LWN.net Weekly Edition for February 6, 2003

The Open-HCI project launches

The announcement went out on the last day of January: members of the GNOME and KDE projects have gotten together to improve cooperation between the two with regard to human interface guidelines. For the (many) users who have wanted to see a higher degree of cooperation between KDE and GNOME, this move can only be seen as a step in the right direction.

At the beginning, of course, it is a pretty small step. Both desktop projects maintain a set of usability guidelines which promote consistency and good human factors in desktop applications. The plan is to merge the two sets into a single document. Initially, each project's guidelines will remain in a separate section. Over time, the plan is to find areas which can be merged into shared sections, common to both desktops. The possibility exists that a single set of guidelines could eventually emerge. That is a distant hope, however; for now, the Open-HCI workers are more concerned with details like what format will be used for the combined document.

It would be hard to overestimate the value of a high-quality, shared usability document. Usability work is hard, tedious, and inglorious; it is also a crucial part of the development of end-user applications that actually work. It is exactly the sort of work that free software projects are not supposed to be good at - though much of the work already done within GNOME and KDE puts the lie to that claim. Making it easier for both projects to benefit from the usability work that is being done can only lead to better desktop applications in the future.

Shared usability guidelines should also lead to more consistent behavior between the two desktops. The competition between KDE and GNOME has been a good thing for both projects, and for the Linux desktop as a whole. But there is no need for the two to be separate islands. More consistent behavior will make it easier for users to pick and choose applications from both projects, allowing them to take advantage of the best of each. And that, too, should be good for the Linux desktop.

(See also: usability guidelines for KDE and GNOME; there is also a mailing list for the Open-HCI project.)
Desktop Linux Summits and Consortiums

[This article was contributed by Joe 'Zonker' Brockmeier]

Sometimes two stories in the media become inextricably linked. When one story is covered, the other issue is always mentioned -- creating an impression that there is a connection where the link is sometimes tenuous or nonexistent.

Such is the case with the Desktop Linux Summit and the Desktop Linux Consortium (DLC). The link between the Summit and the DLC, however, is thin at best and seems to be the victim of bad timing. With better timing, the DLC might be seen for what its founders want it to be: a meeting of the minds of companies and organizations interested in furthering Linux as a desktop operating system.

Questions still remain as to exactly what happened with the Desktop Linux Summit. The event is promoted as a "multi-vendor" event about Linux on the desktop. However, many vendors have abandoned the summit after Bruce Perens was replaced as the keynote speaker by Michael Robertson -- not coincidentally the CEO and founder of Lindows.com. The original list of sponsors and exhibitors differs greatly from the current list. In fact, at least one organization listed as an exhibitor has asked to be withdrawn. Sam Hiser, of the OpenOffice.org project, confirmed today that the project has asked to be withdrawn from the list of exhibitors; however, it is still listed on the Summit website. A representative for Sun Microsystems also confirmed that Sun has asked to be removed as an exhibitor, but explained that this was because Sun's speaker would be unavailable for the conference -- not because Perens was no longer speaking.

We spoke with Jill Ratkevic, who was the original coordinator for the Desktop Linux Summit. According to Ratkevic, Robertson and Lindows.com president Kevin Carmony were aware of the decision to have Perens do the keynote. However, Carmony claims that he "always" thought that Robertson would be the keynote speaker and that it was a "mix-up."
We'll take 100 percent responsibility for the miscommunication
early on... We haven't come out and told our side of the story, and
we really don't want to. We'd rather have everybody think ill of
Lindows and get on with business. Okay we're slimeballs, okay we
can take that as long as we get on with business. We don't want to
spend time on the debate.
Jeremy White, CEO of CodeWeavers, told us that no one had a problem with Robertson speaking -- only the manner in which the change was made. "I think that a lot of folks that were willing to be flexible on the agenda... what was frustrating was the manner in which it was done."

According to Carmony, the event is still sold out, but it certainly has a different flavor now that many Linux companies have pulled out. Attendees listed for the "sold-out" conference now include such Linux-specific companies as Borders, NovaPCs and the Brobeck law firm. Shawn Gordon, of theKompany, says he plans to remain involved:
I did pull out for a few days, for a different reason however, and
I'm back in it now... My interest is mostly in getting theKompany
as much exposure as possible to the main stream press and potential
users that haven't heard about us before, and this looked like the
best opportunity to do it, regardless of the speakers or program.
The Linux Professional Institute and SuSE will also remain involved. Holger Dyroff, head of SuSE's U.S. operations, said that he did not want to disappoint people who had already made appointments to speak with SuSE.

However, by all accounts, the fuss over the summit is separate from the decision to form the Desktop Linux Consortium. Perens, who is serving as the interim executive director for the consortium, says that the DLC:
...is not a response to the summit issue, but I think that having
the Consortium run the next summit will result in some good
things... Lindows won't have to pay for everything, and we'll have
a better shot at a more even program.
White says that the discussions for the consortium began "more than a month ago." "A few of us got together and said, 'hey, we should do a Linux Desktop Consortium.' We felt that we could use a more unified voice, and it's time for a Linux desktop." White says that the consortium will focus on business users' needs, but "we definitely don't want to neglect grandma."

The consortium is still in the planning stages right now. White says the group is "in a waiting period while we're gathering information." Despite the fact that a number of DLC members pulled out of the Summit, Lindows.com was still invited to join the DLC. Carmony says that Lindows.com is taking a wait-and-see attitude about the consortium, but that Lindows is "absolutely" open to the idea of joining the group if it turns out to be something they can get behind.

Though the goals of the consortium are still somewhat vague, Perens said that they definitely plan to put on a vendor-neutral desktop conference. Group marketing initiatives also seem to be part of the plan. White says that the group wants to find a way for companies, projects and end-users to work together -- though the details haven't been ironed out yet. Member companies are being asked to pony up $1,000 for membership, but White says that the group doesn't plan to ask free software and open source projects for money.

Some may wonder how successful the consortium will be, since many members are competing companies. However, Perens says that the consortium "won't have to do much to be successful... there are a number of things that the various players should be talking about. There are events that should be held that can be held fairly. We don't have to save the world." Dyroff says that SuSE doesn't plan to take the most active role in the organization, but that SuSE is behind the idea of pooling marketing efforts and encouraging companies to make sure their products integrate with Linux.

With any luck, the bad blood over the Summit will fade in time and Linux vendors will be able to make Linux a real success on the desktop. Everyone we spoke to for this story indicated a desire to put the issue behind them and to work on making Linux a success rather than focusing on the negatives.
The MS-SQL worm: lessons for free software

The MS-SQL worm has run its course and been cleared off the net. It is also, of course, another example of a proprietary software failure that did not affect Linux users except in indirect ways. Still, the worm is interesting to look at in a number of ways, and it should give free software users and developers a few things to think about.

Much has been written about how quickly the worm spread across the net. Most of the vulnerable systems had been infected within about ten minutes. With that sort of propagation speed, there is very little that system and network administrators can do; by the time they know that there is a problem, they have already been infected. There is no time to scramble for patches, or even to pull the plug. Someday networks will have to be able to react automatically to this sort of attack; automated response systems, however, are likely to be a source of outages themselves.

The worm infected something on the order of 100,000 hosts. Given the size of the Internet, that is a relatively small number; there just weren't that many vulnerable systems which were directly reachable on the net. Even with such a small proportion of vulnerable systems, however, the worm was able to create a great deal of disruption. It is not necessary to infect much of the net to create trouble for everybody.

This suggests that the talk of software monocultures that one often encounters (including on this site) may be a bit misguided. The net, certainly, is not a monoculture of vulnerable SQL Server systems. Monocultures still increase the risk of truly devastating, global attacks, but their elimination will not necessarily make the net a whole lot safer. There are plenty of free programs which run on at least 100,000 network-exposed systems. A widespread vulnerability in any of these programs could, conceivably, be used to similar effect by a future attacker.
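To put numbers on the propagation speed and the "100,000 hosts is enough" argument above, here is an added model of a random-scanning worm. It is not from the article and not a measurement of the MS-SQL worm: the per-host scan rate of 1,000 probes per second, the 400-byte probe size and the vulnerable-population sizes are assumptions chosen for illustration, the model ignores bandwidth saturation (which in practice throttles scan rates), and 2^32 is simply the IPv4 space a uniformly random scanner draws addresses from. Under those assumptions the infected count follows the logistic curve, and the code checks a step-by-step simulation against the closed-form solution.

```python
"""Random-scanning worm propagation: an added model, not from the LWN article.

Assumptions (illustrative, not Slammer measurements): every infected host sends
scan_rate single-packet probes per second to uniformly random IPv4 addresses,
any probe that lands on a vulnerable, not-yet-infected host infects it at once,
and nothing filters or throttles the traffic.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner chooses among


def simulate(vulnerable, scan_rate, initial=1, dt=0.1, target=0.95, max_time=7200.0):
    """Step the epidemic forward in increments of dt seconds.

    Returns (seconds until `target` of the vulnerable population is infected,
    list of infected counts after each step). If the target is not reached
    before max_time, the elapsed time returned is max_time.
    """
    infected = float(initial)
    t = 0.0
    history = []
    while infected < target * vulnerable and t < max_time:
        # Probability that one probe lands on a still-uninfected vulnerable host.
        p_hit = (vulnerable - infected) / ADDRESS_SPACE
        infected = min(vulnerable, infected + infected * scan_rate * dt * p_hit)
        t += dt
        history.append(infected)
    return t, history


def logistic_time(vulnerable, scan_rate, initial=1, target=0.95):
    """Closed-form time to the target fraction, from the logistic solution."""
    rate = scan_rate * vulnerable / ADDRESS_SPACE  # early per-host growth rate
    return math.log((vulnerable - initial) / initial * target / (1 - target)) / rate


def doubling_time(vulnerable, scan_rate):
    """Seconds for the infected population to double early in the outbreak."""
    return math.log(2) * ADDRESS_SPACE / (scan_rate * vulnerable)


def scan_traffic_bps(infected_hosts, scan_rate, probe_bytes):
    """Aggregate scan traffic in bits per second once infected_hosts are scanning."""
    return infected_hosts * scan_rate * probe_bytes * 8


if __name__ == "__main__":
    RATE = 1000  # assumed probes per second per infected host
    for vulnerable in (100_000, 10_000):
        t, _ = simulate(vulnerable, RATE)
        print(f"{vulnerable:>7} vulnerable hosts: doubling every "
              f"{doubling_time(vulnerable, RATE):.1f} s, 95% infected after "
              f"{t / 60:.1f} min (closed form {logistic_time(vulnerable, RATE) / 60:.1f} min)")
    # 100,000 hosts each emitting 1,000 probes/s of an assumed 400 bytes
    print(f"aggregate scan traffic: {scan_traffic_bps(100_000, RATE, 400) / 1e9:.0f} Gbit/s")
```

The quantity that matters is scan_rate × vulnerable / 2^32: with 100,000 vulnerable hosts the model saturates in about ten minutes, and cutting the vulnerable population tenfold only stretches that to roughly an hour and a half, which is the article's monoculture point in numbers. The doubling time (about 30 seconds here) is the reaction window a defender actually has, and the aggregate traffic figure shows why a small slice of the net, once it is all scanning, can hurt everyone else.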
There is a good chance, perhaps almost a certainty, that a vulnerability in free software will be used someday to trash the net. It is not an occasion to look forward to. Still, there are aspects of the free software way of doing things that help to make this kind of event less likely. They include:
All of the above points, hopefully, indicate that free software offers some relative security advantages, especially with regard to widespread infections. We have a long way to go, however, before we can even begin to think that we are safe. Smugness is the wrong response to this episode; instead, we need to learn from it and redouble our efforts to keep it from happening to us.
Page editor: Jonathan Corbet

Security

Security news

Vulnerabilities and alerts in 2002

One of the advantages to having a site built on a real database is that you can use it to generate nifty tables. When we ran a list of vulnerabilities and alerts one year ago, the whole thing was generated by hand. Life is easier this time around... at least, if you're not concerned with keeping your systems secure.

The following table, which covers the second half of 2002, contains 119 separate vulnerabilities and well over 300 alerts. As much as we like to say that free software is more secure, the table below makes it clear that it is not anywhere near secure enough. On the other hand, it is worth pointing out that almost none of the vulnerabilities listed below have, to our knowledge, been exploited on any kind of scale. Most of these problems have been found (and fixed) by developers proactively auditing the code; in general, the fixes seem to get out to most users in time to avoid widespread problems. Many of these vulnerabilities are, most likely, relatively hard to exploit.

The table reveals some of the limitations of our security database. If a vulnerability has no alerts from a particular distributor, it does not necessarily mean that said distributor never got around to fixing the problem. In many cases, the distributor did not ship a vulnerable version of the affected program, and thus did not need to put out an update.
New vulnerabilities

bladeenc - improper input verification
courier - missing input sanitizing
kernel - multiple vulnerabilities in version 2.4.18 of the kernel
krb5 - vulnerability in Kerberos ftp client
qt-dcgui - file leaking
slocate - buffer overflow

Updated vulnerabilities

perl-MailTools - remote command execution
OpenLDAP2 - remote command execution
Safe.pm - multiple-use vulnerability
at - heap corruption vulnerability
BIND8 - multiple vulnerabilities
bind - buffer overflow vulnerability in DNS resolver libraries
Canna server - exploitable buffer overrun
cups - multiple vulnerabilities
CVS - exploitable double-free bug in the CVS server
dhcp3 - ignored counter boundary