The One Laptop Per Child platform was always going to present some
interesting security challenges. Millions of identical, network-attached
systems will be deployed into some remote parts of the world, where they
will be managed by people who are not security experts. The systems will
be obvious targets for theft, self-propagating malware, and the creation of
botnets. None of these activities feature highly on the OLPC project's
list of educational objectives, so it stands to reason that some
significant thought needs to go into how to prevent them.
The person charged with the OLPC's security thinking is Ivan Krstić. The
initial results of his work, done with help from Simson Garfinkel, have now
been posted with a request
for comments. Ivan and company have come up with a platform named
"Bitfrost," which, it is hoped, will keep OLPC systems out of trouble and
available for their owners. At this point, there is quite a bit of
information on what Bitfrost will do, but very little on how it will be
implemented.
After an introduction on the shortcomings of the traditional Unix file
permissions model, the Bitfrost specification gets into the overriding
principles and goals. The principles are consistent with the approach the
OLPC project has taken so far: security cannot depend on hardware or
software design secrets, it must be possible for users to gain complete
control over the system, security cannot depend on the user being able to
read, and the security mechanism must be unobtrusive. "Unobtrusive" does
not mean that security won't ever get in the way; instead, it means that
the user will not be pestered by popups with security-related questions.
The associated goals include no user passwords, no unencrypted
authentication, a system which is secure when it is first powered on, a
very limited use of public-key encryption infrastructure, and no permanent
data loss.
The process starts at manufacturing time, when each laptop will be equipped
with unique, randomly-generated serial and UUID numbers. The laptop starts
out in a non-functional, deactivated state; making it work involves the use
of a special activation key generated from the serial number and UUID.
The customer countries will have lists of serial and UUID numbers; from
those they will be able to create the activation keys. The plan is for these
keys to be generated in small batches and shipped, on a USB key, to the
destination schools. Once installed on a server there, the keys can be
used to enable the laptops sent specifically to that school. The purpose
here is to deter thieves who would grab pallets of laptops; without the
activation keys, those laptops would only be useful as spare parts.
There is an interesting step which happens once a laptop is activated and
booted:
On first boot, a program is run that asks the child for their name,
takes their picture, and in the background generates an ECC key
pair. The key pair is initially not protected by a passphrase, and
is then used to sign the child's name and picture. This information
and the signature are the child's 'digital identity'.
The laptop transmits the (SN, UUID, digital identity) tuple to the
activation server. The mapping between a laptop and the user's
identity is maintained by the country or regional authority for
anti-theft purposes, but never reaches OLPC.
The ability to locate the proper owner of an OLPC system has obvious
advantages; it should help to keep each laptop in the proper set of small
hands. On the other hand, the potential for a repressive government to
misuse this data seems real; it would be sad if the OLPC systems could not
be used for truly free communications without fear about who might be
listening.
At the BIOS level, security will be handled as described in this LWN article from last
August. The BIOS will only be rewritable when the new image has been
signed with a special cryptographic key. There will be "developer keys"
available which will enable a laptop's owner to reflash the BIOS, but, in
general, the children will not have that functionality available to them.
At the Linux level, security will be handled through a set of privileges
assigned to each installed program. Privileges look much like Linux
capabilities, but they are not capabilities; they are a new layer of
protections which will be implemented via some other means. Some of the
expected privileges will include:
- P_SF_CORE: the ability to modify the core software on the
system. This privilege is normally off, and cannot be enabled without
a special developer key. There is also P_SF_RUN, which
allows modification of the currently-running system software. This
privilege works by way of a copy-on-write filesystem mechanism;
software changes are saved as copies. This mechanism makes it easy to
revert the system to its initial state should the need arise.
- P_NET: a group of controls on network access. Programs can
be denied access to the net entirely, or they can have any of a wide
range of bandwidth, time-of-day, and destination restrictions applied
to them.
- P_MIC_CAM: programs can be granted (or denied) the ability to
use the camera and the microphone. There will also be LEDs (not
present on the current test systems) which will illuminate whenever
the camera or microphone are in use. So it should be difficult to use
an OLPC system to spy on its owner.
- There is a whole set of quotas designed to prevent a program from
using too much processor time, flash space, etc.
In addition, every program will be run in an isolated mode:
A program on the XO starts in a fortified chroot, akin to a BSD
jail, where its visible filesystem root is only its own constrained
scratch space. It normally has no access to system paths such as
/proc or /sys, cannot see other programs on the system or their
scratch spaces, and only the libraries it needs are mapped into its
scratch space. It cannot access user documents directly, but only
through the file store service, explained in the next section.
Again, details on just how the sandbox will be implemented are scarce for
now - though your editor has heard from Mr. Krstić that it will be
based on Linux-VServer.
The "file store service" is described as a sort of object-oriented
database for documents, "similar in very broad terms to the Microsoft
WinFS design". All access to files from programs goes by way of a
user dialog; there should be no way for a program to modify files outside
of its own scratch area without the user knowing about it.
There is also an optional anti-theft mechanism:
It works by running, as a privileged process that cannot be
disabled or terminated even by the root user, an anti-theft daemon
which detects Internet access, and performs a call-home request --
no more than once a day -- to the country's anti-theft servers. In
so doing, it is able to securely use NTP to set the machine RTC to
the current time, and then obtain a cryptographic lease to keep
running for some amount of time, e.g. 21 days. The lease duration
is controlled by each country.
If a machine has been reported as stolen, the "anti-theft server" will
instruct it to shut down hard and go back into the deactivated state. The
same thing will happen eventually if the stolen system is kept isolated
from the net. This mechanism should help to deter thefts; one can only
hope that it is sufficiently well designed that nobody figures out how to
trigger it as a denial of service attack.
The phone-home feature can be disabled - but only in the presence of
a developer key.
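As an added illustration of the lease mechanism just described (not code from the Bitfrost specification or the OLPC project), the following Python sketches both sides of the call-home exchange: the country server issues a lease bound to the laptop's serial number and UUID, or a deactivation order if the laptop has been reported stolen, and the daemon acts only on leases that are authentic, bound to its own (SN, UUID) pair and unexpired. The message layout and the HMAC under a shared key are assumptions made here; the HMAC stands in for the spec's unspecified signature scheme, and a real deployment would use a public-key signature so the laptop holds only a verification key.

```python
"""Sketch of the Bitfrost-style anti-theft lease (added example, not OLPC code)."""
import hashlib
import hmac
import json

LEASE_DAYS = 21                  # the spec's example length; each country picks its own
SECONDS_PER_DAY = 24 * 60 * 60

# Constructed stand-in for the country's anti-theft server key.  A shared-key
# HMAC is used only so the example runs with the standard library; with a real
# signature the laptop would hold just the public (verification) key.
COUNTRY_KEY = b"constructed-example-country-anti-theft-key"


def _tag(key, body):
    """Authenticate a lease body so the daemon can tell a real lease from a forged one."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_lease(serial, uuid, now, stolen, days=LEASE_DAYS, key=COUNTRY_KEY):
    """Server side of the (at most daily) call-home request.

    A laptop on the stolen list gets an authenticated 'deactivate' order; any
    other laptop gets a lease to keep running for `days` more days.  Both are
    bound to the (SN, UUID) pair, so a lease cannot be replayed to another machine.
    """
    body = {
        "serial": serial,
        "uuid": uuid,
        "action": "deactivate" if (serial, uuid) in stolen else "run",
        "expires": now + days * SECONDS_PER_DAY,   # absolute time, from the NTP-set RTC
    }
    return {"body": body, "tag": _tag(key, body)}


def check_lease(lease, serial, uuid, now, key=COUNTRY_KEY):
    """Client side: what the anti-theft daemon should do with a lease it holds.

    Returns "run", "deactivate", "expired" or "invalid".  An unauthentic or
    mismatched message is "invalid" and is ignored, so a forged shutdown order
    cannot be used as a denial-of-service trick; only the country's key, or
    letting the lease run out, can send the machine back to the deactivated state.
    """
    body = lease.get("body", {})
    if not hmac.compare_digest(_tag(key, body), lease.get("tag", "")):
        return "invalid"                        # tag does not match: forged or tampered
    if body.get("serial") != serial or body.get("uuid") != uuid:
        return "invalid"                        # lease issued for a different laptop
    if body.get("action") == "deactivate":
        return "deactivate"                     # reported stolen: shut down hard
    if now >= body["expires"]:
        return "expired"                        # kept off the net too long: deactivate
    return "run"


if __name__ == "__main__":
    now = 1_170_806_400                          # constructed "current time"
    stolen = {("SN-CONSTRUCTED-0002", "uuid-0002")}
    lease = issue_lease("SN-CONSTRUCTED-0001", "uuid-0001", now, stolen)
    print(check_lease(lease, "SN-CONSTRUCTED-0001", "uuid-0001", now))            # run
    print(check_lease(lease, "SN-CONSTRUCTED-0001", "uuid-0001", now + 22 * 86400))  # expired
```

Because a forged or replayed shutdown order fails verification and is simply ignored, the only ways to drive the daemon back to the deactivated state are a genuine order from the country's server or letting the lease lapse.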
One feature which will not be built into the laptops is filesystem
encryption. The CPU in the OLPC XO laptop is simply too slow to perform
that task without bogging down the system entirely. This issue will be
reconsidered in the future. The OLPC developers have also explicitly
decided to stay out of the content-filtering business.
In summary, the security model developers have this to say:
[W]e believe we've imbued the OLPC security system with cunning and
more magic art than other similar works of craftsmanship -- but not
for a second do we believe we've designed something that cannot be
broken when talented, determined and resourceful attackers go forth
harrying. Indeed, this was not the goal. The goal was to
significantly raise the bar from the current, deeply
unsatisfactory, state of desktop security.
If the implementation lives up to the specification, chances are that the
project will have achieved that goal. The OLPC platform is an ambitious
experiment from beginning to end, and its developers have, once again, not
wasted the opportunity to do something interesting with it. If the
security ideas incorporated into the OLPC systems work out as desired, it
would not be surprising to see at least some of them adopted by other
desktop environments. This could be another case where the OLPC project
creates benefits for a large group of people beyond its immediate target.
Toward the end of his linux.conf.au talk, Andrew Tanenbaum put up a few
slides on the runtime cost of the microkernel approach. He had quite a few
benchmarks, but the bottom line was that the microkernel architecture
used in Minix imposed a roughly 5-10% performance penalty, depending on
what one is trying to do. While operating system hackers would normally
cringe at the prospect of paying a 5% penalty, to many people this could
seem like a good deal: give up 5-10% of a processor which is mostly idle
anyway in exchange for a more reliable system.
In truth, neither the claim of a 5-10% penalty nor that of higher
reliability has been proved in any definitive way. At the conference,
a number of attendees questioned the way in which the benchmarks had been
done, suspecting that Minix had been benchmarked against a monolithic
version of itself. If that is the case, the benchmarks will capture the
context switching costs but will have nothing to say about the costs of the
message-passing architecture. To get a true measure of the penalty of
the microkernel architecture, it was suggested, one should benchmark Minix
against Linux.
As it turns out, the linux.conf.au swag bag contained a CD with Minix 3.1.2a
on it; one might almost think the organizers had this sort of test in mind.
So your editor came home with the intention of installing that version of
Minix and doing a bit of benchmarking. That job has now been done, and we
can talk about how Minix and Linux compare.
Time for a brief digression: once, some years ago, your editor actually
had a spare moment in which to see how nethack was coming along. One must
stay on top of all the important development projects, after all. The
graphics have improved, the game contained more monsters than ever, etc.
But there is an especially amusing moment when one drops into a level and
is informed of a sense of having entered a more primitive place. The
graphics on that level are straight from VAX-era rogue, and the whole
thing feels rough and, well, primitive.
A similar feeling will come over a Linux user who tries to get things done
on a Minix system. It is a POSIX-like environment, and it has a working version
of the X Window system (but don't go in expecting GNOME or KDE), but that's
as far as it goes. The
shell is painful to use, many commands are
missing, and one runs into obstacles on every path. Since Minix
does not really do paging, memory quickly runs out if too many processes
are run; your editor had not seen the old "not enough core" message in
quite some time. One of the harder things to do on Minix, it turns out, is
to build any sort of non-trivial software package - even after figuring out
that the default C compiler is crippled but gcc can be found under
/usr/gnu. As a result, your editor had to give up on most of his
attempts to build current benchmarks; they just would not compile on Minix.
In the end, your editor succeeded in building and running two benchmark
programs: IOtest and UnixBench. Neither seems to be recent enough to have
a currently-maintained web page. IOtest is a disk exerciser, evidently
intended originally as a tool for driver developers. It's
useful for exercising drives in a serious way;
it also produces performance numbers on the side. UnixBench was developed
by Byte in the 1990s, and hasn't seen a whole lot of work since. It
remains, however, a useful way to get a snapshot of the relative speeds of
many operating system functions.
The benchmarks were run on an AMD Athlon 1700 system using an unremarkable
ATA disk. There are three partitions on the disk: one for the operating
system, one for swap (Linux only, since Minix does not support it), and one
for destructive disk tests. The partitioning was not changed between the
installations. Minix does not support partitions larger than 4GB (who
could ever need more than that?) so the disk tests were restricted to 4GB
on both systems. The Minix tests were done on a full installation of Minix
3.1.2a; the Linux side was represented by a late-September
Debian Etch snapshot running a 2.6.17 kernel.
The IOtest read test simply performs random reads of varying sizes,
starting with one process and going up from there. IOtest can run a large
number of competing processes, but your editor limited it to four so as to
avoid running into Minix's memory limitations. For the curious, the full Minix results and Linux results are available. The bottom line
is that the results are nearly comparable: for all practical purposes, the
two systems performed about the same. Similar things can be said about the
results (Minix, Linux) of the read/write test, which are
summarized in the plot to the right (the dashed line represents Minix).
Comparable results would be expected with a benchmark like this, since it
will be dominated by the drive's seek performance. The portion of the disk
being exercised (only 4GB, remember) was not enough to demonstrate a
difference in I/O scheduler implementations. The disk never comes near its
peak I/O rate. So the main conclusion to draw from these results is that
Minix does not get terribly in the way.
The UnixBench results (raw results: Minix, Linux) paint a rather different
picture. These results are summarized in the plot to the left; the upper
bar for each test represents Linux.
The measured system call overhead for Minix is a full ten times
higher than the value for Linux. The file copy tests ran between two and
ten times faster on Linux. Pipe throughput differed by a factor of seven;
Minix was 140 times slower at process creation. The difference in shell
script execution performance, however, was 1.4 - in Minix's favor. One
assumes that the rather simple shell provided by Minix is, at least, faster
than bash.
One can argue that Minix is a new and unfinished system which has not, yet,
had the benefit of a great deal of performance tuning. There is doubtless
some merit to that claim; the Minix folks will probably find a number of
ways to make things faster. On the other hand, it would not be
unreasonable to argue that Linux, by supporting much greater functionality
on a far wider range of hardware, has every right to be slower - but it's
not. Linux is quite a bit faster; the Minix folks certainly ran benchmarks
which showed a 5-10% difference, but they were not benchmarking against
Linux.
Dr. Tanenbaum made the claim that only a computer geek would accept better
performance if that trade brought with it lower reliability. By that
reasoning, it doesn't matter that Minix is much slower than Linux on the
same hardware; Minix is aiming for a different goal. But people do care
about performance; the fact that Dr. Tanenbaum felt the need to put up
benchmark results suggests that he cares too. Trading some performance for
reliability could well be a good deal. When one compares Minix (in its
current state) to Linux, however, the performance difference is large, and
the increased reliability is unproven.
Last week's reader survey drew just about 1000 responses -
approximately 25% of our entire subscriber base. We appreciate the time
you all took to tell us what you think about LWN. Fully digesting the
responses will take some time, but there are a few things which jump out
quickly.
About 90% of those who responded were individual subscribers. As it
happens, almost 25% of LWN subscribers get their access through group
subscriptions, but fewer of them took the time to respond. Perhaps people
on group subscriptions tend to be more busy, or perhaps fewer of them
follow LWN every week. In any case, the opinions of group subscribers
were somewhat underrepresented.
A full 50% of the responses came from Europe, compared to 39% from North
America and 5% from Australia and New Zealand. It has been a while since
we had accurate statistics of where our readers are coming from - the
current LWN server isn't up to the task of recording all that information.
Once upon a time, North Americans and Europeans made up approximately equal
parts of our reader base. It would be interesting if the Europeans have
now pulled ahead.
There were few surprises in the responses on which parts of LWN readers
enjoy the most. It seems maybe we'll have to keep the Kernel Page after
all. Seriously, though, the most interesting result may have been the
relatively low scores given to the weekly Announcements Page. One of the
things we have noticed over the years is that a surprising number of items
from that page end up being mentioned in the annual LWN timeline feature.
Important stuff goes on that page, but it is currently set up as a sort of dumping
ground at the very end of the Weekly Edition. Some changes may be called
for there.
Quite a few readers were surprised to discover the index of kernel articles. The
index was prominently announced on the Kernel Page when it was created, and
it's linked at the top of the kernel
subsection page. But, clearly, it is not easy enough for people to
find.
More generally,
a number of respondents suggested that the time has come for a site
redesign. Trust us, we know that. The current design is mostly unchanged
since its unveiling in June, 2002, but it really dates back to January,
1998, when LWN first hit the net. Our purpose was to create a clean,
easy-to-read, text-oriented site, and the result has served us well for
some time. But it is definitely time to rethink things. That will be a
slow process, however.
Complaining about comment quality has been a popular activity in recent
times, but there was not a great deal of interest in either of the proposed
comment filtering mechanisms. A few readers really do want a blacklisting
capability, though. Instead, there were a number of requests for a
feature which would highlight comments posted to an article since the last
time one looked. Both blacklisting and highlighting (and many other
potential features) run into one practical problem: the single
1300 MHz Duron processor which runs the entire LWN site is already feeling
a little stressed. The more complicated content - weekly edition pages,
long comment trees, etc. - is aggressively pregenerated and cached; adding
per-user rendering would defeat that caching and force those pages to be
rendered on the fly. For various reasons,
upgrading the server involves far more expense than just buying a new box.
The day when we have to make that leap is coming, though.
There was a suggestion that the entire LWN archive be closed to
non-subscribers. That is not a step we expect to take. Closing the
archive would make LWN disappear from the net for all practical purposes,
with little in the way of expected benefit. It is also very much our goal
to increase the amount of useful information available to the community as
a whole, and that runs counter to the idea of a closed archive.
For those who called for more Grumpy Editor articles:
you have been heard. Those articles are a lot of work, and times have been
busy, which is why they have been relatively scarce recently. There
are a couple of topics queued up, however, so expect the Grumpy Editor to
make another appearance here before too long.
In summary: the information you have provided is useful - we are most
grateful. We will be looking at it closely as we ponder changes to LWN to
help make it more successful in the future. What will not change, however,
is our commitment to high-quality writing and high-quality coverage of the
Linux and free software community from within.
Page editor: Jonathan Corbet
Security
February 7, 2007
This article was contributed by Jake Edge.
Complaints about SELinux often center around its overall complexity and
the difficulty in developing policies for applications that run on the
system. The SELinux Policy IDE (SLIDE) is an Eclipse plug-in that provides
a framework for developing and testing policies that should help reduce
some of these problems.
SELinux is a security framework that uses the Linux Security Module (LSM)
kernel interface to implement a mandatory access control (MAC) mechanism.
MAC controls the capabilities that a particular process can have based on
the policies installed by the administrator. Those policies govern much
more than traditional UNIX-style permissions and for that reason can be
difficult to generate and especially to test. Readers of this page will
remember an overview that covers a bit more detail about SELinux internals.
SLIDE is an effort to ease the process of developing policies with an
eye towards applications and daemons that have policy support.
To do that, it uses the popular Eclipse integrated development
environment (IDE) as a way to organize and control policy development.
It provides all of the expected capabilities within Eclipse: syntax
highlighting, auto-completion, integrated searching, etc. One of the
biggest hurdles that developers face is keeping track of the various
interfaces, types, roles, and modules and how they interact; SLIDE
organizes and indexes them, along with their comments, and makes that
available in a nice GUI.
The testing features are particularly useful; one can set up a remote
machine (or local virtual machine) that can accept policy updates from
SLIDE. Once the updates have been accepted, various tests can be kicked
off on the remote machine and the audit log can be monitored to determine
whether the policies covered all of the required resources. If not, the
policy can be modified in SLIDE, pushed out to the remote machine and tested
again.
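The test loop described above, watching the audit log for denials that show which resources the policy has not yet covered, can be scripted; the following Python is an added example (not part of SLIDE or of Tresys's tools) that parses AVC records and groups the denials into candidate allow rules for review. The log lines, the myd_t domain, the comm name and the port number are constructed for the example.

```python
"""Turn AVC denials from an audit log into candidate allow rules (added example)."""
import re
from collections import defaultdict

# Constructed sample records in the kernel's AVC message format.  The myd_t
# domain, the "myd" process and port 8081 are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1170806400.101:41): avc:  denied  { read } for  pid=2101 comm="myd" name="myd.conf" dev=sda1 ino=5123 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1170806400.102:42): avc:  denied  { open } for  pid=2101 comm="myd" name="myd.conf" dev=sda1 ino=5123 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1170806400.150:43): avc:  denied  { name_bind } for  pid=2101 comm="myd" src=8081 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1170806400.200:44): avc:  granted  { read } for  pid=2101 comm="myd" name="passwd" dev=sda1 ino=77 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1170806400.101:41): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: verdict, the permission set in braces, then the source and
# target security contexts and the object class the check was made against.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, class, permission) for each AVC denial.

    Granted records and non-AVC records (SYSCALL, etc.) are skipped; a record
    that names several permissions in its braces yields one tuple per permission.
    """
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield (stype, ttype, m.group("tclass"), perm)


def missing_allow_rules(log_text):
    """Group denials by (source, target, class) into candidate allow statements.

    Output is sorted so two runs over the same log compare cleanly; the rules
    are candidates for a policy developer to review, not something to apply blindly.
    """
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules


if __name__ == "__main__":
    for rule in missing_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

A candidate rule is a starting point, not a fix: a denial against a generic type such as port_t usually means the resource needs its own label (a dedicated port type) rather than a blanket allow.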
SLIDE is a project of Tresys Technology, which has released it under the
GPL. It does not appear to have attracted much of a development community,
at least not yet, and the SourceForge project page has not been updated in
quite some time. The documentation and trac site provided by Tresys are
excellent. Perhaps the SourceForge
project was an attempt to enlist community aid which did not attract the
level of interest that they might have hoped for. It is a fairly esoteric
subject that does not cause too many open source developers to itch. Many
of those developers, perhaps, simply turn SELinux off.
As with most complex tools, SLIDE will not be terribly helpful to those who
know little about SELinux policies. It has a steep learning curve even if
you have a bit of that background, but for experts it is probably quite
intuitive. For those reasons, it probably will not help other projects
to generate policies for their software. In order to foster more
applications with SELinux policies, it is likely that experts in policy
development will have to join forces with these other projects to produce
and maintain the policies. Using SLIDE will likely speed up that process and
it is a welcome addition to a fairly sparse toolkit.
New vulnerabilities
bcfg2: local password disclosure
| Package(s): | bcfg2 |
| CVE #(s): | |
| Created: | February 1, 2007 |
| Updated: | February 7, 2007 |
| Description: | The bcfg2 configuration file has incorrect permissions; this can be used for a local password disclosure to unprivileged users. |
gd: buffer overflow
| Package(s): | gd |
| CVE #(s): | CVE-2007-0455 |
| Created: | February 7, 2007 |
| Updated: | November 18, 2009 |
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
| CVE #(s): | CVE-2007-0537 |
| Created: | February 5, 2007 |
| Updated: | August 13, 2007 |
| Description: | Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478. |
mpg123: denial of service
| Package(s): | mpg123 |
| CVE #(s): | CVE-2007-0578 |
| Created: | February 5, 2007 |
| Updated: | February 7, 2007 |
| Description: | The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early. |
postgresql: insufficient verification
| Package(s): | postgresql |
| CVE #(s): | CVE-2007-0555, CVE-2007-0556 |
| Created: | February 5, 2007 |
| Updated: | March 19, 2007 |
| Description: | PostgreSQL has two vulnerabilities that allow an authenticated attacker with the permissions to run arbitrary SQL to launch a denial-of-service attack or possibly read out random chunks of memory. Since the attacks require authenticated access, the security hole is only considered medium risk. See the announcement for additional information. |
samba: several vulnerabilities
thttpd: remote file access
| Package(s): | thttpd |
| CVE #(s): | |
| Created: | February 1, 2007 |
| Updated: | February 7, 2007 |
| Description: | The start-stop-daemon command from thttpd performs a chdir to /; this allows all files that are readable by the thttpd process to be remotely accessed by unauthenticated users. |
wireshark: multiple vulnerabilities
Updated vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2006-5857, CVE-2007-0045, CVE-2007-0046 |
| Created: | January 11, 2007 |
| Updated: | October 26, 2009 |
| Description: | Adobe's Acrobat Reader has the following vulnerabilities. The Adobe Reader plugin has a cross-site scripting vulnerability that can be triggered by processing malformed URLs; arbitrary JavaScript can be served by a malicious web server, leading to a cross-site scripting attack. Maliciously crafted PDF files can be used to trigger two vulnerabilities; if an attacker can trick a user into viewing the files, arbitrary code can be executed with the user's privileges. |
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2006-4095, CVE-2006-4096 |
| Created: | September 7, 2006 |
| Updated: | February 1, 2007 |
| Description: | Bind has two denial of service vulnerabilities. Recursive server queries for SIG records will trigger an assertion failure if more than one RR set is returned. An INSIST failure can be triggered by sending a large number of recursive queries. |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2007-0493, CVE-2007-0494 |
| Created: | January 26, 2007 |
| Updated: | March 14, 2007 |
| Description: | The bind package is vulnerable to two remote denial of service attacks in which attackers can cause the bind daemon to crash or exit unexpectedly by providing malformed data to the daemon in a DNS request. |
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
| CVE #(s): | CVE-2006-6899 |
| Created: | January 16, 2007 |
| Updated: | May 14, 2007 |
| Description: | hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the Mouse and Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: | Bugzilla has the following vulnerabilities: input data passed to various fields is not properly sanitized before being passed back to users; users can gain unauthorized access to read attachment descriptions while using diff mode; HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification; input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2006-4262 |
| Created: | October 2, 2006 |
| Updated: | June 16, 2009 |
| Description: | Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 19, 2009 |
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. |
cvstrac: denial of service
| Package(s): | cvstrac |
| CVE #(s): | CVE-2007-0347 |
| Created: | January 29, 2007 |
| Updated: | January 31, 2007 |
| Description: | Ralf S. Engelschall from OpenPKG GmbH discovered a denial of service (DoS) vulnerability in the CVS/Subversion/Git Version Control System (VCS) frontend CVSTrac, version 2.0.0. |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
dbus: denial of service
| Package(s): | dbus |
| CVE #(s): | CVE-2006-6107 |
| Created: | December 15, 2006 |
| Updated: | February 12, 2007 |
| Description: | Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). |
| Alerts: | |
Comments (none posted)
dovecot: index cache file handling error
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-5973 |
| Created: | November 29, 2006 |
| Updated: | May 8, 2007 |
| Description: | The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
| Alerts: | |
Comments (none posted)
elinks: arbitrary file access
| Package(s): | elinks |
| CVE #(s): | CVE-2006-5925 |
| Created: | November 16, 2006 |
| Updated: | October 22, 2009 |
| Description: | The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions. |
| Alerts: | |
Comments (none posted)
fetchmail: password disclosure and DOS
| Package(s): | fetchmail |
| CVE #(s): | CVE-2006-5867, CVE-2006-5974 |
| Created: | January 10, 2007 |
| Updated: | March 16, 2007 |
| Description: | Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory). |
| Alerts: | |
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: | The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (2 posted)
Mozilla stuff: multiple vulnerabilities
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
| Alerts: | |
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | June 1, 2010 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. |
| Alerts: | |
Comments (none posted)
ftpd: privilege escalation
| Package(s): | ftpd |
| CVE #(s): | CVE-2006-5778 |
| Created: | November 10, 2006 |
| Updated: | February 14, 2007 |
| Description: | Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories. |
| Alerts: | |
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: | |
Comments (none posted)
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. |
| Alerts: | |
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
| Alerts: | |
Comments (1 posted)
gnupg: stack overwrite
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6235 |
| Created: | December 12, 2006 |
| Updated: | March 13, 2007 |
| Description: | A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory. |
| Alerts: | |
Comments (3 posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
gtk2: denial of service
| Package(s): | gtk2 |
| CVE #(s): | CVE-2007-0010 |
| Created: | January 24, 2007 |
| Updated: | February 8, 2007 |
| Description: | From the Red Hat advisory: A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file. |
| Alerts: | |
Comments (1 posted)
gv: stack-based buffer overflow
| Package(s): | gv |
| CVE #(s): | CVE-2006-5864 |
| Created: | November 20, 2006 |
| Updated: | April 9, 2007 |
| Description: | Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: | |
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | January 20, 2010 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. Tavis Ormandy of the Google Security Team also discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
| CVE #(s): | CVE-2006-6175 |
| Created: | January 17, 2007 |
| Updated: | March 7, 2008 |
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). |
| Alerts: | |
Comments (none posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-5868 |
| Created: | November 28, 2006 |
| Updated: | February 16, 2007 |
| Description: | Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: | Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: | |
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
| CVE #(s): | CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745 |
| Created: | January 18, 2007 |
| Updated: | June 4, 2010 |
| Description: | Java has multiple vulnerabilities, including: an RSA exponent padding attack vulnerability, two vulnerabilities which allow untrusted applets to access data in other applets, vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE, and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files. |
| Alerts: | |
Comments (1 posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: | The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kdenetwork: denial of service
| Package(s): | kdenetwork |
| CVE #(s): | CVE-2006-6811 |
| Created: | January 11, 2007 |
| Updated: | February 1, 2007 |
| Description: | The KsIRC 1.3.12 utility in kdenetwork is vulnerable to a remote denial of service attack that can be caused by a malicious IRC server sending a long PRIVMSG string. This causes an assertion failure and an associated NULL pointer dereference. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | January 5, 2009 |
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538) |
| Alerts: | |
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5757 |
| Created: | November 13, 2006 |
| Updated: | November 14, 2007 |
| Description: | From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")." |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5749, CVE-2006-4814, CVE-2006-6106 |
| Created: | January 5, 2007 |
| Updated: | January 8, 2009 |
| Description: | A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c, as the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function. The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. Another vulnerability has been reported in the Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain kernel data structures. |
| Alerts: | |
Comments (none posted)
koffice: integer overflow
| Package(s): | koffice |
| CVE #(s): | CVE-2006-6120 |
| Created: | November 30, 2006 |
| Updated: | February 20, 2007 |
| Description: | The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
krb5: uninitialized pointers
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-6143, CVE-2006-3084 |
| Created: | January 10, 2007 |
| Updated: | July 7, 2010 |
| Description: | The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details. |
| Alerts: | |
Comments (1 posted)
krb5: local privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-3083 |
| Created: | August 9, 2006 |
| Updated: | July 7, 2010 |
| Description: | Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: | |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it leads to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgtop2: buffer overflow
| Package(s): | libgtop2 |
| CVE #(s): | CVE-2007-0235 |
| Created: | January 15, 2007 |
| Updated: | August 9, 2007 |
| Description: | The /proc parsing routines in libgtop are vulnerable to a buffer overflow. If an attacker can run a process in a specially crafted long path, then trick a user into running gnome-system-monitor, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
| CVE #(s): | CVE-2006-4192 |
| Created: | December 11, 2006 |
| Updated: | May 4, 2011 |
| Description: | Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp. A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application. |
| Alerts: | |
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | December 15, 2008 |
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. |
| Alerts: | |
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-0481 |
| Created: | February 13, 2006 |
| Updated: | December 15, 2008 |
| Description: | A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. |
| Alerts: | |
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: | LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server. |
| Alerts: | |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
| CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 |
| Updated: | September 14, 2009 |
| Description: | An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. |
| Alerts: | |
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
| CVE #(s): | CVE-2006-3469 |
| Created: | July 21, 2006 |
| Updated: | July 30, 2008 |
| Description: | Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server. |
| Alerts: | |
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
| CVE #(s): | CVE-2006-4031, CVE-2006-4226 |
| Created: | August 25, 2006 |
| Updated: | July 30, 2008 |
| Description: | MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031). MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). |
| Alerts: | |
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: | |
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
| CVE #(s): | CVE-2005-3534 |
| Created: | January 6, 2006 |
| Updated: | March 7, 2011 |
| Description: | Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges. |
| Alerts: | |
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
| CVE #(s): | CVE-2006-1168 |
| Created: | August 10, 2006 |
| Updated: | February 21, 2012 |
| Description: | The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow. |
| Alerts: | |
Comments (none posted)
openldap: security bypass
| Package(s): | openldap |
| CVE #(s): | CVE-2006-4600 |
| Created: | September 29, 2006 |
| Updated: | June 12, 2007 |
| Description: | slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). |
| Alerts: | |
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4925, CVE-2006-5052 |
| Created: | October 6, 2006 |
| Updated: | November 15, 2007 |
| Description: | packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL. An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: | |
Comments (none posted)
openssh: privilege separation issue
| Package(s): | openssh |
| CVE #(s): | CVE-2006-5794 |
| Created: | November 8, 2006 |
| Updated: | April 5, 2007 |
| Description: | From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities." |
| Alerts: | |
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4924, CVE-2006-5051 |
| Created: | September 27, 2006 |
| Updated: | September 17, 2008 |
| Description: | OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler and, on portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. |
| Alerts: | |
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-4481, CVE-2006-4484, CVE-2006-4485 |
| Created: | September 8, 2006 |
| Updated: | June 13, 2008 |
| Description: | The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481). A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484). The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: | |
Comments (1 posted)
php: buffer overflows
| Package(s): | php |
| CVE #(s): | CVE-2006-5465 |
| Created: | November 3, 2006 |
| Updated: | January 18, 2010 |
| Description: | The Hardened-PHP Project discovered buffer overflows in PHP's internal htmlentities/htmlspecialchars routines. Of course, the whole purpose of these functions is to be filled with user input. (The overflow can only occur when UTF-8 is used.) |
| Alerts: | |
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
| CVE #(s): | CVE-2006-1896 |
| Created: | May 22, 2006 |
| Updated: | February 11, 2008 |
| Description: | It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users. |
| Alerts: | |
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
| CVE #(s): | CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537 |
| Created: | December 22, 2005 |
| Updated: | February 11, 2008 |
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. |
| Alerts: | |
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
| CVE #(s): | CVE-2006-2313, CVE-2006-2314 |
| Created: | May 24, 2006 |
| Updated: | June 6, 2007 |
| Description: | The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash. |
| Alerts: | |
Comments (1 posted)
proftpd: stack-based buffer overflow
| Package(s): | proftpd |
| CVE #(s): | CVE-2006-6563 |
| Created: | December 18, 2006 |
| Updated: | February 14, 2007 |
| Description: | A vulnerability exists in the FTP server ProFTPD, versions up to and including 1.3.0a. The vulnerability is caused by a stack-based buffer overflow in the "pr_ctrls_recv_request" function of the "Controls" feature. This is an optional feature of the ProFTPD server which is by default disabled in OpenPKG and probably other distributions. |
| Alerts: | |
Comments (1 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
| CVE #(s): | CVE-2006-2236 |
| Created: | May 10, 2006 |
| Updated: | January 12, 2009 |
| Description: | Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: | |
Comments (none posted)
rmake: privilege escalation
| Package(s): | rmake |
| CVE #(s): | CVE-2007-0536, CVE-2007-0557 |
| Created: | January 26, 2007 |
| Updated: | January 31, 2007 |
| Description: | Rmake prior to version 1.0.3-2-0.1 does not drop supplemental users in the changeroot environment for builds. This provides malicious packages with excess permissions that are configuration-dependent, and may allow local users to run arbitrary code as the root user. |
| Alerts: | |
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
| CVE #(s): | CVE-2006-5466 |
| Created: | November 6, 2006 |
| Updated: | August 28, 2007 |
| Description: | An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
| CVE #(s): | CVE-2006-1174 |
| Created: | May 25, 2006 |
| Updated: | June 12, 2007 |
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. |
| Alerts: | |
Comments (none posted)
squirrelmail: multiple cross-site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2006-6142 |
| Created: | December 11, 2006 |
| Updated: | January 31, 2007 |
| Description: | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the mailto parameter in webmail.php, the session and delete_draft parameters in compose.php, and unspecified vectors involving "a shortcoming in the magicHTML filter." |
| Alerts: | |
Comments (none posted)
ulogd: buffer overflow
Package(s): ulogd
CVE #(s): CVE-2007-0460
Created: January 29, 2007
Updated: March 19, 2007
Description: A buffer overflow in ulogd has an unknown impact and attack vectors related to "improper string length calculations."
Alerts:
Comments (none posted)
unzip: long file name buffer overflow
Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Comments (1 posted)
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Comments (1 posted)
xine: format string vulnerabilities
Package(s): xine
CVE #(s): CVE-2007-0017
Created: January 23, 2007
Updated: August 10, 2007
Description: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Alerts:
Comments (none posted)
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-6172
Created: December 5, 2006
Updated: June 5, 2007
Description: A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user's privileges.
Alerts:
Comments (none posted)
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-1664
Created: April 27, 2006
Updated: February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Comments (none posted)
xinit: race condition
Package(s): xinit
CVE #(s): CVE-2006-5214
Created: October 17, 2006
Updated: August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Comments (1 posted)
X.org: local privilege escalations
Package(s): xorg-x11
CVE #(s): CVE-2006-4447
Created: August 28, 2006
Updated: April 30, 2007
Description: Several X.org libraries, and the X.org server itself, call the set*uid() functions without checking their result. Local users could deliberately exceed their assigned resource limits so that such a call fails, leaving the process with its elevated privileges, and then elevate their own. This requires resource limits to be enabled on the machine.
Alerts:
Comments (none posted)
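The rmake entry above (supplementary groups left in place) and this one (set*uid() results ignored) are failures in the same short sequence of privilege-dropping calls, so one example covers both. What follows is an added example, not X.org or rMake code, showing the unchecked form beside a checked one that also verifies the drop took effect; the function names, and the fallback uid/gid of 65534 used when the caller happens to be root, are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Added example, not X.org or rMake code.  Two points from the entries above:
 * every set*uid()/set*gid() result must be checked, because a local user who
 * has pushed the target uid to its RLIMIT_NPROC ceiling can make setuid()
 * fail with EAGAIN and a program that ignores that keeps running as root; and
 * supplementary groups must be dropped explicitly, because setuid() and
 * setgid() leave them untouched.
 */

/* Hazard pattern as described in the X.org entry: return values ignored.
 * With _FORTIFY_SOURCE glibc marks these calls warn_unused_result and gcc
 * reports it even through the (void) casts; that warning is the fix's hint. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);   /* may fail with EPERM, and nothing notices */
    (void)setuid(uid);   /* may fail with EAGAIN on RLIMIT_NPROC: still root */
}

/* Returns 0 on success, -1 with errno set if any step failed or did not take effect. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* only root may clear the list */
        return -1;
    if (setgid(gid) < 0)           /* order matters: gid while still root */
        return -1;
    if (setuid(uid) < 0)
        return -1;

    /* Belt and braces: the ids must read back exactly as requested ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and for a non-root target, root must be unrecoverable. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Worked run: drops to the invoking user's own ids, or to 65534 (assumed to
 * be "nobody") if this process is root. */
int drop_privileges_example(void)
{
    uid_t uid = getuid() != 0 ? getuid() : 65534;
    gid_t gid = getgid() != 0 ? getgid() : 65534;
    return drop_privileges(uid, gid);
}

int main(void)
{
    if (drop_privileges_example() < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld, privileges dropped and verified\n", (long)geteuid());
    return 0;
}
```

The final setuid(0) probe is the check that catches the resource-limit case directly: a failed drop that went unnoticed shows up as a successful return to root, which the caller now treats as a fatal error rather than as business as usual.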
X.org: integer overflows
Package(s): xorg, xorg-server
CVE #(s): CVE-2006-6101, CVE-2006-6102, CVE-2006-6103
Created: January 10, 2007
Updated: March 8, 2007
Description: A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details.
Alerts:
Comments (none posted)
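The alloca() remark deserves a concrete illustration. The following added example, not X.org server code, shows the arithmetic that goes wrong when a client-supplied 32-bit element count is multiplied in 32-bit arithmetic, beside an overflow-checked version that also bounds the result and keeps the temporary off the stack altogether. The element size, the 1 MiB ceiling and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not X.org server code.  A request carries a 32-bit element
 * count from the client; the server computes count * element_size in the
 * same width, and the product wraps to a small number.  alloca() then
 * reserves a tiny stack buffer, and the copy loop, which still trusts count,
 * runs far past it into saved registers and the return address.  The fixed
 * form checks the multiplication, applies an explicit ceiling, and allocates
 * on the heap so a hostile count can never reach the stack.
 */

/* Constructed size computation in 32-bit arithmetic, as a buggy server might do. */
uint32_t request_bytes_wrapping(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* wraps silently: 0x40000001 * 4 == 4 */
}

/* Overflow-checked form: returns 0 and stores the size, or -1 on overflow or excess. */
int request_bytes_checked(uint32_t count, uint32_t elem_size, size_t limit, size_t *out)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)count, (size_t)elem_size, &bytes))
        return -1;
    if (bytes > limit)          /* on 64-bit hosts the product fits; the ceiling still matters */
        return -1;
    *out = bytes;
    return 0;
}

/* Copies `count` 32-bit words from a client buffer into a temporary and
 * returns their sum, or -1 if the request is rejected.  No alloca(): the
 * temporary is heap-allocated under the checked size. */
long sum_words_safe(const uint32_t *client, uint32_t count)
{
    size_t bytes;
    if (request_bytes_checked(count, sizeof(uint32_t), (size_t)1 << 20, &bytes))
        return -1;
    uint32_t *tmp = malloc(bytes ? bytes : 1);
    if (!tmp)
        return -1;
    memcpy(tmp, client, bytes);
    long sum = 0;
    for (uint32_t i = 0; i < count; i++)
        sum += tmp[i];
    free(tmp);
    return sum;
}

int main(void)
{
    uint32_t words[] = { 1, 2, 3, 4 };   /* constructed client data */
    size_t n;
    printf("wrapping size for count 0x40000001: %u bytes\n",
           request_bytes_wrapping(0x40000001u, 4));
    printf("checked size for count 0x40000001: %s\n",
           request_bytes_checked(0x40000001u, 4, (size_t)1 << 20, &n) ? "rejected" : "accepted");
    printf("sum of 4 words: %ld\n", sum_words_safe(words, 4));
    return 0;
}
```

The wrapped value of 4 is what makes the alloca() variant so convenient for an attacker: the stack reservation is four bytes, the loop bound is a billion, and the server has no further check between the two.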
xpdf: buffer overflow
Package(s): xpdf
CVE #(s): CAN-2005-0064
Created: January 19, 2005
Updated: March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Comments (1 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel is 2.6.20,
released by Linus on
February 4, otherwise known as Super Kernel Sunday. There's a bunch
of new stuff in 2.6.20, including
paravirt_ops and KVM, lots of
new drivers (including your editor's OLPC camera controller driver), the
UDP-Lite
protocol, Playstation 3 support, and more. See
the short-form changelog for details, the
long-format
changelog for more details, the
LWN
2.6 API changes page for a summary of internal API differences, or the
KernelNewbies Linux Changes
page for lots more information.
The patches for the 2.6.21 merge have just begun to find their way into the
mainline git repository as of this writing. A number of architecture
updates have been merged, along with a GFS2 patch set.
There have been no -mm tree releases over the last week.
For older kernels: 2.6.19.3 was released on
February 5. It contains quite a long list of fixes. The -stable team
had originally intended not to release any more 2.6.18 updates. It seems
that there are some fixes for that kernel which are worth distributing,
however, so one more 2.6.18.x release can be expected in the near future.
Adrian Bunk has released 2.6.16.40-rc1 with a relatively
small number of fixes.
For 2.4 users, Willy Tarreau has released 2.4.34.1 with only three
patches.
Comments (3 posted)
Kernel development news
Pretty simple: you read the largely-useless changelog then call the
bravely uncommented blk_plug_current() when you're about to submit
some IO and you call the audaciously uncommented
blk_unplug_current() when you've finished and you're ready to let
it rip.
-- Andrew Morton
Comments (none posted)
Last week's article on
fibrils caught the discussion in a relatively early state. That
discussion is
still in an early state, but some interesting ground
has been covered. Here, we'll catch up on a few themes from that
conversation.
Alan Cox has requested that the "fibril" name
be dumped:
The constructs Zach is using appear to be identical to co-routines,
and they've been called that in computer science literature for
fifty years. They are one of the great and somehow forgotten ideas.
Alan also points out that a number of hazards lie between the current state
of the fibril patch and anything robust enough for the mainline kernel -
but everybody involved already knew that. Linus acknowledges the similarities with coroutines,
but also maintains that they are sufficiently different to merit their own
name. A full coroutine implementation in the kernel, he says, would be
impractical.
Linus has also responded to Ingo Molnar's
criticisms of the fibril concept. He maintains that the real benefits to
fibrils are (1) the elimination of the separate code paths currently
associated with asynchronous I/O, and (2) reductions in setup and
teardown costs. The latter is significant, he says, because the bulk of
asynchronous operations can actually be satisfied from cache; being able to
run those operations without going through the full AIO setup would be a
big win.
Ingo has clarified his comments somewhat. The stumbling point seems to be
the addition of a new scheduling concept which, he thinks, is not
necessary. He has proposed alternatives which take the form of a pool of
kernel threads; rather than create a fibril, a blocking system call could
simply switch to another kernel thread which is there waiting for just that
occasion. Ingo believes that kernel threads
perform well enough to handle this task, and they could be made lighter; in
addition, the use of kernel threads would allow asynchronous calls to
spread across a multi-CPU system. Fibrils, instead, are currently limited to a
single processor. Zach Brown, the creator of the fibril patchset, seems to
think that the idea is at least worth a try. Linus, instead, has said that any adaptation of kernel threads to
this task would end up looking a lot like fibrils anyway. Rather than bear
the expense of keeping a (potentially large) pool of kernel threads around,
one might as well just create a truly lightweight object - a fibril.
Some discussion of the eventual user-space API has occurred. Linus has suggested that the asynchronous submission
call look something like this:
long async_submit(unsigned long flags, long *result_pointer,
long syscall_number, unsigned long *args);
The role of the flags argument has not really been discussed; one
just assumes such an argument will be necessary, sooner or later. The
result_pointer argument tells the kernel where to put the result
of the operation. Interestingly, the result code would follow the
in-kernel conventions: zero for success or a negative error code for
failure. While the operation is outstanding, the kernel would store a
positive "cookie" value which could be used by the application to wait for
(or cancel) the call.
The wait_for_async() system call remains for applications wanting
to get the completion status of their asynchronous operations. There have
been a couple of requests, however, for a mechanism by which applications
could obtain completion status without having to go back into the kernel.
That inspired David Miller to complain
about a big part of the conversation which is not happening: the
integration with the kevent
patches. Much of the kevent work has been aimed at solving just this
problem, but Evgeniy Polyakov continues to have trouble getting people to
look at it. To a great extent, wait_for_async() is another event
interface. It seems unlikely that the kernel needs two of them.
What does all this work bode for the existing asynchronous I/O interface,
and, in particular, the buffered
filesystem AIO patches which have not yet been merged? Seeking to fend
off doubt about the future of that interface, Suparna Bhattacharya has argued that the buffered AIO patches should still
be merged:
Since this is going to be a new interface, not the existing linux
AIO interface, I do not see any conflict between the two. Samba4
already uses fsaio, and we now have the ability to do POSIX AIO
over kernel AIO (which depends on fsaio). The more we delay real
world usage the longer we take to learn about the application
patterns that matter. And it is those patterns that are key.
Decision time will be soon, since the buffered AIO patches seem to be ready
for merging into 2.6.21. Over the next couple of weeks, somebody will have
to decide whether to merge those patches - and maintain them indefinitely -
or hold off with the idea that fibrils will evolve into the preferred
solution.
Finally, Bert Hubert noted that DragonFly
BSD had an asynchronous system call interface - until last July, when the
developers pulled it out. DragonFly had created two system calls -
sendsys2() and waitsys2() - which split up the tasks of
initiating a system call and waiting for its completion. A followup suggests that DragonFly BSD had taken
a different approach, requiring that every system call have asynchronous
support built into it. In that sense, their asynchronous interface looked
like a more general version of Linux AIO.
Pushing asynchronous support down into system calls, filesystems, and
device drivers brings a lot of complexity; the slow progress of Linux AIO
illustrates just how hard it can be. One of the major advantages of the
fibril idea is that (with few exceptions) the system calls do not have to
be changed; they do not need to be aware of asynchronous operation at all.
The ability to pull asynchronous support into a relatively small chunk of
core kernel code may be the key idea that sells the entire fibril concept.
Comments (3 posted)
Once upon a time, the ability to download, compile, and install a new
kernel was a vital skill for any Linux system administrator. That skill is
less in demand now; the kernels shipped with most distributions tend to be
adequate for most needs. Still, there comes a time, even for those who do
not hack on the kernel itself, when a system needs a custom kernel. Many
system administration books devote a bit of space to this task, but they
tend to pass over it fairly quickly. Configuring, building, and installing
a kernel remains a relatively dark art for many.
Kernel hacker Greg Kroah-Hartman decided to do something about it; the
result is Linux Kernel in a Nutshell, published by O'Reilly. By the
standards of other kernel books from that publisher, this is a thin volume
indeed: just over 180 pages, including the index. But it is packed with
information that should be useful to just about anybody who has to deal
with the kernels on their systems.
The early chapters cover some of the basics: what tools are required, where
to get the kernel source, etc. There is a chapter on the various ways of
configuring a kernel. Your editor remembers the days of configuring
kernels by stepping through the entire "make config" process; it's nice to
see Greg recommending against that approach now. The build process is
discussed, as are the necessary steps for installing the kernel once it's
built.
The second major part of the book discusses customizations - in particular,
enabling support for a device. The process for determining which driver
should be enabled for a specific device is distressingly hairy; it involves
listing out the PCI bus configuration, digging through sysfs, then trying
to find a match in the kernel source. It's not for nothing that Greg says:
The easiest way to figure out which driver controls a new device is
to build all of the different drivers of that type in the kernel
source tree as modules, and let the udev startup process match the
driver to the device.
As they say, there really should be a better way. But one can't fault Greg
for telling it like it is.
Next there is a set of "kernel configuration recipes" for enabling specific
behavior. The advice here is terse, sometimes to a fault. The discussion
on enabling kernel preemption, for example, could have benefited from a
mention of the reliability concerns which have kept most distributors from
turning preemption on. Similarly, it talks about how to enable SELinux with
no mention of the need for an accompanying policy loaded from user space.
The audience for this book seems likely to include quite a few people from
the "know just enough to hurt themselves" population; a few more hints
might have proved most helpful to those readers.
The final section, making up almost half of the book, is devoted to
reference material. There is an extensive list of kernel command line
parameters and what they do - though the treatment is, once again, terse.
There is a useful chapter on the various make targets and options
for the kernel; somehow your editor had managed to avoid learning about
make randconfig until now. There is also a reference chapter
for configuration options. This chapter is incomplete, however, and the
options do not appear to be listed in any particular order.
Minor grumbles aside, there is value in this book's conciseness. When
faced with a question about kernel configuring, building, or booting, this
book is likely to yield an answer without forcing the reader to search for
a needle in an 800-page haystack. It covers an area which was very much in
need of some improved documentation; it is also reasonably up to date,
having been written for the 2.6.18 kernel. Happily, Greg has
made the book available online.
Overall, Linux Kernel in a Nutshell is a more than welcome addition
to your editor's bookshelf.
Comments (2 posted)
February 5, 2007
This article was contributed by Paul McKenney
Read-copy update (RCU) is a synchronization API that is sometimes used
in place of reader-writer locks. RCU's read-side primitives offer
extremely low overhead and deterministic execution time.
These properties imply that RCU updaters cannot block RCU readers,
which means that RCU updates can be expensive, as they must leave
old versions of the data structure in place to accommodate pre-existing
readers.
Furthermore, these old versions must be reclaimed after all pre-existing
readers complete.
The Linux kernel offers a number of RCU implementations, the first
such implementation being called "Classic RCU".
The RCU implementation for the -rt patchset is unusual in that
it permits read-side critical
sections to be blocked waiting for locks and due to preemption.
If these critical sections are blocked for too long,
grace periods will be stalled,
and the amount of memory awaiting the end of a grace
period will continually increase, eventually resulting
in an out-of-memory condition.
This theoretical possibility was apparent from the start,
but when Trevor Woerner actually made it happen, it was
clear that something needed to be done.
Because priority boosting is used in locking, it seemed natural to
apply it to realtime RCU.
Unfortunately, the priority-boosting algorithm used for locking
could not be applied straightforwardly to RCU because this
algorithm uses locking, and the whole point of RCU is to
avoid common-case use of such heavy-weight operations
in read-side primitives.
In fact, RCU's read-side primitives need to avoid common-case
use of all
heavyweight operations, including atomic instructions,
memory barriers, and cache misses.
Therefore, bringing priority boosting to RCU turned out to
be rather challenging, not because the eventual solution is
all that complicated, but rather due to the large number of
seductive but subtly wrong almost-solutions.
This document describes a way of providing light-weight
priority boosting to RCU, and also describes several of the
seductive but subtly wrong almost-solutions.
Approaches
This paper describes three approaches to priority-boosting blocked RCU
read-side critical sections.
The first approach minimizes scheduler-path overhead and uses locking
on non-fastpaths to decrease complexity.
The second approach is similar to the first, and was in fact a
higher-complexity intermediate point on the path to the first approach.
The third approach uses a per-task lock solely for its priority-inheritance
properties, which introduces the overhead of acquiring this lock into
the scheduler path, but avoids adding an "RCU boost" component to the
priority calculations.
Unfortunately, this third approach also cannot be made to reliably
boost tasks blocked in RCU read-side critical sections, so the first
approach should be used to the exclusion of the other two.
Each of these approaches is described in a following section,
after which is a section enumerating other roads not taken.
[ Editor's note: this article is long - but worth the read. Please
go to the full article text
to learn more about this technique.]
Comments (2 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Janitorial
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
February 7, 2007
This article was contributed by Joey Schulze
The idea of a "Social Committee" came up during a private discussion.
With about 1,000 active developers the Debian project has grown to a size
where a lot of problems are expected to happen. As an international
project, Debian people originate from different countries and have
different social backgrounds which may contribute to some problems.
Josip Rodin proposed
to establish a "Social Committee" within the Debian project, a term Andreas
Tille coined. Such a committee would try to resolve or mitigate conflicts
between various members of the Debian project which are not of a technical
matter. For the latter, the "Technical Committee" has developed the Debian
policy manual.
According to Josip, the mere existence of such a committee would already
indicate a major change in the thinking of Debian developers. In fact,
many developers have evolved into strong personalities. It's good to have
self-confident people maintain important packages and infrastructure, but
it is not always helpful when dealing with different opinions or even
conflicts.
Social conflicts could emerge when two developers get in dispute over a bug
report or a discussion and don't seem to accept the other person's opinion.
On mailing lists, a participant could demonstrate difficult behavior when
communicating with other people. This could be a situation where mitigation
is required. When teams inside the Debian project cause non-technical
problems with other groups, or with the general developer body, the "Social
Committee" could be called for help.
Josip outlined how such a committee could work. First, it would have to agree
on its own charter, similar to other groups within the Debian project.
Once established, the committee would become active only upon request by
other developers or mailing list participants, just like the Technical Committee.
The social committee would delegate certain tasks such as monitoring mailing lists and teams
inside the project. The developers acting as delegates would have a bit
more authority to talk about problems than the average member of the groups
they're sent to. However, they may need to earn this authority or respect
first, by monitoring the discussions and ensuring that all problems are
addressed and no complaints go unresolved.
Manoj Srivastava, leader of the Technical Committee, questioned
this proposal, however. He noted that all social problems are very much
subjective. Participants come from a variety of cultures and may recognize
interaction with others differently. Often they come with different norms
and metrics which could make solving conflicts difficult for a neutral third party.
In response, Lars Wirzenius countered
with the suggestion to develop social and cultural norms for the entire
project first, based on what all developers could agree to. After all,
members of the Debian project all agree on certain aspects, which could be
summarized, just like the project's technical policy.
Currently, it is not clear which powers such a committee could use to
enforce a social policy, due to the nature of the Debian project. Its
members are volunteers and not employees on a company's payroll. Hence,
adding pressure to people could become an interesting exercise.
While the "Social Committee" will become active only upon special request,
it can also only exercise selective enforcement which might be interpreted
as unfair. The same behavior by other people on the same mailing list may
be tolerated.
If there is something resembling a discussion culture in the Debian project, it's most probably a very tough one. Some list participants usually put on
armored pants when discussing controversial issues on the lists. Debian
people are known for raising their voices loudly. This is not limited to
Debian developers, though. However, it's surely a detail that drives away
interested people when they accidentally find themselves in the middle of a
flame war.
It happens every now and then that discussions on mailing lists end up as
flame wars of one sort or another. One side pretends to know what another
participant thinks and their words get interpreted in a way that was not
intended. This is often followed by smearing and more smearing, soon
the entire discussion becomes totally useless and only eats up bandwidth
and disk space.
Because of this behavior, a "Social Committee" or at least a mildly enforced charter for Debian lists is due. For several years the Debian
code of
conduct has asked participants not to use foul language and not to flame.
However, the number of discussions that have been turned
into flame wars has rather increased recently.
The code of conduct
for the Ubuntu community covers the behavior of its members in any
forum, mailing list, wiki, web site, IRC channel, install-fest, public
meeting or private correspondence. The Ubuntu Community Council will
arbitrate in any dispute over the conduct of a member of the
community. The low number of flame wars in that community demonstrates
at least that it is possible to keep them to a minimum.
Several responses in the discussion on the "Social Committee" for the
Debian project indicate a strong interest in this, and a desire
to improve the climate. However, some developers are skeptical both
on the establishment of such a committee and its potential exercise of
power. In the meantime Gustavo Franco has started to build an ombudsman
team to address several of these social issues.
Comments (4 posted)
New Releases
The first test release for the upcoming Fedora 7 distribution is now
available; click below for details and download instructions. More
information on what's in Fedora 7 can be found on
this page.
Full Story (comments: none)
The third Feisty Fawn herd CD is available for testing, in Ubuntu, Kubuntu
and Edubuntu flavors.
Full Story (comments: none)
Beyond Linux From Scratch has announced the first release candidate for
version 6.2.0.
Full Story (comments: none)
Distribution News
The second openSUSE community meeting is scheduled for February 11, 2007
20:00 UTC on irc.freenode.net #opensuse-project. "This is the second
ever community meeting taking place, and it is run by openSUSE Community
members who are not employed by Novell/SUSE."
Full Story (comments: none)
The feature freeze for Ubuntu's Feisty Fawn main repository is scheduled
for February 8, 2007. The feature freeze for Universe starts on February
22, 2007. The first beta is expected March 22, 2007.
Full Story (comments: none)
A council is being formed to oversee Ubuntu's Masters of the Universe.
The first council members have been nominated. The council will help find
a consensus and have a final say in conflicts. It will also approve
new MOTUs and organize MOTU efforts.
Full Story (comments: none)
There will be a FUDCon in Brussels at the Free and Open Source Developers'
Meeting (FOSDEM) in Brussels Belgium. If you are at FOSDEM stop by room
H2214 for FUDCon.
Full Story (comments: none)
The unofficial Fedora FAQ has been updated for Fedora Core 6. Click below
for a quick look at the updates.
Full Story (comments: none)
It is time once again for Debian Project Leader Elections. Here's the
first call for nominations.
Testing is underway on the second release
candidate of the Debian Installer. Daily images are built using the
2.6.18-4 kernel packages.
Here's a status report on the Debian
GNU/FreeBSD port. This port consists of two architectures: kfreebsd-i386
and kfreebsd-amd64. "Currently we have a reasonable subset of Etch
packages, but the number of unmerged patches is still too high. So doing a
real Etch release looks difficult. Instead, we plan to release a snapshot of
sid at the time of the Etch release for both kfreebsd-i386 and
kfreebsd-amd64."
debian.ch is a non-profit organization formed
to represent, hold assets for and further the Debian project in
Switzerland and the Principality of Liechtenstein.
Anthony Towns has sent out this announcement
encouraging more meetings between Debian developers.
Comments (none posted)
Distribution Newsletters
The Fedora Weekly News for February 5, 2007 looks at Announcing Fedora 7 Test 1
(6.90), Congratulations and thank you, Smolt: Fedora Hardware Profiler,
Fedora Package Database 0.1, Fedora LiveCD 7 Test 1 Preview, First test of
Fedora 7 released, Fedora's metrics have ripple effect and several other
articles.
Comments (none posted)
The Gentoo Weekly Newsletter for January 29, 2007 covers Xfce 4.4 released, Second
anniversary of Gentoo Forum Netherlands and several other topics.
Comments (none posted)
The second issue of the Ulteo newsletter covers Ulteo at SCALE 5X, a
follow-up on the Connected Desktop which will be demoed at SCALE, plus the
latest news from the development team, and more.
Full Story (comments: none)
The DistroWatch Weekly for February 5, 2007 is out. "As usual, this week's issue
focuses on a variety of distributions and topics. We'll start with a
frightening financial analysis of Mandriva Corporation whose most recent
financial results were published last week. The news section then looks at
the release process of the Fedora Project whose latest -- and incomplete --
test release came, once again, without any release notes or other useful
information. Also in the news: Ubuntu has quietly scrapped the idea of
including the 3D desktop in Feisty Fawn, openSUSE and Linspire brace for
surprise announcements, Red Hat's Matthew Szulik has kind words to say
about Linus Torvalds, and Nexenta announces plans to produce more frequent
development releases. Finally, we are pleased to announce that the
DistroWatch January 2007 donation has been awarded to the GQview and
Kaffeine projects."
Comments (none posted)
Package updates
The LWN staff has decided that the time spent processing package updates
for various distributions could be better spent producing original
content. If you feel like you are missing out on these updates here's the
mailing list information for them.
- Fedora - Fedora-package-announce
- Mandriva - send an email with "subscribe security-announce" in the
message body to sympa@mandrivalinux.org
- rPath - update-announce
- Slackware - send an email to mrgoblin@userlocal.com with the subject
"subscribe slacklog"
- Trustix - tsl-announce list.
- Ubuntu -
Comments (6 posted)
Newsletters and articles of interest
EFYtimes introduces Adriane Knoppix. "It was my first meeting with the couple -- Klaus
and Adriane Knopper -- at LinuxAsia 2007. I had already met Klaus Knopper,
the creator of Knoppix, and was pretty much touched by his passion for
developing Knoppix. This time he was accompanied by his wife Adriane
Knopper who is visually handicapped and helps Klaus in developing Linux for
the blind, Adriane Knoppix."
Comments (none posted)
Linux.com looks at Fedora 7. "There are two more test releases scheduled before Fedora
7 is slated for general availability on April 26. Though the team has
remained on schedule to this point, there is still plenty of work to be
done. Keating says some features of Fedora 7 are well under development
while others have yet to get off the ground. The team's goal is to have
them all testable by the release of Test 2 later this month with the
understanding that whatever is not ready for testing at that point will be
removed from the package and shelved for the time being."
Comments (1 posted)
Distribution reviews
DesktopLinux.com reviews the Scientific Linux 5 (SL5) alpha live CD/DVD. "A preview of Red Hat Enterprise Linux 5, which won't be released for about a month, is available via the latest Scientific Linux 5 (SL5) alpha live CD/DVD, released this week. Built from source packages for RHEL 5, SL5 sports a 2.6.18 kernel and either the KDE or GNOME desktops.
On the SL5 alpha live DVD, all client/workstation RPMs are installed and GNOME is the default desktop. On the SL5 alpha live CD, KDE is the default desktop."
Comments (none posted)
eWeek reviews Foresight Linux. "Foresight is one of the most active projects based
on rPath's Conary software management system, which offers administrators a
great balance of flexibility and control in deploying and maintaining
applications on Linux."
Comments (none posted)
Page editor: Rebecca Sobol
Development
February 7, 2007
This article was contributed by Nathan Sanders
On January 27th, KDE developer Aurélien Gâteau made an entry on his blog announcing the next version of his Gwenview image viewer. The announcement is the result of extensive discussion on the kde-usability mailing list towards a completely new interface for the KDE 4 release of the popular image viewer. The new release features a refocusing on simplicity which will have interesting consequences for the venerable application, now in its seventh year of development, and for the K Desktop Environment as a whole.
Gâteau designed the new interface to be efficient for, in his words, "two use-cases...: 1: The user wants to see a single image, for example from an image attachment. Maybe rotate it, scale or crop it. 2: The user wants to browse all images of a folder, which he selected from Dolphin or Konqueror. Maybe in fullscreen mode, as a slideshow or not." He summarizes, "...Gwenview [II] strives to be a "simple" image viewer, not a full blown photo management application."
The original Gwenview was made with tasks that were less dependent upon the file manager in mind. Gwenview 1.4 has directory tree and folder view panes for image navigation. For Gwenview II, these have been removed. Gâteau explains, "I simplified the interface by removing the folder view and the use of docked windows..." He explains that these changes were prompted by the evolution of desktop file managers: "...nowadays file managers are capable of providing simple image browsing and cataloging, people won't resort to external image applications until they need the cataloging power of applications such as KPhotoAlbum or Digikam."
Gwenview II's purpose is to augment the features of these file managers. Gâteau writes, "The new goals of Gwenview are to complement the file manager to provide features it does not supply, such as immersive fullscreen support (not just hiding title bars: showing only the image and providing a discreet minimalist user interface to browse), slideshow and basic image editing (rotate, mirror, scale, crop, adjust colors, maybe red eye correction)." To facilitate this simplification, the new interface makes these functions readily available via toolbar buttons. The current interface mockup does not include any menu bars. Gâteau elaborates on the principle: "In the mockups, I ...removed various toolbars and took into consideration the fact that KDE4 will ship with captions below icons by default. To make it easy to perform some editing tasks, I added a new "tools" side bar."
In light of this new direction, Gwenview has found itself with a more prominent position in KDE for the upcoming fourth version of the desktop. Long relegated to the kde-extragear module, Gwenview will be moving to kde-graphics. Extragear is, officially, "a collection of KDE applications that are associated with the KDE project. Those apps are not part of the main KDE distribution for various reasons, but they are still part of the project." The space is generally used for applications that either duplicate the functionality of other applications in the main distribution or are too specialized for mass consumption. The kde-graphics module, as one might expect, is filled with KDE applications designed for image manipulation and viewing. In Gâteau's words, "Yes, Gwenview will play a larger role in KDE4 than it played in KDE3."
The move to kde-graphics is symbolic of higher stature within the KDE project, but has other practical consequences, as well. In order to avoid shipping duplicate functionality within the core of KDE, other applications in the graphics module may have to be forced out. Gâteau writes cautiously, "I would like to see Gwenview replace KView and Kuickshow as well as the photoalbum KPart, but we need to make sure we provide similar features and performance. Please note that this is just my (subjective) personal opinion, I am not the one who makes such a decision." KView and Kuickshow are the current members of kde-graphics responsible for simple image display tasks. KParts are components of KDE applications which can be easily embedded within other applications; for instance, videos played in Konqueror use the Kaffeine KPart.
Furthermore, the move should ease the work of both developers and users. Gâteau explains, "I believe lots of users will simply use what's supplied by the desktop, and won't take the time to install an application such as Gwenview, so it makes sense to move Gwenview to [the main KDE distribution]. It will also save me some time, as I won't have to worry about making tarballs anymore." Previously, users of GNU/Linux distributions which do not distribute the kde-extragear module through their package management system would have to install Gwenview manually using tarballs.
Gâteau had help from KDE Usability in designing Gwenview's new interface. KDE Usability is a community of interface usability experts within the project who assist developers throughout the organization. Gâteau recalls the process: "...after getting confirmation from the kde-devel-core mailing list that Gwenview would move to kdegraphics, I was asked to work with the usability team. I already had some ideas in my mind so I prepared some mockups of them, which I posted on the kde-usability mailing list. They were basically satisfied with the general idea of my first set of mockups, but nevertheless made quite a few suggestions to improve them. Based on this feedback I created a second set of mockups, which are the ones I posted on my blog. We mainly discussed the toolbar layout, what should get in the toolbar and what should not, as well as the expected behavior of some elements of the interface." Among the usability experts who assisted him were KDE developers Aaron Seigo, John Tapsell and Celeste Lyn Paul.
Gâteau, also a developer on the open-source VOIP application WengoPhone, only recently decided to see Gwenview through to a second major release. He laments, "I decided to give up mainly because I couldn't find the time to work on it anymore and because I thought I was no longer interested in maintaining Gwenview." His decision to return to the project reflects amusingly ideal behavior for a free software developer: "Taking some days off I realized I was still interested in working on Gwenview, and that it would be better to stop some other non-KDE related activities." Gâteau remarks that he was also influenced by the user comments following his call for a new Gwenview maintainer.
Gwenview II clearly holds some drastic and exciting changes for the classic KDE application, but Gâteau recognizes that they will not be universally well-received. He notes: "Since Gwenview II will be quite different than the present version, it's quite certain that there will be a new [set of] users. I am also aware that, unfortunately, some users of the present version won't like the new interface." Fortunately, the needs of all users should be well addressed in KDE 4, with the Konqueror file manager for the most basic image management, Gwenview II for more intermediate functions, and digiKam for advanced photo management capabilities.
System Applications
Database Software
Dejan Bosanac shows how to tune Derby, the Apache DB project, on O'Reilly. "There is a big difference in the behavior of a database when it is populated with a small amount of test inputs and when it holds a large amount of data. Usually, you would not address these database performance issues early in the development process, but when the time comes, you should take some action to ensure that the application is working correctly with large amounts of data.
The all-Java open-source database Derby is no exception, so you'll have to make sure it will not be a bottleneck to your application."
The February 4, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Mail Software
Version 8.14.0 of the sendmail MTA has been announced. New features include support for transparent 8 bit headers and an extension of the milter API.
Networking Tools
Version 1.6.3 of Streamline, a stream-based network subsystem for Linux, has been announced. "This first release in over a half year has been thoroug[h]ly stress-tested, so it should be more stable. New features include support for named and unnamed pipes, the full POSIX file IO interface, a write-after-read optimization similar to splicing, a method for catching HTTP GET requests and self-resizing (based on load) ringbuffer designs."
Virtualization Software
The EasyVZ project has been launched. "I am happy to annou[n]ce the availability of EasyVZ, an OpenVZ management GUI under the GPL. EasyVZ makes it simple to create, destroy and manage Virtual Private Servers from within a cozy and comfortable graphical user interface. The EasyVZ client can manage the server from anywhere over the network, although currently there is no authentication available."
KQEMU is the kernel acceleration module for the QEMU processor emulation system. As can be seen in the KQEMU changelog, the 1.3.0pre10 release quietly added a couple of interesting features: full x86_64 virtualization support and a license change to version 2 of the GPL. Since KQEMU had previously been released under a proprietary license, this is a welcome change. (Thanks to Tzvetan Mikov).
Web Site Development
Version 0.3.0 beta of Drake CMS, a light-weight dynamic web authoring and content management system, has been announced. "Drake CMS v0.3 is the second major release of Drake CMS. All users are strongly encouraged to upgrade to Drake CMS v0.3.0; backward compatibility with Drake CMS v0.2 is granted.
We suggest upgrading because of the new features (you might have already tasted them in Alpha releases 0.2.6-0.2.10) and the improved stability."
Version 3.2.41 of mnoGoSearch, a web site search engine, is available for Unix platforms. See the change log for release details.
Nuxeo has announced the release of Nuxeo EP 5.0.0.GA, an open source enterprise content management (ECM) platform. "Nuxeo ECM solutions are built on the experience accumulated for 5 years by Nuxeo and community members building mission-critical ECM applications (web content management, document management, records management, collaboration, intranet portals and workflow) for major customers, using previously Zope technologies, and now Java EE 5, JBoss Seam and OSGi."
Release 1.2.2 of the Rails web development platform has been announced. "It's time for another minor update to Rails 1.2. This was primarily prompted by a change in the API for SQLite between version 3.3.7 and 3.3.8+, which left the Rails database adapter for dead by the road side. But with this release and Jamis Buck's sqlite3-ruby gem at version 1.2.1, we're back in business on all versions of SQLite3.
Second, we're now depending on RubyGems 0.9.0 and above."
Desktop Applications
Audio Applications
Version 0.99.77 of Alsaplayer, a multi-threaded PCM audio file player, is out. "This is a bugfix release. It includes all the fixes and security [patches] committed by Hubert Chan from Debian. Both the patch committed to the alsaplayer-devel list and the one for Debian are included. They include patches from him and other people, and even a new man page from Debian. Another piece of good news is that the CVS tree will compile again, including the fftscope plugin."
Issue #6 of the Amarok Weekly Newsletter has been published. Topics include Amarok 1.4.5, Plans for 1.4 series, Amarok 2.0 and Cool tips: running Amarok in fullscreen.
Release 0.9 beta 7 of Aqualung has been announced. "Aqualung is an advanced music player originally targeted at GNU/Linux, today also running on other operating systems such as FreeBSD and MS Windows. We are striving to create one of the finest music players available, with respect to sound quality, stability, features and ease of use.
This release is the latest in a series of beta releases on our way to the future stable release of Aqualung 1.0. It adds significant new functionality as well as important bugfixes."
Version 0.2 of JackMix has been released. "After almost two years of silence I managed to put together a new release of JackMix. The name explained: Compared to jackmix:0.1.0 some experimental features are dropped. On the other hand this release is the first to use scons for the buildsystem and qt4 for the toolkit."
The feature freeze for version 0.9 of the Jokosher audio workstation project has been announced. "So January ticks inevitably into February and in sympathy with the weather (or the ice cream in the southern hemisphere!) Jokosher has frozen. Yes, that's right, we are now in feature freeze for the next release which will be 0.9 and is due for release mid March.
In the last week (from the 28th Jan) there have been commits from no less than 7 different people, and a quick bit of maths gives us the shock result that Laszlo is tied with David Corrales to be this week's most prolific committer with 17 commits each. Congratulations not only to David and Laszlo but also Johnk, johng, luket, mikes and stuartl for all their hard work across the 47 commits (there's still a few hours to break the 50 barrier so get coding!)"
Version 0.9.2 of Sweep is out with several new features and bug fixes. "Sweep is an audio editor and live playback tool for GNU/Linux, BSD and compatible systems. It supports many music and voice formats including WAV, AIFF, Ogg Vorbis, Speex and MP3, with multichannel editing and LADSPA effects plugins. Inside lives a pesky little virtual stylus called Scrubby who enjoys mixing around in your files."
Business Applications
Version 4.5.1 of Sugar Open Source, a complete Customer Relationship Management (CRM) system for businesses, has been announced. New features include a Campaign Wizard, a Campaign Manager with ROI Reports and Automated Lead Capture.
Data Visualization
Version 2.0.0 of Gmsh, a three-dimensional finite element mesh generator with built-in pre and post-processing facilities, has been announced. See the versions file for change information.
Desktop Environments
Version 2.16.3 of GARNOME, the bleeding-edge GNOME distribution, is out. "As usual it includes a lot of updates and fixes, together with a host of third-party GNOME packages, Bindings and the Mono(tm) Platform -- this is the last release of the current stable GNOME branch."
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at gnomefiles.org.
KDE.News notes two KDE applications that are part of the Season of Usability. "The Season of Usability, run by the OpenUsability project has kicked off with two KDE applications in the focus: BasKet Note Pads and the KDE 4 universal document viewer Okular. Usability, as one of the important focus points of the upcoming fourth major version of KDE, is also an active part of the KDE project. The Season of Usability manifests KDE's close involvement with OpenUsability."
The February 4, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Work begins on Amarok 2.0. KBlackBox becomes the latest games application to take the step into the scalable graphics arena. KTTT, a tic-tac-toe game, is ported to KDE 4. Further progress made on the knewstuff2 framework. Software RAID monitoring, along with other improvements in KSysGuard. Mailody gets support for printing HTML emails. Improved support for custom emoticons in Kopete. The sublime-integration user interface branch is merged back into the main KDevelop source tree. Step, an educational physics simulation package, is imported into KDE SVN. KitchenSync is removed from KDE SVN, in anticipation of an OpenSync-based implementation."
The following new KDE software has been announced this week:
You can find more new KDE software releases at kde-apps.org.
The following new Xorg software has been announced this week:
More information can be found on the X.Org Foundation wiki.
Encryption Software
Version 2.0.2 of GnuPG, the GNU Privacy Guard encryption system, is out. "This is a maintenance release to fix build problems found after the release of 2.0.1. There are also some minor enhancements."
Games
Stable version 0.2a of Snackware has been announced. "Snackware is a project aimed to create a "competition of coders" by making different classes or functions battle amongst themselves through the rules of a game. It's not a traditional game, anyway, since it works with no human intervention."
Graphics
Version 0.45 of Inkscape, an SVG-based vector drawing package, is out. "Inkscape 0.45 features a new Gaussian Blur SVG filter. Sponsored by Google's Summer of Code program, Gaussian Blur allows you to softly and naturally blur any Inkscape objects, including shapes, text, and images. This enables a wide range of photorealistic effects: arbitrarily shaped shades and lights, depth of field, drop shadows, glows, etc. Also, blurred objects can be used as masks for other objects to achieve the "feathered mask" effect.
Numerous other new features, enhancements to existing features, and bug fixes have been included." See the release notes for details.
Interoperability
Version 3.0.24 of Samba has been announced. "This is a security release which addresses CVE-2007-0452, CVE-2007-0453, and CVE-2007-0454. This is the latest stable release of Samba. This is the version that production Samba servers should be running for all current bug-fixes. Please read the changes in the Release Notes for details on new features and differences in behavior from previous releases."
Multimedia
KDE.News looks at Phonon. "Like the previously featured articles on new KDE 4 technologies for Job Processes or SVG Widgets, today we feature the shiny new multimedia technology Phonon. Phonon is designed to take some of the complications out of writing multimedia applications in KDE 4, and ensure that these applications will work on a multitude of platforms and sound architectures. Unfortunately, writing about a sound technology produces very few snazzy screenshots, so instead this week has a few more technical details."
Music Applications
Version 1.5.0 of Rosegarden, an audio and MIDI sequencer and musical notation editor, is out. "This release contains a number of new features, notably audio time-stretching support, and many usability improvements particularly in the matrix view.
This is also an interesting release from a developer perspective, because the source code has been completely reorganised into a new directory structure with a far more consistent file naming and organisation scheme. Thanks to all involved with the project for their hard work on this tedious business."
Digital Photography
Prototype version 0.1 of SnapMatcher has been released. "SnapMatcher is an application intended for photographers, artists, or image packrats who have very large collections of digital images, some of which may be duplicates or near duplicates. By identifying images across multiple formats with the ability to filter out minor edits such as changes to contrast, brightness, color balance, resizing, or even the addition of text or borders, SnapMatcher can be a valuable tool in organizing and culling unwieldy collections."
Web Browsers
MozillaZine covers the development plans for the Netscape 9 browser. "The official Netscape Blog has announced that Netscape 9 is under development. Like the current Netscape Browser 8, this release will presumably be based on Mozilla Firefox. According to the announcement, Netscape 9 will be a standalone browser (lacking components like a mail client or Web page editor) and will have tight integration with the Netscape.com website, which was relaunched as a Digg-style user-driven news and current events portal last year. A subsequent post revealed that Netscape 9 will be released simultaneously for Windows, Linux and Mac OS X."
Miscellaneous
Release 1.02 of lcdtest, a monitor test pattern generator that is useful for finding bad pixels, is out. "Release 1.02 has no code changes, but incorporates the manual page, Makefile improvements, and Debian build information from Valerio Felici."
The Wasabi project has announced its existence. "Wasabi is a new project with the goal of creating a unified, platform independent, specification and api for desktop search engines (and later metadata services). We have worked together with several search-projects and now have a proposal ready for public evaluation. In short: we need feedback from application developers - that means you."
Languages and Tools
C
Version 4.0.4 of GCC, the Gnu Compiler Collection, is out. "This release is a minor release, containing bug fixes for regressions relative to earlier releases. It is the final release from the 4.0.x series, and the gcc-4_0-branch is now closed.
GCC 4.0.4 is provided for those who require a high degree of binary compatibility with previous 4.0.x releases. For most users, the GCC team recommends that version 4.1.1 or later be used instead."
The GCC 4.1.2 Status Report for February 4, 2007 is out. "Thanks to all who have helped test GCC 4.1.2 RC1 over the last week. I've reviewed the list traffic and Bugzilla. Sadly, there are a fair number of bugs. Fortunately, most seem not to be new in 4.1.2, and therefore I don't consider them showstoppers."
Caml
The February 6, 2007 edition of the Caml Weekly News is out with new Caml language articles.
JSP
Version 0.21 of the OpenLink AJAX Toolkit (OAT) has been announced; it adds many new features. "OAT, OpenLink AJAX Tools, is a Javascript framework for building rich browser-based user interfaces using XML/A to connect to databases."
Cedric Savarese explores XUL on O'Reilly. "This article presents a little-known use of XUL (Mozilla's user-interface language) and shows how to take advantage of its superior performance and accessibility over HTML while maintaining cross-browser compatibility. I will illustrate this using a proof-of-concept JavaScript library that can render UI widgets using either XUL or DHTML."
PHP
The online PHP Manual has been updated, according to the main PHP site. "The PHP documentation team is proud to present to the PHP community a few fixes and tweaks to the PHP Manual, including: an improved, XSL-based build system that will deliver compiled manuals to mirrors in a more timely manner (goodbye dsssl), manual pages can now contain images (see imagearc() for an example), updated function version information and capture system (fewer "no version information, might be only in CVS" messages) ... and more to come!"
Tcl/Tk
The February 2, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Build Tools
Version 0.1 of Buildit has been announced. "Buildit makes it easier to create a repeatable deployment of software in a particular configuration. With it, you can perform conditional compilation of source code, install software, run scripts, or perform any repeatable sequence of tasks that ends up creating a known set of files on your filesystem. On subsequent runs of the same set of tasks, Buildit performs the least amount of work possible to create the same set of files, only performing the work that it detects has not already been performed by earlier runs."
Editors
Version 0.2.5 of PDFedit, an editor for manipulating PDF documents, is available. The project description says: "GUI version + commandline interface. Scripting is used to a great extent in the editor and almost anything can be scripted; it is possible to create your own scripts or plugins. Target platforms are operating systems of the Unix type (Linux, BSD, ...); we are using C++, XPDF, QT3 and QSA."
Libraries
Version 0.3.0 of TA-Lib has been announced. "TA-Lib provides more than 130 technical analysis functions for financial and trading applications. The main feature of this release is a new generated XML file to provide meta information of the interface. This facilitates integration within .NET and Java applications."
Miscellaneous
Version 3.1.1 of Open Object Rexx has been announced. "For the first time, binary versions are available for Mac OSX and AIX. New binaries for Windows, Linux and Solaris have been created as well with versions for Solaris pending. In addition users can download the source code of Open Object Rexx and may freely and readily build the programming language themselves. IBM donated the source code of its Object REXX product to the Rexx Language Association in December 2004 for publication and support as an open source project. With ooRexx 3.1.1 both the Rexx and open source communities can enjoy the numerous enhancements and fixes that have been incorporated into ooRexx under RexxLA stewardship."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Lunapark6 has a lengthy preview of Beryl 0.2.0. "The Beryl project originally forked from the Compiz 3d desktop group around September of 2006. At the time I had a hard time understanding why we needed another 3d desktop project, but now that I have had a chance to watch Beryl develop, their decision makes a whole lot of sense. As nice as Compiz is, Beryl is the group that is really pushing the envelope of what a next generation desktop should be like."
Most people by now have seen Steve Jobs's "Thoughts on music" posting where he seems to be arguing for the end of DRM on music. BoingBoing has put together an interesting set of responses to that posting. A number of people point out that there are several artists and labels who would like to be able to sell DRM-free music through iTunes now, but Apple has not allowed that to happen.
Trade Shows and Conferences
DesktopLinux looks forward to SCALE 5X. "SCALE 5X, the 2007 Southern California Linux Expo, opens its doors at the Westin Los Angeles Airport hotel Feb. 9 and will continue through Sunday, Feb. 11. The event will include about 50 seminars, 70-plus exhibitors, a high number of BoF meetings, and three days' worth of exhibits and demonstrations."
Companies
eWeek reports that Red Hat, Inc has launched a Certified Service Provider Initiative. "The Program, which is now active in North America and will launch globally in the future, is designed to encourage the growth of open-source service practices through collaboration between Red Hat Global Professional Services and service-oriented channel partners with open-source expertise and resources."
LinuxElectrons looks at Wind River's Linux support on TI's OMAP2430. ""Wind River's commercial-grade Linux and the advanced multimedia performance features in OMAP2430 processors will offer a powerful Linux platform that supports multimedia-rich, mobile applications and reduce the time and cost associated with bringing these applications to the mobile device market," said Jeff Wender, worldwide marketing manager, Software Solutions for Texas Instruments Cellular Systems Solutions. "We are excited to work with Wind River to provide high-quality, flexible, solutions for the global wireless market on the development platform of their choice, and we're pleased to welcome Wind River to our wireless ecosystem.""
Business
IT Manager's Journal looks at small consultants who specialize in open source software. "A clear sign that free and open source software (FOSS) has become mainstream is the growing number of small consultants who specialize in it. Listed on local users groups or high-tech forums and working mostly by themselves, these consultants rarely make headlines, yet they represent a sizable and growing niche in small business in modern North American cities."
Linux Adoption
Linux in Brazil reports on problems with a Brazilian Linux initiative. "Computador para Todos is a government project that offers special tax exemptions and lines of credit for popular (low end) computer makers in Brazil, as long as the computers are sold with Linux and an array of 26 pre-installed free software common applications, like a word processor, an e-mail client and other apps surely found in most Linux distros. The tax exemption is only valid if the PC is sold for less than R$ 1200 (about US$ 550), retail.
According to official estimates, more than 800,000 PCs were sold using these tax exemptions and lines of credit in 2006, with a wide variety of international and local brands of Linux distros installed, despite claims that roughly 73% of the customers replace the pre-installed Linux distro with unlicensed Windows XP copies, less than 4 weeks after buying the computer." (Thanks to Augusto Campos).
MosNews has a brief report on the case of a Russian school headmaster who is threatened with a jail sentence as a result of non-purchased copies of Microsoft software found on his school's systems. "Microsoft says that the incident has nothing to do with them, but it appears that Russian schools in the area are so scared about being shipped off to a Siberian Gulag, that they are buying Linux gear instead. Schools in the Perm region will soon quit buying software from commercial companies, said the region's Education Minister Nikolay Karpushin. The announcement was made in line with the report on ensuring 'license purity' in the region's schools."
Linux at Work
Tina Gasperson investigates Mark Kett's Linux Guitar Project on Linux.com. "Recently, Kett had an idea for a travel guitar. "It would have an iPod running Linux plugged in, that would allow me to record the music that was played on it." He shared the idea with David Patrick, the proprietor of the linuxcaffe, and through some brainstorming came up with the idea for an "open source" electric guitar -- designed from the ground up by community consensus and fitted with Linux technology. "We hashed out ideas about what the ultimate guitar would be -- running a full Linux operating system and with all the capabilities of a recording studio.""
Legal
LinuxWorld covers a pledge from courseware vendor Blackboard to not enforce its patents against open source and homegrown software systems. "The pledge is intended to quell the anger and outrage which flared up last year after the Washington D.C. software vendor, the leader in course management software for education, announced it had been awarded U.S. patents for parts of its software. Course management applications are widely deployed in education; many are homegrown, and more recently, open source projects, such as that sponsored by the Sakai Foundation, are emerging."
Interviews
The People Behind KDE talk with Cyrille Berger. "In what ways do you make a contribution to KDE? Up until now, I have been mostly working on Krita, and more specially on its plugins. Either on code or other stuff, like releasing KOffice 1.6. And currently, beside hacking on Krita version 2.0, I am also playing quite a lot with Qt4Ruby, but I don't know yet if something interesting will come out of this." (Found on KDE.News)
Comments (none posted)
The annual FOSDEM (Free and Open Source Developers' European Meeting) is
coming up at the end of February. This year, as in past years, the FOSDEM
crew is publishing interviews with the speakers. This first batch of
interviews includes Jim Gettys, of the One Laptop Per Child project,
ReactOS project leader Aleksey Bragin, GNOME developer and profiling
enthusiast Federico Mena Quintero and Øyvind Kolås, Norwegian developer
and the main author of the GEGL image processing library.
Comments (none posted)
The second batch of FOSDEM interviews is out. This round includes Kristian
Høgsberg (AIGLX) about 3D, graphics drivers and eye candy, Ronald G Minnich
(LinuxBIOS) about hardware vendors, the OLPC BIOS, and the dangers of EFI,
Peter Saint-Andre (Jabber) about Jabber and XMPP, Kern Sibbald (Bacula)
about the history and future of Bacula and Andrew Morton (Linux kernel)
very shortly about the current state of Linux in general, and... at
Google.
Comments (16 posted)
Resources
Rich Bowen discusses Apache log file analysis modules on O'Reilly's
ONLamp.com. "No doubt you're already aware of the standard logfiles that
Apache httpd creates for you. There's the access log, which tells you every
time a request is made to your server. There's also the error log, which
makes a note every time something goes wrong or something of interest
happens that you should know about.
There are a few things that you can do to make your access log more
useful, such as using the combined, rather than the common, logfile
format--but that's another article. Look at the documentation for
mod_log_config for more information on that."
Comments (none posted)
The February edition of Linux Gazette is out, with articles on Nomachine
NX server, Configuring IPCop Firewalls (Book Review), TCP and Linux'
Pluggable Congestion Control Algorithms, Debugging WiFi and much more.
Comments (1 posted)
Bruce Byfield discusses OpenOffice.org line spacing in a Linux Journal
article. "The fact that OpenOffice.org Writer is more than a word
processor is an open secret. Designed to write long documents, Writer is
in many ways a document processor comparable to FrameMaker, suitable for
designing books and dissertations while falling short of a complete
desktop publishing solution. For this reason, it includes a number of
tools for tweaking lines of text, including Tools > Language > Hyphenation
and the tools for adjusting character width and letter space for
individual characters. However, by far the least understood of these
high-end tools is Writer's ability to adjust line-spacing."
Comments (none posted)
Reviews
Linux.com reviews Data Crow. "Many Linux apps let you manage your movie
collection, or your book collection, or your music collection -- but Data
Crow is one of the few that handles all of the above, plus software and
images. It also puts a lot of import tools at your fingertips that can
save you from entering information about your media manually -- including
importing information directly from online services and text files, and
extracting information from music files."
Comments (none posted)
Nikos Kouremenos looks at PyDEV on Linux.com. "PyDEV is a plugin that
enables developers to use Eclipse for Python and Jython development,
making Eclipse a first-class Python IDE. The software offers features such
as code completion, syntax highlighting, syntax analysis, automated
refactoring, template system, source code quality checking, and a
debugging environment."
Comments (none posted)
Linux.com reviews the ROX desktop. "The ROX Desktop's performance is
reminiscent of IceWM, and it's noticeably faster opening programs than
GNOME or KDE. However, its speed comes at the expense of a needlessly
redundant default configuration, and some users may balk at some of the
assumptions its design makes about how they prefer to work."
Comments (3 posted)
Miscellaneous
The Technology Liberation Front grumbles about the use of DRM on the PDF
version of the U.S. 9/11 Commission's report. "If I click to enter a
password it tells me that I have permission to read and print the
document, but not to copy from it. Because there is no copyright, the
government has no right to prevent me from copying. I could circumvent the
DRM on the PDF, but then it's possible that I'd be violating the DMCA (not
the way I read it, but I'd have to take the risk)." As some of the
commenters point out, the developers of the free PDF readers have tended
to never quite get around to implementing the "no cut-and-paste" bit.
Comments (9 posted)
Here's a Reuters article claiming that the Free Software Foundation may
block Novell from selling Linux. "'The community of people wants to do
anything they can to interfere with this deal and all deals like it. They
have every reason to be deeply concerned that this is the beginning of a
significant patent aggression by Microsoft,' Eben Moglen, the Foundation's
general counsel, said on Friday." The article is probably talking about
the potential addition of language to GPLv3 to prohibit deals like the one
with Microsoft.
Comments (69 posted)
Brian McConnell discusses web site language translation issues and the
Worldwide Lexicon Project in an O'Reilly ONLamp article. "This new version
of the system is much simpler, and it's based on a key insight. Any
website with an audience of more than a few dozen people probably has
bilingual readers. The bigger the audience, the more languages its readers
will speak. Moreover, these readers are presumably interested in the
content, are more knowledgeable about it (they understand its context),
and are more willing to help others read it."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation (EFF) has opened a new office in
Brussels to work with various institutions of the European Union (EU) on
innovation and digital rights. "The new EFF Europe office, made possible
by the generous support of the Open Society Institute and Mr. Mark
Shuttleworth of the Shuttleworth Foundation, will allow EFF to have an
increased focus on the development of EU law. EFF also plans to expand its
efforts in European digital activism and looks forward to working with
many groups and organizations to fight effectively for consumers' and
technologists' interests. EFF's new European Affairs Coordinator, Erik
Josefsson, will be an on-the-ground analyst, activist, and educator about
critical intellectual property and civil liberties issues."
Full Story (comments: 2)
Public Patent Foundation has announced a challenge to the Patriot
Scientific Corp. microprocessor patent. "The Public Patent Foundation
("PUBPAT") announced today that it has filed a formal request with the
United States Patent and Trademark Office to review a patent held by
Patriot Scientific Corp. (OB: PTSC) that the company, which boasts of
"primarily focusing on deriving revenue from licensing patents", is widely
asserting against producers of computer microprocessors."
Full Story (comments: 1)
Commercial announcements
Ampro Computers, Inc. has announced its ReadyPanel 10 industrial panel
computer. "The new ReadyPanel 10 all-in-one panel PC solution includes a
standard EPIC form factor Pentium(R) processor-compatible single-board
computer (SBC) and an NEC LCD 10.4-inch XGA color flat panel display
module that provides 1024 x 768 resolution. The LCD, SBC, and touch screen
are integrated into a compact 11" x 8.5" x 5.5" enclosure."
Comments (none posted)
Bodelin Technologies has announced the availability of a Linux-UVC driver
for the ProScope HR USB digital microscope. "The ProScope HR is the second
generation of the popular ProScope hand held USB microscope used in
thousands of schools, universities, industrial quality control and law
enforcement crime labs."
Full Story (comments: none)
Funambol has announced a preview of its mobile email portal at the 3GSM
World Congress in Barcelona, Spain on February 12-15, 2007. "The company
will also show the world's first open source Java mobile email client for
mass market phones and how its software powers the email, contacts and
calendars for the popular OpenMoko mobile Linux platform."
Comments (none posted)
Hifn, Inc. has announced an initiative to support hardware security
processors. "Hifn has contracted with Xelerance Inc., the recognized open
source security specialists, in a major development effort to make the
industry's fastest cryptographic accelerators as easy to use as graphics
or sound cards.
The project integrates Hifn's 795x algorithm accelerators, as well as the
7855 and 8155 security processors, with Linux and FreeBSD."
Comments (none posted)
Ingres Corporation has announced a new Ingres Eclipse DBMS Bundle for Java
developers. "The new bundle contains all of the components needed to
successfully build and deploy next-generation applications with Eclipse,
a popular open source development framework, on Ingres 2006, Ingres's
latest release of its open source database."
Comments (none posted)
Microsoft Corp. has announced an Open XML to ODF translator project.
"Developers of the open source project to produce a translator between
OpenDocument format (ODF) and Open XML document formats announced the
completion of the 1.0 release of the technology. The completed Open XML
Translator enables conversion of documents from one format to the other
and is available for anyone to download and use at no cost. When plugged
into Microsoft(R) Office Word, for example, the Translator provides
customers with the choice to open and save documents in ODF rather than
the native Open XML format."
Comments (none posted)
Novell, Inc. has announced preview releases of its security and identity
management solutions. "Novell today announced that it is previewing
enhancements to its flagship security and identity management solutions,
Sentinel(TM) 6 and Identity Manager 3.5, at the RSA Conference in San
Francisco. Demonstrating Novell's innovation and market leadership, these
product releases will showcase new features and enhanced capabilities to
help customers ensure security and compliance. When deployed together,
both products deliver the industry's most complete identity and security
management solution for supporting compliance and IT governance
initiatives."
Comments (none posted)
TimeSys has announced the availability of LinuxLink subscriptions for the
Intel Pentium family of processors. "This LinuxLink complements the
already popular LinuxLink for the Intel Pentium III (i686) family of
processors. LinuxLink by TimeSys is the first commercial offering to
support the majority of embedded developers who build and assemble their
own commercial-grade custom Linux platforms. By delivering on-demand
access to continuously updated processor-optimized Linux packages,
components and tools, engineers benefit from a rich development
environment and community support."
Full Story (comments: none)
Strategic Test has announced availability of the TRITON Development
Kit-4. "... based on the Marvell XScale PXA320 processor. The TDK-4 is
supplied with both Microsoft Windows CE 6.0 and Linux 2.6.17 at a
competitive price of only 2900 Euro."
Full Story (comments: none)
United Electronic Industries (UEI) has announced the release of the UEIPAC
series of Programmable Automation Controllers (PACs). The UEIPAC is a
complete, Linux-based Programmable Automation Controller that can have up
to 150 analog or 288 digital I/O points, all in its rugged 4" x 4" x 6"
housing.
Full Story (comments: none)
VMware, Inc. has announced the release of a new virtualization software
bundle. VMware "... today announced a new bundle designed to provide SMBs
using the free VMware Server with an easy and cost-effective way to manage
their virtual infrastructure. The bundle includes VirtualCenter for VMware
Server with enterprise-class support from VMware for $1,500."
Comments (none posted)
New Books
O'Reilly has published the book Rails Cookbook by Rob Orsini.
Full Story (comments: 1)
O'Reilly has published the book Using Samba, Third Edition by Gerald
Carter, Jay Ts and Robert Eckstein.
Full Story (comments: none)
Resources
Manualinux is a project that provides documentation for Linux in English
and Italian. The latest version is 6.2, and it is released under the GNU
Free Documentation License.
Comments (none posted)
Contests and Awards
A Telephony Mashup Contest will take place at the O'Reilly Emerging
Telephony Conference. The conference takes place in Burlingame, CA on
February 27-March 1, 2007; submission proposals are due by February 21.
"StrikeIron Inc., the leading provider of live data and business
functionality over the web and O'Reilly Media, Inc. today announced the
first ever Telephony Mashup Contest to take place during the O'Reilly
Emerging Telephony Conference (ETel). This new contest provides a stage
for developers to demonstrate their creative skills using emerging
telephony technologies such as VoiceXML, SIP phones, VoIP, hosted PBX &
IVR services, and Web Services. In addition to StrikeIron and O'Reilly,
Tellme Networks, Inc. and Sylantro are sponsoring this contest with
$3,000 of prizes to winning entries."
Full Story (comments: none)
GnomeDesktop has announced a new contest. "To make sure nobody misses it,
but Novell and Linux Format magazine is hosting a competition to have your
dream application written for you. The competition is called Make it with
Mono. To enter you just register on their site and submit a description
of your dream application. The proposal with the most votes after the
voting period is over (voting starts in April) will be attempted
implemented with Mono."
Comments (none posted)
The next PyWeek game programming challenge will take place online from
April 1-8, 2007. "Entries must be developed in Python during the
challenge, and must incorporate some theme decided at the start of the
challenge."
Comments (none posted)
Education and Certification
The Linux Professional Institute has launched its LPIC-3 Certification
Program. "LPIC-3 represents the highest level of distribution-neutral
Linux certification within the industry and is targeted at Linux
professionals providing IT services at the enterprise level. The
certification consists of a single exam (LPI-301) and additional specialty
certifications."
Full Story (comments: none)
Novell has announced a new migration course. "Novell has developed a new
training course to help systems administrators migrate from Red Hat
Enterprise Linux 4 to SUSE Linux Enterprise Server 10 from Novell. The
course is available both as a free download and as an instructor-led
class, available at locations globally."
Comments (9 posted)
Upcoming Events
The announcement for FreedomHEC 2007 has gone out; this year's event will
happen May 18 and 19 in Los Angeles, immediately following WinHEC. "One
hardware manufacturer devotes 150 engineers to a Microsoft Windows driver,
while one person can handle the Linux driver. At FreedomHEC, you'll learn
that a Linux driver is a small investment for a big gain, and you'll meet
the Linux professionals who can open the door to the Linux market for
you."
Full Story (comments: none)
Sun Microsystems, Inc. has announced the 2007 JavaOne Conference. The
event takes place at the Moscone Center in San Francisco, CA on May 8-11,
2007.
Comments (none posted)
The 2007 MySQL Conference and Expo will take place at the Santa Clara
Convention Center in Santa Clara, CA on April 23-26, 2007. "The conference
is poised to offer more than 110 sessions and tutorials geared to show
participants how to rapidly build innovative database applications that
can scale as an enterprise grows. A strong selection of MySQL users and
open source experts will share their knowledge about using MySQL to power
high-volume Web 2.0 sites, critical business applications, and the next
generation of packaged software." The early registration discount is
available until March 15.
Full Story (comments: none)
A call for location has gone out for the 2007 OpenOffice.org conference.
"OpenOffice.org announces voting for the location for OOoCon 2007
The official international OpenOffice.org Conference (OOoCon) brings
together people who are interested in the development, promotion, and use
of OpenOffice.org.
Last year, members of the OpenOffice.org community gathered at the
official international OpenOffice.org Conference (OOoCon) in Lyon, France
for a superb conference hosted by the local OpenOffice.org community."
Full Story (comments: none)
The 2007 PyCamp is in the planning stages. The event will be held in
Lockhart, Texas during August, 2007. "An unconference is a conference
where the content of the sessions is driven and created by the
participants, generally day-by-day during the course of the event, rather
than by a single organizer, or small group of organizers, in advance.
And tossing around some names, we decided upon "PyCamp"."
Comments (none posted)
The RailsConf 2007 will take place on May 17-20, 2007 at the Oregon
Convention Center in Portland, Oregon. Registration is now open. "The
four-day RailsConf 2007 program will feature the most innovative and
successful Rails experts and companies. Attendees will learn about the
bleeding edge Rails techniques, strategies, and pitfalls in Rails
adoption, as well as best practice development theory. Sessions will be
offered for all levels of expertise including hands-on workshops that will
show how to employ Rails in a variety of situations."
Full Story (comments: none)
Events: February 15, 2007 to April 16, 2007
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| February 12 - February 16 | Ruby on Rails Bootcamp Training | Atlanta, USA |
| February 12 - February 15 | 3GSM World Congress 2007 | Barcelona, Spain |
| February 14 - February 15 | LinuxWorld OpenSolutions Summit | New York, NY, USA |
| February 15 | TiE Open Source Summit | Pittsburgh, PA, USA |
| February 16 | The Ubucon New York | New York, NY, USA |
| February 19 - February 23 | DebianEDU DevCamp | Soissons, France |
| February 22 | PyCon Tutorial Day | Addison, Texas |
| February 22 | CELF Japan Linux Technical Jamboree #13 | Tokyo, Japan |
| February 22 - February 24 | OpenMind 2007 | San Giorgio a Cremano, Naples, Italy |
| February 23 - February 25 | PyCon 2007 | Addison, Texas |
| February 23 | PHP Conference UK 2007 | London, England |
| February 24 - February 25 | Free and Open Source Software Developers' European Meeting | Brussels, Belgium |
| February 24 - February 25 | Java/DevJam/2007/Fosdem | Brussels, Belgium |
| February 26 - March 1 | PyCon Sprints | Addison, Texas |
| February 26 - March 2 | PHP5 Bootcamp Training at the Big Nerd Ranch | Atlanta, Georgia, USA |
| February 27 - March 1 | O'Reilly Emerging Telephony Conference | San Francisco, CA |
| February 27 - March 2 | EUSecWest Applied Security Conference | London, UK |
| February 28 - March 2 | Network and Distributed System Security Symposium | San Diego, CA, USA |
| March 2 - March 3 | LinuxForum 2007 | Copenhagen, Denmark |
| March 3 - March 8 | O'Reilly Emerging Technology Conference | San Diego, CA, USA |
| March 5 - March 8 | EclipseCon 2007 | Santa Clara, CA, USA |
| March 5 - March 6 | Karlsruhe Workshop on Software Radios | Karlsruhe, Germany |
| March 8 - March 10 | 2007 Open Source Think Tank | Napa, CA, USA |
| March 10 - March 13 | Camp 5 Advanced Zope3 Training | Charlotte, North Carolina, USA |
| March 12 - March 16 | QCon | London, England |
| March 12 - March 16 | Third Annual Security Enhanced Linux Symposium | Baltimore, US |
| March 12 - March 14 | BOSSA Conference | Porto de Galinhas, Brazil |
| March 13 - March 14 | The Linux Foundation Japan Symposium | Tokyo, Japan |
| March 14 - March 16 | PHP Quebec Conference | Montreal, Canada |
| March 14 - March 17 | Barbeque Sprint for Plone3 | Charlotte, North Carolina, USA |
| March 15 - March 21 | CeBIT computer fair | Hannover, Germany |
| March 16 - March 17 | MountainWest RubyConf | Salt Lake City, USA |
| March 18 - March 23 | Novell BrainShare 2007 | Salt Lake City, Utah, USA |
| March 19 - March 21 | UKUUG LISA/Spring Conference 2007 | Manchester, UK |
| March 22 - March 25 | Linux Audio Conference | Berlin, Germany |
| March 23 - March 25 | ShmooCon | Washington DC, USA |
| March 23 - March 25 | Guademy | Coruña, Spain |
| March 24 | FSF Associate Membership Meeting | Cambridge, MA, USA |
| March 26 - March 29 | Emerging Technology Conference | San Diego, CA, USA |
| April 1 - April 4 | International Lisp Conference 2007 | Cambridge, England |
| April 1 - April 5 | Embedded Systems Conference | San Jose, CA, USA |
| April 1 | GPLv3: Improving a Great Licence (discussion draft 3) | Brussels, Belgium |
| April 2 - April 6 | DJango Bootcamp | Atlanta, Georgia, USA |
| April 2 - April 5 | Hack in The Box Security Conference 2007 | Dubai, United Arab Emirates |
| April 3 - April 8 | Make Art 2007 | Poitiers, France |
| April 12 - April 14 | International Free Software Forum (Forum Internacional Software Livre) | Porto Alegre, Brazil |
| April 14 - April 15 | Ruby and Python Conference 2007 | Poznan, Poland |
| April 15 - April 18 | Gelato ICE: Itanium® Conference & Expo | San Jose, California, USA |
If your event does not appear here, please tell us about it.
Audio and Video programs
Nearthwort Obtain presents a podcast with Richard Stallman. "This show
features an interview with Richard Stallman, founder of the free software
movement and the man who put the GNU into GNU/Linux.
After introducing the concept of free software, Richard offers some
trenchant criticism of two tech superstars: the Lord of Linux, Linus
Torvalds, and Apple guru Steve Jobs. From there, we move into a discussion
of the impact of free software and freedom more generally on the evolution
of personal and global consciousness."
Comments (none posted)
O'Reilly has released two podcasts from the Web 2.0 conference; titles
include The State of the Internet, Part 3 and What GoDaddy Knows.
Comments (none posted)
Page editor: Forrest Cook