LWN.net Weekly Edition for February 27, 2003
Full disclosure and the banking industry
Back in 1992, an English police officer named John Munden returned from a vacation to find that a series of ATM withdrawals had cleaned out his bank account. His complaints to the bank were not received well; they responded that their systems were secure and only Mr. Munden could have made those withdrawals. When he persisted, the bank (the Halifax Building Society) had him prosecuted (and convicted) for fraud. It took four years, and a great deal of effort by a researcher named Ross Anderson, to shine a light on Halifax's poor security, and to get Mr. Munden freed on appeal. Even so, the attitude of the banking industry has changed little; complaints of "phantom withdrawals" are given little credence, and account holders often end up footing the bill. (Some countries, including the U.S., give consumers more protection than others, such as Britain, in this area).Given that peoples' money - and freedom - are being staked on the security of the ATM system, it would be nice to know that this system is truly secure. But banks, unsurprisingly, are unenthusiastic about opening up their systems to external review. Mr. Anderson and colleagues have continued their research into the phantom withdrawal problem, and have served as expert witnesses in associated court cases. Recently they turned up something interesting.
The personal ID numbers (PINs) used to verify the person using an ATM card are kept in a carefully-guarded database. It is not generally possible to extract a specific PIN directly. Instead, the ATM system operates through a set of hardware security modules that can give "yes or no" answers for a given account number and PIN. Thus, it is claimed, even a corrupt insider would be reduced to guessing to obtain a specific PIN number. The search space is not that large (10,000 numbers), but it still requires an average of 5,000 guesses to obtain a single PIN.
Mike Bond and Piotr Zielinski, working with Mr. Anderson, found a vulnerability in this system; their writeup is available (for now) on the web in PDF format (also available here while Cryptome, which apparently has been broken into, gets back on its feet). By manipulating a simple "decimalization table" used in the generation of the PIN from the account number, an attacker can quickly determine which digits are present in the PIN. Using that information and some additional tricks, the researchers were able to extract PIN numbers using an average of 15 guesses. An attacker, they conclude, would be able to extract about 7,000 PINs over the course of a half-hour lunch break.
Citibank has responded to this discovery by seeking a gag order to suppress the disclosure of the vulnerability information. The information, says Citibank, is confidential and should not be released publicly. This action immediately had the obvious effect: once word got out, the paper describing the vulnerability was copied far and wide across the net, beyond any feasible recall. Even in the modern world, once information gets out, it is out.
Citibank could certainly argue that it does not want to provide useful information to those who would attack its systems. On the other hand, the rising tide of phantom withdrawal cases suggests that some of this information is in the hands of the Bad Guys already. Could it be that the banks are really trying to avoid (1) admitting that phantom withdrawals are a real problem, and (2) undertaking the expensive task of fixing their systems?
Evidence in the software field consistently suggests that vendors do not rush out to fix their security problems in the absence of considerable external pressure to do so. This is especially true if the costs of the problems can be pushed onto somebody else. The banking industry needs disclosure of its problems if we are to have any confidence in its security at all. As with vulnerabilities in the software industry, banking vulnerabilities should be handled with some care. But the information has to get out, or the problems will not be fixed in any sort of timely way. Consider, for example, the uproar the resulted when Matt Blaze exposed a vulnerability in master-keyed door locks which, apparently, had been known to locksmiths (but not fixed) for decades.
The lessons we have learned in the software world are applicable in a much wider context. Continued defense of our ways of working, including disclosure of security problems and open review of security-related systems, is important for our security and freedom. This is true with regard to our computing systems, and far beyond.
The State of Multimedia Linux
[This article was contributed by Joe 'Zonker' Brockmeier]
About three years ago a volunteer project, sparked by Marco Trevisani, started working on DeMuDi (the Debian Multimedia Distribution). The goal of DeMuDi was to provide a multimedia GNU/Linux distribution. Not just a distribution with multimedia players and viewers, but a distribution with tools to author multimedia content. Originally devised for distribution at the International Computer Music Conference, the project took on a life of its own after that conference.According to Guenter Geiger, one of the developers who worked on the original DeMuDi project and who has been one of the main volunteers until recently, the project sparked the AGNULA (A GNU/Linux Audio distribution) project. (Note: The availability of the AGNULA website leaves much to be desired. It may be easier to get information on AGNULA using Google's caching feature.) The AGNULA project was started by Nicola Bernardini. Bernardini, the manager of Centro Tempo Reale in Florence, delivered a proposal to the European Commission. The EC gave a green light to the project, and provided a two-year funding package starting April 1, 2002.
The AGNULA project is coordinated by Tempo Reale and involves research institutions in Paris, Barcelona, Stockholm and the Free Software Foundation Europe. The goal of the project is to produce two distributions, DeMuDi and a Red Hat-based version called ReHMuDi, as well as a number of multimedia packages. Only free software is to be used to build these distributions.
Unfortunately, development of the distributions under the AGNULA project do not seem to be proceeding quite as quickly as some might have hoped. Trevisani, who was the Technical Coordinator for the AGNULA/DeMuDi project, spoke up a few weeks ago on the Debian developer media list about the problems with DeMuDi as a separate distribution and the need for a internal Debian multimedia project:
Trevisani has stepped down from his position as Technical Coordinator for the project after one year of work and the release of DeMuDi 0.9. The position is now being handled by Andrea Glorioso. Glorioso also took part in the discussion on the Debian developer mailing list, and says that they're trying to find a good way to cooperate between the AGNULA project and Debian. However, there are some technical hurdles in coordinating packages with Debian, since the stable distribution moves very slowly and the testing and unstable distributions are (by definition) always in a state of flux.
Geiger has also stopped working on DeMuDi and says that he wants to "concentrate more on pushing the idea within Debian, simply by maintaining the DeMuDi packages within the Debian framework." Geiger says that the main problem with DeMuDi is a lack of developers. A glance at the DeMuDi developer mailing list archives shows that there's not a lot of activity on that front.
While some developers are being paid for work related to Linux multimedia, Geiger says there is little money for creating the distribution itself. According to Geiger, "the big part of the money is going into the subprojects...the small part that is left for building the two distributions is divided equally among DeMuDi and RehMuDi." Both Geiger and Trevisani have worked on DeMuDi as volunteers.
For now, Geiger says that the he hopes there will be more discussion within Debian about an internal multimedia project. He also mentioned that a separate mailing list for discussion of a multimedia project has been requested. As of yet, there's no official word on the status of an internal Debian project.
Whether the AGNULA projects will result in a usable multimedia distribution, or if Trevisani and Geiger will be successful in producing a viable sub-project within Debian, remains to be seen. If Linux is going to make any kind of dent in Microsoft's share on the desktop, we'll definitely need multimedia applications that can compete with the commercial counterparts for Windows and the Mac OS. There are a number of applications that are showing promise, but a distribution that bundles the applications could be a huge boon in luring users away from proprietary platforms and onto Linux.
Continuing fun with software patents
The U.S. Patent and Trademark Office continues to amaze with the range of software technologies that it is willing to patent. Here are a couple of new ones:- Interwoven has been awarded patent
#6,505,212 for a "system and method for website development."
What the patent really covers, though, is a revision control
system; the management of web site content is just one possible use
suggested in the patent abstract. This patent covers content
management systems like Zope quite clearly; revision control systems
like CVS could also be threatened, however. (See also: Interwoven's
press release on the patent).
- Amazon, meanwhile, was just given patent #6,525,747, which covers online discussion systems. This patent would appear to cover just about any site which allows the posting of comments. It might be limited somewhat, however, by its reference to "items offered for sale" as the starting point for discussions.
There is no doubt that copious amounts of prior art can be found for both of these patents. Your editor first used a revision control system - accessed with punch cards - over twenty years ago. Web sites allowing discussions existed before Amazon hit the net, and certainly before 1999, when the patent was filed.
But prior art does not help address the real problem: the patent office is allowing companies to try to fence off little bits of the intellectual landscape without regard to originality or any pretense of promoting any sort of progress. Increasingly, it is impossible to write any sort of nontrivial program that does not infringe upon somebody's patent. The only saving grace is the fact that most of these patents are never enforced. Otherwise, software development would grind to a halt - at least, in those countries which allow software patents.
LWN Update
It's been a little while since we have posted one of these updates. That is as it should be...better to fill our pages with the stuff you all really came to read. We'll let you get into this week's hot security updates shortly, but, first, a word from your sponsor.The individual subscription count stands at almost exactly 2500; it really has not changed much in the last couple months. 2500 subscribers will keep the lights on for now, but that's really not enough to keep things going in the long term. Somehow we are going to have to find a way to inspire quite a few more of you to subscribe.
That said, here's a quick heads up: we'll be making a small change to subscription pricing shortly. Until now, we have encouraged readers to take out monthly subscriptions for a couple of reasons: we didn't want to risk going under with a large unfulfilled subscription liability, and we were doing our best to avoid getting in trouble with our credit card merchant bank. At this point, we are reasonably confident that we'll figure this out somehow and find a way to stick around for the long term. And our new merchant bank is rather more friendly than the old one was. The monthly renewals are also costing us a fair amount in processing fees.
So we will soon (within a week or two) implement a discount for longer-term subscriptions. It won't be huge, but it will reflect the difference in our costs, and, hopefully, encourage a shift away from the monthly method. An announcement will go out when the new scheme goes into effect.
Thanks, as always, for supporting LWN.
Security
Brief items
Giving Root to the Web
[This article was contributed by Tom Owen]
These days, pretty much any box with an Ethernet port has a web administration interface running alongside the command line and that iffy SNMP agent. Even if you can ignore horrors like the admin password going through an HTML form and no support for HTTPS, it's unlikely that the web server running in, say, a cheap switch will have been better tested or reviewed than miniserv.pl, the perl HTTP server which runs at the core of Webmin.Webmin is a popular administration package which provides form-based access to configuration files for many standard and optional components. Administrators use a browser and the Webmin forms to manage users DNS zone changes, driver modules and many other tasks. All the applications are perl modules, running via CGI under the miniserv.pl web server.
The recent vulnerability report from the LAC security lab suggests that miniserv.pl can be fooled by control characters in a web authentication string. It apparently needs the "Enable Password Timeout" option to be set in Webmin, but that's an option that many cautious admins will choose anyway. The inevitable exploit makes it concrete and easy. It's nicely set up to get a script kiddy going: a few lines of perl run netcat to fake a single HTTP GET. It's all simple and transparent except for an artfully crafted base64 string on the Authorization: header. The control codes there create a specific session for the default user "admin". A cookie containing the session ID on a local browser is then all the attacker needs to use all the Webmin modules. It's complete server root access with full havoc potential in a very few steps.
A search for "webmin" on Bugtraq shows a trickle of problems, mostly in the last couple of years, ranging from local privilege escalation to full remote admin access. Cross site scripting and other old favorites show up with oddities like leftover environment variables. In fact the the system seems more secure than many, but the consequences of failure are much worse than for ordinary web applications: instead of one function or application being compromised, it's the whole server. This situation raises a question: Can it ever be responsible to put a root function on to a web protocol?
This isn't particularly a Webmin issue. The miniserve.pl fault was promptly fixed in 1.070 but all of those cheap printers, switches and wireless access points are still booting the firmware they shipped with. We can be sure that this is a case where absence of reports doesn't mean the holes aren't there. Despite the potential for trouble, no reduction in web-based administration, even over the public internet, is going to happen soon. It probably won't even begin to happen until someone gets sued for negligence -- it's just too useful, and for remotely-hosted servers it's pretty much essential.
Just looking at Webmin, the value stands out:
- So many people hate text mode configuration
- Even those who love it acknowledge that systems like Bind are ticklish to get right by hand: A display like this is not lovely, but it can save you from forgetting the reverse addresses.
- Checklist purchasers need it: it's a good, demonstrable counterargument to "Linux is impossible to administer" charges.
- Turn off unused web administrator systems (and SNMP too.) Scan to make sure they stay off.
- When it's configurable, standardise on a web administration port to block unconditionally at the firewall. Caldera, for example, uses port 1000.
- Printers and switches don't need Internet access. At the firewall, block the IP range they're in.
- In simple LANs they don't even need a default gateway. 0.0.0.0 is fine.
- Webmin and others offer IP-based access control. Turn it on and only include administrators' machines.
- In the longer term, get that VPN on-line.
New vulnerabilities
apcupsd - remote root vulnerability and buffer overflows
| Package(s): | apcupsd | CVE #(s): | CAN-2003-0098 CAN-2003-0099 | ||||||||||||||||||||
| Created: | February 24, 2003 | Updated: | April 3, 2003 | ||||||||||||||||||||
| Description: | From the MandrakeSoft
advisory:
A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5 which contains additional enhancements like USB support, and the latest stable version, 3.8.6. There are a few changes that need to be noted, such as the port has changed from port 7000 to post 3551 for NIS, and the new config only allows access from the localhost. Users may need to modify their configuration files appropriately, depending upon their configuration. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
BitchX - denial of service
| Package(s): | BitchX | CVE #(s): | |||||||||||||||||
| Created: | February 20, 2003 | Updated: | May 26, 2003 | ||||||||||||||||
| Description: | From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
shadow-utils: useradd tool creates mail spools with incorrect permissions
| Package(s): | shadow-utils | CVE #(s): | CAN-2002-1509 | ||||||||
| Created: | February 20, 2003 | Updated: | February 27, 2003 | ||||||||
| Description: | The shadow-utils package includes programs for converting UNIX password
files to the shadow password format, plus programs for managing user and
group accounts. One of these programs is useradd, which is used to create
or update new user information.
When creating a user account, the version of useradd included in Red Hat Linux 7.2, 7.3, and 8.0 creates a mailbox file with incorrectly-set group ownership. Instead of setting the file's group ownership to the 'mail' group, it is set to the user's primary group. On systems where other users share the same primary group, this would allow those users to be able to read and write other user mailboxes. | ||||||||||
| Alerts: |
| ||||||||||
usermin - unauthorized access
| Package(s): | usermin, webmin | CVE #(s): | |||||||||||||||||
| Created: | February 24, 2003 | Updated: | February 27, 2003 | ||||||||||||||||
| Description: | - From announcement:
"Due to a remotely exploitable security hole being discovered that effects all previous Webmin releases, version 1.070 is now available for download from http://www.webmin.com/ and mirror sites. This problem was reported by Cintia M. Imanishi, but fortunately there have been no known malicious exploits of it yet. However, all users should upgrade to 1.070 as soon as possible." "Also available is Usermin 1.000 which fixes the exact same security hole. It includes the same File Manager features, as well as support for IMAP folders and an IMAP inbox in the Read Mail module." Read this alert for the details. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
vnc - replay and cookie vulnerabilities
| Package(s): | vnc | CVE #(s): | CAN-2002-1336 CAN-2002-1511 | ||||||||||||||||||||
| Created: | February 21, 2003 | Updated: | May 5, 2003 | ||||||||||||||||||||
| Description: | VNC is a tool for providing a remote graphical user interface. Two
vulnerabilities have been found in versions of VNC shipped by Red Hat.
The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie. The VNC DES authentication scheme is implemented using a challenge-response architecture, producing a random and different challenge for each authentication attempt. A bug in the function for generating the random challenge caused the random seed to get reset to the current time on every authentication attempt. Therefore, two authentication attempts within the same second could receive the same challenge. An eavesdropper could exploit this vulnerability by replaying the response, thereby gaining authentication. All users of VNC are advised to upgrade to these erratum packages, which contain patches to correct these issues. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
zlib 1.1.4 has buffer overrun
| Package(s): | zlib | CVE #(s): | CAN-2003-0107 | ||||||||||||||||||||||||||||
| Created: | February 25, 2003 | Updated: | April 29, 2003 | ||||||||||||||||||||||||||||
| Description: | From this Bugtraq
posting:
"zlib contains a function called gzprintf(). This is similar in behaviour to fprintf() except that by default, this function will smash the stack if called with arguments that expand to more than Z_PRINTF_BUFSIZE (=4096 by default) bytes." | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
Resources
Nessus 2.0 released
Version 2.0 of the Nessus security scanner has been released. It includes a reworked and reimplemented NASL language, an improved plugin system, a new port scanner, improved HTML reporting, and more.Linux Advisory Watch
The February 21 Linux Advisory Watch newsletter from LinuxSecurity.com is available.
Events
Call For Papers Announcement: Black Hat Briefings Amsterdam
The 2003 Black Hat Briefings will be held May 14 and 15 in Amsterdam. The call for papers has gone out with a submission deadline of March 25.
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current development kernel is 2.5.63, released by Linus on February 24. It includes an ISAPnP update, some IDE changes (see last week's Kernel Page), an ACPI update, various architecture updates, a new x86 "double fault" handler, a bluetooth update, and the inevitable set of spelling fixes. The the long-format changelog has the details.
Linus's BitKeeper tree includes some more loadable module fixes, more
spelling fixes ("A 'wether' is a castrated goat
"), a uClinux
update, an XFS update, a software suspend update, and various other fixes
and performance improvements.
The current stable kernel is 2.4.20. Marcelo has promised a new 2.4.21 prepatch soon, but it had not appeared as of this writing.
The current 2.4 prepatch from Alan Cox is 2.4.21-pre4-ac6; it adds mostly driver updates.
Kernel development news
The object-based reverse-mapping VM
The reverse-mapping VM (RMAP) was merged into 2.5 to solve a specific problem: there was no easy way for the kernel to find out which page tables referred to a given physical page. Certain activities - swapping being at the top of the list - require making changes to all relevant page tables. You simply can not swap a page to disk until all of the page table entries pointing to it have been invalidated. The 2.4 kernel handles swapping by scanning through the page tables, one process at a time, and invalidating entries for pages that look like suitable victims. If it happens to find all of the page table entries in time, the page can then be evicted to disk.In 2.5, a new data structure was added to make this process easier. Initially each page in the system (as represented by its struct page structure in the system memory map) had a linked list of reverse mapping entries pointing to every page table entry referencing that page. That worked, but it introduced some problems of its own. The reverse mapping entries took up a lot of memory, and quite a bit of time to maintain. Operations which required working with a lot of pages slowed down. And the fork() system call, which must add a new reverse mapping entry for every page in the process's address space, slowed significantly. As a result, there has been an ongoing effort to mitigate RMAP's costs.
Now a new technique, as embodied in this patch by Dave McCracken, has been proposed. This approach, called "object-based reverse mapping," is based on the realization that, in some cases at least, there are other paths from a struct page to a page table entry. If those paths can be used, the full RMAP overhead is unnecessary and can be cut out.
By one reckoning, there are two basic types of user-mode page in a Linux system. Anonymous pages are just plain memory, the kind a process would get from malloc(). Most other pages are file-backed in some way; this means that, behind the scenes, the contents of that page are associated with a file somewhere in the system. File-backed pages include program code and files mapped in with mmap(). For these pages, it is possible to find their page table entries without using RMAP entries. To see how, let us refer to the following low-quality graphic, the result of your editor's nonexistent drawing skills:
![[Cheezy drawing]](https://static.lwn.net/images/ns/ormap.png)
The struct page structure for a given page is in the upper left corner. One of the fields of that structure is called mapping; it points to an address_space structure describing the object which backs up that page. That structure includes the inode for the file, various data structures for managing the pages belonging to the file, and two linked lists (i_mmap and i_mmap_shared) containing the vm_area_struct structures for each process which has a mapping into the file. The vm_area_struct (usually called a "VMA") describes how the mapping appears in a particular process's address space; the file /proc/pid/maps lists out the VMAs for the process with ID pid. The VMA provides the information needed to find out what a given page's virtual address is in that process's address space, and that, in turn, can be used to find the correct page table entry.
So all the object-based RMAP patch does is remove the direct reverse mapping entry (pointing from the page structure directly to the page table entry). When it is necessary to find that entry, the virtual memory subsystem simply takes the longer way around, via the address_space and vm_area_struct structures. Finding a page table entry this way certainly will take longer than following a direct pointer, but it should come out cheaper when one considers all of the RMAP information that no longer needs to be maintained.
The object-based RMAP patch does not change the handling of anonymous pages, which do not have an associated address_space structure.
Martin Bligh has posted some initial benchmarks showing some moderate improvement in the all-important kernel compilation test. The object-based approach does seem to help with some of the worst RMAP performance regressions. Andrew Morton pointed out a worst-case performance scenario for this approach, but it is not clear how big a problem it would really be. Andrew has included this patch in his 2.5.62-mm3 tree.
Assuming that this patch goes in (it's late in the development process, but that hasn't stopped Linus from taking rather more disruptive VM patches before...), one might wonder if a complete object-based implementation might follow. The answer is "probably not." Anonymous pages tend to be private to individual processes, so there is no long chain of reverse mappings to manage in any case. So even if such pages came to look like file-backed pages (as could happen, say, with a rework of the swapping code), there isn't necessarily much to be gained from the object-based approach.
Page clustering
The object-based RMAP patch is one approach to reducing the overhead of the virtual memory subsystem. William Lee Irwin has posted another: page clustering. Much of the VM subsystem's overhead is per-page; each page requires a memory map entry, possibly RMAP chains, etc. One way of reducing that overhead, clearly, would be to have fewer pages. Since most users will react poorly to suggestions that they remove memory from their systems, the only feasible way of reducing the page count is to make the pages themselves bigger.The page clustering patch (based on work originally done by Hugh Dickins) works by taking physical pages (as seen by the hardware) and grouping them into larger, virtual pages as seen by the kernel. x86 hardware works (normally) with 4K pages; with page clustering the kernel can work with pages as large as 32K (according to the comments in page.h or 64K (according to what the code is actually doing). Thus, the page count (and associated overhead) can be reduced by a factor of up to 16.
This idea is not particularly new; early versions of BSD clustered the 512-byte pages provided by VAX systems into 1024-byte internal pages. Still, it's a bit tricky to implement inside the Linux kernel. Much kernel code thinks it understands the concept of the "page size," but, with this patch, there are two different page sizes. Code dealing with the hardware memory management unit (MMU) must work on the MMU's terms, while code working with kernel pages should see the larger size. The result is a great deal of work trying to figure out whether each bit of code should be working with PAGE_SIZE units, or the new MMUPAGE_SIZE. It is not a job for the faint of heart.
This patch is, for now, not for casual users; by William's admission a
number of things are still broken. But, fear not: "I've yet to
encounter non-fsck-recoverable filesystem corruption with remotely current
sources.
" Even when the problems are fixed, this patch looks fairly
involved for 2.5 at this point. But, one never knows.
Threads and /proc
One result of all the work that was done with improved threading support in the 2.5 kernel is that threads stopped showing up in the /proc filesystem. Most people don't miss them, but there are reasons for wanting to be able to deal with individual threads through /proc. The main problems have been useability and performance. If you are running a system with thousands of threads, /proc becomes rather large and difficult to work with. It's also slow. Ingo Molnar found that, with 16,000 threads in /proc, the top utility took 22 seconds to work through them all.The result of Ingo's work, of course, is a patch improving the situation. The first thing Ingo did was to create a "lookup cursor" that gets stashed into the file structure for a process that is digging through /proc. That cursor caches the current state of the directory read operation, greatly speeds the process of reading through a large /proc directory. Ingo also added some new process information so that the thread group leader can be queried for cumulative information on the whole group.
Nobody complained much about those changes; there was one other, though, that was a bit more controversial. With Ingo's patch, threads show up in /proc with a period in front of the process ID. Thus, a normal process might be represented as /proc/1234, while a thread would, instead, be /proc/.1234. That change makes it easy for applications to distinguish threads from "full" processes; it also has the effect of hiding threads from a casual /proc directory listing.
Unsurprisingly, a number of developers (including Linus) see the period as being a bit of a hack. Wouldn't it be better to put threads in a subdirectory under the thread group leader's ID? Linus even posted a quick patch showing how he thought it could be done. A new patch from Ingo has not yet appeared, but it seems likely that the next revision will put threads into subdirectories. At that point, threads will probably return to /proc in the 2.5 kernel.
And /proc will remain fast even with large numbers of threads; Ingo's 16,000-thread top case went from 22 seconds to 0.16 seconds.
Driver porting
New articles in the driver porting series
Below you'll find two new articles in the LWN driver porting series; they deal with timekeeping and safe sleeping. Since last week we have also added an article on working with the preemptible kernel and an updated description of the 2.5 workqueue interface. Those articles, and all the others, can be found on the driver porting page.Driver porting: Timekeeping changes
| This article is part of the LWN Porting Drivers to 2.6 series. |
Internal clock frequency
One change which shouldn't be problematic for most code is the change in the internal clock rate on the x86 architecture. In previous kernels, HZ was 100; in 2.6 it has been bumped up to 1000. If your code makes any assumptions about what HZ really was (or, by extension, what jiffies really signified), you may have to make some changes now. For what it's worth, as of 2.6.0-test9, the default values of HZ in the mainline kernel source (which sometimes lags the architecture-specific trees) is as follows: Alpha: 1024/1200; ARM: 100/128/200/1000; CRIS: 100; i386: 1000; IA-64: 1024; M68K: 100; M68K-nommu: 50-1000; MIPS: 100/128/1000; MIPS64: 100; PA-RISC: 100/1000; PowerPC32: 100; PowerPC64: 1000; S/390: 100; SPARC32: 100; SPARC64: 100; SuperH: 100/1000; UML: 100; v850: 24-100; x86-64: 1000.
Kernel time variables
When the internal clock rate on a 32-bit system is set to 1000, the classic 32-bit jiffies variable will overflow in just over 49 days. Overflows could always happen on systems with a long uptime, but, when it took well over a year of uptime, it was a relatively rare occurrence - even on Linux systems. It is not uncommon at all, however, for a system to be up for more than 50 days. In most cases, having jiffies wrap around is not a real problem; it can be inconvenient for tasks like process accounting, however. So the 2.5 kernel has a new counter called jiffies_64. With 64 bits to work with, jiffies_64 will not wrap around in a time frame that need concern most of us - at least until some future kernel starts using a gigahertz internal clock.For what it's worth, on most architectures, the classic, 32-bit jiffies variable is now just the least significant half of jiffies_64.
Note that, on 32-bit systems, a 64-bit jiffies value raises concurrency issues. It is deliberately not declared as a volatile value (for performance reasons), so the possibility exists that code like:
u64 my_time = jiffies_64;
could get an inconsistent version of the variable, where the top and bottom halves do not match. To avoid this possibility, code accessing jiffies_64 should use xtime_lock, which is the new seqlock type as of 2.5.60. In most cases, though, it will be easier to just use the convenience function provided by the kernel:
#include <linux/jiffies.h>
u64 my_time = get_jiffies_64();
Users of the internal xtime variable will notice a couple of similar changes. One is that xtime, too, is now protected by xtime_lock (as it is in 2.4 as of 2.4.10), so any code which plays around with disabling interrupts or such before accessing xtime will need to change. The best solution is probably to use:
struct timespec current_kernel_time(void);
which takes care of locking for you. xtime also now is a struct timespec rather than struct timeval; the difference being that the sub-second part is called tv_nsec, and is in nanoseconds.
Timers
The kernel timer interface is essentially unchanged since 2.4, with one exception. The new function:
void add_timer_on(struct timer_list *timer, int cpu);
will cause the timer function to run on the given CPU with the expiration time hits.
Delays
The 2.5 kernel includes a new macro ndelay(), which delays for a given number of nanoseconds. It can be useful for interactions with hardware which insists on very short delays between operations. On most architectures, however, ndelay(n) is equal to udelay(1) for waits of less than one microsecond.
POSIX clocks
The POSIX clocks patch (merged into 2.5.63) is beyond the scope of this article. If you are working with a device which can provide an interesting time service (high resolution or high accuracy), you may want to consider using it to drive a POSIX clock. Look into kernel/posix-timers.c for more information.Driver porting: sleeping and waking up
| This article is part of the LWN Porting Drivers to 2.6 series. |
wait_event() and friends
Most of those alternatives have been around since 2.3 or earlier. In many situations, one can use the wait_event() macros:
DECLARE_WAIT_QUEUE_HEAD(queue);
wait_event(queue, condition);
int wait_event_interruptible (queue, condition);
These macros work the same as in 2.4: condition is a boolean condition which will be tested within the macro; the wait will end when the condition evaluates true.
It is worth noting that these macros have moved from <linux/sched.h> to <linux/wait.h>, which seems a more sensible place for them. There is also a new one:
int wait_event_interruptible_timeout(queue, condition, timeout);
which will terminate the wait if the timeout expires.
prepare_to_wait() and friends
In many situations, wait_event() does not provide enough flexibility - often because tricky locking is involved. The alternative in those cases has been to do a full "manual" sleep, which involves the following steps (shown here in a sort of pseudocode, of course):
DECLARE_WAIT_QUEUE_HEAD(queue);
DECLARE_WAITQUEUE(wait, current);
for (;;) {
add_wait_queue(&queue, &wait);
set_current_state(TASK_INTERRUPTIBLE);
if (condition)
break;
schedule();
remove_wait_queue(&queue, &wait);
if (signal_pending(current))
return -ERESTARTSYS;
}
set_current_state(TASK_RUNNING);
A sleep coded in this manner is safe against missed wakeups. It is also a fair amount of error-prone boilerplate code for a very common situation. In 2.6, a set of helper functions has been added which makes this task easier. The modern equivalent of the above code would look like:
DECLARE_WAIT_QUEUE_HEAD(queue);
DEFINE_WAIT(wait);
while (! condition) {
prepare_to_wait(&queue, &wait, TASK_INTERRUPTIBLE);
if (! condition)
schedule();
finish_wait(&queue, &wait)
}
prepare_to_wait_exclusive() should be used when an exclusive wait is needed. Note that the new macro DEFINE_WAIT() is used here, rather than DECLARE_WAITQUEUE(). The former should be used when the wait queue entry is to be used with prepare_to_wait(), and should probably not be used in other situations unless you understand what it is doing (which we'll get into next).
Wait queue changes
In addition to being more concise and less error prone, prepare_to_wait() can yield higher performance in situations where wakeups happen frequently. This improvement is obtained by causing the process to be removed from the wait queue immediately upon wakeup; that removal keeps the process from seeing multiple wakeups if it doesn't otherwise get around to removing itself for a bit.The automatic wait queue removal is implemented via a change in the wait queue mechanism. Each wait queue entry now includes its own "wake function," whose job it is to handle wakeups. The default wake function (which has the surprising name default_wake_function()), behaves in the customary way: it sets the waiting task into the TASK_RUNNING state and handles scheduling issues. The DEFINE_WAIT() macro creates a wait queue entry with a different wake function, autoremove_wake_function(), which automatically takes the newly-awakened task out of the queue.
And that, of course, is how DEFINE_WAIT() differs from DECLARE_WAITQUEUE() - they set different wake functions. How the semantics of the two differ is not immediately evident from their names, but that's how it goes. (The new runtime initialization function init_wait() differs from the older init_waitqueue_entry() in exactly the same way).
If need be, you can define your own wake function - though the need for that should be quite rare (about the only user, currently, is the support code for the epoll() system calls). The wake function has this prototype:
typedef int (*wait_queue_func_t)(wait_queue_t *wait,
unsigned mode, int sync);
A wait queue entry can be given a different wakeup function with:
void init_waitqueue_func_entry(wait_queue_t *queue,
wait_queue_func_t func);
One other change that most programmers won't notice: a bunch of wait queue cruft from 2.4 (two different kinds of wait queue lock, wait queue debugging) has been removed from 2.6.
Patches and updates
Kernel trees
Architecture-specific
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
The demise of MicroBSD
The MicroBSD project has shut down following allegations of copyright violations from members of the OpenBSD project. The web site now contains only a letter of explanation, which is not likely to stay long. LWN introduced MicroBSD in the June 6, 2002 edition of the Distributions page. MicroBSD's 0.4 Mini and Full x86 release version were announced May 28, 2002. Many software projects come and go in a year, but few go out with this kind of fanfare.This deadly.org article has a discussion with links and comments and plenty of recriminations. The short story is that OpenBSD accused MicroBSD of stealing code by changing instances of "openbsd" to "microbsd" in cvs source code. The MicroBSB crew has chosen not to argue these allegations, but to close shop and move on.
Reading through the comments it became clear not everyone seems to know what is and is not covered by copyright. OpenBSD's Copyright Policy is one of the least restrictive of all open source licenses. Giving proper credit for the code is really the only requirement.
Free software does not mean unlicensed software. The Open Source Initiative lists dozens of OSI Certified licenses. Most, including the GNU General Public License (GPL), are more restrictive than OpenBSD's Copyright Policy. Anyone leading an open source project needs to be aware of any licensing issues that go along with any code they use. It's not just the law, its polite.
Distribution News
Debian GNU/Linux
The Debian Weekly News for February 25th, 2003 is available. This week features an essay from Paul Graham about why nerds are unpopular; a feasibility study on free and open source software by the Swedish agency for public management; a DistroWatch review; and much more.Meet members of the Debian Project at several events in Europe, starting with LinuxForum in Copenhagen, March 1, 2003.
Here is a status report on the Debian
installer. The alpha release looks good, and most of the goals set in the
last report have been accomplished. "Still outstanding is the
addition of a self-test/logging tool.
"
Anand Kumria provides the listmaster update, with information about a new list, the fight against spam, and more.
Martin Michlmayr provides the new maintainer report, with information about where to find a listing of new members.
Gentoo Weekly Newsletter -- Volume 2, Issue 8
This week's Gentoo Weekly Newsletter looks at an agreement with NeTraverse to bring Win4Lin to Gentoo users at a reduced price, and much more.Mandrake Linux Community Newsletter - Issue #75
The Mandrake Linux Community Newsletter for February 21 is now available. This week's top story: Mandrake Linux 9.1 'RC1' is available; and much more.MontaVista Linux
MontaVista Software announced that MontaVista Linux Professional Edition will support the new Intel IXP420, IXP421 and IXP422 network processors unveiled at the recent Intel Developer Forum.Red Hat Linux
TechWeb reports that Red Hat has posted an update for Red Hat Advanced Server that optimizes performance with IBM's x440 high-end server and Intel's Tiger technology.Slackware Linux
This week the slackware-current change log shows several upgrades and bug fixes, and a couple of new additions.TimeSys Linux
TimeSys Corporation has announced the release of TimeSys Linux 4.0, a significantly upgraded version of its embedded Linux operating system and development environment. TimeSys Linux 4.0 adds a number of High Availability/Carrier Grade Linux requirements and updates the TimeSys Linux kernel to the 2.4.18 Linux kernel.TimeSys also announced a new pricing model for its royalty-free, full Linux real-time operating system (RTOS) with all Linux utilities and libraries, for Pentium processors for only $795.00
Trustix Security Linux
Trustix has a bug fix advisory for initscripts, pam, SysVinit.Porting uCLinux to the MC68360-Based MTPSR2-150 Board (Linux Journal)
Here's a Linux Journal article which shows how to get uCLinux running on several different microprocessor boards. "uClinux comes equipped with a full TCP/IP stack, as well as support for numerous other networking protocols. Pretty much all the networking protocols are implemented. uClinux is an Internet-ready OS perfect for embedded devices."
Minor distribution updates
BasicLinux
BasicLinux has released v2.0 with major feature enhancements. "Changes: This release is compatible with Slackware 7.1 and includes a new kernel, new libraries, new versions of busybox and links, and new mail and DHCP clients. There are also new installation scripts for both FD and HD."
bootE Linux
bootE Linux has released v0.20-r1 with major feature enhancements. "Changes: The kernel version is now 2.4.20. Most of the e2fsprogs package was included, along with sfdisk and fdisk from the util-linux package. BusyBox was upgraded to 0.60.5, and uClibc was upgraded to 0.9.17."
DyneBolic GNU/Linux
DyneBolic has released development version 1.0 alpha 4 with major feature enhancements. "Changes: There has been a complete recompilation of the whole system (gcc3.2 mcpu=i586), and squashfs is used to greatly improve speed performance. A multimedia production (not only fruition) tool is in the works; many free software programs are made available for audio/video acquisition, encoding, editing, and streaming. Among them are Blender, PD, TerminatorX, MuSE, mp4live, Freej, Soundtracker, MPlayer, GDAM, Audacity, Gimp, Abiword, Bluefish, Sylpheed+GPG, Lopster, Xchat, Samba, VNC, and lots more, including games."
Mindi Linux
Mindi Linux has released v0.82 with minor bugfixes. "Changes: In this version, various minor bugs have been fixe, and support for RAID and LVM has been improved."
PXES Linux Thin Client
PXES Linux Thin Client has released v0.5.1-30 with major feature enhancements. "Changes: This new release has some useful additions like supermount support in the 2.4.20-2pxes kernel and local devices sharing with samba in RDP sessions. A local session was added as a starting point for local session further developments. Microsoft Terminal Session: The local devices shared can be accessed as \\thinclientname\cdrom and \\thinclientname\fd from the terminal server where you can add a mapping. thinclientname is the thin client hostname that could be set by the DHCP server."
ttylinux
ttylinux has released v3.0 with minor feature enhancements. "Changes: This release updates LILO and util-linux to their latest versions and makes running with devfs a little easier."
uClinux
uClinux has released v2.5.63-uc0 with minor feature enhancements. "Changes: This release was merged with the latest kernel update. There are few patches remaining to be merged."
Warewulf
Warewulf has released v1.9 with minor feature enhancements. "Changes: Nodes can now be displayed with wwmon, wwstat, and wwnodes. The commands now default to only showing nodes that the user has access to. A NODES environment variable can be used to either list nodes or point to a file containing a node list. Bugs in nodeupdate and masterconf were fixed, and wwmon and wwstat now can query remote master nodes. warewulfd now outputs a node's short name instead of its FQDN."
Page editor: Rebecca Sobol
Development
Heartbeat 1.0.1 released
The High-Availability Linux Project (Linux-HA) aims to: "Provide a high-availability (clustering) solution for Linux which promotes reliability, availability, and serviceability (RAS) through a community development effort."
![[Linux High Availability]](https://static.lwn.net/images/ns/linuxha.jpg)
The primary software product from Linux-HA is called heartbeat.
Heartbeat:
"implements serial, UDP, and PPP/UDP heartbeats together with IP address takeover including a nice resource model including resource groups. It currently supports multiple IP addresses and a simple two-node primary/secondary model. It is both extremely useful and quite stable at this point in time.
"
A number of the prominent sites using Linux-HA are listed on the Heartbeat Success Stories page.
Version 1.0.1 of heartbeat has been announced, this version is:
Version 1.0.1 also includes a number of important bug fixes.
Heartbeat is available for download here.
System Applications
Audio Projects
Ogg Traffic
The February 23, 2003 edition of Ogg Traffic is available with the latest Ogg Vorbis audio compression software news. Discussion topics include: Status Updates, Integer Speex, Portables, Portables, Portables!, and Bringing Vorbis support to Nero software.JACK 0.50.0 released
Version 0.50.0 of the JACK Audio Connection Kit is available. Changes include: audio block sizes are fixed during runtime, partial blocks are no longer delivered, thread scheduling is hidden from clients for better portability, JACK now compiles under gcc-3.3 without errors, support has been added for 64-bit platforms, and transport control improvements have been implemented. See the release notes for more information.
CORBA
MICO 2.3.9 released
Version 2.3.9 of MICO is available. "The acronym MICO expands to MICO Is CORBA. The intention of this project is to provide a freely available and fully compliant implementation of the CORBA standard."
Database Software
MySQL 4.0.11 released
The announcement for MySQL 4.0.11 has gone out. This release includes a small set of new features (start transaction, new inner join syntax) along with a number of bug fixes.
Education
Linux in education report
Issue #90 of the Linux in education report is available. Topics include a CFP for the Romanian RoEduNet Conference, the Linux In Education Portal, Linux adoption in Indian schools, a mini-conference on April 5 in Grand Prairie, Texas, the Concord Consortium, and lots of new educational software.
Networking Tools
"Homesteading the Noosphere" problems on Zebra
Users of the GNU Zebra TCP/IP routing software have had some problems getting response from the code's author. A co-project has been formed to deal with the issue. "This bring an interesting twist to ESR 'Homesteading the Noosphere': What if the maintainer once did a great job, then is not up to par with what its community expects, but instead of giving away control or refusing to do so, just remains silent on the subject and acts as if the problem does not exist?"
Printing
LinuxPrinting.org news
The latest changes on LinuxPrinting.org include the addition of all PCL 5e entries to the HPIJS driver and the addition of many printers to the Kyocera printer driver.
Web Site Development
Creating Dynamic Websites with Lisp and Apache
A new web site called Creating Dynamic Websites with Lisp and Apache is now operating.Building a Vector Space Search Engine in Perl (O'Reilly)
Maciej Ceglowski writes about vector-space search engines on O'Reilly. "As a Perl programmer, sooner or later you'll get an opportunity to build a search engine. Like many programming tasks - parsing a date, validating an e-mail address, writing to a temporary file - this turns out to be easy to do, but hard to get right. Most people try end up with some kind of reverse index, a data structure that associates words with lists of documents. Onto this, they graft a scheme for ranking the results by relevance."
Zope Members News
The most recent headlines on the Zope Members News include: Silva 0.9.1 released, GivingSpace demonstration started on Zope, New ZPhotoSlides 1.0 released !, BZPUG meeting for feb 2003, Zope roadmap available at zope.com, and more.Zope Newbies
New article topics on Zope Newbies include: Where to find a first-rate evangelista, and How to Interview a Programmer.
Miscellaneous
RT 3.0 Beta 2 (use Perl)
Use Perl has an announcement for version 3.0 Beta 2 of RT, the Request Tracker open source task and ticket tracking platform. "It contains a number of improvements and bug fixes relative to Beta 1, released several weeks ago."
Desktop Applications
Audio Applications
JACK Rack 1.4.1 released
Version 1.4.1 of JACK Rack is available. This version adds: "Some fixes and extra bits for the midi stuff; makes things much more responsive."
WaveSurfer 1.4.7 available
Version 1.4.7 of WaveSurfer, an audio editing program, is available. Changes include packed 24 bit file support, highlighted transcription labels, support for Snack 2.2.1, Windows and MacOS improvements, and bug fixes. See the Change History document for details.Hydrogen 0.7.5 released
Version 0.7.5 of Hydrogen, a sample-based drum machine/step sequencer, is available. This marks the first "semi-usable" release of the utility.
CAD
Fourth release of PythonCAD now available
Release number four of PythonCAD is out. "The fourth release has major improvements in dimensioning. Angular dimensions are now available, and linear dimensions will be displayed. There is also more visual feedback when creating any dimension, and the display of the dimension text has been improved."
Desktop Environments
Desktop Configurability: Is More Better?
KDE.News reports on an ongoing KDE design issue: "One of the oft-recurring debates on KDE mailing lists is, how configurable should the KDE desktop be? With recent indications that GNOME seems to be heading in the "less is better" direction, independent KDE developer Mosfet has written an editorial urging why KDE should not follow suit."
FootNotes
Headlines on the GNOME desktop FootNotes site include: Mono 0.20 hits the streets, Synchronize Evolution address book with Pocket PC!, Gnome (2.2) Installation Guide 02/2003 has been launched, Software that 'just works', GNOME System Tools 0.23.0 is OUT!!, We Want You... To Write Documentation, CNET: Mozilla upstart looks up to Safari, and more.KDE-CVS-Digest
The February 21, 2003 KDE-CVS Digest is out. Here's the summary: "Highlighting large merges of Safari code, Xinerama support, msword filters and Kmail bugfixes. Kopete continues to be heavily developed, along with continuing work on Arts. Plus numerous bug fixes."
Games
LGP announces from-scratch game development project
Linux Game Publishing has announced a new project to increase the appeal of Linux gaming by sponsoring the development of a from-scratch Linux title. Developers will work in a team to produce a game that LGP will publish.
GUI Packages
XFree86 4.3.0 release
Version 4.3.0 of XFree86 is available. "The 4.3.0 release is scheduled to be tagged in the CVS repository late on 27 February 2003. It will be available from the CVS repository at that time. Source tarballs, source patches, and binaries for will be available over the week following that." Change information is in the source code.
FLTK Developments
The latest new software for FLTK, the Fast, Light ToolKit includes flcdsim 1.0, a simulator for a 2 line, 16 character LCD display.Accessibility in wxWindows
The WxWindows cross-platform GUI project has released a new document on accessibility titled: Accessibility in wxWindows that addresses a number of accessibility issues.
Interoperability
Kernel Cousin Wine
Issue #158 of Kernel Cousin Wine is out. Topics include: Wine-20030219, TransGaming Update, WineX Game Manager 2, TaxCut 2002, Why Develop MSVCRT.DLL?, Problems with OpenGL 5, Testing Petzold's Example Programs, and Patch Manager.Wine release 20030219
Release 20030219 of Wine is available. The main changes include: Better dead keys support, Many debugger fixes, More Direct3D work, and Lots of bug fixes.
Office Applications
AbiWord Weekly News
Issue #132 of the AbiWord Weekly News is out, with the latest AbiWord word processor development news.Kernel Cousin GNUe
Issue #69 of Kernel Cousin GNUe is out with the latest GNU Enterprise development news. Topics include: How User Interface drivers interact with Forms, HTML User Interface for Forms, Stock Keeping Units, Improvements to Common, Using wikiwikiweb in DCL, and Converting GNUe Small Business to use CVS (0.5.x) version of Forms.
Web Browsers
mozillaZine
The latest mozillaZine topics include: Minutes of the mozilla.org Staff Meeting of Wednesday 19th February 2003, Happy Fifth Birthday to mozilla.org, Mozilla Finishes First in ADC Mac Browser JavaScript Tests, Tree Branches for Mozilla 1.3, Asa Dotzler to Speak at Linux Users' Group of Davis Meeting, Minutes of the mozilla.org Staff Meeting of Wednesday 12th February 2003, Google Zeitgeist Browser Stats Now Recognise 'Netscape 5.x', and Mozilla: The Browser with Everything and the Kitchen Sink.
Languages and Tools
Caml
Caml Weekly News
The February 18-25, 2003 edition of the Caml Weekly News is out with lots of useful Caml developments.The Caml Light / OCaml Hump
This week, the new software on The Caml Light / OCaml Hump includes: CocOCaml, MozCaml, OCaml-MySQL, heap, Bdd, and more.
FORTRAN
G95 FORTRAN Compiler
Work continues on the G95 FORTRAN compiler project. "G95 is in a pupal state. Perusing the g77 source, we estimate that about 200,000 lines of code will be necessary to implement g95. G95 is currently about 51,000 lines long, making it about version 0.255."
Java
Magic with Merlin: Java networking enhancements (IBM developerWorks)
John Zukowski looks at J2SE 1.4 networking features on IBM's developerWorks. "In this article, John Zukowski shows you what's new and different in Java technology networking, including the latest networking features in J2SE 1.4: IPv6 support, URIs, network interfaces, secure sockets, and unbound sockets. Share your thoughts on this article with the author and other readers in the accompanying discussion forum."
Java Swing: Menus and Toolbars, Part 5 (O'Reilly)
O'Reilly continues its Book Excerpts series on Java Swing with part 5, Menus and Toolbars.
Lisp
CL-PDF 1.1 released
Version 1.1 of CL-PDF, a Common Lisp library for generating documents in Adobe Acrobat format, has been released.
Perl
This Week on perl5-porters (use Perl)
The February 17-23, 2003 edition of This Week on Perl 5-Porters is available. "In this week's p5p summary, some stories are continued, and new ones begin. Read about the safe signals, the recent support for assertions, and a load of fixes and of new bugs, waiting to be fixed."
use only This::One => 1.23; (use Perl)
Brian Ingerson has written a module that allows version specific module loading in Perl. "Have you ever wanted to make sure that use only loaded a particular version of a module? Or have you ever wanted to install several versions of a module, and easily be able to pick which one you want to load? I've written a module called only.pm to help you do just that.
PHP
PHP Weekly Summary
Topics on this week's PHP Weekly Summary include: Compiling PHP 5 CVS with Redhat, XML-based PHP extension generator, Advanced md5, sha1, 4.3.0 security flaw CGI, Leaking COM under Win32, file_put_contents(), cURL crash, More OpenSSL functions coming?, Dates and times.Working with Permissions in PHP, Part 2 (O'Reilly)
John Coggeshall continues his series on PHP permissions. "In my last column, we took a step away from PHP to discuss the Unix permissions system. In today's column we return to PHP to show you how to apply what you learned last time; again, this column applies only to those who work with PHP in an environment that supports Unix-like permission."
Python
Python 2.3a2 released
Guido van Rossum has announced the release of Python 2.3a2, the second (and likely last) alpha release of Python 2.3.Python-dev Summary
The latest Python-dev Summary, covering activity through February 15, is now available. It looks at a new acquire/release syntax proposal, extended function syntax, capabilities, improving execution speed, and several other topics.Dr. Dobb's Python-URL! for February 24, 2003
Here's the Dr. Dobb's Python-URL, with weekly news and links and for the Python community.The Daily Python-URL
This week's Daily Python-URL article topics include: The Major Leagues, RELEASED: Python 2.3a2, Python Package Index (PyPI) now on python.org, twander, FDFToolkit for Python, and more.Metaclass programming in Python (IBM developerWorks)
David Mertz, and Michele Simionato explain metaclass programming concepts in Python. "Most readers are already familiar with the concepts of object-oriented programming: inheritance, encapsulation, polymorphism. But the creation of objects of a given class, with certain parents, is usually thought of as a "just so" operation. It turns out that a number of new programming constructs become either easier, or possible at all, when you can customize the process of object creation. Metaclasses enable certain types of "aspect-oriented programming," for example, you can enhance classes with features like tracing capabilities, object persistence, exception logging, and more."
Scheme
Scheme Weekly News
The February 25, 2003 edition of the Scheme Weekly News is out. Topics include: Only the clock is the wrong side of midnight, Siag Office 3.5.6, GNU TeXmacs 1.0.1.5, STklos 0.54, HtmlPrag 0.4 Gauche-gl 0.2.2 and Gauche-gtk 0.3, and Swindle 20030217.
Tcl/Tk
Dr. Dobb's Tcl-URL!
The February 25, 2003 edition of Dr. Dobb's Tcl-URL! is out with another week's roundup of Tcl/Tk articles.
XML
Design XML schemas using UML (IBM developerWorks)
Ayesha Malik writes about the business applications of UML. "Unified Modeling Language (UML) is an industry standard that is used in modeling business concepts when building software systems in an object-oriented manner. Recently, XML has gained ground in becoming a key enabler of these systems in terms of transport of information and commands. XML schemas, which are used to define and constrain the nature of XML exchanged, have consequently come into the limelight. This article discusses the use of UML in designing XML schemas and gives a hands-on approach for using the UML framework to create your XML vocabularies."
The Pace of Innovation (O'Reilly)
Kendall Grant Clark discusses XML language development on O'Reilly. "In last week's column I suggested, only half-jokingly, that one motivation for new XML developments was to give techie journalists like me something new to write about. In making this silly claim, I was primarily reacting to what is widely seen as a kind of monotonous redundancy on the XML-DEV mailing list, an important part of the XML development community. If XML-DEV is any indication, the development community believes there are innovations remaining to be achieved with XML, but since the pace of innovation has slowed, it returns repeatedly to core, essentially, contested issues seems to relieve some of the psychological burden of expecting new things and not getting them."
XP and XML (O'Reilly)
Eric van der Vlist writes about extreme programming (XP) and XML on O'Reilly. ... "the more I think about it, the more I am convinced that both XP and XML could benefit from working more closely together. And there may even be some hope for remote pair programming. I can't pretend to have real experience with XP but only with some of its practices, which I have been able to follow despite my remoteness. Therefore, most of this article is theoretical, but I hope that these ideas will still be useful."
Miscellaneous
Manage packages using Stow (IBM developerWorks)
Mugdha Vairagade introduces Stow on IBM's developerWorks. "This article is about Stow, a software installation management utility for Linux that offers a number of advantages over the tried-and-true Red Hat and Debian package management systems. With Stow, you can package applications in standard tar files and keep application binaries logically arranged for easy access."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Exclusive rights to stagnate (Financial Times)
The Financial Times is carrying an article by Lawrence Lessig warning against the adoption of software patents in Europe. "Rather than copying a failed American policy, the Europeans could be exploring alternatives to patents that might provide protection without sinking the intended beneficiaries. No doctor would approve an untested drug for his or her patient. Nor should Europe inflict such a remedy on its already weakened software industry."
The debate about user interfaces (PCLinuxOnline)
PCLinuxOnline looks at the debate about how configurable a user interface should be. "A big debate these days seems to be focused on how configurable the Linux desktop should be. KDE has always taken the approach that users will have different preferences on how they like to work so the UI should be as flexible and configurable as possible. Gnome 2 has taken the direction that "less-is-more" and that the configurability in Linux desktops, including Gnome 1.x, was clutter and confusing to the end-user. This has resulted in some pundits calling for KDE to remove some of it's configurability." Thanks to Ashwin
Trade Shows and Conferences
Presentations from the NOIE Open Source & Linux symposium
The Australian government's NOIE Open Source & Linux symposium now has most of the presentations available for reading.
Companies
Mountain View Data Acquires TurboLinux's PowerCockpit (Register)
The Register writes an epitaph for Turbolinux after the sale of PowerCockpit to Mountain View Data. "PowerCockpit, which is proprietary software, allows the management and configuration of clusters of Linux and Windows servers in grid computing environments. Speaking to The Register yesterday, Mountain View Data president and CEO Cliff Miller said the acquisition was a good fit with Mountain View's existing range of products, and positioned the company nicely to take advantage of growth in the Intel-based clustering market."
Sun shines light on chip plans (News.com)
News.com looks at Sun's processor plans. "Sun has traditionally gone its own way with its servers, forsaking technology such as Intel processors and the Windows and Linux operating systems that most Sun competitors embraced. As that technology has improved and encroached further into Sun's market, many have criticized the company for shunning it or adopting it late." The article is worth a read if you are curious about where the SPARC architecture is going.
Linux Adoption
Fear holds back Linux adoption (vnunet)
This vnunet article looks at a report from AMR Research that says many companies still have technical and support fears that keep them from adopting Linux. "AMR said that Linux should be considered for non-mission-critical applications where cost and reliability are critical factors, adding that corporate policies should be refined with guidelines for evaluating and using open source software."
Falling in love with the penguin (stuff.co.nz)
This article from New Zealand looks at the places where Linux is hard at work. "Air New Zealand, meanwhile, is upgrading 4000 Microsoft email applications with open-source versions provided by IBM. "It wasn't a religious decision," said Carl Klitscher, IBM New Zealand's Linux guru. "It was purely pragmatic. They could see cost reductions and improve their bottom line."" Thanks to Kanchana Wickremasinghe
Linux marches on Whitehall (vnunet)
Vnunet reports that the UK government is seriously considering the use of open source software in a major Whitehall IT project. "A win for open source would boost its credentials as a serious alternative to traditional commercial platforms such as Unix and Windows, but the fact that it is even being considered is significant."
The Linux Uprising (BusinessWeek)
BusinessWeek examines the ways Linux has become entrenched in the business world. "How did Linux make the jump into the mainstream? A trio of powerful forces converged. First, credit the rotten economy. Corporations under intense pressure to reduce their computing bills began casting about for low-cost alternatives. Second, Intel Corp., the dominant maker of processors for PCs, loosened its tight links with Microsoft and started making chips for Linux. This made it possible for corporations to get all the computing power they wanted at a fraction of the price. The third ingredient was widespread resentment of Microsoft and fear that the company was on the verge of gaining a stranglehold on corporate customers. "I always want to have the right competitive dynamics. That's why we focus on Linux. Riding that wave will give us choices going forward," says John A. McKinley Jr., executive vice-president for global technology and services at Merrill Lynch & Co., which runs some key securities trading applications on Linux." Thanks to Ashwin
Legal
Compromise copyright bill in works (News.com)
News.com reports that DMCA opponents are mounting a new strategy, that would require labeling of anything that has built in antipiracy technology. "Stanford University law professor Larry Lessig outlined a plan for so-called compulsory licenses for copyrighted works, a strategy that would require movie and music companies to allow other people to use digital works but require payment to artists and other copyright holders. Variations of that idea are gaining traction among legal circles opposed to Hollywood's attempts to strengthen copyright law."
Trial Near in Patent Case on Key Internet Technology (NY Times)
The New York Times (registration required...you know the drill...) has an article by John Markoff on the upcoming SSL patent trial. Leon Stambler claims to own several patents covering SSL, and is suing VeriSign, RSA Security Inc., and others for infringement. "The patents have infuriated Internet security experts who contend the Stambler patents simply imitate the original work done by cryptographers at Stanford University and Massachusetts Institute of Technology during the 1970's and 1980's."
Interviews
Swarm Intelligence: An Interview with Eric Bonabeau (O'Reilly)
O'Reilly has an interview with Eric Bonabeau on the topic of swarm intelligence. "Eric Bonabeau, Ph.D, a keynote speaker at the upcoming Emerging Technology conference, is a leader in the field of swarm intelligence and has focused on applying these concepts to real world problems such as factory scheduling and telecommunications routing. The concept itself is borrowed from nature; in this interview, that's where the conversation begins, with ants and other social insects. Dr. Bonabeau takes us from his childhood nightmares of carnivorous wasps to applying the theories of swarm intelligence to solving real problems in the business world."
Resources
Embedded Linux Consortium releases ELCPS v1.0 (LinuxDevices)
This LinuxDevices.com Special Report includes the full text of the ELC's announcement, a whitepaper about the ELCPS standard, a newly updated "frequently asked questions" document, a roundup of news coverage, a poll, a discussion thread, and the spec itself.India Gets Its First Linux Publication (Linux Journal)
Linux Journal reports on the debut of LINUXForYou, India's first print magazine focusing on Linux. "The first issue contains a CD of the popular load-it-from-your-CD Knoppix distribution and news inputs come from a wide range. Responses to the magazine seem to have been mostly appreciative, apart from a few questions asking why it was not being named GNULinuxForYou or something similar."
Reviews
Open-source audio wins MP3 player support (News.com)
News.com covers an open source-friendly MP3 player that supports Ogg Vorbis format. "The release of the open-source support for the Neuros could be a welcome development for tech-minded audiophiles. Most commercial audio players such as Apple Computer's popular iPod have been released without support for Linux or Vorbis. Enterprising programmers have created tools to let both technologies work with some players, but overall support has been hit-or-miss at best."
Mozilla upstart looks up to Safari (News.com)
News.com covers a new development project called Epiphany. "While small size and simplicity were two of Galeon's early goals--just as they were initial goals of Mozilla--the breakaway Epiphany project accuses its predecessor of falling into the downward spiral of unnecessary complexity."
Lindows.com launches Linux notebook (Reuters)
Here's a Reuters article about new notebook computers from Lindows.com. "The company, which already offers a $199 desktop computer running Linux software, introduced its 2.9 pound Lindows Mobile PC computer running a 933 megahertz microprocessor from Taiwan's VIA Technologies Inc. (2388.TW), a small rival of computer chip giant Intel Corp." Thanks to Elijah P Newren
Lindows Launches $799 Linux Laptop (Linux Journal)
Linux Journal looks at new laptops from Lindows.com. "One show attendee told me, "This is down in the discretionary price range--I look at it as a highly loaded Linux PDA." I'll have more of a chance to kick it around later. But from a quick once-over, it appears to be solid, which is a prime consideration for a laptop (ab)user like me."
Linux on the desktop (InfoWorld)
Chad Dickerson decides that Linux is further along on the desktop than he thought. "This particular salesperson had not seen Linux in action, and as I turned to demonstrate, he looked at the open spreadsheet on my screen and said, "I didn't know Excel ran on Linux." In one simple sentence, the usefulness of the OpenOffice Calc program was validated -- if my spreadsheets work and a salesperson recognizes (functionally at least) the software at a first glance in the Linux environment, the training is mostly done." Thanks to Max Hyre
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
FSF Announces Associate Membership Meeting (Linux Journal)
Linux Journal has this announcement for the first annual Associate Membership Meeting of the Free Software Foundation. The meeting will be held on Saturday, March 15th, in Boston, Massachusetts, from 10:00am to 4:30pm. In order to attend the meeting, one has to be a registered Associate Member of FSF.New Buffalo Perl Mongers Users Group (use Perl)
According to Use Perl, a Perl users group has been formed in Buffalo, NY.
Commercial announcements
Adobe Photoshop Album built with Qt
Trolltech has announced that Adobe's Photoshop Album product was built on the Qt toolkit. One wonders if Adobe didn't make that choice with an eye toward eventually releasing some products for Linux..Arrow Electronics the First Distributor to Receive IBM's ''Leader for Linux'' Designation
The Support Net Division of Arrow Electronics, Inc. has announced that it is the first distributor to earn IBM's designation as a "Leader for Linux" Business Partner because of its extensive commitment to the Linux platform on IBM hardware.Cerberian and Lindows.com provide Web Filtering
Lindows.com and Cerberian provide Internet filtering capability to LindowsOS. Cerberian's Web Filter will be bundled with the Lindows desktop computers sold through Wal-Mart's retail Web site, walmart.com, and other retailers.Green Hills Software's MULTI Development Environment
Green Hills Software Inc. has announced the availability of its MULTI(R) Integrated Development Environment for embedded Linux(R) systems. The MULTI IDE will help debug Linux applications, the Linux kernel and Linux device drivers.Hannaford Bros. Rolls Out Linux Point-of-Sale Solution
Hannaford Bros. Co. thinks Linux is ready for their enterprise. Wincor Nixdorf Inc. has announced that Hannaford Bros. is installing Wincor's BEETLE(R) /S point-of-sale (POS) systems running Linux at its supermarkets and food and drug combination stores in the northeastern United States.Intrinsic Alchemy for Linux Released
Intrinsic Graphics, Inc. has announced the availability of Intrinsic Alchemy for Linux. "Based on research and development over the past year, the Linux version of Alchemy moves game development to the next generation and continues to broaden the platforms available to game developers. With Alchemy for Linux, developers have even more opportunity to prototype games for emerging platforms."
MailStripper Pro 0.94 released
Version 0.94 of MailStripper, a mail filtering system for spam removal, is available from Eridani Star System. Another version, 0.94A supersedes version 0.94 and fixes a deadlock problem with the stylesheet handler.MICO Commercial Support
Commercial support for the MICO CORBA implementation is available from a company known as ObjectSecurity.MySQL AB Brings its Training Program to India
MySQL AB will be offering its "Usage and Managing MySQL" course in Hyderabad, India on March 3-7, 2003.New books available from Network Theory Ltd.
Two new printed manuals are available from Network Theory Ltd; "Version Management with CVS" by Per Cederqvist et al. (ISBN 0-9541617-1-8), and the GNU diffutils manual "Comparing and Merging Files with GNU diff and patch" by David MacKenzie, Paul Eggert, and Richard Stallman (ISBN 0-9541617-5-0).SCO Group first quarter results
The SCO Group has announced its first quarter results: a loss of $724,000 on revenue of $13.5 million. Interestingly, SCO predicts that revenue will almost double ($22 to $25 million) in the next quarter. "These projections are based on anticipated revenue from our current operating platforms of $13 million to $15 million, and $10 million from the SCOsource licensing initiative." Either the company expects to sell 67,000 licenses to its System V library (at $149 each), or we are going to be hearing about other plans sometime soon.
Resources
A table of free replacements for Windows software
Here's a useful resource for people trying to figure out how to move over to free software: this table lists Linux replacements for hundreds of Windows packages. It is a good source of answers to the "where can I get a program like X?" questions.
Upcoming Events
YAPC::NA::2003 Registration Begins (use Perl)
Use Perl has announced that the registration for the YAPC::NA Perl conference, to be held on June 16-18, 2003 in Boca Raton, Florida, is open.CFP for Scandinavian Perl Workshop (use Perl)
Use Perl has a call for papers for the Scandinavian Perl Workshop, which will be held on April 25 and 26, 2003.Open64 User Forum in San Francisco
A user forum will be held for the Open64 64 bit compiler project. "An Open64 User Forum will be held in San Francisco during the CGO conference on March 24th. Please read the CFP in the Open64 User Forum section for more info." Here is a link to the CFP.
Seminar on Free and Open Source Software, Dublin
A conference called "Open Source Software - What's happening in Public Administration" will be held in Dublin, Ireland on March 11, 2003.First European Ruby Conference
The first European Ruby Conference will be held in Karlsruhe, Germany on June 21 and 22, 2003. Presentations are needed.Events: February 27 - April 24, 2003
| Date | Event | Location |
|---|---|---|
| February 27 - 28, 2003 | Linux Summit 2003 | (Dipoli Conference Center)Espoo, Finland |
| March 12 - 19, 2003 | CeBIT 2003 | (Hannover exhibition center)Hannover, Germany |
| March 17 - 19, 2003 | Open Source for National and Local eGovernment Programs in the U.S. and EU | (The Marvin Center Grand Ballroom, George Washington University)Washington, DC |
| March 20 - 21, 2003 | First OpenOffice.org Conference(OOoCon2003) | (University of Hamburg)Hamburg, Germany |
| March 20 - 21, 2003 | Conference PHP 2003 | (École Polytechnique de Montréal)Montreal, Quebec, Canada |
| March 26 - 28, 2003 | PyCon DC 2003 | (George Washington University)Washington DC |
| March 31 - April 2, 2003 | 2nd USENIX Conference on File and Storage Technologies(FAST '03) | (Cathedral Hill Hotel)San Francisco, CA |
| April 2 - 3, 2003 | The UK Python Conference | (Holiday Inn Oxford)Oxford, England |
| April 10 - 12, 2003 | MySQL Users Conference & Expo 2003 | (Doubletree Hotel)San Jose, California |
| April 13 - 17, 2003 | RSA Conference 2003 | (Moscone Center)San Francisco, CA |
| April 14 - 15, 2003 | Samba eXPerience 2003 | (Hotel Freizeit)Göttingen, Germany |
| April 15 - 16, 2003 | LinuxUser & Developer Expo 2003 | Birmingham, UK |
| April 22 - 26, 2003 | Embedded Systems Conference(ESC) | (Moscone Convention Center)San Francisco, CA |
| April 22 - 25, 2003 | The O'Reilly Emerging Technology Conference | (Westin, Santa Clara)Santa Clara, CA |
| April 23 - 25, 2003 | PHPCon East 2003 | (Park Central Hotel)New York, NY |
Web sites
MobiliX.org is now TuxMobil.org
Werner Heuser, who has been fighting a long legal battle over the use of the "MobiliX" name, has thrown in the towel (for now, anyway) and has moved his site to TuxMobil.org. The site remains a resource for those interested in Unix (and Unix-like) systems on mobile platforms.linuxmagau.org launched
A new online publication known as linmagau.org has been launched. "A new online (Linux/OSS) magazine. The idea for a "local content - local people" magazine for au/nz was raised back in Dec 2002, by a few folks from the local PLUG (Perth Linux Users Group) and over the last few months has steadily gained interested members and contributors via the web site."
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted alphabetically,
- Sorted by license.
Miscellaneous
2003 And Beyond (AAx Services)
The folks at AAx Services have posted a lengthy article on the state of the information technology market in 2003. It's an interesting look at how things are going, and how they might end up - though there is probably something there for just about anybody to disagree with. "Clearly, Microsoft can't continue bribing all the world to use Windows, the threat will keep coming back with each upgrade cycle. That $43 billion in the bank just won't stretch that far. Even worse, American corporations are starting to learn the extortion game too. Rumors abound that if a company demonstrates a strong Linux pilot program, Microsoft sales is authorized to drop license fees by up to 50%."
KOffice Icon Contest
According to KDE.Net, a contest will be held for making KOffice icons. "The KOffice developers have been making outstanding progress towards their goal of creating a useful, powerful and reliable KDE office suite. But whereas the technology in KOffice has been steadily improving, its visual appearance has not been keeping pace. To address this issue, the KOffice development team is pleased to announce the KOffice Icon Contest." The award for the winner will include free publicity and lots of geek-status. Gentlemen (and gentlewomen), start your Gimps.
Page editor: Forrest Cook
Letters to the editor
Don't imply that OSS/FS or GPL is always non-commercial.
| From: | David Wheeler <dwheeler@ida.org> | |
| To: | letters@lwn.net | |
| Subject: | Don't imply that OSS/FS or GPL is always non-commercial. | |
| Date: | Thu, 20 Feb 2003 13:20:30 -0500 |
In your last news issue you noted that Plone is "dual-licensed, it is available under the GPL and a commercial license." I think you mean "under the GPL and a license permitting use by proprietary software", or even a "so-called commercial license". Please, don't make the mistake of using text that implies that the opposite of OSS/FS is "commercial" software, or you'll terribly confuse many people. Companies like Red Hat, IBM, MySQL, Zope, and so on are clearly commercial companies who release OSS/FS programs in at least certain situations. Red Hat routinely uses the GPL as a commercial license, for example, yet it's a publicly traded commercial company. In general, the opposite of "open source software/Free Software" (OSS/FS) is "proprietary" or "closed" software. Text that implies that OSS/FS can't be commercial will confuse many. --- David A. Wheeler
Microsoft "Rights Management Service"
| From: | Charles Cazabon <web-regletters@discworld.dyndns.org> | |
| To: | john.leyden@theregister.co.uk | |
| Subject: | Microsoft "Rights Management Service" | |
| Date: | Mon, 24 Feb 2003 12:16:15 -0600 | |
| Cc: | letters@lwn.net |
Greetings, Mr. Leyden, I read your recent article "Microsoft devs Windows Rights Management Services" with great interest. Microsoft has finally tipped its hat as to when it will start making sure that their software does what they (or their "partners") want it to, instead of what the user (i.e. you) want it to do. But the ultimate irony is in the name: programs designed to remove the right of the user to copy or excerpt from a "protected text" (i.e. a fair-use right), going by the acronym of "RMS"? There isn't a less-appropriate three-letter acronym possible. Was this a deliberate slap at the Free Software Foundation and its founder, Richard M. Stallman, commonly known as "rms"? Charles Cazabon -- ----------------------------------------------------------------------- Charles Cazabon <web-regletters@discworld.dyndns.org> -----------------------------------------------------------------------
Page editor: Jonathan Corbet