Similar in spirit?
The recent discussions on the proposed version 3 of the GNU General Public
License have been well documented here and elsewhere. This proposal has
clearly exposed some differences of opinion within the development
community, with the anti-DRM provisions being at the core of the debate.
The addition of these provisions has created a fair amount of ill will
against the Free Software Foundation; opposition to them appears to have
created similar feelings in the opposite direction.
In theory, this disagreement should not come about. GPLv2 contains the
following language:
9. The Free Software Foundation may publish revised and/or new
versions of the General Public License from time to time. Such
new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.
If the FSF is adhering to its part of this bargain, then anybody who bought
into the "spirit" of GPLv2 should not have trouble with this revision. So,
clearly, those who oppose the GPLv3 draft - many of whom have released vast
amounts of code under GPLv2 - believe that the revisions are not "similar in
spirit." Some have gone as far as to accuse the FSF of using its power
over the GPL to push its founder's radical agenda onto the code of large
numbers of unwilling developers.
That accusation is probably over the top. The FSF is, with GPLv3,
attempting to respond to a number of problems as it sees them. Software
patents are a clear problem, and the GPLv3 draft tries to mitigate that
problem somewhat. International applicability of the license has not yet
proved to be a problem in practice, but it is clearly something that
reasonable lawyers can worry about. It seems worth fixing the language
before some court somewhere on the planet decides that the GPLv2
incantations only work in the US. And so on.
The FSF also, clearly, sees locked-down systems as a problem. It is
interesting that this has not always been the case; back in 2000, LWN took issue with an interview with
Richard Stallman, where he said:
I'm less concerned with what happens with embedded systems than I
am with real computers. The real reason for this is the moral
issues about software freedom are much more significant for
computers that users see as a computer. And so I'm not really
concerned with what's running inside my microwave oven.
(This interview has disappeared off the original site, but the
Wayback Machine has it).
Most TiVo owners probably see their gadget as being more like a microwave
oven than a computer. It is not that TiVo has come along since then (the
2000 LWN article mentions it); what has changed is the FSF's - or, at least,
Richard Stallman's - position on it.
There are few people who disagree with the idea that locked-down systems
can be a problem. Beyond the fact that such devices will always deny users
the full potential of the hardware, they can spy on us, deny fair use
rights under copyright law, lock us out of our own data, prevent us from
fixing serious problems, and so on. Locked-down systems are designed to
implement the goals of somebody other than the ultimate owner of the
device. Such systems are undesirable at best, and outright evil at their
worst.
The disagreement is over how this problem should be addressed. The two
sides, insofar as there are two clear sides, would appear to be these:
- The anti-DRM provisions are a licensing-based response to a legal
and market problem. They prohibit legitimate uses of the technology
(examples could be ensuring that certified software runs on voting
machines or systems - like X-ray machines - which could hurt people if
the wrong software is run) while failing to solve the real problem.
These provisions are trivially circumvented by putting the software in
ROM, do nothing about the DRM being incorporated into all aspects of
computing systems, and would primarily result in Linux being replaced
with proprietary software
in the embedded market. These provisions are a new restriction on how
the software can be used, and, thus, are not "similar in spirit" to
GPLv2.
- The new provisions are needed to preserve the user's freedom to
modify, rebuild, and replace the original software on devices that
this user owns. Failure to provide encryption keys when the hardware
requires them is a fundamental failure to live up to the moral
requirements of using free software and, according to some, is
already a violation of GPLv2. DRM is an evil which threatens to take
away many of the freedoms we have worked so hard to assure for
ourselves; it must be fought whenever possible and it certainly should
not be supported by free software. The anti-DRM provisions simply
reaffirm the freedoms we had thought the GPL already guaranteed to us,
and, thus, they are very much "similar in spirit" to GPLv2.
This logjam looks hard to break. Your editor, in his infinite humility,
would like to offer a couple of suggestions, however:
- Reasonable people who believe in free software, and who have put
much of their lives into the creation of that software, can support
either of the two viewpoints above (or other viewpoints
entirely). They are not (necessarily) free software fundamentalist
radicals, corporate stooges, people on power trips, or any of those other
mean and nasty things they have been called in recent times. We can
discuss this issue without doubting each others' motives and without
the need for personal attacks.
- The FSF clearly has some strong feelings about what it wants to
achieve with this license revision, and there are issues it does not
want to back down on. There have also been signs, however, that the
FSF is listening more than it has in the creation of any other
license. This process is not done yet, there is no GPLv3 at this
time. Continued, polite participation in the process would seem to be
called for.
Finally, while your editor is standing on this nice soapbox... The
anti-DRM language was very appealing when it first came out. Your editor
does not much appreciate the idea of some vendor locking up his software
and selling it back to him in a non-modifiable and potentially hostile
form. It is a violation of the social contract (if not the legal license)
under which the software was contributed.
But the attempt to address this
problem in GPLv3 carries a high risk of splitting the development community
while doing very little to solve the real problem. Dropping that language
could help to bring the community back together behind the new license,
leaving us united to fight DRM (and numerous other attacks on our freedom)
in more effective ways. The FSF may want to consider whether, in the long
run, its goals would be better served by a license which lacks this
language. Such a license might be closer to the spirit which brought this
community together in the first place.
Busy busy busybox
BusyBox is a set of command-line
utilities developed with the goal of keeping its size as small as
possible. To that end, all unnecessary options and code are ruthlessly cut
out, and the entire command set is implemented by a single, multipurpose
executable. BusyBox is found in a number of embedded environments; chances
are it is running on your wireless router, for example. The command set
has reached a level of capability that the new BusyBox maintainer
believes that it is almost ready for use on
desktop systems.
Yes, BusyBox has a new maintainer, as the result of another disagreement
over the draft revision of the GNU General Public License (GPLv3). This
episode is worth looking at, as it may be an omen of
disagreements that could come up in other projects as the GPLv3 process moves
forward.
Some projects reach 1.0 more quickly than others. BusyBox is one of the
others. It was started by Bruce Perens in 1995, and became part of the
Debian boot process. Bruce moved on to other interests shortly afterward,
leaving BusyBox in an idle state, where it remained for a few years. Under
the maintainership of Erik Andersen, BusyBox came back to life, and the
much-delayed 1.0 release happened almost exactly two years ago - in
October, 2004. Version numbers can be deceiving, however, as BusyBox had
been in production use for many years prior to 1.0.
In recent years, the BusyBox maintainer has been Rob Landley, an energetic
individual (at least, when sufficient caffeine is at hand) who has done a
lot to push the project forward. So the task of thinking about how BusyBox
and GPLv3 relate fell to him. Since BusyBox can be found in so many
embedded systems, it finds itself at the core of the GPLv3 anti-DRM
debate. A GPLv3-licensed BusyBox would create obvious difficulties for any
vendor wishing to incorporate it into a locked-down product.
BusyBox is not a GNU project, so the Free Software Foundation does not hold
its copyrights; instead, those copyrights are retained by the original
authors. As Rob looked over the code, he found many contributions with the
usual "or any later version" language which would allow a change to GPLv3.
Others, however, had the explicit "version 2 only" language. Some,
contributed by one Linus Torvalds, state that they "may be redistributed as
per the Linux copyright." Some other contributions carry a BSD license -
originally with the GPL-incompatible advertising clause. It was quite the
mixture of licenses.
Rob was especially concerned about the version-2-only licensing, since that
would obviously get in the way of any switch to GPLv3. And, in any case,
he was ambivalent at best about GPLv3; it seems that the BusyBox project
had developed a plan to dual-license its code under both GPL versions,
allowing it to continue to be used under either license. So his question with regard to the v2-only code was:
Anybody feel like auditing all those to make sure it was
unintentional and check to make sure that nobody that's contributed
to any of those files since is unwilling to also have their code
under v3, or should we just admit that the BusyBox license is GPLv2
only? (In which case we can take the hotplug patch...)
That led to the beginning of a long and unpleasant discussion about whether
BusyBox should move to GPLv3 or not - and it quickly became clear that Rob had no interest in such
a move. His reasoning is worth a read, as it includes a couple of new
concerns - including the fact that a dual-licensed GPLv2/GPLv3 code base
would be unable to accept contributions licensed under a single version
(either version) of the license.
Enter Bruce Perens, last seen in BusyBox
circles about ten years ago. Bruce clearly feels that he still has some
rights over the code:
When I created Busybox, the policy was that it could be distributed
under the GPL. There was no restriction to prevent future versions
of the GPL. Over time, my work has been submerged in that of other
authors. But IMO it would be respectful of the original author to
continue to use those license terms.
What followed was a long discussion on whether DRM differs from simply
putting the code into ROM, whether the FSF is more worthy of trust than
IBM, whether a move to a GPLv2-only license was possible, how much of
Bruce's original contribution remains, and so on. Interested parties are
encouraged to go into the BusyBox list archives and spend considerable time
plowing through the postings; they do not always show the free software
community at its best. The real outcomes, however, are this:
- BusyBox will be GPLv2 only starting
with the next release. It is generally accepted that stripping out
the "or any later version" is legally defensible, and that the merging
of other GPLv2-only code will force that issue in any case.
- Bruce Perens wants his contributions to
keep the "any later version" language, and has requested ("and
required") that the
copyright notices reflect this wish. Accommodating a contributor's
wishes in this regard is normally done, but Rob Landley has refused to
go along; his reason, in the end,
boils down to "I'm mad at Bruce and don't want to."
To show that he meant it, Rob launched a project to find and
excise any remaining contributions to BusyBox from Bruce. In response,
Bruce has announced that he will be
creating a fork of BusyBox which will be more responsive to his wishes.
All of that may be moot, now that Rob has resigned from the project and handed the
maintainership over to Denis Vlasenko - who plans to pursue moving BusyBox
onto the desktop.
All of this could be dismissed as yet another silly community soap opera -
and there is truth to that view. But this is a soap opera which is likely
to be rerun a number of times over the coming months. Any project which
(1) uses the GPL, and (2) allows contributors to retain their
copyrights is likely to have a discussion like this one. Avoiding such
discussions is, perhaps, why the FSF is so insistent on obtaining
copyrights for the projects it manages.
Version 2 of the GPL has brought together vast numbers of developers into a
single agreement on the terms under which their code could be distributed.
It may never have been possible to update the GPL without fracturing that
agreement; it seems increasingly clear that the GPLv3 draft has, so far,
failed in that regard. There are enough developers who see it as not being
"similar in spirit" to GPLv2 to ensure that the new license, in its current
form, will not be a simple drop-in replacement for its predecessor.
Regardless of how one feels about the new terms in the GPLv3 draft, it is
hard to see the potential for this sort of discord in the community as a
good thing.
(Thanks to the several LWN readers who brought this to our attention).
Open source systems management software
September 29, 2006
This article was contributed by Glyn Moody
A previous LWN feature
examined the rise of the open source enterprise stack - a modular collection of
applications that together provide the entire spectrum of enterprise computing
functions. One component of that stack is systems management.
This area
encompasses areas such as provisioning and patching of servers; configuration
and management of applications running on those servers; and monitoring all
elements of the computing system - hardware, software, networks and their
security.
Systems management is dominated by the "Big Four": BMC's Performance Manager, CA's
Unicenter, HP's OpenView and IBM's Tivoli. Like many proprietary systems,
these are monolithic in design, and attempt to provide every kind of systems
management features within a single, highly-complex program.
Free software is by its very nature modular, so open source systems management
programs tend to be focused on particular tasks. This has led to a
richness of the free software tools addressing this area, often with multiple
solutions for a given problem. The downside is a confusing array of
possibilities, a wide range of rival approaches and some unnecessary duplication
of effort.
In an attempt to bring some harmony to this coding cacophony, the Open
Management Consortium (OMC) was founded in May 2006 with the following
objectives:
- Create awareness of open source management tools in the market
- Provide education and resources to help end users make informed decisions
regarding open source
- Establish conventions and standards that enable integration and
interoperability
- Enable collaboration and coordination on common development projects
- Promote collaborative open source systems management solutions
The founding members of the consortium are Ayamon, Emu Software, Qlusters,
Symbiot, Webmin, and Zenoss. The oldest of these is Jamie Cameron's Webmin,
established in 1997, which provides an easy Web-based user interface for Unix
system administration. The project is sponsored by OpenCountry, which joined
the OMC in September 2006. The other founding members of the OMC also
support free software projects, in a variety of ways. For example, Ayamon
was founded by Ethan Galstad, who is the creator and lead developer of
Nagios, an open source host and
service monitor that uses a plug-in architecture to provide a rich range of
options.
The case of Symbiot, which provides software for network security event and risk
management, is more complex. The company was founded back in 2001, but
initially sold only proprietary products. Then, as Symbiot's founder and
CEO Mike Erwin explains: "We introduced an open toolkit and visualization
platform called OpenSIMS in 2005, upon which a great degree of the Symbiot
software is based. OpenSIMS is an independent package, maintained by Symbiot
and programmed with hooks for other common open source packages." He says the
benefits of this move flow both
ways: "Open source code bases provide a method for end-users to do intelligent
customization while providing the original code creators with [a] 'lighthouse'
pointing them towards where the commercial space should go."
Emu Software took a similar path to openness. It started life back in 2003
selling NetDirector as a closed source Web-based system administration
platform. "Although we always felt that we would contribute at least part
of the product to the open source community," says co-founder Greg Wallace, "we
concluded in late 2005 that systems management would be the next big computing
market to see significant open source adoption, and we wanted to be out in
front." He believes that certain sectors lend themselves to the open
source approach: those where there are "lots of users; a horizontal nature -
that is, cross-industry adoption; a high incidence of user desire to customize;
an initial market dominated by large incumbent vendors with integrated, and some
might say over-engineered, products."
Wallace explains how the OMC is trying to bring some order to the wealth of
open source systems management solutions:
The collaboration efforts that I see as being most promising are those that will
reduce the complexity for users of having multiple point management solutions in
their compute environments. Having lots of point systems can be a huge
headache, and it is one that some big vendors have addressed by building
massive, integrated product suites. But these suites never do everything,
and once users go down that road, they can become victim to lock-in. OMC
promises a different solution: make our various systems talk to one another,
and reuse as much of each other's architecture as possible. For example,
one initiative that has been discussed is the concept of an open agent that would be shared by various
systems. Were such an open agent to became ubiquitous, it would radically
simplify systems management implementation, as well as make such systems far
more flexible and adaptive, since users could leverage a common underlying agent
architecture to turn on new management functionalities as needed.
And Erwin notes one practical benefit Symbiot has already derived since joining
the consortium:
Our offerings sometimes rely on the collection or
interpretation of data from other vendors. One such vendor is Nagios. Membership
in the consortium has already given us great access to the key code committer
(Mr. Galstad) which was invaluable in helping us set a developmental course.
Looking forward, Wallace hopes that the OMC will become "more structured,
with some defined working groups and a more defined mission and
by-laws. Eventually, I'd like it to function, and be organized, like
Eclipse." Erwin believes its influence could be considerable: "In
the long term, I see the OMC as being a central clearinghouse and repository for
system management tools with not only the Big Four's participation, but likely
guidance."
That may be some way off, but already the membership of OMC is swelling
fast: just four months after its foundation, the original five members had
grown to 29. Among them is
Hyperic, another major player
in this space, and with an interesting history. It was originally part of
Covalent, which
provides commercial support for Apache, before splitting off in March
2004. Like Symbiot and Emu Software, it too began selling closed source
products before opening up its flagship software Hyperic HQ, a suite of
inventory auto-discovery, monitoring, alerting and portal tools, in July 2006.
John Mark Walker, head of community development at Hyperic, explains the move:
"From Hyperic's founding, it was always our intent to open source HQ - once we
felt that it had reached a level of maturity to be useful for a number of
people, and once we had the in-house resources to properly support our
community and foster its growth." And he points out:
"The problem that existing management software strives to address -
integrating with every existing and future technology in order to manage it -
is only solvable through open source communities. It is impossible for a
single company to keep up with all of the newly emerging software and other
technologies in the data center. The problem requires the interactive, two-way
communication inherent in the open source process."
Not everyone sees the OMC as the way to do this. For example, another
leading company in this area, GroundWork, prefers to do its own integration
of open source systems management tools to create its GroundWork Monitor
product line, which includes both open source and proprietary elements.
Although the company says it doesn't "see a particular need in being a part
of the OMC at this time," it created its own Open Source Council in August
2006, with the aim of ensuring that GroundWork "will always be comprised of
the very best open source projects comprehensively integrated into a
platform." Whether within or outside the context of the OMC, integration
remains the key challenge for open source management tools.
Glyn Moody writes about open source at
opendotdotdot.
Page editor: Jonathan Corbet
Security
A look at OpenID
October 4, 2006
This article was contributed by Jake Edge.
The OpenID project is an effort to
produce a decentralized, open, user-centric identity management framework.
The main benefit for users will be a 'single sign on' to websites that
support it. The project provides open source libraries for both
websites requiring authentication (relying parties) and for the
servers that provide the authentication (identity providers, IdPs).
One of the main goals is to allow anyone to run a server that authenticates
their own or others' identities and avoid the centralized model of other
identity frameworks.
At its core, OpenID allows a user to associate a URL with his or her identity;
a server can then assert that the user is the owner of that URL.
Giving users control of their own identity makes OpenID a user-centric
identity management system. In effect, the username is the URL and the
password lives only on the identity provider: the user types it there, never
at the website being logged into. Thus, a single credential serves to
authenticate the accounts a user holds on various websites.
There are different ways to use OpenID, depending on what the user's
requirements and capabilities are. In the simplest case, one can sign up
for a free account at a provider like
MyOpenID and it will generate a URL
for you to use (the author's test account was jake.edge.myopenid.com).
After that, you can submit that URL at any OpenID enabled website and
authenticate it. If you have not visited the site before, you
will be redirected to MyOpenID to enable that site to authenticate you.
You may also need to login to MyOpenID if you have not established a
session there recently. Once you have enabled authentication, you are redirected
back to the original site and MyOpenID will have authenticated you. If you have
a valid MyOpenID session and have previously enabled the site you are
visiting, you can be authenticated behind the scenes when you provide
your URL and will be able to log in without providing a password.
Another way to use a service like MyOpenID is by using a URL under your
control as your identity. By putting some HTML into the HEAD section of
the index document served from that URL, you can delegate the authentication
to another server and gain the benefits of
using your own URL without running your own OpenID server. If you do that,
the URL for OpenID logins becomes the URL under your control. Over time,
you could change the server that you delegate to while still retaining the
identity associated with your URL. In addition, various OpenID server
implementations exist for those who wish to fully control their identity
and can run their own server.
OpenID implements the authentication by signing (not encrypting) the messages
that are exchanged between relying parties and identity providers (IdPs); the
signature is an HMAC keyed with a secret the two share. When a user enters a
URL into an OpenID login, the relying party makes a GET request to the URL and
expects to find some extra OpenID specific markup in the HEAD section. It
uses this markup to find the IdP and can then negotiate an association with
it, but does not have to. The association establishes the shared secret key
and a handle that names it; the key can be exchanged with Diffie-Hellman so
that it never crosses the wire in the clear. A relying party caches that
association and reuses it for any other user whose identity is served by the
same IdP. A relying party that skips the association ("dumb mode") instead
verifies each signed response afterwards with a direct check_authentication
request to the IdP.
After that, the relying party redirects the user to the IdP, which allows any
IdP-specific cookies to be delivered. The IdP may decide to require the
user to authenticate with it, but how it does so is outside the scope of the
OpenID specification. As described above, the IdP may also require the user
to decide whether to allow the relying party to authenticate them. Once that
is complete, the IdP returns the user to the relying party site with an
assertion about whether the authentication succeeded or failed. A successful
assertion is signed with the association's key; before trusting it, the
relying party checks that signature and that the return address and identity
in the assertion match the ones it sent the user off with.
The most recent OpenID
specification
adds some additional capabilities. A nonce (a unique identifier)
value was added as an option to the success response to thwart replay attacks.
Also, support for Yadis discovery was added.
Yadis allows relying parties to determine what authentication protocol
to use so that sites can transparently support other protocols such as
LID.
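The flow described above, as an added example that is not code from the OpenID project, its libraries or this article: the relying-party side in stdlib Python, covering the discovery GET with delegation, the checkid_setup redirect, HMAC-SHA1 verification of the signed id_res assertion, and a replay check on the nonce. It assumes that the association's MAC key is simply handed in (the Diffie-Hellman exchange that establishes it is left out), that the nonce travels in a field named openid.response_nonce (the name OpenID 2.0 uses; 1.1 only made a nonce optional), and that all URLs and the HTML page used to exercise it are constructed for the example.

```python
# Added example, not the OpenID project's code: relying-party side of the
# OpenID 1.x flow. Assumed: MAC key passed in directly (no Diffie-Hellman),
# nonce field named openid.response_nonce, all URLs/pages constructed.
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

class _HeadLinks(HTMLParser):
    """Collect openid.server / openid.delegate <link> tags, stopping at </head>."""
    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if self._in_head and tag == "link":
            a = dict(attrs)
            rel, href = (a.get("rel") or "").lower(), a.get("href")
            if href and rel in ("openid.server", "openid.delegate"):
                self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def discover(claimed_url, page_html):
    """Step 1: the relying party's GET of the user's URL. Returns (idp_endpoint,
    identity to ask about); with openid.delegate the IdP is asked about the
    delegate URL while claimed_url stays the identity the user presents."""
    p = _HeadLinks()
    p.feed(page_html)
    idp = p.links.get("openid.server")
    if not idp:
        raise ValueError("no openid.server link in HEAD of " + claimed_url)
    return idp, p.links.get("openid.delegate", claimed_url)

def checkid_setup_url(idp, identity, return_to, trust_root, assoc_handle):
    """Step 2: the redirect that sends the browser to the IdP."""
    q = {"openid.mode": "checkid_setup", "openid.identity": identity,
         "openid.return_to": return_to, "openid.trust_root": trust_root,
         "openid.assoc_handle": assoc_handle}
    return idp + ("&" if "?" in idp else "?") + urlencode(q)

def parse_response(url):
    """Flatten the query string the IdP appended to return_to into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def sign(mac_key, fields, signed):
    """OpenID 1.x signature: base64(HMAC-SHA1(key, kv)), where kv is
    'name:value\\n' for each name in openid.signed, in that order, with the
    'openid.' prefix stripped from the names."""
    kv = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def idp_success_response(mac_key, assoc_handle, identity, return_to, nonce):
    """Step 3, IdP side: the positive assertion sent back on return_to."""
    f = {"openid.mode": "id_res", "openid.identity": identity,
         "openid.return_to": return_to, "openid.assoc_handle": assoc_handle,
         "openid.response_nonce": nonce,  # 2.0 field name (assumption)
         "openid.signed": "mode,identity,return_to,response_nonce"}
    f["openid.sig"] = sign(mac_key, f, f["openid.signed"])
    return f

class RelyingParty:
    """Step 3, relying-party side: one cached association plus the nonces seen."""
    def __init__(self, mac_key, assoc_handle, return_to):
        self.mac_key, self.assoc_handle, self.return_to = mac_key, assoc_handle, return_to
        self.seen_nonces = set()

    def verify(self, expected_identity, f):
        """True only for a genuine, unreplayed id_res assertion about the
        identity this relying party sent the user off to prove."""
        if f.get("openid.mode") != "id_res":
            return False
        if f.get("openid.assoc_handle") != self.assoc_handle:
            return False  # unknown handle; dumb mode would ask the IdP via check_authentication
        if f.get("openid.return_to") != self.return_to or f.get("openid.identity") != expected_identity:
            return False
        signed = f.get("openid.signed", "").split(",")
        if not {"identity", "return_to"} <= set(signed):
            return False  # the spec requires at least these two to be signed
        try:
            expected = sign(self.mac_key, f, ",".join(signed))
        except KeyError:
            return False  # a field listed in openid.signed is missing
        if not hmac.compare_digest(expected.encode(), f.get("openid.sig", "").encode()):
            return False
        nonce = f.get("openid.response_nonce")
        if nonce is not None:  # only a signed nonce protects against replay
            if "response_nonce" not in signed or nonce in self.seen_nonces:
                return False
            self.seen_nonces.add(nonce)
        return True
```

Two checks in verify() are the ones most often skipped in practice: a replayed assertion must be refused even though its signature is still valid, and the nonce itself must appear in openid.signed, since an unsigned nonce could simply be rewritten by whoever captured one good assertion.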
From a security standpoint, the specification describes a few different
attack vectors. Eavesdropping and man-in-the-middle attacks on the exchange
can be mitigated by using HTTPS (SSL); note that this includes the relying
party's initial GET of the identity URL, since an attacker who can tamper with
that page over plain HTTP can point the relying party at an IdP of the
attacker's choosing. Unless the IdP is compromised, the identity itself is
secure, though it could be spoofed on a particular site using those vectors.
OpenID simply makes the connection between a URL and an identity: it asserts
that the two are associated, but it does not provide any trust information
about the identity. Users of OpenID will still have to prove they are
not programs at registration time because nothing in the protocol prevents
programs from having identities. It is a starting point, as any kind of
trust system must be based on an authenticated identity. A trust layer
that uses OpenID identities could provide protection against blog spam
and the like. Since OpenID identities can be anonymous, this will
allow for anonymous, but authenticated, users; one can verify that the
identity wrote a particular message without making a connection to the
real life person behind it.
There seems to be a growing number of
sites
that support OpenID; there is even a
bounty for adding support
to open source programs. Overall, it seems that OpenID provides a fairly
painless route for digital identity management for both users and websites.
It is probably worth a look for anyone that might be interested in such a
thing.
New vulnerabilities
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2006-4262 |
| Created: | October 2, 2006 |
| Updated: | October 23, 2006 |
| Description: | Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code. |
| Alerts: | |
dokuwiki: input validation flaws
| Package(s): | dokuwiki |
| CVE #(s): | |
| Created: | September 29, 2006 |
| Updated: | October 4, 2006 |
| Description: | Input validation flaws have been discovered in the image handling of fetch.php if ImageMagick is used, which is not the default method. A remote attacker could exploit the flaws to execute arbitrary shell commands with the rights of the web server daemon or cause a denial of service. |
| Alerts: | |
migrationtools: insecure temporary files
| Package(s): | migrationtools |
| CVE #(s): | CVE-2006-0512 |
| Created: | October 2, 2006 |
| Updated: | October 4, 2006 |
| Description: | Jason Hoover discovered that migrationtools, a collection of scripts to migrate user data to LDAP, creates several temporary files insecurely, which might lead to denial of service through a symlink attack. |
| Alerts: | |
mono: symlink vulnerability
| Package(s): | mono |
| CVE #(s): | CVE-2006-5072 |
| Created: | October 4, 2006 |
| Updated: | December 1, 2006 |
| Description: | The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application. |
| Alerts: | |
openldap: security bypass
| Package(s): | openldap |
| CVE #(s): | CVE-2006-4600 |
| Created: | September 29, 2006 |
| Updated: | June 12, 2007 |
| Description: | slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). |
| Alerts: | |
openssl: multiple vulnerabilities
| Package(s): | openssl |
| CVE #(s): | CVE-2006-2937, CVE-2006-2940, CVE-2006-3780, CVE-2006-4343, CVE-2006-3738 |
| Created: | September 28, 2006 |
| Updated: | December 12, 2006 |
| Description: | OpenSSL has a number of denial of service vulnerabilities including: two vulnerabilities involving invalid ASN.1 structures, a buffer overflow in the SSL_get_shared_ciphers() function and an SSLv2 client crash that can be caused by a malicious server. |
| Alerts: | |
opera: RSA signature forgery
| Package(s): | opera |
| CVE #(s): | |
| Created: | September 28, 2006 |
| Updated: | October 4, 2006 |
| Description: | The Opera browser has a problem verifying OpenSSL PKCS #1 v1.5 RSA signatures. An attacker can use this to forge certificates and appear as a valid CA. |
| Alerts: | |
xine-lib: code execution
| Package(s): | xine-lib |
| CVE #(s): | CVE-2006-4799 |
| Created: | October 4, 2006 |
| Updated: | November 21, 2006 |
| Description: | The xine-lib package does not properly validate AVI headers, enabling an attacker to run arbitrary code via a specially crafted AVI file. |
| Alerts: | |
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2006-4095, CVE-2006-4096 |
| Created: | September 7, 2006 |
| Updated: | February 1, 2007 |
| Description: | Bind has two denial of service vulnerabilities. Queries to a recursive server for SIG records trigger an assertion failure if more than one RRset is returned. An INSIST failure can be triggered by sending a large number of recursive queries. |
| Alerts: | |
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2005-4807 |
| Created: | August 17, 2006 |
| Updated: | October 19, 2006 |
| Description: | The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user. |
| Alerts: | |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute-force attack could take very little time. |
| Alerts: | |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
capi4hylafax: missing input sanitizing
| Package(s): | capi4hylafax |
| CVE #(s): | CVE-2006-3126 |
| Created: | September 1, 2006 |
| Updated: | October 18, 2006 |
| Description: | Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system. |
| Alerts: | |
cheesetracker: buffer overflow
| Package(s): | cheesetracker |
| CVE #(s): | CVE-2006-3814 |
| Created: | September 4, 2006 |
| Updated: | October 27, 2006 |
| Description: | Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code. |
| Alerts: | |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: | The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2006-3311, CVE-2006-3587, CVE-2006-3588 |
| Created: | September 13, 2006 |
| Updated: | October 5, 2006 |
| Description: | Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file. |
| Alerts: | |
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
| Alerts: | |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of the user. |
| Alerts: | |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: | |
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. |
| Alerts: | |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | June 1, 2007 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. Tavis Ormandy of the Google Security Team also discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
| Alerts: | |
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | December 3, 2007 |
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538) |
| Alerts: | |
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
| Alerts: | |
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it can lead to a bus error, in other words a denial of service. |
| Alerts: | |
libgd2: denial of service
| Package(s): | libgd2 |
| CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 |
| Updated: | January 16, 2007 |
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
libmms: buffer overflows
| Package(s): | libmms |
| CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 |
| Updated: | December 25, 2006 |
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. |
| Alerts: | |
libmusicbrainz: buffer overflows
| Package(s): | libmusicbrainz-2.0 |
| CVE #(s): | CVE-2006-4197 |
| Created: | August 30, 2006 |
| Updated: | October 23, 2006 |
| Description: | Several buffer overflows have been discovered in the libmusicbrainz CD index library. |
| Alerts: | |
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. |
| Alerts: | |
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | November 17, 2006 |
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. |
| Alerts: | |
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. |
| Alerts: | |
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: | LibVNCServer fails to properly validate protocol types, effectively letting clients decide which security type to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it was not offered by the server. |
| Alerts: | |
libwmf: integer overflow
| Package(s): | libwmf |
| CVE #(s): | CVE-2006-3376 |
| Created: | July 13, 2006 |
| Updated: | November 6, 2006 |
| Description: | libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: | |
mailman: several vulnerabilities
| Package(s): | mailman |
| CVE #(s): | CVE-2006-2941, CVE-2006-3636 |
| Created: | September 8, 2006 |
| Updated: | October 23, 2006 |
| Description: | A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941) Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636) |
| Alerts: | |
firefox: multiple vulnerabilities
| Package(s): | mozilla firefox thunderbird |
| CVE #(s): | CVE-2006-4565, CVE-2006-4566, CVE-2006-4571, CVE-2006-4253, CVE-2006-4567, CVE-2006-4568, CVE-2006-4569 |
| Created: | September 15, 2006 |
| Updated: | November 14, 2006 |
| Description: | Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566) A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571) A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253) A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567) Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks. (CVE-2006-4568) Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569) |
| Alerts: | |
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
| CVE #(s): | CVE-2006-3242 |
| Created: | June 28, 2006 |
| Updated: | October 24, 2006 |
| Description: | TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information. |
| Alerts: | |