Leading items

The Open-HCI project launches

The announcement went out on the last day of January: members of the GNOME and KDE projects have gotten together to improve cooperation between the two with regard to human interface guidelines. For the (many) users who have wanted to see a higher degree of cooperation between KDE and GNOME, this move can only be seen as a step in the right direction.

At the beginning, of course, it is a pretty small step. Both desktop projects maintain a set of usability guidelines which promote consistency and good human factors in desktop applications. The plan is to merge the two sets into a single document. Initially, each project's guidelines will remain in a separate section. Over time, the plan is to find areas which can be merged into shared sections, common to both desktops. The possibility exists that a single set of guidelines could eventually emerge. That is a distant hope, however; for now, the Open-HCI workers are more concerned with details like what format will be used for the combined document.

It would be hard to overestimate the value of a high-quality, shared usability document. Usability work is hard, tedious, and unglorious; it is also a crucial part of the development of end-user applications that actually work. It is exactly the sort of work that free software projects are not supposed to be good at - though much of the work already done within GNOME and KDE puts the lie to that claim. Making it easier for both projects to benefit from the usability work that is being done can only lead to better desktop applications in the future.

Shared usability guidelines should also lead to more consistent behavior between the two desktops. The competition between KDE and GNOME has been a good thing for both projects, and for the Linux desktop as a whole. But there is no need for the two to be separate islands. More consistent behavior will make it easier for users to pick and choose applications from both projects, allowing them to take advantage of the best of each. And that, too, should be good for the Linux desktop.

(See also: usability guidelines for KDE and GNOME; there is also a mailing list for the Open-HCI project).


Desktop Linux Summits and Consortiums

[This article was contributed by Joe 'Zonker' Brockmeier]

Sometimes two stories in the media become inextricably linked. When one story is covered, the other issue is always mentioned -- creating an impression that there is a connection where the link is sometimes tenuous or nonexistent.

Such is the case with the Desktop Linux Summit and the Desktop Linux Consortium (DLC).

The link, however, between the Summit and the DLC is thin at best and seems to be the victim of bad timing. With better timing, the DLC might be seen for what its founders want it to be: a meeting of the minds of companies and organizations who are interested in furthering Linux as a desktop operating system.

Questions still remain as to exactly what happened with the Desktop Linux Summit. The event is promoted as a "multi-vendor" event about Linux on the desktop. However, many vendors have abandoned the summit after Bruce Perens was replaced as the keynote speaker by Michael Robertson -- not coincidentally the CEO and founder of Lindows.com.

The original list of sponsors and exhibitors differs greatly from the current list. In fact, at least one organization listed as an exhibitor has asked to be withdrawn. Sam Hiser, of the OpenOffice.org Project, confirmed today that the project has asked to be withdrawn from the list of exhibitors. However, they are still listed on the Summit website. A representative for Sun Microsystems also confirmed that they have asked to be removed as an exhibitor, but explained that it was because Sun's speaker would be unavailable for the conference -- not because Perens was no longer speaking.

We spoke with Jill Ratkevic, who was the original coordinator for the Desktop Linux Summit. According to Ratkevic, Robertson and Lindows.com president Kevin Carmony were aware of the decision to have Perens do the keynote. However, Carmony claims that he "always" thought that Robertson would be the keynote speaker and that it was a "mix-up."

We'll take 100 percent responsibility for the miscommunication early on... We haven't come out and told our side of the story, and we really don't want to. We'd rather have everybody think ill of Lindows and get on with business. Okay we're slimeballs, okay we can take that as long as we get on with business. We don't want to spend time on the debate.

Jeremy White, CEO of CodeWeavers, told us that no one had a problem with Robertson speaking -- only the manner in which the change was made. "I think that a lot of folks that were willing to be flexible on the agenda...what was frustrating was the manner in which it was done."

According to Carmony, the event is still sold out, but it certainly has a different flavor now that many Linux companies have pulled out. Attendees listed for the "sold-out" conference now include such Linux-specific companies as Borders, NovaPCs and the Brobeck law firm.

Shawn Gordon, of The Kompany, says he plans to remain involved:

I did pull out for a few days, for a different reason however, and I'm back in it now... My interest is mostly in getting theKompany as much exposure as possible to the main stream press and potential users that haven't heard about us before, and this looked like the best opportunity to do it, regardless of the speakers or program.

The Linux Professional Institute and SuSE will also remain involved. Holger Dyroff, head of SuSE's U.S. operations, said that he did not want to disappoint people who had already made appointments to speak with SuSE.

However, by all accounts, the fuss over the summit is separate from the decision to form a Linux Desktop Consortium. Perens, who is serving as the interim executive director for the consortium, says that the LDC:

...is not a response to the summit issue, but I think that having the Consortium run the next summit will result in some good things... Lindows won't have to pay for everything, and we'll have a better shot at a more even program.

White says that the discussions for the consortium began "more than a month ago." "A few of us got together and said, 'hey, we should do a Linux Desktop Consortium.' We felt that we could use a more unified voice, and it's time for a Linux desktop." White says that the consortium will focus on business users' needs, but "we definitely don't want to neglect grandma."

The consortium is still in the planning stages right now. White says the group is "in a waiting period while we're gathering information."

Despite the fact that a number of LDC members pulled out of the Summit, Lindows.com was still invited to join the LDC. Carmony says that Lindows.com is taking a wait-and-see attitude about the consortium, but that Lindows is "absolutely" open to the idea of joining the group if it turns out to be something they can get behind.

Though the goals of the consortium are still somewhat vague, Perens said that they definitely plan to put on a vendor-neutral desktop conference. Group marketing initiatives also seem to be part of the plan. White says that the group wants to find a way that companies, projects and end-users can work together -- though the details haven't been ironed out yet. Member companies are being asked to pony up $1,000 for membership, but White says that the group doesn't plan to ask free software and open source projects for money.

Some may wonder how successful the consortium will be, since many members are competing companies. However, Perens says that the consortium "won't have to do much to be successful... there are a number of things that the various players should be talking about. There are events that should be held that can be held fairly. We don't have to save the world."

Holger Dyroff, head of SuSE Linux U.S. operations, says that SuSE doesn't plan to take the most active role in the organization but that SuSE is behind the idea of pooling marketing efforts and encouraging companies to see that their products integrate with Linux.

With any luck, the bad blood over the Summit will fade in time and Linux vendors will be able to make Linux a real success on the desktop. Everyone we spoke to for this story indicated a desire to put the issue behind them and to work on making Linux a success rather than focusing on the negatives.


The MS-SQL worm: lessons for free software

The MS-SQL worm has run its course and been cleared off the net. It is also, of course, another example of a proprietary software failure that did not affect Linux users except in indirect ways. Still, the worm is interesting to look at in a number of ways, and it should give free software users and developers a few things to think about.

Much has been written about how quickly the worm spread across the net. Most of the vulnerable systems had been infected within about ten minutes. With that sort of propagation speed, there really is very little that system and network administrators can do; by the time they know that there is a problem, they have already been infected. There is no time to scramble for patches, or even to pull the plug. Someday networks will have to be able to react automatically to this sort of attack; automated response systems, however, are likely to be a source of outages themselves.

The worm infected something on the order of 100,000 hosts. Given the size of the Internet, that is a relatively small number; there just weren't that many vulnerable systems which were directly reachable on the net. Even with such a small proportion of vulnerable systems, however, the worm was able to create a great deal of disruption. It is not necessary to infect much of the net to create trouble for everybody.

This suggests that the talk of software monocultures that one often encounters (including on this site) may be a bit misguided. The net, certainly, is not a monoculture of vulnerable SQL Server systems. Monocultures still increase the risk of truly devastating, global attacks, but their elimination will not necessarily make the net a whole lot safer.

There are plenty of free programs which run at least 100,000 network-exposed systems. A widespread vulnerability in any of these programs could, conceivably, be used to similar effect by a future attacker. There is a good chance, perhaps almost a certainty, that a vulnerability in free software will be used someday to trash the net. It is not an occasion to look forward to.

Still, there are aspects of the free software way of doing things that help to make this kind of event less likely. They include:

  • Security updates for free programs tend to be small fixes which address the vulnerability and nothing else. Most distributors put considerable effort into backporting fixes to whatever version of the program they shipped. As a result, the security updates are relatively safe and easy to install. The SQL Server fix was, apparently, part of a huge patch set which changed many things. Applying all security updates as they come out to a Linux system can be tedious and annoying, but it is also a reasonable thing to do. It has been said that companies trying to keep up with Microsoft patch sets will encounter more outages from the patches themselves than from security breaches.

    The result of all this is that Linux systems are more likely to be current with their security updates. Or, at least, they have less of an excuse if they fall behind.

  • Many, if not most of the systems compromised by the MS-SQL worm were running a version of SQL Server that came packaged with a completely different application; some examples include the Cisco E-Mail Manager, ISS System Scanner, JD Edwards ERP, Office 2000/XP, Visio, Unicenter, and many others. Many of the people running vulnerable systems had no idea that SQL Server was even present. Free applications do not tend to drag along major subsystems in quite the same way. Further moves toward complicated applications and component architectures could change that, however.

  • SQL Server, by default, opens a port to the world as a whole. For the most part, free software (and Linux distributors) have learned better than that. PostgreSQL and MySQL will talk to the net, and both have had security issues in the recent past. It is a rare installation, however, which has exposed either database server to the net without deliberate action by the system administrator.
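
The last two points (database servers nobody knew were installed, and listeners open to the world by default) can be checked on a Linux host by auditing listening sockets. The following is an added example, not part of the original article: it parses constructed `ss -H -tulnp` output and reports database listeners bound to a non-loopback address along with the owning process. The port table, the sample lines and the "bundled-db" process name are assumptions made for illustration.

```python
import ipaddress
import re

# Default database ports. 1434/udp is the SQL Server resolution service
# the MS-SQL worm targeted; the rest are the usual server defaults.
DB_PORTS = {
    ("udp", 1434): "MS SQL resolution",
    ("tcp", 1433): "MS SQL Server",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 3306): "MySQL",
}

# Constructed sample of `ss -H -tulnp` output (not from a real host).
SAMPLE = """\
udp UNCONN 0 0   0.0.0.0:1434   0.0.0.0:* users:(("bundled-db",pid=812,fd=5))
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=6))
tcp LISTEN 0 128 [::1]:5432     [::]:*    users:(("postgres",pid=901,fd=7))
tcp LISTEN 0 80  *:3306         *:*       users:(("mysqld",pid=950,fd=21))
tcp LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=700,fd=3))
"""

def split_addr(local):
    """Split ss's 'Local Address:Port' column into (ip_address, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if host == "*":                         # ss prints * for a wildcard bind
        host = "::"
    return ipaddress.ip_address(host), int(port)

def exposed_db_listeners(ss_output):
    """Return (service, proto, address, port, process) for every database
    listener that is reachable from beyond the loopback interface."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, port = split_addr(fields[4])
        service = DB_PORTS.get((proto, port))
        if service is None or addr.is_loopback:
            continue
        owner = re.search(r'\(\("([^"]+)"', line)
        findings.append((service, proto, str(addr), port,
                         owner.group(1) if owner else "unknown"))
    return findings

if __name__ == "__main__":
    for finding in exposed_db_listeners(SAMPLE):
        print("exposed: %s %s %s:%d (%s)" % finding)
```

On a live system the same function can be fed the output of `ss -H -tulnp` run as root, so that the process column is populated for sockets owned by other users.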

All of the above points, hopefully, indicate that free software offers some relative security advantages, especially with regard to widespread infections. We have a long way to go, however, before we can even begin to think that we are safe. Smugness is the wrong response to this episode; instead, we need to learn from it and redouble our efforts to keep it from happening to us.


Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds