The Linux Standard Base gets some applications
The Linux Standard Base project will provide a vendor-neutral
standard, backed by source code, upon which to build Linux
distributions, much as the Linux kernel project provides a single
kernel that is shared by all distributions....
The application of the standard will be that any program that runs
successfully on the reference platform can be expected to run on all
Linux systems.
With these words, the Linux Standard Base project was launched in May of 1998.
This project set out to create a reference platform which would encourage
the porting of commercial application programs to the Linux system. By
eliminating the need to create a separate version of a program for every
supported distribution, the LSB, it was thought, would bring about a wealth
of Linux-based applications without impeding the free development of a
variety of Linux distributions.
Over the subsequent years, the LSB has limped along under a succession of
leaders. Various LSB standards addressing various parts of the system have
been created. Most of the major distributions have made the effort to
implement LSB compliance, so there is a vast number of deployed,
LSB-certified Linux systems out there. Only one little, nagging problem
has remained, however: no application vendors have stepped forward to
certify their products against the standard.
That situation changed quietly a couple of weeks ago, however, when the
Free Standards Group (the parent organization which is developing the LSB) announced the
first two certified LSB applications. These applications - RealPlayer and
MySQL - are no strangers to the Linux platform, so their certification is
unlikely to change life for many Linux users. RealPlayer already works on
the bulk of Linux distributions, and MySQL, being free software, is shipped
with most of them. But the fact that these vendors made the effort to
certify their products shows that the LSB effort - recently returned to
life under the leadership of Ian Murdock - might just go somewhere this
time.
The real test, however, will be whether any new applications, previously
unsupported under Linux, hit the market with LSB certification. Thus far,
the LSB has failed to encourage any vendors - any at all - to support Linux
by porting to the LSB platform. The recent announcement has not changed
that fact - RealPlayer and MySQL were already available to Linux users in
an uncertified form.
Clearly, in 1998, the LSB was ahead of its time. The proprietary
application vendors, for the most part, were not even close to being ready
to support their products on Linux. There is not much that the LSB effort
could have done to change that fact. As Linux grows, however, vendors will
begin to believe that there might be a worthwhile market to be found there;
the LSB intends to be there when they come around. To that end, the Free
Standards Group has
set up a new developers network
with information for vendors writing applications for the LSB.
Many LWN readers have little interest in the creation of a vibrant market
for proprietary Linux applications. The available free software meets
their needs, and, where it doesn't, projects are underway to improve the
situation. For many, the installation of proprietary applications would
only compromise the years-long effort to create a free system. These
people care little about the progress of the LSB.
The fact remains, however, that there is a large variety of proprietary
software for which no free equivalent exists, not even in an early stage of
development. There is also a large body of potential users who will not
consider moving over to Linux until the applications they need are
available. If the LSB succeeds in encouraging ports of some of those
applications, it could encourage some of those users to make the jump to
free software. And that, in the end, should be a good thing.
Managing Gentoo - a study in quotes
People outside of the
Gentoo Linux
project may be surprised to learn that the Gentoo developers are currently
electing a new management council. Unlike, say, Debian, Gentoo tends to do
a fair amount of its deliberations out of public view. There has recently
been a discussion, however, which has brought out some of the concerns that
Gentoo developers have. Here are some excerpts.
I started my fourth year as a Gentoo developer in June, and Gentoo's
changed a lot since I started back in 2003. We've become a drastically
more democratic organization. But the question remains - _Is this a good
thing?_
When I think about where Gentoo was when we turned into a democracy
years ago, and where Gentoo is now, I don't see much of a difference on
the large scale. We lack any global vision for where Gentoo is going, we
can't agree on who our audience is, and everyone's just working on
pretty much whatever they feel like. [...]
I'm not the only one to suggest that a democracy isn't the most
productive way to run Gentoo. When people wanted to change in how Gentoo
was run, democracy was the only option considered, rather than simply
changing the leaders. There's an ongoing assumption that if problems
exist, it must be somewhere in the structure rather than in the people.
If I could go back in time a couple of years and prevent this democracy
from ever happening, I would. If I could fix these problems myself, I
would. But it requires buy-in from the entire Gentoo community if we're
to do anything about it.
-- Donnie Berkholz
In addition to the conclusion that too much freedom has entered the
life-blood that drives Gentoo it is also often the case that from the
stance of upper management there is not enough freedom given. Part of
what paralyzes the Council and devrel and any other historical body that
has tried to keep Gentoo healthy is that there is an understanding that
they can only act as a whole...as individuals none of them have power as
there is fear that a rogue person in a position to abuse their
responsibility will do so. It is my contention that with a body of
multiple individuals such as the Council that there would be the ability
to recognize and mitigate the damage done by such a rogue. I'd posit
that by voting someone onto the council you are saying that you trust
them enough to carry this duty on their shoulders. The Council itself
should not be just a technical body to validate the merits of GLERs
and/or emerging projects, it (or some other yet to be established group)
has to carry the solemn duty of carrying Gentoo into the future,
nurturing it as only a parent could....
All in all I suppose that is the platform that I am running on for this
year's Council...take it for what you will but that is where I stand.
-- Daniel Ostrow
If there's a lack of
respect at the moment, it's not for devrel.
It's between individual developers, who either do not value each other
as people, or do not value each other as contributors.
A good way to sort that out is to get them together in the physical
world, and use group de-polarisation exercises to help folks
understand that their view of the world isn't the only view that is
valid. This is why I'm hoping to see Gentoo establish a regular
international dev conference. You'll find that the vast majority of
issues won't arise once folks actually know each other better - and
the personality clashes that are left are easier to see for what they
are.
-- Stuart Herbert
Maybe it's a cultural thing between some of us, or maybe it's the
'pre-daniel' versus 'post-daniel' devs. I'm curious about the demographics of
our active developers that were on prior to daniel's leaving compared to
those who joined after. To most of the recent active folks, they never
knew what it was like before. Hell, I just got on towards the tail end
of the daniel-era, so I don't have much validity in that realm myself!
But I do remember how it used to be and how well we did things and how
we usually respected each other in some fashion or another.
I'm afraid those days are in the past unless some kind of fork happens
where the folks who think we need a leader go their way and the folks
who prefer the leader-by-committee approach go their way. We all hate
forks, none of us have time for forks, but looking at the dividing line,
I don't see how we'll be able to compromise without adding more
policies and BS.
-- Lance Albertson
It's very easy to claim that "there are too many flamewars", even if
that isn't actually true. It's hard to claim "Portage needs replacing,
the tree has huge QA issues, several archs are horribly unmaintained and
too many developers don't have a clue what they're doing" because a)
they're difficult problems to address, b) if you do say them, Condorcet
ensures that you won't get elected and c) you might be expected to fix
them.
Most of these problems could be solved if we had a council that was far
less spineless, a council that's prepared to address the *real* issues
rather than doing nothing, a council that shows leadership and provides
direction where it's needed without screwing things up where it's not.
-- Ciaran McCreesh
I definitely agree here. What has made me decide to run for the council
is my wish to see things improve before we honestly do start
hemorrhaging developers. We have seen indications that it is coming,
but it hasn't started quite yet. A strong leadership is needed to give
us direction where needed, and also to leave people well enough alone
where it is not needed.
-- Chris Gianelloni
At the top level, the council, in its present form does not manage
Gentoo. It can't, it's pretty much disempowered as a management
organisation due to the rules for its agenda setting. Further, I don't
see any evidence of it setting targets and measuring progress or
even getting progress reports.
-- Roy Bamford
So, now straight to the point, we could elect a Core Team, including
people from each team. And those will be the responsible to take Gentoo
into new 'realms', with its 'risks' included. I am also scared about this
model... it might not work, it actually might create the next armageddon
for many. But what if it does? It might help solve this stagnation
state Gentoo is facing right now, and bring more new ideas into play.
-- Luis F. Araujo
There's no detail in what you want to do, only a vague unhappiness
with how things are, a desire to return to the "good old days" that
never were, backed up by arguments that are demonstrably and factually
incorrect or incomplete.
What is your plan? Where do you want to take Gentoo, where it isn't
already going? ...
_If_ you're looking at Ubuntu with envious eyes, my advice is that you
cross the floor and join them. There's no sense whatsoever in putting
Gentoo head-to-head with any of the other Linux distros, unless they
try to come after what we are good at.
-- Stuart Herbert
As an aside, this has long been the fundamental structural problem in
the open source movement. Within a given project, things generally find
a way to get done, but when a problem lies between two projects (be they
peers, one dependent on the other, whatever) then things often remain
unresolved....
This is actually the cutting edge area in the free software movement at
the moment - trying to find a common ground for not just projects but
constellations of projects and above them distros to collaborate.
-- Andrew Cowie
In this context, it can also be interesting to read Matthew Garrett's note
on his departure from the Debian Project:
There's a balance to be struck between organisational freedom and
organisational effectiveness. I'm not convinced that Debian has
that balance right as far as forming a working community goes. In
that respect, Ubuntu's an experiment - does a more rigid structure
and a greater willingness to enforce certain social standards
result in a more workable community?
The management of large-scale projects is hard - this has been known for
centuries (or longer). Free software projects bring in some interesting new factors,
however, as a result of their voluntary nature and distribution over a wide
range of languages and cultures. We are unlikely to find definitive
solutions to issues which have been around so long, but, perhaps, we'll
learn some interesting lessons in the attempt.
The Blackboard Patent: Where's Waldo?
August 30, 2006
By Pamela Jones, Editor of Groklaw
I'm sure you have heard about the intense outrage over Blackboard, Inc.'s
patent on a method of e-learning and about its initiating a patent
infringement lawsuit against Canadian-based competitor Desire2Learn in
the U.S. District Court for the Eastern District of Texas in July. But
there is a part of the story you may not know.
Blackboard has already been called
"the SCO of the educational software market". Here's the
complaint [PDF], if you'd like to read it. Like most patent
infringement legal filings, it's dry as dust, but if you look at paragraph
10, you will see that Blackboard's litigation appears to target
Desire2Learn's entire product line:
Upon information and belief, in violation of 35 U.S.C. Section 271,
D2L uses, offers to sell, and sells within the United States, and/or
imports into the United States, products and services that infringe the
'138 patent, including, but not limited to all D2L products based on the
D2L learning system or platform, such as the D2L eLearning Technology
Suite, which includes the D2L Learning Environment, Learning Repository and
LiveRoom, and all services supporting these D2L products, such as hosting
services, training services, help desk support services, implementation and
customization professional services, and content services.
According to an open
letter by the CEO of Desire2Learn, John Baker, Blackboard didn't even
contact Desire2Learn prior to filing in July. Yet Blackboard is asking the
court to award it treble damages for "willful" infringement.
There's already a Boycott
Blackboard site, a No EDU
Patents site, with a History of
Internet-based learning page where you can contribute prior art, and
many in higher education are blogging
intensely -- studiously one might even say -- to
chronicle every detail of this patent story. There is also now a Wikipedia
page as mentioned
by Tim O'Reilly in mid August.
Indeed, it's mighty hard not to feel outrage, or at least keep your lip
from curling, when you read the patent,
or better yet a
plain English version of it. Here's a
diagram mocking what Blackboard "invented".
The British Educational Communications and Technology Agency (BECTA) reportedly took a
look and issued guidance on the patent to all companies involved in
e-learning in the UK. This report, while noting that the patent
has no force in the UK, reveals that Blackboard has applied for four patents
at the European Patent Office (EPO). Here's a
list of other patents it has applied for in the US too, including one
ominously titled "Method and system for conducting online transactions."
Is there some kind of a contest going on to see who can get the most
obvious patent on planet earth? By the way, the US Supreme Court will be
reviewing a
case that speaks to the issue of what the standard should be for
obviousness. Better late than never, as they say. Michael Geist reports
that Blackboard "expects similar patents to be granted in nearly a dozen
countries around the world including Canada, Australia, and the European
Union."
Initial review by the EPO found the claims not to be
novel. Alfred Essa on "The NOSE: Information Technology in Higher
Education," prefers the word "trivial" to describe
the issued US patent:
By now I have read the Blackboard patent
carefully, including the notorious "44 claims". Despite what Blackboard has
said in public, the claims taken together describe a generic system for
e-learning and potentially covers every learning tool, present or
future....
Once you strip the "44 Claims" from its stylistic dross one can immediately
see that Blackboard's "Idea", or innovation as they would claim, is
laughably trivial and obvious. The core ideas in the system part of the
claim originated with those individuals who developed the idea of network
computing and using the Internet for collaboration. If there is one
individual who deserves prior art for that Idea it's Tim Berners-Lee. But
Berners-Lee himself would claim that hundreds, if not thousands of people
worldwide, have contributed to developing and establishing the Idea of
network and collaborative computing.
The FOSS community is naturally very concerned that, after Blackboard
finishes suing Desire2Learn, it will come after Open Source e-learning
projects like Moodle. In response, the Sakai Foundation, which helps colleges and
universities run open source e-learning systems, has hired
the Software Freedom Law Center to advise these projects. I think they are
right to be worried despite assurances
from Matthew Small, Blackboard's general counsel, that the company has no
plans to challenge Open Source projects. For one thing, not having current
plans doesn't prevent Blackboard from changing its mind at any time if
this patent stands. Then there is the SCO comparison. It started me
researching.
The SCO Comparison Gets Me Looking for Waldo
Ever since SCO sued
over allegedly infringing code in Linux and we found Microsoft a shadowy
figure in the background, I have formed the habit of looking for a
Microsoft connection whenever I see a story about FOSS being
threatened. It's my personal "Where's Waldo" game.
I remember Bill Gates saying in
2003, shortly after SCO began its campaign, that Linux would be hounded by
IP legal troubles for 4 or 5 years. At the time, I took that as a
5-year plan. So when I heard about the Blackboard litigation, I went to
Google and just searched by the keywords "blackboard microsoft."
Bingo.
I found a number of articles from 2001, which is when Blackboard and
Microsoft first teamed up as partners. Yes, Blackboard and Microsoft. Here's
one from June of 2001 on the deal and its purpose, "Internet Strategies
for Education Markets: The Heller Report:"
Microsoft's .NET technologies (www.microsoft.com/net) will be more
common in higher education through a significant agreement with Blackboard,
Inc. (Washington, DC, www.blackboard.com). The co-marketing partnership
calls for Blackboard to develop the next version of its e learning platform
using the technologies, and for Microsoft to recognize Blackboard as its
preferred e-education partner.
The goal? In this article in The
Chronicle of Higher Education, dated November 23, 2001, an analyst from
Directions on Microsoft said the purpose of the deal was for Microsoft to
"own the educational-software market." Blackboard, according to Essa, now
has a 75% share of the e-learning market.
The article quotes Mark V. East, worldwide general manager for the
education-solutions group at Microsoft, as saying, "Learning could take over
from e-commerce as the number-one use of the Internet." To be able to take
over a market, it probably helps if your product works better than your
competition, and that was the stated plan:
Despite its emphasis on Microsoft products, Blackboard will still write
versions for Unix and Linux, says Matthew S. Pittinsky, chairman of
Blackboard. All versions will have the same set of basic features, although
Blackboard for Microsoft will eventually have more features than Blackboard
for Unix or Linux, he says.
"It will be more feature-rich to run Blackboard out of the box on
Microsoft" than on other platforms, Mr. Pittinsky says. System
administrators will have more options for configuring the Microsoft version
of Blackboard than the non-Microsoft versions. End users will notice a
difference between systems run on Microsoft and those run on other
platforms, he says. It will be easier for users to incorporate documents
from any Microsoft applications in Blackboard's online courses. They will
have just one log-on for all Blackboard and Microsoft software through
Microsoft's Passport technology.
There are other articles
too, like this
one in the Daily Princetonian, where academics worried out loud about
Microsoft inducing Blackboard to create its software in such a way that
they would be forced to switch to Microsoft or give up Blackboard. They
were thinking way too simply. The goal, judging from the litigation against
Desire2Learn is not just market share; it's about money, honey. Patents are
all about money, and when you have a broad patent -- and this one is
nothing if not broad -- you can make all your competitors pay you licensing
fees or if they refuse, you can shut them down. Think RIM and the
Blackberry story. If there is any connection between patents and
innovation, it seems to be to snuff it out wherever it happens to pop up
in a competitor.
When you look into who has funded Blackboard, what do you discover?
Microsoft invested in Blackboard back in 2001, according to a BusinessWire
press release, "Oak
Hill Capital Leads Investors in $48 Million Financing of Blackboard
Inc." And then in February of 2005, Business
Week reported that Bill Gates himself had invested in Oak Hill Capital
Partners to the tune of $55 million in the past and was ponying up $70
million for a second fund, Oak Hill Capital II. Business Week says the
II fund was promising investors a 25% return. While it doesn't specify
that the personal investment went to Blackboard, the Microsoft investment
did. Bingo.
There's Waldo. Geist puts his finger on the central point, I think:
Shock quickly gave way to fear, since the community worried
that Blackboard would leverage the patent to force competitors into
expensive licensing agreements, thereby increasing costs and reducing
innovation.
Moreover, educators have expressed concern that the patent will create
confusion within the academic community, leading some institutions to drop
better learning management systems alternatives due to the legal
uncertainties.
Of course, some might say that's not a bug;
it's a feature.
Page editor: Jonathan Corbet
Security
The OLPC and BIOS upgrades
The
One Laptop Per Child project will, if
successful, place special laptop computers into the hands of millions of
children all over the world. Most of these children will have never worked
with a computer before. The consequences of providing Linux-based systems
to this many children are likely to be huge. If this project is done
right, these kids will grow up seeing free software as the preferred thing
to use. Done wrong, it could turn them (and the adults around them)
against Linux in a big way.
Many aspects of the OLPC systems are interesting; one of those is that they
will use LinuxBIOS
as their onboard, boot-time firmware. LinuxBIOS will bring a high degree
of flexibility to the system, and some complexity as well. There is a real
possibility that, as the result of some late bug or security problem, an
in-field upgrade to LinuxBIOS will be called for. In addition, some users
may want to hack on the firmware and install their own version - after all,
the source is available. For both reasons, the OLPC systems will be able
to rewrite their BIOS on demand.
There is a potential problem there, however. If it is too easy to rewrite
the BIOS, no end of unpleasant things could happen. In the worst case,
some sort of OLPC-based worm could, over a brief period, turn all online
systems into expensive bricks. Or, perhaps even worse, the mass
implantation of a low-level back door could be performed. For this reason,
the OLPC design requires the user to give explicit permission before the
BIOS can be rewritten. In particular, a specific sequence of keys on the
keyboard must be held down before rewriting the BIOS will be possible.
Ivan Krstić has recently been thinking about the BIOS issue; in
particular, he is worried that the keyboard-based interlock still leaves
the system open to phishing attacks. The target user base for the OLPC,
remember, will be very young. If something pops up on their screen telling
them to push a certain set of keys, some of them may well do it. Adults
may be immune
to this sort of attack, but children need to be treated with more care.
So Ivan floated
a proposal for a different way of doing things. It does away with the
keyboard interlock; instead, the operating system is always forbidden to
rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so
upon finding a new BIOS image in a specific place in the filesystem. That
image would have to be cryptographically signed, however, so attackers
would, presumably, be unable to get a new BIOS image written. Ivan says:
Voila. This is now a completely secure BIOS solution which requires
no TPM, allows fully automatic upgrades without the user's
cooperation (such as pressing keys), and fully protects both
against phishing and automated attacks -- in fact, it's
vector-independent.
Some who responded were not entirely happy with this approach, however.
The potential for performing BIOS upgrades (even if properly signed)
without the user's knowledge or consent is troubling. If a bug is found in
the signature verification code, the fully automated mass bricking scenario
becomes real again. Users who want to put in their own version of the BIOS
will be frustrated - they cannot be given the signing key without
compromising the entire mechanism (though this problem can be mitigated
through the addition of a unique key for each system). Some countries may
be unwilling to buy
and distribute the OLPC systems without the ability to create and install
their own BIOS images. And so on; see the
list archive for the full discussion thread.
There was no obvious consensus reached on the list - and no immediate
decision to change the OLPC hardware design. It is an issue requiring some
additional thought, however. The OLPC systems are designed, in general, to
be easy to fix when a user breaks things - they are meant to be
experimented with. A BIOS-level bricking, however, is decidedly not easy
to fix; it is not a scenario which can be allowed to come about. So it will
be interesting to see what solution the OLPC designers arrive at in the
end.
(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).
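The staged-image flow described above, worked through as an added example (this is not code from the article, the OLPC project or LinuxBIOS): the operating system may only drop an image file in a staging location; the firmware, which alone owns the flash and holds nothing but public keys, verifies it and writes it. The image layout (magic, version, payload length, payload, signature), the key names and the class and function names are all this example's own assumptions. The signature is a toy textbook RSA over a SHA-256 digest, built from Mersenne primes so the block runs offline with the standard library; a real design would use a standard signature scheme and key sizes. It also goes slightly beyond the thread in two places: an anti-rollback check, so that a correctly signed but older (and possibly vulnerable) image is refused, and the per-device developer key that the discussion mentions as a way to let owners run their own BIOS without being handed the project's signing key.

```python
import hashlib
import struct


def _make_key(p, q, e=65537):
    # ASSUMPTION: toy textbook RSA built from Mersenne primes, demo only.
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d}


VENDOR_KEY = _make_key((1 << 31) - 1, (1 << 61) - 1)     # held by the project
DEVICE_KEY = _make_key((1 << 89) - 1, (1 << 107) - 1)    # per-machine developer key


def public_part(key):
    """What the firmware stores: modulus and public exponent, never d."""
    return {"n": key["n"], "e": key["e"]}


MAGIC = b"OLPCBIOS"                 # constructed header magic for this example
HEADER = struct.Struct("<8sII")     # magic, version, payload length
SIG_LEN = 32                        # signature stored as a big-endian integer
MAX_PAYLOAD = 1 << 20               # sanity bound on the flash image size


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, key):
    h = _digest(data) % key["n"]
    return pow(h, key["d"], key["n"]).to_bytes(SIG_LEN, "big")


def verify(data, sig, pub):
    if len(sig) != SIG_LEN:
        return False
    s = int.from_bytes(sig, "big")
    if s >= pub["n"]:
        return False
    return pow(s, pub["e"], pub["n"]) == _digest(data) % pub["n"]


def build_image(version, payload, key):
    """What a vendor build (or a developer with a device key) drops into the staging path."""
    hdr = HEADER.pack(MAGIC, version, len(payload))
    return hdr + payload + sign(hdr + payload, key)


class Firmware:
    """Models the BIOS: it alone owns the flash and the trusted public keys."""

    def __init__(self, version, vendor_pub, device_pub=None):
        self.version = version
        self.trusted = [vendor_pub] + ([device_pub] if device_pub else [])
        self.flash = b""

    def check_image(self, image):
        """Return (ok, reason); every field is bounds-checked before it is used."""
        if len(image) < HEADER.size + SIG_LEN:
            return False, "too short"
        magic, version, length = HEADER.unpack_from(image, 0)
        if magic != MAGIC:
            return False, "bad magic"
        if length > MAX_PAYLOAD or HEADER.size + length + SIG_LEN != len(image):
            return False, "bad length"
        signed, sig = image[:HEADER.size + length], image[HEADER.size + length:]
        if not any(verify(signed, sig, pub) for pub in self.trusted):
            return False, "bad signature"
        if version <= self.version:
            return False, "rollback"      # signed but not newer: still refused
        return True, "ok"

    def try_upgrade(self, staged):
        """Called by the firmware at boot when a staged image is found."""
        ok, reason = self.check_image(staged)
        if ok:
            _, version, length = HEADER.unpack_from(staged, 0)
            self.flash = staged[HEADER.size:HEADER.size + length]
            self.version = version
        return ok, reason
```

The order of checks matters: length and magic are validated before any byte past the header is touched, the signature covers the header as well as the payload (so the version field cannot be edited after signing), and the rollback check comes last so that an attacker cannot learn anything about the installed version from an unsigned probe. The mass-bricking concern raised in the thread is exactly the case where a bug in `check_image` accepts something this logic would refuse, which is why the verifier is kept as small and as boring as possible.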
New vulnerabilities
AlsaPlayer: multiple buffer overflows
Package(s): alsaplayer
CVE #(s): CVE-2006-4089
Created: August 28, 2006
Updated: September 19, 2006
Description:
AlsaPlayer contains three buffer overflows: in the function that handles
the HTTP connections, the GTK interface, and the CDDB querying mechanism.
An attacker could exploit the first vulnerability by enticing a user to
load a malicious URL resulting in the execution of arbitrary code with the
permissions of the user running AlsaPlayer.
Alerts:
gtetrinet: buffer overflows
Package(s): gtetrinet
CVE #(s): CVE-2006-3125
Created: August 30, 2006
Updated: September 6, 2006
Description:
A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
Alerts:
lesstif: libXm library privilege escalation
Package(s): lesstif
CVE #(s): CVE-2006-4124
Created: August 29, 2006
Updated: August 30, 2006
Description:
The libXm library in LessTif 0.95.0 and earlier allows local users to gain
privileges via the DEBUG_FILE environment variable, which is used to create
world-writable files when libXm is run from a setuid program.
Alerts:
libmusicbrainz: buffer overflows
Package(s): libmusicbrainz-2.0
CVE #(s): CVE-2006-4197
Created: August 30, 2006
Updated: October 23, 2006
Description:
Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
MySQL: privilege violations
Package(s): mysql
CVE #(s): CVE-2006-4031, CVE-2006-4226
Created: August 25, 2006
Updated: July 30, 2008
Description:
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
Alerts:
streamripper: buffer overflow
Package(s): streamripper
CVE #(s): CVE-2006-3124
Created: August 28, 2006
Updated: September 6, 2006
Description:
Ulf Harnhammer from the Debian Security Audit Project discovered that
streamripper, a utility to record online radio-streams, performs
insufficient sanitizing of data received from the streaming server,
which might lead to buffer overflows and the execution of arbitrary
code.
Alerts:
wireshark: several vulnerabilities
X.org: local privilege escalations
Package(s): xorg-x11
CVE #(s): CVE-2006-4447
Created: August 28, 2006
Updated: April 30, 2007
Description:
Several X.org libraries, and the X server itself, call the set*uid()
family of system calls without checking the result. A local user can
deliberately exhaust an assigned resource limit (for example the per-user
process limit) so that the set*uid() call fails; the program then carries
on running with its original, elevated privileges instead of those of the
user. This requires resource limits to be enabled on the machine.
Alerts:
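The pattern behind this entry, shown as an added example rather than X.org's own code: a privileged program that discards the result of setuid(), beside a hardened form that treats failure as fatal and then confirms the identity change actually took effect. The function names are this example's own.

```c
/* Added example, not X.org code: an unchecked set*uid() call beside a
 * hardened replacement.  Function names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern.  If setuid() fails, for instance with EAGAIN because
 * the target uid already sits at its RLIMIT_NPROC process limit, the process
 * keeps running as root while the caller assumes privileges were dropped. */
int drop_privs_unchecked(uid_t target)
{
    int rc = setuid(target);   /* computed, never examined */
    (void)rc;
    return 0;                  /* caller is told all is well regardless */
}

/* Hardened form: a failed set*uid() is fatal for the operation, and the
 * change is verified before anything is done on the user's behalf.
 * (Real code also drops supplementary groups and the gid before the uid.) */
int drop_privs_checked(uid_t target)
{
    if (setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n",
                (unsigned long)target, strerror(errno));
        return -1;
    }
    if (getuid() != target || geteuid() != target)
        return -1;             /* kernel disagrees: do not continue */
    if (target != 0 && setuid(0) == 0)
        return -1;             /* saved uid still let us regain root */
    return 0;
}
```

The final probe (trying to become root again and failing if it works) is the check that catches a partially dropped identity, such as an effective uid changed while the saved uid stayed 0.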
Updated vulnerabilities
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description:
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
Alerts:
audacious: buffer overflow
Package(s): audacious
CVE #(s): CVE-2006-3581, CVE-2006-3582
Created: August 2, 2006
Updated: September 13, 2006
Description:
Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file.
Alerts:
binutils: buffer overflow
Package(s): binutils
CVE #(s): CVE-2005-4807
Created: August 17, 2006
Updated: October 19, 2006
Description:
The GNU assembler (gas) in binutils is vulnerable to a buffer overflow.
If a user can be tricked into assembling a specially crafted file with
gcc or gas, arbitrary code can be executed with the privileges of the user.
Alerts:
binutils: buffer overflow
Package(s): binutils
CVE #(s): CVE-2006-2362
Created: May 27, 2006
Updated: August 29, 2006
Description:
The GNU Binutils has a buffer overflow vulnerability in libbfd.
Maliciously crafted Tektronix Hex Format files with improper length
characters can cause a crash and possibly lead to the execution of
arbitrary code.
Alerts:
busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description:
The BusyBox 1.1.1 passwd command does not use a proper salt when hashing
passwords. Without a salt, an attacker who obtains the password file can
reuse a single precomputed table, or a single hashing pass, against every
account, so a brute force attack takes very little time.
Alerts:
bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description:
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
Alerts:
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
fbi: incorrect filtering
| Package(s): | fbi |
| CVE #(s): | CVE-2006-3119 |
| Created: | July 24, 2006 |
| Updated: | August 24, 2006 |
| Description: | Toth Andras discovered that the fbgs framebuffer PostScript/PDF viewer contains a typo, which prevents the intended filter against malicious PostScript commands from working correctly. This might lead to the deletion of user data when displaying a PostScript file. |
| Alerts: | |
Comments (none posted)
mozilla: multiple vulnerabilities
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
| Alerts: | |
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of the user. |
| Alerts: | |
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory containing specially crafted file names. |
| Alerts: | |
Comments (2 posted)
heartbeat: out-of-bounds read
| Package(s): | heartbeat |
| CVE #(s): | CVE-2006-3121 |
| Created: | August 15, 2006 |
| Updated: | August 25, 2006 |
| Description: | Yan Rong Ge discovered an out-of-bounds memory access in heartbeat, the subsystem for High-Availability Linux. This could be used by a remote attacker to cause a denial of service. |
| Alerts: | |
Comments (none posted)
imagemagick: buffer overflow
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-4144 |
| Created: | August 17, 2006 |
| Updated: | August 29, 2006 |
| Description: | The ImageMagick SGI file format decoder is vulnerable to a buffer overflow. If a user can be tricked into processing a specially crafted SGI image, arbitrary code may be executed with the privileges of the user. |
| Alerts: | |
Comments (none posted)
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created, unexpanded glob pattern is passed to ImageMagick, a heap overflow can result. |
| Alerts: | |
Comments (none posted)
kdebase: privilege escalation
| Package(s): | kdebase |
| CVE #(s): | CVE-2006-2449 |
| Created: | June 15, 2006 |
| Updated: | August 28, 2006 |
| Description: | The KDE Display Manager (KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel-source-2.6.8 |
| CVE #(s): | CVE-2006-3626 |
| Created: | July 27, 2006 |
| Updated: | August 23, 2006 |
| Description: | The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures. |
| Alerts: | |
Comments (1 posted)
krb5: local privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-3083 |
| Created: | August 9, 2006 |
| Updated: | September 8, 2006 |
| Description: | Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: | |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it can lead to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
| CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 |
| Updated: | January 16, 2007 |
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
| CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 |
| Updated: | December 25, 2006 |
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. |
| Alerts: | |
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to properly authenticate against an LDAP server that is not configured correctly, allowing an authentication bypass. |
| Alerts: | |
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | November 17, 2006 |
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflows
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service and possibly the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: | LibVNCServer fails to properly validate protocol security types, effectively letting clients decide which security type to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it was not offered by the server. |
| Alerts: | |
Comments (none posted)
libwmf: integer overflow
| Package(s): | libwmf |
| CVE #(s): | CVE-2006-3376 |
| Created: | July 13, 2006 |
| Updated: | November 6, 2006 |
| Description: | libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: | |
Comments (none posted)
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
| CVE #(s): | CVE-2006-3242 |
| Created: | June 28, 2006 |
| Updated: | October 24, 2006 |
| Description: | TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information. |
| Alerts: | |
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
| CVE #(s): | CVE-2006-3469 |
| Created: | July 21, 2006 |
| Updated: | July 30, 2008 |
| Description: | Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server. |
| Alerts: | |
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: | |
Comments (2 posted)
ncompress: buffer underflow