| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for May 31, 2007An update from LWN It's been a while since the last LWN update. That's generally a good thing, but, as will be seen below, there's news to report.In the area of subscriber counts, however, there's not a whole lot of news. The number of individual subscribers continues to grow very slowly, and the group subscriptions are growing a little less slowly. We've had some modest increases in advertising and syndication income which have given us some welcome breathing room, but LWN is still not earning enough to cover the true expenses of creating it. As your editor's children approach college age, this situation is becoming increasingly pressing. LWN suffers from an obvious lack of attention to its business side. Much effort goes into the creation of the best content that we can, and we have no regrets about that. But without more attention to promoting the site, actually selling subscriptions, making sure that the benefits of LWN are clear to new visitors, selling advertisements, etc., LWN will not grow to where it needs to be by the time it needs to get there. It is a rare business which can thrive in the complete absence of a sales and marketing effort. So we need to free some time to devote toward making LWN a successful business. We could just cut back on content, but that does not seem much like a path with a successful conclusion either. So it has long been clear to us that LWN needs more staff to get itself to a sustainable position. The business, as it is organized now, needs more time than we are able to put into it. The good news is that, as a result of very careful spending, LWN actually has a small stash of money in the bank. After our infamous credit card dispute in 2002, we developed a healthy appreciation for the benefits of having enough cash on hand to carry through an interruption of our income stream. That pile has grown to the point that we are able to use it to fund another staff position for a year or so in the hope that the cash flow balances out by the end of that time. And that is what we intend to do. So we are happy to report that, starting in June, longtime LWN writer Jake Edge will be joining the crew full time. We asked Jake to provide a description of himself for the readers, and got back:
Jake has been doing software development for various small
companies for more than 20 years. He first started using Linux in
1993 with a pile of Slackware floppies and has rarely used anything
else since. For the past several years he has been contributing
articles to LWN, mostly on the Security page. When he is not
hacking code or words, he likes to read, nap, play bridge or go,
watch birds, float on the river or all of them at once. He lives
in Western Colorado with his wife Kristine and their two, hairier
than most, daughters: Petra and Chamisa.
Jake will be contributing (more) content, working on the site code, and generally helping to figure out how to turn LWN into a more successful operation. Welcome, Jake! On another front, we have often talked about the future of the "letters to the editor" page. A quick check shows that the last time we had a letter to publish was last January. So consider it official: the letters page is now gone. LWN.net will celebrate its tenth anniversary next January. Those years have flown by; somehow we had never imagined that we would be doing this for so long. There's only one reason why we have continued with this exercise for all those years: our readers. Your support has kept us going through all of the ups and downs. In response we offer our most sincere thanks while we work toward being here for another ten years - at least. Our 20th anniversary issue, we suspect, will be about the year of the Linux desktop.
OSBC: The Microsoft/Novell panel The 2007 Open Source Business Conference featured a panel discussion on the question of whether the Microsoft/Novell agreement is good for open source or not. Your editor was asked to sit on this panel and try to represent the community's point of view - as if the community has a single point of view. The event is a bit of a blur - only partially caused by the beer your editor sought out to help with the recovery afterward - so this will not be a complete report. Hopefully it will still be useful.Other members of the panel were Justin Steinman (Novell), Sam Ramji (Microsoft), and Alison Randal (O'Reilly). The panel was moderated by Doug Levin, the CEO of Black Duck Software. Mr. Levin did an admirable job of keeping this standing-room-only event on track and inclusive. After the introductions, each panelist got to make some opening remarks. Your editor had worried considerably over this stage of the event, and had prepared the following statement. The actual words were not read from this text, however; the intent was substantially the same but the wording was generally different.
So is this agreement good for open source? For much of the agreement the
answer is simple. More money for open source companies, used to develop
more open source software, can only be a good thing. And our community has
always been about interoperability with everybody; no complaints there.
The situation changes when we look at the patent side of the deal, however. Even if you accept that algorithms expressed in software are patentable - something much of the world does not accept - the current software patent situation in the U.S. is impossible to deal with. There are thousands of software patents covering the most basic techniques. You cannot write any non-trivial program without infringing upon an unknown number of patents, without having ever seen those patents. There is no way to know where they are until the tax collector shows up at the door. It is hard not to see a certain amount of sincerity in Microsoft's recent statement that it will not go out filing patent infringement suits. Microsoft is arguably the largest victim of the U.S. software patent regime, having literally been hit up for billions of dollars. The company says that it is typically defending two dozen or so patent suits at any given time. But when Microsoft's CEO starts talking about how Linux users are carrying undisclosed liabilities on their balance sheets, it makes that sincerity hard to believe. That is a clear fear, uncertainty, and doubt attack. As a platform for this sort of FUD, the agreement for Novell is not a good thing for open source. In the free software community, we are most careful about the provenance of our code. We do our own work; that is the only thing which lets us give that work away. Novell has now come and said that the free software it is distributing is not our own work, that it owes a debt to Microsoft, which wrote none of that software. The company's protestations that it has acknowledged no infringement ring hollow; Novell is paying Microsoft for something, and unless the company is willing to come out and say that its payments are simple protection money, it is paying for perceived patent infringements. When a company in our community makes a statement that taxes are due to Microsoft for the use of our work, it makes it harder for others to resist that demand. It weakens our defense. But the real reason why this agreement has taken such criticism from the community is deeper. We in the community are proud of our work. We have done it ourselves, and have not stolen anything from anybody. When a company like Novell tells me that my work was stolen from Microsoft, and that anybody using my work owes taxes to Microsoft, I cannot help but be deeply offended. When such a statement comes from inside our community, it's even worse. It feels like a betrayal of the trust which holds the development community together, it's a divisive thing. In that way, I think this agreement is not good for open source. Justin Steinman's opening remarks mostly highlighted how the agreement has been good for Novell. Microsoft is now selling SUSE Linux into places it has never been before; in fact, Microsoft is now Novell's biggest single sales channel. Increasing Linux adoption is a good thing, he says, and this agreement has certainly served that end. Allison Randal took the position that the agreement is mostly irrelevant for open source. It's just another boring industry partnership, with the usual sort of joint ventures. Had it been between Novell and IBM, she says, nobody would have noticed. Microsoft's patents are a problem, like so many other patents held by many others in the industry, many of which would come to our defense if Microsoft were to decide to start suing Linux users and start the "patent armageddon." Still, it would be nice, she suggested, if Microsoft were to join the Open Invention Network and help bring an end to this problem. Sam Ramji talked mostly about interoperability. Microsoft sees the computing network of the future as being entirely heterogeneous and it wants to be a proper player in that environment. He reiterated the "we would rather license than litigate" line, noting that Microsoft spends about $100 million per year defending patent suits. One of the questions from the audience had to do with the effect that GPLv3 will have on this agreement and potential patent litigation in general. Justin and Sam both declined to comment, saying that they saw no point in talking about a license which is still in a draft state. Allison pointed out that GPLv3 is unlikely to change much from the current discussion draft, but no more information was to be had from Microsoft or Novell. There was also a comment to the effect that open source users are better served by adherence to standards than interoperability agreements. Adding support for Microsoft's OOXML format seems to be a particularly sensitive point. Justin responded that if he were to go into a company trying to sell a solution based on OpenOffice.org, and that solution could not handle Office 2007 files, he would be laughed out the door. So supporting Microsoft's formats is important, even if Novell's policy remains that OpenDocument is the format of choice. Sam noted that standards are great, but true interoperability requires a great deal of work and testing; this agreement is about getting Microsoft and Novell engineers together to do that work. Perhaps the most surreal moment came in response to questions about why Microsoft is going out trumpeting its 235 patents if it does not intend to sue, and why it does not reveal the actual patents. Sam made the statement that the 235 patents came out as a response to requests for greater transparency in Microsoft's dealings on intellectual property issues - a response which did not achieve universal respect among the members of the audience. He did not want to address the question of revealing the patents, though - and he did not have to. Microsoft's lawyer in charge of open source issues just happened to be sitting in the front row; he sprung up and claimed that Microsoft doesn't reveal the patents because the administrative burden of doing so would be too high - a statement that The Register had much fun with the next day. Allison made the point that the community really does not want to know about these patents. Once we have been put on notice that we are alleged to be infringing upon a specific patent, we must respond in one way or another. A theme that came out a few times in the discussion is that there are voices within Microsoft arguing for greater participation with the open source community. There are people within Microsoft who understand the power of free software and who want the company to be a constructive force in the industry as it heads in that direction. Like any large company, Microsoft suffers from a certain amount of schizophrenia, with the result that different messages will be heard from different groups. But there is reason to hope that rational and friendly (though always competitive) thought will prevail. The session ended with a show-of-hands vote on whether the audience thought the agreement was a good thing or not. There were approximately equal numbers of yes and no votes - but the bulk of the audience did not vote at all. In many minds, it seems, the jury is still out on whether this deal is good for open source or not.
What Microsoft and Novell agreed to Since last November, there has been much discussion of the deal between Microsoft and Novell. To an extent, it has all been talk in a vacuum, since the actual text of the agreement has not been available. That has finally changed, however; the terms of the agreement have been released as part of Novell's (delayed) annual regulatory filings.It turns out that there are three different agreements: the patent cooperation agreement granting the patent non-licenses, the technical collaboration agreement describing the technical work each company will do, and the business collaboration agreement on the business arrangements. In the case of any disagreement between the agreements, the patent agreement wins out over the other two, and the technical agreement beats the business agreement. We still do not get to see the full set of terms; they have been redacted, heavily in some places. So one is left trying to make sense of text like:
*** will exercise its *** to *** by no later than *** that (i) the
*** OpenOffice (version 2 or later) *** does or will *** Office
Open XML format ("Open XML"), and (ii) it will make a *** ***
If *** does not *** it will *** within the same time frame that
*** in the *** on a*** to *** Open XML. *** will provide its
*** to*** at least *** in advance of *** The *** will be ***
not to be *** will provide *** in the *** will *** of such ***
the Term, including through *** in the *** is defined in the
Business Collaboration Agreement.
Fortunately, the bulk of the agreement has not been so heavily obscured. The core of the patent agreement is about what one would expect, given the conversation over the last six months:
Subject to the Parties' compliance with the terms of this
Agreement, each party on behalf of itself and its Subsidiaries
("Covenanting Party") shall, under the terms set forth in Exhibit
A, covenant not to sue the other Party's Customers ("Covenanted
Customers") for infringement of Covered Patents of Covenanting
Party on account of such Covenanted Customers' use of Covered
Products of the other Party.
Of course, there's no end of fine print which should be read by anybody wanting to rely upon this non-license. To begin with, Novell's customers only get the non-license from Microsoft for as long as Novell complies with the terms of the agreement. Many of those terms - especially in the termination section - are blanked out. If Novell and Microsoft get into a big disagreement in the future, the non-license could vanish overnight. The definition of "Covered Products" is complex and full of exclusions. In particular, "clone products" are not part of the deal:
"Clone Product" means a product (or major component thereof) of a
Party that has the same or substantially the same features and
functionality as a then-existing product (or major component
thereof) of the other Party ("Prior Product") and that (a) has
the same or substantially the same user interface, or (b)
implements all or substantially all of the Application Programming
Interfaces of the Prior Product.
Certain possible clone products shipped before the signing of the agreement are excluded from this definition, but four (Wine, OpenXchange, StarOffice, and OpenOffice) are explicitly excluded from the exclusion - though there is a complicated dance to the effect that those products are not necessarily clone products either. "Foundry products," seemingly being those which are developed by third parties, are excluded. Then, there's the "other excluded products" which include web-based office productivity applications, video game consoles, business applications ("such as accounting, payroll, human resources, project management, personnel performance management, sales management, financial forecasting, financial reporting, customer relationship management, and supply chain management"), "unified communications," and, interestingly, mail transfer agents. If you are a Novell customer running sendmail, and Microsoft claims patents in sendmail, you can still be sued. There's a few other details; the non-license is, unsurprisingly, not transferable. There is an explicit clause that neither party is acknowledging any infringement or even that the other side's patents are valid. Lots of details on what happens when companies are acquired or spun off. And so on. Novell has recently stated that the company itself remains as open as ever to patent infringement suits by Microsoft, but that's only partly true: both companies have forgiven each other for any infringement which may have happened before the agreement was signed. There is one exclusion here: there is no forgiveness for distributing Wine. One last thing worth noting: at OSBC, both Novell and Microsoft refused to comment on the possible impact of GPLv3, saying that it was inappropriate to talk about a license in draft form. Novell is a little more forthcoming in the "risk factors" section of its annual report:
If the final version of GPLv3 contains terms or conditions that
interfere with our agreement with Microsoft or our ability to
distribute GPLv3 code, Microsoft may cease to distribute SUSE Linux
coupons in order to avoid the extension of its patent covenants to
a broader range of GPLv3 software recipients, we may need to modify
our relationship with Microsoft under less advantageous terms than
our current agreement, or we may be restricted in our ability to
include GPLv3 code in our products, any of which could adversely
affect our business and our operating results.
The technical cooperation agreement contains relatively few surprises. Each company commits to working to make the other's system work better as a virtualized guest. There will be a special "shim" layer which implements Microsoft's top-secret hypercall API and glues it to Xen or another hypervisor. There will be information sharing on management interfaces for virtualized guests. An "optimization innovation laboratory" will be set up on the U.S. east coast to "showcase, test, and validate" the various virtualization efforts. There is an effort to collaborate on directory and identity management. And there is cooperation around the Office Open XML format; the first term of this agreement is the highly redacted section quoted above, so it's hard to tell what is really going on. The business cooperation agreement talks about creating a joint marketing plan to sell the various activities described in this deal. Microsoft will kick in $60 million to make this marketing happen; Novell gets to decide how some of that money will be spent. The two companies promise to endorse each other's offerings. Microsoft will be tossing in another $34 million for a sales force trying to sell the combined offerings. There is a special term prohibiting either company from selling the combined Linux/Windows package as a single unit. Each company must separately license its part of the offering to the customers. Microsoft commits to buying $240 million in SUSE Linux certificates. This section is highly redacted ("Microsoft may also *** through the *** in which case an *** will be *** from the *** for the *** in the Term") so there's a lot of presumably important details we'll never know about. Novell gets an exclusive deal in that Microsoft promises not to make any similar deals with other Linux distributors for three years. The bulk of this set of agreements really is as boring as some people have claimed. It's two companies trying to make their products work better together and to increase the market for both. The patent agreement is worth some study, though, especially for anybody who is tempted to rely on it to make their business somehow safer. The exclusions from coverage by the non-license have not been highlighted by any of the PR from either company, but they do very much affect the real nature of the coverage provided. The complicated dance around exclusions may just be lawyers trying to nail everything down, or it may indicate a deeper agenda somewhere. For those of us wondering what is really going on, the release of the text of these agreements may have shed rather less light than we would have liked.
Page editor: Jonathan Corbet Security USB laptop firewall runs Linux A new firewall product for Windows laptops would generally be greeted with yawns from the Linux community, but the newly announced Yoggie Pico has some features that may be of interest. The Pico is a device that contains a 'security processor' running Linux and whole slew of free and open source security applications in a USB 'key' form factor. The intent is to provide a laptop user on the road the same level of security as they would have behind the corporate firewall. At its core, the Pico has an Intel CPU, some RAM and two separate banks of flash. At boot time, it copies the read-only version of the software from one bank to the other and runs from the copy; an attempt to ensure that even if the Pico is successfully compromised, a reboot will restore it. A driver is installed on the laptop that snags all network traffic just above the link layer and sends it off to the Pico for filtering. This allows traffic from all network interfaces to be intercepted. The Pico provides firewall protection and Network Address Translation (NAT) via iptables and runs Snort for intrusion detection/prevention. It also does content filtering of various internet protocols (HTTP, FTP, POP3 and SMTP) to stop viruses, spyware, phishing and spam. It has three proprietary, patent-pending, modules that in some, unspecified way correlate the information gathered by the other security software to detect and thwart previously unknown threats. If you can believe everything that is said on the website, the Pico will protect a laptop from any known or unknown threat immediately upon plugging it in. One suspects the reality falls somewhat short of the hype. Statements like: 'simply plug it to your laptop and you are completely secure' are at best exaggerated, at worst deceptive; security is a process and a set of tradeoffs, not a destination. How those tradeoffs are administered is glossed over as well; too much configurability can be error-prone, while too little can lead to unusable rigidity. There certainly is a niche for this kind of protection; laptop security is often the Achilles heel of a company's network security. The Pico driver provides administrators a means to disallow network traffic when the Pico is not present which may help keep laptops from bringing home various ills. As a separate hardware device that does not rely on much from the host OS, the Pico could provide a nice laptop security device; it remains to be seen if its $180-200 price point is attractive. Yoggie plans to release a driver for Linux (as well as Mac OS X and Windows Vista) sometime soon, but because it is relatively easy to run the same applications on the laptop itself, it may not be a big seller in that (already small) market. Depending on how hackable the device is, there might be a rather larger market for a USB attached computer that can run Linux. It will be interesting to see whether Yoggie stands in the way or actively assists anyone interested in modifying their Pico for purposes other than what the company had in mind. And if Linux hackers can figure out how to 'mod' it and talk to it, with or without Yoggie's help, some very interesting applications could result. Some rumblings about GPL compliance have been heard in the community (for example see the comments on the LWN announcement). No links to source code could be found on the website; it is possible that the code is shipped with the device though there are indications that is not happening either. From the website, it would appear that the company has been shipping a similar Gatekeeper device with a different form factor and connectivity. It appears to have substantially the same software and one would have hoped that any GPL compliance issues would have been resolved then. An answer to an inquiry about the code is pending, stay tuned.
Security news Google, Yahoo, Facebook Extensions Put Millions of Firefox Users At Risk (Wired) Wired reports on a vulnerability in a number of Firefox extensions. "Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they fail to check for extensions from servers with SSL certificates, which most users know as sites that start with https://. That means that users who open their browsers when using an open wireless connection are vulnerable to a hacker being able to intercept these third-party extensions' checks for updates at a plain http:// site and then pretend to be the update server."Update: here's the disclosure of the vulnerability from Christopher Soghoian, the researcher who found it.
New vulnerabilities freetype: arbitrary code execution
gforge: arbitrary code execution
madwifi: denial of service
mod_jk: proxy bypass
otrs2: code injection
pulseaudio: denial of service
Updated vulnerabilities aircrack-ng: remote execution of arbitrary code
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
bind: denial of service
bugzilla: multiple vulnerabilities
clamav: file descriptor leak
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
elinks: code execution
evolution: format string error
pop mail man-in-the-middle attacks
fail2ban: denial of service
ffmpeg: buffer overflows
file: denial of service
file: arbitrary code execution
firefox: FTP PASV port-scanning
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
gdb: buffer overflow
gimp: arbitrary code execution
gzip: multiple vulnerabilities
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
java: multiple vulnerabilities
kdelibs: cross-site scripting
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||