The free software community has two independent projects working toward the
implementation of a free Flash player:
Gnash and swfdec. There has been some
talk recently about these two projects, their goals, their accomplishments,
and whether it makes sense to have them both. In an effort to bring more
light to the situation, LWN held a conversation with the principal
developers of both projects.
LWN: Could you please introduce your project: its goal, what you
think are its major strengths, and what you would most like to improve?
Benjamin Otte: The obvious goal of Swfdec is to create an
open flash player that is acceptably similar to Adobe's flash
player. This means that the average end user will install a Linux
distro and automatically get Flash functionality in their web
browser, and never know or worry about installing an add-on
component.
Of course, attaining this goal will open up so many opportunities
that one might consider the opening of these opportunities as the
real goal. Some of these are concrete -- improving accessibility
of Flash-based web applications, tighter integration with the
desktop, automatic blocking of advertisements. Others are more
nebulous -- now that you have a feature-rich, graphics-oriented
managed platform, what can you do with it.
Rob Savoye: We are the "GNU Flash" player, Gnash. Our goal is
a multi-media architecture for a networked world that happens to be
Flash programmable. Gnash is the client side for streaming
multi-media. We also have a Flash media server project underway,
and a large database of meta-data and media content so people can
find things better than using Google. Gnash is the only currently
released component, the rest will be announced over the next few
months. All are GPL'd projects, and support multiple platforms.
Our major strengths are portability, and real support for small
embedded systems. Gnash currently supports all the BSD and
GNU/Linux distributions, as well as 64 bit systems, and embedded
systems like the OpenEmbedded, and the OLPC. Gnash also runs on
WinDoze and Darwin as well. We also support creating custom
extensions to Flash, so it's now possible to embed a device driver
for, let's say, hardware buttons on your smartphone, to trigger event
handlers within a Flash movie.
I'd like to improve the completeness of our ActionScript support,
there are some classes that exist only as stubs. That and adding
Flash v9 support. This is all on the roadmap, but we need more
developers to make better progress.
LWN: How would you describe the current development state of your
project?
Rob: We're in pretty good shape, although Gnash is not a
fully complete Flash player yet. The video support is progressing
nicely, and we will have full support for Lulu.tv, YouTube,
MySpace, etc... in the next release. Streaming video works in CVS,
now we're working our way through the obscure bugs in the various
video players to have this work 100% correctly. After the next
release, we'll be focusing on performance issues, and finally
starting to look at Flash v9 compliance.
Benjamin: Swfdec is actively going forward. With every
release it supports lots of new Flash files, and they currently
come out circa monthly. But as I mentioned on my blog it's hard
to determine how far we've come as a complete Flash replacement.
It's certainly still closer to the start than being done.
LWN: Tell us about your development community: how many active
contributors do you have? Why should developers join your project?
Benjamin: These days the project is primarily run by me.
David Schleef, the previous maintainer is the other person that
hacks on the Swfdec core. But Swfdec integrates into the greater
Freedesktop and GNOME world, so we can draw from the knowledge and
input of hundreds of developers. I'd like to highlight in
particular the Cairo or GStreamer people, which are
invaluable in making Swfdec work. And then there's a pretty big
community building around Swfdec. Packagers, bug fixers, people
that want to use libswfdec in their applications or those that
contribute bindings to other languages like Python.
And developers should of course join the project because they want
to and hacking on Flash is fun. For me it's not just wanting to
play Flash files, but it's also that Flash is a platform. You can
work on anything: a script language interpreter, rendering,
multimedia, accessibility or security. And code that you write is
immediately leveraged -- you make one thing work, and 100s of flash
files start working.
Rob: We have about 6 core developers right now, and are
looking for more of course. What we offer to developers is several
things. One, we are a GPL'd project, which is important to some
open source developers. We also have funding now to work on Gnash,
which is also useful for some people to pay their bills. :-)
LWN: A working free Flash implementation would seem to be a high
priority for the more desktop-oriented distributions. What sort of support
are you getting from those distributors? Why do you think it's not
stronger?
Rob: We get zero support from any of the distributions, we'd
love to see that change. I occasionally hear from the package
maintainers about packaging issues, but that's about it...
Benjamin: It would seem that way, but it isn't. For
example, a free Flash implementation was not on Ubuntu's list of
priorities at the last Ubuntu Developer's Summit. It seems that a
lot of distributions are content with shipping solutions that are
closed software when no Free software exists for a purpose.
Another example for this would be Free drivers for modern graphics
cards.
But I don't think it's solely the distributions' job to point out
and work on deficiencies in the Free software world. It is also
the job of the community. Distributions often just package what
the community makes available to them. But it seems the community
has also been content with the closed solution.
LWN: Some LWN readers have complained that having two projects aimed
at implementing Flash is divisive and wasteful. How would you respond to
those readers?
Benjamin: The optimal number of projects for a given project
space sounds like a good PhD thesis topic. Having multiple
projects in a space, or multiple solutions to a problem is simply
how things work in the community. Any non-trivial bug or project
space has multiple solutions, and often one cannot determine which
is the best solution until all have been tried. Also, people
working on these projects are real people with real interests and
complex motivations for working on particular projects.
Simplifying it into "you currently work on A, so you'd instead like
working on B in the same project space" is unrealistic. And IMO,
divisiveness between similar projects often has more to do with
fanboys than it has to do with developers, who obviously share
interests and experiences.
Rob: Maybe in the proprietary world this would be a problem,
but not in the open source world when we are both reverse
engineering how Flash works. It's easy to get into tunnel vision
with a single implementation, as some are bugs in our code, and
others are bugs in how we think Flash works internally. Having two
projects with very different implementations is very useful in
finding the differences between our bugs, and Flash internals
issues.
There is also a lot of coordination on things like test cases,
specifications, and documentation that are shared between the two
projects. So why is this a problem for some people is beyond me...
LWN: What else do you wish I had asked? Answer too, please :)
Rob: The Adobe EULA for Flash forbids anyone who has
installed their Flash tools or plugin from working on Flash
technologies. This has had a chilling effect on the development of
free Flash players, since a developer must either choose to decide
that Adobe won't sue them over this, or to do what Gnash does,
which is a slow and inefficient, clean room, reverse engineering
project.
Adobe has declined to comment on this issue, since the confusion
benefits their lock-in of the market. Although Adobe has said they
support Open Source projects, and donated Tamarin to Mozilla, we'd
love to see a public statement that Gnash developers won't be
subject to a lawsuit. It's very difficult to find developers that
have never installed the Adobe software ever, which is what we've
been doing to maintain our clean room approach.
Benjamin: A lot of people would describe Flash as an "evil"
format. What do you think the Free software community can gain
from Flash other than supporting yet another closed format?
Flash provides features that are unmatched in the
current Free software world, even when comparing it to the newest
projects in the realm like SVG. And Flash is a pretty simple
format. People have done great-looking sites, games or
applications with Flash in your browser that are currently hard or
impossible to achieve on any desktop. And they did that 5 years
ago. So even if the Free software world were to not use Flash it
certainly can learn a lot from it.
Another often overlooked thing is that there are a lot of content
creators that create new multimedia content daily. Other people
like Lawrence Lessig have already said that it is important to
introduce them to Free content. In providing Free solutions to
those artists and developers, the Free software community has a lot
of mindshare to gain.
April 2, 2007
This article was contributed by Glyn Moody
Chris Melissinos, Sun's Chief Gaming Officer, has been playing - and writing - computer games since his teens. He has overseen the development of several major open source projects at Sun, including Darkstar, a research effort focused on the design of massive-scale, latency-optimized systems. He talked to Glyn Moody about the origins of Sun's interest in gaming, and how the company hopes to apply technologies like Darkstar far beyond that field.
What's the background to Sun's gaming activity?
It was about '98 when I started writing emails around the company, asking why we were not focusing on the games industry, how the oncoming surge of connected gaming was really going to require enterprise-level cross-platform technologies to really move the industry forward. Selling videogames to an enterprise company who was the dot in dotcom during the Internet boom days was almost a religious experience. About two years later, after trying to force this, I finally went directly to Scott McNealy and said: Why aren't we doing this? And he said: OK, well, you do it.
When was Sun's Game Technologies Group set up?
It was formally established in 2003. What we've done is gone out to the games industry and said we want your help in making Java a terrific platform for game development. So what's wrong with it? Why aren't you using it? We held a summit and walked away with a blueprint and from that assembled an experts group of 14 game companies and submitted the largest submission to the Java Community Process, called JSR 134, which was the Java Game Profile. Basically the attempt was to build the equivalent of DirectX in Java, and provide a complete cross-platform stack for media and game development.
Trying to build 9 APIs in a community process with 14 game companies proved to be just insane. So after a year and half of doing this we walked away from that process and decided to take the core APIs, which were the Java bindings for OpenGL, Java bindings for OpenAL for audio, and input, and we released those to the open source community, about the end of 2003, beginning of 2004.
Why did you decide to open source the APIs?
Consumers aren't going out and downloading a million different business applications or productivity applications, they're not going out and downloading a new email client every other week. But what they are downloading are new games, all the time. So in order to continue improving Java adoption on the consumer side, we really need to focus on entertainment.
If we're not going to actually stand up the organization to go after that market, which would be a huge investment from Sun's perspective, we said, Why don't we go out and give it to the community, because they're the ones that are actually innovating in gameplay? The independent game development scene is important and it's going to continue to be important as nextgen consoles come and start tapping into that market. It was the open sourcing of those APIs that really helped further establish Java as a viable platform.
Why is open source attractive to developers in the gaming community?
It's all about mitigating risk and cutting cost. As the budgets of these games continue to climb, they're looking for hardened, tested, proven technologies rather than building it themselves. Today, nobody wants to build their own tools anymore. It's too much money, it's too time-consuming - how many times do you have to rebuild chat? So they're looking towards things that they can get access to for low cost, test against, prove that it works and build on top of it.
How did Project Darkstar come about?
We said, OK, we've got these APIs done and we're moving forward, but there are some much bigger issues coming down the road with regard to network games and online gameplay that the games industry is ill-equipped to address. Being able to build enterprise-grade, scalable, fault-tolerant systems for online gaming is something the games industry just is not equipped to do. Why? Because they're game developers. Game developers don't want to deal with the pipes, the underlying network infrastructure. They want to build a game, they want to build an experience in art and story and music.
One of the things I like to point out is that really the biggest online multiplayer game in the world is Wall Street. If you look at everything that goes into building a realtime transaction-based system like a trading system, it's almost one for one what is required to build an online massively multiplayer game. So we said, OK, how do we take the things that we've learned about building those sorts of systems and apply them in a way that a game developer can get their heads around the technology without having to understand all the underlying components? What we have put together is a game-agnostic, platform-agnostic, server technology for online multiplayer gaming.
Darkstar is a wholly new way of building back-end technologies for online gaming. I'll give you an example of the type of things that exist currently in the games industry, and what we had to do differently to bring this technology forward.
[The virtual world] Second Life uses a geography-based grid system, which means that every square of their geography has to be physically represented by a server on the back-end - they've got 3000 of these servers. What that means is that if I have resources available on 80% of the servers because they're only running at 20% capacity, there's no way for me to grab those idle resources and apply them to other servers that are being just pounded because people are trying to get into that geography within the game world.
Another model is the sharded model, and this is the one that's been most widely adopted by the massively multiplayer game marketplace. A series of servers that represents the entire video game state for a fixed amount of players. So I may have between 7 and 20 servers that run the entire game of Everquest II for 5000 players. And when I want to add another 5000 players I build another seven to 20 servers and I basically just replicate all the data and put the next 5000 on the second stack of servers.
Again, you have problems. If I have 5000 people on one stack and I want to add 10 more people, I have to build a stack to service 5000 people, just to facilitate the introduction of 10 more people into the environment. Which then means that that second stack is costing 10 times the amount to run than the first stack, because you're not utilizing it. I cannot share dynamically those resources.
More importantly, I can only see the 4999 people within my shard: I can't see the next 5000 people that have joined the Everquest II service. This becomes a problem if you and I are next door neighbors and we're sitting down to play a game of Everquest II and we log in to different servers. That's it, we can't play with each other.
These are the things we have been addressing with Darkstar. Rather than assigning compute resources to a particular geography of a particular world, or a particular group of people, we are in essence assigning compute resources to the individual that connects to the system. As they move from area to area within the game we are basically moving those resources with them dynamically.
Say I have the foo forest and the bar desert, and in the foo forest I can handle 100 people and in the bar desert I can handle 100 people, and they're at 100% capacity. As people move out of the bar desert into the foo forest, they take those compute resources with them. All of a sudden the foo forest can handle 150 players and the resources being assigned to the bar desert have been decreased to handle only 50.
So what we're doing is moving dynamically compute resources with the player as they move from interaction to interaction. And we're able to do this in a seamless way, we're able to do this with an incredibly high degree of data integrity because of the way the database system works within Darkstar.
For example, if you're playing on the server, and you're doing a transaction, and the server goes down in the machine room, what we're able to do is on the fly say: OK, this thread that you were just occupying died; find any other available thread anywhere else in this entire thousand-node system, and just re-perform the operation. And it just does it automatically. That means the players never see the server go down, you're never disconnected from the service.
And even if they are, because of the way that we actually do these transactions and we're pulling things into memory, we maintain a very high degree of persistence. So let's say you logged off your machine by accident - because you kicked the power cord out. When you log back in, we're able to persist all of the data that was there when you abruptly logged out, because the system knew that something happened, there was a disconnect here, it wasn't shut down as the client is supposed to, so persist the data.
The interface that we've built to the system is through a set of APIs. So it's not as if [developers] have to understand how it's doing failover and what it's pulling into in memory, and all these other things. They just interface through the APIs.
How will you be managing the community side of Darkstar?
Those are things that we are currently addressing. We are working to make sure that we have a dedicated community landing spot and place for people to engage directly with the Darkstar team at Sun Microsystems. To help incubate the games that will be built on top of the technology, we have announced a program called the Darkstar Playground. Basically, developers will have access to a set of resources operated and paid for by Sun Microsystems, free of charge.
What is the business model for all this?
I have to tell you that I was not a big believer in open source, originally. It took me a while to understand exactly what the benefits are of open source, and that the benefits clearly outweighed any other model we looked at.
So how do we make money here? Because I give you a server, for free, and open source that required years of development, millions of dollars in funding, and some of the brightest people that we have in Sun Microsystems to build, when it comes time to service that, are you, as a game company, going to go out and hire four guys and have them sit down and try to understand all of the inner workings of everything? Or do you come to me, and I can give you a service contract that has an SLA in there, that guarantees certain things to the company, and it's reasonably priced?
Because Darkstar is game agnostic, and I can run multiple games simultaneously in the same stack, what you start looking at then is the ability to build a model that very much mirrors what the cable industry built against terrestrial television, which is a single infrastructure provisioning many channels of content. We can do the same sort of thing with Darkstar. One large infrastructure may handle many different channels of game content. So it's not unreasonable to look at the possibilities of setting up a complete service where a game developer or publisher never buys a single lick of hardware, they put their games onto a service, and then they're charged for usage.
Looking further down the road, what if you're so good at collecting money and doing the billing that basically you wind up collecting the payments for them? Instead of the developer getting a bill from you every month, they get a check, and [you] take the burden of the operation of these things off the shoulders of content creators.
And the third thing to look at is that we also happen to make some pretty awesome hardware, and wouldn't it be great if you had these kind of certified products that came out already preloaded that you could just slap into your data centre, expand your Darkstar infrastructure on the fly?
How important do you think the revenue streams from these will be?
Without really giving out hard numbers, because it's not something that I can do, I can tell you that the online multiplayer segment of the games industry is not only the fastest-growing segment of the $40 billion industry, but is proving to be among the most critical pieces of the games industry. You look at the fact that every game console coming out, every one of them now is network enabled. From the Nintendo DS to the PS3, all of them have a network strategy.
Most people go: Ah well, how many people are actually playing those dungeons and dragons games anyway? That's an extremely small segment of what I believe is massively multiplayer games. The next-generation demand for these are not going to come from people like you and I at our ages, they're going to come from our kids. In fact, the biggest growth area right now I believe for online gaming is children between the ages of 6 and 12. One only has to look at sites like Neopets to get an inkling of where this thing is going to go.
So do I believe that this could be a significant revenue source for Sun Microsystems? There is no doubt in my mind. I also believe that because of the nature of the technology, we're going to wind up seeing Darkstar in places other than pure online games - anything that's doing high volumes of transactions across many, many people simultaneously could leverage this technology. For example, at the Game Developers Conference we demonstrated a concept space called MPK20 - basically Sun looking at game-type technologies but applying them to business practices.
MPK20 was a virtual office, and one of the things we integrated into the environment that you don't see in multiplayer games is positional audio. The core thing about it was that we were able to integrate this voice bridge technology that Sun has, which is a VoIP and audio technology, directly into this environment. As you're walking into the environment you can hear the conversations of the other participants as you walk by, and as you turn your head you hear them move.
What about integration of external applications into this environment?
There is a complement to MPK20, which is called Project Wonderland, basically an open source framework for doing the integration of applications into these sorts of environments. Look at this from a business perspective. Three of us are all connected to this virtual environment, and you and I are standing in your office, and on your wallpaper is your entire Linux desktop - you can use it from inside this 3D environment. And because you and I have sufficient permission to actually see that content, I'm looking at this screen as you're manipulating it. But then [someone] comes walking in and she does not have the right level of permissions, so what does she see? Just a blank window - she sees out to the mountains.
And can people collaborate on those documents?
Absolutely. I could put something up, we could each have a different-colored pen to draw on it, in this space in realtime. I can work on a piece of code, pop it up onto the wallpaper, and say: Hey, will you run this application when you come in, in the morning, since we're twelve hours behind each other in timezones, and just post your thoughts? And when I come back in the next day, you've run the application, all your notes are scribbled right there on the whiteboard in this virtual space.
Let's say there's a fourth person we wanted to be in this conversation, but they weren't able to be there. We can actually play back the entire script and they can view it at their leisure later on. Because it's just a script of a 3D engine, they can actually play it back nuance for nuance, word for word, audio for audio, movement for movement, at any other time. And because they're looking at it from a third-party perspective, they can actually move around the rest of the environment and hear other things that are going on, and see other things that were occurring at the same time.
That MPK20 demo happens to be entirely written in Java - it went from paper to demo in six weeks, with four engineers. But Darkstar, the technology, does not require that your game is built in Java. So if you're writing your entire game in C or C++ we have the same APIs that will let you connect to Darkstar as somebody who's building a Java game. And both of those games written in those two different languages can connect to the same Darkstar server at the same time and use its resources.
What we're saying is, from the client perspective, pick your client, we don't care. If you want to go out and build the game in Java, we'd love it. If you want to build it in C++, knock yourself out, and there are APIs to allow both of those technologies to leverage the platform. We're not saying that it has to be just Windows and OSX, it can be anything you want, including mobile.
Right now, we're the only company that has built the technology that's designed to be multiplatform for network-based gaming. I think we're coming to the market at the right time with the right message. Open sourcing it means the community can grow and build the pieces that they really want and we're going to be there to support it, grow on top of it, and build the business around it.
Glyn Moody writes about open source at opendotdotdot.
Page editor: Jonathan Corbet
Security
Brief items
April 4, 2007
This article was contributed by Jake Edge.
Finnish security company Codenomicon announced a new initiative to assist
open source software projects in finding security flaws. The Codenomicon
Robust Open Source Software (CROSS) program is targeted at projects that are
part of the infrastructure of the internet; by making its proprietary testing
tools available to those projects, the company hopes to find critical
security flaws before attackers do.
For Codenomicon, this is their second foray into assisting open source
projects. In 2004, their tools were used by Red Hat engineers to find
denial of service vulnerabilities in Apache and OpenSSL. Unlike the
previous effort, the CROSS program
aims to work directly with the projects, allowing them to use the tools
to find flaws. They are currently working with around 20 hand-picked
projects, but Codenomicon hopes to add more projects down the road.
The projects selected represent diverse network protocols, with voice over
IP, network storage, and routing specifically mentioned as participants.
Lack of prior testing as well as "interesting" protocols were also cited as
criteria used to help select the participants. The list of specific
CROSS projects is not publicly available as both Codenomicon and the
projects themselves are concerned that participants would suffer from
increased 'black hat' scrutiny if they were identified.
Codenomicon's product line is a suite of network protocol testing tools
called DEFENSICS that are an outgrowth of research done at the University
of Oulu in the Secure Programming Group (OUSPG). The PROTOS
project produced free software for protocol testing that is still available
and is "widely used" according to Codenomicon CTO Ari Takanen. PROTOS is
based around the idea of proactive protocol testing by injecting unexpected
input into a protocol stream; in essence, fuzzing with some smarts behind the
generated test data.
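
The difference between anomaly injection driven by a model of the message and plain random input, as an added example (it is not PROTOS or DEFENSICS code and not part of the original article): a constructed toy parser for a SIP-style status line is tested by breaking one field at a time, and the same cases are run against a hardened variant. The parsers, function names and anomaly values are all assumptions made for illustration.

```python
"""Model-based anomaly testing of a toy status-line parser (constructed example)."""
import random
import re
import string

# Model of a valid message: named fields, so each test case can break exactly
# one field while the others stay valid and the input reaches deeper code.
VALID = {"version": "SIP/2.0", "code": "200", "reason": "OK"}

# Per-field anomaly library (constructed): boundary values, wrong types,
# overlong strings and control characters.
ANOMALIES = {
    "version": ["", "SIP/", "SIP/2.0" * 64, "HTTP/1.1"],
    "code": ["", "0", "-1", "99", "700", "2OO", "9" * 40],
    "reason": ["", "A" * 4096, "\x00", "OK\r\nVia: x"],
}

CLASS = {1: "provisional", 2: "success", 3: "redirection",
         4: "client-error", 5: "server-error", 6: "global-failure"}


class ProtocolError(Exception):
    """Clean rejection of malformed input, the failure mode we want."""


def build(fields):
    """Serialize the field model into one status line."""
    return "{version} {code} {reason}".format(**fields)


def toy_parse(line):
    """Deliberately fragile parser: assumes the code is a number in 100..699."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or not parts[0].startswith("SIP/"):
        raise ProtocolError("bad status line")
    code = int(parts[1])                 # ValueError on "" or "2OO"
    return code, CLASS[code // 100]      # KeyError on 0, -1, 99, 700, ...


def hardened_parse(line):
    """Same interface; every field is validated before it is used."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "SIP/2.0":
        raise ProtocolError("bad status line")
    if not re.fullmatch(r"[1-6][0-9]{2}", parts[1]):
        raise ProtocolError("status code out of range")
    if len(parts[2]) > 128 or any(ord(c) < 0x20 or ord(c) == 0x7F for c in parts[2]):
        raise ProtocolError("bad reason phrase")
    code = int(parts[1])
    return code, CLASS[code // 100]


def classify(parser, line):
    """Run one test case in-process and label the outcome."""
    try:
        parser(line)
        return "ok"
    except ProtocolError:
        return "rejected"
    except Exception as exc:             # anything else stands in for a crash
        return "crash:" + type(exc).__name__


def run_model_based(parser):
    """One anomaly in one field per case; returns (field, value, outcome)."""
    results = []
    for field, values in ANOMALIES.items():
        for value in values:
            line = build(dict(VALID, **{field: value}))
            results.append((field, value, classify(parser, line)))
    return results


def run_random(parser, cases=500, seed=0):
    """Baseline: unstructured random strings, same outcome labels."""
    rng = random.Random(seed)
    results = []
    for _ in range(cases):
        line = "".join(rng.choice(string.printable)
                       for _ in range(rng.randint(1, 40)))
        results.append(("random", line, classify(parser, line)))
    return results


def crashes(results):
    """Keep only the cases that ended in an unexpected exception."""
    return [r for r in results if r[2].startswith("crash")]


if __name__ == "__main__":
    for name, parser in (("toy", toy_parse), ("hardened", hardened_parse)):
        found = crashes(run_model_based(parser))
        print(name, "model-based crashes:", len(found))
        for field, value, outcome in found:
            print("   ", field, repr(value[:20]), outcome)
        print(name, "random crashes:", len(crashes(run_random(parser))))
```

The random baseline never gets past the version check, while every defect the field-aware cases find sits behind it in the status-code handling.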
Codenomicon observed that free tools did not get the same attention from
management that was given to relatively expensive commercial tools and
DEFENSICS bridges that gap. In addition, the DEFENSICS suite builds upon
the lessons learned with PROTOS, extending and enhancing the basic concept
while making it faster. Because of their research background and some level
of altruism, Codenomicon wants to give back to the open source community and
CROSS is their means of doing that. Obviously they are hoping to gain
some name recognition and good press, but they also seem to have a real
interest in helping to secure the internet by finding flaws proactively.
Open source projects can generally use all the help they can get when it
comes to finding security flaws. It is accepted as an article of faith that
"many eyes make all bugs shallow", but that only works when those eyes
actually focus on a particular project. Just opening the source does not
magically attract the attention of security minded developers and that makes
projects like CROSS very useful. The Codenomicon tools (and PROTOS before
that) have been successful in finding flaws in the past and one can hope
that this effort will similarly bear fruit. With luck we will see a number
of security bug reports over the next few months that will credit CROSS.
This effort is reminiscent of Coverity's code analysis tools being used
to assist open source projects; hopefully more companies will decide to
use our code as a testbed for their tools, since it can only help both to get
better.
Security reports
Fortify Software has announced the release of a new security advisory
on JavaScript Hijacking. "Fortify Software, the
leading provider of security products that help companies identify, manage
and remediate software vulnerabilities, today announced that its Security
Research Group has documented the first major vulnerability associated
specifically with Web 2.0 and AJAX-style software. Termed JavaScript
Hijacking, the vulnerability allows an attacker to steal critical data by
emulating unsuspecting users. To combat this issue, Fortify has released an
in-depth security advisory that details this vulnerability, how enterprises
can determine if they are vulnerable and how they can fix the issue."
New vulnerabilities
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
| CVE #(s): | CVE-2007-1561, CVE-2007-1594 |
| Created: | April 3, 2007 |
| Updated: | August 27, 2007 |
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. |
| Alerts: | |
ImageMagick: DCM and XWD buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2007-1719 |
| Created: | April 3, 2007 |
| Updated: | April 4, 2007 |
| Description: | iDefense Labs reports several buffer overflow vulnerabilities in ImageMagick version 6.3.x. |
| Alerts: | |
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | August 11, 2009 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
kdelibs: bug in FTP protocol
| Package(s): | kdelibs |
CVE #(s): | CVE-2007-1564
|
| Created: | March 30, 2007 |
Updated: | April 4, 2007 |
| Description: |
The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to
force the client to connect to other servers, perform a proxied port scan,
or obtain sensitive information by specifying an alternate server address
in an FTP PASV command. |
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-0956
CVE-2007-0957
CVE-2007-1216
|
| Created: | April 3, 2007 |
Updated: | March 24, 2008 |
| Description: |
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password.
(MIT krb5 Security Advisory 2007-001)
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. (MIT krb5 Security Advisory 2007-002)
A double-free flaw was found in the GSSAPI library used by the kadmin
server daemon. (MIT krb5 Security Advisory 2007-003) |
OpenPBS: multiple vulnerabilities
| Package(s): | openpbs |
CVE #(s): | CVE-2006-5616
|
| Created: | April 4, 2007 |
Updated: | April 4, 2007 |
| Description: |
SUSE reported vulnerabilities due to unspecified errors in OpenPBS. An
attacker might be able to execute arbitrary code with the privileges of the
user running openpbs, which might be the root user. |
qt: "/../" injection
| Package(s): | qt |
CVE #(s): | CVE-2007-0242
|
| Created: | April 4, 2007 |
Updated: | September 13, 2007 |
| Description: |
Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not
reject overlong sequences, which can cause "/../" injection or (in the case
of konqueror) a "<script>" tag injection. |
XFree86 X.org: integer overflows
| Package(s): | xfree86 x.org |
CVE #(s): | CVE-2007-1003
CVE-2007-1667
CVE-2007-1351
CVE-2007-1352
|
| Created: | April 3, 2007 |
Updated: | August 11, 2009 |
| Description: |
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667) |
zope: cross-site scripting
| Package(s): | zope |
CVE #(s): | CVE-2007-0240
|
| Created: | April 3, 2007 |
Updated: | April 5, 2007 |
| Description: |
A cross-site scripting vulnerability in Zope, a web application server,
could allow an attacker to inject arbitrary HTML and/or JavaScript into the
victim's web browser by using unspecified vectors in an HTTP GET request.
This code would run within the security context of
the web browser, potentially allowing the attacker to access private data
such as authentication cookies, or to affect the rendering or behavior of
Zope web pages. |
zziplib: buffer overflow
| Package(s): | zziplib |
CVE #(s): | CVE-2007-1614
|
| Created: | April 4, 2007 |
Updated: | September 5, 2007 |
| Description: |
dmcox discovered a boundary error in the zzip_open_shared_io() function
from zzip/file.c. A remote attacker could entice a user to run a zziplib
function with an overly long string as an argument which would trigger the
buffer overflow and may lead to the execution of arbitrary code. |
Updated vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
CVE #(s): | CVE-2006-5857
CVE-2007-0045
CVE-2007-0046
|
| Created: | January 11, 2007 |
Updated: | October 26, 2009 |
| Description: |
Adobe's Acrobat Reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross-site scripting vulnerability that
can be triggered by processing malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities;
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges. |
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
CVE #(s): | CVE-2006-6899
|
| Created: | January 16, 2007 |
Updated: | May 14, 2007 |
| Description: |
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
vixie-cron: privilege escalation
| Package(s): | cron |
CVE #(s): | CVE-2006-2607
|
| Created: | May 31, 2006 |
Updated: | June 1, 2009 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2006-4262
|
| Created: | October 2, 2006 |
Updated: | June 16, 2009 |
| Description: |
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code. |
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2004-2541
|
| Created: | May 22, 2006 |
Updated: | June 19, 2009 |
| Description: |
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target. |
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2007-0720
|
| Created: | March 26, 2007 |
Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an SSL connection. In this state, cups would not
allow other connections to be made, a denial of service. |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
ekiga: format string vulnerability
| Package(s): | ekiga |
CVE #(s): | CVE-2007-1006
CVE-2007-0999
|
| Created: | February 21, 2007 |
Updated: | March 30, 2007 |
| Description: |
Ekiga contains a format string vulnerability in the code which processes
control messages from remote peers.
If a user was running Ekiga and listening for incoming calls, a remote
attacker could send a crafted call request, and execute arbitrary code with
the user's privileges. |
elinks: arbitrary file access
| Package(s): | elinks |
CVE #(s): | CVE-2006-5925
|
| Created: | November 16, 2006 |
Updated: | October 22, 2009 |
| Description: |
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions. |
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in
calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd log files, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially
crafted AVI, arbitrary code can be executed with the user's privileges. |
file: arbitrary code execution
| Package(s): | file |
CVE #(s): | CVE-2007-1536
|
| Created: | March 22, 2007 |
Updated: | May 30, 2007 |
| Description: |
The "file" utility incorrectly checks the allocated heap memory size.
If a remote attacker can trick a user into looking at specially crafted
files with file, arbitrary code can be executed with the user's privileges. |
firefox: FTP PASV port-scanning
| Package(s): | firefox seamonkey |
CVE #(s): | CVE-2007-1562
|
| Created: | March 23, 2007 |
Updated: | June 4, 2007 |
| Description: |
According to this
advisory, the FTP protocol includes the PASV (passive) command which is
used by Firefox to request an alternate data port. The specification of the
FTP protocol allows the server response to include an alternate server
address as well, although this is rarely used in practice. |
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | June 1, 2010 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | November 18, 2009 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
GnuPG: unsigned data injection vulnerability
| Package(s): | gnupg |
CVE #(s): | CVE-2007-1263
|
| Created: | March 6, 2007 |
Updated: | March 30, 2007 |
| Description: |
Core Security Technologies has reported
that GnuPG and GnuPG clients are vulnerable to an unsigned data injection
vulnerability. |
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
gv: stack-based buffer overflow
| Package(s): | gv |
CVE #(s): | CVE-2006-5864
|
| Created: | November 20, 2006 |
Updated: | April 9, 2007 |
| Description: |
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header. |
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | January 20, 2010 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
inkscape: format string vulnerabilities
| Package(s): | inkscape |
CVE #(s): | CVE-2007-1463
CVE-2007-1464
|
| Created: | March 21, 2007 |
Updated: | April 16, 2007 |
| Description: |
Inkscape has a format string vulnerability in its URI handling, possibly
allowing an attacker to execute code with user privileges via a specially
crafted file.
Format string vulnerability in the whiteboard Jabber protocol in Inkscape
before 0.45.1 allows user-assisted remote attackers to execute arbitrary
code via unspecified vectors. |
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 4, 2010 |
| Description: |
Java has multiple vulnerabilities. These include
an RSA exponent padding attack vulnerability; two vulnerabilities
which allow untrusted applets to access data in other applets;
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE; and buffer overflows in the Java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
kdelibs: denial of service
| Package(s): | kdelibs |
CVE #(s): | CVE-2007-1308
|
| Created: | March 8, 2007 |
Updated: | March 29, 2007 |
| Description: |
Kdelibs has a denial of service vulnerability that can be triggered in
Konqueror's use of KDE JavaScript. A null pointer dereference caused
by accessing the content of an iframe with an ftp:// URI in the src
attribute can be used to trigger the DoS. |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-0005
CVE-2007-1000
|
| Created: | March 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution of arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in
net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference.
Local users can use this to crash the kernel or to disclose kernel
memory. |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0007
CVE-2007-0006
|
| Created: | February 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | January 5, 2009 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-0772
|
| Created: | February 23, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer. |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause a system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | January 8, 2009 |
| Description: |
A security issue has been reported in the Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in the Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
kernel data structures. |
krb5: uninitialized pointers
| Package(s): | krb5 |
CVE #(s): | CVE-2006-6143
CVE-2006-3084
|
| Created: | January 10, 2007 |
Updated: | July 7, 2010 |
| Description: |
The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details. |
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
ktorrent: incorrect validation
| Package(s): | ktorrent |
CVE #(s): | CVE-2007-1384
CVE-2007-1385
CVE-2007-1799
|
| Created: | March 13, 2007 |
Updated: | October 24, 2007 |
| Description: |
Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges. |
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others (e.g. Sparc) it can lead to a bus error,
in other words a denial of service. |
libgtop2: buffer overflow
| Package(s): | libgtop2 |
CVE #(s): | CVE-2007-0235
|
| Created: | January 15, 2007 |
Updated: | August 9, 2007 |
| Description: |
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges. |
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | May 4, 2011 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libwpd: buffer overflows
| Package(s): | libwpd |
CVE #(s): | CVE-2007-0002
|
| Created: | March 16, 2007 |
Updated: | April 9, 2007 |
| Description: |
iDefense reported several overflow bugs in libwpd. An attacker could
create a carefully crafted Word Perfect file that could cause an
application linked with libwpd, such as OpenOffice, to crash or possibly
execute arbitrary code if the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities. If a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lookup-el: insecure temporary file
| Package(s): | lookup-el |
CVE #(s): | CVE-2007-0237
|
| Created: | March 19, 2007 |
Updated: | December 10, 2007 |
| Description: |
Tatsuya Kinoshita discovered that Lookup, a search interface to electronic
dictionaries on emacsen, creates a temporary file in an insecure fashion
when the ndeb-binary feature is used, which allows a local attacker to
craft a symlink attack to overwrite arbitrary files. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mod_jk: stack overflow
| Package(s): | mod_jk |
CVE #(s): | CVE-2007-0774
|
| Created: | March 5, 2007 |
Updated: | May 30, 2007 |
| Description: |
A stack overflow flaw was found in the URI handler of mod_jk. A remote
attacker could visit a carefully crafted URL being handled by mod_jk and
trigger this flaw, which could lead to the execution of arbitrary code as the
'apache' user. |
| Alerts: |
|
Comments (none posted)
mplayer: buffer overflow
| Package(s): | mplayer |
CVE #(s): | CVE-2007-1246
|
| Created: | March 8, 2007 |
Updated: | April 1, 2008 |
| Description: |
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
User-assisted remote attackers can use this to create a buffer overflow
and possibly execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
CVE #(s): | CVE-2007-1420
|
| Created: | March 22, 2007 |
Updated: | May 21, 2008 |
| Description: |
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nas: code execution
Comments (none posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
.bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
openafs: privilege escalation
| Package(s): | openafs |
CVE #(s): | CVE-2007-1507
|
| Created: | March 21, 2007 |
Updated: | April 4, 2007 |
| Description: |
The handling of setuid files in the OpenAFS filesystem is flawed in such a way that a sufficiently clever attacker could make an arbitrary executable file appear to be setuid. |
| Alerts: |
|
Comments (none posted)
openldap: security bypass
| Package(s): | openldap |
CVE #(s): | CVE-2006-4600
|
| Created: | September 29, 2006 |
Updated: | June 12, 2007 |
| Description: |
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN). |
| Alerts: |
|
Comments (none posted)
OpenOffice.org: buffer overflow and command execution
| Package(s): | openoffice.org |
CVE #(s): | CVE-2007-0238
CVE-2007-0239
|
| Created: | March 21, 2007 |
Updated: | April 17, 2007 |
| Description: |
The StarCalc parser in OpenOffice.org suffers from an "easily exploitable" stack overflow which could be exploited (via a malicious document) to execute arbitrary code.
Additionally, there is a failure to escape shell metacharacters in URLs, exposing users to command execution by way of hostile links. |
| Alerts: |
|
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4925
CVE-2006-5052
|
| Created: | October 6, 2006 |
Updated: | November 15, 2007 |
| Description: |
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: |
|
Comments (none posted)
openssh: privilege separation issue
| Package(s): | openssh |
CVE #(s): | CVE-2006-5794
|
| Created: | November 8, 2006 |
Updated: | April 5, 2007 |
| Description: |
From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities." |
| Alerts: |
|
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | September 17, 2008 |
| Description: |
OpenSSH 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal handler and, on portable OpenSSH, a GSSAPI authentication abort
that could be used to determine the validity of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: buffer overflows
| Package(s): | php |
CVE #(s): | CVE-2006-5465
|
| Created: | November 3, 2006 |
Updated: | January 18, 2010 |
| Description: |
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only occur when UTF-8 is used.) |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
CVE #(s): | CVE-2006-5466
|
| Created: | November 6, 2006 |
Updated: | August 28, 2007 |
| Description: |
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
Mozilla: multiple vulnerabilities
| Package(s): | seamonkey firefox thunderbird |
CVE #(s): | CVE-2006-6077
CVE-2007-0008
CVE-2007-0009
CVE-2007-0775
CVE-2007-0777
CVE-2007-0778
CVE-2007-0779
CVE-2007-0780
CVE-2007-0800
CVE-2007-0981
CVE-2007-0995
CVE-2007-0996
|
| Created: | February 26, 2007 |
Updated: | July 23, 2007 |
| Description: |
Several flaws were found in the way SeaMonkey processed certain malformed
JavaScript code. A malicious web page could execute JavaScript code in such
a way that may result in SeaMonkey crashing or executing arbitrary code as
the user running SeaMonkey. (CVE-2007-0775, CVE-2007-0777)
Several cross-site scripting (XSS) flaws were found in the way SeaMonkey
processed certain malformed web pages. A malicious web page could display
misleading information which may result in a user unknowingly divulging
sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995,
CVE-2007-0996)
A flaw was found in the way SeaMonkey cached web pages on the local disk. A
malicious web page may be able to inject arbitrary HTML into a browsing
session if the user reloads a targeted site. (CVE-2007-0778)
A flaw was found in the way SeaMonkey displayed certain web content. A
malicious web page could generate content which could overlay user
interface elements such as the hostname and security indicators, tricking a
user into thinking they are visiting a different site. (CVE-2007-0779)
Two flaws were found in the way SeaMonkey displayed blocked popup windows.
If a user can be convinced to open a blocked popup, it is possible to read
arbitrary local files, or conduct an XSS attack against the user.
(CVE-2007-0780, CVE-2007-0800)
Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
SeaMonkey. (CVE-2007-0008, CVE-2007-0009)
A flaw was found in the way SeaMonkey handled the "location.hostname" value
during certain browser domain checks. This flaw could allow a malicious web
site to set domain cookies for an arbitrary site, or possibly perform an
XSS attack. (CVE-2007-0981) |
| Alerts: |
|
Comments (1 posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
slocate: information disclosure
| Package(s): | slocate |
CVE #(s): | CVE-2007-0227
|
| Created: | February 22, 2007 |
Updated: | September 4, 2012 |
| Description: |
The slocate permission checking code has a local information disclosure
vulnerability. During the reporting of matching files, slocate does not
respect the parent directory's read permissions, resulting in hidden
filenames being viewable by other local users. |
| Alerts: |
|
Comments (none posted)
snort: remote arbitrary code execution
| Package(s): | snort |
CVE #(s): | CVE-2006-5276
|
| Created: | March 2, 2007 |
Updated: | September 7, 2007 |
| Description: |
The Snort intrusion detection system is vulnerable to a buffer overflow
in the DCE/RPC preprocessor code. Remote attackers can send
specially crafted fragmented SMB or DCE/RPC packets which can be used
to allow the remote execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
squid: denial of service
| Package(s): | squid |
CVE #(s): | CVE-2007-1560
|
| Created: | March 23, 2007 |
Updated: | April 3, 2007 |
| Description: |
Due to an internal error Squid-2.6 is vulnerable to a denial of service
attack when processing the TRACE request method. This problem allows any
client trusted to use the service to perform a denial of service attack on
the Squid service. |
| Alerts: |
|
Comments (none posted)
sun-jdk: arbitrary code execution
| Package(s): | sun-jdk |
CVE #(s): | CVE-2007-0243
|
| Created: | February 19, 2007 |
Updated: | April 25, 2007 |
| Description: |
An anonymous researcher discovered that an error in the handling of a GIF
image with a zero width field block leads to a memory corruption flaw. An
attacker could entice a user to run a specially crafted Java applet or
application that would load a crafted GIF image, which could result in
escalation of privileges and unauthorized access to system resources. |
| Alerts: |
|
Comments (1 posted)
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CVE-2007-1218
|
| Created: | March 5, 2007 |
Updated: | November 15, 2007 |
| Description: |
Off-by-one buffer overflow in the parse_elements function in the 802.11
printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote
attackers to cause a denial of service (crash) via a crafted 802.11
frame. NOTE: this was originally referred to as heap-based, but it might be
stack-based. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
xine: format string vulnerabilities
| Package(s): | xine |
CVE #(s): | CVE-2007-0017
|
| Created: | January 23, 2007 |
Updated: | August 10, 2007 |
| Description: |
Multiple format string vulnerabilities in (1) the cdio_log_handler function
in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and
the (2) cdio_log_handler and (3) vcd_log_handler functions in
modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in
VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to
execute arbitrary code via format string specifiers in an invalid URI, as
demonstrated by a udp://-- URI in an M3U file. |
| Alerts: |
|
Comments (none posted)
xine-lib: arbitrary code execution
| Package(s): | xine-lib |
CVE #(s): | CVE-2007-1387
|
| Created: | March 13, 2007 |
Updated: | April 1, 2008 |
| Description: |
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-6172
|
| Created: | December 5, 2006 |
Updated: | June 5, 2007 |
| Description: |
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xinit: race condition
| Package(s): | xinit |
CVE #(s): | CVE-2006-5214
|
| Created: | October 17, 2006 |
Updated: | August 9, 2007 |
| Description: |
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked. |
| Alerts: |
|
Comments (1 posted)
xmms: BMP handling vulnerability
| Package(s): | xmms |
CVE #(s): | CVE-2007-0653
CVE-2007-0654
|
| Created: | March 28, 2007 |
Updated: | July 26, 2011 |
| Description: |
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system. |
| Alerts: |
|
Comments (none posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
CVE #(s): | CVE-2006-4447
|
| Created: | August 28, 2006 |
Updated: | April 30, 2007 |
| Description: |
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine. |
| Alerts: |
|
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.21-rc5,
released on March 25. It
contains a number of fixes, including a set for timer-related regressions.
Says Linus: "Those timer changes ended up much more painful than
anybody wished for, but big thanks to Thomas Gleixner for being on it like
a weasel on a dead rat, and the regression list has kept shrinking."
See the long-format changelog for the details.
The current -mm tree is 2.6.21-rc5-mm3,
released on March 30. (see below).
The current stable 2.6 kernel is 2.6.20.4, released on March 23.
For older kernels: 2.6.16.46 was released with
several fixes and some USB work on March 31. (see below).
In the 2.4 world, 2.4.34.2
was released on March 24; it only contains two changes. 2.4.35-pre2 is also out with a
rather larger set of fixes.
Comments (none posted)
Kernel development news
I find that the key to understanding kernel code is to understand the data
structures and the relationships between them. Once you have that in your
head, the code tends to just fall out. Hence there is good maintainability
payoff in putting work into documenting the struct, its fields, the
relationship between this struct and other structs, and any and all locking
requirements.
<wonders wtf "ticks" does>
--
Andrew Morton
Comments (3 posted)
The 2.6.21 kernel release is getting closer, so it makes sense to review
the internal API changes which have been made in this development cycle.
As always, this information will eventually find its way to the
LWN 2.6 kernel API changes page.
- Sysfs now supports the concept of "shadow directories" - multiple
versions of a directory with the same name. This feature is to be
used with container applications, allowing each namespace to have
resources (network interfaces, for example) with the same name. To
that end, two new functions have been added:
      int sysfs_make_shadowed_dir(struct kobject *kobj,
                                  void *(*follow_link)(struct dentry *,
                                                       struct nameidata *));
      struct dentry *sysfs_create_shadow_dir(struct kobject *kobj);
sysfs_make_shadowed_dir() takes the existing directory for a
kobject and makes it shadowed - capable of having multiple
instantiations. The follow_link() method must be able to
pick out the right version for any given situation. A call to
sysfs_create_shadow_dir() will create a new instantiation for a
directory which has been made shadowed.
- Quite a few kobject functions - kobject_init(),
kobject_del(), kobject_unregister(),
kset_register(), kset_unregister(),
subsystem_register(), subsystem_unregister(), and
subsys_create_file() - now return harmlessly if passed a
NULL pointer.
- Many kernel subsystems which once used class_device
structures have been changed to use struct device instead;
this work is toward a long-term goal of getting rid of the class tree
and having a single device tree in sysfs.
- There is a new function:
      int device_schedule_callback(struct device *dev,
                                   void (*func)(struct device *))
This function will arrange for func() to be called at some
future time in process context. It's meant to enable device
attributes to unregister themselves, but one can imagine other
applications as well.
- The ALSA system on chip ("ASoC") layer provides extensive support for
the implementation of sound drivers on embedded systems; see the
documentation files packaged with the kernel for details.
- Significant changes have been made to the crypto support interface.
- The device resource
management patches, making a lot of driver code
easier to write, have been merged.
- The DMA memory zone (ZONE_DMA) is now optional and may not be
present in all kernels.
- The local_t type has been made consistent across
architectures and has gained some documentation.
- The nopfn() address space operation can now return
NOPFN_REFAULT to indicate that the faulting instruction
should be re-executed.
- A new function, vm_insert_pfn(), enables the insertion of a
new page into a process's address space by page-frame number.
- A new driver API for general-purpose I/O signals has been added.
- The sysctl code has been heavily reworked, leading to a number of
internal API changes.
- The clockevents and dynamic
tick patches have been merged. Most code will not require
changes, but kernel developers should be aware of code which depends
on jiffies.
Comments (none posted)
This article is a continuation of the irregular LWN series on writing video
drivers for Linux. The
introductory article describes the
series and contains pointers to the previous articles. In
the last episode, we
looked at how the Video4Linux2 API describes video formats: image sizes and
the representation of pixels within them. This article will complete the
discussion by describing the process of coming to an agreement with an
application on an actual video format supported by the hardware.
As we saw in the previous article, there are many ways of representing
image data in memory. There is probably no video device on the market
which can handle all of the formats understood by the Video4Linux
interface. Drivers are not expected to support formats not understood by
the underlying hardware; in fact, performing format conversions within the
kernel is explicitly frowned upon. So the driver must make it possible for
the application to select a format which works with the hardware.
The first step is to simply allow the application to query the supported
formats. The VIDIOC_ENUM_FMT ioctl() is provided for the
purpose; within the driver this command turns into a call to this callback
(if a video capture device is being queried):
    int (*vidioc_enum_fmt_cap)(struct file *file, void *private_data,
                               struct v4l2_fmtdesc *f);
This callback will ask a video capture device to describe one of its
formats. The application will pass in a v4l2_fmtdesc structure:
    struct v4l2_fmtdesc
    {
        __u32               index;
        enum v4l2_buf_type  type;
        __u32               flags;
        __u8                description[32];
        __u32               pixelformat;
        __u32               reserved[4];
    };
The application will set the index and type fields.
index is a simple integer used to identify a format; like the
other indexes used by V4L2, this one starts at zero and increases to the
maximum number of formats supported. An application can enumerate all of
the supported formats by incrementing the index value until the driver
returns EINVAL. The type field describes the data stream
type; it will be V4L2_BUF_TYPE_VIDEO_CAPTURE for a video capture
(camera or tuner) device.
If the index corresponds to a supported format, the driver should
fill in the rest of the structure. The pixelformat field should
be the fourcc code describing the video representation and
description a short textual description of the format. The only
defined value for the flags field is
V4L2_FMT_FLAG_COMPRESSED, which indicates a compressed video
format.
The above callback is for video capture devices; it will only be called
when type is V4L2_BUF_TYPE_VIDEO_CAPTURE. The
VIDIOC_ENUM_FMT call will be split out into different callbacks
depending on the type field:
    /* V4L2_BUF_TYPE_VIDEO_OUTPUT */
    int (*vidioc_enum_fmt_video_output)(file, private_data, f);
    /* V4L2_BUF_TYPE_VIDEO_OVERLAY */
    int (*vidioc_enum_fmt_overlay)(file, private_data, f);
    /* V4L2_BUF_TYPE_VBI_CAPTURE */
    int (*vidioc_enum_fmt_vbi)(file, private_data, f);
    /* V4L2_BUF_TYPE_SLICED_VBI_CAPTURE */
    int (*vidioc_enum_fmt_vbi_capture)(file, private_data, f);
    /* V4L2_BUF_TYPE_VBI_OUTPUT */
    /* V4L2_BUF_TYPE_SLICED_VBI_OUTPUT */
    int (*vidioc_enum_fmt_vbi_output)(file, private_data, f);
    /* V4L2_BUF_TYPE_PRIVATE */
    int (*vidioc_enum_fmt_type_private)(file, private_data, f);
The argument types are the same for all of these calls.
It's worth noting that drivers can support special buffer types with codes
starting with V4L2_BUF_TYPE_PRIVATE, but that would clearly
require a special understanding on the application side.
For the purposes of this article, we will focus on video capture and output
devices; the other types of video devices will be examined in future
installments.
The application can find out how the hardware is currently configured with
the VIDIOC_G_FMT call. The argument passed in this case is a
v4l2_format structure:
    struct v4l2_format
    {
        enum v4l2_buf_type type;
        union
        {
            struct v4l2_pix_format        pix;
            struct v4l2_window            win;
            struct v4l2_vbi_format        vbi;
            struct v4l2_sliced_vbi_format sliced;
            __u8                          raw_data[200];
        } fmt;
    };
Once again, type describes the buffer type; the V4L2 layer will
split this call into one of several driver callbacks depending on that
type. For video capture devices, the callback is:
    int (*vidioc_g_fmt_cap)(struct file *file, void *private_data,
                            struct v4l2_format *f);
For video capture (and output) devices, the pix field of the union
is of interest. This is the v4l2_pix_format structure seen in the
previous installment; the driver should fill in that structure with the
current hardware settings and return. This call should not normally fail
unless something is seriously wrong with the hardware.
The other callbacks are:
    int (*vidioc_g_fmt_overlay)(file, private_data, f);
    int (*vidioc_g_fmt_video_output)(file, private_data, f);
    int (*vidioc_g_fmt_vbi)(file, private_data, f);
    int (*vidioc_g_fmt_vbi_output)(file, private_data, f);
    int (*vidioc_g_fmt_vbi_capture)(file, private_data, f);
    int (*vidioc_g_fmt_type_private)(file, private_data, f);
The vidioc_g_fmt_video_output() callback uses the same
pix field in the same way as capture interfaces do.
Most applications will eventually want to configure the hardware to provide
a format which works for their purpose. There are two interfaces provided
for changing video formats. The first of these is the
VIDIOC_TRY_FMT call, which, within a V4L2 driver, turns into one
of these callbacks:
    int (*vidioc_try_fmt_cap)(struct file *file, void *private_data,
                              struct v4l2_format *f);
    int (*vidioc_try_fmt_video_output)(struct file *file, void *private_data,
                                       struct v4l2_format *f);
    /* And so on for the other buffer types */
To handle this call,
the driver should look at the requested video format and decide whether
that format can be supported by the hardware or not. If the application
has requested something impossible, the driver should return
-EINVAL. So, for example, a fourcc code describing an unsupported
format or a request for interlaced video on a progressive-only device would
fail. On the other hand, the driver can adjust size fields to match an
image size supported by the hardware; normal practice is to adjust sizes
downward if need be. So a driver for a device which only handles
VGA-resolution images would change the width and height
parameters accordingly and return success. The v4l2_format
structure will be copied back to user space after the call; the driver
should update the structure to reflect any changed parameters so the
application can see what it is really getting.
The VIDIOC_TRY_FMT handlers are optional for drivers, but omitting
this functionality is not recommended. If provided, this function is
callable at any time, even if the device is currently operating. It should
not make any changes to the actual hardware operating parameters; it
is just a way for the application to find out what is possible.
When the application wants to change the hardware's format for real, it
does a VIDIOC_S_FMT call, which arrives at the driver in this
form:
    int (*vidioc_s_fmt_cap)(struct file *file, void *private_data,
                            struct v4l2_format *f);
    int (*vidioc_s_fmt_video_output)(struct file *file, void *private_data,
                                     struct v4l2_format *f);
Unlike VIDIOC_TRY_FMT, this call cannot be made at arbitrary
times. If the hardware is currently operating, or if it has streaming
buffers allocated (a topic for yet another future installment), changing
the format could lead to no end of mayhem. Consider what happens, for
example, if the new format is larger than the buffers which are currently
in use. So the driver should always ensure that the hardware is idle and
fail the request (with -EBUSY) if not.
A format change should be atomic - it should change all of the parameters
to match the request or none of them. Once again, image size parameters
can be adjusted by the driver if need be. The usual form of these
callbacks is something like this:
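    int my_s_fmt_cap(struct file *file, void *private,
                     struct v4l2_format *f)
    {
        struct mydev *dev = (struct mydev *) private;
        int ret;

        /* Refuse to change formats while the hardware is in use. */
        if (hardware_busy(dev))
            return -EBUSY;
        /* Validate (and possibly adjust) the request; no hardware changes yet. */
        ret = my_try_fmt_cap(file, private, f);
        if (ret != 0)
            return ret;
        /* The format is now known to work; program it into the hardware. */
        return tweak_hardware(dev, &f->fmt.pix);
    }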
Using the VIDIOC_TRY_FMT handler avoids duplication of code and
gets rid of any excuse for not implementing that handler in the first
place. If the "try" function succeeds, the resulting format is known to
work and can be programmed directly into the hardware.
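The negotiation rules above, worked through as a stand-alone user-space model (an added example, not code from the article or the kernel). It assumes a progressive-only, YUYV-only device with three frame sizes; struct pix_format, struct mydev, the size table and frame_fits_buffers() are hypothetical stand-ins for the real V4L2 types and a real driver's state.

```c
/* Added example: user-space model of try/set format negotiation.
 * The types are cut-down stand-ins for the kernel's V4L2 structures. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FOURCC(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
                            ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
#define FMT_YUYV  FOURCC('Y', 'U', 'Y', 'V')   /* supported, 2 bytes/pixel */
#define FMT_MJPG  FOURCC('M', 'J', 'P', 'G')   /* not supported by this device */

enum { FIELD_ANY = 0, FIELD_NONE = 1, FIELD_INTERLACED = 4 };

struct pix_format {              /* subset of struct v4l2_pix_format */
    uint32_t width, height;
    uint32_t pixelformat;
    uint32_t field;
    uint32_t bytesperline;
    uint32_t sizeimage;
};

struct mydev {                   /* hypothetical device state */
    int streaming;               /* nonzero while the hardware is capturing */
    size_t buf_size;             /* size of allocated streaming buffers, 0 = none */
    struct pix_format cur;       /* format currently programmed */
};

/* Frame sizes the imaginary sensor can produce, largest first. */
static const struct { uint32_t w, h; } sizes[] = {
    { 640, 480 }, { 320, 240 }, { 160, 120 },
};
#define NSIZES (sizeof(sizes) / sizeof(sizes[0]))

/* VIDIOC_TRY_FMT: validate and adjust *pix; never touches device state. */
int my_try_fmt_cap(struct pix_format *pix)
{
    size_t i;

    /* Reject the impossible before modifying anything. */
    if (pix->pixelformat != FMT_YUYV)
        return -EINVAL;
    if (pix->field != FIELD_ANY && pix->field != FIELD_NONE)
        return -EINVAL;          /* progressive-only device */

    /* Adjust downward: largest supported size that fits the request,
     * or the smallest size if nothing fits. */
    for (i = 0; i < NSIZES - 1; i++)
        if (sizes[i].w <= pix->width && sizes[i].h <= pix->height)
            break;
    pix->width = sizes[i].w;
    pix->height = sizes[i].h;
    pix->field = FIELD_NONE;

    /* Derived sizes are computed only from the clamped values, so a huge
     * user-supplied width or height cannot overflow the multiplication. */
    pix->bytesperline = pix->width * 2;
    pix->sizeimage = pix->bytesperline * pix->height;
    return 0;
}

/* VIDIOC_S_FMT: all-or-nothing change, refused while the device is in use. */
int my_s_fmt_cap(struct mydev *dev, struct pix_format *pix)
{
    int ret;

    if (dev->streaming || dev->buf_size != 0)
        return -EBUSY;
    ret = my_try_fmt_cap(pix);
    if (ret != 0)
        return ret;              /* dev->cur left untouched */
    dev->cur = *pix;             /* single commit point */
    return 0;
}

/* Invariant the -EBUSY check protects: a frame never exceeds its buffer. */
int frame_fits_buffers(const struct mydev *dev)
{
    return dev->buf_size == 0 || dev->cur.sizeimage <= dev->buf_size;
}

int main(void)
{
    struct mydev dev = { 0 };
    struct pix_format req = { 1920, 1080, FMT_YUYV, FIELD_ANY, 0, 0 };
    int ret = my_s_fmt_cap(&dev, &req);

    printf("set 1920x1080 -> %d, got %ux%u, %u bytes\n", ret,
           (unsigned)req.width, (unsigned)req.height, (unsigned)req.sizeimage);

    dev.buf_size = dev.cur.sizeimage;   /* pretend buffers were allocated */
    req = (struct pix_format){ 160, 120, FMT_YUYV, FIELD_NONE, 0, 0 };
    printf("set while buffers exist -> %d (EBUSY is %d)\n",
           my_s_fmt_cap(&dev, &req), EBUSY);
    return 0;
}
```

Because validation happens before any field is written, a rejected request leaves both the caller's structure and the device state exactly as they were.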
There are a number of other calls which influence how video I/O is done.
Future articles will look at some of them. Support for setting formats is
enough to enable applications to start transferring images, however, and
that is what the purpose of all this structure is in the end. So the next
article, hopefully to come after a shorter delay than happened this time
around, will get into support for reading and writing video data.
March 29, 2007
This article was contributed by Aggelos Economopoulos
In this article, we will describe several aspects of the architecture of
DragonFly BSD's virtual kernel infrastructure, which allows the kernel to
be run as a user-space process. Its design and implementation are
largely the work of the project's lead developer, Matthew Dillon, who first
announced his intention of modifying the kernel to run in userspace on
September 2nd 2006. The first stable DragonFlyBSD version to
feature virtual kernel (vkernel) support was DragonFly 1.8, released on January
30th 2007.
The motivation for this work (as can be found in the initial mail linked
to above) was finding an elegant solution to one immediate and one long term
issue in pursuing the project's main goal of Single System Image clustering
over the Internet. First, as any person who is familiar with distributed
algorithms will attest, implementing cache coherency without hardware support is
a complex task. It would not be made any easier by enduring a 2-3 minute delay
in the edit-compile-run cycle while each machine goes through the boot
sequence. As a nice side effect, userspace programming errors are unlikely to
bring the machine down and one has the benefit of working with superior
debugging tools (and can more easily develop new ones).
The second, long term, issue that virtual kernels are intended to
address is finding a way to securely and
efficiently dedicate system resources to a cluster that operates over the
(hostile) Internet. Because a kernel is a more or less standalone
environment, it should be possible to completely isolate the process a
virtual kernel runs in from the rest of the system. While the
problem of process isolation is far from solved, there exist a number of
promising approaches. One option, for example, would be to use systrace
(refer to [Provos03]) to mask-out all but the few (and hopefully
carefully audited) system calls that the vkernel requires after initialization
has taken place. This setup would allow for a significantly higher degree of
protection for the host system in the event that the virtualized environment was
compromised. Moreover, the host kernel already has well-tested facilities for
arbitrating resources, although these facilities are not necessarily sufficient
or dependable; the CPU scheduler is not infallible and mechanisms for allocating
disk I/O bandwidth will need to be implemented or expanded. In any case,
leveraging preexisting mechanisms reduces the burden on the project's
development team, which can't be all bad.
Preparatory work
Getting the kernel to build as a regular, userspace, ELF executable
required tidying up large portions of the source tree. In this section we
will focus on the two large sets of changes that took place as part of
this cleanup. The second set might seem superficial and hardly worthy of
mention as such, but in explaining the reason that led to it, we shall
discuss an important decision that was made in the implementation of the
virtual kernel.
The first set of changes was separating machine dependent code to
platform- and CPU-specific parts. The real and virtual kernels can be
considered to run on two different platforms; the first is (only, as must
reluctantly be admitted) running on 32-bit PC-style hardware, while the
second is running on a DragonFly kernel. Regardless of the differences
between the two platforms, both kernels expect the same processor
architecture. After the separation, the cpu/i386
directory of the kernel tree is left with hand-optimized assembly
versions of certain kernel routines, headers relevant only to x86 CPUs
and code that deals with object relocation and debug information. The
real kernel's platform directory (platform/pc32) is
familiar with things like programmable interrupt controllers, power
management and the PC BIOS (that the vkernel doesn't need), while
the virtual kernel's platform/vkernel directory is
happily using the system calls that the real kernel can't have. Of
course this does not imply that there is absolutely no code duplication,
but fixing that is not a pressing problem.
The massive second set of changes involved primarily renaming quite
a few kernel symbols so that there are no clashes with the libc ones
(e.g. *printf(), qsort, errno etc.) and using kdev_t for the POSIX dev_t
type in the kernel. As should be plain, this was a prerequisite for
having the virtual kernel link with the standard C library. Given that
the kernel is self-hosted (this means that, since it cannot generally
rely on support software after it has been loaded, the kernel includes
its own helper routines), one can question the decision of pulling in all
of libc instead of simply adding the (few) system calls that the vkernel
actually uses. A controversial choice at the time, it prevailed because
it was deemed that it would allow future vkernel code to leverage the
extended functionality provided by libc. Particularly, thread-awareness in the
system C library should accommodate the (medium term) plan to mimic
multi-processor operation by the use of one vkernel thread for each hypothetical
CPU. It is safe to say that if the plan materializes, linking against libc
will prove to be a most profitable tradeoff.
The Virtual Kernel
In this section, we will study the architecture of the virtual kernel and
the design choices made in its development, focusing on its differences from a
kernel running on actual hardware. In the process, we'll need to describe the
changes made in the real (host) kernel code, specifically in order to support a
DragonFly kernel running as a user process.
Address Space Model
The first design choice made in the development of the vkernel is that the
whole virtualized environment is executing as part of the same real-kernel
process. This imposes well defined limits on the amount of real-kernel
resources that may be consumed by it and makes containment straightforward.
Processes running under the vkernel are not in direct competition with host
processes for CPU time and most parts of the bookkeeping that is expected
from a kernel during the lifetime of a process are handled by the virtual
kernel. The alternative[1], running each vkernel process[2] in the context
of a real kernel process, imposes extra burden on the host kernel and
requires additional mechanisms for effective isolation of vkernel processes
from the host system.
That said, the real kernel still has to deal with some amount of VM work and
reserve some memory space that is proportional to the number of processes
running under the vkernel. This statement will be made clear after we examine
the new system calls for the manipulation of vmspace objects.
In the kernel, the main purpose of a vmspace object is to describe the
address space of one or more processes. Each process normally has one vmspace,
but a vmspace may be shared by several processes. An address space is logically
partitioned into sets of pages, so that all pages in a set are backed by the
same VM object (and are linearly mapped on it) and have the same protection
bits. All such sets are represented as vm_map_entry structures. VM map entries
are linked together both by a tree and a linked list so that lookups,
additions, deletions and merges can be performed efficiently (with low time
complexity). Control information and pointers to these data structures are
encapsulated in the vm_map object that is contained in every vmspace (see the
diagram below).
A VM object (vm_object) is an interface to a data store
and can be of various types (default, swap, vnode, ...) depending on where it
gets its pages from. The existence of shadow objects somewhat complicates
matters, but for our purposes this simplified model should be sufficient. For
more information you're urged to have a look at the source and refer to
[McKusick04]
and [Dillon00].
In the first stages of the development of vkernel, a number of system
calls were added to the kernel that allow a process to associate itself with
more than one vmspace. The creation of a vmspace is accomplished by
vmspace_create(). The new vmspace is uniquely identified by an arbitrary value
supplied as an argument. Similarly, the vmspace_destroy() call deletes the
vmspace identified by the value of its only parameter. It is expected that only
a virtual kernel running as a user process will need access to alternate
address spaces. Also, it should be made clear that while a process can have
many vmspaces associated with it, only one vmspace is active at any given time.
The active vmspace is the one operated on by
mmap()/munmap()/madvise()/etc.
The virtual kernel creates a vmspace for each of its processes and it
destroys the associated vmspace when a vproc is terminated, but this behavior
is not compulsory. Since, just like in the real kernel, all information about a
process and its address space is stored in kernel memory[3], the vmspace
can be disposed of and reinstantiated at
will; its existence is only necessary while the vproc is running. One can
imagine the vkernel destroying the vproc vmspaces in response to a low memory
situation in the host system.
When it decides that it needs to run a certain process, the vkernel issues
a vmspace_ctl() system call with an argument of
VMSPACE_CTL_RUN as the command
(currently there are no other commands available), specifying the desired
vmspace to activate. Naturally, it also needs to supply the necessary context
(values of general purpose registers, instruction/stack pointers, descriptors)
in which execution will resume. The original vmspace is special; if, while
running on an alternate address space, a condition occurs which requires kernel
intervention (for example, a floating point operation throws an exception or a
system call is made), the host kernel automatically switches back to the
previous vmspace handing over the execution context at the time the exceptional
condition caused entry into the kernel and leaving it to the vkernel to resolve
matters. Signals by other host processes are likewise delivered after switching
back to the vkernel vmspace.
Support for creating and managing alternate vmspaces is also
available to vkernel processes. This requires special care so that all the
relevant code sections can operate in a recursive manner. The result is that
vkernels can be nested, that is, one can have a vkernel running as a process
under a second vkernel running as a process under a third vkernel and so
on. Naturally, the overhead incurred for each level of recursion does not
make this an attractive setup performance-wise, but it is a neat feature
nonetheless.
The previous paragraphs have described the background of vkernel
development and have given a high-level overview of how the vkernel fits in with
the abstractions provided by the real kernel. We are now ready to dive into the
most interesting parts of the code, where we will get acquainted with a new
type of page table and discuss the details of FPU virtualization and vproc <->
vkernel communication. But this discussion needs an article of its own,
therefore it will have to wait for a future week.
Bibliography
[McKusick04] The Design and Implementation of the FreeBSD Operating System, Kirk McKusick and George Neville-Neil.
[Dillon00] Design elements of the FreeBSD VM system, Matthew Dillon.
[Lemon00] Kqueue: A generic and scalable event notification facility, Jonathan Lemon.
[AST06] Operating Systems Design and Implementation, Andrew Tanenbaum and Albert Woodhull.
[Provos03] Improving Host Security with System Call Policies, Niels Provos.
[Stevens99] UNIX Network Programming, Volume 1: Sockets and XTI, Richard Stevens.
Notes
[1] There are of course other alternatives, the most obvious one being
having one process for the virtual kernel and another for contained processes,
which is mostly equivalent to the choice made in DragonFly.
[2] A process running under a virtual kernel will also be referred to as a
"vproc" to distinguish it from host kernel processes.
[3] The small matter of the actual data belonging to the vproc is not an
issue, but you will have to wait until we get to the RAM file in the next
subsection to see why.
Page editor: Jonathan Corbet
Distributions
News and Editorials
April 4, 2007
This article was contributed by Jake Edge.
The BackTrack distribution, which just released its 2.0 version,
helps organize security tools into a live CD package that
will be helpful to anyone faced with security oriented tasks.
Hundreds of open source security tools exist and it can be difficult to
sort through them and determine what they are used for; BackTrack can
help by providing one-stop shopping and a well organized interface that
categorizes the tools by the task they are focused on. BackTrack seems
well suited to its stated goal of being the distribution of choice for
penetration testers and other security professionals.
Based on SLAX, a live CD version of
Slackware, BackTrack can boot directly from CD or USB stick and once it
is up, the user can start KDE or Fluxbox to provide a GUI interface. As
part of a test drive of BackTrack, the author started up the KDE interface
and found it to be well organized, especially the Applications menu (see
screenshot). The Firefox and Konqueror bookmark toolbar customizations,
with buttons for several security oriented websites, were quite useful as well.
SLAX seemingly had no trouble with the author's off-brand laptop or with the
several desktop machines that it was tried on. The X server handled high
resolution screens (up to 1600x1200) with aplomb, unlike other live CD
distributions that have been booted over the years.
The selection of tools is where BackTrack truly shines. More than 300
up-to-date tools for everything from network mapping, through password
cracking to digital forensics are available.
Wireless network sniffing and packet injection are areas that BackTrack
has clearly focused on. Using the 2.6.20 kernel and a variety of patched
wireless drivers, BackTrack makes wireless penetration and fuzz testing
easy. Bluetooth hacking is supported as well. The wiki provides a list
of the security tools included for anyone who wants to ensure their
favorite will be available before booting BackTrack.
BackTrack also provides the now standard ability to write to the
ostensibly read-only root filesystem using unionfs, but it extends that to be
able to write data back to the media itself if it has multi-session
capabilities. It also
has some other unique features including the ability to provide a BackTrack
image for other machines to boot over the network via PXE. The PXE boot
can be combined with 'John the Ripper' to create a password cracking cluster.
The BackTrack developers have also pre-configured some of the tools like Snort,
kismet, Metasploit and others to allow folks to more quickly use those tools.
Perhaps the 'swiss army knife' metaphor is overused, but this distribution
certainly seems to fit that bill. There are other distributions with a
similar focus (a year old list can be found here),
but it will be hard to find one as up-to-date and as comprehensive as
BackTrack 2.0.
New Releases
The third Fedora 7 test release is out. "Test 3 is for early adopters.
Most things should work and we need your help to find what is broken."
Lots of packages have been updated, and a
bleeding-edge 2.6.21-rc5 kernel is included.
Mandriva Linux 2007 Spring RC3 "Beijing" is now available. "Beijing
features fixes to all major bugs in previous betas and release candidates,
the final version of GNOME 2.18, and the full feature set intended for the
final release."
MontaVista Software has announced
the release of MontaVista Linux Professional Edition 5.0.
"MontaVista Linux Professional Edition 5.0 release establishes a
number of Linux firsts for real-time performance. Building on the highly
successful real-time capabilities MontaVista pioneered in previous
offerings, MontaVista Linux Professional Edition 5.0 is first to include
the latest advancements in real time technology. These advanced
capabilities include high resolution timers and other native Linux
real-time enhancements led by Linux kernel maintainer Ingo Molnar and
enable developers to deliver a more reliable, higher quality end-user
experience."
SimplyMEPIS 6.5 for 32 and 64 bit Intel and AMD based PCs and MacTels has
been released by MEPIS. 6.5
started as a minor update to the Ubuntu pool compatible 6.0 release of
SimplyMEPIS but the project quickly expanded to add the 7.1 X window
manager, newer display and wireless drivers, Mac Intel support, Amarok
music player with music store and mtp support, and the experimental Beryl
3D desktop.
Distribution News
Andreas Barth has an update on the Etch release, which should be soon.
"The most important step that remains to be done is to finalize the
release notes, skim through the update reports and - well, fix the last
remaining few blockers. Etch is of a very good technical quality, and we
just need to polish a few remaining issues."
Martin "Joey" Schulze reports that
security updates for Debian GNU/Linux are officially available via IPv6 in
addition to the existing IPv4 mirrors.
This is the fourth call for votes in this year's Debian Project Leader
election. "At the time of writing, a couple of minutes into the third
(and final) week of the vote, we are doing OK with regards to voter
participation, all things considered. The big story in this election
seems to be the debacle of the letter ë. This mostly impacts people
sending in in-line OpenPGP signed ballots, since helpful MUAs and MTA in
the path then "protect" the non-7bit clean message body, which mucks
up the cryptographic check of the ballot."
The Smith Review Project is a new Debian project that aims to review all
English texts associated with Debian packages, namely debconf templates,
manual pages and package descriptions. "The project is named Smith
because every nice project must have a name and Smith is a commonly
accepted "common name" for people in English-speaking parts of the
world. It also opens possibilities to play on words with "blacksmith",
"wordsmith" and the like. The project also has a three-letter acronym name
(SRP) which is mandatory in Free Software projects." Contributors
with good skills in the English language and good writing ability are
welcome to join the project by subscribing to the debian-l10n-english
mailing list.
Anyone who is planning on going to DebConf7 in Edinburgh should reconfirm
their attendance by May 3, 2007.
According to the Mandriva End of Life Policy, Mandriva Linux 2006 will not
be receiving security updates as of April 13, 2007.
Distribution Newsletters
This edition of the Fedora Weekly News covers the Fedora 7 Test 3
announcement, the March 27 meeting of the board, Presto debut, missing
/dev/hdX devices, FC6 NetworkManager gets some love, LSB Compliance of
Initscripts, and several other topics.
The first edition of the Foresight Linux
Newsletter is out. This edition covers March 2007 with reports on
what's happening with Foresight Linux, including information on the latest
release, security updates, tips and tricks, what's in development and
Foresight in the press.
In this edition of the Ubuntu Weekly Newsletter Canonical is looking to
hire a user interface developer, a new way to ask for a program to be
packaged, Ubuntu Receives PC Welt Editor's Choice Award, easy-to-install
Codec Wizards, and much more.
The DistroWatch Weekly for April 2, 2007 is out.
"April is traditionally one of
the most exciting months on the distribution release calendar and this year
will be no different - Mandriva, Debian, Ubuntu, Fedora, and possibly
Gentoo and Slackware are all getting ready for delivering their latest and
greatest later this month. In other news, Arch Linux 0.8 hits the download
mirrors, Foresight Linux publishes its first monthly newsletter, the
developers of GParted LiveCD have released a new "Clonezilla" edition, and
Oracle prepares for the upcoming release of Enterprise Linux 5. Also in
this issue: an overview of PCLinuxOS and MEPIS Linux as part of the update
to our "Top Ten Distributions" page. Finally, we are pleased to announce
that the recipient of the DistroWatch.com March 2007 donation is the CentOS
project."
Newsletters and articles of interest
HowtoForge has a tutorial
on creating DVD images of Debian or Ubuntu. "Ubuntu doesn't offer
DVDs ready to download with its main, universe, multiverse and/or
restricted repositories. With the contents of this howto you can do it
yourself. Having the Ubuntu or Debian repositories on DVD can be useful
for those users who don't have access to the Internet where they have their
Ubuntu installed but have access somewhere else to download the repository
and build and burn the DVDs."
Distribution reviews
The Only Ubuntu blog has a
preview of the Ubuntu 7.04 (Feisty Fawn) beta. "The Ubuntu
developers are moving very quickly to bring you the absolute latest and
greatest software the Open Source Community has to offer. This is the
Ubuntu 7.04 Beta and it comes packed with a whole host of excellent new
features including the released GNOME 2.18, the 2.6.20 kernel and much
more."
Page editor: Rebecca Sobol
Development
GAFFitter is a command line utility which can be run against directory trees
to create groups of files that fit on media of a specified size:
Genetic Algorithm File Fitter (gaffitter) is a command-line software written in C++ that extracts --via
Genetic Algorithm-- subsets of an input list of files/directories that best fit the given volume size (target), such as CD, DVD and others. It is initially designed to run under Linux and POSIX systems, but easily portable to non-POSIX operating environment.
Using GA search, gaffitter improves different combinations of the files on the list so that the loss of space will be minimized. Ideal to be used for backups/records in CD, DVD and others.
Installation of GAFFitter was easy; the software was downloaded
here in tar.bz2 form. Building involved the usual bunzip2, tar,
make and make install steps. This all worked without problems on an
Ubuntu Edgy Eft system that had the usual software build tools installed.
The GAFFitter usage instructions
give an idea of the various ways that the application can be run.
An example run was tried on a collection of music files; GAFFitter did a good job
of producing packed lists that would fit on a series of 700MB CDs.
Version 0.5.1 of GAFFitter was announced on March 28, 2007:
"This release fixes a bug (uninitialized variable) and changes the default behavior of GAFFitter, which now extracts the volumes as much as possible (unlimited iterations)."
GAFFitter is a useful tool that can help to efficiently solve the
problem of fitting large collections of files onto fixed-sized media.
It is useful by itself, and can be incorporated into higher-level
applications, as shown by this example integration script
for the K3B multimedia utility. If you need to efficiently
pack some files for archival, give it a try.
System Applications
Database Software
Version 1.6.3 of pgAdmin is out with bug fixes.
"The pgAdmin Development Team are pleased to announce the release of pgAdmin 1.6.3, the Open Source graphical PostgreSQL administration tool for Windows, Linux, FreeBSD, Mac OS X and Solaris".
Version 3.3.14 of the SQLite DBMS is out.
"This version focuses on performance improvements. If you recompile the amalgamation using GCC option -O3 (the precompiled binaries use -O2) you may see performance improvements of 35% or more over version 3.3.13 depending on your workload. This version also adds support for exclusive access mode."
Stéphane Faroult discusses the emulation of analytic functions in MySQL on O'Reilly.
"One of the most hailed extensions brought to SQL in recent years has been these functions that Oracle calls analytic functions, DB2 calls OLAP functions, and SQL Server 2005 calls ranking functions--but which MySQL, so far, still lacks. The good news is that they can be (relatively) easily and efficiently emulated."
Mail Software
Experimental release snapshot 20070402 of the
Postfix 2.5 mail transfer agent
is out. See the
change log file for details.
Web Site Development
Version 2.5.0 of Contineo, a web-based document management system,
has been released. "This release comes with
many new features like skin (theme) support, right inheritance, valid XHTML
page generation, limiting setup access to admin user, Italian and Spanish
document search support, etc. The new version also brings an updated and
extended technology platform, so that new versions should be easier to
develop."
Raju Varghese presents part two in a series on visualizing web server log files in 3D.
"In my last article I showed how web server logfiles can be visualized as a 3D plot with the help of Perl and gnuplot. In this article we will enhance the plot in several ways. The main things we will introduce are color and evening out of the plot."
Desktop Applications
Audio Applications
Version 0.3 of JackMix, a mixer application for the JACK Audio Connection
Kit, is out with the following changes:
"Inspired by a lot of talking during LAC I have redone the sliders.
They still look kind of similar to some vu-meters but I think it isn't
that bad anymore.
But there are new knobs in this version too. They did get positive
feedback during the conference. :-)
The knobs from 0.2 didn't seem to scale well. At least not from the
usability point.
The biggest change is that version 0.3 saves the own state to
xml-files which can be read again later. Also adding a filename on the
commandline opens that file on startup. This enables version 0.4 to
have lash-support."
Version 0.2.22 of QjackCtl, the GUI control for the JACK Audio Connection Kit, has been released. This version includes bug fixes and other
improvements.
Desktop Environments
A new GNOME roadmap process is being discussed.
"In the next few days, all maintainers will receive a mail asking them
some questions about their plans for the modules they're maintaining.
It's really important that maintainers take the time to correctly reply
to this mail. A new team (the Roadmap Gang) will analyse all the
replies, and try to keep only the relevant parts for a GNOME-wide
roadmap."
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
The April 1, 2007 edition of the KDE Commit-Digest has been announced.
The content summary says:
"The beginnings of a KControl module for
Decibel configuration make an appearance. Developments in the Subversion
plugin for KDevelop. More optimisations in the KJS JavaScript interpreter.
Further progress in the KBattleship rewrite. New country maps in KGeography.
KRfb, a desktop sharing utility, starts to be ported to KDE 4. A new
GStreamer backend for Phonon, and QSR, a search-and-replace utility, are
imported into KDE SVN."
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Educational Software
Version 0.7.5 of GradeL,
a grade book automation program for teachers, is available.
"After quite a layoff, another version of GradeL has been released. This version fixes some issues and also adds some minor features."
Electronics
A development snapshot 2007-03-29 of gnucap, the GNU Circuit Analysis Package,
has been announced.
"The new one contains tools plugins. For now, there are two
plugins to adjust calculation precision. One selects full 80
bit precision on systems that by default round to 64 bit. The
other selects 64 bit IEEE compliant math on systems that
default to 80 bit. These only work on Intel and AMD 32 bit
CPU's."
Stable version 0.8.4 of
Icarus Verilog, an electronic simulation language
compiler, is out with bug fixes.
Comments (none posted)
Financial Applications
Release 2.8.0 of SQL-Ledger, a web-based accounting package, is out
with a long list of new features. See the
What's New document for details.
Comments (none posted)
GUI Packages
Release 2.8.3 of
wxWidgets,
a cross-platform GUI toolkit,
has been announced.
"
This is mainly a bug fix release; please see changes.txt for details."
Comments (none posted)
Interoperability
Version 0.3.4 of Wine has been
announced. Changes include:
support for Xcursor, a range of fixes for various installers,
a new builtin xcopy tool, the usual assortment of Direct3D fixes,
and lots of bug fixes.
Comments (none posted)
The March 30, 2007 edition of the
Wine Weekly Newsletter
is online with coverage of the Wine project. Topics include:
CrossOver & Linspire, Road to 1.0, DirectX To-Do List,
0.9.33 Benchmarks, Testing & Older Windows Versions and
Wine's Coverity Contact.
Comments (none posted)
Medical Applications
LinuxMedNews
covers
the release of Ultimate EMR.
"
Empower Med, Inc. announces the immediate release of Ultimate EMR on Sourceforge.net and Plone.org under the GNU General Public License. Ultimate EMR is the first Plone(tm) based, full-featured, web-enabled Electronic Medical Record software."
Comments (none posted)
LinuxMedNews
notes
the release of GNUmed version 0.2.5.
"
The GNUmed team worked hard to release yet another stable version. As features are being added more and more success stories of happy users reach us. For this release GNotary support on backup, improved phrasewheel code, handling of the original filename in the document archive, visual indication of patient birthday, initial KVK (German health insurance card) handling, connection pooling (massive speedup over slow network links), a generalized hooks framework and smart allergies handling has been added."
Comments (none posted)
Office Suites
OpenOffice.org 2.2 is out. "
In version 2.2, users will immediately notice the improvement in the
quality of text display in all parts of OpenOffice.org. The reason for
this is that the previously optional support for kerning, a technique to
improve the appearance of text written in proportional fonts, has now been
enabled by default. OpenOffice.org's unique pdf export function has also
been enhanced with the addition of the optional creation of
bookmarks feature, and support for user-definable export of form
fields." Click below for the full announcement.
Full Story (comments: 65)
The March, 2007 edition of the OpenOffice.org Newsletter
is out with the latest OO.o office suite articles and events.
Full Story (comments: none)
Languages and Tools
Caml
The April 3, 2007 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Java
Eclipse IDE support has been improved for
GCJ the GNU Compiler for Java:
"
Keith Seitz and Kyle Galloway have made considerable progress on GCJ's implementation of the JDWP. It is now possible to use eclipse to debug interpreted Java code using libgcj as the VM."
Comments (none posted)
Perl
The March 31, 2007 edition of the
Weekly Perl 6 mailing list summary is out with coverage of the latest
Perl 6 developments.
Comments (none posted)
Python
The March 30, 2007 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
The April 2, 2007 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The April 3, 2007 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Erik Wilde discusses
XInclude Processing in XSLT on O'Reilly.
"
Assembling various parts of a document before processing the assembled document is a recurring theme in document processing. XML Inclusions (XInclude) is the W3C standard created to support this scenario, but since it is a standalone specification, it needs to be supported by a piece of software implementing this functionality. The XInclude Processor (XIPr), written in XSLT 2.0, implements XInclude and thus may help to reduce the dependency on numerous software packages if XInclude is used in an environment where XSLT 2.0 is used anyway."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Linux.com has published some
comments on the third draft of the GPLv3.
"
When the second draft of GPLv3 was released, Linus Torvalds was one of its most outspoken critics. Although he stresses that he is giving only a preliminary opinion on GPLv3, and may change his mind as he looks at it more closely, his first response to the third draft is to give it qualified approval.
"Is it better?" Torvalds asks rhetorically. "Hell yeah. But it's been limited in ways that at least make it much saner. I'll have to think about it. The language seems cleaner and better than GPLv2 in many places, and many of my 'that is obviously totally idiotic crap' areas have either been improved or seem to have been removed entirely.""
Comments (6 posted)
Companies
PC World
reports on Dell's plans for offering pre-installed Linux systems.
"
Thanks to requests by its customers, Dell Inc. is going to start offering Linux pre-installed on its PCs and notebooks, the company said Wednesday.
Based on customer feedback Dell began soliciting last month, Dell said that top of mind among customers was that the company should begin offering Linux as an alternative to Windows on its personal computers, according to a posting on a company blog. Dell said it "has heard" what customers said and will act accordingly."
Comments (24 posted)
Glyn Moody
looks at
Dell and Linux. "
One of the core problems for open source has always
been that as a radical force outside the mainstream it is hard for its
supporters to influence conventional players there. In part, this was what
made Dell's Ideastorm so important: it gave a voice to those hitherto
unable to communicate usefully with the company. The effects have been
dramatic, with Dell now promising to sell systems with pre-installed
GNU/Linux. The question then must be, how can we build on that success to
achieve maximum impact?"
Comments (25 posted)
Red Herring
considers the effect of the GPLv3 license on Microsoft and Novell.
"
The new license, if accepted, could isolate Microsoft, as well as Novell, from the rest of the open-source community.
What it means is that Novell and Microsoft would have to stay with the GPLv2 license since it would be in violation of the GPLv3 license and the duo would not be able to take advantage of new developments made under GPLv3.
Microsoft reacted to the proposal with concern. "It is unfortunate that the FSF is attempting to use the GPLv3 to prevent future collaboration among industry leaders to benefit customers," said Horacio Gutierrez, Microsoft's vice president of intellectual property and licensing, in an email."
Comments (8 posted)
The Mozilla Corporation
has announced a partnership with eBay.
"
Mozilla and eBay International AG today announced they are working together to improve the online auction experience for people in France, Germany and the United Kingdom.
Together, Mozilla and eBay are collaborating on new technology and approaches to enable eBay users to stay up to date with their auctions more easily from within Firefox regardless of where they are on the Web."
MozillaZine
predicts how the technology will be accomplished in the
Firefox browser.
"No more specific information has been released but further details are promised in the second quarter of this year. However, an extension that allows users to track eBay auctions from within Firefox seems a likely possibility."
Comments (none posted)
Linux-Watch
looks at Red
Hat's financial results for the fiscal year. "
Red Hat Inc. reported
its financial results today for its fourth fiscal quarter and full fiscal
year, both of which ended Feb. 28. While total revenue was up, the market
was disappointed at the report that net income for the quarter fell about
25 percent year-over-year. Specifically, Q4 net income dropped from $28.75
million (13 cents per share) in 2006 to $21.5 million (10 cents per share)
in 2007. Total revenue for the quarter was $111.1 million, an increase of
41 percent year-over-year and up 5 percent from the prior
quarter. Subscription revenue was $95.9 million, up 44 percent
year-over-year and 8 percent sequentially."
Comments (none posted)
LinuxWorld
looks
at Red Hat's acquisition of JBoss, nearly one year later.
"
Customers seem to like the acquisition, since many Red Hat customers
were already JBoss users and can consolidate their vendor base with
ease. Red Hat now offers a single subscription product, Red Hat Application
Stack, that includes JBoss and Red Hat Enterprise Linux, along with the
Apache Web server, the PHP and Perl languages, and the open-source
databases MySQL and PostgreSQL."
Comments (none posted)
Legal
Linux Journal's Tom Adelstein
considers
the effectiveness of the CAN-SPAM act.
"
As I delete spam from my Gmail spam folder, I notice the volumes increasing. A year ago, I would see about five to ten emails a day in that folder. This morning, I woke up to 56 items. The volume of spam has grown, no doubt.
The acronym CAN-SPAM comes from the Congressional legislation's name: Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. The FTC has the responsibility of policing the Act. Of course, we all know what that means, the FTC will do little or nothing to enforce the legislation."
Comments (none posted)
Linux.com
reports
that the GPL is being tested in Israeli court. "
The defence in the
Jin vs. Ichessu case, in which the GNU General Public License (GPL) is
being tested in Israeli court, has filed a detailed defence, which moves
the lawsuit from the fast-track short proceedings option into a regular
court, where arguments are longer and possible settlements are
unlimited. More importantly for the free and open source software
community, the case now seems to hinge either on interpretations of the GPL
or whether the GPL is valid under Israeli copyright law."
Comments (8 posted)
Interviews
Here's a People Behind KDE
interview with Albert
Astals Cid. "
In what ways do you make a contribution to
KDE? I'm KPDF, Blinken and KGeography maintainer. I am the KDE liaison
and one of the main developers of the Poppler project (a Freedesktop.org
library for rendering PDF files). I am part of the okular project, that
aims to give KDE 4 the best unified document viewer around. I'm working on
a few new applications like Kombination (a scrabble game), PDF Transformer
(a pdftk frontend) and Kiriki (a Gtali clone). Finally I'm quite active on
the KDE-Edu and kdegames projects doing some maintenance work."
(Found on
KDE.News)
Comments (none posted)
Tux Deluxe has an
interview with
Bdale Garbee, Chief Technologist for Open Source & Linux at
Hewlett-Packard, and a former Debian Project Leader. "
The role of
Bdale Garbee at HP involves advising the company on both the technology and
community aspects of Linux and open source. He mentors internal HP
departments on how to productively participate in the free software
development process, and encourages the adoption of open source software
and principles across the company. A contributor to the free software
community for more than twenty-five years, his background also includes
many years of hardware design, UNIX internals, and embedded systems
work. He was an early participant in the Debian project, helped port Debian
GNU/Linux to five architectures, and remains active in the Debian
community."
Comments (3 posted)
KDE.News
interviews
KDE-Edu project developers
Carsten Niehaus, Albert Astals Cid and Anne-Marie Mahfouf.
"
The KDE-Edu developers are developing high-quality educational software for the K Desktop Environment. Their primary focus is on school children aged 3 to 18, and the specialised user interface needs of young users. However, they also have programs to aid teachers in planning lessons, and others that are of interest to university students and anyone else with a desire to learn!"
Comments (none posted)
Joe 'Zonker' Brockmeier
takes a
look at Dave Neary. "
Neary says his introduction to free
software came later, while he was working on a postgraduate research
project at Dublin City University in Dublin, Ireland. "The project I was
working on wouldn't compile or run properly under Windows (something about
the paging in the memory model) so I was doing most of my work remotely
through xterms on the department's Sun workstations. Emmet Caulfield
convinced me that I'd be better off with my own personal Linux workstation,
so I finally gave in and bought Linux for Dummies, which included an
install CD for Red Hat 5.0.... A month later, I was up and running with my
new shiny FVWM 95 desktop.""
Comments (none posted)
Resources
The April edition of
Linux
Gazette is out. Articles include Cursor Appearance in the Linux
Console, Getting Started with Linux Mint, Measuring Congestion Windows of
TCP Senders, Rule-based DoS attacks prevention shell script and much more.
Comments (none posted)
Netcraft has published the April, 2007 edition of the
Web Server Survey.
"
This month the Web Server Survey adds public tracking of
lighttpd, an open source server designed for high-performance sites that has been gaining popularity in recent months. Lighttpd is currently detected on 1.38 million sites for a 1.2% share of the web server market, well ahead of Zeus and moving up quickly on Sun. Lighttpd has a relatively small memory footprint and is optimized for a large number of parallel connections, which has made it popular on sites using applications based on AJAX or Ruby on Rails, or hosting environments for virtual private servers."
Comments (none posted)
Bruce Byfield
introduces
OO.o Calc functions in part one of a Linux Journal article series.
"
A function is a pre-defined calculation entered in a cell to help you analyze or manipulate data in a spreadsheet. All you have to do is add the arguments, and the calculation is automatically made for you. Beginners might be content to use Calc for lists, but, for advanced users, functions are the main reason for spreadsheets. If you understand functions, then you can start to use the real power of a spreadsheet.
In Part 1 of this article, I'll give a brief overview of functions and how they operate."
Comments (1 posted)
Reviews
Linux.com
reviews
GNOME 2.18. "
To get into full GNOME 2.18 mode, I installed the
Ubuntu Feisty beta, which includes GNOME 2.18, and also test-drove the
Foresight Linux release that includes 2.18. I found that the bump from 2.16
to 2.18 is pretty gentle. You're not going to find many differences in this
release that really stand out -- it takes some looking."
Comments (30 posted)
Computer Technology Review
takes a look
at the Pogo Linux StorageDirector 3000, which comes in 4, 8 and 12 Terabyte
versions.
"
Pogo Linux Inc., a provider of Linux-based servers, workstations and storage systems, has announced the release of its StorageDirector 3000 series NAS (network attached storage) appliance. The StorageDirector 3000 Series simplifies networked storage management, while providing NAS and iSCSI (Internet SCSI) functionality to meet increasingly complex customer needs at a small and medium business (SMB) price point, Pogo Linux said last week."
Comments (none posted)
SearchEnterpriseLinux.com
looks at Samba 3.0.25.
"
The latest code changes and improvements to Samba 3.0.25 weren't overly dramatic, said the project's release manager, but the subtle changes do push things along toward a scheduled production release in early April. The changes also push Samba 3 along its path toward making Linux machines behave a bit more like Windows, said Samba release manager Jerry Carter."
Comments (none posted)
Joe 'Zonker' Brockmeier
reviews
the Darter laptop from System 76.
"
With the exception of my trusty ThinkPad, the Darter is one of the sturdiest laptops I've had the pleasure of using. The laptop's chassis construction feels solid, and the screen does not flex much when you open and close it from a corner.
The review system I received included an Intel Core 2 Duo T7200 CPU, 1GB of system RAM, an Intel GMA 950 video chipset, Intel integrated audio and 802.11 a/b/g wireless Ethernet adapter, and a dual-layer DVD-RW/CD-RW drive. The system also includes a 10/100 Ethernet port, a single PCI Express card slot, a memory card reader, and a FireWire port with a mini FireWire connector."
Comments (none posted)
Scott Dowdle
reviews XenExpress on MontanaLinux.org.
"
According to the XenSource About page, "XenSource plays the dual role of leading the open source Xen(tm) community, while simultaneously selling value-added enterprise solutions based on Xen technology." The first part of that leads to various Linux distro makers integrating Xen into their distributions (like SUSE, Red Hat/clones, and Fedora). For the second part of that, XenSource currently offers a product line which includes XenExpress, XenServer and XenEnterprise. Of the three offerings, XenExpress is designed to be the entry level product and is free."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
A new discussion draft for version 3 of the GNU Lesser General Public
License (LGPLv3) is out. "
Since the license is currently written as
a set of additional permissions on top of GPLv3, a number of terms have
been updated to reflect changes in the GPLv3 draft released last week.
Additionally, we have made a few small adjustments to clarify particular
requirements."
Full Story (comments: none)
Mandriva has sent out a press release announcing that it is working with
Intel on its competitor to the OLPC. "
Mandriva and Intel spent eight months customizing the Mandriva Linux
operating system for Classmate PC, including integrating drivers and
adapting applications specially developed for this project. Classmate
PC will be produced in Brazil and launched in the second quarter of
2007. Following the launch, Classmate PCs running Mandriva Linux 2007
will be available to Mexico, India and developing countries."
Full Story (comments: 8)
Commercial announcements
Ampro Computers, Inc. has
announced a new PC/104 platform performance record.
"
Ampro Computers, Inc., a
leading supplier of standards-based computer systems, single board
computers (SBCs), and computer-on-modules (COMs), shatters the
previously-impenetrable 1 GHz barrier for rugged PC/104-size modules while
remaining true to form factor standards. In order for military, avionics,
transportation, and industrial system manufacturers to leverage existing
enclosures while upgrading performance, Ampro's new 1 GHz CoreModule(TM)
800 achieved a number of technological breakthroughs in fitting a complete
CPU subsystem with I/O, PCI-104 bus expansion, and network interfaces
without violating the required 3.550" x 3.750" (90 x 96 mm) board outline."
Comments (none posted)
Chelsio Communications, Inc. and AMCC have
announced a demonstration Gigabit Ethernet RAID system.
"
The complete, low-cost GbE storage solution from client to storage
server is running hardware accelerated RAID 5 on Linux. The storage server
includes AMCC's 440SPe "Katmai" evaluation board featuring the PowerPC
440SPe storage processor with high performance hardware RAID computational
capabilities.
Mounted on the board is a 2x1 GbE T3 acceleration card from Chelsio
acting as the iSCSI target and an LSI Logic SAS IOC card. The Katmai
platform is connected to an 8-disk storage array."
Comments (none posted)
The OpenVZ project has announced a version of its virtualization software
for Linux kernel version 2.6.20.
"
"Linux 2.6.20 is also the basis for the next Ubuntu distribution, which
potentially would enable us a smooth transition to add OpenVZ
virtualization," said Kir Kolyshkin, manager of the OpenVZ project. "With
this latest release of OpenVZ software, we've made a number of improvements
to benefit our users in the open source community.""
Full Story (comments: none)
Open-Xchange Inc. has
announced new CEO and CTO hires.
"
Open-Xchange Inc., the leading
provider of open source collaboration software, today named Gerald Labie as
the company's new CEO. The company also announced the appointment of Jurgen
Geck to the position of CTO. The moves provide Open-Xchange with a seasoned
management team to lead the company through a period of rapid growth."
Comments (none posted)
Paragon Software
has announced the launch of Paragon NTFS for Linux 6.0.
"
The product's purpose is to provide reliable, rapid and transparent read/write access to NTFS volumes under Linux. Among the new improvements and features in this release are complete support for 64 bit CPU architecture, Windows Vista NTFS file system, the latest Linux kernel and also includes performance enhancements."
Comments (none posted)
Penguin Computing, Inc. has
announced its latest venture capital financing.
"
Penguin Computing, the leader
in Linux Cluster Virtualization, today announced that it has closed $9
million in Series 2 financing, led by vSpring Capital, with participation
from existing investors, San Francisco Equity Partners, Weber Capital and
Convergence Partners. The injection of funds will help Penguin Computing
take advantage of the increasing demand for Linux High Performance
Computing (HPC) solutions, both among its strong customer base in the
commercial, government and academic fields, and beyond to rapidly expanding
enterprise markets such as web infrastructure."
Comments (none posted)
TimeSys has announced the appointment of Edward Nash as vice president of engineering.
"
Ed will be
responsible for the development and deployment of TimeSys
technologies, supporting the company's goal of delivering on-demand
access to continuously updated processor-optimized Linux packages,
components and tools for embedded Linux developers who build and
assemble their own commercial-grade custom Linux platforms."
Full Story (comments: none)
XenSource
has announced
the release of XenEnterprise 3.2, its commercial server virtualization
solution.
"
The new release, XenEnterprise 3.2, enables deployment of additional Windows and Linux versions, and enhances the power and flexibility of Windows guests via SMP support. XenEnterprise 3.2 also delivers greater security and performance, enhanced resource management capabilities, iSCSI SAN support, and improvements in manageability and serviceability."
Comments (none posted)
New Books
Pragmatic Programmers has published the book
Release It! Design and Deploy Production-Ready Software by Michael T. Nygard.
Full Story (comments: none)
Contests and Awards
Free Software Foundation
has announced
the Sahana project as the winner of its Award for Projects of Social
Benefit.
"
Sahana, an entirely volunteer effort to create technology for managing large-scale relief efforts, is the recipient of the 2006 Free Software Foundation Award for Projects of Social Benefit. Sahana was created, in the wake of the tsunami that devastated Southeast Asia in 2004, to compensate for the devastating consequences of a government attempt to manually manage the process of locating victims, distributing aid and coordinating volunteers."
(Thanks to Krishna Pagadala).
Comments (none posted)
Surveys
OpenSUSE is holding a
survey
on network settings; the survey is open until April 20, 2007.
Full Story (comments: none)
Education and Certification
O'Reilly has launched the
O'Reilly School of Technology.
"
The O'Reilly School of Technology bases its courses on the premise that
for people to learn any skill they must immerse themselves in the skill
and practice. The school employs an online learning technique called
"useractive learning" in which the student or "user" is actively engaged
in building and creating projects while the instructional material is
presented. There are no presentation-heavy videos and simulations to sit
through. Instead, the courses feature tutorial-style content and Learning
Sandboxes(r) that contain easy-to-use, real, open programming environments
in which the students try examples and work on projects."
Full Story (comments: none)
Upcoming Events
The technical program for the Gelato ICE conference & expo has been
announced. The event takes place in San Jose, CA on April 15-18, 2007.
"
Program tracks include: multi-core programming, IA-64 Linux kernel work,
virtualization, tools and tuning, topics for enterprise, GCC improvements,
and cutting-edge research. Linux keynote speakers will be Andrew Morton,
Maintainer of the Linux 2.6 Kernel, and Wim Coekaerts, Senior Director for
Linux Engineering at Oracle. You will also not want to miss the presentation
from Intel's James Fister outlining the latest, yet to be disclosed, Itanium processor roadmap."
Full Story (comments: none)
The Rockbox International Developers Conference 2007 will take place in
Stockholm, Sweden on May 19 and 20, 2007.
"
We thought we'd get together for a two-day Rockbox hacking
session, and that it would be cool if there were some other Rockbox devs
who would drop by and share the fun."
Full Story (comments: none)
Events: April 12, 2007 to June 11, 2007
The following event listing is taken from the
LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| April 12 to April 14 | International Free Software Forum (Forum Internacional Software Livre) | Porto Alegre, Brazil |
| April 14 to April 15 | Ruby and Python Conference 2007 | Poznan, Poland |
| April 15 to April 18 | Gelato ICE: Itanium® Conference & Expo | San Jose, California, USA |
| April 17 to April 19 | Embedded Linux Conference | San Jose, USA |
| April 18 to April 20 | CanSecWest Applied Security Conference 2007 | Vancouver, Canada |
| April 19 | Linux 2007 | Lisbon, Portugal |
| April 19 | Power Architecture Software Summit | Austin, TX, USA |
| April 20 to April 22 | International Conference on Availability, Reliability and Security | Vienna, Austria |
| April 20 to April 22 | Penguicon 5.0 Open Source Software & Science Fiction Convention | Troy, Michigan, USA |
| April 21 | Romanian Open Source Development Meeting | Bucharest, Romania |
| April 23 to April 25 | Samba eXPerience 2007 | Göttingen, Germany |
| April 23 to April 27 | PostgreSQL Bootcamp at the Big Nerd Ranch | Atlanta, USA |
| April 23 to April 26 | MySQL Conference and Expo | Santa Clara, CA, USA |
| April 28 to April 29 | Linuxfest Northwest | Bellingham, WA, USA |
| May 3 to May 4 | Ubuntu Education Summit | Sevilla, Spain |
| May 3 to May 5 | SugarCRM Global Developer Conference | San Jose, CA, USA |
| May 4 to May 6 | Libre Graphics Meeting 2007 | Montreal, Quebec, Canada |
| May 5 to May 6 | LayerOne Security Conference | Pasadena, CA, USA |
| May 5 | Ubucon - Sevilla | Sevilla, Spain |
| May 6 to May 11 | Ubuntu Developer Summit | Sevilla, Spain |
| May 7 | CommunityOne | San Francisco, CA, USA |
| May 8 to May 9 | World Summit on Intrusion Prevention | Baltimore, MD, USA |
| May 8 to May 11 | Annual Java Technology Conference | San Francisco, CA, USA |
| May 8 to May 11 | OSHCA 2007 | Kuala Lumpur, Malaysia |
| May 9 to May 11 | Red Hat Summit | San Diego, CA, USA |
| May 10 to May 11 | IEEE International Workshop on Open Source Test Technology Tools | Berkeley, CA, USA |
| May 10 | NLUUG Spring Conference 2007 | Ede, The Netherlands |
| May 11 to May 13 | Conferenze Italiana sul Software Libero | Cosenza, Italy |
| May 12 to May 13 | KOffice ODF Weekend | Berlin, Germany |
| May 14 to May 25 | The Pure Data Spring School 2007 | Glasgow, Scotland |
| May 16 to May 18 | php\|tek | Chicago, IL, USA |
| May 17 to May 20 | RailsConf 2007 | Portland, Oregon |
| May 18 to May 19 | eLiberatica Open Source and Free Software Conference | Brasov, Romania |
| May 18 to May 19 | FreedomHEC | Los Angeles, CA |
| May 18 to May 19 | BSDCan 2007 | Ottawa, Canada |
| May 19 to May 20 | The 3rd International Workshop on Software Engineering for Secure Systems | Minneapolis, Minnesota, USA |
| May 19 to May 20 | Rockbox International Developers Conference 2007 | Stockholm, Sweden |
| May 19 | Grazer LinuxDays 2007 | Graz, Austria |
| May 19 to May 20 | Make Magazine Maker Faire 2007 | San Mateo, CA, USA |
| May 19 | Linuxwochen Austria - Graz | Graz, Austria |
| May 21 to May 23 | International PHP 2007 Conference | Stuttgart, Germany |
| May 21 to May 25 | Python Bootcamp with David Beazley | Atlanta, USA |
| May 22 to May 23 | Open Source Business Conference | San Francisco, USA |
| May 22 to May 24 | Linux Days 2007, Geneva | Geneva, Switzerland |
| May 23 to May 24 | PGCon 2007 | Ottawa, ON, Canada |
| May 25 | Linuxwochen Austria - Krems | Krems, Austria |
| May 26 | PAKCON III | Karachi, Pakistan |
| May 29 to May 30 | Where 2.0 Conference | San Jose, CA, USA |
| May 29 to May 31 | European ADempiere Developers Conference | Berlin, Germany |
| May 29 to May 30 | I FLOSS CONFERENCE RESISTENCIA | Resistencia, Argentina |
| May 30 to June 2 | Linuxtag | Berlin, Germany |
| May 30 to June 1 | 3rd UNIX Days Conference - Gdansk 2007 | Gdansk, Poland |
| May 30 to June 1 | Linuxwochen Austria - Wien | Wien, Austria |
| June 2 to June 3 | Journées Python Francophones | Paris, France |
| June 9 to June 10 | PyCon Uno - First Python Italian conference | Florence, Italy |
| June 10 to June 15 | DebCamp | Edinburgh, Scotland |
| June 10 | Pluto Meeting 2007 | Padova, Italy |
If your event does not appear here, please
tell us about it.
Web sites
Canonical
has announced the release of Launchpad 1.0 Beta, a web-based
collaboration service.
"
Collaboration is crucial to free software projects, but has traditionally been difficult across communities that use different tools which don't easily exchange information. Launchpad's new approach links data from a variety of project-specific sources in different communities and presents it in a unified interface, bringing those communities closer together to solve common problems such as bugs in shared code. This public beta includes a redesigned interface that allows projects to brand their presence in the system and highlights the current activity of project members, making it easier to keep track of the latest changes."
Comments (31 posted)
Audio and Video programs
The Free Software Foundation Europe has released
a transcript and audio from a talk by Richard Stallman on the
third draft of the GPLv3 license.
"
This was his first GPLv3 talk since the release of draft 3 and he explains
how the Novell-MS deal was tackled and how the tivoisation clause was
narrowed to make it more acceptable."
Full Story (comments: none)
O'Reilly presents a new
podcast from the Where 2.0 conference.
"
One of the most enjoyable sessions at last year's was Safa Rashtchy's panel with a variety of teens. This year Rashtchy, a managing director for Piper Jaffray, is back with more teens and this time he includes their parents as well.
You can download the audio as an mp3 or download the video as an mp4, or you can subscribe to the audio podcast or to the video podcast."
Comments (none posted)
Page editor: Forrest Cook