LWN.net Weekly Edition for October 26, 2006 [LWN.net]

On the marketing of free software

Please indulge your editor as he reminisces for a moment. Once upon a time, the cool machines to get in the office were Unix-based workstations, and the offerings from Sun Microsystems in particular. The first thing that would happen to one of these systems once it came out of the box was interesting, however: much of the software on the system would be immediately replaced. The new systems would be loaded down with the GNU toolchain, the X Window System, and various other goodies from all over the net. This pattern was common enough that a small company called Cygnus Solutions made a living from supporting free tools on proprietary Unix systems.

The replacement software was often better, but that was not always the case. There were long periods of time where trying to build early X11 releases with early gcc releases was an exercise in serious pain. But your editor did it, and, judging from the traffic on the mailing lists, quite a few others did it as well.

Many of us might not, at that time, have been able to explain why we subjected ourselves to this experience, even though Richard Stallman had already been trying to do exactly that for a few years by then. But now it's obvious: we wanted our systems to run free software. Loading them down with free code turned them into something more obviously oriented toward our needs, something we could fix if need be (and need often was, back then), and something which, in a palpable way, was more alive.

Free software has obviously come a long way since then, and a far larger group of people is aware of its importance. But it is still a geek phenomenon. For much of the wider community, "free software" still means "you don't have to pay for it," and many people still wonder about what use they, personally, could ever have for the source code. As a result, many users may have learned that Firefox, for example, is a better web browser, but they do not know why. It's just another program they can download and run.

So it is a little sad to see reports that the effort to market Firefox may emphasize features and downplay the fact that it is free software. Evidently the people behind these marketing campaigns have decided that it's features that "sell" the software, so that is what has to be pushed on users. For Firefox 2.0, this strategy might just help to drive usage statistics up a little higher. But in the longer term it does not seem like a winning approach.

The folks at Mozilla Corp. clearly see themselves in a battle with Microsoft and its reinvigorated Internet Explorer product. Firefox was, indeed, able to out-feature Internet Explorer for a while, and that doubtless helped to increase its adoption. But the history of the computing field is full of examples of companies which tried to engage in feature-checkbox battles with Microsoft. One can say many things about that company and its products, but few would accuse Microsoft of being unwilling or unable to add features. It seems unlikely that Mozilla Corp. has the resources to compete with Microsoft on features, and it is not at all clear that the wider development community will be able to make up the difference.

Where Firefox has a competitive advantage, instead, is in the fact that it is free software. This fact should drive what kinds of features are added: those which make the web experience better for Firefox users, with less concern for the comfort of advertisers or publishers. It should bring a higher level of concern for security - an area which can be slighted if the real purpose is to compete on features. It should make the software alive, interesting, evolving with the net, and not subject to stagnation just because the owning company loses interest in it for a while.

It seems unlikely that World Domination will be achieved by trying to out-feature proprietary software companies. Free software is not better by virtue of having more checkboxes on the package. It is better because it is free. If that cannot be made into a selling point, then we may not get much farther than we have until now. There are precedents that suggest that freedom could be made into a selling point; consider, for example, the growing success of organic produce. Like organic food, free software is better for you - and it doesn't even cost more. When people understand why free software is better for them, many of them will insist on it. One can only hope that projects which are sufficiently well-heeled to have marketing efforts will market freedom as one of their most important "features."

Comments (40 posted)

Compiere's Community Relationship Management problem

Compiere does not get as much attention as a number of other free software projects, but maybe it should. It is a full "enterprise resource planning" and "customer relationship management" application, with support for a number of tasks, including marketing and sales, human resources, inventory control, and more. There is also a full business accounting package - an area which has traditionally been under-served by free software. Compiere has slowly grown over time, and ComPiere Inc, the company formed around the software, landed a $6 million chunk of venture capital last June. Larry Augustin has recently become a member of the company's board.

Compiere places a lot of emphasis on its open source nature:

Compiere is Open Source with a difference. The Compiere ERP solution is Open Source software and by definition is free. However, unlike most Open Source projects, Compiere is backed by professional training, services, documentation, and a vibrant, responsive and knowledgeable worldwide open source community.

Interestingly, much of that "vibrant, responsive, and knowledgeable" community appears to have decided to pack its bags and head elsewhere. The result is a new project called ADempiere, started last month. It would appear that - in the opinion of the developers behind ADempiere, at least - Compiere has worked on building its business at the expense of its community.

In the most important way, Compiere's community credentials are unimpeachable: it has released a large amount of useful code under a free license. Once one looks beyond that, however, there are some things to wonder about. It is a rare free software project whose installation instructions begin with "install Oracle." There is an active forum area, but the project does not appear to have a functioning mailing list. The Compiere web site talks about "products," but has no area for developers. Compiere may be a free software project, but it is clearly on the cathedral side of the spectrum.

It would appear that, over time, the communications between ComPiere, Inc. and the wider community have fallen off. Developers report frustration in trying to find out what the company is up to, and great difficulties in getting patches accepted - or even discussed. Much of the disconnect, perhaps, is a result of the company reorganizing its operations to absorb the incoming venture capital; the company also recently relocated, which never helps. But a reading of the discussion leading up to the fork suggests that the problems have been growing for some time. To the wider community, Compiere looks increasingly like a proprietary software company which is still trying to claim to be an open source company.

The community is also concerned that ComPiere Inc. may take the system proprietary. In the short term, at least, there does not appear to be a whole lot of evidence that this could happen - though the company does reserve the right to create proprietary offerings:

We believe that the majority of the revenue will come from services, like support, training and even sponsored development. As with other members of the community, ComPiere Inc. may also chose to create Compiere extensions (e.g. predefined OLAP cube) which we may sell to customers under, for example, an "Enterprise" product offering.

The same message states that ComPiere, Inc. has no intention of taking Compiere proprietary or trying to cripple it in any way. Even so, some members of the community wonder what will happen once the venture capitalists start insisting on results.

For now, in any case, the damage appears to be done; ADempiere has taken off, and seems to be gaining a fair amount of attention. The developers are busily taking on projects - ports to MySQL and PostgreSQL, for example - that Compiere has never been interested in pursuing. The first development release is available. This fork appears to have enough energy behind it to get off the ground, though only time will tell if it can sustain itself in the long term.

In the free software community, ignoring developers will often lead to a fork like this one. It is one of the freedoms we depend on most heavily; nobody can bring development of a program to a halt as long as there are interested developers willing to do the work. Often, projects forked in this manner come back together once the original organization figures out that it needed its community after all; the gcc/egcs fork is, perhaps, one of the best examples. Perhaps ComPiere, Inc. might want to consider putting some of its venture funding into wooing this community back soon, before things drift too far apart.

Comments (7 posted)

The Apache source header policy

Any free software project which distributes code developed by others has a couple of responsibilities to take care of. It must, of course, be sure that it has the right to distribute that code; the project must also see to the licensing of the finished product. Sometimes it seems that there are as many approaches to this problem as there are projects. Some common policies are:

Just sort of toss in everything that comes and hope for the best. This can be the preferred approach of small projects in early stages, where there are no corporate lawyers involved.
Require developers to certify their right to contribute the code, and verify that the code's license is compatible with the project as a whole. Individual parts of the work retain their copyright ownership and licensing. The Linux kernel works this way.
Require that developers sign copyrights over to the group owning the project, and distribute the work under unified ownership and licensing. The Free Software Foundation, among others, operates in this mode.

The Apache Software Foundation (ASF) has taken a slightly different approach, with some new rules which take effect at the beginning of November. The result is worth a look as yet another example of how this issue can be managed.

Those who contribute to Apache projects are asked to sign an individual contributor license agreement with the project. Under this agreement, contributors retain ownership of their work, and can do anything they want with it. They do, however, hand some rights over to the Foundation:

Subject to the terms and conditions of this Agreement, You hereby grant to the Foundation and to recipients of software distributed by the Foundation a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

Note that there is no requirement that the ASF apply any particular sort of license to the contributed work - though the agreement does promise that:

...the Foundation shall not use Your Contributions in a way that is contrary to the public benefit or inconsistent with its nonprofit status and bylaws in effect at the time of the Contribution.

Using this permission, the ASF distributes everything under the Apache License, regardless of what license the contributor might have originally used. The new source header policy is intended to reflect this state of affairs. So, as of November 1, code shipped by the ASF must contain the following header:

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

No other headers are allowed. Instead, any other information - including any copyright statements - must be moved to a separate file called NOTICE.

The interesting thing here is that people using code from Apache are doing so under a license received directly from the ASF, even though the ASF does not generally own that code. The ASF is making use of a compilation copyright which covers the mixture of contributions into a single project to impose a license on the whole work. Few projects use a collective work copyright in this way.

This arrangement gives the ASF complete control over the licensing of the projects housed under its umbrella. Should there be a version 3.0 of the Apache License in the future, there will be no trouble in moving the code to that license even in the absence of copyright assignments. Since it is the ASF's license which governs the distributed work, the Foundation has all the standing it needs should there be a reason to defend the license in court. The end result should be reasonably pleasing for everybody involved, as long as the original contributors have no objections to the Apache License - a condition one would expect to hold given that the code has been contributed in the first place.

Comments (9 posted)

Page editor: Jonathan Corbet

Security

Dazuko and the LSM API

October 25, 2006

This article was contributed by Jake Edge.

A recent commentary in The Inquirer led to quite a lively discussion in the LWN article that referred to it. The commentary itself was rather ill-considered, but it did raise some interesting questions about security modules, the kernel and the Linux Security Modules (LSM) API. Dazuko is one of a handful of security solutions that run on Linux, but are not maintained in the kernel tree and, in fact, have a relatively hostile attitude towards the suggested ways of moving their code into the tree.

Dazuko itself is a way for user-space applications to handle file access control; its main use seems to be malware checking at the file level, similar to the way that Windows anti-virus programs work. Some would argue that it is an unnecessary tool or that it is implemented poorly, but it does not seem like an unreasonable capability to add to Linux given that there appear to be users who want that functionality. This would seem to be exactly the kind of application that LSM was designed for, but the Dazuko developers have a different take.

Dazuko started out by using the LSM hooks to implement their application but claim they found LSM to be a moving target, changing the API between each kernel release. In addition, when other LSM using modules were loaded (most notably SELinux or AppArmor), as they are by default in various distributions, Dazuko no longer functioned correctly. This led the Dazuko developers in a direction that clearly will not fly with the kernel developers: system call hooking. This technique intercepts system calls (open, read, write, etc.) and runs Dazuko code before calling the actual kernel function.

This could be looked at as one of the common impedance mismatches between development groups and the kernel community; in this case it goes a bit deeper than that. Dazuko specifically mentions Rule Set Based Access Control (RSBAC) as a kernel security framework that it cleanly interfaces with. RSBAC is a set of kernel patches that implement a much more comprehensive set of hooks for access control than is provided by LSM. That project has a fairly lengthy justification for not using LSM and also points to another project, grsecurity with similar LSM issues.

There have been various discussions of removing LSM from the kernel along the way and the SELinux folks are strongly in favor of that. Up until this year's Kernel Summit (covered by LWN here), there was fairly widespread belief that it would happen. Few people, it seems, are particularly enamored with LSM. It was a compromise that was adopted when SELinux was being accepted into the kernel in order to allow other alternative security frameworks. For the most part, it has failed to do that; at least in the mainline kernel.

This situation would lead the hopeful to foresee a new API for the kernel that updates and enhances LSM so that more alternative frameworks could be incorporated into the kernel; unfortunately, there does not seem to be much movement in that direction. One impediment to that might be the perception that Linus and the kernel developers have rejected any security hooks that have a measurable performance impact. While it is perfectly understandable that punishing all kernel users for hooks that are only used by a small minority would be considered unacceptable, it does create a potentially insurmountable hurdle for those wishing for more intrusive hooks.

Dazuko has been working on a stackable filesystem that can provide the same kinds of services by mounting DazukoFS 'on top of' a regular kernel filesystem. This will allow Dazuko to work with approved kernel interfaces and leaves open the possibility that it could someday be moved into the kernel tree. Another alternative is to use the userspace filesystem (FUSE) interface to provide that functionality, though it is not clear that FUSE is able to solve the entire problem. For security frameworks that require more intrusive hooks, there is no real alternative to out-of-tree development. So RSBAC and grsecurity are likely to keep porting their patches to each new kernel as it is released. It seems unfortunate that these GPL-licensed alternative security mechanisms are unlikely to ever move into the kernel tree, but it appears they are caught between the proverbial rock and hard place.

Comments (4 posted)

New vulnerabilities

asterisk: arbitrary code execution

Package(s):

asterisk

CVE #(s):

CVE-2006-5444

Created:

October 19, 2006

Updated:

December 6, 2006

Description:

The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.

Alerts:

Debian	DSA-1229-1	2006-12-06
SuSE	SUSE-SA:2006:069	2006-11-16
Gentoo	200610-15	2006-10-30
OpenPKG	OpenPKG-SA-2006.024	2006-10-19

LWN.net Weekly Edition for October 26, 2006

asterisk: arbitrary code execution

drupal: cross-site scripting, privilege escalation

mod_tcl: format string vulnerability

pike: SQL injection vulnerability

qt: pixmap image handling vulnerability

apache: cross-site scripting

bind: denial of service

binutils: buffer overflow

busybox: insecure password generation

bzip2: race condition and infinite loop

capi4hylafax: missing input sanitizing

cheesetracker: buffer overflow

clamav: multiple vulnerabilities

cpio: arbitrary code execution

vixie-cron: privilege escalation

cscope: buffer overflows

cscope: buffer overflows

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

ffmpeg: buffer overflows

freeradius: several vulnerabilities

freetype: integer overflows

gcc: file overwrite vulnerability

gdb: buffer overflow

gdm: improper file permissions

gedit: format string vulnerability

grip: buffer overflow

gzip: multiple vulnerabilities

gzip: arbitrary command execution

kdelibs: integer overflow

kdelibs: kate backup file permission leak

kernel: denial of service

kernel: denial of service

kernel: denial of service by memory consumption

kernel: denial of service

krb5: local privilege escalation

libgadu: memory alignment bug

libgd2: denial of service

libksba: parsing failure

libmms: buffer overflows

libmusicbrainz: buffer overflows

libpng: buffer overflow

libpng: heap based buffer overflow

libtiff: buffer overflow

libvncserver: authentication bypass

libwmf: integer overflow

libxml2 - arbitrary code execution

libxml2: multiple buffer overflows

lynx: arbitrary command execution

mailman: several vulnerabilities

mono: symlink vulnerability

firefox: multiple vulnerabilities

mutt: IMAP namespace buffer overflow

mysql: format string bug

MySQL: privilege violations

MySQL: logging bypass

nbd: arbitrary code execution

ncompress: buffer underflow

nss: signature forgery vulnerability

openldap: security bypass

openoffice.org: several vulnerabilities

OpenSSH: denial of service

openssh: remote denial of service

openssl: insufficient signature checking

openssl: multiple vulnerabilities

php: restriction bypass

php: several vulnerabilities

php: integer overflow

phpbb2: missing input sanitizing

phpbb2: multiple vulnerabilities

phpMyAdmin: multiple vulnerabilities

postgresql: SQL injection

python: arbitrary code execution

quake: buffer overflow

sendmail: denial of service

shadow-utils: mailbox creation vulnerability

texinfo: temporary file vulnerability

tin: buffer overflow

unzip: long file name buffer overflow

w3c-libwww: possible stack overflow