LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 7, 2007Looking forward to Fedora 8Given the amount of work which went into the recent Fedora 7 release, it would not be surprising if the Fedora developers were to go off and focus on beer consumption for a little while. As it happens, the beer is (mostly) staying in the refrigerator and the Fedora community is getting a quick start on the Fedora 8 release; the beginning of a feature list is in the works. The draft schedule has been posted, and it is ambitious: Fedora 8 is due on October 31 (Halloween), after a mere five months of development.This schedule has raised some eyebrows within the community. Five months seems quite short for the development of a new version of this distribution. The final development freeze is on October 17, which disappoints KDE fans: the KDE4 schedule calls for an October 23 release. If one looks at the feature freeze date (August 20), then Fedora 8 appears poorly aligned with the GNOME 2.20 schedule as well. Why, it is asked, should the Fedora project rush out a distribution under a tight schedule which causes it to miss the major developments that users are looking for? The answer lies in the Fedora leadership's desire to get the distribution back onto a regular six-month schedule. A predictable release pattern is better for everybody involved. Users know when it will happen, and major development projects can, if they care, plan their own schedules around the distribution releases. Fedora's releases have been a bit less predictable than usual recently, an understandable result of the changes the project has undergone. But Fedora 8 looks like a good opportunity to bring things back in line. That reasoning still leaves open the question of why this cycle needs to be only five months long. The Fedora folks are juggling a couple of other concerns here. One of them is that final distribution releases are best placed far from the end of Red Hat's fiscal quarters; it seems that it's a lot easier to get peoples' attention when they're not trying to close out a quarter. The Fedora leadership has also noticed that, just occasionally, Fedora releases have been known to slip back a bit from their planned date. Putting that date in October allows for a certain amount of slippage without pushing the release back into the middle of the holiday season. A Fedora release as a Christmas/Hanukkah/Kwanza/Yule present is a pleasant idea, but it's less pleasant for Fedora developers who may have other plans during that time. The end result of all this is that Fedora is likely to cling fairly tightly to an April and October release schedule. We are seeing a similar pattern with some other distributions, and with other large projects. Over time, perhaps, some sort of loose, global coordination of release schedules across much of the community is emerging. That would be an interesting example of spontaneous organization where few expected it to happen. Meanwhile, there is still some significant grumbling within the ranks of the Fedora developers who came from the Extras side of the distribution. Putting an updated package into the old Extras repository was a simple process; now the "short form" of the packaging guidelines shows a 15-step process to upload a single package. A new requirement to route packages through the updates-testing area was the last straw for some developers who were already unhappy with what they see as a heavy bureaucracy which has been imposed upon them. There is talk of having lost control of what used to be a community-oriented Fedora Extras distribution. This discussion should be looked at with the understanding that the merger of Fedora Core and Fedora Extras was a major change in how Fedora is made. Naturally there will be culture clashes, growing pains, and conflicts as two very different sets of processes are merged into a single, new process. The path toward a solution was articulated clearly by longtime contributor Thorsten Leemhuis:
So lets deal with it now -- for example by making "contributing to
Fedora easy again, get the community involved better into the
decisions process and make packagers happy again" one of the most
important "Features" for Fedora 8. Otherwise the merge might fail
in the end.
Disagreements within large projects are not uncommon, even without the added stress of major change. The open nature of projects like Fedora causes these disagreements to unfold in very public ways. The good news is that if the project's participants are serious about pursuing a common goal - creating the best free distribution they can, for example - they usually find a way to address the issues and move on. With any luck the remaining difficulties from the merger will be a distant memory by the time we're thinking that our Fedora 7 systems are getting old and are in need of an upgrade.
Whose project is it anyway?A project's name is its identity which embodies all of the good (or bad) will that the software and its developers have built up over time. In order to protect it, a project will sometimes register a trademark for the name allowing them to control who uses it. If someone outside of the project tries to grab that control by registering the trademark, especially without consulting the development team, sparks will fly. That is just what we are seeing in a dispute between handhelds.org and two of the projects associated with it. As one might guess from the name, handhelds.org is essentially a portal for open source, typically Linux-based, software for small embedded devices, mostly PDAs. It provides CVS repositories, bug tracking, mailing lists and other developer services to a handful of projects related to handheld devices. The GPE Palmtop Environment (GPE) and the Open Palmtop Integrated Environment (Opie) provided a user interface including some Personal Information Management (PIM) applications for PDAs. Both projects were developed using the facilities at handhelds.org, but it is apparent that there is a disconnect between the projects and the portal: is handhelds.org just a hosting site like SourceForge or is it something more? That question is at the heart of the disputes. In August of 2006, several GPE Palmtop Environment (GPE) developers proposed moving the project from handhelds.org to a relatively new site called Linux-To-Go (LTG). The stated reasons for the move were somewhat vague, but it clearly was an attempt by those developers to gain more control over the hosting of the project and which development tools were used. It was perceived to be a power grab by some and was not met with wholehearted acceptance, but the main detractors were people associated or affiliated with handhelds.org rather than core GPE developers. Another round of mailing list flames came about in October when the move to LTG actually started to happen. As with any acrimonious split, there were accusations of various sorts being thrown around, the GPE developers were accused of deleting the CVS repository on handhelds.org while handhelds.org was alleged to have deleted user accounts, links to the new site and mailing list messages. The transition seems to have gone well for LTG as most or all of the GPE developers moved over to the new site. All of that bickering is well in the past now, the GPE project has moved on, and handhelds.org continues to host various projects, but a dispute over an Internet Relay Chat (IRC) channel has recently rekindled the flames. The administrators at freenode surely had no idea what they were stepping into when they acted on a renaming request from handhelds.org and pointed the #gpe channel at #handhelds-gpe. The #gpe channel had been in use by the project at LTG, and a request to control the channel had been made by LTG in November but had not yet been acted upon. When freenode discovered the problem they restored the channel to the LTG folks and promptly received an email from handhelds.org claiming GPE as their trademark. At that point, freenode took the channel away from both awaiting a resolution of the dispute. It turns out that in March, George France, CEO of Handhelds.org Inc., which is the non-profit company that runs the website, applied to register trademarks for several of the projects that are hosted there. GPE and Opie were two of those projects. Then in mid-May under cover of an innocuous CVS comment, France changed the handhelds.org legal page to include a statement claiming that GPE, Opie and another 11 projects as "Trademarks of Handhelds.org, Inc." France claims that GPE and Opie were always trademarks of handhelds.org and the registration is just to clean up the legalities of the matter:
Although I am not a lawyer, in the united states, a trademark comes from using
a mark in trade, which is known as an unregistered mark. You can not
register a trademark in the US unless it has been an unregistered mark first.
Registration is just bow, that gives extra rights like presumptive [ownership].
Opie has been a trademark of handhelds.org, inc for a long long time. Now it
is more visible, but nothing new is going on.
The GPE folks claim that the name GPE pre-dates hosting on handhelds.org and that the active project should be the one to hold the trademark, as all handhelds.org ever did was provide hosting services. France never consulted with either project regarding registering the trademarks, presumably because he believed them to be already the property of handhelds.org. It seems fairly presumptuous to claim a project's name, even for the most altruistic of reasons, without consulting the people whose code embodies that project. Whether the handhelds.org folks wish to acknowledge it or not, the active GPE project is now hosted at LTG. The GPE mailing list archives show no activity of consequence at handhelds.org since April whereas the LTG list is fairly active. Under those circumstances it seems disingenuous to suggest, as some handhelds.org folks have, that the LTG project is a fork and should therefore change its name. GPE has moved rather than forked. Opie seems to have gotten caught in the GPE crossfire to some extent. The project itself was not very active when one of the earlier developers tried to start an OpieII project that would update the code to Qt4. His choice of hosting it at LTG was at least partially to blame for a request from handhelds.org that he not use the name OpieII as it infringes upon the Opie trademark. This led to yet another flame-filled thread about handhelds.org usurping a project's name, but it also led to a possible solution to the whole mess. One of the original Opie founders stepped in and has come up with a possible resolution where he will be licensed to use the Opie name and will host an Opie development site separate from handhelds.org (though still affiliated as opie.handhelds.org). In addition, a community council for handhelds.org would be formed and a code of conduct would be created to try and avoid these kind of situations in the future. One might hope this model could lead to better relations between GPE and handhelds.org, but egos on both sides would make that an unlikely scenario. If a loose collection of developers comes together and starts contributing code to a project, one would think that they would be entitled to own the trademark on the name they chose. But unless the project puts together some kind of governing structure and applies for a trademark at or near day one, there can always be questions about the name. Does it belong to the founders, the current developers or the site that hosts their CVS repository? How do you define who is a "member" so that the governing structure adequately represents the interests of the "community"? These are difficult questions and are probably about the last thing a group of hackers wants to deal with at the initial stages of a project. In many cases, it is too early to tell if the project will even get going enough that it makes sense to spend any time on governance issues. Trademarks are a bit of a double-edged sword, they can protect a project from someone misrepresenting the code, a spyware infested browser called Firefox for instance, but there needs to be some kind of entity that administers and enforces the mark. It would be difficult for someone completely unrelated to a project to register the trademark and hope to have it stick, as William Della Croce found out with the Linux trademark in 1996, but it costs real money to wrest the trademark back, and a free software project is unlikely to have that easily at hand. This is an issue that project leaders need to at least think about as their projects mature.
Last call for GPLv3The Free Software Foundation has announced the release of the "last call" draft of version 3 of the GNU General Public License. In the absence of a significant reason to make changes, the FSF will be releasing something that looks very much like this draft on June 29. So this would be a good time for anybody who is concerned about this license to take a final look at the license text with an eye toward finding any last-minute problems.There are a few significant changes that went in this time around, and one which did not. The current draft contains this language:
You may not convey a covered work if you are a party to an
arrangement with a third party that is in the business of
distributing software, under which you make payment to the third
party based on the extent of your activity of conveying the work,
and under which the third party grants, to any of the parties who
would receive the covered work from you, a discriminatory patent
license (a) in connection with copies of the covered work conveyed
by you (or copies made from those copies), or (b) primarily for and
in connection with specific products or compilations that contain
the covered work, unless you entered into that arrangement, or that
patent license was granted, prior to 28 March 2007.
The final part is the "grandfather clause" which exempts the Microsoft/Novell deal from this restriction. In the previous draft, the FSF had mentioned the possibility of removing that clause, causing the full power of that language to apply against Novell. That, in turn, would have made it hard (or impossible) for Novell to distribute software licensed under GPLv3. According to the FSF, it now seems that it is better to let Novell distribute this software than to prohibit it:
Microsoft is scrambling to dispose of as many Novell SLES coupons
as possible prior to the adoption of GPLv3. Unfortunately for
Microsoft, those coupons bear no expiration date, and paragraph 6
has no cut-off date. Through its ongoing distribution of coupons,
Microsoft will have procured the distribution of GPLv3-covered
programs as soon as they are included in Novell SLES distributions,
thereby extending patent defenses to all downstream recipients of
that software by operation of paragraph 6.
If this reasoning holds up, any Microsoft patent which can be said to be infringed by GPLv3-licensed software distributed by Novell will, in essence, be licensed to the free software community. It seems too good to be true, but the people who are arguing this point should know what they are talking about. The definition of a "user product" - the sort of product to which the anti-DRM provisions apply - has changed somewhat. The previous draft used a reference to a U.S. law, which was not entirely well received in other parts of the world. The new draft says, instead:
A "User Product" is either (1) a "consumer product," which means
any tangible personal property which is normally used for personal,
family, or household purposes, or (2) anything designed or sold for
incorporation into a dwelling. In determining whether a product is
a consumer product, doubtful cases shall be resolved in favor of
coverage. For a particular product received by a particular user,
"normally used" refers to a typical or common use of that class of
product, regardless of the status of the particular user or of the
way in which the particular user actually uses, or expects or is
expected to use, the product. A product is a consumer product
regardless of whether the product has substantial commercial,
industrial or non-consumer uses, unless such uses represent the
only significant mode of use of the product.
The clear intent is to define most products as "user products," exempting only a very few products from the requirement that "installation instructions" be provided with the source. This requirement has always been one of the most controversial parts of GPLv3, but the FSF has stuck with it from the beginning. The permissions for distributing copies have been broadened a little with this language:
You may convey covered works to others for the sole purpose of
having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply
with the terms of this License in conveying all material for which
you do not hold copyright. Those thus making or running the covered
works for you must do so exclusively on your behalf, under your
direction and control, on terms that prohibit them from making any
copies of your copyrighted material outside their relationship with
you.
In other words, having an outside contractor work on a modified, GPLv3-licensed program does not force the distribution of the modifications to that program. Finally, this draft of the GPLv3 is considered to be fully compatible with version 2 of the Apache License. This compatibility was achieved by changing the interpretation of the Apache License slightly (in a way which matches the Apache Software Foundation's interpretation) and by adding a couple of permissible extra terms to the GPL. It is now possible to require indemnification of upstream contributors and to require modified works to be distributed under a different name. Since the Apache License contains terms like that, allowing them under GPLv3 was essential if the two were to be made compatible with each other. The screaming which accompanied earlier drafts of GPLv3 is notably absent this time around. A number of the issues which upset people have been resolved at this point. And most observers understand that other controversial terms - such as the anti-DRM provisions - are not going to change regardless of how much criticism is directed at them. For better or for worse, the GPLv3 process is nearly complete; soon it will be a matter of seeing which projects make the change to the new license. To that end, Richard Stallman has posted an essay encouraging movement to GPLv3. Starting on June 29, projects will have the option of following that advice.
Security Firefox security statusA major security flaw in various third-party extensions has given Firefox a bit of a black eye even though the browser is not vulnerable. A number of other issues in the browser itself caused a security release which kept Firefox in the news. Unfortunately, after the release, even more vulnerabilities were reported. One would have to guess that it has not been the best week or so for the Firefox security team. A large number of extensions - including toolbars for Google, Yahoo, Facebook and others - are susceptible to a man-in-the-middle attack that allows arbitrary code execution within the browser. The vulnerability exploits the update mechanism built into the extensions by providing malicious code as an update. An attacker that can control the DNS answers received by a victim can redirect the update queries from the extensions to a server under the attacker's control. The code provided gets installed, silently in many cases; it will then run as part of the browser with all of the capabilities of an extension. Situations where one may not be able to trust the DNS answers received are far more common than people realize. Using a public or unencrypted wireless network is probably the most common vulnerable situation, but home routers that have been subverted either through a vulnerability or because the owner never changed the default password can also leave an opening for an attack. Because the extensions typically check for updates frequently, there are lots of opportunities to provide them with bad code. There are any number of nasty things that a browser extension can do: keystroke logging, email reading, spamming, bank transfers, subscribing to LWN.net, etc. This is truly a situation that one wants to avoid. Vendors of these extensions have in many cases (with Google being specifically called out in the vulnerability announcement) bypassed the default Firefox prompt that would at least alert users that new code was being installed. Users running those extensions have no defense and need to delete them from the browser while awaiting a fix from the vendor. The open source extensions that are available at https://addons.mozilla.org are not vulnerable because of the use of SSL to prevent an attacker's host masquerading as the update server. The SSL certificate presented by the attacker's server will not pass muster with the browser so the malicious update will not be installed. This is the fix that the vulnerable extensions will have to implement. It is not particularly technically difficult, more of a logistics headache to roll out new code to millions of users. It may also require some infrastructure improvements to be able to support encrypted connections for that many users. Millions of users at risk for all manner of browser mayhem may make the fixes in the most recent security update pale by comparison but there are some serious issues there as well. The most important fix, rated as critical by Mozilla, fixes potentially exploitable crashes in the layout and Javascript engines. There is also a flaw that allows cross-site scripting using the addEventListener Javascript call which Mozilla rates as having a high impact. A few days after the release, Michal Zalewski was up to his usual tricks by reporting two vulnerabilities in Firefox, one that he rates as a major vulnerability, the other as medium. In both cases, various Javascript tricks can be used to make the browser behave badly which is yet another reason to look into the NoScript extension. Thor Larholm also had some bad news for the Firefox team shortly after the release when he reported that a patch that went into the 2.0.0.4 release only partially fixed the problem for Windows platforms while doing nothing to prevent the problem for Linux and other UNIX versions. The directory traversal vulnerability allows any local files accessible to the browser user with the name known by the attacker to be read via the resource:// URL handler. The information in the file could then be transmitted to any site visited. We can probably expect an update from the Firefox team for this particular problem relatively soon.
Brief items Google: Web Server Software and MalwareGoogle has published the results of some research on web servers and malware. "It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache. We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy, and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems." So the problem may not be that the software is inherently less secure, but that its proprietary licensing cuts off many deployments from security updates.
New vulnerabilities clamav: denial of service
file: integer overflow
firefox: multiple vulnerabilities
jasper: denial of service
lha: temporary file vulnerability
libexif: integer overflow
php: multiple vulnerabilities
php-pear: directory traversal
Sun JDK/JRE: multiple vulnerabilities
wpa_supplicant: buffer overflow
Updated vulnerabilities acroread: multiple vulnerabilities
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
bind: denial of service
bugzilla: multiple vulnerabilities
cpio: arbitrary code execution
vixie-cron: privilege escalation
cscope: buffer overflows
cscope: buffer overflows
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
elinks: code execution
elinks: arbitrary file access
evolution: format string error
pop mail man-in-the-middle attacks
fail2ban: denial of service
file: arbitrary code execution
firefox: FTP PASV port-scanning
freetype: arbitrary code execution
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
gdb: buffer overflow
gedit: format string vulnerability
gforge: arbitrary code execution
gimp: arbitrary code execution
grip: buffer overflow
gzip: multiple vulnerabilities
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
java: multiple vulnerabilities
kdelibs: kate backup file permission leak
kdelibs: cross-site scripting
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
kernel: denial of service by memory consumption
kernel: denial of service
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
krb5: uninitialized pointers
krb5: local privilege escalation
krb5: multiple vulnerabilities
ktorrent: incorrect validation
lftp: shell command execution
libgadu: memory alignment bug
libgtop2: buffer overflow
libmodplug: boundary errors
libpng: denial of service
libpng: buffer overflow
libpng: heap based buffer overflow
libtiff: buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
lighttpd: denial of service
lookup-el: insecure temporary file
lynx: arbitrary command execution
madwifi: denial of service
mod_jk: proxy bypass
mod_jk: stack overflow
mod_perl: denial of service
moin: arbitrary JavaScript execution
mplayer: buffer overflow
mydns: buffer overflows
mysql: denial of service
mysql: format string bug
MySQL: privilege violations
MySQL: logging bypass
nbd: arbitrary code execution
ncompress: buffer underflow
openldap: security bypass
OpenSSH: denial of service
openssh: remote denial of service
otrs2: code injection
php: multiple vulnerabilities
php: several vulnerabilities
php: buffer overflows
php: several vulnerabilities
phpbb2: missing input sanitizing
phpbb2: multiple vulnerabilities
phpwiki: remote code execution
postgresql: SQL injection
postgresql: privilege escalation
pptpd: denial of service
pulseaudio: denial of service
python: information disclosure
qemu: multiple vulnerabilities
qt: "/../" injection
quagga: denial of service
quake: buffer overflow
rpm: arbitrary code execution
samba: several vulnerabilities
Mozilla: multiple vulnerabilities
shadow-utils: mailbox creation vulnerability
snort: remote arbitrary code execution
squirrelmail: missing input sanitizing
tcpdump: denial of service
tetex: buffer overflow
tomcat: directory traversal
util-linux: access restriction bypass
vixie-cron: weak permissions may cause errors
wordpress: another pile of vulnerabilities
XFree86 X.org: integer overflows
xine: format string vulnerabilities
xine-lib: arbitrary code execution
xine-lib: buffer overflow
xine-lib: buffer overflow
xinit: race condition
xmms: BMP handling vulnerability
xscreensaver: password check bypass
zziplib: buffer overflow
Page editor: Jonathan Corbet Kernel development Brief items Kernel release statusThe current 2.6 prepatch is 2.6.22-rc4, released on June 4. It adds a few hundred fixes aimed at further stabilizing 2.6.22. See the long-format changelog for the details.As of this writing, no patches have found their way into the mainline since -rc4. The current -mm tree is 2.6.22-rc4-mm1. Recent changes to -mm include an operation to disable all I/O space access (for virtualized guests), a lengthy patch set aimed at fixing a page fault deadlock, some suspend/hibernate work, the O_CLOEXEC patch (see below), support code for Xen on the x86-64 architecture, ext4 support for the upcoming fallocate() system call, and the containers patch set. For older kernels: 2.6.16.52 was released on May 31 with a handful of fixes.
Kernel development news Quotes of the week
I'm convinced there's some contest to see who can make the worst
graphical mail client for Linux. I'm not sure what the prize is, or
who's winning, but the entries so far are horrific.
-- Dave Jones
Lotus Notes has no serious competition.
-- Andrew Morton
Andy's patch-checking script will (should) detect wordwrapping, tab-expansion and hopefully space-stuffing. When we get that sorted out, people who submit broken patches to one of the lists should get a robot reply within minutes telling them what they did wrong, so things will become largely self-correcting. I am sooooo looking forward to that thing. <Sends note to Nobel prize committee>
Fun with file descriptorsLast week's article on syslets briefly mentioned a problem with using file descriptors for low-level communications with the kernel. There is a single namespace for file descriptors, combined with a strict rule for how those descriptors are allocated. As long as the application is fully in charge of that space all works well, and the "lowest available descriptor" rule can be relied upon. As soon as hidden levels (the C library in particular) start using file descriptors for their own purposes, though, the potential for conflicts and confusion at the application level arises. An application which makes a mistaken assumption about where a file descriptor will be allocated, or which indiscriminately "cleans up" open descriptors belonging to the libraries will break. This problem is evidently real, to the point that the glibc goes out of its way to avoid using internal file descriptors for anything.This issue is a problem for kernel developers. They would rather not create new, file-descriptor-based services (completion events for syslet-based asynchronous I/O, for example) if glibc will not use those services. So there has been a search for alternatives, most of which involve creating a separate space for "system" file descriptors. Linus suggested one way of doing this:
Which *could* be something as simple as saying "bit 30 in the file
descriptor specifies a separate fd space" along with some flags to
make open and friends return those separate fd's. That makes them
useless for "select()" (which assumes a flat address space, of
course), but would be useful for just about anything else.
Davide Libenzi took this idea forward with a patch to create a non-sequential file descriptor area. The current kernel tracks file descriptors in a linear array - a technique which works well as long as the "lowest available descriptor" rule holds. As soon as one starts setting high-order bits in file descriptor numbers, however, the linear array becomes rather less practical. So Davide's patch creates a separate, linked-list data structure used for the non-sequential file descriptor range. The second part of the patch set then fixes up the dup2() system call to use the new file descriptor range. The normal behavior of dup2() has not changed, but if the destination file descriptor is passed as FD_UNSEQ_ALLOC, a random file descriptor will be allocated from the non-sequential area. A specific file descriptor in that area can be requested by passing a number higher than FD_UNSEQ_BASE. This approach has the advantage of not requiring any new system calls or changing the default user-space binary interface at all. But according to Ulrich Drepper, that attribute is not an advantage at all. Since using this capability requires application changes in any case, Ulrich would rather just see a new system call created; he proposes:
int nonseqfd(int fd, int flags);
This system call would duplicate the open file descriptor fd into the non-sequential space, optionally closing fd in the process. The flags parameter would allow other attributes of the new file descriptor to be controlled. Of particular interest is whether that descriptor shows up in the /proc/pid/fd directory. The optimal way of closing all open file descriptors, apparently, is to read that directory to see which descriptors are currently open. Keeping special descriptors out of that directory (perhaps shifting them to a parallel private-fd directory) will prevent well-meaning applications from closing the library's file descriptors. It has been suggested that the open() system call should get a flag which would cause it to select a non-sequential file descriptor from the outset, eliminating the need for a separate call to nonseqfd(). There are, however, a number of system calls which create file descriptors but which have no flags parameter and which, thus, will never be able to return non-sequential file descriptors; socket() is a classic example. So there will still be a need for a system call which can duplicate a file descriptor into the new space. Ulrich has requested that all file descriptors in the non-sequential space be allocated randomly. He would rather not ever see a situation where application developers think they can rely on any specific allocation behavior when using that space. There have also been suggestions that the non-sequential space could be useful for for high-performance applications which hold large numbers of file descriptors open - web servers, for example. Such applications usually have no use for the "lowest available descriptor" guarantee and would happily do without the overhead of implementing that guarantee. Davide's current implementation does not appear to have been written with thousands of non-sequential file descriptors in mind, though. On another front, Ulrich has been working on a race condition which comes up with certain types of applications. It is possible to request that a file descriptor be automatically closed if the process performs an exec(); the fcntl() system call is used for this purpose. The problem is that there is some time between when the file descriptor is created (with an open() call, perhaps) and the subsequent fcntl() call. If another thread forks and runs a new program between those two calls, its copy of the new file descriptor will not have the close-on-exec flag set and will thus remain open. Solving that problem generally will take some work, but fixing the open case is relatively easy. Ulrich is proposing a new O_CLOEXEC flag for this purpose. There does not appear to be much opposition to this idea, so the new flag might well make an appearance in 2.6.23.
The thorny case of kmalloc(0)People running 2.6.22-rc kernels have likely noticed the occasional warning and traceback associated with zero-length allocations. It turns out that there is code in the kernel which asks kmalloc() to allocate a zero-sized object. Nobody really knew how often this happens until the warning went in as part of the SLUB allocator patch set; now that these cases are turning up, it seems that deciding what to do about them is harder than one might expect.One possibility is to return NULL. On the face of it, this option would appear to make sense; the caller has requested that no memory be allocated, and kmalloc() has complied. The problem here is that a NULL pointer is already loaded with meaning. It says that the allocation has failed (which it didn't - there is always enough memory left to allocate another zero bytes) and is often used as an indicator that a particular structure or subsystem has not been initialized. More to the point, it seems that there is an occasional situation where a zero-length allocation is not entirely incorrect; consider the allocation of a structure which, as a result of the kernel's configuration options, has been optimized down to zero members. Coding around such cases is possible, but it is not clear that adding more twists and turns is worth the trouble when zero-length allocations can just be handled in kmalloc(). Another possibility is to return the smallest object that kmalloc() can manage - currently eight bytes. That is what kmalloc() has silently done for years. This solution appears to work, but it has the disadvantage of returning memory which can be written to. A zero-length allocation can arguably be correct, but it's hard to find anybody who would agree that storing data into a zero-length chunk of memory makes sense. Even highly compressed data cannot be expected to fit into that space in all situations. People who worry about finding bugs would much prefer that any attempt to actually write to memory allocated with kmalloc(0) caused the kernel to protest in a very noisy way. That brings us to the third possibility: this patch from Christoph Lameter which causes kmalloc(0) to return a special ZERO_SIZE_PTR value. It is a non-NULL value which looks like a legitimate pointer, but which causes a fault on any attempt at dereferencing it. Any attempt to call kfree() with this special value will do the right thing, of course. The final option seems like it should be the right course, allowing zero-length allocations without masking any subsequent incorrect behavior. Surprisingly, though, there is an objection here too: now every call to kmalloc(0) returns the same value. One might not think this would be a problem; subsequent zero-length allocations will all be zero bytes apart, just like the C standard says they should be. But some developers are worried that this behavior might confuse code which compares pointers to see if two objects are the same. There is also, apparently, an established coding pattern (in user space) which uses zero-length allocations as a way of generating a unique cookie value. If all zero-length allocations return the same pointer, these cookies lose their uniqueness. That worry appears unlikely to carry the day, though; Linus says:
If people can't be bothered to create a "random ID generator"
themselves, they had damn well better use "kmalloc(1)" rather than
"kmalloc(0)" to get a unique cookie. Asking the allocator to do
something idiotic because some idiot thinks a memory allocator is a
cookie allocator is just crazy.
I can understand that things like user-level libraries have to take crazy people into account, but the kernel internal libraries definitely do not. Add to this argument the fact that nobody seems to have discovered such a use of kmalloc() in the kernel yet, and the "unique cookie" argument runs out of steam. So some form of the ZERO_SIZE_PTR patch, with the warning removed, will probably find its way into the mainline - but probably not before 2.6.23.
Wireless regulatory complianceWireless networking vendors have, over time, developed a large and imaginative set of reasons for their refusal to make free drivers and hardware programming information for their products available. One of those reasons is regulatory compliance; if untrusted parties can modify a wireless device driver, they may (accidentally or not) program the device to operate outside of the rules governing frequency use and power levels in their specific area. Some vendors apparently believe that they could be held responsible for what others do with their hardware, especially in parts of the world with relatively aggressive enforcement of regulations on spectrum use. While the United States is often mentioned in such discussions, people who have studied the issue tend to worry more about Japan. That said, there are regulations worldwide - differing regulations - and a Linux system with radio transmitters in it will be expected to comply with those regulations.To that end, Larry Finger has recently returned with a new version of his proposal for a mechanism which would enable Linux to operate wireless adapters in a legally-sanctioned way. The scheme involves the creation of a database describing the regulatory regime in various parts of the world. At system startup, a user-space daemon would determine (somehow) where the system was located, obtain the relevant parameters from the database, and feed them into the mac80211 subsystem, which would then instruct drivers on how to program their devices. In the absence of instructions from user space, the kernel would fall back to a minimal configuration known to be legal worldwide - if such a configuration can be found. There was some interesting feedback, starting with the assertion that the mac80211 layer is the wrong place for a regulatory module. There are wireless adapters which have full MAC capability built into them, and which will not use mac80211, but these devices have the same regulatory issues. Beyond that, Linux systems can contain other sorts of transmitters, starting with BlueTooth adapters and going on from there. If this sort of regulatory compliance is to be added to the kernel (and cleaned out of various drivers where it already exists), it would be best to add it once and have it work in all situations. It turns out that some thought has gone into a kernel "frequency broker" module which would handle this task, but development has not yet gone very far. Overly zealous regulatory enforcement is a concern for some users. There are people running Linux who have licenses allowing spectrum use which is denied to most of us. They would, understandably, like to be able to use their hardware (when it is capable of such use) in ways which take advantage of their wider permissions. If the kernel eventually adopts a regulatory mechanism which cannot be overruled, it will prevent some users from doing things which they are legally entitled to do. Until they go into the code and disable the regulatory code, at least. Of course, if legal users can override the regulatory mechanism, others can as well. That leads to the question of whether a regulatory regime implemented in free software can ever be good enough to satisfy the authorities. Luis Rodriguez pointed out an April, 2007 ruling [PDF] from the U.S. Federal Communications Commission which suggests that there could be trouble there:
The Commission did not address the possibility of manufacturers
using open source software to implement security measures. However,
we recognize that hardware and software security measures that
interact with the open source software need not be subject to an
open source agreement. We are hereby stating that it is our policy,
consistent with the intent of Cognitive Radio Report and Order and
Cisco's request, that manufacturers should not intentionally make
the distinctive elements that implement that manufacturer's
particular security measures in a software defined radio public, if
doing so would increase the risk that these security measures could
be defeated or otherwise circumvented to allow operation of the
radio in a manner that violates the Commission's rules. A system
that is wholly dependent on open source elements will have a high
burden to demonstrate that it is sufficiently secure to warrant
authorization as a software defined radio.
(Emphasis added). If free regulatory code will never be good enough for regulatory agencies, one might well ask whether it is worth the trouble for Linux developers to implement such a module in the first place. One could answer that operating transmitters in a way consistent with their licensing is the correct thing to do, regardless of whether governments see it as being sufficiently robust. But, if the main concern is keeping governments happy, the only real solution may be to do as Intel has done and move regulatory compliance back into the device's firmware and away from the host operating system altogether. This approach brings an additional benefit in the form of eliminating one excuse for not releasing free drivers.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Kernel building
Memory management
Networking
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet Distributions News and Editorials Ubucon BoulderAn Ubucon is an informal, lightly structured gathering of "Ubunteros" - users of Ubuntu and its derivatives. Ubucon-Boulder was held on Saturday June 2 in your editor's home town of Boulder, Colorado, so I decided to check it out.This Ubucon was organized by Neal McBurnett and Mitch Mahan from the Ubuntu Colorado Local Team. Google's Boulder office kindly hosted this event and provided a conference room with WiFi and a projector for demonstrations. The idea behind this Ubucon was to see what people do with Ubuntu. To that end many of us kept a Synaptic session open on our laptops to install various applications and play with them during the demonstrations. I had intended to write about the various applications that were demoed during the day, but Neal already did a fine write up based on the notes he made on the wiki in real time. I do have a few things to add to Neal's coverage. Joey Stanford is a Canonical employee who carefully did not talk about some of the not-ready-for-release things that he is working on currently. However he did mention that the collaborative text-editor Gobby is used by the global community of Ubuntu Weekly News editors to put together the news each week. Joey also mentioned the somewhat announced Ubuntu Landscape, a paid service, much like Red Hat Network. He also said that Canonical does intend for all of Launchpad, the suite of tools used by Ubuntu developers, to be released as open source. Some of Launchpad is already open source, but some of these tools remain proprietary - and there is no time-table for when we might see that happen. Canonical is carefully balancing its need to make a profit and pay its developers with the concept that software strives to be free. All in all, it seems that a good time was had by all attendees of Ubucon-Boulder. One does not need to be a developer, or fluent in any programming language to get involved in a community group of this kind. There are Local Teams of Ubuntu enthusiasts all over the world. So find a Local Team in your area and check it out, or if there isn't one in your area you can create one. It looks like at least some of the Colorado team will be helping out at the Edubuntu booth at the Technology in Education Conference in Copper Mountain, Colorado, June 19 - 22, 2007.
New Releases Fedora 7 (Moonshine) releasedFedora 7 is out. "Howdy, cousins! Welcome to our little Fedora hollow, where we've brewed up some mighty, mighty Fedora 7 Moonshine for your enjoyment. Here, I'll help you pour that ... and some for me ... *cough, cough* Smoooooth ... sure does taste good. It's been sitting here in the jug for almost a whole month now!" Click below for more on this theme.
Foresight Linux 1.3 ReleasedVersion 1.3 of Foresight Linux has been announced. "Timed to be released with GNOME 2.18.2, the Foresight Linux team is happy and proud to announce the release of Foresight Linux 1.3. Foresight Linux continues to build on it's success of releasing a stable Linux distribution with the latest software, including GNOME and applications such as Banshee for music management, F-Spot for photo management, Pidgin and Ekiga for internet communication and OpenOffice.org for productivity and office applications. Providing the latest versions of applications gives our users access to the latest bug fixes, and the use of Conary as a package manager makes it easy for users to update the software on their desktop."
Distribution News debian-volatile: Service UpdateAndreas Barth covers recent improvements to the debian-volatile service. "We finally had the time to add a suite for Etch to volatile. During these changes, we also archived woody, and upgraded to a newer version of the archive scripts. If you notice some small hiccups, please just warn us (best by mail to debian-volatile@lists.debian.org) so that we can fix them. The changes include a different archive signing key, and separate keys per suite." debian-volatile allows stable Debian users to get updates for fast moving targets such as spam filtering and virus scanning.
A Fedora 7 FAQFor people looking at installing Fedora 7, there is now a Fedora 7 FAQ available with answers to questions which have come up so far.
More Fedora 7 newsMax Spevack has a few words about Fedora 7 (sent just before the final release). "It's the middle of the night in the main Red Hat offices in Raleigh and Westford, but I amm in Berlin this week for LinuxTag, which is the largest Linux conference in Europe (10,000 visitors over 4 days). We have a great looking Fedora booth, and we are holding a FUDCon (Fedora Users and Developers Conference) here today during which we have a conference hall that probably seats 150 people all to ourselves."The Cooperative Bug Isolation Project (CBI) is now available for Fedora 7. "CBI (http://www.cs.wisc.edu/cbi/) is an ongoing research effort to find and fix bugs in the real world. We distribute specially modified versions of popular open source software packages. These special versions monitor their own behavior while they run, and report back how they work (or how they fail to work) in the hands of real users like you. Even if you've never written a line of code in your life, you can help make things better for everyone simply by using our special bug-hunting packages." Freshrpms has announced that all freshrpms add-on packages are now available for Fedora 7. ATrpms has officially launched Fedora 7 support for i386, x86_64 and PPC.
The Fedora 8 release scheduleThe Fedora folks are not wasting any time; there is already a posted release schedule for Fedora 8. It's a short (five-month) development cycle this time, with the final release due on October 31. One can already imagine the Halloween-themed release announcement.
Discounts on Red Hat training for Fedora folksRed Hat is offering special discounts to Fedora contributors who register for upcoming Red Hat training courses. "We have two separate offers, valid in multiple regions. The details vary slightly depending on region (read on below), and the offer is valid for classes that are offered directly by Red Hat (not by Red Hat's training partners)."
Mandriva opens Linux development center in Russia (CNews)CNews reports on Mandriva's opening of a Russian office. "Mandriva, the official producer of Linux distribution has opened an office in St. Petersburg. One of the main tasks of the companys representation is to help its Russian users avoid claims on behalf of the governing bodies which not always know the peculiarities of Linux OS licensing. Meanwhile, Linux might be introduced in many of St. Petersburg schools."
Survey on commercial software for openSUSE distributionopenSUSE is running a survey on the use of commercial/proprietary software by openSUSE users. The survey will run until June 12. There's an added note about the appearance of non-proprietary TeXLive on the survey.
Ubuntu newsThe first Tribe CD, a testing milestone of Gutsy Gibbon, should be available on June 7, 2007.Matt Zimmerman has announced that, thanks to a joint effort of Launchpad and Ubuntu developers, you can now close bugs in Launchpad automatically when you upload a source package.
Distribution Newsletters Fedora Weekly News Issue 90The Fedora Weekly News for June 2, 2007 looks at the release of Fedora 7 (Moonshine), Freshrpms for Fedora 7, ATrpms for Fedora 7, A Few Words About Fedora 7, Discounts on Red Hat training for Fedora folks, Fedora is now an open source project, Interview of Max Spevack, Interview of Mike McGrath, Kernel hacking for laptops, fedoraproject.org promos, Some comments on Fedora 7, Fedora 7 "Moonshine": Freedom vs. Ease-of-Use (Part 1), and much more.
Foresight Linux Newsletter Volume 1, Issue 3The Foresight Linux Newsletter for May 2007 covers the release of Foresight Linux 1.3, GNOME 2.18.2 Live Media, installation and package updates, documentation updates, and more.
Mandriva Linux Community Newsletter Issue # 126The Mandriva Linux Community Newsletter for June 1, 2007 looks at Mandriva Linux 2007 Spring released, Mandriva Flash 4GB released, Mandriva Linux 2007 Spring Reviews, Erratum - Correction to promotional e-mail regarding Mastering Mandriva Linux 2007 Spring, and Mandriva Security - Better, stronger, faster.
Ubuntu Weekly News: Issue #43The Ubuntu Weekly Newsletter for June 2, 2007 covers an interview with Mark Shuttleworth, newly approved Ubuntu Core Developer Sarah Hobbs, the new batch of Ubuntu Members, an interview with Daniel Holbach, and much much more.
DistroWatch Weekly, Issue 205The DistroWatch Weekly for June 4, 2007 is out. "The release of Fedora 7 last week has been the dominant topic on many Linux web sites and DistroWatch is no exception; we'll comment on the release, bring you a first-look review, and present details about the project's upcoming version 8, scheduled for release at the end of October. In other news, Turbolinux introduces the world to a media player and portable operating system called Wizpy, Mandriva seeks solutions for its current financial troubles, Gentoo founder comments on SabayonLinux, and Debian updates its "volatile" infrastructure. Finally, as DistroWatch celebrates its 6th birthday, we are pleased to announce that the May 2007 donation was awarded to VectorLinux."
Distribution meetings DebConf7 Schedule availableThe schedule for DebConf7 is available. DebConf7 takes place in Scotland June 17 - 23, 2007.
Newsletters and articles of interest Music 101: The Mandriva Linux 2007 Spring song recipeAdam Williamson has written an article on using audio tools in Mandriva Spring. "Recently I was asked to write a small article talking about some of the tools related to audio in Mandriva Spring. I realized that writing a few things about the tools would be just the same as articles you can find in many websites and magazines. But instructions on creating music step from step from scratch, picking the right ingredients for "the song recipe", are rarely to be found. So I decided to try and make a song with only the tools I had available on Mandriva Spring, and write down how to do it."
Zenwalk 4.6 mini Linux boasts latest Xfce desktop (DesktopLinux)DesktopLinux covers the release of Zenwalk Linux 4.6. "The Zenwalk project today released Zenwalk Linux 4.6 (code-named Red Pill). The lightweight distribution utilizes a cutting-edge 2.6.21.3 Linux kernel with KVM support, along with the relatively new Xfce 4.4.1 desktop environment."
New HowtoForge tutorialsNow available from HowtoForge:
Distribution reviews Review: Fedora 7 (Linux.com)Linux.com has a review of Fedora 7. "Fedora 7 was released last week, a little bit behind schedule, with a spate of new features, updates, and live CD installable "spins" of Fedora in KDE and GNOME flavors. I found a lot of good in this release, but a bug in the FireWire stack that attacked my external backup drive made this release just a little shy of perfect."
Fedora 7 "Moonshine": Freedom vs. Ease-of-Use (TuxMachines)TuxMachines reviews Fedora 7 "Moonshine". "In my opinion, the entire issue of free vs. proprietary and patent-protected vs. patent-free is the biggest one facing Linux as a whole right now. I certainly understand and respect Red Hat's wishes to be free of all the legal repercussions that could arise if they were to be sued; after all, they've got a business to run, and Fedora doesn't earn them any money. I also respect and understand the open-source philosophy. Meanwhile, I want to listen to my MP3s, and watch my movies and YouTube clips, like anyone else."
Business vs Community: Xandros and PCLinuxOS compared (Polishlinux.org)Polishlinux.org compares Xandros Desktop with the more community-friendly PCLinuxOS.
PCLinuxOS is a Mandriva-based LiveCD, which we can either use as a demo CD
or install on a hard disk. This distribution is gaining a lot of popularity
and on Distrowatch it's currently rated at high third place. For the
purpose of this review, PCLinuxOS 2007 has been used....
Xandros is a commercial distribution targeted at business. For free we can only download a 30-day trial version. If you want a full version you have to pay (as of today: $39.99 for home, $79.99 for premium and $99.99 for professional edition). There is a chance that one of the previous versions of Xandros is available as a bonus to one of you local IT magazines (like Linux Magazine).
Sidux vs. Mint: Can You Live the Pure Open Source Life? (TuxMachines)TuxMachines compares Debian-Sid-based Sidux with Ubuntu-based Linux Mint. "Sidux and Linux Mint are similar in some fundamental ways. Primarily, they are both Debian derivations, although technically one is based on Ubuntu Linux. Both are delivered as one ~700 MB liveCD image. Both have hard drive installers, proprietary graphic driver installers, and a well rounded selection of starter applications. However, they are different in some significant ways as well."
Page editor: Rebecca Sobol Development Introducing CACAO, a Java Virtual MachineCACAO is an open-source Java Virtual Machine that runs on a wide variety of processors on several Unix platforms, including Linux. CACAO is being worked on by this group of developers.
CACAO is a Java Virtual Machine (JVM) which uses Just-In-Time (JIT) compilation to execute Java methods natively. Since release 0.93 a
Vmgen
based interpreter is also integrated. CACAO uses
GNU Classpath
as default Java core library.
The CACAO project started as a research JVM to explore new implementation techniques. The first version for the Alpha was released in February 1997 as a binary. In 2004, CACAO was released under the GPL and is currently actively developed.
The CACAO Wiki site lists some of CACAO's primary features and includes other documentation as well as project discussions. Version 0.98 of CACAO, named Free all JITs!, has been announced. This is a major feature enhancement and bug-fix release." New features in this release include:
System Applications Database Software MySQL 5.1.19-beta has been releasedVersion 5.1.19-beta of the MySQL DBMS is out with lots of bug fixes. "Bear in mind that this is a beta release, and as any other pre-production release, caution should be taken when installing on production level systems or systems with critical data."
PostgreSQL Weekly NewsThe June 3, 2007 edition of the PostgreSQL Weekly News is out with the latest from the PostgreSQL development community.
Embedded Systems BusyBox 1.6.0 releasedUnstable version 1.6.0 of BusyBox, a collection of command line utilities for embedded systems, is out. "Note that hush shell had many changes and (hopefully) is much improved now, but there is a possibility that it regressed in some obscure cases. Please report any such cases. lash users please note: lash is going to be deprecated in busybox 1.7.0 and removed in the more distant future. Please migrate to hush." A long list of additional changes have also been made.
Web Site Development Browsershots 0.3-beta1 announcedVersion 0.3-beta1 of Browsershots has been announced. "Browsershots is a system for automatically capturing screenshots of Web pages in a variety of browsers and making these images available to the public. Its goal is to make it easier to test the compatibility of Web pages with a variety of browsers. The system distributes the work of making screenshots among community members. Anyone can add URLs to the job queue on a central server."
Desktop Applications Audio Applications dvdtoogg 0.2 releasedVersion 0.2 of dvdtoogg has been announced. "dvdtoogg is a script for converting the audio content of a DVD to a multi-channel Ogg Vorbis file. (From 2 to 6 channels are supported.) It uses mplayer to find and extract DVD tracks, and uses oggenc to encode to a stereo or 5.1 Ogg Vorbis file."
jack_capture 0.9.6 releasedVersion 0.9.6 of jack_capture, a program for recording sound files from JACK audio data streams, is out with several bug fixes.
Rotter 0.3 announcedStable version 0.3 of Rotter has been announced. "Rotter is a transmission recording and audio logger for JACK. It was designed for use by radio stations, who are legally required to keep a recording of all their output. Rotter runs continuously, writing to a new file every hour."
Data Visualization Matplotlib 0.90.1 releasedVersion 0.90.1 of Matplotlib, a Python-based 2D plotting package, is out. "The 0.90 series is the last release that will continue to support Numeric, numarray and numpy. At 0.91, we will be using numpy only internally, though we will continue to provide the numerix compaitibility layer for external use."
Desktop Environments GNOME 2.18.2 releasedVersion 2.18.2 of the GNOME desktop environment is out. "This is the second release in a series of point releases for the 2.18 branch. Come and see all the bug fixing, all the new translations and all the updated documentation brought to you by the wonderful team of GNOME contributors! While development is underway on the GNOME 2.19/2.20 road, work on the stable branch continues to make it even more solid."
GARNOME 2.18.2 releasedVersion 2.18.2 of GARNOME, the bleeding-edge GNOME distribution, is out. "It includes updates and fixes after the official GNOME freeze, together with a host of third-party GNOME packages, Bindings and the Mono(tm) Platform -- this is the third release of the current stable GNOME branch, ironing out yet-more bugs, hopefully adding yet-more stability, and ships with the latest and greatest stable releases."
GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
Fedora 7 Release Adds Installable KDE Live CD (KDE.News)KDE.News notes the availability of a KDE live CD for the newly released Fedora 7 distribution. "The Fedora Project has announced the immediate availability of their latest release, Fedora 7 (Moonshine) including, for the first time, a KDE live CD/DVD showcasing KDE and KDE applications, which can also be installed to the hard disk, resulting in a regular Fedora installation with KDE. Along with other current software, Fedora 7 includes KDE 3.5.6."
Semantic Desktop and KDE 4: State and Plans of NEPOMUK-KDE (KDE.News)KDE.News introduces this article on /home/liquidat on Nepomuk-KDE. "Nepomuk-KDE is the basis for the semantic technologies we will see in KDE 4. Sebastian Trüg, the main developer behind Nepomuk-KDE, provided me with some up2date information about the current state and future plans."
KDE Commit-Digest for 3rd June 2007 (KDE.News)The June 3, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Start of the Oxygen Meeting in Milan, with a focus on the Oxygen widget style and window decoration. Continued developments in Plasma, with the addition of a second example Plasmoid, for accessing developer commit feeds. More work in Konsole, with the addition of a command-line tool to manage Konsole user profiles. Support for RockBox-based devices in Amarok. Initial work begins on a Wikipedia-based "Picture of the Day" and "This Day in History" plugins for KOrganizer..."
KDE Software AnnouncementsThe following new KDE software has been announced this week:
Xorg Software AnnouncementsThe following new Xorg software has been announced this week:
Desktop Publishing LyX version 1.5.0 RC 1 releasedRelease candidate 1 of LyX 1.5.0, a GUI front-end to the TeX typesetting system, is out. "The difference to the last beta release is due to bug fixes only, no new features are allowed at this stage of development. The only exception to this rule is the addition of Farsi as a supported language since the available patch was not integrated in the previous release."
Electronics gEDA/gaf 20070526 announcedVersion 20070526 of gEDA/gaf, a collection of electronic design and CAD tools, is out. See the release notes for change details.
QLoud 0.22 releasedVersion 0.22 of QLoud is out with support for qt 4.3.x. "QLoud is a tool to measure loudspeaker frequency and step responses and distortions. Other hardware such an audio amplifier or a sound card itself can be tested also."
Games Flycam 3D 1.0 releasedThe PyGame project has an announcement for Flycam 3D 1.0. The project description states: "Creates a very simple 3D 'world' with OpenGL, and a 'fly-cam' to navigate it."
GUI Packages Trolltech Releases Qt and Qtopia Core 4.3 (KDE.News)KDE.News covers the release of Qt and Qtopia Core 4.3.0. "Qt Blog reports that Trolltech has released version 4.3.0 of Qt, its cross-platform development platform, and Qtopia Core, its basis for embedded application development. Major new features include QtScript, an ECMAscript standard application scripting engine, replacing QSA; SSL support; improved OpenGL engine; more flexible main window architecture; ability to both render and generate SVG images and a new font system."
SPTK 3.5.1 releasedVersion 3.5.1 of SPTK, the Simply Powerful ToolKit, has been announced. Changes include an updated CMake building system, a new CGuard class and bug fixes.
Interoperability Wine 0.9.38 releasedVersion 0.9.38 of Wine has been announced. Changes include: "Beginnings of support for copy protection kernel drivers, More MSI automation support, Many 64-bit compilation fixes, A number of OLE fixes and Lots of bug fixes."
Mail Clients Mozilla Thunderbird 1.5.0.12 released (MozillaZine)MozillaZine has announced the release of the Mozilla Thunderbird 1.5.0.12 mail client. "Mozilla Thunderbird 1.5.0.12 was released yesterday, offering stability and security updates to the Mozilla Corporation's mail client. This latest update replaces Thunderbird 15.0.10 (the 1.5.0.11 version number was skipped to keep up with Mozilla Firefox). The Mozilla Developer News weblog recommends that all Thunderbird 1.5 users upgrade."
Medical Applications GNUmed 0.2.6.1 released (LinuxMedNews)LinuxMedNews has an announcement for GNUmed 0.2.6.1, an electronic medical record system. Here are the changes: "The hooks framework has been extended. The bootstrapper transfers users and runs sanity checks for plausibility after upgrade. Encounter handling now allows a user to start a new encounter on demand. Simple data mining has been added. GNUmed now runs on Mac OS X and supports OsiriX DICOM viewer. Patient picture handling has been properly implemented. Debugging has been improved for better user feedback. The backend features an improved backup script and a new restore script, and now requires PG 8.1. A bug in the phrasewheel has been fixed."
Science PyChem 3.0.1 releasedStable version 3.0.1 of PyChem has been announced. "The purpose of this software is to provide a simple to install and easy to use graphical interface to multivariate algorithms. The package currently supports: storage of supporting experimental data (metadata); data pre-processing; principal components analysis (PCA); discriminant function analysis (DFA,CVA,LDA,DA); cluster analysis; partial least squares regression (PLSR, PLS1); genetic algorithm (GA) based variable selector coupled to PLS and DFA."
Video Applications dvdspanky 1.0.2 releasedStable version 1.0.2 of dvdspanky has been announced. dvdspanky is: "A CLI tool to convert video files into DVD compatible MPEG streams. It is designed to be easy to use no matter the input source, to automate common transcoding tasks and provide powerefull features. It is written in C and provides a frontend to transcode, mjpegtools, mplayer and feh. It includes additional features such as specifying destination file size and calculated cliping and letterboxing. The output can be used in dvdauthor or similar programs."
Web Browsers Firefox and SeaMonkey releasesMozilla Firefox 2.0.0.4 has been released. It adds support for a couple of new languages, but the main point is fixes for a new set of security issues. Firefox 1.5.0.12 is also available with just the security fixes; this release is expected to be the last one in the Firefox 1.5 line. SeaMonkey users will want the 1.1.2 release. Expect to see updates from distributors shortly.
Languages and Tools Caml Caml Weekly NewsThe June 5, 2007 edition of the Caml Weekly News is out with new Caml language articles.
Haskell Haskell Communities and Activities ReportThe May, 2007 edition of the Haskell Communities and Activities Report has been published. "This edition has 138 entries, 33 of them are completely new (and therefore highlighted with a blue background), and 54 have had updates since the previous edition (and have a header with a blue background). All entries that have not been updated for a year or longer have been removed to make sure that your are reading information that is as up-to-date as possible."
PHP PHP 5.2.3 releasedVersion 5.2.3 of PHP has been released. "This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release." See the release announcement for more details.
Python Python-URL! - weekly Python news and linksThe June 4, 2007 edition of the Python-URL! is online with a new collection of Python article links.
The Python Papers Volume 2 Issue 2 now availableVolume 2 Issue 2 of The Python Papers is available for download [pdf]. "This issue marks a major landmark in our publication. We present a number of industry articles. There include "Python in Education" and "MPD WebAMP", as well as a great insight into Python in Germany, a wrap-up of PyCon 2007, a preview of EuroPython 2007 and a look at some great videos prepared my primary school students. Our peer-reviewed section reproduces two selected papers which were originally presented at the Open Source Developer's Conference 2006 (Melbourne, Australia)"
Tcl/Tk Tcl-URL! - weekly Tcl news and linksThe June 5, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Editors Emacs 22.1 releasedAt long last, the Emacs 22.1 release is out. There is a long list of new features; see the announcement for an abbreviated version of it. (LWN reviewed Emacs 22 last October).
Libraries libfishsound 0.8.0 releasedVersion 0.8.0 of libfishsound, an interface to the Xiph.Org Vorbis and Speex codecs, is out. "This release includes compatibility with the floating point portion of the libfishsound development trunk API, in preparation for use with liboggplay. In order to build a minimal version of libfishsound for use with liboggplay, configure with encoding disabled in order to produce a smaller binary and to remove the dependency on libvorbisenc."
Page editor: Forrest Cook Linux in the news Recommended Reading Why DRM won't ever work (ZDNet)Samba hacker Jeremy Allison offers his opinion about DRM: "The other party in the transaction, the consumer of the music or movie, is then given the encrypted data, knowledge of what algorithm is used to encrypt the data, and a copy of the encryption key used to encrypt the data. All of these things must be supplied to the consumer in order for them to be able to use the data; without them, there's no way the consumer can listen to or watch the data they've just bought. Yet DRM is supposed to be able to restrict what the customer can do with the data. How can this be done given the fundamental reality of the situation described above? The magic of dilithium crystals?"
DreamWorks Animation 'Shrek the Third': Linux Feeds an Ogre (Linux Journal)Linux Journal takes a look at how Linux helps make movies. "All the big film studios primarily use Linux for animation and visual effects. Perhaps no commercial Linux installation is larger than DreamWorks Animation, with more than 1,000 Linux desktops and more than 3,000 server CPUs."
Companies A fight Microsoft can't win? (LA Times)The LA Times looks at Microsoft and software patents. Little new here for LWN readers, but it is nice to see this sort of article in a mainstream newspaper. "More significantly, the battle raises questions about the value of software patents. One of the rationales for patents in general is that they provide a financial incentive for inventors to reveal what might otherwise be trade secrets for the sake of promoting scientific and technical advancement. But if the invention is something that others in the field could have figured out for themselves as software engineers frequently do it doesn't deserve a patent. The free-software movement also challenges the notion that patents create the financial incentives needed to foster invention. Despite licensing rules that make it hard for them to control the fruits of their work, developers of open-source programs have been prolific and innovative, much to the public's benefit."
MS Sees No Conflict with Its Patent/Open Source Initiatives (eWeek)eWeek reports on Microsoft's position on patent infringements by open-source software applications. "Microsoft does not believe there is an inherent contradiction between its recent statements that free and open-source software infringes on 235 of its patents, and the veiled legal threats that go along with that, and its attempts to reach out and build bridges with the open-source community. "In fact, one makes the other possible, especially at a time like this, when interoperability is so important."
Introducing the Palm FoleoPalm, Inc has announced the Palm Foleo mobile companion, a small diskless laptop computer that runs Linux. The marketing blurb says: "With its 10-inch screen and full-size keyboard, the Palm Foleo mobile companion connects wirelessly with your smartphone to help you do more on the go. Unfold it, press a button, and it's on instantlywhile just one touch brings your email to the big screen. Use your Foleo to view attachments, type longer emails, or to get a bigger look at web pages and photos you'd normally view on your smartphone. And with up to five hours of battery life packed into such a compact design, you'll do big things wherever you go."
Linux at Work Open source for students: 150,000 laptops may help bridge the digital divide in Brazil (Linux in Brazil)Linux in Brazil looks at the competition for bridging the digital divide in Brazil. "Government-issued laptops for kids are increasingly being offered by international organizations and corporations as a viable shortcut to help bridge the digital divide in developing countries, and the brazilian government wants to start paving this shortcut as soon as possible. Federal authorities are working on an international procurement process and have already earmarked US$ 30 million to buy the first 150,000 notebooks, which will be deployed on a pilot program."
Legal Deposition of Darl McBride in Novell: Dreaming of Billions From Linux (Groklaw)Groklaw has the text of Darl McBride's deposition in the Novell case. It's an interesting view of what was going on back then. If you believe Darl, a number of companies were getting close to paying up when Novell dropped its copyright ownership bomb. "I remember that the models were showing -- we would look at IDC numbers, and there were X millions of servers and growing at a certain rate. And I remember specifically 4 million servers going to 6 million servers over some time frame. I'd have to go back and refresh what the time frames were, but I remember bracketing if you've got 4 million servers against our list price of $700, you multipy that out, you get $2.8 billion. If you go up to the full list -- or the list price against the 6 million then you are talking about $4.2 billion. So it was always -- it's a ridiculously big number. So okay. I guess we could get finite on whether the number is $5 billion or $1 billion or $6 billion. The point is it was a lot of money for the company, and the size of company that we were."
Xandros Deal Isn't Identical to Novell's: Picking One's Way Around the GPL? - Updated 2Xs (Groklaw)Groklaw examines the Xandros/MS deal. "So it's not exactly what Novell agreed to, then, from the sound of it, not to me anyway. Patent covenants isn't the same wording as a patent peace agreement. So this must be an attempt to work around the GPLv3, I think."
Interviews Eben Moglen: Video series (Linux.com)Linux.com presents two more installments of a video taped interview with Professor Eben Moglen at the Red Hat Summit. The videos are in Ogg format.Eben Moglen: FSF - The Next Generation "Professor Moglen explains that it was not because of some rift within the FSF, or between himself and Richard Stallman, that he has decided to leave the board. Rather, it is simply time for the next generation to assume control, and suggests that it is time for Stallman to leave as well." Eben Moglen: How I discovered Free Software and met RMS "Professor Moglen grew up in an era where software was more free than it is today. In this clip he talks about his path eventually crossed that of Richard Stallman, and how they came to work together to make software free once more."
Eben Moglen: How to change the world (Linux.com)Linux.com has another video segment available of an interview with Eben Moglen. "Professor Eben Moglen is a polished speaker, a true orator. It is a real treat to hear him speak, and if you ever get a chance to do so, I heartily recommend that you do. I learned last week that he communicates just as well in one-on-one sessions."
Resources Catching Up With JOST (Linux Journal)Dave Phillips looks at the latest version of JOST on Linux Journal. "Three months ago I introduced my readers to a new system for hosting VST plugins compiled natively for Linux. That system has continued its development and has become a mainstay in the Studio Dave Linux audio arsenal. Here's an update on the system's recent incarnations, complete with the usual multimedia extravaganza of text, screenshots, and sounds."
KeyJnote: A nifty engine for your presentations (Linux.com)Linux.com looks at making presentations with KeyJnote. "If you need to create a presentation every now and then, but you find OpenOffice.org Impress too complicated and bulky, check out KeyJnote, a tool that turns any PDF document or set of graphics files into a professional-quality presentation with impressive transition effects."
Linux Gazette #139The June 2007 edition of Linux Gazette is out. Articles include Creating an Unkillable Process, dotProject, Installing Perl Modules as a Non-Root User, Writing PostgreSQL Functions in C, and much more.
Reviews Music Player Daemon rocks your net (Linux.com)Linux.com has a review of MPD, the Music Player Daemon. "Licensed under the GNU GPL, MPD has been available for several years, and is packaged for most popular GNU/Linux distributions. Debian, Ubuntu (using the universe repository), Mandriva, and Gentoo users can install the mpd package or ebuild. Fedora and openSUSE don't include MPD, but you can find unofficial RPMs for those distros online. To compile MPD from source, start at the install page on the MPD Wiki and follow the instructions for General Installing From Source."
TreeLine: Outliner meets free-form database (Linux.com)Linux.com takes a look at the Treeline outliner. "TreeLine is a hybrid application that combines the features of a traditional outliner with a free-form database. As such, it offers a unique way to organize heterogeneous data, be it contact information, bookmarks, text snippets, bibliography, task lists, or something else. Moreover, using TreeLine's outlining capabilities you can easily group and manage the mixed data inside the database."
TurboLinux Wizpy Linux MP3 Player Ships in June (I4U News)I4U News looks at the Wizpy Linux MP3 player from TurboLinux. "Japanese company TurboLinux is ready to ship their Linux MP3 player Wizpy this month world-wide. You can already order it in Japan on Amazon.jp."
Page editor: Forrest Cook Announcements Non-Commercial announcements Creative Commons retires two licensesLawrence Lessig has sent out a message stating that the Creative Commons organization has decided to retire the Developing Nations and Sampling licenses. "The Developing Nations license is in conflict with the growing 'Open Access Publishing' movement. While the license frees creative work in the developing nations, it does not free work in any way elsewhere. This means these licenses do not meet the minimum standards of the Open Access Movement. Because this movement is so important to the spread of science and knowledge, we no longer believe it correct to promote a stand alone version of this license." There are similar motivations for the retirement of the Sampling license.
Final call GPLv3 draft releasedThe final draft of version 3 of the GNU General Public License is now available. The changes from the previous draft are relatively small. GPLv3 will be compatible with version 2 of the Apache License thanks to a few tweaks and a more nuanced interpretation of the Apache License text. The term "user product" has been more precisely defined in a way which avoids references to U.S. law; it has been made clear that "user product" is a very broad category. And there is a term that you can have a contractor work on private changes to GPLv3-licensed software without being considered to have distributed that software. The "grandfather clause" which excludes the Microsoft/Novell deal from some of the new patent language is still present. See the rationale document [PDF] for more information on these changes. If something seems wrong, now is the last chance to file comments with the FSF.
First draft of the Affero GPL version 3The first draft of version 3 of the Affero GPL has been released for discussion. This version is essentially GPLv3 with an additional term: "Notwithstanding any other provision of this License, if you modify the Program, your modified version must give all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to copy the Corresponding Source from a network server at no charge."
Commercial announcements Atmel introduces an AVR32 Application processor for embedded Linux designsAtmel Corporation has announced the AT32AP7001 processor. "Atmel(R) Corporation announced today the AT32AP7001, a member of the AVR(R)32 AP7 family of Application Processors optimized for cost constrained, Linux(R)-based embedded designs. The device is packaged in a 30 x 30mm VQFP for easy integration into a four-layer PCB design. Examples of applications for the AT32AP7001 include printers, fax machines, surveillance cameras, audio processing and industrial control equipment. The new device is built to run the popular Linux operating system in an embedded setting. Atmel provides a free port and support of the OS and tool chain."
Capgemini and Novell enter broad mixed-source partnershipNovell, Inc. has announced a partnership with Capgemini. "Capgemini and Novell today announced a broad partnership that will deliver new solutions to enterprise customers using a combination of open source and proprietary software. Under terms of the agreement, Capgemini will enhance its open source consulting practice with Novell capabilities, specifically centered on the deployment of IT solutions using SUSE(R) Linux Enterprise from Novell(R) along with mixed-source applications and management tools. As a result, customers can deploy a Linux* platform across their entire desktop-to-data center infrastructures with the confidence that comes from working with a global consulting leader."
Sun extends compilers and tools to multi-core processorsSun Microsystems, Inc. has announced multi-core and multi-threading support in its compiler and tools technologies on Solaris and Linux. "Sun(TM) Studio 12 software, which includes a NetBeans(TM)-based integrated development environment (IDE), simplifies the development of applications on the newest multi-core SPARC(R) and x86/64 processor-based systems. In addition, Sun Studio 12 provides C, C++ and Fortran compilers and an advanced suite of static and dynamic tools for memory debugging, application profiling and multi-core optimizations, as well as libraries targeting the high performance market."
VariCAD releases VariCAD 2007 2.01VariCAD has released version 2.01 of its 3D/2D mechanical CAD system for Linux and Windows. "The new VariCAD 2007 2.01 brings many useful improvements, which include: completely new tools for 3D shells, 3D pipelines and 3D wires; a substantially improved 3D editing function allowing more complex editing, significantly improved STEP file import; new 3D checking functions and an extended tutorial and quick demonstration with new Flash examples".
Xandros signs up with MicrosoftXandros and Microsoft have announced a deal involving systems management interoperability, sharing office documents, joint sales, and, inevitably, patents. "Through the agreement, Microsoft will make available patent covenants for Xandros customers. These covenants will provide customers with confidence that the Xandros technologies they use and deploy in their environments are compliant with Microsoft's intellectual property. By putting a framework in place to share intellectual property, Xandros and Microsoft can speed the development of interoperable solutions."
New Books bash Cookbook - O'Reilly's Latest ReleaseO'Reilly has published the book bash Cookbook by Carl Albing, JP Vossen, and Cameron Newham.
Manage It! New from Pragmatic BookshelfPragmatic Bookshelf has published the book Manage It! Your Guide to Modern, Pragmatic Project Management by Johanna Rothman.
Contests and Awards Andrew S. Tanenbaum to Receive IEEE MedalThe IEEE will be rewarding Andrew S. Tanenbaum with the 2007 IEEE James H. Mulligan Jr. Education Medal. "Known by Some as the "Grandfather of Linux," over a Million Students Worldwide Have Studied Tanenbaum's Textbooks The IEEE has named Dr. Andrew S. Tanenbaum as the recipient of its 2007 IEEE James H. Mulligan Jr. Education Medal, in recognition of over three decades worth of his contributions to the field of computer science."
Calls for Presentations BCS'07 Call For PapersA call for papers has gone out for the BCS'07 information security & hacking conference. The event will take place in Jakarta, Indonesia on October 30 and 31, 2007. Submissions are due by June 30.
Upcoming Events 64 Studio music workshops in the UK this summerTwo 64 Studio workshops have been announced. They will take place in conjunction with Debian Day in Edinburgh, Scotland on June 16 and LugRadio Live in Wolverhampton, UK on July 8.
Events: June 14, 2007 to August 13, 2007The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||