Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for February 15, 2007The Grumpy Editor's guide to note-taking applications
This is the information age, of course, and paper full of handwritten notes is tremendously obsolete. Your editor's pen just doesn't have enough fonts, and, besides, contemporary disk drives allow for the creation of much higher piles of stuff. It's clearly time to go electronic. There are numerous applications out there which are aimed at people trying to create a digital note pile; your editor decided it was time to give a few of them a try. As a way of narrowing the field somewhat, only graphical applications were considered; command-line utilities, Emacs modes, and so on were taken off the list. There's no shortage of web-based wiki systems which can be employed in this role, but they are a topic for another article some other time. Finally, there are a few systems which are aimed at "mind mapping," which is a different objective entirely. Mind mapping applications are on your editor's list to review, but, according to his kids, your editor has lost his mind entirely and will thus have a hard time mapping it. Each application was looked at from a simple point of view: how well does it support the tasks of quickly and easily creating, organizing, finding, and using notes? There are, as we will see, a few approaches to this task.
xpad
Like a number of note-taking applications, xpad puts an icon into the panel task area. Simply clicking on that icon appears to do nothing - though double-clicking causes all known notes to show up in the current workspace. The right mouse button yields a menu with the titles of each note window, along with "show all" and "close all" options. "Close all" doesn't just close the windows, it causes the application to exit completely. There is an "edit lock" feature in xpad; it turns off editing on all notes. There does not appear to be a way to lock a single window. There's not a lot of other features available: no searching, no linking between notes, no audio effects, etc. As a basic notepad, however, xpad seems good enough.
xpostit
Note windows contain simple text in the ugliest monospace font the developers could find. There is, beyond doubt, some X resource which can be employed to change that font, but your editor, it must be said, has not found messing around with X resources cool for some years now. Xpostit is one of the few notes applications with a "save" button; most of them save notes implicitly. There are no features of interest beyond the provision of containers for bare text. There is no panel icon, and no way to find a specific note beyond getting them all on-screen with "show all" and starting to dig. In your editor's opinion, xpostit is an application whose time has passed.
knotes
KNotes puts an icon in the task area; clicking on it gives a menu of note titles. Selecting a title will move to the virtual desktop containing the note (if any), a bit of a disorienting experience for users who are not expecting it. Even worse, it remembers which desktop last contained a note, and will put the note back in that desktop before moving. The right mouse button gives a menu with a number of options, including creating new notes, adjusting the ample (this is KDE, after all) configuration options, and searching. The search function is a valuable thing for a notes application to have; once the number of notes gets large, it can get hard to remember where something specific can be found. KNotes search is nice, in that it searches through all notes and it supports regular expressions. There are a couple of rough spots, though; if the next occurrence of the desired text is in a window found on a different virtual desktop, it moves the desktop rather than the window. Then it helpfully puts up a little "search for the next occurrence?" dialog - directly on top of the window containing the text the user was looking for. There are a few features unique to KNotes. One of those is alarms, added presumably so that the user can use notes as a simple appointment manager. There is an option to send notes via email. It is also possible to send notes directly to an instance of KNotes running on another system - though the acceptance of notes over the network is (sensibly) turned off by default. Notes can be locked on a per-note basis, preventing inadvertent modification of notes when desired. Another nice feature is that notes can be dismissed by hitting the escape key. As a result, pulling up a note, adding a line, and making it go away can be a very quick operation - and that, in turn, encourages the keeping of good and complete notes. Without the desktop warping, KNotes would be almost perfect as a simple, quick, capable, and visually attractive notes manager. It's worth noting (so to speak) that KNotes is also available as a component of the Kontact organizer. Running Kontact gives access to all of the notes created in KNotes, but it appears that the full integration of this functionality is a work in progress. Kontact notes windows look more like traditional text editing windows; they do not appear to be intended to be left around the screen like KNotes windows. Kontact does add a spelling checker, however. Even so, in your editor's opinion, KNotes works better as a standalone application at this time.
Tomboy
Tomboy places an icon on the panel - not in the task area. Clicking on that icon yields a menu with the titles of the ten most recently modified notes, along with create and search options. Unfortunately, your editor seems to cycle through a set of about eleven notes, with the result that the desired one is often not on the list. Selecting "search all notes" brings up a dialog with all known notes and a simple search box. Typing text into that box trims the list of notes to those containing matches. There is no regular expression capability. The escape key will dismiss a Tomboy window; combined with the panel icon, this feature allows for quick note updates. A feature unique to Tomboy - at least, among the applications reviewed here - is the ability to link between notes. By highlighting a term, the user can create a new note using that term as its title; thereafter, clicking on the term will bring up the new note. There is also a backlink feature: the tools menu includes a "what links here?" item which will give a list of notes linking to the current one. Tomboy has a fair number of options for decorating text with different fonts, colors, sizes, etc. For the most part, there is not much use for this capability in a note-taking application, but the ability to create bold headers can be nice. It's also useful to be able to strike out text to, for example, mark off completed items on a "to do" list. A long list of crossed-out items just gives more satisfaction than simply deleting them, somehow. Tomboy will also create bulleted lists when lines are typed beginning with an asterisk. Notes can be printed (a feature not supported by all applications) or exported to HTML. There is a plugin mechanism which can be used to add interesting functionality; current plugins offer integration with evolution and bugzilla, for example. Tomboy also has a spelling checker which, by default, decorates notes with lots of obnoxious red underlines. It is rare that perfect spelling is required in a collection of personal notes, however, so your editor is pleased that this feature can be turned off. Overall, Tomboy is a nice application; your editor's biggest complaint would be that its memory footprint is huge - even by GNOME standards. The use of Mono cannot help in this regard; it is hard to imagine which features in an application like this would really need the Mono framework for their implementation. With a bit less baggage, Tomboy would be nearly perfect.
BasKet
Unlike other note-taking applications, BasKet does all of its work within a single window. At the top level, it maintains a tree of "baskets," each of which can contain any number of notes. Only one "basket" can be viewed at any given time. Baskets can be configured with up to three columns; notes are then lined up in the columns. There is also a free-format mode, where notes can be placed anywhere, even on top of each other. In your editor's opinion, the proper metaphor might be a bulletin board - each "basket" is a place where any number of things can be pinned and organized. BasKet offers a great deal of control over fonts, sizes, weights, and so on. There is a mechanism for attaching tags to notes; each tag brings with it an icon and, perhaps, a set of heavy-handed color choices. Tagging an item as "work," for example, turns the text a sort of dark yellow color. There is an "insert image" operation which yields an empty note and a dialog on how BasKet cannot do image editing. Dragging an image over from konqueror does the expected thing - though your editor remains a little mystified by the concept of "moving" (as opposed to "copying") an image into the application. Baskets can also contain links, application launchers, and other surprises. The end result of all this stuff is that the BasKet window quickly turns into a gaudy mess of wild colors and images. If your editor's word is not sufficient on this fact, the BasKet screenshots page should dispel any doubt. The BasKet developers are also enamored of animated effects, tooltips, and the use of audio signals. The display of any given basket can be narrowed to items marked with a given tag. There is also a simple search mechanism which shows only the notes containing a given string. No regular expressions are supported, and the search only applies to the currently-displayed basket by default - though there is an option to make it global. There is a feature by which baskets can be globally bound to shortcut keys, allowing them to be summoned by a single keystroke. Unfortunately, an attempt to play with that feature left your editor with a totally locked keyboard, a situation which made the writing of this article rather more difficult than it otherwise had to be. Logging in over the net and killing BasKet took care of the problem. One assumes this behavior is not part of the original design specification.
SummaryOf the applications reviewed, the first two (xpad and xpostit) are of relatively little interest. They reflect the state of the desktop art as it was several years in the past. Xpad is still a useful application, but it has been surpassed by others. BasKet is an interesting attempt to do new things with notes. For your editor's needs, however, it is overkill. The whole point of note taking is to collect ideas together, track things to do, etc. It doesn't need images, colors, animations, sounds, and so on. BasKet seems to be more directly aimed at people who care about making their notes collections look cool. Your editor, who gave up any hope of looking cool back in high school, does not need BasKet's features. That leaves KNotes and Tomboy. Either is an entirely capable application. The Tomboy feature set still seems like it is most directly focused on the note-taking application; the search feature is nicer to use and linking between notes is useful. But one could get the job done quite nicely with either of these applications.
Avoiding the tar pit This Washington Post article is one of many expressing disappointment with Microsoft's Vista release, which is famously late and which has failed to live up to Microsoft's early promises. The article claims that the problems are not specific to Microsoft:
The sad truth is that Microsoft's woes aren't unusual in this
industry. Large-scale software projects are perennially beset by
dashed hopes and bedeviling delays. They are as much a tar pit
today as they were 30 years ago, when a former IBM program manager
named Frederick P. Brooks Jr. applied that image to them in his
classic diagnosis of the programming field's troubles, "The
Mythical Man-Month."
In this context, it behooves us to ask: is there a free software tar pit in our future? What can we do to avoid a grim future where we bog down, our software collapsing under its own weight? Looking at the state of the free software community now, it is tempting to say that, so far, we have nicely avoided the tar pit. But have we? Here are a few dates from the past which may be of interest:
The 2.5 development series was stalled for almost one full year while 2.4 reached a state which actually approached stable. Overall, the process from 2.2.0 to a stable 2.4 took almost three years; the kernel was in a "feature freeze" state for about two of those years. This was a time when quite a few people - many of them kernel developers - felt let down by the development process. This, your editor would attest, was a tar pit era. One might well argue that the kernel has not yet escaped that tar pit. Like Vista, we lack a shiny new next-generation filesystem; the only credible attempt at such a filesystem (reiser4) remains in a stalled, feature-reduced state. It seems likely, however, that most observers would agree that the tar pit has been left far behind. The kernel development process has been humming along at a high pace, delivering interesting new releases every few months. The same story can be seen in many other parts of the free software community. If we accept that things have gotten better, it can be interesting to look at why. One hint can be found in the same article:
Without that discipline, too often, software teams get lost in what
are known in the field as "boil-the-ocean" projects -- vast schemes
to improve everything at once. That can be inspiring, but in the
end we might prefer that they hunker down and make incremental
improvements to rescue us from bugs and viruses and make our
computers easier to use. Idealistic software developers love to
dream about world-changing innovations; meanwhile, we wait and wait
for all the potholes to be fixed.
Any successful free software project must get good at fixing potholes; in the worst case, users (and distributors) will do the job for themselves. In a well-managed project, the people who are trying to improve the whole world will not get in the way of the pothole fixers. There is no single team, charged with all the development on a project, which can get bogged down in that way. A "well-managed project" must find a way to keep whole-world improvements from stopping everything else, however. The older, multi-year kernel process did not always succeed on that front; the attempt to improve the entire kernel ended up bogging down the entire process. The new kernel development model, with its short release cycles, has caused some developers to complain that it is no longer possible to make major changes that require a long time to settle down. To the extent that this complaint is true, it should maybe be seen as a good thing. By only merging changes which can be brought to a releasable state within a month or two, the new process sidesteps the tar pit and keeps the development machine running. One of the key suggestions in The Mythical Man Month is the formation of "surgical teams" to support the lead programmer(s). Some of the team members - such as the clerk who "keys in" the code - seem a little quaint now. But the idea that the people running the project (or parts of it) need lieutenants, documentation writers, tool makers, etc. still makes a lot of sense. Once upon a time, the kernel lacked much of that structure, with everything concentrating on a single developer - Linus Torvalds. Now there is a vast network of lieutenants. Quite a few developers focus their effort not on the kernel, but on the tools used by kernel developers. All that's missing are the clerks - and, perhaps, the documentation writers. One of the biggest anti-tar pit technologies used by the free software community would have been hard for Mr. Brooks to imagine back in 1972: multiple, independent development teams. Any project of any size has a wide range of independent, sometimes conflicting development efforts happening at the same time. If one group bogs down, the others continue unhindered. The process may seem inefficient, given that a significant portion of the work which is done may never survive to a stable release. Throwing away code can be painful, but it is far less so than throwing away the entire project. Peer review is also missing from the Brooks landscape. But peer review helps to ensure one of the things he thought was vital for a successful project: a clear conceptual architecture for the project. That architecture may take a surprising form: few free software projects have the sort of extensive design documentation that he probably had in mind. But a crowd of reviewers can help to ensure that new code is consistent with the principles behind a project - and that it is maintainable into the future. In this context, it is notable (and worrisome) that an increasing number of proposed kernel features are finding themselves stalled by a lack of reviews. Finally, one should note that free software projects have mostly learned a sure-fire way to avoid a failure to live up to their promises: they don't make any. Vaporware tends to be scarce in this community; either the code exists or it does not. Very few projects are truly controlled by one corporation, so companies are also restrained in the promises they make about future releases; they are in no position to ensure that those promises are fulfilled. The relative freedom from marketing-driven promises helps free software projects avoid disappointments - but it also helps them to focus effort on objectives with a reasonable chance of success. To argue that the free software community is immune to the problems of large-scale software development would be foolish. For all their growth, many or most components of a system like Linux are still a fraction of the size of their equivalents on certain proprietary systems. As our code base grows, there will undoubtedly be new challenges for those who would continue to develop it. But the free systems we have today must certainly far exceed the size of System/360 when Mr. Brooks was managing it, and we would appear to be going strong. With widespread community participation, improving tools, and the willingness to change our development models in response to real-world problems, we should be about to stay out of that tar pit for some time yet.
Page editor: Jonathan Corbet Security Linux botnets Collections of subverted machines, called botnets are typically associated with Windows; thousands of zombie desktops sending spam and causing other internet mayhem. Unfortunately, it is increasingly clear that Linux boxes (as well as MacOS X and other UNIX boxes) are participating in botnets, but in a bit of a twist, it is mostly servers that have been subverted. Botnets are an enormous problem that Vint Cerf recently estimated may involve up to one quarter of all internet connected computers. This translates to a botnet controller's fondest wish: 150 million zombie machines to rent to the highest bidder. Desktops are usually infected with a bot by an email-borne virus or a trojan attached to some application that the user installs, much like adware and spyware infect machines. The bot software then connects to a 'command and control' (C&C) infrastructure, that often use Internet Relay Chat (IRC) servers, to get instructions on what they should do. The 'owner' of a botnet (known as a bot herder) can then instruct the bots to do whatever they, or more likely their client, want. Because the traffic generated from a botnet comes from all over the Internet, it is difficult or impossible to recognize it for what it is. This allows botnets to be used for spamming, distributed denial of service (DDOS) attacks, click fraud and other malicious activities in a largely untraceable way. The desktop infection methods are not typically as useful for Linux boxes and so bot herders have turned to web application exploits as a means for collecting subverted machines. Attacking servers has the additional advantage that they are usually machines with much greater resources: faster network connectivity, more storage, faster processors, etc. The attacks are largely targeted at everyone's favorite Internet security whipping boy, PHP applications. Open source PHP applications are the main target as they are ubiquitous and typically easy to exploit as some recent research indicates. An additional benefit of targeting a higher level application is that it is a cross-platform exploit; the operating system and web server software are immaterial if the target is a PHP application. The easiest type of vulnerability to exploit is often Remote File Inclusion (RFI) which allows an attacker to run code on a vulnerable server with the permissions of the webserver. Generally, those permissions are sufficient to allow the bot to do anything the herder might wish it to; sending email and other network traffic is not normally a privileged activity. Even a cursory glance at the Bugtraq mailing list will reveal numerous RFI vulnerabilities; they are reported regularly and each can lead to bot exploitation if not patched. Many different types of malware can be installed on a vulnerable machine, depending on the intent of the herder. As with the exploit itself, the installed code tends to be written in a scripting language so that it is cross-platform. The malware can range from simple test tools that indicate vulnerable servers to sophisticated shells that allow the attacker to effectively login to the server and perform any allowed operation. The most serious damage that these botnets have caused is to our inbox; bots seem to be the preferred way to deliver spam these days. Diligent anti-spam efforts tend to get spamming accounts or systems shut down within hours but there is no easy way to shut down a spam-delivering botnet. A less visible, but potentially more damaging effect is DDOS attacks on internet sites. By attacking a site and working their way up the chain of DNS servers and registrars, a botnet can silence a site the herder does not like or hold sites hostage until they pay a ransom. Past efforts to thwart botnets have often focused on destroying the C&C servers by shutting down the affected IRC sites, but botnets are moving toward using HTTP for C&C which allows that traffic to hide amongst the sea of similar traffic; it also has the advantage of getting through most firewalls. Botnets will be a serious problem going forward, and Linux systems are not immune to participation in them. The financial incentive is large and the means of prevention are weak, at least so far. As we have learned by trying to deal with spam, money makes our adversaries much more inventive which makes long-term solutions hard to come by.
Security news An update on the Solaris telnet vulnerability For those who are interested in the Solaris telnet vulnerability, Gadi Evron has put together a comprehensive summary of the problem, how Sun responded, where to get fixes, etc. "Whatever my thoughts are on how silly, sad or funny this vulnerability is (quaint really), how they use telnet (?!) and how Sun should be smacked on the back of the head for it, I have to honestly admit Sun's response and the level they were open to the community and industry on this without too many PR/legal blocks getting in their way are very encouraging..."
New vulnerabilities ImageMagick: buffer overflow
MoinMoin: cross-site scripting
rar: buffer overflow
smb4k: multiple vulnerabilities
snort: denial of service
twiki: arbitrary code execution
wordpress: multiple vulnerabilities
Updated vulnerabilities apache: cross-site scripting
bcfg2: local password disclosure
bind: denial of service
bluez-utils: hidd vulnerability
bugzilla: multiple vulnerabilities
busybox: insecure password generation
cpio: arbitrary code execution
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dbus: denial of service
dovecot: index cache file handling error
fetchmail: password disclosure and DOS
ffmpeg: buffer overflows
Mozilla stuff: multiple vulnerabilities
freeradius: several vulnerabilities
freetype: integer overflows
ftpd: privilege escalation
gcc: file overwrite vulnerability
gd: buffer overflow
gdb: buffer overflow
gdm: improper file permissions
gnupg: stack overwrite
gtk2: denial of service
gv: stack-based buffer overflow
gzip: multiple vulnerabilities
horde-kronolith: local file inclusion
imagemagick: buffer overflows
ImageMagick: buffer overflows
imlib2: arbitrary code execution
java: multiple vulnerabilities
kdelibs: integer overflow
kdelibs: cross-site scripting
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service by memory consumption
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[xpad]](/images/ns/grumpy/xpad-sm.png)
![[xpostit]](/images/ns/grumpy/xpostit-sm.png)
![[knotes]](/images/ns/grumpy/knotes-sm.png)
![[tomboy]](/images/ns/grumpy/tomboy-sm.png)
![[BasKet]](/images/ns/grumpy/basket-sm.png)