LWN.net Weekly Edition for November 23, 2006

Novell, buyer's remorse, and the patent threat

One cannot help but wonder if Novell's executives aren't having second thoughts about that company's recent deal with Microsoft. Since the announcement, there has been quite a bit of hostile commentary in the community, and there are signs of increasing levels of unhappiness within the ranks of Novell's free software developers. The increase in Novell's stock price turned out to be short-lived. And Microsoft CEO Steve Ballmer has used this deal as his excuse to embark on a FUD campaign which brings back memories of Darl McBride's heyday.

For an example, consider this widely-distributed bit of fun:

And we agreed on a, we call it an IP bridge, essentially an arrangement under which they pay us some money for the right to tell the customer that anybody who uses Suse Linux is appropriately covered. There will be no patent issues. They've appropriately compensated Microsoft for our intellectual property, which is important to us. In a sense you could say anybody who has got Linux in their data center today sort of has an undisclosed balance sheet liability, because it's not just Microsoft patents. Because of the way open-source works, there's nobody who's been able to do patent coverage or patent indemnification behind that.

Mr. Ballmer is clearly claiming that Linux infringes upon Microsoft's patents, and that Linux users owe money to Microsoft. Novell is fairly clearly seen as having agreed with and validated that claim - otherwise, what, exactly, is Novell paying for? In an attempt to change that perception, Novell has sent out an open letter to the community, saying:

Since our announcement, some parties have spoken about this patent agreement in a damaging way, and with a perspective that we do not share. We strongly challenge those statements here.

We disagree with the recent statements made by Microsoft on the topic of Linux and patents. Importantly, our agreement with Microsoft is in no way an acknowledgment that Linux infringes upon any Microsoft intellectual property. When we entered the patent cooperation agreement with Microsoft, Novell did not agree or admit that Linux or any other Novell offering violates Microsoft patents.

Microsoft has responded with a letter of its own.

It seems that, perhaps, Novell got a slightly different deal than it was expecting at the outset. Presumably Novell's management is smart enough to understand that, if it throws away its community goodwill and runs into problems with the GPL, Novell's Linux business will have a dark future. Presumably, Novell's managers did not want to see their company be the enabler for a new flood of anti-Linux FUD and attempts to divide the community. Seemingly, however, those managers did not think through the consequences of signing this non-license with Microsoft. Thus the open letter and the IRC meeting about the deal, scheduled for November 27.

Microsoft's claims have been met with a "show us the patents" response in parts of the community. Novell's open letter, which refuses to acknowledge the existence of patent issues, is a very similar sort of response. This approach worked well in the SCO case, for a simple reason: there was no substance to that company's wild claims. It is natural to think that the same sort of challenge will work this time around, but that thinking may be a mistake.

The SCO case was, at least in certain phases, based on copyright. Avoidance of copyright problems is relatively easy for a free software project; all that is required is to not accept code of uncertain origin. Truly original work cannot have copyright issues. Microsoft, however, is talking about patents. Anybody who thinks that Microsoft holds no patents which can be applied to Linux has, perhaps, failed to understand the scope of the software patent problem. There is no clear way for a free software project to avoid software patent issues - at least, in parts of the world where such patents are recognized.

An incredible number of patents have been issued covering trivial techniques. One of your editor's favorites is #6,732,359, the primary claim of which is:

A computer system having a memory, an operating system, a computer application instantiated in a work space in the memory as managed by the operating system, the application including a plurality of application processes running in the work space, and an application monitor monitoring whether each of the plurality of application processes is in fact running and automatically attempting to remedy an occurrence where any of the plurality of application processes is not in fact running.

This ground-breaking, innovative work was patented in 2004; presumably, nobody ever thought of such a technique before 1999, when the patent was originally filed.

In the real world, anybody trying to enforce a patent like this would be immediately buried in prior art. But there is little comfort to be found there. Even a relatively large company like Novell can only afford to defend so many patent suits, and there are a lot of patents like this one out there. Even if Microsoft does not currently own any patents which could be applied to Linux, there is no doubt that it could acquire some without great difficulty. Unlike SCO's claims, the patent problem is real, whether Novell publicly acknowledges it or not.

If Microsoft had wanted to mount a patent attack against Linux, it could have easily done so by now. There are plenty of reasons which may explain why this has not happened so far. The fact that software patents are not recognized worldwide could well be part of the equation; that is why continued resistance to their imposition in Europe is so important. An attack against Linux certainly would not help Microsoft's position with antitrust authorities. Chances are that almost any company which is buying Linux support services is also a Microsoft customer, and Microsoft might just be smart enough to want to avoid upsetting its own customers. A legal campaign against Linux might well bring together a fearsome coalition of large companies with an interest in defending Linux and blood in its eyes. There is also the simple fact that Microsoft has not, to date, acted much like a patent troll; it has, instead, spent more time on the defendant's side of the courtroom.

None of this gives any sort of real assurance that Linux is safe from such attacks by Microsoft, certainly. One should never underestimate corporate unpredictability - or stupidity. But it does suggest that the risk of a patent attack has not really changed as a result of Novell's arrangement. That risk existed before, and it still does. And, as Mr. Ballmer pointed out, it's not just Microsoft's patents. When the patent attack comes, it will likely originate from a small litigation company which has no customers to offend and no assets to countersue for. Novell (and its customers) will be no safer than the rest of us when this attack happens.

So one might, indeed, wonder what Novell thought it was buying. The answer, perhaps, lies in the fact that the net cash flow is very much in Novell's direction. Hundreds of millions of dollars can be hard to turn down. One can hope that this money ends up benefiting both Novell and the free software community that Novell depends on. At the moment, however, it looks like Novell has put itself into a bit of an uncomfortable position.

Notes from the leading edge

Much of your editor's work has, for the last couple of years, been done on an x86-64 system running the Fedora Development ("Rawhide") distribution. Running Rawhide - just like running any other development distribution - has certainly provided sufficient experience to keep your editor grumpy for some time. Even so, the current state of post-FC6 rawhide is, perhaps, exceptional.

The gnome-terminal package picked up some interesting behavior where it seemingly grows without bound - a 350MB virtual address space on your editor's system, with 76MB resident. It easily outweighs lean-and-mean applications like emacs and liferea - though it remains outclassed by firefox. The cursor does not respond to focus events; your editor has learned to type at terminals even if they look like they are not listening. Occasionally a terminal will get into a mode where it refuses to respond to input until it receives a mouse click or two. And, occasionally, the whole thing just crashes, taking down every terminal window and every associated ssh session.

Your editor's longstanding appreciation for xterm is on the rise again.

In the hope of picking up a fix in a timely manner, your editor has been tracking the Rawhide repository a bit more closely than usual. Or, at least, attempting to do so. It can be quite discouraging to type "yum update" and have yum simply go off forever. Among other things, one must wait a great long time to distinguish this behavior from yum's normal mode of operation. Other times, it comes back very quickly with a message saying, for all practical purposes, "RPM crashed, you lose, sorry."

That is the sort of message that can chill a system administrator's blood. There's no end of system problems which can be addressed by reinstalling a package, perhaps moving to an older version. That is especially true for systems which are following a leading-edge development repository; one simply expects to install an ill-fated package occasionally. But if the package management system itself fails, this important tool goes away and one's ability to restore a sick system is severely compromised. It's about at this point that one begins to think it would have been good to check the system's backups a little more frequently.

Some digging around turns up the fact that these problems are well known and well documented in the bug-tracking system. Also found was a magic command, previously unknown to your editor, which evidently needs to be part of every system administrator's toolkit (at least, those who work with RPM-based systems):

    rm /var/lib/rpm/__db*

Sure enough, every time your editor's system goes nonlinear (i.e. after every "yum update"), removing those cache files makes the problem go away. It would be awfully nice if RPM could figure out for itself that its cache is corrupt and not depend on people to clean up its messes for it. But that, evidently, is more than we should feel entitled to expect.

Still, one could consider taking this issue - perhaps with a patch - to the RPM maintainer. Except that, for the purposes of most distributions, there still is no RPM maintainer. Your editor asked "Who maintains RPM?" back in August, but no distributor has since announced a plan for moving to the current "upstream" version of RPM or establishing a formal fork. The November 20 Fedora Board meeting talked about an upcoming "RPM announcement," but it remains unannounced as of this writing. Getting a handle on the status of that crucial package would be most beneficial for users of RPM-based distributions, whether or not they do silly things like track development repositories.

Embedded Linux: Small Root Filesystems

November 17, 2006

This article was contributed by Michael J. Hammel

In the first part of this series I looked at the TinyLinux project, a set of patches aimed at helping developers reduce both the size of their kernel images and the amount of memory they use at runtime. But if you're working to build a working small system you'll need more than a kernel. You need something for the kernel to manage. You need user space applications and an environment in which they can run on top of your tiny kernel. And like your tiny kernel, you need your environment and applications to be as small as possible.

The Root Filesystem

The Linux kernel works hand in hand with what is called the root filesystem. This is the filesystem upon which the root directory can be mounted and which contains the files necessary to bring the system to a state where other filesystems can be mounted and user space daemons and applications started. Most desktop and server distributions make use of two kinds of root filesystems: the initial root filesystem and the real root filesystem. The former is used to mount and run the latter.

The directory structure for a root filesystem can be extremely minimal, as we'll see in a moment, or it can contain the usual set of directories including /dev, /bin, /etc, and /sbin, among others that you see in any desktop Linux distribution.

The kernel boot process concludes with the init code (see init/main.c) whose primary purpose is to create and populate an initial root filesystem with a set of directories and files. It then tries to launch the first user mode process to run an executable file found on this initial filesystem. This first process ("init") is always given process ID 1.

There are three ways for the kernel to find the file that will be run by the init process. The first method is to use a file specified at boot time with the init= kernel parameter. If this parameter is not set, the kernel tries a series of locations to find a file named "init". These include /sbin/init, /etc/init, and /bin/init. If all these fail, the kernel tries to run any shell it finds at /bin/sh. If this last fallback is not found, the kernel will print an error saying that no init could be found.

Once the init process is started it typically begins to launch other user space programs. On a desktop or server system this is known as the sysvinit process and includes the set of scripts found (typically) under /etc/rc.d. The name sysvinit comes from the mechanism used in System V Unix, which defined the naming scheme used for directories and files. On embedded and small footprint systems the init process may be a set of custom designed scripts or even a single application. Some desktop distributions are also beginning to replace sysvinit with alternatives designed with faster booting in mind.

The early root filesystem: Initial Ramdisks

The initial root filesystem is known as the initial ramdisk because the filesystem lives in a disk image created by the kernel in RAM. In a desktop or server system, the initial ramdisk is used to load drivers and initialize an environment so that an external storage system (disk or network attached storage) can be mounted. The switch from the initial root filesystem to the real root filesystem is called a pivot. The pivot causes the real root filesystem to be mounted over the initial root filesystem. When that happens, a new init process from the real root filesystem is launched and takes over the process id of 1. At that point the initial ramdisk is no longer needed and the memory can be freed.

In an embedded system the initial ramdisk might be the only filesystem ever mounted, since it contains all the user mode applications required. Alternatively, the initial ramdisk might mount a flash drive or other local storage yet still not pivot. Instead the mounted storage might be used as a source for user space applications. In these cases the initial ramdisk is never cleared because the pivot never happens.

In the 2.4 kernel, the initial ramdisk was referred to as the initrd image. It was created as a filesystem inside a file. The file was mounted and a filesystem created inside of it. A directory structure for the initial ramdisk was copied into this filesystem. The file was then unmounted, compressed and provided to the kernel via the initrd= kernel parameter at boot time.

The initrd file could only be loaded at boot time from an external source (except for the MIPS kernel, which allowed you to embed the image into the kernel). The original ram disk mechanism for the 2.4 kernel created a synthetic fixed sized block device that needed the filesystem driver used when the initrd was created, such as ext2, in order to work with file data. At the end of the boot process the initrd image had to be unmounted in order to clean up memory usage before switching to a more complete root filesystem.

In the 2.6 kernel the process of creating and using the initial ramdisk has been somewhat simplified. First, the files are simply collected together in a compressed CPIO file, now referred to as the initramfs instead of initrd. The initramfs file is always embedded in the kernel (for all hardware platforms) even if you don't create one yourself. If you don't, a default CPIO archive is created automatically by the kernel build process.

Second, there is no external filesystem required at boot time for the initramfs. Instead, the initramfs is unpacked in a special ramfs-based filesystem called the rootfs. The ramfs filesystem support is built into the kernel and cannot be disabled, so it's always available. Because it doesn't use backing store, it's a simpler system than the mechanism used in the 2.4 kernel. And when the boot process is done with the initramfs, a more complete root filesystem (such as one found on disk) can be directly mounted over it without worrying about wasting a lot of memory.

Why use the initramfs?

It would be ideal if the kernel could boot into a minimal state that knew just enough to bring the system to a useful state for the user or environment it will run in. This minimal state would allow the kernel to be as small as possible with as few options compiled in as possible. This is exactly why you use an initramfs.

On any system, and most especially on resource limited systems, you want to keep the kernel itself small and dynamically load only those driver modules that are required to make the system finish booting. Most desktop systems use the initramfs to determine what kind of hard drive or other storage is available with a complete root filesystem. In this case the initramfs contains boot scripts and driver modules relevant to bringing up the system. These files are only kept around temporarily while the real root filesystem is mounted and the real init process is started. Because the variety of desktop hardware is large, the initramfs can end up being large and fairly sophisticated as it tries to guess what kind of hardware is about to be mounted.

On small systems the situation can be much different. There may not be any additional storage available to hold another, more complete root filesystem. In that case the initramfs becomes the real root filesystem. Because the initramfs is running out of RAM, it will contain only those files and directories absolutely necessary to run the system.

Alternatively, a small system might use a dedicated flash drive with read only access to prevent accidental destruction of the bootable system. In that case the initramfs will contain boot scripts that mount the flash device and perform a little trickery to simulate writeable partitions so the system can operate normally.

Creating an initramfs

It's possible to recreate an initial ramdisk that mirrors your running desktop using the mkinitrd script. The problem with using this script is that you're recreating your desktop environment. That's not likely what you're looking for in your embedded system or even a live CD. So we need to look at creating the initramfs manually.

The kernel source includes the text file ramfs-rootfs-initramfs.txt under Documentation/filesystems. In this file, under the section titled "Populating initramfs" are instructions for creating a very minimal initramfs. This includes a minimal set of device files, the /proc, /sys and /mnt directories, an init script and a BusyBox binary. We'll get to BusyBox in a moment.

Start by creating a directory called "myinitfs":

    mkdir myinitfs

Add some basic directories:

    mkdir -p myinitfs/{boot,proc,sys,mnt,sbin,dev,lib,usr/bin}

Not all of these are required but you'll want them around to populate with useful tools in your initramfs anyway. Next, add the required device files. If your kernel and user space processes need to be able to output messages then the minimal root filesystem will need a console device. This is created with the mknod command.

    mknod -m 644 myinitfs/dev/console c 5 1

If your system is booting from a CD and the root filesystem is in a compressed filesystem image on the CD then you'll also need a loop device.

    mknod -m 644 myinitfs/dev/loop0 b 7 0

Of course, your embedded system doesn't have to output messages to a console and it certainly doesn't have to mount any filesystems, so neither of these are required. But if you're creating a live CD you'll want them.

After creating the directory structure and adding these two devices, we copy in a shell script for our init program and a compiled copy of the BusyBox binary. The content of the shell script and the makeup of the BusyBox binary are the keys to getting your small system running.

Starting Small: BusyBox

BusyBox is the workhorse of embedded systems. It is a collection of commonly used Unix utilities rolled together into a single binary. The command line utilities usually have fewer options than their standalone counterparts but tend to be functionally similar. The primary goal of BusyBox is to provide a full featured set of utilities for resource limited systems.

BusyBox is a well designed package that is extremely easy to use. A graphical configuration utility similar in style to the curses-based kernel configuration utility allows you to choose the utilities you need. The Unix utilities are referred to as applets and the configuration utility lets you pick which applets to include in the binary. The choice of which applets to include depends entirely on the system you're trying to create. For a live CD that mounts a compressed file system from the CD as the real root filesystem (over the initramfs) you would include utilities like losetup, mount and umount, gzip, and tar, along with the basic ls, ash, grep, mkdir, mknod and so forth.

The build process for BusyBox is simple. Unpack the BusyBox archive in the current directory (where myinitfs is located). This creates a BusyBox directory. In that directory, create your configuration:

    make menuconfig

You'll be prompted to save the configuration, which you should do. In the configuration you should be certain to specify the directory where the build should be installed. While not absolutely required, it saves a copying step later. In the latest version of BusyBox, 1.2.1, look under the BusyBox Settings->Installation Options menu and set the install directory to "../myinitfs".

After configuration, you simply build and install the binary:

    make
    make install

Getting Bigger: LFS

Before looking at the init script I want to mention that, although BusyBox can provide just about everything you need to get the system booted and even provide a runtime environment on its own, you might need far more user space support. If you're looking to extend your system to a full distribution, be sure to look at the LinuxFromScratch.org web site, known more commonly as LFS. Here you'll find step by step instructions on how to build a complete distribution.

The LFS is often used in live CD distributions as the runtime system that is loaded from a compressed filesystem off a CD by a BusyBox-based initramfs. Building a live CD from scratch in this manner is a great way to learn what a Linux distribution is all about, from the kernel on up through KDE and GNOME.

A live CD init script

At this point you've created a minimal set of utilities and a directory structure suitable for booting (sans the kernel, of course). But you still need the all important init script that kicks things off for the user space environment.

I've worked with this init script for some time, which is based on the init script found in an older version of the LFS live CD. It assumes the use of UnionFS and SquashFS for mounting and using compressed filesystem image files from the CD.

In my next article in this series I'll look at how and why you would use compressed filesystems like SquashFS along with UnionFS to boot your system.

Page editor: Jonathan Corbet

Security

Virtual Machines and Memory Protections

November 20, 2006

This article was contributed by John Richard Moser

The IT industry and the open source community both currently enjoy a healthy want for security, a growing passion that has brought about new security tools and even some new programming languages. It isn't always easy to get all of these things working together; virtual machines such as Mono, for example, have difficulty with the memory space policies enforced by PaX or SELinux. Some implementations of the CLI virtual machine may have difficulty functioning with these security protections, and may be exposed to native code called from C# programs or the virtual machine itself.

The C# programming language is gaining popularity, and has been used to write programs such as Beagle, F-Spot, and Banshee. It is also a supported language for development in the GNOME environment. C# has strong type checking, array bounds checking, detection of attempts to use uninitialized variables, and automatic garbage collection, making it both type-safe and memory-safe; these aspects make it an attractive language for developers who want to sidestep manual memory management and just get their programs working.

C# programs are typically compiled to Common Instruction Language (CIL), a bytecode language designed to be run inside a virtual machine implementing the Common Language Infrastructure (CLI). Bytecode languages are similar to machine-level instructions, except they're not hosted on a physical CPU; effectively they are CPU architectures that are only run on emulators. Another familiar example of this is the Java platform, the typical target of the Java programming language.

The most naive approach to bytecode execution is to use an interpreter. Interpreters read each instruction in the program as executed; determine what the instruction is; and then modify the state of the virtual machine as needed, changing memory values or the program execution point. Interpreters execute dozens of instructions each time they process a bytecode instruction; programs execute very slowly, with all but the simplest being irritatingly sluggish.

Virtual machines often use a technique called Just-in-Time compilation (JIT) to improve performance. Rather than interpret, JIT compilers generate equivalent native code from the bytecode they encounter; in essence, they translate the parts of the program being run to run natively as encountered. Because of this, the continuous interpreter cost becomes a series of short one-time compilation costs, which in most cases goes unnoticed.

The first time I wrote for LWN, I authored a small article on security improving technologies which could be deployed now. Since then, these and other technologies have become more prevalent; ProPolice is part of gcc, and some of the concepts behind PaX and grsecurity are now integrated into products such as Exec Shield and SELinux. SELinux has policy elements that can be applied to almost exactly mimic the behavior of mprotect() under PaX.

Briefly put, both PaX and SELinux supply a set of protections that prevent programs from executing any memory that could have ever been directly altered by the program itself. A typical exploit technique is to use a flaw in a program to cause it to execute an area of memory an attacker loaded with code; with these restrictions, this attack is no longer possible. The attackers are forced then to resort to executing existing code out of order, which is a blind shot at a moving target due to address space randomization.

These protections are highly significant; however, they interfere in an unfortunate way with the execution of programs on Just-in-Time (JIT) mechanisms such as those used in Mono. The JIT needs to write code into memory and execute it; and the security system won't allow code generated at runtime to run. Since the interpreter is far too slow to be useful, the only real option is to disable the security mechanisms that interfere with the JIT.

The Common Language Infrastructure (CLI) allows for managed code to access unmanaged code; in other words, C# code can call plain old C libraries, making the program as a whole vulnerable to flaws that can't exist in C#. The implementation of the virtual machine is also a factor: Mono implements Web browser features using Mozilla's Gecko rendering engine; and Java implementations can, for example, use libpng bindings to supply PNG image handling rather than full managed rewrites.

Below are listed a couple popular Mono applications—C# and other CLI applications that run on Mono—using native libraries; as well as some of those libraries that have had significant security holes allowing remote runtime code execution.

With this potential for vulnerability, it would be attractive to find a solution for executing Mono without using the JIT. To execute CLI applications without a JIT, Mono would have to provide a method of executing assemblies without rewriting them into native code at runtime. This method would have to function both for typical CIL code and for dynamic assembly. Dynamic assembly is used to generate CIL bytecode at runtime, which is then executed by Mono with the help of the JIT. The Cecil debugger; IronPython; and the IKVM Java runtime are examples of programs that use dynamic assembly to execute whole programs.

The most naive method would be to switch back to the interpreter. Unfortunately we've already established that the interpreter is extremely slow, requiring dozens of cycles to complete even the simplest addition or variable assignment. Even if the interpreter didn't have such prohibitive performance issues, it's not really supported anywhere the JIT works, and isn't actively maintained.

Another possibility is to use the Ahead-of-Time (AOT) compiler to run Mono programs. The AOT compiles Mono assemblies to native code and stores them as shared libraries. AOT modules can be cached, verified, and updated as needed. This allows Mono to dlopen() the generated code and execute it like any other library. This not only eliminates runtime code generation; but also increases code sharing between applications, reducing overall system memory usage. Unfortunately, dynamic assembly doesn't work with AOT, because it cannot be cached and verified later.

Ulrich Drepper described a method of double-mapping a file, in which the same memory is available in two different places under two different permission sets. The file is created, opened, and unlinked so no other program can alter it; and then mmap() is used to make two shared mappings, one writable and one executable. This would work; but it would also increase disk access and use more of the task's virtual address space. It would also still allow a very obscure, unlikely, but possible method for directly introducing code into a program's address space and executing it successfully.

Currently there doesn't seem to be an obvious great solution to get Mono to run without runtime code generation. The interpreter is too slow; AOT doesn't cover dynamic assembly; and Drepper's method of double-mapping a file creates more disk access. Hybrid methods such as AOT with double-mapping for dynamic assemblies are also possible, reducing the severity of some of the drawbacks. By combining these methods, varying degrees of immunity to remote code execution are afforded with corresponding cost trade-offs.
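
Whether a given host enforces the memory restrictions described above, and whether the double-mapping workaround would still get through, can be checked directly. The following C probe is an added example, not code from this article or from Mono; the function names, the marker bytes and the use of TMPDIR or /tmp as a scratch directory are assumptions. It requests memory in the three ways a JIT might and reports which requests the kernel grants, without ever executing generated code.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define PROBE_LEN 4096

/* Every probe returns 1 = permitted, 0 = refused by the kernel, -1 = setup error.
 * Only the mapping requests are tested; nothing written is ever executed. */

/* Strategy 1: one anonymous mapping that is writable and executable at once. */
int probe_anon_wx(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, PROBE_LEN);
    return 1;
}

/* Strategy 2: write into private memory, then ask for the same pages to
 * become executable. This is memory the program has altered itself. */
int probe_write_then_exec(void)
{
    unsigned char *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int ok;
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xCC, PROBE_LEN);            /* dirty the pages first */
    ok = (mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) == 0);
    munmap(p, PROBE_LEN);
    return ok;
}

/* Strategy 3: the double mapping. A file is created, opened and unlinked,
 * then mapped twice with MAP_SHARED: once writable, once executable. */
int probe_double_map(const char *dir)
{
    static const unsigned char marker[] = "constructed marker bytes";
    char path[4096];
    unsigned char *w, *x;
    int fd, n, result;

    n = snprintf(path, sizeof path, "%s/jitprobe-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                          /* no name left for others to open */
    if (ftruncate(fd, PROBE_LEN) != 0) {
        close(fd);
        return -1;
    }
    w = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    x = mmap(NULL, PROBE_LEN, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);

    if (w == MAP_FAILED) {
        result = -1;
    } else if (x == MAP_FAILED) {
        result = 0;                        /* e.g. policy or a noexec mount */
    } else {
        /* Bytes stored through the writable view must appear in the
         * executable view at a different address. */
        memcpy(w, marker, sizeof marker);
        result = (w != x && memcmp(x, marker, sizeof marker) == 0) ? 1 : -1;
    }
    if (w != MAP_FAILED) munmap(w, PROBE_LEN);
    if (x != MAP_FAILED) munmap(x, PROBE_LEN);
    return result;
}

const char *verdict(int r)
{
    return r == 1 ? "permitted" : r == 0 ? "refused" : "setup error";
}

int main(void)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    printf("anonymous writable+executable mapping: %s\n", verdict(probe_anon_wx()));
    printf("write, then mprotect to executable:    %s\n", verdict(probe_write_then_exec()));
    printf("double-mapped unlinked file in %s: %s\n", dir, verdict(probe_double_map(dir)));
    return 0;
}
```

On a host with the restrictions in force, the first two lines should read "refused"; a "permitted" on the third line shows that the policy still leaves the double-mapping route open.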

Of interesting note is that double-mapping a file would prevent policy from being used to restrict the program to mapping only system libraries and a global AOT cache. Apart from the unlikely special case with double-mapping, enhanced memory protections will guarantee that an attacker cannot directly introduce code into a running program; however, attacks that use return-to-libc chains can still create, mmap(), and execute a file. To prevent this, one could restrict executable file-backed mappings to directories only the system administrator can write to, such as system libraries and a global AOT cache; of course, this would break double-mapping.

I cannot predict the implications of these facts for trusted systems and the applications of C# and Mono in high-security environments. For my own purposes, I would prohibit the use of Mono programs in environments with strong security requirements. In my perspective, the cost and potential for error involved in manually auditing all native code in both the Mono virtual machine and any native code used by Mono applications simply does not supply enough value; it is much easier to utilize protections against classes of vulnerabilities than to prove that applications do not need said protections. Your mileage may vary.

Comments (50 posted)

New vulnerabilities

elinks: arbitrary file access

Package(s):elinks CVE #(s):CVE-2006-5925
Created:November 16, 2006 Updated:October 22, 2009
Description: The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Ubuntu USN-851-1 2009-10-21
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

Comments (none posted)

flexbackup: insecure temporary file

Package(s):flexbackup CVE #(s):CVE-2006-4802
Created:November 21, 2006 Updated:November 21, 2006
Description: Eric Romang discovered that the flexbackup backup tool creates temporary files in an insecure manner, which allows denial of service through a symlink attack.
Alerts:
Debian DSA-1216-1 2006-11-20

Comments (none posted)

gv: stack-based buffer overflow

Package(s):gv CVE #(s):CVE-2006-5864
Created:November 20, 2006 Updated:April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
Alerts:
Gentoo 200704-06 2007-04-06
Gentoo 200703-24 2007-03-26
Debian DSA-1243-1 2006-12-28
Debian DSA-1214-2 2006-12-27
Mandriva MDKSA-2006:229 2006-12-13
rPath rPSA-2006-0230-1 2006-12-12
Fedora FEDORA-2006-1438 2006-12-11
Fedora FEDORA-2006-1437 2006-12-11
Ubuntu USN-390-3 2006-12-06
Ubuntu USN-390-2 2006-12-06
Mandriva MDKSA-2006:214-1 2006-12-04
Ubuntu USN-390-1 2006-11-30
Gentoo 200611-20 2006-11-24
Debian DSA-1214-1 2006-11-20
Mandriva MDKSA-2006:214 2006-11-17

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2006-5793
Created:November 16, 2006 Updated:December 4, 2006
Description: Applications that use libpng are vulnerable to a denial of service attack that may be brought about by the decoding of malformed PNG files.
Alerts:
rPath rPSA-2006-0211-2 2006-11-15
Slackware SSA:2006-335-03 2006-12-04
Gentoo 200611-09 2006-11-17
Trustix TSLSA-2006-0065 2006-11-17
Ubuntu USN-383-1 2006-11-16
OpenPKG OpenPKG-SA-2006.036 2006-11-17
Mandriva MDKSA-2006:212 2006-11-16
Mandriva MDKSA-2006:211 2006-11-16
Mandriva MDKSA-2006:210 2006-11-16
Mandriva MDKSA-2006:209 2006-11-16
rPath rPSA-2006-0211-1 2006-11-15
Oracle ELSA-2012-0317 2012-02-21

Comments (none posted)

proftpd: denial of service

Package(s):proftpd CVE #(s):CVE-2006-5815
Created:November 17, 2006 Updated:January 24, 2007
Description: A denial of service (DoS) vulnerability exists in the FTP server ProFTPD, up to and including version 1.3.0. The flaw is due to both a potential bus error and a definitive buffer overflow in the code which determines the FTP command buffer size limit. The vulnerability can be exploited only if the "CommandBufferSize" directive is explicitly used in the server configuration.
Alerts:
Mandriva MDKSA-2006:217-2 2007-01-23
Trustix TSLSA-2006-0070 2006-12-08
Slackware SSA:2006-335-02 2006-12-04
Debian DSA-1222-2 2006-12-01
Gentoo 200611-26 2006-11-30
Mandriva MDKSA-2006:217-1 2006-11-30
Debian DSA-1222-1 2006-11-30
Trustix TSLSA-2006-0066 2006-11-28
Debian DSA-1218-1 2006-11-21
Mandriva MDKSA-2006:217 2006-11-20
OpenPKG OpenPKG-SA-2006.035 2006-11-17

Comments (none posted)

qmailadmin: buffer overflow

Package(s):qmailadmin CVE #(s):CVE-2006-1141
Created:November 21, 2006 Updated:November 21, 2006
Description: qmailAdmin fails to properly handle the "PATH_INFO" variable in qmailadmin.c. The PATH_INFO is a standard CGI environment variable filled with user supplied data.
Alerts:
Gentoo 200611-15 2006-11-21

Comments (none posted)

tikiwiki: multiple vulnerabilities

Package(s):tikiwiki CVE #(s):CVE-2006-5702 CVE-2006-5703
Created:November 21, 2006 Updated:November 21, 2006
Description: In numerous files TikiWiki provides an empty sort_mode parameter, causing TikiWiki to display additional information, including database authentication credentials, in certain error messages. TikiWiki also improperly sanitizes the "url" request variable sent to tiki-featured_link.php.
Alerts:
Gentoo 200611-11 2006-11-20

Comments (none posted)

torque: insecure temporary file creation

Package(s):torque CVE #(s):CVE-2006-5677
Created:November 21, 2006 Updated:November 21, 2006
Description: TORQUE creates temporary files with predictable names. The TORQUE package shipped in Gentoo Portage is not vulnerable in the default configuration. Only systems with more permissive access rights to the spool directory are vulnerable.
Alerts:
Gentoo 200611-14 2006-11-20

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

asterisk: arbitrary code execution

Package(s):asterisk CVE #(s):CVE-2006-5444
Created:October 19, 2006 Updated:December 6, 2006
Description: The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.
Alerts:
Debian DSA-1229-1 2006-12-06
SuSE SUSE-SA:2006:069 2006-11-16
Gentoo 200610-15 2006-10-30
OpenPKG OpenPKG-SA-2006.024 2006-10-19

Comments (none posted)

avahi: sender id check

Package(s):avahi CVE #(s):CVE-2006-5461
Created:November 13, 2006 Updated:December 20, 2006
Description: Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.
Alerts:
Ubuntu USN-380-2 2006-12-14
Fedora FEDORA-2006-1340 2006-12-11
Fedora FEDORA-2006-1339 2006-11-28
Gentoo 200611-13 2006-11-20
Mandriva MDKSA-2006:215 2006-11-20
Ubuntu USN-380-1 2006-11-11

Comments (1 posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

On recursive servers, queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2006-4262
Created:October 2, 2006 Updated:June 16, 2009
Description: Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code.
Alerts:
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200610-08 2006-10-20
Debian DSA-1186-1 2006-09-30

Comments (none posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

ftpd: privilege escalation

Package(s):ftpd CVE #(s):CVE-2006-5778
Created:November 10, 2006 Updated:February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Gentoo 200611-05:02 2006-11-10
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05 2006-11-10

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:January 20, 2010
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Debian DSA-1974-1 2010-01-20
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

ingo1: missing input sanitizing

Package(s):ingo1 CVE #(s):CVE-2006-5449
Created:November 3, 2006 Updated:November 27, 2006
Description: It was discovered that the Ingo email filter rules manager performs insufficient escaping of user-provided data in created procmail rules files, which allows the execution of arbitrary shell commands.
Alerts:
Gentoo 200611-22 2006-11-27
Debian DSA-1204-1 2006-11-02

Comments (none posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:January 5, 2009
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the netfilter for IPv6 code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libpam-ldap: insecure password control

Package(s):libpam-ldap CVE #(s):CVE-2006-5170
Created:November 3, 2006 Updated:December 21, 2006
Description: Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyResponse control messages incorrectly, which might lead to an attacker being able to log in to a suspended system account.
Alerts:
Gentoo 200612-19 2006-12-20
SuSE SUSE-SR:2006:027 2006-11-24
Red Hat RHSA-2006:0719-01 2006-11-15
Mandriva MDKSA-2006:201 2006-11-07
Trustix TSLSA-2006-0061 2006-11-03
Debian DSA-1203-1 2006-11-02

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it is not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

linux-restricted-modules: nVidia driver vulnerability

Package(s):linux-restricted-modules CVE #(s):CVE-2006-5379
Created:November 6, 2006 Updated:January 11, 2007
Description: Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.
Alerts:
Mandriva MDKSA-2007:007 2007-01-10
Gentoo 200611-03 2006-11-07
Ubuntu USN-377-1 2006-11-03

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mono: symlink vulnerability

Package(s):mono CVE #(s):CVE-2006-5072
Created:October 4, 2006 Updated:December 1, 2006
Description: The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application.
Alerts:
SuSE SUSE-SA:2006:073 2006-12-01
Gentoo 200611-23 2006-11-28
Mandriva MDKSA-2006:188 2006-10-27
Fedora FEDORA-2006-1012 2006-10-06
Ubuntu USN-357-1 2006-10-04

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created:September 15, 2006 Updated:November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks. (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Alerts:
Debian DSA-1210-1 2006-11-14
Gentoo 200610-04 2006-10-16
Ubuntu USN-361-1 2006-10-10
Debian DSA-1192-1 2006-10-06
Gentoo 200610-01 2006-10-04
Debian DSA-1191-1 2006-10-05
Ubuntu USN-354-1 2006-10-02
Gentoo 200609-19 2006-09-28
Mandriva MDKSA-2006:169 2006-09-22
Ubuntu USN-352-1 2006-09-25
Ubuntu USN-351-1 2006-09-22
SuSE SUSE-SA:2006:054 2006-09-22
Ubuntu USN-350-1 2006-09-21
Mandriva MDKSA-2006:168 2006-09-20
Red Hat RHSA-2006:0677-01 2006-09-15
Red Hat RHSA-2006:0676-01 2006-09-15
Red Hat RHSA-2006:0675-01 2006-09-15
rPath rPSA-2006-0169-1 2006-09-15
Slackware SSA:2006-257-03 2006-09-15
Fedora FEDORA-2006-977 2006-09-14
Fedora FEDORA-2006-976 2006-09-14

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:February 21, 2012
Description: The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Mandriva MDKSA-2006:140 2006-08-09
Debian DSA-1149-1 2006-08-10
Red Hat RHSA-2012:0308-03 2012-02-21
Scientific Linux SL-busy-20120321 2012-03-21

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2006-5779
Created:November 10, 2006 Updated:December 1, 2006
Description: openldap has a denial of service vulnerability. Remote attackers can create special LDAP Bind requests to trigger a libldap assertion failure.
Alerts:
rPath rPSA-2006-0221-1 2006-11-30
Gentoo 200611-25 2006-11-28
SuSE SUSE-SA:2006:072 2006-11-24
Mandriva MDKSA-2006:208-1 2006-11-21
Ubuntu USN-384-1 2006-11-20
Mandriva MDKSA-2006:208 2006-11-14
OpenPKG OpenPKG-SA-2006.033 2006-11-10

Comments (none posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-2006-0055 2006-10-06
rPath rPSA-2006-0176-1 2006-09-29
Mandriva MDKSA-2006:171 2006-09-28

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

OpenSSH: denial of service

Package(s):openssh CVE #(s):CVE-2006-4925 CVE-2006-5052
Created:October 6, 2006 Updated:November 15, 2007
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

Alerts:
Red Hat RHSA-2007:0703-02 2007-11-15
Red Hat RHSA-2007:0540-04 2007-11-07
Fedora FEDORA-2007-394 2007-04-03
Gentoo 200611-06 2006-11-13
SuSE SUSE-SA:2006:062 2006-10-20
rPath rPSA-2006-0185-1 2006-10-05

Comments (none posted)

openssh: privilege separation issue

Package(s):openssh CVE #(s):CVE-2006-5794
Created:November 8, 2006 Updated:April 5, 2007
Description: From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities."
Alerts:
Fedora FEDORA-2007-395 2007-04-03
Fedora FEDORA-2006-1215 2006-11-20
Fedora FEDORA-2006-1214 2006-11-20
SuSE SUSE-SR:2006:026 2006-11-17
Trustix TSLSA-2006-0063 2006-11-15
Red Hat RHSA-2006:0738-01 2006-11-15
rPath rPSA-2006-0207-1 2006-11-09
Mandriva MDKSA-2006:204 2006-11-08
OpenPKG OpenPKG-SA-2006.032 2006-11-08

Comments (none posted)

openssh: remote denial of service

Package(s):openssh CVE #(s):CVE-2006-4924 CVE-2006-5051
Created:September 27, 2006 Updated:September 17, 2008
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service and an unsafe signal handler; in addition, on portable OpenSSH, a GSSAPI authentication abort could be used to determine the validity of usernames on some platforms.
Alerts:
Debian DSA-1638-1 2008-09-16
Debian DSA-1212-1 2006-11-15
Fedora FEDORA-2006-1011 2006-10-03
Debian DSA-1189-1 2006-10-04
Mandriva MDKSA-2006:179 2006-10-03
Ubuntu USN-355-1 2006-10-02
OpenPKG OpenPKG-SA-2006.022 2006-10-01
Slackware SSA:2006-272-02 2006-09-29
Red Hat RHSA-2006:0698-01 2006-09-28
Red Hat RHSA-2006:0697-01 2006-09-28
Gentoo 200609-17:02 2006-09-27
rPath rPSA-2006-0174-1 2006-09-27
Gentoo 200609-17 2006-09-27

Comments (none posted)

openssl: insufficient signature checking

Package(s):openssl CVE #(s):CVE-2006-4339
Created:September 5, 2006 Updated:November 15, 2006
Description: Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.
Alerts:
Mandriva MDKSA-2006:207 2006-11-14
Slackware SSA:2006-310-01 2006-11-07
OpenPKG OpenPKG-SA-2006.029 2006-11-06
SuSE SUSE-SA:2006:061 2006-10-19
Slackware SSA:2006-257-02 2006-09-15
Gentoo 200609-05:02 2006-09-07
Debian DSA-1174-1 2006-09-11
Debian DSA-1173-1 2006-09-10
Red Hat RHSA-2006:0661-01 2006-09-06
Gentoo 200609-05 2006-09-07
Mandriva MDKSA-2006:161 2006-09-06
rPath rPSA-2006-0163-1 2006-09-05
OpenPKG OpenPKG-SA-2006.018 2006-09-06
Fedora FEDORA-2006-953 2006-09-05
Ubuntu USN-339-1 2006-09-05

Comments (none posted)

openssl: multiple vulnerabilities

Package(s):openssl CVE #(s):CVE-2006-2937 CVE-2006-2940 CVE-2006-3780 CVE-2006-4343 CVE-2006-3738
Created:September 28, 2006 Updated:December 12, 2006
Description: OpenSSL has a number of denial of service vulnerabilities including: two vulnerabilities involving invalid ASN.1 structures, a buffer overflow in the SSL_get_shared_ciphers() function and an SSLv2 client crash that can be caused by a malicious server.
Alerts:
Gentoo 200612-11 2006-12-11
Gentoo 200610-11 2006-10-24
Debian DSA-1195-1 2006-10-10
SuSE SUSE-SR:2006:024 2006-10-06
Ubuntu USN-353-2 2006-10-04
Mandriva MDKSA-2006:178 2006-10-02
Mandriva MDKSA-2006:177 2006-10-02
Mandriva MDKSA-2006:172-1 2006-10-02
Debian DSA-1185-2 2006-10-02
rPath rPSA-2006-0175-2 2006-09-28
Fedora FEDORA-2006-1004 2006-09-28
Trustix TSLSA-2006-0054 2006-09-29
Slackware SSA:2006-272-01 2006-09-29
rPath rPSA-2006-0175-1 2006-09-28
Red Hat RHSA-2006:0695-01 2006-09-28
Mandriva MDKSA-2006:172 2006-09-28
Debian DSA-1185-1 2006-09-28
Ubuntu USN-353-1 2006-09-28
SuSE SUSE-SA:2006:058 2006-09-28
OpenPKG OpenPKG-SA-2006.021 2006-09-28

Comments (none posted)

pdns: buffer overflow

Package(s):pdns CVE #(s):CVE-2006-4251
Created:November 15, 2006 Updated:November 16, 2006
Description: The PowerDNS nameserver suffers from a buffer overflow which can be exploited to cause a denial of service, with the potential for the execution of arbitrary code.
Alerts:
SuSE SUSE-SA:2006:070 2006-11-16
Debian DSA-1211-1 2006-11-14

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created:September 8, 2006 Updated:June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Alerts:
SuSE SUSE-SR:2008:013 2008-06-13
Mandriva MDVSA-2008:077 2007-03-26
SuSE SUSE-SR:2008:005 2008-03-06
Red Hat RHSA-2008:0146-01 2008-02-28
Fedora FEDORA-2008-1643 2008-02-13
Foresight FLEA-2008-0007-1 2008-02-11
Fedora FEDORA-2008-1122 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:038 2007-02-07
rPath rPSA-2008-0046-1 2008-02-06
Gentoo 200802-01 2008-02-06
rPath rPSA-2006-0182-1 2006-10-05
SuSE SUSE-SA:2006:052 2006-09-21
Red Hat RHSA-2006:0669-01 2006-09-21
Mandriva MDKSA-2006:162 2006-09-07

Comments (1 posted)

php: buffer overflows

Package(s):php CVE #(s):CVE-2006-5465
Created:November 3, 2006 Updated:January 18, 2010
Description: The Hardened-PHP Project discovered buffer overflows in the internal routines behind htmlentities/htmlspecialchars in PHP. Of course, the whole purpose of these functions is to be fed user input. (The overflow can only occur when UTF-8 is used.)
Alerts:
Mandriva MDVSA-2010:007 2010-01-15
SuSE SUSE-SA:2006:067 2006-11-15
rPath rPSA-2006-0205-1 2006-11-09
Red Hat RHSA-2006:0731-01 2006-11-10
Red Hat RHSA-2006:0730-01 2006-11-06
Debian DSA-1206-1 2006-11-06
Fedora FEDORA-2006-1169 2006-11-06
Fedora FEDORA-2006-1168 2006-11-06
Slackware SSA:2006-307-01 2006-11-06
OpenPKG OpenPKG-SA-2006.028 2006-11-06
Ubuntu USN-375-1 2006-11-02
Mandriva MDKSA-2006:196 2006-11-02

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

rpm: arbitrary code execution

Package(s):rpm CVE #(s):CVE-2006-5466
Created:November 6, 2006 Updated:August 28, 2007
Description: An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Fedora FEDORA-2007-668 2007-08-27
Gentoo 200611-08 2006-11-13
Mandriva MDKSA-2006:200 2006-11-07
Ubuntu USN-378-1 2006-11-04

Comments (none posted)

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2006-5467
Created:October 30, 2006 Updated:December 13, 2006
Description: The CGI library in Ruby 1.8 allowed a remote attacker to cause a denial of service via an HTTP request with a multipart MIME body that contained an invalid boundary specifier, which would result in an infinite loop and CPU consumption.
Alerts:
Debian DSA-1235-1 2006-12-13
Debian DSA-1234-1 2006-12-13
Fedora FEDORA-2006-1441 2006-12-11
Fedora FEDORA-2006-1440 2006-12-11
Gentoo 200611-12 2006-11-20
Red Hat RHSA-2006:0729-01 2006-11-08
OpenPKG OpenPKG-SA-2006.030 2006-11-06
Ubuntu USN-371-1 2006-10-31
Fedora FEDORA-2006-1110 2006-10-30
Mandriva MDKSA-2006:192 2006-10-27

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

texinfo: buffer overflow

Package(s):texinfo CVE #(s):CVE-2006-4810
Created:November 8, 2006 Updated:November 27, 2006
Description: Texinfo contains a buffer overflow which could be exploited (via a specially-crafted info file) to run arbitrary code.
Alerts:
rPath rPSA-2006-0219-1 2006-11-27
Debian DSA-1219-1 2006-11-27
Gentoo 200611-16 2006-11-21
OpenPKG OpenPKG-SA-2006.034 2006-11-15
Ubuntu USN-379-1 2006-11-09
Fedora FEDORA-2006-1203 2006-11-09
Fedora FEDORA-2006-1202 2006-11-09
Red Hat RHSA-2006:0727-01 2006-11-08
Mandriva MDKSA-2006:203 2006-11-08

Comments (none posted)

thttpd: insecure temporary files

Package(s):thttpd CVE #(s):CVE-2006-4248
Created:November 3, 2006 Updated:December 1, 2006
Description: Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack.
Alerts:
Debian DSA-1205-2 2006-12-01
Debian DSA-1205-1 2006-11-02

Comments (none posted)

Mozilla products: multiple vulnerabilities

Package(s):thunderbird firefox seamonkey CVE #(s):CVE-2006-5463 CVE-2006-5747 CVE-2006-5748 CVE-2006-5464
Created:November 8, 2006 Updated:December 11, 2006
Description: Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details.
Alerts:
Gentoo 200612-08 2006-12-10
Gentoo 200612-07 2006-12-10
Gentoo 200612-06 2006-12-10
Debian DSA-1227-1 2006-12-04
Debian DSA-1225-2 2006-12-03
Debian DSA-1225-1 2006-12-03
Debian DSA-1224-1 2006-12-03
Ubuntu USN-381-1 2006-11-16
Ubuntu USN-382-1 2006-11-16
SuSE SUSE-SA:2006:068 2006-11-16
Slackware SSA:2006-313-01 2006-11-10
rPath rPSA-2006-0206-1 2006-11-09
Mandriva MDKSA-2006:206 2006-11-09
Mandriva MDKSA-2006:205 2006-11-09
Fedora FEDORA-2006-1199 2006-11-08
Red Hat RHSA-2006:0735-01 2006-11-08
Red Hat RHSA-2006:0734-01 2006-11-08
Red Hat RHSA-2006:0733-02 2006-11-08
Fedora FEDORA-2006-1194 2006-11-08
Fedora FEDORA-2006-1192 2006-11-08
Fedora FEDORA-2006-1191 2006-11-08

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

trac: cross-site request forgery

Package(s):trac CVE #(s):CVE-2006-5848 CVE-2006-5878
Created:November 13, 2006 Updated:December 13, 2006
Description: It was discovered that Trac, a wiki and issue tracking system for software development projects, performs insufficient validation against cross-site request forgery, which might lead to an attacker being able to perform manipulation of a Trac site with the privileges of the attacked Trac user.
Alerts:
Gentoo 200612-14 2006-12-12
Debian DSA-1209-2 2006-11-12
Debian DSA-1209-1 2006-11-12

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

wireshark: multiple vulnerabilities

Package(s):wireshark ethereal CVE #(s):CVE-2006-4574 CVE-2006-4805 CVE-2006-5468 CVE-2006-5469 CVE-2006-5740
Created:November 3, 2006 Updated:November 14, 2006
Description: There are multiple vulnerabilities in Wireshark (formerly Ethereal):
  • Off-by-one error in the MIME Multipart dissector in Wireshark 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. CVE-2006-4574
  • epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. CVE-2006-4805
  • Unspecified vulnerability in the HTTP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVE-2006-5468
  • Unspecified vulnerability in the WBXML dissector in Wireshark 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. CVE-2006-5469
  • Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. CVE-2006-5740
Alerts:
SuSE SUSE-SA:2006:065 2006-11-14
Red Hat RHSA-2006:0726-01 2006-11-09
Mandriva MDKSA-2006:195 2006-11-02
Debian DSA-1201-1 2006-10-31
rPath rPSA-2006-0202-1 2006-11-01
Fedora FEDORA-2006-1140 2006-11-01
Fedora FEDORA-2006-1141 2006-11-01

Comments (none posted)

WordPress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2006-5705
Created:October 30, 2006 Updated:November 17, 2006
Description: This vendor announcement identifies several vulnerabilities in WordPress versions prior to 2.0.5.
Alerts:
Gentoo 200611-10 2006-11-17
OpenPKG OpenPKG-SA-2006.027 2006-10-30

Comments (2 posted)

wv: integer overflow

Package(s):wv CVE #(s):CVE-2006-4513
Created:November 2, 2006 Updated:December 7, 2006
Description: The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user.
Alerts:
Gentoo 200612-01 2006-12-07
Mandriva MDKSA-2006:202 2006-11-07
Ubuntu USN-374-1 2006-11-01

Comments (none posted)

xine-lib: code execution

Package(s):xine-lib CVE #(s):CVE-2006-4799
Created:October 4, 2006 Updated:November 21, 2006
Description: The xine-lib package does not properly validate AVI headers, enabling an attacker to run arbitrary code via a specially crafted AVI file.
Alerts:
Debian DSA-1215-1 2006-11-20
Ubuntu USN-358-1 2006-10-04

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

xinit: race condition

Package(s):xinit CVE #(s):CVE-2006-5214
Created:October 17, 2006 Updated:August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Fedora FEDORA-2007-659 2007-08-08
Fedora FEDORA-2007-1409 2007-08-02
Ubuntu USN-364-1 2006-10-16

Comments (1 posted)

X.org: local privilege escalations

Package(s):xorg-x11 CVE #(s):CVE-2006-4447
Created:August 28, 2006 Updated:April 30, 2007
Description: Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 2007-04-27
Mandriva MDKSA-2006:160 2006-08-31
Gentoo 200608-25 2006-08-28

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xorg-x11: privilege escalation

Package(s):xorg-x11 xfree86 CVE #(s):CVE-2006-3739 CVE-2006-3740
Created:September 12, 2006 Updated:December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server.
Alerts:
Mandriva MDKSA-2006:164-2 2006-12-14
Mandriva MDKSA-2006:164-1 2006-11-17
Debian DSA-1193-1 2006-10-09
SuSE SUSE-SR:2006:023 2006-09-27
Slackware SSA:2006-259-01 2006-09-18
Mandriva MDKSA-2006:164 2006-09-14
Gentoo 200609-07 2006-09-13
Ubuntu USN-344-1 2006-09-12
Red Hat RHSA-2006:0666-01 2006-09-12
Red Hat RHSA-2006:0665-01 2006-09-12
rPath rPSA-2006-0167-1 2006-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.19-rc6, released on November 15. It contains a fair number of fixes, but one hopes that most of the problems have been taken care of by now (though the latest version of the 2.6.19 known regressions list (November 21) still contains nine entries). See the long-format changelog for the details.

Almost 90 fixes have gone into the mainline git repository since -rc6, as of this writing. There has been no word on whether that's enough to force the release of a 2.6.19-rc7 before this cycle comes to an end or not.

There have been no -mm releases over the last week.

The current stable 2.6 kernel is 2.6.18.3, released on November 18. It contains a fair number of fixes, at least one of which is security-related.

Adrian Bunk has released 2.6.16.32 with quite a few fixes. 2.6.16.33-rc1 is also available.

On the 2.4 front, Willy Tarreau has released 2.4.33.4 with a couple of security patches and a number of other fixes. 2.4.34-pre6 is also out, adding a relatively small number of patches.

Comments (none posted)

Kernel development news

Quotes of the week

Hm, I've never heard the driver model be called a "complete design paradigm" in the past. I've heard it called a lot of real nasty things though.

-- Greg Kroah-Hartman

So don't fall for the classic "second system syndrome". The classic reason for getting the second system wrong is because you focus on the issues people complain about, and not on the issues that work well (because the issues that work fine are obviously not getting a lot of attention).

-- Linus Torvalds

Comments (3 posted)

A summary of 2.6.19 API changes

The 2.6.19 kernel cycle has brought the usual pile of changes visible to kernel developers. Here is a quick summary of the most significant API modifications in 2.6.19.

  • The prototype for interrupt handler functions has changed. In short, the regs argument has been removed, since almost nobody used it. Any interrupt handler which needs the pre-interrupt register state can use get_irq_regs() to obtain it.

  • The latency tracking infrastructure patch has been merged.

  • The readv() and writev() methods in the file_operations structure have been removed in favor of aio_readv() and aio_writev() (whose prototypes have been changed). See this article for more information.

  • The no_pfn() address space operation has been added.

  • SRCU - a version of read-copy-update which allows read-side blocking - has been merged. See this article by Paul McKenney for lots of details.

  • The CHECKSUM_HW value has long been used in the networking subsystem to support hardware checksumming. That value has been replaced with CHECKSUM_PARTIAL (intended for outgoing packets where the job must be completed by the hardware) and CHECKSUM_COMPLETE (for incoming packets which have been completely checksummed by the hardware).

  • A number of memory management changes have been merged, including tracking of dirty pages in shared memory mappings, making the DMA32 and HIGHMEM zones optional, and an architecture-independent mechanism for tracking memory ranges (and the holes between them).

  • The pud_page() and pgd_page() macros now return a struct page pointer, rather than a kernel virtual address. Code needing the latter should use pud_page_vaddr() or pgd_page_vaddr() instead.

  • A number of driver core changes including experimental parallel device probing and some improvements to the suspend/resume process.

  • There is now a notifier chain for out-of-memory situations; the idea here is to set up functions which might be able to free some memory when things get very tight.

  • The semantics of the kmap() API have been changed a bit: on architectures with complicated memory coherence issues, kmap() and kunmap() are expected to manage coherency for the mapped pages, thus eliminating the need to explicitly flush pages from cache.

  • PCI Express Advanced Error Reporting is now supported in the PCI layer.

  • A number of changes have been made to the inode structure in an effort to make it smaller.

  • Much improved suspend and resume support for the USB layer.

  • A new set of functions has been added to allow USB drivers to quickly check the direction and transfer mode of an endpoint.

  • A somewhat reduced version of Wireless Extensions version 21. Most of the original functionality has been removed with the idea that the wireless extensions will soon be superseded by something else.

  • Vast numbers of annotations enabling the sparse utility to detect big/little endian errors.

  • The flags field of struct request has been split into two new fields: cmd_type and cmd_flags. The former contains a value describing the type of request (filesystem request, sense, power management, etc.) while the latter has the flags which modify the way the command works (read/write, barriers, etc.).

  • The block layer can be disabled entirely at kernel configuration time; this option can be useful in some embedded situations.

  • The kernel now has a generic boolean type, called bool; it replaces a number of homebrewed boolean types found in various parts of the kernel.

  • There is a new function for allocating a copy of a block of memory:

        void *kmemdup(const void *src, size_t len, gfp_t gfp);
    
    A number of allocate-then-copy code sequences have been updated to use kmemdup() instead.

As always, API changes are tracked on the LWN 2.6 API changes page.

Comments (2 posted)

Kernel key management

November 21, 2006

This article was contributed by Jake Edge.

Filesystems, especially remote filesystems, may require some authentication or a key to enable access; the kernel key management interface provides hooks to store and manage this kind of information. The hooks come in two flavors; one used by the kernel to find keys for subsystems that require them and one used by userspace programs to manage keys. The intent is to provide a fast mechanism for the kernel to access the keys that it needs and to push the add, modify and delete operations into userspace.

'Key' is the term used, but it may not be keys in the traditional, cryptographic sense that are stored. Any kind of authentication or access information can be stored as a key; it is essentially an opaque chunk of data that is only interpreted by the kernel subsystem that is interested in it. While filesystems are the main target of the API, any kernel subsystem that requires this kind of information could use it.

At the core, keys are stored in the aptly named struct key which has the following kinds of fields:

  • a unique serial number
  • a key type that can identify the filesystem that the key belongs to
  • a description string that is used for searching for the key
  • a payload that contains the actual key data
  • user and group information including permissions
  • an expiration time
  • a key state that tracks instantiation, revocation, deletion, etc.

The key types provide a way for a filesystem to configure its own set of key operations. The operations that a key type can specify are:

  • instantiate - create a key of that type
  • update - modify a key
  • match - match a key to a description, which is used in the key search
  • revoke - clear some key data and change the state to KEY_FLAG_REVOKED
  • destroy - clear all key data
  • describe - summarize the key's description and payload as text
  • read - read the key data
  • request_key - called when the key is not available in order to retrieve the key from elsewhere

Two standard key types are defined: key_type_user and key_type_keyring. New key types can be registered by filesystems using:

    int register_key_type(struct key_type *type);

When the kernel needs to find a key, it calls:

    struct key *request_key(const struct key_type *type,
                            const char *description,
                            const char *callout_string);

It passes the type and description; the match function from the struct key_type is then used to try to find a matching key. If no key is found, and callout_string is not NULL, the kernel will invoke /sbin/request-key, which attempts to obtain the necessary key from userspace.

The payload field of a key can be accessed once the key has been found, but if it is more complex than a simple integer, some arrangement must be made to prevent simultaneous reads and writes. Support for semaphore locking or Read-Copy-Update (RCU) is present in the key structure and must be used unless the key type has no modification methods. Once the filesystem is done with the key, it should be released with:

    void key_put(struct key *key);

Keyrings are, as the name implies, collections of related keys and there are various calls to manipulate them. Each process is associated with three keyrings: a thread-specific keyring, a process-specific keyring and a session-specific keyring. These are the keyrings searched when a request_key is issued. Each user on the system is associated with a user-specific keyring and a default user session keyring, the latter used to initialize the session-specific keyring when a process changes its real user id.

Permissions for keys are stored in a bit field, much like Linux file permissions, but are more extensive. Each key has a user and group id and a permissions mask for each of four potential accessors: possessor, user, group, and other. The mask consists of six bits:

  • view - allows a key or keyring's attributes to be viewed
  • read - allows a key's payload or a keyring's list of keys to be viewed
  • write - allows creating or modifying a key's payload or keyring's list of keys
  • search - allows keys to be found and keyrings to be searched
  • link - allows the key or keyring to be linked into another keyring
  • set attribute - allows the key's user id, group id, and permissions mask to be changed

The userspace API consists of the three main system calls:

    key_serial_t add_key(const char *type, const char *desc,
                         const void *payload, size_t plen,
                         key_serial_t keyring);

    key_serial_t request_key(const char *type, const char *description,
                             const char *callout_info,
                             key_serial_t dest_keyring);

    key_serial_t keyctl(int cmd, key_serial_t id, int create);

add_key() adds a key to the keyring specified. request_key(), much like its kernel-side counterpart, searches for the key based on the type and description, possibly calling out to userspace if callout_info is non-NULL. It can also attach the key to the specified destination keyring if it is found. keyctl() is an ioctl-like interface that provides for the management of keys. <linux/keyctl.h> contains 17 separate commands for updating, changing permissions, searching, linking, reading and the like.

The /bin/keyctl command-line utility, part of the keyutils package, provides an easy interface to the userspace system calls to facilitate working with keys from userspace. Also, the /proc/keys and /proc/key-users entries in procfs enable a user to view the keys and key users currently managed by the kernel.
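The permission mask described above appears as a hex column in /proc/keys, so it can be audited mechanically. The following C program is an added example, not code from the article or the kernel: it decodes the 32-bit mask (one byte per accessor, bit values as in <linux/key.h>) and flags keys that the "other" accessor may read or modify. The sample lines are constructed, the column layout is assumed to follow Documentation/keys.txt, and the audit policy is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bits inside one accessor's byte; same values as KEY_OTH_* in <linux/key.h>. */
enum {
    KP_VIEW = 0x01, KP_READ = 0x02, KP_WRITE = 0x04,
    KP_SEARCH = 0x08, KP_LINK = 0x10, KP_SETATTR = 0x20, KP_ALL = 0x3f
};

/* Accessors, numbered by the byte each occupies in the 32-bit mask. */
enum accessor { ACC_OTHER, ACC_GROUP, ACC_USER, ACC_POSSESSOR };

/* Findings returned by audit_key_perm(); the policy is an assumption. */
enum { AUDIT_OK = 0, AUDIT_WORLD_READ = 1, AUDIT_WORLD_MODIFY = 2 };

/* Extract the six permission bits granted to one accessor. */
static unsigned key_perm_bits(uint32_t mask, enum accessor who)
{
    return (mask >> (8 * (unsigned)who)) & KP_ALL;
}

/* Render six bits as "vrwsla" (view, read, write, search, link, setattr). */
static void key_perm_string(unsigned bits, char out[7])
{
    static const char letters[] = "vrwsla";
    for (int i = 0; i < 6; i++)
        out[i] = (bits & (1u << i)) ? letters[i] : '-';
    out[6] = '\0';
}

/* Flag masks that let unrelated users read or change the key. */
static int audit_key_perm(uint32_t mask)
{
    unsigned other = key_perm_bits(mask, ACC_OTHER);
    int findings = AUDIT_OK;

    if (other & KP_READ)
        findings |= AUDIT_WORLD_READ;     /* payload readable by anyone */
    if (other & (KP_WRITE | KP_SETATTR))
        findings |= AUDIT_WORLD_MODIFY;   /* payload or ownership changeable */
    return findings;
}

/* Parse "SERIAL FLAGS USAGE EXPY PERM UID GID TYPE ..." (assumed layout).
 * Returns 0 on success, -1 if the line does not match. */
static int parse_proc_keys_line(const char *line, uint32_t *serial,
                                uint32_t *perm, char type[16])
{
    unsigned s, p;

    if (sscanf(line, "%x %*s %*u %*s %x %*u %*u %15s", &s, &p, type) != 3)
        return -1;
    *serial = s;
    *perm = p;
    return 0;
}

/* Constructed sample lines, not captured from a real system. */
static const char *SAMPLE[] = {
    "00000001 I-----    39 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4",
    "0000002a I-----     1 perm 3f3f0303  1000  1000 user      backup:passphrase: 12",
    "0000002b I-----     1 perm 3f010024  1000  1000 user      nfs:ticket: 40",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        uint32_t serial, perm;
        char type[16], pos[7], usr[7], grp[7], oth[7];

        if (parse_proc_keys_line(SAMPLE[i], &serial, &perm, type) != 0)
            continue;
        key_perm_string(key_perm_bits(perm, ACC_POSSESSOR), pos);
        key_perm_string(key_perm_bits(perm, ACC_USER), usr);
        key_perm_string(key_perm_bits(perm, ACC_GROUP), grp);
        key_perm_string(key_perm_bits(perm, ACC_OTHER), oth);

        int f = audit_key_perm(perm);
        printf("%08x %-8s pos=%s usr=%s grp=%s oth=%s%s%s\n",
               (unsigned)serial, type, pos, usr, grp, oth,
               (f & AUDIT_WORLD_READ) ? " WORLD-READ" : "",
               (f & AUDIT_WORLD_MODIFY) ? " WORLD-MODIFY" : "");
    }
    return 0;
}
```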

The only filesystem in the current 2.6 tree that uses the key management API is eCryptfs, a stacked filesystem that encrypts its data using a password and optional salt. It uses the user key type rather than creating its own type and does not directly support userspace callbacks. Instead it uses the mount.ecryptfs command to prompt the user for the password and stores that as the key.

According to slides from Dave Howells' talk at the 2006 Ottawa Linux Symposium (available here), several other filesystems (including CIFS, NFSv4 and AFS) are planning to use the API in the future. For more information, extensive documentation can be found in the kernel tree in Documentation/keys.txt and Documentation/keys-request-key.txt.

Overall, this looks to be a useful interface for kernel subsystems that require keys and, in keeping with kernel tradition, most of the policy and management pieces are pushed out to userspace. It provides all of the capabilities that one would expect and hopefully more kernel subsystems will be using it in the future.

Comments (6 posted)

KHB: Automating bug hunting

November 21, 2006

This article was contributed by Valerie Henson

If you're a programmer, you've reviewed a lot of code - at minimum, your own code (or at least we hope so). It doesn't take a lot of code reviewing before you start recognizing familiar bugs - failure to drop a lock on the error exit path, dereferencing a pointer just after it's been proven to be null, forgetting to mark a buffer dirty. Before long, the sense of deja vu is overpowering. You might even begin to entertain the sneaking suspicion that half of code review work could be done by a trained chimpanzee, a 10-line script, or someone from marketing.

(Some of) The Solutions

As it turns out, that suspicion is correct. A lot of software errors can be found automatically, in fact, surprisingly automatically. The automatic checking we'll discuss falls into two main categories: static and dynamic. Static checking runs on the source code and doesn't require integration with a running system. It is often better at exploring all execution paths, but often explores impossible execution paths (resulting in false positives), and usually can't deal with things like function pointers. Dynamic checking runs on a live system, which produces more accurate results but requires more invasive techniques and usually can't explore as many execution paths (though fusion with model-checking techniques can work around this; see eXplode later in this article). The good news is that automatic error checking techniques are compatible; we can use them all and get the best of all worlds.

In this article, we'll review several papers describing some of the most practical and promising approaches, all from Dawson Engler's research group at Stanford. Many LWN readers will already be familiar with metacompilation (known as "the Stanford checker" in kernel circles) at a high level, but the approach rewards deeper study. Another approach, named EXE, uses symbolic execution, in which an instrumented program self-generates complex error-triggering inputs. We'll also look at eXplode, a light-weight system inspired by model-checking which quickly and efficiently checks file systems and other software for correct crash recovery. All of these approaches are compatible with the Linux kernel (requiring more or less code modification but generally less) and have found many real-world bugs resulting in system panic, data corruption, or security holes.

Finally, we'll quickly review a variety of existing open source tools for automatically error-checking programs. With any luck, in a few years' time we'll have scripts doing the trained chimpanzee code review work instead of Linux kernel maintainers.

The Papers

We'll start with one of the most intellectually intriguing approaches, using code instrumentation and symbolic execution to automatically generate complex test inputs that trigger serious bugs. The paper is Automatically generating malicious disks using symbolic execution, by Junfeng Yang, Can Sar, Paul Twohey, Cristian Cadar, and Dawson Engler, and appeared in IEEE Security and Privacy 2006. (Another longer, more detailed paper on the topic is EXE: Automatically Generating Inputs of Death, by Cristian Cadar, Vijay Ganesh, Peter Pawlowski, David Dill, and Dawson Engler and appeared in ACM Computer Communications and Security 2006). The basic idea is that you begin executing the program with a "symbolic" input. As the program runs, the EXE system uses compiled-in instrumentation to keep track of the tests done on the input data. These tests create constraints on what the input data can be. Once the system has a set of constraints, it tries to solve them and come up with a set of allowed inputs. It then checks the allowed inputs to figure out if they will cause one of a known set of errors, such as dividing by zero, allowing access to arbitrary memory locations, triggering an assertion, etc.

In this paper, the authors apply the system to the Linux file system mount code for ext2, ext3, and JFS. In this case, the system starts out with a symbolic representation of all possible disk images ("inputs"), and gradually whittles away allowed disk images at each point in the mount code, based on actions such as:

    if (sbi->s_frag_size == 0)
        goto cantfind_ext2;

It then checks all disk images allowed at any particular point to see if any of them causes one of the bugs the system can detect. For example, the statement:

    sbi->s_frags_per_block = sb->s_blocksize / sbi->s_frag_size;

would be flagged as triggering a divide by zero error without the prior check pruning out all inputs with sbi->s_frag_size equal to zero.

The advantage of this approach over simply generating random inputs is that random error generation can't go very deep in testing code paths because the random input will nearly always fail during the first few input checks. For example, random input testing for the file system mount code would almost always fail out at the check of the superblock magic number. Another pleasant quality of this approach is that it generates test inputs that trigger the bug detected by the system. Many other automatic error checkers are plagued by false positives; this system hands you the exact input that triggers the supposed bug. It can be accurately described as an error test case generating system in addition to an error checking system. The prospect is enough to make a systems programmer salivate.
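The constraint-collecting idea can be shown in miniature. The following C program is an added example, not EXE or code from the papers: it walks a two-branch toy mount path, records each branch as a constraint on a symbolic superblock field, and asks a toy solver whether the divisor can still be zero at the division. The field names, the equality-only solver and toy_mount() are assumptions of this example; 0xEF53 is the ext2 superblock magic number.

```c
#include <stdint.h>
#include <stdio.h>

enum field  { F_MAGIC, F_FRAG_SIZE, NFIELDS };   /* symbolic input fields */
enum op     { OP_EQ, OP_NE };
enum result { R_REJECTED, R_MOUNTED, R_DIV_BY_ZERO };

struct constraint { enum field f; enum op op; uint32_t k; };
struct path       { struct constraint c[8]; int n; };

#define TOY_MAGIC     0xEF53u
#define TOY_BLOCKSIZE 1024u

static void add(struct path *p, enum field f, enum op op, uint32_t k)
{
    p->c[p->n++] = (struct constraint){ f, op, k };
}

/* Toy solver for conjunctions of (field == k) and (field != k).
 * Returns 1 and fills in[] with a concrete input, or 0 if unsatisfiable. */
static int solve(const struct path *p, uint32_t in[NFIELDS])
{
    for (int f = 0; f < NFIELDS; f++) {
        int have_eq = 0;
        uint32_t v = 0;

        for (int i = 0; i < p->n; i++) {
            if ((int)p->c[i].f != f || p->c[i].op != OP_EQ)
                continue;
            if (have_eq && v != p->c[i].k)
                return 0;                 /* x == a and x == b with a != b */
            have_eq = 1;
            v = p->c[i].k;
        }
        for (int again = 1; again; ) {
            again = 0;
            for (int i = 0; i < p->n; i++) {
                if ((int)p->c[i].f != f || p->c[i].op != OP_NE || p->c[i].k != v)
                    continue;
                if (have_eq)
                    return 0;             /* x == v and x != v */
                v++;                      /* free field: try the next value */
                again = 1;
            }
        }
        in[f] = v;
    }
    return 1;
}

/* Follow the fall-through side of each check (the rejecting sides end the
 * path) and test whether the divisor may be zero when the division runs. */
static int explore_mount(int has_frag_check, uint32_t witness[NFIELDS])
{
    struct path p = { .n = 0 };

    add(&p, F_MAGIC, OP_EQ, TOY_MAGIC);      /* passed: magic check        */
    if (has_frag_check)
        add(&p, F_FRAG_SIZE, OP_NE, 0);      /* passed: frag_size == 0 test */

    struct path q = p;                       /* error query at the divide   */
    add(&q, F_FRAG_SIZE, OP_EQ, 0);
    return solve(&q, witness);
}

/* Concrete version of the same path, used to replay a generated input.
 * The zero divisor is reported instead of being allowed to trap. */
static enum result toy_mount(const uint32_t in[NFIELDS], int has_frag_check)
{
    if (in[F_MAGIC] != TOY_MAGIC)
        return R_REJECTED;
    if (has_frag_check && in[F_FRAG_SIZE] == 0)
        return R_REJECTED;
    if (in[F_FRAG_SIZE] == 0)
        return R_DIV_BY_ZERO;
    return (TOY_BLOCKSIZE / in[F_FRAG_SIZE]) <= TOY_BLOCKSIZE ? R_MOUNTED : R_REJECTED;
}

int main(void)
{
    uint32_t w[NFIELDS];

    for (int check = 0; check <= 1; check++) {
        if (explore_mount(check, w))
            printf("check=%d: input magic=0x%x frag_size=%u divides by zero\n",
                   check, (unsigned)w[F_MAGIC], (unsigned)w[F_FRAG_SIZE]);
        else
            printf("check=%d: no input reaches the divide with a zero divisor\n",
                   check);
    }
    return 0;
}
```

The generated input already carries the correct magic number, which is the depth a random generator almost never reaches.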

The next paper is eXplode: a Lightweight, General System for Finding Serious Storage System Errors, by Junfeng Yang, Can Sar, and Dawson Engler, which appeared in OSDI 2006. eXplode tests file systems (and more complex storage software stacks) by generating all possible disks that could be the result of a crash, and then automatically checking them using verification programs, such as fsck and programs that check for "correct" file system topology (e.g., the existence of the path "/a/b/" after creating and properly syncing it). The sequence of events leading up to an incorrect disk is recorded through some minor, not terribly intrusive instrumentation. Some minor modifications to Linux are needed to deterministically replay a sequence of events; mainly, the execution order of threads must be maintained, which they approximate using thread priorities. They also modify Linux to make certain error cases (such as memory allocation failure) more common.

eXplode works for more than just file systems; it also works for databases on top of file systems, file systems on top of RAID, software configuration systems, or any combination of the above. This is due to the stackable, modular nature of the routines for creating, mutating, and checking disks. Each layer in the storage stack fills out the following routines:

  • init: one-time initialization, such as formatting a file system partition or creating a fresh database.
  • mount: set up the storage system so that operations can be performed on it.
  • unmount: tear down the storage system; used by eXplode to clear the storage system's state so it can explore a different one.
  • recover: repair the storage system after an eXplode-simulated crash.
  • threads: return the thread IDs for the storage system's kernel threads (to help control non-determinism).

The client code must also provide routines that mutate the storage system (such as by creating a file) and that check the file system for correctness, above and beyond the recover routine. When running, eXplode (1) calls all the init() routines for each element in the stack in order, (2) calls all the mount() routines, (3) runs the mutate routine, forking children at "choice points", places where execution could go in one direction or another, (4) at appropriate points, generates all possible crash disks (due to incomplete and/or reordered writes), runs the recover routines, and then runs the checker routine, and (5) repeats steps 3 and 4 until the user gets bored.

A lot of hard work is needed to make this execute quickly and explore "interesting" parts of the state space, but the results are quite good, and a big improvement over their earlier system, FiSC. Sections 7 through 9 of the eXplode paper describe many of the interesting (and sometimes amusing) bugs eXplode found in Linux and various software running on Linux, such as Berkeley DB and Subversion. One of the least pleasant is a bug in the way ext2 handles fsync(). From the paper:

The ext2 bug is a case where an implementation error points out a deeper design problem. The bug occurs when we: (1) shrink a file "A" with truncate and (2) subsequently creat, write, and fsync a second file "B." If file B reuses the indirect blocks of A freed via truncate, then following a crash e2fsck notices that A's indirect blocks are corrupt and clears them, destroying the contents of B. (For good measure it then notices that A and B share blocks and "repairs" B by duplicating blocks from A). Because ext2 makes no guarantees about what is written to disk, fundamentally one cannot use fsync to safely force a file to disk, since the file can still have implicit dependencies on other file system state (in our case if it reuses an indirect blocks for a file whose inode has been cleared in memory but not on disk).

While it is well known that ext2 makes very few guarantees on the state of the file system, it is surprising that even an fsync() call does not make any guarantees about the state of the file system on disk. eXplode also found an error in JFS, which does make fairly strong guarantees, in which an fsync()'d file could lose all its data when a directory inode is reused as a file inode.
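The crash-disk step and the ext2 fsync() problem quoted above can be reproduced on a toy model. The following C program is an added example, not eXplode's code: it logs the writes of the truncate/creat/write/fsync sequence, builds every crash disk as the synced writes plus any subset of the still-buffered ones, runs a simplified repair step, and checks that the fsync'd file survived. The four-block disk layout, the repair rule and the fsync_flushes_deps switch are assumptions of this example.

```c
#include <stdio.h>

enum { INODE_A, INODE_B, INODE_C, BLOCK_X, NBLOCKS };  /* toy disk layout    */
enum { EMPTY, PTR_X, INDIRECT_A, DATA_B, MTIME_NEW };  /* toy block contents */

struct disk  { int blk[NBLOCKS]; };
struct write { int block, value, durable; };  /* durable: forced out by fsync */

/* init: file A owns block X as an indirect block; B and C hold nothing. */
static struct disk init_disk(void)
{
    struct disk d = { { PTR_X, EMPTY, EMPTY, INDIRECT_A } };
    return d;
}

/* mutate: log the writes issued by the operation sequence. With
 * fsync_flushes_deps == 0, fsync(B) leaves A's inode update buffered. */
static int mutate(struct write *log, int fsync_flushes_deps)
{
    int n = 0;

    log[n++] = (struct write){ INODE_C, MTIME_NEW, 0 };  /* unrelated write   */
    log[n++] = (struct write){ INODE_A, EMPTY, fsync_flushes_deps }; /* truncate(A) */
    log[n++] = (struct write){ BLOCK_X, DATA_B, 1 };     /* write(B) reuses X */
    log[n++] = (struct write){ INODE_B, PTR_X, 1 };      /* creat + fsync(B)  */
    return n;
}

/* recover: simplified repair. If A still claims X as an indirect block but
 * X does not look like one, X is treated as corrupt and cleared. */
static void recover(struct disk *d)
{
    if (d->blk[INODE_A] == PTR_X && d->blk[BLOCK_X] != INDIRECT_A)
        d->blk[BLOCK_X] = EMPTY;
}

/* check: a file that was fsync'd must still have its data after recovery. */
static int check(const struct disk *d)
{
    return d->blk[INODE_B] == PTR_X && d->blk[BLOCK_X] == DATA_B;
}

/* Enumerate every crash disk and return how many fail the check.
 * *total receives the number of crash disks generated. */
static int explore(int fsync_flushes_deps, int *total)
{
    struct write log[8];
    int n = mutate(log, fsync_flushes_deps);
    int npending = 0, bad = 0;

    for (int i = 0; i < n; i++)
        if (!log[i].durable)
            npending++;
    *total = 1 << npending;

    for (int subset = 0; subset < (1 << npending); subset++) {
        struct disk d = init_disk();
        int p = 0;

        for (int i = 0; i < n; i++) {
            /* Durable writes always land; buffered ones only if chosen. */
            int lands = log[i].durable || ((subset >> p) & 1);
            if (!log[i].durable)
                p++;
            if (lands)
                d.blk[log[i].block] = log[i].value;
        }
        recover(&d);
        if (!check(&d)) {
            bad++;
            printf("  crash disk %d: fsync'd file B lost after recovery\n", subset);
        }
    }
    return bad;
}

int main(void)
{
    int total;

    for (int fixed = 0; fixed <= 1; fixed++) {
        printf("fsync_flushes_deps=%d\n", fixed);
        int bad = explore(fixed, &total);
        printf("  %d of %d crash disks violate the check\n", bad, total);
    }
    return 0;
}
```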

One of the primary goals of eXplode is ease of use and extension to new systems with only minor effort. The eXplode system runs on a live, running Linux kernel instance with only minor modifications. These modifications could be trivially rewritten to be configurable as a compile-time option (CONFIG_EXPLODE?), making them a reasonable candidate for integration in the mainline kernel. The checking interface allows programmers to check new systems (pretty much anything that runs on Linux and stores data on disks) by writing only a few lines of code. While the current interface uses C++, it seems relatively easy to add other front ends using C or shell scripts. The authors are considering open sourcing the code and are very interested in hearing more from kernel developers about how to make eXplode more attractive for everyday use.

Our final paper is Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code, by Dawson Engler, David Yu Chen, Seth Hallem, Andy Chou, and Benjamin Chelf, and appeared in SOSP 2001. The basic idea is to create a framework for static code analysis which allows programmers to write extremely simple descriptions of rules that code should follow. Most readers will be familiar with the simpler applications of this work from the many bug reports produced by the Stanford checker and reviewed on the linux-kernel mailing list. This paper goes above and beyond this level of code analysis and describes a statistical approach to inferring relationships between functions and variables, looking for deviations from the norm, and then ranking and ordering the results so that the deviations most likely to yield bugs are near the top of the list. For example, the system can infer relationships such as "only modify variable X in between calls to spin_lock(Y) and spin_unlock(Y)" - without writing a rule that explicitly lays out this relationship. It could almost be described as meta-meta-compilation - the system not only checks the rules automatically, it infers the rules automatically.

A more recent paper, From Uncertainty to Belief: Inferring the Specification Within, by Ted Kremenek, Paul Twohey, Godmar Back, Andrew Y. Ng, and Dawson Engler, which appeared in OSDI 2006, pushes these ideas even further with a technique that is capable of inferring more complex rules using a combination of statistical inference, compiler analysis, and machine learning. For a system such as Linux where lines of code far outweigh lines of documentation, this approach has great merit. I find myself doing a human version of this statistical analysis every time I attempt to use an undocumented network driver framework function.

A fun footnote is the slides from a talk entitled Weird things that surprise academics trying to commercialize a static checking tool. Check out the slides entitled "Myth: the C (or C++) language exists" or "No, your tool is broken: that's not a bug."

What does this mean for Linux?

A lot of great, practical ideas for automatically finding errors are coming out of research these days. The existing implementations may not be practical or available for Linux (for example, the metacompilation work has been commercialized and will remain closed source for the indefinite future), but this work can often inspire useful (though usually not as complete) open source implementations.

On the static code analysis side, both sparse and smatch implement some useful checks. sparse is already integrated into the kernel build system; smatch, unfortunately, appears to have stalled. Annotations like __must_check are producing voluminous (and sometimes mystifying) compiler warnings. A lot of checks are integrated directly into gcc, but this requires a programmer with knowledge of gcc and a fairly long release cycle turnaround time before the check becomes available. The general-purpose nature of these checks also means that they sometimes generate many false positives, especially on systems software, and have to be explicitly turned off again. A framework that allows gcc to be extended with metacompilation style checks without requiring recompilation of gcc might be more helpful.

When it comes to dynamic code analysis, Linux has quite a few special purpose error checkers which can be configured in or out of the kernel, or turned on and off at boot time. One of the most exciting is lockdep, the lock correctness validator written by Ingo Molnar and Arjan van de Ven. It observes lock acquisition during runtime, and looks for invalid or inconsistent use of locks (such as reacquiring locks or acquiring locks in a different order). Even nicer would be a generic framework for implementing dynamic code checkers, perhaps using part of the SystemTap framework.

File system testers are coming back into vogue. fsx is a file system stress tester that does a bunch of known-stressful operations to a file system and checks the results. fsfuzz is one of many useful tools for randomly altering file systems to expose bugs.

There are many other useful automatic testing/chimpanzee-replacement tools; I encourage you to describe your favorites in the comments. Happy debugging!

Comments (19 posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Run Fedora on the PS3

Do you have a PlayStation 3? Are you looking for a fun hack? Why not put Fedora on your PS3. Engadget has a brief article with a video showing Fedora running on a PlayStation 3. Qj.net has install instructions for Fedora Core 5. Additional videos of FC5 running on the PS3 can be found on the PS3mods blog.

Disclaimer: your editor does not own a PS3 and is not likely to get one, so she has not tried this. These links were found on this post to fedora-devel and this post to fedora-marketing.

Comments (1 posted)

New Releases

Red Hat Enterprise Linux 5 Beta 2 Availability

Red Hat has announced the availability of Red Hat Enterprise Linux 5 Beta 2 (kernel 2.6.18-1.2747.el5). "Red Hat Enterprise Linux 5 has been developed in close cooperation with the Fedora Core 6 and the upstream community. This is the first Red Hat Enterprise Linux release that includes Xen-based open source virtualization technology. The Red Hat Enterprise Linux 5 Beta 2 release contains virtualization support on the x86 and x86-64 architectures as well as a technology preview of Xen for Itanium 2. We are particularly interested in your testing feedback on the virtualization technology."

Full Story (comments: none)

Distribution News

The DebianEdu OLPC effort, three first months

The DebianEdu team has been working with the KDE project, Skolelinux, mEDUXa, Edubuntu and others on the One Laptop Per Child (OLPC) project.

Full Story (comments: none)

Debian release update

Steve Langasek looks at the release status of Debian etch. Once scheduled for early December, it now looks like the etch release will be in late December. "With the installer candidate out and an initial draft of the release notes available, we can use some help now from intrepid users doing upgrade testing from sarge to etch."

Full Story (comments: none)

Call for help with the Debian FAQ (updates and review)

With the etch release growing ever closer it is time to improve documentation by helping to update The Debian GNU/Linux FAQ. Click below to see the call for help.

Full Story (comments: none)

DebConf7: registration and call for papers

Registration is open for DebConf7, as is the call for papers. DebConf7 is scheduled for June 17 - 23, 2007 in Edinburgh, UK.

Full Story (comments: none)

Fedora board meeting minutes

The Fedora Board met on November 20; the members inaugurated a new policy of posting real-time minutes over an IRC channel. The meeting log has now been posted. For those who get tired of side-to-side scrolling, a lightly reformatted version can be had by hitting the link below. Among other things, the meeting covered the proposed new 13-month support policy, whether Mono will stay in Fedora (looks like it probably will, for a while at least), and hinted at an upcoming "RPM announcement."

Full Story (comments: 20)

FC6 downloads and installs

Max Spevack looks at some Fedora Core 6 statistics. "Today is the 24th day -- about 3.5 weeks -- since FC6 was released. Since release, we've been tracking the number of unique IP addresses that check in via yum for updates... A few minutes ago, we crossed over the 300,000 mark."

Full Story (comments: none)

IRC meeting about Novell/Microsoft deal

SUSE will be hosting an IRC meeting to discuss the Microsoft/Novell deal; people present will include Nat Friedman and Holger Dyroff. It is interesting, however, that they chose this Thursday, November 23 for the meeting. That is a major holiday in the US, so attendance by Americans is likely to be quite low.

Update: The meeting has been moved to the following Monday, November 27 to accommodate people in the US.

Full Story (comments: 70)

SUSE Linux 9.2 security support is now discontinued.

Support for SUSE Linux 9.2 has been discontinued. SUSE Linux 9.2 was released in October 2004, so it has been supported for over 2 years. Click below for a summary of fixes.

Full Story (comments: 1)

New Distributions

Linux Mint 2.0 "Barbara"

Linux Mint aims to produce an elegant, up to date and comfortable GNU/Linux desktop based on Ubuntu. Linux Mint is like a customized version of Ubuntu. It uses the same repositories and the same packages. It follows the Ubuntu releases and innovations. Basically, it is 98% Ubuntu, with a few differences, notably the default inclusion of patented or proprietary technologies for an easy-to-use desktop out of the box. DesktopLinux looks at Linux Mint 2.0 "Barbara", based on Ubuntu 6.10.

Comments (none posted)

Tempest Showroom

Tempest Showroom is a live CD showcasing Tempest for Eliza, a program that makes your computer monitor send out special radio signals so that you can then hear computer generated music in your radio.

Comments (none posted)

Distribution Newsletters

Fedora Weekly News Issue 67

The Fedora Weekly News for November 20, 2006 covers FC6 downloads and installs Stats, Fedora summit wrap-up, Back from the Fedora Summit, FACTFest 2006, Getting ready for VANLUG, SELinux: setroubleshootd in action, Yum Extender Next Generation and more.

Comments (none posted)

Ubuntu Weekly News

Issue 21 of the Ubuntu Weekly Newsletter has been published. Topics include: Ubuntu Developer Summit Mountain View, gNewSense announced, KDE 4 packages available, New teams, Forging Feisty, Changes in Feisty, In the Press, Edgy reviews, Security and Updates to 6.10 and 6.06 and Bug stats.

Full Story (comments: none)

DistroWatch Weekly, Issue 178

The DistroWatch Weekly for November 20, 2006 is out. "It was a relatively quiet week, only disturbed by the news about Java being released under the GPL and the unusual levels of interest in the new Linux Mint 2.0. This week's discussion revolves around adding third-party repositories to Ubuntu and other distributions; while the goal of extending the number of easily installable software packages sounds good, mindless addition of repositories can not only compromise system security, it can also break one's system beyond repair. Also in the news: Debian "etch" delays, Fedora 6 usage statistics, FreeBSD's new Security Event Auditing (SEA) system, and an opinion about including proprietary kernel modules in Linux distributions. Finally, the DistroWatch database saw an addition of four new Linux distributions last week; these include the low-end Fluxbuntu Linux and the user-friendly Ulteo."

Comments (none posted)

Package updates

Fedora updates

Updates for Fedora Core 6: system-config-network (bug fixes), kdepim (bug fixes), scim-anthy (new upstream release), shadow-utils (fix stack overflow), m17n-db (bug fixes), desktop-printing (bug fixes), subversion (update to 1.4.2), yum (bug fixes), pirut (bug fixes), nfs-utils (bug fix), logwatch (added more logs), parted (bug fix), beagle (bug fix), gconf2 (bug fix), boost (bug fix), gnome-applet-vm (sync with upstream), selinux-policy (bump for FC6), dogtail (new upstream release), util-linux (bug fixes), mesa (bug fix), xorg-x11-drv-i810 (i965-xv-hang-fix.patch), xorg-x11-drv-ati (update to 6.6.3), xorg-x11-server (bug fixes), virt-manager (update to 0.2.6).

Updates for Fedora Core 5: scim-anthy (new upstream release), m17n-db (bug fixes), desktop-printing (bug fixes), parted (bug fix), boost (bug fix), gconf2 (bug fix).

Comments (none posted)

rPath updates

Updates for rPath Linux 1: dovecot (correct permissions), anaconda, anaconda-utils, anaconda-templates, kernel (enhancements), system-config-display (depend on bitstream-vera-fonts package), dev86 (build for x86 and x86_64), xen (build for x86 and x86_64), rmake (bug fixes).

Comments (none posted)

Trustix updates

Updates for Trustix Secure Linux 2.2 & 3.0: imagemagick and php (various bug fixes).

Comments (none posted)

Ubuntu updates

Updates for Ubuntu 6.10: gimp 2.2.13-1ubuntu2, libgnomeprintui 2.12.1-4ubuntu1, gnome-games 1:2.16.1-0ubuntu2, vino 2.16.0-0ubuntu2.1, oprofile 0.9.2-1ubuntu0.1, kdebase 4:3.5.5-0ubuntu3.1.

Updates for Ubuntu 6.06 LTS: gcl 2.6.7-14ubuntu1, lighttpd 1.4.11-3ubuntu3.1, speex 1.1.11.1-1ubuntu0.1, dpkg 1.13.11ubuntu7, hal 0.5.7-1ubuntu18.2.

Comments (none posted)

Newsletters and articles of interest

Ubuntu Developer Summit report: Desktop plans, PowerPC's future, and community (Linux.com)

Linux.com continues UDS coverage with a look at plans for the Ubuntu and Kubuntu desktops, the future of PowerPC, and how Ubuntu is working with local community teams. "One of the things that makes Ubuntu so successful is the community that's formed around the distribution. Out of about 140 attendees for the summit, only 30 were employed by Canonical to work on Ubuntu. The rest were there because of personal or commercial interests in Ubuntu. Shuttleworth and company seem to have done a pretty good job of bridging the commercial and community divide, and community building and governance was a major topic at the summit."

Comments (17 posted)

Jono Bacon (BehindUbuntu)

BehindUbuntu interviews Jono Bacon. "I am the Ubuntu Community Manager, and my role is to help keep the wheels of the community rolling. I am here to optimise how the community works, resolve problems, encourage new contributors, build up our teams, improve how teams talk together and more. I also work alongside the community, speaking at conferences and user groups, dealing with concerns, getting feedback and more. I am here to ensure the Ubuntu community is a world class example of free software community in action."

Comments (none posted)

Getting started with ParallelKnoppix, a live CD for clusters (Linux.com)

Linux.com has an excerpt from the book Linux Live CDs covering ParallelKnoppix. "The ParallelKnoppix CD comes with quite a bit of software that isn't necessarily related to clustering. You'll find a number of editors, multimedia applications, Internet applications, games, and a lot more. Games and whatnot probably won't be on your list of desired apps if you're actually being productive, but if you happen to have the PK disc with you and want to kill some time, you can always turn a boring old Windows machine into a Knoppix desktop for a while."

Comments (none posted)

Distribution reviews

Mandriva Linux 2007 ONE for home users (coulier.org)

coulier.org has a review of Mandriva Linux 2007 for home users. "What might a Linux distribution such as Mandriva Linux 2007 be to a Windows user? Is it a valuable alternative, or do you have to be a real computer nerd to risk the move? Why would an average PC user make the effort to change over to Linux? Admittedly, not necessarily everyone will benefit from such a move - but it could be a lot more interesting than you may suspect. Many discussions around this topic lead to considerable debate, and in this article we do not pretend to own the truth or to be complete. This article just sums up our own experiences after several years of use of both Microsoft Windows and Mandriva Linux."

Comments (none posted)

Red Hat Enterprise Linux 5 beta 2 now available (Linux-Watch)

Linux-Watch takes a quick look at the second beta for Red Hat Enterprise Linux 5. "RHEL 5 incorporates new, fully integrated server and storage virtualization functionality. This release enables an integrated virtualization solution, by coupling server virtualization with Red Hat's clustering support. For enhanced availability, failover at either the application or virtual machine level is provided by Red Hat Cluster Suite, Red Hat Global File System, and Cluster Logical Volume Manager. The technology allows application data to be securely accessed and shared by any guest from any system, Red Hat says."

Comments (2 posted)

Page editor: Rebecca Sobol

Development

Video editing in Linux, it *is* possible

November 21, 2006

This article was contributed by Carl Bolduc

Video editing is probably one of the last areas where Linux is still lagging behind proprietary operating systems. I have used Linux almost exclusively for the last few years, except for video editing where I still use Windows. That is about to change.

My goal was to build a video box that would let me grab video from my digital video (DV) camera, edit scenes with features such as transitions, and create full featured DVD recordings. My hardware is very low end for this kind of task and it has proven to be extremely slow under Microsoft Windows. The test machine featured a 1.3GHz AMD Duron processor, 512 MB of RAM, a 4X single layer DVD burner and a Pinnacle firewire video capture card. Due to my low-end hardware, I decided to install the Slackware 11 distribution. Slackware is known for good performance on limited hardware.

Capturing Video

The initial requirement for a video editing system is the ability to capture the video data. Two choices were available: Kino and dvgrab. Kino is easy to use and even allows you to control your DV camera from a nice GUI interface. Kino requires some GNOME libraries, but Slackware does not provide them out of the box.

I chose to use dvgrab for video capture; it operates with a very simple to use command line interface. For installation of dvgrab on Slackware, you will need to install the following packages (available here): libiec61883, libraw1394, libavc1394, libdv, libsamplerate and dvgrab. Once installed, dvgrab complained about the lack of the IEEE1394 interface, /dev/raw1394. Fixing that problem involved creating two device nodes:

    mknod /dev/raw1394 c 171 0
    mknod /dev/video1394 c 172 0

Finally, due to a permission issue, I opted to use the root account for capturing video with the following command:

    dvgrab video_file_name

The ownership of the resulting video file was then changed to my regular user for further processing.

Video Editing

The next step, and the most complex one, is video editing. The only effective video editor that I found was Cinelerra CV (community version). Until recently, Cinelerra was very unstable software and was not an attractive solution. You had to save very often because of the high risk of crashing. With the latest release, I experienced absolutely no crashes, and I performed some very wacky editing tricks with the software.

The installation process for Cinelerra CV is not trivial if you decide to compile the source yourself. Luckily, the latest version and its dependencies are available for Slackware 11. Selected packages include: faac, faad2, fftw, jack, lame, liba52, libdv, libquicktime, libsndfile, libx264, mjpegtools, openexr and cinelerra.

The Cinelerra interface can be rough at first, but after a few hours of editing you will discover that it is rather usable. Basically, you just import the videos obtained through dvgrab, create clips from the video files, drag the desired clips to the various tracks, insert transitions, apply effects, and finally render your work.

The Cinelerra wiki offers a clear explanation on how to use the various components of the software. You can do tasks such as compositing various video tracks and using multiple audio tracks for dialogs, music, narration and more. Unlike various commercial video editing solutions on the Windows platform, it is not necessary to pay fees for incremental features, such as using a second video track.

Rendering the video

Once you are satisfied with your work, it is time to render everything to a file format that will work with DVD players. Since this step is a tricky and frustrating one, I provided the various steps (also available in the Cinelerra CV wiki) that you need to perform to reach success:
  • Create a script ~/cine_render.sh with the following two lines:

    #!/bin/bash
    mpeg2enc -v 0 -K tmpgenc -r 32 -4 1 -2 1 -D 10 -E 10 \
             -g 15 -G 15 -q 6 -b 9400 -f 8 -o "$1"
    

  • Add execute permissions to the script:

        chmod +x ~/cine_render.sh
    

  • Open Cinelerra, and select the part of the video you want to render with the [ and ] points.

  • In Cinelerra, press Shift+R to bring up the render menu.

  • Select the "YUV4MPEG Stream" file format.

  • Deselect "Render audio tracks" and select "Render video tracks".

  • Click on the wrench that shows up near the word Video.

  • In the newly opened window, indicate the name of the m2v file that you want to create. The m2v file will contain only the video.

  • Click on "Use pipe" and enter the path of the previously created script:

        /home/[your username]/cine_render.sh %
    
  • Click OK to close the second window, and OK again to render your m2v file.

  • After the m2v file has been rendered, open the rendering window again and render an ac3 audio file; choose the 224 kbit/sec bit rate.

  • Finally, combine the audio and video tracks with this command:

        mplex -f 8 your_video_file.m2v your_audio_file.ac3 \
              -o video_audio_file.mpeg
    

The resulting mpeg file should be compatible with commercial DVD players.

Creating a DVD

You now have the data to create a DVD. Several tools are available for this task, but ManDVD stands out as being very easy to use and full of features. To use this application, you will need to install the following Slackware packages: mplayer, ffmpeg, transcode, libdvdread, dvdauthor, dvd-slideshow and mandvd.

ManDVD allows you to write DVDs. It features animated menus and can be operated without touching the command line. ManDVD can burn the final product directly, or it can use K3b for this task. In my case, K3b failed to create a working DVD, so I recommend burning directly from ManDVD.

Afterthoughts

Two new gstreamer-based video editing solutions are being developed at the moment, Diva and PiTiVi. These two projects will eventually provide simple out of the box solutions for the various steps involved in movie creation. PiTiVi will also introduce some exciting new features, such as post-processing of screencasts created with Istanbul and collaborative video editing via bittorrent. The Diva and PiTiVi projects are under heavy development and would benefit from the help of additional hackers.

Until those new alternatives become usable, you will need to rely on a combination of specialized tools to fulfill your video editing needs. With a minimum of pain and time, it is now possible to create professional looking home movies using an entirely free solution running on the Linux platform.

Comments (17 posted)

System Applications

Database Software

PostgreSQL Weekly News

The November 19, 2006 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Printing

Common UNIX Printing System 1.2.7 announced

Version 1.2.7 of CUPS, the Common Unix Print System, has been announced. "CUPS 1.2.7 adds several Mac OS X improvements, implements timeouts in the SSL negotiation code, and fixes the bounding box generated by the PostScript filter, bidirectional support in the USB backend, and another case where the lpstat command could hang."

Comments (none posted)

Web Site Development

Zope News

The November 1-15, 2006 edition of Zope News is online with coverage of the Zope web development platform.

Comments (none posted)

Desktop Applications

Audio Applications

eSpeak 1.17 released

Version 1.17 of eSpeak, a speech synthesizer, is available. Changes include new support for the Finnish, Portuguese and Dutch languages and makefile improvements.

Comments (none posted)

GLASHCtl 0.4.0 announced

Version 0.4.0 of GLASHCtl is out with new capabilities. "This is a simple applet for controlling the LASH Audio Session Handler. When you run it it will appear as a small LASH icon in your "notification area" or "system tray"".

Full Story (comments: none)

Jokosher 0.2 released

Version 0.2 of Jokosher, an audio editor, has been announced. "The Jokosher team are proud to announce the second pre-release of their simple yet powerful audio studio for the GNOME desktop. The new 0.2 version of the software has been in active development since July, and has packed Jokosher with the core features to perform full audio recording and production on the Linux desktop."

Comments (none posted)

Data Visualization

Data Plotting Library DISLIN 9.1 released

Version 9.1 of DISLIN has been announced. "DISLIN is a high-level and easy to use plotting library for displaying data as curves, bar graphs, pie charts, 3D-colour plots, surfaces, contours and maps. Several output formats are supported such as X11, VGA, PostScript, PDF, CGM, WMF, HPGL, TIFF, GIF, PNG, BMP and SVG. The software is available for several C, Fortran 77 and Fortran 90/95 compilers. Plotting extensions for the interpreting languages Perl, Python and Java are also supported ..."

Comments (none posted)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (1 posted)

KDE Commit-Digest (KDE.News)

The November 19, 2006 edition of the KDE Commit-Digest has been announced. The content summary says: "KTorrent supports the creation of trackerless torrents, with work beginning on a web-based management GUI. Support for browsing the SHOUTcast webradio listings in Amarok. Work starts on a new Planner Summary plugin for Kontact. KDissert is renamed Semantik. Maps of more countries added to KGeography. Version 2 of Kallery, a web image gallery creator, is imported into KDE SVN. Qt3 and KDE 3 Java bindings are removed from KDE SVN, superseded by the developments of Qt Jambi."

Comments (none posted)

KDE e.V. Quarterly Report (KDE.News)

KDE.News has announced the July-September, 2006 edition of the KDE e.V. Quarterly Report (PDF). "Topics covered include the outcomes from the 2006 membership meeting, the status of the Technical Working Group's improved charter, the new press channel from the Marketing Working Group and for the first time a report from the Sysadmin Team."

Comments (none posted)

Electronics

eispice 0.7 announced

Version 0.7 of eispice is available with new features and bug fixes. "eispice is a ground-up re-write of the Berkeley Spice 3 Simulation engine in the form of a Python Module. It contains a subset of standard spice device models and a set of unique models that are targeted towards High Speed Digital Design."

Comments (none posted)

GUI Packages

The initial release of PythonQt

The initial release of PythonQt has been announced. "PythonQt is a dynamic and lightweight script binding of the Qt4 framework to the Python language. It can be easily embedded into Qt4 applications and makes any QObject derived object scriptable via Python without the need of wrapper code generation. The first public beta release is available as source code under the LGPL license."

Comments (none posted)

Medical Applications

Foundational Model of Anatomy Ontology released as open-source (LinuxMedNews)

LinuxMedNews reports on the open-source release of the Foundational Model of Anatomy (FMA) Ontology. "From the announcement: 'In response to the increasing demand from the life science and biomedical informatics communities and the private industry for an anatomy ontology that can empower computer applications in biomedicine and provide a basic science framework for the integration of biological data from different sources, the University of Washington and the FMA Ontology Research team hereby release the open source license for the Foundational Model of Anatomy (FMA) ontology and grant licensees a perpetual, worldwide, non-exclusive, no-charge, royalty-free, copyright license to reproduce, publicly display, publicly perform, prepare modifications of, and distribute the FMA ontology with or without modifications.'"

Comments (none posted)

Music Applications

Musical MIDI Accompaniment 1.0 announced

Version 1.0 of MMA, Musical MIDI Accompaniment, has been announced. "Included in this release: Minor changes in the install scripts, Command line option cleanup, Minor bug fixes. MMA is an accompaniment generator -- it creates midi tracks for a soloist to perform with."

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The November 21, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Lisp

Common Lisp Directory

The Common Lisp Directory has been launched. "The Common Lisp Directory (CLD) is a large and growing database of software and resources. It lists both open source and commercial Common Lisp software, for any operating system and implementation. It currently includes over 1000 entries and has almost 800 registered users."

Full Story (comments: none)

Perl

This week on the Perl 6 mailing lists (O'Reilly)

The November 12-18, 2006 edition of the Weekly Perl 6 mailing list summary has been published; take a look for the latest Perl 6 discussions.

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The November 20, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: 1)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 21, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Build Tools

The web-enabled version of Mconfig

A web-enabled Linux kernel configuration utility is available for building 2.4.X kernels. "Mconfig is a tool to configure the linux kernel, similar to make {menu,x} config, but written in C and with a proper yacc parser. This program is an http server "wrapper" around mconfig that makes kernel configuration, development and building completely web enabled. Links to configuration options, source files, kernel documentation and kernel driver information can be managed from a web browser using hyper links."

Full Story (comments: none)

IDEs

eric3 3.9.2 released

Version 3.9.2 of eric3, a Python and Ruby editor and IDE, has been announced. "This is a bug fix release with some new features."

Comments (none posted)

Miscellaneous

MCPP 2.6.2 released

Version 2.6.2 of MCPP, a portable C/C++ preprocessor, is available with bug fixes and other enhancements. See the release notes for more information.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Winners and losers in the New Linux World (Linux-Watch)

Linux-Watch predicts the outcome from recent corporate agreements involving Linux. "Would you have believed at the end of last summer that Microsoft and Novell would partner over Linux, or that Oracle would create its own brand of Linux? Yeah, I wouldn't have believed it either, but here we are. So, what does it all mean? Rather than make a snap judgment I decided to sit, wait and watch before trying to make sense of it all. Now, I'm ready to give you my two-cents on who are the winners and losers in this post-deal Linux world. First, here are the winners. Commercial Linux has taken one giant step forward."

Comments (26 posted)

Novell Speaks (Groklaw)

Groklaw covers the latest back-and-forth between Novell and Microsoft, including Novell's open letter to the community: "We disagree with the recent statements made by Microsoft on the topic of Linux and patents. Importantly, our agreement with Microsoft is in no way an acknowledgment that Linux infringes upon any Microsoft intellectual property. When we entered the patent cooperation agreement with Microsoft, Novell did not agree or admit that Linux or any other Novell offering violates Microsoft patents."

Comments (21 posted)

Trade Shows and Conferences

SC06: A Beowulf cluster of supercomputer people (Linux.com)

Linux.com covers SuperComputing 2006. "SC06, "the premier international conference on high performance computing, networking and storage," was held last week in Tampa, Florida. I took my video camera with me so that I could give you a little feeling of what the show was like, and even grabbed a couple of shots of the "by invitation only" Beowulf Users Group party that was held at a bar a few blocks away from the Tampa Convention Center."

Comments (none posted)

Companies

IBM aims to ease Linux, grid deployments (LinuxWorld.com)

LinuxWorld.com reports on IBM's latest Grid services. "On Wednesday, IBM introduced its Implementation Services for Linux and Grid and Grow Express Implementation Service, both of which expand on existing IBM offerings by building on lessons learned from individual projects to create a standard way to deploy computing grids and Linux. The services use an automated, Web-based tool to streamline projects, cutting costs and improving efficiencies, IBM says."

Comments (none posted)

Microsoft May Indemnify Some Red Hat Linux Users (eWeek)

eWeek reports that Microsoft may offer patent indemnity to Red Hat customers. ""We would like to strike similar patent deals with all the Linux vendors, but we had to start somewhere. The fact that Novell CEO Ron Hovsepian approached us in this regard made that conversation happen very quickly," Bill Hilf, Microsoft's general manager of platform strategy, told eWEEK in an interview here at IT Forum. But Hilf acknowledged that it is an awkward situation having Microsoft's customers who use Novell's SUSE Linux covered by the covenant not to sue, while those Windows users running Red Hat Linux are not."

Comments (7 posted)

Nokia Partners with Red Hat (Techtree.com)

Techtree.com covers a partnership between Red Hat and Nokia. "Nokia and Red Hat have announced a collaboration to develop carrier-grade telecommunications solutions that meet the high performance and availability requirements of operators. As part of the deal, Nokia will deploy Red Hat Enterprise Linux as its primary operating system for carrier-grade platforms; while Red Hat will provide Nokia with onsite consulting, support, certification, and training services. Besides, the two teams will work together closely towards development of these high-end telecommunications solutions."

Comments (9 posted)

Red Hat ponders new JBoss strategy (ZDNet)

ZDNet reports that Red Hat may split JBoss into a free, unsupported product and a subscription-based supported one. "Currently, there is a single version of JBoss, and Red Hat has sold support for it since acquiring the company behind it in April. But Chief Financial Officer Charlie Peters, speaking at a UBS financial conference Tuesday, said that the company is considering applying the two-version formula it used to profit from Linux."

Comments (20 posted)

Legal

Getting Cute with the GPL (Groklaw)

Groklaw mentions a new plan to adjust the wording of the GPLv3 license. "Eben Moglen has now stated that GPLv3 will be redrafted to include clear language that will make the Novell-Microsoft agreement an obvious GPL violation, and more: "GPL version 3 will be adjusted so the effect of the current deal is that Microsoft will be giving away access to the very patents Microsoft is trying to assert." I expect that got Microsoft's attention."

Comments (52 posted)

Interviews

Linux desktop domination "just a matter of time" (DesktopLinux)

DesktopLinux.com has an interview with Mark Shuttleworth. "South Africa native and current London resident Mark Shuttleworth, founder of Canonical Ltd. and the Ubuntu Linux distribution, told DesktopLinux.com Friday in an interview that widespread adoption of Linux on the desktop -- so long-awaited by many people -- "is just a matter of time, IMO.""


RedHat's response: Interview with Mark Webbink (RedHat) (LinuxInterviews.com)

LinuxInterviews.com talks with Mark Webbink, Deputy General Counsel and Secretary at Red Hat. "LinuxInterviews.com: Given the recent announcement of the deal between Novell and Microsoft, would RedHat have accepted a similar deal? Mark Webbink: We have not had the opportunity to review the Microvell deal in detail, but from what we have read in public reports, we cannot see that this arrangement is in the interests of the open source software community or end users."


Resources

Three, two, one...Geronimo!, Part 3: Issues of state (developerWorks)

IBM developerWorks looks at Apache Geronimo. "Though computers and the Web make daily tasks more convenient, they also give rise to new challenges. Today's Internet no longer functions simply by responding to requests for HTML-coded Web pages. Nowadays, Web sites must maintain mountains of information about users and be able to manage many complicated tasks. Luckily, leading-edge tools can simplify such issues of state. Discover an industrial-grade solution to this age-old problem -- namely, session state. This article demonstrates how Apache Geronimo maintains the state of thousands of simultaneous connections so that IT managers can breathe easier."


Monitor your Linux computer with machine-generated music (IBM developerWorks)

Nathan Harrington shows how to turn system status into music in an IBM developerWorks article. "Use Perl and FluidSynth to create a real-time musical composition of your system status. Learn how to integrate various system monitoring data into a harmony-producing, MIDI-controlled audio synthesis. Explore audible information methods and configurations to help you monitor and manage your computing environment."


Bring back deleted files with lsof (Linux.com)

Michael Stutz explores lsof in a Linux.com article. "There you are, happily playing around with an audio file you've spent all afternoon tweaking, and you're thinking, "Wow, doesn't it sound great? Lemme just move it over here." At that point your subconscious chimes in, "Um, you meant mv, not rm, right?" Oops. I feel your pain -- this happens to everyone. But there's a straightforward method to recover your lost file, and since it works on every standard Linux system, everyone ought to know how to do it."


Getting My Kicks On Route 64 (Linux Journal)

Dave Phillips puts together a 64-bit audio workstation running the 64Studio distribution. "Daniel James and Free Ekanayaka share a dream. They want to create a pure 64-bit Linux distribution devoted to the needs of multimedia workers, complete with low-latency kernel and an up-to-date selection of Linux sound, music, and video applications. These fellows have the required expertise: Daniel is the editor-in-chief of Linux User & Developer, Free was one of the chief engineers of the great AGNULA/Demudi project. With their experience in this domain I expected great things from 64Studio. I'm most happy to say that I have not been disappointed."


Page editor: Forrest Cook

Announcements

Non-Commercial announcements

FSFE becomes the legal guardian of the Bacula Project

The Free Software Foundation Europe is now the legal guardian of the Bacula Project. "Kern Sibbald, the founder and lead developer of the Bacula network backup solution, assigned his copyright to FSFE. "I wanted to underline the commitment of the Bacula Project to Free Software," said Kern. "Bacula has always been a community project and we're just solidifying that for the long-term. I am very thankful that the FSFE is providing this service because it removes an important administrative burden from the project, which allows us to focus on the task of programming.""


GNOME Foundation 2006 election questions (GnomeDesktop)

Questions are being accepted for the 2006 GNOME Foundation elections. "The GNOME Foundation 2006 elections will begin next week. With the final list of candidates announced, it's time to submit questions about the GNOME Foundation and GNOME Project to this year's prospective Board of Directors. A list of questions, including best questions from this thread, will be put to the candidates on the public Foundation mailing list."


Open Invention Network on Microsoft/Novell

The Open Invention Network has sent out a press release on the Microsoft/Novell deal. "OIN continues to support the Linux community's ability to collaborate and innovate. Through the accumulation of patents that may be used to shield the Linux environment, including users of Linux software, OIN has obviated the need for offers of protection from others." It would be nice if they had directly addressed the question of whether the patents from Novell are still effective, though.


PSF adopts a trademark policy

The Python Software Foundation has announced a new trademark policy. "The PSF holds a registered trademark on the word "Python". Every few weeks someone writes to the board and asks permission to distribute a program with the word "Python" in its name or to do something with the Python logo. The PSF's board wanted to have a document explaining the PSF's goals for the trademark and discussing common use cases."


Commercial announcements

AVG Security Now for GNU/Linux and FreeBSD

GRISOFT has announced several new versions of its antivirus offerings for GNU/Linux and FreeBSD platforms. The products include AVG Email Server Edition 7.5 for Linux/FreeBSD, now with integrated anti-spam, as well as new products for the GNU/Linux platform: AVG Anti-Virus Professional Edition 7.5 for Linux/FreeBSD and AVG File Server Edition 7.5 for Linux/FreeBSD.


Bull and JBoss Form Strategic Partnership

Bull and JBoss have announced a strategic partnership with the aim of developing interoperable middleware solutions for enterprise service-oriented architecture. "The partnership, which builds on Bull's existing alliance with Red Hat, is JBoss' first strategic partnership in Europe to include open source research and development collaboration and demonstrates both companies' leadership and commitment to open source software innovation."


Linspire Offers Free Services to Desktop Linux Users

Linspire, Inc. has announced the FreeLinuxEmail service. "FreeLinuxEmail, an IMAP email and Net file storage service developed by Messaging Engine of Melbourne, Australia, provides desktop Linux users a free server-based email and file storage service that works with both web-based and client-based email."


Mandriva allies with IBPhoenix to support Firebird 2.0

Mandriva and IBPhoenix have formed an alliance with the goal of supporting the Firebird 2.0 DBMS. "Thanks to a collaboration between IBPhoenix and Mandriva, Mandriva Linux is now the distribution offering the best integrated support for Firebird 2.0. Mandriva now offers the packages for Firebird (Classic and SuperServer versions), the ODBC pilots, Class 4 JCA-JDBC, Python and PHP as well as the administration guide Flamerobin. IBPhoenix is for its part preparing the training material."


Penguin Computing launches new server asset management tools

Penguin Computing has announced their Scyld ControlCenter server management software. "System administrators and key authorized users will have comprehensive but easy-to-use hardware command and control, so organizations can now effectively manage and monitor large pools of server assets with minimal system administration time and cost without compromising security of the overall system."


Red Hat to move to New York Stock Exchange

Red Hat has sent out a press release stating its intent to move its stock market listing over to the NYSE. If all goes well, the stock will trade as "RHT" starting on December 12. "'The move to the New York Stock Exchange is a significant event for Red Hat. We believe that listing on the New York Stock Exchange will increase Red Hat's visibility among investors, reduce trading volatility and offer more efficient pricing,' said Charlie Peters, CFO at Red Hat."


SugarCRM announces Sugar FastStack

SugarCRM Inc. has announced their Sugar FastStack product. "SugarCRM Inc., the world's leading provider of commercial open source customer relationship management (CRM) software, today announced the availability of Sugar FastStack, a software support and delivery service that provides a fast and simple way to install a complete open source software solution, including Sugar software, the Apache Web Server, PHP and the MySQL database."


Toshiba announces single-chip LCD TV solution

Toshiba America Electronic Components, Inc. has announced a second-generation system-on-a-chip for mid- and low-end television applications; the chip runs Linux. "Available in two versions and designated TC90407XBG and TC90407FG, the new SoCs were specifically designed for North American TV standards, including the Advanced Television Systems Committee (ATSC) standard and digital cable. Compared to the previous generation devices, they integrate more on-chip functional blocks to reduce system cost and support new algorithms that improve picture quality significantly."


New Books

Essential CVS, Second Edition - O'Reilly's Latest Release

O'Reilly has published the book Essential CVS, Second Edition by Jennifer Vesperman.


SQL Hacks - New from O'Reilly

O'Reilly has published the book SQL Hacks by Andrew Cumming and Gordon Russell.


Sams Publishing Announces SUSE Linux 10.1 Kick Start

Sams Publishing has published the book SUSE Linux 10.1 Kick Start by Jem Matzan.


Resources

First Issue of Amarok Weekly Newsletter Released (KDE.News)

KDE.News mentions the new Amarok Weekly Newsletter. "In the first issue of the Amarok Weekly Newsletter, we talk about Magnatune.com music store integration and security, search inside lyrics, a new GStreamer-based engine, support for user-definable labels and promotional activities."


Education and Certification

LPI Announces New Training Partner Program

The Linux Professional Institute has announced a new training partner program. "The LPI Approved Training Partner program (LPI-ATP) has 124 participating training organizations in 22 countries. "LPI will continue to advocate a neutral approach to the adoption of Open Source Software, training and services. However, we are seeing an increased demand from both employers and exam candidates for recommendations of high quality training materials and programs. In response to this growing global market, we have improved our training partner program," said Jim Lacey, President and CEO of LPI."


Calls for Presentations

DebConf7: registration and call for papers

A call for papers and open registration announcement has gone out for DebConf7. The conference will take place in Edinburgh, Scotland on June 17-23, 2007; submissions are due by January 31.


Upcoming Events

FAVE 2006 final line-up announced

The final line-up for FAVE 2006 has been announced. "FAVE is an event for people who are interested in free and open source creative software on Linux and other computer platforms. It features workshops, talks and performances from free software developers and artists. The 2006 event is taking place at Limehouse Town Hall in London, England on Saturday the 25th of November."


FoSS.IN/2006 talk schedule announced

The talk schedule for FOSS.IN/2006 has been announced. The event will take place on November 24-26, 2006 in Bangalore, India.


SCALE Announces Plans To Host Open-Source Health Care Summit

The Southern California Linux Expo will host an Open Source Health Care summit during the SCALE 5x conference. "The focus of this event will be on the use of open-source software in the health care industry. The goal of this event is to foster an awareness of the availability of open-source options to medical organizations, private practices, and hospitals. The Open-Source Health Care Summit will be held on February 9, 2007 at the Los Angeles Airport Westin Hotel."


Events: November 30, 2006 to January 29, 2007

The following event listing is taken from the LWN.net Calendar.

| Date(s) | Event | Location |
|---|---|---|
| November 27 - November 30 | PacSec Applied Security Conference 2006 | Tokyo, Japan |
| December 1 - December 2 | PHP Conference Brasil | Sao Paulo, Brazil |
| December 2 - December 3 | Technical Dutch Open Source Event | Eindhoven, the Netherlands |
| December 3 - December 8 | Large Installation System Administration Conference | Washington, D.C. |
| December 5 - December 8 | Open Source Developers' Conference 2006 | Melbourne, Australia |
| December 7 - December 8 | Desktop Architects Meeting | Portland, OR, USA |
| December 9 | London Perl Workshop | London, England |
| December 12 - December 19 | Virtual Congress UnInet Meeting UMeet'2006 | irc.uninet.edu, #linux |
| December 27 - December 30 | 23rd Chaos Communication Congress 2006 | Berlin, Germany |
| January 11 - January 12 | Foundations of Open Media Software | Sydney, Australia |
| January 15 - January 20 | linux.conf.au 2007 | Sydney, Australia |
| January 20 - January 26 | Cell Hack-a-thon | Loveland, CO, USA |
| January 23 - January 26 | Open Source Meets Business | Nürnberg, Germany |
| January 24 | European Patent Conference | Brussels, Belgium |

If your event does not appear here, please tell us about it.

Audio and Video programs

Questions Please...

Jonathan Roberts has announced the launch of Questions Please..., a site that aims to collect questions about free software via email, then produce a podcast with answers. "Richard Stallman, Jeremy Allison and Jeff Waugh have all agreed to take part on a panel answering questions forwarded by members of the community; I will 'chair' and record it, and then post it to here for all to download! We do, however, need your questions to make this work. Just grab the e-mail address from the footer and I'll pick the best to put to our guests."


Zack Rusin interviewed on the Linux Link Tech Show (KDE.News)

KDE.News mentions the availability of an audio interview with Zack Rusin. "Yesterday night Zack Rusin made a guest appearance on The Linux Link Tech Show. He discussed recent developments in the X.Org project, Qt, KDE, his life in Norway and some other Open Source related issues. It is a lengthy interview that should satisfy those who say Zack's not blogging and responding to questions often enough."


Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds