_struct *queue,
                                 struct work_struct *work,
                                 unsigned long delay);

As expected, these functions return zero on success and a negative error code (-EBUSY) on failure. The return code makes sense because the only reason for the operation to fail in current code is if the given work_struct is already on a workqueue.

Similar changes have been made to the functions which operate on the generic, shared workqueue (schedule_work() and friends). They are now:

    int add_work(struct work_struct *work);
    int add_delayed_work(struct work_struct *work, unsigned long delay);
    int add_delayed_work_on(int cpu, struct work_struct *work,
                            unsigned long delay);

In each case, wrapper functions with the old names have been provided so that out-of-tree code which has not been updated will not break. Most of the time, anyway. It seems that most in-tree callers never bothered to check the return value from these functions in the first place, and Alan has concluded that out-of-tree callers will be the same. So the new versions of the old functions are declared as void, returning no value at all. Instead, they log a warning when an operation fails. As a result of this change, code which actually checks the return value will fail to compile, and, presumably, the author will update it to the new functions. Everything else will continue to run as it always did.

Alan has also proposed an addition to the kernel coding style document. It reads (in part):

If the name of a function is an action or an imperative command, the function should return an error-code integer. If the name is a predicate, the function should return a "succeeded" boolean.

There does not seem to be much disagreement over this proposal, so that is likely to be how things go. This convention is still not likely to extend to copy_to_user() and copy_from_user(), however.
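The following user-space model shows the two conventions side by side, and why the rename matters. It is an added illustration, not kernel code: queue_work() models the old boolean-style interface, add_work_to_q() the errno-style one from Alan's patch, and copy_from_user_model() the bytes-not-copied convention that Rusty's audit found so widely misread. The callers show the misreads themselves: a check written for "non-zero means error" fires on the successful queueing and stays silent on the duplicate, and a "< 0" test on a byte count can never catch a short copy.

```c
/* User-space model of kernel return-value conventions (added
 * illustration, not kernel code).  queue_work(): old boolean style;
 * add_work_to_q(): 0 / -errno as in the patch; copy_from_user_model():
 * returns the number of bytes NOT copied. */
#include <errno.h>
#include <string.h>

#define QUEUE_SLOTS 8

struct work_struct {
    void (*func)(struct work_struct *);
    int pending;                    /* set while the item sits on a queue */
};

struct workqueue_struct {
    struct work_struct *items[QUEUE_SLOTS];
    int count;
};

static int enqueue(struct workqueue_struct *q, struct work_struct *w)
{
    if (q->count >= QUEUE_SLOTS)
        return 0;
    w->pending = 1;
    q->items[q->count++] = w;
    return 1;
}

/* Old interface: non-zero if queued, zero if the work was already pending. */
int queue_work(struct workqueue_struct *q, struct work_struct *w)
{
    if (w->pending)
        return 0;
    return enqueue(q, w);
}

/* New interface: zero on success, -EBUSY if the work is already queued. */
int add_work_to_q(struct workqueue_struct *q, struct work_struct *w)
{
    if (w->pending)
        return -EBUSY;
    return enqueue(q, w) ? 0 : -ENOSPC;
}

/* Drain the queue, running each item; returns how many items ran. */
int run_queue(struct workqueue_struct *q)
{
    int ran = q->count;
    for (int i = 0; i < q->count; i++) {
        q->items[i]->pending = 0;
        if (q->items[i]->func)
            q->items[i]->func(q->items[i]);
    }
    q->count = 0;
    return ran;
}

/* Written to the usual "non-zero is an error" convention: reports the
 * successful queueing as a failure and the duplicate as success. */
int caller_misreads_boolean(struct workqueue_struct *q, struct work_struct *w)
{
    int ret = queue_work(q, w);
    if (ret)
        return -EIO;
    return 0;
}

/* The same check is correct against the errno-style interface. */
int caller_uses_errno(struct workqueue_struct *q, struct work_struct *w)
{
    int ret = add_work_to_q(q, w);
    if (ret)
        return ret;
    return 0;
}

/* 'readable' stands in for how much of the source the fault handler
 * would let through; the return value is the shortfall, never -errno. */
unsigned long copy_from_user_model(void *to, const void *from,
                                   unsigned long n, unsigned long readable)
{
    unsigned long ok = n < readable ? n : readable;
    memcpy(to, from, ok);
    return n - ok;
}

/* Misread: treats the result as -errno, so a short copy passes as success
 * and the caller goes on to use a partially filled buffer. */
int read_config_wrong(void *to, const void *from, unsigned long n,
                      unsigned long readable)
{
    long ret = (long)copy_from_user_model(to, from, n, readable);
    if (ret < 0)
        return -EFAULT;
    return 0;
}

/* Correct: any non-zero return means the copy was incomplete. */
int read_config_right(void *to, const void *from, unsigned long n,
                      unsigned long readable)
{
    if (copy_from_user_model(to, from, n, readable) != 0)
        return -EFAULT;
    return 0;
}
```

The security relevance of the copy_from_user() case is that a partially copied buffer is then treated as fully valid input; with the action-returns-errno, predicate-returns-boolean rule from Alan's coding-style addition, a function named like a command can be checked with the same `if (ret)` idiom everywhere.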

Comments (5 posted)

Resource beancounters

Your editor remembers a time when "the computer" was a single, large machine shared among many users. This large machine was, one might say, not quite as powerful as the systems we work on - or carry around to play music on - today, so sharing it between dozens (or more) people was bound to lead to conflicts. Accordingly, most timesharing systems in those days implemented complex resource quota mechanisms to keep users in bounds. When these systems worked well, they let people get their work done while minimizing violence in the hallways.

It is probably safe to say that almost all deployed Linux systems spend most of their time serving a single user or task. There is little need to keep users from stepping on each other's toes within a single system; instead, they can fight over the use of external resources like network bandwidth. So patches which implement such mechanisms (such as the class-based kernel resource management system) have generally not gotten very far. The driving need to fence users within a portion of a system's resources just has not been there.

Virtualization and containers may change that situation, however. The purpose of these systems is to isolate users from each other. But if one container is able to use a disproportionate amount of some vital system resource, the others will feel its presence. The illusion of having a machine to one's self loses some of its credibility if that machine, say, has no memory available to it. As these projects gather steam, they are motivating another look at resource usage management structures.

CKRM, now known as resource groups, may well make a resurgence. In the mean time, however, another approach has been proposed in the form of the resource beancounters patch. The beancounter developers appear to have tried to take a lighter-weight approach, but this patch still ends up touching a number of places in the kernel.

The core object in this mechanism is, yes, the "beancounter." Each beancounter in the system tracks the resource usage of a group of processes - presumably all of the processes running within a specific container. Beancounters contain a reference count, a unique ID, and an array of resource values; for each tracked resource, this array contains a pair of limits, current usage, historical minimum and maximum use, and a count of how many times an attempt to increase usage of that resource was denied. Each process in the system contains a pointer to its (probably shared) beancounter object. There is also a second beancounter, called fork_bc, which is used for any child processes created with fork().

A new system call, get_bcid(), returns the ID number for the current process's beancounter object. A suitably privileged user can call:

    int set_bcid(bcid_t id);

to change its current and fork IDs to a new value. Privileged processes can also change any process's limits with:

    int set_bclimit(bcid_t id, unsigned long resource, unsigned long *limits);

Here, resource identifies which resource limit is being changed, and limits points to an array of two values holding the "barrier" and "limit" values. The barrier value is intended to be a sort of soft limit, where some allocations might fail, but others are allowed to proceed.

In the posted patch, only one resource is tracked: kernel memory. For this resource, the "barrier" limit applies to most allocations; once the barrier is hit, allocation attempts will fail. The allocation of page tables and related structures, however, can go all the way to the "limit" value. So, while a process may start to see operations failing as a result of excessive kernel memory use, it should still be able to have its page faults handled normally while it tries to recover.

The kernel allocates memory in many places, and not all of those should be charged to the process that happens to be running at the time. The beancounter patch adds a couple of new GFP flags to make the difference explicit. In the default case, memory allocations are not charged to any specific beancounter. Whenever an allocation function is called with the __GFP_BC flag set, however, the current beancounter will be charged. An additional flag (__GFP_BC_LIMIT) specifies that the higher limit value is to be used. There is also a SLAB_BC flag which can cause all allocations from a given slab cache to be charged. Finally, there is a new vmalloc_bc() function which performs the appropriate accounting.
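A user-space model of the accounting described in the preceding paragraphs follows, as an added illustration rather than the patch's own code. It keeps, for the one tracked resource, the barrier/limit pair, current usage, historical minimum and maximum, and the denial count; the use_limit flag on bc_charge() stands in for the difference between __GFP_BC and __GFP_BC_LIMIT. The resource and limit index names are constructed for this model.

```c
/* User-space model of resource beancounters (added illustration, not the
 * patch's code).  Index names BC_KMEMSIZE, BC_BARRIER and BC_LIMIT are
 * constructed for this model. */
#include <errno.h>

enum { BC_KMEMSIZE, BC_RESOURCES };       /* only kernel memory is tracked */
enum { BC_BARRIER, BC_LIMIT };            /* indices into the limits[] pair */

struct bc_resource_parm {
    unsigned long limits[2];   /* limits[BC_BARRIER] <= limits[BC_LIMIT] */
    unsigned long held;        /* current usage */
    unsigned long maxheld;     /* historical maximum */
    unsigned long minheld;     /* historical minimum */
    unsigned long failcnt;     /* denied charge attempts */
};

struct beancounter {
    int refcount;
    unsigned int bc_id;
    struct bc_resource_parm res[BC_RESOURCES];
};

void bc_init(struct beancounter *bc, unsigned int id)
{
    bc->refcount = 1;
    bc->bc_id = id;
    for (int i = 0; i < BC_RESOURCES; i++) {
        bc->res[i].limits[BC_BARRIER] = ~0UL;   /* unlimited until set */
        bc->res[i].limits[BC_LIMIT] = ~0UL;
        bc->res[i].held = bc->res[i].maxheld = bc->res[i].minheld = 0;
        bc->res[i].failcnt = 0;
    }
}

/* Model of set_bclimit(): barrier is the soft bound, limit the hard one. */
int bc_set_limit(struct beancounter *bc, unsigned long resource,
                 const unsigned long limits[2])
{
    if (resource >= BC_RESOURCES)
        return -EINVAL;
    if (limits[BC_BARRIER] > limits[BC_LIMIT])
        return -EINVAL;
    bc->res[resource].limits[BC_BARRIER] = limits[BC_BARRIER];
    bc->res[resource].limits[BC_LIMIT] = limits[BC_LIMIT];
    return 0;
}

/* Charge 'size' units.  use_limit == 0 models __GFP_BC (checked against
 * the barrier); use_limit != 0 models __GFP_BC_LIMIT (page tables and
 * similar, allowed up to the hard limit).  Denials are counted, and the
 * headroom test is written so it cannot underflow when a limit has been
 * lowered below current usage. */
int bc_charge(struct beancounter *bc, unsigned long resource,
              unsigned long size, int use_limit)
{
    struct bc_resource_parm *p;
    unsigned long bound;

    if (resource >= BC_RESOURCES)
        return -EINVAL;
    p = &bc->res[resource];
    bound = p->limits[use_limit ? BC_LIMIT : BC_BARRIER];
    if (p->held > bound || size > bound - p->held) {
        p->failcnt++;
        return -ENOMEM;
    }
    p->held += size;
    if (p->held > p->maxheld)
        p->maxheld = p->held;
    return 0;
}

int bc_uncharge(struct beancounter *bc, unsigned long resource,
                unsigned long size)
{
    struct bc_resource_parm *p;

    if (resource >= BC_RESOURCES)
        return -EINVAL;
    p = &bc->res[resource];
    if (size > p->held)
        return -EINVAL;          /* accounting bug: more freed than charged */
    p->held -= size;
    if (p->held < p->minheld)
        p->minheld = p->held;
    return 0;
}

unsigned long bc_held(const struct beancounter *bc, unsigned long resource)
{
    return bc->res[resource].held;
}

unsigned long bc_maxheld(const struct beancounter *bc, unsigned long resource)
{
    return bc->res[resource].maxheld;
}

unsigned long bc_failcnt(const struct beancounter *bc, unsigned long resource)
{
    return bc->res[resource].failcnt;
}
```

With a barrier of 4096 and a limit of 8192, an ordinary charge that would carry usage past 4096 is refused while a page-table-style charge of the same size is allowed through, which is the behaviour the article describes: a process over its barrier sees allocations fail but keeps having its page faults handled.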

Needless to say, finding every allocation which should be tracked and charged to a beancounter would be a large task. The current patch does not even try; instead, it marks enough specific allocations to catch some of the larger uses of kernel memory and show how the whole system works. That may be as far as it gets; getting driver writers, for example, to think about whether their memory allocations should be charged seems like an uphill battle.

Whether this patch set will get any further than CKRM (sorry, "resource groups") remains to be seen. There are some concerns about how accounting for shared resources is handled - does the process group which first faults in the C library get charged for the whole thing, giving others a free ride? Then, many developers will continue to see no real need for this sort of accounting structure. The growing use of virtualization techniques may just be the factor which pushes this kind of patch into the kernel, however.

Comments (5 posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Documentation

Filesystems and block I/O

  • Jörn Engel: LogFS. (August 24, 2006)

Janitorial

Kernel building

Memory management

Networking

Architecture-specific

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

What's happening at Ubuntu: from X.org updates to upstart

Last week a number of Ubuntu users saw something they never expected to see, a "Linux Blue Screen of Death". A patch to the xorg-server package inadvertently broke the windowing environment on some Ubuntu 6.06 LTS systems. The faulty patch was available for download for about 17 hours beginning Monday August 21 and ending on August 22 at 10:00 UTC. After that time the patch was removed and the mirrors temporarily disabled to prevent others from downloading the faulty package.

The problem did not corrupt or lose any data and affected users still had access to the system console. There were no security vulnerabilities associated with this problem. All in all it was not terribly serious, but for many users unused to the command line it may have seemed serious. More information can be found on this page. Instructions for fixing affected systems are also available.

Mark Shuttleworth had this to say:

An incident report is being compiled by the team and we will publish that for our broader community and users as soon as it is complete. My apologies to those who have been affected, I know that a blue screen of death is the very last thing anybody ever wants to see on Linux desktops and that any downtime caused by mistakes on our part, even measured in minutes, is unacceptable....

If there is a silver lining to the error, it is that it happened during the one week in six months when we have the core distribution development team together in one place. This gave us the opportunity not just to analyse and fix the issue, and to talk about the sequence of events that led to the problem, but also to discuss the processes we must improve to further reduce the likelihood of a repeat. The team is now more aware than ever of the responsibility we assume given the extraordinary rate of adoption of Ubuntu.

Some more exciting news from Ubuntu is that of an Upstart in Universe. Upstart is an event-based init daemon, designed to replace sysvinit and other startup daemons.

Modern computers are more flexible; USB devices and network devices can be plugged in and removed at any point, some devices may need to load firmware after detection but before use by the system, mounting a partition in /etc/fstab may require tools in the network filesystem /usr, requiring networking to be brought up first, and so on. Upstart is designed to dynamically order the start up sequence based on the configuration and hardware found as it goes along.

The current plan is to introduce upstart in stages:

  1. Principal development; implement a daemon that can manage jobs as described.
  2. Replace /sbin/init while running the existing sysv-rc scripts.
  3. Replace /etc/rcS.d scripts with upstart jobs.
  4. Replace other daemons' scripts on a package-by-package basis.
  5. Replace cron, atd, anacron and inetd with the end result of having a single place to configure system jobs.
  6. Modification of other daemons and processes to send events to init instead of trying to run things themselves.

According to the current plan upstart will be at least part way into stage #3 by the time edgy is released. "From the start of development of edgy+2, no new packages will be accepted unless they provide upstart jobs instead of init scripts and init scripts will be considered deprecated."

The upstart package is available in the Ubuntu universe and experienced edgy users are invited to test it. Install the package and follow the instructions in /usr/share/doc/upstart/README.Debian to add a boot option that will use upstart instead of init. "If your system boots and shuts down normally (other than a slightly more verbose boot without usplash running) then it is working correctly." They don't mention it, but, should the system respond with a blue screen of death, it is not working correctly.

Comments (22 posted)

New Releases

Gentoo Linux 2006.1 released

Gentoo Linux 2006.1 is out. "The 2006.1 release features many highlights that improve upon 2006.0. The AMD64, HPPA, x86, 32- and 64-bit PowerPC releases are built with and include GCC 4.1, a great improvement over version 3.4 used for 2006.0. Also included are the GNU C library version 2.4 and Gentoo's baselayout 1.12.1, with improved system startup scripts." Click below for the details.

Full Story (comments: 25)

Fedora Unity Project spins and respins

The Fedora Unity project has ISO images of Fedora Core 5 available for i386 and x86_64 architectures via BitTorrent with all updates released as of August 18, 2006.

Fedora Unity has also announced Live-Spin CD and DVD ISO image of Fedora Core 5. "These Live-Spin ISOs are based on Fedora Core 5 and all updates released as of August 21st, 2006. They are available for the i386 architecture via BitTorrent." They are also making FC6T2 live CDs.

Comments (none posted)

Slackware 11.0 release candidate 3

From the August 25, 2006 change log entry: "I think most of the irresistible upgrades are in here now, and the bug reports have been mostly handled. There may still be a few changes, and possibly another release candidate, but this is pretty close to final with the exception of updating documentation and building ZipSlack. Thanks very much to everyone who is helping to test these release candidates -- I think this is going to be a very up to date and stable release. :-)" See the full change log for complete details.

Full Story (comments: none)

Distribution News

The Debian Project Leader on firmware and etch

Last week's LWN edition included an article on the current version of the Debian firmware debate. Now Project Leader Anthony Towns has weighed in on the issue. "So the question is what should we do here? One approach would be to say 'we're committed to making the Debian System completely free, so until that's done, we're not ready to release'. Another is to say 'we've made a lot of improvements since sarge, on this score and others, so let's get etch out now, and move onto the next bit after that'. A third is to say 'we've committed to getting etch out, and to making it be completely free -- if that means not supporting a range of hardware, so be it'." Polls of registered users and developers are being run in an attempt to help answer that question.

Full Story (comments: 3)

Proprietary Software and openSUSE

Andreas Jaeger discusses openSUSE's position on proprietary software. "SUSE Linux 10.1 comes with six CDs. The first five contain only Open Source software, only the last one (if you download: the binary add-on CD) contains proprietary software. Freespire speaks about their "OSS Edition", a term SUSE Linux 10.0 already used a year ago."

Comments (none posted)

Ubuntu news

The Ubuntu developers at the distro sprint in Wiesbaden discussed ways to reduce the time taken by archive administration tasks such as NEW queue processing and Debian package syncs. As a result, some archive administration changes have been made that should improve the handling of those tasks.

The Edgy Knot CD schedule is available. A Knot CD 2 is expected by the end of the month and the Knot 3 CD two weeks after that. The final release is currently scheduled for October 26, 2006.

Scott James Remnant looks at a proposed change to the merge policy.

Comments (none posted)

New Distributions

gNewSense

gNewSense is a GNU/Linux project that aims to remove all the binary blobs from a rather popular distribution and make it entirely free. So far the project has produced a set of scripts to create a GNU/Linux distribution based on Ubuntu. From the press release: "A new GNU/Linux distribution has been announced (and a beta released): gNewSense. This distribution is not aimed at a large audience, it is in fact aimed at a specific group of users. These are the people who will not use a distribution other than one which is totally not encumbered by 'binary only' blobs where the user has no access to the source code."

Comments (none posted)

GNU/Linux for Christians: Kubuntu-based Ichthux Beta5 is out (LXer)

LXer introduces Ichthux. "Developers from the Debian, Ubuntu, and Sword Projects have been working since 2005 on Ichthux, a GNU/Linux distribution aimed at Christians and ministries. What initially began as a Custom Debian Distribution project is now a Kubuntu-based project, and is progressing nicely. The team is releasing Ichthux beta5, with an eye toward releasing Ichthux 6.09, their first major release on 10 September."

Comments (2 posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for August 29, 2006 covers upcoming bug squashing parties, Debian installer screenshots, the general resolution on handling firmware, a report from FrOSCon, a report on the event coordination meeting, a report on Debian and free software in Cuba, translation of package descriptions, git transition plans, Sarge updates, and several other topics.

Full Story (comments: none)

What's been up at FedoraNEWS.ORG?

Thomas Chung takes a look (click below) at how the Fedora Weekly got started, and how it's grown.

Full Story (comments: none)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for August 21, 2006 covers Linux World aftermath, Slovak and Greek translations, GCC/glibc news, developer of the week - Thomas Cort, and more.

Comments (none posted)

Ubuntu Weekly Newsletter - Issue #11

The Ubuntu Weekly Newsletter for August 26, 2006 covers the X.org breakage in 6.06, Distro sprint in Germany, Backports are back, Upstart unveiled, and several other topics.

Full Story (comments: none)

DistroWatch Weekly, Issue 166

The DistroWatch Weekly for August 28, 2006 is out. "The essence of this week's issue is a comment on the status of Linux distributions. Why are there so many of them? What motivates developers to create new ones? Wouldn't we be better off if there were only 10 - 20 major projects, instead of hundreds of one-man distros? We attempt to give some answers. Also in this issue: a long-term SUSE user explains why Kubuntu meets his needs better, openSUSE's Andreas Jaeger comments on the reasons behind removal of proprietary kernel modules from the popular operating system, and Gentoo's Donnie Berkholz argues that democracy is not always a good thing for the advancements of the largest source-based distribution. Updates on Fedora Core 6 and Mandriva Linux 2007, together with links to two resources comparing and rating several popular distributions conclude the news section."

Comments (none posted)

Package updates

Fedora updates

Updates for Fedora Core 5: coreutils (bug fix), cscope (bug fix), curl (update to 7.15.5), udev (udev does not time out anymore), vixie-cron (patched for compatibility with RFC3834), eject (bug fix), tcsh (bug fix), selinux-policy (bump for FC5), slang (update to slang-2.0.6), parted (update to parted-1.7.1), php-pear (add /etc/rpm/macros.pear)

Comments (none posted)

Mandriva updates

Updates for Mandriva Linux 2006.0: epiphany-extensions (updated epiphany-extensions for the Epiphany browser).

Comments (none posted)

rPath updates

Updates for rPath Linux 1: libpng (bug fix for x86_64 systems).

Comments (none posted)

Trustix updates

Updates for Trustix Secure Linux 2.2 & 3.0: various bugs have been fixed in bind, curl, mailman, mysql and php-pear.

Comments (none posted)

Ubuntu updates

Updates for Ubuntu 6.06 LTS: libtheora (automated backport upload), dia (automated backport upload), k3b (automated backport upload), krusader (automated backport upload), ktorrent (automated backport upload), kbfx (automated backport upload), mplayerplug-in (automated backport upload), rsibreak (automated backport upload), gcin (automated backport upload), emacs-snapshot (automated backport upload), kbarcode (automated backport upload), nexuiz-data (automated backport upload), nexuiz (automated backport upload), amarok (automated backport upload), checkinstall (automated backport upload), cacti (automated backport upload), config-manager (automated backport upload), bluefish (automated backport upload), gxine (automated backport upload), kpowersave (automated backport upload), powersave (automated backport upload), phpmyadmin (automated backport upload), spamassassin (automated backport upload), squirrelmail (automated backport upload), taglib (automated backport upload), xchat (automated backport upload), xmoto (automated backport upload), libvisual (automated backport upload), mod-cband (automated backport upload), libtunepimp (automated backport upload), debootstrap (automated backport upload), scribus-ng (automated backport upload), kopete (automated backport upload).

Comments (none posted)

Newsletters and articles of interest

Reinhard Tartler (Behind Ubuntu)

Behind Ubuntu has an interview with Reinhard Tartler. "You are a member of several launchpad teams, amongst others the ubuntu core development team. What roles do you play in them and how do they differ from each other? In the core-dev-team, I'm mainly helping out with merges. I'm currently focusing on the xine packages to get it back to shape. In ubuntu-dev, I started Mentoring (I already got someone to mentor ;), and help with merges as well."

Comments (none posted)

Industrial Linux distro changes names (LinuxDevices)

LinuxDevices reports that K-Linux has been renamed KaeilOS. "Cavallini describes KaeilOS 2.4.0 as 'a complete development environment' that includes tested, validated 2.6.15 and 2.4.31 kernels and BSPs (board support packages) for Kontron and Taskit modules. It also includes an IDE (integrated development environment), and debugging instruments for embedded and real-time systems. Support documentation is available in English or Italian."

Comments (none posted)

Swiss developers start rolling Your Own Linux Distribution (Linux.com)

Linux.com looks at YOLD (Your Own Linux Distribution), a company that builds customized Linux distributions. "Bernhard Rosenkraenzer, a native of Switzerland and the founder of the Ark Linux project, says some people were requesting features that 'wouldn't make sense' for most other users. 'That would go against the concept of not bloating it. We wanted to help those people, but we didn't want to do it at the cost of making Ark Linux worse for others.'"

Comments (none posted)

DIY Linux, the easy way (DesktopLinux)

DesktopLinux covers two more roll-your-own Linux options. "There's a low-end personal option: Instalinux.com's free service, SystemDesigner. There's also a high-end corporate choice: rPath's rBuilder."

Comments (none posted)

Distribution reviews

Slackware 11.0 RC3 available (Linux-Watch)

Linux-Watch takes a quick look at Slackware 11.0 RC3. "This release features a 2.4.33 Linux kernel, X.Org 6.9.0, a KDE 3.5.4 desktop, and the KOffice 1.5.2 application suite. The operating system also comes with the 2.6.17.x kernel in the /extra directory."

Comments (none posted)

Puppy Linux 2.10 alpha emerges (DesktopLinux)

DesktopLinux looks at Puppy version 2.10 Alpha. "Puppy Linux is extraordinarily small, yet full featured. It boots into a 64MB ramdisk and runs in RAM. Unlike live CD distributions that have to keep pulling stuff off the CD, Puppy in its entirety loads into RAM. This means that all applications start quickly and respond to user input instantly."

Comments (none posted)

CentOS Linux v3.8 debuts (DesktopLinux)

DesktopLinux covers the release of CentOS 3.8. "CentOS 3.8 offers a Single Server CD iso (i386 and x86_64 only). This CD contains a subset of packages used for most server installs on a single CD for installation. It can be a time saver (one iso instead of four for download)."

Comments (none posted)

Page editor: Rebecca Sobol

Development

A comparison of Mail Transfer Agents - Part Two

August 30, 2006

This article was contributed by Dan Shearer

[ Editor's note: Mr. Shearer is maintaining an updated version of this article on his web site.]

In part one of this article series, we covered the criteria for selecting a Mail Transfer Agent (MTA), and took a detailed look at Postfix and qmail. This week, we take a look at Sendmail and Exim, and come to some conclusions about which MTA is best.

Sendmail

Sendmail Summary
[Sendmail logo]
MTA details
Website: http://www.sendmail.org
Out since: 1982
Goals: Be backwards-compatible
Non-goals: Best practice
License: Bespoke Open Source
Classification
Config: Single control file
Releases: Regular
Committers: many
Maj. contributors: many
Flexibility: Enormous, but complex
Subjective Comments
Administration: Hard to do well
Security: Historically bad, improving.
Performance: Ok for many
Community: Large
Sendmail compatibility: N/A

Design goals: Current Sendmail must be backwards-compatible, and the forthcoming Sendmail X is a total rewrite.

Sendmail consists of about 118k lines of code, but that does not count the functionality in the M4 scripts used to generate the config file, nor any external milters. Documentation is good, and uniquely among MTAs, there is a dominant company (Sendmail, Inc.) dedicated to Sendmail services. The Sendmail Consortium is dedicated to maintaining the Sendmail code base.

Sendmail has an extraordinarily obscure configuration file, a poor history of security breaches and a design centered around Unix in the early 1980s. It is a fact that hundreds of thousands of Sendmail sites are currently advertising themselves as having remotely exploitable security vulnerabilities. Add to this Sendmail's renowned inefficiency and it might be hard to see why Sendmail is still used at all, but history has its own inertia. There is no good reason for a site without Sendmail experience to install it, given the effectiveness of the alternatives.

Despite all this, Sendmail:

  • has improved greatly in security and performance since about 2000, and has a large number of new features.
  • is installed by default on most commercial Unix operating systems.
  • works with little or no modification to the default settings.
  • has a large following of systems administrators who have battled with it, and now understand to some extent how to configure and run it.
  • is a well-known MTA name, see previous comment about inertia.

Although there are no recent surveys, Sendmail usage appears to be dropping over time. Dan Bernstein's 2001 SMTP survey (without published source code, and therefore not replicable) put Sendmail at about 42% market share. In 2006 it seems reasonable to assume [4] that Sendmail is on substantially fewer than 40% of the world's SMTP servers.

Sendmail has been ported to many systems, including some that are not Unix-like such as Windows. Postfix isn't realistically portable to Windows, and Exim is something of a second-class citizen on Windows since it runs via Cygwin. So portability might be a reason to run Sendmail.

Exim

Exim Summary
[Exim logo]
MTA details
Website: http://www.exim.org
Out since: 1982
Goals: General purpose MTA
Non-goals: Security
License: GPL
Classification
Config: Single control file
Releases: Regular
Committers: 1
Maj. contributors: many
Flexibility: Enormous
Subjective Comments
Administration: Straightforward
Security: Quite good
Performance: Very good
Community: Large
Sendmail compatibility: Very good

Design goal: General-purpose MTA for Unix machines.

Exim was inspired by the author's work with the smail 3 source code, which was itself provoked by the many problems of sendmail. So Exim too is a Sendmail drop-in replacement.

The outstanding feature of Exim is the intention that it be a general-purpose mailer. Exim is not a total rethink about how mail works, like qmail is. Nor does it restrict its feature set in order to achieve theoretical security, like Postfix. Exim instead tries to give administrators what they asked for, with a strong interest in security, reliability and performance.

Exim behaves much like any other Unix daemon, with a monolithic configuration file, a monolithic daemon, a small number of log files and a standard style of spooling. It has a very good security record over the last seven years (early releases had classic security issues), it can cope with high load, and it has excellent integration facilities. Exim can be extended in many ways - it is even possible to compile in the entire Perl interpreter to call from the configuration file! If there is an MTA feature, then Exim can support that feature in some way or another. Exim is very tightly specified and documented. Many features can be omitted at compile-time, making a special-purpose Exim easy to create. Exim has its own filter language, implementing much of the functionality of procmail, and more.

Exim is used at some very high-volume sites where it provides good service. Performance comparisons that say qmail and Postfix are faster and handle queuing better don't necessarily have any bearing on real-world conditions (in 2006 on current hardware and with current definitions of high load.)

Open Source at Work

One of the interesting things about the three non-Sendmail MTAs here is the ideas and code that are shared. Postfix uses the Perl Compatible Regular Expressions library developed for Exim. Exim understands the Constant Database Format developed for qmail, and the Maildir mail file format, also from qmail. Postfix can use the Constant Database Format and Sendmail milters.

When Local Security Isn't a Problem

The main reason why MTAs have to work so hard at security is because of the Unix tradition of local delivery. The mixture of setuid binaries, specially-owned directories, pedantic authentication of local destinations and paranoia over filesystem access all has to do with having the MTA write to a file owned by some other user, usually by becoming that user. Of course that is fraught with danger. No matter how well the code is written, a careless administrator can still make it behave in an unsafe manner.

But in millions of sites this is no longer an issue because mail is kept in a central IMAP mailstore until the user chooses to view it. Mail comes into the SMTP daemon, which then makes an LMTP delivery to the IMAP daemon. In this scenario, local deliveries are completely avoided.

It is possible to compile at least two of these mailers so that none of the potentially dangerous code is even in the mailer. Here's how it is done with Exim:

All routers, directors, and transports are compiled only when specified in the Local/Makefile. You can compile Exim with only the SMTP transport - and make that use LMTP to address 127.0.0.1 for "local" delivery. Then you can run Exim entirely in "unprivileged" mode, where it runs as user exim the entire time, except during startup of the listening daemon.
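As an added illustration of the recipe above (this is not configuration from the article or from the Exim project; it is written here from the Exim 4 option names, with the domain, user and group values assumed for the example), here are the two fragments involved: the build-time selection in Local/Makefile, which leaves the file-writing and command-running transports out of the binary altogether, and the run-time configuration that routes every local recipient to an LMTP listener on 127.0.0.1 and never regains root for delivery.

```conf
# Added example, not from the article. Exim 4 option names are real;
# the domain name, user and group values are assumptions for illustration.

# ---- Local/Makefile (build-time) ----
# Only the drivers listed here are compiled in. With appendfile and
# pipe absent, the binary has no code path that writes a user's mailbox
# file or runs a command on behalf of a recipient.
EXIM_USER=ref:exim
ROUTER_ACCEPT=yes
ROUTER_DNSLOOKUP=yes
TRANSPORT_SMTP=yes
# Deliberately left unset (the first two are what local delivery needs,
# the third is the command/socket based lmtp transport, which is not
# required because the smtp transport can speak LMTP over TCP):
# TRANSPORT_APPENDFILE=yes
# TRANSPORT_PIPE=yes
# TRANSPORT_LMTP=yes

# ---- exim.conf (run-time) ----
exim_user = exim
exim_group = exim
# Deliveries never regain root. With a binary that is not setuid, the
# only privileged step left is the daemon binding port 25 at start-up.
deliver_drop_privilege = true
never_users = root

# Assumed local domain for the example.
domainlist local_domains = mail.example.org

begin routers

# The weak alternative this replaces is a local-delivery router using an
# appendfile transport that writes /var/mail/<user> as that user. Here
# every recipient in a local domain is handed to the LMTP transport.
imap_store:
  driver = accept
  domains = +local_domains
  transport = imap_lmtp

remote:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp

begin transports

# The smtp transport speaking LMTP: one reply per recipient after DATA,
# so the IMAP server, not Exim, decides whether each mailbox accepts.
# 127.0.0.1:24 is the assumed address of the IMAP server's LMTP listener
# (24 is LMTP's registered port). allow_localhost is needed because Exim
# otherwise refuses to deliver to an address that resolves to itself.
imap_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = 127.0.0.1
  port = 24
  allow_localhost

remote_smtp:
  driver = smtp
```

After building, `exim -bV` prints the compiled-in drivers on its "Routers:" and "Transports:" lines; for this configuration the transports line should list only smtp, which is the quickest way to confirm that the local-delivery code really is absent rather than merely unused.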

Usability comparison

The following table compares the above MTAs for usability:

MTA suitability from 0 (bad) to 3 (good)

If you are...                 qmail  Exim  Sendmail  Postfix  Notes
Inexperienced                   0     3       1         3     Exim and Postfix have good documentation and clear examples.
Worried about security          3     2       0         3     Postfix is modern and reliable; qmail is secure but very old and cranky.
Relying on Sendmail milters     0     1       0         3     Postfix can run milters, or use equivalent Exim routers/filter scripts.
Wanting minimum hassle          0     3       0         3     Sendmail has some easy front-ends, but remains very difficult to master. Postfix and Exim are easily configured.
Size-constrained                3     1       0         2     qmail doesn't support modern email standards, but may work for a very tiny embedded MTA. Licensing issues may be a concern.
On Windows                      0     2       3         0     Sendmail has a native Windows port; Exim is available in the Cygwin distribution.
Needing commercial support      1     3       3         3     There are competent companies for all of the above MTAs; qmail is inherently less supportable due to its age.

The quick answer

My recommendation for an MTA choice is Exim; here's why:

Exim can solve any MTA problem at least as well as, if not better than, any of the other MTAs listed here. It has very good documentation and a most supportive community. It is the only modern mailer which expressly aims to be general-purpose. That is why it is my first choice. There are no ordinary circumstances where Exim is a bad choice, although there may be special circumstances where another MTA may be superior.

Think of Exim as the Linux of free MTAs. There are many free Operating Systems and some of them are better than Linux for specific tasks. But Linux can do (at least) a good job for nearly everyone [5].

Some Home Truths

  • Sendmail can be made to do anything, but is for people with a Sendmail background. It makes little sense for people who don't have a specific need for specific Sendmail features to learn it. If everyone follows this recommendation, Sendmail will be dead in a generation.
  • qmail is a specialist product with a lot of drawbacks in general use. qmail requires a very substantial commitment to master. Unless you have a good reason to use it, don't. A hunch that qmail is more secure is not a good reason; for most normal purposes Postfix and Exim are just as secure. The usage terms (there isn't a license, and it is worth reading why) are a serious issue for longevity considerations.
  • Postfix is limited by design (for security considerations) and has a tiny development community (not to be confused with its large user community). So it has a less predictable future. The license is odd (no longer used by anyone) and precludes sharing with GPL code.
  • Still wondering about Sendmail? Well, there will be those who say that there is life after Sendmail in the form of Sendmail X. Sendmail X will probably be released in 2008 or so, and since it is the first ever redesign it will be a completely different product. Since the Sendmail developers are highly competent mail professionals I expect it will be a good product.

Footnotes

4. I'm working on doing a survey of my own. Let me know if you want to help.

5. Which doesn't stop me learning from the others -- thank you NetBSD for ISBN 0-201-79940-5 and ISBN 0-321-16607-8.

More articles by Dan Shearer are available here.

Comments (26 posted)

System Applications

Database Software

Mayfly 0.2 released

Version 0.2 of Mayfly, a Java-based SQL in-memory database for unit tests, is out. "Background: although there are a vast number of free and non-free SQL implementations in Java, few of them are really good for unit testing. A database for unit testing should be very fast on small data sets and should not present performance or other obstacles to setting up databases, adding and removing tables, and destroying databases. A typical unit test run will want to create thousands of databases. With most SQL databases, this is not achievable, and one must resort to compromises such as keeping the tables around and only setting up data on each unit test run. Mayfly aims to make creating an in-memory SQL database as easy as creating any other in-memory data structure."

Full Story (comments: none)

LDAP Software

LAT 1.1.6 released

Version 1.1.6 of LAT, the LDAP Administration Tool is out. "This release is the 7th of the 1.1.x development cycle which will eventually become v1.2. If you need a stable release stick with the 1.0 branch."

Full Story (comments: none)

Desktop Applications

Audio Applications

eSpeak 1.12 released

Version 1.12 of eSpeak, a text to speech synthesizer, is out with improved Greek and Italian language support and other changes. See the release notes for details.

Comments (none posted)

Desktop Environments

GNOME 2.16.0 Release Candidate 1 released (GnomeDesktop)

Release candidate 1 of GNOME 2.16.0 (AKA GNOME 2.15.92) has been announced. "This is one of the last releases in the 2.15 development series and represents a release that is now API/ABI, feature, string and UI frozen. Hard code freeze is quickly approaching: this means that we're pretty close to the final 2.16.0 release. The GNOME contributors are now busy fixing the most important bugs that are still out there, localizing the whole desktop or updating our documentation."

Comments (none posted)

GARNOME 2.15.92 (2.16.0 RC) announced

Version 2.15.92 (2.16.0 RC) of GARNOME, the bleeding edge GNOME distribution, is out. "This release includes all of GNOME 2.16.0 Release Candidate (2.15.92), tweaked and updated with love by the GARNOME Team."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

The August 27, 2006 edition of the KDE Commit-Digest has been announced. The content summary says: "In this week's KDE Commit-Digest: as the Summer Of Code draws to a close, a mass code import in the Physiks project, and other notable commits for several of the other affiliated projects. Work begins on a Kexi importer for KSpread. Numerous improvements for displaying data in forms and table view in Kexi, including support for default values and tooltips for large content. Lots of work on the Kross scripting framework. Improved functionality in Konversation and KFTPGrabber. Speed and memory optimisations in KDevelop and Filelight. An experimental project begins to integrate the Orca Screen Reader into KDE 4 using D-Bus."

Comments (none posted)

Quickies: Okular, Desktop Survey, Krusader, Presidential Wedding (KDE.News)

KDE.News has posted a Quickies update. "Ten days ago we got the first snapshot of KDE4. If you already played a bit with it, now you can continue discovering more interesting things playing with the unstable package of Okular, a universal document viewer for KDE4 based on the KPDF code."

Comments (none posted)

Electronics

gEDA/gaf 20060824 released

Snapshot 20060824 of gEDA/gaf, a collection of electronic design tools, is out. See the release announcement for details.

Comments (none posted)

kicad 2006-08-28 announced

Release 2006-08-28 of Kicad, an electronic schematic and printed circuit CAD system, is out. Changes include wxWidgets 2.7.0 support, documentation improvements, bug fixes and more.

Comments (none posted)

PCB 20060822 snapshot announced

Snapshot 20060822 of PCB, an electronic printed circuit CAD application, is out. See the release announcement for details.

Comments (none posted)

Financial Applications

SQL-Ledger 2.6.17 released

Version 2.6.17 of SQL-Ledger, a web-based accounting system is out with bug fixes.

Comments (none posted)

Games

Cyphesis 0.5.9 released

Version 0.5.9 of Cyphesis has been announced. "Cyphesis is a small to medium scale server for WorldForge games, with builtin AI. This version includes the demo game Mason which is currently in development. This release is intended for server administrators wishing to run a Mason server and World developers developing new worlds or game systems."

Comments (none posted)

In search opinions on GNOME Games module games (GnomeDesktop)

GnomeDesktop.org is collecting opinions on which games to include in the next release of GNOME Games. "The GNOME Games maintainers are planning to deprecate one GNOME Games game which is unpopular and difficult to maintain during the 2.18 release cycle and replace it with a more popular game with better, more maintainable code. To this end, we are seeking input from our users to decide which game to remove and also opinions on which game to include."

Comments (none posted)

Interoperability

Wine 0.9.20 released

Version 0.9.20 of Wine has been announced. Changes include: XEmbed system tray support, many improvements to NTLM support, many messages made localizable instead of hardcoded to English, improved support for various OpenGL platforms, more improvements to the IDL compiler and lots of bug fixes.

Comments (none posted)

Medical Applications

Eclipse Open Healthcare Framework and OpenEHR at Stuttgart (LinuxMedNews)

LinuxMedNews covers an effort to use Eclipse for building medical applications. "The Eclipse Open Healthcare Framework (OHF) Project is an open source project whose aim is to build an e-health computing platform (tools, run-times and community) on which developers can more effectively build useful and interoperable applications. We believe that the openEHR community could leverage the Eclipse platform - the tooling, run-time and governance support, to improve the coherence of the tools, implementations and uptake of openEHR. OHF will propose an openEHR component at the European EclipseCon meeting."

Comments (none posted)

Mirth HL7 Engine - Community Site now open (LinuxMedNews)

LinuxMedNews has an announcement for version 1.1 of Mirth, an open-source HL7 interface engine. "We've just released a milestone 1.1 version of Mirth, and have just launched our new site at http://www.mirthproject.org. Head over and contribute to the message boards, wiki, and submit any bugs to our issue tracker. As always, thanks to our users and contributors!"

Comments (none posted)

Miscellaneous

Wyneken 0.4 rc2 released

Version 0.4 rc2 of Wyneken is out with new capabilities, documentation updates and bug fixes. "Wyneken is a content-oriented text processor that makes your life as a student easier by allowing you to create and manage digital notebooks. Wyneken also allows you to create PDF presentations, letters, articles, and reports. Wyneken creates highly professional documents in PDF, DVI, HTML, RTF, and Ascii Text."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The August 29, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

JSP

The XSLDataGrid: XSLT Rocks Ajax (XML.com)

Lindsey Simon works with XSLDataGrid on O'Reilly's XML.com. "Most web applications have a requirement somewhere in their interface for a tabular view of data -- often, a view of the rows in a database table. In some cases, the use of a static HTML <TABLE> is appropriate, but users have become increasingly accustomed to richer, more malleable interfaces that let them change column widths, order, etc. Among the application widgets in the web developer's toolbox, the dynamic datagrid is an often cumbersome one to set up. This article will outline a datagrid component powered by XSLT and JavaScript that aims to achieve easy setup, high performance, and minimum dependence."

Comments (none posted)

Lisp

SBCL 0.9.16 released

Version 0.9.16 of Steel Bank Common Lisp has been announced. "This version provides performance optimizations, better introspection and debugging support, several bug fixes, and more."

Full Story (comments: none)

Perl

Weekly Perl 6 mailing list summary (O'Reilly)

The August 20-26, 2006 edition of the Weekly Perl 6 mailing list summary is out with coverage of the latest Perl 6 developments.

Comments (none posted)

PHP

PHP 5.1.6 Released

Version 5.1.6 of PHP has been announced. "The PHP development team would like to announce the immediate availability of PHP 5.1.6. This release contains a fix for memory_limit restriction on 64 bit systems that was not included in PHP 5.1.5."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The August 23, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

PyTables 1.3.3 released

Version 1.3.3 of PyTables is out with better NumPy compatibility and bug fixes. "PyTables is a package for managing hierarchical datasets and designed to efficiently and easily cope with extremely large amounts of data."

Comments (none posted)

Ruby

Ruby 1.8.5 Released

Version 1.8.5 of the Ruby language has been announced. "This is a bug fix release. There should be no big difference from 1.8.4. We hope 1.8.5 is more stable and reliable than its preceding versions." See the change log file for details. (Thanks to Pat Eyler.)

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The August 29, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

IDEs

Wing IDE 2.1.2 released

Version 2.1.2 of Wing IDE has been announced. "We're happy to announce version 2.1.2 of Wing IDE, an advanced development environment for the Python programming language. This is a bugfix release that improves support for Python 2.5 (2.5c1 is required) and fixes a number of bugs."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Results from the 2006 Desktop Linux Survey (DesktopLinux)

DesktopLinux.com ran a web-based distribution popularity contest, and is now discussing the results. "After this, we come to what I think of as the first surprise in our survey. Gentoo took fourth place with a total of 9.6 percent. Gentoo, to me, is a Linux expert's Linux. I know many serious Linux users who work with Gentoo to better understand Linux, but almost no one who uses it as their first choice for day-to-day work."

Comments (17 posted)

Which Free Linux Desktop Is Best? (CRN)

CRN reviews the Freespire, OpenSUSE, and Ubuntu desktops. "Comparing these distributions head to head is no easy task. Each has its own idiosyncrasies and each is aimed at a slightly different audience, ranging from the corporate Linux diehard to the neophyte user. With that in mind, Test Center engineers focused on what aspects of a Linux desktop would most benefit system builders, including installation, setup, support, feature set and usability." They liked all three, but Ubuntu comes out on top.

Comments (15 posted)

Companies

Ingres Christens Project Icebreaker (webpronews.com)

webpronews.com covers the new Project Icebreaker from Ingres. "The open source database company Ingres teamed with another open source player to deliver Icebreaker, a way to place database services on a server with no operating system required. Ingres CTO Dave Dargo blogged about Icebreaker, which launched recently during the LinuxWorld Conference and Expo."

Comments (1 posted)

Sun releases open source single-sign-on code (NewsForge)

NewsForge reports that Sun has released the source code to OpenSSO (Open Web Single Sign-On), an identity management system. "OpenSSO is based on Sun's proprietary Java System Access Manager, and is distributed under Sun's Common Development and Distribution License (CDDL). CDDL is OSI-approved, but is not GPL-compatible."

Comments (3 posted)

Zend Raises $20 Million (LinuxWorld)

LinuxWorld.com takes a look at Zend fund-raising efforts. "PHP development and support company Zend Technologies Inc. announced today that it has raised $20 million in series D venture capital funding. Andi Gutmans, Zend's chief technology officer and a co-founder of the company, said in an interview Friday that top priorities for the new investment are Eclipse integration, the Zend Framework for web applications, and the company's services organization and European sales force."

Comments (none posted)

Business

CBR's open source VIPs (Computer Business Review)

Computer Business Review has put up its "complete" list of open source VIPs. Interestingly, there are not many active developers on the list. "Given his dislike of the phrase, one wonders what [Richard] Stallman would make of being an 'open source' VIP, but he is also indirectly responsible for the open source movement that created a more business-friendly approach to free and open software."

Comments (none posted)

Linux at Work

Do-It-Yourself Robots with Linux (Linux Journal)

Linux Journal has an article from a high-school teacher whose students are making Linux-based robots. "Robots have been a passion of mine since I was a child, so imagine my excitement when I was given the opportunity to add a robotics class to our high school's computer curriculum! We recently celebrated our second year of offering robotics at Greater Houlton Christian Academy (GHCA), the school where I teach. During this time, we've produced three different robots, each based on a PC running Linux. We work with a tight budget, so we have to be creative in our design, use of materials and tools. This results in robots that any do-it-yourself hobbyist can build."

Comments (none posted)

Legal

The GPLv3 process: Public consultation and private drafting (Linux.com)

Linux.com looks at the process of drafting the GPLv3. "How is the third version of the GNU General Public License (GPLv3) being written? Considering how much the revised license and its success or failure could affect the free and open source software communities, the question is almost as important as the final content. Yet, until now, the answer has been largely unknown."

Comments (2 posted)

Interviews

Interview with Mike Melanson, lead engineer on the Linux Flash Player team (ZDNet)

Ryan Stewart interviews Mike Melanson, the lead engineer on Adobe's Flash Player team, and one of the people behind the Linux Flash Player. "Can you give us a little bit of your background? How you got into Linux, how you came to be involved in the Linux Flash Player? I got into Linux when I wanted to use a free relational database called MySQL for a web project. I eventually went to Linux full time at home. Soon after, I realized I could not play Apple QuickTime movie trailers on Linux and wondered why. I started doing some homework and began contributing to, and occasionally leading, various multimedia-related open source projects and efforts, such as xine, FFmpeg, and MPlayer."

Comments (17 posted)

A conversation with Eben Moglen (Linux.com)

Joe 'Zonker' Brockmeier talks with Eben Moglen. "Eben Moglen is a man who wears many hats: professor of law and legal history at Columbia University, general counsel for the Free Software Foundation, and chairman of the Software Freedom Law Center (SFLC). Last week at the LinuxWorld Conference & Expo in San Francisco, I sat down with Moglen to get an update on the draft process of the GNU General Public License version 3 (GPLv3), his opinion on modified versions of the GPL, and the status of the SFLC."

Comments (1 posted)

Resources

Designing a book with LyX (NewsForge)

Corinne McKay and Daniel J. Urist work with LyX to do desktop publishing. "Self-publishing is becoming easier and cheaper, thanks in part to improved printing technologies and desktop publishing tools. If you've ever considered writing a book, you may have looked at the layout capabilities of OpenOffice.org Writer, AbiWord, KWrite, or other word processing programs. While these tools can produce adequate results for many types of documents, it's also worth considering LyX, an open source (GPL) desktop publishing application that, with a bit of work, can create a really professional-looking book that is indistinguishable from a book produced by a mainstream publishing house."

Comments (2 posted)

Making waves in the Ruby world (Linux Journal)

Pat Eyler looks at the methodology behind some successful Ruby language projects. "There are three projects in the Ruby world that really stood out this summer: JRuby, Mongrel, and Ruport. It's not so much what they've done in terms of development (though that's been impressive), but how well they've communicated. This is something that a lot of projects don't do as well, so I wanted to take a look at what they've done in hopes that more projects might follow their lead."

Comments (none posted)

Ubuntu and Your iPod (Linux Journal)

The Linux Journal has posted a book chapter on working with iPods on Ubuntu systems. "A relative newcomer to the iPod file management arena is YamiPod. YamiPod, which also comes in Mac and Windows versions, looks like a cleaned-up version of gtkpod; YamiPod's layout is more straightforward, making it easier to use in many ways. It also allows audio-direct, helper-less playback (which gtkpod doesn't), and it is easier to deal with in terms of playlist creation and handling."

Comments (none posted)

Reviews

Eclipse RCP: A Platform for Building Platforms (O'ReillyNet)

Wayne Beaton looks at the Eclipse Rich Client Platform on O'Reilly. "Where do you start when building a Java desktop application? All Java gives you by default is public static void main (String[]); it's up to you from there. Eclipse's Rich Client Platform (RCP) offers a tested design, commonly-needed widgets, a standardized component model, pervasive extensibility, and more. Wayne Beaton has an introduction to get you up to speed with RCP-based development."

Comments (none posted)

Kalzium creator brings the periodic table to life (NewsForge)

NewsForge looks at Kalzium. "Kalzium was originally developed as a simple interactive table of the periodic elements but has evolved into a full-featured application, complete with an equation solver and modified molecular calculator. Its database contains information on more than 100 chemical elements, and can be manipulated to show data in several ways, including mass, density, charge, and name origin. Kalzium even includes a timeline that allows users to sort data according to year of discovery."

Comments (none posted)

DIY Linux home theater PC (LinuxDevices.com)

LinuxDevices covers a Linux-powered home theater system from LixSystems. "The installation DVD's Linux OS image includes a Fedora 5-based 2.6.16 Linux kernel, along with an extensive set of drivers as well as support for USB, card reader audio, a "fully configured LIRC" (Linux Infrared Remote Control) receiver that works with the included handheld remote control, and a set of HTPC-oriented applications."

Comments (none posted)

Nokia 770: Portable fun, but still needs polish (Linux.com)

Linux.com reviews the Nokia 770 Internet Tablet. "The Nokia 770 Internet Tablet is a thin black handheld device with a Linux operating system and Wi-Fi and Bluetooth connectivity, but, unlike most Nokia handhelds, it's not a cell phone. Instead, it's a fun way to connect to the Internet. The latest version shows promise, but it's still not quite ready for prime time."

Comments (6 posted)

The Path to Linux Success (eWeek)

eWeek takes a look at rPath. "rPath has attempted to split the difference between the roll-your-own and one-size-fits-all Linux approaches by building, maintaining and supporting a distribution of its own. The result is rPath Linux, and ISVs can marry their wares to it to create ready-to-deploy software appliances."

Comments (none posted)

Miscellaneous

FSF hires new GPL compliance engineer (Linux.com)

Linux.com covers the Free Software Foundation's newest hire. "The Free Software Foundation (FSF) has hired long-time volunteer Brett Smith as compliance engineer for the GNU Public License (GPL). Smith replaces David Turner, who has held the position for more than five years. Both Smith and Turner say they expect a smooth changeover, with continued development of existing policies."

Comments (none posted)

OpenUsability funds student projects (Linux.com)

Linux.com looks at OpenUsability's student projects. "OpenUsability, the organization of software interface usability experts, has begun taking applications for the first in a series of funded student projects. Similar to the Google Summer of Code, selected students will be paired with mentors and set to work on projects to be completed over a three-month period, with a reward of $700 upon success. Students applying now will be competing for the first such position -- an opportunity to do interaction design for the GIMP."

Comments (none posted)

The Portland project: No silver bullet for hairy problem of multiple desktops (Linux.com)

Linux.com has an editorial look at the Portland project. "The Portland project is an effort to unify the Linux desktop by specifying and implementing a common set of APIs that all applications can use, and by supplying tools to assist application developers. Its primary target is third-party independent software vendors (ISV), a group that the Portland project leaders describe as interested in deploying software on Linux, but held back by the fractious dueling-desktop-environment mess."

Comments (18 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

KDE e.V. Quarterly Report (KDE.News)

KDE.News has announced the availability of the second quarter 2006 KDE e.V. report. "KDE's legal body KDE e.V. has published its second 2006 quarterly report. Topics covered include progress organising Akademy 2006, activities from the working groups and sysadmins, events organised and attended and seven new members. If you have been helping KDE for a while, do consider joining the e.V. membership."

Comments (none posted)

OpenDocument Fellowship receives development grants

The OpenDocument Fellowship has received almost $40,000 in donations for its Targeted Donations Program. "One donation will be used to reward volunteers from the OASIS ODF Formula subcommittee for their continuing work on the formula specification. The other donations are targeted at development projects. The Fellowship is producing an "ODF toolkit" for developers, and a light-weight ODF viewer."

Full Story (comments: none)

Commercial announcements

2X goes open source with 2X TerminalServer

2X has announced the release of the source code for its 2X TerminalServer for Linux product, under the GPL. "2X TerminalServer is a mature terminal server solution based on the popular NX protocol, which enables users to run a Linux desktop and Linux / Windows applications over any type of connection. A free terminal server solution provides significant value to the Linux community and will help justify a potential move to Linux on the desktop."

Full Story (comments: 2)

Linspire's "Click 'N Run" service now free

Linspire has announced that its "Click 'N Run" service is now available free of charge. "The strong revenue stream from the commercial desktop Linux software applications, as well as the premium 'CNR Gold' service, has opened the door for Linspire to offer the basic CNR service at no charge to all Linspire and Freespire users."

Comments (4 posted)

Linux/Unix version of SPECviewperf 9 now available

A free download of the SPECviewperf v9 graphics performance evaluation software is now available for Linux and Unix systems. "SPECviewperf has become a worldwide standard for users assessing graphics performance for new purchases and upgrades, graphics card vendors testing products under development, OEMs evaluating graphics components, and consultants and publication editors reviewing new graphics systems. SPECviewperf 9 represents a major upgrade to the popular benchmarking software, featuring two new viewsets, a totally restructured viewset, and code changes that bring the testing environment much closer to the realities experienced by application users."

Comments (4 posted)

Novell reports preliminary financial results for 3Q 2006

Novell, Inc. has announced its preliminary third quarter financial results. "For the third fiscal quarter 2006, Novell reported net revenue of $241 million, compared to net revenue of $252 million for the third fiscal quarter 2005. The loss available to common stockholders from continuing operations in the third fiscal quarter 2006 was $3 million or $0.01 loss per diluted common share. This compares to income available to common stockholders from continuing operations of $0.4 million, or $0.00 per diluted common share, for the third fiscal quarter 2005."

Comments (none posted)

Prosilica releases Linux software development kit (LaserFocusWorld)

LaserFocusWorld reports that Prosilica has announced a Linux software development kit for its gigabit Ethernet cameras. "These GigE Vision gigabit Ethernet cameras, which have been used in a wide range of Windows-based computer vision applications, can now also be easily used on Linux computers. The SDK also includes sample code to help programmers more easily use Prosilica's cameras in their Linux-based applications. Prosilica's Linux SDK for GigE Vision works on both x86 and PowerPC hardware, which is of great interest to system integrators and equipment manufacturers who want to use low-cost computer platforms for their automated imaging systems."

Comments (none posted)

Zenoss releases open-source enterprise monitoring product

Zenoss, Inc. has announced the release of a new version of its Zenoss open-source enterprise monitoring product. "Offering the most complete IT monitoring software suite available as open source, the new version of Zenoss features: Built in Support for Nagios Plug-Ins. Existing users of Nagios can continue to use widely available and/or customized Nagios plug-ins in support of their systems monitoring requirements."

Full Story (comments: none)

New Books

CSS: The Missing Manual--O'Reilly's latest release

O'Reilly has published the book CSS: The Missing Manual by David Sawyer McFarland.

Full Story (comments: none)

No Starch Press releases "Hacking the Cable Modem"

No Starch Press has published the book Hacking the Cable Modem by DerEngel.

Full Story (comments: none)

Ruby on Rails: Up and Running - O'Reilly's Latest Release

O'Reilly has published the book Ruby on Rails: Up and Running by Bruce Tate and Curt Hibbs.

Full Story (comments: none)

Resources

Open-Xchange Publishes Web 2.0 Collaboration Position Paper

Open-Xchange, Inc. has a position paper, written by Daniel Kusnetzky, entitled Three Critical Elements of a Web 2.0-based Collaborative Solution.

Full Story (comments: none)

Contests and Awards

Announcing the APC Chris Nicol FOSS Prize in 2007 (LinuxMedNews)

LinuxMedNews mentions a $4000 prize that is available for free software developers. "The Association for Progressive Communications (APC) Chris Nicol FOSS Prize recognises initiatives that are making it easy for people to start using free and open source software (FOSS). The prize will be awarded to a person or group doing extraordinary work to make FOSS accessible to ordinary computer users."

Comments (none posted)

The Free Software Directory D5000 Contest

The Free Software Foundation has announced a contest to celebrate the 5000th entry in the Free Software Directory. "To mark the milestone of reaching 5000 entries, the FSF is holding a "D5000 contest" the winner of which will be rewarded for submitting the five thousandth entry. From now, 2006-08-21, until 2006-09-21, each new, valid and completed directory entry that is submitted will count as one chit in the raffle for the prize."

Full Story (comments: none)

KPhotoAlbum Splash Screen Contest (KDE.News)

KDE.News has announced the KPhotoAlbum Splash Screen Contest. "The contest comes with a prize of $100US straight from author Jesper's PayPal account. Some early designs are on the contest page already. The contest runs until September 15th, and after that the KPhotoAlbum community will vote on which one will be used for the next release."

Comments (none posted)

MySQL wins database contest

MySQL AB has announced the winning of an award. "MySQL AB, developer of the world's most popular open source database, announced today that its internal benchmark team has won an international contest sponsored by the renowned IT industry magazine c't for the fastest e-commerce database application. The magazine's editors held the contest to evaluate database performance in real-world business use by creating a standard online inventory system."

Comments (none posted)

Event Reports

Python Sprint Report

Guido van Rossum reports on the Python Sprint in a blog posting. "This week, a number of Python developers (core and otherwise) and some Googlers got together in Mountain View and New York for a four-day Python and Python-3000 (Py3k) development sprint. Here's what we've done." Topics include: Warming Up, Int/Long Unification, Reinventing Comparison, Miscellaneous Projects and Python 2.5/2.6 Sprint Results.

Comments (none posted)

Calls for Presentations

linux.conf.au 2007 call for participation extended!

The lca2007 Call For Participation has been extended until September 15, 2006. Submit your presentations, miniconfs, tutorials and papers before it's too late. "Proposals for presentations and tutorials should be around 400 words and should detail the subject you want to talk about and include links to any other relevant details, such as a project home page. Remember this proposal needs to convince our programme committee that you should be talking at linux.conf.au 2007." lca2007 begins January 15, 2007.

Full Story (comments: 1)

Upcoming Events

Update on Hack.lu 2006

Hack.lu 2006 will be held in the Grand-Duchy of Luxembourg on October 19-21, 2006. "Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implication on society. The aim of the convention is to make a bridge of the various actors in the computer security world."

Full Story (comments: none)

T-DOSE event in Eindhoven, the Netherlands

The 2006 T-DOSE event has been announced. "During the weekend of December 2nd and 3rd 2006 the T-DOSE event will be held in the auditorium of the Technical University of Eindhoven, the Netherlands. The name T-DOSE stands for Technical Dutch Open Source Event and offers a central speakers track, an open source marketplace for the abundant sharing of information and several developer/community rooms."

Full Story (comments: none)

Events: September 7, 2006 to November 6, 2006

The following event listing is taken from the LWN.net Calendar.

Date(s): Event (Location)

September 5-8: Linux Kongress 2006, 13th International Linux System Technology Conference (Nürnberg, Germany)
September 8: Leipzig Python Workshop (Leipzig, Germany)
September 9-10: Linuxtage in Essen (Essen, Germany)
September 11-13: OpenOffice.org Conference (Lyon, France)
September 12-15: php|works/db|works 2006 (Toronto, Canada)
September 13-15: 2006 WebGUI Users Conference (Las Vegas, NV)
September 14: NLUUG najaarsconferentie 2006 (Gelderland, The Netherlands)
September 14-16: Wizards of OS 4 - Information Freedom Rules (Berlin, Germany)
September 14-15: RailsConf Europe 2006 (London, UK)
September 14: Open Source: New DoD Paradigm, or Business as Usual? (Arlington, VA, USA)
September 14-15: Software Tagging Workshop (Portland, OR, USA)
September 16-17: WineConf (Reading, UK)
September 16-17: Linux-Delhi (India Linux users group Delhi chapter) Freedel 2006 (Delhi, India)
September 17: KLDP 10 year Anniversary Free/Open Source Software Conference (Seoul, Korea)
September 18-21: 2006 European Open Source Convention (Brussels, Belgium)
September 18-21: New Security Paradigms Workshop (Schloss Dagstuhl, Germany)
September 19-21: High Performance Embedded Computing Workshop (Lexington, MA, USA)
September 23-30: KDE World Summit 2006 (Dublin, Ireland)
September 25-28: Embedded Systems Conference (Boston, MA)
September 29-30: No cON Name 2006 Congress (Palma de Mallorca, Spain)
September 29 - October 1: ToorCon 2006 (San Diego, CA)
September 29 - October 1: Encuentro de Desarrolladores de GNOME Zaragoza (Zaragoza, Spain)
September 30 - October 1: RuxCon 2006 (Sydney, Australia)
September 30: Ohio LinuxFest 2006 (Columbus, Ohio)
September 30: Defective by Design, 2pm-5pm, Apple Store, Regent Street (London, UK)
October 1-4: Gelato ICE Itanium Conference and Expo (Biopolis, Singapore)
October 1-3: LinuxBIOS Symposium 2006 (Hamburg, Germany)
October 2-5: Security OPUS Infosec Conference (San Francisco, CA, USA)
October 7-9: GNOME Boston Summit (Boston, MA, USA)
October 9-13: ApacheCon US (Austin, TX)
October 9-13: 13th Annual Tcl/Tk Conference (Naperville, IL)
October 11-12: Eclipse Summit Europe (Esslingen, Germany)
October 11-12: Linux World Conference and Expo (Utrecht, The Netherlands)
October 12-15: Eighth Real-Time Linux Workshop (Lanzhou, Gansu, China)
October 18-19: International Conference on IT-Incident Management and IT-Forensics (Stuttgart, Germany)
October 18-22: Pike Conference 2006 (Riga, Latvia)
October 19-21: HackLu 2006 (Kirchberg, Luxembourg)
October 19-20: DC PHP Conference (Washington, D.C.)
October 20-22: aLANtejo 06 (Évora, Portugal)
October 20-22: RubyConf 2006 (Denver, Colorado)
October 22-27: Colorado Software Summit (Keystone, CO, USA)
October 23-24: Mono User and Developers Meeting (Cambridge, MA, USA)
October 23-26: Enterprise Architecture Practitioners Conference (Lisbon, Portugal)
October 25-26: LinuxWorld UK 2006 (London, UK)
October 25-27: Plone Conference 2006 (Seattle, WA)
October 26-27: IT Underground (Warsaw, Poland)
October 26-27: Free Software and Open Source Symposium (Toronto, Canada)
October 28: LinuxDay 2006 (Many of them, Italy)
October 31 - November 2: Zend/PHP Conference and Expo (San Jose, CA)
November 1: Ingres Users Association Conference (London, England)
November 4-8: I Jornadas técnicas KDE de Zaragoza (Zaragoza, Spain)
November 4-11: Open Source in Performance and Exhibition (London, England)
November 5-8: International PHP Conference (Frankfurt, Germany)
November 5-10: Ubuntu Developer Summit - Mountain View (Mountain View, CA, USA)

If your event does not appear here, please tell us about it.

Web sites

SpreadGNOME.org Launches

The new SpreadGNOME.org site has been launched. "In an effort to promote the adoption of GNU/Linux desktops, SpreadGNOME.org has launched with the goal of being a resource to help spread the word of GNOME to GNU/Linux desktop users and potential converts. It is meant as a place to share ideas to help promote GNOME in the community, and helping those who wish to get involved with GNOME. Feel free to submit other GNOME-related content as well to this site. SpreadGNOME.org is an independent web-site and is not affiliated with, authorized by, sponsored by, or otherwise approved by GNOME Foundation."

Comments (13 posted)

A wiki about computer hardware, including Linux support

Thue Janus Kristensen has announced a new wiki. "After having noted that there doesn't seem to be a wiki in existence about computer hardware and operating system support, I decided to create one. To me, hardware and operating system support seems like an obvious idea for a user-supported information collection, in the spirit of Wikipedia."

Full Story (comments: none)

Audio and Video programs

Lawrence Lessig's LinuxWorld talk online

LinuxWorld has put up a video of Lawrence Lessig's LinuxWorld keynote. It is in Flash format, however, and thus not accessible to all Linux users.

Comments (12 posted)

Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds